diff options
Diffstat (limited to 'contrib/go/_std_1.25/src/crypto/internal/fips140')
251 files changed, 0 insertions, 70826 deletions
diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/ctr/ctr_amd64_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/ctr/ctr_amd64_asm.go deleted file mode 100644 index 35e1d8aeb62..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/ctr/ctr_amd64_asm.go +++ /dev/null @@ -1,127 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package main - -import ( - "fmt" - "sync" - - . "github.com/mmcloughlin/avo/build" - . "github.com/mmcloughlin/avo/operand" - . "github.com/mmcloughlin/avo/reg" -) - -//go:generate go run . -out ../../ctr_amd64.s - -func main() { - Package("crypto/aes") - ConstraintExpr("!purego") - - ctrBlocks(1) - ctrBlocks(2) - ctrBlocks(4) - ctrBlocks(8) - - Generate() -} - -func ctrBlocks(numBlocks int) { - Implement(fmt.Sprintf("ctrBlocks%dAsm", numBlocks)) - - rounds := Load(Param("nr"), GP64()) - xk := Load(Param("xk"), GP64()) - dst := Load(Param("dst"), GP64()) - src := Load(Param("src"), GP64()) - ivlo := Load(Param("ivlo"), GP64()) - ivhi := Load(Param("ivhi"), GP64()) - - bswap := XMM() - MOVOU(bswapMask(), bswap) - - blocks := make([]VecVirtual, 0, numBlocks) - - // Lay out counter block plaintext. - for i := 0; i < numBlocks; i++ { - x := XMM() - blocks = append(blocks, x) - - MOVQ(ivlo, x) - PINSRQ(Imm(1), ivhi, x) - PSHUFB(bswap, x) - if i < numBlocks-1 { - ADDQ(Imm(1), ivlo) - ADCQ(Imm(0), ivhi) - } - } - - // Initial key add. - aesRoundStart(blocks, Mem{Base: xk}) - ADDQ(Imm(16), xk) - - // Branch based on the number of rounds. - SUBQ(Imm(12), rounds) - JE(LabelRef("enc192")) - JB(LabelRef("enc128")) - - // Two extra rounds for 256-bit keys. - aesRound(blocks, Mem{Base: xk}) - aesRound(blocks, Mem{Base: xk}.Offset(16)) - ADDQ(Imm(32), xk) - - // Two extra rounds for 192-bit keys. - Label("enc192") - aesRound(blocks, Mem{Base: xk}) - aesRound(blocks, Mem{Base: xk}.Offset(16)) - ADDQ(Imm(32), xk) - - // 10 rounds for 128-bit keys (with special handling for the final round). - Label("enc128") - for i := 0; i < 9; i++ { - aesRound(blocks, Mem{Base: xk}.Offset(16*i)) - } - aesRoundLast(blocks, Mem{Base: xk}.Offset(16*9)) - - // XOR state with src and write back to dst. - for i, b := range blocks { - x := XMM() - - MOVUPS(Mem{Base: src}.Offset(16*i), x) - PXOR(b, x) - MOVUPS(x, Mem{Base: dst}.Offset(16*i)) - } - - RET() -} - -func aesRoundStart(blocks []VecVirtual, k Mem) { - x := XMM() - MOVUPS(k, x) - for _, b := range blocks { - PXOR(x, b) - } -} - -func aesRound(blocks []VecVirtual, k Mem) { - x := XMM() - MOVUPS(k, x) - for _, b := range blocks { - AESENC(x, b) - } -} - -func aesRoundLast(blocks []VecVirtual, k Mem) { - x := XMM() - MOVUPS(k, x) - for _, b := range blocks { - AESENCLAST(x, b) - } -} - -var bswapMask = sync.OnceValue(func() Mem { - bswapMask := GLOBL("bswapMask", NOPTR|RODATA) - DATA(0x00, U64(0x08090a0b0c0d0e0f)) - DATA(0x08, U64(0x0001020304050607)) - return bswapMask -}) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/ctr/go.mod b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/ctr/go.mod deleted file mode 100644 index 5d97cd7f4e6..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/ctr/go.mod +++ /dev/null @@ -1,11 +0,0 @@ -module crypto/aes/_asm/ctr - -go 1.24 - -require github.com/mmcloughlin/avo v0.6.0 - -require ( - golang.org/x/mod v0.20.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/tools v0.24.0 // indirect -) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/ctr/go.sum b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/ctr/go.sum deleted file mode 100644 index 76af484b2eb..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/ctr/go.sum +++ /dev/null @@ -1,8 +0,0 @@ -github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY= -github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= -golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= -golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/standard/aes_amd64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/standard/aes_amd64.go deleted file mode 100644 index 44e0a79289c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/standard/aes_amd64.go +++ /dev/null @@ -1,385 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package main - -import ( - "os" - "strings" - - . "github.com/mmcloughlin/avo/build" - "github.com/mmcloughlin/avo/ir" - . "github.com/mmcloughlin/avo/operand" - . "github.com/mmcloughlin/avo/reg" -) - -//go:generate go run . -out ../../aes_amd64.s - -func main() { - Package("crypto/aes") - ConstraintExpr("!purego") - encryptBlockAsm() - decryptBlockAsm() - expandKeyAsm() - _expand_key_128() - _expand_key_192a() - _expand_key_192b() - _expand_key_256a() - _expand_key_256b() - Generate() - - var internalFunctions []string = []string{ - "·_expand_key_128<>", - "·_expand_key_192a<>", - "·_expand_key_192b<>", - "·_expand_key_256a<>", - "·_expand_key_256b<>", - } - removePeskyUnicodeDot(internalFunctions, "../../asm_amd64.s") -} - -func encryptBlockAsm() { - Implement("encryptBlockAsm") - Attributes(NOSPLIT) - AllocLocal(0) - - Load(Param("nr"), RCX) - Load(Param("xk"), RAX) - Load(Param("dst"), RDX) - Load(Param("src"), RBX) - MOVUPS(Mem{Base: AX}.Offset(0), X1) - MOVUPS(Mem{Base: BX}.Offset(0), X0) - ADDQ(Imm(16), RAX) - PXOR(X1, X0) - SUBQ(Imm(12), RCX) - JE(LabelRef("Lenc192")) - JB(LabelRef("Lenc128")) - - Label("Lenc256") - MOVUPS(Mem{Base: AX}.Offset(0), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(16), X1) - AESENC(X1, X0) - ADDQ(Imm(32), RAX) - - Label("Lenc192") - MOVUPS(Mem{Base: AX}.Offset(0), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(16), X1) - AESENC(X1, X0) - ADDQ(Imm(32), RAX) - - Label("Lenc128") - MOVUPS(Mem{Base: AX}.Offset(0), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(16), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(32), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(48), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(64), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(80), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(96), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(112), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(128), X1) - AESENC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(144), X1) - AESENCLAST(X1, X0) - MOVUPS(X0, Mem{Base: DX}.Offset(0)) - RET() -} - -func decryptBlockAsm() { - Implement("decryptBlockAsm") - Attributes(NOSPLIT) - AllocLocal(0) - - Load(Param("nr"), RCX) - Load(Param("xk"), RAX) - Load(Param("dst"), RDX) - Load(Param("src"), RBX) - - MOVUPS(Mem{Base: AX}.Offset(0), X1) - MOVUPS(Mem{Base: BX}.Offset(0), X0) - ADDQ(Imm(16), RAX) - PXOR(X1, X0) - SUBQ(Imm(12), RCX) - JE(LabelRef("Ldec192")) - JB(LabelRef("Ldec128")) - - Label("Ldec256") - MOVUPS(Mem{Base: AX}.Offset(0), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(16), X1) - AESDEC(X1, X0) - ADDQ(Imm(32), RAX) - - Label("Ldec192") - MOVUPS(Mem{Base: AX}.Offset(0), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(16), X1) - AESDEC(X1, X0) - ADDQ(Imm(32), RAX) - - Label("Ldec128") - MOVUPS(Mem{Base: AX}.Offset(0), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(16), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(32), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(48), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(64), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(80), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(96), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(112), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(128), X1) - AESDEC(X1, X0) - MOVUPS(Mem{Base: AX}.Offset(144), X1) - AESDECLAST(X1, X0) - MOVUPS(X0, Mem{Base: DX}.Offset(0)) - RET() -} - -// Note that round keys are stored in uint128 format, not uint32 -func expandKeyAsm() { - Implement("expandKeyAsm") - Attributes(NOSPLIT) - AllocLocal(0) - - Load(Param("nr"), RCX) - Load(Param("key"), RAX) - Load(Param("enc"), RBX) - Load(Param("dec"), RDX) - - MOVUPS(Mem{Base: AX}, X0) - Comment("enc") - MOVUPS(X0, Mem{Base: BX}) - ADDQ(Imm(16), RBX) - PXOR(X4, X4) // _expand_key_* expect X4 to be zero - CMPL(ECX, Imm(12)) - JE(LabelRef("Lexp_enc192")) - JB(LabelRef("Lexp_enc128")) - - Lexp_enc256() - Lexp_enc192() - Lexp_enc128() - Lexp_dec() - Lexp_dec_loop() -} - -func Lexp_enc256() { - Label("Lexp_enc256") - MOVUPS(Mem{Base: AX}.Offset(16), X2) - MOVUPS(X2, Mem{Base: BX}) - ADDQ(Imm(16), RBX) - - var rcon uint64 = 1 - for i := 0; i < 6; i++ { - AESKEYGENASSIST(Imm(rcon), X2, X1) - CALL(LabelRef("_expand_key_256a<>(SB)")) - AESKEYGENASSIST(Imm(rcon), X0, X1) - CALL(LabelRef("_expand_key_256b<>(SB)")) - rcon <<= 1 - } - AESKEYGENASSIST(Imm(0x40), X2, X1) - CALL(LabelRef("_expand_key_256a<>(SB)")) - JMP(LabelRef("Lexp_dec")) -} - -func Lexp_enc192() { - Label("Lexp_enc192") - MOVQ(Mem{Base: AX}.Offset(16), X2) - - var rcon uint64 = 1 - for i := 0; i < 8; i++ { - AESKEYGENASSIST(Imm(rcon), X2, X1) - if i%2 == 0 { - CALL(LabelRef("_expand_key_192a<>(SB)")) - } else { - CALL(LabelRef("_expand_key_192b<>(SB)")) - } - rcon <<= 1 - } - JMP(LabelRef("Lexp_dec")) -} - -func Lexp_enc128() { - Label("Lexp_enc128") - var rcon uint64 = 1 - for i := 0; i < 8; i++ { - AESKEYGENASSIST(Imm(rcon), X0, X1) - CALL(LabelRef("_expand_key_128<>(SB)")) - rcon <<= 1 - } - AESKEYGENASSIST(Imm(0x1b), X0, X1) - CALL(LabelRef("_expand_key_128<>(SB)")) - AESKEYGENASSIST(Imm(0x36), X0, X1) - CALL(LabelRef("_expand_key_128<>(SB)")) -} - -func Lexp_dec() { - Label("Lexp_dec") - Comment("dec") - SUBQ(Imm(16), RBX) - MOVUPS(Mem{Base: BX}, X1) - MOVUPS(X1, Mem{Base: DX}) - DECQ(RCX) -} - -func Lexp_dec_loop() { - Label("Lexp_dec_loop") - MOVUPS(Mem{Base: BX}.Offset(-16), X1) - AESIMC(X1, X0) - MOVUPS(X0, Mem{Base: DX}.Offset(16)) - SUBQ(Imm(16), RBX) - ADDQ(Imm(16), RDX) - DECQ(RCX) - JNZ(LabelRef("Lexp_dec_loop")) - MOVUPS(Mem{Base: BX}.Offset(-16), X0) - MOVUPS(X0, Mem{Base: DX}.Offset(16)) - RET() -} - -func _expand_key_128() { - Function("_expand_key_128<>") - Attributes(NOSPLIT) - AllocLocal(0) - - PSHUFD(Imm(0xff), X1, X1) - SHUFPS(Imm(0x10), X0, X4) - PXOR(X4, X0) - SHUFPS(Imm(0x8c), X0, X4) - PXOR(X4, X0) - PXOR(X1, X0) - MOVUPS(X0, Mem{Base: BX}) - ADDQ(Imm(16), RBX) - RET() -} - -func _expand_key_192a() { - Function("_expand_key_192a<>") - Attributes(NOSPLIT) - AllocLocal(0) - - PSHUFD(Imm(0x55), X1, X1) - SHUFPS(Imm(0x10), X0, X4) - PXOR(X4, X0) - SHUFPS(Imm(0x8c), X0, X4) - PXOR(X4, X0) - PXOR(X1, X0) - - MOVAPS(X2, X5) - MOVAPS(X2, X6) - PSLLDQ(Imm(0x4), X5) - PSHUFD(Imm(0xff), X0, X3) - PXOR(X3, X2) - PXOR(X5, X2) - - MOVAPS(X0, X1) - SHUFPS(Imm(0x44), X0, X6) - MOVUPS(X6, Mem{Base: BX}) - SHUFPS(Imm(0x4e), X2, X1) - MOVUPS(X1, Mem{Base: BX}.Offset(16)) - ADDQ(Imm(32), RBX) - RET() -} - -func _expand_key_192b() { - Function("_expand_key_192b<>") - Attributes(NOSPLIT) - AllocLocal(0) - - PSHUFD(Imm(0x55), X1, X1) - SHUFPS(Imm(0x10), X0, X4) - PXOR(X4, X0) - SHUFPS(Imm(0x8c), X0, X4) - PXOR(X4, X0) - PXOR(X1, X0) - - MOVAPS(X2, X5) - PSLLDQ(Imm(0x4), X5) - PSHUFD(Imm(0xff), X0, X3) - PXOR(X3, X2) - PXOR(X5, X2) - - MOVUPS(X0, Mem{Base: BX}) - ADDQ(Imm(16), RBX) - RET() -} - -func _expand_key_256a() { - Function("_expand_key_256a<>") - Attributes(NOSPLIT) - AllocLocal(0) - - // Hack to get Avo to emit: - // JMP _expand_key_128<>(SB) - Instruction(&ir.Instruction{ - Opcode: "JMP", - Operands: []Op{ - LabelRef("_expand_key_128<>(SB)"), - }, - }) -} - -func _expand_key_256b() { - Function("_expand_key_256b<>") - Attributes(NOSPLIT) - AllocLocal(0) - - PSHUFD(Imm(0xaa), X1, X1) - SHUFPS(Imm(0x10), X2, X4) - PXOR(X4, X2) - SHUFPS(Imm(0x8c), X2, X4) - PXOR(X4, X2) - PXOR(X1, X2) - - MOVUPS(X2, Mem{Base: BX}) - ADDQ(Imm(16), RBX) - RET() -} - -const ThatPeskyUnicodeDot = "\u00b7" - -// removePeskyUnicodeDot strips the dot from the relevant TEXT directives such that they -// can exist as internal assembly functions -// -// Avo v0.6.0 does not support the generation of internal assembly functions. Go's unicode -// dot tells the compiler to link a TEXT symbol to a function in the current Go package -// (or another package if specified). Avo unconditionally prepends the unicode dot to all -// TEXT symbols, making it impossible to emit an internal function without this hack. -// -// There is a pending PR to add internal functions to Avo: -// https://github.com/mmcloughlin/avo/pull/443 -// -// If merged it should allow the usage of InternalFunction("NAME") for the specified functions -func removePeskyUnicodeDot(internalFunctions []string, target string) { - bytes, err := os.ReadFile(target) - if err != nil { - panic(err) - } - - content := string(bytes) - - for _, from := range internalFunctions { - to := strings.ReplaceAll(from, ThatPeskyUnicodeDot, "") - content = strings.ReplaceAll(content, from, to) - } - - err = os.WriteFile(target, []byte(content), 0644) - if err != nil { - panic(err) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/standard/go.mod b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/standard/go.mod deleted file mode 100644 index f1329b7290a..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/standard/go.mod +++ /dev/null @@ -1,11 +0,0 @@ -module crypto/aes/_asm/standard - -go 1.24 - -require github.com/mmcloughlin/avo v0.6.0 - -require ( - golang.org/x/mod v0.20.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/tools v0.24.0 // indirect -) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/standard/go.sum b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/standard/go.sum deleted file mode 100644 index 76af484b2eb..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/_asm/standard/go.sum +++ /dev/null @@ -1,8 +0,0 @@ -github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY= -github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= -golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= -golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes.go deleted file mode 100644 index 62f6919eda8..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes.go +++ /dev/null @@ -1,131 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package aes - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/alias" - "strconv" -) - -// BlockSize is the AES block size in bytes. -const BlockSize = 16 - -// A Block is an instance of AES using a particular key. -// It is safe for concurrent use. -type Block struct { - block -} - -// blockExpanded is the block type used for all architectures except s390x, -// which feeds the raw key directly to its instructions. -type blockExpanded struct { - rounds int - // Round keys, where only the first (rounds + 1) × (128 ÷ 32) words are used. - enc [60]uint32 - dec [60]uint32 -} - -const ( - // AES-128 has 128-bit keys, 10 rounds, and uses 11 128-bit round keys - // (11×128÷32 = 44 32-bit words). - - // AES-192 has 192-bit keys, 12 rounds, and uses 13 128-bit round keys - // (13×128÷32 = 52 32-bit words). - - // AES-256 has 256-bit keys, 14 rounds, and uses 15 128-bit round keys - // (15×128÷32 = 60 32-bit words). - - aes128KeySize = 16 - aes192KeySize = 24 - aes256KeySize = 32 - - aes128Rounds = 10 - aes192Rounds = 12 - aes256Rounds = 14 -) - -// roundKeysSize returns the number of uint32 of c.end or c.dec that are used. -func (b *blockExpanded) roundKeysSize() int { - return (b.rounds + 1) * (128 / 32) -} - -type KeySizeError int - -func (k KeySizeError) Error() string { - return "crypto/aes: invalid key size " + strconv.Itoa(int(k)) -} - -// New creates and returns a new [cipher.Block] implementation. -// The key argument should be the AES key, either 16, 24, or 32 bytes to select -// AES-128, AES-192, or AES-256. -func New(key []byte) (*Block, error) { - // This call is outline to let the allocation happen on the parent stack. - return newOutlined(&Block{}, key) -} - -// newOutlined is marked go:noinline to avoid it inlining into New, and making New -// too complex to inline itself. -// -//go:noinline -func newOutlined(b *Block, key []byte) (*Block, error) { - switch len(key) { - case aes128KeySize, aes192KeySize, aes256KeySize: - default: - return nil, KeySizeError(len(key)) - } - return newBlock(b, key), nil -} - -func newBlockExpanded(c *blockExpanded, key []byte) { - switch len(key) { - case aes128KeySize: - c.rounds = aes128Rounds - case aes192KeySize: - c.rounds = aes192Rounds - case aes256KeySize: - c.rounds = aes256Rounds - } - expandKeyGeneric(c, key) -} - -func (c *Block) BlockSize() int { return BlockSize } - -func (c *Block) Encrypt(dst, src []byte) { - // AES-ECB is not approved in FIPS 140-3 mode. - fips140.RecordNonApproved() - if len(src) < BlockSize { - panic("crypto/aes: input not full block") - } - if len(dst) < BlockSize { - panic("crypto/aes: output not full block") - } - if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) { - panic("crypto/aes: invalid buffer overlap") - } - encryptBlock(c, dst, src) -} - -func (c *Block) Decrypt(dst, src []byte) { - // AES-ECB is not approved in FIPS 140-3 mode. - fips140.RecordNonApproved() - if len(src) < BlockSize { - panic("crypto/aes: input not full block") - } - if len(dst) < BlockSize { - panic("crypto/aes: output not full block") - } - if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) { - panic("crypto/aes: invalid buffer overlap") - } - decryptBlock(c, dst, src) -} - -// EncryptBlockInternal applies the AES encryption function to one block. -// -// It is an internal function meant only for the gcm package. -func EncryptBlockInternal(c *Block, dst, src []byte) { - encryptBlock(c, dst, src) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_amd64.s deleted file mode 100644 index d88ccbf765a..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_amd64.s +++ /dev/null @@ -1,286 +0,0 @@ -// Code generated by command: go run asm_amd64.go -out ../../asm_amd64.s -pkg aes. DO NOT EDIT. - -//go:build !purego - -#include "textflag.h" - -// func encryptBlockAsm(nr int, xk *uint32, dst *byte, src *byte) -// Requires: AES, SSE, SSE2 -TEXT ·encryptBlockAsm(SB), NOSPLIT, $0-32 - MOVQ nr+0(FP), CX - MOVQ xk+8(FP), AX - MOVQ dst+16(FP), DX - MOVQ src+24(FP), BX - MOVUPS (AX), X1 - MOVUPS (BX), X0 - ADDQ $0x10, AX - PXOR X1, X0 - SUBQ $0x0c, CX - JE Lenc192 - JB Lenc128 - MOVUPS (AX), X1 - AESENC X1, X0 - MOVUPS 16(AX), X1 - AESENC X1, X0 - ADDQ $0x20, AX - -Lenc192: - MOVUPS (AX), X1 - AESENC X1, X0 - MOVUPS 16(AX), X1 - AESENC X1, X0 - ADDQ $0x20, AX - -Lenc128: - MOVUPS (AX), X1 - AESENC X1, X0 - MOVUPS 16(AX), X1 - AESENC X1, X0 - MOVUPS 32(AX), X1 - AESENC X1, X0 - MOVUPS 48(AX), X1 - AESENC X1, X0 - MOVUPS 64(AX), X1 - AESENC X1, X0 - MOVUPS 80(AX), X1 - AESENC X1, X0 - MOVUPS 96(AX), X1 - AESENC X1, X0 - MOVUPS 112(AX), X1 - AESENC X1, X0 - MOVUPS 128(AX), X1 - AESENC X1, X0 - MOVUPS 144(AX), X1 - AESENCLAST X1, X0 - MOVUPS X0, (DX) - RET - -// func decryptBlockAsm(nr int, xk *uint32, dst *byte, src *byte) -// Requires: AES, SSE, SSE2 -TEXT ·decryptBlockAsm(SB), NOSPLIT, $0-32 - MOVQ nr+0(FP), CX - MOVQ xk+8(FP), AX - MOVQ dst+16(FP), DX - MOVQ src+24(FP), BX - MOVUPS (AX), X1 - MOVUPS (BX), X0 - ADDQ $0x10, AX - PXOR X1, X0 - SUBQ $0x0c, CX - JE Ldec192 - JB Ldec128 - MOVUPS (AX), X1 - AESDEC X1, X0 - MOVUPS 16(AX), X1 - AESDEC X1, X0 - ADDQ $0x20, AX - -Ldec192: - MOVUPS (AX), X1 - AESDEC X1, X0 - MOVUPS 16(AX), X1 - AESDEC X1, X0 - ADDQ $0x20, AX - -Ldec128: - MOVUPS (AX), X1 - AESDEC X1, X0 - MOVUPS 16(AX), X1 - AESDEC X1, X0 - MOVUPS 32(AX), X1 - AESDEC X1, X0 - MOVUPS 48(AX), X1 - AESDEC X1, X0 - MOVUPS 64(AX), X1 - AESDEC X1, X0 - MOVUPS 80(AX), X1 - AESDEC X1, X0 - MOVUPS 96(AX), X1 - AESDEC X1, X0 - MOVUPS 112(AX), X1 - AESDEC X1, X0 - MOVUPS 128(AX), X1 - AESDEC X1, X0 - MOVUPS 144(AX), X1 - AESDECLAST X1, X0 - MOVUPS X0, (DX) - RET - -// func expandKeyAsm(nr int, key *byte, enc *uint32, dec *uint32) -// Requires: AES, SSE, SSE2 -TEXT ·expandKeyAsm(SB), NOSPLIT, $0-32 - MOVQ nr+0(FP), CX - MOVQ key+8(FP), AX - MOVQ enc+16(FP), BX - MOVQ dec+24(FP), DX - MOVUPS (AX), X0 - - // enc - MOVUPS X0, (BX) - ADDQ $0x10, BX - PXOR X4, X4 - CMPL CX, $0x0c - JE Lexp_enc192 - JB Lexp_enc128 - MOVUPS 16(AX), X2 - MOVUPS X2, (BX) - ADDQ $0x10, BX - AESKEYGENASSIST $0x01, X2, X1 - CALL _expand_key_256a<>(SB) - AESKEYGENASSIST $0x01, X0, X1 - CALL _expand_key_256b<>(SB) - AESKEYGENASSIST $0x02, X2, X1 - CALL _expand_key_256a<>(SB) - AESKEYGENASSIST $0x02, X0, X1 - CALL _expand_key_256b<>(SB) - AESKEYGENASSIST $0x04, X2, X1 - CALL _expand_key_256a<>(SB) - AESKEYGENASSIST $0x04, X0, X1 - CALL _expand_key_256b<>(SB) - AESKEYGENASSIST $0x08, X2, X1 - CALL _expand_key_256a<>(SB) - AESKEYGENASSIST $0x08, X0, X1 - CALL _expand_key_256b<>(SB) - AESKEYGENASSIST $0x10, X2, X1 - CALL _expand_key_256a<>(SB) - AESKEYGENASSIST $0x10, X0, X1 - CALL _expand_key_256b<>(SB) - AESKEYGENASSIST $0x20, X2, X1 - CALL _expand_key_256a<>(SB) - AESKEYGENASSIST $0x20, X0, X1 - CALL _expand_key_256b<>(SB) - AESKEYGENASSIST $0x40, X2, X1 - CALL _expand_key_256a<>(SB) - JMP Lexp_dec - -Lexp_enc192: - MOVQ 16(AX), X2 - AESKEYGENASSIST $0x01, X2, X1 - CALL _expand_key_192a<>(SB) - AESKEYGENASSIST $0x02, X2, X1 - CALL _expand_key_192b<>(SB) - AESKEYGENASSIST $0x04, X2, X1 - CALL _expand_key_192a<>(SB) - AESKEYGENASSIST $0x08, X2, X1 - CALL _expand_key_192b<>(SB) - AESKEYGENASSIST $0x10, X2, X1 - CALL _expand_key_192a<>(SB) - AESKEYGENASSIST $0x20, X2, X1 - CALL _expand_key_192b<>(SB) - AESKEYGENASSIST $0x40, X2, X1 - CALL _expand_key_192a<>(SB) - AESKEYGENASSIST $0x80, X2, X1 - CALL _expand_key_192b<>(SB) - JMP Lexp_dec - -Lexp_enc128: - AESKEYGENASSIST $0x01, X0, X1 - CALL _expand_key_128<>(SB) - AESKEYGENASSIST $0x02, X0, X1 - CALL _expand_key_128<>(SB) - AESKEYGENASSIST $0x04, X0, X1 - CALL _expand_key_128<>(SB) - AESKEYGENASSIST $0x08, X0, X1 - CALL _expand_key_128<>(SB) - AESKEYGENASSIST $0x10, X0, X1 - CALL _expand_key_128<>(SB) - AESKEYGENASSIST $0x20, X0, X1 - CALL _expand_key_128<>(SB) - AESKEYGENASSIST $0x40, X0, X1 - CALL _expand_key_128<>(SB) - AESKEYGENASSIST $0x80, X0, X1 - CALL _expand_key_128<>(SB) - AESKEYGENASSIST $0x1b, X0, X1 - CALL _expand_key_128<>(SB) - AESKEYGENASSIST $0x36, X0, X1 - CALL _expand_key_128<>(SB) - -Lexp_dec: - // dec - SUBQ $0x10, BX - MOVUPS (BX), X1 - MOVUPS X1, (DX) - DECQ CX - -Lexp_dec_loop: - MOVUPS -16(BX), X1 - AESIMC X1, X0 - MOVUPS X0, 16(DX) - SUBQ $0x10, BX - ADDQ $0x10, DX - DECQ CX - JNZ Lexp_dec_loop - MOVUPS -16(BX), X0 - MOVUPS X0, 16(DX) - RET - -// func _expand_key_128<>() -// Requires: SSE, SSE2 -TEXT _expand_key_128<>(SB), NOSPLIT, $0 - PSHUFD $0xff, X1, X1 - SHUFPS $0x10, X0, X4 - PXOR X4, X0 - SHUFPS $0x8c, X0, X4 - PXOR X4, X0 - PXOR X1, X0 - MOVUPS X0, (BX) - ADDQ $0x10, BX - RET - -// func _expand_key_192a<>() -// Requires: SSE, SSE2 -TEXT _expand_key_192a<>(SB), NOSPLIT, $0 - PSHUFD $0x55, X1, X1 - SHUFPS $0x10, X0, X4 - PXOR X4, X0 - SHUFPS $0x8c, X0, X4 - PXOR X4, X0 - PXOR X1, X0 - MOVAPS X2, X5 - MOVAPS X2, X6 - PSLLDQ $0x04, X5 - PSHUFD $0xff, X0, X3 - PXOR X3, X2 - PXOR X5, X2 - MOVAPS X0, X1 - SHUFPS $0x44, X0, X6 - MOVUPS X6, (BX) - SHUFPS $0x4e, X2, X1 - MOVUPS X1, 16(BX) - ADDQ $0x20, BX - RET - -// func _expand_key_192b<>() -// Requires: SSE, SSE2 -TEXT _expand_key_192b<>(SB), NOSPLIT, $0 - PSHUFD $0x55, X1, X1 - SHUFPS $0x10, X0, X4 - PXOR X4, X0 - SHUFPS $0x8c, X0, X4 - PXOR X4, X0 - PXOR X1, X0 - MOVAPS X2, X5 - PSLLDQ $0x04, X5 - PSHUFD $0xff, X0, X3 - PXOR X3, X2 - PXOR X5, X2 - MOVUPS X0, (BX) - ADDQ $0x10, BX - RET - -// func _expand_key_256a<>() -TEXT _expand_key_256a<>(SB), NOSPLIT, $0 - JMP _expand_key_128<>(SB) - -// func _expand_key_256b<>() -// Requires: SSE, SSE2 -TEXT _expand_key_256b<>(SB), NOSPLIT, $0 - PSHUFD $0xaa, X1, X1 - SHUFPS $0x10, X2, X4 - PXOR X4, X2 - SHUFPS $0x8c, X2, X4 - PXOR X4, X2 - PXOR X1, X2 - MOVUPS X2, (BX) - ADDQ $0x10, BX - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_arm64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_arm64.s deleted file mode 100644 index 1e885595404..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_arm64.s +++ /dev/null @@ -1,283 +0,0 @@ -// Copyright 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" -DATA rotInvSRows<>+0x00(SB)/8, $0x080f0205040b0e01 -DATA rotInvSRows<>+0x08(SB)/8, $0x00070a0d0c030609 -GLOBL rotInvSRows<>(SB), (NOPTR+RODATA), $16 -DATA invSRows<>+0x00(SB)/8, $0x0b0e0104070a0d00 -DATA invSRows<>+0x08(SB)/8, $0x0306090c0f020508 -GLOBL invSRows<>(SB), (NOPTR+RODATA), $16 -// func encryptBlockAsm(nr int, xk *uint32, dst, src *byte) -TEXT ·encryptBlockAsm(SB),NOSPLIT,$0 - MOVD nr+0(FP), R9 - MOVD xk+8(FP), R10 - MOVD dst+16(FP), R11 - MOVD src+24(FP), R12 - - VLD1 (R12), [V0.B16] - - CMP $12, R9 - BLT enc128 - BEQ enc192 -enc256: - VLD1.P 32(R10), [V1.B16, V2.B16] - AESE V1.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V2.B16, V0.B16 - AESMC V0.B16, V0.B16 -enc192: - VLD1.P 32(R10), [V3.B16, V4.B16] - AESE V3.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V4.B16, V0.B16 - AESMC V0.B16, V0.B16 -enc128: - VLD1.P 64(R10), [V5.B16, V6.B16, V7.B16, V8.B16] - VLD1.P 64(R10), [V9.B16, V10.B16, V11.B16, V12.B16] - VLD1.P 48(R10), [V13.B16, V14.B16, V15.B16] - AESE V5.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V6.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V7.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V8.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V9.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V10.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V11.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V12.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V13.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V14.B16, V0.B16 - VEOR V0.B16, V15.B16, V0.B16 - VST1 [V0.B16], (R11) - RET - -// func decryptBlockAsm(nr int, xk *uint32, dst, src *byte) -TEXT ·decryptBlockAsm(SB),NOSPLIT,$0 - MOVD nr+0(FP), R9 - MOVD xk+8(FP), R10 - MOVD dst+16(FP), R11 - MOVD src+24(FP), R12 - - VLD1 (R12), [V0.B16] - - CMP $12, R9 - BLT dec128 - BEQ dec192 -dec256: - VLD1.P 32(R10), [V1.B16, V2.B16] - AESD V1.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V2.B16, V0.B16 - AESIMC V0.B16, V0.B16 -dec192: - VLD1.P 32(R10), [V3.B16, V4.B16] - AESD V3.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V4.B16, V0.B16 - AESIMC V0.B16, V0.B16 -dec128: - VLD1.P 64(R10), [V5.B16, V6.B16, V7.B16, V8.B16] - VLD1.P 64(R10), [V9.B16, V10.B16, V11.B16, V12.B16] - VLD1.P 48(R10), [V13.B16, V14.B16, V15.B16] - AESD V5.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V6.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V7.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V8.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V9.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V10.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V11.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V12.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V13.B16, V0.B16 - AESIMC V0.B16, V0.B16 - AESD V14.B16, V0.B16 - VEOR V0.B16, V15.B16, V0.B16 - VST1 [V0.B16], (R11) - RET - -// func expandKeyAsm(nr int, key *byte, enc, dec *uint32) { -// Note that round keys are stored in uint128 format, not uint32 -TEXT ·expandKeyAsm(SB),NOSPLIT,$0 - MOVD nr+0(FP), R8 - MOVD key+8(FP), R9 - MOVD enc+16(FP), R10 - MOVD dec+24(FP), R11 - LDP rotInvSRows<>(SB), (R0, R1) - VMOV R0, V3.D[0] - VMOV R1, V3.D[1] - VEOR V0.B16, V0.B16, V0.B16 // All zeroes - MOVW $1, R13 - TBZ $1, R8, ks192 - TBNZ $2, R8, ks256 - LDPW (R9), (R4, R5) - LDPW 8(R9), (R6, R7) - STPW.P (R4, R5), 8(R10) - STPW.P (R6, R7), 8(R10) - MOVW $0x1b, R14 -ks128Loop: - VMOV R7, V2.S[0] - VTBL V3.B16, [V2.B16], V2.B16 - AESE V0.B16, V2.B16 // Use AES to compute the SBOX - EORW R13, R4 - LSLW $1, R13 // Compute next Rcon - ANDSW $0x100, R13, ZR - CSELW NE, R14, R13, R13 // Fake modulo - SUBS $1, R8 - VMOV V2.S[0], R0 - EORW R0, R4 - EORW R4, R5 - EORW R5, R6 - EORW R6, R7 - STPW.P (R4, R5), 8(R10) - STPW.P (R6, R7), 8(R10) - BNE ks128Loop - CBZ R11, ksDone // If dec is nil we are done - SUB $176, R10 - // Decryption keys are encryption keys with InverseMixColumns applied - VLD1.P 64(R10), [V0.B16, V1.B16, V2.B16, V3.B16] - VMOV V0.B16, V7.B16 - AESIMC V1.B16, V6.B16 - AESIMC V2.B16, V5.B16 - AESIMC V3.B16, V4.B16 - VLD1.P 64(R10), [V0.B16, V1.B16, V2.B16, V3.B16] - AESIMC V0.B16, V11.B16 - AESIMC V1.B16, V10.B16 - AESIMC V2.B16, V9.B16 - AESIMC V3.B16, V8.B16 - VLD1 (R10), [V0.B16, V1.B16, V2.B16] - AESIMC V0.B16, V14.B16 - AESIMC V1.B16, V13.B16 - VMOV V2.B16, V12.B16 - VST1.P [V12.B16, V13.B16, V14.B16], 48(R11) - VST1.P [V8.B16, V9.B16, V10.B16, V11.B16], 64(R11) - VST1 [V4.B16, V5.B16, V6.B16, V7.B16], (R11) - B ksDone -ks192: - LDPW (R9), (R2, R3) - LDPW 8(R9), (R4, R5) - LDPW 16(R9), (R6, R7) - STPW.P (R2, R3), 8(R10) - STPW.P (R4, R5), 8(R10) - SUB $4, R8 -ks192Loop: - STPW.P (R6, R7), 8(R10) - VMOV R7, V2.S[0] - VTBL V3.B16, [V2.B16], V2.B16 - AESE V0.B16, V2.B16 - EORW R13, R2 - LSLW $1, R13 - SUBS $1, R8 - VMOV V2.S[0], R0 - EORW R0, R2 - EORW R2, R3 - EORW R3, R4 - EORW R4, R5 - EORW R5, R6 - EORW R6, R7 - STPW.P (R2, R3), 8(R10) - STPW.P (R4, R5), 8(R10) - BNE ks192Loop - CBZ R11, ksDone - SUB $208, R10 - VLD1.P 64(R10), [V0.B16, V1.B16, V2.B16, V3.B16] - VMOV V0.B16, V7.B16 - AESIMC V1.B16, V6.B16 - AESIMC V2.B16, V5.B16 - AESIMC V3.B16, V4.B16 - VLD1.P 64(R10), [V0.B16, V1.B16, V2.B16, V3.B16] - AESIMC V0.B16, V11.B16 - AESIMC V1.B16, V10.B16 - AESIMC V2.B16, V9.B16 - AESIMC V3.B16, V8.B16 - VLD1.P 64(R10), [V0.B16, V1.B16, V2.B16, V3.B16] - AESIMC V0.B16, V15.B16 - AESIMC V1.B16, V14.B16 - AESIMC V2.B16, V13.B16 - AESIMC V3.B16, V12.B16 - VLD1 (R10), [V0.B16] - VST1.P [V0.B16], 16(R11) - VST1.P [V12.B16, V13.B16, V14.B16, V15.B16], 64(R11) - VST1.P [V8.B16, V9.B16, V10.B16, V11.B16], 64(R11) - VST1 [V4.B16, V5.B16, V6.B16, V7.B16], (R11) - B ksDone -ks256: - LDP invSRows<>(SB), (R0, R1) - VMOV R0, V4.D[0] - VMOV R1, V4.D[1] - LDPW (R9), (R0, R1) - LDPW 8(R9), (R2, R3) - LDPW 16(R9), (R4, R5) - LDPW 24(R9), (R6, R7) - STPW.P (R0, R1), 8(R10) - STPW.P (R2, R3), 8(R10) - SUB $7, R8 -ks256Loop: - STPW.P (R4, R5), 8(R10) - STPW.P (R6, R7), 8(R10) - VMOV R7, V2.S[0] - VTBL V3.B16, [V2.B16], V2.B16 - AESE V0.B16, V2.B16 - EORW R13, R0 - LSLW $1, R13 - SUBS $1, R8 - VMOV V2.S[0], R9 - EORW R9, R0 - EORW R0, R1 - EORW R1, R2 - EORW R2, R3 - VMOV R3, V2.S[0] - VTBL V4.B16, [V2.B16], V2.B16 - AESE V0.B16, V2.B16 - VMOV V2.S[0], R9 - EORW R9, R4 - EORW R4, R5 - EORW R5, R6 - EORW R6, R7 - STPW.P (R0, R1), 8(R10) - STPW.P (R2, R3), 8(R10) - BNE ks256Loop - CBZ R11, ksDone - SUB $240, R10 - VLD1.P 64(R10), [V0.B16, V1.B16, V2.B16, V3.B16] - VMOV V0.B16, V7.B16 - AESIMC V1.B16, V6.B16 - AESIMC V2.B16, V5.B16 - AESIMC V3.B16, V4.B16 - VLD1.P 64(R10), [V0.B16, V1.B16, V2.B16, V3.B16] - AESIMC V0.B16, V11.B16 - AESIMC V1.B16, V10.B16 - AESIMC V2.B16, V9.B16 - AESIMC V3.B16, V8.B16 - VLD1.P 64(R10), [V0.B16, V1.B16, V2.B16, V3.B16] - AESIMC V0.B16, V15.B16 - AESIMC V1.B16, V14.B16 - AESIMC V2.B16, V13.B16 - AESIMC V3.B16, V12.B16 - VLD1 (R10), [V0.B16, V1.B16, V2.B16] - AESIMC V0.B16, V18.B16 - AESIMC V1.B16, V17.B16 - VMOV V2.B16, V16.B16 - VST1.P [V16.B16, V17.B16, V18.B16], 48(R11) - VST1.P [V12.B16, V13.B16, V14.B16, V15.B16], 64(R11) - VST1.P [V8.B16, V9.B16, V10.B16, V11.B16], 64(R11) - VST1 [V4.B16, V5.B16, V6.B16, V7.B16], (R11) -ksDone: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_asm.go deleted file mode 100644 index 95a07e7a1ca..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_asm.go +++ /dev/null @@ -1,96 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (amd64 || arm64 || ppc64 || ppc64le) && !purego - -package aes - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/fips140deps/godebug" - "crypto/internal/impl" -) - -//go:noescape -func encryptBlockAsm(nr int, xk *uint32, dst, src *byte) - -//go:noescape -func decryptBlockAsm(nr int, xk *uint32, dst, src *byte) - -//go:noescape -func expandKeyAsm(nr int, key *byte, enc *uint32, dec *uint32) - -var supportsAES = cpu.X86HasAES && cpu.X86HasSSE41 && cpu.X86HasSSSE3 || - cpu.ARM64HasAES || cpu.PPC64 || cpu.PPC64le - -func init() { - if cpu.AMD64 { - impl.Register("aes", "AES-NI", &supportsAES) - } - if cpu.ARM64 { - impl.Register("aes", "Armv8.0", &supportsAES) - } - if cpu.PPC64 || cpu.PPC64le { - // The POWER architecture doesn't have a way to turn off AES support - // at runtime with GODEBUG=cpu.something=off, so introduce a new GODEBUG - // knob for that. It's intentionally only checked at init() time, to - // avoid the performance overhead of checking it every time. - if godebug.Value("#ppc64aes") == "off" { - supportsAES = false - } - impl.Register("aes", "POWER8", &supportsAES) - } -} - -// checkGenericIsExpected is called by the variable-time implementation to make -// sure it is not used when hardware support is available. It shouldn't happen, -// but this way it's more evidently correct. -func checkGenericIsExpected() { - if supportsAES { - panic("crypto/aes: internal error: using generic implementation despite hardware support") - } -} - -type block struct { - blockExpanded -} - -func newBlock(c *Block, key []byte) *Block { - switch len(key) { - case aes128KeySize: - c.rounds = aes128Rounds - case aes192KeySize: - c.rounds = aes192Rounds - case aes256KeySize: - c.rounds = aes256Rounds - } - if supportsAES { - expandKeyAsm(c.rounds, &key[0], &c.enc[0], &c.dec[0]) - } else { - expandKeyGeneric(&c.blockExpanded, key) - } - return c -} - -// EncryptionKeySchedule is used from the GCM implementation to access the -// precomputed AES key schedule, to pass to the assembly implementation. -func EncryptionKeySchedule(c *Block) []uint32 { - return c.enc[:c.roundKeysSize()] -} - -func encryptBlock(c *Block, dst, src []byte) { - if supportsAES { - encryptBlockAsm(c.rounds, &c.enc[0], &dst[0], &src[0]) - } else { - encryptBlockGeneric(&c.blockExpanded, dst, src) - } -} - -func decryptBlock(c *Block, dst, src []byte) { - if supportsAES { - decryptBlockAsm(c.rounds, &c.dec[0], &dst[0], &src[0]) - } else { - decryptBlockGeneric(&c.blockExpanded, dst, src) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_generic.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_generic.go deleted file mode 100644 index 0112c0a675c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_generic.go +++ /dev/null @@ -1,181 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This Go implementation is derived in part from the reference -// ANSI C implementation, which carries the following notice: -// -// rijndael-alg-fst.c -// -// @version 3.0 (December 2000) -// -// Optimised ANSI C code for the Rijndael cipher (now AES) -// -// @author Vincent Rijmen <[email protected]> -// @author Antoon Bosselaers <[email protected]> -// @author Paulo Barreto <[email protected]> -// -// This code is hereby placed in the public domain. -// -// THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS -// OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -// ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE -// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -// BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -// WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE -// OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, -// EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// -// See FIPS 197 for specification, and see Daemen and Rijmen's Rijndael submission -// for implementation details. -// https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf -// https://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf - -package aes - -import "crypto/internal/fips140deps/byteorder" - -// Encrypt one block from src into dst, using the expanded key xk. -func encryptBlockGeneric(c *blockExpanded, dst, src []byte) { - checkGenericIsExpected() - xk := c.enc[:] - - _ = src[15] // early bounds check - s0 := byteorder.BEUint32(src[0:4]) - s1 := byteorder.BEUint32(src[4:8]) - s2 := byteorder.BEUint32(src[8:12]) - s3 := byteorder.BEUint32(src[12:16]) - - // First round just XORs input with key. - s0 ^= xk[0] - s1 ^= xk[1] - s2 ^= xk[2] - s3 ^= xk[3] - - // Middle rounds shuffle using tables. - k := 4 - var t0, t1, t2, t3 uint32 - for r := 0; r < c.rounds-1; r++ { - t0 = xk[k+0] ^ te0[uint8(s0>>24)] ^ te1[uint8(s1>>16)] ^ te2[uint8(s2>>8)] ^ te3[uint8(s3)] - t1 = xk[k+1] ^ te0[uint8(s1>>24)] ^ te1[uint8(s2>>16)] ^ te2[uint8(s3>>8)] ^ te3[uint8(s0)] - t2 = xk[k+2] ^ te0[uint8(s2>>24)] ^ te1[uint8(s3>>16)] ^ te2[uint8(s0>>8)] ^ te3[uint8(s1)] - t3 = xk[k+3] ^ te0[uint8(s3>>24)] ^ te1[uint8(s0>>16)] ^ te2[uint8(s1>>8)] ^ te3[uint8(s2)] - k += 4 - s0, s1, s2, s3 = t0, t1, t2, t3 - } - - // Last round uses s-box directly and XORs to produce output. - s0 = uint32(sbox0[t0>>24])<<24 | uint32(sbox0[t1>>16&0xff])<<16 | uint32(sbox0[t2>>8&0xff])<<8 | uint32(sbox0[t3&0xff]) - s1 = uint32(sbox0[t1>>24])<<24 | uint32(sbox0[t2>>16&0xff])<<16 | uint32(sbox0[t3>>8&0xff])<<8 | uint32(sbox0[t0&0xff]) - s2 = uint32(sbox0[t2>>24])<<24 | uint32(sbox0[t3>>16&0xff])<<16 | uint32(sbox0[t0>>8&0xff])<<8 | uint32(sbox0[t1&0xff]) - s3 = uint32(sbox0[t3>>24])<<24 | uint32(sbox0[t0>>16&0xff])<<16 | uint32(sbox0[t1>>8&0xff])<<8 | uint32(sbox0[t2&0xff]) - - s0 ^= xk[k+0] - s1 ^= xk[k+1] - s2 ^= xk[k+2] - s3 ^= xk[k+3] - - _ = dst[15] // early bounds check - byteorder.BEPutUint32(dst[0:4], s0) - byteorder.BEPutUint32(dst[4:8], s1) - byteorder.BEPutUint32(dst[8:12], s2) - byteorder.BEPutUint32(dst[12:16], s3) -} - -// Decrypt one block from src into dst, using the expanded key xk. -func decryptBlockGeneric(c *blockExpanded, dst, src []byte) { - checkGenericIsExpected() - xk := c.dec[:] - - _ = src[15] // early bounds check - s0 := byteorder.BEUint32(src[0:4]) - s1 := byteorder.BEUint32(src[4:8]) - s2 := byteorder.BEUint32(src[8:12]) - s3 := byteorder.BEUint32(src[12:16]) - - // First round just XORs input with key. - s0 ^= xk[0] - s1 ^= xk[1] - s2 ^= xk[2] - s3 ^= xk[3] - - // Middle rounds shuffle using tables. - k := 4 - var t0, t1, t2, t3 uint32 - for r := 0; r < c.rounds-1; r++ { - t0 = xk[k+0] ^ td0[uint8(s0>>24)] ^ td1[uint8(s3>>16)] ^ td2[uint8(s2>>8)] ^ td3[uint8(s1)] - t1 = xk[k+1] ^ td0[uint8(s1>>24)] ^ td1[uint8(s0>>16)] ^ td2[uint8(s3>>8)] ^ td3[uint8(s2)] - t2 = xk[k+2] ^ td0[uint8(s2>>24)] ^ td1[uint8(s1>>16)] ^ td2[uint8(s0>>8)] ^ td3[uint8(s3)] - t3 = xk[k+3] ^ td0[uint8(s3>>24)] ^ td1[uint8(s2>>16)] ^ td2[uint8(s1>>8)] ^ td3[uint8(s0)] - k += 4 - s0, s1, s2, s3 = t0, t1, t2, t3 - } - - // Last round uses s-box directly and XORs to produce output. - s0 = uint32(sbox1[t0>>24])<<24 | uint32(sbox1[t3>>16&0xff])<<16 | uint32(sbox1[t2>>8&0xff])<<8 | uint32(sbox1[t1&0xff]) - s1 = uint32(sbox1[t1>>24])<<24 | uint32(sbox1[t0>>16&0xff])<<16 | uint32(sbox1[t3>>8&0xff])<<8 | uint32(sbox1[t2&0xff]) - s2 = uint32(sbox1[t2>>24])<<24 | uint32(sbox1[t1>>16&0xff])<<16 | uint32(sbox1[t0>>8&0xff])<<8 | uint32(sbox1[t3&0xff]) - s3 = uint32(sbox1[t3>>24])<<24 | uint32(sbox1[t2>>16&0xff])<<16 | uint32(sbox1[t1>>8&0xff])<<8 | uint32(sbox1[t0&0xff]) - - s0 ^= xk[k+0] - s1 ^= xk[k+1] - s2 ^= xk[k+2] - s3 ^= xk[k+3] - - _ = dst[15] // early bounds check - byteorder.BEPutUint32(dst[0:4], s0) - byteorder.BEPutUint32(dst[4:8], s1) - byteorder.BEPutUint32(dst[8:12], s2) - byteorder.BEPutUint32(dst[12:16], s3) -} - -// Apply sbox0 to each byte in w. -func subw(w uint32) uint32 { - return uint32(sbox0[w>>24])<<24 | - uint32(sbox0[w>>16&0xff])<<16 | - uint32(sbox0[w>>8&0xff])<<8 | - uint32(sbox0[w&0xff]) -} - -// Rotate -func rotw(w uint32) uint32 { return w<<8 | w>>24 } - -// Key expansion algorithm. See FIPS-197, Figure 11. -// Their rcon[i] is our powx[i-1] << 24. -func expandKeyGeneric(c *blockExpanded, key []byte) { - checkGenericIsExpected() - - // Encryption key setup. - var i int - nk := len(key) / 4 - for i = 0; i < nk; i++ { - c.enc[i] = byteorder.BEUint32(key[4*i:]) - } - for ; i < c.roundKeysSize(); i++ { - t := c.enc[i-1] - if i%nk == 0 { - t = subw(rotw(t)) ^ (uint32(powx[i/nk-1]) << 24) - } else if nk > 6 && i%nk == 4 { - t = subw(t) - } - c.enc[i] = c.enc[i-nk] ^ t - } - - // Derive decryption key from encryption key. - // Reverse the 4-word round key sets from enc to produce dec. - // All sets but the first and last get the MixColumn transform applied. - n := c.roundKeysSize() - for i := 0; i < n; i += 4 { - ei := n - i - 4 - for j := 0; j < 4; j++ { - x := c.enc[ei+j] - if i > 0 && i+4 < n { - x = td0[sbox0[x>>24]] ^ td1[sbox0[x>>16&0xff]] ^ td2[sbox0[x>>8&0xff]] ^ td3[sbox0[x&0xff]] - } - c.dec[i+j] = x - } - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_noasm.go deleted file mode 100644 index 8ba540273e3..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_noasm.go +++ /dev/null @@ -1,26 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!amd64 && !s390x && !ppc64 && !ppc64le && !arm64) || purego - -package aes - -type block struct { - blockExpanded -} - -func newBlock(c *Block, key []byte) *Block { - newBlockExpanded(&c.blockExpanded, key) - return c -} - -func encryptBlock(c *Block, dst, src []byte) { - encryptBlockGeneric(&c.blockExpanded, dst, src) -} - -func decryptBlock(c *Block, dst, src []byte) { - decryptBlockGeneric(&c.blockExpanded, dst, src) -} - -func checkGenericIsExpected() {} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_ppc64x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_ppc64x.s deleted file mode 100644 index 4c95dd21527..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_ppc64x.s +++ /dev/null @@ -1,891 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (ppc64 || ppc64le) && !purego - -// Based on CRYPTOGAMS code with the following comment: -// # ==================================================================== -// # Written by Andy Polyakov <[email protected]> for the OpenSSL -// # project. The module is, however, dual licensed under OpenSSL and -// # CRYPTOGAMS licenses depending on where you obtain it. For further -// # details see http://www.openssl.org/~appro/cryptogams/. -// # ==================================================================== - -// Original code can be found at the link below: -// https://github.com/dot-asm/cryptogams/blob/master/ppc/aesp8-ppc.pl - -// Some function names were changed to be consistent with Go function -// names. For instance, function aes_p8_set_{en,de}crypt_key become -// set{En,De}cryptKeyAsm. I also split setEncryptKeyAsm in two parts -// and a new session was created (doEncryptKeyAsm). This was necessary to -// avoid arguments overwriting when setDecryptKeyAsm calls setEncryptKeyAsm. -// There were other modifications as well but kept the same functionality. - -#include "textflag.h" - -// For expandKeyAsm -#define INP R3 -#define BITS R4 -#define OUTENC R5 // Pointer to next expanded encrypt key -#define PTR R6 -#define CNT R7 -#define ROUNDS R8 -#define OUTDEC R9 // Pointer to next expanded decrypt key -#define TEMP R19 -#define ZERO V0 -#define IN0 V1 -#define IN1 V2 -#define KEY V3 -#define RCON V4 -#define MASK V5 -#define TMP V6 -#define STAGE V7 -#define OUTPERM V8 -#define OUTMASK V9 -#define OUTHEAD V10 -#define OUTTAIL V11 - -// For P9 instruction emulation -#define ESPERM V21 // Endian swapping permute into BE -#define TMP2 V22 // Temporary for P8_STXVB16X/P8_STXVB16X - -// For {en,de}cryptBlockAsm -#define BLK_INP R3 -#define BLK_OUT R4 -#define BLK_KEY R5 -#define BLK_ROUNDS R6 -#define BLK_IDX R7 - -DATA ·rcon+0x00(SB)/8, $0x0f0e0d0c0b0a0908 // Permute for vector doubleword endian swap -DATA ·rcon+0x08(SB)/8, $0x0706050403020100 -DATA ·rcon+0x10(SB)/8, $0x0100000001000000 // RCON -DATA ·rcon+0x18(SB)/8, $0x0100000001000000 // RCON -DATA ·rcon+0x20(SB)/8, $0x1b0000001b000000 -DATA ·rcon+0x28(SB)/8, $0x1b0000001b000000 -DATA ·rcon+0x30(SB)/8, $0x0d0e0f0c0d0e0f0c // MASK -DATA ·rcon+0x38(SB)/8, $0x0d0e0f0c0d0e0f0c // MASK -DATA ·rcon+0x40(SB)/8, $0x0000000000000000 -DATA ·rcon+0x48(SB)/8, $0x0000000000000000 -GLOBL ·rcon(SB), RODATA, $80 - -#ifdef GOARCH_ppc64le -# ifdef GOPPC64_power9 -#define P8_LXVB16X(RA,RB,VT) LXVB16X (RA+RB), VT -#define P8_STXVB16X(VS,RA,RB) STXVB16X VS, (RA+RB) -#define XXBRD_ON_LE(VA,VT) XXBRD VA, VT -#define SETUP_ESPERM(rtmp) -# else -// On POWER8/ppc64le, emulate the POWER9 instructions by loading unaligned -// doublewords and byte-swapping each doubleword to emulate BE load/stores. -#define NEEDS_ESPERM -#define P8_LXVB16X(RA,RB,VT) \ - LXVD2X (RA+RB), VT \ - VPERM VT, VT, ESPERM, VT - -#define P8_STXVB16X(VS,RA,RB) \ - VPERM VS, VS, ESPERM, TMP2 \ - STXVD2X TMP2, (RA+RB) - -#define XXBRD_ON_LE(VA,VT) \ - VPERM VA, VA, ESPERM, VT - -// Setup byte-swapping permute value in ESPERM for POWER9 instruction -// emulation macros. -#define SETUP_ESPERM(rtmp) \ - MOVD $·rcon(SB), rtmp \ - LVX (rtmp), ESPERM -# endif // defined(GOPPC64_power9) -#else -#define P8_LXVB16X(RA,RB,VT) LXVD2X (RA+RB), VT -#define P8_STXVB16X(VS,RA,RB) STXVD2X VS, (RA+RB) -#define XXBRD_ON_LE(VA, VT) -#define SETUP_ESPERM(rtmp) -#endif // defined(GOARCH_ppc64le) - -// func setEncryptKeyAsm(nr int, key *byte, enc *uint32, dec *uint32) -TEXT ·expandKeyAsm(SB), NOSPLIT|NOFRAME, $0 - // Load the arguments inside the registers - MOVD nr+0(FP), ROUNDS - MOVD key+8(FP), INP - MOVD enc+16(FP), OUTENC - MOVD dec+24(FP), OUTDEC - -#ifdef NEEDS_ESPERM - MOVD $·rcon(SB), PTR // PTR points to rcon addr - LVX (PTR), ESPERM - ADD $0x10, PTR -#else - MOVD $·rcon+0x10(SB), PTR // PTR points to rcon addr (skipping permute vector) -#endif - - // Get key from memory and write aligned into VR - P8_LXVB16X(INP, R0, IN0) - ADD $0x10, INP, INP - MOVD $0x20, TEMP - - CMPW ROUNDS, $12 - LVX (PTR)(R0), RCON // lvx 4,0,6 Load first 16 bytes into RCON - LVX (PTR)(TEMP), MASK - ADD $0x10, PTR, PTR // addi 6,6,0x10 PTR to next 16 bytes of RCON - MOVD $8, CNT // li 7,8 CNT = 8 - VXOR ZERO, ZERO, ZERO // vxor 0,0,0 Zero to be zero :) - MOVD CNT, CTR // mtctr 7 Set the counter to 8 (rounds) - - // The expanded decrypt key is the expanded encrypt key stored in reverse order. - // Move OUTDEC to the last key location, and store in descending order. - ADD $160, OUTDEC, OUTDEC - BLT loop128 - ADD $32, OUTDEC, OUTDEC - BEQ l192 - ADD $32, OUTDEC, OUTDEC - JMP l256 - -loop128: - // Key schedule (Round 1 to 8) - VPERM IN0, IN0, MASK, KEY // vperm 3,1,1,5 Rotate-n-splat - VSLDOI $12, ZERO, IN0, TMP // vsldoi 6,0,1,12 - STXVD2X IN0, (R0+OUTENC) - STXVD2X IN0, (R0+OUTDEC) - VCIPHERLAST KEY, RCON, KEY // vcipherlast 3,3,4 - ADD $16, OUTENC, OUTENC - ADD $-16, OUTDEC, OUTDEC - - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VADDUWM RCON, RCON, RCON // vadduwm 4,4,4 - VXOR IN0, KEY, IN0 // vxor 1,1,3 - BDNZ loop128 - - LVX (PTR)(R0), RCON // lvx 4,0,6 Last two round keys - - // Key schedule (Round 9) - VPERM IN0, IN0, MASK, KEY // vperm 3,1,1,5 Rotate-n-spat - VSLDOI $12, ZERO, IN0, TMP // vsldoi 6,0,1,12 - STXVD2X IN0, (R0+OUTENC) - STXVD2X IN0, (R0+OUTDEC) - VCIPHERLAST KEY, RCON, KEY // vcipherlast 3,3,4 - ADD $16, OUTENC, OUTENC - ADD $-16, OUTDEC, OUTDEC - - // Key schedule (Round 10) - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VADDUWM RCON, RCON, RCON // vadduwm 4,4,4 - VXOR IN0, KEY, IN0 // vxor 1,1,3 - - VPERM IN0, IN0, MASK, KEY // vperm 3,1,1,5 Rotate-n-splat - VSLDOI $12, ZERO, IN0, TMP // vsldoi 6,0,1,12 - STXVD2X IN0, (R0+OUTENC) - STXVD2X IN0, (R0+OUTDEC) - VCIPHERLAST KEY, RCON, KEY // vcipherlast 3,3,4 - ADD $16, OUTENC, OUTENC - ADD $-16, OUTDEC, OUTDEC - - // Key schedule (Round 11) - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VXOR IN0, KEY, IN0 // vxor 1,1,3 - STXVD2X IN0, (R0+OUTENC) - STXVD2X IN0, (R0+OUTDEC) - - RET - -l192: - LXSDX (INP+R0), IN1 // Load next 8 bytes into upper half of VSR. - XXBRD_ON_LE(IN1, IN1) // and convert to BE ordering on LE hosts. - MOVD $4, CNT // li 7,4 - STXVD2X IN0, (R0+OUTENC) - STXVD2X IN0, (R0+OUTDEC) - ADD $16, OUTENC, OUTENC - ADD $-16, OUTDEC, OUTDEC - VSPLTISB $8, KEY // vspltisb 3,8 - MOVD CNT, CTR // mtctr 7 - VSUBUBM MASK, KEY, MASK // vsububm 5,5,3 - -loop192: - VPERM IN1, IN1, MASK, KEY // vperm 3,2,2,5 - VSLDOI $12, ZERO, IN0, TMP // vsldoi 6,0,1,12 - VCIPHERLAST KEY, RCON, KEY // vcipherlast 3,3,4 - - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - - VSLDOI $8, ZERO, IN1, STAGE // vsldoi 7,0,2,8 - VSPLTW $3, IN0, TMP // vspltw 6,1,3 - VXOR TMP, IN1, TMP // vxor 6,6,2 - VSLDOI $12, ZERO, IN1, IN1 // vsldoi 2,0,2,12 - VADDUWM RCON, RCON, RCON // vadduwm 4,4,4 - VXOR IN1, TMP, IN1 // vxor 2,2,6 - VXOR IN0, KEY, IN0 // vxor 1,1,3 - VXOR IN1, KEY, IN1 // vxor 2,2,3 - VSLDOI $8, STAGE, IN0, STAGE // vsldoi 7,7,1,8 - - VPERM IN1, IN1, MASK, KEY // vperm 3,2,2,5 - VSLDOI $12, ZERO, IN0, TMP // vsldoi 6,0,1,12 - STXVD2X STAGE, (R0+OUTENC) - STXVD2X STAGE, (R0+OUTDEC) - VCIPHERLAST KEY, RCON, KEY // vcipherlast 3,3,4 - ADD $16, OUTENC, OUTENC - ADD $-16, OUTDEC, OUTDEC - - VSLDOI $8, IN0, IN1, STAGE // vsldoi 7,1,2,8 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - STXVD2X STAGE, (R0+OUTENC) - STXVD2X STAGE, (R0+OUTDEC) - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - ADD $16, OUTENC, OUTENC - ADD $-16, OUTDEC, OUTDEC - - VSPLTW $3, IN0, TMP // vspltw 6,1,3 - VXOR TMP, IN1, TMP // vxor 6,6,2 - VSLDOI $12, ZERO, IN1, IN1 // vsldoi 2,0,2,12 - VADDUWM RCON, RCON, RCON // vadduwm 4,4,4 - VXOR IN1, TMP, IN1 // vxor 2,2,6 - VXOR IN0, KEY, IN0 // vxor 1,1,3 - VXOR IN1, KEY, IN1 // vxor 2,2,3 - STXVD2X IN0, (R0+OUTENC) - STXVD2X IN0, (R0+OUTDEC) - ADD $16, OUTENC, OUTENC - ADD $-16, OUTDEC, OUTDEC - BDNZ loop192 - - RET - -l256: - P8_LXVB16X(INP, R0, IN1) - MOVD $7, CNT // li 7,7 - STXVD2X IN0, (R0+OUTENC) - STXVD2X IN0, (R0+OUTDEC) - ADD $16, OUTENC, OUTENC - ADD $-16, OUTDEC, OUTDEC - MOVD CNT, CTR // mtctr 7 - -loop256: - VPERM IN1, IN1, MASK, KEY // vperm 3,2,2,5 - VSLDOI $12, ZERO, IN0, TMP // vsldoi 6,0,1,12 - STXVD2X IN1, (R0+OUTENC) - STXVD2X IN1, (R0+OUTDEC) - VCIPHERLAST KEY, RCON, KEY // vcipherlast 3,3,4 - ADD $16, OUTENC, OUTENC - ADD $-16, OUTDEC, OUTDEC - - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN0, TMP, IN0 // vxor 1,1,6 - VADDUWM RCON, RCON, RCON // vadduwm 4,4,4 - VXOR IN0, KEY, IN0 // vxor 1,1,3 - STXVD2X IN0, (R0+OUTENC) - STXVD2X IN0, (R0+OUTDEC) - ADD $16, OUTENC, OUTENC - ADD $-16, OUTDEC, OUTDEC - BDZ done - - VSPLTW $3, IN0, KEY // vspltw 3,1,3 - VSLDOI $12, ZERO, IN1, TMP // vsldoi 6,0,2,12 - VSBOX KEY, KEY // vsbox 3,3 - - VXOR IN1, TMP, IN1 // vxor 2,2,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN1, TMP, IN1 // vxor 2,2,6 - VSLDOI $12, ZERO, TMP, TMP // vsldoi 6,0,6,12 - VXOR IN1, TMP, IN1 // vxor 2,2,6 - - VXOR IN1, KEY, IN1 // vxor 2,2,3 - JMP loop256 // b .Loop256 - -done: - RET - -// func encryptBlockAsm(nr int, xk *uint32, dst, src *byte) -TEXT ·encryptBlockAsm(SB), NOSPLIT|NOFRAME, $0 - MOVD nr+0(FP), R6 // Round count/Key size - MOVD xk+8(FP), R5 // Key pointer - MOVD dst+16(FP), R3 // Dest pointer - MOVD src+24(FP), R4 // Src pointer - SETUP_ESPERM(R7) - - // Set CR{1,2,3}EQ to hold the key size information. - CMPU R6, $10, CR1 - CMPU R6, $12, CR2 - CMPU R6, $14, CR3 - - MOVD $16, R6 - MOVD $32, R7 - MOVD $48, R8 - MOVD $64, R9 - MOVD $80, R10 - MOVD $96, R11 - MOVD $112, R12 - - // Load text in BE order - P8_LXVB16X(R4, R0, V0) - - // V1, V2 will hold keys, V0 is a temp. - // At completion, V2 will hold the ciphertext. - // Load xk[0:3] and xor with text - LXVD2X (R0+R5), V1 - VXOR V0, V1, V0 - - // Load xk[4:11] and cipher - LXVD2X (R6+R5), V1 - LXVD2X (R7+R5), V2 - VCIPHER V0, V1, V0 - VCIPHER V0, V2, V0 - - // Load xk[12:19] and cipher - LXVD2X (R8+R5), V1 - LXVD2X (R9+R5), V2 - VCIPHER V0, V1, V0 - VCIPHER V0, V2, V0 - - // Load xk[20:27] and cipher - LXVD2X (R10+R5), V1 - LXVD2X (R11+R5), V2 - VCIPHER V0, V1, V0 - VCIPHER V0, V2, V0 - - // Increment xk pointer to reuse constant offsets in R6-R12. - ADD $112, R5 - - // Load xk[28:35] and cipher - LXVD2X (R0+R5), V1 - LXVD2X (R6+R5), V2 - VCIPHER V0, V1, V0 - VCIPHER V0, V2, V0 - - // Load xk[36:43] and cipher - LXVD2X (R7+R5), V1 - LXVD2X (R8+R5), V2 - BEQ CR1, Ldec_tail // Key size 10? - VCIPHER V0, V1, V0 - VCIPHER V0, V2, V0 - - // Load xk[44:51] and cipher - LXVD2X (R9+R5), V1 - LXVD2X (R10+R5), V2 - BEQ CR2, Ldec_tail // Key size 12? - VCIPHER V0, V1, V0 - VCIPHER V0, V2, V0 - - // Load xk[52:59] and cipher - LXVD2X (R11+R5), V1 - LXVD2X (R12+R5), V2 - BNE CR3, Linvalid_key_len // Not key size 14? - // Fallthrough to final cipher - -Ldec_tail: - // Cipher last two keys such that key information is - // cleared from V1 and V2. - VCIPHER V0, V1, V1 - VCIPHERLAST V1, V2, V2 - - // Store the result in BE order. - P8_STXVB16X(V2, R3, R0) - RET - -Linvalid_key_len: - // Segfault, this should never happen. Only 3 keys sizes are created/used. - MOVD R0, 0(R0) - RET - -// func decryptBlockAsm(nr int, xk *uint32, dst, src *byte) -TEXT ·decryptBlockAsm(SB), NOSPLIT|NOFRAME, $0 - MOVD nr+0(FP), R6 // Round count/Key size - MOVD xk+8(FP), R5 // Key pointer - MOVD dst+16(FP), R3 // Dest pointer - MOVD src+24(FP), R4 // Src pointer - SETUP_ESPERM(R7) - - // Set CR{1,2,3}EQ to hold the key size information. - CMPU R6, $10, CR1 - CMPU R6, $12, CR2 - CMPU R6, $14, CR3 - - MOVD $16, R6 - MOVD $32, R7 - MOVD $48, R8 - MOVD $64, R9 - MOVD $80, R10 - MOVD $96, R11 - MOVD $112, R12 - - // Load text in BE order - P8_LXVB16X(R4, R0, V0) - - // V1, V2 will hold keys, V0 is a temp. - // At completion, V2 will hold the text. - // Load xk[0:3] and xor with ciphertext - LXVD2X (R0+R5), V1 - VXOR V0, V1, V0 - - // Load xk[4:11] and cipher - LXVD2X (R6+R5), V1 - LXVD2X (R7+R5), V2 - VNCIPHER V0, V1, V0 - VNCIPHER V0, V2, V0 - - // Load xk[12:19] and cipher - LXVD2X (R8+R5), V1 - LXVD2X (R9+R5), V2 - VNCIPHER V0, V1, V0 - VNCIPHER V0, V2, V0 - - // Load xk[20:27] and cipher - LXVD2X (R10+R5), V1 - LXVD2X (R11+R5), V2 - VNCIPHER V0, V1, V0 - VNCIPHER V0, V2, V0 - - // Increment xk pointer to reuse constant offsets in R6-R12. - ADD $112, R5 - - // Load xk[28:35] and cipher - LXVD2X (R0+R5), V1 - LXVD2X (R6+R5), V2 - VNCIPHER V0, V1, V0 - VNCIPHER V0, V2, V0 - - // Load xk[36:43] and cipher - LXVD2X (R7+R5), V1 - LXVD2X (R8+R5), V2 - BEQ CR1, Ldec_tail // Key size 10? - VNCIPHER V0, V1, V0 - VNCIPHER V0, V2, V0 - - // Load xk[44:51] and cipher - LXVD2X (R9+R5), V1 - LXVD2X (R10+R5), V2 - BEQ CR2, Ldec_tail // Key size 12? - VNCIPHER V0, V1, V0 - VNCIPHER V0, V2, V0 - - // Load xk[52:59] and cipher - LXVD2X (R11+R5), V1 - LXVD2X (R12+R5), V2 - BNE CR3, Linvalid_key_len // Not key size 14? - // Fallthrough to final cipher - -Ldec_tail: - // Cipher last two keys such that key information is - // cleared from V1 and V2. - VNCIPHER V0, V1, V1 - VNCIPHERLAST V1, V2, V2 - - // Store the result in BE order. - P8_STXVB16X(V2, R3, R0) - RET - -Linvalid_key_len: - // Segfault, this should never happen. Only 3 keys sizes are created/used. - MOVD R0, 0(R0) - RET - -// Remove defines from above so they can be defined here -#undef INP -#undef OUTENC -#undef ROUNDS -#undef KEY -#undef TMP - -#define INP R3 -#define OUTP R4 -#define LEN R5 -#define KEYP R6 -#define ROUNDS R7 -#define IVP R8 -#define ENC R9 - -#define INOUT V2 -#define TMP V3 -#define IVEC V4 - -// Load the crypt key into VSRs. -// -// The expanded key is stored and loaded using -// STXVD2X/LXVD2X. The in-memory byte ordering -// depends on the endianness of the machine. The -// expanded keys are generated by expandKeyAsm above. -// -// Rkeyp holds the key pointer. It is clobbered. Once -// the expanded keys are loaded, it is not needed. -// -// R12,R14-R21 are scratch registers. -// For keyp of 10, V6, V11-V20 hold the expanded key. -// For keyp of 12, V6, V9-V20 hold the expanded key. -// For keyp of 14, V6, V7-V20 hold the expanded key. -#define LOAD_KEY(Rkeyp) \ - MOVD $16, R12 \ - MOVD $32, R14 \ - MOVD $48, R15 \ - MOVD $64, R16 \ - MOVD $80, R17 \ - MOVD $96, R18 \ - MOVD $112, R19 \ - MOVD $128, R20 \ - MOVD $144, R21 \ - LXVD2X (R0+Rkeyp), V6 \ - ADD $16, Rkeyp \ - BEQ CR1, L_start10 \ - BEQ CR2, L_start12 \ - LXVD2X (R0+Rkeyp), V7 \ - LXVD2X (R12+Rkeyp), V8 \ - ADD $32, Rkeyp \ - L_start12: \ - LXVD2X (R0+Rkeyp), V9 \ - LXVD2X (R12+Rkeyp), V10 \ - ADD $32, Rkeyp \ - L_start10: \ - LXVD2X (R0+Rkeyp), V11 \ - LXVD2X (R12+Rkeyp), V12 \ - LXVD2X (R14+Rkeyp), V13 \ - LXVD2X (R15+Rkeyp), V14 \ - LXVD2X (R16+Rkeyp), V15 \ - LXVD2X (R17+Rkeyp), V16 \ - LXVD2X (R18+Rkeyp), V17 \ - LXVD2X (R19+Rkeyp), V18 \ - LXVD2X (R20+Rkeyp), V19 \ - LXVD2X (R21+Rkeyp), V20 - -// Perform aes cipher operation for keysize 10/12/14 using the keys -// loaded by LOAD_KEY, and key size information held in CR1EQ/CR2EQ. -// -// Vxor is ideally V6 (Key[0-3]), but for slightly improved encrypting -// performance V6 and IVEC can be swapped (xor is both associative and -// commutative) during encryption: -// -// VXOR INOUT, IVEC, INOUT -// VXOR INOUT, V6, INOUT -// -// into -// -// VXOR INOUT, V6, INOUT -// VXOR INOUT, IVEC, INOUT -// -#define CIPHER_BLOCK(Vin, Vxor, Vout, vcipher, vciphel, label10, label12) \ - VXOR Vin, Vxor, Vout \ - BEQ CR1, label10 \ - BEQ CR2, label12 \ - vcipher Vout, V7, Vout \ - vcipher Vout, V8, Vout \ - label12: \ - vcipher Vout, V9, Vout \ - vcipher Vout, V10, Vout \ - label10: \ - vcipher Vout, V11, Vout \ - vcipher Vout, V12, Vout \ - vcipher Vout, V13, Vout \ - vcipher Vout, V14, Vout \ - vcipher Vout, V15, Vout \ - vcipher Vout, V16, Vout \ - vcipher Vout, V17, Vout \ - vcipher Vout, V18, Vout \ - vcipher Vout, V19, Vout \ - vciphel Vout, V20, Vout \ - -#define CLEAR_KEYS() \ - VXOR V6, V6, V6 \ - VXOR V7, V7, V7 \ - VXOR V8, V8, V8 \ - VXOR V9, V9, V9 \ - VXOR V10, V10, V10 \ - VXOR V11, V11, V11 \ - VXOR V12, V12, V12 \ - VXOR V13, V13, V13 \ - VXOR V14, V14, V14 \ - VXOR V15, V15, V15 \ - VXOR V16, V16, V16 \ - VXOR V17, V17, V17 \ - VXOR V18, V18, V18 \ - VXOR V19, V19, V19 \ - VXOR V20, V20, V20 - -//func cryptBlocksChain(src, dst *byte, length int, key *uint32, iv *byte, enc int, nr int) -TEXT ·cryptBlocksChain(SB), NOSPLIT|NOFRAME, $0 - MOVD src+0(FP), INP - MOVD dst+8(FP), OUTP - MOVD length+16(FP), LEN - MOVD key+24(FP), KEYP - MOVD iv+32(FP), IVP - MOVD enc+40(FP), ENC - MOVD nr+48(FP), ROUNDS - - SETUP_ESPERM(R11) - - // Assume len > 0 && len % blockSize == 0. - CMPW ENC, $0 - P8_LXVB16X(IVP, R0, IVEC) - CMPU ROUNDS, $10, CR1 - CMPU ROUNDS, $12, CR2 // Only sizes 10/12/14 are supported. - - // Setup key in VSRs, and set loop count in CTR. - LOAD_KEY(KEYP) - SRD $4, LEN - MOVD LEN, CTR - - BEQ Lcbc_dec - - PCALIGN $16 -Lcbc_enc: - P8_LXVB16X(INP, R0, INOUT) - ADD $16, INP - VXOR INOUT, V6, INOUT - CIPHER_BLOCK(INOUT, IVEC, INOUT, VCIPHER, VCIPHERLAST, Lcbc_enc10, Lcbc_enc12) - VOR INOUT, INOUT, IVEC // ciphertext (INOUT) is IVEC for next block. - P8_STXVB16X(INOUT, OUTP, R0) - ADD $16, OUTP - BDNZ Lcbc_enc - - P8_STXVB16X(INOUT, IVP, R0) - CLEAR_KEYS() - RET - - PCALIGN $16 -Lcbc_dec: - P8_LXVB16X(INP, R0, TMP) - ADD $16, INP - CIPHER_BLOCK(TMP, V6, INOUT, VNCIPHER, VNCIPHERLAST, Lcbc_dec10, Lcbc_dec12) - VXOR INOUT, IVEC, INOUT - VOR TMP, TMP, IVEC // TMP is IVEC for next block. - P8_STXVB16X(INOUT, OUTP, R0) - ADD $16, OUTP - BDNZ Lcbc_dec - - P8_STXVB16X(IVEC, IVP, R0) - CLEAR_KEYS() - RET - - -#define DO1_CIPHER(iv0, keyv, key, op) \ - LXVD2X (key), keyv \ - ADD $16, key \ - op iv0, keyv, iv0 - -#define DO2_CIPHER(iv0, iv1, keyv, key, op) \ - DO1_CIPHER(iv0, keyv, key, op) \ - op iv1, keyv, iv1 - -#define DO4_CIPHER(iv0, iv1, iv2, iv3, keyv, key, op) \ - DO2_CIPHER(iv0, iv1, keyv, key, op) \ - op iv2, keyv, iv2 \ - op iv3, keyv, iv3 - -#define DO8_CIPHER(iv0, iv1, iv2, iv3, iv4, iv5, iv6, iv7, keyv, key, op) \ - DO4_CIPHER(iv0, iv1, iv2, iv3, keyv, key, op) \ - op iv4, keyv, iv4 \ - op iv5, keyv, iv5 \ - op iv6, keyv, iv6 \ - op iv7, keyv, iv7 - -#define XOR_STORE(src, iv, dstp, dstpoff) \ - XXLXOR src, iv, V8 \ - P8_STXVB16X(V8,dstp,dstpoff) - -//func ctrBlocks1Asm(nr int, xk *[60]uint32, dst, src *[1 * BlockSize]byte, ivlo, ivhi uint64) -TEXT ·ctrBlocks1Asm(SB), NOSPLIT|NOFRAME, $0 - -#define CTRBLOCK_PROLOGUE \ - MOVD nr+0(FP), R3 \ - MOVD xk+8(FP), R4 \ - MOVD dst+16(FP), R5 \ - MOVD src+24(FP), R6 \ - MOVD ivlo+32(FP), R8 \ - MOVD ivhi+40(FP), R9 \ - CMP R3, $12, CR1 \ - MTVSRD R8, V0 \ - MTVSRD R9, V1 \ - XXPERMDI V1, V0, $0, V0 \ - SETUP_ESPERM(R8) - - CTRBLOCK_PROLOGUE - - DO1_CIPHER(V0,V8,R4,VXOR) - - BEQ CR1, key_12 - BLT CR1, key_10 -key_14: - DO1_CIPHER(V0,V8,R4,VCIPHER) - DO1_CIPHER(V0,V8,R4,VCIPHER) -key_12: - DO1_CIPHER(V0,V8,R4,VCIPHER) - DO1_CIPHER(V0,V8,R4,VCIPHER) -key_10: - P8_LXVB16X(R6,R0,V9) - DO1_CIPHER(V0,V8,R4,VCIPHER) - DO1_CIPHER(V0,V8,R4,VCIPHER) - DO1_CIPHER(V0,V8,R4,VCIPHER) - DO1_CIPHER(V0,V8,R4,VCIPHER) - - DO1_CIPHER(V0,V8,R4,VCIPHER) - DO1_CIPHER(V0,V8,R4,VCIPHER) - DO1_CIPHER(V0,V8,R4,VCIPHER) - DO1_CIPHER(V0,V8,R4,VCIPHER) - - DO1_CIPHER(V0,V8,R4,VCIPHER) - DO1_CIPHER(V0,V8,R4,VCIPHERLAST) - - XOR_STORE(V9,V0,R5,R0) - RET - -//func ctrBlocks2Asm(nr int, xk *[60]uint32, dst, src *[2 * BlockSize]byte, ivlo, ivhi uint64) -TEXT ·ctrBlocks2Asm(SB), NOSPLIT|NOFRAME, $0 - CTRBLOCK_PROLOGUE - - XXLEQV V8, V8, V8 // V0 is -1 - VSUBUQM V0, V8, V1 // Vi = IV + i (as IV - (-1)) - - DO2_CIPHER(V0,V1,V8,R4,VXOR) - - BEQ CR1, key_12 - BLT CR1, key_10 -key_14: - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) -key_12: - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) -key_10: - P8_LXVB16X(R6,R0,V9) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - MOVD $16, R8 - P8_LXVB16X(R6,R8,V10) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - DO2_CIPHER(V0,V1,V8,R4,VCIPHER) - DO2_CIPHER(V0,V1,V8,R4,VCIPHERLAST) - - XOR_STORE(V9,V0,R5,R0) - XOR_STORE(V10,V1,R5,R8) - - RET - -//func ctrBlocks4Asm(nr int, xk *[60]uint32, dst, src *[4 * BlockSize]byte, ivlo, ivhi uint64) -TEXT ·ctrBlocks4Asm(SB), NOSPLIT|NOFRAME, $0 - CTRBLOCK_PROLOGUE - - XXLEQV V8, V8, V8 // V0 is -1 - VSUBUQM V0, V8, V1 // Vi = IV + i (as IV - (-1)) - VSUBUQM V1, V8, V2 - VSUBUQM V2, V8, V3 - - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VXOR) - - BEQ CR1, key_12 - BLT CR1, key_10 -key_14: - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) -key_12: - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) -key_10: - P8_LXVB16X(R6,R0,V9) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - MOVD $16, R8 - P8_LXVB16X(R6,R8,V10) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - MOVD $32, R9 - P8_LXVB16X(R6,R9,V11) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - MOVD $48, R10 - P8_LXVB16X(R6,R10,V12) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHER) - DO4_CIPHER(V0,V1,V2,V3,V8,R4,VCIPHERLAST) - - XOR_STORE(V9,V0,R5,R0) - XOR_STORE(V10,V1,R5,R8) - XOR_STORE(V11,V2,R5,R9) - XOR_STORE(V12,V3,R5,R10) - - RET - -//func ctrBlocks8Asm(nr int, xk *[60]uint32, dst, src *[8 * BlockSize]byte, ivlo, ivhi uint64) -TEXT ·ctrBlocks8Asm(SB), NOSPLIT|NOFRAME, $0 - CTRBLOCK_PROLOGUE - - XXLEQV V8, V8, V8 // V8 is -1 - VSUBUQM V0, V8, V1 // Vi = IV + i (as IV - (-1)) - VADDUQM V8, V8, V9 // V9 is -2 - - VSUBUQM V0, V9, V2 - VSUBUQM V1, V9, V3 - VSUBUQM V2, V9, V4 - VSUBUQM V3, V9, V5 - VSUBUQM V4, V9, V6 - VSUBUQM V5, V9, V7 - - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VXOR) - - BEQ CR1, key_12 - BLT CR1, key_10 -key_14: - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) -key_12: - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) -key_10: - P8_LXVB16X(R6,R0,V9) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - MOVD $16, R8 - P8_LXVB16X(R6,R8,V10) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - MOVD $32, R9 - P8_LXVB16X(R6,R9,V11) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - MOVD $48, R10 - P8_LXVB16X(R6,R10,V12) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - MOVD $64, R11 - P8_LXVB16X(R6,R11,V13) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - MOVD $80, R12 - P8_LXVB16X(R6,R12,V14) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - MOVD $96, R14 - P8_LXVB16X(R6,R14,V15) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - MOVD $112, R15 - P8_LXVB16X(R6,R15,V16) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHER) - DO8_CIPHER(V0,V1,V2,V3,V4,V5,V6,V7,V8,R4,VCIPHERLAST) - - XOR_STORE(V9,V0,R5,R0) - XOR_STORE(V10,V1,R5,R8) - XOR_STORE(V11,V2,R5,R9) - XOR_STORE(V12,V3,R5,R10) - XOR_STORE(V13,V4,R5,R11) - XOR_STORE(V14,V5,R5,R12) - XOR_STORE(V15,V6,R5,R14) - XOR_STORE(V16,V7,R5,R15) - - RET - diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_s390x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_s390x.go deleted file mode 100644 index 72d7b6f763d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_s390x.go +++ /dev/null @@ -1,99 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package aes - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -type code int - -// Function codes for the cipher message family of instructions. -const ( - aes128 code = 18 - aes192 code = 19 - aes256 code = 20 -) - -type block struct { - function code // code for cipher message instruction - key []byte // key (128, 192 or 256 bits) - storage [32]byte // array backing key slice - - fallback *blockExpanded -} - -// cryptBlocks invokes the cipher message (KM) instruction with -// the given function code. This is equivalent to AES in ECB -// mode. The length must be a multiple of BlockSize (16). -// -//go:noescape -func cryptBlocks(c code, key, dst, src *byte, length int) - -var supportsAES = cpu.S390XHasAES && cpu.S390XHasAESCBC - -func init() { - // CP Assist for Cryptographic Functions (CPACF) - // https://www.ibm.com/docs/en/zos/3.1.0?topic=icsf-cp-assist-cryptographic-functions-cpacf - impl.Register("aes", "CPACF", &supportsAES) -} - -func checkGenericIsExpected() { - if supportsAES { - panic("crypto/aes: internal error: using generic implementation despite hardware support") - } -} - -func newBlock(c *Block, key []byte) *Block { - if !supportsAES { - c.fallback = &blockExpanded{} - newBlockExpanded(c.fallback, key) - return c - } - - switch len(key) { - case aes128KeySize: - c.function = aes128 - case aes192KeySize: - c.function = aes192 - case aes256KeySize: - c.function = aes256 - } - c.key = c.storage[:len(key)] - copy(c.key, key) - return c -} - -// BlockFunction returns the function code for the block cipher. -// It is used by the GCM implementation to invoke the KMA instruction. -func BlockFunction(c *Block) int { - return int(c.function) -} - -// BlockKey returns the key for the block cipher. -// It is used by the GCM implementation to invoke the KMA instruction. -func BlockKey(c *Block) []byte { - return c.key -} - -func encryptBlock(c *Block, dst, src []byte) { - if c.fallback != nil { - encryptBlockGeneric(c.fallback, dst, src) - } else { - cryptBlocks(c.function, &c.key[0], &dst[0], &src[0], BlockSize) - } -} - -func decryptBlock(c *Block, dst, src []byte) { - if c.fallback != nil { - decryptBlockGeneric(c.fallback, dst, src) - } else { - // The decrypt function code is equal to the function code + 128. - cryptBlocks(c.function+128, &c.key[0], &dst[0], &src[0], BlockSize) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_s390x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_s390x.s deleted file mode 100644 index 5a60dd03b16..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/aes_s390x.s +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func cryptBlocks(c code, key, dst, src *byte, length int) -TEXT ·cryptBlocks(SB),NOSPLIT,$0-40 - MOVD key+8(FP), R1 - MOVD dst+16(FP), R2 - MOVD src+24(FP), R4 - MOVD length+32(FP), R5 - MOVD c+0(FP), R0 -loop: - KM R2, R4 // cipher message (KM) - BVS loop // branch back if interrupted - XOR R0, R0 - RET - -// func cryptBlocksChain(c code, iv, key, dst, src *byte, length int) -TEXT ·cryptBlocksChain(SB),NOSPLIT,$48-48 - LA params-48(SP), R1 - MOVD iv+8(FP), R8 - MOVD key+16(FP), R9 - MVC $16, 0(R8), 0(R1) // move iv into params - MVC $32, 0(R9), 16(R1) // move key into params - MOVD dst+24(FP), R2 - MOVD src+32(FP), R4 - MOVD length+40(FP), R5 - MOVD c+0(FP), R0 -loop: - KMC R2, R4 // cipher message with chaining (KMC) - BVS loop // branch back if interrupted - XOR R0, R0 - MVC $16, 0(R1), 0(R8) // update iv - RET - diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cast.go deleted file mode 100644 index de8f3676527..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cast.go +++ /dev/null @@ -1,47 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package aes - -import ( - "bytes" - "crypto/internal/fips140" - _ "crypto/internal/fips140/check" - "errors" -) - -func init() { - fips140.CAST("AES-CBC", func() error { - key := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - } - iv := [16]byte{ - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, - } - plaintext := []byte{ - 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, - 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, - } - ciphertext := []byte{ - 0xdf, 0x76, 0x26, 0x4b, 0xd3, 0xb2, 0xc4, 0x8d, - 0x40, 0xa2, 0x6e, 0x7a, 0xc4, 0xff, 0xbd, 0x35, - } - b, err := New(key) - if err != nil { - return err - } - buf := make([]byte, 16) - NewCBCEncrypter(b, iv).CryptBlocks(buf, plaintext) - if !bytes.Equal(buf, ciphertext) { - return errors.New("unexpected result") - } - NewCBCDecrypter(b, iv).CryptBlocks(buf, ciphertext) - if !bytes.Equal(buf, plaintext) { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc.go deleted file mode 100644 index a5a079453f7..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc.go +++ /dev/null @@ -1,130 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package aes - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/alias" - "crypto/internal/fips140/subtle" -) - -type CBCEncrypter struct { - b Block - iv [BlockSize]byte -} - -// NewCBCEncrypter returns a [cipher.BlockMode] which encrypts in cipher block -// chaining mode, using the given Block. -func NewCBCEncrypter(b *Block, iv [BlockSize]byte) *CBCEncrypter { - return &CBCEncrypter{b: *b, iv: iv} -} - -func (c *CBCEncrypter) BlockSize() int { return BlockSize } - -func (c *CBCEncrypter) CryptBlocks(dst, src []byte) { - if len(src)%BlockSize != 0 { - panic("crypto/cipher: input not full blocks") - } - if len(dst) < len(src) { - panic("crypto/cipher: output smaller than input") - } - if alias.InexactOverlap(dst[:len(src)], src) { - panic("crypto/cipher: invalid buffer overlap") - } - fips140.RecordApproved() - if len(src) == 0 { - return - } - cryptBlocksEnc(&c.b, &c.iv, dst, src) -} - -func (x *CBCEncrypter) SetIV(iv []byte) { - if len(iv) != len(x.iv) { - panic("cipher: incorrect length IV") - } - copy(x.iv[:], iv) -} - -func cryptBlocksEncGeneric(b *Block, civ *[BlockSize]byte, dst, src []byte) { - iv := civ[:] - for len(src) > 0 { - // Write the xor to dst, then encrypt in place. - subtle.XORBytes(dst[:BlockSize], src[:BlockSize], iv) - encryptBlock(b, dst[:BlockSize], dst[:BlockSize]) - - // Move to the next block with this block as the next iv. - iv = dst[:BlockSize] - src = src[BlockSize:] - dst = dst[BlockSize:] - } - - // Save the iv for the next CryptBlocks call. - copy(civ[:], iv) -} - -type CBCDecrypter struct { - b Block - iv [BlockSize]byte -} - -// NewCBCDecrypter returns a [cipher.BlockMode] which decrypts in cipher block -// chaining mode, using the given Block. -func NewCBCDecrypter(b *Block, iv [BlockSize]byte) *CBCDecrypter { - return &CBCDecrypter{b: *b, iv: iv} -} - -func (c *CBCDecrypter) BlockSize() int { return BlockSize } - -func (c *CBCDecrypter) CryptBlocks(dst, src []byte) { - if len(src)%BlockSize != 0 { - panic("crypto/cipher: input not full blocks") - } - if len(dst) < len(src) { - panic("crypto/cipher: output smaller than input") - } - if alias.InexactOverlap(dst[:len(src)], src) { - panic("crypto/cipher: invalid buffer overlap") - } - fips140.RecordApproved() - if len(src) == 0 { - return - } - cryptBlocksDec(&c.b, &c.iv, dst, src) -} - -func (x *CBCDecrypter) SetIV(iv []byte) { - if len(iv) != len(x.iv) { - panic("cipher: incorrect length IV") - } - copy(x.iv[:], iv) -} - -func cryptBlocksDecGeneric(b *Block, civ *[BlockSize]byte, dst, src []byte) { - // For each block, we need to xor the decrypted data with the previous - // block's ciphertext (the iv). To avoid making a copy each time, we loop - // over the blocks backwards. - end := len(src) - start := end - BlockSize - prev := start - BlockSize - - // Copy the last block of ciphertext as the IV of the next call. - iv := *civ - copy(civ[:], src[start:end]) - - for start >= 0 { - decryptBlock(b, dst[start:end], src[start:end]) - - if start > 0 { - subtle.XORBytes(dst[start:end], dst[start:end], src[prev:start]) - } else { - // The first block is special because it uses the saved iv. - subtle.XORBytes(dst[start:end], dst[start:end], iv[:]) - } - - end -= BlockSize - start -= BlockSize - prev -= BlockSize - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc_noasm.go deleted file mode 100644 index fd10c2e99fe..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc_noasm.go +++ /dev/null @@ -1,15 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!s390x && !ppc64 && !ppc64le) || purego - -package aes - -func cryptBlocksEnc(b *Block, civ *[BlockSize]byte, dst, src []byte) { - cryptBlocksEncGeneric(b, civ, dst, src) -} - -func cryptBlocksDec(b *Block, civ *[BlockSize]byte, dst, src []byte) { - cryptBlocksDecGeneric(b, civ, dst, src) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc_ppc64x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc_ppc64x.go deleted file mode 100644 index 460bae3d497..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc_ppc64x.go +++ /dev/null @@ -1,31 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (ppc64 || ppc64le) && !purego - -package aes - -// cryptBlocksChain invokes the cipher message identifying encrypt or decrypt. -// -//go:noescape -func cryptBlocksChain(src, dst *byte, length int, key *uint32, iv *byte, enc int, nr int) - -const cbcEncrypt = 1 -const cbcDecrypt = 0 - -func cryptBlocksEnc(b *Block, civ *[BlockSize]byte, dst, src []byte) { - if !supportsAES { - cryptBlocksEncGeneric(b, civ, dst, src) - } else { - cryptBlocksChain(&src[0], &dst[0], len(src), &b.enc[0], &civ[0], cbcEncrypt, b.rounds) - } -} - -func cryptBlocksDec(b *Block, civ *[BlockSize]byte, dst, src []byte) { - if !supportsAES { - cryptBlocksDecGeneric(b, civ, dst, src) - } else { - cryptBlocksChain(&src[0], &dst[0], len(src), &b.dec[0], &civ[0], cbcDecrypt, b.rounds) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc_s390x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc_s390x.go deleted file mode 100644 index b4eb997a60c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/cbc_s390x.go +++ /dev/null @@ -1,30 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package aes - -// cryptBlocksChain invokes the cipher message with chaining (KMC) instruction -// with the given function code. The length must be a multiple of BlockSize (16). -// -//go:noescape -func cryptBlocksChain(c code, iv, key, dst, src *byte, length int) - -func cryptBlocksEnc(b *Block, civ *[BlockSize]byte, dst, src []byte) { - if b.fallback != nil { - cryptBlocksEncGeneric(b, civ, dst, src) - return - } - cryptBlocksChain(b.function, &civ[0], &b.key[0], &dst[0], &src[0], len(src)) -} - -func cryptBlocksDec(b *Block, civ *[BlockSize]byte, dst, src []byte) { - if b.fallback != nil { - cryptBlocksDecGeneric(b, civ, dst, src) - return - } - // Decrypt function code is encrypt + 128. - cryptBlocksChain(b.function+128, &civ[0], &b.key[0], &dst[0], &src[0], len(src)) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/const.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/const.go deleted file mode 100644 index 3ecc922b5a4..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/const.go +++ /dev/null @@ -1,356 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package aes - -// This file contains AES constants - 8720 bytes of initialized data. - -// https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf - -// AES is based on the mathematical behavior of binary polynomials -// (polynomials over GF(2)) modulo the irreducible polynomial x⁸ + x⁴ + x³ + x + 1. -// Addition of these binary polynomials corresponds to binary xor. -// Reducing mod poly corresponds to binary xor with poly every -// time a 0x100 bit appears. -const poly = 1<<8 | 1<<4 | 1<<3 | 1<<1 | 1<<0 // x⁸ + x⁴ + x³ + x + 1 - -// Powers of x mod poly in GF(2). -var powx = [16]byte{ - 0x01, - 0x02, - 0x04, - 0x08, - 0x10, - 0x20, - 0x40, - 0x80, - 0x1b, - 0x36, - 0x6c, - 0xd8, - 0xab, - 0x4d, - 0x9a, - 0x2f, -} - -// FIPS-197 Figure 7. S-box substitution values in hexadecimal format. -var sbox0 = [256]byte{ - 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, - 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, - 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, - 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, - 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, - 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, - 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, - 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, - 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, - 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, - 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, - 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, - 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, - 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, - 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, - 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16, -} - -// FIPS-197 Figure 14. Inverse S-box substitution values in hexadecimal format. -var sbox1 = [256]byte{ - 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, - 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, - 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, - 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, - 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, - 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, - 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, - 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, - 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, - 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, - 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, - 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, - 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, - 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, - 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, - 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d, -} - -// Lookup tables for encryption. -// These can be recomputed by adapting the tests in aes_test.go. - -var te0 = [256]uint32{ - 0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d, 0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554, - 0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d, 0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a, - 0x8fcaca45, 0x1f82829d, 0x89c9c940, 0xfa7d7d87, 0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b, - 0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea, 0x239c9cbf, 0x53a4a4f7, 0xe4727296, 0x9bc0c05b, - 0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a, 0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f, - 0x6834345c, 0x51a5a5f4, 0xd1e5e534, 0xf9f1f108, 0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f, - 0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e, 0x30181828, 0x379696a1, 0x0a05050f, 0x2f9a9ab5, - 0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d, 0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f, - 0x1209091b, 0x1d83839e, 0x582c2c74, 0x341a1a2e, 0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb, - 0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce, 0x5229297b, 0xdde3e33e, 0x5e2f2f71, 0x13848497, - 0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c, 0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed, - 0xd46a6abe, 0x8dcbcb46, 0x67bebed9, 0x7239394b, 0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a, - 0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16, 0x864343c5, 0x9a4d4dd7, 0x66333355, 0x11858594, - 0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81, 0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3, - 0xa25151f3, 0x5da3a3fe, 0x804040c0, 0x058f8f8a, 0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504, - 0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163, 0x20101030, 0xe5ffff1a, 0xfdf3f30e, 0xbfd2d26d, - 0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f, 0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739, - 0x93c4c457, 0x55a7a7f2, 0xfc7e7e82, 0x7a3d3d47, 0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395, - 0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f, 0x44222266, 0x542a2a7e, 0x3b9090ab, 0x0b888883, - 0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c, 0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76, - 0xdbe0e03b, 0x64323256, 0x743a3a4e, 0x140a0a1e, 0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4, - 0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6, 0x399191a8, 0x319595a4, 0xd3e4e437, 0xf279798b, - 0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7, 0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0, - 0xd86c6cb4, 0xac5656fa, 0xf3f4f407, 0xcfeaea25, 0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818, - 0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72, 0x381c1c24, 0x57a6a6f1, 0x73b4b4c7, 0x97c6c651, - 0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21, 0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85, - 0xe0707090, 0x7c3e3e42, 0x71b5b5c4, 0xcc6666aa, 0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12, - 0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0, 0x17868691, 0x99c1c158, 0x3a1d1d27, 0x279e9eb9, - 0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133, 0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7, - 0x2d9b9bb6, 0x3c1e1e22, 0x15878792, 0xc9e9e920, 0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a, - 0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17, 0x65bfbfda, 0xd7e6e631, 0x844242c6, 0xd06868b8, - 0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11, 0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a, -} -var te1 = [256]uint32{ - 0xa5c66363, 0x84f87c7c, 0x99ee7777, 0x8df67b7b, 0x0dfff2f2, 0xbdd66b6b, 0xb1de6f6f, 0x5491c5c5, - 0x50603030, 0x03020101, 0xa9ce6767, 0x7d562b2b, 0x19e7fefe, 0x62b5d7d7, 0xe64dabab, 0x9aec7676, - 0x458fcaca, 0x9d1f8282, 0x4089c9c9, 0x87fa7d7d, 0x15effafa, 0xebb25959, 0xc98e4747, 0x0bfbf0f0, - 0xec41adad, 0x67b3d4d4, 0xfd5fa2a2, 0xea45afaf, 0xbf239c9c, 0xf753a4a4, 0x96e47272, 0x5b9bc0c0, - 0xc275b7b7, 0x1ce1fdfd, 0xae3d9393, 0x6a4c2626, 0x5a6c3636, 0x417e3f3f, 0x02f5f7f7, 0x4f83cccc, - 0x5c683434, 0xf451a5a5, 0x34d1e5e5, 0x08f9f1f1, 0x93e27171, 0x73abd8d8, 0x53623131, 0x3f2a1515, - 0x0c080404, 0x5295c7c7, 0x65462323, 0x5e9dc3c3, 0x28301818, 0xa1379696, 0x0f0a0505, 0xb52f9a9a, - 0x090e0707, 0x36241212, 0x9b1b8080, 0x3ddfe2e2, 0x26cdebeb, 0x694e2727, 0xcd7fb2b2, 0x9fea7575, - 0x1b120909, 0x9e1d8383, 0x74582c2c, 0x2e341a1a, 0x2d361b1b, 0xb2dc6e6e, 0xeeb45a5a, 0xfb5ba0a0, - 0xf6a45252, 0x4d763b3b, 0x61b7d6d6, 0xce7db3b3, 0x7b522929, 0x3edde3e3, 0x715e2f2f, 0x97138484, - 0xf5a65353, 0x68b9d1d1, 0x00000000, 0x2cc1eded, 0x60402020, 0x1fe3fcfc, 0xc879b1b1, 0xedb65b5b, - 0xbed46a6a, 0x468dcbcb, 0xd967bebe, 0x4b723939, 0xde944a4a, 0xd4984c4c, 0xe8b05858, 0x4a85cfcf, - 0x6bbbd0d0, 0x2ac5efef, 0xe54faaaa, 0x16edfbfb, 0xc5864343, 0xd79a4d4d, 0x55663333, 0x94118585, - 0xcf8a4545, 0x10e9f9f9, 0x06040202, 0x81fe7f7f, 0xf0a05050, 0x44783c3c, 0xba259f9f, 0xe34ba8a8, - 0xf3a25151, 0xfe5da3a3, 0xc0804040, 0x8a058f8f, 0xad3f9292, 0xbc219d9d, 0x48703838, 0x04f1f5f5, - 0xdf63bcbc, 0xc177b6b6, 0x75afdada, 0x63422121, 0x30201010, 0x1ae5ffff, 0x0efdf3f3, 0x6dbfd2d2, - 0x4c81cdcd, 0x14180c0c, 0x35261313, 0x2fc3ecec, 0xe1be5f5f, 0xa2359797, 0xcc884444, 0x392e1717, - 0x5793c4c4, 0xf255a7a7, 0x82fc7e7e, 0x477a3d3d, 0xacc86464, 0xe7ba5d5d, 0x2b321919, 0x95e67373, - 0xa0c06060, 0x98198181, 0xd19e4f4f, 0x7fa3dcdc, 0x66442222, 0x7e542a2a, 0xab3b9090, 0x830b8888, - 0xca8c4646, 0x29c7eeee, 0xd36bb8b8, 0x3c281414, 0x79a7dede, 0xe2bc5e5e, 0x1d160b0b, 0x76addbdb, - 0x3bdbe0e0, 0x56643232, 0x4e743a3a, 0x1e140a0a, 0xdb924949, 0x0a0c0606, 0x6c482424, 0xe4b85c5c, - 0x5d9fc2c2, 0x6ebdd3d3, 0xef43acac, 0xa6c46262, 0xa8399191, 0xa4319595, 0x37d3e4e4, 0x8bf27979, - 0x32d5e7e7, 0x438bc8c8, 0x596e3737, 0xb7da6d6d, 0x8c018d8d, 0x64b1d5d5, 0xd29c4e4e, 0xe049a9a9, - 0xb4d86c6c, 0xfaac5656, 0x07f3f4f4, 0x25cfeaea, 0xafca6565, 0x8ef47a7a, 0xe947aeae, 0x18100808, - 0xd56fbaba, 0x88f07878, 0x6f4a2525, 0x725c2e2e, 0x24381c1c, 0xf157a6a6, 0xc773b4b4, 0x5197c6c6, - 0x23cbe8e8, 0x7ca1dddd, 0x9ce87474, 0x213e1f1f, 0xdd964b4b, 0xdc61bdbd, 0x860d8b8b, 0x850f8a8a, - 0x90e07070, 0x427c3e3e, 0xc471b5b5, 0xaacc6666, 0xd8904848, 0x05060303, 0x01f7f6f6, 0x121c0e0e, - 0xa3c26161, 0x5f6a3535, 0xf9ae5757, 0xd069b9b9, 0x91178686, 0x5899c1c1, 0x273a1d1d, 0xb9279e9e, - 0x38d9e1e1, 0x13ebf8f8, 0xb32b9898, 0x33221111, 0xbbd26969, 0x70a9d9d9, 0x89078e8e, 0xa7339494, - 0xb62d9b9b, 0x223c1e1e, 0x92158787, 0x20c9e9e9, 0x4987cece, 0xffaa5555, 0x78502828, 0x7aa5dfdf, - 0x8f038c8c, 0xf859a1a1, 0x80098989, 0x171a0d0d, 0xda65bfbf, 0x31d7e6e6, 0xc6844242, 0xb8d06868, - 0xc3824141, 0xb0299999, 0x775a2d2d, 0x111e0f0f, 0xcb7bb0b0, 0xfca85454, 0xd66dbbbb, 0x3a2c1616, -} -var te2 = [256]uint32{ - 0x63a5c663, 0x7c84f87c, 0x7799ee77, 0x7b8df67b, 0xf20dfff2, 0x6bbdd66b, 0x6fb1de6f, 0xc55491c5, - 0x30506030, 0x01030201, 0x67a9ce67, 0x2b7d562b, 0xfe19e7fe, 0xd762b5d7, 0xabe64dab, 0x769aec76, - 0xca458fca, 0x829d1f82, 0xc94089c9, 0x7d87fa7d, 0xfa15effa, 0x59ebb259, 0x47c98e47, 0xf00bfbf0, - 0xadec41ad, 0xd467b3d4, 0xa2fd5fa2, 0xafea45af, 0x9cbf239c, 0xa4f753a4, 0x7296e472, 0xc05b9bc0, - 0xb7c275b7, 0xfd1ce1fd, 0x93ae3d93, 0x266a4c26, 0x365a6c36, 0x3f417e3f, 0xf702f5f7, 0xcc4f83cc, - 0x345c6834, 0xa5f451a5, 0xe534d1e5, 0xf108f9f1, 0x7193e271, 0xd873abd8, 0x31536231, 0x153f2a15, - 0x040c0804, 0xc75295c7, 0x23654623, 0xc35e9dc3, 0x18283018, 0x96a13796, 0x050f0a05, 0x9ab52f9a, - 0x07090e07, 0x12362412, 0x809b1b80, 0xe23ddfe2, 0xeb26cdeb, 0x27694e27, 0xb2cd7fb2, 0x759fea75, - 0x091b1209, 0x839e1d83, 0x2c74582c, 0x1a2e341a, 0x1b2d361b, 0x6eb2dc6e, 0x5aeeb45a, 0xa0fb5ba0, - 0x52f6a452, 0x3b4d763b, 0xd661b7d6, 0xb3ce7db3, 0x297b5229, 0xe33edde3, 0x2f715e2f, 0x84971384, - 0x53f5a653, 0xd168b9d1, 0x00000000, 0xed2cc1ed, 0x20604020, 0xfc1fe3fc, 0xb1c879b1, 0x5bedb65b, - 0x6abed46a, 0xcb468dcb, 0xbed967be, 0x394b7239, 0x4ade944a, 0x4cd4984c, 0x58e8b058, 0xcf4a85cf, - 0xd06bbbd0, 0xef2ac5ef, 0xaae54faa, 0xfb16edfb, 0x43c58643, 0x4dd79a4d, 0x33556633, 0x85941185, - 0x45cf8a45, 0xf910e9f9, 0x02060402, 0x7f81fe7f, 0x50f0a050, 0x3c44783c, 0x9fba259f, 0xa8e34ba8, - 0x51f3a251, 0xa3fe5da3, 0x40c08040, 0x8f8a058f, 0x92ad3f92, 0x9dbc219d, 0x38487038, 0xf504f1f5, - 0xbcdf63bc, 0xb6c177b6, 0xda75afda, 0x21634221, 0x10302010, 0xff1ae5ff, 0xf30efdf3, 0xd26dbfd2, - 0xcd4c81cd, 0x0c14180c, 0x13352613, 0xec2fc3ec, 0x5fe1be5f, 0x97a23597, 0x44cc8844, 0x17392e17, - 0xc45793c4, 0xa7f255a7, 0x7e82fc7e, 0x3d477a3d, 0x64acc864, 0x5de7ba5d, 0x192b3219, 0x7395e673, - 0x60a0c060, 0x81981981, 0x4fd19e4f, 0xdc7fa3dc, 0x22664422, 0x2a7e542a, 0x90ab3b90, 0x88830b88, - 0x46ca8c46, 0xee29c7ee, 0xb8d36bb8, 0x143c2814, 0xde79a7de, 0x5ee2bc5e, 0x0b1d160b, 0xdb76addb, - 0xe03bdbe0, 0x32566432, 0x3a4e743a, 0x0a1e140a, 0x49db9249, 0x060a0c06, 0x246c4824, 0x5ce4b85c, - 0xc25d9fc2, 0xd36ebdd3, 0xacef43ac, 0x62a6c462, 0x91a83991, 0x95a43195, 0xe437d3e4, 0x798bf279, - 0xe732d5e7, 0xc8438bc8, 0x37596e37, 0x6db7da6d, 0x8d8c018d, 0xd564b1d5, 0x4ed29c4e, 0xa9e049a9, - 0x6cb4d86c, 0x56faac56, 0xf407f3f4, 0xea25cfea, 0x65afca65, 0x7a8ef47a, 0xaee947ae, 0x08181008, - 0xbad56fba, 0x7888f078, 0x256f4a25, 0x2e725c2e, 0x1c24381c, 0xa6f157a6, 0xb4c773b4, 0xc65197c6, - 0xe823cbe8, 0xdd7ca1dd, 0x749ce874, 0x1f213e1f, 0x4bdd964b, 0xbddc61bd, 0x8b860d8b, 0x8a850f8a, - 0x7090e070, 0x3e427c3e, 0xb5c471b5, 0x66aacc66, 0x48d89048, 0x03050603, 0xf601f7f6, 0x0e121c0e, - 0x61a3c261, 0x355f6a35, 0x57f9ae57, 0xb9d069b9, 0x86911786, 0xc15899c1, 0x1d273a1d, 0x9eb9279e, - 0xe138d9e1, 0xf813ebf8, 0x98b32b98, 0x11332211, 0x69bbd269, 0xd970a9d9, 0x8e89078e, 0x94a73394, - 0x9bb62d9b, 0x1e223c1e, 0x87921587, 0xe920c9e9, 0xce4987ce, 0x55ffaa55, 0x28785028, 0xdf7aa5df, - 0x8c8f038c, 0xa1f859a1, 0x89800989, 0x0d171a0d, 0xbfda65bf, 0xe631d7e6, 0x42c68442, 0x68b8d068, - 0x41c38241, 0x99b02999, 0x2d775a2d, 0x0f111e0f, 0xb0cb7bb0, 0x54fca854, 0xbbd66dbb, 0x163a2c16, -} -var te3 = [256]uint32{ - 0x6363a5c6, 0x7c7c84f8, 0x777799ee, 0x7b7b8df6, 0xf2f20dff, 0x6b6bbdd6, 0x6f6fb1de, 0xc5c55491, - 0x30305060, 0x01010302, 0x6767a9ce, 0x2b2b7d56, 0xfefe19e7, 0xd7d762b5, 0xababe64d, 0x76769aec, - 0xcaca458f, 0x82829d1f, 0xc9c94089, 0x7d7d87fa, 0xfafa15ef, 0x5959ebb2, 0x4747c98e, 0xf0f00bfb, - 0xadadec41, 0xd4d467b3, 0xa2a2fd5f, 0xafafea45, 0x9c9cbf23, 0xa4a4f753, 0x727296e4, 0xc0c05b9b, - 0xb7b7c275, 0xfdfd1ce1, 0x9393ae3d, 0x26266a4c, 0x36365a6c, 0x3f3f417e, 0xf7f702f5, 0xcccc4f83, - 0x34345c68, 0xa5a5f451, 0xe5e534d1, 0xf1f108f9, 0x717193e2, 0xd8d873ab, 0x31315362, 0x15153f2a, - 0x04040c08, 0xc7c75295, 0x23236546, 0xc3c35e9d, 0x18182830, 0x9696a137, 0x05050f0a, 0x9a9ab52f, - 0x0707090e, 0x12123624, 0x80809b1b, 0xe2e23ddf, 0xebeb26cd, 0x2727694e, 0xb2b2cd7f, 0x75759fea, - 0x09091b12, 0x83839e1d, 0x2c2c7458, 0x1a1a2e34, 0x1b1b2d36, 0x6e6eb2dc, 0x5a5aeeb4, 0xa0a0fb5b, - 0x5252f6a4, 0x3b3b4d76, 0xd6d661b7, 0xb3b3ce7d, 0x29297b52, 0xe3e33edd, 0x2f2f715e, 0x84849713, - 0x5353f5a6, 0xd1d168b9, 0x00000000, 0xeded2cc1, 0x20206040, 0xfcfc1fe3, 0xb1b1c879, 0x5b5bedb6, - 0x6a6abed4, 0xcbcb468d, 0xbebed967, 0x39394b72, 0x4a4ade94, 0x4c4cd498, 0x5858e8b0, 0xcfcf4a85, - 0xd0d06bbb, 0xefef2ac5, 0xaaaae54f, 0xfbfb16ed, 0x4343c586, 0x4d4dd79a, 0x33335566, 0x85859411, - 0x4545cf8a, 0xf9f910e9, 0x02020604, 0x7f7f81fe, 0x5050f0a0, 0x3c3c4478, 0x9f9fba25, 0xa8a8e34b, - 0x5151f3a2, 0xa3a3fe5d, 0x4040c080, 0x8f8f8a05, 0x9292ad3f, 0x9d9dbc21, 0x38384870, 0xf5f504f1, - 0xbcbcdf63, 0xb6b6c177, 0xdada75af, 0x21216342, 0x10103020, 0xffff1ae5, 0xf3f30efd, 0xd2d26dbf, - 0xcdcd4c81, 0x0c0c1418, 0x13133526, 0xecec2fc3, 0x5f5fe1be, 0x9797a235, 0x4444cc88, 0x1717392e, - 0xc4c45793, 0xa7a7f255, 0x7e7e82fc, 0x3d3d477a, 0x6464acc8, 0x5d5de7ba, 0x19192b32, 0x737395e6, - 0x6060a0c0, 0x81819819, 0x4f4fd19e, 0xdcdc7fa3, 0x22226644, 0x2a2a7e54, 0x9090ab3b, 0x8888830b, - 0x4646ca8c, 0xeeee29c7, 0xb8b8d36b, 0x14143c28, 0xdede79a7, 0x5e5ee2bc, 0x0b0b1d16, 0xdbdb76ad, - 0xe0e03bdb, 0x32325664, 0x3a3a4e74, 0x0a0a1e14, 0x4949db92, 0x06060a0c, 0x24246c48, 0x5c5ce4b8, - 0xc2c25d9f, 0xd3d36ebd, 0xacacef43, 0x6262a6c4, 0x9191a839, 0x9595a431, 0xe4e437d3, 0x79798bf2, - 0xe7e732d5, 0xc8c8438b, 0x3737596e, 0x6d6db7da, 0x8d8d8c01, 0xd5d564b1, 0x4e4ed29c, 0xa9a9e049, - 0x6c6cb4d8, 0x5656faac, 0xf4f407f3, 0xeaea25cf, 0x6565afca, 0x7a7a8ef4, 0xaeaee947, 0x08081810, - 0xbabad56f, 0x787888f0, 0x25256f4a, 0x2e2e725c, 0x1c1c2438, 0xa6a6f157, 0xb4b4c773, 0xc6c65197, - 0xe8e823cb, 0xdddd7ca1, 0x74749ce8, 0x1f1f213e, 0x4b4bdd96, 0xbdbddc61, 0x8b8b860d, 0x8a8a850f, - 0x707090e0, 0x3e3e427c, 0xb5b5c471, 0x6666aacc, 0x4848d890, 0x03030506, 0xf6f601f7, 0x0e0e121c, - 0x6161a3c2, 0x35355f6a, 0x5757f9ae, 0xb9b9d069, 0x86869117, 0xc1c15899, 0x1d1d273a, 0x9e9eb927, - 0xe1e138d9, 0xf8f813eb, 0x9898b32b, 0x11113322, 0x6969bbd2, 0xd9d970a9, 0x8e8e8907, 0x9494a733, - 0x9b9bb62d, 0x1e1e223c, 0x87879215, 0xe9e920c9, 0xcece4987, 0x5555ffaa, 0x28287850, 0xdfdf7aa5, - 0x8c8c8f03, 0xa1a1f859, 0x89898009, 0x0d0d171a, 0xbfbfda65, 0xe6e631d7, 0x4242c684, 0x6868b8d0, - 0x4141c382, 0x9999b029, 0x2d2d775a, 0x0f0f111e, 0xb0b0cb7b, 0x5454fca8, 0xbbbbd66d, 0x16163a2c, -} - -// Lookup tables for decryption. -// These can be recomputed by adapting the tests in aes_test.go. - -var td0 = [256]uint32{ - 0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96, 0x3bab6bcb, 0x1f9d45f1, 0xacfa58ab, 0x4be30393, - 0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25, 0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f, - 0xdeb15a49, 0x25ba1b67, 0x45ea0e98, 0x5dfec0e1, 0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6, - 0x038f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da, 0xd4be832d, 0x587421d3, 0x49e06929, 0x8ec9c844, - 0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd, 0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4, - 0x63df4a18, 0xe51a3182, 0x97513360, 0x62537f45, 0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94, - 0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7, 0xab73d323, 0x724b02e2, 0xe31f8f57, 0x6655ab2a, - 0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5, 0x302887f2, 0x23bfa5b2, 0x02036aba, 0xed16825c, - 0x8acf1c2b, 0xa779b492, 0xf307f2f0, 0x4e69e2a1, 0x65daf4cd, 0x0605bed5, 0xd134621f, 0xc4a6fe8a, - 0x342e539d, 0xa2f355a0, 0x058ae132, 0xa4f6eb75, 0x0b83ec39, 0x4060efaa, 0x5e719f06, 0xbd6e1051, - 0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46, 0x91548db5, 0x71c45d05, 0x0406d46f, 0x605015ff, - 0x1998fb24, 0xd6bde997, 0x894043cc, 0x67d99e77, 0xb0e842bd, 0x07898b88, 0xe7195b38, 0x79c8eedb, - 0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x00000000, 0x09808683, 0x322bed48, 0x1e1170ac, 0x6c5a724e, - 0xfd0efffb, 0x0f853856, 0x3daed51e, 0x362d3927, 0x0a0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a, - 0x0c0a67b1, 0x9357e70f, 0xb4ee96d2, 0x1b9b919e, 0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16, - 0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d, 0x0e090d0b, 0xf28bc7ad, 0x2db6a8b9, 0x141ea9c8, - 0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd, 0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34, - 0x8b432976, 0xcb23c6dc, 0xb6edfc68, 0xb8e4f163, 0xd731dcca, 0x42638510, 0x13972240, 0x84c61120, - 0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d, 0x1d9e2f4b, 0xdcb230f3, 0x0d8652ec, 0x77c1e3d0, - 0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422, 0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef, - 0x87494ec7, 0xd938d1c1, 0x8ccaa2fe, 0x98d40b36, 0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4, - 0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662, 0xf68d13c2, 0x90d8b8e8, 0x2e39f75e, 0x82c3aff5, - 0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3, 0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b, - 0xcd267809, 0x6e5918f4, 0xec9ab701, 0x834f9aa8, 0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6, - 0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6, 0x31a4b2af, 0x2a3f2331, 0xc6a59430, 0x35a266c0, - 0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815, 0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f, - 0x764dd68d, 0x43efb04d, 0xccaa4d54, 0xe49604df, 0x9ed1b5e3, 0x4c6a881b, 0xc12c1fb8, 0x4665517f, - 0x9d5eea04, 0x018c355d, 0xfa877473, 0xfb0b412e, 0xb3671d5a, 0x92dbd252, 0xe9105633, 0x6dd64713, - 0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89, 0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c, - 0x9cd2df59, 0x55f2733f, 0x1814ce79, 0x73c737bf, 0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86, - 0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f, 0x161dc372, 0xbce2250c, 0x283c498b, 0xff0d9541, - 0x39a80171, 0x080cb3de, 0xd8b4e49c, 0x6456c190, 0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742, -} -var td1 = [256]uint32{ - 0x5051f4a7, 0x537e4165, 0xc31a17a4, 0x963a275e, 0xcb3bab6b, 0xf11f9d45, 0xabacfa58, 0x934be303, - 0x552030fa, 0xf6ad766d, 0x9188cc76, 0x25f5024c, 0xfc4fe5d7, 0xd7c52acb, 0x80263544, 0x8fb562a3, - 0x49deb15a, 0x6725ba1b, 0x9845ea0e, 0xe15dfec0, 0x02c32f75, 0x12814cf0, 0xa38d4697, 0xc66bd3f9, - 0xe7038f5f, 0x9515929c, 0xebbf6d7a, 0xda955259, 0x2dd4be83, 0xd3587421, 0x2949e069, 0x448ec9c8, - 0x6a75c289, 0x78f48e79, 0x6b99583e, 0xdd27b971, 0xb6bee14f, 0x17f088ad, 0x66c920ac, 0xb47dce3a, - 0x1863df4a, 0x82e51a31, 0x60975133, 0x4562537f, 0xe0b16477, 0x84bb6bae, 0x1cfe81a0, 0x94f9082b, - 0x58704868, 0x198f45fd, 0x8794de6c, 0xb7527bf8, 0x23ab73d3, 0xe2724b02, 0x57e31f8f, 0x2a6655ab, - 0x07b2eb28, 0x032fb5c2, 0x9a86c57b, 0xa5d33708, 0xf2302887, 0xb223bfa5, 0xba02036a, 0x5ced1682, - 0x2b8acf1c, 0x92a779b4, 0xf0f307f2, 0xa14e69e2, 0xcd65daf4, 0xd50605be, 0x1fd13462, 0x8ac4a6fe, - 0x9d342e53, 0xa0a2f355, 0x32058ae1, 0x75a4f6eb, 0x390b83ec, 0xaa4060ef, 0x065e719f, 0x51bd6e10, - 0xf93e218a, 0x3d96dd06, 0xaedd3e05, 0x464de6bd, 0xb591548d, 0x0571c45d, 0x6f0406d4, 0xff605015, - 0x241998fb, 0x97d6bde9, 0xcc894043, 0x7767d99e, 0xbdb0e842, 0x8807898b, 0x38e7195b, 0xdb79c8ee, - 0x47a17c0a, 0xe97c420f, 0xc9f8841e, 0x00000000, 0x83098086, 0x48322bed, 0xac1e1170, 0x4e6c5a72, - 0xfbfd0eff, 0x560f8538, 0x1e3daed5, 0x27362d39, 0x640a0fd9, 0x21685ca6, 0xd19b5b54, 0x3a24362e, - 0xb10c0a67, 0x0f9357e7, 0xd2b4ee96, 0x9e1b9b91, 0x4f80c0c5, 0xa261dc20, 0x695a774b, 0x161c121a, - 0x0ae293ba, 0xe5c0a02a, 0x433c22e0, 0x1d121b17, 0x0b0e090d, 0xadf28bc7, 0xb92db6a8, 0xc8141ea9, - 0x8557f119, 0x4caf7507, 0xbbee99dd, 0xfda37f60, 0x9ff70126, 0xbc5c72f5, 0xc544663b, 0x345bfb7e, - 0x768b4329, 0xdccb23c6, 0x68b6edfc, 0x63b8e4f1, 0xcad731dc, 0x10426385, 0x40139722, 0x2084c611, - 0x7d854a24, 0xf8d2bb3d, 0x11aef932, 0x6dc729a1, 0x4b1d9e2f, 0xf3dcb230, 0xec0d8652, 0xd077c1e3, - 0x6c2bb316, 0x99a970b9, 0xfa119448, 0x2247e964, 0xc4a8fc8c, 0x1aa0f03f, 0xd8567d2c, 0xef223390, - 0xc787494e, 0xc1d938d1, 0xfe8ccaa2, 0x3698d40b, 0xcfa6f581, 0x28a57ade, 0x26dab78e, 0xa43fadbf, - 0xe42c3a9d, 0x0d507892, 0x9b6a5fcc, 0x62547e46, 0xc2f68d13, 0xe890d8b8, 0x5e2e39f7, 0xf582c3af, - 0xbe9f5d80, 0x7c69d093, 0xa96fd52d, 0xb3cf2512, 0x3bc8ac99, 0xa710187d, 0x6ee89c63, 0x7bdb3bbb, - 0x09cd2678, 0xf46e5918, 0x01ec9ab7, 0xa8834f9a, 0x65e6956e, 0x7eaaffe6, 0x0821bccf, 0xe6ef15e8, - 0xd9bae79b, 0xce4a6f36, 0xd4ea9f09, 0xd629b07c, 0xaf31a4b2, 0x312a3f23, 0x30c6a594, 0xc035a266, - 0x37744ebc, 0xa6fc82ca, 0xb0e090d0, 0x1533a7d8, 0x4af10498, 0xf741ecda, 0x0e7fcd50, 0x2f1791f6, - 0x8d764dd6, 0x4d43efb0, 0x54ccaa4d, 0xdfe49604, 0xe39ed1b5, 0x1b4c6a88, 0xb8c12c1f, 0x7f466551, - 0x049d5eea, 0x5d018c35, 0x73fa8774, 0x2efb0b41, 0x5ab3671d, 0x5292dbd2, 0x33e91056, 0x136dd647, - 0x8c9ad761, 0x7a37a10c, 0x8e59f814, 0x89eb133c, 0xeecea927, 0x35b761c9, 0xede11ce5, 0x3c7a47b1, - 0x599cd2df, 0x3f55f273, 0x791814ce, 0xbf73c737, 0xea53f7cd, 0x5b5ffdaa, 0x14df3d6f, 0x867844db, - 0x81caaff3, 0x3eb968c4, 0x2c382434, 0x5fc2a340, 0x72161dc3, 0x0cbce225, 0x8b283c49, 0x41ff0d95, - 0x7139a801, 0xde080cb3, 0x9cd8b4e4, 0x906456c1, 0x617bcb84, 0x70d532b6, 0x74486c5c, 0x42d0b857, -} -var td2 = [256]uint32{ - 0xa75051f4, 0x65537e41, 0xa4c31a17, 0x5e963a27, 0x6bcb3bab, 0x45f11f9d, 0x58abacfa, 0x03934be3, - 0xfa552030, 0x6df6ad76, 0x769188cc, 0x4c25f502, 0xd7fc4fe5, 0xcbd7c52a, 0x44802635, 0xa38fb562, - 0x5a49deb1, 0x1b6725ba, 0x0e9845ea, 0xc0e15dfe, 0x7502c32f, 0xf012814c, 0x97a38d46, 0xf9c66bd3, - 0x5fe7038f, 0x9c951592, 0x7aebbf6d, 0x59da9552, 0x832dd4be, 0x21d35874, 0x692949e0, 0xc8448ec9, - 0x896a75c2, 0x7978f48e, 0x3e6b9958, 0x71dd27b9, 0x4fb6bee1, 0xad17f088, 0xac66c920, 0x3ab47dce, - 0x4a1863df, 0x3182e51a, 0x33609751, 0x7f456253, 0x77e0b164, 0xae84bb6b, 0xa01cfe81, 0x2b94f908, - 0x68587048, 0xfd198f45, 0x6c8794de, 0xf8b7527b, 0xd323ab73, 0x02e2724b, 0x8f57e31f, 0xab2a6655, - 0x2807b2eb, 0xc2032fb5, 0x7b9a86c5, 0x08a5d337, 0x87f23028, 0xa5b223bf, 0x6aba0203, 0x825ced16, - 0x1c2b8acf, 0xb492a779, 0xf2f0f307, 0xe2a14e69, 0xf4cd65da, 0xbed50605, 0x621fd134, 0xfe8ac4a6, - 0x539d342e, 0x55a0a2f3, 0xe132058a, 0xeb75a4f6, 0xec390b83, 0xefaa4060, 0x9f065e71, 0x1051bd6e, - 0x8af93e21, 0x063d96dd, 0x05aedd3e, 0xbd464de6, 0x8db59154, 0x5d0571c4, 0xd46f0406, 0x15ff6050, - 0xfb241998, 0xe997d6bd, 0x43cc8940, 0x9e7767d9, 0x42bdb0e8, 0x8b880789, 0x5b38e719, 0xeedb79c8, - 0x0a47a17c, 0x0fe97c42, 0x1ec9f884, 0x00000000, 0x86830980, 0xed48322b, 0x70ac1e11, 0x724e6c5a, - 0xfffbfd0e, 0x38560f85, 0xd51e3dae, 0x3927362d, 0xd9640a0f, 0xa621685c, 0x54d19b5b, 0x2e3a2436, - 0x67b10c0a, 0xe70f9357, 0x96d2b4ee, 0x919e1b9b, 0xc54f80c0, 0x20a261dc, 0x4b695a77, 0x1a161c12, - 0xba0ae293, 0x2ae5c0a0, 0xe0433c22, 0x171d121b, 0x0d0b0e09, 0xc7adf28b, 0xa8b92db6, 0xa9c8141e, - 0x198557f1, 0x074caf75, 0xddbbee99, 0x60fda37f, 0x269ff701, 0xf5bc5c72, 0x3bc54466, 0x7e345bfb, - 0x29768b43, 0xc6dccb23, 0xfc68b6ed, 0xf163b8e4, 0xdccad731, 0x85104263, 0x22401397, 0x112084c6, - 0x247d854a, 0x3df8d2bb, 0x3211aef9, 0xa16dc729, 0x2f4b1d9e, 0x30f3dcb2, 0x52ec0d86, 0xe3d077c1, - 0x166c2bb3, 0xb999a970, 0x48fa1194, 0x642247e9, 0x8cc4a8fc, 0x3f1aa0f0, 0x2cd8567d, 0x90ef2233, - 0x4ec78749, 0xd1c1d938, 0xa2fe8cca, 0x0b3698d4, 0x81cfa6f5, 0xde28a57a, 0x8e26dab7, 0xbfa43fad, - 0x9de42c3a, 0x920d5078, 0xcc9b6a5f, 0x4662547e, 0x13c2f68d, 0xb8e890d8, 0xf75e2e39, 0xaff582c3, - 0x80be9f5d, 0x937c69d0, 0x2da96fd5, 0x12b3cf25, 0x993bc8ac, 0x7da71018, 0x636ee89c, 0xbb7bdb3b, - 0x7809cd26, 0x18f46e59, 0xb701ec9a, 0x9aa8834f, 0x6e65e695, 0xe67eaaff, 0xcf0821bc, 0xe8e6ef15, - 0x9bd9bae7, 0x36ce4a6f, 0x09d4ea9f, 0x7cd629b0, 0xb2af31a4, 0x23312a3f, 0x9430c6a5, 0x66c035a2, - 0xbc37744e, 0xcaa6fc82, 0xd0b0e090, 0xd81533a7, 0x984af104, 0xdaf741ec, 0x500e7fcd, 0xf62f1791, - 0xd68d764d, 0xb04d43ef, 0x4d54ccaa, 0x04dfe496, 0xb5e39ed1, 0x881b4c6a, 0x1fb8c12c, 0x517f4665, - 0xea049d5e, 0x355d018c, 0x7473fa87, 0x412efb0b, 0x1d5ab367, 0xd25292db, 0x5633e910, 0x47136dd6, - 0x618c9ad7, 0x0c7a37a1, 0x148e59f8, 0x3c89eb13, 0x27eecea9, 0xc935b761, 0xe5ede11c, 0xb13c7a47, - 0xdf599cd2, 0x733f55f2, 0xce791814, 0x37bf73c7, 0xcdea53f7, 0xaa5b5ffd, 0x6f14df3d, 0xdb867844, - 0xf381caaf, 0xc43eb968, 0x342c3824, 0x405fc2a3, 0xc372161d, 0x250cbce2, 0x498b283c, 0x9541ff0d, - 0x017139a8, 0xb3de080c, 0xe49cd8b4, 0xc1906456, 0x84617bcb, 0xb670d532, 0x5c74486c, 0x5742d0b8, -} -var td3 = [256]uint32{ - 0xf4a75051, 0x4165537e, 0x17a4c31a, 0x275e963a, 0xab6bcb3b, 0x9d45f11f, 0xfa58abac, 0xe303934b, - 0x30fa5520, 0x766df6ad, 0xcc769188, 0x024c25f5, 0xe5d7fc4f, 0x2acbd7c5, 0x35448026, 0x62a38fb5, - 0xb15a49de, 0xba1b6725, 0xea0e9845, 0xfec0e15d, 0x2f7502c3, 0x4cf01281, 0x4697a38d, 0xd3f9c66b, - 0x8f5fe703, 0x929c9515, 0x6d7aebbf, 0x5259da95, 0xbe832dd4, 0x7421d358, 0xe0692949, 0xc9c8448e, - 0xc2896a75, 0x8e7978f4, 0x583e6b99, 0xb971dd27, 0xe14fb6be, 0x88ad17f0, 0x20ac66c9, 0xce3ab47d, - 0xdf4a1863, 0x1a3182e5, 0x51336097, 0x537f4562, 0x6477e0b1, 0x6bae84bb, 0x81a01cfe, 0x082b94f9, - 0x48685870, 0x45fd198f, 0xde6c8794, 0x7bf8b752, 0x73d323ab, 0x4b02e272, 0x1f8f57e3, 0x55ab2a66, - 0xeb2807b2, 0xb5c2032f, 0xc57b9a86, 0x3708a5d3, 0x2887f230, 0xbfa5b223, 0x036aba02, 0x16825ced, - 0xcf1c2b8a, 0x79b492a7, 0x07f2f0f3, 0x69e2a14e, 0xdaf4cd65, 0x05bed506, 0x34621fd1, 0xa6fe8ac4, - 0x2e539d34, 0xf355a0a2, 0x8ae13205, 0xf6eb75a4, 0x83ec390b, 0x60efaa40, 0x719f065e, 0x6e1051bd, - 0x218af93e, 0xdd063d96, 0x3e05aedd, 0xe6bd464d, 0x548db591, 0xc45d0571, 0x06d46f04, 0x5015ff60, - 0x98fb2419, 0xbde997d6, 0x4043cc89, 0xd99e7767, 0xe842bdb0, 0x898b8807, 0x195b38e7, 0xc8eedb79, - 0x7c0a47a1, 0x420fe97c, 0x841ec9f8, 0x00000000, 0x80868309, 0x2bed4832, 0x1170ac1e, 0x5a724e6c, - 0x0efffbfd, 0x8538560f, 0xaed51e3d, 0x2d392736, 0x0fd9640a, 0x5ca62168, 0x5b54d19b, 0x362e3a24, - 0x0a67b10c, 0x57e70f93, 0xee96d2b4, 0x9b919e1b, 0xc0c54f80, 0xdc20a261, 0x774b695a, 0x121a161c, - 0x93ba0ae2, 0xa02ae5c0, 0x22e0433c, 0x1b171d12, 0x090d0b0e, 0x8bc7adf2, 0xb6a8b92d, 0x1ea9c814, - 0xf1198557, 0x75074caf, 0x99ddbbee, 0x7f60fda3, 0x01269ff7, 0x72f5bc5c, 0x663bc544, 0xfb7e345b, - 0x4329768b, 0x23c6dccb, 0xedfc68b6, 0xe4f163b8, 0x31dccad7, 0x63851042, 0x97224013, 0xc6112084, - 0x4a247d85, 0xbb3df8d2, 0xf93211ae, 0x29a16dc7, 0x9e2f4b1d, 0xb230f3dc, 0x8652ec0d, 0xc1e3d077, - 0xb3166c2b, 0x70b999a9, 0x9448fa11, 0xe9642247, 0xfc8cc4a8, 0xf03f1aa0, 0x7d2cd856, 0x3390ef22, - 0x494ec787, 0x38d1c1d9, 0xcaa2fe8c, 0xd40b3698, 0xf581cfa6, 0x7ade28a5, 0xb78e26da, 0xadbfa43f, - 0x3a9de42c, 0x78920d50, 0x5fcc9b6a, 0x7e466254, 0x8d13c2f6, 0xd8b8e890, 0x39f75e2e, 0xc3aff582, - 0x5d80be9f, 0xd0937c69, 0xd52da96f, 0x2512b3cf, 0xac993bc8, 0x187da710, 0x9c636ee8, 0x3bbb7bdb, - 0x267809cd, 0x5918f46e, 0x9ab701ec, 0x4f9aa883, 0x956e65e6, 0xffe67eaa, 0xbccf0821, 0x15e8e6ef, - 0xe79bd9ba, 0x6f36ce4a, 0x9f09d4ea, 0xb07cd629, 0xa4b2af31, 0x3f23312a, 0xa59430c6, 0xa266c035, - 0x4ebc3774, 0x82caa6fc, 0x90d0b0e0, 0xa7d81533, 0x04984af1, 0xecdaf741, 0xcd500e7f, 0x91f62f17, - 0x4dd68d76, 0xefb04d43, 0xaa4d54cc, 0x9604dfe4, 0xd1b5e39e, 0x6a881b4c, 0x2c1fb8c1, 0x65517f46, - 0x5eea049d, 0x8c355d01, 0x877473fa, 0x0b412efb, 0x671d5ab3, 0xdbd25292, 0x105633e9, 0xd647136d, - 0xd7618c9a, 0xa10c7a37, 0xf8148e59, 0x133c89eb, 0xa927eece, 0x61c935b7, 0x1ce5ede1, 0x47b13c7a, - 0xd2df599c, 0xf2733f55, 0x14ce7918, 0xc737bf73, 0xf7cdea53, 0xfdaa5b5f, 0x3d6f14df, 0x44db8678, - 0xaff381ca, 0x68c43eb9, 0x24342c38, 0xa3405fc2, 0x1dc37216, 0xe2250cbc, 0x3c498b28, 0x0d9541ff, - 0xa8017139, 0x0cb3de08, 0xb4e49cd8, 0x56c19064, 0xcb84617b, 0x32b670d5, 0x6c5c7448, 0xb85742d0, -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr.go deleted file mode 100644 index 2e55d233d3a..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr.go +++ /dev/null @@ -1,148 +0,0 @@ -// Copyright 2023 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package aes - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/alias" - "crypto/internal/fips140/subtle" - "crypto/internal/fips140deps/byteorder" - "math/bits" -) - -type CTR struct { - b Block - ivlo, ivhi uint64 // start counter as 64-bit limbs - offset uint64 // for XORKeyStream only -} - -func NewCTR(b *Block, iv []byte) *CTR { - // Allocate the CTR here, in an easily inlineable function, so - // the allocation can be done in the caller's stack frame - // instead of the heap. See issue 70499. - c := newCTR(b, iv) - return &c -} -func newCTR(b *Block, iv []byte) CTR { - if len(iv) != BlockSize { - panic("bad IV length") - } - - return CTR{ - b: *b, - ivlo: byteorder.BEUint64(iv[8:16]), - ivhi: byteorder.BEUint64(iv[0:8]), - offset: 0, - } -} - -func (c *CTR) XORKeyStream(dst, src []byte) { - c.XORKeyStreamAt(dst, src, c.offset) - - var carry uint64 - c.offset, carry = bits.Add64(c.offset, uint64(len(src)), 0) - if carry != 0 { - panic("crypto/aes: counter overflow") - } -} - -// RoundToBlock is used by CTR_DRBG, which discards the rightmost unused bits at -// each request. It rounds the offset up to the next block boundary. -func RoundToBlock(c *CTR) { - if remainder := c.offset % BlockSize; remainder != 0 { - var carry uint64 - c.offset, carry = bits.Add64(c.offset, BlockSize-remainder, 0) - if carry != 0 { - panic("crypto/aes: counter overflow") - } - } -} - -// XORKeyStreamAt behaves like XORKeyStream but keeps no state, and instead -// seeks into the keystream by the given bytes offset from the start (ignoring -// any XORKetStream calls). This allows for random access into the keystream, up -// to 16 EiB from the start. -func (c *CTR) XORKeyStreamAt(dst, src []byte, offset uint64) { - if len(dst) < len(src) { - panic("crypto/aes: len(dst) < len(src)") - } - dst = dst[:len(src)] - if alias.InexactOverlap(dst, src) { - panic("crypto/aes: invalid buffer overlap") - } - fips140.RecordApproved() - - ivlo, ivhi := add128(c.ivlo, c.ivhi, offset/BlockSize) - - if blockOffset := offset % BlockSize; blockOffset != 0 { - // We have a partial block at the beginning. - var in, out [BlockSize]byte - copy(in[blockOffset:], src) - ctrBlocks1(&c.b, &out, &in, ivlo, ivhi) - n := copy(dst, out[blockOffset:]) - src = src[n:] - dst = dst[n:] - ivlo, ivhi = add128(ivlo, ivhi, 1) - } - - for len(src) >= 8*BlockSize { - ctrBlocks8(&c.b, (*[8 * BlockSize]byte)(dst), (*[8 * BlockSize]byte)(src), ivlo, ivhi) - src = src[8*BlockSize:] - dst = dst[8*BlockSize:] - ivlo, ivhi = add128(ivlo, ivhi, 8) - } - - // The tail can have at most 7 = 4 + 2 + 1 blocks. - if len(src) >= 4*BlockSize { - ctrBlocks4(&c.b, (*[4 * BlockSize]byte)(dst), (*[4 * BlockSize]byte)(src), ivlo, ivhi) - src = src[4*BlockSize:] - dst = dst[4*BlockSize:] - ivlo, ivhi = add128(ivlo, ivhi, 4) - } - if len(src) >= 2*BlockSize { - ctrBlocks2(&c.b, (*[2 * BlockSize]byte)(dst), (*[2 * BlockSize]byte)(src), ivlo, ivhi) - src = src[2*BlockSize:] - dst = dst[2*BlockSize:] - ivlo, ivhi = add128(ivlo, ivhi, 2) - } - if len(src) >= 1*BlockSize { - ctrBlocks1(&c.b, (*[1 * BlockSize]byte)(dst), (*[1 * BlockSize]byte)(src), ivlo, ivhi) - src = src[1*BlockSize:] - dst = dst[1*BlockSize:] - ivlo, ivhi = add128(ivlo, ivhi, 1) - } - - if len(src) != 0 { - // We have a partial block at the end. - var in, out [BlockSize]byte - copy(in[:], src) - ctrBlocks1(&c.b, &out, &in, ivlo, ivhi) - copy(dst, out[:]) - } -} - -// Each ctrBlocksN function XORs src with N blocks of counter keystream, and -// stores it in dst. src is loaded in full before storing dst, so they can -// overlap even inexactly. The starting counter value is passed in as a pair of -// little-endian 64-bit integers. - -func ctrBlocks(b *Block, dst, src []byte, ivlo, ivhi uint64) { - buf := make([]byte, len(src), 8*BlockSize) - for i := 0; i < len(buf); i += BlockSize { - byteorder.BEPutUint64(buf[i:], ivhi) - byteorder.BEPutUint64(buf[i+8:], ivlo) - ivlo, ivhi = add128(ivlo, ivhi, 1) - encryptBlock(b, buf[i:], buf[i:]) - } - // XOR into buf first, in case src and dst overlap (see above). - subtle.XORBytes(buf, src, buf) - copy(dst, buf) -} - -func add128(lo, hi uint64, x uint64) (uint64, uint64) { - lo, c := bits.Add64(lo, x, 0) - hi, _ = bits.Add64(hi, 0, c) - return lo, hi -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_amd64.s deleted file mode 100644 index e6710834dd2..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_amd64.s +++ /dev/null @@ -1,494 +0,0 @@ -// Code generated by command: go run ctr_amd64_asm.go -out ../../ctr_amd64.s. DO NOT EDIT. - -//go:build !purego - -#include "textflag.h" - -// func ctrBlocks1Asm(nr int, xk *[60]uint32, dst *[16]byte, src *[16]byte, ivlo uint64, ivhi uint64) -// Requires: AES, SSE, SSE2, SSE4.1, SSSE3 -TEXT ·ctrBlocks1Asm(SB), $0-48 - MOVQ nr+0(FP), AX - MOVQ xk+8(FP), CX - MOVQ dst+16(FP), DX - MOVQ src+24(FP), BX - MOVQ ivlo+32(FP), SI - MOVQ ivhi+40(FP), DI - MOVOU bswapMask<>+0(SB), X0 - MOVQ SI, X1 - PINSRQ $0x01, DI, X1 - PSHUFB X0, X1 - MOVUPS (CX), X0 - PXOR X0, X1 - ADDQ $0x10, CX - SUBQ $0x0c, AX - JE enc192 - JB enc128 - MOVUPS (CX), X0 - AESENC X0, X1 - MOVUPS 16(CX), X0 - AESENC X0, X1 - ADDQ $0x20, CX - -enc192: - MOVUPS (CX), X0 - AESENC X0, X1 - MOVUPS 16(CX), X0 - AESENC X0, X1 - ADDQ $0x20, CX - -enc128: - MOVUPS (CX), X0 - AESENC X0, X1 - MOVUPS 16(CX), X0 - AESENC X0, X1 - MOVUPS 32(CX), X0 - AESENC X0, X1 - MOVUPS 48(CX), X0 - AESENC X0, X1 - MOVUPS 64(CX), X0 - AESENC X0, X1 - MOVUPS 80(CX), X0 - AESENC X0, X1 - MOVUPS 96(CX), X0 - AESENC X0, X1 - MOVUPS 112(CX), X0 - AESENC X0, X1 - MOVUPS 128(CX), X0 - AESENC X0, X1 - MOVUPS 144(CX), X0 - AESENCLAST X0, X1 - MOVUPS (BX), X0 - PXOR X1, X0 - MOVUPS X0, (DX) - RET - -DATA bswapMask<>+0(SB)/8, $0x08090a0b0c0d0e0f -DATA bswapMask<>+8(SB)/8, $0x0001020304050607 -GLOBL bswapMask<>(SB), RODATA|NOPTR, $16 - -// func ctrBlocks2Asm(nr int, xk *[60]uint32, dst *[32]byte, src *[32]byte, ivlo uint64, ivhi uint64) -// Requires: AES, SSE, SSE2, SSE4.1, SSSE3 -TEXT ·ctrBlocks2Asm(SB), $0-48 - MOVQ nr+0(FP), AX - MOVQ xk+8(FP), CX - MOVQ dst+16(FP), DX - MOVQ src+24(FP), BX - MOVQ ivlo+32(FP), SI - MOVQ ivhi+40(FP), DI - MOVOU bswapMask<>+0(SB), X0 - MOVQ SI, X1 - PINSRQ $0x01, DI, X1 - PSHUFB X0, X1 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X2 - PINSRQ $0x01, DI, X2 - PSHUFB X0, X2 - MOVUPS (CX), X0 - PXOR X0, X1 - PXOR X0, X2 - ADDQ $0x10, CX - SUBQ $0x0c, AX - JE enc192 - JB enc128 - MOVUPS (CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 16(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - ADDQ $0x20, CX - -enc192: - MOVUPS (CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 16(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - ADDQ $0x20, CX - -enc128: - MOVUPS (CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 16(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 32(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 48(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 64(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 80(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 96(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 112(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 128(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - MOVUPS 144(CX), X0 - AESENCLAST X0, X1 - AESENCLAST X0, X2 - MOVUPS (BX), X0 - PXOR X1, X0 - MOVUPS X0, (DX) - MOVUPS 16(BX), X0 - PXOR X2, X0 - MOVUPS X0, 16(DX) - RET - -// func ctrBlocks4Asm(nr int, xk *[60]uint32, dst *[64]byte, src *[64]byte, ivlo uint64, ivhi uint64) -// Requires: AES, SSE, SSE2, SSE4.1, SSSE3 -TEXT ·ctrBlocks4Asm(SB), $0-48 - MOVQ nr+0(FP), AX - MOVQ xk+8(FP), CX - MOVQ dst+16(FP), DX - MOVQ src+24(FP), BX - MOVQ ivlo+32(FP), SI - MOVQ ivhi+40(FP), DI - MOVOU bswapMask<>+0(SB), X0 - MOVQ SI, X1 - PINSRQ $0x01, DI, X1 - PSHUFB X0, X1 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X2 - PINSRQ $0x01, DI, X2 - PSHUFB X0, X2 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X3 - PINSRQ $0x01, DI, X3 - PSHUFB X0, X3 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X4 - PINSRQ $0x01, DI, X4 - PSHUFB X0, X4 - MOVUPS (CX), X0 - PXOR X0, X1 - PXOR X0, X2 - PXOR X0, X3 - PXOR X0, X4 - ADDQ $0x10, CX - SUBQ $0x0c, AX - JE enc192 - JB enc128 - MOVUPS (CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 16(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - ADDQ $0x20, CX - -enc192: - MOVUPS (CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 16(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - ADDQ $0x20, CX - -enc128: - MOVUPS (CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 16(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 32(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 48(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 64(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 80(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 96(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 112(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 128(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - MOVUPS 144(CX), X0 - AESENCLAST X0, X1 - AESENCLAST X0, X2 - AESENCLAST X0, X3 - AESENCLAST X0, X4 - MOVUPS (BX), X0 - PXOR X1, X0 - MOVUPS X0, (DX) - MOVUPS 16(BX), X0 - PXOR X2, X0 - MOVUPS X0, 16(DX) - MOVUPS 32(BX), X0 - PXOR X3, X0 - MOVUPS X0, 32(DX) - MOVUPS 48(BX), X0 - PXOR X4, X0 - MOVUPS X0, 48(DX) - RET - -// func ctrBlocks8Asm(nr int, xk *[60]uint32, dst *[128]byte, src *[128]byte, ivlo uint64, ivhi uint64) -// Requires: AES, SSE, SSE2, SSE4.1, SSSE3 -TEXT ·ctrBlocks8Asm(SB), $0-48 - MOVQ nr+0(FP), AX - MOVQ xk+8(FP), CX - MOVQ dst+16(FP), DX - MOVQ src+24(FP), BX - MOVQ ivlo+32(FP), SI - MOVQ ivhi+40(FP), DI - MOVOU bswapMask<>+0(SB), X0 - MOVQ SI, X1 - PINSRQ $0x01, DI, X1 - PSHUFB X0, X1 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X2 - PINSRQ $0x01, DI, X2 - PSHUFB X0, X2 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X3 - PINSRQ $0x01, DI, X3 - PSHUFB X0, X3 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X4 - PINSRQ $0x01, DI, X4 - PSHUFB X0, X4 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X5 - PINSRQ $0x01, DI, X5 - PSHUFB X0, X5 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X6 - PINSRQ $0x01, DI, X6 - PSHUFB X0, X6 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X7 - PINSRQ $0x01, DI, X7 - PSHUFB X0, X7 - ADDQ $0x01, SI - ADCQ $0x00, DI - MOVQ SI, X8 - PINSRQ $0x01, DI, X8 - PSHUFB X0, X8 - MOVUPS (CX), X0 - PXOR X0, X1 - PXOR X0, X2 - PXOR X0, X3 - PXOR X0, X4 - PXOR X0, X5 - PXOR X0, X6 - PXOR X0, X7 - PXOR X0, X8 - ADDQ $0x10, CX - SUBQ $0x0c, AX - JE enc192 - JB enc128 - MOVUPS (CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 16(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - ADDQ $0x20, CX - -enc192: - MOVUPS (CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 16(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - ADDQ $0x20, CX - -enc128: - MOVUPS (CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 16(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 32(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 48(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 64(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 80(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 96(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 112(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 128(CX), X0 - AESENC X0, X1 - AESENC X0, X2 - AESENC X0, X3 - AESENC X0, X4 - AESENC X0, X5 - AESENC X0, X6 - AESENC X0, X7 - AESENC X0, X8 - MOVUPS 144(CX), X0 - AESENCLAST X0, X1 - AESENCLAST X0, X2 - AESENCLAST X0, X3 - AESENCLAST X0, X4 - AESENCLAST X0, X5 - AESENCLAST X0, X6 - AESENCLAST X0, X7 - AESENCLAST X0, X8 - MOVUPS (BX), X0 - PXOR X1, X0 - MOVUPS X0, (DX) - MOVUPS 16(BX), X0 - PXOR X2, X0 - MOVUPS X0, 16(DX) - MOVUPS 32(BX), X0 - PXOR X3, X0 - MOVUPS X0, 32(DX) - MOVUPS 48(BX), X0 - PXOR X4, X0 - MOVUPS X0, 48(DX) - MOVUPS 64(BX), X0 - PXOR X5, X0 - MOVUPS X0, 64(DX) - MOVUPS 80(BX), X0 - PXOR X6, X0 - MOVUPS X0, 80(DX) - MOVUPS 96(BX), X0 - PXOR X7, X0 - MOVUPS X0, 96(DX) - MOVUPS 112(BX), X0 - PXOR X8, X0 - MOVUPS X0, 112(DX) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_arm64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_arm64.s deleted file mode 100644 index fc4ab4eaada..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_arm64.s +++ /dev/null @@ -1,729 +0,0 @@ -// Code generated by ctr_arm64_gen.go. DO NOT EDIT. - -//go:build !purego - -#include "textflag.h" - -#define NR R9 -#define XK R10 -#define DST R11 -#define SRC R12 -#define IV_LOW_LE R16 -#define IV_HIGH_LE R17 -#define IV_LOW_BE R19 -#define IV_HIGH_BE R20 - -// V0.B16 - V7.B16 are for blocks (<=8). See BLOCK_OFFSET. -// V8.B16 - V22.B16 are for <=15 round keys (<=15). See ROUND_KEY_OFFSET. -// V23.B16 - V30.B16 are for destinations (<=8). See DST_OFFSET. - -// func ctrBlocks1Asm(nr int, xk *[60]uint32, dst *[1*16]byte, src *[1*16]byte, ivlo uint64, ivhi uint64) -TEXT ·ctrBlocks1Asm(SB), NOSPLIT, $0 - MOVD nr+0(FP), NR - MOVD xk+8(FP), XK - MOVD dst+16(FP), DST - MOVD src+24(FP), SRC - MOVD ivlo+32(FP), IV_LOW_LE - MOVD ivhi+40(FP), IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V0.D[1] - VMOV IV_HIGH_BE, V0.D[0] - - CMP $12, NR - BLT Lenc128 - BEQ Lenc192 - -Lenc256: - VLD1.P 32(XK), [V8.B16, V9.B16] - - AESE V8.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V9.B16, V0.B16 - AESMC V0.B16, V0.B16 - -Lenc192: - VLD1.P 32(XK), [V10.B16, V11.B16] - - AESE V10.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V11.B16, V0.B16 - AESMC V0.B16, V0.B16 - -Lenc128: - VLD1.P 64(XK), [V12.B16, V13.B16, V14.B16, V15.B16] - VLD1.P 64(XK), [V16.B16, V17.B16, V18.B16, V19.B16] - VLD1.P 48(XK), [V20.B16, V21.B16, V22.B16] - - AESE V12.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V13.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V14.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V15.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V16.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V17.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V18.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V19.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V20.B16, V0.B16 - AESMC V0.B16, V0.B16 - - AESE V21.B16, V0.B16 - - VEOR V0.B16, V22.B16, V0.B16 - - VLD1.P 16(SRC), [V23.B16] - VEOR V23.B16, V0.B16, V23.B16 - VST1.P [V23.B16], 16(DST) - - RET - -// func ctrBlocks2Asm(nr int, xk *[60]uint32, dst *[2*16]byte, src *[2*16]byte, ivlo uint64, ivhi uint64) -TEXT ·ctrBlocks2Asm(SB), NOSPLIT, $0 - MOVD nr+0(FP), NR - MOVD xk+8(FP), XK - MOVD dst+16(FP), DST - MOVD src+24(FP), SRC - MOVD ivlo+32(FP), IV_LOW_LE - MOVD ivhi+40(FP), IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V0.D[1] - VMOV IV_HIGH_BE, V0.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V1.D[1] - VMOV IV_HIGH_BE, V1.D[0] - - CMP $12, NR - BLT Lenc128 - BEQ Lenc192 - -Lenc256: - VLD1.P 32(XK), [V8.B16, V9.B16] - - AESE V8.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V8.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V9.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V9.B16, V1.B16 - AESMC V1.B16, V1.B16 - -Lenc192: - VLD1.P 32(XK), [V10.B16, V11.B16] - - AESE V10.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V10.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V11.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V11.B16, V1.B16 - AESMC V1.B16, V1.B16 - -Lenc128: - VLD1.P 64(XK), [V12.B16, V13.B16, V14.B16, V15.B16] - VLD1.P 64(XK), [V16.B16, V17.B16, V18.B16, V19.B16] - VLD1.P 48(XK), [V20.B16, V21.B16, V22.B16] - - AESE V12.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V12.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V13.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V13.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V14.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V14.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V15.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V15.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V16.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V16.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V17.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V17.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V18.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V18.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V19.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V19.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V20.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V20.B16, V1.B16 - AESMC V1.B16, V1.B16 - - AESE V21.B16, V0.B16 - AESE V21.B16, V1.B16 - - VEOR V0.B16, V22.B16, V0.B16 - VEOR V1.B16, V22.B16, V1.B16 - - VLD1.P 32(SRC), [V23.B16, V24.B16] - VEOR V23.B16, V0.B16, V23.B16 - VEOR V24.B16, V1.B16, V24.B16 - VST1.P [V23.B16, V24.B16], 32(DST) - - RET - -// func ctrBlocks4Asm(nr int, xk *[60]uint32, dst *[4*16]byte, src *[4*16]byte, ivlo uint64, ivhi uint64) -TEXT ·ctrBlocks4Asm(SB), NOSPLIT, $0 - MOVD nr+0(FP), NR - MOVD xk+8(FP), XK - MOVD dst+16(FP), DST - MOVD src+24(FP), SRC - MOVD ivlo+32(FP), IV_LOW_LE - MOVD ivhi+40(FP), IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V0.D[1] - VMOV IV_HIGH_BE, V0.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V1.D[1] - VMOV IV_HIGH_BE, V1.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V2.D[1] - VMOV IV_HIGH_BE, V2.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V3.D[1] - VMOV IV_HIGH_BE, V3.D[0] - - CMP $12, NR - BLT Lenc128 - BEQ Lenc192 - -Lenc256: - VLD1.P 32(XK), [V8.B16, V9.B16] - - AESE V8.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V8.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V8.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V8.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V9.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V9.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V9.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V9.B16, V3.B16 - AESMC V3.B16, V3.B16 - -Lenc192: - VLD1.P 32(XK), [V10.B16, V11.B16] - - AESE V10.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V10.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V10.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V10.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V11.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V11.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V11.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V11.B16, V3.B16 - AESMC V3.B16, V3.B16 - -Lenc128: - VLD1.P 64(XK), [V12.B16, V13.B16, V14.B16, V15.B16] - VLD1.P 64(XK), [V16.B16, V17.B16, V18.B16, V19.B16] - VLD1.P 48(XK), [V20.B16, V21.B16, V22.B16] - - AESE V12.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V12.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V12.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V12.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V13.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V13.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V13.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V13.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V14.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V14.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V14.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V14.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V15.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V15.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V15.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V15.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V16.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V16.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V16.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V16.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V17.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V17.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V17.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V17.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V18.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V18.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V18.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V18.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V19.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V19.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V19.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V19.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V20.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V20.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V20.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V20.B16, V3.B16 - AESMC V3.B16, V3.B16 - - AESE V21.B16, V0.B16 - AESE V21.B16, V1.B16 - AESE V21.B16, V2.B16 - AESE V21.B16, V3.B16 - - VEOR V0.B16, V22.B16, V0.B16 - VEOR V1.B16, V22.B16, V1.B16 - VEOR V2.B16, V22.B16, V2.B16 - VEOR V3.B16, V22.B16, V3.B16 - - VLD1.P 64(SRC), [V23.B16, V24.B16, V25.B16, V26.B16] - VEOR V23.B16, V0.B16, V23.B16 - VEOR V24.B16, V1.B16, V24.B16 - VEOR V25.B16, V2.B16, V25.B16 - VEOR V26.B16, V3.B16, V26.B16 - VST1.P [V23.B16, V24.B16, V25.B16, V26.B16], 64(DST) - - RET - -// func ctrBlocks8Asm(nr int, xk *[60]uint32, dst *[8*16]byte, src *[8*16]byte, ivlo uint64, ivhi uint64) -TEXT ·ctrBlocks8Asm(SB), NOSPLIT, $0 - MOVD nr+0(FP), NR - MOVD xk+8(FP), XK - MOVD dst+16(FP), DST - MOVD src+24(FP), SRC - MOVD ivlo+32(FP), IV_LOW_LE - MOVD ivhi+40(FP), IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V0.D[1] - VMOV IV_HIGH_BE, V0.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V1.D[1] - VMOV IV_HIGH_BE, V1.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V2.D[1] - VMOV IV_HIGH_BE, V2.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V3.D[1] - VMOV IV_HIGH_BE, V3.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V4.D[1] - VMOV IV_HIGH_BE, V4.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V5.D[1] - VMOV IV_HIGH_BE, V5.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V6.D[1] - VMOV IV_HIGH_BE, V6.D[0] - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - VMOV IV_LOW_BE, V7.D[1] - VMOV IV_HIGH_BE, V7.D[0] - - CMP $12, NR - BLT Lenc128 - BEQ Lenc192 - -Lenc256: - VLD1.P 32(XK), [V8.B16, V9.B16] - - AESE V8.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V8.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V8.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V8.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V8.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V8.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V8.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V8.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V9.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V9.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V9.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V9.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V9.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V9.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V9.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V9.B16, V7.B16 - AESMC V7.B16, V7.B16 - -Lenc192: - VLD1.P 32(XK), [V10.B16, V11.B16] - - AESE V10.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V10.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V10.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V10.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V10.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V10.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V10.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V10.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V11.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V11.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V11.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V11.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V11.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V11.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V11.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V11.B16, V7.B16 - AESMC V7.B16, V7.B16 - -Lenc128: - VLD1.P 64(XK), [V12.B16, V13.B16, V14.B16, V15.B16] - VLD1.P 64(XK), [V16.B16, V17.B16, V18.B16, V19.B16] - VLD1.P 48(XK), [V20.B16, V21.B16, V22.B16] - - AESE V12.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V12.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V12.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V12.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V12.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V12.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V12.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V12.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V13.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V13.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V13.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V13.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V13.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V13.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V13.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V13.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V14.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V14.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V14.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V14.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V14.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V14.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V14.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V14.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V15.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V15.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V15.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V15.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V15.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V15.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V15.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V15.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V16.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V16.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V16.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V16.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V16.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V16.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V16.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V16.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V17.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V17.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V17.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V17.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V17.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V17.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V17.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V17.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V18.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V18.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V18.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V18.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V18.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V18.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V18.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V18.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V19.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V19.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V19.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V19.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V19.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V19.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V19.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V19.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V20.B16, V0.B16 - AESMC V0.B16, V0.B16 - AESE V20.B16, V1.B16 - AESMC V1.B16, V1.B16 - AESE V20.B16, V2.B16 - AESMC V2.B16, V2.B16 - AESE V20.B16, V3.B16 - AESMC V3.B16, V3.B16 - AESE V20.B16, V4.B16 - AESMC V4.B16, V4.B16 - AESE V20.B16, V5.B16 - AESMC V5.B16, V5.B16 - AESE V20.B16, V6.B16 - AESMC V6.B16, V6.B16 - AESE V20.B16, V7.B16 - AESMC V7.B16, V7.B16 - - AESE V21.B16, V0.B16 - AESE V21.B16, V1.B16 - AESE V21.B16, V2.B16 - AESE V21.B16, V3.B16 - AESE V21.B16, V4.B16 - AESE V21.B16, V5.B16 - AESE V21.B16, V6.B16 - AESE V21.B16, V7.B16 - - VEOR V0.B16, V22.B16, V0.B16 - VEOR V1.B16, V22.B16, V1.B16 - VEOR V2.B16, V22.B16, V2.B16 - VEOR V3.B16, V22.B16, V3.B16 - VEOR V4.B16, V22.B16, V4.B16 - VEOR V5.B16, V22.B16, V5.B16 - VEOR V6.B16, V22.B16, V6.B16 - VEOR V7.B16, V22.B16, V7.B16 - - VLD1.P 64(SRC), [V23.B16, V24.B16, V25.B16, V26.B16] - VLD1.P 64(SRC), [V27.B16, V28.B16, V29.B16, V30.B16] - VEOR V23.B16, V0.B16, V23.B16 - VEOR V24.B16, V1.B16, V24.B16 - VEOR V25.B16, V2.B16, V25.B16 - VEOR V26.B16, V3.B16, V26.B16 - VEOR V27.B16, V4.B16, V27.B16 - VEOR V28.B16, V5.B16, V28.B16 - VEOR V29.B16, V6.B16, V29.B16 - VEOR V30.B16, V7.B16, V30.B16 - VST1.P [V23.B16, V24.B16, V25.B16, V26.B16], 64(DST) - VST1.P [V27.B16, V28.B16, V29.B16, V30.B16], 64(DST) - - RET - diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_arm64_gen.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_arm64_gen.go deleted file mode 100644 index 1c032083c35..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_arm64_gen.go +++ /dev/null @@ -1,213 +0,0 @@ -// Copyright 2023 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build ignore - -// Generate Go assembly for XORing CTR output to n blocks at once with one key. -package main - -import ( - "fmt" - "os" - "strings" - "text/template" -) - -// First registers in their groups. -const ( - blockOffset = 0 - roundKeyOffset = 8 - dstOffset = 23 -) - -var tmplArm64Str = ` -// Code generated by ctr_arm64_gen.go. DO NOT EDIT. - -//go:build !purego - -#include "textflag.h" - -#define NR R9 -#define XK R10 -#define DST R11 -#define SRC R12 -#define IV_LOW_LE R16 -#define IV_HIGH_LE R17 -#define IV_LOW_BE R19 -#define IV_HIGH_BE R20 - -// V0.B16 - V7.B16 are for blocks (<=8). See BLOCK_OFFSET. -// V8.B16 - V22.B16 are for <=15 round keys (<=15). See ROUND_KEY_OFFSET. -// V23.B16 - V30.B16 are for destinations (<=8). See DST_OFFSET. - -{{define "load_keys"}} - {{- range regs_batches (round_key_reg $.FirstKey) $.NKeys }} - VLD1.P {{ .Size }}(XK), [{{ .Regs }}] - {{- end }} -{{ end }} - -{{define "enc"}} - {{ range $i := xrange $.N -}} - AESE V{{ round_key_reg $.Key}}.B16, V{{ block_reg $i }}.B16 - {{- if $.WithMc }} - AESMC V{{ block_reg $i }}.B16, V{{ block_reg $i }}.B16 - {{- end }} - {{ end }} -{{ end }} - -{{ range $N := $.Sizes }} -// func ctrBlocks{{$N}}Asm(nr int, xk *[60]uint32, dst *[{{$N}}*16]byte, src *[{{$N}}*16]byte, ivlo uint64, ivhi uint64) -TEXT ·ctrBlocks{{ $N }}Asm(SB),NOSPLIT,$0 - MOVD nr+0(FP), NR - MOVD xk+8(FP), XK - MOVD dst+16(FP), DST - MOVD src+24(FP), SRC - MOVD ivlo+32(FP), IV_LOW_LE - MOVD ivhi+40(FP), IV_HIGH_LE - - {{/* Prepare plain from IV and blockIndex. */}} - - {{/* Copy to plaintext registers. */}} - {{ range $i := xrange $N }} - REV IV_LOW_LE, IV_LOW_BE - REV IV_HIGH_LE, IV_HIGH_BE - {{- /* https://developer.arm.com/documentation/dui0801/g/A64-SIMD-Vector-Instructions/MOV--vector--from-general- */}} - VMOV IV_LOW_BE, V{{ block_reg $i }}.D[1] - VMOV IV_HIGH_BE, V{{ block_reg $i }}.D[0] - {{- if ne (add $i 1) $N }} - ADDS $1, IV_LOW_LE - ADC $0, IV_HIGH_LE - {{ end }} - {{ end }} - - {{/* Num rounds branching. */}} - CMP $12, NR - BLT Lenc128 - BEQ Lenc192 - - {{/* 2 extra rounds for 256-bit keys. */}} - Lenc256: - {{- template "load_keys" (load_keys_args 0 2) }} - {{- template "enc" (enc_args 0 $N true) }} - {{- template "enc" (enc_args 1 $N true) }} - - {{/* 2 extra rounds for 192-bit keys. */}} - Lenc192: - {{- template "load_keys" (load_keys_args 2 2) }} - {{- template "enc" (enc_args 2 $N true) }} - {{- template "enc" (enc_args 3 $N true) }} - - {{/* 10 rounds for 128-bit (with special handling for final). */}} - Lenc128: - {{- template "load_keys" (load_keys_args 4 11) }} - {{- range $r := xrange 9 }} - {{- template "enc" (enc_args (add $r 4) $N true) }} - {{ end }} - {{ template "enc" (enc_args 13 $N false) }} - - {{/* We need to XOR blocks with the last round key (key 14, register V22). */}} - {{ range $i := xrange $N }} - VEOR V{{ block_reg $i }}.B16, V{{ round_key_reg 14 }}.B16, V{{ block_reg $i }}.B16 - {{- end }} - - {{/* XOR results to destination. */}} - {{- range regs_batches $.DstOffset $N }} - VLD1.P {{ .Size }}(SRC), [{{ .Regs }}] - {{- end }} - {{- range $i := xrange $N }} - VEOR V{{ add $.DstOffset $i }}.B16, V{{ block_reg $i }}.B16, V{{ add $.DstOffset $i }}.B16 - {{- end }} - {{- range regs_batches $.DstOffset $N }} - VST1.P [{{ .Regs }}], {{ .Size }}(DST) - {{- end }} - - RET -{{ end }} -` - -func main() { - type Params struct { - DstOffset int - Sizes []int - } - - params := Params{ - DstOffset: dstOffset, - Sizes: []int{1, 2, 4, 8}, - } - - type RegsBatch struct { - Size int - Regs string // Comma-separated list of registers. - } - - type LoadKeysArgs struct { - FirstKey int - NKeys int - } - - type EncArgs struct { - Key int - N int - WithMc bool - } - - funcs := template.FuncMap{ - "add": func(a, b int) int { - return a + b - }, - "xrange": func(n int) []int { - result := make([]int, n) - for i := 0; i < n; i++ { - result[i] = i - } - return result - }, - "block_reg": func(block int) int { - return blockOffset + block - }, - "round_key_reg": func(key int) int { - return roundKeyOffset + key - }, - "regs_batches": func(firstReg, nregs int) []RegsBatch { - result := make([]RegsBatch, 0) - for nregs != 0 { - batch := 4 - if nregs < batch { - batch = nregs - } - regsList := make([]string, 0, batch) - for j := firstReg; j < firstReg+batch; j++ { - regsList = append(regsList, fmt.Sprintf("V%d.B16", j)) - } - result = append(result, RegsBatch{ - Size: 16 * batch, - Regs: strings.Join(regsList, ", "), - }) - nregs -= batch - firstReg += batch - } - return result - }, - "enc_args": func(key, n int, withMc bool) EncArgs { - return EncArgs{ - Key: key, - N: n, - WithMc: withMc, - } - }, - "load_keys_args": func(firstKey, nkeys int) LoadKeysArgs { - return LoadKeysArgs{ - FirstKey: firstKey, - NKeys: nkeys, - } - }, - } - - var tmpl = template.Must(template.New("ctr_arm64").Funcs(funcs).Parse(tmplArm64Str)) - - if err := tmpl.Execute(os.Stdout, params); err != nil { - panic(err) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_asm.go deleted file mode 100644 index 463e232c45c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_asm.go +++ /dev/null @@ -1,53 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (amd64 || arm64 || ppc64 || ppc64le) && !purego - -package aes - -//go:generate sh -c "go run ./ctr_arm64_gen.go | asmfmt > ctr_arm64.s" - -//go:noescape -func ctrBlocks1Asm(nr int, xk *[60]uint32, dst, src *[BlockSize]byte, ivlo, ivhi uint64) - -//go:noescape -func ctrBlocks2Asm(nr int, xk *[60]uint32, dst, src *[2 * BlockSize]byte, ivlo, ivhi uint64) - -//go:noescape -func ctrBlocks4Asm(nr int, xk *[60]uint32, dst, src *[4 * BlockSize]byte, ivlo, ivhi uint64) - -//go:noescape -func ctrBlocks8Asm(nr int, xk *[60]uint32, dst, src *[8 * BlockSize]byte, ivlo, ivhi uint64) - -func ctrBlocks1(b *Block, dst, src *[BlockSize]byte, ivlo, ivhi uint64) { - if !supportsAES { - ctrBlocks(b, dst[:], src[:], ivlo, ivhi) - } else { - ctrBlocks1Asm(b.rounds, &b.enc, dst, src, ivlo, ivhi) - } -} - -func ctrBlocks2(b *Block, dst, src *[2 * BlockSize]byte, ivlo, ivhi uint64) { - if !supportsAES { - ctrBlocks(b, dst[:], src[:], ivlo, ivhi) - } else { - ctrBlocks2Asm(b.rounds, &b.enc, dst, src, ivlo, ivhi) - } -} - -func ctrBlocks4(b *Block, dst, src *[4 * BlockSize]byte, ivlo, ivhi uint64) { - if !supportsAES { - ctrBlocks(b, dst[:], src[:], ivlo, ivhi) - } else { - ctrBlocks4Asm(b.rounds, &b.enc, dst, src, ivlo, ivhi) - } -} - -func ctrBlocks8(b *Block, dst, src *[8 * BlockSize]byte, ivlo, ivhi uint64) { - if !supportsAES { - ctrBlocks(b, dst[:], src[:], ivlo, ivhi) - } else { - ctrBlocks8Asm(b.rounds, &b.enc, dst, src, ivlo, ivhi) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_noasm.go deleted file mode 100644 index a170606a6db..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_noasm.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!amd64 && !arm64 && !s390x && !ppc64 && !ppc64le) || purego - -package aes - -func ctrBlocks1(b *Block, dst, src *[BlockSize]byte, ivlo, ivhi uint64) { - ctrBlocks(b, dst[:], src[:], ivlo, ivhi) -} - -func ctrBlocks2(b *Block, dst, src *[2 * BlockSize]byte, ivlo, ivhi uint64) { - ctrBlocks(b, dst[:], src[:], ivlo, ivhi) -} - -func ctrBlocks4(b *Block, dst, src *[4 * BlockSize]byte, ivlo, ivhi uint64) { - ctrBlocks(b, dst[:], src[:], ivlo, ivhi) -} - -func ctrBlocks8(b *Block, dst, src *[8 * BlockSize]byte, ivlo, ivhi uint64) { - ctrBlocks(b, dst[:], src[:], ivlo, ivhi) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_s390x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_s390x.go deleted file mode 100644 index afa8786a727..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ctr_s390x.go +++ /dev/null @@ -1,49 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package aes - -import ( - "crypto/internal/fips140/subtle" - "crypto/internal/fips140deps/byteorder" -) - -func ctrBlocks1(b *Block, dst, src *[BlockSize]byte, ivlo, ivhi uint64) { - ctrBlocksS390x(b, dst[:], src[:], ivlo, ivhi) -} - -func ctrBlocks2(b *Block, dst, src *[2 * BlockSize]byte, ivlo, ivhi uint64) { - ctrBlocksS390x(b, dst[:], src[:], ivlo, ivhi) -} - -func ctrBlocks4(b *Block, dst, src *[4 * BlockSize]byte, ivlo, ivhi uint64) { - ctrBlocksS390x(b, dst[:], src[:], ivlo, ivhi) -} - -func ctrBlocks8(b *Block, dst, src *[8 * BlockSize]byte, ivlo, ivhi uint64) { - ctrBlocksS390x(b, dst[:], src[:], ivlo, ivhi) -} - -func ctrBlocksS390x(b *Block, dst, src []byte, ivlo, ivhi uint64) { - if b.fallback != nil { - ctrBlocks(b, dst, src, ivlo, ivhi) - return - } - - buf := make([]byte, len(src), 8*BlockSize) - for i := 0; i < len(buf); i += BlockSize { - byteorder.BEPutUint64(buf[i:], ivhi) - byteorder.BEPutUint64(buf[i+8:], ivlo) - ivlo, ivhi = add128(ivlo, ivhi, 1) - } - - // Encrypt the buffer using AES in ECB mode. - cryptBlocks(b.function, &b.key[0], &buf[0], &buf[0], len(buf)) - - // XOR into buf first, in case src and dst overlap (see ctrBlocks). - subtle.XORBytes(buf, src, buf) - copy(dst, buf) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/_asm/gcm/gcm_amd64_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/_asm/gcm/gcm_amd64_asm.go deleted file mode 100644 index ed5f14b9386..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/_asm/gcm/gcm_amd64_asm.go +++ /dev/null @@ -1,1568 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This is an optimized implementation of AES-GCM using AES-NI and CLMUL-NI -// The implementation uses some optimization as described in: -// [1] Gueron, S., Kounavis, M.E.: Intel® Carry-Less Multiplication -// Instruction and its Usage for Computing the GCM Mode rev. 2.02 -// [2] Gueron, S., Krasnov, V.: Speeding up Counter Mode in Software and -// Hardware - -package main - -import ( - . "github.com/mmcloughlin/avo/build" - "github.com/mmcloughlin/avo/ir" - . "github.com/mmcloughlin/avo/operand" - . "github.com/mmcloughlin/avo/reg" -) - -//go:generate go run . -out ../../gcm_amd64.s - -var ( - B0 VecPhysical = X0 - B1 = X1 - B2 = X2 - B3 = X3 - B4 = X4 - B5 = X5 - B6 = X6 - B7 = X7 - - ACC0 VecPhysical = X8 - ACC1 = X9 - ACCM = X10 - - T0 VecPhysical = X11 - T1 = X12 - T2 = X13 - POLY = X14 - BSWAP = X15 -) - -func main() { - Package("crypto/aes") - ConstraintExpr("!purego") - - gcmAesFinish() - gcmAesInit() - gcmAesData() - gcmAesEnc() - gcmAesDec() - - Generate() -} - -func gcmAesFinish() { - Implement("gcmAesFinish") - Attributes(NOSPLIT) - AllocLocal(0) - - var ( - pTbl GPPhysical = RDI - tMsk = RSI - tPtr = RDX - plen = RAX - dlen = RCX - ) - - Load(Param("productTable"), pTbl) - Load(Param("tagMask"), tMsk) - Load(Param("T"), tPtr) - Load(Param("pLen"), plen) - Load(Param("dLen"), dlen) - - MOVOU(Mem{Base: tPtr}, ACC0) - MOVOU(Mem{Base: tMsk}, T2) - - bswapMask := bswapMask_DATA() - gcmPoly := gcmPoly_DATA() - MOVOU(bswapMask, BSWAP) - MOVOU(gcmPoly, POLY) - - SHLQ(Imm(3), plen) - SHLQ(Imm(3), dlen) - - MOVQ(plen, B0) - PINSRQ(Imm(1), dlen, B0) - - PXOR(ACC0, B0) - - MOVOU(Mem{Base: pTbl}.Offset(16*14), ACC0) - MOVOU(Mem{Base: pTbl}.Offset(16*15), ACCM) - MOVOU(ACC0, ACC1) - - PCLMULQDQ(Imm(0x00), B0, ACC0) - PCLMULQDQ(Imm(0x11), B0, ACC1) - PSHUFD(Imm(78), B0, T0) - PXOR(B0, T0) - PCLMULQDQ(Imm(0x00), T0, ACCM) - - PXOR(ACC0, ACCM) - PXOR(ACC1, ACCM) - MOVOU(ACCM, T0) - PSRLDQ(Imm(8), ACCM) - PSLLDQ(Imm(8), T0) - PXOR(ACCM, ACC1) - PXOR(T0, ACC0) - - MOVOU(POLY, T0) - PCLMULQDQ(Imm(0x01), ACC0, T0) - PSHUFD(Imm(78), ACC0, ACC0) - PXOR(T0, ACC0) - - MOVOU(POLY, T0) - PCLMULQDQ(Imm(0x01), ACC0, T0) - PSHUFD(Imm(78), ACC0, ACC0) - PXOR(T0, ACC0) - - PXOR(ACC1, ACC0) - - PSHUFB(BSWAP, ACC0) - PXOR(T2, ACC0) - MOVOU(ACC0, Mem{Base: tPtr}) - - RET() -} - -func gcmAesInit() { - Implement("gcmAesInit") - Attributes(NOSPLIT) - AllocLocal(0) - - var ( - dst GPPhysical = RDI - KS = RSI - NR = RDX - ) - - Load(Param("productTable"), dst) - Load(Param("ks").Base(), KS) - Load(Param("ks").Len(), NR) - - SHRQ(Imm(2), NR) - DECQ(NR) - - bswapMask := bswapMask_DATA() - gcmPoly := gcmPoly_DATA() - MOVOU(bswapMask, BSWAP) - MOVOU(gcmPoly, POLY) - - Comment("Encrypt block 0, with the AES key to generate the hash key H") - MOVOU(Mem{Base: KS}.Offset(16*0), B0) - MOVOU(Mem{Base: KS}.Offset(16*1), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*2), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*3), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*4), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*5), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*6), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*7), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*8), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*9), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*10), T0) - CMPQ(NR, Imm(12)) - JB(LabelRef("initEncLast")) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*11), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*12), T0) - JE(LabelRef("initEncLast")) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*13), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: KS}.Offset(16*14), T0) - - initEncLast(dst) - initLoop(dst) - - RET() -} - -func initEncLast(dst GPPhysical) { - Label("initEncLast") - AESENCLAST(T0, B0) - - PSHUFB(BSWAP, B0) - Comment("H * 2") - PSHUFD(Imm(0xff), B0, T0) - MOVOU(B0, T1) - PSRAL(Imm(31), T0) - PAND(POLY, T0) - PSRLL(Imm(31), T1) - PSLLDQ(Imm(4), T1) - PSLLL(Imm(1), B0) - PXOR(T0, B0) - PXOR(T1, B0) - Comment("Karatsuba pre-computations") - MOVOU(B0, Mem{Base: dst}.Offset(16*14)) - PSHUFD(Imm(78), B0, B1) - PXOR(B0, B1) - MOVOU(B1, Mem{Base: dst}.Offset(16*15)) - - MOVOU(B0, B2) - MOVOU(B1, B3) - Comment("Now prepare powers of H and pre-computations for them") - MOVQ(U32(7), RAX) -} - -func initLoop(dst GPPhysical) { - Label("initLoop") - MOVOU(B2, T0) - MOVOU(B2, T1) - MOVOU(B3, T2) - PCLMULQDQ(Imm(0x00), B0, T0) - PCLMULQDQ(Imm(0x11), B0, T1) - PCLMULQDQ(Imm(0x00), B1, T2) - - PXOR(T0, T2) - PXOR(T1, T2) - MOVOU(T2, B4) - PSLLDQ(Imm(8), B4) - PSRLDQ(Imm(8), T2) - PXOR(B4, T0) - PXOR(T2, T1) - - MOVOU(POLY, B2) - PCLMULQDQ(Imm(0x01), T0, B2) - PSHUFD(Imm(78), T0, T0) - PXOR(B2, T0) - MOVOU(POLY, B2) - PCLMULQDQ(Imm(0x01), T0, B2) - PSHUFD(Imm(78), T0, T0) - PXOR(T0, B2) - PXOR(T1, B2) - - MOVOU(B2, Mem{Base: dst}.Offset(16*12)) - PSHUFD(Imm(78), B2, B3) - PXOR(B2, B3) - MOVOU(B3, Mem{Base: dst}.Offset(16*13)) - - DECQ(RAX) - LEAQ(Mem{Base: dst}.Offset(-16*2), dst) - JNE(LabelRef("initLoop")) -} - -func gcmAesData() { - Implement("gcmAesData") - Attributes(NOSPLIT) - AllocLocal(0) - - var ( - pTbl GPPhysical = RDI - aut = RSI - tPtr = RCX - autLen = RDX - ) - - Load(Param("productTable"), pTbl) - Load(Param("data").Base(), aut) - Load(Param("data").Len(), autLen) - Load(Param("T"), tPtr) - - bswapMask := bswapMask_DATA() - gcmPoly := gcmPoly_DATA() - PXOR(ACC0, ACC0) - MOVOU(bswapMask, BSWAP) - MOVOU(gcmPoly, POLY) - - TESTQ(autLen, autLen) - JEQ(LabelRef("dataBail")) - - CMPQ(autLen, Imm(13)) // optimize the TLS case - JE(LabelRef("dataTLS")) - CMPQ(autLen, Imm(128)) - JB(LabelRef("startSinglesLoop")) - JMP(LabelRef("dataOctaLoop")) - - dataTLS(pTbl, aut, autLen) - dataOctaLoop(pTbl, aut, autLen) - startSinglesLoop(pTbl) - dataSinglesLoop(aut, autLen) - dataMul(aut) - dataEnd(aut, autLen) - dataLoadLoop(aut, autLen) - dataBail(tPtr) -} - -func reduceRound(a VecPhysical) { - MOVOU(POLY, T0) - PCLMULQDQ(Imm(0x01), a, T0) - PSHUFD(Imm(78), a, a) - PXOR(T0, a) -} - -func mulRoundAAD(X VecPhysical, i int, pTbl GPPhysical) { - MOVOU(Mem{Base: pTbl}.Offset(16*(i*2)), T1) - MOVOU(T1, T2) - PCLMULQDQ(Imm(0x00), X, T1) - PXOR(T1, ACC0) - PCLMULQDQ(Imm(0x11), X, T2) - PXOR(T2, ACC1) - PSHUFD(Imm(78), X, T1) - PXOR(T1, X) - MOVOU(Mem{Base: pTbl}.Offset(16*(i*2+1)), T1) - PCLMULQDQ(Imm(0x00), X, T1) - PXOR(T1, ACCM) -} - -func dataTLS(pTbl, aut, autLen GPPhysical) { - Label("dataTLS") - MOVOU(Mem{Base: pTbl}.Offset(16*14), T1) - MOVOU(Mem{Base: pTbl}.Offset(16*15), T2) - PXOR(B0, B0) - MOVQ(Mem{Base: aut}, B0) - PINSRD(Imm(2), Mem{Base: aut}.Offset(8), B0) - PINSRB(Imm(12), Mem{Base: aut}.Offset(12), B0) - XORQ(autLen, autLen) - JMP(LabelRef("dataMul")) -} - -func dataOctaLoop(pTbl, aut, autLen GPPhysical) { - Label("dataOctaLoop") - CMPQ(autLen, Imm(128)) - JB(LabelRef("startSinglesLoop")) - SUBQ(Imm(128), autLen) - - MOVOU(Mem{Base: aut}.Offset(16*0), X0) - MOVOU(Mem{Base: aut}.Offset(16*1), X1) - MOVOU(Mem{Base: aut}.Offset(16*2), X2) - MOVOU(Mem{Base: aut}.Offset(16*3), X3) - MOVOU(Mem{Base: aut}.Offset(16*4), X4) - MOVOU(Mem{Base: aut}.Offset(16*5), X5) - MOVOU(Mem{Base: aut}.Offset(16*6), X6) - MOVOU(Mem{Base: aut}.Offset(16*7), X7) - LEAQ(Mem{Base: aut}.Offset(16*8), aut) - PSHUFB(BSWAP, X0) - PSHUFB(BSWAP, X1) - PSHUFB(BSWAP, X2) - PSHUFB(BSWAP, X3) - PSHUFB(BSWAP, X4) - PSHUFB(BSWAP, X5) - PSHUFB(BSWAP, X6) - PSHUFB(BSWAP, X7) - PXOR(ACC0, X0) - - MOVOU(Mem{Base: pTbl}.Offset(16*0), ACC0) - MOVOU(Mem{Base: pTbl}.Offset(16*1), ACCM) - MOVOU(ACC0, ACC1) - PSHUFD(Imm(78), X0, T1) - PXOR(X0, T1) - PCLMULQDQ(Imm(0x00), X0, ACC0) - PCLMULQDQ(Imm(0x11), X0, ACC1) - PCLMULQDQ(Imm(0x00), T1, ACCM) - - mulRoundAAD(X1, 1, pTbl) - mulRoundAAD(X2, 2, pTbl) - mulRoundAAD(X3, 3, pTbl) - mulRoundAAD(X4, 4, pTbl) - mulRoundAAD(X5, 5, pTbl) - mulRoundAAD(X6, 6, pTbl) - mulRoundAAD(X7, 7, pTbl) - - PXOR(ACC0, ACCM) - PXOR(ACC1, ACCM) - MOVOU(ACCM, T0) - PSRLDQ(Imm(8), ACCM) - PSLLDQ(Imm(8), T0) - PXOR(ACCM, ACC1) - PXOR(T0, ACC0) - reduceRound(ACC0) - reduceRound(ACC0) - PXOR(ACC1, ACC0) - JMP(LabelRef("dataOctaLoop")) -} - -func startSinglesLoop(pTbl GPPhysical) { - Label("startSinglesLoop") - MOVOU(Mem{Base: pTbl}.Offset(16*14), T1) - MOVOU(Mem{Base: pTbl}.Offset(16*15), T2) - -} - -func dataSinglesLoop(aut, autLen GPPhysical) { - Label("dataSinglesLoop") - - CMPQ(autLen, Imm(16)) - JB(LabelRef("dataEnd")) - SUBQ(Imm(16), autLen) - - MOVOU(Mem{Base: aut}, B0) -} - -func dataMul(aut GPPhysical) { - Label("dataMul") - PSHUFB(BSWAP, B0) - PXOR(ACC0, B0) - - MOVOU(T1, ACC0) - MOVOU(T2, ACCM) - MOVOU(T1, ACC1) - - PSHUFD(Imm(78), B0, T0) - PXOR(B0, T0) - PCLMULQDQ(Imm(0x00), B0, ACC0) - PCLMULQDQ(Imm(0x11), B0, ACC1) - PCLMULQDQ(Imm(0x00), T0, ACCM) - - PXOR(ACC0, ACCM) - PXOR(ACC1, ACCM) - MOVOU(ACCM, T0) - PSRLDQ(Imm(8), ACCM) - PSLLDQ(Imm(8), T0) - PXOR(ACCM, ACC1) - PXOR(T0, ACC0) - - MOVOU(POLY, T0) - PCLMULQDQ(Imm(0x01), ACC0, T0) - PSHUFD(Imm(78), ACC0, ACC0) - PXOR(T0, ACC0) - - MOVOU(POLY, T0) - PCLMULQDQ(Imm(0x01), ACC0, T0) - PSHUFD(Imm(78), ACC0, ACC0) - PXOR(T0, ACC0) - PXOR(ACC1, ACC0) - - LEAQ(Mem{Base: aut}.Offset(16), aut) - - JMP(LabelRef("dataSinglesLoop")) -} - -func dataEnd(aut, autLen GPPhysical) { - Label("dataEnd") - - TESTQ(autLen, autLen) - JEQ(LabelRef("dataBail")) - - PXOR(B0, B0) - // LEAQ -1(aut)(autLen*1), aut - LEAQ(Mem{Base: aut, Index: autLen, Scale: 1}.Offset(-1), aut) -} - -func dataLoadLoop(aut, autLen GPPhysical) { - Label("dataLoadLoop") - - PSLLDQ(Imm(1), B0) - PINSRB(Imm(0), Mem{Base: aut}, B0) - - LEAQ(Mem{Base: aut}.Offset(-1), aut) - DECQ(autLen) - JNE(LabelRef("dataLoadLoop")) - - JMP(LabelRef("dataMul")) -} - -func dataBail(tPtr GPPhysical) { - Label("dataBail") - MOVOU(ACC0, Mem{Base: tPtr}) - RET() -} - -func gcmAesEnc() { - Implement("gcmAesEnc") - Attributes(0) - AllocLocal(256) - - var ( - pTbl GPPhysical = RDI - ctx = RDX - ctrPtr = RCX - ptx = RSI - ks = RAX - tPtr = R8 - ptxLen = R9 - aluCTR = R10L - aluTMP = R11L - aluK = R12L - NR = R13 - ) - - Load(Param("productTable"), pTbl) - Load(Param("dst").Base(), ctx) - Load(Param("src").Base(), ptx) - Load(Param("src").Len(), ptxLen) - Load(Param("ctr"), ctrPtr) - Load(Param("T"), tPtr) - Load(Param("ks").Base(), ks) - Load(Param("ks").Len(), NR) - - SHRQ(Imm(2), NR) - DECQ(NR) - - bswapMask := bswapMask_DATA() - gcmPoly := gcmPoly_DATA() - MOVOU(bswapMask, BSWAP) - MOVOU(gcmPoly, POLY) - - MOVOU(Mem{Base: tPtr}, ACC0) - PXOR(ACC1, ACC1) - PXOR(ACCM, ACCM) - MOVOU(Mem{Base: ctrPtr}, B0) - MOVL(Mem{Base: ctrPtr}.Offset(3*4), aluCTR) - MOVOU(Mem{Base: ks}, T0) - MOVL(Mem{Base: ks}.Offset(3*4), aluK) - BSWAPL(aluCTR) - BSWAPL(aluK) - - PXOR(B0, T0) - MOVOU(T0, Mem{Base: SP}.Offset(8*16+0*16)) - incrementEnc(0, aluCTR, aluTMP, aluK) - - CMPQ(ptxLen, Imm(128)) - JB(LabelRef("gcmAesEncSingles")) - SUBQ(Imm(128), ptxLen) - - Comment("We have at least 8 blocks to encrypt, prepare the rest of the counters") - MOVOU(T0, Mem{Base: SP}.Offset(8*16+1*16)) - incrementEnc(1, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(8*16+2*16)) - incrementEnc(2, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(8*16+3*16)) - incrementEnc(3, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(8*16+4*16)) - incrementEnc(4, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(8*16+5*16)) - incrementEnc(5, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(8*16+6*16)) - incrementEnc(6, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(8*16+7*16)) - incrementEnc(7, aluCTR, aluTMP, aluK) - - MOVOU(Mem{Base: SP}.Offset(8*16+0*16), B0) - MOVOU(Mem{Base: SP}.Offset(8*16+1*16), B1) - MOVOU(Mem{Base: SP}.Offset(8*16+2*16), B2) - MOVOU(Mem{Base: SP}.Offset(8*16+3*16), B3) - MOVOU(Mem{Base: SP}.Offset(8*16+4*16), B4) - MOVOU(Mem{Base: SP}.Offset(8*16+5*16), B5) - MOVOU(Mem{Base: SP}.Offset(8*16+6*16), B6) - MOVOU(Mem{Base: SP}.Offset(8*16+7*16), B7) - - aesRound(1, ks) - incrementEnc(0, aluCTR, aluTMP, aluK) - aesRound(2, ks) - incrementEnc(1, aluCTR, aluTMP, aluK) - aesRound(3, ks) - incrementEnc(2, aluCTR, aluTMP, aluK) - aesRound(4, ks) - incrementEnc(3, aluCTR, aluTMP, aluK) - aesRound(5, ks) - incrementEnc(4, aluCTR, aluTMP, aluK) - aesRound(6, ks) - incrementEnc(5, aluCTR, aluTMP, aluK) - aesRound(7, ks) - incrementEnc(6, aluCTR, aluTMP, aluK) - aesRound(8, ks) - incrementEnc(7, aluCTR, aluTMP, aluK) - aesRound(9, ks) - MOVOU(Mem{Base: ks}.Offset(16*10), T0) - CMPQ(NR, Imm(12)) - JB(LabelRef("encLast1")) - aesRnd(T0) - aesRound(11, ks) - MOVOU(Mem{Base: ks}.Offset(16*12), T0) - JE(LabelRef("encLast1")) - aesRnd(T0) - aesRound(13, ks) - MOVOU(Mem{Base: ks}.Offset(16*14), T0) - - encLast1(ctx, ptx) - gcmAesEncOctetsLoop(pTbl, ks, ptxLen, aluCTR, aluTMP, aluK, NR) - encLast2(ctx, ptx) - gcmAesEncOctetsEnd(pTbl, ptxLen, aluCTR) - gcmAesEncSingles(pTbl, ks) - gcmAesEncSinglesLoop(ks, ptxLen, aluCTR, aluTMP, aluK, NR) - encLast3(pTbl, ctx, ptx) - gcmAesEncTail(ks, ptxLen, NR) - encLast4(ptx, ptxLen, aluCTR, aluTMP) - ptxLoadLoop(pTbl, ctx, ptx, ptxLen) - gcmAesEncDone(tPtr) -} - -func incrementEnc(i int, aluCTR, aluTMP, aluK GPPhysical) { - ADDL(Imm(1), aluCTR) - MOVL(aluCTR, aluTMP) - XORL(aluK, aluTMP) - BSWAPL(aluTMP) - MOVL(aluTMP, Mem{Base: SP}.Offset(3*4+8*16+i*16)) -} - -func aesRnd(k VecPhysical) { - AESENC(k, B0) - AESENC(k, B1) - AESENC(k, B2) - AESENC(k, B3) - AESENC(k, B4) - AESENC(k, B5) - AESENC(k, B6) - AESENC(k, B7) -} - -func aesRound(i int, ks GPPhysical) { - // MOVOU (16*i)(ks), T0 - MOVOU(Mem{Base: ks}.Offset(16*i), T0) - AESENC(T0, B0) - AESENC(T0, B1) - AESENC(T0, B2) - AESENC(T0, B3) - AESENC(T0, B4) - AESENC(T0, B5) - AESENC(T0, B6) - AESENC(T0, B7) -} - -func aesRndLast(k VecPhysical) { - AESENCLAST(k, B0) - AESENCLAST(k, B1) - AESENCLAST(k, B2) - AESENCLAST(k, B3) - AESENCLAST(k, B4) - AESENCLAST(k, B5) - AESENCLAST(k, B6) - AESENCLAST(k, B7) -} - -func combinedRound(i int, pTbl, ks GPPhysical) { - MOVOU(Mem{Base: ks}.Offset(16*i), T0) - AESENC(T0, B0) - AESENC(T0, B1) - AESENC(T0, B2) - AESENC(T0, B3) - MOVOU(Mem{Base: pTbl}.Offset(16*(i*2)), T1) - MOVOU(T1, T2) - AESENC(T0, B4) - AESENC(T0, B5) - AESENC(T0, B6) - AESENC(T0, B7) - MOVOU(Mem{Base: SP}.Offset(16*i), T0) - PCLMULQDQ(Imm(0x00), T0, T1) - PXOR(T1, ACC0) - PSHUFD(Imm(78), T0, T1) - PCLMULQDQ(Imm(0x11), T0, T2) - PXOR(T1, T0) - PXOR(T2, ACC1) - MOVOU(Mem{Base: pTbl}.Offset(16*(i*2+1)), T2) - PCLMULQDQ(Imm(0x00), T2, T0) - PXOR(T0, ACCM) -} - -func mulRound(i int, pTbl GPPhysical) { - MOVOU(Mem{Base: SP}.Offset(16*i), T0) - MOVOU(Mem{Base: pTbl}.Offset(16*(i*2)), T1) - MOVOU(T1, T2) - PCLMULQDQ(Imm(0x00), T0, T1) - PXOR(T1, ACC0) - PCLMULQDQ(Imm(0x11), T0, T2) - PXOR(T2, ACC1) - PSHUFD(Imm(78), T0, T1) - PXOR(T1, T0) - MOVOU(Mem{Base: pTbl}.Offset(16*(i*2+1)), T1) - PCLMULQDQ(Imm(0x00), T0, T1) - PXOR(T1, ACCM) -} - -func encLast1(ctx, ptx GPPhysical) { - Label("encLast1") - aesRndLast(T0) - - MOVOU(Mem{Base: ptx}.Offset(16*0), T0) - PXOR(T0, B0) - MOVOU(Mem{Base: ptx}.Offset(16*1), T0) - PXOR(T0, B1) - MOVOU(Mem{Base: ptx}.Offset(16*2), T0) - PXOR(T0, B2) - MOVOU(Mem{Base: ptx}.Offset(16*3), T0) - PXOR(T0, B3) - MOVOU(Mem{Base: ptx}.Offset(16*4), T0) - PXOR(T0, B4) - MOVOU(Mem{Base: ptx}.Offset(16*5), T0) - PXOR(T0, B5) - MOVOU(Mem{Base: ptx}.Offset(16*6), T0) - PXOR(T0, B6) - MOVOU(Mem{Base: ptx}.Offset(16*7), T0) - PXOR(T0, B7) - - MOVOU(B0, Mem{Base: ctx}.Offset(16*0)) - PSHUFB(BSWAP, B0) - PXOR(ACC0, B0) - MOVOU(B1, Mem{Base: ctx}.Offset(16*1)) - PSHUFB(BSWAP, B1) - MOVOU(B2, Mem{Base: ctx}.Offset(16*2)) - PSHUFB(BSWAP, B2) - MOVOU(B3, Mem{Base: ctx}.Offset(16*3)) - PSHUFB(BSWAP, B3) - MOVOU(B4, Mem{Base: ctx}.Offset(16*4)) - PSHUFB(BSWAP, B4) - MOVOU(B5, Mem{Base: ctx}.Offset(16*5)) - PSHUFB(BSWAP, B5) - MOVOU(B6, Mem{Base: ctx}.Offset(16*6)) - PSHUFB(BSWAP, B6) - MOVOU(B7, Mem{Base: ctx}.Offset(16*7)) - PSHUFB(BSWAP, B7) - - MOVOU(B0, Mem{Base: SP}.Offset(16*0)) - MOVOU(B1, Mem{Base: SP}.Offset(16*1)) - MOVOU(B2, Mem{Base: SP}.Offset(16*2)) - MOVOU(B3, Mem{Base: SP}.Offset(16*3)) - MOVOU(B4, Mem{Base: SP}.Offset(16*4)) - MOVOU(B5, Mem{Base: SP}.Offset(16*5)) - MOVOU(B6, Mem{Base: SP}.Offset(16*6)) - MOVOU(B7, Mem{Base: SP}.Offset(16*7)) - - LEAQ(Mem{Base: ptx}.Offset(128), ptx) - LEAQ(Mem{Base: ctx}.Offset(128), ctx) -} - -func gcmAesEncOctetsLoop(pTbl, ks, ptxLen, aluCTR, aluTMP, aluK, NR GPPhysical) { - Label("gcmAesEncOctetsLoop") - - CMPQ(ptxLen, Imm(128)) - JB(LabelRef("gcmAesEncOctetsEnd")) - SUBQ(Imm(128), ptxLen) - - MOVOU(Mem{Base: SP}.Offset(8*16+0*16), B0) - MOVOU(Mem{Base: SP}.Offset(8*16+1*16), B1) - MOVOU(Mem{Base: SP}.Offset(8*16+2*16), B2) - MOVOU(Mem{Base: SP}.Offset(8*16+3*16), B3) - MOVOU(Mem{Base: SP}.Offset(8*16+4*16), B4) - MOVOU(Mem{Base: SP}.Offset(8*16+5*16), B5) - MOVOU(Mem{Base: SP}.Offset(8*16+6*16), B6) - MOVOU(Mem{Base: SP}.Offset(8*16+7*16), B7) - - MOVOU(Mem{Base: SP}.Offset(16*0), T0) - PSHUFD(Imm(78), T0, T1) - PXOR(T0, T1) - - MOVOU(Mem{Base: pTbl}.Offset(16*0), ACC0) - MOVOU(Mem{Base: pTbl}.Offset(16*1), ACCM) - MOVOU(ACC0, ACC1) - - PCLMULQDQ(Imm(0x00), T1, ACCM) - PCLMULQDQ(Imm(0x00), T0, ACC0) - PCLMULQDQ(Imm(0x11), T0, ACC1) - - combinedRound(1, pTbl, ks) - incrementEnc(0, aluCTR, aluTMP, aluK) - combinedRound(2, pTbl, ks) - incrementEnc(1, aluCTR, aluTMP, aluK) - combinedRound(3, pTbl, ks) - incrementEnc(2, aluCTR, aluTMP, aluK) - combinedRound(4, pTbl, ks) - incrementEnc(3, aluCTR, aluTMP, aluK) - combinedRound(5, pTbl, ks) - incrementEnc(4, aluCTR, aluTMP, aluK) - combinedRound(6, pTbl, ks) - incrementEnc(5, aluCTR, aluTMP, aluK) - combinedRound(7, pTbl, ks) - incrementEnc(6, aluCTR, aluTMP, aluK) - - aesRound(8, ks) - incrementEnc(7, aluCTR, aluTMP, aluK) - - PXOR(ACC0, ACCM) - PXOR(ACC1, ACCM) - MOVOU(ACCM, T0) - PSRLDQ(Imm(8), ACCM) - PSLLDQ(Imm(8), T0) - PXOR(ACCM, ACC1) - PXOR(T0, ACC0) - - reduceRound(ACC0) - aesRound(9, ks) - - reduceRound(ACC0) - PXOR(ACC1, ACC0) - - MOVOU(Mem{Base: ks}.Offset(16*10), T0) - CMPQ(NR, Imm(12)) - JB(LabelRef("encLast2")) - aesRnd(T0) - aesRound(11, ks) - MOVOU(Mem{Base: ks}.Offset(16*12), T0) - JE(LabelRef("encLast2")) - aesRnd(T0) - aesRound(13, ks) - MOVOU(Mem{Base: ks}.Offset(16*14), T0) -} - -func encLast2(ctx, ptx GPPhysical) { - Label("encLast2") - aesRndLast(T0) - - MOVOU(Mem{Base: ptx}.Offset(16*0), T0) - PXOR(T0, B0) - MOVOU(Mem{Base: ptx}.Offset(16*1), T0) - PXOR(T0, B1) - MOVOU(Mem{Base: ptx}.Offset(16*2), T0) - PXOR(T0, B2) - MOVOU(Mem{Base: ptx}.Offset(16*3), T0) - PXOR(T0, B3) - MOVOU(Mem{Base: ptx}.Offset(16*4), T0) - PXOR(T0, B4) - MOVOU(Mem{Base: ptx}.Offset(16*5), T0) - PXOR(T0, B5) - MOVOU(Mem{Base: ptx}.Offset(16*6), T0) - PXOR(T0, B6) - MOVOU(Mem{Base: ptx}.Offset(16*7), T0) - PXOR(T0, B7) - - MOVOU(B0, Mem{Base: ctx}.Offset(16*0)) - PSHUFB(BSWAP, B0) - PXOR(ACC0, B0) - MOVOU(B1, Mem{Base: ctx}.Offset(16*1)) - PSHUFB(BSWAP, B1) - MOVOU(B2, Mem{Base: ctx}.Offset(16*2)) - PSHUFB(BSWAP, B2) - MOVOU(B3, Mem{Base: ctx}.Offset(16*3)) - PSHUFB(BSWAP, B3) - MOVOU(B4, Mem{Base: ctx}.Offset(16*4)) - PSHUFB(BSWAP, B4) - MOVOU(B5, Mem{Base: ctx}.Offset(16*5)) - PSHUFB(BSWAP, B5) - MOVOU(B6, Mem{Base: ctx}.Offset(16*6)) - PSHUFB(BSWAP, B6) - MOVOU(B7, Mem{Base: ctx}.Offset(16*7)) - PSHUFB(BSWAP, B7) - - MOVOU(B0, Mem{Base: SP}.Offset(16*0)) - MOVOU(B1, Mem{Base: SP}.Offset(16*1)) - MOVOU(B2, Mem{Base: SP}.Offset(16*2)) - MOVOU(B3, Mem{Base: SP}.Offset(16*3)) - MOVOU(B4, Mem{Base: SP}.Offset(16*4)) - MOVOU(B5, Mem{Base: SP}.Offset(16*5)) - MOVOU(B6, Mem{Base: SP}.Offset(16*6)) - MOVOU(B7, Mem{Base: SP}.Offset(16*7)) - - LEAQ(Mem{Base: ptx}.Offset(128), ptx) - LEAQ(Mem{Base: ctx}.Offset(128), ctx) - - JMP(LabelRef("gcmAesEncOctetsLoop")) -} - -func gcmAesEncOctetsEnd(pTbl, ptxLen, aluCTR GPPhysical) { - Label("gcmAesEncOctetsEnd") - - MOVOU(Mem{Base: SP}.Offset(16*0), T0) - MOVOU(Mem{Base: pTbl}.Offset(16*0), ACC0) - MOVOU(Mem{Base: pTbl}.Offset(16*1), ACCM) - MOVOU(ACC0, ACC1) - PSHUFD(Imm(78), T0, T1) - PXOR(T0, T1) - PCLMULQDQ(Imm(0x00), T0, ACC0) - PCLMULQDQ(Imm(0x11), T0, ACC1) - PCLMULQDQ(Imm(0x00), T1, ACCM) - - mulRound(1, pTbl) - mulRound(2, pTbl) - mulRound(3, pTbl) - mulRound(4, pTbl) - mulRound(5, pTbl) - mulRound(6, pTbl) - mulRound(7, pTbl) - - PXOR(ACC0, ACCM) - PXOR(ACC1, ACCM) - MOVOU(ACCM, T0) - PSRLDQ(Imm(8), ACCM) - PSLLDQ(Imm(8), T0) - PXOR(ACCM, ACC1) - PXOR(T0, ACC0) - - reduceRound(ACC0) - reduceRound(ACC0) - PXOR(ACC1, ACC0) - - TESTQ(ptxLen, ptxLen) - JE(LabelRef("gcmAesEncDone")) - - // Hack to get Avo to emit: - // SUBQ $7, aluCTR` - Instruction(&ir.Instruction{Opcode: "SUBQ", Operands: []Op{Imm(7), aluCTR}}) -} - -func gcmAesEncSingles(pTbl, ks GPPhysical) { - Label("gcmAesEncSingles") - - MOVOU(Mem{Base: ks}.Offset(16*1), B1) - MOVOU(Mem{Base: ks}.Offset(16*2), B2) - MOVOU(Mem{Base: ks}.Offset(16*3), B3) - MOVOU(Mem{Base: ks}.Offset(16*4), B4) - MOVOU(Mem{Base: ks}.Offset(16*5), B5) - MOVOU(Mem{Base: ks}.Offset(16*6), B6) - MOVOU(Mem{Base: ks}.Offset(16*7), B7) - - MOVOU(Mem{Base: pTbl}.Offset(16*14), T2) -} - -func gcmAesEncSinglesLoop(ks, ptxLen, aluCTR, aluTMP, aluK, NR GPPhysical) { - Label("gcmAesEncSinglesLoop") - - CMPQ(ptxLen, Imm(16)) - JB(LabelRef("gcmAesEncTail")) - SUBQ(Imm(16), ptxLen) - - MOVOU(Mem{Base: SP}.Offset(8*16+0*16), B0) - incrementEnc(0, aluCTR, aluTMP, aluK) - - AESENC(B1, B0) - AESENC(B2, B0) - AESENC(B3, B0) - AESENC(B4, B0) - AESENC(B5, B0) - AESENC(B6, B0) - AESENC(B7, B0) - MOVOU(Mem{Base: ks}.Offset(16*8), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*9), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*10), T0) - CMPQ(NR, Imm(12)) - JB(LabelRef("encLast3")) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*11), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*12), T0) - JE(LabelRef("encLast3")) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*13), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*14), T0) -} - -func encLast3(pTbl, ctx, ptx GPPhysical) { - Label("encLast3") - AESENCLAST(T0, B0) - - MOVOU(Mem{Base: ptx}, T0) - PXOR(T0, B0) - MOVOU(B0, Mem{Base: ctx}) - - PSHUFB(BSWAP, B0) - PXOR(ACC0, B0) - - MOVOU(T2, ACC0) - MOVOU(T2, ACC1) - MOVOU(Mem{Base: pTbl}.Offset(16*15), ACCM) - - PSHUFD(Imm(78), B0, T0) - PXOR(B0, T0) - PCLMULQDQ(Imm(0x00), B0, ACC0) - PCLMULQDQ(Imm(0x11), B0, ACC1) - PCLMULQDQ(Imm(0x00), T0, ACCM) - - PXOR(ACC0, ACCM) - PXOR(ACC1, ACCM) - MOVOU(ACCM, T0) - PSRLDQ(Imm(8), ACCM) - PSLLDQ(Imm(8), T0) - PXOR(ACCM, ACC1) - PXOR(T0, ACC0) - - reduceRound(ACC0) - reduceRound(ACC0) - PXOR(ACC1, ACC0) - - LEAQ(Mem{Base: ptx}.Offset(16*1), ptx) - LEAQ(Mem{Base: ctx}.Offset(16*1), ctx) - - JMP(LabelRef("gcmAesEncSinglesLoop")) -} - -func gcmAesEncTail(ks, ptxLen, NR GPPhysical) { - Label("gcmAesEncTail") - TESTQ(ptxLen, ptxLen) - JE(LabelRef("gcmAesEncDone")) - - MOVOU(Mem{Base: SP}.Offset(8*16+0*16), B0) - AESENC(B1, B0) - AESENC(B2, B0) - AESENC(B3, B0) - AESENC(B4, B0) - AESENC(B5, B0) - AESENC(B6, B0) - AESENC(B7, B0) - MOVOU(Mem{Base: ks}.Offset(16*8), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*9), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*10), T0) - CMPQ(NR, Imm(12)) - JB(LabelRef("encLast4")) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*11), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*12), T0) - JE(LabelRef("encLast4")) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*13), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*14), T0) -} - -func encLast4(ptx, ptxLen, aluCTR, aluTMP GPPhysical) { - Label("encLast4") - AESENCLAST(T0, B0) - MOVOU(B0, T0) - - LEAQ(Mem{Base: ptx, Index: ptxLen, Scale: 1}.Offset(-1), ptx) - - // Hack to get Avo to emit: - // MOVQ ptxLen, aluTMP - Instruction(&ir.Instruction{Opcode: "MOVQ", Operands: []Op{ptxLen, aluTMP}}) - // Hack to get Avo to emit: - // SHLQ $4, aluTMP - Instruction(&ir.Instruction{Opcode: "SHLQ", Operands: []Op{Imm(4), aluTMP}}) - - andMask := andMask_DATA() - // Hack to get Avo to emit: - // LEAQ andMask<>(SB), aluCTR - Instruction(&ir.Instruction{Opcode: "LEAQ", Operands: []Op{andMask, aluCTR}}) - MOVOU(Mem{Base: aluCTR, Index: aluTMP, Scale: 1}.Offset(-16), T1) - - PXOR(B0, B0) -} - -func ptxLoadLoop(pTbl, ctx, ptx, ptxLen GPPhysical) { - Label("ptxLoadLoop") - PSLLDQ(Imm(1), B0) - PINSRB(Imm(0), Mem{Base: ptx}, B0) - LEAQ(Mem{Base: ptx}.Offset(-1), ptx) - DECQ(ptxLen) - JNE(LabelRef("ptxLoadLoop")) - - PXOR(T0, B0) - PAND(T1, B0) - MOVOU(B0, Mem{Base: ctx}) - - PSHUFB(BSWAP, B0) - PXOR(ACC0, B0) - - MOVOU(T2, ACC0) - MOVOU(T2, ACC1) - MOVOU(Mem{Base: pTbl}.Offset(16*15), ACCM) - - PSHUFD(Imm(78), B0, T0) - PXOR(B0, T0) - PCLMULQDQ(Imm(0x00), B0, ACC0) - PCLMULQDQ(Imm(0x11), B0, ACC1) - PCLMULQDQ(Imm(0x00), T0, ACCM) - - PXOR(ACC0, ACCM) - PXOR(ACC1, ACCM) - MOVOU(ACCM, T0) - PSRLDQ(Imm(8), ACCM) - PSLLDQ(Imm(8), T0) - PXOR(ACCM, ACC1) - PXOR(T0, ACC0) - - reduceRound(ACC0) - reduceRound(ACC0) - PXOR(ACC1, ACC0) -} - -func gcmAesEncDone(tPtr GPPhysical) { - Label("gcmAesEncDone") - MOVOU(ACC0, Mem{Base: tPtr}) - RET() -} - -func gcmAesDec() { - Implement("gcmAesDec") - Attributes(0) - AllocLocal(128) - - var ( - pTbl GPPhysical = RDI - ctx = RDX - ctrPtr = RCX - ptx = RSI - ks = RAX - tPtr = R8 - ptxLen = R9 - aluCTR = R10L - aluTMP = R11L - aluK = R12L - NR = R13 - ) - - Load(Param("productTable"), pTbl) - Load(Param("dst").Base(), ptx) - Load(Param("src").Base(), ctx) - Load(Param("src").Len(), ptxLen) - Load(Param("ctr"), ctrPtr) - Load(Param("T"), tPtr) - Load(Param("ks").Base(), ks) - Load(Param("ks").Len(), NR) - - SHRQ(Imm(2), NR) - DECQ(NR) - - bswapMask := bswapMask_DATA() - gcmPoly := gcmPoly_DATA() - MOVOU(bswapMask, BSWAP) - MOVOU(gcmPoly, POLY) - - MOVOU(Mem{Base: tPtr}, ACC0) - PXOR(ACC1, ACC1) - PXOR(ACCM, ACCM) - MOVOU(Mem{Base: ctrPtr}, B0) - MOVL(Mem{Base: ctrPtr}.Offset(3*4), aluCTR) - MOVOU(Mem{Base: ks}, T0) - MOVL(Mem{Base: ks}.Offset(3*4), aluK) - BSWAPL(aluCTR) - BSWAPL(aluK) - - PXOR(B0, T0) - MOVOU(T0, Mem{Base: SP}.Offset(0*16)) - incrementDec(0, aluCTR, aluTMP, aluK) - - CMPQ(ptxLen, Imm(128)) - JB(LabelRef("gcmAesDecSingles")) - - MOVOU(T0, Mem{Base: SP}.Offset(1*16)) - incrementDec(1, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(2*16)) - incrementDec(2, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(3*16)) - incrementDec(3, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(4*16)) - incrementDec(4, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(5*16)) - incrementDec(5, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(6*16)) - incrementDec(6, aluCTR, aluTMP, aluK) - MOVOU(T0, Mem{Base: SP}.Offset(7*16)) - incrementDec(7, aluCTR, aluTMP, aluK) - - gcmAesDecOctetsLoop(pTbl, ctx, ks, ptxLen, aluCTR, aluTMP, aluK, NR) - decLast1(ctx, ptx) - gcmAesDecEndOctets(aluCTR) - gcmAesDecSingles(pTbl, ks) - gcmAesDecSinglesLoop(pTbl, ctx, ks, ptxLen, aluCTR, aluTMP, aluK, NR) - decLast2(ctx, ptx) - gcmAesDecTail(pTbl, ctx, ks, ptxLen, aluCTR, aluTMP, aluK, NR) - decLast3() - ptxStoreLoop(ptx, ptxLen) - gcmAesDecDone(tPtr) -} - -func incrementDec(i int, aluCTR, aluTMP, aluK GPPhysical) { - ADDL(Imm(1), aluCTR) - MOVL(aluCTR, aluTMP) - XORL(aluK, aluTMP) - BSWAPL(aluTMP) - MOVL(aluTMP, Mem{Base: SP}.Offset(3*4+i*16)) -} - -func combinedDecRound(i int, pTbl, ctx, ks GPPhysical) { - MOVOU(Mem{Base: ks}.Offset(16*i), T0) - AESENC(T0, B0) - AESENC(T0, B1) - AESENC(T0, B2) - AESENC(T0, B3) - MOVOU(Mem{Base: pTbl}.Offset(16*(i*2)), T1) - MOVOU(T1, T2) - AESENC(T0, B4) - AESENC(T0, B5) - AESENC(T0, B6) - AESENC(T0, B7) - MOVOU(Mem{Base: ctx}.Offset(16*i), T0) - PSHUFB(BSWAP, T0) - PCLMULQDQ(Imm(0x00), T0, T1) - PXOR(T1, ACC0) - PSHUFD(Imm(78), T0, T1) - PCLMULQDQ(Imm(0x11), T0, T2) - PXOR(T1, T0) - PXOR(T2, ACC1) - MOVOU(Mem{Base: pTbl}.Offset(16*(i*2+1)), T2) - PCLMULQDQ(Imm(0x00), T2, T0) - PXOR(T0, ACCM) -} - -func gcmAesDecOctetsLoop(pTbl, ctx, ks, ptxLen, aluCTR, aluTMP, aluK, NR GPPhysical) { - Label("gcmAesDecOctetsLoop") - - CMPQ(ptxLen, Imm(128)) - JB(LabelRef("gcmAesDecEndOctets")) - SUBQ(Imm(128), ptxLen) - - MOVOU(Mem{Base: SP}.Offset(0*16), B0) - MOVOU(Mem{Base: SP}.Offset(1*16), B1) - MOVOU(Mem{Base: SP}.Offset(2*16), B2) - MOVOU(Mem{Base: SP}.Offset(3*16), B3) - MOVOU(Mem{Base: SP}.Offset(4*16), B4) - MOVOU(Mem{Base: SP}.Offset(5*16), B5) - MOVOU(Mem{Base: SP}.Offset(6*16), B6) - MOVOU(Mem{Base: SP}.Offset(7*16), B7) - - MOVOU(Mem{Base: ctx}.Offset(16*0), T0) - PSHUFB(BSWAP, T0) - PXOR(ACC0, T0) - PSHUFD(Imm(78), T0, T1) - PXOR(T0, T1) - - MOVOU(Mem{Base: pTbl}.Offset(16*0), ACC0) - MOVOU(Mem{Base: pTbl}.Offset(16*1), ACCM) - MOVOU(ACC0, ACC1) - - PCLMULQDQ(Imm(0x00), T1, ACCM) - PCLMULQDQ(Imm(0x00), T0, ACC0) - PCLMULQDQ(Imm(0x11), T0, ACC1) - - combinedDecRound(1, pTbl, ctx, ks) - incrementDec(0, aluCTR, aluTMP, aluK) - combinedDecRound(2, pTbl, ctx, ks) - incrementDec(1, aluCTR, aluTMP, aluK) - combinedDecRound(3, pTbl, ctx, ks) - incrementDec(2, aluCTR, aluTMP, aluK) - combinedDecRound(4, pTbl, ctx, ks) - incrementDec(3, aluCTR, aluTMP, aluK) - combinedDecRound(5, pTbl, ctx, ks) - incrementDec(4, aluCTR, aluTMP, aluK) - combinedDecRound(6, pTbl, ctx, ks) - incrementDec(5, aluCTR, aluTMP, aluK) - combinedDecRound(7, pTbl, ctx, ks) - incrementDec(6, aluCTR, aluTMP, aluK) - - aesRound(8, ks) - incrementDec(7, aluCTR, aluTMP, aluK) - - PXOR(ACC0, ACCM) - PXOR(ACC1, ACCM) - MOVOU(ACCM, T0) - PSRLDQ(Imm(8), ACCM) - PSLLDQ(Imm(8), T0) - PXOR(ACCM, ACC1) - PXOR(T0, ACC0) - - reduceRound(ACC0) - aesRound(9, ks) - - reduceRound(ACC0) - PXOR(ACC1, ACC0) - - MOVOU(Mem{Base: ks}.Offset(16*10), T0) - CMPQ(NR, Imm(12)) - JB(LabelRef("decLast1")) - aesRnd(T0) - aesRound(11, ks) - MOVOU(Mem{Base: ks}.Offset(16*12), T0) - JE(LabelRef("decLast1")) - aesRnd(T0) - aesRound(13, ks) - MOVOU(Mem{Base: ks}.Offset(16*14), T0) -} - -func decLast1(ctx, ptx GPPhysical) { - Label("decLast1") - aesRndLast(T0) - - MOVOU(Mem{Base: ctx}.Offset(16*0), T0) - PXOR(T0, B0) - MOVOU(Mem{Base: ctx}.Offset(16*1), T0) - PXOR(T0, B1) - MOVOU(Mem{Base: ctx}.Offset(16*2), T0) - PXOR(T0, B2) - MOVOU(Mem{Base: ctx}.Offset(16*3), T0) - PXOR(T0, B3) - MOVOU(Mem{Base: ctx}.Offset(16*4), T0) - PXOR(T0, B4) - MOVOU(Mem{Base: ctx}.Offset(16*5), T0) - PXOR(T0, B5) - MOVOU(Mem{Base: ctx}.Offset(16*6), T0) - PXOR(T0, B6) - MOVOU(Mem{Base: ctx}.Offset(16*7), T0) - PXOR(T0, B7) - - MOVOU(B0, Mem{Base: ptx}.Offset(16*0)) - MOVOU(B1, Mem{Base: ptx}.Offset(16*1)) - MOVOU(B2, Mem{Base: ptx}.Offset(16*2)) - MOVOU(B3, Mem{Base: ptx}.Offset(16*3)) - MOVOU(B4, Mem{Base: ptx}.Offset(16*4)) - MOVOU(B5, Mem{Base: ptx}.Offset(16*5)) - MOVOU(B6, Mem{Base: ptx}.Offset(16*6)) - MOVOU(B7, Mem{Base: ptx}.Offset(16*7)) - - LEAQ(Mem{Base: ptx}.Offset(128), ptx) - LEAQ(Mem{Base: ctx}.Offset(128), ctx) - - JMP(LabelRef("gcmAesDecOctetsLoop")) -} - -func gcmAesDecEndOctets(aluCTR GPPhysical) { - Label("gcmAesDecEndOctets") - // Hack to make Avo emit: - // SUBQ $7, aluCTR - Instruction(&ir.Instruction{Opcode: "SUBQ", Operands: []Op{Imm(7), aluCTR}}) -} - -func gcmAesDecSingles(pTbl, ks GPPhysical) { - Label("gcmAesDecSingles") - - MOVOU(Mem{Base: ks}.Offset(16*1), B1) - MOVOU(Mem{Base: ks}.Offset(16*2), B2) - MOVOU(Mem{Base: ks}.Offset(16*3), B3) - MOVOU(Mem{Base: ks}.Offset(16*4), B4) - MOVOU(Mem{Base: ks}.Offset(16*5), B5) - MOVOU(Mem{Base: ks}.Offset(16*6), B6) - MOVOU(Mem{Base: ks}.Offset(16*7), B7) - - MOVOU(Mem{Base: pTbl}.Offset(16*14), T2) -} - -func gcmAesDecSinglesLoop(pTbl, ctx, ks, ptxLen, aluCTR, aluTMP, aluK, NR GPPhysical) { - Label("gcmAesDecSinglesLoop") - - CMPQ(ptxLen, Imm(16)) - JB(LabelRef("gcmAesDecTail")) - SUBQ(Imm(16), ptxLen) - - MOVOU(Mem{Base: ctx}, B0) - MOVOU(B0, T1) - PSHUFB(BSWAP, B0) - PXOR(ACC0, B0) - - MOVOU(T2, ACC0) - MOVOU(T2, ACC1) - MOVOU(Mem{Base: pTbl}.Offset(16*15), ACCM) - - PCLMULQDQ(Imm(0x00), B0, ACC0) - PCLMULQDQ(Imm(0x11), B0, ACC1) - PSHUFD(Imm(78), B0, T0) - PXOR(B0, T0) - PCLMULQDQ(Imm(0x00), T0, ACCM) - - PXOR(ACC0, ACCM) - PXOR(ACC1, ACCM) - MOVOU(ACCM, T0) - PSRLDQ(Imm(8), ACCM) - PSLLDQ(Imm(8), T0) - PXOR(ACCM, ACC1) - PXOR(T0, ACC0) - - reduceRound(ACC0) - reduceRound(ACC0) - PXOR(ACC1, ACC0) - - MOVOU(Mem{Base: SP}.Offset(0*16), B0) - incrementDec(0, aluCTR, aluTMP, aluK) - AESENC(B1, B0) - AESENC(B2, B0) - AESENC(B3, B0) - AESENC(B4, B0) - AESENC(B5, B0) - AESENC(B6, B0) - AESENC(B7, B0) - MOVOU(Mem{Base: ks}.Offset(16*8), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*9), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*10), T0) - CMPQ(NR, Imm(12)) - JB(LabelRef("decLast2")) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*11), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*12), T0) - JE(LabelRef("decLast2")) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*13), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*14), T0) -} - -func decLast2(ctx, ptx GPPhysical) { - Label("decLast2") - AESENCLAST(T0, B0) - - PXOR(T1, B0) - MOVOU(B0, Mem{Base: ptx}) - - LEAQ(Mem{Base: ptx}.Offset(16*1), ptx) - LEAQ(Mem{Base: ctx}.Offset(16*1), ctx) - - JMP(LabelRef("gcmAesDecSinglesLoop")) -} - -func gcmAesDecTail(pTbl, ctx, ks, ptxLen, aluCTR, aluTMP, aluK, NR GPPhysical) { - Label("gcmAesDecTail") - - TESTQ(ptxLen, ptxLen) - JE(LabelRef("gcmAesDecDone")) - - // Hack to get Avo to emit: - // MOVQ ptxLen, aluTMP - Instruction(&ir.Instruction{Opcode: "MOVQ", Operands: []Op{ptxLen, aluTMP}}) - // Hack to get Avo to emit: - // SHLQ $4, aluTMP - Instruction(&ir.Instruction{Opcode: "SHLQ", Operands: []Op{Imm(4), aluTMP}}) - - andMask := andMask_DATA() - // Hack to get Avo to emit: - // LEAQ andMask<>(SB), aluCTR - Instruction(&ir.Instruction{Opcode: "LEAQ", Operands: []Op{andMask, aluCTR}}) - MOVOU(Mem{Base: aluCTR, Index: aluTMP, Scale: 1}.Offset(-16), T1) - - MOVOU(Mem{Base: ctx}, B0) - PAND(T1, B0) - - MOVOU(B0, T1) - PSHUFB(BSWAP, B0) - PXOR(ACC0, B0) - - MOVOU(Mem{Base: pTbl}.Offset(16*14), ACC0) - MOVOU(Mem{Base: pTbl}.Offset(16*15), ACCM) - MOVOU(ACC0, ACC1) - - PCLMULQDQ(Imm(0x00), B0, ACC0) - PCLMULQDQ(Imm(0x11), B0, ACC1) - PSHUFD(Imm(78), B0, T0) - PXOR(B0, T0) - PCLMULQDQ(Imm(0x00), T0, ACCM) - - PXOR(ACC0, ACCM) - PXOR(ACC1, ACCM) - MOVOU(ACCM, T0) - PSRLDQ(Imm(8), ACCM) - PSLLDQ(Imm(8), T0) - PXOR(ACCM, ACC1) - PXOR(T0, ACC0) - - reduceRound(ACC0) - reduceRound(ACC0) - PXOR(ACC1, ACC0) - - MOVOU(Mem{Base: SP}.Offset(0*16), B0) - incrementDec(0, aluCTR, aluTMP, aluK) - AESENC(B1, B0) - AESENC(B2, B0) - AESENC(B3, B0) - AESENC(B4, B0) - AESENC(B5, B0) - AESENC(B6, B0) - AESENC(B7, B0) - MOVOU(Mem{Base: ks}.Offset(16*8), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*9), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*10), T0) - CMPQ(NR, Imm(12)) - JB(LabelRef("decLast3")) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*11), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*12), T0) - JE(LabelRef("decLast3")) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*13), T0) - AESENC(T0, B0) - MOVOU(Mem{Base: ks}.Offset(16*14), T0) -} - -func decLast3() { - Label("decLast3") - AESENCLAST(T0, B0) - PXOR(T1, B0) -} - -func ptxStoreLoop(ptx, ptxLen GPPhysical) { - Label("ptxStoreLoop") - PEXTRB(Imm(0), B0, Mem{Base: ptx}) - PSRLDQ(Imm(1), B0) - LEAQ(Mem{Base: ptx}.Offset(1), ptx) - DECQ(ptxLen) - - JNE(LabelRef("ptxStoreLoop")) -} - -func gcmAesDecDone(tPtr GPPhysical) { - Label("gcmAesDecDone") - MOVOU(ACC0, Mem{Base: tPtr}) - RET() -} - -// ##~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~DATA SECTION~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~## - -var bswapMask_DATA_ptr, gcmPoly_DATA_ptr, andMask_DATA_ptr *Mem - -func bswapMask_DATA() Mem { - if bswapMask_DATA_ptr != nil { - return *bswapMask_DATA_ptr - } - - bswapMask := GLOBL("bswapMask", NOPTR|RODATA) - bswapMask_DATA_ptr = &bswapMask - DATA(0x00, U64(0x08090a0b0c0d0e0f)) - DATA(0x08, U64(0x0001020304050607)) - - return bswapMask -} - -func gcmPoly_DATA() Mem { - if gcmPoly_DATA_ptr != nil { - return *gcmPoly_DATA_ptr - } - - gcmPoly := GLOBL("gcmPoly", NOPTR|RODATA) - gcmPoly_DATA_ptr = &gcmPoly - DATA(0x00, U64(0x0000000000000001)) - DATA(0x08, U64(0xc200000000000000)) - - return gcmPoly -} - -var andMask_K = [30]uint64{ - 0x00000000000000ff, - 0x0000000000000000, - 0x000000000000ffff, - 0x0000000000000000, - 0x0000000000ffffff, - 0x0000000000000000, - 0x00000000ffffffff, - 0x0000000000000000, - 0x000000ffffffffff, - 0x0000000000000000, - 0x0000ffffffffffff, - 0x0000000000000000, - 0x00ffffffffffffff, - 0x0000000000000000, - 0xffffffffffffffff, - 0x0000000000000000, - 0xffffffffffffffff, - 0x00000000000000ff, - 0xffffffffffffffff, - 0x000000000000ffff, - 0xffffffffffffffff, - 0x0000000000ffffff, - 0xffffffffffffffff, - 0x00000000ffffffff, - 0xffffffffffffffff, - 0x000000ffffffffff, - 0xffffffffffffffff, - 0x0000ffffffffffff, - 0xffffffffffffffff, - 0x00ffffffffffffff, -} - -func andMask_DATA() Mem { - if andMask_DATA_ptr != nil { - return *andMask_DATA_ptr - } - andMask := GLOBL("andMask", NOPTR|RODATA) - andMask_DATA_ptr = &andMask - - for i, k := range andMask_K { - DATA(i*8, U64(k)) - } - - return andMask -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/_asm/gcm/go.mod b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/_asm/gcm/go.mod deleted file mode 100644 index 3fd2094068e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/_asm/gcm/go.mod +++ /dev/null @@ -1,11 +0,0 @@ -module crypto/aes/_asm/gcm - -go 1.24 - -require github.com/mmcloughlin/avo v0.6.0 - -require ( - golang.org/x/mod v0.20.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/tools v0.24.0 // indirect -) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/_asm/gcm/go.sum b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/_asm/gcm/go.sum deleted file mode 100644 index 76af484b2eb..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/_asm/gcm/go.sum +++ /dev/null @@ -1,8 +0,0 @@ -github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY= -github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= -golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= -golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/cast.go deleted file mode 100644 index 7f1975638ae..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/cast.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package gcm - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/aes" - _ "crypto/internal/fips140/check" - "errors" -) - -func init() { - // Counter KDF covers CMAC per IG 10.3.B, and CMAC covers GCM per IG 10.3.A - // Resolution 1.d(i). AES decryption is covered by the CBC CAST in package - // crypto/internal/fips140/aes. - fips140.CAST("CounterKDF", func() error { - key := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - } - context := [12]byte{ - 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, - 0x29, 0x2a, 0x2b, 0x2c, - } - want := [32]byte{ - 0xe6, 0x86, 0x96, 0x97, 0x08, 0xfc, 0x90, 0x30, - 0x36, 0x1c, 0x65, 0x94, 0xb2, 0x62, 0xa5, 0xf7, - 0xcb, 0x9d, 0x93, 0x94, 0xda, 0xf1, 0x94, 0x09, - 0x6a, 0x27, 0x5e, 0x85, 0x22, 0x5e, 0x7a, 0xee, - } - b, err := aes.New(key) - if err != nil { - return err - } - got := NewCounterKDF(b).DeriveKey(0xFF, context) - if got != want { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/cmac.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/cmac.go deleted file mode 100644 index 3a979a5c708..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/cmac.go +++ /dev/null @@ -1,77 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package gcm - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/aes" - "crypto/internal/fips140/subtle" -) - -// CMAC implements the CMAC mode from NIST SP 800-38B. -// -// It is optimized for use in Counter KDF (SP 800-108r1) and XAES-256-GCM -// (https://c2sp.org/XAES-256-GCM), rather than for exposing it to applications -// as a stand-alone MAC. -type CMAC struct { - b aes.Block - k1 [aes.BlockSize]byte - k2 [aes.BlockSize]byte -} - -func NewCMAC(b *aes.Block) *CMAC { - c := &CMAC{b: *b} - c.deriveSubkeys() - return c -} - -func (c *CMAC) deriveSubkeys() { - aes.EncryptBlockInternal(&c.b, c.k1[:], c.k1[:]) - msb := shiftLeft(&c.k1) - c.k1[len(c.k1)-1] ^= msb * 0b10000111 - - c.k2 = c.k1 - msb = shiftLeft(&c.k2) - c.k2[len(c.k2)-1] ^= msb * 0b10000111 -} - -func (c *CMAC) MAC(m []byte) [aes.BlockSize]byte { - fips140.RecordApproved() - _ = c.b // Hoist the nil check out of the loop. - var x [aes.BlockSize]byte - if len(m) == 0 { - // Special-cased as a single empty partial final block. - x = c.k2 - x[len(m)] ^= 0b10000000 - aes.EncryptBlockInternal(&c.b, x[:], x[:]) - return x - } - for len(m) >= aes.BlockSize { - subtle.XORBytes(x[:], m[:aes.BlockSize], x[:]) - if len(m) == aes.BlockSize { - // Final complete block. - subtle.XORBytes(x[:], c.k1[:], x[:]) - } - aes.EncryptBlockInternal(&c.b, x[:], x[:]) - m = m[aes.BlockSize:] - } - if len(m) > 0 { - // Final incomplete block. - subtle.XORBytes(x[:], m, x[:]) - subtle.XORBytes(x[:], c.k2[:], x[:]) - x[len(m)] ^= 0b10000000 - aes.EncryptBlockInternal(&c.b, x[:], x[:]) - } - return x -} - -// shiftLeft sets x to x << 1, and returns MSB₁(x). -func shiftLeft(x *[aes.BlockSize]byte) byte { - var msb byte - for i := len(x) - 1; i >= 0; i-- { - msb, x[i] = x[i]>>7, x[i]<<1|msb - } - return msb -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/ctrkdf.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/ctrkdf.go deleted file mode 100644 index 9c7d4971a3e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/ctrkdf.go +++ /dev/null @@ -1,49 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package gcm - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/aes" -) - -// CounterKDF implements a KDF in Counter Mode instantiated with CMAC-AES, -// according to NIST SP 800-108 Revision 1 Update 1, Section 4.1. -// -// It produces a 256-bit output, and accepts a 8-bit Label and a 96-bit Context. -// It uses a counter of 16 bits placed before the fixed data. The fixed data is -// the sequence Label || 0x00 || Context. The L field is omitted, since the -// output key length is fixed. -// -// It's optimized for use in XAES-256-GCM (https://c2sp.org/XAES-256-GCM), -// rather than for exposing it to applications as a stand-alone KDF. -type CounterKDF struct { - mac CMAC -} - -// NewCounterKDF creates a new CounterKDF with the given key. -func NewCounterKDF(b *aes.Block) *CounterKDF { - return &CounterKDF{mac: *NewCMAC(b)} -} - -// DeriveKey derives a key from the given label and context. -func (kdf *CounterKDF) DeriveKey(label byte, context [12]byte) [32]byte { - fips140.RecordApproved() - var output [32]byte - - var input [aes.BlockSize]byte - input[2] = label - copy(input[4:], context[:]) - - input[1] = 0x01 // i = 1 - K1 := kdf.mac.MAC(input[:]) - - input[1] = 0x02 // i = 2 - K2 := kdf.mac.MAC(input[:]) - - copy(output[:], K1[:]) - copy(output[aes.BlockSize:], K2[:]) - return output -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm.go deleted file mode 100644 index 20da20c5245..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm.go +++ /dev/null @@ -1,143 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package gcm - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/aes" - "crypto/internal/fips140/alias" - "errors" -) - -// GCM represents a Galois Counter Mode with a specific key. -type GCM struct { - cipher aes.Block - nonceSize int - tagSize int - gcmPlatformData -} - -func New(cipher *aes.Block, nonceSize, tagSize int) (*GCM, error) { - // This function is outlined to let the allocation happen on the parent stack. - return newGCM(&GCM{}, cipher, nonceSize, tagSize) -} - -// newGCM is marked go:noinline to avoid it inlining into New, and making New -// too complex to inline itself. -// -//go:noinline -func newGCM(g *GCM, cipher *aes.Block, nonceSize, tagSize int) (*GCM, error) { - if tagSize < gcmMinimumTagSize || tagSize > gcmBlockSize { - return nil, errors.New("cipher: incorrect tag size given to GCM") - } - if nonceSize <= 0 { - return nil, errors.New("cipher: the nonce can't have zero length") - } - if cipher.BlockSize() != gcmBlockSize { - return nil, errors.New("cipher: NewGCM requires 128-bit block cipher") - } - g.cipher = *cipher - g.nonceSize = nonceSize - g.tagSize = tagSize - initGCM(g) - return g, nil -} - -const ( - gcmBlockSize = 16 - gcmTagSize = 16 - gcmMinimumTagSize = 12 // NIST SP 800-38D recommends tags with 12 or more bytes. - gcmStandardNonceSize = 12 -) - -func (g *GCM) NonceSize() int { - return g.nonceSize -} - -func (g *GCM) Overhead() int { - return g.tagSize -} - -func (g *GCM) Seal(dst, nonce, plaintext, data []byte) []byte { - fips140.RecordNonApproved() - return g.sealAfterIndicator(dst, nonce, plaintext, data) -} - -func (g *GCM) sealAfterIndicator(dst, nonce, plaintext, data []byte) []byte { - if len(nonce) != g.nonceSize { - panic("crypto/cipher: incorrect nonce length given to GCM") - } - if g.nonceSize == 0 { - panic("crypto/cipher: incorrect GCM nonce size") - } - if uint64(len(plaintext)) > uint64((1<<32)-2)*gcmBlockSize { - panic("crypto/cipher: message too large for GCM") - } - - ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize) - if alias.InexactOverlap(out, plaintext) { - panic("crypto/cipher: invalid buffer overlap of output and input") - } - if alias.AnyOverlap(out, data) { - panic("crypto/cipher: invalid buffer overlap of output and additional data") - } - - seal(out, g, nonce, plaintext, data) - return ret -} - -var errOpen = errors.New("cipher: message authentication failed") - -func (g *GCM) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { - if len(nonce) != g.nonceSize { - panic("crypto/cipher: incorrect nonce length given to GCM") - } - // Sanity check to prevent the authentication from always succeeding if an - // implementation leaves tagSize uninitialized, for example. - if g.tagSize < gcmMinimumTagSize { - panic("crypto/cipher: incorrect GCM tag size") - } - - if len(ciphertext) < g.tagSize { - return nil, errOpen - } - if uint64(len(ciphertext)) > uint64((1<<32)-2)*gcmBlockSize+uint64(g.tagSize) { - return nil, errOpen - } - - ret, out := sliceForAppend(dst, len(ciphertext)-g.tagSize) - if alias.InexactOverlap(out, ciphertext) { - panic("crypto/cipher: invalid buffer overlap of output and input") - } - if alias.AnyOverlap(out, data) { - panic("crypto/cipher: invalid buffer overlap of output and additional data") - } - - fips140.RecordApproved() - if err := open(out, g, nonce, ciphertext, data); err != nil { - // We sometimes decrypt and authenticate concurrently, so we overwrite - // dst in the event of a tag mismatch. To be consistent across platforms - // and to avoid releasing unauthenticated plaintext, we clear the buffer - // in the event of an error. - clear(out) - return nil, err - } - return ret, nil -} - -// sliceForAppend takes a slice and a requested number of bytes. It returns a -// slice with the contents of the given slice followed by that many bytes and a -// second slice that aliases into it and contains only the extra bytes. If the -// original slice has sufficient capacity then no allocation is performed. -func sliceForAppend(in []byte, n int) (head, tail []byte) { - if total := len(in) + n; cap(in) >= total { - head = in[:total] - } else { - head = make([]byte, total) - copy(head, in) - } - tail = head[len(in):] - return -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_amd64.s deleted file mode 100644 index 7db6a4baf25..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_amd64.s +++ /dev/null @@ -1,1882 +0,0 @@ -// Code generated by command: go run gcm_amd64_asm.go -out ../../gcm_amd64.s -pkg aes. DO NOT EDIT. - -//go:build !purego - -#include "textflag.h" - -// func gcmAesFinish(productTable *[256]byte, tagMask *[16]byte, T *[16]byte, pLen uint64, dLen uint64) -// Requires: PCLMULQDQ, SSE2, SSE4.1, SSSE3 -TEXT ·gcmAesFinish(SB), NOSPLIT, $0-40 - MOVQ productTable+0(FP), DI - MOVQ tagMask+8(FP), SI - MOVQ T+16(FP), DX - MOVQ pLen+24(FP), AX - MOVQ dLen+32(FP), CX - MOVOU (DX), X8 - MOVOU (SI), X13 - MOVOU bswapMask<>+0(SB), X15 - MOVOU gcmPoly<>+0(SB), X14 - SHLQ $0x03, AX - SHLQ $0x03, CX - MOVQ AX, X0 - PINSRQ $0x01, CX, X0 - PXOR X8, X0 - MOVOU 224(DI), X8 - MOVOU 240(DI), X10 - MOVOU X8, X9 - PCLMULQDQ $0x00, X0, X8 - PCLMULQDQ $0x11, X0, X9 - PSHUFD $0x4e, X0, X11 - PXOR X0, X11 - PCLMULQDQ $0x00, X11, X10 - PXOR X8, X10 - PXOR X9, X10 - MOVOU X10, X11 - PSRLDQ $0x08, X10 - PSLLDQ $0x08, X11 - PXOR X10, X9 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - PXOR X9, X8 - PSHUFB X15, X8 - PXOR X13, X8 - MOVOU X8, (DX) - RET - -DATA bswapMask<>+0(SB)/8, $0x08090a0b0c0d0e0f -DATA bswapMask<>+8(SB)/8, $0x0001020304050607 -GLOBL bswapMask<>(SB), RODATA|NOPTR, $16 - -DATA gcmPoly<>+0(SB)/8, $0x0000000000000001 -DATA gcmPoly<>+8(SB)/8, $0xc200000000000000 -GLOBL gcmPoly<>(SB), RODATA|NOPTR, $16 - -// func gcmAesInit(productTable *[256]byte, ks []uint32) -// Requires: AES, PCLMULQDQ, SSE2, SSSE3 -TEXT ·gcmAesInit(SB), NOSPLIT, $0-32 - MOVQ productTable+0(FP), DI - MOVQ ks_base+8(FP), SI - MOVQ ks_len+16(FP), DX - SHRQ $0x02, DX - DECQ DX - MOVOU bswapMask<>+0(SB), X15 - MOVOU gcmPoly<>+0(SB), X14 - - // Encrypt block 0, with the AES key to generate the hash key H - MOVOU (SI), X0 - MOVOU 16(SI), X11 - AESENC X11, X0 - MOVOU 32(SI), X11 - AESENC X11, X0 - MOVOU 48(SI), X11 - AESENC X11, X0 - MOVOU 64(SI), X11 - AESENC X11, X0 - MOVOU 80(SI), X11 - AESENC X11, X0 - MOVOU 96(SI), X11 - AESENC X11, X0 - MOVOU 112(SI), X11 - AESENC X11, X0 - MOVOU 128(SI), X11 - AESENC X11, X0 - MOVOU 144(SI), X11 - AESENC X11, X0 - MOVOU 160(SI), X11 - CMPQ DX, $0x0c - JB initEncLast - AESENC X11, X0 - MOVOU 176(SI), X11 - AESENC X11, X0 - MOVOU 192(SI), X11 - JE initEncLast - AESENC X11, X0 - MOVOU 208(SI), X11 - AESENC X11, X0 - MOVOU 224(SI), X11 - -initEncLast: - AESENCLAST X11, X0 - PSHUFB X15, X0 - - // H * 2 - PSHUFD $0xff, X0, X11 - MOVOU X0, X12 - PSRAL $0x1f, X11 - PAND X14, X11 - PSRLL $0x1f, X12 - PSLLDQ $0x04, X12 - PSLLL $0x01, X0 - PXOR X11, X0 - PXOR X12, X0 - - // Karatsuba pre-computations - MOVOU X0, 224(DI) - PSHUFD $0x4e, X0, X1 - PXOR X0, X1 - MOVOU X1, 240(DI) - MOVOU X0, X2 - MOVOU X1, X3 - - // Now prepare powers of H and pre-computations for them - MOVQ $0x00000007, AX - -initLoop: - MOVOU X2, X11 - MOVOU X2, X12 - MOVOU X3, X13 - PCLMULQDQ $0x00, X0, X11 - PCLMULQDQ $0x11, X0, X12 - PCLMULQDQ $0x00, X1, X13 - PXOR X11, X13 - PXOR X12, X13 - MOVOU X13, X4 - PSLLDQ $0x08, X4 - PSRLDQ $0x08, X13 - PXOR X4, X11 - PXOR X13, X12 - MOVOU X14, X2 - PCLMULQDQ $0x01, X11, X2 - PSHUFD $0x4e, X11, X11 - PXOR X2, X11 - MOVOU X14, X2 - PCLMULQDQ $0x01, X11, X2 - PSHUFD $0x4e, X11, X11 - PXOR X11, X2 - PXOR X12, X2 - MOVOU X2, 192(DI) - PSHUFD $0x4e, X2, X3 - PXOR X2, X3 - MOVOU X3, 208(DI) - DECQ AX - LEAQ -32(DI), DI - JNE initLoop - RET - -// func gcmAesData(productTable *[256]byte, data []byte, T *[16]byte) -// Requires: PCLMULQDQ, SSE2, SSE4.1, SSSE3 -TEXT ·gcmAesData(SB), NOSPLIT, $0-40 - MOVQ productTable+0(FP), DI - MOVQ data_base+8(FP), SI - MOVQ data_len+16(FP), DX - MOVQ T+32(FP), CX - PXOR X8, X8 - MOVOU bswapMask<>+0(SB), X15 - MOVOU gcmPoly<>+0(SB), X14 - TESTQ DX, DX - JEQ dataBail - CMPQ DX, $0x0d - JE dataTLS - CMPQ DX, $0x80 - JB startSinglesLoop - JMP dataOctaLoop - -dataTLS: - MOVOU 224(DI), X12 - MOVOU 240(DI), X13 - PXOR X0, X0 - MOVQ (SI), X0 - PINSRD $0x02, 8(SI), X0 - PINSRB $0x0c, 12(SI), X0 - XORQ DX, DX - JMP dataMul - -dataOctaLoop: - CMPQ DX, $0x80 - JB startSinglesLoop - SUBQ $0x80, DX - MOVOU (SI), X0 - MOVOU 16(SI), X1 - MOVOU 32(SI), X2 - MOVOU 48(SI), X3 - MOVOU 64(SI), X4 - MOVOU 80(SI), X5 - MOVOU 96(SI), X6 - MOVOU 112(SI), X7 - LEAQ 128(SI), SI - PSHUFB X15, X0 - PSHUFB X15, X1 - PSHUFB X15, X2 - PSHUFB X15, X3 - PSHUFB X15, X4 - PSHUFB X15, X5 - PSHUFB X15, X6 - PSHUFB X15, X7 - PXOR X8, X0 - MOVOU (DI), X8 - MOVOU 16(DI), X10 - MOVOU X8, X9 - PSHUFD $0x4e, X0, X12 - PXOR X0, X12 - PCLMULQDQ $0x00, X0, X8 - PCLMULQDQ $0x11, X0, X9 - PCLMULQDQ $0x00, X12, X10 - MOVOU 32(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X1, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X1, X13 - PXOR X13, X9 - PSHUFD $0x4e, X1, X12 - PXOR X12, X1 - MOVOU 48(DI), X12 - PCLMULQDQ $0x00, X1, X12 - PXOR X12, X10 - MOVOU 64(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X2, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X2, X13 - PXOR X13, X9 - PSHUFD $0x4e, X2, X12 - PXOR X12, X2 - MOVOU 80(DI), X12 - PCLMULQDQ $0x00, X2, X12 - PXOR X12, X10 - MOVOU 96(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X3, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X3, X13 - PXOR X13, X9 - PSHUFD $0x4e, X3, X12 - PXOR X12, X3 - MOVOU 112(DI), X12 - PCLMULQDQ $0x00, X3, X12 - PXOR X12, X10 - MOVOU 128(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X4, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X4, X13 - PXOR X13, X9 - PSHUFD $0x4e, X4, X12 - PXOR X12, X4 - MOVOU 144(DI), X12 - PCLMULQDQ $0x00, X4, X12 - PXOR X12, X10 - MOVOU 160(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X5, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X5, X13 - PXOR X13, X9 - PSHUFD $0x4e, X5, X12 - PXOR X12, X5 - MOVOU 176(DI), X12 - PCLMULQDQ $0x00, X5, X12 - PXOR X12, X10 - MOVOU 192(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X6, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X6, X13 - PXOR X13, X9 - PSHUFD $0x4e, X6, X12 - PXOR X12, X6 - MOVOU 208(DI), X12 - PCLMULQDQ $0x00, X6, X12 - PXOR X12, X10 - MOVOU 224(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X7, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X7, X13 - PXOR X13, X9 - PSHUFD $0x4e, X7, X12 - PXOR X12, X7 - MOVOU 240(DI), X12 - PCLMULQDQ $0x00, X7, X12 - PXOR X12, X10 - PXOR X8, X10 - PXOR X9, X10 - MOVOU X10, X11 - PSRLDQ $0x08, X10 - PSLLDQ $0x08, X11 - PXOR X10, X9 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - PXOR X9, X8 - JMP dataOctaLoop - -startSinglesLoop: - MOVOU 224(DI), X12 - MOVOU 240(DI), X13 - -dataSinglesLoop: - CMPQ DX, $0x10 - JB dataEnd - SUBQ $0x10, DX - MOVOU (SI), X0 - -dataMul: - PSHUFB X15, X0 - PXOR X8, X0 - MOVOU X12, X8 - MOVOU X13, X10 - MOVOU X12, X9 - PSHUFD $0x4e, X0, X11 - PXOR X0, X11 - PCLMULQDQ $0x00, X0, X8 - PCLMULQDQ $0x11, X0, X9 - PCLMULQDQ $0x00, X11, X10 - PXOR X8, X10 - PXOR X9, X10 - MOVOU X10, X11 - PSRLDQ $0x08, X10 - PSLLDQ $0x08, X11 - PXOR X10, X9 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - PXOR X9, X8 - LEAQ 16(SI), SI - JMP dataSinglesLoop - -dataEnd: - TESTQ DX, DX - JEQ dataBail - PXOR X0, X0 - LEAQ -1(SI)(DX*1), SI - -dataLoadLoop: - PSLLDQ $0x01, X0 - PINSRB $0x00, (SI), X0 - LEAQ -1(SI), SI - DECQ DX - JNE dataLoadLoop - JMP dataMul - -dataBail: - MOVOU X8, (CX) - RET - -// func gcmAesEnc(productTable *[256]byte, dst []byte, src []byte, ctr *[16]byte, T *[16]byte, ks []uint32) -// Requires: AES, PCLMULQDQ, SSE2, SSE4.1, SSSE3 -TEXT ·gcmAesEnc(SB), $256-96 - MOVQ productTable+0(FP), DI - MOVQ dst_base+8(FP), DX - MOVQ src_base+32(FP), SI - MOVQ src_len+40(FP), R9 - MOVQ ctr+56(FP), CX - MOVQ T+64(FP), R8 - MOVQ ks_base+72(FP), AX - MOVQ ks_len+80(FP), R13 - SHRQ $0x02, R13 - DECQ R13 - MOVOU bswapMask<>+0(SB), X15 - MOVOU gcmPoly<>+0(SB), X14 - MOVOU (R8), X8 - PXOR X9, X9 - PXOR X10, X10 - MOVOU (CX), X0 - MOVL 12(CX), R10 - MOVOU (AX), X11 - MOVL 12(AX), R12 - BSWAPL R10 - BSWAPL R12 - PXOR X0, X11 - MOVOU X11, 128(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 140(SP) - CMPQ R9, $0x80 - JB gcmAesEncSingles - SUBQ $0x80, R9 - - // We have at least 8 blocks to encrypt, prepare the rest of the counters - MOVOU X11, 144(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 156(SP) - MOVOU X11, 160(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 172(SP) - MOVOU X11, 176(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 188(SP) - MOVOU X11, 192(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 204(SP) - MOVOU X11, 208(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 220(SP) - MOVOU X11, 224(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 236(SP) - MOVOU X11, 240(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 252(SP) - MOVOU 128(SP), X0 - MOVOU 144(SP), X1 - MOVOU 160(SP), X2 - MOVOU 176(SP), X3 - MOVOU 192(SP), X4 - MOVOU 208(SP), X5 - MOVOU 224(SP), X6 - MOVOU 240(SP), X7 - MOVOU 16(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 140(SP) - MOVOU 32(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 156(SP) - MOVOU 48(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 172(SP) - MOVOU 64(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 188(SP) - MOVOU 80(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 204(SP) - MOVOU 96(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 220(SP) - MOVOU 112(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 236(SP) - MOVOU 128(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 252(SP) - MOVOU 144(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 160(AX), X11 - CMPQ R13, $0x0c - JB encLast1 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 176(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 192(AX), X11 - JE encLast1 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 208(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 224(AX), X11 - -encLast1: - AESENCLAST X11, X0 - AESENCLAST X11, X1 - AESENCLAST X11, X2 - AESENCLAST X11, X3 - AESENCLAST X11, X4 - AESENCLAST X11, X5 - AESENCLAST X11, X6 - AESENCLAST X11, X7 - MOVOU (SI), X11 - PXOR X11, X0 - MOVOU 16(SI), X11 - PXOR X11, X1 - MOVOU 32(SI), X11 - PXOR X11, X2 - MOVOU 48(SI), X11 - PXOR X11, X3 - MOVOU 64(SI), X11 - PXOR X11, X4 - MOVOU 80(SI), X11 - PXOR X11, X5 - MOVOU 96(SI), X11 - PXOR X11, X6 - MOVOU 112(SI), X11 - PXOR X11, X7 - MOVOU X0, (DX) - PSHUFB X15, X0 - PXOR X8, X0 - MOVOU X1, 16(DX) - PSHUFB X15, X1 - MOVOU X2, 32(DX) - PSHUFB X15, X2 - MOVOU X3, 48(DX) - PSHUFB X15, X3 - MOVOU X4, 64(DX) - PSHUFB X15, X4 - MOVOU X5, 80(DX) - PSHUFB X15, X5 - MOVOU X6, 96(DX) - PSHUFB X15, X6 - MOVOU X7, 112(DX) - PSHUFB X15, X7 - MOVOU X0, (SP) - MOVOU X1, 16(SP) - MOVOU X2, 32(SP) - MOVOU X3, 48(SP) - MOVOU X4, 64(SP) - MOVOU X5, 80(SP) - MOVOU X6, 96(SP) - MOVOU X7, 112(SP) - LEAQ 128(SI), SI - LEAQ 128(DX), DX - -gcmAesEncOctetsLoop: - CMPQ R9, $0x80 - JB gcmAesEncOctetsEnd - SUBQ $0x80, R9 - MOVOU 128(SP), X0 - MOVOU 144(SP), X1 - MOVOU 160(SP), X2 - MOVOU 176(SP), X3 - MOVOU 192(SP), X4 - MOVOU 208(SP), X5 - MOVOU 224(SP), X6 - MOVOU 240(SP), X7 - MOVOU (SP), X11 - PSHUFD $0x4e, X11, X12 - PXOR X11, X12 - MOVOU (DI), X8 - MOVOU 16(DI), X10 - MOVOU X8, X9 - PCLMULQDQ $0x00, X12, X10 - PCLMULQDQ $0x00, X11, X8 - PCLMULQDQ $0x11, X11, X9 - MOVOU 16(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 32(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 16(SP), X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 48(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 140(SP) - MOVOU 32(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 64(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 32(SP), X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 80(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 156(SP) - MOVOU 48(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 96(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 48(SP), X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 112(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 172(SP) - MOVOU 64(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 128(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 64(SP), X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 144(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 188(SP) - MOVOU 80(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 160(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 80(SP), X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 176(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 204(SP) - MOVOU 96(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 192(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 96(SP), X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 208(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 220(SP) - MOVOU 112(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 224(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 112(SP), X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 240(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 236(SP) - MOVOU 128(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 252(SP) - PXOR X8, X10 - PXOR X9, X10 - MOVOU X10, X11 - PSRLDQ $0x08, X10 - PSLLDQ $0x08, X11 - PXOR X10, X9 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - MOVOU 144(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - PXOR X9, X8 - MOVOU 160(AX), X11 - CMPQ R13, $0x0c - JB encLast2 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 176(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 192(AX), X11 - JE encLast2 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 208(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 224(AX), X11 - -encLast2: - AESENCLAST X11, X0 - AESENCLAST X11, X1 - AESENCLAST X11, X2 - AESENCLAST X11, X3 - AESENCLAST X11, X4 - AESENCLAST X11, X5 - AESENCLAST X11, X6 - AESENCLAST X11, X7 - MOVOU (SI), X11 - PXOR X11, X0 - MOVOU 16(SI), X11 - PXOR X11, X1 - MOVOU 32(SI), X11 - PXOR X11, X2 - MOVOU 48(SI), X11 - PXOR X11, X3 - MOVOU 64(SI), X11 - PXOR X11, X4 - MOVOU 80(SI), X11 - PXOR X11, X5 - MOVOU 96(SI), X11 - PXOR X11, X6 - MOVOU 112(SI), X11 - PXOR X11, X7 - MOVOU X0, (DX) - PSHUFB X15, X0 - PXOR X8, X0 - MOVOU X1, 16(DX) - PSHUFB X15, X1 - MOVOU X2, 32(DX) - PSHUFB X15, X2 - MOVOU X3, 48(DX) - PSHUFB X15, X3 - MOVOU X4, 64(DX) - PSHUFB X15, X4 - MOVOU X5, 80(DX) - PSHUFB X15, X5 - MOVOU X6, 96(DX) - PSHUFB X15, X6 - MOVOU X7, 112(DX) - PSHUFB X15, X7 - MOVOU X0, (SP) - MOVOU X1, 16(SP) - MOVOU X2, 32(SP) - MOVOU X3, 48(SP) - MOVOU X4, 64(SP) - MOVOU X5, 80(SP) - MOVOU X6, 96(SP) - MOVOU X7, 112(SP) - LEAQ 128(SI), SI - LEAQ 128(DX), DX - JMP gcmAesEncOctetsLoop - -gcmAesEncOctetsEnd: - MOVOU (SP), X11 - MOVOU (DI), X8 - MOVOU 16(DI), X10 - MOVOU X8, X9 - PSHUFD $0x4e, X11, X12 - PXOR X11, X12 - PCLMULQDQ $0x00, X11, X8 - PCLMULQDQ $0x11, X11, X9 - PCLMULQDQ $0x00, X12, X10 - MOVOU 16(SP), X11 - MOVOU 32(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X11, X13 - PXOR X13, X9 - PSHUFD $0x4e, X11, X12 - PXOR X12, X11 - MOVOU 48(DI), X12 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X10 - MOVOU 32(SP), X11 - MOVOU 64(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X11, X13 - PXOR X13, X9 - PSHUFD $0x4e, X11, X12 - PXOR X12, X11 - MOVOU 80(DI), X12 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X10 - MOVOU 48(SP), X11 - MOVOU 96(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X11, X13 - PXOR X13, X9 - PSHUFD $0x4e, X11, X12 - PXOR X12, X11 - MOVOU 112(DI), X12 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X10 - MOVOU 64(SP), X11 - MOVOU 128(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X11, X13 - PXOR X13, X9 - PSHUFD $0x4e, X11, X12 - PXOR X12, X11 - MOVOU 144(DI), X12 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X10 - MOVOU 80(SP), X11 - MOVOU 160(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X11, X13 - PXOR X13, X9 - PSHUFD $0x4e, X11, X12 - PXOR X12, X11 - MOVOU 176(DI), X12 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X10 - MOVOU 96(SP), X11 - MOVOU 192(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X11, X13 - PXOR X13, X9 - PSHUFD $0x4e, X11, X12 - PXOR X12, X11 - MOVOU 208(DI), X12 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X10 - MOVOU 112(SP), X11 - MOVOU 224(DI), X12 - MOVOU X12, X13 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PCLMULQDQ $0x11, X11, X13 - PXOR X13, X9 - PSHUFD $0x4e, X11, X12 - PXOR X12, X11 - MOVOU 240(DI), X12 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X10 - PXOR X8, X10 - PXOR X9, X10 - MOVOU X10, X11 - PSRLDQ $0x08, X10 - PSLLDQ $0x08, X11 - PXOR X10, X9 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - PXOR X9, X8 - TESTQ R9, R9 - JE gcmAesEncDone - SUBQ $0x07, R10 - -gcmAesEncSingles: - MOVOU 16(AX), X1 - MOVOU 32(AX), X2 - MOVOU 48(AX), X3 - MOVOU 64(AX), X4 - MOVOU 80(AX), X5 - MOVOU 96(AX), X6 - MOVOU 112(AX), X7 - MOVOU 224(DI), X13 - -gcmAesEncSinglesLoop: - CMPQ R9, $0x10 - JB gcmAesEncTail - SUBQ $0x10, R9 - MOVOU 128(SP), X0 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 140(SP) - AESENC X1, X0 - AESENC X2, X0 - AESENC X3, X0 - AESENC X4, X0 - AESENC X5, X0 - AESENC X6, X0 - AESENC X7, X0 - MOVOU 128(AX), X11 - AESENC X11, X0 - MOVOU 144(AX), X11 - AESENC X11, X0 - MOVOU 160(AX), X11 - CMPQ R13, $0x0c - JB encLast3 - AESENC X11, X0 - MOVOU 176(AX), X11 - AESENC X11, X0 - MOVOU 192(AX), X11 - JE encLast3 - AESENC X11, X0 - MOVOU 208(AX), X11 - AESENC X11, X0 - MOVOU 224(AX), X11 - -encLast3: - AESENCLAST X11, X0 - MOVOU (SI), X11 - PXOR X11, X0 - MOVOU X0, (DX) - PSHUFB X15, X0 - PXOR X8, X0 - MOVOU X13, X8 - MOVOU X13, X9 - MOVOU 240(DI), X10 - PSHUFD $0x4e, X0, X11 - PXOR X0, X11 - PCLMULQDQ $0x00, X0, X8 - PCLMULQDQ $0x11, X0, X9 - PCLMULQDQ $0x00, X11, X10 - PXOR X8, X10 - PXOR X9, X10 - MOVOU X10, X11 - PSRLDQ $0x08, X10 - PSLLDQ $0x08, X11 - PXOR X10, X9 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - PXOR X9, X8 - LEAQ 16(SI), SI - LEAQ 16(DX), DX - JMP gcmAesEncSinglesLoop - -gcmAesEncTail: - TESTQ R9, R9 - JE gcmAesEncDone - MOVOU 128(SP), X0 - AESENC X1, X0 - AESENC X2, X0 - AESENC X3, X0 - AESENC X4, X0 - AESENC X5, X0 - AESENC X6, X0 - AESENC X7, X0 - MOVOU 128(AX), X11 - AESENC X11, X0 - MOVOU 144(AX), X11 - AESENC X11, X0 - MOVOU 160(AX), X11 - CMPQ R13, $0x0c - JB encLast4 - AESENC X11, X0 - MOVOU 176(AX), X11 - AESENC X11, X0 - MOVOU 192(AX), X11 - JE encLast4 - AESENC X11, X0 - MOVOU 208(AX), X11 - AESENC X11, X0 - MOVOU 224(AX), X11 - -encLast4: - AESENCLAST X11, X0 - MOVOU X0, X11 - LEAQ -1(SI)(R9*1), SI - MOVQ R9, R11 - SHLQ $0x04, R11 - LEAQ andMask<>+0(SB), R10 - MOVOU -16(R10)(R11*1), X12 - PXOR X0, X0 - -ptxLoadLoop: - PSLLDQ $0x01, X0 - PINSRB $0x00, (SI), X0 - LEAQ -1(SI), SI - DECQ R9 - JNE ptxLoadLoop - PXOR X11, X0 - PAND X12, X0 - MOVOU X0, (DX) - PSHUFB X15, X0 - PXOR X8, X0 - MOVOU X13, X8 - MOVOU X13, X9 - MOVOU 240(DI), X10 - PSHUFD $0x4e, X0, X11 - PXOR X0, X11 - PCLMULQDQ $0x00, X0, X8 - PCLMULQDQ $0x11, X0, X9 - PCLMULQDQ $0x00, X11, X10 - PXOR X8, X10 - PXOR X9, X10 - MOVOU X10, X11 - PSRLDQ $0x08, X10 - PSLLDQ $0x08, X11 - PXOR X10, X9 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - PXOR X9, X8 - -gcmAesEncDone: - MOVOU X8, (R8) - RET - -DATA andMask<>+0(SB)/8, $0x00000000000000ff -DATA andMask<>+8(SB)/8, $0x0000000000000000 -DATA andMask<>+16(SB)/8, $0x000000000000ffff -DATA andMask<>+24(SB)/8, $0x0000000000000000 -DATA andMask<>+32(SB)/8, $0x0000000000ffffff -DATA andMask<>+40(SB)/8, $0x0000000000000000 -DATA andMask<>+48(SB)/8, $0x00000000ffffffff -DATA andMask<>+56(SB)/8, $0x0000000000000000 -DATA andMask<>+64(SB)/8, $0x000000ffffffffff -DATA andMask<>+72(SB)/8, $0x0000000000000000 -DATA andMask<>+80(SB)/8, $0x0000ffffffffffff -DATA andMask<>+88(SB)/8, $0x0000000000000000 -DATA andMask<>+96(SB)/8, $0x00ffffffffffffff -DATA andMask<>+104(SB)/8, $0x0000000000000000 -DATA andMask<>+112(SB)/8, $0xffffffffffffffff -DATA andMask<>+120(SB)/8, $0x0000000000000000 -DATA andMask<>+128(SB)/8, $0xffffffffffffffff -DATA andMask<>+136(SB)/8, $0x00000000000000ff -DATA andMask<>+144(SB)/8, $0xffffffffffffffff -DATA andMask<>+152(SB)/8, $0x000000000000ffff -DATA andMask<>+160(SB)/8, $0xffffffffffffffff -DATA andMask<>+168(SB)/8, $0x0000000000ffffff -DATA andMask<>+176(SB)/8, $0xffffffffffffffff -DATA andMask<>+184(SB)/8, $0x00000000ffffffff -DATA andMask<>+192(SB)/8, $0xffffffffffffffff -DATA andMask<>+200(SB)/8, $0x000000ffffffffff -DATA andMask<>+208(SB)/8, $0xffffffffffffffff -DATA andMask<>+216(SB)/8, $0x0000ffffffffffff -DATA andMask<>+224(SB)/8, $0xffffffffffffffff -DATA andMask<>+232(SB)/8, $0x00ffffffffffffff -GLOBL andMask<>(SB), RODATA|NOPTR, $240 - -// func gcmAesDec(productTable *[256]byte, dst []byte, src []byte, ctr *[16]byte, T *[16]byte, ks []uint32) -// Requires: AES, PCLMULQDQ, SSE2, SSE4.1, SSSE3 -TEXT ·gcmAesDec(SB), $128-96 - MOVQ productTable+0(FP), DI - MOVQ dst_base+8(FP), SI - MOVQ src_base+32(FP), DX - MOVQ src_len+40(FP), R9 - MOVQ ctr+56(FP), CX - MOVQ T+64(FP), R8 - MOVQ ks_base+72(FP), AX - MOVQ ks_len+80(FP), R13 - SHRQ $0x02, R13 - DECQ R13 - MOVOU bswapMask<>+0(SB), X15 - MOVOU gcmPoly<>+0(SB), X14 - MOVOU (R8), X8 - PXOR X9, X9 - PXOR X10, X10 - MOVOU (CX), X0 - MOVL 12(CX), R10 - MOVOU (AX), X11 - MOVL 12(AX), R12 - BSWAPL R10 - BSWAPL R12 - PXOR X0, X11 - MOVOU X11, (SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 12(SP) - CMPQ R9, $0x80 - JB gcmAesDecSingles - MOVOU X11, 16(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 28(SP) - MOVOU X11, 32(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 44(SP) - MOVOU X11, 48(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 60(SP) - MOVOU X11, 64(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 76(SP) - MOVOU X11, 80(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 92(SP) - MOVOU X11, 96(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 108(SP) - MOVOU X11, 112(SP) - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 124(SP) - -gcmAesDecOctetsLoop: - CMPQ R9, $0x80 - JB gcmAesDecEndOctets - SUBQ $0x80, R9 - MOVOU (SP), X0 - MOVOU 16(SP), X1 - MOVOU 32(SP), X2 - MOVOU 48(SP), X3 - MOVOU 64(SP), X4 - MOVOU 80(SP), X5 - MOVOU 96(SP), X6 - MOVOU 112(SP), X7 - MOVOU (DX), X11 - PSHUFB X15, X11 - PXOR X8, X11 - PSHUFD $0x4e, X11, X12 - PXOR X11, X12 - MOVOU (DI), X8 - MOVOU 16(DI), X10 - MOVOU X8, X9 - PCLMULQDQ $0x00, X12, X10 - PCLMULQDQ $0x00, X11, X8 - PCLMULQDQ $0x11, X11, X9 - MOVOU 16(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 32(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 16(DX), X11 - PSHUFB X15, X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 48(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 12(SP) - MOVOU 32(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 64(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 32(DX), X11 - PSHUFB X15, X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 80(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 28(SP) - MOVOU 48(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 96(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 48(DX), X11 - PSHUFB X15, X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 112(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 44(SP) - MOVOU 64(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 128(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 64(DX), X11 - PSHUFB X15, X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 144(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 60(SP) - MOVOU 80(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 160(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 80(DX), X11 - PSHUFB X15, X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 176(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 76(SP) - MOVOU 96(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 192(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 96(DX), X11 - PSHUFB X15, X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 208(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 92(SP) - MOVOU 112(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - MOVOU 224(DI), X12 - MOVOU X12, X13 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 112(DX), X11 - PSHUFB X15, X11 - PCLMULQDQ $0x00, X11, X12 - PXOR X12, X8 - PSHUFD $0x4e, X11, X12 - PCLMULQDQ $0x11, X11, X13 - PXOR X12, X11 - PXOR X13, X9 - MOVOU 240(DI), X13 - PCLMULQDQ $0x00, X13, X11 - PXOR X11, X10 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 108(SP) - MOVOU 128(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 124(SP) - PXOR X8, X10 - PXOR X9, X10 - MOVOU X10, X11 - PSRLDQ $0x08, X10 - PSLLDQ $0x08, X11 - PXOR X10, X9 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - MOVOU 144(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - PXOR X9, X8 - MOVOU 160(AX), X11 - CMPQ R13, $0x0c - JB decLast1 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 176(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 192(AX), X11 - JE decLast1 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 208(AX), X11 - AESENC X11, X0 - AESENC X11, X1 - AESENC X11, X2 - AESENC X11, X3 - AESENC X11, X4 - AESENC X11, X5 - AESENC X11, X6 - AESENC X11, X7 - MOVOU 224(AX), X11 - -decLast1: - AESENCLAST X11, X0 - AESENCLAST X11, X1 - AESENCLAST X11, X2 - AESENCLAST X11, X3 - AESENCLAST X11, X4 - AESENCLAST X11, X5 - AESENCLAST X11, X6 - AESENCLAST X11, X7 - MOVOU (DX), X11 - PXOR X11, X0 - MOVOU 16(DX), X11 - PXOR X11, X1 - MOVOU 32(DX), X11 - PXOR X11, X2 - MOVOU 48(DX), X11 - PXOR X11, X3 - MOVOU 64(DX), X11 - PXOR X11, X4 - MOVOU 80(DX), X11 - PXOR X11, X5 - MOVOU 96(DX), X11 - PXOR X11, X6 - MOVOU 112(DX), X11 - PXOR X11, X7 - MOVOU X0, (SI) - MOVOU X1, 16(SI) - MOVOU X2, 32(SI) - MOVOU X3, 48(SI) - MOVOU X4, 64(SI) - MOVOU X5, 80(SI) - MOVOU X6, 96(SI) - MOVOU X7, 112(SI) - LEAQ 128(SI), SI - LEAQ 128(DX), DX - JMP gcmAesDecOctetsLoop - -gcmAesDecEndOctets: - SUBQ $0x07, R10 - -gcmAesDecSingles: - MOVOU 16(AX), X1 - MOVOU 32(AX), X2 - MOVOU 48(AX), X3 - MOVOU 64(AX), X4 - MOVOU 80(AX), X5 - MOVOU 96(AX), X6 - MOVOU 112(AX), X7 - MOVOU 224(DI), X13 - -gcmAesDecSinglesLoop: - CMPQ R9, $0x10 - JB gcmAesDecTail - SUBQ $0x10, R9 - MOVOU (DX), X0 - MOVOU X0, X12 - PSHUFB X15, X0 - PXOR X8, X0 - MOVOU X13, X8 - MOVOU X13, X9 - MOVOU 240(DI), X10 - PCLMULQDQ $0x00, X0, X8 - PCLMULQDQ $0x11, X0, X9 - PSHUFD $0x4e, X0, X11 - PXOR X0, X11 - PCLMULQDQ $0x00, X11, X10 - PXOR X8, X10 - PXOR X9, X10 - MOVOU X10, X11 - PSRLDQ $0x08, X10 - PSLLDQ $0x08, X11 - PXOR X10, X9 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - PXOR X9, X8 - MOVOU (SP), X0 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 12(SP) - AESENC X1, X0 - AESENC X2, X0 - AESENC X3, X0 - AESENC X4, X0 - AESENC X5, X0 - AESENC X6, X0 - AESENC X7, X0 - MOVOU 128(AX), X11 - AESENC X11, X0 - MOVOU 144(AX), X11 - AESENC X11, X0 - MOVOU 160(AX), X11 - CMPQ R13, $0x0c - JB decLast2 - AESENC X11, X0 - MOVOU 176(AX), X11 - AESENC X11, X0 - MOVOU 192(AX), X11 - JE decLast2 - AESENC X11, X0 - MOVOU 208(AX), X11 - AESENC X11, X0 - MOVOU 224(AX), X11 - -decLast2: - AESENCLAST X11, X0 - PXOR X12, X0 - MOVOU X0, (SI) - LEAQ 16(SI), SI - LEAQ 16(DX), DX - JMP gcmAesDecSinglesLoop - -gcmAesDecTail: - TESTQ R9, R9 - JE gcmAesDecDone - MOVQ R9, R11 - SHLQ $0x04, R11 - LEAQ andMask<>+0(SB), R10 - MOVOU -16(R10)(R11*1), X12 - MOVOU (DX), X0 - PAND X12, X0 - MOVOU X0, X12 - PSHUFB X15, X0 - PXOR X8, X0 - MOVOU 224(DI), X8 - MOVOU 240(DI), X10 - MOVOU X8, X9 - PCLMULQDQ $0x00, X0, X8 - PCLMULQDQ $0x11, X0, X9 - PSHUFD $0x4e, X0, X11 - PXOR X0, X11 - PCLMULQDQ $0x00, X11, X10 - PXOR X8, X10 - PXOR X9, X10 - MOVOU X10, X11 - PSRLDQ $0x08, X10 - PSLLDQ $0x08, X11 - PXOR X10, X9 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - MOVOU X14, X11 - PCLMULQDQ $0x01, X8, X11 - PSHUFD $0x4e, X8, X8 - PXOR X11, X8 - PXOR X9, X8 - MOVOU (SP), X0 - ADDL $0x01, R10 - MOVL R10, R11 - XORL R12, R11 - BSWAPL R11 - MOVL R11, 12(SP) - AESENC X1, X0 - AESENC X2, X0 - AESENC X3, X0 - AESENC X4, X0 - AESENC X5, X0 - AESENC X6, X0 - AESENC X7, X0 - MOVOU 128(AX), X11 - AESENC X11, X0 - MOVOU 144(AX), X11 - AESENC X11, X0 - MOVOU 160(AX), X11 - CMPQ R13, $0x0c - JB decLast3 - AESENC X11, X0 - MOVOU 176(AX), X11 - AESENC X11, X0 - MOVOU 192(AX), X11 - JE decLast3 - AESENC X11, X0 - MOVOU 208(AX), X11 - AESENC X11, X0 - MOVOU 224(AX), X11 - -decLast3: - AESENCLAST X11, X0 - PXOR X12, X0 - -ptxStoreLoop: - PEXTRB $0x00, X0, (SI) - PSRLDQ $0x01, X0 - LEAQ 1(SI), SI - DECQ R9 - JNE ptxStoreLoop - -gcmAesDecDone: - MOVOU X8, (R8) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_arm64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_arm64.s deleted file mode 100644 index 23ce1890e4e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_arm64.s +++ /dev/null @@ -1,1023 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -#define B0 V0 -#define B1 V1 -#define B2 V2 -#define B3 V3 -#define B4 V4 -#define B5 V5 -#define B6 V6 -#define B7 V7 - -#define ACC0 V8 -#define ACC1 V9 -#define ACCM V10 - -#define T0 V11 -#define T1 V12 -#define T2 V13 -#define T3 V14 - -#define POLY V15 -#define ZERO V16 -#define INC V17 -#define CTR V18 - -#define K0 V19 -#define K1 V20 -#define K2 V21 -#define K3 V22 -#define K4 V23 -#define K5 V24 -#define K6 V25 -#define K7 V26 -#define K8 V27 -#define K9 V28 -#define K10 V29 -#define K11 V30 -#define KLAST V31 - -#define reduce() \ - VEOR ACC0.B16, ACCM.B16, ACCM.B16 \ - VEOR ACC1.B16, ACCM.B16, ACCM.B16 \ - VEXT $8, ZERO.B16, ACCM.B16, T0.B16 \ - VEXT $8, ACCM.B16, ZERO.B16, ACCM.B16 \ - VEOR ACCM.B16, ACC0.B16, ACC0.B16 \ - VEOR T0.B16, ACC1.B16, ACC1.B16 \ - VPMULL POLY.D1, ACC0.D1, T0.Q1 \ - VEXT $8, ACC0.B16, ACC0.B16, ACC0.B16 \ - VEOR T0.B16, ACC0.B16, ACC0.B16 \ - VPMULL POLY.D1, ACC0.D1, T0.Q1 \ - VEOR T0.B16, ACC1.B16, ACC1.B16 \ - VEXT $8, ACC1.B16, ACC1.B16, ACC1.B16 \ - VEOR ACC1.B16, ACC0.B16, ACC0.B16 \ - -// func gcmAesFinish(productTable *[256]byte, tagMask, T *[16]byte, pLen, dLen uint64) -TEXT ·gcmAesFinish(SB),NOSPLIT,$0 -#define pTbl R0 -#define tMsk R1 -#define tPtr R2 -#define plen R3 -#define dlen R4 - - MOVD $0xC2, R1 - LSL $56, R1 - MOVD $1, R0 - VMOV R1, POLY.D[0] - VMOV R0, POLY.D[1] - VEOR ZERO.B16, ZERO.B16, ZERO.B16 - - MOVD productTable+0(FP), pTbl - MOVD tagMask+8(FP), tMsk - MOVD T+16(FP), tPtr - MOVD pLen+24(FP), plen - MOVD dLen+32(FP), dlen - - VLD1 (tPtr), [ACC0.B16] - VLD1 (tMsk), [B1.B16] - - LSL $3, plen - LSL $3, dlen - - VMOV dlen, B0.D[0] - VMOV plen, B0.D[1] - - ADD $14*16, pTbl - VLD1.P (pTbl), [T1.B16, T2.B16] - - VEOR ACC0.B16, B0.B16, B0.B16 - - VEXT $8, B0.B16, B0.B16, T0.B16 - VEOR B0.B16, T0.B16, T0.B16 - VPMULL B0.D1, T1.D1, ACC1.Q1 - VPMULL2 B0.D2, T1.D2, ACC0.Q1 - VPMULL T0.D1, T2.D1, ACCM.Q1 - - reduce() - - VREV64 ACC0.B16, ACC0.B16 - VEOR B1.B16, ACC0.B16, ACC0.B16 - - VST1 [ACC0.B16], (tPtr) - RET -#undef pTbl -#undef tMsk -#undef tPtr -#undef plen -#undef dlen - -// func gcmAesInit(productTable *[256]byte, ks []uint32) -TEXT ·gcmAesInit(SB),NOSPLIT,$0 -#define pTbl R0 -#define KS R1 -#define NR R2 -#define I R3 - MOVD productTable+0(FP), pTbl - MOVD ks_base+8(FP), KS - MOVD ks_len+16(FP), NR - - MOVD $0xC2, I - LSL $56, I - VMOV I, POLY.D[0] - MOVD $1, I - VMOV I, POLY.D[1] - VEOR ZERO.B16, ZERO.B16, ZERO.B16 - - // Encrypt block 0 with the AES key to generate the hash key H - VLD1.P 64(KS), [T0.B16, T1.B16, T2.B16, T3.B16] - VEOR B0.B16, B0.B16, B0.B16 - AESE T0.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE T1.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE T2.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE T3.B16, B0.B16 - AESMC B0.B16, B0.B16 - VLD1.P 64(KS), [T0.B16, T1.B16, T2.B16, T3.B16] - AESE T0.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE T1.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE T2.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE T3.B16, B0.B16 - AESMC B0.B16, B0.B16 - TBZ $4, NR, initEncFinish - VLD1.P 32(KS), [T0.B16, T1.B16] - AESE T0.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE T1.B16, B0.B16 - AESMC B0.B16, B0.B16 - TBZ $3, NR, initEncFinish - VLD1.P 32(KS), [T0.B16, T1.B16] - AESE T0.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE T1.B16, B0.B16 - AESMC B0.B16, B0.B16 -initEncFinish: - VLD1 (KS), [T0.B16, T1.B16, T2.B16] - AESE T0.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE T1.B16, B0.B16 - VEOR T2.B16, B0.B16, B0.B16 - - VREV64 B0.B16, B0.B16 - - // Multiply by 2 modulo P - VMOV B0.D[0], I - ASR $63, I - VMOV I, T1.D[0] - VMOV I, T1.D[1] - VAND POLY.B16, T1.B16, T1.B16 - VUSHR $63, B0.D2, T2.D2 - VEXT $8, ZERO.B16, T2.B16, T2.B16 - VSHL $1, B0.D2, B0.D2 - VEOR T1.B16, B0.B16, B0.B16 - VEOR T2.B16, B0.B16, B0.B16 // Can avoid this when VSLI is available - - // Karatsuba pre-computation - VEXT $8, B0.B16, B0.B16, B1.B16 - VEOR B0.B16, B1.B16, B1.B16 - - ADD $14*16, pTbl - VST1 [B0.B16, B1.B16], (pTbl) - SUB $2*16, pTbl - - VMOV B0.B16, B2.B16 - VMOV B1.B16, B3.B16 - - MOVD $7, I - -initLoop: - // Compute powers of H - SUBS $1, I - - VPMULL B0.D1, B2.D1, T1.Q1 - VPMULL2 B0.D2, B2.D2, T0.Q1 - VPMULL B1.D1, B3.D1, T2.Q1 - VEOR T0.B16, T2.B16, T2.B16 - VEOR T1.B16, T2.B16, T2.B16 - VEXT $8, ZERO.B16, T2.B16, T3.B16 - VEXT $8, T2.B16, ZERO.B16, T2.B16 - VEOR T2.B16, T0.B16, T0.B16 - VEOR T3.B16, T1.B16, T1.B16 - VPMULL POLY.D1, T0.D1, T2.Q1 - VEXT $8, T0.B16, T0.B16, T0.B16 - VEOR T2.B16, T0.B16, T0.B16 - VPMULL POLY.D1, T0.D1, T2.Q1 - VEXT $8, T0.B16, T0.B16, T0.B16 - VEOR T2.B16, T0.B16, T0.B16 - VEOR T1.B16, T0.B16, B2.B16 - VMOV B2.B16, B3.B16 - VEXT $8, B2.B16, B2.B16, B2.B16 - VEOR B2.B16, B3.B16, B3.B16 - - VST1 [B2.B16, B3.B16], (pTbl) - SUB $2*16, pTbl - - BNE initLoop - RET -#undef I -#undef NR -#undef KS -#undef pTbl - -// func gcmAesData(productTable *[256]byte, data []byte, T *[16]byte) -TEXT ·gcmAesData(SB),NOSPLIT,$0 -#define pTbl R0 -#define aut R1 -#define tPtr R2 -#define autLen R3 -#define H0 R4 -#define pTblSave R5 - -#define mulRound(X) \ - VLD1.P 32(pTbl), [T1.B16, T2.B16] \ - VREV64 X.B16, X.B16 \ - VEXT $8, X.B16, X.B16, T0.B16 \ - VEOR X.B16, T0.B16, T0.B16 \ - VPMULL X.D1, T1.D1, T3.Q1 \ - VEOR T3.B16, ACC1.B16, ACC1.B16 \ - VPMULL2 X.D2, T1.D2, T3.Q1 \ - VEOR T3.B16, ACC0.B16, ACC0.B16 \ - VPMULL T0.D1, T2.D1, T3.Q1 \ - VEOR T3.B16, ACCM.B16, ACCM.B16 - - MOVD productTable+0(FP), pTbl - MOVD data_base+8(FP), aut - MOVD data_len+16(FP), autLen - MOVD T+32(FP), tPtr - - VEOR ACC0.B16, ACC0.B16, ACC0.B16 - CBZ autLen, dataBail - - MOVD $0xC2, H0 - LSL $56, H0 - VMOV H0, POLY.D[0] - MOVD $1, H0 - VMOV H0, POLY.D[1] - VEOR ZERO.B16, ZERO.B16, ZERO.B16 - MOVD pTbl, pTblSave - - CMP $13, autLen - BEQ dataTLS - CMP $128, autLen - BLT startSinglesLoop - B octetsLoop - -dataTLS: - ADD $14*16, pTbl - VLD1.P (pTbl), [T1.B16, T2.B16] - VEOR B0.B16, B0.B16, B0.B16 - - MOVD (aut), H0 - VMOV H0, B0.D[0] - MOVW 8(aut), H0 - VMOV H0, B0.S[2] - MOVB 12(aut), H0 - VMOV H0, B0.B[12] - - MOVD $0, autLen - B dataMul - -octetsLoop: - CMP $128, autLen - BLT startSinglesLoop - SUB $128, autLen - - VLD1.P 32(aut), [B0.B16, B1.B16] - - VLD1.P 32(pTbl), [T1.B16, T2.B16] - VREV64 B0.B16, B0.B16 - VEOR ACC0.B16, B0.B16, B0.B16 - VEXT $8, B0.B16, B0.B16, T0.B16 - VEOR B0.B16, T0.B16, T0.B16 - VPMULL B0.D1, T1.D1, ACC1.Q1 - VPMULL2 B0.D2, T1.D2, ACC0.Q1 - VPMULL T0.D1, T2.D1, ACCM.Q1 - - mulRound(B1) - VLD1.P 32(aut), [B2.B16, B3.B16] - mulRound(B2) - mulRound(B3) - VLD1.P 32(aut), [B4.B16, B5.B16] - mulRound(B4) - mulRound(B5) - VLD1.P 32(aut), [B6.B16, B7.B16] - mulRound(B6) - mulRound(B7) - - MOVD pTblSave, pTbl - reduce() - B octetsLoop - -startSinglesLoop: - - ADD $14*16, pTbl - VLD1.P (pTbl), [T1.B16, T2.B16] - -singlesLoop: - - CMP $16, autLen - BLT dataEnd - SUB $16, autLen - - VLD1.P 16(aut), [B0.B16] -dataMul: - VREV64 B0.B16, B0.B16 - VEOR ACC0.B16, B0.B16, B0.B16 - - VEXT $8, B0.B16, B0.B16, T0.B16 - VEOR B0.B16, T0.B16, T0.B16 - VPMULL B0.D1, T1.D1, ACC1.Q1 - VPMULL2 B0.D2, T1.D2, ACC0.Q1 - VPMULL T0.D1, T2.D1, ACCM.Q1 - - reduce() - - B singlesLoop - -dataEnd: - - CBZ autLen, dataBail - VEOR B0.B16, B0.B16, B0.B16 - ADD autLen, aut - -dataLoadLoop: - MOVB.W -1(aut), H0 - VEXT $15, B0.B16, ZERO.B16, B0.B16 - VMOV H0, B0.B[0] - SUBS $1, autLen - BNE dataLoadLoop - B dataMul - -dataBail: - VST1 [ACC0.B16], (tPtr) - RET - -#undef pTbl -#undef aut -#undef tPtr -#undef autLen -#undef H0 -#undef pTblSave - -// func gcmAesEnc(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32) -TEXT ·gcmAesEnc(SB),NOSPLIT,$0 -#define pTbl R0 -#define dstPtr R1 -#define ctrPtr R2 -#define srcPtr R3 -#define ks R4 -#define tPtr R5 -#define srcPtrLen R6 -#define aluCTR R7 -#define aluTMP R8 -#define aluK R9 -#define NR R10 -#define H0 R11 -#define H1 R12 -#define curK R13 -#define pTblSave R14 - -#define aesrndx8(K) \ - AESE K.B16, B0.B16 \ - AESMC B0.B16, B0.B16 \ - AESE K.B16, B1.B16 \ - AESMC B1.B16, B1.B16 \ - AESE K.B16, B2.B16 \ - AESMC B2.B16, B2.B16 \ - AESE K.B16, B3.B16 \ - AESMC B3.B16, B3.B16 \ - AESE K.B16, B4.B16 \ - AESMC B4.B16, B4.B16 \ - AESE K.B16, B5.B16 \ - AESMC B5.B16, B5.B16 \ - AESE K.B16, B6.B16 \ - AESMC B6.B16, B6.B16 \ - AESE K.B16, B7.B16 \ - AESMC B7.B16, B7.B16 - -#define aesrndlastx8(K) \ - AESE K.B16, B0.B16 \ - AESE K.B16, B1.B16 \ - AESE K.B16, B2.B16 \ - AESE K.B16, B3.B16 \ - AESE K.B16, B4.B16 \ - AESE K.B16, B5.B16 \ - AESE K.B16, B6.B16 \ - AESE K.B16, B7.B16 - - MOVD productTable+0(FP), pTbl - MOVD dst+8(FP), dstPtr - MOVD src_base+32(FP), srcPtr - MOVD src_len+40(FP), srcPtrLen - MOVD ctr+56(FP), ctrPtr - MOVD T+64(FP), tPtr - MOVD ks_base+72(FP), ks - MOVD ks_len+80(FP), NR - - MOVD $0xC2, H1 - LSL $56, H1 - MOVD $1, H0 - VMOV H1, POLY.D[0] - VMOV H0, POLY.D[1] - VEOR ZERO.B16, ZERO.B16, ZERO.B16 - // Compute NR from len(ks) - MOVD pTbl, pTblSave - // Current tag, after AAD - VLD1 (tPtr), [ACC0.B16] - VEOR ACC1.B16, ACC1.B16, ACC1.B16 - VEOR ACCM.B16, ACCM.B16, ACCM.B16 - // Prepare initial counter, and the increment vector - VLD1 (ctrPtr), [CTR.B16] - VEOR INC.B16, INC.B16, INC.B16 - MOVD $1, H0 - VMOV H0, INC.S[3] - VREV32 CTR.B16, CTR.B16 - VADD CTR.S4, INC.S4, CTR.S4 - // Skip to <8 blocks loop - CMP $128, srcPtrLen - - MOVD ks, H0 - // For AES-128 round keys are stored in: K0 .. K10, KLAST - VLD1.P 64(H0), [K0.B16, K1.B16, K2.B16, K3.B16] - VLD1.P 64(H0), [K4.B16, K5.B16, K6.B16, K7.B16] - VLD1.P 48(H0), [K8.B16, K9.B16, K10.B16] - VMOV K10.B16, KLAST.B16 - - BLT startSingles - // There are at least 8 blocks to encrypt - TBZ $4, NR, octetsLoop - - // For AES-192 round keys occupy: K0 .. K7, K10, K11, K8, K9, KLAST - VMOV K8.B16, K10.B16 - VMOV K9.B16, K11.B16 - VMOV KLAST.B16, K8.B16 - VLD1.P 16(H0), [K9.B16] - VLD1.P 16(H0), [KLAST.B16] - TBZ $3, NR, octetsLoop - // For AES-256 round keys occupy: K0 .. K7, K10, K11, mem, mem, K8, K9, KLAST - VMOV KLAST.B16, K8.B16 - VLD1.P 16(H0), [K9.B16] - VLD1.P 16(H0), [KLAST.B16] - ADD $10*16, ks, H0 - MOVD H0, curK - -octetsLoop: - SUB $128, srcPtrLen - - VMOV CTR.B16, B0.B16 - VADD B0.S4, INC.S4, B1.S4 - VREV32 B0.B16, B0.B16 - VADD B1.S4, INC.S4, B2.S4 - VREV32 B1.B16, B1.B16 - VADD B2.S4, INC.S4, B3.S4 - VREV32 B2.B16, B2.B16 - VADD B3.S4, INC.S4, B4.S4 - VREV32 B3.B16, B3.B16 - VADD B4.S4, INC.S4, B5.S4 - VREV32 B4.B16, B4.B16 - VADD B5.S4, INC.S4, B6.S4 - VREV32 B5.B16, B5.B16 - VADD B6.S4, INC.S4, B7.S4 - VREV32 B6.B16, B6.B16 - VADD B7.S4, INC.S4, CTR.S4 - VREV32 B7.B16, B7.B16 - - aesrndx8(K0) - aesrndx8(K1) - aesrndx8(K2) - aesrndx8(K3) - aesrndx8(K4) - aesrndx8(K5) - aesrndx8(K6) - aesrndx8(K7) - TBZ $4, NR, octetsFinish - aesrndx8(K10) - aesrndx8(K11) - TBZ $3, NR, octetsFinish - VLD1.P 32(curK), [T1.B16, T2.B16] - aesrndx8(T1) - aesrndx8(T2) - MOVD H0, curK -octetsFinish: - aesrndx8(K8) - aesrndlastx8(K9) - - VEOR KLAST.B16, B0.B16, B0.B16 - VEOR KLAST.B16, B1.B16, B1.B16 - VEOR KLAST.B16, B2.B16, B2.B16 - VEOR KLAST.B16, B3.B16, B3.B16 - VEOR KLAST.B16, B4.B16, B4.B16 - VEOR KLAST.B16, B5.B16, B5.B16 - VEOR KLAST.B16, B6.B16, B6.B16 - VEOR KLAST.B16, B7.B16, B7.B16 - - VLD1.P 32(srcPtr), [T1.B16, T2.B16] - VEOR B0.B16, T1.B16, B0.B16 - VEOR B1.B16, T2.B16, B1.B16 - VST1.P [B0.B16, B1.B16], 32(dstPtr) - VLD1.P 32(srcPtr), [T1.B16, T2.B16] - VEOR B2.B16, T1.B16, B2.B16 - VEOR B3.B16, T2.B16, B3.B16 - VST1.P [B2.B16, B3.B16], 32(dstPtr) - VLD1.P 32(srcPtr), [T1.B16, T2.B16] - VEOR B4.B16, T1.B16, B4.B16 - VEOR B5.B16, T2.B16, B5.B16 - VST1.P [B4.B16, B5.B16], 32(dstPtr) - VLD1.P 32(srcPtr), [T1.B16, T2.B16] - VEOR B6.B16, T1.B16, B6.B16 - VEOR B7.B16, T2.B16, B7.B16 - VST1.P [B6.B16, B7.B16], 32(dstPtr) - - VLD1.P 32(pTbl), [T1.B16, T2.B16] - VREV64 B0.B16, B0.B16 - VEOR ACC0.B16, B0.B16, B0.B16 - VEXT $8, B0.B16, B0.B16, T0.B16 - VEOR B0.B16, T0.B16, T0.B16 - VPMULL B0.D1, T1.D1, ACC1.Q1 - VPMULL2 B0.D2, T1.D2, ACC0.Q1 - VPMULL T0.D1, T2.D1, ACCM.Q1 - - mulRound(B1) - mulRound(B2) - mulRound(B3) - mulRound(B4) - mulRound(B5) - mulRound(B6) - mulRound(B7) - MOVD pTblSave, pTbl - reduce() - - CMP $128, srcPtrLen - BGE octetsLoop - -startSingles: - CBZ srcPtrLen, done - ADD $14*16, pTbl - // Preload H and its Karatsuba precomp - VLD1.P (pTbl), [T1.B16, T2.B16] - // Preload AES round keys - ADD $128, ks - VLD1.P 48(ks), [K8.B16, K9.B16, K10.B16] - VMOV K10.B16, KLAST.B16 - TBZ $4, NR, singlesLoop - VLD1.P 32(ks), [B1.B16, B2.B16] - VMOV B2.B16, KLAST.B16 - TBZ $3, NR, singlesLoop - VLD1.P 32(ks), [B3.B16, B4.B16] - VMOV B4.B16, KLAST.B16 - -singlesLoop: - CMP $16, srcPtrLen - BLT tail - SUB $16, srcPtrLen - - VLD1.P 16(srcPtr), [T0.B16] - VEOR KLAST.B16, T0.B16, T0.B16 - - VREV32 CTR.B16, B0.B16 - VADD CTR.S4, INC.S4, CTR.S4 - - AESE K0.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K1.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K2.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K3.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K4.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K5.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K6.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K7.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K8.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K9.B16, B0.B16 - TBZ $4, NR, singlesLast - AESMC B0.B16, B0.B16 - AESE K10.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE B1.B16, B0.B16 - TBZ $3, NR, singlesLast - AESMC B0.B16, B0.B16 - AESE B2.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE B3.B16, B0.B16 -singlesLast: - VEOR T0.B16, B0.B16, B0.B16 -encReduce: - VST1.P [B0.B16], 16(dstPtr) - - VREV64 B0.B16, B0.B16 - VEOR ACC0.B16, B0.B16, B0.B16 - - VEXT $8, B0.B16, B0.B16, T0.B16 - VEOR B0.B16, T0.B16, T0.B16 - VPMULL B0.D1, T1.D1, ACC1.Q1 - VPMULL2 B0.D2, T1.D2, ACC0.Q1 - VPMULL T0.D1, T2.D1, ACCM.Q1 - - reduce() - - B singlesLoop -tail: - CBZ srcPtrLen, done - - VEOR T0.B16, T0.B16, T0.B16 - VEOR T3.B16, T3.B16, T3.B16 - MOVD $0, H1 - SUB $1, H1 - ADD srcPtrLen, srcPtr - - TBZ $3, srcPtrLen, ld4 - MOVD.W -8(srcPtr), H0 - VMOV H0, T0.D[0] - VMOV H1, T3.D[0] -ld4: - TBZ $2, srcPtrLen, ld2 - MOVW.W -4(srcPtr), H0 - VEXT $12, T0.B16, ZERO.B16, T0.B16 - VEXT $12, T3.B16, ZERO.B16, T3.B16 - VMOV H0, T0.S[0] - VMOV H1, T3.S[0] -ld2: - TBZ $1, srcPtrLen, ld1 - MOVH.W -2(srcPtr), H0 - VEXT $14, T0.B16, ZERO.B16, T0.B16 - VEXT $14, T3.B16, ZERO.B16, T3.B16 - VMOV H0, T0.H[0] - VMOV H1, T3.H[0] -ld1: - TBZ $0, srcPtrLen, ld0 - MOVB.W -1(srcPtr), H0 - VEXT $15, T0.B16, ZERO.B16, T0.B16 - VEXT $15, T3.B16, ZERO.B16, T3.B16 - VMOV H0, T0.B[0] - VMOV H1, T3.B[0] -ld0: - - MOVD ZR, srcPtrLen - VEOR KLAST.B16, T0.B16, T0.B16 - VREV32 CTR.B16, B0.B16 - - AESE K0.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K1.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K2.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K3.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K4.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K5.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K6.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K7.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K8.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K9.B16, B0.B16 - TBZ $4, NR, tailLast - AESMC B0.B16, B0.B16 - AESE K10.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE B1.B16, B0.B16 - TBZ $3, NR, tailLast - AESMC B0.B16, B0.B16 - AESE B2.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE B3.B16, B0.B16 - -tailLast: - VEOR T0.B16, B0.B16, B0.B16 - VAND T3.B16, B0.B16, B0.B16 - B encReduce - -done: - VST1 [ACC0.B16], (tPtr) - RET - -// func gcmAesDec(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32) -TEXT ·gcmAesDec(SB),NOSPLIT,$0 - MOVD productTable+0(FP), pTbl - MOVD dst+8(FP), dstPtr - MOVD src_base+32(FP), srcPtr - MOVD src_len+40(FP), srcPtrLen - MOVD ctr+56(FP), ctrPtr - MOVD T+64(FP), tPtr - MOVD ks_base+72(FP), ks - MOVD ks_len+80(FP), NR - - MOVD $0xC2, H1 - LSL $56, H1 - MOVD $1, H0 - VMOV H1, POLY.D[0] - VMOV H0, POLY.D[1] - VEOR ZERO.B16, ZERO.B16, ZERO.B16 - // Compute NR from len(ks) - MOVD pTbl, pTblSave - // Current tag, after AAD - VLD1 (tPtr), [ACC0.B16] - VEOR ACC1.B16, ACC1.B16, ACC1.B16 - VEOR ACCM.B16, ACCM.B16, ACCM.B16 - // Prepare initial counter, and the increment vector - VLD1 (ctrPtr), [CTR.B16] - VEOR INC.B16, INC.B16, INC.B16 - MOVD $1, H0 - VMOV H0, INC.S[3] - VREV32 CTR.B16, CTR.B16 - VADD CTR.S4, INC.S4, CTR.S4 - - MOVD ks, H0 - // For AES-128 round keys are stored in: K0 .. K10, KLAST - VLD1.P 64(H0), [K0.B16, K1.B16, K2.B16, K3.B16] - VLD1.P 64(H0), [K4.B16, K5.B16, K6.B16, K7.B16] - VLD1.P 48(H0), [K8.B16, K9.B16, K10.B16] - VMOV K10.B16, KLAST.B16 - - // Skip to <8 blocks loop - CMP $128, srcPtrLen - BLT startSingles - // There are at least 8 blocks to encrypt - TBZ $4, NR, octetsLoop - - // For AES-192 round keys occupy: K0 .. K7, K10, K11, K8, K9, KLAST - VMOV K8.B16, K10.B16 - VMOV K9.B16, K11.B16 - VMOV KLAST.B16, K8.B16 - VLD1.P 16(H0), [K9.B16] - VLD1.P 16(H0), [KLAST.B16] - TBZ $3, NR, octetsLoop - // For AES-256 round keys occupy: K0 .. K7, K10, K11, mem, mem, K8, K9, KLAST - VMOV KLAST.B16, K8.B16 - VLD1.P 16(H0), [K9.B16] - VLD1.P 16(H0), [KLAST.B16] - ADD $10*16, ks, H0 - MOVD H0, curK - -octetsLoop: - SUB $128, srcPtrLen - - VMOV CTR.B16, B0.B16 - VADD B0.S4, INC.S4, B1.S4 - VREV32 B0.B16, B0.B16 - VADD B1.S4, INC.S4, B2.S4 - VREV32 B1.B16, B1.B16 - VADD B2.S4, INC.S4, B3.S4 - VREV32 B2.B16, B2.B16 - VADD B3.S4, INC.S4, B4.S4 - VREV32 B3.B16, B3.B16 - VADD B4.S4, INC.S4, B5.S4 - VREV32 B4.B16, B4.B16 - VADD B5.S4, INC.S4, B6.S4 - VREV32 B5.B16, B5.B16 - VADD B6.S4, INC.S4, B7.S4 - VREV32 B6.B16, B6.B16 - VADD B7.S4, INC.S4, CTR.S4 - VREV32 B7.B16, B7.B16 - - aesrndx8(K0) - aesrndx8(K1) - aesrndx8(K2) - aesrndx8(K3) - aesrndx8(K4) - aesrndx8(K5) - aesrndx8(K6) - aesrndx8(K7) - TBZ $4, NR, octetsFinish - aesrndx8(K10) - aesrndx8(K11) - TBZ $3, NR, octetsFinish - VLD1.P 32(curK), [T1.B16, T2.B16] - aesrndx8(T1) - aesrndx8(T2) - MOVD H0, curK -octetsFinish: - aesrndx8(K8) - aesrndlastx8(K9) - - VEOR KLAST.B16, B0.B16, T1.B16 - VEOR KLAST.B16, B1.B16, T2.B16 - VEOR KLAST.B16, B2.B16, B2.B16 - VEOR KLAST.B16, B3.B16, B3.B16 - VEOR KLAST.B16, B4.B16, B4.B16 - VEOR KLAST.B16, B5.B16, B5.B16 - VEOR KLAST.B16, B6.B16, B6.B16 - VEOR KLAST.B16, B7.B16, B7.B16 - - VLD1.P 32(srcPtr), [B0.B16, B1.B16] - VEOR B0.B16, T1.B16, T1.B16 - VEOR B1.B16, T2.B16, T2.B16 - VST1.P [T1.B16, T2.B16], 32(dstPtr) - - VLD1.P 32(pTbl), [T1.B16, T2.B16] - VREV64 B0.B16, B0.B16 - VEOR ACC0.B16, B0.B16, B0.B16 - VEXT $8, B0.B16, B0.B16, T0.B16 - VEOR B0.B16, T0.B16, T0.B16 - VPMULL B0.D1, T1.D1, ACC1.Q1 - VPMULL2 B0.D2, T1.D2, ACC0.Q1 - VPMULL T0.D1, T2.D1, ACCM.Q1 - mulRound(B1) - - VLD1.P 32(srcPtr), [B0.B16, B1.B16] - VEOR B2.B16, B0.B16, T1.B16 - VEOR B3.B16, B1.B16, T2.B16 - VST1.P [T1.B16, T2.B16], 32(dstPtr) - mulRound(B0) - mulRound(B1) - - VLD1.P 32(srcPtr), [B0.B16, B1.B16] - VEOR B4.B16, B0.B16, T1.B16 - VEOR B5.B16, B1.B16, T2.B16 - VST1.P [T1.B16, T2.B16], 32(dstPtr) - mulRound(B0) - mulRound(B1) - - VLD1.P 32(srcPtr), [B0.B16, B1.B16] - VEOR B6.B16, B0.B16, T1.B16 - VEOR B7.B16, B1.B16, T2.B16 - VST1.P [T1.B16, T2.B16], 32(dstPtr) - mulRound(B0) - mulRound(B1) - - MOVD pTblSave, pTbl - reduce() - - CMP $128, srcPtrLen - BGE octetsLoop - -startSingles: - CBZ srcPtrLen, done - ADD $14*16, pTbl - // Preload H and its Karatsuba precomp - VLD1.P (pTbl), [T1.B16, T2.B16] - // Preload AES round keys - ADD $128, ks - VLD1.P 48(ks), [K8.B16, K9.B16, K10.B16] - VMOV K10.B16, KLAST.B16 - TBZ $4, NR, singlesLoop - VLD1.P 32(ks), [B1.B16, B2.B16] - VMOV B2.B16, KLAST.B16 - TBZ $3, NR, singlesLoop - VLD1.P 32(ks), [B3.B16, B4.B16] - VMOV B4.B16, KLAST.B16 - -singlesLoop: - CMP $16, srcPtrLen - BLT tail - SUB $16, srcPtrLen - - VLD1.P 16(srcPtr), [T0.B16] - VREV64 T0.B16, B5.B16 - VEOR KLAST.B16, T0.B16, T0.B16 - - VREV32 CTR.B16, B0.B16 - VADD CTR.S4, INC.S4, CTR.S4 - - AESE K0.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K1.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K2.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K3.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K4.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K5.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K6.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K7.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K8.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K9.B16, B0.B16 - TBZ $4, NR, singlesLast - AESMC B0.B16, B0.B16 - AESE K10.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE B1.B16, B0.B16 - TBZ $3, NR, singlesLast - AESMC B0.B16, B0.B16 - AESE B2.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE B3.B16, B0.B16 -singlesLast: - VEOR T0.B16, B0.B16, B0.B16 - - VST1.P [B0.B16], 16(dstPtr) - - VEOR ACC0.B16, B5.B16, B5.B16 - VEXT $8, B5.B16, B5.B16, T0.B16 - VEOR B5.B16, T0.B16, T0.B16 - VPMULL B5.D1, T1.D1, ACC1.Q1 - VPMULL2 B5.D2, T1.D2, ACC0.Q1 - VPMULL T0.D1, T2.D1, ACCM.Q1 - reduce() - - B singlesLoop -tail: - CBZ srcPtrLen, done - - VREV32 CTR.B16, B0.B16 - VADD CTR.S4, INC.S4, CTR.S4 - - AESE K0.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K1.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K2.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K3.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K4.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K5.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K6.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K7.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K8.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE K9.B16, B0.B16 - TBZ $4, NR, tailLast - AESMC B0.B16, B0.B16 - AESE K10.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE B1.B16, B0.B16 - TBZ $3, NR, tailLast - AESMC B0.B16, B0.B16 - AESE B2.B16, B0.B16 - AESMC B0.B16, B0.B16 - AESE B3.B16, B0.B16 -tailLast: - VEOR KLAST.B16, B0.B16, B0.B16 - - // Assuming it is safe to load past dstPtr due to the presence of the tag - VLD1 (srcPtr), [B5.B16] - - VEOR B5.B16, B0.B16, B0.B16 - - VEOR T3.B16, T3.B16, T3.B16 - MOVD $0, H1 - SUB $1, H1 - - TBZ $3, srcPtrLen, ld4 - VMOV B0.D[0], H0 - MOVD.P H0, 8(dstPtr) - VMOV H1, T3.D[0] - VEXT $8, ZERO.B16, B0.B16, B0.B16 -ld4: - TBZ $2, srcPtrLen, ld2 - VMOV B0.S[0], H0 - MOVW.P H0, 4(dstPtr) - VEXT $12, T3.B16, ZERO.B16, T3.B16 - VMOV H1, T3.S[0] - VEXT $4, ZERO.B16, B0.B16, B0.B16 -ld2: - TBZ $1, srcPtrLen, ld1 - VMOV B0.H[0], H0 - MOVH.P H0, 2(dstPtr) - VEXT $14, T3.B16, ZERO.B16, T3.B16 - VMOV H1, T3.H[0] - VEXT $2, ZERO.B16, B0.B16, B0.B16 -ld1: - TBZ $0, srcPtrLen, ld0 - VMOV B0.B[0], H0 - MOVB.P H0, 1(dstPtr) - VEXT $15, T3.B16, ZERO.B16, T3.B16 - VMOV H1, T3.B[0] -ld0: - - VAND T3.B16, B5.B16, B5.B16 - VREV64 B5.B16, B5.B16 - - VEOR ACC0.B16, B5.B16, B5.B16 - VEXT $8, B5.B16, B5.B16, T0.B16 - VEOR B5.B16, T0.B16, T0.B16 - VPMULL B5.D1, T1.D1, ACC1.Q1 - VPMULL2 B5.D2, T1.D2, ACC0.Q1 - VPMULL T0.D1, T2.D1, ACCM.Q1 - reduce() -done: - VST1 [ACC0.B16], (tPtr) - - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_asm.go deleted file mode 100644 index 7924e457dee..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_asm.go +++ /dev/null @@ -1,131 +0,0 @@ -// Copyright 2015 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (amd64 || arm64) && !purego - -package gcm - -import ( - "crypto/internal/fips140/aes" - "crypto/internal/fips140/subtle" - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -// The following functions are defined in gcm_*.s. - -//go:noescape -func gcmAesInit(productTable *[256]byte, ks []uint32) - -//go:noescape -func gcmAesData(productTable *[256]byte, data []byte, T *[16]byte) - -//go:noescape -func gcmAesEnc(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32) - -//go:noescape -func gcmAesDec(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32) - -//go:noescape -func gcmAesFinish(productTable *[256]byte, tagMask, T *[16]byte, pLen, dLen uint64) - -// Keep in sync with crypto/tls.hasAESGCMHardwareSupport. -var supportsAESGCM = cpu.X86HasAES && cpu.X86HasPCLMULQDQ && cpu.X86HasSSE41 && cpu.X86HasSSSE3 || - cpu.ARM64HasAES && cpu.ARM64HasPMULL - -func init() { - if cpu.AMD64 { - impl.Register("gcm", "AES-NI", &supportsAESGCM) - } - if cpu.ARM64 { - impl.Register("gcm", "Armv8.0", &supportsAESGCM) - } -} - -// checkGenericIsExpected is called by the variable-time implementation to make -// sure it is not used when hardware support is available. It shouldn't happen, -// but this way it's more evidently correct. -func checkGenericIsExpected() { - if supportsAESGCM { - panic("gcm: internal error: using generic implementation despite hardware support") - } -} - -type gcmPlatformData struct { - productTable [256]byte -} - -func initGCM(g *GCM) { - if !supportsAESGCM { - return - } - gcmAesInit(&g.productTable, aes.EncryptionKeySchedule(&g.cipher)) -} - -func seal(out []byte, g *GCM, nonce, plaintext, data []byte) { - if !supportsAESGCM { - sealGeneric(out, g, nonce, plaintext, data) - return - } - - var counter, tagMask [gcmBlockSize]byte - - if len(nonce) == gcmStandardNonceSize { - // Init counter to nonce||1 - copy(counter[:], nonce) - counter[gcmBlockSize-1] = 1 - } else { - // Otherwise counter = GHASH(nonce) - gcmAesData(&g.productTable, nonce, &counter) - gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0)) - } - - aes.EncryptBlockInternal(&g.cipher, tagMask[:], counter[:]) - - var tagOut [gcmTagSize]byte - gcmAesData(&g.productTable, data, &tagOut) - - if len(plaintext) > 0 { - gcmAesEnc(&g.productTable, out, plaintext, &counter, &tagOut, aes.EncryptionKeySchedule(&g.cipher)) - } - gcmAesFinish(&g.productTable, &tagMask, &tagOut, uint64(len(plaintext)), uint64(len(data))) - copy(out[len(plaintext):], tagOut[:]) -} - -func open(out []byte, g *GCM, nonce, ciphertext, data []byte) error { - if !supportsAESGCM { - return openGeneric(out, g, nonce, ciphertext, data) - } - - tag := ciphertext[len(ciphertext)-g.tagSize:] - ciphertext = ciphertext[:len(ciphertext)-g.tagSize] - - // See GCM spec, section 7.1. - var counter, tagMask [gcmBlockSize]byte - - if len(nonce) == gcmStandardNonceSize { - // Init counter to nonce||1 - copy(counter[:], nonce) - counter[gcmBlockSize-1] = 1 - } else { - // Otherwise counter = GHASH(nonce) - gcmAesData(&g.productTable, nonce, &counter) - gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0)) - } - - aes.EncryptBlockInternal(&g.cipher, tagMask[:], counter[:]) - - var expectedTag [gcmTagSize]byte - gcmAesData(&g.productTable, data, &expectedTag) - - if len(ciphertext) > 0 { - gcmAesDec(&g.productTable, out, ciphertext, &counter, &expectedTag, aes.EncryptionKeySchedule(&g.cipher)) - } - gcmAesFinish(&g.productTable, &tagMask, &expectedTag, uint64(len(ciphertext)), uint64(len(data))) - - if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 { - return errOpen - } - return nil -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_generic.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_generic.go deleted file mode 100644 index 385955ed778..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_generic.go +++ /dev/null @@ -1,105 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package gcm - -import ( - "crypto/internal/fips140/aes" - "crypto/internal/fips140/subtle" - "crypto/internal/fips140deps/byteorder" -) - -func sealGeneric(out []byte, g *GCM, nonce, plaintext, additionalData []byte) { - var H, counter, tagMask [gcmBlockSize]byte - aes.EncryptBlockInternal(&g.cipher, H[:], H[:]) - deriveCounterGeneric(&H, &counter, nonce) - gcmCounterCryptGeneric(&g.cipher, tagMask[:], tagMask[:], &counter) - - gcmCounterCryptGeneric(&g.cipher, out, plaintext, &counter) - - var tag [gcmTagSize]byte - gcmAuthGeneric(tag[:], &H, &tagMask, out[:len(plaintext)], additionalData) - copy(out[len(plaintext):], tag[:]) -} - -func openGeneric(out []byte, g *GCM, nonce, ciphertext, additionalData []byte) error { - var H, counter, tagMask [gcmBlockSize]byte - aes.EncryptBlockInternal(&g.cipher, H[:], H[:]) - deriveCounterGeneric(&H, &counter, nonce) - gcmCounterCryptGeneric(&g.cipher, tagMask[:], tagMask[:], &counter) - - tag := ciphertext[len(ciphertext)-g.tagSize:] - ciphertext = ciphertext[:len(ciphertext)-g.tagSize] - - var expectedTag [gcmTagSize]byte - gcmAuthGeneric(expectedTag[:], &H, &tagMask, ciphertext, additionalData) - if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 { - return errOpen - } - - gcmCounterCryptGeneric(&g.cipher, out, ciphertext, &counter) - - return nil -} - -// deriveCounterGeneric computes the initial GCM counter state from the given nonce. -// See NIST SP 800-38D, section 7.1. This assumes that counter is filled with -// zeros on entry. -func deriveCounterGeneric(H, counter *[gcmBlockSize]byte, nonce []byte) { - // GCM has two modes of operation with respect to the initial counter - // state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path" - // for nonces of other lengths. For a 96-bit nonce, the nonce, along - // with a four-byte big-endian counter starting at one, is used - // directly as the starting counter. For other nonce sizes, the counter - // is computed by passing it through the GHASH function. - if len(nonce) == gcmStandardNonceSize { - copy(counter[:], nonce) - counter[gcmBlockSize-1] = 1 - } else { - lenBlock := make([]byte, 16) - byteorder.BEPutUint64(lenBlock[8:], uint64(len(nonce))*8) - ghash(counter, H, nonce, lenBlock) - } -} - -// gcmCounterCryptGeneric encrypts src using AES in counter mode with 32-bit -// wrapping (which is different from AES-CTR) and places the result into out. -// counter is the initial value and will be updated with the next value. -func gcmCounterCryptGeneric(b *aes.Block, out, src []byte, counter *[gcmBlockSize]byte) { - var mask [gcmBlockSize]byte - - for len(src) >= gcmBlockSize { - aes.EncryptBlockInternal(b, mask[:], counter[:]) - gcmInc32(counter) - - subtle.XORBytes(out, src, mask[:]) - out = out[gcmBlockSize:] - src = src[gcmBlockSize:] - } - - if len(src) > 0 { - aes.EncryptBlockInternal(b, mask[:], counter[:]) - gcmInc32(counter) - subtle.XORBytes(out, src, mask[:]) - } -} - -// gcmInc32 treats the final four bytes of counterBlock as a big-endian value -// and increments it. -func gcmInc32(counterBlock *[gcmBlockSize]byte) { - ctr := counterBlock[len(counterBlock)-4:] - byteorder.BEPutUint32(ctr, byteorder.BEUint32(ctr)+1) -} - -// gcmAuthGeneric calculates GHASH(additionalData, ciphertext), masks the result -// with tagMask and writes the result to out. -func gcmAuthGeneric(out []byte, H, tagMask *[gcmBlockSize]byte, ciphertext, additionalData []byte) { - checkGenericIsExpected() - lenBlock := make([]byte, 16) - byteorder.BEPutUint64(lenBlock[:8], uint64(len(additionalData))*8) - byteorder.BEPutUint64(lenBlock[8:], uint64(len(ciphertext))*8) - var S [gcmBlockSize]byte - ghash(&S, H, additionalData, ciphertext, lenBlock) - subtle.XORBytes(out, S[:], tagMask[:]) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_noasm.go deleted file mode 100644 index 4ae3831a458..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_noasm.go +++ /dev/null @@ -1,21 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!amd64 && !s390x && !ppc64 && !ppc64le && !arm64) || purego - -package gcm - -func checkGenericIsExpected() {} - -type gcmPlatformData struct{} - -func initGCM(g *GCM) {} - -func seal(out []byte, g *GCM, nonce, plaintext, data []byte) { - sealGeneric(out, g, nonce, plaintext, data) -} - -func open(out []byte, g *GCM, nonce, ciphertext, data []byte) error { - return openGeneric(out, g, nonce, ciphertext, data) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go deleted file mode 100644 index b1ac8152885..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_nonces.go +++ /dev/null @@ -1,257 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package gcm - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/aes" - "crypto/internal/fips140/alias" - "crypto/internal/fips140/drbg" - "crypto/internal/fips140deps/byteorder" - "math" -) - -// SealWithRandomNonce encrypts plaintext to out, and writes a random nonce to -// nonce. nonce must be 12 bytes, and out must be 16 bytes longer than plaintext. -// out and plaintext may overlap exactly or not at all. additionalData and out -// must not overlap. -// -// This complies with FIPS 140-3 IG C.H Scenario 2. -// -// Note that this is NOT a [cipher.AEAD].Seal method. -func SealWithRandomNonce(g *GCM, nonce, out, plaintext, additionalData []byte) { - if uint64(len(plaintext)) > uint64((1<<32)-2)*gcmBlockSize { - panic("crypto/cipher: message too large for GCM") - } - if len(nonce) != gcmStandardNonceSize { - panic("crypto/cipher: incorrect nonce length given to GCMWithRandomNonce") - } - if len(out) != len(plaintext)+gcmTagSize { - panic("crypto/cipher: incorrect output length given to GCMWithRandomNonce") - } - if alias.InexactOverlap(out, plaintext) { - panic("crypto/cipher: invalid buffer overlap of output and input") - } - if alias.AnyOverlap(out, additionalData) { - panic("crypto/cipher: invalid buffer overlap of output and additional data") - } - fips140.RecordApproved() - drbg.Read(nonce) - seal(out, g, nonce, plaintext, additionalData) -} - -// NewGCMWithCounterNonce returns a new AEAD that works like GCM, but enforces -// the construction of deterministic nonces. The nonce must be 96 bits, the -// first 32 bits must be an encoding of the module name, and the last 64 bits -// must be a counter. -// -// This complies with FIPS 140-3 IG C.H Scenario 3. -func NewGCMWithCounterNonce(cipher *aes.Block) (*GCMWithCounterNonce, error) { - g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize) - if err != nil { - return nil, err - } - return &GCMWithCounterNonce{g: *g}, nil -} - -type GCMWithCounterNonce struct { - g GCM - ready bool - fixedName uint32 - start uint64 - next uint64 -} - -func (g *GCMWithCounterNonce) NonceSize() int { return gcmStandardNonceSize } - -func (g *GCMWithCounterNonce) Overhead() int { return gcmTagSize } - -func (g *GCMWithCounterNonce) Seal(dst, nonce, plaintext, data []byte) []byte { - if len(nonce) != gcmStandardNonceSize { - panic("crypto/cipher: incorrect nonce length given to GCM") - } - - counter := byteorder.BEUint64(nonce[len(nonce)-8:]) - if !g.ready { - // The first invocation sets the fixed name encoding and start counter. - g.ready = true - g.start = counter - g.fixedName = byteorder.BEUint32(nonce[:4]) - } - if g.fixedName != byteorder.BEUint32(nonce[:4]) { - panic("crypto/cipher: incorrect module name given to GCMWithCounterNonce") - } - counter -= g.start - - // Ensure the counter is monotonically increasing. - if counter == math.MaxUint64 { - panic("crypto/cipher: counter wrapped") - } - if counter < g.next { - panic("crypto/cipher: counter decreased") - } - g.next = counter + 1 - - fips140.RecordApproved() - return g.g.sealAfterIndicator(dst, nonce, plaintext, data) -} - -func (g *GCMWithCounterNonce) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { - fips140.RecordApproved() - return g.g.Open(dst, nonce, ciphertext, data) -} - -// NewGCMForTLS12 returns a new AEAD that works like GCM, but enforces the -// construction of nonces as specified in RFC 5288, Section 3 and RFC 9325, -// Section 7.2.1. -// -// This complies with FIPS 140-3 IG C.H Scenario 1.a. -func NewGCMForTLS12(cipher *aes.Block) (*GCMForTLS12, error) { - g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize) - if err != nil { - return nil, err - } - return &GCMForTLS12{g: *g}, nil -} - -type GCMForTLS12 struct { - g GCM - next uint64 -} - -func (g *GCMForTLS12) NonceSize() int { return gcmStandardNonceSize } - -func (g *GCMForTLS12) Overhead() int { return gcmTagSize } - -func (g *GCMForTLS12) Seal(dst, nonce, plaintext, data []byte) []byte { - if len(nonce) != gcmStandardNonceSize { - panic("crypto/cipher: incorrect nonce length given to GCM") - } - - counter := byteorder.BEUint64(nonce[len(nonce)-8:]) - - // Ensure the counter is monotonically increasing. - if counter == math.MaxUint64 { - panic("crypto/cipher: counter wrapped") - } - if counter < g.next { - panic("crypto/cipher: counter decreased") - } - g.next = counter + 1 - - fips140.RecordApproved() - return g.g.sealAfterIndicator(dst, nonce, plaintext, data) -} - -func (g *GCMForTLS12) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { - fips140.RecordApproved() - return g.g.Open(dst, nonce, ciphertext, data) -} - -// NewGCMForTLS13 returns a new AEAD that works like GCM, but enforces the -// construction of nonces as specified in RFC 8446, Section 5.3. -func NewGCMForTLS13(cipher *aes.Block) (*GCMForTLS13, error) { - g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize) - if err != nil { - return nil, err - } - return &GCMForTLS13{g: *g}, nil -} - -type GCMForTLS13 struct { - g GCM - ready bool - mask uint64 - next uint64 -} - -func (g *GCMForTLS13) NonceSize() int { return gcmStandardNonceSize } - -func (g *GCMForTLS13) Overhead() int { return gcmTagSize } - -func (g *GCMForTLS13) Seal(dst, nonce, plaintext, data []byte) []byte { - if len(nonce) != gcmStandardNonceSize { - panic("crypto/cipher: incorrect nonce length given to GCM") - } - - counter := byteorder.BEUint64(nonce[len(nonce)-8:]) - if !g.ready { - // In the first call, the counter is zero, so we learn the XOR mask. - g.ready = true - g.mask = counter - } - counter ^= g.mask - - // Ensure the counter is monotonically increasing. - if counter == math.MaxUint64 { - panic("crypto/cipher: counter wrapped") - } - if counter < g.next { - panic("crypto/cipher: counter decreased") - } - g.next = counter + 1 - - fips140.RecordApproved() - return g.g.sealAfterIndicator(dst, nonce, plaintext, data) -} - -func (g *GCMForTLS13) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { - fips140.RecordApproved() - return g.g.Open(dst, nonce, ciphertext, data) -} - -// NewGCMForSSH returns a new AEAD that works like GCM, but enforces the -// construction of nonces as specified in RFC 5647. -// -// This complies with FIPS 140-3 IG C.H Scenario 1.d. -func NewGCMForSSH(cipher *aes.Block) (*GCMForSSH, error) { - g, err := newGCM(&GCM{}, cipher, gcmStandardNonceSize, gcmTagSize) - if err != nil { - return nil, err - } - return &GCMForSSH{g: *g}, nil -} - -type GCMForSSH struct { - g GCM - ready bool - start uint64 - next uint64 -} - -func (g *GCMForSSH) NonceSize() int { return gcmStandardNonceSize } - -func (g *GCMForSSH) Overhead() int { return gcmTagSize } - -func (g *GCMForSSH) Seal(dst, nonce, plaintext, data []byte) []byte { - if len(nonce) != gcmStandardNonceSize { - panic("crypto/cipher: incorrect nonce length given to GCM") - } - - counter := byteorder.BEUint64(nonce[len(nonce)-8:]) - if !g.ready { - // In the first call we learn the start value. - g.ready = true - g.start = counter - } - counter -= g.start - - // Ensure the counter is monotonically increasing. - if counter == math.MaxUint64 { - panic("crypto/cipher: counter wrapped") - } - if counter < g.next { - panic("crypto/cipher: counter decreased") - } - g.next = counter + 1 - - fips140.RecordApproved() - return g.g.sealAfterIndicator(dst, nonce, plaintext, data) -} - -func (g *GCMForSSH) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { - fips140.RecordApproved() - return g.g.Open(dst, nonce, ciphertext, data) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_ppc64x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_ppc64x.go deleted file mode 100644 index 8d44c75745d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_ppc64x.go +++ /dev/null @@ -1,187 +0,0 @@ -// Copyright 2019 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (ppc64le || ppc64) && !purego - -package gcm - -import ( - "crypto/internal/fips140/aes" - "crypto/internal/fips140/subtle" - "crypto/internal/fips140deps/byteorder" - "crypto/internal/fips140deps/godebug" - "crypto/internal/impl" - "runtime" -) - -// This file implements GCM using an optimized GHASH function. - -//go:noescape -func gcmInit(productTable *[256]byte, h []byte) - -//go:noescape -func gcmHash(output []byte, productTable *[256]byte, inp []byte, len int) - -func counterCryptASM(nr int, out, in []byte, counter *[gcmBlockSize]byte, key *uint32) - -// The POWER architecture doesn't have a way to turn off AES-GCM support -// at runtime with GODEBUG=cpu.something=off, so introduce a new GODEBUG -// knob for that. It's intentionally only checked at init() time, to -// avoid the performance overhead of checking it every time. -var supportsAESGCM = godebug.Value("#ppc64gcm") != "off" - -func init() { - impl.Register("gcm", "POWER8", &supportsAESGCM) -} - -func checkGenericIsExpected() { - if supportsAESGCM { - panic("gcm: internal error: using generic implementation despite hardware support") - } -} - -type gcmPlatformData struct { - productTable [256]byte -} - -func initGCM(g *GCM) { - if !supportsAESGCM { - return - } - - hle := make([]byte, gcmBlockSize) - aes.EncryptBlockInternal(&g.cipher, hle, hle) - - // Reverse the bytes in each 8 byte chunk - // Load little endian, store big endian - var h1, h2 uint64 - if runtime.GOARCH == "ppc64le" { - h1 = byteorder.LEUint64(hle[:8]) - h2 = byteorder.LEUint64(hle[8:]) - } else { - h1 = byteorder.BEUint64(hle[:8]) - h2 = byteorder.BEUint64(hle[8:]) - } - byteorder.BEPutUint64(hle[:8], h1) - byteorder.BEPutUint64(hle[8:], h2) - gcmInit(&g.productTable, hle) -} - -// deriveCounter computes the initial GCM counter state from the given nonce. -func deriveCounter(counter *[gcmBlockSize]byte, nonce []byte, productTable *[256]byte) { - if len(nonce) == gcmStandardNonceSize { - copy(counter[:], nonce) - counter[gcmBlockSize-1] = 1 - } else { - var hash [16]byte - paddedGHASH(&hash, nonce, productTable) - lens := gcmLengths(0, uint64(len(nonce))*8) - paddedGHASH(&hash, lens[:], productTable) - copy(counter[:], hash[:]) - } -} - -// counterCrypt encrypts in using AES in counter mode and places the result -// into out. counter is the initial count value and will be updated with the next -// count value. The length of out must be greater than or equal to the length -// of in. -// counterCryptASM implements counterCrypt which then allows the loop to -// be unrolled and optimized. -func counterCrypt(b *aes.Block, out, in []byte, counter *[gcmBlockSize]byte) { - enc := aes.EncryptionKeySchedule(b) - rounds := len(enc)/4 - 1 - counterCryptASM(rounds, out, in, counter, &enc[0]) -} - -// paddedGHASH pads data with zeroes until its length is a multiple of -// 16-bytes. It then calculates a new value for hash using the ghash -// algorithm. -func paddedGHASH(hash *[16]byte, data []byte, productTable *[256]byte) { - if siz := len(data) - (len(data) % gcmBlockSize); siz > 0 { - gcmHash(hash[:], productTable, data[:], siz) - data = data[siz:] - } - if len(data) > 0 { - var s [16]byte - copy(s[:], data) - gcmHash(hash[:], productTable, s[:], len(s)) - } -} - -// auth calculates GHASH(ciphertext, additionalData), masks the result with -// tagMask and writes the result to out. -func auth(out, ciphertext, aad []byte, tagMask *[gcmTagSize]byte, productTable *[256]byte) { - var hash [16]byte - paddedGHASH(&hash, aad, productTable) - paddedGHASH(&hash, ciphertext, productTable) - lens := gcmLengths(uint64(len(aad))*8, uint64(len(ciphertext))*8) - paddedGHASH(&hash, lens[:], productTable) - - copy(out, hash[:]) - for i := range out { - out[i] ^= tagMask[i] - } -} - -func seal(out []byte, g *GCM, nonce, plaintext, data []byte) { - if !supportsAESGCM { - sealGeneric(out, g, nonce, plaintext, data) - return - } - - var counter, tagMask [gcmBlockSize]byte - deriveCounter(&counter, nonce, &g.productTable) - - aes.EncryptBlockInternal(&g.cipher, tagMask[:], counter[:]) - gcmInc32(&counter) - - counterCrypt(&g.cipher, out, plaintext, &counter) - auth(out[len(plaintext):], out[:len(plaintext)], data, &tagMask, &g.productTable) -} - -func open(out []byte, g *GCM, nonce, ciphertext, data []byte) error { - if !supportsAESGCM { - return openGeneric(out, g, nonce, ciphertext, data) - } - - tag := ciphertext[len(ciphertext)-g.tagSize:] - ciphertext = ciphertext[:len(ciphertext)-g.tagSize] - - var counter, tagMask [gcmBlockSize]byte - deriveCounter(&counter, nonce, &g.productTable) - - aes.EncryptBlockInternal(&g.cipher, tagMask[:], counter[:]) - gcmInc32(&counter) - - var expectedTag [gcmTagSize]byte - auth(expectedTag[:], ciphertext, data, &tagMask, &g.productTable) - - if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 { - return errOpen - } - - counterCrypt(&g.cipher, out, ciphertext, &counter) - return nil -} - -func gcmLengths(len0, len1 uint64) [16]byte { - return [16]byte{ - byte(len0 >> 56), - byte(len0 >> 48), - byte(len0 >> 40), - byte(len0 >> 32), - byte(len0 >> 24), - byte(len0 >> 16), - byte(len0 >> 8), - byte(len0), - byte(len1 >> 56), - byte(len1 >> 48), - byte(len1 >> 40), - byte(len1 >> 32), - byte(len1 >> 24), - byte(len1 >> 16), - byte(len1 >> 8), - byte(len1), - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_ppc64x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_ppc64x.s deleted file mode 100644 index 558399b10a7..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_ppc64x.s +++ /dev/null @@ -1,1069 +0,0 @@ -// Copyright 2019 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (ppc64 || ppc64le) && !purego - -// Portions based on CRYPTOGAMS code with the following comment: -// # ==================================================================== -// # Written by Andy Polyakov <[email protected]> for the OpenSSL -// # project. The module is, however, dual licensed under OpenSSL and -// # CRYPTOGAMS licenses depending on where you obtain it. For further -// # details see http://www.openssl.org/~appro/cryptogams/. -// # ==================================================================== - -// The implementations for gcmHash and gcmInit are based on the generated asm -// from the script https://github.com/dot-asm/cryptogams/blob/master/ppc/ghashp8-ppc.pl -// from commit d47afb3c. - -// Changes were made due to differences in the ABI and some register usage. -// Some arguments were changed due to the way the Go code passes them. - -// Portions that use the stitched AES-GCM approach in counterCryptASM -// are based on code found in -// https://github.com/IBM/ipcri/blob/main/aes/p10_aes_gcm.s - -#include "textflag.h" - -#define XIP R3 -#define HTBL R4 -#define INP R5 -#define LEN R6 - -#define XL V0 -#define XM V1 -#define XH V2 -#define IN V3 -#define ZERO V4 -#define T0 V5 -#define T1 V6 -#define T2 V7 -#define XC2 V8 -#define H V9 -#define HH V10 -#define HL V11 -#define LEMASK V12 -#define XL1 V13 -#define XM1 V14 -#define XH1 V15 -#define IN1 V16 -#define H2 V17 -#define H2H V18 -#define H2L V19 -#define XL3 V20 -#define XM2 V21 -#define IN2 V22 -#define H3L V23 -#define H3 V24 -#define H3H V25 -#define XH3 V26 -#define XM3 V27 -#define IN3 V28 -#define H4L V29 -#define H4 V30 -#define H4H V31 - -#define IN0 IN -#define H21L HL -#define H21H HH -#define LOPERM H2L -#define HIPERM H2H - -#define VXL VS32 -#define VIN VS35 -#define VXC2 VS40 -#define VH VS41 -#define VHH VS42 -#define VHL VS43 -#define VIN1 VS48 -#define VH2 VS49 -#define VH2H VS50 -#define VH2L VS51 - -#define VIN2 VS54 -#define VH3L VS55 -#define VH3 VS56 -#define VH3H VS57 -#define VIN3 VS60 -#define VH4L VS61 -#define VH4 VS62 -#define VH4H VS63 - -#define VIN0 VIN - -#define ESPERM V10 -#define TMP2 V11 - -DATA ·rcon+0x00(SB)/8, $0x0f0e0d0c0b0a0908 // Permute for vector doubleword endian swap -DATA ·rcon+0x08(SB)/8, $0x0706050403020100 -DATA ·rcon+0x10(SB)/8, $0x0100000001000000 // RCON -DATA ·rcon+0x18(SB)/8, $0x0100000001000000 // RCON -DATA ·rcon+0x20(SB)/8, $0x1b0000001b000000 -DATA ·rcon+0x28(SB)/8, $0x1b0000001b000000 -DATA ·rcon+0x30(SB)/8, $0x0d0e0f0c0d0e0f0c // MASK -DATA ·rcon+0x38(SB)/8, $0x0d0e0f0c0d0e0f0c // MASK -DATA ·rcon+0x40(SB)/8, $0x0000000000000000 -DATA ·rcon+0x48(SB)/8, $0x0000000000000000 -GLOBL ·rcon(SB), RODATA, $80 - -// The following macros provide appropriate -// implementations for endianness as well as -// ISA specific for power8 and power9. -#ifdef GOARCH_ppc64le -# ifdef GOPPC64_power9 -#define P8_LXVB16X(RA,RB,VT) LXVB16X (RA)(RB), VT -#define P8_STXVB16X(VS,RA,RB) STXVB16X VS, (RA)(RB) -# else -#define NEEDS_ESPERM -#define P8_LXVB16X(RA,RB,VT) \ - LXVD2X (RA+RB), VT \ - VPERM VT, VT, ESPERM, VT - -#define P8_STXVB16X(VS,RA,RB) \ - VPERM VS, VS, ESPERM, TMP2; \ - STXVD2X TMP2, (RA+RB) - -# endif -#else -#define P8_LXVB16X(RA,RB,VT) \ - LXVD2X (RA+RB), VT - -#define P8_STXVB16X(VS,RA,RB) \ - STXVD2X VS, (RA+RB) - -#endif - -#define MASK_PTR R8 - -#define MASKV V0 -#define INV V1 - -// The following macros are used for -// the stitched implementation within -// counterCryptASM. - -// Load the initial GCM counter value -// in V30 and set up the counter increment -// in V31 -#define SETUP_COUNTER \ - P8_LXVB16X(COUNTER, R0, V30); \ - VSPLTISB $1, V28; \ - VXOR V31, V31, V31; \ - VSLDOI $1, V31, V28, V31 - -// These macros set up the initial value -// for a single encryption, or 4 or 8 -// stitched encryptions implemented -// with interleaving vciphers. -// -// The input value for each encryption -// is generated by XORing the counter -// from V30 with the first key in VS0 -// and incrementing the counter. -// -// Single encryption in V15 -#define GEN_VCIPHER_INPUT \ - XXLOR VS0, VS0, V29 \ - VXOR V30, V29, V15; \ - VADDUWM V30, V31, V30 - -// 4 encryptions in V15 - V18 -#define GEN_VCIPHER_4_INPUTS \ - XXLOR VS0, VS0, V29; \ - VXOR V30, V29, V15; \ - VADDUWM V30, V31, V30; \ - VXOR V30, V29, V16; \ - VADDUWM V30, V31, V30; \ - VXOR V30, V29, V17; \ - VADDUWM V30, V31, V30; \ - VXOR V30, V29, V18; \ - VADDUWM V30, V31, V30 - -// 8 encryptions in V15 - V22 -#define GEN_VCIPHER_8_INPUTS \ - XXLOR VS0, VS0, V29; \ - VXOR V30, V29, V15; \ - VADDUWM V30, V31, V30; \ - VXOR V30, V29, V16; \ - VADDUWM V30, V31, V30; \ - VXOR V30, V29, V17; \ - VADDUWM V30, V31, V30; \ - VXOR V30, V29, V18; \ - VADDUWM V30, V31, V30; \ - VXOR V30, V29, V19; \ - VADDUWM V30, V31, V30; \ - VXOR V30, V29, V20; \ - VADDUWM V30, V31, V30; \ - VXOR V30, V29, V21; \ - VADDUWM V30, V31, V30; \ - VXOR V30, V29, V22; \ - VADDUWM V30, V31, V30 - -// Load the keys to be used for -// encryption based on key_len. -// Keys are in VS0 - VS14 -// depending on key_len. -// Valid keys sizes are verified -// here. CR2 is set and used -// throughout to check key_len. -#define LOAD_KEYS(blk_key, key_len) \ - MOVD $16, R16; \ - MOVD $32, R17; \ - MOVD $48, R18; \ - MOVD $64, R19; \ - LXVD2X (blk_key)(R0), VS0; \ - LXVD2X (blk_key)(R16), VS1; \ - LXVD2X (blk_key)(R17), VS2; \ - LXVD2X (blk_key)(R18), VS3; \ - LXVD2X (blk_key)(R19), VS4; \ - ADD $64, R16; \ - ADD $64, R17; \ - ADD $64, R18; \ - ADD $64, R19; \ - LXVD2X (blk_key)(R16), VS5; \ - LXVD2X (blk_key)(R17), VS6; \ - LXVD2X (blk_key)(R18), VS7; \ - LXVD2X (blk_key)(R19), VS8; \ - ADD $64, R16; \ - ADD $64, R17; \ - ADD $64, R18; \ - ADD $64, R19; \ - LXVD2X (blk_key)(R16), VS9; \ - LXVD2X (blk_key)(R17), VS10; \ - CMP key_len, $12, CR2; \ - CMP key_len, $10; \ - BEQ keysLoaded; \ - LXVD2X (blk_key)(R18), VS11; \ - LXVD2X (blk_key)(R19), VS12; \ - BEQ CR2, keysLoaded; \ - ADD $64, R16; \ - ADD $64, R17; \ - LXVD2X (blk_key)(R16), VS13; \ - LXVD2X (blk_key)(R17), VS14; \ - CMP key_len, $14; \ - BEQ keysLoaded; \ - MOVD R0,0(R0); \ -keysLoaded: - -// Encrypt 1 (vin) with first 9 -// keys from VS1 - VS9. -#define VCIPHER_1X9_KEYS(vin) \ - XXLOR VS1, VS1, V23; \ - XXLOR VS2, VS2, V24; \ - XXLOR VS3, VS3, V25; \ - XXLOR VS4, VS4, V26; \ - XXLOR VS5, VS5, V27; \ - VCIPHER vin, V23, vin; \ - VCIPHER vin, V24, vin; \ - VCIPHER vin, V25, vin; \ - VCIPHER vin, V26, vin; \ - VCIPHER vin, V27, vin; \ - XXLOR VS6, VS6, V23; \ - XXLOR VS7, VS7, V24; \ - XXLOR VS8, VS8, V25; \ - XXLOR VS9, VS9, V26; \ - VCIPHER vin, V23, vin; \ - VCIPHER vin, V24, vin; \ - VCIPHER vin, V25, vin; \ - VCIPHER vin, V26, vin - -// Encrypt 1 value (vin) with -// 2 specified keys -#define VCIPHER_1X2_KEYS(vin, key1, key2) \ - XXLOR key1, key1, V25; \ - XXLOR key2, key2, V26; \ - VCIPHER vin, V25, vin; \ - VCIPHER vin, V26, vin - -// Encrypt 4 values in V15 - V18 -// with the specified key from -// VS1 - VS9. -#define VCIPHER_4X1_KEY(key) \ - XXLOR key, key, V23; \ - VCIPHER V15, V23, V15; \ - VCIPHER V16, V23, V16; \ - VCIPHER V17, V23, V17; \ - VCIPHER V18, V23, V18 - -// Encrypt 8 values in V15 - V22 -// with the specified key, -// assuming it is a VSreg -#define VCIPHER_8X1_KEY(key) \ - XXLOR key, key, V23; \ - VCIPHER V15, V23, V15; \ - VCIPHER V16, V23, V16; \ - VCIPHER V17, V23, V17; \ - VCIPHER V18, V23, V18; \ - VCIPHER V19, V23, V19; \ - VCIPHER V20, V23, V20; \ - VCIPHER V21, V23, V21; \ - VCIPHER V22, V23, V22 - -// Load input block into V1-V4 -// in big endian order and -// update blk_inp by 64. -#define LOAD_INPUT_BLOCK64(blk_inp) \ - MOVD $16, R16; \ - MOVD $32, R17; \ - MOVD $48, R18; \ - P8_LXVB16X(blk_inp,R0,V1); \ - P8_LXVB16X(blk_inp,R16,V2); \ - P8_LXVB16X(blk_inp,R17,V3); \ - P8_LXVB16X(blk_inp,R18,V4); \ - ADD $64, blk_inp - -// Load input block into V1-V8 -// in big endian order and -// Update blk_inp by 128 -#define LOAD_INPUT_BLOCK128(blk_inp) \ - MOVD $16, R16; \ - MOVD $32, R17; \ - MOVD $48, R18; \ - MOVD $64, R19; \ - MOVD $80, R20; \ - MOVD $96, R21; \ - MOVD $112, R22; \ - P8_LXVB16X(blk_inp,R0,V1); \ - P8_LXVB16X(blk_inp,R16,V2); \ - P8_LXVB16X(blk_inp,R17,V3); \ - P8_LXVB16X(blk_inp,R18,V4); \ - P8_LXVB16X(blk_inp,R19,V5); \ - P8_LXVB16X(blk_inp,R20,V6); \ - P8_LXVB16X(blk_inp,R21,V7); \ - P8_LXVB16X(blk_inp,R22,V8); \ - ADD $128, blk_inp - -// Finish encryption on 8 streams and -// XOR with input block -#define VCIPHERLAST8_XOR_INPUT \ - VCIPHERLAST V15, V23, V15; \ - VCIPHERLAST V16, V23, V16; \ - VCIPHERLAST V17, V23, V17; \ - VCIPHERLAST V18, V23, V18; \ - VCIPHERLAST V19, V23, V19; \ - VCIPHERLAST V20, V23, V20; \ - VCIPHERLAST V21, V23, V21; \ - VCIPHERLAST V22, V23, V22; \ - XXLXOR V1, V15, V1; \ - XXLXOR V2, V16, V2; \ - XXLXOR V3, V17, V3; \ - XXLXOR V4, V18, V4; \ - XXLXOR V5, V19, V5; \ - XXLXOR V6, V20, V6; \ - XXLXOR V7, V21, V7; \ - XXLXOR V8, V22, V8 - -// Finish encryption on 4 streams and -// XOR with input block -#define VCIPHERLAST4_XOR_INPUT \ - VCIPHERLAST V15, V23, V15; \ - VCIPHERLAST V16, V23, V16; \ - VCIPHERLAST V17, V23, V17; \ - VCIPHERLAST V18, V23, V18; \ - XXLXOR V1, V15, V1; \ - XXLXOR V2, V16, V2; \ - XXLXOR V3, V17, V3; \ - XXLXOR V4, V18, V4 - -// Store output block from V1-V8 -// in big endian order and -// Update blk_out by 128 -#define STORE_OUTPUT_BLOCK128(blk_out) \ - P8_STXVB16X(V1,blk_out,R0); \ - P8_STXVB16X(V2,blk_out,R16); \ - P8_STXVB16X(V3,blk_out,R17); \ - P8_STXVB16X(V4,blk_out,R18); \ - P8_STXVB16X(V5,blk_out,R19); \ - P8_STXVB16X(V6,blk_out,R20); \ - P8_STXVB16X(V7,blk_out,R21); \ - P8_STXVB16X(V8,blk_out,R22); \ - ADD $128, blk_out - -// Store output block from V1-V4 -// in big endian order and -// Update blk_out by 64 -#define STORE_OUTPUT_BLOCK64(blk_out) \ - P8_STXVB16X(V1,blk_out,R0); \ - P8_STXVB16X(V2,blk_out,R16); \ - P8_STXVB16X(V3,blk_out,R17); \ - P8_STXVB16X(V4,blk_out,R18); \ - ADD $64, blk_out - -// func gcmInit(productTable *[256]byte, h []byte) -TEXT ·gcmInit(SB), NOSPLIT, $0-32 - MOVD productTable+0(FP), XIP - MOVD h+8(FP), HTBL - - MOVD $0x10, R8 - MOVD $0x20, R9 - MOVD $0x30, R10 - LXVD2X (HTBL)(R0), VH // Load H - - VSPLTISB $-16, XC2 // 0xf0 - VSPLTISB $1, T0 // one - VADDUBM XC2, XC2, XC2 // 0xe0 - VXOR ZERO, ZERO, ZERO - VOR XC2, T0, XC2 // 0xe1 - VSLDOI $15, XC2, ZERO, XC2 // 0xe1... - VSLDOI $1, ZERO, T0, T1 // ...1 - VADDUBM XC2, XC2, XC2 // 0xc2... - VSPLTISB $7, T2 - VOR XC2, T1, XC2 // 0xc2....01 - VSPLTB $0, H, T1 // most significant byte - VSL H, T0, H // H<<=1 - VSRAB T1, T2, T1 // broadcast carry bit - VAND T1, XC2, T1 - VXOR H, T1, IN // twisted H - - VSLDOI $8, IN, IN, H // twist even more ... - VSLDOI $8, ZERO, XC2, XC2 // 0xc2.0 - VSLDOI $8, ZERO, H, HL // ... and split - VSLDOI $8, H, ZERO, HH - - STXVD2X VXC2, (XIP+R0) // save pre-computed table - STXVD2X VHL, (XIP+R8) - MOVD $0x40, R8 - STXVD2X VH, (XIP+R9) - MOVD $0x50, R9 - STXVD2X VHH, (XIP+R10) - MOVD $0x60, R10 - - VPMSUMD IN, HL, XL // H.lo·H.lo - VPMSUMD IN, H, XM // H.hi·H.lo+H.lo·H.hi - VPMSUMD IN, HH, XH // H.hi·H.hi - - VPMSUMD XL, XC2, T2 // 1st reduction phase - - VSLDOI $8, XM, ZERO, T0 - VSLDOI $8, ZERO, XM, T1 - VXOR XL, T0, XL - VXOR XH, T1, XH - - VSLDOI $8, XL, XL, XL - VXOR XL, T2, XL - - VSLDOI $8, XL, XL, T1 // 2nd reduction phase - VPMSUMD XL, XC2, XL - VXOR T1, XH, T1 - VXOR XL, T1, IN1 - - VSLDOI $8, IN1, IN1, H2 - VSLDOI $8, ZERO, H2, H2L - VSLDOI $8, H2, ZERO, H2H - - STXVD2X VH2L, (XIP+R8) // save H^2 - MOVD $0x70, R8 - STXVD2X VH2, (XIP+R9) - MOVD $0x80, R9 - STXVD2X VH2H, (XIP+R10) - MOVD $0x90, R10 - - VPMSUMD IN, H2L, XL // H.lo·H^2.lo - VPMSUMD IN1, H2L, XL1 // H^2.lo·H^2.lo - VPMSUMD IN, H2, XM // H.hi·H^2.lo+H.lo·H^2.hi - VPMSUMD IN1, H2, XM1 // H^2.hi·H^2.lo+H^2.lo·H^2.hi - VPMSUMD IN, H2H, XH // H.hi·H^2.hi - VPMSUMD IN1, H2H, XH1 // H^2.hi·H^2.hi - - VPMSUMD XL, XC2, T2 // 1st reduction phase - VPMSUMD XL1, XC2, HH // 1st reduction phase - - VSLDOI $8, XM, ZERO, T0 - VSLDOI $8, ZERO, XM, T1 - VSLDOI $8, XM1, ZERO, HL - VSLDOI $8, ZERO, XM1, H - VXOR XL, T0, XL - VXOR XH, T1, XH - VXOR XL1, HL, XL1 - VXOR XH1, H, XH1 - - VSLDOI $8, XL, XL, XL - VSLDOI $8, XL1, XL1, XL1 - VXOR XL, T2, XL - VXOR XL1, HH, XL1 - - VSLDOI $8, XL, XL, T1 // 2nd reduction phase - VSLDOI $8, XL1, XL1, H // 2nd reduction phase - VPMSUMD XL, XC2, XL - VPMSUMD XL1, XC2, XL1 - VXOR T1, XH, T1 - VXOR H, XH1, H - VXOR XL, T1, XL - VXOR XL1, H, XL1 - - VSLDOI $8, XL, XL, H - VSLDOI $8, XL1, XL1, H2 - VSLDOI $8, ZERO, H, HL - VSLDOI $8, H, ZERO, HH - VSLDOI $8, ZERO, H2, H2L - VSLDOI $8, H2, ZERO, H2H - - STXVD2X VHL, (XIP+R8) // save H^3 - MOVD $0xa0, R8 - STXVD2X VH, (XIP+R9) - MOVD $0xb0, R9 - STXVD2X VHH, (XIP+R10) - MOVD $0xc0, R10 - STXVD2X VH2L, (XIP+R8) // save H^4 - STXVD2X VH2, (XIP+R9) - STXVD2X VH2H, (XIP+R10) - - RET - -// func gcmHash(output []byte, productTable *[256]byte, inp []byte, len int) -TEXT ·gcmHash(SB), NOSPLIT, $0-64 - MOVD output+0(FP), XIP - MOVD productTable+24(FP), HTBL - MOVD inp+32(FP), INP - MOVD len+56(FP), LEN - - MOVD $0x10, R8 - MOVD $0x20, R9 - MOVD $0x30, R10 - LXVD2X (XIP)(R0), VXL // load Xi - - LXVD2X (HTBL)(R8), VHL // load pre-computed table - MOVD $0x40, R8 - LXVD2X (HTBL)(R9), VH - MOVD $0x50, R9 - LXVD2X (HTBL)(R10), VHH - MOVD $0x60, R10 - LXVD2X (HTBL)(R0), VXC2 -#ifdef GOARCH_ppc64le - LVSL (R0)(R0), LEMASK - VSPLTISB $0x07, T0 - VXOR LEMASK, T0, LEMASK - VPERM XL, XL, LEMASK, XL -#endif - VXOR ZERO, ZERO, ZERO - - CMPU LEN, $64 - BGE gcm_ghash_p8_4x - - LXVD2X (INP)(R0), VIN - ADD $16, INP, INP - SUBCCC $16, LEN, LEN -#ifdef GOARCH_ppc64le - VPERM IN, IN, LEMASK, IN -#endif - VXOR IN, XL, IN - BEQ short - - LXVD2X (HTBL)(R8), VH2L // load H^2 - MOVD $16, R8 - LXVD2X (HTBL)(R9), VH2 - ADD LEN, INP, R9 // end of input - LXVD2X (HTBL)(R10), VH2H - -loop_2x: - LXVD2X (INP)(R0), VIN1 -#ifdef GOARCH_ppc64le - VPERM IN1, IN1, LEMASK, IN1 -#endif - - SUBC $32, LEN, LEN - VPMSUMD IN, H2L, XL // H^2.lo·Xi.lo - VPMSUMD IN1, HL, XL1 // H.lo·Xi+1.lo - SUBE R11, R11, R11 // borrow?-1:0 - VPMSUMD IN, H2, XM // H^2.hi·Xi.lo+H^2.lo·Xi.hi - VPMSUMD IN1, H, XM1 // H.hi·Xi+1.lo+H.lo·Xi+1.hi - AND LEN, R11, R11 - VPMSUMD IN, H2H, XH // H^2.hi·Xi.hi - VPMSUMD IN1, HH, XH1 // H.hi·Xi+1.hi - ADD R11, INP, INP - - VXOR XL, XL1, XL - VXOR XM, XM1, XM - - VPMSUMD XL, XC2, T2 // 1st reduction phase - - VSLDOI $8, XM, ZERO, T0 - VSLDOI $8, ZERO, XM, T1 - VXOR XH, XH1, XH - VXOR XL, T0, XL - VXOR XH, T1, XH - - VSLDOI $8, XL, XL, XL - VXOR XL, T2, XL - LXVD2X (INP)(R8), VIN - ADD $32, INP, INP - - VSLDOI $8, XL, XL, T1 // 2nd reduction phase - VPMSUMD XL, XC2, XL -#ifdef GOARCH_ppc64le - VPERM IN, IN, LEMASK, IN -#endif - VXOR T1, XH, T1 - VXOR IN, T1, IN - VXOR IN, XL, IN - CMP R9, INP - BGT loop_2x // done yet? - - CMPWU LEN, $0 - BNE even - -short: - VPMSUMD IN, HL, XL // H.lo·Xi.lo - VPMSUMD IN, H, XM // H.hi·Xi.lo+H.lo·Xi.hi - VPMSUMD IN, HH, XH // H.hi·Xi.hi - - VPMSUMD XL, XC2, T2 // 1st reduction phase - - VSLDOI $8, XM, ZERO, T0 - VSLDOI $8, ZERO, XM, T1 - VXOR XL, T0, XL - VXOR XH, T1, XH - - VSLDOI $8, XL, XL, XL - VXOR XL, T2, XL - - VSLDOI $8, XL, XL, T1 // 2nd reduction phase - VPMSUMD XL, XC2, XL - VXOR T1, XH, T1 - -even: - VXOR XL, T1, XL -#ifdef GOARCH_ppc64le - VPERM XL, XL, LEMASK, XL -#endif - STXVD2X VXL, (XIP+R0) - - OR R12, R12, R12 // write out Xi - RET - -gcm_ghash_p8_4x: - LVSL (R8)(R0), T0 // 0x0001..0e0f - MOVD $0x70, R8 - LXVD2X (HTBL)(R9), VH2 - MOVD $0x80, R9 - VSPLTISB $8, T1 // 0x0808..0808 - MOVD $0x90, R10 - LXVD2X (HTBL)(R8), VH3L // load H^3 - MOVD $0xa0, R8 - LXVD2X (HTBL)(R9), VH3 - MOVD $0xb0, R9 - LXVD2X (HTBL)(R10), VH3H - MOVD $0xc0, R10 - LXVD2X (HTBL)(R8), VH4L // load H^4 - MOVD $0x10, R8 - LXVD2X (HTBL)(R9), VH4 - MOVD $0x20, R9 - LXVD2X (HTBL)(R10), VH4H - MOVD $0x30, R10 - - VSLDOI $8, ZERO, T1, T2 // 0x0000..0808 - VADDUBM T0, T2, HIPERM // 0x0001..1617 - VADDUBM T1, HIPERM, LOPERM // 0x0809..1e1f - - SRD $4, LEN, LEN // this allows to use sign bit as carry - - LXVD2X (INP)(R0), VIN0 // load input - LXVD2X (INP)(R8), VIN1 - SUBCCC $8, LEN, LEN - LXVD2X (INP)(R9), VIN2 - LXVD2X (INP)(R10), VIN3 - ADD $0x40, INP, INP -#ifdef GOARCH_ppc64le - VPERM IN0, IN0, LEMASK, IN0 - VPERM IN1, IN1, LEMASK, IN1 - VPERM IN2, IN2, LEMASK, IN2 - VPERM IN3, IN3, LEMASK, IN3 -#endif - - VXOR IN0, XL, XH - - VPMSUMD IN1, H3L, XL1 - VPMSUMD IN1, H3, XM1 - VPMSUMD IN1, H3H, XH1 - - VPERM H2, H, HIPERM, H21L - VPERM IN2, IN3, LOPERM, T0 - VPERM H2, H, LOPERM, H21H - VPERM IN2, IN3, HIPERM, T1 - VPMSUMD IN2, H2, XM2 // H^2.lo·Xi+2.hi+H^2.hi·Xi+2.lo - VPMSUMD T0, H21L, XL3 // H^2.lo·Xi+2.lo+H.lo·Xi+3.lo - VPMSUMD IN3, H, XM3 // H.hi·Xi+3.lo +H.lo·Xi+3.hi - VPMSUMD T1, H21H, XH3 // H^2.hi·Xi+2.hi+H.hi·Xi+3.hi - - VXOR XM2, XM1, XM2 - VXOR XL3, XL1, XL3 - VXOR XM3, XM2, XM3 - VXOR XH3, XH1, XH3 - - BLT tail_4x - -loop_4x: - LXVD2X (INP)(R0), VIN0 - LXVD2X (INP)(R8), VIN1 - SUBCCC $4, LEN, LEN - LXVD2X (INP)(R9), VIN2 - LXVD2X (INP)(R10), VIN3 - ADD $0x40, INP, INP -#ifdef GOARCH_ppc64le - VPERM IN1, IN1, LEMASK, IN1 - VPERM IN2, IN2, LEMASK, IN2 - VPERM IN3, IN3, LEMASK, IN3 - VPERM IN0, IN0, LEMASK, IN0 -#endif - - VPMSUMD XH, H4L, XL // H^4.lo·Xi.lo - VPMSUMD XH, H4, XM // H^4.hi·Xi.lo+H^4.lo·Xi.hi - VPMSUMD XH, H4H, XH // H^4.hi·Xi.hi - VPMSUMD IN1, H3L, XL1 - VPMSUMD IN1, H3, XM1 - VPMSUMD IN1, H3H, XH1 - - VXOR XL, XL3, XL - VXOR XM, XM3, XM - VXOR XH, XH3, XH - VPERM IN2, IN3, LOPERM, T0 - VPERM IN2, IN3, HIPERM, T1 - - VPMSUMD XL, XC2, T2 // 1st reduction phase - VPMSUMD T0, H21L, XL3 // H.lo·Xi+3.lo +H^2.lo·Xi+2.lo - VPMSUMD T1, H21H, XH3 // H.hi·Xi+3.hi +H^2.hi·Xi+2.hi - - VSLDOI $8, XM, ZERO, T0 - VSLDOI $8, ZERO, XM, T1 - VXOR XL, T0, XL - VXOR XH, T1, XH - - VSLDOI $8, XL, XL, XL - VXOR XL, T2, XL - - VSLDOI $8, XL, XL, T1 // 2nd reduction phase - VPMSUMD IN2, H2, XM2 // H^2.hi·Xi+2.lo+H^2.lo·Xi+2.hi - VPMSUMD IN3, H, XM3 // H.hi·Xi+3.lo +H.lo·Xi+3.hi - VPMSUMD XL, XC2, XL - - VXOR XL3, XL1, XL3 - VXOR XH3, XH1, XH3 - VXOR XH, IN0, XH - VXOR XM2, XM1, XM2 - VXOR XH, T1, XH - VXOR XM3, XM2, XM3 - VXOR XH, XL, XH - BGE loop_4x - -tail_4x: - VPMSUMD XH, H4L, XL // H^4.lo·Xi.lo - VPMSUMD XH, H4, XM // H^4.hi·Xi.lo+H^4.lo·Xi.hi - VPMSUMD XH, H4H, XH // H^4.hi·Xi.hi - - VXOR XL, XL3, XL - VXOR XM, XM3, XM - - VPMSUMD XL, XC2, T2 // 1st reduction phase - - VSLDOI $8, XM, ZERO, T0 - VSLDOI $8, ZERO, XM, T1 - VXOR XH, XH3, XH - VXOR XL, T0, XL - VXOR XH, T1, XH - - VSLDOI $8, XL, XL, XL - VXOR XL, T2, XL - - VSLDOI $8, XL, XL, T1 // 2nd reduction phase - VPMSUMD XL, XC2, XL - VXOR T1, XH, T1 - VXOR XL, T1, XL - - ADDCCC $4, LEN, LEN - BEQ done_4x - - LXVD2X (INP)(R0), VIN0 - CMPU LEN, $2 - MOVD $-4, LEN - BLT one - LXVD2X (INP)(R8), VIN1 - BEQ two - -three: - LXVD2X (INP)(R9), VIN2 -#ifdef GOARCH_ppc64le - VPERM IN0, IN0, LEMASK, IN0 - VPERM IN1, IN1, LEMASK, IN1 - VPERM IN2, IN2, LEMASK, IN2 -#endif - - VXOR IN0, XL, XH - VOR H3L, H3L, H4L - VOR H3, H3, H4 - VOR H3H, H3H, H4H - - VPERM IN1, IN2, LOPERM, T0 - VPERM IN1, IN2, HIPERM, T1 - VPMSUMD IN1, H2, XM2 // H^2.lo·Xi+1.hi+H^2.hi·Xi+1.lo - VPMSUMD IN2, H, XM3 // H.hi·Xi+2.lo +H.lo·Xi+2.hi - VPMSUMD T0, H21L, XL3 // H^2.lo·Xi+1.lo+H.lo·Xi+2.lo - VPMSUMD T1, H21H, XH3 // H^2.hi·Xi+1.hi+H.hi·Xi+2.hi - - VXOR XM3, XM2, XM3 - JMP tail_4x - -two: -#ifdef GOARCH_ppc64le - VPERM IN0, IN0, LEMASK, IN0 - VPERM IN1, IN1, LEMASK, IN1 -#endif - - VXOR IN, XL, XH - VPERM ZERO, IN1, LOPERM, T0 - VPERM ZERO, IN1, HIPERM, T1 - - VSLDOI $8, ZERO, H2, H4L - VOR H2, H2, H4 - VSLDOI $8, H2, ZERO, H4H - - VPMSUMD T0, H21L, XL3 // H.lo·Xi+1.lo - VPMSUMD IN1, H, XM3 // H.hi·Xi+1.lo+H.lo·Xi+2.hi - VPMSUMD T1, H21H, XH3 // H.hi·Xi+1.hi - - JMP tail_4x - -one: -#ifdef GOARCH_ppc64le - VPERM IN0, IN0, LEMASK, IN0 -#endif - - VSLDOI $8, ZERO, H, H4L - VOR H, H, H4 - VSLDOI $8, H, ZERO, H4H - - VXOR IN0, XL, XH - VXOR XL3, XL3, XL3 - VXOR XM3, XM3, XM3 - VXOR XH3, XH3, XH3 - - JMP tail_4x - -done_4x: -#ifdef GOARCH_ppc64le - VPERM XL, XL, LEMASK, XL -#endif - STXVD2X VXL, (XIP+R0) // write out Xi - RET - -#define BLK_INP R3 -#define BLK_OUT R4 -#define BLK_KEY R5 -#define KEY_LEN R6 -#define BLK_IDX R7 -#define IDX R8 -#define IN_LEN R9 -#define COUNTER R10 -#define CONPTR R14 -#define MASK V5 - -// Implementation of the counterCrypt function in assembler. -// Original loop is unrolled to allow for multiple encryption -// streams to be done in parallel, which is achieved by interleaving -// vcipher instructions from each stream. This is also referred to as -// stitching, and provides significant performance improvements. -// Some macros are defined which enable execution for big or little -// endian as well as different ISA targets. -//func (g *gcmAsm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte, key[gcmBlockSize]uint32) -//func counterCryptASM(xr, out, in, counter, key) -TEXT ·counterCryptASM(SB), NOSPLIT, $16-72 - MOVD xr(FP), KEY_LEN - MOVD out+8(FP), BLK_OUT - MOVD out_len+16(FP), R8 - MOVD in+32(FP), BLK_INP - MOVD in_len+40(FP), IN_LEN - MOVD counter+56(FP), COUNTER - MOVD key+64(FP), BLK_KEY - -// Set up permute string when needed. -#ifdef NEEDS_ESPERM - MOVD $·rcon(SB), R14 - LVX (R14), ESPERM // Permute value for P8_ macros. -#endif - SETUP_COUNTER // V30 Counter V31 BE {0, 0, 0, 1} - LOAD_KEYS(BLK_KEY, KEY_LEN) // VS1 - VS10/12/14 based on keysize - CMP IN_LEN, $128 - BLT block64 -block128_loop: - // Do 8 encryptions in parallel by setting - // input values in V15-V22 and executing - // vcipher on the updated value and the keys. - GEN_VCIPHER_8_INPUTS - VCIPHER_8X1_KEY(VS1) - VCIPHER_8X1_KEY(VS2) - VCIPHER_8X1_KEY(VS3) - VCIPHER_8X1_KEY(VS4) - VCIPHER_8X1_KEY(VS5) - VCIPHER_8X1_KEY(VS6) - VCIPHER_8X1_KEY(VS7) - VCIPHER_8X1_KEY(VS8) - VCIPHER_8X1_KEY(VS9) - // Additional encryptions are done based on - // the key length, with the last key moved - // to V23 for use with VCIPHERLAST. - // CR2 = CMP key_len, $12 - XXLOR VS10, VS10, V23 - BLT CR2, block128_last // key_len = 10 - VCIPHER_8X1_KEY(VS10) - VCIPHER_8X1_KEY(VS11) - XXLOR VS12,VS12,V23 - BEQ CR2, block128_last // ken_len = 12 - VCIPHER_8X1_KEY(VS12) - VCIPHER_8X1_KEY(VS13) - XXLOR VS14,VS14,V23 // key_len = 14 -block128_last: - // vcipher encryptions are in V15-V22 at this - // point with vcipherlast remaining to be done. - // Load input block into V1-V8, setting index offsets - // in R16-R22 to use with the STORE. - LOAD_INPUT_BLOCK128(BLK_INP) - // Do VCIPHERLAST on the last key for each encryption - // stream and XOR the result with the corresponding - // value from the input block. - VCIPHERLAST8_XOR_INPUT - // Store the results (8*16) and update BLK_OUT by 128. - STORE_OUTPUT_BLOCK128(BLK_OUT) - ADD $-128, IN_LEN // input size - CMP IN_LEN, $128 // check if >= blocksize - BGE block128_loop // next input block - CMP IN_LEN, $0 - BEQ done -block64: - CMP IN_LEN, $64 // Check if >= 64 - BLT block16_loop - // Do 4 encryptions in parallel by setting - // input values in V15-V18 and executing - // vcipher on the updated value and the keys. - GEN_VCIPHER_4_INPUTS - VCIPHER_4X1_KEY(VS1) - VCIPHER_4X1_KEY(VS2) - VCIPHER_4X1_KEY(VS3) - VCIPHER_4X1_KEY(VS4) - VCIPHER_4X1_KEY(VS5) - VCIPHER_4X1_KEY(VS6) - VCIPHER_4X1_KEY(VS7) - VCIPHER_4X1_KEY(VS8) - VCIPHER_4X1_KEY(VS9) - // Check key length based on CR2 - // Move last key to V23 for use with later vcipherlast - XXLOR VS10, VS10, V23 - BLT CR2, block64_last // size = 10 - VCIPHER_4X1_KEY(VS10) // Encrypt next 2 keys - VCIPHER_4X1_KEY(VS11) - XXLOR VS12, VS12, V23 - BEQ CR2, block64_last // size = 12 - VCIPHER_4X1_KEY(VS12) // Encrypt last 2 keys - VCIPHER_4X1_KEY(VS13) - XXLOR VS14, VS14, V23 // size = 14 -block64_last: - LOAD_INPUT_BLOCK64(BLK_INP) // Load 64 bytes of input - // Do VCIPHERLAST on the last for each encryption - // stream and XOR the result with the corresponding - // value from the input block. - VCIPHERLAST4_XOR_INPUT - // Store the results (4*16) and update BLK_OUT by 64. - STORE_OUTPUT_BLOCK64(BLK_OUT) - ADD $-64, IN_LEN // decrement input block length - CMP IN_LEN, $0 // check for remaining length - BEQ done -block16_loop: - CMP IN_LEN, $16 // More input - BLT final_block // If not, then handle partial block - // Single encryption, no stitching - GEN_VCIPHER_INPUT // Generate input value for single encryption - VCIPHER_1X9_KEYS(V15) // Encrypt V15 value with 9 keys - XXLOR VS10, VS10, V23 // Last key -> V23 for later vcipiherlast - // Key length based on CR2. (LT=10, EQ=12, GT=14) - BLT CR2, block16_last // Finish for key size 10 - VCIPHER_1X2_KEYS(V15, VS10, VS11) // Encrypt V15 with 2 more keys - XXLOR VS12, VS12, V23 // Last key -> V23 for later vcipherlast - BEQ CR2, block16_last // Finish for key size 12 - VCIPHER_1X2_KEYS(V15, VS12, VS13) // Encrypt V15 with last 2 keys - XXLOR VS14, VS14, V23 // Last key -> V23 for vcipherlast with key size 14 -block16_last: - P8_LXVB16X(BLK_INP, R0, V1) // Load input - VCIPHERLAST V15, V23, V15 // Encrypt last value in V23 - XXLXOR V15, V1, V1 // XOR with input - P8_STXVB16X(V1,R0,BLK_OUT) // Store final encryption value to output - ADD $16, BLK_INP // Increment input pointer - ADD $16, BLK_OUT // Increment output pointer - ADD $-16, IN_LEN // Decrement input length - BR block16_loop // Check for next -final_block: - CMP IN_LEN, $0 - BEQ done - GEN_VCIPHER_INPUT // Generate input value for partial encryption - VCIPHER_1X9_KEYS(V15) // Encrypt V15 with 9 keys - XXLOR VS10, VS10, V23 // Save possible last key - BLT CR2, final_block_last - VCIPHER_1X2_KEYS(V15, VS10, VS11) // Encrypt V15 with next 2 keys - XXLOR VS12, VS12, V23 // Save possible last key - BEQ CR2, final_block_last - VCIPHER_1X2_KEYS(V15, VS12, VS13) // Encrypt V15 with last 2 keys - XXLOR VS14, VS14, V23 // Save last key -final_block_last: - VCIPHERLAST V15, V23, V15 // Finish encryption -#ifdef GOPPC64_power10 - // set up length - SLD $56, IN_LEN, R17 - LXVLL BLK_INP, R17, V25 - VXOR V25, V15, V25 - STXVLL V25, BLK_OUT, R17 -#else - ADD $32, R1, MASK_PTR - MOVD $0, R16 - P8_STXVB16X(V15, MASK_PTR, R0) - CMP IN_LEN, $8 - BLT next4 - MOVD 0(MASK_PTR), R14 - MOVD 0(BLK_INP), R15 - XOR R14, R15, R14 - MOVD R14, 0(BLK_OUT) - ADD $8, R16 - ADD $-8, IN_LEN -next4: - CMP IN_LEN, $4 - BLT next2 - MOVWZ (BLK_INP)(R16), R15 - MOVWZ (MASK_PTR)(R16), R14 - XOR R14, R15, R14 - MOVW R14, (R16)(BLK_OUT) - ADD $4, R16 - ADD $-4, IN_LEN -next2: - CMP IN_LEN, $2 - BLT next1 - MOVHZ (BLK_INP)(R16), R15 - MOVHZ (MASK_PTR)(R16), R14 - XOR R14, R15, R14 - MOVH R14, (R16)(BLK_OUT) - ADD $2, R16 - ADD $-2, IN_LEN -next1: - CMP IN_LEN, $1 - BLT done - MOVBZ (MASK_PTR)(R16), R14 - MOVBZ (BLK_INP)(R16), R15 - XOR R14, R15, R14 - MOVB R14, (R16)(BLK_OUT) -#endif -done: - // Save the updated counter value - P8_STXVB16X(V30, COUNTER, R0) - // Clear the keys - XXLXOR VS0, VS0, VS0 - XXLXOR VS1, VS1, VS1 - XXLXOR VS2, VS2, VS2 - XXLXOR VS3, VS3, VS3 - XXLXOR VS4, VS4, VS4 - XXLXOR VS5, VS5, VS5 - XXLXOR VS6, VS6, VS6 - XXLXOR VS7, VS7, VS7 - XXLXOR VS8, VS8, VS8 - XXLXOR VS9, VS9, VS9 - XXLXOR VS10, VS10, VS10 - XXLXOR VS11, VS11, VS11 - XXLXOR VS12, VS12, VS12 - XXLXOR VS13, VS13, VS13 - XXLXOR VS14, VS14, VS14 - RET - diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_s390x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_s390x.go deleted file mode 100644 index 526f3f9d4a2..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_s390x.go +++ /dev/null @@ -1,251 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package gcm - -import ( - "crypto/internal/fips140/aes" - "crypto/internal/fips140/subtle" - "crypto/internal/fips140deps/byteorder" - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -// This file contains two implementations of AES-GCM. The first implementation -// (useGHASH) uses the KMCTR instruction to encrypt using AES in counter mode -// and the KIMD instruction for GHASH. The second implementation (useGCM) uses -// the newer KMA instruction which performs both operations (but still requires -// KIMD to hash large nonces). - -// Keep in sync with crypto/tls.hasAESGCMHardwareSupport. -var useGHASH = cpu.S390XHasAES && cpu.S390XHasAESCTR && cpu.S390XHasGHASH -var useGCM = useGHASH && cpu.S390XHasAESGCM - -func init() { - impl.Register("gcm", "CPACF/KIMD", &useGHASH) - impl.Register("gcm", "CPACF/KMA", &useGCM) -} - -func checkGenericIsExpected() { - if useGHASH || useGCM { - panic("gcm: internal error: using generic implementation despite hardware support") - } -} - -// gcmLengths writes len0 || len1 as big-endian values to a 16-byte array. -func gcmLengths(len0, len1 uint64) [16]byte { - v := [16]byte{} - byteorder.BEPutUint64(v[0:], len0) - byteorder.BEPutUint64(v[8:], len1) - return v -} - -// gcmHashKey represents the 16-byte hash key required by the GHASH algorithm. -type gcmHashKey [16]byte - -type gcmPlatformData struct { - hashKey gcmHashKey -} - -func initGCM(g *GCM) { - if !useGCM && !useGHASH { - return - } - // Note that hashKey is also used in the KMA codepath to hash large nonces. - aes.EncryptBlockInternal(&g.cipher, g.hashKey[:], g.hashKey[:]) -} - -// ghashAsm uses the GHASH algorithm to hash data with the given key. The initial -// hash value is given by hash which will be updated with the new hash value. -// The length of data must be a multiple of 16-bytes. -// -//go:noescape -func ghashAsm(key *gcmHashKey, hash *[16]byte, data []byte) - -// paddedGHASH pads data with zeroes until its length is a multiple of -// 16-bytes. It then calculates a new value for hash using the GHASH algorithm. -func paddedGHASH(hashKey *gcmHashKey, hash *[16]byte, data []byte) { - siz := len(data) &^ 0xf // align size to 16-bytes - if siz > 0 { - ghashAsm(hashKey, hash, data[:siz]) - data = data[siz:] - } - if len(data) > 0 { - var s [16]byte - copy(s[:], data) - ghashAsm(hashKey, hash, s[:]) - } -} - -// cryptBlocksGCM encrypts src using AES in counter mode using the given -// function code and key. The rightmost 32-bits of the counter are incremented -// between each block as required by the GCM spec. The initial counter value -// is given by cnt, which is updated with the value of the next counter value -// to use. -// -// The lengths of both dst and buf must be greater than or equal to the length -// of src. buf may be partially or completely overwritten during the execution -// of the function. -// -//go:noescape -func cryptBlocksGCM(fn int, key, dst, src, buf []byte, cnt *[gcmBlockSize]byte) - -// counterCrypt encrypts src using AES in counter mode and places the result -// into dst. cnt is the initial count value and will be updated with the next -// count value. The length of dst must be greater than or equal to the length -// of src. -func counterCrypt(g *GCM, dst, src []byte, cnt *[gcmBlockSize]byte) { - // Copying src into a buffer improves performance on some models when - // src and dst point to the same underlying array. We also need a - // buffer for counter values. - var ctrbuf, srcbuf [2048]byte - for len(src) >= 16 { - siz := len(src) - if len(src) > len(ctrbuf) { - siz = len(ctrbuf) - } - siz &^= 0xf // align siz to 16-bytes - copy(srcbuf[:], src[:siz]) - cryptBlocksGCM(aes.BlockFunction(&g.cipher), aes.BlockKey(&g.cipher), dst[:siz], srcbuf[:siz], ctrbuf[:], cnt) - src = src[siz:] - dst = dst[siz:] - } - if len(src) > 0 { - var x [16]byte - aes.EncryptBlockInternal(&g.cipher, x[:], cnt[:]) - for i := range src { - dst[i] = src[i] ^ x[i] - } - gcmInc32(cnt) - } -} - -// deriveCounter computes the initial GCM counter state from the given nonce. -// See NIST SP 800-38D, section 7.1 and deriveCounterGeneric in gcm_generic.go. -func deriveCounter(H *gcmHashKey, counter *[gcmBlockSize]byte, nonce []byte) { - if len(nonce) == gcmStandardNonceSize { - copy(counter[:], nonce) - counter[gcmBlockSize-1] = 1 - } else { - var hash [16]byte - paddedGHASH(H, &hash, nonce) - lens := gcmLengths(0, uint64(len(nonce))*8) - paddedGHASH(H, &hash, lens[:]) - copy(counter[:], hash[:]) - } -} - -// gcmAuth calculates GHASH(additionalData, ciphertext), masks the result -// with tagMask and writes the result to out. -func gcmAuth(out []byte, H *gcmHashKey, tagMask *[gcmBlockSize]byte, ciphertext, additionalData []byte) { - var hash [16]byte - paddedGHASH(H, &hash, additionalData) - paddedGHASH(H, &hash, ciphertext) - lens := gcmLengths(uint64(len(additionalData))*8, uint64(len(ciphertext))*8) - paddedGHASH(H, &hash, lens[:]) - - copy(out, hash[:]) - for i := range out { - out[i] ^= tagMask[i] - } -} - -func seal(out []byte, g *GCM, nonce, plaintext, data []byte) { - switch { - case useGCM: - sealKMA(out, g, nonce, plaintext, data) - case useGHASH: - sealAsm(out, g, nonce, plaintext, data) - default: - sealGeneric(out, g, nonce, plaintext, data) - } -} - -func sealAsm(out []byte, g *GCM, nonce, plaintext, additionalData []byte) { - var counter, tagMask [gcmBlockSize]byte - deriveCounter(&g.hashKey, &counter, nonce) - counterCrypt(g, tagMask[:], tagMask[:], &counter) - - counterCrypt(g, out, plaintext, &counter) - - var tag [gcmTagSize]byte - gcmAuth(tag[:], &g.hashKey, &tagMask, out[:len(plaintext)], additionalData) - copy(out[len(plaintext):], tag[:]) -} - -func open(out []byte, g *GCM, nonce, ciphertext, data []byte) error { - switch { - case useGCM: - return openKMA(out, g, nonce, ciphertext, data) - case useGHASH: - return openAsm(out, g, nonce, ciphertext, data) - default: - return openGeneric(out, g, nonce, ciphertext, data) - } -} - -func openAsm(out []byte, g *GCM, nonce, ciphertext, additionalData []byte) error { - var counter, tagMask [gcmBlockSize]byte - deriveCounter(&g.hashKey, &counter, nonce) - counterCrypt(g, tagMask[:], tagMask[:], &counter) - - tag := ciphertext[len(ciphertext)-g.tagSize:] - ciphertext = ciphertext[:len(ciphertext)-g.tagSize] - - var expectedTag [gcmTagSize]byte - gcmAuth(expectedTag[:], &g.hashKey, &tagMask, ciphertext, additionalData) - if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 { - return errOpen - } - - counterCrypt(g, out, ciphertext, &counter) - - return nil -} - -// flags for the KMA instruction -const ( - kmaHS = 1 << 10 // hash subkey supplied - kmaLAAD = 1 << 9 // last series of additional authenticated data - kmaLPC = 1 << 8 // last series of plaintext or ciphertext blocks - kmaDecrypt = 1 << 7 // decrypt -) - -// kmaGCM executes the encryption or decryption operation given by fn. The tag -// will be calculated and written to tag. cnt should contain the current -// counter state and will be overwritten with the updated counter state. -// TODO(mundaym): could pass in hash subkey -// -//go:noescape -func kmaGCM(fn int, key, dst, src, aad []byte, tag *[16]byte, cnt *[gcmBlockSize]byte) - -func sealKMA(out []byte, g *GCM, nonce, plaintext, data []byte) { - var counter [gcmBlockSize]byte - deriveCounter(&g.hashKey, &counter, nonce) - fc := aes.BlockFunction(&g.cipher) | kmaLAAD | kmaLPC - - var tag [gcmTagSize]byte - kmaGCM(fc, aes.BlockKey(&g.cipher), out[:len(plaintext)], plaintext, data, &tag, &counter) - copy(out[len(plaintext):], tag[:]) -} - -func openKMA(out []byte, g *GCM, nonce, ciphertext, data []byte) error { - tag := ciphertext[len(ciphertext)-g.tagSize:] - ciphertext = ciphertext[:len(ciphertext)-g.tagSize] - - var counter [gcmBlockSize]byte - deriveCounter(&g.hashKey, &counter, nonce) - fc := aes.BlockFunction(&g.cipher) | kmaLAAD | kmaLPC | kmaDecrypt - - var expectedTag [gcmTagSize]byte - kmaGCM(fc, aes.BlockKey(&g.cipher), out[:len(ciphertext)], ciphertext, data, &expectedTag, &counter) - - if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 { - return errOpen - } - - return nil -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_s390x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_s390x.s deleted file mode 100644 index 23a15dfcb0c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/gcm_s390x.s +++ /dev/null @@ -1,130 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func cryptBlocksGCM(fn code, key, dst, src, buf []byte, cnt *[16]byte) -TEXT ·cryptBlocksGCM(SB),NOSPLIT,$0-112 - MOVD src_len+64(FP), R0 - MOVD buf_base+80(FP), R1 - MOVD cnt+104(FP), R12 - LMG (R12), R2, R3 - - // Check that the src size is less than or equal to the buffer size. - MOVD buf_len+88(FP), R4 - CMP R0, R4 - BGT crash - - // Check that the src size is a multiple of 16-bytes. - MOVD R0, R4 - AND $0xf, R4 - BLT crash // non-zero - - // Check that the src size is less than or equal to the dst size. - MOVD dst_len+40(FP), R4 - CMP R0, R4 - BGT crash - - MOVD R2, R4 - MOVD R2, R6 - MOVD R2, R8 - MOVD R3, R5 - MOVD R3, R7 - MOVD R3, R9 - ADDW $1, R5 - ADDW $2, R7 - ADDW $3, R9 -incr: - CMP R0, $64 - BLT tail - STMG R2, R9, (R1) - ADDW $4, R3 - ADDW $4, R5 - ADDW $4, R7 - ADDW $4, R9 - MOVD $64(R1), R1 - SUB $64, R0 - BR incr -tail: - CMP R0, $0 - BEQ crypt - STMG R2, R3, (R1) - ADDW $1, R3 - MOVD $16(R1), R1 - SUB $16, R0 - BR tail -crypt: - STMG R2, R3, (R12) // update next counter value - MOVD fn+0(FP), R0 // function code (encryption) - MOVD key_base+8(FP), R1 // key - MOVD buf_base+80(FP), R2 // counter values - MOVD dst_base+32(FP), R4 // dst - MOVD src_base+56(FP), R6 // src - MOVD src_len+64(FP), R7 // len -loop: - KMCTR R4, R2, R6 // cipher message with counter (KMCTR) - BVS loop // branch back if interrupted - RET -crash: - MOVD $0, (R0) - RET - - -// func ghashAsm(key *gcmHashKey, hash *[16]byte, data []byte) -TEXT ·ghashAsm(SB),NOSPLIT,$32-40 - MOVD $65, R0 // GHASH function code - MOVD key+0(FP), R2 - LMG (R2), R6, R7 - MOVD hash+8(FP), R8 - LMG (R8), R4, R5 - MOVD $params-32(SP), R1 - STMG R4, R7, (R1) - LMG data+16(FP), R2, R3 // R2=base, R3=len -loop: - KIMD R0, R2 // compute intermediate message digest (KIMD) - BVS loop // branch back if interrupted - MVC $16, (R1), (R8) - MOVD $0, R0 - RET - -// func kmaGCM(fn int, key, dst, src, aad []byte, tag *[16]byte, cnt *[gcmBlockSize]byte) -TEXT ·kmaGCM(SB),NOSPLIT,$112-120 - MOVD fn+0(FP), R0 - MOVD $params-112(SP), R1 - - // load ptr/len pairs - LMG dst+32(FP), R2, R3 // R2=base R3=len - LMG src+56(FP), R4, R5 // R4=base R5=len - LMG aad+80(FP), R6, R7 // R6=base R7=len - - // setup parameters - MOVD cnt+112(FP), R8 - XC $12, (R1), (R1) // reserved - MVC $4, 12(R8), 12(R1) // set chain value - MVC $16, (R8), 64(R1) // set initial counter value - XC $32, 16(R1), 16(R1) // set hash subkey and tag - SLD $3, R7, R12 - MOVD R12, 48(R1) // set total AAD length - SLD $3, R5, R12 - MOVD R12, 56(R1) // set total plaintext/ciphertext length - - LMG key+8(FP), R8, R9 // R8=base R9=len - MVC $16, (R8), 80(R1) // set key - CMPBEQ R9, $16, kma - MVC $8, 16(R8), 96(R1) - CMPBEQ R9, $24, kma - MVC $8, 24(R8), 104(R1) - -kma: - KMA R2, R6, R4 // Cipher Message with Authentication - BVS kma - - MOVD tag+104(FP), R2 - MVC $16, 16(R1), 0(R2) // copy tag to output - MOVD cnt+112(FP), R8 - MVC $4, 12(R1), 12(R8) // update counter value - - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/ghash.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/ghash.go deleted file mode 100644 index fb60352246e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/ghash.go +++ /dev/null @@ -1,163 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package gcm - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140deps/byteorder" -) - -// gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM -// standard and make binary.BigEndian suitable for marshaling these values, the -// bits are stored in big endian order. For example: -// -// the coefficient of x⁰ can be obtained by v.low >> 63. -// the coefficient of x⁶³ can be obtained by v.low & 1. -// the coefficient of x⁶⁴ can be obtained by v.high >> 63. -// the coefficient of x¹²⁷ can be obtained by v.high & 1. -type gcmFieldElement struct { - low, high uint64 -} - -// GHASH is exposed to allow crypto/cipher to implement non-AES GCM modes. -// It is not allowed as a stand-alone operation in FIPS mode because it -// is not ACVP tested. -func GHASH(key *[16]byte, inputs ...[]byte) []byte { - fips140.RecordNonApproved() - var out [gcmBlockSize]byte - ghash(&out, key, inputs...) - return out[:] -} - -// ghash is a variable-time generic implementation of GHASH, which shouldn't -// be used on any architecture with hardware support for AES-GCM. -// -// Each input is zero-padded to 128-bit before being absorbed. -func ghash(out, H *[gcmBlockSize]byte, inputs ...[]byte) { - // productTable contains the first sixteen powers of the key, H. - // However, they are in bit reversed order. - var productTable [16]gcmFieldElement - - // We precompute 16 multiples of H. However, when we do lookups - // into this table we'll be using bits from a field element and - // therefore the bits will be in the reverse order. So normally one - // would expect, say, 4*H to be in index 4 of the table but due to - // this bit ordering it will actually be in index 0010 (base 2) = 2. - x := gcmFieldElement{ - byteorder.BEUint64(H[:8]), - byteorder.BEUint64(H[8:]), - } - productTable[reverseBits(1)] = x - - for i := 2; i < 16; i += 2 { - productTable[reverseBits(i)] = ghashDouble(&productTable[reverseBits(i/2)]) - productTable[reverseBits(i+1)] = ghashAdd(&productTable[reverseBits(i)], &x) - } - - var y gcmFieldElement - for _, input := range inputs { - ghashUpdate(&productTable, &y, input) - } - - byteorder.BEPutUint64(out[:], y.low) - byteorder.BEPutUint64(out[8:], y.high) -} - -// reverseBits reverses the order of the bits of 4-bit number in i. -func reverseBits(i int) int { - i = ((i << 2) & 0xc) | ((i >> 2) & 0x3) - i = ((i << 1) & 0xa) | ((i >> 1) & 0x5) - return i -} - -// ghashAdd adds two elements of GF(2¹²⁸) and returns the sum. -func ghashAdd(x, y *gcmFieldElement) gcmFieldElement { - // Addition in a characteristic 2 field is just XOR. - return gcmFieldElement{x.low ^ y.low, x.high ^ y.high} -} - -// ghashDouble returns the result of doubling an element of GF(2¹²⁸). -func ghashDouble(x *gcmFieldElement) (double gcmFieldElement) { - msbSet := x.high&1 == 1 - - // Because of the bit-ordering, doubling is actually a right shift. - double.high = x.high >> 1 - double.high |= x.low << 63 - double.low = x.low >> 1 - - // If the most-significant bit was set before shifting then it, - // conceptually, becomes a term of x^128. This is greater than the - // irreducible polynomial so the result has to be reduced. The - // irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to - // eliminate the term at x^128 which also means subtracting the other - // four terms. In characteristic 2 fields, subtraction == addition == - // XOR. - if msbSet { - double.low ^= 0xe100000000000000 - } - - return -} - -var ghashReductionTable = []uint16{ - 0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0, - 0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0, -} - -// ghashMul sets y to y*H, where H is the GCM key, fixed during New. -func ghashMul(productTable *[16]gcmFieldElement, y *gcmFieldElement) { - var z gcmFieldElement - - for i := 0; i < 2; i++ { - word := y.high - if i == 1 { - word = y.low - } - - // Multiplication works by multiplying z by 16 and adding in - // one of the precomputed multiples of H. - for j := 0; j < 64; j += 4 { - msw := z.high & 0xf - z.high >>= 4 - z.high |= z.low << 60 - z.low >>= 4 - z.low ^= uint64(ghashReductionTable[msw]) << 48 - - // the values in |table| are ordered for little-endian bit - // positions. See the comment in New. - t := productTable[word&0xf] - - z.low ^= t.low - z.high ^= t.high - word >>= 4 - } - } - - *y = z -} - -// updateBlocks extends y with more polynomial terms from blocks, based on -// Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks. -func updateBlocks(productTable *[16]gcmFieldElement, y *gcmFieldElement, blocks []byte) { - for len(blocks) > 0 { - y.low ^= byteorder.BEUint64(blocks) - y.high ^= byteorder.BEUint64(blocks[8:]) - ghashMul(productTable, y) - blocks = blocks[gcmBlockSize:] - } -} - -// ghashUpdate extends y with more polynomial terms from data. If data is not a -// multiple of gcmBlockSize bytes long then the remainder is zero padded. -func ghashUpdate(productTable *[16]gcmFieldElement, y *gcmFieldElement, data []byte) { - fullBlocks := (len(data) >> 4) << 4 - updateBlocks(productTable, y, data[:fullBlocks]) - - if len(data) != fullBlocks { - var partialBlock [gcmBlockSize]byte - copy(partialBlock[:], data[fullBlocks:]) - updateBlocks(productTable, y, partialBlock[:]) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/ya.make deleted file mode 100644 index c479fa7e7e5..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/gcm/ya.make +++ /dev/null @@ -1,43 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - cmac.go - ctrkdf.go - gcm.go - gcm_arm64.s - gcm_asm.go - gcm_generic.go - gcm_nonces.go - ghash.go - ) -ELSEIF (OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - cmac.go - ctrkdf.go - gcm.go - gcm_amd64.s - gcm_asm.go - gcm_generic.go - gcm_nonces.go - ghash.go - ) -ELSEIF (OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - cmac.go - ctrkdf.go - gcm.go - gcm_generic.go - gcm_noasm.go - gcm_nonces.go - ghash.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ya.make deleted file mode 100644 index be1c4a39c9b..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/aes/ya.make +++ /dev/null @@ -1,48 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - aes.go - aes_arm64.s - aes_asm.go - aes_generic.go - cast.go - cbc.go - cbc_noasm.go - const.go - ctr.go - ctr_arm64.s - ctr_asm.go - ) -ELSEIF (OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - aes.go - aes_amd64.s - aes_asm.go - aes_generic.go - cast.go - cbc.go - cbc_noasm.go - const.go - ctr.go - ctr_amd64.s - ctr_asm.go - ) -ELSEIF (OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - aes.go - aes_generic.go - aes_noasm.go - cast.go - cbc.go - cbc_noasm.go - const.go - ctr.go - ctr_noasm.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/alias/alias.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/alias/alias.go deleted file mode 100644 index daf3ebcc4dc..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/alias/alias.go +++ /dev/null @@ -1,30 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package alias implements memory aliasing tests. -// This code also exists as golang.org/x/crypto/internal/alias. -package alias - -import "unsafe" - -// AnyOverlap reports whether x and y share memory at any (not necessarily -// corresponding) index. The memory beyond the slice length is ignored. -func AnyOverlap(x, y []byte) bool { - return len(x) > 0 && len(y) > 0 && - uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) && - uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1])) -} - -// InexactOverlap reports whether x and y share memory at any non-corresponding -// index. The memory beyond the slice length is ignored. Note that x and y can -// have different lengths and still not have any inexact overlap. -// -// InexactOverlap can be used to implement the requirements of the crypto/cipher -// AEAD, Block, BlockMode and Stream interfaces. -func InexactOverlap(x, y []byte) bool { - if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] { - return false - } - return AnyOverlap(x, y) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/alias/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/alias/ya.make deleted file mode 100644 index bb467bd50e0..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/alias/ya.make +++ /dev/null @@ -1,12 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - alias.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/asan.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/asan.go deleted file mode 100644 index af8f24df811..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/asan.go +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build asan - -package fips140 - -const asanEnabled = true diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/_asm/go.mod b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/_asm/go.mod deleted file mode 100644 index 3c1ae18929b..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/_asm/go.mod +++ /dev/null @@ -1,10 +0,0 @@ -module crypto/internal/fips140/bigmod/_asm - -go 1.25 - -require github.com/mmcloughlin/avo v0.6.0 - -require ( - golang.org/x/mod v0.14.0 // indirect - golang.org/x/tools v0.16.1 // indirect -) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/_asm/go.sum b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/_asm/go.sum deleted file mode 100644 index 483bba88396..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/_asm/go.sum +++ /dev/null @@ -1,8 +0,0 @@ -github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY= -github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= -golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= -golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/_asm/nat_amd64_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/_asm/nat_amd64_asm.go deleted file mode 100644 index 548216dc482..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/_asm/nat_amd64_asm.go +++ /dev/null @@ -1,113 +0,0 @@ -// Copyright 2023 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package main - -import ( - "strconv" - - . "github.com/mmcloughlin/avo/build" - . "github.com/mmcloughlin/avo/operand" - . "github.com/mmcloughlin/avo/reg" -) - -//go:generate go run . -out ../nat_amd64.s -pkg bigmod - -func main() { - Package("crypto/internal/fips140/bigmod") - ConstraintExpr("!purego") - - addMulVVW(1024) - addMulVVW(1536) - addMulVVW(2048) - - Generate() -} - -func addMulVVW(bits int) { - if bits%64 != 0 { - panic("bit size unsupported") - } - - Implement("addMulVVW" + strconv.Itoa(bits)) - - CMPB(Mem{Symbol: Symbol{Name: "·supportADX"}, Base: StaticBase}, Imm(1)) - JEQ(LabelRef("adx")) - - z := Mem{Base: Load(Param("z"), GP64())} - x := Mem{Base: Load(Param("x"), GP64())} - y := Load(Param("y"), GP64()) - - carry := GP64() - XORQ(carry, carry) // zero out carry - - for i := 0; i < bits/64; i++ { - Comment("Iteration " + strconv.Itoa(i)) - hi, lo := RDX, RAX // implicit MULQ inputs and outputs - MOVQ(x.Offset(i*8), lo) - MULQ(y) - ADDQ(z.Offset(i*8), lo) - ADCQ(Imm(0), hi) - ADDQ(carry, lo) - ADCQ(Imm(0), hi) - MOVQ(hi, carry) - MOVQ(lo, z.Offset(i*8)) - } - - Store(carry, ReturnIndex(0)) - RET() - - Label("adx") - - // The ADX strategy implements the following function, where c1 and c2 are - // the overflow and the carry flag respectively. - // - // func addMulVVW(z, x []uint, y uint) (carry uint) { - // var c1, c2 uint - // for i := range z { - // hi, lo := bits.Mul(x[i], y) - // lo, c1 = bits.Add(lo, z[i], c1) - // z[i], c2 = bits.Add(lo, carry, c2) - // carry = hi - // } - // return carry + c1 + c2 - // } - // - // The loop is fully unrolled and the hi / carry registers are alternated - // instead of introducing a MOV. - - z = Mem{Base: Load(Param("z"), GP64())} - x = Mem{Base: Load(Param("x"), GP64())} - Load(Param("y"), RDX) // implicit source of MULXQ - - carry = GP64() - XORQ(carry, carry) // zero out carry - z0 := GP64() - XORQ(z0, z0) // unset flags and zero out z0 - - for i := 0; i < bits/64; i++ { - hi, lo := GP64(), GP64() - - Comment("Iteration " + strconv.Itoa(i)) - MULXQ(x.Offset(i*8), lo, hi) - ADCXQ(carry, lo) - ADOXQ(z.Offset(i*8), lo) - MOVQ(lo, z.Offset(i*8)) - - i++ - - Comment("Iteration " + strconv.Itoa(i)) - MULXQ(x.Offset(i*8), lo, carry) - ADCXQ(hi, lo) - ADOXQ(z.Offset(i*8), lo) - MOVQ(lo, z.Offset(i*8)) - } - - Comment("Add back carry flags and return") - ADCXQ(z0, carry) - ADOXQ(z0, carry) - - Store(carry, ReturnIndex(0)) - RET() -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat.go deleted file mode 100644 index 7b690178b9e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat.go +++ /dev/null @@ -1,1229 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package bigmod - -import ( - _ "crypto/internal/fips140/check" - "crypto/internal/fips140deps/byteorder" - "errors" - "math/bits" -) - -const ( - // _W is the size in bits of our limbs. - _W = bits.UintSize - // _S is the size in bytes of our limbs. - _S = _W / 8 -) - -// Note: These functions make many loops over all the words in a Nat. -// These loops used to be in assembly, invisible to -race, -asan, and -msan, -// but now they are in Go and incur significant overhead in those modes. -// To bring the old performance back, we mark all functions that loop -// over Nat words with //go:norace. Because //go:norace does not -// propagate across inlining, we must also mark functions that inline -// //go:norace functions - specifically, those that inline add, addMulVVW, -// assign, cmpGeq, rshift1, and sub. - -// choice represents a constant-time boolean. The value of choice is always -// either 1 or 0. We use an int instead of bool in order to make decisions in -// constant time by turning it into a mask. -type choice uint - -func not(c choice) choice { return 1 ^ c } - -const yes = choice(1) -const no = choice(0) - -// ctMask is all 1s if on is yes, and all 0s otherwise. -func ctMask(on choice) uint { return -uint(on) } - -// ctEq returns 1 if x == y, and 0 otherwise. The execution time of this -// function does not depend on its inputs. -func ctEq(x, y uint) choice { - // If x != y, then either x - y or y - x will generate a carry. - _, c1 := bits.Sub(x, y, 0) - _, c2 := bits.Sub(y, x, 0) - return not(choice(c1 | c2)) -} - -// Nat represents an arbitrary natural number -// -// Each Nat has an announced length, which is the number of limbs it has stored. -// Operations on this number are allowed to leak this length, but will not leak -// any information about the values contained in those limbs. -type Nat struct { - // limbs is little-endian in base 2^W with W = bits.UintSize. - limbs []uint -} - -// preallocTarget is the size in bits of the numbers used to implement the most -// common and most performant RSA key size. It's also enough to cover some of -// the operations of key sizes up to 4096. -const preallocTarget = 2048 -const preallocLimbs = (preallocTarget + _W - 1) / _W - -// NewNat returns a new nat with a size of zero, just like new(Nat), but with -// the preallocated capacity to hold a number of up to preallocTarget bits. -// NewNat inlines, so the allocation can live on the stack. -func NewNat() *Nat { - limbs := make([]uint, 0, preallocLimbs) - return &Nat{limbs} -} - -// expand expands x to n limbs, leaving its value unchanged. -func (x *Nat) expand(n int) *Nat { - if len(x.limbs) > n { - panic("bigmod: internal error: shrinking nat") - } - if cap(x.limbs) < n { - newLimbs := make([]uint, n) - copy(newLimbs, x.limbs) - x.limbs = newLimbs - return x - } - extraLimbs := x.limbs[len(x.limbs):n] - clear(extraLimbs) - x.limbs = x.limbs[:n] - return x -} - -// reset returns a zero nat of n limbs, reusing x's storage if n <= cap(x.limbs). -func (x *Nat) reset(n int) *Nat { - if cap(x.limbs) < n { - x.limbs = make([]uint, n) - return x - } - // Clear both the returned limbs and the previously used ones. - clear(x.limbs[:max(n, len(x.limbs))]) - x.limbs = x.limbs[:n] - return x -} - -// resetToBytes assigns x = b, where b is a slice of big-endian bytes, resizing -// n to the appropriate size. -// -// The announced length of x is set based on the actual bit size of the input, -// ignoring leading zeroes. -func (x *Nat) resetToBytes(b []byte) *Nat { - x.reset((len(b) + _S - 1) / _S) - if err := x.setBytes(b); err != nil { - panic("bigmod: internal error: bad arithmetic") - } - return x.trim() -} - -// trim reduces the size of x to match its value. -func (x *Nat) trim() *Nat { - // Trim most significant (trailing in little-endian) zero limbs. - // We assume comparison with zero (but not the branch) is constant time. - for i := len(x.limbs) - 1; i >= 0; i-- { - if x.limbs[i] != 0 { - break - } - x.limbs = x.limbs[:i] - } - return x -} - -// set assigns x = y, optionally resizing x to the appropriate size. -func (x *Nat) set(y *Nat) *Nat { - x.reset(len(y.limbs)) - copy(x.limbs, y.limbs) - return x -} - -// Bits returns x as a little-endian slice of uint. The length of the slice -// matches the announced length of x. The result and x share the same underlying -// array. -func (x *Nat) Bits() []uint { - return x.limbs -} - -// Bytes returns x as a zero-extended big-endian byte slice. The size of the -// slice will match the size of m. -// -// x must have the same size as m and it must be less than or equal to m. -func (x *Nat) Bytes(m *Modulus) []byte { - i := m.Size() - bytes := make([]byte, i) - for _, limb := range x.limbs { - for j := 0; j < _S; j++ { - i-- - if i < 0 { - if limb == 0 { - break - } - panic("bigmod: modulus is smaller than nat") - } - bytes[i] = byte(limb) - limb >>= 8 - } - } - return bytes -} - -// SetBytes assigns x = b, where b is a slice of big-endian bytes. -// SetBytes returns an error if b >= m. -// -// The output will be resized to the size of m and overwritten. -// -//go:norace -func (x *Nat) SetBytes(b []byte, m *Modulus) (*Nat, error) { - x.resetFor(m) - if err := x.setBytes(b); err != nil { - return nil, err - } - if x.cmpGeq(m.nat) == yes { - return nil, errors.New("input overflows the modulus") - } - return x, nil -} - -// SetOverflowingBytes assigns x = b, where b is a slice of big-endian bytes. -// SetOverflowingBytes returns an error if b has a longer bit length than m, but -// reduces overflowing values up to 2^⌈log2(m)⌉ - 1. -// -// The output will be resized to the size of m and overwritten. -func (x *Nat) SetOverflowingBytes(b []byte, m *Modulus) (*Nat, error) { - x.resetFor(m) - if err := x.setBytes(b); err != nil { - return nil, err - } - // setBytes would have returned an error if the input overflowed the limb - // size of the modulus, so now we only need to check if the most significant - // limb of x has more bits than the most significant limb of the modulus. - if bitLen(x.limbs[len(x.limbs)-1]) > bitLen(m.nat.limbs[len(m.nat.limbs)-1]) { - return nil, errors.New("input overflows the modulus size") - } - x.maybeSubtractModulus(no, m) - return x, nil -} - -// bigEndianUint returns the contents of buf interpreted as a -// big-endian encoded uint value. -func bigEndianUint(buf []byte) uint { - if _W == 64 { - return uint(byteorder.BEUint64(buf)) - } - return uint(byteorder.BEUint32(buf)) -} - -func (x *Nat) setBytes(b []byte) error { - i, k := len(b), 0 - for k < len(x.limbs) && i >= _S { - x.limbs[k] = bigEndianUint(b[i-_S : i]) - i -= _S - k++ - } - for s := 0; s < _W && k < len(x.limbs) && i > 0; s += 8 { - x.limbs[k] |= uint(b[i-1]) << s - i-- - } - if i > 0 { - return errors.New("input overflows the modulus size") - } - return nil -} - -// SetUint assigns x = y. -// -// The output will be resized to a single limb and overwritten. -func (x *Nat) SetUint(y uint) *Nat { - x.reset(1) - x.limbs[0] = y - return x -} - -// Equal returns 1 if x == y, and 0 otherwise. -// -// Both operands must have the same announced length. -// -//go:norace -func (x *Nat) Equal(y *Nat) choice { - // Eliminate bounds checks in the loop. - size := len(x.limbs) - xLimbs := x.limbs[:size] - yLimbs := y.limbs[:size] - - equal := yes - for i := 0; i < size; i++ { - equal &= ctEq(xLimbs[i], yLimbs[i]) - } - return equal -} - -// IsZero returns 1 if x == 0, and 0 otherwise. -// -//go:norace -func (x *Nat) IsZero() choice { - // Eliminate bounds checks in the loop. - size := len(x.limbs) - xLimbs := x.limbs[:size] - - zero := yes - for i := 0; i < size; i++ { - zero &= ctEq(xLimbs[i], 0) - } - return zero -} - -// IsOne returns 1 if x == 1, and 0 otherwise. -// -//go:norace -func (x *Nat) IsOne() choice { - // Eliminate bounds checks in the loop. - size := len(x.limbs) - xLimbs := x.limbs[:size] - - if len(xLimbs) == 0 { - return no - } - - one := ctEq(xLimbs[0], 1) - for i := 1; i < size; i++ { - one &= ctEq(xLimbs[i], 0) - } - return one -} - -// IsMinusOne returns 1 if x == -1 mod m, and 0 otherwise. -// -// The length of x must be the same as the modulus. x must already be reduced -// modulo m. -// -//go:norace -func (x *Nat) IsMinusOne(m *Modulus) choice { - minusOne := m.Nat() - minusOne.SubOne(m) - return x.Equal(minusOne) -} - -// IsOdd returns 1 if x is odd, and 0 otherwise. -func (x *Nat) IsOdd() choice { - if len(x.limbs) == 0 { - return no - } - return choice(x.limbs[0] & 1) -} - -// TrailingZeroBitsVarTime returns the number of trailing zero bits in x. -func (x *Nat) TrailingZeroBitsVarTime() uint { - var t uint - limbs := x.limbs - for _, l := range limbs { - if l == 0 { - t += _W - continue - } - t += uint(bits.TrailingZeros(l)) - break - } - return t -} - -// cmpGeq returns 1 if x >= y, and 0 otherwise. -// -// Both operands must have the same announced length. -// -//go:norace -func (x *Nat) cmpGeq(y *Nat) choice { - // Eliminate bounds checks in the loop. - size := len(x.limbs) - xLimbs := x.limbs[:size] - yLimbs := y.limbs[:size] - - var c uint - for i := 0; i < size; i++ { - _, c = bits.Sub(xLimbs[i], yLimbs[i], c) - } - // If there was a carry, then subtracting y underflowed, so - // x is not greater than or equal to y. - return not(choice(c)) -} - -// assign sets x <- y if on == 1, and does nothing otherwise. -// -// Both operands must have the same announced length. -// -//go:norace -func (x *Nat) assign(on choice, y *Nat) *Nat { - // Eliminate bounds checks in the loop. - size := len(x.limbs) - xLimbs := x.limbs[:size] - yLimbs := y.limbs[:size] - - mask := ctMask(on) - for i := 0; i < size; i++ { - xLimbs[i] ^= mask & (xLimbs[i] ^ yLimbs[i]) - } - return x -} - -// add computes x += y and returns the carry. -// -// Both operands must have the same announced length. -// -//go:norace -func (x *Nat) add(y *Nat) (c uint) { - // Eliminate bounds checks in the loop. - size := len(x.limbs) - xLimbs := x.limbs[:size] - yLimbs := y.limbs[:size] - - for i := 0; i < size; i++ { - xLimbs[i], c = bits.Add(xLimbs[i], yLimbs[i], c) - } - return -} - -// sub computes x -= y. It returns the borrow of the subtraction. -// -// Both operands must have the same announced length. -// -//go:norace -func (x *Nat) sub(y *Nat) (c uint) { - // Eliminate bounds checks in the loop. - size := len(x.limbs) - xLimbs := x.limbs[:size] - yLimbs := y.limbs[:size] - - for i := 0; i < size; i++ { - xLimbs[i], c = bits.Sub(xLimbs[i], yLimbs[i], c) - } - return -} - -// ShiftRightVarTime sets x = x >> n. -// -// The announced length of x is unchanged. -// -//go:norace -func (x *Nat) ShiftRightVarTime(n uint) *Nat { - // Eliminate bounds checks in the loop. - size := len(x.limbs) - xLimbs := x.limbs[:size] - - shift := int(n % _W) - shiftLimbs := int(n / _W) - - var shiftedLimbs []uint - if shiftLimbs < size { - shiftedLimbs = xLimbs[shiftLimbs:] - } - - for i := range xLimbs { - if i >= len(shiftedLimbs) { - xLimbs[i] = 0 - continue - } - - xLimbs[i] = shiftedLimbs[i] >> shift - if i+1 < len(shiftedLimbs) { - xLimbs[i] |= shiftedLimbs[i+1] << (_W - shift) - } - } - - return x -} - -// BitLenVarTime returns the actual size of x in bits. -// -// The actual size of x (but nothing more) leaks through timing side-channels. -// Note that this is ordinarily secret, as opposed to the announced size of x. -func (x *Nat) BitLenVarTime() int { - // Eliminate bounds checks in the loop. - size := len(x.limbs) - xLimbs := x.limbs[:size] - - for i := size - 1; i >= 0; i-- { - if xLimbs[i] != 0 { - return i*_W + bitLen(xLimbs[i]) - } - } - return 0 -} - -// bitLen is a version of bits.Len that only leaks the bit length of n, but not -// its value. bits.Len and bits.LeadingZeros use a lookup table for the -// low-order bits on some architectures. -func bitLen(n uint) int { - len := 0 - // We assume, here and elsewhere, that comparison to zero is constant time - // with respect to different non-zero values. - for n != 0 { - len++ - n >>= 1 - } - return len -} - -// Modulus is used for modular arithmetic, precomputing relevant constants. -// -// A Modulus can leak the exact number of bits needed to store its value -// and is stored without padding. Its actual value is still kept secret. -type Modulus struct { - // The underlying natural number for this modulus. - // - // This will be stored without any padding, and shouldn't alias with any - // other natural number being used. - nat *Nat - - // If m is even, the following fields are not set. - odd bool - m0inv uint // -nat.limbs[0]⁻¹ mod _W - rr *Nat // R*R for montgomeryRepresentation -} - -// rr returns R*R with R = 2^(_W * n) and n = len(m.nat.limbs). -func rr(m *Modulus) *Nat { - rr := NewNat().ExpandFor(m) - n := uint(len(rr.limbs)) - mLen := uint(m.BitLen()) - logR := _W * n - - // We start by computing R = 2^(_W * n) mod m. We can get pretty close, to - // 2^⌊log₂m⌋, by setting the highest bit we can without having to reduce. - rr.limbs[n-1] = 1 << ((mLen - 1) % _W) - // Then we double until we reach 2^(_W * n). - for i := mLen - 1; i < logR; i++ { - rr.Add(rr, m) - } - - // Next we need to get from R to 2^(_W * n) R mod m (aka from one to R in - // the Montgomery domain, meaning we can use Montgomery multiplication now). - // We could do that by doubling _W * n times, or with a square-and-double - // chain log2(_W * n) long. Turns out the fastest thing is to start out with - // doublings, and switch to square-and-double once the exponent is large - // enough to justify the cost of the multiplications. - - // The threshold is selected experimentally as a linear function of n. - threshold := n / 4 - - // We calculate how many of the most-significant bits of the exponent we can - // compute before crossing the threshold, and we do it with doublings. - i := bits.UintSize - for logR>>i <= threshold { - i-- - } - for k := uint(0); k < logR>>i; k++ { - rr.Add(rr, m) - } - - // Then we process the remaining bits of the exponent with a - // square-and-double chain. - for i > 0 { - rr.montgomeryMul(rr, rr, m) - i-- - if logR>>i&1 != 0 { - rr.Add(rr, m) - } - } - - return rr -} - -// minusInverseModW computes -x⁻¹ mod _W with x odd. -// -// This operation is used to precompute a constant involved in Montgomery -// multiplication. -func minusInverseModW(x uint) uint { - // Every iteration of this loop doubles the least-significant bits of - // correct inverse in y. The first three bits are already correct (1⁻¹ = 1, - // 3⁻¹ = 3, 5⁻¹ = 5, and 7⁻¹ = 7 mod 8), so doubling five times is enough - // for 64 bits (and wastes only one iteration for 32 bits). - // - // See https://crypto.stackexchange.com/a/47496. - y := x - for i := 0; i < 5; i++ { - y = y * (2 - x*y) - } - return -y -} - -// NewModulus creates a new Modulus from a slice of big-endian bytes. The -// modulus must be greater than one. -// -// The number of significant bits and whether the modulus is even is leaked -// through timing side-channels. -func NewModulus(b []byte) (*Modulus, error) { - n := NewNat().resetToBytes(b) - return newModulus(n) -} - -// NewModulusProduct creates a new Modulus from the product of two numbers -// represented as big-endian byte slices. The result must be greater than one. -// -//go:norace -func NewModulusProduct(a, b []byte) (*Modulus, error) { - x := NewNat().resetToBytes(a) - y := NewNat().resetToBytes(b) - n := NewNat().reset(len(x.limbs) + len(y.limbs)) - for i := range y.limbs { - n.limbs[i+len(x.limbs)] = addMulVVW(n.limbs[i:i+len(x.limbs)], x.limbs, y.limbs[i]) - } - return newModulus(n.trim()) -} - -func newModulus(n *Nat) (*Modulus, error) { - m := &Modulus{nat: n} - if m.nat.IsZero() == yes || m.nat.IsOne() == yes { - return nil, errors.New("modulus must be > 1") - } - if m.nat.IsOdd() == 1 { - m.odd = true - m.m0inv = minusInverseModW(m.nat.limbs[0]) - m.rr = rr(m) - } - return m, nil -} - -// Size returns the size of m in bytes. -func (m *Modulus) Size() int { - return (m.BitLen() + 7) / 8 -} - -// BitLen returns the size of m in bits. -func (m *Modulus) BitLen() int { - return m.nat.BitLenVarTime() -} - -// Nat returns m as a Nat. -func (m *Modulus) Nat() *Nat { - // Make a copy so that the caller can't modify m.nat or alias it with - // another Nat in a modulus operation. - n := NewNat() - n.set(m.nat) - return n -} - -// shiftIn calculates x = x << _W + y mod m. -// -// This assumes that x is already reduced mod m. -// -//go:norace -func (x *Nat) shiftIn(y uint, m *Modulus) *Nat { - d := NewNat().resetFor(m) - - // Eliminate bounds checks in the loop. - size := len(m.nat.limbs) - xLimbs := x.limbs[:size] - dLimbs := d.limbs[:size] - mLimbs := m.nat.limbs[:size] - - // Each iteration of this loop computes x = 2x + b mod m, where b is a bit - // from y. Effectively, it left-shifts x and adds y one bit at a time, - // reducing it every time. - // - // To do the reduction, each iteration computes both 2x + b and 2x + b - m. - // The next iteration (and finally the return line) will use either result - // based on whether 2x + b overflows m. - needSubtraction := no - for i := _W - 1; i >= 0; i-- { - carry := (y >> i) & 1 - var borrow uint - mask := ctMask(needSubtraction) - for i := 0; i < size; i++ { - l := xLimbs[i] ^ (mask & (xLimbs[i] ^ dLimbs[i])) - xLimbs[i], carry = bits.Add(l, l, carry) - dLimbs[i], borrow = bits.Sub(xLimbs[i], mLimbs[i], borrow) - } - // Like in maybeSubtractModulus, we need the subtraction if either it - // didn't underflow (meaning 2x + b > m) or if computing 2x + b - // overflowed (meaning 2x + b > 2^_W*n > m). - needSubtraction = not(choice(borrow)) | choice(carry) - } - return x.assign(needSubtraction, d) -} - -// Mod calculates out = x mod m. -// -// This works regardless how large the value of x is. -// -// The output will be resized to the size of m and overwritten. -// -//go:norace -func (out *Nat) Mod(x *Nat, m *Modulus) *Nat { - out.resetFor(m) - // Working our way from the most significant to the least significant limb, - // we can insert each limb at the least significant position, shifting all - // previous limbs left by _W. This way each limb will get shifted by the - // correct number of bits. We can insert at least N - 1 limbs without - // overflowing m. After that, we need to reduce every time we shift. - i := len(x.limbs) - 1 - // For the first N - 1 limbs we can skip the actual shifting and position - // them at the shifted position, which starts at min(N - 2, i). - start := len(m.nat.limbs) - 2 - if i < start { - start = i - } - for j := start; j >= 0; j-- { - out.limbs[j] = x.limbs[i] - i-- - } - // We shift in the remaining limbs, reducing modulo m each time. - for i >= 0 { - out.shiftIn(x.limbs[i], m) - i-- - } - return out -} - -// ExpandFor ensures x has the right size to work with operations modulo m. -// -// The announced size of x must be smaller than or equal to that of m. -func (x *Nat) ExpandFor(m *Modulus) *Nat { - return x.expand(len(m.nat.limbs)) -} - -// resetFor ensures out has the right size to work with operations modulo m. -// -// out is zeroed and may start at any size. -func (out *Nat) resetFor(m *Modulus) *Nat { - return out.reset(len(m.nat.limbs)) -} - -// maybeSubtractModulus computes x -= m if and only if x >= m or if "always" is yes. -// -// It can be used to reduce modulo m a value up to 2m - 1, which is a common -// range for results computed by higher level operations. -// -// always is usually a carry that indicates that the operation that produced x -// overflowed its size, meaning abstractly x > 2^_W*n > m even if x < m. -// -// x and m operands must have the same announced length. -// -//go:norace -func (x *Nat) maybeSubtractModulus(always choice, m *Modulus) { - t := NewNat().set(x) - underflow := t.sub(m.nat) - // We keep the result if x - m didn't underflow (meaning x >= m) - // or if always was set. - keep := not(choice(underflow)) | choice(always) - x.assign(keep, t) -} - -// Sub computes x = x - y mod m. -// -// The length of both operands must be the same as the modulus. Both operands -// must already be reduced modulo m. -// -//go:norace -func (x *Nat) Sub(y *Nat, m *Modulus) *Nat { - underflow := x.sub(y) - // If the subtraction underflowed, add m. - t := NewNat().set(x) - t.add(m.nat) - x.assign(choice(underflow), t) - return x -} - -// SubOne computes x = x - 1 mod m. -// -// The length of x must be the same as the modulus. -func (x *Nat) SubOne(m *Modulus) *Nat { - one := NewNat().ExpandFor(m) - one.limbs[0] = 1 - // Sub asks for x to be reduced modulo m, while SubOne doesn't, but when - // y = 1, it works, and this is an internal use. - return x.Sub(one, m) -} - -// Add computes x = x + y mod m. -// -// The length of both operands must be the same as the modulus. Both operands -// must already be reduced modulo m. -// -//go:norace -func (x *Nat) Add(y *Nat, m *Modulus) *Nat { - overflow := x.add(y) - x.maybeSubtractModulus(choice(overflow), m) - return x -} - -// montgomeryRepresentation calculates x = x * R mod m, with R = 2^(_W * n) and -// n = len(m.nat.limbs). -// -// Faster Montgomery multiplication replaces standard modular multiplication for -// numbers in this representation. -// -// This assumes that x is already reduced mod m. -func (x *Nat) montgomeryRepresentation(m *Modulus) *Nat { - // A Montgomery multiplication (which computes a * b / R) by R * R works out - // to a multiplication by R, which takes the value out of the Montgomery domain. - return x.montgomeryMul(x, m.rr, m) -} - -// montgomeryReduction calculates x = x / R mod m, with R = 2^(_W * n) and -// n = len(m.nat.limbs). -// -// This assumes that x is already reduced mod m. -func (x *Nat) montgomeryReduction(m *Modulus) *Nat { - // By Montgomery multiplying with 1 not in Montgomery representation, we - // convert out back from Montgomery representation, because it works out to - // dividing by R. - one := NewNat().ExpandFor(m) - one.limbs[0] = 1 - return x.montgomeryMul(x, one, m) -} - -// montgomeryMul calculates x = a * b / R mod m, with R = 2^(_W * n) and -// n = len(m.nat.limbs), also known as a Montgomery multiplication. -// -// All inputs should be the same length and already reduced modulo m. -// x will be resized to the size of m and overwritten. -// -//go:norace -func (x *Nat) montgomeryMul(a *Nat, b *Nat, m *Modulus) *Nat { - n := len(m.nat.limbs) - mLimbs := m.nat.limbs[:n] - aLimbs := a.limbs[:n] - bLimbs := b.limbs[:n] - - switch n { - default: - // Attempt to use a stack-allocated backing array. - T := make([]uint, 0, preallocLimbs*2) - if cap(T) < n*2 { - T = make([]uint, 0, n*2) - } - T = T[:n*2] - - // This loop implements Word-by-Word Montgomery Multiplication, as - // described in Algorithm 4 (Fig. 3) of "Efficient Software - // Implementations of Modular Exponentiation" by Shay Gueron - // [https://eprint.iacr.org/2011/239.pdf]. - var c uint - for i := 0; i < n; i++ { - _ = T[n+i] // bounds check elimination hint - - // Step 1 (T = a × b) is computed as a large pen-and-paper column - // multiplication of two numbers with n base-2^_W digits. If we just - // wanted to produce 2n-wide T, we would do - // - // for i := 0; i < n; i++ { - // d := bLimbs[i] - // T[n+i] = addMulVVW(T[i:n+i], aLimbs, d) - // } - // - // where d is a digit of the multiplier, T[i:n+i] is the shifted - // position of the product of that digit, and T[n+i] is the final carry. - // Note that T[i] isn't modified after processing the i-th digit. - // - // Instead of running two loops, one for Step 1 and one for Steps 2–6, - // the result of Step 1 is computed during the next loop. This is - // possible because each iteration only uses T[i] in Step 2 and then - // discards it in Step 6. - d := bLimbs[i] - c1 := addMulVVW(T[i:n+i], aLimbs, d) - - // Step 6 is replaced by shifting the virtual window we operate - // over: T of the algorithm is T[i:] for us. That means that T1 in - // Step 2 (T mod 2^_W) is simply T[i]. k0 in Step 3 is our m0inv. - Y := T[i] * m.m0inv - - // Step 4 and 5 add Y × m to T, which as mentioned above is stored - // at T[i:]. The two carries (from a × d and Y × m) are added up in - // the next word T[n+i], and the carry bit from that addition is - // brought forward to the next iteration. - c2 := addMulVVW(T[i:n+i], mLimbs, Y) - T[n+i], c = bits.Add(c1, c2, c) - } - - // Finally for Step 7 we copy the final T window into x, and subtract m - // if necessary (which as explained in maybeSubtractModulus can be the - // case both if x >= m, or if x overflowed). - // - // The paper suggests in Section 4 that we can do an "Almost Montgomery - // Multiplication" by subtracting only in the overflow case, but the - // cost is very similar since the constant time subtraction tells us if - // x >= m as a side effect, and taking care of the broken invariant is - // highly undesirable (see https://go.dev/issue/13907). - copy(x.reset(n).limbs, T[n:]) - x.maybeSubtractModulus(choice(c), m) - - // The following specialized cases follow the exact same algorithm, but - // optimized for the sizes most used in RSA. addMulVVW is implemented in - // assembly with loop unrolling depending on the architecture and bounds - // checks are removed by the compiler thanks to the constant size. - case 1024 / _W: - const n = 1024 / _W // compiler hint - T := make([]uint, n*2) - var c uint - for i := 0; i < n; i++ { - d := bLimbs[i] - c1 := addMulVVW1024(&T[i], &aLimbs[0], d) - Y := T[i] * m.m0inv - c2 := addMulVVW1024(&T[i], &mLimbs[0], Y) - T[n+i], c = bits.Add(c1, c2, c) - } - copy(x.reset(n).limbs, T[n:]) - x.maybeSubtractModulus(choice(c), m) - - case 1536 / _W: - const n = 1536 / _W // compiler hint - T := make([]uint, n*2) - var c uint - for i := 0; i < n; i++ { - d := bLimbs[i] - c1 := addMulVVW1536(&T[i], &aLimbs[0], d) - Y := T[i] * m.m0inv - c2 := addMulVVW1536(&T[i], &mLimbs[0], Y) - T[n+i], c = bits.Add(c1, c2, c) - } - copy(x.reset(n).limbs, T[n:]) - x.maybeSubtractModulus(choice(c), m) - - case 2048 / _W: - const n = 2048 / _W // compiler hint - T := make([]uint, n*2) - var c uint - for i := 0; i < n; i++ { - d := bLimbs[i] - c1 := addMulVVW2048(&T[i], &aLimbs[0], d) - Y := T[i] * m.m0inv - c2 := addMulVVW2048(&T[i], &mLimbs[0], Y) - T[n+i], c = bits.Add(c1, c2, c) - } - copy(x.reset(n).limbs, T[n:]) - x.maybeSubtractModulus(choice(c), m) - } - - return x -} - -// addMulVVW multiplies the multi-word value x by the single-word value y, -// adding the result to the multi-word value z and returning the final carry. -// It can be thought of as one row of a pen-and-paper column multiplication. -// -//go:norace -func addMulVVW(z, x []uint, y uint) (carry uint) { - _ = x[len(z)-1] // bounds check elimination hint - for i := range z { - hi, lo := bits.Mul(x[i], y) - lo, c := bits.Add(lo, z[i], 0) - // We use bits.Add with zero to get an add-with-carry instruction that - // absorbs the carry from the previous bits.Add. - hi, _ = bits.Add(hi, 0, c) - lo, c = bits.Add(lo, carry, 0) - hi, _ = bits.Add(hi, 0, c) - carry = hi - z[i] = lo - } - return carry -} - -// Mul calculates x = x * y mod m. -// -// The length of both operands must be the same as the modulus. Both operands -// must already be reduced modulo m. -// -//go:norace -func (x *Nat) Mul(y *Nat, m *Modulus) *Nat { - if m.odd { - // A Montgomery multiplication by a value out of the Montgomery domain - // takes the result out of Montgomery representation. - xR := NewNat().set(x).montgomeryRepresentation(m) // xR = x * R mod m - return x.montgomeryMul(xR, y, m) // x = xR * y / R mod m - } - - n := len(m.nat.limbs) - xLimbs := x.limbs[:n] - yLimbs := y.limbs[:n] - - switch n { - default: - // Attempt to use a stack-allocated backing array. - T := make([]uint, 0, preallocLimbs*2) - if cap(T) < n*2 { - T = make([]uint, 0, n*2) - } - T = T[:n*2] - - // T = x * y - for i := 0; i < n; i++ { - T[n+i] = addMulVVW(T[i:n+i], xLimbs, yLimbs[i]) - } - - // x = T mod m - return x.Mod(&Nat{limbs: T}, m) - - // The following specialized cases follow the exact same algorithm, but - // optimized for the sizes most used in RSA. See montgomeryMul for details. - case 1024 / _W: - const n = 1024 / _W // compiler hint - T := make([]uint, n*2) - for i := 0; i < n; i++ { - T[n+i] = addMulVVW1024(&T[i], &xLimbs[0], yLimbs[i]) - } - return x.Mod(&Nat{limbs: T}, m) - case 1536 / _W: - const n = 1536 / _W // compiler hint - T := make([]uint, n*2) - for i := 0; i < n; i++ { - T[n+i] = addMulVVW1536(&T[i], &xLimbs[0], yLimbs[i]) - } - return x.Mod(&Nat{limbs: T}, m) - case 2048 / _W: - const n = 2048 / _W // compiler hint - T := make([]uint, n*2) - for i := 0; i < n; i++ { - T[n+i] = addMulVVW2048(&T[i], &xLimbs[0], yLimbs[i]) - } - return x.Mod(&Nat{limbs: T}, m) - } -} - -// Exp calculates out = x^e mod m. -// -// The exponent e is represented in big-endian order. The output will be resized -// to the size of m and overwritten. x must already be reduced modulo m. -// -// m must be odd, or Exp will panic. -// -//go:norace -func (out *Nat) Exp(x *Nat, e []byte, m *Modulus) *Nat { - if !m.odd { - panic("bigmod: modulus for Exp must be odd") - } - - // We use a 4 bit window. For our RSA workload, 4 bit windows are faster - // than 2 bit windows, but use an extra 12 nats worth of scratch space. - // Using bit sizes that don't divide 8 are more complex to implement, but - // are likely to be more efficient if necessary. - - table := [(1 << 4) - 1]*Nat{ // table[i] = x ^ (i+1) - // newNat calls are unrolled so they are allocated on the stack. - NewNat(), NewNat(), NewNat(), NewNat(), NewNat(), - NewNat(), NewNat(), NewNat(), NewNat(), NewNat(), - NewNat(), NewNat(), NewNat(), NewNat(), NewNat(), - } - table[0].set(x).montgomeryRepresentation(m) - for i := 1; i < len(table); i++ { - table[i].montgomeryMul(table[i-1], table[0], m) - } - - out.resetFor(m) - out.limbs[0] = 1 - out.montgomeryRepresentation(m) - tmp := NewNat().ExpandFor(m) - for _, b := range e { - for _, j := range []int{4, 0} { - // Square four times. Optimization note: this can be implemented - // more efficiently than with generic Montgomery multiplication. - out.montgomeryMul(out, out, m) - out.montgomeryMul(out, out, m) - out.montgomeryMul(out, out, m) - out.montgomeryMul(out, out, m) - - // Select x^k in constant time from the table. - k := uint((b >> j) & 0b1111) - for i := range table { - tmp.assign(ctEq(k, uint(i+1)), table[i]) - } - - // Multiply by x^k, discarding the result if k = 0. - tmp.montgomeryMul(out, tmp, m) - out.assign(not(ctEq(k, 0)), tmp) - } - } - - return out.montgomeryReduction(m) -} - -// ExpShortVarTime calculates out = x^e mod m. -// -// The output will be resized to the size of m and overwritten. x must already -// be reduced modulo m. This leaks the exponent through timing side-channels. -// -// m must be odd, or ExpShortVarTime will panic. -func (out *Nat) ExpShortVarTime(x *Nat, e uint, m *Modulus) *Nat { - if !m.odd { - panic("bigmod: modulus for ExpShortVarTime must be odd") - } - // For short exponents, precomputing a table and using a window like in Exp - // doesn't pay off. Instead, we do a simple conditional square-and-multiply - // chain, skipping the initial run of zeroes. - xR := NewNat().set(x).montgomeryRepresentation(m) - out.set(xR) - for i := bits.UintSize - bits.Len(e) + 1; i < bits.UintSize; i++ { - out.montgomeryMul(out, out, m) - if k := (e >> (bits.UintSize - i - 1)) & 1; k != 0 { - out.montgomeryMul(out, xR, m) - } - } - return out.montgomeryReduction(m) -} - -// InverseVarTime calculates x = a⁻¹ mod m and returns (x, true) if a is -// invertible. Otherwise, InverseVarTime returns (x, false) and x is not -// modified. -// -// a must be reduced modulo m, but doesn't need to have the same size. The -// output will be resized to the size of m and overwritten. -// -//go:norace -func (x *Nat) InverseVarTime(a *Nat, m *Modulus) (*Nat, bool) { - u, A, err := extendedGCD(a, m.nat) - if err != nil { - return x, false - } - if u.IsOne() == no { - return x, false - } - return x.set(A), true -} - -// GCDVarTime calculates x = GCD(a, b) where at least one of a or b is odd, and -// both are non-zero. If GCDVarTime returns an error, x is not modified. -// -// The output will be resized to the size of the larger of a and b. -func (x *Nat) GCDVarTime(a, b *Nat) (*Nat, error) { - u, _, err := extendedGCD(a, b) - if err != nil { - return nil, err - } - return x.set(u), nil -} - -// extendedGCD computes u and A such that a = GCD(a, m) and u = A*a - B*m. -// -// u will have the size of the larger of a and m, and A will have the size of m. -// -// It is an error if either a or m is zero, or if they are both even. -func extendedGCD(a, m *Nat) (u, A *Nat, err error) { - // This is the extended binary GCD algorithm described in the Handbook of - // Applied Cryptography, Algorithm 14.61, adapted by BoringSSL to bound - // coefficients and avoid negative numbers. For more details and proof of - // correctness, see https://github.com/mit-plv/fiat-crypto/pull/333/files. - // - // Following the proof linked in the PR above, the changes are: - // - // 1. Negate [B] and [C] so they are positive. The invariant now involves a - // subtraction. - // 2. If step 2 (both [x] and [y] are even) runs, abort immediately. This - // case needs to be handled by the caller. - // 3. Subtract copies of [x] and [y] as needed in step 6 (both [u] and [v] - // are odd) so coefficients stay in bounds. - // 4. Replace the [u >= v] check with [u > v]. This changes the end - // condition to [v = 0] rather than [u = 0]. This saves an extra - // subtraction due to which coefficients were negated. - // 5. Rename x and y to a and n, to capture that one is a modulus. - // 6. Rearrange steps 4 through 6 slightly. Merge the loops in steps 4 and - // 5 into the main loop (step 7's goto), and move step 6 to the start of - // the loop iteration, ensuring each loop iteration halves at least one - // value. - // - // Note this algorithm does not handle either input being zero. - - if a.IsZero() == yes || m.IsZero() == yes { - return nil, nil, errors.New("extendedGCD: a or m is zero") - } - if a.IsOdd() == no && m.IsOdd() == no { - return nil, nil, errors.New("extendedGCD: both a and m are even") - } - - size := max(len(a.limbs), len(m.limbs)) - u = NewNat().set(a).expand(size) - v := NewNat().set(m).expand(size) - - A = NewNat().reset(len(m.limbs)) - A.limbs[0] = 1 - B := NewNat().reset(len(a.limbs)) - C := NewNat().reset(len(m.limbs)) - D := NewNat().reset(len(a.limbs)) - D.limbs[0] = 1 - - // Before and after each loop iteration, the following hold: - // - // u = A*a - B*m - // v = D*m - C*a - // 0 < u <= a - // 0 <= v <= m - // 0 <= A < m - // 0 <= B <= a - // 0 <= C < m - // 0 <= D <= a - // - // After each loop iteration, u and v only get smaller, and at least one of - // them shrinks by at least a factor of two. - for { - // If both u and v are odd, subtract the smaller from the larger. - // If u = v, we need to subtract from v to hit the modified exit condition. - if u.IsOdd() == yes && v.IsOdd() == yes { - if v.cmpGeq(u) == no { - u.sub(v) - A.Add(C, &Modulus{nat: m}) - B.Add(D, &Modulus{nat: a}) - } else { - v.sub(u) - C.Add(A, &Modulus{nat: m}) - D.Add(B, &Modulus{nat: a}) - } - } - - // Exactly one of u and v is now even. - if u.IsOdd() == v.IsOdd() { - panic("bigmod: internal error: u and v are not in the expected state") - } - - // Halve the even one and adjust the corresponding coefficient. - if u.IsOdd() == no { - rshift1(u, 0) - if A.IsOdd() == yes || B.IsOdd() == yes { - rshift1(A, A.add(m)) - rshift1(B, B.add(a)) - } else { - rshift1(A, 0) - rshift1(B, 0) - } - } else { // v.IsOdd() == no - rshift1(v, 0) - if C.IsOdd() == yes || D.IsOdd() == yes { - rshift1(C, C.add(m)) - rshift1(D, D.add(a)) - } else { - rshift1(C, 0) - rshift1(D, 0) - } - } - - if v.IsZero() == yes { - return u, A, nil - } - } -} - -//go:norace -func rshift1(a *Nat, carry uint) { - size := len(a.limbs) - aLimbs := a.limbs[:size] - - for i := range size { - aLimbs[i] >>= 1 - if i+1 < size { - aLimbs[i] |= aLimbs[i+1] << (_W - 1) - } else { - aLimbs[i] |= carry << (_W - 1) - } - } -} - -// DivShortVarTime calculates x = x / y and returns the remainder. -// -// It panics if y is zero. -// -//go:norace -func (x *Nat) DivShortVarTime(y uint) uint { - if y == 0 { - panic("bigmod: division by zero") - } - - var r uint - for i := len(x.limbs) - 1; i >= 0; i-- { - x.limbs[i], r = bits.Div(r, x.limbs[i], y) - } - return r -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_386.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_386.s deleted file mode 100644 index 0637d271e83..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_386.s +++ /dev/null @@ -1,47 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func addMulVVW1024(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1024(SB), $0-16 - MOVL $32, BX - JMP addMulVVWx(SB) - -// func addMulVVW1536(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1536(SB), $0-16 - MOVL $48, BX - JMP addMulVVWx(SB) - -// func addMulVVW2048(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW2048(SB), $0-16 - MOVL $64, BX - JMP addMulVVWx(SB) - -TEXT addMulVVWx(SB), NOFRAME|NOSPLIT, $0 - MOVL z+0(FP), DI - MOVL x+4(FP), SI - MOVL y+8(FP), BP - LEAL (DI)(BX*4), DI - LEAL (SI)(BX*4), SI - NEGL BX // i = -n - MOVL $0, CX // c = 0 - JMP E6 - -L6: MOVL (SI)(BX*4), AX - MULL BP - ADDL CX, AX - ADCL $0, DX - ADDL AX, (DI)(BX*4) - ADCL $0, DX - MOVL DX, CX - ADDL $1, BX // i++ - -E6: CMPL BX, $0 // i < 0 - JL L6 - - MOVL CX, c+12(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_amd64.s deleted file mode 100644 index ab94344e10a..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_amd64.s +++ /dev/null @@ -1,1230 +0,0 @@ -// Code generated by command: go run nat_amd64_asm.go -out ../nat_amd64.s -pkg bigmod. DO NOT EDIT. - -//go:build !purego - -// func addMulVVW1024(z *uint, x *uint, y uint) (c uint) -// Requires: ADX, BMI2 -TEXT ·addMulVVW1024(SB), $0-32 - CMPB ·supportADX+0(SB), $0x01 - JEQ adx - MOVQ z+0(FP), CX - MOVQ x+8(FP), BX - MOVQ y+16(FP), SI - XORQ DI, DI - - // Iteration 0 - MOVQ (BX), AX - MULQ SI - ADDQ (CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, (CX) - - // Iteration 1 - MOVQ 8(BX), AX - MULQ SI - ADDQ 8(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 8(CX) - - // Iteration 2 - MOVQ 16(BX), AX - MULQ SI - ADDQ 16(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 16(CX) - - // Iteration 3 - MOVQ 24(BX), AX - MULQ SI - ADDQ 24(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 24(CX) - - // Iteration 4 - MOVQ 32(BX), AX - MULQ SI - ADDQ 32(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 32(CX) - - // Iteration 5 - MOVQ 40(BX), AX - MULQ SI - ADDQ 40(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 40(CX) - - // Iteration 6 - MOVQ 48(BX), AX - MULQ SI - ADDQ 48(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 48(CX) - - // Iteration 7 - MOVQ 56(BX), AX - MULQ SI - ADDQ 56(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 56(CX) - - // Iteration 8 - MOVQ 64(BX), AX - MULQ SI - ADDQ 64(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 64(CX) - - // Iteration 9 - MOVQ 72(BX), AX - MULQ SI - ADDQ 72(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 72(CX) - - // Iteration 10 - MOVQ 80(BX), AX - MULQ SI - ADDQ 80(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 80(CX) - - // Iteration 11 - MOVQ 88(BX), AX - MULQ SI - ADDQ 88(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 88(CX) - - // Iteration 12 - MOVQ 96(BX), AX - MULQ SI - ADDQ 96(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 96(CX) - - // Iteration 13 - MOVQ 104(BX), AX - MULQ SI - ADDQ 104(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 104(CX) - - // Iteration 14 - MOVQ 112(BX), AX - MULQ SI - ADDQ 112(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 112(CX) - - // Iteration 15 - MOVQ 120(BX), AX - MULQ SI - ADDQ 120(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 120(CX) - MOVQ DI, c+24(FP) - RET - -adx: - MOVQ z+0(FP), AX - MOVQ x+8(FP), CX - MOVQ y+16(FP), DX - XORQ BX, BX - XORQ SI, SI - - // Iteration 0 - MULXQ (CX), R8, DI - ADCXQ BX, R8 - ADOXQ (AX), R8 - MOVQ R8, (AX) - - // Iteration 1 - MULXQ 8(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 8(AX), R8 - MOVQ R8, 8(AX) - - // Iteration 2 - MULXQ 16(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 16(AX), R8 - MOVQ R8, 16(AX) - - // Iteration 3 - MULXQ 24(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 24(AX), R8 - MOVQ R8, 24(AX) - - // Iteration 4 - MULXQ 32(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 32(AX), R8 - MOVQ R8, 32(AX) - - // Iteration 5 - MULXQ 40(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 40(AX), R8 - MOVQ R8, 40(AX) - - // Iteration 6 - MULXQ 48(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 48(AX), R8 - MOVQ R8, 48(AX) - - // Iteration 7 - MULXQ 56(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 56(AX), R8 - MOVQ R8, 56(AX) - - // Iteration 8 - MULXQ 64(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 64(AX), R8 - MOVQ R8, 64(AX) - - // Iteration 9 - MULXQ 72(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 72(AX), R8 - MOVQ R8, 72(AX) - - // Iteration 10 - MULXQ 80(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 80(AX), R8 - MOVQ R8, 80(AX) - - // Iteration 11 - MULXQ 88(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 88(AX), R8 - MOVQ R8, 88(AX) - - // Iteration 12 - MULXQ 96(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 96(AX), R8 - MOVQ R8, 96(AX) - - // Iteration 13 - MULXQ 104(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 104(AX), R8 - MOVQ R8, 104(AX) - - // Iteration 14 - MULXQ 112(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 112(AX), R8 - MOVQ R8, 112(AX) - - // Iteration 15 - MULXQ 120(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 120(AX), R8 - MOVQ R8, 120(AX) - - // Add back carry flags and return - ADCXQ SI, BX - ADOXQ SI, BX - MOVQ BX, c+24(FP) - RET - -// func addMulVVW1536(z *uint, x *uint, y uint) (c uint) -// Requires: ADX, BMI2 -TEXT ·addMulVVW1536(SB), $0-32 - CMPB ·supportADX+0(SB), $0x01 - JEQ adx - MOVQ z+0(FP), CX - MOVQ x+8(FP), BX - MOVQ y+16(FP), SI - XORQ DI, DI - - // Iteration 0 - MOVQ (BX), AX - MULQ SI - ADDQ (CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, (CX) - - // Iteration 1 - MOVQ 8(BX), AX - MULQ SI - ADDQ 8(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 8(CX) - - // Iteration 2 - MOVQ 16(BX), AX - MULQ SI - ADDQ 16(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 16(CX) - - // Iteration 3 - MOVQ 24(BX), AX - MULQ SI - ADDQ 24(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 24(CX) - - // Iteration 4 - MOVQ 32(BX), AX - MULQ SI - ADDQ 32(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 32(CX) - - // Iteration 5 - MOVQ 40(BX), AX - MULQ SI - ADDQ 40(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 40(CX) - - // Iteration 6 - MOVQ 48(BX), AX - MULQ SI - ADDQ 48(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 48(CX) - - // Iteration 7 - MOVQ 56(BX), AX - MULQ SI - ADDQ 56(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 56(CX) - - // Iteration 8 - MOVQ 64(BX), AX - MULQ SI - ADDQ 64(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 64(CX) - - // Iteration 9 - MOVQ 72(BX), AX - MULQ SI - ADDQ 72(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 72(CX) - - // Iteration 10 - MOVQ 80(BX), AX - MULQ SI - ADDQ 80(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 80(CX) - - // Iteration 11 - MOVQ 88(BX), AX - MULQ SI - ADDQ 88(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 88(CX) - - // Iteration 12 - MOVQ 96(BX), AX - MULQ SI - ADDQ 96(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 96(CX) - - // Iteration 13 - MOVQ 104(BX), AX - MULQ SI - ADDQ 104(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 104(CX) - - // Iteration 14 - MOVQ 112(BX), AX - MULQ SI - ADDQ 112(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 112(CX) - - // Iteration 15 - MOVQ 120(BX), AX - MULQ SI - ADDQ 120(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 120(CX) - - // Iteration 16 - MOVQ 128(BX), AX - MULQ SI - ADDQ 128(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 128(CX) - - // Iteration 17 - MOVQ 136(BX), AX - MULQ SI - ADDQ 136(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 136(CX) - - // Iteration 18 - MOVQ 144(BX), AX - MULQ SI - ADDQ 144(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 144(CX) - - // Iteration 19 - MOVQ 152(BX), AX - MULQ SI - ADDQ 152(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 152(CX) - - // Iteration 20 - MOVQ 160(BX), AX - MULQ SI - ADDQ 160(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 160(CX) - - // Iteration 21 - MOVQ 168(BX), AX - MULQ SI - ADDQ 168(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 168(CX) - - // Iteration 22 - MOVQ 176(BX), AX - MULQ SI - ADDQ 176(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 176(CX) - - // Iteration 23 - MOVQ 184(BX), AX - MULQ SI - ADDQ 184(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 184(CX) - MOVQ DI, c+24(FP) - RET - -adx: - MOVQ z+0(FP), AX - MOVQ x+8(FP), CX - MOVQ y+16(FP), DX - XORQ BX, BX - XORQ SI, SI - - // Iteration 0 - MULXQ (CX), R8, DI - ADCXQ BX, R8 - ADOXQ (AX), R8 - MOVQ R8, (AX) - - // Iteration 1 - MULXQ 8(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 8(AX), R8 - MOVQ R8, 8(AX) - - // Iteration 2 - MULXQ 16(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 16(AX), R8 - MOVQ R8, 16(AX) - - // Iteration 3 - MULXQ 24(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 24(AX), R8 - MOVQ R8, 24(AX) - - // Iteration 4 - MULXQ 32(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 32(AX), R8 - MOVQ R8, 32(AX) - - // Iteration 5 - MULXQ 40(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 40(AX), R8 - MOVQ R8, 40(AX) - - // Iteration 6 - MULXQ 48(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 48(AX), R8 - MOVQ R8, 48(AX) - - // Iteration 7 - MULXQ 56(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 56(AX), R8 - MOVQ R8, 56(AX) - - // Iteration 8 - MULXQ 64(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 64(AX), R8 - MOVQ R8, 64(AX) - - // Iteration 9 - MULXQ 72(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 72(AX), R8 - MOVQ R8, 72(AX) - - // Iteration 10 - MULXQ 80(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 80(AX), R8 - MOVQ R8, 80(AX) - - // Iteration 11 - MULXQ 88(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 88(AX), R8 - MOVQ R8, 88(AX) - - // Iteration 12 - MULXQ 96(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 96(AX), R8 - MOVQ R8, 96(AX) - - // Iteration 13 - MULXQ 104(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 104(AX), R8 - MOVQ R8, 104(AX) - - // Iteration 14 - MULXQ 112(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 112(AX), R8 - MOVQ R8, 112(AX) - - // Iteration 15 - MULXQ 120(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 120(AX), R8 - MOVQ R8, 120(AX) - - // Iteration 16 - MULXQ 128(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 128(AX), R8 - MOVQ R8, 128(AX) - - // Iteration 17 - MULXQ 136(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 136(AX), R8 - MOVQ R8, 136(AX) - - // Iteration 18 - MULXQ 144(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 144(AX), R8 - MOVQ R8, 144(AX) - - // Iteration 19 - MULXQ 152(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 152(AX), R8 - MOVQ R8, 152(AX) - - // Iteration 20 - MULXQ 160(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 160(AX), R8 - MOVQ R8, 160(AX) - - // Iteration 21 - MULXQ 168(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 168(AX), R8 - MOVQ R8, 168(AX) - - // Iteration 22 - MULXQ 176(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 176(AX), R8 - MOVQ R8, 176(AX) - - // Iteration 23 - MULXQ 184(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 184(AX), R8 - MOVQ R8, 184(AX) - - // Add back carry flags and return - ADCXQ SI, BX - ADOXQ SI, BX - MOVQ BX, c+24(FP) - RET - -// func addMulVVW2048(z *uint, x *uint, y uint) (c uint) -// Requires: ADX, BMI2 -TEXT ·addMulVVW2048(SB), $0-32 - CMPB ·supportADX+0(SB), $0x01 - JEQ adx - MOVQ z+0(FP), CX - MOVQ x+8(FP), BX - MOVQ y+16(FP), SI - XORQ DI, DI - - // Iteration 0 - MOVQ (BX), AX - MULQ SI - ADDQ (CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, (CX) - - // Iteration 1 - MOVQ 8(BX), AX - MULQ SI - ADDQ 8(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 8(CX) - - // Iteration 2 - MOVQ 16(BX), AX - MULQ SI - ADDQ 16(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 16(CX) - - // Iteration 3 - MOVQ 24(BX), AX - MULQ SI - ADDQ 24(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 24(CX) - - // Iteration 4 - MOVQ 32(BX), AX - MULQ SI - ADDQ 32(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 32(CX) - - // Iteration 5 - MOVQ 40(BX), AX - MULQ SI - ADDQ 40(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 40(CX) - - // Iteration 6 - MOVQ 48(BX), AX - MULQ SI - ADDQ 48(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 48(CX) - - // Iteration 7 - MOVQ 56(BX), AX - MULQ SI - ADDQ 56(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 56(CX) - - // Iteration 8 - MOVQ 64(BX), AX - MULQ SI - ADDQ 64(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 64(CX) - - // Iteration 9 - MOVQ 72(BX), AX - MULQ SI - ADDQ 72(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 72(CX) - - // Iteration 10 - MOVQ 80(BX), AX - MULQ SI - ADDQ 80(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 80(CX) - - // Iteration 11 - MOVQ 88(BX), AX - MULQ SI - ADDQ 88(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 88(CX) - - // Iteration 12 - MOVQ 96(BX), AX - MULQ SI - ADDQ 96(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 96(CX) - - // Iteration 13 - MOVQ 104(BX), AX - MULQ SI - ADDQ 104(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 104(CX) - - // Iteration 14 - MOVQ 112(BX), AX - MULQ SI - ADDQ 112(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 112(CX) - - // Iteration 15 - MOVQ 120(BX), AX - MULQ SI - ADDQ 120(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 120(CX) - - // Iteration 16 - MOVQ 128(BX), AX - MULQ SI - ADDQ 128(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 128(CX) - - // Iteration 17 - MOVQ 136(BX), AX - MULQ SI - ADDQ 136(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 136(CX) - - // Iteration 18 - MOVQ 144(BX), AX - MULQ SI - ADDQ 144(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 144(CX) - - // Iteration 19 - MOVQ 152(BX), AX - MULQ SI - ADDQ 152(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 152(CX) - - // Iteration 20 - MOVQ 160(BX), AX - MULQ SI - ADDQ 160(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 160(CX) - - // Iteration 21 - MOVQ 168(BX), AX - MULQ SI - ADDQ 168(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 168(CX) - - // Iteration 22 - MOVQ 176(BX), AX - MULQ SI - ADDQ 176(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 176(CX) - - // Iteration 23 - MOVQ 184(BX), AX - MULQ SI - ADDQ 184(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 184(CX) - - // Iteration 24 - MOVQ 192(BX), AX - MULQ SI - ADDQ 192(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 192(CX) - - // Iteration 25 - MOVQ 200(BX), AX - MULQ SI - ADDQ 200(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 200(CX) - - // Iteration 26 - MOVQ 208(BX), AX - MULQ SI - ADDQ 208(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 208(CX) - - // Iteration 27 - MOVQ 216(BX), AX - MULQ SI - ADDQ 216(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 216(CX) - - // Iteration 28 - MOVQ 224(BX), AX - MULQ SI - ADDQ 224(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 224(CX) - - // Iteration 29 - MOVQ 232(BX), AX - MULQ SI - ADDQ 232(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 232(CX) - - // Iteration 30 - MOVQ 240(BX), AX - MULQ SI - ADDQ 240(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 240(CX) - - // Iteration 31 - MOVQ 248(BX), AX - MULQ SI - ADDQ 248(CX), AX - ADCQ $0x00, DX - ADDQ DI, AX - ADCQ $0x00, DX - MOVQ DX, DI - MOVQ AX, 248(CX) - MOVQ DI, c+24(FP) - RET - -adx: - MOVQ z+0(FP), AX - MOVQ x+8(FP), CX - MOVQ y+16(FP), DX - XORQ BX, BX - XORQ SI, SI - - // Iteration 0 - MULXQ (CX), R8, DI - ADCXQ BX, R8 - ADOXQ (AX), R8 - MOVQ R8, (AX) - - // Iteration 1 - MULXQ 8(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 8(AX), R8 - MOVQ R8, 8(AX) - - // Iteration 2 - MULXQ 16(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 16(AX), R8 - MOVQ R8, 16(AX) - - // Iteration 3 - MULXQ 24(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 24(AX), R8 - MOVQ R8, 24(AX) - - // Iteration 4 - MULXQ 32(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 32(AX), R8 - MOVQ R8, 32(AX) - - // Iteration 5 - MULXQ 40(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 40(AX), R8 - MOVQ R8, 40(AX) - - // Iteration 6 - MULXQ 48(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 48(AX), R8 - MOVQ R8, 48(AX) - - // Iteration 7 - MULXQ 56(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 56(AX), R8 - MOVQ R8, 56(AX) - - // Iteration 8 - MULXQ 64(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 64(AX), R8 - MOVQ R8, 64(AX) - - // Iteration 9 - MULXQ 72(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 72(AX), R8 - MOVQ R8, 72(AX) - - // Iteration 10 - MULXQ 80(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 80(AX), R8 - MOVQ R8, 80(AX) - - // Iteration 11 - MULXQ 88(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 88(AX), R8 - MOVQ R8, 88(AX) - - // Iteration 12 - MULXQ 96(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 96(AX), R8 - MOVQ R8, 96(AX) - - // Iteration 13 - MULXQ 104(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 104(AX), R8 - MOVQ R8, 104(AX) - - // Iteration 14 - MULXQ 112(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 112(AX), R8 - MOVQ R8, 112(AX) - - // Iteration 15 - MULXQ 120(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 120(AX), R8 - MOVQ R8, 120(AX) - - // Iteration 16 - MULXQ 128(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 128(AX), R8 - MOVQ R8, 128(AX) - - // Iteration 17 - MULXQ 136(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 136(AX), R8 - MOVQ R8, 136(AX) - - // Iteration 18 - MULXQ 144(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 144(AX), R8 - MOVQ R8, 144(AX) - - // Iteration 19 - MULXQ 152(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 152(AX), R8 - MOVQ R8, 152(AX) - - // Iteration 20 - MULXQ 160(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 160(AX), R8 - MOVQ R8, 160(AX) - - // Iteration 21 - MULXQ 168(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 168(AX), R8 - MOVQ R8, 168(AX) - - // Iteration 22 - MULXQ 176(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 176(AX), R8 - MOVQ R8, 176(AX) - - // Iteration 23 - MULXQ 184(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 184(AX), R8 - MOVQ R8, 184(AX) - - // Iteration 24 - MULXQ 192(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 192(AX), R8 - MOVQ R8, 192(AX) - - // Iteration 25 - MULXQ 200(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 200(AX), R8 - MOVQ R8, 200(AX) - - // Iteration 26 - MULXQ 208(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 208(AX), R8 - MOVQ R8, 208(AX) - - // Iteration 27 - MULXQ 216(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 216(AX), R8 - MOVQ R8, 216(AX) - - // Iteration 28 - MULXQ 224(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 224(AX), R8 - MOVQ R8, 224(AX) - - // Iteration 29 - MULXQ 232(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 232(AX), R8 - MOVQ R8, 232(AX) - - // Iteration 30 - MULXQ 240(CX), R8, DI - ADCXQ BX, R8 - ADOXQ 240(AX), R8 - MOVQ R8, 240(AX) - - // Iteration 31 - MULXQ 248(CX), R8, BX - ADCXQ DI, R8 - ADOXQ 248(AX), R8 - MOVQ R8, 248(AX) - - // Add back carry flags and return - ADCXQ SI, BX - ADOXQ SI, BX - MOVQ BX, c+24(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_arm.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_arm.s deleted file mode 100644 index c7397b89c5f..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_arm.s +++ /dev/null @@ -1,47 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func addMulVVW1024(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1024(SB), $0-16 - MOVW $32, R5 - JMP addMulVVWx(SB) - -// func addMulVVW1536(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1536(SB), $0-16 - MOVW $48, R5 - JMP addMulVVWx(SB) - -// func addMulVVW2048(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW2048(SB), $0-16 - MOVW $64, R5 - JMP addMulVVWx(SB) - -TEXT addMulVVWx(SB), NOFRAME|NOSPLIT, $0 - MOVW $0, R0 - MOVW z+0(FP), R1 - MOVW x+4(FP), R2 - MOVW y+8(FP), R3 - ADD R5<<2, R1, R5 - MOVW $0, R4 - B E9 - -L9: MOVW.P 4(R2), R6 - MULLU R6, R3, (R7, R6) - ADD.S R4, R6 - ADC R0, R7 - MOVW 0(R1), R4 - ADD.S R4, R6 - ADC R0, R7 - MOVW.P R6, 4(R1) - MOVW R7, R4 - -E9: TEQ R1, R5 - BNE L9 - - MOVW R4, c+12(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_arm64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_arm64.s deleted file mode 100644 index ba1e6118cc8..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_arm64.s +++ /dev/null @@ -1,69 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func addMulVVW1024(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1024(SB), $0-32 - MOVD $16, R0 - JMP addMulVVWx(SB) - -// func addMulVVW1536(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1536(SB), $0-32 - MOVD $24, R0 - JMP addMulVVWx(SB) - -// func addMulVVW2048(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW2048(SB), $0-32 - MOVD $32, R0 - JMP addMulVVWx(SB) - -TEXT addMulVVWx(SB), NOFRAME|NOSPLIT, $0 - MOVD z+0(FP), R1 - MOVD x+8(FP), R2 - MOVD y+16(FP), R3 - MOVD $0, R4 - -// The main loop of this code operates on a block of 4 words every iteration -// performing [R4:R12:R11:R10:R9] = R4 + R3 * [R8:R7:R6:R5] + [R12:R11:R10:R9] -// where R4 is carried from the previous iteration, R8:R7:R6:R5 hold the next -// 4 words of x, R3 is y and R12:R11:R10:R9 are part of the result z. -loop: - CBZ R0, done - - LDP.P 16(R2), (R5, R6) - LDP.P 16(R2), (R7, R8) - - LDP (R1), (R9, R10) - ADDS R4, R9 - MUL R6, R3, R14 - ADCS R14, R10 - MUL R7, R3, R15 - LDP 16(R1), (R11, R12) - ADCS R15, R11 - MUL R8, R3, R16 - ADCS R16, R12 - UMULH R8, R3, R20 - ADC $0, R20 - - MUL R5, R3, R13 - ADDS R13, R9 - UMULH R5, R3, R17 - ADCS R17, R10 - UMULH R6, R3, R21 - STP.P (R9, R10), 16(R1) - ADCS R21, R11 - UMULH R7, R3, R19 - ADCS R19, R12 - STP.P (R11, R12), 16(R1) - ADC $0, R20, R4 - - SUB $4, R0 - B loop - -done: - MOVD R4, c+24(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_asm.go deleted file mode 100644 index e3d125149ae..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_asm.go +++ /dev/null @@ -1,37 +0,0 @@ -// Copyright 2023 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego && (386 || amd64 || arm || arm64 || loong64 || ppc64 || ppc64le || riscv64 || s390x) - -package bigmod - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -// amd64 assembly uses ADCX/ADOX/MULX if ADX is available to run two carry -// chains in the flags in parallel across the whole operation, and aggressively -// unrolls loops. arm64 processes four words at a time. -// -// It's unclear why the assembly for all other architectures, as well as for -// amd64 without ADX, perform better than the compiler output. -// TODO(filippo): file cmd/compile performance issue. - -var supportADX = cpu.X86HasADX && cpu.X86HasBMI2 - -func init() { - if cpu.AMD64 { - impl.Register("aes", "ADX", &supportADX) - } -} - -//go:noescape -func addMulVVW1024(z, x *uint, y uint) (c uint) - -//go:noescape -func addMulVVW1536(z, x *uint, y uint) (c uint) - -//go:noescape -func addMulVVW2048(z, x *uint, y uint) (c uint) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_loong64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_loong64.s deleted file mode 100644 index 4e88586da8d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_loong64.s +++ /dev/null @@ -1,93 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// derived from crypto/internal/fips140/bigmod/nat_riscv64.s - -//go:build !purego - -#include "textflag.h" - -// func addMulVVW1024(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1024(SB),$0-32 - MOVV $16, R8 - JMP addMulVVWx(SB) - -// func addMulVVW1536(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1536(SB),$0-32 - MOVV $24, R8 - JMP addMulVVWx(SB) - -// func addMulVVW2048(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW2048(SB),$0-32 - MOVV $32, R8 - JMP addMulVVWx(SB) - -TEXT addMulVVWx(SB),NOFRAME|NOSPLIT,$0 - MOVV z+0(FP), R4 - MOVV x+8(FP), R6 - MOVV y+16(FP), R5 - MOVV $0, R7 - - BEQ R8, R0, done -loop: - MOVV 0*8(R4), R9 // z[0] - MOVV 1*8(R4), R10 // z[1] - MOVV 2*8(R4), R11 // z[2] - MOVV 3*8(R4), R12 // z[3] - - MOVV 0*8(R6), R13 // x[0] - MOVV 1*8(R6), R14 // x[1] - MOVV 2*8(R6), R15 // x[2] - MOVV 3*8(R6), R16 // x[3] - - MULHVU R13, R5, R17 // z_hi[0] = x[0] * y - MULV R13, R5, R13 // z_lo[0] = x[0] * y - ADDV R13, R9, R18 // z_lo[0] = x[0] * y + z[0] - SGTU R13, R18, R19 - ADDV R17, R19, R17 // z_hi[0] = x[0] * y + z[0] - ADDV R18, R7, R9 // z_lo[0] = x[0] * y + z[0] + c - SGTU R18, R9, R19 - ADDV R17, R19, R7 // next c - - MULHVU R14, R5, R24 // z_hi[1] = x[1] * y - MULV R14, R5, R14 // z_lo[1] = x[1] * y - ADDV R14, R10, R18 // z_lo[1] = x[1] * y + z[1] - SGTU R14, R18, R19 - ADDV R24, R19, R24 // z_hi[1] = x[1] * y + z[1] - ADDV R18, R7, R10 // z_lo[1] = x[1] * y + z[1] + c - SGTU R18, R10, R19 - ADDV R24, R19, R7 // next c - - MULHVU R15, R5, R25 // z_hi[2] = x[2] * y - MULV R15, R5, R15 // z_lo[2] = x[2] * y - ADDV R15, R11, R18 // z_lo[2] = x[2] * y + z[2] - SGTU R15, R18, R19 - ADDV R25, R19, R25 // z_hi[2] = x[2] * y + z[2] - ADDV R18, R7, R11 // z_lo[2] = x[2] * y + z[2] + c - SGTU R18, R11, R19 - ADDV R25, R19, R7 // next c - - MULHVU R16, R5, R26 // z_hi[3] = x[3] * y - MULV R16, R5, R16 // z_lo[3] = x[3] * y - ADDV R16, R12, R18 // z_lo[3] = x[3] * y + z[3] - SGTU R16, R18, R19 - ADDV R26, R19, R26 // z_hi[3] = x[3] * y + z[3] - ADDV R18, R7, R12 // z_lo[3] = x[3] * y + z[3] + c - SGTU R18, R12, R19 - ADDV R26, R19, R7 // next c - - MOVV R9, 0*8(R4) // z[0] - MOVV R10, 1*8(R4) // z[1] - MOVV R11, 2*8(R4) // z[2] - MOVV R12, 3*8(R4) // z[3] - - ADDV $32, R4 - ADDV $32, R6 - - SUBV $4, R8 - BNE R8, R0, loop - -done: - MOVV R7, c+24(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_noasm.go deleted file mode 100644 index dbec229f5d2..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_noasm.go +++ /dev/null @@ -1,21 +0,0 @@ -// Copyright 2023 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build purego || !(386 || amd64 || arm || arm64 || loong64 || ppc64 || ppc64le || riscv64 || s390x || wasm) - -package bigmod - -import "unsafe" - -func addMulVVW1024(z, x *uint, y uint) (c uint) { - return addMulVVW(unsafe.Slice(z, 1024/_W), unsafe.Slice(x, 1024/_W), y) -} - -func addMulVVW1536(z, x *uint, y uint) (c uint) { - return addMulVVW(unsafe.Slice(z, 1536/_W), unsafe.Slice(x, 1536/_W), y) -} - -func addMulVVW2048(z, x *uint, y uint) (c uint) { - return addMulVVW(unsafe.Slice(z, 2048/_W), unsafe.Slice(x, 2048/_W), y) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_ppc64x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_ppc64x.s deleted file mode 100644 index 94260ca29f3..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_ppc64x.s +++ /dev/null @@ -1,82 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego && (ppc64 || ppc64le) - -#include "textflag.h" - -// func addMulVVW1024(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1024(SB), $0-32 - MOVD $4, R6 // R6 = z_len/4 - JMP addMulVVWx<>(SB) - -// func addMulVVW1536(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1536(SB), $0-32 - MOVD $6, R6 // R6 = z_len/4 - JMP addMulVVWx<>(SB) - -// func addMulVVW2048(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW2048(SB), $0-32 - MOVD $8, R6 // R6 = z_len/4 - JMP addMulVVWx<>(SB) - -// This local function expects to be called only by -// callers above. R6 contains the z length/4 -// since 4 values are processed for each -// loop iteration, and is guaranteed to be > 0. -// If other callers are added this function might -// need to change. -TEXT addMulVVWx<>(SB), NOSPLIT, $0 - MOVD z+0(FP), R3 - MOVD x+8(FP), R4 - MOVD y+16(FP), R5 - - MOVD $0, R9 // R9 = c = 0 - MOVD R6, CTR // Initialize loop counter - PCALIGN $16 - -loop: - MOVD 0(R4), R14 // x[i] - MOVD 8(R4), R16 // x[i+1] - MOVD 16(R4), R18 // x[i+2] - MOVD 24(R4), R20 // x[i+3] - MOVD 0(R3), R15 // z[i] - MOVD 8(R3), R17 // z[i+1] - MOVD 16(R3), R19 // z[i+2] - MOVD 24(R3), R21 // z[i+3] - MULLD R5, R14, R10 // low x[i]*y - MULHDU R5, R14, R11 // high x[i]*y - ADDC R15, R10 - ADDZE R11 - ADDC R9, R10 - ADDZE R11, R9 - MULLD R5, R16, R14 // low x[i+1]*y - MULHDU R5, R16, R15 // high x[i+1]*y - ADDC R17, R14 - ADDZE R15 - ADDC R9, R14 - ADDZE R15, R9 - MULLD R5, R18, R16 // low x[i+2]*y - MULHDU R5, R18, R17 // high x[i+2]*y - ADDC R19, R16 - ADDZE R17 - ADDC R9, R16 - ADDZE R17, R9 - MULLD R5, R20, R18 // low x[i+3]*y - MULHDU R5, R20, R19 // high x[i+3]*y - ADDC R21, R18 - ADDZE R19 - ADDC R9, R18 - ADDZE R19, R9 - MOVD R10, 0(R3) // z[i] - MOVD R14, 8(R3) // z[i+1] - MOVD R16, 16(R3) // z[i+2] - MOVD R18, 24(R3) // z[i+3] - ADD $32, R3 - ADD $32, R4 - BDNZ loop - -done: - MOVD R9, c+24(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_riscv64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_riscv64.s deleted file mode 100644 index c1d9cc0dd48..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_riscv64.s +++ /dev/null @@ -1,91 +0,0 @@ -// Copyright 2023 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func addMulVVW1024(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1024(SB),$0-32 - MOV $16, X30 - JMP addMulVVWx(SB) - -// func addMulVVW1536(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1536(SB),$0-32 - MOV $24, X30 - JMP addMulVVWx(SB) - -// func addMulVVW2048(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW2048(SB),$0-32 - MOV $32, X30 - JMP addMulVVWx(SB) - -TEXT addMulVVWx(SB),NOFRAME|NOSPLIT,$0 - MOV z+0(FP), X5 - MOV x+8(FP), X7 - MOV y+16(FP), X6 - MOV $0, X29 - - BEQZ X30, done -loop: - MOV 0*8(X5), X10 // z[0] - MOV 1*8(X5), X13 // z[1] - MOV 2*8(X5), X16 // z[2] - MOV 3*8(X5), X19 // z[3] - - MOV 0*8(X7), X8 // x[0] - MOV 1*8(X7), X11 // x[1] - MOV 2*8(X7), X14 // x[2] - MOV 3*8(X7), X17 // x[3] - - MULHU X8, X6, X9 // z_hi[0] = x[0] * y - MUL X8, X6, X8 // z_lo[0] = x[0] * y - ADD X8, X10, X21 // z_lo[0] = x[0] * y + z[0] - SLTU X8, X21, X22 - ADD X9, X22, X9 // z_hi[0] = x[0] * y + z[0] - ADD X21, X29, X10 // z_lo[0] = x[0] * y + z[0] + c - SLTU X21, X10, X22 - ADD X9, X22, X29 // next c - - MULHU X11, X6, X12 // z_hi[1] = x[1] * y - MUL X11, X6, X11 // z_lo[1] = x[1] * y - ADD X11, X13, X21 // z_lo[1] = x[1] * y + z[1] - SLTU X11, X21, X22 - ADD X12, X22, X12 // z_hi[1] = x[1] * y + z[1] - ADD X21, X29, X13 // z_lo[1] = x[1] * y + z[1] + c - SLTU X21, X13, X22 - ADD X12, X22, X29 // next c - - MULHU X14, X6, X15 // z_hi[2] = x[2] * y - MUL X14, X6, X14 // z_lo[2] = x[2] * y - ADD X14, X16, X21 // z_lo[2] = x[2] * y + z[2] - SLTU X14, X21, X22 - ADD X15, X22, X15 // z_hi[2] = x[2] * y + z[2] - ADD X21, X29, X16 // z_lo[2] = x[2] * y + z[2] + c - SLTU X21, X16, X22 - ADD X15, X22, X29 // next c - - MULHU X17, X6, X18 // z_hi[3] = x[3] * y - MUL X17, X6, X17 // z_lo[3] = x[3] * y - ADD X17, X19, X21 // z_lo[3] = x[3] * y + z[3] - SLTU X17, X21, X22 - ADD X18, X22, X18 // z_hi[3] = x[3] * y + z[3] - ADD X21, X29, X19 // z_lo[3] = x[3] * y + z[3] + c - SLTU X21, X19, X22 - ADD X18, X22, X29 // next c - - MOV X10, 0*8(X5) // z[0] - MOV X13, 1*8(X5) // z[1] - MOV X16, 2*8(X5) // z[2] - MOV X19, 3*8(X5) // z[3] - - ADD $32, X5 - ADD $32, X7 - - SUB $4, X30 - BNEZ X30, loop - -done: - MOV X29, c+24(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_s390x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_s390x.s deleted file mode 100644 index 0c07a0c8a6d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_s390x.s +++ /dev/null @@ -1,85 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func addMulVVW1024(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1024(SB), $0-32 - MOVD $16, R5 - JMP addMulVVWx(SB) - -// func addMulVVW1536(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW1536(SB), $0-32 - MOVD $24, R5 - JMP addMulVVWx(SB) - -// func addMulVVW2048(z, x *uint, y uint) (c uint) -TEXT ·addMulVVW2048(SB), $0-32 - MOVD $32, R5 - JMP addMulVVWx(SB) - -TEXT addMulVVWx(SB), NOFRAME|NOSPLIT, $0 - MOVD z+0(FP), R2 - MOVD x+8(FP), R8 - MOVD y+16(FP), R9 - - MOVD $0, R1 // i*8 = 0 - MOVD $0, R7 // i = 0 - MOVD $0, R0 // make sure it's zero - MOVD $0, R4 // c = 0 - - MOVD R5, R12 - AND $-2, R12 - CMPBGE R5, $2, A6 - BR E6 - -A6: - MOVD (R8)(R1*1), R6 - MULHDU R9, R6 - MOVD (R2)(R1*1), R10 - ADDC R10, R11 // add to low order bits - ADDE R0, R6 - ADDC R4, R11 - ADDE R0, R6 - MOVD R6, R4 - MOVD R11, (R2)(R1*1) - - MOVD (8)(R8)(R1*1), R6 - MULHDU R9, R6 - MOVD (8)(R2)(R1*1), R10 - ADDC R10, R11 // add to low order bits - ADDE R0, R6 - ADDC R4, R11 - ADDE R0, R6 - MOVD R6, R4 - MOVD R11, (8)(R2)(R1*1) - - ADD $16, R1 // i*8 + 8 - ADD $2, R7 // i++ - - CMPBLT R7, R12, A6 - BR E6 - -L6: - // TODO: drop unused single-step loop. - MOVD (R8)(R1*1), R6 - MULHDU R9, R6 - MOVD (R2)(R1*1), R10 - ADDC R10, R11 // add to low order bits - ADDE R0, R6 - ADDC R4, R11 - ADDE R0, R6 - MOVD R6, R4 - MOVD R11, (R2)(R1*1) - - ADD $8, R1 // i*8 + 8 - ADD $1, R7 // i++ - -E6: - CMPBLT R7, R5, L6 // i < n - - MOVD R4, c+24(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_wasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_wasm.go deleted file mode 100644 index b4aaff74cf0..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/nat_wasm.go +++ /dev/null @@ -1,61 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package bigmod - -import "unsafe" - -// The generic implementation relies on 64x64->128 bit multiplication and -// 64-bit add-with-carry, which are compiler intrinsics on many architectures. -// Wasm doesn't support those. Here we implement it with 32x32->64 bit -// operations, which is more efficient on Wasm. - -func idx(x *uint, i uintptr) *uint { - return (*uint)(unsafe.Pointer(uintptr(unsafe.Pointer(x)) + i*8)) -} - -func addMulVVWWasm(z, x *uint, y uint, n uintptr) (carry uint) { - const mask32 = 1<<32 - 1 - y0 := y & mask32 - y1 := y >> 32 - for i := range n { - xi := *idx(x, i) - x0 := xi & mask32 - x1 := xi >> 32 - zi := *idx(z, i) - z0 := zi & mask32 - z1 := zi >> 32 - c0 := carry & mask32 - c1 := carry >> 32 - - w00 := x0*y0 + z0 + c0 - l00 := w00 & mask32 - h00 := w00 >> 32 - - w01 := x0*y1 + z1 + h00 - l01 := w01 & mask32 - h01 := w01 >> 32 - - w10 := x1*y0 + c1 + l01 - h10 := w10 >> 32 - - carry = x1*y1 + h10 + h01 - *idx(z, i) = w10<<32 + l00 - } - return carry -} - -func addMulVVW1024(z, x *uint, y uint) (c uint) { - return addMulVVWWasm(z, x, y, 1024/_W) -} - -func addMulVVW1536(z, x *uint, y uint) (c uint) { - return addMulVVWWasm(z, x, y, 1536/_W) -} - -func addMulVVW2048(z, x *uint, y uint) (c uint) { - return addMulVVWWasm(z, x, y, 2048/_W) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/ya.make deleted file mode 100644 index 6a1913d9397..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/bigmod/ya.make +++ /dev/null @@ -1,31 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - nat.go - nat_arm64.s - nat_asm.go - ) -ELSEIF (OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - nat.go - nat_amd64.s - nat_asm.go - ) -ELSEIF (OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - nat.go - nat_arm.s - nat_asm.go - ) -ELSEIF (OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - nat.go - nat_wasm.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/boring.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/boring.go deleted file mode 100644 index d627bc68903..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/boring.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Keep in sync with notboring.go and crypto/internal/boring/boring.go. -//go:build boringcrypto && linux && (amd64 || arm64) && !android && !msan && cgo - -package fips140 - -const boringEnabled = true diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/cast.go deleted file mode 100644 index 3968dcadd4d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/cast.go +++ /dev/null @@ -1,89 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package fips140 - -import ( - "crypto/internal/fips140deps/godebug" - "errors" - "strings" - _ "unsafe" // for go:linkname -) - -// fatal is [runtime.fatal], pushed via linkname. -// -//go:linkname fatal crypto/internal/fips140.fatal -func fatal(string) - -// failfipscast is a GODEBUG key allowing simulation of a CAST or PCT failure, -// as required during FIPS 140-3 functional testing. The value is the whole name -// of the target CAST or PCT. -var failfipscast = godebug.Value("#failfipscast") - -// CAST runs the named Cryptographic Algorithm Self-Test (if operated in FIPS -// mode) and aborts the program (stopping the module input/output and entering -// the "error state") if the self-test fails. -// -// CASTs are mandatory self-checks that must be performed by FIPS 140-3 modules -// before the algorithm is used. See Implementation Guidance 10.3.A. -// -// The name must not contain commas, colons, hashes, or equal signs. -// -// If a package p calls CAST from its init function, an import of p should also -// be added to crypto/internal/fips140test. If a package p calls CAST on the first -// use of the algorithm, an invocation of that algorithm should be added to -// fipstest.TestConditionals. -func CAST(name string, f func() error) { - if strings.ContainsAny(name, ",#=:") { - panic("fips: invalid self-test name: " + name) - } - if !Enabled { - return - } - - err := f() - if name == failfipscast { - err = errors.New("simulated CAST failure") - } - if err != nil { - fatal("FIPS 140-3 self-test failed: " + name + ": " + err.Error()) - panic("unreachable") - } - if debug { - println("FIPS 140-3 self-test passed:", name) - } -} - -// PCT runs the named Pairwise Consistency Test (if operated in FIPS mode) and -// aborts the program (stopping the module input/output and entering the "error -// state") if the test fails. -// -// PCTs are mandatory for every generated (but not imported) key pair, including -// ephemeral keys (which effectively doubles the cost of key establishment). See -// Implementation Guidance 10.3.A Additional Comment 1. -// -// The name must not contain commas, colons, hashes, or equal signs. -// -// If a package p calls PCT during key generation, an invocation of that -// function should be added to fipstest.TestConditionals. -func PCT(name string, f func() error) { - if strings.ContainsAny(name, ",#=:") { - panic("fips: invalid self-test name: " + name) - } - if !Enabled { - return - } - - err := f() - if name == failfipscast { - err = errors.New("simulated PCT failure") - } - if err != nil { - fatal("FIPS 140-3 self-test failed: " + name + ": " + err.Error()) - panic("unreachable") - } - if debug { - println("FIPS 140-3 PCT passed:", name) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/check.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/check.go deleted file mode 100644 index 454cd6c738b..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/check.go +++ /dev/null @@ -1,108 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package check implements the FIPS 140 load-time code+data verification. -// Every FIPS package providing cryptographic functionality except hmac and sha256 -// must import crypto/internal/fips140/check, so that the verification happens -// before initialization of package global variables. -// The hmac and sha256 packages are used by this package, so they cannot import it. -// Instead, those packages must be careful not to change global variables during init. -// (If necessary, we could have check call a PostCheck function in those packages -// after the check has completed.) -package check - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/hmac" - "crypto/internal/fips140/sha256" - "crypto/internal/fips140deps/byteorder" - "crypto/internal/fips140deps/godebug" - "io" - "unsafe" -) - -// Verified is set when verification succeeded. It can be expected to always be -// true when [fips140.Enabled] is true, or init would have panicked. -var Verified bool - -// Linkinfo holds the go:fipsinfo symbol prepared by the linker. -// See cmd/link/internal/ld/fips.go for details. -// -//go:linkname Linkinfo go:fipsinfo -var Linkinfo struct { - Magic [16]byte - Sum [32]byte - Self uintptr - Sects [4]struct { - // Note: These must be unsafe.Pointer, not uintptr, - // or else checkptr panics about turning uintptrs - // into pointers into the data segment during - // go test -race. - Start unsafe.Pointer - End unsafe.Pointer - } -} - -// "\xff"+fipsMagic is the expected linkinfo.Magic. -// We avoid writing that explicitly so that the string does not appear -// elsewhere in normal binaries, just as a precaution. -const fipsMagic = " Go fipsinfo \xff\x00" - -var zeroSum [32]byte - -func init() { - if !fips140.Enabled { - return - } - - if err := fips140.Supported(); err != nil { - panic("fips140: " + err.Error()) - } - - if Linkinfo.Magic[0] != 0xff || string(Linkinfo.Magic[1:]) != fipsMagic || Linkinfo.Sum == zeroSum { - panic("fips140: no verification checksum found") - } - - h := hmac.New(sha256.New, make([]byte, 32)) - w := io.Writer(h) - - /* - // Uncomment for debugging. - // Commented (as opposed to a const bool flag) - // to avoid import "os" in default builds. - f, err := os.Create("fipscheck.o") - if err != nil { - panic(err) - } - w = io.MultiWriter(h, f) - */ - - w.Write([]byte("go fips object v1\n")) - - var nbuf [8]byte - for _, sect := range Linkinfo.Sects { - n := uintptr(sect.End) - uintptr(sect.Start) - byteorder.BEPutUint64(nbuf[:], uint64(n)) - w.Write(nbuf[:]) - w.Write(unsafe.Slice((*byte)(sect.Start), n)) - } - sum := h.Sum(nil) - - if [32]byte(sum) != Linkinfo.Sum { - panic("fips140: verification mismatch") - } - - // "The temporary value(s) generated during the integrity test of the - // module’s software or firmware shall [05.10] be zeroised from the module - // upon completion of the integrity test" - clear(sum) - clear(nbuf[:]) - h.Reset() - - if godebug.Value("fips140") == "debug" { - println("fips140: verified code+data") - } - - Verified = true -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm.s deleted file mode 100644 index cc74e56f981..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm.s +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego && !wasm - -#include "textflag.h" - -DATA crypto∕internal∕fips140∕check∕checktest·RODATA(SB)/4, $2 -GLOBL crypto∕internal∕fips140∕check∕checktest·RODATA(SB), RODATA, $4 diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_386.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_386.s deleted file mode 100644 index c2978b51624..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_386.s +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -DATA StaticData<>(SB)/4, $10 -GLOBL StaticData<>(SB), NOPTR, $4 - -TEXT StaticText<>(SB), $0 - RET - -TEXT ·PtrStaticData(SB), $0-4 - MOVL $StaticData<>(SB), AX - MOVL AX, ret+0(FP) - RET - -TEXT ·PtrStaticText(SB), $0-4 - MOVL $StaticText<>(SB), AX - MOVL AX, ret+0(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_amd64.s deleted file mode 100644 index 88e4d94074c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_amd64.s +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -DATA StaticData<>(SB)/4, $10 -GLOBL StaticData<>(SB), NOPTR, $4 - -TEXT StaticText<>(SB), $0 - RET - -TEXT ·PtrStaticData(SB), $0-8 - MOVQ $StaticData<>(SB), AX - MOVQ AX, ret+0(FP) - RET - -TEXT ·PtrStaticText(SB), $0-8 - MOVQ $StaticText<>(SB), AX - MOVQ AX, ret+0(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_arm.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_arm.s deleted file mode 100644 index 5cc9230100f..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_arm.s +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -DATA StaticData<>(SB)/4, $10 -GLOBL StaticData<>(SB), NOPTR, $4 - -TEXT StaticText<>(SB), $0 - RET - -TEXT ·PtrStaticData(SB), $0-4 - MOVW $StaticData<>(SB), R1 - MOVW R1, ret+0(FP) - RET - -TEXT ·PtrStaticText(SB), $0-4 - MOVW $StaticText<>(SB), R1 - MOVW R1, ret+0(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_arm64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_arm64.s deleted file mode 100644 index 721bb03ada5..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_arm64.s +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -DATA StaticData<>(SB)/4, $10 -GLOBL StaticData<>(SB), NOPTR, $4 - -TEXT StaticText<>(SB), $0 - RET - -TEXT ·PtrStaticData(SB), $0-8 - MOVD $StaticData<>(SB), R1 - MOVD R1, ret+0(FP) - RET - -TEXT ·PtrStaticText(SB), $0-8 - MOVD $StaticText<>(SB), R1 - MOVD R1, ret+0(FP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_none.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_none.go deleted file mode 100644 index 956bad1cdad..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_none.go +++ /dev/null @@ -1,12 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!386 && !amd64 && !arm && !arm64) || purego - -package checktest - -import "unsafe" - -func PtrStaticData() *uint32 { return nil } -func PtrStaticText() unsafe.Pointer { return nil } diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_stub.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_stub.go deleted file mode 100644 index ebb5b17b28f..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/asm_stub.go +++ /dev/null @@ -1,12 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (386 || amd64 || arm || arm64) && !purego - -package checktest - -import "unsafe" - -func PtrStaticData() *uint32 -func PtrStaticText() unsafe.Pointer diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/test.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/test.go deleted file mode 100644 index 13429ef4ec5..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/test.go +++ /dev/null @@ -1,62 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package checktest defines some code and data for use in -// the crypto/internal/fips140/check test. -package checktest - -import ( - _ "crypto/internal/fips140/check" - "runtime" - _ "unsafe" // go:linkname -) - -var NOPTRDATA int = 1 - -// The linkname here disables asan registration of this global, -// because asan gets mad about rodata globals. -// -//go:linkname RODATA crypto/internal/fips140/check/checktest.RODATA -var RODATA int32 // set to 2 in asm.s - -// DATA needs to have both a pointer and an int so that _some_ of it gets -// initialized at link time, so it is treated as DATA and not BSS. -// The pointer is deferred to init time. -var DATA = struct { - P *int - X int -}{&NOPTRDATA, 3} - -var NOPTRBSS int - -var BSS *int - -func TEXT() {} - -var ( - globl12 [12]byte - globl8 [8]byte -) - -func init() { - globl8 = [8]byte{1, 2, 3, 4, 5, 6, 7, 8} - globl12 = [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12} - runtime.Gosched() - - sum := byte(0) - for _, x := range globl12 { - sum += x - } - if sum != 78 { - panic("globl12 did not sum properly") - } - - sum = byte(0) - for _, x := range globl8 { - sum += x - } - if sum != 36 { - panic("globl8 did not sum properly") - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/ya.make deleted file mode 100644 index aaf859abaaf..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/checktest/ya.make +++ /dev/null @@ -1,34 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - asm.s - asm_arm64.s - asm_stub.go - test.go - ) -ELSEIF (OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - asm.s - asm_amd64.s - asm_stub.go - test.go - ) -ELSEIF (OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - asm.s - asm_arm.s - asm_stub.go - test.go - ) -ELSEIF (OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - asm_none.go - test.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/check/ya.make deleted file mode 100644 index ee00bbb58df..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/check/ya.make +++ /dev/null @@ -1,12 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - check.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/cast.go deleted file mode 100644 index 24c0e0f1088..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/cast.go +++ /dev/null @@ -1,58 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package drbg - -import ( - "bytes" - "crypto/internal/fips140" - _ "crypto/internal/fips140/check" - "errors" -) - -func init() { - // Per IG 10.3.A, Resolution 7: "A KAT of a DRBG may be performed by: - // Instantiate with known data, Reseed with other known data, Generate and - // then compare the result to a pre-computed value." - fips140.CAST("CTR_DRBG", func() error { - entropy := &[SeedSize]byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, - 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, - 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, - } - reseedEntropy := &[SeedSize]byte{ - 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, - 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, - 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, - 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, - 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, - 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60, - } - additionalInput := &[SeedSize]byte{ - 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, - 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, - 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, - 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, - 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, - 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, - } - want := []byte{ - 0x6e, 0x6e, 0x47, 0x9d, 0x24, 0xf8, 0x6a, 0x3b, - 0x77, 0x87, 0xa8, 0xf8, 0x18, 0x6d, 0x98, 0x5a, - 0x53, 0xbe, 0xbe, 0xed, 0xde, 0xab, 0x92, 0x28, - 0xf0, 0xf4, 0xac, 0x6e, 0x10, 0xbf, 0x01, 0x93, - } - c := NewCounter(entropy) - c.Reseed(reseedEntropy, additionalInput) - got := make([]byte, len(want)) - c.Generate(got, additionalInput) - if !bytes.Equal(got, want) { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/ctrdrbg.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/ctrdrbg.go deleted file mode 100644 index 3c90054dfd2..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/ctrdrbg.go +++ /dev/null @@ -1,143 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package drbg - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/aes" - "crypto/internal/fips140/subtle" - "crypto/internal/fips140deps/byteorder" - "math/bits" -) - -// Counter is an SP 800-90A Rev. 1 CTR_DRBG instantiated with AES-256. -// -// Per Table 3, it has a security strength of 256 bits, a seed size of 384 bits, -// a counter length of 128 bits, a reseed interval of 2^48 requests, and a -// maximum request size of 2^19 bits (2^16 bytes, 64 KiB). -// -// We support a narrow range of parameters that fit the needs of our RNG: -// AES-256, no derivation function, no personalization string, no prediction -// resistance, and 384-bit additional input. -// -// WARNING: this type provides tightly scoped support for the DRBG -// functionality we need for FIPS 140-3 _only_. This type _should not_ be used -// outside of the FIPS 140-3 module for any other use. -// -// In particular, as documented, Counter does not support the derivation -// function, or personalization strings which are necessary for safely using -// this DRBG for generic purposes without leaking sensitive values. -type Counter struct { - // c is instantiated with K as the key and V as the counter. - c aes.CTR - - reseedCounter uint64 -} - -const ( - keySize = 256 / 8 - SeedSize = keySize + aes.BlockSize - reseedInterval = 1 << 48 - maxRequestSize = (1 << 19) / 8 -) - -func NewCounter(entropy *[SeedSize]byte) *Counter { - // CTR_DRBG_Instantiate_algorithm, per Section 10.2.1.3.1. - fips140.RecordApproved() - - K := make([]byte, keySize) - V := make([]byte, aes.BlockSize) - - // V starts at 0, but is incremented in CTR_DRBG_Update before each use, - // unlike AES-CTR where it is incremented after each use. - V[len(V)-1] = 1 - - cipher, err := aes.New(K) - if err != nil { - panic(err) - } - - c := &Counter{} - c.c = *aes.NewCTR(cipher, V) - c.update(entropy) - c.reseedCounter = 1 - return c -} - -func (c *Counter) update(seed *[SeedSize]byte) { - // CTR_DRBG_Update, per Section 10.2.1.2. - - temp := make([]byte, SeedSize) - c.c.XORKeyStream(temp, seed[:]) - K := temp[:keySize] - V := temp[keySize:] - - // Again, we pre-increment V, like in NewCounter. - increment((*[aes.BlockSize]byte)(V)) - - cipher, err := aes.New(K) - if err != nil { - panic(err) - } - c.c = *aes.NewCTR(cipher, V) -} - -func increment(v *[aes.BlockSize]byte) { - hi := byteorder.BEUint64(v[:8]) - lo := byteorder.BEUint64(v[8:]) - lo, c := bits.Add64(lo, 1, 0) - hi, _ = bits.Add64(hi, 0, c) - byteorder.BEPutUint64(v[:8], hi) - byteorder.BEPutUint64(v[8:], lo) -} - -func (c *Counter) Reseed(entropy, additionalInput *[SeedSize]byte) { - // CTR_DRBG_Reseed_algorithm, per Section 10.2.1.4.1. - fips140.RecordApproved() - - var seed [SeedSize]byte - subtle.XORBytes(seed[:], entropy[:], additionalInput[:]) - c.update(&seed) - c.reseedCounter = 1 -} - -// Generate produces at most maxRequestSize bytes of random data in out. -func (c *Counter) Generate(out []byte, additionalInput *[SeedSize]byte) (reseedRequired bool) { - // CTR_DRBG_Generate_algorithm, per Section 10.2.1.5.1. - fips140.RecordApproved() - - if len(out) > maxRequestSize { - panic("crypto/drbg: internal error: request size exceeds maximum") - } - - // Step 1. - if c.reseedCounter > reseedInterval { - return true - } - - // Step 2. - if additionalInput != nil { - c.update(additionalInput) - } else { - // If the additional input is null, the first CTR_DRBG_Update is - // skipped, but the additional input is replaced with an all-zero string - // for the second CTR_DRBG_Update. - additionalInput = new([SeedSize]byte) - } - - // Steps 3-5. - clear(out) - c.c.XORKeyStream(out, out) - aes.RoundToBlock(&c.c) - - // Step 6. - c.update(additionalInput) - - // Step 7. - c.reseedCounter++ - - // Step 8. - return false -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/rand.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/rand.go deleted file mode 100644 index c1a3ea0ae65..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/rand.go +++ /dev/null @@ -1,100 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package drbg provides cryptographically secure random bytes -// usable by FIPS code. In FIPS mode it uses an SP 800-90A Rev. 1 -// Deterministic Random Bit Generator (DRBG). Otherwise, -// it uses the operating system's random number generator. -package drbg - -import ( - "crypto/internal/entropy" - "crypto/internal/fips140" - "crypto/internal/randutil" - "crypto/internal/sysrand" - "io" - "sync" -) - -var drbgs = sync.Pool{ - New: func() any { - var c *Counter - entropy.Depleted(func(seed *[48]byte) { - c = NewCounter(seed) - }) - return c - }, -} - -// Read fills b with cryptographically secure random bytes. In FIPS mode, it -// uses an SP 800-90A Rev. 1 Deterministic Random Bit Generator (DRBG). -// Otherwise, it uses the operating system's random number generator. -func Read(b []byte) { - if !fips140.Enabled { - sysrand.Read(b) - return - } - - // At every read, 128 random bits from the operating system are mixed as - // additional input, to make the output as strong as non-FIPS randomness. - // This is not credited as entropy for FIPS purposes, as allowed by Section - // 8.7.2: "Note that a DRBG does not rely on additional input to provide - // entropy, even though entropy could be provided in the additional input". - additionalInput := new([SeedSize]byte) - sysrand.Read(additionalInput[:16]) - - drbg := drbgs.Get().(*Counter) - defer drbgs.Put(drbg) - - for len(b) > 0 { - size := min(len(b), maxRequestSize) - if reseedRequired := drbg.Generate(b[:size], additionalInput); reseedRequired { - // See SP 800-90A Rev. 1, Section 9.3.1, Steps 6-8, as explained in - // Section 9.3.2: if Generate reports a reseed is required, the - // additional input is passed to Reseed along with the entropy and - // then nulled before the next Generate call. - entropy.Depleted(func(seed *[48]byte) { - drbg.Reseed(seed, additionalInput) - }) - additionalInput = nil - continue - } - b = b[size:] - } -} - -// DefaultReader is a sentinel type, embedded in the default -// [crypto/rand.Reader], used to recognize it when passed to -// APIs that accept a rand io.Reader. -type DefaultReader interface{ defaultReader() } - -// ReadWithReader uses Reader to fill b with cryptographically secure random -// bytes. It is intended for use in APIs that expose a rand io.Reader. -// -// If Reader is not the default Reader from crypto/rand, -// [randutil.MaybeReadByte] and [fips140.RecordNonApproved] are called. -func ReadWithReader(r io.Reader, b []byte) error { - if _, ok := r.(DefaultReader); ok { - Read(b) - return nil - } - - fips140.RecordNonApproved() - randutil.MaybeReadByte(r) - _, err := io.ReadFull(r, b) - return err -} - -// ReadWithReaderDeterministic is like ReadWithReader, but it doesn't call -// [randutil.MaybeReadByte] on non-default Readers. -func ReadWithReaderDeterministic(r io.Reader, b []byte) error { - if _, ok := r.(DefaultReader); ok { - Read(b) - return nil - } - - fips140.RecordNonApproved() - _, err := io.ReadFull(r, b) - return err -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/ya.make deleted file mode 100644 index 51c5bba5aad..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/drbg/ya.make +++ /dev/null @@ -1,14 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - ctrdrbg.go - rand.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdh/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdh/cast.go deleted file mode 100644 index d63058fdabb..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdh/cast.go +++ /dev/null @@ -1,52 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ecdh - -import ( - "bytes" - "crypto/internal/fips140" - _ "crypto/internal/fips140/check" - "errors" - "sync" -) - -var fipsSelfTest = sync.OnceFunc(func() { - // Per IG D.F, Scenario 2, path (1). - fips140.CAST("KAS-ECC-SSC P-256", func() error { - privateKey := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, - } - publicKey := []byte{ - 0x04, - 0x51, 0x5c, 0x3d, 0x6e, 0xb9, 0xe3, 0x96, 0xb9, - 0x04, 0xd3, 0xfe, 0xca, 0x7f, 0x54, 0xfd, 0xcd, - 0x0c, 0xc1, 0xe9, 0x97, 0xbf, 0x37, 0x5d, 0xca, - 0x51, 0x5a, 0xd0, 0xa6, 0xc3, 0xb4, 0x03, 0x5f, - 0x45, 0x36, 0xbe, 0x3a, 0x50, 0xf3, 0x18, 0xfb, - 0xf9, 0xa5, 0x47, 0x59, 0x02, 0xa2, 0x21, 0x50, - 0x2b, 0xef, 0x0d, 0x57, 0xe0, 0x8c, 0x53, 0xb2, - 0xcc, 0x0a, 0x56, 0xf1, 0x7d, 0x9f, 0x93, 0x54, - } - want := []byte{ - 0xb4, 0xf1, 0xfc, 0xce, 0x40, 0x73, 0x5f, 0x83, - 0x6a, 0xf8, 0xd6, 0x31, 0x2d, 0x24, 0x8d, 0x1a, - 0x83, 0x48, 0x40, 0x56, 0x69, 0xa1, 0x95, 0xfa, - 0xc5, 0x35, 0x04, 0x06, 0xba, 0x76, 0xbc, 0xce, - } - k := &PrivateKey{d: privateKey, pub: PublicKey{curve: p256}} - peer := &PublicKey{curve: p256, q: publicKey} - got, err := ecdh(P256(), k, peer) - if err != nil { - return err - } - if !bytes.Equal(got, want) { - return errors.New("unexpected result") - } - return nil - }) -}) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdh/ecdh.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdh/ecdh.go deleted file mode 100644 index 967032aab28..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdh/ecdh.go +++ /dev/null @@ -1,308 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ecdh - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140/drbg" - "crypto/internal/fips140/nistec" - "crypto/internal/fips140deps/byteorder" - "errors" - "io" - "math/bits" -) - -// PrivateKey and PublicKey are not generic to make it possible to use them -// in other types without instantiating them with a specific point type. -// They are tied to one of the Curve types below through the curveID field. - -// All this is duplicated from crypto/internal/fips/ecdsa, but the standards are -// different and FIPS 140 does not allow reusing keys across them. - -type PrivateKey struct { - pub PublicKey - d []byte // bigmod.(*Nat).Bytes output (fixed length) -} - -func (priv *PrivateKey) Bytes() []byte { - return priv.d -} - -func (priv *PrivateKey) PublicKey() *PublicKey { - return &priv.pub -} - -type PublicKey struct { - curve curveID - q []byte // uncompressed nistec Point.Bytes output -} - -func (pub *PublicKey) Bytes() []byte { - return pub.q -} - -type curveID string - -const ( - p224 curveID = "P-224" - p256 curveID = "P-256" - p384 curveID = "P-384" - p521 curveID = "P-521" -) - -type Curve[P Point[P]] struct { - curve curveID - newPoint func() P - N []byte -} - -// Point is a generic constraint for the [nistec] Point types. -type Point[P any] interface { - *nistec.P224Point | *nistec.P256Point | *nistec.P384Point | *nistec.P521Point - Bytes() []byte - BytesX() ([]byte, error) - SetBytes([]byte) (P, error) - ScalarMult(P, []byte) (P, error) - ScalarBaseMult([]byte) (P, error) -} - -func P224() *Curve[*nistec.P224Point] { - return &Curve[*nistec.P224Point]{ - curve: p224, - newPoint: nistec.NewP224Point, - N: p224Order, - } -} - -var p224Order = []byte{ - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x16, 0xa2, - 0xe0, 0xb8, 0xf0, 0x3e, 0x13, 0xdd, 0x29, 0x45, - 0x5c, 0x5c, 0x2a, 0x3d, -} - -func P256() *Curve[*nistec.P256Point] { - return &Curve[*nistec.P256Point]{ - curve: p256, - newPoint: nistec.NewP256Point, - N: p256Order, - } -} - -var p256Order = []byte{ - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17, 0x9e, 0x84, - 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51, -} - -func P384() *Curve[*nistec.P384Point] { - return &Curve[*nistec.P384Point]{ - curve: p384, - newPoint: nistec.NewP384Point, - N: p384Order, - } -} - -var p384Order = []byte{ - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xc7, 0x63, 0x4d, 0x81, 0xf4, 0x37, 0x2d, 0xdf, - 0x58, 0x1a, 0x0d, 0xb2, 0x48, 0xb0, 0xa7, 0x7a, - 0xec, 0xec, 0x19, 0x6a, 0xcc, 0xc5, 0x29, 0x73, -} - -func P521() *Curve[*nistec.P521Point] { - return &Curve[*nistec.P521Point]{ - curve: p521, - newPoint: nistec.NewP521Point, - N: p521Order, - } -} - -var p521Order = []byte{0x01, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa, - 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, - 0x7f, 0xcc, 0x01, 0x48, 0xf7, 0x09, 0xa5, 0xd0, - 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae, - 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, -} - -// GenerateKey generates a new ECDSA private key pair for the specified curve. -func GenerateKey[P Point[P]](c *Curve[P], rand io.Reader) (*PrivateKey, error) { - fips140.RecordApproved() - // This procedure is equivalent to Key Pair Generation by Testing - // Candidates, specified in NIST SP 800-56A Rev. 3, Section 5.6.1.2.2. - - for { - key := make([]byte, len(c.N)) - if err := drbg.ReadWithReader(rand, key); err != nil { - return nil, err - } - // In tests, rand will return all zeros and NewPrivateKey will reject - // the zero key as it generates the identity as a public key. This also - // makes this function consistent with crypto/elliptic.GenerateKey. - key[1] ^= 0x42 - - // Mask off any excess bits if the size of the underlying field is not a - // whole number of bytes, which is only the case for P-521. - if c.curve == p521 && c.N[0]&0b1111_1110 == 0 { - key[0] &= 0b0000_0001 - } - - privateKey, err := NewPrivateKey(c, key) - if err != nil { - continue - } - - // A "Pairwise Consistency Test" makes no sense if we just generated the - // public key from an ephemeral private key. Moreover, there is no way to - // check it aside from redoing the exact same computation again. SP 800-56A - // Rev. 3, Section 5.6.2.1.4 acknowledges that, and doesn't require it. - // However, ISO 19790:2012, Section 7.10.3.3 has a blanket requirement for a - // PCT for all generated keys (AS10.35) and FIPS 140-3 IG 10.3.A, Additional - // Comment 1 goes out of its way to say that "the PCT shall be performed - // consistent [...], even if the underlying standard does not require a - // PCT". So we do it. And make ECDH nearly 50% slower (only) in FIPS mode. - fips140.PCT("ECDH PCT", func() error { - p1, err := c.newPoint().ScalarBaseMult(privateKey.d) - if err != nil { - return err - } - if !bytes.Equal(p1.Bytes(), privateKey.pub.q) { - return errors.New("crypto/ecdh: public key does not match private key") - } - return nil - }) - - return privateKey, nil - } -} - -func NewPrivateKey[P Point[P]](c *Curve[P], key []byte) (*PrivateKey, error) { - // SP 800-56A Rev. 3, Section 5.6.1.2.2 checks that c <= n – 2 and then - // returns d = c + 1. Note that it follows that 0 < d < n. Equivalently, - // we check that 0 < d < n, and return d. - if len(key) != len(c.N) || isZero(key) || !isLess(key, c.N) { - return nil, errors.New("crypto/ecdh: invalid private key") - } - - p, err := c.newPoint().ScalarBaseMult(key) - if err != nil { - // This is unreachable because the only error condition of - // ScalarBaseMult is if the input is not the right size. - panic("crypto/ecdh: internal error: nistec ScalarBaseMult failed for a fixed-size input") - } - - publicKey := p.Bytes() - if len(publicKey) == 1 { - // The encoding of the identity is a single 0x00 byte. This is - // unreachable because the only scalar that generates the identity is - // zero, which is rejected above. - panic("crypto/ecdh: internal error: public key is the identity element") - } - - k := &PrivateKey{d: bytes.Clone(key), pub: PublicKey{curve: c.curve, q: publicKey}} - return k, nil -} - -func NewPublicKey[P Point[P]](c *Curve[P], key []byte) (*PublicKey, error) { - // Reject the point at infinity and compressed encodings. - if len(key) == 0 || key[0] != 4 { - return nil, errors.New("crypto/ecdh: invalid public key") - } - - // SetBytes checks that x and y are in the interval [0, p - 1], and that - // the point is on the curve. Along with the rejection of the point at - // infinity (the identity element) above, this fulfills the requirements - // of NIST SP 800-56A Rev. 3, Section 5.6.2.3.4. - if _, err := c.newPoint().SetBytes(key); err != nil { - return nil, err - } - - return &PublicKey{curve: c.curve, q: bytes.Clone(key)}, nil -} - -func ECDH[P Point[P]](c *Curve[P], k *PrivateKey, peer *PublicKey) ([]byte, error) { - fipsSelfTest() - fips140.RecordApproved() - return ecdh(c, k, peer) -} - -func ecdh[P Point[P]](c *Curve[P], k *PrivateKey, peer *PublicKey) ([]byte, error) { - if c.curve != k.pub.curve { - return nil, errors.New("crypto/ecdh: mismatched curves") - } - if k.pub.curve != peer.curve { - return nil, errors.New("crypto/ecdh: mismatched curves") - } - - // This applies the Shared Secret Computation of the Ephemeral Unified Model - // scheme specified in NIST SP 800-56A Rev. 3, Section 6.1.2.2. - - // Per Section 5.6.2.3.4, Step 1, reject the identity element (0x00). - if len(k.pub.q) == 1 { - return nil, errors.New("crypto/ecdh: public key is the identity element") - } - - // SetBytes checks that (x, y) are reduced modulo p, and that they are on - // the curve, performing Steps 2-3 of Section 5.6.2.3.4. - p, err := c.newPoint().SetBytes(peer.q) - if err != nil { - return nil, err - } - - // Compute P according to Section 5.7.1.2. - if _, err := p.ScalarMult(p, k.d); err != nil { - return nil, err - } - - // BytesX checks that the result is not the identity element, and returns the - // x-coordinate of the result, performing Steps 2-5 of Section 5.7.1.2. - return p.BytesX() -} - -// isZero reports whether x is all zeroes in constant time. -func isZero(x []byte) bool { - var acc byte - for _, b := range x { - acc |= b - } - return acc == 0 -} - -// isLess reports whether a < b, where a and b are big-endian buffers of the -// same length and shorter than 72 bytes. -func isLess(a, b []byte) bool { - if len(a) != len(b) { - panic("crypto/ecdh: internal error: mismatched isLess inputs") - } - - // Copy the values into a fixed-size preallocated little-endian buffer. - // 72 bytes is enough for every scalar in this package, and having a fixed - // size lets us avoid heap allocations. - if len(a) > 72 { - panic("crypto/ecdh: internal error: isLess input too large") - } - bufA, bufB := make([]byte, 72), make([]byte, 72) - for i := range a { - bufA[i], bufB[i] = a[len(a)-i-1], b[len(b)-i-1] - } - - // Perform a subtraction with borrow. - var borrow uint64 - for i := 0; i < len(bufA); i += 8 { - limbA, limbB := byteorder.LEUint64(bufA[i:]), byteorder.LEUint64(bufB[i:]) - _, borrow = bits.Sub64(limbA, limbB, borrow) - } - - // If there is a borrow at the end of the operation, then a < b. - return borrow == 1 -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdh/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdh/ya.make deleted file mode 100644 index 04907cf5276..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdh/ya.make +++ /dev/null @@ -1,13 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - ecdh.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/cast.go deleted file mode 100644 index 6bc9fd1f46d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/cast.go +++ /dev/null @@ -1,136 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ecdsa - -import ( - "bytes" - "crypto/internal/fips140" - _ "crypto/internal/fips140/check" - "crypto/internal/fips140/sha512" - "errors" - "sync" -) - -func testPrivateKey() *PrivateKey { - // https://www.rfc-editor.org/rfc/rfc9500.html#section-2.3 - return &PrivateKey{ - pub: PublicKey{ - curve: p256, - q: []byte{ - 0x04, - 0x42, 0x25, 0x48, 0xF8, 0x8F, 0xB7, 0x82, 0xFF, - 0xB5, 0xEC, 0xA3, 0x74, 0x44, 0x52, 0xC7, 0x2A, - 0x1E, 0x55, 0x8F, 0xBD, 0x6F, 0x73, 0xBE, 0x5E, - 0x48, 0xE9, 0x32, 0x32, 0xCC, 0x45, 0xC5, 0xB1, - 0x6C, 0x4C, 0xD1, 0x0C, 0x4C, 0xB8, 0xD5, 0xB8, - 0xA1, 0x71, 0x39, 0xE9, 0x48, 0x82, 0xC8, 0x99, - 0x25, 0x72, 0x99, 0x34, 0x25, 0xF4, 0x14, 0x19, - 0xAB, 0x7E, 0x90, 0xA4, 0x2A, 0x49, 0x42, 0x72}, - }, - d: []byte{ - 0xE6, 0xCB, 0x5B, 0xDD, 0x80, 0xAA, 0x45, 0xAE, - 0x9C, 0x95, 0xE8, 0xC1, 0x54, 0x76, 0x67, 0x9F, - 0xFE, 0xC9, 0x53, 0xC1, 0x68, 0x51, 0xE7, 0x11, - 0xE7, 0x43, 0x93, 0x95, 0x89, 0xC6, 0x4F, 0xC1, - }, - } -} - -func testHash() []byte { - return []byte{ - 0x17, 0x1b, 0x1f, 0x5e, 0x9f, 0x8f, 0x8c, 0x5c, - 0x42, 0xe8, 0x06, 0x59, 0x7b, 0x54, 0xc7, 0xb4, - 0x49, 0x05, 0xa1, 0xdb, 0x3a, 0x3c, 0x31, 0xd3, - 0xb7, 0x56, 0x45, 0x8c, 0xc2, 0xd6, 0x88, 0x62, - 0x9e, 0xd6, 0x7b, 0x9b, 0x25, 0x68, 0xd6, 0xc6, - 0x18, 0x94, 0x1e, 0xfe, 0xe3, 0x33, 0x78, 0xa6, - 0xe1, 0xce, 0x13, 0x88, 0x81, 0x26, 0x02, 0x52, - 0xdf, 0xc2, 0x0a, 0xf2, 0x67, 0x49, 0x0a, 0x20, - } -} - -func fipsPCT[P Point[P]](c *Curve[P], k *PrivateKey) { - fips140.PCT("ECDSA PCT", func() error { - hash := testHash() - drbg := newDRBG(sha512.New, k.d, bits2octets(P256(), hash), nil) - sig, err := sign(c, k, drbg, hash) - if err != nil { - return err - } - return Verify(c, &k.pub, hash, sig) - }) -} - -var fipsSelfTest = sync.OnceFunc(func() { - fips140.CAST("ECDSA P-256 SHA2-512 sign and verify", func() error { - k := testPrivateKey() - Z := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - } - persStr := []byte{ - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, - } - hash := testHash() - want := &Signature{ - R: []byte{ - 0x33, 0x64, 0x96, 0xff, 0x8a, 0xfe, 0xaa, 0x0b, - 0x2c, 0x4a, 0x1a, 0x97, 0x77, 0xcc, 0x84, 0xa5, - 0x7e, 0x88, 0x1f, 0x16, 0x2d, 0xe0, 0x29, 0xf7, - 0x62, 0xc2, 0x34, 0x18, 0x10, 0x9c, 0x69, 0x8a, - }, S: []byte{ - 0x97, 0x53, 0x2e, 0x13, 0x6e, 0xd0, 0x9b, 0x30, - 0x8a, 0xdf, 0x4f, 0xe0, 0x54, 0x82, 0x14, 0x83, - 0x5e, 0x93, 0xc7, 0x79, 0x4b, 0x18, 0xa3, 0xf1, - 0x8a, 0x60, 0xae, 0x52, 0x31, 0xe4, 0x2e, 0x4e, - }, - } - drbg := newDRBG(sha512.New, Z, nil, plainPersonalizationString(persStr)) - got, err := sign(P256(), k, drbg, hash) - if err != nil { - return err - } - if err := verify(P256(), &k.pub, hash, got); err != nil { - return err - } - if !bytes.Equal(got.R, want.R) || !bytes.Equal(got.S, want.S) { - return errors.New("unexpected result") - } - return nil - }) -}) - -var fipsSelfTestDeterministic = sync.OnceFunc(func() { - fips140.CAST("DetECDSA P-256 SHA2-512 sign", func() error { - k := testPrivateKey() - hash := testHash() - want := &Signature{ - R: []byte{ - 0x9f, 0xc3, 0x83, 0x32, 0x6e, 0xd9, 0x4f, 0x8e, - 0x24, 0xa0, 0x19, 0xef, 0x1d, 0x3a, 0xc3, 0x55, - 0xdd, 0x4b, 0x98, 0xae, 0x78, 0xa7, 0xaf, 0xd3, - 0xfd, 0xf3, 0x22, 0x1c, 0x8b, 0xd6, 0x11, 0x7b, - }, S: []byte{ - 0xd6, 0x52, 0x87, 0x41, 0x71, 0xbd, 0x66, 0xd1, - 0xaf, 0x6c, 0x61, 0xdd, 0xd8, 0xa7, 0xbb, 0xd2, - 0xf7, 0xd5, 0x47, 0x70, 0xe9, 0xe4, 0xac, 0x0a, - 0xb9, 0xfa, 0x0f, 0xbd, 0x3b, 0x9b, 0xc2, 0xfe, - }, - } - drbg := newDRBG(sha512.New, k.d, bits2octets(P256(), hash), nil) - got, err := sign(P256(), k, drbg, hash) - if err != nil { - return err - } - if err := verify(P256(), &k.pub, hash, got); err != nil { - return err - } - if !bytes.Equal(got.R, want.R) || !bytes.Equal(got.S, want.S) { - return errors.New("unexpected result") - } - return nil - }) -}) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa.go deleted file mode 100644 index 81179de4f4e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa.go +++ /dev/null @@ -1,496 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ecdsa - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140/bigmod" - "crypto/internal/fips140/drbg" - "crypto/internal/fips140/nistec" - "errors" - "hash" - "io" - "sync" -) - -// PrivateKey and PublicKey are not generic to make it possible to use them -// in other types without instantiating them with a specific point type. -// They are tied to one of the Curve types below through the curveID field. - -type PrivateKey struct { - pub PublicKey - d []byte // bigmod.(*Nat).Bytes output (same length as the curve order) -} - -func (priv *PrivateKey) Bytes() []byte { - return priv.d -} - -func (priv *PrivateKey) PublicKey() *PublicKey { - return &priv.pub -} - -type PublicKey struct { - curve curveID - q []byte // uncompressed nistec Point.Bytes output -} - -func (pub *PublicKey) Bytes() []byte { - return pub.q -} - -type curveID string - -const ( - p224 curveID = "P-224" - p256 curveID = "P-256" - p384 curveID = "P-384" - p521 curveID = "P-521" -) - -type Curve[P Point[P]] struct { - curve curveID - newPoint func() P - ordInverse func([]byte) ([]byte, error) - N *bigmod.Modulus - nMinus2 []byte -} - -// Point is a generic constraint for the [nistec] Point types. -type Point[P any] interface { - *nistec.P224Point | *nistec.P256Point | *nistec.P384Point | *nistec.P521Point - Bytes() []byte - BytesX() ([]byte, error) - SetBytes([]byte) (P, error) - ScalarMult(P, []byte) (P, error) - ScalarBaseMult([]byte) (P, error) - Add(p1, p2 P) P -} - -func precomputeParams[P Point[P]](c *Curve[P], order []byte) { - var err error - c.N, err = bigmod.NewModulus(order) - if err != nil { - panic(err) - } - two, _ := bigmod.NewNat().SetBytes([]byte{2}, c.N) - c.nMinus2 = bigmod.NewNat().ExpandFor(c.N).Sub(two, c.N).Bytes(c.N) -} - -func P224() *Curve[*nistec.P224Point] { return _P224() } - -var _P224 = sync.OnceValue(func() *Curve[*nistec.P224Point] { - c := &Curve[*nistec.P224Point]{ - curve: p224, - newPoint: nistec.NewP224Point, - } - precomputeParams(c, p224Order) - return c -}) - -var p224Order = []byte{ - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x16, 0xa2, - 0xe0, 0xb8, 0xf0, 0x3e, 0x13, 0xdd, 0x29, 0x45, - 0x5c, 0x5c, 0x2a, 0x3d, -} - -func P256() *Curve[*nistec.P256Point] { return _P256() } - -var _P256 = sync.OnceValue(func() *Curve[*nistec.P256Point] { - c := &Curve[*nistec.P256Point]{ - curve: p256, - newPoint: nistec.NewP256Point, - ordInverse: nistec.P256OrdInverse, - } - precomputeParams(c, p256Order) - return c -}) - -var p256Order = []byte{ - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17, 0x9e, 0x84, - 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51} - -func P384() *Curve[*nistec.P384Point] { return _P384() } - -var _P384 = sync.OnceValue(func() *Curve[*nistec.P384Point] { - c := &Curve[*nistec.P384Point]{ - curve: p384, - newPoint: nistec.NewP384Point, - } - precomputeParams(c, p384Order) - return c -}) - -var p384Order = []byte{ - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xc7, 0x63, 0x4d, 0x81, 0xf4, 0x37, 0x2d, 0xdf, - 0x58, 0x1a, 0x0d, 0xb2, 0x48, 0xb0, 0xa7, 0x7a, - 0xec, 0xec, 0x19, 0x6a, 0xcc, 0xc5, 0x29, 0x73} - -func P521() *Curve[*nistec.P521Point] { return _P521() } - -var _P521 = sync.OnceValue(func() *Curve[*nistec.P521Point] { - c := &Curve[*nistec.P521Point]{ - curve: p521, - newPoint: nistec.NewP521Point, - } - precomputeParams(c, p521Order) - return c -}) - -var p521Order = []byte{0x01, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa, - 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, - 0x7f, 0xcc, 0x01, 0x48, 0xf7, 0x09, 0xa5, 0xd0, - 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae, - 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09} - -func NewPrivateKey[P Point[P]](c *Curve[P], D, Q []byte) (*PrivateKey, error) { - fips140.RecordApproved() - pub, err := NewPublicKey(c, Q) - if err != nil { - return nil, err - } - d, err := bigmod.NewNat().SetBytes(D, c.N) - if err != nil { - return nil, err - } - priv := &PrivateKey{pub: *pub, d: d.Bytes(c.N)} - return priv, nil -} - -func NewPublicKey[P Point[P]](c *Curve[P], Q []byte) (*PublicKey, error) { - // SetBytes checks that Q is a valid point on the curve, and that its - // coordinates are reduced modulo p, fulfilling the requirements of SP - // 800-89, Section 5.3.2. - _, err := c.newPoint().SetBytes(Q) - if err != nil { - return nil, err - } - return &PublicKey{curve: c.curve, q: Q}, nil -} - -// GenerateKey generates a new ECDSA private key pair for the specified curve. -func GenerateKey[P Point[P]](c *Curve[P], rand io.Reader) (*PrivateKey, error) { - fips140.RecordApproved() - - k, Q, err := randomPoint(c, func(b []byte) error { - return drbg.ReadWithReader(rand, b) - }) - if err != nil { - return nil, err - } - - priv := &PrivateKey{ - pub: PublicKey{ - curve: c.curve, - q: Q.Bytes(), - }, - d: k.Bytes(c.N), - } - fipsPCT(c, priv) - return priv, nil -} - -// randomPoint returns a random scalar and the corresponding point using a -// procedure equivalent to FIPS 186-5, Appendix A.2.2 (ECDSA Key Pair Generation -// by Rejection Sampling) and to Appendix A.3.2 (Per-Message Secret Number -// Generation of Private Keys by Rejection Sampling) or Appendix A.3.3 -// (Per-Message Secret Number Generation for Deterministic ECDSA) followed by -// Step 5 of Section 6.4.1. -func randomPoint[P Point[P]](c *Curve[P], generate func([]byte) error) (k *bigmod.Nat, p P, err error) { - for { - b := make([]byte, c.N.Size()) - if err := generate(b); err != nil { - return nil, nil, err - } - - // Take only the leftmost bits of the generated random value. This is - // both necessary to increase the chance of the random value being in - // the correct range and to match the specification. It's unfortunate - // that we need to do a shift instead of a mask, but see the comment on - // rightShift. - // - // These are the most dangerous lines in the package and maybe in the - // library: a single bit of bias in the selection of nonces would likely - // lead to key recovery, but no tests would fail. Look but DO NOT TOUCH. - if excess := len(b)*8 - c.N.BitLen(); excess > 0 { - // Just to be safe, assert that this only happens for the one curve that - // doesn't have a round number of bits. - if c.curve != p521 { - panic("ecdsa: internal error: unexpectedly masking off bits") - } - b = rightShift(b, excess) - } - - // FIPS 186-5, Appendix A.4.2 makes us check x <= N - 2 and then return - // x + 1. Note that it follows that 0 < x + 1 < N. Instead, SetBytes - // checks that k < N, and we explicitly check 0 != k. Since k can't be - // negative, this is strictly equivalent. None of this matters anyway - // because the chance of selecting zero is cryptographically negligible. - if k, err := bigmod.NewNat().SetBytes(b, c.N); err == nil && k.IsZero() == 0 { - p, err := c.newPoint().ScalarBaseMult(k.Bytes(c.N)) - return k, p, err - } - - if testingOnlyRejectionSamplingLooped != nil { - testingOnlyRejectionSamplingLooped() - } - } -} - -// testingOnlyRejectionSamplingLooped is called when rejection sampling in -// randomPoint rejects a candidate for being higher than the modulus. -var testingOnlyRejectionSamplingLooped func() - -// Signature is an ECDSA signature, where r and s are represented as big-endian -// byte slices of the same length as the curve order. -type Signature struct { - R, S []byte -} - -// Sign signs a hash (which shall be the result of hashing a larger message with -// the hash function H) using the private key, priv. If the hash is longer than -// the bit-length of the private key's curve order, the hash will be truncated -// to that length. -func Sign[P Point[P], H hash.Hash](c *Curve[P], h func() H, priv *PrivateKey, rand io.Reader, hash []byte) (*Signature, error) { - if priv.pub.curve != c.curve { - return nil, errors.New("ecdsa: private key does not match curve") - } - fips140.RecordApproved() - fipsSelfTest() - - // Random ECDSA is dangerous, because a failure of the RNG would immediately - // leak the private key. Instead, we use a "hedged" approach, as specified - // in draft-irtf-cfrg-det-sigs-with-noise-04, Section 4. This has also the - // advantage of closely resembling Deterministic ECDSA. - - Z := make([]byte, len(priv.d)) - if err := drbg.ReadWithReader(rand, Z); err != nil { - return nil, err - } - - // See https://github.com/cfrg/draft-irtf-cfrg-det-sigs-with-noise/issues/6 - // for the FIPS compliance of this method. In short Z is entropy from the - // main DRBG, of length 3/2 of security_strength, so the nonce is optional - // per SP 800-90Ar1, Section 8.6.7, and the rest is a personalization - // string, which per SP 800-90Ar1, Section 8.7.1 may contain secret - // information. - drbg := newDRBG(h, Z, nil, blockAlignedPersonalizationString{priv.d, bits2octets(c, hash)}) - - return sign(c, priv, drbg, hash) -} - -// SignDeterministic signs a hash (which shall be the result of hashing a -// larger message with the hash function H) using the private key, priv. If the -// hash is longer than the bit-length of the private key's curve order, the hash -// will be truncated to that length. This applies Deterministic ECDSA as -// specified in FIPS 186-5 and RFC 6979. -func SignDeterministic[P Point[P], H hash.Hash](c *Curve[P], h func() H, priv *PrivateKey, hash []byte) (*Signature, error) { - if priv.pub.curve != c.curve { - return nil, errors.New("ecdsa: private key does not match curve") - } - fips140.RecordApproved() - fipsSelfTestDeterministic() - drbg := newDRBG(h, priv.d, bits2octets(c, hash), nil) // RFC 6979, Section 3.3 - return sign(c, priv, drbg, hash) -} - -// bits2octets as specified in FIPS 186-5, Appendix B.2.4 or RFC 6979, -// Section 2.3.4. See RFC 6979, Section 3.5 for the rationale. -func bits2octets[P Point[P]](c *Curve[P], hash []byte) []byte { - e := bigmod.NewNat() - hashToNat(c, e, hash) - return e.Bytes(c.N) -} - -func signGeneric[P Point[P]](c *Curve[P], priv *PrivateKey, drbg *hmacDRBG, hash []byte) (*Signature, error) { - // FIPS 186-5, Section 6.4.1 - - k, R, err := randomPoint(c, func(b []byte) error { - drbg.Generate(b) - return nil - }) - if err != nil { - return nil, err - } - - // kInv = k⁻¹ - kInv := bigmod.NewNat() - inverse(c, kInv, k) - - Rx, err := R.BytesX() - if err != nil { - return nil, err - } - r, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N) - if err != nil { - return nil, err - } - - // The spec wants us to retry here, but the chance of hitting this condition - // on a large prime-order group like the NIST curves we support is - // cryptographically negligible. If we hit it, something is awfully wrong. - if r.IsZero() == 1 { - return nil, errors.New("ecdsa: internal error: r is zero") - } - - e := bigmod.NewNat() - hashToNat(c, e, hash) - - s, err := bigmod.NewNat().SetBytes(priv.d, c.N) - if err != nil { - return nil, err - } - s.Mul(r, c.N) - s.Add(e, c.N) - s.Mul(kInv, c.N) - - // Again, the chance of this happening is cryptographically negligible. - if s.IsZero() == 1 { - return nil, errors.New("ecdsa: internal error: s is zero") - } - - return &Signature{r.Bytes(c.N), s.Bytes(c.N)}, nil -} - -// inverse sets kInv to the inverse of k modulo the order of the curve. -func inverse[P Point[P]](c *Curve[P], kInv, k *bigmod.Nat) { - if c.ordInverse != nil { - kBytes, err := c.ordInverse(k.Bytes(c.N)) - // Some platforms don't implement ordInverse, and always return an error. - if err == nil { - _, err := kInv.SetBytes(kBytes, c.N) - if err != nil { - panic("ecdsa: internal error: ordInverse produced an invalid value") - } - return - } - } - - // Calculate the inverse of s in GF(N) using Fermat's method - // (exponentiation modulo P - 2, per Euler's theorem) - kInv.Exp(k, c.nMinus2, c.N) -} - -// hashToNat sets e to the left-most bits of hash, according to -// FIPS 186-5, Section 6.4.1, point 2 and Section 6.4.2, point 3. -func hashToNat[P Point[P]](c *Curve[P], e *bigmod.Nat, hash []byte) { - // ECDSA asks us to take the left-most log2(N) bits of hash, and use them as - // an integer modulo N. This is the absolute worst of all worlds: we still - // have to reduce, because the result might still overflow N, but to take - // the left-most bits for P-521 we have to do a right shift. - if size := c.N.Size(); len(hash) >= size { - hash = hash[:size] - if excess := len(hash)*8 - c.N.BitLen(); excess > 0 { - hash = rightShift(hash, excess) - } - } - _, err := e.SetOverflowingBytes(hash, c.N) - if err != nil { - panic("ecdsa: internal error: truncated hash is too long") - } -} - -// rightShift implements the right shift necessary for bits2int, which takes the -// leftmost bits of either the hash or HMAC_DRBG output. -// -// Note how taking the rightmost bits would have been as easy as masking the -// first byte, but we can't have nice things. -func rightShift(b []byte, shift int) []byte { - if shift <= 0 || shift >= 8 { - panic("ecdsa: internal error: shift can only be by 1 to 7 bits") - } - b = bytes.Clone(b) - for i := len(b) - 1; i >= 0; i-- { - b[i] >>= shift - if i > 0 { - b[i] |= b[i-1] << (8 - shift) - } - } - return b -} - -// Verify verifies the signature, sig, of hash (which should be the result of -// hashing a larger message) using the public key, pub. If the hash is longer -// than the bit-length of the private key's curve order, the hash will be -// truncated to that length. -// -// The inputs are not considered confidential, and may leak through timing side -// channels, or if an attacker has control of part of the inputs. -func Verify[P Point[P]](c *Curve[P], pub *PublicKey, hash []byte, sig *Signature) error { - if pub.curve != c.curve { - return errors.New("ecdsa: public key does not match curve") - } - fips140.RecordApproved() - fipsSelfTest() - return verify(c, pub, hash, sig) -} - -func verifyGeneric[P Point[P]](c *Curve[P], pub *PublicKey, hash []byte, sig *Signature) error { - // FIPS 186-5, Section 6.4.2 - - Q, err := c.newPoint().SetBytes(pub.q) - if err != nil { - return err - } - - r, err := bigmod.NewNat().SetBytes(sig.R, c.N) - if err != nil { - return err - } - if r.IsZero() == 1 { - return errors.New("ecdsa: invalid signature: r is zero") - } - s, err := bigmod.NewNat().SetBytes(sig.S, c.N) - if err != nil { - return err - } - if s.IsZero() == 1 { - return errors.New("ecdsa: invalid signature: s is zero") - } - - e := bigmod.NewNat() - hashToNat(c, e, hash) - - // w = s⁻¹ - w := bigmod.NewNat() - inverse(c, w, s) - - // p₁ = [e * s⁻¹]G - p1, err := c.newPoint().ScalarBaseMult(e.Mul(w, c.N).Bytes(c.N)) - if err != nil { - return err - } - // p₂ = [r * s⁻¹]Q - p2, err := Q.ScalarMult(Q, w.Mul(r, c.N).Bytes(c.N)) - if err != nil { - return err - } - // BytesX returns an error for the point at infinity. - Rx, err := p1.Add(p1, p2).BytesX() - if err != nil { - return err - } - - v, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N) - if err != nil { - return err - } - - if v.Equal(r) != 1 { - return errors.New("ecdsa: signature did not verify") - } - return nil -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa_noasm.go deleted file mode 100644 index ffcc9fa0884..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa_noasm.go +++ /dev/null @@ -1,15 +0,0 @@ -// Copyright 2020 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !s390x || purego - -package ecdsa - -func sign[P Point[P]](c *Curve[P], priv *PrivateKey, drbg *hmacDRBG, hash []byte) (*Signature, error) { - return signGeneric(c, priv, drbg, hash) -} - -func verify[P Point[P]](c *Curve[P], pub *PublicKey, hash []byte, sig *Signature) error { - return verifyGeneric(c, pub, hash, sig) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa_s390x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa_s390x.go deleted file mode 100644 index d0a49cad610..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa_s390x.go +++ /dev/null @@ -1,210 +0,0 @@ -// Copyright 2020 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package ecdsa - -import ( - "crypto/internal/fips140/bigmod" - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" - "errors" -) - -// kdsa invokes the "compute digital signature authentication" -// instruction with the given function code and 4096 byte -// parameter block. -// -// The return value corresponds to the condition code set by the -// instruction. Interrupted invocations are handled by the -// function. -// -//go:noescape -func kdsa(fc uint64, params *[4096]byte) (errn uint64) - -var supportsKDSA = cpu.S390XHasECDSA - -func init() { - // CP Assist for Cryptographic Functions (CPACF) - // https://www.ibm.com/docs/en/zos/3.1.0?topic=icsf-cp-assist-cryptographic-functions-cpacf - impl.Register("ecdsa", "CPACF", &supportsKDSA) -} - -// canUseKDSA checks if KDSA instruction is available, and if it is, it checks -// the name of the curve to see if it matches the curves supported(P-256, P-384, P-521). -// Then, based on the curve name, a function code and a block size will be assigned. -// If KDSA instruction is not available or if the curve is not supported, canUseKDSA -// will set ok to false. -func canUseKDSA(c curveID) (functionCode uint64, blockSize int, ok bool) { - if !supportsKDSA { - return 0, 0, false - } - switch c { - case p256: - return 1, 32, true - case p384: - return 2, 48, true - case p521: - // Note that the block size doesn't match the field size for P-521. - return 3, 80, true - } - return 0, 0, false // A mismatch -} - -func hashToBytes[P Point[P]](c *Curve[P], hash []byte) []byte { - e := bigmod.NewNat() - hashToNat(c, e, hash) - return e.Bytes(c.N) -} - -// randomScalar is a copy of [randomPoint] that doesn't call ScalarBaseMult. -func randomScalar[P Point[P]](c *Curve[P], generate func([]byte) error) (k *bigmod.Nat, err error) { - for { - b := make([]byte, c.N.Size()) - if err := generate(b); err != nil { - return nil, err - } - if excess := len(b)*8 - c.N.BitLen(); excess > 0 { - if c.curve != p521 { - panic("ecdsa: internal error: unexpectedly masking off bits") - } - b = rightShift(b, excess) - } - if k, err := bigmod.NewNat().SetBytes(b, c.N); err == nil && k.IsZero() == 0 { - return k, nil - } - } -} - -func appendBlock(p []byte, blocksize int, b []byte) []byte { - if len(b) > blocksize { - panic("ecdsa: internal error: appendBlock input larger than block") - } - padding := blocksize - len(b) - p = append(p, make([]byte, padding)...) - return append(p, b...) -} - -func trimBlock(p []byte, size int) ([]byte, error) { - for _, b := range p[:len(p)-size] { - if b != 0 { - return nil, errors.New("ecdsa: internal error: KDSA produced invalid signature") - } - } - return p[len(p)-size:], nil -} - -func sign[P Point[P]](c *Curve[P], priv *PrivateKey, drbg *hmacDRBG, hash []byte) (*Signature, error) { - functionCode, blockSize, ok := canUseKDSA(c.curve) - if !ok { - return signGeneric(c, priv, drbg, hash) - } - for { - k, err := randomScalar(c, func(b []byte) error { - drbg.Generate(b) - return nil - }) - if err != nil { - return nil, err - } - - // The parameter block looks like the following for sign. - // +---------------------+ - // | Signature(R) | - // +---------------------+ - // | Signature(S) | - // +---------------------+ - // | Hashed Message | - // +---------------------+ - // | Private Key | - // +---------------------+ - // | Random Number | - // +---------------------+ - // | | - // | ... | - // | | - // +---------------------+ - // The common components(signatureR, signatureS, hashedMessage, privateKey and - // random number) each takes block size of bytes. The block size is different for - // different curves and is set by canUseKDSA function. - var params [4096]byte - - // Copy content into the parameter block. In the sign case, - // we copy hashed message, private key and random number into - // the parameter block. We skip the signature slots. - p := params[:2*blockSize] - p = appendBlock(p, blockSize, hashToBytes(c, hash)) - p = appendBlock(p, blockSize, priv.d) - p = appendBlock(p, blockSize, k.Bytes(c.N)) - // Convert verify function code into a sign function code by adding 8. - // We also need to set the 'deterministic' bit in the function code, by - // adding 128, in order to stop the instruction using its own random number - // generator in addition to the random number we supply. - switch kdsa(functionCode+136, ¶ms) { - case 0: // success - elementSize := (c.N.BitLen() + 7) / 8 - r, err := trimBlock(params[:blockSize], elementSize) - if err != nil { - return nil, err - } - s, err := trimBlock(params[blockSize:2*blockSize], elementSize) - if err != nil { - return nil, err - } - return &Signature{R: r, S: s}, nil - case 1: // error - return nil, errors.New("zero parameter") - case 2: // retry - continue - } - } -} - -func verify[P Point[P]](c *Curve[P], pub *PublicKey, hash []byte, sig *Signature) error { - functionCode, blockSize, ok := canUseKDSA(c.curve) - if !ok { - return verifyGeneric(c, pub, hash, sig) - } - - r, s := sig.R, sig.S - if len(r) > blockSize || len(s) > blockSize { - return errors.New("invalid signature") - } - - // The parameter block looks like the following for verify: - // +---------------------+ - // | Signature(R) | - // +---------------------+ - // | Signature(S) | - // +---------------------+ - // | Hashed Message | - // +---------------------+ - // | Public Key X | - // +---------------------+ - // | Public Key Y | - // +---------------------+ - // | | - // | ... | - // | | - // +---------------------+ - // The common components(signatureR, signatureS, hashed message, public key X, - // and public key Y) each takes block size of bytes. The block size is different for - // different curves and is set by canUseKDSA function. - var params [4096]byte - - // Copy content into the parameter block. In the verify case, - // we copy signature (r), signature(s), hashed message, public key x component, - // and public key y component into the parameter block. - p := params[:0] - p = appendBlock(p, blockSize, r) - p = appendBlock(p, blockSize, s) - p = appendBlock(p, blockSize, hashToBytes(c, hash)) - p = appendBlock(p, blockSize, pub.q[1:1+len(pub.q)/2]) - p = appendBlock(p, blockSize, pub.q[1+len(pub.q)/2:]) - if kdsa(functionCode, ¶ms) != 0 { - return errors.New("invalid signature") - } - return nil -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa_s390x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa_s390x.s deleted file mode 100644 index 2aae59c291d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ecdsa_s390x.s +++ /dev/null @@ -1,30 +0,0 @@ -// Copyright 2020 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func kdsa(fc uint64, params *[4096]byte) (errn uint64) -TEXT ·kdsa(SB), NOSPLIT|NOFRAME, $0-24 - MOVD fc+0(FP), R0 // function code - MOVD params+8(FP), R1 // address parameter block - -loop: - KDSA R0, R4 // compute digital signature authentication - BVS loop // branch back if interrupted - BGT retry // signing unsuccessful, but retry with new CSPRN - BLT error // condition code of 1 indicates a failure - -success: - MOVD $0, errn+16(FP) // return 0 - sign/verify was successful - RET - -error: - MOVD $1, errn+16(FP) // return 1 - sign/verify failed - RET - -retry: - MOVD $2, errn+16(FP) // return 2 - sign/verify was unsuccessful -- if sign, retry with new RN - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/hmacdrbg.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/hmacdrbg.go deleted file mode 100644 index 698c23bcda5..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/hmacdrbg.go +++ /dev/null @@ -1,175 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ecdsa - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140/hmac" - "hash" -) - -// hmacDRBG is an SP 800-90A Rev. 1 HMAC_DRBG. -// -// It is only intended to be used to generate ECDSA nonces. Since it will be -// instantiated ex-novo for each signature, its Generate function will only be -// invoked once or twice (only for P-256, with probability 2⁻³²). -// -// Per Table 2, it has a reseed interval of 2^48 requests, and a maximum request -// size of 2^19 bits (2^16 bytes, 64 KiB). -type hmacDRBG struct { - newHMAC func(key []byte) *hmac.HMAC - - hK *hmac.HMAC - V []byte - - reseedCounter uint64 -} - -const ( - reseedInterval = 1 << 48 - maxRequestSize = (1 << 19) / 8 -) - -// plainPersonalizationString is used by HMAC_DRBG as-is. -type plainPersonalizationString []byte - -func (plainPersonalizationString) isPersonalizationString() {} - -// Each entry in blockAlignedPersonalizationString is written to the HMAC at a -// block boundary, as specified in draft-irtf-cfrg-det-sigs-with-noise-04, -// Section 4. -type blockAlignedPersonalizationString [][]byte - -func (blockAlignedPersonalizationString) isPersonalizationString() {} - -type personalizationString interface { - isPersonalizationString() -} - -func newDRBG[H hash.Hash](hash func() H, entropy, nonce []byte, s personalizationString) *hmacDRBG { - // HMAC_DRBG_Instantiate_algorithm, per Section 10.1.2.3. - fips140.RecordApproved() - - d := &hmacDRBG{ - newHMAC: func(key []byte) *hmac.HMAC { - return hmac.New(hash, key) - }, - } - size := hash().Size() - - // K = 0x00 0x00 0x00 ... 0x00 - K := make([]byte, size) - - // V = 0x01 0x01 0x01 ... 0x01 - d.V = bytes.Repeat([]byte{0x01}, size) - - // HMAC_DRBG_Update, per Section 10.1.2.2. - // K = HMAC (K, V || 0x00 || provided_data) - h := hmac.New(hash, K) - h.Write(d.V) - h.Write([]byte{0x00}) - h.Write(entropy) - h.Write(nonce) - switch s := s.(type) { - case plainPersonalizationString: - h.Write(s) - case blockAlignedPersonalizationString: - l := len(d.V) + 1 + len(entropy) + len(nonce) - for _, b := range s { - pad000(h, l) - h.Write(b) - l = len(b) - } - } - K = h.Sum(K[:0]) - // V = HMAC (K, V) - h = hmac.New(hash, K) - h.Write(d.V) - d.V = h.Sum(d.V[:0]) - // K = HMAC (K, V || 0x01 || provided_data). - h.Reset() - h.Write(d.V) - h.Write([]byte{0x01}) - h.Write(entropy) - h.Write(nonce) - switch s := s.(type) { - case plainPersonalizationString: - h.Write(s) - case blockAlignedPersonalizationString: - l := len(d.V) + 1 + len(entropy) + len(nonce) - for _, b := range s { - pad000(h, l) - h.Write(b) - l = len(b) - } - } - K = h.Sum(K[:0]) - // V = HMAC (K, V) - h = hmac.New(hash, K) - h.Write(d.V) - d.V = h.Sum(d.V[:0]) - - d.hK = h - d.reseedCounter = 1 - return d -} - -// TestingOnlyNewDRBG creates an SP 800-90A Rev. 1 HMAC_DRBG with a plain -// personalization string. -// -// This should only be used for ACVP testing. hmacDRBG is not intended to be -// used directly. -func TestingOnlyNewDRBG[H hash.Hash](hash func() H, entropy, nonce []byte, s []byte) *hmacDRBG { - return newDRBG(hash, entropy, nonce, plainPersonalizationString(s)) -} - -func pad000(h *hmac.HMAC, writtenSoFar int) { - blockSize := h.BlockSize() - if rem := writtenSoFar % blockSize; rem != 0 { - h.Write(make([]byte, blockSize-rem)) - } -} - -// Generate produces at most maxRequestSize bytes of random data in out. -func (d *hmacDRBG) Generate(out []byte) { - // HMAC_DRBG_Generate_algorithm, per Section 10.1.2.5. - fips140.RecordApproved() - - if len(out) > maxRequestSize { - panic("ecdsa: internal error: request size exceeds maximum") - } - - if d.reseedCounter > reseedInterval { - panic("ecdsa: reseed interval exceeded") - } - - tlen := 0 - for tlen < len(out) { - // V = HMAC_K(V) - // T = T || V - d.hK.Reset() - d.hK.Write(d.V) - d.V = d.hK.Sum(d.V[:0]) - tlen += copy(out[tlen:], d.V) - } - - // Note that if this function shows up on ECDSA-level profiles, this can be - // optimized in the common case by deferring the rest to the next Generate - // call, which will never come in nearly all cases. - - // HMAC_DRBG_Update, per Section 10.1.2.2, without provided_data. - // K = HMAC (K, V || 0x00) - d.hK.Reset() - d.hK.Write(d.V) - d.hK.Write([]byte{0x00}) - K := d.hK.Sum(nil) - // V = HMAC (K, V) - d.hK = d.newHMAC(K) - d.hK.Write(d.V) - d.V = d.hK.Sum(d.V[:0]) - - d.reseedCounter++ -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ya.make deleted file mode 100644 index 246ff64e3a5..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ecdsa/ya.make +++ /dev/null @@ -1,15 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - ecdsa.go - ecdsa_noasm.go - hmacdrbg.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ed25519/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/ed25519/cast.go deleted file mode 100644 index 2a3426bd42f..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ed25519/cast.go +++ /dev/null @@ -1,76 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ed25519 - -import ( - "bytes" - "crypto/internal/fips140" - _ "crypto/internal/fips140/check" - "errors" - "sync" -) - -func fipsPCT(k *PrivateKey) { - fips140.PCT("Ed25519 sign and verify PCT", func() error { - return pairwiseTest(k) - }) -} - -// pairwiseTest needs to be a top-level function declaration to let the calls -// inline and their allocations not escape. -func pairwiseTest(k *PrivateKey) error { - msg := []byte("PCT") - sig := Sign(k, msg) - // Note that this runs pub.a.SetBytes. If we wanted to make key generation - // in FIPS mode faster, we could reuse A from GenerateKey. But another thing - // that could make it faster is just _not doing a useless self-test_. - pub, err := NewPublicKey(k.PublicKey()) - if err != nil { - return err - } - return Verify(pub, msg, sig) -} - -func signWithoutSelfTest(priv *PrivateKey, message []byte) []byte { - signature := make([]byte, signatureSize) - return signWithDom(signature, priv, message, domPrefixPure, "") -} - -func verifyWithoutSelfTest(pub *PublicKey, message, sig []byte) error { - return verifyWithDom(pub, message, sig, domPrefixPure, "") -} - -var fipsSelfTest = sync.OnceFunc(func() { - fips140.CAST("Ed25519 sign and verify", func() error { - seed := [32]byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, - } - msg := []byte("CAST") - want := []byte{ - 0xbd, 0xe7, 0xa5, 0xf3, 0x40, 0x73, 0xb9, 0x5a, - 0x2e, 0x6d, 0x63, 0x20, 0x0a, 0xd5, 0x92, 0x9b, - 0xa2, 0x3d, 0x00, 0x44, 0xb4, 0xc5, 0xfd, 0x62, - 0x1d, 0x5e, 0x33, 0x2f, 0xe4, 0x61, 0x42, 0x31, - 0x5b, 0x10, 0x53, 0x13, 0x4d, 0xcb, 0xd1, 0x1b, - 0x2a, 0xf6, 0xcd, 0x0e, 0xdb, 0x9a, 0xd3, 0x1e, - 0x35, 0xdb, 0x0b, 0xcf, 0x58, 0x90, 0x4f, 0xd7, - 0x69, 0x38, 0xed, 0x30, 0x51, 0x0f, 0xaa, 0x03, - } - k := &PrivateKey{seed: seed} - precomputePrivateKey(k) - pub, err := NewPublicKey(k.PublicKey()) - if err != nil { - return err - } - sig := signWithoutSelfTest(k, msg) - if !bytes.Equal(sig, want) { - return errors.New("unexpected result") - } - return verifyWithoutSelfTest(pub, msg, sig) - }) -}) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ed25519/ed25519.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/ed25519/ed25519.go deleted file mode 100644 index 8beda341d94..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ed25519/ed25519.go +++ /dev/null @@ -1,328 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ed25519 - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140/drbg" - "crypto/internal/fips140/edwards25519" - "crypto/internal/fips140/sha512" - "errors" - "strconv" -) - -// See https://blog.mozilla.org/warner/2011/11/29/ed25519-keys/ for the -// components of the keys and the moving parts of the algorithm. - -const ( - seedSize = 32 - publicKeySize = 32 - privateKeySize = seedSize + publicKeySize - signatureSize = 64 - sha512Size = 64 -) - -type PrivateKey struct { - seed [seedSize]byte - pub [publicKeySize]byte - s edwards25519.Scalar - prefix [sha512Size / 2]byte -} - -func (priv *PrivateKey) Bytes() []byte { - k := make([]byte, 0, privateKeySize) - k = append(k, priv.seed[:]...) - k = append(k, priv.pub[:]...) - return k -} - -func (priv *PrivateKey) Seed() []byte { - seed := priv.seed - return seed[:] -} - -func (priv *PrivateKey) PublicKey() []byte { - pub := priv.pub - return pub[:] -} - -type PublicKey struct { - a edwards25519.Point - aBytes [32]byte -} - -func (pub *PublicKey) Bytes() []byte { - a := pub.aBytes - return a[:] -} - -// GenerateKey generates a new Ed25519 private key pair. -func GenerateKey() (*PrivateKey, error) { - priv := &PrivateKey{} - return generateKey(priv) -} - -func generateKey(priv *PrivateKey) (*PrivateKey, error) { - fips140.RecordApproved() - drbg.Read(priv.seed[:]) - precomputePrivateKey(priv) - fipsPCT(priv) - return priv, nil -} - -func NewPrivateKeyFromSeed(seed []byte) (*PrivateKey, error) { - priv := &PrivateKey{} - return newPrivateKeyFromSeed(priv, seed) -} - -func newPrivateKeyFromSeed(priv *PrivateKey, seed []byte) (*PrivateKey, error) { - fips140.RecordApproved() - if l := len(seed); l != seedSize { - return nil, errors.New("ed25519: bad seed length: " + strconv.Itoa(l)) - } - copy(priv.seed[:], seed) - precomputePrivateKey(priv) - return priv, nil -} - -func precomputePrivateKey(priv *PrivateKey) { - hs := sha512.New() - hs.Write(priv.seed[:]) - h := hs.Sum(make([]byte, 0, sha512Size)) - - s, err := priv.s.SetBytesWithClamping(h[:32]) - if err != nil { - panic("ed25519: internal error: setting scalar failed") - } - A := (&edwards25519.Point{}).ScalarBaseMult(s) - copy(priv.pub[:], A.Bytes()) - - copy(priv.prefix[:], h[32:]) -} - -func NewPrivateKey(priv []byte) (*PrivateKey, error) { - p := &PrivateKey{} - return newPrivateKey(p, priv) -} - -func newPrivateKey(priv *PrivateKey, privBytes []byte) (*PrivateKey, error) { - fips140.RecordApproved() - if l := len(privBytes); l != privateKeySize { - return nil, errors.New("ed25519: bad private key length: " + strconv.Itoa(l)) - } - - copy(priv.seed[:], privBytes[:32]) - - hs := sha512.New() - hs.Write(priv.seed[:]) - h := hs.Sum(make([]byte, 0, sha512Size)) - - if _, err := priv.s.SetBytesWithClamping(h[:32]); err != nil { - panic("ed25519: internal error: setting scalar failed") - } - // Note that we are not decompressing the public key point here, - // because it takes > 20% of the time of a signature generation. - // Signing doesn't use it as a point anyway. - copy(priv.pub[:], privBytes[32:]) - - copy(priv.prefix[:], h[32:]) - - return priv, nil -} - -func NewPublicKey(pub []byte) (*PublicKey, error) { - p := &PublicKey{} - return newPublicKey(p, pub) -} - -func newPublicKey(pub *PublicKey, pubBytes []byte) (*PublicKey, error) { - if l := len(pubBytes); l != publicKeySize { - return nil, errors.New("ed25519: bad public key length: " + strconv.Itoa(l)) - } - // SetBytes checks that the point is on the curve. - if _, err := pub.a.SetBytes(pubBytes); err != nil { - return nil, errors.New("ed25519: bad public key") - } - copy(pub.aBytes[:], pubBytes) - return pub, nil -} - -// Domain separation prefixes used to disambiguate Ed25519/Ed25519ph/Ed25519ctx. -// See RFC 8032, Section 2 and Section 5.1. -const ( - // domPrefixPure is empty for pure Ed25519. - domPrefixPure = "" - // domPrefixPh is dom2(phflag=1) for Ed25519ph. It must be followed by the - // uint8-length prefixed context. - domPrefixPh = "SigEd25519 no Ed25519 collisions\x01" - // domPrefixCtx is dom2(phflag=0) for Ed25519ctx. It must be followed by the - // uint8-length prefixed context. - domPrefixCtx = "SigEd25519 no Ed25519 collisions\x00" -) - -func Sign(priv *PrivateKey, message []byte) []byte { - // Outline the function body so that the returned signature can be - // stack-allocated. - signature := make([]byte, signatureSize) - return sign(signature, priv, message) -} - -func sign(signature []byte, priv *PrivateKey, message []byte) []byte { - fipsSelfTest() - fips140.RecordApproved() - return signWithDom(signature, priv, message, domPrefixPure, "") -} - -func SignPH(priv *PrivateKey, message []byte, context string) ([]byte, error) { - // Outline the function body so that the returned signature can be - // stack-allocated. - signature := make([]byte, signatureSize) - return signPH(signature, priv, message, context) -} - -func signPH(signature []byte, priv *PrivateKey, message []byte, context string) ([]byte, error) { - fipsSelfTest() - fips140.RecordApproved() - if l := len(message); l != sha512Size { - return nil, errors.New("ed25519: bad Ed25519ph message hash length: " + strconv.Itoa(l)) - } - if l := len(context); l > 255 { - return nil, errors.New("ed25519: bad Ed25519ph context length: " + strconv.Itoa(l)) - } - return signWithDom(signature, priv, message, domPrefixPh, context), nil -} - -func SignCtx(priv *PrivateKey, message []byte, context string) ([]byte, error) { - // Outline the function body so that the returned signature can be - // stack-allocated. - signature := make([]byte, signatureSize) - return signCtx(signature, priv, message, context) -} - -func signCtx(signature []byte, priv *PrivateKey, message []byte, context string) ([]byte, error) { - fipsSelfTest() - // FIPS 186-5 specifies Ed25519 and Ed25519ph (with context), but not Ed25519ctx. - fips140.RecordNonApproved() - // Note that per RFC 8032, Section 5.1, the context SHOULD NOT be empty. - if l := len(context); l > 255 { - return nil, errors.New("ed25519: bad Ed25519ctx context length: " + strconv.Itoa(l)) - } - return signWithDom(signature, priv, message, domPrefixCtx, context), nil -} - -func signWithDom(signature []byte, priv *PrivateKey, message []byte, domPrefix, context string) []byte { - mh := sha512.New() - if domPrefix != domPrefixPure { - mh.Write([]byte(domPrefix)) - mh.Write([]byte{byte(len(context))}) - mh.Write([]byte(context)) - } - mh.Write(priv.prefix[:]) - mh.Write(message) - messageDigest := make([]byte, 0, sha512Size) - messageDigest = mh.Sum(messageDigest) - r, err := edwards25519.NewScalar().SetUniformBytes(messageDigest) - if err != nil { - panic("ed25519: internal error: setting scalar failed") - } - - R := (&edwards25519.Point{}).ScalarBaseMult(r) - - kh := sha512.New() - if domPrefix != domPrefixPure { - kh.Write([]byte(domPrefix)) - kh.Write([]byte{byte(len(context))}) - kh.Write([]byte(context)) - } - kh.Write(R.Bytes()) - kh.Write(priv.pub[:]) - kh.Write(message) - hramDigest := make([]byte, 0, sha512Size) - hramDigest = kh.Sum(hramDigest) - k, err := edwards25519.NewScalar().SetUniformBytes(hramDigest) - if err != nil { - panic("ed25519: internal error: setting scalar failed") - } - - S := edwards25519.NewScalar().MultiplyAdd(k, &priv.s, r) - - copy(signature[:32], R.Bytes()) - copy(signature[32:], S.Bytes()) - - return signature -} - -func Verify(pub *PublicKey, message, sig []byte) error { - return verify(pub, message, sig) -} - -func verify(pub *PublicKey, message, sig []byte) error { - fipsSelfTest() - fips140.RecordApproved() - return verifyWithDom(pub, message, sig, domPrefixPure, "") -} - -func VerifyPH(pub *PublicKey, message []byte, sig []byte, context string) error { - fipsSelfTest() - fips140.RecordApproved() - if l := len(message); l != sha512Size { - return errors.New("ed25519: bad Ed25519ph message hash length: " + strconv.Itoa(l)) - } - if l := len(context); l > 255 { - return errors.New("ed25519: bad Ed25519ph context length: " + strconv.Itoa(l)) - } - return verifyWithDom(pub, message, sig, domPrefixPh, context) -} - -func VerifyCtx(pub *PublicKey, message []byte, sig []byte, context string) error { - fipsSelfTest() - // FIPS 186-5 specifies Ed25519 and Ed25519ph (with context), but not Ed25519ctx. - fips140.RecordNonApproved() - if l := len(context); l > 255 { - return errors.New("ed25519: bad Ed25519ctx context length: " + strconv.Itoa(l)) - } - return verifyWithDom(pub, message, sig, domPrefixCtx, context) -} - -func verifyWithDom(pub *PublicKey, message, sig []byte, domPrefix, context string) error { - if l := len(sig); l != signatureSize { - return errors.New("ed25519: bad signature length: " + strconv.Itoa(l)) - } - - if sig[63]&224 != 0 { - return errors.New("ed25519: invalid signature") - } - - kh := sha512.New() - if domPrefix != domPrefixPure { - kh.Write([]byte(domPrefix)) - kh.Write([]byte{byte(len(context))}) - kh.Write([]byte(context)) - } - kh.Write(sig[:32]) - kh.Write(pub.aBytes[:]) - kh.Write(message) - hramDigest := make([]byte, 0, sha512Size) - hramDigest = kh.Sum(hramDigest) - k, err := edwards25519.NewScalar().SetUniformBytes(hramDigest) - if err != nil { - panic("ed25519: internal error: setting scalar failed") - } - - S, err := edwards25519.NewScalar().SetCanonicalBytes(sig[32:]) - if err != nil { - return errors.New("ed25519: invalid signature") - } - - // [S]B = R + [k]A --> [k](-A) + [S]B = R - minusA := (&edwards25519.Point{}).Negate(&pub.a) - R := (&edwards25519.Point{}).VarTimeDoubleScalarBaseMult(k, minusA, S) - - if !bytes.Equal(sig[:32], R.Bytes()) { - return errors.New("ed25519: invalid signature") - } - return nil -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ed25519/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/ed25519/ya.make deleted file mode 100644 index d2fb5d60722..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ed25519/ya.make +++ /dev/null @@ -1,13 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - ed25519.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/doc.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/doc.go deleted file mode 100644 index 8cba6febfe1..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/doc.go +++ /dev/null @@ -1,22 +0,0 @@ -// Copyright (c) 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package edwards25519 implements group logic for the twisted Edwards curve -// -// -x^2 + y^2 = 1 + -(121665/121666)*x^2*y^2 -// -// This is better known as the Edwards curve equivalent to Curve25519, and is -// the curve used by the Ed25519 signature scheme. -// -// Most users don't need this package, and should instead use crypto/ed25519 for -// signatures, golang.org/x/crypto/curve25519 for Diffie-Hellman, or -// github.com/gtank/ristretto255 for prime order group logic. -// -// However, developers who do need to interact with low-level edwards25519 -// operations can use filippo.io/edwards25519, an extended version of this -// package repackaged as an importable module. -// -// (Note that filippo.io/edwards25519 and github.com/gtank/ristretto255 are not -// maintained by the Go team and are not covered by the Go 1 Compatibility Promise.) -package edwards25519 diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/edwards25519.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/edwards25519.go deleted file mode 100644 index 395cf18adbc..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/edwards25519.go +++ /dev/null @@ -1,427 +0,0 @@ -// Copyright (c) 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package edwards25519 - -import ( - _ "crypto/internal/fips140/check" - "crypto/internal/fips140/edwards25519/field" - "errors" -) - -// Point types. - -type projP1xP1 struct { - X, Y, Z, T field.Element -} - -type projP2 struct { - X, Y, Z field.Element -} - -// Point represents a point on the edwards25519 curve. -// -// This type works similarly to math/big.Int, and all arguments and receivers -// are allowed to alias. -// -// The zero value is NOT valid, and it may be used only as a receiver. -type Point struct { - // Make the type not comparable (i.e. used with == or as a map key), as - // equivalent points can be represented by different Go values. - _ incomparable - - // The point is internally represented in extended coordinates (X, Y, Z, T) - // where x = X/Z, y = Y/Z, and xy = T/Z per https://eprint.iacr.org/2008/522. - x, y, z, t field.Element -} - -type incomparable [0]func() - -func checkInitialized(points ...*Point) { - for _, p := range points { - if p.x == (field.Element{}) && p.y == (field.Element{}) { - panic("edwards25519: use of uninitialized Point") - } - } -} - -type projCached struct { - YplusX, YminusX, Z, T2d field.Element -} - -type affineCached struct { - YplusX, YminusX, T2d field.Element -} - -// Constructors. - -func (v *projP2) Zero() *projP2 { - v.X.Zero() - v.Y.One() - v.Z.One() - return v -} - -// identity is the point at infinity. -var identity, _ = new(Point).SetBytes([]byte{ - 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}) - -// NewIdentityPoint returns a new Point set to the identity. -func NewIdentityPoint() *Point { - return new(Point).Set(identity) -} - -// generator is the canonical curve basepoint. See TestGenerator for the -// correspondence of this encoding with the values in RFC 8032. -var generator, _ = new(Point).SetBytes([]byte{ - 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66}) - -// NewGeneratorPoint returns a new Point set to the canonical generator. -func NewGeneratorPoint() *Point { - return new(Point).Set(generator) -} - -func (v *projCached) Zero() *projCached { - v.YplusX.One() - v.YminusX.One() - v.Z.One() - v.T2d.Zero() - return v -} - -func (v *affineCached) Zero() *affineCached { - v.YplusX.One() - v.YminusX.One() - v.T2d.Zero() - return v -} - -// Assignments. - -// Set sets v = u, and returns v. -func (v *Point) Set(u *Point) *Point { - *v = *u - return v -} - -// Encoding. - -// Bytes returns the canonical 32-byte encoding of v, according to RFC 8032, -// Section 5.1.2. -func (v *Point) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var buf [32]byte - return v.bytes(&buf) -} - -func (v *Point) bytes(buf *[32]byte) []byte { - checkInitialized(v) - - var zInv, x, y field.Element - zInv.Invert(&v.z) // zInv = 1 / Z - x.Multiply(&v.x, &zInv) // x = X / Z - y.Multiply(&v.y, &zInv) // y = Y / Z - - out := copyFieldElement(buf, &y) - out[31] |= byte(x.IsNegative() << 7) - return out -} - -var feOne = new(field.Element).One() - -// SetBytes sets v = x, where x is a 32-byte encoding of v. If x does not -// represent a valid point on the curve, SetBytes returns nil and an error and -// the receiver is unchanged. Otherwise, SetBytes returns v. -// -// Note that SetBytes accepts all non-canonical encodings of valid points. -// That is, it follows decoding rules that match most implementations in -// the ecosystem rather than RFC 8032. -func (v *Point) SetBytes(x []byte) (*Point, error) { - // Specifically, the non-canonical encodings that are accepted are - // 1) the ones where the field element is not reduced (see the - // (*field.Element).SetBytes docs) and - // 2) the ones where the x-coordinate is zero and the sign bit is set. - // - // Read more at https://hdevalence.ca/blog/2020-10-04-its-25519am, - // specifically the "Canonical A, R" section. - - y, err := new(field.Element).SetBytes(x) - if err != nil { - return nil, errors.New("edwards25519: invalid point encoding length") - } - - // -x² + y² = 1 + dx²y² - // x² + dx²y² = x²(dy² + 1) = y² - 1 - // x² = (y² - 1) / (dy² + 1) - - // u = y² - 1 - y2 := new(field.Element).Square(y) - u := new(field.Element).Subtract(y2, feOne) - - // v = dy² + 1 - vv := new(field.Element).Multiply(y2, d) - vv = vv.Add(vv, feOne) - - // x = +√(u/v) - xx, wasSquare := new(field.Element).SqrtRatio(u, vv) - if wasSquare == 0 { - return nil, errors.New("edwards25519: invalid point encoding") - } - - // Select the negative square root if the sign bit is set. - xxNeg := new(field.Element).Negate(xx) - xx = xx.Select(xxNeg, xx, int(x[31]>>7)) - - v.x.Set(xx) - v.y.Set(y) - v.z.One() - v.t.Multiply(xx, y) // xy = T / Z - - return v, nil -} - -func copyFieldElement(buf *[32]byte, v *field.Element) []byte { - copy(buf[:], v.Bytes()) - return buf[:] -} - -// Conversions. - -func (v *projP2) FromP1xP1(p *projP1xP1) *projP2 { - v.X.Multiply(&p.X, &p.T) - v.Y.Multiply(&p.Y, &p.Z) - v.Z.Multiply(&p.Z, &p.T) - return v -} - -func (v *projP2) FromP3(p *Point) *projP2 { - v.X.Set(&p.x) - v.Y.Set(&p.y) - v.Z.Set(&p.z) - return v -} - -func (v *Point) fromP1xP1(p *projP1xP1) *Point { - v.x.Multiply(&p.X, &p.T) - v.y.Multiply(&p.Y, &p.Z) - v.z.Multiply(&p.Z, &p.T) - v.t.Multiply(&p.X, &p.Y) - return v -} - -func (v *Point) fromP2(p *projP2) *Point { - v.x.Multiply(&p.X, &p.Z) - v.y.Multiply(&p.Y, &p.Z) - v.z.Square(&p.Z) - v.t.Multiply(&p.X, &p.Y) - return v -} - -// d is a constant in the curve equation. -var d, _ = new(field.Element).SetBytes([]byte{ - 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75, - 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00, - 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c, - 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52}) -var d2 = new(field.Element).Add(d, d) - -func (v *projCached) FromP3(p *Point) *projCached { - v.YplusX.Add(&p.y, &p.x) - v.YminusX.Subtract(&p.y, &p.x) - v.Z.Set(&p.z) - v.T2d.Multiply(&p.t, d2) - return v -} - -func (v *affineCached) FromP3(p *Point) *affineCached { - v.YplusX.Add(&p.y, &p.x) - v.YminusX.Subtract(&p.y, &p.x) - v.T2d.Multiply(&p.t, d2) - - var invZ field.Element - invZ.Invert(&p.z) - v.YplusX.Multiply(&v.YplusX, &invZ) - v.YminusX.Multiply(&v.YminusX, &invZ) - v.T2d.Multiply(&v.T2d, &invZ) - return v -} - -// (Re)addition and subtraction. - -// Add sets v = p + q, and returns v. -func (v *Point) Add(p, q *Point) *Point { - checkInitialized(p, q) - qCached := new(projCached).FromP3(q) - result := new(projP1xP1).Add(p, qCached) - return v.fromP1xP1(result) -} - -// Subtract sets v = p - q, and returns v. -func (v *Point) Subtract(p, q *Point) *Point { - checkInitialized(p, q) - qCached := new(projCached).FromP3(q) - result := new(projP1xP1).Sub(p, qCached) - return v.fromP1xP1(result) -} - -func (v *projP1xP1) Add(p *Point, q *projCached) *projP1xP1 { - var YplusX, YminusX, PP, MM, TT2d, ZZ2 field.Element - - YplusX.Add(&p.y, &p.x) - YminusX.Subtract(&p.y, &p.x) - - PP.Multiply(&YplusX, &q.YplusX) - MM.Multiply(&YminusX, &q.YminusX) - TT2d.Multiply(&p.t, &q.T2d) - ZZ2.Multiply(&p.z, &q.Z) - - ZZ2.Add(&ZZ2, &ZZ2) - - v.X.Subtract(&PP, &MM) - v.Y.Add(&PP, &MM) - v.Z.Add(&ZZ2, &TT2d) - v.T.Subtract(&ZZ2, &TT2d) - return v -} - -func (v *projP1xP1) Sub(p *Point, q *projCached) *projP1xP1 { - var YplusX, YminusX, PP, MM, TT2d, ZZ2 field.Element - - YplusX.Add(&p.y, &p.x) - YminusX.Subtract(&p.y, &p.x) - - PP.Multiply(&YplusX, &q.YminusX) // flipped sign - MM.Multiply(&YminusX, &q.YplusX) // flipped sign - TT2d.Multiply(&p.t, &q.T2d) - ZZ2.Multiply(&p.z, &q.Z) - - ZZ2.Add(&ZZ2, &ZZ2) - - v.X.Subtract(&PP, &MM) - v.Y.Add(&PP, &MM) - v.Z.Subtract(&ZZ2, &TT2d) // flipped sign - v.T.Add(&ZZ2, &TT2d) // flipped sign - return v -} - -func (v *projP1xP1) AddAffine(p *Point, q *affineCached) *projP1xP1 { - var YplusX, YminusX, PP, MM, TT2d, Z2 field.Element - - YplusX.Add(&p.y, &p.x) - YminusX.Subtract(&p.y, &p.x) - - PP.Multiply(&YplusX, &q.YplusX) - MM.Multiply(&YminusX, &q.YminusX) - TT2d.Multiply(&p.t, &q.T2d) - - Z2.Add(&p.z, &p.z) - - v.X.Subtract(&PP, &MM) - v.Y.Add(&PP, &MM) - v.Z.Add(&Z2, &TT2d) - v.T.Subtract(&Z2, &TT2d) - return v -} - -func (v *projP1xP1) SubAffine(p *Point, q *affineCached) *projP1xP1 { - var YplusX, YminusX, PP, MM, TT2d, Z2 field.Element - - YplusX.Add(&p.y, &p.x) - YminusX.Subtract(&p.y, &p.x) - - PP.Multiply(&YplusX, &q.YminusX) // flipped sign - MM.Multiply(&YminusX, &q.YplusX) // flipped sign - TT2d.Multiply(&p.t, &q.T2d) - - Z2.Add(&p.z, &p.z) - - v.X.Subtract(&PP, &MM) - v.Y.Add(&PP, &MM) - v.Z.Subtract(&Z2, &TT2d) // flipped sign - v.T.Add(&Z2, &TT2d) // flipped sign - return v -} - -// Doubling. - -func (v *projP1xP1) Double(p *projP2) *projP1xP1 { - var XX, YY, ZZ2, XplusYsq field.Element - - XX.Square(&p.X) - YY.Square(&p.Y) - ZZ2.Square(&p.Z) - ZZ2.Add(&ZZ2, &ZZ2) - XplusYsq.Add(&p.X, &p.Y) - XplusYsq.Square(&XplusYsq) - - v.Y.Add(&YY, &XX) - v.Z.Subtract(&YY, &XX) - - v.X.Subtract(&XplusYsq, &v.Y) - v.T.Subtract(&ZZ2, &v.Z) - return v -} - -// Negation. - -// Negate sets v = -p, and returns v. -func (v *Point) Negate(p *Point) *Point { - checkInitialized(p) - v.x.Negate(&p.x) - v.y.Set(&p.y) - v.z.Set(&p.z) - v.t.Negate(&p.t) - return v -} - -// Equal returns 1 if v is equivalent to u, and 0 otherwise. -func (v *Point) Equal(u *Point) int { - checkInitialized(v, u) - - var t1, t2, t3, t4 field.Element - t1.Multiply(&v.x, &u.z) - t2.Multiply(&u.x, &v.z) - t3.Multiply(&v.y, &u.z) - t4.Multiply(&u.y, &v.z) - - return t1.Equal(&t2) & t3.Equal(&t4) -} - -// Constant-time operations - -// Select sets v to a if cond == 1 and to b if cond == 0. -func (v *projCached) Select(a, b *projCached, cond int) *projCached { - v.YplusX.Select(&a.YplusX, &b.YplusX, cond) - v.YminusX.Select(&a.YminusX, &b.YminusX, cond) - v.Z.Select(&a.Z, &b.Z, cond) - v.T2d.Select(&a.T2d, &b.T2d, cond) - return v -} - -// Select sets v to a if cond == 1 and to b if cond == 0. -func (v *affineCached) Select(a, b *affineCached, cond int) *affineCached { - v.YplusX.Select(&a.YplusX, &b.YplusX, cond) - v.YminusX.Select(&a.YminusX, &b.YminusX, cond) - v.T2d.Select(&a.T2d, &b.T2d, cond) - return v -} - -// CondNeg negates v if cond == 1 and leaves it unchanged if cond == 0. -func (v *projCached) CondNeg(cond int) *projCached { - v.YplusX.Swap(&v.YminusX, cond) - v.T2d.Select(new(field.Element).Negate(&v.T2d), &v.T2d, cond) - return v -} - -// CondNeg negates v if cond == 1 and leaves it unchanged if cond == 0. -func (v *affineCached) CondNeg(cond int) *affineCached { - v.YplusX.Swap(&v.YminusX, cond) - v.T2d.Select(new(field.Element).Negate(&v.T2d), &v.T2d, cond) - return v -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/_asm/fe_amd64_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/_asm/fe_amd64_asm.go deleted file mode 100644 index ecb713b3c42..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/_asm/fe_amd64_asm.go +++ /dev/null @@ -1,311 +0,0 @@ -// Copyright (c) 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package main - -import ( - "fmt" - - . "github.com/mmcloughlin/avo/build" - . "github.com/mmcloughlin/avo/gotypes" - . "github.com/mmcloughlin/avo/operand" - . "github.com/mmcloughlin/avo/reg" -) - -//go:generate go run . -out ../fe_amd64.s -stubs ../fe_amd64.go -pkg field - -func main() { - Package("crypto/internal/fips140/edwards25519/field") - ConstraintExpr("!purego") - feMul() - feSquare() - Generate() -} - -type namedComponent struct { - Component - name string -} - -func (c namedComponent) String() string { return c.name } - -type uint128 struct { - name string - hi, lo GPVirtual -} - -func (c uint128) String() string { return c.name } - -func feSquare() { - TEXT("feSquare", NOSPLIT, "func(out, a *Element)") - Doc("feSquare sets out = a * a. It works like feSquareGeneric.") - Pragma("noescape") - - a := Dereference(Param("a")) - l0 := namedComponent{a.Field("l0"), "l0"} - l1 := namedComponent{a.Field("l1"), "l1"} - l2 := namedComponent{a.Field("l2"), "l2"} - l3 := namedComponent{a.Field("l3"), "l3"} - l4 := namedComponent{a.Field("l4"), "l4"} - - // r0 = l0×l0 + 19×2×(l1×l4 + l2×l3) - r0 := uint128{"r0", GP64(), GP64()} - mul64(r0, 1, l0, l0) - addMul64(r0, 38, l1, l4) - addMul64(r0, 38, l2, l3) - - // r1 = 2×l0×l1 + 19×2×l2×l4 + 19×l3×l3 - r1 := uint128{"r1", GP64(), GP64()} - mul64(r1, 2, l0, l1) - addMul64(r1, 38, l2, l4) - addMul64(r1, 19, l3, l3) - - // r2 = = 2×l0×l2 + l1×l1 + 19×2×l3×l4 - r2 := uint128{"r2", GP64(), GP64()} - mul64(r2, 2, l0, l2) - addMul64(r2, 1, l1, l1) - addMul64(r2, 38, l3, l4) - - // r3 = = 2×l0×l3 + 2×l1×l2 + 19×l4×l4 - r3 := uint128{"r3", GP64(), GP64()} - mul64(r3, 2, l0, l3) - addMul64(r3, 2, l1, l2) - addMul64(r3, 19, l4, l4) - - // r4 = = 2×l0×l4 + 2×l1×l3 + l2×l2 - r4 := uint128{"r4", GP64(), GP64()} - mul64(r4, 2, l0, l4) - addMul64(r4, 2, l1, l3) - addMul64(r4, 1, l2, l2) - - Comment("First reduction chain") - maskLow51Bits := GP64() - MOVQ(Imm((1<<51)-1), maskLow51Bits) - c0, r0lo := shiftRightBy51(&r0) - c1, r1lo := shiftRightBy51(&r1) - c2, r2lo := shiftRightBy51(&r2) - c3, r3lo := shiftRightBy51(&r3) - c4, r4lo := shiftRightBy51(&r4) - maskAndAdd(r0lo, maskLow51Bits, c4, 19) - maskAndAdd(r1lo, maskLow51Bits, c0, 1) - maskAndAdd(r2lo, maskLow51Bits, c1, 1) - maskAndAdd(r3lo, maskLow51Bits, c2, 1) - maskAndAdd(r4lo, maskLow51Bits, c3, 1) - - Comment("Second reduction chain (carryPropagate)") - // c0 = r0 >> 51 - MOVQ(r0lo, c0) - SHRQ(Imm(51), c0) - // c1 = r1 >> 51 - MOVQ(r1lo, c1) - SHRQ(Imm(51), c1) - // c2 = r2 >> 51 - MOVQ(r2lo, c2) - SHRQ(Imm(51), c2) - // c3 = r3 >> 51 - MOVQ(r3lo, c3) - SHRQ(Imm(51), c3) - // c4 = r4 >> 51 - MOVQ(r4lo, c4) - SHRQ(Imm(51), c4) - maskAndAdd(r0lo, maskLow51Bits, c4, 19) - maskAndAdd(r1lo, maskLow51Bits, c0, 1) - maskAndAdd(r2lo, maskLow51Bits, c1, 1) - maskAndAdd(r3lo, maskLow51Bits, c2, 1) - maskAndAdd(r4lo, maskLow51Bits, c3, 1) - - Comment("Store output") - out := Dereference(Param("out")) - Store(r0lo, out.Field("l0")) - Store(r1lo, out.Field("l1")) - Store(r2lo, out.Field("l2")) - Store(r3lo, out.Field("l3")) - Store(r4lo, out.Field("l4")) - - RET() -} - -func feMul() { - TEXT("feMul", NOSPLIT, "func(out, a, b *Element)") - Doc("feMul sets out = a * b. It works like feMulGeneric.") - Pragma("noescape") - - a := Dereference(Param("a")) - a0 := namedComponent{a.Field("l0"), "a0"} - a1 := namedComponent{a.Field("l1"), "a1"} - a2 := namedComponent{a.Field("l2"), "a2"} - a3 := namedComponent{a.Field("l3"), "a3"} - a4 := namedComponent{a.Field("l4"), "a4"} - - b := Dereference(Param("b")) - b0 := namedComponent{b.Field("l0"), "b0"} - b1 := namedComponent{b.Field("l1"), "b1"} - b2 := namedComponent{b.Field("l2"), "b2"} - b3 := namedComponent{b.Field("l3"), "b3"} - b4 := namedComponent{b.Field("l4"), "b4"} - - // r0 = a0×b0 + 19×(a1×b4 + a2×b3 + a3×b2 + a4×b1) - r0 := uint128{"r0", GP64(), GP64()} - mul64(r0, 1, a0, b0) - addMul64(r0, 19, a1, b4) - addMul64(r0, 19, a2, b3) - addMul64(r0, 19, a3, b2) - addMul64(r0, 19, a4, b1) - - // r1 = a0×b1 + a1×b0 + 19×(a2×b4 + a3×b3 + a4×b2) - r1 := uint128{"r1", GP64(), GP64()} - mul64(r1, 1, a0, b1) - addMul64(r1, 1, a1, b0) - addMul64(r1, 19, a2, b4) - addMul64(r1, 19, a3, b3) - addMul64(r1, 19, a4, b2) - - // r2 = a0×b2 + a1×b1 + a2×b0 + 19×(a3×b4 + a4×b3) - r2 := uint128{"r2", GP64(), GP64()} - mul64(r2, 1, a0, b2) - addMul64(r2, 1, a1, b1) - addMul64(r2, 1, a2, b0) - addMul64(r2, 19, a3, b4) - addMul64(r2, 19, a4, b3) - - // r3 = a0×b3 + a1×b2 + a2×b1 + a3×b0 + 19×a4×b4 - r3 := uint128{"r3", GP64(), GP64()} - mul64(r3, 1, a0, b3) - addMul64(r3, 1, a1, b2) - addMul64(r3, 1, a2, b1) - addMul64(r3, 1, a3, b0) - addMul64(r3, 19, a4, b4) - - // r4 = a0×b4 + a1×b3 + a2×b2 + a3×b1 + a4×b0 - r4 := uint128{"r4", GP64(), GP64()} - mul64(r4, 1, a0, b4) - addMul64(r4, 1, a1, b3) - addMul64(r4, 1, a2, b2) - addMul64(r4, 1, a3, b1) - addMul64(r4, 1, a4, b0) - - Comment("First reduction chain") - maskLow51Bits := GP64() - MOVQ(Imm((1<<51)-1), maskLow51Bits) - c0, r0lo := shiftRightBy51(&r0) - c1, r1lo := shiftRightBy51(&r1) - c2, r2lo := shiftRightBy51(&r2) - c3, r3lo := shiftRightBy51(&r3) - c4, r4lo := shiftRightBy51(&r4) - maskAndAdd(r0lo, maskLow51Bits, c4, 19) - maskAndAdd(r1lo, maskLow51Bits, c0, 1) - maskAndAdd(r2lo, maskLow51Bits, c1, 1) - maskAndAdd(r3lo, maskLow51Bits, c2, 1) - maskAndAdd(r4lo, maskLow51Bits, c3, 1) - - Comment("Second reduction chain (carryPropagate)") - // c0 = r0 >> 51 - MOVQ(r0lo, c0) - SHRQ(Imm(51), c0) - // c1 = r1 >> 51 - MOVQ(r1lo, c1) - SHRQ(Imm(51), c1) - // c2 = r2 >> 51 - MOVQ(r2lo, c2) - SHRQ(Imm(51), c2) - // c3 = r3 >> 51 - MOVQ(r3lo, c3) - SHRQ(Imm(51), c3) - // c4 = r4 >> 51 - MOVQ(r4lo, c4) - SHRQ(Imm(51), c4) - maskAndAdd(r0lo, maskLow51Bits, c4, 19) - maskAndAdd(r1lo, maskLow51Bits, c0, 1) - maskAndAdd(r2lo, maskLow51Bits, c1, 1) - maskAndAdd(r3lo, maskLow51Bits, c2, 1) - maskAndAdd(r4lo, maskLow51Bits, c3, 1) - - Comment("Store output") - out := Dereference(Param("out")) - Store(r0lo, out.Field("l0")) - Store(r1lo, out.Field("l1")) - Store(r2lo, out.Field("l2")) - Store(r3lo, out.Field("l3")) - Store(r4lo, out.Field("l4")) - - RET() -} - -// mul64 sets r to i * aX * bX. -func mul64(r uint128, i int, aX, bX namedComponent) { - switch i { - case 1: - Comment(fmt.Sprintf("%s = %s×%s", r, aX, bX)) - Load(aX, RAX) - case 2: - Comment(fmt.Sprintf("%s = 2×%s×%s", r, aX, bX)) - Load(aX, RAX) - SHLQ(Imm(1), RAX) - default: - panic("unsupported i value") - } - MULQ(mustAddr(bX)) // RDX, RAX = RAX * bX - MOVQ(RAX, r.lo) - MOVQ(RDX, r.hi) -} - -// addMul64 sets r to r + i * aX * bX. -func addMul64(r uint128, i uint64, aX, bX namedComponent) { - switch i { - case 1: - Comment(fmt.Sprintf("%s += %s×%s", r, aX, bX)) - Load(aX, RAX) - case 2: - Comment(fmt.Sprintf("%s += %d×%s×%s", r, i, aX, bX)) - Load(aX, RAX) - SHLQ(U8(1), RAX) - case 19: - Comment(fmt.Sprintf("%s += %d×%s×%s", r, i, aX, bX)) - // 19 * v ==> v + (v+v*8)*2 - tmp := Load(aX, GP64()) - LEAQ(Mem{Base: tmp, Index: tmp, Scale: 8}, RAX) - LEAQ(Mem{Base: tmp, Index: RAX, Scale: 2}, RAX) - case 38: - Comment(fmt.Sprintf("%s += %d×%s×%s", r, i, aX, bX)) - // 38 * v ==> (v + (v+v*8)*2) * 2 - tmp := Load(aX, GP64()) - LEAQ(Mem{Base: tmp, Index: tmp, Scale: 8}, RAX) - LEAQ(Mem{Base: tmp, Index: RAX, Scale: 2}, RAX) - SHLQ(U8(1), RAX) - default: - Comment(fmt.Sprintf("%s += %d×%s×%s", r, i, aX, bX)) - IMUL3Q(Imm(i), Load(aX, GP64()), RAX) - } - MULQ(mustAddr(bX)) // RDX, RAX = RAX * bX - ADDQ(RAX, r.lo) - ADCQ(RDX, r.hi) -} - -// shiftRightBy51 returns r >> 51 and r.lo. -// -// After this function is called, the uint128 may not be used anymore. -func shiftRightBy51(r *uint128) (out, lo GPVirtual) { - out = r.hi - lo = r.lo - SHLQ(Imm(64-51), r.lo, r.hi) - r.lo, r.hi = nil, nil // make sure the uint128 is unusable - return -} - -// maskAndAdd sets r = r&mask + c*i. -func maskAndAdd(r, mask, c GPVirtual, i uint64) { - ANDQ(mask, r) - if i != 1 { - IMUL3Q(Imm(i), c, c) - } - ADDQ(c, r) -} - -func mustAddr(c Component) Op { - b, err := c.Resolve() - if err != nil { - panic(err) - } - return b.Addr -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/_asm/go.mod b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/_asm/go.mod deleted file mode 100644 index 93794a63d9d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/_asm/go.mod +++ /dev/null @@ -1,10 +0,0 @@ -module crypto/internal/fips140/edwards25519/field/_asm - -go 1.25 - -require github.com/mmcloughlin/avo v0.6.0 - -require ( - golang.org/x/mod v0.14.0 // indirect - golang.org/x/tools v0.16.1 // indirect -) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/_asm/go.sum b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/_asm/go.sum deleted file mode 100644 index 483bba88396..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/_asm/go.sum +++ /dev/null @@ -1,8 +0,0 @@ -github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY= -github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= -golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= -golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe.go deleted file mode 100644 index e1035456a83..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe.go +++ /dev/null @@ -1,421 +0,0 @@ -// Copyright (c) 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package field implements fast arithmetic modulo 2^255-19. -package field - -import ( - _ "crypto/internal/fips140/check" - "crypto/internal/fips140/subtle" - "crypto/internal/fips140deps/byteorder" - "errors" - "math/bits" -) - -// Element represents an element of the field GF(2^255-19). Note that this -// is not a cryptographically secure group, and should only be used to interact -// with edwards25519.Point coordinates. -// -// This type works similarly to math/big.Int, and all arguments and receivers -// are allowed to alias. -// -// The zero value is a valid zero element. -type Element struct { - // An element t represents the integer - // t.l0 + t.l1*2^51 + t.l2*2^102 + t.l3*2^153 + t.l4*2^204 - // - // Between operations, all limbs are expected to be lower than 2^52. - l0 uint64 - l1 uint64 - l2 uint64 - l3 uint64 - l4 uint64 -} - -const maskLow51Bits uint64 = (1 << 51) - 1 - -var feZero = &Element{0, 0, 0, 0, 0} - -// Zero sets v = 0, and returns v. -func (v *Element) Zero() *Element { - *v = *feZero - return v -} - -var feOne = &Element{1, 0, 0, 0, 0} - -// One sets v = 1, and returns v. -func (v *Element) One() *Element { - *v = *feOne - return v -} - -// reduce reduces v modulo 2^255 - 19 and returns it. -func (v *Element) reduce() *Element { - v.carryPropagate() - - // After the light reduction we now have a field element representation - // v < 2^255 + 2^13 * 19, but need v < 2^255 - 19. - - // If v >= 2^255 - 19, then v + 19 >= 2^255, which would overflow 2^255 - 1, - // generating a carry. That is, c will be 0 if v < 2^255 - 19, and 1 otherwise. - c := (v.l0 + 19) >> 51 - c = (v.l1 + c) >> 51 - c = (v.l2 + c) >> 51 - c = (v.l3 + c) >> 51 - c = (v.l4 + c) >> 51 - - // If v < 2^255 - 19 and c = 0, this will be a no-op. Otherwise, it's - // effectively applying the reduction identity to the carry. - v.l0 += 19 * c - - v.l1 += v.l0 >> 51 - v.l0 = v.l0 & maskLow51Bits - v.l2 += v.l1 >> 51 - v.l1 = v.l1 & maskLow51Bits - v.l3 += v.l2 >> 51 - v.l2 = v.l2 & maskLow51Bits - v.l4 += v.l3 >> 51 - v.l3 = v.l3 & maskLow51Bits - // no additional carry - v.l4 = v.l4 & maskLow51Bits - - return v -} - -// Add sets v = a + b, and returns v. -func (v *Element) Add(a, b *Element) *Element { - v.l0 = a.l0 + b.l0 - v.l1 = a.l1 + b.l1 - v.l2 = a.l2 + b.l2 - v.l3 = a.l3 + b.l3 - v.l4 = a.l4 + b.l4 - return v.carryPropagate() -} - -// Subtract sets v = a - b, and returns v. -func (v *Element) Subtract(a, b *Element) *Element { - // We first add 2 * p, to guarantee the subtraction won't underflow, and - // then subtract b (which can be up to 2^255 + 2^13 * 19). - v.l0 = (a.l0 + 0xFFFFFFFFFFFDA) - b.l0 - v.l1 = (a.l1 + 0xFFFFFFFFFFFFE) - b.l1 - v.l2 = (a.l2 + 0xFFFFFFFFFFFFE) - b.l2 - v.l3 = (a.l3 + 0xFFFFFFFFFFFFE) - b.l3 - v.l4 = (a.l4 + 0xFFFFFFFFFFFFE) - b.l4 - return v.carryPropagate() -} - -// Negate sets v = -a, and returns v. -func (v *Element) Negate(a *Element) *Element { - return v.Subtract(feZero, a) -} - -// Invert sets v = 1/z mod p, and returns v. -// -// If z == 0, Invert returns v = 0. -func (v *Element) Invert(z *Element) *Element { - // Inversion is implemented as exponentiation with exponent p − 2. It uses the - // same sequence of 255 squarings and 11 multiplications as [Curve25519]. - var z2, z9, z11, z2_5_0, z2_10_0, z2_20_0, z2_50_0, z2_100_0, t Element - - z2.Square(z) // 2 - t.Square(&z2) // 4 - t.Square(&t) // 8 - z9.Multiply(&t, z) // 9 - z11.Multiply(&z9, &z2) // 11 - t.Square(&z11) // 22 - z2_5_0.Multiply(&t, &z9) // 31 = 2^5 - 2^0 - - t.Square(&z2_5_0) // 2^6 - 2^1 - for i := 0; i < 4; i++ { - t.Square(&t) // 2^10 - 2^5 - } - z2_10_0.Multiply(&t, &z2_5_0) // 2^10 - 2^0 - - t.Square(&z2_10_0) // 2^11 - 2^1 - for i := 0; i < 9; i++ { - t.Square(&t) // 2^20 - 2^10 - } - z2_20_0.Multiply(&t, &z2_10_0) // 2^20 - 2^0 - - t.Square(&z2_20_0) // 2^21 - 2^1 - for i := 0; i < 19; i++ { - t.Square(&t) // 2^40 - 2^20 - } - t.Multiply(&t, &z2_20_0) // 2^40 - 2^0 - - t.Square(&t) // 2^41 - 2^1 - for i := 0; i < 9; i++ { - t.Square(&t) // 2^50 - 2^10 - } - z2_50_0.Multiply(&t, &z2_10_0) // 2^50 - 2^0 - - t.Square(&z2_50_0) // 2^51 - 2^1 - for i := 0; i < 49; i++ { - t.Square(&t) // 2^100 - 2^50 - } - z2_100_0.Multiply(&t, &z2_50_0) // 2^100 - 2^0 - - t.Square(&z2_100_0) // 2^101 - 2^1 - for i := 0; i < 99; i++ { - t.Square(&t) // 2^200 - 2^100 - } - t.Multiply(&t, &z2_100_0) // 2^200 - 2^0 - - t.Square(&t) // 2^201 - 2^1 - for i := 0; i < 49; i++ { - t.Square(&t) // 2^250 - 2^50 - } - t.Multiply(&t, &z2_50_0) // 2^250 - 2^0 - - t.Square(&t) // 2^251 - 2^1 - t.Square(&t) // 2^252 - 2^2 - t.Square(&t) // 2^253 - 2^3 - t.Square(&t) // 2^254 - 2^4 - t.Square(&t) // 2^255 - 2^5 - - return v.Multiply(&t, &z11) // 2^255 - 21 -} - -// Set sets v = a, and returns v. -func (v *Element) Set(a *Element) *Element { - *v = *a - return v -} - -// SetBytes sets v to x, where x is a 32-byte little-endian encoding. If x is -// not of the right length, SetBytes returns nil and an error, and the -// receiver is unchanged. -// -// Consistent with RFC 7748, the most significant bit (the high bit of the -// last byte) is ignored, and non-canonical values (2^255-19 through 2^255-1) -// are accepted. Note that this is laxer than specified by RFC 8032, but -// consistent with most Ed25519 implementations. -func (v *Element) SetBytes(x []byte) (*Element, error) { - if len(x) != 32 { - return nil, errors.New("edwards25519: invalid field element input size") - } - - // Bits 0:51 (bytes 0:8, bits 0:64, shift 0, mask 51). - v.l0 = byteorder.LEUint64(x[0:8]) - v.l0 &= maskLow51Bits - // Bits 51:102 (bytes 6:14, bits 48:112, shift 3, mask 51). - v.l1 = byteorder.LEUint64(x[6:14]) >> 3 - v.l1 &= maskLow51Bits - // Bits 102:153 (bytes 12:20, bits 96:160, shift 6, mask 51). - v.l2 = byteorder.LEUint64(x[12:20]) >> 6 - v.l2 &= maskLow51Bits - // Bits 153:204 (bytes 19:27, bits 152:216, shift 1, mask 51). - v.l3 = byteorder.LEUint64(x[19:27]) >> 1 - v.l3 &= maskLow51Bits - // Bits 204:255 (bytes 24:32, bits 192:256, shift 12, mask 51). - // Note: not bytes 25:33, shift 4, to avoid overread. - v.l4 = byteorder.LEUint64(x[24:32]) >> 12 - v.l4 &= maskLow51Bits - - return v, nil -} - -// Bytes returns the canonical 32-byte little-endian encoding of v. -func (v *Element) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [32]byte - return v.bytes(&out) -} - -func (v *Element) bytes(out *[32]byte) []byte { - t := *v - t.reduce() - - // Pack five 51-bit limbs into four 64-bit words: - // - // 255 204 153 102 51 0 - // ├──l4──┼──l3──┼──l2──┼──l1──┼──l0──┤ - // ├───u3───┼───u2───┼───u1───┼───u0───┤ - // 256 192 128 64 0 - - u0 := t.l1<<51 | t.l0 - u1 := t.l2<<(102-64) | t.l1>>(64-51) - u2 := t.l3<<(153-128) | t.l2>>(128-102) - u3 := t.l4<<(204-192) | t.l3>>(192-153) - - byteorder.LEPutUint64(out[0*8:], u0) - byteorder.LEPutUint64(out[1*8:], u1) - byteorder.LEPutUint64(out[2*8:], u2) - byteorder.LEPutUint64(out[3*8:], u3) - - return out[:] -} - -// Equal returns 1 if v and u are equal, and 0 otherwise. -func (v *Element) Equal(u *Element) int { - sa, sv := u.Bytes(), v.Bytes() - return subtle.ConstantTimeCompare(sa, sv) -} - -// mask64Bits returns 0xffffffff if cond is 1, and 0 otherwise. -func mask64Bits(cond int) uint64 { return ^(uint64(cond) - 1) } - -// Select sets v to a if cond == 1, and to b if cond == 0. -func (v *Element) Select(a, b *Element, cond int) *Element { - m := mask64Bits(cond) - v.l0 = (m & a.l0) | (^m & b.l0) - v.l1 = (m & a.l1) | (^m & b.l1) - v.l2 = (m & a.l2) | (^m & b.l2) - v.l3 = (m & a.l3) | (^m & b.l3) - v.l4 = (m & a.l4) | (^m & b.l4) - return v -} - -// Swap swaps v and u if cond == 1 or leaves them unchanged if cond == 0, and returns v. -func (v *Element) Swap(u *Element, cond int) { - m := mask64Bits(cond) - t := m & (v.l0 ^ u.l0) - v.l0 ^= t - u.l0 ^= t - t = m & (v.l1 ^ u.l1) - v.l1 ^= t - u.l1 ^= t - t = m & (v.l2 ^ u.l2) - v.l2 ^= t - u.l2 ^= t - t = m & (v.l3 ^ u.l3) - v.l3 ^= t - u.l3 ^= t - t = m & (v.l4 ^ u.l4) - v.l4 ^= t - u.l4 ^= t -} - -// IsNegative returns 1 if v is negative, and 0 otherwise. -func (v *Element) IsNegative() int { - return int(v.Bytes()[0] & 1) -} - -// Absolute sets v to |u|, and returns v. -func (v *Element) Absolute(u *Element) *Element { - return v.Select(new(Element).Negate(u), u, u.IsNegative()) -} - -// Multiply sets v = x * y, and returns v. -func (v *Element) Multiply(x, y *Element) *Element { - feMul(v, x, y) - return v -} - -// Square sets v = x * x, and returns v. -func (v *Element) Square(x *Element) *Element { - feSquare(v, x) - return v -} - -// Mult32 sets v = x * y, and returns v. -func (v *Element) Mult32(x *Element, y uint32) *Element { - x0lo, x0hi := mul51(x.l0, y) - x1lo, x1hi := mul51(x.l1, y) - x2lo, x2hi := mul51(x.l2, y) - x3lo, x3hi := mul51(x.l3, y) - x4lo, x4hi := mul51(x.l4, y) - v.l0 = x0lo + 19*x4hi // carried over per the reduction identity - v.l1 = x1lo + x0hi - v.l2 = x2lo + x1hi - v.l3 = x3lo + x2hi - v.l4 = x4lo + x3hi - // The hi portions are going to be only 32 bits, plus any previous excess, - // so we can skip the carry propagation. - return v -} - -// mul51 returns lo + hi * 2⁵¹ = a * b. -func mul51(a uint64, b uint32) (lo uint64, hi uint64) { - mh, ml := bits.Mul64(a, uint64(b)) - lo = ml & maskLow51Bits - hi = (mh << 13) | (ml >> 51) - return -} - -// Pow22523 set v = x^((p-5)/8), and returns v. (p-5)/8 is 2^252-3. -func (v *Element) Pow22523(x *Element) *Element { - var t0, t1, t2 Element - - t0.Square(x) // x^2 - t1.Square(&t0) // x^4 - t1.Square(&t1) // x^8 - t1.Multiply(x, &t1) // x^9 - t0.Multiply(&t0, &t1) // x^11 - t0.Square(&t0) // x^22 - t0.Multiply(&t1, &t0) // x^31 - t1.Square(&t0) // x^62 - for i := 1; i < 5; i++ { // x^992 - t1.Square(&t1) - } - t0.Multiply(&t1, &t0) // x^1023 -> 1023 = 2^10 - 1 - t1.Square(&t0) // 2^11 - 2 - for i := 1; i < 10; i++ { // 2^20 - 2^10 - t1.Square(&t1) - } - t1.Multiply(&t1, &t0) // 2^20 - 1 - t2.Square(&t1) // 2^21 - 2 - for i := 1; i < 20; i++ { // 2^40 - 2^20 - t2.Square(&t2) - } - t1.Multiply(&t2, &t1) // 2^40 - 1 - t1.Square(&t1) // 2^41 - 2 - for i := 1; i < 10; i++ { // 2^50 - 2^10 - t1.Square(&t1) - } - t0.Multiply(&t1, &t0) // 2^50 - 1 - t1.Square(&t0) // 2^51 - 2 - for i := 1; i < 50; i++ { // 2^100 - 2^50 - t1.Square(&t1) - } - t1.Multiply(&t1, &t0) // 2^100 - 1 - t2.Square(&t1) // 2^101 - 2 - for i := 1; i < 100; i++ { // 2^200 - 2^100 - t2.Square(&t2) - } - t1.Multiply(&t2, &t1) // 2^200 - 1 - t1.Square(&t1) // 2^201 - 2 - for i := 1; i < 50; i++ { // 2^250 - 2^50 - t1.Square(&t1) - } - t0.Multiply(&t1, &t0) // 2^250 - 1 - t0.Square(&t0) // 2^251 - 2 - t0.Square(&t0) // 2^252 - 4 - return v.Multiply(&t0, x) // 2^252 - 3 -> x^(2^252-3) -} - -// sqrtM1 is 2^((p-1)/4), which squared is equal to -1 by Euler's Criterion. -var sqrtM1 = &Element{1718705420411056, 234908883556509, - 2233514472574048, 2117202627021982, 765476049583133} - -// SqrtRatio sets r to the non-negative square root of the ratio of u and v. -// -// If u/v is square, SqrtRatio returns r and 1. If u/v is not square, SqrtRatio -// sets r according to Section 4.3 of draft-irtf-cfrg-ristretto255-decaf448-00, -// and returns r and 0. -func (r *Element) SqrtRatio(u, v *Element) (R *Element, wasSquare int) { - t0 := new(Element) - - // r = (u * v3) * (u * v7)^((p-5)/8) - v2 := new(Element).Square(v) - uv3 := new(Element).Multiply(u, t0.Multiply(v2, v)) - uv7 := new(Element).Multiply(uv3, t0.Square(v2)) - rr := new(Element).Multiply(uv3, t0.Pow22523(uv7)) - - check := new(Element).Multiply(v, t0.Square(rr)) // check = v * r^2 - - uNeg := new(Element).Negate(u) - correctSignSqrt := check.Equal(u) - flippedSignSqrt := check.Equal(uNeg) - flippedSignSqrtI := check.Equal(t0.Multiply(uNeg, sqrtM1)) - - rPrime := new(Element).Multiply(rr, sqrtM1) // r_prime = SQRT_M1 * r - // r = CT_SELECT(r_prime IF flipped_sign_sqrt | flipped_sign_sqrt_i ELSE r) - rr.Select(rPrime, rr, flippedSignSqrt|flippedSignSqrtI) - - r.Absolute(rr) // Choose the nonnegative square root. - return r, correctSignSqrt | flippedSignSqrt -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_amd64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_amd64.go deleted file mode 100644 index 00bf8f44792..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_amd64.go +++ /dev/null @@ -1,15 +0,0 @@ -// Code generated by command: go run fe_amd64_asm.go -out ../fe_amd64.s -stubs ../fe_amd64.go -pkg field. DO NOT EDIT. - -//go:build !purego - -package field - -// feMul sets out = a * b. It works like feMulGeneric. -// -//go:noescape -func feMul(out *Element, a *Element, b *Element) - -// feSquare sets out = a * a. It works like feSquareGeneric. -// -//go:noescape -func feSquare(out *Element, a *Element) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_amd64.s deleted file mode 100644 index 5e06e242ed8..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_amd64.s +++ /dev/null @@ -1,398 +0,0 @@ -// Code generated by command: go run fe_amd64_asm.go -out ../fe_amd64.s -stubs ../fe_amd64.go -pkg field. DO NOT EDIT. - -//go:build !purego - -#include "textflag.h" - -// func feMul(out *Element, a *Element, b *Element) -TEXT ·feMul(SB), NOSPLIT, $0-24 - MOVQ a+8(FP), CX - MOVQ b+16(FP), BX - - // r0 = a0×b0 - MOVQ (CX), AX - MULQ (BX) - MOVQ AX, DI - MOVQ DX, SI - - // r0 += 19×a1×b4 - MOVQ 8(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 32(BX) - ADDQ AX, DI - ADCQ DX, SI - - // r0 += 19×a2×b3 - MOVQ 16(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 24(BX) - ADDQ AX, DI - ADCQ DX, SI - - // r0 += 19×a3×b2 - MOVQ 24(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 16(BX) - ADDQ AX, DI - ADCQ DX, SI - - // r0 += 19×a4×b1 - MOVQ 32(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 8(BX) - ADDQ AX, DI - ADCQ DX, SI - - // r1 = a0×b1 - MOVQ (CX), AX - MULQ 8(BX) - MOVQ AX, R9 - MOVQ DX, R8 - - // r1 += a1×b0 - MOVQ 8(CX), AX - MULQ (BX) - ADDQ AX, R9 - ADCQ DX, R8 - - // r1 += 19×a2×b4 - MOVQ 16(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 32(BX) - ADDQ AX, R9 - ADCQ DX, R8 - - // r1 += 19×a3×b3 - MOVQ 24(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 24(BX) - ADDQ AX, R9 - ADCQ DX, R8 - - // r1 += 19×a4×b2 - MOVQ 32(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 16(BX) - ADDQ AX, R9 - ADCQ DX, R8 - - // r2 = a0×b2 - MOVQ (CX), AX - MULQ 16(BX) - MOVQ AX, R11 - MOVQ DX, R10 - - // r2 += a1×b1 - MOVQ 8(CX), AX - MULQ 8(BX) - ADDQ AX, R11 - ADCQ DX, R10 - - // r2 += a2×b0 - MOVQ 16(CX), AX - MULQ (BX) - ADDQ AX, R11 - ADCQ DX, R10 - - // r2 += 19×a3×b4 - MOVQ 24(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 32(BX) - ADDQ AX, R11 - ADCQ DX, R10 - - // r2 += 19×a4×b3 - MOVQ 32(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 24(BX) - ADDQ AX, R11 - ADCQ DX, R10 - - // r3 = a0×b3 - MOVQ (CX), AX - MULQ 24(BX) - MOVQ AX, R13 - MOVQ DX, R12 - - // r3 += a1×b2 - MOVQ 8(CX), AX - MULQ 16(BX) - ADDQ AX, R13 - ADCQ DX, R12 - - // r3 += a2×b1 - MOVQ 16(CX), AX - MULQ 8(BX) - ADDQ AX, R13 - ADCQ DX, R12 - - // r3 += a3×b0 - MOVQ 24(CX), AX - MULQ (BX) - ADDQ AX, R13 - ADCQ DX, R12 - - // r3 += 19×a4×b4 - MOVQ 32(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 32(BX) - ADDQ AX, R13 - ADCQ DX, R12 - - // r4 = a0×b4 - MOVQ (CX), AX - MULQ 32(BX) - MOVQ AX, R15 - MOVQ DX, R14 - - // r4 += a1×b3 - MOVQ 8(CX), AX - MULQ 24(BX) - ADDQ AX, R15 - ADCQ DX, R14 - - // r4 += a2×b2 - MOVQ 16(CX), AX - MULQ 16(BX) - ADDQ AX, R15 - ADCQ DX, R14 - - // r4 += a3×b1 - MOVQ 24(CX), AX - MULQ 8(BX) - ADDQ AX, R15 - ADCQ DX, R14 - - // r4 += a4×b0 - MOVQ 32(CX), AX - MULQ (BX) - ADDQ AX, R15 - ADCQ DX, R14 - - // First reduction chain - MOVQ $0x0007ffffffffffff, AX - SHLQ $0x0d, DI, SI - SHLQ $0x0d, R9, R8 - SHLQ $0x0d, R11, R10 - SHLQ $0x0d, R13, R12 - SHLQ $0x0d, R15, R14 - ANDQ AX, DI - IMUL3Q $0x13, R14, R14 - ADDQ R14, DI - ANDQ AX, R9 - ADDQ SI, R9 - ANDQ AX, R11 - ADDQ R8, R11 - ANDQ AX, R13 - ADDQ R10, R13 - ANDQ AX, R15 - ADDQ R12, R15 - - // Second reduction chain (carryPropagate) - MOVQ DI, SI - SHRQ $0x33, SI - MOVQ R9, R8 - SHRQ $0x33, R8 - MOVQ R11, R10 - SHRQ $0x33, R10 - MOVQ R13, R12 - SHRQ $0x33, R12 - MOVQ R15, R14 - SHRQ $0x33, R14 - ANDQ AX, DI - IMUL3Q $0x13, R14, R14 - ADDQ R14, DI - ANDQ AX, R9 - ADDQ SI, R9 - ANDQ AX, R11 - ADDQ R8, R11 - ANDQ AX, R13 - ADDQ R10, R13 - ANDQ AX, R15 - ADDQ R12, R15 - - // Store output - MOVQ out+0(FP), AX - MOVQ DI, (AX) - MOVQ R9, 8(AX) - MOVQ R11, 16(AX) - MOVQ R13, 24(AX) - MOVQ R15, 32(AX) - RET - -// func feSquare(out *Element, a *Element) -TEXT ·feSquare(SB), NOSPLIT, $0-16 - MOVQ a+8(FP), CX - - // r0 = l0×l0 - MOVQ (CX), AX - MULQ (CX) - MOVQ AX, SI - MOVQ DX, BX - - // r0 += 38×l1×l4 - MOVQ 8(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - SHLQ $0x01, AX - MULQ 32(CX) - ADDQ AX, SI - ADCQ DX, BX - - // r0 += 38×l2×l3 - MOVQ 16(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - SHLQ $0x01, AX - MULQ 24(CX) - ADDQ AX, SI - ADCQ DX, BX - - // r1 = 2×l0×l1 - MOVQ (CX), AX - SHLQ $0x01, AX - MULQ 8(CX) - MOVQ AX, R8 - MOVQ DX, DI - - // r1 += 38×l2×l4 - MOVQ 16(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - SHLQ $0x01, AX - MULQ 32(CX) - ADDQ AX, R8 - ADCQ DX, DI - - // r1 += 19×l3×l3 - MOVQ 24(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 24(CX) - ADDQ AX, R8 - ADCQ DX, DI - - // r2 = 2×l0×l2 - MOVQ (CX), AX - SHLQ $0x01, AX - MULQ 16(CX) - MOVQ AX, R10 - MOVQ DX, R9 - - // r2 += l1×l1 - MOVQ 8(CX), AX - MULQ 8(CX) - ADDQ AX, R10 - ADCQ DX, R9 - - // r2 += 38×l3×l4 - MOVQ 24(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - SHLQ $0x01, AX - MULQ 32(CX) - ADDQ AX, R10 - ADCQ DX, R9 - - // r3 = 2×l0×l3 - MOVQ (CX), AX - SHLQ $0x01, AX - MULQ 24(CX) - MOVQ AX, R12 - MOVQ DX, R11 - - // r3 += 2×l1×l2 - MOVQ 8(CX), AX - SHLQ $0x01, AX - MULQ 16(CX) - ADDQ AX, R12 - ADCQ DX, R11 - - // r3 += 19×l4×l4 - MOVQ 32(CX), DX - LEAQ (DX)(DX*8), AX - LEAQ (DX)(AX*2), AX - MULQ 32(CX) - ADDQ AX, R12 - ADCQ DX, R11 - - // r4 = 2×l0×l4 - MOVQ (CX), AX - SHLQ $0x01, AX - MULQ 32(CX) - MOVQ AX, R14 - MOVQ DX, R13 - - // r4 += 2×l1×l3 - MOVQ 8(CX), AX - SHLQ $0x01, AX - MULQ 24(CX) - ADDQ AX, R14 - ADCQ DX, R13 - - // r4 += l2×l2 - MOVQ 16(CX), AX - MULQ 16(CX) - ADDQ AX, R14 - ADCQ DX, R13 - - // First reduction chain - MOVQ $0x0007ffffffffffff, AX - SHLQ $0x0d, SI, BX - SHLQ $0x0d, R8, DI - SHLQ $0x0d, R10, R9 - SHLQ $0x0d, R12, R11 - SHLQ $0x0d, R14, R13 - ANDQ AX, SI - IMUL3Q $0x13, R13, R13 - ADDQ R13, SI - ANDQ AX, R8 - ADDQ BX, R8 - ANDQ AX, R10 - ADDQ DI, R10 - ANDQ AX, R12 - ADDQ R9, R12 - ANDQ AX, R14 - ADDQ R11, R14 - - // Second reduction chain (carryPropagate) - MOVQ SI, BX - SHRQ $0x33, BX - MOVQ R8, DI - SHRQ $0x33, DI - MOVQ R10, R9 - SHRQ $0x33, R9 - MOVQ R12, R11 - SHRQ $0x33, R11 - MOVQ R14, R13 - SHRQ $0x33, R13 - ANDQ AX, SI - IMUL3Q $0x13, R13, R13 - ADDQ R13, SI - ANDQ AX, R8 - ADDQ BX, R8 - ANDQ AX, R10 - ADDQ DI, R10 - ANDQ AX, R12 - ADDQ R9, R12 - ANDQ AX, R14 - ADDQ R11, R14 - - // Store output - MOVQ out+0(FP), AX - MOVQ SI, (AX) - MOVQ R8, 8(AX) - MOVQ R10, 16(AX) - MOVQ R12, 24(AX) - MOVQ R14, 32(AX) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_amd64_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_amd64_noasm.go deleted file mode 100644 index 4b81f25d1d0..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_amd64_noasm.go +++ /dev/null @@ -1,11 +0,0 @@ -// Copyright (c) 2019 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !amd64 || purego - -package field - -func feMul(v, x, y *Element) { feMulGeneric(v, x, y) } - -func feSquare(v, x *Element) { feSquareGeneric(v, x) } diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_generic.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_generic.go deleted file mode 100644 index ef1f15a5dc0..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/fe_generic.go +++ /dev/null @@ -1,272 +0,0 @@ -// Copyright (c) 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package field - -import "math/bits" - -// uint128 holds a 128-bit number as two 64-bit limbs, for use with the -// bits.Mul64 and bits.Add64 intrinsics. -type uint128 struct { - lo, hi uint64 -} - -// mul returns a * b. -func mul(a, b uint64) uint128 { - hi, lo := bits.Mul64(a, b) - return uint128{lo, hi} -} - -// addMul returns v + a * b. -func addMul(v uint128, a, b uint64) uint128 { - hi, lo := bits.Mul64(a, b) - lo, c := bits.Add64(lo, v.lo, 0) - hi, _ = bits.Add64(hi, v.hi, c) - return uint128{lo, hi} -} - -// mul19 returns v * 19. -func mul19(v uint64) uint64 { - // Using this approach seems to yield better optimizations than *19. - return v + (v+v<<3)<<1 -} - -// addMul19 returns v + 19 * a * b, where a and b are at most 52 bits. -func addMul19(v uint128, a, b uint64) uint128 { - hi, lo := bits.Mul64(mul19(a), b) - lo, c := bits.Add64(lo, v.lo, 0) - hi, _ = bits.Add64(hi, v.hi, c) - return uint128{lo, hi} -} - -// addMul38 returns v + 38 * a * b, where a and b are at most 52 bits. -func addMul38(v uint128, a, b uint64) uint128 { - hi, lo := bits.Mul64(mul19(a), b*2) - lo, c := bits.Add64(lo, v.lo, 0) - hi, _ = bits.Add64(hi, v.hi, c) - return uint128{lo, hi} -} - -// shiftRightBy51 returns a >> 51. a is assumed to be at most 115 bits. -func shiftRightBy51(a uint128) uint64 { - return (a.hi << (64 - 51)) | (a.lo >> 51) -} - -func feMulGeneric(v, a, b *Element) { - a0 := a.l0 - a1 := a.l1 - a2 := a.l2 - a3 := a.l3 - a4 := a.l4 - - b0 := b.l0 - b1 := b.l1 - b2 := b.l2 - b3 := b.l3 - b4 := b.l4 - - // Limb multiplication works like pen-and-paper columnar multiplication, but - // with 51-bit limbs instead of digits. - // - // a4 a3 a2 a1 a0 x - // b4 b3 b2 b1 b0 = - // ------------------------ - // a4b0 a3b0 a2b0 a1b0 a0b0 + - // a4b1 a3b1 a2b1 a1b1 a0b1 + - // a4b2 a3b2 a2b2 a1b2 a0b2 + - // a4b3 a3b3 a2b3 a1b3 a0b3 + - // a4b4 a3b4 a2b4 a1b4 a0b4 = - // ---------------------------------------------- - // r8 r7 r6 r5 r4 r3 r2 r1 r0 - // - // We can then use the reduction identity (a * 2²⁵⁵ + b = a * 19 + b) to - // reduce the limbs that would overflow 255 bits. r5 * 2²⁵⁵ becomes 19 * r5, - // r6 * 2³⁰⁶ becomes 19 * r6 * 2⁵¹, etc. - // - // Reduction can be carried out simultaneously to multiplication. For - // example, we do not compute r5: whenever the result of a multiplication - // belongs to r5, like a1b4, we multiply it by 19 and add the result to r0. - // - // a4b0 a3b0 a2b0 a1b0 a0b0 + - // a3b1 a2b1 a1b1 a0b1 19×a4b1 + - // a2b2 a1b2 a0b2 19×a4b2 19×a3b2 + - // a1b3 a0b3 19×a4b3 19×a3b3 19×a2b3 + - // a0b4 19×a4b4 19×a3b4 19×a2b4 19×a1b4 = - // -------------------------------------- - // r4 r3 r2 r1 r0 - // - // Finally we add up the columns into wide, overlapping limbs. - - // r0 = a0×b0 + 19×(a1×b4 + a2×b3 + a3×b2 + a4×b1) - r0 := mul(a0, b0) - r0 = addMul19(r0, a1, b4) - r0 = addMul19(r0, a2, b3) - r0 = addMul19(r0, a3, b2) - r0 = addMul19(r0, a4, b1) - - // r1 = a0×b1 + a1×b0 + 19×(a2×b4 + a3×b3 + a4×b2) - r1 := mul(a0, b1) - r1 = addMul(r1, a1, b0) - r1 = addMul19(r1, a2, b4) - r1 = addMul19(r1, a3, b3) - r1 = addMul19(r1, a4, b2) - - // r2 = a0×b2 + a1×b1 + a2×b0 + 19×(a3×b4 + a4×b3) - r2 := mul(a0, b2) - r2 = addMul(r2, a1, b1) - r2 = addMul(r2, a2, b0) - r2 = addMul19(r2, a3, b4) - r2 = addMul19(r2, a4, b3) - - // r3 = a0×b3 + a1×b2 + a2×b1 + a3×b0 + 19×a4×b4 - r3 := mul(a0, b3) - r3 = addMul(r3, a1, b2) - r3 = addMul(r3, a2, b1) - r3 = addMul(r3, a3, b0) - r3 = addMul19(r3, a4, b4) - - // r4 = a0×b4 + a1×b3 + a2×b2 + a3×b1 + a4×b0 - r4 := mul(a0, b4) - r4 = addMul(r4, a1, b3) - r4 = addMul(r4, a2, b2) - r4 = addMul(r4, a3, b1) - r4 = addMul(r4, a4, b0) - - // After the multiplication, we need to reduce (carry) the five coefficients - // to obtain a result with limbs that are at most slightly larger than 2⁵¹, - // to respect the Element invariant. - // - // Overall, the reduction works the same as carryPropagate, except with - // wider inputs: we take the carry for each coefficient by shifting it right - // by 51, and add it to the limb above it. The top carry is multiplied by 19 - // according to the reduction identity and added to the lowest limb. - // - // The largest coefficient (r0) will be at most 111 bits, which guarantees - // that all carries are at most 111 - 51 = 60 bits, which fits in a uint64. - // - // r0 = a0×b0 + 19×(a1×b4 + a2×b3 + a3×b2 + a4×b1) - // r0 < 2⁵²×2⁵² + 19×(2⁵²×2⁵² + 2⁵²×2⁵² + 2⁵²×2⁵² + 2⁵²×2⁵²) - // r0 < (1 + 19 × 4) × 2⁵² × 2⁵² - // r0 < 2⁷ × 2⁵² × 2⁵² - // r0 < 2¹¹¹ - // - // Moreover, the top coefficient (r4) is at most 107 bits, so c4 is at most - // 56 bits, and c4 * 19 is at most 61 bits, which again fits in a uint64 and - // allows us to easily apply the reduction identity. - // - // r4 = a0×b4 + a1×b3 + a2×b2 + a3×b1 + a4×b0 - // r4 < 5 × 2⁵² × 2⁵² - // r4 < 2¹⁰⁷ - // - - c0 := shiftRightBy51(r0) - c1 := shiftRightBy51(r1) - c2 := shiftRightBy51(r2) - c3 := shiftRightBy51(r3) - c4 := shiftRightBy51(r4) - - rr0 := r0.lo&maskLow51Bits + mul19(c4) - rr1 := r1.lo&maskLow51Bits + c0 - rr2 := r2.lo&maskLow51Bits + c1 - rr3 := r3.lo&maskLow51Bits + c2 - rr4 := r4.lo&maskLow51Bits + c3 - - // Now all coefficients fit into 64-bit registers but are still too large to - // be passed around as an Element. We therefore do one last carry chain, - // where the carries will be small enough to fit in the wiggle room above 2⁵¹. - - v.l0 = rr0&maskLow51Bits + mul19(rr4>>51) - v.l1 = rr1&maskLow51Bits + rr0>>51 - v.l2 = rr2&maskLow51Bits + rr1>>51 - v.l3 = rr3&maskLow51Bits + rr2>>51 - v.l4 = rr4&maskLow51Bits + rr3>>51 -} - -func feSquareGeneric(v, a *Element) { - l0 := a.l0 - l1 := a.l1 - l2 := a.l2 - l3 := a.l3 - l4 := a.l4 - - // Squaring works precisely like multiplication above, but thanks to its - // symmetry we get to group a few terms together. - // - // l4 l3 l2 l1 l0 x - // l4 l3 l2 l1 l0 = - // ------------------------ - // l4l0 l3l0 l2l0 l1l0 l0l0 + - // l4l1 l3l1 l2l1 l1l1 l0l1 + - // l4l2 l3l2 l2l2 l1l2 l0l2 + - // l4l3 l3l3 l2l3 l1l3 l0l3 + - // l4l4 l3l4 l2l4 l1l4 l0l4 = - // ---------------------------------------------- - // r8 r7 r6 r5 r4 r3 r2 r1 r0 - // - // l4l0 l3l0 l2l0 l1l0 l0l0 + - // l3l1 l2l1 l1l1 l0l1 19×l4l1 + - // l2l2 l1l2 l0l2 19×l4l2 19×l3l2 + - // l1l3 l0l3 19×l4l3 19×l3l3 19×l2l3 + - // l0l4 19×l4l4 19×l3l4 19×l2l4 19×l1l4 = - // -------------------------------------- - // r4 r3 r2 r1 r0 - - // r0 = l0×l0 + 19×(l1×l4 + l2×l3 + l3×l2 + l4×l1) = l0×l0 + 19×2×(l1×l4 + l2×l3) - r0 := mul(l0, l0) - r0 = addMul38(r0, l1, l4) - r0 = addMul38(r0, l2, l3) - - // r1 = l0×l1 + l1×l0 + 19×(l2×l4 + l3×l3 + l4×l2) = 2×l0×l1 + 19×2×l2×l4 + 19×l3×l3 - r1 := mul(l0*2, l1) - r1 = addMul38(r1, l2, l4) - r1 = addMul19(r1, l3, l3) - - // r2 = l0×l2 + l1×l1 + l2×l0 + 19×(l3×l4 + l4×l3) = 2×l0×l2 + l1×l1 + 19×2×l3×l4 - r2 := mul(l0*2, l2) - r2 = addMul(r2, l1, l1) - r2 = addMul38(r2, l3, l4) - - // r3 = l0×l3 + l1×l2 + l2×l1 + l3×l0 + 19×l4×l4 = 2×l0×l3 + 2×l1×l2 + 19×l4×l4 - r3 := mul(l0*2, l3) - r3 = addMul(r3, l1*2, l2) - r3 = addMul19(r3, l4, l4) - - // r4 = l0×l4 + l1×l3 + l2×l2 + l3×l1 + l4×l0 = 2×l0×l4 + 2×l1×l3 + l2×l2 - r4 := mul(l0*2, l4) - r4 = addMul(r4, l1*2, l3) - r4 = addMul(r4, l2, l2) - - c0 := shiftRightBy51(r0) - c1 := shiftRightBy51(r1) - c2 := shiftRightBy51(r2) - c3 := shiftRightBy51(r3) - c4 := shiftRightBy51(r4) - - rr0 := r0.lo&maskLow51Bits + mul19(c4) - rr1 := r1.lo&maskLow51Bits + c0 - rr2 := r2.lo&maskLow51Bits + c1 - rr3 := r3.lo&maskLow51Bits + c2 - rr4 := r4.lo&maskLow51Bits + c3 - - v.l0 = rr0&maskLow51Bits + mul19(rr4>>51) - v.l1 = rr1&maskLow51Bits + rr0>>51 - v.l2 = rr2&maskLow51Bits + rr1>>51 - v.l3 = rr3&maskLow51Bits + rr2>>51 - v.l4 = rr4&maskLow51Bits + rr3>>51 -} - -// carryPropagate brings the limbs below 52 bits by applying the reduction -// identity (a * 2²⁵⁵ + b = a * 19 + b) to the l4 carry. -func (v *Element) carryPropagate() *Element { - // (l4>>51) is at most 64 - 51 = 13 bits, so (l4>>51)*19 is at most 18 bits, and - // the final l0 will be at most 52 bits. Similarly for the rest. - l0 := v.l0 - v.l0 = v.l0&maskLow51Bits + mul19(v.l4>>51) - v.l4 = v.l4&maskLow51Bits + v.l3>>51 - v.l3 = v.l3&maskLow51Bits + v.l2>>51 - v.l2 = v.l2&maskLow51Bits + v.l1>>51 - v.l1 = v.l1&maskLow51Bits + l0>>51 - - return v -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/ya.make deleted file mode 100644 index c9f5cef5237..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/field/ya.make +++ /dev/null @@ -1,21 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - fe.go - fe_amd64_noasm.go - fe_generic.go - ) -ELSEIF (OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - fe.go - fe_amd64.go - fe_amd64.s - fe_generic.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/scalar.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/scalar.go deleted file mode 100644 index 22bbebfbb41..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/scalar.go +++ /dev/null @@ -1,352 +0,0 @@ -// Copyright (c) 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package edwards25519 - -import ( - "crypto/internal/fips140deps/byteorder" - "errors" - "math/bits" -) - -// A Scalar is an integer modulo -// -// l = 2^252 + 27742317777372353535851937790883648493 -// -// which is the prime order of the edwards25519 group. -// -// This type works similarly to math/big.Int, and all arguments and -// receivers are allowed to alias. -// -// The zero value is a valid zero element. -type Scalar struct { - // s is the scalar in the Montgomery domain, in the format of the - // fiat-crypto implementation. - s fiatScalarMontgomeryDomainFieldElement -} - -// The field implementation in scalar_fiat.go is generated by the fiat-crypto -// project (https://github.com/mit-plv/fiat-crypto) at version v0.0.9 (23d2dbc) -// from a formally verified model. -// -// fiat-crypto code comes under the following license. -// -// Copyright (c) 2015-2020 The fiat-crypto Authors. All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are -// met: -// -// 1. Redistributions of source code must retain the above copyright -// notice, this list of conditions and the following disclaimer. -// -// THIS SOFTWARE IS PROVIDED BY the fiat-crypto authors "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, -// THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -// PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Berkeley Software Design, -// Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -// EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// - -// NewScalar returns a new zero Scalar. -func NewScalar() *Scalar { - return &Scalar{} -} - -// MultiplyAdd sets s = x * y + z mod l, and returns s. It is equivalent to -// using Multiply and then Add. -func (s *Scalar) MultiplyAdd(x, y, z *Scalar) *Scalar { - // Make a copy of z in case it aliases s. - zCopy := new(Scalar).Set(z) - return s.Multiply(x, y).Add(s, zCopy) -} - -// Add sets s = x + y mod l, and returns s. -func (s *Scalar) Add(x, y *Scalar) *Scalar { - // s = 1 * x + y mod l - fiatScalarAdd(&s.s, &x.s, &y.s) - return s -} - -// Subtract sets s = x - y mod l, and returns s. -func (s *Scalar) Subtract(x, y *Scalar) *Scalar { - // s = -1 * y + x mod l - fiatScalarSub(&s.s, &x.s, &y.s) - return s -} - -// Negate sets s = -x mod l, and returns s. -func (s *Scalar) Negate(x *Scalar) *Scalar { - // s = -1 * x + 0 mod l - fiatScalarOpp(&s.s, &x.s) - return s -} - -// Multiply sets s = x * y mod l, and returns s. -func (s *Scalar) Multiply(x, y *Scalar) *Scalar { - // s = x * y + 0 mod l - fiatScalarMul(&s.s, &x.s, &y.s) - return s -} - -// Set sets s = x, and returns s. -func (s *Scalar) Set(x *Scalar) *Scalar { - *s = *x - return s -} - -// SetUniformBytes sets s = x mod l, where x is a 64-byte little-endian integer. -// If x is not of the right length, SetUniformBytes returns nil and an error, -// and the receiver is unchanged. -// -// SetUniformBytes can be used to set s to a uniformly distributed value given -// 64 uniformly distributed random bytes. -func (s *Scalar) SetUniformBytes(x []byte) (*Scalar, error) { - if len(x) != 64 { - return nil, errors.New("edwards25519: invalid SetUniformBytes input length") - } - - // We have a value x of 512 bits, but our fiatScalarFromBytes function - // expects an input lower than l, which is a little over 252 bits. - // - // Instead of writing a reduction function that operates on wider inputs, we - // can interpret x as the sum of three shorter values a, b, and c. - // - // x = a + b * 2^168 + c * 2^336 mod l - // - // We then precompute 2^168 and 2^336 modulo l, and perform the reduction - // with two multiplications and two additions. - - s.setShortBytes(x[:21]) - t := new(Scalar).setShortBytes(x[21:42]) - s.Add(s, t.Multiply(t, scalarTwo168)) - t.setShortBytes(x[42:]) - s.Add(s, t.Multiply(t, scalarTwo336)) - - return s, nil -} - -// scalarTwo168 and scalarTwo336 are 2^168 and 2^336 modulo l, encoded as a -// fiatScalarMontgomeryDomainFieldElement, which is a little-endian 4-limb value -// in the 2^256 Montgomery domain. -var scalarTwo168 = &Scalar{s: [4]uint64{0x5b8ab432eac74798, 0x38afddd6de59d5d7, - 0xa2c131b399411b7c, 0x6329a7ed9ce5a30}} -var scalarTwo336 = &Scalar{s: [4]uint64{0xbd3d108e2b35ecc5, 0x5c3a3718bdf9c90b, - 0x63aa97a331b4f2ee, 0x3d217f5be65cb5c}} - -// setShortBytes sets s = x mod l, where x is a little-endian integer shorter -// than 32 bytes. -func (s *Scalar) setShortBytes(x []byte) *Scalar { - if len(x) >= 32 { - panic("edwards25519: internal error: setShortBytes called with a long string") - } - var buf [32]byte - copy(buf[:], x) - fiatScalarFromBytes((*[4]uint64)(&s.s), &buf) - fiatScalarToMontgomery(&s.s, (*fiatScalarNonMontgomeryDomainFieldElement)(&s.s)) - return s -} - -// SetCanonicalBytes sets s = x, where x is a 32-byte little-endian encoding of -// s, and returns s. If x is not a canonical encoding of s, SetCanonicalBytes -// returns nil and an error, and the receiver is unchanged. -func (s *Scalar) SetCanonicalBytes(x []byte) (*Scalar, error) { - if len(x) != 32 { - return nil, errors.New("invalid scalar length") - } - if !isReduced(x) { - return nil, errors.New("invalid scalar encoding") - } - - fiatScalarFromBytes((*[4]uint64)(&s.s), (*[32]byte)(x)) - fiatScalarToMontgomery(&s.s, (*fiatScalarNonMontgomeryDomainFieldElement)(&s.s)) - - return s, nil -} - -// scalarMinusOneBytes is l - 1 in little endian. -var scalarMinusOneBytes = [32]byte{236, 211, 245, 92, 26, 99, 18, 88, 214, 156, 247, 162, 222, 249, 222, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16} - -// isReduced returns whether the given scalar in 32-byte little endian encoded -// form is reduced modulo l. -func isReduced(s []byte) bool { - if len(s) != 32 { - return false - } - - s0 := byteorder.LEUint64(s[:8]) - s1 := byteorder.LEUint64(s[8:16]) - s2 := byteorder.LEUint64(s[16:24]) - s3 := byteorder.LEUint64(s[24:]) - - l0 := byteorder.LEUint64(scalarMinusOneBytes[:8]) - l1 := byteorder.LEUint64(scalarMinusOneBytes[8:16]) - l2 := byteorder.LEUint64(scalarMinusOneBytes[16:24]) - l3 := byteorder.LEUint64(scalarMinusOneBytes[24:]) - - // Do a constant time subtraction chain scalarMinusOneBytes - s. If there is - // a borrow at the end, then s > scalarMinusOneBytes. - _, b := bits.Sub64(l0, s0, 0) - _, b = bits.Sub64(l1, s1, b) - _, b = bits.Sub64(l2, s2, b) - _, b = bits.Sub64(l3, s3, b) - return b == 0 -} - -// SetBytesWithClamping applies the buffer pruning described in RFC 8032, -// Section 5.1.5 (also known as clamping) and sets s to the result. The input -// must be 32 bytes, and it is not modified. If x is not of the right length, -// SetBytesWithClamping returns nil and an error, and the receiver is unchanged. -// -// Note that since Scalar values are always reduced modulo the prime order of -// the curve, the resulting value will not preserve any of the cofactor-clearing -// properties that clamping is meant to provide. It will however work as -// expected as long as it is applied to points on the prime order subgroup, like -// in Ed25519. In fact, it is lost to history why RFC 8032 adopted the -// irrelevant RFC 7748 clamping, but it is now required for compatibility. -func (s *Scalar) SetBytesWithClamping(x []byte) (*Scalar, error) { - // The description above omits the purpose of the high bits of the clamping - // for brevity, but those are also lost to reductions, and are also - // irrelevant to edwards25519 as they protect against a specific - // implementation bug that was once observed in a generic Montgomery ladder. - if len(x) != 32 { - return nil, errors.New("edwards25519: invalid SetBytesWithClamping input length") - } - - // We need to use the wide reduction from SetUniformBytes, since clamping - // sets the 2^254 bit, making the value higher than the order. - var wideBytes [64]byte - copy(wideBytes[:], x[:]) - wideBytes[0] &= 248 - wideBytes[31] &= 63 - wideBytes[31] |= 64 - return s.SetUniformBytes(wideBytes[:]) -} - -// Bytes returns the canonical 32-byte little-endian encoding of s. -func (s *Scalar) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var encoded [32]byte - return s.bytes(&encoded) -} - -func (s *Scalar) bytes(out *[32]byte) []byte { - var ss fiatScalarNonMontgomeryDomainFieldElement - fiatScalarFromMontgomery(&ss, &s.s) - fiatScalarToBytes(out, (*[4]uint64)(&ss)) - return out[:] -} - -// Equal returns 1 if s and t are equal, and 0 otherwise. -func (s *Scalar) Equal(t *Scalar) int { - var diff fiatScalarMontgomeryDomainFieldElement - fiatScalarSub(&diff, &s.s, &t.s) - var nonzero uint64 - fiatScalarNonzero(&nonzero, (*[4]uint64)(&diff)) - nonzero |= nonzero >> 32 - nonzero |= nonzero >> 16 - nonzero |= nonzero >> 8 - nonzero |= nonzero >> 4 - nonzero |= nonzero >> 2 - nonzero |= nonzero >> 1 - return int(^nonzero) & 1 -} - -// nonAdjacentForm computes a width-w non-adjacent form for this scalar. -// -// w must be between 2 and 8, or nonAdjacentForm will panic. -func (s *Scalar) nonAdjacentForm(w uint) [256]int8 { - // This implementation is adapted from the one - // in curve25519-dalek and is documented there: - // https://github.com/dalek-cryptography/curve25519-dalek/blob/f630041af28e9a405255f98a8a93adca18e4315b/src/scalar.rs#L800-L871 - b := s.Bytes() - if b[31] > 127 { - panic("scalar has high bit set illegally") - } - if w < 2 { - panic("w must be at least 2 by the definition of NAF") - } else if w > 8 { - panic("NAF digits must fit in int8") - } - - var naf [256]int8 - var digits [5]uint64 - - for i := 0; i < 4; i++ { - digits[i] = byteorder.LEUint64(b[i*8:]) - } - - width := uint64(1 << w) - windowMask := uint64(width - 1) - - pos := uint(0) - carry := uint64(0) - for pos < 256 { - indexU64 := pos / 64 - indexBit := pos % 64 - var bitBuf uint64 - if indexBit < 64-w { - // This window's bits are contained in a single u64 - bitBuf = digits[indexU64] >> indexBit - } else { - // Combine the current 64 bits with bits from the next 64 - bitBuf = (digits[indexU64] >> indexBit) | (digits[1+indexU64] << (64 - indexBit)) - } - - // Add carry into the current window - window := carry + (bitBuf & windowMask) - - if window&1 == 0 { - // If the window value is even, preserve the carry and continue. - // Why is the carry preserved? - // If carry == 0 and window & 1 == 0, - // then the next carry should be 0 - // If carry == 1 and window & 1 == 0, - // then bit_buf & 1 == 1 so the next carry should be 1 - pos += 1 - continue - } - - if window < width/2 { - carry = 0 - naf[pos] = int8(window) - } else { - carry = 1 - naf[pos] = int8(window) - int8(width) - } - - pos += w - } - return naf -} - -func (s *Scalar) signedRadix16() [64]int8 { - b := s.Bytes() - if b[31] > 127 { - panic("scalar has high bit set illegally") - } - - var digits [64]int8 - - // Compute unsigned radix-16 digits: - for i := 0; i < 32; i++ { - digits[2*i] = int8(b[i] & 15) - digits[2*i+1] = int8((b[i] >> 4) & 15) - } - - // Recenter coefficients: - for i := 0; i < 63; i++ { - carry := (digits[i] + 8) >> 4 - digits[i] -= carry << 4 - digits[i+1] += carry - } - - return digits -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/scalar_fiat.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/scalar_fiat.go deleted file mode 100644 index 2e5782b6058..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/scalar_fiat.go +++ /dev/null @@ -1,1147 +0,0 @@ -// Code generated by Fiat Cryptography. DO NOT EDIT. -// -// Autogenerated: word_by_word_montgomery --lang Go --cmovznz-by-mul --relax-primitive-carry-to-bitwidth 32,64 --public-function-case camelCase --public-type-case camelCase --private-function-case camelCase --private-type-case camelCase --doc-text-before-function-name '' --doc-newline-before-package-declaration --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --package-name edwards25519 Scalar 64 '2^252 + 27742317777372353535851937790883648493' mul add sub opp nonzero from_montgomery to_montgomery to_bytes from_bytes -// -// curve description: Scalar -// -// machine_wordsize = 64 (from "64") -// -// requested operations: mul, add, sub, opp, nonzero, from_montgomery, to_montgomery, to_bytes, from_bytes -// -// m = 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed (from "2^252 + 27742317777372353535851937790883648493") -// -// -// -// NOTE: In addition to the bounds specified above each function, all -// -// functions synthesized for this Montgomery arithmetic require the -// -// input to be strictly less than the prime modulus (m), and also -// -// require the input to be in the unique saturated representation. -// -// All functions also ensure that these two properties are true of -// -// return values. -// -// -// -// Computed values: -// -// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) -// -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -// -// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in -// -// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 - -package edwards25519 - -import "math/bits" - -type fiatScalarUint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 -type fiatScalarInt1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 - -// The type fiatScalarMontgomeryDomainFieldElement is a field element in the Montgomery domain. -// -// Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -type fiatScalarMontgomeryDomainFieldElement [4]uint64 - -// The type fiatScalarNonMontgomeryDomainFieldElement is a field element NOT in the Montgomery domain. -// -// Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -type fiatScalarNonMontgomeryDomainFieldElement [4]uint64 - -// fiatScalarCmovznzU64 is a single-word conditional move. -// -// Postconditions: -// -// out1 = (if arg1 = 0 then arg2 else arg3) -// -// Input Bounds: -// -// arg1: [0x0 ~> 0x1] -// arg2: [0x0 ~> 0xffffffffffffffff] -// arg3: [0x0 ~> 0xffffffffffffffff] -// -// Output Bounds: -// -// out1: [0x0 ~> 0xffffffffffffffff] -func fiatScalarCmovznzU64(out1 *uint64, arg1 fiatScalarUint1, arg2 uint64, arg3 uint64) { - x1 := (uint64(arg1) * 0xffffffffffffffff) - x2 := ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 -} - -// fiatScalarMul multiplies two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func fiatScalarMul(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement, arg2 *fiatScalarMontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[0] - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, arg2[3]) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, arg2[2]) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, arg2[1]) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, arg2[0]) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Add64(x12, x9, uint64(0x0)) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Add64(x10, x7, uint64(fiatScalarUint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Add64(x8, x5, uint64(fiatScalarUint1(x16))) - x19 := (uint64(fiatScalarUint1(x18)) + x6) - var x20 uint64 - _, x20 = bits.Mul64(x11, 0xd2b51da312547e1b) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x20, 0x1000000000000000) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x20, 0x14def9dea2f79cd6) - var x26 uint64 - var x27 uint64 - x27, x26 = bits.Mul64(x20, 0x5812631a5cf5d3ed) - var x28 uint64 - var x29 uint64 - x28, x29 = bits.Add64(x27, x24, uint64(0x0)) - x30 := (uint64(fiatScalarUint1(x29)) + x25) - var x32 uint64 - _, x32 = bits.Add64(x11, x26, uint64(0x0)) - var x33 uint64 - var x34 uint64 - x33, x34 = bits.Add64(x13, x28, uint64(fiatScalarUint1(x32))) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Add64(x15, x30, uint64(fiatScalarUint1(x34))) - var x37 uint64 - var x38 uint64 - x37, x38 = bits.Add64(x17, x22, uint64(fiatScalarUint1(x36))) - var x39 uint64 - var x40 uint64 - x39, x40 = bits.Add64(x19, x23, uint64(fiatScalarUint1(x38))) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x1, arg2[3]) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, arg2[2]) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, arg2[1]) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x1, arg2[0]) - var x49 uint64 - var x50 uint64 - x49, x50 = bits.Add64(x48, x45, uint64(0x0)) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(x46, x43, uint64(fiatScalarUint1(x50))) - var x53 uint64 - var x54 uint64 - x53, x54 = bits.Add64(x44, x41, uint64(fiatScalarUint1(x52))) - x55 := (uint64(fiatScalarUint1(x54)) + x42) - var x56 uint64 - var x57 uint64 - x56, x57 = bits.Add64(x33, x47, uint64(0x0)) - var x58 uint64 - var x59 uint64 - x58, x59 = bits.Add64(x35, x49, uint64(fiatScalarUint1(x57))) - var x60 uint64 - var x61 uint64 - x60, x61 = bits.Add64(x37, x51, uint64(fiatScalarUint1(x59))) - var x62 uint64 - var x63 uint64 - x62, x63 = bits.Add64(x39, x53, uint64(fiatScalarUint1(x61))) - var x64 uint64 - var x65 uint64 - x64, x65 = bits.Add64(uint64(fiatScalarUint1(x40)), x55, uint64(fiatScalarUint1(x63))) - var x66 uint64 - _, x66 = bits.Mul64(x56, 0xd2b51da312547e1b) - var x68 uint64 - var x69 uint64 - x69, x68 = bits.Mul64(x66, 0x1000000000000000) - var x70 uint64 - var x71 uint64 - x71, x70 = bits.Mul64(x66, 0x14def9dea2f79cd6) - var x72 uint64 - var x73 uint64 - x73, x72 = bits.Mul64(x66, 0x5812631a5cf5d3ed) - var x74 uint64 - var x75 uint64 - x74, x75 = bits.Add64(x73, x70, uint64(0x0)) - x76 := (uint64(fiatScalarUint1(x75)) + x71) - var x78 uint64 - _, x78 = bits.Add64(x56, x72, uint64(0x0)) - var x79 uint64 - var x80 uint64 - x79, x80 = bits.Add64(x58, x74, uint64(fiatScalarUint1(x78))) - var x81 uint64 - var x82 uint64 - x81, x82 = bits.Add64(x60, x76, uint64(fiatScalarUint1(x80))) - var x83 uint64 - var x84 uint64 - x83, x84 = bits.Add64(x62, x68, uint64(fiatScalarUint1(x82))) - var x85 uint64 - var x86 uint64 - x85, x86 = bits.Add64(x64, x69, uint64(fiatScalarUint1(x84))) - x87 := (uint64(fiatScalarUint1(x86)) + uint64(fiatScalarUint1(x65))) - var x88 uint64 - var x89 uint64 - x89, x88 = bits.Mul64(x2, arg2[3]) - var x90 uint64 - var x91 uint64 - x91, x90 = bits.Mul64(x2, arg2[2]) - var x92 uint64 - var x93 uint64 - x93, x92 = bits.Mul64(x2, arg2[1]) - var x94 uint64 - var x95 uint64 - x95, x94 = bits.Mul64(x2, arg2[0]) - var x96 uint64 - var x97 uint64 - x96, x97 = bits.Add64(x95, x92, uint64(0x0)) - var x98 uint64 - var x99 uint64 - x98, x99 = bits.Add64(x93, x90, uint64(fiatScalarUint1(x97))) - var x100 uint64 - var x101 uint64 - x100, x101 = bits.Add64(x91, x88, uint64(fiatScalarUint1(x99))) - x102 := (uint64(fiatScalarUint1(x101)) + x89) - var x103 uint64 - var x104 uint64 - x103, x104 = bits.Add64(x79, x94, uint64(0x0)) - var x105 uint64 - var x106 uint64 - x105, x106 = bits.Add64(x81, x96, uint64(fiatScalarUint1(x104))) - var x107 uint64 - var x108 uint64 - x107, x108 = bits.Add64(x83, x98, uint64(fiatScalarUint1(x106))) - var x109 uint64 - var x110 uint64 - x109, x110 = bits.Add64(x85, x100, uint64(fiatScalarUint1(x108))) - var x111 uint64 - var x112 uint64 - x111, x112 = bits.Add64(x87, x102, uint64(fiatScalarUint1(x110))) - var x113 uint64 - _, x113 = bits.Mul64(x103, 0xd2b51da312547e1b) - var x115 uint64 - var x116 uint64 - x116, x115 = bits.Mul64(x113, 0x1000000000000000) - var x117 uint64 - var x118 uint64 - x118, x117 = bits.Mul64(x113, 0x14def9dea2f79cd6) - var x119 uint64 - var x120 uint64 - x120, x119 = bits.Mul64(x113, 0x5812631a5cf5d3ed) - var x121 uint64 - var x122 uint64 - x121, x122 = bits.Add64(x120, x117, uint64(0x0)) - x123 := (uint64(fiatScalarUint1(x122)) + x118) - var x125 uint64 - _, x125 = bits.Add64(x103, x119, uint64(0x0)) - var x126 uint64 - var x127 uint64 - x126, x127 = bits.Add64(x105, x121, uint64(fiatScalarUint1(x125))) - var x128 uint64 - var x129 uint64 - x128, x129 = bits.Add64(x107, x123, uint64(fiatScalarUint1(x127))) - var x130 uint64 - var x131 uint64 - x130, x131 = bits.Add64(x109, x115, uint64(fiatScalarUint1(x129))) - var x132 uint64 - var x133 uint64 - x132, x133 = bits.Add64(x111, x116, uint64(fiatScalarUint1(x131))) - x134 := (uint64(fiatScalarUint1(x133)) + uint64(fiatScalarUint1(x112))) - var x135 uint64 - var x136 uint64 - x136, x135 = bits.Mul64(x3, arg2[3]) - var x137 uint64 - var x138 uint64 - x138, x137 = bits.Mul64(x3, arg2[2]) - var x139 uint64 - var x140 uint64 - x140, x139 = bits.Mul64(x3, arg2[1]) - var x141 uint64 - var x142 uint64 - x142, x141 = bits.Mul64(x3, arg2[0]) - var x143 uint64 - var x144 uint64 - x143, x144 = bits.Add64(x142, x139, uint64(0x0)) - var x145 uint64 - var x146 uint64 - x145, x146 = bits.Add64(x140, x137, uint64(fiatScalarUint1(x144))) - var x147 uint64 - var x148 uint64 - x147, x148 = bits.Add64(x138, x135, uint64(fiatScalarUint1(x146))) - x149 := (uint64(fiatScalarUint1(x148)) + x136) - var x150 uint64 - var x151 uint64 - x150, x151 = bits.Add64(x126, x141, uint64(0x0)) - var x152 uint64 - var x153 uint64 - x152, x153 = bits.Add64(x128, x143, uint64(fiatScalarUint1(x151))) - var x154 uint64 - var x155 uint64 - x154, x155 = bits.Add64(x130, x145, uint64(fiatScalarUint1(x153))) - var x156 uint64 - var x157 uint64 - x156, x157 = bits.Add64(x132, x147, uint64(fiatScalarUint1(x155))) - var x158 uint64 - var x159 uint64 - x158, x159 = bits.Add64(x134, x149, uint64(fiatScalarUint1(x157))) - var x160 uint64 - _, x160 = bits.Mul64(x150, 0xd2b51da312547e1b) - var x162 uint64 - var x163 uint64 - x163, x162 = bits.Mul64(x160, 0x1000000000000000) - var x164 uint64 - var x165 uint64 - x165, x164 = bits.Mul64(x160, 0x14def9dea2f79cd6) - var x166 uint64 - var x167 uint64 - x167, x166 = bits.Mul64(x160, 0x5812631a5cf5d3ed) - var x168 uint64 - var x169 uint64 - x168, x169 = bits.Add64(x167, x164, uint64(0x0)) - x170 := (uint64(fiatScalarUint1(x169)) + x165) - var x172 uint64 - _, x172 = bits.Add64(x150, x166, uint64(0x0)) - var x173 uint64 - var x174 uint64 - x173, x174 = bits.Add64(x152, x168, uint64(fiatScalarUint1(x172))) - var x175 uint64 - var x176 uint64 - x175, x176 = bits.Add64(x154, x170, uint64(fiatScalarUint1(x174))) - var x177 uint64 - var x178 uint64 - x177, x178 = bits.Add64(x156, x162, uint64(fiatScalarUint1(x176))) - var x179 uint64 - var x180 uint64 - x179, x180 = bits.Add64(x158, x163, uint64(fiatScalarUint1(x178))) - x181 := (uint64(fiatScalarUint1(x180)) + uint64(fiatScalarUint1(x159))) - var x182 uint64 - var x183 uint64 - x182, x183 = bits.Sub64(x173, 0x5812631a5cf5d3ed, uint64(0x0)) - var x184 uint64 - var x185 uint64 - x184, x185 = bits.Sub64(x175, 0x14def9dea2f79cd6, uint64(fiatScalarUint1(x183))) - var x186 uint64 - var x187 uint64 - x186, x187 = bits.Sub64(x177, uint64(0x0), uint64(fiatScalarUint1(x185))) - var x188 uint64 - var x189 uint64 - x188, x189 = bits.Sub64(x179, 0x1000000000000000, uint64(fiatScalarUint1(x187))) - var x191 uint64 - _, x191 = bits.Sub64(x181, uint64(0x0), uint64(fiatScalarUint1(x189))) - var x192 uint64 - fiatScalarCmovznzU64(&x192, fiatScalarUint1(x191), x182, x173) - var x193 uint64 - fiatScalarCmovznzU64(&x193, fiatScalarUint1(x191), x184, x175) - var x194 uint64 - fiatScalarCmovznzU64(&x194, fiatScalarUint1(x191), x186, x177) - var x195 uint64 - fiatScalarCmovznzU64(&x195, fiatScalarUint1(x191), x188, x179) - out1[0] = x192 - out1[1] = x193 - out1[2] = x194 - out1[3] = x195 -} - -// fiatScalarAdd adds two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func fiatScalarAdd(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement, arg2 *fiatScalarMontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Add64(arg1[0], arg2[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Add64(arg1[1], arg2[1], uint64(fiatScalarUint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Add64(arg1[2], arg2[2], uint64(fiatScalarUint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Add64(arg1[3], arg2[3], uint64(fiatScalarUint1(x6))) - var x9 uint64 - var x10 uint64 - x9, x10 = bits.Sub64(x1, 0x5812631a5cf5d3ed, uint64(0x0)) - var x11 uint64 - var x12 uint64 - x11, x12 = bits.Sub64(x3, 0x14def9dea2f79cd6, uint64(fiatScalarUint1(x10))) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Sub64(x5, uint64(0x0), uint64(fiatScalarUint1(x12))) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Sub64(x7, 0x1000000000000000, uint64(fiatScalarUint1(x14))) - var x18 uint64 - _, x18 = bits.Sub64(uint64(fiatScalarUint1(x8)), uint64(0x0), uint64(fiatScalarUint1(x16))) - var x19 uint64 - fiatScalarCmovznzU64(&x19, fiatScalarUint1(x18), x9, x1) - var x20 uint64 - fiatScalarCmovznzU64(&x20, fiatScalarUint1(x18), x11, x3) - var x21 uint64 - fiatScalarCmovznzU64(&x21, fiatScalarUint1(x18), x13, x5) - var x22 uint64 - fiatScalarCmovznzU64(&x22, fiatScalarUint1(x18), x15, x7) - out1[0] = x19 - out1[1] = x20 - out1[2] = x21 - out1[3] = x22 -} - -// fiatScalarSub subtracts two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func fiatScalarSub(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement, arg2 *fiatScalarMontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Sub64(arg1[0], arg2[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Sub64(arg1[1], arg2[1], uint64(fiatScalarUint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Sub64(arg1[2], arg2[2], uint64(fiatScalarUint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Sub64(arg1[3], arg2[3], uint64(fiatScalarUint1(x6))) - var x9 uint64 - fiatScalarCmovznzU64(&x9, fiatScalarUint1(x8), uint64(0x0), 0xffffffffffffffff) - var x10 uint64 - var x11 uint64 - x10, x11 = bits.Add64(x1, (x9 & 0x5812631a5cf5d3ed), uint64(0x0)) - var x12 uint64 - var x13 uint64 - x12, x13 = bits.Add64(x3, (x9 & 0x14def9dea2f79cd6), uint64(fiatScalarUint1(x11))) - var x14 uint64 - var x15 uint64 - x14, x15 = bits.Add64(x5, uint64(0x0), uint64(fiatScalarUint1(x13))) - var x16 uint64 - x16, _ = bits.Add64(x7, (x9 & 0x1000000000000000), uint64(fiatScalarUint1(x15))) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 -} - -// fiatScalarOpp negates a field element in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m -// 0 ≤ eval out1 < m -func fiatScalarOpp(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Sub64(uint64(0x0), arg1[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Sub64(uint64(0x0), arg1[1], uint64(fiatScalarUint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Sub64(uint64(0x0), arg1[2], uint64(fiatScalarUint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Sub64(uint64(0x0), arg1[3], uint64(fiatScalarUint1(x6))) - var x9 uint64 - fiatScalarCmovznzU64(&x9, fiatScalarUint1(x8), uint64(0x0), 0xffffffffffffffff) - var x10 uint64 - var x11 uint64 - x10, x11 = bits.Add64(x1, (x9 & 0x5812631a5cf5d3ed), uint64(0x0)) - var x12 uint64 - var x13 uint64 - x12, x13 = bits.Add64(x3, (x9 & 0x14def9dea2f79cd6), uint64(fiatScalarUint1(x11))) - var x14 uint64 - var x15 uint64 - x14, x15 = bits.Add64(x5, uint64(0x0), uint64(fiatScalarUint1(x13))) - var x16 uint64 - x16, _ = bits.Add64(x7, (x9 & 0x1000000000000000), uint64(fiatScalarUint1(x15))) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 -} - -// fiatScalarNonzero outputs a single non-zero word if the input is non-zero and zero otherwise. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// -// Output Bounds: -// -// out1: [0x0 ~> 0xffffffffffffffff] -func fiatScalarNonzero(out1 *uint64, arg1 *[4]uint64) { - x1 := (arg1[0] | (arg1[1] | (arg1[2] | arg1[3]))) - *out1 = x1 -} - -// fiatScalarFromMontgomery translates a field element out of the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m -// 0 ≤ eval out1 < m -func fiatScalarFromMontgomery(out1 *fiatScalarNonMontgomeryDomainFieldElement, arg1 *fiatScalarMontgomeryDomainFieldElement) { - x1 := arg1[0] - var x2 uint64 - _, x2 = bits.Mul64(x1, 0xd2b51da312547e1b) - var x4 uint64 - var x5 uint64 - x5, x4 = bits.Mul64(x2, 0x1000000000000000) - var x6 uint64 - var x7 uint64 - x7, x6 = bits.Mul64(x2, 0x14def9dea2f79cd6) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x2, 0x5812631a5cf5d3ed) - var x10 uint64 - var x11 uint64 - x10, x11 = bits.Add64(x9, x6, uint64(0x0)) - var x13 uint64 - _, x13 = bits.Add64(x1, x8, uint64(0x0)) - var x14 uint64 - var x15 uint64 - x14, x15 = bits.Add64(uint64(0x0), x10, uint64(fiatScalarUint1(x13))) - var x16 uint64 - var x17 uint64 - x16, x17 = bits.Add64(x14, arg1[1], uint64(0x0)) - var x18 uint64 - _, x18 = bits.Mul64(x16, 0xd2b51da312547e1b) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x18, 0x1000000000000000) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x18, 0x14def9dea2f79cd6) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x18, 0x5812631a5cf5d3ed) - var x26 uint64 - var x27 uint64 - x26, x27 = bits.Add64(x25, x22, uint64(0x0)) - var x29 uint64 - _, x29 = bits.Add64(x16, x24, uint64(0x0)) - var x30 uint64 - var x31 uint64 - x30, x31 = bits.Add64((uint64(fiatScalarUint1(x17)) + (uint64(fiatScalarUint1(x15)) + (uint64(fiatScalarUint1(x11)) + x7))), x26, uint64(fiatScalarUint1(x29))) - var x32 uint64 - var x33 uint64 - x32, x33 = bits.Add64(x4, (uint64(fiatScalarUint1(x27)) + x23), uint64(fiatScalarUint1(x31))) - var x34 uint64 - var x35 uint64 - x34, x35 = bits.Add64(x5, x20, uint64(fiatScalarUint1(x33))) - var x36 uint64 - var x37 uint64 - x36, x37 = bits.Add64(x30, arg1[2], uint64(0x0)) - var x38 uint64 - var x39 uint64 - x38, x39 = bits.Add64(x32, uint64(0x0), uint64(fiatScalarUint1(x37))) - var x40 uint64 - var x41 uint64 - x40, x41 = bits.Add64(x34, uint64(0x0), uint64(fiatScalarUint1(x39))) - var x42 uint64 - _, x42 = bits.Mul64(x36, 0xd2b51da312547e1b) - var x44 uint64 - var x45 uint64 - x45, x44 = bits.Mul64(x42, 0x1000000000000000) - var x46 uint64 - var x47 uint64 - x47, x46 = bits.Mul64(x42, 0x14def9dea2f79cd6) - var x48 uint64 - var x49 uint64 - x49, x48 = bits.Mul64(x42, 0x5812631a5cf5d3ed) - var x50 uint64 - var x51 uint64 - x50, x51 = bits.Add64(x49, x46, uint64(0x0)) - var x53 uint64 - _, x53 = bits.Add64(x36, x48, uint64(0x0)) - var x54 uint64 - var x55 uint64 - x54, x55 = bits.Add64(x38, x50, uint64(fiatScalarUint1(x53))) - var x56 uint64 - var x57 uint64 - x56, x57 = bits.Add64(x40, (uint64(fiatScalarUint1(x51)) + x47), uint64(fiatScalarUint1(x55))) - var x58 uint64 - var x59 uint64 - x58, x59 = bits.Add64((uint64(fiatScalarUint1(x41)) + (uint64(fiatScalarUint1(x35)) + x21)), x44, uint64(fiatScalarUint1(x57))) - var x60 uint64 - var x61 uint64 - x60, x61 = bits.Add64(x54, arg1[3], uint64(0x0)) - var x62 uint64 - var x63 uint64 - x62, x63 = bits.Add64(x56, uint64(0x0), uint64(fiatScalarUint1(x61))) - var x64 uint64 - var x65 uint64 - x64, x65 = bits.Add64(x58, uint64(0x0), uint64(fiatScalarUint1(x63))) - var x66 uint64 - _, x66 = bits.Mul64(x60, 0xd2b51da312547e1b) - var x68 uint64 - var x69 uint64 - x69, x68 = bits.Mul64(x66, 0x1000000000000000) - var x70 uint64 - var x71 uint64 - x71, x70 = bits.Mul64(x66, 0x14def9dea2f79cd6) - var x72 uint64 - var x73 uint64 - x73, x72 = bits.Mul64(x66, 0x5812631a5cf5d3ed) - var x74 uint64 - var x75 uint64 - x74, x75 = bits.Add64(x73, x70, uint64(0x0)) - var x77 uint64 - _, x77 = bits.Add64(x60, x72, uint64(0x0)) - var x78 uint64 - var x79 uint64 - x78, x79 = bits.Add64(x62, x74, uint64(fiatScalarUint1(x77))) - var x80 uint64 - var x81 uint64 - x80, x81 = bits.Add64(x64, (uint64(fiatScalarUint1(x75)) + x71), uint64(fiatScalarUint1(x79))) - var x82 uint64 - var x83 uint64 - x82, x83 = bits.Add64((uint64(fiatScalarUint1(x65)) + (uint64(fiatScalarUint1(x59)) + x45)), x68, uint64(fiatScalarUint1(x81))) - x84 := (uint64(fiatScalarUint1(x83)) + x69) - var x85 uint64 - var x86 uint64 - x85, x86 = bits.Sub64(x78, 0x5812631a5cf5d3ed, uint64(0x0)) - var x87 uint64 - var x88 uint64 - x87, x88 = bits.Sub64(x80, 0x14def9dea2f79cd6, uint64(fiatScalarUint1(x86))) - var x89 uint64 - var x90 uint64 - x89, x90 = bits.Sub64(x82, uint64(0x0), uint64(fiatScalarUint1(x88))) - var x91 uint64 - var x92 uint64 - x91, x92 = bits.Sub64(x84, 0x1000000000000000, uint64(fiatScalarUint1(x90))) - var x94 uint64 - _, x94 = bits.Sub64(uint64(0x0), uint64(0x0), uint64(fiatScalarUint1(x92))) - var x95 uint64 - fiatScalarCmovznzU64(&x95, fiatScalarUint1(x94), x85, x78) - var x96 uint64 - fiatScalarCmovznzU64(&x96, fiatScalarUint1(x94), x87, x80) - var x97 uint64 - fiatScalarCmovznzU64(&x97, fiatScalarUint1(x94), x89, x82) - var x98 uint64 - fiatScalarCmovznzU64(&x98, fiatScalarUint1(x94), x91, x84) - out1[0] = x95 - out1[1] = x96 - out1[2] = x97 - out1[3] = x98 -} - -// fiatScalarToMontgomery translates a field element into the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = eval arg1 mod m -// 0 ≤ eval out1 < m -func fiatScalarToMontgomery(out1 *fiatScalarMontgomeryDomainFieldElement, arg1 *fiatScalarNonMontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[0] - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, 0x399411b7c309a3d) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, 0xceec73d217f5be65) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, 0xd00e1ba768859347) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, 0xa40611e3449c0f01) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Add64(x12, x9, uint64(0x0)) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Add64(x10, x7, uint64(fiatScalarUint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Add64(x8, x5, uint64(fiatScalarUint1(x16))) - var x19 uint64 - _, x19 = bits.Mul64(x11, 0xd2b51da312547e1b) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64(x19, 0x1000000000000000) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64(x19, 0x14def9dea2f79cd6) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64(x19, 0x5812631a5cf5d3ed) - var x27 uint64 - var x28 uint64 - x27, x28 = bits.Add64(x26, x23, uint64(0x0)) - var x30 uint64 - _, x30 = bits.Add64(x11, x25, uint64(0x0)) - var x31 uint64 - var x32 uint64 - x31, x32 = bits.Add64(x13, x27, uint64(fiatScalarUint1(x30))) - var x33 uint64 - var x34 uint64 - x33, x34 = bits.Add64(x15, (uint64(fiatScalarUint1(x28)) + x24), uint64(fiatScalarUint1(x32))) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Add64(x17, x21, uint64(fiatScalarUint1(x34))) - var x37 uint64 - var x38 uint64 - x38, x37 = bits.Mul64(x1, 0x399411b7c309a3d) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x1, 0xceec73d217f5be65) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x1, 0xd00e1ba768859347) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, 0xa40611e3449c0f01) - var x45 uint64 - var x46 uint64 - x45, x46 = bits.Add64(x44, x41, uint64(0x0)) - var x47 uint64 - var x48 uint64 - x47, x48 = bits.Add64(x42, x39, uint64(fiatScalarUint1(x46))) - var x49 uint64 - var x50 uint64 - x49, x50 = bits.Add64(x40, x37, uint64(fiatScalarUint1(x48))) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(x31, x43, uint64(0x0)) - var x53 uint64 - var x54 uint64 - x53, x54 = bits.Add64(x33, x45, uint64(fiatScalarUint1(x52))) - var x55 uint64 - var x56 uint64 - x55, x56 = bits.Add64(x35, x47, uint64(fiatScalarUint1(x54))) - var x57 uint64 - var x58 uint64 - x57, x58 = bits.Add64(((uint64(fiatScalarUint1(x36)) + (uint64(fiatScalarUint1(x18)) + x6)) + x22), x49, uint64(fiatScalarUint1(x56))) - var x59 uint64 - _, x59 = bits.Mul64(x51, 0xd2b51da312547e1b) - var x61 uint64 - var x62 uint64 - x62, x61 = bits.Mul64(x59, 0x1000000000000000) - var x63 uint64 - var x64 uint64 - x64, x63 = bits.Mul64(x59, 0x14def9dea2f79cd6) - var x65 uint64 - var x66 uint64 - x66, x65 = bits.Mul64(x59, 0x5812631a5cf5d3ed) - var x67 uint64 - var x68 uint64 - x67, x68 = bits.Add64(x66, x63, uint64(0x0)) - var x70 uint64 - _, x70 = bits.Add64(x51, x65, uint64(0x0)) - var x71 uint64 - var x72 uint64 - x71, x72 = bits.Add64(x53, x67, uint64(fiatScalarUint1(x70))) - var x73 uint64 - var x74 uint64 - x73, x74 = bits.Add64(x55, (uint64(fiatScalarUint1(x68)) + x64), uint64(fiatScalarUint1(x72))) - var x75 uint64 - var x76 uint64 - x75, x76 = bits.Add64(x57, x61, uint64(fiatScalarUint1(x74))) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64(x2, 0x399411b7c309a3d) - var x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64(x2, 0xceec73d217f5be65) - var x81 uint64 - var x82 uint64 - x82, x81 = bits.Mul64(x2, 0xd00e1ba768859347) - var x83 uint64 - var x84 uint64 - x84, x83 = bits.Mul64(x2, 0xa40611e3449c0f01) - var x85 uint64 - var x86 uint64 - x85, x86 = bits.Add64(x84, x81, uint64(0x0)) - var x87 uint64 - var x88 uint64 - x87, x88 = bits.Add64(x82, x79, uint64(fiatScalarUint1(x86))) - var x89 uint64 - var x90 uint64 - x89, x90 = bits.Add64(x80, x77, uint64(fiatScalarUint1(x88))) - var x91 uint64 - var x92 uint64 - x91, x92 = bits.Add64(x71, x83, uint64(0x0)) - var x93 uint64 - var x94 uint64 - x93, x94 = bits.Add64(x73, x85, uint64(fiatScalarUint1(x92))) - var x95 uint64 - var x96 uint64 - x95, x96 = bits.Add64(x75, x87, uint64(fiatScalarUint1(x94))) - var x97 uint64 - var x98 uint64 - x97, x98 = bits.Add64(((uint64(fiatScalarUint1(x76)) + (uint64(fiatScalarUint1(x58)) + (uint64(fiatScalarUint1(x50)) + x38))) + x62), x89, uint64(fiatScalarUint1(x96))) - var x99 uint64 - _, x99 = bits.Mul64(x91, 0xd2b51da312547e1b) - var x101 uint64 - var x102 uint64 - x102, x101 = bits.Mul64(x99, 0x1000000000000000) - var x103 uint64 - var x104 uint64 - x104, x103 = bits.Mul64(x99, 0x14def9dea2f79cd6) - var x105 uint64 - var x106 uint64 - x106, x105 = bits.Mul64(x99, 0x5812631a5cf5d3ed) - var x107 uint64 - var x108 uint64 - x107, x108 = bits.Add64(x106, x103, uint64(0x0)) - var x110 uint64 - _, x110 = bits.Add64(x91, x105, uint64(0x0)) - var x111 uint64 - var x112 uint64 - x111, x112 = bits.Add64(x93, x107, uint64(fiatScalarUint1(x110))) - var x113 uint64 - var x114 uint64 - x113, x114 = bits.Add64(x95, (uint64(fiatScalarUint1(x108)) + x104), uint64(fiatScalarUint1(x112))) - var x115 uint64 - var x116 uint64 - x115, x116 = bits.Add64(x97, x101, uint64(fiatScalarUint1(x114))) - var x117 uint64 - var x118 uint64 - x118, x117 = bits.Mul64(x3, 0x399411b7c309a3d) - var x119 uint64 - var x120 uint64 - x120, x119 = bits.Mul64(x3, 0xceec73d217f5be65) - var x121 uint64 - var x122 uint64 - x122, x121 = bits.Mul64(x3, 0xd00e1ba768859347) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x3, 0xa40611e3449c0f01) - var x125 uint64 - var x126 uint64 - x125, x126 = bits.Add64(x124, x121, uint64(0x0)) - var x127 uint64 - var x128 uint64 - x127, x128 = bits.Add64(x122, x119, uint64(fiatScalarUint1(x126))) - var x129 uint64 - var x130 uint64 - x129, x130 = bits.Add64(x120, x117, uint64(fiatScalarUint1(x128))) - var x131 uint64 - var x132 uint64 - x131, x132 = bits.Add64(x111, x123, uint64(0x0)) - var x133 uint64 - var x134 uint64 - x133, x134 = bits.Add64(x113, x125, uint64(fiatScalarUint1(x132))) - var x135 uint64 - var x136 uint64 - x135, x136 = bits.Add64(x115, x127, uint64(fiatScalarUint1(x134))) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(((uint64(fiatScalarUint1(x116)) + (uint64(fiatScalarUint1(x98)) + (uint64(fiatScalarUint1(x90)) + x78))) + x102), x129, uint64(fiatScalarUint1(x136))) - var x139 uint64 - _, x139 = bits.Mul64(x131, 0xd2b51da312547e1b) - var x141 uint64 - var x142 uint64 - x142, x141 = bits.Mul64(x139, 0x1000000000000000) - var x143 uint64 - var x144 uint64 - x144, x143 = bits.Mul64(x139, 0x14def9dea2f79cd6) - var x145 uint64 - var x146 uint64 - x146, x145 = bits.Mul64(x139, 0x5812631a5cf5d3ed) - var x147 uint64 - var x148 uint64 - x147, x148 = bits.Add64(x146, x143, uint64(0x0)) - var x150 uint64 - _, x150 = bits.Add64(x131, x145, uint64(0x0)) - var x151 uint64 - var x152 uint64 - x151, x152 = bits.Add64(x133, x147, uint64(fiatScalarUint1(x150))) - var x153 uint64 - var x154 uint64 - x153, x154 = bits.Add64(x135, (uint64(fiatScalarUint1(x148)) + x144), uint64(fiatScalarUint1(x152))) - var x155 uint64 - var x156 uint64 - x155, x156 = bits.Add64(x137, x141, uint64(fiatScalarUint1(x154))) - x157 := ((uint64(fiatScalarUint1(x156)) + (uint64(fiatScalarUint1(x138)) + (uint64(fiatScalarUint1(x130)) + x118))) + x142) - var x158 uint64 - var x159 uint64 - x158, x159 = bits.Sub64(x151, 0x5812631a5cf5d3ed, uint64(0x0)) - var x160 uint64 - var x161 uint64 - x160, x161 = bits.Sub64(x153, 0x14def9dea2f79cd6, uint64(fiatScalarUint1(x159))) - var x162 uint64 - var x163 uint64 - x162, x163 = bits.Sub64(x155, uint64(0x0), uint64(fiatScalarUint1(x161))) - var x164 uint64 - var x165 uint64 - x164, x165 = bits.Sub64(x157, 0x1000000000000000, uint64(fiatScalarUint1(x163))) - var x167 uint64 - _, x167 = bits.Sub64(uint64(0x0), uint64(0x0), uint64(fiatScalarUint1(x165))) - var x168 uint64 - fiatScalarCmovznzU64(&x168, fiatScalarUint1(x167), x158, x151) - var x169 uint64 - fiatScalarCmovznzU64(&x169, fiatScalarUint1(x167), x160, x153) - var x170 uint64 - fiatScalarCmovznzU64(&x170, fiatScalarUint1(x167), x162, x155) - var x171 uint64 - fiatScalarCmovznzU64(&x171, fiatScalarUint1(x167), x164, x157) - out1[0] = x168 - out1[1] = x169 - out1[2] = x170 - out1[3] = x171 -} - -// fiatScalarToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1fffffffffffffff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1f]] -func fiatScalarToBytes(out1 *[32]uint8, arg1 *[4]uint64) { - x1 := arg1[3] - x2 := arg1[2] - x3 := arg1[1] - x4 := arg1[0] - x5 := (uint8(x4) & 0xff) - x6 := (x4 >> 8) - x7 := (uint8(x6) & 0xff) - x8 := (x6 >> 8) - x9 := (uint8(x8) & 0xff) - x10 := (x8 >> 8) - x11 := (uint8(x10) & 0xff) - x12 := (x10 >> 8) - x13 := (uint8(x12) & 0xff) - x14 := (x12 >> 8) - x15 := (uint8(x14) & 0xff) - x16 := (x14 >> 8) - x17 := (uint8(x16) & 0xff) - x18 := uint8((x16 >> 8)) - x19 := (uint8(x3) & 0xff) - x20 := (x3 >> 8) - x21 := (uint8(x20) & 0xff) - x22 := (x20 >> 8) - x23 := (uint8(x22) & 0xff) - x24 := (x22 >> 8) - x25 := (uint8(x24) & 0xff) - x26 := (x24 >> 8) - x27 := (uint8(x26) & 0xff) - x28 := (x26 >> 8) - x29 := (uint8(x28) & 0xff) - x30 := (x28 >> 8) - x31 := (uint8(x30) & 0xff) - x32 := uint8((x30 >> 8)) - x33 := (uint8(x2) & 0xff) - x34 := (x2 >> 8) - x35 := (uint8(x34) & 0xff) - x36 := (x34 >> 8) - x37 := (uint8(x36) & 0xff) - x38 := (x36 >> 8) - x39 := (uint8(x38) & 0xff) - x40 := (x38 >> 8) - x41 := (uint8(x40) & 0xff) - x42 := (x40 >> 8) - x43 := (uint8(x42) & 0xff) - x44 := (x42 >> 8) - x45 := (uint8(x44) & 0xff) - x46 := uint8((x44 >> 8)) - x47 := (uint8(x1) & 0xff) - x48 := (x1 >> 8) - x49 := (uint8(x48) & 0xff) - x50 := (x48 >> 8) - x51 := (uint8(x50) & 0xff) - x52 := (x50 >> 8) - x53 := (uint8(x52) & 0xff) - x54 := (x52 >> 8) - x55 := (uint8(x54) & 0xff) - x56 := (x54 >> 8) - x57 := (uint8(x56) & 0xff) - x58 := (x56 >> 8) - x59 := (uint8(x58) & 0xff) - x60 := uint8((x58 >> 8)) - out1[0] = x5 - out1[1] = x7 - out1[2] = x9 - out1[3] = x11 - out1[4] = x13 - out1[5] = x15 - out1[6] = x17 - out1[7] = x18 - out1[8] = x19 - out1[9] = x21 - out1[10] = x23 - out1[11] = x25 - out1[12] = x27 - out1[13] = x29 - out1[14] = x31 - out1[15] = x32 - out1[16] = x33 - out1[17] = x35 - out1[18] = x37 - out1[19] = x39 - out1[20] = x41 - out1[21] = x43 - out1[22] = x45 - out1[23] = x46 - out1[24] = x47 - out1[25] = x49 - out1[26] = x51 - out1[27] = x53 - out1[28] = x55 - out1[29] = x57 - out1[30] = x59 - out1[31] = x60 -} - -// fiatScalarFromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. -// -// Preconditions: -// -// 0 ≤ bytes_eval arg1 < m -// -// Postconditions: -// -// eval out1 mod m = bytes_eval arg1 mod m -// 0 ≤ eval out1 < m -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1f]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1fffffffffffffff]] -func fiatScalarFromBytes(out1 *[4]uint64, arg1 *[32]uint8) { - x1 := (uint64(arg1[31]) << 56) - x2 := (uint64(arg1[30]) << 48) - x3 := (uint64(arg1[29]) << 40) - x4 := (uint64(arg1[28]) << 32) - x5 := (uint64(arg1[27]) << 24) - x6 := (uint64(arg1[26]) << 16) - x7 := (uint64(arg1[25]) << 8) - x8 := arg1[24] - x9 := (uint64(arg1[23]) << 56) - x10 := (uint64(arg1[22]) << 48) - x11 := (uint64(arg1[21]) << 40) - x12 := (uint64(arg1[20]) << 32) - x13 := (uint64(arg1[19]) << 24) - x14 := (uint64(arg1[18]) << 16) - x15 := (uint64(arg1[17]) << 8) - x16 := arg1[16] - x17 := (uint64(arg1[15]) << 56) - x18 := (uint64(arg1[14]) << 48) - x19 := (uint64(arg1[13]) << 40) - x20 := (uint64(arg1[12]) << 32) - x21 := (uint64(arg1[11]) << 24) - x22 := (uint64(arg1[10]) << 16) - x23 := (uint64(arg1[9]) << 8) - x24 := arg1[8] - x25 := (uint64(arg1[7]) << 56) - x26 := (uint64(arg1[6]) << 48) - x27 := (uint64(arg1[5]) << 40) - x28 := (uint64(arg1[4]) << 32) - x29 := (uint64(arg1[3]) << 24) - x30 := (uint64(arg1[2]) << 16) - x31 := (uint64(arg1[1]) << 8) - x32 := arg1[0] - x33 := (x31 + uint64(x32)) - x34 := (x30 + x33) - x35 := (x29 + x34) - x36 := (x28 + x35) - x37 := (x27 + x36) - x38 := (x26 + x37) - x39 := (x25 + x38) - x40 := (x23 + uint64(x24)) - x41 := (x22 + x40) - x42 := (x21 + x41) - x43 := (x20 + x42) - x44 := (x19 + x43) - x45 := (x18 + x44) - x46 := (x17 + x45) - x47 := (x15 + uint64(x16)) - x48 := (x14 + x47) - x49 := (x13 + x48) - x50 := (x12 + x49) - x51 := (x11 + x50) - x52 := (x10 + x51) - x53 := (x9 + x52) - x54 := (x7 + uint64(x8)) - x55 := (x6 + x54) - x56 := (x5 + x55) - x57 := (x4 + x56) - x58 := (x3 + x57) - x59 := (x2 + x58) - x60 := (x1 + x59) - out1[0] = x39 - out1[1] = x46 - out1[2] = x53 - out1[3] = x60 -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/scalarmult.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/scalarmult.go deleted file mode 100644 index f7ca3cef993..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/scalarmult.go +++ /dev/null @@ -1,214 +0,0 @@ -// Copyright (c) 2019 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package edwards25519 - -import "sync" - -// basepointTable is a set of 32 affineLookupTables, where table i is generated -// from 256i * basepoint. It is precomputed the first time it's used. -func basepointTable() *[32]affineLookupTable { - basepointTablePrecomp.initOnce.Do(func() { - p := NewGeneratorPoint() - for i := 0; i < 32; i++ { - basepointTablePrecomp.table[i].FromP3(p) - for j := 0; j < 8; j++ { - p.Add(p, p) - } - } - }) - return &basepointTablePrecomp.table -} - -var basepointTablePrecomp struct { - table [32]affineLookupTable - initOnce sync.Once -} - -// ScalarBaseMult sets v = x * B, where B is the canonical generator, and -// returns v. -// -// The scalar multiplication is done in constant time. -func (v *Point) ScalarBaseMult(x *Scalar) *Point { - basepointTable := basepointTable() - - // Write x = sum(x_i * 16^i) so x*B = sum( B*x_i*16^i ) - // as described in the Ed25519 paper - // - // Group even and odd coefficients - // x*B = x_0*16^0*B + x_2*16^2*B + ... + x_62*16^62*B - // + x_1*16^1*B + x_3*16^3*B + ... + x_63*16^63*B - // x*B = x_0*16^0*B + x_2*16^2*B + ... + x_62*16^62*B - // + 16*( x_1*16^0*B + x_3*16^2*B + ... + x_63*16^62*B) - // - // We use a lookup table for each i to get x_i*16^(2*i)*B - // and do four doublings to multiply by 16. - digits := x.signedRadix16() - - multiple := &affineCached{} - tmp1 := &projP1xP1{} - tmp2 := &projP2{} - - // Accumulate the odd components first - v.Set(NewIdentityPoint()) - for i := 1; i < 64; i += 2 { - basepointTable[i/2].SelectInto(multiple, digits[i]) - tmp1.AddAffine(v, multiple) - v.fromP1xP1(tmp1) - } - - // Multiply by 16 - tmp2.FromP3(v) // tmp2 = v in P2 coords - tmp1.Double(tmp2) // tmp1 = 2*v in P1xP1 coords - tmp2.FromP1xP1(tmp1) // tmp2 = 2*v in P2 coords - tmp1.Double(tmp2) // tmp1 = 4*v in P1xP1 coords - tmp2.FromP1xP1(tmp1) // tmp2 = 4*v in P2 coords - tmp1.Double(tmp2) // tmp1 = 8*v in P1xP1 coords - tmp2.FromP1xP1(tmp1) // tmp2 = 8*v in P2 coords - tmp1.Double(tmp2) // tmp1 = 16*v in P1xP1 coords - v.fromP1xP1(tmp1) // now v = 16*(odd components) - - // Accumulate the even components - for i := 0; i < 64; i += 2 { - basepointTable[i/2].SelectInto(multiple, digits[i]) - tmp1.AddAffine(v, multiple) - v.fromP1xP1(tmp1) - } - - return v -} - -// ScalarMult sets v = x * q, and returns v. -// -// The scalar multiplication is done in constant time. -func (v *Point) ScalarMult(x *Scalar, q *Point) *Point { - checkInitialized(q) - - var table projLookupTable - table.FromP3(q) - - // Write x = sum(x_i * 16^i) - // so x*Q = sum( Q*x_i*16^i ) - // = Q*x_0 + 16*(Q*x_1 + 16*( ... + Q*x_63) ... ) - // <------compute inside out--------- - // - // We use the lookup table to get the x_i*Q values - // and do four doublings to compute 16*Q - digits := x.signedRadix16() - - // Unwrap first loop iteration to save computing 16*identity - multiple := &projCached{} - tmp1 := &projP1xP1{} - tmp2 := &projP2{} - table.SelectInto(multiple, digits[63]) - - v.Set(NewIdentityPoint()) - tmp1.Add(v, multiple) // tmp1 = x_63*Q in P1xP1 coords - for i := 62; i >= 0; i-- { - tmp2.FromP1xP1(tmp1) // tmp2 = (prev) in P2 coords - tmp1.Double(tmp2) // tmp1 = 2*(prev) in P1xP1 coords - tmp2.FromP1xP1(tmp1) // tmp2 = 2*(prev) in P2 coords - tmp1.Double(tmp2) // tmp1 = 4*(prev) in P1xP1 coords - tmp2.FromP1xP1(tmp1) // tmp2 = 4*(prev) in P2 coords - tmp1.Double(tmp2) // tmp1 = 8*(prev) in P1xP1 coords - tmp2.FromP1xP1(tmp1) // tmp2 = 8*(prev) in P2 coords - tmp1.Double(tmp2) // tmp1 = 16*(prev) in P1xP1 coords - v.fromP1xP1(tmp1) // v = 16*(prev) in P3 coords - table.SelectInto(multiple, digits[i]) - tmp1.Add(v, multiple) // tmp1 = x_i*Q + 16*(prev) in P1xP1 coords - } - v.fromP1xP1(tmp1) - return v -} - -// basepointNafTable is the nafLookupTable8 for the basepoint. -// It is precomputed the first time it's used. -func basepointNafTable() *nafLookupTable8 { - basepointNafTablePrecomp.initOnce.Do(func() { - basepointNafTablePrecomp.table.FromP3(NewGeneratorPoint()) - }) - return &basepointNafTablePrecomp.table -} - -var basepointNafTablePrecomp struct { - table nafLookupTable8 - initOnce sync.Once -} - -// VarTimeDoubleScalarBaseMult sets v = a * A + b * B, where B is the canonical -// generator, and returns v. -// -// Execution time depends on the inputs. -func (v *Point) VarTimeDoubleScalarBaseMult(a *Scalar, A *Point, b *Scalar) *Point { - checkInitialized(A) - - // Similarly to the single variable-base approach, we compute - // digits and use them with a lookup table. However, because - // we are allowed to do variable-time operations, we don't - // need constant-time lookups or constant-time digit - // computations. - // - // So we use a non-adjacent form of some width w instead of - // radix 16. This is like a binary representation (one digit - // for each binary place) but we allow the digits to grow in - // magnitude up to 2^{w-1} so that the nonzero digits are as - // sparse as possible. Intuitively, this "condenses" the - // "mass" of the scalar onto sparse coefficients (meaning - // fewer additions). - - basepointNafTable := basepointNafTable() - var aTable nafLookupTable5 - aTable.FromP3(A) - // Because the basepoint is fixed, we can use a wider NAF - // corresponding to a bigger table. - aNaf := a.nonAdjacentForm(5) - bNaf := b.nonAdjacentForm(8) - - // Find the first nonzero coefficient. - i := 255 - for j := i; j >= 0; j-- { - if aNaf[j] != 0 || bNaf[j] != 0 { - break - } - } - - multA := &projCached{} - multB := &affineCached{} - tmp1 := &projP1xP1{} - tmp2 := &projP2{} - tmp2.Zero() - - // Move from high to low bits, doubling the accumulator - // at each iteration and checking whether there is a nonzero - // coefficient to look up a multiple of. - for ; i >= 0; i-- { - tmp1.Double(tmp2) - - // Only update v if we have a nonzero coeff to add in. - if aNaf[i] > 0 { - v.fromP1xP1(tmp1) - aTable.SelectInto(multA, aNaf[i]) - tmp1.Add(v, multA) - } else if aNaf[i] < 0 { - v.fromP1xP1(tmp1) - aTable.SelectInto(multA, -aNaf[i]) - tmp1.Sub(v, multA) - } - - if bNaf[i] > 0 { - v.fromP1xP1(tmp1) - basepointNafTable.SelectInto(multB, bNaf[i]) - tmp1.AddAffine(v, multB) - } else if bNaf[i] < 0 { - v.fromP1xP1(tmp1) - basepointNafTable.SelectInto(multB, -bNaf[i]) - tmp1.SubAffine(v, multB) - } - - tmp2.FromP1xP1(tmp1) - } - - v.fromP2(tmp2) - return v -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/tables.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/tables.go deleted file mode 100644 index 801b76771d1..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/tables.go +++ /dev/null @@ -1,129 +0,0 @@ -// Copyright (c) 2019 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package edwards25519 - -import ( - "crypto/internal/fips140/subtle" -) - -// A dynamic lookup table for variable-base, constant-time scalar muls. -type projLookupTable struct { - points [8]projCached -} - -// A precomputed lookup table for fixed-base, constant-time scalar muls. -type affineLookupTable struct { - points [8]affineCached -} - -// A dynamic lookup table for variable-base, variable-time scalar muls. -type nafLookupTable5 struct { - points [8]projCached -} - -// A precomputed lookup table for fixed-base, variable-time scalar muls. -type nafLookupTable8 struct { - points [64]affineCached -} - -// Constructors. - -// Builds a lookup table at runtime. Fast. -func (v *projLookupTable) FromP3(q *Point) { - // Goal: v.points[i] = (i+1)*Q, i.e., Q, 2Q, ..., 8Q - // This allows lookup of -8Q, ..., -Q, 0, Q, ..., 8Q - v.points[0].FromP3(q) - tmpP3 := Point{} - tmpP1xP1 := projP1xP1{} - for i := 0; i < 7; i++ { - // Compute (i+1)*Q as Q + i*Q and convert to a projCached - // This is needlessly complicated because the API has explicit - // receivers instead of creating stack objects and relying on RVO - v.points[i+1].FromP3(tmpP3.fromP1xP1(tmpP1xP1.Add(q, &v.points[i]))) - } -} - -// This is not optimised for speed; fixed-base tables should be precomputed. -func (v *affineLookupTable) FromP3(q *Point) { - // Goal: v.points[i] = (i+1)*Q, i.e., Q, 2Q, ..., 8Q - // This allows lookup of -8Q, ..., -Q, 0, Q, ..., 8Q - v.points[0].FromP3(q) - tmpP3 := Point{} - tmpP1xP1 := projP1xP1{} - for i := 0; i < 7; i++ { - // Compute (i+1)*Q as Q + i*Q and convert to affineCached - v.points[i+1].FromP3(tmpP3.fromP1xP1(tmpP1xP1.AddAffine(q, &v.points[i]))) - } -} - -// Builds a lookup table at runtime. Fast. -func (v *nafLookupTable5) FromP3(q *Point) { - // Goal: v.points[i] = (2*i+1)*Q, i.e., Q, 3Q, 5Q, ..., 15Q - // This allows lookup of -15Q, ..., -3Q, -Q, 0, Q, 3Q, ..., 15Q - v.points[0].FromP3(q) - q2 := Point{} - q2.Add(q, q) - tmpP3 := Point{} - tmpP1xP1 := projP1xP1{} - for i := 0; i < 7; i++ { - v.points[i+1].FromP3(tmpP3.fromP1xP1(tmpP1xP1.Add(&q2, &v.points[i]))) - } -} - -// This is not optimised for speed; fixed-base tables should be precomputed. -func (v *nafLookupTable8) FromP3(q *Point) { - v.points[0].FromP3(q) - q2 := Point{} - q2.Add(q, q) - tmpP3 := Point{} - tmpP1xP1 := projP1xP1{} - for i := 0; i < 63; i++ { - v.points[i+1].FromP3(tmpP3.fromP1xP1(tmpP1xP1.AddAffine(&q2, &v.points[i]))) - } -} - -// Selectors. - -// Set dest to x*Q, where -8 <= x <= 8, in constant time. -func (v *projLookupTable) SelectInto(dest *projCached, x int8) { - // Compute xabs = |x| - xmask := x >> 7 - xabs := uint8((x + xmask) ^ xmask) - - dest.Zero() - for j := 1; j <= 8; j++ { - // Set dest = j*Q if |x| = j - cond := subtle.ConstantTimeByteEq(xabs, uint8(j)) - dest.Select(&v.points[j-1], dest, cond) - } - // Now dest = |x|*Q, conditionally negate to get x*Q - dest.CondNeg(int(xmask & 1)) -} - -// Set dest to x*Q, where -8 <= x <= 8, in constant time. -func (v *affineLookupTable) SelectInto(dest *affineCached, x int8) { - // Compute xabs = |x| - xmask := x >> 7 - xabs := uint8((x + xmask) ^ xmask) - - dest.Zero() - for j := 1; j <= 8; j++ { - // Set dest = j*Q if |x| = j - cond := subtle.ConstantTimeByteEq(xabs, uint8(j)) - dest.Select(&v.points[j-1], dest, cond) - } - // Now dest = |x|*Q, conditionally negate to get x*Q - dest.CondNeg(int(xmask & 1)) -} - -// Given odd x with 0 < x < 2^4, return x*Q (in variable time). -func (v *nafLookupTable5) SelectInto(dest *projCached, x int8) { - *dest = v.points[x/2] -} - -// Given odd x with 0 < x < 2^7, return x*Q (in variable time). -func (v *nafLookupTable8) SelectInto(dest *affineCached, x int8) { - *dest = v.points[x/2] -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/ya.make deleted file mode 100644 index 235bb4a9b5f..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/edwards25519/ya.make +++ /dev/null @@ -1,17 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - doc.go - edwards25519.go - scalar.go - scalar_fiat.go - scalarmult.go - tables.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/fips140.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/fips140.go deleted file mode 100644 index e48706fbd50..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/fips140.go +++ /dev/null @@ -1,71 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package fips140 - -import ( - "crypto/internal/fips140deps/godebug" - "errors" - "runtime" -) - -var Enabled bool - -var debug bool - -func init() { - v := godebug.Value("#fips140") - switch v { - case "on", "only": - Enabled = true - case "debug": - Enabled = true - debug = true - case "off", "": - default: - panic("fips140: unknown GODEBUG setting fips140=" + v) - } -} - -// Supported returns an error if FIPS 140-3 mode can't be enabled. -func Supported() error { - // Keep this in sync with fipsSupported in cmd/dist/test.go. - - // ASAN disapproves of reading swaths of global memory in fips140/check. - // One option would be to expose runtime.asanunpoison through - // crypto/internal/fips140deps and then call it to unpoison the range - // before reading it, but it is unclear whether that would then cause - // false negatives. For now, FIPS+ASAN doesn't need to work. - if asanEnabled { - return errors.New("FIPS 140-3 mode is incompatible with ASAN") - } - - // See EnableFIPS in cmd/internal/obj/fips.go for commentary. - switch { - case runtime.GOARCH == "wasm", - runtime.GOOS == "windows" && runtime.GOARCH == "386", - runtime.GOOS == "windows" && runtime.GOARCH == "arm", - runtime.GOOS == "openbsd", // due to -fexecute-only, see #70880 - runtime.GOOS == "aix": - return errors.New("FIPS 140-3 mode is not supported on " + runtime.GOOS + "-" + runtime.GOARCH) - } - - if boringEnabled { - return errors.New("FIPS 140-3 mode is incompatible with GOEXPERIMENT=boringcrypto") - } - - return nil -} - -func Name() string { - return "Go Cryptographic Module" -} - -// Version returns the formal version (such as "v1.0.0") if building against a -// frozen module with GOFIPS140. Otherwise, it returns "latest". -func Version() string { - // This return value is replaced by mkzip.go, it must not be changed or - // moved to a different file. - return "latest" //mkzip:version -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/hkdf/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/hkdf/cast.go deleted file mode 100644 index 8ddcadc0166..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/hkdf/cast.go +++ /dev/null @@ -1,33 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package hkdf - -import ( - "bytes" - "crypto/internal/fips140" - _ "crypto/internal/fips140/check" - "crypto/internal/fips140/sha256" - "errors" -) - -func init() { - fips140.CAST("HKDF-SHA2-256", func() error { - input := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - } - want := []byte{ - 0xb6, 0x53, 0x00, 0x5b, 0x51, 0x6d, 0x2b, 0xc9, - 0x4a, 0xe4, 0xf9, 0x51, 0x73, 0x1f, 0x71, 0x21, - 0xa6, 0xc1, 0xde, 0x42, 0x4f, 0x2c, 0x99, 0x60, - 0x64, 0xdb, 0x66, 0x3e, 0xec, 0xa6, 0x37, 0xff, - } - got := Key(sha256.New, input, input, string(input), len(want)) - if !bytes.Equal(got, want) { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/hkdf/hkdf.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/hkdf/hkdf.go deleted file mode 100644 index 2e8b83d41d5..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/hkdf/hkdf.go +++ /dev/null @@ -1,57 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package hkdf - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/hmac" - "hash" -) - -func Extract[H hash.Hash](h func() H, secret, salt []byte) []byte { - if len(secret) < 112/8 { - fips140.RecordNonApproved() - } - if salt == nil { - salt = make([]byte, h().Size()) - } - extractor := hmac.New(h, salt) - hmac.MarkAsUsedInKDF(extractor) - extractor.Write(secret) - - return extractor.Sum(nil) -} - -func Expand[H hash.Hash](h func() H, pseudorandomKey []byte, info string, keyLen int) []byte { - out := make([]byte, 0, keyLen) - expander := hmac.New(h, pseudorandomKey) - hmac.MarkAsUsedInKDF(expander) - var counter uint8 - var buf []byte - - for len(out) < keyLen { - counter++ - if counter == 0 { - panic("hkdf: counter overflow") - } - if counter > 1 { - expander.Reset() - } - expander.Write(buf) - expander.Write([]byte(info)) - expander.Write([]byte{counter}) - buf = expander.Sum(buf[:0]) - remain := keyLen - len(out) - remain = min(remain, len(buf)) - out = append(out, buf[:remain]...) - } - - return out -} - -func Key[H hash.Hash](h func() H, secret, salt []byte, info string, keyLen int) []byte { - prk := Extract(h, secret, salt) - return Expand(h, prk, info, keyLen) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/hkdf/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/hkdf/ya.make deleted file mode 100644 index 42c88d3c35d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/hkdf/ya.make +++ /dev/null @@ -1,13 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - hkdf.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/hmac/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/hmac/cast.go deleted file mode 100644 index 9573e39e5b7..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/hmac/cast.go +++ /dev/null @@ -1,34 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package hmac - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140/sha256" - "errors" -) - -func init() { - fips140.CAST("HMAC-SHA2-256", func() error { - input := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - } - want := []byte{ - 0xf0, 0x8d, 0x82, 0x8d, 0x4c, 0x9e, 0xad, 0x3d, - 0xdc, 0x12, 0x9c, 0x4e, 0x70, 0xc4, 0x19, 0x2a, - 0x4f, 0x12, 0x73, 0x23, 0x73, 0x77, 0x66, 0x05, - 0x10, 0xee, 0x57, 0x6b, 0x3a, 0xc7, 0x14, 0x41, - } - h := New(sha256.New, input) - h.Write(input) - h.Write(input) - if got := h.Sum(nil); !bytes.Equal(got, want) { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/hmac/hmac.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/hmac/hmac.go deleted file mode 100644 index a18b22650d1..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/hmac/hmac.go +++ /dev/null @@ -1,209 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package hmac implements HMAC according to [FIPS 198-1]. -// -// [FIPS 198-1]: https://doi.org/10.6028/NIST.FIPS.198-1 -package hmac - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/sha256" - "crypto/internal/fips140/sha3" - "crypto/internal/fips140/sha512" - "errors" - "hash" -) - -// key is zero padded to the block size of the hash function -// ipad = 0x36 byte repeated for key length -// opad = 0x5c byte repeated for key length -// hmac = H([key ^ opad] H([key ^ ipad] text)) - -// marshalable is the combination of encoding.BinaryMarshaler and -// encoding.BinaryUnmarshaler. Their method definitions are repeated here to -// avoid a dependency on the encoding package. -type marshalable interface { - MarshalBinary() ([]byte, error) - UnmarshalBinary([]byte) error -} - -type HMAC struct { - // opad and ipad may share underlying storage with HMAC clones. - opad, ipad []byte - outer, inner hash.Hash - - // If marshaled is true, then opad and ipad do not contain a padded - // copy of the key, but rather the marshaled state of outer/inner after - // opad/ipad has been fed into it. - marshaled bool - - // forHKDF and keyLen are stored to inform the service indicator decision. - forHKDF bool - keyLen int -} - -func (h *HMAC) Sum(in []byte) []byte { - // Per FIPS 140-3 IG C.M, key lengths below 112 bits are only allowed for - // legacy use (i.e. verification only) and we don't support that. However, - // HKDF uses the HMAC key for the salt, which is allowed to be shorter. - if h.keyLen < 112/8 && !h.forHKDF { - fips140.RecordNonApproved() - } - switch h.inner.(type) { - case *sha256.Digest, *sha512.Digest, *sha3.Digest: - default: - fips140.RecordNonApproved() - } - - origLen := len(in) - in = h.inner.Sum(in) - - if h.marshaled { - if err := h.outer.(marshalable).UnmarshalBinary(h.opad); err != nil { - panic(err) - } - } else { - h.outer.Reset() - h.outer.Write(h.opad) - } - h.outer.Write(in[origLen:]) - return h.outer.Sum(in[:origLen]) -} - -func (h *HMAC) Write(p []byte) (n int, err error) { - return h.inner.Write(p) -} - -func (h *HMAC) Size() int { return h.outer.Size() } -func (h *HMAC) BlockSize() int { return h.inner.BlockSize() } - -func (h *HMAC) Reset() { - if h.marshaled { - if err := h.inner.(marshalable).UnmarshalBinary(h.ipad); err != nil { - panic(err) - } - return - } - - h.inner.Reset() - h.inner.Write(h.ipad) - - // If the underlying hash is marshalable, we can save some time by saving a - // copy of the hash state now, and restoring it on future calls to Reset and - // Sum instead of writing ipad/opad every time. - // - // We do this on Reset to avoid slowing down the common single-use case. - // - // This is allowed by FIPS 198-1, Section 6: "Conceptually, the intermediate - // results of the compression function on the B-byte blocks (K0 ⊕ ipad) and - // (K0 ⊕ opad) can be precomputed once, at the time of generation of the key - // K, or before its first use. These intermediate results can be stored and - // then used to initialize H each time that a message needs to be - // authenticated using the same key. [...] These stored intermediate values - // shall be treated and protected in the same manner as secret keys." - marshalableInner, innerOK := h.inner.(marshalable) - if !innerOK { - return - } - marshalableOuter, outerOK := h.outer.(marshalable) - if !outerOK { - return - } - - imarshal, err := marshalableInner.MarshalBinary() - if err != nil { - return - } - - h.outer.Reset() - h.outer.Write(h.opad) - omarshal, err := marshalableOuter.MarshalBinary() - if err != nil { - return - } - - // Marshaling succeeded; save the marshaled state for later - h.ipad = imarshal - h.opad = omarshal - h.marshaled = true -} - -type errCloneUnsupported struct{} - -func (e errCloneUnsupported) Error() string { - return "crypto/hmac: hash does not support hash.Cloner" -} - -func (e errCloneUnsupported) Unwrap() error { - return errors.ErrUnsupported -} - -// Clone implements [hash.Cloner] if the underlying hash does. -// Otherwise, it returns an error wrapping [errors.ErrUnsupported]. -func (h *HMAC) Clone() (hash.Cloner, error) { - r := *h - ic, ok := h.inner.(hash.Cloner) - if !ok { - return nil, errCloneUnsupported{} - } - oc, ok := h.outer.(hash.Cloner) - if !ok { - return nil, errCloneUnsupported{} - } - var err error - r.inner, err = ic.Clone() - if err != nil { - return nil, errCloneUnsupported{} - } - r.outer, err = oc.Clone() - if err != nil { - return nil, errCloneUnsupported{} - } - return &r, nil -} - -// New returns a new HMAC hash using the given [hash.Hash] type and key. -func New[H hash.Hash](h func() H, key []byte) *HMAC { - hm := &HMAC{keyLen: len(key)} - hm.outer = h() - hm.inner = h() - unique := true - func() { - defer func() { - // The comparison might panic if the underlying types are not comparable. - _ = recover() - }() - if hm.outer == hm.inner { - unique = false - } - }() - if !unique { - panic("crypto/hmac: hash generation function does not produce unique values") - } - blocksize := hm.inner.BlockSize() - hm.ipad = make([]byte, blocksize) - hm.opad = make([]byte, blocksize) - if len(key) > blocksize { - // If key is too big, hash it. - hm.outer.Write(key) - key = hm.outer.Sum(nil) - } - copy(hm.ipad, key) - copy(hm.opad, key) - for i := range hm.ipad { - hm.ipad[i] ^= 0x36 - } - for i := range hm.opad { - hm.opad[i] ^= 0x5c - } - hm.inner.Write(hm.ipad) - - return hm -} - -// MarkAsUsedInKDF records that this HMAC instance is used as part of a KDF. -func MarkAsUsedInKDF(h *HMAC) { - h.forHKDF = true -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/hmac/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/hmac/ya.make deleted file mode 100644 index 7244e312255..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/hmac/ya.make +++ /dev/null @@ -1,13 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - hmac.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/indicator.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/indicator.go deleted file mode 100644 index 229e0715e73..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/indicator.go +++ /dev/null @@ -1,62 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package fips140 - -import _ "unsafe" // for go:linkname - -// The service indicator lets users of the module query whether invoked services -// are approved. Three states are stored in a per-goroutine value by the -// runtime. The indicator starts at indicatorUnset after a reset. Invoking an -// approved service transitions to indicatorTrue. Invoking a non-approved -// service transitions to indicatorFalse, and it can't leave that state until a -// reset. The idea is that functions can "delegate" checks to inner functions, -// and if there's anything non-approved in the stack, the final result is -// negative. Finally, we expose indicatorUnset as negative to the user, so that -// we don't need to explicitly annotate fully non-approved services. - -//go:linkname getIndicator crypto/internal/fips140.getIndicator -func getIndicator() uint8 - -//go:linkname setIndicator crypto/internal/fips140.setIndicator -func setIndicator(uint8) - -const ( - indicatorUnset uint8 = iota - indicatorFalse - indicatorTrue -) - -// ResetServiceIndicator clears the service indicator for the running goroutine. -func ResetServiceIndicator() { - setIndicator(indicatorUnset) -} - -// ServiceIndicator returns true if and only if all services invoked by this -// goroutine since the last ResetServiceIndicator call are approved. -// -// If ResetServiceIndicator was not called before by this goroutine, its return -// value is undefined. -func ServiceIndicator() bool { - return getIndicator() == indicatorTrue -} - -// RecordApproved is an internal function that records the use of an approved -// service. It does not override RecordNonApproved calls in the same span. -// -// It should be called by exposed functions that perform a whole cryptographic -// alrgorithm (e.g. by Sum, not by New, unless a cryptographic Instantiate -// algorithm is performed) and should be called after any checks that may cause -// the function to error out or panic. -func RecordApproved() { - if getIndicator() == indicatorUnset { - setIndicator(indicatorTrue) - } -} - -// RecordNonApproved is an internal function that records the use of a -// non-approved service. It overrides any RecordApproved calls in the same span. -func RecordNonApproved() { - setIndicator(indicatorFalse) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/cast.go deleted file mode 100644 index a432d1fdab0..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/cast.go +++ /dev/null @@ -1,53 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package mlkem - -import ( - "bytes" - "crypto/internal/fips140" - _ "crypto/internal/fips140/check" - "errors" -) - -func init() { - fips140.CAST("ML-KEM-768", func() error { - var d = &[32]byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, - } - var z = &[32]byte{ - 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, - 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, - 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, - 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, - } - var m = &[32]byte{ - 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, - 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, - 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, - 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60, - } - var K = []byte{ - 0x55, 0x01, 0xfc, 0x52, 0x3b, 0x74, 0x5f, 0x41, - 0x76, 0x2a, 0x18, 0x8d, 0xe4, 0x4a, 0x59, 0xb9, - 0x20, 0xf4, 0x30, 0x14, 0x62, 0x04, 0xee, 0x4e, - 0x79, 0x37, 0x32, 0x39, 0x6d, 0xf7, 0xaa, 0x48, - } - dk := &DecapsulationKey768{} - kemKeyGen(dk, d, z) - ek := dk.EncapsulationKey() - Ke, c := ek.EncapsulateInternal(m) - Kd, err := dk.Decapsulate(c) - if err != nil { - return err - } - if !bytes.Equal(Ke, K) || !bytes.Equal(Kd, K) { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/field.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/field.go deleted file mode 100644 index 1a428182472..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/field.go +++ /dev/null @@ -1,550 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package mlkem - -import ( - "crypto/internal/fips140/sha3" - "crypto/internal/fips140deps/byteorder" - "errors" -) - -// fieldElement is an integer modulo q, an element of ℤ_q. It is always reduced. -type fieldElement uint16 - -// fieldCheckReduced checks that a value a is < q. -func fieldCheckReduced(a uint16) (fieldElement, error) { - if a >= q { - return 0, errors.New("unreduced field element") - } - return fieldElement(a), nil -} - -// fieldReduceOnce reduces a value a < 2q. -func fieldReduceOnce(a uint16) fieldElement { - x := a - q - // If x underflowed, then x >= 2¹⁶ - q > 2¹⁵, so the top bit is set. - x += (x >> 15) * q - return fieldElement(x) -} - -func fieldAdd(a, b fieldElement) fieldElement { - x := uint16(a + b) - return fieldReduceOnce(x) -} - -func fieldSub(a, b fieldElement) fieldElement { - x := uint16(a - b + q) - return fieldReduceOnce(x) -} - -const ( - barrettMultiplier = 5039 // 2¹² * 2¹² / q - barrettShift = 24 // log₂(2¹² * 2¹²) -) - -// fieldReduce reduces a value a < 2q² using Barrett reduction, to avoid -// potentially variable-time division. -func fieldReduce(a uint32) fieldElement { - quotient := uint32((uint64(a) * barrettMultiplier) >> barrettShift) - return fieldReduceOnce(uint16(a - quotient*q)) -} - -func fieldMul(a, b fieldElement) fieldElement { - x := uint32(a) * uint32(b) - return fieldReduce(x) -} - -// fieldMulSub returns a * (b - c). This operation is fused to save a -// fieldReduceOnce after the subtraction. -func fieldMulSub(a, b, c fieldElement) fieldElement { - x := uint32(a) * uint32(b-c+q) - return fieldReduce(x) -} - -// fieldAddMul returns a * b + c * d. This operation is fused to save a -// fieldReduceOnce and a fieldReduce. -func fieldAddMul(a, b, c, d fieldElement) fieldElement { - x := uint32(a) * uint32(b) - x += uint32(c) * uint32(d) - return fieldReduce(x) -} - -// compress maps a field element uniformly to the range 0 to 2ᵈ-1, according to -// FIPS 203, Definition 4.7. -func compress(x fieldElement, d uint8) uint16 { - // We want to compute (x * 2ᵈ) / q, rounded to nearest integer, with 1/2 - // rounding up (see FIPS 203, Section 2.3). - - // Barrett reduction produces a quotient and a remainder in the range [0, 2q), - // such that dividend = quotient * q + remainder. - dividend := uint32(x) << d // x * 2ᵈ - quotient := uint32(uint64(dividend) * barrettMultiplier >> barrettShift) - remainder := dividend - quotient*q - - // Since the remainder is in the range [0, 2q), not [0, q), we need to - // portion it into three spans for rounding. - // - // [ 0, q/2 ) -> round to 0 - // [ q/2, q + q/2 ) -> round to 1 - // [ q + q/2, 2q ) -> round to 2 - // - // We can convert that to the following logic: add 1 if remainder > q/2, - // then add 1 again if remainder > q + q/2. - // - // Note that if remainder > x, then ⌊x⌋ - remainder underflows, and the top - // bit of the difference will be set. - quotient += (q/2 - remainder) >> 31 & 1 - quotient += (q + q/2 - remainder) >> 31 & 1 - - // quotient might have overflowed at this point, so reduce it by masking. - var mask uint32 = (1 << d) - 1 - return uint16(quotient & mask) -} - -// decompress maps a number x between 0 and 2ᵈ-1 uniformly to the full range of -// field elements, according to FIPS 203, Definition 4.8. -func decompress(y uint16, d uint8) fieldElement { - // We want to compute (y * q) / 2ᵈ, rounded to nearest integer, with 1/2 - // rounding up (see FIPS 203, Section 2.3). - - dividend := uint32(y) * q - quotient := dividend >> d // (y * q) / 2ᵈ - - // The d'th least-significant bit of the dividend (the most significant bit - // of the remainder) is 1 for the top half of the values that divide to the - // same quotient, which are the ones that round up. - quotient += dividend >> (d - 1) & 1 - - // quotient is at most (2¹¹-1) * q / 2¹¹ + 1 = 3328, so it didn't overflow. - return fieldElement(quotient) -} - -// ringElement is a polynomial, an element of R_q, represented as an array -// according to FIPS 203, Section 2.4.4. -type ringElement [n]fieldElement - -// polyAdd adds two ringElements or nttElements. -func polyAdd[T ~[n]fieldElement](a, b T) (s T) { - for i := range s { - s[i] = fieldAdd(a[i], b[i]) - } - return s -} - -// polySub subtracts two ringElements or nttElements. -func polySub[T ~[n]fieldElement](a, b T) (s T) { - for i := range s { - s[i] = fieldSub(a[i], b[i]) - } - return s -} - -// polyByteEncode appends the 384-byte encoding of f to b. -// -// It implements ByteEncode₁₂, according to FIPS 203, Algorithm 5. -func polyByteEncode[T ~[n]fieldElement](b []byte, f T) []byte { - out, B := sliceForAppend(b, encodingSize12) - for i := 0; i < n; i += 2 { - x := uint32(f[i]) | uint32(f[i+1])<<12 - B[0] = uint8(x) - B[1] = uint8(x >> 8) - B[2] = uint8(x >> 16) - B = B[3:] - } - return out -} - -// polyByteDecode decodes the 384-byte encoding of a polynomial, checking that -// all the coefficients are properly reduced. This fulfills the "Modulus check" -// step of ML-KEM Encapsulation. -// -// It implements ByteDecode₁₂, according to FIPS 203, Algorithm 6. -func polyByteDecode[T ~[n]fieldElement](b []byte) (T, error) { - if len(b) != encodingSize12 { - return T{}, errors.New("mlkem: invalid encoding length") - } - var f T - for i := 0; i < n; i += 2 { - d := uint32(b[0]) | uint32(b[1])<<8 | uint32(b[2])<<16 - const mask12 = 0b1111_1111_1111 - var err error - if f[i], err = fieldCheckReduced(uint16(d & mask12)); err != nil { - return T{}, errors.New("mlkem: invalid polynomial encoding") - } - if f[i+1], err = fieldCheckReduced(uint16(d >> 12)); err != nil { - return T{}, errors.New("mlkem: invalid polynomial encoding") - } - b = b[3:] - } - return f, nil -} - -// sliceForAppend takes a slice and a requested number of bytes. It returns a -// slice with the contents of the given slice followed by that many bytes and a -// second slice that aliases into it and contains only the extra bytes. If the -// original slice has sufficient capacity then no allocation is performed. -func sliceForAppend(in []byte, n int) (head, tail []byte) { - if total := len(in) + n; cap(in) >= total { - head = in[:total] - } else { - head = make([]byte, total) - copy(head, in) - } - tail = head[len(in):] - return -} - -// ringCompressAndEncode1 appends a 32-byte encoding of a ring element to s, -// compressing one coefficients per bit. -// -// It implements Compress₁, according to FIPS 203, Definition 4.7, -// followed by ByteEncode₁, according to FIPS 203, Algorithm 5. -func ringCompressAndEncode1(s []byte, f ringElement) []byte { - s, b := sliceForAppend(s, encodingSize1) - for i := range b { - b[i] = 0 - } - for i := range f { - b[i/8] |= uint8(compress(f[i], 1) << (i % 8)) - } - return s -} - -// ringDecodeAndDecompress1 decodes a 32-byte slice to a ring element where each -// bit is mapped to 0 or ⌈q/2⌋. -// -// It implements ByteDecode₁, according to FIPS 203, Algorithm 6, -// followed by Decompress₁, according to FIPS 203, Definition 4.8. -func ringDecodeAndDecompress1(b *[encodingSize1]byte) ringElement { - var f ringElement - for i := range f { - b_i := b[i/8] >> (i % 8) & 1 - const halfQ = (q + 1) / 2 // ⌈q/2⌋, rounded up per FIPS 203, Section 2.3 - f[i] = fieldElement(b_i) * halfQ // 0 decompresses to 0, and 1 to ⌈q/2⌋ - } - return f -} - -// ringCompressAndEncode4 appends a 128-byte encoding of a ring element to s, -// compressing two coefficients per byte. -// -// It implements Compress₄, according to FIPS 203, Definition 4.7, -// followed by ByteEncode₄, according to FIPS 203, Algorithm 5. -func ringCompressAndEncode4(s []byte, f ringElement) []byte { - s, b := sliceForAppend(s, encodingSize4) - for i := 0; i < n; i += 2 { - b[i/2] = uint8(compress(f[i], 4) | compress(f[i+1], 4)<<4) - } - return s -} - -// ringDecodeAndDecompress4 decodes a 128-byte encoding of a ring element where -// each four bits are mapped to an equidistant distribution. -// -// It implements ByteDecode₄, according to FIPS 203, Algorithm 6, -// followed by Decompress₄, according to FIPS 203, Definition 4.8. -func ringDecodeAndDecompress4(b *[encodingSize4]byte) ringElement { - var f ringElement - for i := 0; i < n; i += 2 { - f[i] = fieldElement(decompress(uint16(b[i/2]&0b1111), 4)) - f[i+1] = fieldElement(decompress(uint16(b[i/2]>>4), 4)) - } - return f -} - -// ringCompressAndEncode10 appends a 320-byte encoding of a ring element to s, -// compressing four coefficients per five bytes. -// -// It implements Compress₁₀, according to FIPS 203, Definition 4.7, -// followed by ByteEncode₁₀, according to FIPS 203, Algorithm 5. -func ringCompressAndEncode10(s []byte, f ringElement) []byte { - s, b := sliceForAppend(s, encodingSize10) - for i := 0; i < n; i += 4 { - var x uint64 - x |= uint64(compress(f[i], 10)) - x |= uint64(compress(f[i+1], 10)) << 10 - x |= uint64(compress(f[i+2], 10)) << 20 - x |= uint64(compress(f[i+3], 10)) << 30 - b[0] = uint8(x) - b[1] = uint8(x >> 8) - b[2] = uint8(x >> 16) - b[3] = uint8(x >> 24) - b[4] = uint8(x >> 32) - b = b[5:] - } - return s -} - -// ringDecodeAndDecompress10 decodes a 320-byte encoding of a ring element where -// each ten bits are mapped to an equidistant distribution. -// -// It implements ByteDecode₁₀, according to FIPS 203, Algorithm 6, -// followed by Decompress₁₀, according to FIPS 203, Definition 4.8. -func ringDecodeAndDecompress10(bb *[encodingSize10]byte) ringElement { - b := bb[:] - var f ringElement - for i := 0; i < n; i += 4 { - x := uint64(b[0]) | uint64(b[1])<<8 | uint64(b[2])<<16 | uint64(b[3])<<24 | uint64(b[4])<<32 - b = b[5:] - f[i] = fieldElement(decompress(uint16(x>>0&0b11_1111_1111), 10)) - f[i+1] = fieldElement(decompress(uint16(x>>10&0b11_1111_1111), 10)) - f[i+2] = fieldElement(decompress(uint16(x>>20&0b11_1111_1111), 10)) - f[i+3] = fieldElement(decompress(uint16(x>>30&0b11_1111_1111), 10)) - } - return f -} - -// ringCompressAndEncode appends an encoding of a ring element to s, -// compressing each coefficient to d bits. -// -// It implements Compress, according to FIPS 203, Definition 4.7, -// followed by ByteEncode, according to FIPS 203, Algorithm 5. -func ringCompressAndEncode(s []byte, f ringElement, d uint8) []byte { - var b byte - var bIdx uint8 - for i := 0; i < n; i++ { - c := compress(f[i], d) - var cIdx uint8 - for cIdx < d { - b |= byte(c>>cIdx) << bIdx - bits := min(8-bIdx, d-cIdx) - bIdx += bits - cIdx += bits - if bIdx == 8 { - s = append(s, b) - b = 0 - bIdx = 0 - } - } - } - if bIdx != 0 { - panic("mlkem: internal error: bitsFilled != 0") - } - return s -} - -// ringDecodeAndDecompress decodes an encoding of a ring element where -// each d bits are mapped to an equidistant distribution. -// -// It implements ByteDecode, according to FIPS 203, Algorithm 6, -// followed by Decompress, according to FIPS 203, Definition 4.8. -func ringDecodeAndDecompress(b []byte, d uint8) ringElement { - var f ringElement - var bIdx uint8 - for i := 0; i < n; i++ { - var c uint16 - var cIdx uint8 - for cIdx < d { - c |= uint16(b[0]>>bIdx) << cIdx - c &= (1 << d) - 1 - bits := min(8-bIdx, d-cIdx) - bIdx += bits - cIdx += bits - if bIdx == 8 { - b = b[1:] - bIdx = 0 - } - } - f[i] = fieldElement(decompress(c, d)) - } - if len(b) != 0 { - panic("mlkem: internal error: leftover bytes") - } - return f -} - -// ringCompressAndEncode5 appends a 160-byte encoding of a ring element to s, -// compressing eight coefficients per five bytes. -// -// It implements Compress₅, according to FIPS 203, Definition 4.7, -// followed by ByteEncode₅, according to FIPS 203, Algorithm 5. -func ringCompressAndEncode5(s []byte, f ringElement) []byte { - return ringCompressAndEncode(s, f, 5) -} - -// ringDecodeAndDecompress5 decodes a 160-byte encoding of a ring element where -// each five bits are mapped to an equidistant distribution. -// -// It implements ByteDecode₅, according to FIPS 203, Algorithm 6, -// followed by Decompress₅, according to FIPS 203, Definition 4.8. -func ringDecodeAndDecompress5(bb *[encodingSize5]byte) ringElement { - return ringDecodeAndDecompress(bb[:], 5) -} - -// ringCompressAndEncode11 appends a 352-byte encoding of a ring element to s, -// compressing eight coefficients per eleven bytes. -// -// It implements Compress₁₁, according to FIPS 203, Definition 4.7, -// followed by ByteEncode₁₁, according to FIPS 203, Algorithm 5. -func ringCompressAndEncode11(s []byte, f ringElement) []byte { - return ringCompressAndEncode(s, f, 11) -} - -// ringDecodeAndDecompress11 decodes a 352-byte encoding of a ring element where -// each eleven bits are mapped to an equidistant distribution. -// -// It implements ByteDecode₁₁, according to FIPS 203, Algorithm 6, -// followed by Decompress₁₁, according to FIPS 203, Definition 4.8. -func ringDecodeAndDecompress11(bb *[encodingSize11]byte) ringElement { - return ringDecodeAndDecompress(bb[:], 11) -} - -// samplePolyCBD draws a ringElement from the special Dη distribution given a -// stream of random bytes generated by the PRF function, according to FIPS 203, -// Algorithm 8 and Definition 4.3. -func samplePolyCBD(s []byte, b byte) ringElement { - prf := sha3.NewShake256() - prf.Write(s) - prf.Write([]byte{b}) - B := make([]byte, 64*2) // η = 2 - prf.Read(B) - - // SamplePolyCBD simply draws four (2η) bits for each coefficient, and adds - // the first two and subtracts the last two. - - var f ringElement - for i := 0; i < n; i += 2 { - b := B[i/2] - b_7, b_6, b_5, b_4 := b>>7, b>>6&1, b>>5&1, b>>4&1 - b_3, b_2, b_1, b_0 := b>>3&1, b>>2&1, b>>1&1, b&1 - f[i] = fieldSub(fieldElement(b_0+b_1), fieldElement(b_2+b_3)) - f[i+1] = fieldSub(fieldElement(b_4+b_5), fieldElement(b_6+b_7)) - } - return f -} - -// nttElement is an NTT representation, an element of T_q, represented as an -// array according to FIPS 203, Section 2.4.4. -type nttElement [n]fieldElement - -// gammas are the values ζ^2BitRev7(i)+1 mod q for each index i, according to -// FIPS 203, Appendix A (with negative values reduced to positive). -var gammas = [128]fieldElement{17, 3312, 2761, 568, 583, 2746, 2649, 680, 1637, 1692, 723, 2606, 2288, 1041, 1100, 2229, 1409, 1920, 2662, 667, 3281, 48, 233, 3096, 756, 2573, 2156, 1173, 3015, 314, 3050, 279, 1703, 1626, 1651, 1678, 2789, 540, 1789, 1540, 1847, 1482, 952, 2377, 1461, 1868, 2687, 642, 939, 2390, 2308, 1021, 2437, 892, 2388, 941, 733, 2596, 2337, 992, 268, 3061, 641, 2688, 1584, 1745, 2298, 1031, 2037, 1292, 3220, 109, 375, 2954, 2549, 780, 2090, 1239, 1645, 1684, 1063, 2266, 319, 3010, 2773, 556, 757, 2572, 2099, 1230, 561, 2768, 2466, 863, 2594, 735, 2804, 525, 1092, 2237, 403, 2926, 1026, 2303, 1143, 2186, 2150, 1179, 2775, 554, 886, 2443, 1722, 1607, 1212, 2117, 1874, 1455, 1029, 2300, 2110, 1219, 2935, 394, 885, 2444, 2154, 1175} - -// nttMul multiplies two nttElements. -// -// It implements MultiplyNTTs, according to FIPS 203, Algorithm 11. -func nttMul(f, g nttElement) nttElement { - var h nttElement - // We use i += 2 for bounds check elimination. See https://go.dev/issue/66826. - for i := 0; i < 256; i += 2 { - a0, a1 := f[i], f[i+1] - b0, b1 := g[i], g[i+1] - h[i] = fieldAddMul(a0, b0, fieldMul(a1, b1), gammas[i/2]) - h[i+1] = fieldAddMul(a0, b1, a1, b0) - } - return h -} - -// zetas are the values ζ^BitRev7(k) mod q for each index k, according to FIPS -// 203, Appendix A. -var zetas = [128]fieldElement{1, 1729, 2580, 3289, 2642, 630, 1897, 848, 1062, 1919, 193, 797, 2786, 3260, 569, 1746, 296, 2447, 1339, 1476, 3046, 56, 2240, 1333, 1426, 2094, 535, 2882, 2393, 2879, 1974, 821, 289, 331, 3253, 1756, 1197, 2304, 2277, 2055, 650, 1977, 2513, 632, 2865, 33, 1320, 1915, 2319, 1435, 807, 452, 1438, 2868, 1534, 2402, 2647, 2617, 1481, 648, 2474, 3110, 1227, 910, 17, 2761, 583, 2649, 1637, 723, 2288, 1100, 1409, 2662, 3281, 233, 756, 2156, 3015, 3050, 1703, 1651, 2789, 1789, 1847, 952, 1461, 2687, 939, 2308, 2437, 2388, 733, 2337, 268, 641, 1584, 2298, 2037, 3220, 375, 2549, 2090, 1645, 1063, 319, 2773, 757, 2099, 561, 2466, 2594, 2804, 1092, 403, 1026, 1143, 2150, 2775, 886, 1722, 1212, 1874, 1029, 2110, 2935, 885, 2154} - -// ntt maps a ringElement to its nttElement representation. -// -// It implements NTT, according to FIPS 203, Algorithm 9. -func ntt(f ringElement) nttElement { - k := 1 - for len := 128; len >= 2; len /= 2 { - for start := 0; start < 256; start += 2 * len { - zeta := zetas[k] - k++ - // Bounds check elimination hint. - f, flen := f[start:start+len], f[start+len:start+len+len] - for j := 0; j < len; j++ { - t := fieldMul(zeta, flen[j]) - flen[j] = fieldSub(f[j], t) - f[j] = fieldAdd(f[j], t) - } - } - } - return nttElement(f) -} - -// inverseNTT maps a nttElement back to the ringElement it represents. -// -// It implements NTT⁻¹, according to FIPS 203, Algorithm 10. -func inverseNTT(f nttElement) ringElement { - k := 127 - for len := 2; len <= 128; len *= 2 { - for start := 0; start < 256; start += 2 * len { - zeta := zetas[k] - k-- - // Bounds check elimination hint. - f, flen := f[start:start+len], f[start+len:start+len+len] - for j := 0; j < len; j++ { - t := f[j] - f[j] = fieldAdd(t, flen[j]) - flen[j] = fieldMulSub(zeta, flen[j], t) - } - } - } - for i := range f { - f[i] = fieldMul(f[i], 3303) // 3303 = 128⁻¹ mod q - } - return ringElement(f) -} - -// sampleNTT draws a uniformly random nttElement from a stream of uniformly -// random bytes generated by the XOF function, according to FIPS 203, -// Algorithm 7. -func sampleNTT(rho []byte, ii, jj byte) nttElement { - B := sha3.NewShake128() - B.Write(rho) - B.Write([]byte{ii, jj}) - - // SampleNTT essentially draws 12 bits at a time from r, interprets them in - // little-endian, and rejects values higher than q, until it drew 256 - // values. (The rejection rate is approximately 19%.) - // - // To do this from a bytes stream, it draws three bytes at a time, and - // splits them into two uint16 appropriately masked. - // - // r₀ r₁ r₂ - // |- - - - - - - -|- - - - - - - -|- - - - - - - -| - // - // Uint16(r₀ || r₁) - // |- - - - - - - - - - - - - - - -| - // |- - - - - - - - - - - -| - // d₁ - // - // Uint16(r₁ || r₂) - // |- - - - - - - - - - - - - - - -| - // |- - - - - - - - - - - -| - // d₂ - // - // Note that in little-endian, the rightmost bits are the most significant - // bits (dropped with a mask) and the leftmost bits are the least - // significant bits (dropped with a right shift). - - var a nttElement - var j int // index into a - var buf [24]byte // buffered reads from B - off := len(buf) // index into buf, starts in a "buffer fully consumed" state - for { - if off >= len(buf) { - B.Read(buf[:]) - off = 0 - } - d1 := byteorder.LEUint16(buf[off:]) & 0b1111_1111_1111 - d2 := byteorder.LEUint16(buf[off+1:]) >> 4 - off += 3 - if d1 < q { - a[j] = fieldElement(d1) - j++ - } - if j >= len(a) { - break - } - if d2 < q { - a[j] = fieldElement(d2) - j++ - } - if j >= len(a) { - break - } - } - return a -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/generate1024.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/generate1024.go deleted file mode 100644 index 9e38ad00df9..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/generate1024.go +++ /dev/null @@ -1,128 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build ignore - -package main - -import ( - "flag" - "go/ast" - "go/format" - "go/parser" - "go/token" - "log" - "os" - "strings" -) - -var replacements = map[string]string{ - "k": "k1024", - - "CiphertextSize768": "CiphertextSize1024", - "EncapsulationKeySize768": "EncapsulationKeySize1024", - "decapsulationKeySize768": "decapsulationKeySize1024", - - "encryptionKey": "encryptionKey1024", - "decryptionKey": "decryptionKey1024", - - "EncapsulationKey768": "EncapsulationKey1024", - "NewEncapsulationKey768": "NewEncapsulationKey1024", - "parseEK": "parseEK1024", - - "kemEncaps": "kemEncaps1024", - "pkeEncrypt": "pkeEncrypt1024", - - "DecapsulationKey768": "DecapsulationKey1024", - "NewDecapsulationKey768": "NewDecapsulationKey1024", - "TestingOnlyNewDecapsulationKey768": "TestingOnlyNewDecapsulationKey1024", - "newKeyFromSeed": "newKeyFromSeed1024", - "TestingOnlyExpandedBytes768": "TestingOnlyExpandedBytes1024", - - "kemDecaps": "kemDecaps1024", - "pkeDecrypt": "pkeDecrypt1024", - - "GenerateKey768": "GenerateKey1024", - "GenerateKeyInternal768": "GenerateKeyInternal1024", - "generateKey": "generateKey1024", - - "kemKeyGen": "kemKeyGen1024", - "kemPCT": "kemPCT1024", - - "encodingSize4": "encodingSize5", - "encodingSize10": "encodingSize11", - "ringCompressAndEncode4": "ringCompressAndEncode5", - "ringCompressAndEncode10": "ringCompressAndEncode11", - "ringDecodeAndDecompress4": "ringDecodeAndDecompress5", - "ringDecodeAndDecompress10": "ringDecodeAndDecompress11", -} - -func main() { - inputFile := flag.String("input", "", "") - outputFile := flag.String("output", "", "") - flag.Parse() - - fset := token.NewFileSet() - f, err := parser.ParseFile(fset, *inputFile, nil, parser.SkipObjectResolution|parser.ParseComments) - if err != nil { - log.Fatal(err) - } - cmap := ast.NewCommentMap(fset, f, f.Comments) - - // Drop header comments. - cmap[ast.Node(f)] = nil - - // Remove top-level consts used across the main and generated files. - var newDecls []ast.Decl - for _, decl := range f.Decls { - switch d := decl.(type) { - case *ast.GenDecl: - if d.Tok == token.CONST { - continue // Skip const declarations - } - if d.Tok == token.IMPORT { - cmap[decl] = nil // Drop pre-import comments. - } - } - newDecls = append(newDecls, decl) - } - f.Decls = newDecls - - // Replace identifiers. - ast.Inspect(f, func(n ast.Node) bool { - switch x := n.(type) { - case *ast.Ident: - if replacement, ok := replacements[x.Name]; ok { - x.Name = replacement - } - } - return true - }) - - // Replace identifiers in comments. - for _, c := range f.Comments { - for _, l := range c.List { - for k, v := range replacements { - if k == "k" { - continue - } - l.Text = strings.ReplaceAll(l.Text, k, v) - } - } - } - - out, err := os.Create(*outputFile) - if err != nil { - log.Fatal(err) - } - defer out.Close() - - out.WriteString("// Code generated by generate1024.go. DO NOT EDIT.\n\n") - - f.Comments = cmap.Filter(f).Comments() - err = format.Node(out, fset, f) - if err != nil { - log.Fatal(err) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/mlkem1024.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/mlkem1024.go deleted file mode 100644 index 1419cf20fa9..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/mlkem1024.go +++ /dev/null @@ -1,451 +0,0 @@ -// Code generated by generate1024.go. DO NOT EDIT. - -package mlkem - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140/drbg" - "crypto/internal/fips140/sha3" - "crypto/internal/fips140/subtle" - "errors" -) - -// A DecapsulationKey1024 is the secret key used to decapsulate a shared key from a -// ciphertext. It includes various precomputed values. -type DecapsulationKey1024 struct { - d [32]byte // decapsulation key seed - z [32]byte // implicit rejection sampling seed - - ρ [32]byte // sampleNTT seed for A, stored for the encapsulation key - h [32]byte // H(ek), stored for ML-KEM.Decaps_internal - - encryptionKey1024 - decryptionKey1024 -} - -// Bytes returns the decapsulation key as a 64-byte seed in the "d || z" form. -// -// The decapsulation key must be kept secret. -func (dk *DecapsulationKey1024) Bytes() []byte { - var b [SeedSize]byte - copy(b[:], dk.d[:]) - copy(b[32:], dk.z[:]) - return b[:] -} - -// TestingOnlyExpandedBytes1024 returns the decapsulation key as a byte slice -// using the full expanded NIST encoding. -// -// This should only be used for ACVP testing. For all other purposes prefer -// the Bytes method that returns the (much smaller) seed. -func TestingOnlyExpandedBytes1024(dk *DecapsulationKey1024) []byte { - b := make([]byte, 0, decapsulationKeySize1024) - - // ByteEncode₁₂(s) - for i := range dk.s { - b = polyByteEncode(b, dk.s[i]) - } - - // ByteEncode₁₂(t) || ρ - for i := range dk.t { - b = polyByteEncode(b, dk.t[i]) - } - b = append(b, dk.ρ[:]...) - - // H(ek) || z - b = append(b, dk.h[:]...) - b = append(b, dk.z[:]...) - - return b -} - -// EncapsulationKey returns the public encapsulation key necessary to produce -// ciphertexts. -func (dk *DecapsulationKey1024) EncapsulationKey() *EncapsulationKey1024 { - return &EncapsulationKey1024{ - ρ: dk.ρ, - h: dk.h, - encryptionKey1024: dk.encryptionKey1024, - } -} - -// An EncapsulationKey1024 is the public key used to produce ciphertexts to be -// decapsulated by the corresponding [DecapsulationKey1024]. -type EncapsulationKey1024 struct { - ρ [32]byte // sampleNTT seed for A - h [32]byte // H(ek) - encryptionKey1024 -} - -// Bytes returns the encapsulation key as a byte slice. -func (ek *EncapsulationKey1024) Bytes() []byte { - // The actual logic is in a separate function to outline this allocation. - b := make([]byte, 0, EncapsulationKeySize1024) - return ek.bytes(b) -} - -func (ek *EncapsulationKey1024) bytes(b []byte) []byte { - for i := range ek.t { - b = polyByteEncode(b, ek.t[i]) - } - b = append(b, ek.ρ[:]...) - return b -} - -// encryptionKey1024 is the parsed and expanded form of a PKE encryption key. -type encryptionKey1024 struct { - t [k1024]nttElement // ByteDecode₁₂(ek[:384k]) - a [k1024 * k1024]nttElement // A[i*k+j] = sampleNTT(ρ, j, i) -} - -// decryptionKey1024 is the parsed and expanded form of a PKE decryption key. -type decryptionKey1024 struct { - s [k1024]nttElement // ByteDecode₁₂(dk[:decryptionKey1024Size]) -} - -// GenerateKey1024 generates a new decapsulation key, drawing random bytes from -// a DRBG. The decapsulation key must be kept secret. -func GenerateKey1024() (*DecapsulationKey1024, error) { - // The actual logic is in a separate function to outline this allocation. - dk := &DecapsulationKey1024{} - return generateKey1024(dk) -} - -func generateKey1024(dk *DecapsulationKey1024) (*DecapsulationKey1024, error) { - var d [32]byte - drbg.Read(d[:]) - var z [32]byte - drbg.Read(z[:]) - kemKeyGen1024(dk, &d, &z) - fips140.PCT("ML-KEM PCT", func() error { return kemPCT1024(dk) }) - fips140.RecordApproved() - return dk, nil -} - -// GenerateKeyInternal1024 is a derandomized version of GenerateKey1024, -// exclusively for use in tests. -func GenerateKeyInternal1024(d, z *[32]byte) *DecapsulationKey1024 { - dk := &DecapsulationKey1024{} - kemKeyGen1024(dk, d, z) - return dk -} - -// NewDecapsulationKey1024 parses a decapsulation key from a 64-byte -// seed in the "d || z" form. The seed must be uniformly random. -func NewDecapsulationKey1024(seed []byte) (*DecapsulationKey1024, error) { - // The actual logic is in a separate function to outline this allocation. - dk := &DecapsulationKey1024{} - return newKeyFromSeed1024(dk, seed) -} - -func newKeyFromSeed1024(dk *DecapsulationKey1024, seed []byte) (*DecapsulationKey1024, error) { - if len(seed) != SeedSize { - return nil, errors.New("mlkem: invalid seed length") - } - d := (*[32]byte)(seed[:32]) - z := (*[32]byte)(seed[32:]) - kemKeyGen1024(dk, d, z) - fips140.RecordApproved() - return dk, nil -} - -// TestingOnlyNewDecapsulationKey1024 parses a decapsulation key from its expanded NIST format. -// -// Bytes() must not be called on the returned key, as it will not produce the -// original seed. -// -// This function should only be used for ACVP testing. Prefer NewDecapsulationKey1024 for all -// other purposes. -func TestingOnlyNewDecapsulationKey1024(b []byte) (*DecapsulationKey1024, error) { - if len(b) != decapsulationKeySize1024 { - return nil, errors.New("mlkem: invalid NIST decapsulation key length") - } - - dk := &DecapsulationKey1024{} - for i := range dk.s { - var err error - dk.s[i], err = polyByteDecode[nttElement](b[:encodingSize12]) - if err != nil { - return nil, errors.New("mlkem: invalid secret key encoding") - } - b = b[encodingSize12:] - } - - ek, err := NewEncapsulationKey1024(b[:EncapsulationKeySize1024]) - if err != nil { - return nil, err - } - dk.ρ = ek.ρ - dk.h = ek.h - dk.encryptionKey1024 = ek.encryptionKey1024 - b = b[EncapsulationKeySize1024:] - - if !bytes.Equal(dk.h[:], b[:32]) { - return nil, errors.New("mlkem: inconsistent H(ek) in encoded bytes") - } - b = b[32:] - - copy(dk.z[:], b) - - // Generate a random d value for use in Bytes(). This is a safety mechanism - // that avoids returning a broken key vs a random key if this function is - // called in contravention of the TestingOnlyNewDecapsulationKey1024 function - // comment advising against it. - drbg.Read(dk.d[:]) - - return dk, nil -} - -// kemKeyGen1024 generates a decapsulation key. -// -// It implements ML-KEM.KeyGen_internal according to FIPS 203, Algorithm 16, and -// K-PKE.KeyGen according to FIPS 203, Algorithm 13. The two are merged to save -// copies and allocations. -func kemKeyGen1024(dk *DecapsulationKey1024, d, z *[32]byte) { - dk.d = *d - dk.z = *z - - g := sha3.New512() - g.Write(d[:]) - g.Write([]byte{k1024}) // Module dimension as a domain separator. - G := g.Sum(make([]byte, 0, 64)) - ρ, σ := G[:32], G[32:] - dk.ρ = [32]byte(ρ) - - A := &dk.a - for i := byte(0); i < k1024; i++ { - for j := byte(0); j < k1024; j++ { - A[i*k1024+j] = sampleNTT(ρ, j, i) - } - } - - var N byte - s := &dk.s - for i := range s { - s[i] = ntt(samplePolyCBD(σ, N)) - N++ - } - e := make([]nttElement, k1024) - for i := range e { - e[i] = ntt(samplePolyCBD(σ, N)) - N++ - } - - t := &dk.t - for i := range t { // t = A ◦ s + e - t[i] = e[i] - for j := range s { - t[i] = polyAdd(t[i], nttMul(A[i*k1024+j], s[j])) - } - } - - H := sha3.New256() - ek := dk.EncapsulationKey().Bytes() - H.Write(ek) - H.Sum(dk.h[:0]) -} - -// kemPCT1024 performs a Pairwise Consistency Test per FIPS 140-3 IG 10.3.A -// Additional Comment 1: "For key pairs generated for use with approved KEMs in -// FIPS 203, the PCT shall consist of applying the encapsulation key ek to -// encapsulate a shared secret K leading to ciphertext c, and then applying -// decapsulation key dk to retrieve the same shared secret K. The PCT passes if -// the two shared secret K values are equal. The PCT shall be performed either -// when keys are generated/imported, prior to the first exportation, or prior to -// the first operational use (if not exported before the first use)." -func kemPCT1024(dk *DecapsulationKey1024) error { - ek := dk.EncapsulationKey() - K, c := ek.Encapsulate() - K1, err := dk.Decapsulate(c) - if err != nil { - return err - } - if subtle.ConstantTimeCompare(K, K1) != 1 { - return errors.New("mlkem: PCT failed") - } - return nil -} - -// Encapsulate generates a shared key and an associated ciphertext from an -// encapsulation key, drawing random bytes from a DRBG. -// -// The shared key must be kept secret. -func (ek *EncapsulationKey1024) Encapsulate() (sharedKey, ciphertext []byte) { - // The actual logic is in a separate function to outline this allocation. - var cc [CiphertextSize1024]byte - return ek.encapsulate(&cc) -} - -func (ek *EncapsulationKey1024) encapsulate(cc *[CiphertextSize1024]byte) (sharedKey, ciphertext []byte) { - var m [messageSize]byte - drbg.Read(m[:]) - // Note that the modulus check (step 2 of the encapsulation key check from - // FIPS 203, Section 7.2) is performed by polyByteDecode in parseEK1024. - fips140.RecordApproved() - return kemEncaps1024(cc, ek, &m) -} - -// EncapsulateInternal is a derandomized version of Encapsulate, exclusively for -// use in tests. -func (ek *EncapsulationKey1024) EncapsulateInternal(m *[32]byte) (sharedKey, ciphertext []byte) { - cc := &[CiphertextSize1024]byte{} - return kemEncaps1024(cc, ek, m) -} - -// kemEncaps1024 generates a shared key and an associated ciphertext. -// -// It implements ML-KEM.Encaps_internal according to FIPS 203, Algorithm 17. -func kemEncaps1024(cc *[CiphertextSize1024]byte, ek *EncapsulationKey1024, m *[messageSize]byte) (K, c []byte) { - g := sha3.New512() - g.Write(m[:]) - g.Write(ek.h[:]) - G := g.Sum(nil) - K, r := G[:SharedKeySize], G[SharedKeySize:] - c = pkeEncrypt1024(cc, &ek.encryptionKey1024, m, r) - return K, c -} - -// NewEncapsulationKey1024 parses an encapsulation key from its encoded form. -// If the encapsulation key is not valid, NewEncapsulationKey1024 returns an error. -func NewEncapsulationKey1024(encapsulationKey []byte) (*EncapsulationKey1024, error) { - // The actual logic is in a separate function to outline this allocation. - ek := &EncapsulationKey1024{} - return parseEK1024(ek, encapsulationKey) -} - -// parseEK1024 parses an encryption key from its encoded form. -// -// It implements the initial stages of K-PKE.Encrypt according to FIPS 203, -// Algorithm 14. -func parseEK1024(ek *EncapsulationKey1024, ekPKE []byte) (*EncapsulationKey1024, error) { - if len(ekPKE) != EncapsulationKeySize1024 { - return nil, errors.New("mlkem: invalid encapsulation key length") - } - - h := sha3.New256() - h.Write(ekPKE) - h.Sum(ek.h[:0]) - - for i := range ek.t { - var err error - ek.t[i], err = polyByteDecode[nttElement](ekPKE[:encodingSize12]) - if err != nil { - return nil, err - } - ekPKE = ekPKE[encodingSize12:] - } - copy(ek.ρ[:], ekPKE) - - for i := byte(0); i < k1024; i++ { - for j := byte(0); j < k1024; j++ { - ek.a[i*k1024+j] = sampleNTT(ek.ρ[:], j, i) - } - } - - return ek, nil -} - -// pkeEncrypt1024 encrypt a plaintext message. -// -// It implements K-PKE.Encrypt according to FIPS 203, Algorithm 14, although the -// computation of t and AT is done in parseEK1024. -func pkeEncrypt1024(cc *[CiphertextSize1024]byte, ex *encryptionKey1024, m *[messageSize]byte, rnd []byte) []byte { - var N byte - r, e1 := make([]nttElement, k1024), make([]ringElement, k1024) - for i := range r { - r[i] = ntt(samplePolyCBD(rnd, N)) - N++ - } - for i := range e1 { - e1[i] = samplePolyCBD(rnd, N) - N++ - } - e2 := samplePolyCBD(rnd, N) - - u := make([]ringElement, k1024) // NTT⁻¹(AT ◦ r) + e1 - for i := range u { - u[i] = e1[i] - for j := range r { - // Note that i and j are inverted, as we need the transposed of A. - u[i] = polyAdd(u[i], inverseNTT(nttMul(ex.a[j*k1024+i], r[j]))) - } - } - - μ := ringDecodeAndDecompress1(m) - - var vNTT nttElement // t⊺ ◦ r - for i := range ex.t { - vNTT = polyAdd(vNTT, nttMul(ex.t[i], r[i])) - } - v := polyAdd(polyAdd(inverseNTT(vNTT), e2), μ) - - c := cc[:0] - for _, f := range u { - c = ringCompressAndEncode11(c, f) - } - c = ringCompressAndEncode5(c, v) - - return c -} - -// Decapsulate generates a shared key from a ciphertext and a decapsulation key. -// If the ciphertext is not valid, Decapsulate returns an error. -// -// The shared key must be kept secret. -func (dk *DecapsulationKey1024) Decapsulate(ciphertext []byte) (sharedKey []byte, err error) { - if len(ciphertext) != CiphertextSize1024 { - return nil, errors.New("mlkem: invalid ciphertext length") - } - c := (*[CiphertextSize1024]byte)(ciphertext) - // Note that the hash check (step 3 of the decapsulation input check from - // FIPS 203, Section 7.3) is foregone as a DecapsulationKey is always - // validly generated by ML-KEM.KeyGen_internal. - return kemDecaps1024(dk, c), nil -} - -// kemDecaps1024 produces a shared key from a ciphertext. -// -// It implements ML-KEM.Decaps_internal according to FIPS 203, Algorithm 18. -func kemDecaps1024(dk *DecapsulationKey1024, c *[CiphertextSize1024]byte) (K []byte) { - fips140.RecordApproved() - m := pkeDecrypt1024(&dk.decryptionKey1024, c) - g := sha3.New512() - g.Write(m[:]) - g.Write(dk.h[:]) - G := g.Sum(make([]byte, 0, 64)) - Kprime, r := G[:SharedKeySize], G[SharedKeySize:] - J := sha3.NewShake256() - J.Write(dk.z[:]) - J.Write(c[:]) - Kout := make([]byte, SharedKeySize) - J.Read(Kout) - var cc [CiphertextSize1024]byte - c1 := pkeEncrypt1024(&cc, &dk.encryptionKey1024, (*[32]byte)(m), r) - - subtle.ConstantTimeCopy(subtle.ConstantTimeCompare(c[:], c1), Kout, Kprime) - return Kout -} - -// pkeDecrypt1024 decrypts a ciphertext. -// -// It implements K-PKE.Decrypt according to FIPS 203, Algorithm 15, -// although s is retained from kemKeyGen1024. -func pkeDecrypt1024(dx *decryptionKey1024, c *[CiphertextSize1024]byte) []byte { - u := make([]ringElement, k1024) - for i := range u { - b := (*[encodingSize11]byte)(c[encodingSize11*i : encodingSize11*(i+1)]) - u[i] = ringDecodeAndDecompress11(b) - } - - b := (*[encodingSize5]byte)(c[encodingSize11*k1024:]) - v := ringDecodeAndDecompress5(b) - - var mask nttElement // s⊺ ◦ NTT(u) - for i := range dx.s { - mask = polyAdd(mask, nttMul(dx.s[i], ntt(u[i]))) - } - w := polySub(v, inverseNTT(mask)) - - return ringCompressAndEncode1(nil, w) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/mlkem768.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/mlkem768.go deleted file mode 100644 index 298660e4e97..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/mlkem768.go +++ /dev/null @@ -1,510 +0,0 @@ -// Copyright 2023 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package mlkem implements the quantum-resistant key encapsulation method -// ML-KEM (formerly known as Kyber), as specified in [NIST FIPS 203]. -// -// [NIST FIPS 203]: https://doi.org/10.6028/NIST.FIPS.203 -package mlkem - -// This package targets security, correctness, simplicity, readability, and -// reviewability as its primary goals. All critical operations are performed in -// constant time. -// -// Variable and function names, as well as code layout, are selected to -// facilitate reviewing the implementation against the NIST FIPS 203 document. -// -// Reviewers unfamiliar with polynomials or linear algebra might find the -// background at https://words.filippo.io/kyber-math/ useful. -// -// This file implements the recommended parameter set ML-KEM-768. The ML-KEM-1024 -// parameter set implementation is auto-generated from this file. -// -//go:generate go run generate1024.go -input mlkem768.go -output mlkem1024.go - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140/drbg" - "crypto/internal/fips140/sha3" - "crypto/internal/fips140/subtle" - "errors" -) - -const ( - // ML-KEM global constants. - n = 256 - q = 3329 - - // encodingSizeX is the byte size of a ringElement or nttElement encoded - // by ByteEncode_X (FIPS 203, Algorithm 5). - encodingSize12 = n * 12 / 8 - encodingSize11 = n * 11 / 8 - encodingSize10 = n * 10 / 8 - encodingSize5 = n * 5 / 8 - encodingSize4 = n * 4 / 8 - encodingSize1 = n * 1 / 8 - - messageSize = encodingSize1 - - SharedKeySize = 32 - SeedSize = 32 + 32 -) - -// ML-KEM-768 parameters. -const ( - k = 3 - - CiphertextSize768 = k*encodingSize10 + encodingSize4 - EncapsulationKeySize768 = k*encodingSize12 + 32 - decapsulationKeySize768 = k*encodingSize12 + EncapsulationKeySize768 + 32 + 32 -) - -// ML-KEM-1024 parameters. -const ( - k1024 = 4 - - CiphertextSize1024 = k1024*encodingSize11 + encodingSize5 - EncapsulationKeySize1024 = k1024*encodingSize12 + 32 - decapsulationKeySize1024 = k1024*encodingSize12 + EncapsulationKeySize1024 + 32 + 32 -) - -// A DecapsulationKey768 is the secret key used to decapsulate a shared key from a -// ciphertext. It includes various precomputed values. -type DecapsulationKey768 struct { - d [32]byte // decapsulation key seed - z [32]byte // implicit rejection sampling seed - - ρ [32]byte // sampleNTT seed for A, stored for the encapsulation key - h [32]byte // H(ek), stored for ML-KEM.Decaps_internal - - encryptionKey - decryptionKey -} - -// Bytes returns the decapsulation key as a 64-byte seed in the "d || z" form. -// -// The decapsulation key must be kept secret. -func (dk *DecapsulationKey768) Bytes() []byte { - var b [SeedSize]byte - copy(b[:], dk.d[:]) - copy(b[32:], dk.z[:]) - return b[:] -} - -// TestingOnlyExpandedBytes768 returns the decapsulation key as a byte slice -// using the full expanded NIST encoding. -// -// This should only be used for ACVP testing. For all other purposes prefer -// the Bytes method that returns the (much smaller) seed. -func TestingOnlyExpandedBytes768(dk *DecapsulationKey768) []byte { - b := make([]byte, 0, decapsulationKeySize768) - - // ByteEncode₁₂(s) - for i := range dk.s { - b = polyByteEncode(b, dk.s[i]) - } - - // ByteEncode₁₂(t) || ρ - for i := range dk.t { - b = polyByteEncode(b, dk.t[i]) - } - b = append(b, dk.ρ[:]...) - - // H(ek) || z - b = append(b, dk.h[:]...) - b = append(b, dk.z[:]...) - - return b -} - -// EncapsulationKey returns the public encapsulation key necessary to produce -// ciphertexts. -func (dk *DecapsulationKey768) EncapsulationKey() *EncapsulationKey768 { - return &EncapsulationKey768{ - ρ: dk.ρ, - h: dk.h, - encryptionKey: dk.encryptionKey, - } -} - -// An EncapsulationKey768 is the public key used to produce ciphertexts to be -// decapsulated by the corresponding [DecapsulationKey768]. -type EncapsulationKey768 struct { - ρ [32]byte // sampleNTT seed for A - h [32]byte // H(ek) - encryptionKey -} - -// Bytes returns the encapsulation key as a byte slice. -func (ek *EncapsulationKey768) Bytes() []byte { - // The actual logic is in a separate function to outline this allocation. - b := make([]byte, 0, EncapsulationKeySize768) - return ek.bytes(b) -} - -func (ek *EncapsulationKey768) bytes(b []byte) []byte { - for i := range ek.t { - b = polyByteEncode(b, ek.t[i]) - } - b = append(b, ek.ρ[:]...) - return b -} - -// encryptionKey is the parsed and expanded form of a PKE encryption key. -type encryptionKey struct { - t [k]nttElement // ByteDecode₁₂(ek[:384k]) - a [k * k]nttElement // A[i*k+j] = sampleNTT(ρ, j, i) -} - -// decryptionKey is the parsed and expanded form of a PKE decryption key. -type decryptionKey struct { - s [k]nttElement // ByteDecode₁₂(dk[:decryptionKeySize]) -} - -// GenerateKey768 generates a new decapsulation key, drawing random bytes from -// a DRBG. The decapsulation key must be kept secret. -func GenerateKey768() (*DecapsulationKey768, error) { - // The actual logic is in a separate function to outline this allocation. - dk := &DecapsulationKey768{} - return generateKey(dk) -} - -func generateKey(dk *DecapsulationKey768) (*DecapsulationKey768, error) { - var d [32]byte - drbg.Read(d[:]) - var z [32]byte - drbg.Read(z[:]) - kemKeyGen(dk, &d, &z) - fips140.PCT("ML-KEM PCT", func() error { return kemPCT(dk) }) - fips140.RecordApproved() - return dk, nil -} - -// GenerateKeyInternal768 is a derandomized version of GenerateKey768, -// exclusively for use in tests. -func GenerateKeyInternal768(d, z *[32]byte) *DecapsulationKey768 { - dk := &DecapsulationKey768{} - kemKeyGen(dk, d, z) - return dk -} - -// NewDecapsulationKey768 parses a decapsulation key from a 64-byte -// seed in the "d || z" form. The seed must be uniformly random. -func NewDecapsulationKey768(seed []byte) (*DecapsulationKey768, error) { - // The actual logic is in a separate function to outline this allocation. - dk := &DecapsulationKey768{} - return newKeyFromSeed(dk, seed) -} - -func newKeyFromSeed(dk *DecapsulationKey768, seed []byte) (*DecapsulationKey768, error) { - if len(seed) != SeedSize { - return nil, errors.New("mlkem: invalid seed length") - } - d := (*[32]byte)(seed[:32]) - z := (*[32]byte)(seed[32:]) - kemKeyGen(dk, d, z) - fips140.RecordApproved() - return dk, nil -} - -// TestingOnlyNewDecapsulationKey768 parses a decapsulation key from its expanded NIST format. -// -// Bytes() must not be called on the returned key, as it will not produce the -// original seed. -// -// This function should only be used for ACVP testing. Prefer NewDecapsulationKey768 for all -// other purposes. -func TestingOnlyNewDecapsulationKey768(b []byte) (*DecapsulationKey768, error) { - if len(b) != decapsulationKeySize768 { - return nil, errors.New("mlkem: invalid NIST decapsulation key length") - } - - dk := &DecapsulationKey768{} - for i := range dk.s { - var err error - dk.s[i], err = polyByteDecode[nttElement](b[:encodingSize12]) - if err != nil { - return nil, errors.New("mlkem: invalid secret key encoding") - } - b = b[encodingSize12:] - } - - ek, err := NewEncapsulationKey768(b[:EncapsulationKeySize768]) - if err != nil { - return nil, err - } - dk.ρ = ek.ρ - dk.h = ek.h - dk.encryptionKey = ek.encryptionKey - b = b[EncapsulationKeySize768:] - - if !bytes.Equal(dk.h[:], b[:32]) { - return nil, errors.New("mlkem: inconsistent H(ek) in encoded bytes") - } - b = b[32:] - - copy(dk.z[:], b) - - // Generate a random d value for use in Bytes(). This is a safety mechanism - // that avoids returning a broken key vs a random key if this function is - // called in contravention of the TestingOnlyNewDecapsulationKey768 function - // comment advising against it. - drbg.Read(dk.d[:]) - - return dk, nil -} - -// kemKeyGen generates a decapsulation key. -// -// It implements ML-KEM.KeyGen_internal according to FIPS 203, Algorithm 16, and -// K-PKE.KeyGen according to FIPS 203, Algorithm 13. The two are merged to save -// copies and allocations. -func kemKeyGen(dk *DecapsulationKey768, d, z *[32]byte) { - dk.d = *d - dk.z = *z - - g := sha3.New512() - g.Write(d[:]) - g.Write([]byte{k}) // Module dimension as a domain separator. - G := g.Sum(make([]byte, 0, 64)) - ρ, σ := G[:32], G[32:] - dk.ρ = [32]byte(ρ) - - A := &dk.a - for i := byte(0); i < k; i++ { - for j := byte(0); j < k; j++ { - A[i*k+j] = sampleNTT(ρ, j, i) - } - } - - var N byte - s := &dk.s - for i := range s { - s[i] = ntt(samplePolyCBD(σ, N)) - N++ - } - e := make([]nttElement, k) - for i := range e { - e[i] = ntt(samplePolyCBD(σ, N)) - N++ - } - - t := &dk.t - for i := range t { // t = A ◦ s + e - t[i] = e[i] - for j := range s { - t[i] = polyAdd(t[i], nttMul(A[i*k+j], s[j])) - } - } - - H := sha3.New256() - ek := dk.EncapsulationKey().Bytes() - H.Write(ek) - H.Sum(dk.h[:0]) -} - -// kemPCT performs a Pairwise Consistency Test per FIPS 140-3 IG 10.3.A -// Additional Comment 1: "For key pairs generated for use with approved KEMs in -// FIPS 203, the PCT shall consist of applying the encapsulation key ek to -// encapsulate a shared secret K leading to ciphertext c, and then applying -// decapsulation key dk to retrieve the same shared secret K. The PCT passes if -// the two shared secret K values are equal. The PCT shall be performed either -// when keys are generated/imported, prior to the first exportation, or prior to -// the first operational use (if not exported before the first use)." -func kemPCT(dk *DecapsulationKey768) error { - ek := dk.EncapsulationKey() - K, c := ek.Encapsulate() - K1, err := dk.Decapsulate(c) - if err != nil { - return err - } - if subtle.ConstantTimeCompare(K, K1) != 1 { - return errors.New("mlkem: PCT failed") - } - return nil -} - -// Encapsulate generates a shared key and an associated ciphertext from an -// encapsulation key, drawing random bytes from a DRBG. -// -// The shared key must be kept secret. -func (ek *EncapsulationKey768) Encapsulate() (sharedKey, ciphertext []byte) { - // The actual logic is in a separate function to outline this allocation. - var cc [CiphertextSize768]byte - return ek.encapsulate(&cc) -} - -func (ek *EncapsulationKey768) encapsulate(cc *[CiphertextSize768]byte) (sharedKey, ciphertext []byte) { - var m [messageSize]byte - drbg.Read(m[:]) - // Note that the modulus check (step 2 of the encapsulation key check from - // FIPS 203, Section 7.2) is performed by polyByteDecode in parseEK. - fips140.RecordApproved() - return kemEncaps(cc, ek, &m) -} - -// EncapsulateInternal is a derandomized version of Encapsulate, exclusively for -// use in tests. -func (ek *EncapsulationKey768) EncapsulateInternal(m *[32]byte) (sharedKey, ciphertext []byte) { - cc := &[CiphertextSize768]byte{} - return kemEncaps(cc, ek, m) -} - -// kemEncaps generates a shared key and an associated ciphertext. -// -// It implements ML-KEM.Encaps_internal according to FIPS 203, Algorithm 17. -func kemEncaps(cc *[CiphertextSize768]byte, ek *EncapsulationKey768, m *[messageSize]byte) (K, c []byte) { - g := sha3.New512() - g.Write(m[:]) - g.Write(ek.h[:]) - G := g.Sum(nil) - K, r := G[:SharedKeySize], G[SharedKeySize:] - c = pkeEncrypt(cc, &ek.encryptionKey, m, r) - return K, c -} - -// NewEncapsulationKey768 parses an encapsulation key from its encoded form. -// If the encapsulation key is not valid, NewEncapsulationKey768 returns an error. -func NewEncapsulationKey768(encapsulationKey []byte) (*EncapsulationKey768, error) { - // The actual logic is in a separate function to outline this allocation. - ek := &EncapsulationKey768{} - return parseEK(ek, encapsulationKey) -} - -// parseEK parses an encryption key from its encoded form. -// -// It implements the initial stages of K-PKE.Encrypt according to FIPS 203, -// Algorithm 14. -func parseEK(ek *EncapsulationKey768, ekPKE []byte) (*EncapsulationKey768, error) { - if len(ekPKE) != EncapsulationKeySize768 { - return nil, errors.New("mlkem: invalid encapsulation key length") - } - - h := sha3.New256() - h.Write(ekPKE) - h.Sum(ek.h[:0]) - - for i := range ek.t { - var err error - ek.t[i], err = polyByteDecode[nttElement](ekPKE[:encodingSize12]) - if err != nil { - return nil, err - } - ekPKE = ekPKE[encodingSize12:] - } - copy(ek.ρ[:], ekPKE) - - for i := byte(0); i < k; i++ { - for j := byte(0); j < k; j++ { - ek.a[i*k+j] = sampleNTT(ek.ρ[:], j, i) - } - } - - return ek, nil -} - -// pkeEncrypt encrypt a plaintext message. -// -// It implements K-PKE.Encrypt according to FIPS 203, Algorithm 14, although the -// computation of t and AT is done in parseEK. -func pkeEncrypt(cc *[CiphertextSize768]byte, ex *encryptionKey, m *[messageSize]byte, rnd []byte) []byte { - var N byte - r, e1 := make([]nttElement, k), make([]ringElement, k) - for i := range r { - r[i] = ntt(samplePolyCBD(rnd, N)) - N++ - } - for i := range e1 { - e1[i] = samplePolyCBD(rnd, N) - N++ - } - e2 := samplePolyCBD(rnd, N) - - u := make([]ringElement, k) // NTT⁻¹(AT ◦ r) + e1 - for i := range u { - u[i] = e1[i] - for j := range r { - // Note that i and j are inverted, as we need the transposed of A. - u[i] = polyAdd(u[i], inverseNTT(nttMul(ex.a[j*k+i], r[j]))) - } - } - - μ := ringDecodeAndDecompress1(m) - - var vNTT nttElement // t⊺ ◦ r - for i := range ex.t { - vNTT = polyAdd(vNTT, nttMul(ex.t[i], r[i])) - } - v := polyAdd(polyAdd(inverseNTT(vNTT), e2), μ) - - c := cc[:0] - for _, f := range u { - c = ringCompressAndEncode10(c, f) - } - c = ringCompressAndEncode4(c, v) - - return c -} - -// Decapsulate generates a shared key from a ciphertext and a decapsulation key. -// If the ciphertext is not valid, Decapsulate returns an error. -// -// The shared key must be kept secret. -func (dk *DecapsulationKey768) Decapsulate(ciphertext []byte) (sharedKey []byte, err error) { - if len(ciphertext) != CiphertextSize768 { - return nil, errors.New("mlkem: invalid ciphertext length") - } - c := (*[CiphertextSize768]byte)(ciphertext) - // Note that the hash check (step 3 of the decapsulation input check from - // FIPS 203, Section 7.3) is foregone as a DecapsulationKey is always - // validly generated by ML-KEM.KeyGen_internal. - return kemDecaps(dk, c), nil -} - -// kemDecaps produces a shared key from a ciphertext. -// -// It implements ML-KEM.Decaps_internal according to FIPS 203, Algorithm 18. -func kemDecaps(dk *DecapsulationKey768, c *[CiphertextSize768]byte) (K []byte) { - fips140.RecordApproved() - m := pkeDecrypt(&dk.decryptionKey, c) - g := sha3.New512() - g.Write(m[:]) - g.Write(dk.h[:]) - G := g.Sum(make([]byte, 0, 64)) - Kprime, r := G[:SharedKeySize], G[SharedKeySize:] - J := sha3.NewShake256() - J.Write(dk.z[:]) - J.Write(c[:]) - Kout := make([]byte, SharedKeySize) - J.Read(Kout) - var cc [CiphertextSize768]byte - c1 := pkeEncrypt(&cc, &dk.encryptionKey, (*[32]byte)(m), r) - - subtle.ConstantTimeCopy(subtle.ConstantTimeCompare(c[:], c1), Kout, Kprime) - return Kout -} - -// pkeDecrypt decrypts a ciphertext. -// -// It implements K-PKE.Decrypt according to FIPS 203, Algorithm 15, -// although s is retained from kemKeyGen. -func pkeDecrypt(dx *decryptionKey, c *[CiphertextSize768]byte) []byte { - u := make([]ringElement, k) - for i := range u { - b := (*[encodingSize10]byte)(c[encodingSize10*i : encodingSize10*(i+1)]) - u[i] = ringDecodeAndDecompress10(b) - } - - b := (*[encodingSize4]byte)(c[encodingSize10*k:]) - v := ringDecodeAndDecompress4(b) - - var mask nttElement // s⊺ ◦ NTT(u) - for i := range dx.s { - mask = polyAdd(mask, nttMul(dx.s[i], ntt(u[i]))) - } - w := polySub(v, inverseNTT(mask)) - - return ringCompressAndEncode1(nil, w) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/ya.make deleted file mode 100644 index 2b28dd3a684..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/mlkem/ya.make +++ /dev/null @@ -1,15 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - field.go - mlkem1024.go - mlkem768.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/_asm/go.mod b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/_asm/go.mod deleted file mode 100644 index 09daa240276..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/_asm/go.mod +++ /dev/null @@ -1,11 +0,0 @@ -module crypto/internal/fips140/nistec/_asm - -go 1.24 - -require github.com/mmcloughlin/avo v0.6.0 - -require ( - golang.org/x/mod v0.20.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/tools v0.24.0 // indirect -) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/_asm/go.sum b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/_asm/go.sum deleted file mode 100644 index 76af484b2eb..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/_asm/go.sum +++ /dev/null @@ -1,8 +0,0 @@ -github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY= -github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= -golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= -golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/_asm/p256_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/_asm/p256_asm.go deleted file mode 100644 index c32e7edf74a..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/_asm/p256_asm.go +++ /dev/null @@ -1,2708 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This file contains constant-time, 64-bit assembly implementation of -// P256. The optimizations performed here are described in detail in: -// S.Gueron and V.Krasnov, "Fast prime field elliptic-curve cryptography with -// 256-bit primes" -// https://link.springer.com/article/10.1007%2Fs13389-014-0090-x -// https://eprint.iacr.org/2013/816.pdf - -package main - -import ( - "os" - "strings" - - . "github.com/mmcloughlin/avo/build" - "github.com/mmcloughlin/avo/ir" - . "github.com/mmcloughlin/avo/operand" - . "github.com/mmcloughlin/avo/reg" -) - -//go:generate go run . -out ../p256_asm_amd64.s - -var ( - res_ptr GPPhysical = RDI - x_ptr = RSI - y_ptr = RCX -) - -// These variables have been versioned as they get redfined in the reference implementation. -// This is done to produce a minimal semantic diff. -var ( - acc0_v1 GPPhysical = R8 - acc1_v1 = R9 - acc2_v1 = R10 - acc3_v1 = R11 - acc4_v1 = R12 - acc5_v1 = R13 - t0_v1 = R14 - t1_v1 = R15 -) - -func main() { - Package("crypto/internal/fips140/nistec") - ConstraintExpr("!purego") - p256MovCond() - p256NegCond() - p256Sqr() - p256Mul() - p256FromMont() - p256Select() - p256SelectAffine() - p256OrdMul() - p256OrdSqr() - p256SubInternal() - p256MulInternal() - p256SqrInternal() - p256PointAddAffineAsm() - p256IsZero() - p256PointAddAsm() - p256PointDoubleAsm() - Generate() - - internalFunctions := []string{ - "·p256SubInternal", - "·p256MulInternal", - "·p256SqrInternal", - "·p256IsZero", - } - removePeskyUnicodeDot(internalFunctions, "../p256_asm_amd64.s") -} - -// Implements: -// -// func p256MovCond(res, a, b *P256Point, cond int) -func p256MovCond() { - Implement("p256MovCond") - Attributes(NOSPLIT) - - Load(Param("res"), res_ptr) - Load(Param("a"), x_ptr) - Load(Param("b"), y_ptr) - Load(Param("cond"), X12) - - PXOR(X13, X13) - PSHUFD(Imm(0), X12, X12) - PCMPEQL(X13, X12) - - MOVOU(X12, X0) - MOVOU(Mem{Base: x_ptr}.Offset(16*0), X6) - PANDN(X6, X0) - MOVOU(X12, X1) - MOVOU(Mem{Base: x_ptr}.Offset(16*1), X7) - PANDN(X7, X1) - MOVOU(X12, X2) - MOVOU(Mem{Base: x_ptr}.Offset(16*2), X8) - PANDN(X8, X2) - MOVOU(X12, X3) - MOVOU(Mem{Base: x_ptr}.Offset(16*3), X9) - PANDN(X9, X3) - MOVOU(X12, X4) - MOVOU(Mem{Base: x_ptr}.Offset(16*4), X10) - PANDN(X10, X4) - MOVOU(X12, X5) - MOVOU(Mem{Base: x_ptr}.Offset(16*5), X11) - PANDN(X11, X5) - - MOVOU(Mem{Base: y_ptr}.Offset(16*0), X6) - MOVOU(Mem{Base: y_ptr}.Offset(16*1), X7) - MOVOU(Mem{Base: y_ptr}.Offset(16*2), X8) - MOVOU(Mem{Base: y_ptr}.Offset(16*3), X9) - MOVOU(Mem{Base: y_ptr}.Offset(16*4), X10) - MOVOU(Mem{Base: y_ptr}.Offset(16*5), X11) - - PAND(X12, X6) - PAND(X12, X7) - PAND(X12, X8) - PAND(X12, X9) - PAND(X12, X10) - PAND(X12, X11) - - PXOR(X6, X0) - PXOR(X7, X1) - PXOR(X8, X2) - PXOR(X9, X3) - PXOR(X10, X4) - PXOR(X11, X5) - - MOVOU(X0, Mem{Base: res_ptr}.Offset(16*0)) - MOVOU(X1, Mem{Base: res_ptr}.Offset(16*1)) - MOVOU(X2, Mem{Base: res_ptr}.Offset(16*2)) - MOVOU(X3, Mem{Base: res_ptr}.Offset(16*3)) - MOVOU(X4, Mem{Base: res_ptr}.Offset(16*4)) - MOVOU(X5, Mem{Base: res_ptr}.Offset(16*5)) - - RET() -} - -// Implements: -// -// func p256NegCond(val *p256Element, cond int) -func p256NegCond() { - Implement("p256NegCond") - Attributes(NOSPLIT) - - Load(Param("val"), res_ptr) - Load(Param("cond"), t0_v1) - - Comment("acc = poly") - MOVQ(I32(-1), acc0_v1) - p256const0 := p256const0_DATA() - MOVQ(p256const0, acc1_v1) - MOVQ(I32(0), acc2_v1) - p256const1 := p256const1_DATA() - MOVQ(p256const1, acc3_v1) - - Comment("Load the original value") - MOVQ(Mem{Base: res_ptr}.Offset(8*0), acc5_v1) - MOVQ(Mem{Base: res_ptr}.Offset(8*1), x_ptr) - MOVQ(Mem{Base: res_ptr}.Offset(8*2), y_ptr) - MOVQ(Mem{Base: res_ptr}.Offset(8*3), t1_v1) - - Comment("Speculatively subtract") - SUBQ(acc5_v1, acc0_v1) - SBBQ(x_ptr, acc1_v1) - SBBQ(y_ptr, acc2_v1) - SBBQ(t1_v1, acc3_v1) - - Comment("If condition is 0, keep original value") - TESTQ(t0_v1, t0_v1) - CMOVQEQ(acc5_v1, acc0_v1) - CMOVQEQ(x_ptr, acc1_v1) - CMOVQEQ(y_ptr, acc2_v1) - CMOVQEQ(t1_v1, acc3_v1) - - Comment("Store result") - MOVQ(acc0_v1, Mem{Base: res_ptr}.Offset(8*0)) - MOVQ(acc1_v1, Mem{Base: res_ptr}.Offset(8*1)) - MOVQ(acc2_v1, Mem{Base: res_ptr}.Offset(8*2)) - MOVQ(acc3_v1, Mem{Base: res_ptr}.Offset(8*3)) - - RET() -} - -// Implements: -// -// func p256Sqr(res, in *p256Element, n int) -func p256Sqr() { - Implement("p256Sqr") - Attributes(NOSPLIT) - - Load(Param("res"), res_ptr) - Load(Param("in"), x_ptr) - Load(Param("n"), RBX) - - Label("sqrLoop") - - Comment("y[1:] * y[0]") - MOVQ(Mem{Base: x_ptr}.Offset(8*0), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(t0_v1) - MOVQ(RAX, acc1_v1) - MOVQ(RDX, acc2_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc3_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc4_v1) - - Comment("y[2:] * y[1]") - MOVQ(Mem{Base: x_ptr}.Offset(8*1), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc5_v1) - - Comment("y[3] * y[2]") - MOVQ(Mem{Base: x_ptr}.Offset(8*2), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc5_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, y_ptr) - XORQ(t1_v1, t1_v1) - - Comment("*2") - ADDQ(acc1_v1, acc1_v1) - ADCQ(acc2_v1, acc2_v1) - ADCQ(acc3_v1, acc3_v1) - ADCQ(acc4_v1, acc4_v1) - ADCQ(acc5_v1, acc5_v1) - ADCQ(y_ptr, y_ptr) - ADCQ(Imm(0), t1_v1) - - Comment("Missing products") - MOVQ(Mem{Base: x_ptr}.Offset(8*0), RAX) - MULQ(RAX) - MOVQ(RAX, acc0_v1) - MOVQ(RDX, t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(RAX) - ADDQ(t0_v1, acc1_v1) - ADCQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(RAX) - ADDQ(t0_v1, acc3_v1) - ADCQ(RAX, acc4_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(RAX) - ADDQ(t0_v1, acc5_v1) - ADCQ(RAX, y_ptr) - ADCQ(RDX, t1_v1) - MOVQ(t1_v1, x_ptr) - - Comment("First reduction step") - MOVQ(acc0_v1, RAX) - MOVQ(acc0_v1, t1_v1) - SHLQ(Imm(32), acc0_v1) - - p256const1 := p256const1_DATA() - MULQ(p256const1) - - SHRQ(Imm(32), t1_v1) - ADDQ(acc0_v1, acc1_v1) - ADCQ(t1_v1, acc2_v1) - ADCQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc0_v1) - - Comment("Second reduction step") - MOVQ(acc1_v1, RAX) - MOVQ(acc1_v1, t1_v1) - SHLQ(Imm(32), acc1_v1) - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc1_v1, acc2_v1) - ADCQ(t1_v1, acc3_v1) - ADCQ(RAX, acc0_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc1_v1) - - Comment("Third reduction step") - MOVQ(acc2_v1, RAX) - MOVQ(acc2_v1, t1_v1) - SHLQ(Imm(32), acc2_v1) - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc2_v1, acc3_v1) - ADCQ(t1_v1, acc0_v1) - ADCQ(RAX, acc1_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc2_v1) - - Comment("Last reduction step") - XORQ(t0_v1, t0_v1) - MOVQ(acc3_v1, RAX) - MOVQ(acc3_v1, t1_v1) - SHLQ(Imm(32), acc3_v1) - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc3_v1, acc0_v1) - ADCQ(t1_v1, acc1_v1) - ADCQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc3_v1) - - Comment("Add bits [511:256] of the sqr result") - ADCQ(acc4_v1, acc0_v1) - ADCQ(acc5_v1, acc1_v1) - ADCQ(y_ptr, acc2_v1) - ADCQ(x_ptr, acc3_v1) - ADCQ(Imm(0), t0_v1) - - MOVQ(acc0_v1, acc4_v1) - MOVQ(acc1_v1, acc5_v1) - MOVQ(acc2_v1, y_ptr) - MOVQ(acc3_v1, t1_v1) - - Comment("Subtract p256") - SUBQ(I8(-1), acc0_v1) - - p256const0 := p256const0_DATA() - SBBQ(p256const0, acc1_v1) - SBBQ(Imm(0), acc2_v1) - SBBQ(p256const1, acc3_v1) - SBBQ(Imm(0), t0_v1) - - CMOVQCS(acc4_v1, acc0_v1) - CMOVQCS(acc5_v1, acc1_v1) - CMOVQCS(y_ptr, acc2_v1) - CMOVQCS(t1_v1, acc3_v1) - - MOVQ(acc0_v1, Mem{Base: res_ptr}.Offset(8*0)) - MOVQ(acc1_v1, Mem{Base: res_ptr}.Offset(8*1)) - MOVQ(acc2_v1, Mem{Base: res_ptr}.Offset(8*2)) - MOVQ(acc3_v1, Mem{Base: res_ptr}.Offset(8*3)) - MOVQ(res_ptr, x_ptr) - DECQ(RBX) - JNE(LabelRef("sqrLoop")) - - RET() -} - -// Implements: -// -// func p256Mul(res, in1, in2 *p256Element) -func p256Mul() { - Implement("p256Mul") - Attributes(NOSPLIT) - - Load(Param("res"), res_ptr) - Load(Param("in1"), x_ptr) - Load(Param("in2"), y_ptr) - - Comment("x * y[0]") - MOVQ(Mem{Base: y_ptr}.Offset(8*0), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*0), RAX) - MULQ(t0_v1) - MOVQ(RAX, acc0_v1) - MOVQ(RDX, acc1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc1_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc2_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc3_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc4_v1) - XORQ(acc5_v1, acc5_v1) - - Comment("First reduction step") - MOVQ(acc0_v1, RAX) - MOVQ(acc0_v1, t1_v1) - SHLQ(Imm(32), acc0_v1) - p256const1 := p256const1_DATA() - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc0_v1, acc1_v1) - ADCQ(t1_v1, acc2_v1) - ADCQ(RAX, acc3_v1) - ADCQ(RDX, acc4_v1) - ADCQ(Imm(0), acc5_v1) - XORQ(acc0_v1, acc0_v1) - - Comment("x * y[1]") - MOVQ(Mem{Base: y_ptr}.Offset(8*1), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*0), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc1_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc2_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc3_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(RDX, acc5_v1) - ADCQ(Imm(0), acc0_v1) - - Comment("Second reduction step") - MOVQ(acc1_v1, RAX) - MOVQ(acc1_v1, t1_v1) - SHLQ(Imm(32), acc1_v1) - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc1_v1, acc2_v1) - ADCQ(t1_v1, acc3_v1) - ADCQ(RAX, acc4_v1) - ADCQ(RDX, acc5_v1) - ADCQ(Imm(0), acc0_v1) - XORQ(acc1_v1, acc1_v1) - - Comment("x * y[2]") - MOVQ(Mem{Base: y_ptr}.Offset(8*2), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*0), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc3_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc5_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc5_v1) - ADCQ(RDX, acc0_v1) - ADCQ(Imm(0), acc1_v1) - - Comment("Third reduction step") - MOVQ(acc2_v1, RAX) - MOVQ(acc2_v1, t1_v1) - SHLQ(Imm(32), acc2_v1) - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc2_v1, acc3_v1) - ADCQ(t1_v1, acc4_v1) - ADCQ(RAX, acc5_v1) - ADCQ(RDX, acc0_v1) - ADCQ(Imm(0), acc1_v1) - XORQ(acc2_v1, acc2_v1) - Comment("x * y[3]") - - MOVQ(Mem{Base: y_ptr}.Offset(8*3), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*0), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc5_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc5_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc0_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc0_v1) - ADCQ(RDX, acc1_v1) - ADCQ(Imm(0), acc2_v1) - - Comment("Last reduction step") - MOVQ(acc3_v1, RAX) - MOVQ(acc3_v1, t1_v1) - SHLQ(Imm(32), acc3_v1) - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc3_v1, acc4_v1) - ADCQ(t1_v1, acc5_v1) - ADCQ(RAX, acc0_v1) - ADCQ(RDX, acc1_v1) - ADCQ(Imm(0), acc2_v1) - - Comment("Copy result [255:0]") - MOVQ(acc4_v1, x_ptr) - MOVQ(acc5_v1, acc3_v1) - MOVQ(acc0_v1, t0_v1) - MOVQ(acc1_v1, t1_v1) - - Comment("Subtract p256") - SUBQ(I8(-1), acc4_v1) - p256const0 := p256const0_DATA() - SBBQ(p256const0, acc5_v1) - SBBQ(Imm(0), acc0_v1) - // SBBQ p256const1<>(SB), acc1_v1 - SBBQ(p256const1, acc1_v1) - SBBQ(Imm(0), acc2_v1) - - CMOVQCS(x_ptr, acc4_v1) - CMOVQCS(acc3_v1, acc5_v1) - CMOVQCS(t0_v1, acc0_v1) - CMOVQCS(t1_v1, acc1_v1) - - MOVQ(acc4_v1, Mem{Base: res_ptr}.Offset(8*0)) - MOVQ(acc5_v1, Mem{Base: res_ptr}.Offset(8*1)) - MOVQ(acc0_v1, Mem{Base: res_ptr}.Offset(8*2)) - MOVQ(acc1_v1, Mem{Base: res_ptr}.Offset(8*3)) - - RET() -} - -// Implements: -// -// func p256FromMont(res, in *p256Element) -func p256FromMont() { - Implement("p256FromMont") - Attributes(NOSPLIT) - - Load(Param("res"), res_ptr) - Load(Param("in"), x_ptr) - - MOVQ(Mem{Base: x_ptr}.Offset(8*0), acc0_v1) - MOVQ(Mem{Base: x_ptr}.Offset(8*1), acc1_v1) - MOVQ(Mem{Base: x_ptr}.Offset(8*2), acc2_v1) - MOVQ(Mem{Base: x_ptr}.Offset(8*3), acc3_v1) - XORQ(acc4_v1, acc4_v1) - - Comment("Only reduce, no multiplications are needed") - Comment("First stage") - MOVQ(acc0_v1, RAX) - MOVQ(acc0_v1, t1_v1) - SHLQ(Imm(32), acc0_v1) - p256const1 := p256const1_DATA() - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc0_v1, acc1_v1) - ADCQ(t1_v1, acc2_v1) - ADCQ(RAX, acc3_v1) - ADCQ(RDX, acc4_v1) - XORQ(acc5_v1, acc5_v1) - - Comment("Second stage") - MOVQ(acc1_v1, RAX) - MOVQ(acc1_v1, t1_v1) - SHLQ(Imm(32), acc1_v1) - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc1_v1, acc2_v1) - ADCQ(t1_v1, acc3_v1) - ADCQ(RAX, acc4_v1) - ADCQ(RDX, acc5_v1) - XORQ(acc0_v1, acc0_v1) - - Comment("Third stage") - MOVQ(acc2_v1, RAX) - MOVQ(acc2_v1, t1_v1) - SHLQ(Imm(32), acc2_v1) - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc2_v1, acc3_v1) - ADCQ(t1_v1, acc4_v1) - ADCQ(RAX, acc5_v1) - ADCQ(RDX, acc0_v1) - XORQ(acc1_v1, acc1_v1) - - Comment("Last stage") - MOVQ(acc3_v1, RAX) - MOVQ(acc3_v1, t1_v1) - SHLQ(Imm(32), acc3_v1) - MULQ(p256const1) - SHRQ(Imm(32), t1_v1) - ADDQ(acc3_v1, acc4_v1) - ADCQ(t1_v1, acc5_v1) - ADCQ(RAX, acc0_v1) - ADCQ(RDX, acc1_v1) - - MOVQ(acc4_v1, x_ptr) - MOVQ(acc5_v1, acc3_v1) - MOVQ(acc0_v1, t0_v1) - MOVQ(acc1_v1, t1_v1) - - SUBQ(I8(-1), acc4_v1) - p256const0 := p256const0_DATA() - SBBQ(p256const0, acc5_v1) - SBBQ(Imm(0), acc0_v1) - SBBQ(p256const1, acc1_v1) - - CMOVQCS(x_ptr, acc4_v1) - CMOVQCS(acc3_v1, acc5_v1) - CMOVQCS(t0_v1, acc0_v1) - CMOVQCS(t1_v1, acc1_v1) - - MOVQ(acc4_v1, Mem{Base: res_ptr}.Offset(8*0)) - MOVQ(acc5_v1, Mem{Base: res_ptr}.Offset(8*1)) - MOVQ(acc0_v1, Mem{Base: res_ptr}.Offset(8*2)) - MOVQ(acc1_v1, Mem{Base: res_ptr}.Offset(8*3)) - - RET() -} - -// Implements: -// -// func p256Select(res *P256Point, table *p256Table, idx int) -func p256Select() { - Implement("p256Select") - Attributes(NOSPLIT) - - Load(Param("idx"), RAX) - Load(Param("table"), RDI) - Load(Param("res"), RDX) - - PXOR(X15, X15) // X15 = 0 - PCMPEQL(X14, X14) // X14 = -1 - PSUBL(X14, X15) // X15 = 1 - // Force Avo to emit: - // MOVL AX, X14 - Instruction(&ir.Instruction{ - Opcode: "MOVL", - Operands: []Op{ - EAX, X14, - }, - }) - PSHUFD(Imm(0), X14, X14) - - PXOR(X0, X0) - PXOR(X1, X1) - PXOR(X2, X2) - PXOR(X3, X3) - PXOR(X4, X4) - PXOR(X5, X5) - MOVQ(U32(16), RAX) - - MOVOU(X15, X13) - - Label("loop_select") - - MOVOU(X13, X12) - PADDL(X15, X13) - PCMPEQL(X14, X12) - - MOVOU(Mem{Base: DI}.Offset(16*0), X6) - MOVOU(Mem{Base: DI}.Offset(16*1), X7) - MOVOU(Mem{Base: DI}.Offset(16*2), X8) - MOVOU(Mem{Base: DI}.Offset(16*3), X9) - MOVOU(Mem{Base: DI}.Offset(16*4), X10) - MOVOU(Mem{Base: DI}.Offset(16*5), X11) - ADDQ(U8(16*6), RDI) - - PAND(X12, X6) - PAND(X12, X7) - PAND(X12, X8) - PAND(X12, X9) - PAND(X12, X10) - PAND(X12, X11) - - PXOR(X6, X0) - PXOR(X7, X1) - PXOR(X8, X2) - PXOR(X9, X3) - PXOR(X10, X4) - PXOR(X11, X5) - - DECQ(RAX) - JNE(LabelRef("loop_select")) - - MOVOU(X0, Mem{Base: DX}.Offset(16*0)) - MOVOU(X1, Mem{Base: DX}.Offset(16*1)) - MOVOU(X2, Mem{Base: DX}.Offset(16*2)) - MOVOU(X3, Mem{Base: DX}.Offset(16*3)) - MOVOU(X4, Mem{Base: DX}.Offset(16*4)) - MOVOU(X5, Mem{Base: DX}.Offset(16*5)) - - RET() -} - -// Implements: -// -// func p256SelectAffine(res *p256AffinePoint, table *p256AffineTable, idx int) -func p256SelectAffine() { - Implement("p256SelectAffine") - Attributes(NOSPLIT) - - Load(Param("idx"), RAX) - Load(Param("table"), RDI) - Load(Param("res"), RDX) - - PXOR(X15, X15) // X15 = 0 - PCMPEQL(X14, X14) // X14 = -1 - PSUBL(X14, X15) // X15 = 1 - - // Hack to get Avo to emit: - // MOVL AX, X14 - Instruction(&ir.Instruction{Opcode: "MOVL", Operands: []Op{RAX, X14}}) - - PSHUFD(Imm(0), X14, X14) - - PXOR(X0, X0) - PXOR(X1, X1) - PXOR(X2, X2) - PXOR(X3, X3) - MOVQ(U32(16), RAX) - - MOVOU(X15, X13) - - Label("loop_select_base") - - MOVOU(X13, X12) - PADDL(X15, X13) - PCMPEQL(X14, X12) - - MOVOU(Mem{Base: DI}.Offset(16*0), X4) - MOVOU(Mem{Base: DI}.Offset(16*1), X5) - MOVOU(Mem{Base: DI}.Offset(16*2), X6) - MOVOU(Mem{Base: DI}.Offset(16*3), X7) - - MOVOU(Mem{Base: DI}.Offset(16*4), X8) - MOVOU(Mem{Base: DI}.Offset(16*5), X9) - MOVOU(Mem{Base: DI}.Offset(16*6), X10) - MOVOU(Mem{Base: DI}.Offset(16*7), X11) - - ADDQ(Imm(16*8), RDI) - - PAND(X12, X4) - PAND(X12, X5) - PAND(X12, X6) - PAND(X12, X7) - - MOVOU(X13, X12) - PADDL(X15, X13) - PCMPEQL(X14, X12) - - PAND(X12, X8) - PAND(X12, X9) - PAND(X12, X10) - PAND(X12, X11) - - PXOR(X4, X0) - PXOR(X5, X1) - PXOR(X6, X2) - PXOR(X7, X3) - - PXOR(X8, X0) - PXOR(X9, X1) - PXOR(X10, X2) - PXOR(X11, X3) - - DECQ(RAX) - JNE(LabelRef("loop_select_base")) - - MOVOU(X0, Mem{Base: DX}.Offset(16*0)) - MOVOU(X1, Mem{Base: DX}.Offset(16*1)) - MOVOU(X2, Mem{Base: DX}.Offset(16*2)) - MOVOU(X3, Mem{Base: DX}.Offset(16*3)) - - RET() -} - -// Implements: -// -// func p256OrdMul(res, in1, in2 *p256OrdElement) -func p256OrdMul() { - Implement("p256OrdMul") - Attributes(NOSPLIT) - - Load(Param("res"), res_ptr) - Load(Param("in1"), x_ptr) - Load(Param("in2"), y_ptr) - - Comment("x * y[0]") - MOVQ(Mem{Base: y_ptr}.Offset(8*0), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*0), RAX) - MULQ(t0_v1) - MOVQ(RAX, acc0_v1) - MOVQ(RDX, acc1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc1_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc2_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc3_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc4_v1) - XORQ(acc5_v1, acc5_v1) - - Comment("First reduction step") - MOVQ(acc0_v1, RAX) - p256ordK0 := p256ordK0_DATA() - MULQ(p256ordK0) - MOVQ(RAX, t0_v1) - - p256ord := p256ord_DATA() - MOVQ(p256ord.Offset(0x00), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc0_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x08), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc1_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc1_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x10), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc2_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x18), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc3_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc3_v1) - ADCQ(RDX, acc4_v1) - ADCQ(Imm(0), acc5_v1) - - Comment("x * y[1]") - MOVQ(Mem{Base: y_ptr}.Offset(8*1), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*0), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc1_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc2_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc3_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(RDX, acc5_v1) - ADCQ(Imm(0), acc0_v1) - - Comment("Second reduction step") - MOVQ(acc1_v1, RAX) - MULQ(p256ordK0) - MOVQ(RAX, t0_v1) - - MOVQ(p256ord.Offset(0x00), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc1_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x08), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc2_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x10), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc3_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x18), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(RDX, acc5_v1) - ADCQ(Imm(0), acc0_v1) - - Comment("x * y[2]") - MOVQ(Mem{Base: y_ptr}.Offset(8*2), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*0), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc3_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc5_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc5_v1) - ADCQ(RDX, acc0_v1) - ADCQ(Imm(0), acc1_v1) - - Comment("Third reduction step") - MOVQ(acc2_v1, RAX) - MULQ(p256ordK0) - MOVQ(RAX, t0_v1) - - MOVQ(p256ord.Offset(0x00), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x08), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc3_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x10), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x18), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc5_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc5_v1) - ADCQ(RDX, acc0_v1) - ADCQ(Imm(0), acc1_v1) - - Comment("x * y[3]") - MOVQ(Mem{Base: y_ptr}.Offset(8*3), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*0), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc5_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc5_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc0_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc0_v1) - ADCQ(RDX, acc1_v1) - ADCQ(Imm(0), acc2_v1) - - Comment("Last reduction step") - MOVQ(acc3_v1, RAX) - MULQ(p256ordK0) - MOVQ(RAX, t0_v1) - - MOVQ(p256ord.Offset(0x00), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x08), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x10), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc5_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc5_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x18), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc0_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc0_v1) - ADCQ(RDX, acc1_v1) - ADCQ(Imm(0), acc2_v1) - - Comment("Copy result [255:0]") - MOVQ(acc4_v1, x_ptr) - MOVQ(acc5_v1, acc3_v1) - MOVQ(acc0_v1, t0_v1) - MOVQ(acc1_v1, t1_v1) - - Comment("Subtract p256") - SUBQ(p256ord.Offset(0x00), acc4_v1) - SBBQ(p256ord.Offset(0x08), acc5_v1) - SBBQ(p256ord.Offset(0x10), acc0_v1) - SBBQ(p256ord.Offset(0x18), acc1_v1) - SBBQ(Imm(0), acc2_v1) - - CMOVQCS(x_ptr, acc4_v1) - CMOVQCS(acc3_v1, acc5_v1) - CMOVQCS(t0_v1, acc0_v1) - CMOVQCS(t1_v1, acc1_v1) - - MOVQ(acc4_v1, Mem{Base: res_ptr}.Offset(8*0)) - MOVQ(acc5_v1, Mem{Base: res_ptr}.Offset(8*1)) - MOVQ(acc0_v1, Mem{Base: res_ptr}.Offset(8*2)) - MOVQ(acc1_v1, Mem{Base: res_ptr}.Offset(8*3)) - - RET() -} - -// Implements: -// -// func p256OrdSqr(res, in *p256OrdElement, n int) -func p256OrdSqr() { - Implement("p256OrdSqr") - Attributes(NOSPLIT) - - Load(Param("res"), res_ptr) - Load(Param("in"), x_ptr) - Load(Param("n"), RBX) - - Label("ordSqrLoop") - - Comment("y[1:] * y[0]") - MOVQ(Mem{Base: x_ptr}.Offset(8*0), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(t0_v1) - MOVQ(RAX, acc1_v1) - MOVQ(RDX, acc2_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc3_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc4_v1) - - Comment("y[2:] * y[1]") - MOVQ(Mem{Base: x_ptr}.Offset(8*1), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc4_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc4_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc5_v1) - - Comment("y[3] * y[2]") - MOVQ(Mem{Base: x_ptr}.Offset(8*2), t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc5_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, y_ptr) - XORQ(t1_v1, t1_v1) - - Comment("*2") - ADDQ(acc1_v1, acc1_v1) - ADCQ(acc2_v1, acc2_v1) - ADCQ(acc3_v1, acc3_v1) - ADCQ(acc4_v1, acc4_v1) - ADCQ(acc5_v1, acc5_v1) - ADCQ(y_ptr, y_ptr) - ADCQ(Imm(0), t1_v1) - - Comment("Missing products") - MOVQ(Mem{Base: x_ptr}.Offset(8*0), RAX) - MULQ(RAX) - MOVQ(RAX, acc0_v1) - MOVQ(RDX, t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*1), RAX) - MULQ(RAX) - ADDQ(t0_v1, acc1_v1) - ADCQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*2), RAX) - MULQ(RAX) - ADDQ(t0_v1, acc3_v1) - ADCQ(RAX, acc4_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t0_v1) - - MOVQ(Mem{Base: x_ptr}.Offset(8*3), RAX) - MULQ(RAX) - ADDQ(t0_v1, acc5_v1) - ADCQ(RAX, y_ptr) - ADCQ(RDX, t1_v1) - MOVQ(t1_v1, x_ptr) - - Comment("First reduction step") - MOVQ(acc0_v1, RAX) - p256ordK0 := p256ordK0_DATA() - MULQ(p256ordK0) - MOVQ(RAX, t0_v1) - - p256ord := p256ord_DATA() - MOVQ(p256ord.Offset(0x00), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc0_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x08), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc1_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc1_v1) - - MOVQ(t0_v1, t1_v1) - ADCQ(RDX, acc2_v1) - ADCQ(Imm(0), t1_v1) - SUBQ(t0_v1, acc2_v1) - SBBQ(Imm(0), t1_v1) - - MOVQ(t0_v1, RAX) - MOVQ(t0_v1, RDX) - MOVQ(t0_v1, acc0_v1) - SHLQ(Imm(32), RAX) - SHRQ(Imm(32), RDX) - - ADDQ(t1_v1, acc3_v1) - ADCQ(Imm(0), acc0_v1) - SUBQ(RAX, acc3_v1) - SBBQ(RDX, acc0_v1) - - Comment("Second reduction step") - MOVQ(acc1_v1, RAX) - MULQ(p256ordK0) - MOVQ(RAX, t0_v1) - - MOVQ(p256ord.Offset(0x00), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc1_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x08), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc2_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc2_v1) - - MOVQ(t0_v1, t1_v1) - ADCQ(RDX, acc3_v1) - ADCQ(Imm(0), t1_v1) - SUBQ(t0_v1, acc3_v1) - SBBQ(Imm(0), t1_v1) - - MOVQ(t0_v1, RAX) - MOVQ(t0_v1, RDX) - MOVQ(t0_v1, acc1_v1) - SHLQ(Imm(32), RAX) - SHRQ(Imm(32), RDX) - - ADDQ(t1_v1, acc0_v1) - ADCQ(Imm(0), acc1_v1) - SUBQ(RAX, acc0_v1) - SBBQ(RDX, acc1_v1) - - Comment("Third reduction step") - MOVQ(acc2_v1, RAX) - MULQ(p256ordK0) - MOVQ(RAX, t0_v1) - - MOVQ(p256ord.Offset(0x00), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc2_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x08), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc3_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc3_v1) - - MOVQ(t0_v1, t1_v1) - ADCQ(RDX, acc0_v1) - ADCQ(Imm(0), t1_v1) - SUBQ(t0_v1, acc0_v1) - SBBQ(Imm(0), t1_v1) - - MOVQ(t0_v1, RAX) - MOVQ(t0_v1, RDX) - MOVQ(t0_v1, acc2_v1) - SHLQ(Imm(32), RAX) - SHRQ(Imm(32), RDX) - - ADDQ(t1_v1, acc1_v1) - ADCQ(Imm(0), acc2_v1) - SUBQ(RAX, acc1_v1) - SBBQ(RDX, acc2_v1) - - Comment("Last reduction step") - MOVQ(acc3_v1, RAX) - MULQ(p256ordK0) - MOVQ(RAX, t0_v1) - - MOVQ(p256ord.Offset(0x00), RAX) - MULQ(t0_v1) - ADDQ(RAX, acc3_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(p256ord.Offset(0x08), RAX) - MULQ(t0_v1) - ADDQ(t1_v1, acc0_v1) - ADCQ(Imm(0), RDX) - ADDQ(RAX, acc0_v1) - ADCQ(Imm(0), RDX) - MOVQ(RDX, t1_v1) - - MOVQ(t0_v1, t1_v1) - ADCQ(RDX, acc1_v1) - ADCQ(Imm(0), t1_v1) - SUBQ(t0_v1, acc1_v1) - SBBQ(Imm(0), t1_v1) - - MOVQ(t0_v1, RAX) - MOVQ(t0_v1, RDX) - MOVQ(t0_v1, acc3_v1) - SHLQ(Imm(32), RAX) - SHRQ(Imm(32), RDX) - - ADDQ(t1_v1, acc2_v1) - ADCQ(Imm(0), acc3_v1) - SUBQ(RAX, acc2_v1) - SBBQ(RDX, acc3_v1) - XORQ(t0_v1, t0_v1) - - Comment("Add bits [511:256] of the sqr result") - ADCQ(acc4_v1, acc0_v1) - ADCQ(acc5_v1, acc1_v1) - ADCQ(y_ptr, acc2_v1) - ADCQ(x_ptr, acc3_v1) - ADCQ(Imm(0), t0_v1) - - MOVQ(acc0_v1, acc4_v1) - MOVQ(acc1_v1, acc5_v1) - MOVQ(acc2_v1, y_ptr) - MOVQ(acc3_v1, t1_v1) - - Comment("Subtract p256") - SUBQ(p256ord.Offset(0x00), acc0_v1) - SBBQ(p256ord.Offset(0x08), acc1_v1) - SBBQ(p256ord.Offset(0x10), acc2_v1) - SBBQ(p256ord.Offset(0x18), acc3_v1) - SBBQ(Imm(0), t0_v1) - - CMOVQCS(acc4_v1, acc0_v1) - CMOVQCS(acc5_v1, acc1_v1) - CMOVQCS(y_ptr, acc2_v1) - CMOVQCS(t1_v1, acc3_v1) - - MOVQ(acc0_v1, Mem{Base: res_ptr}.Offset(8*0)) - MOVQ(acc1_v1, Mem{Base: res_ptr}.Offset(8*1)) - MOVQ(acc2_v1, Mem{Base: res_ptr}.Offset(8*2)) - MOVQ(acc3_v1, Mem{Base: res_ptr}.Offset(8*3)) - MOVQ(res_ptr, x_ptr) - DECQ(RBX) - JNE(LabelRef("ordSqrLoop")) - - RET() -} - -// These variables have been versioned as they get redfined in the reference implementation. -// This is done to produce a minimal semantic diff. -var ( - mul0_v2 = RAX - mul1_v2 = RDX - acc0_v2 = RBX - acc1_v2 = RCX - acc2_v2 = R8 - acc3_v2 = R9 - acc4_v2 = R10 - acc5_v2 = R11 - acc6_v2 = R12 - acc7_v2 = R13 - t0_v2 = R14 - t1_v2 = R15 - t2_v2 = RDI - t3_v2 = RSI - hlp_v2 = RBP -) - -func p256SubInternal() { - Function("p256SubInternal") - Attributes(NOSPLIT) - - XORQ(mul0_v2, mul0_v2) - SUBQ(t0_v2, acc4_v2) - SBBQ(t1_v2, acc5_v2) - SBBQ(t2_v2, acc6_v2) - SBBQ(t3_v2, acc7_v2) - SBBQ(Imm(0), mul0_v2) - - MOVQ(acc4_v2, acc0_v2) - MOVQ(acc5_v2, acc1_v2) - MOVQ(acc6_v2, acc2_v2) - MOVQ(acc7_v2, acc3_v2) - - ADDQ(I8(-1), acc4_v2) - p256const0 := p256const0_DATA() - ADCQ(p256const0, acc5_v2) - ADCQ(Imm(0), acc6_v2) - p256const1 := p256const1_DATA() - ADCQ(p256const1, acc7_v2) - ANDQ(Imm(1), mul0_v2) - - CMOVQEQ(acc0_v2, acc4_v2) - CMOVQEQ(acc1_v2, acc5_v2) - CMOVQEQ(acc2_v2, acc6_v2) - CMOVQEQ(acc3_v2, acc7_v2) - - RET() -} - -func p256MulInternal() { - Function("p256MulInternal") - Attributes(NOSPLIT) - - MOVQ(acc4_v2, mul0_v2) - MULQ(t0_v2) - MOVQ(mul0_v2, acc0_v2) - MOVQ(mul1_v2, acc1_v2) - - MOVQ(acc4_v2, mul0_v2) - MULQ(t1_v2) - ADDQ(mul0_v2, acc1_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc2_v2) - - MOVQ(acc4_v2, mul0_v2) - MULQ(t2_v2) - ADDQ(mul0_v2, acc2_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc3_v2) - - MOVQ(acc4_v2, mul0_v2) - MULQ(t3_v2) - ADDQ(mul0_v2, acc3_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc4_v2) - - MOVQ(acc5_v2, mul0_v2) - MULQ(t0_v2) - ADDQ(mul0_v2, acc1_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, hlp_v2) - - MOVQ(acc5_v2, mul0_v2) - MULQ(t1_v2) - ADDQ(hlp_v2, acc2_v2) - ADCQ(Imm(0), mul1_v2) - ADDQ(mul0_v2, acc2_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, hlp_v2) - - MOVQ(acc5_v2, mul0_v2) - MULQ(t2_v2) - ADDQ(hlp_v2, acc3_v2) - ADCQ(Imm(0), mul1_v2) - ADDQ(mul0_v2, acc3_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, hlp_v2) - - MOVQ(acc5_v2, mul0_v2) - MULQ(t3_v2) - ADDQ(hlp_v2, acc4_v2) - ADCQ(Imm(0), mul1_v2) - ADDQ(mul0_v2, acc4_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc5_v2) - - MOVQ(acc6_v2, mul0_v2) - MULQ(t0_v2) - ADDQ(mul0_v2, acc2_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, hlp_v2) - - MOVQ(acc6_v2, mul0_v2) - MULQ(t1_v2) - ADDQ(hlp_v2, acc3_v2) - ADCQ(Imm(0), mul1_v2) - ADDQ(mul0_v2, acc3_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, hlp_v2) - - MOVQ(acc6_v2, mul0_v2) - MULQ(t2_v2) - ADDQ(hlp_v2, acc4_v2) - ADCQ(Imm(0), mul1_v2) - ADDQ(mul0_v2, acc4_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, hlp_v2) - - MOVQ(acc6_v2, mul0_v2) - MULQ(t3_v2) - ADDQ(hlp_v2, acc5_v2) - ADCQ(Imm(0), mul1_v2) - ADDQ(mul0_v2, acc5_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc6_v2) - - MOVQ(acc7_v2, mul0_v2) - MULQ(t0_v2) - ADDQ(mul0_v2, acc3_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, hlp_v2) - - MOVQ(acc7_v2, mul0_v2) - MULQ(t1_v2) - ADDQ(hlp_v2, acc4_v2) - ADCQ(Imm(0), mul1_v2) - ADDQ(mul0_v2, acc4_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, hlp_v2) - - MOVQ(acc7_v2, mul0_v2) - MULQ(t2_v2) - ADDQ(hlp_v2, acc5_v2) - ADCQ(Imm(0), mul1_v2) - ADDQ(mul0_v2, acc5_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, hlp_v2) - - MOVQ(acc7_v2, mul0_v2) - MULQ(t3_v2) - ADDQ(hlp_v2, acc6_v2) - ADCQ(Imm(0), mul1_v2) - ADDQ(mul0_v2, acc6_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc7_v2) - - Comment("First reduction step") - MOVQ(acc0_v2, mul0_v2) - MOVQ(acc0_v2, hlp_v2) - SHLQ(Imm(32), acc0_v2) - p256const1 := p256const1_DATA() - MULQ(p256const1) - SHRQ(Imm(32), hlp_v2) - ADDQ(acc0_v2, acc1_v2) - ADCQ(hlp_v2, acc2_v2) - ADCQ(mul0_v2, acc3_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc0_v2) - - Comment("Second reduction step") - MOVQ(acc1_v2, mul0_v2) - MOVQ(acc1_v2, hlp_v2) - SHLQ(Imm(32), acc1_v2) - MULQ(p256const1) - SHRQ(Imm(32), hlp_v2) - ADDQ(acc1_v2, acc2_v2) - ADCQ(hlp_v2, acc3_v2) - ADCQ(mul0_v2, acc0_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc1_v2) - - Comment("Third reduction step") - MOVQ(acc2_v2, mul0_v2) - MOVQ(acc2_v2, hlp_v2) - SHLQ(Imm(32), acc2_v2) - MULQ(p256const1) - SHRQ(Imm(32), hlp_v2) - ADDQ(acc2_v2, acc3_v2) - ADCQ(hlp_v2, acc0_v2) - ADCQ(mul0_v2, acc1_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc2_v2) - - Comment("Last reduction step") - MOVQ(acc3_v2, mul0_v2) - MOVQ(acc3_v2, hlp_v2) - SHLQ(Imm(32), acc3_v2) - MULQ(p256const1) - SHRQ(Imm(32), hlp_v2) - ADDQ(acc3_v2, acc0_v2) - ADCQ(hlp_v2, acc1_v2) - ADCQ(mul0_v2, acc2_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc3_v2) - MOVQ(U32(0), RBP) - - Comment("Add bits [511:256] of the result") - ADCQ(acc0_v2, acc4_v2) - ADCQ(acc1_v2, acc5_v2) - ADCQ(acc2_v2, acc6_v2) - ADCQ(acc3_v2, acc7_v2) - ADCQ(Imm(0), hlp_v2) - - Comment("Copy result") - MOVQ(acc4_v2, acc0_v2) - MOVQ(acc5_v2, acc1_v2) - MOVQ(acc6_v2, acc2_v2) - MOVQ(acc7_v2, acc3_v2) - - Comment("Subtract p256") - SUBQ(I8(-1), acc4_v2) - p256const0 := p256const0_DATA() - SBBQ(p256const0, acc5_v2) - SBBQ(Imm(0), acc6_v2) - SBBQ(p256const1, acc7_v2) - SBBQ(Imm(0), hlp_v2) - - Comment("If the result of the subtraction is negative, restore the previous result") - CMOVQCS(acc0_v2, acc4_v2) - CMOVQCS(acc1_v2, acc5_v2) - CMOVQCS(acc2_v2, acc6_v2) - CMOVQCS(acc3_v2, acc7_v2) - - RET() -} - -func p256SqrInternal() { - Function("p256SqrInternal") - Attributes(NOSPLIT) - - MOVQ(acc4_v2, mul0_v2) - MULQ(acc5_v2) - MOVQ(mul0_v2, acc1_v2) - MOVQ(mul1_v2, acc2_v2) - - MOVQ(acc4_v2, mul0_v2) - MULQ(acc6_v2) - ADDQ(mul0_v2, acc2_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc3_v2) - - MOVQ(acc4_v2, mul0_v2) - MULQ(acc7_v2) - ADDQ(mul0_v2, acc3_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, t0_v2) - - MOVQ(acc5_v2, mul0_v2) - MULQ(acc6_v2) - ADDQ(mul0_v2, acc3_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, hlp_v2) - - MOVQ(acc5_v2, mul0_v2) - MULQ(acc7_v2) - ADDQ(hlp_v2, t0_v2) - ADCQ(Imm(0), mul1_v2) - ADDQ(mul0_v2, t0_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, t1_v2) - - MOVQ(acc6_v2, mul0_v2) - MULQ(acc7_v2) - ADDQ(mul0_v2, t1_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, t2_v2) - XORQ(t3_v2, t3_v2) - - Comment("*2") - ADDQ(acc1_v2, acc1_v2) - ADCQ(acc2_v2, acc2_v2) - ADCQ(acc3_v2, acc3_v2) - ADCQ(t0_v2, t0_v2) - ADCQ(t1_v2, t1_v2) - ADCQ(t2_v2, t2_v2) - ADCQ(Imm(0), t3_v2) - - Comment("Missing products") - MOVQ(acc4_v2, mul0_v2) - MULQ(mul0_v2) - MOVQ(mul0_v2, acc0_v2) - MOVQ(RDX, acc4_v2) - - MOVQ(acc5_v2, mul0_v2) - MULQ(mul0_v2) - ADDQ(acc4_v2, acc1_v2) - ADCQ(mul0_v2, acc2_v2) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc4_v2) - - MOVQ(acc6_v2, mul0_v2) - MULQ(mul0_v2) - ADDQ(acc4_v2, acc3_v2) - ADCQ(mul0_v2, t0_v2) - ADCQ(Imm(0), RDX) - MOVQ(RDX, acc4_v2) - - MOVQ(acc7_v2, mul0_v2) - MULQ(mul0_v2) - ADDQ(acc4_v2, t1_v2) - ADCQ(mul0_v2, t2_v2) - ADCQ(RDX, t3_v2) - - Comment("First reduction step") - MOVQ(acc0_v2, mul0_v2) - MOVQ(acc0_v2, hlp_v2) - SHLQ(Imm(32), acc0_v2) - p256const1 := p256const1_DATA() - MULQ(p256const1) - SHRQ(Imm(32), hlp_v2) - ADDQ(acc0_v2, acc1_v2) - ADCQ(hlp_v2, acc2_v2) - ADCQ(mul0_v2, acc3_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc0_v2) - - Comment("Second reduction step") - MOVQ(acc1_v2, mul0_v2) - MOVQ(acc1_v2, hlp_v2) - SHLQ(Imm(32), acc1_v2) - MULQ(p256const1) - SHRQ(Imm(32), hlp_v2) - ADDQ(acc1_v2, acc2_v2) - ADCQ(hlp_v2, acc3_v2) - ADCQ(mul0_v2, acc0_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc1_v2) - - Comment("Third reduction step") - MOVQ(acc2_v2, mul0_v2) - MOVQ(acc2_v2, hlp_v2) - SHLQ(Imm(32), acc2_v2) - MULQ(p256const1) - SHRQ(Imm(32), hlp_v2) - ADDQ(acc2_v2, acc3_v2) - ADCQ(hlp_v2, acc0_v2) - ADCQ(mul0_v2, acc1_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc2_v2) - - Comment("Last reduction step") - MOVQ(acc3_v2, mul0_v2) - MOVQ(acc3_v2, hlp_v2) - SHLQ(Imm(32), acc3_v2) - MULQ(p256const1) - SHRQ(Imm(32), hlp_v2) - ADDQ(acc3_v2, acc0_v2) - ADCQ(hlp_v2, acc1_v2) - ADCQ(mul0_v2, acc2_v2) - ADCQ(Imm(0), mul1_v2) - MOVQ(mul1_v2, acc3_v2) - MOVQ(U32(0), RBP) - - Comment("Add bits [511:256] of the result") - ADCQ(acc0_v2, t0_v2) - ADCQ(acc1_v2, t1_v2) - ADCQ(acc2_v2, t2_v2) - ADCQ(acc3_v2, t3_v2) - ADCQ(Imm(0), hlp_v2) - - Comment("Copy result") - MOVQ(t0_v2, acc4_v2) - MOVQ(t1_v2, acc5_v2) - MOVQ(t2_v2, acc6_v2) - MOVQ(t3_v2, acc7_v2) - - Comment("Subtract p256") - SUBQ(I8(-1), acc4_v2) - p256const0 := p256const0_DATA() - SBBQ(p256const0, acc5_v2) - SBBQ(Imm(0), acc6_v2) - SBBQ(p256const1, acc7_v2) - SBBQ(Imm(0), hlp_v2) - - Comment("If the result of the subtraction is negative, restore the previous result") - CMOVQCS(t0_v2, acc4_v2) - CMOVQCS(t1_v2, acc5_v2) - CMOVQCS(t2_v2, acc6_v2) - CMOVQCS(t3_v2, acc7_v2) - - RET() -} - -func p256MulBy2Inline() { - XORQ(mul0_v2, mul0_v2) - ADDQ(acc4_v2, acc4_v2) - ADCQ(acc5_v2, acc5_v2) - ADCQ(acc6_v2, acc6_v2) - ADCQ(acc7_v2, acc7_v2) - ADCQ(I8(0), mul0_v2) - MOVQ(acc4_v2, t0_v2) - MOVQ(acc5_v2, t1_v2) - MOVQ(acc6_v2, t2_v2) - MOVQ(acc7_v2, t3_v2) - SUBQ(I8(-1), t0_v2) - p256const0 := p256const0_DATA() - SBBQ(p256const0, t1_v2) - SBBQ(I8(0), t2_v2) - p256const1 := p256const1_DATA() - SBBQ(p256const1, t3_v2) - SBBQ(I8(0), mul0_v2) - CMOVQCS(acc4_v2, t0_v2) - CMOVQCS(acc5_v2, t1_v2) - CMOVQCS(acc6_v2, t2_v2) - CMOVQCS(acc7_v2, t3_v2) -} - -func p256AddInline() { - XORQ(mul0_v2, mul0_v2) - ADDQ(t0_v2, acc4_v2) - ADCQ(t1_v2, acc5_v2) - ADCQ(t2_v2, acc6_v2) - ADCQ(t3_v2, acc7_v2) - ADCQ(I8(0), mul0_v2) - MOVQ(acc4_v2, t0_v2) - MOVQ(acc5_v2, t1_v2) - MOVQ(acc6_v2, t2_v2) - MOVQ(acc7_v2, t3_v2) - SUBQ(I8(-1), t0_v2) - p256const0 := p256const0_DATA() - SBBQ(p256const0, t1_v2) - SBBQ(I8(0), t2_v2) - p256const1 := p256const1_DATA() - SBBQ(p256const1, t3_v2) - SBBQ(I8(0), mul0_v2) - CMOVQCS(acc4_v2, t0_v2) - CMOVQCS(acc5_v2, t1_v2) - CMOVQCS(acc6_v2, t2_v2) - CMOVQCS(acc7_v2, t3_v2) -} - -/* ---------------------------------------*/ - -type MemFunc func(off int) Mem - -func LDacc(src MemFunc) { - MOVQ(src(8*0), acc4_v2) - MOVQ(src(8*1), acc5_v2) - MOVQ(src(8*2), acc6_v2) - MOVQ(src(8*3), acc7_v2) -} - -func LDt(src MemFunc) { - MOVQ(src(8*0), t0_v2) - MOVQ(src(8*1), t1_v2) - MOVQ(src(8*2), t2_v2) - MOVQ(src(8*3), t3_v2) -} - -func ST(dst MemFunc) { - MOVQ(acc4_v2, dst(8*0)) - MOVQ(acc5_v2, dst(8*1)) - MOVQ(acc6_v2, dst(8*2)) - MOVQ(acc7_v2, dst(8*3)) -} - -func STt(dst MemFunc) { - MOVQ(t0_v2, dst(8*0)) - MOVQ(t1_v2, dst(8*1)) - MOVQ(t2_v2, dst(8*2)) - MOVQ(t3_v2, dst(8*3)) -} - -func acc2t() { - MOVQ(acc4_v2, t0_v2) - MOVQ(acc5_v2, t1_v2) - MOVQ(acc6_v2, t2_v2) - MOVQ(acc7_v2, t3_v2) -} - -func t2acc() { - MOVQ(t0_v2, acc4_v2) - MOVQ(t1_v2, acc5_v2) - MOVQ(t2_v2, acc6_v2) - MOVQ(t3_v2, acc7_v2) -} - -/* ---------------------------------------*/ - -// These functions exist as #define macros in the reference implementation. -// -// In the reference assembly, these macros are later undefined and redefined. -// They are implemented here as versioned functions. - -func x1in_v1(off int) Mem { return Mem{Base: SP}.Offset(32*0 + off) } -func y1in_v1(off int) Mem { return Mem{Base: SP}.Offset(32*1 + off) } -func z1in_v1(off int) Mem { return Mem{Base: SP}.Offset(32*2 + off) } -func x2in_v1(off int) Mem { return Mem{Base: SP}.Offset(32*3 + off) } -func y2in_v1(off int) Mem { return Mem{Base: SP}.Offset(32*4 + off) } -func xout_v1(off int) Mem { return Mem{Base: SP}.Offset(32*5 + off) } -func yout_v1(off int) Mem { return Mem{Base: SP}.Offset(32*6 + off) } -func zout_v1(off int) Mem { return Mem{Base: SP}.Offset(32*7 + off) } -func s2_v1(off int) Mem { return Mem{Base: SP}.Offset(32*8 + off) } -func z1sqr_v1(off int) Mem { return Mem{Base: SP}.Offset(32*9 + off) } -func h_v1(off int) Mem { return Mem{Base: SP}.Offset(32*10 + off) } -func r_v1(off int) Mem { return Mem{Base: SP}.Offset(32*11 + off) } -func hsqr_v1(off int) Mem { return Mem{Base: SP}.Offset(32*12 + off) } -func rsqr_v1(off int) Mem { return Mem{Base: SP}.Offset(32*13 + off) } -func hcub_v1(off int) Mem { return Mem{Base: SP}.Offset(32*14 + off) } - -var ( - rptr_v1 Mem = Mem{Base: SP}.Offset(32*15 + 0) - sel_save_v1 = Mem{Base: SP}.Offset(32*15 + 8) - zero_save_v1 = Mem{Base: SP}.Offset(32*15 + 8 + 4) -) - -// Implements: -// -// func p256PointAddAffineAsm(res, in1 *P256Point, in2 *p256AffinePoint, sign, sel, zero int) -func p256PointAddAffineAsm() { - Implement("p256PointAddAffineAsm") - AllocLocal(512) - - Load(Param("res"), RAX) - Load(Param("in1"), RBX) - Load(Param("in2"), RCX) - Load(Param("sign"), RDX) - Load(Param("sel"), t1_v2) - Load(Param("zero"), t2_v2) - - MOVOU(Mem{Base: BX}.Offset(16*0), X0) - MOVOU(Mem{Base: BX}.Offset(16*1), X1) - MOVOU(Mem{Base: BX}.Offset(16*2), X2) - MOVOU(Mem{Base: BX}.Offset(16*3), X3) - MOVOU(Mem{Base: BX}.Offset(16*4), X4) - MOVOU(Mem{Base: BX}.Offset(16*5), X5) - - MOVOU(X0, x1in_v1(16*0)) - MOVOU(X1, x1in_v1(16*1)) - MOVOU(X2, y1in_v1(16*0)) - MOVOU(X3, y1in_v1(16*1)) - MOVOU(X4, z1in_v1(16*0)) - MOVOU(X5, z1in_v1(16*1)) - - MOVOU(Mem{Base: CX}.Offset(16*0), X0) - MOVOU(Mem{Base: CX}.Offset(16*1), X1) - - MOVOU(X0, x2in_v1(16*0)) - MOVOU(X1, x2in_v1(16*1)) - - Comment("Store pointer to result") - MOVQ(mul0_v2, rptr_v1) - - // Hack to get Avo to emit: - // MOVL t1, sel_save_v1 - Instruction(&ir.Instruction{ - Opcode: "MOVL", - Operands: []Op{t1_v2, sel_save_v1}, - }) - - // Hack to get Avo to emit: - // MOVL t2_v2, zero_save_v1 - Instruction(&ir.Instruction{ - Opcode: "MOVL", - Operands: []Op{t2_v2, zero_save_v1}, - }) - - Comment("Negate y2in based on sign") - MOVQ(Mem{Base: CX}.Offset(16*2+8*0), acc4_v2) - MOVQ(Mem{Base: CX}.Offset(16*2+8*1), acc5_v2) - MOVQ(Mem{Base: CX}.Offset(16*2+8*2), acc6_v2) - MOVQ(Mem{Base: CX}.Offset(16*2+8*3), acc7_v2) - MOVQ(I32(-1), acc0_v2) - p256const0 := p256const0_DATA() - MOVQ(p256const0, acc1_v2) - MOVQ(U32(0), acc2_v2) - p256const1 := p256const1_DATA() - MOVQ(p256const1, acc3_v2) - XORQ(mul0_v2, mul0_v2) - - Comment("Speculatively subtract") - SUBQ(acc4_v2, acc0_v2) - SBBQ(acc5_v2, acc1_v2) - SBBQ(acc6_v2, acc2_v2) - SBBQ(acc7_v2, acc3_v2) - SBBQ(Imm(0), mul0_v2) - MOVQ(acc0_v2, t0_v2) - MOVQ(acc1_v2, t1_v2) - MOVQ(acc2_v2, t2_v2) - MOVQ(acc3_v2, t3_v2) - - Comment("Add in case the operand was > p256") - ADDQ(I8(-1), acc0_v2) - ADCQ(p256const0, acc1_v2) - ADCQ(Imm(0), acc2_v2) - ADCQ(p256const1, acc3_v2) - ADCQ(Imm(0), mul0_v2) - CMOVQNE(t0_v2, acc0_v2) - CMOVQNE(t1_v2, acc1_v2) - CMOVQNE(t2_v2, acc2_v2) - CMOVQNE(t3_v2, acc3_v2) - - Comment("If condition is 0, keep original value") - TESTQ(RDX, RDX) - CMOVQEQ(acc4_v2, acc0_v2) - CMOVQEQ(acc5_v2, acc1_v2) - CMOVQEQ(acc6_v2, acc2_v2) - CMOVQEQ(acc7_v2, acc3_v2) - - Comment("Store result") - MOVQ(acc0_v2, y2in_v1(8*0)) - MOVQ(acc1_v2, y2in_v1(8*1)) - MOVQ(acc2_v2, y2in_v1(8*2)) - MOVQ(acc3_v2, y2in_v1(8*3)) - - Comment("Begin point add") - LDacc(z1in_v1) - CALL(LabelRef("p256SqrInternal(SB)")) // z1ˆ2 - ST(z1sqr_v1) - - LDt(x2in_v1) - CALL(LabelRef("p256MulInternal(SB)")) // x2 * z1ˆ2 - - LDt(x1in_v1) - CALL(LabelRef("p256SubInternal(SB)")) // h = u2 - u1) - ST(h_v1) - - LDt(z1in_v1) - CALL(LabelRef("p256MulInternal(SB)")) // z3 = h * z1 - ST(zout_v1) - - LDacc(z1sqr_v1) - CALL(LabelRef("p256MulInternal(SB)")) // z1ˆ3 - - LDt(y2in_v1) - CALL(LabelRef("p256MulInternal(SB)")) // s2 = y2 * z1ˆ3 - ST(s2_v1) - - LDt(y1in_v1) - CALL(LabelRef("p256SubInternal(SB)")) // r = s2 - s1) - ST(r_v1) - - CALL(LabelRef("p256SqrInternal(SB)")) // rsqr = rˆ2 - ST(rsqr_v1) - - LDacc(h_v1) - CALL(LabelRef("p256SqrInternal(SB)")) // hsqr = hˆ2 - ST(hsqr_v1) - - LDt(h_v1) - CALL(LabelRef("p256MulInternal(SB)")) // hcub = hˆ3 - ST(hcub_v1) - - LDt(y1in_v1) - CALL(LabelRef("p256MulInternal(SB)")) // y1 * hˆ3 - ST(s2_v1) - - LDacc(x1in_v1) - LDt(hsqr_v1) - CALL(LabelRef("p256MulInternal(SB)")) // u1 * hˆ2 - ST(h_v1) - - p256MulBy2Inline() // u1 * hˆ2 * 2, inline - LDacc(rsqr_v1) - CALL(LabelRef("p256SubInternal(SB)")) // rˆ2 - u1 * hˆ2 * 2) - - LDt(hcub_v1) - CALL(LabelRef("p256SubInternal(SB)")) - ST(xout_v1) - - MOVQ(acc4_v2, t0_v2) - MOVQ(acc5_v2, t1_v2) - MOVQ(acc6_v2, t2_v2) - MOVQ(acc7_v2, t3_v2) - LDacc(h_v1) - CALL(LabelRef("p256SubInternal(SB)")) - - LDt(r_v1) - CALL(LabelRef("p256MulInternal(SB)")) - - LDt(s2_v1) - CALL(LabelRef("p256SubInternal(SB)")) - ST(yout_v1) - - Comment("Load stored values from stack") - MOVQ(rptr_v1, RAX) - MOVL(sel_save_v1, EBX) - MOVL(zero_save_v1, ECX) - - Comment("The result is not valid if (sel == 0), conditional choose") - MOVOU(xout_v1(16*0), X0) - MOVOU(xout_v1(16*1), X1) - MOVOU(yout_v1(16*0), X2) - MOVOU(yout_v1(16*1), X3) - MOVOU(zout_v1(16*0), X4) - MOVOU(zout_v1(16*1), X5) - - // Hack to get Avo to emit: - // MOVL BX, X6 - Instruction(&ir.Instruction{ - Opcode: "MOVL", - Operands: []Op{EBX, X6}, - }) - - // Hack to get Avo to emit: - // MOVL CX, X7 - Instruction(&ir.Instruction{ - Opcode: "MOVL", - Operands: []Op{ECX, X7}, - }) - - PXOR(X8, X8) - PCMPEQL(X9, X9) - - PSHUFD(Imm(0), X6, X6) - PSHUFD(Imm(0), X7, X7) - - PCMPEQL(X8, X6) - PCMPEQL(X8, X7) - - MOVOU(X6, X15) - PANDN(X9, X15) - - MOVOU(x1in_v1(16*0), X9) - MOVOU(x1in_v1(16*1), X10) - MOVOU(y1in_v1(16*0), X11) - MOVOU(y1in_v1(16*1), X12) - MOVOU(z1in_v1(16*0), X13) - MOVOU(z1in_v1(16*1), X14) - - PAND(X15, X0) - PAND(X15, X1) - PAND(X15, X2) - PAND(X15, X3) - PAND(X15, X4) - PAND(X15, X5) - - PAND(X6, X9) - PAND(X6, X10) - PAND(X6, X11) - PAND(X6, X12) - PAND(X6, X13) - PAND(X6, X14) - - PXOR(X9, X0) - PXOR(X10, X1) - PXOR(X11, X2) - PXOR(X12, X3) - PXOR(X13, X4) - PXOR(X14, X5) - - Comment("Similarly if zero == 0") - PCMPEQL(X9, X9) - MOVOU(X7, X15) - PANDN(X9, X15) - - MOVOU(x2in_v1(16*0), X9) - MOVOU(x2in_v1(16*1), X10) - MOVOU(y2in_v1(16*0), X11) - MOVOU(y2in_v1(16*1), X12) - p256one := p256one_DATA() - MOVOU(p256one.Offset(0x00), X13) - MOVOU(p256one.Offset(0x10), X14) - - PAND(X15, X0) - PAND(X15, X1) - PAND(X15, X2) - PAND(X15, X3) - PAND(X15, X4) - PAND(X15, X5) - - PAND(X7, X9) - PAND(X7, X10) - PAND(X7, X11) - PAND(X7, X12) - PAND(X7, X13) - PAND(X7, X14) - - PXOR(X9, X0) - PXOR(X10, X1) - PXOR(X11, X2) - PXOR(X12, X3) - PXOR(X13, X4) - PXOR(X14, X5) - - Comment("Finally output the result") - MOVOU(X0, Mem{Base: AX}.Offset(16*0)) - MOVOU(X1, Mem{Base: AX}.Offset(16*1)) - MOVOU(X2, Mem{Base: AX}.Offset(16*2)) - MOVOU(X3, Mem{Base: AX}.Offset(16*3)) - MOVOU(X4, Mem{Base: AX}.Offset(16*4)) - MOVOU(X5, Mem{Base: AX}.Offset(16*5)) - MOVQ(U32(0), rptr_v1) - - RET() -} - -// p256IsZero returns 1 in AX if [acc4..acc7] represents zero and zero -// otherwise. It writes to [acc4..acc7], t0 and t1. -func p256IsZero() { - Function("p256IsZero") - Attributes(NOSPLIT) - - Comment("AX contains a flag that is set if the input is zero.") - XORQ(RAX, RAX) - MOVQ(U32(1), t1_v2) - - Comment("Check whether [acc4..acc7] are all zero.") - MOVQ(acc4_v2, t0_v2) - ORQ(acc5_v2, t0_v2) - ORQ(acc6_v2, t0_v2) - ORQ(acc7_v2, t0_v2) - - Comment("Set the zero flag if so. (CMOV of a constant to a register doesn't") - Comment("appear to be supported in Go. Thus t1 = 1.)") - CMOVQEQ(t1_v2, RAX) - - Comment("XOR [acc4..acc7] with P and compare with zero again.") - XORQ(I8(-1), acc4_v2) - p256const0 := p256const0_DATA() - XORQ(p256const0, acc5_v2) - p256const1 := p256const1_DATA() - XORQ(p256const1, acc7_v2) - ORQ(acc5_v2, acc4_v2) - ORQ(acc6_v2, acc4_v2) - ORQ(acc7_v2, acc4_v2) - - Comment("Set the zero flag if so.") - CMOVQEQ(t1_v2, RAX) - RET() -} - -func x1in_v2(off int) Mem { return Mem{Base: SP}.Offset(32*0 + off) } -func y1in_v2(off int) Mem { return Mem{Base: SP}.Offset(32*1 + off) } -func z1in_v2(off int) Mem { return Mem{Base: SP}.Offset(32*2 + off) } -func x2in_v2(off int) Mem { return Mem{Base: SP}.Offset(32*3 + off) } -func y2in_v2(off int) Mem { return Mem{Base: SP}.Offset(32*4 + off) } -func z2in_v2(off int) Mem { return Mem{Base: SP}.Offset(32*5 + off) } - -func xout_v2(off int) Mem { return Mem{Base: SP}.Offset(32*6 + off) } -func yout_v2(off int) Mem { return Mem{Base: SP}.Offset(32*7 + off) } -func zout_v2(off int) Mem { return Mem{Base: SP}.Offset(32*8 + off) } - -func u1_v2(off int) Mem { return Mem{Base: SP}.Offset(32*9 + off) } -func u2_v2(off int) Mem { return Mem{Base: SP}.Offset(32*10 + off) } -func s1_v2(off int) Mem { return Mem{Base: SP}.Offset(32*11 + off) } -func s2_v2(off int) Mem { return Mem{Base: SP}.Offset(32*12 + off) } -func z1sqr_v2(off int) Mem { return Mem{Base: SP}.Offset(32*13 + off) } -func z2sqr_v2(off int) Mem { return Mem{Base: SP}.Offset(32*14 + off) } -func h_v2(off int) Mem { return Mem{Base: SP}.Offset(32*15 + off) } -func r_v2(off int) Mem { return Mem{Base: SP}.Offset(32*16 + off) } -func hsqr_v2(off int) Mem { return Mem{Base: SP}.Offset(32*17 + off) } -func rsqr_v2(off int) Mem { return Mem{Base: SP}.Offset(32*18 + off) } -func hcub_v2(off int) Mem { return Mem{Base: SP}.Offset(32*19 + off) } - -var ( - rptr_v2 Mem = Mem{Base: SP}.Offset(32 * 20) - points_eq_v2 = Mem{Base: SP}.Offset(32*20 + 8) -) - -// Implements: -// -// func p256PointAddAsm(res, in1, in2 *P256Point) int -// -// See https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl -func p256PointAddAsm() { - Implement("p256PointAddAsm") - AllocLocal(680) - - Comment("Move input to stack in order to free registers") - Load(Param("res"), RAX) - Load(Param("in1"), RBX) - Load(Param("in2"), RCX) - - MOVOU(Mem{Base: BX}.Offset(16*0), X0) - MOVOU(Mem{Base: BX}.Offset(16*1), X1) - MOVOU(Mem{Base: BX}.Offset(16*2), X2) - MOVOU(Mem{Base: BX}.Offset(16*3), X3) - MOVOU(Mem{Base: BX}.Offset(16*4), X4) - MOVOU(Mem{Base: BX}.Offset(16*5), X5) - - MOVOU(X0, x1in_v2(16*0)) - MOVOU(X1, x1in_v2(16*1)) - MOVOU(X2, y1in_v2(16*0)) - MOVOU(X3, y1in_v2(16*1)) - MOVOU(X4, z1in_v2(16*0)) - MOVOU(X5, z1in_v2(16*1)) - - MOVOU(Mem{Base: CX}.Offset(16*0), X0) - MOVOU(Mem{Base: CX}.Offset(16*1), X1) - MOVOU(Mem{Base: CX}.Offset(16*2), X2) - MOVOU(Mem{Base: CX}.Offset(16*3), X3) - MOVOU(Mem{Base: CX}.Offset(16*4), X4) - MOVOU(Mem{Base: CX}.Offset(16*5), X5) - - MOVOU(X0, x2in_v2(16*0)) - MOVOU(X1, x2in_v2(16*1)) - MOVOU(X2, y2in_v2(16*0)) - MOVOU(X3, y2in_v2(16*1)) - MOVOU(X4, z2in_v2(16*0)) - MOVOU(X5, z2in_v2(16*1)) - - Comment("Store pointer to result") - MOVQ(RAX, rptr_v2) - - Comment("Begin point add") - LDacc(z2in_v2) - CALL(LabelRef("p256SqrInternal(SB)")) // z2ˆ2 - ST(z2sqr_v2) - LDt(z2in_v2) - CALL(LabelRef("p256MulInternal(SB)")) // z2ˆ3 - LDt(y1in_v2) - CALL(LabelRef("p256MulInternal(SB)")) // s1 = z2ˆ3*y1 - ST(s1_v2) - - LDacc(z1in_v2) - CALL(LabelRef("p256SqrInternal(SB)")) // z1ˆ2 - ST(z1sqr_v2) - LDt(z1in_v2) - CALL(LabelRef("p256MulInternal(SB)")) // z1ˆ3 - LDt(y2in_v2) - CALL(LabelRef("p256MulInternal(SB)")) // s2 = z1ˆ3*y2 - ST(s2_v2) - - LDt(s1_v2) - CALL(LabelRef("p256SubInternal(SB)")) // r = s2 - s1 - ST(r_v2) - CALL(LabelRef("p256IsZero(SB)")) - MOVQ(RAX, points_eq_v2) - - LDacc(z2sqr_v2) - LDt(x1in_v2) - CALL(LabelRef("p256MulInternal(SB)")) // u1 = x1 * z2ˆ2 - ST(u1_v2) - LDacc(z1sqr_v2) - LDt(x2in_v2) - CALL(LabelRef("p256MulInternal(SB)")) // u2 = x2 * z1ˆ2 - ST(u2_v2) - - LDt(u1_v2) - CALL(LabelRef("p256SubInternal(SB)")) // h = u2 - u1 - ST(h_v2) - CALL(LabelRef("p256IsZero(SB)")) - ANDQ(points_eq_v2, RAX) - MOVQ(RAX, points_eq_v2) - - LDacc(r_v2) - CALL(LabelRef("p256SqrInternal(SB)")) // rsqr = rˆ2 - ST(rsqr_v2) - - LDacc(h_v2) - CALL(LabelRef("p256SqrInternal(SB)")) // hsqr = hˆ2 - ST(hsqr_v2) - - LDt(h_v2) - CALL(LabelRef("p256MulInternal(SB)")) // hcub = hˆ3 - ST(hcub_v2) - - LDt(s1_v2) - CALL(LabelRef("p256MulInternal(SB)")) - ST(s2_v2) - - LDacc(z1in_v2) - LDt(z2in_v2) - CALL(LabelRef("p256MulInternal(SB)")) // z1 * z2 - LDt(h_v2) - CALL(LabelRef("p256MulInternal(SB)")) // z1 * z2 * h - ST(zout_v2) - - LDacc(hsqr_v2) - LDt(u1_v2) - CALL(LabelRef("p256MulInternal(SB)")) // hˆ2 * u1 - ST(u2_v2) - - p256MulBy2Inline() // u1 * hˆ2 * 2, inline - LDacc(rsqr_v2) - CALL(LabelRef("p256SubInternal(SB)")) // rˆ2 - u1 * hˆ2 * 2 - - LDt(hcub_v2) - CALL(LabelRef("p256SubInternal(SB)")) - ST(xout_v2) - - MOVQ(acc4_v2, t0_v2) - MOVQ(acc5_v2, t1_v2) - MOVQ(acc6_v2, t2_v2) - MOVQ(acc7_v2, t3_v2) - LDacc(u2_v2) - CALL(LabelRef("p256SubInternal(SB)")) - - LDt(r_v2) - CALL(LabelRef("p256MulInternal(SB)")) - - LDt(s2_v2) - CALL(LabelRef("p256SubInternal(SB)")) - ST(yout_v2) - - MOVOU(xout_v2(16*0), X0) - MOVOU(xout_v2(16*1), X1) - MOVOU(yout_v2(16*0), X2) - MOVOU(yout_v2(16*1), X3) - MOVOU(zout_v2(16*0), X4) - MOVOU(zout_v2(16*1), X5) - - Comment("Finally output the result") - MOVQ(rptr_v2, RAX) - MOVQ(U32(0), rptr_v2) - MOVOU(X0, Mem{Base: AX}.Offset(16*0)) - MOVOU(X1, Mem{Base: AX}.Offset(16*1)) - MOVOU(X2, Mem{Base: AX}.Offset(16*2)) - MOVOU(X3, Mem{Base: AX}.Offset(16*3)) - MOVOU(X4, Mem{Base: AX}.Offset(16*4)) - MOVOU(X5, Mem{Base: AX}.Offset(16*5)) - - MOVQ(points_eq_v2, RAX) - ret := NewParamAddr("ret", 24) - MOVQ(RAX, ret) - - RET() -} - -func x(off int) Mem { return Mem{Base: SP}.Offset(32*0 + off) } -func y(off int) Mem { return Mem{Base: SP}.Offset(32*1 + off) } -func z(off int) Mem { return Mem{Base: SP}.Offset(32*2 + off) } - -func s(off int) Mem { return Mem{Base: SP}.Offset(32*3 + off) } -func m(off int) Mem { return Mem{Base: SP}.Offset(32*4 + off) } -func zsqr(off int) Mem { return Mem{Base: SP}.Offset(32*5 + off) } -func tmp(off int) Mem { return Mem{Base: SP}.Offset(32*6 + off) } - -var rptr_v3 = Mem{Base: SP}.Offset(32 * 7) - -// Implements: -// -// func p256PointDoubleAsm(res, in *P256Point) -func p256PointDoubleAsm() { - Implement("p256PointDoubleAsm") - Attributes(NOSPLIT) - AllocLocal(256) - - Load(Param("res"), RAX) - Load(Param("in"), RBX) - - MOVOU(Mem{Base: BX}.Offset(16*0), X0) - MOVOU(Mem{Base: BX}.Offset(16*1), X1) - MOVOU(Mem{Base: BX}.Offset(16*2), X2) - MOVOU(Mem{Base: BX}.Offset(16*3), X3) - MOVOU(Mem{Base: BX}.Offset(16*4), X4) - MOVOU(Mem{Base: BX}.Offset(16*5), X5) - - MOVOU(X0, x(16*0)) - MOVOU(X1, x(16*1)) - MOVOU(X2, y(16*0)) - MOVOU(X3, y(16*1)) - MOVOU(X4, z(16*0)) - MOVOU(X5, z(16*1)) - - Comment("Store pointer to result") - MOVQ(RAX, rptr_v3) - - Comment("Begin point double") - LDacc(z) - CALL(LabelRef("p256SqrInternal(SB)")) - ST(zsqr) - - LDt(x) - p256AddInline() - STt(m) - - LDacc(z) - LDt(y) - CALL(LabelRef("p256MulInternal(SB)")) - p256MulBy2Inline() - MOVQ(rptr_v3, RAX) - - Comment("Store z") - MOVQ(t0_v2, Mem{Base: AX}.Offset(16*4+8*0)) - MOVQ(t1_v2, Mem{Base: AX}.Offset(16*4+8*1)) - MOVQ(t2_v2, Mem{Base: AX}.Offset(16*4+8*2)) - MOVQ(t3_v2, Mem{Base: AX}.Offset(16*4+8*3)) - - LDacc(x) - LDt(zsqr) - CALL(LabelRef("p256SubInternal(SB)")) - LDt(m) - CALL(LabelRef("p256MulInternal(SB)")) - ST(m) - - Comment("Multiply by 3") - p256MulBy2Inline() - LDacc(m) - p256AddInline() - STt(m) - Comment("////////////////////////") - LDacc(y) - p256MulBy2Inline() - t2acc() - CALL(LabelRef("p256SqrInternal(SB)")) - ST(s) - CALL(LabelRef("p256SqrInternal(SB)")) - - Comment("Divide by 2") - XORQ(mul0_v2, mul0_v2) - MOVQ(acc4_v2, t0_v2) - MOVQ(acc5_v2, t1_v2) - MOVQ(acc6_v2, t2_v2) - MOVQ(acc7_v2, t3_v2) - - ADDQ(I8(-1), acc4_v2) - p256const0 := p256const0_DATA() - ADCQ(p256const0, acc5_v2) - ADCQ(Imm(0), acc6_v2) - p256const1 := p256const1_DATA() - ADCQ(p256const1, acc7_v2) - ADCQ(Imm(0), mul0_v2) - TESTQ(U32(1), t0_v2) - - CMOVQEQ(t0_v2, acc4_v2) - CMOVQEQ(t1_v2, acc5_v2) - CMOVQEQ(t2_v2, acc6_v2) - CMOVQEQ(t3_v2, acc7_v2) - ANDQ(t0_v2, mul0_v2) - - SHRQ(Imm(1), acc5_v2, acc4_v2) - SHRQ(Imm(1), acc6_v2, acc5_v2) - SHRQ(Imm(1), acc7_v2, acc6_v2) - SHRQ(Imm(1), mul0_v2, acc7_v2) - ST(y) - Comment("/////////////////////////") - LDacc(x) - LDt(s) - CALL(LabelRef("p256MulInternal(SB)")) - ST(s) - p256MulBy2Inline() - STt(tmp) - - LDacc(m) - CALL(LabelRef("p256SqrInternal(SB)")) - LDt(tmp) - CALL(LabelRef("p256SubInternal(SB)")) - - MOVQ(rptr_v3, RAX) - - Comment("Store x") - MOVQ(acc4_v2, Mem{Base: AX}.Offset(16*0+8*0)) - MOVQ(acc5_v2, Mem{Base: AX}.Offset(16*0+8*1)) - MOVQ(acc6_v2, Mem{Base: AX}.Offset(16*0+8*2)) - MOVQ(acc7_v2, Mem{Base: AX}.Offset(16*0+8*3)) - - acc2t() - LDacc(s) - CALL(LabelRef("p256SubInternal(SB)")) - - LDt(m) - CALL(LabelRef("p256MulInternal(SB)")) - - LDt(y) - CALL(LabelRef("p256SubInternal(SB)")) - MOVQ(rptr_v3, RAX) - - Comment("Store y") - MOVQ(acc4_v2, Mem{Base: AX}.Offset(16*2+8*0)) - MOVQ(acc5_v2, Mem{Base: AX}.Offset(16*2+8*1)) - MOVQ(acc6_v2, Mem{Base: AX}.Offset(16*2+8*2)) - MOVQ(acc7_v2, Mem{Base: AX}.Offset(16*2+8*3)) - Comment("///////////////////////") - MOVQ(U32(0), rptr_v3) - - RET() -} - -// #----------------------------DATA SECTION-----------------------------------## - -// Pointers for memoizing Data section symbols -var p256const0_ptr, p256const1_ptr, p256ordK0_ptr, p256ord_ptr, p256one_ptr *Mem - -func p256const0_DATA() Mem { - if p256const0_ptr != nil { - return *p256const0_ptr - } - - p256const0 := GLOBL("p256const0", 8) - p256const0_ptr = &p256const0 - DATA(0, U64(0x00000000ffffffff)) - return p256const0 -} - -func p256const1_DATA() Mem { - if p256const1_ptr != nil { - return *p256const1_ptr - } - - p256const1 := GLOBL("p256const1", 8) - p256const1_ptr = &p256const1 - DATA(0, U64(0xffffffff00000001)) - return p256const1 -} - -func p256ordK0_DATA() Mem { - if p256ordK0_ptr != nil { - return *p256ordK0_ptr - } - - p256ordK0 := GLOBL("p256ordK0", 8) - p256ordK0_ptr = &p256ordK0 - DATA(0, U64(0xccd1c8aaee00bc4f)) - return p256ordK0 -} - -var p256ordConstants = [4]uint64{ - 0xf3b9cac2fc632551, - 0xbce6faada7179e84, - 0xffffffffffffffff, - 0xffffffff00000000, -} - -func p256ord_DATA() Mem { - if p256ord_ptr != nil { - return *p256ord_ptr - } - - p256ord := GLOBL("p256ord", 8) - p256ord_ptr = &p256ord - - for i, k := range p256ordConstants { - DATA(i*8, U64(k)) - } - - return p256ord -} - -var p256oneConstants = [4]uint64{ - 0x0000000000000001, - 0xffffffff00000000, - 0xffffffffffffffff, - 0x00000000fffffffe, -} - -func p256one_DATA() Mem { - if p256one_ptr != nil { - return *p256one_ptr - } - - p256one := GLOBL("p256one", 8) - p256one_ptr = &p256one - - for i, k := range p256oneConstants { - DATA(i*8, U64(k)) - } - - return p256one -} - -const ThatPeskyUnicodeDot = "\u00b7" - -// removePeskyUnicodeDot strips the dot from the relevant TEXT directives such that they -// can exist as internal assembly functions -// -// Avo v0.6.0 does not support the generation of internal assembly functions. Go's unicode -// dot tells the compiler to link a TEXT symbol to a function in the current Go package -// (or another package if specified). Avo unconditionally prepends the unicode dot to all -// TEXT symbols, making it impossible to emit an internal function without this hack. -// -// There is a pending PR to add internal functions to Avo: -// https://github.com/mmcloughlin/avo/pull/443 -// -// If merged it should allow the usage of InternalFunction("NAME") for the specified functions -func removePeskyUnicodeDot(internalFunctions []string, target string) { - bytes, err := os.ReadFile(target) - if err != nil { - panic(err) - } - - content := string(bytes) - - for _, from := range internalFunctions { - to := strings.ReplaceAll(from, ThatPeskyUnicodeDot, "") - content = strings.ReplaceAll(content, from, to) - } - - err = os.WriteFile(target, []byte(content), 0644) - if err != nil { - panic(err) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/Dockerfile b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/Dockerfile deleted file mode 100644 index 2877e0b2c12..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/Dockerfile +++ /dev/null @@ -1,12 +0,0 @@ -# Copyright 2021 The Go Authors. All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - -FROM coqorg/coq:8.13.2 - -RUN git clone https://github.com/mit-plv/fiat-crypto && cd fiat-crypto && \ - git checkout 23d2dbc4ab897d14bde4404f70cd6991635f9c01 && \ - git submodule update --init --recursive -RUN cd fiat-crypto && eval $(opam env) && make -j4 standalone-ocaml SKIP_BEDROCK2=1 - -ENV PATH /home/coq/fiat-crypto/src/ExtractionOCaml:$PATH diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/README b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/README deleted file mode 100644 index 916ebc14ce8..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/README +++ /dev/null @@ -1,34 +0,0 @@ -The code in this package was autogenerated by the fiat-crypto project -at version v0.0.9 from a formally verified model, and by the addchain -project at a recent tip version. - - docker build -t fiat-crypto:v0.0.9 . - go install github.com/mmcloughlin/addchain/cmd/[email protected] - ../../../../../bin/go run generate.go - -fiat-crypto code comes under the following license. - - Copyright (c) 2015-2020 The fiat-crypto Authors. All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are - met: - - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - - THIS SOFTWARE IS PROVIDED BY the fiat-crypto authors "AS IS" - AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, - THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Berkeley Software Design, - Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -The authors are listed at - - https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/cast.go deleted file mode 100644 index 39fecd42498..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/cast.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package fiat - -import _ "crypto/internal/fips140/check" diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/generate.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/generate.go deleted file mode 100644 index 5dda9434d41..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/generate.go +++ /dev/null @@ -1,325 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build ignore - -package main - -import ( - "bytes" - "go/format" - "io" - "log" - "os" - "os/exec" - "text/template" -) - -var curves = []struct { - Element string - Prime string - Prefix string - FiatType string - BytesLen int -}{ - { - Element: "P224Element", - Prime: "2^224 - 2^96 + 1", - Prefix: "p224", - FiatType: "[4]uint64", - BytesLen: 28, - }, - // The P-256 fiat implementation is used only on 32-bit architectures, but - // the uint32 fiat code is for some reason slower than the uint64 one. That - // suggests there is a wide margin for improvement. - { - Element: "P256Element", - Prime: "2^256 - 2^224 + 2^192 + 2^96 - 1", - Prefix: "p256", - FiatType: "[4]uint64", - BytesLen: 32, - }, - { - Element: "P384Element", - Prime: "2^384 - 2^128 - 2^96 + 2^32 - 1", - Prefix: "p384", - FiatType: "[6]uint64", - BytesLen: 48, - }, - // Note that unsaturated_solinas would be about 2x faster than - // word_by_word_montgomery for P-521, but this curve is used rarely enough - // that it's not worth carrying unsaturated_solinas support for it. - { - Element: "P521Element", - Prime: "2^521 - 1", - Prefix: "p521", - FiatType: "[9]uint64", - BytesLen: 66, - }, -} - -func main() { - t := template.Must(template.New("montgomery").Parse(tmplWrapper)) - - tmplAddchainFile, err := os.CreateTemp("", "addchain-template") - if err != nil { - log.Fatal(err) - } - defer os.Remove(tmplAddchainFile.Name()) - if _, err := io.WriteString(tmplAddchainFile, tmplAddchain); err != nil { - log.Fatal(err) - } - if err := tmplAddchainFile.Close(); err != nil { - log.Fatal(err) - } - - for _, c := range curves { - log.Printf("Generating %s.go...", c.Prefix) - f, err := os.Create(c.Prefix + ".go") - if err != nil { - log.Fatal(err) - } - if err := t.Execute(f, c); err != nil { - log.Fatal(err) - } - if err := f.Close(); err != nil { - log.Fatal(err) - } - - log.Printf("Generating %s_fiat64.go...", c.Prefix) - cmd := exec.Command("docker", "run", "--rm", "--entrypoint", "word_by_word_montgomery", - "fiat-crypto:v0.0.9", "--lang", "Go", "--no-wide-int", "--cmovznz-by-mul", - "--relax-primitive-carry-to-bitwidth", "32,64", "--internal-static", - "--public-function-case", "camelCase", "--public-type-case", "camelCase", - "--private-function-case", "camelCase", "--private-type-case", "camelCase", - "--doc-text-before-function-name", "", "--doc-newline-before-package-declaration", - "--doc-prepend-header", "Code generated by Fiat Cryptography. DO NOT EDIT.", - "--package-name", "fiat", "--no-prefix-fiat", c.Prefix, "64", c.Prime, - "mul", "square", "add", "sub", "one", "from_montgomery", "to_montgomery", - "selectznz", "to_bytes", "from_bytes") - cmd.Stderr = os.Stderr - out, err := cmd.Output() - if err != nil { - log.Fatal(err) - } - out, err = format.Source(out) - if err != nil { - log.Fatal(err) - } - if err := os.WriteFile(c.Prefix+"_fiat64.go", out, 0644); err != nil { - log.Fatal(err) - } - - log.Printf("Generating %s_invert.go...", c.Prefix) - f, err = os.CreateTemp("", "addchain-"+c.Prefix) - if err != nil { - log.Fatal(err) - } - defer os.Remove(f.Name()) - cmd = exec.Command("addchain", "search", c.Prime+" - 2") - cmd.Stderr = os.Stderr - cmd.Stdout = f - if err := cmd.Run(); err != nil { - log.Fatal(err) - } - if err := f.Close(); err != nil { - log.Fatal(err) - } - cmd = exec.Command("addchain", "gen", "-tmpl", tmplAddchainFile.Name(), f.Name()) - cmd.Stderr = os.Stderr - out, err = cmd.Output() - if err != nil { - log.Fatal(err) - } - out = bytes.Replace(out, []byte("Element"), []byte(c.Element), -1) - out, err = format.Source(out) - if err != nil { - log.Fatal(err) - } - if err := os.WriteFile(c.Prefix+"_invert.go", out, 0644); err != nil { - log.Fatal(err) - } - } -} - -const tmplWrapper = `// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by generate.go. DO NOT EDIT. - -package fiat - -import ( - "crypto/internal/fips140/subtle" - "errors" -) - -// {{ .Element }} is an integer modulo {{ .Prime }}. -// -// The zero value is a valid zero element. -type {{ .Element }} struct { - // Values are represented internally always in the Montgomery domain, and - // converted in Bytes and SetBytes. - x {{ .Prefix }}MontgomeryDomainFieldElement -} - -const {{ .Prefix }}ElementLen = {{ .BytesLen }} - -type {{ .Prefix }}UntypedFieldElement = {{ .FiatType }} - -// One sets e = 1, and returns e. -func (e *{{ .Element }}) One() *{{ .Element }} { - {{ .Prefix }}SetOne(&e.x) - return e -} - -// Equal returns 1 if e == t, and zero otherwise. -func (e *{{ .Element }}) Equal(t *{{ .Element }}) int { - eBytes := e.Bytes() - tBytes := t.Bytes() - return subtle.ConstantTimeCompare(eBytes, tBytes) -} - -// IsZero returns 1 if e == 0, and zero otherwise. -func (e *{{ .Element }}) IsZero() int { - zero := make([]byte, {{ .Prefix }}ElementLen) - eBytes := e.Bytes() - return subtle.ConstantTimeCompare(eBytes, zero) -} - -// Set sets e = t, and returns e. -func (e *{{ .Element }}) Set(t *{{ .Element }}) *{{ .Element }} { - e.x = t.x - return e -} - -// Bytes returns the {{ .BytesLen }}-byte big-endian encoding of e. -func (e *{{ .Element }}) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [{{ .Prefix }}ElementLen]byte - return e.bytes(&out) -} - -func (e *{{ .Element }}) bytes(out *[{{ .Prefix }}ElementLen]byte) []byte { - var tmp {{ .Prefix }}NonMontgomeryDomainFieldElement - {{ .Prefix }}FromMontgomery(&tmp, &e.x) - {{ .Prefix }}ToBytes(out, (*{{ .Prefix }}UntypedFieldElement)(&tmp)) - {{ .Prefix }}InvertEndianness(out[:]) - return out[:] -} - -// SetBytes sets e = v, where v is a big-endian {{ .BytesLen }}-byte encoding, and returns e. -// If v is not {{ .BytesLen }} bytes or it encodes a value higher than {{ .Prime }}, -// SetBytes returns nil and an error, and e is unchanged. -func (e *{{ .Element }}) SetBytes(v []byte) (*{{ .Element }}, error) { - if len(v) != {{ .Prefix }}ElementLen { - return nil, errors.New("invalid {{ .Element }} encoding") - } - - // Check for non-canonical encodings (p + k, 2p + k, etc.) by comparing to - // the encoding of -1 mod p, so p - 1, the highest canonical encoding. - var minusOneEncoding = new({{ .Element }}).Sub( - new({{ .Element }}), new({{ .Element }}).One()).Bytes() - if subtle.ConstantTimeLessOrEqBytes(v, minusOneEncoding) == 0 { - return nil, errors.New("invalid {{ .Element }} encoding") - } - - var in [{{ .Prefix }}ElementLen]byte - copy(in[:], v) - {{ .Prefix }}InvertEndianness(in[:]) - var tmp {{ .Prefix }}NonMontgomeryDomainFieldElement - {{ .Prefix }}FromBytes((*{{ .Prefix }}UntypedFieldElement)(&tmp), &in) - {{ .Prefix }}ToMontgomery(&e.x, &tmp) - return e, nil -} - -// Add sets e = t1 + t2, and returns e. -func (e *{{ .Element }}) Add(t1, t2 *{{ .Element }}) *{{ .Element }} { - {{ .Prefix }}Add(&e.x, &t1.x, &t2.x) - return e -} - -// Sub sets e = t1 - t2, and returns e. -func (e *{{ .Element }}) Sub(t1, t2 *{{ .Element }}) *{{ .Element }} { - {{ .Prefix }}Sub(&e.x, &t1.x, &t2.x) - return e -} - -// Mul sets e = t1 * t2, and returns e. -func (e *{{ .Element }}) Mul(t1, t2 *{{ .Element }}) *{{ .Element }} { - {{ .Prefix }}Mul(&e.x, &t1.x, &t2.x) - return e -} - -// Square sets e = t * t, and returns e. -func (e *{{ .Element }}) Square(t *{{ .Element }}) *{{ .Element }} { - {{ .Prefix }}Square(&e.x, &t.x) - return e -} - -// Select sets v to a if cond == 1, and to b if cond == 0. -func (v *{{ .Element }}) Select(a, b *{{ .Element }}, cond int) *{{ .Element }} { - {{ .Prefix }}Selectznz((*{{ .Prefix }}UntypedFieldElement)(&v.x), {{ .Prefix }}Uint1(cond), - (*{{ .Prefix }}UntypedFieldElement)(&b.x), (*{{ .Prefix }}UntypedFieldElement)(&a.x)) - return v -} - -func {{ .Prefix }}InvertEndianness(v []byte) { - for i := 0; i < len(v)/2; i++ { - v[i], v[len(v)-1-i] = v[len(v)-1-i], v[i] - } -} -` - -const tmplAddchain = `// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by {{ .Meta.Name }}. DO NOT EDIT. - -package fiat - -// Invert sets e = 1/x, and returns e. -// -// If x == 0, Invert returns e = 0. -func (e *Element) Invert(x *Element) *Element { - // Inversion is implemented as exponentiation with exponent p − 2. - // The sequence of {{ .Ops.Adds }} multiplications and {{ .Ops.Doubles }} squarings is derived from the - // following addition chain generated with {{ .Meta.Module }} {{ .Meta.ReleaseTag }}. - // - {{- range lines (format .Script) }} - // {{ . }} - {{- end }} - // - - var z = new(Element).Set(e) - {{- range .Program.Temporaries }} - var {{ . }} = new(Element) - {{- end }} - {{ range $i := .Program.Instructions -}} - {{- with add $i.Op }} - {{ $i.Output }}.Mul({{ .X }}, {{ .Y }}) - {{- end -}} - - {{- with double $i.Op }} - {{ $i.Output }}.Square({{ .X }}) - {{- end -}} - - {{- with shift $i.Op -}} - {{- $first := 0 -}} - {{- if ne $i.Output.Identifier .X.Identifier }} - {{ $i.Output }}.Square({{ .X }}) - {{- $first = 1 -}} - {{- end }} - for s := {{ $first }}; s < {{ .S }}; s++ { - {{ $i.Output }}.Square({{ $i.Output }}) - } - {{- end -}} - {{- end }} - - return e.Set(z) -} -` diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p224.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p224.go deleted file mode 100644 index 335fa42cdad..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p224.go +++ /dev/null @@ -1,129 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by generate.go. DO NOT EDIT. - -package fiat - -import ( - "crypto/internal/fips140/subtle" - "errors" -) - -// P224Element is an integer modulo 2^224 - 2^96 + 1. -// -// The zero value is a valid zero element. -type P224Element struct { - // Values are represented internally always in the Montgomery domain, and - // converted in Bytes and SetBytes. - x p224MontgomeryDomainFieldElement -} - -const p224ElementLen = 28 - -type p224UntypedFieldElement = [4]uint64 - -// One sets e = 1, and returns e. -func (e *P224Element) One() *P224Element { - p224SetOne(&e.x) - return e -} - -// Equal returns 1 if e == t, and zero otherwise. -func (e *P224Element) Equal(t *P224Element) int { - eBytes := e.Bytes() - tBytes := t.Bytes() - return subtle.ConstantTimeCompare(eBytes, tBytes) -} - -// IsZero returns 1 if e == 0, and zero otherwise. -func (e *P224Element) IsZero() int { - zero := make([]byte, p224ElementLen) - eBytes := e.Bytes() - return subtle.ConstantTimeCompare(eBytes, zero) -} - -// Set sets e = t, and returns e. -func (e *P224Element) Set(t *P224Element) *P224Element { - e.x = t.x - return e -} - -// Bytes returns the 28-byte big-endian encoding of e. -func (e *P224Element) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p224ElementLen]byte - return e.bytes(&out) -} - -func (e *P224Element) bytes(out *[p224ElementLen]byte) []byte { - var tmp p224NonMontgomeryDomainFieldElement - p224FromMontgomery(&tmp, &e.x) - p224ToBytes(out, (*p224UntypedFieldElement)(&tmp)) - p224InvertEndianness(out[:]) - return out[:] -} - -// SetBytes sets e = v, where v is a big-endian 28-byte encoding, and returns e. -// If v is not 28 bytes or it encodes a value higher than 2^224 - 2^96 + 1, -// SetBytes returns nil and an error, and e is unchanged. -func (e *P224Element) SetBytes(v []byte) (*P224Element, error) { - if len(v) != p224ElementLen { - return nil, errors.New("invalid P224Element encoding") - } - - // Check for non-canonical encodings (p + k, 2p + k, etc.) by comparing to - // the encoding of -1 mod p, so p - 1, the highest canonical encoding. - var minusOneEncoding = new(P224Element).Sub( - new(P224Element), new(P224Element).One()).Bytes() - if subtle.ConstantTimeLessOrEqBytes(v, minusOneEncoding) == 0 { - return nil, errors.New("invalid P224Element encoding") - } - - var in [p224ElementLen]byte - copy(in[:], v) - p224InvertEndianness(in[:]) - var tmp p224NonMontgomeryDomainFieldElement - p224FromBytes((*p224UntypedFieldElement)(&tmp), &in) - p224ToMontgomery(&e.x, &tmp) - return e, nil -} - -// Add sets e = t1 + t2, and returns e. -func (e *P224Element) Add(t1, t2 *P224Element) *P224Element { - p224Add(&e.x, &t1.x, &t2.x) - return e -} - -// Sub sets e = t1 - t2, and returns e. -func (e *P224Element) Sub(t1, t2 *P224Element) *P224Element { - p224Sub(&e.x, &t1.x, &t2.x) - return e -} - -// Mul sets e = t1 * t2, and returns e. -func (e *P224Element) Mul(t1, t2 *P224Element) *P224Element { - p224Mul(&e.x, &t1.x, &t2.x) - return e -} - -// Square sets e = t * t, and returns e. -func (e *P224Element) Square(t *P224Element) *P224Element { - p224Square(&e.x, &t.x) - return e -} - -// Select sets v to a if cond == 1, and to b if cond == 0. -func (v *P224Element) Select(a, b *P224Element, cond int) *P224Element { - p224Selectznz((*p224UntypedFieldElement)(&v.x), p224Uint1(cond), - (*p224UntypedFieldElement)(&b.x), (*p224UntypedFieldElement)(&a.x)) - return v -} - -func p224InvertEndianness(v []byte) { - for i := 0; i < len(v)/2; i++ { - v[i], v[len(v)-1-i] = v[len(v)-1-i], v[i] - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p224_fiat64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p224_fiat64.go deleted file mode 100644 index 9337bfefef0..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p224_fiat64.go +++ /dev/null @@ -1,1461 +0,0 @@ -// Code generated by Fiat Cryptography. DO NOT EDIT. -// -// Autogenerated: word_by_word_montgomery --lang Go --no-wide-int --cmovznz-by-mul --relax-primitive-carry-to-bitwidth 32,64 --internal-static --public-function-case camelCase --public-type-case camelCase --private-function-case camelCase --private-type-case camelCase --doc-text-before-function-name '' --doc-newline-before-package-declaration --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --package-name fiat --no-prefix-fiat p224 64 '2^224 - 2^96 + 1' mul square add sub one from_montgomery to_montgomery selectznz to_bytes from_bytes -// -// curve description: p224 -// -// machine_wordsize = 64 (from "64") -// -// requested operations: mul, square, add, sub, one, from_montgomery, to_montgomery, selectznz, to_bytes, from_bytes -// -// m = 0xffffffffffffffffffffffffffffffff000000000000000000000001 (from "2^224 - 2^96 + 1") -// -// -// -// NOTE: In addition to the bounds specified above each function, all -// -// functions synthesized for this Montgomery arithmetic require the -// -// input to be strictly less than the prime modulus (m), and also -// -// require the input to be in the unique saturated representation. -// -// All functions also ensure that these two properties are true of -// -// return values. -// -// -// -// Computed values: -// -// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) -// -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) -// -// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in -// -// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 - -package fiat - -import "math/bits" - -type p224Uint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 -type p224Int1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 - -// The type p224MontgomeryDomainFieldElement is a field element in the Montgomery domain. -// -// Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -type p224MontgomeryDomainFieldElement [4]uint64 - -// The type p224NonMontgomeryDomainFieldElement is a field element NOT in the Montgomery domain. -// -// Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -type p224NonMontgomeryDomainFieldElement [4]uint64 - -// p224CmovznzU64 is a single-word conditional move. -// -// Postconditions: -// -// out1 = (if arg1 = 0 then arg2 else arg3) -// -// Input Bounds: -// -// arg1: [0x0 ~> 0x1] -// arg2: [0x0 ~> 0xffffffffffffffff] -// arg3: [0x0 ~> 0xffffffffffffffff] -// -// Output Bounds: -// -// out1: [0x0 ~> 0xffffffffffffffff] -func p224CmovznzU64(out1 *uint64, arg1 p224Uint1, arg2 uint64, arg3 uint64) { - x1 := (uint64(arg1) * 0xffffffffffffffff) - x2 := ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 -} - -// p224Mul multiplies two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p224Mul(out1 *p224MontgomeryDomainFieldElement, arg1 *p224MontgomeryDomainFieldElement, arg2 *p224MontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[0] - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, arg2[3]) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, arg2[2]) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, arg2[1]) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, arg2[0]) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Add64(x12, x9, uint64(0x0)) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Add64(x10, x7, uint64(p224Uint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Add64(x8, x5, uint64(p224Uint1(x16))) - x19 := (uint64(p224Uint1(x18)) + x6) - var x20 uint64 - _, x20 = bits.Mul64(x11, 0xffffffffffffffff) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x20, 0xffffffff) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x20, 0xffffffffffffffff) - var x26 uint64 - var x27 uint64 - x27, x26 = bits.Mul64(x20, 0xffffffff00000000) - var x28 uint64 - var x29 uint64 - x28, x29 = bits.Add64(x27, x24, uint64(0x0)) - var x30 uint64 - var x31 uint64 - x30, x31 = bits.Add64(x25, x22, uint64(p224Uint1(x29))) - x32 := (uint64(p224Uint1(x31)) + x23) - var x34 uint64 - _, x34 = bits.Add64(x11, x20, uint64(0x0)) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Add64(x13, x26, uint64(p224Uint1(x34))) - var x37 uint64 - var x38 uint64 - x37, x38 = bits.Add64(x15, x28, uint64(p224Uint1(x36))) - var x39 uint64 - var x40 uint64 - x39, x40 = bits.Add64(x17, x30, uint64(p224Uint1(x38))) - var x41 uint64 - var x42 uint64 - x41, x42 = bits.Add64(x19, x32, uint64(p224Uint1(x40))) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, arg2[3]) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, arg2[2]) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x1, arg2[1]) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64(x1, arg2[0]) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(x50, x47, uint64(0x0)) - var x53 uint64 - var x54 uint64 - x53, x54 = bits.Add64(x48, x45, uint64(p224Uint1(x52))) - var x55 uint64 - var x56 uint64 - x55, x56 = bits.Add64(x46, x43, uint64(p224Uint1(x54))) - x57 := (uint64(p224Uint1(x56)) + x44) - var x58 uint64 - var x59 uint64 - x58, x59 = bits.Add64(x35, x49, uint64(0x0)) - var x60 uint64 - var x61 uint64 - x60, x61 = bits.Add64(x37, x51, uint64(p224Uint1(x59))) - var x62 uint64 - var x63 uint64 - x62, x63 = bits.Add64(x39, x53, uint64(p224Uint1(x61))) - var x64 uint64 - var x65 uint64 - x64, x65 = bits.Add64(x41, x55, uint64(p224Uint1(x63))) - var x66 uint64 - var x67 uint64 - x66, x67 = bits.Add64(uint64(p224Uint1(x42)), x57, uint64(p224Uint1(x65))) - var x68 uint64 - _, x68 = bits.Mul64(x58, 0xffffffffffffffff) - var x70 uint64 - var x71 uint64 - x71, x70 = bits.Mul64(x68, 0xffffffff) - var x72 uint64 - var x73 uint64 - x73, x72 = bits.Mul64(x68, 0xffffffffffffffff) - var x74 uint64 - var x75 uint64 - x75, x74 = bits.Mul64(x68, 0xffffffff00000000) - var x76 uint64 - var x77 uint64 - x76, x77 = bits.Add64(x75, x72, uint64(0x0)) - var x78 uint64 - var x79 uint64 - x78, x79 = bits.Add64(x73, x70, uint64(p224Uint1(x77))) - x80 := (uint64(p224Uint1(x79)) + x71) - var x82 uint64 - _, x82 = bits.Add64(x58, x68, uint64(0x0)) - var x83 uint64 - var x84 uint64 - x83, x84 = bits.Add64(x60, x74, uint64(p224Uint1(x82))) - var x85 uint64 - var x86 uint64 - x85, x86 = bits.Add64(x62, x76, uint64(p224Uint1(x84))) - var x87 uint64 - var x88 uint64 - x87, x88 = bits.Add64(x64, x78, uint64(p224Uint1(x86))) - var x89 uint64 - var x90 uint64 - x89, x90 = bits.Add64(x66, x80, uint64(p224Uint1(x88))) - x91 := (uint64(p224Uint1(x90)) + uint64(p224Uint1(x67))) - var x92 uint64 - var x93 uint64 - x93, x92 = bits.Mul64(x2, arg2[3]) - var x94 uint64 - var x95 uint64 - x95, x94 = bits.Mul64(x2, arg2[2]) - var x96 uint64 - var x97 uint64 - x97, x96 = bits.Mul64(x2, arg2[1]) - var x98 uint64 - var x99 uint64 - x99, x98 = bits.Mul64(x2, arg2[0]) - var x100 uint64 - var x101 uint64 - x100, x101 = bits.Add64(x99, x96, uint64(0x0)) - var x102 uint64 - var x103 uint64 - x102, x103 = bits.Add64(x97, x94, uint64(p224Uint1(x101))) - var x104 uint64 - var x105 uint64 - x104, x105 = bits.Add64(x95, x92, uint64(p224Uint1(x103))) - x106 := (uint64(p224Uint1(x105)) + x93) - var x107 uint64 - var x108 uint64 - x107, x108 = bits.Add64(x83, x98, uint64(0x0)) - var x109 uint64 - var x110 uint64 - x109, x110 = bits.Add64(x85, x100, uint64(p224Uint1(x108))) - var x111 uint64 - var x112 uint64 - x111, x112 = bits.Add64(x87, x102, uint64(p224Uint1(x110))) - var x113 uint64 - var x114 uint64 - x113, x114 = bits.Add64(x89, x104, uint64(p224Uint1(x112))) - var x115 uint64 - var x116 uint64 - x115, x116 = bits.Add64(x91, x106, uint64(p224Uint1(x114))) - var x117 uint64 - _, x117 = bits.Mul64(x107, 0xffffffffffffffff) - var x119 uint64 - var x120 uint64 - x120, x119 = bits.Mul64(x117, 0xffffffff) - var x121 uint64 - var x122 uint64 - x122, x121 = bits.Mul64(x117, 0xffffffffffffffff) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x117, 0xffffffff00000000) - var x125 uint64 - var x126 uint64 - x125, x126 = bits.Add64(x124, x121, uint64(0x0)) - var x127 uint64 - var x128 uint64 - x127, x128 = bits.Add64(x122, x119, uint64(p224Uint1(x126))) - x129 := (uint64(p224Uint1(x128)) + x120) - var x131 uint64 - _, x131 = bits.Add64(x107, x117, uint64(0x0)) - var x132 uint64 - var x133 uint64 - x132, x133 = bits.Add64(x109, x123, uint64(p224Uint1(x131))) - var x134 uint64 - var x135 uint64 - x134, x135 = bits.Add64(x111, x125, uint64(p224Uint1(x133))) - var x136 uint64 - var x137 uint64 - x136, x137 = bits.Add64(x113, x127, uint64(p224Uint1(x135))) - var x138 uint64 - var x139 uint64 - x138, x139 = bits.Add64(x115, x129, uint64(p224Uint1(x137))) - x140 := (uint64(p224Uint1(x139)) + uint64(p224Uint1(x116))) - var x141 uint64 - var x142 uint64 - x142, x141 = bits.Mul64(x3, arg2[3]) - var x143 uint64 - var x144 uint64 - x144, x143 = bits.Mul64(x3, arg2[2]) - var x145 uint64 - var x146 uint64 - x146, x145 = bits.Mul64(x3, arg2[1]) - var x147 uint64 - var x148 uint64 - x148, x147 = bits.Mul64(x3, arg2[0]) - var x149 uint64 - var x150 uint64 - x149, x150 = bits.Add64(x148, x145, uint64(0x0)) - var x151 uint64 - var x152 uint64 - x151, x152 = bits.Add64(x146, x143, uint64(p224Uint1(x150))) - var x153 uint64 - var x154 uint64 - x153, x154 = bits.Add64(x144, x141, uint64(p224Uint1(x152))) - x155 := (uint64(p224Uint1(x154)) + x142) - var x156 uint64 - var x157 uint64 - x156, x157 = bits.Add64(x132, x147, uint64(0x0)) - var x158 uint64 - var x159 uint64 - x158, x159 = bits.Add64(x134, x149, uint64(p224Uint1(x157))) - var x160 uint64 - var x161 uint64 - x160, x161 = bits.Add64(x136, x151, uint64(p224Uint1(x159))) - var x162 uint64 - var x163 uint64 - x162, x163 = bits.Add64(x138, x153, uint64(p224Uint1(x161))) - var x164 uint64 - var x165 uint64 - x164, x165 = bits.Add64(x140, x155, uint64(p224Uint1(x163))) - var x166 uint64 - _, x166 = bits.Mul64(x156, 0xffffffffffffffff) - var x168 uint64 - var x169 uint64 - x169, x168 = bits.Mul64(x166, 0xffffffff) - var x170 uint64 - var x171 uint64 - x171, x170 = bits.Mul64(x166, 0xffffffffffffffff) - var x172 uint64 - var x173 uint64 - x173, x172 = bits.Mul64(x166, 0xffffffff00000000) - var x174 uint64 - var x175 uint64 - x174, x175 = bits.Add64(x173, x170, uint64(0x0)) - var x176 uint64 - var x177 uint64 - x176, x177 = bits.Add64(x171, x168, uint64(p224Uint1(x175))) - x178 := (uint64(p224Uint1(x177)) + x169) - var x180 uint64 - _, x180 = bits.Add64(x156, x166, uint64(0x0)) - var x181 uint64 - var x182 uint64 - x181, x182 = bits.Add64(x158, x172, uint64(p224Uint1(x180))) - var x183 uint64 - var x184 uint64 - x183, x184 = bits.Add64(x160, x174, uint64(p224Uint1(x182))) - var x185 uint64 - var x186 uint64 - x185, x186 = bits.Add64(x162, x176, uint64(p224Uint1(x184))) - var x187 uint64 - var x188 uint64 - x187, x188 = bits.Add64(x164, x178, uint64(p224Uint1(x186))) - x189 := (uint64(p224Uint1(x188)) + uint64(p224Uint1(x165))) - var x190 uint64 - var x191 uint64 - x190, x191 = bits.Sub64(x181, uint64(0x1), uint64(0x0)) - var x192 uint64 - var x193 uint64 - x192, x193 = bits.Sub64(x183, 0xffffffff00000000, uint64(p224Uint1(x191))) - var x194 uint64 - var x195 uint64 - x194, x195 = bits.Sub64(x185, 0xffffffffffffffff, uint64(p224Uint1(x193))) - var x196 uint64 - var x197 uint64 - x196, x197 = bits.Sub64(x187, 0xffffffff, uint64(p224Uint1(x195))) - var x199 uint64 - _, x199 = bits.Sub64(x189, uint64(0x0), uint64(p224Uint1(x197))) - var x200 uint64 - p224CmovznzU64(&x200, p224Uint1(x199), x190, x181) - var x201 uint64 - p224CmovznzU64(&x201, p224Uint1(x199), x192, x183) - var x202 uint64 - p224CmovznzU64(&x202, p224Uint1(x199), x194, x185) - var x203 uint64 - p224CmovznzU64(&x203, p224Uint1(x199), x196, x187) - out1[0] = x200 - out1[1] = x201 - out1[2] = x202 - out1[3] = x203 -} - -// p224Square squares a field element in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m -// 0 ≤ eval out1 < m -func p224Square(out1 *p224MontgomeryDomainFieldElement, arg1 *p224MontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[0] - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, arg1[3]) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, arg1[2]) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, arg1[1]) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, arg1[0]) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Add64(x12, x9, uint64(0x0)) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Add64(x10, x7, uint64(p224Uint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Add64(x8, x5, uint64(p224Uint1(x16))) - x19 := (uint64(p224Uint1(x18)) + x6) - var x20 uint64 - _, x20 = bits.Mul64(x11, 0xffffffffffffffff) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x20, 0xffffffff) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x20, 0xffffffffffffffff) - var x26 uint64 - var x27 uint64 - x27, x26 = bits.Mul64(x20, 0xffffffff00000000) - var x28 uint64 - var x29 uint64 - x28, x29 = bits.Add64(x27, x24, uint64(0x0)) - var x30 uint64 - var x31 uint64 - x30, x31 = bits.Add64(x25, x22, uint64(p224Uint1(x29))) - x32 := (uint64(p224Uint1(x31)) + x23) - var x34 uint64 - _, x34 = bits.Add64(x11, x20, uint64(0x0)) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Add64(x13, x26, uint64(p224Uint1(x34))) - var x37 uint64 - var x38 uint64 - x37, x38 = bits.Add64(x15, x28, uint64(p224Uint1(x36))) - var x39 uint64 - var x40 uint64 - x39, x40 = bits.Add64(x17, x30, uint64(p224Uint1(x38))) - var x41 uint64 - var x42 uint64 - x41, x42 = bits.Add64(x19, x32, uint64(p224Uint1(x40))) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, arg1[3]) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, arg1[2]) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x1, arg1[1]) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64(x1, arg1[0]) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(x50, x47, uint64(0x0)) - var x53 uint64 - var x54 uint64 - x53, x54 = bits.Add64(x48, x45, uint64(p224Uint1(x52))) - var x55 uint64 - var x56 uint64 - x55, x56 = bits.Add64(x46, x43, uint64(p224Uint1(x54))) - x57 := (uint64(p224Uint1(x56)) + x44) - var x58 uint64 - var x59 uint64 - x58, x59 = bits.Add64(x35, x49, uint64(0x0)) - var x60 uint64 - var x61 uint64 - x60, x61 = bits.Add64(x37, x51, uint64(p224Uint1(x59))) - var x62 uint64 - var x63 uint64 - x62, x63 = bits.Add64(x39, x53, uint64(p224Uint1(x61))) - var x64 uint64 - var x65 uint64 - x64, x65 = bits.Add64(x41, x55, uint64(p224Uint1(x63))) - var x66 uint64 - var x67 uint64 - x66, x67 = bits.Add64(uint64(p224Uint1(x42)), x57, uint64(p224Uint1(x65))) - var x68 uint64 - _, x68 = bits.Mul64(x58, 0xffffffffffffffff) - var x70 uint64 - var x71 uint64 - x71, x70 = bits.Mul64(x68, 0xffffffff) - var x72 uint64 - var x73 uint64 - x73, x72 = bits.Mul64(x68, 0xffffffffffffffff) - var x74 uint64 - var x75 uint64 - x75, x74 = bits.Mul64(x68, 0xffffffff00000000) - var x76 uint64 - var x77 uint64 - x76, x77 = bits.Add64(x75, x72, uint64(0x0)) - var x78 uint64 - var x79 uint64 - x78, x79 = bits.Add64(x73, x70, uint64(p224Uint1(x77))) - x80 := (uint64(p224Uint1(x79)) + x71) - var x82 uint64 - _, x82 = bits.Add64(x58, x68, uint64(0x0)) - var x83 uint64 - var x84 uint64 - x83, x84 = bits.Add64(x60, x74, uint64(p224Uint1(x82))) - var x85 uint64 - var x86 uint64 - x85, x86 = bits.Add64(x62, x76, uint64(p224Uint1(x84))) - var x87 uint64 - var x88 uint64 - x87, x88 = bits.Add64(x64, x78, uint64(p224Uint1(x86))) - var x89 uint64 - var x90 uint64 - x89, x90 = bits.Add64(x66, x80, uint64(p224Uint1(x88))) - x91 := (uint64(p224Uint1(x90)) + uint64(p224Uint1(x67))) - var x92 uint64 - var x93 uint64 - x93, x92 = bits.Mul64(x2, arg1[3]) - var x94 uint64 - var x95 uint64 - x95, x94 = bits.Mul64(x2, arg1[2]) - var x96 uint64 - var x97 uint64 - x97, x96 = bits.Mul64(x2, arg1[1]) - var x98 uint64 - var x99 uint64 - x99, x98 = bits.Mul64(x2, arg1[0]) - var x100 uint64 - var x101 uint64 - x100, x101 = bits.Add64(x99, x96, uint64(0x0)) - var x102 uint64 - var x103 uint64 - x102, x103 = bits.Add64(x97, x94, uint64(p224Uint1(x101))) - var x104 uint64 - var x105 uint64 - x104, x105 = bits.Add64(x95, x92, uint64(p224Uint1(x103))) - x106 := (uint64(p224Uint1(x105)) + x93) - var x107 uint64 - var x108 uint64 - x107, x108 = bits.Add64(x83, x98, uint64(0x0)) - var x109 uint64 - var x110 uint64 - x109, x110 = bits.Add64(x85, x100, uint64(p224Uint1(x108))) - var x111 uint64 - var x112 uint64 - x111, x112 = bits.Add64(x87, x102, uint64(p224Uint1(x110))) - var x113 uint64 - var x114 uint64 - x113, x114 = bits.Add64(x89, x104, uint64(p224Uint1(x112))) - var x115 uint64 - var x116 uint64 - x115, x116 = bits.Add64(x91, x106, uint64(p224Uint1(x114))) - var x117 uint64 - _, x117 = bits.Mul64(x107, 0xffffffffffffffff) - var x119 uint64 - var x120 uint64 - x120, x119 = bits.Mul64(x117, 0xffffffff) - var x121 uint64 - var x122 uint64 - x122, x121 = bits.Mul64(x117, 0xffffffffffffffff) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x117, 0xffffffff00000000) - var x125 uint64 - var x126 uint64 - x125, x126 = bits.Add64(x124, x121, uint64(0x0)) - var x127 uint64 - var x128 uint64 - x127, x128 = bits.Add64(x122, x119, uint64(p224Uint1(x126))) - x129 := (uint64(p224Uint1(x128)) + x120) - var x131 uint64 - _, x131 = bits.Add64(x107, x117, uint64(0x0)) - var x132 uint64 - var x133 uint64 - x132, x133 = bits.Add64(x109, x123, uint64(p224Uint1(x131))) - var x134 uint64 - var x135 uint64 - x134, x135 = bits.Add64(x111, x125, uint64(p224Uint1(x133))) - var x136 uint64 - var x137 uint64 - x136, x137 = bits.Add64(x113, x127, uint64(p224Uint1(x135))) - var x138 uint64 - var x139 uint64 - x138, x139 = bits.Add64(x115, x129, uint64(p224Uint1(x137))) - x140 := (uint64(p224Uint1(x139)) + uint64(p224Uint1(x116))) - var x141 uint64 - var x142 uint64 - x142, x141 = bits.Mul64(x3, arg1[3]) - var x143 uint64 - var x144 uint64 - x144, x143 = bits.Mul64(x3, arg1[2]) - var x145 uint64 - var x146 uint64 - x146, x145 = bits.Mul64(x3, arg1[1]) - var x147 uint64 - var x148 uint64 - x148, x147 = bits.Mul64(x3, arg1[0]) - var x149 uint64 - var x150 uint64 - x149, x150 = bits.Add64(x148, x145, uint64(0x0)) - var x151 uint64 - var x152 uint64 - x151, x152 = bits.Add64(x146, x143, uint64(p224Uint1(x150))) - var x153 uint64 - var x154 uint64 - x153, x154 = bits.Add64(x144, x141, uint64(p224Uint1(x152))) - x155 := (uint64(p224Uint1(x154)) + x142) - var x156 uint64 - var x157 uint64 - x156, x157 = bits.Add64(x132, x147, uint64(0x0)) - var x158 uint64 - var x159 uint64 - x158, x159 = bits.Add64(x134, x149, uint64(p224Uint1(x157))) - var x160 uint64 - var x161 uint64 - x160, x161 = bits.Add64(x136, x151, uint64(p224Uint1(x159))) - var x162 uint64 - var x163 uint64 - x162, x163 = bits.Add64(x138, x153, uint64(p224Uint1(x161))) - var x164 uint64 - var x165 uint64 - x164, x165 = bits.Add64(x140, x155, uint64(p224Uint1(x163))) - var x166 uint64 - _, x166 = bits.Mul64(x156, 0xffffffffffffffff) - var x168 uint64 - var x169 uint64 - x169, x168 = bits.Mul64(x166, 0xffffffff) - var x170 uint64 - var x171 uint64 - x171, x170 = bits.Mul64(x166, 0xffffffffffffffff) - var x172 uint64 - var x173 uint64 - x173, x172 = bits.Mul64(x166, 0xffffffff00000000) - var x174 uint64 - var x175 uint64 - x174, x175 = bits.Add64(x173, x170, uint64(0x0)) - var x176 uint64 - var x177 uint64 - x176, x177 = bits.Add64(x171, x168, uint64(p224Uint1(x175))) - x178 := (uint64(p224Uint1(x177)) + x169) - var x180 uint64 - _, x180 = bits.Add64(x156, x166, uint64(0x0)) - var x181 uint64 - var x182 uint64 - x181, x182 = bits.Add64(x158, x172, uint64(p224Uint1(x180))) - var x183 uint64 - var x184 uint64 - x183, x184 = bits.Add64(x160, x174, uint64(p224Uint1(x182))) - var x185 uint64 - var x186 uint64 - x185, x186 = bits.Add64(x162, x176, uint64(p224Uint1(x184))) - var x187 uint64 - var x188 uint64 - x187, x188 = bits.Add64(x164, x178, uint64(p224Uint1(x186))) - x189 := (uint64(p224Uint1(x188)) + uint64(p224Uint1(x165))) - var x190 uint64 - var x191 uint64 - x190, x191 = bits.Sub64(x181, uint64(0x1), uint64(0x0)) - var x192 uint64 - var x193 uint64 - x192, x193 = bits.Sub64(x183, 0xffffffff00000000, uint64(p224Uint1(x191))) - var x194 uint64 - var x195 uint64 - x194, x195 = bits.Sub64(x185, 0xffffffffffffffff, uint64(p224Uint1(x193))) - var x196 uint64 - var x197 uint64 - x196, x197 = bits.Sub64(x187, 0xffffffff, uint64(p224Uint1(x195))) - var x199 uint64 - _, x199 = bits.Sub64(x189, uint64(0x0), uint64(p224Uint1(x197))) - var x200 uint64 - p224CmovznzU64(&x200, p224Uint1(x199), x190, x181) - var x201 uint64 - p224CmovznzU64(&x201, p224Uint1(x199), x192, x183) - var x202 uint64 - p224CmovznzU64(&x202, p224Uint1(x199), x194, x185) - var x203 uint64 - p224CmovznzU64(&x203, p224Uint1(x199), x196, x187) - out1[0] = x200 - out1[1] = x201 - out1[2] = x202 - out1[3] = x203 -} - -// p224Add adds two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p224Add(out1 *p224MontgomeryDomainFieldElement, arg1 *p224MontgomeryDomainFieldElement, arg2 *p224MontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Add64(arg1[0], arg2[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Add64(arg1[1], arg2[1], uint64(p224Uint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Add64(arg1[2], arg2[2], uint64(p224Uint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Add64(arg1[3], arg2[3], uint64(p224Uint1(x6))) - var x9 uint64 - var x10 uint64 - x9, x10 = bits.Sub64(x1, uint64(0x1), uint64(0x0)) - var x11 uint64 - var x12 uint64 - x11, x12 = bits.Sub64(x3, 0xffffffff00000000, uint64(p224Uint1(x10))) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Sub64(x5, 0xffffffffffffffff, uint64(p224Uint1(x12))) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Sub64(x7, 0xffffffff, uint64(p224Uint1(x14))) - var x18 uint64 - _, x18 = bits.Sub64(uint64(p224Uint1(x8)), uint64(0x0), uint64(p224Uint1(x16))) - var x19 uint64 - p224CmovznzU64(&x19, p224Uint1(x18), x9, x1) - var x20 uint64 - p224CmovznzU64(&x20, p224Uint1(x18), x11, x3) - var x21 uint64 - p224CmovznzU64(&x21, p224Uint1(x18), x13, x5) - var x22 uint64 - p224CmovznzU64(&x22, p224Uint1(x18), x15, x7) - out1[0] = x19 - out1[1] = x20 - out1[2] = x21 - out1[3] = x22 -} - -// p224Sub subtracts two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p224Sub(out1 *p224MontgomeryDomainFieldElement, arg1 *p224MontgomeryDomainFieldElement, arg2 *p224MontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Sub64(arg1[0], arg2[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Sub64(arg1[1], arg2[1], uint64(p224Uint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Sub64(arg1[2], arg2[2], uint64(p224Uint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Sub64(arg1[3], arg2[3], uint64(p224Uint1(x6))) - var x9 uint64 - p224CmovznzU64(&x9, p224Uint1(x8), uint64(0x0), 0xffffffffffffffff) - var x10 uint64 - var x11 uint64 - x10, x11 = bits.Add64(x1, uint64((p224Uint1(x9) & 0x1)), uint64(0x0)) - var x12 uint64 - var x13 uint64 - x12, x13 = bits.Add64(x3, (x9 & 0xffffffff00000000), uint64(p224Uint1(x11))) - var x14 uint64 - var x15 uint64 - x14, x15 = bits.Add64(x5, x9, uint64(p224Uint1(x13))) - var x16 uint64 - x16, _ = bits.Add64(x7, (x9 & 0xffffffff), uint64(p224Uint1(x15))) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 -} - -// p224SetOne returns the field element one in the Montgomery domain. -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = 1 mod m -// 0 ≤ eval out1 < m -func p224SetOne(out1 *p224MontgomeryDomainFieldElement) { - out1[0] = 0xffffffff00000000 - out1[1] = 0xffffffffffffffff - out1[2] = uint64(0x0) - out1[3] = uint64(0x0) -} - -// p224FromMontgomery translates a field element out of the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m -// 0 ≤ eval out1 < m -func p224FromMontgomery(out1 *p224NonMontgomeryDomainFieldElement, arg1 *p224MontgomeryDomainFieldElement) { - x1 := arg1[0] - var x2 uint64 - _, x2 = bits.Mul64(x1, 0xffffffffffffffff) - var x4 uint64 - var x5 uint64 - x5, x4 = bits.Mul64(x2, 0xffffffff) - var x6 uint64 - var x7 uint64 - x7, x6 = bits.Mul64(x2, 0xffffffffffffffff) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x2, 0xffffffff00000000) - var x10 uint64 - var x11 uint64 - x10, x11 = bits.Add64(x9, x6, uint64(0x0)) - var x12 uint64 - var x13 uint64 - x12, x13 = bits.Add64(x7, x4, uint64(p224Uint1(x11))) - var x15 uint64 - _, x15 = bits.Add64(x1, x2, uint64(0x0)) - var x16 uint64 - var x17 uint64 - x16, x17 = bits.Add64(uint64(0x0), x8, uint64(p224Uint1(x15))) - var x18 uint64 - var x19 uint64 - x18, x19 = bits.Add64(uint64(0x0), x10, uint64(p224Uint1(x17))) - var x20 uint64 - var x21 uint64 - x20, x21 = bits.Add64(uint64(0x0), x12, uint64(p224Uint1(x19))) - var x22 uint64 - var x23 uint64 - x22, x23 = bits.Add64(x16, arg1[1], uint64(0x0)) - var x24 uint64 - var x25 uint64 - x24, x25 = bits.Add64(x18, uint64(0x0), uint64(p224Uint1(x23))) - var x26 uint64 - var x27 uint64 - x26, x27 = bits.Add64(x20, uint64(0x0), uint64(p224Uint1(x25))) - var x28 uint64 - _, x28 = bits.Mul64(x22, 0xffffffffffffffff) - var x30 uint64 - var x31 uint64 - x31, x30 = bits.Mul64(x28, 0xffffffff) - var x32 uint64 - var x33 uint64 - x33, x32 = bits.Mul64(x28, 0xffffffffffffffff) - var x34 uint64 - var x35 uint64 - x35, x34 = bits.Mul64(x28, 0xffffffff00000000) - var x36 uint64 - var x37 uint64 - x36, x37 = bits.Add64(x35, x32, uint64(0x0)) - var x38 uint64 - var x39 uint64 - x38, x39 = bits.Add64(x33, x30, uint64(p224Uint1(x37))) - var x41 uint64 - _, x41 = bits.Add64(x22, x28, uint64(0x0)) - var x42 uint64 - var x43 uint64 - x42, x43 = bits.Add64(x24, x34, uint64(p224Uint1(x41))) - var x44 uint64 - var x45 uint64 - x44, x45 = bits.Add64(x26, x36, uint64(p224Uint1(x43))) - var x46 uint64 - var x47 uint64 - x46, x47 = bits.Add64((uint64(p224Uint1(x27)) + (uint64(p224Uint1(x21)) + (uint64(p224Uint1(x13)) + x5))), x38, uint64(p224Uint1(x45))) - var x48 uint64 - var x49 uint64 - x48, x49 = bits.Add64(x42, arg1[2], uint64(0x0)) - var x50 uint64 - var x51 uint64 - x50, x51 = bits.Add64(x44, uint64(0x0), uint64(p224Uint1(x49))) - var x52 uint64 - var x53 uint64 - x52, x53 = bits.Add64(x46, uint64(0x0), uint64(p224Uint1(x51))) - var x54 uint64 - _, x54 = bits.Mul64(x48, 0xffffffffffffffff) - var x56 uint64 - var x57 uint64 - x57, x56 = bits.Mul64(x54, 0xffffffff) - var x58 uint64 - var x59 uint64 - x59, x58 = bits.Mul64(x54, 0xffffffffffffffff) - var x60 uint64 - var x61 uint64 - x61, x60 = bits.Mul64(x54, 0xffffffff00000000) - var x62 uint64 - var x63 uint64 - x62, x63 = bits.Add64(x61, x58, uint64(0x0)) - var x64 uint64 - var x65 uint64 - x64, x65 = bits.Add64(x59, x56, uint64(p224Uint1(x63))) - var x67 uint64 - _, x67 = bits.Add64(x48, x54, uint64(0x0)) - var x68 uint64 - var x69 uint64 - x68, x69 = bits.Add64(x50, x60, uint64(p224Uint1(x67))) - var x70 uint64 - var x71 uint64 - x70, x71 = bits.Add64(x52, x62, uint64(p224Uint1(x69))) - var x72 uint64 - var x73 uint64 - x72, x73 = bits.Add64((uint64(p224Uint1(x53)) + (uint64(p224Uint1(x47)) + (uint64(p224Uint1(x39)) + x31))), x64, uint64(p224Uint1(x71))) - var x74 uint64 - var x75 uint64 - x74, x75 = bits.Add64(x68, arg1[3], uint64(0x0)) - var x76 uint64 - var x77 uint64 - x76, x77 = bits.Add64(x70, uint64(0x0), uint64(p224Uint1(x75))) - var x78 uint64 - var x79 uint64 - x78, x79 = bits.Add64(x72, uint64(0x0), uint64(p224Uint1(x77))) - var x80 uint64 - _, x80 = bits.Mul64(x74, 0xffffffffffffffff) - var x82 uint64 - var x83 uint64 - x83, x82 = bits.Mul64(x80, 0xffffffff) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64(x80, 0xffffffffffffffff) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64(x80, 0xffffffff00000000) - var x88 uint64 - var x89 uint64 - x88, x89 = bits.Add64(x87, x84, uint64(0x0)) - var x90 uint64 - var x91 uint64 - x90, x91 = bits.Add64(x85, x82, uint64(p224Uint1(x89))) - var x93 uint64 - _, x93 = bits.Add64(x74, x80, uint64(0x0)) - var x94 uint64 - var x95 uint64 - x94, x95 = bits.Add64(x76, x86, uint64(p224Uint1(x93))) - var x96 uint64 - var x97 uint64 - x96, x97 = bits.Add64(x78, x88, uint64(p224Uint1(x95))) - var x98 uint64 - var x99 uint64 - x98, x99 = bits.Add64((uint64(p224Uint1(x79)) + (uint64(p224Uint1(x73)) + (uint64(p224Uint1(x65)) + x57))), x90, uint64(p224Uint1(x97))) - x100 := (uint64(p224Uint1(x99)) + (uint64(p224Uint1(x91)) + x83)) - var x101 uint64 - var x102 uint64 - x101, x102 = bits.Sub64(x94, uint64(0x1), uint64(0x0)) - var x103 uint64 - var x104 uint64 - x103, x104 = bits.Sub64(x96, 0xffffffff00000000, uint64(p224Uint1(x102))) - var x105 uint64 - var x106 uint64 - x105, x106 = bits.Sub64(x98, 0xffffffffffffffff, uint64(p224Uint1(x104))) - var x107 uint64 - var x108 uint64 - x107, x108 = bits.Sub64(x100, 0xffffffff, uint64(p224Uint1(x106))) - var x110 uint64 - _, x110 = bits.Sub64(uint64(0x0), uint64(0x0), uint64(p224Uint1(x108))) - var x111 uint64 - p224CmovznzU64(&x111, p224Uint1(x110), x101, x94) - var x112 uint64 - p224CmovznzU64(&x112, p224Uint1(x110), x103, x96) - var x113 uint64 - p224CmovznzU64(&x113, p224Uint1(x110), x105, x98) - var x114 uint64 - p224CmovznzU64(&x114, p224Uint1(x110), x107, x100) - out1[0] = x111 - out1[1] = x112 - out1[2] = x113 - out1[3] = x114 -} - -// p224ToMontgomery translates a field element into the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = eval arg1 mod m -// 0 ≤ eval out1 < m -func p224ToMontgomery(out1 *p224MontgomeryDomainFieldElement, arg1 *p224NonMontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[0] - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, 0xffffffff) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, 0xfffffffe00000000) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, 0xffffffff00000000) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, 0xffffffff00000001) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Add64(x12, x9, uint64(0x0)) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Add64(x10, x7, uint64(p224Uint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Add64(x8, x5, uint64(p224Uint1(x16))) - var x19 uint64 - _, x19 = bits.Mul64(x11, 0xffffffffffffffff) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64(x19, 0xffffffff) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64(x19, 0xffffffffffffffff) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64(x19, 0xffffffff00000000) - var x27 uint64 - var x28 uint64 - x27, x28 = bits.Add64(x26, x23, uint64(0x0)) - var x29 uint64 - var x30 uint64 - x29, x30 = bits.Add64(x24, x21, uint64(p224Uint1(x28))) - var x32 uint64 - _, x32 = bits.Add64(x11, x19, uint64(0x0)) - var x33 uint64 - var x34 uint64 - x33, x34 = bits.Add64(x13, x25, uint64(p224Uint1(x32))) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Add64(x15, x27, uint64(p224Uint1(x34))) - var x37 uint64 - var x38 uint64 - x37, x38 = bits.Add64(x17, x29, uint64(p224Uint1(x36))) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x1, 0xffffffff) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x1, 0xfffffffe00000000) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, 0xffffffff00000000) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, 0xffffffff00000001) - var x47 uint64 - var x48 uint64 - x47, x48 = bits.Add64(x46, x43, uint64(0x0)) - var x49 uint64 - var x50 uint64 - x49, x50 = bits.Add64(x44, x41, uint64(p224Uint1(x48))) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(x42, x39, uint64(p224Uint1(x50))) - var x53 uint64 - var x54 uint64 - x53, x54 = bits.Add64(x33, x45, uint64(0x0)) - var x55 uint64 - var x56 uint64 - x55, x56 = bits.Add64(x35, x47, uint64(p224Uint1(x54))) - var x57 uint64 - var x58 uint64 - x57, x58 = bits.Add64(x37, x49, uint64(p224Uint1(x56))) - var x59 uint64 - var x60 uint64 - x59, x60 = bits.Add64(((uint64(p224Uint1(x38)) + (uint64(p224Uint1(x18)) + x6)) + (uint64(p224Uint1(x30)) + x22)), x51, uint64(p224Uint1(x58))) - var x61 uint64 - _, x61 = bits.Mul64(x53, 0xffffffffffffffff) - var x63 uint64 - var x64 uint64 - x64, x63 = bits.Mul64(x61, 0xffffffff) - var x65 uint64 - var x66 uint64 - x66, x65 = bits.Mul64(x61, 0xffffffffffffffff) - var x67 uint64 - var x68 uint64 - x68, x67 = bits.Mul64(x61, 0xffffffff00000000) - var x69 uint64 - var x70 uint64 - x69, x70 = bits.Add64(x68, x65, uint64(0x0)) - var x71 uint64 - var x72 uint64 - x71, x72 = bits.Add64(x66, x63, uint64(p224Uint1(x70))) - var x74 uint64 - _, x74 = bits.Add64(x53, x61, uint64(0x0)) - var x75 uint64 - var x76 uint64 - x75, x76 = bits.Add64(x55, x67, uint64(p224Uint1(x74))) - var x77 uint64 - var x78 uint64 - x77, x78 = bits.Add64(x57, x69, uint64(p224Uint1(x76))) - var x79 uint64 - var x80 uint64 - x79, x80 = bits.Add64(x59, x71, uint64(p224Uint1(x78))) - var x81 uint64 - var x82 uint64 - x82, x81 = bits.Mul64(x2, 0xffffffff) - var x83 uint64 - var x84 uint64 - x84, x83 = bits.Mul64(x2, 0xfffffffe00000000) - var x85 uint64 - var x86 uint64 - x86, x85 = bits.Mul64(x2, 0xffffffff00000000) - var x87 uint64 - var x88 uint64 - x88, x87 = bits.Mul64(x2, 0xffffffff00000001) - var x89 uint64 - var x90 uint64 - x89, x90 = bits.Add64(x88, x85, uint64(0x0)) - var x91 uint64 - var x92 uint64 - x91, x92 = bits.Add64(x86, x83, uint64(p224Uint1(x90))) - var x93 uint64 - var x94 uint64 - x93, x94 = bits.Add64(x84, x81, uint64(p224Uint1(x92))) - var x95 uint64 - var x96 uint64 - x95, x96 = bits.Add64(x75, x87, uint64(0x0)) - var x97 uint64 - var x98 uint64 - x97, x98 = bits.Add64(x77, x89, uint64(p224Uint1(x96))) - var x99 uint64 - var x100 uint64 - x99, x100 = bits.Add64(x79, x91, uint64(p224Uint1(x98))) - var x101 uint64 - var x102 uint64 - x101, x102 = bits.Add64(((uint64(p224Uint1(x80)) + (uint64(p224Uint1(x60)) + (uint64(p224Uint1(x52)) + x40))) + (uint64(p224Uint1(x72)) + x64)), x93, uint64(p224Uint1(x100))) - var x103 uint64 - _, x103 = bits.Mul64(x95, 0xffffffffffffffff) - var x105 uint64 - var x106 uint64 - x106, x105 = bits.Mul64(x103, 0xffffffff) - var x107 uint64 - var x108 uint64 - x108, x107 = bits.Mul64(x103, 0xffffffffffffffff) - var x109 uint64 - var x110 uint64 - x110, x109 = bits.Mul64(x103, 0xffffffff00000000) - var x111 uint64 - var x112 uint64 - x111, x112 = bits.Add64(x110, x107, uint64(0x0)) - var x113 uint64 - var x114 uint64 - x113, x114 = bits.Add64(x108, x105, uint64(p224Uint1(x112))) - var x116 uint64 - _, x116 = bits.Add64(x95, x103, uint64(0x0)) - var x117 uint64 - var x118 uint64 - x117, x118 = bits.Add64(x97, x109, uint64(p224Uint1(x116))) - var x119 uint64 - var x120 uint64 - x119, x120 = bits.Add64(x99, x111, uint64(p224Uint1(x118))) - var x121 uint64 - var x122 uint64 - x121, x122 = bits.Add64(x101, x113, uint64(p224Uint1(x120))) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x3, 0xffffffff) - var x125 uint64 - var x126 uint64 - x126, x125 = bits.Mul64(x3, 0xfffffffe00000000) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64(x3, 0xffffffff00000000) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x3, 0xffffffff00000001) - var x131 uint64 - var x132 uint64 - x131, x132 = bits.Add64(x130, x127, uint64(0x0)) - var x133 uint64 - var x134 uint64 - x133, x134 = bits.Add64(x128, x125, uint64(p224Uint1(x132))) - var x135 uint64 - var x136 uint64 - x135, x136 = bits.Add64(x126, x123, uint64(p224Uint1(x134))) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x117, x129, uint64(0x0)) - var x139 uint64 - var x140 uint64 - x139, x140 = bits.Add64(x119, x131, uint64(p224Uint1(x138))) - var x141 uint64 - var x142 uint64 - x141, x142 = bits.Add64(x121, x133, uint64(p224Uint1(x140))) - var x143 uint64 - var x144 uint64 - x143, x144 = bits.Add64(((uint64(p224Uint1(x122)) + (uint64(p224Uint1(x102)) + (uint64(p224Uint1(x94)) + x82))) + (uint64(p224Uint1(x114)) + x106)), x135, uint64(p224Uint1(x142))) - var x145 uint64 - _, x145 = bits.Mul64(x137, 0xffffffffffffffff) - var x147 uint64 - var x148 uint64 - x148, x147 = bits.Mul64(x145, 0xffffffff) - var x149 uint64 - var x150 uint64 - x150, x149 = bits.Mul64(x145, 0xffffffffffffffff) - var x151 uint64 - var x152 uint64 - x152, x151 = bits.Mul64(x145, 0xffffffff00000000) - var x153 uint64 - var x154 uint64 - x153, x154 = bits.Add64(x152, x149, uint64(0x0)) - var x155 uint64 - var x156 uint64 - x155, x156 = bits.Add64(x150, x147, uint64(p224Uint1(x154))) - var x158 uint64 - _, x158 = bits.Add64(x137, x145, uint64(0x0)) - var x159 uint64 - var x160 uint64 - x159, x160 = bits.Add64(x139, x151, uint64(p224Uint1(x158))) - var x161 uint64 - var x162 uint64 - x161, x162 = bits.Add64(x141, x153, uint64(p224Uint1(x160))) - var x163 uint64 - var x164 uint64 - x163, x164 = bits.Add64(x143, x155, uint64(p224Uint1(x162))) - x165 := ((uint64(p224Uint1(x164)) + (uint64(p224Uint1(x144)) + (uint64(p224Uint1(x136)) + x124))) + (uint64(p224Uint1(x156)) + x148)) - var x166 uint64 - var x167 uint64 - x166, x167 = bits.Sub64(x159, uint64(0x1), uint64(0x0)) - var x168 uint64 - var x169 uint64 - x168, x169 = bits.Sub64(x161, 0xffffffff00000000, uint64(p224Uint1(x167))) - var x170 uint64 - var x171 uint64 - x170, x171 = bits.Sub64(x163, 0xffffffffffffffff, uint64(p224Uint1(x169))) - var x172 uint64 - var x173 uint64 - x172, x173 = bits.Sub64(x165, 0xffffffff, uint64(p224Uint1(x171))) - var x175 uint64 - _, x175 = bits.Sub64(uint64(0x0), uint64(0x0), uint64(p224Uint1(x173))) - var x176 uint64 - p224CmovznzU64(&x176, p224Uint1(x175), x166, x159) - var x177 uint64 - p224CmovznzU64(&x177, p224Uint1(x175), x168, x161) - var x178 uint64 - p224CmovznzU64(&x178, p224Uint1(x175), x170, x163) - var x179 uint64 - p224CmovznzU64(&x179, p224Uint1(x175), x172, x165) - out1[0] = x176 - out1[1] = x177 - out1[2] = x178 - out1[3] = x179 -} - -// p224Selectznz is a multi-limb conditional select. -// -// Postconditions: -// -// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) -// -// Input Bounds: -// -// arg1: [0x0 ~> 0x1] -// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -func p224Selectznz(out1 *[4]uint64, arg1 p224Uint1, arg2 *[4]uint64, arg3 *[4]uint64) { - var x1 uint64 - p224CmovznzU64(&x1, arg1, arg2[0], arg3[0]) - var x2 uint64 - p224CmovznzU64(&x2, arg1, arg2[1], arg3[1]) - var x3 uint64 - p224CmovznzU64(&x3, arg1, arg2[2], arg3[2]) - var x4 uint64 - p224CmovznzU64(&x4, arg1, arg2[3], arg3[3]) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 -} - -// p224ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..27] -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] -func p224ToBytes(out1 *[28]uint8, arg1 *[4]uint64) { - x1 := arg1[3] - x2 := arg1[2] - x3 := arg1[1] - x4 := arg1[0] - x5 := (uint8(x4) & 0xff) - x6 := (x4 >> 8) - x7 := (uint8(x6) & 0xff) - x8 := (x6 >> 8) - x9 := (uint8(x8) & 0xff) - x10 := (x8 >> 8) - x11 := (uint8(x10) & 0xff) - x12 := (x10 >> 8) - x13 := (uint8(x12) & 0xff) - x14 := (x12 >> 8) - x15 := (uint8(x14) & 0xff) - x16 := (x14 >> 8) - x17 := (uint8(x16) & 0xff) - x18 := uint8((x16 >> 8)) - x19 := (uint8(x3) & 0xff) - x20 := (x3 >> 8) - x21 := (uint8(x20) & 0xff) - x22 := (x20 >> 8) - x23 := (uint8(x22) & 0xff) - x24 := (x22 >> 8) - x25 := (uint8(x24) & 0xff) - x26 := (x24 >> 8) - x27 := (uint8(x26) & 0xff) - x28 := (x26 >> 8) - x29 := (uint8(x28) & 0xff) - x30 := (x28 >> 8) - x31 := (uint8(x30) & 0xff) - x32 := uint8((x30 >> 8)) - x33 := (uint8(x2) & 0xff) - x34 := (x2 >> 8) - x35 := (uint8(x34) & 0xff) - x36 := (x34 >> 8) - x37 := (uint8(x36) & 0xff) - x38 := (x36 >> 8) - x39 := (uint8(x38) & 0xff) - x40 := (x38 >> 8) - x41 := (uint8(x40) & 0xff) - x42 := (x40 >> 8) - x43 := (uint8(x42) & 0xff) - x44 := (x42 >> 8) - x45 := (uint8(x44) & 0xff) - x46 := uint8((x44 >> 8)) - x47 := (uint8(x1) & 0xff) - x48 := (x1 >> 8) - x49 := (uint8(x48) & 0xff) - x50 := (x48 >> 8) - x51 := (uint8(x50) & 0xff) - x52 := uint8((x50 >> 8)) - out1[0] = x5 - out1[1] = x7 - out1[2] = x9 - out1[3] = x11 - out1[4] = x13 - out1[5] = x15 - out1[6] = x17 - out1[7] = x18 - out1[8] = x19 - out1[9] = x21 - out1[10] = x23 - out1[11] = x25 - out1[12] = x27 - out1[13] = x29 - out1[14] = x31 - out1[15] = x32 - out1[16] = x33 - out1[17] = x35 - out1[18] = x37 - out1[19] = x39 - out1[20] = x41 - out1[21] = x43 - out1[22] = x45 - out1[23] = x46 - out1[24] = x47 - out1[25] = x49 - out1[26] = x51 - out1[27] = x52 -} - -// p224FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. -// -// Preconditions: -// -// 0 ≤ bytes_eval arg1 < m -// -// Postconditions: -// -// eval out1 mod m = bytes_eval arg1 mod m -// 0 ≤ eval out1 < m -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffff]] -func p224FromBytes(out1 *[4]uint64, arg1 *[28]uint8) { - x1 := (uint64(arg1[27]) << 24) - x2 := (uint64(arg1[26]) << 16) - x3 := (uint64(arg1[25]) << 8) - x4 := arg1[24] - x5 := (uint64(arg1[23]) << 56) - x6 := (uint64(arg1[22]) << 48) - x7 := (uint64(arg1[21]) << 40) - x8 := (uint64(arg1[20]) << 32) - x9 := (uint64(arg1[19]) << 24) - x10 := (uint64(arg1[18]) << 16) - x11 := (uint64(arg1[17]) << 8) - x12 := arg1[16] - x13 := (uint64(arg1[15]) << 56) - x14 := (uint64(arg1[14]) << 48) - x15 := (uint64(arg1[13]) << 40) - x16 := (uint64(arg1[12]) << 32) - x17 := (uint64(arg1[11]) << 24) - x18 := (uint64(arg1[10]) << 16) - x19 := (uint64(arg1[9]) << 8) - x20 := arg1[8] - x21 := (uint64(arg1[7]) << 56) - x22 := (uint64(arg1[6]) << 48) - x23 := (uint64(arg1[5]) << 40) - x24 := (uint64(arg1[4]) << 32) - x25 := (uint64(arg1[3]) << 24) - x26 := (uint64(arg1[2]) << 16) - x27 := (uint64(arg1[1]) << 8) - x28 := arg1[0] - x29 := (x27 + uint64(x28)) - x30 := (x26 + x29) - x31 := (x25 + x30) - x32 := (x24 + x31) - x33 := (x23 + x32) - x34 := (x22 + x33) - x35 := (x21 + x34) - x36 := (x19 + uint64(x20)) - x37 := (x18 + x36) - x38 := (x17 + x37) - x39 := (x16 + x38) - x40 := (x15 + x39) - x41 := (x14 + x40) - x42 := (x13 + x41) - x43 := (x11 + uint64(x12)) - x44 := (x10 + x43) - x45 := (x9 + x44) - x46 := (x8 + x45) - x47 := (x7 + x46) - x48 := (x6 + x47) - x49 := (x5 + x48) - x50 := (x3 + uint64(x4)) - x51 := (x2 + x50) - x52 := (x1 + x51) - out1[0] = x35 - out1[1] = x42 - out1[2] = x49 - out1[3] = x52 -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p224_invert.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p224_invert.go deleted file mode 100644 index 3cf528639ff..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p224_invert.go +++ /dev/null @@ -1,87 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by addchain. DO NOT EDIT. - -package fiat - -// Invert sets e = 1/x, and returns e. -// -// If x == 0, Invert returns e = 0. -func (e *P224Element) Invert(x *P224Element) *P224Element { - // Inversion is implemented as exponentiation with exponent p − 2. - // The sequence of 11 multiplications and 223 squarings is derived from the - // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. - // - // _10 = 2*1 - // _11 = 1 + _10 - // _110 = 2*_11 - // _111 = 1 + _110 - // _111000 = _111 << 3 - // _111111 = _111 + _111000 - // x12 = _111111 << 6 + _111111 - // x14 = x12 << 2 + _11 - // x17 = x14 << 3 + _111 - // x31 = x17 << 14 + x14 - // x48 = x31 << 17 + x17 - // x96 = x48 << 48 + x48 - // x127 = x96 << 31 + x31 - // return x127 << 97 + x96 - // - - var z = new(P224Element).Set(e) - var t0 = new(P224Element) - var t1 = new(P224Element) - var t2 = new(P224Element) - - z.Square(x) - t0.Mul(x, z) - z.Square(t0) - z.Mul(x, z) - t1.Square(z) - for s := 1; s < 3; s++ { - t1.Square(t1) - } - t1.Mul(z, t1) - t2.Square(t1) - for s := 1; s < 6; s++ { - t2.Square(t2) - } - t1.Mul(t1, t2) - for s := 0; s < 2; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - t1.Square(t0) - for s := 1; s < 3; s++ { - t1.Square(t1) - } - z.Mul(z, t1) - t1.Square(z) - for s := 1; s < 14; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - t1.Square(t0) - for s := 1; s < 17; s++ { - t1.Square(t1) - } - z.Mul(z, t1) - t1.Square(z) - for s := 1; s < 48; s++ { - t1.Square(t1) - } - z.Mul(z, t1) - t1.Square(z) - for s := 1; s < 31; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - for s := 0; s < 97; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - - return e.Set(z) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p256.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p256.go deleted file mode 100644 index 2301656b591..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p256.go +++ /dev/null @@ -1,129 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by generate.go. DO NOT EDIT. - -package fiat - -import ( - "crypto/internal/fips140/subtle" - "errors" -) - -// P256Element is an integer modulo 2^256 - 2^224 + 2^192 + 2^96 - 1. -// -// The zero value is a valid zero element. -type P256Element struct { - // Values are represented internally always in the Montgomery domain, and - // converted in Bytes and SetBytes. - x p256MontgomeryDomainFieldElement -} - -const p256ElementLen = 32 - -type p256UntypedFieldElement = [4]uint64 - -// One sets e = 1, and returns e. -func (e *P256Element) One() *P256Element { - p256SetOne(&e.x) - return e -} - -// Equal returns 1 if e == t, and zero otherwise. -func (e *P256Element) Equal(t *P256Element) int { - eBytes := e.Bytes() - tBytes := t.Bytes() - return subtle.ConstantTimeCompare(eBytes, tBytes) -} - -// IsZero returns 1 if e == 0, and zero otherwise. -func (e *P256Element) IsZero() int { - zero := make([]byte, p256ElementLen) - eBytes := e.Bytes() - return subtle.ConstantTimeCompare(eBytes, zero) -} - -// Set sets e = t, and returns e. -func (e *P256Element) Set(t *P256Element) *P256Element { - e.x = t.x - return e -} - -// Bytes returns the 32-byte big-endian encoding of e. -func (e *P256Element) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p256ElementLen]byte - return e.bytes(&out) -} - -func (e *P256Element) bytes(out *[p256ElementLen]byte) []byte { - var tmp p256NonMontgomeryDomainFieldElement - p256FromMontgomery(&tmp, &e.x) - p256ToBytes(out, (*p256UntypedFieldElement)(&tmp)) - p256InvertEndianness(out[:]) - return out[:] -} - -// SetBytes sets e = v, where v is a big-endian 32-byte encoding, and returns e. -// If v is not 32 bytes or it encodes a value higher than 2^256 - 2^224 + 2^192 + 2^96 - 1, -// SetBytes returns nil and an error, and e is unchanged. -func (e *P256Element) SetBytes(v []byte) (*P256Element, error) { - if len(v) != p256ElementLen { - return nil, errors.New("invalid P256Element encoding") - } - - // Check for non-canonical encodings (p + k, 2p + k, etc.) by comparing to - // the encoding of -1 mod p, so p - 1, the highest canonical encoding. - var minusOneEncoding = new(P256Element).Sub( - new(P256Element), new(P256Element).One()).Bytes() - if subtle.ConstantTimeLessOrEqBytes(v, minusOneEncoding) == 0 { - return nil, errors.New("invalid P256Element encoding") - } - - var in [p256ElementLen]byte - copy(in[:], v) - p256InvertEndianness(in[:]) - var tmp p256NonMontgomeryDomainFieldElement - p256FromBytes((*p256UntypedFieldElement)(&tmp), &in) - p256ToMontgomery(&e.x, &tmp) - return e, nil -} - -// Add sets e = t1 + t2, and returns e. -func (e *P256Element) Add(t1, t2 *P256Element) *P256Element { - p256Add(&e.x, &t1.x, &t2.x) - return e -} - -// Sub sets e = t1 - t2, and returns e. -func (e *P256Element) Sub(t1, t2 *P256Element) *P256Element { - p256Sub(&e.x, &t1.x, &t2.x) - return e -} - -// Mul sets e = t1 * t2, and returns e. -func (e *P256Element) Mul(t1, t2 *P256Element) *P256Element { - p256Mul(&e.x, &t1.x, &t2.x) - return e -} - -// Square sets e = t * t, and returns e. -func (e *P256Element) Square(t *P256Element) *P256Element { - p256Square(&e.x, &t.x) - return e -} - -// Select sets v to a if cond == 1, and to b if cond == 0. -func (v *P256Element) Select(a, b *P256Element, cond int) *P256Element { - p256Selectznz((*p256UntypedFieldElement)(&v.x), p256Uint1(cond), - (*p256UntypedFieldElement)(&b.x), (*p256UntypedFieldElement)(&a.x)) - return v -} - -func p256InvertEndianness(v []byte) { - for i := 0; i < len(v)/2; i++ { - v[i], v[len(v)-1-i] = v[len(v)-1-i], v[i] - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p256_fiat64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p256_fiat64.go deleted file mode 100644 index 75352d5d267..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p256_fiat64.go +++ /dev/null @@ -1,1400 +0,0 @@ -// Code generated by Fiat Cryptography. DO NOT EDIT. -// -// Autogenerated: word_by_word_montgomery --lang Go --no-wide-int --cmovznz-by-mul --relax-primitive-carry-to-bitwidth 32,64 --internal-static --public-function-case camelCase --public-type-case camelCase --private-function-case camelCase --private-type-case camelCase --doc-text-before-function-name '' --doc-newline-before-package-declaration --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --package-name fiat --no-prefix-fiat p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub one from_montgomery to_montgomery selectznz to_bytes from_bytes -// -// curve description: p256 -// -// machine_wordsize = 64 (from "64") -// -// requested operations: mul, square, add, sub, one, from_montgomery, to_montgomery, selectznz, to_bytes, from_bytes -// -// m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") -// -// -// -// NOTE: In addition to the bounds specified above each function, all -// -// functions synthesized for this Montgomery arithmetic require the -// -// input to be strictly less than the prime modulus (m), and also -// -// require the input to be in the unique saturated representation. -// -// All functions also ensure that these two properties are true of -// -// return values. -// -// -// -// Computed values: -// -// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) -// -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) -// -// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in -// -// if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 - -package fiat - -import "math/bits" - -type p256Uint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 -type p256Int1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 - -// The type p256MontgomeryDomainFieldElement is a field element in the Montgomery domain. -// -// Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -type p256MontgomeryDomainFieldElement [4]uint64 - -// The type p256NonMontgomeryDomainFieldElement is a field element NOT in the Montgomery domain. -// -// Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -type p256NonMontgomeryDomainFieldElement [4]uint64 - -// p256CmovznzU64 is a single-word conditional move. -// -// Postconditions: -// -// out1 = (if arg1 = 0 then arg2 else arg3) -// -// Input Bounds: -// -// arg1: [0x0 ~> 0x1] -// arg2: [0x0 ~> 0xffffffffffffffff] -// arg3: [0x0 ~> 0xffffffffffffffff] -// -// Output Bounds: -// -// out1: [0x0 ~> 0xffffffffffffffff] -func p256CmovznzU64(out1 *uint64, arg1 p256Uint1, arg2 uint64, arg3 uint64) { - x1 := (uint64(arg1) * 0xffffffffffffffff) - x2 := ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 -} - -// p256Mul multiplies two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p256Mul(out1 *p256MontgomeryDomainFieldElement, arg1 *p256MontgomeryDomainFieldElement, arg2 *p256MontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[0] - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, arg2[3]) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, arg2[2]) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, arg2[1]) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, arg2[0]) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Add64(x12, x9, uint64(0x0)) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Add64(x10, x7, uint64(p256Uint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Add64(x8, x5, uint64(p256Uint1(x16))) - x19 := (uint64(p256Uint1(x18)) + x6) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x11, 0xffffffff00000001) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x11, 0xffffffff) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x11, 0xffffffffffffffff) - var x26 uint64 - var x27 uint64 - x26, x27 = bits.Add64(x25, x22, uint64(0x0)) - x28 := (uint64(p256Uint1(x27)) + x23) - var x30 uint64 - _, x30 = bits.Add64(x11, x24, uint64(0x0)) - var x31 uint64 - var x32 uint64 - x31, x32 = bits.Add64(x13, x26, uint64(p256Uint1(x30))) - var x33 uint64 - var x34 uint64 - x33, x34 = bits.Add64(x15, x28, uint64(p256Uint1(x32))) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Add64(x17, x20, uint64(p256Uint1(x34))) - var x37 uint64 - var x38 uint64 - x37, x38 = bits.Add64(x19, x21, uint64(p256Uint1(x36))) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x1, arg2[3]) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x1, arg2[2]) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, arg2[1]) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, arg2[0]) - var x47 uint64 - var x48 uint64 - x47, x48 = bits.Add64(x46, x43, uint64(0x0)) - var x49 uint64 - var x50 uint64 - x49, x50 = bits.Add64(x44, x41, uint64(p256Uint1(x48))) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(x42, x39, uint64(p256Uint1(x50))) - x53 := (uint64(p256Uint1(x52)) + x40) - var x54 uint64 - var x55 uint64 - x54, x55 = bits.Add64(x31, x45, uint64(0x0)) - var x56 uint64 - var x57 uint64 - x56, x57 = bits.Add64(x33, x47, uint64(p256Uint1(x55))) - var x58 uint64 - var x59 uint64 - x58, x59 = bits.Add64(x35, x49, uint64(p256Uint1(x57))) - var x60 uint64 - var x61 uint64 - x60, x61 = bits.Add64(x37, x51, uint64(p256Uint1(x59))) - var x62 uint64 - var x63 uint64 - x62, x63 = bits.Add64(uint64(p256Uint1(x38)), x53, uint64(p256Uint1(x61))) - var x64 uint64 - var x65 uint64 - x65, x64 = bits.Mul64(x54, 0xffffffff00000001) - var x66 uint64 - var x67 uint64 - x67, x66 = bits.Mul64(x54, 0xffffffff) - var x68 uint64 - var x69 uint64 - x69, x68 = bits.Mul64(x54, 0xffffffffffffffff) - var x70 uint64 - var x71 uint64 - x70, x71 = bits.Add64(x69, x66, uint64(0x0)) - x72 := (uint64(p256Uint1(x71)) + x67) - var x74 uint64 - _, x74 = bits.Add64(x54, x68, uint64(0x0)) - var x75 uint64 - var x76 uint64 - x75, x76 = bits.Add64(x56, x70, uint64(p256Uint1(x74))) - var x77 uint64 - var x78 uint64 - x77, x78 = bits.Add64(x58, x72, uint64(p256Uint1(x76))) - var x79 uint64 - var x80 uint64 - x79, x80 = bits.Add64(x60, x64, uint64(p256Uint1(x78))) - var x81 uint64 - var x82 uint64 - x81, x82 = bits.Add64(x62, x65, uint64(p256Uint1(x80))) - x83 := (uint64(p256Uint1(x82)) + uint64(p256Uint1(x63))) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64(x2, arg2[3]) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64(x2, arg2[2]) - var x88 uint64 - var x89 uint64 - x89, x88 = bits.Mul64(x2, arg2[1]) - var x90 uint64 - var x91 uint64 - x91, x90 = bits.Mul64(x2, arg2[0]) - var x92 uint64 - var x93 uint64 - x92, x93 = bits.Add64(x91, x88, uint64(0x0)) - var x94 uint64 - var x95 uint64 - x94, x95 = bits.Add64(x89, x86, uint64(p256Uint1(x93))) - var x96 uint64 - var x97 uint64 - x96, x97 = bits.Add64(x87, x84, uint64(p256Uint1(x95))) - x98 := (uint64(p256Uint1(x97)) + x85) - var x99 uint64 - var x100 uint64 - x99, x100 = bits.Add64(x75, x90, uint64(0x0)) - var x101 uint64 - var x102 uint64 - x101, x102 = bits.Add64(x77, x92, uint64(p256Uint1(x100))) - var x103 uint64 - var x104 uint64 - x103, x104 = bits.Add64(x79, x94, uint64(p256Uint1(x102))) - var x105 uint64 - var x106 uint64 - x105, x106 = bits.Add64(x81, x96, uint64(p256Uint1(x104))) - var x107 uint64 - var x108 uint64 - x107, x108 = bits.Add64(x83, x98, uint64(p256Uint1(x106))) - var x109 uint64 - var x110 uint64 - x110, x109 = bits.Mul64(x99, 0xffffffff00000001) - var x111 uint64 - var x112 uint64 - x112, x111 = bits.Mul64(x99, 0xffffffff) - var x113 uint64 - var x114 uint64 - x114, x113 = bits.Mul64(x99, 0xffffffffffffffff) - var x115 uint64 - var x116 uint64 - x115, x116 = bits.Add64(x114, x111, uint64(0x0)) - x117 := (uint64(p256Uint1(x116)) + x112) - var x119 uint64 - _, x119 = bits.Add64(x99, x113, uint64(0x0)) - var x120 uint64 - var x121 uint64 - x120, x121 = bits.Add64(x101, x115, uint64(p256Uint1(x119))) - var x122 uint64 - var x123 uint64 - x122, x123 = bits.Add64(x103, x117, uint64(p256Uint1(x121))) - var x124 uint64 - var x125 uint64 - x124, x125 = bits.Add64(x105, x109, uint64(p256Uint1(x123))) - var x126 uint64 - var x127 uint64 - x126, x127 = bits.Add64(x107, x110, uint64(p256Uint1(x125))) - x128 := (uint64(p256Uint1(x127)) + uint64(p256Uint1(x108))) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x3, arg2[3]) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64(x3, arg2[2]) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64(x3, arg2[1]) - var x135 uint64 - var x136 uint64 - x136, x135 = bits.Mul64(x3, arg2[0]) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x136, x133, uint64(0x0)) - var x139 uint64 - var x140 uint64 - x139, x140 = bits.Add64(x134, x131, uint64(p256Uint1(x138))) - var x141 uint64 - var x142 uint64 - x141, x142 = bits.Add64(x132, x129, uint64(p256Uint1(x140))) - x143 := (uint64(p256Uint1(x142)) + x130) - var x144 uint64 - var x145 uint64 - x144, x145 = bits.Add64(x120, x135, uint64(0x0)) - var x146 uint64 - var x147 uint64 - x146, x147 = bits.Add64(x122, x137, uint64(p256Uint1(x145))) - var x148 uint64 - var x149 uint64 - x148, x149 = bits.Add64(x124, x139, uint64(p256Uint1(x147))) - var x150 uint64 - var x151 uint64 - x150, x151 = bits.Add64(x126, x141, uint64(p256Uint1(x149))) - var x152 uint64 - var x153 uint64 - x152, x153 = bits.Add64(x128, x143, uint64(p256Uint1(x151))) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x144, 0xffffffff00000001) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x144, 0xffffffff) - var x158 uint64 - var x159 uint64 - x159, x158 = bits.Mul64(x144, 0xffffffffffffffff) - var x160 uint64 - var x161 uint64 - x160, x161 = bits.Add64(x159, x156, uint64(0x0)) - x162 := (uint64(p256Uint1(x161)) + x157) - var x164 uint64 - _, x164 = bits.Add64(x144, x158, uint64(0x0)) - var x165 uint64 - var x166 uint64 - x165, x166 = bits.Add64(x146, x160, uint64(p256Uint1(x164))) - var x167 uint64 - var x168 uint64 - x167, x168 = bits.Add64(x148, x162, uint64(p256Uint1(x166))) - var x169 uint64 - var x170 uint64 - x169, x170 = bits.Add64(x150, x154, uint64(p256Uint1(x168))) - var x171 uint64 - var x172 uint64 - x171, x172 = bits.Add64(x152, x155, uint64(p256Uint1(x170))) - x173 := (uint64(p256Uint1(x172)) + uint64(p256Uint1(x153))) - var x174 uint64 - var x175 uint64 - x174, x175 = bits.Sub64(x165, 0xffffffffffffffff, uint64(0x0)) - var x176 uint64 - var x177 uint64 - x176, x177 = bits.Sub64(x167, 0xffffffff, uint64(p256Uint1(x175))) - var x178 uint64 - var x179 uint64 - x178, x179 = bits.Sub64(x169, uint64(0x0), uint64(p256Uint1(x177))) - var x180 uint64 - var x181 uint64 - x180, x181 = bits.Sub64(x171, 0xffffffff00000001, uint64(p256Uint1(x179))) - var x183 uint64 - _, x183 = bits.Sub64(x173, uint64(0x0), uint64(p256Uint1(x181))) - var x184 uint64 - p256CmovznzU64(&x184, p256Uint1(x183), x174, x165) - var x185 uint64 - p256CmovznzU64(&x185, p256Uint1(x183), x176, x167) - var x186 uint64 - p256CmovznzU64(&x186, p256Uint1(x183), x178, x169) - var x187 uint64 - p256CmovznzU64(&x187, p256Uint1(x183), x180, x171) - out1[0] = x184 - out1[1] = x185 - out1[2] = x186 - out1[3] = x187 -} - -// p256Square squares a field element in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m -// 0 ≤ eval out1 < m -func p256Square(out1 *p256MontgomeryDomainFieldElement, arg1 *p256MontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[0] - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, arg1[3]) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, arg1[2]) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, arg1[1]) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, arg1[0]) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Add64(x12, x9, uint64(0x0)) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Add64(x10, x7, uint64(p256Uint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Add64(x8, x5, uint64(p256Uint1(x16))) - x19 := (uint64(p256Uint1(x18)) + x6) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x11, 0xffffffff00000001) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x11, 0xffffffff) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x11, 0xffffffffffffffff) - var x26 uint64 - var x27 uint64 - x26, x27 = bits.Add64(x25, x22, uint64(0x0)) - x28 := (uint64(p256Uint1(x27)) + x23) - var x30 uint64 - _, x30 = bits.Add64(x11, x24, uint64(0x0)) - var x31 uint64 - var x32 uint64 - x31, x32 = bits.Add64(x13, x26, uint64(p256Uint1(x30))) - var x33 uint64 - var x34 uint64 - x33, x34 = bits.Add64(x15, x28, uint64(p256Uint1(x32))) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Add64(x17, x20, uint64(p256Uint1(x34))) - var x37 uint64 - var x38 uint64 - x37, x38 = bits.Add64(x19, x21, uint64(p256Uint1(x36))) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x1, arg1[3]) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x1, arg1[2]) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, arg1[1]) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x1, arg1[0]) - var x47 uint64 - var x48 uint64 - x47, x48 = bits.Add64(x46, x43, uint64(0x0)) - var x49 uint64 - var x50 uint64 - x49, x50 = bits.Add64(x44, x41, uint64(p256Uint1(x48))) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(x42, x39, uint64(p256Uint1(x50))) - x53 := (uint64(p256Uint1(x52)) + x40) - var x54 uint64 - var x55 uint64 - x54, x55 = bits.Add64(x31, x45, uint64(0x0)) - var x56 uint64 - var x57 uint64 - x56, x57 = bits.Add64(x33, x47, uint64(p256Uint1(x55))) - var x58 uint64 - var x59 uint64 - x58, x59 = bits.Add64(x35, x49, uint64(p256Uint1(x57))) - var x60 uint64 - var x61 uint64 - x60, x61 = bits.Add64(x37, x51, uint64(p256Uint1(x59))) - var x62 uint64 - var x63 uint64 - x62, x63 = bits.Add64(uint64(p256Uint1(x38)), x53, uint64(p256Uint1(x61))) - var x64 uint64 - var x65 uint64 - x65, x64 = bits.Mul64(x54, 0xffffffff00000001) - var x66 uint64 - var x67 uint64 - x67, x66 = bits.Mul64(x54, 0xffffffff) - var x68 uint64 - var x69 uint64 - x69, x68 = bits.Mul64(x54, 0xffffffffffffffff) - var x70 uint64 - var x71 uint64 - x70, x71 = bits.Add64(x69, x66, uint64(0x0)) - x72 := (uint64(p256Uint1(x71)) + x67) - var x74 uint64 - _, x74 = bits.Add64(x54, x68, uint64(0x0)) - var x75 uint64 - var x76 uint64 - x75, x76 = bits.Add64(x56, x70, uint64(p256Uint1(x74))) - var x77 uint64 - var x78 uint64 - x77, x78 = bits.Add64(x58, x72, uint64(p256Uint1(x76))) - var x79 uint64 - var x80 uint64 - x79, x80 = bits.Add64(x60, x64, uint64(p256Uint1(x78))) - var x81 uint64 - var x82 uint64 - x81, x82 = bits.Add64(x62, x65, uint64(p256Uint1(x80))) - x83 := (uint64(p256Uint1(x82)) + uint64(p256Uint1(x63))) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64(x2, arg1[3]) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64(x2, arg1[2]) - var x88 uint64 - var x89 uint64 - x89, x88 = bits.Mul64(x2, arg1[1]) - var x90 uint64 - var x91 uint64 - x91, x90 = bits.Mul64(x2, arg1[0]) - var x92 uint64 - var x93 uint64 - x92, x93 = bits.Add64(x91, x88, uint64(0x0)) - var x94 uint64 - var x95 uint64 - x94, x95 = bits.Add64(x89, x86, uint64(p256Uint1(x93))) - var x96 uint64 - var x97 uint64 - x96, x97 = bits.Add64(x87, x84, uint64(p256Uint1(x95))) - x98 := (uint64(p256Uint1(x97)) + x85) - var x99 uint64 - var x100 uint64 - x99, x100 = bits.Add64(x75, x90, uint64(0x0)) - var x101 uint64 - var x102 uint64 - x101, x102 = bits.Add64(x77, x92, uint64(p256Uint1(x100))) - var x103 uint64 - var x104 uint64 - x103, x104 = bits.Add64(x79, x94, uint64(p256Uint1(x102))) - var x105 uint64 - var x106 uint64 - x105, x106 = bits.Add64(x81, x96, uint64(p256Uint1(x104))) - var x107 uint64 - var x108 uint64 - x107, x108 = bits.Add64(x83, x98, uint64(p256Uint1(x106))) - var x109 uint64 - var x110 uint64 - x110, x109 = bits.Mul64(x99, 0xffffffff00000001) - var x111 uint64 - var x112 uint64 - x112, x111 = bits.Mul64(x99, 0xffffffff) - var x113 uint64 - var x114 uint64 - x114, x113 = bits.Mul64(x99, 0xffffffffffffffff) - var x115 uint64 - var x116 uint64 - x115, x116 = bits.Add64(x114, x111, uint64(0x0)) - x117 := (uint64(p256Uint1(x116)) + x112) - var x119 uint64 - _, x119 = bits.Add64(x99, x113, uint64(0x0)) - var x120 uint64 - var x121 uint64 - x120, x121 = bits.Add64(x101, x115, uint64(p256Uint1(x119))) - var x122 uint64 - var x123 uint64 - x122, x123 = bits.Add64(x103, x117, uint64(p256Uint1(x121))) - var x124 uint64 - var x125 uint64 - x124, x125 = bits.Add64(x105, x109, uint64(p256Uint1(x123))) - var x126 uint64 - var x127 uint64 - x126, x127 = bits.Add64(x107, x110, uint64(p256Uint1(x125))) - x128 := (uint64(p256Uint1(x127)) + uint64(p256Uint1(x108))) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x3, arg1[3]) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64(x3, arg1[2]) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64(x3, arg1[1]) - var x135 uint64 - var x136 uint64 - x136, x135 = bits.Mul64(x3, arg1[0]) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x136, x133, uint64(0x0)) - var x139 uint64 - var x140 uint64 - x139, x140 = bits.Add64(x134, x131, uint64(p256Uint1(x138))) - var x141 uint64 - var x142 uint64 - x141, x142 = bits.Add64(x132, x129, uint64(p256Uint1(x140))) - x143 := (uint64(p256Uint1(x142)) + x130) - var x144 uint64 - var x145 uint64 - x144, x145 = bits.Add64(x120, x135, uint64(0x0)) - var x146 uint64 - var x147 uint64 - x146, x147 = bits.Add64(x122, x137, uint64(p256Uint1(x145))) - var x148 uint64 - var x149 uint64 - x148, x149 = bits.Add64(x124, x139, uint64(p256Uint1(x147))) - var x150 uint64 - var x151 uint64 - x150, x151 = bits.Add64(x126, x141, uint64(p256Uint1(x149))) - var x152 uint64 - var x153 uint64 - x152, x153 = bits.Add64(x128, x143, uint64(p256Uint1(x151))) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x144, 0xffffffff00000001) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x144, 0xffffffff) - var x158 uint64 - var x159 uint64 - x159, x158 = bits.Mul64(x144, 0xffffffffffffffff) - var x160 uint64 - var x161 uint64 - x160, x161 = bits.Add64(x159, x156, uint64(0x0)) - x162 := (uint64(p256Uint1(x161)) + x157) - var x164 uint64 - _, x164 = bits.Add64(x144, x158, uint64(0x0)) - var x165 uint64 - var x166 uint64 - x165, x166 = bits.Add64(x146, x160, uint64(p256Uint1(x164))) - var x167 uint64 - var x168 uint64 - x167, x168 = bits.Add64(x148, x162, uint64(p256Uint1(x166))) - var x169 uint64 - var x170 uint64 - x169, x170 = bits.Add64(x150, x154, uint64(p256Uint1(x168))) - var x171 uint64 - var x172 uint64 - x171, x172 = bits.Add64(x152, x155, uint64(p256Uint1(x170))) - x173 := (uint64(p256Uint1(x172)) + uint64(p256Uint1(x153))) - var x174 uint64 - var x175 uint64 - x174, x175 = bits.Sub64(x165, 0xffffffffffffffff, uint64(0x0)) - var x176 uint64 - var x177 uint64 - x176, x177 = bits.Sub64(x167, 0xffffffff, uint64(p256Uint1(x175))) - var x178 uint64 - var x179 uint64 - x178, x179 = bits.Sub64(x169, uint64(0x0), uint64(p256Uint1(x177))) - var x180 uint64 - var x181 uint64 - x180, x181 = bits.Sub64(x171, 0xffffffff00000001, uint64(p256Uint1(x179))) - var x183 uint64 - _, x183 = bits.Sub64(x173, uint64(0x0), uint64(p256Uint1(x181))) - var x184 uint64 - p256CmovznzU64(&x184, p256Uint1(x183), x174, x165) - var x185 uint64 - p256CmovznzU64(&x185, p256Uint1(x183), x176, x167) - var x186 uint64 - p256CmovznzU64(&x186, p256Uint1(x183), x178, x169) - var x187 uint64 - p256CmovznzU64(&x187, p256Uint1(x183), x180, x171) - out1[0] = x184 - out1[1] = x185 - out1[2] = x186 - out1[3] = x187 -} - -// p256Add adds two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p256Add(out1 *p256MontgomeryDomainFieldElement, arg1 *p256MontgomeryDomainFieldElement, arg2 *p256MontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Add64(arg1[0], arg2[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Add64(arg1[1], arg2[1], uint64(p256Uint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Add64(arg1[2], arg2[2], uint64(p256Uint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Add64(arg1[3], arg2[3], uint64(p256Uint1(x6))) - var x9 uint64 - var x10 uint64 - x9, x10 = bits.Sub64(x1, 0xffffffffffffffff, uint64(0x0)) - var x11 uint64 - var x12 uint64 - x11, x12 = bits.Sub64(x3, 0xffffffff, uint64(p256Uint1(x10))) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Sub64(x5, uint64(0x0), uint64(p256Uint1(x12))) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Sub64(x7, 0xffffffff00000001, uint64(p256Uint1(x14))) - var x18 uint64 - _, x18 = bits.Sub64(uint64(p256Uint1(x8)), uint64(0x0), uint64(p256Uint1(x16))) - var x19 uint64 - p256CmovznzU64(&x19, p256Uint1(x18), x9, x1) - var x20 uint64 - p256CmovznzU64(&x20, p256Uint1(x18), x11, x3) - var x21 uint64 - p256CmovznzU64(&x21, p256Uint1(x18), x13, x5) - var x22 uint64 - p256CmovznzU64(&x22, p256Uint1(x18), x15, x7) - out1[0] = x19 - out1[1] = x20 - out1[2] = x21 - out1[3] = x22 -} - -// p256Sub subtracts two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p256Sub(out1 *p256MontgomeryDomainFieldElement, arg1 *p256MontgomeryDomainFieldElement, arg2 *p256MontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Sub64(arg1[0], arg2[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Sub64(arg1[1], arg2[1], uint64(p256Uint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Sub64(arg1[2], arg2[2], uint64(p256Uint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Sub64(arg1[3], arg2[3], uint64(p256Uint1(x6))) - var x9 uint64 - p256CmovznzU64(&x9, p256Uint1(x8), uint64(0x0), 0xffffffffffffffff) - var x10 uint64 - var x11 uint64 - x10, x11 = bits.Add64(x1, x9, uint64(0x0)) - var x12 uint64 - var x13 uint64 - x12, x13 = bits.Add64(x3, (x9 & 0xffffffff), uint64(p256Uint1(x11))) - var x14 uint64 - var x15 uint64 - x14, x15 = bits.Add64(x5, uint64(0x0), uint64(p256Uint1(x13))) - var x16 uint64 - x16, _ = bits.Add64(x7, (x9 & 0xffffffff00000001), uint64(p256Uint1(x15))) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 -} - -// p256SetOne returns the field element one in the Montgomery domain. -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = 1 mod m -// 0 ≤ eval out1 < m -func p256SetOne(out1 *p256MontgomeryDomainFieldElement) { - out1[0] = uint64(0x1) - out1[1] = 0xffffffff00000000 - out1[2] = 0xffffffffffffffff - out1[3] = 0xfffffffe -} - -// p256FromMontgomery translates a field element out of the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m -// 0 ≤ eval out1 < m -func p256FromMontgomery(out1 *p256NonMontgomeryDomainFieldElement, arg1 *p256MontgomeryDomainFieldElement) { - x1 := arg1[0] - var x2 uint64 - var x3 uint64 - x3, x2 = bits.Mul64(x1, 0xffffffff00000001) - var x4 uint64 - var x5 uint64 - x5, x4 = bits.Mul64(x1, 0xffffffff) - var x6 uint64 - var x7 uint64 - x7, x6 = bits.Mul64(x1, 0xffffffffffffffff) - var x8 uint64 - var x9 uint64 - x8, x9 = bits.Add64(x7, x4, uint64(0x0)) - var x11 uint64 - _, x11 = bits.Add64(x1, x6, uint64(0x0)) - var x12 uint64 - var x13 uint64 - x12, x13 = bits.Add64(uint64(0x0), x8, uint64(p256Uint1(x11))) - var x14 uint64 - var x15 uint64 - x14, x15 = bits.Add64(x12, arg1[1], uint64(0x0)) - var x16 uint64 - var x17 uint64 - x17, x16 = bits.Mul64(x14, 0xffffffff00000001) - var x18 uint64 - var x19 uint64 - x19, x18 = bits.Mul64(x14, 0xffffffff) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x14, 0xffffffffffffffff) - var x22 uint64 - var x23 uint64 - x22, x23 = bits.Add64(x21, x18, uint64(0x0)) - var x25 uint64 - _, x25 = bits.Add64(x14, x20, uint64(0x0)) - var x26 uint64 - var x27 uint64 - x26, x27 = bits.Add64((uint64(p256Uint1(x15)) + (uint64(p256Uint1(x13)) + (uint64(p256Uint1(x9)) + x5))), x22, uint64(p256Uint1(x25))) - var x28 uint64 - var x29 uint64 - x28, x29 = bits.Add64(x2, (uint64(p256Uint1(x23)) + x19), uint64(p256Uint1(x27))) - var x30 uint64 - var x31 uint64 - x30, x31 = bits.Add64(x3, x16, uint64(p256Uint1(x29))) - var x32 uint64 - var x33 uint64 - x32, x33 = bits.Add64(x26, arg1[2], uint64(0x0)) - var x34 uint64 - var x35 uint64 - x34, x35 = bits.Add64(x28, uint64(0x0), uint64(p256Uint1(x33))) - var x36 uint64 - var x37 uint64 - x36, x37 = bits.Add64(x30, uint64(0x0), uint64(p256Uint1(x35))) - var x38 uint64 - var x39 uint64 - x39, x38 = bits.Mul64(x32, 0xffffffff00000001) - var x40 uint64 - var x41 uint64 - x41, x40 = bits.Mul64(x32, 0xffffffff) - var x42 uint64 - var x43 uint64 - x43, x42 = bits.Mul64(x32, 0xffffffffffffffff) - var x44 uint64 - var x45 uint64 - x44, x45 = bits.Add64(x43, x40, uint64(0x0)) - var x47 uint64 - _, x47 = bits.Add64(x32, x42, uint64(0x0)) - var x48 uint64 - var x49 uint64 - x48, x49 = bits.Add64(x34, x44, uint64(p256Uint1(x47))) - var x50 uint64 - var x51 uint64 - x50, x51 = bits.Add64(x36, (uint64(p256Uint1(x45)) + x41), uint64(p256Uint1(x49))) - var x52 uint64 - var x53 uint64 - x52, x53 = bits.Add64((uint64(p256Uint1(x37)) + (uint64(p256Uint1(x31)) + x17)), x38, uint64(p256Uint1(x51))) - var x54 uint64 - var x55 uint64 - x54, x55 = bits.Add64(x48, arg1[3], uint64(0x0)) - var x56 uint64 - var x57 uint64 - x56, x57 = bits.Add64(x50, uint64(0x0), uint64(p256Uint1(x55))) - var x58 uint64 - var x59 uint64 - x58, x59 = bits.Add64(x52, uint64(0x0), uint64(p256Uint1(x57))) - var x60 uint64 - var x61 uint64 - x61, x60 = bits.Mul64(x54, 0xffffffff00000001) - var x62 uint64 - var x63 uint64 - x63, x62 = bits.Mul64(x54, 0xffffffff) - var x64 uint64 - var x65 uint64 - x65, x64 = bits.Mul64(x54, 0xffffffffffffffff) - var x66 uint64 - var x67 uint64 - x66, x67 = bits.Add64(x65, x62, uint64(0x0)) - var x69 uint64 - _, x69 = bits.Add64(x54, x64, uint64(0x0)) - var x70 uint64 - var x71 uint64 - x70, x71 = bits.Add64(x56, x66, uint64(p256Uint1(x69))) - var x72 uint64 - var x73 uint64 - x72, x73 = bits.Add64(x58, (uint64(p256Uint1(x67)) + x63), uint64(p256Uint1(x71))) - var x74 uint64 - var x75 uint64 - x74, x75 = bits.Add64((uint64(p256Uint1(x59)) + (uint64(p256Uint1(x53)) + x39)), x60, uint64(p256Uint1(x73))) - x76 := (uint64(p256Uint1(x75)) + x61) - var x77 uint64 - var x78 uint64 - x77, x78 = bits.Sub64(x70, 0xffffffffffffffff, uint64(0x0)) - var x79 uint64 - var x80 uint64 - x79, x80 = bits.Sub64(x72, 0xffffffff, uint64(p256Uint1(x78))) - var x81 uint64 - var x82 uint64 - x81, x82 = bits.Sub64(x74, uint64(0x0), uint64(p256Uint1(x80))) - var x83 uint64 - var x84 uint64 - x83, x84 = bits.Sub64(x76, 0xffffffff00000001, uint64(p256Uint1(x82))) - var x86 uint64 - _, x86 = bits.Sub64(uint64(0x0), uint64(0x0), uint64(p256Uint1(x84))) - var x87 uint64 - p256CmovznzU64(&x87, p256Uint1(x86), x77, x70) - var x88 uint64 - p256CmovznzU64(&x88, p256Uint1(x86), x79, x72) - var x89 uint64 - p256CmovznzU64(&x89, p256Uint1(x86), x81, x74) - var x90 uint64 - p256CmovznzU64(&x90, p256Uint1(x86), x83, x76) - out1[0] = x87 - out1[1] = x88 - out1[2] = x89 - out1[3] = x90 -} - -// p256ToMontgomery translates a field element into the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = eval arg1 mod m -// 0 ≤ eval out1 < m -func p256ToMontgomery(out1 *p256MontgomeryDomainFieldElement, arg1 *p256NonMontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[0] - var x5 uint64 - var x6 uint64 - x6, x5 = bits.Mul64(x4, 0x4fffffffd) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x4, 0xfffffffffffffffe) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x4, 0xfffffffbffffffff) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x4, 0x3) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Add64(x12, x9, uint64(0x0)) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Add64(x10, x7, uint64(p256Uint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Add64(x8, x5, uint64(p256Uint1(x16))) - var x19 uint64 - var x20 uint64 - x20, x19 = bits.Mul64(x11, 0xffffffff00000001) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64(x11, 0xffffffff) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64(x11, 0xffffffffffffffff) - var x25 uint64 - var x26 uint64 - x25, x26 = bits.Add64(x24, x21, uint64(0x0)) - var x28 uint64 - _, x28 = bits.Add64(x11, x23, uint64(0x0)) - var x29 uint64 - var x30 uint64 - x29, x30 = bits.Add64(x13, x25, uint64(p256Uint1(x28))) - var x31 uint64 - var x32 uint64 - x31, x32 = bits.Add64(x15, (uint64(p256Uint1(x26)) + x22), uint64(p256Uint1(x30))) - var x33 uint64 - var x34 uint64 - x33, x34 = bits.Add64(x17, x19, uint64(p256Uint1(x32))) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Add64((uint64(p256Uint1(x18)) + x6), x20, uint64(p256Uint1(x34))) - var x37 uint64 - var x38 uint64 - x38, x37 = bits.Mul64(x1, 0x4fffffffd) - var x39 uint64 - var x40 uint64 - x40, x39 = bits.Mul64(x1, 0xfffffffffffffffe) - var x41 uint64 - var x42 uint64 - x42, x41 = bits.Mul64(x1, 0xfffffffbffffffff) - var x43 uint64 - var x44 uint64 - x44, x43 = bits.Mul64(x1, 0x3) - var x45 uint64 - var x46 uint64 - x45, x46 = bits.Add64(x44, x41, uint64(0x0)) - var x47 uint64 - var x48 uint64 - x47, x48 = bits.Add64(x42, x39, uint64(p256Uint1(x46))) - var x49 uint64 - var x50 uint64 - x49, x50 = bits.Add64(x40, x37, uint64(p256Uint1(x48))) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(x29, x43, uint64(0x0)) - var x53 uint64 - var x54 uint64 - x53, x54 = bits.Add64(x31, x45, uint64(p256Uint1(x52))) - var x55 uint64 - var x56 uint64 - x55, x56 = bits.Add64(x33, x47, uint64(p256Uint1(x54))) - var x57 uint64 - var x58 uint64 - x57, x58 = bits.Add64(x35, x49, uint64(p256Uint1(x56))) - var x59 uint64 - var x60 uint64 - x60, x59 = bits.Mul64(x51, 0xffffffff00000001) - var x61 uint64 - var x62 uint64 - x62, x61 = bits.Mul64(x51, 0xffffffff) - var x63 uint64 - var x64 uint64 - x64, x63 = bits.Mul64(x51, 0xffffffffffffffff) - var x65 uint64 - var x66 uint64 - x65, x66 = bits.Add64(x64, x61, uint64(0x0)) - var x68 uint64 - _, x68 = bits.Add64(x51, x63, uint64(0x0)) - var x69 uint64 - var x70 uint64 - x69, x70 = bits.Add64(x53, x65, uint64(p256Uint1(x68))) - var x71 uint64 - var x72 uint64 - x71, x72 = bits.Add64(x55, (uint64(p256Uint1(x66)) + x62), uint64(p256Uint1(x70))) - var x73 uint64 - var x74 uint64 - x73, x74 = bits.Add64(x57, x59, uint64(p256Uint1(x72))) - var x75 uint64 - var x76 uint64 - x75, x76 = bits.Add64(((uint64(p256Uint1(x58)) + uint64(p256Uint1(x36))) + (uint64(p256Uint1(x50)) + x38)), x60, uint64(p256Uint1(x74))) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64(x2, 0x4fffffffd) - var x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64(x2, 0xfffffffffffffffe) - var x81 uint64 - var x82 uint64 - x82, x81 = bits.Mul64(x2, 0xfffffffbffffffff) - var x83 uint64 - var x84 uint64 - x84, x83 = bits.Mul64(x2, 0x3) - var x85 uint64 - var x86 uint64 - x85, x86 = bits.Add64(x84, x81, uint64(0x0)) - var x87 uint64 - var x88 uint64 - x87, x88 = bits.Add64(x82, x79, uint64(p256Uint1(x86))) - var x89 uint64 - var x90 uint64 - x89, x90 = bits.Add64(x80, x77, uint64(p256Uint1(x88))) - var x91 uint64 - var x92 uint64 - x91, x92 = bits.Add64(x69, x83, uint64(0x0)) - var x93 uint64 - var x94 uint64 - x93, x94 = bits.Add64(x71, x85, uint64(p256Uint1(x92))) - var x95 uint64 - var x96 uint64 - x95, x96 = bits.Add64(x73, x87, uint64(p256Uint1(x94))) - var x97 uint64 - var x98 uint64 - x97, x98 = bits.Add64(x75, x89, uint64(p256Uint1(x96))) - var x99 uint64 - var x100 uint64 - x100, x99 = bits.Mul64(x91, 0xffffffff00000001) - var x101 uint64 - var x102 uint64 - x102, x101 = bits.Mul64(x91, 0xffffffff) - var x103 uint64 - var x104 uint64 - x104, x103 = bits.Mul64(x91, 0xffffffffffffffff) - var x105 uint64 - var x106 uint64 - x105, x106 = bits.Add64(x104, x101, uint64(0x0)) - var x108 uint64 - _, x108 = bits.Add64(x91, x103, uint64(0x0)) - var x109 uint64 - var x110 uint64 - x109, x110 = bits.Add64(x93, x105, uint64(p256Uint1(x108))) - var x111 uint64 - var x112 uint64 - x111, x112 = bits.Add64(x95, (uint64(p256Uint1(x106)) + x102), uint64(p256Uint1(x110))) - var x113 uint64 - var x114 uint64 - x113, x114 = bits.Add64(x97, x99, uint64(p256Uint1(x112))) - var x115 uint64 - var x116 uint64 - x115, x116 = bits.Add64(((uint64(p256Uint1(x98)) + uint64(p256Uint1(x76))) + (uint64(p256Uint1(x90)) + x78)), x100, uint64(p256Uint1(x114))) - var x117 uint64 - var x118 uint64 - x118, x117 = bits.Mul64(x3, 0x4fffffffd) - var x119 uint64 - var x120 uint64 - x120, x119 = bits.Mul64(x3, 0xfffffffffffffffe) - var x121 uint64 - var x122 uint64 - x122, x121 = bits.Mul64(x3, 0xfffffffbffffffff) - var x123 uint64 - var x124 uint64 - x124, x123 = bits.Mul64(x3, 0x3) - var x125 uint64 - var x126 uint64 - x125, x126 = bits.Add64(x124, x121, uint64(0x0)) - var x127 uint64 - var x128 uint64 - x127, x128 = bits.Add64(x122, x119, uint64(p256Uint1(x126))) - var x129 uint64 - var x130 uint64 - x129, x130 = bits.Add64(x120, x117, uint64(p256Uint1(x128))) - var x131 uint64 - var x132 uint64 - x131, x132 = bits.Add64(x109, x123, uint64(0x0)) - var x133 uint64 - var x134 uint64 - x133, x134 = bits.Add64(x111, x125, uint64(p256Uint1(x132))) - var x135 uint64 - var x136 uint64 - x135, x136 = bits.Add64(x113, x127, uint64(p256Uint1(x134))) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x115, x129, uint64(p256Uint1(x136))) - var x139 uint64 - var x140 uint64 - x140, x139 = bits.Mul64(x131, 0xffffffff00000001) - var x141 uint64 - var x142 uint64 - x142, x141 = bits.Mul64(x131, 0xffffffff) - var x143 uint64 - var x144 uint64 - x144, x143 = bits.Mul64(x131, 0xffffffffffffffff) - var x145 uint64 - var x146 uint64 - x145, x146 = bits.Add64(x144, x141, uint64(0x0)) - var x148 uint64 - _, x148 = bits.Add64(x131, x143, uint64(0x0)) - var x149 uint64 - var x150 uint64 - x149, x150 = bits.Add64(x133, x145, uint64(p256Uint1(x148))) - var x151 uint64 - var x152 uint64 - x151, x152 = bits.Add64(x135, (uint64(p256Uint1(x146)) + x142), uint64(p256Uint1(x150))) - var x153 uint64 - var x154 uint64 - x153, x154 = bits.Add64(x137, x139, uint64(p256Uint1(x152))) - var x155 uint64 - var x156 uint64 - x155, x156 = bits.Add64(((uint64(p256Uint1(x138)) + uint64(p256Uint1(x116))) + (uint64(p256Uint1(x130)) + x118)), x140, uint64(p256Uint1(x154))) - var x157 uint64 - var x158 uint64 - x157, x158 = bits.Sub64(x149, 0xffffffffffffffff, uint64(0x0)) - var x159 uint64 - var x160 uint64 - x159, x160 = bits.Sub64(x151, 0xffffffff, uint64(p256Uint1(x158))) - var x161 uint64 - var x162 uint64 - x161, x162 = bits.Sub64(x153, uint64(0x0), uint64(p256Uint1(x160))) - var x163 uint64 - var x164 uint64 - x163, x164 = bits.Sub64(x155, 0xffffffff00000001, uint64(p256Uint1(x162))) - var x166 uint64 - _, x166 = bits.Sub64(uint64(p256Uint1(x156)), uint64(0x0), uint64(p256Uint1(x164))) - var x167 uint64 - p256CmovznzU64(&x167, p256Uint1(x166), x157, x149) - var x168 uint64 - p256CmovznzU64(&x168, p256Uint1(x166), x159, x151) - var x169 uint64 - p256CmovznzU64(&x169, p256Uint1(x166), x161, x153) - var x170 uint64 - p256CmovznzU64(&x170, p256Uint1(x166), x163, x155) - out1[0] = x167 - out1[1] = x168 - out1[2] = x169 - out1[3] = x170 -} - -// p256Selectznz is a multi-limb conditional select. -// -// Postconditions: -// -// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) -// -// Input Bounds: -// -// arg1: [0x0 ~> 0x1] -// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -func p256Selectznz(out1 *[4]uint64, arg1 p256Uint1, arg2 *[4]uint64, arg3 *[4]uint64) { - var x1 uint64 - p256CmovznzU64(&x1, arg1, arg2[0], arg3[0]) - var x2 uint64 - p256CmovznzU64(&x2, arg1, arg2[1], arg3[1]) - var x3 uint64 - p256CmovznzU64(&x3, arg1, arg2[2], arg3[2]) - var x4 uint64 - p256CmovznzU64(&x4, arg1, arg2[3], arg3[3]) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 -} - -// p256ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] -func p256ToBytes(out1 *[32]uint8, arg1 *[4]uint64) { - x1 := arg1[3] - x2 := arg1[2] - x3 := arg1[1] - x4 := arg1[0] - x5 := (uint8(x4) & 0xff) - x6 := (x4 >> 8) - x7 := (uint8(x6) & 0xff) - x8 := (x6 >> 8) - x9 := (uint8(x8) & 0xff) - x10 := (x8 >> 8) - x11 := (uint8(x10) & 0xff) - x12 := (x10 >> 8) - x13 := (uint8(x12) & 0xff) - x14 := (x12 >> 8) - x15 := (uint8(x14) & 0xff) - x16 := (x14 >> 8) - x17 := (uint8(x16) & 0xff) - x18 := uint8((x16 >> 8)) - x19 := (uint8(x3) & 0xff) - x20 := (x3 >> 8) - x21 := (uint8(x20) & 0xff) - x22 := (x20 >> 8) - x23 := (uint8(x22) & 0xff) - x24 := (x22 >> 8) - x25 := (uint8(x24) & 0xff) - x26 := (x24 >> 8) - x27 := (uint8(x26) & 0xff) - x28 := (x26 >> 8) - x29 := (uint8(x28) & 0xff) - x30 := (x28 >> 8) - x31 := (uint8(x30) & 0xff) - x32 := uint8((x30 >> 8)) - x33 := (uint8(x2) & 0xff) - x34 := (x2 >> 8) - x35 := (uint8(x34) & 0xff) - x36 := (x34 >> 8) - x37 := (uint8(x36) & 0xff) - x38 := (x36 >> 8) - x39 := (uint8(x38) & 0xff) - x40 := (x38 >> 8) - x41 := (uint8(x40) & 0xff) - x42 := (x40 >> 8) - x43 := (uint8(x42) & 0xff) - x44 := (x42 >> 8) - x45 := (uint8(x44) & 0xff) - x46 := uint8((x44 >> 8)) - x47 := (uint8(x1) & 0xff) - x48 := (x1 >> 8) - x49 := (uint8(x48) & 0xff) - x50 := (x48 >> 8) - x51 := (uint8(x50) & 0xff) - x52 := (x50 >> 8) - x53 := (uint8(x52) & 0xff) - x54 := (x52 >> 8) - x55 := (uint8(x54) & 0xff) - x56 := (x54 >> 8) - x57 := (uint8(x56) & 0xff) - x58 := (x56 >> 8) - x59 := (uint8(x58) & 0xff) - x60 := uint8((x58 >> 8)) - out1[0] = x5 - out1[1] = x7 - out1[2] = x9 - out1[3] = x11 - out1[4] = x13 - out1[5] = x15 - out1[6] = x17 - out1[7] = x18 - out1[8] = x19 - out1[9] = x21 - out1[10] = x23 - out1[11] = x25 - out1[12] = x27 - out1[13] = x29 - out1[14] = x31 - out1[15] = x32 - out1[16] = x33 - out1[17] = x35 - out1[18] = x37 - out1[19] = x39 - out1[20] = x41 - out1[21] = x43 - out1[22] = x45 - out1[23] = x46 - out1[24] = x47 - out1[25] = x49 - out1[26] = x51 - out1[27] = x53 - out1[28] = x55 - out1[29] = x57 - out1[30] = x59 - out1[31] = x60 -} - -// p256FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. -// -// Preconditions: -// -// 0 ≤ bytes_eval arg1 < m -// -// Postconditions: -// -// eval out1 mod m = bytes_eval arg1 mod m -// 0 ≤ eval out1 < m -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -func p256FromBytes(out1 *[4]uint64, arg1 *[32]uint8) { - x1 := (uint64(arg1[31]) << 56) - x2 := (uint64(arg1[30]) << 48) - x3 := (uint64(arg1[29]) << 40) - x4 := (uint64(arg1[28]) << 32) - x5 := (uint64(arg1[27]) << 24) - x6 := (uint64(arg1[26]) << 16) - x7 := (uint64(arg1[25]) << 8) - x8 := arg1[24] - x9 := (uint64(arg1[23]) << 56) - x10 := (uint64(arg1[22]) << 48) - x11 := (uint64(arg1[21]) << 40) - x12 := (uint64(arg1[20]) << 32) - x13 := (uint64(arg1[19]) << 24) - x14 := (uint64(arg1[18]) << 16) - x15 := (uint64(arg1[17]) << 8) - x16 := arg1[16] - x17 := (uint64(arg1[15]) << 56) - x18 := (uint64(arg1[14]) << 48) - x19 := (uint64(arg1[13]) << 40) - x20 := (uint64(arg1[12]) << 32) - x21 := (uint64(arg1[11]) << 24) - x22 := (uint64(arg1[10]) << 16) - x23 := (uint64(arg1[9]) << 8) - x24 := arg1[8] - x25 := (uint64(arg1[7]) << 56) - x26 := (uint64(arg1[6]) << 48) - x27 := (uint64(arg1[5]) << 40) - x28 := (uint64(arg1[4]) << 32) - x29 := (uint64(arg1[3]) << 24) - x30 := (uint64(arg1[2]) << 16) - x31 := (uint64(arg1[1]) << 8) - x32 := arg1[0] - x33 := (x31 + uint64(x32)) - x34 := (x30 + x33) - x35 := (x29 + x34) - x36 := (x28 + x35) - x37 := (x27 + x36) - x38 := (x26 + x37) - x39 := (x25 + x38) - x40 := (x23 + uint64(x24)) - x41 := (x22 + x40) - x42 := (x21 + x41) - x43 := (x20 + x42) - x44 := (x19 + x43) - x45 := (x18 + x44) - x46 := (x17 + x45) - x47 := (x15 + uint64(x16)) - x48 := (x14 + x47) - x49 := (x13 + x48) - x50 := (x12 + x49) - x51 := (x11 + x50) - x52 := (x10 + x51) - x53 := (x9 + x52) - x54 := (x7 + uint64(x8)) - x55 := (x6 + x54) - x56 := (x5 + x55) - x57 := (x4 + x56) - x58 := (x3 + x57) - x59 := (x2 + x58) - x60 := (x1 + x59) - out1[0] = x39 - out1[1] = x46 - out1[2] = x53 - out1[3] = x60 -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p256_invert.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p256_invert.go deleted file mode 100644 index d0101e1d4fe..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p256_invert.go +++ /dev/null @@ -1,84 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by addchain. DO NOT EDIT. - -package fiat - -// Invert sets e = 1/x, and returns e. -// -// If x == 0, Invert returns e = 0. -func (e *P256Element) Invert(x *P256Element) *P256Element { - // Inversion is implemented as exponentiation with exponent p − 2. - // The sequence of 12 multiplications and 255 squarings is derived from the - // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. - // - // _10 = 2*1 - // _11 = 1 + _10 - // _110 = 2*_11 - // _111 = 1 + _110 - // _111000 = _111 << 3 - // _111111 = _111 + _111000 - // x12 = _111111 << 6 + _111111 - // x15 = x12 << 3 + _111 - // x16 = 2*x15 + 1 - // x32 = x16 << 16 + x16 - // i53 = x32 << 15 - // x47 = x15 + i53 - // i263 = ((i53 << 17 + 1) << 143 + x47) << 47 - // return (x47 + i263) << 2 + 1 - // - - var z = new(P256Element).Set(e) - var t0 = new(P256Element) - var t1 = new(P256Element) - - z.Square(x) - z.Mul(x, z) - z.Square(z) - z.Mul(x, z) - t0.Square(z) - for s := 1; s < 3; s++ { - t0.Square(t0) - } - t0.Mul(z, t0) - t1.Square(t0) - for s := 1; s < 6; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - for s := 0; s < 3; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - t0.Square(z) - t0.Mul(x, t0) - t1.Square(t0) - for s := 1; s < 16; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - for s := 0; s < 15; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - for s := 0; s < 17; s++ { - t0.Square(t0) - } - t0.Mul(x, t0) - for s := 0; s < 143; s++ { - t0.Square(t0) - } - t0.Mul(z, t0) - for s := 0; s < 47; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - for s := 0; s < 2; s++ { - z.Square(z) - } - z.Mul(x, z) - - return e.Set(z) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p384.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p384.go deleted file mode 100644 index f514ab2d603..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p384.go +++ /dev/null @@ -1,129 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by generate.go. DO NOT EDIT. - -package fiat - -import ( - "crypto/internal/fips140/subtle" - "errors" -) - -// P384Element is an integer modulo 2^384 - 2^128 - 2^96 + 2^32 - 1. -// -// The zero value is a valid zero element. -type P384Element struct { - // Values are represented internally always in the Montgomery domain, and - // converted in Bytes and SetBytes. - x p384MontgomeryDomainFieldElement -} - -const p384ElementLen = 48 - -type p384UntypedFieldElement = [6]uint64 - -// One sets e = 1, and returns e. -func (e *P384Element) One() *P384Element { - p384SetOne(&e.x) - return e -} - -// Equal returns 1 if e == t, and zero otherwise. -func (e *P384Element) Equal(t *P384Element) int { - eBytes := e.Bytes() - tBytes := t.Bytes() - return subtle.ConstantTimeCompare(eBytes, tBytes) -} - -// IsZero returns 1 if e == 0, and zero otherwise. -func (e *P384Element) IsZero() int { - zero := make([]byte, p384ElementLen) - eBytes := e.Bytes() - return subtle.ConstantTimeCompare(eBytes, zero) -} - -// Set sets e = t, and returns e. -func (e *P384Element) Set(t *P384Element) *P384Element { - e.x = t.x - return e -} - -// Bytes returns the 48-byte big-endian encoding of e. -func (e *P384Element) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p384ElementLen]byte - return e.bytes(&out) -} - -func (e *P384Element) bytes(out *[p384ElementLen]byte) []byte { - var tmp p384NonMontgomeryDomainFieldElement - p384FromMontgomery(&tmp, &e.x) - p384ToBytes(out, (*p384UntypedFieldElement)(&tmp)) - p384InvertEndianness(out[:]) - return out[:] -} - -// SetBytes sets e = v, where v is a big-endian 48-byte encoding, and returns e. -// If v is not 48 bytes or it encodes a value higher than 2^384 - 2^128 - 2^96 + 2^32 - 1, -// SetBytes returns nil and an error, and e is unchanged. -func (e *P384Element) SetBytes(v []byte) (*P384Element, error) { - if len(v) != p384ElementLen { - return nil, errors.New("invalid P384Element encoding") - } - - // Check for non-canonical encodings (p + k, 2p + k, etc.) by comparing to - // the encoding of -1 mod p, so p - 1, the highest canonical encoding. - var minusOneEncoding = new(P384Element).Sub( - new(P384Element), new(P384Element).One()).Bytes() - if subtle.ConstantTimeLessOrEqBytes(v, minusOneEncoding) == 0 { - return nil, errors.New("invalid P384Element encoding") - } - - var in [p384ElementLen]byte - copy(in[:], v) - p384InvertEndianness(in[:]) - var tmp p384NonMontgomeryDomainFieldElement - p384FromBytes((*p384UntypedFieldElement)(&tmp), &in) - p384ToMontgomery(&e.x, &tmp) - return e, nil -} - -// Add sets e = t1 + t2, and returns e. -func (e *P384Element) Add(t1, t2 *P384Element) *P384Element { - p384Add(&e.x, &t1.x, &t2.x) - return e -} - -// Sub sets e = t1 - t2, and returns e. -func (e *P384Element) Sub(t1, t2 *P384Element) *P384Element { - p384Sub(&e.x, &t1.x, &t2.x) - return e -} - -// Mul sets e = t1 * t2, and returns e. -func (e *P384Element) Mul(t1, t2 *P384Element) *P384Element { - p384Mul(&e.x, &t1.x, &t2.x) - return e -} - -// Square sets e = t * t, and returns e. -func (e *P384Element) Square(t *P384Element) *P384Element { - p384Square(&e.x, &t.x) - return e -} - -// Select sets v to a if cond == 1, and to b if cond == 0. -func (v *P384Element) Select(a, b *P384Element, cond int) *P384Element { - p384Selectznz((*p384UntypedFieldElement)(&v.x), p384Uint1(cond), - (*p384UntypedFieldElement)(&b.x), (*p384UntypedFieldElement)(&a.x)) - return v -} - -func p384InvertEndianness(v []byte) { - for i := 0; i < len(v)/2; i++ { - v[i], v[len(v)-1-i] = v[len(v)-1-i], v[i] - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p384_fiat64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p384_fiat64.go deleted file mode 100644 index 979eadd2df3..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p384_fiat64.go +++ /dev/null @@ -1,3036 +0,0 @@ -// Code generated by Fiat Cryptography. DO NOT EDIT. -// -// Autogenerated: word_by_word_montgomery --lang Go --no-wide-int --cmovznz-by-mul --relax-primitive-carry-to-bitwidth 32,64 --internal-static --public-function-case camelCase --public-type-case camelCase --private-function-case camelCase --private-type-case camelCase --doc-text-before-function-name '' --doc-newline-before-package-declaration --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --package-name fiat --no-prefix-fiat p384 64 '2^384 - 2^128 - 2^96 + 2^32 - 1' mul square add sub one from_montgomery to_montgomery selectznz to_bytes from_bytes -// -// curve description: p384 -// -// machine_wordsize = 64 (from "64") -// -// requested operations: mul, square, add, sub, one, from_montgomery, to_montgomery, selectznz, to_bytes, from_bytes -// -// m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") -// -// -// -// NOTE: In addition to the bounds specified above each function, all -// -// functions synthesized for this Montgomery arithmetic require the -// -// input to be strictly less than the prime modulus (m), and also -// -// require the input to be in the unique saturated representation. -// -// All functions also ensure that these two properties are true of -// -// return values. -// -// -// -// Computed values: -// -// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) -// -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) -// -// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in -// -// if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 - -package fiat - -import "math/bits" - -type p384Uint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 -type p384Int1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 - -// The type p384MontgomeryDomainFieldElement is a field element in the Montgomery domain. -// -// Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -type p384MontgomeryDomainFieldElement [6]uint64 - -// The type p384NonMontgomeryDomainFieldElement is a field element NOT in the Montgomery domain. -// -// Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -type p384NonMontgomeryDomainFieldElement [6]uint64 - -// p384CmovznzU64 is a single-word conditional move. -// -// Postconditions: -// -// out1 = (if arg1 = 0 then arg2 else arg3) -// -// Input Bounds: -// -// arg1: [0x0 ~> 0x1] -// arg2: [0x0 ~> 0xffffffffffffffff] -// arg3: [0x0 ~> 0xffffffffffffffff] -// -// Output Bounds: -// -// out1: [0x0 ~> 0xffffffffffffffff] -func p384CmovznzU64(out1 *uint64, arg1 p384Uint1, arg2 uint64, arg3 uint64) { - x1 := (uint64(arg1) * 0xffffffffffffffff) - x2 := ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 -} - -// p384Mul multiplies two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p384Mul(out1 *p384MontgomeryDomainFieldElement, arg1 *p384MontgomeryDomainFieldElement, arg2 *p384MontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[4] - x5 := arg1[5] - x6 := arg1[0] - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x6, arg2[5]) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x6, arg2[4]) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x6, arg2[3]) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64(x6, arg2[2]) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64(x6, arg2[1]) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64(x6, arg2[0]) - var x19 uint64 - var x20 uint64 - x19, x20 = bits.Add64(x18, x15, uint64(0x0)) - var x21 uint64 - var x22 uint64 - x21, x22 = bits.Add64(x16, x13, uint64(p384Uint1(x20))) - var x23 uint64 - var x24 uint64 - x23, x24 = bits.Add64(x14, x11, uint64(p384Uint1(x22))) - var x25 uint64 - var x26 uint64 - x25, x26 = bits.Add64(x12, x9, uint64(p384Uint1(x24))) - var x27 uint64 - var x28 uint64 - x27, x28 = bits.Add64(x10, x7, uint64(p384Uint1(x26))) - x29 := (uint64(p384Uint1(x28)) + x8) - var x30 uint64 - _, x30 = bits.Mul64(x17, 0x100000001) - var x32 uint64 - var x33 uint64 - x33, x32 = bits.Mul64(x30, 0xffffffffffffffff) - var x34 uint64 - var x35 uint64 - x35, x34 = bits.Mul64(x30, 0xffffffffffffffff) - var x36 uint64 - var x37 uint64 - x37, x36 = bits.Mul64(x30, 0xffffffffffffffff) - var x38 uint64 - var x39 uint64 - x39, x38 = bits.Mul64(x30, 0xfffffffffffffffe) - var x40 uint64 - var x41 uint64 - x41, x40 = bits.Mul64(x30, 0xffffffff00000000) - var x42 uint64 - var x43 uint64 - x43, x42 = bits.Mul64(x30, 0xffffffff) - var x44 uint64 - var x45 uint64 - x44, x45 = bits.Add64(x43, x40, uint64(0x0)) - var x46 uint64 - var x47 uint64 - x46, x47 = bits.Add64(x41, x38, uint64(p384Uint1(x45))) - var x48 uint64 - var x49 uint64 - x48, x49 = bits.Add64(x39, x36, uint64(p384Uint1(x47))) - var x50 uint64 - var x51 uint64 - x50, x51 = bits.Add64(x37, x34, uint64(p384Uint1(x49))) - var x52 uint64 - var x53 uint64 - x52, x53 = bits.Add64(x35, x32, uint64(p384Uint1(x51))) - x54 := (uint64(p384Uint1(x53)) + x33) - var x56 uint64 - _, x56 = bits.Add64(x17, x42, uint64(0x0)) - var x57 uint64 - var x58 uint64 - x57, x58 = bits.Add64(x19, x44, uint64(p384Uint1(x56))) - var x59 uint64 - var x60 uint64 - x59, x60 = bits.Add64(x21, x46, uint64(p384Uint1(x58))) - var x61 uint64 - var x62 uint64 - x61, x62 = bits.Add64(x23, x48, uint64(p384Uint1(x60))) - var x63 uint64 - var x64 uint64 - x63, x64 = bits.Add64(x25, x50, uint64(p384Uint1(x62))) - var x65 uint64 - var x66 uint64 - x65, x66 = bits.Add64(x27, x52, uint64(p384Uint1(x64))) - var x67 uint64 - var x68 uint64 - x67, x68 = bits.Add64(x29, x54, uint64(p384Uint1(x66))) - var x69 uint64 - var x70 uint64 - x70, x69 = bits.Mul64(x1, arg2[5]) - var x71 uint64 - var x72 uint64 - x72, x71 = bits.Mul64(x1, arg2[4]) - var x73 uint64 - var x74 uint64 - x74, x73 = bits.Mul64(x1, arg2[3]) - var x75 uint64 - var x76 uint64 - x76, x75 = bits.Mul64(x1, arg2[2]) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64(x1, arg2[1]) - var x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64(x1, arg2[0]) - var x81 uint64 - var x82 uint64 - x81, x82 = bits.Add64(x80, x77, uint64(0x0)) - var x83 uint64 - var x84 uint64 - x83, x84 = bits.Add64(x78, x75, uint64(p384Uint1(x82))) - var x85 uint64 - var x86 uint64 - x85, x86 = bits.Add64(x76, x73, uint64(p384Uint1(x84))) - var x87 uint64 - var x88 uint64 - x87, x88 = bits.Add64(x74, x71, uint64(p384Uint1(x86))) - var x89 uint64 - var x90 uint64 - x89, x90 = bits.Add64(x72, x69, uint64(p384Uint1(x88))) - x91 := (uint64(p384Uint1(x90)) + x70) - var x92 uint64 - var x93 uint64 - x92, x93 = bits.Add64(x57, x79, uint64(0x0)) - var x94 uint64 - var x95 uint64 - x94, x95 = bits.Add64(x59, x81, uint64(p384Uint1(x93))) - var x96 uint64 - var x97 uint64 - x96, x97 = bits.Add64(x61, x83, uint64(p384Uint1(x95))) - var x98 uint64 - var x99 uint64 - x98, x99 = bits.Add64(x63, x85, uint64(p384Uint1(x97))) - var x100 uint64 - var x101 uint64 - x100, x101 = bits.Add64(x65, x87, uint64(p384Uint1(x99))) - var x102 uint64 - var x103 uint64 - x102, x103 = bits.Add64(x67, x89, uint64(p384Uint1(x101))) - var x104 uint64 - var x105 uint64 - x104, x105 = bits.Add64(uint64(p384Uint1(x68)), x91, uint64(p384Uint1(x103))) - var x106 uint64 - _, x106 = bits.Mul64(x92, 0x100000001) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(x106, 0xffffffffffffffff) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64(x106, 0xffffffffffffffff) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(x106, 0xffffffffffffffff) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(x106, 0xfffffffffffffffe) - var x116 uint64 - var x117 uint64 - x117, x116 = bits.Mul64(x106, 0xffffffff00000000) - var x118 uint64 - var x119 uint64 - x119, x118 = bits.Mul64(x106, 0xffffffff) - var x120 uint64 - var x121 uint64 - x120, x121 = bits.Add64(x119, x116, uint64(0x0)) - var x122 uint64 - var x123 uint64 - x122, x123 = bits.Add64(x117, x114, uint64(p384Uint1(x121))) - var x124 uint64 - var x125 uint64 - x124, x125 = bits.Add64(x115, x112, uint64(p384Uint1(x123))) - var x126 uint64 - var x127 uint64 - x126, x127 = bits.Add64(x113, x110, uint64(p384Uint1(x125))) - var x128 uint64 - var x129 uint64 - x128, x129 = bits.Add64(x111, x108, uint64(p384Uint1(x127))) - x130 := (uint64(p384Uint1(x129)) + x109) - var x132 uint64 - _, x132 = bits.Add64(x92, x118, uint64(0x0)) - var x133 uint64 - var x134 uint64 - x133, x134 = bits.Add64(x94, x120, uint64(p384Uint1(x132))) - var x135 uint64 - var x136 uint64 - x135, x136 = bits.Add64(x96, x122, uint64(p384Uint1(x134))) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x98, x124, uint64(p384Uint1(x136))) - var x139 uint64 - var x140 uint64 - x139, x140 = bits.Add64(x100, x126, uint64(p384Uint1(x138))) - var x141 uint64 - var x142 uint64 - x141, x142 = bits.Add64(x102, x128, uint64(p384Uint1(x140))) - var x143 uint64 - var x144 uint64 - x143, x144 = bits.Add64(x104, x130, uint64(p384Uint1(x142))) - x145 := (uint64(p384Uint1(x144)) + uint64(p384Uint1(x105))) - var x146 uint64 - var x147 uint64 - x147, x146 = bits.Mul64(x2, arg2[5]) - var x148 uint64 - var x149 uint64 - x149, x148 = bits.Mul64(x2, arg2[4]) - var x150 uint64 - var x151 uint64 - x151, x150 = bits.Mul64(x2, arg2[3]) - var x152 uint64 - var x153 uint64 - x153, x152 = bits.Mul64(x2, arg2[2]) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x2, arg2[1]) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x2, arg2[0]) - var x158 uint64 - var x159 uint64 - x158, x159 = bits.Add64(x157, x154, uint64(0x0)) - var x160 uint64 - var x161 uint64 - x160, x161 = bits.Add64(x155, x152, uint64(p384Uint1(x159))) - var x162 uint64 - var x163 uint64 - x162, x163 = bits.Add64(x153, x150, uint64(p384Uint1(x161))) - var x164 uint64 - var x165 uint64 - x164, x165 = bits.Add64(x151, x148, uint64(p384Uint1(x163))) - var x166 uint64 - var x167 uint64 - x166, x167 = bits.Add64(x149, x146, uint64(p384Uint1(x165))) - x168 := (uint64(p384Uint1(x167)) + x147) - var x169 uint64 - var x170 uint64 - x169, x170 = bits.Add64(x133, x156, uint64(0x0)) - var x171 uint64 - var x172 uint64 - x171, x172 = bits.Add64(x135, x158, uint64(p384Uint1(x170))) - var x173 uint64 - var x174 uint64 - x173, x174 = bits.Add64(x137, x160, uint64(p384Uint1(x172))) - var x175 uint64 - var x176 uint64 - x175, x176 = bits.Add64(x139, x162, uint64(p384Uint1(x174))) - var x177 uint64 - var x178 uint64 - x177, x178 = bits.Add64(x141, x164, uint64(p384Uint1(x176))) - var x179 uint64 - var x180 uint64 - x179, x180 = bits.Add64(x143, x166, uint64(p384Uint1(x178))) - var x181 uint64 - var x182 uint64 - x181, x182 = bits.Add64(x145, x168, uint64(p384Uint1(x180))) - var x183 uint64 - _, x183 = bits.Mul64(x169, 0x100000001) - var x185 uint64 - var x186 uint64 - x186, x185 = bits.Mul64(x183, 0xffffffffffffffff) - var x187 uint64 - var x188 uint64 - x188, x187 = bits.Mul64(x183, 0xffffffffffffffff) - var x189 uint64 - var x190 uint64 - x190, x189 = bits.Mul64(x183, 0xffffffffffffffff) - var x191 uint64 - var x192 uint64 - x192, x191 = bits.Mul64(x183, 0xfffffffffffffffe) - var x193 uint64 - var x194 uint64 - x194, x193 = bits.Mul64(x183, 0xffffffff00000000) - var x195 uint64 - var x196 uint64 - x196, x195 = bits.Mul64(x183, 0xffffffff) - var x197 uint64 - var x198 uint64 - x197, x198 = bits.Add64(x196, x193, uint64(0x0)) - var x199 uint64 - var x200 uint64 - x199, x200 = bits.Add64(x194, x191, uint64(p384Uint1(x198))) - var x201 uint64 - var x202 uint64 - x201, x202 = bits.Add64(x192, x189, uint64(p384Uint1(x200))) - var x203 uint64 - var x204 uint64 - x203, x204 = bits.Add64(x190, x187, uint64(p384Uint1(x202))) - var x205 uint64 - var x206 uint64 - x205, x206 = bits.Add64(x188, x185, uint64(p384Uint1(x204))) - x207 := (uint64(p384Uint1(x206)) + x186) - var x209 uint64 - _, x209 = bits.Add64(x169, x195, uint64(0x0)) - var x210 uint64 - var x211 uint64 - x210, x211 = bits.Add64(x171, x197, uint64(p384Uint1(x209))) - var x212 uint64 - var x213 uint64 - x212, x213 = bits.Add64(x173, x199, uint64(p384Uint1(x211))) - var x214 uint64 - var x215 uint64 - x214, x215 = bits.Add64(x175, x201, uint64(p384Uint1(x213))) - var x216 uint64 - var x217 uint64 - x216, x217 = bits.Add64(x177, x203, uint64(p384Uint1(x215))) - var x218 uint64 - var x219 uint64 - x218, x219 = bits.Add64(x179, x205, uint64(p384Uint1(x217))) - var x220 uint64 - var x221 uint64 - x220, x221 = bits.Add64(x181, x207, uint64(p384Uint1(x219))) - x222 := (uint64(p384Uint1(x221)) + uint64(p384Uint1(x182))) - var x223 uint64 - var x224 uint64 - x224, x223 = bits.Mul64(x3, arg2[5]) - var x225 uint64 - var x226 uint64 - x226, x225 = bits.Mul64(x3, arg2[4]) - var x227 uint64 - var x228 uint64 - x228, x227 = bits.Mul64(x3, arg2[3]) - var x229 uint64 - var x230 uint64 - x230, x229 = bits.Mul64(x3, arg2[2]) - var x231 uint64 - var x232 uint64 - x232, x231 = bits.Mul64(x3, arg2[1]) - var x233 uint64 - var x234 uint64 - x234, x233 = bits.Mul64(x3, arg2[0]) - var x235 uint64 - var x236 uint64 - x235, x236 = bits.Add64(x234, x231, uint64(0x0)) - var x237 uint64 - var x238 uint64 - x237, x238 = bits.Add64(x232, x229, uint64(p384Uint1(x236))) - var x239 uint64 - var x240 uint64 - x239, x240 = bits.Add64(x230, x227, uint64(p384Uint1(x238))) - var x241 uint64 - var x242 uint64 - x241, x242 = bits.Add64(x228, x225, uint64(p384Uint1(x240))) - var x243 uint64 - var x244 uint64 - x243, x244 = bits.Add64(x226, x223, uint64(p384Uint1(x242))) - x245 := (uint64(p384Uint1(x244)) + x224) - var x246 uint64 - var x247 uint64 - x246, x247 = bits.Add64(x210, x233, uint64(0x0)) - var x248 uint64 - var x249 uint64 - x248, x249 = bits.Add64(x212, x235, uint64(p384Uint1(x247))) - var x250 uint64 - var x251 uint64 - x250, x251 = bits.Add64(x214, x237, uint64(p384Uint1(x249))) - var x252 uint64 - var x253 uint64 - x252, x253 = bits.Add64(x216, x239, uint64(p384Uint1(x251))) - var x254 uint64 - var x255 uint64 - x254, x255 = bits.Add64(x218, x241, uint64(p384Uint1(x253))) - var x256 uint64 - var x257 uint64 - x256, x257 = bits.Add64(x220, x243, uint64(p384Uint1(x255))) - var x258 uint64 - var x259 uint64 - x258, x259 = bits.Add64(x222, x245, uint64(p384Uint1(x257))) - var x260 uint64 - _, x260 = bits.Mul64(x246, 0x100000001) - var x262 uint64 - var x263 uint64 - x263, x262 = bits.Mul64(x260, 0xffffffffffffffff) - var x264 uint64 - var x265 uint64 - x265, x264 = bits.Mul64(x260, 0xffffffffffffffff) - var x266 uint64 - var x267 uint64 - x267, x266 = bits.Mul64(x260, 0xffffffffffffffff) - var x268 uint64 - var x269 uint64 - x269, x268 = bits.Mul64(x260, 0xfffffffffffffffe) - var x270 uint64 - var x271 uint64 - x271, x270 = bits.Mul64(x260, 0xffffffff00000000) - var x272 uint64 - var x273 uint64 - x273, x272 = bits.Mul64(x260, 0xffffffff) - var x274 uint64 - var x275 uint64 - x274, x275 = bits.Add64(x273, x270, uint64(0x0)) - var x276 uint64 - var x277 uint64 - x276, x277 = bits.Add64(x271, x268, uint64(p384Uint1(x275))) - var x278 uint64 - var x279 uint64 - x278, x279 = bits.Add64(x269, x266, uint64(p384Uint1(x277))) - var x280 uint64 - var x281 uint64 - x280, x281 = bits.Add64(x267, x264, uint64(p384Uint1(x279))) - var x282 uint64 - var x283 uint64 - x282, x283 = bits.Add64(x265, x262, uint64(p384Uint1(x281))) - x284 := (uint64(p384Uint1(x283)) + x263) - var x286 uint64 - _, x286 = bits.Add64(x246, x272, uint64(0x0)) - var x287 uint64 - var x288 uint64 - x287, x288 = bits.Add64(x248, x274, uint64(p384Uint1(x286))) - var x289 uint64 - var x290 uint64 - x289, x290 = bits.Add64(x250, x276, uint64(p384Uint1(x288))) - var x291 uint64 - var x292 uint64 - x291, x292 = bits.Add64(x252, x278, uint64(p384Uint1(x290))) - var x293 uint64 - var x294 uint64 - x293, x294 = bits.Add64(x254, x280, uint64(p384Uint1(x292))) - var x295 uint64 - var x296 uint64 - x295, x296 = bits.Add64(x256, x282, uint64(p384Uint1(x294))) - var x297 uint64 - var x298 uint64 - x297, x298 = bits.Add64(x258, x284, uint64(p384Uint1(x296))) - x299 := (uint64(p384Uint1(x298)) + uint64(p384Uint1(x259))) - var x300 uint64 - var x301 uint64 - x301, x300 = bits.Mul64(x4, arg2[5]) - var x302 uint64 - var x303 uint64 - x303, x302 = bits.Mul64(x4, arg2[4]) - var x304 uint64 - var x305 uint64 - x305, x304 = bits.Mul64(x4, arg2[3]) - var x306 uint64 - var x307 uint64 - x307, x306 = bits.Mul64(x4, arg2[2]) - var x308 uint64 - var x309 uint64 - x309, x308 = bits.Mul64(x4, arg2[1]) - var x310 uint64 - var x311 uint64 - x311, x310 = bits.Mul64(x4, arg2[0]) - var x312 uint64 - var x313 uint64 - x312, x313 = bits.Add64(x311, x308, uint64(0x0)) - var x314 uint64 - var x315 uint64 - x314, x315 = bits.Add64(x309, x306, uint64(p384Uint1(x313))) - var x316 uint64 - var x317 uint64 - x316, x317 = bits.Add64(x307, x304, uint64(p384Uint1(x315))) - var x318 uint64 - var x319 uint64 - x318, x319 = bits.Add64(x305, x302, uint64(p384Uint1(x317))) - var x320 uint64 - var x321 uint64 - x320, x321 = bits.Add64(x303, x300, uint64(p384Uint1(x319))) - x322 := (uint64(p384Uint1(x321)) + x301) - var x323 uint64 - var x324 uint64 - x323, x324 = bits.Add64(x287, x310, uint64(0x0)) - var x325 uint64 - var x326 uint64 - x325, x326 = bits.Add64(x289, x312, uint64(p384Uint1(x324))) - var x327 uint64 - var x328 uint64 - x327, x328 = bits.Add64(x291, x314, uint64(p384Uint1(x326))) - var x329 uint64 - var x330 uint64 - x329, x330 = bits.Add64(x293, x316, uint64(p384Uint1(x328))) - var x331 uint64 - var x332 uint64 - x331, x332 = bits.Add64(x295, x318, uint64(p384Uint1(x330))) - var x333 uint64 - var x334 uint64 - x333, x334 = bits.Add64(x297, x320, uint64(p384Uint1(x332))) - var x335 uint64 - var x336 uint64 - x335, x336 = bits.Add64(x299, x322, uint64(p384Uint1(x334))) - var x337 uint64 - _, x337 = bits.Mul64(x323, 0x100000001) - var x339 uint64 - var x340 uint64 - x340, x339 = bits.Mul64(x337, 0xffffffffffffffff) - var x341 uint64 - var x342 uint64 - x342, x341 = bits.Mul64(x337, 0xffffffffffffffff) - var x343 uint64 - var x344 uint64 - x344, x343 = bits.Mul64(x337, 0xffffffffffffffff) - var x345 uint64 - var x346 uint64 - x346, x345 = bits.Mul64(x337, 0xfffffffffffffffe) - var x347 uint64 - var x348 uint64 - x348, x347 = bits.Mul64(x337, 0xffffffff00000000) - var x349 uint64 - var x350 uint64 - x350, x349 = bits.Mul64(x337, 0xffffffff) - var x351 uint64 - var x352 uint64 - x351, x352 = bits.Add64(x350, x347, uint64(0x0)) - var x353 uint64 - var x354 uint64 - x353, x354 = bits.Add64(x348, x345, uint64(p384Uint1(x352))) - var x355 uint64 - var x356 uint64 - x355, x356 = bits.Add64(x346, x343, uint64(p384Uint1(x354))) - var x357 uint64 - var x358 uint64 - x357, x358 = bits.Add64(x344, x341, uint64(p384Uint1(x356))) - var x359 uint64 - var x360 uint64 - x359, x360 = bits.Add64(x342, x339, uint64(p384Uint1(x358))) - x361 := (uint64(p384Uint1(x360)) + x340) - var x363 uint64 - _, x363 = bits.Add64(x323, x349, uint64(0x0)) - var x364 uint64 - var x365 uint64 - x364, x365 = bits.Add64(x325, x351, uint64(p384Uint1(x363))) - var x366 uint64 - var x367 uint64 - x366, x367 = bits.Add64(x327, x353, uint64(p384Uint1(x365))) - var x368 uint64 - var x369 uint64 - x368, x369 = bits.Add64(x329, x355, uint64(p384Uint1(x367))) - var x370 uint64 - var x371 uint64 - x370, x371 = bits.Add64(x331, x357, uint64(p384Uint1(x369))) - var x372 uint64 - var x373 uint64 - x372, x373 = bits.Add64(x333, x359, uint64(p384Uint1(x371))) - var x374 uint64 - var x375 uint64 - x374, x375 = bits.Add64(x335, x361, uint64(p384Uint1(x373))) - x376 := (uint64(p384Uint1(x375)) + uint64(p384Uint1(x336))) - var x377 uint64 - var x378 uint64 - x378, x377 = bits.Mul64(x5, arg2[5]) - var x379 uint64 - var x380 uint64 - x380, x379 = bits.Mul64(x5, arg2[4]) - var x381 uint64 - var x382 uint64 - x382, x381 = bits.Mul64(x5, arg2[3]) - var x383 uint64 - var x384 uint64 - x384, x383 = bits.Mul64(x5, arg2[2]) - var x385 uint64 - var x386 uint64 - x386, x385 = bits.Mul64(x5, arg2[1]) - var x387 uint64 - var x388 uint64 - x388, x387 = bits.Mul64(x5, arg2[0]) - var x389 uint64 - var x390 uint64 - x389, x390 = bits.Add64(x388, x385, uint64(0x0)) - var x391 uint64 - var x392 uint64 - x391, x392 = bits.Add64(x386, x383, uint64(p384Uint1(x390))) - var x393 uint64 - var x394 uint64 - x393, x394 = bits.Add64(x384, x381, uint64(p384Uint1(x392))) - var x395 uint64 - var x396 uint64 - x395, x396 = bits.Add64(x382, x379, uint64(p384Uint1(x394))) - var x397 uint64 - var x398 uint64 - x397, x398 = bits.Add64(x380, x377, uint64(p384Uint1(x396))) - x399 := (uint64(p384Uint1(x398)) + x378) - var x400 uint64 - var x401 uint64 - x400, x401 = bits.Add64(x364, x387, uint64(0x0)) - var x402 uint64 - var x403 uint64 - x402, x403 = bits.Add64(x366, x389, uint64(p384Uint1(x401))) - var x404 uint64 - var x405 uint64 - x404, x405 = bits.Add64(x368, x391, uint64(p384Uint1(x403))) - var x406 uint64 - var x407 uint64 - x406, x407 = bits.Add64(x370, x393, uint64(p384Uint1(x405))) - var x408 uint64 - var x409 uint64 - x408, x409 = bits.Add64(x372, x395, uint64(p384Uint1(x407))) - var x410 uint64 - var x411 uint64 - x410, x411 = bits.Add64(x374, x397, uint64(p384Uint1(x409))) - var x412 uint64 - var x413 uint64 - x412, x413 = bits.Add64(x376, x399, uint64(p384Uint1(x411))) - var x414 uint64 - _, x414 = bits.Mul64(x400, 0x100000001) - var x416 uint64 - var x417 uint64 - x417, x416 = bits.Mul64(x414, 0xffffffffffffffff) - var x418 uint64 - var x419 uint64 - x419, x418 = bits.Mul64(x414, 0xffffffffffffffff) - var x420 uint64 - var x421 uint64 - x421, x420 = bits.Mul64(x414, 0xffffffffffffffff) - var x422 uint64 - var x423 uint64 - x423, x422 = bits.Mul64(x414, 0xfffffffffffffffe) - var x424 uint64 - var x425 uint64 - x425, x424 = bits.Mul64(x414, 0xffffffff00000000) - var x426 uint64 - var x427 uint64 - x427, x426 = bits.Mul64(x414, 0xffffffff) - var x428 uint64 - var x429 uint64 - x428, x429 = bits.Add64(x427, x424, uint64(0x0)) - var x430 uint64 - var x431 uint64 - x430, x431 = bits.Add64(x425, x422, uint64(p384Uint1(x429))) - var x432 uint64 - var x433 uint64 - x432, x433 = bits.Add64(x423, x420, uint64(p384Uint1(x431))) - var x434 uint64 - var x435 uint64 - x434, x435 = bits.Add64(x421, x418, uint64(p384Uint1(x433))) - var x436 uint64 - var x437 uint64 - x436, x437 = bits.Add64(x419, x416, uint64(p384Uint1(x435))) - x438 := (uint64(p384Uint1(x437)) + x417) - var x440 uint64 - _, x440 = bits.Add64(x400, x426, uint64(0x0)) - var x441 uint64 - var x442 uint64 - x441, x442 = bits.Add64(x402, x428, uint64(p384Uint1(x440))) - var x443 uint64 - var x444 uint64 - x443, x444 = bits.Add64(x404, x430, uint64(p384Uint1(x442))) - var x445 uint64 - var x446 uint64 - x445, x446 = bits.Add64(x406, x432, uint64(p384Uint1(x444))) - var x447 uint64 - var x448 uint64 - x447, x448 = bits.Add64(x408, x434, uint64(p384Uint1(x446))) - var x449 uint64 - var x450 uint64 - x449, x450 = bits.Add64(x410, x436, uint64(p384Uint1(x448))) - var x451 uint64 - var x452 uint64 - x451, x452 = bits.Add64(x412, x438, uint64(p384Uint1(x450))) - x453 := (uint64(p384Uint1(x452)) + uint64(p384Uint1(x413))) - var x454 uint64 - var x455 uint64 - x454, x455 = bits.Sub64(x441, 0xffffffff, uint64(0x0)) - var x456 uint64 - var x457 uint64 - x456, x457 = bits.Sub64(x443, 0xffffffff00000000, uint64(p384Uint1(x455))) - var x458 uint64 - var x459 uint64 - x458, x459 = bits.Sub64(x445, 0xfffffffffffffffe, uint64(p384Uint1(x457))) - var x460 uint64 - var x461 uint64 - x460, x461 = bits.Sub64(x447, 0xffffffffffffffff, uint64(p384Uint1(x459))) - var x462 uint64 - var x463 uint64 - x462, x463 = bits.Sub64(x449, 0xffffffffffffffff, uint64(p384Uint1(x461))) - var x464 uint64 - var x465 uint64 - x464, x465 = bits.Sub64(x451, 0xffffffffffffffff, uint64(p384Uint1(x463))) - var x467 uint64 - _, x467 = bits.Sub64(x453, uint64(0x0), uint64(p384Uint1(x465))) - var x468 uint64 - p384CmovznzU64(&x468, p384Uint1(x467), x454, x441) - var x469 uint64 - p384CmovznzU64(&x469, p384Uint1(x467), x456, x443) - var x470 uint64 - p384CmovznzU64(&x470, p384Uint1(x467), x458, x445) - var x471 uint64 - p384CmovznzU64(&x471, p384Uint1(x467), x460, x447) - var x472 uint64 - p384CmovznzU64(&x472, p384Uint1(x467), x462, x449) - var x473 uint64 - p384CmovznzU64(&x473, p384Uint1(x467), x464, x451) - out1[0] = x468 - out1[1] = x469 - out1[2] = x470 - out1[3] = x471 - out1[4] = x472 - out1[5] = x473 -} - -// p384Square squares a field element in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m -// 0 ≤ eval out1 < m -func p384Square(out1 *p384MontgomeryDomainFieldElement, arg1 *p384MontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[4] - x5 := arg1[5] - x6 := arg1[0] - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x6, arg1[5]) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x6, arg1[4]) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x6, arg1[3]) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64(x6, arg1[2]) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64(x6, arg1[1]) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64(x6, arg1[0]) - var x19 uint64 - var x20 uint64 - x19, x20 = bits.Add64(x18, x15, uint64(0x0)) - var x21 uint64 - var x22 uint64 - x21, x22 = bits.Add64(x16, x13, uint64(p384Uint1(x20))) - var x23 uint64 - var x24 uint64 - x23, x24 = bits.Add64(x14, x11, uint64(p384Uint1(x22))) - var x25 uint64 - var x26 uint64 - x25, x26 = bits.Add64(x12, x9, uint64(p384Uint1(x24))) - var x27 uint64 - var x28 uint64 - x27, x28 = bits.Add64(x10, x7, uint64(p384Uint1(x26))) - x29 := (uint64(p384Uint1(x28)) + x8) - var x30 uint64 - _, x30 = bits.Mul64(x17, 0x100000001) - var x32 uint64 - var x33 uint64 - x33, x32 = bits.Mul64(x30, 0xffffffffffffffff) - var x34 uint64 - var x35 uint64 - x35, x34 = bits.Mul64(x30, 0xffffffffffffffff) - var x36 uint64 - var x37 uint64 - x37, x36 = bits.Mul64(x30, 0xffffffffffffffff) - var x38 uint64 - var x39 uint64 - x39, x38 = bits.Mul64(x30, 0xfffffffffffffffe) - var x40 uint64 - var x41 uint64 - x41, x40 = bits.Mul64(x30, 0xffffffff00000000) - var x42 uint64 - var x43 uint64 - x43, x42 = bits.Mul64(x30, 0xffffffff) - var x44 uint64 - var x45 uint64 - x44, x45 = bits.Add64(x43, x40, uint64(0x0)) - var x46 uint64 - var x47 uint64 - x46, x47 = bits.Add64(x41, x38, uint64(p384Uint1(x45))) - var x48 uint64 - var x49 uint64 - x48, x49 = bits.Add64(x39, x36, uint64(p384Uint1(x47))) - var x50 uint64 - var x51 uint64 - x50, x51 = bits.Add64(x37, x34, uint64(p384Uint1(x49))) - var x52 uint64 - var x53 uint64 - x52, x53 = bits.Add64(x35, x32, uint64(p384Uint1(x51))) - x54 := (uint64(p384Uint1(x53)) + x33) - var x56 uint64 - _, x56 = bits.Add64(x17, x42, uint64(0x0)) - var x57 uint64 - var x58 uint64 - x57, x58 = bits.Add64(x19, x44, uint64(p384Uint1(x56))) - var x59 uint64 - var x60 uint64 - x59, x60 = bits.Add64(x21, x46, uint64(p384Uint1(x58))) - var x61 uint64 - var x62 uint64 - x61, x62 = bits.Add64(x23, x48, uint64(p384Uint1(x60))) - var x63 uint64 - var x64 uint64 - x63, x64 = bits.Add64(x25, x50, uint64(p384Uint1(x62))) - var x65 uint64 - var x66 uint64 - x65, x66 = bits.Add64(x27, x52, uint64(p384Uint1(x64))) - var x67 uint64 - var x68 uint64 - x67, x68 = bits.Add64(x29, x54, uint64(p384Uint1(x66))) - var x69 uint64 - var x70 uint64 - x70, x69 = bits.Mul64(x1, arg1[5]) - var x71 uint64 - var x72 uint64 - x72, x71 = bits.Mul64(x1, arg1[4]) - var x73 uint64 - var x74 uint64 - x74, x73 = bits.Mul64(x1, arg1[3]) - var x75 uint64 - var x76 uint64 - x76, x75 = bits.Mul64(x1, arg1[2]) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64(x1, arg1[1]) - var x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64(x1, arg1[0]) - var x81 uint64 - var x82 uint64 - x81, x82 = bits.Add64(x80, x77, uint64(0x0)) - var x83 uint64 - var x84 uint64 - x83, x84 = bits.Add64(x78, x75, uint64(p384Uint1(x82))) - var x85 uint64 - var x86 uint64 - x85, x86 = bits.Add64(x76, x73, uint64(p384Uint1(x84))) - var x87 uint64 - var x88 uint64 - x87, x88 = bits.Add64(x74, x71, uint64(p384Uint1(x86))) - var x89 uint64 - var x90 uint64 - x89, x90 = bits.Add64(x72, x69, uint64(p384Uint1(x88))) - x91 := (uint64(p384Uint1(x90)) + x70) - var x92 uint64 - var x93 uint64 - x92, x93 = bits.Add64(x57, x79, uint64(0x0)) - var x94 uint64 - var x95 uint64 - x94, x95 = bits.Add64(x59, x81, uint64(p384Uint1(x93))) - var x96 uint64 - var x97 uint64 - x96, x97 = bits.Add64(x61, x83, uint64(p384Uint1(x95))) - var x98 uint64 - var x99 uint64 - x98, x99 = bits.Add64(x63, x85, uint64(p384Uint1(x97))) - var x100 uint64 - var x101 uint64 - x100, x101 = bits.Add64(x65, x87, uint64(p384Uint1(x99))) - var x102 uint64 - var x103 uint64 - x102, x103 = bits.Add64(x67, x89, uint64(p384Uint1(x101))) - var x104 uint64 - var x105 uint64 - x104, x105 = bits.Add64(uint64(p384Uint1(x68)), x91, uint64(p384Uint1(x103))) - var x106 uint64 - _, x106 = bits.Mul64(x92, 0x100000001) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(x106, 0xffffffffffffffff) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64(x106, 0xffffffffffffffff) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(x106, 0xffffffffffffffff) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(x106, 0xfffffffffffffffe) - var x116 uint64 - var x117 uint64 - x117, x116 = bits.Mul64(x106, 0xffffffff00000000) - var x118 uint64 - var x119 uint64 - x119, x118 = bits.Mul64(x106, 0xffffffff) - var x120 uint64 - var x121 uint64 - x120, x121 = bits.Add64(x119, x116, uint64(0x0)) - var x122 uint64 - var x123 uint64 - x122, x123 = bits.Add64(x117, x114, uint64(p384Uint1(x121))) - var x124 uint64 - var x125 uint64 - x124, x125 = bits.Add64(x115, x112, uint64(p384Uint1(x123))) - var x126 uint64 - var x127 uint64 - x126, x127 = bits.Add64(x113, x110, uint64(p384Uint1(x125))) - var x128 uint64 - var x129 uint64 - x128, x129 = bits.Add64(x111, x108, uint64(p384Uint1(x127))) - x130 := (uint64(p384Uint1(x129)) + x109) - var x132 uint64 - _, x132 = bits.Add64(x92, x118, uint64(0x0)) - var x133 uint64 - var x134 uint64 - x133, x134 = bits.Add64(x94, x120, uint64(p384Uint1(x132))) - var x135 uint64 - var x136 uint64 - x135, x136 = bits.Add64(x96, x122, uint64(p384Uint1(x134))) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x98, x124, uint64(p384Uint1(x136))) - var x139 uint64 - var x140 uint64 - x139, x140 = bits.Add64(x100, x126, uint64(p384Uint1(x138))) - var x141 uint64 - var x142 uint64 - x141, x142 = bits.Add64(x102, x128, uint64(p384Uint1(x140))) - var x143 uint64 - var x144 uint64 - x143, x144 = bits.Add64(x104, x130, uint64(p384Uint1(x142))) - x145 := (uint64(p384Uint1(x144)) + uint64(p384Uint1(x105))) - var x146 uint64 - var x147 uint64 - x147, x146 = bits.Mul64(x2, arg1[5]) - var x148 uint64 - var x149 uint64 - x149, x148 = bits.Mul64(x2, arg1[4]) - var x150 uint64 - var x151 uint64 - x151, x150 = bits.Mul64(x2, arg1[3]) - var x152 uint64 - var x153 uint64 - x153, x152 = bits.Mul64(x2, arg1[2]) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x2, arg1[1]) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x2, arg1[0]) - var x158 uint64 - var x159 uint64 - x158, x159 = bits.Add64(x157, x154, uint64(0x0)) - var x160 uint64 - var x161 uint64 - x160, x161 = bits.Add64(x155, x152, uint64(p384Uint1(x159))) - var x162 uint64 - var x163 uint64 - x162, x163 = bits.Add64(x153, x150, uint64(p384Uint1(x161))) - var x164 uint64 - var x165 uint64 - x164, x165 = bits.Add64(x151, x148, uint64(p384Uint1(x163))) - var x166 uint64 - var x167 uint64 - x166, x167 = bits.Add64(x149, x146, uint64(p384Uint1(x165))) - x168 := (uint64(p384Uint1(x167)) + x147) - var x169 uint64 - var x170 uint64 - x169, x170 = bits.Add64(x133, x156, uint64(0x0)) - var x171 uint64 - var x172 uint64 - x171, x172 = bits.Add64(x135, x158, uint64(p384Uint1(x170))) - var x173 uint64 - var x174 uint64 - x173, x174 = bits.Add64(x137, x160, uint64(p384Uint1(x172))) - var x175 uint64 - var x176 uint64 - x175, x176 = bits.Add64(x139, x162, uint64(p384Uint1(x174))) - var x177 uint64 - var x178 uint64 - x177, x178 = bits.Add64(x141, x164, uint64(p384Uint1(x176))) - var x179 uint64 - var x180 uint64 - x179, x180 = bits.Add64(x143, x166, uint64(p384Uint1(x178))) - var x181 uint64 - var x182 uint64 - x181, x182 = bits.Add64(x145, x168, uint64(p384Uint1(x180))) - var x183 uint64 - _, x183 = bits.Mul64(x169, 0x100000001) - var x185 uint64 - var x186 uint64 - x186, x185 = bits.Mul64(x183, 0xffffffffffffffff) - var x187 uint64 - var x188 uint64 - x188, x187 = bits.Mul64(x183, 0xffffffffffffffff) - var x189 uint64 - var x190 uint64 - x190, x189 = bits.Mul64(x183, 0xffffffffffffffff) - var x191 uint64 - var x192 uint64 - x192, x191 = bits.Mul64(x183, 0xfffffffffffffffe) - var x193 uint64 - var x194 uint64 - x194, x193 = bits.Mul64(x183, 0xffffffff00000000) - var x195 uint64 - var x196 uint64 - x196, x195 = bits.Mul64(x183, 0xffffffff) - var x197 uint64 - var x198 uint64 - x197, x198 = bits.Add64(x196, x193, uint64(0x0)) - var x199 uint64 - var x200 uint64 - x199, x200 = bits.Add64(x194, x191, uint64(p384Uint1(x198))) - var x201 uint64 - var x202 uint64 - x201, x202 = bits.Add64(x192, x189, uint64(p384Uint1(x200))) - var x203 uint64 - var x204 uint64 - x203, x204 = bits.Add64(x190, x187, uint64(p384Uint1(x202))) - var x205 uint64 - var x206 uint64 - x205, x206 = bits.Add64(x188, x185, uint64(p384Uint1(x204))) - x207 := (uint64(p384Uint1(x206)) + x186) - var x209 uint64 - _, x209 = bits.Add64(x169, x195, uint64(0x0)) - var x210 uint64 - var x211 uint64 - x210, x211 = bits.Add64(x171, x197, uint64(p384Uint1(x209))) - var x212 uint64 - var x213 uint64 - x212, x213 = bits.Add64(x173, x199, uint64(p384Uint1(x211))) - var x214 uint64 - var x215 uint64 - x214, x215 = bits.Add64(x175, x201, uint64(p384Uint1(x213))) - var x216 uint64 - var x217 uint64 - x216, x217 = bits.Add64(x177, x203, uint64(p384Uint1(x215))) - var x218 uint64 - var x219 uint64 - x218, x219 = bits.Add64(x179, x205, uint64(p384Uint1(x217))) - var x220 uint64 - var x221 uint64 - x220, x221 = bits.Add64(x181, x207, uint64(p384Uint1(x219))) - x222 := (uint64(p384Uint1(x221)) + uint64(p384Uint1(x182))) - var x223 uint64 - var x224 uint64 - x224, x223 = bits.Mul64(x3, arg1[5]) - var x225 uint64 - var x226 uint64 - x226, x225 = bits.Mul64(x3, arg1[4]) - var x227 uint64 - var x228 uint64 - x228, x227 = bits.Mul64(x3, arg1[3]) - var x229 uint64 - var x230 uint64 - x230, x229 = bits.Mul64(x3, arg1[2]) - var x231 uint64 - var x232 uint64 - x232, x231 = bits.Mul64(x3, arg1[1]) - var x233 uint64 - var x234 uint64 - x234, x233 = bits.Mul64(x3, arg1[0]) - var x235 uint64 - var x236 uint64 - x235, x236 = bits.Add64(x234, x231, uint64(0x0)) - var x237 uint64 - var x238 uint64 - x237, x238 = bits.Add64(x232, x229, uint64(p384Uint1(x236))) - var x239 uint64 - var x240 uint64 - x239, x240 = bits.Add64(x230, x227, uint64(p384Uint1(x238))) - var x241 uint64 - var x242 uint64 - x241, x242 = bits.Add64(x228, x225, uint64(p384Uint1(x240))) - var x243 uint64 - var x244 uint64 - x243, x244 = bits.Add64(x226, x223, uint64(p384Uint1(x242))) - x245 := (uint64(p384Uint1(x244)) + x224) - var x246 uint64 - var x247 uint64 - x246, x247 = bits.Add64(x210, x233, uint64(0x0)) - var x248 uint64 - var x249 uint64 - x248, x249 = bits.Add64(x212, x235, uint64(p384Uint1(x247))) - var x250 uint64 - var x251 uint64 - x250, x251 = bits.Add64(x214, x237, uint64(p384Uint1(x249))) - var x252 uint64 - var x253 uint64 - x252, x253 = bits.Add64(x216, x239, uint64(p384Uint1(x251))) - var x254 uint64 - var x255 uint64 - x254, x255 = bits.Add64(x218, x241, uint64(p384Uint1(x253))) - var x256 uint64 - var x257 uint64 - x256, x257 = bits.Add64(x220, x243, uint64(p384Uint1(x255))) - var x258 uint64 - var x259 uint64 - x258, x259 = bits.Add64(x222, x245, uint64(p384Uint1(x257))) - var x260 uint64 - _, x260 = bits.Mul64(x246, 0x100000001) - var x262 uint64 - var x263 uint64 - x263, x262 = bits.Mul64(x260, 0xffffffffffffffff) - var x264 uint64 - var x265 uint64 - x265, x264 = bits.Mul64(x260, 0xffffffffffffffff) - var x266 uint64 - var x267 uint64 - x267, x266 = bits.Mul64(x260, 0xffffffffffffffff) - var x268 uint64 - var x269 uint64 - x269, x268 = bits.Mul64(x260, 0xfffffffffffffffe) - var x270 uint64 - var x271 uint64 - x271, x270 = bits.Mul64(x260, 0xffffffff00000000) - var x272 uint64 - var x273 uint64 - x273, x272 = bits.Mul64(x260, 0xffffffff) - var x274 uint64 - var x275 uint64 - x274, x275 = bits.Add64(x273, x270, uint64(0x0)) - var x276 uint64 - var x277 uint64 - x276, x277 = bits.Add64(x271, x268, uint64(p384Uint1(x275))) - var x278 uint64 - var x279 uint64 - x278, x279 = bits.Add64(x269, x266, uint64(p384Uint1(x277))) - var x280 uint64 - var x281 uint64 - x280, x281 = bits.Add64(x267, x264, uint64(p384Uint1(x279))) - var x282 uint64 - var x283 uint64 - x282, x283 = bits.Add64(x265, x262, uint64(p384Uint1(x281))) - x284 := (uint64(p384Uint1(x283)) + x263) - var x286 uint64 - _, x286 = bits.Add64(x246, x272, uint64(0x0)) - var x287 uint64 - var x288 uint64 - x287, x288 = bits.Add64(x248, x274, uint64(p384Uint1(x286))) - var x289 uint64 - var x290 uint64 - x289, x290 = bits.Add64(x250, x276, uint64(p384Uint1(x288))) - var x291 uint64 - var x292 uint64 - x291, x292 = bits.Add64(x252, x278, uint64(p384Uint1(x290))) - var x293 uint64 - var x294 uint64 - x293, x294 = bits.Add64(x254, x280, uint64(p384Uint1(x292))) - var x295 uint64 - var x296 uint64 - x295, x296 = bits.Add64(x256, x282, uint64(p384Uint1(x294))) - var x297 uint64 - var x298 uint64 - x297, x298 = bits.Add64(x258, x284, uint64(p384Uint1(x296))) - x299 := (uint64(p384Uint1(x298)) + uint64(p384Uint1(x259))) - var x300 uint64 - var x301 uint64 - x301, x300 = bits.Mul64(x4, arg1[5]) - var x302 uint64 - var x303 uint64 - x303, x302 = bits.Mul64(x4, arg1[4]) - var x304 uint64 - var x305 uint64 - x305, x304 = bits.Mul64(x4, arg1[3]) - var x306 uint64 - var x307 uint64 - x307, x306 = bits.Mul64(x4, arg1[2]) - var x308 uint64 - var x309 uint64 - x309, x308 = bits.Mul64(x4, arg1[1]) - var x310 uint64 - var x311 uint64 - x311, x310 = bits.Mul64(x4, arg1[0]) - var x312 uint64 - var x313 uint64 - x312, x313 = bits.Add64(x311, x308, uint64(0x0)) - var x314 uint64 - var x315 uint64 - x314, x315 = bits.Add64(x309, x306, uint64(p384Uint1(x313))) - var x316 uint64 - var x317 uint64 - x316, x317 = bits.Add64(x307, x304, uint64(p384Uint1(x315))) - var x318 uint64 - var x319 uint64 - x318, x319 = bits.Add64(x305, x302, uint64(p384Uint1(x317))) - var x320 uint64 - var x321 uint64 - x320, x321 = bits.Add64(x303, x300, uint64(p384Uint1(x319))) - x322 := (uint64(p384Uint1(x321)) + x301) - var x323 uint64 - var x324 uint64 - x323, x324 = bits.Add64(x287, x310, uint64(0x0)) - var x325 uint64 - var x326 uint64 - x325, x326 = bits.Add64(x289, x312, uint64(p384Uint1(x324))) - var x327 uint64 - var x328 uint64 - x327, x328 = bits.Add64(x291, x314, uint64(p384Uint1(x326))) - var x329 uint64 - var x330 uint64 - x329, x330 = bits.Add64(x293, x316, uint64(p384Uint1(x328))) - var x331 uint64 - var x332 uint64 - x331, x332 = bits.Add64(x295, x318, uint64(p384Uint1(x330))) - var x333 uint64 - var x334 uint64 - x333, x334 = bits.Add64(x297, x320, uint64(p384Uint1(x332))) - var x335 uint64 - var x336 uint64 - x335, x336 = bits.Add64(x299, x322, uint64(p384Uint1(x334))) - var x337 uint64 - _, x337 = bits.Mul64(x323, 0x100000001) - var x339 uint64 - var x340 uint64 - x340, x339 = bits.Mul64(x337, 0xffffffffffffffff) - var x341 uint64 - var x342 uint64 - x342, x341 = bits.Mul64(x337, 0xffffffffffffffff) - var x343 uint64 - var x344 uint64 - x344, x343 = bits.Mul64(x337, 0xffffffffffffffff) - var x345 uint64 - var x346 uint64 - x346, x345 = bits.Mul64(x337, 0xfffffffffffffffe) - var x347 uint64 - var x348 uint64 - x348, x347 = bits.Mul64(x337, 0xffffffff00000000) - var x349 uint64 - var x350 uint64 - x350, x349 = bits.Mul64(x337, 0xffffffff) - var x351 uint64 - var x352 uint64 - x351, x352 = bits.Add64(x350, x347, uint64(0x0)) - var x353 uint64 - var x354 uint64 - x353, x354 = bits.Add64(x348, x345, uint64(p384Uint1(x352))) - var x355 uint64 - var x356 uint64 - x355, x356 = bits.Add64(x346, x343, uint64(p384Uint1(x354))) - var x357 uint64 - var x358 uint64 - x357, x358 = bits.Add64(x344, x341, uint64(p384Uint1(x356))) - var x359 uint64 - var x360 uint64 - x359, x360 = bits.Add64(x342, x339, uint64(p384Uint1(x358))) - x361 := (uint64(p384Uint1(x360)) + x340) - var x363 uint64 - _, x363 = bits.Add64(x323, x349, uint64(0x0)) - var x364 uint64 - var x365 uint64 - x364, x365 = bits.Add64(x325, x351, uint64(p384Uint1(x363))) - var x366 uint64 - var x367 uint64 - x366, x367 = bits.Add64(x327, x353, uint64(p384Uint1(x365))) - var x368 uint64 - var x369 uint64 - x368, x369 = bits.Add64(x329, x355, uint64(p384Uint1(x367))) - var x370 uint64 - var x371 uint64 - x370, x371 = bits.Add64(x331, x357, uint64(p384Uint1(x369))) - var x372 uint64 - var x373 uint64 - x372, x373 = bits.Add64(x333, x359, uint64(p384Uint1(x371))) - var x374 uint64 - var x375 uint64 - x374, x375 = bits.Add64(x335, x361, uint64(p384Uint1(x373))) - x376 := (uint64(p384Uint1(x375)) + uint64(p384Uint1(x336))) - var x377 uint64 - var x378 uint64 - x378, x377 = bits.Mul64(x5, arg1[5]) - var x379 uint64 - var x380 uint64 - x380, x379 = bits.Mul64(x5, arg1[4]) - var x381 uint64 - var x382 uint64 - x382, x381 = bits.Mul64(x5, arg1[3]) - var x383 uint64 - var x384 uint64 - x384, x383 = bits.Mul64(x5, arg1[2]) - var x385 uint64 - var x386 uint64 - x386, x385 = bits.Mul64(x5, arg1[1]) - var x387 uint64 - var x388 uint64 - x388, x387 = bits.Mul64(x5, arg1[0]) - var x389 uint64 - var x390 uint64 - x389, x390 = bits.Add64(x388, x385, uint64(0x0)) - var x391 uint64 - var x392 uint64 - x391, x392 = bits.Add64(x386, x383, uint64(p384Uint1(x390))) - var x393 uint64 - var x394 uint64 - x393, x394 = bits.Add64(x384, x381, uint64(p384Uint1(x392))) - var x395 uint64 - var x396 uint64 - x395, x396 = bits.Add64(x382, x379, uint64(p384Uint1(x394))) - var x397 uint64 - var x398 uint64 - x397, x398 = bits.Add64(x380, x377, uint64(p384Uint1(x396))) - x399 := (uint64(p384Uint1(x398)) + x378) - var x400 uint64 - var x401 uint64 - x400, x401 = bits.Add64(x364, x387, uint64(0x0)) - var x402 uint64 - var x403 uint64 - x402, x403 = bits.Add64(x366, x389, uint64(p384Uint1(x401))) - var x404 uint64 - var x405 uint64 - x404, x405 = bits.Add64(x368, x391, uint64(p384Uint1(x403))) - var x406 uint64 - var x407 uint64 - x406, x407 = bits.Add64(x370, x393, uint64(p384Uint1(x405))) - var x408 uint64 - var x409 uint64 - x408, x409 = bits.Add64(x372, x395, uint64(p384Uint1(x407))) - var x410 uint64 - var x411 uint64 - x410, x411 = bits.Add64(x374, x397, uint64(p384Uint1(x409))) - var x412 uint64 - var x413 uint64 - x412, x413 = bits.Add64(x376, x399, uint64(p384Uint1(x411))) - var x414 uint64 - _, x414 = bits.Mul64(x400, 0x100000001) - var x416 uint64 - var x417 uint64 - x417, x416 = bits.Mul64(x414, 0xffffffffffffffff) - var x418 uint64 - var x419 uint64 - x419, x418 = bits.Mul64(x414, 0xffffffffffffffff) - var x420 uint64 - var x421 uint64 - x421, x420 = bits.Mul64(x414, 0xffffffffffffffff) - var x422 uint64 - var x423 uint64 - x423, x422 = bits.Mul64(x414, 0xfffffffffffffffe) - var x424 uint64 - var x425 uint64 - x425, x424 = bits.Mul64(x414, 0xffffffff00000000) - var x426 uint64 - var x427 uint64 - x427, x426 = bits.Mul64(x414, 0xffffffff) - var x428 uint64 - var x429 uint64 - x428, x429 = bits.Add64(x427, x424, uint64(0x0)) - var x430 uint64 - var x431 uint64 - x430, x431 = bits.Add64(x425, x422, uint64(p384Uint1(x429))) - var x432 uint64 - var x433 uint64 - x432, x433 = bits.Add64(x423, x420, uint64(p384Uint1(x431))) - var x434 uint64 - var x435 uint64 - x434, x435 = bits.Add64(x421, x418, uint64(p384Uint1(x433))) - var x436 uint64 - var x437 uint64 - x436, x437 = bits.Add64(x419, x416, uint64(p384Uint1(x435))) - x438 := (uint64(p384Uint1(x437)) + x417) - var x440 uint64 - _, x440 = bits.Add64(x400, x426, uint64(0x0)) - var x441 uint64 - var x442 uint64 - x441, x442 = bits.Add64(x402, x428, uint64(p384Uint1(x440))) - var x443 uint64 - var x444 uint64 - x443, x444 = bits.Add64(x404, x430, uint64(p384Uint1(x442))) - var x445 uint64 - var x446 uint64 - x445, x446 = bits.Add64(x406, x432, uint64(p384Uint1(x444))) - var x447 uint64 - var x448 uint64 - x447, x448 = bits.Add64(x408, x434, uint64(p384Uint1(x446))) - var x449 uint64 - var x450 uint64 - x449, x450 = bits.Add64(x410, x436, uint64(p384Uint1(x448))) - var x451 uint64 - var x452 uint64 - x451, x452 = bits.Add64(x412, x438, uint64(p384Uint1(x450))) - x453 := (uint64(p384Uint1(x452)) + uint64(p384Uint1(x413))) - var x454 uint64 - var x455 uint64 - x454, x455 = bits.Sub64(x441, 0xffffffff, uint64(0x0)) - var x456 uint64 - var x457 uint64 - x456, x457 = bits.Sub64(x443, 0xffffffff00000000, uint64(p384Uint1(x455))) - var x458 uint64 - var x459 uint64 - x458, x459 = bits.Sub64(x445, 0xfffffffffffffffe, uint64(p384Uint1(x457))) - var x460 uint64 - var x461 uint64 - x460, x461 = bits.Sub64(x447, 0xffffffffffffffff, uint64(p384Uint1(x459))) - var x462 uint64 - var x463 uint64 - x462, x463 = bits.Sub64(x449, 0xffffffffffffffff, uint64(p384Uint1(x461))) - var x464 uint64 - var x465 uint64 - x464, x465 = bits.Sub64(x451, 0xffffffffffffffff, uint64(p384Uint1(x463))) - var x467 uint64 - _, x467 = bits.Sub64(x453, uint64(0x0), uint64(p384Uint1(x465))) - var x468 uint64 - p384CmovznzU64(&x468, p384Uint1(x467), x454, x441) - var x469 uint64 - p384CmovznzU64(&x469, p384Uint1(x467), x456, x443) - var x470 uint64 - p384CmovznzU64(&x470, p384Uint1(x467), x458, x445) - var x471 uint64 - p384CmovznzU64(&x471, p384Uint1(x467), x460, x447) - var x472 uint64 - p384CmovznzU64(&x472, p384Uint1(x467), x462, x449) - var x473 uint64 - p384CmovznzU64(&x473, p384Uint1(x467), x464, x451) - out1[0] = x468 - out1[1] = x469 - out1[2] = x470 - out1[3] = x471 - out1[4] = x472 - out1[5] = x473 -} - -// p384Add adds two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p384Add(out1 *p384MontgomeryDomainFieldElement, arg1 *p384MontgomeryDomainFieldElement, arg2 *p384MontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Add64(arg1[0], arg2[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Add64(arg1[1], arg2[1], uint64(p384Uint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Add64(arg1[2], arg2[2], uint64(p384Uint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Add64(arg1[3], arg2[3], uint64(p384Uint1(x6))) - var x9 uint64 - var x10 uint64 - x9, x10 = bits.Add64(arg1[4], arg2[4], uint64(p384Uint1(x8))) - var x11 uint64 - var x12 uint64 - x11, x12 = bits.Add64(arg1[5], arg2[5], uint64(p384Uint1(x10))) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Sub64(x1, 0xffffffff, uint64(0x0)) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Sub64(x3, 0xffffffff00000000, uint64(p384Uint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Sub64(x5, 0xfffffffffffffffe, uint64(p384Uint1(x16))) - var x19 uint64 - var x20 uint64 - x19, x20 = bits.Sub64(x7, 0xffffffffffffffff, uint64(p384Uint1(x18))) - var x21 uint64 - var x22 uint64 - x21, x22 = bits.Sub64(x9, 0xffffffffffffffff, uint64(p384Uint1(x20))) - var x23 uint64 - var x24 uint64 - x23, x24 = bits.Sub64(x11, 0xffffffffffffffff, uint64(p384Uint1(x22))) - var x26 uint64 - _, x26 = bits.Sub64(uint64(p384Uint1(x12)), uint64(0x0), uint64(p384Uint1(x24))) - var x27 uint64 - p384CmovznzU64(&x27, p384Uint1(x26), x13, x1) - var x28 uint64 - p384CmovznzU64(&x28, p384Uint1(x26), x15, x3) - var x29 uint64 - p384CmovznzU64(&x29, p384Uint1(x26), x17, x5) - var x30 uint64 - p384CmovznzU64(&x30, p384Uint1(x26), x19, x7) - var x31 uint64 - p384CmovznzU64(&x31, p384Uint1(x26), x21, x9) - var x32 uint64 - p384CmovznzU64(&x32, p384Uint1(x26), x23, x11) - out1[0] = x27 - out1[1] = x28 - out1[2] = x29 - out1[3] = x30 - out1[4] = x31 - out1[5] = x32 -} - -// p384Sub subtracts two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p384Sub(out1 *p384MontgomeryDomainFieldElement, arg1 *p384MontgomeryDomainFieldElement, arg2 *p384MontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Sub64(arg1[0], arg2[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Sub64(arg1[1], arg2[1], uint64(p384Uint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Sub64(arg1[2], arg2[2], uint64(p384Uint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Sub64(arg1[3], arg2[3], uint64(p384Uint1(x6))) - var x9 uint64 - var x10 uint64 - x9, x10 = bits.Sub64(arg1[4], arg2[4], uint64(p384Uint1(x8))) - var x11 uint64 - var x12 uint64 - x11, x12 = bits.Sub64(arg1[5], arg2[5], uint64(p384Uint1(x10))) - var x13 uint64 - p384CmovznzU64(&x13, p384Uint1(x12), uint64(0x0), 0xffffffffffffffff) - var x14 uint64 - var x15 uint64 - x14, x15 = bits.Add64(x1, (x13 & 0xffffffff), uint64(0x0)) - var x16 uint64 - var x17 uint64 - x16, x17 = bits.Add64(x3, (x13 & 0xffffffff00000000), uint64(p384Uint1(x15))) - var x18 uint64 - var x19 uint64 - x18, x19 = bits.Add64(x5, (x13 & 0xfffffffffffffffe), uint64(p384Uint1(x17))) - var x20 uint64 - var x21 uint64 - x20, x21 = bits.Add64(x7, x13, uint64(p384Uint1(x19))) - var x22 uint64 - var x23 uint64 - x22, x23 = bits.Add64(x9, x13, uint64(p384Uint1(x21))) - var x24 uint64 - x24, _ = bits.Add64(x11, x13, uint64(p384Uint1(x23))) - out1[0] = x14 - out1[1] = x16 - out1[2] = x18 - out1[3] = x20 - out1[4] = x22 - out1[5] = x24 -} - -// p384SetOne returns the field element one in the Montgomery domain. -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = 1 mod m -// 0 ≤ eval out1 < m -func p384SetOne(out1 *p384MontgomeryDomainFieldElement) { - out1[0] = 0xffffffff00000001 - out1[1] = 0xffffffff - out1[2] = uint64(0x1) - out1[3] = uint64(0x0) - out1[4] = uint64(0x0) - out1[5] = uint64(0x0) -} - -// p384FromMontgomery translates a field element out of the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^6) mod m -// 0 ≤ eval out1 < m -func p384FromMontgomery(out1 *p384NonMontgomeryDomainFieldElement, arg1 *p384MontgomeryDomainFieldElement) { - x1 := arg1[0] - var x2 uint64 - _, x2 = bits.Mul64(x1, 0x100000001) - var x4 uint64 - var x5 uint64 - x5, x4 = bits.Mul64(x2, 0xffffffffffffffff) - var x6 uint64 - var x7 uint64 - x7, x6 = bits.Mul64(x2, 0xffffffffffffffff) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x2, 0xffffffffffffffff) - var x10 uint64 - var x11 uint64 - x11, x10 = bits.Mul64(x2, 0xfffffffffffffffe) - var x12 uint64 - var x13 uint64 - x13, x12 = bits.Mul64(x2, 0xffffffff00000000) - var x14 uint64 - var x15 uint64 - x15, x14 = bits.Mul64(x2, 0xffffffff) - var x16 uint64 - var x17 uint64 - x16, x17 = bits.Add64(x15, x12, uint64(0x0)) - var x18 uint64 - var x19 uint64 - x18, x19 = bits.Add64(x13, x10, uint64(p384Uint1(x17))) - var x20 uint64 - var x21 uint64 - x20, x21 = bits.Add64(x11, x8, uint64(p384Uint1(x19))) - var x22 uint64 - var x23 uint64 - x22, x23 = bits.Add64(x9, x6, uint64(p384Uint1(x21))) - var x24 uint64 - var x25 uint64 - x24, x25 = bits.Add64(x7, x4, uint64(p384Uint1(x23))) - var x27 uint64 - _, x27 = bits.Add64(x1, x14, uint64(0x0)) - var x28 uint64 - var x29 uint64 - x28, x29 = bits.Add64(uint64(0x0), x16, uint64(p384Uint1(x27))) - var x30 uint64 - var x31 uint64 - x30, x31 = bits.Add64(uint64(0x0), x18, uint64(p384Uint1(x29))) - var x32 uint64 - var x33 uint64 - x32, x33 = bits.Add64(uint64(0x0), x20, uint64(p384Uint1(x31))) - var x34 uint64 - var x35 uint64 - x34, x35 = bits.Add64(uint64(0x0), x22, uint64(p384Uint1(x33))) - var x36 uint64 - var x37 uint64 - x36, x37 = bits.Add64(uint64(0x0), x24, uint64(p384Uint1(x35))) - var x38 uint64 - var x39 uint64 - x38, x39 = bits.Add64(uint64(0x0), (uint64(p384Uint1(x25)) + x5), uint64(p384Uint1(x37))) - var x40 uint64 - var x41 uint64 - x40, x41 = bits.Add64(x28, arg1[1], uint64(0x0)) - var x42 uint64 - var x43 uint64 - x42, x43 = bits.Add64(x30, uint64(0x0), uint64(p384Uint1(x41))) - var x44 uint64 - var x45 uint64 - x44, x45 = bits.Add64(x32, uint64(0x0), uint64(p384Uint1(x43))) - var x46 uint64 - var x47 uint64 - x46, x47 = bits.Add64(x34, uint64(0x0), uint64(p384Uint1(x45))) - var x48 uint64 - var x49 uint64 - x48, x49 = bits.Add64(x36, uint64(0x0), uint64(p384Uint1(x47))) - var x50 uint64 - var x51 uint64 - x50, x51 = bits.Add64(x38, uint64(0x0), uint64(p384Uint1(x49))) - var x52 uint64 - _, x52 = bits.Mul64(x40, 0x100000001) - var x54 uint64 - var x55 uint64 - x55, x54 = bits.Mul64(x52, 0xffffffffffffffff) - var x56 uint64 - var x57 uint64 - x57, x56 = bits.Mul64(x52, 0xffffffffffffffff) - var x58 uint64 - var x59 uint64 - x59, x58 = bits.Mul64(x52, 0xffffffffffffffff) - var x60 uint64 - var x61 uint64 - x61, x60 = bits.Mul64(x52, 0xfffffffffffffffe) - var x62 uint64 - var x63 uint64 - x63, x62 = bits.Mul64(x52, 0xffffffff00000000) - var x64 uint64 - var x65 uint64 - x65, x64 = bits.Mul64(x52, 0xffffffff) - var x66 uint64 - var x67 uint64 - x66, x67 = bits.Add64(x65, x62, uint64(0x0)) - var x68 uint64 - var x69 uint64 - x68, x69 = bits.Add64(x63, x60, uint64(p384Uint1(x67))) - var x70 uint64 - var x71 uint64 - x70, x71 = bits.Add64(x61, x58, uint64(p384Uint1(x69))) - var x72 uint64 - var x73 uint64 - x72, x73 = bits.Add64(x59, x56, uint64(p384Uint1(x71))) - var x74 uint64 - var x75 uint64 - x74, x75 = bits.Add64(x57, x54, uint64(p384Uint1(x73))) - var x77 uint64 - _, x77 = bits.Add64(x40, x64, uint64(0x0)) - var x78 uint64 - var x79 uint64 - x78, x79 = bits.Add64(x42, x66, uint64(p384Uint1(x77))) - var x80 uint64 - var x81 uint64 - x80, x81 = bits.Add64(x44, x68, uint64(p384Uint1(x79))) - var x82 uint64 - var x83 uint64 - x82, x83 = bits.Add64(x46, x70, uint64(p384Uint1(x81))) - var x84 uint64 - var x85 uint64 - x84, x85 = bits.Add64(x48, x72, uint64(p384Uint1(x83))) - var x86 uint64 - var x87 uint64 - x86, x87 = bits.Add64(x50, x74, uint64(p384Uint1(x85))) - var x88 uint64 - var x89 uint64 - x88, x89 = bits.Add64((uint64(p384Uint1(x51)) + uint64(p384Uint1(x39))), (uint64(p384Uint1(x75)) + x55), uint64(p384Uint1(x87))) - var x90 uint64 - var x91 uint64 - x90, x91 = bits.Add64(x78, arg1[2], uint64(0x0)) - var x92 uint64 - var x93 uint64 - x92, x93 = bits.Add64(x80, uint64(0x0), uint64(p384Uint1(x91))) - var x94 uint64 - var x95 uint64 - x94, x95 = bits.Add64(x82, uint64(0x0), uint64(p384Uint1(x93))) - var x96 uint64 - var x97 uint64 - x96, x97 = bits.Add64(x84, uint64(0x0), uint64(p384Uint1(x95))) - var x98 uint64 - var x99 uint64 - x98, x99 = bits.Add64(x86, uint64(0x0), uint64(p384Uint1(x97))) - var x100 uint64 - var x101 uint64 - x100, x101 = bits.Add64(x88, uint64(0x0), uint64(p384Uint1(x99))) - var x102 uint64 - _, x102 = bits.Mul64(x90, 0x100000001) - var x104 uint64 - var x105 uint64 - x105, x104 = bits.Mul64(x102, 0xffffffffffffffff) - var x106 uint64 - var x107 uint64 - x107, x106 = bits.Mul64(x102, 0xffffffffffffffff) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(x102, 0xffffffffffffffff) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64(x102, 0xfffffffffffffffe) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(x102, 0xffffffff00000000) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(x102, 0xffffffff) - var x116 uint64 - var x117 uint64 - x116, x117 = bits.Add64(x115, x112, uint64(0x0)) - var x118 uint64 - var x119 uint64 - x118, x119 = bits.Add64(x113, x110, uint64(p384Uint1(x117))) - var x120 uint64 - var x121 uint64 - x120, x121 = bits.Add64(x111, x108, uint64(p384Uint1(x119))) - var x122 uint64 - var x123 uint64 - x122, x123 = bits.Add64(x109, x106, uint64(p384Uint1(x121))) - var x124 uint64 - var x125 uint64 - x124, x125 = bits.Add64(x107, x104, uint64(p384Uint1(x123))) - var x127 uint64 - _, x127 = bits.Add64(x90, x114, uint64(0x0)) - var x128 uint64 - var x129 uint64 - x128, x129 = bits.Add64(x92, x116, uint64(p384Uint1(x127))) - var x130 uint64 - var x131 uint64 - x130, x131 = bits.Add64(x94, x118, uint64(p384Uint1(x129))) - var x132 uint64 - var x133 uint64 - x132, x133 = bits.Add64(x96, x120, uint64(p384Uint1(x131))) - var x134 uint64 - var x135 uint64 - x134, x135 = bits.Add64(x98, x122, uint64(p384Uint1(x133))) - var x136 uint64 - var x137 uint64 - x136, x137 = bits.Add64(x100, x124, uint64(p384Uint1(x135))) - var x138 uint64 - var x139 uint64 - x138, x139 = bits.Add64((uint64(p384Uint1(x101)) + uint64(p384Uint1(x89))), (uint64(p384Uint1(x125)) + x105), uint64(p384Uint1(x137))) - var x140 uint64 - var x141 uint64 - x140, x141 = bits.Add64(x128, arg1[3], uint64(0x0)) - var x142 uint64 - var x143 uint64 - x142, x143 = bits.Add64(x130, uint64(0x0), uint64(p384Uint1(x141))) - var x144 uint64 - var x145 uint64 - x144, x145 = bits.Add64(x132, uint64(0x0), uint64(p384Uint1(x143))) - var x146 uint64 - var x147 uint64 - x146, x147 = bits.Add64(x134, uint64(0x0), uint64(p384Uint1(x145))) - var x148 uint64 - var x149 uint64 - x148, x149 = bits.Add64(x136, uint64(0x0), uint64(p384Uint1(x147))) - var x150 uint64 - var x151 uint64 - x150, x151 = bits.Add64(x138, uint64(0x0), uint64(p384Uint1(x149))) - var x152 uint64 - _, x152 = bits.Mul64(x140, 0x100000001) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x152, 0xffffffffffffffff) - var x156 uint64 - var x157 uint64 - x157, x156 = bits.Mul64(x152, 0xffffffffffffffff) - var x158 uint64 - var x159 uint64 - x159, x158 = bits.Mul64(x152, 0xffffffffffffffff) - var x160 uint64 - var x161 uint64 - x161, x160 = bits.Mul64(x152, 0xfffffffffffffffe) - var x162 uint64 - var x163 uint64 - x163, x162 = bits.Mul64(x152, 0xffffffff00000000) - var x164 uint64 - var x165 uint64 - x165, x164 = bits.Mul64(x152, 0xffffffff) - var x166 uint64 - var x167 uint64 - x166, x167 = bits.Add64(x165, x162, uint64(0x0)) - var x168 uint64 - var x169 uint64 - x168, x169 = bits.Add64(x163, x160, uint64(p384Uint1(x167))) - var x170 uint64 - var x171 uint64 - x170, x171 = bits.Add64(x161, x158, uint64(p384Uint1(x169))) - var x172 uint64 - var x173 uint64 - x172, x173 = bits.Add64(x159, x156, uint64(p384Uint1(x171))) - var x174 uint64 - var x175 uint64 - x174, x175 = bits.Add64(x157, x154, uint64(p384Uint1(x173))) - var x177 uint64 - _, x177 = bits.Add64(x140, x164, uint64(0x0)) - var x178 uint64 - var x179 uint64 - x178, x179 = bits.Add64(x142, x166, uint64(p384Uint1(x177))) - var x180 uint64 - var x181 uint64 - x180, x181 = bits.Add64(x144, x168, uint64(p384Uint1(x179))) - var x182 uint64 - var x183 uint64 - x182, x183 = bits.Add64(x146, x170, uint64(p384Uint1(x181))) - var x184 uint64 - var x185 uint64 - x184, x185 = bits.Add64(x148, x172, uint64(p384Uint1(x183))) - var x186 uint64 - var x187 uint64 - x186, x187 = bits.Add64(x150, x174, uint64(p384Uint1(x185))) - var x188 uint64 - var x189 uint64 - x188, x189 = bits.Add64((uint64(p384Uint1(x151)) + uint64(p384Uint1(x139))), (uint64(p384Uint1(x175)) + x155), uint64(p384Uint1(x187))) - var x190 uint64 - var x191 uint64 - x190, x191 = bits.Add64(x178, arg1[4], uint64(0x0)) - var x192 uint64 - var x193 uint64 - x192, x193 = bits.Add64(x180, uint64(0x0), uint64(p384Uint1(x191))) - var x194 uint64 - var x195 uint64 - x194, x195 = bits.Add64(x182, uint64(0x0), uint64(p384Uint1(x193))) - var x196 uint64 - var x197 uint64 - x196, x197 = bits.Add64(x184, uint64(0x0), uint64(p384Uint1(x195))) - var x198 uint64 - var x199 uint64 - x198, x199 = bits.Add64(x186, uint64(0x0), uint64(p384Uint1(x197))) - var x200 uint64 - var x201 uint64 - x200, x201 = bits.Add64(x188, uint64(0x0), uint64(p384Uint1(x199))) - var x202 uint64 - _, x202 = bits.Mul64(x190, 0x100000001) - var x204 uint64 - var x205 uint64 - x205, x204 = bits.Mul64(x202, 0xffffffffffffffff) - var x206 uint64 - var x207 uint64 - x207, x206 = bits.Mul64(x202, 0xffffffffffffffff) - var x208 uint64 - var x209 uint64 - x209, x208 = bits.Mul64(x202, 0xffffffffffffffff) - var x210 uint64 - var x211 uint64 - x211, x210 = bits.Mul64(x202, 0xfffffffffffffffe) - var x212 uint64 - var x213 uint64 - x213, x212 = bits.Mul64(x202, 0xffffffff00000000) - var x214 uint64 - var x215 uint64 - x215, x214 = bits.Mul64(x202, 0xffffffff) - var x216 uint64 - var x217 uint64 - x216, x217 = bits.Add64(x215, x212, uint64(0x0)) - var x218 uint64 - var x219 uint64 - x218, x219 = bits.Add64(x213, x210, uint64(p384Uint1(x217))) - var x220 uint64 - var x221 uint64 - x220, x221 = bits.Add64(x211, x208, uint64(p384Uint1(x219))) - var x222 uint64 - var x223 uint64 - x222, x223 = bits.Add64(x209, x206, uint64(p384Uint1(x221))) - var x224 uint64 - var x225 uint64 - x224, x225 = bits.Add64(x207, x204, uint64(p384Uint1(x223))) - var x227 uint64 - _, x227 = bits.Add64(x190, x214, uint64(0x0)) - var x228 uint64 - var x229 uint64 - x228, x229 = bits.Add64(x192, x216, uint64(p384Uint1(x227))) - var x230 uint64 - var x231 uint64 - x230, x231 = bits.Add64(x194, x218, uint64(p384Uint1(x229))) - var x232 uint64 - var x233 uint64 - x232, x233 = bits.Add64(x196, x220, uint64(p384Uint1(x231))) - var x234 uint64 - var x235 uint64 - x234, x235 = bits.Add64(x198, x222, uint64(p384Uint1(x233))) - var x236 uint64 - var x237 uint64 - x236, x237 = bits.Add64(x200, x224, uint64(p384Uint1(x235))) - var x238 uint64 - var x239 uint64 - x238, x239 = bits.Add64((uint64(p384Uint1(x201)) + uint64(p384Uint1(x189))), (uint64(p384Uint1(x225)) + x205), uint64(p384Uint1(x237))) - var x240 uint64 - var x241 uint64 - x240, x241 = bits.Add64(x228, arg1[5], uint64(0x0)) - var x242 uint64 - var x243 uint64 - x242, x243 = bits.Add64(x230, uint64(0x0), uint64(p384Uint1(x241))) - var x244 uint64 - var x245 uint64 - x244, x245 = bits.Add64(x232, uint64(0x0), uint64(p384Uint1(x243))) - var x246 uint64 - var x247 uint64 - x246, x247 = bits.Add64(x234, uint64(0x0), uint64(p384Uint1(x245))) - var x248 uint64 - var x249 uint64 - x248, x249 = bits.Add64(x236, uint64(0x0), uint64(p384Uint1(x247))) - var x250 uint64 - var x251 uint64 - x250, x251 = bits.Add64(x238, uint64(0x0), uint64(p384Uint1(x249))) - var x252 uint64 - _, x252 = bits.Mul64(x240, 0x100000001) - var x254 uint64 - var x255 uint64 - x255, x254 = bits.Mul64(x252, 0xffffffffffffffff) - var x256 uint64 - var x257 uint64 - x257, x256 = bits.Mul64(x252, 0xffffffffffffffff) - var x258 uint64 - var x259 uint64 - x259, x258 = bits.Mul64(x252, 0xffffffffffffffff) - var x260 uint64 - var x261 uint64 - x261, x260 = bits.Mul64(x252, 0xfffffffffffffffe) - var x262 uint64 - var x263 uint64 - x263, x262 = bits.Mul64(x252, 0xffffffff00000000) - var x264 uint64 - var x265 uint64 - x265, x264 = bits.Mul64(x252, 0xffffffff) - var x266 uint64 - var x267 uint64 - x266, x267 = bits.Add64(x265, x262, uint64(0x0)) - var x268 uint64 - var x269 uint64 - x268, x269 = bits.Add64(x263, x260, uint64(p384Uint1(x267))) - var x270 uint64 - var x271 uint64 - x270, x271 = bits.Add64(x261, x258, uint64(p384Uint1(x269))) - var x272 uint64 - var x273 uint64 - x272, x273 = bits.Add64(x259, x256, uint64(p384Uint1(x271))) - var x274 uint64 - var x275 uint64 - x274, x275 = bits.Add64(x257, x254, uint64(p384Uint1(x273))) - var x277 uint64 - _, x277 = bits.Add64(x240, x264, uint64(0x0)) - var x278 uint64 - var x279 uint64 - x278, x279 = bits.Add64(x242, x266, uint64(p384Uint1(x277))) - var x280 uint64 - var x281 uint64 - x280, x281 = bits.Add64(x244, x268, uint64(p384Uint1(x279))) - var x282 uint64 - var x283 uint64 - x282, x283 = bits.Add64(x246, x270, uint64(p384Uint1(x281))) - var x284 uint64 - var x285 uint64 - x284, x285 = bits.Add64(x248, x272, uint64(p384Uint1(x283))) - var x286 uint64 - var x287 uint64 - x286, x287 = bits.Add64(x250, x274, uint64(p384Uint1(x285))) - var x288 uint64 - var x289 uint64 - x288, x289 = bits.Add64((uint64(p384Uint1(x251)) + uint64(p384Uint1(x239))), (uint64(p384Uint1(x275)) + x255), uint64(p384Uint1(x287))) - var x290 uint64 - var x291 uint64 - x290, x291 = bits.Sub64(x278, 0xffffffff, uint64(0x0)) - var x292 uint64 - var x293 uint64 - x292, x293 = bits.Sub64(x280, 0xffffffff00000000, uint64(p384Uint1(x291))) - var x294 uint64 - var x295 uint64 - x294, x295 = bits.Sub64(x282, 0xfffffffffffffffe, uint64(p384Uint1(x293))) - var x296 uint64 - var x297 uint64 - x296, x297 = bits.Sub64(x284, 0xffffffffffffffff, uint64(p384Uint1(x295))) - var x298 uint64 - var x299 uint64 - x298, x299 = bits.Sub64(x286, 0xffffffffffffffff, uint64(p384Uint1(x297))) - var x300 uint64 - var x301 uint64 - x300, x301 = bits.Sub64(x288, 0xffffffffffffffff, uint64(p384Uint1(x299))) - var x303 uint64 - _, x303 = bits.Sub64(uint64(p384Uint1(x289)), uint64(0x0), uint64(p384Uint1(x301))) - var x304 uint64 - p384CmovznzU64(&x304, p384Uint1(x303), x290, x278) - var x305 uint64 - p384CmovznzU64(&x305, p384Uint1(x303), x292, x280) - var x306 uint64 - p384CmovznzU64(&x306, p384Uint1(x303), x294, x282) - var x307 uint64 - p384CmovznzU64(&x307, p384Uint1(x303), x296, x284) - var x308 uint64 - p384CmovznzU64(&x308, p384Uint1(x303), x298, x286) - var x309 uint64 - p384CmovznzU64(&x309, p384Uint1(x303), x300, x288) - out1[0] = x304 - out1[1] = x305 - out1[2] = x306 - out1[3] = x307 - out1[4] = x308 - out1[5] = x309 -} - -// p384ToMontgomery translates a field element into the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = eval arg1 mod m -// 0 ≤ eval out1 < m -func p384ToMontgomery(out1 *p384MontgomeryDomainFieldElement, arg1 *p384NonMontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[4] - x5 := arg1[5] - x6 := arg1[0] - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x6, 0x200000000) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x6, 0xfffffffe00000000) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x6, 0x200000000) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64(x6, 0xfffffffe00000001) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Add64(x14, x11, uint64(0x0)) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Add64(x12, x9, uint64(p384Uint1(x16))) - var x19 uint64 - var x20 uint64 - x19, x20 = bits.Add64(x10, x7, uint64(p384Uint1(x18))) - var x21 uint64 - var x22 uint64 - x21, x22 = bits.Add64(x8, x6, uint64(p384Uint1(x20))) - var x23 uint64 - _, x23 = bits.Mul64(x13, 0x100000001) - var x25 uint64 - var x26 uint64 - x26, x25 = bits.Mul64(x23, 0xffffffffffffffff) - var x27 uint64 - var x28 uint64 - x28, x27 = bits.Mul64(x23, 0xffffffffffffffff) - var x29 uint64 - var x30 uint64 - x30, x29 = bits.Mul64(x23, 0xffffffffffffffff) - var x31 uint64 - var x32 uint64 - x32, x31 = bits.Mul64(x23, 0xfffffffffffffffe) - var x33 uint64 - var x34 uint64 - x34, x33 = bits.Mul64(x23, 0xffffffff00000000) - var x35 uint64 - var x36 uint64 - x36, x35 = bits.Mul64(x23, 0xffffffff) - var x37 uint64 - var x38 uint64 - x37, x38 = bits.Add64(x36, x33, uint64(0x0)) - var x39 uint64 - var x40 uint64 - x39, x40 = bits.Add64(x34, x31, uint64(p384Uint1(x38))) - var x41 uint64 - var x42 uint64 - x41, x42 = bits.Add64(x32, x29, uint64(p384Uint1(x40))) - var x43 uint64 - var x44 uint64 - x43, x44 = bits.Add64(x30, x27, uint64(p384Uint1(x42))) - var x45 uint64 - var x46 uint64 - x45, x46 = bits.Add64(x28, x25, uint64(p384Uint1(x44))) - var x48 uint64 - _, x48 = bits.Add64(x13, x35, uint64(0x0)) - var x49 uint64 - var x50 uint64 - x49, x50 = bits.Add64(x15, x37, uint64(p384Uint1(x48))) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(x17, x39, uint64(p384Uint1(x50))) - var x53 uint64 - var x54 uint64 - x53, x54 = bits.Add64(x19, x41, uint64(p384Uint1(x52))) - var x55 uint64 - var x56 uint64 - x55, x56 = bits.Add64(x21, x43, uint64(p384Uint1(x54))) - var x57 uint64 - var x58 uint64 - x57, x58 = bits.Add64(uint64(p384Uint1(x22)), x45, uint64(p384Uint1(x56))) - var x59 uint64 - var x60 uint64 - x59, x60 = bits.Add64(uint64(0x0), (uint64(p384Uint1(x46)) + x26), uint64(p384Uint1(x58))) - var x61 uint64 - var x62 uint64 - x62, x61 = bits.Mul64(x1, 0x200000000) - var x63 uint64 - var x64 uint64 - x64, x63 = bits.Mul64(x1, 0xfffffffe00000000) - var x65 uint64 - var x66 uint64 - x66, x65 = bits.Mul64(x1, 0x200000000) - var x67 uint64 - var x68 uint64 - x68, x67 = bits.Mul64(x1, 0xfffffffe00000001) - var x69 uint64 - var x70 uint64 - x69, x70 = bits.Add64(x68, x65, uint64(0x0)) - var x71 uint64 - var x72 uint64 - x71, x72 = bits.Add64(x66, x63, uint64(p384Uint1(x70))) - var x73 uint64 - var x74 uint64 - x73, x74 = bits.Add64(x64, x61, uint64(p384Uint1(x72))) - var x75 uint64 - var x76 uint64 - x75, x76 = bits.Add64(x62, x1, uint64(p384Uint1(x74))) - var x77 uint64 - var x78 uint64 - x77, x78 = bits.Add64(x49, x67, uint64(0x0)) - var x79 uint64 - var x80 uint64 - x79, x80 = bits.Add64(x51, x69, uint64(p384Uint1(x78))) - var x81 uint64 - var x82 uint64 - x81, x82 = bits.Add64(x53, x71, uint64(p384Uint1(x80))) - var x83 uint64 - var x84 uint64 - x83, x84 = bits.Add64(x55, x73, uint64(p384Uint1(x82))) - var x85 uint64 - var x86 uint64 - x85, x86 = bits.Add64(x57, x75, uint64(p384Uint1(x84))) - var x87 uint64 - var x88 uint64 - x87, x88 = bits.Add64(x59, uint64(p384Uint1(x76)), uint64(p384Uint1(x86))) - var x89 uint64 - _, x89 = bits.Mul64(x77, 0x100000001) - var x91 uint64 - var x92 uint64 - x92, x91 = bits.Mul64(x89, 0xffffffffffffffff) - var x93 uint64 - var x94 uint64 - x94, x93 = bits.Mul64(x89, 0xffffffffffffffff) - var x95 uint64 - var x96 uint64 - x96, x95 = bits.Mul64(x89, 0xffffffffffffffff) - var x97 uint64 - var x98 uint64 - x98, x97 = bits.Mul64(x89, 0xfffffffffffffffe) - var x99 uint64 - var x100 uint64 - x100, x99 = bits.Mul64(x89, 0xffffffff00000000) - var x101 uint64 - var x102 uint64 - x102, x101 = bits.Mul64(x89, 0xffffffff) - var x103 uint64 - var x104 uint64 - x103, x104 = bits.Add64(x102, x99, uint64(0x0)) - var x105 uint64 - var x106 uint64 - x105, x106 = bits.Add64(x100, x97, uint64(p384Uint1(x104))) - var x107 uint64 - var x108 uint64 - x107, x108 = bits.Add64(x98, x95, uint64(p384Uint1(x106))) - var x109 uint64 - var x110 uint64 - x109, x110 = bits.Add64(x96, x93, uint64(p384Uint1(x108))) - var x111 uint64 - var x112 uint64 - x111, x112 = bits.Add64(x94, x91, uint64(p384Uint1(x110))) - var x114 uint64 - _, x114 = bits.Add64(x77, x101, uint64(0x0)) - var x115 uint64 - var x116 uint64 - x115, x116 = bits.Add64(x79, x103, uint64(p384Uint1(x114))) - var x117 uint64 - var x118 uint64 - x117, x118 = bits.Add64(x81, x105, uint64(p384Uint1(x116))) - var x119 uint64 - var x120 uint64 - x119, x120 = bits.Add64(x83, x107, uint64(p384Uint1(x118))) - var x121 uint64 - var x122 uint64 - x121, x122 = bits.Add64(x85, x109, uint64(p384Uint1(x120))) - var x123 uint64 - var x124 uint64 - x123, x124 = bits.Add64(x87, x111, uint64(p384Uint1(x122))) - var x125 uint64 - var x126 uint64 - x125, x126 = bits.Add64((uint64(p384Uint1(x88)) + uint64(p384Uint1(x60))), (uint64(p384Uint1(x112)) + x92), uint64(p384Uint1(x124))) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64(x2, 0x200000000) - var x129 uint64 - var x130 uint64 - x130, x129 = bits.Mul64(x2, 0xfffffffe00000000) - var x131 uint64 - var x132 uint64 - x132, x131 = bits.Mul64(x2, 0x200000000) - var x133 uint64 - var x134 uint64 - x134, x133 = bits.Mul64(x2, 0xfffffffe00000001) - var x135 uint64 - var x136 uint64 - x135, x136 = bits.Add64(x134, x131, uint64(0x0)) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x132, x129, uint64(p384Uint1(x136))) - var x139 uint64 - var x140 uint64 - x139, x140 = bits.Add64(x130, x127, uint64(p384Uint1(x138))) - var x141 uint64 - var x142 uint64 - x141, x142 = bits.Add64(x128, x2, uint64(p384Uint1(x140))) - var x143 uint64 - var x144 uint64 - x143, x144 = bits.Add64(x115, x133, uint64(0x0)) - var x145 uint64 - var x146 uint64 - x145, x146 = bits.Add64(x117, x135, uint64(p384Uint1(x144))) - var x147 uint64 - var x148 uint64 - x147, x148 = bits.Add64(x119, x137, uint64(p384Uint1(x146))) - var x149 uint64 - var x150 uint64 - x149, x150 = bits.Add64(x121, x139, uint64(p384Uint1(x148))) - var x151 uint64 - var x152 uint64 - x151, x152 = bits.Add64(x123, x141, uint64(p384Uint1(x150))) - var x153 uint64 - var x154 uint64 - x153, x154 = bits.Add64(x125, uint64(p384Uint1(x142)), uint64(p384Uint1(x152))) - var x155 uint64 - _, x155 = bits.Mul64(x143, 0x100000001) - var x157 uint64 - var x158 uint64 - x158, x157 = bits.Mul64(x155, 0xffffffffffffffff) - var x159 uint64 - var x160 uint64 - x160, x159 = bits.Mul64(x155, 0xffffffffffffffff) - var x161 uint64 - var x162 uint64 - x162, x161 = bits.Mul64(x155, 0xffffffffffffffff) - var x163 uint64 - var x164 uint64 - x164, x163 = bits.Mul64(x155, 0xfffffffffffffffe) - var x165 uint64 - var x166 uint64 - x166, x165 = bits.Mul64(x155, 0xffffffff00000000) - var x167 uint64 - var x168 uint64 - x168, x167 = bits.Mul64(x155, 0xffffffff) - var x169 uint64 - var x170 uint64 - x169, x170 = bits.Add64(x168, x165, uint64(0x0)) - var x171 uint64 - var x172 uint64 - x171, x172 = bits.Add64(x166, x163, uint64(p384Uint1(x170))) - var x173 uint64 - var x174 uint64 - x173, x174 = bits.Add64(x164, x161, uint64(p384Uint1(x172))) - var x175 uint64 - var x176 uint64 - x175, x176 = bits.Add64(x162, x159, uint64(p384Uint1(x174))) - var x177 uint64 - var x178 uint64 - x177, x178 = bits.Add64(x160, x157, uint64(p384Uint1(x176))) - var x180 uint64 - _, x180 = bits.Add64(x143, x167, uint64(0x0)) - var x181 uint64 - var x182 uint64 - x181, x182 = bits.Add64(x145, x169, uint64(p384Uint1(x180))) - var x183 uint64 - var x184 uint64 - x183, x184 = bits.Add64(x147, x171, uint64(p384Uint1(x182))) - var x185 uint64 - var x186 uint64 - x185, x186 = bits.Add64(x149, x173, uint64(p384Uint1(x184))) - var x187 uint64 - var x188 uint64 - x187, x188 = bits.Add64(x151, x175, uint64(p384Uint1(x186))) - var x189 uint64 - var x190 uint64 - x189, x190 = bits.Add64(x153, x177, uint64(p384Uint1(x188))) - var x191 uint64 - var x192 uint64 - x191, x192 = bits.Add64((uint64(p384Uint1(x154)) + uint64(p384Uint1(x126))), (uint64(p384Uint1(x178)) + x158), uint64(p384Uint1(x190))) - var x193 uint64 - var x194 uint64 - x194, x193 = bits.Mul64(x3, 0x200000000) - var x195 uint64 - var x196 uint64 - x196, x195 = bits.Mul64(x3, 0xfffffffe00000000) - var x197 uint64 - var x198 uint64 - x198, x197 = bits.Mul64(x3, 0x200000000) - var x199 uint64 - var x200 uint64 - x200, x199 = bits.Mul64(x3, 0xfffffffe00000001) - var x201 uint64 - var x202 uint64 - x201, x202 = bits.Add64(x200, x197, uint64(0x0)) - var x203 uint64 - var x204 uint64 - x203, x204 = bits.Add64(x198, x195, uint64(p384Uint1(x202))) - var x205 uint64 - var x206 uint64 - x205, x206 = bits.Add64(x196, x193, uint64(p384Uint1(x204))) - var x207 uint64 - var x208 uint64 - x207, x208 = bits.Add64(x194, x3, uint64(p384Uint1(x206))) - var x209 uint64 - var x210 uint64 - x209, x210 = bits.Add64(x181, x199, uint64(0x0)) - var x211 uint64 - var x212 uint64 - x211, x212 = bits.Add64(x183, x201, uint64(p384Uint1(x210))) - var x213 uint64 - var x214 uint64 - x213, x214 = bits.Add64(x185, x203, uint64(p384Uint1(x212))) - var x215 uint64 - var x216 uint64 - x215, x216 = bits.Add64(x187, x205, uint64(p384Uint1(x214))) - var x217 uint64 - var x218 uint64 - x217, x218 = bits.Add64(x189, x207, uint64(p384Uint1(x216))) - var x219 uint64 - var x220 uint64 - x219, x220 = bits.Add64(x191, uint64(p384Uint1(x208)), uint64(p384Uint1(x218))) - var x221 uint64 - _, x221 = bits.Mul64(x209, 0x100000001) - var x223 uint64 - var x224 uint64 - x224, x223 = bits.Mul64(x221, 0xffffffffffffffff) - var x225 uint64 - var x226 uint64 - x226, x225 = bits.Mul64(x221, 0xffffffffffffffff) - var x227 uint64 - var x228 uint64 - x228, x227 = bits.Mul64(x221, 0xffffffffffffffff) - var x229 uint64 - var x230 uint64 - x230, x229 = bits.Mul64(x221, 0xfffffffffffffffe) - var x231 uint64 - var x232 uint64 - x232, x231 = bits.Mul64(x221, 0xffffffff00000000) - var x233 uint64 - var x234 uint64 - x234, x233 = bits.Mul64(x221, 0xffffffff) - var x235 uint64 - var x236 uint64 - x235, x236 = bits.Add64(x234, x231, uint64(0x0)) - var x237 uint64 - var x238 uint64 - x237, x238 = bits.Add64(x232, x229, uint64(p384Uint1(x236))) - var x239 uint64 - var x240 uint64 - x239, x240 = bits.Add64(x230, x227, uint64(p384Uint1(x238))) - var x241 uint64 - var x242 uint64 - x241, x242 = bits.Add64(x228, x225, uint64(p384Uint1(x240))) - var x243 uint64 - var x244 uint64 - x243, x244 = bits.Add64(x226, x223, uint64(p384Uint1(x242))) - var x246 uint64 - _, x246 = bits.Add64(x209, x233, uint64(0x0)) - var x247 uint64 - var x248 uint64 - x247, x248 = bits.Add64(x211, x235, uint64(p384Uint1(x246))) - var x249 uint64 - var x250 uint64 - x249, x250 = bits.Add64(x213, x237, uint64(p384Uint1(x248))) - var x251 uint64 - var x252 uint64 - x251, x252 = bits.Add64(x215, x239, uint64(p384Uint1(x250))) - var x253 uint64 - var x254 uint64 - x253, x254 = bits.Add64(x217, x241, uint64(p384Uint1(x252))) - var x255 uint64 - var x256 uint64 - x255, x256 = bits.Add64(x219, x243, uint64(p384Uint1(x254))) - var x257 uint64 - var x258 uint64 - x257, x258 = bits.Add64((uint64(p384Uint1(x220)) + uint64(p384Uint1(x192))), (uint64(p384Uint1(x244)) + x224), uint64(p384Uint1(x256))) - var x259 uint64 - var x260 uint64 - x260, x259 = bits.Mul64(x4, 0x200000000) - var x261 uint64 - var x262 uint64 - x262, x261 = bits.Mul64(x4, 0xfffffffe00000000) - var x263 uint64 - var x264 uint64 - x264, x263 = bits.Mul64(x4, 0x200000000) - var x265 uint64 - var x266 uint64 - x266, x265 = bits.Mul64(x4, 0xfffffffe00000001) - var x267 uint64 - var x268 uint64 - x267, x268 = bits.Add64(x266, x263, uint64(0x0)) - var x269 uint64 - var x270 uint64 - x269, x270 = bits.Add64(x264, x261, uint64(p384Uint1(x268))) - var x271 uint64 - var x272 uint64 - x271, x272 = bits.Add64(x262, x259, uint64(p384Uint1(x270))) - var x273 uint64 - var x274 uint64 - x273, x274 = bits.Add64(x260, x4, uint64(p384Uint1(x272))) - var x275 uint64 - var x276 uint64 - x275, x276 = bits.Add64(x247, x265, uint64(0x0)) - var x277 uint64 - var x278 uint64 - x277, x278 = bits.Add64(x249, x267, uint64(p384Uint1(x276))) - var x279 uint64 - var x280 uint64 - x279, x280 = bits.Add64(x251, x269, uint64(p384Uint1(x278))) - var x281 uint64 - var x282 uint64 - x281, x282 = bits.Add64(x253, x271, uint64(p384Uint1(x280))) - var x283 uint64 - var x284 uint64 - x283, x284 = bits.Add64(x255, x273, uint64(p384Uint1(x282))) - var x285 uint64 - var x286 uint64 - x285, x286 = bits.Add64(x257, uint64(p384Uint1(x274)), uint64(p384Uint1(x284))) - var x287 uint64 - _, x287 = bits.Mul64(x275, 0x100000001) - var x289 uint64 - var x290 uint64 - x290, x289 = bits.Mul64(x287, 0xffffffffffffffff) - var x291 uint64 - var x292 uint64 - x292, x291 = bits.Mul64(x287, 0xffffffffffffffff) - var x293 uint64 - var x294 uint64 - x294, x293 = bits.Mul64(x287, 0xffffffffffffffff) - var x295 uint64 - var x296 uint64 - x296, x295 = bits.Mul64(x287, 0xfffffffffffffffe) - var x297 uint64 - var x298 uint64 - x298, x297 = bits.Mul64(x287, 0xffffffff00000000) - var x299 uint64 - var x300 uint64 - x300, x299 = bits.Mul64(x287, 0xffffffff) - var x301 uint64 - var x302 uint64 - x301, x302 = bits.Add64(x300, x297, uint64(0x0)) - var x303 uint64 - var x304 uint64 - x303, x304 = bits.Add64(x298, x295, uint64(p384Uint1(x302))) - var x305 uint64 - var x306 uint64 - x305, x306 = bits.Add64(x296, x293, uint64(p384Uint1(x304))) - var x307 uint64 - var x308 uint64 - x307, x308 = bits.Add64(x294, x291, uint64(p384Uint1(x306))) - var x309 uint64 - var x310 uint64 - x309, x310 = bits.Add64(x292, x289, uint64(p384Uint1(x308))) - var x312 uint64 - _, x312 = bits.Add64(x275, x299, uint64(0x0)) - var x313 uint64 - var x314 uint64 - x313, x314 = bits.Add64(x277, x301, uint64(p384Uint1(x312))) - var x315 uint64 - var x316 uint64 - x315, x316 = bits.Add64(x279, x303, uint64(p384Uint1(x314))) - var x317 uint64 - var x318 uint64 - x317, x318 = bits.Add64(x281, x305, uint64(p384Uint1(x316))) - var x319 uint64 - var x320 uint64 - x319, x320 = bits.Add64(x283, x307, uint64(p384Uint1(x318))) - var x321 uint64 - var x322 uint64 - x321, x322 = bits.Add64(x285, x309, uint64(p384Uint1(x320))) - var x323 uint64 - var x324 uint64 - x323, x324 = bits.Add64((uint64(p384Uint1(x286)) + uint64(p384Uint1(x258))), (uint64(p384Uint1(x310)) + x290), uint64(p384Uint1(x322))) - var x325 uint64 - var x326 uint64 - x326, x325 = bits.Mul64(x5, 0x200000000) - var x327 uint64 - var x328 uint64 - x328, x327 = bits.Mul64(x5, 0xfffffffe00000000) - var x329 uint64 - var x330 uint64 - x330, x329 = bits.Mul64(x5, 0x200000000) - var x331 uint64 - var x332 uint64 - x332, x331 = bits.Mul64(x5, 0xfffffffe00000001) - var x333 uint64 - var x334 uint64 - x333, x334 = bits.Add64(x332, x329, uint64(0x0)) - var x335 uint64 - var x336 uint64 - x335, x336 = bits.Add64(x330, x327, uint64(p384Uint1(x334))) - var x337 uint64 - var x338 uint64 - x337, x338 = bits.Add64(x328, x325, uint64(p384Uint1(x336))) - var x339 uint64 - var x340 uint64 - x339, x340 = bits.Add64(x326, x5, uint64(p384Uint1(x338))) - var x341 uint64 - var x342 uint64 - x341, x342 = bits.Add64(x313, x331, uint64(0x0)) - var x343 uint64 - var x344 uint64 - x343, x344 = bits.Add64(x315, x333, uint64(p384Uint1(x342))) - var x345 uint64 - var x346 uint64 - x345, x346 = bits.Add64(x317, x335, uint64(p384Uint1(x344))) - var x347 uint64 - var x348 uint64 - x347, x348 = bits.Add64(x319, x337, uint64(p384Uint1(x346))) - var x349 uint64 - var x350 uint64 - x349, x350 = bits.Add64(x321, x339, uint64(p384Uint1(x348))) - var x351 uint64 - var x352 uint64 - x351, x352 = bits.Add64(x323, uint64(p384Uint1(x340)), uint64(p384Uint1(x350))) - var x353 uint64 - _, x353 = bits.Mul64(x341, 0x100000001) - var x355 uint64 - var x356 uint64 - x356, x355 = bits.Mul64(x353, 0xffffffffffffffff) - var x357 uint64 - var x358 uint64 - x358, x357 = bits.Mul64(x353, 0xffffffffffffffff) - var x359 uint64 - var x360 uint64 - x360, x359 = bits.Mul64(x353, 0xffffffffffffffff) - var x361 uint64 - var x362 uint64 - x362, x361 = bits.Mul64(x353, 0xfffffffffffffffe) - var x363 uint64 - var x364 uint64 - x364, x363 = bits.Mul64(x353, 0xffffffff00000000) - var x365 uint64 - var x366 uint64 - x366, x365 = bits.Mul64(x353, 0xffffffff) - var x367 uint64 - var x368 uint64 - x367, x368 = bits.Add64(x366, x363, uint64(0x0)) - var x369 uint64 - var x370 uint64 - x369, x370 = bits.Add64(x364, x361, uint64(p384Uint1(x368))) - var x371 uint64 - var x372 uint64 - x371, x372 = bits.Add64(x362, x359, uint64(p384Uint1(x370))) - var x373 uint64 - var x374 uint64 - x373, x374 = bits.Add64(x360, x357, uint64(p384Uint1(x372))) - var x375 uint64 - var x376 uint64 - x375, x376 = bits.Add64(x358, x355, uint64(p384Uint1(x374))) - var x378 uint64 - _, x378 = bits.Add64(x341, x365, uint64(0x0)) - var x379 uint64 - var x380 uint64 - x379, x380 = bits.Add64(x343, x367, uint64(p384Uint1(x378))) - var x381 uint64 - var x382 uint64 - x381, x382 = bits.Add64(x345, x369, uint64(p384Uint1(x380))) - var x383 uint64 - var x384 uint64 - x383, x384 = bits.Add64(x347, x371, uint64(p384Uint1(x382))) - var x385 uint64 - var x386 uint64 - x385, x386 = bits.Add64(x349, x373, uint64(p384Uint1(x384))) - var x387 uint64 - var x388 uint64 - x387, x388 = bits.Add64(x351, x375, uint64(p384Uint1(x386))) - var x389 uint64 - var x390 uint64 - x389, x390 = bits.Add64((uint64(p384Uint1(x352)) + uint64(p384Uint1(x324))), (uint64(p384Uint1(x376)) + x356), uint64(p384Uint1(x388))) - var x391 uint64 - var x392 uint64 - x391, x392 = bits.Sub64(x379, 0xffffffff, uint64(0x0)) - var x393 uint64 - var x394 uint64 - x393, x394 = bits.Sub64(x381, 0xffffffff00000000, uint64(p384Uint1(x392))) - var x395 uint64 - var x396 uint64 - x395, x396 = bits.Sub64(x383, 0xfffffffffffffffe, uint64(p384Uint1(x394))) - var x397 uint64 - var x398 uint64 - x397, x398 = bits.Sub64(x385, 0xffffffffffffffff, uint64(p384Uint1(x396))) - var x399 uint64 - var x400 uint64 - x399, x400 = bits.Sub64(x387, 0xffffffffffffffff, uint64(p384Uint1(x398))) - var x401 uint64 - var x402 uint64 - x401, x402 = bits.Sub64(x389, 0xffffffffffffffff, uint64(p384Uint1(x400))) - var x404 uint64 - _, x404 = bits.Sub64(uint64(p384Uint1(x390)), uint64(0x0), uint64(p384Uint1(x402))) - var x405 uint64 - p384CmovznzU64(&x405, p384Uint1(x404), x391, x379) - var x406 uint64 - p384CmovznzU64(&x406, p384Uint1(x404), x393, x381) - var x407 uint64 - p384CmovznzU64(&x407, p384Uint1(x404), x395, x383) - var x408 uint64 - p384CmovznzU64(&x408, p384Uint1(x404), x397, x385) - var x409 uint64 - p384CmovznzU64(&x409, p384Uint1(x404), x399, x387) - var x410 uint64 - p384CmovznzU64(&x410, p384Uint1(x404), x401, x389) - out1[0] = x405 - out1[1] = x406 - out1[2] = x407 - out1[3] = x408 - out1[4] = x409 - out1[5] = x410 -} - -// p384Selectznz is a multi-limb conditional select. -// -// Postconditions: -// -// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) -// -// Input Bounds: -// -// arg1: [0x0 ~> 0x1] -// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -func p384Selectznz(out1 *[6]uint64, arg1 p384Uint1, arg2 *[6]uint64, arg3 *[6]uint64) { - var x1 uint64 - p384CmovznzU64(&x1, arg1, arg2[0], arg3[0]) - var x2 uint64 - p384CmovznzU64(&x2, arg1, arg2[1], arg3[1]) - var x3 uint64 - p384CmovznzU64(&x3, arg1, arg2[2], arg3[2]) - var x4 uint64 - p384CmovznzU64(&x4, arg1, arg2[3], arg3[3]) - var x5 uint64 - p384CmovznzU64(&x5, arg1, arg2[4], arg3[4]) - var x6 uint64 - p384CmovznzU64(&x6, arg1, arg2[5], arg3[5]) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 -} - -// p384ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] -func p384ToBytes(out1 *[48]uint8, arg1 *[6]uint64) { - x1 := arg1[5] - x2 := arg1[4] - x3 := arg1[3] - x4 := arg1[2] - x5 := arg1[1] - x6 := arg1[0] - x7 := (uint8(x6) & 0xff) - x8 := (x6 >> 8) - x9 := (uint8(x8) & 0xff) - x10 := (x8 >> 8) - x11 := (uint8(x10) & 0xff) - x12 := (x10 >> 8) - x13 := (uint8(x12) & 0xff) - x14 := (x12 >> 8) - x15 := (uint8(x14) & 0xff) - x16 := (x14 >> 8) - x17 := (uint8(x16) & 0xff) - x18 := (x16 >> 8) - x19 := (uint8(x18) & 0xff) - x20 := uint8((x18 >> 8)) - x21 := (uint8(x5) & 0xff) - x22 := (x5 >> 8) - x23 := (uint8(x22) & 0xff) - x24 := (x22 >> 8) - x25 := (uint8(x24) & 0xff) - x26 := (x24 >> 8) - x27 := (uint8(x26) & 0xff) - x28 := (x26 >> 8) - x29 := (uint8(x28) & 0xff) - x30 := (x28 >> 8) - x31 := (uint8(x30) & 0xff) - x32 := (x30 >> 8) - x33 := (uint8(x32) & 0xff) - x34 := uint8((x32 >> 8)) - x35 := (uint8(x4) & 0xff) - x36 := (x4 >> 8) - x37 := (uint8(x36) & 0xff) - x38 := (x36 >> 8) - x39 := (uint8(x38) & 0xff) - x40 := (x38 >> 8) - x41 := (uint8(x40) & 0xff) - x42 := (x40 >> 8) - x43 := (uint8(x42) & 0xff) - x44 := (x42 >> 8) - x45 := (uint8(x44) & 0xff) - x46 := (x44 >> 8) - x47 := (uint8(x46) & 0xff) - x48 := uint8((x46 >> 8)) - x49 := (uint8(x3) & 0xff) - x50 := (x3 >> 8) - x51 := (uint8(x50) & 0xff) - x52 := (x50 >> 8) - x53 := (uint8(x52) & 0xff) - x54 := (x52 >> 8) - x55 := (uint8(x54) & 0xff) - x56 := (x54 >> 8) - x57 := (uint8(x56) & 0xff) - x58 := (x56 >> 8) - x59 := (uint8(x58) & 0xff) - x60 := (x58 >> 8) - x61 := (uint8(x60) & 0xff) - x62 := uint8((x60 >> 8)) - x63 := (uint8(x2) & 0xff) - x64 := (x2 >> 8) - x65 := (uint8(x64) & 0xff) - x66 := (x64 >> 8) - x67 := (uint8(x66) & 0xff) - x68 := (x66 >> 8) - x69 := (uint8(x68) & 0xff) - x70 := (x68 >> 8) - x71 := (uint8(x70) & 0xff) - x72 := (x70 >> 8) - x73 := (uint8(x72) & 0xff) - x74 := (x72 >> 8) - x75 := (uint8(x74) & 0xff) - x76 := uint8((x74 >> 8)) - x77 := (uint8(x1) & 0xff) - x78 := (x1 >> 8) - x79 := (uint8(x78) & 0xff) - x80 := (x78 >> 8) - x81 := (uint8(x80) & 0xff) - x82 := (x80 >> 8) - x83 := (uint8(x82) & 0xff) - x84 := (x82 >> 8) - x85 := (uint8(x84) & 0xff) - x86 := (x84 >> 8) - x87 := (uint8(x86) & 0xff) - x88 := (x86 >> 8) - x89 := (uint8(x88) & 0xff) - x90 := uint8((x88 >> 8)) - out1[0] = x7 - out1[1] = x9 - out1[2] = x11 - out1[3] = x13 - out1[4] = x15 - out1[5] = x17 - out1[6] = x19 - out1[7] = x20 - out1[8] = x21 - out1[9] = x23 - out1[10] = x25 - out1[11] = x27 - out1[12] = x29 - out1[13] = x31 - out1[14] = x33 - out1[15] = x34 - out1[16] = x35 - out1[17] = x37 - out1[18] = x39 - out1[19] = x41 - out1[20] = x43 - out1[21] = x45 - out1[22] = x47 - out1[23] = x48 - out1[24] = x49 - out1[25] = x51 - out1[26] = x53 - out1[27] = x55 - out1[28] = x57 - out1[29] = x59 - out1[30] = x61 - out1[31] = x62 - out1[32] = x63 - out1[33] = x65 - out1[34] = x67 - out1[35] = x69 - out1[36] = x71 - out1[37] = x73 - out1[38] = x75 - out1[39] = x76 - out1[40] = x77 - out1[41] = x79 - out1[42] = x81 - out1[43] = x83 - out1[44] = x85 - out1[45] = x87 - out1[46] = x89 - out1[47] = x90 -} - -// p384FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. -// -// Preconditions: -// -// 0 ≤ bytes_eval arg1 < m -// -// Postconditions: -// -// eval out1 mod m = bytes_eval arg1 mod m -// 0 ≤ eval out1 < m -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -func p384FromBytes(out1 *[6]uint64, arg1 *[48]uint8) { - x1 := (uint64(arg1[47]) << 56) - x2 := (uint64(arg1[46]) << 48) - x3 := (uint64(arg1[45]) << 40) - x4 := (uint64(arg1[44]) << 32) - x5 := (uint64(arg1[43]) << 24) - x6 := (uint64(arg1[42]) << 16) - x7 := (uint64(arg1[41]) << 8) - x8 := arg1[40] - x9 := (uint64(arg1[39]) << 56) - x10 := (uint64(arg1[38]) << 48) - x11 := (uint64(arg1[37]) << 40) - x12 := (uint64(arg1[36]) << 32) - x13 := (uint64(arg1[35]) << 24) - x14 := (uint64(arg1[34]) << 16) - x15 := (uint64(arg1[33]) << 8) - x16 := arg1[32] - x17 := (uint64(arg1[31]) << 56) - x18 := (uint64(arg1[30]) << 48) - x19 := (uint64(arg1[29]) << 40) - x20 := (uint64(arg1[28]) << 32) - x21 := (uint64(arg1[27]) << 24) - x22 := (uint64(arg1[26]) << 16) - x23 := (uint64(arg1[25]) << 8) - x24 := arg1[24] - x25 := (uint64(arg1[23]) << 56) - x26 := (uint64(arg1[22]) << 48) - x27 := (uint64(arg1[21]) << 40) - x28 := (uint64(arg1[20]) << 32) - x29 := (uint64(arg1[19]) << 24) - x30 := (uint64(arg1[18]) << 16) - x31 := (uint64(arg1[17]) << 8) - x32 := arg1[16] - x33 := (uint64(arg1[15]) << 56) - x34 := (uint64(arg1[14]) << 48) - x35 := (uint64(arg1[13]) << 40) - x36 := (uint64(arg1[12]) << 32) - x37 := (uint64(arg1[11]) << 24) - x38 := (uint64(arg1[10]) << 16) - x39 := (uint64(arg1[9]) << 8) - x40 := arg1[8] - x41 := (uint64(arg1[7]) << 56) - x42 := (uint64(arg1[6]) << 48) - x43 := (uint64(arg1[5]) << 40) - x44 := (uint64(arg1[4]) << 32) - x45 := (uint64(arg1[3]) << 24) - x46 := (uint64(arg1[2]) << 16) - x47 := (uint64(arg1[1]) << 8) - x48 := arg1[0] - x49 := (x47 + uint64(x48)) - x50 := (x46 + x49) - x51 := (x45 + x50) - x52 := (x44 + x51) - x53 := (x43 + x52) - x54 := (x42 + x53) - x55 := (x41 + x54) - x56 := (x39 + uint64(x40)) - x57 := (x38 + x56) - x58 := (x37 + x57) - x59 := (x36 + x58) - x60 := (x35 + x59) - x61 := (x34 + x60) - x62 := (x33 + x61) - x63 := (x31 + uint64(x32)) - x64 := (x30 + x63) - x65 := (x29 + x64) - x66 := (x28 + x65) - x67 := (x27 + x66) - x68 := (x26 + x67) - x69 := (x25 + x68) - x70 := (x23 + uint64(x24)) - x71 := (x22 + x70) - x72 := (x21 + x71) - x73 := (x20 + x72) - x74 := (x19 + x73) - x75 := (x18 + x74) - x76 := (x17 + x75) - x77 := (x15 + uint64(x16)) - x78 := (x14 + x77) - x79 := (x13 + x78) - x80 := (x12 + x79) - x81 := (x11 + x80) - x82 := (x10 + x81) - x83 := (x9 + x82) - x84 := (x7 + uint64(x8)) - x85 := (x6 + x84) - x86 := (x5 + x85) - x87 := (x4 + x86) - x88 := (x3 + x87) - x89 := (x2 + x88) - x90 := (x1 + x89) - out1[0] = x55 - out1[1] = x62 - out1[2] = x69 - out1[3] = x76 - out1[4] = x83 - out1[5] = x90 -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p384_invert.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p384_invert.go deleted file mode 100644 index 31591ac1536..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p384_invert.go +++ /dev/null @@ -1,102 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by addchain. DO NOT EDIT. - -package fiat - -// Invert sets e = 1/x, and returns e. -// -// If x == 0, Invert returns e = 0. -func (e *P384Element) Invert(x *P384Element) *P384Element { - // Inversion is implemented as exponentiation with exponent p − 2. - // The sequence of 15 multiplications and 383 squarings is derived from the - // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. - // - // _10 = 2*1 - // _11 = 1 + _10 - // _110 = 2*_11 - // _111 = 1 + _110 - // _111000 = _111 << 3 - // _111111 = _111 + _111000 - // x12 = _111111 << 6 + _111111 - // x24 = x12 << 12 + x12 - // x30 = x24 << 6 + _111111 - // x31 = 2*x30 + 1 - // x32 = 2*x31 + 1 - // x63 = x32 << 31 + x31 - // x126 = x63 << 63 + x63 - // x252 = x126 << 126 + x126 - // x255 = x252 << 3 + _111 - // i397 = ((x255 << 33 + x32) << 94 + x30) << 2 - // return 1 + i397 - // - - var z = new(P384Element).Set(e) - var t0 = new(P384Element) - var t1 = new(P384Element) - var t2 = new(P384Element) - var t3 = new(P384Element) - - z.Square(x) - z.Mul(x, z) - z.Square(z) - t1.Mul(x, z) - z.Square(t1) - for s := 1; s < 3; s++ { - z.Square(z) - } - z.Mul(t1, z) - t0.Square(z) - for s := 1; s < 6; s++ { - t0.Square(t0) - } - t0.Mul(z, t0) - t2.Square(t0) - for s := 1; s < 12; s++ { - t2.Square(t2) - } - t0.Mul(t0, t2) - for s := 0; s < 6; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - t0.Square(z) - t2.Mul(x, t0) - t0.Square(t2) - t0.Mul(x, t0) - t3.Square(t0) - for s := 1; s < 31; s++ { - t3.Square(t3) - } - t2.Mul(t2, t3) - t3.Square(t2) - for s := 1; s < 63; s++ { - t3.Square(t3) - } - t2.Mul(t2, t3) - t3.Square(t2) - for s := 1; s < 126; s++ { - t3.Square(t3) - } - t2.Mul(t2, t3) - for s := 0; s < 3; s++ { - t2.Square(t2) - } - t1.Mul(t1, t2) - for s := 0; s < 33; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - for s := 0; s < 94; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - for s := 0; s < 2; s++ { - z.Square(z) - } - z.Mul(x, z) - - return e.Set(z) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p521.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p521.go deleted file mode 100644 index d4d576503d4..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p521.go +++ /dev/null @@ -1,129 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by generate.go. DO NOT EDIT. - -package fiat - -import ( - "crypto/internal/fips140/subtle" - "errors" -) - -// P521Element is an integer modulo 2^521 - 1. -// -// The zero value is a valid zero element. -type P521Element struct { - // Values are represented internally always in the Montgomery domain, and - // converted in Bytes and SetBytes. - x p521MontgomeryDomainFieldElement -} - -const p521ElementLen = 66 - -type p521UntypedFieldElement = [9]uint64 - -// One sets e = 1, and returns e. -func (e *P521Element) One() *P521Element { - p521SetOne(&e.x) - return e -} - -// Equal returns 1 if e == t, and zero otherwise. -func (e *P521Element) Equal(t *P521Element) int { - eBytes := e.Bytes() - tBytes := t.Bytes() - return subtle.ConstantTimeCompare(eBytes, tBytes) -} - -// IsZero returns 1 if e == 0, and zero otherwise. -func (e *P521Element) IsZero() int { - zero := make([]byte, p521ElementLen) - eBytes := e.Bytes() - return subtle.ConstantTimeCompare(eBytes, zero) -} - -// Set sets e = t, and returns e. -func (e *P521Element) Set(t *P521Element) *P521Element { - e.x = t.x - return e -} - -// Bytes returns the 66-byte big-endian encoding of e. -func (e *P521Element) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p521ElementLen]byte - return e.bytes(&out) -} - -func (e *P521Element) bytes(out *[p521ElementLen]byte) []byte { - var tmp p521NonMontgomeryDomainFieldElement - p521FromMontgomery(&tmp, &e.x) - p521ToBytes(out, (*p521UntypedFieldElement)(&tmp)) - p521InvertEndianness(out[:]) - return out[:] -} - -// SetBytes sets e = v, where v is a big-endian 66-byte encoding, and returns e. -// If v is not 66 bytes or it encodes a value higher than 2^521 - 1, -// SetBytes returns nil and an error, and e is unchanged. -func (e *P521Element) SetBytes(v []byte) (*P521Element, error) { - if len(v) != p521ElementLen { - return nil, errors.New("invalid P521Element encoding") - } - - // Check for non-canonical encodings (p + k, 2p + k, etc.) by comparing to - // the encoding of -1 mod p, so p - 1, the highest canonical encoding. - var minusOneEncoding = new(P521Element).Sub( - new(P521Element), new(P521Element).One()).Bytes() - if subtle.ConstantTimeLessOrEqBytes(v, minusOneEncoding) == 0 { - return nil, errors.New("invalid P521Element encoding") - } - - var in [p521ElementLen]byte - copy(in[:], v) - p521InvertEndianness(in[:]) - var tmp p521NonMontgomeryDomainFieldElement - p521FromBytes((*p521UntypedFieldElement)(&tmp), &in) - p521ToMontgomery(&e.x, &tmp) - return e, nil -} - -// Add sets e = t1 + t2, and returns e. -func (e *P521Element) Add(t1, t2 *P521Element) *P521Element { - p521Add(&e.x, &t1.x, &t2.x) - return e -} - -// Sub sets e = t1 - t2, and returns e. -func (e *P521Element) Sub(t1, t2 *P521Element) *P521Element { - p521Sub(&e.x, &t1.x, &t2.x) - return e -} - -// Mul sets e = t1 * t2, and returns e. -func (e *P521Element) Mul(t1, t2 *P521Element) *P521Element { - p521Mul(&e.x, &t1.x, &t2.x) - return e -} - -// Square sets e = t * t, and returns e. -func (e *P521Element) Square(t *P521Element) *P521Element { - p521Square(&e.x, &t.x) - return e -} - -// Select sets v to a if cond == 1, and to b if cond == 0. -func (v *P521Element) Select(a, b *P521Element, cond int) *P521Element { - p521Selectznz((*p521UntypedFieldElement)(&v.x), p521Uint1(cond), - (*p521UntypedFieldElement)(&b.x), (*p521UntypedFieldElement)(&a.x)) - return v -} - -func p521InvertEndianness(v []byte) { - for i := 0; i < len(v)/2; i++ { - v[i], v[len(v)-1-i] = v[len(v)-1-i], v[i] - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p521_fiat64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p521_fiat64.go deleted file mode 100644 index 87a359e88ed..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p521_fiat64.go +++ /dev/null @@ -1,5541 +0,0 @@ -// Code generated by Fiat Cryptography. DO NOT EDIT. -// -// Autogenerated: word_by_word_montgomery --lang Go --no-wide-int --cmovznz-by-mul --relax-primitive-carry-to-bitwidth 32,64 --internal-static --public-function-case camelCase --public-type-case camelCase --private-function-case camelCase --private-type-case camelCase --doc-text-before-function-name '' --doc-newline-before-package-declaration --doc-prepend-header 'Code generated by Fiat Cryptography. DO NOT EDIT.' --package-name fiat --no-prefix-fiat p521 64 '2^521 - 1' mul square add sub one from_montgomery to_montgomery selectznz to_bytes from_bytes -// -// curve description: p521 -// -// machine_wordsize = 64 (from "64") -// -// requested operations: mul, square, add, sub, one, from_montgomery, to_montgomery, selectznz, to_bytes, from_bytes -// -// m = 0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff (from "2^521 - 1") -// -// -// -// NOTE: In addition to the bounds specified above each function, all -// -// functions synthesized for this Montgomery arithmetic require the -// -// input to be strictly less than the prime modulus (m), and also -// -// require the input to be in the unique saturated representation. -// -// All functions also ensure that these two properties are true of -// -// return values. -// -// -// -// Computed values: -// -// eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) + (z[7] << 0x1c0) + (z[8] << 2^9) -// -// bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) + (z[48] << 0x180) + (z[49] << 0x188) + (z[50] << 0x190) + (z[51] << 0x198) + (z[52] << 0x1a0) + (z[53] << 0x1a8) + (z[54] << 0x1b0) + (z[55] << 0x1b8) + (z[56] << 0x1c0) + (z[57] << 0x1c8) + (z[58] << 0x1d0) + (z[59] << 0x1d8) + (z[60] << 0x1e0) + (z[61] << 0x1e8) + (z[62] << 0x1f0) + (z[63] << 0x1f8) + (z[64] << 2^9) + (z[65] << 0x208) -// -// twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) + (z[6] << 0x180) + (z[7] << 0x1c0) + (z[8] << 2^9) in -// -// if x1 & (2^576-1) < 2^575 then x1 & (2^576-1) else (x1 & (2^576-1)) - 2^576 - -package fiat - -import "math/bits" - -type p521Uint1 uint64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 -type p521Int1 int64 // We use uint64 instead of a more narrow type for performance reasons; see https://github.com/mit-plv/fiat-crypto/pull/1006#issuecomment-892625927 - -// The type p521MontgomeryDomainFieldElement is a field element in the Montgomery domain. -// -// Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -type p521MontgomeryDomainFieldElement [9]uint64 - -// The type p521NonMontgomeryDomainFieldElement is a field element NOT in the Montgomery domain. -// -// Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -type p521NonMontgomeryDomainFieldElement [9]uint64 - -// p521CmovznzU64 is a single-word conditional move. -// -// Postconditions: -// -// out1 = (if arg1 = 0 then arg2 else arg3) -// -// Input Bounds: -// -// arg1: [0x0 ~> 0x1] -// arg2: [0x0 ~> 0xffffffffffffffff] -// arg3: [0x0 ~> 0xffffffffffffffff] -// -// Output Bounds: -// -// out1: [0x0 ~> 0xffffffffffffffff] -func p521CmovznzU64(out1 *uint64, arg1 p521Uint1, arg2 uint64, arg3 uint64) { - x1 := (uint64(arg1) * 0xffffffffffffffff) - x2 := ((x1 & arg3) | ((^x1) & arg2)) - *out1 = x2 -} - -// p521Mul multiplies two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p521Mul(out1 *p521MontgomeryDomainFieldElement, arg1 *p521MontgomeryDomainFieldElement, arg2 *p521MontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[4] - x5 := arg1[5] - x6 := arg1[6] - x7 := arg1[7] - x8 := arg1[8] - x9 := arg1[0] - var x10 uint64 - var x11 uint64 - x11, x10 = bits.Mul64(x9, arg2[8]) - var x12 uint64 - var x13 uint64 - x13, x12 = bits.Mul64(x9, arg2[7]) - var x14 uint64 - var x15 uint64 - x15, x14 = bits.Mul64(x9, arg2[6]) - var x16 uint64 - var x17 uint64 - x17, x16 = bits.Mul64(x9, arg2[5]) - var x18 uint64 - var x19 uint64 - x19, x18 = bits.Mul64(x9, arg2[4]) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x9, arg2[3]) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x9, arg2[2]) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x9, arg2[1]) - var x26 uint64 - var x27 uint64 - x27, x26 = bits.Mul64(x9, arg2[0]) - var x28 uint64 - var x29 uint64 - x28, x29 = bits.Add64(x27, x24, uint64(0x0)) - var x30 uint64 - var x31 uint64 - x30, x31 = bits.Add64(x25, x22, uint64(p521Uint1(x29))) - var x32 uint64 - var x33 uint64 - x32, x33 = bits.Add64(x23, x20, uint64(p521Uint1(x31))) - var x34 uint64 - var x35 uint64 - x34, x35 = bits.Add64(x21, x18, uint64(p521Uint1(x33))) - var x36 uint64 - var x37 uint64 - x36, x37 = bits.Add64(x19, x16, uint64(p521Uint1(x35))) - var x38 uint64 - var x39 uint64 - x38, x39 = bits.Add64(x17, x14, uint64(p521Uint1(x37))) - var x40 uint64 - var x41 uint64 - x40, x41 = bits.Add64(x15, x12, uint64(p521Uint1(x39))) - var x42 uint64 - var x43 uint64 - x42, x43 = bits.Add64(x13, x10, uint64(p521Uint1(x41))) - x44 := (uint64(p521Uint1(x43)) + x11) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x26, 0x1ff) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x26, 0xffffffffffffffff) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64(x26, 0xffffffffffffffff) - var x51 uint64 - var x52 uint64 - x52, x51 = bits.Mul64(x26, 0xffffffffffffffff) - var x53 uint64 - var x54 uint64 - x54, x53 = bits.Mul64(x26, 0xffffffffffffffff) - var x55 uint64 - var x56 uint64 - x56, x55 = bits.Mul64(x26, 0xffffffffffffffff) - var x57 uint64 - var x58 uint64 - x58, x57 = bits.Mul64(x26, 0xffffffffffffffff) - var x59 uint64 - var x60 uint64 - x60, x59 = bits.Mul64(x26, 0xffffffffffffffff) - var x61 uint64 - var x62 uint64 - x62, x61 = bits.Mul64(x26, 0xffffffffffffffff) - var x63 uint64 - var x64 uint64 - x63, x64 = bits.Add64(x62, x59, uint64(0x0)) - var x65 uint64 - var x66 uint64 - x65, x66 = bits.Add64(x60, x57, uint64(p521Uint1(x64))) - var x67 uint64 - var x68 uint64 - x67, x68 = bits.Add64(x58, x55, uint64(p521Uint1(x66))) - var x69 uint64 - var x70 uint64 - x69, x70 = bits.Add64(x56, x53, uint64(p521Uint1(x68))) - var x71 uint64 - var x72 uint64 - x71, x72 = bits.Add64(x54, x51, uint64(p521Uint1(x70))) - var x73 uint64 - var x74 uint64 - x73, x74 = bits.Add64(x52, x49, uint64(p521Uint1(x72))) - var x75 uint64 - var x76 uint64 - x75, x76 = bits.Add64(x50, x47, uint64(p521Uint1(x74))) - var x77 uint64 - var x78 uint64 - x77, x78 = bits.Add64(x48, x45, uint64(p521Uint1(x76))) - x79 := (uint64(p521Uint1(x78)) + x46) - var x81 uint64 - _, x81 = bits.Add64(x26, x61, uint64(0x0)) - var x82 uint64 - var x83 uint64 - x82, x83 = bits.Add64(x28, x63, uint64(p521Uint1(x81))) - var x84 uint64 - var x85 uint64 - x84, x85 = bits.Add64(x30, x65, uint64(p521Uint1(x83))) - var x86 uint64 - var x87 uint64 - x86, x87 = bits.Add64(x32, x67, uint64(p521Uint1(x85))) - var x88 uint64 - var x89 uint64 - x88, x89 = bits.Add64(x34, x69, uint64(p521Uint1(x87))) - var x90 uint64 - var x91 uint64 - x90, x91 = bits.Add64(x36, x71, uint64(p521Uint1(x89))) - var x92 uint64 - var x93 uint64 - x92, x93 = bits.Add64(x38, x73, uint64(p521Uint1(x91))) - var x94 uint64 - var x95 uint64 - x94, x95 = bits.Add64(x40, x75, uint64(p521Uint1(x93))) - var x96 uint64 - var x97 uint64 - x96, x97 = bits.Add64(x42, x77, uint64(p521Uint1(x95))) - var x98 uint64 - var x99 uint64 - x98, x99 = bits.Add64(x44, x79, uint64(p521Uint1(x97))) - var x100 uint64 - var x101 uint64 - x101, x100 = bits.Mul64(x1, arg2[8]) - var x102 uint64 - var x103 uint64 - x103, x102 = bits.Mul64(x1, arg2[7]) - var x104 uint64 - var x105 uint64 - x105, x104 = bits.Mul64(x1, arg2[6]) - var x106 uint64 - var x107 uint64 - x107, x106 = bits.Mul64(x1, arg2[5]) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(x1, arg2[4]) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64(x1, arg2[3]) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(x1, arg2[2]) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(x1, arg2[1]) - var x116 uint64 - var x117 uint64 - x117, x116 = bits.Mul64(x1, arg2[0]) - var x118 uint64 - var x119 uint64 - x118, x119 = bits.Add64(x117, x114, uint64(0x0)) - var x120 uint64 - var x121 uint64 - x120, x121 = bits.Add64(x115, x112, uint64(p521Uint1(x119))) - var x122 uint64 - var x123 uint64 - x122, x123 = bits.Add64(x113, x110, uint64(p521Uint1(x121))) - var x124 uint64 - var x125 uint64 - x124, x125 = bits.Add64(x111, x108, uint64(p521Uint1(x123))) - var x126 uint64 - var x127 uint64 - x126, x127 = bits.Add64(x109, x106, uint64(p521Uint1(x125))) - var x128 uint64 - var x129 uint64 - x128, x129 = bits.Add64(x107, x104, uint64(p521Uint1(x127))) - var x130 uint64 - var x131 uint64 - x130, x131 = bits.Add64(x105, x102, uint64(p521Uint1(x129))) - var x132 uint64 - var x133 uint64 - x132, x133 = bits.Add64(x103, x100, uint64(p521Uint1(x131))) - x134 := (uint64(p521Uint1(x133)) + x101) - var x135 uint64 - var x136 uint64 - x135, x136 = bits.Add64(x82, x116, uint64(0x0)) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x84, x118, uint64(p521Uint1(x136))) - var x139 uint64 - var x140 uint64 - x139, x140 = bits.Add64(x86, x120, uint64(p521Uint1(x138))) - var x141 uint64 - var x142 uint64 - x141, x142 = bits.Add64(x88, x122, uint64(p521Uint1(x140))) - var x143 uint64 - var x144 uint64 - x143, x144 = bits.Add64(x90, x124, uint64(p521Uint1(x142))) - var x145 uint64 - var x146 uint64 - x145, x146 = bits.Add64(x92, x126, uint64(p521Uint1(x144))) - var x147 uint64 - var x148 uint64 - x147, x148 = bits.Add64(x94, x128, uint64(p521Uint1(x146))) - var x149 uint64 - var x150 uint64 - x149, x150 = bits.Add64(x96, x130, uint64(p521Uint1(x148))) - var x151 uint64 - var x152 uint64 - x151, x152 = bits.Add64(x98, x132, uint64(p521Uint1(x150))) - var x153 uint64 - var x154 uint64 - x153, x154 = bits.Add64(uint64(p521Uint1(x99)), x134, uint64(p521Uint1(x152))) - var x155 uint64 - var x156 uint64 - x156, x155 = bits.Mul64(x135, 0x1ff) - var x157 uint64 - var x158 uint64 - x158, x157 = bits.Mul64(x135, 0xffffffffffffffff) - var x159 uint64 - var x160 uint64 - x160, x159 = bits.Mul64(x135, 0xffffffffffffffff) - var x161 uint64 - var x162 uint64 - x162, x161 = bits.Mul64(x135, 0xffffffffffffffff) - var x163 uint64 - var x164 uint64 - x164, x163 = bits.Mul64(x135, 0xffffffffffffffff) - var x165 uint64 - var x166 uint64 - x166, x165 = bits.Mul64(x135, 0xffffffffffffffff) - var x167 uint64 - var x168 uint64 - x168, x167 = bits.Mul64(x135, 0xffffffffffffffff) - var x169 uint64 - var x170 uint64 - x170, x169 = bits.Mul64(x135, 0xffffffffffffffff) - var x171 uint64 - var x172 uint64 - x172, x171 = bits.Mul64(x135, 0xffffffffffffffff) - var x173 uint64 - var x174 uint64 - x173, x174 = bits.Add64(x172, x169, uint64(0x0)) - var x175 uint64 - var x176 uint64 - x175, x176 = bits.Add64(x170, x167, uint64(p521Uint1(x174))) - var x177 uint64 - var x178 uint64 - x177, x178 = bits.Add64(x168, x165, uint64(p521Uint1(x176))) - var x179 uint64 - var x180 uint64 - x179, x180 = bits.Add64(x166, x163, uint64(p521Uint1(x178))) - var x181 uint64 - var x182 uint64 - x181, x182 = bits.Add64(x164, x161, uint64(p521Uint1(x180))) - var x183 uint64 - var x184 uint64 - x183, x184 = bits.Add64(x162, x159, uint64(p521Uint1(x182))) - var x185 uint64 - var x186 uint64 - x185, x186 = bits.Add64(x160, x157, uint64(p521Uint1(x184))) - var x187 uint64 - var x188 uint64 - x187, x188 = bits.Add64(x158, x155, uint64(p521Uint1(x186))) - x189 := (uint64(p521Uint1(x188)) + x156) - var x191 uint64 - _, x191 = bits.Add64(x135, x171, uint64(0x0)) - var x192 uint64 - var x193 uint64 - x192, x193 = bits.Add64(x137, x173, uint64(p521Uint1(x191))) - var x194 uint64 - var x195 uint64 - x194, x195 = bits.Add64(x139, x175, uint64(p521Uint1(x193))) - var x196 uint64 - var x197 uint64 - x196, x197 = bits.Add64(x141, x177, uint64(p521Uint1(x195))) - var x198 uint64 - var x199 uint64 - x198, x199 = bits.Add64(x143, x179, uint64(p521Uint1(x197))) - var x200 uint64 - var x201 uint64 - x200, x201 = bits.Add64(x145, x181, uint64(p521Uint1(x199))) - var x202 uint64 - var x203 uint64 - x202, x203 = bits.Add64(x147, x183, uint64(p521Uint1(x201))) - var x204 uint64 - var x205 uint64 - x204, x205 = bits.Add64(x149, x185, uint64(p521Uint1(x203))) - var x206 uint64 - var x207 uint64 - x206, x207 = bits.Add64(x151, x187, uint64(p521Uint1(x205))) - var x208 uint64 - var x209 uint64 - x208, x209 = bits.Add64(x153, x189, uint64(p521Uint1(x207))) - x210 := (uint64(p521Uint1(x209)) + uint64(p521Uint1(x154))) - var x211 uint64 - var x212 uint64 - x212, x211 = bits.Mul64(x2, arg2[8]) - var x213 uint64 - var x214 uint64 - x214, x213 = bits.Mul64(x2, arg2[7]) - var x215 uint64 - var x216 uint64 - x216, x215 = bits.Mul64(x2, arg2[6]) - var x217 uint64 - var x218 uint64 - x218, x217 = bits.Mul64(x2, arg2[5]) - var x219 uint64 - var x220 uint64 - x220, x219 = bits.Mul64(x2, arg2[4]) - var x221 uint64 - var x222 uint64 - x222, x221 = bits.Mul64(x2, arg2[3]) - var x223 uint64 - var x224 uint64 - x224, x223 = bits.Mul64(x2, arg2[2]) - var x225 uint64 - var x226 uint64 - x226, x225 = bits.Mul64(x2, arg2[1]) - var x227 uint64 - var x228 uint64 - x228, x227 = bits.Mul64(x2, arg2[0]) - var x229 uint64 - var x230 uint64 - x229, x230 = bits.Add64(x228, x225, uint64(0x0)) - var x231 uint64 - var x232 uint64 - x231, x232 = bits.Add64(x226, x223, uint64(p521Uint1(x230))) - var x233 uint64 - var x234 uint64 - x233, x234 = bits.Add64(x224, x221, uint64(p521Uint1(x232))) - var x235 uint64 - var x236 uint64 - x235, x236 = bits.Add64(x222, x219, uint64(p521Uint1(x234))) - var x237 uint64 - var x238 uint64 - x237, x238 = bits.Add64(x220, x217, uint64(p521Uint1(x236))) - var x239 uint64 - var x240 uint64 - x239, x240 = bits.Add64(x218, x215, uint64(p521Uint1(x238))) - var x241 uint64 - var x242 uint64 - x241, x242 = bits.Add64(x216, x213, uint64(p521Uint1(x240))) - var x243 uint64 - var x244 uint64 - x243, x244 = bits.Add64(x214, x211, uint64(p521Uint1(x242))) - x245 := (uint64(p521Uint1(x244)) + x212) - var x246 uint64 - var x247 uint64 - x246, x247 = bits.Add64(x192, x227, uint64(0x0)) - var x248 uint64 - var x249 uint64 - x248, x249 = bits.Add64(x194, x229, uint64(p521Uint1(x247))) - var x250 uint64 - var x251 uint64 - x250, x251 = bits.Add64(x196, x231, uint64(p521Uint1(x249))) - var x252 uint64 - var x253 uint64 - x252, x253 = bits.Add64(x198, x233, uint64(p521Uint1(x251))) - var x254 uint64 - var x255 uint64 - x254, x255 = bits.Add64(x200, x235, uint64(p521Uint1(x253))) - var x256 uint64 - var x257 uint64 - x256, x257 = bits.Add64(x202, x237, uint64(p521Uint1(x255))) - var x258 uint64 - var x259 uint64 - x258, x259 = bits.Add64(x204, x239, uint64(p521Uint1(x257))) - var x260 uint64 - var x261 uint64 - x260, x261 = bits.Add64(x206, x241, uint64(p521Uint1(x259))) - var x262 uint64 - var x263 uint64 - x262, x263 = bits.Add64(x208, x243, uint64(p521Uint1(x261))) - var x264 uint64 - var x265 uint64 - x264, x265 = bits.Add64(x210, x245, uint64(p521Uint1(x263))) - var x266 uint64 - var x267 uint64 - x267, x266 = bits.Mul64(x246, 0x1ff) - var x268 uint64 - var x269 uint64 - x269, x268 = bits.Mul64(x246, 0xffffffffffffffff) - var x270 uint64 - var x271 uint64 - x271, x270 = bits.Mul64(x246, 0xffffffffffffffff) - var x272 uint64 - var x273 uint64 - x273, x272 = bits.Mul64(x246, 0xffffffffffffffff) - var x274 uint64 - var x275 uint64 - x275, x274 = bits.Mul64(x246, 0xffffffffffffffff) - var x276 uint64 - var x277 uint64 - x277, x276 = bits.Mul64(x246, 0xffffffffffffffff) - var x278 uint64 - var x279 uint64 - x279, x278 = bits.Mul64(x246, 0xffffffffffffffff) - var x280 uint64 - var x281 uint64 - x281, x280 = bits.Mul64(x246, 0xffffffffffffffff) - var x282 uint64 - var x283 uint64 - x283, x282 = bits.Mul64(x246, 0xffffffffffffffff) - var x284 uint64 - var x285 uint64 - x284, x285 = bits.Add64(x283, x280, uint64(0x0)) - var x286 uint64 - var x287 uint64 - x286, x287 = bits.Add64(x281, x278, uint64(p521Uint1(x285))) - var x288 uint64 - var x289 uint64 - x288, x289 = bits.Add64(x279, x276, uint64(p521Uint1(x287))) - var x290 uint64 - var x291 uint64 - x290, x291 = bits.Add64(x277, x274, uint64(p521Uint1(x289))) - var x292 uint64 - var x293 uint64 - x292, x293 = bits.Add64(x275, x272, uint64(p521Uint1(x291))) - var x294 uint64 - var x295 uint64 - x294, x295 = bits.Add64(x273, x270, uint64(p521Uint1(x293))) - var x296 uint64 - var x297 uint64 - x296, x297 = bits.Add64(x271, x268, uint64(p521Uint1(x295))) - var x298 uint64 - var x299 uint64 - x298, x299 = bits.Add64(x269, x266, uint64(p521Uint1(x297))) - x300 := (uint64(p521Uint1(x299)) + x267) - var x302 uint64 - _, x302 = bits.Add64(x246, x282, uint64(0x0)) - var x303 uint64 - var x304 uint64 - x303, x304 = bits.Add64(x248, x284, uint64(p521Uint1(x302))) - var x305 uint64 - var x306 uint64 - x305, x306 = bits.Add64(x250, x286, uint64(p521Uint1(x304))) - var x307 uint64 - var x308 uint64 - x307, x308 = bits.Add64(x252, x288, uint64(p521Uint1(x306))) - var x309 uint64 - var x310 uint64 - x309, x310 = bits.Add64(x254, x290, uint64(p521Uint1(x308))) - var x311 uint64 - var x312 uint64 - x311, x312 = bits.Add64(x256, x292, uint64(p521Uint1(x310))) - var x313 uint64 - var x314 uint64 - x313, x314 = bits.Add64(x258, x294, uint64(p521Uint1(x312))) - var x315 uint64 - var x316 uint64 - x315, x316 = bits.Add64(x260, x296, uint64(p521Uint1(x314))) - var x317 uint64 - var x318 uint64 - x317, x318 = bits.Add64(x262, x298, uint64(p521Uint1(x316))) - var x319 uint64 - var x320 uint64 - x319, x320 = bits.Add64(x264, x300, uint64(p521Uint1(x318))) - x321 := (uint64(p521Uint1(x320)) + uint64(p521Uint1(x265))) - var x322 uint64 - var x323 uint64 - x323, x322 = bits.Mul64(x3, arg2[8]) - var x324 uint64 - var x325 uint64 - x325, x324 = bits.Mul64(x3, arg2[7]) - var x326 uint64 - var x327 uint64 - x327, x326 = bits.Mul64(x3, arg2[6]) - var x328 uint64 - var x329 uint64 - x329, x328 = bits.Mul64(x3, arg2[5]) - var x330 uint64 - var x331 uint64 - x331, x330 = bits.Mul64(x3, arg2[4]) - var x332 uint64 - var x333 uint64 - x333, x332 = bits.Mul64(x3, arg2[3]) - var x334 uint64 - var x335 uint64 - x335, x334 = bits.Mul64(x3, arg2[2]) - var x336 uint64 - var x337 uint64 - x337, x336 = bits.Mul64(x3, arg2[1]) - var x338 uint64 - var x339 uint64 - x339, x338 = bits.Mul64(x3, arg2[0]) - var x340 uint64 - var x341 uint64 - x340, x341 = bits.Add64(x339, x336, uint64(0x0)) - var x342 uint64 - var x343 uint64 - x342, x343 = bits.Add64(x337, x334, uint64(p521Uint1(x341))) - var x344 uint64 - var x345 uint64 - x344, x345 = bits.Add64(x335, x332, uint64(p521Uint1(x343))) - var x346 uint64 - var x347 uint64 - x346, x347 = bits.Add64(x333, x330, uint64(p521Uint1(x345))) - var x348 uint64 - var x349 uint64 - x348, x349 = bits.Add64(x331, x328, uint64(p521Uint1(x347))) - var x350 uint64 - var x351 uint64 - x350, x351 = bits.Add64(x329, x326, uint64(p521Uint1(x349))) - var x352 uint64 - var x353 uint64 - x352, x353 = bits.Add64(x327, x324, uint64(p521Uint1(x351))) - var x354 uint64 - var x355 uint64 - x354, x355 = bits.Add64(x325, x322, uint64(p521Uint1(x353))) - x356 := (uint64(p521Uint1(x355)) + x323) - var x357 uint64 - var x358 uint64 - x357, x358 = bits.Add64(x303, x338, uint64(0x0)) - var x359 uint64 - var x360 uint64 - x359, x360 = bits.Add64(x305, x340, uint64(p521Uint1(x358))) - var x361 uint64 - var x362 uint64 - x361, x362 = bits.Add64(x307, x342, uint64(p521Uint1(x360))) - var x363 uint64 - var x364 uint64 - x363, x364 = bits.Add64(x309, x344, uint64(p521Uint1(x362))) - var x365 uint64 - var x366 uint64 - x365, x366 = bits.Add64(x311, x346, uint64(p521Uint1(x364))) - var x367 uint64 - var x368 uint64 - x367, x368 = bits.Add64(x313, x348, uint64(p521Uint1(x366))) - var x369 uint64 - var x370 uint64 - x369, x370 = bits.Add64(x315, x350, uint64(p521Uint1(x368))) - var x371 uint64 - var x372 uint64 - x371, x372 = bits.Add64(x317, x352, uint64(p521Uint1(x370))) - var x373 uint64 - var x374 uint64 - x373, x374 = bits.Add64(x319, x354, uint64(p521Uint1(x372))) - var x375 uint64 - var x376 uint64 - x375, x376 = bits.Add64(x321, x356, uint64(p521Uint1(x374))) - var x377 uint64 - var x378 uint64 - x378, x377 = bits.Mul64(x357, 0x1ff) - var x379 uint64 - var x380 uint64 - x380, x379 = bits.Mul64(x357, 0xffffffffffffffff) - var x381 uint64 - var x382 uint64 - x382, x381 = bits.Mul64(x357, 0xffffffffffffffff) - var x383 uint64 - var x384 uint64 - x384, x383 = bits.Mul64(x357, 0xffffffffffffffff) - var x385 uint64 - var x386 uint64 - x386, x385 = bits.Mul64(x357, 0xffffffffffffffff) - var x387 uint64 - var x388 uint64 - x388, x387 = bits.Mul64(x357, 0xffffffffffffffff) - var x389 uint64 - var x390 uint64 - x390, x389 = bits.Mul64(x357, 0xffffffffffffffff) - var x391 uint64 - var x392 uint64 - x392, x391 = bits.Mul64(x357, 0xffffffffffffffff) - var x393 uint64 - var x394 uint64 - x394, x393 = bits.Mul64(x357, 0xffffffffffffffff) - var x395 uint64 - var x396 uint64 - x395, x396 = bits.Add64(x394, x391, uint64(0x0)) - var x397 uint64 - var x398 uint64 - x397, x398 = bits.Add64(x392, x389, uint64(p521Uint1(x396))) - var x399 uint64 - var x400 uint64 - x399, x400 = bits.Add64(x390, x387, uint64(p521Uint1(x398))) - var x401 uint64 - var x402 uint64 - x401, x402 = bits.Add64(x388, x385, uint64(p521Uint1(x400))) - var x403 uint64 - var x404 uint64 - x403, x404 = bits.Add64(x386, x383, uint64(p521Uint1(x402))) - var x405 uint64 - var x406 uint64 - x405, x406 = bits.Add64(x384, x381, uint64(p521Uint1(x404))) - var x407 uint64 - var x408 uint64 - x407, x408 = bits.Add64(x382, x379, uint64(p521Uint1(x406))) - var x409 uint64 - var x410 uint64 - x409, x410 = bits.Add64(x380, x377, uint64(p521Uint1(x408))) - x411 := (uint64(p521Uint1(x410)) + x378) - var x413 uint64 - _, x413 = bits.Add64(x357, x393, uint64(0x0)) - var x414 uint64 - var x415 uint64 - x414, x415 = bits.Add64(x359, x395, uint64(p521Uint1(x413))) - var x416 uint64 - var x417 uint64 - x416, x417 = bits.Add64(x361, x397, uint64(p521Uint1(x415))) - var x418 uint64 - var x419 uint64 - x418, x419 = bits.Add64(x363, x399, uint64(p521Uint1(x417))) - var x420 uint64 - var x421 uint64 - x420, x421 = bits.Add64(x365, x401, uint64(p521Uint1(x419))) - var x422 uint64 - var x423 uint64 - x422, x423 = bits.Add64(x367, x403, uint64(p521Uint1(x421))) - var x424 uint64 - var x425 uint64 - x424, x425 = bits.Add64(x369, x405, uint64(p521Uint1(x423))) - var x426 uint64 - var x427 uint64 - x426, x427 = bits.Add64(x371, x407, uint64(p521Uint1(x425))) - var x428 uint64 - var x429 uint64 - x428, x429 = bits.Add64(x373, x409, uint64(p521Uint1(x427))) - var x430 uint64 - var x431 uint64 - x430, x431 = bits.Add64(x375, x411, uint64(p521Uint1(x429))) - x432 := (uint64(p521Uint1(x431)) + uint64(p521Uint1(x376))) - var x433 uint64 - var x434 uint64 - x434, x433 = bits.Mul64(x4, arg2[8]) - var x435 uint64 - var x436 uint64 - x436, x435 = bits.Mul64(x4, arg2[7]) - var x437 uint64 - var x438 uint64 - x438, x437 = bits.Mul64(x4, arg2[6]) - var x439 uint64 - var x440 uint64 - x440, x439 = bits.Mul64(x4, arg2[5]) - var x441 uint64 - var x442 uint64 - x442, x441 = bits.Mul64(x4, arg2[4]) - var x443 uint64 - var x444 uint64 - x444, x443 = bits.Mul64(x4, arg2[3]) - var x445 uint64 - var x446 uint64 - x446, x445 = bits.Mul64(x4, arg2[2]) - var x447 uint64 - var x448 uint64 - x448, x447 = bits.Mul64(x4, arg2[1]) - var x449 uint64 - var x450 uint64 - x450, x449 = bits.Mul64(x4, arg2[0]) - var x451 uint64 - var x452 uint64 - x451, x452 = bits.Add64(x450, x447, uint64(0x0)) - var x453 uint64 - var x454 uint64 - x453, x454 = bits.Add64(x448, x445, uint64(p521Uint1(x452))) - var x455 uint64 - var x456 uint64 - x455, x456 = bits.Add64(x446, x443, uint64(p521Uint1(x454))) - var x457 uint64 - var x458 uint64 - x457, x458 = bits.Add64(x444, x441, uint64(p521Uint1(x456))) - var x459 uint64 - var x460 uint64 - x459, x460 = bits.Add64(x442, x439, uint64(p521Uint1(x458))) - var x461 uint64 - var x462 uint64 - x461, x462 = bits.Add64(x440, x437, uint64(p521Uint1(x460))) - var x463 uint64 - var x464 uint64 - x463, x464 = bits.Add64(x438, x435, uint64(p521Uint1(x462))) - var x465 uint64 - var x466 uint64 - x465, x466 = bits.Add64(x436, x433, uint64(p521Uint1(x464))) - x467 := (uint64(p521Uint1(x466)) + x434) - var x468 uint64 - var x469 uint64 - x468, x469 = bits.Add64(x414, x449, uint64(0x0)) - var x470 uint64 - var x471 uint64 - x470, x471 = bits.Add64(x416, x451, uint64(p521Uint1(x469))) - var x472 uint64 - var x473 uint64 - x472, x473 = bits.Add64(x418, x453, uint64(p521Uint1(x471))) - var x474 uint64 - var x475 uint64 - x474, x475 = bits.Add64(x420, x455, uint64(p521Uint1(x473))) - var x476 uint64 - var x477 uint64 - x476, x477 = bits.Add64(x422, x457, uint64(p521Uint1(x475))) - var x478 uint64 - var x479 uint64 - x478, x479 = bits.Add64(x424, x459, uint64(p521Uint1(x477))) - var x480 uint64 - var x481 uint64 - x480, x481 = bits.Add64(x426, x461, uint64(p521Uint1(x479))) - var x482 uint64 - var x483 uint64 - x482, x483 = bits.Add64(x428, x463, uint64(p521Uint1(x481))) - var x484 uint64 - var x485 uint64 - x484, x485 = bits.Add64(x430, x465, uint64(p521Uint1(x483))) - var x486 uint64 - var x487 uint64 - x486, x487 = bits.Add64(x432, x467, uint64(p521Uint1(x485))) - var x488 uint64 - var x489 uint64 - x489, x488 = bits.Mul64(x468, 0x1ff) - var x490 uint64 - var x491 uint64 - x491, x490 = bits.Mul64(x468, 0xffffffffffffffff) - var x492 uint64 - var x493 uint64 - x493, x492 = bits.Mul64(x468, 0xffffffffffffffff) - var x494 uint64 - var x495 uint64 - x495, x494 = bits.Mul64(x468, 0xffffffffffffffff) - var x496 uint64 - var x497 uint64 - x497, x496 = bits.Mul64(x468, 0xffffffffffffffff) - var x498 uint64 - var x499 uint64 - x499, x498 = bits.Mul64(x468, 0xffffffffffffffff) - var x500 uint64 - var x501 uint64 - x501, x500 = bits.Mul64(x468, 0xffffffffffffffff) - var x502 uint64 - var x503 uint64 - x503, x502 = bits.Mul64(x468, 0xffffffffffffffff) - var x504 uint64 - var x505 uint64 - x505, x504 = bits.Mul64(x468, 0xffffffffffffffff) - var x506 uint64 - var x507 uint64 - x506, x507 = bits.Add64(x505, x502, uint64(0x0)) - var x508 uint64 - var x509 uint64 - x508, x509 = bits.Add64(x503, x500, uint64(p521Uint1(x507))) - var x510 uint64 - var x511 uint64 - x510, x511 = bits.Add64(x501, x498, uint64(p521Uint1(x509))) - var x512 uint64 - var x513 uint64 - x512, x513 = bits.Add64(x499, x496, uint64(p521Uint1(x511))) - var x514 uint64 - var x515 uint64 - x514, x515 = bits.Add64(x497, x494, uint64(p521Uint1(x513))) - var x516 uint64 - var x517 uint64 - x516, x517 = bits.Add64(x495, x492, uint64(p521Uint1(x515))) - var x518 uint64 - var x519 uint64 - x518, x519 = bits.Add64(x493, x490, uint64(p521Uint1(x517))) - var x520 uint64 - var x521 uint64 - x520, x521 = bits.Add64(x491, x488, uint64(p521Uint1(x519))) - x522 := (uint64(p521Uint1(x521)) + x489) - var x524 uint64 - _, x524 = bits.Add64(x468, x504, uint64(0x0)) - var x525 uint64 - var x526 uint64 - x525, x526 = bits.Add64(x470, x506, uint64(p521Uint1(x524))) - var x527 uint64 - var x528 uint64 - x527, x528 = bits.Add64(x472, x508, uint64(p521Uint1(x526))) - var x529 uint64 - var x530 uint64 - x529, x530 = bits.Add64(x474, x510, uint64(p521Uint1(x528))) - var x531 uint64 - var x532 uint64 - x531, x532 = bits.Add64(x476, x512, uint64(p521Uint1(x530))) - var x533 uint64 - var x534 uint64 - x533, x534 = bits.Add64(x478, x514, uint64(p521Uint1(x532))) - var x535 uint64 - var x536 uint64 - x535, x536 = bits.Add64(x480, x516, uint64(p521Uint1(x534))) - var x537 uint64 - var x538 uint64 - x537, x538 = bits.Add64(x482, x518, uint64(p521Uint1(x536))) - var x539 uint64 - var x540 uint64 - x539, x540 = bits.Add64(x484, x520, uint64(p521Uint1(x538))) - var x541 uint64 - var x542 uint64 - x541, x542 = bits.Add64(x486, x522, uint64(p521Uint1(x540))) - x543 := (uint64(p521Uint1(x542)) + uint64(p521Uint1(x487))) - var x544 uint64 - var x545 uint64 - x545, x544 = bits.Mul64(x5, arg2[8]) - var x546 uint64 - var x547 uint64 - x547, x546 = bits.Mul64(x5, arg2[7]) - var x548 uint64 - var x549 uint64 - x549, x548 = bits.Mul64(x5, arg2[6]) - var x550 uint64 - var x551 uint64 - x551, x550 = bits.Mul64(x5, arg2[5]) - var x552 uint64 - var x553 uint64 - x553, x552 = bits.Mul64(x5, arg2[4]) - var x554 uint64 - var x555 uint64 - x555, x554 = bits.Mul64(x5, arg2[3]) - var x556 uint64 - var x557 uint64 - x557, x556 = bits.Mul64(x5, arg2[2]) - var x558 uint64 - var x559 uint64 - x559, x558 = bits.Mul64(x5, arg2[1]) - var x560 uint64 - var x561 uint64 - x561, x560 = bits.Mul64(x5, arg2[0]) - var x562 uint64 - var x563 uint64 - x562, x563 = bits.Add64(x561, x558, uint64(0x0)) - var x564 uint64 - var x565 uint64 - x564, x565 = bits.Add64(x559, x556, uint64(p521Uint1(x563))) - var x566 uint64 - var x567 uint64 - x566, x567 = bits.Add64(x557, x554, uint64(p521Uint1(x565))) - var x568 uint64 - var x569 uint64 - x568, x569 = bits.Add64(x555, x552, uint64(p521Uint1(x567))) - var x570 uint64 - var x571 uint64 - x570, x571 = bits.Add64(x553, x550, uint64(p521Uint1(x569))) - var x572 uint64 - var x573 uint64 - x572, x573 = bits.Add64(x551, x548, uint64(p521Uint1(x571))) - var x574 uint64 - var x575 uint64 - x574, x575 = bits.Add64(x549, x546, uint64(p521Uint1(x573))) - var x576 uint64 - var x577 uint64 - x576, x577 = bits.Add64(x547, x544, uint64(p521Uint1(x575))) - x578 := (uint64(p521Uint1(x577)) + x545) - var x579 uint64 - var x580 uint64 - x579, x580 = bits.Add64(x525, x560, uint64(0x0)) - var x581 uint64 - var x582 uint64 - x581, x582 = bits.Add64(x527, x562, uint64(p521Uint1(x580))) - var x583 uint64 - var x584 uint64 - x583, x584 = bits.Add64(x529, x564, uint64(p521Uint1(x582))) - var x585 uint64 - var x586 uint64 - x585, x586 = bits.Add64(x531, x566, uint64(p521Uint1(x584))) - var x587 uint64 - var x588 uint64 - x587, x588 = bits.Add64(x533, x568, uint64(p521Uint1(x586))) - var x589 uint64 - var x590 uint64 - x589, x590 = bits.Add64(x535, x570, uint64(p521Uint1(x588))) - var x591 uint64 - var x592 uint64 - x591, x592 = bits.Add64(x537, x572, uint64(p521Uint1(x590))) - var x593 uint64 - var x594 uint64 - x593, x594 = bits.Add64(x539, x574, uint64(p521Uint1(x592))) - var x595 uint64 - var x596 uint64 - x595, x596 = bits.Add64(x541, x576, uint64(p521Uint1(x594))) - var x597 uint64 - var x598 uint64 - x597, x598 = bits.Add64(x543, x578, uint64(p521Uint1(x596))) - var x599 uint64 - var x600 uint64 - x600, x599 = bits.Mul64(x579, 0x1ff) - var x601 uint64 - var x602 uint64 - x602, x601 = bits.Mul64(x579, 0xffffffffffffffff) - var x603 uint64 - var x604 uint64 - x604, x603 = bits.Mul64(x579, 0xffffffffffffffff) - var x605 uint64 - var x606 uint64 - x606, x605 = bits.Mul64(x579, 0xffffffffffffffff) - var x607 uint64 - var x608 uint64 - x608, x607 = bits.Mul64(x579, 0xffffffffffffffff) - var x609 uint64 - var x610 uint64 - x610, x609 = bits.Mul64(x579, 0xffffffffffffffff) - var x611 uint64 - var x612 uint64 - x612, x611 = bits.Mul64(x579, 0xffffffffffffffff) - var x613 uint64 - var x614 uint64 - x614, x613 = bits.Mul64(x579, 0xffffffffffffffff) - var x615 uint64 - var x616 uint64 - x616, x615 = bits.Mul64(x579, 0xffffffffffffffff) - var x617 uint64 - var x618 uint64 - x617, x618 = bits.Add64(x616, x613, uint64(0x0)) - var x619 uint64 - var x620 uint64 - x619, x620 = bits.Add64(x614, x611, uint64(p521Uint1(x618))) - var x621 uint64 - var x622 uint64 - x621, x622 = bits.Add64(x612, x609, uint64(p521Uint1(x620))) - var x623 uint64 - var x624 uint64 - x623, x624 = bits.Add64(x610, x607, uint64(p521Uint1(x622))) - var x625 uint64 - var x626 uint64 - x625, x626 = bits.Add64(x608, x605, uint64(p521Uint1(x624))) - var x627 uint64 - var x628 uint64 - x627, x628 = bits.Add64(x606, x603, uint64(p521Uint1(x626))) - var x629 uint64 - var x630 uint64 - x629, x630 = bits.Add64(x604, x601, uint64(p521Uint1(x628))) - var x631 uint64 - var x632 uint64 - x631, x632 = bits.Add64(x602, x599, uint64(p521Uint1(x630))) - x633 := (uint64(p521Uint1(x632)) + x600) - var x635 uint64 - _, x635 = bits.Add64(x579, x615, uint64(0x0)) - var x636 uint64 - var x637 uint64 - x636, x637 = bits.Add64(x581, x617, uint64(p521Uint1(x635))) - var x638 uint64 - var x639 uint64 - x638, x639 = bits.Add64(x583, x619, uint64(p521Uint1(x637))) - var x640 uint64 - var x641 uint64 - x640, x641 = bits.Add64(x585, x621, uint64(p521Uint1(x639))) - var x642 uint64 - var x643 uint64 - x642, x643 = bits.Add64(x587, x623, uint64(p521Uint1(x641))) - var x644 uint64 - var x645 uint64 - x644, x645 = bits.Add64(x589, x625, uint64(p521Uint1(x643))) - var x646 uint64 - var x647 uint64 - x646, x647 = bits.Add64(x591, x627, uint64(p521Uint1(x645))) - var x648 uint64 - var x649 uint64 - x648, x649 = bits.Add64(x593, x629, uint64(p521Uint1(x647))) - var x650 uint64 - var x651 uint64 - x650, x651 = bits.Add64(x595, x631, uint64(p521Uint1(x649))) - var x652 uint64 - var x653 uint64 - x652, x653 = bits.Add64(x597, x633, uint64(p521Uint1(x651))) - x654 := (uint64(p521Uint1(x653)) + uint64(p521Uint1(x598))) - var x655 uint64 - var x656 uint64 - x656, x655 = bits.Mul64(x6, arg2[8]) - var x657 uint64 - var x658 uint64 - x658, x657 = bits.Mul64(x6, arg2[7]) - var x659 uint64 - var x660 uint64 - x660, x659 = bits.Mul64(x6, arg2[6]) - var x661 uint64 - var x662 uint64 - x662, x661 = bits.Mul64(x6, arg2[5]) - var x663 uint64 - var x664 uint64 - x664, x663 = bits.Mul64(x6, arg2[4]) - var x665 uint64 - var x666 uint64 - x666, x665 = bits.Mul64(x6, arg2[3]) - var x667 uint64 - var x668 uint64 - x668, x667 = bits.Mul64(x6, arg2[2]) - var x669 uint64 - var x670 uint64 - x670, x669 = bits.Mul64(x6, arg2[1]) - var x671 uint64 - var x672 uint64 - x672, x671 = bits.Mul64(x6, arg2[0]) - var x673 uint64 - var x674 uint64 - x673, x674 = bits.Add64(x672, x669, uint64(0x0)) - var x675 uint64 - var x676 uint64 - x675, x676 = bits.Add64(x670, x667, uint64(p521Uint1(x674))) - var x677 uint64 - var x678 uint64 - x677, x678 = bits.Add64(x668, x665, uint64(p521Uint1(x676))) - var x679 uint64 - var x680 uint64 - x679, x680 = bits.Add64(x666, x663, uint64(p521Uint1(x678))) - var x681 uint64 - var x682 uint64 - x681, x682 = bits.Add64(x664, x661, uint64(p521Uint1(x680))) - var x683 uint64 - var x684 uint64 - x683, x684 = bits.Add64(x662, x659, uint64(p521Uint1(x682))) - var x685 uint64 - var x686 uint64 - x685, x686 = bits.Add64(x660, x657, uint64(p521Uint1(x684))) - var x687 uint64 - var x688 uint64 - x687, x688 = bits.Add64(x658, x655, uint64(p521Uint1(x686))) - x689 := (uint64(p521Uint1(x688)) + x656) - var x690 uint64 - var x691 uint64 - x690, x691 = bits.Add64(x636, x671, uint64(0x0)) - var x692 uint64 - var x693 uint64 - x692, x693 = bits.Add64(x638, x673, uint64(p521Uint1(x691))) - var x694 uint64 - var x695 uint64 - x694, x695 = bits.Add64(x640, x675, uint64(p521Uint1(x693))) - var x696 uint64 - var x697 uint64 - x696, x697 = bits.Add64(x642, x677, uint64(p521Uint1(x695))) - var x698 uint64 - var x699 uint64 - x698, x699 = bits.Add64(x644, x679, uint64(p521Uint1(x697))) - var x700 uint64 - var x701 uint64 - x700, x701 = bits.Add64(x646, x681, uint64(p521Uint1(x699))) - var x702 uint64 - var x703 uint64 - x702, x703 = bits.Add64(x648, x683, uint64(p521Uint1(x701))) - var x704 uint64 - var x705 uint64 - x704, x705 = bits.Add64(x650, x685, uint64(p521Uint1(x703))) - var x706 uint64 - var x707 uint64 - x706, x707 = bits.Add64(x652, x687, uint64(p521Uint1(x705))) - var x708 uint64 - var x709 uint64 - x708, x709 = bits.Add64(x654, x689, uint64(p521Uint1(x707))) - var x710 uint64 - var x711 uint64 - x711, x710 = bits.Mul64(x690, 0x1ff) - var x712 uint64 - var x713 uint64 - x713, x712 = bits.Mul64(x690, 0xffffffffffffffff) - var x714 uint64 - var x715 uint64 - x715, x714 = bits.Mul64(x690, 0xffffffffffffffff) - var x716 uint64 - var x717 uint64 - x717, x716 = bits.Mul64(x690, 0xffffffffffffffff) - var x718 uint64 - var x719 uint64 - x719, x718 = bits.Mul64(x690, 0xffffffffffffffff) - var x720 uint64 - var x721 uint64 - x721, x720 = bits.Mul64(x690, 0xffffffffffffffff) - var x722 uint64 - var x723 uint64 - x723, x722 = bits.Mul64(x690, 0xffffffffffffffff) - var x724 uint64 - var x725 uint64 - x725, x724 = bits.Mul64(x690, 0xffffffffffffffff) - var x726 uint64 - var x727 uint64 - x727, x726 = bits.Mul64(x690, 0xffffffffffffffff) - var x728 uint64 - var x729 uint64 - x728, x729 = bits.Add64(x727, x724, uint64(0x0)) - var x730 uint64 - var x731 uint64 - x730, x731 = bits.Add64(x725, x722, uint64(p521Uint1(x729))) - var x732 uint64 - var x733 uint64 - x732, x733 = bits.Add64(x723, x720, uint64(p521Uint1(x731))) - var x734 uint64 - var x735 uint64 - x734, x735 = bits.Add64(x721, x718, uint64(p521Uint1(x733))) - var x736 uint64 - var x737 uint64 - x736, x737 = bits.Add64(x719, x716, uint64(p521Uint1(x735))) - var x738 uint64 - var x739 uint64 - x738, x739 = bits.Add64(x717, x714, uint64(p521Uint1(x737))) - var x740 uint64 - var x741 uint64 - x740, x741 = bits.Add64(x715, x712, uint64(p521Uint1(x739))) - var x742 uint64 - var x743 uint64 - x742, x743 = bits.Add64(x713, x710, uint64(p521Uint1(x741))) - x744 := (uint64(p521Uint1(x743)) + x711) - var x746 uint64 - _, x746 = bits.Add64(x690, x726, uint64(0x0)) - var x747 uint64 - var x748 uint64 - x747, x748 = bits.Add64(x692, x728, uint64(p521Uint1(x746))) - var x749 uint64 - var x750 uint64 - x749, x750 = bits.Add64(x694, x730, uint64(p521Uint1(x748))) - var x751 uint64 - var x752 uint64 - x751, x752 = bits.Add64(x696, x732, uint64(p521Uint1(x750))) - var x753 uint64 - var x754 uint64 - x753, x754 = bits.Add64(x698, x734, uint64(p521Uint1(x752))) - var x755 uint64 - var x756 uint64 - x755, x756 = bits.Add64(x700, x736, uint64(p521Uint1(x754))) - var x757 uint64 - var x758 uint64 - x757, x758 = bits.Add64(x702, x738, uint64(p521Uint1(x756))) - var x759 uint64 - var x760 uint64 - x759, x760 = bits.Add64(x704, x740, uint64(p521Uint1(x758))) - var x761 uint64 - var x762 uint64 - x761, x762 = bits.Add64(x706, x742, uint64(p521Uint1(x760))) - var x763 uint64 - var x764 uint64 - x763, x764 = bits.Add64(x708, x744, uint64(p521Uint1(x762))) - x765 := (uint64(p521Uint1(x764)) + uint64(p521Uint1(x709))) - var x766 uint64 - var x767 uint64 - x767, x766 = bits.Mul64(x7, arg2[8]) - var x768 uint64 - var x769 uint64 - x769, x768 = bits.Mul64(x7, arg2[7]) - var x770 uint64 - var x771 uint64 - x771, x770 = bits.Mul64(x7, arg2[6]) - var x772 uint64 - var x773 uint64 - x773, x772 = bits.Mul64(x7, arg2[5]) - var x774 uint64 - var x775 uint64 - x775, x774 = bits.Mul64(x7, arg2[4]) - var x776 uint64 - var x777 uint64 - x777, x776 = bits.Mul64(x7, arg2[3]) - var x778 uint64 - var x779 uint64 - x779, x778 = bits.Mul64(x7, arg2[2]) - var x780 uint64 - var x781 uint64 - x781, x780 = bits.Mul64(x7, arg2[1]) - var x782 uint64 - var x783 uint64 - x783, x782 = bits.Mul64(x7, arg2[0]) - var x784 uint64 - var x785 uint64 - x784, x785 = bits.Add64(x783, x780, uint64(0x0)) - var x786 uint64 - var x787 uint64 - x786, x787 = bits.Add64(x781, x778, uint64(p521Uint1(x785))) - var x788 uint64 - var x789 uint64 - x788, x789 = bits.Add64(x779, x776, uint64(p521Uint1(x787))) - var x790 uint64 - var x791 uint64 - x790, x791 = bits.Add64(x777, x774, uint64(p521Uint1(x789))) - var x792 uint64 - var x793 uint64 - x792, x793 = bits.Add64(x775, x772, uint64(p521Uint1(x791))) - var x794 uint64 - var x795 uint64 - x794, x795 = bits.Add64(x773, x770, uint64(p521Uint1(x793))) - var x796 uint64 - var x797 uint64 - x796, x797 = bits.Add64(x771, x768, uint64(p521Uint1(x795))) - var x798 uint64 - var x799 uint64 - x798, x799 = bits.Add64(x769, x766, uint64(p521Uint1(x797))) - x800 := (uint64(p521Uint1(x799)) + x767) - var x801 uint64 - var x802 uint64 - x801, x802 = bits.Add64(x747, x782, uint64(0x0)) - var x803 uint64 - var x804 uint64 - x803, x804 = bits.Add64(x749, x784, uint64(p521Uint1(x802))) - var x805 uint64 - var x806 uint64 - x805, x806 = bits.Add64(x751, x786, uint64(p521Uint1(x804))) - var x807 uint64 - var x808 uint64 - x807, x808 = bits.Add64(x753, x788, uint64(p521Uint1(x806))) - var x809 uint64 - var x810 uint64 - x809, x810 = bits.Add64(x755, x790, uint64(p521Uint1(x808))) - var x811 uint64 - var x812 uint64 - x811, x812 = bits.Add64(x757, x792, uint64(p521Uint1(x810))) - var x813 uint64 - var x814 uint64 - x813, x814 = bits.Add64(x759, x794, uint64(p521Uint1(x812))) - var x815 uint64 - var x816 uint64 - x815, x816 = bits.Add64(x761, x796, uint64(p521Uint1(x814))) - var x817 uint64 - var x818 uint64 - x817, x818 = bits.Add64(x763, x798, uint64(p521Uint1(x816))) - var x819 uint64 - var x820 uint64 - x819, x820 = bits.Add64(x765, x800, uint64(p521Uint1(x818))) - var x821 uint64 - var x822 uint64 - x822, x821 = bits.Mul64(x801, 0x1ff) - var x823 uint64 - var x824 uint64 - x824, x823 = bits.Mul64(x801, 0xffffffffffffffff) - var x825 uint64 - var x826 uint64 - x826, x825 = bits.Mul64(x801, 0xffffffffffffffff) - var x827 uint64 - var x828 uint64 - x828, x827 = bits.Mul64(x801, 0xffffffffffffffff) - var x829 uint64 - var x830 uint64 - x830, x829 = bits.Mul64(x801, 0xffffffffffffffff) - var x831 uint64 - var x832 uint64 - x832, x831 = bits.Mul64(x801, 0xffffffffffffffff) - var x833 uint64 - var x834 uint64 - x834, x833 = bits.Mul64(x801, 0xffffffffffffffff) - var x835 uint64 - var x836 uint64 - x836, x835 = bits.Mul64(x801, 0xffffffffffffffff) - var x837 uint64 - var x838 uint64 - x838, x837 = bits.Mul64(x801, 0xffffffffffffffff) - var x839 uint64 - var x840 uint64 - x839, x840 = bits.Add64(x838, x835, uint64(0x0)) - var x841 uint64 - var x842 uint64 - x841, x842 = bits.Add64(x836, x833, uint64(p521Uint1(x840))) - var x843 uint64 - var x844 uint64 - x843, x844 = bits.Add64(x834, x831, uint64(p521Uint1(x842))) - var x845 uint64 - var x846 uint64 - x845, x846 = bits.Add64(x832, x829, uint64(p521Uint1(x844))) - var x847 uint64 - var x848 uint64 - x847, x848 = bits.Add64(x830, x827, uint64(p521Uint1(x846))) - var x849 uint64 - var x850 uint64 - x849, x850 = bits.Add64(x828, x825, uint64(p521Uint1(x848))) - var x851 uint64 - var x852 uint64 - x851, x852 = bits.Add64(x826, x823, uint64(p521Uint1(x850))) - var x853 uint64 - var x854 uint64 - x853, x854 = bits.Add64(x824, x821, uint64(p521Uint1(x852))) - x855 := (uint64(p521Uint1(x854)) + x822) - var x857 uint64 - _, x857 = bits.Add64(x801, x837, uint64(0x0)) - var x858 uint64 - var x859 uint64 - x858, x859 = bits.Add64(x803, x839, uint64(p521Uint1(x857))) - var x860 uint64 - var x861 uint64 - x860, x861 = bits.Add64(x805, x841, uint64(p521Uint1(x859))) - var x862 uint64 - var x863 uint64 - x862, x863 = bits.Add64(x807, x843, uint64(p521Uint1(x861))) - var x864 uint64 - var x865 uint64 - x864, x865 = bits.Add64(x809, x845, uint64(p521Uint1(x863))) - var x866 uint64 - var x867 uint64 - x866, x867 = bits.Add64(x811, x847, uint64(p521Uint1(x865))) - var x868 uint64 - var x869 uint64 - x868, x869 = bits.Add64(x813, x849, uint64(p521Uint1(x867))) - var x870 uint64 - var x871 uint64 - x870, x871 = bits.Add64(x815, x851, uint64(p521Uint1(x869))) - var x872 uint64 - var x873 uint64 - x872, x873 = bits.Add64(x817, x853, uint64(p521Uint1(x871))) - var x874 uint64 - var x875 uint64 - x874, x875 = bits.Add64(x819, x855, uint64(p521Uint1(x873))) - x876 := (uint64(p521Uint1(x875)) + uint64(p521Uint1(x820))) - var x877 uint64 - var x878 uint64 - x878, x877 = bits.Mul64(x8, arg2[8]) - var x879 uint64 - var x880 uint64 - x880, x879 = bits.Mul64(x8, arg2[7]) - var x881 uint64 - var x882 uint64 - x882, x881 = bits.Mul64(x8, arg2[6]) - var x883 uint64 - var x884 uint64 - x884, x883 = bits.Mul64(x8, arg2[5]) - var x885 uint64 - var x886 uint64 - x886, x885 = bits.Mul64(x8, arg2[4]) - var x887 uint64 - var x888 uint64 - x888, x887 = bits.Mul64(x8, arg2[3]) - var x889 uint64 - var x890 uint64 - x890, x889 = bits.Mul64(x8, arg2[2]) - var x891 uint64 - var x892 uint64 - x892, x891 = bits.Mul64(x8, arg2[1]) - var x893 uint64 - var x894 uint64 - x894, x893 = bits.Mul64(x8, arg2[0]) - var x895 uint64 - var x896 uint64 - x895, x896 = bits.Add64(x894, x891, uint64(0x0)) - var x897 uint64 - var x898 uint64 - x897, x898 = bits.Add64(x892, x889, uint64(p521Uint1(x896))) - var x899 uint64 - var x900 uint64 - x899, x900 = bits.Add64(x890, x887, uint64(p521Uint1(x898))) - var x901 uint64 - var x902 uint64 - x901, x902 = bits.Add64(x888, x885, uint64(p521Uint1(x900))) - var x903 uint64 - var x904 uint64 - x903, x904 = bits.Add64(x886, x883, uint64(p521Uint1(x902))) - var x905 uint64 - var x906 uint64 - x905, x906 = bits.Add64(x884, x881, uint64(p521Uint1(x904))) - var x907 uint64 - var x908 uint64 - x907, x908 = bits.Add64(x882, x879, uint64(p521Uint1(x906))) - var x909 uint64 - var x910 uint64 - x909, x910 = bits.Add64(x880, x877, uint64(p521Uint1(x908))) - x911 := (uint64(p521Uint1(x910)) + x878) - var x912 uint64 - var x913 uint64 - x912, x913 = bits.Add64(x858, x893, uint64(0x0)) - var x914 uint64 - var x915 uint64 - x914, x915 = bits.Add64(x860, x895, uint64(p521Uint1(x913))) - var x916 uint64 - var x917 uint64 - x916, x917 = bits.Add64(x862, x897, uint64(p521Uint1(x915))) - var x918 uint64 - var x919 uint64 - x918, x919 = bits.Add64(x864, x899, uint64(p521Uint1(x917))) - var x920 uint64 - var x921 uint64 - x920, x921 = bits.Add64(x866, x901, uint64(p521Uint1(x919))) - var x922 uint64 - var x923 uint64 - x922, x923 = bits.Add64(x868, x903, uint64(p521Uint1(x921))) - var x924 uint64 - var x925 uint64 - x924, x925 = bits.Add64(x870, x905, uint64(p521Uint1(x923))) - var x926 uint64 - var x927 uint64 - x926, x927 = bits.Add64(x872, x907, uint64(p521Uint1(x925))) - var x928 uint64 - var x929 uint64 - x928, x929 = bits.Add64(x874, x909, uint64(p521Uint1(x927))) - var x930 uint64 - var x931 uint64 - x930, x931 = bits.Add64(x876, x911, uint64(p521Uint1(x929))) - var x932 uint64 - var x933 uint64 - x933, x932 = bits.Mul64(x912, 0x1ff) - var x934 uint64 - var x935 uint64 - x935, x934 = bits.Mul64(x912, 0xffffffffffffffff) - var x936 uint64 - var x937 uint64 - x937, x936 = bits.Mul64(x912, 0xffffffffffffffff) - var x938 uint64 - var x939 uint64 - x939, x938 = bits.Mul64(x912, 0xffffffffffffffff) - var x940 uint64 - var x941 uint64 - x941, x940 = bits.Mul64(x912, 0xffffffffffffffff) - var x942 uint64 - var x943 uint64 - x943, x942 = bits.Mul64(x912, 0xffffffffffffffff) - var x944 uint64 - var x945 uint64 - x945, x944 = bits.Mul64(x912, 0xffffffffffffffff) - var x946 uint64 - var x947 uint64 - x947, x946 = bits.Mul64(x912, 0xffffffffffffffff) - var x948 uint64 - var x949 uint64 - x949, x948 = bits.Mul64(x912, 0xffffffffffffffff) - var x950 uint64 - var x951 uint64 - x950, x951 = bits.Add64(x949, x946, uint64(0x0)) - var x952 uint64 - var x953 uint64 - x952, x953 = bits.Add64(x947, x944, uint64(p521Uint1(x951))) - var x954 uint64 - var x955 uint64 - x954, x955 = bits.Add64(x945, x942, uint64(p521Uint1(x953))) - var x956 uint64 - var x957 uint64 - x956, x957 = bits.Add64(x943, x940, uint64(p521Uint1(x955))) - var x958 uint64 - var x959 uint64 - x958, x959 = bits.Add64(x941, x938, uint64(p521Uint1(x957))) - var x960 uint64 - var x961 uint64 - x960, x961 = bits.Add64(x939, x936, uint64(p521Uint1(x959))) - var x962 uint64 - var x963 uint64 - x962, x963 = bits.Add64(x937, x934, uint64(p521Uint1(x961))) - var x964 uint64 - var x965 uint64 - x964, x965 = bits.Add64(x935, x932, uint64(p521Uint1(x963))) - x966 := (uint64(p521Uint1(x965)) + x933) - var x968 uint64 - _, x968 = bits.Add64(x912, x948, uint64(0x0)) - var x969 uint64 - var x970 uint64 - x969, x970 = bits.Add64(x914, x950, uint64(p521Uint1(x968))) - var x971 uint64 - var x972 uint64 - x971, x972 = bits.Add64(x916, x952, uint64(p521Uint1(x970))) - var x973 uint64 - var x974 uint64 - x973, x974 = bits.Add64(x918, x954, uint64(p521Uint1(x972))) - var x975 uint64 - var x976 uint64 - x975, x976 = bits.Add64(x920, x956, uint64(p521Uint1(x974))) - var x977 uint64 - var x978 uint64 - x977, x978 = bits.Add64(x922, x958, uint64(p521Uint1(x976))) - var x979 uint64 - var x980 uint64 - x979, x980 = bits.Add64(x924, x960, uint64(p521Uint1(x978))) - var x981 uint64 - var x982 uint64 - x981, x982 = bits.Add64(x926, x962, uint64(p521Uint1(x980))) - var x983 uint64 - var x984 uint64 - x983, x984 = bits.Add64(x928, x964, uint64(p521Uint1(x982))) - var x985 uint64 - var x986 uint64 - x985, x986 = bits.Add64(x930, x966, uint64(p521Uint1(x984))) - x987 := (uint64(p521Uint1(x986)) + uint64(p521Uint1(x931))) - var x988 uint64 - var x989 uint64 - x988, x989 = bits.Sub64(x969, 0xffffffffffffffff, uint64(0x0)) - var x990 uint64 - var x991 uint64 - x990, x991 = bits.Sub64(x971, 0xffffffffffffffff, uint64(p521Uint1(x989))) - var x992 uint64 - var x993 uint64 - x992, x993 = bits.Sub64(x973, 0xffffffffffffffff, uint64(p521Uint1(x991))) - var x994 uint64 - var x995 uint64 - x994, x995 = bits.Sub64(x975, 0xffffffffffffffff, uint64(p521Uint1(x993))) - var x996 uint64 - var x997 uint64 - x996, x997 = bits.Sub64(x977, 0xffffffffffffffff, uint64(p521Uint1(x995))) - var x998 uint64 - var x999 uint64 - x998, x999 = bits.Sub64(x979, 0xffffffffffffffff, uint64(p521Uint1(x997))) - var x1000 uint64 - var x1001 uint64 - x1000, x1001 = bits.Sub64(x981, 0xffffffffffffffff, uint64(p521Uint1(x999))) - var x1002 uint64 - var x1003 uint64 - x1002, x1003 = bits.Sub64(x983, 0xffffffffffffffff, uint64(p521Uint1(x1001))) - var x1004 uint64 - var x1005 uint64 - x1004, x1005 = bits.Sub64(x985, 0x1ff, uint64(p521Uint1(x1003))) - var x1007 uint64 - _, x1007 = bits.Sub64(x987, uint64(0x0), uint64(p521Uint1(x1005))) - var x1008 uint64 - p521CmovznzU64(&x1008, p521Uint1(x1007), x988, x969) - var x1009 uint64 - p521CmovznzU64(&x1009, p521Uint1(x1007), x990, x971) - var x1010 uint64 - p521CmovznzU64(&x1010, p521Uint1(x1007), x992, x973) - var x1011 uint64 - p521CmovznzU64(&x1011, p521Uint1(x1007), x994, x975) - var x1012 uint64 - p521CmovznzU64(&x1012, p521Uint1(x1007), x996, x977) - var x1013 uint64 - p521CmovznzU64(&x1013, p521Uint1(x1007), x998, x979) - var x1014 uint64 - p521CmovznzU64(&x1014, p521Uint1(x1007), x1000, x981) - var x1015 uint64 - p521CmovznzU64(&x1015, p521Uint1(x1007), x1002, x983) - var x1016 uint64 - p521CmovznzU64(&x1016, p521Uint1(x1007), x1004, x985) - out1[0] = x1008 - out1[1] = x1009 - out1[2] = x1010 - out1[3] = x1011 - out1[4] = x1012 - out1[5] = x1013 - out1[6] = x1014 - out1[7] = x1015 - out1[8] = x1016 -} - -// p521Square squares a field element in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m -// 0 ≤ eval out1 < m -func p521Square(out1 *p521MontgomeryDomainFieldElement, arg1 *p521MontgomeryDomainFieldElement) { - x1 := arg1[1] - x2 := arg1[2] - x3 := arg1[3] - x4 := arg1[4] - x5 := arg1[5] - x6 := arg1[6] - x7 := arg1[7] - x8 := arg1[8] - x9 := arg1[0] - var x10 uint64 - var x11 uint64 - x11, x10 = bits.Mul64(x9, arg1[8]) - var x12 uint64 - var x13 uint64 - x13, x12 = bits.Mul64(x9, arg1[7]) - var x14 uint64 - var x15 uint64 - x15, x14 = bits.Mul64(x9, arg1[6]) - var x16 uint64 - var x17 uint64 - x17, x16 = bits.Mul64(x9, arg1[5]) - var x18 uint64 - var x19 uint64 - x19, x18 = bits.Mul64(x9, arg1[4]) - var x20 uint64 - var x21 uint64 - x21, x20 = bits.Mul64(x9, arg1[3]) - var x22 uint64 - var x23 uint64 - x23, x22 = bits.Mul64(x9, arg1[2]) - var x24 uint64 - var x25 uint64 - x25, x24 = bits.Mul64(x9, arg1[1]) - var x26 uint64 - var x27 uint64 - x27, x26 = bits.Mul64(x9, arg1[0]) - var x28 uint64 - var x29 uint64 - x28, x29 = bits.Add64(x27, x24, uint64(0x0)) - var x30 uint64 - var x31 uint64 - x30, x31 = bits.Add64(x25, x22, uint64(p521Uint1(x29))) - var x32 uint64 - var x33 uint64 - x32, x33 = bits.Add64(x23, x20, uint64(p521Uint1(x31))) - var x34 uint64 - var x35 uint64 - x34, x35 = bits.Add64(x21, x18, uint64(p521Uint1(x33))) - var x36 uint64 - var x37 uint64 - x36, x37 = bits.Add64(x19, x16, uint64(p521Uint1(x35))) - var x38 uint64 - var x39 uint64 - x38, x39 = bits.Add64(x17, x14, uint64(p521Uint1(x37))) - var x40 uint64 - var x41 uint64 - x40, x41 = bits.Add64(x15, x12, uint64(p521Uint1(x39))) - var x42 uint64 - var x43 uint64 - x42, x43 = bits.Add64(x13, x10, uint64(p521Uint1(x41))) - x44 := (uint64(p521Uint1(x43)) + x11) - var x45 uint64 - var x46 uint64 - x46, x45 = bits.Mul64(x26, 0x1ff) - var x47 uint64 - var x48 uint64 - x48, x47 = bits.Mul64(x26, 0xffffffffffffffff) - var x49 uint64 - var x50 uint64 - x50, x49 = bits.Mul64(x26, 0xffffffffffffffff) - var x51 uint64 - var x52 uint64 - x52, x51 = bits.Mul64(x26, 0xffffffffffffffff) - var x53 uint64 - var x54 uint64 - x54, x53 = bits.Mul64(x26, 0xffffffffffffffff) - var x55 uint64 - var x56 uint64 - x56, x55 = bits.Mul64(x26, 0xffffffffffffffff) - var x57 uint64 - var x58 uint64 - x58, x57 = bits.Mul64(x26, 0xffffffffffffffff) - var x59 uint64 - var x60 uint64 - x60, x59 = bits.Mul64(x26, 0xffffffffffffffff) - var x61 uint64 - var x62 uint64 - x62, x61 = bits.Mul64(x26, 0xffffffffffffffff) - var x63 uint64 - var x64 uint64 - x63, x64 = bits.Add64(x62, x59, uint64(0x0)) - var x65 uint64 - var x66 uint64 - x65, x66 = bits.Add64(x60, x57, uint64(p521Uint1(x64))) - var x67 uint64 - var x68 uint64 - x67, x68 = bits.Add64(x58, x55, uint64(p521Uint1(x66))) - var x69 uint64 - var x70 uint64 - x69, x70 = bits.Add64(x56, x53, uint64(p521Uint1(x68))) - var x71 uint64 - var x72 uint64 - x71, x72 = bits.Add64(x54, x51, uint64(p521Uint1(x70))) - var x73 uint64 - var x74 uint64 - x73, x74 = bits.Add64(x52, x49, uint64(p521Uint1(x72))) - var x75 uint64 - var x76 uint64 - x75, x76 = bits.Add64(x50, x47, uint64(p521Uint1(x74))) - var x77 uint64 - var x78 uint64 - x77, x78 = bits.Add64(x48, x45, uint64(p521Uint1(x76))) - x79 := (uint64(p521Uint1(x78)) + x46) - var x81 uint64 - _, x81 = bits.Add64(x26, x61, uint64(0x0)) - var x82 uint64 - var x83 uint64 - x82, x83 = bits.Add64(x28, x63, uint64(p521Uint1(x81))) - var x84 uint64 - var x85 uint64 - x84, x85 = bits.Add64(x30, x65, uint64(p521Uint1(x83))) - var x86 uint64 - var x87 uint64 - x86, x87 = bits.Add64(x32, x67, uint64(p521Uint1(x85))) - var x88 uint64 - var x89 uint64 - x88, x89 = bits.Add64(x34, x69, uint64(p521Uint1(x87))) - var x90 uint64 - var x91 uint64 - x90, x91 = bits.Add64(x36, x71, uint64(p521Uint1(x89))) - var x92 uint64 - var x93 uint64 - x92, x93 = bits.Add64(x38, x73, uint64(p521Uint1(x91))) - var x94 uint64 - var x95 uint64 - x94, x95 = bits.Add64(x40, x75, uint64(p521Uint1(x93))) - var x96 uint64 - var x97 uint64 - x96, x97 = bits.Add64(x42, x77, uint64(p521Uint1(x95))) - var x98 uint64 - var x99 uint64 - x98, x99 = bits.Add64(x44, x79, uint64(p521Uint1(x97))) - var x100 uint64 - var x101 uint64 - x101, x100 = bits.Mul64(x1, arg1[8]) - var x102 uint64 - var x103 uint64 - x103, x102 = bits.Mul64(x1, arg1[7]) - var x104 uint64 - var x105 uint64 - x105, x104 = bits.Mul64(x1, arg1[6]) - var x106 uint64 - var x107 uint64 - x107, x106 = bits.Mul64(x1, arg1[5]) - var x108 uint64 - var x109 uint64 - x109, x108 = bits.Mul64(x1, arg1[4]) - var x110 uint64 - var x111 uint64 - x111, x110 = bits.Mul64(x1, arg1[3]) - var x112 uint64 - var x113 uint64 - x113, x112 = bits.Mul64(x1, arg1[2]) - var x114 uint64 - var x115 uint64 - x115, x114 = bits.Mul64(x1, arg1[1]) - var x116 uint64 - var x117 uint64 - x117, x116 = bits.Mul64(x1, arg1[0]) - var x118 uint64 - var x119 uint64 - x118, x119 = bits.Add64(x117, x114, uint64(0x0)) - var x120 uint64 - var x121 uint64 - x120, x121 = bits.Add64(x115, x112, uint64(p521Uint1(x119))) - var x122 uint64 - var x123 uint64 - x122, x123 = bits.Add64(x113, x110, uint64(p521Uint1(x121))) - var x124 uint64 - var x125 uint64 - x124, x125 = bits.Add64(x111, x108, uint64(p521Uint1(x123))) - var x126 uint64 - var x127 uint64 - x126, x127 = bits.Add64(x109, x106, uint64(p521Uint1(x125))) - var x128 uint64 - var x129 uint64 - x128, x129 = bits.Add64(x107, x104, uint64(p521Uint1(x127))) - var x130 uint64 - var x131 uint64 - x130, x131 = bits.Add64(x105, x102, uint64(p521Uint1(x129))) - var x132 uint64 - var x133 uint64 - x132, x133 = bits.Add64(x103, x100, uint64(p521Uint1(x131))) - x134 := (uint64(p521Uint1(x133)) + x101) - var x135 uint64 - var x136 uint64 - x135, x136 = bits.Add64(x82, x116, uint64(0x0)) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x84, x118, uint64(p521Uint1(x136))) - var x139 uint64 - var x140 uint64 - x139, x140 = bits.Add64(x86, x120, uint64(p521Uint1(x138))) - var x141 uint64 - var x142 uint64 - x141, x142 = bits.Add64(x88, x122, uint64(p521Uint1(x140))) - var x143 uint64 - var x144 uint64 - x143, x144 = bits.Add64(x90, x124, uint64(p521Uint1(x142))) - var x145 uint64 - var x146 uint64 - x145, x146 = bits.Add64(x92, x126, uint64(p521Uint1(x144))) - var x147 uint64 - var x148 uint64 - x147, x148 = bits.Add64(x94, x128, uint64(p521Uint1(x146))) - var x149 uint64 - var x150 uint64 - x149, x150 = bits.Add64(x96, x130, uint64(p521Uint1(x148))) - var x151 uint64 - var x152 uint64 - x151, x152 = bits.Add64(x98, x132, uint64(p521Uint1(x150))) - var x153 uint64 - var x154 uint64 - x153, x154 = bits.Add64(uint64(p521Uint1(x99)), x134, uint64(p521Uint1(x152))) - var x155 uint64 - var x156 uint64 - x156, x155 = bits.Mul64(x135, 0x1ff) - var x157 uint64 - var x158 uint64 - x158, x157 = bits.Mul64(x135, 0xffffffffffffffff) - var x159 uint64 - var x160 uint64 - x160, x159 = bits.Mul64(x135, 0xffffffffffffffff) - var x161 uint64 - var x162 uint64 - x162, x161 = bits.Mul64(x135, 0xffffffffffffffff) - var x163 uint64 - var x164 uint64 - x164, x163 = bits.Mul64(x135, 0xffffffffffffffff) - var x165 uint64 - var x166 uint64 - x166, x165 = bits.Mul64(x135, 0xffffffffffffffff) - var x167 uint64 - var x168 uint64 - x168, x167 = bits.Mul64(x135, 0xffffffffffffffff) - var x169 uint64 - var x170 uint64 - x170, x169 = bits.Mul64(x135, 0xffffffffffffffff) - var x171 uint64 - var x172 uint64 - x172, x171 = bits.Mul64(x135, 0xffffffffffffffff) - var x173 uint64 - var x174 uint64 - x173, x174 = bits.Add64(x172, x169, uint64(0x0)) - var x175 uint64 - var x176 uint64 - x175, x176 = bits.Add64(x170, x167, uint64(p521Uint1(x174))) - var x177 uint64 - var x178 uint64 - x177, x178 = bits.Add64(x168, x165, uint64(p521Uint1(x176))) - var x179 uint64 - var x180 uint64 - x179, x180 = bits.Add64(x166, x163, uint64(p521Uint1(x178))) - var x181 uint64 - var x182 uint64 - x181, x182 = bits.Add64(x164, x161, uint64(p521Uint1(x180))) - var x183 uint64 - var x184 uint64 - x183, x184 = bits.Add64(x162, x159, uint64(p521Uint1(x182))) - var x185 uint64 - var x186 uint64 - x185, x186 = bits.Add64(x160, x157, uint64(p521Uint1(x184))) - var x187 uint64 - var x188 uint64 - x187, x188 = bits.Add64(x158, x155, uint64(p521Uint1(x186))) - x189 := (uint64(p521Uint1(x188)) + x156) - var x191 uint64 - _, x191 = bits.Add64(x135, x171, uint64(0x0)) - var x192 uint64 - var x193 uint64 - x192, x193 = bits.Add64(x137, x173, uint64(p521Uint1(x191))) - var x194 uint64 - var x195 uint64 - x194, x195 = bits.Add64(x139, x175, uint64(p521Uint1(x193))) - var x196 uint64 - var x197 uint64 - x196, x197 = bits.Add64(x141, x177, uint64(p521Uint1(x195))) - var x198 uint64 - var x199 uint64 - x198, x199 = bits.Add64(x143, x179, uint64(p521Uint1(x197))) - var x200 uint64 - var x201 uint64 - x200, x201 = bits.Add64(x145, x181, uint64(p521Uint1(x199))) - var x202 uint64 - var x203 uint64 - x202, x203 = bits.Add64(x147, x183, uint64(p521Uint1(x201))) - var x204 uint64 - var x205 uint64 - x204, x205 = bits.Add64(x149, x185, uint64(p521Uint1(x203))) - var x206 uint64 - var x207 uint64 - x206, x207 = bits.Add64(x151, x187, uint64(p521Uint1(x205))) - var x208 uint64 - var x209 uint64 - x208, x209 = bits.Add64(x153, x189, uint64(p521Uint1(x207))) - x210 := (uint64(p521Uint1(x209)) + uint64(p521Uint1(x154))) - var x211 uint64 - var x212 uint64 - x212, x211 = bits.Mul64(x2, arg1[8]) - var x213 uint64 - var x214 uint64 - x214, x213 = bits.Mul64(x2, arg1[7]) - var x215 uint64 - var x216 uint64 - x216, x215 = bits.Mul64(x2, arg1[6]) - var x217 uint64 - var x218 uint64 - x218, x217 = bits.Mul64(x2, arg1[5]) - var x219 uint64 - var x220 uint64 - x220, x219 = bits.Mul64(x2, arg1[4]) - var x221 uint64 - var x222 uint64 - x222, x221 = bits.Mul64(x2, arg1[3]) - var x223 uint64 - var x224 uint64 - x224, x223 = bits.Mul64(x2, arg1[2]) - var x225 uint64 - var x226 uint64 - x226, x225 = bits.Mul64(x2, arg1[1]) - var x227 uint64 - var x228 uint64 - x228, x227 = bits.Mul64(x2, arg1[0]) - var x229 uint64 - var x230 uint64 - x229, x230 = bits.Add64(x228, x225, uint64(0x0)) - var x231 uint64 - var x232 uint64 - x231, x232 = bits.Add64(x226, x223, uint64(p521Uint1(x230))) - var x233 uint64 - var x234 uint64 - x233, x234 = bits.Add64(x224, x221, uint64(p521Uint1(x232))) - var x235 uint64 - var x236 uint64 - x235, x236 = bits.Add64(x222, x219, uint64(p521Uint1(x234))) - var x237 uint64 - var x238 uint64 - x237, x238 = bits.Add64(x220, x217, uint64(p521Uint1(x236))) - var x239 uint64 - var x240 uint64 - x239, x240 = bits.Add64(x218, x215, uint64(p521Uint1(x238))) - var x241 uint64 - var x242 uint64 - x241, x242 = bits.Add64(x216, x213, uint64(p521Uint1(x240))) - var x243 uint64 - var x244 uint64 - x243, x244 = bits.Add64(x214, x211, uint64(p521Uint1(x242))) - x245 := (uint64(p521Uint1(x244)) + x212) - var x246 uint64 - var x247 uint64 - x246, x247 = bits.Add64(x192, x227, uint64(0x0)) - var x248 uint64 - var x249 uint64 - x248, x249 = bits.Add64(x194, x229, uint64(p521Uint1(x247))) - var x250 uint64 - var x251 uint64 - x250, x251 = bits.Add64(x196, x231, uint64(p521Uint1(x249))) - var x252 uint64 - var x253 uint64 - x252, x253 = bits.Add64(x198, x233, uint64(p521Uint1(x251))) - var x254 uint64 - var x255 uint64 - x254, x255 = bits.Add64(x200, x235, uint64(p521Uint1(x253))) - var x256 uint64 - var x257 uint64 - x256, x257 = bits.Add64(x202, x237, uint64(p521Uint1(x255))) - var x258 uint64 - var x259 uint64 - x258, x259 = bits.Add64(x204, x239, uint64(p521Uint1(x257))) - var x260 uint64 - var x261 uint64 - x260, x261 = bits.Add64(x206, x241, uint64(p521Uint1(x259))) - var x262 uint64 - var x263 uint64 - x262, x263 = bits.Add64(x208, x243, uint64(p521Uint1(x261))) - var x264 uint64 - var x265 uint64 - x264, x265 = bits.Add64(x210, x245, uint64(p521Uint1(x263))) - var x266 uint64 - var x267 uint64 - x267, x266 = bits.Mul64(x246, 0x1ff) - var x268 uint64 - var x269 uint64 - x269, x268 = bits.Mul64(x246, 0xffffffffffffffff) - var x270 uint64 - var x271 uint64 - x271, x270 = bits.Mul64(x246, 0xffffffffffffffff) - var x272 uint64 - var x273 uint64 - x273, x272 = bits.Mul64(x246, 0xffffffffffffffff) - var x274 uint64 - var x275 uint64 - x275, x274 = bits.Mul64(x246, 0xffffffffffffffff) - var x276 uint64 - var x277 uint64 - x277, x276 = bits.Mul64(x246, 0xffffffffffffffff) - var x278 uint64 - var x279 uint64 - x279, x278 = bits.Mul64(x246, 0xffffffffffffffff) - var x280 uint64 - var x281 uint64 - x281, x280 = bits.Mul64(x246, 0xffffffffffffffff) - var x282 uint64 - var x283 uint64 - x283, x282 = bits.Mul64(x246, 0xffffffffffffffff) - var x284 uint64 - var x285 uint64 - x284, x285 = bits.Add64(x283, x280, uint64(0x0)) - var x286 uint64 - var x287 uint64 - x286, x287 = bits.Add64(x281, x278, uint64(p521Uint1(x285))) - var x288 uint64 - var x289 uint64 - x288, x289 = bits.Add64(x279, x276, uint64(p521Uint1(x287))) - var x290 uint64 - var x291 uint64 - x290, x291 = bits.Add64(x277, x274, uint64(p521Uint1(x289))) - var x292 uint64 - var x293 uint64 - x292, x293 = bits.Add64(x275, x272, uint64(p521Uint1(x291))) - var x294 uint64 - var x295 uint64 - x294, x295 = bits.Add64(x273, x270, uint64(p521Uint1(x293))) - var x296 uint64 - var x297 uint64 - x296, x297 = bits.Add64(x271, x268, uint64(p521Uint1(x295))) - var x298 uint64 - var x299 uint64 - x298, x299 = bits.Add64(x269, x266, uint64(p521Uint1(x297))) - x300 := (uint64(p521Uint1(x299)) + x267) - var x302 uint64 - _, x302 = bits.Add64(x246, x282, uint64(0x0)) - var x303 uint64 - var x304 uint64 - x303, x304 = bits.Add64(x248, x284, uint64(p521Uint1(x302))) - var x305 uint64 - var x306 uint64 - x305, x306 = bits.Add64(x250, x286, uint64(p521Uint1(x304))) - var x307 uint64 - var x308 uint64 - x307, x308 = bits.Add64(x252, x288, uint64(p521Uint1(x306))) - var x309 uint64 - var x310 uint64 - x309, x310 = bits.Add64(x254, x290, uint64(p521Uint1(x308))) - var x311 uint64 - var x312 uint64 - x311, x312 = bits.Add64(x256, x292, uint64(p521Uint1(x310))) - var x313 uint64 - var x314 uint64 - x313, x314 = bits.Add64(x258, x294, uint64(p521Uint1(x312))) - var x315 uint64 - var x316 uint64 - x315, x316 = bits.Add64(x260, x296, uint64(p521Uint1(x314))) - var x317 uint64 - var x318 uint64 - x317, x318 = bits.Add64(x262, x298, uint64(p521Uint1(x316))) - var x319 uint64 - var x320 uint64 - x319, x320 = bits.Add64(x264, x300, uint64(p521Uint1(x318))) - x321 := (uint64(p521Uint1(x320)) + uint64(p521Uint1(x265))) - var x322 uint64 - var x323 uint64 - x323, x322 = bits.Mul64(x3, arg1[8]) - var x324 uint64 - var x325 uint64 - x325, x324 = bits.Mul64(x3, arg1[7]) - var x326 uint64 - var x327 uint64 - x327, x326 = bits.Mul64(x3, arg1[6]) - var x328 uint64 - var x329 uint64 - x329, x328 = bits.Mul64(x3, arg1[5]) - var x330 uint64 - var x331 uint64 - x331, x330 = bits.Mul64(x3, arg1[4]) - var x332 uint64 - var x333 uint64 - x333, x332 = bits.Mul64(x3, arg1[3]) - var x334 uint64 - var x335 uint64 - x335, x334 = bits.Mul64(x3, arg1[2]) - var x336 uint64 - var x337 uint64 - x337, x336 = bits.Mul64(x3, arg1[1]) - var x338 uint64 - var x339 uint64 - x339, x338 = bits.Mul64(x3, arg1[0]) - var x340 uint64 - var x341 uint64 - x340, x341 = bits.Add64(x339, x336, uint64(0x0)) - var x342 uint64 - var x343 uint64 - x342, x343 = bits.Add64(x337, x334, uint64(p521Uint1(x341))) - var x344 uint64 - var x345 uint64 - x344, x345 = bits.Add64(x335, x332, uint64(p521Uint1(x343))) - var x346 uint64 - var x347 uint64 - x346, x347 = bits.Add64(x333, x330, uint64(p521Uint1(x345))) - var x348 uint64 - var x349 uint64 - x348, x349 = bits.Add64(x331, x328, uint64(p521Uint1(x347))) - var x350 uint64 - var x351 uint64 - x350, x351 = bits.Add64(x329, x326, uint64(p521Uint1(x349))) - var x352 uint64 - var x353 uint64 - x352, x353 = bits.Add64(x327, x324, uint64(p521Uint1(x351))) - var x354 uint64 - var x355 uint64 - x354, x355 = bits.Add64(x325, x322, uint64(p521Uint1(x353))) - x356 := (uint64(p521Uint1(x355)) + x323) - var x357 uint64 - var x358 uint64 - x357, x358 = bits.Add64(x303, x338, uint64(0x0)) - var x359 uint64 - var x360 uint64 - x359, x360 = bits.Add64(x305, x340, uint64(p521Uint1(x358))) - var x361 uint64 - var x362 uint64 - x361, x362 = bits.Add64(x307, x342, uint64(p521Uint1(x360))) - var x363 uint64 - var x364 uint64 - x363, x364 = bits.Add64(x309, x344, uint64(p521Uint1(x362))) - var x365 uint64 - var x366 uint64 - x365, x366 = bits.Add64(x311, x346, uint64(p521Uint1(x364))) - var x367 uint64 - var x368 uint64 - x367, x368 = bits.Add64(x313, x348, uint64(p521Uint1(x366))) - var x369 uint64 - var x370 uint64 - x369, x370 = bits.Add64(x315, x350, uint64(p521Uint1(x368))) - var x371 uint64 - var x372 uint64 - x371, x372 = bits.Add64(x317, x352, uint64(p521Uint1(x370))) - var x373 uint64 - var x374 uint64 - x373, x374 = bits.Add64(x319, x354, uint64(p521Uint1(x372))) - var x375 uint64 - var x376 uint64 - x375, x376 = bits.Add64(x321, x356, uint64(p521Uint1(x374))) - var x377 uint64 - var x378 uint64 - x378, x377 = bits.Mul64(x357, 0x1ff) - var x379 uint64 - var x380 uint64 - x380, x379 = bits.Mul64(x357, 0xffffffffffffffff) - var x381 uint64 - var x382 uint64 - x382, x381 = bits.Mul64(x357, 0xffffffffffffffff) - var x383 uint64 - var x384 uint64 - x384, x383 = bits.Mul64(x357, 0xffffffffffffffff) - var x385 uint64 - var x386 uint64 - x386, x385 = bits.Mul64(x357, 0xffffffffffffffff) - var x387 uint64 - var x388 uint64 - x388, x387 = bits.Mul64(x357, 0xffffffffffffffff) - var x389 uint64 - var x390 uint64 - x390, x389 = bits.Mul64(x357, 0xffffffffffffffff) - var x391 uint64 - var x392 uint64 - x392, x391 = bits.Mul64(x357, 0xffffffffffffffff) - var x393 uint64 - var x394 uint64 - x394, x393 = bits.Mul64(x357, 0xffffffffffffffff) - var x395 uint64 - var x396 uint64 - x395, x396 = bits.Add64(x394, x391, uint64(0x0)) - var x397 uint64 - var x398 uint64 - x397, x398 = bits.Add64(x392, x389, uint64(p521Uint1(x396))) - var x399 uint64 - var x400 uint64 - x399, x400 = bits.Add64(x390, x387, uint64(p521Uint1(x398))) - var x401 uint64 - var x402 uint64 - x401, x402 = bits.Add64(x388, x385, uint64(p521Uint1(x400))) - var x403 uint64 - var x404 uint64 - x403, x404 = bits.Add64(x386, x383, uint64(p521Uint1(x402))) - var x405 uint64 - var x406 uint64 - x405, x406 = bits.Add64(x384, x381, uint64(p521Uint1(x404))) - var x407 uint64 - var x408 uint64 - x407, x408 = bits.Add64(x382, x379, uint64(p521Uint1(x406))) - var x409 uint64 - var x410 uint64 - x409, x410 = bits.Add64(x380, x377, uint64(p521Uint1(x408))) - x411 := (uint64(p521Uint1(x410)) + x378) - var x413 uint64 - _, x413 = bits.Add64(x357, x393, uint64(0x0)) - var x414 uint64 - var x415 uint64 - x414, x415 = bits.Add64(x359, x395, uint64(p521Uint1(x413))) - var x416 uint64 - var x417 uint64 - x416, x417 = bits.Add64(x361, x397, uint64(p521Uint1(x415))) - var x418 uint64 - var x419 uint64 - x418, x419 = bits.Add64(x363, x399, uint64(p521Uint1(x417))) - var x420 uint64 - var x421 uint64 - x420, x421 = bits.Add64(x365, x401, uint64(p521Uint1(x419))) - var x422 uint64 - var x423 uint64 - x422, x423 = bits.Add64(x367, x403, uint64(p521Uint1(x421))) - var x424 uint64 - var x425 uint64 - x424, x425 = bits.Add64(x369, x405, uint64(p521Uint1(x423))) - var x426 uint64 - var x427 uint64 - x426, x427 = bits.Add64(x371, x407, uint64(p521Uint1(x425))) - var x428 uint64 - var x429 uint64 - x428, x429 = bits.Add64(x373, x409, uint64(p521Uint1(x427))) - var x430 uint64 - var x431 uint64 - x430, x431 = bits.Add64(x375, x411, uint64(p521Uint1(x429))) - x432 := (uint64(p521Uint1(x431)) + uint64(p521Uint1(x376))) - var x433 uint64 - var x434 uint64 - x434, x433 = bits.Mul64(x4, arg1[8]) - var x435 uint64 - var x436 uint64 - x436, x435 = bits.Mul64(x4, arg1[7]) - var x437 uint64 - var x438 uint64 - x438, x437 = bits.Mul64(x4, arg1[6]) - var x439 uint64 - var x440 uint64 - x440, x439 = bits.Mul64(x4, arg1[5]) - var x441 uint64 - var x442 uint64 - x442, x441 = bits.Mul64(x4, arg1[4]) - var x443 uint64 - var x444 uint64 - x444, x443 = bits.Mul64(x4, arg1[3]) - var x445 uint64 - var x446 uint64 - x446, x445 = bits.Mul64(x4, arg1[2]) - var x447 uint64 - var x448 uint64 - x448, x447 = bits.Mul64(x4, arg1[1]) - var x449 uint64 - var x450 uint64 - x450, x449 = bits.Mul64(x4, arg1[0]) - var x451 uint64 - var x452 uint64 - x451, x452 = bits.Add64(x450, x447, uint64(0x0)) - var x453 uint64 - var x454 uint64 - x453, x454 = bits.Add64(x448, x445, uint64(p521Uint1(x452))) - var x455 uint64 - var x456 uint64 - x455, x456 = bits.Add64(x446, x443, uint64(p521Uint1(x454))) - var x457 uint64 - var x458 uint64 - x457, x458 = bits.Add64(x444, x441, uint64(p521Uint1(x456))) - var x459 uint64 - var x460 uint64 - x459, x460 = bits.Add64(x442, x439, uint64(p521Uint1(x458))) - var x461 uint64 - var x462 uint64 - x461, x462 = bits.Add64(x440, x437, uint64(p521Uint1(x460))) - var x463 uint64 - var x464 uint64 - x463, x464 = bits.Add64(x438, x435, uint64(p521Uint1(x462))) - var x465 uint64 - var x466 uint64 - x465, x466 = bits.Add64(x436, x433, uint64(p521Uint1(x464))) - x467 := (uint64(p521Uint1(x466)) + x434) - var x468 uint64 - var x469 uint64 - x468, x469 = bits.Add64(x414, x449, uint64(0x0)) - var x470 uint64 - var x471 uint64 - x470, x471 = bits.Add64(x416, x451, uint64(p521Uint1(x469))) - var x472 uint64 - var x473 uint64 - x472, x473 = bits.Add64(x418, x453, uint64(p521Uint1(x471))) - var x474 uint64 - var x475 uint64 - x474, x475 = bits.Add64(x420, x455, uint64(p521Uint1(x473))) - var x476 uint64 - var x477 uint64 - x476, x477 = bits.Add64(x422, x457, uint64(p521Uint1(x475))) - var x478 uint64 - var x479 uint64 - x478, x479 = bits.Add64(x424, x459, uint64(p521Uint1(x477))) - var x480 uint64 - var x481 uint64 - x480, x481 = bits.Add64(x426, x461, uint64(p521Uint1(x479))) - var x482 uint64 - var x483 uint64 - x482, x483 = bits.Add64(x428, x463, uint64(p521Uint1(x481))) - var x484 uint64 - var x485 uint64 - x484, x485 = bits.Add64(x430, x465, uint64(p521Uint1(x483))) - var x486 uint64 - var x487 uint64 - x486, x487 = bits.Add64(x432, x467, uint64(p521Uint1(x485))) - var x488 uint64 - var x489 uint64 - x489, x488 = bits.Mul64(x468, 0x1ff) - var x490 uint64 - var x491 uint64 - x491, x490 = bits.Mul64(x468, 0xffffffffffffffff) - var x492 uint64 - var x493 uint64 - x493, x492 = bits.Mul64(x468, 0xffffffffffffffff) - var x494 uint64 - var x495 uint64 - x495, x494 = bits.Mul64(x468, 0xffffffffffffffff) - var x496 uint64 - var x497 uint64 - x497, x496 = bits.Mul64(x468, 0xffffffffffffffff) - var x498 uint64 - var x499 uint64 - x499, x498 = bits.Mul64(x468, 0xffffffffffffffff) - var x500 uint64 - var x501 uint64 - x501, x500 = bits.Mul64(x468, 0xffffffffffffffff) - var x502 uint64 - var x503 uint64 - x503, x502 = bits.Mul64(x468, 0xffffffffffffffff) - var x504 uint64 - var x505 uint64 - x505, x504 = bits.Mul64(x468, 0xffffffffffffffff) - var x506 uint64 - var x507 uint64 - x506, x507 = bits.Add64(x505, x502, uint64(0x0)) - var x508 uint64 - var x509 uint64 - x508, x509 = bits.Add64(x503, x500, uint64(p521Uint1(x507))) - var x510 uint64 - var x511 uint64 - x510, x511 = bits.Add64(x501, x498, uint64(p521Uint1(x509))) - var x512 uint64 - var x513 uint64 - x512, x513 = bits.Add64(x499, x496, uint64(p521Uint1(x511))) - var x514 uint64 - var x515 uint64 - x514, x515 = bits.Add64(x497, x494, uint64(p521Uint1(x513))) - var x516 uint64 - var x517 uint64 - x516, x517 = bits.Add64(x495, x492, uint64(p521Uint1(x515))) - var x518 uint64 - var x519 uint64 - x518, x519 = bits.Add64(x493, x490, uint64(p521Uint1(x517))) - var x520 uint64 - var x521 uint64 - x520, x521 = bits.Add64(x491, x488, uint64(p521Uint1(x519))) - x522 := (uint64(p521Uint1(x521)) + x489) - var x524 uint64 - _, x524 = bits.Add64(x468, x504, uint64(0x0)) - var x525 uint64 - var x526 uint64 - x525, x526 = bits.Add64(x470, x506, uint64(p521Uint1(x524))) - var x527 uint64 - var x528 uint64 - x527, x528 = bits.Add64(x472, x508, uint64(p521Uint1(x526))) - var x529 uint64 - var x530 uint64 - x529, x530 = bits.Add64(x474, x510, uint64(p521Uint1(x528))) - var x531 uint64 - var x532 uint64 - x531, x532 = bits.Add64(x476, x512, uint64(p521Uint1(x530))) - var x533 uint64 - var x534 uint64 - x533, x534 = bits.Add64(x478, x514, uint64(p521Uint1(x532))) - var x535 uint64 - var x536 uint64 - x535, x536 = bits.Add64(x480, x516, uint64(p521Uint1(x534))) - var x537 uint64 - var x538 uint64 - x537, x538 = bits.Add64(x482, x518, uint64(p521Uint1(x536))) - var x539 uint64 - var x540 uint64 - x539, x540 = bits.Add64(x484, x520, uint64(p521Uint1(x538))) - var x541 uint64 - var x542 uint64 - x541, x542 = bits.Add64(x486, x522, uint64(p521Uint1(x540))) - x543 := (uint64(p521Uint1(x542)) + uint64(p521Uint1(x487))) - var x544 uint64 - var x545 uint64 - x545, x544 = bits.Mul64(x5, arg1[8]) - var x546 uint64 - var x547 uint64 - x547, x546 = bits.Mul64(x5, arg1[7]) - var x548 uint64 - var x549 uint64 - x549, x548 = bits.Mul64(x5, arg1[6]) - var x550 uint64 - var x551 uint64 - x551, x550 = bits.Mul64(x5, arg1[5]) - var x552 uint64 - var x553 uint64 - x553, x552 = bits.Mul64(x5, arg1[4]) - var x554 uint64 - var x555 uint64 - x555, x554 = bits.Mul64(x5, arg1[3]) - var x556 uint64 - var x557 uint64 - x557, x556 = bits.Mul64(x5, arg1[2]) - var x558 uint64 - var x559 uint64 - x559, x558 = bits.Mul64(x5, arg1[1]) - var x560 uint64 - var x561 uint64 - x561, x560 = bits.Mul64(x5, arg1[0]) - var x562 uint64 - var x563 uint64 - x562, x563 = bits.Add64(x561, x558, uint64(0x0)) - var x564 uint64 - var x565 uint64 - x564, x565 = bits.Add64(x559, x556, uint64(p521Uint1(x563))) - var x566 uint64 - var x567 uint64 - x566, x567 = bits.Add64(x557, x554, uint64(p521Uint1(x565))) - var x568 uint64 - var x569 uint64 - x568, x569 = bits.Add64(x555, x552, uint64(p521Uint1(x567))) - var x570 uint64 - var x571 uint64 - x570, x571 = bits.Add64(x553, x550, uint64(p521Uint1(x569))) - var x572 uint64 - var x573 uint64 - x572, x573 = bits.Add64(x551, x548, uint64(p521Uint1(x571))) - var x574 uint64 - var x575 uint64 - x574, x575 = bits.Add64(x549, x546, uint64(p521Uint1(x573))) - var x576 uint64 - var x577 uint64 - x576, x577 = bits.Add64(x547, x544, uint64(p521Uint1(x575))) - x578 := (uint64(p521Uint1(x577)) + x545) - var x579 uint64 - var x580 uint64 - x579, x580 = bits.Add64(x525, x560, uint64(0x0)) - var x581 uint64 - var x582 uint64 - x581, x582 = bits.Add64(x527, x562, uint64(p521Uint1(x580))) - var x583 uint64 - var x584 uint64 - x583, x584 = bits.Add64(x529, x564, uint64(p521Uint1(x582))) - var x585 uint64 - var x586 uint64 - x585, x586 = bits.Add64(x531, x566, uint64(p521Uint1(x584))) - var x587 uint64 - var x588 uint64 - x587, x588 = bits.Add64(x533, x568, uint64(p521Uint1(x586))) - var x589 uint64 - var x590 uint64 - x589, x590 = bits.Add64(x535, x570, uint64(p521Uint1(x588))) - var x591 uint64 - var x592 uint64 - x591, x592 = bits.Add64(x537, x572, uint64(p521Uint1(x590))) - var x593 uint64 - var x594 uint64 - x593, x594 = bits.Add64(x539, x574, uint64(p521Uint1(x592))) - var x595 uint64 - var x596 uint64 - x595, x596 = bits.Add64(x541, x576, uint64(p521Uint1(x594))) - var x597 uint64 - var x598 uint64 - x597, x598 = bits.Add64(x543, x578, uint64(p521Uint1(x596))) - var x599 uint64 - var x600 uint64 - x600, x599 = bits.Mul64(x579, 0x1ff) - var x601 uint64 - var x602 uint64 - x602, x601 = bits.Mul64(x579, 0xffffffffffffffff) - var x603 uint64 - var x604 uint64 - x604, x603 = bits.Mul64(x579, 0xffffffffffffffff) - var x605 uint64 - var x606 uint64 - x606, x605 = bits.Mul64(x579, 0xffffffffffffffff) - var x607 uint64 - var x608 uint64 - x608, x607 = bits.Mul64(x579, 0xffffffffffffffff) - var x609 uint64 - var x610 uint64 - x610, x609 = bits.Mul64(x579, 0xffffffffffffffff) - var x611 uint64 - var x612 uint64 - x612, x611 = bits.Mul64(x579, 0xffffffffffffffff) - var x613 uint64 - var x614 uint64 - x614, x613 = bits.Mul64(x579, 0xffffffffffffffff) - var x615 uint64 - var x616 uint64 - x616, x615 = bits.Mul64(x579, 0xffffffffffffffff) - var x617 uint64 - var x618 uint64 - x617, x618 = bits.Add64(x616, x613, uint64(0x0)) - var x619 uint64 - var x620 uint64 - x619, x620 = bits.Add64(x614, x611, uint64(p521Uint1(x618))) - var x621 uint64 - var x622 uint64 - x621, x622 = bits.Add64(x612, x609, uint64(p521Uint1(x620))) - var x623 uint64 - var x624 uint64 - x623, x624 = bits.Add64(x610, x607, uint64(p521Uint1(x622))) - var x625 uint64 - var x626 uint64 - x625, x626 = bits.Add64(x608, x605, uint64(p521Uint1(x624))) - var x627 uint64 - var x628 uint64 - x627, x628 = bits.Add64(x606, x603, uint64(p521Uint1(x626))) - var x629 uint64 - var x630 uint64 - x629, x630 = bits.Add64(x604, x601, uint64(p521Uint1(x628))) - var x631 uint64 - var x632 uint64 - x631, x632 = bits.Add64(x602, x599, uint64(p521Uint1(x630))) - x633 := (uint64(p521Uint1(x632)) + x600) - var x635 uint64 - _, x635 = bits.Add64(x579, x615, uint64(0x0)) - var x636 uint64 - var x637 uint64 - x636, x637 = bits.Add64(x581, x617, uint64(p521Uint1(x635))) - var x638 uint64 - var x639 uint64 - x638, x639 = bits.Add64(x583, x619, uint64(p521Uint1(x637))) - var x640 uint64 - var x641 uint64 - x640, x641 = bits.Add64(x585, x621, uint64(p521Uint1(x639))) - var x642 uint64 - var x643 uint64 - x642, x643 = bits.Add64(x587, x623, uint64(p521Uint1(x641))) - var x644 uint64 - var x645 uint64 - x644, x645 = bits.Add64(x589, x625, uint64(p521Uint1(x643))) - var x646 uint64 - var x647 uint64 - x646, x647 = bits.Add64(x591, x627, uint64(p521Uint1(x645))) - var x648 uint64 - var x649 uint64 - x648, x649 = bits.Add64(x593, x629, uint64(p521Uint1(x647))) - var x650 uint64 - var x651 uint64 - x650, x651 = bits.Add64(x595, x631, uint64(p521Uint1(x649))) - var x652 uint64 - var x653 uint64 - x652, x653 = bits.Add64(x597, x633, uint64(p521Uint1(x651))) - x654 := (uint64(p521Uint1(x653)) + uint64(p521Uint1(x598))) - var x655 uint64 - var x656 uint64 - x656, x655 = bits.Mul64(x6, arg1[8]) - var x657 uint64 - var x658 uint64 - x658, x657 = bits.Mul64(x6, arg1[7]) - var x659 uint64 - var x660 uint64 - x660, x659 = bits.Mul64(x6, arg1[6]) - var x661 uint64 - var x662 uint64 - x662, x661 = bits.Mul64(x6, arg1[5]) - var x663 uint64 - var x664 uint64 - x664, x663 = bits.Mul64(x6, arg1[4]) - var x665 uint64 - var x666 uint64 - x666, x665 = bits.Mul64(x6, arg1[3]) - var x667 uint64 - var x668 uint64 - x668, x667 = bits.Mul64(x6, arg1[2]) - var x669 uint64 - var x670 uint64 - x670, x669 = bits.Mul64(x6, arg1[1]) - var x671 uint64 - var x672 uint64 - x672, x671 = bits.Mul64(x6, arg1[0]) - var x673 uint64 - var x674 uint64 - x673, x674 = bits.Add64(x672, x669, uint64(0x0)) - var x675 uint64 - var x676 uint64 - x675, x676 = bits.Add64(x670, x667, uint64(p521Uint1(x674))) - var x677 uint64 - var x678 uint64 - x677, x678 = bits.Add64(x668, x665, uint64(p521Uint1(x676))) - var x679 uint64 - var x680 uint64 - x679, x680 = bits.Add64(x666, x663, uint64(p521Uint1(x678))) - var x681 uint64 - var x682 uint64 - x681, x682 = bits.Add64(x664, x661, uint64(p521Uint1(x680))) - var x683 uint64 - var x684 uint64 - x683, x684 = bits.Add64(x662, x659, uint64(p521Uint1(x682))) - var x685 uint64 - var x686 uint64 - x685, x686 = bits.Add64(x660, x657, uint64(p521Uint1(x684))) - var x687 uint64 - var x688 uint64 - x687, x688 = bits.Add64(x658, x655, uint64(p521Uint1(x686))) - x689 := (uint64(p521Uint1(x688)) + x656) - var x690 uint64 - var x691 uint64 - x690, x691 = bits.Add64(x636, x671, uint64(0x0)) - var x692 uint64 - var x693 uint64 - x692, x693 = bits.Add64(x638, x673, uint64(p521Uint1(x691))) - var x694 uint64 - var x695 uint64 - x694, x695 = bits.Add64(x640, x675, uint64(p521Uint1(x693))) - var x696 uint64 - var x697 uint64 - x696, x697 = bits.Add64(x642, x677, uint64(p521Uint1(x695))) - var x698 uint64 - var x699 uint64 - x698, x699 = bits.Add64(x644, x679, uint64(p521Uint1(x697))) - var x700 uint64 - var x701 uint64 - x700, x701 = bits.Add64(x646, x681, uint64(p521Uint1(x699))) - var x702 uint64 - var x703 uint64 - x702, x703 = bits.Add64(x648, x683, uint64(p521Uint1(x701))) - var x704 uint64 - var x705 uint64 - x704, x705 = bits.Add64(x650, x685, uint64(p521Uint1(x703))) - var x706 uint64 - var x707 uint64 - x706, x707 = bits.Add64(x652, x687, uint64(p521Uint1(x705))) - var x708 uint64 - var x709 uint64 - x708, x709 = bits.Add64(x654, x689, uint64(p521Uint1(x707))) - var x710 uint64 - var x711 uint64 - x711, x710 = bits.Mul64(x690, 0x1ff) - var x712 uint64 - var x713 uint64 - x713, x712 = bits.Mul64(x690, 0xffffffffffffffff) - var x714 uint64 - var x715 uint64 - x715, x714 = bits.Mul64(x690, 0xffffffffffffffff) - var x716 uint64 - var x717 uint64 - x717, x716 = bits.Mul64(x690, 0xffffffffffffffff) - var x718 uint64 - var x719 uint64 - x719, x718 = bits.Mul64(x690, 0xffffffffffffffff) - var x720 uint64 - var x721 uint64 - x721, x720 = bits.Mul64(x690, 0xffffffffffffffff) - var x722 uint64 - var x723 uint64 - x723, x722 = bits.Mul64(x690, 0xffffffffffffffff) - var x724 uint64 - var x725 uint64 - x725, x724 = bits.Mul64(x690, 0xffffffffffffffff) - var x726 uint64 - var x727 uint64 - x727, x726 = bits.Mul64(x690, 0xffffffffffffffff) - var x728 uint64 - var x729 uint64 - x728, x729 = bits.Add64(x727, x724, uint64(0x0)) - var x730 uint64 - var x731 uint64 - x730, x731 = bits.Add64(x725, x722, uint64(p521Uint1(x729))) - var x732 uint64 - var x733 uint64 - x732, x733 = bits.Add64(x723, x720, uint64(p521Uint1(x731))) - var x734 uint64 - var x735 uint64 - x734, x735 = bits.Add64(x721, x718, uint64(p521Uint1(x733))) - var x736 uint64 - var x737 uint64 - x736, x737 = bits.Add64(x719, x716, uint64(p521Uint1(x735))) - var x738 uint64 - var x739 uint64 - x738, x739 = bits.Add64(x717, x714, uint64(p521Uint1(x737))) - var x740 uint64 - var x741 uint64 - x740, x741 = bits.Add64(x715, x712, uint64(p521Uint1(x739))) - var x742 uint64 - var x743 uint64 - x742, x743 = bits.Add64(x713, x710, uint64(p521Uint1(x741))) - x744 := (uint64(p521Uint1(x743)) + x711) - var x746 uint64 - _, x746 = bits.Add64(x690, x726, uint64(0x0)) - var x747 uint64 - var x748 uint64 - x747, x748 = bits.Add64(x692, x728, uint64(p521Uint1(x746))) - var x749 uint64 - var x750 uint64 - x749, x750 = bits.Add64(x694, x730, uint64(p521Uint1(x748))) - var x751 uint64 - var x752 uint64 - x751, x752 = bits.Add64(x696, x732, uint64(p521Uint1(x750))) - var x753 uint64 - var x754 uint64 - x753, x754 = bits.Add64(x698, x734, uint64(p521Uint1(x752))) - var x755 uint64 - var x756 uint64 - x755, x756 = bits.Add64(x700, x736, uint64(p521Uint1(x754))) - var x757 uint64 - var x758 uint64 - x757, x758 = bits.Add64(x702, x738, uint64(p521Uint1(x756))) - var x759 uint64 - var x760 uint64 - x759, x760 = bits.Add64(x704, x740, uint64(p521Uint1(x758))) - var x761 uint64 - var x762 uint64 - x761, x762 = bits.Add64(x706, x742, uint64(p521Uint1(x760))) - var x763 uint64 - var x764 uint64 - x763, x764 = bits.Add64(x708, x744, uint64(p521Uint1(x762))) - x765 := (uint64(p521Uint1(x764)) + uint64(p521Uint1(x709))) - var x766 uint64 - var x767 uint64 - x767, x766 = bits.Mul64(x7, arg1[8]) - var x768 uint64 - var x769 uint64 - x769, x768 = bits.Mul64(x7, arg1[7]) - var x770 uint64 - var x771 uint64 - x771, x770 = bits.Mul64(x7, arg1[6]) - var x772 uint64 - var x773 uint64 - x773, x772 = bits.Mul64(x7, arg1[5]) - var x774 uint64 - var x775 uint64 - x775, x774 = bits.Mul64(x7, arg1[4]) - var x776 uint64 - var x777 uint64 - x777, x776 = bits.Mul64(x7, arg1[3]) - var x778 uint64 - var x779 uint64 - x779, x778 = bits.Mul64(x7, arg1[2]) - var x780 uint64 - var x781 uint64 - x781, x780 = bits.Mul64(x7, arg1[1]) - var x782 uint64 - var x783 uint64 - x783, x782 = bits.Mul64(x7, arg1[0]) - var x784 uint64 - var x785 uint64 - x784, x785 = bits.Add64(x783, x780, uint64(0x0)) - var x786 uint64 - var x787 uint64 - x786, x787 = bits.Add64(x781, x778, uint64(p521Uint1(x785))) - var x788 uint64 - var x789 uint64 - x788, x789 = bits.Add64(x779, x776, uint64(p521Uint1(x787))) - var x790 uint64 - var x791 uint64 - x790, x791 = bits.Add64(x777, x774, uint64(p521Uint1(x789))) - var x792 uint64 - var x793 uint64 - x792, x793 = bits.Add64(x775, x772, uint64(p521Uint1(x791))) - var x794 uint64 - var x795 uint64 - x794, x795 = bits.Add64(x773, x770, uint64(p521Uint1(x793))) - var x796 uint64 - var x797 uint64 - x796, x797 = bits.Add64(x771, x768, uint64(p521Uint1(x795))) - var x798 uint64 - var x799 uint64 - x798, x799 = bits.Add64(x769, x766, uint64(p521Uint1(x797))) - x800 := (uint64(p521Uint1(x799)) + x767) - var x801 uint64 - var x802 uint64 - x801, x802 = bits.Add64(x747, x782, uint64(0x0)) - var x803 uint64 - var x804 uint64 - x803, x804 = bits.Add64(x749, x784, uint64(p521Uint1(x802))) - var x805 uint64 - var x806 uint64 - x805, x806 = bits.Add64(x751, x786, uint64(p521Uint1(x804))) - var x807 uint64 - var x808 uint64 - x807, x808 = bits.Add64(x753, x788, uint64(p521Uint1(x806))) - var x809 uint64 - var x810 uint64 - x809, x810 = bits.Add64(x755, x790, uint64(p521Uint1(x808))) - var x811 uint64 - var x812 uint64 - x811, x812 = bits.Add64(x757, x792, uint64(p521Uint1(x810))) - var x813 uint64 - var x814 uint64 - x813, x814 = bits.Add64(x759, x794, uint64(p521Uint1(x812))) - var x815 uint64 - var x816 uint64 - x815, x816 = bits.Add64(x761, x796, uint64(p521Uint1(x814))) - var x817 uint64 - var x818 uint64 - x817, x818 = bits.Add64(x763, x798, uint64(p521Uint1(x816))) - var x819 uint64 - var x820 uint64 - x819, x820 = bits.Add64(x765, x800, uint64(p521Uint1(x818))) - var x821 uint64 - var x822 uint64 - x822, x821 = bits.Mul64(x801, 0x1ff) - var x823 uint64 - var x824 uint64 - x824, x823 = bits.Mul64(x801, 0xffffffffffffffff) - var x825 uint64 - var x826 uint64 - x826, x825 = bits.Mul64(x801, 0xffffffffffffffff) - var x827 uint64 - var x828 uint64 - x828, x827 = bits.Mul64(x801, 0xffffffffffffffff) - var x829 uint64 - var x830 uint64 - x830, x829 = bits.Mul64(x801, 0xffffffffffffffff) - var x831 uint64 - var x832 uint64 - x832, x831 = bits.Mul64(x801, 0xffffffffffffffff) - var x833 uint64 - var x834 uint64 - x834, x833 = bits.Mul64(x801, 0xffffffffffffffff) - var x835 uint64 - var x836 uint64 - x836, x835 = bits.Mul64(x801, 0xffffffffffffffff) - var x837 uint64 - var x838 uint64 - x838, x837 = bits.Mul64(x801, 0xffffffffffffffff) - var x839 uint64 - var x840 uint64 - x839, x840 = bits.Add64(x838, x835, uint64(0x0)) - var x841 uint64 - var x842 uint64 - x841, x842 = bits.Add64(x836, x833, uint64(p521Uint1(x840))) - var x843 uint64 - var x844 uint64 - x843, x844 = bits.Add64(x834, x831, uint64(p521Uint1(x842))) - var x845 uint64 - var x846 uint64 - x845, x846 = bits.Add64(x832, x829, uint64(p521Uint1(x844))) - var x847 uint64 - var x848 uint64 - x847, x848 = bits.Add64(x830, x827, uint64(p521Uint1(x846))) - var x849 uint64 - var x850 uint64 - x849, x850 = bits.Add64(x828, x825, uint64(p521Uint1(x848))) - var x851 uint64 - var x852 uint64 - x851, x852 = bits.Add64(x826, x823, uint64(p521Uint1(x850))) - var x853 uint64 - var x854 uint64 - x853, x854 = bits.Add64(x824, x821, uint64(p521Uint1(x852))) - x855 := (uint64(p521Uint1(x854)) + x822) - var x857 uint64 - _, x857 = bits.Add64(x801, x837, uint64(0x0)) - var x858 uint64 - var x859 uint64 - x858, x859 = bits.Add64(x803, x839, uint64(p521Uint1(x857))) - var x860 uint64 - var x861 uint64 - x860, x861 = bits.Add64(x805, x841, uint64(p521Uint1(x859))) - var x862 uint64 - var x863 uint64 - x862, x863 = bits.Add64(x807, x843, uint64(p521Uint1(x861))) - var x864 uint64 - var x865 uint64 - x864, x865 = bits.Add64(x809, x845, uint64(p521Uint1(x863))) - var x866 uint64 - var x867 uint64 - x866, x867 = bits.Add64(x811, x847, uint64(p521Uint1(x865))) - var x868 uint64 - var x869 uint64 - x868, x869 = bits.Add64(x813, x849, uint64(p521Uint1(x867))) - var x870 uint64 - var x871 uint64 - x870, x871 = bits.Add64(x815, x851, uint64(p521Uint1(x869))) - var x872 uint64 - var x873 uint64 - x872, x873 = bits.Add64(x817, x853, uint64(p521Uint1(x871))) - var x874 uint64 - var x875 uint64 - x874, x875 = bits.Add64(x819, x855, uint64(p521Uint1(x873))) - x876 := (uint64(p521Uint1(x875)) + uint64(p521Uint1(x820))) - var x877 uint64 - var x878 uint64 - x878, x877 = bits.Mul64(x8, arg1[8]) - var x879 uint64 - var x880 uint64 - x880, x879 = bits.Mul64(x8, arg1[7]) - var x881 uint64 - var x882 uint64 - x882, x881 = bits.Mul64(x8, arg1[6]) - var x883 uint64 - var x884 uint64 - x884, x883 = bits.Mul64(x8, arg1[5]) - var x885 uint64 - var x886 uint64 - x886, x885 = bits.Mul64(x8, arg1[4]) - var x887 uint64 - var x888 uint64 - x888, x887 = bits.Mul64(x8, arg1[3]) - var x889 uint64 - var x890 uint64 - x890, x889 = bits.Mul64(x8, arg1[2]) - var x891 uint64 - var x892 uint64 - x892, x891 = bits.Mul64(x8, arg1[1]) - var x893 uint64 - var x894 uint64 - x894, x893 = bits.Mul64(x8, arg1[0]) - var x895 uint64 - var x896 uint64 - x895, x896 = bits.Add64(x894, x891, uint64(0x0)) - var x897 uint64 - var x898 uint64 - x897, x898 = bits.Add64(x892, x889, uint64(p521Uint1(x896))) - var x899 uint64 - var x900 uint64 - x899, x900 = bits.Add64(x890, x887, uint64(p521Uint1(x898))) - var x901 uint64 - var x902 uint64 - x901, x902 = bits.Add64(x888, x885, uint64(p521Uint1(x900))) - var x903 uint64 - var x904 uint64 - x903, x904 = bits.Add64(x886, x883, uint64(p521Uint1(x902))) - var x905 uint64 - var x906 uint64 - x905, x906 = bits.Add64(x884, x881, uint64(p521Uint1(x904))) - var x907 uint64 - var x908 uint64 - x907, x908 = bits.Add64(x882, x879, uint64(p521Uint1(x906))) - var x909 uint64 - var x910 uint64 - x909, x910 = bits.Add64(x880, x877, uint64(p521Uint1(x908))) - x911 := (uint64(p521Uint1(x910)) + x878) - var x912 uint64 - var x913 uint64 - x912, x913 = bits.Add64(x858, x893, uint64(0x0)) - var x914 uint64 - var x915 uint64 - x914, x915 = bits.Add64(x860, x895, uint64(p521Uint1(x913))) - var x916 uint64 - var x917 uint64 - x916, x917 = bits.Add64(x862, x897, uint64(p521Uint1(x915))) - var x918 uint64 - var x919 uint64 - x918, x919 = bits.Add64(x864, x899, uint64(p521Uint1(x917))) - var x920 uint64 - var x921 uint64 - x920, x921 = bits.Add64(x866, x901, uint64(p521Uint1(x919))) - var x922 uint64 - var x923 uint64 - x922, x923 = bits.Add64(x868, x903, uint64(p521Uint1(x921))) - var x924 uint64 - var x925 uint64 - x924, x925 = bits.Add64(x870, x905, uint64(p521Uint1(x923))) - var x926 uint64 - var x927 uint64 - x926, x927 = bits.Add64(x872, x907, uint64(p521Uint1(x925))) - var x928 uint64 - var x929 uint64 - x928, x929 = bits.Add64(x874, x909, uint64(p521Uint1(x927))) - var x930 uint64 - var x931 uint64 - x930, x931 = bits.Add64(x876, x911, uint64(p521Uint1(x929))) - var x932 uint64 - var x933 uint64 - x933, x932 = bits.Mul64(x912, 0x1ff) - var x934 uint64 - var x935 uint64 - x935, x934 = bits.Mul64(x912, 0xffffffffffffffff) - var x936 uint64 - var x937 uint64 - x937, x936 = bits.Mul64(x912, 0xffffffffffffffff) - var x938 uint64 - var x939 uint64 - x939, x938 = bits.Mul64(x912, 0xffffffffffffffff) - var x940 uint64 - var x941 uint64 - x941, x940 = bits.Mul64(x912, 0xffffffffffffffff) - var x942 uint64 - var x943 uint64 - x943, x942 = bits.Mul64(x912, 0xffffffffffffffff) - var x944 uint64 - var x945 uint64 - x945, x944 = bits.Mul64(x912, 0xffffffffffffffff) - var x946 uint64 - var x947 uint64 - x947, x946 = bits.Mul64(x912, 0xffffffffffffffff) - var x948 uint64 - var x949 uint64 - x949, x948 = bits.Mul64(x912, 0xffffffffffffffff) - var x950 uint64 - var x951 uint64 - x950, x951 = bits.Add64(x949, x946, uint64(0x0)) - var x952 uint64 - var x953 uint64 - x952, x953 = bits.Add64(x947, x944, uint64(p521Uint1(x951))) - var x954 uint64 - var x955 uint64 - x954, x955 = bits.Add64(x945, x942, uint64(p521Uint1(x953))) - var x956 uint64 - var x957 uint64 - x956, x957 = bits.Add64(x943, x940, uint64(p521Uint1(x955))) - var x958 uint64 - var x959 uint64 - x958, x959 = bits.Add64(x941, x938, uint64(p521Uint1(x957))) - var x960 uint64 - var x961 uint64 - x960, x961 = bits.Add64(x939, x936, uint64(p521Uint1(x959))) - var x962 uint64 - var x963 uint64 - x962, x963 = bits.Add64(x937, x934, uint64(p521Uint1(x961))) - var x964 uint64 - var x965 uint64 - x964, x965 = bits.Add64(x935, x932, uint64(p521Uint1(x963))) - x966 := (uint64(p521Uint1(x965)) + x933) - var x968 uint64 - _, x968 = bits.Add64(x912, x948, uint64(0x0)) - var x969 uint64 - var x970 uint64 - x969, x970 = bits.Add64(x914, x950, uint64(p521Uint1(x968))) - var x971 uint64 - var x972 uint64 - x971, x972 = bits.Add64(x916, x952, uint64(p521Uint1(x970))) - var x973 uint64 - var x974 uint64 - x973, x974 = bits.Add64(x918, x954, uint64(p521Uint1(x972))) - var x975 uint64 - var x976 uint64 - x975, x976 = bits.Add64(x920, x956, uint64(p521Uint1(x974))) - var x977 uint64 - var x978 uint64 - x977, x978 = bits.Add64(x922, x958, uint64(p521Uint1(x976))) - var x979 uint64 - var x980 uint64 - x979, x980 = bits.Add64(x924, x960, uint64(p521Uint1(x978))) - var x981 uint64 - var x982 uint64 - x981, x982 = bits.Add64(x926, x962, uint64(p521Uint1(x980))) - var x983 uint64 - var x984 uint64 - x983, x984 = bits.Add64(x928, x964, uint64(p521Uint1(x982))) - var x985 uint64 - var x986 uint64 - x985, x986 = bits.Add64(x930, x966, uint64(p521Uint1(x984))) - x987 := (uint64(p521Uint1(x986)) + uint64(p521Uint1(x931))) - var x988 uint64 - var x989 uint64 - x988, x989 = bits.Sub64(x969, 0xffffffffffffffff, uint64(0x0)) - var x990 uint64 - var x991 uint64 - x990, x991 = bits.Sub64(x971, 0xffffffffffffffff, uint64(p521Uint1(x989))) - var x992 uint64 - var x993 uint64 - x992, x993 = bits.Sub64(x973, 0xffffffffffffffff, uint64(p521Uint1(x991))) - var x994 uint64 - var x995 uint64 - x994, x995 = bits.Sub64(x975, 0xffffffffffffffff, uint64(p521Uint1(x993))) - var x996 uint64 - var x997 uint64 - x996, x997 = bits.Sub64(x977, 0xffffffffffffffff, uint64(p521Uint1(x995))) - var x998 uint64 - var x999 uint64 - x998, x999 = bits.Sub64(x979, 0xffffffffffffffff, uint64(p521Uint1(x997))) - var x1000 uint64 - var x1001 uint64 - x1000, x1001 = bits.Sub64(x981, 0xffffffffffffffff, uint64(p521Uint1(x999))) - var x1002 uint64 - var x1003 uint64 - x1002, x1003 = bits.Sub64(x983, 0xffffffffffffffff, uint64(p521Uint1(x1001))) - var x1004 uint64 - var x1005 uint64 - x1004, x1005 = bits.Sub64(x985, 0x1ff, uint64(p521Uint1(x1003))) - var x1007 uint64 - _, x1007 = bits.Sub64(x987, uint64(0x0), uint64(p521Uint1(x1005))) - var x1008 uint64 - p521CmovznzU64(&x1008, p521Uint1(x1007), x988, x969) - var x1009 uint64 - p521CmovznzU64(&x1009, p521Uint1(x1007), x990, x971) - var x1010 uint64 - p521CmovznzU64(&x1010, p521Uint1(x1007), x992, x973) - var x1011 uint64 - p521CmovznzU64(&x1011, p521Uint1(x1007), x994, x975) - var x1012 uint64 - p521CmovznzU64(&x1012, p521Uint1(x1007), x996, x977) - var x1013 uint64 - p521CmovznzU64(&x1013, p521Uint1(x1007), x998, x979) - var x1014 uint64 - p521CmovznzU64(&x1014, p521Uint1(x1007), x1000, x981) - var x1015 uint64 - p521CmovznzU64(&x1015, p521Uint1(x1007), x1002, x983) - var x1016 uint64 - p521CmovznzU64(&x1016, p521Uint1(x1007), x1004, x985) - out1[0] = x1008 - out1[1] = x1009 - out1[2] = x1010 - out1[3] = x1011 - out1[4] = x1012 - out1[5] = x1013 - out1[6] = x1014 - out1[7] = x1015 - out1[8] = x1016 -} - -// p521Add adds two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p521Add(out1 *p521MontgomeryDomainFieldElement, arg1 *p521MontgomeryDomainFieldElement, arg2 *p521MontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Add64(arg1[0], arg2[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Add64(arg1[1], arg2[1], uint64(p521Uint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Add64(arg1[2], arg2[2], uint64(p521Uint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Add64(arg1[3], arg2[3], uint64(p521Uint1(x6))) - var x9 uint64 - var x10 uint64 - x9, x10 = bits.Add64(arg1[4], arg2[4], uint64(p521Uint1(x8))) - var x11 uint64 - var x12 uint64 - x11, x12 = bits.Add64(arg1[5], arg2[5], uint64(p521Uint1(x10))) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Add64(arg1[6], arg2[6], uint64(p521Uint1(x12))) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Add64(arg1[7], arg2[7], uint64(p521Uint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Add64(arg1[8], arg2[8], uint64(p521Uint1(x16))) - var x19 uint64 - var x20 uint64 - x19, x20 = bits.Sub64(x1, 0xffffffffffffffff, uint64(0x0)) - var x21 uint64 - var x22 uint64 - x21, x22 = bits.Sub64(x3, 0xffffffffffffffff, uint64(p521Uint1(x20))) - var x23 uint64 - var x24 uint64 - x23, x24 = bits.Sub64(x5, 0xffffffffffffffff, uint64(p521Uint1(x22))) - var x25 uint64 - var x26 uint64 - x25, x26 = bits.Sub64(x7, 0xffffffffffffffff, uint64(p521Uint1(x24))) - var x27 uint64 - var x28 uint64 - x27, x28 = bits.Sub64(x9, 0xffffffffffffffff, uint64(p521Uint1(x26))) - var x29 uint64 - var x30 uint64 - x29, x30 = bits.Sub64(x11, 0xffffffffffffffff, uint64(p521Uint1(x28))) - var x31 uint64 - var x32 uint64 - x31, x32 = bits.Sub64(x13, 0xffffffffffffffff, uint64(p521Uint1(x30))) - var x33 uint64 - var x34 uint64 - x33, x34 = bits.Sub64(x15, 0xffffffffffffffff, uint64(p521Uint1(x32))) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Sub64(x17, 0x1ff, uint64(p521Uint1(x34))) - var x38 uint64 - _, x38 = bits.Sub64(uint64(p521Uint1(x18)), uint64(0x0), uint64(p521Uint1(x36))) - var x39 uint64 - p521CmovznzU64(&x39, p521Uint1(x38), x19, x1) - var x40 uint64 - p521CmovznzU64(&x40, p521Uint1(x38), x21, x3) - var x41 uint64 - p521CmovznzU64(&x41, p521Uint1(x38), x23, x5) - var x42 uint64 - p521CmovznzU64(&x42, p521Uint1(x38), x25, x7) - var x43 uint64 - p521CmovznzU64(&x43, p521Uint1(x38), x27, x9) - var x44 uint64 - p521CmovznzU64(&x44, p521Uint1(x38), x29, x11) - var x45 uint64 - p521CmovznzU64(&x45, p521Uint1(x38), x31, x13) - var x46 uint64 - p521CmovznzU64(&x46, p521Uint1(x38), x33, x15) - var x47 uint64 - p521CmovznzU64(&x47, p521Uint1(x38), x35, x17) - out1[0] = x39 - out1[1] = x40 - out1[2] = x41 - out1[3] = x42 - out1[4] = x43 - out1[5] = x44 - out1[6] = x45 - out1[7] = x46 - out1[8] = x47 -} - -// p521Sub subtracts two field elements in the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// 0 ≤ eval arg2 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m -// 0 ≤ eval out1 < m -func p521Sub(out1 *p521MontgomeryDomainFieldElement, arg1 *p521MontgomeryDomainFieldElement, arg2 *p521MontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x1, x2 = bits.Sub64(arg1[0], arg2[0], uint64(0x0)) - var x3 uint64 - var x4 uint64 - x3, x4 = bits.Sub64(arg1[1], arg2[1], uint64(p521Uint1(x2))) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Sub64(arg1[2], arg2[2], uint64(p521Uint1(x4))) - var x7 uint64 - var x8 uint64 - x7, x8 = bits.Sub64(arg1[3], arg2[3], uint64(p521Uint1(x6))) - var x9 uint64 - var x10 uint64 - x9, x10 = bits.Sub64(arg1[4], arg2[4], uint64(p521Uint1(x8))) - var x11 uint64 - var x12 uint64 - x11, x12 = bits.Sub64(arg1[5], arg2[5], uint64(p521Uint1(x10))) - var x13 uint64 - var x14 uint64 - x13, x14 = bits.Sub64(arg1[6], arg2[6], uint64(p521Uint1(x12))) - var x15 uint64 - var x16 uint64 - x15, x16 = bits.Sub64(arg1[7], arg2[7], uint64(p521Uint1(x14))) - var x17 uint64 - var x18 uint64 - x17, x18 = bits.Sub64(arg1[8], arg2[8], uint64(p521Uint1(x16))) - var x19 uint64 - p521CmovznzU64(&x19, p521Uint1(x18), uint64(0x0), 0xffffffffffffffff) - var x20 uint64 - var x21 uint64 - x20, x21 = bits.Add64(x1, x19, uint64(0x0)) - var x22 uint64 - var x23 uint64 - x22, x23 = bits.Add64(x3, x19, uint64(p521Uint1(x21))) - var x24 uint64 - var x25 uint64 - x24, x25 = bits.Add64(x5, x19, uint64(p521Uint1(x23))) - var x26 uint64 - var x27 uint64 - x26, x27 = bits.Add64(x7, x19, uint64(p521Uint1(x25))) - var x28 uint64 - var x29 uint64 - x28, x29 = bits.Add64(x9, x19, uint64(p521Uint1(x27))) - var x30 uint64 - var x31 uint64 - x30, x31 = bits.Add64(x11, x19, uint64(p521Uint1(x29))) - var x32 uint64 - var x33 uint64 - x32, x33 = bits.Add64(x13, x19, uint64(p521Uint1(x31))) - var x34 uint64 - var x35 uint64 - x34, x35 = bits.Add64(x15, x19, uint64(p521Uint1(x33))) - var x36 uint64 - x36, _ = bits.Add64(x17, (x19 & 0x1ff), uint64(p521Uint1(x35))) - out1[0] = x20 - out1[1] = x22 - out1[2] = x24 - out1[3] = x26 - out1[4] = x28 - out1[5] = x30 - out1[6] = x32 - out1[7] = x34 - out1[8] = x36 -} - -// p521SetOne returns the field element one in the Montgomery domain. -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = 1 mod m -// 0 ≤ eval out1 < m -func p521SetOne(out1 *p521MontgomeryDomainFieldElement) { - out1[0] = 0x80000000000000 - out1[1] = uint64(0x0) - out1[2] = uint64(0x0) - out1[3] = uint64(0x0) - out1[4] = uint64(0x0) - out1[5] = uint64(0x0) - out1[6] = uint64(0x0) - out1[7] = uint64(0x0) - out1[8] = uint64(0x0) -} - -// p521FromMontgomery translates a field element out of the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^9) mod m -// 0 ≤ eval out1 < m -func p521FromMontgomery(out1 *p521NonMontgomeryDomainFieldElement, arg1 *p521MontgomeryDomainFieldElement) { - x1 := arg1[0] - var x2 uint64 - var x3 uint64 - x3, x2 = bits.Mul64(x1, 0x1ff) - var x4 uint64 - var x5 uint64 - x5, x4 = bits.Mul64(x1, 0xffffffffffffffff) - var x6 uint64 - var x7 uint64 - x7, x6 = bits.Mul64(x1, 0xffffffffffffffff) - var x8 uint64 - var x9 uint64 - x9, x8 = bits.Mul64(x1, 0xffffffffffffffff) - var x10 uint64 - var x11 uint64 - x11, x10 = bits.Mul64(x1, 0xffffffffffffffff) - var x12 uint64 - var x13 uint64 - x13, x12 = bits.Mul64(x1, 0xffffffffffffffff) - var x14 uint64 - var x15 uint64 - x15, x14 = bits.Mul64(x1, 0xffffffffffffffff) - var x16 uint64 - var x17 uint64 - x17, x16 = bits.Mul64(x1, 0xffffffffffffffff) - var x18 uint64 - var x19 uint64 - x19, x18 = bits.Mul64(x1, 0xffffffffffffffff) - var x20 uint64 - var x21 uint64 - x20, x21 = bits.Add64(x19, x16, uint64(0x0)) - var x22 uint64 - var x23 uint64 - x22, x23 = bits.Add64(x17, x14, uint64(p521Uint1(x21))) - var x24 uint64 - var x25 uint64 - x24, x25 = bits.Add64(x15, x12, uint64(p521Uint1(x23))) - var x26 uint64 - var x27 uint64 - x26, x27 = bits.Add64(x13, x10, uint64(p521Uint1(x25))) - var x28 uint64 - var x29 uint64 - x28, x29 = bits.Add64(x11, x8, uint64(p521Uint1(x27))) - var x30 uint64 - var x31 uint64 - x30, x31 = bits.Add64(x9, x6, uint64(p521Uint1(x29))) - var x32 uint64 - var x33 uint64 - x32, x33 = bits.Add64(x7, x4, uint64(p521Uint1(x31))) - var x34 uint64 - var x35 uint64 - x34, x35 = bits.Add64(x5, x2, uint64(p521Uint1(x33))) - var x37 uint64 - _, x37 = bits.Add64(x1, x18, uint64(0x0)) - var x38 uint64 - var x39 uint64 - x38, x39 = bits.Add64(uint64(0x0), x20, uint64(p521Uint1(x37))) - var x40 uint64 - var x41 uint64 - x40, x41 = bits.Add64(uint64(0x0), x22, uint64(p521Uint1(x39))) - var x42 uint64 - var x43 uint64 - x42, x43 = bits.Add64(uint64(0x0), x24, uint64(p521Uint1(x41))) - var x44 uint64 - var x45 uint64 - x44, x45 = bits.Add64(uint64(0x0), x26, uint64(p521Uint1(x43))) - var x46 uint64 - var x47 uint64 - x46, x47 = bits.Add64(uint64(0x0), x28, uint64(p521Uint1(x45))) - var x48 uint64 - var x49 uint64 - x48, x49 = bits.Add64(uint64(0x0), x30, uint64(p521Uint1(x47))) - var x50 uint64 - var x51 uint64 - x50, x51 = bits.Add64(uint64(0x0), x32, uint64(p521Uint1(x49))) - var x52 uint64 - var x53 uint64 - x52, x53 = bits.Add64(uint64(0x0), x34, uint64(p521Uint1(x51))) - var x54 uint64 - var x55 uint64 - x54, x55 = bits.Add64(x38, arg1[1], uint64(0x0)) - var x56 uint64 - var x57 uint64 - x56, x57 = bits.Add64(x40, uint64(0x0), uint64(p521Uint1(x55))) - var x58 uint64 - var x59 uint64 - x58, x59 = bits.Add64(x42, uint64(0x0), uint64(p521Uint1(x57))) - var x60 uint64 - var x61 uint64 - x60, x61 = bits.Add64(x44, uint64(0x0), uint64(p521Uint1(x59))) - var x62 uint64 - var x63 uint64 - x62, x63 = bits.Add64(x46, uint64(0x0), uint64(p521Uint1(x61))) - var x64 uint64 - var x65 uint64 - x64, x65 = bits.Add64(x48, uint64(0x0), uint64(p521Uint1(x63))) - var x66 uint64 - var x67 uint64 - x66, x67 = bits.Add64(x50, uint64(0x0), uint64(p521Uint1(x65))) - var x68 uint64 - var x69 uint64 - x68, x69 = bits.Add64(x52, uint64(0x0), uint64(p521Uint1(x67))) - var x70 uint64 - var x71 uint64 - x71, x70 = bits.Mul64(x54, 0x1ff) - var x72 uint64 - var x73 uint64 - x73, x72 = bits.Mul64(x54, 0xffffffffffffffff) - var x74 uint64 - var x75 uint64 - x75, x74 = bits.Mul64(x54, 0xffffffffffffffff) - var x76 uint64 - var x77 uint64 - x77, x76 = bits.Mul64(x54, 0xffffffffffffffff) - var x78 uint64 - var x79 uint64 - x79, x78 = bits.Mul64(x54, 0xffffffffffffffff) - var x80 uint64 - var x81 uint64 - x81, x80 = bits.Mul64(x54, 0xffffffffffffffff) - var x82 uint64 - var x83 uint64 - x83, x82 = bits.Mul64(x54, 0xffffffffffffffff) - var x84 uint64 - var x85 uint64 - x85, x84 = bits.Mul64(x54, 0xffffffffffffffff) - var x86 uint64 - var x87 uint64 - x87, x86 = bits.Mul64(x54, 0xffffffffffffffff) - var x88 uint64 - var x89 uint64 - x88, x89 = bits.Add64(x87, x84, uint64(0x0)) - var x90 uint64 - var x91 uint64 - x90, x91 = bits.Add64(x85, x82, uint64(p521Uint1(x89))) - var x92 uint64 - var x93 uint64 - x92, x93 = bits.Add64(x83, x80, uint64(p521Uint1(x91))) - var x94 uint64 - var x95 uint64 - x94, x95 = bits.Add64(x81, x78, uint64(p521Uint1(x93))) - var x96 uint64 - var x97 uint64 - x96, x97 = bits.Add64(x79, x76, uint64(p521Uint1(x95))) - var x98 uint64 - var x99 uint64 - x98, x99 = bits.Add64(x77, x74, uint64(p521Uint1(x97))) - var x100 uint64 - var x101 uint64 - x100, x101 = bits.Add64(x75, x72, uint64(p521Uint1(x99))) - var x102 uint64 - var x103 uint64 - x102, x103 = bits.Add64(x73, x70, uint64(p521Uint1(x101))) - var x105 uint64 - _, x105 = bits.Add64(x54, x86, uint64(0x0)) - var x106 uint64 - var x107 uint64 - x106, x107 = bits.Add64(x56, x88, uint64(p521Uint1(x105))) - var x108 uint64 - var x109 uint64 - x108, x109 = bits.Add64(x58, x90, uint64(p521Uint1(x107))) - var x110 uint64 - var x111 uint64 - x110, x111 = bits.Add64(x60, x92, uint64(p521Uint1(x109))) - var x112 uint64 - var x113 uint64 - x112, x113 = bits.Add64(x62, x94, uint64(p521Uint1(x111))) - var x114 uint64 - var x115 uint64 - x114, x115 = bits.Add64(x64, x96, uint64(p521Uint1(x113))) - var x116 uint64 - var x117 uint64 - x116, x117 = bits.Add64(x66, x98, uint64(p521Uint1(x115))) - var x118 uint64 - var x119 uint64 - x118, x119 = bits.Add64(x68, x100, uint64(p521Uint1(x117))) - var x120 uint64 - var x121 uint64 - x120, x121 = bits.Add64((uint64(p521Uint1(x69)) + (uint64(p521Uint1(x53)) + (uint64(p521Uint1(x35)) + x3))), x102, uint64(p521Uint1(x119))) - var x122 uint64 - var x123 uint64 - x122, x123 = bits.Add64(x106, arg1[2], uint64(0x0)) - var x124 uint64 - var x125 uint64 - x124, x125 = bits.Add64(x108, uint64(0x0), uint64(p521Uint1(x123))) - var x126 uint64 - var x127 uint64 - x126, x127 = bits.Add64(x110, uint64(0x0), uint64(p521Uint1(x125))) - var x128 uint64 - var x129 uint64 - x128, x129 = bits.Add64(x112, uint64(0x0), uint64(p521Uint1(x127))) - var x130 uint64 - var x131 uint64 - x130, x131 = bits.Add64(x114, uint64(0x0), uint64(p521Uint1(x129))) - var x132 uint64 - var x133 uint64 - x132, x133 = bits.Add64(x116, uint64(0x0), uint64(p521Uint1(x131))) - var x134 uint64 - var x135 uint64 - x134, x135 = bits.Add64(x118, uint64(0x0), uint64(p521Uint1(x133))) - var x136 uint64 - var x137 uint64 - x136, x137 = bits.Add64(x120, uint64(0x0), uint64(p521Uint1(x135))) - var x138 uint64 - var x139 uint64 - x139, x138 = bits.Mul64(x122, 0x1ff) - var x140 uint64 - var x141 uint64 - x141, x140 = bits.Mul64(x122, 0xffffffffffffffff) - var x142 uint64 - var x143 uint64 - x143, x142 = bits.Mul64(x122, 0xffffffffffffffff) - var x144 uint64 - var x145 uint64 - x145, x144 = bits.Mul64(x122, 0xffffffffffffffff) - var x146 uint64 - var x147 uint64 - x147, x146 = bits.Mul64(x122, 0xffffffffffffffff) - var x148 uint64 - var x149 uint64 - x149, x148 = bits.Mul64(x122, 0xffffffffffffffff) - var x150 uint64 - var x151 uint64 - x151, x150 = bits.Mul64(x122, 0xffffffffffffffff) - var x152 uint64 - var x153 uint64 - x153, x152 = bits.Mul64(x122, 0xffffffffffffffff) - var x154 uint64 - var x155 uint64 - x155, x154 = bits.Mul64(x122, 0xffffffffffffffff) - var x156 uint64 - var x157 uint64 - x156, x157 = bits.Add64(x155, x152, uint64(0x0)) - var x158 uint64 - var x159 uint64 - x158, x159 = bits.Add64(x153, x150, uint64(p521Uint1(x157))) - var x160 uint64 - var x161 uint64 - x160, x161 = bits.Add64(x151, x148, uint64(p521Uint1(x159))) - var x162 uint64 - var x163 uint64 - x162, x163 = bits.Add64(x149, x146, uint64(p521Uint1(x161))) - var x164 uint64 - var x165 uint64 - x164, x165 = bits.Add64(x147, x144, uint64(p521Uint1(x163))) - var x166 uint64 - var x167 uint64 - x166, x167 = bits.Add64(x145, x142, uint64(p521Uint1(x165))) - var x168 uint64 - var x169 uint64 - x168, x169 = bits.Add64(x143, x140, uint64(p521Uint1(x167))) - var x170 uint64 - var x171 uint64 - x170, x171 = bits.Add64(x141, x138, uint64(p521Uint1(x169))) - var x173 uint64 - _, x173 = bits.Add64(x122, x154, uint64(0x0)) - var x174 uint64 - var x175 uint64 - x174, x175 = bits.Add64(x124, x156, uint64(p521Uint1(x173))) - var x176 uint64 - var x177 uint64 - x176, x177 = bits.Add64(x126, x158, uint64(p521Uint1(x175))) - var x178 uint64 - var x179 uint64 - x178, x179 = bits.Add64(x128, x160, uint64(p521Uint1(x177))) - var x180 uint64 - var x181 uint64 - x180, x181 = bits.Add64(x130, x162, uint64(p521Uint1(x179))) - var x182 uint64 - var x183 uint64 - x182, x183 = bits.Add64(x132, x164, uint64(p521Uint1(x181))) - var x184 uint64 - var x185 uint64 - x184, x185 = bits.Add64(x134, x166, uint64(p521Uint1(x183))) - var x186 uint64 - var x187 uint64 - x186, x187 = bits.Add64(x136, x168, uint64(p521Uint1(x185))) - var x188 uint64 - var x189 uint64 - x188, x189 = bits.Add64((uint64(p521Uint1(x137)) + (uint64(p521Uint1(x121)) + (uint64(p521Uint1(x103)) + x71))), x170, uint64(p521Uint1(x187))) - var x190 uint64 - var x191 uint64 - x190, x191 = bits.Add64(x174, arg1[3], uint64(0x0)) - var x192 uint64 - var x193 uint64 - x192, x193 = bits.Add64(x176, uint64(0x0), uint64(p521Uint1(x191))) - var x194 uint64 - var x195 uint64 - x194, x195 = bits.Add64(x178, uint64(0x0), uint64(p521Uint1(x193))) - var x196 uint64 - var x197 uint64 - x196, x197 = bits.Add64(x180, uint64(0x0), uint64(p521Uint1(x195))) - var x198 uint64 - var x199 uint64 - x198, x199 = bits.Add64(x182, uint64(0x0), uint64(p521Uint1(x197))) - var x200 uint64 - var x201 uint64 - x200, x201 = bits.Add64(x184, uint64(0x0), uint64(p521Uint1(x199))) - var x202 uint64 - var x203 uint64 - x202, x203 = bits.Add64(x186, uint64(0x0), uint64(p521Uint1(x201))) - var x204 uint64 - var x205 uint64 - x204, x205 = bits.Add64(x188, uint64(0x0), uint64(p521Uint1(x203))) - var x206 uint64 - var x207 uint64 - x207, x206 = bits.Mul64(x190, 0x1ff) - var x208 uint64 - var x209 uint64 - x209, x208 = bits.Mul64(x190, 0xffffffffffffffff) - var x210 uint64 - var x211 uint64 - x211, x210 = bits.Mul64(x190, 0xffffffffffffffff) - var x212 uint64 - var x213 uint64 - x213, x212 = bits.Mul64(x190, 0xffffffffffffffff) - var x214 uint64 - var x215 uint64 - x215, x214 = bits.Mul64(x190, 0xffffffffffffffff) - var x216 uint64 - var x217 uint64 - x217, x216 = bits.Mul64(x190, 0xffffffffffffffff) - var x218 uint64 - var x219 uint64 - x219, x218 = bits.Mul64(x190, 0xffffffffffffffff) - var x220 uint64 - var x221 uint64 - x221, x220 = bits.Mul64(x190, 0xffffffffffffffff) - var x222 uint64 - var x223 uint64 - x223, x222 = bits.Mul64(x190, 0xffffffffffffffff) - var x224 uint64 - var x225 uint64 - x224, x225 = bits.Add64(x223, x220, uint64(0x0)) - var x226 uint64 - var x227 uint64 - x226, x227 = bits.Add64(x221, x218, uint64(p521Uint1(x225))) - var x228 uint64 - var x229 uint64 - x228, x229 = bits.Add64(x219, x216, uint64(p521Uint1(x227))) - var x230 uint64 - var x231 uint64 - x230, x231 = bits.Add64(x217, x214, uint64(p521Uint1(x229))) - var x232 uint64 - var x233 uint64 - x232, x233 = bits.Add64(x215, x212, uint64(p521Uint1(x231))) - var x234 uint64 - var x235 uint64 - x234, x235 = bits.Add64(x213, x210, uint64(p521Uint1(x233))) - var x236 uint64 - var x237 uint64 - x236, x237 = bits.Add64(x211, x208, uint64(p521Uint1(x235))) - var x238 uint64 - var x239 uint64 - x238, x239 = bits.Add64(x209, x206, uint64(p521Uint1(x237))) - var x241 uint64 - _, x241 = bits.Add64(x190, x222, uint64(0x0)) - var x242 uint64 - var x243 uint64 - x242, x243 = bits.Add64(x192, x224, uint64(p521Uint1(x241))) - var x244 uint64 - var x245 uint64 - x244, x245 = bits.Add64(x194, x226, uint64(p521Uint1(x243))) - var x246 uint64 - var x247 uint64 - x246, x247 = bits.Add64(x196, x228, uint64(p521Uint1(x245))) - var x248 uint64 - var x249 uint64 - x248, x249 = bits.Add64(x198, x230, uint64(p521Uint1(x247))) - var x250 uint64 - var x251 uint64 - x250, x251 = bits.Add64(x200, x232, uint64(p521Uint1(x249))) - var x252 uint64 - var x253 uint64 - x252, x253 = bits.Add64(x202, x234, uint64(p521Uint1(x251))) - var x254 uint64 - var x255 uint64 - x254, x255 = bits.Add64(x204, x236, uint64(p521Uint1(x253))) - var x256 uint64 - var x257 uint64 - x256, x257 = bits.Add64((uint64(p521Uint1(x205)) + (uint64(p521Uint1(x189)) + (uint64(p521Uint1(x171)) + x139))), x238, uint64(p521Uint1(x255))) - var x258 uint64 - var x259 uint64 - x258, x259 = bits.Add64(x242, arg1[4], uint64(0x0)) - var x260 uint64 - var x261 uint64 - x260, x261 = bits.Add64(x244, uint64(0x0), uint64(p521Uint1(x259))) - var x262 uint64 - var x263 uint64 - x262, x263 = bits.Add64(x246, uint64(0x0), uint64(p521Uint1(x261))) - var x264 uint64 - var x265 uint64 - x264, x265 = bits.Add64(x248, uint64(0x0), uint64(p521Uint1(x263))) - var x266 uint64 - var x267 uint64 - x266, x267 = bits.Add64(x250, uint64(0x0), uint64(p521Uint1(x265))) - var x268 uint64 - var x269 uint64 - x268, x269 = bits.Add64(x252, uint64(0x0), uint64(p521Uint1(x267))) - var x270 uint64 - var x271 uint64 - x270, x271 = bits.Add64(x254, uint64(0x0), uint64(p521Uint1(x269))) - var x272 uint64 - var x273 uint64 - x272, x273 = bits.Add64(x256, uint64(0x0), uint64(p521Uint1(x271))) - var x274 uint64 - var x275 uint64 - x275, x274 = bits.Mul64(x258, 0x1ff) - var x276 uint64 - var x277 uint64 - x277, x276 = bits.Mul64(x258, 0xffffffffffffffff) - var x278 uint64 - var x279 uint64 - x279, x278 = bits.Mul64(x258, 0xffffffffffffffff) - var x280 uint64 - var x281 uint64 - x281, x280 = bits.Mul64(x258, 0xffffffffffffffff) - var x282 uint64 - var x283 uint64 - x283, x282 = bits.Mul64(x258, 0xffffffffffffffff) - var x284 uint64 - var x285 uint64 - x285, x284 = bits.Mul64(x258, 0xffffffffffffffff) - var x286 uint64 - var x287 uint64 - x287, x286 = bits.Mul64(x258, 0xffffffffffffffff) - var x288 uint64 - var x289 uint64 - x289, x288 = bits.Mul64(x258, 0xffffffffffffffff) - var x290 uint64 - var x291 uint64 - x291, x290 = bits.Mul64(x258, 0xffffffffffffffff) - var x292 uint64 - var x293 uint64 - x292, x293 = bits.Add64(x291, x288, uint64(0x0)) - var x294 uint64 - var x295 uint64 - x294, x295 = bits.Add64(x289, x286, uint64(p521Uint1(x293))) - var x296 uint64 - var x297 uint64 - x296, x297 = bits.Add64(x287, x284, uint64(p521Uint1(x295))) - var x298 uint64 - var x299 uint64 - x298, x299 = bits.Add64(x285, x282, uint64(p521Uint1(x297))) - var x300 uint64 - var x301 uint64 - x300, x301 = bits.Add64(x283, x280, uint64(p521Uint1(x299))) - var x302 uint64 - var x303 uint64 - x302, x303 = bits.Add64(x281, x278, uint64(p521Uint1(x301))) - var x304 uint64 - var x305 uint64 - x304, x305 = bits.Add64(x279, x276, uint64(p521Uint1(x303))) - var x306 uint64 - var x307 uint64 - x306, x307 = bits.Add64(x277, x274, uint64(p521Uint1(x305))) - var x309 uint64 - _, x309 = bits.Add64(x258, x290, uint64(0x0)) - var x310 uint64 - var x311 uint64 - x310, x311 = bits.Add64(x260, x292, uint64(p521Uint1(x309))) - var x312 uint64 - var x313 uint64 - x312, x313 = bits.Add64(x262, x294, uint64(p521Uint1(x311))) - var x314 uint64 - var x315 uint64 - x314, x315 = bits.Add64(x264, x296, uint64(p521Uint1(x313))) - var x316 uint64 - var x317 uint64 - x316, x317 = bits.Add64(x266, x298, uint64(p521Uint1(x315))) - var x318 uint64 - var x319 uint64 - x318, x319 = bits.Add64(x268, x300, uint64(p521Uint1(x317))) - var x320 uint64 - var x321 uint64 - x320, x321 = bits.Add64(x270, x302, uint64(p521Uint1(x319))) - var x322 uint64 - var x323 uint64 - x322, x323 = bits.Add64(x272, x304, uint64(p521Uint1(x321))) - var x324 uint64 - var x325 uint64 - x324, x325 = bits.Add64((uint64(p521Uint1(x273)) + (uint64(p521Uint1(x257)) + (uint64(p521Uint1(x239)) + x207))), x306, uint64(p521Uint1(x323))) - var x326 uint64 - var x327 uint64 - x326, x327 = bits.Add64(x310, arg1[5], uint64(0x0)) - var x328 uint64 - var x329 uint64 - x328, x329 = bits.Add64(x312, uint64(0x0), uint64(p521Uint1(x327))) - var x330 uint64 - var x331 uint64 - x330, x331 = bits.Add64(x314, uint64(0x0), uint64(p521Uint1(x329))) - var x332 uint64 - var x333 uint64 - x332, x333 = bits.Add64(x316, uint64(0x0), uint64(p521Uint1(x331))) - var x334 uint64 - var x335 uint64 - x334, x335 = bits.Add64(x318, uint64(0x0), uint64(p521Uint1(x333))) - var x336 uint64 - var x337 uint64 - x336, x337 = bits.Add64(x320, uint64(0x0), uint64(p521Uint1(x335))) - var x338 uint64 - var x339 uint64 - x338, x339 = bits.Add64(x322, uint64(0x0), uint64(p521Uint1(x337))) - var x340 uint64 - var x341 uint64 - x340, x341 = bits.Add64(x324, uint64(0x0), uint64(p521Uint1(x339))) - var x342 uint64 - var x343 uint64 - x343, x342 = bits.Mul64(x326, 0x1ff) - var x344 uint64 - var x345 uint64 - x345, x344 = bits.Mul64(x326, 0xffffffffffffffff) - var x346 uint64 - var x347 uint64 - x347, x346 = bits.Mul64(x326, 0xffffffffffffffff) - var x348 uint64 - var x349 uint64 - x349, x348 = bits.Mul64(x326, 0xffffffffffffffff) - var x350 uint64 - var x351 uint64 - x351, x350 = bits.Mul64(x326, 0xffffffffffffffff) - var x352 uint64 - var x353 uint64 - x353, x352 = bits.Mul64(x326, 0xffffffffffffffff) - var x354 uint64 - var x355 uint64 - x355, x354 = bits.Mul64(x326, 0xffffffffffffffff) - var x356 uint64 - var x357 uint64 - x357, x356 = bits.Mul64(x326, 0xffffffffffffffff) - var x358 uint64 - var x359 uint64 - x359, x358 = bits.Mul64(x326, 0xffffffffffffffff) - var x360 uint64 - var x361 uint64 - x360, x361 = bits.Add64(x359, x356, uint64(0x0)) - var x362 uint64 - var x363 uint64 - x362, x363 = bits.Add64(x357, x354, uint64(p521Uint1(x361))) - var x364 uint64 - var x365 uint64 - x364, x365 = bits.Add64(x355, x352, uint64(p521Uint1(x363))) - var x366 uint64 - var x367 uint64 - x366, x367 = bits.Add64(x353, x350, uint64(p521Uint1(x365))) - var x368 uint64 - var x369 uint64 - x368, x369 = bits.Add64(x351, x348, uint64(p521Uint1(x367))) - var x370 uint64 - var x371 uint64 - x370, x371 = bits.Add64(x349, x346, uint64(p521Uint1(x369))) - var x372 uint64 - var x373 uint64 - x372, x373 = bits.Add64(x347, x344, uint64(p521Uint1(x371))) - var x374 uint64 - var x375 uint64 - x374, x375 = bits.Add64(x345, x342, uint64(p521Uint1(x373))) - var x377 uint64 - _, x377 = bits.Add64(x326, x358, uint64(0x0)) - var x378 uint64 - var x379 uint64 - x378, x379 = bits.Add64(x328, x360, uint64(p521Uint1(x377))) - var x380 uint64 - var x381 uint64 - x380, x381 = bits.Add64(x330, x362, uint64(p521Uint1(x379))) - var x382 uint64 - var x383 uint64 - x382, x383 = bits.Add64(x332, x364, uint64(p521Uint1(x381))) - var x384 uint64 - var x385 uint64 - x384, x385 = bits.Add64(x334, x366, uint64(p521Uint1(x383))) - var x386 uint64 - var x387 uint64 - x386, x387 = bits.Add64(x336, x368, uint64(p521Uint1(x385))) - var x388 uint64 - var x389 uint64 - x388, x389 = bits.Add64(x338, x370, uint64(p521Uint1(x387))) - var x390 uint64 - var x391 uint64 - x390, x391 = bits.Add64(x340, x372, uint64(p521Uint1(x389))) - var x392 uint64 - var x393 uint64 - x392, x393 = bits.Add64((uint64(p521Uint1(x341)) + (uint64(p521Uint1(x325)) + (uint64(p521Uint1(x307)) + x275))), x374, uint64(p521Uint1(x391))) - var x394 uint64 - var x395 uint64 - x394, x395 = bits.Add64(x378, arg1[6], uint64(0x0)) - var x396 uint64 - var x397 uint64 - x396, x397 = bits.Add64(x380, uint64(0x0), uint64(p521Uint1(x395))) - var x398 uint64 - var x399 uint64 - x398, x399 = bits.Add64(x382, uint64(0x0), uint64(p521Uint1(x397))) - var x400 uint64 - var x401 uint64 - x400, x401 = bits.Add64(x384, uint64(0x0), uint64(p521Uint1(x399))) - var x402 uint64 - var x403 uint64 - x402, x403 = bits.Add64(x386, uint64(0x0), uint64(p521Uint1(x401))) - var x404 uint64 - var x405 uint64 - x404, x405 = bits.Add64(x388, uint64(0x0), uint64(p521Uint1(x403))) - var x406 uint64 - var x407 uint64 - x406, x407 = bits.Add64(x390, uint64(0x0), uint64(p521Uint1(x405))) - var x408 uint64 - var x409 uint64 - x408, x409 = bits.Add64(x392, uint64(0x0), uint64(p521Uint1(x407))) - var x410 uint64 - var x411 uint64 - x411, x410 = bits.Mul64(x394, 0x1ff) - var x412 uint64 - var x413 uint64 - x413, x412 = bits.Mul64(x394, 0xffffffffffffffff) - var x414 uint64 - var x415 uint64 - x415, x414 = bits.Mul64(x394, 0xffffffffffffffff) - var x416 uint64 - var x417 uint64 - x417, x416 = bits.Mul64(x394, 0xffffffffffffffff) - var x418 uint64 - var x419 uint64 - x419, x418 = bits.Mul64(x394, 0xffffffffffffffff) - var x420 uint64 - var x421 uint64 - x421, x420 = bits.Mul64(x394, 0xffffffffffffffff) - var x422 uint64 - var x423 uint64 - x423, x422 = bits.Mul64(x394, 0xffffffffffffffff) - var x424 uint64 - var x425 uint64 - x425, x424 = bits.Mul64(x394, 0xffffffffffffffff) - var x426 uint64 - var x427 uint64 - x427, x426 = bits.Mul64(x394, 0xffffffffffffffff) - var x428 uint64 - var x429 uint64 - x428, x429 = bits.Add64(x427, x424, uint64(0x0)) - var x430 uint64 - var x431 uint64 - x430, x431 = bits.Add64(x425, x422, uint64(p521Uint1(x429))) - var x432 uint64 - var x433 uint64 - x432, x433 = bits.Add64(x423, x420, uint64(p521Uint1(x431))) - var x434 uint64 - var x435 uint64 - x434, x435 = bits.Add64(x421, x418, uint64(p521Uint1(x433))) - var x436 uint64 - var x437 uint64 - x436, x437 = bits.Add64(x419, x416, uint64(p521Uint1(x435))) - var x438 uint64 - var x439 uint64 - x438, x439 = bits.Add64(x417, x414, uint64(p521Uint1(x437))) - var x440 uint64 - var x441 uint64 - x440, x441 = bits.Add64(x415, x412, uint64(p521Uint1(x439))) - var x442 uint64 - var x443 uint64 - x442, x443 = bits.Add64(x413, x410, uint64(p521Uint1(x441))) - var x445 uint64 - _, x445 = bits.Add64(x394, x426, uint64(0x0)) - var x446 uint64 - var x447 uint64 - x446, x447 = bits.Add64(x396, x428, uint64(p521Uint1(x445))) - var x448 uint64 - var x449 uint64 - x448, x449 = bits.Add64(x398, x430, uint64(p521Uint1(x447))) - var x450 uint64 - var x451 uint64 - x450, x451 = bits.Add64(x400, x432, uint64(p521Uint1(x449))) - var x452 uint64 - var x453 uint64 - x452, x453 = bits.Add64(x402, x434, uint64(p521Uint1(x451))) - var x454 uint64 - var x455 uint64 - x454, x455 = bits.Add64(x404, x436, uint64(p521Uint1(x453))) - var x456 uint64 - var x457 uint64 - x456, x457 = bits.Add64(x406, x438, uint64(p521Uint1(x455))) - var x458 uint64 - var x459 uint64 - x458, x459 = bits.Add64(x408, x440, uint64(p521Uint1(x457))) - var x460 uint64 - var x461 uint64 - x460, x461 = bits.Add64((uint64(p521Uint1(x409)) + (uint64(p521Uint1(x393)) + (uint64(p521Uint1(x375)) + x343))), x442, uint64(p521Uint1(x459))) - var x462 uint64 - var x463 uint64 - x462, x463 = bits.Add64(x446, arg1[7], uint64(0x0)) - var x464 uint64 - var x465 uint64 - x464, x465 = bits.Add64(x448, uint64(0x0), uint64(p521Uint1(x463))) - var x466 uint64 - var x467 uint64 - x466, x467 = bits.Add64(x450, uint64(0x0), uint64(p521Uint1(x465))) - var x468 uint64 - var x469 uint64 - x468, x469 = bits.Add64(x452, uint64(0x0), uint64(p521Uint1(x467))) - var x470 uint64 - var x471 uint64 - x470, x471 = bits.Add64(x454, uint64(0x0), uint64(p521Uint1(x469))) - var x472 uint64 - var x473 uint64 - x472, x473 = bits.Add64(x456, uint64(0x0), uint64(p521Uint1(x471))) - var x474 uint64 - var x475 uint64 - x474, x475 = bits.Add64(x458, uint64(0x0), uint64(p521Uint1(x473))) - var x476 uint64 - var x477 uint64 - x476, x477 = bits.Add64(x460, uint64(0x0), uint64(p521Uint1(x475))) - var x478 uint64 - var x479 uint64 - x479, x478 = bits.Mul64(x462, 0x1ff) - var x480 uint64 - var x481 uint64 - x481, x480 = bits.Mul64(x462, 0xffffffffffffffff) - var x482 uint64 - var x483 uint64 - x483, x482 = bits.Mul64(x462, 0xffffffffffffffff) - var x484 uint64 - var x485 uint64 - x485, x484 = bits.Mul64(x462, 0xffffffffffffffff) - var x486 uint64 - var x487 uint64 - x487, x486 = bits.Mul64(x462, 0xffffffffffffffff) - var x488 uint64 - var x489 uint64 - x489, x488 = bits.Mul64(x462, 0xffffffffffffffff) - var x490 uint64 - var x491 uint64 - x491, x490 = bits.Mul64(x462, 0xffffffffffffffff) - var x492 uint64 - var x493 uint64 - x493, x492 = bits.Mul64(x462, 0xffffffffffffffff) - var x494 uint64 - var x495 uint64 - x495, x494 = bits.Mul64(x462, 0xffffffffffffffff) - var x496 uint64 - var x497 uint64 - x496, x497 = bits.Add64(x495, x492, uint64(0x0)) - var x498 uint64 - var x499 uint64 - x498, x499 = bits.Add64(x493, x490, uint64(p521Uint1(x497))) - var x500 uint64 - var x501 uint64 - x500, x501 = bits.Add64(x491, x488, uint64(p521Uint1(x499))) - var x502 uint64 - var x503 uint64 - x502, x503 = bits.Add64(x489, x486, uint64(p521Uint1(x501))) - var x504 uint64 - var x505 uint64 - x504, x505 = bits.Add64(x487, x484, uint64(p521Uint1(x503))) - var x506 uint64 - var x507 uint64 - x506, x507 = bits.Add64(x485, x482, uint64(p521Uint1(x505))) - var x508 uint64 - var x509 uint64 - x508, x509 = bits.Add64(x483, x480, uint64(p521Uint1(x507))) - var x510 uint64 - var x511 uint64 - x510, x511 = bits.Add64(x481, x478, uint64(p521Uint1(x509))) - var x513 uint64 - _, x513 = bits.Add64(x462, x494, uint64(0x0)) - var x514 uint64 - var x515 uint64 - x514, x515 = bits.Add64(x464, x496, uint64(p521Uint1(x513))) - var x516 uint64 - var x517 uint64 - x516, x517 = bits.Add64(x466, x498, uint64(p521Uint1(x515))) - var x518 uint64 - var x519 uint64 - x518, x519 = bits.Add64(x468, x500, uint64(p521Uint1(x517))) - var x520 uint64 - var x521 uint64 - x520, x521 = bits.Add64(x470, x502, uint64(p521Uint1(x519))) - var x522 uint64 - var x523 uint64 - x522, x523 = bits.Add64(x472, x504, uint64(p521Uint1(x521))) - var x524 uint64 - var x525 uint64 - x524, x525 = bits.Add64(x474, x506, uint64(p521Uint1(x523))) - var x526 uint64 - var x527 uint64 - x526, x527 = bits.Add64(x476, x508, uint64(p521Uint1(x525))) - var x528 uint64 - var x529 uint64 - x528, x529 = bits.Add64((uint64(p521Uint1(x477)) + (uint64(p521Uint1(x461)) + (uint64(p521Uint1(x443)) + x411))), x510, uint64(p521Uint1(x527))) - var x530 uint64 - var x531 uint64 - x530, x531 = bits.Add64(x514, arg1[8], uint64(0x0)) - var x532 uint64 - var x533 uint64 - x532, x533 = bits.Add64(x516, uint64(0x0), uint64(p521Uint1(x531))) - var x534 uint64 - var x535 uint64 - x534, x535 = bits.Add64(x518, uint64(0x0), uint64(p521Uint1(x533))) - var x536 uint64 - var x537 uint64 - x536, x537 = bits.Add64(x520, uint64(0x0), uint64(p521Uint1(x535))) - var x538 uint64 - var x539 uint64 - x538, x539 = bits.Add64(x522, uint64(0x0), uint64(p521Uint1(x537))) - var x540 uint64 - var x541 uint64 - x540, x541 = bits.Add64(x524, uint64(0x0), uint64(p521Uint1(x539))) - var x542 uint64 - var x543 uint64 - x542, x543 = bits.Add64(x526, uint64(0x0), uint64(p521Uint1(x541))) - var x544 uint64 - var x545 uint64 - x544, x545 = bits.Add64(x528, uint64(0x0), uint64(p521Uint1(x543))) - var x546 uint64 - var x547 uint64 - x547, x546 = bits.Mul64(x530, 0x1ff) - var x548 uint64 - var x549 uint64 - x549, x548 = bits.Mul64(x530, 0xffffffffffffffff) - var x550 uint64 - var x551 uint64 - x551, x550 = bits.Mul64(x530, 0xffffffffffffffff) - var x552 uint64 - var x553 uint64 - x553, x552 = bits.Mul64(x530, 0xffffffffffffffff) - var x554 uint64 - var x555 uint64 - x555, x554 = bits.Mul64(x530, 0xffffffffffffffff) - var x556 uint64 - var x557 uint64 - x557, x556 = bits.Mul64(x530, 0xffffffffffffffff) - var x558 uint64 - var x559 uint64 - x559, x558 = bits.Mul64(x530, 0xffffffffffffffff) - var x560 uint64 - var x561 uint64 - x561, x560 = bits.Mul64(x530, 0xffffffffffffffff) - var x562 uint64 - var x563 uint64 - x563, x562 = bits.Mul64(x530, 0xffffffffffffffff) - var x564 uint64 - var x565 uint64 - x564, x565 = bits.Add64(x563, x560, uint64(0x0)) - var x566 uint64 - var x567 uint64 - x566, x567 = bits.Add64(x561, x558, uint64(p521Uint1(x565))) - var x568 uint64 - var x569 uint64 - x568, x569 = bits.Add64(x559, x556, uint64(p521Uint1(x567))) - var x570 uint64 - var x571 uint64 - x570, x571 = bits.Add64(x557, x554, uint64(p521Uint1(x569))) - var x572 uint64 - var x573 uint64 - x572, x573 = bits.Add64(x555, x552, uint64(p521Uint1(x571))) - var x574 uint64 - var x575 uint64 - x574, x575 = bits.Add64(x553, x550, uint64(p521Uint1(x573))) - var x576 uint64 - var x577 uint64 - x576, x577 = bits.Add64(x551, x548, uint64(p521Uint1(x575))) - var x578 uint64 - var x579 uint64 - x578, x579 = bits.Add64(x549, x546, uint64(p521Uint1(x577))) - var x581 uint64 - _, x581 = bits.Add64(x530, x562, uint64(0x0)) - var x582 uint64 - var x583 uint64 - x582, x583 = bits.Add64(x532, x564, uint64(p521Uint1(x581))) - var x584 uint64 - var x585 uint64 - x584, x585 = bits.Add64(x534, x566, uint64(p521Uint1(x583))) - var x586 uint64 - var x587 uint64 - x586, x587 = bits.Add64(x536, x568, uint64(p521Uint1(x585))) - var x588 uint64 - var x589 uint64 - x588, x589 = bits.Add64(x538, x570, uint64(p521Uint1(x587))) - var x590 uint64 - var x591 uint64 - x590, x591 = bits.Add64(x540, x572, uint64(p521Uint1(x589))) - var x592 uint64 - var x593 uint64 - x592, x593 = bits.Add64(x542, x574, uint64(p521Uint1(x591))) - var x594 uint64 - var x595 uint64 - x594, x595 = bits.Add64(x544, x576, uint64(p521Uint1(x593))) - var x596 uint64 - var x597 uint64 - x596, x597 = bits.Add64((uint64(p521Uint1(x545)) + (uint64(p521Uint1(x529)) + (uint64(p521Uint1(x511)) + x479))), x578, uint64(p521Uint1(x595))) - x598 := (uint64(p521Uint1(x597)) + (uint64(p521Uint1(x579)) + x547)) - var x599 uint64 - var x600 uint64 - x599, x600 = bits.Sub64(x582, 0xffffffffffffffff, uint64(0x0)) - var x601 uint64 - var x602 uint64 - x601, x602 = bits.Sub64(x584, 0xffffffffffffffff, uint64(p521Uint1(x600))) - var x603 uint64 - var x604 uint64 - x603, x604 = bits.Sub64(x586, 0xffffffffffffffff, uint64(p521Uint1(x602))) - var x605 uint64 - var x606 uint64 - x605, x606 = bits.Sub64(x588, 0xffffffffffffffff, uint64(p521Uint1(x604))) - var x607 uint64 - var x608 uint64 - x607, x608 = bits.Sub64(x590, 0xffffffffffffffff, uint64(p521Uint1(x606))) - var x609 uint64 - var x610 uint64 - x609, x610 = bits.Sub64(x592, 0xffffffffffffffff, uint64(p521Uint1(x608))) - var x611 uint64 - var x612 uint64 - x611, x612 = bits.Sub64(x594, 0xffffffffffffffff, uint64(p521Uint1(x610))) - var x613 uint64 - var x614 uint64 - x613, x614 = bits.Sub64(x596, 0xffffffffffffffff, uint64(p521Uint1(x612))) - var x615 uint64 - var x616 uint64 - x615, x616 = bits.Sub64(x598, 0x1ff, uint64(p521Uint1(x614))) - var x618 uint64 - _, x618 = bits.Sub64(uint64(0x0), uint64(0x0), uint64(p521Uint1(x616))) - var x619 uint64 - p521CmovznzU64(&x619, p521Uint1(x618), x599, x582) - var x620 uint64 - p521CmovznzU64(&x620, p521Uint1(x618), x601, x584) - var x621 uint64 - p521CmovznzU64(&x621, p521Uint1(x618), x603, x586) - var x622 uint64 - p521CmovznzU64(&x622, p521Uint1(x618), x605, x588) - var x623 uint64 - p521CmovznzU64(&x623, p521Uint1(x618), x607, x590) - var x624 uint64 - p521CmovznzU64(&x624, p521Uint1(x618), x609, x592) - var x625 uint64 - p521CmovznzU64(&x625, p521Uint1(x618), x611, x594) - var x626 uint64 - p521CmovznzU64(&x626, p521Uint1(x618), x613, x596) - var x627 uint64 - p521CmovznzU64(&x627, p521Uint1(x618), x615, x598) - out1[0] = x619 - out1[1] = x620 - out1[2] = x621 - out1[3] = x622 - out1[4] = x623 - out1[5] = x624 - out1[6] = x625 - out1[7] = x626 - out1[8] = x627 -} - -// p521ToMontgomery translates a field element into the Montgomery domain. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// eval (from_montgomery out1) mod m = eval arg1 mod m -// 0 ≤ eval out1 < m -func p521ToMontgomery(out1 *p521MontgomeryDomainFieldElement, arg1 *p521NonMontgomeryDomainFieldElement) { - var x1 uint64 - var x2 uint64 - x2, x1 = bits.Mul64(arg1[0], 0x400000000000) - var x3 uint64 - var x4 uint64 - x4, x3 = bits.Mul64(arg1[1], 0x400000000000) - var x5 uint64 - var x6 uint64 - x5, x6 = bits.Add64(x2, x3, uint64(0x0)) - var x7 uint64 - var x8 uint64 - x8, x7 = bits.Mul64(x1, 0x1ff) - var x9 uint64 - var x10 uint64 - x10, x9 = bits.Mul64(x1, 0xffffffffffffffff) - var x11 uint64 - var x12 uint64 - x12, x11 = bits.Mul64(x1, 0xffffffffffffffff) - var x13 uint64 - var x14 uint64 - x14, x13 = bits.Mul64(x1, 0xffffffffffffffff) - var x15 uint64 - var x16 uint64 - x16, x15 = bits.Mul64(x1, 0xffffffffffffffff) - var x17 uint64 - var x18 uint64 - x18, x17 = bits.Mul64(x1, 0xffffffffffffffff) - var x19 uint64 - var x20 uint64 - x20, x19 = bits.Mul64(x1, 0xffffffffffffffff) - var x21 uint64 - var x22 uint64 - x22, x21 = bits.Mul64(x1, 0xffffffffffffffff) - var x23 uint64 - var x24 uint64 - x24, x23 = bits.Mul64(x1, 0xffffffffffffffff) - var x25 uint64 - var x26 uint64 - x25, x26 = bits.Add64(x24, x21, uint64(0x0)) - var x27 uint64 - var x28 uint64 - x27, x28 = bits.Add64(x22, x19, uint64(p521Uint1(x26))) - var x29 uint64 - var x30 uint64 - x29, x30 = bits.Add64(x20, x17, uint64(p521Uint1(x28))) - var x31 uint64 - var x32 uint64 - x31, x32 = bits.Add64(x18, x15, uint64(p521Uint1(x30))) - var x33 uint64 - var x34 uint64 - x33, x34 = bits.Add64(x16, x13, uint64(p521Uint1(x32))) - var x35 uint64 - var x36 uint64 - x35, x36 = bits.Add64(x14, x11, uint64(p521Uint1(x34))) - var x37 uint64 - var x38 uint64 - x37, x38 = bits.Add64(x12, x9, uint64(p521Uint1(x36))) - var x39 uint64 - var x40 uint64 - x39, x40 = bits.Add64(x10, x7, uint64(p521Uint1(x38))) - var x42 uint64 - _, x42 = bits.Add64(x1, x23, uint64(0x0)) - var x43 uint64 - var x44 uint64 - x43, x44 = bits.Add64(x5, x25, uint64(p521Uint1(x42))) - var x45 uint64 - var x46 uint64 - x45, x46 = bits.Add64((uint64(p521Uint1(x6)) + x4), x27, uint64(p521Uint1(x44))) - var x47 uint64 - var x48 uint64 - x47, x48 = bits.Add64(uint64(0x0), x29, uint64(p521Uint1(x46))) - var x49 uint64 - var x50 uint64 - x49, x50 = bits.Add64(uint64(0x0), x31, uint64(p521Uint1(x48))) - var x51 uint64 - var x52 uint64 - x51, x52 = bits.Add64(uint64(0x0), x33, uint64(p521Uint1(x50))) - var x53 uint64 - var x54 uint64 - x53, x54 = bits.Add64(uint64(0x0), x35, uint64(p521Uint1(x52))) - var x55 uint64 - var x56 uint64 - x55, x56 = bits.Add64(uint64(0x0), x37, uint64(p521Uint1(x54))) - var x57 uint64 - var x58 uint64 - x57, x58 = bits.Add64(uint64(0x0), x39, uint64(p521Uint1(x56))) - var x59 uint64 - var x60 uint64 - x60, x59 = bits.Mul64(arg1[2], 0x400000000000) - var x61 uint64 - var x62 uint64 - x61, x62 = bits.Add64(x45, x59, uint64(0x0)) - var x63 uint64 - var x64 uint64 - x63, x64 = bits.Add64(x47, x60, uint64(p521Uint1(x62))) - var x65 uint64 - var x66 uint64 - x65, x66 = bits.Add64(x49, uint64(0x0), uint64(p521Uint1(x64))) - var x67 uint64 - var x68 uint64 - x67, x68 = bits.Add64(x51, uint64(0x0), uint64(p521Uint1(x66))) - var x69 uint64 - var x70 uint64 - x69, x70 = bits.Add64(x53, uint64(0x0), uint64(p521Uint1(x68))) - var x71 uint64 - var x72 uint64 - x71, x72 = bits.Add64(x55, uint64(0x0), uint64(p521Uint1(x70))) - var x73 uint64 - var x74 uint64 - x73, x74 = bits.Add64(x57, uint64(0x0), uint64(p521Uint1(x72))) - var x75 uint64 - var x76 uint64 - x76, x75 = bits.Mul64(x43, 0x1ff) - var x77 uint64 - var x78 uint64 - x78, x77 = bits.Mul64(x43, 0xffffffffffffffff) - var x79 uint64 - var x80 uint64 - x80, x79 = bits.Mul64(x43, 0xffffffffffffffff) - var x81 uint64 - var x82 uint64 - x82, x81 = bits.Mul64(x43, 0xffffffffffffffff) - var x83 uint64 - var x84 uint64 - x84, x83 = bits.Mul64(x43, 0xffffffffffffffff) - var x85 uint64 - var x86 uint64 - x86, x85 = bits.Mul64(x43, 0xffffffffffffffff) - var x87 uint64 - var x88 uint64 - x88, x87 = bits.Mul64(x43, 0xffffffffffffffff) - var x89 uint64 - var x90 uint64 - x90, x89 = bits.Mul64(x43, 0xffffffffffffffff) - var x91 uint64 - var x92 uint64 - x92, x91 = bits.Mul64(x43, 0xffffffffffffffff) - var x93 uint64 - var x94 uint64 - x93, x94 = bits.Add64(x92, x89, uint64(0x0)) - var x95 uint64 - var x96 uint64 - x95, x96 = bits.Add64(x90, x87, uint64(p521Uint1(x94))) - var x97 uint64 - var x98 uint64 - x97, x98 = bits.Add64(x88, x85, uint64(p521Uint1(x96))) - var x99 uint64 - var x100 uint64 - x99, x100 = bits.Add64(x86, x83, uint64(p521Uint1(x98))) - var x101 uint64 - var x102 uint64 - x101, x102 = bits.Add64(x84, x81, uint64(p521Uint1(x100))) - var x103 uint64 - var x104 uint64 - x103, x104 = bits.Add64(x82, x79, uint64(p521Uint1(x102))) - var x105 uint64 - var x106 uint64 - x105, x106 = bits.Add64(x80, x77, uint64(p521Uint1(x104))) - var x107 uint64 - var x108 uint64 - x107, x108 = bits.Add64(x78, x75, uint64(p521Uint1(x106))) - var x110 uint64 - _, x110 = bits.Add64(x43, x91, uint64(0x0)) - var x111 uint64 - var x112 uint64 - x111, x112 = bits.Add64(x61, x93, uint64(p521Uint1(x110))) - var x113 uint64 - var x114 uint64 - x113, x114 = bits.Add64(x63, x95, uint64(p521Uint1(x112))) - var x115 uint64 - var x116 uint64 - x115, x116 = bits.Add64(x65, x97, uint64(p521Uint1(x114))) - var x117 uint64 - var x118 uint64 - x117, x118 = bits.Add64(x67, x99, uint64(p521Uint1(x116))) - var x119 uint64 - var x120 uint64 - x119, x120 = bits.Add64(x69, x101, uint64(p521Uint1(x118))) - var x121 uint64 - var x122 uint64 - x121, x122 = bits.Add64(x71, x103, uint64(p521Uint1(x120))) - var x123 uint64 - var x124 uint64 - x123, x124 = bits.Add64(x73, x105, uint64(p521Uint1(x122))) - var x125 uint64 - var x126 uint64 - x125, x126 = bits.Add64((uint64(p521Uint1(x74)) + (uint64(p521Uint1(x58)) + (uint64(p521Uint1(x40)) + x8))), x107, uint64(p521Uint1(x124))) - var x127 uint64 - var x128 uint64 - x128, x127 = bits.Mul64(arg1[3], 0x400000000000) - var x129 uint64 - var x130 uint64 - x129, x130 = bits.Add64(x113, x127, uint64(0x0)) - var x131 uint64 - var x132 uint64 - x131, x132 = bits.Add64(x115, x128, uint64(p521Uint1(x130))) - var x133 uint64 - var x134 uint64 - x133, x134 = bits.Add64(x117, uint64(0x0), uint64(p521Uint1(x132))) - var x135 uint64 - var x136 uint64 - x135, x136 = bits.Add64(x119, uint64(0x0), uint64(p521Uint1(x134))) - var x137 uint64 - var x138 uint64 - x137, x138 = bits.Add64(x121, uint64(0x0), uint64(p521Uint1(x136))) - var x139 uint64 - var x140 uint64 - x139, x140 = bits.Add64(x123, uint64(0x0), uint64(p521Uint1(x138))) - var x141 uint64 - var x142 uint64 - x141, x142 = bits.Add64(x125, uint64(0x0), uint64(p521Uint1(x140))) - var x143 uint64 - var x144 uint64 - x144, x143 = bits.Mul64(x111, 0x1ff) - var x145 uint64 - var x146 uint64 - x146, x145 = bits.Mul64(x111, 0xffffffffffffffff) - var x147 uint64 - var x148 uint64 - x148, x147 = bits.Mul64(x111, 0xffffffffffffffff) - var x149 uint64 - var x150 uint64 - x150, x149 = bits.Mul64(x111, 0xffffffffffffffff) - var x151 uint64 - var x152 uint64 - x152, x151 = bits.Mul64(x111, 0xffffffffffffffff) - var x153 uint64 - var x154 uint64 - x154, x153 = bits.Mul64(x111, 0xffffffffffffffff) - var x155 uint64 - var x156 uint64 - x156, x155 = bits.Mul64(x111, 0xffffffffffffffff) - var x157 uint64 - var x158 uint64 - x158, x157 = bits.Mul64(x111, 0xffffffffffffffff) - var x159 uint64 - var x160 uint64 - x160, x159 = bits.Mul64(x111, 0xffffffffffffffff) - var x161 uint64 - var x162 uint64 - x161, x162 = bits.Add64(x160, x157, uint64(0x0)) - var x163 uint64 - var x164 uint64 - x163, x164 = bits.Add64(x158, x155, uint64(p521Uint1(x162))) - var x165 uint64 - var x166 uint64 - x165, x166 = bits.Add64(x156, x153, uint64(p521Uint1(x164))) - var x167 uint64 - var x168 uint64 - x167, x168 = bits.Add64(x154, x151, uint64(p521Uint1(x166))) - var x169 uint64 - var x170 uint64 - x169, x170 = bits.Add64(x152, x149, uint64(p521Uint1(x168))) - var x171 uint64 - var x172 uint64 - x171, x172 = bits.Add64(x150, x147, uint64(p521Uint1(x170))) - var x173 uint64 - var x174 uint64 - x173, x174 = bits.Add64(x148, x145, uint64(p521Uint1(x172))) - var x175 uint64 - var x176 uint64 - x175, x176 = bits.Add64(x146, x143, uint64(p521Uint1(x174))) - var x178 uint64 - _, x178 = bits.Add64(x111, x159, uint64(0x0)) - var x179 uint64 - var x180 uint64 - x179, x180 = bits.Add64(x129, x161, uint64(p521Uint1(x178))) - var x181 uint64 - var x182 uint64 - x181, x182 = bits.Add64(x131, x163, uint64(p521Uint1(x180))) - var x183 uint64 - var x184 uint64 - x183, x184 = bits.Add64(x133, x165, uint64(p521Uint1(x182))) - var x185 uint64 - var x186 uint64 - x185, x186 = bits.Add64(x135, x167, uint64(p521Uint1(x184))) - var x187 uint64 - var x188 uint64 - x187, x188 = bits.Add64(x137, x169, uint64(p521Uint1(x186))) - var x189 uint64 - var x190 uint64 - x189, x190 = bits.Add64(x139, x171, uint64(p521Uint1(x188))) - var x191 uint64 - var x192 uint64 - x191, x192 = bits.Add64(x141, x173, uint64(p521Uint1(x190))) - var x193 uint64 - var x194 uint64 - x193, x194 = bits.Add64((uint64(p521Uint1(x142)) + (uint64(p521Uint1(x126)) + (uint64(p521Uint1(x108)) + x76))), x175, uint64(p521Uint1(x192))) - var x195 uint64 - var x196 uint64 - x196, x195 = bits.Mul64(arg1[4], 0x400000000000) - var x197 uint64 - var x198 uint64 - x197, x198 = bits.Add64(x181, x195, uint64(0x0)) - var x199 uint64 - var x200 uint64 - x199, x200 = bits.Add64(x183, x196, uint64(p521Uint1(x198))) - var x201 uint64 - var x202 uint64 - x201, x202 = bits.Add64(x185, uint64(0x0), uint64(p521Uint1(x200))) - var x203 uint64 - var x204 uint64 - x203, x204 = bits.Add64(x187, uint64(0x0), uint64(p521Uint1(x202))) - var x205 uint64 - var x206 uint64 - x205, x206 = bits.Add64(x189, uint64(0x0), uint64(p521Uint1(x204))) - var x207 uint64 - var x208 uint64 - x207, x208 = bits.Add64(x191, uint64(0x0), uint64(p521Uint1(x206))) - var x209 uint64 - var x210 uint64 - x209, x210 = bits.Add64(x193, uint64(0x0), uint64(p521Uint1(x208))) - var x211 uint64 - var x212 uint64 - x212, x211 = bits.Mul64(x179, 0x1ff) - var x213 uint64 - var x214 uint64 - x214, x213 = bits.Mul64(x179, 0xffffffffffffffff) - var x215 uint64 - var x216 uint64 - x216, x215 = bits.Mul64(x179, 0xffffffffffffffff) - var x217 uint64 - var x218 uint64 - x218, x217 = bits.Mul64(x179, 0xffffffffffffffff) - var x219 uint64 - var x220 uint64 - x220, x219 = bits.Mul64(x179, 0xffffffffffffffff) - var x221 uint64 - var x222 uint64 - x222, x221 = bits.Mul64(x179, 0xffffffffffffffff) - var x223 uint64 - var x224 uint64 - x224, x223 = bits.Mul64(x179, 0xffffffffffffffff) - var x225 uint64 - var x226 uint64 - x226, x225 = bits.Mul64(x179, 0xffffffffffffffff) - var x227 uint64 - var x228 uint64 - x228, x227 = bits.Mul64(x179, 0xffffffffffffffff) - var x229 uint64 - var x230 uint64 - x229, x230 = bits.Add64(x228, x225, uint64(0x0)) - var x231 uint64 - var x232 uint64 - x231, x232 = bits.Add64(x226, x223, uint64(p521Uint1(x230))) - var x233 uint64 - var x234 uint64 - x233, x234 = bits.Add64(x224, x221, uint64(p521Uint1(x232))) - var x235 uint64 - var x236 uint64 - x235, x236 = bits.Add64(x222, x219, uint64(p521Uint1(x234))) - var x237 uint64 - var x238 uint64 - x237, x238 = bits.Add64(x220, x217, uint64(p521Uint1(x236))) - var x239 uint64 - var x240 uint64 - x239, x240 = bits.Add64(x218, x215, uint64(p521Uint1(x238))) - var x241 uint64 - var x242 uint64 - x241, x242 = bits.Add64(x216, x213, uint64(p521Uint1(x240))) - var x243 uint64 - var x244 uint64 - x243, x244 = bits.Add64(x214, x211, uint64(p521Uint1(x242))) - var x246 uint64 - _, x246 = bits.Add64(x179, x227, uint64(0x0)) - var x247 uint64 - var x248 uint64 - x247, x248 = bits.Add64(x197, x229, uint64(p521Uint1(x246))) - var x249 uint64 - var x250 uint64 - x249, x250 = bits.Add64(x199, x231, uint64(p521Uint1(x248))) - var x251 uint64 - var x252 uint64 - x251, x252 = bits.Add64(x201, x233, uint64(p521Uint1(x250))) - var x253 uint64 - var x254 uint64 - x253, x254 = bits.Add64(x203, x235, uint64(p521Uint1(x252))) - var x255 uint64 - var x256 uint64 - x255, x256 = bits.Add64(x205, x237, uint64(p521Uint1(x254))) - var x257 uint64 - var x258 uint64 - x257, x258 = bits.Add64(x207, x239, uint64(p521Uint1(x256))) - var x259 uint64 - var x260 uint64 - x259, x260 = bits.Add64(x209, x241, uint64(p521Uint1(x258))) - var x261 uint64 - var x262 uint64 - x261, x262 = bits.Add64((uint64(p521Uint1(x210)) + (uint64(p521Uint1(x194)) + (uint64(p521Uint1(x176)) + x144))), x243, uint64(p521Uint1(x260))) - var x263 uint64 - var x264 uint64 - x264, x263 = bits.Mul64(arg1[5], 0x400000000000) - var x265 uint64 - var x266 uint64 - x265, x266 = bits.Add64(x249, x263, uint64(0x0)) - var x267 uint64 - var x268 uint64 - x267, x268 = bits.Add64(x251, x264, uint64(p521Uint1(x266))) - var x269 uint64 - var x270 uint64 - x269, x270 = bits.Add64(x253, uint64(0x0), uint64(p521Uint1(x268))) - var x271 uint64 - var x272 uint64 - x271, x272 = bits.Add64(x255, uint64(0x0), uint64(p521Uint1(x270))) - var x273 uint64 - var x274 uint64 - x273, x274 = bits.Add64(x257, uint64(0x0), uint64(p521Uint1(x272))) - var x275 uint64 - var x276 uint64 - x275, x276 = bits.Add64(x259, uint64(0x0), uint64(p521Uint1(x274))) - var x277 uint64 - var x278 uint64 - x277, x278 = bits.Add64(x261, uint64(0x0), uint64(p521Uint1(x276))) - var x279 uint64 - var x280 uint64 - x280, x279 = bits.Mul64(x247, 0x1ff) - var x281 uint64 - var x282 uint64 - x282, x281 = bits.Mul64(x247, 0xffffffffffffffff) - var x283 uint64 - var x284 uint64 - x284, x283 = bits.Mul64(x247, 0xffffffffffffffff) - var x285 uint64 - var x286 uint64 - x286, x285 = bits.Mul64(x247, 0xffffffffffffffff) - var x287 uint64 - var x288 uint64 - x288, x287 = bits.Mul64(x247, 0xffffffffffffffff) - var x289 uint64 - var x290 uint64 - x290, x289 = bits.Mul64(x247, 0xffffffffffffffff) - var x291 uint64 - var x292 uint64 - x292, x291 = bits.Mul64(x247, 0xffffffffffffffff) - var x293 uint64 - var x294 uint64 - x294, x293 = bits.Mul64(x247, 0xffffffffffffffff) - var x295 uint64 - var x296 uint64 - x296, x295 = bits.Mul64(x247, 0xffffffffffffffff) - var x297 uint64 - var x298 uint64 - x297, x298 = bits.Add64(x296, x293, uint64(0x0)) - var x299 uint64 - var x300 uint64 - x299, x300 = bits.Add64(x294, x291, uint64(p521Uint1(x298))) - var x301 uint64 - var x302 uint64 - x301, x302 = bits.Add64(x292, x289, uint64(p521Uint1(x300))) - var x303 uint64 - var x304 uint64 - x303, x304 = bits.Add64(x290, x287, uint64(p521Uint1(x302))) - var x305 uint64 - var x306 uint64 - x305, x306 = bits.Add64(x288, x285, uint64(p521Uint1(x304))) - var x307 uint64 - var x308 uint64 - x307, x308 = bits.Add64(x286, x283, uint64(p521Uint1(x306))) - var x309 uint64 - var x310 uint64 - x309, x310 = bits.Add64(x284, x281, uint64(p521Uint1(x308))) - var x311 uint64 - var x312 uint64 - x311, x312 = bits.Add64(x282, x279, uint64(p521Uint1(x310))) - var x314 uint64 - _, x314 = bits.Add64(x247, x295, uint64(0x0)) - var x315 uint64 - var x316 uint64 - x315, x316 = bits.Add64(x265, x297, uint64(p521Uint1(x314))) - var x317 uint64 - var x318 uint64 - x317, x318 = bits.Add64(x267, x299, uint64(p521Uint1(x316))) - var x319 uint64 - var x320 uint64 - x319, x320 = bits.Add64(x269, x301, uint64(p521Uint1(x318))) - var x321 uint64 - var x322 uint64 - x321, x322 = bits.Add64(x271, x303, uint64(p521Uint1(x320))) - var x323 uint64 - var x324 uint64 - x323, x324 = bits.Add64(x273, x305, uint64(p521Uint1(x322))) - var x325 uint64 - var x326 uint64 - x325, x326 = bits.Add64(x275, x307, uint64(p521Uint1(x324))) - var x327 uint64 - var x328 uint64 - x327, x328 = bits.Add64(x277, x309, uint64(p521Uint1(x326))) - var x329 uint64 - var x330 uint64 - x329, x330 = bits.Add64((uint64(p521Uint1(x278)) + (uint64(p521Uint1(x262)) + (uint64(p521Uint1(x244)) + x212))), x311, uint64(p521Uint1(x328))) - var x331 uint64 - var x332 uint64 - x332, x331 = bits.Mul64(arg1[6], 0x400000000000) - var x333 uint64 - var x334 uint64 - x333, x334 = bits.Add64(x317, x331, uint64(0x0)) - var x335 uint64 - var x336 uint64 - x335, x336 = bits.Add64(x319, x332, uint64(p521Uint1(x334))) - var x337 uint64 - var x338 uint64 - x337, x338 = bits.Add64(x321, uint64(0x0), uint64(p521Uint1(x336))) - var x339 uint64 - var x340 uint64 - x339, x340 = bits.Add64(x323, uint64(0x0), uint64(p521Uint1(x338))) - var x341 uint64 - var x342 uint64 - x341, x342 = bits.Add64(x325, uint64(0x0), uint64(p521Uint1(x340))) - var x343 uint64 - var x344 uint64 - x343, x344 = bits.Add64(x327, uint64(0x0), uint64(p521Uint1(x342))) - var x345 uint64 - var x346 uint64 - x345, x346 = bits.Add64(x329, uint64(0x0), uint64(p521Uint1(x344))) - var x347 uint64 - var x348 uint64 - x348, x347 = bits.Mul64(x315, 0x1ff) - var x349 uint64 - var x350 uint64 - x350, x349 = bits.Mul64(x315, 0xffffffffffffffff) - var x351 uint64 - var x352 uint64 - x352, x351 = bits.Mul64(x315, 0xffffffffffffffff) - var x353 uint64 - var x354 uint64 - x354, x353 = bits.Mul64(x315, 0xffffffffffffffff) - var x355 uint64 - var x356 uint64 - x356, x355 = bits.Mul64(x315, 0xffffffffffffffff) - var x357 uint64 - var x358 uint64 - x358, x357 = bits.Mul64(x315, 0xffffffffffffffff) - var x359 uint64 - var x360 uint64 - x360, x359 = bits.Mul64(x315, 0xffffffffffffffff) - var x361 uint64 - var x362 uint64 - x362, x361 = bits.Mul64(x315, 0xffffffffffffffff) - var x363 uint64 - var x364 uint64 - x364, x363 = bits.Mul64(x315, 0xffffffffffffffff) - var x365 uint64 - var x366 uint64 - x365, x366 = bits.Add64(x364, x361, uint64(0x0)) - var x367 uint64 - var x368 uint64 - x367, x368 = bits.Add64(x362, x359, uint64(p521Uint1(x366))) - var x369 uint64 - var x370 uint64 - x369, x370 = bits.Add64(x360, x357, uint64(p521Uint1(x368))) - var x371 uint64 - var x372 uint64 - x371, x372 = bits.Add64(x358, x355, uint64(p521Uint1(x370))) - var x373 uint64 - var x374 uint64 - x373, x374 = bits.Add64(x356, x353, uint64(p521Uint1(x372))) - var x375 uint64 - var x376 uint64 - x375, x376 = bits.Add64(x354, x351, uint64(p521Uint1(x374))) - var x377 uint64 - var x378 uint64 - x377, x378 = bits.Add64(x352, x349, uint64(p521Uint1(x376))) - var x379 uint64 - var x380 uint64 - x379, x380 = bits.Add64(x350, x347, uint64(p521Uint1(x378))) - var x382 uint64 - _, x382 = bits.Add64(x315, x363, uint64(0x0)) - var x383 uint64 - var x384 uint64 - x383, x384 = bits.Add64(x333, x365, uint64(p521Uint1(x382))) - var x385 uint64 - var x386 uint64 - x385, x386 = bits.Add64(x335, x367, uint64(p521Uint1(x384))) - var x387 uint64 - var x388 uint64 - x387, x388 = bits.Add64(x337, x369, uint64(p521Uint1(x386))) - var x389 uint64 - var x390 uint64 - x389, x390 = bits.Add64(x339, x371, uint64(p521Uint1(x388))) - var x391 uint64 - var x392 uint64 - x391, x392 = bits.Add64(x341, x373, uint64(p521Uint1(x390))) - var x393 uint64 - var x394 uint64 - x393, x394 = bits.Add64(x343, x375, uint64(p521Uint1(x392))) - var x395 uint64 - var x396 uint64 - x395, x396 = bits.Add64(x345, x377, uint64(p521Uint1(x394))) - var x397 uint64 - var x398 uint64 - x397, x398 = bits.Add64((uint64(p521Uint1(x346)) + (uint64(p521Uint1(x330)) + (uint64(p521Uint1(x312)) + x280))), x379, uint64(p521Uint1(x396))) - var x399 uint64 - var x400 uint64 - x400, x399 = bits.Mul64(arg1[7], 0x400000000000) - var x401 uint64 - var x402 uint64 - x401, x402 = bits.Add64(x385, x399, uint64(0x0)) - var x403 uint64 - var x404 uint64 - x403, x404 = bits.Add64(x387, x400, uint64(p521Uint1(x402))) - var x405 uint64 - var x406 uint64 - x405, x406 = bits.Add64(x389, uint64(0x0), uint64(p521Uint1(x404))) - var x407 uint64 - var x408 uint64 - x407, x408 = bits.Add64(x391, uint64(0x0), uint64(p521Uint1(x406))) - var x409 uint64 - var x410 uint64 - x409, x410 = bits.Add64(x393, uint64(0x0), uint64(p521Uint1(x408))) - var x411 uint64 - var x412 uint64 - x411, x412 = bits.Add64(x395, uint64(0x0), uint64(p521Uint1(x410))) - var x413 uint64 - var x414 uint64 - x413, x414 = bits.Add64(x397, uint64(0x0), uint64(p521Uint1(x412))) - var x415 uint64 - var x416 uint64 - x416, x415 = bits.Mul64(x383, 0x1ff) - var x417 uint64 - var x418 uint64 - x418, x417 = bits.Mul64(x383, 0xffffffffffffffff) - var x419 uint64 - var x420 uint64 - x420, x419 = bits.Mul64(x383, 0xffffffffffffffff) - var x421 uint64 - var x422 uint64 - x422, x421 = bits.Mul64(x383, 0xffffffffffffffff) - var x423 uint64 - var x424 uint64 - x424, x423 = bits.Mul64(x383, 0xffffffffffffffff) - var x425 uint64 - var x426 uint64 - x426, x425 = bits.Mul64(x383, 0xffffffffffffffff) - var x427 uint64 - var x428 uint64 - x428, x427 = bits.Mul64(x383, 0xffffffffffffffff) - var x429 uint64 - var x430 uint64 - x430, x429 = bits.Mul64(x383, 0xffffffffffffffff) - var x431 uint64 - var x432 uint64 - x432, x431 = bits.Mul64(x383, 0xffffffffffffffff) - var x433 uint64 - var x434 uint64 - x433, x434 = bits.Add64(x432, x429, uint64(0x0)) - var x435 uint64 - var x436 uint64 - x435, x436 = bits.Add64(x430, x427, uint64(p521Uint1(x434))) - var x437 uint64 - var x438 uint64 - x437, x438 = bits.Add64(x428, x425, uint64(p521Uint1(x436))) - var x439 uint64 - var x440 uint64 - x439, x440 = bits.Add64(x426, x423, uint64(p521Uint1(x438))) - var x441 uint64 - var x442 uint64 - x441, x442 = bits.Add64(x424, x421, uint64(p521Uint1(x440))) - var x443 uint64 - var x444 uint64 - x443, x444 = bits.Add64(x422, x419, uint64(p521Uint1(x442))) - var x445 uint64 - var x446 uint64 - x445, x446 = bits.Add64(x420, x417, uint64(p521Uint1(x444))) - var x447 uint64 - var x448 uint64 - x447, x448 = bits.Add64(x418, x415, uint64(p521Uint1(x446))) - var x450 uint64 - _, x450 = bits.Add64(x383, x431, uint64(0x0)) - var x451 uint64 - var x452 uint64 - x451, x452 = bits.Add64(x401, x433, uint64(p521Uint1(x450))) - var x453 uint64 - var x454 uint64 - x453, x454 = bits.Add64(x403, x435, uint64(p521Uint1(x452))) - var x455 uint64 - var x456 uint64 - x455, x456 = bits.Add64(x405, x437, uint64(p521Uint1(x454))) - var x457 uint64 - var x458 uint64 - x457, x458 = bits.Add64(x407, x439, uint64(p521Uint1(x456))) - var x459 uint64 - var x460 uint64 - x459, x460 = bits.Add64(x409, x441, uint64(p521Uint1(x458))) - var x461 uint64 - var x462 uint64 - x461, x462 = bits.Add64(x411, x443, uint64(p521Uint1(x460))) - var x463 uint64 - var x464 uint64 - x463, x464 = bits.Add64(x413, x445, uint64(p521Uint1(x462))) - var x465 uint64 - var x466 uint64 - x465, x466 = bits.Add64((uint64(p521Uint1(x414)) + (uint64(p521Uint1(x398)) + (uint64(p521Uint1(x380)) + x348))), x447, uint64(p521Uint1(x464))) - var x467 uint64 - var x468 uint64 - x468, x467 = bits.Mul64(arg1[8], 0x400000000000) - var x469 uint64 - var x470 uint64 - x469, x470 = bits.Add64(x453, x467, uint64(0x0)) - var x471 uint64 - var x472 uint64 - x471, x472 = bits.Add64(x455, x468, uint64(p521Uint1(x470))) - var x473 uint64 - var x474 uint64 - x473, x474 = bits.Add64(x457, uint64(0x0), uint64(p521Uint1(x472))) - var x475 uint64 - var x476 uint64 - x475, x476 = bits.Add64(x459, uint64(0x0), uint64(p521Uint1(x474))) - var x477 uint64 - var x478 uint64 - x477, x478 = bits.Add64(x461, uint64(0x0), uint64(p521Uint1(x476))) - var x479 uint64 - var x480 uint64 - x479, x480 = bits.Add64(x463, uint64(0x0), uint64(p521Uint1(x478))) - var x481 uint64 - var x482 uint64 - x481, x482 = bits.Add64(x465, uint64(0x0), uint64(p521Uint1(x480))) - var x483 uint64 - var x484 uint64 - x484, x483 = bits.Mul64(x451, 0x1ff) - var x485 uint64 - var x486 uint64 - x486, x485 = bits.Mul64(x451, 0xffffffffffffffff) - var x487 uint64 - var x488 uint64 - x488, x487 = bits.Mul64(x451, 0xffffffffffffffff) - var x489 uint64 - var x490 uint64 - x490, x489 = bits.Mul64(x451, 0xffffffffffffffff) - var x491 uint64 - var x492 uint64 - x492, x491 = bits.Mul64(x451, 0xffffffffffffffff) - var x493 uint64 - var x494 uint64 - x494, x493 = bits.Mul64(x451, 0xffffffffffffffff) - var x495 uint64 - var x496 uint64 - x496, x495 = bits.Mul64(x451, 0xffffffffffffffff) - var x497 uint64 - var x498 uint64 - x498, x497 = bits.Mul64(x451, 0xffffffffffffffff) - var x499 uint64 - var x500 uint64 - x500, x499 = bits.Mul64(x451, 0xffffffffffffffff) - var x501 uint64 - var x502 uint64 - x501, x502 = bits.Add64(x500, x497, uint64(0x0)) - var x503 uint64 - var x504 uint64 - x503, x504 = bits.Add64(x498, x495, uint64(p521Uint1(x502))) - var x505 uint64 - var x506 uint64 - x505, x506 = bits.Add64(x496, x493, uint64(p521Uint1(x504))) - var x507 uint64 - var x508 uint64 - x507, x508 = bits.Add64(x494, x491, uint64(p521Uint1(x506))) - var x509 uint64 - var x510 uint64 - x509, x510 = bits.Add64(x492, x489, uint64(p521Uint1(x508))) - var x511 uint64 - var x512 uint64 - x511, x512 = bits.Add64(x490, x487, uint64(p521Uint1(x510))) - var x513 uint64 - var x514 uint64 - x513, x514 = bits.Add64(x488, x485, uint64(p521Uint1(x512))) - var x515 uint64 - var x516 uint64 - x515, x516 = bits.Add64(x486, x483, uint64(p521Uint1(x514))) - var x518 uint64 - _, x518 = bits.Add64(x451, x499, uint64(0x0)) - var x519 uint64 - var x520 uint64 - x519, x520 = bits.Add64(x469, x501, uint64(p521Uint1(x518))) - var x521 uint64 - var x522 uint64 - x521, x522 = bits.Add64(x471, x503, uint64(p521Uint1(x520))) - var x523 uint64 - var x524 uint64 - x523, x524 = bits.Add64(x473, x505, uint64(p521Uint1(x522))) - var x525 uint64 - var x526 uint64 - x525, x526 = bits.Add64(x475, x507, uint64(p521Uint1(x524))) - var x527 uint64 - var x528 uint64 - x527, x528 = bits.Add64(x477, x509, uint64(p521Uint1(x526))) - var x529 uint64 - var x530 uint64 - x529, x530 = bits.Add64(x479, x511, uint64(p521Uint1(x528))) - var x531 uint64 - var x532 uint64 - x531, x532 = bits.Add64(x481, x513, uint64(p521Uint1(x530))) - var x533 uint64 - var x534 uint64 - x533, x534 = bits.Add64((uint64(p521Uint1(x482)) + (uint64(p521Uint1(x466)) + (uint64(p521Uint1(x448)) + x416))), x515, uint64(p521Uint1(x532))) - x535 := (uint64(p521Uint1(x534)) + (uint64(p521Uint1(x516)) + x484)) - var x536 uint64 - var x537 uint64 - x536, x537 = bits.Sub64(x519, 0xffffffffffffffff, uint64(0x0)) - var x538 uint64 - var x539 uint64 - x538, x539 = bits.Sub64(x521, 0xffffffffffffffff, uint64(p521Uint1(x537))) - var x540 uint64 - var x541 uint64 - x540, x541 = bits.Sub64(x523, 0xffffffffffffffff, uint64(p521Uint1(x539))) - var x542 uint64 - var x543 uint64 - x542, x543 = bits.Sub64(x525, 0xffffffffffffffff, uint64(p521Uint1(x541))) - var x544 uint64 - var x545 uint64 - x544, x545 = bits.Sub64(x527, 0xffffffffffffffff, uint64(p521Uint1(x543))) - var x546 uint64 - var x547 uint64 - x546, x547 = bits.Sub64(x529, 0xffffffffffffffff, uint64(p521Uint1(x545))) - var x548 uint64 - var x549 uint64 - x548, x549 = bits.Sub64(x531, 0xffffffffffffffff, uint64(p521Uint1(x547))) - var x550 uint64 - var x551 uint64 - x550, x551 = bits.Sub64(x533, 0xffffffffffffffff, uint64(p521Uint1(x549))) - var x552 uint64 - var x553 uint64 - x552, x553 = bits.Sub64(x535, 0x1ff, uint64(p521Uint1(x551))) - var x555 uint64 - _, x555 = bits.Sub64(uint64(0x0), uint64(0x0), uint64(p521Uint1(x553))) - var x556 uint64 - p521CmovznzU64(&x556, p521Uint1(x555), x536, x519) - var x557 uint64 - p521CmovznzU64(&x557, p521Uint1(x555), x538, x521) - var x558 uint64 - p521CmovznzU64(&x558, p521Uint1(x555), x540, x523) - var x559 uint64 - p521CmovznzU64(&x559, p521Uint1(x555), x542, x525) - var x560 uint64 - p521CmovznzU64(&x560, p521Uint1(x555), x544, x527) - var x561 uint64 - p521CmovznzU64(&x561, p521Uint1(x555), x546, x529) - var x562 uint64 - p521CmovznzU64(&x562, p521Uint1(x555), x548, x531) - var x563 uint64 - p521CmovznzU64(&x563, p521Uint1(x555), x550, x533) - var x564 uint64 - p521CmovznzU64(&x564, p521Uint1(x555), x552, x535) - out1[0] = x556 - out1[1] = x557 - out1[2] = x558 - out1[3] = x559 - out1[4] = x560 - out1[5] = x561 - out1[6] = x562 - out1[7] = x563 - out1[8] = x564 -} - -// p521Selectznz is a multi-limb conditional select. -// -// Postconditions: -// -// eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) -// -// Input Bounds: -// -// arg1: [0x0 ~> 0x1] -// arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -func p521Selectznz(out1 *[9]uint64, arg1 p521Uint1, arg2 *[9]uint64, arg3 *[9]uint64) { - var x1 uint64 - p521CmovznzU64(&x1, arg1, arg2[0], arg3[0]) - var x2 uint64 - p521CmovznzU64(&x2, arg1, arg2[1], arg3[1]) - var x3 uint64 - p521CmovznzU64(&x3, arg1, arg2[2], arg3[2]) - var x4 uint64 - p521CmovznzU64(&x4, arg1, arg2[3], arg3[3]) - var x5 uint64 - p521CmovznzU64(&x5, arg1, arg2[4], arg3[4]) - var x6 uint64 - p521CmovznzU64(&x6, arg1, arg2[5], arg3[5]) - var x7 uint64 - p521CmovznzU64(&x7, arg1, arg2[6], arg3[6]) - var x8 uint64 - p521CmovznzU64(&x8, arg1, arg2[7], arg3[7]) - var x9 uint64 - p521CmovznzU64(&x9, arg1, arg2[8], arg3[8]) - out1[0] = x1 - out1[1] = x2 - out1[2] = x3 - out1[3] = x4 - out1[4] = x5 - out1[5] = x6 - out1[6] = x7 - out1[7] = x8 - out1[8] = x9 -} - -// p521ToBytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. -// -// Preconditions: -// -// 0 ≤ eval arg1 < m -// -// Postconditions: -// -// out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..65] -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1ff]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]] -func p521ToBytes(out1 *[66]uint8, arg1 *[9]uint64) { - x1 := arg1[8] - x2 := arg1[7] - x3 := arg1[6] - x4 := arg1[5] - x5 := arg1[4] - x6 := arg1[3] - x7 := arg1[2] - x8 := arg1[1] - x9 := arg1[0] - x10 := (uint8(x9) & 0xff) - x11 := (x9 >> 8) - x12 := (uint8(x11) & 0xff) - x13 := (x11 >> 8) - x14 := (uint8(x13) & 0xff) - x15 := (x13 >> 8) - x16 := (uint8(x15) & 0xff) - x17 := (x15 >> 8) - x18 := (uint8(x17) & 0xff) - x19 := (x17 >> 8) - x20 := (uint8(x19) & 0xff) - x21 := (x19 >> 8) - x22 := (uint8(x21) & 0xff) - x23 := uint8((x21 >> 8)) - x24 := (uint8(x8) & 0xff) - x25 := (x8 >> 8) - x26 := (uint8(x25) & 0xff) - x27 := (x25 >> 8) - x28 := (uint8(x27) & 0xff) - x29 := (x27 >> 8) - x30 := (uint8(x29) & 0xff) - x31 := (x29 >> 8) - x32 := (uint8(x31) & 0xff) - x33 := (x31 >> 8) - x34 := (uint8(x33) & 0xff) - x35 := (x33 >> 8) - x36 := (uint8(x35) & 0xff) - x37 := uint8((x35 >> 8)) - x38 := (uint8(x7) & 0xff) - x39 := (x7 >> 8) - x40 := (uint8(x39) & 0xff) - x41 := (x39 >> 8) - x42 := (uint8(x41) & 0xff) - x43 := (x41 >> 8) - x44 := (uint8(x43) & 0xff) - x45 := (x43 >> 8) - x46 := (uint8(x45) & 0xff) - x47 := (x45 >> 8) - x48 := (uint8(x47) & 0xff) - x49 := (x47 >> 8) - x50 := (uint8(x49) & 0xff) - x51 := uint8((x49 >> 8)) - x52 := (uint8(x6) & 0xff) - x53 := (x6 >> 8) - x54 := (uint8(x53) & 0xff) - x55 := (x53 >> 8) - x56 := (uint8(x55) & 0xff) - x57 := (x55 >> 8) - x58 := (uint8(x57) & 0xff) - x59 := (x57 >> 8) - x60 := (uint8(x59) & 0xff) - x61 := (x59 >> 8) - x62 := (uint8(x61) & 0xff) - x63 := (x61 >> 8) - x64 := (uint8(x63) & 0xff) - x65 := uint8((x63 >> 8)) - x66 := (uint8(x5) & 0xff) - x67 := (x5 >> 8) - x68 := (uint8(x67) & 0xff) - x69 := (x67 >> 8) - x70 := (uint8(x69) & 0xff) - x71 := (x69 >> 8) - x72 := (uint8(x71) & 0xff) - x73 := (x71 >> 8) - x74 := (uint8(x73) & 0xff) - x75 := (x73 >> 8) - x76 := (uint8(x75) & 0xff) - x77 := (x75 >> 8) - x78 := (uint8(x77) & 0xff) - x79 := uint8((x77 >> 8)) - x80 := (uint8(x4) & 0xff) - x81 := (x4 >> 8) - x82 := (uint8(x81) & 0xff) - x83 := (x81 >> 8) - x84 := (uint8(x83) & 0xff) - x85 := (x83 >> 8) - x86 := (uint8(x85) & 0xff) - x87 := (x85 >> 8) - x88 := (uint8(x87) & 0xff) - x89 := (x87 >> 8) - x90 := (uint8(x89) & 0xff) - x91 := (x89 >> 8) - x92 := (uint8(x91) & 0xff) - x93 := uint8((x91 >> 8)) - x94 := (uint8(x3) & 0xff) - x95 := (x3 >> 8) - x96 := (uint8(x95) & 0xff) - x97 := (x95 >> 8) - x98 := (uint8(x97) & 0xff) - x99 := (x97 >> 8) - x100 := (uint8(x99) & 0xff) - x101 := (x99 >> 8) - x102 := (uint8(x101) & 0xff) - x103 := (x101 >> 8) - x104 := (uint8(x103) & 0xff) - x105 := (x103 >> 8) - x106 := (uint8(x105) & 0xff) - x107 := uint8((x105 >> 8)) - x108 := (uint8(x2) & 0xff) - x109 := (x2 >> 8) - x110 := (uint8(x109) & 0xff) - x111 := (x109 >> 8) - x112 := (uint8(x111) & 0xff) - x113 := (x111 >> 8) - x114 := (uint8(x113) & 0xff) - x115 := (x113 >> 8) - x116 := (uint8(x115) & 0xff) - x117 := (x115 >> 8) - x118 := (uint8(x117) & 0xff) - x119 := (x117 >> 8) - x120 := (uint8(x119) & 0xff) - x121 := uint8((x119 >> 8)) - x122 := (uint8(x1) & 0xff) - x123 := p521Uint1((x1 >> 8)) - out1[0] = x10 - out1[1] = x12 - out1[2] = x14 - out1[3] = x16 - out1[4] = x18 - out1[5] = x20 - out1[6] = x22 - out1[7] = x23 - out1[8] = x24 - out1[9] = x26 - out1[10] = x28 - out1[11] = x30 - out1[12] = x32 - out1[13] = x34 - out1[14] = x36 - out1[15] = x37 - out1[16] = x38 - out1[17] = x40 - out1[18] = x42 - out1[19] = x44 - out1[20] = x46 - out1[21] = x48 - out1[22] = x50 - out1[23] = x51 - out1[24] = x52 - out1[25] = x54 - out1[26] = x56 - out1[27] = x58 - out1[28] = x60 - out1[29] = x62 - out1[30] = x64 - out1[31] = x65 - out1[32] = x66 - out1[33] = x68 - out1[34] = x70 - out1[35] = x72 - out1[36] = x74 - out1[37] = x76 - out1[38] = x78 - out1[39] = x79 - out1[40] = x80 - out1[41] = x82 - out1[42] = x84 - out1[43] = x86 - out1[44] = x88 - out1[45] = x90 - out1[46] = x92 - out1[47] = x93 - out1[48] = x94 - out1[49] = x96 - out1[50] = x98 - out1[51] = x100 - out1[52] = x102 - out1[53] = x104 - out1[54] = x106 - out1[55] = x107 - out1[56] = x108 - out1[57] = x110 - out1[58] = x112 - out1[59] = x114 - out1[60] = x116 - out1[61] = x118 - out1[62] = x120 - out1[63] = x121 - out1[64] = x122 - out1[65] = uint8(x123) -} - -// p521FromBytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. -// -// Preconditions: -// -// 0 ≤ bytes_eval arg1 < m -// -// Postconditions: -// -// eval out1 mod m = bytes_eval arg1 mod m -// 0 ≤ eval out1 < m -// -// Input Bounds: -// -// arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x1]] -// -// Output Bounds: -// -// out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0x1ff]] -func p521FromBytes(out1 *[9]uint64, arg1 *[66]uint8) { - x1 := (uint64(p521Uint1(arg1[65])) << 8) - x2 := arg1[64] - x3 := (uint64(arg1[63]) << 56) - x4 := (uint64(arg1[62]) << 48) - x5 := (uint64(arg1[61]) << 40) - x6 := (uint64(arg1[60]) << 32) - x7 := (uint64(arg1[59]) << 24) - x8 := (uint64(arg1[58]) << 16) - x9 := (uint64(arg1[57]) << 8) - x10 := arg1[56] - x11 := (uint64(arg1[55]) << 56) - x12 := (uint64(arg1[54]) << 48) - x13 := (uint64(arg1[53]) << 40) - x14 := (uint64(arg1[52]) << 32) - x15 := (uint64(arg1[51]) << 24) - x16 := (uint64(arg1[50]) << 16) - x17 := (uint64(arg1[49]) << 8) - x18 := arg1[48] - x19 := (uint64(arg1[47]) << 56) - x20 := (uint64(arg1[46]) << 48) - x21 := (uint64(arg1[45]) << 40) - x22 := (uint64(arg1[44]) << 32) - x23 := (uint64(arg1[43]) << 24) - x24 := (uint64(arg1[42]) << 16) - x25 := (uint64(arg1[41]) << 8) - x26 := arg1[40] - x27 := (uint64(arg1[39]) << 56) - x28 := (uint64(arg1[38]) << 48) - x29 := (uint64(arg1[37]) << 40) - x30 := (uint64(arg1[36]) << 32) - x31 := (uint64(arg1[35]) << 24) - x32 := (uint64(arg1[34]) << 16) - x33 := (uint64(arg1[33]) << 8) - x34 := arg1[32] - x35 := (uint64(arg1[31]) << 56) - x36 := (uint64(arg1[30]) << 48) - x37 := (uint64(arg1[29]) << 40) - x38 := (uint64(arg1[28]) << 32) - x39 := (uint64(arg1[27]) << 24) - x40 := (uint64(arg1[26]) << 16) - x41 := (uint64(arg1[25]) << 8) - x42 := arg1[24] - x43 := (uint64(arg1[23]) << 56) - x44 := (uint64(arg1[22]) << 48) - x45 := (uint64(arg1[21]) << 40) - x46 := (uint64(arg1[20]) << 32) - x47 := (uint64(arg1[19]) << 24) - x48 := (uint64(arg1[18]) << 16) - x49 := (uint64(arg1[17]) << 8) - x50 := arg1[16] - x51 := (uint64(arg1[15]) << 56) - x52 := (uint64(arg1[14]) << 48) - x53 := (uint64(arg1[13]) << 40) - x54 := (uint64(arg1[12]) << 32) - x55 := (uint64(arg1[11]) << 24) - x56 := (uint64(arg1[10]) << 16) - x57 := (uint64(arg1[9]) << 8) - x58 := arg1[8] - x59 := (uint64(arg1[7]) << 56) - x60 := (uint64(arg1[6]) << 48) - x61 := (uint64(arg1[5]) << 40) - x62 := (uint64(arg1[4]) << 32) - x63 := (uint64(arg1[3]) << 24) - x64 := (uint64(arg1[2]) << 16) - x65 := (uint64(arg1[1]) << 8) - x66 := arg1[0] - x67 := (x65 + uint64(x66)) - x68 := (x64 + x67) - x69 := (x63 + x68) - x70 := (x62 + x69) - x71 := (x61 + x70) - x72 := (x60 + x71) - x73 := (x59 + x72) - x74 := (x57 + uint64(x58)) - x75 := (x56 + x74) - x76 := (x55 + x75) - x77 := (x54 + x76) - x78 := (x53 + x77) - x79 := (x52 + x78) - x80 := (x51 + x79) - x81 := (x49 + uint64(x50)) - x82 := (x48 + x81) - x83 := (x47 + x82) - x84 := (x46 + x83) - x85 := (x45 + x84) - x86 := (x44 + x85) - x87 := (x43 + x86) - x88 := (x41 + uint64(x42)) - x89 := (x40 + x88) - x90 := (x39 + x89) - x91 := (x38 + x90) - x92 := (x37 + x91) - x93 := (x36 + x92) - x94 := (x35 + x93) - x95 := (x33 + uint64(x34)) - x96 := (x32 + x95) - x97 := (x31 + x96) - x98 := (x30 + x97) - x99 := (x29 + x98) - x100 := (x28 + x99) - x101 := (x27 + x100) - x102 := (x25 + uint64(x26)) - x103 := (x24 + x102) - x104 := (x23 + x103) - x105 := (x22 + x104) - x106 := (x21 + x105) - x107 := (x20 + x106) - x108 := (x19 + x107) - x109 := (x17 + uint64(x18)) - x110 := (x16 + x109) - x111 := (x15 + x110) - x112 := (x14 + x111) - x113 := (x13 + x112) - x114 := (x12 + x113) - x115 := (x11 + x114) - x116 := (x9 + uint64(x10)) - x117 := (x8 + x116) - x118 := (x7 + x117) - x119 := (x6 + x118) - x120 := (x5 + x119) - x121 := (x4 + x120) - x122 := (x3 + x121) - x123 := (x1 + uint64(x2)) - out1[0] = x73 - out1[1] = x80 - out1[2] = x87 - out1[3] = x94 - out1[4] = x101 - out1[5] = x108 - out1[6] = x115 - out1[7] = x122 - out1[8] = x123 -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p521_invert.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p521_invert.go deleted file mode 100644 index 16c53e186d6..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/p521_invert.go +++ /dev/null @@ -1,89 +0,0 @@ -// Copyright 2021 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by addchain. DO NOT EDIT. - -package fiat - -// Invert sets e = 1/x, and returns e. -// -// If x == 0, Invert returns e = 0. -func (e *P521Element) Invert(x *P521Element) *P521Element { - // Inversion is implemented as exponentiation with exponent p − 2. - // The sequence of 13 multiplications and 520 squarings is derived from the - // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. - // - // _10 = 2*1 - // _11 = 1 + _10 - // _1100 = _11 << 2 - // _1111 = _11 + _1100 - // _11110000 = _1111 << 4 - // _11111111 = _1111 + _11110000 - // x16 = _11111111 << 8 + _11111111 - // x32 = x16 << 16 + x16 - // x64 = x32 << 32 + x32 - // x65 = 2*x64 + 1 - // x129 = x65 << 64 + x64 - // x130 = 2*x129 + 1 - // x259 = x130 << 129 + x129 - // x260 = 2*x259 + 1 - // x519 = x260 << 259 + x259 - // return x519 << 2 + 1 - // - - var z = new(P521Element).Set(e) - var t0 = new(P521Element) - - z.Square(x) - z.Mul(x, z) - t0.Square(z) - for s := 1; s < 2; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - t0.Square(z) - for s := 1; s < 4; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - t0.Square(z) - for s := 1; s < 8; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - t0.Square(z) - for s := 1; s < 16; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - t0.Square(z) - for s := 1; s < 32; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - t0.Square(z) - t0.Mul(x, t0) - for s := 0; s < 64; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - t0.Square(z) - t0.Mul(x, t0) - for s := 0; s < 129; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - t0.Square(z) - t0.Mul(x, t0) - for s := 0; s < 259; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - for s := 0; s < 2; s++ { - z.Square(z) - } - z.Mul(x, z) - - return e.Set(z) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/ya.make deleted file mode 100644 index ecfa56a6ded..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/fiat/ya.make +++ /dev/null @@ -1,24 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - p224.go - p224_fiat64.go - p224_invert.go - p256.go - p256_fiat64.go - p256_invert.go - p384.go - p384_fiat64.go - p384_invert.go - p521.go - p521_fiat64.go - p521_invert.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/generate.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/generate.go deleted file mode 100644 index 7786dc556f5..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/generate.go +++ /dev/null @@ -1,627 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build ignore - -package main - -// Running this generator requires addchain v0.4.0, which can be installed with -// -// go install github.com/mmcloughlin/addchain/cmd/[email protected] -// - -import ( - "bytes" - "crypto/elliptic" - "fmt" - "go/format" - "io" - "log" - "math/big" - "os" - "os/exec" - "strings" - "text/template" -) - -var curves = []struct { - P string - Element string - Params *elliptic.CurveParams -}{ - { - P: "P224", - Element: "fiat.P224Element", - Params: elliptic.P224().Params(), - }, - { - P: "P384", - Element: "fiat.P384Element", - Params: elliptic.P384().Params(), - }, - { - P: "P521", - Element: "fiat.P521Element", - Params: elliptic.P521().Params(), - }, -} - -func main() { - t := template.Must(template.New("tmplNISTEC").Parse(tmplNISTEC)) - - tmplAddchainFile, err := os.CreateTemp("", "addchain-template") - if err != nil { - log.Fatal(err) - } - defer os.Remove(tmplAddchainFile.Name()) - if _, err := io.WriteString(tmplAddchainFile, tmplAddchain); err != nil { - log.Fatal(err) - } - if err := tmplAddchainFile.Close(); err != nil { - log.Fatal(err) - } - - for _, c := range curves { - p := strings.ToLower(c.P) - elementLen := (c.Params.BitSize + 7) / 8 - B := fmt.Sprintf("%#v", c.Params.B.FillBytes(make([]byte, elementLen))) - Gx := fmt.Sprintf("%#v", c.Params.Gx.FillBytes(make([]byte, elementLen))) - Gy := fmt.Sprintf("%#v", c.Params.Gy.FillBytes(make([]byte, elementLen))) - - log.Printf("Generating %s.go...", p) - f, err := os.Create(p + ".go") - if err != nil { - log.Fatal(err) - } - defer f.Close() - buf := &bytes.Buffer{} - if err := t.Execute(buf, map[string]interface{}{ - "P": c.P, "p": p, "B": B, "Gx": Gx, "Gy": Gy, - "Element": c.Element, "ElementLen": elementLen, - }); err != nil { - log.Fatal(err) - } - out, err := format.Source(buf.Bytes()) - if err != nil { - log.Fatal(err) - } - if _, err := f.Write(out); err != nil { - log.Fatal(err) - } - - // If p = 3 mod 4, implement modular square root by exponentiation. - mod4 := new(big.Int).Mod(c.Params.P, big.NewInt(4)) - if mod4.Cmp(big.NewInt(3)) != 0 { - continue - } - - exp := new(big.Int).Add(c.Params.P, big.NewInt(1)) - exp.Div(exp, big.NewInt(4)) - - tmp, err := os.CreateTemp("", "addchain-"+p) - if err != nil { - log.Fatal(err) - } - defer os.Remove(tmp.Name()) - cmd := exec.Command("addchain", "search", fmt.Sprintf("%d", exp)) - cmd.Stderr = os.Stderr - cmd.Stdout = tmp - if err := cmd.Run(); err != nil { - log.Fatal(err) - } - if err := tmp.Close(); err != nil { - log.Fatal(err) - } - cmd = exec.Command("addchain", "gen", "-tmpl", tmplAddchainFile.Name(), tmp.Name()) - cmd.Stderr = os.Stderr - out, err = cmd.Output() - if err != nil { - log.Fatal(err) - } - out = bytes.Replace(out, []byte("Element"), []byte(c.Element), -1) - out = bytes.Replace(out, []byte("sqrtCandidate"), []byte(p+"SqrtCandidate"), -1) - out, err = format.Source(out) - if err != nil { - log.Fatal(err) - } - if _, err := f.Write(out); err != nil { - log.Fatal(err) - } - } -} - -const tmplNISTEC = `// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by generate.go. DO NOT EDIT. - -package nistec - -import ( - "crypto/internal/fips140/nistec/fiat" - "crypto/internal/fips140/subtle" - "errors" - "sync" -) - -// {{.p}}ElementLength is the length of an element of the base or scalar field, -// which have the same bytes length for all NIST P curves. -const {{.p}}ElementLength = {{ .ElementLen }} - -// {{.P}}Point is a {{.P}} point. The zero value is NOT valid. -type {{.P}}Point struct { - // The point is represented in projective coordinates (X:Y:Z), - // where x = X/Z and y = Y/Z. - x, y, z *{{.Element}} -} - -// New{{.P}}Point returns a new {{.P}}Point representing the point at infinity point. -func New{{.P}}Point() *{{.P}}Point { - return &{{.P}}Point{ - x: new({{.Element}}), - y: new({{.Element}}).One(), - z: new({{.Element}}), - } -} - -// SetGenerator sets p to the canonical generator and returns p. -func (p *{{.P}}Point) SetGenerator() *{{.P}}Point { - p.x.SetBytes({{.Gx}}) - p.y.SetBytes({{.Gy}}) - p.z.One() - return p -} - -// Set sets p = q and returns p. -func (p *{{.P}}Point) Set(q *{{.P}}Point) *{{.P}}Point { - p.x.Set(q.x) - p.y.Set(q.y) - p.z.Set(q.z) - return p -} - -// SetBytes sets p to the compressed, uncompressed, or infinity value encoded in -// b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on -// the curve, it returns nil and an error, and the receiver is unchanged. -// Otherwise, it returns p. -func (p *{{.P}}Point) SetBytes(b []byte) (*{{.P}}Point, error) { - switch { - // Point at infinity. - case len(b) == 1 && b[0] == 0: - return p.Set(New{{.P}}Point()), nil - - // Uncompressed form. - case len(b) == 1+2*{{.p}}ElementLength && b[0] == 4: - x, err := new({{.Element}}).SetBytes(b[1 : 1+{{.p}}ElementLength]) - if err != nil { - return nil, err - } - y, err := new({{.Element}}).SetBytes(b[1+{{.p}}ElementLength:]) - if err != nil { - return nil, err - } - if err := {{.p}}CheckOnCurve(x, y); err != nil { - return nil, err - } - p.x.Set(x) - p.y.Set(y) - p.z.One() - return p, nil - - // Compressed form. - case len(b) == 1+{{.p}}ElementLength && (b[0] == 2 || b[0] == 3): - x, err := new({{.Element}}).SetBytes(b[1:]) - if err != nil { - return nil, err - } - - // y² = x³ - 3x + b - y := {{.p}}Polynomial(new({{.Element}}), x) - if !{{.p}}Sqrt(y, y) { - return nil, errors.New("invalid {{.P}} compressed point encoding") - } - - // Select the positive or negative root, as indicated by the least - // significant bit, based on the encoding type byte. - otherRoot := new({{.Element}}) - otherRoot.Sub(otherRoot, y) - cond := y.Bytes()[{{.p}}ElementLength-1]&1 ^ b[0]&1 - y.Select(otherRoot, y, int(cond)) - - p.x.Set(x) - p.y.Set(y) - p.z.One() - return p, nil - - default: - return nil, errors.New("invalid {{.P}} point encoding") - } -} - - -var _{{.p}}B *{{.Element}} -var _{{.p}}BOnce sync.Once - -func {{.p}}B() *{{.Element}} { - _{{.p}}BOnce.Do(func() { - _{{.p}}B, _ = new({{.Element}}).SetBytes({{.B}}) - }) - return _{{.p}}B -} - -// {{.p}}Polynomial sets y2 to x³ - 3x + b, and returns y2. -func {{.p}}Polynomial(y2, x *{{.Element}}) *{{.Element}} { - y2.Square(x) - y2.Mul(y2, x) - - threeX := new({{.Element}}).Add(x, x) - threeX.Add(threeX, x) - y2.Sub(y2, threeX) - - return y2.Add(y2, {{.p}}B()) -} - -func {{.p}}CheckOnCurve(x, y *{{.Element}}) error { - // y² = x³ - 3x + b - rhs := {{.p}}Polynomial(new({{.Element}}), x) - lhs := new({{.Element}}).Square(y) - if rhs.Equal(lhs) != 1 { - return errors.New("{{.P}} point not on curve") - } - return nil -} - -// Bytes returns the uncompressed or infinity encoding of p, as specified in -// SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at -// infinity is shorter than all other encodings. -func (p *{{.P}}Point) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [1+2*{{.p}}ElementLength]byte - return p.bytes(&out) -} - -func (p *{{.P}}Point) bytes(out *[1+2*{{.p}}ElementLength]byte) []byte { - if p.z.IsZero() == 1 { - return append(out[:0], 0) - } - - zinv := new({{.Element}}).Invert(p.z) - x := new({{.Element}}).Mul(p.x, zinv) - y := new({{.Element}}).Mul(p.y, zinv) - - buf := append(out[:0], 4) - buf = append(buf, x.Bytes()...) - buf = append(buf, y.Bytes()...) - return buf -} - -// BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, -// Version 2.0, Section 2.3.5, or an error if p is the point at infinity. -func (p *{{.P}}Point) BytesX() ([]byte, error) { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [{{.p}}ElementLength]byte - return p.bytesX(&out) -} - -func (p *{{.P}}Point) bytesX(out *[{{.p}}ElementLength]byte) ([]byte, error) { - if p.z.IsZero() == 1 { - return nil, errors.New("{{.P}} point is the point at infinity") - } - - zinv := new({{.Element}}).Invert(p.z) - x := new({{.Element}}).Mul(p.x, zinv) - - return append(out[:0], x.Bytes()...), nil -} - -// BytesCompressed returns the compressed or infinity encoding of p, as -// specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the -// point at infinity is shorter than all other encodings. -func (p *{{.P}}Point) BytesCompressed() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [1 + {{.p}}ElementLength]byte - return p.bytesCompressed(&out) -} - -func (p *{{.P}}Point) bytesCompressed(out *[1 + {{.p}}ElementLength]byte) []byte { - if p.z.IsZero() == 1 { - return append(out[:0], 0) - } - - zinv := new({{.Element}}).Invert(p.z) - x := new({{.Element}}).Mul(p.x, zinv) - y := new({{.Element}}).Mul(p.y, zinv) - - // Encode the sign of the y coordinate (indicated by the least significant - // bit) as the encoding type (2 or 3). - buf := append(out[:0], 2) - buf[0] |= y.Bytes()[{{.p}}ElementLength-1] & 1 - buf = append(buf, x.Bytes()...) - return buf -} - -// Add sets q = p1 + p2, and returns q. The points may overlap. -func (q *{{.P}}Point) Add(p1, p2 *{{.P}}Point) *{{.P}}Point { - // Complete addition formula for a = -3 from "Complete addition formulas for - // prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2. - - t0 := new({{.Element}}).Mul(p1.x, p2.x) // t0 := X1 * X2 - t1 := new({{.Element}}).Mul(p1.y, p2.y) // t1 := Y1 * Y2 - t2 := new({{.Element}}).Mul(p1.z, p2.z) // t2 := Z1 * Z2 - t3 := new({{.Element}}).Add(p1.x, p1.y) // t3 := X1 + Y1 - t4 := new({{.Element}}).Add(p2.x, p2.y) // t4 := X2 + Y2 - t3.Mul(t3, t4) // t3 := t3 * t4 - t4.Add(t0, t1) // t4 := t0 + t1 - t3.Sub(t3, t4) // t3 := t3 - t4 - t4.Add(p1.y, p1.z) // t4 := Y1 + Z1 - x3 := new({{.Element}}).Add(p2.y, p2.z) // X3 := Y2 + Z2 - t4.Mul(t4, x3) // t4 := t4 * X3 - x3.Add(t1, t2) // X3 := t1 + t2 - t4.Sub(t4, x3) // t4 := t4 - X3 - x3.Add(p1.x, p1.z) // X3 := X1 + Z1 - y3 := new({{.Element}}).Add(p2.x, p2.z) // Y3 := X2 + Z2 - x3.Mul(x3, y3) // X3 := X3 * Y3 - y3.Add(t0, t2) // Y3 := t0 + t2 - y3.Sub(x3, y3) // Y3 := X3 - Y3 - z3 := new({{.Element}}).Mul({{.p}}B(), t2) // Z3 := b * t2 - x3.Sub(y3, z3) // X3 := Y3 - Z3 - z3.Add(x3, x3) // Z3 := X3 + X3 - x3.Add(x3, z3) // X3 := X3 + Z3 - z3.Sub(t1, x3) // Z3 := t1 - X3 - x3.Add(t1, x3) // X3 := t1 + X3 - y3.Mul({{.p}}B(), y3) // Y3 := b * Y3 - t1.Add(t2, t2) // t1 := t2 + t2 - t2.Add(t1, t2) // t2 := t1 + t2 - y3.Sub(y3, t2) // Y3 := Y3 - t2 - y3.Sub(y3, t0) // Y3 := Y3 - t0 - t1.Add(y3, y3) // t1 := Y3 + Y3 - y3.Add(t1, y3) // Y3 := t1 + Y3 - t1.Add(t0, t0) // t1 := t0 + t0 - t0.Add(t1, t0) // t0 := t1 + t0 - t0.Sub(t0, t2) // t0 := t0 - t2 - t1.Mul(t4, y3) // t1 := t4 * Y3 - t2.Mul(t0, y3) // t2 := t0 * Y3 - y3.Mul(x3, z3) // Y3 := X3 * Z3 - y3.Add(y3, t2) // Y3 := Y3 + t2 - x3.Mul(t3, x3) // X3 := t3 * X3 - x3.Sub(x3, t1) // X3 := X3 - t1 - z3.Mul(t4, z3) // Z3 := t4 * Z3 - t1.Mul(t3, t0) // t1 := t3 * t0 - z3.Add(z3, t1) // Z3 := Z3 + t1 - - q.x.Set(x3) - q.y.Set(y3) - q.z.Set(z3) - return q -} - -// Double sets q = p + p, and returns q. The points may overlap. -func (q *{{.P}}Point) Double(p *{{.P}}Point) *{{.P}}Point { - // Complete addition formula for a = -3 from "Complete addition formulas for - // prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2. - - t0 := new({{.Element}}).Square(p.x) // t0 := X ^ 2 - t1 := new({{.Element}}).Square(p.y) // t1 := Y ^ 2 - t2 := new({{.Element}}).Square(p.z) // t2 := Z ^ 2 - t3 := new({{.Element}}).Mul(p.x, p.y) // t3 := X * Y - t3.Add(t3, t3) // t3 := t3 + t3 - z3 := new({{.Element}}).Mul(p.x, p.z) // Z3 := X * Z - z3.Add(z3, z3) // Z3 := Z3 + Z3 - y3 := new({{.Element}}).Mul({{.p}}B(), t2) // Y3 := b * t2 - y3.Sub(y3, z3) // Y3 := Y3 - Z3 - x3 := new({{.Element}}).Add(y3, y3) // X3 := Y3 + Y3 - y3.Add(x3, y3) // Y3 := X3 + Y3 - x3.Sub(t1, y3) // X3 := t1 - Y3 - y3.Add(t1, y3) // Y3 := t1 + Y3 - y3.Mul(x3, y3) // Y3 := X3 * Y3 - x3.Mul(x3, t3) // X3 := X3 * t3 - t3.Add(t2, t2) // t3 := t2 + t2 - t2.Add(t2, t3) // t2 := t2 + t3 - z3.Mul({{.p}}B(), z3) // Z3 := b * Z3 - z3.Sub(z3, t2) // Z3 := Z3 - t2 - z3.Sub(z3, t0) // Z3 := Z3 - t0 - t3.Add(z3, z3) // t3 := Z3 + Z3 - z3.Add(z3, t3) // Z3 := Z3 + t3 - t3.Add(t0, t0) // t3 := t0 + t0 - t0.Add(t3, t0) // t0 := t3 + t0 - t0.Sub(t0, t2) // t0 := t0 - t2 - t0.Mul(t0, z3) // t0 := t0 * Z3 - y3.Add(y3, t0) // Y3 := Y3 + t0 - t0.Mul(p.y, p.z) // t0 := Y * Z - t0.Add(t0, t0) // t0 := t0 + t0 - z3.Mul(t0, z3) // Z3 := t0 * Z3 - x3.Sub(x3, z3) // X3 := X3 - Z3 - z3.Mul(t0, t1) // Z3 := t0 * t1 - z3.Add(z3, z3) // Z3 := Z3 + Z3 - z3.Add(z3, z3) // Z3 := Z3 + Z3 - - q.x.Set(x3) - q.y.Set(y3) - q.z.Set(z3) - return q -} - -// Select sets q to p1 if cond == 1, and to p2 if cond == 0. -func (q *{{.P}}Point) Select(p1, p2 *{{.P}}Point, cond int) *{{.P}}Point { - q.x.Select(p1.x, p2.x, cond) - q.y.Select(p1.y, p2.y, cond) - q.z.Select(p1.z, p2.z, cond) - return q -} - -// A {{.p}}Table holds the first 15 multiples of a point at offset -1, so [1]P -// is at table[0], [15]P is at table[14], and [0]P is implicitly the identity -// point. -type {{.p}}Table [15]*{{.P}}Point - -// Select selects the n-th multiple of the table base point into p. It works in -// constant time by iterating over every entry of the table. n must be in [0, 15]. -func (table *{{.p}}Table) Select(p *{{.P}}Point, n uint8) { - if n >= 16 { - panic("nistec: internal error: {{.p}}Table called with out-of-bounds value") - } - p.Set(New{{.P}}Point()) - for i := uint8(1); i < 16; i++ { - cond := subtle.ConstantTimeByteEq(i, n) - p.Select(table[i-1], p, cond) - } -} - -// ScalarMult sets p = scalar * q, and returns p. -func (p *{{.P}}Point) ScalarMult(q *{{.P}}Point, scalar []byte) (*{{.P}}Point, error) { - // Compute a {{.p}}Table for the base point q. The explicit New{{.P}}Point - // calls get inlined, letting the allocations live on the stack. - var table = {{.p}}Table{New{{.P}}Point(), New{{.P}}Point(), New{{.P}}Point(), - New{{.P}}Point(), New{{.P}}Point(), New{{.P}}Point(), New{{.P}}Point(), - New{{.P}}Point(), New{{.P}}Point(), New{{.P}}Point(), New{{.P}}Point(), - New{{.P}}Point(), New{{.P}}Point(), New{{.P}}Point(), New{{.P}}Point()} - table[0].Set(q) - for i := 1; i < 15; i += 2 { - table[i].Double(table[i/2]) - table[i+1].Add(table[i], q) - } - - // Instead of doing the classic double-and-add chain, we do it with a - // four-bit window: we double four times, and then add [0-15]P. - t := New{{.P}}Point() - p.Set(New{{.P}}Point()) - for i, byte := range scalar { - // No need to double on the first iteration, as p is the identity at - // this point, and [N]∞ = ∞. - if i != 0 { - p.Double(p) - p.Double(p) - p.Double(p) - p.Double(p) - } - - windowValue := byte >> 4 - table.Select(t, windowValue) - p.Add(p, t) - - p.Double(p) - p.Double(p) - p.Double(p) - p.Double(p) - - windowValue = byte & 0b1111 - table.Select(t, windowValue) - p.Add(p, t) - } - - return p, nil -} - -var {{.p}}GeneratorTable *[{{.p}}ElementLength * 2]{{.p}}Table -var {{.p}}GeneratorTableOnce sync.Once - -// generatorTable returns a sequence of {{.p}}Tables. The first table contains -// multiples of G. Each successive table is the previous table doubled four -// times. -func (p *{{.P}}Point) generatorTable() *[{{.p}}ElementLength * 2]{{.p}}Table { - {{.p}}GeneratorTableOnce.Do(func() { - {{.p}}GeneratorTable = new([{{.p}}ElementLength * 2]{{.p}}Table) - base := New{{.P}}Point().SetGenerator() - for i := 0; i < {{.p}}ElementLength*2; i++ { - {{.p}}GeneratorTable[i][0] = New{{.P}}Point().Set(base) - for j := 1; j < 15; j++ { - {{.p}}GeneratorTable[i][j] = New{{.P}}Point().Add({{.p}}GeneratorTable[i][j-1], base) - } - base.Double(base) - base.Double(base) - base.Double(base) - base.Double(base) - } - }) - return {{.p}}GeneratorTable -} - -// ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and -// returns p. -func (p *{{.P}}Point) ScalarBaseMult(scalar []byte) (*{{.P}}Point, error) { - if len(scalar) != {{.p}}ElementLength { - return nil, errors.New("invalid scalar length") - } - tables := p.generatorTable() - - // This is also a scalar multiplication with a four-bit window like in - // ScalarMult, but in this case the doublings are precomputed. The value - // [windowValue]G added at iteration k would normally get doubled - // (totIterations-k)×4 times, but with a larger precomputation we can - // instead add [2^((totIterations-k)×4)][windowValue]G and avoid the - // doublings between iterations. - t := New{{.P}}Point() - p.Set(New{{.P}}Point()) - tableIndex := len(tables) - 1 - for _, byte := range scalar { - windowValue := byte >> 4 - tables[tableIndex].Select(t, windowValue) - p.Add(p, t) - tableIndex-- - - windowValue = byte & 0b1111 - tables[tableIndex].Select(t, windowValue) - p.Add(p, t) - tableIndex-- - } - - return p, nil -} - -// {{.p}}Sqrt sets e to a square root of x. If x is not a square, {{.p}}Sqrt returns -// false and e is unchanged. e and x can overlap. -func {{.p}}Sqrt(e, x *{{ .Element }}) (isSquare bool) { - candidate := new({{ .Element }}) - {{.p}}SqrtCandidate(candidate, x) - square := new({{ .Element }}).Square(candidate) - if square.Equal(x) != 1 { - return false - } - e.Set(candidate) - return true -} -` - -const tmplAddchain = ` -// sqrtCandidate sets z to a square root candidate for x. z and x must not overlap. -func sqrtCandidate(z, x *Element) { - // Since p = 3 mod 4, exponentiation by (p + 1) / 4 yields a square root candidate. - // - // The sequence of {{ .Ops.Adds }} multiplications and {{ .Ops.Doubles }} squarings is derived from the - // following addition chain generated with {{ .Meta.Module }} {{ .Meta.ReleaseTag }}. - // - {{- range lines (format .Script) }} - // {{ . }} - {{- end }} - // - - {{- range .Program.Temporaries }} - var {{ . }} = new(Element) - {{- end }} - {{ range $i := .Program.Instructions -}} - {{- with add $i.Op }} - {{ $i.Output }}.Mul({{ .X }}, {{ .Y }}) - {{- end -}} - - {{- with double $i.Op }} - {{ $i.Output }}.Square({{ .X }}) - {{- end -}} - - {{- with shift $i.Op -}} - {{- $first := 0 -}} - {{- if ne $i.Output.Identifier .X.Identifier }} - {{ $i.Output }}.Square({{ .X }}) - {{- $first = 1 -}} - {{- end }} - for s := {{ $first }}; s < {{ .S }}; s++ { - {{ $i.Output }}.Square({{ $i.Output }}) - } - {{- end -}} - {{- end }} -} -` diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/nistec.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/nistec.go deleted file mode 100644 index 7ec98188184..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/nistec.go +++ /dev/null @@ -1,17 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package nistec implements the elliptic curves from NIST SP 800-186. -// -// This package uses fiat-crypto or specialized assembly and Go code for its -// backend field arithmetic (not math/big) and exposes constant-time, heap -// allocation-free, byte slice-based safe APIs. Group operations use modern and -// safe complete addition formulas where possible. The point at infinity is -// handled and encoded according to SEC 1, Version 2.0, and invalid curve points -// can't be represented. -package nistec - -import _ "crypto/internal/fips140/check" - -//go:generate go run generate.go diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p224.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p224.go deleted file mode 100644 index 82bced251fe..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p224.go +++ /dev/null @@ -1,453 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by generate.go. DO NOT EDIT. - -package nistec - -import ( - "crypto/internal/fips140/nistec/fiat" - "crypto/internal/fips140/subtle" - "errors" - "sync" -) - -// p224ElementLength is the length of an element of the base or scalar field, -// which have the same bytes length for all NIST P curves. -const p224ElementLength = 28 - -// P224Point is a P224 point. The zero value is NOT valid. -type P224Point struct { - // The point is represented in projective coordinates (X:Y:Z), - // where x = X/Z and y = Y/Z. - x, y, z *fiat.P224Element -} - -// NewP224Point returns a new P224Point representing the point at infinity point. -func NewP224Point() *P224Point { - return &P224Point{ - x: new(fiat.P224Element), - y: new(fiat.P224Element).One(), - z: new(fiat.P224Element), - } -} - -// SetGenerator sets p to the canonical generator and returns p. -func (p *P224Point) SetGenerator() *P224Point { - p.x.SetBytes([]byte{0xb7, 0xe, 0xc, 0xbd, 0x6b, 0xb4, 0xbf, 0x7f, 0x32, 0x13, 0x90, 0xb9, 0x4a, 0x3, 0xc1, 0xd3, 0x56, 0xc2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xd6, 0x11, 0x5c, 0x1d, 0x21}) - p.y.SetBytes([]byte{0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x7, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, 0x85, 0x0, 0x7e, 0x34}) - p.z.One() - return p -} - -// Set sets p = q and returns p. -func (p *P224Point) Set(q *P224Point) *P224Point { - p.x.Set(q.x) - p.y.Set(q.y) - p.z.Set(q.z) - return p -} - -// SetBytes sets p to the compressed, uncompressed, or infinity value encoded in -// b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on -// the curve, it returns nil and an error, and the receiver is unchanged. -// Otherwise, it returns p. -func (p *P224Point) SetBytes(b []byte) (*P224Point, error) { - switch { - // Point at infinity. - case len(b) == 1 && b[0] == 0: - return p.Set(NewP224Point()), nil - - // Uncompressed form. - case len(b) == 1+2*p224ElementLength && b[0] == 4: - x, err := new(fiat.P224Element).SetBytes(b[1 : 1+p224ElementLength]) - if err != nil { - return nil, err - } - y, err := new(fiat.P224Element).SetBytes(b[1+p224ElementLength:]) - if err != nil { - return nil, err - } - if err := p224CheckOnCurve(x, y); err != nil { - return nil, err - } - p.x.Set(x) - p.y.Set(y) - p.z.One() - return p, nil - - // Compressed form. - case len(b) == 1+p224ElementLength && (b[0] == 2 || b[0] == 3): - x, err := new(fiat.P224Element).SetBytes(b[1:]) - if err != nil { - return nil, err - } - - // y² = x³ - 3x + b - y := p224Polynomial(new(fiat.P224Element), x) - if !p224Sqrt(y, y) { - return nil, errors.New("invalid P224 compressed point encoding") - } - - // Select the positive or negative root, as indicated by the least - // significant bit, based on the encoding type byte. - otherRoot := new(fiat.P224Element) - otherRoot.Sub(otherRoot, y) - cond := y.Bytes()[p224ElementLength-1]&1 ^ b[0]&1 - y.Select(otherRoot, y, int(cond)) - - p.x.Set(x) - p.y.Set(y) - p.z.One() - return p, nil - - default: - return nil, errors.New("invalid P224 point encoding") - } -} - -var _p224B *fiat.P224Element -var _p224BOnce sync.Once - -func p224B() *fiat.P224Element { - _p224BOnce.Do(func() { - _p224B, _ = new(fiat.P224Element).SetBytes([]byte{0xb4, 0x5, 0xa, 0x85, 0xc, 0x4, 0xb3, 0xab, 0xf5, 0x41, 0x32, 0x56, 0x50, 0x44, 0xb0, 0xb7, 0xd7, 0xbf, 0xd8, 0xba, 0x27, 0xb, 0x39, 0x43, 0x23, 0x55, 0xff, 0xb4}) - }) - return _p224B -} - -// p224Polynomial sets y2 to x³ - 3x + b, and returns y2. -func p224Polynomial(y2, x *fiat.P224Element) *fiat.P224Element { - y2.Square(x) - y2.Mul(y2, x) - - threeX := new(fiat.P224Element).Add(x, x) - threeX.Add(threeX, x) - y2.Sub(y2, threeX) - - return y2.Add(y2, p224B()) -} - -func p224CheckOnCurve(x, y *fiat.P224Element) error { - // y² = x³ - 3x + b - rhs := p224Polynomial(new(fiat.P224Element), x) - lhs := new(fiat.P224Element).Square(y) - if rhs.Equal(lhs) != 1 { - return errors.New("P224 point not on curve") - } - return nil -} - -// Bytes returns the uncompressed or infinity encoding of p, as specified in -// SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at -// infinity is shorter than all other encodings. -func (p *P224Point) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [1 + 2*p224ElementLength]byte - return p.bytes(&out) -} - -func (p *P224Point) bytes(out *[1 + 2*p224ElementLength]byte) []byte { - if p.z.IsZero() == 1 { - return append(out[:0], 0) - } - - zinv := new(fiat.P224Element).Invert(p.z) - x := new(fiat.P224Element).Mul(p.x, zinv) - y := new(fiat.P224Element).Mul(p.y, zinv) - - buf := append(out[:0], 4) - buf = append(buf, x.Bytes()...) - buf = append(buf, y.Bytes()...) - return buf -} - -// BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, -// Version 2.0, Section 2.3.5, or an error if p is the point at infinity. -func (p *P224Point) BytesX() ([]byte, error) { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p224ElementLength]byte - return p.bytesX(&out) -} - -func (p *P224Point) bytesX(out *[p224ElementLength]byte) ([]byte, error) { - if p.z.IsZero() == 1 { - return nil, errors.New("P224 point is the point at infinity") - } - - zinv := new(fiat.P224Element).Invert(p.z) - x := new(fiat.P224Element).Mul(p.x, zinv) - - return append(out[:0], x.Bytes()...), nil -} - -// BytesCompressed returns the compressed or infinity encoding of p, as -// specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the -// point at infinity is shorter than all other encodings. -func (p *P224Point) BytesCompressed() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [1 + p224ElementLength]byte - return p.bytesCompressed(&out) -} - -func (p *P224Point) bytesCompressed(out *[1 + p224ElementLength]byte) []byte { - if p.z.IsZero() == 1 { - return append(out[:0], 0) - } - - zinv := new(fiat.P224Element).Invert(p.z) - x := new(fiat.P224Element).Mul(p.x, zinv) - y := new(fiat.P224Element).Mul(p.y, zinv) - - // Encode the sign of the y coordinate (indicated by the least significant - // bit) as the encoding type (2 or 3). - buf := append(out[:0], 2) - buf[0] |= y.Bytes()[p224ElementLength-1] & 1 - buf = append(buf, x.Bytes()...) - return buf -} - -// Add sets q = p1 + p2, and returns q. The points may overlap. -func (q *P224Point) Add(p1, p2 *P224Point) *P224Point { - // Complete addition formula for a = -3 from "Complete addition formulas for - // prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2. - - t0 := new(fiat.P224Element).Mul(p1.x, p2.x) // t0 := X1 * X2 - t1 := new(fiat.P224Element).Mul(p1.y, p2.y) // t1 := Y1 * Y2 - t2 := new(fiat.P224Element).Mul(p1.z, p2.z) // t2 := Z1 * Z2 - t3 := new(fiat.P224Element).Add(p1.x, p1.y) // t3 := X1 + Y1 - t4 := new(fiat.P224Element).Add(p2.x, p2.y) // t4 := X2 + Y2 - t3.Mul(t3, t4) // t3 := t3 * t4 - t4.Add(t0, t1) // t4 := t0 + t1 - t3.Sub(t3, t4) // t3 := t3 - t4 - t4.Add(p1.y, p1.z) // t4 := Y1 + Z1 - x3 := new(fiat.P224Element).Add(p2.y, p2.z) // X3 := Y2 + Z2 - t4.Mul(t4, x3) // t4 := t4 * X3 - x3.Add(t1, t2) // X3 := t1 + t2 - t4.Sub(t4, x3) // t4 := t4 - X3 - x3.Add(p1.x, p1.z) // X3 := X1 + Z1 - y3 := new(fiat.P224Element).Add(p2.x, p2.z) // Y3 := X2 + Z2 - x3.Mul(x3, y3) // X3 := X3 * Y3 - y3.Add(t0, t2) // Y3 := t0 + t2 - y3.Sub(x3, y3) // Y3 := X3 - Y3 - z3 := new(fiat.P224Element).Mul(p224B(), t2) // Z3 := b * t2 - x3.Sub(y3, z3) // X3 := Y3 - Z3 - z3.Add(x3, x3) // Z3 := X3 + X3 - x3.Add(x3, z3) // X3 := X3 + Z3 - z3.Sub(t1, x3) // Z3 := t1 - X3 - x3.Add(t1, x3) // X3 := t1 + X3 - y3.Mul(p224B(), y3) // Y3 := b * Y3 - t1.Add(t2, t2) // t1 := t2 + t2 - t2.Add(t1, t2) // t2 := t1 + t2 - y3.Sub(y3, t2) // Y3 := Y3 - t2 - y3.Sub(y3, t0) // Y3 := Y3 - t0 - t1.Add(y3, y3) // t1 := Y3 + Y3 - y3.Add(t1, y3) // Y3 := t1 + Y3 - t1.Add(t0, t0) // t1 := t0 + t0 - t0.Add(t1, t0) // t0 := t1 + t0 - t0.Sub(t0, t2) // t0 := t0 - t2 - t1.Mul(t4, y3) // t1 := t4 * Y3 - t2.Mul(t0, y3) // t2 := t0 * Y3 - y3.Mul(x3, z3) // Y3 := X3 * Z3 - y3.Add(y3, t2) // Y3 := Y3 + t2 - x3.Mul(t3, x3) // X3 := t3 * X3 - x3.Sub(x3, t1) // X3 := X3 - t1 - z3.Mul(t4, z3) // Z3 := t4 * Z3 - t1.Mul(t3, t0) // t1 := t3 * t0 - z3.Add(z3, t1) // Z3 := Z3 + t1 - - q.x.Set(x3) - q.y.Set(y3) - q.z.Set(z3) - return q -} - -// Double sets q = p + p, and returns q. The points may overlap. -func (q *P224Point) Double(p *P224Point) *P224Point { - // Complete addition formula for a = -3 from "Complete addition formulas for - // prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2. - - t0 := new(fiat.P224Element).Square(p.x) // t0 := X ^ 2 - t1 := new(fiat.P224Element).Square(p.y) // t1 := Y ^ 2 - t2 := new(fiat.P224Element).Square(p.z) // t2 := Z ^ 2 - t3 := new(fiat.P224Element).Mul(p.x, p.y) // t3 := X * Y - t3.Add(t3, t3) // t3 := t3 + t3 - z3 := new(fiat.P224Element).Mul(p.x, p.z) // Z3 := X * Z - z3.Add(z3, z3) // Z3 := Z3 + Z3 - y3 := new(fiat.P224Element).Mul(p224B(), t2) // Y3 := b * t2 - y3.Sub(y3, z3) // Y3 := Y3 - Z3 - x3 := new(fiat.P224Element).Add(y3, y3) // X3 := Y3 + Y3 - y3.Add(x3, y3) // Y3 := X3 + Y3 - x3.Sub(t1, y3) // X3 := t1 - Y3 - y3.Add(t1, y3) // Y3 := t1 + Y3 - y3.Mul(x3, y3) // Y3 := X3 * Y3 - x3.Mul(x3, t3) // X3 := X3 * t3 - t3.Add(t2, t2) // t3 := t2 + t2 - t2.Add(t2, t3) // t2 := t2 + t3 - z3.Mul(p224B(), z3) // Z3 := b * Z3 - z3.Sub(z3, t2) // Z3 := Z3 - t2 - z3.Sub(z3, t0) // Z3 := Z3 - t0 - t3.Add(z3, z3) // t3 := Z3 + Z3 - z3.Add(z3, t3) // Z3 := Z3 + t3 - t3.Add(t0, t0) // t3 := t0 + t0 - t0.Add(t3, t0) // t0 := t3 + t0 - t0.Sub(t0, t2) // t0 := t0 - t2 - t0.Mul(t0, z3) // t0 := t0 * Z3 - y3.Add(y3, t0) // Y3 := Y3 + t0 - t0.Mul(p.y, p.z) // t0 := Y * Z - t0.Add(t0, t0) // t0 := t0 + t0 - z3.Mul(t0, z3) // Z3 := t0 * Z3 - x3.Sub(x3, z3) // X3 := X3 - Z3 - z3.Mul(t0, t1) // Z3 := t0 * t1 - z3.Add(z3, z3) // Z3 := Z3 + Z3 - z3.Add(z3, z3) // Z3 := Z3 + Z3 - - q.x.Set(x3) - q.y.Set(y3) - q.z.Set(z3) - return q -} - -// Select sets q to p1 if cond == 1, and to p2 if cond == 0. -func (q *P224Point) Select(p1, p2 *P224Point, cond int) *P224Point { - q.x.Select(p1.x, p2.x, cond) - q.y.Select(p1.y, p2.y, cond) - q.z.Select(p1.z, p2.z, cond) - return q -} - -// A p224Table holds the first 15 multiples of a point at offset -1, so [1]P -// is at table[0], [15]P is at table[14], and [0]P is implicitly the identity -// point. -type p224Table [15]*P224Point - -// Select selects the n-th multiple of the table base point into p. It works in -// constant time by iterating over every entry of the table. n must be in [0, 15]. -func (table *p224Table) Select(p *P224Point, n uint8) { - if n >= 16 { - panic("nistec: internal error: p224Table called with out-of-bounds value") - } - p.Set(NewP224Point()) - for i := uint8(1); i < 16; i++ { - cond := subtle.ConstantTimeByteEq(i, n) - p.Select(table[i-1], p, cond) - } -} - -// ScalarMult sets p = scalar * q, and returns p. -func (p *P224Point) ScalarMult(q *P224Point, scalar []byte) (*P224Point, error) { - // Compute a p224Table for the base point q. The explicit NewP224Point - // calls get inlined, letting the allocations live on the stack. - var table = p224Table{NewP224Point(), NewP224Point(), NewP224Point(), - NewP224Point(), NewP224Point(), NewP224Point(), NewP224Point(), - NewP224Point(), NewP224Point(), NewP224Point(), NewP224Point(), - NewP224Point(), NewP224Point(), NewP224Point(), NewP224Point()} - table[0].Set(q) - for i := 1; i < 15; i += 2 { - table[i].Double(table[i/2]) - table[i+1].Add(table[i], q) - } - - // Instead of doing the classic double-and-add chain, we do it with a - // four-bit window: we double four times, and then add [0-15]P. - t := NewP224Point() - p.Set(NewP224Point()) - for i, byte := range scalar { - // No need to double on the first iteration, as p is the identity at - // this point, and [N]∞ = ∞. - if i != 0 { - p.Double(p) - p.Double(p) - p.Double(p) - p.Double(p) - } - - windowValue := byte >> 4 - table.Select(t, windowValue) - p.Add(p, t) - - p.Double(p) - p.Double(p) - p.Double(p) - p.Double(p) - - windowValue = byte & 0b1111 - table.Select(t, windowValue) - p.Add(p, t) - } - - return p, nil -} - -var p224GeneratorTable *[p224ElementLength * 2]p224Table -var p224GeneratorTableOnce sync.Once - -// generatorTable returns a sequence of p224Tables. The first table contains -// multiples of G. Each successive table is the previous table doubled four -// times. -func (p *P224Point) generatorTable() *[p224ElementLength * 2]p224Table { - p224GeneratorTableOnce.Do(func() { - p224GeneratorTable = new([p224ElementLength * 2]p224Table) - base := NewP224Point().SetGenerator() - for i := 0; i < p224ElementLength*2; i++ { - p224GeneratorTable[i][0] = NewP224Point().Set(base) - for j := 1; j < 15; j++ { - p224GeneratorTable[i][j] = NewP224Point().Add(p224GeneratorTable[i][j-1], base) - } - base.Double(base) - base.Double(base) - base.Double(base) - base.Double(base) - } - }) - return p224GeneratorTable -} - -// ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and -// returns p. -func (p *P224Point) ScalarBaseMult(scalar []byte) (*P224Point, error) { - if len(scalar) != p224ElementLength { - return nil, errors.New("invalid scalar length") - } - tables := p.generatorTable() - - // This is also a scalar multiplication with a four-bit window like in - // ScalarMult, but in this case the doublings are precomputed. The value - // [windowValue]G added at iteration k would normally get doubled - // (totIterations-k)×4 times, but with a larger precomputation we can - // instead add [2^((totIterations-k)×4)][windowValue]G and avoid the - // doublings between iterations. - t := NewP224Point() - p.Set(NewP224Point()) - tableIndex := len(tables) - 1 - for _, byte := range scalar { - windowValue := byte >> 4 - tables[tableIndex].Select(t, windowValue) - p.Add(p, t) - tableIndex-- - - windowValue = byte & 0b1111 - tables[tableIndex].Select(t, windowValue) - p.Add(p, t) - tableIndex-- - } - - return p, nil -} - -// p224Sqrt sets e to a square root of x. If x is not a square, p224Sqrt returns -// false and e is unchanged. e and x can overlap. -func p224Sqrt(e, x *fiat.P224Element) (isSquare bool) { - candidate := new(fiat.P224Element) - p224SqrtCandidate(candidate, x) - square := new(fiat.P224Element).Square(candidate) - if square.Equal(x) != 1 { - return false - } - e.Set(candidate) - return true -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p224_sqrt.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p224_sqrt.go deleted file mode 100644 index 338c2491ed1..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p224_sqrt.go +++ /dev/null @@ -1,132 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package nistec - -import ( - "crypto/internal/fips140/nistec/fiat" - "sync" -) - -var p224GG *[96]fiat.P224Element -var p224GGOnce sync.Once - -// p224SqrtCandidate sets r to a square root candidate for x. r and x must not overlap. -func p224SqrtCandidate(r, x *fiat.P224Element) { - // Since p = 1 mod 4, we can't use the exponentiation by (p + 1) / 4 like - // for the other primes. Instead, implement a variation of Tonelli–Shanks. - // The constant-time implementation is adapted from Thomas Pornin's ecGFp5. - // - // https://github.com/pornin/ecgfp5/blob/82325b965/rust/src/field.rs#L337-L385 - - // p = q*2^n + 1 with q odd -> q = 2^128 - 1 and n = 96 - // g^(2^n) = 1 -> g = 11 ^ q (where 11 is the smallest non-square) - // GG[j] = g^(2^j) for j = 0 to n-1 - - p224GGOnce.Do(func() { - p224GG = new([96]fiat.P224Element) - for i := range p224GG { - if i == 0 { - p224GG[i].SetBytes([]byte{0x6a, 0x0f, 0xec, 0x67, - 0x85, 0x98, 0xa7, 0x92, 0x0c, 0x55, 0xb2, 0xd4, - 0x0b, 0x2d, 0x6f, 0xfb, 0xbe, 0xa3, 0xd8, 0xce, - 0xf3, 0xfb, 0x36, 0x32, 0xdc, 0x69, 0x1b, 0x74}) - } else { - p224GG[i].Square(&p224GG[i-1]) - } - } - }) - - // r <- x^((q+1)/2) = x^(2^127) - // v <- x^q = x^(2^128-1) - - // Compute x^(2^127-1) first. - // - // The sequence of 10 multiplications and 126 squarings is derived from the - // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. - // - // _10 = 2*1 - // _11 = 1 + _10 - // _110 = 2*_11 - // _111 = 1 + _110 - // _111000 = _111 << 3 - // _111111 = _111 + _111000 - // _1111110 = 2*_111111 - // _1111111 = 1 + _1111110 - // x12 = _1111110 << 5 + _111111 - // x24 = x12 << 12 + x12 - // i36 = x24 << 7 - // x31 = _1111111 + i36 - // x48 = i36 << 17 + x24 - // x96 = x48 << 48 + x48 - // return x96 << 31 + x31 - // - var t0 = new(fiat.P224Element) - var t1 = new(fiat.P224Element) - - r.Square(x) - r.Mul(x, r) - r.Square(r) - r.Mul(x, r) - t0.Square(r) - for s := 1; s < 3; s++ { - t0.Square(t0) - } - t0.Mul(r, t0) - t1.Square(t0) - r.Mul(x, t1) - for s := 0; s < 5; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - t1.Square(t0) - for s := 1; s < 12; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - t1.Square(t0) - for s := 1; s < 7; s++ { - t1.Square(t1) - } - r.Mul(r, t1) - for s := 0; s < 17; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - t1.Square(t0) - for s := 1; s < 48; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - for s := 0; s < 31; s++ { - t0.Square(t0) - } - r.Mul(r, t0) - - // v = x^(2^127-1)^2 * x - v := new(fiat.P224Element).Square(r) - v.Mul(v, x) - - // r = x^(2^127-1) * x - r.Mul(r, x) - - // for i = n-1 down to 1: - // w = v^(2^(i-1)) - // if w == -1 then: - // v <- v*GG[n-i] - // r <- r*GG[n-i-1] - - var p224MinusOne = new(fiat.P224Element).Sub( - new(fiat.P224Element), new(fiat.P224Element).One()) - - for i := 96 - 1; i >= 1; i-- { - w := new(fiat.P224Element).Set(v) - for j := 0; j < i-1; j++ { - w.Square(w) - } - cond := w.Equal(p224MinusOne) - v.Select(t0.Mul(v, &p224GG[96-i]), v, cond) - r.Select(t0.Mul(r, &p224GG[96-i-1]), r, cond) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256.go deleted file mode 100644 index c957c542473..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256.go +++ /dev/null @@ -1,705 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!amd64 && !arm64 && !ppc64le && !s390x) || purego - -package nistec - -import ( - "crypto/internal/fips140/nistec/fiat" - "crypto/internal/fips140/subtle" - "crypto/internal/fips140deps/byteorder" - "crypto/internal/fips140deps/cpu" - "errors" - "math/bits" - "sync" - "unsafe" -) - -// P256Point is a P-256 point. The zero value is NOT valid. -type P256Point struct { - // The point is represented in projective coordinates (X:Y:Z), where x = X/Z - // and y = Y/Z. Infinity is (0:1:0). - // - // fiat.P256Element is a base field element in [0, P-1] in the Montgomery - // domain (with R 2²⁵⁶ and P 2²⁵⁶ - 2²²⁴ + 2¹⁹² + 2⁹⁶ - 1) as four limbs in - // little-endian order value. - x, y, z fiat.P256Element -} - -// NewP256Point returns a new P256Point representing the point at infinity point. -func NewP256Point() *P256Point { - p := &P256Point{} - p.y.One() - return p -} - -// SetGenerator sets p to the canonical generator and returns p. -func (p *P256Point) SetGenerator() *P256Point { - p.x.SetBytes([]byte{0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x3, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96}) - p.y.SetBytes([]byte{0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0xf, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5}) - p.z.One() - return p -} - -// Set sets p = q and returns p. -func (p *P256Point) Set(q *P256Point) *P256Point { - p.x.Set(&q.x) - p.y.Set(&q.y) - p.z.Set(&q.z) - return p -} - -const p256ElementLength = 32 -const p256UncompressedLength = 1 + 2*p256ElementLength -const p256CompressedLength = 1 + p256ElementLength - -// SetBytes sets p to the compressed, uncompressed, or infinity value encoded in -// b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on -// the curve, it returns nil and an error, and the receiver is unchanged. -// Otherwise, it returns p. -func (p *P256Point) SetBytes(b []byte) (*P256Point, error) { - switch { - // Point at infinity. - case len(b) == 1 && b[0] == 0: - return p.Set(NewP256Point()), nil - - // Uncompressed form. - case len(b) == p256UncompressedLength && b[0] == 4: - x, err := new(fiat.P256Element).SetBytes(b[1 : 1+p256ElementLength]) - if err != nil { - return nil, err - } - y, err := new(fiat.P256Element).SetBytes(b[1+p256ElementLength:]) - if err != nil { - return nil, err - } - if err := p256CheckOnCurve(x, y); err != nil { - return nil, err - } - p.x.Set(x) - p.y.Set(y) - p.z.One() - return p, nil - - // Compressed form. - case len(b) == p256CompressedLength && (b[0] == 2 || b[0] == 3): - x, err := new(fiat.P256Element).SetBytes(b[1:]) - if err != nil { - return nil, err - } - - // y² = x³ - 3x + b - y := p256Polynomial(new(fiat.P256Element), x) - if !p256Sqrt(y, y) { - return nil, errors.New("invalid P256 compressed point encoding") - } - - // Select the positive or negative root, as indicated by the least - // significant bit, based on the encoding type byte. - otherRoot := new(fiat.P256Element) - otherRoot.Sub(otherRoot, y) - cond := y.Bytes()[p256ElementLength-1]&1 ^ b[0]&1 - y.Select(otherRoot, y, int(cond)) - - p.x.Set(x) - p.y.Set(y) - p.z.One() - return p, nil - - default: - return nil, errors.New("invalid P256 point encoding") - } -} - -var _p256B *fiat.P256Element -var _p256BOnce sync.Once - -func p256B() *fiat.P256Element { - _p256BOnce.Do(func() { - _p256B, _ = new(fiat.P256Element).SetBytes([]byte{0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb, 0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x6, 0xb0, 0xcc, 0x53, 0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b}) - }) - return _p256B -} - -// p256Polynomial sets y2 to x³ - 3x + b, and returns y2. -func p256Polynomial(y2, x *fiat.P256Element) *fiat.P256Element { - y2.Square(x) - y2.Mul(y2, x) - - threeX := new(fiat.P256Element).Add(x, x) - threeX.Add(threeX, x) - y2.Sub(y2, threeX) - - return y2.Add(y2, p256B()) -} - -func p256CheckOnCurve(x, y *fiat.P256Element) error { - // y² = x³ - 3x + b - rhs := p256Polynomial(new(fiat.P256Element), x) - lhs := new(fiat.P256Element).Square(y) - if rhs.Equal(lhs) != 1 { - return errors.New("P256 point not on curve") - } - return nil -} - -// Bytes returns the uncompressed or infinity encoding of p, as specified in -// SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at -// infinity is shorter than all other encodings. -func (p *P256Point) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p256UncompressedLength]byte - return p.bytes(&out) -} - -func (p *P256Point) bytes(out *[p256UncompressedLength]byte) []byte { - // The SEC 1 representation of the point at infinity is a single zero byte, - // and only infinity has z = 0. - if p.z.IsZero() == 1 { - return append(out[:0], 0) - } - - zinv := new(fiat.P256Element).Invert(&p.z) - x := new(fiat.P256Element).Mul(&p.x, zinv) - y := new(fiat.P256Element).Mul(&p.y, zinv) - - buf := append(out[:0], 4) - buf = append(buf, x.Bytes()...) - buf = append(buf, y.Bytes()...) - return buf -} - -// BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, -// Version 2.0, Section 2.3.5, or an error if p is the point at infinity. -func (p *P256Point) BytesX() ([]byte, error) { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p256ElementLength]byte - return p.bytesX(&out) -} - -func (p *P256Point) bytesX(out *[p256ElementLength]byte) ([]byte, error) { - if p.z.IsZero() == 1 { - return nil, errors.New("P256 point is the point at infinity") - } - - zinv := new(fiat.P256Element).Invert(&p.z) - x := new(fiat.P256Element).Mul(&p.x, zinv) - - return append(out[:0], x.Bytes()...), nil -} - -// BytesCompressed returns the compressed or infinity encoding of p, as -// specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the -// point at infinity is shorter than all other encodings. -func (p *P256Point) BytesCompressed() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p256CompressedLength]byte - return p.bytesCompressed(&out) -} - -func (p *P256Point) bytesCompressed(out *[p256CompressedLength]byte) []byte { - if p.z.IsZero() == 1 { - return append(out[:0], 0) - } - - zinv := new(fiat.P256Element).Invert(&p.z) - x := new(fiat.P256Element).Mul(&p.x, zinv) - y := new(fiat.P256Element).Mul(&p.y, zinv) - - // Encode the sign of the y coordinate (indicated by the least significant - // bit) as the encoding type (2 or 3). - buf := append(out[:0], 2) - buf[0] |= y.Bytes()[p256ElementLength-1] & 1 - buf = append(buf, x.Bytes()...) - return buf -} - -// Add sets q = p1 + p2, and returns q. The points may overlap. -func (q *P256Point) Add(p1, p2 *P256Point) *P256Point { - // Complete addition formula for a = -3 from "Complete addition formulas for - // prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2. - - t0 := new(fiat.P256Element).Mul(&p1.x, &p2.x) // t0 := X1 * X2 - t1 := new(fiat.P256Element).Mul(&p1.y, &p2.y) // t1 := Y1 * Y2 - t2 := new(fiat.P256Element).Mul(&p1.z, &p2.z) // t2 := Z1 * Z2 - t3 := new(fiat.P256Element).Add(&p1.x, &p1.y) // t3 := X1 + Y1 - t4 := new(fiat.P256Element).Add(&p2.x, &p2.y) // t4 := X2 + Y2 - t3.Mul(t3, t4) // t3 := t3 * t4 - t4.Add(t0, t1) // t4 := t0 + t1 - t3.Sub(t3, t4) // t3 := t3 - t4 - t4.Add(&p1.y, &p1.z) // t4 := Y1 + Z1 - x3 := new(fiat.P256Element).Add(&p2.y, &p2.z) // X3 := Y2 + Z2 - t4.Mul(t4, x3) // t4 := t4 * X3 - x3.Add(t1, t2) // X3 := t1 + t2 - t4.Sub(t4, x3) // t4 := t4 - X3 - x3.Add(&p1.x, &p1.z) // X3 := X1 + Z1 - y3 := new(fiat.P256Element).Add(&p2.x, &p2.z) // Y3 := X2 + Z2 - x3.Mul(x3, y3) // X3 := X3 * Y3 - y3.Add(t0, t2) // Y3 := t0 + t2 - y3.Sub(x3, y3) // Y3 := X3 - Y3 - z3 := new(fiat.P256Element).Mul(p256B(), t2) // Z3 := b * t2 - x3.Sub(y3, z3) // X3 := Y3 - Z3 - z3.Add(x3, x3) // Z3 := X3 + X3 - x3.Add(x3, z3) // X3 := X3 + Z3 - z3.Sub(t1, x3) // Z3 := t1 - X3 - x3.Add(t1, x3) // X3 := t1 + X3 - y3.Mul(p256B(), y3) // Y3 := b * Y3 - t1.Add(t2, t2) // t1 := t2 + t2 - t2.Add(t1, t2) // t2 := t1 + t2 - y3.Sub(y3, t2) // Y3 := Y3 - t2 - y3.Sub(y3, t0) // Y3 := Y3 - t0 - t1.Add(y3, y3) // t1 := Y3 + Y3 - y3.Add(t1, y3) // Y3 := t1 + Y3 - t1.Add(t0, t0) // t1 := t0 + t0 - t0.Add(t1, t0) // t0 := t1 + t0 - t0.Sub(t0, t2) // t0 := t0 - t2 - t1.Mul(t4, y3) // t1 := t4 * Y3 - t2.Mul(t0, y3) // t2 := t0 * Y3 - y3.Mul(x3, z3) // Y3 := X3 * Z3 - y3.Add(y3, t2) // Y3 := Y3 + t2 - x3.Mul(t3, x3) // X3 := t3 * X3 - x3.Sub(x3, t1) // X3 := X3 - t1 - z3.Mul(t4, z3) // Z3 := t4 * Z3 - t1.Mul(t3, t0) // t1 := t3 * t0 - z3.Add(z3, t1) // Z3 := Z3 + t1 - - q.x.Set(x3) - q.y.Set(y3) - q.z.Set(z3) - return q -} - -// Double sets q = p + p, and returns q. The points may overlap. -func (q *P256Point) Double(p *P256Point) *P256Point { - // Complete addition formula for a = -3 from "Complete addition formulas for - // prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2. - - t0 := new(fiat.P256Element).Square(&p.x) // t0 := X ^ 2 - t1 := new(fiat.P256Element).Square(&p.y) // t1 := Y ^ 2 - t2 := new(fiat.P256Element).Square(&p.z) // t2 := Z ^ 2 - t3 := new(fiat.P256Element).Mul(&p.x, &p.y) // t3 := X * Y - t3.Add(t3, t3) // t3 := t3 + t3 - z3 := new(fiat.P256Element).Mul(&p.x, &p.z) // Z3 := X * Z - z3.Add(z3, z3) // Z3 := Z3 + Z3 - y3 := new(fiat.P256Element).Mul(p256B(), t2) // Y3 := b * t2 - y3.Sub(y3, z3) // Y3 := Y3 - Z3 - x3 := new(fiat.P256Element).Add(y3, y3) // X3 := Y3 + Y3 - y3.Add(x3, y3) // Y3 := X3 + Y3 - x3.Sub(t1, y3) // X3 := t1 - Y3 - y3.Add(t1, y3) // Y3 := t1 + Y3 - y3.Mul(x3, y3) // Y3 := X3 * Y3 - x3.Mul(x3, t3) // X3 := X3 * t3 - t3.Add(t2, t2) // t3 := t2 + t2 - t2.Add(t2, t3) // t2 := t2 + t3 - z3.Mul(p256B(), z3) // Z3 := b * Z3 - z3.Sub(z3, t2) // Z3 := Z3 - t2 - z3.Sub(z3, t0) // Z3 := Z3 - t0 - t3.Add(z3, z3) // t3 := Z3 + Z3 - z3.Add(z3, t3) // Z3 := Z3 + t3 - t3.Add(t0, t0) // t3 := t0 + t0 - t0.Add(t3, t0) // t0 := t3 + t0 - t0.Sub(t0, t2) // t0 := t0 - t2 - t0.Mul(t0, z3) // t0 := t0 * Z3 - y3.Add(y3, t0) // Y3 := Y3 + t0 - t0.Mul(&p.y, &p.z) // t0 := Y * Z - t0.Add(t0, t0) // t0 := t0 + t0 - z3.Mul(t0, z3) // Z3 := t0 * Z3 - x3.Sub(x3, z3) // X3 := X3 - Z3 - z3.Mul(t0, t1) // Z3 := t0 * t1 - z3.Add(z3, z3) // Z3 := Z3 + Z3 - z3.Add(z3, z3) // Z3 := Z3 + Z3 - - q.x.Set(x3) - q.y.Set(y3) - q.z.Set(z3) - return q -} - -// p256AffinePoint is a point in affine coordinates (x, y). x and y are still -// Montgomery domain elements. The point can't be the point at infinity. -type p256AffinePoint struct { - x, y fiat.P256Element -} - -func (p *p256AffinePoint) Projective() *P256Point { - pp := &P256Point{x: p.x, y: p.y} - pp.z.One() - return pp -} - -// AddAffine sets q = p1 + p2, if infinity == 0, and to p1 if infinity == 1. -// p2 can't be the point at infinity as it can't be represented in affine -// coordinates, instead callers can set p2 to an arbitrary point and set -// infinity to 1. -func (q *P256Point) AddAffine(p1 *P256Point, p2 *p256AffinePoint, infinity int) *P256Point { - // Complete mixed addition formula for a = -3 from "Complete addition - // formulas for prime order elliptic curves" - // (https://eprint.iacr.org/2015/1060), Algorithm 5. - - t0 := new(fiat.P256Element).Mul(&p1.x, &p2.x) // t0 ← X1 · X2 - t1 := new(fiat.P256Element).Mul(&p1.y, &p2.y) // t1 ← Y1 · Y2 - t3 := new(fiat.P256Element).Add(&p2.x, &p2.y) // t3 ← X2 + Y2 - t4 := new(fiat.P256Element).Add(&p1.x, &p1.y) // t4 ← X1 + Y1 - t3.Mul(t3, t4) // t3 ← t3 · t4 - t4.Add(t0, t1) // t4 ← t0 + t1 - t3.Sub(t3, t4) // t3 ← t3 − t4 - t4.Mul(&p2.y, &p1.z) // t4 ← Y2 · Z1 - t4.Add(t4, &p1.y) // t4 ← t4 + Y1 - y3 := new(fiat.P256Element).Mul(&p2.x, &p1.z) // Y3 ← X2 · Z1 - y3.Add(y3, &p1.x) // Y3 ← Y3 + X1 - z3 := new(fiat.P256Element).Mul(p256B(), &p1.z) // Z3 ← b · Z1 - x3 := new(fiat.P256Element).Sub(y3, z3) // X3 ← Y3 − Z3 - z3.Add(x3, x3) // Z3 ← X3 + X3 - x3.Add(x3, z3) // X3 ← X3 + Z3 - z3.Sub(t1, x3) // Z3 ← t1 − X3 - x3.Add(t1, x3) // X3 ← t1 + X3 - y3.Mul(p256B(), y3) // Y3 ← b · Y3 - t1.Add(&p1.z, &p1.z) // t1 ← Z1 + Z1 - t2 := new(fiat.P256Element).Add(t1, &p1.z) // t2 ← t1 + Z1 - y3.Sub(y3, t2) // Y3 ← Y3 − t2 - y3.Sub(y3, t0) // Y3 ← Y3 − t0 - t1.Add(y3, y3) // t1 ← Y3 + Y3 - y3.Add(t1, y3) // Y3 ← t1 + Y3 - t1.Add(t0, t0) // t1 ← t0 + t0 - t0.Add(t1, t0) // t0 ← t1 + t0 - t0.Sub(t0, t2) // t0 ← t0 − t2 - t1.Mul(t4, y3) // t1 ← t4 · Y3 - t2.Mul(t0, y3) // t2 ← t0 · Y3 - y3.Mul(x3, z3) // Y3 ← X3 · Z3 - y3.Add(y3, t2) // Y3 ← Y3 + t2 - x3.Mul(t3, x3) // X3 ← t3 · X3 - x3.Sub(x3, t1) // X3 ← X3 − t1 - z3.Mul(t4, z3) // Z3 ← t4 · Z3 - t1.Mul(t3, t0) // t1 ← t3 · t0 - z3.Add(z3, t1) // Z3 ← Z3 + t1 - - q.x.Select(&p1.x, x3, infinity) - q.y.Select(&p1.y, y3, infinity) - q.z.Select(&p1.z, z3, infinity) - return q -} - -// Select sets q to p1 if cond == 1, and to p2 if cond == 0. -func (q *P256Point) Select(p1, p2 *P256Point, cond int) *P256Point { - q.x.Select(&p1.x, &p2.x, cond) - q.y.Select(&p1.y, &p2.y, cond) - q.z.Select(&p1.z, &p2.z, cond) - return q -} - -// p256OrdElement is a P-256 scalar field element in [0, ord(G)-1] in the -// Montgomery domain (with R 2²⁵⁶) as four uint64 limbs in little-endian order. -type p256OrdElement [4]uint64 - -// SetBytes sets s to the big-endian value of x, reducing it as necessary. -func (s *p256OrdElement) SetBytes(x []byte) (*p256OrdElement, error) { - if len(x) != 32 { - return nil, errors.New("invalid scalar length") - } - - s[0] = byteorder.BEUint64(x[24:]) - s[1] = byteorder.BEUint64(x[16:]) - s[2] = byteorder.BEUint64(x[8:]) - s[3] = byteorder.BEUint64(x[:]) - - // Ensure s is in the range [0, ord(G)-1]. Since 2 * ord(G) > 2²⁵⁶, we can - // just conditionally subtract ord(G), keeping the result if it doesn't - // underflow. - t0, b := bits.Sub64(s[0], 0xf3b9cac2fc632551, 0) - t1, b := bits.Sub64(s[1], 0xbce6faada7179e84, b) - t2, b := bits.Sub64(s[2], 0xffffffffffffffff, b) - t3, b := bits.Sub64(s[3], 0xffffffff00000000, b) - tMask := b - 1 // zero if subtraction underflowed - s[0] ^= (t0 ^ s[0]) & tMask - s[1] ^= (t1 ^ s[1]) & tMask - s[2] ^= (t2 ^ s[2]) & tMask - s[3] ^= (t3 ^ s[3]) & tMask - - return s, nil -} - -func (s *p256OrdElement) Bytes() []byte { - var out [32]byte - byteorder.BEPutUint64(out[24:], s[0]) - byteorder.BEPutUint64(out[16:], s[1]) - byteorder.BEPutUint64(out[8:], s[2]) - byteorder.BEPutUint64(out[:], s[3]) - return out[:] -} - -// Rsh returns the 64 least significant bits of x >> n. n must be lower -// than 256. The value of n leaks through timing side-channels. -func (s *p256OrdElement) Rsh(n int) uint64 { - i := n / 64 - n = n % 64 - res := s[i] >> n - // Shift in the more significant limb, if present. - if i := i + 1; i < len(s) { - res |= s[i] << (64 - n) - } - return res -} - -// p256Table is a table of the first 16 multiples of a point. Points are stored -// at an index offset of -1 so [8]P is at index 7, P is at 0, and [16]P is at 15. -// [0]P is the point at infinity and it's not stored. -type p256Table [16]P256Point - -// Select selects the n-th multiple of the table base point into p. It works in -// constant time. n must be in [0, 16]. If n is 0, p is set to the identity point. -func (table *p256Table) Select(p *P256Point, n uint8) { - if n > 16 { - panic("nistec: internal error: p256Table called with out-of-bounds value") - } - p.Set(NewP256Point()) - for i := uint8(1); i <= 16; i++ { - cond := subtle.ConstantTimeByteEq(i, n) - p.Select(&table[i-1], p, cond) - } -} - -// Compute populates the table to the first 16 multiples of q. -func (table *p256Table) Compute(q *P256Point) *p256Table { - table[0].Set(q) - for i := 1; i < 16; i += 2 { - table[i].Double(&table[i/2]) - if i+1 < 16 { - table[i+1].Add(&table[i], q) - } - } - return table -} - -func boothW5(in uint64) (uint8, int) { - s := ^((in >> 5) - 1) - d := (1 << 6) - in - 1 - d = (d & s) | (in & (^s)) - d = (d >> 1) + (d & 1) - return uint8(d), int(s & 1) -} - -// ScalarMult sets r = scalar * q, where scalar is a 32-byte big endian value, -// and returns r. If scalar is not 32 bytes long, ScalarMult returns an error -// and the receiver is unchanged. -func (p *P256Point) ScalarMult(q *P256Point, scalar []byte) (*P256Point, error) { - s, err := new(p256OrdElement).SetBytes(scalar) - if err != nil { - return nil, err - } - - // Start scanning the window from the most significant bits. We move by - // 5 bits at a time and need to finish at -1, so -1 + 5 * 51 = 254. - index := 254 - - sel, sign := boothW5(s.Rsh(index)) - // sign is always zero because the boothW5 input here is at - // most two bits long, so the top bit is never set. - _ = sign - - // Neither Select nor Add have exceptions for the point at infinity / - // selector zero, so we don't need to check for it here or in the loop. - table := new(p256Table).Compute(q) - table.Select(p, sel) - - t := NewP256Point() - for index >= 4 { - index -= 5 - - p.Double(p) - p.Double(p) - p.Double(p) - p.Double(p) - p.Double(p) - - if index >= 0 { - sel, sign = boothW5(s.Rsh(index) & 0b111111) - } else { - // Booth encoding considers a virtual zero bit at index -1, - // so we shift left the least significant limb. - wvalue := (s[0] << 1) & 0b111111 - sel, sign = boothW5(wvalue) - } - - table.Select(t, sel) - t.Negate(sign) - p.Add(p, t) - } - - return p, nil -} - -// Negate sets p to -p, if cond == 1, and to p if cond == 0. -func (p *P256Point) Negate(cond int) *P256Point { - negY := new(fiat.P256Element) - negY.Sub(negY, &p.y) - p.y.Select(negY, &p.y, cond) - return p -} - -// p256AffineTable is a table of the first 32 multiples of a point. Points are -// stored at an index offset of -1 like in p256Table, and [0]P is not stored. -type p256AffineTable [32]p256AffinePoint - -// Select selects the n-th multiple of the table base point into p. It works in -// constant time. n can be in [0, 32], but (unlike p256Table.Select) if n is 0, -// p is set to an undefined value. -func (table *p256AffineTable) Select(p *p256AffinePoint, n uint8) { - if n > 32 { - panic("nistec: internal error: p256AffineTable.Select called with out-of-bounds value") - } - for i := uint8(1); i <= 32; i++ { - cond := subtle.ConstantTimeByteEq(i, n) - p.x.Select(&table[i-1].x, &p.x, cond) - p.y.Select(&table[i-1].y, &p.y, cond) - } -} - -// p256GeneratorTables is a series of precomputed multiples of G, the canonical -// generator. The first p256AffineTable contains multiples of G. The second one -// multiples of [2⁶]G, the third one of [2¹²]G, and so on, where each successive -// table is the previous table doubled six times. Six is the width of the -// sliding window used in ScalarBaseMult, and having each table already -// pre-doubled lets us avoid the doublings between windows entirely. This table -// aliases into p256PrecomputedEmbed. -var p256GeneratorTables *[43]p256AffineTable - -func init() { - p256GeneratorTablesPtr := unsafe.Pointer(&p256PrecomputedEmbed) - if cpu.BigEndian { - var newTable [43 * 32 * 2 * 4]uint64 - for i, x := range (*[43 * 32 * 2 * 4][8]byte)(p256GeneratorTablesPtr) { - newTable[i] = byteorder.LEUint64(x[:]) - } - p256GeneratorTablesPtr = unsafe.Pointer(&newTable) - } - p256GeneratorTables = (*[43]p256AffineTable)(p256GeneratorTablesPtr) -} - -func boothW6(in uint64) (uint8, int) { - s := ^((in >> 6) - 1) - d := (1 << 7) - in - 1 - d = (d & s) | (in & (^s)) - d = (d >> 1) + (d & 1) - return uint8(d), int(s & 1) -} - -// ScalarBaseMult sets p = scalar * generator, where scalar is a 32-byte big -// endian value, and returns r. If scalar is not 32 bytes long, ScalarBaseMult -// returns an error and the receiver is unchanged. -func (p *P256Point) ScalarBaseMult(scalar []byte) (*P256Point, error) { - // This function works like ScalarMult above, but the table is fixed and - // "pre-doubled" for each iteration, so instead of doubling we move to the - // next table at each iteration. - - s, err := new(p256OrdElement).SetBytes(scalar) - if err != nil { - return nil, err - } - - // Start scanning the window from the most significant bits. We move by - // 6 bits at a time and need to finish at -1, so -1 + 6 * 42 = 251. - index := 251 - - sel, sign := boothW6(s.Rsh(index)) - // sign is always zero because the boothW6 input here is at - // most five bits long, so the top bit is never set. - _ = sign - - t := &p256AffinePoint{} - table := &p256GeneratorTables[(index+1)/6] - table.Select(t, sel) - - // Select's output is undefined if the selector is zero, when it should be - // the point at infinity (because infinity can't be represented in affine - // coordinates). Here we conditionally set p to the infinity if sel is zero. - // In the loop, that's handled by AddAffine. - selIsZero := subtle.ConstantTimeByteEq(sel, 0) - p.Select(NewP256Point(), t.Projective(), selIsZero) - - for index >= 5 { - index -= 6 - - if index >= 0 { - sel, sign = boothW6(s.Rsh(index) & 0b1111111) - } else { - // Booth encoding considers a virtual zero bit at index -1, - // so we shift left the least significant limb. - wvalue := (s[0] << 1) & 0b1111111 - sel, sign = boothW6(wvalue) - } - - table := &p256GeneratorTables[(index+1)/6] - table.Select(t, sel) - t.Negate(sign) - selIsZero := subtle.ConstantTimeByteEq(sel, 0) - p.AddAffine(p, t, selIsZero) - } - - return p, nil -} - -// Negate sets p to -p, if cond == 1, and to p if cond == 0. -func (p *p256AffinePoint) Negate(cond int) *p256AffinePoint { - negY := new(fiat.P256Element) - negY.Sub(negY, &p.y) - p.y.Select(negY, &p.y, cond) - return p -} - -// p256Sqrt sets e to a square root of x. If x is not a square, p256Sqrt returns -// false and e is unchanged. e and x can overlap. -func p256Sqrt(e, x *fiat.P256Element) (isSquare bool) { - t0, t1 := new(fiat.P256Element), new(fiat.P256Element) - - // Since p = 3 mod 4, exponentiation by (p + 1) / 4 yields a square root candidate. - // - // The sequence of 7 multiplications and 253 squarings is derived from the - // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. - // - // _10 = 2*1 - // _11 = 1 + _10 - // _1100 = _11 << 2 - // _1111 = _11 + _1100 - // _11110000 = _1111 << 4 - // _11111111 = _1111 + _11110000 - // x16 = _11111111 << 8 + _11111111 - // x32 = x16 << 16 + x16 - // return ((x32 << 32 + 1) << 96 + 1) << 94 - // - p256Square(t0, x, 1) - t0.Mul(x, t0) - p256Square(t1, t0, 2) - t0.Mul(t0, t1) - p256Square(t1, t0, 4) - t0.Mul(t0, t1) - p256Square(t1, t0, 8) - t0.Mul(t0, t1) - p256Square(t1, t0, 16) - t0.Mul(t0, t1) - p256Square(t0, t0, 32) - t0.Mul(x, t0) - p256Square(t0, t0, 96) - t0.Mul(x, t0) - p256Square(t0, t0, 94) - - // Check if the candidate t0 is indeed a square root of x. - t1.Square(t0) - if t1.Equal(x) != 1 { - return false - } - e.Set(t0) - return true -} - -// p256Square sets e to the square of x, repeated n times > 1. -func p256Square(e, x *fiat.P256Element, n int) { - e.Square(x) - for i := 1; i < n; i++ { - e.Square(e) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm.go deleted file mode 100644 index f00e70d99d1..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm.go +++ /dev/null @@ -1,757 +0,0 @@ -// Copyright 2015 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This file contains the Go wrapper for the constant-time, 64-bit assembly -// implementation of P256. The optimizations performed here are described in -// detail in: -// S.Gueron and V.Krasnov, "Fast prime field elliptic-curve cryptography with -// 256-bit primes" -// https://link.springer.com/article/10.1007%2Fs13389-014-0090-x -// https://eprint.iacr.org/2013/816.pdf - -//go:build (amd64 || arm64 || ppc64le || s390x) && !purego - -package nistec - -import ( - "crypto/internal/fips140deps/byteorder" - "errors" - "math/bits" - "runtime" - "unsafe" -) - -// p256Element is a P-256 base field element in [0, P-1] in the Montgomery -// domain (with R 2²⁵⁶) as four limbs in little-endian order value. -type p256Element [4]uint64 - -// p256One is one in the Montgomery domain. -var p256One = p256Element{0x0000000000000001, 0xffffffff00000000, - 0xffffffffffffffff, 0x00000000fffffffe} - -var p256Zero = p256Element{} - -// p256P is 2²⁵⁶ - 2²²⁴ + 2¹⁹² + 2⁹⁶ - 1 in the Montgomery domain. -var p256P = p256Element{0xffffffffffffffff, 0x00000000ffffffff, - 0x0000000000000000, 0xffffffff00000001} - -// P256Point is a P-256 point. The zero value should not be assumed to be valid -// (although it is in this implementation). -type P256Point struct { - // (X:Y:Z) are Jacobian coordinates where x = X/Z² and y = Y/Z³. The point - // at infinity can be represented by any set of coordinates with Z = 0. - x, y, z p256Element -} - -// NewP256Point returns a new P256Point representing the point at infinity. -func NewP256Point() *P256Point { - return &P256Point{ - x: p256One, y: p256One, z: p256Zero, - } -} - -// SetGenerator sets p to the canonical generator and returns p. -func (p *P256Point) SetGenerator() *P256Point { - p.x = p256Element{0x79e730d418a9143c, 0x75ba95fc5fedb601, - 0x79fb732b77622510, 0x18905f76a53755c6} - p.y = p256Element{0xddf25357ce95560a, 0x8b4ab8e4ba19e45c, - 0xd2e88688dd21f325, 0x8571ff1825885d85} - p.z = p256One - return p -} - -// Set sets p = q and returns p. -func (p *P256Point) Set(q *P256Point) *P256Point { - p.x, p.y, p.z = q.x, q.y, q.z - return p -} - -const p256ElementLength = 32 -const p256UncompressedLength = 1 + 2*p256ElementLength -const p256CompressedLength = 1 + p256ElementLength - -// SetBytes sets p to the compressed, uncompressed, or infinity value encoded in -// b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on -// the curve, it returns nil and an error, and the receiver is unchanged. -// Otherwise, it returns p. -func (p *P256Point) SetBytes(b []byte) (*P256Point, error) { - // p256Mul operates in the Montgomery domain with R = 2²⁵⁶ mod p. Thus rr - // here is R in the Montgomery domain, or R×R mod p. See comment in - // P256OrdInverse about how this is used. - rr := p256Element{0x0000000000000003, 0xfffffffbffffffff, - 0xfffffffffffffffe, 0x00000004fffffffd} - - switch { - // Point at infinity. - case len(b) == 1 && b[0] == 0: - return p.Set(NewP256Point()), nil - - // Uncompressed form. - case len(b) == p256UncompressedLength && b[0] == 4: - var r P256Point - p256BigToLittle(&r.x, (*[32]byte)(b[1:33])) - p256BigToLittle(&r.y, (*[32]byte)(b[33:65])) - if p256LessThanP(&r.x) == 0 || p256LessThanP(&r.y) == 0 { - return nil, errors.New("invalid P256 element encoding") - } - p256Mul(&r.x, &r.x, &rr) - p256Mul(&r.y, &r.y, &rr) - if err := p256CheckOnCurve(&r.x, &r.y); err != nil { - return nil, err - } - r.z = p256One - return p.Set(&r), nil - - // Compressed form. - case len(b) == p256CompressedLength && (b[0] == 2 || b[0] == 3): - var r P256Point - p256BigToLittle(&r.x, (*[32]byte)(b[1:33])) - if p256LessThanP(&r.x) == 0 { - return nil, errors.New("invalid P256 element encoding") - } - p256Mul(&r.x, &r.x, &rr) - - // y² = x³ - 3x + b - p256Polynomial(&r.y, &r.x) - if !p256Sqrt(&r.y, &r.y) { - return nil, errors.New("invalid P256 compressed point encoding") - } - - // Select the positive or negative root, as indicated by the least - // significant bit, based on the encoding type byte. - yy := new(p256Element) - p256FromMont(yy, &r.y) - cond := int(yy[0]&1) ^ int(b[0]&1) - p256NegCond(&r.y, cond) - - r.z = p256One - return p.Set(&r), nil - - default: - return nil, errors.New("invalid P256 point encoding") - } -} - -// p256Polynomial sets y2 to x³ - 3x + b, and returns y2. -func p256Polynomial(y2, x *p256Element) *p256Element { - x3 := new(p256Element) - p256Sqr(x3, x, 1) - p256Mul(x3, x3, x) - - threeX := new(p256Element) - p256Add(threeX, x, x) - p256Add(threeX, threeX, x) - p256NegCond(threeX, 1) - - p256B := &p256Element{0xd89cdf6229c4bddf, 0xacf005cd78843090, - 0xe5a220abf7212ed6, 0xdc30061d04874834} - - p256Add(x3, x3, threeX) - p256Add(x3, x3, p256B) - - *y2 = *x3 - return y2 -} - -func p256CheckOnCurve(x, y *p256Element) error { - // y² = x³ - 3x + b - rhs := p256Polynomial(new(p256Element), x) - lhs := new(p256Element) - p256Sqr(lhs, y, 1) - if p256Equal(lhs, rhs) != 1 { - return errors.New("P256 point not on curve") - } - return nil -} - -// p256LessThanP returns 1 if x < p, and 0 otherwise. Note that a p256Element is -// not allowed to be equal to or greater than p, so if this function returns 0 -// then x is invalid. -func p256LessThanP(x *p256Element) int { - var b uint64 - _, b = bits.Sub64(x[0], p256P[0], b) - _, b = bits.Sub64(x[1], p256P[1], b) - _, b = bits.Sub64(x[2], p256P[2], b) - _, b = bits.Sub64(x[3], p256P[3], b) - return int(b) -} - -func p256BigToLittle(l *p256Element, b *[32]byte) { - bytesToLimbs((*[4]uint64)(l), b) -} - -func bytesToLimbs(l *[4]uint64, b *[32]byte) { - l[0] = byteorder.BEUint64(b[24:]) - l[1] = byteorder.BEUint64(b[16:]) - l[2] = byteorder.BEUint64(b[8:]) - l[3] = byteorder.BEUint64(b[:]) -} - -func p256LittleToBig(b *[32]byte, l *p256Element) { - limbsToBytes(b, (*[4]uint64)(l)) -} - -func limbsToBytes(b *[32]byte, l *[4]uint64) { - byteorder.BEPutUint64(b[24:], l[0]) - byteorder.BEPutUint64(b[16:], l[1]) - byteorder.BEPutUint64(b[8:], l[2]) - byteorder.BEPutUint64(b[:], l[3]) -} - -// p256Add sets res = x + y. -func p256Add(res, x, y *p256Element) { - var c, b uint64 - t1 := make([]uint64, 4) - t1[0], c = bits.Add64(x[0], y[0], 0) - t1[1], c = bits.Add64(x[1], y[1], c) - t1[2], c = bits.Add64(x[2], y[2], c) - t1[3], c = bits.Add64(x[3], y[3], c) - t2 := make([]uint64, 4) - t2[0], b = bits.Sub64(t1[0], p256P[0], 0) - t2[1], b = bits.Sub64(t1[1], p256P[1], b) - t2[2], b = bits.Sub64(t1[2], p256P[2], b) - t2[3], b = bits.Sub64(t1[3], p256P[3], b) - // Three options: - // - a+b < p - // then c is 0, b is 1, and t1 is correct - // - p <= a+b < 2^256 - // then c is 0, b is 0, and t2 is correct - // - 2^256 <= a+b - // then c is 1, b is 1, and t2 is correct - t2Mask := (c ^ b) - 1 - res[0] = (t1[0] & ^t2Mask) | (t2[0] & t2Mask) - res[1] = (t1[1] & ^t2Mask) | (t2[1] & t2Mask) - res[2] = (t1[2] & ^t2Mask) | (t2[2] & t2Mask) - res[3] = (t1[3] & ^t2Mask) | (t2[3] & t2Mask) -} - -// p256Sqrt sets e to a square root of x. If x is not a square, p256Sqrt returns -// false and e is unchanged. e and x can overlap. -func p256Sqrt(e, x *p256Element) (isSquare bool) { - t0, t1 := new(p256Element), new(p256Element) - - // Since p = 3 mod 4, exponentiation by (p + 1) / 4 yields a square root candidate. - // - // The sequence of 7 multiplications and 253 squarings is derived from the - // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. - // - // _10 = 2*1 - // _11 = 1 + _10 - // _1100 = _11 << 2 - // _1111 = _11 + _1100 - // _11110000 = _1111 << 4 - // _11111111 = _1111 + _11110000 - // x16 = _11111111 << 8 + _11111111 - // x32 = x16 << 16 + x16 - // return ((x32 << 32 + 1) << 96 + 1) << 94 - // - p256Sqr(t0, x, 1) - p256Mul(t0, x, t0) - p256Sqr(t1, t0, 2) - p256Mul(t0, t0, t1) - p256Sqr(t1, t0, 4) - p256Mul(t0, t0, t1) - p256Sqr(t1, t0, 8) - p256Mul(t0, t0, t1) - p256Sqr(t1, t0, 16) - p256Mul(t0, t0, t1) - p256Sqr(t0, t0, 32) - p256Mul(t0, x, t0) - p256Sqr(t0, t0, 96) - p256Mul(t0, x, t0) - p256Sqr(t0, t0, 94) - - p256Sqr(t1, t0, 1) - if p256Equal(t1, x) != 1 { - return false - } - *e = *t0 - return true -} - -// The following assembly functions are implemented in p256_asm_*.s - -// Montgomery multiplication. Sets res = in1 * in2 * R⁻¹ mod p. -// -//go:noescape -func p256Mul(res, in1, in2 *p256Element) - -// Montgomery square, repeated n times (n >= 1). -// -//go:noescape -func p256Sqr(res, in *p256Element, n int) - -// Montgomery multiplication by R⁻¹, or 1 outside the domain. -// Sets res = in * R⁻¹, bringing res out of the Montgomery domain. -// -//go:noescape -func p256FromMont(res, in *p256Element) - -// If cond is not 0, sets val = -val mod p. -// -//go:noescape -func p256NegCond(val *p256Element, cond int) - -// If cond is 0, sets res = b, otherwise sets res = a. -// -//go:noescape -func p256MovCond(res, a, b *P256Point, cond int) - -// p256Table is a table of the first 16 multiples of a point. Points are stored -// at an index offset of -1 so [8]P is at index 7, P is at 0, and [16]P is at 15. -// [0]P is the point at infinity and it's not stored. -type p256Table [16]P256Point - -// p256Select sets res to the point at index idx in the table. -// idx must be in [0, 15]. It executes in constant time. -// -//go:noescape -func p256Select(res *P256Point, table *p256Table, idx int) - -// p256AffinePoint is a point in affine coordinates (x, y). x and y are still -// Montgomery domain elements. The point can't be the point at infinity. -type p256AffinePoint struct { - x, y p256Element -} - -// p256AffineTable is a table of the first 32 multiples of a point. Points are -// stored at an index offset of -1 like in p256Table, and [0]P is not stored. -type p256AffineTable [32]p256AffinePoint - -// p256Precomputed is a series of precomputed multiples of G, the canonical -// generator. The first p256AffineTable contains multiples of G. The second one -// multiples of [2⁶]G, the third one of [2¹²]G, and so on, where each successive -// table is the previous table doubled six times. Six is the width of the -// sliding window used in p256ScalarBaseMult, and having each table already -// pre-doubled lets us avoid the doublings between windows entirely. This table -// aliases into p256PrecomputedEmbed. -var p256Precomputed *[43]p256AffineTable - -func init() { - p256PrecomputedPtr := unsafe.Pointer(&p256PrecomputedEmbed) - if runtime.GOARCH == "s390x" { - var newTable [43 * 32 * 2 * 4]uint64 - for i, x := range (*[43 * 32 * 2 * 4][8]byte)(p256PrecomputedPtr) { - newTable[i] = byteorder.LEUint64(x[:]) - } - p256PrecomputedPtr = unsafe.Pointer(&newTable) - } - p256Precomputed = (*[43]p256AffineTable)(p256PrecomputedPtr) -} - -// p256SelectAffine sets res to the point at index idx in the table. -// idx must be in [0, 31]. It executes in constant time. -// -//go:noescape -func p256SelectAffine(res *p256AffinePoint, table *p256AffineTable, idx int) - -// Point addition with an affine point and constant time conditions. -// If zero is 0, sets res = in2. If sel is 0, sets res = in1. -// If sign is not 0, sets res = in1 + -in2. Otherwise, sets res = in1 + in2 -// -//go:noescape -func p256PointAddAffineAsm(res, in1 *P256Point, in2 *p256AffinePoint, sign, sel, zero int) - -// Point addition. Sets res = in1 + in2. Returns one if the two input points -// were equal and zero otherwise. If in1 or in2 are the point at infinity, res -// and the return value are undefined. -// -//go:noescape -func p256PointAddAsm(res, in1, in2 *P256Point) int - -// Point doubling. Sets res = in + in. in can be the point at infinity. -// -//go:noescape -func p256PointDoubleAsm(res, in *P256Point) - -// p256OrdElement is a P-256 scalar field element in [0, ord(G)-1] in the -// Montgomery domain (with R 2²⁵⁶) as four uint64 limbs in little-endian order. -type p256OrdElement [4]uint64 - -// p256OrdReduce ensures s is in the range [0, ord(G)-1]. -func p256OrdReduce(s *p256OrdElement) { - // Since 2 * ord(G) > 2²⁵⁶, we can just conditionally subtract ord(G), - // keeping the result if it doesn't underflow. - t0, b := bits.Sub64(s[0], 0xf3b9cac2fc632551, 0) - t1, b := bits.Sub64(s[1], 0xbce6faada7179e84, b) - t2, b := bits.Sub64(s[2], 0xffffffffffffffff, b) - t3, b := bits.Sub64(s[3], 0xffffffff00000000, b) - tMask := b - 1 // zero if subtraction underflowed - s[0] ^= (t0 ^ s[0]) & tMask - s[1] ^= (t1 ^ s[1]) & tMask - s[2] ^= (t2 ^ s[2]) & tMask - s[3] ^= (t3 ^ s[3]) & tMask -} - -func p256OrdLittleToBig(b *[32]byte, l *p256OrdElement) { - limbsToBytes(b, (*[4]uint64)(l)) -} - -func p256OrdBigToLittle(l *p256OrdElement, b *[32]byte) { - bytesToLimbs((*[4]uint64)(l), b) -} - -// Add sets q = p1 + p2, and returns q. The points may overlap. -func (q *P256Point) Add(r1, r2 *P256Point) *P256Point { - var sum, double P256Point - r1IsInfinity := r1.isInfinity() - r2IsInfinity := r2.isInfinity() - pointsEqual := p256PointAddAsm(&sum, r1, r2) - p256PointDoubleAsm(&double, r1) - p256MovCond(&sum, &double, &sum, pointsEqual) - p256MovCond(&sum, r1, &sum, r2IsInfinity) - p256MovCond(&sum, r2, &sum, r1IsInfinity) - return q.Set(&sum) -} - -// Double sets q = p + p, and returns q. The points may overlap. -func (q *P256Point) Double(p *P256Point) *P256Point { - var double P256Point - p256PointDoubleAsm(&double, p) - return q.Set(&double) -} - -// ScalarBaseMult sets r = scalar * generator, where scalar is a 32-byte big -// endian value, and returns r. If scalar is not 32 bytes long, ScalarBaseMult -// returns an error and the receiver is unchanged. -func (r *P256Point) ScalarBaseMult(scalar []byte) (*P256Point, error) { - if len(scalar) != 32 { - return nil, errors.New("invalid scalar length") - } - scalarReversed := new(p256OrdElement) - p256OrdBigToLittle(scalarReversed, (*[32]byte)(scalar)) - p256OrdReduce(scalarReversed) - - r.p256BaseMult(scalarReversed) - return r, nil -} - -// ScalarMult sets r = scalar * q, where scalar is a 32-byte big endian value, -// and returns r. If scalar is not 32 bytes long, ScalarBaseMult returns an -// error and the receiver is unchanged. -func (r *P256Point) ScalarMult(q *P256Point, scalar []byte) (*P256Point, error) { - if len(scalar) != 32 { - return nil, errors.New("invalid scalar length") - } - scalarReversed := new(p256OrdElement) - p256OrdBigToLittle(scalarReversed, (*[32]byte)(scalar)) - p256OrdReduce(scalarReversed) - - r.Set(q).p256ScalarMult(scalarReversed) - return r, nil -} - -// uint64IsZero returns 1 if x is zero and zero otherwise. -func uint64IsZero(x uint64) int { - x = ^x - x &= x >> 32 - x &= x >> 16 - x &= x >> 8 - x &= x >> 4 - x &= x >> 2 - x &= x >> 1 - return int(x & 1) -} - -// p256Equal returns 1 if a and b are equal and 0 otherwise. -func p256Equal(a, b *p256Element) int { - var acc uint64 - for i := range a { - acc |= a[i] ^ b[i] - } - return uint64IsZero(acc) -} - -// isInfinity returns 1 if p is the point at infinity and 0 otherwise. -func (p *P256Point) isInfinity() int { - return p256Equal(&p.z, &p256Zero) -} - -// Bytes returns the uncompressed or infinity encoding of p, as specified in -// SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at -// infinity is shorter than all other encodings. -func (p *P256Point) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p256UncompressedLength]byte - return p.bytes(&out) -} - -func (p *P256Point) bytes(out *[p256UncompressedLength]byte) []byte { - // The proper representation of the point at infinity is a single zero byte. - if p.isInfinity() == 1 { - return append(out[:0], 0) - } - - x, y := new(p256Element), new(p256Element) - p.affineFromMont(x, y) - - out[0] = 4 // Uncompressed form. - p256LittleToBig((*[32]byte)(out[1:33]), x) - p256LittleToBig((*[32]byte)(out[33:65]), y) - - return out[:] -} - -// affineFromMont sets (x, y) to the affine coordinates of p, converted out of the -// Montgomery domain. -func (p *P256Point) affineFromMont(x, y *p256Element) { - p256Inverse(y, &p.z) - p256Sqr(x, y, 1) - p256Mul(y, y, x) - - p256Mul(x, &p.x, x) - p256Mul(y, &p.y, y) - - p256FromMont(x, x) - p256FromMont(y, y) -} - -// BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, -// Version 2.0, Section 2.3.5, or an error if p is the point at infinity. -func (p *P256Point) BytesX() ([]byte, error) { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p256ElementLength]byte - return p.bytesX(&out) -} - -func (p *P256Point) bytesX(out *[p256ElementLength]byte) ([]byte, error) { - if p.isInfinity() == 1 { - return nil, errors.New("P256 point is the point at infinity") - } - - x := new(p256Element) - p256Inverse(x, &p.z) - p256Sqr(x, x, 1) - p256Mul(x, &p.x, x) - p256FromMont(x, x) - p256LittleToBig((*[32]byte)(out[:]), x) - - return out[:], nil -} - -// BytesCompressed returns the compressed or infinity encoding of p, as -// specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the -// point at infinity is shorter than all other encodings. -func (p *P256Point) BytesCompressed() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p256CompressedLength]byte - return p.bytesCompressed(&out) -} - -func (p *P256Point) bytesCompressed(out *[p256CompressedLength]byte) []byte { - if p.isInfinity() == 1 { - return append(out[:0], 0) - } - - x, y := new(p256Element), new(p256Element) - p.affineFromMont(x, y) - - out[0] = 2 | byte(y[0]&1) - p256LittleToBig((*[32]byte)(out[1:33]), x) - - return out[:] -} - -// Select sets q to p1 if cond == 1, and to p2 if cond == 0. -func (q *P256Point) Select(p1, p2 *P256Point, cond int) *P256Point { - p256MovCond(q, p1, p2, cond) - return q -} - -// p256Inverse sets out to in⁻¹ mod p. If in is zero, out will be zero. -func p256Inverse(out, in *p256Element) { - // Inversion is calculated through exponentiation by p - 2, per Fermat's - // little theorem. - // - // The sequence of 12 multiplications and 255 squarings is derived from the - // following addition chain generated with github.com/mmcloughlin/addchain - // v0.4.0. - // - // _10 = 2*1 - // _11 = 1 + _10 - // _110 = 2*_11 - // _111 = 1 + _110 - // _111000 = _111 << 3 - // _111111 = _111 + _111000 - // x12 = _111111 << 6 + _111111 - // x15 = x12 << 3 + _111 - // x16 = 2*x15 + 1 - // x32 = x16 << 16 + x16 - // i53 = x32 << 15 - // x47 = x15 + i53 - // i263 = ((i53 << 17 + 1) << 143 + x47) << 47 - // return (x47 + i263) << 2 + 1 - // - var z = new(p256Element) - var t0 = new(p256Element) - var t1 = new(p256Element) - - p256Sqr(z, in, 1) - p256Mul(z, in, z) - p256Sqr(z, z, 1) - p256Mul(z, in, z) - p256Sqr(t0, z, 3) - p256Mul(t0, z, t0) - p256Sqr(t1, t0, 6) - p256Mul(t0, t0, t1) - p256Sqr(t0, t0, 3) - p256Mul(z, z, t0) - p256Sqr(t0, z, 1) - p256Mul(t0, in, t0) - p256Sqr(t1, t0, 16) - p256Mul(t0, t0, t1) - p256Sqr(t0, t0, 15) - p256Mul(z, z, t0) - p256Sqr(t0, t0, 17) - p256Mul(t0, in, t0) - p256Sqr(t0, t0, 143) - p256Mul(t0, z, t0) - p256Sqr(t0, t0, 47) - p256Mul(z, z, t0) - p256Sqr(z, z, 2) - p256Mul(out, in, z) -} - -func boothW5(in uint) (int, int) { - var s uint = ^((in >> 5) - 1) - var d uint = (1 << 6) - in - 1 - d = (d & s) | (in & (^s)) - d = (d >> 1) + (d & 1) - return int(d), int(s & 1) -} - -func boothW6(in uint) (int, int) { - var s uint = ^((in >> 6) - 1) - var d uint = (1 << 7) - in - 1 - d = (d & s) | (in & (^s)) - d = (d >> 1) + (d & 1) - return int(d), int(s & 1) -} - -func (p *P256Point) p256BaseMult(scalar *p256OrdElement) { - var t0 p256AffinePoint - - wvalue := (scalar[0] << 1) & 0x7f - sel, sign := boothW6(uint(wvalue)) - p256SelectAffine(&t0, &p256Precomputed[0], sel) - p.x, p.y, p.z = t0.x, t0.y, p256One - p256NegCond(&p.y, sign) - - index := uint(5) - zero := sel - - for i := 1; i < 43; i++ { - if index < 192 { - wvalue = ((scalar[index/64] >> (index % 64)) + (scalar[index/64+1] << (64 - (index % 64)))) & 0x7f - } else { - wvalue = (scalar[index/64] >> (index % 64)) & 0x7f - } - index += 6 - sel, sign = boothW6(uint(wvalue)) - p256SelectAffine(&t0, &p256Precomputed[i], sel) - p256PointAddAffineAsm(p, p, &t0, sign, sel, zero) - zero |= sel - } - - // If the whole scalar was zero, set to the point at infinity. - p256MovCond(p, p, NewP256Point(), zero) -} - -func (p *P256Point) p256ScalarMult(scalar *p256OrdElement) { - // precomp is a table of precomputed points that stores powers of p - // from p^1 to p^16. - var precomp p256Table - var t0, t1, t2, t3 P256Point - - // Prepare the table - precomp[0] = *p // 1 - - p256PointDoubleAsm(&t0, p) - p256PointDoubleAsm(&t1, &t0) - p256PointDoubleAsm(&t2, &t1) - p256PointDoubleAsm(&t3, &t2) - precomp[1] = t0 // 2 - precomp[3] = t1 // 4 - precomp[7] = t2 // 8 - precomp[15] = t3 // 16 - - p256PointAddAsm(&t0, &t0, p) - p256PointAddAsm(&t1, &t1, p) - p256PointAddAsm(&t2, &t2, p) - precomp[2] = t0 // 3 - precomp[4] = t1 // 5 - precomp[8] = t2 // 9 - - p256PointDoubleAsm(&t0, &t0) - p256PointDoubleAsm(&t1, &t1) - precomp[5] = t0 // 6 - precomp[9] = t1 // 10 - - p256PointAddAsm(&t2, &t0, p) - p256PointAddAsm(&t1, &t1, p) - precomp[6] = t2 // 7 - precomp[10] = t1 // 11 - - p256PointDoubleAsm(&t0, &t0) - p256PointDoubleAsm(&t2, &t2) - precomp[11] = t0 // 12 - precomp[13] = t2 // 14 - - p256PointAddAsm(&t0, &t0, p) - p256PointAddAsm(&t2, &t2, p) - precomp[12] = t0 // 13 - precomp[14] = t2 // 15 - - // Start scanning the window from top bit - index := uint(254) - var sel, sign int - - wvalue := (scalar[index/64] >> (index % 64)) & 0x3f - sel, _ = boothW5(uint(wvalue)) - - p256Select(p, &precomp, sel) - zero := sel - - for index > 4 { - index -= 5 - p256PointDoubleAsm(p, p) - p256PointDoubleAsm(p, p) - p256PointDoubleAsm(p, p) - p256PointDoubleAsm(p, p) - p256PointDoubleAsm(p, p) - - if index < 192 { - wvalue = ((scalar[index/64] >> (index % 64)) + (scalar[index/64+1] << (64 - (index % 64)))) & 0x3f - } else { - wvalue = (scalar[index/64] >> (index % 64)) & 0x3f - } - - sel, sign = boothW5(uint(wvalue)) - - p256Select(&t0, &precomp, sel) - p256NegCond(&t0.y, sign) - p256PointAddAsm(&t1, p, &t0) - p256MovCond(&t1, &t1, p, sel) - p256MovCond(p, &t1, &t0, zero) - zero |= sel - } - - p256PointDoubleAsm(p, p) - p256PointDoubleAsm(p, p) - p256PointDoubleAsm(p, p) - p256PointDoubleAsm(p, p) - p256PointDoubleAsm(p, p) - - wvalue = (scalar[0] << 1) & 0x3f - sel, sign = boothW5(uint(wvalue)) - - p256Select(&t0, &precomp, sel) - p256NegCond(&t0.y, sign) - p256PointAddAsm(&t1, p, &t0) - p256MovCond(&t1, &t1, p, sel) - p256MovCond(p, &t1, &t0, zero) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_amd64.s deleted file mode 100644 index 64894891e98..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_amd64.s +++ /dev/null @@ -1,2425 +0,0 @@ -// Code generated by command: go run p256_asm.go -out ../p256_asm_amd64.s. DO NOT EDIT. - -//go:build !purego - -#include "textflag.h" - -// func p256MovCond(res *P256Point, a *P256Point, b *P256Point, cond int) -// Requires: SSE2 -TEXT ·p256MovCond(SB), NOSPLIT, $0-32 - MOVQ res+0(FP), DI - MOVQ a+8(FP), SI - MOVQ b+16(FP), CX - MOVQ cond+24(FP), X12 - PXOR X13, X13 - PSHUFD $0x00, X12, X12 - PCMPEQL X13, X12 - MOVOU X12, X0 - MOVOU (SI), X6 - PANDN X6, X0 - MOVOU X12, X1 - MOVOU 16(SI), X7 - PANDN X7, X1 - MOVOU X12, X2 - MOVOU 32(SI), X8 - PANDN X8, X2 - MOVOU X12, X3 - MOVOU 48(SI), X9 - PANDN X9, X3 - MOVOU X12, X4 - MOVOU 64(SI), X10 - PANDN X10, X4 - MOVOU X12, X5 - MOVOU 80(SI), X11 - PANDN X11, X5 - MOVOU (CX), X6 - MOVOU 16(CX), X7 - MOVOU 32(CX), X8 - MOVOU 48(CX), X9 - MOVOU 64(CX), X10 - MOVOU 80(CX), X11 - PAND X12, X6 - PAND X12, X7 - PAND X12, X8 - PAND X12, X9 - PAND X12, X10 - PAND X12, X11 - PXOR X6, X0 - PXOR X7, X1 - PXOR X8, X2 - PXOR X9, X3 - PXOR X10, X4 - PXOR X11, X5 - MOVOU X0, (DI) - MOVOU X1, 16(DI) - MOVOU X2, 32(DI) - MOVOU X3, 48(DI) - MOVOU X4, 64(DI) - MOVOU X5, 80(DI) - RET - -// func p256NegCond(val *p256Element, cond int) -// Requires: CMOV -TEXT ·p256NegCond(SB), NOSPLIT, $0-16 - MOVQ val+0(FP), DI - MOVQ cond+8(FP), R14 - - // acc = poly - MOVQ $-1, R8 - MOVQ p256const0<>+0(SB), R9 - MOVQ $+0, R10 - MOVQ p256const1<>+0(SB), R11 - - // Load the original value - MOVQ (DI), R13 - MOVQ 8(DI), SI - MOVQ 16(DI), CX - MOVQ 24(DI), R15 - - // Speculatively subtract - SUBQ R13, R8 - SBBQ SI, R9 - SBBQ CX, R10 - SBBQ R15, R11 - - // If condition is 0, keep original value - TESTQ R14, R14 - CMOVQEQ R13, R8 - CMOVQEQ SI, R9 - CMOVQEQ CX, R10 - CMOVQEQ R15, R11 - - // Store result - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - RET - -DATA p256const0<>+0(SB)/8, $0x00000000ffffffff -GLOBL p256const0<>(SB), RODATA, $8 - -DATA p256const1<>+0(SB)/8, $0xffffffff00000001 -GLOBL p256const1<>(SB), RODATA, $8 - -// func p256Sqr(res *p256Element, in *p256Element, n int) -// Requires: CMOV -TEXT ·p256Sqr(SB), NOSPLIT, $0-24 - MOVQ res+0(FP), DI - MOVQ in+8(FP), SI - MOVQ n+16(FP), BX - -sqrLoop: - // y[1:] * y[0] - MOVQ (SI), R14 - MOVQ 8(SI), AX - MULQ R14 - MOVQ AX, R9 - MOVQ DX, R10 - MOVQ 16(SI), AX - MULQ R14 - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R11 - MOVQ 24(SI), AX - MULQ R14 - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R12 - - // y[2:] * y[1] - MOVQ 8(SI), R14 - MOVQ 16(SI), AX - MULQ R14 - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 24(SI), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R13 - - // y[3] * y[2] - MOVQ 16(SI), R14 - MOVQ 24(SI), AX - MULQ R14 - ADDQ AX, R13 - ADCQ $0x00, DX - MOVQ DX, CX - XORQ R15, R15 - - // *2 - ADDQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ CX, CX - ADCQ $0x00, R15 - - // Missing products - MOVQ (SI), AX - MULQ AX - MOVQ AX, R8 - MOVQ DX, R14 - MOVQ 8(SI), AX - MULQ AX - ADDQ R14, R9 - ADCQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R14 - MOVQ 16(SI), AX - MULQ AX - ADDQ R14, R11 - ADCQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R14 - MOVQ 24(SI), AX - MULQ AX - ADDQ R14, R13 - ADCQ AX, CX - ADCQ DX, R15 - MOVQ R15, SI - - // First reduction step - MOVQ R8, AX - MOVQ R8, R15 - SHLQ $0x20, R8 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R8, R9 - ADCQ R15, R10 - ADCQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R8 - - // Second reduction step - MOVQ R9, AX - MOVQ R9, R15 - SHLQ $0x20, R9 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R9, R10 - ADCQ R15, R11 - ADCQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, R9 - - // Third reduction step - MOVQ R10, AX - MOVQ R10, R15 - SHLQ $0x20, R10 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R10, R11 - ADCQ R15, R8 - ADCQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, R10 - - // Last reduction step - XORQ R14, R14 - MOVQ R11, AX - MOVQ R11, R15 - SHLQ $0x20, R11 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R11, R8 - ADCQ R15, R9 - ADCQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R11 - - // Add bits [511:256] of the sqr result - ADCQ R12, R8 - ADCQ R13, R9 - ADCQ CX, R10 - ADCQ SI, R11 - ADCQ $0x00, R14 - MOVQ R8, R12 - MOVQ R9, R13 - MOVQ R10, CX - MOVQ R11, R15 - - // Subtract p256 - SUBQ $-1, R8 - SBBQ p256const0<>+0(SB), R9 - SBBQ $0x00, R10 - SBBQ p256const1<>+0(SB), R11 - SBBQ $0x00, R14 - CMOVQCS R12, R8 - CMOVQCS R13, R9 - CMOVQCS CX, R10 - CMOVQCS R15, R11 - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ DI, SI - DECQ BX - JNE sqrLoop - RET - -// func p256Mul(res *p256Element, in1 *p256Element, in2 *p256Element) -// Requires: CMOV -TEXT ·p256Mul(SB), NOSPLIT, $0-24 - MOVQ res+0(FP), DI - MOVQ in1+8(FP), SI - MOVQ in2+16(FP), CX - - // x * y[0] - MOVQ (CX), R14 - MOVQ (SI), AX - MULQ R14 - MOVQ AX, R8 - MOVQ DX, R9 - MOVQ 8(SI), AX - MULQ R14 - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, R10 - MOVQ 16(SI), AX - MULQ R14 - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R11 - MOVQ 24(SI), AX - MULQ R14 - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R12 - XORQ R13, R13 - - // First reduction step - MOVQ R8, AX - MOVQ R8, R15 - SHLQ $0x20, R8 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R8, R9 - ADCQ R15, R10 - ADCQ AX, R11 - ADCQ DX, R12 - ADCQ $0x00, R13 - XORQ R8, R8 - - // x * y[1] - MOVQ 8(CX), R14 - MOVQ (SI), AX - MULQ R14 - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 8(SI), AX - MULQ R14 - ADDQ R15, R10 - ADCQ $0x00, DX - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 16(SI), AX - MULQ R14 - ADDQ R15, R11 - ADCQ $0x00, DX - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 24(SI), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ $0x00, R8 - - // Second reduction step - MOVQ R9, AX - MOVQ R9, R15 - SHLQ $0x20, R9 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R9, R10 - ADCQ R15, R11 - ADCQ AX, R12 - ADCQ DX, R13 - ADCQ $0x00, R8 - XORQ R9, R9 - - // x * y[2] - MOVQ 16(CX), R14 - MOVQ (SI), AX - MULQ R14 - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 8(SI), AX - MULQ R14 - ADDQ R15, R11 - ADCQ $0x00, DX - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 16(SI), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 24(SI), AX - MULQ R14 - ADDQ R15, R13 - ADCQ $0x00, DX - ADDQ AX, R13 - ADCQ DX, R8 - ADCQ $0x00, R9 - - // Third reduction step - MOVQ R10, AX - MOVQ R10, R15 - SHLQ $0x20, R10 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R10, R11 - ADCQ R15, R12 - ADCQ AX, R13 - ADCQ DX, R8 - ADCQ $0x00, R9 - XORQ R10, R10 - - // x * y[3] - MOVQ 24(CX), R14 - MOVQ (SI), AX - MULQ R14 - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 8(SI), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 16(SI), AX - MULQ R14 - ADDQ R15, R13 - ADCQ $0x00, DX - ADDQ AX, R13 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 24(SI), AX - MULQ R14 - ADDQ R15, R8 - ADCQ $0x00, DX - ADDQ AX, R8 - ADCQ DX, R9 - ADCQ $0x00, R10 - - // Last reduction step - MOVQ R11, AX - MOVQ R11, R15 - SHLQ $0x20, R11 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R11, R12 - ADCQ R15, R13 - ADCQ AX, R8 - ADCQ DX, R9 - ADCQ $0x00, R10 - - // Copy result [255:0] - MOVQ R12, SI - MOVQ R13, R11 - MOVQ R8, R14 - MOVQ R9, R15 - - // Subtract p256 - SUBQ $-1, R12 - SBBQ p256const0<>+0(SB), R13 - SBBQ $0x00, R8 - SBBQ p256const1<>+0(SB), R9 - SBBQ $0x00, R10 - CMOVQCS SI, R12 - CMOVQCS R11, R13 - CMOVQCS R14, R8 - CMOVQCS R15, R9 - MOVQ R12, (DI) - MOVQ R13, 8(DI) - MOVQ R8, 16(DI) - MOVQ R9, 24(DI) - RET - -// func p256FromMont(res *p256Element, in *p256Element) -// Requires: CMOV -TEXT ·p256FromMont(SB), NOSPLIT, $0-16 - MOVQ res+0(FP), DI - MOVQ in+8(FP), SI - MOVQ (SI), R8 - MOVQ 8(SI), R9 - MOVQ 16(SI), R10 - MOVQ 24(SI), R11 - XORQ R12, R12 - - // Only reduce, no multiplications are needed - // First stage - MOVQ R8, AX - MOVQ R8, R15 - SHLQ $0x20, R8 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R8, R9 - ADCQ R15, R10 - ADCQ AX, R11 - ADCQ DX, R12 - XORQ R13, R13 - - // Second stage - MOVQ R9, AX - MOVQ R9, R15 - SHLQ $0x20, R9 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R9, R10 - ADCQ R15, R11 - ADCQ AX, R12 - ADCQ DX, R13 - XORQ R8, R8 - - // Third stage - MOVQ R10, AX - MOVQ R10, R15 - SHLQ $0x20, R10 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R10, R11 - ADCQ R15, R12 - ADCQ AX, R13 - ADCQ DX, R8 - XORQ R9, R9 - - // Last stage - MOVQ R11, AX - MOVQ R11, R15 - SHLQ $0x20, R11 - MULQ p256const1<>+0(SB) - SHRQ $0x20, R15 - ADDQ R11, R12 - ADCQ R15, R13 - ADCQ AX, R8 - ADCQ DX, R9 - MOVQ R12, SI - MOVQ R13, R11 - MOVQ R8, R14 - MOVQ R9, R15 - SUBQ $-1, R12 - SBBQ p256const0<>+0(SB), R13 - SBBQ $0x00, R8 - SBBQ p256const1<>+0(SB), R9 - CMOVQCS SI, R12 - CMOVQCS R11, R13 - CMOVQCS R14, R8 - CMOVQCS R15, R9 - MOVQ R12, (DI) - MOVQ R13, 8(DI) - MOVQ R8, 16(DI) - MOVQ R9, 24(DI) - RET - -// func p256Select(res *P256Point, table *p256Table, idx int) -// Requires: SSE2 -TEXT ·p256Select(SB), NOSPLIT, $0-24 - MOVQ idx+16(FP), AX - MOVQ table+8(FP), DI - MOVQ res+0(FP), DX - PXOR X15, X15 - PCMPEQL X14, X14 - PSUBL X14, X15 - MOVL AX, X14 - PSHUFD $0x00, X14, X14 - PXOR X0, X0 - PXOR X1, X1 - PXOR X2, X2 - PXOR X3, X3 - PXOR X4, X4 - PXOR X5, X5 - MOVQ $0x00000010, AX - MOVOU X15, X13 - -loop_select: - MOVOU X13, X12 - PADDL X15, X13 - PCMPEQL X14, X12 - MOVOU (DI), X6 - MOVOU 16(DI), X7 - MOVOU 32(DI), X8 - MOVOU 48(DI), X9 - MOVOU 64(DI), X10 - MOVOU 80(DI), X11 - ADDQ $0x60, DI - PAND X12, X6 - PAND X12, X7 - PAND X12, X8 - PAND X12, X9 - PAND X12, X10 - PAND X12, X11 - PXOR X6, X0 - PXOR X7, X1 - PXOR X8, X2 - PXOR X9, X3 - PXOR X10, X4 - PXOR X11, X5 - DECQ AX - JNE loop_select - MOVOU X0, (DX) - MOVOU X1, 16(DX) - MOVOU X2, 32(DX) - MOVOU X3, 48(DX) - MOVOU X4, 64(DX) - MOVOU X5, 80(DX) - RET - -// func p256SelectAffine(res *p256AffinePoint, table *p256AffineTable, idx int) -// Requires: SSE2 -TEXT ·p256SelectAffine(SB), NOSPLIT, $0-24 - MOVQ idx+16(FP), AX - MOVQ table+8(FP), DI - MOVQ res+0(FP), DX - PXOR X15, X15 - PCMPEQL X14, X14 - PSUBL X14, X15 - MOVL AX, X14 - PSHUFD $0x00, X14, X14 - PXOR X0, X0 - PXOR X1, X1 - PXOR X2, X2 - PXOR X3, X3 - MOVQ $0x00000010, AX - MOVOU X15, X13 - -loop_select_base: - MOVOU X13, X12 - PADDL X15, X13 - PCMPEQL X14, X12 - MOVOU (DI), X4 - MOVOU 16(DI), X5 - MOVOU 32(DI), X6 - MOVOU 48(DI), X7 - MOVOU 64(DI), X8 - MOVOU 80(DI), X9 - MOVOU 96(DI), X10 - MOVOU 112(DI), X11 - ADDQ $0x80, DI - PAND X12, X4 - PAND X12, X5 - PAND X12, X6 - PAND X12, X7 - MOVOU X13, X12 - PADDL X15, X13 - PCMPEQL X14, X12 - PAND X12, X8 - PAND X12, X9 - PAND X12, X10 - PAND X12, X11 - PXOR X4, X0 - PXOR X5, X1 - PXOR X6, X2 - PXOR X7, X3 - PXOR X8, X0 - PXOR X9, X1 - PXOR X10, X2 - PXOR X11, X3 - DECQ AX - JNE loop_select_base - MOVOU X0, (DX) - MOVOU X1, 16(DX) - MOVOU X2, 32(DX) - MOVOU X3, 48(DX) - RET - -// func p256OrdMul(res *p256OrdElement, in1 *p256OrdElement, in2 *p256OrdElement) -// Requires: CMOV -TEXT ·p256OrdMul(SB), NOSPLIT, $0-24 - MOVQ res+0(FP), DI - MOVQ in1+8(FP), SI - MOVQ in2+16(FP), CX - - // x * y[0] - MOVQ (CX), R14 - MOVQ (SI), AX - MULQ R14 - MOVQ AX, R8 - MOVQ DX, R9 - MOVQ 8(SI), AX - MULQ R14 - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, R10 - MOVQ 16(SI), AX - MULQ R14 - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R11 - MOVQ 24(SI), AX - MULQ R14 - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R12 - XORQ R13, R13 - - // First reduction step - MOVQ R8, AX - MULQ p256ordK0<>+0(SB) - MOVQ AX, R14 - MOVQ p256ord<>+0(SB), AX - MULQ R14 - ADDQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+8(SB), AX - MULQ R14 - ADDQ R15, R9 - ADCQ $0x00, DX - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+16(SB), AX - MULQ R14 - ADDQ R15, R10 - ADCQ $0x00, DX - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+24(SB), AX - MULQ R14 - ADDQ R15, R11 - ADCQ $0x00, DX - ADDQ AX, R11 - ADCQ DX, R12 - ADCQ $0x00, R13 - - // x * y[1] - MOVQ 8(CX), R14 - MOVQ (SI), AX - MULQ R14 - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 8(SI), AX - MULQ R14 - ADDQ R15, R10 - ADCQ $0x00, DX - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 16(SI), AX - MULQ R14 - ADDQ R15, R11 - ADCQ $0x00, DX - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 24(SI), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ $0x00, R8 - - // Second reduction step - MOVQ R9, AX - MULQ p256ordK0<>+0(SB) - MOVQ AX, R14 - MOVQ p256ord<>+0(SB), AX - MULQ R14 - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+8(SB), AX - MULQ R14 - ADDQ R15, R10 - ADCQ $0x00, DX - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+16(SB), AX - MULQ R14 - ADDQ R15, R11 - ADCQ $0x00, DX - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+24(SB), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ DX, R13 - ADCQ $0x00, R8 - - // x * y[2] - MOVQ 16(CX), R14 - MOVQ (SI), AX - MULQ R14 - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 8(SI), AX - MULQ R14 - ADDQ R15, R11 - ADCQ $0x00, DX - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 16(SI), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 24(SI), AX - MULQ R14 - ADDQ R15, R13 - ADCQ $0x00, DX - ADDQ AX, R13 - ADCQ DX, R8 - ADCQ $0x00, R9 - - // Third reduction step - MOVQ R10, AX - MULQ p256ordK0<>+0(SB) - MOVQ AX, R14 - MOVQ p256ord<>+0(SB), AX - MULQ R14 - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+8(SB), AX - MULQ R14 - ADDQ R15, R11 - ADCQ $0x00, DX - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+16(SB), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+24(SB), AX - MULQ R14 - ADDQ R15, R13 - ADCQ $0x00, DX - ADDQ AX, R13 - ADCQ DX, R8 - ADCQ $0x00, R9 - - // x * y[3] - MOVQ 24(CX), R14 - MOVQ (SI), AX - MULQ R14 - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 8(SI), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 16(SI), AX - MULQ R14 - ADDQ R15, R13 - ADCQ $0x00, DX - ADDQ AX, R13 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 24(SI), AX - MULQ R14 - ADDQ R15, R8 - ADCQ $0x00, DX - ADDQ AX, R8 - ADCQ DX, R9 - ADCQ $0x00, R10 - - // Last reduction step - MOVQ R11, AX - MULQ p256ordK0<>+0(SB) - MOVQ AX, R14 - MOVQ p256ord<>+0(SB), AX - MULQ R14 - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+8(SB), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+16(SB), AX - MULQ R14 - ADDQ R15, R13 - ADCQ $0x00, DX - ADDQ AX, R13 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+24(SB), AX - MULQ R14 - ADDQ R15, R8 - ADCQ $0x00, DX - ADDQ AX, R8 - ADCQ DX, R9 - ADCQ $0x00, R10 - - // Copy result [255:0] - MOVQ R12, SI - MOVQ R13, R11 - MOVQ R8, R14 - MOVQ R9, R15 - - // Subtract p256 - SUBQ p256ord<>+0(SB), R12 - SBBQ p256ord<>+8(SB), R13 - SBBQ p256ord<>+16(SB), R8 - SBBQ p256ord<>+24(SB), R9 - SBBQ $0x00, R10 - CMOVQCS SI, R12 - CMOVQCS R11, R13 - CMOVQCS R14, R8 - CMOVQCS R15, R9 - MOVQ R12, (DI) - MOVQ R13, 8(DI) - MOVQ R8, 16(DI) - MOVQ R9, 24(DI) - RET - -DATA p256ordK0<>+0(SB)/8, $0xccd1c8aaee00bc4f -GLOBL p256ordK0<>(SB), RODATA, $8 - -DATA p256ord<>+0(SB)/8, $0xf3b9cac2fc632551 -DATA p256ord<>+8(SB)/8, $0xbce6faada7179e84 -DATA p256ord<>+16(SB)/8, $0xffffffffffffffff -DATA p256ord<>+24(SB)/8, $0xffffffff00000000 -GLOBL p256ord<>(SB), RODATA, $32 - -// func p256OrdSqr(res *p256OrdElement, in *p256OrdElement, n int) -// Requires: CMOV -TEXT ·p256OrdSqr(SB), NOSPLIT, $0-24 - MOVQ res+0(FP), DI - MOVQ in+8(FP), SI - MOVQ n+16(FP), BX - -ordSqrLoop: - // y[1:] * y[0] - MOVQ (SI), R14 - MOVQ 8(SI), AX - MULQ R14 - MOVQ AX, R9 - MOVQ DX, R10 - MOVQ 16(SI), AX - MULQ R14 - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R11 - MOVQ 24(SI), AX - MULQ R14 - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R12 - - // y[2:] * y[1] - MOVQ 8(SI), R14 - MOVQ 16(SI), AX - MULQ R14 - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ 24(SI), AX - MULQ R14 - ADDQ R15, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R13 - - // y[3] * y[2] - MOVQ 16(SI), R14 - MOVQ 24(SI), AX - MULQ R14 - ADDQ AX, R13 - ADCQ $0x00, DX - MOVQ DX, CX - XORQ R15, R15 - - // *2 - ADDQ R9, R9 - ADCQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ CX, CX - ADCQ $0x00, R15 - - // Missing products - MOVQ (SI), AX - MULQ AX - MOVQ AX, R8 - MOVQ DX, R14 - MOVQ 8(SI), AX - MULQ AX - ADDQ R14, R9 - ADCQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R14 - MOVQ 16(SI), AX - MULQ AX - ADDQ R14, R11 - ADCQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R14 - MOVQ 24(SI), AX - MULQ AX - ADDQ R14, R13 - ADCQ AX, CX - ADCQ DX, R15 - MOVQ R15, SI - - // First reduction step - MOVQ R8, AX - MULQ p256ordK0<>+0(SB) - MOVQ AX, R14 - MOVQ p256ord<>+0(SB), AX - MULQ R14 - ADDQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+8(SB), AX - MULQ R14 - ADDQ R15, R9 - ADCQ $0x00, DX - ADDQ AX, R9 - MOVQ R14, R15 - ADCQ DX, R10 - ADCQ $0x00, R15 - SUBQ R14, R10 - SBBQ $0x00, R15 - MOVQ R14, AX - MOVQ R14, DX - MOVQ R14, R8 - SHLQ $0x20, AX - SHRQ $0x20, DX - ADDQ R15, R11 - ADCQ $0x00, R8 - SUBQ AX, R11 - SBBQ DX, R8 - - // Second reduction step - MOVQ R9, AX - MULQ p256ordK0<>+0(SB) - MOVQ AX, R14 - MOVQ p256ord<>+0(SB), AX - MULQ R14 - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+8(SB), AX - MULQ R14 - ADDQ R15, R10 - ADCQ $0x00, DX - ADDQ AX, R10 - MOVQ R14, R15 - ADCQ DX, R11 - ADCQ $0x00, R15 - SUBQ R14, R11 - SBBQ $0x00, R15 - MOVQ R14, AX - MOVQ R14, DX - MOVQ R14, R9 - SHLQ $0x20, AX - SHRQ $0x20, DX - ADDQ R15, R8 - ADCQ $0x00, R9 - SUBQ AX, R8 - SBBQ DX, R9 - - // Third reduction step - MOVQ R10, AX - MULQ p256ordK0<>+0(SB) - MOVQ AX, R14 - MOVQ p256ord<>+0(SB), AX - MULQ R14 - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+8(SB), AX - MULQ R14 - ADDQ R15, R11 - ADCQ $0x00, DX - ADDQ AX, R11 - MOVQ R14, R15 - ADCQ DX, R8 - ADCQ $0x00, R15 - SUBQ R14, R8 - SBBQ $0x00, R15 - MOVQ R14, AX - MOVQ R14, DX - MOVQ R14, R10 - SHLQ $0x20, AX - SHRQ $0x20, DX - ADDQ R15, R9 - ADCQ $0x00, R10 - SUBQ AX, R9 - SBBQ DX, R10 - - // Last reduction step - MOVQ R11, AX - MULQ p256ordK0<>+0(SB) - MOVQ AX, R14 - MOVQ p256ord<>+0(SB), AX - MULQ R14 - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ p256ord<>+8(SB), AX - MULQ R14 - ADDQ R15, R8 - ADCQ $0x00, DX - ADDQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ R14, R15 - ADCQ DX, R9 - ADCQ $0x00, R15 - SUBQ R14, R9 - SBBQ $0x00, R15 - MOVQ R14, AX - MOVQ R14, DX - MOVQ R14, R11 - SHLQ $0x20, AX - SHRQ $0x20, DX - ADDQ R15, R10 - ADCQ $0x00, R11 - SUBQ AX, R10 - SBBQ DX, R11 - XORQ R14, R14 - - // Add bits [511:256] of the sqr result - ADCQ R12, R8 - ADCQ R13, R9 - ADCQ CX, R10 - ADCQ SI, R11 - ADCQ $0x00, R14 - MOVQ R8, R12 - MOVQ R9, R13 - MOVQ R10, CX - MOVQ R11, R15 - - // Subtract p256 - SUBQ p256ord<>+0(SB), R8 - SBBQ p256ord<>+8(SB), R9 - SBBQ p256ord<>+16(SB), R10 - SBBQ p256ord<>+24(SB), R11 - SBBQ $0x00, R14 - CMOVQCS R12, R8 - CMOVQCS R13, R9 - CMOVQCS CX, R10 - CMOVQCS R15, R11 - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - MOVQ R11, 24(DI) - MOVQ DI, SI - DECQ BX - JNE ordSqrLoop - RET - -// func p256SubInternal() -// Requires: CMOV -TEXT p256SubInternal(SB), NOSPLIT, $0 - XORQ AX, AX - SUBQ R14, R10 - SBBQ R15, R11 - SBBQ DI, R12 - SBBQ SI, R13 - SBBQ $0x00, AX - MOVQ R10, BX - MOVQ R11, CX - MOVQ R12, R8 - MOVQ R13, R9 - ADDQ $-1, R10 - ADCQ p256const0<>+0(SB), R11 - ADCQ $0x00, R12 - ADCQ p256const1<>+0(SB), R13 - ANDQ $0x01, AX - CMOVQEQ BX, R10 - CMOVQEQ CX, R11 - CMOVQEQ R8, R12 - CMOVQEQ R9, R13 - RET - -// func p256MulInternal() -// Requires: CMOV -TEXT p256MulInternal(SB), NOSPLIT, $8 - MOVQ R10, AX - MULQ R14 - MOVQ AX, BX - MOVQ DX, CX - MOVQ R10, AX - MULQ R15 - ADDQ AX, CX - ADCQ $0x00, DX - MOVQ DX, R8 - MOVQ R10, AX - MULQ DI - ADDQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, R9 - MOVQ R10, AX - MULQ SI - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, R10 - MOVQ R11, AX - MULQ R14 - ADDQ AX, CX - ADCQ $0x00, DX - MOVQ DX, BP - MOVQ R11, AX - MULQ R15 - ADDQ BP, R8 - ADCQ $0x00, DX - ADDQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, BP - MOVQ R11, AX - MULQ DI - ADDQ BP, R9 - ADCQ $0x00, DX - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, BP - MOVQ R11, AX - MULQ SI - ADDQ BP, R10 - ADCQ $0x00, DX - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, R11 - MOVQ R12, AX - MULQ R14 - ADDQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, BP - MOVQ R12, AX - MULQ R15 - ADDQ BP, R9 - ADCQ $0x00, DX - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, BP - MOVQ R12, AX - MULQ DI - ADDQ BP, R10 - ADCQ $0x00, DX - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, BP - MOVQ R12, AX - MULQ SI - ADDQ BP, R11 - ADCQ $0x00, DX - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, R12 - MOVQ R13, AX - MULQ R14 - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, BP - MOVQ R13, AX - MULQ R15 - ADDQ BP, R10 - ADCQ $0x00, DX - ADDQ AX, R10 - ADCQ $0x00, DX - MOVQ DX, BP - MOVQ R13, AX - MULQ DI - ADDQ BP, R11 - ADCQ $0x00, DX - ADDQ AX, R11 - ADCQ $0x00, DX - MOVQ DX, BP - MOVQ R13, AX - MULQ SI - ADDQ BP, R12 - ADCQ $0x00, DX - ADDQ AX, R12 - ADCQ $0x00, DX - MOVQ DX, R13 - - // First reduction step - MOVQ BX, AX - MOVQ BX, BP - SHLQ $0x20, BX - MULQ p256const1<>+0(SB) - SHRQ $0x20, BP - ADDQ BX, CX - ADCQ BP, R8 - ADCQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, BX - - // Second reduction step - MOVQ CX, AX - MOVQ CX, BP - SHLQ $0x20, CX - MULQ p256const1<>+0(SB) - SHRQ $0x20, BP - ADDQ CX, R8 - ADCQ BP, R9 - ADCQ AX, BX - ADCQ $0x00, DX - MOVQ DX, CX - - // Third reduction step - MOVQ R8, AX - MOVQ R8, BP - SHLQ $0x20, R8 - MULQ p256const1<>+0(SB) - SHRQ $0x20, BP - ADDQ R8, R9 - ADCQ BP, BX - ADCQ AX, CX - ADCQ $0x00, DX - MOVQ DX, R8 - - // Last reduction step - MOVQ R9, AX - MOVQ R9, BP - SHLQ $0x20, R9 - MULQ p256const1<>+0(SB) - SHRQ $0x20, BP - ADDQ R9, BX - ADCQ BP, CX - ADCQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, R9 - MOVQ $0x00000000, BP - - // Add bits [511:256] of the result - ADCQ BX, R10 - ADCQ CX, R11 - ADCQ R8, R12 - ADCQ R9, R13 - ADCQ $0x00, BP - - // Copy result - MOVQ R10, BX - MOVQ R11, CX - MOVQ R12, R8 - MOVQ R13, R9 - - // Subtract p256 - SUBQ $-1, R10 - SBBQ p256const0<>+0(SB), R11 - SBBQ $0x00, R12 - SBBQ p256const1<>+0(SB), R13 - SBBQ $0x00, BP - - // If the result of the subtraction is negative, restore the previous result - CMOVQCS BX, R10 - CMOVQCS CX, R11 - CMOVQCS R8, R12 - CMOVQCS R9, R13 - RET - -// func p256SqrInternal() -// Requires: CMOV -TEXT p256SqrInternal(SB), NOSPLIT, $8 - MOVQ R10, AX - MULQ R11 - MOVQ AX, CX - MOVQ DX, R8 - MOVQ R10, AX - MULQ R12 - ADDQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, R9 - MOVQ R10, AX - MULQ R13 - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, R14 - MOVQ R11, AX - MULQ R12 - ADDQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, BP - MOVQ R11, AX - MULQ R13 - ADDQ BP, R14 - ADCQ $0x00, DX - ADDQ AX, R14 - ADCQ $0x00, DX - MOVQ DX, R15 - MOVQ R12, AX - MULQ R13 - ADDQ AX, R15 - ADCQ $0x00, DX - MOVQ DX, DI - XORQ SI, SI - - // *2 - ADDQ CX, CX - ADCQ R8, R8 - ADCQ R9, R9 - ADCQ R14, R14 - ADCQ R15, R15 - ADCQ DI, DI - ADCQ $0x00, SI - - // Missing products - MOVQ R10, AX - MULQ AX - MOVQ AX, BX - MOVQ DX, R10 - MOVQ R11, AX - MULQ AX - ADDQ R10, CX - ADCQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, R10 - MOVQ R12, AX - MULQ AX - ADDQ R10, R9 - ADCQ AX, R14 - ADCQ $0x00, DX - MOVQ DX, R10 - MOVQ R13, AX - MULQ AX - ADDQ R10, R15 - ADCQ AX, DI - ADCQ DX, SI - - // First reduction step - MOVQ BX, AX - MOVQ BX, BP - SHLQ $0x20, BX - MULQ p256const1<>+0(SB) - SHRQ $0x20, BP - ADDQ BX, CX - ADCQ BP, R8 - ADCQ AX, R9 - ADCQ $0x00, DX - MOVQ DX, BX - - // Second reduction step - MOVQ CX, AX - MOVQ CX, BP - SHLQ $0x20, CX - MULQ p256const1<>+0(SB) - SHRQ $0x20, BP - ADDQ CX, R8 - ADCQ BP, R9 - ADCQ AX, BX - ADCQ $0x00, DX - MOVQ DX, CX - - // Third reduction step - MOVQ R8, AX - MOVQ R8, BP - SHLQ $0x20, R8 - MULQ p256const1<>+0(SB) - SHRQ $0x20, BP - ADDQ R8, R9 - ADCQ BP, BX - ADCQ AX, CX - ADCQ $0x00, DX - MOVQ DX, R8 - - // Last reduction step - MOVQ R9, AX - MOVQ R9, BP - SHLQ $0x20, R9 - MULQ p256const1<>+0(SB) - SHRQ $0x20, BP - ADDQ R9, BX - ADCQ BP, CX - ADCQ AX, R8 - ADCQ $0x00, DX - MOVQ DX, R9 - MOVQ $0x00000000, BP - - // Add bits [511:256] of the result - ADCQ BX, R14 - ADCQ CX, R15 - ADCQ R8, DI - ADCQ R9, SI - ADCQ $0x00, BP - - // Copy result - MOVQ R14, R10 - MOVQ R15, R11 - MOVQ DI, R12 - MOVQ SI, R13 - - // Subtract p256 - SUBQ $-1, R10 - SBBQ p256const0<>+0(SB), R11 - SBBQ $0x00, R12 - SBBQ p256const1<>+0(SB), R13 - SBBQ $0x00, BP - - // If the result of the subtraction is negative, restore the previous result - CMOVQCS R14, R10 - CMOVQCS R15, R11 - CMOVQCS DI, R12 - CMOVQCS SI, R13 - RET - -// func p256PointAddAffineAsm(res *P256Point, in1 *P256Point, in2 *p256AffinePoint, sign int, sel int, zero int) -// Requires: CMOV, SSE2 -TEXT ·p256PointAddAffineAsm(SB), $512-48 - MOVQ res+0(FP), AX - MOVQ in1+8(FP), BX - MOVQ in2+16(FP), CX - MOVQ sign+24(FP), DX - MOVQ sel+32(FP), R15 - MOVQ zero+40(FP), DI - MOVOU (BX), X0 - MOVOU 16(BX), X1 - MOVOU 32(BX), X2 - MOVOU 48(BX), X3 - MOVOU 64(BX), X4 - MOVOU 80(BX), X5 - MOVOU X0, (SP) - MOVOU X1, 16(SP) - MOVOU X2, 32(SP) - MOVOU X3, 48(SP) - MOVOU X4, 64(SP) - MOVOU X5, 80(SP) - MOVOU (CX), X0 - MOVOU 16(CX), X1 - MOVOU X0, 96(SP) - MOVOU X1, 112(SP) - - // Store pointer to result - MOVQ AX, 480(SP) - MOVL R15, 488(SP) - MOVL DI, 492(SP) - - // Negate y2in based on sign - MOVQ 32(CX), R10 - MOVQ 40(CX), R11 - MOVQ 48(CX), R12 - MOVQ 56(CX), R13 - MOVQ $-1, BX - MOVQ p256const0<>+0(SB), CX - MOVQ $0x00000000, R8 - MOVQ p256const1<>+0(SB), R9 - XORQ AX, AX - - // Speculatively subtract - SUBQ R10, BX - SBBQ R11, CX - SBBQ R12, R8 - SBBQ R13, R9 - SBBQ $0x00, AX - MOVQ BX, R14 - MOVQ CX, R15 - MOVQ R8, DI - MOVQ R9, SI - - // Add in case the operand was > p256 - ADDQ $-1, BX - ADCQ p256const0<>+0(SB), CX - ADCQ $0x00, R8 - ADCQ p256const1<>+0(SB), R9 - ADCQ $0x00, AX - CMOVQNE R14, BX - CMOVQNE R15, CX - CMOVQNE DI, R8 - CMOVQNE SI, R9 - - // If condition is 0, keep original value - TESTQ DX, DX - CMOVQEQ R10, BX - CMOVQEQ R11, CX - CMOVQEQ R12, R8 - CMOVQEQ R13, R9 - - // Store result - MOVQ BX, 128(SP) - MOVQ CX, 136(SP) - MOVQ R8, 144(SP) - MOVQ R9, 152(SP) - - // Begin point add - MOVQ 64(SP), R10 - MOVQ 72(SP), R11 - MOVQ 80(SP), R12 - MOVQ 88(SP), R13 - CALL p256SqrInternal(SB) - MOVQ R10, 288(SP) - MOVQ R11, 296(SP) - MOVQ R12, 304(SP) - MOVQ R13, 312(SP) - MOVQ 96(SP), R14 - MOVQ 104(SP), R15 - MOVQ 112(SP), DI - MOVQ 120(SP), SI - CALL p256MulInternal(SB) - MOVQ (SP), R14 - MOVQ 8(SP), R15 - MOVQ 16(SP), DI - MOVQ 24(SP), SI - CALL p256SubInternal(SB) - MOVQ R10, 320(SP) - MOVQ R11, 328(SP) - MOVQ R12, 336(SP) - MOVQ R13, 344(SP) - MOVQ 64(SP), R14 - MOVQ 72(SP), R15 - MOVQ 80(SP), DI - MOVQ 88(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 224(SP) - MOVQ R11, 232(SP) - MOVQ R12, 240(SP) - MOVQ R13, 248(SP) - MOVQ 288(SP), R10 - MOVQ 296(SP), R11 - MOVQ 304(SP), R12 - MOVQ 312(SP), R13 - CALL p256MulInternal(SB) - MOVQ 128(SP), R14 - MOVQ 136(SP), R15 - MOVQ 144(SP), DI - MOVQ 152(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 256(SP) - MOVQ R11, 264(SP) - MOVQ R12, 272(SP) - MOVQ R13, 280(SP) - MOVQ 32(SP), R14 - MOVQ 40(SP), R15 - MOVQ 48(SP), DI - MOVQ 56(SP), SI - CALL p256SubInternal(SB) - MOVQ R10, 352(SP) - MOVQ R11, 360(SP) - MOVQ R12, 368(SP) - MOVQ R13, 376(SP) - CALL p256SqrInternal(SB) - MOVQ R10, 416(SP) - MOVQ R11, 424(SP) - MOVQ R12, 432(SP) - MOVQ R13, 440(SP) - MOVQ 320(SP), R10 - MOVQ 328(SP), R11 - MOVQ 336(SP), R12 - MOVQ 344(SP), R13 - CALL p256SqrInternal(SB) - MOVQ R10, 384(SP) - MOVQ R11, 392(SP) - MOVQ R12, 400(SP) - MOVQ R13, 408(SP) - MOVQ 320(SP), R14 - MOVQ 328(SP), R15 - MOVQ 336(SP), DI - MOVQ 344(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 448(SP) - MOVQ R11, 456(SP) - MOVQ R12, 464(SP) - MOVQ R13, 472(SP) - MOVQ 32(SP), R14 - MOVQ 40(SP), R15 - MOVQ 48(SP), DI - MOVQ 56(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 256(SP) - MOVQ R11, 264(SP) - MOVQ R12, 272(SP) - MOVQ R13, 280(SP) - MOVQ (SP), R10 - MOVQ 8(SP), R11 - MOVQ 16(SP), R12 - MOVQ 24(SP), R13 - MOVQ 384(SP), R14 - MOVQ 392(SP), R15 - MOVQ 400(SP), DI - MOVQ 408(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 320(SP) - MOVQ R11, 328(SP) - MOVQ R12, 336(SP) - MOVQ R13, 344(SP) - XORQ AX, AX - ADDQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ $+0, AX - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - SUBQ $-1, R14 - SBBQ p256const0<>+0(SB), R15 - SBBQ $+0, DI - SBBQ p256const1<>+0(SB), SI - SBBQ $+0, AX - CMOVQCS R10, R14 - CMOVQCS R11, R15 - CMOVQCS R12, DI - CMOVQCS R13, SI - MOVQ 416(SP), R10 - MOVQ 424(SP), R11 - MOVQ 432(SP), R12 - MOVQ 440(SP), R13 - CALL p256SubInternal(SB) - MOVQ 448(SP), R14 - MOVQ 456(SP), R15 - MOVQ 464(SP), DI - MOVQ 472(SP), SI - CALL p256SubInternal(SB) - MOVQ R10, 160(SP) - MOVQ R11, 168(SP) - MOVQ R12, 176(SP) - MOVQ R13, 184(SP) - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - MOVQ 320(SP), R10 - MOVQ 328(SP), R11 - MOVQ 336(SP), R12 - MOVQ 344(SP), R13 - CALL p256SubInternal(SB) - MOVQ 352(SP), R14 - MOVQ 360(SP), R15 - MOVQ 368(SP), DI - MOVQ 376(SP), SI - CALL p256MulInternal(SB) - MOVQ 256(SP), R14 - MOVQ 264(SP), R15 - MOVQ 272(SP), DI - MOVQ 280(SP), SI - CALL p256SubInternal(SB) - MOVQ R10, 192(SP) - MOVQ R11, 200(SP) - MOVQ R12, 208(SP) - MOVQ R13, 216(SP) - - // Load stored values from stack - MOVQ 480(SP), AX - MOVL 488(SP), BX - MOVL 492(SP), CX - - // The result is not valid if (sel == 0), conditional choose - MOVOU 160(SP), X0 - MOVOU 176(SP), X1 - MOVOU 192(SP), X2 - MOVOU 208(SP), X3 - MOVOU 224(SP), X4 - MOVOU 240(SP), X5 - MOVL BX, X6 - MOVL CX, X7 - PXOR X8, X8 - PCMPEQL X9, X9 - PSHUFD $0x00, X6, X6 - PSHUFD $0x00, X7, X7 - PCMPEQL X8, X6 - PCMPEQL X8, X7 - MOVOU X6, X15 - PANDN X9, X15 - MOVOU (SP), X9 - MOVOU 16(SP), X10 - MOVOU 32(SP), X11 - MOVOU 48(SP), X12 - MOVOU 64(SP), X13 - MOVOU 80(SP), X14 - PAND X15, X0 - PAND X15, X1 - PAND X15, X2 - PAND X15, X3 - PAND X15, X4 - PAND X15, X5 - PAND X6, X9 - PAND X6, X10 - PAND X6, X11 - PAND X6, X12 - PAND X6, X13 - PAND X6, X14 - PXOR X9, X0 - PXOR X10, X1 - PXOR X11, X2 - PXOR X12, X3 - PXOR X13, X4 - PXOR X14, X5 - - // Similarly if zero == 0 - PCMPEQL X9, X9 - MOVOU X7, X15 - PANDN X9, X15 - MOVOU 96(SP), X9 - MOVOU 112(SP), X10 - MOVOU 128(SP), X11 - MOVOU 144(SP), X12 - MOVOU p256one<>+0(SB), X13 - MOVOU p256one<>+16(SB), X14 - PAND X15, X0 - PAND X15, X1 - PAND X15, X2 - PAND X15, X3 - PAND X15, X4 - PAND X15, X5 - PAND X7, X9 - PAND X7, X10 - PAND X7, X11 - PAND X7, X12 - PAND X7, X13 - PAND X7, X14 - PXOR X9, X0 - PXOR X10, X1 - PXOR X11, X2 - PXOR X12, X3 - PXOR X13, X4 - PXOR X14, X5 - - // Finally output the result - MOVOU X0, (AX) - MOVOU X1, 16(AX) - MOVOU X2, 32(AX) - MOVOU X3, 48(AX) - MOVOU X4, 64(AX) - MOVOU X5, 80(AX) - MOVQ $0x00000000, 480(SP) - RET - -DATA p256one<>+0(SB)/8, $0x0000000000000001 -DATA p256one<>+8(SB)/8, $0xffffffff00000000 -DATA p256one<>+16(SB)/8, $0xffffffffffffffff -DATA p256one<>+24(SB)/8, $0x00000000fffffffe -GLOBL p256one<>(SB), RODATA, $32 - -// func p256IsZero() -// Requires: CMOV -TEXT p256IsZero(SB), NOSPLIT, $0 - // AX contains a flag that is set if the input is zero. - XORQ AX, AX - MOVQ $0x00000001, R15 - - // Check whether [acc4..acc7] are all zero. - MOVQ R10, R14 - ORQ R11, R14 - ORQ R12, R14 - ORQ R13, R14 - - // Set the zero flag if so. (CMOV of a constant to a register doesn't - // appear to be supported in Go. Thus t1 = 1.) - CMOVQEQ R15, AX - - // XOR [acc4..acc7] with P and compare with zero again. - XORQ $-1, R10 - XORQ p256const0<>+0(SB), R11 - XORQ p256const1<>+0(SB), R13 - ORQ R11, R10 - ORQ R12, R10 - ORQ R13, R10 - - // Set the zero flag if so. - CMOVQEQ R15, AX - RET - -// func p256PointAddAsm(res *P256Point, in1 *P256Point, in2 *P256Point) int -// Requires: CMOV, SSE2 -TEXT ·p256PointAddAsm(SB), $680-32 - // Move input to stack in order to free registers - MOVQ res+0(FP), AX - MOVQ in1+8(FP), BX - MOVQ in2+16(FP), CX - MOVOU (BX), X0 - MOVOU 16(BX), X1 - MOVOU 32(BX), X2 - MOVOU 48(BX), X3 - MOVOU 64(BX), X4 - MOVOU 80(BX), X5 - MOVOU X0, (SP) - MOVOU X1, 16(SP) - MOVOU X2, 32(SP) - MOVOU X3, 48(SP) - MOVOU X4, 64(SP) - MOVOU X5, 80(SP) - MOVOU (CX), X0 - MOVOU 16(CX), X1 - MOVOU 32(CX), X2 - MOVOU 48(CX), X3 - MOVOU 64(CX), X4 - MOVOU 80(CX), X5 - MOVOU X0, 96(SP) - MOVOU X1, 112(SP) - MOVOU X2, 128(SP) - MOVOU X3, 144(SP) - MOVOU X4, 160(SP) - MOVOU X5, 176(SP) - - // Store pointer to result - MOVQ AX, 640(SP) - - // Begin point add - MOVQ 160(SP), R10 - MOVQ 168(SP), R11 - MOVQ 176(SP), R12 - MOVQ 184(SP), R13 - CALL p256SqrInternal(SB) - MOVQ R10, 448(SP) - MOVQ R11, 456(SP) - MOVQ R12, 464(SP) - MOVQ R13, 472(SP) - MOVQ 160(SP), R14 - MOVQ 168(SP), R15 - MOVQ 176(SP), DI - MOVQ 184(SP), SI - CALL p256MulInternal(SB) - MOVQ 32(SP), R14 - MOVQ 40(SP), R15 - MOVQ 48(SP), DI - MOVQ 56(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 352(SP) - MOVQ R11, 360(SP) - MOVQ R12, 368(SP) - MOVQ R13, 376(SP) - MOVQ 64(SP), R10 - MOVQ 72(SP), R11 - MOVQ 80(SP), R12 - MOVQ 88(SP), R13 - CALL p256SqrInternal(SB) - MOVQ R10, 416(SP) - MOVQ R11, 424(SP) - MOVQ R12, 432(SP) - MOVQ R13, 440(SP) - MOVQ 64(SP), R14 - MOVQ 72(SP), R15 - MOVQ 80(SP), DI - MOVQ 88(SP), SI - CALL p256MulInternal(SB) - MOVQ 128(SP), R14 - MOVQ 136(SP), R15 - MOVQ 144(SP), DI - MOVQ 152(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 384(SP) - MOVQ R11, 392(SP) - MOVQ R12, 400(SP) - MOVQ R13, 408(SP) - MOVQ 352(SP), R14 - MOVQ 360(SP), R15 - MOVQ 368(SP), DI - MOVQ 376(SP), SI - CALL p256SubInternal(SB) - MOVQ R10, 512(SP) - MOVQ R11, 520(SP) - MOVQ R12, 528(SP) - MOVQ R13, 536(SP) - CALL p256IsZero(SB) - MOVQ AX, 648(SP) - MOVQ 448(SP), R10 - MOVQ 456(SP), R11 - MOVQ 464(SP), R12 - MOVQ 472(SP), R13 - MOVQ (SP), R14 - MOVQ 8(SP), R15 - MOVQ 16(SP), DI - MOVQ 24(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 288(SP) - MOVQ R11, 296(SP) - MOVQ R12, 304(SP) - MOVQ R13, 312(SP) - MOVQ 416(SP), R10 - MOVQ 424(SP), R11 - MOVQ 432(SP), R12 - MOVQ 440(SP), R13 - MOVQ 96(SP), R14 - MOVQ 104(SP), R15 - MOVQ 112(SP), DI - MOVQ 120(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 320(SP) - MOVQ R11, 328(SP) - MOVQ R12, 336(SP) - MOVQ R13, 344(SP) - MOVQ 288(SP), R14 - MOVQ 296(SP), R15 - MOVQ 304(SP), DI - MOVQ 312(SP), SI - CALL p256SubInternal(SB) - MOVQ R10, 480(SP) - MOVQ R11, 488(SP) - MOVQ R12, 496(SP) - MOVQ R13, 504(SP) - CALL p256IsZero(SB) - ANDQ 648(SP), AX - MOVQ AX, 648(SP) - MOVQ 512(SP), R10 - MOVQ 520(SP), R11 - MOVQ 528(SP), R12 - MOVQ 536(SP), R13 - CALL p256SqrInternal(SB) - MOVQ R10, 576(SP) - MOVQ R11, 584(SP) - MOVQ R12, 592(SP) - MOVQ R13, 600(SP) - MOVQ 480(SP), R10 - MOVQ 488(SP), R11 - MOVQ 496(SP), R12 - MOVQ 504(SP), R13 - CALL p256SqrInternal(SB) - MOVQ R10, 544(SP) - MOVQ R11, 552(SP) - MOVQ R12, 560(SP) - MOVQ R13, 568(SP) - MOVQ 480(SP), R14 - MOVQ 488(SP), R15 - MOVQ 496(SP), DI - MOVQ 504(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 608(SP) - MOVQ R11, 616(SP) - MOVQ R12, 624(SP) - MOVQ R13, 632(SP) - MOVQ 352(SP), R14 - MOVQ 360(SP), R15 - MOVQ 368(SP), DI - MOVQ 376(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 384(SP) - MOVQ R11, 392(SP) - MOVQ R12, 400(SP) - MOVQ R13, 408(SP) - MOVQ 64(SP), R10 - MOVQ 72(SP), R11 - MOVQ 80(SP), R12 - MOVQ 88(SP), R13 - MOVQ 160(SP), R14 - MOVQ 168(SP), R15 - MOVQ 176(SP), DI - MOVQ 184(SP), SI - CALL p256MulInternal(SB) - MOVQ 480(SP), R14 - MOVQ 488(SP), R15 - MOVQ 496(SP), DI - MOVQ 504(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 256(SP) - MOVQ R11, 264(SP) - MOVQ R12, 272(SP) - MOVQ R13, 280(SP) - MOVQ 544(SP), R10 - MOVQ 552(SP), R11 - MOVQ 560(SP), R12 - MOVQ 568(SP), R13 - MOVQ 288(SP), R14 - MOVQ 296(SP), R15 - MOVQ 304(SP), DI - MOVQ 312(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 320(SP) - MOVQ R11, 328(SP) - MOVQ R12, 336(SP) - MOVQ R13, 344(SP) - XORQ AX, AX - ADDQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ $+0, AX - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - SUBQ $-1, R14 - SBBQ p256const0<>+0(SB), R15 - SBBQ $+0, DI - SBBQ p256const1<>+0(SB), SI - SBBQ $+0, AX - CMOVQCS R10, R14 - CMOVQCS R11, R15 - CMOVQCS R12, DI - CMOVQCS R13, SI - MOVQ 576(SP), R10 - MOVQ 584(SP), R11 - MOVQ 592(SP), R12 - MOVQ 600(SP), R13 - CALL p256SubInternal(SB) - MOVQ 608(SP), R14 - MOVQ 616(SP), R15 - MOVQ 624(SP), DI - MOVQ 632(SP), SI - CALL p256SubInternal(SB) - MOVQ R10, 192(SP) - MOVQ R11, 200(SP) - MOVQ R12, 208(SP) - MOVQ R13, 216(SP) - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - MOVQ 320(SP), R10 - MOVQ 328(SP), R11 - MOVQ 336(SP), R12 - MOVQ 344(SP), R13 - CALL p256SubInternal(SB) - MOVQ 512(SP), R14 - MOVQ 520(SP), R15 - MOVQ 528(SP), DI - MOVQ 536(SP), SI - CALL p256MulInternal(SB) - MOVQ 384(SP), R14 - MOVQ 392(SP), R15 - MOVQ 400(SP), DI - MOVQ 408(SP), SI - CALL p256SubInternal(SB) - MOVQ R10, 224(SP) - MOVQ R11, 232(SP) - MOVQ R12, 240(SP) - MOVQ R13, 248(SP) - MOVOU 192(SP), X0 - MOVOU 208(SP), X1 - MOVOU 224(SP), X2 - MOVOU 240(SP), X3 - MOVOU 256(SP), X4 - MOVOU 272(SP), X5 - - // Finally output the result - MOVQ 640(SP), AX - MOVQ $0x00000000, 640(SP) - MOVOU X0, (AX) - MOVOU X1, 16(AX) - MOVOU X2, 32(AX) - MOVOU X3, 48(AX) - MOVOU X4, 64(AX) - MOVOU X5, 80(AX) - MOVQ 648(SP), AX - MOVQ AX, ret+24(FP) - RET - -// func p256PointDoubleAsm(res *P256Point, in *P256Point) -// Requires: CMOV, SSE2 -TEXT ·p256PointDoubleAsm(SB), NOSPLIT, $256-16 - MOVQ res+0(FP), AX - MOVQ in+8(FP), BX - MOVOU (BX), X0 - MOVOU 16(BX), X1 - MOVOU 32(BX), X2 - MOVOU 48(BX), X3 - MOVOU 64(BX), X4 - MOVOU 80(BX), X5 - MOVOU X0, (SP) - MOVOU X1, 16(SP) - MOVOU X2, 32(SP) - MOVOU X3, 48(SP) - MOVOU X4, 64(SP) - MOVOU X5, 80(SP) - - // Store pointer to result - MOVQ AX, 224(SP) - - // Begin point double - MOVQ 64(SP), R10 - MOVQ 72(SP), R11 - MOVQ 80(SP), R12 - MOVQ 88(SP), R13 - CALL p256SqrInternal(SB) - MOVQ R10, 160(SP) - MOVQ R11, 168(SP) - MOVQ R12, 176(SP) - MOVQ R13, 184(SP) - MOVQ (SP), R14 - MOVQ 8(SP), R15 - MOVQ 16(SP), DI - MOVQ 24(SP), SI - XORQ AX, AX - ADDQ R14, R10 - ADCQ R15, R11 - ADCQ DI, R12 - ADCQ SI, R13 - ADCQ $+0, AX - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - SUBQ $-1, R14 - SBBQ p256const0<>+0(SB), R15 - SBBQ $+0, DI - SBBQ p256const1<>+0(SB), SI - SBBQ $+0, AX - CMOVQCS R10, R14 - CMOVQCS R11, R15 - CMOVQCS R12, DI - CMOVQCS R13, SI - MOVQ R14, 128(SP) - MOVQ R15, 136(SP) - MOVQ DI, 144(SP) - MOVQ SI, 152(SP) - MOVQ 64(SP), R10 - MOVQ 72(SP), R11 - MOVQ 80(SP), R12 - MOVQ 88(SP), R13 - MOVQ 32(SP), R14 - MOVQ 40(SP), R15 - MOVQ 48(SP), DI - MOVQ 56(SP), SI - CALL p256MulInternal(SB) - XORQ AX, AX - ADDQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ $+0, AX - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - SUBQ $-1, R14 - SBBQ p256const0<>+0(SB), R15 - SBBQ $+0, DI - SBBQ p256const1<>+0(SB), SI - SBBQ $+0, AX - CMOVQCS R10, R14 - CMOVQCS R11, R15 - CMOVQCS R12, DI - CMOVQCS R13, SI - MOVQ 224(SP), AX - - // Store z - MOVQ R14, 64(AX) - MOVQ R15, 72(AX) - MOVQ DI, 80(AX) - MOVQ SI, 88(AX) - MOVQ (SP), R10 - MOVQ 8(SP), R11 - MOVQ 16(SP), R12 - MOVQ 24(SP), R13 - MOVQ 160(SP), R14 - MOVQ 168(SP), R15 - MOVQ 176(SP), DI - MOVQ 184(SP), SI - CALL p256SubInternal(SB) - MOVQ 128(SP), R14 - MOVQ 136(SP), R15 - MOVQ 144(SP), DI - MOVQ 152(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 128(SP) - MOVQ R11, 136(SP) - MOVQ R12, 144(SP) - MOVQ R13, 152(SP) - - // Multiply by 3 - XORQ AX, AX - ADDQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ $+0, AX - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - SUBQ $-1, R14 - SBBQ p256const0<>+0(SB), R15 - SBBQ $+0, DI - SBBQ p256const1<>+0(SB), SI - SBBQ $+0, AX - CMOVQCS R10, R14 - CMOVQCS R11, R15 - CMOVQCS R12, DI - CMOVQCS R13, SI - MOVQ 128(SP), R10 - MOVQ 136(SP), R11 - MOVQ 144(SP), R12 - MOVQ 152(SP), R13 - XORQ AX, AX - ADDQ R14, R10 - ADCQ R15, R11 - ADCQ DI, R12 - ADCQ SI, R13 - ADCQ $+0, AX - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - SUBQ $-1, R14 - SBBQ p256const0<>+0(SB), R15 - SBBQ $+0, DI - SBBQ p256const1<>+0(SB), SI - SBBQ $+0, AX - CMOVQCS R10, R14 - CMOVQCS R11, R15 - CMOVQCS R12, DI - CMOVQCS R13, SI - MOVQ R14, 128(SP) - MOVQ R15, 136(SP) - MOVQ DI, 144(SP) - MOVQ SI, 152(SP) - - // //////////////////////// - MOVQ 32(SP), R10 - MOVQ 40(SP), R11 - MOVQ 48(SP), R12 - MOVQ 56(SP), R13 - XORQ AX, AX - ADDQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ $+0, AX - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - SUBQ $-1, R14 - SBBQ p256const0<>+0(SB), R15 - SBBQ $+0, DI - SBBQ p256const1<>+0(SB), SI - SBBQ $+0, AX - CMOVQCS R10, R14 - CMOVQCS R11, R15 - CMOVQCS R12, DI - CMOVQCS R13, SI - MOVQ R14, R10 - MOVQ R15, R11 - MOVQ DI, R12 - MOVQ SI, R13 - CALL p256SqrInternal(SB) - MOVQ R10, 96(SP) - MOVQ R11, 104(SP) - MOVQ R12, 112(SP) - MOVQ R13, 120(SP) - CALL p256SqrInternal(SB) - - // Divide by 2 - XORQ AX, AX - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - ADDQ $-1, R10 - ADCQ p256const0<>+0(SB), R11 - ADCQ $0x00, R12 - ADCQ p256const1<>+0(SB), R13 - ADCQ $0x00, AX - TESTQ $0x00000001, R14 - CMOVQEQ R14, R10 - CMOVQEQ R15, R11 - CMOVQEQ DI, R12 - CMOVQEQ SI, R13 - ANDQ R14, AX - SHRQ $0x01, R11, R10 - SHRQ $0x01, R12, R11 - SHRQ $0x01, R13, R12 - SHRQ $0x01, AX, R13 - MOVQ R10, 32(SP) - MOVQ R11, 40(SP) - MOVQ R12, 48(SP) - MOVQ R13, 56(SP) - - // ///////////////////////// - MOVQ (SP), R10 - MOVQ 8(SP), R11 - MOVQ 16(SP), R12 - MOVQ 24(SP), R13 - MOVQ 96(SP), R14 - MOVQ 104(SP), R15 - MOVQ 112(SP), DI - MOVQ 120(SP), SI - CALL p256MulInternal(SB) - MOVQ R10, 96(SP) - MOVQ R11, 104(SP) - MOVQ R12, 112(SP) - MOVQ R13, 120(SP) - XORQ AX, AX - ADDQ R10, R10 - ADCQ R11, R11 - ADCQ R12, R12 - ADCQ R13, R13 - ADCQ $+0, AX - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - SUBQ $-1, R14 - SBBQ p256const0<>+0(SB), R15 - SBBQ $+0, DI - SBBQ p256const1<>+0(SB), SI - SBBQ $+0, AX - CMOVQCS R10, R14 - CMOVQCS R11, R15 - CMOVQCS R12, DI - CMOVQCS R13, SI - MOVQ R14, 192(SP) - MOVQ R15, 200(SP) - MOVQ DI, 208(SP) - MOVQ SI, 216(SP) - MOVQ 128(SP), R10 - MOVQ 136(SP), R11 - MOVQ 144(SP), R12 - MOVQ 152(SP), R13 - CALL p256SqrInternal(SB) - MOVQ 192(SP), R14 - MOVQ 200(SP), R15 - MOVQ 208(SP), DI - MOVQ 216(SP), SI - CALL p256SubInternal(SB) - MOVQ 224(SP), AX - - // Store x - MOVQ R10, (AX) - MOVQ R11, 8(AX) - MOVQ R12, 16(AX) - MOVQ R13, 24(AX) - MOVQ R10, R14 - MOVQ R11, R15 - MOVQ R12, DI - MOVQ R13, SI - MOVQ 96(SP), R10 - MOVQ 104(SP), R11 - MOVQ 112(SP), R12 - MOVQ 120(SP), R13 - CALL p256SubInternal(SB) - MOVQ 128(SP), R14 - MOVQ 136(SP), R15 - MOVQ 144(SP), DI - MOVQ 152(SP), SI - CALL p256MulInternal(SB) - MOVQ 32(SP), R14 - MOVQ 40(SP), R15 - MOVQ 48(SP), DI - MOVQ 56(SP), SI - CALL p256SubInternal(SB) - MOVQ 224(SP), AX - - // Store y - MOVQ R10, 32(AX) - MOVQ R11, 40(AX) - MOVQ R12, 48(AX) - MOVQ R13, 56(AX) - - // /////////////////////// - MOVQ $0x00000000, 224(SP) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_arm64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_arm64.s deleted file mode 100644 index 33da24508e2..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_arm64.s +++ /dev/null @@ -1,1506 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -// This file contains constant-time, 64-bit assembly implementation of -// P256. The optimizations performed here are described in detail in: -// S.Gueron and V.Krasnov, "Fast prime field elliptic-curve cryptography with -// 256-bit primes" -// http://link.springer.com/article/10.1007%2Fs13389-014-0090-x -// https://eprint.iacr.org/2013/816.pdf - -#include "textflag.h" - -#define res_ptr R0 -#define a_ptr R1 -#define b_ptr R2 - -#define acc0 R3 -#define acc1 R4 -#define acc2 R5 -#define acc3 R6 - -#define acc4 R7 -#define acc5 R8 -#define acc6 R9 -#define acc7 R10 -#define t0 R11 -#define t1 R12 -#define t2 R13 -#define t3 R14 -#define const0 R15 -#define const1 R16 - -#define hlp0 R17 -#define hlp1 res_ptr - -#define x0 R19 -#define x1 R20 -#define x2 R21 -#define x3 R22 -#define y0 R23 -#define y1 R24 -#define y2 R25 -#define y3 R26 - -#define const2 t2 -#define const3 t3 - -DATA p256const0<>+0x00(SB)/8, $0x00000000ffffffff -DATA p256const1<>+0x00(SB)/8, $0xffffffff00000001 -DATA p256ordK0<>+0x00(SB)/8, $0xccd1c8aaee00bc4f -DATA p256ord<>+0x00(SB)/8, $0xf3b9cac2fc632551 -DATA p256ord<>+0x08(SB)/8, $0xbce6faada7179e84 -DATA p256ord<>+0x10(SB)/8, $0xffffffffffffffff -DATA p256ord<>+0x18(SB)/8, $0xffffffff00000000 -DATA p256one<>+0x00(SB)/8, $0x0000000000000001 -DATA p256one<>+0x08(SB)/8, $0xffffffff00000000 -DATA p256one<>+0x10(SB)/8, $0xffffffffffffffff -DATA p256one<>+0x18(SB)/8, $0x00000000fffffffe -GLOBL p256const0<>(SB), 8, $8 -GLOBL p256const1<>(SB), 8, $8 -GLOBL p256ordK0<>(SB), 8, $8 -GLOBL p256ord<>(SB), 8, $32 -GLOBL p256one<>(SB), 8, $32 - -/* ---------------------------------------*/ -// func p256MovCond(res, a, b *P256Point, cond int) -// If cond == 0 res=b, else res=a -TEXT ·p256MovCond(SB),NOSPLIT,$0 - MOVD res+0(FP), res_ptr - MOVD a+8(FP), a_ptr - MOVD b+16(FP), b_ptr - MOVD cond+24(FP), R3 - - CMP $0, R3 - // Two remarks: - // 1) Will want to revisit NEON, when support is better - // 2) CSEL might not be constant time on all ARM processors - LDP 0*16(a_ptr), (R4, R5) - LDP 1*16(a_ptr), (R6, R7) - LDP 2*16(a_ptr), (R8, R9) - LDP 0*16(b_ptr), (R16, R17) - LDP 1*16(b_ptr), (R19, R20) - LDP 2*16(b_ptr), (R21, R22) - CSEL EQ, R16, R4, R4 - CSEL EQ, R17, R5, R5 - CSEL EQ, R19, R6, R6 - CSEL EQ, R20, R7, R7 - CSEL EQ, R21, R8, R8 - CSEL EQ, R22, R9, R9 - STP (R4, R5), 0*16(res_ptr) - STP (R6, R7), 1*16(res_ptr) - STP (R8, R9), 2*16(res_ptr) - - LDP 3*16(a_ptr), (R4, R5) - LDP 4*16(a_ptr), (R6, R7) - LDP 5*16(a_ptr), (R8, R9) - LDP 3*16(b_ptr), (R16, R17) - LDP 4*16(b_ptr), (R19, R20) - LDP 5*16(b_ptr), (R21, R22) - CSEL EQ, R16, R4, R4 - CSEL EQ, R17, R5, R5 - CSEL EQ, R19, R6, R6 - CSEL EQ, R20, R7, R7 - CSEL EQ, R21, R8, R8 - CSEL EQ, R22, R9, R9 - STP (R4, R5), 3*16(res_ptr) - STP (R6, R7), 4*16(res_ptr) - STP (R8, R9), 5*16(res_ptr) - - RET -/* ---------------------------------------*/ -// func p256NegCond(val *p256Element, cond int) -TEXT ·p256NegCond(SB),NOSPLIT,$0 - MOVD val+0(FP), a_ptr - MOVD cond+8(FP), hlp0 - MOVD a_ptr, res_ptr - // acc = poly - MOVD $-1, acc0 - MOVD p256const0<>(SB), acc1 - MOVD $0, acc2 - MOVD p256const1<>(SB), acc3 - // Load the original value - LDP 0*16(a_ptr), (t0, t1) - LDP 1*16(a_ptr), (t2, t3) - // Speculatively subtract - SUBS t0, acc0 - SBCS t1, acc1 - SBCS t2, acc2 - SBC t3, acc3 - // If condition is 0, keep original value - CMP $0, hlp0 - CSEL EQ, t0, acc0, acc0 - CSEL EQ, t1, acc1, acc1 - CSEL EQ, t2, acc2, acc2 - CSEL EQ, t3, acc3, acc3 - // Store result - STP (acc0, acc1), 0*16(res_ptr) - STP (acc2, acc3), 1*16(res_ptr) - - RET -/* ---------------------------------------*/ -// func p256Sqr(res, in *p256Element, n int) -TEXT ·p256Sqr(SB),NOSPLIT,$0 - MOVD res+0(FP), res_ptr - MOVD in+8(FP), a_ptr - MOVD n+16(FP), b_ptr - - MOVD p256const0<>(SB), const0 - MOVD p256const1<>(SB), const1 - - LDP 0*16(a_ptr), (x0, x1) - LDP 1*16(a_ptr), (x2, x3) - -sqrLoop: - SUB $1, b_ptr - CALL p256SqrInternal<>(SB) - MOVD y0, x0 - MOVD y1, x1 - MOVD y2, x2 - MOVD y3, x3 - CBNZ b_ptr, sqrLoop - - STP (y0, y1), 0*16(res_ptr) - STP (y2, y3), 1*16(res_ptr) - RET -/* ---------------------------------------*/ -// func p256Mul(res, in1, in2 *p256Element) -TEXT ·p256Mul(SB),NOSPLIT,$0 - MOVD res+0(FP), res_ptr - MOVD in1+8(FP), a_ptr - MOVD in2+16(FP), b_ptr - - MOVD p256const0<>(SB), const0 - MOVD p256const1<>(SB), const1 - - LDP 0*16(a_ptr), (x0, x1) - LDP 1*16(a_ptr), (x2, x3) - - LDP 0*16(b_ptr), (y0, y1) - LDP 1*16(b_ptr), (y2, y3) - - CALL p256MulInternal<>(SB) - - STP (y0, y1), 0*16(res_ptr) - STP (y2, y3), 1*16(res_ptr) - RET -/* ---------------------------------------*/ -// func p256FromMont(res, in *p256Element) -TEXT ·p256FromMont(SB),NOSPLIT,$0 - MOVD res+0(FP), res_ptr - MOVD in+8(FP), a_ptr - - MOVD p256const0<>(SB), const0 - MOVD p256const1<>(SB), const1 - - LDP 0*16(a_ptr), (acc0, acc1) - LDP 1*16(a_ptr), (acc2, acc3) - // Only reduce, no multiplications are needed - // First reduction step - ADDS acc0<<32, acc1, acc1 - LSR $32, acc0, t0 - MUL acc0, const1, t1 - UMULH acc0, const1, acc0 - ADCS t0, acc2 - ADCS t1, acc3 - ADC $0, acc0 - // Second reduction step - ADDS acc1<<32, acc2, acc2 - LSR $32, acc1, t0 - MUL acc1, const1, t1 - UMULH acc1, const1, acc1 - ADCS t0, acc3 - ADCS t1, acc0 - ADC $0, acc1 - // Third reduction step - ADDS acc2<<32, acc3, acc3 - LSR $32, acc2, t0 - MUL acc2, const1, t1 - UMULH acc2, const1, acc2 - ADCS t0, acc0 - ADCS t1, acc1 - ADC $0, acc2 - // Last reduction step - ADDS acc3<<32, acc0, acc0 - LSR $32, acc3, t0 - MUL acc3, const1, t1 - UMULH acc3, const1, acc3 - ADCS t0, acc1 - ADCS t1, acc2 - ADC $0, acc3 - - SUBS $-1, acc0, t0 - SBCS const0, acc1, t1 - SBCS $0, acc2, t2 - SBCS const1, acc3, t3 - - CSEL CS, t0, acc0, acc0 - CSEL CS, t1, acc1, acc1 - CSEL CS, t2, acc2, acc2 - CSEL CS, t3, acc3, acc3 - - STP (acc0, acc1), 0*16(res_ptr) - STP (acc2, acc3), 1*16(res_ptr) - - RET -/* ---------------------------------------*/ -// func p256Select(res *P256Point, table *p256Table, idx int) -TEXT ·p256Select(SB),NOSPLIT,$0 - MOVD idx+16(FP), const0 - MOVD table+8(FP), b_ptr - MOVD res+0(FP), res_ptr - - EOR x0, x0, x0 - EOR x1, x1, x1 - EOR x2, x2, x2 - EOR x3, x3, x3 - EOR y0, y0, y0 - EOR y1, y1, y1 - EOR y2, y2, y2 - EOR y3, y3, y3 - EOR t0, t0, t0 - EOR t1, t1, t1 - EOR t2, t2, t2 - EOR t3, t3, t3 - - MOVD $0, const1 - -loop_select: - ADD $1, const1 - CMP const0, const1 - LDP.P 16(b_ptr), (acc0, acc1) - CSEL EQ, acc0, x0, x0 - CSEL EQ, acc1, x1, x1 - LDP.P 16(b_ptr), (acc2, acc3) - CSEL EQ, acc2, x2, x2 - CSEL EQ, acc3, x3, x3 - LDP.P 16(b_ptr), (acc4, acc5) - CSEL EQ, acc4, y0, y0 - CSEL EQ, acc5, y1, y1 - LDP.P 16(b_ptr), (acc6, acc7) - CSEL EQ, acc6, y2, y2 - CSEL EQ, acc7, y3, y3 - LDP.P 16(b_ptr), (acc0, acc1) - CSEL EQ, acc0, t0, t0 - CSEL EQ, acc1, t1, t1 - LDP.P 16(b_ptr), (acc2, acc3) - CSEL EQ, acc2, t2, t2 - CSEL EQ, acc3, t3, t3 - - CMP $16, const1 - BNE loop_select - - STP (x0, x1), 0*16(res_ptr) - STP (x2, x3), 1*16(res_ptr) - STP (y0, y1), 2*16(res_ptr) - STP (y2, y3), 3*16(res_ptr) - STP (t0, t1), 4*16(res_ptr) - STP (t2, t3), 5*16(res_ptr) - RET -/* ---------------------------------------*/ -// func p256SelectAffine(res *p256AffinePoint, table *p256AffineTable, idx int) -TEXT ·p256SelectAffine(SB),NOSPLIT,$0 - MOVD idx+16(FP), t0 - MOVD table+8(FP), t1 - MOVD res+0(FP), res_ptr - - EOR x0, x0, x0 - EOR x1, x1, x1 - EOR x2, x2, x2 - EOR x3, x3, x3 - EOR y0, y0, y0 - EOR y1, y1, y1 - EOR y2, y2, y2 - EOR y3, y3, y3 - - MOVD $0, t2 - -loop_select: - ADD $1, t2 - CMP t0, t2 - LDP.P 16(t1), (acc0, acc1) - CSEL EQ, acc0, x0, x0 - CSEL EQ, acc1, x1, x1 - LDP.P 16(t1), (acc2, acc3) - CSEL EQ, acc2, x2, x2 - CSEL EQ, acc3, x3, x3 - LDP.P 16(t1), (acc4, acc5) - CSEL EQ, acc4, y0, y0 - CSEL EQ, acc5, y1, y1 - LDP.P 16(t1), (acc6, acc7) - CSEL EQ, acc6, y2, y2 - CSEL EQ, acc7, y3, y3 - - CMP $32, t2 - BNE loop_select - - STP (x0, x1), 0*16(res_ptr) - STP (x2, x3), 1*16(res_ptr) - STP (y0, y1), 2*16(res_ptr) - STP (y2, y3), 3*16(res_ptr) - RET -/* ---------------------------------------*/ -// func p256OrdSqr(res, in *p256OrdElement, n int) -TEXT ·p256OrdSqr(SB),NOSPLIT,$0 - MOVD in+8(FP), a_ptr - MOVD n+16(FP), b_ptr - - MOVD p256ordK0<>(SB), hlp1 - LDP p256ord<>+0x00(SB), (const0, const1) - LDP p256ord<>+0x10(SB), (const2, const3) - - LDP 0*16(a_ptr), (x0, x1) - LDP 1*16(a_ptr), (x2, x3) - -ordSqrLoop: - SUB $1, b_ptr - - // x[1:] * x[0] - MUL x0, x1, acc1 - UMULH x0, x1, acc2 - - MUL x0, x2, t0 - ADDS t0, acc2, acc2 - UMULH x0, x2, acc3 - - MUL x0, x3, t0 - ADCS t0, acc3, acc3 - UMULH x0, x3, acc4 - ADC $0, acc4, acc4 - // x[2:] * x[1] - MUL x1, x2, t0 - ADDS t0, acc3 - UMULH x1, x2, t1 - ADCS t1, acc4 - ADC $0, ZR, acc5 - - MUL x1, x3, t0 - ADDS t0, acc4 - UMULH x1, x3, t1 - ADC t1, acc5 - // x[3] * x[2] - MUL x2, x3, t0 - ADDS t0, acc5 - UMULH x2, x3, acc6 - ADC $0, acc6 - - MOVD $0, acc7 - // *2 - ADDS acc1, acc1 - ADCS acc2, acc2 - ADCS acc3, acc3 - ADCS acc4, acc4 - ADCS acc5, acc5 - ADCS acc6, acc6 - ADC $0, acc7 - // Missing products - MUL x0, x0, acc0 - UMULH x0, x0, t0 - ADDS t0, acc1, acc1 - - MUL x1, x1, t0 - ADCS t0, acc2, acc2 - UMULH x1, x1, t1 - ADCS t1, acc3, acc3 - - MUL x2, x2, t0 - ADCS t0, acc4, acc4 - UMULH x2, x2, t1 - ADCS t1, acc5, acc5 - - MUL x3, x3, t0 - ADCS t0, acc6, acc6 - UMULH x3, x3, t1 - ADC t1, acc7, acc7 - // First reduction step - MUL acc0, hlp1, hlp0 - - MUL const0, hlp1, t0 - ADDS t0, acc0, acc0 - UMULH const0, hlp0, t1 - - MUL const1, hlp0, t0 - ADCS t0, acc1, acc1 - UMULH const1, hlp0, y0 - - MUL const2, hlp0, t0 - ADCS t0, acc2, acc2 - UMULH const2, hlp0, acc0 - - MUL const3, hlp0, t0 - ADCS t0, acc3, acc3 - - UMULH const3, hlp0, hlp0 - ADC $0, hlp0 - - ADDS t1, acc1, acc1 - ADCS y0, acc2, acc2 - ADCS acc0, acc3, acc3 - ADC $0, hlp0, acc0 - // Second reduction step - MUL acc1, hlp1, hlp0 - - MUL const0, hlp1, t0 - ADDS t0, acc1, acc1 - UMULH const0, hlp0, t1 - - MUL const1, hlp0, t0 - ADCS t0, acc2, acc2 - UMULH const1, hlp0, y0 - - MUL const2, hlp0, t0 - ADCS t0, acc3, acc3 - UMULH const2, hlp0, acc1 - - MUL const3, hlp0, t0 - ADCS t0, acc0, acc0 - - UMULH const3, hlp0, hlp0 - ADC $0, hlp0 - - ADDS t1, acc2, acc2 - ADCS y0, acc3, acc3 - ADCS acc1, acc0, acc0 - ADC $0, hlp0, acc1 - // Third reduction step - MUL acc2, hlp1, hlp0 - - MUL const0, hlp1, t0 - ADDS t0, acc2, acc2 - UMULH const0, hlp0, t1 - - MUL const1, hlp0, t0 - ADCS t0, acc3, acc3 - UMULH const1, hlp0, y0 - - MUL const2, hlp0, t0 - ADCS t0, acc0, acc0 - UMULH const2, hlp0, acc2 - - MUL const3, hlp0, t0 - ADCS t0, acc1, acc1 - - UMULH const3, hlp0, hlp0 - ADC $0, hlp0 - - ADDS t1, acc3, acc3 - ADCS y0, acc0, acc0 - ADCS acc2, acc1, acc1 - ADC $0, hlp0, acc2 - - // Last reduction step - MUL acc3, hlp1, hlp0 - - MUL const0, hlp1, t0 - ADDS t0, acc3, acc3 - UMULH const0, hlp0, t1 - - MUL const1, hlp0, t0 - ADCS t0, acc0, acc0 - UMULH const1, hlp0, y0 - - MUL const2, hlp0, t0 - ADCS t0, acc1, acc1 - UMULH const2, hlp0, acc3 - - MUL const3, hlp0, t0 - ADCS t0, acc2, acc2 - - UMULH const3, hlp0, hlp0 - ADC $0, acc7 - - ADDS t1, acc0, acc0 - ADCS y0, acc1, acc1 - ADCS acc3, acc2, acc2 - ADC $0, hlp0, acc3 - - ADDS acc4, acc0, acc0 - ADCS acc5, acc1, acc1 - ADCS acc6, acc2, acc2 - ADCS acc7, acc3, acc3 - ADC $0, ZR, acc4 - - SUBS const0, acc0, y0 - SBCS const1, acc1, y1 - SBCS const2, acc2, y2 - SBCS const3, acc3, y3 - SBCS $0, acc4, acc4 - - CSEL CS, y0, acc0, x0 - CSEL CS, y1, acc1, x1 - CSEL CS, y2, acc2, x2 - CSEL CS, y3, acc3, x3 - - CBNZ b_ptr, ordSqrLoop - - MOVD res+0(FP), res_ptr - STP (x0, x1), 0*16(res_ptr) - STP (x2, x3), 1*16(res_ptr) - - RET -/* ---------------------------------------*/ -// func p256OrdMul(res, in1, in2 *p256OrdElement) -TEXT ·p256OrdMul(SB),NOSPLIT,$0 - MOVD in1+8(FP), a_ptr - MOVD in2+16(FP), b_ptr - - MOVD p256ordK0<>(SB), hlp1 - LDP p256ord<>+0x00(SB), (const0, const1) - LDP p256ord<>+0x10(SB), (const2, const3) - - LDP 0*16(a_ptr), (x0, x1) - LDP 1*16(a_ptr), (x2, x3) - LDP 0*16(b_ptr), (y0, y1) - LDP 1*16(b_ptr), (y2, y3) - - // y[0] * x - MUL y0, x0, acc0 - UMULH y0, x0, acc1 - - MUL y0, x1, t0 - ADDS t0, acc1 - UMULH y0, x1, acc2 - - MUL y0, x2, t0 - ADCS t0, acc2 - UMULH y0, x2, acc3 - - MUL y0, x3, t0 - ADCS t0, acc3 - UMULH y0, x3, acc4 - ADC $0, acc4 - // First reduction step - MUL acc0, hlp1, hlp0 - - MUL const0, hlp1, t0 - ADDS t0, acc0, acc0 - UMULH const0, hlp0, t1 - - MUL const1, hlp0, t0 - ADCS t0, acc1, acc1 - UMULH const1, hlp0, y0 - - MUL const2, hlp0, t0 - ADCS t0, acc2, acc2 - UMULH const2, hlp0, acc0 - - MUL const3, hlp0, t0 - ADCS t0, acc3, acc3 - - UMULH const3, hlp0, hlp0 - ADC $0, acc4 - - ADDS t1, acc1, acc1 - ADCS y0, acc2, acc2 - ADCS acc0, acc3, acc3 - ADC $0, hlp0, acc0 - // y[1] * x - MUL y1, x0, t0 - ADDS t0, acc1 - UMULH y1, x0, t1 - - MUL y1, x1, t0 - ADCS t0, acc2 - UMULH y1, x1, hlp0 - - MUL y1, x2, t0 - ADCS t0, acc3 - UMULH y1, x2, y0 - - MUL y1, x3, t0 - ADCS t0, acc4 - UMULH y1, x3, y1 - ADC $0, ZR, acc5 - - ADDS t1, acc2 - ADCS hlp0, acc3 - ADCS y0, acc4 - ADC y1, acc5 - // Second reduction step - MUL acc1, hlp1, hlp0 - - MUL const0, hlp1, t0 - ADDS t0, acc1, acc1 - UMULH const0, hlp0, t1 - - MUL const1, hlp0, t0 - ADCS t0, acc2, acc2 - UMULH const1, hlp0, y0 - - MUL const2, hlp0, t0 - ADCS t0, acc3, acc3 - UMULH const2, hlp0, acc1 - - MUL const3, hlp0, t0 - ADCS t0, acc0, acc0 - - UMULH const3, hlp0, hlp0 - ADC $0, acc5 - - ADDS t1, acc2, acc2 - ADCS y0, acc3, acc3 - ADCS acc1, acc0, acc0 - ADC $0, hlp0, acc1 - // y[2] * x - MUL y2, x0, t0 - ADDS t0, acc2 - UMULH y2, x0, t1 - - MUL y2, x1, t0 - ADCS t0, acc3 - UMULH y2, x1, hlp0 - - MUL y2, x2, t0 - ADCS t0, acc4 - UMULH y2, x2, y0 - - MUL y2, x3, t0 - ADCS t0, acc5 - UMULH y2, x3, y1 - ADC $0, ZR, acc6 - - ADDS t1, acc3 - ADCS hlp0, acc4 - ADCS y0, acc5 - ADC y1, acc6 - // Third reduction step - MUL acc2, hlp1, hlp0 - - MUL const0, hlp1, t0 - ADDS t0, acc2, acc2 - UMULH const0, hlp0, t1 - - MUL const1, hlp0, t0 - ADCS t0, acc3, acc3 - UMULH const1, hlp0, y0 - - MUL const2, hlp0, t0 - ADCS t0, acc0, acc0 - UMULH const2, hlp0, acc2 - - MUL const3, hlp0, t0 - ADCS t0, acc1, acc1 - - UMULH const3, hlp0, hlp0 - ADC $0, acc6 - - ADDS t1, acc3, acc3 - ADCS y0, acc0, acc0 - ADCS acc2, acc1, acc1 - ADC $0, hlp0, acc2 - // y[3] * x - MUL y3, x0, t0 - ADDS t0, acc3 - UMULH y3, x0, t1 - - MUL y3, x1, t0 - ADCS t0, acc4 - UMULH y3, x1, hlp0 - - MUL y3, x2, t0 - ADCS t0, acc5 - UMULH y3, x2, y0 - - MUL y3, x3, t0 - ADCS t0, acc6 - UMULH y3, x3, y1 - ADC $0, ZR, acc7 - - ADDS t1, acc4 - ADCS hlp0, acc5 - ADCS y0, acc6 - ADC y1, acc7 - // Last reduction step - MUL acc3, hlp1, hlp0 - - MUL const0, hlp1, t0 - ADDS t0, acc3, acc3 - UMULH const0, hlp0, t1 - - MUL const1, hlp0, t0 - ADCS t0, acc0, acc0 - UMULH const1, hlp0, y0 - - MUL const2, hlp0, t0 - ADCS t0, acc1, acc1 - UMULH const2, hlp0, acc3 - - MUL const3, hlp0, t0 - ADCS t0, acc2, acc2 - - UMULH const3, hlp0, hlp0 - ADC $0, acc7 - - ADDS t1, acc0, acc0 - ADCS y0, acc1, acc1 - ADCS acc3, acc2, acc2 - ADC $0, hlp0, acc3 - - ADDS acc4, acc0, acc0 - ADCS acc5, acc1, acc1 - ADCS acc6, acc2, acc2 - ADCS acc7, acc3, acc3 - ADC $0, ZR, acc4 - - SUBS const0, acc0, t0 - SBCS const1, acc1, t1 - SBCS const2, acc2, t2 - SBCS const3, acc3, t3 - SBCS $0, acc4, acc4 - - CSEL CS, t0, acc0, acc0 - CSEL CS, t1, acc1, acc1 - CSEL CS, t2, acc2, acc2 - CSEL CS, t3, acc3, acc3 - - MOVD res+0(FP), res_ptr - STP (acc0, acc1), 0*16(res_ptr) - STP (acc2, acc3), 1*16(res_ptr) - - RET -/* ---------------------------------------*/ -TEXT p256SubInternal<>(SB),NOSPLIT,$0 - SUBS x0, y0, acc0 - SBCS x1, y1, acc1 - SBCS x2, y2, acc2 - SBCS x3, y3, acc3 - SBC $0, ZR, t0 - - ADDS $-1, acc0, acc4 - ADCS const0, acc1, acc5 - ADCS $0, acc2, acc6 - ADC const1, acc3, acc7 - - ANDS $1, t0 - CSEL EQ, acc0, acc4, x0 - CSEL EQ, acc1, acc5, x1 - CSEL EQ, acc2, acc6, x2 - CSEL EQ, acc3, acc7, x3 - - RET -/* ---------------------------------------*/ -TEXT p256SqrInternal<>(SB),NOSPLIT,$0 - // x[1:] * x[0] - MUL x0, x1, acc1 - UMULH x0, x1, acc2 - - MUL x0, x2, t0 - ADDS t0, acc2, acc2 - UMULH x0, x2, acc3 - - MUL x0, x3, t0 - ADCS t0, acc3, acc3 - UMULH x0, x3, acc4 - ADC $0, acc4, acc4 - // x[2:] * x[1] - MUL x1, x2, t0 - ADDS t0, acc3 - UMULH x1, x2, t1 - ADCS t1, acc4 - ADC $0, ZR, acc5 - - MUL x1, x3, t0 - ADDS t0, acc4 - UMULH x1, x3, t1 - ADC t1, acc5 - // x[3] * x[2] - MUL x2, x3, t0 - ADDS t0, acc5 - UMULH x2, x3, acc6 - ADC $0, acc6 - - MOVD $0, acc7 - // *2 - ADDS acc1, acc1 - ADCS acc2, acc2 - ADCS acc3, acc3 - ADCS acc4, acc4 - ADCS acc5, acc5 - ADCS acc6, acc6 - ADC $0, acc7 - // Missing products - MUL x0, x0, acc0 - UMULH x0, x0, t0 - ADDS t0, acc1, acc1 - - MUL x1, x1, t0 - ADCS t0, acc2, acc2 - UMULH x1, x1, t1 - ADCS t1, acc3, acc3 - - MUL x2, x2, t0 - ADCS t0, acc4, acc4 - UMULH x2, x2, t1 - ADCS t1, acc5, acc5 - - MUL x3, x3, t0 - ADCS t0, acc6, acc6 - UMULH x3, x3, t1 - ADCS t1, acc7, acc7 - // First reduction step - ADDS acc0<<32, acc1, acc1 - LSR $32, acc0, t0 - MUL acc0, const1, t1 - UMULH acc0, const1, acc0 - ADCS t0, acc2, acc2 - ADCS t1, acc3, acc3 - ADC $0, acc0, acc0 - // Second reduction step - ADDS acc1<<32, acc2, acc2 - LSR $32, acc1, t0 - MUL acc1, const1, t1 - UMULH acc1, const1, acc1 - ADCS t0, acc3, acc3 - ADCS t1, acc0, acc0 - ADC $0, acc1, acc1 - // Third reduction step - ADDS acc2<<32, acc3, acc3 - LSR $32, acc2, t0 - MUL acc2, const1, t1 - UMULH acc2, const1, acc2 - ADCS t0, acc0, acc0 - ADCS t1, acc1, acc1 - ADC $0, acc2, acc2 - // Last reduction step - ADDS acc3<<32, acc0, acc0 - LSR $32, acc3, t0 - MUL acc3, const1, t1 - UMULH acc3, const1, acc3 - ADCS t0, acc1, acc1 - ADCS t1, acc2, acc2 - ADC $0, acc3, acc3 - // Add bits [511:256] of the sqr result - ADDS acc4, acc0, acc0 - ADCS acc5, acc1, acc1 - ADCS acc6, acc2, acc2 - ADCS acc7, acc3, acc3 - ADC $0, ZR, acc4 - - SUBS $-1, acc0, t0 - SBCS const0, acc1, t1 - SBCS $0, acc2, t2 - SBCS const1, acc3, t3 - SBCS $0, acc4, acc4 - - CSEL CS, t0, acc0, y0 - CSEL CS, t1, acc1, y1 - CSEL CS, t2, acc2, y2 - CSEL CS, t3, acc3, y3 - RET -/* ---------------------------------------*/ -TEXT p256MulInternal<>(SB),NOSPLIT,$0 - // y[0] * x - MUL y0, x0, acc0 - UMULH y0, x0, acc1 - - MUL y0, x1, t0 - ADDS t0, acc1 - UMULH y0, x1, acc2 - - MUL y0, x2, t0 - ADCS t0, acc2 - UMULH y0, x2, acc3 - - MUL y0, x3, t0 - ADCS t0, acc3 - UMULH y0, x3, acc4 - ADC $0, acc4 - // First reduction step - ADDS acc0<<32, acc1, acc1 - LSR $32, acc0, t0 - MUL acc0, const1, t1 - UMULH acc0, const1, acc0 - ADCS t0, acc2 - ADCS t1, acc3 - ADC $0, acc0 - // y[1] * x - MUL y1, x0, t0 - ADDS t0, acc1 - UMULH y1, x0, t1 - - MUL y1, x1, t0 - ADCS t0, acc2 - UMULH y1, x1, t2 - - MUL y1, x2, t0 - ADCS t0, acc3 - UMULH y1, x2, t3 - - MUL y1, x3, t0 - ADCS t0, acc4 - UMULH y1, x3, hlp0 - ADC $0, ZR, acc5 - - ADDS t1, acc2 - ADCS t2, acc3 - ADCS t3, acc4 - ADC hlp0, acc5 - // Second reduction step - ADDS acc1<<32, acc2, acc2 - LSR $32, acc1, t0 - MUL acc1, const1, t1 - UMULH acc1, const1, acc1 - ADCS t0, acc3 - ADCS t1, acc0 - ADC $0, acc1 - // y[2] * x - MUL y2, x0, t0 - ADDS t0, acc2 - UMULH y2, x0, t1 - - MUL y2, x1, t0 - ADCS t0, acc3 - UMULH y2, x1, t2 - - MUL y2, x2, t0 - ADCS t0, acc4 - UMULH y2, x2, t3 - - MUL y2, x3, t0 - ADCS t0, acc5 - UMULH y2, x3, hlp0 - ADC $0, ZR, acc6 - - ADDS t1, acc3 - ADCS t2, acc4 - ADCS t3, acc5 - ADC hlp0, acc6 - // Third reduction step - ADDS acc2<<32, acc3, acc3 - LSR $32, acc2, t0 - MUL acc2, const1, t1 - UMULH acc2, const1, acc2 - ADCS t0, acc0 - ADCS t1, acc1 - ADC $0, acc2 - // y[3] * x - MUL y3, x0, t0 - ADDS t0, acc3 - UMULH y3, x0, t1 - - MUL y3, x1, t0 - ADCS t0, acc4 - UMULH y3, x1, t2 - - MUL y3, x2, t0 - ADCS t0, acc5 - UMULH y3, x2, t3 - - MUL y3, x3, t0 - ADCS t0, acc6 - UMULH y3, x3, hlp0 - ADC $0, ZR, acc7 - - ADDS t1, acc4 - ADCS t2, acc5 - ADCS t3, acc6 - ADC hlp0, acc7 - // Last reduction step - ADDS acc3<<32, acc0, acc0 - LSR $32, acc3, t0 - MUL acc3, const1, t1 - UMULH acc3, const1, acc3 - ADCS t0, acc1 - ADCS t1, acc2 - ADC $0, acc3 - // Add bits [511:256] of the mul result - ADDS acc4, acc0, acc0 - ADCS acc5, acc1, acc1 - ADCS acc6, acc2, acc2 - ADCS acc7, acc3, acc3 - ADC $0, ZR, acc4 - - SUBS $-1, acc0, t0 - SBCS const0, acc1, t1 - SBCS $0, acc2, t2 - SBCS const1, acc3, t3 - SBCS $0, acc4, acc4 - - CSEL CS, t0, acc0, y0 - CSEL CS, t1, acc1, y1 - CSEL CS, t2, acc2, y2 - CSEL CS, t3, acc3, y3 - RET -/* ---------------------------------------*/ -#define p256MulBy2Inline \ - ADDS y0, y0, x0; \ - ADCS y1, y1, x1; \ - ADCS y2, y2, x2; \ - ADCS y3, y3, x3; \ - ADC $0, ZR, hlp0; \ - SUBS $-1, x0, t0; \ - SBCS const0, x1, t1;\ - SBCS $0, x2, t2; \ - SBCS const1, x3, t3;\ - SBCS $0, hlp0, hlp0;\ - CSEL CC, x0, t0, x0;\ - CSEL CC, x1, t1, x1;\ - CSEL CC, x2, t2, x2;\ - CSEL CC, x3, t3, x3; -/* ---------------------------------------*/ -#define x1in(off) (off)(a_ptr) -#define y1in(off) (off + 32)(a_ptr) -#define z1in(off) (off + 64)(a_ptr) -#define x2in(off) (off)(b_ptr) -#define z2in(off) (off + 64)(b_ptr) -#define x3out(off) (off)(res_ptr) -#define y3out(off) (off + 32)(res_ptr) -#define z3out(off) (off + 64)(res_ptr) -#define LDx(src) LDP src(0), (x0, x1); LDP src(16), (x2, x3) -#define LDy(src) LDP src(0), (y0, y1); LDP src(16), (y2, y3) -#define STx(src) STP (x0, x1), src(0); STP (x2, x3), src(16) -#define STy(src) STP (y0, y1), src(0); STP (y2, y3), src(16) -/* ---------------------------------------*/ -#define y2in(off) (32*0 + 8 + off)(RSP) -#define s2(off) (32*1 + 8 + off)(RSP) -#define z1sqr(off) (32*2 + 8 + off)(RSP) -#define h(off) (32*3 + 8 + off)(RSP) -#define r(off) (32*4 + 8 + off)(RSP) -#define hsqr(off) (32*5 + 8 + off)(RSP) -#define rsqr(off) (32*6 + 8 + off)(RSP) -#define hcub(off) (32*7 + 8 + off)(RSP) - -#define z2sqr(off) (32*8 + 8 + off)(RSP) -#define s1(off) (32*9 + 8 + off)(RSP) -#define u1(off) (32*10 + 8 + off)(RSP) -#define u2(off) (32*11 + 8 + off)(RSP) - -// func p256PointAddAffineAsm(res, in1 *P256Point, in2 *p256AffinePoint, sign, sel, zero int) -TEXT ·p256PointAddAffineAsm(SB),0,$264-48 - MOVD in1+8(FP), a_ptr - MOVD in2+16(FP), b_ptr - MOVD sign+24(FP), hlp0 - MOVD sel+32(FP), hlp1 - MOVD zero+40(FP), t2 - - MOVD $1, t0 - CMP $0, t2 - CSEL EQ, ZR, t0, t2 - CMP $0, hlp1 - CSEL EQ, ZR, t0, hlp1 - - MOVD p256const0<>(SB), const0 - MOVD p256const1<>(SB), const1 - EOR t2<<1, hlp1 - - // Negate y2in based on sign - LDP 2*16(b_ptr), (y0, y1) - LDP 3*16(b_ptr), (y2, y3) - MOVD $-1, acc0 - - SUBS y0, acc0, acc0 - SBCS y1, const0, acc1 - SBCS y2, ZR, acc2 - SBCS y3, const1, acc3 - SBC $0, ZR, t0 - - ADDS $-1, acc0, acc4 - ADCS const0, acc1, acc5 - ADCS $0, acc2, acc6 - ADCS const1, acc3, acc7 - ADC $0, t0, t0 - - CMP $0, t0 - CSEL EQ, acc4, acc0, acc0 - CSEL EQ, acc5, acc1, acc1 - CSEL EQ, acc6, acc2, acc2 - CSEL EQ, acc7, acc3, acc3 - // If condition is 0, keep original value - CMP $0, hlp0 - CSEL EQ, y0, acc0, y0 - CSEL EQ, y1, acc1, y1 - CSEL EQ, y2, acc2, y2 - CSEL EQ, y3, acc3, y3 - // Store result - STy(y2in) - // Begin point add - LDx(z1in) - CALL p256SqrInternal<>(SB) // z1ˆ2 - STy(z1sqr) - - LDx(x2in) - CALL p256MulInternal<>(SB) // x2 * z1ˆ2 - - LDx(x1in) - CALL p256SubInternal<>(SB) // h = u2 - u1 - STx(h) - - LDy(z1in) - CALL p256MulInternal<>(SB) // z3 = h * z1 - - LDP 4*16(a_ptr), (acc0, acc1)// iff select[0] == 0, z3 = z1 - LDP 5*16(a_ptr), (acc2, acc3) - ANDS $1, hlp1, ZR - CSEL EQ, acc0, y0, y0 - CSEL EQ, acc1, y1, y1 - CSEL EQ, acc2, y2, y2 - CSEL EQ, acc3, y3, y3 - LDP p256one<>+0x00(SB), (acc0, acc1) - LDP p256one<>+0x10(SB), (acc2, acc3) - ANDS $2, hlp1, ZR // iff select[1] == 0, z3 = 1 - CSEL EQ, acc0, y0, y0 - CSEL EQ, acc1, y1, y1 - CSEL EQ, acc2, y2, y2 - CSEL EQ, acc3, y3, y3 - LDx(z1in) - MOVD res+0(FP), t0 - STP (y0, y1), 4*16(t0) - STP (y2, y3), 5*16(t0) - - LDy(z1sqr) - CALL p256MulInternal<>(SB) // z1 ^ 3 - - LDx(y2in) - CALL p256MulInternal<>(SB) // s2 = y2 * z1ˆ3 - STy(s2) - - LDx(y1in) - CALL p256SubInternal<>(SB) // r = s2 - s1 - STx(r) - - CALL p256SqrInternal<>(SB) // rsqr = rˆ2 - STy (rsqr) - - LDx(h) - CALL p256SqrInternal<>(SB) // hsqr = hˆ2 - STy(hsqr) - - CALL p256MulInternal<>(SB) // hcub = hˆ3 - STy(hcub) - - LDx(y1in) - CALL p256MulInternal<>(SB) // y1 * hˆ3 - STy(s2) - - LDP hsqr(0*8), (x0, x1) - LDP hsqr(2*8), (x2, x3) - LDP 0*16(a_ptr), (y0, y1) - LDP 1*16(a_ptr), (y2, y3) - CALL p256MulInternal<>(SB) // u1 * hˆ2 - STP (y0, y1), h(0*8) - STP (y2, y3), h(2*8) - - p256MulBy2Inline // u1 * hˆ2 * 2, inline - - LDy(rsqr) - CALL p256SubInternal<>(SB) // rˆ2 - u1 * hˆ2 * 2 - - MOVD x0, y0 - MOVD x1, y1 - MOVD x2, y2 - MOVD x3, y3 - LDx(hcub) - CALL p256SubInternal<>(SB) - - LDP 0*16(a_ptr), (acc0, acc1) - LDP 1*16(a_ptr), (acc2, acc3) - ANDS $1, hlp1, ZR // iff select[0] == 0, x3 = x1 - CSEL EQ, acc0, x0, x0 - CSEL EQ, acc1, x1, x1 - CSEL EQ, acc2, x2, x2 - CSEL EQ, acc3, x3, x3 - LDP 0*16(b_ptr), (acc0, acc1) - LDP 1*16(b_ptr), (acc2, acc3) - ANDS $2, hlp1, ZR // iff select[1] == 0, x3 = x2 - CSEL EQ, acc0, x0, x0 - CSEL EQ, acc1, x1, x1 - CSEL EQ, acc2, x2, x2 - CSEL EQ, acc3, x3, x3 - MOVD res+0(FP), t0 - STP (x0, x1), 0*16(t0) - STP (x2, x3), 1*16(t0) - - LDP h(0*8), (y0, y1) - LDP h(2*8), (y2, y3) - CALL p256SubInternal<>(SB) - - LDP r(0*8), (y0, y1) - LDP r(2*8), (y2, y3) - CALL p256MulInternal<>(SB) - - LDP s2(0*8), (x0, x1) - LDP s2(2*8), (x2, x3) - CALL p256SubInternal<>(SB) - LDP 2*16(a_ptr), (acc0, acc1) - LDP 3*16(a_ptr), (acc2, acc3) - ANDS $1, hlp1, ZR // iff select[0] == 0, y3 = y1 - CSEL EQ, acc0, x0, x0 - CSEL EQ, acc1, x1, x1 - CSEL EQ, acc2, x2, x2 - CSEL EQ, acc3, x3, x3 - LDP y2in(0*8), (acc0, acc1) - LDP y2in(2*8), (acc2, acc3) - ANDS $2, hlp1, ZR // iff select[1] == 0, y3 = y2 - CSEL EQ, acc0, x0, x0 - CSEL EQ, acc1, x1, x1 - CSEL EQ, acc2, x2, x2 - CSEL EQ, acc3, x3, x3 - MOVD res+0(FP), t0 - STP (x0, x1), 2*16(t0) - STP (x2, x3), 3*16(t0) - - RET - -#define p256AddInline \ - ADDS y0, x0, x0; \ - ADCS y1, x1, x1; \ - ADCS y2, x2, x2; \ - ADCS y3, x3, x3; \ - ADC $0, ZR, hlp0; \ - SUBS $-1, x0, t0; \ - SBCS const0, x1, t1;\ - SBCS $0, x2, t2; \ - SBCS const1, x3, t3;\ - SBCS $0, hlp0, hlp0;\ - CSEL CC, x0, t0, x0;\ - CSEL CC, x1, t1, x1;\ - CSEL CC, x2, t2, x2;\ - CSEL CC, x3, t3, x3; - -#define s(off) (32*0 + 8 + off)(RSP) -#define m(off) (32*1 + 8 + off)(RSP) -#define zsqr(off) (32*2 + 8 + off)(RSP) -#define tmp(off) (32*3 + 8 + off)(RSP) - -//func p256PointDoubleAsm(res, in *P256Point) -TEXT ·p256PointDoubleAsm(SB),NOSPLIT,$136-16 - MOVD res+0(FP), res_ptr - MOVD in+8(FP), a_ptr - - MOVD p256const0<>(SB), const0 - MOVD p256const1<>(SB), const1 - - // Begin point double - LDP 4*16(a_ptr), (x0, x1) - LDP 5*16(a_ptr), (x2, x3) - CALL p256SqrInternal<>(SB) - STP (y0, y1), zsqr(0*8) - STP (y2, y3), zsqr(2*8) - - LDP 0*16(a_ptr), (x0, x1) - LDP 1*16(a_ptr), (x2, x3) - p256AddInline - STx(m) - - LDx(z1in) - LDy(y1in) - CALL p256MulInternal<>(SB) - p256MulBy2Inline - STx(z3out) - - LDy(x1in) - LDx(zsqr) - CALL p256SubInternal<>(SB) - LDy(m) - CALL p256MulInternal<>(SB) - - // Multiply by 3 - p256MulBy2Inline - p256AddInline - STx(m) - - LDy(y1in) - p256MulBy2Inline - CALL p256SqrInternal<>(SB) - STy(s) - MOVD y0, x0 - MOVD y1, x1 - MOVD y2, x2 - MOVD y3, x3 - CALL p256SqrInternal<>(SB) - - // Divide by 2 - ADDS $-1, y0, t0 - ADCS const0, y1, t1 - ADCS $0, y2, t2 - ADCS const1, y3, t3 - ADC $0, ZR, hlp0 - - ANDS $1, y0, ZR - CSEL EQ, y0, t0, t0 - CSEL EQ, y1, t1, t1 - CSEL EQ, y2, t2, t2 - CSEL EQ, y3, t3, t3 - AND y0, hlp0, hlp0 - - EXTR $1, t0, t1, y0 - EXTR $1, t1, t2, y1 - EXTR $1, t2, t3, y2 - EXTR $1, t3, hlp0, y3 - STy(y3out) - - LDx(x1in) - LDy(s) - CALL p256MulInternal<>(SB) - STy(s) - p256MulBy2Inline - STx(tmp) - - LDx(m) - CALL p256SqrInternal<>(SB) - LDx(tmp) - CALL p256SubInternal<>(SB) - - STx(x3out) - - LDy(s) - CALL p256SubInternal<>(SB) - - LDy(m) - CALL p256MulInternal<>(SB) - - LDx(y3out) - CALL p256SubInternal<>(SB) - STx(y3out) - RET -/* ---------------------------------------*/ -#undef y2in -#undef x3out -#undef y3out -#undef z3out -#define y2in(off) (off + 32)(b_ptr) -#define x3out(off) (off)(b_ptr) -#define y3out(off) (off + 32)(b_ptr) -#define z3out(off) (off + 64)(b_ptr) -// func p256PointAddAsm(res, in1, in2 *P256Point) int -TEXT ·p256PointAddAsm(SB),0,$392-32 - // See https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl - // Move input to stack in order to free registers - MOVD in1+8(FP), a_ptr - MOVD in2+16(FP), b_ptr - - MOVD p256const0<>(SB), const0 - MOVD p256const1<>(SB), const1 - - // Begin point add - LDx(z2in) - CALL p256SqrInternal<>(SB) // z2^2 - STy(z2sqr) - - CALL p256MulInternal<>(SB) // z2^3 - - LDx(y1in) - CALL p256MulInternal<>(SB) // s1 = z2ˆ3*y1 - STy(s1) - - LDx(z1in) - CALL p256SqrInternal<>(SB) // z1^2 - STy(z1sqr) - - CALL p256MulInternal<>(SB) // z1^3 - - LDx(y2in) - CALL p256MulInternal<>(SB) // s2 = z1ˆ3*y2 - - LDx(s1) - CALL p256SubInternal<>(SB) // r = s2 - s1 - STx(r) - - MOVD $1, t2 - ORR x0, x1, t0 // Check if zero mod p256 - ORR x2, x3, t1 - ORR t1, t0, t0 - CMP $0, t0 - CSEL EQ, t2, ZR, hlp1 - - EOR $-1, x0, t0 - EOR const0, x1, t1 - EOR const1, x3, t3 - - ORR t0, t1, t0 - ORR x2, t3, t1 - ORR t1, t0, t0 - CMP $0, t0 - CSEL EQ, t2, hlp1, hlp1 - - LDx(z2sqr) - LDy(x1in) - CALL p256MulInternal<>(SB) // u1 = x1 * z2ˆ2 - STy(u1) - - LDx(z1sqr) - LDy(x2in) - CALL p256MulInternal<>(SB) // u2 = x2 * z1ˆ2 - STy(u2) - - LDx(u1) - CALL p256SubInternal<>(SB) // h = u2 - u1 - STx(h) - - MOVD $1, t2 - ORR x0, x1, t0 // Check if zero mod p256 - ORR x2, x3, t1 - ORR t1, t0, t0 - CMP $0, t0 - CSEL EQ, t2, ZR, hlp0 - - EOR $-1, x0, t0 - EOR const0, x1, t1 - EOR const1, x3, t3 - - ORR t0, t1, t0 - ORR x2, t3, t1 - ORR t1, t0, t0 - CMP $0, t0 - CSEL EQ, t2, hlp0, hlp0 - - AND hlp0, hlp1, hlp1 - - LDx(r) - CALL p256SqrInternal<>(SB) // rsqr = rˆ2 - STy(rsqr) - - LDx(h) - CALL p256SqrInternal<>(SB) // hsqr = hˆ2 - STy(hsqr) - - LDx(h) - CALL p256MulInternal<>(SB) // hcub = hˆ3 - STy(hcub) - - LDx(s1) - CALL p256MulInternal<>(SB) - STy(s2) - - LDx(z1in) - LDy(z2in) - CALL p256MulInternal<>(SB) // z1 * z2 - LDx(h) - CALL p256MulInternal<>(SB) // z1 * z2 * h - MOVD res+0(FP), b_ptr - STy(z3out) - - LDx(hsqr) - LDy(u1) - CALL p256MulInternal<>(SB) // hˆ2 * u1 - STy(u2) - - p256MulBy2Inline // u1 * hˆ2 * 2, inline - LDy(rsqr) - CALL p256SubInternal<>(SB) // rˆ2 - u1 * hˆ2 * 2 - - MOVD x0, y0 - MOVD x1, y1 - MOVD x2, y2 - MOVD x3, y3 - LDx(hcub) - CALL p256SubInternal<>(SB) - STx(x3out) - - LDy(u2) - CALL p256SubInternal<>(SB) - - LDy(r) - CALL p256MulInternal<>(SB) - - LDx(s2) - CALL p256SubInternal<>(SB) - STx(y3out) - - MOVD hlp1, R0 - MOVD R0, ret+24(FP) - - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_ppc64le.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_ppc64le.s deleted file mode 100644 index 7efaa6ac187..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_ppc64le.s +++ /dev/null @@ -1,2180 +0,0 @@ -// Copyright 2019 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// This is a port of the s390x asm implementation. -// to ppc64le. - -// Some changes were needed due to differences in -// the Go opcodes and/or available instructions -// between s390x and ppc64le. - -// 1. There were operand order differences in the -// VSUBUQM, VSUBCUQ, and VSEL instructions. - -// 2. ppc64 does not have a multiply high and low -// like s390x, so those were implemented using -// macros to compute the equivalent values. - -// 3. The LVX, STVX instructions on ppc64 require -// 16 byte alignment of the data. To avoid that -// requirement, data is loaded using LXVD2X and -// STXVD2X with VPERM to reorder bytes correctly. - -// I have identified some areas where I believe -// changes would be needed to make this work for big -// endian; however additional changes beyond what I -// have noted are most likely needed to make it work. -// - The string used with VPERM to swap the byte order -// for loads and stores. -// - The constants that are loaded from CPOOL. -// - -// The following constants are defined in an order -// that is correct for use with LXVD2X/STXVD2X -// on little endian. -DATA p256<>+0x00(SB)/8, $0xffffffff00000001 // P256 -DATA p256<>+0x08(SB)/8, $0x0000000000000000 // P256 -DATA p256<>+0x10(SB)/8, $0x00000000ffffffff // P256 -DATA p256<>+0x18(SB)/8, $0xffffffffffffffff // P256 -DATA p256<>+0x20(SB)/8, $0x0c0d0e0f1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256<>+0x28(SB)/8, $0x0c0d0e0f1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256<>+0x30(SB)/8, $0x0000000010111213 // SEL 0 d1 d0 0 -DATA p256<>+0x38(SB)/8, $0x1415161700000000 // SEL 0 d1 d0 0 -DATA p256<>+0x40(SB)/8, $0x18191a1b1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256<>+0x48(SB)/8, $0x18191a1b1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256mul<>+0x00(SB)/8, $0x00000000ffffffff // P256 original -DATA p256mul<>+0x08(SB)/8, $0xffffffffffffffff // P256 -DATA p256mul<>+0x10(SB)/8, $0xffffffff00000001 // P256 original -DATA p256mul<>+0x18(SB)/8, $0x0000000000000000 // P256 -DATA p256mul<>+0x20(SB)/8, $0x1c1d1e1f00000000 // SEL d0 0 0 d0 -DATA p256mul<>+0x28(SB)/8, $0x000000001c1d1e1f // SEL d0 0 0 d0 -DATA p256mul<>+0x30(SB)/8, $0x0001020304050607 // SEL d0 0 d1 d0 -DATA p256mul<>+0x38(SB)/8, $0x1c1d1e1f0c0d0e0f // SEL d0 0 d1 d0 -DATA p256mul<>+0x40(SB)/8, $0x040506071c1d1e1f // SEL 0 d1 d0 d1 -DATA p256mul<>+0x48(SB)/8, $0x0c0d0e0f1c1d1e1f // SEL 0 d1 d0 d1 -DATA p256mul<>+0x50(SB)/8, $0x0405060704050607 // SEL 0 0 d1 d0 -DATA p256mul<>+0x58(SB)/8, $0x1c1d1e1f0c0d0e0f // SEL 0 0 d1 d0 -DATA p256mul<>+0x60(SB)/8, $0x0c0d0e0f1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256mul<>+0x68(SB)/8, $0x0c0d0e0f1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256mul<>+0x70(SB)/8, $0x141516170c0d0e0f // SEL 0 d1 d0 0 -DATA p256mul<>+0x78(SB)/8, $0x1c1d1e1f14151617 // SEL 0 d1 d0 0 -DATA p256mul<>+0x80(SB)/8, $0xffffffff00000000 // (1*2^256)%P256 -DATA p256mul<>+0x88(SB)/8, $0x0000000000000001 // (1*2^256)%P256 -DATA p256mul<>+0x90(SB)/8, $0x00000000fffffffe // (1*2^256)%P256 -DATA p256mul<>+0x98(SB)/8, $0xffffffffffffffff // (1*2^256)%P256 - -// External declarations for constants -GLOBL p256ord<>(SB), 8, $32 -GLOBL p256<>(SB), 8, $80 -GLOBL p256mul<>(SB), 8, $160 - -// The following macros are used to implement the ppc64le -// equivalent function from the corresponding s390x -// instruction for vector multiply high, low, and add, -// since there aren't exact equivalent instructions. -// The corresponding s390x instructions appear in the -// comments. -// Implementation for big endian would have to be -// investigated, I think it would be different. -// -// -// Vector multiply word -// -// VMLF x0, x1, out_low -// VMLHF x0, x1, out_hi -#define VMULT(x1, x2, out_low, out_hi) \ - VMULEUW x1, x2, TMP1; \ - VMULOUW x1, x2, TMP2; \ - VMRGEW TMP1, TMP2, out_hi; \ - VMRGOW TMP1, TMP2, out_low - -// -// Vector multiply add word -// -// VMALF x0, x1, y, out_low -// VMALHF x0, x1, y, out_hi -#define VMULT_ADD(x1, x2, y, one, out_low, out_hi) \ - VMULEUW y, one, TMP2; \ - VMULOUW y, one, TMP1; \ - VMULEUW x1, x2, out_low; \ - VMULOUW x1, x2, out_hi; \ - VADDUDM TMP2, out_low, TMP2; \ - VADDUDM TMP1, out_hi, TMP1; \ - VMRGOW TMP2, TMP1, out_low; \ - VMRGEW TMP2, TMP1, out_hi - -#define res_ptr R3 -#define a_ptr R4 - -#undef res_ptr -#undef a_ptr - -#define P1ptr R3 -#define CPOOL R7 - -#define Y1L V0 -#define Y1H V1 -#define T1L V2 -#define T1H V3 - -#define PL V30 -#define PH V31 - -#define CAR1 V6 - -#define SEL V8 -#define ZER V9 - -// func p256NegCond(val *p256Point, cond int) -TEXT ·p256NegCond(SB), NOSPLIT, $0-16 - MOVD val+0(FP), P1ptr - MOVD $16, R16 - - // Copy cond into SEL (cond is R1 + 8 (cond offset) + 32) - MOVD $40, R17 - LXVDSX (R1)(R17), SEL - // Zeroize ZER - VSPLTISB $0, ZER - // SEL controls whether to return the original value (Y1H/Y1L) - // or the negated value (T1H/T1L). - VCMPEQUD SEL, ZER, SEL - - MOVD $p256mul<>+0x00(SB), CPOOL - - LXVD2X (P1ptr)(R0), Y1L - LXVD2X (P1ptr)(R16), Y1H - - XXPERMDI Y1H, Y1H, $2, Y1H - XXPERMDI Y1L, Y1L, $2, Y1L - - LXVD2X (CPOOL)(R0), PL - LXVD2X (CPOOL)(R16), PH - - VSUBCUQ PL, Y1L, CAR1 // subtract part2 giving carry - VSUBUQM PL, Y1L, T1L // subtract part2 giving result - VSUBEUQM PH, Y1H, CAR1, T1H // subtract part1 using carry from part2 - - VSEL T1H, Y1H, SEL, T1H - VSEL T1L, Y1L, SEL, T1L - - XXPERMDI T1H, T1H, $2, T1H - XXPERMDI T1L, T1L, $2, T1L - - STXVD2X T1L, (R0+P1ptr) - STXVD2X T1H, (R16+P1ptr) - RET - -#undef P1ptr -#undef CPOOL -#undef Y1L -#undef Y1H -#undef T1L -#undef T1H -#undef PL -#undef PH -#undef CAR1 -#undef SEL -#undef ZER - -#define P3ptr R3 -#define P1ptr R4 -#define P2ptr R5 - -#define X1L V0 -#define X1H V1 -#define Y1L V2 -#define Y1H V3 -#define Z1L V4 -#define Z1H V5 -#define X2L V6 -#define X2H V7 -#define Y2L V8 -#define Y2H V9 -#define Z2L V10 -#define Z2H V11 -#define SEL V12 -#define ZER V13 - -// This function uses LXVD2X and STXVD2X to avoid the -// data alignment requirement for LVX, STVX. Since -// this code is just moving bytes and not doing arithmetic, -// order of the bytes doesn't matter. -// -// func p256MovCond(res, a, b *p256Point, cond int) -TEXT ·p256MovCond(SB), NOSPLIT, $0-32 - MOVD res+0(FP), P3ptr - MOVD a+8(FP), P1ptr - MOVD b+16(FP), P2ptr - MOVD $16, R16 - MOVD $32, R17 - MOVD $48, R18 - MOVD $56, R21 - MOVD $64, R19 - MOVD $80, R20 - // cond is R1 + 24 (cond offset) + 32 - LXVDSX (R1)(R21), SEL - VSPLTISB $0, ZER - // SEL controls whether to store a or b - VCMPEQUD SEL, ZER, SEL - - LXVD2X (P1ptr+R0), X1H - LXVD2X (P1ptr+R16), X1L - LXVD2X (P1ptr+R17), Y1H - LXVD2X (P1ptr+R18), Y1L - LXVD2X (P1ptr+R19), Z1H - LXVD2X (P1ptr+R20), Z1L - - LXVD2X (P2ptr+R0), X2H - LXVD2X (P2ptr+R16), X2L - LXVD2X (P2ptr+R17), Y2H - LXVD2X (P2ptr+R18), Y2L - LXVD2X (P2ptr+R19), Z2H - LXVD2X (P2ptr+R20), Z2L - - VSEL X1H, X2H, SEL, X1H - VSEL X1L, X2L, SEL, X1L - VSEL Y1H, Y2H, SEL, Y1H - VSEL Y1L, Y2L, SEL, Y1L - VSEL Z1H, Z2H, SEL, Z1H - VSEL Z1L, Z2L, SEL, Z1L - - STXVD2X X1H, (P3ptr+R0) - STXVD2X X1L, (P3ptr+R16) - STXVD2X Y1H, (P3ptr+R17) - STXVD2X Y1L, (P3ptr+R18) - STXVD2X Z1H, (P3ptr+R19) - STXVD2X Z1L, (P3ptr+R20) - - RET - -#undef P3ptr -#undef P1ptr -#undef P2ptr -#undef X1L -#undef X1H -#undef Y1L -#undef Y1H -#undef Z1L -#undef Z1H -#undef X2L -#undef X2H -#undef Y2L -#undef Y2H -#undef Z2L -#undef Z2H -#undef SEL -#undef ZER - -#define P3ptr R3 -#define P1ptr R4 -#define COUNT R5 - -#define X1L V0 -#define X1H V1 -#define Y1L V2 -#define Y1H V3 -#define Z1L V4 -#define Z1H V5 -#define X2L V6 -#define X2H V7 -#define Y2L V8 -#define Y2H V9 -#define Z2L V10 -#define Z2H V11 - -#define ONE V18 -#define IDX V19 -#define SEL1 V20 -#define SEL2 V21 -// func p256Select(point *p256Point, table *p256Table, idx int) -TEXT ·p256Select(SB), NOSPLIT, $0-24 - MOVD res+0(FP), P3ptr - MOVD table+8(FP), P1ptr - MOVD $16, R16 - MOVD $32, R17 - MOVD $48, R18 - MOVD $64, R19 - MOVD $80, R20 - - LXVDSX (R1)(R18), SEL1 // VLREPG idx+32(FP), SEL1 - VSPLTB $7, SEL1, IDX // splat byte - VSPLTISB $1, ONE // VREPIB $1, ONE - VSPLTISB $1, SEL2 // VREPIB $1, SEL2 - MOVD $16, COUNT // len(p256Table) - MOVD COUNT, CTR // set up ctr - - VSPLTISB $0, X1H // VZERO X1H - VSPLTISB $0, X1L // VZERO X1L - VSPLTISB $0, Y1H // VZERO Y1H - VSPLTISB $0, Y1L // VZERO Y1L - VSPLTISB $0, Z1H // VZERO Z1H - VSPLTISB $0, Z1L // VZERO Z1L - -loop_select: - - // LVXD2X is used here since data alignment doesn't - // matter. - - LXVD2X (P1ptr+R0), X2H - LXVD2X (P1ptr+R16), X2L - LXVD2X (P1ptr+R17), Y2H - LXVD2X (P1ptr+R18), Y2L - LXVD2X (P1ptr+R19), Z2H - LXVD2X (P1ptr+R20), Z2L - - VCMPEQUD SEL2, IDX, SEL1 // VCEQG SEL2, IDX, SEL1 OK - - // This will result in SEL1 being all 0s or 1s, meaning - // the result is either X1L or X2L, no individual byte - // selection. - - VSEL X1L, X2L, SEL1, X1L - VSEL X1H, X2H, SEL1, X1H - VSEL Y1L, Y2L, SEL1, Y1L - VSEL Y1H, Y2H, SEL1, Y1H - VSEL Z1L, Z2L, SEL1, Z1L - VSEL Z1H, Z2H, SEL1, Z1H - - // Add 1 to all bytes in SEL2 - VADDUBM SEL2, ONE, SEL2 // VAB SEL2, ONE, SEL2 OK - ADD $96, P1ptr - BDNZ loop_select - - // STXVD2X is used here so that alignment doesn't - // need to be verified. Since values were loaded - // using LXVD2X this is OK. - STXVD2X X1H, (P3ptr+R0) - STXVD2X X1L, (P3ptr+R16) - STXVD2X Y1H, (P3ptr+R17) - STXVD2X Y1L, (P3ptr+R18) - STXVD2X Z1H, (P3ptr+R19) - STXVD2X Z1L, (P3ptr+R20) - RET - -#undef P3ptr -#undef P1ptr -#undef COUNT -#undef X1L -#undef X1H -#undef Y1L -#undef Y1H -#undef Z1L -#undef Z1H -#undef X2L -#undef X2H -#undef Y2L -#undef Y2H -#undef Z2L -#undef Z2H -#undef ONE -#undef IDX -#undef SEL1 -#undef SEL2 - -#define P3ptr R3 -#define P1ptr R4 -#define COUNT R5 - -#define X1L V0 -#define X1H V1 -#define Y1L V2 -#define Y1H V3 -#define Z1L V4 -#define Z1H V5 -#define X2L V6 -#define X2H V7 -#define Y2L V8 -#define Y2H V9 -#define Z2L V10 -#define Z2H V11 - -#define ONE V18 -#define IDX V19 -#define SEL1 V20 -#define SEL2 V21 - -// func p256SelectAffine(res *p256AffinePoint, table *p256AffineTable, idx int) -TEXT ·p256SelectAffine(SB), NOSPLIT, $0-24 - MOVD res+0(FP), P3ptr - MOVD table+8(FP), P1ptr - MOVD $16, R16 - MOVD $32, R17 - MOVD $48, R18 - - LXVDSX (R1)(R18), SEL1 - VSPLTB $7, SEL1, IDX // splat byte - - VSPLTISB $1, ONE // Vector with byte 1s - VSPLTISB $1, SEL2 // Vector with byte 1s - MOVD $32, COUNT // len(p256AffineTable) - MOVD COUNT, CTR // loop count - - VSPLTISB $0, X1H // VZERO X1H - VSPLTISB $0, X1L // VZERO X1L - VSPLTISB $0, Y1H // VZERO Y1H - VSPLTISB $0, Y1L // VZERO Y1L - -loop_select: - LXVD2X (P1ptr+R0), X2H - LXVD2X (P1ptr+R16), X2L - LXVD2X (P1ptr+R17), Y2H - LXVD2X (P1ptr+R18), Y2L - - VCMPEQUD SEL2, IDX, SEL1 // Compare against idx - - VSEL X1L, X2L, SEL1, X1L // Select if idx matched - VSEL X1H, X2H, SEL1, X1H - VSEL Y1L, Y2L, SEL1, Y1L - VSEL Y1H, Y2H, SEL1, Y1H - - VADDUBM SEL2, ONE, SEL2 // Increment SEL2 bytes by 1 - ADD $64, P1ptr // Next chunk - BDNZ loop_select - - STXVD2X X1H, (P3ptr+R0) - STXVD2X X1L, (P3ptr+R16) - STXVD2X Y1H, (P3ptr+R17) - STXVD2X Y1L, (P3ptr+R18) - RET - -#undef P3ptr -#undef P1ptr -#undef COUNT -#undef X1L -#undef X1H -#undef Y1L -#undef Y1H -#undef Z1L -#undef Z1H -#undef X2L -#undef X2H -#undef Y2L -#undef Y2H -#undef Z2L -#undef Z2H -#undef ONE -#undef IDX -#undef SEL1 -#undef SEL2 - -#define res_ptr R3 -#define x_ptr R4 -#define CPOOL R7 - -#define T0 V0 -#define T1 V1 -#define T2 V2 -#define TT0 V3 -#define TT1 V4 - -#define ZER V6 -#define SEL1 V7 -#define SEL2 V8 -#define CAR1 V9 -#define CAR2 V10 -#define RED1 V11 -#define RED2 V12 -#define PL V13 -#define PH V14 - -// func p256FromMont(res, in *p256Element) -TEXT ·p256FromMont(SB), NOSPLIT, $0-16 - MOVD res+0(FP), res_ptr - MOVD in+8(FP), x_ptr - - MOVD $16, R16 - MOVD $32, R17 - MOVD $48, R18 - MOVD $64, R19 - MOVD $p256<>+0x00(SB), CPOOL - - VSPLTISB $0, T2 // VZERO T2 - VSPLTISB $0, ZER // VZERO ZER - - // Constants are defined so that the LXVD2X is correct - LXVD2X (CPOOL+R0), PH - LXVD2X (CPOOL+R16), PL - - // VPERM byte selections - LXVD2X (CPOOL+R18), SEL2 - LXVD2X (CPOOL+R19), SEL1 - - LXVD2X (R16)(x_ptr), T1 - LXVD2X (R0)(x_ptr), T0 - - // Put in true little endian order - XXPERMDI T0, T0, $2, T0 - XXPERMDI T1, T1, $2, T1 - - // First round - VPERM T1, T0, SEL1, RED2 // d1 d0 d1 d0 - VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 - VSUBUQM RED2, RED1, RED2 // VSQ RED1, RED2, RED2 // Guaranteed not to underflow - - VSLDOI $8, T1, T0, T0 // VSLDB $8, T1, T0, T0 - VSLDOI $8, T2, T1, T1 // VSLDB $8, T2, T1, T1 - - VADDCUQ T0, RED1, CAR1 // VACCQ T0, RED1, CAR1 - VADDUQM T0, RED1, T0 // VAQ T0, RED1, T0 - VADDECUQ T1, RED2, CAR1, CAR2 // VACCCQ T1, RED2, CAR1, CAR2 - VADDEUQM T1, RED2, CAR1, T1 // VACQ T1, RED2, CAR1, T1 - VADDUQM T2, CAR2, T2 // VAQ T2, CAR2, T2 - - // Second round - VPERM T1, T0, SEL1, RED2 // d1 d0 d1 d0 - VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 - VSUBUQM RED2, RED1, RED2 // VSQ RED1, RED2, RED2 // Guaranteed not to underflow - - VSLDOI $8, T1, T0, T0 // VSLDB $8, T1, T0, T0 - VSLDOI $8, T2, T1, T1 // VSLDB $8, T2, T1, T1 - - VADDCUQ T0, RED1, CAR1 // VACCQ T0, RED1, CAR1 - VADDUQM T0, RED1, T0 // VAQ T0, RED1, T0 - VADDECUQ T1, RED2, CAR1, CAR2 // VACCCQ T1, RED2, CAR1, CAR2 - VADDEUQM T1, RED2, CAR1, T1 // VACQ T1, RED2, CAR1, T1 - VADDUQM T2, CAR2, T2 // VAQ T2, CAR2, T2 - - // Third round - VPERM T1, T0, SEL1, RED2 // d1 d0 d1 d0 - VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 - VSUBUQM RED2, RED1, RED2 // VSQ RED1, RED2, RED2 // Guaranteed not to underflow - - VSLDOI $8, T1, T0, T0 // VSLDB $8, T1, T0, T0 - VSLDOI $8, T2, T1, T1 // VSLDB $8, T2, T1, T1 - - VADDCUQ T0, RED1, CAR1 // VACCQ T0, RED1, CAR1 - VADDUQM T0, RED1, T0 // VAQ T0, RED1, T0 - VADDECUQ T1, RED2, CAR1, CAR2 // VACCCQ T1, RED2, CAR1, CAR2 - VADDEUQM T1, RED2, CAR1, T1 // VACQ T1, RED2, CAR1, T1 - VADDUQM T2, CAR2, T2 // VAQ T2, CAR2, T2 - - // Last round - VPERM T1, T0, SEL1, RED2 // d1 d0 d1 d0 - VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 - VSUBUQM RED2, RED1, RED2 // VSQ RED1, RED2, RED2 // Guaranteed not to underflow - - VSLDOI $8, T1, T0, T0 // VSLDB $8, T1, T0, T0 - VSLDOI $8, T2, T1, T1 // VSLDB $8, T2, T1, T1 - - VADDCUQ T0, RED1, CAR1 // VACCQ T0, RED1, CAR1 - VADDUQM T0, RED1, T0 // VAQ T0, RED1, T0 - VADDECUQ T1, RED2, CAR1, CAR2 // VACCCQ T1, RED2, CAR1, CAR2 - VADDEUQM T1, RED2, CAR1, T1 // VACQ T1, RED2, CAR1, T1 - VADDUQM T2, CAR2, T2 // VAQ T2, CAR2, T2 - - // --------------------------------------------------- - - VSUBCUQ T0, PL, CAR1 // VSCBIQ PL, T0, CAR1 - VSUBUQM T0, PL, TT0 // VSQ PL, T0, TT0 - VSUBECUQ T1, PH, CAR1, CAR2 // VSBCBIQ T1, PH, CAR1, CAR2 - VSUBEUQM T1, PH, CAR1, TT1 // VSBIQ T1, PH, CAR1, TT1 - VSUBEUQM T2, ZER, CAR2, T2 // VSBIQ T2, ZER, CAR2, T2 - - VSEL TT0, T0, T2, T0 - VSEL TT1, T1, T2, T1 - - // Reorder the bytes so STXVD2X can be used. - // TT0, TT1 used for VPERM result in case - // the caller expects T0, T1 to be good. - XXPERMDI T0, T0, $2, TT0 - XXPERMDI T1, T1, $2, TT1 - - STXVD2X TT0, (R0)(res_ptr) - STXVD2X TT1, (R16)(res_ptr) - RET - -#undef res_ptr -#undef x_ptr -#undef CPOOL -#undef T0 -#undef T1 -#undef T2 -#undef TT0 -#undef TT1 -#undef ZER -#undef SEL1 -#undef SEL2 -#undef CAR1 -#undef CAR2 -#undef RED1 -#undef RED2 -#undef PL -#undef PH - -// --------------------------------------- -// p256MulInternal -// V0-V3 V30,V31 - Not Modified -// V4-V15 V27-V29 - Volatile - -#define CPOOL R7 - -// Parameters -#define X0 V0 // Not modified -#define X1 V1 // Not modified -#define Y0 V2 // Not modified -#define Y1 V3 // Not modified -#define T0 V4 // Result -#define T1 V5 // Result -#define P0 V30 // Not modified -#define P1 V31 // Not modified - -// Temporaries: lots of reused vector regs -#define YDIG V6 // Overloaded with CAR2 -#define ADD1H V7 // Overloaded with ADD3H -#define ADD2H V8 // Overloaded with ADD4H -#define ADD3 V9 // Overloaded with SEL2,SEL5 -#define ADD4 V10 // Overloaded with SEL3,SEL6 -#define RED1 V11 // Overloaded with CAR2 -#define RED2 V12 -#define RED3 V13 // Overloaded with SEL1 -#define T2 V14 -// Overloaded temporaries -#define ADD1 V4 // Overloaded with T0 -#define ADD2 V5 // Overloaded with T1 -#define ADD3H V7 // Overloaded with ADD1H -#define ADD4H V8 // Overloaded with ADD2H -#define ZER V28 // Overloaded with TMP1 -#define CAR1 V6 // Overloaded with YDIG -#define CAR2 V11 // Overloaded with RED1 -// Constant Selects -#define SEL1 V13 // Overloaded with RED3 -#define SEL2 V9 // Overloaded with ADD3,SEL5 -#define SEL3 V10 // Overloaded with ADD4,SEL6 -#define SEL4 V6 // Overloaded with YDIG,CAR1 -#define SEL5 V9 // Overloaded with ADD3,SEL2 -#define SEL6 V10 // Overloaded with ADD4,SEL3 - -// TMP1, TMP2 used in -// VMULT macros -#define TMP1 V13 // Overloaded with RED3 -#define TMP2 V27 -#define ONE V29 // 1s splatted by word - -/* * - * To follow the flow of bits, for your own sanity a stiff drink, need you shall. - * Of a single round, a 'helpful' picture, here is. Meaning, column position has. - * With you, SIMD be... - * - * +--------+--------+ - * +--------| RED2 | RED1 | - * | +--------+--------+ - * | ---+--------+--------+ - * | +---- T2| T1 | T0 |--+ - * | | ---+--------+--------+ | - * | | | - * | | ======================= | - * | | | - * | | +--------+--------+<-+ - * | +-------| ADD2 | ADD1 |--|-----+ - * | | +--------+--------+ | | - * | | +--------+--------+<---+ | - * | | | ADD2H | ADD1H |--+ | - * | | +--------+--------+ | | - * | | +--------+--------+<-+ | - * | | | ADD4 | ADD3 |--|-+ | - * | | +--------+--------+ | | | - * | | +--------+--------+<---+ | | - * | | | ADD4H | ADD3H |------|-+ |(+vzero) - * | | +--------+--------+ | | V - * | | ------------------------ | | +--------+ - * | | | | | RED3 | [d0 0 0 d0] - * | | | | +--------+ - * | +---->+--------+--------+ | | | - * (T2[1w]||ADD2[4w]||ADD1[3w]) +--------| T1 | T0 | | | | - * | +--------+--------+ | | | - * +---->---+--------+--------+ | | | - * T2| T1 | T0 |----+ | | - * ---+--------+--------+ | | | - * ---+--------+--------+<---+ | | - * +--- T2| T1 | T0 |----------+ - * | ---+--------+--------+ | | - * | +--------+--------+<-------------+ - * | | RED2 | RED1 |-----+ | | [0 d1 d0 d1] [d0 0 d1 d0] - * | +--------+--------+ | | | - * | +--------+<----------------------+ - * | | RED3 |--------------+ | [0 0 d1 d0] - * | +--------+ | | - * +--->+--------+--------+ | | - * | T1 | T0 |--------+ - * +--------+--------+ | | - * --------------------------- | | - * | | - * +--------+--------+<----+ | - * | RED2 | RED1 | | - * +--------+--------+ | - * ---+--------+--------+<-------+ - * T2| T1 | T0 | (H1P-H1P-H00RRAY!) - * ---+--------+--------+ - * - * *Mi obra de arte de siglo XXI @vpaprots - * - * - * First group is special, doesn't get the two inputs: - * +--------+--------+<-+ - * +-------| ADD2 | ADD1 |--|-----+ - * | +--------+--------+ | | - * | +--------+--------+<---+ | - * | | ADD2H | ADD1H |--+ | - * | +--------+--------+ | | - * | +--------+--------+<-+ | - * | | ADD4 | ADD3 |--|-+ | - * | +--------+--------+ | | | - * | +--------+--------+<---+ | | - * | | ADD4H | ADD3H |------|-+ |(+vzero) - * | +--------+--------+ | | V - * | ------------------------ | | +--------+ - * | | | | RED3 | [d0 0 0 d0] - * | | | +--------+ - * +---->+--------+--------+ | | | - * (T2[1w]||ADD2[4w]||ADD1[3w]) | T1 | T0 |----+ | | - * +--------+--------+ | | | - * ---+--------+--------+<---+ | | - * +--- T2| T1 | T0 |----------+ - * | ---+--------+--------+ | | - * | +--------+--------+<-------------+ - * | | RED2 | RED1 |-----+ | | [0 d1 d0 d1] [d0 0 d1 d0] - * | +--------+--------+ | | | - * | +--------+<----------------------+ - * | | RED3 |--------------+ | [0 0 d1 d0] - * | +--------+ | | - * +--->+--------+--------+ | | - * | T1 | T0 |--------+ - * +--------+--------+ | | - * --------------------------- | | - * | | - * +--------+--------+<----+ | - * | RED2 | RED1 | | - * +--------+--------+ | - * ---+--------+--------+<-------+ - * T2| T1 | T0 | (H1P-H1P-H00RRAY!) - * ---+--------+--------+ - * - * Last 'group' needs to RED2||RED1 shifted less - */ -TEXT p256MulInternal<>(SB), NOSPLIT, $0-16 - // CPOOL loaded from caller - MOVD $16, R16 - MOVD $32, R17 - MOVD $48, R18 - MOVD $64, R19 - MOVD $80, R20 - MOVD $96, R21 - MOVD $112, R22 - - // --------------------------------------------------- - - VSPLTW $3, Y0, YDIG // VREPF Y0 is input - - // VMLHF X0, YDIG, ADD1H - // VMLHF X1, YDIG, ADD2H - // VMLF X0, YDIG, ADD1 - // VMLF X1, YDIG, ADD2 - // - VMULT(X0, YDIG, ADD1, ADD1H) - VMULT(X1, YDIG, ADD2, ADD2H) - - VSPLTISW $1, ONE - VSPLTW $2, Y0, YDIG // VREPF - - // VMALF X0, YDIG, ADD1H, ADD3 - // VMALF X1, YDIG, ADD2H, ADD4 - // VMALHF X0, YDIG, ADD1H, ADD3H // ADD1H Free - // VMALHF X1, YDIG, ADD2H, ADD4H // ADD2H Free - VMULT_ADD(X0, YDIG, ADD1H, ONE, ADD3, ADD3H) - VMULT_ADD(X1, YDIG, ADD2H, ONE, ADD4, ADD4H) - - LXVD2X (R17)(CPOOL), SEL1 - VSPLTISB $0, ZER // VZERO ZER - VPERM ZER, ADD1, SEL1, RED3 // [d0 0 0 d0] - - VSLDOI $12, ADD2, ADD1, T0 // ADD1 Free // VSLDB - VSLDOI $12, ZER, ADD2, T1 // ADD2 Free // VSLDB - - VADDCUQ T0, ADD3, CAR1 // VACCQ - VADDUQM T0, ADD3, T0 // ADD3 Free // VAQ - VADDECUQ T1, ADD4, CAR1, T2 // VACCCQ - VADDEUQM T1, ADD4, CAR1, T1 // ADD4 Free // VACQ - - LXVD2X (R18)(CPOOL), SEL2 - LXVD2X (R19)(CPOOL), SEL3 - LXVD2X (R20)(CPOOL), SEL4 - VPERM RED3, T0, SEL2, RED1 // [d0 0 d1 d0] - VPERM RED3, T0, SEL3, RED2 // [ 0 d1 d0 d1] - VPERM RED3, T0, SEL4, RED3 // [ 0 0 d1 d0] - VSUBUQM RED2, RED3, RED2 // Guaranteed not to underflow -->? // VSQ - - VSLDOI $12, T1, T0, T0 // VSLDB - VSLDOI $12, T2, T1, T1 // VSLDB - - VADDCUQ T0, ADD3H, CAR1 // VACCQ - VADDUQM T0, ADD3H, T0 // VAQ - VADDECUQ T1, ADD4H, CAR1, T2 // VACCCQ - VADDEUQM T1, ADD4H, CAR1, T1 // VACQ - - // --------------------------------------------------- - - VSPLTW $1, Y0, YDIG // VREPF - - // VMALHF X0, YDIG, T0, ADD1H - // VMALHF X1, YDIG, T1, ADD2H - // VMALF X0, YDIG, T0, ADD1 // T0 Free->ADD1 - // VMALF X1, YDIG, T1, ADD2 // T1 Free->ADD2 - VMULT_ADD(X0, YDIG, T0, ONE, ADD1, ADD1H) - VMULT_ADD(X1, YDIG, T1, ONE, ADD2, ADD2H) - - VSPLTW $0, Y0, YDIG // VREPF - - // VMALF X0, YDIG, ADD1H, ADD3 - // VMALF X1, YDIG, ADD2H, ADD4 - // VMALHF X0, YDIG, ADD1H, ADD3H // ADD1H Free->ADD3H - // VMALHF X1, YDIG, ADD2H, ADD4H // ADD2H Free->ADD4H , YDIG Free->ZER - VMULT_ADD(X0, YDIG, ADD1H, ONE, ADD3, ADD3H) - VMULT_ADD(X1, YDIG, ADD2H, ONE, ADD4, ADD4H) - - VSPLTISB $0, ZER // VZERO ZER - LXVD2X (R17)(CPOOL), SEL1 - VPERM ZER, ADD1, SEL1, RED3 // [d0 0 0 d0] - - VSLDOI $12, ADD2, ADD1, T0 // ADD1 Free->T0 // VSLDB - VSLDOI $12, T2, ADD2, T1 // ADD2 Free->T1, T2 Free // VSLDB - - VADDCUQ T0, RED1, CAR1 // VACCQ - VADDUQM T0, RED1, T0 // VAQ - VADDECUQ T1, RED2, CAR1, T2 // VACCCQ - VADDEUQM T1, RED2, CAR1, T1 // VACQ - - VADDCUQ T0, ADD3, CAR1 // VACCQ - VADDUQM T0, ADD3, T0 // VAQ - VADDECUQ T1, ADD4, CAR1, CAR2 // VACCCQ - VADDEUQM T1, ADD4, CAR1, T1 // VACQ - VADDUQM T2, CAR2, T2 // VAQ - - LXVD2X (R18)(CPOOL), SEL2 - LXVD2X (R19)(CPOOL), SEL3 - LXVD2X (R20)(CPOOL), SEL4 - VPERM RED3, T0, SEL2, RED1 // [d0 0 d1 d0] - VPERM RED3, T0, SEL3, RED2 // [ 0 d1 d0 d1] - VPERM RED3, T0, SEL4, RED3 // [ 0 0 d1 d0] - VSUBUQM RED2, RED3, RED2 // Guaranteed not to underflow // VSQ - - VSLDOI $12, T1, T0, T0 // VSLDB - VSLDOI $12, T2, T1, T1 // VSLDB - - VADDCUQ T0, ADD3H, CAR1 // VACCQ - VADDUQM T0, ADD3H, T0 // VAQ - VADDECUQ T1, ADD4H, CAR1, T2 // VACCCQ - VADDEUQM T1, ADD4H, CAR1, T1 // VACQ - - // --------------------------------------------------- - - VSPLTW $3, Y1, YDIG // VREPF - - // VMALHF X0, YDIG, T0, ADD1H - // VMALHF X1, YDIG, T1, ADD2H - // VMALF X0, YDIG, T0, ADD1 - // VMALF X1, YDIG, T1, ADD2 - VMULT_ADD(X0, YDIG, T0, ONE, ADD1, ADD1H) - VMULT_ADD(X1, YDIG, T1, ONE, ADD2, ADD2H) - - VSPLTW $2, Y1, YDIG // VREPF - - // VMALF X0, YDIG, ADD1H, ADD3 - // VMALF X1, YDIG, ADD2H, ADD4 - // VMALHF X0, YDIG, ADD1H, ADD3H // ADD1H Free - // VMALHF X1, YDIG, ADD2H, ADD4H // ADD2H Free - VMULT_ADD(X0, YDIG, ADD1H, ONE, ADD3, ADD3H) - VMULT_ADD(X1, YDIG, ADD2H, ONE, ADD4, ADD4H) - - LXVD2X (R17)(CPOOL), SEL1 - VSPLTISB $0, ZER // VZERO ZER - LXVD2X (R17)(CPOOL), SEL1 - VPERM ZER, ADD1, SEL1, RED3 // [d0 0 0 d0] - - VSLDOI $12, ADD2, ADD1, T0 // ADD1 Free // VSLDB - VSLDOI $12, T2, ADD2, T1 // ADD2 Free // VSLDB - - VADDCUQ T0, RED1, CAR1 // VACCQ - VADDUQM T0, RED1, T0 // VAQ - VADDECUQ T1, RED2, CAR1, T2 // VACCCQ - VADDEUQM T1, RED2, CAR1, T1 // VACQ - - VADDCUQ T0, ADD3, CAR1 // VACCQ - VADDUQM T0, ADD3, T0 // VAQ - VADDECUQ T1, ADD4, CAR1, CAR2 // VACCCQ - VADDEUQM T1, ADD4, CAR1, T1 // VACQ - VADDUQM T2, CAR2, T2 // VAQ - - LXVD2X (R18)(CPOOL), SEL2 - LXVD2X (R19)(CPOOL), SEL3 - LXVD2X (R20)(CPOOL), SEL4 - VPERM RED3, T0, SEL2, RED1 // [d0 0 d1 d0] - VPERM RED3, T0, SEL3, RED2 // [ 0 d1 d0 d1] - VPERM RED3, T0, SEL4, RED3 // [ 0 0 d1 d0] - VSUBUQM RED2, RED3, RED2 // Guaranteed not to underflow // VSQ - - VSLDOI $12, T1, T0, T0 // VSLDB - VSLDOI $12, T2, T1, T1 // VSLDB - - VADDCUQ T0, ADD3H, CAR1 // VACCQ - VADDUQM T0, ADD3H, T0 // VAQ - VADDECUQ T1, ADD4H, CAR1, T2 // VACCCQ - VADDEUQM T1, ADD4H, CAR1, T1 // VACQ - - // --------------------------------------------------- - - VSPLTW $1, Y1, YDIG // VREPF - - // VMALHF X0, YDIG, T0, ADD1H - // VMALHF X1, YDIG, T1, ADD2H - // VMALF X0, YDIG, T0, ADD1 - // VMALF X1, YDIG, T1, ADD2 - VMULT_ADD(X0, YDIG, T0, ONE, ADD1, ADD1H) - VMULT_ADD(X1, YDIG, T1, ONE, ADD2, ADD2H) - - VSPLTW $0, Y1, YDIG // VREPF - - // VMALF X0, YDIG, ADD1H, ADD3 - // VMALF X1, YDIG, ADD2H, ADD4 - // VMALHF X0, YDIG, ADD1H, ADD3H - // VMALHF X1, YDIG, ADD2H, ADD4H - VMULT_ADD(X0, YDIG, ADD1H, ONE, ADD3, ADD3H) - VMULT_ADD(X1, YDIG, ADD2H, ONE, ADD4, ADD4H) - - VSPLTISB $0, ZER // VZERO ZER - LXVD2X (R17)(CPOOL), SEL1 - VPERM ZER, ADD1, SEL1, RED3 // [d0 0 0 d0] - - VSLDOI $12, ADD2, ADD1, T0 // VSLDB - VSLDOI $12, T2, ADD2, T1 // VSLDB - - VADDCUQ T0, RED1, CAR1 // VACCQ - VADDUQM T0, RED1, T0 // VAQ - VADDECUQ T1, RED2, CAR1, T2 // VACCCQ - VADDEUQM T1, RED2, CAR1, T1 // VACQ - - VADDCUQ T0, ADD3, CAR1 // VACCQ - VADDUQM T0, ADD3, T0 // VAQ - VADDECUQ T1, ADD4, CAR1, CAR2 // VACCCQ - VADDEUQM T1, ADD4, CAR1, T1 // VACQ - VADDUQM T2, CAR2, T2 // VAQ - - LXVD2X (R21)(CPOOL), SEL5 - LXVD2X (R22)(CPOOL), SEL6 - VPERM T0, RED3, SEL5, RED2 // [d1 d0 d1 d0] - VPERM T0, RED3, SEL6, RED1 // [ 0 d1 d0 0] - VSUBUQM RED2, RED1, RED2 // Guaranteed not to underflow // VSQ - - VSLDOI $12, T1, T0, T0 // VSLDB - VSLDOI $12, T2, T1, T1 // VSLDB - - VADDCUQ T0, ADD3H, CAR1 // VACCQ - VADDUQM T0, ADD3H, T0 // VAQ - VADDECUQ T1, ADD4H, CAR1, T2 // VACCCQ - VADDEUQM T1, ADD4H, CAR1, T1 // VACQ - - VADDCUQ T0, RED1, CAR1 // VACCQ - VADDUQM T0, RED1, T0 // VAQ - VADDECUQ T1, RED2, CAR1, CAR2 // VACCCQ - VADDEUQM T1, RED2, CAR1, T1 // VACQ - VADDUQM T2, CAR2, T2 // VAQ - - // --------------------------------------------------- - - VSPLTISB $0, RED3 // VZERO RED3 - VSUBCUQ T0, P0, CAR1 // VSCBIQ - VSUBUQM T0, P0, ADD1H // VSQ - VSUBECUQ T1, P1, CAR1, CAR2 // VSBCBIQ - VSUBEUQM T1, P1, CAR1, ADD2H // VSBIQ - VSUBEUQM T2, RED3, CAR2, T2 // VSBIQ - - // what output to use, ADD2H||ADD1H or T1||T0? - VSEL ADD1H, T0, T2, T0 - VSEL ADD2H, T1, T2, T1 - RET - -#undef CPOOL - -#undef X0 -#undef X1 -#undef Y0 -#undef Y1 -#undef T0 -#undef T1 -#undef P0 -#undef P1 - -#undef SEL1 -#undef SEL2 -#undef SEL3 -#undef SEL4 -#undef SEL5 -#undef SEL6 - -#undef YDIG -#undef ADD1H -#undef ADD2H -#undef ADD3 -#undef ADD4 -#undef RED1 -#undef RED2 -#undef RED3 -#undef T2 -#undef ADD1 -#undef ADD2 -#undef ADD3H -#undef ADD4H -#undef ZER -#undef CAR1 -#undef CAR2 - -#undef TMP1 -#undef TMP2 - -#define p256SubInternal(T1, T0, X1, X0, Y1, Y0) \ - VSPLTISB $0, ZER \ // VZERO - VSUBCUQ X0, Y0, CAR1 \ - VSUBUQM X0, Y0, T0 \ - VSUBECUQ X1, Y1, CAR1, SEL1 \ - VSUBEUQM X1, Y1, CAR1, T1 \ - VSUBUQM ZER, SEL1, SEL1 \ // VSQ - \ - VADDCUQ T0, PL, CAR1 \ // VACCQ - VADDUQM T0, PL, TT0 \ // VAQ - VADDEUQM T1, PH, CAR1, TT1 \ // VACQ - \ - VSEL TT0, T0, SEL1, T0 \ - VSEL TT1, T1, SEL1, T1 \ - -#define p256AddInternal(T1, T0, X1, X0, Y1, Y0) \ - VADDCUQ X0, Y0, CAR1 \ - VADDUQM X0, Y0, T0 \ - VADDECUQ X1, Y1, CAR1, T2 \ // VACCCQ - VADDEUQM X1, Y1, CAR1, T1 \ - \ - VSPLTISB $0, ZER \ - VSUBCUQ T0, PL, CAR1 \ // VSCBIQ - VSUBUQM T0, PL, TT0 \ - VSUBECUQ T1, PH, CAR1, CAR2 \ // VSBCBIQ - VSUBEUQM T1, PH, CAR1, TT1 \ // VSBIQ - VSUBEUQM T2, ZER, CAR2, SEL1 \ - \ - VSEL TT0, T0, SEL1, T0 \ - VSEL TT1, T1, SEL1, T1 - -#define p256HalfInternal(T1, T0, X1, X0) \ - VSPLTISB $0, ZER \ - VSUBEUQM ZER, ZER, X0, SEL1 \ - \ - VADDCUQ X0, PL, CAR1 \ - VADDUQM X0, PL, T0 \ - VADDECUQ X1, PH, CAR1, T2 \ - VADDEUQM X1, PH, CAR1, T1 \ - \ - VSEL T0, X0, SEL1, T0 \ - VSEL T1, X1, SEL1, T1 \ - VSEL T2, ZER, SEL1, T2 \ - \ - VSLDOI $15, T2, ZER, TT1 \ - VSLDOI $15, T1, ZER, TT0 \ - VSPLTISB $1, SEL1 \ - VSR T0, SEL1, T0 \ // VSRL - VSR T1, SEL1, T1 \ - VSPLTISB $7, SEL1 \ // VREPIB - VSL TT0, SEL1, TT0 \ - VSL TT1, SEL1, TT1 \ - VOR T0, TT0, T0 \ - VOR T1, TT1, T1 - -#define res_ptr R3 -#define x_ptr R4 -#define y_ptr R5 -#define CPOOL R7 -#define TEMP R8 -#define N R9 - -// Parameters -#define X0 V0 -#define X1 V1 -#define Y0 V2 -#define Y1 V3 -#define T0 V4 -#define T1 V5 - -// Constants -#define P0 V30 -#define P1 V31 -// func p256MulAsm(res, in1, in2 *p256Element) -TEXT ·p256Mul(SB), NOSPLIT, $0-24 - MOVD res+0(FP), res_ptr - MOVD in1+8(FP), x_ptr - MOVD in2+16(FP), y_ptr - MOVD $16, R16 - MOVD $32, R17 - - MOVD $p256mul<>+0x00(SB), CPOOL - - - LXVD2X (R0)(x_ptr), X0 - LXVD2X (R16)(x_ptr), X1 - - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - - LXVD2X (R0)(y_ptr), Y0 - LXVD2X (R16)(y_ptr), Y1 - - XXPERMDI Y0, Y0, $2, Y0 - XXPERMDI Y1, Y1, $2, Y1 - - LXVD2X (R16)(CPOOL), P1 - LXVD2X (R0)(CPOOL), P0 - - CALL p256MulInternal<>(SB) - - MOVD $p256mul<>+0x00(SB), CPOOL - - XXPERMDI T0, T0, $2, T0 - XXPERMDI T1, T1, $2, T1 - STXVD2X T0, (R0)(res_ptr) - STXVD2X T1, (R16)(res_ptr) - RET - -// func p256Sqr(res, in *p256Element, n int) -TEXT ·p256Sqr(SB), NOSPLIT, $0-24 - MOVD res+0(FP), res_ptr - MOVD in+8(FP), x_ptr - MOVD $16, R16 - MOVD $32, R17 - - MOVD $p256mul<>+0x00(SB), CPOOL - - LXVD2X (R0)(x_ptr), X0 - LXVD2X (R16)(x_ptr), X1 - - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - -sqrLoop: - // Sqr uses same value for both - - VOR X0, X0, Y0 - VOR X1, X1, Y1 - - LXVD2X (R16)(CPOOL), P1 - LXVD2X (R0)(CPOOL), P0 - - CALL p256MulInternal<>(SB) - - MOVD n+16(FP), N - ADD $-1, N - CMP $0, N - BEQ done - MOVD N, n+16(FP) // Save counter to avoid clobber - VOR T0, T0, X0 - VOR T1, T1, X1 - BR sqrLoop - -done: - MOVD $p256mul<>+0x00(SB), CPOOL - - XXPERMDI T0, T0, $2, T0 - XXPERMDI T1, T1, $2, T1 - STXVD2X T0, (R0)(res_ptr) - STXVD2X T1, (R16)(res_ptr) - RET - -#undef res_ptr -#undef x_ptr -#undef y_ptr -#undef CPOOL - -#undef X0 -#undef X1 -#undef Y0 -#undef Y1 -#undef T0 -#undef T1 -#undef P0 -#undef P1 - -#define P3ptr R3 -#define P1ptr R4 -#define P2ptr R5 -#define CPOOL R7 - -// Temporaries in REGs -#define Y2L V15 -#define Y2H V16 -#define T1L V17 -#define T1H V18 -#define T2L V19 -#define T2H V20 -#define T3L V21 -#define T3H V22 -#define T4L V23 -#define T4H V24 - -// Temps for Sub and Add -#define TT0 V11 -#define TT1 V12 -#define T2 V13 - -// p256MulAsm Parameters -#define X0 V0 -#define X1 V1 -#define Y0 V2 -#define Y1 V3 -#define T0 V4 -#define T1 V5 - -#define PL V30 -#define PH V31 - -// Names for zero/sel selects -#define X1L V0 -#define X1H V1 -#define Y1L V2 // p256MulAsmParmY -#define Y1H V3 // p256MulAsmParmY -#define Z1L V4 -#define Z1H V5 -#define X2L V0 -#define X2H V1 -#define Z2L V4 -#define Z2H V5 -#define X3L V17 // T1L -#define X3H V18 // T1H -#define Y3L V21 // T3L -#define Y3H V22 // T3H -#define Z3L V25 -#define Z3H V26 - -#define ZER V6 -#define SEL1 V7 -#define CAR1 V8 -#define CAR2 V9 -/* * - * Three operand formula: - * Source: 2004 Hankerson–Menezes–Vanstone, page 91. - * T1 = Z1² - * T2 = T1*Z1 - * T1 = T1*X2 - * T2 = T2*Y2 - * T1 = T1-X1 - * T2 = T2-Y1 - * Z3 = Z1*T1 - * T3 = T1² - * T4 = T3*T1 - * T3 = T3*X1 - * T1 = 2*T3 - * X3 = T2² - * X3 = X3-T1 - * X3 = X3-T4 - * T3 = T3-X3 - * T3 = T3*T2 - * T4 = T4*Y1 - * Y3 = T3-T4 - - * Three operand formulas, but with MulInternal X,Y used to store temps -X=Z1; Y=Z1; MUL;T- // T1 = Z1² T1 -X=T ; Y- ; MUL;T2=T // T2 = T1*Z1 T1 T2 -X- ; Y=X2; MUL;T1=T // T1 = T1*X2 T1 T2 -X=T2; Y=Y2; MUL;T- // T2 = T2*Y2 T1 T2 -SUB(T2<T-Y1) // T2 = T2-Y1 T1 T2 -SUB(Y<T1-X1) // T1 = T1-X1 T1 T2 -X=Z1; Y- ; MUL;Z3:=T// Z3 = Z1*T1 T2 -X=Y; Y- ; MUL;X=T // T3 = T1*T1 T2 -X- ; Y- ; MUL;T4=T // T4 = T3*T1 T2 T4 -X- ; Y=X1; MUL;T3=T // T3 = T3*X1 T2 T3 T4 -ADD(T1<T+T) // T1 = T3+T3 T1 T2 T3 T4 -X=T2; Y=T2; MUL;T- // X3 = T2*T2 T1 T2 T3 T4 -SUB(T<T-T1) // X3 = X3-T1 T1 T2 T3 T4 -SUB(T<T-T4) X3:=T // X3 = X3-T4 T2 T3 T4 -SUB(X<T3-T) // T3 = T3-X3 T2 T3 T4 -X- ; Y- ; MUL;T3=T // T3 = T3*T2 T2 T3 T4 -X=T4; Y=Y1; MUL;T- // T4 = T4*Y1 T3 T4 -SUB(T<T3-T) Y3:=T // Y3 = T3-T4 T3 T4 - - */ -// -// V27 is clobbered by p256MulInternal so must be -// saved in a temp. -// -// func p256PointAddAffineAsm(res, in1 *P256Point, in2 *p256AffinePoint, sign, sel, zero int) -TEXT ·p256PointAddAffineAsm(SB), NOSPLIT, $16-48 - MOVD res+0(FP), P3ptr - MOVD in1+8(FP), P1ptr - MOVD in2+16(FP), P2ptr - - MOVD $p256mul<>+0x00(SB), CPOOL - - MOVD $16, R16 - MOVD $32, R17 - MOVD $48, R18 - MOVD $64, R19 - MOVD $80, R20 - MOVD $96, R21 - MOVD $112, R22 - MOVD $128, R23 - MOVD $144, R24 - MOVD $160, R25 - MOVD $104, R26 // offset of sign+24(FP) - - LXVD2X (R16)(CPOOL), PH - LXVD2X (R0)(CPOOL), PL - - LXVD2X (R17)(P2ptr), Y2L - LXVD2X (R18)(P2ptr), Y2H - XXPERMDI Y2H, Y2H, $2, Y2H - XXPERMDI Y2L, Y2L, $2, Y2L - - // Equivalent of VLREPG sign+24(FP), SEL1 - LXVDSX (R1)(R26), SEL1 - VSPLTISB $0, ZER - VCMPEQUD SEL1, ZER, SEL1 - - VSUBCUQ PL, Y2L, CAR1 - VSUBUQM PL, Y2L, T1L - VSUBEUQM PH, Y2H, CAR1, T1H - - VSEL T1L, Y2L, SEL1, Y2L - VSEL T1H, Y2H, SEL1, Y2H - -/* * - * Three operand formula: - * Source: 2004 Hankerson–Menezes–Vanstone, page 91. - */ - // X=Z1; Y=Z1; MUL; T- // T1 = Z1² T1 - LXVD2X (R19)(P1ptr), X0 // Z1H - LXVD2X (R20)(P1ptr), X1 // Z1L - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - VOR X0, X0, Y0 - VOR X1, X1, Y1 - CALL p256MulInternal<>(SB) - - // X=T ; Y- ; MUL; T2=T // T2 = T1*Z1 T1 T2 - VOR T0, T0, X0 - VOR T1, T1, X1 - CALL p256MulInternal<>(SB) - VOR T0, T0, T2L - VOR T1, T1, T2H - - // X- ; Y=X2; MUL; T1=T // T1 = T1*X2 T1 T2 - MOVD in2+16(FP), P2ptr - LXVD2X (R0)(P2ptr), Y0 // X2H - LXVD2X (R16)(P2ptr), Y1 // X2L - XXPERMDI Y0, Y0, $2, Y0 - XXPERMDI Y1, Y1, $2, Y1 - CALL p256MulInternal<>(SB) - VOR T0, T0, T1L - VOR T1, T1, T1H - - // X=T2; Y=Y2; MUL; T- // T2 = T2*Y2 T1 T2 - VOR T2L, T2L, X0 - VOR T2H, T2H, X1 - VOR Y2L, Y2L, Y0 - VOR Y2H, Y2H, Y1 - CALL p256MulInternal<>(SB) - - // SUB(T2<T-Y1) // T2 = T2-Y1 T1 T2 - MOVD in1+8(FP), P1ptr - LXVD2X (R17)(P1ptr), Y1L - LXVD2X (R18)(P1ptr), Y1H - XXPERMDI Y1H, Y1H, $2, Y1H - XXPERMDI Y1L, Y1L, $2, Y1L - p256SubInternal(T2H,T2L,T1,T0,Y1H,Y1L) - - // SUB(Y<T1-X1) // T1 = T1-X1 T1 T2 - LXVD2X (R0)(P1ptr), X1L - LXVD2X (R16)(P1ptr), X1H - XXPERMDI X1H, X1H, $2, X1H - XXPERMDI X1L, X1L, $2, X1L - p256SubInternal(Y1,Y0,T1H,T1L,X1H,X1L) - - // X=Z1; Y- ; MUL; Z3:=T// Z3 = Z1*T1 T2 - LXVD2X (R19)(P1ptr), X0 // Z1H - LXVD2X (R20)(P1ptr), X1 // Z1L - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - CALL p256MulInternal<>(SB) - - VOR T0, T0, Z3L - VOR T1, T1, Z3H - - // X=Y; Y- ; MUL; X=T // T3 = T1*T1 T2 - VOR Y0, Y0, X0 - VOR Y1, Y1, X1 - CALL p256MulInternal<>(SB) - VOR T0, T0, X0 - VOR T1, T1, X1 - - // X- ; Y- ; MUL; T4=T // T4 = T3*T1 T2 T4 - CALL p256MulInternal<>(SB) - VOR T0, T0, T4L - VOR T1, T1, T4H - - // X- ; Y=X1; MUL; T3=T // T3 = T3*X1 T2 T3 T4 - MOVD in1+8(FP), P1ptr - LXVD2X (R0)(P1ptr), Y0 // X1H - LXVD2X (R16)(P1ptr), Y1 // X1L - XXPERMDI Y1, Y1, $2, Y1 - XXPERMDI Y0, Y0, $2, Y0 - CALL p256MulInternal<>(SB) - VOR T0, T0, T3L - VOR T1, T1, T3H - - // ADD(T1<T+T) // T1 = T3+T3 T1 T2 T3 T4 - p256AddInternal(T1H,T1L, T1,T0,T1,T0) - - // X=T2; Y=T2; MUL; T- // X3 = T2*T2 T1 T2 T3 T4 - VOR T2L, T2L, X0 - VOR T2H, T2H, X1 - VOR T2L, T2L, Y0 - VOR T2H, T2H, Y1 - CALL p256MulInternal<>(SB) - - // SUB(T<T-T1) // X3 = X3-T1 T1 T2 T3 T4 (T1 = X3) - p256SubInternal(T1,T0,T1,T0,T1H,T1L) - - // SUB(T<T-T4) X3:=T // X3 = X3-T4 T2 T3 T4 - p256SubInternal(T1,T0,T1,T0,T4H,T4L) - VOR T0, T0, X3L - VOR T1, T1, X3H - - // SUB(X<T3-T) // T3 = T3-X3 T2 T3 T4 - p256SubInternal(X1,X0,T3H,T3L,T1,T0) - - // X- ; Y- ; MUL; T3=T // T3 = T3*T2 T2 T3 T4 - CALL p256MulInternal<>(SB) - VOR T0, T0, T3L - VOR T1, T1, T3H - - // X=T4; Y=Y1; MUL; T- // T4 = T4*Y1 T3 T4 - VOR T4L, T4L, X0 - VOR T4H, T4H, X1 - MOVD in1+8(FP), P1ptr - LXVD2X (R17)(P1ptr), Y0 // Y1H - LXVD2X (R18)(P1ptr), Y1 // Y1L - XXPERMDI Y0, Y0, $2, Y0 - XXPERMDI Y1, Y1, $2, Y1 - CALL p256MulInternal<>(SB) - - // SUB(T<T3-T) Y3:=T // Y3 = T3-T4 T3 T4 (T3 = Y3) - p256SubInternal(Y3H,Y3L,T3H,T3L,T1,T0) - - // if (sel == 0) { - // copy(P3.x[:], X1) - // copy(P3.y[:], Y1) - // copy(P3.z[:], Z1) - // } - - LXVD2X (R0)(P1ptr), X1L - LXVD2X (R16)(P1ptr), X1H - XXPERMDI X1H, X1H, $2, X1H - XXPERMDI X1L, X1L, $2, X1L - - // Y1 already loaded, left over from addition - LXVD2X (R19)(P1ptr), Z1L - LXVD2X (R20)(P1ptr), Z1H - XXPERMDI Z1H, Z1H, $2, Z1H - XXPERMDI Z1L, Z1L, $2, Z1L - - MOVD $112, R26 // Get offset to sel+32 - LXVDSX (R1)(R26), SEL1 - VSPLTISB $0, ZER - VCMPEQUD SEL1, ZER, SEL1 - - VSEL X3L, X1L, SEL1, X3L - VSEL X3H, X1H, SEL1, X3H - VSEL Y3L, Y1L, SEL1, Y3L - VSEL Y3H, Y1H, SEL1, Y3H - VSEL Z3L, Z1L, SEL1, Z3L - VSEL Z3H, Z1H, SEL1, Z3H - - MOVD in2+16(FP), P2ptr - LXVD2X (R0)(P2ptr), X2L - LXVD2X (R16)(P2ptr), X2H - XXPERMDI X2H, X2H, $2, X2H - XXPERMDI X2L, X2L, $2, X2L - - // Y2 already loaded - LXVD2X (R23)(CPOOL), Z2L - LXVD2X (R24)(CPOOL), Z2H - - MOVD $120, R26 // Get the value from zero+40(FP) - LXVDSX (R1)(R26), SEL1 - VSPLTISB $0, ZER - VCMPEQUD SEL1, ZER, SEL1 - - VSEL X3L, X2L, SEL1, X3L - VSEL X3H, X2H, SEL1, X3H - VSEL Y3L, Y2L, SEL1, Y3L - VSEL Y3H, Y2H, SEL1, Y3H - VSEL Z3L, Z2L, SEL1, Z3L - VSEL Z3H, Z2H, SEL1, Z3H - - // Reorder the bytes so they can be stored using STXVD2X. - MOVD res+0(FP), P3ptr - XXPERMDI X3H, X3H, $2, X3H - XXPERMDI X3L, X3L, $2, X3L - XXPERMDI Y3H, Y3H, $2, Y3H - XXPERMDI Y3L, Y3L, $2, Y3L - XXPERMDI Z3H, Z3H, $2, Z3H - XXPERMDI Z3L, Z3L, $2, Z3L - STXVD2X X3L, (R0)(P3ptr) - STXVD2X X3H, (R16)(P3ptr) - STXVD2X Y3L, (R17)(P3ptr) - STXVD2X Y3H, (R18)(P3ptr) - STXVD2X Z3L, (R19)(P3ptr) - STXVD2X Z3H, (R20)(P3ptr) - - RET - -#undef P3ptr -#undef P1ptr -#undef P2ptr -#undef CPOOL - -#undef Y2L -#undef Y2H -#undef T1L -#undef T1H -#undef T2L -#undef T2H -#undef T3L -#undef T3H -#undef T4L -#undef T4H - -#undef TT0 -#undef TT1 -#undef T2 - -#undef X0 -#undef X1 -#undef Y0 -#undef Y1 -#undef T0 -#undef T1 - -#undef PL -#undef PH - -#undef X1L -#undef X1H -#undef Y1L -#undef Y1H -#undef Z1L -#undef Z1H -#undef X2L -#undef X2H -#undef Z2L -#undef Z2H -#undef X3L -#undef X3H -#undef Y3L -#undef Y3H -#undef Z3L -#undef Z3H - -#undef ZER -#undef SEL1 -#undef CAR1 -#undef CAR2 - -// http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl -// http://www.hyperelliptic.org/EFD/g1p/auto-shortw.html -// http://www.hyperelliptic.org/EFD/g1p/auto-shortw-projective-3.html -#define P3ptr R3 -#define P1ptr R4 -#define CPOOL R7 - -// Temporaries in REGs -#define X3L V15 -#define X3H V16 -#define Y3L V17 -#define Y3H V18 -#define T1L V19 -#define T1H V20 -#define T2L V21 -#define T2H V22 -#define T3L V23 -#define T3H V24 - -#define X1L V6 -#define X1H V7 -#define Y1L V8 -#define Y1H V9 -#define Z1L V10 -#define Z1H V11 - -// Temps for Sub and Add -#define TT0 V11 -#define TT1 V12 -#define T2 V13 - -// p256MulAsm Parameters -#define X0 V0 -#define X1 V1 -#define Y0 V2 -#define Y1 V3 -#define T0 V4 -#define T1 V5 - -#define PL V30 -#define PH V31 - -#define Z3L V23 -#define Z3H V24 - -#define ZER V26 -#define SEL1 V27 -#define CAR1 V28 -#define CAR2 V29 -/* - * http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2004-hmv - * Cost: 4M + 4S + 1*half + 5add + 2*2 + 1*3. - * Source: 2004 Hankerson–Menezes–Vanstone, page 91. - * A = 3(X₁-Z₁²)×(X₁+Z₁²) - * B = 2Y₁ - * Z₃ = B×Z₁ - * C = B² - * D = C×X₁ - * X₃ = A²-2D - * Y₃ = (D-X₃)×A-C²/2 - * - * Three-operand formula: - * T1 = Z1² - * T2 = X1-T1 - * T1 = X1+T1 - * T2 = T2*T1 - * T2 = 3*T2 - * Y3 = 2*Y1 - * Z3 = Y3*Z1 - * Y3 = Y3² - * T3 = Y3*X1 - * Y3 = Y3² - * Y3 = half*Y3 - * X3 = T2² - * T1 = 2*T3 - * X3 = X3-T1 - * T1 = T3-X3 - * T1 = T1*T2 - * Y3 = T1-Y3 - */ -// p256PointDoubleAsm(res, in1 *p256Point) -TEXT ·p256PointDoubleAsm(SB), NOSPLIT, $0-16 - MOVD res+0(FP), P3ptr - MOVD in+8(FP), P1ptr - - MOVD $p256mul<>+0x00(SB), CPOOL - - MOVD $16, R16 - MOVD $32, R17 - MOVD $48, R18 - MOVD $64, R19 - MOVD $80, R20 - - LXVD2X (R16)(CPOOL), PH - LXVD2X (R0)(CPOOL), PL - - // X=Z1; Y=Z1; MUL; T- // T1 = Z1² - LXVD2X (R19)(P1ptr), X0 // Z1H - LXVD2X (R20)(P1ptr), X1 // Z1L - - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - - VOR X0, X0, Y0 - VOR X1, X1, Y1 - CALL p256MulInternal<>(SB) - - // SUB(X<X1-T) // T2 = X1-T1 - LXVD2X (R0)(P1ptr), X1L - LXVD2X (R16)(P1ptr), X1H - XXPERMDI X1L, X1L, $2, X1L - XXPERMDI X1H, X1H, $2, X1H - - p256SubInternal(X1,X0,X1H,X1L,T1,T0) - - // ADD(Y<X1+T) // T1 = X1+T1 - p256AddInternal(Y1,Y0,X1H,X1L,T1,T0) - - // X- ; Y- ; MUL; T- // T2 = T2*T1 - CALL p256MulInternal<>(SB) - - // ADD(T2<T+T); ADD(T2<T2+T) // T2 = 3*T2 - p256AddInternal(T2H,T2L,T1,T0,T1,T0) - p256AddInternal(T2H,T2L,T2H,T2L,T1,T0) - - // ADD(X<Y1+Y1) // Y3 = 2*Y1 - LXVD2X (R17)(P1ptr), Y1L - LXVD2X (R18)(P1ptr), Y1H - XXPERMDI Y1L, Y1L, $2, Y1L - XXPERMDI Y1H, Y1H, $2, Y1H - - p256AddInternal(X1,X0,Y1H,Y1L,Y1H,Y1L) - - // X- ; Y=Z1; MUL; Z3:=T // Z3 = Y3*Z1 - LXVD2X (R19)(P1ptr), Y0 - LXVD2X (R20)(P1ptr), Y1 - XXPERMDI Y0, Y0, $2, Y0 - XXPERMDI Y1, Y1, $2, Y1 - - CALL p256MulInternal<>(SB) - - // Leave T0, T1 as is. - XXPERMDI T0, T0, $2, TT0 - XXPERMDI T1, T1, $2, TT1 - STXVD2X TT0, (R19)(P3ptr) - STXVD2X TT1, (R20)(P3ptr) - - // X- ; Y=X ; MUL; T- // Y3 = Y3² - VOR X0, X0, Y0 - VOR X1, X1, Y1 - CALL p256MulInternal<>(SB) - - // X=T ; Y=X1; MUL; T3=T // T3 = Y3*X1 - VOR T0, T0, X0 - VOR T1, T1, X1 - LXVD2X (R0)(P1ptr), Y0 - LXVD2X (R16)(P1ptr), Y1 - XXPERMDI Y0, Y0, $2, Y0 - XXPERMDI Y1, Y1, $2, Y1 - CALL p256MulInternal<>(SB) - VOR T0, T0, T3L - VOR T1, T1, T3H - - // X- ; Y=X ; MUL; T- // Y3 = Y3² - VOR X0, X0, Y0 - VOR X1, X1, Y1 - CALL p256MulInternal<>(SB) - - // HAL(Y3<T) // Y3 = half*Y3 - p256HalfInternal(Y3H,Y3L, T1,T0) - - // X=T2; Y=T2; MUL; T- // X3 = T2² - VOR T2L, T2L, X0 - VOR T2H, T2H, X1 - VOR T2L, T2L, Y0 - VOR T2H, T2H, Y1 - CALL p256MulInternal<>(SB) - - // ADD(T1<T3+T3) // T1 = 2*T3 - p256AddInternal(T1H,T1L,T3H,T3L,T3H,T3L) - - // SUB(X3<T-T1) X3:=X3 // X3 = X3-T1 - p256SubInternal(X3H,X3L,T1,T0,T1H,T1L) - - XXPERMDI X3L, X3L, $2, TT0 - XXPERMDI X3H, X3H, $2, TT1 - STXVD2X TT0, (R0)(P3ptr) - STXVD2X TT1, (R16)(P3ptr) - - // SUB(X<T3-X3) // T1 = T3-X3 - p256SubInternal(X1,X0,T3H,T3L,X3H,X3L) - - // X- ; Y- ; MUL; T- // T1 = T1*T2 - CALL p256MulInternal<>(SB) - - // SUB(Y3<T-Y3) // Y3 = T1-Y3 - p256SubInternal(Y3H,Y3L,T1,T0,Y3H,Y3L) - - XXPERMDI Y3L, Y3L, $2, Y3L - XXPERMDI Y3H, Y3H, $2, Y3H - STXVD2X Y3L, (R17)(P3ptr) - STXVD2X Y3H, (R18)(P3ptr) - RET - -#undef P3ptr -#undef P1ptr -#undef CPOOL -#undef X3L -#undef X3H -#undef Y3L -#undef Y3H -#undef T1L -#undef T1H -#undef T2L -#undef T2H -#undef T3L -#undef T3H -#undef X1L -#undef X1H -#undef Y1L -#undef Y1H -#undef Z1L -#undef Z1H -#undef TT0 -#undef TT1 -#undef T2 -#undef X0 -#undef X1 -#undef Y0 -#undef Y1 -#undef T0 -#undef T1 -#undef PL -#undef PH -#undef Z3L -#undef Z3H -#undef ZER -#undef SEL1 -#undef CAR1 -#undef CAR2 - -#define P3ptr R3 -#define P1ptr R4 -#define P2ptr R5 -#define CPOOL R7 -#define TRUE R14 -#define RES1 R9 -#define RES2 R10 - -// Temporaries in REGs -#define T1L V16 -#define T1H V17 -#define T2L V18 -#define T2H V19 -#define U1L V20 -#define U1H V21 -#define S1L V22 -#define S1H V23 -#define HL V24 -#define HH V25 -#define RL V26 -#define RH V27 - -// Temps for Sub and Add -#define ZER V6 -#define SEL1 V7 -#define CAR1 V8 -#define CAR2 V9 -#define TT0 V11 -#define TT1 V12 -#define T2 V13 - -// p256MulAsm Parameters -#define X0 V0 -#define X1 V1 -#define Y0 V2 -#define Y1 V3 -#define T0 V4 -#define T1 V5 - -#define PL V30 -#define PH V31 -/* - * https://choucroutage.com/Papers/SideChannelAttacks/ctrsa-2011-brown.pdf "Software Implementation of the NIST Elliptic Curves Over Prime Fields" - * - * A = X₁×Z₂² - * B = Y₁×Z₂³ - * C = X₂×Z₁²-A - * D = Y₂×Z₁³-B - * X₃ = D² - 2A×C² - C³ - * Y₃ = D×(A×C² - X₃) - B×C³ - * Z₃ = Z₁×Z₂×C - * - * Three-operand formula (adopted): http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 - * Temp storage: T1,T2,U1,H,Z3=X3=Y3,S1,R - * - * T1 = Z1*Z1 - * T2 = Z2*Z2 - * U1 = X1*T2 - * H = X2*T1 - * H = H-U1 - * Z3 = Z1*Z2 - * Z3 = Z3*H << store-out Z3 result reg.. could override Z1, if slices have same backing array - * - * S1 = Z2*T2 - * S1 = Y1*S1 - * R = Z1*T1 - * R = Y2*R - * R = R-S1 - * - * T1 = H*H - * T2 = H*T1 - * U1 = U1*T1 - * - * X3 = R*R - * X3 = X3-T2 - * T1 = 2*U1 - * X3 = X3-T1 << store-out X3 result reg - * - * T2 = S1*T2 - * Y3 = U1-X3 - * Y3 = R*Y3 - * Y3 = Y3-T2 << store-out Y3 result reg - - // X=Z1; Y=Z1; MUL; T- // T1 = Z1*Z1 - // X- ; Y=T ; MUL; R=T // R = Z1*T1 - // X=X2; Y- ; MUL; H=T // H = X2*T1 - // X=Z2; Y=Z2; MUL; T- // T2 = Z2*Z2 - // X- ; Y=T ; MUL; S1=T // S1 = Z2*T2 - // X=X1; Y- ; MUL; U1=T // U1 = X1*T2 - // SUB(H<H-T) // H = H-U1 - // X=Z1; Y=Z2; MUL; T- // Z3 = Z1*Z2 - // X=T ; Y=H ; MUL; Z3:=T// Z3 = Z3*H << store-out Z3 result reg.. could override Z1, if slices have same backing array - // X=Y1; Y=S1; MUL; S1=T // S1 = Y1*S1 - // X=Y2; Y=R ; MUL; T- // R = Y2*R - // SUB(R<T-S1) // R = R-S1 - // X=H ; Y=H ; MUL; T- // T1 = H*H - // X- ; Y=T ; MUL; T2=T // T2 = H*T1 - // X=U1; Y- ; MUL; U1=T // U1 = U1*T1 - // X=R ; Y=R ; MUL; T- // X3 = R*R - // SUB(T<T-T2) // X3 = X3-T2 - // ADD(X<U1+U1) // T1 = 2*U1 - // SUB(T<T-X) X3:=T // X3 = X3-T1 << store-out X3 result reg - // SUB(Y<U1-T) // Y3 = U1-X3 - // X=R ; Y- ; MUL; U1=T // Y3 = R*Y3 - // X=S1; Y=T2; MUL; T- // T2 = S1*T2 - // SUB(T<U1-T); Y3:=T // Y3 = Y3-T2 << store-out Y3 result reg - */ -// p256PointAddAsm(res, in1, in2 *p256Point) -TEXT ·p256PointAddAsm(SB), NOSPLIT, $16-32 - MOVD res+0(FP), P3ptr - MOVD in1+8(FP), P1ptr - MOVD $p256mul<>+0x00(SB), CPOOL - MOVD $16, R16 - MOVD $32, R17 - MOVD $48, R18 - MOVD $64, R19 - MOVD $80, R20 - - LXVD2X (R16)(CPOOL), PH - LXVD2X (R0)(CPOOL), PL - - // X=Z1; Y=Z1; MUL; T- // T1 = Z1*Z1 - LXVD2X (R19)(P1ptr), X0 // Z1L - LXVD2X (R20)(P1ptr), X1 // Z1H - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - VOR X0, X0, Y0 - VOR X1, X1, Y1 - CALL p256MulInternal<>(SB) - - // X- ; Y=T ; MUL; R=T // R = Z1*T1 - VOR T0, T0, Y0 - VOR T1, T1, Y1 - CALL p256MulInternal<>(SB) - VOR T0, T0, RL // SAVE: RL - VOR T1, T1, RH // SAVE: RH - - STXVD2X RH, (R1)(R17) // V27 has to be saved - - // X=X2; Y- ; MUL; H=T // H = X2*T1 - MOVD in2+16(FP), P2ptr - LXVD2X (R0)(P2ptr), X0 // X2L - LXVD2X (R16)(P2ptr), X1 // X2H - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - CALL p256MulInternal<>(SB) - VOR T0, T0, HL // SAVE: HL - VOR T1, T1, HH // SAVE: HH - - // X=Z2; Y=Z2; MUL; T- // T2 = Z2*Z2 - MOVD in2+16(FP), P2ptr - LXVD2X (R19)(P2ptr), X0 // Z2L - LXVD2X (R20)(P2ptr), X1 // Z2H - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - VOR X0, X0, Y0 - VOR X1, X1, Y1 - CALL p256MulInternal<>(SB) - - // X- ; Y=T ; MUL; S1=T // S1 = Z2*T2 - VOR T0, T0, Y0 - VOR T1, T1, Y1 - CALL p256MulInternal<>(SB) - VOR T0, T0, S1L // SAVE: S1L - VOR T1, T1, S1H // SAVE: S1H - - // X=X1; Y- ; MUL; U1=T // U1 = X1*T2 - MOVD in1+8(FP), P1ptr - LXVD2X (R0)(P1ptr), X0 // X1L - LXVD2X (R16)(P1ptr), X1 // X1H - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - CALL p256MulInternal<>(SB) - VOR T0, T0, U1L // SAVE: U1L - VOR T1, T1, U1H // SAVE: U1H - - // SUB(H<H-T) // H = H-U1 - p256SubInternal(HH,HL,HH,HL,T1,T0) - - // if H == 0 or H^P == 0 then ret=1 else ret=0 - // clobbers T1H and T1L - MOVD $1, TRUE - VSPLTISB $0, ZER - VOR HL, HH, T1H - VCMPEQUDCC ZER, T1H, T1H - - // 26 = CR6 NE - ISEL $26, R0, TRUE, RES1 - VXOR HL, PL, T1L // SAVE: T1L - VXOR HH, PH, T1H // SAVE: T1H - VOR T1L, T1H, T1H - VCMPEQUDCC ZER, T1H, T1H - - // 26 = CR6 NE - ISEL $26, R0, TRUE, RES2 - OR RES2, RES1, RES1 - MOVD RES1, ret+24(FP) - - // X=Z1; Y=Z2; MUL; T- // Z3 = Z1*Z2 - MOVD in1+8(FP), P1ptr - MOVD in2+16(FP), P2ptr - LXVD2X (R19)(P1ptr), X0 // Z1L - LXVD2X (R20)(P1ptr), X1 // Z1H - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - LXVD2X (R19)(P2ptr), Y0 // Z2L - LXVD2X (R20)(P2ptr), Y1 // Z2H - XXPERMDI Y0, Y0, $2, Y0 - XXPERMDI Y1, Y1, $2, Y1 - CALL p256MulInternal<>(SB) - - // X=T ; Y=H ; MUL; Z3:=T// Z3 = Z3*H - VOR T0, T0, X0 - VOR T1, T1, X1 - VOR HL, HL, Y0 - VOR HH, HH, Y1 - CALL p256MulInternal<>(SB) - MOVD res+0(FP), P3ptr - XXPERMDI T1, T1, $2, TT1 - XXPERMDI T0, T0, $2, TT0 - STXVD2X TT0, (R19)(P3ptr) - STXVD2X TT1, (R20)(P3ptr) - - // X=Y1; Y=S1; MUL; S1=T // S1 = Y1*S1 - MOVD in1+8(FP), P1ptr - LXVD2X (R17)(P1ptr), X0 - LXVD2X (R18)(P1ptr), X1 - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - VOR S1L, S1L, Y0 - VOR S1H, S1H, Y1 - CALL p256MulInternal<>(SB) - VOR T0, T0, S1L - VOR T1, T1, S1H - - // X=Y2; Y=R ; MUL; T- // R = Y2*R - MOVD in2+16(FP), P2ptr - LXVD2X (R17)(P2ptr), X0 - LXVD2X (R18)(P2ptr), X1 - XXPERMDI X0, X0, $2, X0 - XXPERMDI X1, X1, $2, X1 - VOR RL, RL, Y0 - - // VOR RH, RH, Y1 RH was saved above in D2X format - LXVD2X (R1)(R17), Y1 - CALL p256MulInternal<>(SB) - - // SUB(R<T-S1) // R = T-S1 - p256SubInternal(RH,RL,T1,T0,S1H,S1L) - - STXVD2X RH, (R1)(R17) // Save RH - - // if R == 0 or R^P == 0 then ret=ret else ret=0 - // clobbers T1H and T1L - // Redo this using ISEL?? - MOVD $1, TRUE - VSPLTISB $0, ZER - VOR RL, RH, T1H - VCMPEQUDCC ZER, T1H, T1H - - // 24 = CR6 NE - ISEL $26, R0, TRUE, RES1 - VXOR RL, PL, T1L - VXOR RH, PH, T1H // SAVE: T1L - VOR T1L, T1H, T1H - VCMPEQUDCC ZER, T1H, T1H - - // 26 = CR6 NE - ISEL $26, R0, TRUE, RES2 - OR RES2, RES1, RES1 - MOVD ret+24(FP), RES2 - AND RES2, RES1, RES1 - MOVD RES1, ret+24(FP) - - // X=H ; Y=H ; MUL; T- // T1 = H*H - VOR HL, HL, X0 - VOR HH, HH, X1 - VOR HL, HL, Y0 - VOR HH, HH, Y1 - CALL p256MulInternal<>(SB) - - // X- ; Y=T ; MUL; T2=T // T2 = H*T1 - VOR T0, T0, Y0 - VOR T1, T1, Y1 - CALL p256MulInternal<>(SB) - VOR T0, T0, T2L - VOR T1, T1, T2H - - // X=U1; Y- ; MUL; U1=T // U1 = U1*T1 - VOR U1L, U1L, X0 - VOR U1H, U1H, X1 - CALL p256MulInternal<>(SB) - VOR T0, T0, U1L - VOR T1, T1, U1H - - // X=R ; Y=R ; MUL; T- // X3 = R*R - VOR RL, RL, X0 - - // VOR RH, RH, X1 - VOR RL, RL, Y0 - - // RH was saved above using STXVD2X - LXVD2X (R1)(R17), X1 - VOR X1, X1, Y1 - - // VOR RH, RH, Y1 - CALL p256MulInternal<>(SB) - - // SUB(T<T-T2) // X3 = X3-T2 - p256SubInternal(T1,T0,T1,T0,T2H,T2L) - - // ADD(X<U1+U1) // T1 = 2*U1 - p256AddInternal(X1,X0,U1H,U1L,U1H,U1L) - - // SUB(T<T-X) X3:=T // X3 = X3-T1 << store-out X3 result reg - p256SubInternal(T1,T0,T1,T0,X1,X0) - MOVD res+0(FP), P3ptr - XXPERMDI T1, T1, $2, TT1 - XXPERMDI T0, T0, $2, TT0 - STXVD2X TT0, (R0)(P3ptr) - STXVD2X TT1, (R16)(P3ptr) - - // SUB(Y<U1-T) // Y3 = U1-X3 - p256SubInternal(Y1,Y0,U1H,U1L,T1,T0) - - // X=R ; Y- ; MUL; U1=T // Y3 = R*Y3 - VOR RL, RL, X0 - - // VOR RH, RH, X1 - LXVD2X (R1)(R17), X1 - CALL p256MulInternal<>(SB) - VOR T0, T0, U1L - VOR T1, T1, U1H - - // X=S1; Y=T2; MUL; T- // T2 = S1*T2 - VOR S1L, S1L, X0 - VOR S1H, S1H, X1 - VOR T2L, T2L, Y0 - VOR T2H, T2H, Y1 - CALL p256MulInternal<>(SB) - - // SUB(T<U1-T); Y3:=T // Y3 = Y3-T2 << store-out Y3 result reg - p256SubInternal(T1,T0,U1H,U1L,T1,T0) - MOVD res+0(FP), P3ptr - XXPERMDI T1, T1, $2, TT1 - XXPERMDI T0, T0, $2, TT0 - STXVD2X TT0, (R17)(P3ptr) - STXVD2X TT1, (R18)(P3ptr) - - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_s390x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_s390x.s deleted file mode 100644 index 190147ebb18..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_asm_s390x.s +++ /dev/null @@ -1,1989 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" -#include "go_asm.h" - -DATA p256<>+0x00(SB)/8, $0xffffffff00000001 // P256 -DATA p256<>+0x08(SB)/8, $0x0000000000000000 // P256 -DATA p256<>+0x10(SB)/8, $0x00000000ffffffff // P256 -DATA p256<>+0x18(SB)/8, $0xffffffffffffffff // P256 -DATA p256<>+0x20(SB)/8, $0x0c0d0e0f1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256<>+0x28(SB)/8, $0x0c0d0e0f1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256<>+0x30(SB)/8, $0x0000000010111213 // SEL 0 d1 d0 0 -DATA p256<>+0x38(SB)/8, $0x1415161700000000 // SEL 0 d1 d0 0 -DATA p256<>+0x40(SB)/8, $0x18191a1b1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256<>+0x48(SB)/8, $0x18191a1b1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256<>+0x50(SB)/8, $0x0706050403020100 // LE2BE permute mask -DATA p256<>+0x58(SB)/8, $0x0f0e0d0c0b0a0908 // LE2BE permute mask -DATA p256mul<>+0x00(SB)/8, $0xffffffff00000001 // P256 -DATA p256mul<>+0x08(SB)/8, $0x0000000000000000 // P256 -DATA p256mul<>+0x10(SB)/8, $0x00000000ffffffff // P256 -DATA p256mul<>+0x18(SB)/8, $0xffffffffffffffff // P256 -DATA p256mul<>+0x20(SB)/8, $0x1c1d1e1f00000000 // SEL d0 0 0 d0 -DATA p256mul<>+0x28(SB)/8, $0x000000001c1d1e1f // SEL d0 0 0 d0 -DATA p256mul<>+0x30(SB)/8, $0x0001020304050607 // SEL d0 0 d1 d0 -DATA p256mul<>+0x38(SB)/8, $0x1c1d1e1f0c0d0e0f // SEL d0 0 d1 d0 -DATA p256mul<>+0x40(SB)/8, $0x040506071c1d1e1f // SEL 0 d1 d0 d1 -DATA p256mul<>+0x48(SB)/8, $0x0c0d0e0f1c1d1e1f // SEL 0 d1 d0 d1 -DATA p256mul<>+0x50(SB)/8, $0x0405060704050607 // SEL 0 0 d1 d0 -DATA p256mul<>+0x58(SB)/8, $0x1c1d1e1f0c0d0e0f // SEL 0 0 d1 d0 -DATA p256mul<>+0x60(SB)/8, $0x0c0d0e0f1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256mul<>+0x68(SB)/8, $0x0c0d0e0f1c1d1e1f // SEL d1 d0 d1 d0 -DATA p256mul<>+0x70(SB)/8, $0x141516170c0d0e0f // SEL 0 d1 d0 0 -DATA p256mul<>+0x78(SB)/8, $0x1c1d1e1f14151617 // SEL 0 d1 d0 0 -DATA p256mul<>+0x80(SB)/8, $0x00000000fffffffe // (1*2^256)%P256 -DATA p256mul<>+0x88(SB)/8, $0xffffffffffffffff // (1*2^256)%P256 -DATA p256mul<>+0x90(SB)/8, $0xffffffff00000000 // (1*2^256)%P256 -DATA p256mul<>+0x98(SB)/8, $0x0000000000000001 // (1*2^256)%P256 -GLOBL p256<>(SB), 8, $96 -GLOBL p256mul<>(SB), 8, $160 - -// --------------------------------------- -// iff cond == 1 val <- -val -// func p256NegCond(val *p256Element, cond int) -#define P1ptr R1 -#define CPOOL R4 - -#define Y1L V0 -#define Y1H V1 -#define T1L V2 -#define T1H V3 - -#define PL V30 -#define PH V31 - -#define ZER V4 -#define SEL1 V5 -#define CAR1 V6 -TEXT ·p256NegCond(SB), NOSPLIT, $0 - MOVD val+0(FP), P1ptr - - MOVD $p256mul<>+0x00(SB), CPOOL - VL 16(CPOOL), PL - VL 0(CPOOL), PH - - VL 16(P1ptr), Y1H - VPDI $0x4, Y1H, Y1H, Y1H - VL 0(P1ptr), Y1L - VPDI $0x4, Y1L, Y1L, Y1L - - VLREPG cond+8(FP), SEL1 - VZERO ZER - VCEQG SEL1, ZER, SEL1 - - VSCBIQ Y1L, PL, CAR1 - VSQ Y1L, PL, T1L - VSBIQ PH, Y1H, CAR1, T1H - - VSEL Y1L, T1L, SEL1, Y1L - VSEL Y1H, T1H, SEL1, Y1H - - VPDI $0x4, Y1H, Y1H, Y1H - VST Y1H, 16(P1ptr) - VPDI $0x4, Y1L, Y1L, Y1L - VST Y1L, 0(P1ptr) - RET - -#undef P1ptr -#undef CPOOL -#undef Y1L -#undef Y1H -#undef T1L -#undef T1H -#undef PL -#undef PH -#undef ZER -#undef SEL1 -#undef CAR1 - -// --------------------------------------- -// if cond == 0 res <- b; else res <- a -// func p256MovCond(res, a, b *P256Point, cond int) -#define P3ptr R1 -#define P1ptr R2 -#define P2ptr R3 - -#define X1L V0 -#define X1H V1 -#define Y1L V2 -#define Y1H V3 -#define Z1L V4 -#define Z1H V5 -#define X2L V6 -#define X2H V7 -#define Y2L V8 -#define Y2H V9 -#define Z2L V10 -#define Z2H V11 - -#define ZER V18 -#define SEL1 V19 -TEXT ·p256MovCond(SB), NOSPLIT, $0 - MOVD res+0(FP), P3ptr - MOVD a+8(FP), P1ptr - MOVD b+16(FP), P2ptr - VLREPG cond+24(FP), SEL1 - VZERO ZER - VCEQG SEL1, ZER, SEL1 - - VL 0(P1ptr), X1H - VL 16(P1ptr), X1L - VL 32(P1ptr), Y1H - VL 48(P1ptr), Y1L - VL 64(P1ptr), Z1H - VL 80(P1ptr), Z1L - - VL 0(P2ptr), X2H - VL 16(P2ptr), X2L - VL 32(P2ptr), Y2H - VL 48(P2ptr), Y2L - VL 64(P2ptr), Z2H - VL 80(P2ptr), Z2L - - VSEL X2L, X1L, SEL1, X1L - VSEL X2H, X1H, SEL1, X1H - VSEL Y2L, Y1L, SEL1, Y1L - VSEL Y2H, Y1H, SEL1, Y1H - VSEL Z2L, Z1L, SEL1, Z1L - VSEL Z2H, Z1H, SEL1, Z1H - - VST X1H, 0(P3ptr) - VST X1L, 16(P3ptr) - VST Y1H, 32(P3ptr) - VST Y1L, 48(P3ptr) - VST Z1H, 64(P3ptr) - VST Z1L, 80(P3ptr) - - RET - -#undef P3ptr -#undef P1ptr -#undef P2ptr -#undef X1L -#undef X1H -#undef Y1L -#undef Y1H -#undef Z1L -#undef Z1H -#undef X2L -#undef X2H -#undef Y2L -#undef Y2H -#undef Z2L -#undef Z2H -#undef ZER -#undef SEL1 - -// --------------------------------------- -// Constant time table access -// Indexed from 1 to 15, with -1 offset -// (index 0 is implicitly point at infinity) -// func p256Select(res *P256Point, table *p256Table, idx int) -#define P3ptr R1 -#define P1ptr R2 -#define COUNT R4 - -#define X1L V0 -#define X1H V1 -#define Y1L V2 -#define Y1H V3 -#define Z1L V4 -#define Z1H V5 -#define X2L V6 -#define X2H V7 -#define Y2L V8 -#define Y2H V9 -#define Z2L V10 -#define Z2H V11 - -#define ONE V18 -#define IDX V19 -#define SEL1 V20 -#define SEL2 V21 -TEXT ·p256Select(SB), NOSPLIT, $0 - MOVD res+0(FP), P3ptr - MOVD table+8(FP), P1ptr - VLREPB idx+(16+7)(FP), IDX - VREPIB $1, ONE - VREPIB $1, SEL2 - MOVD $1, COUNT - - VZERO X1H - VZERO X1L - VZERO Y1H - VZERO Y1L - VZERO Z1H - VZERO Z1L - -loop_select: - VL 0(P1ptr), X2H - VL 16(P1ptr), X2L - VL 32(P1ptr), Y2H - VL 48(P1ptr), Y2L - VL 64(P1ptr), Z2H - VL 80(P1ptr), Z2L - - VCEQG SEL2, IDX, SEL1 - - VSEL X2L, X1L, SEL1, X1L - VSEL X2H, X1H, SEL1, X1H - VSEL Y2L, Y1L, SEL1, Y1L - VSEL Y2H, Y1H, SEL1, Y1H - VSEL Z2L, Z1L, SEL1, Z1L - VSEL Z2H, Z1H, SEL1, Z1H - - VAB SEL2, ONE, SEL2 - ADDW $1, COUNT - ADD $96, P1ptr - CMPW COUNT, $17 - BLT loop_select - - VST X1H, 0(P3ptr) - VST X1L, 16(P3ptr) - VST Y1H, 32(P3ptr) - VST Y1L, 48(P3ptr) - VST Z1H, 64(P3ptr) - VST Z1L, 80(P3ptr) - RET - -#undef P3ptr -#undef P1ptr -#undef COUNT -#undef X1L -#undef X1H -#undef Y1L -#undef Y1H -#undef Z1L -#undef Z1H -#undef X2L -#undef X2H -#undef Y2L -#undef Y2H -#undef Z2L -#undef Z2H -#undef ONE -#undef IDX -#undef SEL1 -#undef SEL2 - -// --------------------------------------- - -// func p256FromMont(res, in *p256Element) -#define res_ptr R1 -#define x_ptr R2 -#define CPOOL R4 - -#define T0 V0 -#define T1 V1 -#define T2 V2 -#define TT0 V3 -#define TT1 V4 - -#define ZER V6 -#define SEL1 V7 -#define SEL2 V8 -#define CAR1 V9 -#define CAR2 V10 -#define RED1 V11 -#define RED2 V12 -#define PL V13 -#define PH V14 - -TEXT ·p256FromMont(SB), NOSPLIT, $0 - MOVD res+0(FP), res_ptr - MOVD in+8(FP), x_ptr - - VZERO T2 - VZERO ZER - MOVD $p256<>+0x00(SB), CPOOL - VL 16(CPOOL), PL - VL 0(CPOOL), PH - VL 48(CPOOL), SEL2 - VL 64(CPOOL), SEL1 - - VL (0*16)(x_ptr), T0 - VPDI $0x4, T0, T0, T0 - VL (1*16)(x_ptr), T1 - VPDI $0x4, T1, T1, T1 - - // First round - VPERM T1, T0, SEL1, RED2 // d1 d0 d1 d0 - VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 - VSQ RED1, RED2, RED2 // Guaranteed not to underflow - - VSLDB $8, T1, T0, T0 - VSLDB $8, T2, T1, T1 - - VACCQ T0, RED1, CAR1 - VAQ T0, RED1, T0 - VACCCQ T1, RED2, CAR1, CAR2 - VACQ T1, RED2, CAR1, T1 - VAQ T2, CAR2, T2 - - // Second round - VPERM T1, T0, SEL1, RED2 // d1 d0 d1 d0 - VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 - VSQ RED1, RED2, RED2 // Guaranteed not to underflow - - VSLDB $8, T1, T0, T0 - VSLDB $8, T2, T1, T1 - - VACCQ T0, RED1, CAR1 - VAQ T0, RED1, T0 - VACCCQ T1, RED2, CAR1, CAR2 - VACQ T1, RED2, CAR1, T1 - VAQ T2, CAR2, T2 - - // Third round - VPERM T1, T0, SEL1, RED2 // d1 d0 d1 d0 - VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 - VSQ RED1, RED2, RED2 // Guaranteed not to underflow - - VSLDB $8, T1, T0, T0 - VSLDB $8, T2, T1, T1 - - VACCQ T0, RED1, CAR1 - VAQ T0, RED1, T0 - VACCCQ T1, RED2, CAR1, CAR2 - VACQ T1, RED2, CAR1, T1 - VAQ T2, CAR2, T2 - - // Last round - VPERM T1, T0, SEL1, RED2 // d1 d0 d1 d0 - VPERM ZER, RED2, SEL2, RED1 // 0 d1 d0 0 - VSQ RED1, RED2, RED2 // Guaranteed not to underflow - - VSLDB $8, T1, T0, T0 - VSLDB $8, T2, T1, T1 - - VACCQ T0, RED1, CAR1 - VAQ T0, RED1, T0 - VACCCQ T1, RED2, CAR1, CAR2 - VACQ T1, RED2, CAR1, T1 - VAQ T2, CAR2, T2 - - // --------------------------------------------------- - - VSCBIQ PL, T0, CAR1 - VSQ PL, T0, TT0 - VSBCBIQ T1, PH, CAR1, CAR2 - VSBIQ T1, PH, CAR1, TT1 - VSBIQ T2, ZER, CAR2, T2 - - // what output to use, TT1||TT0 or T1||T0? - VSEL T0, TT0, T2, T0 - VSEL T1, TT1, T2, T1 - - VPDI $0x4, T0, T0, TT0 - VST TT0, (0*16)(res_ptr) - VPDI $0x4, T1, T1, TT1 - VST TT1, (1*16)(res_ptr) - RET - -#undef res_ptr -#undef x_ptr -#undef CPOOL -#undef T0 -#undef T1 -#undef T2 -#undef TT0 -#undef TT1 -#undef ZER -#undef SEL1 -#undef SEL2 -#undef CAR1 -#undef CAR2 -#undef RED1 -#undef RED2 -#undef PL -#undef PH - -// Constant time table access -// Indexed from 1 to 15, with -1 offset -// (index 0 is implicitly point at infinity) -// func p256SelectBase(point *p256Point, table []p256Point, idx int) -// new : func p256SelectAffine(res *p256AffinePoint, table *p256AffineTable, idx int) - -#define P3ptr R1 -#define P1ptr R2 -#define COUNT R4 -#define CPOOL R5 - -#define X1L V0 -#define X1H V1 -#define Y1L V2 -#define Y1H V3 -#define Z1L V4 -#define Z1H V5 -#define X2L V6 -#define X2H V7 -#define Y2L V8 -#define Y2H V9 -#define Z2L V10 -#define Z2H V11 -#define LE2BE V12 - -#define ONE V18 -#define IDX V19 -#define SEL1 V20 -#define SEL2 V21 - -TEXT ·p256SelectAffine(SB), NOSPLIT, $0 - MOVD res+0(FP), P3ptr - MOVD table+8(FP), P1ptr - MOVD $p256<>+0x00(SB), CPOOL - VLREPB idx+(16+7)(FP), IDX - VREPIB $1, ONE - VREPIB $1, SEL2 - MOVD $1, COUNT - VL 80(CPOOL), LE2BE - - VZERO X1H - VZERO X1L - VZERO Y1H - VZERO Y1L - -loop_select: - VL 0(P1ptr), X2H - VL 16(P1ptr), X2L - VL 32(P1ptr), Y2H - VL 48(P1ptr), Y2L - - VCEQG SEL2, IDX, SEL1 - - VSEL X2L, X1L, SEL1, X1L - VSEL X2H, X1H, SEL1, X1H - VSEL Y2L, Y1L, SEL1, Y1L - VSEL Y2H, Y1H, SEL1, Y1H - - VAB SEL2, ONE, SEL2 - ADDW $1, COUNT - ADD $64, P1ptr - CMPW COUNT, $33 // len(p256AffineTable) + 1 - BLT loop_select - VST X1H, 0(P3ptr) - VST X1L, 16(P3ptr) - VST Y1H, 32(P3ptr) - VST Y1L, 48(P3ptr) - - RET - -#undef P3ptr -#undef P1ptr -#undef COUNT -#undef X1L -#undef X1H -#undef Y1L -#undef Y1H -#undef Z1L -#undef Z1H -#undef X2L -#undef X2H -#undef Y2L -#undef Y2H -#undef Z2L -#undef Z2H -#undef ONE -#undef IDX -#undef SEL1 -#undef SEL2 -#undef CPOOL - -// --------------------------------------- -// p256MulInternal -// V0-V3,V30,V31 - Not Modified -// V4-V15 - Volatile - -#define CPOOL R4 - -// Parameters -#define X0 V0 // Not modified -#define X1 V1 // Not modified -#define Y0 V2 // Not modified -#define Y1 V3 // Not modified -#define T0 V4 -#define T1 V5 -#define P0 V30 // Not modified -#define P1 V31 // Not modified - -// Temporaries -#define YDIG V6 // Overloaded with CAR2, ZER -#define ADD1H V7 // Overloaded with ADD3H -#define ADD2H V8 // Overloaded with ADD4H -#define ADD3 V9 // Overloaded with SEL2,SEL5 -#define ADD4 V10 // Overloaded with SEL3,SEL6 -#define RED1 V11 // Overloaded with CAR2 -#define RED2 V12 -#define RED3 V13 // Overloaded with SEL1 -#define T2 V14 -// Overloaded temporaries -#define ADD1 V4 // Overloaded with T0 -#define ADD2 V5 // Overloaded with T1 -#define ADD3H V7 // Overloaded with ADD1H -#define ADD4H V8 // Overloaded with ADD2H -#define ZER V6 // Overloaded with YDIG, CAR2 -#define CAR1 V6 // Overloaded with YDIG, ZER -#define CAR2 V11 // Overloaded with RED1 -// Constant Selects -#define SEL1 V13 // Overloaded with RED3 -#define SEL2 V9 // Overloaded with ADD3,SEL5 -#define SEL3 V10 // Overloaded with ADD4,SEL6 -#define SEL4 V6 // Overloaded with YDIG,CAR2,ZER -#define SEL5 V9 // Overloaded with ADD3,SEL2 -#define SEL6 V10 // Overloaded with ADD4,SEL3 - -/* * - * To follow the flow of bits, for your own sanity a stiff drink, need you shall. - * Of a single round, a 'helpful' picture, here is. Meaning, column position has. - * With you, SIMD be... - * - * +--------+--------+ - * +--------| RED2 | RED1 | - * | +--------+--------+ - * | ---+--------+--------+ - * | +---- T2| T1 | T0 |--+ - * | | ---+--------+--------+ | - * | | | - * | | ======================= | - * | | | - * | | +--------+--------+<-+ - * | +-------| ADD2 | ADD1 |--|-----+ - * | | +--------+--------+ | | - * | | +--------+--------+<---+ | - * | | | ADD2H | ADD1H |--+ | - * | | +--------+--------+ | | - * | | +--------+--------+<-+ | - * | | | ADD4 | ADD3 |--|-+ | - * | | +--------+--------+ | | | - * | | +--------+--------+<---+ | | - * | | | ADD4H | ADD3H |------|-+ |(+vzero) - * | | +--------+--------+ | | V - * | | ------------------------ | | +--------+ - * | | | | | RED3 | [d0 0 0 d0] - * | | | | +--------+ - * | +---->+--------+--------+ | | | - * (T2[1w]||ADD2[4w]||ADD1[3w]) +--------| T1 | T0 | | | | - * | +--------+--------+ | | | - * +---->---+--------+--------+ | | | - * T2| T1 | T0 |----+ | | - * ---+--------+--------+ | | | - * ---+--------+--------+<---+ | | - * +--- T2| T1 | T0 |----------+ - * | ---+--------+--------+ | | - * | +--------+--------+<-------------+ - * | | RED2 | RED1 |-----+ | | [0 d1 d0 d1] [d0 0 d1 d0] - * | +--------+--------+ | | | - * | +--------+<----------------------+ - * | | RED3 |--------------+ | [0 0 d1 d0] - * | +--------+ | | - * +--->+--------+--------+ | | - * | T1 | T0 |--------+ - * +--------+--------+ | | - * --------------------------- | | - * | | - * +--------+--------+<----+ | - * | RED2 | RED1 | | - * +--------+--------+ | - * ---+--------+--------+<-------+ - * T2| T1 | T0 | (H1P-H1P-H00RRAY!) - * ---+--------+--------+ - * - * *Mi obra de arte de siglo XXI @vpaprots - * - * - * First group is special, doesn't get the two inputs: - * +--------+--------+<-+ - * +-------| ADD2 | ADD1 |--|-----+ - * | +--------+--------+ | | - * | +--------+--------+<---+ | - * | | ADD2H | ADD1H |--+ | - * | +--------+--------+ | | - * | +--------+--------+<-+ | - * | | ADD4 | ADD3 |--|-+ | - * | +--------+--------+ | | | - * | +--------+--------+<---+ | | - * | | ADD4H | ADD3H |------|-+ |(+vzero) - * | +--------+--------+ | | V - * | ------------------------ | | +--------+ - * | | | | RED3 | [d0 0 0 d0] - * | | | +--------+ - * +---->+--------+--------+ | | | - * (T2[1w]||ADD2[4w]||ADD1[3w]) | T1 | T0 |----+ | | - * +--------+--------+ | | | - * ---+--------+--------+<---+ | | - * +--- T2| T1 | T0 |----------+ - * | ---+--------+--------+ | | - * | +--------+--------+<-------------+ - * | | RED2 | RED1 |-----+ | | [0 d1 d0 d1] [d0 0 d1 d0] - * | +--------+--------+ | | | - * | +--------+<----------------------+ - * | | RED3 |--------------+ | [0 0 d1 d0] - * | +--------+ | | - * +--->+--------+--------+ | | - * | T1 | T0 |--------+ - * +--------+--------+ | | - * --------------------------- | | - * | | - * +--------+--------+<----+ | - * | RED2 | RED1 | | - * +--------+--------+ | - * ---+--------+--------+<-------+ - * T2| T1 | T0 | (H1P-H1P-H00RRAY!) - * ---+--------+--------+ - * - * Last 'group' needs to RED2||RED1 shifted less - */ -TEXT p256MulInternal<>(SB), NOSPLIT, $0-0 - VL 32(CPOOL), SEL1 - VL 48(CPOOL), SEL2 - VL 64(CPOOL), SEL3 - VL 80(CPOOL), SEL4 - - // --------------------------------------------------- - - VREPF $3, Y0, YDIG - VMLHF X0, YDIG, ADD1H - VMLHF X1, YDIG, ADD2H - VMLF X0, YDIG, ADD1 - VMLF X1, YDIG, ADD2 - - VREPF $2, Y0, YDIG - VMALF X0, YDIG, ADD1H, ADD3 - VMALF X1, YDIG, ADD2H, ADD4 - VMALHF X0, YDIG, ADD1H, ADD3H // ADD1H Free - VMALHF X1, YDIG, ADD2H, ADD4H // ADD2H Free - - VZERO ZER - VL 32(CPOOL), SEL1 - VPERM ZER, ADD1, SEL1, RED3 // [d0 0 0 d0] - - VSLDB $12, ADD2, ADD1, T0 // ADD1 Free - VSLDB $12, ZER, ADD2, T1 // ADD2 Free - - VACCQ T0, ADD3, CAR1 - VAQ T0, ADD3, T0 // ADD3 Free - VACCCQ T1, ADD4, CAR1, T2 - VACQ T1, ADD4, CAR1, T1 // ADD4 Free - - VL 48(CPOOL), SEL2 - VL 64(CPOOL), SEL3 - VL 80(CPOOL), SEL4 - VPERM RED3, T0, SEL2, RED1 // [d0 0 d1 d0] - VPERM RED3, T0, SEL3, RED2 // [ 0 d1 d0 d1] - VPERM RED3, T0, SEL4, RED3 // [ 0 0 d1 d0] - VSQ RED3, RED2, RED2 // Guaranteed not to underflow - - VSLDB $12, T1, T0, T0 - VSLDB $12, T2, T1, T1 - - VACCQ T0, ADD3H, CAR1 - VAQ T0, ADD3H, T0 - VACCCQ T1, ADD4H, CAR1, T2 - VACQ T1, ADD4H, CAR1, T1 - - // --------------------------------------------------- - - VREPF $1, Y0, YDIG - VMALHF X0, YDIG, T0, ADD1H - VMALHF X1, YDIG, T1, ADD2H - VMALF X0, YDIG, T0, ADD1 // T0 Free->ADD1 - VMALF X1, YDIG, T1, ADD2 // T1 Free->ADD2 - - VREPF $0, Y0, YDIG - VMALF X0, YDIG, ADD1H, ADD3 - VMALF X1, YDIG, ADD2H, ADD4 - VMALHF X0, YDIG, ADD1H, ADD3H // ADD1H Free->ADD3H - VMALHF X1, YDIG, ADD2H, ADD4H // ADD2H Free->ADD4H , YDIG Free->ZER - - VZERO ZER - VL 32(CPOOL), SEL1 - VPERM ZER, ADD1, SEL1, RED3 // [d0 0 0 d0] - - VSLDB $12, ADD2, ADD1, T0 // ADD1 Free->T0 - VSLDB $12, T2, ADD2, T1 // ADD2 Free->T1, T2 Free - - VACCQ T0, RED1, CAR1 - VAQ T0, RED1, T0 - VACCCQ T1, RED2, CAR1, T2 - VACQ T1, RED2, CAR1, T1 - - VACCQ T0, ADD3, CAR1 - VAQ T0, ADD3, T0 - VACCCQ T1, ADD4, CAR1, CAR2 - VACQ T1, ADD4, CAR1, T1 - VAQ T2, CAR2, T2 - - VL 48(CPOOL), SEL2 - VL 64(CPOOL), SEL3 - VL 80(CPOOL), SEL4 - VPERM RED3, T0, SEL2, RED1 // [d0 0 d1 d0] - VPERM RED3, T0, SEL3, RED2 // [ 0 d1 d0 d1] - VPERM RED3, T0, SEL4, RED3 // [ 0 0 d1 d0] - VSQ RED3, RED2, RED2 // Guaranteed not to underflow - - VSLDB $12, T1, T0, T0 - VSLDB $12, T2, T1, T1 - - VACCQ T0, ADD3H, CAR1 - VAQ T0, ADD3H, T0 - VACCCQ T1, ADD4H, CAR1, T2 - VACQ T1, ADD4H, CAR1, T1 - - // --------------------------------------------------- - - VREPF $3, Y1, YDIG - VMALHF X0, YDIG, T0, ADD1H - VMALHF X1, YDIG, T1, ADD2H - VMALF X0, YDIG, T0, ADD1 - VMALF X1, YDIG, T1, ADD2 - - VREPF $2, Y1, YDIG - VMALF X0, YDIG, ADD1H, ADD3 - VMALF X1, YDIG, ADD2H, ADD4 - VMALHF X0, YDIG, ADD1H, ADD3H // ADD1H Free - VMALHF X1, YDIG, ADD2H, ADD4H // ADD2H Free - - VZERO ZER - VL 32(CPOOL), SEL1 - VPERM ZER, ADD1, SEL1, RED3 // [d0 0 0 d0] - - VSLDB $12, ADD2, ADD1, T0 // ADD1 Free - VSLDB $12, T2, ADD2, T1 // ADD2 Free - - VACCQ T0, RED1, CAR1 - VAQ T0, RED1, T0 - VACCCQ T1, RED2, CAR1, T2 - VACQ T1, RED2, CAR1, T1 - - VACCQ T0, ADD3, CAR1 - VAQ T0, ADD3, T0 - VACCCQ T1, ADD4, CAR1, CAR2 - VACQ T1, ADD4, CAR1, T1 - VAQ T2, CAR2, T2 - - VL 48(CPOOL), SEL2 - VL 64(CPOOL), SEL3 - VL 80(CPOOL), SEL4 - VPERM RED3, T0, SEL2, RED1 // [d0 0 d1 d0] - VPERM RED3, T0, SEL3, RED2 // [ 0 d1 d0 d1] - VPERM RED3, T0, SEL4, RED3 // [ 0 0 d1 d0] - VSQ RED3, RED2, RED2 // Guaranteed not to underflow - - VSLDB $12, T1, T0, T0 - VSLDB $12, T2, T1, T1 - - VACCQ T0, ADD3H, CAR1 - VAQ T0, ADD3H, T0 - VACCCQ T1, ADD4H, CAR1, T2 - VACQ T1, ADD4H, CAR1, T1 - - // --------------------------------------------------- - - VREPF $1, Y1, YDIG - VMALHF X0, YDIG, T0, ADD1H - VMALHF X1, YDIG, T1, ADD2H - VMALF X0, YDIG, T0, ADD1 - VMALF X1, YDIG, T1, ADD2 - - VREPF $0, Y1, YDIG - VMALF X0, YDIG, ADD1H, ADD3 - VMALF X1, YDIG, ADD2H, ADD4 - VMALHF X0, YDIG, ADD1H, ADD3H - VMALHF X1, YDIG, ADD2H, ADD4H - - VZERO ZER - VL 32(CPOOL), SEL1 - VPERM ZER, ADD1, SEL1, RED3 // [d0 0 0 d0] - - VSLDB $12, ADD2, ADD1, T0 - VSLDB $12, T2, ADD2, T1 - - VACCQ T0, RED1, CAR1 - VAQ T0, RED1, T0 - VACCCQ T1, RED2, CAR1, T2 - VACQ T1, RED2, CAR1, T1 - - VACCQ T0, ADD3, CAR1 - VAQ T0, ADD3, T0 - VACCCQ T1, ADD4, CAR1, CAR2 - VACQ T1, ADD4, CAR1, T1 - VAQ T2, CAR2, T2 - - VL 96(CPOOL), SEL5 - VL 112(CPOOL), SEL6 - VPERM T0, RED3, SEL5, RED2 // [d1 d0 d1 d0] - VPERM T0, RED3, SEL6, RED1 // [ 0 d1 d0 0] - VSQ RED1, RED2, RED2 // Guaranteed not to underflow - - VSLDB $12, T1, T0, T0 - VSLDB $12, T2, T1, T1 - - VACCQ T0, ADD3H, CAR1 - VAQ T0, ADD3H, T0 - VACCCQ T1, ADD4H, CAR1, T2 - VACQ T1, ADD4H, CAR1, T1 - - VACCQ T0, RED1, CAR1 - VAQ T0, RED1, T0 - VACCCQ T1, RED2, CAR1, CAR2 - VACQ T1, RED2, CAR1, T1 - VAQ T2, CAR2, T2 - - // --------------------------------------------------- - - VZERO RED3 - VSCBIQ P0, T0, CAR1 - VSQ P0, T0, ADD1H - VSBCBIQ T1, P1, CAR1, CAR2 - VSBIQ T1, P1, CAR1, ADD2H - VSBIQ T2, RED3, CAR2, T2 - - // what output to use, ADD2H||ADD1H or T1||T0? - VSEL T0, ADD1H, T2, T0 - VSEL T1, ADD2H, T2, T1 - RET - -#undef CPOOL - -#undef X0 -#undef X1 -#undef Y0 -#undef Y1 -#undef T0 -#undef T1 -#undef P0 -#undef P1 - -#undef SEL1 -#undef SEL2 -#undef SEL3 -#undef SEL4 -#undef SEL5 -#undef SEL6 - -#undef YDIG -#undef ADD1H -#undef ADD2H -#undef ADD3 -#undef ADD4 -#undef RED1 -#undef RED2 -#undef RED3 -#undef T2 -#undef ADD1 -#undef ADD2 -#undef ADD3H -#undef ADD4H -#undef ZER -#undef CAR1 -#undef CAR2 - -// --------------------------------------- - -// Parameters -#define X0 V0 -#define X1 V1 -#define Y0 V2 -#define Y1 V3 - -TEXT p256SqrInternal<>(SB), NOFRAME|NOSPLIT, $0 - VLR X0, Y0 - VLR X1, Y1 - BR p256MulInternal<>(SB) - -#undef X0 -#undef X1 -#undef Y0 -#undef Y1 - -#define p256SubInternal(T1, T0, X1, X0, Y1, Y0) \ - VZERO ZER \ - VSCBIQ Y0, X0, CAR1 \ - VSQ Y0, X0, T0 \ - VSBCBIQ X1, Y1, CAR1, SEL1 \ - VSBIQ X1, Y1, CAR1, T1 \ - VSQ SEL1, ZER, SEL1 \ - \ - VACCQ T0, PL, CAR1 \ - VAQ T0, PL, TT0 \ - VACQ T1, PH, CAR1, TT1 \ - \ - VSEL T0, TT0, SEL1, T0 \ - VSEL T1, TT1, SEL1, T1 \ - -#define p256AddInternal(T1, T0, X1, X0, Y1, Y0) \ - VACCQ X0, Y0, CAR1 \ - VAQ X0, Y0, T0 \ - VACCCQ X1, Y1, CAR1, T2 \ - VACQ X1, Y1, CAR1, T1 \ - \ - VZERO ZER \ - VSCBIQ PL, T0, CAR1 \ - VSQ PL, T0, TT0 \ - VSBCBIQ T1, PH, CAR1, CAR2 \ - VSBIQ T1, PH, CAR1, TT1 \ - VSBIQ T2, ZER, CAR2, SEL1 \ - \ - VSEL T0, TT0, SEL1, T0 \ - VSEL T1, TT1, SEL1, T1 - -#define p256HalfInternal(T1, T0, X1, X0) \ - VZERO ZER \ - VSBIQ ZER, ZER, X0, SEL1 \ - \ - VACCQ X0, PL, CAR1 \ - VAQ X0, PL, T0 \ - VACCCQ X1, PH, CAR1, T2 \ - VACQ X1, PH, CAR1, T1 \ - \ - VSEL X0, T0, SEL1, T0 \ - VSEL X1, T1, SEL1, T1 \ - VSEL ZER, T2, SEL1, T2 \ - \ - VSLDB $15, T2, ZER, TT1 \ - VSLDB $15, T1, ZER, TT0 \ - VREPIB $1, SEL1 \ - VSRL SEL1, T0, T0 \ - VSRL SEL1, T1, T1 \ - VREPIB $7, SEL1 \ - VSL SEL1, TT0, TT0 \ - VSL SEL1, TT1, TT1 \ - VO T0, TT0, T0 \ - VO T1, TT1, T1 - -// --------------------------------------- -// func p256Mul(res, in1, in2 *p256Element) -#define res_ptr R1 -#define x_ptr R2 -#define y_ptr R3 -#define CPOOL R4 - -// Parameters -#define X0 V0 -#define X1 V1 -#define Y0 V2 -#define Y1 V3 -#define T0 V4 -#define T1 V5 - -// Constants -#define P0 V30 -#define P1 V31 -TEXT ·p256Mul(SB), NOSPLIT, $0 - MOVD res+0(FP), res_ptr - MOVD in1+8(FP), x_ptr - MOVD in2+16(FP), y_ptr - - VL (0*16)(x_ptr), X0 - VPDI $0x4, X0, X0, X0 - VL (1*16)(x_ptr), X1 - VPDI $0x4, X1, X1, X1 - VL (0*16)(y_ptr), Y0 - VPDI $0x4, Y0, Y0, Y0 - VL (1*16)(y_ptr), Y1 - VPDI $0x4, Y1, Y1, Y1 - - MOVD $p256mul<>+0x00(SB), CPOOL - VL 16(CPOOL), P0 - VL 0(CPOOL), P1 - - CALL p256MulInternal<>(SB) - - VPDI $0x4, T0, T0, T0 - VST T0, (0*16)(res_ptr) - VPDI $0x4, T1, T1, T1 - VST T1, (1*16)(res_ptr) - RET - -#undef res_ptr -#undef x_ptr -#undef y_ptr -#undef CPOOL - -#undef X0 -#undef X1 -#undef Y0 -#undef Y1 -#undef T0 -#undef T1 -#undef P0 -#undef P1 - -// --------------------------------------- -// func p256Sqr(res, in *p256Element, n int) -#define res_ptr R1 -#define x_ptr R2 -#define y_ptr R3 -#define CPOOL R4 -#define COUNT R5 -#define N R6 - -// Parameters -#define X0 V0 -#define X1 V1 -#define T0 V4 -#define T1 V5 - -// Constants -#define P0 V30 -#define P1 V31 -TEXT ·p256Sqr(SB), NOSPLIT, $0 - MOVD res+0(FP), res_ptr - MOVD in+8(FP), x_ptr - - VL (0*16)(x_ptr), X0 - VPDI $0x4, X0, X0, X0 - VL (1*16)(x_ptr), X1 - VPDI $0x4, X1, X1, X1 - - MOVD $p256mul<>+0x00(SB), CPOOL - MOVD $0, COUNT - MOVD n+16(FP), N - VL 16(CPOOL), P0 - VL 0(CPOOL), P1 - -loop: - CALL p256SqrInternal<>(SB) - VLR T0, X0 - VLR T1, X1 - ADDW $1, COUNT - CMPW COUNT, N - BLT loop - - VPDI $0x4, T0, T0, T0 - VST T0, (0*16)(res_ptr) - VPDI $0x4, T1, T1, T1 - VST T1, (1*16)(res_ptr) - RET - -#undef res_ptr -#undef x_ptr -#undef y_ptr -#undef CPOOL -#undef COUNT -#undef N - -#undef X0 -#undef X1 -#undef T0 -#undef T1 -#undef P0 -#undef P1 - -// Point add with P2 being affine point -// If sign == 1 -> P2 = -P2 -// If sel == 0 -> P3 = P1 -// if zero == 0 -> P3 = P2 -// func p256PointAddAffineAsm(res, in1 *P256Point, in2 *p256AffinePoint, sign, sel, zero int) -#define P3ptr R1 -#define P1ptr R2 -#define P2ptr R3 -#define CPOOL R4 - -// Temporaries in REGs -#define Y2L V15 -#define Y2H V16 -#define T1L V17 -#define T1H V18 -#define T2L V19 -#define T2H V20 -#define T3L V21 -#define T3H V22 -#define T4L V23 -#define T4H V24 - -// Temps for Sub and Add -#define TT0 V11 -#define TT1 V12 -#define T2 V13 - -// p256MulAsm Parameters -#define X0 V0 -#define X1 V1 -#define Y0 V2 -#define Y1 V3 -#define T0 V4 -#define T1 V5 - -#define PL V30 -#define PH V31 - -// Names for zero/sel selects -#define X1L V0 -#define X1H V1 -#define Y1L V2 // p256MulAsmParmY -#define Y1H V3 // p256MulAsmParmY -#define Z1L V4 -#define Z1H V5 -#define X2L V0 -#define X2H V1 -#define Z2L V4 -#define Z2H V5 -#define X3L V17 // T1L -#define X3H V18 // T1H -#define Y3L V21 // T3L -#define Y3H V22 // T3H -#define Z3L V28 -#define Z3H V29 - -#define ZER V6 -#define SEL1 V7 -#define CAR1 V8 -#define CAR2 V9 -/* * - * Three operand formula: - * Source: 2004 Hankerson–Menezes–Vanstone, page 91. - * T1 = Z1² - * T2 = T1*Z1 - * T1 = T1*X2 - * T2 = T2*Y2 - * T1 = T1-X1 - * T2 = T2-Y1 - * Z3 = Z1*T1 - * T3 = T1² - * T4 = T3*T1 - * T3 = T3*X1 - * T1 = 2*T3 - * X3 = T2² - * X3 = X3-T1 - * X3 = X3-T4 - * T3 = T3-X3 - * T3 = T3*T2 - * T4 = T4*Y1 - * Y3 = T3-T4 - - * Three operand formulas, but with MulInternal X,Y used to store temps -X=Z1; Y=Z1; MUL;T- // T1 = Z1² T1 -X=T ; Y- ; MUL;T2=T // T2 = T1*Z1 T1 T2 -X- ; Y=X2; MUL;T1=T // T1 = T1*X2 T1 T2 -X=T2; Y=Y2; MUL;T- // T2 = T2*Y2 T1 T2 -SUB(T2<T-Y1) // T2 = T2-Y1 T1 T2 -SUB(Y<T1-X1) // T1 = T1-X1 T1 T2 -X=Z1; Y- ; MUL;Z3:=T// Z3 = Z1*T1 T2 -X=Y; Y- ; MUL;X=T // T3 = T1*T1 T2 -X- ; Y- ; MUL;T4=T // T4 = T3*T1 T2 T4 -X- ; Y=X1; MUL;T3=T // T3 = T3*X1 T2 T3 T4 -ADD(T1<T+T) // T1 = T3+T3 T1 T2 T3 T4 -X=T2; Y=T2; MUL;T- // X3 = T2*T2 T1 T2 T3 T4 -SUB(T<T-T1) // X3 = X3-T1 T1 T2 T3 T4 -SUB(T<T-T4) X3:=T // X3 = X3-T4 T2 T3 T4 -SUB(X<T3-T) // T3 = T3-X3 T2 T3 T4 -X- ; Y- ; MUL;T3=T // T3 = T3*T2 T2 T3 T4 -X=T4; Y=Y1; MUL;T- // T4 = T4*Y1 T3 T4 -SUB(T<T3-T) Y3:=T // Y3 = T3-T4 T3 T4 - - */ -TEXT ·p256PointAddAffineAsm(SB), NOSPLIT, $0 - MOVD res+0(FP), P3ptr - MOVD in1+8(FP), P1ptr - MOVD in2+16(FP), P2ptr - - MOVD $p256mul<>+0x00(SB), CPOOL - VL 16(CPOOL), PL - VL 0(CPOOL), PH - - // if (sign == 1) { - // Y2 = fromBig(new(big.Int).Mod(new(big.Int).Sub(p256.P, new(big.Int).SetBytes(Y2)), p256.P)) // Y2 = P-Y2 - // } - - VL 48(P2ptr), Y2H - VPDI $0x4, Y2H, Y2H, Y2H - VL 32(P2ptr), Y2L - VPDI $0x4, Y2L, Y2L, Y2L - - VLREPG sign+24(FP), SEL1 - VZERO ZER - VCEQG SEL1, ZER, SEL1 - - VSCBIQ Y2L, PL, CAR1 - VSQ Y2L, PL, T1L - VSBIQ PH, Y2H, CAR1, T1H - - VSEL Y2L, T1L, SEL1, Y2L - VSEL Y2H, T1H, SEL1, Y2H - -/* * - * Three operand formula: - * Source: 2004 Hankerson–Menezes–Vanstone, page 91. - */ - // X=Z1; Y=Z1; MUL; T- // T1 = Z1² T1 - VL 80(P1ptr), X1 // Z1H - VPDI $0x4, X1, X1, X1 - VL 64(P1ptr), X0 // Z1L - VPDI $0x4, X0, X0, X0 - VLR X0, Y0 - VLR X1, Y1 - CALL p256SqrInternal<>(SB) - - // X=T ; Y- ; MUL; T2=T // T2 = T1*Z1 T1 T2 - VLR T0, X0 - VLR T1, X1 - CALL p256MulInternal<>(SB) - VLR T0, T2L - VLR T1, T2H - - // X- ; Y=X2; MUL; T1=T // T1 = T1*X2 T1 T2 - VL 16(P2ptr), Y1 // X2H - VPDI $0x4, Y1, Y1, Y1 - VL 0(P2ptr), Y0 // X2L - VPDI $0x4, Y0, Y0, Y0 - CALL p256MulInternal<>(SB) - VLR T0, T1L - VLR T1, T1H - - // X=T2; Y=Y2; MUL; T- // T2 = T2*Y2 T1 T2 - VLR T2L, X0 - VLR T2H, X1 - VLR Y2L, Y0 - VLR Y2H, Y1 - CALL p256MulInternal<>(SB) - - // SUB(T2<T-Y1) // T2 = T2-Y1 T1 T2 - VL 48(P1ptr), Y1H - VPDI $0x4, Y1H, Y1H, Y1H - VL 32(P1ptr), Y1L - VPDI $0x4, Y1L, Y1L, Y1L - p256SubInternal(T2H,T2L,T1,T0,Y1H,Y1L) - - // SUB(Y<T1-X1) // T1 = T1-X1 T1 T2 - VL 16(P1ptr), X1H - VPDI $0x4, X1H, X1H, X1H - VL 0(P1ptr), X1L - VPDI $0x4, X1L, X1L, X1L - p256SubInternal(Y1,Y0,T1H,T1L,X1H,X1L) - - // X=Z1; Y- ; MUL; Z3:=T// Z3 = Z1*T1 T2 - VL 80(P1ptr), X1 // Z1H - VPDI $0x4, X1, X1, X1 - VL 64(P1ptr), X0 // Z1L - VPDI $0x4, X0, X0, X0 - CALL p256MulInternal<>(SB) - - // VST T1, 64(P3ptr) - // VST T0, 80(P3ptr) - VLR T0, Z3L - VLR T1, Z3H - - // X=Y; Y- ; MUL; X=T // T3 = T1*T1 T2 - VLR Y0, X0 - VLR Y1, X1 - CALL p256SqrInternal<>(SB) - VLR T0, X0 - VLR T1, X1 - - // X- ; Y- ; MUL; T4=T // T4 = T3*T1 T2 T4 - CALL p256MulInternal<>(SB) - VLR T0, T4L - VLR T1, T4H - - // X- ; Y=X1; MUL; T3=T // T3 = T3*X1 T2 T3 T4 - VL 16(P1ptr), Y1 // X1H - VPDI $0x4, Y1, Y1, Y1 - VL 0(P1ptr), Y0 // X1L - VPDI $0x4, Y0, Y0, Y0 - CALL p256MulInternal<>(SB) - VLR T0, T3L - VLR T1, T3H - - // ADD(T1<T+T) // T1 = T3+T3 T1 T2 T3 T4 - p256AddInternal(T1H,T1L, T1,T0,T1,T0) - - // X=T2; Y=T2; MUL; T- // X3 = T2*T2 T1 T2 T3 T4 - VLR T2L, X0 - VLR T2H, X1 - VLR T2L, Y0 - VLR T2H, Y1 - CALL p256SqrInternal<>(SB) - - // SUB(T<T-T1) // X3 = X3-T1 T1 T2 T3 T4 (T1 = X3) - p256SubInternal(T1,T0,T1,T0,T1H,T1L) - - // SUB(T<T-T4) X3:=T // X3 = X3-T4 T2 T3 T4 - p256SubInternal(T1,T0,T1,T0,T4H,T4L) - VLR T0, X3L - VLR T1, X3H - - // SUB(X<T3-T) // T3 = T3-X3 T2 T3 T4 - p256SubInternal(X1,X0,T3H,T3L,T1,T0) - - // X- ; Y- ; MUL; T3=T // T3 = T3*T2 T2 T3 T4 - CALL p256MulInternal<>(SB) - VLR T0, T3L - VLR T1, T3H - - // X=T4; Y=Y1; MUL; T- // T4 = T4*Y1 T3 T4 - VLR T4L, X0 - VLR T4H, X1 - VL 48(P1ptr), Y1 // Y1H - VPDI $0x4, Y1, Y1, Y1 - VL 32(P1ptr), Y0 // Y1L - VPDI $0x4, Y0, Y0, Y0 - CALL p256MulInternal<>(SB) - - // SUB(T<T3-T) Y3:=T // Y3 = T3-T4 T3 T4 (T3 = Y3) - p256SubInternal(Y3H,Y3L,T3H,T3L,T1,T0) - - // if (sel == 0) { - // copy(P3.x[:], X1) - // copy(P3.y[:], Y1) - // copy(P3.z[:], Z1) - // } - - VL 16(P1ptr), X1H - VPDI $0x4, X1H, X1H, X1H - VL 0(P1ptr), X1L - VPDI $0x4, X1L, X1L, X1L - - // Y1 already loaded, left over from addition - VL 80(P1ptr), Z1H - VPDI $0x4, Z1H, Z1H, Z1H - VL 64(P1ptr), Z1L - VPDI $0x4, Z1L, Z1L, Z1L - - VLREPG sel+32(FP), SEL1 - VZERO ZER - VCEQG SEL1, ZER, SEL1 - - VSEL X1L, X3L, SEL1, X3L - VSEL X1H, X3H, SEL1, X3H - VSEL Y1L, Y3L, SEL1, Y3L - VSEL Y1H, Y3H, SEL1, Y3H - VSEL Z1L, Z3L, SEL1, Z3L - VSEL Z1H, Z3H, SEL1, Z3H - - // if (zero == 0) { - // copy(P3.x[:], X2) - // copy(P3.y[:], Y2) - // copy(P3.z[:], []byte{0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - // 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}) //(p256.z*2^256)%p - // } - VL 16(P2ptr), X2H - VPDI $0x4, X2H, X2H, X2H - VL 0(P2ptr), X2L - VPDI $0x4, X2L, X2L, X2L - - // Y2 already loaded - VL 128(CPOOL), Z2H - VL 144(CPOOL), Z2L - - VLREPG zero+40(FP), SEL1 - VZERO ZER - VCEQG SEL1, ZER, SEL1 - - VSEL X2L, X3L, SEL1, X3L - VSEL X2H, X3H, SEL1, X3H - VSEL Y2L, Y3L, SEL1, Y3L - VSEL Y2H, Y3H, SEL1, Y3H - VSEL Z2L, Z3L, SEL1, Z3L - VSEL Z2H, Z3H, SEL1, Z3H - - // All done, store out the result!!! - VPDI $0x4, X3H, X3H, X3H - VST X3H, 16(P3ptr) - VPDI $0x4, X3L, X3L, X3L - VST X3L, 0(P3ptr) - VPDI $0x4, Y3H, Y3H, Y3H - VST Y3H, 48(P3ptr) - VPDI $0x4, Y3L, Y3L, Y3L - VST Y3L, 32(P3ptr) - VPDI $0x4, Z3H, Z3H, Z3H - VST Z3H, 80(P3ptr) - VPDI $0x4, Z3L, Z3L, Z3L - VST Z3L, 64(P3ptr) - - RET - -#undef P3ptr -#undef P1ptr -#undef P2ptr -#undef CPOOL - -#undef Y2L -#undef Y2H -#undef T1L -#undef T1H -#undef T2L -#undef T2H -#undef T3L -#undef T3H -#undef T4L -#undef T4H - -#undef TT0 -#undef TT1 -#undef T2 - -#undef X0 -#undef X1 -#undef Y0 -#undef Y1 -#undef T0 -#undef T1 - -#undef PL -#undef PH - -#undef X1L -#undef X1H -#undef Y1L -#undef Y1H -#undef Z1L -#undef Z1H -#undef X2L -#undef X2H -#undef Z2L -#undef Z2H -#undef X3L -#undef X3H -#undef Y3L -#undef Y3H -#undef Z3L -#undef Z3H - -#undef ZER -#undef SEL1 -#undef CAR1 -#undef CAR2 - -// func p256PointDoubleAsm(res, in *P256Point) -// https://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl -// https://www.hyperelliptic.org/EFD/g1p/auto-shortw.html -// https://www.hyperelliptic.org/EFD/g1p/auto-shortw-projective-3.html -#define P3ptr R1 -#define P1ptr R2 -#define CPOOL R4 - -// Temporaries in REGs -#define X3L V15 -#define X3H V16 -#define Y3L V17 -#define Y3H V18 -#define T1L V19 -#define T1H V20 -#define T2L V21 -#define T2H V22 -#define T3L V23 -#define T3H V24 - -#define X1L V6 -#define X1H V7 -#define Y1L V8 -#define Y1H V9 -#define Z1L V10 -#define Z1H V11 - -// Temps for Sub and Add -#define TT0 V11 -#define TT1 V12 -#define T2 V13 - -// p256MulAsm Parameters -#define X0 V0 -#define X1 V1 -#define Y0 V2 -#define Y1 V3 -#define T0 V4 -#define T1 V5 - -#define PL V30 -#define PH V31 - -#define Z3L V23 -#define Z3H V24 - -#define ZER V26 -#define SEL1 V27 -#define CAR1 V28 -#define CAR2 V29 -/* - * https://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2004-hmv - * Cost: 4M + 4S + 1*half + 5add + 2*2 + 1*3. - * Source: 2004 Hankerson–Menezes–Vanstone, page 91. - * A = 3(X₁-Z₁²)×(X₁+Z₁²) - * B = 2Y₁ - * Z₃ = B×Z₁ - * C = B² - * D = C×X₁ - * X₃ = A²-2D - * Y₃ = (D-X₃)×A-C²/2 - * - * Three-operand formula: - * T1 = Z1² - * T2 = X1-T1 - * T1 = X1+T1 - * T2 = T2*T1 - * T2 = 3*T2 - * Y3 = 2*Y1 - * Z3 = Y3*Z1 - * Y3 = Y3² - * T3 = Y3*X1 - * Y3 = Y3² - * Y3 = half*Y3 - * X3 = T2² - * T1 = 2*T3 - * X3 = X3-T1 - * T1 = T3-X3 - * T1 = T1*T2 - * Y3 = T1-Y3 - */ - -TEXT ·p256PointDoubleAsm(SB), NOSPLIT, $0 - MOVD res+0(FP), P3ptr - MOVD in+8(FP), P1ptr - - MOVD $p256mul<>+0x00(SB), CPOOL - VL 16(CPOOL), PL - VL 0(CPOOL), PH - - // X=Z1; Y=Z1; MUL; T- // T1 = Z1² - VL 80(P1ptr), X1 // Z1H - VPDI $0x4, X1, X1, X1 - VL 64(P1ptr), X0 // Z1L - VPDI $0x4, X0, X0, X0 - VLR X0, Y0 - VLR X1, Y1 - CALL p256SqrInternal<>(SB) - - // SUB(X<X1-T) // T2 = X1-T1 - VL 16(P1ptr), X1H - VPDI $0x4, X1H, X1H, X1H - VL 0(P1ptr), X1L - VPDI $0x4, X1L, X1L, X1L - p256SubInternal(X1,X0,X1H,X1L,T1,T0) - - // ADD(Y<X1+T) // T1 = X1+T1 - p256AddInternal(Y1,Y0,X1H,X1L,T1,T0) - - // X- ; Y- ; MUL; T- // T2 = T2*T1 - CALL p256MulInternal<>(SB) - - // ADD(T2<T+T); ADD(T2<T2+T) // T2 = 3*T2 - p256AddInternal(T2H,T2L,T1,T0,T1,T0) - p256AddInternal(T2H,T2L,T2H,T2L,T1,T0) - - // ADD(X<Y1+Y1) // Y3 = 2*Y1 - VL 48(P1ptr), Y1H - VPDI $0x4, Y1H, Y1H, Y1H - VL 32(P1ptr), Y1L - VPDI $0x4, Y1L, Y1L, Y1L - p256AddInternal(X1,X0,Y1H,Y1L,Y1H,Y1L) - - // X- ; Y=Z1; MUL; Z3:=T // Z3 = Y3*Z1 - VL 80(P1ptr), Y1 // Z1H - VPDI $0x4, Y1, Y1, Y1 - VL 64(P1ptr), Y0 // Z1L - VPDI $0x4, Y0, Y0, Y0 - CALL p256MulInternal<>(SB) - VPDI $0x4, T1, T1, TT1 - VST TT1, 80(P3ptr) - VPDI $0x4, T0, T0, TT0 - VST TT0, 64(P3ptr) - - // X- ; Y=X ; MUL; T- // Y3 = Y3² - VLR X0, Y0 - VLR X1, Y1 - CALL p256SqrInternal<>(SB) - - // X=T ; Y=X1; MUL; T3=T // T3 = Y3*X1 - VLR T0, X0 - VLR T1, X1 - VL 16(P1ptr), Y1 - VPDI $0x4, Y1, Y1, Y1 - VL 0(P1ptr), Y0 - VPDI $0x4, Y0, Y0, Y0 - CALL p256MulInternal<>(SB) - VLR T0, T3L - VLR T1, T3H - - // X- ; Y=X ; MUL; T- // Y3 = Y3² - VLR X0, Y0 - VLR X1, Y1 - CALL p256SqrInternal<>(SB) - - // HAL(Y3<T) // Y3 = half*Y3 - p256HalfInternal(Y3H,Y3L, T1,T0) - - // X=T2; Y=T2; MUL; T- // X3 = T2² - VLR T2L, X0 - VLR T2H, X1 - VLR T2L, Y0 - VLR T2H, Y1 - CALL p256SqrInternal<>(SB) - - // ADD(T1<T3+T3) // T1 = 2*T3 - p256AddInternal(T1H,T1L,T3H,T3L,T3H,T3L) - - // SUB(X3<T-T1) X3:=X3 // X3 = X3-T1 - p256SubInternal(X3H,X3L,T1,T0,T1H,T1L) - VPDI $0x4, X3H, X3H, TT1 - VST TT1, 16(P3ptr) - VPDI $0x4, X3L, X3L, TT0 - VST TT0, 0(P3ptr) - - // SUB(X<T3-X3) // T1 = T3-X3 - p256SubInternal(X1,X0,T3H,T3L,X3H,X3L) - - // X- ; Y- ; MUL; T- // T1 = T1*T2 - CALL p256MulInternal<>(SB) - - // SUB(Y3<T-Y3) // Y3 = T1-Y3 - p256SubInternal(Y3H,Y3L,T1,T0,Y3H,Y3L) - - VPDI $0x4, Y3H, Y3H, Y3H - VST Y3H, 48(P3ptr) - VPDI $0x4, Y3L, Y3L, Y3L - VST Y3L, 32(P3ptr) - RET - -#undef P3ptr -#undef P1ptr -#undef CPOOL -#undef X3L -#undef X3H -#undef Y3L -#undef Y3H -#undef T1L -#undef T1H -#undef T2L -#undef T2H -#undef T3L -#undef T3H -#undef X1L -#undef X1H -#undef Y1L -#undef Y1H -#undef Z1L -#undef Z1H -#undef TT0 -#undef TT1 -#undef T2 -#undef X0 -#undef X1 -#undef Y0 -#undef Y1 -#undef T0 -#undef T1 -#undef PL -#undef PH -#undef Z3L -#undef Z3H -#undef ZER -#undef SEL1 -#undef CAR1 -#undef CAR2 - -// func p256PointAddAsm(res, in1, in2 *P256Point) int -#define P3ptr R1 -#define P1ptr R2 -#define P2ptr R3 -#define CPOOL R4 -#define ISZERO R5 -#define TRUE R6 - -// Temporaries in REGs -#define T1L V16 -#define T1H V17 -#define T2L V18 -#define T2H V19 -#define U1L V20 -#define U1H V21 -#define S1L V22 -#define S1H V23 -#define HL V24 -#define HH V25 -#define RL V26 -#define RH V27 - -// Temps for Sub and Add -#define ZER V6 -#define SEL1 V7 -#define CAR1 V8 -#define CAR2 V9 -#define TT0 V11 -#define TT1 V12 -#define T2 V13 - -// p256MulAsm Parameters -#define X0 V0 -#define X1 V1 -#define Y0 V2 -#define Y1 V3 -#define T0 V4 -#define T1 V5 - -#define PL V30 -#define PH V31 -/* - * https://delta.cs.cinvestav.mx/~francisco/arith/julio.pdf "Software Implementation of the NIST Elliptic Curves Over Prime Fields" - * - * A = X₁×Z₂² - * B = Y₁×Z₂³ - * C = X₂×Z₁²-A - * D = Y₂×Z₁³-B - * X₃ = D² - 2A×C² - C³ - * Y₃ = D×(A×C² - X₃) - B×C³ - * Z₃ = Z₁×Z₂×C - * - * Three-operand formula (adopted): https://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2 - * Temp storage: T1,T2,U1,H,Z3=X3=Y3,S1,R - * - * T1 = Z1*Z1 - * T2 = Z2*Z2 - * U1 = X1*T2 - * H = X2*T1 - * H = H-U1 - * Z3 = Z1*Z2 - * Z3 = Z3*H << store-out Z3 result reg.. could override Z1, if slices have same backing array - * - * S1 = Z2*T2 - * S1 = Y1*S1 - * R = Z1*T1 - * R = Y2*R - * R = R-S1 - * - * T1 = H*H - * T2 = H*T1 - * U1 = U1*T1 - * - * X3 = R*R - * X3 = X3-T2 - * T1 = 2*U1 - * X3 = X3-T1 << store-out X3 result reg - * - * T2 = S1*T2 - * Y3 = U1-X3 - * Y3 = R*Y3 - * Y3 = Y3-T2 << store-out Y3 result reg - - // X=Z1; Y=Z1; MUL; T- // T1 = Z1*Z1 - // X- ; Y=T ; MUL; R=T // R = Z1*T1 - // X=X2; Y- ; MUL; H=T // H = X2*T1 - // X=Z2; Y=Z2; MUL; T- // T2 = Z2*Z2 - // X- ; Y=T ; MUL; S1=T // S1 = Z2*T2 - // X=X1; Y- ; MUL; U1=T // U1 = X1*T2 - // SUB(H<H-T) // H = H-U1 - // X=Z1; Y=Z2; MUL; T- // Z3 = Z1*Z2 - // X=T ; Y=H ; MUL; Z3:=T// Z3 = Z3*H << store-out Z3 result reg.. could override Z1, if slices have same backing array - // X=Y1; Y=S1; MUL; S1=T // S1 = Y1*S1 - // X=Y2; Y=R ; MUL; T- // R = Y2*R - // SUB(R<T-S1) // R = R-S1 - // X=H ; Y=H ; MUL; T- // T1 = H*H - // X- ; Y=T ; MUL; T2=T // T2 = H*T1 - // X=U1; Y- ; MUL; U1=T // U1 = U1*T1 - // X=R ; Y=R ; MUL; T- // X3 = R*R - // SUB(T<T-T2) // X3 = X3-T2 - // ADD(X<U1+U1) // T1 = 2*U1 - // SUB(T<T-X) X3:=T // X3 = X3-T1 << store-out X3 result reg - // SUB(Y<U1-T) // Y3 = U1-X3 - // X=R ; Y- ; MUL; U1=T // Y3 = R*Y3 - // X=S1; Y=T2; MUL; T- // T2 = S1*T2 - // SUB(T<U1-T); Y3:=T // Y3 = Y3-T2 << store-out Y3 result reg - */ -TEXT ·p256PointAddAsm(SB), NOSPLIT, $0 - MOVD res+0(FP), P3ptr - MOVD in1+8(FP), P1ptr - MOVD in2+16(FP), P2ptr - - MOVD $p256mul<>+0x00(SB), CPOOL - VL 16(CPOOL), PL - VL 0(CPOOL), PH - - // X=Z1; Y=Z1; MUL; T- // T1 = Z1*Z1 - VL 80(P1ptr), X1 // Z1H - VPDI $0x4, X1, X1, X1 - VL 64(P1ptr), X0 // Z1L - VPDI $0x4, X0, X0, X0 - VLR X0, Y0 - VLR X1, Y1 - CALL p256SqrInternal<>(SB) - - // X- ; Y=T ; MUL; R=T // R = Z1*T1 - VLR T0, Y0 - VLR T1, Y1 - CALL p256MulInternal<>(SB) - VLR T0, RL - VLR T1, RH - - // X=X2; Y- ; MUL; H=T // H = X2*T1 - VL 16(P2ptr), X1 // X2H - VPDI $0x4, X1, X1, X1 - VL 0(P2ptr), X0 // X2L - VPDI $0x4, X0, X0, X0 - CALL p256MulInternal<>(SB) - VLR T0, HL - VLR T1, HH - - // X=Z2; Y=Z2; MUL; T- // T2 = Z2*Z2 - VL 80(P2ptr), X1 // Z2H - VPDI $0x4, X1, X1, X1 - VL 64(P2ptr), X0 // Z2L - VPDI $0x4, X0, X0, X0 - VLR X0, Y0 - VLR X1, Y1 - CALL p256SqrInternal<>(SB) - - // X- ; Y=T ; MUL; S1=T // S1 = Z2*T2 - VLR T0, Y0 - VLR T1, Y1 - CALL p256MulInternal<>(SB) - VLR T0, S1L - VLR T1, S1H - - // X=X1; Y- ; MUL; U1=T // U1 = X1*T2 - VL 16(P1ptr), X1 // X1H - VPDI $0x4, X1, X1, X1 - VL 0(P1ptr), X0 // X1L - VPDI $0x4, X0, X0, X0 - CALL p256MulInternal<>(SB) - VLR T0, U1L - VLR T1, U1H - - // SUB(H<H-T) // H = H-U1 - p256SubInternal(HH,HL,HH,HL,T1,T0) - - // if H == 0 or H^P == 0 then ret=1 else ret=0 - // clobbers T1H and T1L - MOVD $0, ISZERO - MOVD $1, TRUE - VZERO ZER - VO HL, HH, T1H - VCEQGS ZER, T1H, T1H - MOVDEQ TRUE, ISZERO - VX HL, PL, T1L - VX HH, PH, T1H - VO T1L, T1H, T1H - VCEQGS ZER, T1H, T1H - MOVDEQ TRUE, ISZERO - MOVD ISZERO, ret+24(FP) - - // X=Z1; Y=Z2; MUL; T- // Z3 = Z1*Z2 - VL 80(P1ptr), X1 // Z1H - VPDI $0x4, X1, X1, X1 - VL 64(P1ptr), X0 // Z1L - VPDI $0x4, X0, X0, X0 - VL 80(P2ptr), Y1 // Z2H - VPDI $0x4, Y1, Y1, Y1 - VL 64(P2ptr), Y0 // Z2L - VPDI $0x4, Y0, Y0, Y0 - CALL p256MulInternal<>(SB) - - // X=T ; Y=H ; MUL; Z3:=T// Z3 = Z3*H - VLR T0, X0 - VLR T1, X1 - VLR HL, Y0 - VLR HH, Y1 - CALL p256MulInternal<>(SB) - VPDI $0x4, T1, T1, TT1 - VST TT1, 80(P3ptr) - VPDI $0x4, T0, T0, TT0 - VST TT0, 64(P3ptr) - - // X=Y1; Y=S1; MUL; S1=T // S1 = Y1*S1 - VL 48(P1ptr), X1 - VPDI $0x4, X1, X1, X1 - VL 32(P1ptr), X0 - VPDI $0x4, X0, X0, X0 - VLR S1L, Y0 - VLR S1H, Y1 - CALL p256MulInternal<>(SB) - VLR T0, S1L - VLR T1, S1H - - // X=Y2; Y=R ; MUL; T- // R = Y2*R - VL 48(P2ptr), X1 - VPDI $0x4, X1, X1, X1 - VL 32(P2ptr), X0 - VPDI $0x4, X0, X0, X0 - VLR RL, Y0 - VLR RH, Y1 - CALL p256MulInternal<>(SB) - - // SUB(R<T-S1) // R = T-S1 - p256SubInternal(RH,RL,T1,T0,S1H,S1L) - - // if R == 0 or R^P == 0 then ret=ret else ret=0 - // clobbers T1H and T1L - MOVD $0, ISZERO - MOVD $1, TRUE - VZERO ZER - VO RL, RH, T1H - VCEQGS ZER, T1H, T1H - MOVDEQ TRUE, ISZERO - VX RL, PL, T1L - VX RH, PH, T1H - VO T1L, T1H, T1H - VCEQGS ZER, T1H, T1H - MOVDEQ TRUE, ISZERO - AND ret+24(FP), ISZERO - MOVD ISZERO, ret+24(FP) - - // X=H ; Y=H ; MUL; T- // T1 = H*H - VLR HL, X0 - VLR HH, X1 - VLR HL, Y0 - VLR HH, Y1 - CALL p256SqrInternal<>(SB) - - // X- ; Y=T ; MUL; T2=T // T2 = H*T1 - VLR T0, Y0 - VLR T1, Y1 - CALL p256MulInternal<>(SB) - VLR T0, T2L - VLR T1, T2H - - // X=U1; Y- ; MUL; U1=T // U1 = U1*T1 - VLR U1L, X0 - VLR U1H, X1 - CALL p256MulInternal<>(SB) - VLR T0, U1L - VLR T1, U1H - - // X=R ; Y=R ; MUL; T- // X3 = R*R - VLR RL, X0 - VLR RH, X1 - VLR RL, Y0 - VLR RH, Y1 - CALL p256SqrInternal<>(SB) - - // SUB(T<T-T2) // X3 = X3-T2 - p256SubInternal(T1,T0,T1,T0,T2H,T2L) - - // ADD(X<U1+U1) // T1 = 2*U1 - p256AddInternal(X1,X0,U1H,U1L,U1H,U1L) - - // SUB(T<T-X) X3:=T // X3 = X3-T1 << store-out X3 result reg - p256SubInternal(T1,T0,T1,T0,X1,X0) - VPDI $0x4, T1, T1, TT1 - VST TT1, 16(P3ptr) - VPDI $0x4, T0, T0, TT0 - VST TT0, 0(P3ptr) - - // SUB(Y<U1-T) // Y3 = U1-X3 - p256SubInternal(Y1,Y0,U1H,U1L,T1,T0) - - // X=R ; Y- ; MUL; U1=T // Y3 = R*Y3 - VLR RL, X0 - VLR RH, X1 - CALL p256MulInternal<>(SB) - VLR T0, U1L - VLR T1, U1H - - // X=S1; Y=T2; MUL; T- // T2 = S1*T2 - VLR S1L, X0 - VLR S1H, X1 - VLR T2L, Y0 - VLR T2H, Y1 - CALL p256MulInternal<>(SB) - - // SUB(T<U1-T); Y3:=T // Y3 = Y3-T2 << store-out Y3 result reg - p256SubInternal(T1,T0,U1H,U1L,T1,T0) - VPDI $0x4, T1, T1, T1 - VST T1, 48(P3ptr) - VPDI $0x4, T0, T0, T0 - VST T0, 32(P3ptr) - - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_ordinv.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_ordinv.go deleted file mode 100644 index 156a873188c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_ordinv.go +++ /dev/null @@ -1,102 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (amd64 || arm64) && !purego - -package nistec - -import "errors" - -// Montgomery multiplication modulo org(G). Sets res = in1 * in2 * R⁻¹. -// -//go:noescape -func p256OrdMul(res, in1, in2 *p256OrdElement) - -// Montgomery square modulo org(G), repeated n times (n >= 1). -// -//go:noescape -func p256OrdSqr(res, in *p256OrdElement, n int) - -func P256OrdInverse(k []byte) ([]byte, error) { - if len(k) != 32 { - return nil, errors.New("invalid scalar length") - } - - x := new(p256OrdElement) - p256OrdBigToLittle(x, (*[32]byte)(k)) - p256OrdReduce(x) - - // Inversion is implemented as exponentiation by n - 2, per Fermat's little theorem. - // - // The sequence of 38 multiplications and 254 squarings is derived from - // https://briansmith.org/ecc-inversion-addition-chains-01#p256_scalar_inversion - _1 := new(p256OrdElement) - _11 := new(p256OrdElement) - _101 := new(p256OrdElement) - _111 := new(p256OrdElement) - _1111 := new(p256OrdElement) - _10101 := new(p256OrdElement) - _101111 := new(p256OrdElement) - t := new(p256OrdElement) - - // This code operates in the Montgomery domain where R = 2²⁵⁶ mod n and n is - // the order of the scalar field. Elements in the Montgomery domain take the - // form a×R and p256OrdMul calculates (a × b × R⁻¹) mod n. RR is R in the - // domain, or R×R mod n, thus p256OrdMul(x, RR) gives x×R, i.e. converts x - // into the Montgomery domain. - RR := &p256OrdElement{0x83244c95be79eea2, 0x4699799c49bd6fa6, - 0x2845b2392b6bec59, 0x66e12d94f3d95620} - - p256OrdMul(_1, x, RR) // _1 - p256OrdSqr(x, _1, 1) // _10 - p256OrdMul(_11, x, _1) // _11 - p256OrdMul(_101, x, _11) // _101 - p256OrdMul(_111, x, _101) // _111 - p256OrdSqr(x, _101, 1) // _1010 - p256OrdMul(_1111, _101, x) // _1111 - - p256OrdSqr(t, x, 1) // _10100 - p256OrdMul(_10101, t, _1) // _10101 - p256OrdSqr(x, _10101, 1) // _101010 - p256OrdMul(_101111, _101, x) // _101111 - p256OrdMul(x, _10101, x) // _111111 = x6 - p256OrdSqr(t, x, 2) // _11111100 - p256OrdMul(t, t, _11) // _11111111 = x8 - p256OrdSqr(x, t, 8) // _ff00 - p256OrdMul(x, x, t) // _ffff = x16 - p256OrdSqr(t, x, 16) // _ffff0000 - p256OrdMul(t, t, x) // _ffffffff = x32 - - p256OrdSqr(x, t, 64) - p256OrdMul(x, x, t) - p256OrdSqr(x, x, 32) - p256OrdMul(x, x, t) - - sqrs := []int{ - 6, 5, 4, 5, 5, - 4, 3, 3, 5, 9, - 6, 2, 5, 6, 5, - 4, 5, 5, 3, 10, - 2, 5, 5, 3, 7, 6} - muls := []*p256OrdElement{ - _101111, _111, _11, _1111, _10101, - _101, _101, _101, _111, _101111, - _1111, _1, _1, _1111, _111, - _111, _111, _101, _11, _101111, - _11, _11, _11, _1, _10101, _1111} - - for i, s := range sqrs { - p256OrdSqr(x, x, s) - p256OrdMul(x, x, muls[i]) - } - - // Montgomery multiplication by R⁻¹, or 1 outside the domain as R⁻¹×R = 1, - // converts a Montgomery value out of the domain. - one := &p256OrdElement{1} - p256OrdMul(x, x, one) - - var xOut [32]byte - p256OrdLittleToBig(&xOut, x) - return xOut[:], nil -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_ordinv_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_ordinv_noasm.go deleted file mode 100644 index 9cbb1a89dba..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_ordinv_noasm.go +++ /dev/null @@ -1,13 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!amd64 && !arm64) || purego - -package nistec - -import "errors" - -func P256OrdInverse(k []byte) ([]byte, error) { - return nil, errors.New("unimplemented") -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_table.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_table.go deleted file mode 100644 index cfdada836ef..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p256_table.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package nistec - -// p256PrecomputedEmbed is the precomputed table of P-256 basepoint multiples. -// See [p256Precomputed]. It's not embedded with go:embed because it's not -// supported within the FIPS module boundary. -var p256PrecomputedEmbed = [...]byte{0x3c, 0x14, 0xa9, 0x18, 0xd4, 0x30, 0xe7, 0x79, 0x1, 0xb6, 0xed, 0x5f, 0xfc, 0x95, 0xba, 0x75, 0x10, 0x25, 0x62, 0x77, 0x2b, 0x73, 0xfb, 0x79, 0xc6, 0x55, 0x37, 0xa5, 0x76, 0x5f, 0x90, 0x18, 0xa, 0x56, 0x95, 0xce, 0x57, 0x53, 0xf2, 0xdd, 0x5c, 0xe4, 0x19, 0xba, 0xe4, 0xb8, 0x4a, 0x8b, 0x25, 0xf3, 0x21, 0xdd, 0x88, 0x86, 0xe8, 0xd2, 0x85, 0x5d, 0x88, 0x25, 0x18, 0xff, 0x71, 0x85, 0x4d, 0xd6, 0xdd, 0x10, 0xd4, 0x46, 0x0, 0x85, 0x7d, 0x82, 0x33, 0xa4, 0xc1, 0xe3, 0x6a, 0xaa, 0xd9, 0x90, 0x14, 0x8d, 0x3, 0x5, 0x22, 0x73, 0x3b, 0x3a, 0xcf, 0x3d, 0xe4, 0x32, 0xbb, 0xf6, 0xa5, 0xe1, 0xbe, 0x61, 0xd3, 0x48, 0x36, 0x2f, 0xf8, 0x6f, 0x23, 0xeb, 0xcb, 0xd7, 0x2c, 0x15, 0xbe, 0x2d, 0x4, 0x92, 0xe, 0xfb, 0xa8, 0x19, 0x3b, 0x8a, 0x5b, 0xa, 0x51, 0x77, 0xc5, 0x78, 0x27, 0xc1, 0xeb, 0x4e, 0x90, 0x3f, 0xac, 0xff, 0xfb, 0x81, 0x7d, 0x8, 0x4a, 0xf8, 0x27, 0xb0, 0x98, 0xbc, 0xcb, 0x87, 0xdd, 0x77, 0xad, 0x66, 0x7e, 0x74, 0xff, 0xb6, 0x3f, 0x6a, 0x93, 0x26, 0xeb, 0xa7, 0x83, 0xc9, 0x1f, 0x5c, 0x4c, 0xb0, 0x1a, 0xfe, 0x61, 0x8, 0xad, 0x47, 0x3e, 0x58, 0x8e, 0xe9, 0x2e, 0x1a, 0x31, 0x8, 0x82, 0x78, 0x7, 0xcc, 0x87, 0xe5, 0x29, 0x6a, 0xf0, 0xd5, 0xcc, 0x8d, 0x91, 0x46, 0xd, 0xb5, 0xb0, 0x74, 0x73, 0xc1, 0x23, 0xc6, 0xed, 0xa6, 0x50, 0x46, 0xf2, 0xa, 0x10, 0xe8, 0xac, 0xac, 0xda, 0xc, 0x6b, 0x17, 0xb0, 0x41, 0xf5, 0x62, 0x73, 0x57, 0xa6, 0xab, 0xcb, 0xe4, 0x4c, 0xf2, 0x96, 0x2d, 0x47, 0xf4, 0xd6, 0xfa, 0x71, 0x84, 0x62, 0x17, 0x2e, 0xd2, 0xdd, 0xe5, 0xde, 0x36, 0x6c, 0x6b, 0x63, 0xb8, 0x5a, 0x4c, 0x39, 0x4c, 0xb1, 0x84, 0xf5, 0x61, 0x5c, 0xc4, 0xae, 0x8a, 0x1b, 0xbe, 0x7d, 0x53, 0xb9, 0x94, 0x9a, 0x64, 0xec, 0x90, 0xc, 0xc2, 0x76, 0xd0, 0xaa, 0xb5, 0x1c, 0x94, 0xc8, 0x23, 0x5, 0x89, 0x5, 0x96, 0x7, 0xc9, 0x10, 0x4f, 0xba, 0xe7, 0x4a, 0x9b, 0x30, 0xeb, 0x2b, 0x88, 0xeb, 0xe5, 0xef, 0x68, 0xc5, 0x73, 0x68, 0x1f, 0x7a, 0x7e, 0x87, 0xa9, 0x40, 0x35, 0x16, 0xe9, 0xd1, 0x2d, 0xbb, 0x76, 0xa0, 0x73, 0x4a, 0x66, 0x77, 0x3e, 0x37, 0x47, 0x39, 0x40, 0x3e, 0xee, 0x6c, 0x34, 0x4f, 0x74, 0xae, 0x55, 0xad, 0xa3, 0x17, 0x5b, 0x1a, 0x96, 0xa, 0xd5, 0x73, 0x36, 0x21, 0x54, 0x59, 0x4b, 0x7, 0x13, 0x4b, 0xe4, 0x77, 0xd3, 0x20, 0x62, 0xd3, 0x93, 0xb5, 0x14, 0xff, 0xad, 0x53, 0x2b, 0x9c, 0x29, 0x11, 0x9f, 0x63, 0xef, 0x4c, 0xd4, 0x24, 0xf4, 0x5f, 0xf7, 0x7, 0x4a, 0x6d, 0x91, 0xc9, 0xa4, 0x4f, 0x3b, 0x17, 0xa0, 0x4e, 0x35, 0x46, 0x7, 0xf7, 0x0, 0x3c, 0xd2, 0x13, 0x2, 0xd2, 0x2b, 0x8, 0xbb, 0x23, 0xc, 0xb5, 0xaa, 0x3e, 0xf4, 0x3, 0x3e, 0x12, 0xc3, 0x19, 0x51, 0xba, 0x13, 0x4d, 0x9d, 0x5b, 0x3f, 0x30, 0xd0, 0x47, 0x28, 0xdd, 0x7b, 0xa6, 0x5d, 0xf2, 0xf2, 0x42, 0x67, 0x95, 0x41, 0xc9, 0x77, 0xdc, 0x3b, 0x93, 0xef, 0x67, 0x8, 0x24, 0x6e, 0x15, 0xd9, 0xed, 0xea, 0x8f, 0xa7, 0x99, 0x94, 0xd1, 0x4c, 0xf1, 0x27, 0x55, 0x34, 0x9b, 0x6f, 0xc5, 0xb5, 0x2a, 0x46, 0x6b, 0xfc, 0x2c, 0xf0, 0x2a, 0xf0, 0x90, 0x8f, 0xd, 0x23, 0x65, 0xb2, 0x1e, 0x89, 0x63, 0xb7, 0x77, 0x49, 0x2d, 0x53, 0xa9, 0xa3, 0x9d, 0xf5, 0x15, 0xba, 0x9e, 0xcf, 0x7d, 0x32, 0xe3, 0x21, 0xf0, 0xbb, 0x60, 0xbe, 0x84, 0x7b, 0x3c, 0x12, 0x76, 0xdf, 0x6, 0x77, 0xf2, 0x12, 0xec, 0x56, 0xe8, 0x20, 0x4e, 0x26, 0x8f, 0x6e, 0xc9, 0x75, 0x41, 0xa8, 0xa7, 0x59, 0xed, 0xbf, 0xe6, 0xab, 0x0, 0xeb, 0xc8, 0x44, 0x4, 0x9c, 0xc0, 0x2c, 0x6b, 0xe1, 0xc4, 0xf0, 0x80, 0x30, 0x5b, 0xe0, 0x14, 0x33, 0x5f, 0xa4, 0x7a, 0x77, 0xb7, 0x1e, 0xe3, 0x45, 0x5d, 0xce, 0xed, 0x7b, 0xaf, 0x56, 0x1a, 0x2f, 0xb1, 0x88, 0x9a, 0x1, 0x6e, 0x2b, 0x9b, 0x5f, 0x83, 0xfd, 0xcd, 0x59, 0x66, 0x8, 0xc8, 0x1e, 0xc2, 0x9d, 0xd1, 0xdb, 0x18, 0x2c, 0x39, 0x81, 0xcf, 0xf, 0x8a, 0x86, 0xf9, 0x98, 0x49, 0xb, 0x25, 0x48, 0xd6, 0x2c, 0x7d, 0x73, 0x8f, 0x42, 0xb3, 0x24, 0x47, 0xc9, 0x61, 0xcc, 0x76, 0x9e, 0xdd, 0x80, 0x78, 0x40, 0x2b, 0xc, 0x8, 0xbe, 0x3f, 0x38, 0x91, 0x89, 0x3a, 0xc4, 0xd2, 0xe5, 0x9b, 0x77, 0x65, 0x2d, 0x7d, 0x5f, 0xb5, 0x4a, 0x3b, 0xeb, 0x54, 0x9a, 0x71, 0x78, 0x4, 0xe4, 0x45, 0x62, 0xa, 0x26, 0x7d, 0xea, 0xe0, 0xdf, 0x7f, 0x6e, 0x95, 0x7, 0xe4, 0x9d, 0xb5, 0x1a, 0xac, 0x8d, 0x15, 0xa4, 0xf3, 0x1f, 0x73, 0x90, 0x9c, 0x64, 0xf1, 0x90, 0x70, 0x3e, 0x88, 0x4e, 0x94, 0x2b, 0x61, 0x85, 0x76, 0x1a, 0xc8, 0x61, 0x7f, 0xe5, 0x9e, 0x93, 0xf, 0x25, 0x3d, 0x64, 0xad, 0x1e, 0x89, 0xaa, 0xd, 0xc, 0x8e, 0xb8, 0x25, 0xe1, 0x23, 0x0, 0x93, 0x68, 0x68, 0x77, 0x69, 0xd2, 0xa7, 0x1a, 0xb7, 0x4, 0x33, 0x5a, 0x34, 0xca, 0xf5, 0xde, 0xde, 0xab, 0x5e, 0x38, 0x37, 0xee, 0x9d, 0xd2, 0x9, 0x24, 0x56, 0xe1, 0x83, 0xcb, 0x77, 0xdf, 0xe1, 0x4e, 0x43, 0x5b, 0xbb, 0x1c, 0xd9, 0x12, 0xac, 0xc, 0x37, 0x56, 0x89, 0xca, 0xf6, 0xd2, 0xe, 0x17, 0x66, 0x6d, 0xde, 0x8a, 0xfa, 0x8c, 0x22, 0x28, 0xca, 0x8a, 0x23, 0x53, 0x95, 0x7c, 0xf5, 0x7f, 0x9, 0xd7, 0x2e, 0x4b, 0x63, 0x25, 0xc4, 0xcc, 0xd, 0xd3, 0x6f, 0x85, 0x69, 0x67, 0x35, 0xe, 0x11, 0x98, 0x9e, 0x55, 0x3f, 0xd4, 0xbc, 0xbc, 0x59, 0xb7, 0x95, 0x53, 0xac, 0x77, 0x84, 0x73, 0x7f, 0xe1, 0xe, 0xc0, 0x90, 0x2b, 0x75, 0x35, 0xe3, 0xd2, 0x2e, 0x74, 0x90, 0x83, 0x74, 0x68, 0xc1, 0x5b, 0x1f, 0xbd, 0x22, 0x64, 0xd0, 0x7c, 0x97, 0xb7, 0xe7, 0xc9, 0x69, 0x87, 0xc0, 0xfb, 0x4a, 0x66, 0xcf, 0xb0, 0x5b, 0xa3, 0x42, 0xa2, 0xe3, 0x7, 0x97, 0x7f, 0xf7, 0x48, 0x6e, 0x12, 0x60, 0x26, 0x83, 0xc6, 0x54, 0xbf, 0x17, 0x17, 0x2e, 0xc7, 0x12, 0xfd, 0x32, 0x73, 0xae, 0xfa, 0x6b, 0x58, 0x5d, 0x99, 0xb7, 0x2d, 0xb5, 0x27, 0xc2, 0x37, 0x22, 0x83, 0x9e, 0x56, 0x29, 0xbe, 0xdb, 0xe7, 0x65, 0x2a, 0x3e, 0x19, 0xe4, 0xe8, 0xbb, 0x1b, 0xaa, 0x2e, 0xdc, 0x6, 0x27, 0x15, 0x5b, 0x5, 0x60, 0xbc, 0xb7, 0xd8, 0xbc, 0x72, 0x4b, 0x7e, 0xe2, 0x56, 0xee, 0x23, 0xcc, 0x3, 0x70, 0x93, 0x81, 0xe4, 0x24, 0x74, 0x33, 0xee, 0x9, 0xda, 0xd3, 0xa, 0x43, 0xe, 0xaa, 0xe2, 0x5d, 0xc4, 0x83, 0x63, 0x4f, 0x52, 0xb8, 0x40, 0x25, 0x1b, 0xa4, 0x42, 0x54, 0x35, 0x66, 0xd7, 0x97, 0x47, 0x8a, 0x77, 0xde, 0xa6, 0xef, 0x64, 0xf4, 0xad, 0x79, 0x70, 0xa, 0x17, 0x42, 0x20, 0x80, 0xfb, 0xc6, 0xb, 0x65, 0xb, 0x8b, 0x80, 0x6b, 0x2e, 0xfe, 0x3f, 0x75, 0xe0, 0x82, 0x58, 0x49, 0xf5, 0x83, 0x2c, 0x7c, 0x2f, 0xef, 0xd5, 0x23, 0xb7, 0x3, 0x91, 0x80, 0x3c, 0xd6, 0x54, 0x9b, 0x3f, 0xa2, 0x52, 0xd6, 0x1b, 0xf1, 0xf2, 0x87, 0x65, 0xb, 0x4b, 0x19, 0xc3, 0x70, 0x36, 0x9e, 0xe, 0x58, 0xb1, 0x3b, 0x62, 0xc4, 0x55, 0x20, 0xe2, 0xef, 0x1, 0xb2, 0xf7, 0xed, 0x64, 0x9d, 0x5c, 0x3c, 0xd5, 0xcb, 0x1d, 0x9, 0x97, 0x7b, 0x17, 0xa, 0xac, 0xb6, 0x24, 0x76, 0xf1, 0xff, 0x2d, 0xfe, 0x2c, 0x75, 0x39, 0xf1, 0xb0, 0x4e, 0x57, 0x7a, 0x6c, 0xa, 0x5c, 0xa3, 0xc1, 0x87, 0x99, 0xe7, 0x93, 0x46, 0x31, 0x7d, 0x22, 0xe, 0xb8, 0x9c, 0xe8, 0x30, 0xbf, 0x75, 0x5, 0xbb, 0x83, 0x18, 0xd, 0x7f, 0x24, 0x4e, 0x2f, 0xd0, 0xc3, 0x74, 0x32, 0x26, 0x12, 0xd5, 0xeb, 0x7a, 0xa9, 0xad, 0x56, 0xc8, 0x51, 0x3e, 0x5f, 0x3e, 0x40, 0x8b, 0x8f, 0x4d, 0x96, 0xfc, 0x4a, 0x79, 0x29, 0x2e, 0x41, 0xab, 0x47, 0xf2, 0xa6, 0xda, 0xeb, 0x80, 0x6f, 0x1b, 0xbd, 0x5a, 0x67, 0x1d, 0x5a, 0x48, 0x5e, 0x72, 0xbd, 0xa2, 0x66, 0x3c, 0xb, 0x4f, 0x8f, 0xaf, 0x5c, 0x2a, 0x4b, 0xba, 0x7b, 0x84, 0x1b, 0x7f, 0x92, 0x26, 0x26, 0x4d, 0x39, 0x2, 0x5, 0xd9, 0xc7, 0x6f, 0x6c, 0xe8, 0x9a, 0x65, 0xa5, 0xba, 0x12, 0xa9, 0xfe, 0x6e, 0xa1, 0xe1, 0x25, 0xba, 0x3a, 0x36, 0x68, 0xac, 0x41, 0x2c, 0x75, 0x77, 0x22, 0x84, 0xb8, 0xfc, 0xc3, 0x97, 0x28, 0x28, 0x5c, 0x54, 0xfe, 0x6b, 0x69, 0x4c, 0xdc, 0xe7, 0xe9, 0x36, 0x2d, 0xc5, 0x77, 0xa9, 0xfb, 0x4a, 0x24, 0x6, 0x58, 0xc1, 0x8, 0x95, 0xe3, 0x9b, 0x5e, 0x66, 0x85, 0x7b, 0x59, 0x12, 0x6d, 0x25, 0xee, 0x20, 0xf7, 0x31, 0x7a, 0x33, 0xd2, 0x29, 0x91, 0x97, 0x8a, 0xdc, 0x2b, 0x86, 0xf, 0x8f, 0x86, 0x16, 0x59, 0xba, 0x83, 0xd2, 0x5d, 0xd9, 0x99, 0x80, 0x4, 0x4e, 0xfb, 0x5b, 0xfe, 0xb6, 0xee, 0xd1, 0xe2, 0x5d, 0x0, 0x84, 0x78, 0x41, 0x1c, 0xef, 0x82, 0xae, 0xcb, 0xff, 0xff, 0x17, 0xec, 0xd4, 0xa2, 0x66, 0x5e, 0xa9, 0x8a, 0x3f, 0xc5, 0x61, 0x91, 0xd0, 0xe0, 0xfe, 0xc5, 0xe1, 0x4, 0xe1, 0x5e, 0x8, 0xb2, 0x35, 0xc1, 0xec, 0x4c, 0x2e, 0x56, 0x7d, 0xf4, 0x83, 0x47, 0x65, 0xb2, 0xe1, 0x74, 0x30, 0x3b, 0x3f, 0x5a, 0x6c, 0x50, 0x2a, 0x6d, 0xfc, 0x62, 0x67, 0xc1, 0xf4, 0xd9, 0xea, 0xec, 0xb9, 0xe5, 0x86, 0xe2, 0xb2, 0xd4, 0x9d, 0xf2, 0x61, 0x3c, 0xbb, 0x83, 0xc0, 0xad, 0xf, 0x1b, 0xa4, 0x29, 0xac, 0x7f, 0x3e, 0x2, 0x75, 0x7a, 0xa3, 0x7f, 0x47, 0xc9, 0xf1, 0xd5, 0x86, 0xc0, 0x76, 0x30, 0x6f, 0x2f, 0x35, 0x11, 0xc6, 0xf, 0x9a, 0x2a, 0x91, 0xe3, 0x23, 0xfa, 0x9f, 0xc9, 0x3d, 0xba, 0xf8, 0xd2, 0x85, 0x6, 0xb, 0x6a, 0xa4, 0x58, 0x33, 0xe9, 0xe8, 0x77, 0xc7, 0xfd, 0x4, 0x5f, 0x41, 0x35, 0xbb, 0x87, 0xa7, 0x94, 0xa4, 0xfe, 0x23, 0x4d, 0x6a, 0x2d, 0xc, 0x64, 0xb5, 0x35, 0x3a, 0x15, 0xda, 0x17, 0xe9, 0x9d, 0x74, 0xd0, 0x5c, 0x5d, 0x7, 0x8d, 0x3e, 0x79, 0x68, 0x50, 0xe4, 0x2d, 0x53, 0x76, 0xf8, 0xf4, 0x6e, 0x1f, 0x2e, 0x9e, 0xe8, 0xa7, 0xc7, 0x37, 0x69, 0x40, 0x58, 0xa3, 0xa2, 0x5f, 0x82, 0xd0, 0x42, 0xbf, 0x27, 0x17, 0x7c, 0xea, 0x2c, 0xaf, 0xa9, 0x85, 0x47, 0x9e, 0xfb, 0xa4, 0x60, 0x3, 0x4a, 0x9f, 0x29, 0x27, 0x9c, 0xa4, 0xfd, 0xe5, 0x71, 0x2f, 0xac, 0x71, 0x13, 0x8e, 0x6, 0x48, 0x6f, 0x66, 0x77, 0x90, 0x7b, 0x68, 0xd0, 0x83, 0x19, 0x28, 0xd0, 0x15, 0xb2, 0x83, 0x38, 0x6d, 0x35, 0x9a, 0xdd, 0x40, 0x50, 0x75, 0xd, 0x6d, 0x9f, 0x46, 0x2b, 0x1d, 0xf9, 0xcb, 0xd7, 0x61, 0x15, 0x31, 0xfc, 0x2e, 0x2f, 0x23, 0x7b, 0xf9, 0xc7, 0xcb, 0x4b, 0xb2, 0x50, 0xd7, 0x51, 0xa5, 0x56, 0xe3, 0xa1, 0x88, 0x49, 0x49, 0xea, 0x11, 0x1, 0x75, 0xcb, 0x93, 0x31, 0xf0, 0x69, 0x76, 0x8a, 0x7b, 0x73, 0xca, 0x5e, 0xc5, 0x5d, 0x59, 0x9f, 0x87, 0x37, 0xd8, 0xac, 0x19, 0xa3, 0xa4, 0xb0, 0x67, 0x6b, 0xed, 0x9e, 0xb4, 0xc1, 0x6f, 0xaf, 0xf3, 0xf1, 0x32, 0x33, 0x99, 0x95, 0xe3, 0x2e, 0x2a, 0x43, 0x65, 0xeb, 0x42, 0x67, 0x96, 0x28, 0x62, 0x96, 0xb4, 0xfe, 0xc9, 0x8d, 0x4b, 0x50, 0x39, 0xf4, 0x43, 0x12, 0x63, 0xcc, 0x96, 0xee, 0x31, 0xb7, 0xc9, 0x59, 0x88, 0x6, 0x12, 0x68, 0x99, 0xf7, 0x56, 0xc3, 0x8d, 0x94, 0x7b, 0x8, 0x80, 0x1f, 0xed, 0x32, 0xad, 0xe4, 0x61, 0x38, 0x75, 0xb1, 0xd8, 0x7a, 0x26, 0xc9, 0xe6, 0xfb, 0xf6, 0x7f, 0x85, 0xeb, 0xc5, 0xc7, 0x1a, 0x10, 0xfb, 0xf2, 0x55, 0xa8, 0xaa, 0x4b, 0x99, 0x18, 0x80, 0x24, 0x1d, 0xe1, 0x14, 0xcf, 0x84, 0x8, 0xc5, 0x8a, 0x62, 0x8b, 0x89, 0x39, 0x5a, 0xf5, 0x44, 0xa9, 0x5f, 0x7b, 0xe9, 0xfd, 0x14, 0xc7, 0x5a, 0x2e, 0xd1, 0x30, 0x80, 0x17, 0xed, 0xb4, 0xfe, 0xe2, 0x97, 0xf4, 0x2a, 0x2c, 0x4, 0x13, 0x73, 0xbf, 0xae, 0xd7, 0x42, 0x6a, 0xd3, 0xd7, 0xfd, 0x4f, 0x8, 0xeb, 0xc9, 0xd2, 0x49, 0x6a, 0xc7, 0xf7, 0x2e, 0x4b, 0xa5, 0x8a, 0x9f, 0x70, 0x5e, 0x89, 0x9, 0xba, 0xb7, 0x0, 0x92, 0x58, 0xfb, 0xb7, 0xdd, 0x6f, 0xc6, 0xd0, 0x3b, 0xbb, 0x4c, 0xeb, 0x78, 0x8, 0xd1, 0x97, 0x2d, 0x31, 0xde, 0x4b, 0xd8, 0x68, 0x10, 0x43, 0x2d, 0x1f, 0xcd, 0x2c, 0x17, 0xb7, 0x3e, 0x52, 0x4b, 0x92, 0xa8, 0xa6, 0x30, 0x28, 0xcb, 0x23, 0x73, 0xeb, 0x53, 0xe1, 0xcf, 0xc0, 0x2e, 0x8, 0x97, 0x97, 0xdb, 0xaa, 0xf2, 0x6a, 0x6b, 0x7f, 0xe9, 0xa1, 0x3d, 0xa8, 0xd1, 0x3e, 0x39, 0x3d, 0x1d, 0x68, 0x2a, 0x4b, 0x80, 0xc7, 0xf9, 0xa7, 0xa6, 0x1e, 0xb7, 0xc, 0x2d, 0x48, 0x8b, 0x68, 0x4a, 0x78, 0x52, 0x58, 0x40, 0x5f, 0xcc, 0xb4, 0xa9, 0x32, 0xe1, 0x66, 0xcb, 0x6a, 0xb4, 0x5d, 0x5e, 0x80, 0x58, 0x92, 0xd, 0x3a, 0x96, 0xbe, 0xf1, 0xe2, 0xb9, 0x17, 0x3, 0x27, 0x70, 0x4a, 0x94, 0x48, 0x3d, 0x60, 0x48, 0x59, 0xf9, 0x66, 0xe2, 0x99, 0x88, 0x20, 0x5c, 0x73, 0x66, 0xdb, 0x98, 0xa3, 0x18, 0xfb, 0xa2, 0x47, 0x24, 0x47, 0x90, 0x9f, 0x61, 0x7c, 0x77, 0x39, 0x69, 0x96, 0x8a, 0x1b, 0xe2, 0x3b, 0x2a, 0x2a, 0x14, 0x98, 0x37, 0x43, 0xb3, 0x98, 0x32, 0xb1, 0x1c, 0x24, 0xb4, 0xa1, 0x65, 0x4f, 0xb4, 0x49, 0x4e, 0xa1, 0xa3, 0xcd, 0x7a, 0xc7, 0x3a, 0xcd, 0xd6, 0xf4, 0xc5, 0x3c, 0xfc, 0xb6, 0x52, 0xb5, 0x8c, 0x28, 0xd0, 0xbc, 0xa, 0x4, 0x1c, 0x2f, 0x8c, 0xcc, 0xd5, 0x4a, 0x9b, 0xbf, 0x6, 0x1e, 0x51, 0x75, 0xb6, 0x41, 0xa4, 0x3a, 0x9b, 0x37, 0xda, 0x67, 0xd6, 0x72, 0x1f, 0x60, 0x51, 0xce, 0x45, 0xd, 0x46, 0x89, 0xff, 0x55, 0x67, 0x69, 0x3c, 0xf7, 0xe2, 0xe6, 0x17, 0x30, 0x47, 0xe7, 0xf7, 0x3c, 0xdd, 0xd, 0x60, 0xf7, 0x3c, 0x9d, 0x68, 0xf5, 0x8e, 0xb4, 0x87, 0xfc, 0xb1, 0xf8, 0xc4, 0x8d, 0x94, 0x99, 0x32, 0xa5, 0x4e, 0x81, 0xfe, 0xe9, 0xd9, 0x28, 0x60, 0xeb, 0x98, 0xa2, 0x1c, 0x92, 0x2d, 0xfc, 0x3, 0x98, 0xc, 0xfd, 0xed, 0xec, 0xfa, 0x45, 0x47, 0x7b, 0x4d, 0x91, 0xe8, 0x8a, 0xf3, 0xd8, 0xa3, 0xe3, 0xc5, 0xcf, 0xfc, 0xc5, 0xd8, 0xbf, 0xdf, 0x79, 0x40, 0x4c, 0x90, 0xfd, 0xbe, 0x97, 0x1, 0xad, 0xfe, 0x58, 0x6a, 0x6d, 0xbc, 0xa4, 0x32, 0x55, 0x69, 0x77, 0x70, 0x22, 0x39, 0xf5, 0x42, 0xef, 0xdb, 0x6d, 0x3e, 0xe2, 0x9, 0x8, 0x99, 0xa, 0x48, 0x64, 0x9b, 0x44, 0x7e, 0x40, 0x2e, 0x9a, 0xad, 0x1a, 0x9c, 0x96, 0x7b, 0xa4, 0xc2, 0x91, 0x95, 0x92, 0xd7, 0x31, 0x62, 0x80, 0x8b, 0x96, 0x5, 0xf3, 0x96, 0x6d, 0xdb, 0xb9, 0x73, 0x9f, 0x8, 0x13, 0x9, 0xa, 0x38, 0x1, 0x1e, 0xc6, 0xc2, 0x83, 0xb, 0xa7, 0x7d, 0xc7, 0x38, 0x9b, 0x56, 0x94, 0x83, 0xfb, 0x95, 0x2f, 0xfe, 0xed, 0x80, 0x12, 0x65, 0x3c, 0x9a, 0x82, 0xaf, 0xae, 0x8f, 0xb9, 0x6b, 0x72, 0x8f, 0xf8, 0x4b, 0x42, 0x78, 0xa0, 0xa4, 0x10, 0x80, 0x70, 0x49, 0x84, 0xe, 0x44, 0x20, 0x67, 0x29, 0x2a, 0xd6, 0x2a, 0x7a, 0x81, 0xcb, 0xc5, 0x63, 0x54, 0xff, 0x62, 0xac, 0xb9, 0xb6, 0xf2, 0x7e, 0xb5, 0x9d, 0xad, 0xb3, 0xa4, 0xbb, 0x49, 0x37, 0x17, 0xa6, 0xd5, 0x46, 0x2c, 0x1f, 0x31, 0xad, 0x6d, 0x3b, 0xff, 0xc2, 0x87, 0x80, 0x7a, 0xb7, 0xff, 0x34, 0x78, 0x36, 0xf3, 0xea, 0x6f, 0xb4, 0x38, 0xb1, 0xd6, 0x75, 0x6d, 0x26, 0xaa, 0xf8, 0x88, 0x81, 0x0, 0xec, 0x20, 0xd3, 0x38, 0xfa, 0xc6, 0x16, 0x69, 0x4e, 0xfc, 0xaf, 0xf2, 0xc0, 0xda, 0x42, 0x18, 0x81, 0x57, 0x49, 0xb9, 0x6f, 0x57, 0xd1, 0xb4, 0x24, 0xb6, 0xbc, 0x34, 0x60, 0x90, 0xfb, 0x2e, 0x99, 0xc7, 0xfd, 0x2e, 0xde, 0x87, 0x3c, 0x79, 0xac, 0xce, 0x7e, 0x6f, 0xd6, 0xcd, 0xfd, 0xc6, 0x7d, 0x26, 0x26, 0xf0, 0x2, 0x1, 0xc5, 0xa1, 0x9a, 0x5c, 0x23, 0xd3, 0x90, 0xf0, 0x66, 0x46, 0x2b, 0x96, 0x94, 0xe4, 0xf6, 0xfc, 0x46, 0x69, 0x69, 0xfa, 0x8f, 0x6d, 0x48, 0x6d, 0xa5, 0xcb, 0xb9, 0xd8, 0xc6, 0xfb, 0x50, 0x15, 0x5a, 0xf3, 0x90, 0x3e, 0x42, 0x3d, 0x7e, 0x2c, 0x96, 0xdd, 0xc0, 0x95, 0xa1, 0x3d, 0x7c, 0x8b, 0x5d, 0xfd, 0x3c, 0xb0, 0xfd, 0x73, 0xe6, 0xa5, 0xfc, 0x9d, 0x88, 0xc2, 0xb7, 0x4, 0x7, 0xaa, 0x5, 0x23, 0xf5, 0x1f, 0x58, 0xce, 0xf6, 0x53, 0x5e, 0x4d, 0x91, 0xeb, 0x49, 0x9d, 0x39, 0x53, 0xd4, 0x92, 0x7b, 0x36, 0x7c, 0xc9, 0x24, 0xc0, 0x26, 0x9a, 0x24, 0xa2, 0x71, 0xc2, 0xd2, 0x39, 0x4a, 0xd1, 0x89, 0x2b, 0x4b, 0xeb, 0x60, 0x5, 0x80, 0x2e, 0x43, 0x20, 0xde, 0x98, 0x11, 0xd9, 0x80, 0x9b, 0x79, 0x75, 0xea, 0xab, 0x9e, 0xe5, 0x6a, 0x82, 0x8f, 0x2b, 0xc, 0x6e, 0xab, 0xec, 0x61, 0x0, 0xd1, 0xed, 0x4e, 0x0, 0xca, 0xd8, 0x4f, 0x9c, 0xe9, 0x39, 0xf4, 0xa9, 0x31, 0xcd, 0x93, 0xc2, 0x6e, 0x6d, 0x49, 0xa, 0x38, 0xf5, 0x51, 0x70, 0x8e, 0xa7, 0xbd, 0x3d, 0x73, 0xa, 0x14, 0x49, 0xb8, 0x8d, 0x38, 0x7e, 0x3, 0xf6, 0xdb, 0x46, 0x59, 0xb0, 0x32, 0x4b, 0xee, 0xd1, 0x68, 0xe3, 0xca, 0xa9, 0xfd, 0xc4, 0xb1, 0xf3, 0xb2, 0xb0, 0xfd, 0xb0, 0xa7, 0x1, 0x50, 0x6e, 0xc4, 0x3a, 0x2e, 0x74, 0x93, 0xf5, 0x6d, 0x56, 0xe6, 0xb3, 0x39, 0xf2, 0x75, 0xf6, 0x4a, 0xeb, 0x26, 0x78, 0xd6, 0x44, 0x7c, 0xe, 0xb2, 0x37, 0x96, 0x37, 0xac, 0xcf, 0xd3, 0x12, 0x12, 0x5d, 0x3a, 0xe0, 0x7d, 0x87, 0x67, 0x4f, 0x61, 0x26, 0xaa, 0x2b, 0x80, 0xfc, 0xa2, 0x38, 0x75, 0x15, 0x24, 0x25, 0x9d, 0xa1, 0x37, 0x3c, 0x13, 0x87, 0xb5, 0xb4, 0x6e, 0x50, 0x90, 0xb3, 0x7d, 0xd9, 0xd1, 0x49, 0x4c, 0x57, 0xd7, 0x40, 0x5d, 0xba, 0xc4, 0x1, 0xa8, 0x99, 0x6b, 0x12, 0xf1, 0x96, 0x92, 0x94, 0x39, 0x10, 0x81, 0xe3, 0x44, 0xb5, 0xb1, 0x1d, 0x36, 0x7b, 0x82, 0x63, 0x5b, 0xf5, 0xaf, 0x6e, 0x20, 0xed, 0x23, 0x53, 0x3e, 0x90, 0x42, 0x1f, 0xc2, 0xd2, 0x70, 0x23, 0x94, 0xa1, 0x85, 0xd9, 0xe0, 0x2e, 0xaf, 0xca, 0xf2, 0x6d, 0x84, 0x39, 0x72, 0x4b, 0xc6, 0x2c, 0x19, 0xf8, 0x12, 0x63, 0xae, 0x47, 0x8f, 0xb, 0x7c, 0x8, 0x1, 0x62, 0x96, 0x91, 0x1f, 0xc6, 0x7d, 0x47, 0x11, 0x96, 0x70, 0x96, 0xc9, 0xff, 0x40, 0x8c, 0x2c, 0xc2, 0xc7, 0x42, 0x68, 0xe0, 0x79, 0xbd, 0xbb, 0x97, 0x1a, 0xcc, 0xab, 0xf1, 0x63, 0x88, 0x3, 0x73, 0xf0, 0xd0, 0x74, 0xea, 0xe9, 0x66, 0xff, 0xef, 0xd9, 0x4d, 0x50, 0xc3, 0xa6, 0x15, 0x20, 0xe0, 0x57, 0x38, 0xee, 0x54, 0x53, 0xfa, 0x40, 0x70, 0x6d, 0xfe, 0xd7, 0xfe, 0x3b, 0xac, 0x82, 0xca, 0x99, 0xcc, 0x95, 0x2c, 0x69, 0xe9, 0x7d, 0xda, 0xc2, 0x5b, 0xfb, 0x30, 0xb8, 0xbe, 0xd3, 0xf8, 0xf, 0xdf, 0x43, 0xe6, 0xd0, 0x41, 0x96, 0x8a, 0x18, 0xba, 0x77, 0xee, 0x31, 0x2, 0xd5, 0xf6, 0xbc, 0xaa, 0xa3, 0x8a, 0x4e, 0xf, 0x11, 0x49, 0x9a, 0x32, 0x65, 0xfb, 0xf9, 0x20, 0xb2, 0xd6, 0x2d, 0xf6, 0x17, 0x83, 0xd1, 0x5a, 0xea, 0xc3, 0x52, 0x41, 0xed, 0x3c, 0x7e, 0x4a, 0x9c, 0x57, 0x7d, 0x14, 0x6a, 0x29, 0xd, 0x58, 0x6c, 0x2f, 0x94, 0xca, 0x5a, 0x8b, 0x68, 0x39, 0x94, 0x5d, 0x49, 0xc5, 0x89, 0x27, 0x6f, 0x1d, 0x50, 0x4c, 0x50, 0xc, 0xdb, 0x4d, 0xd5, 0xa7, 0xe3, 0xac, 0xbc, 0xf, 0x4d, 0x6a, 0xf1, 0xeb, 0x41, 0x6a, 0x5, 0x6f, 0xbc, 0x6f, 0xb7, 0xc5, 0xd6, 0x5b, 0x82, 0x55, 0xc2, 0x88, 0xe2, 0xd3, 0xe2, 0x42, 0xf, 0x96, 0x77, 0x3, 0x95, 0x44, 0x7b, 0xb5, 0xde, 0xe3, 0x47, 0x3c, 0x9a, 0x17, 0x37, 0x4c, 0xed, 0x3e, 0xa5, 0xd6, 0x35, 0xa3, 0xd2, 0xe, 0x3d, 0xcf, 0x40, 0x82, 0x9f, 0xa5, 0x3a, 0x54, 0xe5, 0x5, 0x4d, 0xd, 0x8c, 0xb4, 0xb4, 0x33, 0xdd, 0xfb, 0xbb, 0xd5, 0x45, 0x8e, 0xd2, 0x7f, 0x13, 0x73, 0xcc, 0x4, 0xfa, 0xfd, 0x3f, 0x3b, 0xc7, 0xef, 0xc6, 0x2a, 0x86, 0xf2, 0x1e, 0xf5, 0x31, 0xf5, 0xf9, 0x3f, 0x40, 0xa2, 0xf5, 0x73, 0xbc, 0xfc, 0xe0, 0xd5, 0x34, 0xb0, 0xfa, 0x59, 0x95, 0x21, 0xef, 0x9a, 0x2c, 0x2d, 0x2f, 0x32, 0x62, 0xce, 0x61, 0x33, 0x83, 0xf9, 0xd, 0xba, 0x72, 0x2b, 0x5e, 0xfd, 0xd3, 0xa, 0x8c, 0x2d, 0x9d, 0x32, 0xe7, 0x85, 0xfc, 0xd4, 0xb8, 0x5d, 0xf1, 0x75, 0x46, 0x23, 0xce, 0x9a, 0x3f, 0x2d, 0xf5, 0x2e, 0xac, 0xf7, 0x6a, 0x92, 0x65, 0xbf, 0x3d, 0x69, 0xf1, 0x55, 0x2d, 0x38, 0x8e, 0x9, 0xd7, 0x6c, 0xcc, 0xc9, 0xb1, 0x4f, 0x3f, 0x91, 0x8, 0x20, 0x68, 0x52, 0xf2, 0x95, 0x3d, 0xc9, 0xea, 0x61, 0xed, 0x20, 0xea, 0x6c, 0xb2, 0xa6, 0x6c, 0xb4, 0x38, 0xed, 0x51, 0xb0, 0x27, 0x43, 0xea, 0xbc, 0xdc, 0x62, 0x86, 0xaa, 0x2a, 0x5d, 0x72, 0x5c, 0x29, 0xaf, 0x6d, 0xda, 0xdc, 0x52, 0x8e, 0x2f, 0x75, 0xd2, 0xba, 0xcc, 0xda, 0x17, 0xb, 0x21, 0xe7, 0x10, 0x22, 0x32, 0x82, 0x1e, 0xd5, 0x12, 0x79, 0x7f, 0xa3, 0xeb, 0xca, 0x40, 0xd5, 0xc, 0x16, 0x0, 0x2a, 0x88, 0x27, 0x1a, 0xa4, 0x5e, 0x14, 0x66, 0x6f, 0xfa, 0x11, 0xc8, 0x51, 0x33, 0x1c, 0xc8, 0xf9, 0x3, 0x54, 0x6f, 0x64, 0xf, 0x8e, 0xe5, 0xee, 0xe3, 0xfa, 0x18, 0xfc, 0xef, 0x20, 0xf9, 0x8d, 0x6c, 0xea, 0x71, 0x9, 0x5e, 0x42, 0x23, 0x79, 0xa7, 0xae, 0xa0, 0xcb, 0xb2, 0xdc, 0xe3, 0xe0, 0xfc, 0x2d, 0x85, 0x4a, 0x5e, 0xaf, 0x1d, 0xbf, 0xdd, 0x3a, 0xcc, 0x44, 0xe1, 0x81, 0x70, 0x4f, 0xcf, 0x82, 0xbe, 0x87, 0xd6, 0xa1, 0xff, 0xd5, 0x72, 0x64, 0xdd, 0xe, 0x6c, 0xb, 0x89, 0x89, 0x63, 0x78, 0xd1, 0x3e, 0x1a, 0x6e, 0xa2, 0xad, 0xaa, 0x3c, 0x48, 0x63, 0x15, 0x27, 0x6f, 0x27, 0xfd, 0x77, 0x60, 0x2f, 0xd9, 0x4c, 0x92, 0xe6, 0x3c, 0x6e, 0x46, 0xa, 0x98, 0xfe, 0xa7, 0x5, 0x1f, 0x2d, 0x90, 0xb1, 0xb0, 0x94, 0xc7, 0xf1, 0x1c, 0x9c, 0xf0, 0xaa, 0x57, 0x63, 0x6, 0xee, 0xd2, 0x76, 0x27, 0xab, 0x8d, 0x87, 0x53, 0x1c, 0x4a, 0x32, 0x4e, 0xae, 0x4c, 0x72, 0xb5, 0x2c, 0x52, 0x83, 0xfe, 0xe0, 0xad, 0x7c, 0x30, 0x13, 0x96, 0x56, 0x39, 0x54, 0x78, 0xbb, 0x2, 0xef, 0x31, 0x4d, 0xb6, 0xb3, 0xf3, 0x2d, 0x59, 0x2c, 0xeb, 0x6a, 0x8b, 0xbc, 0x1a, 0x95, 0x5, 0xf0, 0x5e, 0x27, 0x91, 0x6b, 0x82, 0xbe, 0x60, 0x57, 0x2c, 0x4, 0xa8, 0x82, 0x88, 0x36, 0x21, 0xe5, 0x98, 0x82, 0x27, 0xcd, 0xaf, 0xcf, 0x31, 0xd9, 0x40, 0xa7, 0x97, 0xf5, 0xe0, 0xa, 0x9a, 0x6, 0x7c, 0x10, 0x59, 0xeb, 0xf3, 0xb3, 0xdb, 0xa, 0xb8, 0x8e, 0xaa, 0x5e, 0x1e, 0x95, 0x3e, 0x98, 0x78, 0x8e, 0xb4, 0x11, 0xb5, 0xa8, 0x63, 0xe6, 0xc5, 0xf2, 0x3, 0x8a, 0xd, 0xcc, 0x31, 0x16, 0xe2, 0x71, 0xe2, 0x11, 0x1e, 0xc1, 0x77, 0x75, 0xf6, 0x8f, 0xa0, 0x74, 0x41, 0xbf, 0x5d, 0x8, 0xb, 0x46, 0x76, 0xa5, 0x40, 0xce, 0xba, 0x80, 0x49, 0xba, 0xc1, 0x27, 0xcf, 0xcb, 0x4, 0xd2, 0x49, 0x69, 0x80, 0xe4, 0x32, 0x2f, 0xd1, 0x64, 0xe3, 0xe8, 0xdf, 0x1, 0x22, 0x22, 0xd4, 0xcd, 0xd4, 0x83, 0x5c, 0xd0, 0x6e, 0x3c, 0x5b, 0x3b, 0xc0, 0x0, 0xeb, 0xfc, 0xb3, 0x81, 0xc0, 0xb2, 0x69, 0xd7, 0x67, 0xdd, 0xec, 0x3e, 0xc2, 0xe2, 0x90, 0x9a, 0x36, 0x8, 0x5c, 0x38, 0xb2, 0x33, 0xf8, 0xb4, 0xe, 0x19, 0x9b, 0xc5, 0x90, 0x29, 0x80, 0xac, 0x8e, 0xc6, 0x45, 0x61, 0x9a, 0x81, 0x14, 0xa0, 0xc4, 0x2e, 0x62, 0x6d, 0x78, 0x7a, 0x8d, 0x3a, 0xac, 0x20, 0xbe, 0xad, 0xfa, 0x33, 0x30, 0x2d, 0xba, 0x5a, 0x81, 0x17, 0xa2, 0x31, 0x65, 0xf5, 0xa4, 0xdb, 0x42, 0x27, 0x9d, 0x20, 0xbb, 0xf, 0xaa, 0x55, 0xe3, 0xe9, 0x2c, 0xdb, 0xad, 0xe1, 0xcc, 0x63, 0xb5, 0x24, 0x4f, 0x6f, 0x77, 0x3a, 0xb4, 0x9f, 0x2a, 0x67, 0x66, 0x51, 0x1f, 0x9d, 0xc7, 0x4f, 0x78, 0x40, 0x78, 0xbb, 0xf5, 0xbb, 0x74, 0xf7, 0x6c, 0x1a, 0x82, 0xb3, 0x41, 0xf4, 0x2, 0xdf, 0xce, 0xd4, 0x7b, 0xa2, 0xdf, 0x2a, 0x4e, 0xb8, 0xb9, 0x4e, 0xfa, 0xc5, 0xde, 0xcd, 0xb7, 0xf0, 0xd7, 0xcb, 0xb, 0x91, 0xec, 0x1e, 0x5a, 0x2e, 0x48, 0x40, 0xe6, 0xb7, 0xdf, 0x84, 0x89, 0x16, 0x4b, 0x33, 0xef, 0x8c, 0x38, 0x96, 0x87, 0x33, 0x17, 0xce, 0x1d, 0xe8, 0xf0, 0x20, 0x37, 0x26, 0x9c, 0x94, 0xe6, 0xf6, 0xec, 0xcb, 0x93, 0xf5, 0xaf, 0xfe, 0x56, 0x5c, 0x84, 0x8c, 0xe5, 0xfd, 0x1, 0x56, 0xff, 0x8b, 0x14, 0xb3, 0xcc, 0x2e, 0x17, 0x41, 0xe2, 0x74, 0x78, 0x8a, 0x9a, 0x4c, 0x61, 0x1b, 0xf0, 0xbc, 0x68, 0x98, 0x4c, 0x54, 0x5e, 0xe3, 0x33, 0xa2, 0xfb, 0xd8, 0x65, 0xc7, 0xc9, 0x4b, 0x93, 0x54, 0x1e, 0x75, 0xb, 0xb3, 0x71, 0x65, 0x96, 0xc1, 0x17, 0xc8, 0xa7, 0x91, 0xcf, 0x2f, 0xfd, 0xc4, 0x88, 0xc8, 0xb1, 0xdc, 0x7e, 0xbc, 0x6f, 0x24, 0xff, 0x1b, 0xcc, 0x59, 0xfd, 0x4f, 0x30, 0x27, 0x11, 0x58, 0x9c, 0xe5, 0x8d, 0x4d, 0x5c, 0xc3, 0x21, 0x99, 0x1f, 0x40, 0xb9, 0xff, 0x63, 0xd8, 0x61, 0x69, 0x80, 0x2e, 0x2e, 0x48, 0x14, 0x5b, 0xf1, 0xaf, 0xd7, 0x8b, 0xf3, 0x6b, 0x15, 0xb3, 0x46, 0xb1, 0x81, 0x1d, 0xcb, 0xe4, 0x5e, 0x1b, 0x15, 0xa9, 0x28, 0xd6, 0x41, 0xac, 0xa1, 0x7b, 0x9e, 0x69, 0x89, 0xfd, 0x9c, 0x8f, 0x3a, 0x8f, 0xe7, 0x8b, 0x74, 0xa0, 0xc9, 0xb9, 0x29, 0x73, 0x1f, 0x62, 0x2e, 0xa9, 0x95, 0x1c, 0x39, 0x1d, 0x37, 0xa8, 0x10, 0x4d, 0x21, 0x6b, 0x1e, 0xe5, 0x35, 0xb4, 0x47, 0x49, 0x3a, 0xf5, 0x55, 0xd2, 0x2b, 0x88, 0x20, 0x1f, 0x5a, 0x4, 0x37, 0xc1, 0xc, 0x5, 0x7a, 0x9b, 0xf4, 0x16, 0x4b, 0x92, 0xaf, 0x94, 0x66, 0xea, 0xf5, 0x26, 0xba, 0x8a, 0x3e, 0x6a, 0x82, 0x69, 0x54, 0x28, 0x6, 0x29, 0x27, 0x16, 0x8c, 0xb0, 0xcb, 0xd1, 0xf6, 0x2e, 0x34, 0xc, 0x8c, 0xc5, 0x84, 0x38, 0x31, 0x61, 0xb4, 0xf1, 0xf6, 0xd8, 0x99, 0xc2, 0xc7, 0xa5, 0x87, 0x9f, 0x3e, 0xff, 0xc0, 0xae, 0x5a, 0xcd, 0xe3, 0x8e, 0x78, 0xf1, 0x4, 0x9e, 0x66, 0x7, 0xa2, 0x38, 0x69, 0xa8, 0xaf, 0x27, 0x4f, 0xc1, 0xc0, 0x1, 0x3a, 0xe9, 0x34, 0xa3, 0x47, 0x8b, 0x8, 0x68, 0x36, 0xd9, 0x38, 0x74, 0x62, 0xff, 0x65, 0x59, 0x2a, 0xca, 0xd8, 0x85, 0x9, 0x7a, 0xb3, 0xb9, 0xe9, 0xd6, 0x42, 0x55, 0x9a, 0x3d, 0xe8, 0x72, 0xf9, 0x4c, 0xb, 0xb8, 0x3e, 0xc2, 0xfd, 0x72, 0xdf, 0x4f, 0xbb, 0x33, 0x1c, 0x5c, 0x5a, 0xd4, 0xb3, 0x4c, 0xdd, 0xbd, 0xca, 0x3b, 0xa1, 0x67, 0x7d, 0x41, 0x6b, 0x4d, 0x38, 0xa9, 0x54, 0xfa, 0xa8, 0x6a, 0xba, 0x5b, 0x9f, 0x65, 0xcb, 0xf0, 0xe, 0xcd, 0x21, 0x76, 0x93, 0x4, 0x47, 0x23, 0x8b, 0x51, 0xf5, 0xb2, 0x80, 0xd4, 0x80, 0x87, 0xe3, 0x1f, 0x1e, 0x97, 0x3c, 0x15, 0x38, 0xb5, 0x7, 0xfe, 0xed, 0x8, 0x71, 0x15, 0x29, 0x1, 0x11, 0xab, 0x3, 0x80, 0xd, 0xca, 0x8, 0x61, 0xa8, 0x74, 0xd4, 0x58, 0x4a, 0xc, 0x90, 0x5d, 0x4c, 0xee, 0x8f, 0x8a, 0x4, 0xf8, 0x80, 0x4c, 0x6d, 0xe8, 0x24, 0xc9, 0xc7, 0xe3, 0x60, 0x1e, 0x6a, 0x5, 0xde, 0x89, 0xc8, 0x28, 0x40, 0xa0, 0x14, 0xb2, 0x2e, 0x66, 0xe2, 0x57, 0x47, 0x3, 0xe1, 0x37, 0x98, 0x8e, 0xc4, 0xe8, 0x8a, 0x74, 0xac, 0x80, 0x62, 0x28, 0x74, 0x87, 0xf2, 0x6, 0x6b, 0x18, 0x22, 0x40, 0xc2, 0xf1, 0xd7, 0x51, 0x4e, 0x9, 0x76, 0x33, 0xbb, 0xd0, 0x7a, 0x87, 0xcd, 0x42, 0x22, 0xcc, 0x10, 0x51, 0xc6, 0x97, 0xd1, 0xcf, 0x29, 0x57, 0xd6, 0x7b, 0x71, 0x31, 0xca, 0x8a, 0x5, 0x94, 0x29, 0xf2, 0xa5, 0xae, 0x55, 0x21, 0x15, 0x75, 0x84, 0x7, 0x54, 0x1a, 0x82, 0x9a, 0x48, 0x2d, 0xf1, 0x84, 0x5c, 0xaf, 0x37, 0x37, 0xf9, 0xc1, 0x8c, 0xb1, 0x45, 0x58, 0x48, 0xba, 0xe2, 0xc, 0xba, 0x4f, 0xa, 0x4, 0x74, 0x5f, 0xc3, 0xd4, 0x2d, 0xac, 0x57, 0xc9, 0xea, 0xfc, 0x71, 0xeb, 0x9a, 0x40, 0x23, 0xec, 0xc4, 0x55, 0x82, 0xd7, 0xba, 0x4f, 0xec, 0x76, 0x7b, 0x8a, 0x61, 0xed, 0x59, 0xb3, 0x60, 0x4a, 0x6f, 0xed, 0x26, 0x49, 0x74, 0x12, 0xe3, 0x2d, 0x91, 0x4b, 0x7f, 0x8d, 0x1e, 0xe2, 0x59, 0x5a, 0x70, 0xfc, 0x59, 0x5a, 0x57, 0xe2, 0xe, 0xbc, 0x2d, 0xed, 0xde, 0xd4, 0xf1, 0x72, 0xd2, 0x72, 0x97, 0xb9, 0x5a, 0xd8, 0x79, 0x96, 0x25, 0x1c, 0xcd, 0xdd, 0x7c, 0x71, 0x69, 0x82, 0x77, 0xc3, 0xdc, 0xeb, 0x45, 0x20, 0x97, 0x50, 0xdf, 0xc9, 0xe2, 0x6e, 0x83, 0xde, 0x13, 0xed, 0x7a, 0x21, 0xa7, 0x50, 0x4, 0xf5, 0x39, 0x9f, 0xb6, 0x7, 0xe0, 0xae, 0x41, 0xa9, 0x3b, 0xd3, 0x9a, 0xec, 0x2b, 0xfc, 0x90, 0x71, 0x4f, 0x91, 0x87, 0x24, 0xd9, 0xb0, 0x4e, 0x25, 0xd2, 0x70, 0xb8, 0x26, 0x79, 0xeb, 0xb9, 0x24, 0x2b, 0x3d, 0x9, 0x55, 0xbe, 0xcd, 0xb3, 0x8c, 0xf8, 0xbf, 0xb, 0x64, 0xdd, 0xe4, 0xaf, 0x99, 0xf3, 0xd0, 0x45, 0xed, 0x76, 0x2f, 0x30, 0xe1, 0x5f, 0x3c, 0x3d, 0xfb, 0x64, 0x37, 0xf4, 0x62, 0x35, 0x6f, 0x2d, 0xb6, 0x51, 0x31, 0x18, 0xf3, 0x5a, 0x7b, 0xf3, 0xe5, 0x9c, 0xd7, 0xc7, 0xb, 0xbd, 0xd5, 0xf, 0x89, 0x66, 0xec, 0x20, 0x6b, 0xaf, 0xfd, 0xa2, 0x35, 0x4b, 0xab, 0xe5, 0xb0, 0x72, 0x67, 0xcf, 0xaa, 0xee, 0xf5, 0x1, 0x60, 0x8b, 0x1d, 0x80, 0x95, 0x5b, 0x79, 0xe4, 0x7c, 0x8f, 0x72, 0xda, 0x81, 0xfb, 0x41, 0x2a, 0xed, 0x20, 0x4a, 0xe6, 0x1, 0xec, 0x4f, 0xd4, 0x5c, 0x68, 0x9f, 0xad, 0x50, 0xff, 0xa7, 0xcc, 0xdd, 0xd7, 0x3e, 0xfd, 0x97, 0x2d, 0xc, 0x64, 0xd2, 0xf, 0x46, 0xf9, 0xf4, 0x82, 0xeb, 0x26, 0x14, 0x24, 0x3a, 0xd5, 0x21, 0xd7, 0xd5, 0x62, 0x98, 0x0, 0x80, 0x82, 0xa1, 0xd3, 0x5b, 0xa3, 0x57, 0x33, 0xc, 0xa4, 0xcd, 0xa2, 0x7a, 0x3b, 0xa8, 0xf3, 0x27, 0x85, 0x30, 0xf8, 0xf6, 0x4e, 0xe7, 0x8a, 0xb5, 0x6b, 0xad, 0x6d, 0x2e, 0x81, 0x1a, 0x91, 0x2a, 0x5b, 0x6c, 0x3d, 0xf4, 0x51, 0x60, 0x28, 0xde, 0xd8, 0xc4, 0x96, 0xf9, 0x41, 0xcc, 0xdc, 0x4b, 0x4e, 0xe2, 0xe1, 0xa, 0xc0, 0x2e, 0x31, 0xe7, 0x70, 0xee, 0xe6, 0xaa, 0xfe, 0x68, 0xaf, 0x6f, 0xc9, 0xb0, 0x2, 0x56, 0x15, 0xcc, 0xf4, 0x78, 0x2a, 0x5, 0x94, 0x6e, 0xa8, 0x21, 0x33, 0x7e, 0x80, 0x5d, 0x4d, 0x73, 0xd6, 0xa0, 0xb3, 0x2f, 0xba, 0x43, 0x5a, 0xb2, 0x3b, 0x8f, 0xb9, 0xf3, 0x51, 0x29, 0xee, 0x19, 0x31, 0x80, 0xbf, 0x30, 0x2a, 0x61, 0xb0, 0x21, 0x33, 0xe4, 0xfe, 0x7f, 0xd0, 0x21, 0xb8, 0x2e, 0xe4, 0x75, 0xf7, 0x12, 0xb3, 0x85, 0x64, 0x6e, 0xe7, 0x12, 0xd1, 0xf8, 0xf8, 0x52, 0x1c, 0x77, 0xdb, 0x24, 0x3e, 0x4d, 0x6d, 0x2f, 0x4a, 0x68, 0x41, 0xee, 0xe3, 0x48, 0x51, 0x55, 0xd9, 0x21, 0x7d, 0x95, 0x61, 0x71, 0x6c, 0x2a, 0xb1, 0xcd, 0x83, 0x12, 0x63, 0x19, 0x64, 0xe1, 0x50, 0x2e, 0x82, 0xa8, 0x3f, 0xbf, 0x73, 0xcc, 0x66, 0x31, 0x63, 0x4b, 0x25, 0xf6, 0x38, 0xcc, 0xe8, 0xae, 0xae, 0xa7, 0xef, 0x3a, 0xa9, 0x29, 0xa9, 0x37, 0x80, 0x0, 0xf7, 0x46, 0xbd, 0xc6, 0xfe, 0x19, 0x8e, 0x1a, 0x60, 0x65, 0x62, 0x8b, 0xab, 0x12, 0xdc, 0x5e, 0x7f, 0x53, 0xcf, 0x90, 0x59, 0x5e, 0x95, 0xcd, 0x97, 0xe4, 0xf9, 0xb2, 0xa5, 0x9a, 0x7f, 0x38, 0xcd, 0x2f, 0xe8, 0x8f, 0xb7, 0x67, 0xff, 0xa3, 0xfa, 0xe5, 0x30, 0x5e, 0x5d, 0x29, 0x8d, 0x53, 0xcf, 0x1b, 0xec, 0xa7, 0x13, 0xa8, 0x39, 0x32, 0x57, 0x3a, 0x9, 0x24, 0x7c, 0xd1, 0x6b, 0x28, 0xf5, 0xe9, 0x9b, 0x4d, 0x26, 0x63, 0x93, 0x47, 0x4e, 0x2c, 0xf, 0x88, 0xf6, 0x17, 0xb1, 0x42, 0x70, 0x17, 0x43, 0xee, 0xe1, 0x4c, 0xc8, 0xe2, 0xb7, 0x39, 0xa9, 0xf4, 0x96, 0xd0, 0x22, 0xe7, 0xc8, 0xce, 0x97, 0xe6, 0xd5, 0xbe, 0xcb, 0xae, 0x61, 0x68, 0x11, 0x19, 0x23, 0x6c, 0xf0, 0x53, 0xd1, 0xc2, 0x7a, 0x53, 0x90, 0x28, 0xb8, 0x42, 0x2f, 0xcc, 0xb4, 0x17, 0xa9, 0xd0, 0x51, 0xcb, 0xe2, 0x33, 0x31, 0xf9, 0x99, 0x48, 0xf3, 0xa3, 0xcf, 0xc2, 0xb6, 0xf6, 0xa2, 0xe9, 0x4b, 0x4f, 0xc9, 0xb2, 0xb7, 0x62, 0xa1, 0x7c, 0x81, 0xb1, 0x7, 0x97, 0xd, 0xb1, 0xf8, 0xd5, 0x72, 0xa1, 0x2, 0xb6, 0x2a, 0x54, 0xd4, 0x4f, 0x35, 0x78, 0x30, 0xfd, 0x92, 0x69, 0x99, 0xdd, 0xdd, 0x26, 0xf2, 0xee, 0xe1, 0x15, 0xa, 0xeb, 0x89, 0xa9, 0x1f, 0x22, 0xfd, 0xf9, 0x36, 0x3b, 0x62, 0xfe, 0xb0, 0x79, 0xc0, 0x9f, 0xe1, 0xfd, 0x23, 0x3b, 0x54, 0x26, 0xef, 0x82, 0x84, 0x95, 0xa0, 0x64, 0x6e, 0x13, 0x25, 0x58, 0x9, 0x9b, 0x71, 0x37, 0xf6, 0x23, 0x2e, 0x14, 0xa1, 0xb6, 0x96, 0xd5, 0xcf, 0x14, 0xb, 0xac, 0x5a, 0x33, 0xc6, 0xaa, 0xa6, 0x5e, 0xd5, 0x1d, 0x8, 0xf3, 0xbd, 0xe8, 0xa0, 0x86, 0x2a, 0xc1, 0x3d, 0x0, 0x79, 0x9d, 0xb8, 0x5f, 0xa3, 0x32, 0x11, 0xde, 0x77, 0x86, 0x62, 0x73, 0x47, 0x88, 0xa8, 0x2f, 0x64, 0x7e, 0x12, 0x75, 0x60, 0xe6, 0x49, 0x5b, 0x30, 0x7a, 0x2f, 0x19, 0xa9, 0x6a, 0x43, 0x11, 0xfe, 0x3c, 0x6, 0x1a, 0x89, 0x1, 0x71, 0x4b, 0x57, 0x14, 0x0, 0x72, 0x8d, 0x37, 0x57, 0x2a, 0xde, 0x46, 0xa9, 0xfa, 0x66, 0x30, 0x1c, 0x19, 0x63, 0x5c, 0x49, 0x5c, 0xdb, 0xb4, 0x7d, 0x6b, 0x65, 0x7e, 0x4b, 0x2b, 0x13, 0x4, 0x63, 0xd0, 0x7a, 0xd2, 0xe3, 0xa4, 0xeb, 0x56, 0xfa, 0x19, 0x82, 0xe3, 0x70, 0x57, 0x66, 0x6, 0x4c, 0x75, 0x7a, 0xcf, 0x65, 0x44, 0xf3, 0xc5, 0x69, 0x61, 0xd2, 0x61, 0x91, 0xfe, 0x48, 0xe3, 0xe, 0xdc, 0x22, 0x27, 0xf6, 0x5d, 0x54, 0x4, 0x89, 0x29, 0x6a, 0x59, 0xc6, 0x9c, 0x2a, 0x32, 0x5d, 0x9f, 0x18, 0xd6, 0x43, 0xf0, 0xe9, 0xe3, 0x1e, 0x18, 0x7a, 0x95, 0xce, 0xb4, 0xed, 0x62, 0x5c, 0xfe, 0x49, 0xa, 0x19, 0x8, 0x3d, 0x18, 0x91, 0x36, 0x3d, 0x54, 0x57, 0x2c, 0x23, 0x48, 0x4, 0xa9, 0x8b, 0x31, 0xee, 0x75, 0x58, 0x8f, 0xf2, 0xae, 0x9e, 0xe0, 0xc, 0xd2, 0x66, 0x4a, 0x8a, 0x84, 0x50, 0x3d, 0x61, 0x10, 0xfb, 0x2e, 0xcf, 0x9f, 0xa8, 0xa1, 0x98, 0x4b, 0x27, 0x64, 0xfc, 0x98, 0xd9, 0x1e, 0x5f, 0x41, 0x50, 0x2b, 0x85, 0xe3, 0x56, 0xbb, 0x6a, 0x8, 0xd4, 0x34, 0x2e, 0xf7, 0x3a, 0xc3, 0x15, 0xf6, 0x35, 0xec, 0xe, 0x11, 0x40, 0xea, 0xd9, 0xb, 0x4e, 0xa3, 0xde, 0xc1, 0x5b, 0xbc, 0x12, 0x1c, 0x99, 0x46, 0xae, 0x49, 0xc9, 0x84, 0x65, 0x68, 0x42, 0xb9, 0x97, 0x8c, 0xd3, 0x95, 0xad, 0x13, 0x62, 0x75, 0x5c, 0x4e, 0x1a, 0x56, 0x9, 0x46, 0x89, 0x7f, 0x73, 0xf2, 0xae, 0xa4, 0x94, 0x9e, 0xb6, 0x78, 0x1c, 0x37, 0xc6, 0x94, 0x75, 0xf5, 0xde, 0xa9, 0xed, 0x19, 0xd9, 0x8c, 0x76, 0x5a, 0xd2, 0x51, 0x2a, 0x8e, 0xf4, 0x6, 0x32, 0x6e, 0xef, 0xa3, 0x78, 0x86, 0xc0, 0xe8, 0x56, 0xd3, 0xc9, 0x91, 0x3f, 0x54, 0x6d, 0xd3, 0xf8, 0x93, 0x43, 0x67, 0x8, 0xa4, 0xf4, 0x31, 0xf2, 0xfe, 0xc9, 0xc6, 0x48, 0x91, 0x11, 0x9a, 0x37, 0x4d, 0xce, 0x32, 0x82, 0xdc, 0x1d, 0x58, 0xb5, 0x0, 0x4b, 0x21, 0x2, 0xd7, 0xef, 0x72, 0x7a, 0xa6, 0x92, 0xe8, 0xb4, 0x17, 0xf6, 0xa9, 0x45, 0x61, 0xf1, 0x9f, 0x22, 0x5f, 0x27, 0x2, 0x64, 0xfe, 0xa3, 0x6b, 0x4, 0xdc, 0xa8, 0x3e, 0xb0, 0x6d, 0xcc, 0xda, 0x51, 0x3, 0xd6, 0x73, 0xc8, 0x71, 0x5b, 0x7b, 0x94, 0xc2, 0x37, 0xe3, 0xae, 0x4b, 0x80, 0x43, 0x8b, 0xb0, 0xc7, 0x85, 0x8, 0x90, 0xb9, 0x79, 0x45, 0xc8, 0x61, 0xa6, 0x1e, 0x1f, 0x18, 0x78, 0x1, 0xa5, 0x93, 0xbb, 0xdd, 0xcc, 0x80, 0xb4, 0x9f, 0xcf, 0x3d, 0x88, 0x4d, 0x55, 0x4d, 0x9a, 0xfb, 0xd, 0xc5, 0x71, 0xca, 0x76, 0xea, 0x40, 0x42, 0xe0, 0x2b, 0x14, 0x51, 0xc2, 0x99, 0xfc, 0x7a, 0xfa, 0x3d, 0xa6, 0x9b, 0x89, 0xa3, 0xcd, 0xbb, 0x9f, 0x12, 0x5b, 0x94, 0xed, 0xcc, 0xa4, 0x99, 0xa2, 0x28, 0xd5, 0x4d, 0x3c, 0x92, 0xc0, 0x63, 0x8a, 0x9, 0xb6, 0xe8, 0x68, 0x1b, 0x62, 0x40, 0x3f, 0x6c, 0xa, 0xf5, 0xec, 0xe3, 0x9e, 0x77, 0xe3, 0xfc, 0x65, 0x1, 0xf, 0x9e, 0x5d, 0x49, 0xbd, 0x9d, 0x7f, 0xe, 0xe0, 0x7a, 0x4e, 0x28, 0x20, 0xa2, 0xef, 0xa4, 0x1f, 0x19, 0x62, 0xac, 0x47, 0xde, 0xba, 0x64, 0x45, 0x8e, 0x8e, 0x70, 0xc4, 0x2a, 0x31, 0xe6, 0x90, 0xdf, 0x9a, 0x1e, 0xa7, 0xfb, 0x25, 0x57, 0x4f, 0x9f, 0x4b, 0x68, 0x3d, 0xae, 0x55, 0x5f, 0xe9, 0x15, 0xb4, 0x94, 0x1e, 0xb1, 0xcc, 0xf7, 0x47, 0x1, 0xc2, 0xad, 0xa8, 0xbe, 0x48, 0xfd, 0x50, 0xa8, 0x6, 0xdf, 0x40, 0x0, 0x18, 0x18, 0xce, 0x22, 0xce, 0x82, 0xde, 0x42, 0xca, 0x7, 0x6c, 0x1a, 0x76, 0x24, 0x5a, 0x51, 0x6c, 0x64, 0x23, 0x2f, 0x39, 0x68, 0xb2, 0xf8, 0x91, 0xcf, 0x46, 0x86, 0x14, 0x81, 0x81, 0xff, 0x57, 0xb7, 0xe4, 0xa0, 0x2, 0x61, 0xd2, 0xb, 0x57, 0xdd, 0x94, 0x80, 0xdf, 0x65, 0x3e, 0x2d, 0x4d, 0xc3, 0x2d, 0xd3, 0x56, 0xde, 0x56, 0x44, 0xaf, 0xfe, 0x18, 0x22, 0x79, 0x2, 0x61, 0xe8, 0x68, 0x95, 0xb3, 0xdc, 0x58, 0xa4, 0x28, 0x5c, 0x68, 0xb8, 0xa2, 0x17, 0xa8, 0x95, 0x62, 0x6c, 0xbf, 0xa8, 0x41, 0xdc, 0xd1, 0x98, 0xca, 0x74, 0x40, 0x29, 0x7b, 0xbe, 0x13, 0xe0, 0xb3, 0x59, 0x82, 0xc4, 0x94, 0x56, 0x52, 0x4f, 0x2c, 0x24, 0xd5, 0x2e, 0xb4, 0xec, 0x9f, 0x7c, 0xda, 0x50, 0x89, 0x8e, 0x30, 0x1d, 0x54, 0x6c, 0x31, 0x83, 0x70, 0x2, 0x46, 0xcc, 0xab, 0x9e, 0xd3, 0x6b, 0xbc, 0x5, 0x7f, 0xdc, 0xc, 0xc2, 0x60, 0xa1, 0xfa, 0x37, 0xb8, 0x6, 0x9d, 0xd3, 0xac, 0x1a, 0xf3, 0x8b, 0x4f, 0x51, 0x20, 0x51, 0x0, 0x95, 0xdc, 0x31, 0x83, 0xac, 0xa2, 0x2a, 0xaf, 0x62, 0xf4, 0x74, 0x53, 0xa3, 0xb1, 0x2a, 0xf3, 0xb4, 0xd9, 0x73, 0x76, 0xfc, 0x49, 0x4f, 0xd6, 0xac, 0x51, 0xe1, 0xa6, 0x81, 0x65, 0x94, 0x8d, 0x1b, 0x85, 0x22, 0x73, 0x12, 0xa0, 0xf4, 0xbd, 0x33, 0x31, 0xd1, 0xf0, 0xe0, 0xda, 0x84, 0x65, 0x69, 0xf, 0x51, 0xa3, 0x6d, 0x6c, 0x9f, 0x3c, 0x71, 0xc1, 0xa7, 0x3, 0x1a, 0x38, 0x75, 0xe4, 0x38, 0x7f, 0xe9, 0x5b, 0x34, 0x33, 0x82, 0x85, 0x22, 0xa4, 0x1b, 0xca, 0xda, 0x7d, 0xe1, 0xb, 0xc7, 0xc5, 0x3c, 0xf8, 0xf, 0x8c, 0x91, 0xb, 0x94, 0x14, 0x8b, 0x15, 0x5, 0xf7, 0xa5, 0xdb, 0x88, 0x8a, 0x18, 0xb7, 0x8b, 0xd8, 0xfa, 0xa1, 0xa6, 0xfc, 0xfe, 0x5c, 0x95, 0x85, 0x8e, 0x33, 0x4, 0x88, 0x2d, 0xed, 0x81, 0x9, 0xb4, 0x7e, 0xf8, 0xb, 0x23, 0xc0, 0xc7, 0xf7, 0x87, 0x4b, 0x78, 0xf1, 0xd1, 0x3e, 0x2a, 0xd0, 0x9e, 0x7f, 0x76, 0x60, 0x1d, 0x9d, 0x5b, 0x8d, 0x3f, 0xf2, 0x8b, 0x26, 0x90, 0x22, 0xb9, 0x68, 0xd3, 0x86, 0x35, 0x4c, 0x90, 0xad, 0x82, 0xd6, 0xfb, 0x2a, 0x5, 0x96, 0x64, 0xdc, 0xb1, 0xb0, 0x37, 0x16, 0x13, 0xfb, 0x8, 0xac, 0x9d, 0xf3, 0x84, 0xa1, 0x88, 0xd4, 0x9f, 0xdf, 0xb2, 0x25, 0xe3, 0xac, 0x23, 0xbc, 0xc2, 0x1f, 0x84, 0x9a, 0x6c, 0xbd, 0x36, 0x3b, 0x87, 0x29, 0x9d, 0x52, 0xf8, 0x3c, 0x15, 0x11, 0x2c, 0x46, 0x2d, 0x21, 0x55, 0xc5, 0xd, 0x37, 0xe0, 0xb3, 0xc6, 0xec, 0xaa, 0x89, 0x75, 0x3f, 0xf8, 0x31, 0x99, 0x5a, 0xde, 0xb7, 0x31, 0x74, 0xdf, 0xb1, 0x3c, 0x87, 0x95, 0xf2, 0xe6, 0x8e, 0x52, 0xfb, 0x95, 0x3c, 0x30, 0xcc, 0xf, 0x50, 0xa1, 0xec, 0x60, 0xb7, 0x33, 0xce, 0x97, 0x5, 0x39, 0xdb, 0x36, 0x97, 0x76, 0xe4, 0x86, 0x14, 0x96, 0xd6, 0xa2, 0x9d, 0x33, 0xc3, 0x28, 0xe4, 0x45, 0xd2, 0xce, 0x6c, 0x10, 0xfa, 0x41, 0x7f, 0xca, 0xf5, 0xdd, 0xac, 0x80, 0x70, 0x32, 0xb1, 0xed, 0x37, 0x69, 0x6b, 0x2e, 0x52, 0xe5, 0x77, 0x3a, 0xda, 0x18, 0x6c, 0xcd, 0xbb, 0xc3, 0x8, 0xc9, 0x69, 0x56, 0xfd, 0x24, 0xd9, 0x48, 0x9e, 0x1b, 0x1f, 0xf7, 0xb3, 0x4b, 0xaa, 0x36, 0x4e, 0xc6, 0x37, 0x7d, 0x8d, 0x47, 0xee, 0xdf, 0xdb, 0x4f, 0x5a, 0xa0, 0xf7, 0x93, 0x1, 0xbc, 0xc8, 0x75, 0xba, 0xdf, 0x16, 0xcd, 0x56, 0x84, 0x1e, 0xbc, 0x84, 0x51, 0xd1, 0xfa, 0x46, 0x8, 0x8f, 0xb0, 0x1f, 0x36, 0xbb, 0x6b, 0xb2, 0xef, 0x1, 0x33, 0x29, 0xfa, 0x4d, 0x64, 0xa9, 0xf8, 0xca, 0x68, 0x45, 0xc, 0x3c, 0xc, 0x3e, 0x5, 0xae, 0xac, 0xd, 0xa8, 0x51, 0xa6, 0xec, 0x2, 0xd5, 0xa6, 0x2b, 0xb, 0x61, 0x4, 0x60, 0x68, 0x59, 0xbd, 0xe3, 0x45, 0x72, 0x2b, 0x28, 0xf6, 0x6a, 0x7, 0xc2, 0xa4, 0xe9, 0x94, 0x1e, 0x4a, 0xf2, 0x61, 0xae, 0x63, 0xf1, 0x76, 0x15, 0x5c, 0x99, 0x15, 0x3, 0x47, 0x15, 0x57, 0x74, 0x3d, 0xff, 0xf8, 0x2a, 0x19, 0x9b, 0xe1, 0x2c, 0x7, 0xea, 0xb3, 0x7e, 0x85, 0x99, 0x9, 0x9b, 0x88, 0x62, 0x1b, 0xb8, 0xc5, 0x9, 0xa3, 0xea, 0xd6, 0x22, 0xec, 0xdf, 0x19, 0x34, 0xc3, 0xcf, 0xe2, 0xa0, 0xb5, 0xf9, 0xa0, 0xb3, 0x65, 0xdb, 0x9c, 0xb6, 0xbf, 0x70, 0x95, 0x4d, 0x52, 0x3f, 0x56, 0x15, 0xec, 0x75, 0x30, 0x2f, 0x80, 0xe0, 0x37, 0x97, 0xed, 0xe5, 0xe0, 0x53, 0xc7, 0x4, 0x2b, 0xf4, 0xe7, 0x6a, 0x6c, 0xd4, 0x6, 0xe6, 0x0, 0x42, 0x9, 0x26, 0xa4, 0xdc, 0x80, 0xf6, 0x39, 0x2f, 0xb0, 0x3a, 0xda, 0x37, 0x3b, 0x73, 0xa9, 0x53, 0x88, 0x9b, 0x6a, 0x38, 0x5d, 0x85, 0xae, 0x34, 0x11, 0x2e, 0x61, 0x9b, 0xed, 0x88, 0xe1, 0xbe, 0xa8, 0xd8, 0x59, 0xd4, 0xed, 0x83, 0xc0, 0x8b, 0xa0, 0x2f, 0x68, 0xe1, 0xf, 0x2d, 0x51, 0x21, 0x4d, 0x94, 0x30, 0x9f, 0x2e, 0x84, 0xf9, 0xab, 0x7c, 0x8a, 0xaf, 0x83, 0xab, 0x5e, 0xbf, 0xd4, 0x31, 0xa3, 0x6a, 0x2a, 0x7f, 0x1, 0xba, 0xcf, 0x72, 0xd2, 0xe3, 0xa0, 0xab, 0x83, 0xbc, 0xa, 0x56, 0x27, 0x75, 0x6b, 0x3a, 0xe, 0x87, 0x33, 0xb8, 0x94, 0xf5, 0x50, 0x9f, 0x6b, 0xa2, 0xae, 0xc6, 0x25, 0xd0, 0xf6, 0xfd, 0xb5, 0x1d, 0x69, 0x3d, 0x80, 0x14, 0x35, 0x33, 0xe6, 0x9, 0x75, 0xb7, 0x3, 0x6f, 0xcf, 0x14, 0xbd, 0x34, 0xe2, 0x5e, 0x74, 0xbb, 0x24, 0xc0, 0x49, 0x84, 0x50, 0x8b, 0xde, 0xb4, 0xd7, 0x35, 0xef, 0xdd, 0x4f, 0x33, 0x9c, 0xb4, 0xb2, 0x64, 0xb7, 0x28, 0x77, 0x64, 0xff, 0x31, 0xe0, 0x21, 0xcc, 0xd7, 0xee, 0x4d, 0xf9, 0x85, 0x28, 0xd8, 0xa0, 0xb8, 0x40, 0x47, 0xe3, 0xfb, 0xd2, 0x85, 0xc7, 0xc4, 0x17, 0x3, 0xa7, 0xae, 0x8c, 0xa5, 0xf8, 0xc5, 0x6a, 0x5, 0xdc, 0x5f, 0x4, 0x78, 0x88, 0x8e, 0x4e, 0x27, 0xc4, 0xe0, 0x25, 0xc3, 0xeb, 0xeb, 0x98, 0x66, 0x21, 0x56, 0x6c, 0x39, 0x9, 0xcf, 0xbb, 0xef, 0xf, 0x5e, 0x80, 0x91, 0x4, 0x15, 0x19, 0x19, 0xdc, 0xa2, 0x80, 0x54, 0x5c, 0x87, 0x4e, 0x4c, 0xa7, 0xa, 0xce, 0xc8, 0x72, 0xb3, 0xd1, 0xa8, 0xde, 0xc1, 0xfa, 0x77, 0x7f, 0x1d, 0x70, 0x9f, 0x67, 0x70, 0xb5, 0x6a, 0x6d, 0xb5, 0x0, 0xba, 0x3e, 0xce, 0x50, 0x23, 0xf2, 0x20, 0x4e, 0x0, 0x8, 0x4e, 0x1c, 0x60, 0x8d, 0x19, 0x45, 0x45, 0x6b, 0xd5, 0x77, 0xe1, 0xd5, 0x5a, 0xdc, 0x9, 0xea, 0xd9, 0xba, 0x34, 0x75, 0xaa, 0x19, 0x3e, 0x92, 0x46, 0xc0, 0x80, 0x31, 0xa6, 0x5, 0x29, 0xa4, 0xaa, 0x64, 0xc8, 0xd3, 0xd0, 0x9e, 0x27, 0xc, 0x51, 0x5a, 0x90, 0xff, 0xb6, 0x41, 0xf3, 0x49, 0x32, 0x6b, 0x96, 0xa7, 0x88, 0x9, 0xe2, 0x2b, 0xc1, 0x41, 0xa3, 0x61, 0x3, 0x89, 0x17, 0x36, 0x42, 0x61, 0xfd, 0xc, 0x60, 0xdc, 0x4, 0x36, 0x6c, 0x31, 0x33, 0x85, 0xeb, 0x95, 0x22, 0x2, 0x22, 0x29, 0xaf, 0x44, 0xac, 0xe4, 0xbd, 0x3d, 0x69, 0xef, 0x7e, 0x1c, 0x5d, 0xfc, 0x8a, 0x89, 0xa1, 0x4f, 0x4f, 0xd1, 0x5, 0x68, 0x89, 0x58, 0xca, 0x21, 0x3c, 0x20, 0x60, 0x21, 0x0, 0x5, 0xb, 0x73, 0xef, 0x40, 0x30, 0x1f, 0xd, 0x6f, 0x5a, 0x19, 0xf7, 0x77, 0x9, 0x77, 0xbf, 0xfa, 0x8f, 0x83, 0xeb, 0xad, 0x67, 0x61, 0xc8, 0x8e, 0x2d, 0x1, 0x4f, 0xbb, 0xa8, 0x85, 0x12, 0xea, 0x3f, 0xab, 0x3e, 0x9a, 0x3, 0x35, 0x88, 0xd6, 0xc2, 0x4, 0x90, 0x30, 0xf8, 0x24, 0x5d, 0xee, 0x5e, 0xe9, 0xff, 0x13, 0x76, 0x4b, 0x6e, 0xa9, 0xa4, 0x3e, 0x22, 0xbd, 0x12, 0xfe, 0xdf, 0xc, 0x53, 0x9a, 0x73, 0xb6, 0xe5, 0x2e, 0x5c, 0x8f, 0x2, 0x38, 0x76, 0xbd, 0xa9, 0x6a, 0x40, 0xed, 0xa1, 0x3d, 0x30, 0x65, 0xa0, 0x86, 0x14, 0xc2, 0xc4, 0x2e, 0xe6, 0xc7, 0x1e, 0x29, 0xae, 0x61, 0x3e, 0x33, 0x99, 0xdf, 0x92, 0x4, 0x2a, 0x62, 0xe0, 0x8e, 0x7a, 0xbb, 0x9d, 0xc, 0xd8, 0x7f, 0xdb, 0xae, 0x1, 0x6c, 0xbc, 0xd3, 0x2e, 0xdc, 0xec, 0x74, 0xbe, 0x8, 0x12, 0x5a, 0xc3, 0x35, 0x1f, 0x67, 0x9f, 0x46, 0x1a, 0xcb, 0x40, 0xd5, 0x5b, 0x6f, 0x77, 0xbf, 0x5a, 0x3c, 0xe5, 0x2c, 0x5, 0x7b, 0x35, 0x60, 0x71, 0x40, 0x72, 0x6f, 0x7a, 0x3f, 0xbf, 0x71, 0x17, 0x37, 0x59, 0xb2, 0x9f, 0x4a, 0xc, 0x44, 0x1c, 0x50, 0xd2, 0x87, 0x40, 0x53, 0xb0, 0x87, 0xe1, 0x52, 0x5, 0x44, 0x32, 0x4c, 0x62, 0x21, 0xc8, 0x7c, 0xbf, 0xb7, 0xdb, 0xcd, 0xfa, 0x22, 0xce, 0xa6, 0x55, 0x41, 0xef, 0x37, 0x98, 0x88, 0xcb, 0x28, 0x42, 0x5a, 0x20, 0x5e, 0x4c, 0x58, 0x6a, 0x74, 0xa8, 0xa7, 0x35, 0x70, 0xdc, 0xb9, 0xa1, 0x4e, 0x7e, 0x26, 0x9b, 0x8c, 0x54, 0xb9, 0xcf, 0x15, 0x3a, 0x59, 0xf3, 0x12, 0xd0, 0x4b, 0x35, 0x21, 0x6e, 0x5e, 0x6e, 0x93, 0x8f, 0x8c, 0x6a, 0xcc, 0x31, 0xdf, 0xdc, 0x41, 0xc2, 0xb5, 0x4, 0x4d, 0xf8, 0x8a, 0x86, 0xfb, 0x5e, 0x34, 0x6f, 0xa, 0x99, 0x63, 0xcb, 0x62, 0xb9, 0xb9, 0x61, 0x4e, 0xef, 0x6f, 0x8d, 0xe4, 0xa2, 0xe1, 0x46, 0x82, 0xc4, 0x23, 0x5c, 0xce, 0x3d, 0x54, 0xd1, 0xe6, 0x15, 0xf0, 0xe9, 0x1d, 0x6d, 0x28, 0x52, 0xdb, 0x9e, 0xd1, 0x56, 0x6f, 0x82, 0xdf, 0xf6, 0x87, 0x7, 0xd6, 0xe3, 0x59, 0x14, 0x1c, 0xfe, 0x5d, 0x1d, 0x6e, 0xdc, 0x6c, 0xb0, 0x9e, 0xa4, 0x99, 0xe8, 0x26, 0xdb, 0xfb, 0xa1, 0x14, 0xc9, 0x60, 0x95, 0x2, 0xf5, 0xb4, 0xd3, 0xb3, 0x2f, 0x84, 0x78, 0x8b, 0xcb, 0xec, 0xbe, 0x22, 0x9c, 0xfa, 0x6d, 0xc5, 0xc0, 0xd7, 0x88, 0xa1, 0x4a, 0xa9, 0x41, 0x9c, 0x29, 0x47, 0x32, 0x70, 0xa1, 0x83, 0xc2, 0x36, 0x11, 0x65, 0x3f, 0xb6, 0x50, 0xe2, 0xa0, 0x2d, 0xa0, 0x24, 0x5e, 0x7b, 0xd2, 0x9f, 0x4d, 0x83, 0x42, 0xdd, 0x34, 0x6c, 0x1b, 0xb7, 0x26, 0xac, 0xd9, 0x36, 0x93, 0x32, 0x97, 0xb4, 0xf1, 0xe5, 0x9d, 0x4a, 0xe9, 0x39, 0xcf, 0x1a, 0x68, 0xdc, 0x30, 0x7b, 0xd7, 0x6c, 0xef, 0xcc, 0x80, 0x5c, 0xd0, 0xb6, 0x99, 0xec, 0x99, 0x82, 0x97, 0x49, 0x35, 0xd3, 0x39, 0xb9, 0x5e, 0x48, 0xf4, 0x6b, 0x47, 0xc1, 0xd7, 0x86, 0xab, 0x61, 0x3e, 0xc5, 0xdd, 0x1d, 0x60, 0xfb, 0x52, 0x80, 0x94, 0xdd, 0x48, 0xdd, 0x11, 0x35, 0x39, 0xeb, 0xc5, 0x34, 0x1c, 0xf6, 0xe6, 0x0, 0x76, 0xc6, 0xf5, 0x91, 0x34, 0x1f, 0xe7, 0xb1, 0x25, 0xb5, 0xf1, 0x33, 0x8, 0x26, 0x72, 0x25, 0x9, 0x8f, 0x36, 0xf6, 0xc6, 0xf5, 0x1c, 0x13, 0xdb, 0x60, 0x12, 0x13, 0xac, 0xf7, 0xb4, 0xfa, 0x3b, 0x35, 0xeb, 0x40, 0x29, 0xe8, 0xee, 0x37, 0x80, 0x88, 0xc7, 0x85, 0x4e, 0xf2, 0xbd, 0xc3, 0xff, 0x81, 0x15, 0x4c, 0xa8, 0xc5, 0xc3, 0xf5, 0xcb, 0x75, 0xff, 0x5b, 0x40, 0x6f, 0x4e, 0xa1, 0x3f, 0xc8, 0xe8, 0x35, 0xca, 0xe0, 0x95, 0x2, 0xf, 0x1c, 0x1d, 0xb8, 0x1d, 0xdd, 0xd9, 0xee, 0xf8, 0x53, 0x71, 0xde, 0x2e, 0xcb, 0xeb, 0x52, 0x11, 0xad, 0x9, 0xba, 0xb6, 0x3f, 0x84, 0xe1, 0x15, 0xb0, 0x41, 0xaa, 0xf0, 0xe6, 0x4c, 0xdd, 0xab, 0xa2, 0x33, 0xf9, 0x3f, 0xb8, 0xf6, 0x13, 0x43, 0x83, 0x7f, 0x77, 0x75, 0x3a, 0x11, 0xdb, 0xa4, 0x7d, 0xdf, 0x28, 0x43, 0xd1, 0xa5, 0x72, 0x3c, 0x1b, 0x7d, 0x6d, 0xdf, 0x6d, 0x6c, 0x96, 0x98, 0x96, 0x78, 0x6f, 0x54, 0xa0, 0x2b, 0xa7, 0x33, 0x9a, 0x43, 0xed, 0xba, 0x65, 0xd2, 0xea, 0x15, 0xa, 0x17, 0xa3, 0x8e, 0xa5, 0x99, 0xfe, 0x3, 0xb9, 0x7e, 0xcf, 0x26, 0xc, 0xd8, 0x33, 0xc6, 0xb0, 0x6d, 0xcf, 0x1a, 0xe7, 0x13, 0xf6, 0x5e, 0x25, 0x31, 0xd0, 0x5c, 0x25, 0xca, 0x18, 0x57, 0xbe, 0xcc, 0x12, 0xd, 0xc4, 0x8, 0x78, 0x53, 0xd0, 0x21, 0xdd, 0x6b, 0xbe, 0xf2, 0x3a, 0xbc, 0x8e, 0x48, 0xf5, 0xc5, 0xf9, 0xe3, 0x1b, 0x7c, 0xd, 0x11, 0x47, 0xdd, 0xb4, 0xad, 0x5e, 0x48, 0xe4, 0xb9, 0x12, 0x41, 0x3d, 0x71, 0xb, 0x87, 0x9, 0x8c, 0x6e, 0xae, 0x56, 0x3d, 0x73, 0x56, 0x3, 0xe2, 0xe1, 0x27, 0xa7, 0x5e, 0x44, 0xab, 0x6b, 0x8d, 0xe6, 0xa4, 0xa1, 0x34, 0xc9, 0xea, 0xf6, 0xf4, 0x9e, 0xc3, 0xf1, 0xce, 0xf8, 0x47, 0x55, 0x15, 0xe0, 0xbf, 0xdc, 0x9b, 0x15, 0x9, 0x39, 0x5c, 0xdb, 0xd1, 0x8a, 0x2a, 0x44, 0x3d, 0xe2, 0xef, 0xf2, 0x64, 0xc1, 0xb9, 0x6, 0x7d, 0x6a, 0x81, 0xc3, 0xe5, 0xa5, 0xa, 0xdc, 0x8b, 0x2d, 0xdf, 0xa9, 0x65, 0x8e, 0xa, 0x12, 0x6f, 0xe4, 0x1a, 0x19, 0x5b, 0x1c, 0x61, 0x0, 0x87, 0x7f, 0x66, 0x83, 0x48, 0x99, 0x10, 0xff, 0xd7, 0x1e, 0x17, 0x83, 0x52, 0x59, 0x69, 0xca, 0xf8, 0xec, 0xa2, 0x33, 0x13, 0x1a, 0x8d, 0xf4, 0xee, 0x73, 0x4a, 0xfa, 0x7d, 0x0, 0x4, 0x66, 0x84, 0xcf, 0xca, 0x97, 0xf1, 0xa9, 0x47, 0x2d, 0xb2, 0xb4, 0x92, 0x1e, 0x65, 0xd1, 0x4e, 0x37, 0xd6, 0xe0, 0x8a, 0x85, 0xb8, 0xef, 0x7a, 0x30, 0x6f, 0x3e, 0x97, 0x4c, 0x72, 0xeb, 0x10, 0x8a, 0x23, 0x4a, 0x52, 0x6f, 0xd6, 0x49, 0x28, 0xeb, 0xa9, 0x92, 0x4a, 0x7b, 0xdd, 0x1e, 0xe9, 0x2f, 0xa4, 0xbd, 0x78, 0x36, 0x5c, 0xc3, 0xf, 0x7c, 0xcd, 0x2a, 0x9, 0x56, 0x17, 0xe5, 0x10, 0xb, 0xf1, 0xe9, 0x13, 0x35, 0xd4, 0xc1, 0x81, 0x69, 0x44, 0x25, 0x7d, 0x40, 0xc1, 0xab, 0xd9, 0x60, 0x48, 0xa8, 0x53, 0x49, 0xd0, 0xd5, 0x4f, 0x8c, 0xe4, 0xbd, 0x8d, 0xe3, 0xb1, 0x5a, 0xbb, 0x81, 0xc5, 0x16, 0x52, 0x7e, 0xa1, 0xe0, 0xc5, 0x6, 0x6b, 0x4, 0x8a, 0x32, 0xa6, 0x5e, 0x16, 0x91, 0x44, 0xf6, 0x34, 0x52, 0x36, 0xd, 0xac, 0xcf, 0xf, 0x8b, 0xe6, 0xb6, 0x40, 0x3b, 0x9, 0x1a, 0x63, 0x5b, 0x1d, 0x9, 0x4a, 0xf2, 0x62, 0x58, 0x7, 0x1c, 0x5c, 0xb8, 0xbf, 0x85, 0x8f, 0x3e, 0xb5, 0x4e, 0xd7, 0xc5, 0x56, 0x24, 0xb2, 0xca, 0x46, 0x77, 0x1c, 0xf5, 0x89, 0xda, 0x61, 0xe7, 0xd9, 0xb8, 0x5c, 0xc2, 0xb5, 0x28, 0xf0, 0xc0, 0x2f, 0xec, 0x70, 0x26, 0x5c, 0xaf, 0xb9, 0x2d, 0xd, 0xd3, 0x3f, 0x87, 0x5e, 0x56, 0x62, 0x82, 0xa1, 0x1e, 0xf, 0x3d, 0xf, 0x73, 0x3a, 0xf4, 0xc8, 0x7c, 0xde, 0xfc, 0xe, 0x59, 0xab, 0x33, 0x3c, 0x6f, 0x9b, 0xe8, 0xb, 0x24, 0x3, 0xad, 0x29, 0xf5, 0x23, 0xc8, 0xdb, 0xa5, 0xbe, 0x98, 0xfe, 0x9a, 0xb7, 0x82, 0xde, 0xe5, 0x2f, 0x96, 0x56, 0x28, 0x8f, 0x56, 0xf3, 0x91, 0xc5, 0x60, 0xdb, 0xa, 0x59, 0xc, 0x58, 0xa8, 0x28, 0x4a, 0x14, 0x4a, 0xc7, 0x1f, 0x4c, 0x3f, 0x20, 0xb3, 0x98, 0x24, 0x66, 0x3b, 0x4f, 0x8c, 0xce, 0x88, 0xe2, 0x30, 0x5c, 0x75, 0x3d, 0x3c, 0x63, 0x21, 0xc8, 0x8f, 0x63, 0x56, 0x2d, 0x7c, 0x5a, 0xa0, 0xff, 0x0, 0x60, 0x88, 0xc6, 0x18, 0x2, 0x1, 0x31, 0xe5, 0x92, 0x8f, 0xa3, 0x64, 0x17, 0xb8, 0x3, 0x79, 0xee, 0x9, 0x91, 0x47, 0x63, 0x3c, 0x97, 0x36, 0xc2, 0x95, 0x13, 0x2f, 0x8e, 0x4e, 0x22, 0xf5, 0xec, 0x3c, 0xf8, 0x4f, 0xc3, 0x23, 0x6c, 0xd6, 0x1e, 0x5d, 0xbf, 0xb3, 0x30, 0x19, 0x22, 0xfb, 0xae, 0x9e, 0x73, 0x9c, 0xa1, 0x22, 0x8, 0x6b, 0xc0, 0x25, 0x98, 0xa4, 0xd3, 0x4b, 0x2a, 0x57, 0xa8, 0xd0, 0x51, 0x63, 0xd7, 0xc, 0x2f, 0x85, 0xbc, 0x20, 0xda, 0x25, 0x89, 0xb3, 0x6d, 0x38, 0x1, 0x83, 0x85, 0xf2, 0xec, 0x64, 0x6a, 0xe6, 0xfb, 0x85, 0x7f, 0x61, 0xc9, 0xc0, 0x84, 0x7e, 0x74, 0x53, 0x72, 0x17, 0xbe, 0x1d, 0x26, 0x1d, 0xd6, 0xb0, 0x8a, 0xff, 0xd, 0x8d, 0x95, 0xc2, 0x84, 0xe5, 0x5, 0x63, 0x24, 0xef, 0x8b, 0xf4, 0x2b, 0x55, 0x3e, 0xdb, 0x45, 0x4f, 0xa5, 0x21, 0x9c, 0xc0, 0x8f, 0xbb, 0xee, 0x3c, 0xec, 0x83, 0x30, 0xca, 0xe2, 0xc6, 0x6d, 0x40, 0x7c, 0xd0, 0x4d, 0xbf, 0x1, 0x30, 0xf6, 0xa7, 0x6d, 0x62, 0x96, 0xe, 0xd3, 0xcb, 0x16, 0xaa, 0xfe, 0xfb, 0xa9, 0x81, 0x0, 0x13, 0x3a, 0x67, 0x5c, 0xca, 0x7e, 0xfe, 0x6a, 0x1b, 0xdd, 0x82, 0xd0, 0x4e, 0xfc, 0x48, 0xaf, 0x3, 0xb7, 0x67, 0x38, 0xa1, 0x83, 0x57, 0xaa, 0x6a, 0x5d, 0x0, 0x9a, 0xcb, 0x63, 0x24, 0x43, 0xcd, 0x6e, 0x70, 0x5c, 0xc5, 0x1e, 0xd3, 0x41, 0x76, 0x9a, 0x8e, 0x3f, 0xd3, 0x8e, 0x9f, 0x7a, 0x9e, 0x8d, 0x9, 0xed, 0x53, 0x54, 0x62, 0x93, 0x74, 0x88, 0xec, 0xe4, 0xad, 0xbe, 0xa3, 0x66, 0x55, 0x79, 0x5a, 0x50, 0x80, 0x2b, 0x44, 0x17, 0x50, 0x96, 0xc, 0x31, 0x62, 0xc, 0x98, 0x4f, 0x7a, 0xd, 0x40, 0xb3, 0xc0, 0x8c, 0xaf, 0x97, 0xcf, 0xf4, 0x48, 0xe2, 0x12, 0x58, 0xee, 0x5e, 0xd9, 0x90, 0xbb, 0xb8, 0x7e, 0x58, 0xe4, 0x5e, 0x4, 0x52, 0x81, 0x7f, 0xa5, 0x42, 0x1b, 0x2e, 0x7c, 0x1c, 0x64, 0x6, 0xb9, 0x92, 0xd7, 0xda, 0x87, 0x1c, 0xa7, 0x93, 0xf5, 0xfc, 0x9d, 0xb9, 0x0, 0x4, 0x1b, 0x77, 0x7d, 0xab, 0xc7, 0xe2, 0x70, 0x5a, 0xd8, 0x34, 0x2d, 0x95, 0x16, 0x52, 0x1a, 0x2e, 0xc3, 0x97, 0xff, 0x9, 0x7d, 0xbf, 0x8a, 0x2d, 0xa6, 0x3e, 0xe4, 0xd6, 0xca, 0xbb, 0xfe, 0xaa, 0x25, 0xda, 0x46, 0x76, 0x74, 0xbd, 0x24, 0x4e, 0xe5, 0x96, 0xc4, 0x65, 0x3, 0xe3, 0x50, 0xe8, 0x24, 0x16, 0xa4, 0x99, 0x14, 0x2b, 0xd2, 0x81, 0x67, 0xf7, 0xdd, 0xf6, 0x24, 0x81, 0x59, 0xc3, 0xbf, 0xf1, 0x55, 0xe5, 0x42, 0x38, 0x33, 0xcd, 0xfa, 0xc2, 0x19, 0x23, 0x5b, 0xd1, 0x3e, 0x88, 0x6f, 0x47, 0x50, 0x96, 0xed, 0x19, 0x16, 0x83, 0x16, 0xc3, 0x96, 0x7, 0x37, 0xaa, 0x61, 0x6b, 0x20, 0x69, 0x34, 0xb7, 0x8d, 0xe8, 0x8, 0xa9, 0x1f, 0x17, 0x5d, 0xe, 0xa, 0xfa, 0x40, 0x54, 0xb4, 0xe3, 0x71, 0x72, 0xe8, 0x98, 0xdb, 0x2b, 0x7, 0x3e, 0xe0, 0x6a, 0x7f, 0x8a, 0xb9, 0xc3, 0x28, 0x55, 0xf7, 0x87, 0x6, 0x5a, 0x76, 0x39, 0x6c, 0xd, 0xcf, 0xe3, 0x91, 0xb, 0xca, 0x3c, 0xac, 0xcd, 0x3a, 0xdb, 0xa2, 0x50, 0x3b, 0x95, 0xcb, 0x8, 0x2f, 0x8f, 0x28, 0x1a, 0xcf, 0x43, 0xcf, 0x2c, 0x58, 0x14, 0x24, 0xa8, 0xe9, 0xee, 0x60, 0xbc, 0x8b, 0xec, 0x8d, 0x42, 0xa0, 0x9a, 0x72, 0x2, 0x9f, 0xc7, 0x54, 0xd5, 0xf5, 0x32, 0x65, 0xec, 0xd5, 0x1c, 0xd8, 0x5f, 0xe1, 0x82, 0xcf, 0x3a, 0x30, 0x72, 0xa6, 0xff, 0xf5, 0x73, 0xc3, 0xe2, 0x3, 0xbd, 0xb3, 0x41, 0x63, 0xfc, 0xe7, 0xb4, 0xa8, 0xa8, 0x80, 0xdf, 0x7b, 0x8, 0xa0, 0xd6, 0x52, 0x29, 0xb7, 0x8e, 0xa3, 0x48, 0xc0, 0x9d, 0xbb, 0x3c, 0x80, 0x0, 0xb0, 0xf8, 0xcc, 0x7e, 0x65, 0xa, 0xcf, 0x9, 0xeb, 0xe1, 0x67, 0x18, 0xc0, 0x54, 0x8c, 0xfc, 0x46, 0xb6, 0xf0, 0x26, 0x10, 0xf9, 0x88, 0xd8, 0x4b, 0xff, 0x7d, 0x53, 0xf2, 0xd, 0x9d, 0x42, 0xd5, 0xc6, 0x48, 0x80, 0xc9, 0xfb, 0x4e, 0x2e, 0xf4, 0x25, 0xc9, 0x0, 0xc2, 0x9c, 0x26, 0x3e, 0xfe, 0xf6, 0xbc, 0x6a, 0x44, 0x5a, 0xb5, 0xc5, 0xe5, 0x67, 0xac, 0xd5, 0xdb, 0x2, 0xb0, 0xd8, 0x8e, 0xda, 0xee, 0x64, 0xee, 0xec, 0x91, 0xd2, 0x71, 0xe0, 0xba, 0x2d, 0xf9, 0x89, 0x89, 0x53, 0xbf, 0x7e, 0xaf, 0xe0, 0xdb, 0x45, 0x92, 0x81, 0xa7, 0xef, 0x9e, 0xe7, 0xe6, 0x41, 0xd1, 0x9f, 0x7e, 0xeb, 0x2d, 0xb, 0x49, 0x28, 0x97, 0x6b, 0x25, 0xc7, 0x2, 0xc6, 0xc3, 0x77, 0x88, 0x73, 0xaf, 0x32, 0x22, 0x1d, 0xaa, 0x9d, 0xd2, 0xe8, 0x49, 0xb0, 0x1a, 0x21, 0x90, 0x4b, 0xc9, 0x94, 0xbf, 0xe4, 0xe6, 0x53, 0xdf, 0xe4, 0xdb, 0x6, 0x10, 0x7b, 0x4d, 0xe7, 0x24, 0x73, 0x4a, 0xdf, 0x8b, 0x6a, 0xa, 0x56, 0xd4, 0x46, 0x4, 0x89, 0x55, 0xa3, 0x5c, 0x8b, 0xf9, 0xf2, 0xab, 0x39, 0xb8, 0xfa, 0x3b, 0x2d, 0x58, 0xdf, 0x46, 0xde, 0xda, 0x8a, 0x2f, 0x4, 0x4e, 0x47, 0x92, 0xc3, 0x1b, 0x7a, 0x14, 0x6a, 0x76, 0xa7, 0x36, 0x79, 0xf9, 0xc0, 0xd, 0x54, 0xf, 0x94, 0xb6, 0x25, 0x9f, 0x75, 0xf2, 0xf2, 0x8e, 0x73, 0x44, 0xc6, 0xf4, 0x19, 0xa7, 0x89, 0x57, 0xd9, 0x9d, 0x45, 0xc3, 0x50, 0x7, 0xf4, 0xb7, 0x59, 0x28, 0xd5, 0x80, 0x21, 0xb2, 0xf2, 0x8b, 0x78, 0x5e, 0x7e, 0xb4, 0x71, 0x66, 0x1, 0x5f, 0x21, 0x4b, 0x2a, 0xae, 0x8d, 0x4a, 0xca, 0x33, 0x76, 0xb6, 0xdb, 0x3c, 0xfd, 0x79, 0xf, 0x12, 0x15, 0x29, 0xde, 0xe6, 0x64, 0xb0, 0x6f, 0xa0, 0xf8, 0xc1, 0x20, 0x74, 0xd5, 0xc1, 0x8c, 0x36, 0xd5, 0xf4, 0x75, 0xe4, 0x8d, 0xe1, 0xa8, 0x51, 0xda, 0x6a, 0xb0, 0xd4, 0x49, 0xc7, 0x7c, 0xd4, 0xf0, 0xa0, 0xa5, 0x6a, 0x52, 0x74, 0x0, 0x2c, 0xfa, 0xab, 0x3c, 0x17, 0x59, 0xfc, 0x73, 0xb7, 0xf2, 0x3f, 0x9c, 0x91, 0xa0, 0xa2, 0xa5, 0x12, 0x86, 0xf6, 0x15, 0x7b, 0x4c, 0x23, 0x28, 0xae, 0xa8, 0x9c, 0xdc, 0xe7, 0xbe, 0xed, 0xaf, 0x58, 0xf6, 0xfd, 0x5f, 0x96, 0x18, 0xab, 0xad, 0xd9, 0x55, 0x2c, 0x44, 0xde, 0x0, 0x5c, 0x12, 0x1f, 0x90, 0xb9, 0x51, 0xb, 0x36, 0xee, 0xf1, 0xaa, 0x70, 0x8b, 0xe0, 0x4f, 0x60, 0x5, 0xd5, 0xa9, 0x4b, 0x3e, 0x2b, 0x77, 0xd2, 0xf0, 0x82, 0xe4, 0xb8, 0xbe, 0x99, 0x6, 0xe6, 0x2d, 0x65, 0xab, 0x16, 0xc5, 0xf9, 0xf7, 0xd4, 0xc6, 0x34, 0x1e, 0x4f, 0x1e, 0xee, 0xe4, 0xec, 0x5c, 0xbf, 0x88, 0x98, 0x23, 0x38, 0xd2, 0x3, 0xbc, 0xfe, 0x86, 0xc5, 0x7a, 0x6f, 0x3a, 0x35, 0x7d, 0x15, 0xc7, 0xd3, 0x8c, 0x65, 0xfd, 0xf1, 0xb3, 0xde, 0xaa, 0x96, 0x2, 0x5f, 0x53, 0x1e, 0x3a, 0xd4, 0xed, 0xb8, 0xe3, 0x63, 0x5, 0x9c, 0x71, 0xa8, 0xaf, 0x6a, 0x37, 0x9f, 0xc7, 0x5f, 0xbc, 0xdc, 0xd2, 0x8a, 0xcd, 0xd3, 0xc, 0x75, 0xcb, 0x9f, 0xdb, 0x3f, 0x30, 0x8e, 0xb0, 0x18, 0x44, 0x2f, 0x5, 0xff, 0x14, 0x20, 0x65, 0x2d, 0x3e, 0xcf, 0x84, 0x50, 0xf7, 0x9, 0xd5, 0x4e, 0x14, 0xf8, 0xf0, 0xbd, 0x7e, 0x98, 0x5b, 0xf2, 0xd3, 0xf2, 0xf0, 0x3b, 0xf4, 0x37, 0xd8, 0x54, 0xa3, 0xcf, 0x71, 0xad, 0x86, 0x5d, 0xf7, 0x8a, 0x86, 0xc4, 0xc8, 0xd0, 0xd9, 0xea, 0xc7, 0xc8, 0x45, 0xff, 0x5c, 0x32, 0xd7, 0xb0, 0xec, 0x81, 0xcc, 0x96, 0x19, 0x47, 0xab, 0xed, 0x24, 0x18, 0x61, 0xf3, 0x55, 0x5d, 0xff, 0xee, 0xa0, 0x77, 0x19, 0x41, 0x45, 0x31, 0xbe, 0xc6, 0x38, 0x20, 0x72, 0xc5, 0xc4, 0x85, 0x50, 0x95, 0xb4, 0x4b, 0xf9, 0xbf, 0x35, 0x53, 0x2d, 0x82, 0xa0, 0xe2, 0xc8, 0xa6, 0xd8, 0x4a, 0x89, 0x37, 0xbb, 0x11, 0x2c, 0xb2, 0x34, 0x2, 0x54, 0xa3, 0x74, 0x4c, 0xed, 0xdd, 0x66, 0x3, 0x2d, 0x5d, 0xf2, 0xc5, 0xee, 0xda, 0x68, 0xa9, 0xf9, 0x42, 0x31, 0xb6, 0x67, 0x68, 0x10, 0x60, 0x36, 0xd4, 0xb6, 0xd7, 0x68, 0x2c, 0x6d, 0xcd, 0x7, 0x42, 0x29, 0x84, 0xc, 0x9, 0x4f, 0xf7, 0xa8, 0xee, 0xb1, 0x68, 0x77, 0x4, 0x14, 0x75, 0xe2, 0xe4, 0xae, 0x62, 0xfe, 0x89, 0x7e, 0x5f, 0x4b, 0x20, 0xef, 0x94, 0x19, 0xb2, 0x59, 0xe0, 0xd1, 0x18, 0xe3, 0x8a, 0x63, 0x69, 0x3b, 0x65, 0x2a, 0x10, 0x90, 0x69, 0x2f, 0x58, 0xeb, 0xd5, 0x70, 0x4a, 0xf8, 0xf5, 0x9, 0xf7, 0x39, 0x97, 0x27, 0x36, 0x93, 0x79, 0x8b, 0x3c, 0x66, 0xa4, 0x5d, 0xeb, 0x37, 0x3c, 0x20, 0x4d, 0xf1, 0xfd, 0xfd, 0x2d, 0xfb, 0xdb, 0xa1, 0xdc, 0xa9, 0xd8, 0x32, 0x9b, 0x8f, 0xd4, 0x77, 0xf0, 0xcf, 0x40, 0xab, 0xed, 0xbb, 0x9f, 0x87, 0xb, 0x9f, 0x36, 0xf2, 0x69, 0x18, 0x9d, 0xda, 0x86, 0xae, 0xf0, 0xf, 0x45, 0x6f, 0x76, 0x56, 0x59, 0xd7, 0x51, 0x52, 0xfc, 0xd0, 0xe8, 0x2b, 0xc0, 0xd8, 0x84, 0x49, 0xf0, 0x8, 0x10, 0xd2, 0xa6, 0x95, 0xcc, 0x7e, 0x49, 0x1c, 0x1a, 0x3a, 0xa0, 0x54, 0xbd, 0x29, 0xf3, 0x50, 0x6c, 0xd2, 0xc5, 0x28, 0x98, 0xab, 0x51, 0xd2, 0xd0, 0x51, 0x7c, 0x8, 0xc0, 0x32, 0xa5, 0x50, 0xaf, 0xfb, 0xab, 0x90, 0x17, 0xf6, 0x50, 0x7, 0x4e, 0x68, 0x6b, 0xe7, 0x55, 0xdf, 0x5, 0xb0, 0x76, 0xf1, 0xa7, 0x6d, 0x51, 0xec, 0xc7, 0xdd, 0x2d, 0x7a, 0xbb, 0x53, 0x55, 0x57, 0x73, 0xfa, 0x3a, 0x55, 0xa3, 0x7c, 0xc8, 0x37, 0x51, 0xc2, 0x55, 0x4d, 0xfc, 0x3f, 0x5f, 0x31, 0x35, 0x5d, 0x3e, 0xaf, 0x2a, 0x44, 0x46, 0xe8, 0x28, 0xff, 0x95, 0x64, 0x49, 0x11, 0xb9, 0x61, 0xaf, 0xf3, 0xb5, 0x62, 0x66, 0xeb, 0xfe, 0x47, 0x34, 0x37, 0xbb, 0xa, 0x61, 0xb5, 0xfa, 0xce, 0xb1, 0x5c, 0xf3, 0x19, 0xe, 0xe6, 0x9d, 0x44, 0xb9, 0xe, 0x7f, 0x15, 0x14, 0xdb, 0xf8, 0x39, 0xd6, 0xbf, 0x61, 0x3c, 0x5b, 0xcc, 0xae, 0xff, 0x3, 0x67, 0x21, 0x41, 0x1d, 0xd4, 0xa4, 0xa5, 0xc2, 0x1c, 0x4e, 0x22, 0xed, 0xab, 0x8f, 0x7f, 0x53, 0xd9, 0x1a, 0x87, 0x86, 0x81, 0x5a, 0xd, 0x23, 0x8, 0xf9, 0x56, 0x49, 0x3a, 0xdf, 0x4b, 0x7b, 0x77, 0x1d, 0x74, 0x80, 0x50, 0xf, 0xba, 0x60, 0xf7, 0x8b, 0xf3, 0xc3, 0x71, 0x1d, 0x9, 0x2, 0x5b, 0x62, 0x9b, 0xf, 0xd5, 0x33, 0x96, 0x61, 0xde, 0xc9, 0xb8, 0x43, 0xb7, 0xec, 0x3, 0x20, 0x47, 0xe7, 0x5d, 0x54, 0x12, 0x75, 0xb4, 0xb2, 0x1c, 0xce, 0x74, 0xc9, 0xef, 0x9d, 0x9f, 0xef, 0x32, 0xbd, 0x0, 0x6a, 0x4f, 0x4a, 0x77, 0x52, 0x9a, 0x79, 0x1, 0xa6, 0x8e, 0xd, 0x19, 0x52, 0x29, 0x6d, 0xb8, 0x41, 0xec, 0xc, 0xa2, 0x7c, 0x2a, 0xff, 0x7f, 0xb2, 0xff, 0x62, 0x30, 0x37, 0x9d, 0xf1, 0x79, 0xe5, 0x32, 0x1b, 0x74, 0x47, 0x7d, 0xb5, 0x4e, 0x81, 0x81, 0xd, 0xf8, 0x6b, 0xf0, 0xae, 0x16, 0xd4, 0xe, 0x2d, 0x7a, 0x88, 0xb5, 0xec, 0x1c, 0xb0, 0x5f, 0x73, 0x9, 0x5b, 0x1f, 0x6, 0xc6, 0xaa, 0xca, 0x41, 0x16, 0x5b, 0x1e, 0x13, 0xb0, 0x2, 0xc0, 0x7b, 0x32, 0xd9, 0x14, 0x25, 0xcb, 0xd5, 0xe6, 0x39, 0x17, 0x43, 0x15, 0xa8, 0x55, 0xfe, 0xda, 0xcb, 0xc8, 0x43, 0x72, 0x13, 0xe1, 0x6c, 0xa3, 0xb1, 0x5b, 0x27, 0x53, 0x32, 0x17, 0xc5, 0xa3, 0x5d, 0x20, 0x7e, 0x5, 0x5a, 0x51, 0x36, 0x1a, 0x5c, 0xc3, 0x9b, 0x5f, 0x92, 0x42, 0xc9, 0x64, 0xf, 0xf0, 0x7a, 0x9f, 0xd5, 0xb7, 0x3c, 0x63, 0x14, 0xbd, 0x3a, 0x8c, 0x6e, 0x65, 0x71, 0xd1, 0x2a, 0xae, 0x5, 0x7, 0xcd, 0x1a, 0x63, 0xa4, 0xe2, 0xc0, 0x5c, 0x5, 0xb6, 0xa0, 0x8a, 0x6a, 0x6f, 0x0, 0x6e, 0xa2, 0x65, 0x2b, 0xd7, 0x13, 0x45, 0xaf, 0xbc, 0xd5, 0x16, 0xd6, 0x14, 0x9e, 0x54, 0x3f, 0x1f, 0x3b, 0x25, 0x71, 0x55, 0x39, 0xee, 0x64, 0x3a, 0x24, 0xce, 0xb8, 0xc1, 0xb, 0xb1, 0xe8, 0x77, 0x4e, 0x3a, 0x91, 0xe5, 0xac, 0xbe, 0xbc, 0xbd, 0x7d, 0xf3, 0x41, 0x43, 0x0, 0xc1, 0x47, 0xf6, 0xec, 0x68, 0x61, 0xe3, 0xca, 0xec, 0x96, 0xa3, 0x6a, 0xa4, 0x1c, 0x9d, 0xe5, 0xbd, 0x65, 0xfa, 0x8f, 0x69, 0xb8, 0x7a, 0x2, 0xa7, 0x38, 0x37, 0x44, 0xc3, 0x6d, 0xc8, 0x9d, 0xb8, 0xa2, 0x3f, 0x15, 0xa4, 0x43, 0x8d, 0x11, 0xa, 0x5a, 0xd8, 0x2f, 0xe2, 0x1c, 0x86, 0xa, 0x33, 0x9e, 0xbc, 0xd3, 0xbb, 0xb3, 0xf6, 0x2a, 0x38, 0x28, 0xa7, 0xd6, 0x79, 0xf7, 0x56, 0x22, 0xd3, 0x68, 0x4e, 0x28, 0xe7, 0x19, 0x4d, 0x3b, 0x42, 0x20, 0x53, 0xb1, 0xf3, 0x38, 0x1b, 0xaa, 0x19, 0xde, 0x3, 0xf7, 0x44, 0x84, 0xc2, 0xb6, 0xd0, 0x73, 0xa3, 0xe6, 0x64, 0x9c, 0x48, 0x61, 0x61, 0x66, 0x24, 0x62, 0x25, 0x37, 0x37, 0x7c, 0x58, 0x99, 0x63, 0x15, 0x33, 0x61, 0xfe, 0x77, 0x52, 0x6f, 0x2e, 0x50, 0x56, 0xa6, 0x4a, 0xad, 0x74, 0x71, 0x71, 0x2, 0x1e, 0xd8, 0xc0, 0x27, 0x2e, 0xb, 0x7c, 0x31, 0x7a, 0x11, 0x96, 0x75, 0x7a, 0xa6, 0x99, 0x3d, 0x72, 0xa6, 0x28, 0x89, 0xf0, 0x17, 0xa3, 0x10, 0x53, 0x48, 0x81, 0x56, 0xa7, 0x71, 0xa9, 0x6c, 0xb6, 0xaf, 0x62, 0x54, 0x46, 0x90, 0x9d, 0x22, 0xbe, 0xfb, 0xcc, 0x97, 0x5e, 0x18, 0xc2, 0x8f, 0xad, 0xdd, 0x6a, 0x60, 0x1a, 0x6a, 0xcf, 0x97, 0xc7, 0xb3, 0x16, 0xf3, 0x31, 0x24, 0x8d, 0x91, 0x33, 0x1, 0x92, 0xfc, 0x1f, 0xec, 0x97, 0xef, 0xc9, 0xb2, 0x5e, 0xbf, 0xd9, 0x15, 0x9a, 0xbb, 0x6c, 0xfc, 0x42, 0xb5, 0x85, 0x78, 0x5d, 0xcf, 0x20, 0x57, 0x53, 0x64, 0xbe, 0x8a, 0xab, 0x68, 0xec, 0xd4, 0xce, 0x5d, 0x71, 0x4e, 0xa3, 0x24, 0x9c, 0x27, 0x14, 0x76, 0xa6, 0x57, 0xcf, 0x61, 0xbb, 0x31, 0x2a, 0xd5, 0x8e, 0x78, 0x3, 0xa0, 0x37, 0xf4, 0x44, 0x24, 0xa8, 0xab, 0x32, 0x94, 0x52, 0x93, 0x11, 0x40, 0x3, 0x47, 0x62, 0x34, 0x74, 0x30, 0xdd, 0x6b, 0x10, 0x1f, 0xca, 0xd8, 0x66, 0xcd, 0x64, 0x99, 0xfb, 0xab, 0xd5, 0xad, 0xbd, 0xe9, 0x5a, 0x9d, 0x4d, 0x93, 0x22, 0x3d, 0x8e, 0x90, 0x15, 0xd8, 0x76, 0x59, 0xbd, 0x57, 0xe0, 0x28, 0x2f, 0x36, 0x4a, 0x34, 0xb3, 0xdf, 0x43, 0x54, 0xdc, 0xda, 0x2c, 0xf9, 0x3b, 0x60, 0x89, 0xf0, 0xad, 0x97, 0x12, 0x0, 0x27, 0x14, 0x15, 0x20, 0x4f, 0x82, 0x99, 0x7f, 0x6, 0x2, 0x43, 0x92, 0xb6, 0x28, 0x68, 0x20, 0x57, 0x23, 0x11, 0xe1, 0xd7, 0x97, 0x90, 0xaa, 0xec, 0x14, 0xe4, 0x9, 0xf2, 0xa2, 0xf9, 0xac, 0x56, 0x53, 0x91, 0x27, 0xda, 0xc9, 0xda, 0xdb, 0xe3, 0xfe, 0x1e, 0x0, 0xb7, 0x34, 0x7, 0x7e, 0xe2, 0x88, 0xb2, 0xd2, 0xbb, 0xb5, 0xfa, 0x54, 0x9c, 0xd0, 0x2d, 0xf6, 0xc4, 0xf, 0x63, 0x4c, 0x6b, 0x6, 0x44, 0x50, 0x60, 0xce, 0x2f, 0x4a, 0xf4, 0x47, 0x3a, 0xfa, 0x9c, 0x1, 0x4a, 0x90, 0x60, 0xa, 0x5c, 0xc, 0x9c, 0xea, 0x81, 0xba, 0xbd, 0x98, 0xc0, 0x96, 0xd, 0xea, 0xe4, 0xd7, 0x2, 0xa, 0xd5, 0x9c, 0x41, 0x0, 0xe7, 0xef, 0x8c, 0x4, 0x7f, 0x2d, 0xd4, 0x39, 0xc8, 0xc0, 0x1f, 0x56, 0x9b, 0xe0, 0x64, 0xf2, 0xda, 0xe2, 0x8b, 0xb1, 0x34, 0x50, 0x18, 0x13, 0xbc, 0xc, 0xe1, 0xa5, 0x70, 0xbd, 0x66, 0x3e, 0x88, 0x6d, 0x13, 0xe7, 0x5d, 0xd0, 0xc1, 0x84, 0xd8, 0x9b, 0x7d, 0x48, 0xd8, 0xd4, 0x45, 0xd4, 0xd9, 0x48, 0x5, 0xe4, 0xea, 0xe, 0x8b, 0xcd, 0x40, 0x84, 0x3e, 0xf8, 0x26, 0x3d, 0x29, 0xf, 0xcd, 0xa3, 0xe4, 0xc5, 0xa3, 0x22, 0x30, 0x45, 0xd9, 0x3f, 0xa7, 0x2c, 0xfa, 0x3f, 0x66, 0x78, 0xa0, 0x63, 0x97, 0xa0, 0xd4, 0x0, 0x29, 0xdd, 0xea, 0xbf, 0x7a, 0x3f, 0x32, 0x88, 0xe3, 0xf2, 0xe5, 0x11, 0xcd, 0x84, 0x75, 0x92, 0xc2, 0x74, 0x7a, 0xe0, 0x2d, 0x3d, 0x61, 0x95, 0x34, 0x4b, 0x77, 0x1e, 0x88, 0x74, 0x78, 0x2c, 0xc5, 0x52, 0x9b, 0x9c, 0x8, 0x1f, 0x42, 0xbe, 0x3e, 0x3c, 0xdd, 0x3c, 0x5f, 0x3d, 0x3e, 0x22, 0x9e, 0x81, 0xf7, 0x5f, 0xb9, 0x9, 0xda, 0xc1, 0xb2, 0x39, 0x87, 0xba, 0x1b, 0x49, 0x8b, 0x4e, 0x16, 0x63, 0x72, 0x6b, 0xba, 0x32, 0x84, 0xd6, 0x59, 0xa5, 0xae, 0x13, 0xdb, 0x15, 0x39, 0xd3, 0xfb, 0x43, 0x0, 0x94, 0x8, 0xda, 0xe8, 0xe2, 0x94, 0x7c, 0x6c, 0x47, 0xbb, 0x65, 0x30, 0x44, 0xc4, 0x30, 0x16, 0x6b, 0x75, 0x6c, 0xf0, 0x19, 0x6d, 0x54, 0xd8, 0xd6, 0xbd, 0x5a, 0xb3, 0x2e, 0xc2, 0x98, 0x1e, 0x7e, 0x8e, 0x7d, 0x15, 0xf0, 0x10, 0x93, 0x1c, 0x75, 0x75, 0x60, 0xfa, 0xf6, 0x27, 0x43, 0xf8, 0xde, 0xef, 0x3b, 0x94, 0xa0, 0x3c, 0xd1, 0xaf, 0xb5, 0xcc, 0xb1, 0xab, 0x57, 0x29, 0x77, 0x51, 0xd6, 0xbc, 0xb5, 0x61, 0x9b, 0xdc, 0x52, 0x5a, 0x9d, 0xcd, 0x31, 0x6e, 0x80, 0xa6, 0xfa, 0xce, 0x85, 0xea, 0x1d, 0xa, 0x72, 0x7a, 0x25, 0x84, 0xab, 0x35, 0xd, 0xd7, 0xce, 0x1b, 0x26, 0x60, 0x6a, 0x61, 0xda, 0xd6, 0xb9, 0x4d, 0xf9, 0x23, 0xc0, 0xe, 0xae, 0xa0, 0x54, 0xec, 0x7e, 0x7f, 0x94, 0xe, 0x4e, 0x7a, 0x3a, 0x3c, 0x99, 0x5b, 0x76, 0x14, 0xd3, 0x79, 0x9d, 0xef, 0x4a, 0x8f, 0xfb, 0x24, 0xeb, 0x19, 0x2a, 0xe, 0xc5, 0xa2, 0x5e, 0x8c, 0xbc, 0x91, 0xb8, 0xe5, 0x16, 0x50, 0x92, 0xe7, 0xec, 0xd1, 0x3a, 0xdc, 0xaf, 0x70, 0x8f, 0xe2, 0xab, 0x8f, 0xf0, 0x4c, 0xa8, 0xbb, 0xa, 0x2b, 0x13, 0xf6, 0x15, 0xc8, 0x22, 0x99, 0xa, 0x77, 0x6d, 0x7, 0x5d, 0x73, 0x13, 0x2, 0x6c, 0x87, 0xb7, 0x83, 0x9f, 0x56, 0x87, 0xb7, 0xc3, 0xd7, 0xdd, 0x94, 0x36, 0x26, 0x49, 0xd2, 0xd6, 0x2e, 0xa0, 0x70, 0x5d, 0x94, 0x48, 0xd2, 0x58, 0x6a, 0x8c, 0x27, 0x8c, 0xe, 0x67, 0x16, 0xac, 0xe6, 0xb6, 0x70, 0xe3, 0x58, 0x4d, 0xa9, 0x71, 0x5, 0xdb, 0x53, 0x2, 0x84, 0x63, 0xd7, 0xe4, 0xfe, 0x2c, 0xb3, 0x14, 0x88, 0xc9, 0xb1, 0x99, 0x95, 0xcc, 0x78, 0xcc, 0x70, 0xd8, 0x6b, 0x4e, 0x61, 0x39, 0x45, 0xa4, 0x15, 0x26, 0xaf, 0x0, 0x2c, 0x11, 0x3d, 0x99, 0x4b, 0x49, 0x5, 0x17, 0x52, 0xd6, 0xcd, 0xa1, 0x2a, 0xe1, 0x32, 0x0, 0xb3, 0x9c, 0x6d, 0x4, 0x12, 0xa6, 0xbf, 0xe, 0x8c, 0x72, 0x63, 0x1b, 0xf3, 0xa9, 0x3, 0x9f, 0x5, 0x2b, 0x2, 0xde, 0xa2, 0x18, 0x36, 0x8f, 0xc9, 0xc5, 0x77, 0x3e, 0x90, 0x4d, 0xb2, 0xd5, 0x7c, 0xb7, 0xac, 0x72, 0xa3, 0x38, 0x78, 0x83, 0x14, 0x36, 0xb6, 0xc8, 0x79, 0xca, 0xf7, 0xf5, 0x3c, 0x90, 0xf4, 0x8a, 0x15, 0xb2, 0xbf, 0xf3, 0xd3, 0x7b, 0xd4, 0x96, 0x54, 0x9f, 0xdb, 0x2b, 0xba, 0x63, 0x8a, 0xe, 0x30, 0x15, 0xe7, 0xd6, 0xc4, 0xbe, 0x93, 0x7a, 0x49, 0xa, 0xe9, 0x67, 0xee, 0x63, 0x1e, 0x8c, 0x8b, 0x47, 0x13, 0x86, 0x61, 0xe5, 0xdd, 0xf2, 0xc8, 0xd9, 0x6b, 0xe3, 0x89, 0x86, 0x76, 0x8a, 0x51, 0x86, 0x14, 0x68, 0x47, 0xb0, 0xce, 0x8f, 0xd9, 0xcb, 0x65, 0xfe, 0xa1, 0x11, 0x8b, 0x3f, 0xf5, 0x2e, 0x87, 0xde, 0x2f, 0x80, 0xec, 0x8f, 0x3d, 0xd, 0xba, 0x9a, 0x1d, 0x38, 0x9f, 0x9a, 0x32, 0x1d, 0x9f, 0x13, 0x8d, 0x95, 0x87, 0xc5, 0xd9, 0xae, 0x21, 0x7, 0xda, 0xa7, 0xf6, 0xb9, 0x5c, 0x1, 0x6a, 0x6, 0x6, 0x9d, 0x5d, 0xed, 0xe3, 0xc4, 0x9e, 0x5, 0x1f, 0xca, 0xba, 0x6c, 0x71, 0x85, 0x42, 0x14, 0x1c, 0x53, 0xaa, 0x94, 0x94, 0x7a, 0x61, 0xef, 0x87, 0xad, 0xf4, 0xd6, 0x2f, 0x5e, 0xc3, 0x9a, 0xfb, 0x68, 0x24, 0x12, 0x47, 0xa0, 0xd2, 0xbc, 0xa6, 0x5c, 0x7c, 0xef, 0x3f, 0x42, 0x7a, 0xbd, 0x40, 0x80, 0x4c, 0x6, 0x52, 0xcb, 0x58, 0xab, 0x16, 0x47, 0x64, 0x4a, 0xd5, 0x4e, 0xef, 0x93, 0x8d, 0xd4, 0x2c, 0xc3, 0x97, 0x70, 0xd1, 0xf7, 0x42, 0xcf, 0x7f, 0xd1, 0x73, 0xa1, 0x49, 0xb2, 0xf5, 0xcd, 0x98, 0xe2, 0xff, 0xf, 0xfe, 0x66, 0xb6, 0x51, 0x2e, 0x7b, 0xa4, 0xbe, 0x61, 0x3f, 0xa4, 0xaf, 0xd3, 0xba, 0x17, 0x21, 0x37, 0x7d, 0x2f, 0x6e, 0x65, 0xef, 0x9c, 0xa0, 0x21, 0x65, 0xe7, 0x8f, 0xa5, 0xe8, 0x66, 0xc9, 0xb8, 0xb3, 0xc7, 0xeb, 0x47, 0x5a, 0x11, 0x3a, 0x20, 0x25, 0x73, 0xe5, 0x4b, 0x5c, 0x8d, 0x58, 0x81, 0xfe, 0x3c, 0xa0, 0x49, 0x1f, 0xf3, 0xe2, 0x32, 0x61, 0xc4, 0xec, 0xa7, 0xb7, 0x8, 0xc1, 0xe5, 0xbb, 0x4c, 0x2e, 0xd2, 0xbf, 0x8e, 0xa7, 0xa5, 0x62, 0xd2, 0x8b, 0x18, 0xdf, 0x33, 0x40, 0x97, 0xb7, 0xae, 0xd1, 0xf7, 0x4d, 0xea, 0xde, 0x11, 0xcf, 0xea, 0xe3, 0xac, 0x53, 0x4a, 0x77, 0xcc, 0x99, 0xf6, 0xc1, 0x5c, 0x10, 0x71, 0x3a, 0x37, 0xe0, 0x20, 0x7a, 0x3d, 0x13, 0x7f, 0x98, 0x51, 0xd7, 0x71, 0x58, 0x21, 0xae, 0x4, 0xee, 0x86, 0xab, 0x99, 0x2c, 0x8c, 0xf, 0x13, 0xb0, 0x1a, 0xec, 0xc2, 0x25, 0x77, 0xf1, 0x8f, 0x96, 0xe8, 0x60, 0xb, 0x98, 0xa, 0x94, 0x93, 0xa5, 0xa4, 0xe1, 0xb1, 0xcc, 0xe9, 0x20, 0xb0, 0x15, 0xed, 0x15, 0xec, 0xb, 0xa0, 0x64, 0xcc, 0x54, 0xd7, 0x77, 0x82, 0x73, 0x68, 0x41, 0x33, 0x9c, 0xd0, 0x90, 0x51, 0xb6, 0x1f, 0xc3, 0x2d, 0xe0, 0x4f, 0x29, 0x53, 0xae, 0x94, 0x1c, 0x1a, 0xcd, 0x72, 0x83, 0xe6, 0x10, 0xcd, 0x80, 0xa2, 0xf9, 0x94, 0x20, 0xa7, 0xd, 0x8a, 0x7b, 0xaa, 0x32, 0x52, 0x4, 0x4e, 0x24, 0x3, 0x9c, 0xb6, 0x81, 0x9a, 0x96, 0x55, 0xd9, 0x98, 0x7e, 0xca, 0xb4, 0x93, 0x12, 0xb0, 0x3a, 0x8f, 0xd6, 0x1d, 0x42, 0x31, 0x16, 0x82, 0x8c, 0x73, 0xc3, 0x22, 0x64, 0x10, 0xa0, 0xf9, 0x4f, 0x2c, 0xf8, 0x45, 0x38, 0xf4, 0xc5, 0x8f, 0xf5, 0xa0, 0x1a, 0xbe, 0xac, 0x79, 0xb4, 0x3b, 0x70, 0xc2, 0x1a, 0x7a, 0x10, 0x37, 0x85, 0xb5, 0x57, 0xc8, 0x6b, 0xd8, 0x58, 0x92, 0xb4, 0xd1, 0xcc, 0xda, 0xbc, 0xde, 0x14, 0xdf, 0x57, 0x29, 0x85, 0xae, 0xc4, 0xd7, 0x68, 0xab, 0x24, 0xd0, 0x59, 0x4e, 0x73, 0xd4, 0xb5, 0xd8, 0x7e, 0x80, 0xcc, 0x95, 0xc4, 0xc8, 0x40, 0x87, 0x5f, 0xb3, 0xb9, 0x1d, 0x29, 0x5a, 0xdd, 0xae, 0x84, 0xbe, 0x95, 0xb9, 0x4f, 0xf8, 0x60, 0xb3, 0x80, 0xfa, 0x76, 0x1a, 0xa6, 0x8d, 0xc6, 0xd5, 0x55, 0xdc, 0x54, 0x15, 0xca, 0x1d, 0x44, 0x8b, 0x59, 0x9c, 0x27, 0x3b, 0x77, 0xb9, 0x23, 0x99, 0xd3, 0xfc, 0x9e, 0xbf, 0x36, 0x3c, 0x1d, 0x33, 0x33, 0x99, 0xe3, 0x8d, 0x29, 0x8e, 0x84, 0x4c, 0x2d, 0x56, 0x7f, 0xa2, 0xa1, 0x77, 0x8e, 0xdb, 0xcf, 0x70, 0xab, 0xb8, 0x57, 0xea, 0x55, 0xc8, 0x94, 0xba, 0x79, 0x78, 0x6f, 0xae, 0x9d, 0xdb, 0xdc, 0x38, 0x6a, 0x63, 0x7f, 0x36, 0x7, 0x4f, 0x4c, 0xcb, 0xd5, 0x76, 0xe, 0xb7, 0x3f, 0x94, 0x9f, 0x8b, 0x8b, 0xb6, 0xa8, 0xba, 0x10, 0x35, 0xb0, 0x1f, 0x7a, 0xd0, 0x9e, 0xa, 0x78, 0x46, 0xc2, 0xc2, 0x9f, 0x54, 0x6d, 0x15, 0x14, 0x5, 0x3c, 0xca, 0x81, 0x77, 0x60, 0x31, 0x3f, 0x95, 0xc2, 0x13, 0x54, 0xd9, 0xd8, 0x69, 0x2c, 0x5e, 0x95, 0xe3, 0x82, 0xd2, 0x7b, 0xdc, 0xfa, 0x0, 0xb3, 0xb4, 0x1, 0x79, 0xc2, 0x63, 0x11, 0x4b, 0xa1, 0xf3, 0x8b, 0x9b, 0x89, 0xe0, 0x36, 0x92, 0xfd, 0xa, 0xda, 0xc6, 0xcb, 0xec, 0x91, 0xb0, 0x42, 0x97, 0xd2, 0xd1, 0x5a, 0x6f, 0xac, 0x1d, 0xbb, 0x6e, 0xf7, 0x1c, 0xa9, 0x53, 0x1d, 0xe6, 0x80, 0xe7, 0x1e, 0x1f, 0xd3, 0x12, 0xa4, 0x10, 0x41, 0x77, 0xcf, 0xef, 0x13, 0xba, 0xc3, 0x87, 0x2d, 0x76, 0xd, 0x45, 0xdf, 0xb4, 0x4b, 0x37, 0x1f, 0x9a, 0x51, 0x47, 0x41, 0x2, 0x86, 0x28, 0x20, 0xf0, 0x72, 0xb3, 0x26, 0xac, 0x1e, 0x98, 0xd0, 0xc8, 0xeb, 0x85, 0xa7, 0xca, 0xa7, 0xd4, 0xa9, 0xe9, 0x58, 0xdf, 0xdb, 0xd, 0xc5, 0x53, 0xd9, 0x8f, 0xf, 0x59, 0xfd, 0xcc, 0x61, 0x63, 0x9d, 0x17, 0xc9, 0xe6, 0x44, 0x6b, 0x62, 0xe9, 0x72, 0xcf, 0x64, 0xeb, 0x22, 0x10, 0x61, 0xd9, 0x7f, 0xf3, 0x88, 0xb2, 0x9e, 0x7e, 0xbb, 0x3e, 0x86, 0x3, 0x44, 0x7e, 0x9, 0xa, 0xa, 0xe1, 0x15, 0x65, 0x46, 0x85, 0x19, 0x86, 0xa, 0x3d, 0xcb, 0x26, 0x48, 0x7d, 0xd6, 0x11, 0xe2, 0xd8, 0x88, 0x39, 0x28, 0x9d, 0xb, 0x6e, 0xf6, 0x9a, 0xb3, 0xa8, 0x5c, 0x47, 0xbd, 0x88, 0x45, 0xf9, 0xa5, 0xb, 0xb8, 0x77, 0xc0, 0x66, 0x79, 0x6b, 0xe0, 0x6c, 0xc2, 0x27, 0xda, 0x85, 0x14, 0xdb, 0xfe, 0xe0, 0xd5, 0xf, 0xfe, 0x3a, 0xd3, 0x90, 0xd2, 0x3d, 0x58, 0x6, 0x13, 0xf3, 0x2, 0x62, 0x68, 0x2e, 0x62, 0x7c, 0x43, 0xa0, 0xd, 0xb1, 0x5, 0xc8, 0x7b, 0x6a, 0x7, 0xf, 0xaa, 0x9a, 0xbf, 0x43, 0x4e, 0x8f, 0x8f, 0xfb, 0x4e, 0xe9, 0x25, 0x6d, 0xc2, 0x3d, 0xfa, 0xb7, 0xc9, 0x35, 0x8a, 0xc5, 0x3, 0xff, 0x96, 0x93, 0xfb, 0xe5, 0xe0, 0xce, 0x94, 0xc3, 0xeb, 0x43, 0x38, 0x7e, 0xa7, 0x60, 0xde, 0x61, 0x83, 0x95, 0x65, 0xde, 0xce, 0x40, 0xb5, 0x22, 0xc, 0x9, 0x75, 0x90, 0xbf, 0xd4, 0x67, 0xc2, 0xb7, 0xaa, 0x42, 0xde, 0x2c, 0x93, 0xd6, 0xb0, 0x5a, 0xed, 0xf9, 0x18, 0xba, 0xd9, 0x60, 0x46, 0x6e, 0xa6, 0x2a, 0xa6, 0x3b, 0x6a, 0xa9, 0x9e, 0xab, 0x7b, 0xf9, 0x4b, 0xb2, 0x32, 0xe, 0xb6, 0xe3, 0x42, 0x96, 0x3, 0x5d, 0xd5, 0x9b, 0x4d, 0x7c, 0x6, 0x45, 0x6a, 0x4e, 0xa4, 0xa6, 0xd4, 0x7e, 0x9e, 0x5b, 0x6c, 0x66, 0xb0, 0x31, 0x8a, 0x67, 0xf5, 0x7c, 0x7b, 0x87, 0x20, 0xb6, 0x98, 0x39, 0xae, 0x1, 0x3, 0xd5, 0x96, 0xb3, 0xf, 0xc0, 0xc5, 0x57, 0x42, 0x73, 0xa6, 0x72, 0xe6, 0x4, 0xa0, 0x18, 0xfb, 0xf9, 0x51, 0x88, 0x75, 0xe8, 0xeb, 0xd8, 0x8b, 0xff, 0x44, 0xba, 0x99, 0x5d, 0xc6, 0xe4, 0x64, 0x1e, 0xb7, 0x93, 0xfd, 0x7d, 0xdf, 0xae, 0x8e, 0x4b, 0x8c, 0x6b, 0xe7, 0x4, 0x98, 0x2a, 0x2f, 0xba, 0xbd, 0xdd, 0x56, 0x9b, 0xf0, 0xa2, 0x2, 0xae, 0xf3, 0x1c, 0x2f, 0x8a, 0xac, 0xb5, 0x39, 0x13, 0xd, 0xff, 0x9d, 0x83, 0xc7, 0x69, 0xb5, 0xf2, 0x3d, 0xa4, 0xe9, 0xfe, 0x64, 0xe8, 0xb9, 0xb0, 0x4e, 0x6, 0xbb, 0x77, 0x41, 0xca, 0xf8, 0x4f, 0x63, 0x9f, 0x24, 0xfd, 0x12, 0x28, 0x5a, 0x14, 0x9a, 0x68, 0x6f, 0xf8, 0xac, 0xbe, 0xb7, 0x3a, 0x5e, 0x5f, 0xd3, 0x1, 0x27, 0xec, 0xaf, 0x9b, 0xb7, 0xc7, 0x57, 0xae, 0xdd, 0x3f, 0xa2, 0xbb, 0x22, 0x25, 0x93, 0x1b, 0xf2, 0x42, 0x53, 0x34, 0xa3, 0x4a, 0x6d, 0x55, 0xfe, 0x80, 0x9c, 0xfd, 0x61, 0xbb, 0x25, 0x65, 0xba, 0x7, 0x39, 0xa0, 0x33, 0x89, 0x21, 0xff, 0xe1, 0x10, 0xb0, 0x38, 0x7b, 0x11, 0x52, 0xaa, 0x54, 0xb6, 0x66, 0xc0, 0xea, 0xe6, 0xf2, 0x94, 0x20, 0x19, 0x14, 0x8e, 0xb2, 0xf2, 0x32, 0xd, 0xca, 0x7d, 0xa2, 0x66, 0x92, 0xbe, 0xab, 0xfb, 0x21, 0xb1, 0xe6, 0xb2, 0x76, 0x0, 0x33, 0xe1, 0xfb, 0x50, 0x18, 0x28, 0x15, 0x0, 0x89, 0x97, 0xec, 0x81, 0x35, 0x9, 0xf5, 0x77, 0xff, 0x75, 0xed, 0xdd, 0xb1, 0x69, 0x5, 0x51, 0x10, 0xab, 0x8f, 0xb1, 0xf0, 0x7c, 0xef, 0xcf, 0x9c, 0xa8, 0x31, 0xed, 0x3c, 0x95, 0x9, 0x40, 0x91, 0xeb, 0x5f, 0xf8, 0x51, 0x31, 0xad, 0x48, 0xed, 0x88, 0x87, 0x1b, 0x9f, 0x3c, 0x1e, 0xb2, 0xf, 0xe9, 0xe0, 0x7, 0x8f, 0xa1, 0xa1, 0xfc, 0xa7, 0xbb, 0x80, 0x2b, 0xfd, 0x0, 0xb5, 0x67, 0xcd, 0x95, 0x27, 0x7f, 0x38, 0x20, 0xf7, 0x7, 0x97, 0xd3, 0xe7, 0xa4, 0x89, 0x5b, 0xce, 0x7, 0x44, 0x89, 0x3f, 0xad, 0x83, 0x8f, 0x32, 0x61, 0x22, 0x6c, 0x94, 0x5b, 0x2, 0xa0, 0x3b, 0xc1, 0x6, 0xf9, 0xc7, 0x63, 0x95, 0xc7, 0x25, 0xb0, 0x7b, 0x4e, 0x31, 0x8f, 0x54, 0x5f, 0x1f, 0xc, 0xde, 0x4f, 0x49, 0x89, 0x75, 0xff, 0x20, 0xec, 0xb6, 0xe5, 0xbe, 0x1a, 0x8a, 0xbf, 0x6c, 0xdb, 0xe1, 0x87, 0xfb, 0x78, 0x22, 0x70, 0x8f, 0x65, 0xed, 0x35, 0x7a, 0xad, 0x47, 0xc4, 0xf2, 0xcc, 0xd0, 0x3, 0x38, 0xaa, 0xd4, 0x48, 0x3, 0x7c, 0x9a, 0x81, 0x38, 0xb3, 0xac, 0x80, 0xcc, 0xce, 0x17, 0x6e, 0x9e, 0xc8, 0xc7, 0x9b, 0x82, 0x1d, 0xbe, 0x3, 0x8b, 0x6b, 0x73, 0x46, 0xaa, 0x5e, 0x3b, 0xd4, 0x42, 0xf7, 0x26, 0x21, 0x85, 0x9b, 0xa5, 0xdf, 0x66, 0x7, 0x4a, 0x5, 0x45, 0xfd, 0x6b, 0x12, 0x36, 0x5e, 0xd, 0x9d, 0x8f, 0x8a, 0x4f, 0x38, 0xd7, 0xfb, 0xf8, 0xa1, 0xcc, 0xfc, 0x63, 0xd5, 0xf5, 0x80, 0x76, 0x31, 0x28, 0xa9, 0x80, 0xf2, 0x55, 0x50, 0xca, 0x48, 0xcf, 0x78, 0xb5, 0x27, 0xb2, 0x81, 0xb, 0xe0, 0x14, 0xa5, 0x94, 0x29, 0x18, 0xd9, 0xaa, 0x10, 0xc0, 0xcd, 0x8b, 0x35, 0x1f, 0x30, 0x3f, 0xe6, 0xf8, 0x47, 0x9d, 0xa, 0x99, 0x9e, 0x68, 0x7, 0x3a, 0xd4, 0x43, 0x4f, 0x2f, 0x9e, 0x68, 0x1f, 0x4, 0x9, 0x92, 0x90, 0x16, 0x2a, 0x54, 0x4d, 0x7, 0xa7, 0xa0, 0x9c, 0xd5, 0x93, 0xa2, 0xae, 0x65, 0x80, 0xc6, 0x8a, 0x45, 0xfe, 0x61, 0xd0, 0x8c, 0x0, 0x90, 0x0, 0x1b, 0xbf, 0x33, 0x10, 0xb6, 0x6d, 0x8a, 0xc0, 0x58, 0x95, 0x74, 0x29, 0x94, 0x87, 0x5d, 0xc3, 0xa7, 0xd3, 0xe6, 0xe, 0xe5, 0xba, 0x56, 0x3, 0x58, 0x65, 0x2e, 0x4, 0xfd, 0x22, 0x33, 0x64, 0x8d, 0x69, 0x59, 0x9f, 0x67, 0x19, 0xa6, 0x50, 0x15, 0xae, 0x79, 0x93, 0x1e, 0x98, 0xc9, 0xfc, 0x62, 0xae, 0xb9, 0x64, 0xc6, 0x34, 0x29, 0x6d, 0x31, 0xd6, 0xd3, 0xae, 0xeb, 0x65, 0x4e, 0x5e, 0x2, 0xb3, 0x54, 0x24, 0x28, 0x4, 0x95, 0xf9, 0x47, 0xf6, 0x9, 0xab, 0xcd, 0x71, 0x6e, 0xa6, 0x50, 0x9e, 0xc9, 0x34, 0xe9, 0x13, 0xb7, 0x75, 0x15, 0xf9, 0x94, 0x17, 0xb9, 0x57, 0x45, 0xe0, 0x90, 0xde, 0x40, 0x1e, 0x18, 0x56, 0x7d, 0x26, 0x8b, 0x8c, 0x17, 0x3c, 0xad, 0x32, 0x79, 0xc9, 0x7d, 0x10, 0x62, 0x90, 0xd3, 0x1b, 0x31, 0x81, 0x52, 0x1d, 0x20, 0xa2, 0x9e, 0xb7, 0x5b, 0xbc, 0xeb, 0x5e, 0xd6, 0x35, 0xd0, 0xf4, 0x5c, 0xb7, 0xa6, 0xf, 0x61, 0xef, 0x30, 0xca, 0xe0, 0x99, 0x61, 0x2a, 0x70, 0xc1, 0xe8, 0xa, 0x56, 0x99, 0x6b, 0x6a, 0xd4, 0xbf, 0xc, 0xc3, 0x1c, 0x61, 0xe6, 0xd5, 0x6b, 0xb7, 0x6a, 0x98, 0x5b, 0x75, 0x8b, 0xb7, 0xe, 0x1e, 0xbd, 0x4b, 0x91, 0x34, 0x77, 0x9f, 0xf3, 0x7e, 0xea, 0x56, 0x95, 0xa1, 0xff, 0x4c, 0xc0, 0xe2, 0x57, 0x31, 0xd5, 0x69, 0xce, 0x8e, 0x8b, 0xf7, 0x65, 0x4, 0xe1, 0xa6, 0x78, 0x26, 0xe5, 0xd4, 0x7b, 0xa3, 0x14, 0xf6, 0xec, 0xe5, 0x40, 0x3e, 0xc2, 0x74, 0xfa, 0x6, 0x4, 0x9d, 0xf2, 0x74, 0x86, 0xd, 0x28, 0x61, 0xd8, 0x95, 0xfc, 0x6a, 0x9f, 0x8, 0xf1, 0xae, 0x2, 0xc7, 0xea, 0xba, 0xab, 0xb4, 0x66, 0x34, 0x2b, 0x7d, 0x2a, 0xe4, 0x95, 0xd5, 0x5d, 0xc8, 0xd4, 0x19, 0xf3, 0x20, 0x54, 0xc2, 0xf5, 0xd4, 0x1e, 0x49, 0x48, 0xba, 0x8a, 0x43, 0x31, 0x33, 0xdb, 0xdd, 0xc1, 0xed, 0x9, 0x5f, 0xb8, 0x31, 0xd3, 0xd3, 0xb3, 0xc1, 0x4a, 0xe6, 0x8a, 0xa8, 0x4a, 0x35, 0x45, 0xf, 0xfd, 0x50, 0xec, 0x2f, 0xd3, 0x26, 0xb6, 0xa8, 0x4f, 0x83, 0x28, 0xe8, 0xd4, 0xfb, 0xdc, 0x1b, 0x39, 0x25, 0x52, 0xcd, 0x66, 0x28, 0x5a, 0xe4, 0xb3, 0x7a, 0xf, 0x81, 0x32, 0x47, 0x9d, 0xfa, 0x93, 0xf2, 0x5, 0xc9, 0xb4, 0xd6, 0xc1, 0xd8, 0x97, 0xb5, 0x61, 0x34, 0x47, 0x80, 0xac, 0x10, 0x5, 0x6a, 0x43, 0xc2, 0x36, 0x92, 0xef, 0x11, 0x3d, 0x30, 0x4b, 0xe5, 0xb6, 0x3e, 0x63, 0x97, 0xf1, 0xc, 0x9e, 0xfd, 0x94, 0x49, 0x17, 0xd2, 0x8d, 0xeb, 0xd5, 0x98, 0x44, 0xc1, 0x11, 0x95, 0x6c, 0x2e, 0x8c, 0xe7, 0xc1, 0xfd, 0x77, 0xe5, 0x77, 0x65, 0x4f, 0xbe, 0x1, 0x74, 0xf3, 0x8d, 0xa7, 0x56, 0x81, 0xd3, 0xa5, 0x82, 0x12, 0x3b, 0x53, 0xbe, 0x16, 0x7, 0xeb, 0x96, 0x7f, 0xe0, 0x91, 0x25, 0x1f, 0x74, 0x37, 0x38, 0xcd, 0x29, 0xe2, 0x6e, 0x39, 0x64, 0x9d, 0xc4, 0xdb, 0x4b, 0x8f, 0x26, 0x9d, 0x26, 0x2, 0x71, 0x59, 0xe6, 0x5, 0x63, 0x9a, 0xce, 0xc6, 0x39, 0x6b, 0x89, 0x45, 0x2, 0xb3, 0x10, 0x71, 0x24, 0x5e, 0xc0, 0x72, 0x0, 0x13, 0xa9, 0xa8, 0x19, 0x52, 0x84, 0xc2, 0x9f, 0x2a, 0xe, 0xb1, 0x8c, 0x15, 0x88, 0xc6, 0x91, 0xf1, 0x39, 0x41, 0xf6, 0xc6, 0xcb, 0x56, 0x82, 0xb6, 0xd3, 0x78, 0x46, 0xa3, 0x7e, 0x31, 0x8, 0xd9, 0x94, 0xf5, 0x4a, 0xfd, 0x1, 0x92, 0x95, 0x2f, 0x6f, 0x2f, 0x4f, 0x91, 0x7c, 0x8, 0x55, 0xb3, 0xf5, 0x23, 0xd6, 0x9, 0xba, 0x1a, 0x7c, 0x95, 0xc1, 0x74, 0xdd, 0xbb, 0x27, 0x7c, 0xd5, 0x16, 0xd7, 0x17, 0x55, 0x2a, 0xab, 0x52, 0x85, 0x3f, 0x8f, 0x2d, 0x29, 0xa4, 0xd3, 0x50, 0x7c, 0x4, 0xc6, 0xb2, 0x9c, 0x97, 0x46, 0x2c, 0xcd, 0x91, 0x6d, 0x36, 0x15, 0xc8, 0xe2, 0xe4, 0xf0, 0xa3, 0xda, 0xea, 0xbe, 0xa2, 0x40, 0x83, 0xe0, 0x41, 0x24, 0x59, 0x7a, 0x16, 0xfb, 0x47, 0x3, 0x24, 0xe9, 0xe9, 0x75, 0x46, 0x0, 0x6e, 0x44, 0xe, 0x84, 0xff, 0xaa, 0x48, 0x78, 0x72, 0x8f, 0x30, 0xea, 0x8f, 0x25, 0x9f, 0x9f, 0xd9, 0xfa, 0x9b, 0x63, 0x99, 0x28, 0xf1, 0x50, 0xf6, 0xa, 0x5c, 0x20, 0x63, 0xae, 0x39, 0x9, 0x38, 0x79, 0x6d, 0x48, 0x3e, 0xde, 0xcd, 0xbc, 0x45, 0x8f, 0xea, 0x81, 0xea, 0xc0, 0xb4, 0xaf, 0xda, 0x52, 0xb5, 0xb2, 0x5c, 0x2a, 0xf1, 0x3e, 0xe2, 0xea, 0x78, 0x38, 0x78, 0xa3, 0xe6, 0x6f, 0x55, 0x8f, 0x54, 0x8d, 0x98, 0x53, 0xb8, 0x3f, 0xaf, 0x33, 0x3c, 0x79, 0xc5, 0xa3, 0xaa, 0x47, 0x29, 0xab, 0x5a, 0x11, 0x21, 0x2d, 0x4e, 0x49, 0xde, 0xac, 0xbe, 0x50, 0xba, 0xce, 0xad, 0xd2, 0xe5, 0xaf, 0x95, 0xf1, 0x36, 0x12, 0x5d, 0x46, 0x13, 0x44, 0xcd, 0x2d, 0x12, 0x3c, 0xdb, 0x3, 0x5d, 0xb1, 0xf7, 0xc8, 0x35, 0x3b, 0xcf, 0xf1, 0x7f, 0xc1, 0x4f, 0xb5, 0xe2, 0x30, 0x8d, 0xbc, 0xae, 0x72, 0xe6, 0x40, 0xb9, 0xa3, 0x3a, 0xe7, 0x75, 0x8f, 0xf3, 0x2, 0x8d, 0x84, 0x32, 0xa0, 0x5, 0xa, 0xb1, 0x3b, 0x21, 0xdb, 0xa0, 0x1c, 0x2a, 0x90, 0x8d, 0x68, 0x2f, 0xa7, 0xe9, 0xc5, 0xbc, 0xdd, 0xe4, 0xe7, 0x5d, 0xdb, 0x67, 0xf5, 0x63, 0x3b, 0x61, 0xe7, 0x28, 0x9b, 0x83, 0xbe, 0xd, 0x4, 0xa6, 0x7d, 0xc6, 0x77, 0xcc, 0x81, 0x26, 0x10, 0x4d, 0x23, 0xfb, 0x88, 0x2b, 0x69, 0x82, 0x35, 0x59, 0xd0, 0xfa, 0x35, 0x9d, 0x6e, 0x98, 0x1b, 0x5, 0x56, 0xfe, 0x3c, 0x41, 0xc7, 0x52, 0x23, 0x6b, 0xf4, 0x5e, 0xed, 0xce, 0x3c, 0x85, 0x52, 0xa4, 0x3a, 0x21, 0x16, 0x6f, 0xb7, 0xe2, 0x27, 0xc6, 0x6f, 0x14, 0x75, 0xb1, 0xbb, 0x51, 0x3a, 0x57, 0x91, 0xc5, 0x9b, 0x56, 0xa0, 0xd5, 0x43, 0x82, 0x35, 0x9e, 0x6d, 0x1, 0xa7, 0x92, 0x66, 0x1d, 0xac, 0x56, 0xc, 0xac, 0xd, 0x5f, 0xd, 0x59, 0xda, 0xb5, 0x33, 0x38, 0x99, 0x91, 0x74, 0x81, 0xde, 0x3, 0x78, 0x6, 0xa8, 0xd0, 0x75, 0xbf, 0x4d, 0x12, 0xf2, 0xb4, 0x65, 0xfb, 0xc, 0xf8, 0xcc, 0x32, 0x2, 0x96, 0xcc, 0x5e, 0x3c, 0xcc, 0xbe, 0xf7, 0xf5, 0xdd, 0x87, 0xb9, 0xf8, 0x35, 0x6d, 0xa7, 0xaf, 0xfe, 0x21, 0xcf, 0x77, 0x1d, 0x75, 0x51, 0x9c, 0x27, 0x41, 0x50, 0x2b, 0xc9, 0x6f, 0xeb, 0x26, 0xc7, 0x47, 0xf4, 0x54, 0xfb, 0x4c, 0xc8, 0xb7, 0x18, 0x4b, 0xee, 0xcf, 0x18, 0xa6, 0xab, 0x8d, 0xf8, 0xb0, 0xc8, 0xe0, 0x95, 0x5c, 0x0, 0x9a, 0x46, 0x3f, 0xdf, 0x39, 0x18, 0xd1, 0xf3, 0x28, 0x12, 0xcf, 0x98, 0x7d, 0x5, 0xbd, 0x54, 0xcb, 0x32, 0x1f, 0x87, 0x57, 0xc4, 0xe1, 0x2, 0x1a, 0x5, 0x79, 0xcb, 0x32, 0x76, 0x7d, 0x20, 0x94, 0x85, 0xac, 0x21, 0x94, 0x3, 0xfe, 0x5b, 0x26, 0x8b, 0xce, 0x48, 0x68, 0x7e, 0x59, 0x3e, 0xd, 0x9e, 0x1f, 0x18, 0x9, 0x64, 0xe2, 0x14, 0xf4, 0x1, 0xd0, 0xc9, 0xd, 0x35, 0x8a, 0xcd, 0x48, 0x37, 0xe8, 0x44, 0x4, 0x4f, 0x7b, 0x1e, 0xc8, 0xdd, 0xe, 0xd0, 0xa9, 0xc6, 0x45, 0x8e, 0x94, 0x8, 0x7a, 0xb7, 0xd8, 0x20, 0xc, 0xe5, 0x3c, 0x29, 0xb7, 0x71, 0x3, 0x67, 0x74, 0x29, 0x57, 0x5a, 0x71, 0x40, 0x45, 0x72, 0xae, 0x98, 0xe7, 0xa9, 0x6a, 0x42, 0xb6, 0x71, 0xf9, 0xec, 0xeb, 0xd5, 0x79, 0xf3, 0x98, 0xd4, 0xaa, 0xbb, 0xb2, 0xd7, 0x6f, 0x6b, 0xd4, 0x69, 0x39, 0xf9, 0xb6, 0x46, 0xff, 0x55, 0xe1, 0xd2, 0x29, 0xe3, 0x9a, 0x38, 0xd7, 0xcc, 0x8a, 0x24, 0x22, 0x12, 0x3a, 0x8, 0xb2, 0x66, 0xe3, 0x64, 0x32, 0xef, 0xc0, 0x6e, 0x1f, 0x28, 0xee, 0xfd, 0x5a, 0x4, 0xb7, 0x59, 0x56, 0xb5, 0xb, 0x43, 0xe6, 0x40, 0x3a, 0x82, 0x7a, 0x79, 0xa, 0x90, 0xe1, 0x4, 0x2a, 0x59, 0x24, 0x76, 0x65, 0xee, 0xc9, 0x4a, 0x9d, 0xe0, 0xcd, 0x4a, 0xa5, 0x5e, 0x4b, 0x3f, 0x46, 0xb6, 0x52, 0xa7, 0x65, 0xca, 0xd3, 0xd3, 0x9e, 0xfe, 0x1e, 0xdd, 0x6, 0x54, 0x30, 0xbe, 0x6d, 0x7a, 0xe2, 0x57, 0x19, 0x5d, 0xdd, 0x7f, 0xdc, 0xb7, 0x8e, 0x8f, 0x4d, 0x7d, 0x38, 0x76, 0x68, 0x4a, 0xf5, 0xe4, 0x2d, 0x76, 0xc7, 0x9, 0x94, 0x47, 0x9c, 0x78, 0x7, 0xb3, 0x99, 0x5d, 0x5b, 0x4d, 0xbe, 0x82, 0x36, 0x79, 0x6e, 0x56, 0xc, 0x38, 0x25, 0xe3, 0x40, 0xc7, 0xda, 0xf3, 0x37, 0x2d, 0x60, 0xae, 0xe4, 0x66, 0x15, 0xbe, 0xea, 0xd, 0x14, 0x1e, 0x86, 0x9a, 0xc4, 0x26, 0x61, 0xee, 0xea, 0x6, 0xd, 0x4f, 0xe1, 0x65, 0x3b, 0x4f, 0x2, 0x17, 0xfc, 0x9b, 0xc6, 0xe8, 0xf1, 0xa3, 0x51, 0x81, 0x63, 0x68, 0xa7, 0xe9, 0xa8, 0xc3, 0xc3, 0xc8, 0xd4, 0x3, 0xb1, 0x2c, 0x75, 0x0, 0x34, 0x6b, 0xb3, 0x18, 0x92, 0x13, 0x46, 0xbc, 0x2, 0x4a, 0x50, 0x51, 0x76, 0xeb, 0x75, 0x7f, 0xc6, 0xfa, 0xeb, 0x2a, 0xd0, 0x56, 0x8b, 0x84, 0xd6, 0x9b, 0x26, 0x82, 0x17, 0xdb, 0x81, 0x83, 0x95, 0x50, 0xe5, 0x97, 0x25, 0x79, 0xbf, 0x34, 0xae, 0x53, 0x51, 0x38, 0x5f, 0x64, 0x60, 0x5c, 0xbb, 0x48, 0x80, 0x8, 0xe3, 0xaf, 0x96, 0xe, 0x6f, 0x56, 0x44, 0x88, 0x77, 0x15, 0x2, 0x6a, 0xbf, 0xa7, 0xe, 0x31, 0x69, 0x8c, 0x68, 0xb5, 0xb3, 0xde, 0xd2, 0xfa, 0x4, 0x95, 0x42, 0xc9, 0x17, 0x4d, 0x6d, 0x89, 0x17, 0xe5, 0xf0, 0x20, 0xe0, 0xa9, 0xa1, 0xe5, 0xbb, 0x8d, 0x42, 0xa4, 0xcc, 0x67, 0xbd, 0x26, 0x31, 0x5f, 0xfd, 0x87, 0x81, 0x26, 0x58, 0x10, 0x48, 0x3a, 0x97, 0x36, 0x0, 0xa0, 0x61, 0xbd, 0xb8, 0x63, 0x66, 0x9b, 0xa3, 0x8, 0xa8, 0x65, 0x2d, 0xef, 0xde, 0x42, 0x6d, 0x19, 0x6b, 0x63, 0x94, 0x4f, 0x4, 0x69, 0x49, 0x4c, 0x56, 0x5d, 0xdd, 0x47, 0xee, 0x11, 0xf6, 0x77, 0x30, 0x87, 0xd2, 0x49, 0x3a, 0x2f, 0x7b, 0x14, 0xb2, 0x82, 0xf, 0xdd, 0xd8, 0xb0, 0x3, 0xc6, 0xcb, 0x3, 0xf1, 0xf9, 0x34, 0xc, 0x46, 0x19, 0x9e, 0xd7, 0x18, 0x3, 0x5c, 0x2e, 0xf3, 0xf8, 0x17, 0x41, 0xa8, 0xba, 0x88, 0x88, 0x8b, 0x77, 0x26, 0x72, 0xc0, 0xdc, 0x37, 0x3c, 0x8f, 0x27, 0xf, 0x1c, 0x1c, 0xe9, 0x1b, 0xd2, 0x10, 0xc6, 0xa0, 0xf7, 0xe0, 0x68, 0x84, 0x7c, 0xd4, 0xe0, 0xc0, 0xec, 0xad, 0x13, 0x22, 0xf0, 0x9b, 0x6e, 0x7b, 0xfe, 0xb7, 0x60, 0x41, 0x55, 0x97, 0xb2, 0x3f, 0xa, 0x40, 0x9a, 0x18, 0x16, 0x7d, 0x1e, 0xca, 0x28, 0xe3, 0xea, 0x9b, 0x3e, 0xd7, 0xcc, 0xd8, 0x93, 0xe7, 0x97, 0x4b, 0xd0, 0xd, 0xcc, 0xb8, 0x6d, 0x50, 0x9b, 0x3c, 0xc8, 0xa9, 0x4c, 0x81, 0x38, 0xcf, 0xae, 0x7a, 0xd4, 0x5c, 0xe6, 0x45, 0x4b, 0xb6, 0xd, 0x43, 0xfc, 0x26, 0x84, 0xea, 0x18, 0xd8, 0x99, 0x54, 0x9b, 0x7, 0x41, 0x29, 0xac, 0xe0, 0x1a, 0xd2, 0xb5, 0x3, 0x37, 0x19, 0xd3, 0xc2, 0x54, 0x2, 0x9b, 0x27, 0xd0, 0x92, 0xc9, 0xca, 0x52, 0xc0, 0x7, 0x33, 0xf3, 0xb1, 0xa8, 0xef, 0x92, 0xcb, 0xa7, 0x6a, 0xa5, 0xc7, 0x37, 0xd, 0x80, 0x25, 0x18, 0x5a, 0x22, 0x54, 0x2d, 0x34, 0x37, 0xc, 0x38, 0x13, 0x92, 0xef, 0xd2, 0xd5, 0x66, 0x2d, 0xac, 0x92, 0xc6, 0x63, 0xc, 0x3, 0xc9, 0x70, 0x5a, 0x3, 0x61, 0x18, 0xba, 0x71, 0x85, 0xb7, 0x9, 0x51, 0x3d, 0xf9, 0xc8, 0xd0, 0x5c, 0x2d, 0xb2, 0x48, 0x93, 0xbb, 0x33, 0x86, 0xa7, 0x84, 0xfa, 0xe8, 0x8, 0xbd, 0xeb, 0x5a, 0xba, 0xa6, 0xfb, 0x53, 0xd8, 0xa7, 0xee, 0xe5, 0xf3, 0x7d, 0xf2, 0x7f, 0x58, 0x71, 0xca, 0x68, 0x96, 0x87, 0x1c, 0x52, 0x5, 0x1a, 0x6f, 0xce, 0x3b, 0x13, 0xd5, 0xb9, 0xe4, 0xbe, 0xe, 0xfd, 0x53, 0xcd, 0x50, 0x2d, 0x17, 0xff, 0x4c, 0xf7, 0x33, 0xa1, 0xeb, 0x14, 0xf2, 0x13, 0xb8, 0xec, 0x3, 0xaa, 0xa, 0x24, 0xee, 0x5b, 0x66, 0x6f, 0x40, 0x65, 0xbb, 0xcf, 0x73, 0xad, 0x25, 0xa4, 0xe4, 0x1f, 0x4b, 0x8, 0xa6, 0xf6, 0x81, 0xd0, 0x16, 0x5d, 0x9d, 0x0, 0x90, 0x2c, 0xf8, 0xee, 0xe8, 0x4f, 0x30, 0x35, 0x22, 0xaa, 0x9e, 0xaa, 0xd5, 0x46, 0x3, 0xf2, 0xe3, 0x91, 0x1c, 0xac, 0x7, 0x9f, 0xda, 0xa, 0xcf, 0xf1, 0xd, 0xb4, 0x23, 0x3e, 0x9b, 0x7d, 0xb4, 0x71, 0xe9, 0x94, 0x73, 0x73, 0x33, 0x59, 0x21, 0xf9, 0x9c, 0x66, 0x14, 0xbd, 0x57, 0xbf, 0x64, 0x10, 0x1a, 0xc, 0xdf, 0xae, 0x5d, 0x86, 0x25, 0x91, 0x27, 0x83, 0xd3, 0xb, 0xb7, 0x3e, 0xab, 0xda, 0xec, 0x34, 0x9f, 0x5b, 0x3d, 0xbc, 0xaf, 0x5c, 0x75, 0x5f, 0x7e, 0xed, 0xe3, 0x91, 0x2, 0x6f, 0x1e, 0xd4, 0x54, 0x9f, 0x69, 0x49, 0x34, 0x48, 0x3e, 0xf, 0x58, 0x77, 0x41, 0x30, 0xcb, 0xaf, 0xa9, 0x17, 0xc2, 0x21, 0xbb, 0xfd, 0xb3, 0x67, 0x9a, 0x2f, 0x7f, 0xa1, 0x6f, 0x75, 0xa8, 0xc1, 0x45, 0xa2, 0x21, 0x24, 0x6b, 0x2a, 0x91, 0x22, 0xf0, 0x4a, 0x94, 0x27, 0xbe, 0x64, 0xfe, 0x4, 0x58, 0x2a, 0xc6, 0x65, 0xe4, 0xad, 0xd7, 0x8f, 0xf0, 0xa6, 0x39, 0xbd, 0xff, 0x8d, 0x3b, 0x40, 0x14, 0xaa, 0x4c, 0xa8, 0xef, 0xc4, 0x27, 0x84, 0x71, 0x47, 0x46, 0x80, 0xb4, 0xda, 0x8b, 0xf, 0x83, 0x6e, 0x9b, 0xff, 0x17, 0xdf, 0x47, 0x13, 0x9a, 0xe4, 0xe8, 0x7e, 0x8d, 0x40, 0xae, 0xd4, 0xc1, 0x91, 0x23, 0x1e, 0xc7, 0x6a, 0x3c, 0xd7, 0xef, 0x1d, 0xfd, 0xb9, 0xcb, 0xc8, 0xc5, 0xfe, 0xbb, 0xbb, 0x57, 0x6, 0x84, 0x19, 0xea, 0xf8, 0x7e, 0x9e, 0xb5, 0x1c, 0xdb, 0x39, 0x30, 0x5f, 0x10, 0x64, 0x96, 0x82, 0xaa, 0x78, 0x4a, 0xef, 0x5f, 0x6, 0xc2, 0xf1, 0xbe, 0xcd, 0xe3, 0x92, 0x5b, 0xfd, 0x7d, 0xf, 0xe6, 0x77, 0x50, 0x83, 0x70, 0x26, 0xf0, 0x49, 0xc5, 0xd7, 0xbf, 0x21, 0xf1, 0x34, 0xd0, 0x3a, 0x1b, 0x20, 0x14, 0xfc, 0x34, 0x3, 0xa1, 0xc2, 0xca, 0x5f, 0xf6, 0x52, 0x45, 0x34, 0x9, 0x9e, 0x9a, 0x8a, 0x82, 0x30, 0x65, 0x97, 0xd3, 0xa1, 0xd8, 0x7d, 0x89, 0xf2, 0xd4, 0x79, 0x8f, 0x73, 0xc0, 0x5f, 0xba, 0x2, 0x35, 0xbd, 0x71, 0x8e, 0x60, 0x67, 0xa0, 0x75, 0xde, 0xb4, 0x24, 0x1f, 0xf4, 0x4e, 0xe5, 0x25, 0x61, 0xfd, 0x5e, 0xde, 0x8d, 0xb0, 0x3f, 0x54, 0x9, 0xa4, 0x25, 0x48, 0x48, 0xde, 0x95, 0x22, 0xcc, 0x65, 0x98, 0x8d, 0x19, 0x1f, 0xa2, 0xdf, 0xe, 0x6e, 0x71, 0x37, 0x8a, 0x42, 0xc7, 0x5f, 0xf3, 0xad, 0xa2, 0x97, 0x96, 0x4f, 0xc7, 0xc3, 0xca, 0xf7, 0x79, 0x3c, 0xa4, 0x1, 0xc, 0x44, 0xae, 0x7c, 0x5b, 0x8d, 0x25, 0xc1, 0x31, 0x75, 0x2b, 0x40, 0x41, 0x8b, 0xc0, 0x21, 0x21, 0x23, 0x93, 0xde, 0x55, 0x89, 0x1a, 0xf6, 0xaf, 0x8, 0x14, 0x2d, 0xf8, 0xfa, 0x68, 0x35, 0x5b, 0x96, 0xcf, 0x9e, 0x99, 0x5e, 0xb1, 0x71, 0x6f, 0x27, 0x17, 0xe9, 0x48, 0xd2, 0x4e, 0xf1, 0xe2, 0xf9, 0xc, 0x82, 0xa1, 0xca, 0xf4, 0xc6, 0x7e, 0x3c, 0xd8, 0x18, 0xb2, 0x20, 0x1b, 0x68, 0x17, 0xf2, 0x3e, 0x53, 0x65, 0x6d, 0x9f, 0x88, 0x87, 0x2e, 0xca, 0xc3, 0xe4, 0xc7, 0x58, 0x71, 0x67, 0x41, 0x2b, 0xdc, 0xfb, 0xd, 0x67, 0xfb, 0x7f, 0x25, 0x4c, 0x84, 0x1, 0xa, 0x91, 0x75, 0x7d, 0x57, 0x88, 0xcf, 0x7, 0xbf, 0x36, 0xf3, 0xce, 0x2a, 0x5e, 0xe4, 0x50, 0x52, 0x24, 0x22, 0x85, 0x3d, 0xa2, 0x7c, 0x8d, 0x2e, 0xd9, 0x2e, 0x58, 0x2f, 0x81, 0x2b, 0x4c, 0xbe, 0xf8, 0x29, 0x92, 0xba, 0x67, 0x34, 0x97, 0xf1, 0x5b, 0xd6, 0xb0, 0x54, 0x9, 0xf7, 0xdb, 0x46, 0x9b, 0x8c, 0x5d, 0xf1, 0x78, 0xe, 0xf3, 0xa0, 0xc8, 0x97, 0x61, 0xc9, 0xa4, 0x85, 0x9a, 0xa6, 0xf3, 0xa8, 0x9b, 0xce, 0xe4, 0x61, 0xf, 0x66, 0x42, 0x42, 0xc, 0x79, 0xa6, 0x6e, 0xb3, 0xaa, 0x6, 0xbf, 0x16, 0x64, 0x98, 0xec, 0x8e, 0x6f, 0x70, 0xc6, 0x25, 0xc2, 0x9f, 0x9a, 0xc1, 0xde, 0x56, 0x9e, 0xf1, 0x3, 0x51, 0x9a, 0x71, 0x32, 0xee, 0x4b, 0x6, 0xac, 0xe, 0xf5, 0xc6, 0xef, 0x43, 0x52, 0x19, 0xc1, 0xdc, 0x6a, 0xcb, 0x22, 0xe1, 0xb8, 0x8, 0xa, 0xb8, 0xc0, 0x84, 0xaa, 0x7f, 0x1b, 0x8c, 0xd0, 0xfc, 0x6d, 0xbd, 0xd1, 0xc3, 0x32, 0xde, 0x27, 0xe4, 0xb, 0x4e, 0xec, 0x9d, 0x12, 0x83, 0x3c, 0x26, 0x1d, 0x9c, 0x67, 0xab, 0x98, 0xff, 0x4e, 0xf6, 0xce, 0xb7, 0x3c, 0xc8, 0xaf, 0x51, 0x5a, 0xdf, 0x3f, 0x7d, 0xe4, 0x87, 0x1d, 0xb0, 0xca, 0xc9, 0x55, 0x93, 0x5f, 0xfb, 0x7a, 0x6e, 0x58, 0xe0, 0x89, 0x8f, 0xf5, 0xbb, 0x91, 0x9, 0x37, 0x84, 0xd, 0x18, 0xc0, 0x72, 0x7c, 0xdc, 0xc3, 0xb5, 0x99, 0xfb, 0xaa, 0xa5, 0xa9, 0xb0, 0xae, 0x44, 0x38, 0x1d, 0xf, 0x8a, 0xa4, 0x82, 0xe4, 0x67, 0xb6, 0xdd, 0xb7, 0x78, 0x71, 0x9a, 0xa5, 0x23, 0x6e, 0xe9, 0x85, 0x39, 0x45, 0xa5, 0xb8, 0xf4, 0xea, 0xe0, 0x4d, 0x6a, 0xaa, 0x32, 0xe, 0xc6, 0x4b, 0xca, 0xd9, 0xcf, 0x68, 0x70, 0x5e, 0xd1, 0x7f, 0x1, 0x4b, 0x8a, 0x66, 0x9d, 0xc0, 0x7d, 0xf2, 0x4a, 0x69, 0xf0, 0xd9, 0xcd, 0x8b, 0x70, 0xba, 0xd5, 0xca, 0xc3, 0xf6, 0x2a, 0x5c, 0xb9, 0x5b, 0x69, 0xba, 0xd2, 0x5c, 0x8f, 0xa5, 0xc0, 0x33, 0xd3, 0xc1, 0x28, 0xaa, 0x70, 0x78, 0xc7, 0xab, 0xe3, 0x74, 0xe2, 0x23, 0x4b, 0x88, 0xc1, 0x1c, 0x2d, 0xc8, 0xcf, 0xec, 0xb4, 0x53, 0x47, 0x5d, 0x1, 0xc2, 0x5a, 0xc8, 0x9f, 0x9, 0x8e, 0x65, 0xac, 0xca, 0xa6, 0xc7, 0x90, 0x73, 0xb2, 0x4, 0x9e, 0x36, 0x46, 0xcf, 0xea, 0x67, 0x64, 0x50, 0x49, 0xd0, 0xe7, 0xe2, 0xcc, 0xec, 0xcd, 0x37, 0xa2, 0x63, 0x1b, 0x48, 0x3a, 0x14, 0x80, 0xed, 0xd8, 0xab, 0x29, 0x40, 0x88, 0xb, 0xb0, 0xbc, 0xc7, 0xe3, 0xbf, 0x28, 0xb, 0x4a, 0xe2, 0x33, 0x2f, 0xf8, 0x57, 0xff, 0x79, 0x50, 0x56, 0xf2, 0x3f, 0xe2, 0xbe, 0x9c, 0x25, 0x58, 0x5f, 0xeb, 0x27, 0x34, 0x35, 0x16, 0x62, 0xd6, 0x48, 0xe9, 0xc4, 0xee, 0x6f, 0x27, 0x2b, 0x3, 0x10, 0xda, 0xc6, 0x2b, 0xb6, 0xd1, 0x53, 0x2a, 0xe7, 0xf0, 0xdd, 0x51, 0x83, 0x71, 0xba, 0xe7, 0x20, 0x24, 0x76, 0x20, 0x45, 0x93, 0x8d, 0x11, 0x0, 0x3a, 0xff, 0x8f, 0x36, 0x96, 0x6b, 0x4c, 0x7c, 0x9c, 0x15, 0x53, 0x97, 0xd8, 0xf7, 0x9a, 0x40, 0xd7, 0xc0, 0xa3, 0x3a, 0x60, 0xfb, 0x32, 0x71, 0x0, 0xc, 0x3d, 0xd5, 0xb8, 0x38, 0x92, 0x84, 0xa6, 0xf7, 0x2a, 0xd1, 0x68, 0x79, 0x92, 0x5d, 0xbf, 0xe7, 0x7, 0x6, 0xbe, 0xce, 0x74, 0xda, 0xaa, 0x55, 0x0, 0xa5, 0x9a, 0xcb, 0x8c, 0x7e, 0xba, 0xcb, 0x79, 0x10, 0xe8, 0x5e, 0xff, 0xf4, 0xa5, 0xd1, 0x71, 0xc, 0x61, 0x61, 0xa6, 0xb6, 0xe3, 0xbf, 0x81, 0x47, 0x18, 0xf7, 0x79, 0xd2, 0xe6, 0x1d, 0xcb, 0x51, 0x77, 0x62, 0xb6, 0x9e, 0xc5, 0xd6, 0x95, 0xff, 0xf8, 0xa7, 0xde, 0xd3, 0x58, 0xb7, 0x90, 0x6d, 0x18, 0x54, 0xf7, 0xb4, 0xdf, 0xc1, 0xb6, 0x4b, 0xe, 0xdc, 0x1, 0x28, 0x2b, 0x6b, 0xf5, 0x5c, 0x5c, 0x4d, 0x56, 0x54, 0x1f, 0x52, 0xe4, 0x61, 0xc5, 0x13, 0x7f, 0xdd, 0xf0, 0x60, 0x8c, 0xfb, 0xb4, 0xb3, 0x81, 0xfc, 0x29, 0xb, 0x20, 0x4c, 0xac, 0xc1, 0x87, 0x1d, 0x17, 0x9f, 0xe0, 0xc3, 0xeb, 0x9e, 0xaa, 0x81, 0x14, 0x30, 0x95, 0x79, 0x91, 0xfa, 0x14, 0xe1, 0x92, 0xe1, 0x92, 0x1b, 0x5, 0x7f, 0x53, 0xb5, 0xec, 0xe9, 0x92, 0x8f, 0xdf, 0x83, 0x74, 0xc, 0x29, 0xcc, 0xb2, 0xb1, 0x44, 0x16, 0xb0, 0xde, 0x2a, 0x5a, 0x45, 0x11, 0xa7, 0x2c, 0xc, 0xa1, 0x81, 0x56, 0x68, 0x4b, 0x96, 0x7a, 0x56, 0x88, 0x40, 0x8, 0x59, 0xf4, 0x73, 0x61, 0x4a, 0x21, 0x1f, 0xe, 0x28, 0x6b, 0xeb, 0x3d, 0xc1, 0xf0, 0xca, 0x34, 0xdc, 0x9a, 0x8c, 0x80, 0xfb, 0x61, 0xf5, 0x38, 0x29, 0xd1, 0x39, 0xb4, 0xdf, 0x6e, 0xbc, 0x5e, 0x3a, 0xdc, 0xb2, 0xe, 0x21, 0x4d, 0xfe, 0xb1, 0xb1, 0x85, 0x74, 0x72, 0xae, 0x86, 0xe1, 0x0, 0x4, 0x2e, 0x6, 0x88, 0x3b, 0xeb, 0x6e, 0x5c, 0x2d, 0xe3, 0x91, 0xfa, 0xde, 0x34, 0xb1, 0x85, 0xae, 0xe9, 0xc7, 0x75, 0xd4, 0xb2, 0x1b, 0xd0, 0xb1, 0x73, 0x60, 0xd, 0xc0, 0x63, 0x28, 0x5e, 0x61, 0xad, 0xb9, 0xc4, 0x4a, 0x5f, 0x52, 0x3d, 0x49, 0x29, 0x9e, 0x4f, 0xcf, 0x9a, 0x4e, 0xea, 0x1d, 0x2b, 0xc3, 0x8d, 0xb8, 0xd, 0xa5, 0xc8, 0x1, 0x1f, 0x3e, 0x6c, 0x91, 0xda, 0x4, 0xea, 0x70, 0x5d, 0xb0, 0x3e, 0x80, 0x65, 0xd8, 0xa, 0xd, 0x4b, 0x71, 0xee, 0xaf, 0x79, 0xe0, 0xc, 0x92, 0x45, 0x59, 0x1f, 0x83, 0x89, 0x67, 0xa0, 0x17, 0x6e, 0x68, 0xe5, 0x5a, 0x4a, 0xb7, 0xe8, 0xbe, 0x66, 0x59, 0x46, 0x8d, 0x25, 0x1e, 0xa2, 0x73, 0xa6, 0x38, 0x95, 0x1c, 0x14, 0x83, 0xf2, 0xc1, 0x1c, 0xbd, 0x86, 0xe4, 0x96, 0xe, 0x4f, 0xcf, 0x2e, 0x3b, 0x78, 0xfc, 0xe5, 0x74, 0x96, 0xa8, 0x3a, 0xcd, 0x7a, 0xfa, 0x82, 0x24, 0xc, 0xc1, 0x5e, 0x41, 0x10, 0xf5, 0xc3, 0x6e, 0x31, 0x5a, 0x20, 0x85, 0x75, 0x4, 0x98, 0xd2, 0x14, 0x4a, 0x7e, 0x2c, 0xfd, 0xeb, 0x30, 0x6f, 0xc0, 0x19, 0x3c, 0xde, 0x44, 0xe6, 0xb7, 0xd4, 0x38, 0x1f, 0x1c, 0xdb, 0x4a, 0x36, 0xce, 0x5d, 0x75, 0x1a, 0x29, 0xfe, 0xe3, 0x5b, 0x8f, 0x5, 0x3c, 0x2a, 0xb2, 0xb7, 0x8c, 0xa3, 0xfe, 0x37, 0x2, 0xc3, 0xd2, 0x2c, 0x17, 0xbe, 0x17, 0x2e, 0x7a, 0x96, 0x30, 0x29, 0x44, 0xa, 0x5b, 0xa1, 0x5e, 0x79, 0xf, 0x2, 0x58, 0xa9, 0x58, 0x89, 0xd7, 0xc8, 0x37, 0x8f, 0xb5, 0x75, 0xb6, 0xa4, 0x9b, 0xe8, 0xb7, 0x63, 0xea, 0x1a, 0xc3, 0xf, 0xc, 0xc, 0xfb, 0xb4, 0x2e, 0x1f, 0xff, 0xa7, 0x39, 0xe6, 0x95, 0xed, 0xfb, 0x14, 0x96, 0x61, 0xa3, 0xf5, 0x80, 0x98, 0xab, 0x51, 0x71, 0x94, 0x2, 0xff, 0xb6, 0xde, 0xdb, 0xdc, 0x68, 0xa8, 0x8c, 0x11, 0xc5, 0x5b, 0xed, 0x7a, 0x9f, 0x34, 0x91, 0xcb, 0x97, 0xf1, 0x20, 0x84, 0xca, 0x8f, 0x0, 0x5a, 0x2b, 0x3b, 0xd8, 0xf6, 0xaa, 0x23, 0xe8, 0x5e, 0x17, 0x7c, 0xb6, 0x32, 0xaf, 0x35, 0x21, 0xf4, 0xdc, 0x54, 0x1e, 0x56, 0xd6, 0x27, 0x7, 0x43, 0xa1, 0xb, 0xe2, 0xb1, 0x75, 0xd1, 0xe4, 0x5e, 0x9d, 0x87, 0xb5, 0x7d, 0x80, 0x99, 0x73, 0x36, 0xc4, 0xc7, 0xcd, 0x5b, 0xd5, 0x9c, 0x55, 0x44, 0xa5, 0x77, 0xd9, 0xff, 0x33, 0x21, 0x45, 0xb2, 0xb9, 0xfb, 0x20, 0x1a, 0xf, 0x83, 0xf1, 0xb2, 0xa8, 0x39, 0x2a, 0xf5, 0xa1, 0xd5, 0x7d, 0xc9, 0x4b, 0x48, 0xf8, 0xdd, 0xe, 0xa4, 0x56, 0xbf, 0xae, 0xd6, 0xc6, 0xda, 0xcc, 0x76, 0xcb, 0x7a, 0x25, 0x32, 0x27, 0xff, 0x86, 0x15, 0xec, 0x36, 0x4d, 0xaf, 0xd1, 0x7d, 0xde, 0xf8, 0x63, 0x88, 0xaa, 0x8e, 0x16, 0x7c, 0x64, 0x88, 0xcf, 0xd5, 0x45, 0x0, 0x9d, 0x97, 0x5, 0xc0, 0x74, 0xd5, 0xf3, 0xa6, 0x50, 0xe3, 0x40, 0x6a, 0x42, 0x2b, 0x7, 0xc2, 0xf9, 0xec, 0xe2, 0x8d, 0x56, 0xc1, 0xa5, 0xfc, 0x4e, 0x34, 0x15, 0xa5, 0x5b, 0xbf, 0xc8, 0xa8, 0x4a, 0xf1, 0x4d, 0x11, 0x55, 0xe5, 0xae, 0x97, 0x6b, 0xec, 0xc5, 0xfd, 0x4d, 0x4a, 0x37, 0xd4, 0x18, 0x54, 0xa8, 0x2c, 0x8f, 0xc2, 0x4c, 0x75, 0x78, 0x1f, 0xc4, 0xd3, 0x27, 0x9e, 0xcb, 0x71, 0x39, 0x5c, 0x60, 0x3, 0x79, 0x50, 0x10, 0x89, 0x6c, 0xc9, 0x42, 0xa1, 0x9e, 0x3d, 0x84, 0xf0, 0x84, 0x36, 0x92, 0x16, 0x34, 0x49, 0x74, 0xf3, 0x93, 0x28, 0xa, 0xfa, 0x2f, 0xaa, 0x2c, 0x73, 0x70, 0x1, 0x16, 0x61, 0x70, 0xc2, 0xe8, 0xb2, 0xa3, 0xba, 0x7f, 0x43, 0xcc, 0x88, 0x27, 0xc3, 0xac, 0xa3, 0xed, 0xa6, 0x8e, 0x81, 0xcd, 0x39, 0x7, 0x2e, 0x2b, 0x9e, 0x39, 0x42, 0xe9, 0xe2, 0x2a, 0xe5, 0x60, 0x2, 0x9b, 0xd3, 0x67, 0x69, 0x25, 0x33, 0x65, 0x90, 0xcc, 0x85, 0x25, 0xd4, 0x54, 0x79, 0xca, 0x21, 0x5, 0xd6, 0x9b, 0xd, 0xb3, 0x57, 0xed, 0x81, 0x77, 0x8, 0xa2, 0x4f, 0xbe, 0xb, 0x4a, 0xe3, 0xf8, 0xef, 0xc1, 0x60, 0x64, 0xef, 0xf6, 0x84, 0xc, 0x4, 0xb0, 0x56, 0x83, 0x84, 0xaf, 0xb1, 0x24, 0x2b, 0xbe, 0x28, 0x14, 0x16, 0x53, 0xf5, 0x63, 0x81, 0x27, 0xb2, 0x1c, 0xac, 0x22, 0x59, 0x45, 0x75, 0xf2, 0x8d, 0x63, 0x3f, 0x2b, 0xa5, 0x5c, 0xef, 0xb3, 0xa7, 0xc4, 0x57, 0xde, 0x71, 0x14, 0xb2, 0x77, 0x8e, 0x8b, 0x0, 0x4c, 0x83, 0x10, 0x2c, 0x68, 0x31, 0x31, 0x5d, 0xd5, 0x4b, 0xf0, 0x24, 0x68, 0xc7, 0x71, 0x1c, 0xb6, 0x17, 0x86, 0xc0, 0xd1, 0xb6, 0x9d, 0x8, 0xa5, 0xc2, 0x3, 0x9, 0xdb, 0x31, 0x3f, 0x5d, 0x4e, 0x18, 0x72, 0x21, 0x9, 0x9c, 0x38, 0xc6, 0xc, 0xc0, 0x5b, 0xed, 0x7c, 0xdd, 0xc2, 0x8f, 0x27, 0x61, 0xeb, 0x15, 0x20, 0x1a, 0xd6, 0xf8, 0x37, 0x6a, 0x88, 0x52, 0x8e, 0x2e, 0xad, 0x33, 0x99, 0xe7, 0x6f, 0x78, 0x57, 0xc4, 0x1a, 0x21, 0x51, 0x2c, 0xce, 0x4c, 0xfe, 0xb3, 0x98, 0x4, 0xc2, 0x24, 0xb2, 0x10, 0x9b, 0xad, 0xe5, 0xb5, 0x8d, 0xd2, 0x4f, 0x7a, 0xd8, 0x90, 0xc3, 0x2f, 0xca, 0x3a, 0x5, 0xd1, 0x8c, 0x69, 0x6d, 0x53, 0x1b, 0xe9, 0x7, 0x2d, 0x11, 0x4f, 0xd6, 0x9, 0xba, 0x9e, 0xf2, 0x82, 0xb9, 0xce, 0x6f, 0x39, 0x7c, 0x19, 0x2c, 0x7b, 0x15, 0x3c, 0x24, 0xeb, 0x66, 0x7b, 0x41, 0x2d, 0x3c, 0xe2, 0x37, 0xd, 0x33, 0x3f, 0xd9, 0x57, 0xc, 0x48, 0xeb, 0x8d, 0x10, 0x79, 0xa1, 0xc8, 0xa4, 0xb3, 0xe5, 0x9c, 0x19, 0xcb, 0xde, 0x88, 0x23, 0x70, 0xd4, 0xa8, 0x44, 0xb9, 0x11, 0x92, 0x1, 0xb, 0x36, 0xb3, 0xb, 0x84, 0x92, 0xa6, 0xf2, 0x24, 0x7b, 0xfa, 0x69, 0xa6, 0xdc, 0x3b, 0x35, 0x7c, 0x0, 0xc3, 0xc9, 0xde, 0xfc, 0xd6, 0x20, 0xda, 0x17, 0x4f, 0x3a, 0xa1, 0x2f, 0xbe, 0x5f, 0x62, 0x28, 0x73, 0xc1, 0xdb, 0x1a, 0xb6, 0xb1, 0xa2, 0x21, 0x56, 0x51, 0xa9, 0xbf, 0x65, 0x89, 0x0, 0x46, 0xff, 0x20, 0xc6, 0x39, 0x9, 0x69, 0x49, 0x1c, 0xe9, 0x17, 0x87, 0x7d, 0xd2, 0x2d, 0x18, 0x97, 0x39, 0x6c, 0xea, 0x35, 0x50, 0xce, 0x5a, 0xef, 0xb, 0x61, 0xc2, 0xaa, 0x9a, 0x25, 0x54, 0x39, 0xdd, 0x80, 0x3c, 0x3f, 0xbb, 0x18, 0xef, 0x39, 0xfa, 0xc3, 0x5f, 0x5b, 0xb9, 0x10, 0x69, 0xee, 0x9a, 0xe0, 0x43, 0x10, 0xf5, 0xe2, 0xfc, 0x65, 0x56, 0x67, 0xa7, 0x9f, 0x6c, 0xd5, 0xce, 0x61, 0xdb, 0x72, 0xd8, 0xac, 0x65, 0xe2, 0x10, 0x69, 0xce, 0x9f, 0xae, 0x2e, 0x81, 0x82, 0x69, 0x98, 0x9, 0x80, 0xce, 0xc6, 0x11, 0xbe, 0x29, 0xd9, 0x60, 0x3, 0xb9, 0x52, 0x17, 0xbb, 0x72, 0x90, 0xd5, 0x4a, 0x5a, 0x97, 0x31, 0x19, 0x2c, 0xc0, 0xdb, 0xc1, 0x9f, 0x48, 0xf5, 0xa2, 0x2b, 0xe0, 0xeb, 0x90, 0xe4, 0xbb, 0xee, 0xe4, 0x7f, 0xc0, 0x11, 0xae, 0x7f, 0xcd, 0xa4, 0xa0, 0x12, 0x37, 0xba, 0x3, 0xe9, 0x81, 0xcf, 0x97, 0x71, 0xd8, 0x6d, 0x1c, 0xde, 0xa8, 0x4a, 0x7d, 0xcf, 0x4c, 0x68, 0xd5, 0x3f, 0xf4, 0x6b, 0xaf, 0x92, 0xa1, 0xa, 0x36, 0x80, 0xcf, 0xee, 0x26, 0x2b, 0x82, 0x6a, 0x54, 0x0, 0x30, 0xf, 0x96, 0xbd, 0xfe, 0xd8, 0x9a, 0xf5, 0x43, 0x3c, 0x7b, 0x40, 0xba, 0x82, 0x9c, 0x24, 0xfe, 0xe5, 0xca, 0x86, 0x4c, 0x74, 0x63, 0x24, 0xc7, 0xae, 0xf, 0x9e, 0x72, 0x62, 0x91, 0x94, 0xe8, 0x51, 0xf5, 0x87, 0x15, 0x6, 0xeb, 0x6c, 0x44, 0x93, 0x3f, 0x3, 0x84, 0x2e, 0xe8, 0x8b, 0xd1, 0xb0, 0x5e, 0x1e, 0xef, 0x2f, 0x58, 0x7a, 0xe, 0x7f, 0x96, 0x89, 0xfa, 0x21, 0xe9, 0xa6, 0xd5, 0x87, 0xf6, 0xbc, 0xba, 0x9, 0x7a, 0xd3, 0xf3, 0x4c, 0xee, 0xdf, 0x65, 0xc4, 0x93, 0xb4, 0x65, 0x69, 0xf0, 0x94, 0x30, 0xc0, 0x35, 0x76, 0x1c, 0x9a, 0x8b, 0x63, 0x9f, 0x5e, 0xf0, 0x66, 0x64, 0x78, 0x66, 0x76, 0x25, 0xa7, 0x4d, 0xc0, 0x8, 0x68, 0xaf, 0xcc, 0xfc, 0xcc, 0x8f, 0x76, 0x90, 0xb6, 0x2e, 0xca, 0x62, 0xb3, 0x35, 0xb8, 0x7d, 0xd3, 0x2, 0xf4, 0xce, 0xfc, 0xfd, 0xe2, 0xd0, 0xc0, 0xfa, 0xe, 0x90, 0xd9, 0x38, 0xb6, 0xef, 0xcd, 0xc9, 0xef, 0x8b, 0x9a, 0x66, 0xd1, 0x72, 0x2b, 0xf1, 0x2a, 0xbd, 0xcc, 0x74, 0x57, 0xbc, 0x36, 0xc5, 0x33, 0xe, 0x87, 0x34, 0xfb, 0x9, 0x19, 0xb2, 0x30, 0xca, 0x5a, 0xf2, 0x7d, 0xf7, 0xa2, 0x8f, 0xc3, 0xf5, 0xf3, 0x81, 0xbf, 0x2b, 0xf0, 0xc5, 0x74, 0x81, 0x45, 0x7e, 0xaf, 0xae, 0xa5, 0x25, 0x5, 0xae, 0x54, 0x3c, 0x43, 0xba, 0xaa, 0xd2, 0x88, 0xc5, 0x56, 0x6a, 0x80, 0xdb, 0x75, 0x97, 0xed, 0x7d, 0xb3, 0xed, 0xc0, 0x8a, 0x73, 0x20, 0xd3, 0x51, 0x1f, 0xcc, 0x66, 0xee, 0xb6, 0xfd, 0x25, 0x76, 0xd, 0x60, 0x10, 0x17, 0x1d, 0x66, 0xac, 0x76, 0xed, 0xd1, 0xbd, 0xf3, 0xc1, 0x1e, 0x93, 0xf1, 0x43, 0xee, 0x19, 0x62, 0x1d, 0xc1, 0x65, 0x97, 0x9d, 0x82, 0x60, 0x3e, 0x7c, 0xd5, 0x5c, 0xe8, 0xe6, 0x4b, 0x98, 0xa3, 0x91, 0x6c, 0xd2, 0xbd, 0x53, 0xc, 0x8b, 0x9, 0x93, 0x8d, 0xf0, 0xea, 0xe4, 0x16, 0xc0, 0x5b, 0x9e, 0xbc, 0x94, 0x2b, 0x3d, 0xd4, 0x11, 0x39, 0x68, 0x91, 0xd3, 0x55, 0x11, 0x70, 0x73, 0xd7, 0x5a, 0x6c, 0x88, 0x15, 0x7, 0xb0, 0x20, 0x26, 0x76, 0x37, 0xe0, 0x59, 0xba, 0x80, 0xaa, 0xec, 0xc9, 0x1, 0x7f, 0x51, 0x8e, 0x53, 0x68, 0x1a, 0x41, 0x83, 0x30, 0xaf, 0x28, 0x81, 0xe8, 0xf1, 0x70, 0x3, 0x97, 0x4b, 0xc1, 0xde, 0x91, 0xdb, 0xc3, 0x5c, 0x62, 0x7, 0x31, 0xac, 0x1, 0x6c, 0x66, 0xf9, 0xfe, 0xc3, 0x7a, 0x5, 0xd5, 0x77, 0xd5, 0xa8, 0xb2, 0xf7, 0x5d, 0xbe, 0x92, 0x99, 0x62, 0xf2, 0xb0, 0x24, 0x39, 0x35, 0x0, 0xe5, 0xc8, 0x79, 0xf5, 0x7a, 0xed, 0x41, 0x13, 0x93, 0x3d, 0xfa, 0xb8, 0x49, 0x9d, 0xb5, 0xa7, 0x2c, 0x27, 0x23, 0x42, 0xa4, 0xc4, 0xb8, 0x83, 0x47, 0x19, 0xcb, 0x3d, 0xe4, 0x2, 0x13, 0xed, 0x1, 0x3c, 0x41, 0x4e, 0xce, 0x44, 0x7e, 0xe1, 0x27, 0x91, 0x99, 0x6d, 0xfb, 0xad, 0xb3, 0x33, 0x75, 0xbf, 0x86, 0xee, 0xca, 0x96, 0xaa, 0x25, 0xe6, 0x2f, 0x90, 0xf6, 0x7d, 0xe4, 0xaa, 0xe5, 0xe4, 0x40, 0x35, 0xb7, 0x8c, 0x15, 0x4a, 0x1b, 0x7b, 0x1d, 0x80, 0x32, 0x69, 0xa3, 0xe2, 0x27, 0x9e, 0xc9, 0x71, 0xe5, 0x97, 0xf1, 0xd9, 0x10, 0xc0, 0x76, 0xcb, 0x40, 0xae, 0xc0, 0x67, 0x31, 0x89, 0xc2, 0x8, 0xc3, 0xf2, 0x58, 0x79, 0xeb, 0xd3, 0x9d, 0xef, 0xa6, 0xb1, 0x79, 0x8, 0x30, 0xfc, 0x6d, 0x22, 0xa7, 0x36, 0x6, 0xdf, 0x7e, 0x62, 0xb3, 0xd0, 0x6c, 0xed, 0x7e, 0xc3, 0x7b, 0x6c, 0xce, 0xfb, 0x4e, 0x21, 0x90, 0x69, 0x8d, 0x5, 0x2a, 0xf9, 0x75, 0xe3, 0x66, 0x25, 0x77, 0x79, 0x4c, 0x6d, 0x58, 0x3a, 0xd2, 0x1a, 0x76, 0xf1, 0xa5, 0x8c, 0x37, 0xac, 0xa8, 0x65, 0x14, 0xfc, 0x86, 0xd, 0x65, 0x51, 0xa2, 0x2b, 0x84, 0x57, 0xd4, 0x4e, 0x7a, 0x33, 0x49, 0x23, 0x42, 0xe6, 0xe3, 0x65, 0x6b, 0x57, 0xd6, 0xaa, 0x31, 0xb7, 0x43, 0x15, 0xaf, 0x69, 0xc3, 0xfe, 0xcb, 0x98, 0xfe, 0xce, 0xa4, 0xfb, 0xbe, 0x47, 0x9f, 0x90, 0xda, 0x87, 0xb5, 0x13, 0x2d, 0x31, 0x41, 0xfb, 0xe9, 0x62, 0x65, 0xfe, 0xce, 0xf1, 0xef, 0x59, 0xea, 0x91, 0xa6, 0xf6, 0x4c, 0xfc, 0x5, 0x7a, 0x47, 0x30, 0xcc, 0x3d, 0xfd, 0xf, 0xb, 0x61, 0x24, 0x63, 0xa1, 0x56, 0x59, 0x35, 0x5b, 0x3b, 0x6f, 0xf1, 0xa1, 0x24, 0xec, 0x24, 0x42, 0x53, 0x8d, 0x14, 0x5b, 0x2a, 0x1, 0x77, 0xf9, 0x7b, 0x4e, 0x83, 0xdc, 0xbc, 0x9d, 0xc6, 0xb2, 0x75, 0x5e, 0xfc, 0x7b, 0x6c, 0xda, 0xc3, 0x3, 0x29, 0x7a, 0xa7, 0x3a, 0x71, 0x2, 0x91, 0xca, 0x3c, 0xf0, 0xd, 0xde, 0x55, 0xdc, 0x6, 0x78, 0x4a, 0xca, 0xd5, 0xcb, 0xcb, 0x76, 0xb4, 0x6d, 0x7, 0x58, 0xca, 0xe1, 0x1e, 0xa3, 0x37, 0x5f, 0x62, 0x5d, 0xe1, 0xfd, 0x16, 0xf4, 0x1a, 0xf4, 0x20, 0xf5, 0x9a, 0xf4, 0xb5, 0x2d, 0x34, 0x7d, 0xb1, 0xc5, 0xc5, 0x96, 0x9b, 0xeb, 0x4c, 0xeb, 0xb7, 0x43, 0x5c, 0x15, 0x1a, 0x37, 0x77, 0x4e, 0x10, 0x30, 0x99, 0x2e, 0xaf, 0x43, 0x5d, 0x67, 0xda, 0x87, 0x29, 0x1d, 0x72, 0xfd, 0x99, 0x85, 0xc0, 0xc1, 0x2b, 0xef, 0xb2, 0xf6, 0x42, 0x93, 0x7b, 0x4b, 0x89, 0x96, 0xf0, 0x71, 0x8e, 0x7c, 0xf2, 0xad, 0x1e, 0x20, 0xfc, 0x3e, 0x1f, 0x4a, 0x9f, 0x9d, 0x47, 0xf3, 0x4, 0x97, 0x2a, 0x70, 0x42, 0xa7, 0xf8, 0xe0, 0xc, 0xa4, 0xeb, 0xb3, 0xb6, 0x44, 0xfd, 0xea, 0xd0, 0xe0, 0xc1, 0xc1, 0x29, 0x9f, 0x73, 0xf9, 0x5e, 0x50, 0x9d, 0x61, 0x1a, 0x47, 0x91, 0x0, 0x3e, 0x26, 0x7c, 0x9d, 0x96, 0x9c, 0x5f, 0xc1, 0x33, 0xbe, 0xaf, 0x83, 0x85, 0x72, 0xe4, 0x5b, 0x92, 0xe0, 0xf1, 0x4, 0xaf, 0xd6, 0xb6, 0xa3, 0x11, 0x9d, 0x1a, 0x75, 0xb9, 0x26, 0x65, 0xe7, 0xd2, 0xe4, 0x4a, 0x9a, 0x6d, 0xb2, 0xc5, 0x2e, 0x8d, 0xfb, 0xf6, 0x2, 0xd9, 0xf4, 0x66, 0xeb, 0x64, 0x21, 0x91, 0x96, 0x61, 0xc5, 0x63, 0x40, 0x0, 0x30, 0xef, 0x80, 0xc1, 0x50, 0x70, 0xeb, 0xf0, 0xb3, 0xa5, 0xea, 0x33, 0x1c, 0x8d, 0x28, 0xd8, 0x6f, 0x80, 0x7, 0xd6, 0x68, 0x7c, 0xe8, 0xf, 0xf5, 0xbb, 0x4b, 0xd5, 0xf9, 0xf7, 0xb2, 0x27, 0x66, 0x8d, 0xac, 0x3a, 0x2f, 0x97, 0x25, 0x3b, 0xc1, 0xe8, 0x10, 0x74, 0x77, 0x54, 0xf8, 0x60, 0x4a, 0x2b, 0x87, 0x6c, 0xef, 0x50, 0xcc, 0x1b, 0x52, 0x13, 0x46, 0xa4, 0x34, 0x2a, 0xab, 0xd1, 0x15, 0x3e, 0x98, 0x90, 0xc1, 0xc5, 0x39, 0x12, 0x55, 0x90, 0x59, 0xdf, 0xe5, 0xdd, 0x61, 0xf3, 0x75, 0x22, 0x9f, 0x21, 0xf6, 0x17, 0xe4, 0x4b, 0x89, 0x1d, 0x45, 0xb6, 0xc8, 0x50, 0x7, 0xaa, 0xbd, 0xb0, 0x78, 0xb9, 0x4a, 0xb0, 0x75, 0xbd, 0x89, 0x85, 0x45, 0xd4, 0x9f, 0xfd, 0x3b, 0xb6, 0x20, 0x91, 0xee, 0x30, 0x3e, 0x1, 0xf1, 0x3e, 0x74, 0xa4, 0x23, 0x93, 0xaf, 0x51, 0x2b, 0x9e, 0x4d, 0xd1, 0x48, 0xae, 0xff, 0x96, 0xea, 0x32, 0x1d, 0x8a, 0x69, 0xbe, 0xd, 0xdc, 0x71, 0xa4, 0xcc, 0x80, 0x1, 0xd2, 0x62, 0x49, 0x91, 0x63, 0x89, 0x56, 0xc3, 0x77, 0x6, 0xe6, 0x1a, 0x44, 0xc4, 0x7b, 0x43, 0xb1, 0x27, 0xf2, 0x8c, 0x7a, 0x2c, 0x96, 0xc9, 0x3b, 0xc8, 0x50, 0xc6, 0xc4, 0xcf, 0x7c, 0xfe, 0xdd, 0xc7, 0xc2, 0x23, 0x48, 0x9d, 0x92, 0x1b, 0x9d, 0xc8, 0x25, 0xf9, 0x33, 0x3c, 0x78, 0x6, 0x4b, 0xf7, 0x60, 0x44, 0x5a, 0x47, 0x90, 0xa5, 0x49, 0x8d, 0x2c, 0xac, 0xa0, 0xbb, 0x7, 0xb8, 0x7, 0xb4, 0x40, 0xfb, 0x3a, 0x8f, 0xff, 0x69, 0x2d, 0x36, 0x1e, 0x9d, 0xa4, 0x64, 0xef, 0xcb, 0x81, 0x96, 0x3e, 0xa3, 0xb2, 0xb4, 0x2f, 0x33, 0xfa, 0xe5, 0xec, 0x67, 0xe3, 0x10, 0x9f, 0x73, 0x9b, 0xa9, 0x0, 0x69, 0x25, 0x59, 0x52, 0xff, 0xa9, 0x1c, 0x34, 0xc3, 0x41, 0xd0, 0xe2, 0xa9, 0x26, 0xa6, 0x18, 0xee, 0xdd, 0xd, 0x58, 0x29, 0x85, 0x36, 0xa8, 0xa5, 0xcd, 0xe3, 0x7d, 0x9d, 0x81, 0xc, 0x47, 0xf3, 0x9c, 0xcf, 0x62, 0x20, 0x86, 0x25, 0xf0, 0xed, 0xb0, 0xed, 0x10, 0xc0, 0xfa, 0x22, 0x35, 0xf4, 0xae, 0xb1, 0xa4, 0x13, 0x35, 0x41, 0x31, 0x30, 0x4b, 0xb9, 0x22, 0xdb, 0x2a, 0xe0, 0x92, 0xc7, 0x5b, 0xa4, 0xea, 0xa1, 0xe9, 0x8a, 0x3d, 0x99, 0x63, 0x1c, 0x1e, 0xcd, 0xd3, 0x6c, 0xad, 0x8a, 0x8a, 0x68, 0xce, 0xc5, 0xa7, 0x9c, 0x52, 0x89, 0x53, 0xa2, 0x72, 0xe5, 0xaa, 0xe3, 0xce, 0x2c, 0xfb, 0x1e, 0xa2, 0x2, 0x38, 0x64, 0x2b, 0xe0, 0x58, 0x3, 0x43, 0xc9, 0x6e, 0x1b, 0x9, 0xa7, 0x4, 0xb5, 0x7d, 0x9d, 0xfa, 0xb1, 0xd1, 0x6, 0x33, 0x47, 0x74, 0xc4, 0x32, 0x6d, 0x84, 0x58, 0x34, 0x9e, 0x9f, 0x37, 0x71, 0x7c, 0x51, 0x40, 0xca, 0xf6, 0xe, 0x13, 0x5f, 0x65, 0x65, 0x2f, 0x3f, 0x50, 0xf3, 0xf1, 0x88, 0x44, 0x6e, 0x52, 0x76, 0xa9, 0xe4, 0x7e, 0x17, 0xbd, 0x67, 0x84, 0xd1, 0x63, 0x13, 0x92, 0x13, 0xc9, 0x9d, 0x1d, 0x41, 0xe0, 0x69, 0xb0, 0x33, 0x4c, 0xd2, 0xd8, 0x51, 0x7f, 0xdf, 0x2c, 0xa, 0xda, 0xb5, 0x5e, 0x4f, 0x99, 0x7b, 0x19, 0xb1, 0x3c, 0xf, 0x1c, 0xe9, 0xea, 0x43, 0x28, 0xc5, 0xa6, 0x95, 0x3c, 0xa5, 0x7e, 0x9, 0xa6, 0xc9, 0xff, 0x66, 0x77, 0x67, 0xb8, 0x23, 0xd7, 0x93, 0x40, 0xea, 0x7b, 0xf9, 0x78, 0xb3, 0x4d, 0x73, 0x1f, 0x8e, 0xb4, 0xac, 0x77, 0x7b, 0xe3, 0x0, 0x5b, 0x2, 0x70, 0x46, 0xad, 0x24, 0xaf, 0xe7, 0xc8, 0x3d, 0x94, 0x85, 0xa, 0xd0, 0x16, 0xac, 0x15, 0x8a, 0xb9, 0x4, 0xb0, 0x43, 0x27, 0xba, 0x38, 0xdc, 0x3a, 0xee, 0x15, 0x44, 0x33, 0xf7, 0xf4, 0xc7, 0xb1, 0x5a, 0xd0, 0x62, 0x1e, 0x8f, 0xdf, 0x43, 0xea, 0xb6, 0xa3, 0x76, 0x9d, 0x5, 0x89, 0x61, 0x32, 0x46, 0xf, 0x3a, 0xa2, 0xb5, 0xb, 0xbd, 0x2f, 0x8c, 0x91, 0x1, 0x6a, 0xdb, 0x71, 0xc9, 0x5b, 0x94, 0x3f, 0x74, 0xb4, 0x4a, 0xd9, 0x1, 0x78, 0x2b, 0xe2, 0x6a, 0x67, 0x5e, 0xf6, 0x4d, 0xb9, 0x4c, 0x89, 0x95, 0xaf, 0xab, 0xbf, 0xfc, 0xaa, 0x41, 0x22, 0x6b, 0x27, 0x7, 0xdc, 0x9b, 0x7b, 0x8b, 0xa4, 0xdd, 0x5b, 0x62, 0x83, 0xf9, 0xea, 0xdf, 0xb4, 0xfc, 0xa3, 0xf2, 0xfa, 0x77, 0x59, 0x5b, 0x4b, 0x2c, 0x5, 0xef, 0x42, 0xd0, 0xbe, 0xf0, 0x91, 0x75, 0x6, 0x71, 0x7f, 0xe8, 0x9f, 0xc7, 0x4e, 0xf2, 0x22, 0xca, 0x73, 0x9c, 0xc8, 0x1b, 0x9f, 0x4a, 0xe6, 0x9e, 0xfa, 0x37, 0x7d, 0xf, 0xc, 0x75, 0xa, 0x88, 0x64, 0x7a, 0xcc, 0x83, 0x8e, 0x54, 0x4e, 0xe3, 0xcf, 0xba, 0x39, 0x5, 0xf, 0x11, 0xc, 0x76, 0x8c, 0x41, 0x3d, 0x88, 0x15, 0xf1, 0xb1, 0x4c, 0xaa, 0x4d, 0x3e, 0xff, 0x69, 0xfc, 0x5f, 0xb5, 0xe7, 0x33, 0x27, 0x27, 0x31, 0x5, 0x92, 0xbc, 0x47, 0xf1, 0x46, 0x94, 0xdf, 0x22, 0xd7, 0x34, 0x24, 0x5b, 0x88, 0x7c, 0x6b, 0xfc, 0xe6, 0x65, 0x4f, 0x44, 0x6a, 0xa8, 0x6e, 0xf1, 0xc3, 0x5a, 0x46, 0x1a, 0x7a, 0x1c, 0xd1, 0xf1, 0xb2, 0x1d, 0x46, 0x5a, 0x11, 0x72, 0xa1, 0x68, 0x6c, 0x95, 0xdd, 0x67, 0x47, 0x98, 0x46, 0x3a, 0xd1, 0xeb, 0xf2, 0x92, 0x33, 0xc7, 0xcd, 0x26, 0xe5, 0xcd, 0x9c, 0xa9, 0xc7, 0x81, 0x2b, 0x29, 0x22, 0xdc, 0x7f, 0x53, 0x8e, 0x98, 0x91, 0xd3, 0xa6, 0x69, 0xcf, 0xd8, 0x76, 0x2d, 0x85, 0x46, 0x24, 0x43, 0xff, 0xc5, 0xff, 0xbd, 0xdf, 0xae, 0xbd, 0xf4, 0x16, 0xb, 0x6d, 0xed, 0x6c, 0x74, 0x86, 0x60, 0x32, 0xfd, 0x23, 0x17, 0x3e, 0x4b, 0xff, 0x2f, 0x1d, 0xfb, 0x8b, 0xc8, 0x14, 0x9c, 0x1, 0x2d, 0xec, 0xf2, 0xc7, 0xd, 0x4b, 0x10, 0x45, 0xf2, 0x32, 0x8, 0x3e, 0x7e, 0x2b, 0xea, 0xad, 0xfb, 0xda, 0x0, 0x5f, 0xf, 0xfb, 0xfb, 0x99, 0x66, 0xcf, 0xe5, 0x29, 0xda, 0x7c, 0x82, 0x61, 0x23, 0x97, 0x4f, 0x26, 0xe6, 0x67, 0x5, 0xa9, 0x7e, 0x4f, 0xb1, 0x97, 0xb7, 0x5c, 0xae, 0xb6, 0xb7, 0x57, 0x32, 0x51, 0x3d, 0x90, 0x10, 0x9f, 0x3c, 0x4a, 0x45, 0x85, 0x24, 0x37, 0xbc, 0x69, 0xad, 0xc9, 0xd2, 0xd8, 0x44, 0xcb, 0x29, 0x6b, 0x24, 0x93, 0xda, 0x38, 0xac, 0xcb, 0xc8, 0x77, 0x1d, 0xa2, 0x40, 0xb5, 0x42, 0x8e, 0x91, 0x1, 0x35, 0xe4, 0xbf, 0x9b, 0x4e, 0x61, 0xc3, 0x56, 0x7a, 0x70, 0xfa, 0xff, 0x7f, 0xc2, 0xb, 0xe3, 0xf3, 0xa2, 0xb1, 0x6e, 0x11, 0x65, 0x83, 0xb0, 0x5a, 0xc0, 0xf0, 0xe5, 0xe, 0xab, 0x65, 0x49, 0xbf, 0x1b, 0x74, 0x4d, 0xbd, 0x4b, 0x46, 0x83, 0xca, 0x41, 0xec, 0xfe, 0x9f, 0xb0, 0xd0, 0x99, 0x5f, 0x70, 0xca, 0x1a, 0xfa, 0xa5, 0x2d, 0xf4, 0x56, 0xcc, 0xd6, 0xc5, 0x31, 0xb9, 0x52, 0xcc, 0xdd, 0x4e, 0x96, 0x49, 0xd8, 0xd8, 0x84, 0xc8, 0x15, 0x96, 0xe5, 0x8a, 0xb7, 0x53, 0xe3, 0xd4, 0xf1, 0xe3, 0xe4, 0xc, 0xa0, 0xb0, 0x46, 0xef, 0x14, 0x8a, 0x2d, 0x6, 0xfd, 0x73, 0x4b, 0x57, 0xab, 0xd5, 0x8, 0x64, 0xfd, 0x3f, 0x27, 0xd3, 0xc9, 0xd1, 0x41, 0xbc, 0x0, 0x78, 0xe7, 0x6b, 0xe7, 0xe1, 0x38, 0x35, 0x31, 0x50, 0x65, 0xc5, 0x37, 0x8b, 0xfe, 0x71, 0x1a, 0x33, 0x9b, 0x6b, 0x21, 0x16, 0xd9, 0x1c, 0x73, 0x8f, 0x38, 0xbb, 0xb, 0x5d, 0x82, 0xad, 0x8a, 0x86, 0xf8, 0x39, 0x7b, 0xb5, 0x34, 0xf6, 0xaf, 0x69, 0xcc, 0x75, 0xd4, 0x4f, 0x7f, 0xe2, 0x6e, 0x49, 0xd5, 0xd0, 0xcb, 0x58, 0x7e, 0xa4, 0x7f, 0xe0, 0x23, 0xd3, 0x3f, 0x79, 0x26, 0x8a, 0x49, 0xf3, 0x30, 0xfa, 0x72, 0x9b, 0x1a, 0xc6, 0x34, 0xd1, 0x96, 0xb6, 0xc9, 0xd9, 0xc9, 0x94, 0xd1, 0xa6, 0x80, 0x58, 0xa8, 0xec, 0x2b, 0x79, 0x95, 0x99, 0x3, 0xaf, 0x45, 0x46, 0xcc, 0xbd, 0x19, 0x62, 0xb7, 0x1c, 0x5b, 0xe0, 0xc2, 0x56, 0x7e, 0x7e, 0x56, 0x71, 0x91, 0xbf, 0xc0, 0xe, 0x10, 0xc9, 0xc4, 0x61, 0x86, 0x6f, 0x7, 0xe7, 0xd9, 0x4, 0xbc, 0xba, 0x5b, 0x8, 0x7b, 0xd6, 0x6a, 0xa9, 0x93, 0x5e, 0x59, 0x4, 0xb9, 0x9f, 0x9a, 0x24, 0xdc, 0xfb, 0xea, 0xc1, 0x26, 0x75, 0xb7, 0xb, 0xdd, 0xec, 0x67, 0xd3, 0x44, 0xd, 0x95, 0xd6, 0xc0, 0x9d, 0x17, 0x99, 0x39, 0x95, 0x3c, 0x6c, 0x79, 0x8c, 0xe5, 0xf8, 0x7e, 0xce, 0x7a, 0xe5, 0x66, 0xdd, 0x84, 0xae, 0xda, 0x9a, 0x33, 0x7f, 0x22, 0x45, 0x3e, 0xe1, 0x4a, 0x78, 0x57, 0xe7, 0x85, 0x2a, 0xb8, 0xc5, 0x46, 0xb0, 0x1f, 0x63, 0x37, 0xec, 0xae, 0x50, 0xaa, 0xb7, 0x58, 0x7, 0x30, 0x3b, 0xca, 0x4f, 0xdc, 0xbe, 0xb, 0x70, 0xc9, 0xa, 0x7e, 0x56, 0x82, 0xf, 0xd2, 0xf8, 0xf5, 0x4f, 0xd4, 0xd9, 0x71, 0x10, 0x18, 0xd, 0x24, 0x9e, 0xe9, 0xe, 0x36, 0x61, 0x66, 0x44, 0xb9, 0xb4, 0xac, 0xdc, 0x7c, 0x5, 0x5c, 0x32, 0xe5, 0x2f, 0xd1, 0x7c, 0x66, 0xe7, 0x3b, 0x4e, 0x97, 0x21, 0xb5, 0x97, 0xa2, 0x1f, 0x76, 0x3d, 0x8, 0xdb, 0xe7, 0x81, 0x40, 0xfa, 0x15, 0xbd, 0x6, 0xf2, 0xe6, 0x3b, 0x99, 0x31, 0x8c, 0x9f, 0xc1, 0x14, 0x9b, 0x26, 0x49, 0x89, 0x57, 0x23, 0xd9, 0xa9, 0x72, 0x8d, 0x46, 0x21, 0x11, 0x28, 0x1a, 0xe5, 0xc4, 0xf6, 0x9e, 0xd0, 0xb9, 0x66, 0xfb, 0xb8, 0x2b, 0x86, 0xf6, 0x39, 0x99, 0xaa, 0xdf, 0x22, 0x8d, 0x7f, 0xe7, 0x64, 0xac, 0x8a, 0xb0, 0x61, 0x44, 0x50, 0x10, 0x7b, 0x32, 0xf3, 0x7d, 0x4a, 0x4c, 0x4e, 0x70, 0x71, 0x5b, 0x1, 0xfe, 0x2f, 0x34, 0x34, 0x97, 0xd0, 0xe, 0x2, 0xd3, 0x8, 0x44, 0xaf, 0xe, 0xab, 0x7a, 0xb9, 0x63, 0xed, 0x9e, 0x90, 0xb1, 0x28, 0xec, 0x6, 0xc5, 0xa4, 0x83, 0xc5, 0xcb, 0x2c, 0x97, 0xfe, 0xac, 0xd1, 0x88, 0xd1, 0x7e, 0x95, 0xa2, 0xae, 0xf1, 0x12, 0x33, 0xd8, 0xae, 0x8b, 0x2d, 0x36, 0x25, 0x83, 0xb4, 0x6c, 0x2a, 0xef, 0x43, 0x5c, 0x19, 0x8e, 0x42, 0xde, 0xd, 0x13, 0xc6, 0x50, 0x60, 0xe, 0x5a, 0x2, 0x42, 0xc8, 0x5d, 0x6a, 0x68, 0x8, 0xa7, 0x72, 0xa9, 0x2d, 0xa8, 0xb4, 0x8, 0xe5, 0xa1, 0x99, 0x29, 0xb5, 0x4f, 0xcd, 0xad, 0xcd, 0x82, 0xa8, 0x3f, 0x2f, 0x95, 0x19, 0x63, 0x5f, 0x59, 0x68, 0xef, 0xa4, 0x6f, 0x76, 0x31, 0xe5, 0xf9, 0xa2, 0x2c, 0xe5, 0xd3, 0xc1, 0xe2, 0x57, 0x30, 0x5c, 0xaf, 0x20, 0xb8, 0x94, 0x1e, 0xe5, 0xf6, 0x28, 0x48, 0x1e, 0x4f, 0x5d, 0x2f, 0x1a, 0x75, 0xa1, 0x0, 0xf9, 0xa0, 0x58, 0x2c, 0x39, 0xb3, 0xad, 0x31, 0xe8, 0x66, 0x58, 0x6e, 0x1b, 0xca, 0x90, 0x5a, 0x4c, 0xbd, 0xa8, 0xa5, 0x10, 0xb9, 0x90, 0xf0, 0xd9, 0xda, 0x64, 0x68, 0x9, 0x49, 0xd2, 0x91, 0xca, 0xc1, 0xdb, 0x67, 0x3f, 0xbe, 0x93, 0x6a, 0x8e, 0x4c, 0x76, 0xf4, 0xf5, 0xba, 0x6f, 0xae, 0xac, 0xa0, 0x11, 0x14, 0xd2, 0xe0, 0xc6, 0x63, 0x15, 0xd8, 0x4a, 0xa, 0xda, 0x7f, 0x78, 0xfa, 0x28, 0x30, 0x80, 0x8c, 0x90, 0x1c, 0x49, 0x24, 0xd5, 0x7, 0x5f, 0x79, 0x4c, 0xe, 0xba, 0x57, 0x12, 0x7c, 0x82, 0x82, 0x61, 0xa8, 0xcb, 0x3d, 0x5f, 0x52, 0x72, 0x7e, 0xbd, 0xdd, 0x48, 0xa4, 0xd1, 0x15, 0xb8, 0x93, 0xf4, 0xfc, 0x96, 0x8f, 0x2d, 0x5f, 0xa9, 0xa, 0x3b, 0x26, 0x4c, 0xa, 0xba, 0x7f, 0x0, 0xa0, 0x63, 0x40, 0x51, 0xa1, 0x88, 0x46, 0x58, 0x9c, 0x6a, 0x5e, 0xc2, 0x64, 0x95, 0xca, 0xcb, 0xf, 0xdc, 0xf, 0x7b, 0x4d, 0x5a, 0xe, 0x74, 0x8a, 0x3f, 0xa3, 0xda, 0x75, 0x22, 0x54, 0x97, 0xca, 0xce, 0x67, 0x91, 0xf4, 0x83, 0xa0, 0x39, 0x79, 0x4b, 0xf6, 0x2c, 0x6d, 0x42, 0xbf, 0xd0, 0x3f, 0x72, 0x55, 0xe3, 0x55, 0x25, 0xe2, 0x44, 0xf1, 0xc4, 0x6, 0x6d, 0x6e, 0xa9, 0x61, 0xe, 0x88, 0x87, 0xdd, 0xa8, 0x68, 0x47, 0xd5, 0xe4, 0x8, 0xe5, 0x15, 0x38, 0x54, 0x15, 0x15, 0x5e, 0xb6, 0xb1, 0x72, 0xe7, 0xd7, 0x9, 0xa0, 0x2f, 0x30, 0xac, 0xd6, 0x9d, 0x43, 0x63, 0x6b, 0x8, 0x61, 0x4, 0xcc, 0x91, 0x95, 0x15, 0x51, 0x6e, 0xe6, 0x95, 0x94, 0xaa, 0x95, 0xb6, 0x31, 0xd5, 0xde, 0x79, 0x67, 0x94, 0x4c, 0x2d, 0x79, 0xbe, 0xc2, 0x89, 0xba, 0x82, 0x24, 0xbd, 0x19, 0xbf, 0xb, 0xa2, 0x8a, 0x65, 0xe2, 0x8e, 0x17, 0x79, 0x24, 0x32, 0x8a, 0x52, 0x0, 0xc0, 0x45, 0xe8, 0xea, 0xff, 0x4a, 0xbe, 0x24, 0xd9, 0x8b, 0x2c, 0x99, 0xed, 0xeb, 0x2b, 0x31, 0x51, 0xc2, 0x35, 0x4e, 0xc1, 0x2f, 0x80, 0x3f, 0xb9, 0x3c, 0x33, 0x41, 0x43, 0x7c, 0x5b, 0x73, 0x71, 0x62, 0xf3, 0xd4, 0x16, 0x4, 0x51, 0xa2, 0x3, 0x8e, 0x3c, 0x43, 0xbf, 0x9b, 0x6, 0x4d, 0x3f, 0x7c, 0x5a, 0x8f, 0xf7, 0x1, 0xae, 0x83, 0xd, 0x7, 0xed, 0x4e, 0x7c, 0xbe, 0xff, 0xa8, 0x50, 0x83, 0xf, 0xe1, 0x76, 0x6, 0x89, 0x4f, 0xc7, 0xe1, 0xf8, 0xda, 0x9d, 0x66, 0x9, 0x8, 0x7d, 0xd9, 0x2b, 0x75, 0xdc, 0x58, 0xb9, 0x1, 0x3a, 0x45, 0x5d, 0x21, 0xc, 0xc2, 0xdb, 0xab, 0x2b, 0xc1, 0x41, 0x16, 0x13, 0x9a, 0xd7, 0x89, 0xe6, 0xd4, 0x5e, 0xe0, 0x80, 0xda, 0xf0, 0xe8, 0x48, 0xc4, 0x70, 0xbb, 0x77, 0xeb, 0x5f, 0x50, 0x4b, 0xf7, 0x7e, 0x5, 0xb6, 0x2b, 0x3e, 0xbd, 0xef, 0xa5, 0x3c, 0x60, 0xce, 0x2d, 0xe2, 0x83, 0x75, 0xc7, 0x70, 0x5c, 0x2c, 0xf2, 0xb1, 0xe3, 0xfb, 0xcc, 0x4, 0x8e, 0x69, 0xe1, 0xf8, 0x1d, 0xb1, 0xc8, 0x5, 0x90, 0x16, 0x3, 0xe2, 0x7b, 0x87, 0x79, 0x61, 0x3c, 0x4f, 0x8c, 0x9e, 0x74, 0x32, 0x5, 0xfc, 0x53, 0x78, 0xa, 0x9d, 0xbc, 0x2d, 0x37, 0xd9, 0x54, 0x94, 0x93, 0x4f, 0x7d, 0x18, 0x1b, 0xe, 0x80, 0xb4, 0x9d, 0xce, 0x82, 0xe6, 0xe8, 0x68, 0x5e, 0x16, 0xd8, 0x9a, 0x12, 0xa9, 0x5b, 0x78, 0x7f, 0xbe, 0x35, 0x97, 0xe2, 0xf, 0x5a, 0xe3, 0xe5, 0x29, 0xf0, 0xec, 0xc1, 0x8e, 0xb3, 0xc2, 0x45, 0x86, 0xe5, 0x68, 0x31, 0x2f, 0xb2, 0x4c, 0xf9, 0xc7, 0x62, 0x73, 0x29, 0xe9, 0x39, 0xb, 0xc9, 0xd1, 0x66, 0x14, 0xbf, 0x4f, 0x2a, 0xae, 0xb, 0x92, 0x56, 0x76, 0x4f, 0x3e, 0x72, 0xb1, 0xbe, 0xf1, 0xb9, 0x4, 0x5d, 0x80, 0xb4, 0xd4, 0xdb, 0xdb, 0x8, 0x72, 0x9a, 0x72, 0x53, 0xca, 0xae, 0x87, 0x56, 0xe4, 0xad, 0x1a, 0xb7, 0x2, 0x9e, 0x5b, 0xc, 0xf4, 0x3, 0x53, 0xe8, 0x4, 0xee, 0x35, 0x92, 0x96, 0x7c, 0xa3, 0x2b, 0x63, 0xd6, 0x34, 0x20, 0xcc, 0x46, 0x5f, 0x5b, 0x54, 0xac, 0x96, 0xb2, 0x72, 0xef, 0x55, 0x62, 0xb0, 0x91, 0x7b, 0x1f, 0x5c, 0xec, 0xab, 0x21, 0xe8, 0x33, 0xbb, 0xc7, 0xe1, 0x79, 0xa, 0x17, 0x41, 0x9f, 0x3a, 0x28, 0xb4, 0x4, 0xbb, 0x5a, 0x47, 0x2a, 0xfd, 0x8f, 0xf2, 0xe1, 0xd, 0x8, 0xa5, 0x34, 0x19, 0x54, 0x1f, 0xff, 0xb0, 0x1a, 0xf3, 0xbb, 0x4, 0x76, 0x39, 0xe1, 0x19, 0xb4, 0xa6, 0x17, 0x37, 0x3, 0xe6, 0xa8, 0xb2, 0xb9, 0x2c, 0xf1, 0xe, 0x5d, 0xe4, 0x1, 0xd6, 0x8e, 0xe9, 0x15, 0xb5, 0xf5, 0xa, 0x3f, 0x56, 0x9b, 0x4f, 0x98, 0x33, 0xb6, 0x9d, 0x12, 0x9b, 0x65, 0x4a, 0x7e, 0xa4, 0x2f, 0xba, 0x4a, 0xe3, 0x82, 0x9d, 0x3f, 0x9e, 0xd1, 0x82, 0x6f, 0xb5, 0xb4, 0x34, 0x44, 0x3a, 0xcf, 0x9c, 0x1, 0x31, 0xdc, 0x54, 0x79, 0x1a, 0x11, 0x81, 0x45, 0xa3, 0xa7, 0x72, 0x49, 0xe3, 0xd, 0xc8, 0xda, 0xa9, 0xdd, 0xb8, 0xf6, 0x74, 0x54, 0xd0, 0x43, 0xb0, 0x1a, 0x7b, 0x13, 0x11, 0x9e, 0x31, 0x1c, 0x2, 0x3f, 0xc0, 0x5c, 0xed, 0xce, 0x54, 0xa7, 0x0, 0xd4, 0x5a, 0xea, 0xcb, 0x94, 0xc7, 0xa2, 0xa, 0xb6, 0x15, 0xc0, 0x70, 0xf4, 0x67, 0x3e, 0x9, 0x86, 0x9b, 0x20, 0xb1, 0xfd, 0xef, 0x3, 0x2, 0xbf, 0x6c, 0x9d, 0xb1, 0xed, 0x63, 0xf0, 0x21, 0x5b, 0x27, 0xf, 0x98, 0x76, 0x34, 0xf5, 0x59, 0x80, 0x5e, 0xac, 0xb7, 0xd7, 0x56, 0x24, 0x20, 0xc9, 0xed, 0x0, 0x49, 0x5f, 0xc0, 0xa8, 0xe5, 0x86, 0x1e, 0xf0, 0x70, 0xb4, 0x8e, 0xc0, 0x4, 0xce, 0x98, 0xcd, 0x1d, 0x24, 0xc2, 0x4a, 0xf7, 0xdb, 0x30, 0xe8, 0xe2, 0xc, 0xcc, 0x77, 0x7e, 0x6b, 0x3f, 0x7e, 0xc9, 0xe9, 0xfe, 0xcd, 0x72, 0x61, 0x74, 0xda, 0xb6, 0xb4, 0xca, 0xb, 0xc1, 0xb9, 0x6, 0x98, 0xb5, 0xfc, 0xd2, 0x2, 0x3b, 0x47, 0x6f, 0xde, 0xa1, 0x89, 0x5e, 0x18, 0x85, 0xd4, 0xc4, 0xb6, 0xe, 0x1f, 0x93, 0xe6, 0x39, 0x4, 0x5b, 0xfa, 0xd4, 0xbd, 0x40, 0x44, 0x4d, 0xb8, 0x7e, 0xbe, 0x34, 0x6e, 0x78, 0x18, 0x54, 0xbc, 0x59, 0x72, 0x9d, 0x21, 0xe5, 0x80, 0x63, 0xde, 0x7e, 0x74, 0xa9, 0x34, 0x72, 0xe3, 0x74, 0x13, 0x10, 0x1b, 0x36, 0xb1, 0xfb, 0xc9, 0x4f, 0xef, 0x57, 0xf3, 0x3c, 0x73, 0x33, 0xb5, 0xe7, 0x93, 0x41, 0x1c, 0x99, 0x2c, 0xdd, 0xa2, 0x6a, 0x7a, 0x91, 0x70, 0xa7, 0xd2, 0xe4, 0x87, 0x78, 0xcb, 0x24, 0xd, 0xc2, 0xb4, 0x9, 0x18, 0xdd, 0x3e, 0x2d, 0x9c, 0x8e, 0xc3, 0xd7, 0x4c, 0x0, 0xbe, 0xa, 0x97, 0xa9, 0xab, 0x5b, 0x7c, 0xc7, 0x10, 0xd7, 0x98, 0xd5, 0x51, 0x3, 0xac, 0x20, 0xa4, 0x4d, 0x3a, 0xcb, 0x66, 0x41, 0x2c, 0x27, 0x1f, 0xde, 0x71, 0xca, 0x1a, 0xfe, 0x82, 0xdb, 0xf, 0x4b, 0xf5, 0xd8, 0xf2, 0x79, 0x6e, 0x74, 0x9b, 0x3e, 0x57, 0x4b, 0x36, 0xc7, 0x7f, 0x6e, 0x40, 0x50, 0x4b, 0xfd, 0x46, 0x3f, 0xd0, 0x75, 0x7b, 0xd8, 0x98, 0xb, 0x6d, 0xc3, 0x1c, 0x5c, 0xa1, 0x2d, 0x47, 0x1f, 0xf1, 0xa3, 0x3b, 0x51, 0x7f, 0x23, 0xaf, 0xc3, 0xaa, 0x7e, 0x92, 0x52, 0x67, 0x87, 0x39, 0xd7, 0x65, 0x60, 0xa0, 0xfa, 0xb, 0xce, 0xc6, 0x97, 0xb4, 0x72, 0x2e, 0x4, 0x61, 0x23, 0x9f, 0xa, 0xc4, 0xc, 0xed, 0xda, 0x4a, 0xbb, 0xc1, 0x2f, 0x1c, 0xe1, 0xc2, 0xdd, 0xf8, 0x9e, 0x1a, 0xc, 0x77, 0xa5, 0x1d, 0x63, 0xbf, 0x72, 0x2, 0x68, 0x44, 0xfe, 0x4c, 0x8a, 0xc3, 0x5c, 0xfb, 0x62, 0x72, 0x9f, 0x6b, 0xc7, 0xdd, 0x77, 0xb1, 0xab, 0x26, 0xaf, 0xd0, 0x79, 0x64, 0xd5, 0x91, 0x78, 0x68, 0xb5, 0x2a, 0xf8, 0x73, 0x21, 0x23, 0x72, 0xa9, 0x68, 0x67, 0x2b, 0x19, 0x66, 0x1f, 0x8c, 0xb0, 0x3b, 0xbb, 0xef, 0x58, 0x83, 0xd1, 0xa6, 0xdb, 0x11, 0x9c, 0xb2, 0x3a, 0x6d, 0x91, 0xb0, 0x97, 0x27, 0x9e, 0x51, 0x90, 0xe2, 0x88, 0x91, 0xf0, 0x18, 0xdc, 0xd4, 0x7f, 0xca, 0xb0, 0x98, 0xe3, 0x86, 0x8e, 0x64, 0xe3, 0xaa, 0xb3, 0x38, 0x45, 0x81, 0x8f, 0x24, 0x34, 0x43, 0x20, 0xbc, 0x64, 0x58, 0x34, 0xb5, 0x24, 0x75, 0x12, 0x1d, 0xbc, 0xb5, 0xd6, 0x66, 0xd3, 0x72, 0xf5, 0x14, 0xd, 0x8, 0x12, 0xe3, 0xeb, 0xaf, 0xab, 0x16, 0xa7, 0x15, 0xed, 0x13, 0xbe, 0x67, 0xa9, 0xdb, 0x27, 0xce, 0x18, 0x6f, 0x2d, 0x55, 0x8, 0xef, 0x26, 0xe8, 0xc9, 0x96, 0xe0, 0x63, 0x2b, 0xbe, 0x6, 0x1b, 0x19, 0x2c, 0xb5, 0x38, 0x3c, 0x98, 0x45, 0x31, 0x9d, 0x85, 0x8b, 0xbc, 0x7a, 0x63, 0x6c, 0x17, 0x4f, 0xb1, 0xe6, 0x7b, 0xff, 0xca, 0x9d, 0xfb, 0x93, 0x27, 0x5a, 0x6a, 0xa6, 0x35, 0x5f, 0xa5, 0xe5, 0xeb, 0x59, 0xdc, 0x87, 0x9f, 0xcd, 0x1d, 0xec, 0x7c, 0x60, 0xf5, 0xdb, 0xfb, 0xd3, 0x5c, 0x59, 0x7c, 0x57, 0x32, 0xeb, 0x26, 0x22, 0x3b, 0x54, 0x5b, 0xfd, 0x35, 0xc9, 0xc4, 0x46, 0x6, 0x8, 0x69, 0x96, 0x16, 0x53, 0x1d, 0x38, 0x52, 0x34, 0xb9, 0x69, 0xde, 0xcd, 0x88, 0x0, 0x1c, 0x20, 0x57, 0xc7, 0xaf, 0x86, 0x9a, 0x51, 0x22, 0xe9, 0xdd, 0xa8, 0xce, 0x35, 0xbd, 0x95, 0x38, 0x4, 0xe3, 0xd, 0x97, 0x55, 0x85, 0xe1, 0xc1, 0x8, 0x76, 0x5e, 0x93, 0x35, 0x25, 0xa9, 0xdf, 0x67, 0x82, 0x8b, 0xa3, 0x2e, 0x32, 0x57, 0xa, 0xc6, 0xd4, 0xb5, 0xf8, 0x4e, 0x80, 0x77, 0x79, 0xbf, 0xe0, 0xb5, 0xdb, 0x94, 0xc0, 0x68, 0xea, 0x33, 0x62, 0x10, 0xd4, 0x68, 0xd9, 0x2e, 0x6, 0x7d, 0xb7, 0x2d, 0x0, 0xb3, 0x58, 0xbc, 0x9b, 0x71, 0x3e, 0x58, 0x9d, 0xc4, 0x3d, 0x3d, 0xdd, 0xe7, 0x68, 0x58, 0x5e, 0x3a, 0x1, 0x40, 0x57, 0x82, 0x8d, 0x1b, 0x3c, 0x9e, 0x3c, 0x47, 0x17, 0x31, 0x21, 0xab, 0xb6, 0x99, 0x7c, 0xa7, 0xa2, 0xb0, 0xc, 0xf2, 0x88, 0xf8, 0xc2, 0xb3, 0xa3, 0x48, 0x5c, 0xca, 0xd4, 0x27, 0x29, 0xe1, 0x4b, 0x5c, 0x4c, 0x8e, 0x84, 0x8f, 0x51, 0x16, 0x3f, 0xf2, 0xb0, 0xcb, 0x7b, 0x75, 0xc, 0x22, 0x89, 0xf7, 0x84, 0x96, 0xeb, 0x5d, 0x32, 0xbb, 0x1c, 0xbd, 0x35, 0xa, 0xe1, 0xd, 0x7d, 0xfb, 0x86, 0xb1, 0xbd, 0x85, 0x96, 0x2c, 0xb2, 0xe3, 0x50, 0x73, 0xd0, 0x41, 0xc6, 0x45, 0xef, 0x3e, 0x39, 0x95, 0x3f, 0x44, 0x6d, 0x7b, 0xd0, 0xf1, 0xf, 0x87, 0xb8, 0xf3, 0x24, 0x17, 0x99, 0x91, 0x3e, 0x91, 0xc7, 0x86, 0xd6, 0xcb, 0x39, 0x9c, 0x79, 0xda, 0x5e, 0x1e, 0xfc, 0xd4, 0x63, 0xc7, 0x95, 0xb5, 0xdd, 0x54, 0xed, 0x4f, 0xac, 0xb, 0xb8, 0x63, 0x6b, 0x16, 0xb5, 0x5f, 0x7e, 0x69, 0xfc, 0xa0, 0x6e, 0x64, 0xc9, 0xf1, 0xd0, 0xba, 0x8, 0x77, 0x73, 0xa5, 0x2c, 0xa9, 0x11, 0x5f, 0x74, 0x28, 0x96, 0x7a, 0x96, 0x86, 0x9a, 0x58, 0x79, 0xf3, 0x61, 0x9f, 0x65, 0xa2, 0x47, 0x65, 0xa, 0xcf, 0x64, 0xcb, 0xb, 0x38, 0x33, 0x30, 0xf4, 0x18, 0x12, 0x74, 0x8a, 0xd9, 0xf, 0xe4, 0xe4, 0x1d, 0xfc, 0xb8, 0xed, 0x9e, 0xf0, 0x8f, 0xec, 0xc4, 0xae, 0x83, 0x60, 0xc5, 0x95, 0xe1, 0xb5, 0x6d, 0xde, 0xa1, 0x16, 0xdc, 0x7, 0x56, 0xb0, 0x7, 0x33, 0x97, 0x70, 0xd4, 0xc0, 0x86, 0xc1, 0x82, 0x14, 0x66, 0x3a, 0x4c, 0x51, 0xac, 0x19, 0x83, 0xa0, 0xb3, 0xe6, 0x79, 0x9, 0x61, 0xfd, 0x20, 0x53, 0x23, 0x7, 0xd4, 0x93, 0xe5, 0xd3, 0xb, 0x1d, 0xcc, 0xba, 0x80, 0xaa, 0xfc, 0x6, 0xc0, 0xa, 0x15, 0x25, 0x0, 0xd2, 0xe, 0xc6, 0xd9, 0xb1, 0x92, 0xb, 0x78, 0xaf, 0xd0, 0x7e, 0xe, 0x61, 0x31, 0xce, 0xa9, 0x80, 0x6e, 0x44, 0xbf, 0xf5, 0x4b, 0xb5, 0x20, 0x3c, 0x1d, 0x1, 0x1c, 0x44, 0xc3, 0x96, 0x15, 0x19, 0xa1, 0x6d, 0xf7, 0x77, 0xb4, 0x94, 0x40, 0x4d, 0x2b, 0x5b, 0x2e, 0x97, 0x5f, 0xde, 0x96, 0x5e, 0x4f, 0x95, 0x49, 0x4b, 0x59, 0xd, 0x87, 0x4f, 0xa, 0xe4, 0xa8, 0x6c, 0xef, 0x8d, 0xa6, 0x45, 0x6f, 0x88, 0xe2, 0x9e, 0x13, 0x9a, 0x43, 0xc4, 0xec, 0x60, 0x2, 0xae, 0x1f, 0xb7, 0xcf, 0xb4, 0x3e, 0xcd, 0xae, 0x45, 0x20, 0x76, 0x32, 0x4e, 0xb6, 0xd9, 0xc5, 0x50, 0xf3, 0x2c, 0x18, 0x86, 0xdb, 0xda, 0xa, 0x47, 0x72, 0x50, 0x66, 0xaa, 0x2c, 0x9b, 0xf3, 0x9a, 0xef, 0x24, 0xd3, 0xef, 0xa4, 0x2f, 0x32, 0x78, 0x31, 0xbd, 0x27, 0xc3, 0x94, 0x33, 0x15, 0x3d, 0xb0, 0xda, 0x29, 0x31, 0x71, 0xf2, 0xd5, 0x81, 0xf5, 0x27, 0x80, 0xf4, 0x42, 0xc, 0x2e, 0xc7, 0x17, 0xe7, 0x36, 0x85, 0xbc, 0xcd, 0x40, 0xaa, 0xf, 0x9d, 0x36, 0x2d, 0x7a, 0x65, 0x5a, 0xf4, 0xe6, 0x74, 0x7f, 0xea, 0xc4, 0xbf, 0x3b, 0xb0, 0xf0, 0x69, 0x7c, 0xf3, 0x89, 0x7, 0xb7, 0x4a, 0x2d, 0x80, 0xc5, 0x1, 0x78, 0xd8, 0x26, 0x32, 0x97, 0xf4, 0xd, 0x36, 0x4c, 0x42, 0xe7, 0x4f, 0x50, 0xd, 0x89, 0x5f, 0xe5, 0xd4, 0xae, 0x9e, 0xc6, 0x29, 0x37, 0xdd, 0x5c, 0x99, 0x8e, 0x20, 0xf3, 0xea, 0xd, 0xd0, 0x5c, 0xbd, 0x43, 0xf7, 0x7d, 0x84, 0x61, 0xf1, 0x10, 0x13, 0x5a, 0xfe, 0x25, 0x3f, 0x1a, 0x94, 0xa2, 0x75, 0xe7, 0x34, 0xea, 0x42, 0x6a, 0x9b, 0x42, 0xd5, 0x4, 0x7a, 0xb9, 0x41, 0xaf, 0x3d, 0x85, 0x7e, 0x59, 0xfa, 0x89, 0xb, 0x6b, 0x72, 0x27, 0xec, 0x58, 0x4c, 0xde, 0x43, 0xd, 0x3, 0x6a, 0xb1, 0x8e, 0xed, 0x57, 0xcf, 0x9d, 0xec, 0xe1, 0xe5, 0xe1, 0x65, 0x81, 0xff, 0x7c, 0x69, 0xc1, 0x70, 0xa7, 0xb7, 0x22, 0x2b, 0x6e, 0x9f, 0x8f, 0x91, 0x6d, 0x1e, 0xb7, 0x82, 0x4e, 0xc6, 0x9a, 0x7a, 0x27, 0x7c, 0xcf, 0x35, 0x1f, 0x7b, 0xc8, 0x69, 0xc8, 0xe5, 0x37, 0xd2, 0xd1, 0x55, 0x37, 0x69, 0xfa, 0x29, 0x44, 0x9c, 0x57, 0xde, 0xee, 0x74, 0xc5, 0x5, 0xc, 0x59, 0x6d, 0x33, 0x2b, 0x91, 0xbb, 0x45, 0xeb, 0x4d, 0x7d, 0x77, 0x85, 0x2d, 0x17, 0x5d, 0x67, 0x65, 0x6c, 0x7b, 0xa9, 0xcc, 0x37, 0x1a, 0x8a, 0x3a, 0x37, 0x25, 0x3a, 0x43, 0xa1, 0x1c, 0x3a, 0x35, 0x77, 0x1c, 0xa8, 0x94, 0x3c, 0xd2, 0xed, 0x8d, 0x73, 0xd, 0x18, 0xc4, 0xa8, 0x46, 0x29, 0x57, 0xde, 0xe0, 0xb0, 0x5b, 0x1a, 0x6f, 0x75, 0x16, 0xa8, 0x8b, 0xb9, 0x30, 0x2, 0xf1, 0xd4, 0x33, 0x2b, 0x11, 0xc, 0xf3, 0xc6, 0x32, 0x62, 0xfb, 0xff, 0xd8, 0x9d, 0x12, 0x59, 0x75, 0x5, 0xbf, 0x59, 0xb4, 0x47, 0x1b, 0x28, 0x6a, 0x76, 0x67, 0x3b, 0xfa, 0x3a, 0xbd, 0xc1, 0x77, 0x3a, 0x97, 0x29, 0x78, 0x80, 0xb3, 0x9, 0x7, 0x61, 0xa3, 0x35, 0xc9, 0x7c, 0x22, 0x89, 0x79, 0x7e, 0xa, 0x9a, 0xe3, 0xaa, 0xf8, 0x17, 0xfd, 0xba, 0x63, 0x91, 0x26, 0x86, 0x5e, 0x5c, 0x2e, 0xf4, 0xea, 0x63, 0xc6, 0x78, 0x8e, 0xc9, 0x7, 0x6e, 0xa3, 0x2e, 0x42, 0x9a, 0x20, 0xe8, 0x64, 0x82, 0x8, 0x6a, 0x4c, 0x91, 0xb3, 0xe8, 0x1b, 0x5e, 0xa5, 0x4f, 0xec, 0x3, 0x45, 0xac, 0x4b, 0xdf, 0x68, 0x78, 0xad, 0xca, 0xa7, 0xee, 0xba, 0x47, 0xcb, 0x36, 0xda, 0xc1, 0xe0, 0x75, 0x8, 0xf0, 0x10, 0x2, 0x1e, 0xcb, 0xb7, 0xf5, 0xfd, 0xc8, 0x87, 0x37, 0x3a, 0x4d, 0x7e, 0xc, 0x7e, 0x1f, 0x74, 0x1c, 0x2b, 0x26, 0xf5, 0x43, 0xf0, 0x2d, 0xd7, 0x74, 0x6d, 0x0, 0x1b, 0xdf, 0x76, 0xa9, 0x5b, 0xb4, 0x38, 0x73, 0xdf, 0x14, 0x5, 0x7a, 0x79, 0x6b, 0xa, 0x3e, 0x7c, 0xcf, 0xae, 0x39, 0xac, 0xea, 0xdd, 0x85, 0xb2, 0x30, 0x5e, 0xdb, 0xe3, 0x69, 0xac, 0x9c, 0x33, 0x69, 0xff, 0xbd, 0xd6, 0xe9, 0x59, 0x3c, 0xc8, 0xec, 0x74, 0x82, 0x84, 0xa, 0x82, 0x37, 0x7b, 0x23, 0x67, 0x23, 0xfa, 0x2d, 0x7, 0x35, 0x30, 0x3a, 0x94, 0xb8, 0xbd, 0x48, 0x8f, 0xd2, 0x10, 0x42, 0x6e, 0xf4, 0xc7, 0xec, 0x2e, 0x16, 0x75, 0x51, 0x88, 0x7f, 0x18, 0x2a, 0x63, 0xf4, 0xc5, 0x5, 0xb, 0x4c, 0x1d, 0x7d, 0xd9, 0x5e, 0xfb, 0xfd, 0xca, 0x5, 0x65, 0x32, 0xa3, 0x32, 0xb2, 0x26, 0x8c, 0xbf, 0x41, 0x1d, 0xee, 0x72, 0x92, 0xd6, 0x38, 0xfa, 0x2a, 0xe3, 0xff, 0x3e, 0x45, 0x59, 0x4, 0x87, 0xea, 0xb3, 0x7c, 0xad, 0x43, 0x81, 0xce, 0x66, 0xb6, 0x6a, 0x7e, 0xfa, 0xc1, 0x2e, 0x93, 0x64, 0x62, 0x28, 0x22, 0x30, 0xd2, 0xd2, 0x6c, 0xed, 0xf8, 0x36, 0x67, 0xfe, 0x46, 0x9a, 0x45, 0xbb, 0x85, 0xca, 0x9e, 0x0, 0xd, 0xbf, 0x50, 0xb4, 0xeb, 0xa2, 0x3d, 0xba, 0x6b, 0xc1, 0x6, 0x3e, 0x7c, 0x55, 0x32, 0xbb, 0x21, 0x5b, 0xf3, 0x11, 0x67, 0x7, 0x30, 0x12, 0x23, 0xb1, 0x95, 0xf0, 0x11, 0x76, 0x1b, 0x76, 0xa0, 0x3a, 0x87, 0x61, 0x6d, 0x3a, 0xea, 0x26, 0x90, 0xf6, 0x31, 0x4c, 0xbe, 0xa6, 0x42, 0x6b, 0xb8, 0xc9, 0x7a, 0x2, 0x28, 0x6c, 0x4b, 0xc7, 0xd7, 0xb5, 0xd3, 0xe0, 0x1d, 0x28, 0xab, 0xac, 0x94, 0x48, 0xcd, 0xa5, 0x38, 0x52, 0x60, 0x7d, 0x8f, 0xc7, 0x15, 0xab, 0x96, 0x84, 0x44, 0x42, 0x78, 0xd8, 0xe9, 0xc1, 0xac, 0x10, 0xd2, 0xd0, 0x75, 0xcf, 0xcf, 0xe2, 0x14, 0x8c, 0x5c, 0x29, 0xf2, 0x48, 0x29, 0xcb, 0xf0, 0xda, 0xe8, 0x6d, 0xd7, 0x1f, 0xe8, 0x0, 0xe8, 0x3b, 0xa0, 0xe4, 0x11, 0x2d, 0xd0, 0xc, 0xd3, 0x78, 0x87, 0x51, 0xf3, 0x4d, 0xc, 0xcb, 0x39, 0x51, 0x96, 0x96, 0xbc, 0x82, 0x34, 0x68, 0x1d, 0x81, 0x49, 0x1, 0xd7, 0xa0, 0xef, 0x4e, 0xa0, 0xa1, 0x1e, 0xe5, 0xc8, 0xf6, 0xe4, 0x40, 0x76, 0x23, 0x82, 0xfd, 0xe1, 0x90, 0x59, 0x96, 0xdb, 0x80, 0x1d, 0xf9, 0x25, 0xa2, 0xef, 0xda, 0xcc, 0x96, 0x3a, 0x95, 0x1c, 0x43, 0x17, 0x92, 0xa1, 0x3f, 0xfc, 0xc1, 0xaa, 0x1b, 0x46, 0xb4, 0x84, 0xc1, 0xbb, 0x7, 0xf4, 0xe2, 0x3b, 0x9c, 0xd3, 0x5, 0xd, 0x1d, 0xde, 0x76, 0xd7, 0xec, 0x21, 0x7a, 0x87, 0x52, 0x58, 0x82, 0xb, 0x94, 0x7a, 0x53, 0xf, 0xa7, 0x14, 0x4, 0x30, 0xa2, 0xa6, 0xa9, 0x21, 0x40, 0xba, 0x1c, 0x3f, 0x0, 0x3c, 0x94, 0x76, 0xee, 0x4e, 0x82, 0x50, 0x5d, 0xba, 0x3c, 0xf8, 0xec, 0xfc, 0xdb, 0xa0, 0xc0, 0xf3, 0xb4, 0x93, 0x48, 0x81, 0x53, 0xf9, 0xd7, 0x4d, 0xf2, 0x48, 0x62, 0x41, 0x74, 0x61, 0xdd, 0x9, 0xfb, 0xe4, 0x4d, 0xd6, 0x22, 0x53, 0x5, 0xa7, 0x73, 0xdc, 0xd2, 0x9e, 0xb0, 0xf1, 0x6e, 0x1a, 0xa1, 0x1, 0xc8, 0x0, 0x2b, 0x14, 0xc9, 0x32, 0xa1, 0x98, 0xb0, 0x84, 0x64, 0x72, 0x7a, 0x56, 0xe1, 0x26, 0x63, 0xef, 0xb5, 0xf3, 0x3, 0xfc, 0x4b, 0x57, 0xd0, 0xd2, 0xbe, 0x43, 0x2f, 0x72, 0x8f, 0x76, 0x38, 0x1e, 0x79, 0x74, 0xd8, 0x7e, 0xe9, 0x4c, 0xb3, 0x9f, 0x18, 0x7a, 0x43, 0x5f, 0x8a, 0x16, 0x96, 0x2c, 0x9b, 0x2b, 0xbc, 0x8b, 0x44, 0x8a, 0x27, 0xcf, 0xb6, 0x56, 0xda, 0x51, 0x52, 0xc8, 0xdf, 0x98, 0xa8, 0xc, 0x24, 0x9b, 0xe7, 0x36, 0xd8, 0xca, 0x82, 0x90, 0xa7, 0x51, 0x8e, 0x1a, 0xd3, 0x9e, 0x7b, 0x2e, 0x2, 0xc8, 0xe1, 0x43, 0x8a, 0x31, 0x7d, 0xdc, 0x9d, 0x68, 0xf8, 0xcb, 0x23, 0xe5, 0x50, 0x47, 0x1a, 0x1b, 0x7, 0xf0, 0x72, 0xa0, 0x87, 0x98, 0xc1, 0xfd, 0x4b, 0x81, 0x87, 0xf, 0x9, 0x52, 0xb9, 0x6e, 0x73, 0x8d, 0x2e, 0x85, 0x21, 0x48, 0x6b, 0x1e, 0x4c, 0x54, 0xd3, 0x28, 0xa9, 0x29, 0x86, 0x5, 0x80, 0x77, 0xae, 0x11, 0xa4, 0x1a, 0x93, 0x57, 0xa, 0x1b, 0x7b, 0x6, 0x4d, 0xe9, 0xad, 0x46, 0x5e, 0xa6, 0x4b, 0x8b, 0x9d, 0xb5, 0x4, 0x18, 0x94, 0xcd, 0x87, 0xba, 0x62, 0x3c, 0x1b, 0xe6, 0x20, 0x99, 0x78, 0x4b, 0xb5, 0xfd, 0xac, 0x1a, 0x18, 0xa, 0x84, 0xf2, 0x23, 0xe9, 0xf3, 0x25, 0x93, 0x3d, 0x84, 0x73, 0x44, 0x57, 0x84, 0xcb, 0x71, 0xf3, 0xd0, 0xf2, 0xbe, 0xa9, 0xc5, 0x36, 0x1e, 0xa6, 0x8b, 0x18, 0xd2, 0x77, 0x72, 0xdf, 0x2, 0xc6, 0xd7, 0xa7, 0xd6, 0xbb, 0xb, 0xbc, 0x61, 0x8f, 0x2, 0xa9, 0x3a, 0xba, 0xa1, 0xb6, 0xd0, 0x6e, 0xed, 0x85, 0x90, 0xf4, 0x98, 0x82, 0x6e, 0xae, 0xd6, 0x25, 0xc6, 0x8b, 0x1d, 0xc0, 0xe9, 0xa2, 0x1d, 0xb, 0x2b, 0x83, 0xa0, 0xca, 0xd1, 0x70, 0x82, 0x5c, 0xb4, 0xc2, 0x57, 0xb5, 0x4a, 0x72, 0xd0, 0x41, 0xce, 0x44, 0xfd, 0x71, 0x82, 0x13, 0xac, 0x4b, 0x98, 0x57, 0xc8, 0x8, 0x36, 0xcb, 0x34, 0xc9, 0xe0, 0x67, 0x3, 0xf7, 0x55, 0x54, 0x45, 0xfa, 0x88, 0xc8, 0xb0, 0x2, 0x7b, 0x72, 0xb4, 0xb8, 0xc5, 0xe9, 0xa4, 0x30, 0x71, 0x7c, 0xf0, 0xf0, 0x3e, 0xdc, 0xc, 0x27, 0x9, 0x4b, 0xa3, 0xbe, 0xe4, 0xd9, 0x6e, 0xbc, 0x96, 0x61, 0x19, 0xf2, 0xeb, 0x5b, 0xfd, 0x7e, 0x9, 0xef, 0x6b, 0x73, 0x66, 0xe, 0x3a, 0x29, 0x87, 0xea, 0xb8, 0xf3, 0x28, 0x11, 0xde, 0xfc, 0xdd, 0x6a, 0x5, 0xe4, 0x98, 0x29, 0x61, 0xc9, 0x16, 0x5d, 0xb8, 0x31, 0xcc, 0x55, 0x56, 0xf0, 0x18, 0x24, 0xe1, 0x34, 0xa4, 0x87, 0x19, 0xe8, 0x9f, 0xdc, 0xcc, 0xaa, 0x94, 0x2e, 0xc6, 0x90, 0x64, 0xa5, 0xc1, 0x86, 0xa4, 0x94, 0xb3, 0x2b, 0x8d, 0xcb, 0xd4, 0x83, 0x4d, 0x8a, 0xfd, 0xb1, 0xd2, 0xff, 0xa8, 0x6a, 0x79, 0xea, 0xf6, 0x79, 0xca, 0x4, 0x51, 0xab, 0x75, 0x65, 0xcf, 0x86, 0x6b, 0xc4, 0x36, 0xd5, 0xf0, 0xf4, 0x58, 0x6b, 0xe, 0x67, 0xd9, 0xc5, 0x1e, 0x46, 0x8, 0xd1, 0xae, 0xe, 0xf8, 0x53, 0x50, 0x70, 0xf7, 0x16, 0xdd, 0x14, 0xce, 0x5b, 0xf4, 0xda, 0x65, 0xcf, 0xb2, 0xc4, 0x49, 0x2d, 0x6f, 0x40, 0xd1, 0xce, 0xf0, 0xf1, 0x47, 0xc4, 0x37, 0xa3, 0x2b, 0xdd, 0x92, 0x94, 0x93, 0xc7, 0xc, 0x80, 0xfa, 0x8e, 0xa0, 0xbe, 0x1d, 0x15, 0x93, 0x4b, 0x1e, 0x74, 0xa, 0xde, 0xf8, 0xf3, 0xc, 0x82, 0x13, 0x7d, 0xf, 0x1c, 0xdc, 0x82, 0x19, 0xff, 0xca, 0xe6, 0xdd, 0x84, 0x60, 0x19, 0x92, 0xef, 0xe3, 0x6e, 0xf9, 0x45, 0x72, 0xd9, 0xd7, 0x1a, 0xc7, 0xa0, 0xde, 0x29, 0xbe, 0x8d, 0x9c, 0x31, 0xf8, 0xf5, 0x2e, 0xe8, 0x80, 0xdc, 0x1c, 0x6d, 0xb3, 0x7f, 0x1c, 0x2f, 0xf0, 0xf9, 0x5d, 0x9, 0x88, 0xd8, 0xcf, 0xa3, 0xb9, 0x34, 0x7f, 0xc8, 0xe1, 0x8, 0x2, 0x34, 0x95, 0x70, 0xd7, 0xd5, 0xcb, 0x51, 0x88, 0x91, 0xe4, 0xec, 0x1a, 0x4a, 0x42, 0x71, 0x2b, 0x60, 0xc1, 0xf5, 0xb1, 0xd7, 0x82, 0x4f, 0x52, 0xc6, 0x13, 0x98, 0xd3, 0xf0, 0xb5, 0x1d, 0xb0, 0x6b, 0xae, 0x6e, 0xd9, 0xf6, 0xc8, 0x9e, 0x25, 0xde, 0x5b, 0x38, 0xf2, 0x1f, 0xd, 0x7b, 0xf6, 0x30, 0x6a, 0x83, 0xb0, 0xf6, 0xff, 0x1c, 0x66, 0x6, 0xb0, 0x65, 0xcc, 0x4, 0x5c, 0xf, 0x23, 0xd4, 0x58, 0x63, 0x7e, 0x46, 0xd3, 0xd3, 0xbe, 0x2d, 0x80, 0x8c, 0x46, 0xce, 0xa6, 0xd, 0x92, 0xf1, 0x62, 0x42, 0x98, 0x7b, 0x9f, 0x47, 0x37, 0x15, 0x42, 0x57, 0xd2, 0x34, 0xe1, 0x8d, 0xbb, 0x87, 0x8c, 0xa8, 0x8a, 0x5c, 0x6a, 0xa5, 0xaf, 0x54, 0xa1, 0x68, 0xf7, 0x32, 0xe5, 0x84, 0xf1, 0xfa, 0xa3, 0xec, 0x1e, 0xa5, 0x68, 0x74, 0x8c, 0x61, 0x44, 0xcb, 0xce, 0x20, 0xc0, 0x2c, 0x86, 0x87, 0x5f, 0xd1, 0x34, 0x34, 0xf6, 0x5d, 0xf5, 0xae, 0x11, 0x38, 0x3c, 0x71, 0xf0, 0xf8, 0xe3, 0x81, 0x49, 0xc0, 0xd7, 0x2c, 0xbe, 0x99, 0x2f, 0xff, 0x39, 0xd4, 0x68, 0xee, 0xa6, 0xa6, 0x5d, 0x2b, 0xe7, 0x4e, 0xb6, 0x79, 0x9b, 0xb9, 0x82, 0x7b, 0x71, 0x38, 0xea, 0xd3, 0x24, 0xb6, 0xe, 0x47, 0x4d, 0x2d, 0x92, 0x75, 0x66, 0xd4, 0x95, 0x3b, 0x54, 0xec, 0x66, 0x8f, 0x46, 0xe3, 0xe1, 0xbe, 0xcc, 0x73, 0xe6, 0x66, 0x9a, 0xb8, 0xf2, 0xb5, 0xc4, 0x67, 0xfe, 0x6a, 0xd3, 0x5c, 0xe, 0x29, 0xe6, 0xc1, 0xe9, 0x3d, 0xda, 0x2a, 0xa, 0x31, 0xb6, 0x8b, 0x27, 0x8c, 0x3b, 0x32, 0xdb, 0xb, 0x84, 0xa3, 0xf, 0x42, 0x9b, 0xc4, 0x24, 0x64, 0x79, 0x96, 0x6f, 0x64, 0xc9, 0x41, 0xc2, 0x67, 0xe8, 0xdf, 0x88, 0xf8, 0x49, 0x8b, 0xf6, 0x24, 0x93, 0x4b, 0x2d, 0xe1, 0x20, 0xdf, 0x71, 0xa5, 0xd8, 0x62, 0x6b, 0x9a, 0xcb, 0x83, 0x94, 0x17, 0x6d, 0xb2, 0xb4, 0x81, 0xe2, 0xfa, 0x11, 0x95, 0x32, 0x96, 0x6f, 0x66, 0x1f, 0xa5, 0x3a, 0xd5, 0xe4, 0xb3, 0x81, 0xd2, 0x16, 0xbd, 0x3d, 0x7f, 0x65, 0xa7, 0x96, 0x7f, 0x2b, 0xf6, 0x1a, 0x5, 0x7c, 0xd3, 0x53, 0x85, 0x96, 0x44, 0xf9, 0xb, 0xeb, 0x98, 0xa9, 0xe9, 0xa1, 0x9a, 0xd5, 0xb0, 0x9f, 0x4f, 0x84, 0xe0, 0x13, 0xb8, 0xaf, 0xe6, 0x58, 0xd5, 0x3f, 0x98, 0x4, 0x98, 0xd6, 0x65, 0xca, 0xc0, 0x70, 0x96, 0x2d, 0xff, 0xa5, 0x6e, 0xde, 0x22, 0x2b, 0x73, 0x3b, 0x62, 0xd8, 0x5f, 0xa9, 0xb, 0x64, 0xd7, 0x82, 0x17, 0x35, 0xa6, 0x63, 0x91, 0x61, 0x9f, 0x4f, 0xdd, 0xef, 0xbd, 0xe0, 0xb4, 0x67, 0xf1, 0x1, 0xe4, 0x66, 0xf3, 0x65, 0x84, 0x95, 0x69, 0xc0, 0xbe, 0x3b, 0xa7, 0xab, 0x68, 0xa3, 0x5a, 0x21, 0xc, 0x24, 0x7b, 0x9, 0x87, 0x14, 0x12, 0x6, 0x90, 0x96, 0x18, 0x33, 0x32, 0x8c, 0x37, 0xd1, 0x53, 0xfe, 0xe1, 0xce, 0x73, 0x4d, 0xcb, 0x61, 0x43, 0xc, 0x13, 0xe, 0xa8, 0x50, 0x5f, 0x2b, 0x21, 0xf5, 0x7e, 0x51, 0x59, 0x7f, 0xd6, 0xc0, 0x38, 0xad, 0x8c, 0x8, 0x81, 0x2f, 0x33, 0xe2, 0x8a, 0xd6, 0x6b, 0x90, 0x7e, 0x1b, 0x47, 0xa3, 0x27, 0x8e, 0xd, 0xb2, 0x3f, 0xac, 0x56, 0xd, 0x4b, 0x6b, 0x13, 0xdb, 0x60, 0x46, 0xb5, 0xe4, 0x8d, 0xfd, 0xa6, 0x11, 0x1e, 0x3a, 0x12, 0xef, 0x99, 0x77, 0xa3, 0xea, 0xff, 0xdb, 0x44, 0x7c, 0xc1, 0x6a, 0xce, 0x77, 0xb9, 0x40, 0x45, 0xef, 0xac, 0x60, 0xaf, 0xa8, 0x73, 0x51, 0x49, 0xb0, 0xea, 0x73, 0x45, 0x43, 0x37, 0x44, 0xeb, 0x31, 0x60, 0xac, 0xd1, 0xfb, 0xd, 0x57, 0x11, 0xfd, 0x9a, 0xdd, 0x44, 0x5b, 0xb4, 0xd9, 0xf7, 0x31, 0x72, 0x6, 0x22, 0xdd, 0x6a, 0x6, 0xb8, 0xb4, 0xf0, 0xa3, 0xf8, 0xd8, 0x2a, 0xf9, 0x15, 0xa2, 0xe2, 0xac, 0xe0, 0x99, 0x48, 0xe, 0x9e, 0x80, 0x8b, 0xb3, 0xfa, 0xad, 0xa, 0xcd, 0xbd, 0x52, 0x0, 0x2, 0x17, 0xe9, 0x6a, 0x50, 0x46, 0x9d, 0x39, 0xca, 0x8f, 0xf7, 0x69, 0x9a, 0x42, 0x63, 0xbb, 0x7, 0x2, 0xd2, 0x27, 0x9e, 0xfe, 0x82, 0xf5, 0x88, 0x87, 0xd6, 0x5e, 0x65, 0xec, 0x6e, 0x5f, 0xb7, 0xad, 0x48, 0xd7, 0x26, 0xa4, 0x6d, 0xc6, 0x81, 0xca, 0x2, 0x5c, 0x69, 0x18, 0x25, 0xd4, 0x31, 0xa5, 0x27, 0x8d, 0xfb, 0x84, 0xba, 0x48, 0xff, 0xde, 0x56, 0x89, 0x3a, 0x3a, 0x47, 0x22, 0x6d, 0x76, 0x56, 0xd, 0x1d, 0xaf, 0x5c, 0x4b, 0x2c, 0x35, 0x65, 0x95, 0x5, 0x5a, 0xe2, 0xc3, 0xb, 0x59, 0x31, 0x15, 0x26, 0x49, 0x5f, 0x9f, 0x6f, 0xf6, 0x21, 0x75, 0x9f, 0x80, 0x9b, 0x4a, 0xa, 0xc7, 0xbf, 0xf6, 0xae, 0x2b, 0x61, 0x35, 0xed, 0x9, 0x65, 0xfa, 0xe6, 0xe7, 0xc, 0x23, 0x4b, 0x98, 0x33, 0x2, 0x37, 0x11, 0x69, 0xdc, 0x4c, 0xd0, 0x9b, 0x65, 0x51, 0x21, 0x16, 0xd4, 0x7, 0xf0, 0x63, 0x3c, 0xb8, 0xbd, 0x82, 0x2a, 0x1c, 0x39, 0x4d, 0x28, 0xbb, 0x9e, 0xe8, 0x8, 0x83, 0x15, 0x63, 0x48, 0xdd, 0xbc, 0xca, 0xed, 0xf1, 0x83, 0xec, 0x16, 0x6f, 0x0, 0xc8, 0xc6, 0x5d, 0x69, 0x37, 0x2c, 0x3e, 0xa1, 0x87, 0x7a, 0x5, 0x4a, 0xf0, 0x56, 0xb7, 0x2a, 0x98, 0x8f, 0xb4, 0xa6, 0x0, 0x55, 0x76, 0xa8, 0x44, 0x1c, 0x65, 0x68, 0xce, 0xfa, 0x52, 0x42, 0x2, 0x5e, 0x76, 0xe1, 0xb, 0x54, 0x2b, 0xa5, 0xf0, 0x7f, 0xa3, 0x5c, 0xa8, 0xa1, 0x35, 0xcb, 0x8f, 0x1c, 0x2f, 0xcd, 0x1c, 0x4f, 0xa0, 0xe1, 0x12, 0x61, 0xa2, 0x15, 0xce, 0x16, 0x88, 0x23, 0x7e, 0x17, 0x5b, 0x9, 0x11, 0xa1, 0x6, 0xe2, 0x49, 0x41, 0x42, 0x8a, 0x4, 0xb6, 0x10, 0x3c, 0xfb, 0x2c, 0x75, 0x74, 0x67, 0xf5, 0xa3, 0xc6, 0xb8, 0xdb, 0xf1, 0x47, 0x7a, 0xa3, 0x16, 0xbf, 0xfb, 0x3d, 0x1a, 0xd3, 0x9a, 0x2f, 0x37, 0x7c, 0x2a, 0x4d, 0xb, 0xc2, 0xb5, 0x5, 0x2d, 0x12, 0x67, 0x2a, 0x66, 0xc, 0xf5, 0x9c, 0x65, 0xff, 0xe9, 0xc9, 0xff, 0xe8, 0x28, 0xc1, 0x57, 0xed, 0x83, 0x76, 0x98, 0x9e, 0x85, 0x15, 0xbb, 0xf, 0x2b, 0x9a, 0x31, 0x47, 0xf2, 0xd, 0xd7, 0xad, 0x70, 0xe4, 0x4b, 0x37, 0xba, 0xba, 0x98, 0x4b, 0x7, 0xb3, 0xa7, 0x56, 0x73, 0x74, 0x3d, 0xf0, 0x30, 0xbf, 0xfe, 0x3e, 0x6e, 0x69, 0x2e, 0x34, 0x37, 0xc5, 0x4a, 0x86, 0xf7, 0x48, 0x4b, 0xf8, 0x3d, 0xd, 0x94, 0xa6, 0x9, 0x34, 0x71, 0x4, 0xae, 0xc7, 0x74, 0x61, 0x2d, 0xb2, 0x4d, 0x1, 0x34, 0x30, 0x21, 0x8c, 0x43, 0x1c, 0x3a, 0xc7, 0xec, 0x93, 0xdd, 0xff, 0xa5, 0x4e, 0xac, 0x18, 0x3e, 0x78, 0x2, 0x61, 0x57, 0xc7, 0x4f, 0x72, 0x3f, 0xe8, 0xc3, 0x91, 0xcc, 0x3f, 0xe1, 0x9f, 0xf5, 0xb, 0x8f, 0xf0, 0xc8, 0xc2, 0xa8, 0x92, 0xde, 0xf6, 0x67, 0x8f, 0xfd, 0x22, 0x2e, 0x7f, 0x77, 0x31, 0x69, 0xd8, 0x33, 0x88, 0x1, 0xab, 0x95, 0xca, 0x3e, 0x86, 0xb6, 0x1d, 0x6d, 0x26, 0x2b, 0xef, 0xb5, 0x31, 0x2b, 0x73, 0xb7, 0x6b, 0xce, 0x80, 0x5f, 0x91, 0xc6, 0x27, 0xa9, 0x4f, 0xd8, 0xef, 0x90, 0x5f, 0xd2, 0xd6, 0xa1, 0x6f, 0xad, 0x48, 0x6b, 0x45, 0xe8, 0x5d, 0xd7, 0x7b, 0x29, 0x64, 0x5b, 0x84, 0x7a, 0x50, 0xcb, 0xd2, 0xec, 0xd7, 0x55, 0xe2, 0x2a, 0xf8, 0x2c, 0xa7, 0x4, 0xe2, 0x60, 0xa4, 0x23, 0x5c, 0x2, 0x52, 0x44, 0xa, 0x5b, 0x7d, 0x2d, 0x54, 0xae, 0x10, 0xda, 0xae, 0x5, 0x93, 0x10, 0x43, 0x51, 0xa8, 0xe8, 0xbf, 0x4b, 0xa1, 0xf5, 0x15, 0x83, 0x95, 0xfe, 0x65, 0x53, 0x38, 0x26, 0x18, 0x36, 0x3f, 0x40, 0x50, 0xd9, 0x66, 0x6b, 0xa3, 0xb3, 0xc2, 0xa2, 0xed, 0xf4, 0x7c, 0x34, 0xb3, 0xc7, 0x12, 0x9d, 0x11, 0x44, 0xe7, 0xd1, 0xb4, 0x45, 0xa5, 0xe7, 0x71, 0x9a, 0x82, 0x69, 0xb1, 0x93, 0x4c, 0xbf, 0xfc, 0x17, 0x61, 0x8c, 0x90, 0xbb, 0x2d, 0x85, 0x3d, 0x5a, 0xb3, 0x20, 0x73, 0xc9, 0x4d, 0x5, 0x81, 0xf8, 0x6b, 0x85, 0x4f, 0xc0, 0x94, 0x1f, 0xbc, 0x51, 0x1b, 0xce, 0x1b, 0x2e, 0x45, 0xf3, 0x3a, 0x1, 0xb3, 0x50, 0xff, 0x41, 0xc, 0x24, 0x7e, 0x4d, 0x22, 0x45, 0xf4, 0x7a, 0xf0, 0x6a, 0x4f, 0xd2, 0xa3, 0x7c, 0xe5, 0xb9, 0xbd, 0x63, 0xa7, 0x45, 0xf3, 0xd7, 0x46, 0x82, 0x8a, 0x5f, 0xbb, 0xcf, 0x98, 0x6d, 0x2a, 0xbd, 0x73, 0xdb, 0x4, 0xed, 0x86, 0x5e, 0xe8, 0xd8, 0x1d, 0xb, 0x42, 0x1f, 0xc0, 0x42, 0xda, 0xf2, 0x76, 0xc7, 0x7b, 0x40, 0x64, 0x73, 0x54, 0xf0, 0x7e, 0xf5, 0x48, 0xf5, 0xaf, 0x7f, 0xba, 0x98, 0x7e, 0x4a, 0xb6, 0x30, 0xfd, 0xee, 0xfb, 0x7a, 0x6b, 0xbb, 0xd2, 0xa0, 0x16, 0xc5, 0x2f, 0x92, 0x4f, 0x99, 0x34, 0x62, 0x1a, 0x6c, 0xc1, 0x5c, 0xd, 0x8b, 0x2c, 0xc6, 0x57, 0x3a, 0xcf, 0x41, 0x92, 0x7f, 0x66, 0x1b, 0xfd, 0x61, 0x69, 0x5e, 0x2f, 0x97, 0x17, 0xa0, 0xf5, 0xb, 0xc7, 0x15, 0x5c, 0x92, 0x61, 0x95, 0x60, 0x4d, 0xb4, 0x20, 0x3d, 0x52, 0xdb, 0x1f, 0x7, 0x37, 0x1b, 0x91, 0x4, 0x7b, 0xf, 0x6f, 0x8d, 0x16, 0xf9, 0x48, 0xf6, 0xf8, 0x72, 0x25, 0xeb, 0xea, 0x39, 0x76, 0x6, 0xce, 0x53, 0x8, 0xd7, 0x32, 0xf6, 0xce, 0xb0, 0x4, 0x90, 0x98, 0xe9, 0x31, 0x1f, 0x7f, 0xd8, 0xc0, 0x82, 0x65, 0xa2, 0x36, 0x72, 0xaa, 0x94, 0x56, 0xc6, 0xc2, 0xb0, 0xe5, 0xb8, 0x11, 0x42, 0x4e, 0x41, 0x57, 0xa2, 0x9b, 0xa7, 0xaa, 0x5, 0xb0, 0x9a, 0xf0, 0xe0, 0x41, 0xf8, 0x72, 0x6, 0x65, 0x1c, 0xc8, 0x3e, 0xbf, 0xf9, 0xc5, 0xa3, 0xfa, 0xf0, 0x3, 0xe0, 0x9a, 0x37, 0xf6, 0x4c, 0xb0, 0xc8, 0x75, 0x1e, 0x87, 0xe0, 0x17, 0x79, 0x9f, 0x3c, 0x38, 0xa1, 0xfc, 0x59, 0xc0, 0x1d, 0x67, 0x9, 0x48, 0x64, 0xa6, 0x4e, 0x61, 0xa8, 0xd1, 0x5d, 0x62, 0x79, 0x1, 0xd, 0x4d, 0xc3, 0x88, 0xe7, 0x0, 0x42, 0xe1, 0xa1, 0x47, 0x7d, 0x9d, 0xa5, 0x54, 0xa7, 0x1e, 0x9d, 0xf9, 0xae, 0x78, 0x41, 0xb1, 0x49, 0x0, 0x2d, 0x81, 0x1c, 0xa7, 0xb3, 0x77, 0x8, 0xb6, 0x1b, 0xa1, 0xa4, 0xa9, 0x21, 0xd5, 0x2c, 0xa6, 0x11, 0x4d, 0x24, 0x2c, 0xc6, 0xf5, 0xbf, 0xb7, 0x19, 0x4b, 0x46, 0x7c, 0x65, 0x76, 0x90, 0xa7, 0xeb, 0xf3, 0x27, 0xa9, 0x81, 0x75, 0xc, 0x97, 0xbf, 0x3a, 0x48, 0xf3, 0x22, 0xb, 0xae, 0xe0, 0x8, 0xf1, 0x2e, 0xd5, 0xbc, 0x64, 0x50, 0x66, 0xf3, 0x3, 0xd6, 0x5e, 0x2, 0xf5, 0x5b, 0xa7, 0x75, 0x48, 0xcf, 0x2c, 0xd2, 0xd5, 0xd0, 0xe5, 0x2, 0x93, 0xab, 0x30, 0x40, 0x12, 0x30, 0xb0, 0xe6, 0xa7, 0xd0, 0xf4, 0xa1, 0xa, 0x4f, 0x7b, 0xc5, 0x62, 0xe2, 0x2e, 0x20, 0xba, 0xb, 0xa5, 0x58, 0x7a, 0x49, 0xac, 0xcc, 0xcf, 0xe6, 0x1e, 0xd2, 0x9f, 0x10, 0xec, 0x27, 0x19, 0x8a, 0xe6, 0xcc, 0x96, 0xb5, 0x5a, 0xe8, 0x2, 0x3b, 0xe8, 0xf7, 0xb9, 0x48, 0x34, 0x11, 0x59, 0x8, 0x3c, 0xf8, 0x7e, 0xbf, 0x62, 0xc5, 0xed, 0x62, 0xb1, 0x91, 0x5e, 0xe0, 0x85, 0xd1, 0xbc, 0x62, 0x72, 0xfe, 0xe1, 0xb5, 0x19, 0x5b, 0x10, 0xb8, 0x8, 0x69, 0x52, 0x1d, 0x22, 0xbb, 0x6b, 0x89, 0x7e, 0x44, 0x11, 0xd, 0xf0, 0x13, 0x22, 0x2c, 0x49, 0xaa, 0x7a, 0x64, 0x4b, 0xc1, 0x2f, 0x2e, 0xc6, 0xf8, 0xc9, 0xf6, 0xc6, 0x68, 0x41, 0xbc, 0x9a, 0x25, 0xca, 0x90, 0x61, 0x34, 0x8e, 0xdd, 0x62, 0x27, 0xb9, 0x3b, 0x9a, 0x18, 0x20, 0x5b, 0x94, 0xc0, 0x7f, 0x15, 0xab, 0xc8, 0xf5, 0xb, 0x2d, 0xc6, 0x72, 0x6e, 0xb7, 0x50, 0x77, 0x35, 0xe1, 0x89, 0xf4, 0xf7, 0xc5, 0x31, 0x7d, 0xf8, 0xb2, 0x1a, 0x51, 0x18, 0xc5, 0x35, 0x5f, 0x0, 0x27, 0x78, 0x26, 0xa4, 0x6d, 0xed, 0x80, 0x94, 0x54, 0xa0, 0x8c, 0xa2, 0xb2, 0x7d, 0x24, 0x77, 0x7c, 0xde, 0xef, 0x20, 0x60, 0x9d, 0x14, 0xa4, 0x39, 0x4, 0x16, 0x5e, 0x70, 0xae, 0xde, 0xf3, 0x48, 0xb1, 0x10, 0x5c, 0x33, 0xc4, 0xab, 0x6e, 0x53, 0x4b, 0x4, 0x2, 0x8e, 0xf1, 0x63, 0xfe, 0xc, 0x79, 0x82, 0x1e, 0xf1, 0x5f, 0x69, 0xaa, 0x5a, 0xb6, 0x86, 0x28, 0xed, 0xa4, 0x27, 0x46, 0x93, 0xdf, 0x4f, 0x99, 0xb9, 0xb0, 0x2e, 0x87, 0xc0, 0xde, 0xb4, 0xe9, 0x8f, 0xa2, 0xf7, 0x58, 0x8d, 0xec, 0xb, 0x4c, 0xfe, 0xc5, 0xf9, 0xea, 0xed, 0x4d, 0xc, 0xc3, 0xf7, 0x7c, 0xb, 0xe6, 0xaf, 0xac, 0xc1, 0x6d, 0x69, 0xd8, 0xa9, 0x84, 0x50, 0xa, 0x86, 0x25, 0xc4, 0x8a, 0xba, 0xe7, 0x9, 0x6f, 0xfc, 0x56, 0x9e, 0xd2, 0x48, 0x61, 0xd0, 0x5b, 0x8c, 0x82, 0x5f, 0xae, 0x55, 0xdc, 0x5e, 0x43, 0x6b, 0xac, 0x11, 0x74, 0x11, 0xc0, 0x6c, 0xf5, 0x27, 0xa5, 0x2c, 0x34, 0x24, 0xfd, 0x5e, 0x4, 0xd5, 0x94, 0xd, 0x7c, 0xb6, 0x70, 0x35, 0xa, 0x4c, 0x2c, 0xcd, 0x79, 0x55, 0xb6, 0x38, 0x35, 0xf6, 0x69, 0xa1, 0x33, 0xf9, 0xad, 0x5c, 0x60, 0x70, 0xd0, 0x6c, 0x9f, 0xbe, 0x83, 0x5, 0x87, 0x7e, 0x1, 0xa1, 0xb8, 0x47, 0xb2, 0xaa, 0x2f, 0x44, 0xe9, 0x68, 0x3d, 0xd, 0x54, 0x9e, 0xff, 0xee, 0x54, 0x19, 0xbe, 0xe3, 0xca, 0xab, 0xde, 0x3e, 0x1f, 0x1b, 0x31, 0x35, 0x70, 0xb0, 0x28, 0xc5, 0x95, 0xa7, 0xc0, 0xbc, 0x96, 0xb7, 0x3a, 0x5d, 0xb3, 0xb5, 0x98, 0xd3, 0x5e, 0xfa, 0x3c, 0xca, 0x9b, 0xd7, 0xdd, 0x53, 0x13, 0x65, 0xb4, 0x60, 0x6a, 0xd1, 0x51, 0x1c, 0x1a, 0xbb, 0x17, 0x5c, 0x90, 0x1b, 0xf9, 0x5c, 0x7f, 0x81, 0x4, 0xa3, 0x27, 0xa, 0xbf, 0xd6, 0x9e, 0xf3, 0xc, 0x66, 0xc4, 0x56, 0x1d, 0x9e, 0xf7, 0xb1, 0x3f, 0xb0, 0xb0, 0x54, 0x13, 0x0, 0x36, 0xf1, 0x3b, 0xa1, 0xe3, 0x2a, 0x2b, 0x2b, 0x1f, 0x54, 0x50, 0x72, 0x9a, 0x6d, 0xe1, 0x6, 0x21, 0x5, 0x7d, 0x89, 0xb4, 0x8c, 0x7f, 0xa0, 0x50, 0x9b, 0xdf, 0xbb, 0x85, 0xd7, 0xff, 0x49, 0x6c, 0x3d, 0x2a, 0x63, 0x42, 0xb8, 0x20, 0x7, 0x60, 0x7c, 0x5e, 0x88, 0xb7, 0xac, 0x94, 0xb6, 0xde, 0xdc, 0x7f, 0xa4, 0x6f, 0x79, 0xd1, 0xe0, 0x8a, 0xf5, 0x14, 0x46, 0x38, 0xb3, 0x4a, 0x12, 0xbd, 0x29, 0xba, 0xfc, 0x78, 0xea, 0x12, 0x8f, 0x74, 0x9e, 0x3d, 0x11, 0xbb, 0x18, 0x30, 0xcd, 0xa7, 0x99, 0xef, 0x23, 0x3c, 0x8f, 0xfd, 0xde, 0x83, 0x6, 0xc5, 0x3f, 0x2c, 0x9b, 0x49, 0x88, 0x2b, 0xff, 0x45, 0x7a, 0xf9, 0x6a, 0x7f, 0x6e, 0x34, 0x21, 0x32, 0xaa, 0xae, 0x30, 0x27, 0xf3, 0x50, 0x84, 0x34, 0x47, 0xe7, 0x41, 0xca, 0xd6, 0xf, 0xbb, 0xb8, 0xc0, 0xc2, 0x14, 0xc1, 0x17, 0xaf, 0x79, 0x20, 0x88, 0xa9, 0x4, 0x72, 0xde, 0x1b, 0xa6, 0xf7, 0x35, 0x6, 0xfe, 0x93, 0x84, 0xf3, 0xd0, 0x13, 0xb0, 0xc3, 0x18, 0xf7, 0xba, 0x7, 0x96, 0xae, 0x2c, 0xa3, 0xba, 0xb3, 0x95, 0x20, 0xc2, 0xa6, 0x1d, 0x37, 0x9e, 0x90, 0x41, 0xb0, 0xbd, 0xa, 0x1c, 0x3, 0x60, 0x9e, 0x1a, 0x43, 0xbe, 0x6d, 0xcc, 0x11, 0x6e, 0x8f, 0xf3, 0x5b, 0x76, 0x94, 0x91, 0x7e, 0x33, 0x4a, 0x2a, 0x46, 0x76, 0xf0, 0x47, 0xbe, 0x30, 0xb8, 0x41, 0x30, 0xdf, 0xc9, 0xb3, 0x33, 0x85, 0xbd, 0x63, 0x7b, 0x4e, 0x4d, 0xd7, 0xa7, 0xa6, 0x3d, 0xe2, 0x43, 0x55, 0xc6, 0x36, 0xea, 0x29, 0x96, 0xa7, 0xe5, 0x7f, 0x7d, 0x7b, 0xcd, 0x1d, 0xc0, 0xca, 0x13, 0x47, 0xf7, 0xb1, 0x1f, 0xd3, 0xde, 0x28, 0x90, 0x45, 0xe1, 0xf, 0xaa, 0x97, 0x20, 0x57, 0x19, 0x3b, 0xca, 0x23, 0xb1, 0x77, 0x86, 0x83, 0x74, 0x6d, 0x74, 0xa8, 0x21, 0xc6, 0xcc, 0xab, 0x63, 0xcb, 0x7a, 0xfc, 0x1c, 0x70, 0x3d, 0x5, 0xe5, 0x2, 0x33, 0x65, 0x2, 0xc9, 0xbf, 0xc6, 0xb8, 0x5b, 0xe3, 0x33, 0x3c, 0xe9, 0x1e, 0x2, 0x9a, 0x40, 0x4b, 0x2c, 0xa7, 0xe4, 0x27, 0x65, 0x3f, 0xd, 0x80, 0x1b, 0xe1, 0xb5, 0x37, 0xdc, 0xb6, 0x4a, 0xd4, 0xc1, 0x8f, 0x74, 0xe4, 0x80, 0xf5, 0xb5, 0x6, 0x86, 0x5d, 0xfa, 0xb0, 0xb5, 0x87, 0x4a, 0x75, 0x25, 0xdf, 0x5e, 0x2a, 0x69, 0xbb, 0xe8, 0xc, 0xf5, 0xba, 0x9a, 0x1d, 0xc6, 0xfa, 0xb8, 0xc8, 0x7c, 0x2, 0x8a, 0xfe, 0xc6, 0xe3, 0x62, 0xe0, 0x25, 0x7d, 0x3, 0xf5, 0xbf, 0xe5, 0xbf, 0x5, 0x88, 0xe0, 0xf7, 0x32, 0xf6, 0x6f, 0x6c, 0x1e, 0x27, 0x13, 0xa5, 0x76, 0x2f, 0x23, 0xc0, 0xa6, 0xdc, 0x55, 0x26, 0xf4, 0x1e, 0x70, 0x2d, 0xc3, 0x57, 0x89, 0x78, 0x51, 0xa, 0xa1, 0xcb, 0x8b, 0x72, 0xee, 0x73, 0x51, 0x2c, 0xb6, 0x11, 0x4, 0xa6, 0x5e, 0x50, 0xbc, 0xd8, 0xb4, 0x2b, 0x46, 0xd5, 0x9a, 0x70, 0x57, 0x19, 0xa9, 0x16, 0xb, 0x1c, 0x18, 0x68, 0x2a, 0x41, 0x78, 0x1c, 0xfe, 0xd4, 0xeb, 0x8c, 0xf4, 0xdf, 0xc0, 0xbc, 0x41, 0x3, 0xae, 0x66, 0xe8, 0x3, 0x70, 0xcf, 0x45, 0xbc, 0xb6, 0x1b, 0xa4, 0x24, 0x8a, 0xea, 0x6d, 0x1a, 0xf1, 0xc2, 0x24, 0x4c, 0xd0, 0x1a, 0x15, 0x7, 0x54, 0x68, 0x7b, 0x5b, 0xda, 0x7d, 0xd2, 0xc9, 0x62, 0xf6, 0x8b, 0x3b, 0x52, 0x2e, 0xb1, 0x50, 0xa, 0x1b, 0xc, 0x91, 0x8f, 0x5b, 0xeb, 0x9, 0x80, 0x88, 0x75, 0x16, 0x4a, 0x82, 0xaf, 0x35, 0xf5, 0xbd, 0x2a, 0x2a, 0xfb, 0x9c, 0x5f, 0x83, 0xf, 0x62, 0xeb, 0xfc, 0x2a, 0x31, 0x29, 0x9b, 0xf5, 0x3f, 0x38, 0x9d, 0x16, 0x2a, 0xdf, 0x97, 0xc7, 0xb0, 0x2, 0xac, 0x66, 0xb0, 0x5f, 0x3f, 0xeb, 0xca, 0xd0, 0xa2, 0xda, 0x6f, 0x4c, 0x9d, 0x2, 0x42, 0xe5, 0x7c, 0x2b, 0x5, 0x26, 0x22, 0xb8, 0xe1, 0xbd, 0x72, 0x74, 0x99, 0xce, 0xd4, 0xe6, 0xda, 0xf4, 0xd2, 0x9, 0xbe, 0x6e, 0xe1, 0x53, 0x2e, 0x2b, 0xb9, 0x53, 0x2e, 0xf4, 0xf, 0x18, 0xc6, 0xa1, 0x34, 0x2c, 0x2, 0xcc, 0x9b, 0xc5, 0xc2, 0x46, 0x2c, 0x42, 0xf9, 0xd6, 0x3, 0x38, 0xa2, 0xa8, 0x14, 0x5c, 0x4f, 0xf7, 0xaf, 0x18, 0x28, 0x8b, 0xa0, 0x10, 0x80, 0xbf, 0xae, 0x55, 0xbc, 0x43, 0xb3, 0xf5, 0x10, 0x20, 0xaf, 0x58, 0xfe, 0x42, 0xf1, 0xf2, 0xa, 0x40, 0x2e, 0xf, 0xdf, 0x4b, 0x5f, 0xa8, 0xde, 0xbf, 0x83, 0x34, 0xa9, 0xea, 0xbf, 0x3, 0x93, 0xd0, 0xb1, 0xf0, 0x3, 0x16, 0x8, 0xc7, 0x95, 0x1b, 0xa0, 0x2e, 0x97, 0x10, 0xba, 0x3d, 0xc9, 0xe4, 0x43, 0xe9, 0xa6, 0xf3, 0x38, 0xb4, 0xad, 0x92, 0xbe, 0x47, 0x36, 0x66, 0xbf, 0xe5, 0x42, 0x77, 0xbb, 0x0, 0x61, 0x2a, 0xdf, 0x86, 0xb4, 0x4f, 0x7a, 0x13, 0xa2, 0xb4, 0xf7, 0xec, 0x7, 0x9c, 0xed, 0xa1, 0xff, 0x42, 0xd0, 0x7b, 0xe2, 0x60, 0xe4, 0xb2, 0xec, 0xf5, 0x62, 0x5f, 0xfa, 0xe2, 0xf5, 0xb7, 0xb7, 0x23, 0x24, 0xcc, 0x6b, 0xec, 0xa6, 0x7a, 0xa7, 0xee, 0x63, 0xba, 0x7f, 0xa, 0xce, 0x75, 0xe1, 0xa6, 0x50, 0xf2, 0xb1, 0x5f, 0xa4, 0x67, 0x9f, 0xdc, 0x3c, 0xe5, 0x9c, 0x91, 0xbc, 0x93, 0x45, 0x33, 0xce, 0xdd, 0xaa, 0xcc, 0x2f, 0xec, 0x50, 0x43, 0x2a, 0x1, 0xb7, 0x11, 0x68, 0x2a, 0xdc, 0x8b, 0x59, 0xac, 0xf1, 0xf, 0x76, 0x96, 0x28, 0x41, 0xbf, 0xd1, 0x2a, 0x65, 0x4d, 0x5, 0x5, 0x10, 0xa2, 0x92, 0xd4, 0x51, 0x11, 0xa, 0xdf, 0xf, 0x11, 0x33, 0x71, 0x39, 0x7f, 0xad, 0xf, 0x10, 0x60, 0x19, 0x8c, 0x92, 0x95, 0x8c, 0x62, 0x33, 0xf0, 0x7b, 0x25, 0xc8, 0x91, 0x6c, 0xec, 0x1d, 0x3f, 0xec, 0x5d, 0x12, 0xe6, 0x19, 0xda, 0x78, 0x11, 0x91, 0x40, 0xf0, 0xb1, 0x7, 0x38, 0x67, 0x4a, 0x90, 0xda, 0xde, 0x3e, 0xd9, 0xcd, 0xed, 0xeb, 0xb, 0x5a, 0x7a, 0x18, 0x55, 0x41, 0x9d, 0x32, 0xeb, 0x22, 0x47, 0xd0, 0xf7, 0x91, 0xb3, 0x70, 0xf1, 0x9e, 0x9, 0x49, 0xf4, 0x28, 0xf8, 0x99, 0xca, 0x69, 0x7a, 0x31, 0xfd, 0x6d, 0x97, 0xa4, 0x34, 0x2b, 0xdb, 0xc3, 0x50, 0x78, 0x71, 0xfe, 0x7b, 0x1b, 0x48, 0x74, 0xb6, 0x68, 0x58, 0x40, 0x65, 0xae, 0xeb, 0x1d, 0x4e, 0x7d, 0x86, 0x8c, 0xc4, 0x21, 0x28, 0x1b, 0x6, 0xea, 0x30, 0x3b, 0x51, 0x35, 0x5b, 0xc1, 0x69, 0x88, 0x10, 0x87, 0x36, 0x66, 0x16, 0x4a, 0x3b, 0xff, 0xb1, 0x20, 0x12, 0x5d, 0x9f, 0xe2, 0xe5, 0x4d, 0x9f, 0x3d, 0x23, 0x35, 0xbb, 0x82, 0x4b, 0x75, 0xc6, 0xcd, 0x18, 0x33, 0x63, 0x7, 0x4e, 0x73, 0x44, 0x56, 0xcb, 0xdf, 0xe8, 0xd2, 0x78, 0x1a, 0x62, 0xd5, 0x57, 0x73, 0xa9, 0x49, 0x43, 0x24, 0x8b, 0x8f, 0x21, 0x89, 0x5d, 0x83, 0x9d, 0xe2, 0x6e, 0x9b, 0x7, 0xc5, 0x7b, 0xfe, 0x1, 0xce, 0x5d, 0x3b, 0x5b, 0x2b, 0x2a, 0x7f, 0xe5, 0x65, 0x55, 0xe5, 0x5f, 0xb7, 0x37, 0x86, 0x5a, 0xe7, 0xba, 0x1d, 0xa4, 0xae, 0x34, 0xff, 0x83, 0x8f, 0x7a, 0xa, 0x95, 0x9c, 0x19, 0xe1, 0xfc, 0x6, 0x77, 0x70, 0x3e, 0x1f, 0x54, 0x4f, 0x37, 0xcf, 0xd0, 0x31, 0xa8, 0x38, 0x36, 0x4d, 0x9a, 0x4, 0xca, 0x18, 0x15, 0x83, 0xf4, 0xb4, 0x4a, 0x18, 0xc3, 0x38, 0xfe, 0x5d, 0xee, 0xe3, 0x54, 0x9b, 0x81, 0xc8, 0x3, 0x64, 0xe3, 0x3a, 0x38, 0x4c, 0x86, 0x17, 0x2e, 0xa1, 0xda, 0xd1, 0xa9, 0x5b, 0xaa, 0xee, 0x50, 0xb3, 0x97, 0x5a, 0x24, 0x83, 0x4e, 0xbf, 0x99, 0x9, 0xd0, 0x62, 0x53, 0x80, 0x39, 0xd4, 0x9b, 0xc2, 0x13, 0x3, 0xfc, 0x29, 0xdb, 0x72, 0xf1, 0x70, 0x4b, 0x95, 0x9c, 0x1a, 0xa2, 0x54, 0xf9, 0xb7, 0xdc, 0x9b, 0x67, 0xfc, 0xe4, 0xe2, 0x54, 0x9, 0x17, 0x48, 0x6b, 0xd0, 0xf1, 0xba, 0x30, 0xf5, 0xf5, 0x8a, 0x31, 0x60, 0x20, 0xf9, 0xcb, 0x3c, 0x8a, 0xea, 0x26, 0x58, 0xe2, 0x5a, 0xcd, 0x7c, 0x9d, 0xc6, 0xc3, 0xc9, 0x7, 0xad, 0xe, 0x47, 0xa0, 0x3b, 0xa7, 0x69, 0x5e, 0x81, 0x31, 0x97, 0xc3, 0x63, 0x3a, 0x2, 0x28, 0xdd, 0xdc, 0xd6, 0xcb, 0xf9, 0x6d, 0xaf, 0xf6, 0xb4, 0x15, 0x4a, 0xed, 0x47, 0x4c, 0x78, 0xf9, 0xc0, 0x6a, 0x82, 0x9d, 0x0, 0x62, 0xc7, 0x8f, 0x89, 0x8b, 0xd2, 0x80, 0x4d, 0x66, 0x1f, 0xc9, 0x17, 0x2c, 0xda, 0xee, 0xf1, 0x72, 0x9, 0x66, 0xae, 0x7a, 0xbc, 0xd3, 0x84, 0x9e, 0x95, 0x68, 0x37, 0x28, 0x95, 0xc1, 0xc7, 0x58, 0x7, 0x4f, 0x29, 0xd9, 0x30, 0x76, 0xff, 0xdc, 0xd0, 0x8f, 0xba, 0x8d, 0xd6, 0x65, 0xb7, 0x89, 0xcd, 0xac, 0xbc, 0x8d, 0xde, 0x55, 0x3e, 0x55, 0xf8, 0x2b, 0x70, 0xed, 0x9e, 0x0, 0x4a, 0x9b, 0xd, 0xca, 0xb8, 0x27, 0xdd, 0x34, 0xe5, 0xf6, 0x52, 0xfd, 0x77, 0x61, 0x34, 0x6b, 0x49, 0xc4, 0xb7, 0xb7, 0x7b, 0xc8, 0xf6, 0xe6, 0x8c, 0x37, 0xf0, 0x19, 0xcc, 0x44, 0x48, 0x3d, 0x63, 0x68, 0x63, 0x20, 0x42, 0x5e, 0x91, 0xb9, 0xde, 0x73, 0xc0, 0x1b, 0x75, 0x4a, 0x27, 0x64, 0xd2, 0x7a, 0x4f, 0x34, 0x14, 0x44, 0x22, 0xe2, 0xdc, 0xe6, 0x28, 0x1f, 0x81, 0x85, 0xf7, 0xef, 0x1, 0xad, 0x2b, 0xb7, 0x68, 0xba, 0x90, 0x65, 0x48, 0x25, 0xaf, 0x35, 0x36, 0x20, 0x4a, 0x26, 0x93, 0xdb, 0xa, 0x66, 0x22, 0x28, 0x8a, 0x1f, 0xb0, 0x1e, 0x64, 0x8c, 0x59, 0xee, 0xe8, 0xce, 0x2d, 0xae, 0x74, 0x78, 0xc1, 0x7d, 0xb6, 0xe7, 0x59, 0x35, 0x2a, 0xcc, 0x95, 0x81, 0xef, 0xf0, 0xca, 0xd0, 0xd9, 0x4d, 0xd2, 0xc, 0x88, 0x67, 0xc0, 0x7, 0x41, 0x7c, 0x85, 0x2, 0xa0, 0x9e, 0xa9, 0x1, 0x63, 0x2f, 0xf8, 0x90, 0xe4, 0x79, 0x65, 0xd8, 0x37, 0x92, 0x1c, 0xe4, 0x8a, 0x65, 0xe0, 0xb1, 0x79, 0x1e, 0xfd, 0x93, 0xfd, 0xfa, 0x5f, 0x7, 0x8f, 0xb, 0xf6, 0x47, 0x35, 0x40, 0x70, 0x6e, 0xed, 0xfc, 0xe6, 0xa3, 0xc7, 0xf5, 0x53, 0xd, 0xeb, 0xbd, 0x5f, 0xf4, 0xd5, 0xbd, 0xcb, 0xe8, 0x70, 0x9a, 0x33, 0x13, 0xdf, 0x1, 0x5c, 0xf8, 0x81, 0xeb, 0x2c, 0x14, 0x80, 0x18, 0xf7, 0xf, 0x7a, 0x43, 0x70, 0xbd, 0x74, 0x87, 0x4e, 0x4c, 0x6a, 0xda, 0xb, 0xba, 0x91, 0x28, 0xb3, 0x5f, 0x6e, 0xd2, 0x8b, 0xf1, 0xd2, 0xeb, 0xdb, 0x1c, 0x22, 0xd5, 0xa9, 0x3, 0xf1, 0x26, 0x95, 0x2f, 0xa6, 0xb0, 0x51, 0xbe, 0xda, 0x86, 0x51, 0x76, 0x88, 0x90, 0xce, 0x73, 0xf4, 0xe9, 0x76, 0x53, 0x5a, 0xd8, 0x5b, 0x5b, 0xb, 0x80, 0xed, 0xe3, 0x4, 0xe6, 0xc1, 0x4d, 0x52, 0x95, 0x28, 0x24, 0x5e, 0xd3, 0x27, 0xef, 0x47, 0xcc, 0x6d, 0xe7, 0x7d, 0xa6, 0x0, 0x90, 0xd6, 0xee, 0x96, 0x43, 0xc1, 0x92, 0xde, 0x84, 0xa0, 0x3b, 0xb3, 0x73, 0xfe, 0x1, 0x76, 0x37, 0xae, 0x53, 0x64, 0x22, 0xc2, 0xe9, 0xf7, 0xc1, 0x75, 0x60, 0xfc, 0xec, 0x34, 0xec, 0x5a, 0xbe, 0x20, 0x76, 0x21, 0x6a, 0xa8, 0x3b, 0xa3, 0x9e, 0x54, 0xd0, 0x81, 0x37, 0xd4, 0x85, 0x6b, 0xd8, 0xab, 0x35, 0xef, 0x84, 0x83, 0xee, 0x1f, 0x46, 0x3c, 0xa3, 0x4a, 0x91, 0x6c, 0x7d, 0x5f, 0xb2, 0xc9, 0xe5, 0x11, 0xf3, 0x5c, 0x49, 0x3d, 0xc3, 0xaa, 0xd, 0x11, 0xc6, 0xb9, 0x54, 0x85, 0x81, 0x83, 0xe5, 0x7e, 0x8a, 0xe, 0xec, 0xf4, 0xa7, 0x2a, 0x73, 0x12, 0x36, 0x8f, 0x34, 0x71, 0x9d, 0xd0, 0x88, 0x3e, 0xee, 0xdb, 0xcf, 0x99, 0x75, 0xe4, 0x7, 0xa1, 0xb7, 0xc6, 0x51, 0x1b, 0x61, 0xe8, 0xe7, 0x5d, 0x1f, 0xaa, 0xaa, 0x51, 0x10, 0x59, 0x1d, 0xa1, 0xd6, 0x86, 0xc3, 0xf0, 0x55, 0xf0, 0x31, 0xe5, 0x3d, 0x66, 0xe, 0xf2, 0x9, 0x73, 0x5c, 0xf9, 0x9, 0x79, 0x4b, 0x41, 0x9e, 0x1a, 0xaa, 0x21, 0x64, 0x7e, 0x1d, 0x27, 0xa8, 0x5, 0xc9, 0x52, 0xa7, 0xb, 0x81, 0xe5, 0x58, 0xa5, 0xdf, 0x35, 0x47, 0xeb, 0x5a, 0x92, 0x5d, 0xee, 0x44, 0x8a, 0xe1, 0x53, 0xa8, 0xc8, 0x13, 0x7f, 0x69, 0x8, 0x97, 0xb, 0x9a, 0xcc, 0xbf, 0x40, 0xd5, 0x77, 0x83, 0x3, 0xd4, 0x74, 0xe5, 0x1c, 0xe0, 0x27, 0x7b, 0xa6, 0xa8, 0x60, 0xcf, 0xc, 0x18, 0x3d, 0x3d, 0xbf, 0x98, 0xc2, 0xf1, 0x52, 0xf1, 0x8e, 0xe4, 0x60, 0xb0, 0x29, 0xb8, 0xb1, 0x60, 0xb6, 0xb8, 0x9b, 0xc6, 0x55, 0x5f, 0xf1, 0x3e, 0xa7, 0x9f, 0x88, 0x78, 0x20, 0xef, 0xec, 0x19, 0x5f, 0xc7, 0x9e, 0x12, 0x2b, 0x28, 0x60, 0x2b, 0x9b, 0xb1, 0xc7, 0x30, 0x47, 0xbf, 0xee, 0x27, 0xf3, 0xb2, 0xbe, 0xc0, 0x73, 0xc9, 0x59, 0xf6, 0x9d, 0xeb, 0x98, 0xdb, 0xc1, 0x65, 0xc1, 0x13, 0x49, 0xd1, 0x9c, 0x1a, 0x9d, 0xf7, 0xd4, 0x7d, 0xf5, 0x80, 0x21, 0x28, 0x39, 0x66, 0x6f, 0x2, 0x4, 0x11, 0x49, 0x84, 0x79, 0xe1, 0xf7, 0xbe, 0x3d, 0x25, 0x18, 0x56, 0x3e, 0x3f, 0x37, 0x34, 0x4b, 0x3c, 0x41, 0xe0, 0x64, 0x2c, 0xd6, 0x46, 0x55, 0x5b, 0x2b, 0x76, 0xc5, 0x57, 0x79, 0x32, 0xb5, 0xad, 0xf3, 0x8d, 0x95, 0x92, 0xf0, 0xd0, 0xcb, 0x5d, 0xbe, 0xbd, 0x4f, 0xf6, 0x44, 0x74, 0x45, 0x2c, 0x75, 0x81, 0x40, 0x1d, 0x82, 0xc3, 0xab, 0xb4, 0x79, 0xd7, 0x19, 0xe9, 0x9b, 0xe7, 0x2d, 0xc, 0xbd, 0x78, 0x2e, 0x24, 0x4a, 0x69, 0x84, 0x15, 0xc9, 0x76, 0x13, 0xf6, 0x94, 0x6d, 0x75, 0xa4, 0x98, 0x27, 0xdc, 0x34, 0xbc, 0xa7, 0xcc, 0xfb, 0xa1, 0xf0, 0x8d, 0x10, 0x19, 0x53, 0x87, 0x5e, 0x9d, 0x89, 0x3e, 0x29, 0xae, 0x1, 0xec, 0xe2, 0x91, 0x70, 0x35, 0x92, 0xef, 0xa4, 0x28, 0xc9, 0x65, 0xd0, 0x2e, 0xf6, 0x87, 0x89, 0xa2, 0xd5, 0xc0, 0xa3, 0xea, 0xa, 0x8c, 0x2e, 0x3a, 0x31, 0xa, 0x5b, 0xe8, 0xab, 0x9e, 0x6d, 0xf4, 0x89, 0x3a, 0x7d, 0xa9, 0x2d, 0xbd, 0x9e, 0x88, 0xd2, 0xba, 0x8c, 0x3f, 0x10, 0x6a, 0x2, 0x84, 0x94, 0x5f, 0x3b, 0xd8, 0x87, 0x8a, 0x9f, 0x15, 0x52, 0x95, 0x2, 0xef, 0xb1, 0xd6, 0x20, 0x22, 0xdb, 0xcf, 0x1a, 0xc0, 0x3, 0x6e, 0x74, 0xa0, 0xbd, 0xe3, 0x9f, 0x41, 0x14, 0xa7, 0xb2, 0x97, 0x4f, 0x9f, 0x20, 0x55, 0x25, 0xf7, 0x36, 0x4, 0xac, 0xec, 0x73, 0x27, 0x16, 0xa2, 0x66, 0x34, 0x20, 0xfe, 0x59, 0x8e, 0xb4, 0x39, 0x87, 0x3f, 0xc5, 0x60, 0x56, 0x84, 0x88, 0x2b, 0xda, 0x4c, 0xb2, 0x9a, 0x39, 0x5e, 0xfa, 0xf9, 0xb5, 0x74, 0x8d, 0x5e, 0x25, 0x92, 0x6f, 0xb, 0xed, 0x3d, 0xff, 0xa, 0x9e, 0x5c, 0x4, 0xfe, 0x31, 0x6c, 0xc7, 0x62, 0x46, 0x2b, 0x6d, 0x44, 0xa0, 0xba, 0x85, 0x51, 0x5d, 0xf0, 0xed, 0xbe, 0x8b, 0xaf, 0xb8, 0xb8, 0x8d, 0x8f, 0x71, 0xa6, 0xc7, 0x53, 0x86, 0xdd, 0xff, 0x0, 0xcf, 0x8b, 0xb4, 0xfe, 0x14, 0x40, 0xe1, 0xa9, 0x5c, 0xdb, 0xf7, 0xbc, 0xfc, 0xb7, 0xfd, 0xd8, 0xd9, 0xe8, 0xec, 0xb4, 0x73, 0x21, 0x99, 0x38, 0x2f, 0x68, 0xd3, 0x69, 0xdc, 0x19, 0xc2, 0x8b, 0xc8, 0xe4, 0x2e, 0xd3, 0x10, 0x96, 0x2d, 0x1c, 0x92, 0x27, 0x2c, 0x4d, 0xc0, 0xfd, 0x73, 0x10, 0x3d, 0xb8, 0xfd, 0x81, 0x69, 0xe, 0x20, 0x78, 0x6c, 0xd, 0xf7, 0x2a, 0x25, 0x7e, 0x57, 0xef, 0xa9, 0x67, 0xe8, 0xd0, 0x60, 0x67, 0xe0, 0x13, 0xa4, 0xe8, 0x3f, 0xe6, 0x66, 0x3a, 0x15, 0x14, 0xb9, 0x73, 0xb1, 0xdc, 0xbb, 0xa8, 0xa0, 0xb4, 0xcc, 0x23, 0xe6, 0x9a, 0xb5, 0xa0, 0xb8, 0x35, 0x3c, 0x20, 0x30, 0x5, 0x34, 0xff, 0xf2, 0xda, 0x30, 0x6f, 0x81, 0xb8, 0x19, 0xca, 0xe5, 0x80, 0xc8, 0xc2, 0x7a, 0xbf, 0xcc, 0x50, 0xc4, 0x11, 0x8d, 0xee, 0xdb, 0x99, 0x82, 0xbf, 0xa6, 0x77, 0xf, 0x1b, 0xd1, 0x27, 0xbb, 0x93, 0xe7, 0xdc, 0x5e, 0xb, 0x63, 0x1, 0xc6, 0xea, 0xf8, 0xe7, 0x79, 0xfb, 0xb9, 0x73, 0xdb, 0x88, 0x72, 0x36, 0xf4, 0xa7, 0xbb, 0x48, 0xe4, 0x1b, 0x57, 0x35, 0xb0, 0x6f, 0x41, 0xb6, 0xf5, 0xa2, 0x91, 0x88, 0xa4, 0x5d, 0x8f, 0x1b, 0x98, 0xa0, 0xfa, 0xfb, 0xb4, 0xff, 0x90, 0x96, 0x0, 0xdb, 0xc6, 0x19, 0x36, 0xb7, 0xda, 0xbb, 0x8b, 0xe8, 0x56, 0x83, 0x72, 0x73, 0x42, 0xd4, 0xc6, 0x35, 0xec, 0x53, 0xe4, 0xd8, 0xf0, 0x76, 0xfd, 0x29, 0x8a, 0xc2, 0xaa, 0x54, 0x25, 0x5c, 0x77, 0xf0, 0xe4, 0x55, 0x5c, 0x9d, 0xaf, 0xf7, 0x28, 0x4d, 0xad, 0xe8, 0x88, 0xa6, 0x54, 0xcf, 0xba, 0xdf, 0x6d, 0xa7, 0xa, 0xe8, 0x18, 0xb0, 0x85, 0x93, 0x7a, 0xc3, 0x9, 0xb9, 0xb3, 0xc8, 0x8f, 0x2c, 0xb0, 0x99, 0xa1, 0xcb, 0xeb, 0x8f, 0x75, 0x8c, 0x20, 0x3b, 0x8f, 0x38, 0x45, 0x9b, 0x5c, 0xf0, 0x90, 0xba, 0xf2, 0xde, 0x84, 0x85, 0x7c, 0xe3, 0xcc, 0x95, 0xb3, 0x1c, 0x1a, 0x75, 0x52, 0x50, 0x5f, 0xd4, 0xc1, 0xeb, 0xe4, 0x59, 0xbb, 0xac, 0x5d, 0x63, 0xb0, 0x11, 0xb9, 0xcd, 0xf7, 0x94, 0x36, 0x24, 0xd3, 0x71, 0xd3, 0x24, 0xe9, 0xd6, 0xa8, 0x53, 0x65, 0xfd, 0xc0, 0x32, 0x65, 0x6d, 0x5a, 0x16, 0x45, 0xa5, 0xcb, 0xb8, 0x42, 0x92, 0x2d, 0xf1, 0x3c, 0xea, 0x88, 0x6d, 0x9c, 0xc5, 0xb0, 0x6d, 0x90, 0x30, 0x35, 0xc9, 0xe, 0xdf, 0x6c, 0xcc, 0xec, 0xf8, 0x6, 0x46, 0x49, 0x99, 0x78, 0x38, 0xc6, 0xfc, 0x66, 0xed, 0xa7, 0x4c, 0xae, 0x35, 0x8a, 0x17, 0x2e, 0x2, 0x91, 0xc3, 0xbe, 0xa7, 0xec, 0xe6, 0xca, 0xdb, 0x28, 0x84, 0xd6, 0xc4, 0x92, 0x51, 0x30, 0xce, 0x40, 0xcd, 0xef, 0x12, 0x76, 0x25, 0xd7, 0x4, 0x8b, 0x20, 0xae, 0x9c, 0x6f, 0x36, 0xda, 0xdc, 0xb9, 0x6c, 0x85, 0x58, 0xf0, 0x24, 0x4d, 0xdc, 0xe, 0x0, 0x79, 0x42, 0x85, 0xbf, 0xe6, 0xf2, 0x64, 0xea, 0xdf, 0x9, 0xdc, 0x95, 0x12, 0xe8, 0x3d, 0x6c, 0xf2, 0x9b, 0x37, 0x87, 0x44, 0x1b, 0xd4, 0xa9, 0x35, 0xf1, 0x6d, 0x6d, 0x2c, 0xb6, 0x50, 0x2a, 0x83, 0x5, 0xd0, 0x5e, 0xfb, 0xb2, 0xd, 0x4f, 0x2e, 0x4, 0x91, 0x3b, 0xfd, 0x5e, 0x5f, 0xca, 0xf8, 0x70, 0xed, 0xc6, 0xfd, 0x4f, 0x8c, 0xcc, 0xa9, 0x2d, 0xb5, 0xb, 0x5d, 0x64, 0xe4, 0x1f, 0x1d, 0x0, 0xc9, 0x8b, 0xf5, 0x96, 0x95, 0x5, 0x72, 0x11, 0x4e, 0xbc, 0xf0, 0xc8, 0x52, 0x84, 0xa0, 0x98, 0xe3, 0xd2, 0xa0, 0x4a, 0xfd, 0xde, 0x49, 0x4f, 0x10, 0x3a, 0xfe, 0x5b, 0x81, 0x7b, 0xb3, 0x48, 0xe5, 0xcc, 0x3a, 0xeb, 0x54, 0x49, 0x5, 0xd4, 0x84, 0x42, 0x75, 0x8e, 0xb3, 0x4f, 0x1b, 0x34, 0x7b, 0x51, 0xaa, 0x3d, 0x8c, 0xfa, 0xf7, 0xb, 0x69, 0xec, 0x28, 0x69, 0x2f, 0x41, 0x6c, 0xce, 0x86, 0x23, 0xb3, 0x96, 0x4, 0xcd, 0xad, 0xad, 0x10, 0x55, 0x1c, 0xbe, 0x1, 0xf9, 0xfa, 0xb5, 0x4b, 0xe7, 0x67, 0x4e, 0xc0, 0x85, 0x99, 0x5c, 0xe1, 0x78, 0xf6, 0xba, 0x3c, 0x2d, 0x9a, 0xab, 0xd7, 0x6a, 0x22, 0x4d, 0x52, 0x58, 0xe9, 0xfa, 0x7d, 0xd, 0x9, 0x0, 0x9c, 0xc2, 0xd8, 0x51, 0x87, 0x39, 0xf5, 0xa5, 0xb, 0x2d, 0x26, 0xb8, 0x3a, 0xdd, 0xbc, 0xfc, 0x8a, 0x3b, 0x4, 0x9d, 0xe9, 0x29, 0x27, 0x39, 0x57, 0x3a, 0x94, 0xbc, 0xae, 0x3b, 0x26, 0x51, 0xef, 0x35, 0x29, 0x86, 0x20, 0x93, 0xce, 0xea, 0x9f, 0x7b, 0x81, 0x6c, 0xb0, 0x3, 0xfc, 0x9e, 0x63, 0xdc, 0x81, 0x1d, 0x34, 0x7d, 0xbe, 0x39, 0xe8, 0x79, 0x83, 0x14, 0x32, 0x89, 0x68, 0xdb, 0xcd, 0xad, 0x6e, 0x2, 0xf7, 0xa1, 0x11, 0x62, 0xda, 0x5e, 0xcc, 0xd1, 0xf4, 0x5f, 0x57, 0xb2, 0xf3, 0xe6, 0x3a, 0xa7, 0xa7, 0xf6, 0xc8, 0xcf, 0x40, 0x83, 0xb4, 0xd5, 0x61, 0x5e, 0x9a, 0x87, 0x83, 0xbc, 0xe, 0xa5, 0x41, 0xed, 0xb1, 0xac, 0xc5, 0xfa, 0xd8, 0x7, 0x3c, 0xc8, 0xc, 0xa6, 0x59, 0x90, 0x19, 0xb8, 0xc3, 0x4a, 0x8d, 0xc9, 0xde, 0xfe, 0xc8, 0xc, 0x9e, 0x22, 0x37, 0xb8, 0x1c, 0xb9, 0x27, 0xb4, 0xd2, 0x91, 0x4, 0xb, 0xfe, 0x6c, 0xa6, 0x83, 0xe9, 0xac, 0x86, 0x23, 0xf, 0x13, 0x12, 0x29, 0xb3, 0x1e, 0x4d, 0xc, 0x93, 0xe4, 0x2a, 0xa6, 0x59, 0x2e, 0x2b, 0xf8, 0xa2, 0xe3, 0x89, 0x3e, 0xf9, 0x53, 0x38, 0x23, 0x77, 0x7f, 0x7c, 0x77, 0x11, 0xac, 0x63, 0x80, 0x7f, 0x0, 0x10, 0x37, 0x59, 0x7c, 0xc9, 0x4a, 0x60, 0x18, 0x9c, 0x75, 0x7f, 0x70, 0x8c, 0xc4, 0xe1, 0x65, 0x6b, 0xdb, 0xa5, 0xc5, 0xec, 0x62, 0x3f, 0x95, 0x14, 0xa2, 0x38, 0x73, 0xb1, 0x78, 0xa, 0x94, 0xad, 0xc8, 0xbc, 0x9d, 0x81, 0xe1, 0x6b, 0x0, 0x34, 0x9c, 0xd8, 0xf6, 0x4, 0xdc, 0x70, 0xa, 0x84, 0xb4, 0xa6, 0xb4, 0x57, 0x25, 0x46, 0xc0, 0x21, 0xbd, 0x60, 0xde, 0x6a, 0x4c, 0x54, 0x72, 0x60, 0xff, 0x2, 0xcf, 0x7, 0xe6, 0x36, 0xdc, 0x8c, 0xd9, 0x8a, 0xa9, 0x2c, 0x7d, 0xa4, 0x9, 0x66, 0xf5, 0xf5, 0x1e, 0x1d, 0x47, 0xbf, 0xa0, 0xad, 0x64, 0xf2, 0x23, 0x66, 0xf8, 0xbc, 0xb6, 0x5c, 0x9e, 0xaa, 0x87, 0x6, 0xc, 0xb7, 0x6c, 0x1c, 0x40, 0x17, 0xf2, 0x24, 0x81, 0xc9, 0x35, 0x14, 0xa6, 0xd4, 0x5f, 0x63, 0x89, 0x81, 0xa6, 0x8e, 0xd9, 0xa9, 0xaf, 0xb8, 0x8f, 0xd2, 0x2d, 0x32, 0xc7, 0x65, 0xb6, 0x30, 0x95, 0x43, 0xfb, 0xb3, 0xc1, 0xb3, 0x1, 0xcc, 0x12, 0xcf, 0x85, 0xf6, 0x72, 0x1, 0x86, 0x1, 0xb, 0xc7, 0x1d, 0x39, 0x58, 0x1b, 0x22, 0xee, 0x15, 0xb9, 0x24, 0xdb, 0x17, 0xa3, 0x3b, 0xf0, 0xfd, 0x9a, 0xc4, 0xff, 0xb8, 0x17, 0x59, 0xc6, 0xde, 0x87, 0x50, 0xd0, 0xd3, 0xe4, 0x7b, 0x59, 0x46, 0x7f, 0xe7, 0x0, 0x65, 0x0, 0xed, 0xc1, 0xa1, 0x80, 0xf3, 0x25, 0x70, 0x1, 0xc3, 0xa8, 0x4d, 0x3d, 0xb4, 0x79, 0x95, 0xfb, 0x8c, 0x62, 0xcf, 0xef, 0xec, 0x16, 0x37, 0x1f, 0x16, 0x0, 0x4d, 0x5c, 0x6e, 0x11, 0x1, 0x68, 0xc4, 0xeb, 0x27, 0x9c, 0x7e, 0x76, 0xa1, 0x1d, 0xa1, 0xe, 0xba, 0x5e, 0x57, 0x4c, 0x0, 0x47, 0x52, 0x14, 0x15, 0xfe, 0xb7, 0x73, 0x23, 0x8c, 0xf6, 0x6d, 0xce, 0x3a, 0xac, 0x37, 0xbc, 0x5d, 0xfe, 0xdf, 0xc3, 0x75, 0x49, 0x7, 0x8a, 0xa2, 0xdb, 0x47, 0xa1, 0xa2, 0x65, 0x91, 0x51, 0xee, 0xd6, 0x20, 0x6c, 0x24, 0x15, 0x7, 0x81, 0xd3, 0xb1, 0xd1, 0x68, 0x50, 0xb9, 0x60, 0x81, 0x74, 0x8c, 0x1, 0xe7, 0xb1, 0x62, 0xff, 0x80, 0xf3, 0xfa, 0xb1, 0xf5, 0x3, 0x1e, 0x2c, 0xcb, 0xf3, 0xdd, 0xb1, 0x7f, 0xef, 0xda, 0xa7, 0x91, 0xfc, 0xa8, 0x39, 0xb5, 0xea, 0x61, 0xb5, 0xf9, 0xf3, 0x7, 0xb7, 0xdd, 0x83, 0x98, 0x1b, 0x10, 0x80, 0xd9, 0x76, 0x72, 0xb5, 0x66, 0xf, 0x2f, 0xb8, 0xfd, 0x83, 0x8, 0x76, 0xf3, 0xef, 0xc3, 0x4b, 0x75, 0xde, 0xd7, 0x89, 0x40, 0xab, 0xc2, 0x5d, 0x43, 0x6, 0xb6, 0x3, 0xac, 0xee, 0x5b, 0xe0, 0xdf, 0x53, 0x6e, 0xcd, 0xcd, 0x25, 0x33, 0xbc, 0x62, 0xe8, 0xf1, 0xf2, 0xc3, 0x3, 0x4f, 0x77, 0x21, 0x79, 0xf, 0xdd, 0x1b, 0xcc, 0x52, 0x45, 0x21, 0x72, 0xca, 0x97, 0xea, 0x46, 0xec, 0x9c, 0xf0, 0x4a, 0x9a, 0xe7, 0xc7, 0x9b, 0x8b, 0x65, 0xa1, 0x47, 0x53, 0xb1, 0x75, 0x2f, 0xaf, 0x35, 0x6f, 0x79, 0xd2, 0x6b, 0x35, 0xc4, 0x51, 0x40, 0x90, 0x79, 0x95, 0xac, 0x5d, 0x65, 0x3a, 0xc3, 0xa3, 0xdd, 0x69, 0x26, 0xa3, 0x4a, 0x51, 0x88, 0x2e, 0x3c, 0x50, 0x5d, 0x41, 0xdd, 0x53, 0x37, 0x37, 0x13, 0xa1, 0xdf, 0x78, 0x4f, 0x75, 0xb, 0x73, 0x46, 0x5, 0x3f, 0xd7, 0xc5, 0x24, 0xe2, 0xb5, 0xb3, 0xc, 0x76, 0x19, 0x69, 0x61, 0x68, 0x8c, 0xaf, 0x3b, 0xfa, 0x52, 0x25, 0x14, 0x8d, 0x13, 0xa1, 0xbc, 0x9f, 0xf5, 0xeb, 0x69, 0x76, 0xf1, 0x8b, 0xb1, 0x1a, 0xdd, 0x25, 0xdf, 0x9b, 0x3e, 0xf5, 0xe6, 0x55, 0x54, 0xd1, 0x6c, 0xcb, 0xf3, 0xb, 0xcc, 0x4, 0x80, 0x90, 0xe8, 0x95, 0x49, 0xef, 0x5b, 0x59, 0xc1, 0x9a, 0x4a, 0x10, 0xa8, 0x59, 0x94, 0xfe, 0xf0, 0x3e, 0x12, 0xa8, 0x16, 0x63, 0xd6, 0x49, 0x38, 0x54, 0xf9, 0xe7, 0xb4, 0x2d, 0xc3, 0x73, 0x54, 0x78, 0x9e, 0xd, 0x9, 0xd2, 0x2e, 0x2e, 0x7, 0x5, 0x9f, 0x9d, 0x29, 0x93, 0x8a, 0xf9, 0xa, 0xa2, 0x6a, 0xc, 0xf6, 0x3c, 0xd3, 0xc5, 0xb2, 0x9b, 0x27, 0x75, 0x14, 0xba, 0x32, 0x9a, 0x7, 0x73, 0x4a, 0x77, 0xcb, 0x2, 0x32, 0x7e, 0xbd, 0x2d, 0xc4, 0xe8, 0xc4, 0x4b, 0xed, 0x64, 0xe8, 0x20, 0xb0, 0xab, 0xc5, 0x64, 0x4b, 0x69, 0xc7, 0xee, 0xc4, 0x19, 0x84, 0xc1, 0x18, 0x3d, 0xe5, 0x93, 0x47, 0x1c, 0xef, 0x73, 0x46, 0x9c, 0xe6, 0x92, 0x60, 0x5, 0xb5, 0xae, 0xb8, 0xc7, 0x6b, 0xc1, 0xf8, 0xf0, 0x43, 0xca, 0xa1, 0x3a, 0xf6, 0xb2, 0x79, 0xd6, 0xec, 0xd5, 0x4e, 0x22, 0xc9, 0x5, 0xa2, 0x55, 0xaf, 0xee, 0x56, 0xd, 0x8b, 0x2, 0x8e, 0x4b, 0xba, 0x15, 0xe1, 0xbf, 0xec, 0xf4, 0xac, 0x97, 0xb3, 0xa7, 0x22, 0x3e, 0x40, 0xb6, 0xa8, 0x5e, 0x0, 0xc4, 0x26, 0x4, 0x85, 0x92, 0x96, 0x4e, 0xa6, 0x95, 0x32, 0x5e, 0x70, 0x56, 0xa4, 0xa6, 0x59, 0xbc, 0xaa, 0x22, 0xbc, 0x42, 0x59, 0x5f, 0x4c, 0x71, 0x29, 0xb9, 0xed, 0x82, 0x31, 0xfa, 0xbd, 0x68, 0x61, 0x9a, 0xba, 0x52, 0x41, 0x10, 0x65, 0xa6, 0x16, 0x22, 0x68, 0x63, 0x92, 0xb6, 0x3, 0x8d, 0x90, 0x46, 0x50, 0xa8, 0xcb, 0x7f, 0x24, 0xe0, 0x8b, 0x9b, 0x1e, 0x18, 0xa, 0x82, 0x97, 0x57, 0xeb, 0x81, 0x11, 0x12, 0xa0, 0x30, 0x22, 0x81, 0xf2, 0xa0, 0x21, 0x88, 0x7b, 0xae, 0x3c, 0xdc, 0x9c, 0x7e, 0xe7, 0x15, 0xce, 0x72, 0xcc, 0x32, 0x23, 0x20, 0xd7, 0x38, 0x82, 0xcb, 0xbb, 0xb2, 0x3c, 0xcd, 0x43, 0x2c, 0xe8, 0xc6, 0xdf, 0x63, 0xab, 0xe4, 0x17, 0xd7, 0x83, 0x31, 0x28, 0x0, 0xbd, 0x58, 0xab, 0x42, 0x29, 0xf3, 0xe8, 0x46, 0x8d, 0xd1, 0x18, 0x24, 0x88, 0x10, 0xf6, 0x6e, 0x76, 0x6c, 0x6b, 0xcd, 0xc6, 0xc, 0x1a, 0xcb, 0xff, 0x8e, 0x60, 0x59, 0xd8, 0x68, 0x5c, 0xa0, 0x1d, 0x5a, 0x1c, 0x6e, 0x29, 0x32, 0xa5, 0xf4, 0xa5, 0xc7, 0xc8, 0x2e, 0xd, 0xc9, 0x43, 0x1e, 0xf, 0x3d, 0xd9, 0x29, 0x97, 0x89, 0x22, 0x3a, 0x94, 0x29, 0x17, 0x53, 0xe, 0x36, 0x26, 0x8a, 0x7a, 0x87, 0xb5, 0xd7, 0x7e, 0x71, 0x7e, 0x7b, 0xd5, 0x2, 0xa2, 0xe1, 0xbc, 0x4d, 0x24, 0x5b, 0x2e, 0xd2, 0xf5, 0xdc, 0x4c, 0x2a, 0x71, 0xd7, 0x4b, 0x17, 0xbb, 0x5, 0x82, 0x40, 0x1, 0xb8, 0xfd, 0xa6, 0xe9, 0x87, 0x13, 0x5e, 0x69, 0xb0, 0xb4, 0x67, 0x42, 0xa4, 0x91, 0x5, 0xa1, 0x19, 0x2b, 0x33, 0x66, 0xf3, 0xac, 0xcc, 0x16, 0xd9, 0xed, 0x24, 0x50, 0x8a, 0x95, 0x34, 0x45, 0xcc, 0x34, 0xbe, 0x4b, 0x18, 0x1c, 0x6, 0x99, 0x76, 0x59, 0x81, 0x52, 0x89, 0x89, 0x63, 0x5c, 0x10, 0x3d, 0x65, 0xad, 0xfc, 0x5e, 0x7b, 0xde, 0x6, 0x91, 0xda, 0x52, 0x14, 0xa6, 0x8a, 0xa6, 0x5a, 0x33, 0xa0, 0x4, 0xba, 0xfa, 0x4f, 0x89, 0x7c, 0x7d, 0x33, 0xf6, 0x90, 0xa9, 0x8e, 0xfe, 0xd4, 0xce, 0x9d, 0x28, 0x57, 0x8c, 0x26, 0xb6, 0xb3, 0x28, 0x36, 0xec, 0x21, 0xaa, 0xc2, 0x89, 0x70, 0x93, 0xf9, 0x91, 0xd3, 0x66, 0x3e, 0x1e, 0x6e, 0xf4, 0xa3, 0xb2, 0x69, 0x63, 0x7d, 0xcd, 0x32, 0xa7, 0xb4, 0x22, 0x10, 0x2c, 0x40, 0x5d, 0xb8, 0xc3, 0x99, 0x2e, 0x93, 0x54, 0x2b, 0xbe, 0xfc, 0xcc, 0x7d, 0xe2, 0xdf, 0xb1, 0x56, 0x7b, 0xaa, 0xdd, 0xa6, 0xc9, 0x82, 0x4a, 0xe3, 0xa5, 0x78, 0xdc, 0x31, 0x41, 0x39, 0x4f, 0x70, 0xda, 0xb3, 0xbe, 0x8a, 0x98, 0xfa, 0x55, 0xca, 0x6c, 0xa3, 0x11, 0xdf, 0x66, 0x19, 0x86, 0x89, 0x34, 0x8e, 0x3b, 0xd5, 0x6b, 0x99, 0xea, 0xa0, 0xa1, 0x20, 0xfb, 0x79, 0x43, 0x7f, 0xd3, 0x5a, 0xd9, 0x47, 0x6, 0x30, 0xcd, 0xe3, 0xa7, 0x53, 0xa8, 0xb4, 0x4d, 0xb4, 0xfb, 0x59, 0x66, 0x2e, 0xb9, 0xe1, 0xe3, 0x9e, 0x20, 0x72, 0x68, 0x5f, 0x72, 0x63, 0x32, 0x4b, 0x43, 0x1, 0xa1, 0xb1, 0x25, 0x68, 0xc2, 0x6e, 0xb, 0x6f, 0x7d, 0x86, 0x2b, 0x76, 0xb6, 0xb4, 0x1b, 0xc, 0xe0, 0x16, 0x7a, 0xf7, 0x1, 0x6c, 0xac, 0xaa, 0x9e, 0x83, 0x90, 0x54, 0x51, 0x82, 0x34, 0xd3, 0x70, 0x34, 0xef, 0xa4, 0xf3, 0x62, 0x6c, 0xcd, 0x1d, 0x1c, 0x49, 0xa6, 0x29, 0x5a, 0x25, 0x7a, 0x99, 0xce, 0x2e, 0x78, 0xb6, 0x46, 0x53, 0x99, 0x57, 0xd3, 0x35, 0xfb, 0x78, 0x99, 0xce, 0xe0, 0x60, 0x9, 0xdf, 0xa9, 0xf5, 0x98, 0x4c, 0x7a, 0x52, 0x1f, 0x39, 0xc8, 0x7d, 0x54, 0xc1, 0xbc, 0xba, 0xc2, 0xc6, 0x8a, 0xcb, 0x52, 0x8d, 0xae, 0x81, 0xfe, 0x48, 0xd4, 0x48, 0x47, 0x11, 0xa7, 0xf1, 0x80, 0x3f, 0xf0, 0x44, 0x58, 0xc4, 0x4a, 0xdf, 0xf8, 0xb2, 0x84, 0xb7, 0x3d, 0x36, 0xfe, 0xf1, 0x2d, 0x12, 0x8f, 0x91, 0xad, 0xc0, 0xc7, 0x3c, 0xf3, 0xb9, 0x25, 0xf, 0xe4, 0x55, 0x55, 0x5e, 0x3b, 0xe7, 0xd0, 0x0, 0x47, 0xf9, 0x26, 0x33, 0xb0, 0x8, 0xfa, 0x28, 0x5c, 0x4f, 0xc2, 0x9d, 0x5d, 0x83, 0x15, 0x5b, 0x39, 0x80, 0xe6, 0x3a, 0xc7, 0x32, 0x69, 0x25, 0xa4, 0xe9, 0xc8, 0xa2, 0xfa, 0xe, 0x96, 0x42, 0x5, 0x6a, 0x8c, 0x6, 0x71, 0xee, 0xad, 0xb3, 0x2b, 0x54, 0x45, 0xb, 0x57, 0x9b, 0x9, 0x6, 0xa7, 0xd6, 0x78, 0xe2, 0xf4, 0xb5, 0x2b, 0xd1, 0x85, 0x43, 0x68, 0x29, 0x64, 0xf6, 0xf6, 0x8a, 0xd7, 0x33, 0xc6, 0x28, 0x84, 0x88, 0xb3, 0xd3, 0xc7, 0x58, 0x97, 0x3f, 0xdb, 0x9, 0x67, 0x3b, 0x4c, 0x1a, 0x8c, 0x1d, 0x34, 0x4e, 0xda, 0x9e, 0x16, 0xd2, 0xa6, 0x13, 0x96, 0x18, 0x2f, 0x4f, 0xbd, 0x36, 0xa5, 0xcd, 0xd7, 0x4e, 0x2b, 0x0, 0x9a, 0xb9, 0x3, 0x61, 0x77, 0xd1, 0xf8, 0xbd, 0x97, 0xba, 0x45, 0x79, 0xb3, 0x34, 0xd, 0x67, 0x9c, 0xbf, 0x5b, 0x8c, 0xd7, 0x84, 0xe3, 0x83, 0x9b, 0xb2, 0x14, 0x8d, 0x51, 0xcf, 0x3b, 0x2d, 0x6e, 0x97, 0xe5, 0xb7, 0x43, 0x93, 0x4f, 0xd4, 0x34, 0x42, 0xf, 0x53, 0xc2, 0xa7, 0x40, 0xe4, 0xdd, 0xb9, 0xbd, 0x56, 0x78, 0x81, 0xa0, 0x70, 0x72, 0x2f, 0x3, 0x53, 0x53, 0xeb, 0x45, 0xa9, 0x86, 0x10, 0x98, 0xd3, 0x66, 0x99, 0x8e, 0x2f, 0x6c, 0x6b, 0x4b, 0x8b, 0x9b, 0x1b, 0xa3, 0x42, 0x6, 0x82, 0x9d, 0x50, 0xd1, 0x62, 0x9e, 0x67, 0x51, 0x16, 0xff, 0xf8, 0x90, 0x1c, 0x0, 0x20, 0x1, 0x4a, 0xe3, 0x36, 0x2e, 0x6, 0xc1, 0xa1, 0x50, 0x1a, 0xed, 0x24, 0xe0, 0x8c, 0xf5, 0xe8, 0x74, 0x26, 0xd7, 0x0, 0x13, 0xfa, 0x1d, 0xf, 0x3f, 0x18, 0x2d, 0x4a, 0x7b, 0x26, 0xdf, 0x80, 0x66, 0xb7, 0xb3, 0x35, 0x82, 0x9d, 0x97, 0xb5, 0x12, 0x93, 0x14, 0x61, 0x8a, 0xcb, 0xaf, 0x2f, 0x1d, 0xe5, 0xec, 0x48, 0x88, 0x96, 0xda, 0xeb, 0x73, 0x99, 0xe3, 0x13, 0xa4, 0x75, 0xc2, 0x96, 0xe9, 0x0, 0xf0, 0x5f, 0x49, 0xc7, 0xd7, 0xb7, 0x46, 0xd1, 0x95, 0xed, 0xba, 0x97, 0xd0, 0xe, 0xe6, 0xc0, 0xf9, 0x38, 0x6e, 0xac, 0x4, 0x88, 0xaa, 0xbb, 0xf9, 0xc6, 0x45, 0x6, 0xc, 0x99, 0x92, 0x51, 0x98, 0x91, 0xc0, 0x39, 0xa4, 0xe6, 0xca, 0xf2, 0xe1, 0xf5, 0x1b, 0x15, 0xff, 0x3d, 0x71, 0xdb, 0x8c, 0xb3, 0x2e, 0x30, 0x2c, 0x26, 0x5d, 0xdf, 0x31, 0xdf, 0x90, 0x51, 0x50, 0x3d, 0xb7, 0xe5, 0x2f, 0x5b, 0xe5, 0xc2, 0x32, 0xc8, 0x85, 0xfc, 0xde, 0x19, 0x91, 0x65, 0x21, 0x51, 0xf2, 0xe4, 0xf, 0xb0, 0x99, 0xbc, 0xe3, 0xfd, 0xfc, 0x17, 0x8b, 0x90, 0xd1, 0xe3, 0xf5, 0x67, 0x80, 0x42, 0xae, 0x43, 0x14, 0xb3, 0xf6, 0x21, 0xe9, 0x3b, 0x59, 0xea, 0x64, 0x92, 0xed, 0xcf, 0xa2, 0x35, 0x7a, 0xe0, 0x59, 0x62, 0xb9, 0x89, 0x15, 0xdd, 0x62, 0xa7, 0xd, 0xa, 0x39, 0xbb, 0xc6, 0x8c, 0x26, 0xd9, 0x32, 0x1c, 0x7b, 0x1e, 0x92, 0xd4, 0xfa, 0x76, 0x42, 0x96, 0x2b, 0xdb, 0x34, 0x30, 0xe7, 0x44, 0xcc, 0x34, 0x6d, 0xc5, 0xe, 0xb7, 0x45, 0x65, 0x9, 0x46, 0x3a, 0xbe, 0x59, 0x6a, 0x3a, 0xcf, 0x66, 0x97, 0xbc, 0xfd, 0xe9, 0x53, 0x9b, 0x4e, 0xd0, 0xed, 0x83, 0x2f, 0x7b, 0xe7, 0xe3, 0xba, 0x8f, 0xcc, 0xb3, 0x99, 0x6d, 0x40, 0x3a, 0xda, 0x7a, 0x6c, 0x64, 0xb5, 0x8e, 0xfb, 0x51, 0x12, 0x5a, 0x74, 0xd8, 0xf5, 0xa9, 0xc7, 0x25, 0x27, 0xc7, 0xa8, 0x47, 0x77, 0x96, 0x9e, 0xe8, 0xff, 0x31, 0xe5, 0x33, 0x5c, 0x19, 0x5e, 0x93, 0x64, 0xe9, 0xf, 0x21, 0x9d, 0x60, 0x27, 0x22, 0xe1, 0x2f, 0xa8, 0x6c, 0xfd, 0xca, 0x9d, 0x46, 0x26, 0x4, 0x96, 0x5b, 0x9b, 0xaf, 0x3c, 0x18, 0x93, 0x56, 0x4c, 0xe0, 0x9e, 0x2e, 0xef, 0x6f, 0x14, 0xc8, 0x33, 0xa3, 0x84, 0x10, 0xf7, 0xd1, 0xd1, 0xae, 0x33, 0x99, 0x64, 0x96, 0x90, 0x30, 0x56, 0x50, 0xf3, 0xaf, 0x6e, 0x56, 0xcf, 0x39, 0x2e, 0xad, 0xf0, 0x57, 0x50, 0x34, 0x24, 0x21, 0x83, 0x1f, 0x5b, 0xf6, 0x8f, 0x14, 0xd, 0xcf, 0x94, 0xcf, 0xd4, 0x89, 0x2e, 0x4, 0xb3, 0x58, 0xc, 0x52, 0x84, 0xec, 0x9b, 0x31, 0xd, 0xaa, 0x61, 0x53, 0x26, 0x76, 0x26, 0x2a, 0xad, 0x87, 0xbc, 0x8f, 0x2, 0xa3, 0x6f, 0xc8, 0x6f, 0x69, 0xc1, 0xad, 0xe1, 0xd7, 0x66, 0x6b, 0xd0, 0x72, 0xcd, 0xa, 0x93, 0xe5, 0xeb, 0x98, 0x35, 0x74, 0x1b, 0xcc, 0x50, 0x45, 0xf2, 0x65, 0xec, 0xa5, 0xb9, 0xb4, 0x93, 0x13, 0x23, 0xce, 0xf9, 0x7d, 0x6, 0xdb, 0xd4, 0x22, 0x4a, 0x23, 0x0, 0x9b, 0xff, 0xca, 0x95, 0xa0, 0xdd, 0x98, 0xc1, 0xc9, 0x0, 0x61, 0xa0, 0x75, 0xbc, 0x1b, 0x95, 0xf6, 0x9c, 0x93, 0xc8, 0xa9, 0x60, 0x15, 0x74, 0xbf, 0x51, 0xfe, 0x5e, 0x32, 0x50, 0x8, 0x94, 0x0, 0x46, 0x5e, 0x9e, 0x57, 0x4f, 0x9c, 0x25, 0x2f, 0xda, 0x76, 0x2a, 0xb9, 0x87, 0x5c, 0x33, 0xef, 0xeb, 0x6f, 0xe0, 0xe4, 0x9d, 0x88, 0xce, 0x83, 0x60, 0x64, 0x6, 0xec, 0x0, 0x69, 0x73, 0x27, 0xe1, 0xbf, 0x35, 0x3, 0x2a, 0xbe, 0x10, 0x41, 0x34, 0xc5, 0x35, 0xda, 0xd1, 0xad, 0x20, 0xcd, 0x2, 0xb8, 0xb7, 0x68, 0x75, 0x75, 0xca, 0x67, 0xc3, 0xf1, 0x1c, 0xf, 0x5, 0xe4, 0x7d, 0xbc, 0xf, 0xc9, 0x9b, 0x5a, 0xc8, 0x9b, 0x32, 0x10, 0xa1, 0xe1, 0xa2, 0xc4, 0x73, 0xa3, 0xa9, 0x93, 0x3, 0xad, 0xb7, 0x32, 0x42, 0xb6, 0x29, 0xad, 0x7d, 0x16, 0xb0, 0x7e, 0x57, 0xf5, 0xb2, 0x8a, 0xb7, 0x94, 0x1, 0xf3, 0x4, 0x16, 0x8b, 0x34, 0x29, 0xe8, 0xaf, 0x94, 0xaa, 0xb, 0x42, 0x43, 0x65, 0x41, 0xdd, 0xd8, 0xfb, 0x77, 0x2e, 0xcd, 0xa7, 0x94, 0xb4, 0x51, 0xf6, 0x6f, 0x6c, 0x33, 0x99, 0x6, 0xd1, 0xff, 0x71, 0x56, 0x6a, 0x89, 0x9a, 0x97, 0xcc, 0xd2, 0x5f, 0x6f, 0xef, 0x8c, 0x14, 0xd8, 0xa8, 0x93, 0xe8, 0x11, 0x10, 0x7b, 0xcf, 0x65, 0xa1, 0x6, 0x89, 0x98, 0x85, 0x84, 0xd, 0xc5, 0x78, 0x71, 0xb6, 0x81, 0xde, 0xb3, 0x35, 0x8a, 0x35, 0xeb, 0xd, 0x7c, 0x99, 0x97, 0xd2, 0xc1, 0x55, 0xc8, 0x3a, 0x42, 0x8, 0x87, 0x61, 0x9, 0xe1, 0x69, 0x9f, 0x71, 0xb1, 0xf9, 0x83, 0xc1, 0x64, 0x83, 0x9e, 0xcc, 0xaf, 0x21, 0x6a, 0x36, 0x95, 0x3a, 0x20, 0xec, 0x1f, 0x14, 0x8b, 0x6, 0x6d, 0x5d, 0xec, 0x6a, 0xe9, 0x4, 0x4f, 0x99, 0x8a, 0xf7, 0x2d, 0xee, 0xb0, 0x45, 0x12, 0x27, 0xe8, 0xca, 0x9c, 0xb3, 0x4f, 0x3f, 0xe4, 0x97, 0xa9, 0xa4, 0x75, 0xb8, 0x98, 0xea, 0x2c, 0xdb, 0x11, 0xfe, 0x7d, 0x50, 0x3d, 0x12, 0x32, 0x52, 0xea, 0x7a, 0x4b, 0x31, 0xdb, 0x86, 0xae, 0x65, 0x8c, 0x7c, 0x30, 0x8, 0xed, 0x68, 0x46, 0xaa, 0x5c, 0x16, 0xe7, 0x6, 0x39, 0xec, 0xd3, 0xb4, 0x8b, 0x45, 0x70, 0xb1, 0x86, 0xb9, 0x9b, 0xc1, 0xc6, 0x3e, 0x2e, 0x4d, 0xed, 0x4, 0x3, 0xae, 0x46, 0x48, 0xf3, 0xc5, 0x22, 0x97, 0x9f, 0x6c, 0xa0, 0x95, 0x76, 0x91, 0xa, 0x1c, 0xab, 0x4c, 0x17, 0x73, 0x7f, 0x6c, 0xfd, 0xa7, 0xf0, 0xfc, 0x2, 0x48, 0xf1, 0x31, 0x1e, 0xb0, 0x88, 0x54, 0x89, 0x7, 0xfd, 0x42, 0x98, 0xb4, 0x52, 0x99, 0x6d, 0x8d, 0xd7, 0x71, 0x1, 0x52, 0xac, 0x7, 0xd9, 0x72, 0xb5, 0x8e, 0x88, 0x4a, 0x19, 0x4d, 0x4c, 0xa4, 0xa2, 0xe0, 0x66, 0x7e, 0x1, 0xba, 0xd9, 0x3f, 0xb6, 0xd2, 0xfc, 0xae, 0x88, 0xf8, 0xc8, 0xc6, 0xef, 0x78, 0x11, 0x1a, 0x88, 0x4a, 0xda, 0x6b, 0x6f, 0xb7, 0x38, 0x72, 0xa6, 0xb2, 0x1, 0xe1, 0xb, 0xbf, 0xf2, 0x14, 0x9c, 0xaf, 0x67, 0xd3, 0x56, 0x35, 0x75, 0x20, 0x66, 0xa5, 0x31, 0x78, 0x4b, 0x10, 0xa, 0xe6, 0xd9, 0x79, 0xbb, 0x59, 0xca, 0x58, 0x3b, 0xa7, 0x69, 0xa5, 0x92, 0x53, 0xc4, 0x4b, 0xc9, 0xf6, 0x98, 0x56, 0xe8, 0x52, 0x7a, 0x51, 0x55, 0xd7, 0xad, 0xae, 0xa5, 0x3d, 0x64, 0x85, 0x84, 0x1b, 0x58, 0x2a, 0xd5, 0xc, 0xed, 0x1a, 0x67, 0xe9, 0xf9, 0x19, 0xbc, 0x26, 0xf7, 0xa0, 0x4e, 0xbf, 0xfb, 0xe8, 0x52, 0x31, 0xd0, 0xd9, 0x40, 0x7d, 0x70, 0xb7, 0x1d, 0xf5, 0xd6, 0xcf, 0xe0, 0xe6, 0xf6, 0x63, 0xd9, 0x84, 0x30, 0x63, 0xaf, 0x7e, 0x66, 0x55, 0xdc, 0x9c, 0xcd, 0xed, 0x6f, 0xd5, 0x44, 0x2e, 0x2b, 0xf9, 0xb7, 0x73, 0x14, 0x2b, 0x96, 0x4e, 0xb6, 0x39, 0x2e, 0xfb, 0xbf, 0xfc, 0x71, 0xf6, 0x6e, 0x8f, 0x40, 0x7d, 0x8a, 0xcf, 0xdf, 0xf8, 0x75, 0x30, 0xea, 0x9e, 0x25, 0x98, 0x66, 0x95, 0xaa, 0xf0, 0x84, 0xa2, 0xd8, 0x3f, 0x7d, 0x86, 0x50, 0xa2, 0xfc, 0xb3, 0x1e, 0x69, 0x9d, 0x26, 0x5f, 0x7b, 0x75, 0x20, 0xde, 0xa5, 0xb8, 0x93, 0x20, 0x40, 0xc2, 0xf2, 0xa6, 0x6d, 0xc0, 0xeb, 0x59, 0x33, 0xf9, 0xd3, 0x33, 0x9c, 0x73, 0xb2, 0x3e, 0x29, 0x78, 0x11, 0xe5, 0x86, 0xd6, 0xbc, 0x70, 0xe7, 0xa3, 0xd2, 0xee, 0x43, 0xaf, 0x68, 0x2c, 0x93, 0xf7, 0xa2, 0xbd, 0x0, 0x3d, 0x70, 0x8e, 0x46, 0x2, 0x55, 0xf5, 0x61, 0xb0, 0x2f, 0x8f, 0x97, 0xdc, 0xe5, 0xad, 0x15, 0xc8, 0x28, 0x4a, 0x90, 0xa1, 0xc9, 0xa4, 0x56, 0xc, 0x47, 0x8d, 0x53, 0xaf, 0xd3, 0xed, 0x8c, 0x3d, 0x19, 0x5f, 0xbc, 0x9a, 0x15, 0xf3, 0x8e, 0x10, 0x20, 0x5f, 0x24, 0x37, 0x2a, 0x78, 0x71, 0x3f, 0x22, 0x1e, 0x8, 0x17, 0xfa, 0x3a, 0xa7, 0xf2, 0xec, 0x8d, 0x6e, 0x20, 0x2a, 0x94, 0x19, 0x55, 0x8e, 0x97, 0x63, 0x6a, 0x6, 0xa2, 0x53, 0x8d, 0xb9, 0x8a, 0x8, 0x6a, 0x3a, 0xaa, 0x24, 0x11, 0x2d, 0x7c, 0xc6, 0xe7, 0xc, 0x3c, 0x11, 0x9a, 0x75, 0x71, 0xc6, 0xce, 0x48, 0xfa, 0x67, 0x6f, 0x4f, 0xd3, 0x73, 0xb3, 0xe3, 0x7b, 0x72, 0x36, 0xfd, 0x79, 0xd4, 0x55, 0x54, 0x81, 0xd, 0x3c, 0xa1, 0xee, 0x28, 0xa4, 0xe5, 0x5e, 0xbd, 0xb1, 0x16, 0x5f, 0xea, 0xfe, 0x6b, 0xd3, 0xa, 0xe3, 0x4d, 0x20, 0xe4, 0x57, 0xf9, 0x9e, 0x3b, 0x35, 0x6a, 0x4e, 0x66, 0xaf, 0xcb, 0xeb, 0x4f, 0xd1, 0x26, 0x12, 0x33, 0x87, 0x5c, 0xcb, 0x57, 0x5f, 0xb6, 0x8c, 0xf9, 0x87, 0x4e, 0x41, 0xdd, 0xc, 0x5e, 0x21, 0xa6, 0x60, 0xdb, 0x40, 0x14, 0x88, 0xa6, 0x65, 0x68, 0xc1, 0x67, 0xaa, 0x52, 0xab, 0x46, 0x1a, 0xef, 0x93, 0x10, 0x64, 0xec, 0x2e, 0xbb, 0xba, 0xcb, 0xbc, 0x93, 0xbe, 0xad, 0x3, 0xda, 0x64, 0x3b, 0xc2, 0xa0, 0xc4, 0x6a, 0xe8, 0xe0, 0xa, 0xa0, 0x7a, 0x5f, 0xe6, 0x1, 0x14, 0xfc, 0x1e, 0x94, 0xb, 0x47, 0x74, 0x35, 0xf4, 0x9d, 0x79, 0xd6, 0xd8, 0x5a, 0x10, 0xd8, 0x65, 0xf, 0xa9, 0xb8, 0xcf, 0x4c, 0x81, 0xbd, 0x7f, 0xaa, 0xe3, 0x80, 0xce, 0x1b, 0xa, 0xd2, 0x8, 0x95, 0xad, 0x91, 0x32, 0x27, 0x7c, 0xb6, 0xb4, 0xb4, 0xb2, 0xa9, 0xe2, 0x1f, 0x4, 0x6, 0x2, 0xe8, 0xf0, 0xd, 0xd1, 0xc1, 0xd8, 0x58, 0x80, 0xbc, 0xfc, 0xab, 0x64, 0x9d, 0xbb, 0xf, 0x2a, 0x71, 0xb2, 0xb9, 0x43, 0x89, 0x4, 0xef, 0x3d, 0x3b, 0x14, 0xd9, 0xee, 0x90, 0xff, 0x75, 0xe7, 0x4c, 0xa2, 0x3a, 0xab, 0x85, 0x40, 0x90, 0xbc, 0x7b, 0xca, 0xd4, 0x5f, 0x60, 0xfb, 0x5d, 0xc7, 0xe2, 0x64, 0xa5, 0x34, 0x8b, 0xf, 0x36, 0x82, 0xe3, 0x7c, 0x9f, 0x75, 0x25, 0x57, 0x58, 0xbf, 0x88, 0xc9, 0x5, 0xdb, 0xb6, 0x6c, 0xd4, 0x58, 0x6c, 0x1d, 0xd6, 0x17, 0x29, 0x7a, 0xcb, 0x20, 0xfd, 0x91, 0xe4, 0xf8, 0x14, 0x40, 0x3, 0xc2, 0x11, 0x7a, 0x72, 0x8a, 0xb6, 0xb6, 0xcb, 0x7c, 0xaf, 0x6f, 0xf8, 0x86, 0x3, 0x20, 0x9a, 0xe0, 0xfe, 0xcc, 0xc6, 0x8b, 0x5c, 0x35, 0xea, 0x7e, 0xbb, 0x4a, 0xff, 0x76, 0x7d, 0x88, 0x52, 0x8a, 0xaa, 0xaa, 0xca, 0xab, 0x4d, 0xc9, 0xa1, 0x23, 0xaf, 0x8a, 0xc, 0xcc, 0x91, 0xc, 0xe, 0x22, 0x3f, 0x6a, 0x2c, 0xc7, 0x34, 0x4a, 0x14, 0x32, 0x12, 0xdf, 0xb, 0xc2, 0xbc, 0x1b, 0xde, 0xe, 0xa2, 0xda, 0x42, 0x2f, 0x6e, 0x15, 0x5, 0xa0, 0x74, 0xc, 0xf0, 0x41, 0xc4, 0x4b, 0x8c, 0x4b, 0x73, 0xb6, 0xa5, 0x46, 0xbf, 0xa4, 0xc9, 0x56, 0x7b, 0x3, 0x95, 0x40, 0x57, 0x1b, 0x57, 0xf3, 0x3f, 0xa5, 0x36, 0x68, 0xb4, 0xc1, 0x27, 0x79, 0x83, 0x78, 0x8b, 0xf9, 0x24, 0x16, 0xc7, 0x33, 0x45, 0x6a, 0x25, 0x54, 0x62, 0x96, 0xe1, 0x7e, 0xd0, 0xb, 0xbb, 0x7a, 0xf2, 0xfd, 0x5b, 0x6d, 0x5c, 0xfc, 0x64, 0xcf, 0xd7, 0x77, 0x7a, 0xcd, 0xf0, 0x51, 0xc7, 0x15, 0x69, 0x34, 0xf5, 0x98, 0x87, 0x12, 0x90, 0xf5, 0xd9, 0x5f, 0x8b, 0x1d, 0xf8, 0xa8, 0xd, 0x2b, 0x77, 0x90, 0x7d, 0x2f, 0x8e, 0xf8, 0xac, 0x18, 0x5c, 0xcd, 0x32, 0xbe, 0x77, 0xd7, 0x33, 0xbf, 0xfd, 0xe9, 0x5e, 0xeb, 0xd2, 0xd7, 0x5c, 0x8, 0xa, 0x15, 0x11, 0x20, 0xb3, 0xfb, 0x2c, 0x70, 0x2d, 0xe8, 0x8c, 0xc8, 0x85, 0xdb, 0xeb, 0xe0, 0xb6, 0x17, 0xd6, 0x1, 0x1e, 0x3c, 0xce, 0xa3, 0x23, 0xac, 0x33, 0x73, 0x56, 0x8e, 0x61, 0x41, 0x30, 0x6b, 0xdb, 0x7e, 0x15, 0x8f, 0xfd, 0xd0, 0x9d, 0xb0, 0xd1, 0x7, 0xce, 0x73, 0xda, 0x6b, 0x38, 0x78, 0x41, 0xad, 0x58, 0xc2, 0x10, 0x29, 0xd8, 0xf4, 0x17, 0x26, 0xcd, 0xcf, 0x82, 0x4f, 0x12, 0x70, 0x17, 0x69, 0xef, 0x8d, 0x5e, 0x2f, 0xcc, 0xcc, 0xc, 0xc3, 0xb8, 0x50, 0x25, 0x70, 0x82, 0x5a, 0x57, 0x8e, 0x1a, 0xea, 0x6a, 0x85, 0x7b, 0x59, 0x94, 0xab, 0xb1, 0xef, 0x2f, 0x82, 0xbb, 0x8e, 0xe3, 0x24, 0xec, 0xbc, 0x28, 0x59, 0x8, 0x71, 0x88, 0xb9, 0x8f, 0x11, 0x3d, 0x46, 0x80, 0xff, 0x6a, 0xc7, 0xbb, 0xc3, 0xf5, 0x26, 0xcb, 0x14, 0x36, 0xe0, 0xfb, 0xdd, 0x8e, 0xab, 0xd4, 0xee, 0x2d, 0xcf, 0xc0, 0x9b, 0x57, 0xeb, 0xc8, 0x41, 0xae, 0x3b, 0xc9, 0x15, 0x4c, 0x0, 0xcc, 0xb2, 0xa3, 0xec, 0x3a, 0x5d, 0xae, 0xfb, 0x46, 0xb1, 0x9a, 0x1e, 0xf, 0xcf, 0x35, 0x12, 0x67, 0xc1, 0x85, 0xc2, 0x9e, 0x34, 0xa9, 0xfb, 0xad, 0x77, 0x64, 0x7c, 0xb5, 0x6b, 0x93, 0x6c, 0xa3, 0xc6, 0xbc, 0x4d, 0xe9, 0x64, 0x8b, 0x1f, 0x87, 0x7b, 0xa6, 0x91, 0xa5, 0x62, 0xfb, 0xd0, 0x28, 0xf5, 0x26, 0xd9, 0xc1, 0x81, 0xe0, 0x40, 0x9d, 0x5a, 0x4b, 0xd8, 0xf2, 0xf6, 0xea, 0x11, 0x31, 0x44, 0xb6, 0x65, 0xa5, 0xf9, 0x93, 0x89, 0x22, 0x8b, 0x18, 0x83, 0x2c, 0x92, 0xf5, 0xcb, 0xc, 0x97, 0xe1, 0xf3, 0x3d, 0xab, 0x30, 0x7b, 0xf8, 0xaa, 0x7a, 0xfa, 0x98, 0x7, 0x61, 0xb2, 0xb2, 0x4e, 0xaa, 0x73, 0xf0, 0xe4, 0x9e, 0x20, 0x41, 0x9b, 0xb1, 0xd6, 0xf2, 0x59, 0x3, 0x57, 0xf1, 0xaf, 0x7c, 0x57, 0xfc, 0x8c, 0x86, 0xe6, 0xcb, 0xd3, 0x4d, 0xc0, 0x32, 0xdc, 0x4b, 0x6c, 0x18, 0x97, 0xe3, 0xee, 0xcf, 0xae, 0x5f, 0xc3, 0xa6, 0xcf, 0xc0, 0x86, 0xf0, 0x12, 0xb3, 0xa1, 0xb4, 0xe2, 0x1f, 0x46, 0xd9, 0xc6, 0xcc, 0xa5, 0xe0, 0xd3, 0xe5, 0xaa, 0xa7, 0x79, 0x26, 0x4e, 0xd2, 0xc4, 0xc1, 0xe5, 0xd, 0x3d, 0x1, 0x76, 0x70, 0x29, 0xb6, 0x5, 0xbb, 0xba, 0xf8, 0x50, 0x2d, 0xbb, 0xef, 0x66, 0x6e, 0xe2, 0xab, 0xc1, 0x73, 0xf7, 0x8a, 0x48, 0xf2, 0x22, 0xb4, 0xd4, 0xef, 0x75, 0xa5, 0x3b, 0x66, 0x2, 0x5d, 0x10, 0xe4, 0x57, 0x94, 0xa6, 0x53, 0x8b, 0xa, 0xb6, 0x7e, 0x3b, 0x97, 0x45, 0xc9, 0x8, 0x0, 0x21, 0x62, 0xfb, 0xab, 0x66, 0x4b, 0x86, 0x32, 0x8e, 0x1d, 0x0, 0x9, 0x3, 0x59, 0xe5, 0x52, 0x6f, 0xd2, 0x1a, 0x94, 0x84, 0x55, 0x43, 0xf6, 0xe3, 0x1e, 0x58, 0x59, 0x9f, 0x56, 0x30, 0x37, 0x3b, 0x6d, 0xa5, 0xdb, 0x89, 0x47, 0x2f, 0xa6, 0xf2, 0x9f, 0xb7, 0xc9, 0xb5, 0x72, 0x15, 0xb8, 0xfc, 0x91, 0xe, 0x9a, 0x8f, 0x6c, 0x7d, 0xcb, 0x46, 0xf4, 0xb5, 0xec, 0xb7, 0x39, 0xc1, 0x25, 0xf6, 0x48, 0x12, 0x81, 0x44, 0x30, 0x77, 0x14, 0x7c, 0x7b, 0x56, 0x86, 0xa3, 0xe4, 0xf1, 0x1a, 0xb5, 0x82, 0x10, 0x50, 0x31, 0x2f, 0x8a, 0x2, 0xf2, 0x2b, 0xd4, 0x8c, 0xa8, 0x6e, 0x1f, 0xa0, 0xa4, 0xc9, 0x18, 0x58, 0x7e, 0x25, 0xd8, 0x95, 0x3e, 0xf6, 0x16, 0x9b, 0x51, 0xb4, 0x10, 0xfa, 0x8e, 0xdd, 0xbf, 0x10, 0xa9, 0xd, 0xe0, 0x73, 0x89, 0xed, 0xa9, 0xe4, 0xf, 0x5c, 0x77, 0xd0, 0x49, 0xed, 0xc, 0x11, 0xa6, 0x6f, 0xa3, 0xf3, 0x6f, 0x51, 0x1f, 0x56, 0x93, 0xfb, 0xb1, 0x1e, 0xfb, 0x74, 0x2b, 0x52, 0x57, 0x84, 0x47, 0x90, 0xc, 0x6c, 0xc6, 0xbd, 0xb8, 0x6b, 0x4, 0x21, 0xd3, 0xcf, 0x57, 0xad, 0x80, 0xcc, 0xa2, 0x84, 0x68, 0x2d, 0x37, 0xb6, 0xa9, 0x86, 0x35, 0xfc, 0x27, 0x7c, 0xcd, 0xe8, 0xf4, 0xad, 0xed, 0xba, 0x61, 0x34, 0xf0, 0x42, 0x72, 0x61, 0x1a, 0x25, 0x56, 0x1d, 0x94, 0xe0, 0x95, 0xa9, 0xd1, 0x46, 0x99, 0x71, 0xd8, 0x4, 0x1e, 0xe5, 0xf6, 0x48, 0xe8, 0x65, 0x13, 0x31, 0x1e, 0x6a, 0x0, 0x33, 0x2f, 0xe6, 0x3, 0xe5, 0x1d, 0x50, 0xc1, 0xc7, 0x41, 0x15, 0xde, 0xfa, 0xac, 0xf4, 0xfa, 0xc9, 0xaa, 0x4d, 0x71, 0xb, 0xcd, 0x44, 0x97, 0x58, 0x58, 0xe, 0x77, 0xcd, 0x51, 0xa, 0x69, 0xd8, 0x4f, 0x54, 0x6d, 0x1, 0x31, 0x0, 0xed, 0x20, 0xfc, 0x60, 0x44, 0x44, 0xdb, 0x64, 0xaf, 0x12, 0xe7, 0x3f, 0x80, 0xd4, 0xcd, 0xbe, 0x34, 0xd6, 0xe9, 0x19, 0x8a, 0x97, 0x30, 0xa9, 0x47, 0xc0, 0x8b, 0xe0, 0x33, 0x7, 0x28, 0xa1, 0xec, 0x24, 0xbf, 0x2d, 0xb2, 0x6, 0xd7, 0x2c, 0x8c, 0xe3, 0xa, 0x3c, 0xb9, 0x17, 0x90, 0x35, 0x5b, 0x2a, 0x1, 0x5b, 0xae, 0xf5, 0xe0, 0x72, 0x8c, 0xc3, 0x43, 0x39, 0xa3, 0x6f, 0x17, 0x57, 0xea, 0x67, 0x61, 0x78, 0xb1, 0x49, 0xea, 0xab, 0xb7, 0x9f, 0x97, 0xfa, 0xc5, 0xc6, 0xe2, 0x10, 0x7d, 0xd2, 0xb1, 0xb4, 0x7a, 0xde, 0xaf, 0x23, 0xc4, 0xc2, 0x61, 0xbd, 0x58, 0xd3, 0x86, 0x97, 0xf8, 0x14, 0x66, 0xeb, 0x59, 0x74, 0x6f, 0x7f, 0x6b, 0x81, 0x5d, 0x4a, 0x7b, 0xe, 0x36, 0x9, 0x4f, 0xa4, 0x31, 0xe4, 0x4c, 0x91, 0x9, 0xc3, 0x32, 0xa0, 0x27, 0x8c, 0xd8, 0xe3, 0xed, 0xca, 0x8a, 0xd6, 0xa5, 0xce, 0xe, 0xd8, 0x1d, 0x43, 0xa9, 0x11, 0x40, 0xb8, 0xd9, 0x6c, 0x30, 0x73, 0xca, 0x7c, 0x7c, 0xeb, 0x30, 0xb7, 0xb3, 0xd1, 0x29, 0xdd, 0xfa, 0x20, 0xd3, 0xb3, 0x37, 0xfe, 0x5b, 0x8b, 0x85, 0x83, 0x5c, 0x1d, 0x25, 0xb6, 0x93, 0xd1, 0x4c, 0xbf, 0x52, 0xd9, 0x52, 0x13, 0xd3, 0x1f, 0xca, 0x1c, 0x51, 0xc0, 0xfb, 0x90, 0xa4, 0x57, 0x61, 0xc6, 0x36, 0x86, 0xb9, 0x89, 0x38, 0xa6, 0x90, 0x79, 0xe1, 0xc0, 0xde, 0x87, 0x2a, 0x69, 0xaa, 0xe5, 0x0, 0x9d, 0xb3, 0xf7, 0x8d, 0xed, 0xd, 0x1, 0xb5, 0xa0, 0xcf, 0x54, 0xc8, 0x80, 0x1b, 0x7b, 0x28, 0xea, 0xf8, 0xa0, 0x76, 0xb8, 0xbe, 0x66, 0xe, 0xcd, 0x76, 0x34, 0x31, 0xf5, 0xd7, 0x50, 0x49, 0x39, 0x8d, 0xb0, 0x65, 0xe, 0x3d, 0xa6, 0xc6, 0x9f, 0x47, 0x53, 0xa9, 0xee, 0x9, 0x1a, 0x42, 0xe7, 0x99, 0xf4, 0x91, 0x98, 0xae, 0x82, 0x66, 0xd8, 0xa7, 0x5c, 0x10, 0xb9, 0x58, 0xab, 0x34, 0x3b, 0xdb, 0x3a, 0xe2, 0x67, 0x29, 0x58, 0xbc, 0xc0, 0xea, 0xcc, 0x47, 0x44, 0xae, 0x89, 0xf5, 0x6a, 0xf5, 0x7b, 0x7c, 0x66, 0x9c, 0x91, 0xd7, 0xdc, 0xf5, 0x60, 0xb1, 0x17, 0xec, 0x9a, 0xbc, 0xad, 0xca, 0xdd, 0x9f, 0x7b, 0x69, 0xec, 0xf5, 0x67, 0x34, 0x46, 0x41, 0xf3, 0x98, 0xb, 0x2f, 0x13, 0x67, 0xa9, 0xf7, 0xf1, 0x87, 0xb1, 0x18, 0xeb, 0x4a, 0x21, 0x1d, 0x7a, 0xfe, 0x90, 0xf7, 0x32, 0x14, 0x74, 0x3c, 0xaf, 0x6, 0x15, 0xc4, 0xa0, 0x91, 0xe5, 0xf9, 0x65, 0x55, 0xbb, 0xc3, 0x1b, 0x4f, 0xb4, 0x77, 0x1a, 0xd4, 0x10, 0x96, 0xde, 0x4b, 0xa8, 0xe4, 0x65, 0x9d, 0xa0, 0x1c, 0x6a, 0xa, 0xf2, 0xd8, 0x60, 0xf0, 0x42, 0xe7, 0x9c, 0x7f, 0xf2, 0xfd, 0x3b, 0x2a, 0x65, 0x9f, 0x73, 0x3d, 0x3b, 0x5c, 0xb6, 0xbd, 0xb6, 0x9f, 0xae, 0x7f, 0xec, 0xb6, 0xdc, 0x5d, 0xeb, 0x5a, 0x6e, 0xb6, 0xef, 0x14, 0x27, 0x5f, 0x99, 0x52, 0x5d, 0x44, 0x69, 0x8e, 0x5d, 0xe9, 0xde, 0x20, 0x76, 0xe2, 0x9, 0x46, 0x2d, 0x6c, 0x1b, 0x16, 0xd7, 0x29, 0x81, 0x31, 0x1c, 0x62, 0x32, 0xaa, 0xc1, 0x58, 0x9, 0xf1, 0x9, 0x39, 0xb0, 0x63, 0xaf, 0xf4, 0x1a, 0xf9, 0x8e, 0x46, 0x8c, 0xf6, 0xcd, 0xa5, 0xfb, 0x9f, 0x42, 0x2c, 0x16, 0x71, 0x93, 0x3b, 0x75, 0x43, 0x23, 0x68, 0x2f, 0xd7, 0x9c, 0x1f, 0x5f, 0x5a, 0xb4, 0xca, 0x29, 0x96, 0xdb, 0x45, 0xb2, 0xab, 0x23, 0x16, 0x57, 0x99, 0x99, 0xd7, 0x3f, 0x9, 0xdb, 0x7, 0xc5, 0x32, 0x6c, 0x3, 0xaf, 0x52, 0xf6, 0x2e, 0x4e, 0x5c, 0x8e, 0x1, 0x5, 0x78, 0xcc, 0xf0, 0x86, 0x50, 0xe3, 0x8b, 0xab, 0xd4, 0x73, 0xa, 0xc1, 0x27, 0x63, 0x82, 0x7e, 0x97, 0xb3, 0x19, 0x65, 0xf7, 0x3d, 0x5, 0x9c, 0xef, 0x5e, 0xcb, 0xe8, 0x6f, 0xea, 0x0, 0xb3, 0x37, 0x5b, 0xe2, 0x8d, 0xfb, 0xcf, 0x49, 0xc8, 0x92, 0xfa, 0x3, 0xdb, 0xbb, 0x69, 0x41, 0xe8, 0xa7, 0x43, 0x2e, 0x24, 0x8e, 0x95, 0x6f, 0xdd, 0xf4, 0x51, 0xfa, 0xe4, 0x8d, 0x5a, 0x44, 0xf4, 0x7f, 0xa7, 0x25, 0x69, 0x49, 0x89, 0xd, 0xe9, 0x50, 0x2a, 0xe7, 0xe6, 0x90, 0x63, 0x1f, 0x2b, 0xe3, 0x48, 0x66, 0xc6, 0xc, 0x46, 0x3e, 0x17, 0x57, 0x19, 0xab, 0xb2, 0x90, 0x45, 0x70, 0x30, 0x75, 0xce, 0xbb, 0x1b, 0x62, 0x71, 0x1c, 0xdb, 0xbd, 0xd, 0xa9, 0xc0, 0x5d, 0xd6, 0xcd, 0x15, 0x9e, 0x39, 0x5e, 0x50, 0xb7, 0x7a, 0x79, 0x57, 0xcb, 0x4d, 0x43, 0x68, 0xe8, 0xa8, 0x2c, 0x6a, 0xba, 0x35, 0xad, 0x60, 0xc1, 0x36, 0x33, 0xde, 0xe0, 0xb1, 0xfd, 0x4b, 0x15, 0x90, 0xb3, 0xd8, 0xeb, 0x99, 0xef, 0xbb, 0xec, 0xeb, 0x11, 0x17, 0xf3, 0x96, 0x3b, 0x6c, 0xc4, 0xfd, 0x98, 0xce, 0x1f, 0xf, 0xa4, 0x2d, 0x1f, 0x41, 0xb4, 0x57, 0xd3, 0x74, 0x97, 0xb9, 0xb6, 0x5b, 0xb6, 0x15, 0xf4, 0xbd, 0xc8, 0x87, 0x2d, 0xf1, 0xee, 0xc2, 0xe3, 0x89, 0x3a, 0xda, 0xf3, 0x71, 0x74, 0x3c, 0x9b, 0xbb, 0x95, 0xde, 0x94, 0xc5, 0x12, 0xd8, 0x5b, 0x22, 0xf, 0x60, 0x6b, 0xa5, 0x75, 0x2b, 0x5d, 0x7c, 0x90, 0x54, 0x35, 0xe, 0xb6, 0x8d, 0xf0, 0xc5, 0x3c, 0xa9, 0x19, 0x33, 0x83, 0xfa, 0xd6, 0x3c, 0x3e, 0x74, 0xc9, 0x83, 0x16, 0xf8, 0x41, 0x5c, 0xad, 0x7d, 0x7e, 0x10, 0x34, 0x9c, 0xd9, 0xe7, 0xc1, 0x70, 0x7, 0x9, 0xbe, 0xa6, 0x39, 0x4a, 0xdc, 0xe, 0xd3, 0xb7, 0xd0, 0x86, 0x35, 0x70, 0xd4, 0x36, 0x60, 0xfa, 0x2b, 0x27, 0x3, 0xda, 0x76, 0x8c, 0x14, 0xa4, 0x8, 0xf, 0xea, 0x7, 0x4a, 0xb, 0x53, 0xdd, 0xc1, 0x45, 0x29, 0x4d, 0x9e, 0x69, 0xb5, 0xeb, 0x1d, 0x23, 0x98, 0x58, 0xdc, 0xca, 0xe0, 0x0, 0x7f, 0xa7, 0xc7, 0xfc, 0x49, 0xdf, 0xe, 0x5a, 0x3e, 0xa7, 0xbf, 0x7b, 0x5, 0x93, 0xd1, 0x4c, 0x7a, 0x2, 0xcd, 0x7e, 0x8b, 0x2f, 0x1a, 0x1, 0x14, 0xc6, 0xb3, 0x34, 0x47, 0x11, 0x68, 0x7c, 0x67, 0x67, 0xb7, 0x1d, 0xa0, 0xe7, 0x4f, 0x3f, 0x27, 0x7e, 0x5e, 0xbe, 0xd9, 0x89, 0xef, 0x8, 0x98, 0x8, 0x2e, 0xcb, 0x25, 0xd2, 0x7, 0x41, 0x9e, 0xd5, 0x7d, 0xa2, 0xf7, 0xf1, 0xc9, 0xb9, 0x11, 0x82, 0x61, 0xc7, 0xaf, 0x53, 0x59, 0x91, 0x81, 0xe6, 0x67, 0xbc, 0x61, 0x3, 0x26, 0x14, 0x7, 0x7f, 0xb, 0x5d, 0x86, 0x2a, 0x67, 0x25, 0x7, 0xe7, 0x10, 0x18, 0x3c, 0x6a, 0xbd, 0xca, 0x6b, 0xd, 0x1e, 0xca, 0x3b, 0x3e, 0xbc, 0x91, 0x85, 0x40, 0xc1, 0x2b, 0xb0, 0xa1, 0x39, 0xa2, 0xfb, 0x31, 0x59, 0xee, 0xde, 0xe0, 0xd1, 0x91, 0xbd, 0x98, 0xd3, 0x24, 0x74, 0xf4, 0x1d, 0x3c, 0x1a, 0x7, 0xf4, 0x86, 0x88, 0xf, 0x3b, 0x23, 0x19, 0xa8, 0xe8, 0x41, 0x7d, 0x3f, 0x98, 0xb9, 0x6e, 0xcf, 0xc2, 0x23, 0x86, 0x70, 0x7f, 0x28, 0x9a, 0x60, 0xaf, 0x49, 0xbb, 0x86, 0x62, 0x7, 0xc9, 0x63, 0x49, 0xb2, 0x2b, 0x94, 0x4b, 0x65, 0xa9, 0x55, 0xa5, 0xee, 0xf6, 0xe, 0xfe, 0xde, 0xf5, 0x36, 0x72, 0x2d, 0x6d, 0x5f, 0x76, 0x91, 0xf9, 0x56, 0xdc, 0x22, 0x99, 0xfa, 0xc7, 0xe0, 0x8c, 0xf7, 0xce, 0x5e, 0x8c, 0x6c, 0x5e, 0xb5, 0x9, 0xbe, 0x9d, 0x58, 0x44, 0x7b, 0x70, 0x37, 0xa8, 0x9e, 0xca, 0x3b, 0x1b, 0xe1, 0x47, 0x15, 0xb7, 0x2a, 0x7f, 0x2c, 0xfa, 0xd7, 0xc0, 0xdc, 0x1d, 0x2a, 0xfa, 0xd6, 0x3d, 0x2a, 0x7, 0x77, 0x7b, 0x5a, 0x30, 0xb4, 0xac, 0x9, 0x57, 0x4e, 0x9d, 0x64, 0x2e, 0x4a, 0xdd, 0x4a, 0x6e, 0x52, 0x17, 0x19, 0xb0, 0xa2, 0x53, 0xcd, 0xc4, 0x4a, 0xb4, 0x20, 0x30, 0x23, 0x26, 0xc5, 0x1d, 0xc3, 0xa2, 0xba, 0x6a, 0x74, 0x28, 0x40, 0x4c, 0x1d, 0x29, 0x64, 0x90, 0x83, 0x31, 0x51, 0x9, 0xd9, 0x5a, 0xee, 0x51, 0xf1, 0x48, 0xbf, 0x81, 0x56, 0x18, 0x7b, 0x59, 0x7f, 0xe5, 0xcc, 0x42, 0xd4, 0x54, 0x48, 0xb0, 0xc1, 0x3a, 0x7c, 0x71, 0xc1, 0x93, 0xc0, 0xc3, 0x7d, 0x58, 0x65, 0x65, 0x2b, 0xf4, 0x24, 0x24, 0xcb, 0x7a, 0xae, 0xcb, 0x96, 0x59, 0x95, 0xdb, 0x8a, 0x33, 0x5a, 0x1b, 0xf9, 0x51, 0x60, 0x75, 0x56, 0xe6, 0xc8, 0xb1, 0xd0, 0xb8, 0x28, 0xba, 0x1f, 0x71, 0x66, 0x90, 0xa, 0xc1, 0xb6, 0x37, 0x41, 0xd7, 0x15, 0x80, 0x2a, 0x23, 0x3a, 0xeb, 0xd7, 0xcd, 0x70, 0x24, 0xed, 0x91, 0x61, 0x7f, 0xf0, 0xe2, 0xc9, 0xc0, 0x88, 0x95, 0xf7, 0xb6, 0x1d, 0xd, 0xa8, 0xcc, 0x68, 0x57, 0xb5, 0x69, 0xfc, 0x52, 0xfa, 0x8a, 0x43, 0x54, 0x7f, 0xae, 0xf1, 0x4d, 0xb, 0x4f, 0x6a, 0xb4, 0xf9, 0xa7, 0xd1, 0xad, 0xc, 0x6f, 0xdd, 0x3, 0x18, 0xb3, 0xa6, 0xe, 0xb4, 0x35, 0xae, 0xea, 0x55, 0xa5, 0x4f, 0x8e, 0x48, 0x16, 0x4e, 0x2e, 0x38, 0x55, 0x7d, 0x4, 0x9f, 0x98, 0xc, 0x6e, 0x2f, 0xe0, 0xb7, 0xb5, 0xc9, 0x49, 0x26, 0x76, 0x95, 0xd3, 0xd2, 0x1b, 0x6b, 0xf6, 0xa3, 0xae, 0xc7, 0xe7, 0x4e, 0x60, 0xa9, 0x96, 0xf8, 0xc6, 0x6d, 0x27, 0xff, 0x46, 0x36, 0xd1, 0xba, 0x60, 0x28, 0xf5, 0xe7, 0xf0, 0x9b, 0x92, 0x4b, 0xb4, 0x7c, 0x21, 0xc8, 0x92, 0x2d, 0x82, 0xc1, 0xa9, 0xae, 0x63, 0xce, 0xf5, 0xa2, 0xfd, 0xa5, 0x54, 0x91, 0xb1, 0xaf, 0xa2, 0xd0, 0xa6, 0x1d, 0x80, 0x95, 0x4c, 0x47, 0x2e, 0x48, 0x4b, 0xc2, 0x11, 0xb6, 0xd0, 0x72, 0x99, 0xc1, 0x51, 0xf3, 0xa8, 0x60, 0x65, 0x8e, 0x46, 0x1d, 0x21, 0x64, 0xcf, 0x7b, 0x69, 0x80, 0x75, 0xeb, 0x91, 0xc4, 0xfb, 0x88, 0xee, 0xd0, 0x9d, 0xec, 0x32, 0x2e, 0x6c, 0x95, 0xbf, 0xd2, 0x59, 0x5b, 0x4e, 0xf9, 0xdd, 0xdc, 0x64, 0x68, 0xdc, 0x73, 0x65, 0x76, 0xee, 0xbc, 0x21, 0x23, 0x5e, 0xfd, 0xc4, 0x6, 0x9a, 0x5e, 0xef, 0xf8, 0xb4, 0xa7, 0x55, 0xf8, 0x80, 0x72, 0xdd, 0x18, 0xa9, 0xfb, 0x88, 0xc6, 0xae, 0x8b, 0x60, 0xc2, 0xaa, 0xbb, 0x42, 0xf, 0x40, 0x33, 0xf, 0xf0, 0xb3, 0xa3, 0xe4, 0xe6, 0xf2, 0x66, 0x29, 0xba, 0x2d, 0x3d, 0x75, 0x93, 0x50, 0x98, 0x94, 0x1a, 0xf7, 0xb6, 0xcc, 0x23, 0xa4, 0xce, 0x1f, 0x3, 0x33, 0x8f, 0xfb, 0xe6, 0x7, 0x48, 0xd0, 0x8d, 0x9b, 0x0, 0x4c, 0x95, 0xdb, 0x5c, 0xe5, 0xcf, 0x63, 0x51, 0xe8, 0xc6, 0x41, 0xcf, 0x17, 0x8f, 0xcc, 0x3, 0x5c, 0x92, 0x7b, 0x3, 0x2a, 0x3c, 0xf0, 0xf1, 0x7c, 0x42, 0xd2, 0x66, 0xcc, 0x19, 0x9c, 0xc3, 0xe4, 0x18, 0x6c, 0x7b, 0xba, 0x24, 0x3d, 0x82, 0x4f, 0xb, 0x1f, 0x90, 0x13, 0x90, 0xef, 0x32, 0x2e, 0x1c, 0x94, 0xf8, 0xf1, 0x60, 0x43, 0x68, 0x2e, 0x9, 0x28, 0x2c, 0x52, 0xff, 0xba, 0xe, 0x2f, 0x93, 0x6c, 0x25, 0xe3, 0xe4, 0x91, 0x78, 0x3d, 0x5e, 0x44, 0xac, 0x19, 0x43, 0x26, 0x51, 0x81, 0x43, 0xa7, 0x8e, 0xe7, 0x32, 0x34, 0x55, 0xa, 0xc5, 0xe9, 0x67, 0x69, 0xaa, 0xee, 0xe6, 0xc7, 0x28, 0xe6, 0x62, 0x84, 0xd2, 0xce, 0x27, 0x57, 0xfa, 0x4a, 0x7a, 0x75, 0xd3, 0x96, 0x3f, 0x50, 0xc1, 0x84, 0xe4, 0xc3, 0x14, 0xa, 0xde, 0x23, 0x99, 0xbd, 0x38, 0xeb, 0x24, 0x4a, 0x36, 0x22, 0x74, 0x17, 0xe5, 0xa0, 0x8d, 0xf1, 0x1d, 0x9b, 0x8a, 0xd3, 0xd8, 0x82, 0x8f, 0x4e, 0x17, 0x91, 0x13, 0xde, 0xe7, 0x0, 0xc6, 0x97, 0x2e, 0xdd, 0x75, 0xc1, 0xa1, 0x50, 0x98, 0x70, 0xc5, 0x35, 0x50, 0xae, 0x32, 0xa0, 0x41, 0x90, 0x96, 0x6b, 0x8, 0xa2, 0x76, 0x3b, 0x53, 0xfd, 0xcb, 0xfe, 0xe8, 0xc2, 0xd7, 0x1b, 0xa7, 0xbb, 0xd6, 0x67, 0xfb, 0x9d, 0x9, 0xe6, 0x8e, 0xd5, 0xb2, 0xd9, 0x85, 0x4a, 0x6, 0x2d, 0x34, 0x8b, 0x3a, 0xe3, 0x9b, 0x2f, 0x52, 0x49, 0x76, 0xc0, 0x3b, 0xa8, 0x49, 0x1f, 0xdf, 0x5b, 0x7, 0xc, 0x69, 0x42, 0xec, 0x54, 0x38, 0xe8, 0xae, 0xe1, 0x80, 0xc7, 0x9d, 0x68, 0x17, 0x44, 0xbf, 0x7d, 0x2a, 0x78, 0x40, 0xaf, 0x3f, 0xe, 0xfc, 0x4, 0xc0, 0x2c, 0x86, 0x11, 0xdf, 0x9e, 0x2e, 0xf0, 0xb2, 0xb3, 0xb7, 0xa1, 0xa0, 0xf, 0x5e, 0xa, 0xf1, 0x80, 0xec, 0x36, 0x89, 0x23, 0xa6, 0xac, 0x30, 0x9a, 0xd, 0xf4, 0x2, 0x5, 0xbf, 0x3c, 0xf8, 0x4d, 0x8a, 0x31, 0x2c, 0x68, 0xc4, 0x81, 0x46, 0x74, 0x26, 0x9c, 0xe, 0x18, 0x56, 0x57, 0x98, 0x2e, 0x9, 0x47, 0x18, 0x46, 0xd0, 0x79, 0xbe, 0xe0, 0x1, 0xbd, 0x78, 0xa, 0x48, 0x1e, 0xaf, 0xb9, 0x1d, 0xa5, 0x72, 0xe4, 0x59, 0xd3, 0x6d, 0xb6, 0xba, 0xaf, 0xe3, 0x21, 0x38, 0xce, 0x62, 0x99, 0x31, 0x73, 0x17, 0xb6, 0xe5, 0xce, 0xc5, 0xbb, 0x9f, 0xfd, 0x6f, 0xd4, 0x30, 0x8b, 0xe0, 0xb7, 0x10, 0xc6, 0x36, 0x99, 0xc6, 0x5b, 0x6e, 0xcf, 0x62, 0xe2, 0x9c, 0xf2, 0xcf, 0x43, 0xf3, 0xc1, 0x14, 0xb9, 0x68, 0x35, 0x4e, 0x2e, 0xca, 0xc5, 0x36, 0xde, 0x16, 0xc0, 0x64, 0x1d, 0x1, 0x29, 0xb8, 0xe2, 0x42, 0xdd, 0xf, 0xb1, 0xe0, 0xf8, 0xaa, 0x85, 0x66, 0x81, 0x29, 0x94, 0x78, 0x97, 0xde, 0xe, 0x23, 0x8, 0x17, 0x51, 0xe7, 0xf8, 0x2b, 0x92, 0x3b, 0xfc, 0xd8, 0x1e, 0x67, 0x33, 0xb1, 0x29, 0x4c, 0xa0, 0xc0, 0xd8, 0xe4, 0xc4, 0x99, 0x6e, 0x3b, 0x39, 0x12, 0xeb, 0x87, 0xba, 0xbe, 0x93, 0x87, 0x4c, 0x97, 0xf3, 0xaf, 0x9b, 0xdf, 0x18, 0x2c, 0x5, 0x94, 0x74, 0x3, 0x39, 0x71, 0x0, 0x91, 0x93, 0xa2, 0xc3, 0xc5, 0x95, 0xb, 0x7a, 0xe3, 0x4f, 0x23, 0x77, 0x6a, 0x6b, 0xc9, 0x61, 0xb6, 0x21, 0x9a, 0xc2, 0x2, 0x61, 0xcf, 0x1e, 0x14, 0xd6, 0xf1, 0xaa, 0xc3, 0x53, 0x2f, 0xb2, 0x3b, 0x9e, 0x50, 0x95, 0x91, 0x57, 0x13, 0xd5, 0x22, 0x4, 0x74, 0x59, 0x29, 0x60, 0xed, 0x7b, 0x53, 0x22, 0x38, 0x8, 0x1b, 0xf0, 0x89, 0x72, 0xe0, 0x35, 0x6e, 0x7d, 0xcd, 0xff, 0x6e, 0xd8, 0x6d, 0x8c, 0xc4, 0x94, 0x1f, 0xfa, 0x9c, 0xf, 0xeb, 0x82, 0x1f, 0xbb, 0xc8, 0x7d, 0xb9, 0x2e, 0x1b, 0xe6, 0xb7, 0xe0, 0x9e, 0x31, 0x4e, 0xd7, 0x34, 0x2e, 0xfe, 0x52, 0x5a, 0xb6, 0x9a, 0xf7, 0x3b, 0x10, 0xc3, 0x52, 0xa3, 0x8f, 0xeb, 0xfe, 0xab, 0x5a, 0x6c, 0xff, 0x97, 0x5, 0x73, 0xc9, 0xf5, 0xef, 0x8f, 0xbe, 0xbf, 0x8, 0x46, 0x90, 0xa7, 0xe6, 0x1c, 0x8, 0xd6, 0x49, 0xa2, 0xfc, 0xc4, 0x3a, 0x2f, 0x81, 0x1f, 0x0, 0xe2, 0xe5, 0xb9, 0x9a, 0xbc, 0x24, 0x9b, 0xe8, 0x2e, 0x1, 0x38, 0x67, 0x2c, 0x2, 0x91, 0xa1, 0x13, 0xa7, 0x30, 0x5d, 0x9c, 0x3d, 0xe8, 0x93, 0xf, 0xef, 0x84, 0xf0, 0xe3, 0x76, 0x48, 0x28, 0xf9, 0xfb, 0xc1, 0x29, 0x70, 0x77, 0xc9, 0xa4, 0xd2, 0xe7, 0xbc, 0xb3, 0x6b, 0x7a, 0xef, 0x59, 0xa6, 0xa2, 0xdf, 0x28, 0x72, 0x6, 0xb8, 0x8f, 0xa4, 0x77, 0xd8, 0x98, 0x33, 0xcd, 0xd5, 0x3f, 0xf, 0x5d, 0x2, 0x8f, 0xfd, 0xa4, 0xbe, 0x2b, 0x7c, 0xae, 0x2e, 0x35, 0x2e, 0x7d, 0xd6, 0x94, 0x43, 0x5f, 0xcc, 0xd7, 0xe7, 0x4d, 0x18, 0x42, 0xe1, 0x36, 0x45, 0x5c, 0x1b, 0x55, 0xb5, 0xa, 0xa6, 0x4a, 0xd3, 0x12, 0xb2, 0x89, 0x2e, 0xd5, 0x51, 0x0, 0xf5, 0xea, 0x6f, 0xa9, 0x14, 0xb, 0xbb, 0x12, 0xd, 0x74, 0xef, 0x21, 0x4e, 0x7e, 0x67, 0xb9, 0x60, 0x20, 0xf0, 0x22, 0xc5, 0x1d, 0x73, 0xf7, 0x2d, 0x67, 0xe4, 0x12, 0x8b, 0x31, 0x6d, 0x32, 0x7b, 0x82, 0x3, 0xf8, 0x39, 0x94, 0x4a, 0x2, 0x39, 0xc, 0x63, 0xb8, 0xdf, 0x52, 0x94, 0x31, 0x97, 0xa8, 0x96, 0xcb, 0xaa, 0x7c, 0x86, 0xa3, 0xed, 0x61, 0x39, 0x8a, 0xd6, 0xca, 0xff, 0xc4, 0x77, 0xb0, 0xe2, 0x58, 0xc, 0xfa, 0x19, 0xa9, 0x4d, 0x63, 0x5d, 0x54, 0x3d, 0x89, 0x22, 0x5e, 0xf1, 0x9a, 0xb6, 0x79, 0xef, 0x10, 0xab, 0x8b, 0x80, 0x3d, 0x3d, 0xbc, 0x54, 0x37, 0x2c, 0xf8, 0x45, 0x7, 0x30, 0xab, 0xc8, 0x8a, 0x65, 0x4a, 0x7c, 0xb6, 0x38, 0x27, 0xc1, 0x82, 0x21, 0xe7, 0x40, 0x39, 0x76, 0xc4, 0xb3, 0x4f, 0xe4, 0x98, 0x87, 0x46, 0xbe, 0x77, 0x3b, 0x5f, 0xf8, 0xa7, 0x17, 0xf2, 0x7d, 0x4, 0xdc, 0x2d, 0xd9, 0x59, 0x5e, 0xc5, 0xd4, 0x39, 0x24, 0x8d, 0x4d, 0xe6, 0xe8, 0x75, 0xa4, 0xdc, 0xce, 0x16, 0x9b, 0xca, 0x87, 0xd, 0xcd, 0x24, 0xa7, 0xfe, 0xd, 0x54, 0xa5, 0x59, 0xfd, 0xe4, 0x35, 0x7a, 0x46, 0x29, 0x3a, 0x4f, 0x34, 0x94, 0x98, 0x6d, 0xba, 0x1e, 0xc5, 0x49, 0xe9, 0x81, 0xde, 0xf2, 0xc2, 0xe5, 0xa5, 0x6b, 0x6, 0xea, 0xda, 0xb3, 0xc7, 0xc8, 0x8, 0x14, 0xa6, 0xc8, 0x3f, 0x9f, 0xde, 0xd0, 0x6, 0x8f, 0xf8, 0xdf, 0x7a, 0xa, 0xce, 0x75, 0x3b, 0xf5, 0x1c, 0xc1, 0xbb, 0xd5, 0x87, 0xbc, 0xfb, 0xcc, 0x7a, 0xbb, 0x9f, 0xe2, 0xfd, 0xad, 0x7b, 0x26, 0x8e, 0x45, 0xa1, 0x56, 0xc2, 0x39, 0xe0, 0x68, 0x36, 0xb4, 0x1c, 0x5d, 0xfd, 0x17, 0x7c, 0x8b, 0xfb, 0x26, 0x5f, 0x2b, 0x6, 0xaa, 0x79, 0xaf, 0x26, 0xe4, 0xee, 0x4, 0xbf, 0x8f, 0xd7, 0xd0, 0x2, 0x20, 0x7, 0xe3, 0xb7, 0x4f, 0xe8, 0x37, 0xa2, 0x9c, 0x4c, 0x3d, 0x13, 0x82, 0xc, 0xa1, 0xd8, 0x1, 0xb4, 0x81, 0x41, 0x7e, 0x6d, 0x92, 0x25, 0xa5, 0xaa, 0x52, 0xb1, 0xdb, 0x73, 0x33, 0x8, 0x43, 0xe9, 0x83, 0xc9, 0xe7, 0x6e, 0x1e, 0xad, 0x5f, 0x2f, 0xf5, 0x28, 0x13, 0xb4, 0x7c, 0x9d, 0xf, 0xeb, 0xf7, 0xd5, 0x78, 0x1d, 0x44, 0x8b, 0xa6, 0x9b, 0x6f, 0x72, 0xbc, 0x35, 0x9e, 0x3b, 0x6b, 0xa0, 0xf1, 0x1f, 0x3e, 0x59, 0x55, 0x2, 0x55, 0xa2, 0x15, 0xc1, 0xbe, 0xdf, 0x3d, 0xd4, 0x2d, 0x55, 0x46, 0xf0, 0xa8, 0xbb, 0xab, 0xa7, 0x48, 0x2c, 0x33, 0xf1, 0xb, 0xad, 0xa3, 0x56, 0xfc, 0xd4, 0x9a, 0x31, 0x24, 0xbe, 0x31, 0xda, 0x2d, 0xf9, 0xe7, 0xa8, 0x95, 0xe0, 0x8b, 0xd2, 0xf7, 0x3, 0x85, 0x21, 0x78, 0x98, 0x40, 0xe8, 0x2f, 0xa5, 0xbc, 0x4d, 0xc2, 0x29, 0xfe, 0xda, 0x6d, 0x27, 0xeb, 0x64, 0x7a, 0x1d, 0x96, 0x54, 0xcd, 0x80, 0x42, 0xbe, 0x1d, 0x7f, 0x89, 0x8, 0x36, 0xe4, 0xd5, 0xd2, 0x38, 0x84, 0x77, 0xa8, 0x81, 0x2f, 0x36, 0x90, 0x16, 0x85, 0xa8, 0x52, 0x4d, 0x7e, 0xd1, 0xb5, 0x4, 0xba, 0xef, 0x1c, 0xf2, 0x62, 0x52, 0x73, 0x4c, 0x22, 0x7, 0x27, 0x44, 0x9a, 0x1f, 0x17, 0xc6, 0x33, 0x6c, 0x96, 0x7, 0xbf, 0xb0, 0x16, 0x8, 0x1e, 0x91, 0xa8, 0x7b, 0xdb, 0xa9, 0x45, 0x37, 0x3, 0x59, 0xea, 0x6f, 0x30, 0x67, 0x8f, 0xa7, 0xc0, 0xe0, 0xf7, 0xac, 0x2a, 0xf9, 0x1b, 0x25, 0xad, 0x83, 0x38, 0xaa, 0xb5, 0x86, 0x70, 0xbd, 0x26, 0xe9, 0xed, 0x5a, 0x34, 0x5d, 0x71, 0x59, 0x1d, 0xb1, 0xd5, 0xe3, 0x19, 0x3e, 0x98, 0x88, 0xd7, 0x62, 0xa7, 0xea, 0xc7, 0x48, 0xf2, 0xf1, 0xab, 0xb0, 0x30, 0xa7, 0xe5, 0x83, 0xfd, 0xe3, 0xfa, 0x84, 0x80, 0xab, 0xfb, 0x2f, 0x5b, 0x76, 0x53, 0x21, 0xd, 0xe5, 0x65, 0x3d, 0x7f, 0x12, 0xfa, 0x83, 0xe0, 0xd4, 0xbd, 0x10, 0x1b, 0x7b, 0x39, 0x74, 0xc0, 0xf3, 0x9c, 0xd3, 0x9f, 0xb5, 0xb1, 0xc, 0x9, 0xf8, 0x59, 0x10, 0x9f, 0x11, 0x98, 0x7d, 0xe1, 0x1d, 0xdc, 0xa6, 0x36, 0x8c, 0x48, 0x5d, 0x3c, 0x35, 0x74, 0xdf, 0x23, 0x8e, 0x3d, 0x3a, 0xf3, 0xaa, 0x14, 0x93, 0xf5, 0xba, 0x78, 0xc0, 0x75, 0xe0, 0x31, 0x3c, 0xca, 0xd1, 0x46, 0x3a, 0xa0, 0x7c, 0xf, 0xc7, 0x60, 0xb6, 0x47, 0xac, 0xe3, 0xc5, 0x99, 0x59, 0x2e, 0xfe, 0x88, 0x13, 0x24, 0xd0, 0x70, 0x5, 0xc0, 0x7e, 0x2a, 0xe1, 0x6b, 0x9a, 0x2e, 0x8f, 0xaa, 0x5f, 0x61, 0x9d, 0xfd, 0x15, 0x7b, 0xed, 0x54, 0x85, 0x96, 0x40, 0xeb, 0xa1, 0x8f, 0x82, 0x48, 0xa4, 0x7a, 0x7e, 0x44, 0xb4, 0x7b, 0x32, 0xff, 0x9f, 0x2, 0xd1, 0xd0, 0xb2, 0x2b, 0x2f, 0x6d, 0xaa, 0x6c, 0x64, 0x2a, 0x5e, 0x7, 0x1b, 0x35, 0xe7, 0x22, 0xde, 0x79, 0xb8, 0x8e, 0x62, 0x6c, 0x50, 0x9a, 0x4e, 0x62, 0xd5, 0xbc, 0xdc, 0x24, 0x7e, 0xa8, 0xf0, 0xae, 0x8e, 0x21, 0x6f, 0xbd, 0x1f, 0x24, 0x95, 0x96, 0x44, 0xac, 0x23, 0x12, 0x1c, 0x8, 0x70, 0xb1, 0xc9, 0x67, 0x6f, 0xac, 0x6a, 0xb5, 0x21, 0x8f, 0x86, 0x16, 0x21, 0xb7, 0xbc, 0xf8, 0xa3, 0x8f, 0xbd, 0x34, 0x76, 0x1c, 0x69, 0xb6, 0x33, 0xbd, 0xb6, 0x6, 0x73, 0x79, 0x1a, 0x38, 0x66, 0x47, 0x92, 0x6c, 0xdb, 0x78, 0x40, 0xa5, 0x4c, 0x44, 0x12, 0x6a, 0xcc, 0x51, 0x10, 0x6d, 0xa9, 0x91, 0x2e, 0xd0, 0x35, 0xfa, 0xdd, 0x44, 0x47, 0x68, 0xe5, 0x37, 0x47, 0xf7, 0xb3, 0xda, 0xc5, 0xc5, 0xcf, 0x9c, 0xf4, 0x6c, 0xe9, 0x1e, 0x3f, 0xdf, 0xc1, 0x9a, 0x8f, 0xb, 0x48, 0x3b, 0xa1, 0x71, 0x5, 0xc, 0x3c, 0x7b, 0x3a, 0x4b, 0xd5, 0xb3, 0xbe, 0x2f, 0x99, 0xbb, 0xcd, 0x5d, 0x69, 0x36, 0xc0, 0x35, 0x3a, 0x5b, 0x41, 0xb2, 0xdc, 0xf5, 0xa0, 0x52, 0x9a, 0xed, 0x13, 0x44, 0xb4, 0x59, 0x77, 0xd5, 0xf8, 0xd3, 0x33, 0xb, 0xc0, 0x79, 0x73, 0x7, 0x9, 0xe4, 0x64, 0x70, 0xc6, 0x83, 0x18, 0x42, 0xf6, 0xc8, 0x29, 0x6c, 0xd7, 0x73, 0x8, 0x2d, 0xc8, 0xc0, 0x74, 0xd2, 0xa3, 0x33, 0xa4, 0xbf, 0x1e, 0x89, 0xa5, 0x23, 0x8f, 0x77, 0xdc, 0x56, 0x4, 0xde, 0xe2, 0x35, 0x65, 0xbf, 0x63, 0xd6, 0xce, 0x17, 0xb5, 0x5d, 0x48, 0xdb, 0x8f, 0x48, 0xc2, 0x26, 0xb2, 0x19, 0x5e, 0xa5, 0xbb, 0x0, 0xc5, 0xa2, 0x30, 0x3d, 0xd8, 0x47, 0xe6, 0x1f, 0xdc, 0x81, 0x8a, 0xf7, 0x7e, 0xf7, 0x57, 0x8, 0x9b, 0x4a, 0x1a, 0x13, 0x34, 0xa3, 0xd5, 0x11, 0xf5, 0x93, 0xd3, 0x29, 0xf9, 0x4a, 0xa9, 0xc0, 0x1a, 0xec, 0xa6, 0xda, 0xb, 0x5c, 0x3a, 0xbc, 0xed, 0xd7, 0xd2, 0x88, 0x93, 0xe4, 0x9f, 0xba, 0x97, 0x47, 0x61, 0xbb, 0xb4, 0x35, 0x43, 0xbb, 0x33, 0x35, 0xf8, 0x72, 0x68, 0x4d, 0x1c, 0x99, 0xb6, 0x8f, 0x5, 0x8a, 0xe7, 0xee, 0xbb, 0xed, 0x1a, 0x12, 0x9, 0xfb, 0xdc, 0x9d, 0xd1, 0xb9, 0xce, 0xdd, 0x4d, 0xd3, 0x5b, 0xb4, 0x1b, 0xa4, 0xc4, 0x4b, 0x96, 0x0, 0xb9, 0x80, 0xbc, 0x2d, 0x54, 0xb6, 0x6c, 0x1d, 0x7d, 0x13, 0xd9, 0x4e, 0xc5, 0x1, 0x3d, 0x48, 0xdb, 0x16, 0x90, 0x1b, 0x2e, 0xe2, 0x28, 0x65, 0xbc, 0x1, 0xc5, 0x5f, 0x6b, 0x64, 0xad, 0x6c, 0x81, 0xf8, 0xd2, 0xb2, 0xb3, 0x1c, 0xf0, 0xd2, 0x28, 0x8c, 0x25, 0x53, 0xb1, 0xb0, 0x5d, 0xd7, 0xa3, 0xea, 0xd6, 0x93, 0xb4, 0xd, 0x7d, 0xe8, 0xd, 0x2b, 0x9a, 0x41, 0x93, 0x84, 0xfe, 0xd8, 0x3, 0x8f, 0xe4, 0xa1, 0x3a, 0xb2, 0x8, 0xc5, 0xf6, 0xfa, 0x47, 0xf7, 0x49, 0x35, 0xd5, 0x35, 0x1a, 0x57, 0x37, 0xf1, 0x38, 0xb8, 0xf9, 0xfc, 0xe2, 0x58, 0x5e, 0x9f, 0xf5, 0x3c, 0xfd, 0xa7, 0xee, 0x6c, 0x18, 0xc7, 0x39, 0xad, 0x6b, 0x28, 0x2f, 0xfb, 0x76, 0x5e, 0xe2, 0xd1, 0xca, 0x9d, 0xe3, 0xef, 0xd9, 0xba, 0x4, 0xe9, 0xc7, 0xed, 0x90, 0x51, 0xe7, 0x60, 0xa5, 0xb5, 0xec, 0xf, 0x3e, 0x6, 0x6f, 0x6a, 0xc3, 0xac, 0xd8, 0xae, 0x85, 0xed, 0x50, 0x51, 0x6c, 0xaf, 0x20, 0x6d, 0xbc, 0xcf, 0x6c, 0xb5, 0xfa, 0xdb, 0x69, 0x2c, 0x98, 0x1e, 0xd, 0x7e, 0xa9, 0x10, 0x7e, 0x7c, 0x8a, 0x62, 0xf5, 0xab, 0xd3, 0xa1, 0x78, 0xe9, 0xce, 0x68, 0xb8, 0x77, 0x4, 0x2d, 0xb9, 0x7a, 0x33, 0x8b, 0xa6, 0xe3, 0x62, 0xb8, 0xa5, 0x87, 0x94, 0x97, 0x2, 0x51, 0x1d, 0xd4, 0x61, 0x3a, 0xc3, 0x6, 0x6, 0x5f, 0xf1, 0x26, 0x93, 0x6f, 0x27, 0xbe, 0x14, 0x28, 0x2e, 0x3c, 0xfe, 0xc6, 0x14, 0x1c, 0x52, 0x2f, 0x51, 0x73, 0xdf, 0xac, 0x7d, 0x4d, 0x46, 0x17, 0x44, 0x7e, 0x7f, 0x77, 0xd3, 0xf9, 0xf5, 0x10, 0xab, 0xa2, 0x8, 0x74, 0x19, 0x64, 0x21, 0x1d, 0x6a, 0x91, 0x28, 0x59, 0x18, 0xd5, 0x55, 0xae, 0xea, 0x5e, 0x16, 0xf3, 0x4a, 0x68, 0x75, 0xdf, 0x59, 0xef, 0x4e, 0xd8, 0xd5, 0x64, 0x83, 0x53, 0x1a, 0x3b, 0x56, 0x70, 0x15, 0x20, 0x4e, 0xb5, 0xff, 0xef, 0x4c, 0x6b, 0xa7, 0xbb, 0xd9, 0x74, 0xdc, 0x82, 0x6, 0x7a, 0xd8, 0xcb, 0xbe, 0xfc, 0x6c, 0x11, 0x93, 0xf1, 0x2, 0xa4, 0x0, 0xe, 0x7d, 0xb3, 0x9f, 0x26, 0x6b, 0x61, 0x8e, 0xce, 0xe5, 0x2d, 0xe6, 0x7d, 0x4, 0x38, 0xf7, 0xaa, 0x53, 0x41, 0xdd, 0x4f, 0x75, 0x11, 0xa1, 0xab, 0x9b, 0xb4, 0x70, 0x37, 0xba, 0x59, 0x57, 0x51, 0x61, 0x3a, 0x42, 0xaa, 0xf8, 0xeb, 0x9, 0x8b, 0x92, 0xfb, 0x41, 0xcd, 0xa1, 0x45, 0x22, 0x59, 0x36, 0x89, 0x4c, 0x9b, 0xc1, 0x8e, 0xba, 0x1c, 0xe, 0x71, 0x36, 0xaf, 0xe3, 0x91, 0x7e, 0xa8, 0x16, 0xc4, 0x9f, 0x84, 0x85, 0x89, 0xf6, 0x65, 0x3c, 0xa7, 0xba, 0xcd, 0x34, 0xa9, 0x3, 0x3c, 0x47, 0x66, 0xcb, 0xbf, 0x1b, 0x31, 0x2f, 0x11, 0xcd, 0x93, 0x4e, 0xde, 0x40, 0x13, 0xc1, 0x69, 0x7b, 0x53, 0xdb, 0x66, 0xb9, 0x58, 0x24, 0xbd, 0xe7, 0x7, 0x5b, 0x88, 0x18, 0xb0, 0x74, 0xf9, 0x32, 0xd3, 0xc8, 0x70, 0xa5, 0x45, 0xb1, 0x5d, 0x7b, 0x83, 0x9b, 0x54, 0xd1, 0xd0, 0xfd, 0x30, 0xe3, 0xa2, 0x34, 0x3d, 0xe4, 0x4c, 0xd8, 0x1f, 0x61, 0x5d, 0x3b, 0xb4, 0xce, 0x59, 0x37, 0xee, 0xc7, 0x86, 0x91, 0x61, 0x8c, 0xc7, 0x5b, 0x89, 0x5a, 0x72, 0xb9, 0xcb, 0x9, 0x38, 0x9c, 0xf1, 0x1f, 0x4b, 0x74, 0xde, 0xaa, 0x21, 0xbe, 0xc0, 0x6b, 0x5, 0xf8, 0x60, 0xb0, 0x22, 0xd2, 0xa7, 0x11, 0xfe, 0x3e, 0xb2, 0x57, 0x61, 0xbe, 0x74, 0x53, 0x82, 0xd6, 0xc, 0x4f, 0x2b, 0xab, 0x6f, 0xb4, 0x58, 0x23, 0x51, 0x73, 0x1d, 0x5c, 0x3e, 0xc9, 0x99, 0xbb, 0x30, 0xb2, 0x42, 0x57, 0xcb, 0x1a, 0x3, 0x2d, 0x3c, 0xa8, 0x2f, 0x2e, 0x4a, 0xb8, 0x78, 0x98, 0xfb, 0x2b, 0xc9, 0x1b, 0x37, 0x6c, 0x65, 0x75, 0x82, 0x9c, 0x1f, 0xa7, 0x1e, 0xa1, 0x0, 0x3, 0x1c, 0xa2, 0x94, 0xf7, 0x14, 0xe5, 0x54, 0xea, 0x26, 0x98, 0xe7, 0xea, 0x8, 0xc6, 0x54, 0x1a, 0x17, 0xe5, 0x54, 0x58, 0xcf, 0x25, 0xd7, 0xf1, 0x4b, 0x5f, 0xea, 0x33, 0xad, 0xf, 0x95, 0x6c, 0x4f, 0xe2, 0x8e, 0x1d, 0x9c, 0x6, 0xaf, 0x77, 0xa3, 0x8a, 0xe7, 0x4e, 0x54, 0xe1, 0x13, 0xa1, 0x94, 0xbb, 0x89, 0xf4, 0x54, 0xe8, 0xb7, 0x2f, 0x99, 0x34, 0xd6, 0x11, 0x8f, 0x47, 0x43, 0xa4, 0xa2, 0xaa, 0xa7, 0x69, 0x1, 0x0, 0xe, 0x2, 0x95, 0xaf, 0xd4, 0x49, 0x1d, 0xb, 0x12, 0x8e, 0xe0, 0x22, 0x57, 0x94, 0x95, 0x86, 0x38, 0xba, 0xb7, 0xb3, 0xfb, 0xa, 0x28, 0xa8, 0x34, 0x89, 0x36, 0x3e, 0x3a, 0x80, 0x8, 0xab, 0x71, 0xf6, 0x31, 0x65, 0xdf, 0x80, 0xf9, 0x91, 0x47, 0x72, 0x1a, 0xea, 0x4a, 0x89, 0x90, 0x50, 0xa3, 0x1d, 0x8d, 0xa9, 0x66, 0x5b, 0x54, 0xa5, 0x53, 0x13, 0x41, 0xbf, 0xfb, 0xf4, 0x9d, 0x8a, 0x8, 0x98, 0xa3, 0x3c, 0x74, 0x52, 0x15, 0x17, 0x57, 0x2d, 0xb8, 0xde, 0x4c, 0xc1, 0xd1, 0x82, 0x22, 0xd3, 0xa4, 0x78, 0x38, 0xe3, 0xb6, 0xe7, 0xa, 0x2, 0x48, 0x9d, 0x2, 0x6e, 0xe3, 0x50, 0xb7, 0xa9, 0x37, 0xfb, 0x47, 0x58, 0xe0, 0x19, 0x38, 0x9e, 0xb2, 0x2c, 0x81, 0x76, 0xf8, 0xf0, 0x17, 0x3a, 0xd2, 0x8e, 0x13, 0xad, 0x84, 0xe, 0x95, 0xb3, 0xf0, 0x80, 0x44, 0x7b, 0x6d, 0xe0, 0x7a, 0xd6, 0x2f, 0xf4, 0xae, 0xa8, 0xdf, 0xf6, 0x3a, 0x33, 0x52, 0x24, 0xea, 0x3e, 0x8d, 0x83, 0xec, 0xc5, 0xf5, 0xfd, 0x3a, 0x8d, 0xb2, 0xad, 0x9f, 0x4, 0x91, 0xc1, 0xf6, 0x6a, 0x8d, 0x1a, 0x1e, 0xbe, 0xff, 0xff, 0x64, 0x79, 0x41, 0xa, 0x79, 0x1c, 0xf5, 0xea, 0x9e, 0xce, 0xba, 0x79, 0x29, 0xf, 0xb2, 0x36, 0x22, 0x2, 0x42, 0x1, 0x38, 0x5d, 0x76, 0x29, 0xb7, 0x5, 0x6b, 0xe7, 0xe3, 0x6d, 0x6d, 0x0, 0xe2, 0xe, 0xbe, 0x3a, 0xaf, 0x1, 0x1e, 0x1, 0xd5, 0x6e, 0xb9, 0xcc, 0x5a, 0x5d, 0xb1, 0x75, 0x20, 0x5, 0xd, 0xc4, 0x5b, 0x81, 0xbd, 0x9f, 0xc7, 0xd9, 0xc6, 0xf2, 0x6c, 0xa3, 0xdf, 0x88, 0xfd, 0xca, 0x8d, 0x70, 0x90, 0xaa, 0x38, 0xe2, 0xcb, 0x8c, 0x90, 0xce, 0xaf, 0x35, 0xba, 0xc4, 0x22, 0x87, 0x63, 0xb, 0xbf, 0x6a, 0xfd, 0xb0, 0xa8, 0x3d, 0x5a, 0xc1, 0x35, 0xc3, 0xc9, 0x2c, 0x25, 0xce, 0x2d, 0x9b, 0x79, 0xaa, 0x65, 0xde, 0xf0, 0xe7, 0x84, 0x62, 0xbc, 0xed, 0xe0, 0xec, 0x62, 0x87, 0xef, 0xfb, 0x73, 0x27, 0x85, 0x28, 0x98, 0x44, 0x33, 0x85, 0x38, 0xae, 0xc3, 0xf3, 0x90, 0x9b, 0x2c, 0xb2, 0x56, 0x1e, 0x73, 0x12, 0x18, 0x19, 0xd8, 0xf0, 0x31, 0x68, 0x73, 0x95, 0x7e, 0x5d, 0x20, 0x5d, 0xc1, 0x41, 0xd6, 0x48, 0x8d, 0x81, 0xc3, 0x7c, 0x15, 0x3e, 0xf4, 0x39, 0x38, 0xb6, 0xc6, 0xf0, 0x51, 0xad, 0x36, 0x47, 0x4, 0x16, 0x55, 0xcb, 0x72, 0x9a, 0xb9, 0x22, 0xa5, 0x1, 0x21, 0x16, 0x80, 0x61, 0x87, 0x67, 0x6e, 0xde, 0x6, 0x3e, 0x65, 0xf3, 0xe6, 0xcd, 0xc7, 0xf8, 0x5f, 0x4a, 0x75, 0xa6, 0xc7, 0xb5, 0x1a, 0x82, 0xa, 0xa2, 0xb5, 0xb0, 0x7c, 0x2b, 0xa5, 0x3f, 0x7e, 0x90, 0x87, 0x4, 0xc9, 0x1c, 0x12, 0xfb, 0xa7, 0x3a, 0x5, 0xce, 0x6, 0x20, 0x50, 0x72, 0x1a, 0xb0, 0x29, 0xe9, 0x4, 0x1f, 0xa3, 0x90, 0xb4, 0x6e, 0x7e, 0x40, 0xbc, 0x19, 0x77, 0xbb, 0x70, 0x41, 0xeb, 0x4c, 0xd8, 0xef, 0x28, 0x13, 0x23, 0x20, 0xbb, 0x4, 0xc1, 0x1f, 0x6a, 0xca, 0x8b, 0x71, 0x90, 0xb, 0x28, 0x25, 0xe4, 0xf4, 0xd6, 0x82, 0x6a, 0x89, 0x92, 0xa2, 0x95, 0x1b, 0xb4, 0x67, 0xdf, 0x34, 0xfa, 0x35, 0xf4, 0x5c, 0x73, 0x69, 0xd7, 0xd6, 0xd9, 0x8, 0x1a, 0x33, 0xbc, 0x7e, 0x74, 0x82, 0x26, 0x5, 0x86, 0x97, 0x57, 0xad, 0x61, 0xdd, 0x62, 0x7d, 0xe4, 0x7b, 0xe1, 0x71, 0x13, 0xe0, 0x6b, 0x1c, 0x96, 0x1a, 0x78, 0xba, 0xcb, 0xe3, 0xda, 0xd3, 0xbf, 0x63, 0x10, 0xba, 0xc9, 0x73, 0x7f, 0x6, 0x74, 0x64, 0x35, 0x29, 0xa1, 0x36, 0x27, 0x7b, 0x95, 0xe, 0xf5, 0x56, 0xf2, 0x13, 0xed, 0x2, 0x37, 0x31, 0xa6, 0xc5, 0xfc, 0x19, 0x3a, 0x65, 0xee, 0x36, 0x94, 0xb6, 0xc8, 0xa4, 0xe7, 0x29, 0xdb, 0x2b, 0xcf, 0xbe, 0xb8, 0xf3, 0x87, 0x42, 0xf7, 0x8a, 0x69, 0x1d, 0x59, 0xa1, 0xd1, 0x1a, 0x9d, 0x5d, 0x4f, 0xe1, 0xac, 0xe4, 0xf, 0x3c, 0xac, 0xf, 0x54, 0x7d, 0x4a, 0x89, 0xc6, 0x24, 0x9b, 0xa6, 0x83, 0x46, 0xeb, 0x6f, 0xad, 0xee, 0x7, 0x5c, 0x93, 0xfa, 0x25, 0xf3, 0x7f, 0x88, 0xbd, 0x2c, 0xe0, 0xb, 0x38, 0xc6, 0xbc, 0x9d, 0x8c, 0xf0, 0xe8, 0xce, 0x45, 0xe0, 0xa6, 0xf, 0xf4, 0x7f, 0x9c, 0xd8, 0x5c, 0xf9, 0xc5, 0x44, 0x12, 0x6b, 0xb0, 0xf4, 0x95, 0xab, 0xf4, 0xf0, 0x8a, 0x8c, 0xda, 0x6d, 0x83, 0xe5, 0xb9, 0xc2, 0x59, 0xae, 0x1b, 0xfc, 0xff, 0xcf, 0x3a, 0x7e, 0x1e, 0xd5, 0x7, 0xda, 0xbc, 0xcc, 0xc2, 0x6a, 0x5e, 0xe1, 0x1, 0xe0, 0xc3, 0x28, 0x85, 0x3f, 0x92, 0xc1, 0x3b, 0xd4, 0xea, 0x9f, 0xa4, 0x77, 0x45, 0x32, 0x43, 0x11, 0xa7, 0xa7, 0x2a, 0x84, 0xb8, 0xa1, 0x61, 0x34, 0x3d, 0xe6, 0xb0, 0x31, 0xee, 0xe7, 0x4f, 0xab, 0x4f, 0xe5, 0xa9, 0x72, 0x5, 0x60, 0xf4, 0xa4, 0xb5, 0xe7, 0xd5, 0x34, 0x33, 0x49, 0xc0, 0x31, 0x48, 0xd5, 0x6, 0x92, 0xfb, 0x89, 0x85, 0x3a, 0x55, 0x83, 0x65, 0xcc, 0xf5, 0x70, 0xaa, 0xe5, 0x49, 0x56, 0xe2, 0x4a, 0x9, 0x79, 0x8, 0x52, 0x46, 0x4, 0x10, 0x7, 0x45, 0x90, 0xcc, 0x4f, 0x1c, 0x54, 0x2, 0x6d, 0x69, 0xb0, 0xeb, 0xa6, 0xe7, 0xde, 0xa2, 0x3e, 0x1a, 0x8c, 0x75, 0x84, 0x22, 0x4b, 0x73, 0x3c, 0x2f, 0xde, 0xdc, 0xad, 0xa6, 0xab, 0x4e, 0xd2, 0x45, 0xa4, 0xab, 0xa7, 0xe0, 0xce, 0x76, 0x68, 0xf6, 0xaa, 0x35, 0x9a, 0x4, 0xaa, 0xe5, 0xa9, 0x4, 0xb, 0x7e, 0x84, 0x3e, 0x10, 0x91, 0xad, 0x83, 0x40, 0xe7, 0xc3, 0xec, 0xaf, 0x40, 0xce, 0x83, 0xb1, 0xbe, 0x7a, 0x3f, 0x4, 0xea, 0x9f, 0xde, 0x89, 0x6b, 0x35, 0x52, 0x37, 0x99, 0x3, 0xe, 0x9f, 0xb9, 0x70, 0x79, 0x91, 0xb9, 0x47, 0xc8, 0x14, 0x76, 0x67, 0xc0, 0x4e, 0x52, 0xe9, 0x3c, 0xc9, 0xfe, 0x20, 0x25, 0x12, 0x9b, 0xf8, 0x7b, 0xe, 0xe4, 0x74, 0x47, 0x4c, 0xee, 0x31, 0x6, 0x67, 0xb5, 0x4c, 0x91, 0x4, 0x3b, 0x7a, 0x84, 0x3, 0x6f, 0x26, 0xd2, 0x9d, 0xdc, 0x29, 0x94, 0x6e, 0xc9, 0xf8, 0xc1, 0x57, 0x8c, 0x6c, 0x9b, 0x48, 0x43, 0x66, 0xba, 0x67, 0xfe, 0x23, 0x9d, 0x29, 0xe, 0x34, 0x2f, 0xcf, 0x93, 0x60, 0x7, 0x45, 0x91, 0x13, 0xf9, 0xfc, 0x97, 0xa9, 0x5e, 0x5b, 0xf4, 0xda, 0xdd, 0xd7, 0x8b, 0x43, 0x8, 0xe0, 0x5b, 0x4d, 0xf0, 0x3f, 0xd5, 0x5, 0x3e, 0x8c, 0x35, 0xf7, 0x1e, 0xe9, 0x5d, 0xc3, 0xcd, 0x7c, 0xbf, 0xa0, 0xc1, 0x9e, 0xb6, 0xbf, 0x4d, 0x68, 0xad, 0x97, 0xd9, 0x1f, 0x80, 0xf2, 0x7c, 0x7e, 0x36, 0xfb, 0x38, 0x23, 0xcc, 0x27, 0xd2, 0xff, 0x46, 0x53, 0x61, 0xe2, 0x90, 0xa9, 0x6f, 0xff, 0x89, 0x76, 0x0, 0x1a, 0x33, 0x79, 0x7, 0x57, 0xbe, 0xaf, 0xf3, 0xe1, 0x6, 0xc5, 0x41, 0xd2, 0x43, 0xa3, 0x62, 0x9b, 0xde, 0x7d, 0xb9, 0xcd, 0xfd, 0xea, 0x30, 0xae, 0xa0, 0x84, 0xe9, 0x6, 0x6a, 0x7d, 0xdf, 0xbd, 0x4f, 0x80, 0x16, 0xbf, 0xc9, 0xc4, 0x63, 0x61, 0xd3, 0xa2, 0x71, 0x4, 0x17, 0x5e, 0x65, 0x13, 0x31, 0xae, 0xa8, 0x5b, 0xff, 0x80, 0x31, 0xb8, 0x57, 0x2b, 0x6e, 0x2c, 0xfa, 0xbe, 0xea, 0xe0, 0x77, 0x19, 0x27, 0x48, 0x1c, 0x97, 0xea, 0x7f, 0x33, 0x55, 0xc5, 0xf3, 0xf9, 0xcb, 0x81, 0x25, 0xa4, 0x22, 0x70, 0xf, 0x34, 0xe3, 0x10, 0xf7, 0x18, 0xc2, 0xb, 0xde, 0xe1, 0xa8, 0x5a, 0x2e, 0xf6, 0xde, 0xa, 0x64, 0xee, 0x40, 0x89, 0x42, 0x49, 0x91, 0x38, 0xb2, 0x16, 0xc3, 0xc, 0x95, 0x55, 0xe4, 0x19, 0x16, 0x36, 0xb8, 0x6b, 0xb6, 0x56, 0x5c, 0x66, 0x1d, 0xc7, 0x84, 0x6d, 0xac, 0xaf, 0x34, 0x4b, 0x3, 0xea, 0xe3, 0xc7, 0xe4, 0xe5, 0x32, 0xf8, 0x87, 0xa9, 0xa7, 0xa6, 0x79, 0x7a, 0x72, 0x27, 0x74, 0xa0, 0x23, 0x6c, 0x6d, 0xe2, 0x17, 0xd0, 0xe5, 0x56, 0x10, 0x7e, 0x16, 0x38, 0x76, 0xb9, 0x50, 0x7e, 0x4e, 0xa8, 0x8a, 0xe8, 0xef, 0x81, 0x6c, 0xaa, 0x95, 0x85, 0xdc, 0xb0, 0xb7, 0xf3, 0xa1, 0xc, 0x2e, 0x9f, 0x1d, 0x9f, 0x8, 0x46, 0xde, 0x27, 0xa7, 0x82, 0xdd, 0xba, 0x39, 0xbf, 0xf3, 0x1a, 0x48, 0x24, 0x86, 0x65, 0x79, 0x6a, 0x35, 0x79, 0x52, 0xa0, 0xf9, 0xf5, 0x45, 0x23, 0x60, 0xc0, 0xf9, 0x42, 0x9a, 0x13, 0x89, 0xf, 0x8b, 0x1a, 0xfc, 0x40, 0x4d, 0x84, 0x42, 0xee, 0x3e, 0xb5, 0x68, 0x63, 0x5b, 0x4e, 0xe5, 0xbf, 0xb0, 0x93, 0xbf, 0x5b, 0x32, 0x4d, 0xd7, 0x59, 0x39, 0x47, 0xb9, 0x14, 0x61, 0x8d, 0xec, 0xbe, 0x61, 0x2a, 0xee, 0xe2, 0x4b, 0x92, 0x94, 0x2a, 0x67, 0x25, 0xc, 0x3d, 0xc2, 0xf2, 0xdb, 0x95, 0x85, 0xa4, 0x38, 0x18, 0x22, 0x6a, 0x8b, 0x84, 0x76, 0xe4, 0x73, 0xb6, 0xc1, 0x35, 0x9a, 0xe6, 0x43, 0xe7, 0x3, 0x85, 0x46, 0xd8, 0x99, 0x24, 0xb4, 0x2a, 0xa7, 0xb, 0xe9, 0xe9, 0x54, 0x0, 0xaa, 0x62, 0x11, 0x29, 0x48, 0xbc, 0xf1, 0x13, 0x8d, 0x35, 0x26, 0x7f, 0xfa, 0xb7, 0x71, 0x19, 0x5d, 0x68, 0xe4, 0xae, 0xe1, 0x2b, 0x1d, 0xa5, 0x67, 0x3e, 0xa9, 0x14, 0xd1, 0x98, 0x9, 0x85, 0x41, 0xe0, 0x61, 0x25, 0x5, 0x4e, 0x60, 0x9f, 0x63, 0x59, 0x18, 0x8, 0x5d, 0x15, 0x49, 0x5c, 0x7, 0x32, 0x1c, 0x4b, 0xb6, 0x67, 0x3b, 0x34, 0xa2, 0x2a, 0x6a, 0x3e, 0xf5, 0x67, 0x29, 0x5e, 0x44, 0x1b, 0xe0, 0x4, 0xa9, 0x73, 0x17, 0x27, 0xfb, 0xbd, 0x73, 0x8d, 0x88, 0x28, 0xb, 0xe4, 0xe1, 0x7c, 0x1b, 0x7d, 0xa9, 0xea, 0xf6, 0x35, 0x7e, 0x2e, 0x97, 0xa0, 0xaf, 0xa9, 0x2a, 0x77, 0x61, 0xd0, 0x59, 0x7c, 0x1f, 0x7a, 0xc4, 0xc7, 0x4a, 0x43, 0x9a, 0x7b, 0x9b, 0xe7, 0x4a, 0x12, 0x21, 0x6e, 0xc7, 0xec, 0x22, 0xbb, 0xf3, 0xcf, 0x5a, 0x5, 0xd3, 0x58, 0xc8, 0x84, 0xc9, 0x7a, 0xfd, 0x8b, 0x9c, 0x78, 0x24, 0xc0, 0x2, 0xdd, 0x34, 0x54, 0xfc, 0x7b, 0xb5, 0x41, 0xea, 0xa9, 0xdc, 0x90, 0xdf, 0x98, 0x33, 0x24, 0xe2, 0x98, 0xa8, 0x8a, 0xbb, 0x94, 0x4a, 0x89, 0x34, 0xc8, 0x7, 0xf6, 0x76, 0x9b, 0xc9, 0xc2, 0x97, 0xbe, 0x7, 0xbb, 0x2, 0x93, 0xc2, 0x18, 0x67, 0xba, 0x76, 0x65, 0x8c, 0xa8, 0x3, 0xe7, 0xcc, 0xef, 0x79, 0x3d, 0x6, 0xd1, 0xa0, 0xb6, 0xd7, 0xce, 0x59, 0xf2, 0xad, 0x68, 0x1f, 0x9f, 0xf5, 0x7d, 0xd5, 0x2f, 0xc8, 0x70, 0x64, 0xb0, 0xdb, 0xc6, 0xdc, 0x5d, 0x7, 0x73, 0xb4, 0xa9, 0x51, 0x64, 0x1b, 0x80, 0xf4, 0x1b, 0x55, 0x76, 0xe3, 0xc8, 0x51, 0x6b, 0xa9, 0x1d, 0x4e, 0xd4, 0xf7, 0xd1, 0xb, 0xef, 0xc, 0x60, 0x4e, 0x4d, 0x1d, 0xcb, 0x4b, 0x71, 0xc7, 0x40, 0x65, 0xc, 0xe4, 0xb9, 0x7b, 0xc5, 0x44, 0xc6, 0x7c, 0x32, 0xc2, 0x1e, 0xbd, 0x71, 0xa, 0x4f, 0xd8, 0xcf, 0xb5, 0x33, 0xcd, 0x0, 0xdd, 0xd, 0x6b, 0x4e, 0xf7, 0x68, 0xa5, 0xcf, 0xf4, 0x48, 0xf, 0x2d, 0xdb, 0x4e, 0x69, 0x1c, 0xd8, 0x7d, 0xff, 0xfe, 0xcc, 0xc7, 0x47, 0x27, 0xb2, 0x24, 0x8c, 0xac, 0xad, 0xec, 0xda, 0xce, 0xe5, 0xa5, 0x42, 0x7, 0x3f, 0xde, 0x29, 0xdb, 0x6d, 0x29, 0x90, 0x30, 0xbb, 0x8f, 0x5d, 0xe3, 0x4a, 0xb5, 0x1f, 0xb1, 0xf7, 0xab, 0x8c, 0x78, 0x1f, 0xd8, 0x4d, 0x7f, 0x7e, 0xcf, 0x52, 0x9a, 0x5e, 0xc0, 0x69, 0x5e, 0xe1, 0x2b, 0x13, 0xa0, 0x72, 0x4d, 0xf, 0x2a, 0x47, 0xb7, 0xda, 0x90, 0x6, 0x67, 0x2d, 0x31, 0x11, 0xf9, 0x42, 0xc1, 0x8b, 0x99, 0x61, 0x82, 0x1f, 0x63, 0xd3, 0xe8, 0x94, 0x1c, 0x5c, 0x61, 0xae, 0x2f, 0xf4, 0xf0, 0x5d, 0xfa, 0xc3, 0xae, 0x8c, 0x94, 0x4e, 0x2f, 0x1e, 0x10, 0x74, 0xa3, 0xa8, 0xe7, 0x2a, 0x24, 0xb, 0x61, 0xde, 0xc8, 0x5d, 0x3a, 0x89, 0xf, 0xce, 0x23, 0xe2, 0x67, 0xfb, 0x15, 0xc5, 0xe8, 0xc5, 0x6d, 0xad, 0x4e, 0xa6, 0xbf, 0x74, 0x77, 0x8f, 0x72, 0x5c, 0x92, 0x95, 0xf, 0xd2, 0x89, 0xce, 0x83, 0x85, 0x9, 0x66, 0x9, 0x1e, 0x7a, 0xd7, 0xa7, 0xf2, 0x93, 0x94, 0xdb, 0xee, 0xa2, 0x4a, 0x4d, 0x30, 0x4c, 0x97, 0x20, 0x28, 0x1b, 0x2d, 0x28, 0x77, 0xc0, 0xda, 0xe3, 0x42, 0x8, 0x52, 0xbe, 0x88, 0xd0, 0xca, 0x78, 0xa8, 0x1f, 0x56, 0xe6, 0xe1, 0xa9, 0x7, 0xcb, 0xc2, 0x89, 0xdb, 0x62, 0x9d, 0x21, 0xc3, 0xc5, 0x5b, 0x38, 0x52, 0x27, 0xda, 0x5f, 0x6b, 0x67, 0x2b, 0xd8, 0xfc, 0xea, 0x4, 0xe3, 0x9e, 0xdc, 0x49, 0x24, 0xa2, 0x4e, 0x2f, 0x63, 0x91, 0x79, 0x9e, 0x1e, 0xb9, 0xe0, 0xd5, 0xcd, 0x61, 0xe0, 0x36, 0x30, 0xbc, 0x25, 0x8, 0x83, 0xff, 0xf6, 0xa6, 0x75, 0x9b, 0x5e, 0xf6, 0x81, 0x4, 0x26, 0x5b, 0x2e, 0x37, 0xf8, 0x1, 0x49, 0xc0, 0x56, 0x1, 0x48, 0x33, 0xb7, 0x57, 0xb8, 0xab, 0x86, 0x7f, 0x55, 0x11, 0x44, 0x5b, 0x73, 0xe, 0xed, 0xe3, 0x88, 0x2e, 0x73, 0x33, 0x2a, 0xd, 0x68, 0x37, 0xc3, 0x1f, 0xc1, 0xc9, 0x31, 0xcb, 0xbf, 0x99, 0xa5, 0xc4, 0x1, 0x52, 0xa9, 0x51, 0xf8, 0x82, 0xb2, 0x95, 0xdf, 0x4d, 0x85, 0x8a, 0xda, 0x42, 0xd3, 0xb4, 0xed, 0x9d, 0x44, 0xdc, 0xcd, 0xf, 0xb1, 0xcf, 0x4a, 0x24, 0xd1, 0x42, 0x0, 0x89, 0x2c, 0x17, 0x70, 0xfc, 0xc7, 0xca, 0x72, 0x30, 0x9b, 0x3f, 0x6, 0xe8, 0x9c, 0x85, 0xa6, 0xcd, 0x1a, 0xf5, 0xe2, 0x51, 0x7f, 0x3c, 0x31, 0x43, 0xd2, 0x78, 0x95, 0x3d, 0xd7, 0xa4, 0xf1, 0xa3, 0x52, 0x6e, 0xce, 0xf0, 0x64, 0x7a, 0x5b, 0x78, 0xda, 0x2d, 0x4c, 0x2a, 0x44, 0x15, 0x63, 0x76, 0x2e, 0x7b, 0x2d, 0x9e, 0x3b, 0xa3, 0x72, 0xd9, 0xe4, 0xff, 0x18, 0x82, 0xc4, 0x27, 0xb, 0xc6, 0x7c, 0x91, 0x9d, 0x14, 0x84, 0x38, 0x8, 0xc7, 0x8f, 0xcc, 0x1e, 0x46, 0x2f, 0x6f, 0x34, 0x4, 0x5c, 0xa9, 0x50, 0x46, 0x61, 0xf2, 0xfd, 0xe9, 0xeb, 0xac, 0x66, 0xf6, 0xc1, 0x37, 0xb5, 0x35, 0x5e, 0x83, 0xbc, 0xba, 0x88, 0xd1, 0x13, 0x56, 0x64, 0x3e, 0xc9, 0xe1, 0xc5, 0x3a, 0xce, 0xca, 0x88, 0x1a, 0x11, 0x1f, 0x15, 0x4, 0xb0, 0xf9, 0x94, 0xfa, 0xc5, 0xdb, 0x7, 0x5b, 0x3, 0xa5, 0xc7, 0xd7, 0x49, 0x9e, 0x60, 0xa7, 0x8e, 0x95, 0x53, 0xc0, 0xf4, 0x13, 0x90, 0xd7, 0xb4, 0x26, 0x5, 0xbd, 0x2f, 0x3e, 0x59, 0xbb, 0x5e, 0xde, 0x66, 0x37, 0xc, 0x2e, 0x4c, 0xb4, 0xf8, 0x7c, 0x6e, 0x78, 0x3e, 0x98, 0x8c, 0x8b, 0xfc, 0x72, 0x6f, 0xd7, 0xf9, 0x48, 0x23, 0x63, 0x9b, 0xab, 0x6f, 0x59, 0xac, 0x70, 0xeb, 0x81, 0x2e, 0xd0, 0x58, 0xf7, 0xd8, 0x17, 0x44, 0x9b, 0x76, 0x22, 0xf5, 0xff, 0x74, 0x72, 0x7, 0xd5, 0x63, 0x30, 0x9f, 0xac, 0xe8, 0xf, 0x34, 0x4f, 0x6f, 0xac, 0xf5, 0xba, 0x14, 0x9, 0xb5, 0xd1, 0xd9, 0x72, 0xce, 0x5c, 0x25, 0xbc, 0xb7, 0x84, 0x59, 0x83, 0xb3, 0x8f, 0x3, 0xa5, 0x7c, 0xa7, 0x3f, 0x5d, 0x14, 0x13, 0xab, 0x8f, 0xad, 0xc6, 0xa3, 0xcd, 0x7a, 0x68, 0x84, 0x3d, 0x6a, 0x52, 0xa3, 0x48, 0xc7, 0x32, 0x80, 0xe3, 0x27, 0x99, 0x47, 0xab, 0x3f, 0xe7, 0xc, 0x43, 0xfa, 0x29, 0x36, 0xad, 0x91, 0x44, 0x4c, 0x61, 0x71, 0x2c, 0xb, 0xaf, 0xc5, 0x11, 0x16, 0x21, 0xc, 0xa5, 0x3f, 0xde, 0xce, 0x83, 0x80, 0x33, 0x2, 0xba, 0x89, 0x68, 0x6e, 0x32, 0xfe, 0xf0, 0x77, 0x59, 0x19, 0xa, 0xee, 0x5a, 0xbc, 0x4b, 0xf, 0x5d, 0x90, 0xea, 0x1, 0x23, 0x2e, 0xe9, 0x3d, 0x75, 0xa3, 0x9c, 0x20, 0xe3, 0xb6, 0xbb, 0x5f, 0xc8, 0x3c, 0xb0, 0xcc, 0x7e, 0x48, 0xb1, 0xd7, 0x3, 0xf, 0xb9, 0xcc, 0x1f, 0x94, 0x10, 0xc7, 0x38, 0x2a, 0x9c, 0xfa, 0xed, 0xce, 0x24, 0x67, 0x23, 0x38, 0x6c, 0x75, 0x23, 0x3, 0x2d, 0x19, 0x58, 0x22, 0x90, 0x3a, 0x8e, 0x3, 0x5e, 0xea, 0x19, 0xe5, 0x50, 0xb1, 0x91, 0x75, 0x42, 0xc7, 0x65, 0x28, 0xba, 0xdc, 0x48, 0xdb, 0x93, 0x81, 0x5e, 0xb2, 0xcf, 0x12, 0x8c, 0x70, 0xea, 0x3b, 0x63, 0xae, 0xb4, 0xdd, 0x21, 0xf8, 0x81, 0xf1, 0x2e, 0x10, 0xae, 0xda, 0xd9, 0x89, 0xa0, 0x24, 0x30, 0x92, 0x9d, 0x9d, 0xea, 0x6a, 0x87, 0xa0, 0x2d, 0x12, 0xc4, 0x71, 0x9, 0x9c, 0xe1, 0xbb, 0x3b, 0xea, 0x63, 0x1a, 0xc, 0x8d, 0x6f, 0x1, 0x76, 0x80, 0x89, 0x3b, 0x13, 0xb7, 0xa6, 0xae, 0x5d, 0xcc, 0xcc, 0xa5, 0x7d, 0xe9, 0xf6, 0x6, 0xe3, 0x8e, 0xe, 0x51, 0x8c, 0xaa, 0xe, 0xb0, 0xc5, 0x8f, 0x4a, 0x68, 0x33, 0xbf, 0x3f, 0xb9, 0x79, 0x35, 0x31, 0x15, 0x23, 0x17, 0x6b, 0xf6, 0xa6, 0x5f, 0x7f, 0xe6, 0x8c, 0x74, 0x86, 0xce, 0xf6, 0x81, 0x58, 0x81, 0x10, 0x8b, 0xd5, 0xea, 0x18, 0xd3, 0xce, 0xc1, 0x93, 0x33, 0xf3, 0xf2, 0x5b, 0x77, 0x62, 0x86, 0xf2, 0x6f, 0x83, 0x7d, 0x4, 0xc9, 0xc0, 0x7a, 0x61, 0x2f, 0x8e, 0x4a, 0xaf, 0x2b, 0xf2, 0xc3, 0xa6, 0xa6, 0x6d, 0x17, 0xde, 0x9e, 0xd2, 0x77, 0x63, 0xda, 0x7, 0x16, 0x21, 0x5f, 0xa5, 0x40, 0x91, 0xe3, 0x52, 0x14, 0x56, 0x38, 0x8b, 0x85, 0x56, 0x3c, 0x1b, 0xfe, 0x67, 0xc2, 0xd3, 0xd, 0x7a, 0x22, 0x55, 0x7d, 0xdd, 0x4b, 0xc0, 0x66, 0x9, 0x4e, 0x40, 0xe6, 0x55, 0xfe, 0xd2, 0xfb, 0xbc, 0xfc, 0x9c, 0xea, 0x49, 0xcf, 0x81, 0x59, 0x32, 0x7, 0x89, 0x78, 0x7f, 0x23, 0x49, 0xe5, 0xd9, 0xb4, 0xfc, 0x53, 0xf9, 0xbe, 0x43, 0xc4, 0xd6, 0x80, 0x34, 0xeb, 0xa6, 0xd8, 0x84, 0x98, 0x86, 0xb1, 0x48, 0x30, 0xa1, 0xb6, 0x35, 0x8a, 0xa, 0xa9, 0xe9, 0x65, 0x16, 0x47, 0xe4, 0xb4, 0xc0, 0x6, 0x30, 0x65, 0xd, 0x38, 0xbf, 0x45, 0x3b, 0xae, 0xe9, 0x4f, 0xd, 0x82, 0x3f, 0x8f, 0x71, 0x3b, 0x9a, 0x97, 0xa0, 0x35, 0x4a, 0x24, 0xaf, 0x70, 0xa8, 0xae, 0x2, 0xa9, 0x46, 0xae, 0x99, 0xdc, 0xbe, 0x7c, 0xf5, 0xfc, 0xb9, 0xa9, 0x93, 0xe7, 0xb7, 0x79, 0x3f, 0xca, 0xf2, 0x74, 0x28, 0xeb, 0xbe, 0x1d, 0x23, 0xf2, 0xb8, 0xad, 0x85, 0xdf, 0x64, 0x67, 0xe, 0x6, 0x2, 0x63, 0x54, 0xd5, 0xeb, 0x57, 0xd2, 0x20, 0x33, 0x36, 0xe1, 0x22, 0x8d, 0x79, 0x3e, 0x57, 0xfd, 0xd9, 0xed, 0x7d, 0xb6, 0xeb, 0xf5, 0x85, 0x5f, 0x28, 0xc9, 0x55, 0xeb, 0x8a, 0x13, 0xd6, 0xac, 0xa, 0xf0, 0x85, 0x68, 0xd8, 0xa4, 0x1d, 0x79, 0x79, 0x23, 0x5f, 0xb0, 0x44, 0x67, 0x82, 0x5e, 0x16, 0xed, 0x48, 0x45, 0x28, 0xe8, 0xf5, 0xe5, 0x9e, 0xb8, 0x61, 0xb6, 0x85, 0xcc, 0x48, 0xd5, 0x9f, 0x89, 0x86, 0xc5, 0x89, 0xc0, 0x37, 0x70, 0x25, 0xb2, 0xc, 0x29, 0xf9, 0x6f, 0x30, 0x47, 0x9b, 0xf4, 0xec, 0x77, 0x6, 0xeb, 0x2e, 0xba, 0x56, 0xb5, 0xa2, 0xca, 0x11, 0x92, 0x32, 0x6b, 0xd8, 0xd1, 0x7b, 0x33, 0x39, 0x8e, 0x25, 0x26, 0x2a, 0x91, 0xc2, 0xc8, 0x79, 0xb5, 0xa9, 0xc5, 0x4d, 0xe6, 0x42, 0x19, 0x74, 0x87, 0x3d, 0x44, 0x16, 0xc, 0x40, 0x11, 0xf8, 0xf8, 0xa2, 0xc9, 0x6b, 0xe, 0x4e, 0xeb, 0x9e, 0x35, 0x69, 0x9c, 0x81, 0x4b, 0x21, 0xc, 0xce, 0x73, 0x72, 0xbe, 0xe1, 0x81, 0x15, 0xb6, 0x84, 0x81, 0xfb, 0x9a, 0x42, 0xff, 0x6, 0xcd, 0x74, 0x9d, 0xe, 0x1, 0xa1, 0xac, 0xee, 0xa3, 0xac, 0xdf, 0xc7, 0x17, 0x9c, 0x2b, 0xaa, 0x63, 0x80, 0xd3, 0x6c, 0xc8, 0x74, 0xff, 0x14, 0x46, 0x73, 0xb3, 0xc4, 0x95, 0x85, 0xcc, 0x62, 0xf, 0x99, 0xca, 0x0, 0xde, 0xa3, 0xe5, 0x3b, 0xc, 0xca, 0x13, 0xd2, 0xbe, 0xd9, 0xf5, 0xe9, 0x8c, 0xdf, 0x8a, 0x7, 0x86, 0x78, 0x44, 0x44, 0xd4, 0x5c, 0xe3, 0x7c, 0xb2, 0xdd, 0x82, 0x83, 0xee, 0x26, 0x1d, 0x58, 0x7c, 0x9c, 0x8e, 0x63, 0x9d, 0x35, 0xc5, 0xdc, 0x17, 0xcf, 0x3d, 0xae, 0x28, 0xb7, 0xab, 0x73, 0x82, 0xee, 0x47, 0xf0, 0x21, 0xf8, 0x26, 0x29, 0x11, 0x1d, 0x74, 0x1a, 0x49, 0x50, 0x77, 0x84, 0x49, 0x11, 0xb9, 0xdf, 0xe0, 0xfd, 0x61, 0xa7, 0x7f, 0x68, 0xab, 0x35, 0xa4, 0x7e, 0x22, 0x80, 0x25, 0x2c, 0x3f, 0x7e, 0xce, 0x91, 0x94, 0xdb, 0x8b, 0x6b, 0x56, 0x2b, 0xfb, 0x53, 0xa5, 0x3, 0x3a, 0xb2, 0x78, 0x7f, 0x5, 0x4e, 0xe7, 0x41, 0xe1, 0x6c, 0xd9, 0x90, 0xe4, 0x89, 0xc3, 0x25, 0x65, 0x79, 0x75, 0x7e, 0x1a, 0xa3, 0x25, 0x57, 0xc9, 0xb, 0x6, 0xfd, 0x20, 0x12, 0x91, 0x67, 0xc5, 0x1e, 0xd6, 0xb, 0x8b, 0x40, 0x3c, 0x3a, 0x6e, 0x71, 0xa9, 0xeb, 0xeb, 0xe8, 0xf7, 0x6b, 0xcd, 0x31, 0x70, 0xb6, 0xe6, 0xbe, 0xa6, 0x6c, 0x32, 0xa7, 0xd7, 0x41, 0xf2, 0x99, 0x56, 0x35, 0x95, 0x60, 0x9d, 0x34, 0x1a, 0x0, 0xd7, 0xdb, 0x4a, 0xee, 0x91, 0xe4, 0x89, 0xaa, 0x6a, 0xbf, 0x35, 0xb, 0x46, 0x75, 0x6f, 0x13, 0xf4, 0x76, 0x0, 0x7f, 0x3d, 0xda, 0x64, 0x92, 0xba, 0x18, 0x9a, 0xd1, 0x8b, 0xa2, 0xa7, 0x62, 0xcd, 0xd2, 0xb2, 0x6e, 0x71, 0xc9, 0x61, 0x87, 0x1f, 0x94, 0xba, 0xcd, 0x5d, 0x4a, 0xbe, 0xa3, 0x8b, 0x51, 0x50, 0x15, 0xd2, 0x62, 0x7d, 0xcf, 0x82, 0xc9, 0xd3, 0x20, 0x50, 0x81, 0xba, 0x23, 0x9d, 0xe2, 0x36, 0x1f, 0x9e, 0x3f, 0x76, 0x92, 0xf0, 0xb, 0xae, 0x48, 0x7, 0x70, 0x3a, 0x1d, 0x6b, 0x7e, 0x52, 0x7a, 0xe3, 0x85, 0x1a, 0x58, 0x97, 0x90, 0xa8, 0xb4, 0xe5, 0x8b, 0x15, 0xdc, 0xf, 0x52, 0x1a, 0x1f, 0x6e, 0x72, 0x7d, 0x16, 0x7d, 0xb3, 0x8d, 0xf9, 0x62, 0xe8, 0x13, 0x11, 0x6e, 0x78, 0x2, 0x88, 0x18, 0xfc, 0xce, 0x6b, 0x96, 0x98, 0xc3, 0xc3, 0x0, 0x6e, 0x63, 0x18, 0x43, 0xb3, 0x54, 0xb7, 0x91, 0x19, 0x3b, 0xf5, 0x68, 0xa1, 0xb6, 0x6f, 0xe5, 0x2f, 0x4c, 0xb8, 0x55, 0x1b, 0x18, 0x87, 0x8c, 0xbc, 0x21, 0x27, 0x10, 0xc9, 0x86, 0x16, 0x2a, 0xe, 0x3, 0x95, 0x60, 0x6, 0x49, 0xc6, 0xda, 0x55, 0xdf, 0x97, 0x2f, 0xeb, 0xfd, 0x18, 0x31, 0xd2, 0x27, 0x7c, 0xfc, 0x2c, 0xd5, 0x10, 0xb9, 0x31, 0x87, 0x11, 0x9c, 0xe0, 0x1, 0x2a, 0xd8, 0x3c, 0x39, 0xcd, 0x82, 0x61, 0xc4, 0xb6, 0x28, 0xe3, 0x8, 0x75, 0x65, 0xdd, 0xd7, 0x5e, 0xfa, 0xa8, 0x1d, 0x68, 0x1b, 0xca, 0x2, 0x64, 0x2d, 0x27, 0x9f, 0xce, 0x86, 0xbe, 0x3a, 0x60, 0x9c, 0x7c, 0x16, 0x29, 0x5c, 0x43, 0x63, 0x93, 0x42, 0x2a, 0x5a, 0xc4, 0xc1, 0xf7, 0x14, 0x48, 0xcd, 0xca, 0x22, 0x9a, 0x22, 0x62, 0x65, 0x14, 0xc, 0x47, 0x3b, 0x32, 0x31, 0x64, 0x52, 0xb4, 0x18, 0xe4, 0x36, 0xd5, 0x1a, 0x4e, 0xcd, 0x40, 0xc0, 0x3b, 0x93, 0x1, 0x3d, 0xdd, 0xf, 0x43, 0x23, 0x90, 0x64, 0x7, 0xde, 0x6d, 0x3e, 0x3d, 0xb1, 0x23, 0x95, 0x2e, 0xef, 0x64, 0x5, 0x4b, 0x4f, 0xbc, 0x79, 0x90, 0x5, 0x31, 0xd, 0x8c, 0x58, 0x3d, 0x7d, 0x83, 0x67, 0x69, 0x6c, 0x49, 0x5f, 0x3b, 0x12, 0x89, 0x60, 0xf6, 0x79, 0x3a, 0xb0, 0x9a, 0xf0, 0x36, 0x9e, 0x14, 0xb2, 0xef, 0x5b, 0xbb, 0x10, 0x4a, 0xca, 0x63, 0xf1, 0x3, 0x98, 0x9, 0xe2, 0x6, 0x45, 0x70, 0x29, 0xd0, 0xab, 0x3b, 0x5a, 0x1b, 0x0, 0xaf, 0xf0, 0x56, 0xd, 0xe, 0x88, 0x70, 0xec, 0xcf, 0xf4, 0x7a, 0x3f, 0x91, 0x3d, 0xbe, 0x6f, 0xa6, 0x32, 0x73, 0xbd, 0xb4, 0xce, 0x7e, 0x4a, 0xc8, 0xe6, 0x32, 0x55, 0x8f, 0x22, 0x9c, 0x9a, 0xa7, 0xc4, 0xed, 0x9a, 0x69, 0x2f, 0xa3, 0x9e, 0x14, 0x99, 0x29, 0x70, 0x61, 0x18, 0x72, 0x11, 0x8e, 0x6c, 0x6d, 0x52, 0x6e, 0x54, 0x45, 0x4f, 0x49, 0x74, 0xad, 0xfe, 0xe7, 0xef, 0x89, 0x39, 0xb5, 0x3c, 0x2b, 0x31, 0xb0, 0x2f, 0xe4, 0xe, 0xe6, 0xa2, 0xb9, 0x23, 0x48, 0xe, 0x67, 0xd, 0xfd, 0x58, 0xf8, 0x6d, 0x63, 0x2c, 0x49, 0x7e, 0xab, 0xca, 0xeb, 0x70, 0x46, 0x2c, 0xd3, 0xfc, 0x72, 0xe0, 0x40, 0x1d, 0x4e, 0x34, 0xb2, 0x66, 0x6a, 0x7a, 0x45, 0xfe, 0xdc, 0x37, 0x8f, 0x2a, 0x1f, 0xc8, 0xde, 0xd5, 0xf9, 0x40, 0xab, 0x3e, 0xf8, 0xd5, 0x61, 0x3c, 0x4, 0xdf, 0xf1, 0x76, 0x27, 0xa8, 0x5c, 0x7c, 0x67, 0x46, 0xf8, 0x1e, 0x68, 0x74, 0x21, 0x28, 0x16, 0x6d, 0x51, 0x4f, 0x1f, 0x24, 0x7c, 0x4f, 0x37, 0x1, 0x1f, 0xc3, 0x94, 0x49, 0xf5, 0xc, 0x21, 0xf, 0xdf, 0x67, 0x83, 0x3c, 0x25, 0x20, 0x18, 0xe9, 0x20, 0xeb, 0xbe, 0x4d, 0xc9, 0xe7, 0x41, 0xb6, 0x62, 0x4, 0xc2, 0xaa, 0x19, 0x50, 0xcf, 0x49, 0x8b, 0xf0, 0x34, 0x28, 0xc2, 0x6d, 0x5a, 0x5d, 0x8e, 0x4b, 0xc7, 0xe8, 0x47, 0x6a, 0xcb, 0x2a, 0xf4, 0xdc, 0xc, 0x16, 0x78, 0xb9, 0x68, 0x35, 0x3a, 0x75, 0x64, 0x53, 0x7a, 0x71, 0xeb, 0xd1, 0x6c, 0x47, 0xd5, 0x28, 0x4a, 0x11, 0xbc, 0x8f, 0x8c, 0x3f, 0xbc, 0x60, 0x3, 0xec, 0xb6, 0xc6, 0xf4, 0xd1, 0x94, 0xe8, 0xf6, 0x9b, 0xcd, 0xb3, 0x18, 0x27, 0x8, 0x6b, 0x52, 0xbf, 0x7f, 0x11, 0x12, 0xa8, 0x52, 0xf9, 0x73, 0xf5, 0x5b, 0x94, 0x11, 0xb0, 0x64, 0xe8, 0x2b, 0x64, 0x9b, 0x9, 0x42, 0xa5, 0x8e, 0xf1, 0x86, 0xe2, 0x8c, 0x54, 0x7, 0x8a, 0xb2, 0x70, 0x27, 0x9c, 0x1c, 0x5c, 0x29, 0x28, 0xf, 0x39, 0x97, 0xc3, 0x6, 0x52, 0xcb, 0x43, 0x6a, 0x2e, 0x67, 0xf8, 0xda, 0xba, 0x8e, 0x73, 0x2b, 0x50, 0x66, 0x7, 0x4c, 0xa0, 0xf9, 0x8e, 0xfe, 0xba, 0x27, 0x4, 0xae, 0xf6, 0x1b, 0x2f, 0x43, 0xda, 0x74, 0x3b, 0x40, 0x8d, 0x27, 0x68, 0x82, 0x1d, 0x27, 0x57, 0x1b, 0x47, 0x93, 0xac, 0x91, 0x8b, 0x1, 0x1f, 0xc5, 0x76, 0xb2, 0x69, 0x68, 0x9, 0x1, 0xd2, 0x7d, 0xc5, 0x6d, 0x1, 0xc1, 0x79, 0x5b, 0xa5, 0x80, 0x6c, 0x80, 0x5e, 0x34, 0x23, 0xb6, 0x88, 0x20, 0xd7, 0xe9, 0x49, 0x43, 0xd2, 0x89, 0xe0, 0xf6, 0x9c, 0x3e, 0x3, 0x7a, 0x31, 0xd5, 0xea, 0xf8, 0xc8, 0x73, 0x9d, 0x1a, 0xc6, 0x5b, 0x3d, 0x5a, 0xf, 0xf1, 0xc8, 0xc2, 0xf9, 0x48, 0x7, 0x95, 0x6b, 0x8, 0xdf, 0x14, 0x24, 0x47, 0x92, 0x9b, 0x54, 0xae, 0xdf, 0x8c, 0x81, 0x79, 0xbf, 0x15, 0xa4, 0x62, 0x7a, 0xa7, 0x24, 0x3d, 0x76, 0x29, 0xb2, 0xd3, 0x9f, 0xf5, 0x2d, 0xb9, 0x44, 0xcf, 0x1f, 0xe7, 0x8e, 0xf, 0x45, 0x80, 0x86, 0x99, 0xa, 0xdb, 0xfd, 0xdd, 0x63, 0x27, 0xf2, 0xbc, 0x68, 0x96, 0x7a, 0x8c, 0x28, 0x8c, 0xf6, 0xe2, 0x92, 0x3, 0x35, 0x9b, 0xd0, 0xd7, 0x7a, 0xdd, 0x6, 0x65, 0x82, 0x54, 0x3d, 0xa, 0x4f, 0x9d, 0xce, 0xcd, 0xc1, 0xda, 0x43, 0x9b, 0xb8, 0x63, 0x8b, 0x45, 0x61, 0x4f, 0x15, 0x8d, 0x3b, 0x97, 0x9c, 0x12, 0xd0, 0xa4, 0xbd, 0x77, 0x96, 0x44, 0x5c, 0xc5, 0xd0, 0x7d, 0x7c, 0xc3, 0xd2, 0xab, 0xbb, 0x25, 0x57, 0x63, 0xa9, 0xa6, 0x63, 0xf3, 0xd7, 0xad, 0xf2, 0x63, 0x7e, 0x5b, 0xdf, 0xf1, 0x73, 0x2e, 0x82, 0x37, 0xce, 0x9d, 0x71, 0x1f, 0xb9, 0xb2, 0x6a, 0xa1, 0xe5, 0xe1, 0x3c, 0x16, 0xa0, 0x5b, 0x23, 0x98, 0x48, 0xe4, 0xad, 0x15, 0xe5, 0xf6, 0x32, 0x9c, 0x75, 0xf2, 0xcf, 0xee, 0x15, 0x86, 0xf8, 0xf1, 0xe2, 0xa5, 0xce, 0xab, 0xa6, 0xeb, 0x19, 0xd, 0x6c, 0xb, 0xe4, 0xee, 0x9e, 0x64, 0x45, 0xc4, 0xaa, 0x6c, 0xe, 0xe1, 0x65, 0xb4, 0x83, 0xf2, 0xb4, 0x59, 0x2d, 0x21, 0x29, 0xf7, 0xf2, 0x4, 0x67, 0xd7, 0x92, 0xee, 0xd1, 0x70, 0x83, 0x73, 0x4e, 0x8d, 0xb5, 0x1e, 0x6c, 0xea, 0x8b, 0xc2, 0xca, 0xfb, 0x5, 0x8e, 0xf2, 0x4e, 0x8b, 0x21, 0x84, 0x2c, 0xd, 0x6e, 0x6c, 0x7e, 0xd0, 0xf7, 0x52, 0x2c, 0x16, 0x96, 0xe0, 0xf, 0xf0, 0x4c, 0x13, 0xd8, 0xc3, 0x8c, 0x8c, 0xe4, 0x9a, 0xe5, 0x31, 0x4a, 0x82, 0x7b, 0xb8, 0x5f, 0x66, 0xe5, 0xa, 0x5c, 0xa7, 0x26, 0xbd, 0xb2, 0x5a, 0xf1, 0x2e, 0xdc, 0x65, 0x17, 0x78, 0x5b, 0xf5, 0xae, 0xeb, 0x63, 0x5e, 0x58, 0x39, 0x53, 0x3c, 0xc8, 0x6c, 0x4f, 0xe4, 0x78, 0xfc, 0xab, 0x1, 0xe2, 0x8a, 0xd0, 0x56, 0x2a, 0xbe, 0x1f, 0x9a, 0xee, 0xe7, 0x98, 0xa2, 0x89, 0x14, 0xe, 0xdd, 0x97, 0x48, 0xa, 0x7f, 0x98, 0x3d, 0xe9, 0x36, 0x87, 0x9f, 0xc0, 0x37, 0xa4, 0x79, 0xea, 0xb8, 0x0, 0x7a, 0x42, 0xfa, 0xe9, 0x89, 0xaf, 0xe4, 0x39, 0x2b, 0x3e, 0xf1, 0x38, 0x81, 0x7e, 0x2f, 0x2d, 0x1c, 0x45, 0xb0, 0x8b, 0x14, 0x37, 0x11, 0xe4, 0xcd, 0x8, 0x41, 0xe5, 0x50, 0xd, 0xc7, 0x68, 0x69, 0x1, 0x91, 0x12, 0x47, 0xdd, 0xe1, 0xee, 0xdc, 0x2b, 0x67, 0x43, 0xc6, 0x47, 0xc8, 0xe2, 0xcc, 0xca, 0xc0, 0x4e, 0xaf, 0x45, 0x9f, 0x6b, 0x49, 0x6a, 0x2c, 0x4, 0x34, 0x60, 0xf3, 0x36, 0x8, 0x2a, 0xea, 0x62, 0x6c, 0xb, 0x90, 0xf3, 0xa1, 0x14, 0x40, 0xf5, 0xf1, 0x3e, 0x63, 0x93, 0xfa, 0xe7, 0x93, 0x6d, 0xa7, 0x72, 0xa, 0xb3, 0x23, 0xd3, 0x51, 0xe4, 0xea, 0xf, 0xb5, 0xc8, 0xee, 0xff, 0x87, 0xef, 0x4, 0xbd, 0x72, 0xc1, 0xaf, 0x4e, 0x7, 0x40, 0x48, 0x6c, 0x1b, 0x1e, 0xdb, 0x3b, 0x2, 0x2, 0xbe, 0xe6, 0xa1, 0xd5, 0x10, 0xe1, 0xae, 0x5a, 0x66, 0x15, 0xae, 0xe1, 0x24, 0x1c, 0x27, 0x9d, 0x9c, 0x7c, 0x89, 0xf6, 0xe, 0xfa, 0x7, 0xb6, 0x22, 0x9d, 0x2a, 0x66, 0xa0, 0x1, 0x47, 0xf1, 0x22, 0x67, 0xce, 0x64, 0xc3, 0x18, 0x4c, 0xf7, 0x21, 0x75, 0x6d, 0x14, 0x46, 0x4, 0xb8, 0xab, 0xa8, 0x9f, 0x4e, 0x7a, 0x77, 0x39, 0x27, 0xe4, 0xea, 0x8d, 0xc, 0xb3, 0xa7, 0x36, 0x3e, 0x58, 0x2e, 0xb6, 0x5a, 0x5f, 0xac, 0xb4, 0xa9, 0x39, 0xa, 0xdf, 0xa2, 0x9f, 0xef, 0xac, 0x39, 0x90, 0x65, 0x5d, 0x4, 0xa6, 0x29, 0xc9, 0x7e, 0x2f, 0x26, 0xfc, 0x6e, 0x9d, 0x4d, 0xe1, 0x9d, 0x8d, 0x53, 0x5, 0x2d, 0xd6, 0xe6, 0x15, 0xe0, 0xf9, 0x88, 0xc4, 0x7e, 0xa7, 0x42, 0xee, 0x42, 0x8a, 0x2c, 0x89, 0x65, 0x63, 0x83, 0xae, 0xfd, 0x33, 0xf5, 0x1a, 0x1b, 0xdd, 0xab, 0x90, 0xcb, 0xa, 0xf, 0x75, 0x76, 0x25, 0x3d, 0x7c, 0xc8, 0xc9, 0x6c, 0xc7, 0x5a, 0xc5, 0xa, 0xfa, 0x5, 0xaa, 0x75, 0x52, 0x2e, 0x30, 0xb4, 0xc3, 0x9e, 0xc1, 0x2d, 0xef, 0x1d, 0xb3, 0xcb, 0xe2, 0x7b, 0x35, 0x6, 0x38, 0x51, 0xb7, 0x3d, 0x5f, 0x8e, 0xf9, 0x9, 0xf5, 0x0, 0xdf, 0x74, 0x64, 0x89, 0xbd, 0xeb, 0x28, 0x1e, 0x5f, 0xa7, 0x9b, 0x51, 0xd5, 0xde, 0xab, 0xe7, 0x9b, 0x51, 0x74, 0x10, 0x44, 0xb7, 0xc8, 0xb8, 0x58, 0xd3, 0x3, 0xa9, 0xd9, 0x10, 0xe, 0xb, 0xb1, 0x0, 0x4d, 0xb7, 0x52, 0xda, 0x28, 0xb1, 0xb0, 0x92, 0x63, 0x4, 0xc9, 0x75, 0xb, 0x98, 0xa2, 0x44, 0x67, 0x6c, 0xf9, 0xf7, 0xa8, 0xae, 0xb0, 0x5, 0xc3, 0x32, 0xf9, 0x2c, 0x18, 0x1d, 0x42, 0x2e, 0x4, 0xca, 0x36, 0x46, 0x9e, 0x50, 0x5d, 0xfc, 0xf6, 0xdf, 0x76, 0xd6, 0x5f, 0xe0, 0x1f, 0xcb, 0x47, 0xb, 0x96, 0xa8, 0x9b, 0x91, 0x42, 0xc6, 0x69, 0x6d, 0xde, 0x65, 0x1, 0x6, 0x23, 0xd0, 0x40, 0x9a, 0xb2, 0xb8, 0xd6, 0x4e, 0xf4, 0x3b, 0x78, 0xbd, 0x98, 0xd0, 0x6e, 0xfb, 0x19, 0x4e, 0xc8, 0x23, 0x61, 0xbe, 0xff, 0xf7, 0x9, 0x1f, 0x60, 0x3a, 0x4a, 0xe2, 0xa0, 0xc5, 0x89, 0xae, 0x87, 0x2a, 0xac, 0x5, 0x5e, 0x9c, 0x4e, 0x86, 0x7, 0x0, 0x5e, 0x2c, 0x39, 0xfd, 0x9e, 0xf, 0x85, 0xde, 0x1b, 0x51, 0xe2, 0x7f, 0x66, 0x9f, 0xc2, 0x8f, 0x29, 0x31, 0x84, 0x6d, 0x40, 0xcf, 0xf5, 0x5d, 0xd0, 0xc0, 0x79, 0xc8, 0x10, 0xb, 0xf9, 0x12, 0xf0, 0x38, 0x0, 0x1d, 0x9b, 0x3e, 0xfb, 0x99, 0x97, 0x8c, 0xa, 0x7a, 0x4e, 0xc0, 0x84, 0x86, 0xe9, 0xc8, 0x96, 0xd4, 0x2, 0x61, 0xb7, 0x75, 0xa6, 0x6d, 0x17, 0x13, 0x3b, 0xa6, 0xde, 0x69, 0x53, 0xf5, 0xdd, 0xef, 0xc2, 0xaf, 0x2f, 0xb9, 0x63, 0xac, 0x24, 0x6f, 0xf0, 0xbf, 0x70, 0xdd, 0x6a, 0x92, 0x6e, 0x42, 0x37, 0x1a, 0x1e, 0xcf, 0x18, 0xfa, 0xfd, 0xad, 0x37, 0x35, 0x77, 0x52, 0xb5, 0x84, 0x59, 0x63, 0xea, 0x11, 0xd2, 0x24, 0xed, 0x1a, 0x8c, 0x4d, 0xed, 0x7e, 0xb1, 0x67, 0x8b, 0xb, 0x14, 0x74, 0xde, 0xe9, 0x5d, 0x57, 0xff, 0x8b, 0x76, 0xc8, 0x1, 0x25, 0x74, 0x89, 0x9b, 0xe5, 0xb3, 0x51, 0x5a, 0x43, 0xe4, 0xc9, 0xa1, 0x33, 0x41, 0x55, 0x39, 0x61, 0x13, 0x59, 0xee, 0xb, 0x44, 0x73, 0x69, 0xf4, 0x87, 0xe4, 0x1, 0xc4, 0x0, 0xf8, 0x10, 0x47, 0x71, 0xc9, 0x46, 0xc4, 0xd6, 0xce, 0x4b, 0xcf, 0xc0, 0x68, 0x53, 0x4d, 0x6c, 0xd6, 0x7f, 0xaa, 0xe0, 0x37, 0xfc, 0x68, 0xfc, 0x1a, 0x81, 0x5d, 0xde, 0x57, 0xa0, 0xc2, 0xb7, 0x72, 0xbd, 0xfe, 0x61, 0xe8, 0x25, 0x47, 0xbe, 0x91, 0x2b, 0xff, 0x90, 0x1e, 0x0, 0x81, 0x5e, 0xf6, 0xbf, 0xa, 0x71, 0xf3, 0x4, 0xef, 0xc5, 0x76, 0x34, 0xeb, 0x15, 0xb7, 0xa2, 0xd, 0x3c, 0x1b, 0xb5, 0xda, 0xcc, 0x2b, 0x65, 0xc0, 0x2c, 0xa5, 0x40, 0x38, 0x88, 0x56, 0xa8, 0xe4, 0xf5, 0x9d, 0x7d, 0xfc, 0xd1, 0x88, 0xfc, 0xf, 0x7, 0x53, 0x39, 0xbc, 0xeb, 0xc1, 0xed, 0xef, 0x91, 0x7d, 0x94, 0xf, 0x34, 0xcf, 0x11, 0xbd, 0x6d, 0xbb, 0xbe, 0xdd, 0x1e, 0x3, 0xe2, 0x19, 0xc6, 0x45, 0xaa, 0x97, 0x82, 0xa6, 0xd2, 0x2b, 0x96, 0x6f, 0x82, 0x54, 0x63, 0xc7, 0xed, 0x12, 0xfa, 0x67, 0x3f, 0x3f, 0xba, 0x8d, 0xd8, 0x7a, 0xfc, 0x1d, 0xf, 0x22, 0x25, 0x1, 0xc8, 0x83, 0x86, 0x81, 0x9f, 0x5, 0x5d, 0x64, 0x57, 0x38, 0x2d, 0x6e, 0xf2, 0x77, 0x5, 0xd, 0xe8, 0x53, 0xa4, 0x46, 0xc6, 0x74, 0xa5, 0xc, 0xe3, 0xf4, 0xb8, 0x71, 0x6c, 0xd1, 0x89, 0x29, 0xfa, 0x3d, 0xc6, 0xfb, 0xab, 0x2d, 0x9e, 0xeb, 0x5c, 0xde, 0xdf, 0x5e, 0x6, 0x33, 0x60, 0xc6, 0x45, 0x3c, 0xf, 0x1f, 0x1d, 0x2b, 0x7, 0xec, 0x29, 0xd4, 0xb8, 0x2a, 0xbc, 0xd0, 0xc, 0x89, 0x1f, 0x47, 0xc2, 0x8c, 0x43, 0x47, 0xe7, 0x9e, 0x67, 0x9d, 0x31, 0x56, 0xe8, 0x1c, 0x13, 0xba, 0x4e, 0xb2, 0x87, 0x28, 0xa2, 0x20, 0x75, 0x8c, 0xc7, 0x4c, 0xd6, 0xc9, 0x47, 0x58, 0x79, 0x7b, 0xb2, 0x6c, 0x9b, 0x1b, 0x62, 0x50, 0x6c, 0xab, 0x22, 0x80, 0xdf, 0xf8, 0x9b, 0x9, 0x7, 0x1d, 0xda, 0x4e, 0xc0, 0xeb, 0x62, 0xf8, 0x48, 0x16, 0x3c, 0x60, 0xe1, 0xed, 0x32, 0x27, 0xd1, 0x50, 0x94, 0x9a, 0x5c, 0xf, 0xe, 0xa8, 0x19, 0xfc, 0xb4, 0x29, 0xb4, 0x54, 0x7f, 0x25, 0xe2, 0x15, 0x5, 0x46, 0x45, 0xc6, 0xb2, 0xd3, 0x66, 0xd6, 0xad, 0x3c, 0x45, 0xbc, 0xb7, 0xe2, 0x8d, 0xf8, 0xc1, 0xb, 0xbc, 0xa7, 0x0, 0x39, 0x20, 0xaf, 0xd3, 0xab, 0xa6, 0x47, 0x6e, 0xd8, 0xbc, 0xfb, 0xef, 0x2, 0x85, 0x12, 0xac, 0x1c, 0x91, 0x69, 0x54, 0x96, 0xec, 0x42, 0x2, 0x55, 0x2d, 0x7e, 0x1, 0xe0, 0x29, 0x92, 0x76, 0x9f, 0xe, 0x85, 0x98, 0x97, 0x65, 0x8f, 0x7, 0x3f, 0x63, 0xef, 0x51, 0xf7, 0x4c, 0x49, 0xd4, 0x87, 0xfb, 0x10, 0xee, 0x51, 0xd5, 0xa2, 0xe2, 0x66, 0x60, 0xa6, 0x9, 0x7e, 0x72, 0xd8, 0xf1, 0xa8, 0x87, 0x8d, 0x14, 0x1, 0x2c, 0xab, 0x8b, 0xd0, 0x0, 0xfe, 0x33, 0x4f, 0x42, 0xf1, 0xe4, 0xa8, 0x6d, 0x71, 0x4e, 0x9a, 0xcf, 0xf0, 0x17, 0x6d, 0x46, 0x19, 0xcb, 0xf5, 0x3b, 0x10, 0x20, 0x50, 0xff, 0xc0, 0xec, 0x62, 0xd0, 0xd8, 0x97, 0xcf, 0xdc, 0xc4, 0xa, 0xd8, 0x81, 0xaf, 0xd9, 0xc0, 0x80, 0xab, 0xad, 0x7a, 0x1d, 0xff, 0x45, 0x4, 0x1a, 0x7c, 0xa6, 0xf6, 0xd5, 0x60, 0x82, 0xd3, 0x65, 0x6f, 0xb2, 0xcf, 0x91, 0x8, 0xfb, 0x62, 0x6e, 0xd6, 0x91, 0x7d, 0x5c, 0xa5, 0xf, 0x1e, 0xef, 0xcd, 0x72, 0xdb, 0x33, 0xba, 0xc7, 0xe7, 0x47, 0xb2, 0x74, 0x7c, 0xfa, 0x9, 0xbc, 0x7c, 0x1, 0x3c, 0x50, 0xa, 0xf5, 0x90, 0x15, 0x93, 0x3c, 0x42, 0xaa, 0x6b, 0x61, 0x60, 0x4f, 0xc5, 0xca, 0x1c, 0x58, 0xf4, 0x1b, 0xeb, 0x7c, 0x85, 0x98, 0x66, 0xb1, 0xa7, 0xac, 0x86, 0xe1, 0x35, 0xe6, 0xac, 0x22, 0x97, 0x65, 0x22, 0xdd, 0x8d, 0x27, 0x7, 0x80, 0xb6, 0x1d, 0x4c, 0x3c, 0x90, 0xa0, 0x2, 0x14, 0xf2, 0x48, 0x89, 0x45, 0x6e, 0x36, 0xa2, 0xbd, 0x6a, 0xb9, 0x14, 0x9c, 0xb4, 0x31, 0x90, 0x31, 0x40, 0xe0, 0x9, 0x4b, 0x9c, 0x32, 0xfe, 0x43, 0x9f, 0xd2, 0xa3, 0x7c, 0x19, 0x97, 0xb1, 0xe2, 0x7, 0x4b, 0x5d, 0xdd, 0x73, 0x71, 0x21, 0xa2, 0x9e, 0x8d, 0xcb, 0xc4, 0x44, 0xd1, 0x14, 0xab, 0x5, 0x11, 0xa4, 0x4e, 0xb0, 0xe8, 0xf1, 0xd8, 0x80, 0xfe, 0x42, 0xa5, 0xdd, 0x92, 0xe6, 0xdc, 0x3, 0xcf, 0xa8, 0x2f, 0x98, 0xe9, 0xfc, 0xcf, 0x22, 0x1a, 0x65, 0xa9, 0x5e, 0x8b, 0xc4, 0x88, 0xad, 0x3f, 0x7f, 0xea, 0xf4, 0xf7, 0x5c, 0xa9, 0x5b, 0x6a, 0x3e, 0x77, 0xdb, 0x62, 0xc7, 0x57, 0x3, 0x82, 0xb4, 0x3f, 0xbd, 0x18, 0xad, 0x58, 0x14, 0x6f, 0xae, 0x39, 0x20, 0x99, 0xa1, 0x4a, 0xb4, 0x25, 0xc5, 0xf3, 0x1d, 0x9a, 0x81, 0x52, 0x3d, 0xed, 0x57, 0x3, 0x78, 0x2d, 0xd4, 0xd4, 0x7a, 0xc7, 0x4d, 0x7e, 0xcf, 0x58, 0xc4, 0x4f, 0xdf, 0xf9, 0x98, 0x79, 0x9a, 0xd4, 0x5e, 0x20, 0x71, 0x1d, 0xb5, 0xa8, 0x65, 0x44, 0xaa, 0x54, 0x92, 0x64, 0xa6, 0xe, 0xee, 0xa0, 0x35, 0xb2, 0x92, 0x9c, 0xe8, 0xe6, 0xaa, 0x4b, 0xa1, 0x93, 0x39, 0x6b, 0xe, 0xbd, 0x3b, 0xa7, 0x31, 0xd0, 0x3d, 0x69, 0xec, 0x60, 0x6d, 0xd0, 0x1c, 0x88, 0x56, 0x71, 0x1b, 0xb9, 0xca, 0x3, 0x4b, 0x57, 0xb3, 0x1d, 0x2f, 0x86, 0x15, 0xd6, 0x1a, 0x6, 0xbb, 0x64, 0x85, 0x1, 0x5b, 0x48, 0x6, 0x1e, 0x18, 0xa0, 0x88, 0x49, 0x43, 0x27, 0x57, 0xc7, 0xc0, 0xc1, 0xd4, 0x1a, 0xd6, 0x2c, 0x4a, 0xd, 0x48, 0xf3, 0x1c, 0xde, 0xe2, 0x3, 0x1a, 0xcf, 0x8a, 0xbc, 0xc7, 0xed, 0xd8, 0xf0, 0x9c, 0x5a, 0x29, 0x68, 0x3, 0x33, 0x3e, 0xf2, 0x7d, 0xa9, 0x46, 0xc5, 0x68, 0x5f, 0xdd, 0xfa, 0xb1, 0xac, 0xf8, 0x96, 0xad, 0x97, 0x55, 0x89, 0xe2, 0xda, 0x1b, 0x67, 0xd5, 0x49, 0xdd, 0xbd, 0xf4, 0x43, 0xdd, 0x21, 0x28, 0xd5, 0xfc, 0x16, 0x1a, 0x14, 0x19, 0x66, 0x12, 0x54, 0xa4, 0xa5, 0xa0, 0x86, 0xd, 0x3, 0xd3, 0x34, 0x5c, 0xc8, 0x5e, 0xe9, 0x3c, 0x21, 0x80, 0x2e, 0x4b, 0xf1, 0x7f, 0x6d, 0x7e, 0xf0, 0x9b, 0xed, 0x3e, 0xce, 0x79, 0xec, 0xa3, 0xa3, 0x21, 0x3e, 0x6c, 0x47, 0xd3, 0xa5, 0xde, 0xca, 0xf2, 0x11, 0xec, 0xb4, 0xaa, 0x36, 0xa9, 0xcc, 0x12, 0x5f, 0xad, 0xd1, 0x7d, 0x1c, 0xe6, 0x34, 0x9e, 0x60, 0x24, 0x17, 0xa2, 0x7b, 0xd6, 0x2f, 0xf3, 0xd, 0x52, 0xcc, 0x2a, 0x7f, 0xa1, 0xa9, 0xa8, 0xe2, 0xfb, 0x6b, 0x17, 0x50, 0xd9, 0x3, 0x60, 0x2f, 0xac, 0x1c, 0x8c, 0xb4, 0xa2, 0x8e, 0x57, 0x62, 0xc0, 0x38, 0x8a, 0xc3, 0x3c, 0xcc, 0x5c, 0x4d, 0xca, 0x21, 0x91, 0x20, 0x45, 0x67, 0x54, 0x7a, 0x6, 0xff, 0x2c, 0x46, 0x9d, 0x13, 0x5d, 0xdf, 0xbf, 0x63, 0x6f, 0x0, 0x50, 0x14, 0xa1, 0x76, 0x13, 0x22, 0xec, 0x9a, 0x2a, 0x33, 0x5e, 0xfe, 0x1a, 0xc8, 0x41, 0xa1, 0xfe, 0xba, 0x99, 0x9a, 0xa0, 0x11, 0x40, 0x16, 0xd4, 0x19, 0x4b, 0x41, 0xe0, 0x7f, 0xd1, 0x9, 0xb6, 0xf3, 0x2a, 0x7, 0x6b, 0xd6, 0xd2, 0x54, 0x55, 0xbc, 0x34, 0xde, 0xf7, 0x27, 0x45, 0x7b, 0x51, 0xbc, 0xaf, 0x29, 0x65, 0xd6, 0x9f, 0x8d, 0xd1, 0x12, 0x21, 0x35, 0xe4, 0x8b, 0xd7, 0xef, 0xd, 0x4e, 0xe1, 0x92, 0x21, 0x94, 0x1e, 0xaf, 0xc0, 0x90, 0x1f, 0x87, 0x65, 0xb4, 0xcf, 0x29, 0x9f, 0x43, 0x9f, 0xc7, 0x32, 0xfa, 0x3b, 0x2a, 0xd8, 0x4d, 0xc0, 0x21, 0xf3, 0x7b, 0xb1, 0xc1, 0xa2, 0xea, 0x54, 0x7f, 0x12, 0xff, 0x18, 0x96, 0x5e, 0xf3, 0x2d, 0x5f, 0x36, 0xa8, 0xdd, 0xf8, 0xe, 0x4d, 0x2, 0x29, 0x2d, 0x85, 0x4a, 0x8c, 0x22, 0x59, 0xc1, 0xe2, 0x5c, 0x39, 0xd3, 0xfe, 0x5a, 0x21, 0xe8, 0x44, 0x9f, 0xb6, 0xe3, 0x58, 0x74, 0xb2, 0x98, 0xf8, 0xc1, 0x16, 0xbc, 0x25, 0x3f, 0xf3, 0xe0, 0x87, 0xf, 0x17, 0x98, 0xc0, 0x39, 0xc3, 0x67, 0xb6, 0xdc, 0x24, 0xae, 0x3e, 0x7, 0xab, 0xa4, 0x2, 0x17, 0xbf, 0x44, 0xfb, 0x8c, 0x23, 0x9c, 0x91, 0xa6, 0xad, 0x75, 0x63, 0xee, 0xdd, 0x11, 0x85, 0x0, 0x53, 0xad, 0x60, 0xdb, 0xb8, 0x85, 0xfa, 0x92, 0xdb, 0xe, 0x21, 0x21, 0xa4, 0x66, 0xa3, 0xb6, 0x50, 0x8f, 0x55, 0x37, 0x4c, 0xeb, 0xf8, 0x7b, 0xdc, 0x7e, 0x25, 0x4f, 0x2e, 0x8, 0xa1, 0x7b, 0xe4, 0x7c, 0x9d, 0x68, 0x35, 0xdf, 0xe2, 0xe, 0xcf, 0xd0, 0xa0, 0x1b, 0x32, 0x8e, 0xc3, 0x8f, 0x8b, 0x8b, 0x5e, 0x74, 0xf, 0x4c, 0xc6, 0x70, 0x94, 0x2f, 0xa2, 0x5f, 0xd6, 0xf5, 0x87, 0x38, 0xa7, 0xbe, 0xef, 0xa7, 0xc2, 0x9b, 0xf8, 0x81, 0xa5, 0x8a, 0xc9, 0xe4, 0xee, 0xa6, 0xb, 0x5a, 0x83, 0x71, 0x1a, 0x29, 0xa3, 0xe9, 0x83, 0xe1, 0x86, 0x3b, 0x4, 0xe4, 0x89, 0xb0, 0x87, 0x54, 0xfb, 0xd2, 0x9b, 0x79, 0x9, 0xef, 0x9d, 0xe4, 0x4d, 0xbe, 0x60, 0xe7, 0xb3, 0xc0, 0x70, 0xa8, 0x9d, 0x39, 0x15, 0xee, 0x89, 0xd3, 0x1d, 0x4e, 0x5e, 0xdb, 0x5, 0x57, 0x91, 0xfa, 0x49, 0x38, 0x1b, 0x81, 0xe, 0xac, 0x5e, 0x94, 0xe1, 0xe5, 0x7c, 0x5c, 0x3f, 0xd, 0xb0, 0xa0, 0x72, 0x17, 0x7c, 0xa1, 0xb5, 0x0, 0x6c, 0x76, 0x26, 0x79, 0x54, 0x5a, 0xe2, 0x60, 0xc3, 0xbf, 0xb6, 0xe9, 0x8c, 0x78, 0x1a, 0x5a, 0x7, 0x95, 0x51, 0x42, 0xe6, 0xf4, 0x32, 0x17, 0x48, 0xa8, 0x56, 0xc7, 0x9d, 0x7a, 0xb5, 0x32, 0x54, 0xf, 0x44, 0xc0, 0x83, 0x1f, 0x28, 0x20, 0xd7, 0xf1, 0xb3, 0x70, 0xc6, 0x51, 0xe0, 0x35, 0xd1, 0xe, 0x91, 0x5, 0x22, 0xe7, 0x2b, 0x5, 0xdb, 0xe, 0x4b, 0xd1, 0xde, 0x39, 0xea, 0x68, 0xc5, 0x27, 0x3d, 0x7b, 0x69, 0x4b, 0x71, 0xf6, 0x1a, 0xf1, 0x6c, 0x3a, 0x2e, 0x6f, 0xb9, 0x13, 0x3c, 0xa6, 0x8e, 0xf, 0x77, 0x95, 0xff, 0x8c, 0x4c, 0xfb, 0x42, 0xc2, 0x98, 0x91, 0xbe, 0xa0, 0x95, 0xc, 0x9a, 0xec, 0x67, 0xcf, 0xe7, 0x8e, 0xeb, 0x5a, 0x33, 0xf0, 0xee, 0x24, 0xc4, 0x71, 0x33, 0xe7, 0x4c, 0xf3, 0x63, 0x5, 0xe5, 0xed, 0x31, 0x95, 0x39, 0xb, 0x98, 0x19, 0x36, 0x3f, 0x9b, 0xfe, 0x3a, 0xe8, 0x7c, 0x1c, 0x4a, 0x5e, 0x79, 0x2e, 0xbd, 0xf1, 0xb3, 0x89, 0xca, 0xcd, 0xa1, 0x7e, 0x18, 0xd3, 0x85, 0x3d, 0x68, 0x41, 0x35, 0x3c, 0x4e, 0xe4, 0x15, 0x67, 0x40, 0xed, 0x80, 0x9c, 0x23, 0x8c, 0x2a, 0xed, 0x8, 0xc5, 0xbf, 0x5a, 0x2, 0xe6, 0xbd, 0xed, 0xc5, 0xf2, 0x3b, 0x31, 0x1e, 0x63, 0xb1, 0x12, 0xa1, 0xd9, 0xe7, 0x3b, 0x3b, 0xcb, 0xb2, 0xcc, 0x38, 0x78, 0x7c, 0x4f, 0xc1, 0x54, 0x5, 0xbf, 0xe0, 0x88, 0xaa, 0x27, 0xb7, 0xe6, 0x1b, 0x7, 0x35, 0xe8, 0x64, 0xba, 0xc2, 0x64, 0xd7, 0x86, 0xeb, 0xd7, 0xba, 0x97, 0xf3, 0xbc, 0x4a, 0x4f, 0xb7, 0x20, 0x79, 0xbf, 0x1c, 0xfd, 0xb2, 0x2b, 0x3, 0x3d, 0xf1, 0x5b, 0x91, 0xe8, 0x65, 0x22, 0xd6, 0xfb, 0x19, 0xbb, 0x4a, 0x26, 0x9d, 0xb4, 0xa2, 0x48, 0x2f, 0x79, 0xaf, 0x62, 0x2f, 0xec, 0xba, 0x19, 0x86, 0x5f, 0xb0, 0xa9, 0x22, 0x33, 0x32, 0x45, 0xdc, 0x5, 0x90, 0xf2, 0xde, 0xcf, 0x4b, 0xac, 0x2f, 0x7a, 0xc4, 0x8, 0xc2, 0xac, 0x55, 0x3d, 0xac, 0xfe, 0xa3, 0x57, 0x60, 0x7, 0x12, 0x2c, 0x90, 0x5d, 0x72, 0x23, 0x17, 0xec, 0xf, 0xeb, 0x33, 0x27, 0xc6, 0x31, 0x9c, 0xbb, 0x63, 0x3c, 0xbb, 0xdb, 0xcc, 0x13, 0x49, 0x38, 0x58, 0x30, 0x7, 0x2b, 0x54, 0x3e, 0x11, 0x97, 0x2d, 0xc, 0x31, 0x2a, 0xe7, 0x48, 0x9d, 0x58, 0x6b, 0x31, 0xb8, 0x54, 0x27, 0xd5, 0xc1, 0x60, 0xab, 0x1f, 0x81, 0x42, 0xa3, 0x35, 0x94, 0x35, 0xc9, 0x2, 0x61, 0x76, 0xc3, 0x26, 0xe1, 0x2e, 0x29, 0x25, 0x3e, 0x95, 0x15, 0x4f, 0x7a, 0x59, 0xad, 0x2c, 0x3, 0xc3, 0xe7, 0xc3, 0x1b, 0xb6, 0x1c, 0x2a, 0xfe, 0x81, 0x7a, 0x2d, 0x4b, 0xcb, 0xa6, 0x8b, 0xe0, 0xe2, 0xf4, 0xb, 0xa8, 0x68, 0x2, 0xf9, 0x8c, 0xb2, 0xc9, 0xfc, 0xb7, 0x96, 0x82, 0x28, 0x51, 0xa7, 0xd1, 0xe2, 0xa2, 0xb0, 0xdb, 0x6d, 0xf6, 0x7b, 0x52, 0xca, 0xba, 0xd4, 0x3c, 0x31, 0x80, 0x8f, 0x41, 0x9b, 0x40, 0x8b, 0x6a, 0x3c, 0x87, 0xe8, 0x1a, 0x4b, 0x2b, 0x5f, 0x29, 0x93, 0x2a, 0xc7, 0x5e, 0xe9, 0xb8, 0x5f, 0x79, 0x5a, 0x2e, 0x90, 0x50, 0xf6, 0xe, 0xfa, 0x6a, 0x87, 0x2f, 0x88, 0xc8, 0x5a, 0x16, 0x3, 0xe2, 0xc1, 0x25, 0xd9, 0x87, 0xca, 0x90, 0x36, 0x79, 0xce, 0x93, 0xa7, 0x8d, 0x12, 0xbc, 0xf9, 0x9d, 0xbe, 0x39, 0xd6, 0x9a, 0xc6, 0x3c, 0x7c, 0xd3, 0xb6, 0xec, 0x1f, 0x99, 0x65, 0x69, 0xa3, 0xff, 0xb5, 0xb8, 0xbf, 0x1, 0xe0, 0x64, 0xd, 0x1, 0x34, 0x93, 0xbf, 0xa, 0x61, 0x5d, 0xc, 0x3f, 0xda, 0xdf, 0xb0, 0xee, 0x8f, 0x71, 0xd7, 0x40, 0x5, 0x3, 0xa8, 0x1e, 0x2b, 0x5b, 0x37, 0xd3, 0xb4, 0xf4, 0x73, 0x2f, 0xf2, 0x59, 0x3d, 0xeb, 0xbb, 0xd9, 0xc4, 0x4e, 0x42, 0x54, 0x1c, 0x92, 0xb2, 0xd7, 0xe3, 0xaf, 0xce, 0x34, 0xc5, 0x37, 0x6d, 0x29, 0x2e, 0x2, 0x68, 0x5e, 0xb0, 0x16, 0x9f, 0x35, 0x2b, 0xa, 0x8e, 0xa2, 0x73, 0x9d, 0x3f, 0xbc, 0xd9, 0x2d, 0xd8, 0xfd, 0xff, 0xe1, 0xf3, 0xba, 0xf9, 0xa8, 0x39, 0x69, 0xc4, 0x6d, 0x73, 0x31, 0x5c, 0xf4, 0xcf, 0x55, 0xe7, 0xe8, 0x92, 0x78, 0x42, 0x56, 0xf, 0x91, 0x2c, 0x4, 0xd0, 0xaa, 0x5, 0xbf, 0x35, 0xdf, 0xcc, 0x6a, 0xda, 0x28, 0x70, 0xec, 0x25, 0x29, 0x5c, 0x3f, 0xaa, 0xe1, 0x4, 0xa8, 0x2a, 0x82, 0x63, 0x8e, 0x34, 0x3d, 0x7d, 0xec, 0xed, 0xb5, 0xcf, 0xb2, 0xf6, 0xb4, 0x30, 0x28, 0x36, 0x3, 0x2a, 0xba, 0x6b, 0x9, 0xd, 0xcb, 0xbf, 0x8, 0x4, 0x3f, 0xec, 0x9f, 0x64, 0xe4, 0xfd, 0x8a, 0x17, 0x4e, 0x43, 0x1c, 0x4f, 0x2e, 0x40, 0xfb, 0x26, 0xc3, 0xce, 0x8a, 0x9d, 0x6c, 0xc4, 0xb6, 0xc0, 0xb8, 0x6c, 0x29, 0x3d, 0x58, 0xf5, 0xac, 0x8, 0x72, 0x7, 0xcf, 0xc6, 0xca, 0x52, 0x25, 0xd6, 0x3d, 0xa0, 0xd, 0x83, 0xef, 0x61, 0x52, 0xb4, 0x46, 0x0, 0x5d, 0x30, 0xee, 0xa7, 0xf6, 0x85, 0x3e, 0xa, 0xcb, 0x96, 0x5c, 0x86, 0x24, 0x89, 0x7a, 0xdf, 0x8b, 0x44, 0x91, 0x59, 0x71, 0x83, 0x23, 0xe4, 0xf8, 0xdb, 0x5c, 0x1d, 0x22, 0x9, 0xdc, 0x47, 0x35, 0xf4, 0xaa, 0x1d, 0x95, 0xd4, 0xac, 0xae, 0xd4, 0xb, 0xd5, 0x82, 0xb9, 0x56, 0x11, 0x9f, 0x45, 0x2b, 0x94, 0xc9, 0xdc, 0x72, 0xb2, 0x45, 0xfa, 0xe2, 0xb1, 0x67, 0x80, 0xb7, 0xfb, 0xa3, 0xd6, 0xc, 0xd0, 0xfb, 0xe2, 0x37, 0x2d, 0x74, 0xca, 0xdd, 0x24, 0xfc, 0x46, 0xdd, 0xfb, 0x26, 0x7b, 0x76, 0x44, 0x45, 0x66, 0x7c, 0xf6, 0xd8, 0x2f, 0x61, 0xa3, 0xa6, 0x3f, 0x60, 0x92, 0xe3, 0xdf, 0x49, 0xb3, 0x9, 0xde, 0x93, 0x90, 0x54, 0x73, 0xf7, 0x12, 0x46, 0x98, 0x2, 0x3b, 0x85, 0x67, 0x81, 0xe2, 0xed, 0x7c, 0x3, 0x77, 0xd1, 0x29, 0xb4, 0x9b, 0x80, 0x7d, 0xf0, 0xc4, 0x56, 0x27, 0xfb, 0x6b, 0xb, 0x45, 0x80, 0x2b, 0xf0, 0x93, 0xba, 0xf9, 0x9f, 0xc5, 0x61, 0x95, 0xad, 0x20, 0x57, 0x54, 0x69, 0x3e, 0xc7, 0xe2, 0x31, 0x33, 0xbe, 0xf0, 0x7c, 0xc, 0x3, 0x48, 0x9c, 0xca, 0x9b, 0x7c, 0x72, 0x42, 0x5e, 0xda, 0xdc, 0x29, 0x46, 0x3, 0x14, 0x7c, 0x17, 0xf6, 0x21, 0xba, 0x39, 0xab, 0xec, 0x0, 0xc1, 0xef, 0xba, 0xf0, 0x96, 0xb1, 0x2b, 0xb5, 0x74, 0x1c, 0xac, 0x73, 0xde, 0x3, 0xd5, 0x56, 0x2c, 0x9d, 0x9c, 0x53, 0xf, 0xce, 0x2d, 0x8, 0x87, 0x95, 0x3c, 0xfa, 0x8a, 0xa, 0x77, 0xf7, 0x7d, 0x7e, 0x5c, 0x59, 0x7a, 0x5a, 0x89, 0x96, 0x47, 0xfb, 0xfa, 0x6e, 0xd2, 0x69, 0xdb, 0x29, 0x29, 0x74, 0x5e, 0xee, 0xf2, 0xe9, 0xb9, 0x4, 0x3, 0x2, 0xe9, 0x88, 0x38, 0x1d, 0xf2, 0x91, 0x15, 0xa6, 0xdf, 0x7a, 0x79, 0x8e, 0x3f, 0xcf, 0x37, 0xe7, 0xeb, 0x61, 0x1c, 0x12, 0xf9, 0x89, 0xbd, 0x3, 0xba, 0x6, 0x6, 0x69, 0x59, 0x87, 0xb7, 0xfe, 0x78, 0x97, 0x72, 0x7a, 0xc2, 0x1a, 0x18, 0x60, 0x72, 0x34, 0x3c, 0x72, 0x18, 0xe0, 0x7e, 0x93, 0x70, 0xfc, 0x86, 0xcf, 0x42, 0x7c, 0x5, 0x8f, 0x11, 0xa1, 0x75, 0x33, 0xf8, 0x5b, 0x98, 0xbf, 0xe9, 0x39, 0x13, 0x54, 0xc0, 0x11, 0xf9, 0x8, 0xfa, 0xac, 0x4, 0xf3, 0xa2, 0x4a, 0xb3, 0x6f, 0x8b, 0xda, 0x1a, 0x4d, 0x61, 0xd6, 0xb, 0xad, 0x5, 0x5b, 0x77, 0x3b, 0x73, 0x92, 0x66, 0xdd, 0x15, 0x30, 0xf1, 0xd5, 0x8e, 0xcf, 0x32, 0xa, 0x15, 0xd8, 0x18, 0xef, 0xad, 0x1b, 0xed, 0xf9, 0x3f, 0xfb, 0x9a, 0x9b, 0x59, 0x2e, 0x5c, 0x51, 0xf6, 0x17, 0xab, 0xe0, 0xc2, 0x28, 0x49, 0xa4, 0x4d, 0x47, 0xfd, 0xe4, 0xbe, 0x1c, 0x52, 0x44, 0x36, 0x4f, 0xa4, 0x79, 0x12, 0x7, 0x55, 0xe8, 0xfb, 0x1, 0x66, 0xff, 0xab, 0x97, 0xc4, 0x51, 0xda, 0x5f, 0xe8, 0x94, 0xe3, 0x3e, 0xb, 0x7c, 0x59, 0x67, 0xf6, 0x85, 0x3, 0x19, 0x4b, 0xe3, 0x7e, 0xa2, 0xc6, 0xcc, 0x9f, 0x6e, 0xf8, 0x92, 0xa4, 0xdd, 0xde, 0x7a, 0xc7, 0x3b, 0x5, 0x72, 0x29, 0x78, 0xea, 0x3a, 0x1a, 0xc1, 0x4c, 0x1b, 0x93, 0x34, 0xe7, 0xa3, 0x89, 0x5e, 0xbb, 0x94, 0x56, 0x9f, 0x2e, 0x2e, 0x51, 0x17, 0xb6, 0xf8, 0x7b, 0x17, 0xf3, 0x49, 0xc3, 0x5d, 0x3e, 0xff, 0xc7, 0x8, 0xba, 0xa4, 0x2e, 0x23, 0x5d, 0x14, 0x11, 0xf5, 0x16, 0x9d, 0x4f, 0x9c, 0xc3, 0x79, 0xb3, 0x33, 0xa3, 0x9, 0xf1, 0xcc, 0xa9, 0x24, 0xeb, 0x80, 0x70, 0x85, 0xe2, 0x60, 0xfd, 0xc, 0x8e, 0x48, 0x4d, 0xfb, 0xed, 0x7b, 0xb8, 0xcd, 0x59, 0xc2, 0xd7, 0xbb, 0x1e, 0x72, 0xa9, 0x90, 0x63, 0xbc, 0x55, 0xa8, 0xd, 0xb, 0x70, 0x4c, 0x31, 0xde, 0xdb, 0x4, 0x4d, 0x2b, 0x46, 0xe8, 0x32, 0x6c, 0xbc, 0x1f, 0xbf, 0xcd, 0x9e, 0xfc, 0x62, 0xb1, 0xab, 0x3e, 0x83, 0x33, 0xb7, 0x3a, 0xdd, 0xb0, 0x8b, 0xb4, 0x39, 0x99, 0xb9, 0xdf, 0xc3, 0x97, 0xb1, 0x8a, 0x2b, 0xc4, 0x54, 0x81, 0x16, 0xcf, 0xb0, 0x49, 0xa5, 0x55, 0x92, 0x6, 0xb5, 0xc1, 0xe7, 0x48, 0x67, 0xad, 0xcb, 0xcb, 0xc5, 0x6f, 0xf, 0x78, 0x75, 0x27, 0xc8, 0xd7, 0xc9, 0xe1, 0xb8, 0x80, 0xab, 0x4e, 0x56, 0xcd, 0xdb, 0x3f, 0xe1, 0xda, 0x69, 0x8c, 0xce, 0xea, 0x69, 0x99, 0xfb, 0xb4, 0xe6, 0x47, 0x5a, 0xcb, 0x5, 0xa7, 0x85, 0x10, 0x2f, 0x0, 0xb9, 0xe, 0x1b, 0x71, 0x1f, 0x2c, 0x89, 0x96, 0x54, 0xb9, 0xa, 0x78, 0xc8, 0xf2, 0x5, 0xb9, 0xdb, 0x92, 0x7, 0xa2, 0x9, 0x63, 0xe2, 0xac, 0x26, 0xe1, 0x84, 0x6, 0xb3, 0xc9, 0x8a, 0xec, 0x47, 0x24, 0xa, 0xb4, 0xb6, 0xd8, 0x6a, 0x48, 0x24, 0xfb, 0xe3, 0x9f, 0xc1, 0x1f, 0x12, 0x60, 0x3f, 0x3b, 0x8e, 0x1a, 0xcf, 0xfc, 0x26, 0x56, 0x94, 0xf3, 0xd1, 0x6a, 0x22, 0x86, 0x56, 0x4e, 0x52, 0xbf, 0x37, 0x30, 0x18, 0x43, 0xfb, 0x2b, 0xd7, 0x25, 0xc7, 0x78, 0xb5, 0x6d, 0x1e, 0xb6, 0xd7, 0xe5, 0xb3, 0xbb, 0x60, 0x40, 0xfd, 0x8e, 0x8e, 0x48, 0xac, 0xdb, 0x1, 0x47, 0x1, 0x2e, 0x49, 0xa4, 0xa, 0x36, 0x9a, 0xcf, 0x75, 0xac, 0x8, 0x4d, 0x63, 0x79, 0x5, 0xfd, 0xc, 0xb7, 0xef, 0x15, 0xfb, 0xff, 0x6d, 0x53, 0x91, 0xa5, 0x6c, 0x10, 0x7c, 0xd0, 0x82, 0x75, 0xc3, 0xb2, 0x98, 0x4a, 0x6f, 0x23, 0x22, 0xbb, 0xfb, 0x5c, 0xbb, 0x0, 0x68, 0x6, 0xe9, 0x59, 0xc, 0xb, 0x74, 0x77, 0x9a, 0x5a, 0x8f, 0x9a, 0xc6, 0x4a, 0x48, 0xc9, 0xbe, 0xd6, 0x4, 0xf8, 0x33, 0x2b, 0x66, 0xc4, 0xe6, 0x32, 0x95, 0x92, 0x72, 0xb3, 0x73, 0x9c, 0x59, 0x4e, 0xf, 0x6d, 0x95, 0x68, 0xcc, 0x31, 0x5c, 0x15, 0x9f, 0x24, 0x7a, 0xa4, 0x4e, 0x28, 0xce, 0xe1, 0xd, 0xf, 0xd8, 0x24, 0x88, 0xd1, 0x57, 0x64, 0xd, 0xa7, 0x47, 0xf3, 0x8b, 0x38, 0x7a, 0x8b, 0x6b, 0xa8, 0xed, 0x86, 0x13, 0x60, 0xcd, 0xc, 0x6, 0xff, 0xcd, 0xb7, 0xb2, 0x3f, 0x5, 0xd0, 0xc7, 0xb6, 0xb1, 0xbe, 0x9f, 0xa, 0x24, 0x99, 0x87, 0x23, 0x2, 0xb, 0xb2, 0x89, 0x61, 0x77, 0x4f, 0x38, 0xbb, 0x1b, 0x3a, 0x19, 0x66, 0x90, 0x1e, 0xe7, 0x95, 0x86, 0x7e, 0xac, 0xff, 0x6, 0x97, 0x0, 0xb5, 0x2e, 0x62, 0x3d, 0x8a, 0x4a, 0xc6, 0x46, 0x4b, 0x5a, 0xd2, 0x43, 0x77, 0x24, 0xd0, 0xc4, 0x69, 0x84, 0x33, 0xe4, 0xf7, 0x88, 0x3d, 0xa1, 0xb3, 0x2b, 0x49, 0x58, 0xbe, 0x1, 0x10, 0x3a, 0xb2, 0x62, 0x4c, 0x1a, 0x3d, 0xa6, 0xb4, 0x96, 0x35, 0xe8, 0x3e, 0x3f, 0x18, 0x7d, 0xea, 0x7f, 0x4e, 0x45, 0x1c, 0xb0, 0xaf, 0x17, 0x61, 0xce, 0x3f, 0x64, 0x38, 0x36, 0x4c, 0x1c, 0xe6, 0xe5, 0x65, 0x4e, 0x5f, 0xcd, 0x5f, 0xa3, 0x8d, 0x50, 0x65, 0x40, 0xeb, 0xca, 0x5c, 0x49, 0x8c, 0xdf, 0x65, 0x89, 0x62, 0xa9, 0xe1, 0x12, 0x50, 0xa8, 0x2d, 0xf, 0xc4, 0x1c, 0xcf, 0xc1, 0x94, 0x1b, 0x47, 0xee, 0x75, 0xfb, 0x8, 0xa, 0xc8, 0x9b, 0xf1, 0xce, 0x91, 0x35, 0xde, 0x81, 0xf5, 0x58, 0x49, 0x70, 0x88, 0x4f, 0xef, 0x3a, 0xb2, 0xf8, 0x67, 0x28, 0x5f, 0x9a, 0x9f, 0xea, 0x84, 0x93, 0x74, 0x8d, 0x8b, 0x50, 0x9, 0xdc, 0xe3, 0x30, 0xe8, 0xb7, 0x55, 0x76, 0x31, 0x74, 0xcf, 0xd2, 0xf6, 0xfa, 0x55, 0x3, 0x69, 0xdf, 0xeb, 0x6c, 0x60, 0x72, 0xd6, 0xde, 0xc3, 0xd0, 0xb3, 0x92, 0xbb, 0x48, 0x92, 0xf8, 0x7c, 0x5c, 0x84, 0x54, 0xb7, 0x65, 0x1f, 0xf0, 0xd5, 0xd5, 0xc9, 0x7a, 0xcd, 0xf6, 0x69, 0x1d, 0x40, 0x96, 0x59, 0xa, 0xc3, 0xc2, 0x78, 0x18, 0x92, 0xed, 0x50, 0x86, 0x26, 0x91, 0xd5, 0x68, 0x26, 0x8d, 0xf9, 0x5f, 0x8b, 0xe3, 0x65, 0x19, 0xd8, 0x7a, 0x1a, 0x28, 0x15, 0x7, 0x11, 0xce, 0xc6, 0x3, 0x7c, 0xfc, 0xc8, 0x1b, 0x36, 0x4, 0x65, 0x8b, 0xe2, 0xe6, 0xbe, 0xcb, 0x8, 0x98, 0xdb, 0xc, 0xe8, 0xf, 0xb0, 0x6, 0x15, 0xd3, 0x3e, 0xfe, 0x66, 0xe0, 0xd6, 0x17, 0x18, 0x50, 0xb, 0x4d, 0xc6, 0x38, 0x9d, 0x2e, 0xef, 0xca, 0x4d, 0x84, 0x56, 0xfd, 0x8b, 0xab, 0x45, 0x85, 0xdd, 0x6a, 0x17, 0x77, 0xdb, 0xe5, 0x66, 0x9b, 0xc4, 0x72, 0x66, 0xcb, 0x71, 0x1b, 0x77, 0x1d, 0x42, 0x68, 0x39, 0x7, 0x56, 0xd8, 0xea, 0xaf, 0xe3, 0x83, 0xe8, 0xf, 0x84, 0x3, 0x77, 0x99, 0xc6, 0x1e, 0xd5, 0xda, 0x91, 0xb3, 0x26, 0x67, 0x7f, 0x30, 0xb9, 0x3f, 0x24, 0xae, 0xc, 0x16, 0xca, 0xe8, 0x7b, 0xc8, 0x8a, 0xc8, 0xf4, 0x55, 0xe3, 0x4c, 0xed, 0xcc, 0x74, 0x51, 0x66, 0xf5, 0xa4, 0x53, 0x7d, 0x49, 0xf9, 0xd4, 0x10, 0x68, 0xb5, 0x97, 0x64, 0x46, 0x73, 0x89, 0x21, 0xa6, 0x94, 0x4, 0x74, 0xda, 0xe1, 0xf8, 0x68, 0x1c, 0x1, 0x8d, 0x93, 0x6a, 0x54, 0x82, 0x62, 0xc1, 0x1a, 0xc6, 0x19, 0xcb, 0x3a, 0x1f, 0x3e, 0xd, 0xad, 0xab, 0x9c, 0xfa, 0xf8, 0x52, 0x43, 0xea, 0xb7, 0xb4, 0x23, 0x65, 0x35, 0x15, 0x25, 0x81, 0x60, 0xae, 0x61, 0xad, 0x16, 0x5a, 0x8e, 0x57, 0x81, 0xff, 0xf8, 0x67, 0x20, 0x75, 0x7d, 0x44, 0x45, 0x90, 0x50, 0x21, 0x62, 0x78, 0x6f, 0xaa, 0x5, 0x5, 0xcf, 0x2f, 0xc2, 0xc0, 0x77, 0x1c, 0xed, 0x6b, 0xa6, 0xf0, 0x30, 0x10, 0x39, 0xd7, 0xb, 0x1f, 0x15, 0x9f, 0xf2, 0x31, 0x85, 0xbe, 0xde, 0xe6, 0xc7, 0x89, 0x79, 0x2d, 0x98, 0x7e, 0x67, 0x8e, 0x72, 0xe, 0x7, 0x5c, 0xd5, 0x1f, 0xe8, 0x6, 0xd3, 0x7b, 0x81, 0xa, 0x99, 0x22, 0xe0, 0x7f, 0x72, 0x6a, 0x81, 0xf, 0x19, 0x33, 0x4f, 0x29, 0xc2, 0xcc, 0x35, 0x63, 0xbe, 0xc5, 0x45, 0x47, 0x9f, 0x17, 0x20, 0x38, 0x6e, 0x6, 0x2f, 0x92, 0x82, 0xb7, 0x47, 0xe6, 0x8a, 0xfb, 0xca, 0x2, 0xde, 0x49, 0x2e, 0xc2, 0xcc, 0xec, 0xc2, 0xfc, 0xff, 0xc2, 0x9b, 0x29, 0x82, 0x82, 0xe, 0x6e, 0xa2, 0xee, 0x8f, 0x9a, 0x5, 0x32, 0x89, 0xfe, 0x8b, 0x27, 0x27, 0xa6, 0xe5, 0x13, 0xc6, 0xcb, 0xb6, 0x7e, 0xe1, 0xc1, 0x1c, 0xa6, 0x7e, 0x49, 0x55, 0x1d, 0x13, 0x33, 0xd5, 0xde, 0x7e, 0xaf, 0x9e, 0xd3, 0x69, 0x2f, 0x1b, 0xf1, 0x6a, 0xde, 0x34, 0xf4, 0xc2, 0x73, 0xfa, 0x75, 0xa3, 0xa4, 0x93, 0x24, 0xa5, 0x4c, 0xc2, 0xc5, 0x33, 0xb8, 0x7c, 0x78, 0x6, 0x5f, 0xcf, 0x71, 0x6e, 0x3e, 0x1f, 0x9, 0x4e, 0x81, 0x66, 0x66, 0x74, 0x8b, 0x57, 0x1f, 0x45, 0x76, 0x2a, 0xe9, 0x33, 0xb5, 0x8c, 0xc1, 0x57, 0x6e, 0xde, 0xb5, 0xbf, 0x55, 0xfe, 0xca, 0x9b, 0x33, 0xeb, 0xa2, 0xee, 0x1, 0x9c, 0x8b, 0xea, 0xa1, 0xd6, 0xa7, 0xf8, 0xf4, 0xf5, 0xb4, 0x23, 0x60, 0x42, 0x4e, 0xb5, 0x52, 0xae, 0xe4, 0x52, 0x5e, 0xdc, 0x70, 0xbf, 0x84, 0xe0, 0x55, 0xba, 0x1c, 0x8d, 0xa4, 0x6, 0x3f, 0xba, 0x7a, 0x9, 0x22, 0xa9, 0xbf, 0xb, 0xe9, 0x3f, 0x63, 0x13, 0x55, 0x88, 0x93, 0x53, 0xe1, 0x82, 0xe0, 0xc7, 0x1, 0x6b, 0x9c, 0x9a, 0x75, 0x30, 0x6f, 0x28, 0xfd, 0xfb, 0xac, 0x6b, 0x17, 0x41, 0x10, 0x58, 0x94, 0x53, 0xde, 0xc3, 0x3b, 0x7c, 0xf0, 0x80, 0xe5, 0x2f, 0x77, 0x4d, 0x88, 0x75, 0x6f, 0xdb, 0xdc, 0x4f, 0x9d, 0xbb, 0x40, 0xb8, 0x3b, 0x5c, 0xd7, 0x11, 0x30, 0x8, 0xdb, 0x4e, 0x2e, 0x6c, 0xdc, 0x8d, 0x29, 0x9c, 0xcd, 0xa2, 0x89, 0x87, 0xe1, 0x82, 0xce, 0xa0, 0xff, 0x1c, 0x10, 0xf2, 0xa5, 0x40, 0x34, 0x34, 0x4b, 0xe5, 0x36, 0x6d, 0x7c, 0x3, 0xa3, 0x74, 0xc, 0x29, 0x8d, 0x52, 0x82, 0x17, 0xab, 0xd4, 0x4, 0xc2, 0xa8, 0x83, 0xd0, 0xd, 0x1e, 0x0, 0x76, 0xdd, 0x4e, 0xf1, 0xcf, 0xc7, 0x2e, 0x66, 0xc9, 0x2, 0xc2, 0x11, 0xc9, 0xc6, 0x78, 0x2, 0x81, 0x98, 0xfb, 0x34, 0xdb, 0x68, 0xe3, 0xe4, 0x5e, 0xe, 0x25, 0xb4, 0xa1, 0x47, 0x13, 0xfe, 0x95, 0x84, 0xab, 0xe6, 0x5e, 0x3c, 0x50, 0x24, 0x6f, 0x39, 0x6c, 0xf, 0xab, 0x6b, 0xdd, 0x86, 0x44, 0xfb, 0x3f, 0x7e, 0x80, 0xf5, 0xfe, 0x2, 0x80, 0x74, 0x6c, 0xb, 0xf0, 0x99, 0x29, 0x86, 0xa7, 0xa6, 0xf9, 0xbf, 0x48, 0x26, 0x9e, 0xd8, 0xbe, 0x6c, 0xa0, 0xe5, 0x85, 0xeb, 0x19, 0x84, 0x3d, 0xaf, 0x11, 0xd3, 0x86, 0x16, 0x3f, 0x73, 0x34, 0x78, 0xad, 0xf3, 0x24, 0xaa, 0xa2, 0x6f, 0x5a, 0x5e, 0xee, 0xac, 0x9c, 0x23, 0xe6, 0xd4, 0x75, 0x83, 0xd7, 0x86, 0x6, 0x5d, 0x18, 0x28, 0xb, 0xa, 0x8d, 0x72, 0x3f, 0x6f, 0xed, 0x3c, 0xdd, 0x60, 0xb0, 0x12, 0x79, 0x5a, 0xcc, 0x14, 0xf0, 0xfa, 0x29, 0x31, 0x8d, 0xea, 0x5a, 0x39, 0xd7, 0x5c, 0xde, 0x1d, 0x32, 0xab, 0xba, 0xf, 0x6b, 0xd6, 0xb2, 0x7, 0x96, 0x99, 0xbd, 0xaf, 0x7, 0xae, 0x11, 0x59, 0xbc, 0x44, 0xd, 0x82, 0x11, 0x13, 0x55, 0x20, 0x5e, 0x3a, 0x47, 0xc4, 0x86, 0xcc, 0x1b, 0x65, 0xc, 0xef, 0xe, 0xd8, 0x9b, 0x2b, 0xc, 0x23, 0x1d, 0xe5, 0x5b, 0x51, 0x7, 0x12, 0x4a, 0x2c, 0x4, 0x84, 0xe2, 0xe9, 0xbf, 0xa0, 0x7c, 0x51, 0x42, 0x7a, 0x82, 0x69, 0x23, 0x78, 0x5, 0xf6, 0xe8, 0x9d, 0x69, 0x38, 0x16, 0xf0, 0x4, 0x4f, 0x18, 0x5, 0x6d, 0xbc, 0xf2, 0xed, 0x18, 0x46, 0x17, 0x77, 0xf1, 0x1c, 0x65, 0xd5, 0x78, 0x37, 0x7c, 0xf, 0xbd, 0x52, 0xd8, 0x55, 0x55, 0x68, 0x1b, 0xf8, 0x1f, 0x46, 0xf3, 0x82, 0xf6, 0x3, 0x4a, 0x7b, 0xca, 0x12, 0x9b, 0x35, 0x8c, 0x9, 0xc1, 0x1, 0x34, 0x98, 0x5d, 0xd2, 0x53, 0x5, 0x6a, 0xb0, 0x87, 0xc6, 0x3d, 0x8f, 0x76, 0xc0, 0xe0, 0x2e, 0x73, 0x4b, 0x34, 0x3e, 0xa3, 0x44, 0x7c, 0x2, 0xa, 0xb7, 0x64, 0xc3, 0x71, 0xb1, 0x5e, 0x87, 0xd6, 0x68, 0x6c, 0xfc, 0x3, 0x3e, 0x5e, 0xc7, 0x52, 0xf0, 0x1f, 0x3d, 0x2c, 0x73, 0x3e, 0x7a, 0x6e, 0xd1, 0x6e, 0xa6, 0xef, 0xd0, 0xf2, 0x46, 0xb7, 0x5b, 0xb6, 0x26, 0x2b, 0xd9, 0x63, 0x7c, 0x86, 0x44, 0xdd, 0xba, 0x82, 0xcd, 0xff, 0xb8, 0x81, 0xc0, 0xf8, 0x9e, 0x4a, 0x1b, 0xa7, 0x85, 0x87, 0x6c, 0x73, 0xa7, 0x76, 0x16, 0x6c, 0xd0, 0x32, 0x89, 0x9d, 0x16, 0x6, 0x2c, 0xbe, 0xf2, 0x39, 0x9, 0xb5, 0x49, 0x88, 0x63, 0xd1, 0x8e, 0x85, 0x90, 0xba, 0x2c, 0x69, 0x33, 0xfc, 0x8e, 0x0, 0xa6, 0x2f, 0x91, 0xa, 0x4a, 0x2b, 0x40, 0x39, 0xa3, 0x97, 0xc7, 0x90, 0x1, 0xc0, 0x10, 0x3c, 0x2d, 0xd6, 0xfd, 0x14, 0xff, 0x8a, 0xc1, 0x89, 0x19, 0x57, 0x9, 0x4d, 0xc6, 0x98, 0xba, 0xfe, 0xe5, 0x0, 0x28, 0xea, 0x24, 0x82, 0xc1, 0xc5, 0xa9, 0xf9, 0xc, 0xb9, 0x3c, 0x91, 0x9f, 0x1c, 0xca, 0x9e, 0x4b, 0x1a, 0xfa, 0x7b, 0x35, 0xe5, 0xe5, 0x8c, 0xdc, 0xc1, 0xb, 0x96, 0xa, 0xc3, 0xee, 0x17, 0xf3, 0xd9, 0x67, 0xe2, 0x38, 0x7d, 0x25, 0x6c, 0xef, 0x89, 0xfb, 0x6, 0x6d, 0xa2, 0x64, 0xd3, 0x9a, 0x99, 0x28, 0x23, 0x58, 0xab, 0xea, 0x26, 0xcb, 0x94, 0xb7, 0x69, 0x96, 0xa5, 0x5b, 0xb8, 0x1f, 0xab, 0x28, 0xad, 0x94, 0xaa, 0xd0, 0x56, 0xf3, 0xbf, 0xdc, 0x5, 0x2, 0xa6, 0xa1, 0xa3, 0x80, 0x9e, 0xd7, 0x14, 0xaf, 0xd6, 0xc3, 0x22, 0x5e, 0x18, 0x4f, 0xfc, 0xc8, 0x67, 0xf6, 0xb7, 0x6b, 0xa5, 0x2f, 0x23, 0xf8, 0xea, 0x3e, 0x8f, 0x91, 0xbc, 0xd0, 0x49, 0x48, 0xe2, 0x70, 0x58, 0xb9, 0x51, 0x91, 0xe8, 0xab, 0x9, 0x44, 0x3d, 0x70, 0xe, 0xab, 0x70, 0xe8, 0x83, 0x7, 0x80, 0x10, 0xe9, 0xd8, 0x22, 0x62, 0x77, 0xac, 0xa2, 0xb2, 0x7b, 0x2c, 0x9b, 0xc4, 0xfb, 0xcf, 0x2b, 0x28, 0x6d, 0x37, 0x53, 0x7a, 0xdb, 0xea, 0x6, 0xa7, 0x17, 0x88, 0x70, 0x69, 0xae, 0x35, 0xcd, 0x5, 0xe, 0xf5, 0x6f, 0xde, 0x7f, 0xbc, 0x74, 0x75, 0xfb, 0xb5, 0x63, 0xc4, 0x8, 0xfe, 0xe7, 0x53, 0xe9, 0xc9, 0x71, 0x18, 0xca, 0x83, 0xf5, 0xd4, 0xbf, 0xd8, 0xb4, 0x5c, 0x1c, 0xe8, 0x45, 0x82, 0x78, 0x8d, 0xde, 0x38, 0x41, 0x47, 0xe0, 0x3c, 0xe9, 0xf5, 0xa5, 0x32, 0x19, 0x83, 0xf0, 0x4b, 0x5f, 0xd7, 0xd4, 0xc9, 0x8c, 0xfe, 0x77, 0xc4, 0xa, 0x77, 0x5e, 0xa2, 0x72, 0x2e, 0x86, 0x48, 0xe7, 0xb5, 0x52, 0xfe, 0x35, 0x1d, 0x50, 0x82, 0x54, 0xa4, 0xe9, 0x87, 0xb1, 0x9a, 0x4a, 0x42, 0xe7, 0x93, 0x8a, 0x17, 0xa0, 0x8c, 0xe8, 0x6d, 0x50, 0x72, 0x5a, 0xef, 0x2d, 0xeb, 0x1, 0xb2, 0xdc, 0x80, 0xe6, 0x9d, 0x20, 0x68, 0xba, 0xe6, 0xa4, 0x5a, 0xdc, 0x31, 0x9f, 0x3c, 0x29, 0xf, 0x16, 0x6c, 0x42, 0xa7, 0xd7, 0x64, 0xe8, 0x33, 0x63, 0xb5, 0x8e, 0x30, 0xba, 0xbb, 0x3e, 0x2, 0x64, 0x11, 0xbe, 0x2, 0xa3, 0xd5, 0x2f, 0xe3, 0xba, 0xc2, 0x64, 0x7b, 0xff, 0x5a, 0x26, 0xe1, 0x1, 0x6, 0x80, 0x14, 0x4b, 0xfd, 0x66, 0x80, 0xa8, 0xd8, 0x52, 0x9c, 0x5a, 0x7, 0x46, 0xe7, 0x20, 0xba, 0x5a, 0xc6, 0x34, 0x12, 0x7e, 0xf8, 0x2b, 0xa3, 0xda, 0xc8, 0x2f, 0x56, 0xc4, 0xa5, 0x97, 0x74, 0x45, 0xf8, 0xbf, 0xe2, 0xf3, 0x8a, 0x8e, 0xfd, 0x44, 0x59, 0x7d, 0xc9, 0x49, 0x35, 0x49, 0x23, 0x19, 0xe4, 0xbb, 0x36, 0x40, 0x56, 0x7, 0xe3, 0xda, 0xed, 0xa0, 0xad, 0x49, 0x51, 0x78, 0x37, 0xf1, 0xaa, 0x87, 0xef, 0x80, 0xc5, 0x62, 0xd3, 0xc6, 0x6a, 0x5c, 0xa5, 0x30, 0x12, 0x43, 0x97, 0xc5, 0x37, 0x5a, 0xec, 0x15, 0xe5, 0x7, 0x84, 0x56, 0xe0, 0xb7, 0x4d, 0x69, 0xef, 0xbd, 0xf9, 0x80, 0xc6, 0xdd, 0xfc, 0xb9, 0x87, 0x87, 0xca, 0xed, 0xe1, 0xdc, 0xb8, 0x3, 0x34, 0x1c, 0x98, 0x51, 0xa1, 0xb, 0xe1, 0x70, 0xf1, 0xdc, 0x74, 0x42, 0x1a, 0x6d, 0xef, 0x6d, 0xb8, 0x43, 0x27, 0xf7, 0x66, 0x18, 0xdb, 0xeb, 0x70, 0x16, 0x5b, 0xd2, 0x58, 0x6f, 0xc, 0x5, 0x8c, 0x1e, 0x49, 0xc4, 0xf5, 0xd7, 0xfb, 0x87, 0xab, 0xb2, 0xe2, 0x2b, 0xec, 0xf8, 0x11, 0xd1, 0x9d, 0x5c, 0xe, 0x3e, 0x60, 0xe7, 0xc4, 0xb7, 0x8d, 0x3f, 0xc3, 0xbc, 0x51, 0x2a, 0x39, 0xbd, 0x91, 0x9a, 0x2f, 0x70, 0x2d, 0xe9, 0x32, 0xc1, 0x95, 0xa7, 0xa4, 0x7d, 0x1b, 0x15, 0xb1, 0xb, 0xe3, 0xa, 0xb, 0x1a, 0x51, 0x22, 0xe3, 0x2, 0xc8, 0xba, 0xfe, 0x54, 0x78, 0x9e, 0x4e, 0x69, 0x82, 0x50, 0x3a, 0xea, 0xb8, 0x40, 0xfe, 0xe4, 0xc1, 0xfe, 0x8f, 0xe5, 0xb, 0x12, 0xc4, 0x29, 0x9d, 0x34, 0xb8, 0xfb, 0x15, 0xd9, 0xd0, 0xc0, 0x1f, 0x39, 0x94, 0x9f, 0x51, 0xba, 0x10, 0x54, 0xa7, 0x4f, 0x7, 0xc4, 0x11, 0x59, 0xa, 0x15, 0xf6, 0xdb, 0x6a, 0xa6, 0x38, 0xca, 0xbf, 0x34, 0x3c, 0x54, 0x64, 0xc1, 0xfc, 0xcc, 0xe1, 0xb9, 0x60, 0x75, 0xf2, 0xe0, 0x9c, 0x21, 0x20, 0xe8, 0x53, 0xf, 0xda, 0x99, 0x7a, 0x99, 0xb4, 0xc6, 0x98, 0x44, 0x23, 0xe8, 0xe4, 0x19, 0x6e, 0x51, 0x13, 0xc5, 0x23, 0x7b, 0x93, 0xd5, 0xc4, 0xc5, 0x47, 0xe8, 0xe2, 0x56, 0xf6, 0x1e, 0xe7, 0x5c, 0x73, 0x7d, 0x72, 0x9f, 0xc5, 0x44, 0x9a, 0xf7, 0xa6, 0x4, 0x63, 0x5b, 0x33, 0xe4, 0xb7, 0x3a, 0x36, 0xa7, 0x38, 0x66, 0x83, 0x2f, 0x74, 0xfe, 0x70, 0xa4, 0xde, 0x1a, 0x9f, 0xc1, 0x7f, 0x5b, 0x54, 0xb8, 0x54, 0xe0, 0x98, 0x6, 0x1d, 0xba, 0x1a, 0x38, 0x35, 0xf9, 0x36, 0x49, 0x8e, 0x91, 0x9d, 0x4f, 0x50, 0xb5, 0x82, 0x39, 0x51, 0xb2, 0xf6, 0x5e, 0x3, 0x65, 0xb9, 0x9c, 0x4d, 0x6f, 0xc2, 0xa0, 0x53, 0x5, 0x9, 0x55, 0xa8, 0xbe, 0x56, 0xd, 0xb1, 0x6c, 0x11, 0xda, 0x42, 0xa2, 0xb7, 0x57, 0xd9, 0x48, 0x68, 0x72, 0x2b, 0x67, 0xdd, 0xd3, 0xa4, 0x16, 0x6b, 0xa9, 0x2, 0x85, 0x7c, 0x63, 0x7e, 0x3d, 0x3b, 0x46, 0xd, 0x73, 0x2b, 0x3, 0xc7, 0x27, 0x6f, 0x42, 0x46, 0x58, 0x7d, 0x6b, 0x36, 0x55, 0x1d, 0x44, 0x7d, 0x24, 0x89, 0x9e, 0xd0, 0xe7, 0x48, 0xbf, 0x6f, 0x73, 0x4d, 0x40, 0xb, 0x51, 0x7d, 0xbd, 0x84, 0xe7, 0xd0, 0x3, 0xa0, 0x7f, 0x96, 0x95, 0xfd, 0x17, 0x4f, 0x61, 0xf7, 0x25, 0xdb, 0x98, 0xcb, 0x35, 0xa1, 0xe0, 0xe0, 0x49, 0x6a, 0xa7, 0x83, 0x2e, 0x7b, 0x95, 0x65, 0x2c, 0xf8, 0xe0, 0xdb, 0xcd, 0x8d, 0xda, 0x40, 0x5d, 0x9d, 0x93, 0x95, 0xa5, 0xb4, 0x8b, 0xf6, 0x37, 0x17, 0x2, 0x74, 0x28, 0x79, 0x64, 0x55, 0x3, 0x12, 0x76, 0xad, 0x84, 0x7c, 0xe, 0x74, 0x8e, 0x5f, 0x69, 0x44, 0x90, 0x43, 0xc8, 0x9b, 0xd8, 0x4d, 0x18, 0xa9, 0x85, 0x5d, 0xda, 0xf3, 0xf7, 0x74, 0xb0, 0xc0, 0x9f, 0xbb, 0x63, 0x25, 0x56, 0x8e, 0x88, 0x8a, 0xf8, 0xaa, 0xe6, 0xd2, 0x6, 0x7c, 0xbe, 0x1f, 0x16, 0x43, 0x86, 0x2d, 0x61, 0xb2, 0xb, 0x53, 0x54, 0xa3, 0xbb, 0xb3, 0x9f, 0xea, 0x69, 0x8, 0xcb, 0x77, 0xef, 0xe3, 0xbd, 0x63, 0x11, 0x43, 0xb, 0x46, 0x90, 0xbc, 0x89, 0x35, 0x9a, 0x81, 0xe4, 0xd2, 0xd7, 0x3, 0x4d, 0x82, 0xa7, 0xb6, 0x43, 0x9e, 0x4f, 0xae, 0x33, 0x86, 0xa6, 0x88, 0x9c, 0x7, 0xb3, 0x6d, 0x21, 0xd9, 0xed, 0xff, 0x0, 0xe0, 0x88, 0xdd, 0x91, 0x40, 0x48, 0xbd, 0x12, 0x9f, 0xda, 0x80, 0xb2, 0xd7, 0x8c, 0x53, 0x3e, 0x91, 0x86, 0x8f, 0x45, 0x53, 0xad, 0x8, 0x8e, 0x6c, 0x1f, 0x0, 0xa7, 0xff, 0x15, 0x5d, 0xbf, 0xe6, 0xc6, 0xb8, 0x52, 0xdd, 0x15, 0x12, 0x1, 0xa4, 0x34, 0x82, 0x54, 0x45, 0x40, 0x5b, 0x3d, 0x2d, 0x9d, 0x5a, 0xff, 0x90, 0x41, 0x90, 0x4a, 0xb6, 0xee, 0xff, 0xb0, 0x8b, 0x7f, 0x60, 0x48, 0xa4, 0xac, 0xa3, 0x55, 0x2a, 0x67, 0xa0, 0x30, 0x5c, 0x66, 0xbd, 0x8c, 0x37, 0x59, 0x7f, 0xf3, 0x73, 0x35, 0x7f, 0xa3, 0xa5, 0xfc, 0xe4, 0xd1, 0x7d, 0x6c, 0xf, 0xeb, 0xfc, 0xb0, 0x8a, 0xac, 0x54, 0xa5, 0x65, 0x29, 0xac, 0x76, 0x46, 0x27, 0x6c, 0xf5, 0xfb, 0x17, 0x20, 0xd7, 0xf7, 0xac, 0xd9, 0x6b, 0x2f, 0x2e, 0x66, 0x47, 0x22, 0x10, 0x88, 0x8f, 0xfc, 0x41, 0xef, 0x3b, 0xd5, 0x85, 0xb3, 0x14, 0x7a, 0x51, 0xd1, 0xa7, 0x76, 0x7d, 0xa5, 0x27, 0xe3, 0xda, 0xdc, 0x82, 0x5f, 0x1f, 0x89, 0x5c, 0x5d, 0x51, 0x9e, 0x7, 0x61, 0x63, 0xd7, 0x67, 0x7f, 0x9a, 0x30, 0x53, 0xa3, 0x11, 0xe3, 0x81, 0xda, 0xa8, 0x1b, 0xbe, 0x18, 0x4b, 0xc4, 0x90, 0x49, 0xe4, 0x59, 0x3e, 0x10, 0xaf, 0x95, 0xed, 0xd5, 0xc7, 0x61, 0x92, 0xac, 0x8d, 0xa7, 0xab, 0xe8, 0xec, 0xd3, 0xb8, 0x94, 0x93, 0x99, 0xb0, 0x82, 0xbe, 0x83, 0xfe, 0xad, 0x16, 0x9a, 0xf0, 0x30, 0x68, 0xb1, 0xd9, 0xd7, 0x94, 0xc1, 0x1a, 0xc4, 0x43, 0x17, 0x7f, 0x2e, 0xc8, 0x82, 0xdd, 0xaf, 0x5b, 0xca, 0xf, 0xda, 0x5f, 0xc1, 0x14, 0x6, 0xdf, 0xad, 0x37, 0xae, 0xa8, 0xa7, 0x43, 0xb0, 0x74, 0x4c, 0x73, 0x71, 0x9e, 0xa1, 0xaf, 0xa6, 0x3b, 0x2e, 0xf, 0x45, 0x9c, 0x7e, 0x43, 0xd5, 0x15, 0xb1, 0x42, 0xe2, 0x67, 0xfe, 0x83, 0x58, 0x4a, 0xc2, 0x53, 0x19, 0x2c, 0xc2, 0xbd, 0x43, 0x51, 0xf9, 0xf5, 0x53, 0x6b, 0x7c, 0xce, 0xa9, 0xa2, 0x99, 0x6d, 0x17, 0x1b, 0x95, 0x65, 0x24, 0x64, 0x1b, 0x8, 0x5c, 0xb9, 0x36, 0x8d, 0x29, 0xb1, 0xe6, 0x9e, 0x9a, 0x1d, 0xb8, 0x5b, 0x50, 0x53, 0xb0, 0x70, 0xba, 0xf2, 0x61, 0x9e, 0x6f, 0x3f, 0x53, 0xd4, 0xfa, 0x8a, 0xc9, 0x16, 0x7e, 0xd0, 0x6a, 0x4a, 0xeb, 0xe7, 0xbb, 0x94, 0x16, 0x9f, 0x8e, 0xbc, 0xb0, 0x3c, 0xd9, 0xce, 0xeb, 0xdf, 0xb, 0x39, 0xf3, 0xb1, 0xf2, 0xd7, 0x76, 0xc6, 0x72, 0x12, 0xb6, 0xa5, 0x8c, 0x1b, 0x7a, 0x9f, 0xa9, 0x27, 0xe1, 0xc2, 0xc9, 0xbf, 0xbe, 0x4e, 0xbf, 0x97, 0xd9, 0x5d, 0xc, 0x50, 0x2, 0x46, 0xf, 0x23, 0x11, 0x47, 0x1c, 0x77, 0x9, 0x7f, 0xc1, 0x9, 0xf, 0x2, 0x7c, 0xb3, 0x8e, 0x5, 0x8b, 0xe3, 0xe5, 0xfe, 0x4b, 0x3d, 0x69, 0xab, 0xc0, 0xcb, 0x53, 0x46, 0x1f, 0xeb, 0x89, 0x92, 0xa7, 0xf5, 0x70, 0x17, 0x39, 0x2b, 0x4d, 0xa4, 0x82, 0xeb, 0x44, 0xe, 0x91, 0xd7, 0xd4, 0xe4, 0x2a, 0x71, 0x69, 0x3f, 0x1e, 0x9d, 0xe6, 0x42, 0xe, 0x82, 0x6a, 0xac, 0xd6, 0xc4, 0x11, 0xbf, 0x4c, 0x22, 0xc4, 0x42, 0xe5, 0xf3, 0xe7, 0xb5, 0x1c, 0x94, 0x9d, 0x44, 0x1c, 0xe8, 0xb4, 0xd6, 0x78, 0xe8, 0x50, 0x54, 0x16, 0xbd, 0x72, 0x5d, 0x54, 0xac, 0x25, 0xee, 0x8a, 0xe2, 0x61, 0x6a, 0x78, 0x25, 0x95, 0xab, 0xc7, 0x9d, 0xda, 0x54, 0xb, 0x4d, 0xe8, 0x26, 0xf2, 0x3d, 0x42, 0xb5, 0x42, 0x20, 0x87, 0x9b, 0xeb, 0x4e, 0xb6, 0xa8, 0xdf, 0xf6, 0x90, 0x59, 0x82, 0x57, 0x20, 0xac, 0x7a, 0xc7, 0xf4, 0x21, 0xeb, 0x96, 0xf6, 0x4f, 0xaf, 0x73, 0xb2, 0xaa, 0xe4, 0xc3, 0x79, 0x1a, 0xf1, 0xb3, 0x36, 0x94, 0x2e, 0x92, 0xbc, 0x29, 0x7a, 0xa2, 0xd9, 0xd6, 0xf8, 0x7e, 0x80, 0xff, 0x6c, 0x74, 0xf6, 0x33, 0xf8, 0xa8, 0xf3, 0xc7, 0xca, 0x90, 0xa9, 0xfe, 0x65, 0x6f, 0xe4, 0x21, 0xa9, 0xb0, 0xdd, 0xca, 0xc5, 0xd5, 0x5f, 0x91, 0x55, 0x45, 0x61, 0x78, 0x16, 0xf0, 0x41, 0xbd, 0x58, 0xfb, 0x6f, 0x42, 0x34, 0x44, 0x6f, 0x34, 0x4, 0xc2, 0xdb, 0x14, 0x36, 0x94, 0x55, 0x80, 0x7f, 0x9b, 0x96, 0x5a, 0xfe, 0x20, 0xdd, 0xf3, 0x9a, 0xa3, 0x99, 0xe8, 0x56, 0xe9, 0x59, 0x9d, 0xc0, 0x56, 0x6f, 0xd0, 0x8f, 0x68, 0xca, 0xe4, 0x72, 0x79, 0x2, 0xdf, 0xd, 0xf7, 0x8a, 0xa4, 0x9d, 0x60, 0x9a, 0x5e, 0x4, 0xf, 0x1f, 0x69, 0xe, 0x27, 0x61, 0xee, 0xcd, 0x82, 0xdd, 0xa9, 0xd3, 0x18, 0xef, 0xa0, 0x63, 0xca, 0x3, 0x89, 0xbd, 0xa3, 0x6c, 0x3d, 0x35, 0xee, 0xb7, 0x9f, 0x3, 0x7d, 0xf4, 0xab, 0x9c, 0xa0, 0xb4, 0xa7, 0x8e, 0xde, 0x67, 0x1c, 0x1, 0xda, 0xda, 0x4c, 0x92, 0x15, 0x92, 0x74, 0x37, 0x56, 0xa0, 0xf9, 0x31, 0x9d, 0xbb, 0xb9, 0x1d, 0x26, 0xf1, 0xb4, 0x59, 0x54, 0x9c, 0x4e, 0xb7, 0x29, 0x14, 0x55, 0x53, 0x1f, 0xa7, 0x6e, 0x6f, 0x2e, 0x18, 0xbe, 0x73, 0x5, 0xc5, 0xdf, 0x7c, 0xb0, 0xa3, 0xd3, 0x44, 0x8d, 0xbe, 0x62, 0xda, 0xaf, 0xa1, 0x9b, 0xd3, 0x65, 0xab, 0x52, 0xcb, 0xd2, 0xcf, 0x9b, 0x2, 0x18, 0x57, 0xa9, 0x47, 0xd5, 0x11, 0xdf, 0x75, 0xa6, 0x38, 0xe0, 0xc1, 0x7d, 0x12, 0xac, 0x20, 0x63, 0x5c, 0x8c, 0xf3, 0xef, 0x9d, 0x72, 0x53, 0x2c, 0xd, 0xa9, 0xd4, 0x8f, 0xdf, 0xb7, 0xd3, 0x7c, 0x1e, 0x68, 0xec, 0xb0, 0x74, 0x9b, 0xe5, 0x7, 0xb4, 0xda, 0x23, 0xa6, 0xb5, 0x5c, 0xc6, 0x40, 0xb3, 0x76, 0x15, 0x36, 0xbd, 0xcd, 0x2c, 0x39, 0x28, 0x7d, 0x5a, 0x41, 0x84, 0xa1, 0x30, 0x78, 0x6f, 0xe9, 0xd8, 0xc1, 0x84, 0xc1, 0x61, 0xfc, 0x43, 0x5e, 0x84, 0xb6, 0x89, 0xb1, 0x57, 0xab, 0xd3, 0xe0, 0x75, 0x23, 0x28, 0xf3, 0xa8, 0x1d, 0x18, 0xb1, 0x67, 0x4b, 0xa3, 0x4f, 0xb8, 0x52, 0xee, 0x99, 0xb2, 0xd0, 0x1e, 0x62, 0x76, 0x6, 0x99, 0xad, 0xe1, 0x8d, 0x17, 0x9b, 0x65, 0x40, 0xd5, 0x56, 0x7b, 0xe6, 0x1d, 0xd5, 0x1, 0xc2, 0x38, 0x75, 0xc4, 0x27, 0x2c, 0x2a, 0x5c, 0xf, 0xa4, 0x38, 0xc8, 0x6e, 0x85, 0x33, 0xc3, 0x85, 0x7e, 0x2f, 0x3b, 0x30, 0xa9, 0x86, 0x9b, 0x8f, 0x98, 0x71, 0x21, 0x46, 0xce, 0x5f, 0xb5, 0xac, 0x38, 0xc1, 0xf6, 0x5b, 0x93, 0x5b, 0x12, 0x12, 0x66, 0x25, 0x67, 0x7d, 0xea, 0x30, 0xa2, 0xb9, 0x1a, 0xe5, 0xf4, 0xb5, 0x1e, 0xef, 0x78, 0x7c, 0x6, 0xae, 0x8a, 0xc9, 0x87, 0x5, 0xa6, 0x9c, 0xca, 0x77, 0x3c, 0x1b, 0xce, 0xb3, 0x57, 0xf0, 0xb5, 0x54, 0x4d, 0x3d, 0x55, 0x2a, 0x3d, 0xab, 0x21, 0xcd, 0xb2, 0x68, 0xe4, 0x89, 0x92, 0xd3, 0x93, 0xc3, 0x22, 0xf0, 0x4, 0xe5, 0xf9, 0x3a, 0x1, 0xa5, 0xd4, 0xe1, 0x21, 0xab, 0xcb, 0x8a, 0xc2, 0xc2, 0x78, 0x3f, 0x28, 0xe3, 0x9f, 0xf9, 0x6b, 0x22, 0xf6, 0x35, 0x8b, 0xf3, 0x69, 0x1e, 0x29, 0xe, 0x74, 0x42, 0x35, 0xe8, 0x2d, 0x16, 0xc, 0xb2, 0x15, 0x3a, 0x67, 0x61, 0xbe, 0xbd, 0x4f, 0xb0, 0x75, 0xdc, 0x1, 0xc1, 0xa0, 0x94, 0x18, 0xb, 0xe1, 0x56, 0x71, 0x2c, 0xc0, 0x68, 0x1c, 0xd8, 0x1, 0x40, 0x3, 0x92, 0xb5, 0x15, 0xb1, 0xc8, 0x0, 0x5d, 0x22, 0xed, 0xf2, 0x7, 0xb9, 0x83, 0x22, 0x9c, 0x7f, 0x23, 0xc0, 0xe2, 0x70, 0x44, 0x2f, 0xf3, 0xa2, 0xe, 0x95, 0x4e, 0xbe, 0x58, 0xc1, 0xf7, 0x25, 0xb7, 0x63, 0x54, 0xae, 0xb1, 0xfa, 0xca, 0x1d, 0xf, 0x4, 0xfc, 0xa2, 0x1b, 0x87, 0x51, 0xed, 0x59, 0x57, 0xd6, 0xdd, 0x6, 0xe2, 0xbe, 0xdb, 0x35, 0x6d, 0xa9, 0xf3, 0x2f, 0x11, 0xdd, 0xcb, 0xe7, 0x58, 0xe7, 0x6b, 0x7, 0x68, 0x19, 0x38, 0x88, 0x5d, 0x1f, 0xc9, 0x8, 0x72, 0x7e, 0x73, 0x2d, 0x76, 0x37, 0xec, 0x86, 0x62, 0xab, 0x83, 0x5f, 0xa1, 0xa7, 0x5f, 0x94, 0x9d, 0x64, 0xaa, 0x98, 0x33, 0x9, 0xef, 0x72, 0x37, 0xec, 0x77, 0xf4, 0xb1, 0x17, 0x8c, 0x9, 0x1e, 0x2b, 0xf5, 0x66, 0x11, 0x7, 0x52, 0xc9, 0xde, 0xcc, 0xb0, 0xd1, 0xbf, 0x84, 0x8b, 0x3c, 0xed, 0xe4, 0xa9, 0x55, 0x14, 0xf3, 0xfe, 0xa1, 0x39, 0xbd, 0x26, 0x94, 0x2b, 0x3f, 0xb9, 0x6e, 0x8e, 0x63, 0x5f, 0x4f, 0x1b, 0x34, 0xf9, 0x2b, 0xd3, 0x1e, 0x2a, 0xba, 0xa9, 0xd5, 0x42, 0x4d, 0x21, 0x13, 0x3c, 0xd6, 0xc5, 0xc7, 0x6d, 0x31, 0x89, 0x4a, 0x96, 0xd2, 0x51, 0x18, 0x51, 0xca, 0x6, 0x96, 0x75, 0xd1, 0xbd, 0x7b, 0xe5, 0xcf, 0xe, 0xc1, 0x2e, 0xb1, 0xb5, 0xc2, 0xa0, 0x35, 0x56, 0xb6, 0xc7, 0x82, 0xbd, 0x67, 0x1c, 0x16, 0xcd, 0xd5, 0xc7, 0xdd, 0xcc, 0x32, 0x3a, 0xae, 0x85, 0x89, 0x2e, 0xe3, 0x29, 0x55, 0x1a, 0xd1, 0x44, 0x94, 0xba, 0x7a, 0x1a, 0xfa, 0x27, 0x24, 0x2, 0xed, 0x64, 0xe9, 0xa, 0x77, 0xa1, 0x24, 0x2d, 0x39, 0x28, 0x15, 0xcd, 0x2f, 0xc7, 0x12, 0x2c, 0xce, 0x52, 0xa1, 0x87, 0x11, 0xc5, 0xf8, 0xea, 0x9f, 0xf6, 0xed, 0xa7, 0x4d, 0x1e, 0x74, 0xec, 0x67, 0xbb, 0x5, 0x45, 0x43, 0x11, 0x8, 0x32, 0xf, 0xdf, 0x47, 0xb1, 0x92, 0x97, 0xbb, 0x7, 0xcb, 0xfa, 0x56, 0xe4, 0x29, 0x62, 0x8f, 0xe9, 0x7, 0xe0, 0xf3, 0xf, 0xba, 0x6f, 0x52, 0xf4, 0x3, 0xd1, 0x62, 0x79, 0x9d, 0x33, 0xb0, 0xf7, 0xbe, 0x33, 0x4f, 0xc1, 0xfe, 0x9b, 0xb5, 0x7b, 0x35, 0x41, 0x98, 0xba, 0xf5, 0x8e, 0xe2, 0x67, 0xb, 0x1e, 0xae, 0x69, 0xe1, 0x18, 0xcb, 0x99, 0x46, 0x9a, 0x2c, 0x20, 0xbd, 0x6b, 0x1e, 0x33, 0xe, 0xcd, 0xe, 0xd2, 0x81, 0x5e, 0xaf, 0xe, 0x36, 0x1b, 0x57, 0x45, 0x1d, 0x1c, 0x10, 0x58, 0xea, 0x9f, 0xcd, 0x52, 0x4, 0x88, 0x18, 0x8e, 0x78, 0x51, 0x66, 0x46, 0xd4, 0x8d, 0x1f, 0x35, 0x26, 0x97, 0xa9, 0xd0, 0x81, 0x72, 0xe3, 0x22, 0xd0, 0xbe, 0x44, 0x1f, 0xac, 0xdb, 0x60, 0xea, 0x6e, 0xe, 0x83, 0xf7, 0xa2, 0x6, 0xda, 0x84, 0xc4, 0xd8, 0x23, 0x5b, 0x53, 0xca, 0x50, 0xb0, 0x14, 0x67, 0x89, 0x9b, 0x7a, 0xd9, 0xeb, 0x44, 0x36, 0x8d, 0xdc, 0xb4, 0x77, 0x21, 0xb1, 0xfa, 0xf9, 0x6e, 0x10, 0x9c, 0x5d, 0x4d, 0x53, 0x64, 0xf4, 0x9b, 0xf7, 0xb, 0x36, 0xab, 0xa6, 0x49, 0xa3, 0x37, 0x25, 0x4f, 0x74, 0xc, 0xa0, 0x53, 0x42, 0xc5, 0xc7, 0xd4, 0x69, 0xcf, 0xfa, 0xe5, 0x2d, 0xf8, 0xf0, 0x4c, 0x34, 0x75, 0x47, 0x76, 0x7e, 0x3b, 0x36, 0x4, 0x6d, 0xe3, 0xb2, 0x12, 0xf3, 0x94, 0x68, 0xa5, 0xc9, 0xd1, 0x11, 0xfe, 0xb4, 0x6c, 0x3c, 0xf2, 0xe1, 0x8, 0x40, 0x39, 0xc3, 0xd9, 0x85, 0x6c, 0x32, 0x9f, 0x24, 0xea, 0x85, 0x9a, 0x5e, 0x6, 0x5e, 0x8c, 0x67, 0xa, 0xc6, 0x35, 0xdc, 0xa9, 0xfb, 0x86, 0x9f, 0x4f, 0x94, 0x8b, 0xc0, 0xb0, 0x4a, 0x75, 0x68, 0xd1, 0x61, 0xd6, 0x24, 0x76, 0x9a, 0x42, 0x6f, 0x1d, 0xce, 0x1f, 0x80, 0x69, 0xe7, 0x8c, 0xa5, 0x5f, 0xa8, 0x68, 0xc0, 0x2b, 0xca, 0x5e, 0x5d, 0x54, 0x5c, 0xc3, 0xed, 0xd1, 0x60, 0xf6, 0xa3, 0x6f, 0x27, 0x31, 0xea, 0x67, 0x71, 0xfc, 0xb8, 0xbe, 0x4e, 0x18, 0xa0, 0xae, 0xb0, 0x8d, 0x1d, 0x1a, 0xf2, 0x20, 0xf, 0x12, 0x5e, 0xc3, 0x56, 0x5f, 0x9, 0x6d, 0xd9, 0x5f, 0xaa, 0x33, 0xb7, 0xa9, 0xb, 0x2f, 0x3c, 0x35, 0xf2, 0x5a, 0xf0, 0xcb, 0x47, 0xce, 0xde, 0xa5, 0x82, 0xac, 0xa2, 0x15, 0xf7, 0xe3, 0xf8, 0x8a, 0xf1, 0x3, 0x22, 0x41, 0xa6, 0x7b, 0xc9, 0x60, 0x10, 0xc1, 0x9, 0x4, 0x55, 0xaf, 0xc3, 0x2d, 0x51, 0xaf, 0x46, 0x5, 0x2c, 0xea, 0x56, 0x46, 0x81, 0xf2, 0xf3, 0xaf, 0x8d, 0xc2, 0xfa, 0x94, 0xf4, 0x9e, 0x95, 0x3a, 0xb4, 0xfa, 0x87, 0x5f, 0x10, 0xc5, 0xd4, 0x41, 0x16, 0x89, 0x9, 0x65, 0xbd, 0x7f, 0x6d, 0x8e, 0xf, 0xe8, 0x1a, 0xb0, 0xbd, 0xe6, 0xbe, 0x5f, 0x22, 0x67, 0x9d, 0x60, 0xd8, 0xc4, 0x7f, 0x59, 0x3b, 0x43, 0x3b, 0x38, 0x56, 0xe8, 0x93, 0xb6, 0x6d, 0xe6, 0x44, 0x2f, 0x86, 0xe9, 0xe3, 0x52, 0x92, 0xb5, 0xf7, 0xec, 0x32, 0x5c, 0x66, 0x57, 0x51, 0x78, 0xdb, 0x50, 0x2f, 0x36, 0xae, 0xd7, 0xef, 0x2f, 0x70, 0xc3, 0xb0, 0xef, 0xf, 0x5d, 0x47, 0x54, 0x37, 0x5d, 0xc3, 0xd7, 0x46, 0x6b, 0xb5, 0x8f, 0xd4, 0xa4, 0x98, 0x37, 0x36, 0x33, 0xb6, 0x70, 0xa0, 0xe6, 0x98, 0xdb, 0x8f, 0xd2, 0xf3, 0x89, 0xae, 0x4c, 0xd1, 0x63, 0x63, 0xc8, 0x89, 0xb, 0x97, 0x7d, 0xd2, 0xab, 0x67, 0x21, 0x75, 0x81, 0x89, 0x21, 0xa0, 0xd5, 0x44, 0x74, 0xd4, 0xf7, 0x9b, 0xee, 0x2a, 0xc7, 0xca, 0xaf, 0x3b, 0x8, 0xb3, 0x44, 0x9a, 0x94, 0xbe, 0xde, 0x41, 0x97, 0x38, 0xa5, 0x4f, 0x6a, 0x54, 0x88, 0x93, 0x8e, 0x63, 0xdc, 0x7b, 0x4, 0xa0, 0x9c, 0x41, 0xe6, 0x3f, 0xca, 0x57, 0xea, 0xaa, 0x48, 0xf6, 0x47, 0x70, 0x17, 0xab, 0xfb, 0x41, 0x90, 0x8a, 0xe4, 0x54, 0xa2, 0xdb, 0x6b, 0x57, 0x28, 0xb, 0x8e, 0xda, 0xdc, 0xfd, 0x2a, 0xc7, 0xbc, 0xee, 0x7, 0xe8, 0xbf, 0x77, 0x25, 0xf4, 0x6d, 0x33, 0xd3, 0x7, 0x25, 0x9, 0xe2, 0xbf, 0x44, 0xc2, 0xa8, 0x62, 0x67, 0xe8, 0xdc, 0x8f, 0xc3, 0x9a, 0xc1, 0x91, 0x63, 0x70, 0x38, 0xdd, 0xd5, 0xa5, 0x96, 0x5a, 0xf6, 0x24, 0xd3, 0x21, 0xd4, 0x87, 0xd5, 0x61, 0xea, 0x73, 0x71, 0xa3, 0xa2, 0x73, 0x76, 0xe8, 0x65, 0x8b, 0x77, 0x53, 0x8, 0x80, 0x84, 0x23, 0x3e, 0xb4, 0xba, 0x5, 0x1e, 0x44, 0xf8, 0x10, 0xbe, 0xef, 0x21, 0x46, 0x12, 0xfe, 0x11, 0xfa, 0x7b, 0x5d, 0x68, 0x81, 0x2e, 0x77, 0x7b, 0x4, 0x76, 0xa9, 0x34, 0xbf, 0x81, 0x7d, 0xf2, 0x23, 0xef, 0x48, 0x5f, 0x91, 0xe2, 0x8, 0x76, 0xc2, 0xc3, 0xd5, 0x21, 0xa5, 0xfa, 0x43, 0xb, 0x3b, 0x84, 0x72, 0xca, 0x63, 0x26, 0xfb, 0x13, 0x76, 0x37, 0xb8, 0x4d, 0x1d, 0xb4, 0x29, 0x57, 0x7f, 0x6b, 0x52, 0x3b, 0x58, 0x98, 0x48, 0xb1, 0x87, 0xd1, 0xd3, 0xad, 0xbb, 0xa6, 0x32, 0xb7, 0x0, 0x96, 0xe3, 0x48, 0x20, 0x26, 0xf4, 0x2, 0x8e, 0xe4, 0x9d, 0x3d, 0x38, 0xb6, 0x50, 0x6b, 0x43, 0xad, 0x85, 0x1e, 0x47, 0x81, 0x34, 0x8d, 0xf7, 0xd6, 0xc8, 0x5, 0xd0, 0x6a, 0xea, 0x1, 0x8b, 0x7, 0x5c, 0x1, 0x97, 0xee, 0xaf, 0xc7, 0xd3, 0xae, 0xa2, 0x3b, 0x4e, 0xa9, 0xf1, 0xcd, 0x46, 0xd2, 0xa1, 0xd3, 0x83, 0x1, 0xe5, 0x42, 0x7a, 0xf4, 0xdf, 0x41, 0xb5, 0x68, 0x52, 0x4b, 0xd5, 0xbc, 0xe9, 0x23, 0x4e, 0x30, 0xcf, 0x24, 0x3f, 0x24, 0x36, 0x6e, 0x12, 0x16, 0xf8, 0x87, 0x43, 0x61, 0x6d, 0xb, 0x3b, 0x3, 0x6a, 0xa4, 0x26, 0x7c, 0x77, 0x2d, 0x8b, 0x45, 0xc8, 0x1b, 0xaf, 0x9c, 0xe7, 0x7d, 0x52, 0xba, 0x1, 0xc4, 0x25, 0xb6, 0xbb, 0x61, 0x42, 0xd4, 0x46, 0x13, 0xe, 0xc7, 0x4b, 0x7b, 0x28, 0x4b, 0xc4, 0x96, 0x4b, 0x2f, 0x56, 0x54, 0x52, 0xc7, 0x93, 0x84, 0x65, 0x20, 0x4a, 0xa2, 0xb8, 0xfe, 0x49, 0xf9, 0x23, 0x3f, 0xa5, 0x2c, 0xf5, 0xd1, 0xfe, 0xeb, 0x17, 0x53, 0x48, 0xfb, 0xbc, 0xbe, 0x1b, 0x69, 0x9b, 0x5d, 0xa0, 0x78, 0x62, 0x6b, 0xff, 0x17, 0x56, 0xbd, 0x9e, 0xc9, 0xe3, 0xc5, 0x34, 0x1b, 0x24, 0x6a, 0x15, 0x84, 0x17, 0x2e, 0x24, 0x64, 0xfc, 0xdf, 0x67, 0x5d, 0x69, 0x2f, 0x48, 0x6, 0x42, 0x11, 0xc0, 0x27, 0xee, 0xe, 0xce, 0x67, 0xb9, 0x5d, 0xb, 0xc8, 0x21, 0x51, 0x37, 0xdb, 0x65, 0xa0, 0xcc, 0x1e, 0xa3, 0x3c, 0x56, 0x7a, 0x2e, 0x7e, 0xa0, 0x38, 0x52, 0x4e, 0xfc, 0x6f, 0xe5, 0x54, 0xd8, 0xce, 0x32, 0x66, 0x29, 0x6c, 0x3d, 0x85, 0xb8, 0x70, 0xaf, 0x1a, 0x7d, 0x9d, 0xe9, 0x59, 0x64, 0x68, 0x2d, 0xd9, 0xba, 0xc3, 0xaf, 0x5b, 0xba, 0xc8, 0xc, 0x46, 0xbf, 0x78, 0x9c, 0xa3, 0x5a, 0x95, 0x18, 0x19, 0x95, 0x43, 0x5a, 0x14, 0xe3, 0xe4, 0x5f, 0xa8, 0x17, 0xb5, 0xf8, 0x6f, 0x90, 0xb8, 0xfc, 0xd0, 0x34, 0x2, 0xe6, 0x23, 0x1b, 0x6, 0xf2, 0xac, 0x42, 0xe5, 0xff, 0x9c, 0xb5, 0x4c, 0x6b, 0x1f, 0x19, 0x7e, 0x28, 0xd8, 0x77, 0xd8, 0x9, 0xdc, 0x7d, 0x85, 0x21, 0x41, 0x89, 0x67, 0x14, 0x8c, 0x47, 0x23, 0x1c, 0xa4, 0x5e, 0xe0, 0xb6, 0x56, 0xc0, 0xf0, 0xbb, 0xfe, 0x94, 0x15, 0xb0, 0x53, 0x4b, 0xda, 0x82, 0x8, 0x86, 0xdb, 0xfa, 0x91, 0x67, 0x52, 0xf7, 0xf6, 0xcd, 0x74, 0x7b, 0x2d, 0x83, 0x9e, 0x4, 0x34, 0xa, 0xb9, 0xc2, 0xcc, 0x81, 0x35, 0xa4, 0xc, 0xb1, 0x60, 0x93, 0xb8, 0x9e, 0x63, 0x73, 0x1b, 0xa7, 0xe4, 0xe1, 0x1f, 0x33, 0xba, 0x4f, 0x19, 0xf9, 0x72, 0x80, 0x93, 0x6b, 0xfd, 0x6f, 0x32, 0x90, 0x67, 0x65, 0x1c, 0x27, 0x53, 0x6e, 0xce, 0x72, 0x42, 0xf1, 0x44, 0x64, 0x20, 0x67, 0x34, 0x58, 0x33, 0xb2, 0xa3, 0x34, 0xf7, 0xc0, 0x60, 0x68, 0xef, 0x90, 0x5a, 0x20, 0x26, 0x95, 0xd, 0xbb, 0xe2, 0x4, 0x17, 0xe7, 0x8b, 0xcb, 0xfa, 0x83, 0xf3, 0x2, 0x1e, 0x87, 0x18, 0x24, 0x57, 0xc1, 0x82, 0x40, 0x81, 0x76, 0x17, 0xd7, 0x73, 0x0, 0xc2, 0x29, 0xd0, 0x4a, 0x91, 0xcc, 0x28, 0xe7, 0x87, 0xe5, 0xeb, 0xc1, 0x86, 0xf1, 0xfd, 0xd5, 0xbc, 0x61, 0x22, 0x3c, 0xdb, 0x6f, 0xe9, 0xf8, 0xf9, 0xf2, 0xa6, 0x14, 0xd0, 0x30, 0xd2, 0x49, 0xec, 0x4f, 0x23, 0xce, 0x3e, 0x96, 0xd9, 0xa8, 0x5, 0x96, 0xc5, 0x25, 0x20, 0x86, 0x9a, 0x92, 0xf8, 0x19, 0x45, 0x44, 0x87, 0x39, 0x6a, 0x47, 0xbf, 0x12, 0x65, 0xff, 0xb6, 0x1, 0x91, 0x7d, 0xcf, 0x9, 0xd8, 0x64, 0x8a, 0x59, 0xca, 0x56, 0xbe, 0x93, 0x49, 0x77, 0xec, 0xd7, 0x15, 0x36, 0xb3, 0xcb, 0x85, 0x97, 0x89, 0x10, 0xad, 0xe3, 0xee, 0x2, 0xfd, 0x92, 0xa0, 0xb8, 0x70, 0x52, 0x14, 0x30, 0x35, 0x3d, 0x6b, 0xa8, 0x75, 0xb6, 0x12, 0x85, 0xc6, 0x98, 0x3d, 0x32, 0xf, 0xb4, 0xeb, 0x62, 0x85, 0xc7, 0x8b, 0x4b, 0xde, 0x9c, 0x3f, 0x41, 0x54, 0x1f, 0x30, 0x7d, 0x64, 0x56, 0xab, 0x2b, 0x4f, 0xfb, 0xe4, 0xa5, 0x23, 0xec, 0xbf, 0x1c, 0x2d, 0x25, 0x2b, 0x1d, 0xd, 0x12, 0x77, 0xe1, 0xbb, 0x76, 0xd5, 0xfc, 0x34, 0x1a, 0x73, 0x83, 0x3e, 0x7d, 0x42, 0x4, 0x8e, 0x6e, 0x83, 0xed, 0x8e, 0x2, 0xb9, 0x2b, 0x7c, 0xca, 0x12, 0xb6, 0xf8, 0xcf, 0x6a, 0xb3, 0x3a, 0xc7, 0xd9, 0xd3, 0xef, 0xe5, 0x8f, 0xb8, 0xb3, 0x4e, 0xea, 0xed, 0xc6, 0x6b, 0x2a, 0xbe, 0x77, 0xec, 0x8e, 0x48, 0x33, 0x31, 0xb9, 0x43, 0xe1, 0x6, 0x71, 0xb1, 0x66, 0xf5, 0x1f, 0xf4, 0x32, 0xfa, 0x4e, 0x65, 0x72, 0x91, 0x9e, 0x46, 0xa3, 0x3f, 0xc2, 0x41, 0x4, 0xf, 0x48, 0xb4, 0x2e, 0x9a, 0x98, 0xc1, 0xb0, 0x2e, 0x71, 0xb4, 0xa7, 0x9c, 0xa2, 0x93, 0xf, 0xba, 0xcb, 0x3c, 0x8c, 0x42, 0x19, 0xd6, 0x14, 0x5c, 0x20, 0x6e, 0x86, 0x16, 0x64, 0xb3, 0x57, 0x79, 0xdb, 0x90, 0x4e, 0x8b, 0xac, 0x45, 0x1d, 0x69, 0x32, 0x4, 0x50, 0x3, 0x4e, 0xf6, 0xac, 0x59, 0xa7, 0x7, 0x17, 0x25, 0x97, 0x9c, 0x9c, 0xd8, 0x14, 0x5, 0xc3, 0x7f, 0xe6, 0xa8, 0x7f, 0x14, 0x1, 0x17, 0xbe, 0x85, 0x20, 0xab, 0x8b, 0xb, 0x2e, 0x9e, 0x57, 0x4e, 0x28, 0xac, 0x24, 0x18, 0x65, 0xd5, 0x64, 0x36, 0x89, 0x74, 0x25, 0x43, 0xd, 0x89, 0xa3, 0x68, 0x5e, 0xc5, 0x6e, 0x5e, 0x7c, 0x8a, 0x5a, 0xc8, 0x39, 0x43, 0xb, 0xe9, 0x12, 0xbf, 0x55, 0xb6, 0x22, 0xf9, 0x85, 0x6b, 0x84, 0x31, 0x0, 0xd7, 0xf4, 0xb, 0x4d, 0xce, 0x54, 0x9a, 0x95, 0x42, 0xa1, 0xf1, 0x3a, 0xe8, 0xf4, 0xd7, 0xf9, 0xd4, 0x85, 0xb2, 0x5c, 0x95, 0x6f, 0x91, 0xba, 0xda, 0xff, 0x99, 0xe0, 0xb0, 0x7b, 0xe5, 0x52, 0xd1, 0xb0, 0xea, 0x34, 0x30, 0xa4, 0x28, 0xf8, 0xce, 0xa9, 0xb8, 0xa2, 0xff, 0x36, 0xa, 0x1a, 0x5, 0xec, 0xb9, 0x7e, 0x40, 0x17, 0x55, 0x72, 0xe6, 0x68, 0xea, 0x96, 0x60, 0x79, 0x9c, 0xfb, 0x77, 0x3c, 0xfb, 0xfb, 0xb5, 0x3d, 0x85, 0x1a, 0xa5, 0x64, 0xe8, 0xa9, 0x4b, 0x47, 0x21, 0x8b, 0x1b, 0x8a, 0x6e, 0x99, 0x76, 0x26, 0x6c, 0x28, 0xa, 0x12, 0x94, 0x26, 0x36, 0x82, 0x7c, 0xdb, 0xa5, 0x83, 0x83, 0x48, 0x9a, 0x1e, 0xe6, 0x6d, 0x21, 0x84, 0x9f, 0x3, 0x50, 0xd7, 0x7d, 0x85, 0xcd, 0x43, 0xad, 0x7, 0xd, 0x2, 0xab, 0x59, 0xc6, 0x12, 0xda, 0x48, 0xae, 0x37, 0x94, 0xad, 0x52, 0x54, 0xe6, 0xeb, 0xc2, 0x49, 0x64, 0xc1, 0xd7, 0xf9, 0x2c, 0x1c, 0x4c, 0x7c, 0xcc, 0xab, 0xe5, 0x95, 0xee, 0x6a, 0x88, 0x20, 0x13, 0xc, 0x17, 0xae, 0xbe, 0x56, 0x90, 0x7b, 0xbb, 0x62, 0xd6, 0xc0, 0xdb, 0x50, 0xb2, 0xa5, 0xc8, 0x3, 0x23, 0x1d, 0xc1, 0x32, 0x14, 0xd8, 0x4e, 0x9f, 0x76, 0x3, 0x1f, 0x12, 0x69, 0xa6, 0x7d, 0x28, 0x98, 0x53, 0x84, 0xfd, 0xa5, 0xc7, 0x3a, 0x2, 0xdd, 0xcc, 0x3b, 0x94, 0xda, 0xda, 0x14, 0xd1, 0xb0, 0xf6, 0x7e, 0x21, 0xc3, 0x84, 0x8b, 0x22, 0x3f, 0x93, 0x7c, 0x7a, 0x47, 0xa9, 0x52, 0x82, 0xb, 0x44, 0xfd, 0x8a, 0x72, 0xf6, 0x5e, 0x5e, 0xbd, 0xe4, 0x6c, 0x59, 0xd8, 0x3b, 0x5c, 0x3e, 0x2d, 0x2c, 0xf2, 0xf5, 0x80, 0x8b, 0x91, 0xc5, 0x6c, 0xbb, 0xb7, 0x40, 0x50, 0x8d, 0x36, 0x1c, 0xa1, 0x95, 0x26, 0xa1, 0x42, 0x61, 0xb6, 0x70, 0xea, 0x19, 0xeb, 0x3a, 0x58, 0xac, 0x60, 0x37, 0x24, 0xab, 0xe, 0x98, 0xbb, 0x7c, 0x31, 0xc8, 0x54, 0x26, 0x5e, 0x55, 0x8c, 0xc0, 0x8c, 0x7f, 0x30, 0xd8, 0xe6, 0x20, 0x65, 0x2d, 0xfe, 0x93, 0x89, 0x42, 0x57, 0xf3, 0x47, 0xf1, 0xe9, 0xf1, 0x6c, 0xfd, 0xd2, 0x14, 0x7d, 0x9c, 0x5f, 0xb0, 0xcb, 0x4f, 0x2d, 0x64, 0xd0, 0xec, 0xa3, 0xf7, 0x41, 0x73, 0x8e, 0xf0, 0xfe, 0x83, 0xad, 0x5c, 0x11, 0x63, 0x3a, 0xa0, 0x23, 0x3f, 0x64, 0x43, 0xb7, 0x5a, 0xe6, 0xab, 0x78, 0x8a, 0xd3, 0x9c, 0xc8, 0xed, 0x35, 0xb1, 0x75, 0x7c, 0xbf, 0x68, 0xf5, 0xd, 0x53, 0x2e, 0x75, 0xd8, 0x3d, 0x82, 0xc6, 0x8, 0xe3, 0x76, 0x4a, 0x5c, 0xf8, 0x37, 0xcf, 0x8a, 0xe6, 0xb2, 0x55, 0x99, 0x4c, 0x85, 0xaf, 0x32, 0xab, 0x3d, 0xdf, 0x44, 0xa5, 0x93, 0xf4, 0x5c, 0xa2, 0xf5, 0xc3, 0x8e, 0x4b, 0xeb, 0x2f, 0x62, 0x1a, 0x64, 0x27, 0x8f, 0x4d, 0x49, 0xbc, 0xdc, 0xf0, 0xaa, 0xf7, 0xb4, 0x7b, 0x5b, 0xb4, 0xbb, 0x70, 0xf9, 0x51, 0xe5, 0x7d, 0xe5, 0xa2, 0x2c, 0x9f, 0xe4, 0xf3, 0xd0, 0xcf, 0xef, 0x76, 0x5c, 0x1f, 0x9, 0x87, 0xe5, 0xec, 0xae, 0x79, 0x7d, 0x16, 0xdd, 0xe, 0x92, 0x32, 0xc1, 0x7e, 0x7d, 0xfa, 0xa2, 0xf8, 0x9d, 0x3, 0x91, 0xaf, 0x30, 0xbb, 0xc0, 0x6, 0x62, 0xf4, 0x59, 0x6b, 0x67, 0x22, 0xf5, 0xe2, 0xf5, 0x1f, 0x66, 0x1d, 0xa5, 0x6e, 0x39, 0xa0, 0xf4, 0x11, 0x26, 0x7a, 0x7d, 0x80, 0x45, 0x14, 0x6c, 0x50, 0x24, 0x9b, 0x5a, 0x75, 0x5, 0x57, 0xda, 0x60, 0x9e, 0x31, 0x1a, 0x1f, 0x32, 0xcc, 0xc8, 0x8f, 0x7d, 0xd6, 0x33, 0x94, 0x4d, 0x2d, 0x64, 0x83, 0x96, 0xd2, 0x7d, 0x6a, 0x8f, 0xcb, 0xa5, 0x7f, 0x7, 0xde, 0x7b, 0x9b, 0xdb, 0x91, 0x65, 0x57, 0xfb, 0x16, 0x97, 0x41, 0x25, 0x3d, 0x17, 0x13, 0xff, 0x40, 0xb3, 0xd5, 0x9d, 0x59, 0x30, 0xea, 0xc5, 0x76, 0xfe, 0xb0, 0x97, 0x52, 0x6b, 0xfc, 0xdc, 0x5a, 0x8f, 0xab, 0xc8, 0x68, 0x69, 0x1c, 0x8d, 0x92, 0x1c, 0x90, 0xf5, 0xc7, 0x23, 0xf7, 0x2, 0xd4, 0x73, 0x97, 0x21, 0xc3, 0x3, 0x42, 0x47, 0xdd, 0x51, 0x1b, 0xa3, 0x6a, 0x7c, 0xdf, 0x3c, 0xe2, 0x2b, 0x55, 0x7a, 0xe3, 0x49, 0x3d, 0x87, 0x6e, 0x5a, 0xb, 0xe8, 0xbe, 0xfe, 0x57, 0x39, 0xe7, 0xd8, 0x7b, 0xe4, 0xbe, 0xec, 0xc5, 0x75, 0xbf, 0x63, 0xae, 0x94, 0x49, 0xd4, 0x79, 0x23, 0x89, 0xfb, 0x38, 0xf, 0xd0, 0x8b, 0x16, 0x30, 0x31, 0x53, 0xd0, 0xe4, 0x8e, 0xd4, 0x75, 0x33, 0xdf, 0x5c, 0xdb, 0xaa, 0x77, 0x4f, 0x55, 0x69, 0x67, 0x69, 0x3c, 0x96, 0xe8, 0x96, 0x33, 0x4e, 0x67, 0xfd, 0xd3, 0xf2, 0xdb, 0xdd, 0x2f, 0xe5, 0xe3, 0xd0, 0x99, 0xee, 0xf6, 0xb8, 0xbb, 0x70, 0x2f, 0xae, 0xcb, 0x51, 0x6, 0xb9, 0x51, 0xeb, 0xa8, 0xaa, 0x93, 0x5, 0xbc, 0xc4, 0xef, 0x99, 0xf4, 0x1d, 0xdd, 0x89, 0x86, 0xcd, 0x8e, 0xa5, 0x67, 0xf3, 0x22, 0xa8, 0x99, 0xee, 0x1a, 0xc5, 0x74, 0x82, 0xae, 0xb9, 0x85, 0xd4, 0x95, 0x9c, 0xb3, 0x30, 0x7d, 0x45, 0xd4, 0x14, 0x6c, 0x81, 0xef, 0xc1, 0xbc, 0xb, 0xa9, 0xfe, 0xba, 0xed, 0xa2, 0x59, 0xa4, 0x7a, 0x31, 0x5f, 0x7c, 0x27, 0x42, 0xf4, 0x4e, 0x75, 0x10, 0x21, 0x1, 0x96, 0xf4, 0x20, 0xdc, 0x6e, 0xed, 0x7b, 0xa1, 0xcd, 0x53, 0x98, 0x81, 0x24, 0xe4, 0xdf, 0xc, 0xe7, 0x2c, 0x1e, 0xf7, 0x98, 0x32, 0x79, 0x13, 0x7b, 0x30, 0xbe, 0xdb, 0x78, 0x30, 0x1f, 0x3c, 0x36, 0x99, 0xee, 0x76, 0xe, 0xc2, 0xd1, 0x6d, 0x20, 0xaa, 0x3c, 0x42, 0x57, 0x4b, 0xee, 0x23, 0xe, 0x84, 0xfb, 0x8e, 0x3b, 0x79, 0xc3, 0x4a, 0xa0, 0x8c, 0x1f, 0xed, 0xeb, 0x38, 0x44, 0x93, 0xa2, 0x25, 0xbb, 0x4e, 0x58, 0x66, 0x54, 0x3e, 0x6f, 0x89, 0x69, 0xc0, 0xe, 0xaf, 0x15, 0xc4, 0x3d, 0xa4, 0x5a, 0x9a, 0xb0, 0xdd, 0x3e, 0xc1, 0xf6, 0xb8, 0x9e, 0xd4, 0x4f, 0x20, 0x4, 0x7a, 0x70, 0x16, 0x4f, 0xd7, 0xfc, 0xbd, 0xd5, 0xd0, 0x58, 0x5, 0xfc, 0x56, 0x86, 0xe2, 0x97, 0x36, 0xde, 0xba, 0xce, 0x1, 0x71, 0x73, 0x20, 0x10, 0x2b, 0xa8, 0x47, 0x6, 0x90, 0xe6, 0x87, 0x5f, 0x4f, 0x5, 0x40, 0x8f, 0xd4, 0xe, 0x8e, 0x90, 0x3, 0x38, 0x85, 0x79, 0xd4, 0x33, 0xf6, 0xa9, 0x52, 0xb2, 0x28, 0x4a, 0x9a, 0x3c, 0xd1, 0x8e, 0x64, 0xf, 0x46, 0x1f, 0x76, 0xf6, 0x2e, 0x3e, 0x36, 0x63, 0xd0, 0x36, 0x9b, 0xb, 0x93, 0x53, 0x9b, 0x97, 0xc4, 0x8f, 0xac, 0x73, 0x70, 0x34, 0x97, 0x55, 0xcd, 0x5e, 0xe, 0xe, 0x38, 0x84, 0x39, 0x3c, 0xfe, 0xc4, 0x6b, 0x2c, 0xb2, 0xe3, 0xdf, 0xeb, 0x7b, 0x6c, 0x53, 0x81, 0x4a, 0xba, 0x59, 0x34, 0x69, 0x25, 0xb7, 0xb6, 0x3a, 0xf2, 0x11, 0x2b, 0x92, 0x14, 0x70, 0x37, 0xbc, 0x53, 0xdb, 0x60, 0xfc, 0x5a, 0xab, 0xc8, 0x45, 0x46, 0xa3, 0xf2, 0xb9, 0x20, 0x55, 0x23, 0x2, 0xaa, 0x7, 0xc5, 0xf, 0xce, 0x4c, 0x95, 0xa2, 0x52, 0xe7, 0xc2, 0xe1, 0x7c, 0xbb, 0x31, 0x27, 0x8c, 0x89, 0xb8, 0x8f, 0xe4, 0xc2, 0x91, 0x70, 0x6a, 0x6, 0x9d, 0x8a, 0x7b, 0x13, 0x2c, 0x88, 0x26, 0xe2, 0xa0, 0x82, 0x1b, 0x63, 0x86, 0x49, 0xa2, 0x2d, 0x15, 0x18, 0x35, 0x36, 0xd7, 0x4e, 0x84, 0xc7, 0x27, 0x6e, 0xd8, 0x6f, 0x47, 0x2f, 0x28, 0xdc, 0xef, 0xaf, 0x4, 0xca, 0xda, 0x4e, 0xa0, 0x4d, 0xe3, 0x19, 0x61, 0xbc, 0x6e, 0x25, 0x8b, 0x8b, 0xd7, 0x87, 0x7, 0xe9, 0x13, 0xa4, 0x56, 0x50, 0xbe, 0x74, 0x5a, 0x1d, 0x6, 0xee, 0x82, 0xf5, 0x6f, 0xa1, 0xde, 0xc4, 0x81, 0x17, 0xe4, 0xa2, 0xc8, 0xbf, 0x99, 0x1e, 0xc8, 0xb0, 0xe0, 0x2d, 0x7e, 0x54, 0xb, 0x69, 0x4d, 0x4f, 0x62, 0xe4, 0x9a, 0xcc, 0xbd, 0x5d, 0x54, 0x83, 0x3a, 0x8e, 0x1e, 0x9b, 0x40, 0xb6, 0xdb, 0x73, 0x25, 0x39, 0x35, 0xc9, 0xa6, 0xc4, 0x60, 0x29, 0x48, 0x98, 0x87, 0xe1, 0x5a, 0xad, 0x59, 0x10, 0xf0, 0x96, 0x9d, 0x55, 0x4d, 0x27, 0x1e, 0x15, 0x38, 0x1, 0x6c, 0xdb, 0xb8, 0xd3, 0xc0, 0x18, 0x4f, 0xaf, 0x21, 0x99, 0x6f, 0x83, 0xaa, 0xa3, 0x49, 0x29, 0x60, 0x4, 0x8c, 0x7b, 0xb2, 0xea, 0xdb, 0x3b, 0xbf, 0x40, 0x70, 0xaa, 0x9e, 0x2b, 0x24, 0x91, 0xb0, 0x14, 0x16, 0xe5, 0x79, 0xc4, 0x39, 0x5d, 0xaf, 0x4b, 0xe, 0x2b, 0xde, 0x8e, 0x33, 0x45, 0x39, 0xa5, 0xf0, 0xb7, 0x92, 0xb1, 0x5b, 0x5f, 0x79, 0x12, 0x31, 0x97, 0x9f, 0x5c, 0x71, 0xe1, 0x6e, 0x4e, 0x98, 0x37, 0x44, 0x24, 0xe8, 0xcd, 0x6b, 0xb6, 0xec, 0x58, 0x48, 0xcb, 0x55, 0xee, 0xfb, 0xaf, 0xab, 0x35, 0x67, 0x13, 0x7c, 0x8e, 0xc3, 0xbe, 0x5d, 0x95, 0x15, 0x66, 0x54, 0x53, 0xd1, 0x8a, 0x38, 0x2c, 0x78, 0xc0, 0x51, 0x2f, 0x95, 0xe0, 0xc6, 0x3a, 0xc5, 0xa4, 0x9b, 0xa8, 0xdf, 0x21, 0x1b, 0x2a, 0x78, 0xe6, 0x27, 0x65, 0x7f, 0x5d, 0xec, 0x51, 0xc2, 0x89, 0x7d, 0x87, 0x40, 0x39, 0x90, 0x16, 0x56, 0x8f, 0xc, 0xb3, 0x1a, 0x69, 0xf0, 0xfc, 0x1c, 0x9e, 0x60, 0x21, 0xb, 0xb2, 0xe9, 0xbf, 0x0, 0x3, 0x2a, 0xf4, 0xfa, 0x14, 0xb1, 0xad, 0x2f, 0x53, 0xbf, 0xd1, 0xf5, 0x1b, 0x52, 0xb9, 0xc0, 0x8f, 0x32, 0xde, 0x36, 0xfc, 0x3b, 0x3c, 0xf9, 0x51, 0xbd, 0x60, 0x5f, 0x4e, 0x7a, 0xe, 0x5, 0x89, 0xd9, 0xc2, 0xdb, 0xd2, 0x4e, 0x3d, 0x90, 0x2f, 0x68, 0x83, 0x2d, 0x3b, 0x7c, 0xc8, 0x59, 0xba, 0xe, 0x35, 0x93, 0x7e, 0x9c, 0x4d, 0xc8, 0x9d, 0x8e, 0xd7, 0x26, 0xb2, 0xe, 0xb0, 0x21, 0x9b, 0x5f, 0xae, 0x7b, 0x26, 0xaf, 0x94, 0xd3, 0x3b, 0xe3, 0xae, 0x15, 0x2e, 0xbe, 0x25, 0xcc, 0x86, 0xaa, 0x0, 0xc5, 0x8e, 0x6a, 0x7d, 0xf6, 0xb, 0x4f, 0x58, 0x6, 0x63, 0xf9, 0x44, 0xaa, 0x46, 0x58, 0x78, 0xc2, 0xe0, 0xe7, 0x38, 0xba, 0x86, 0x67, 0x6f, 0x2e, 0x8b, 0x58, 0xce, 0x87, 0xbf, 0x9, 0x3a, 0xee, 0x5f, 0x46, 0x22, 0x70, 0x3b, 0x72, 0x94, 0x23, 0x68, 0x64, 0x14, 0x41, 0xb8, 0x8, 0x29, 0x46, 0xe6, 0x29, 0xe0, 0x2c, 0xb5, 0xe, 0x43, 0x8e, 0xa7, 0xcc, 0x8f, 0xe, 0xb6, 0xad, 0x91, 0xa9, 0x54, 0xb6, 0x62, 0x70, 0xdd, 0x20, 0xe5, 0x6f, 0x9a, 0xc6, 0x28, 0xd4, 0x81, 0x42, 0x15, 0xbf, 0xc2, 0xe2, 0x40, 0x97, 0xb0, 0xfe, 0x4, 0x97, 0xe9, 0xa9, 0x5, 0x22, 0x7a, 0x62, 0x65, 0xc5, 0xfb, 0xc2, 0xd0, 0x73, 0x8d, 0xec, 0xe8, 0x8d, 0xc, 0xc2, 0x8f, 0xed, 0x3e, 0x22, 0x49, 0x3b, 0x36, 0xa8, 0x83, 0x25, 0xe3, 0x1e, 0xa6, 0xb0, 0xc2, 0xc9, 0xb9, 0x6c, 0xb, 0x1a, 0x5c, 0xc8, 0xdb, 0x90, 0xd2, 0xc3, 0xf7, 0x49, 0xac, 0xc1, 0xf4, 0x1e, 0x97, 0xbb, 0xdf, 0xa8, 0xe1, 0x2e, 0x1e, 0xc0, 0xa3, 0x7c, 0x25, 0x5c, 0x61, 0x69, 0xc3, 0x27, 0x14, 0x3a, 0xb4, 0x1f, 0x24, 0xf3, 0x72, 0x34, 0xcb, 0xa7, 0x94, 0xd5, 0x10, 0xbe, 0xa, 0x66, 0x24, 0xc0, 0x5e, 0xc1, 0xed, 0x4c, 0x61, 0x6b, 0x49, 0xd4, 0x76, 0xb1, 0x85, 0xb8, 0xdb, 0x62, 0x4d, 0x73, 0x4, 0xb, 0x87, 0xb5, 0xdd, 0x36, 0xc6, 0x53, 0xb7, 0x2c, 0xc, 0x34, 0xcd, 0x14, 0xe6, 0x80, 0x1c, 0x9a, 0xab, 0xc2, 0xc7, 0x65, 0x4c, 0x4d, 0xb3, 0xaf, 0x84, 0xea, 0xc5, 0xe2, 0xe7, 0x10, 0x46, 0x1d, 0xb5, 0x4a, 0x3c, 0x97, 0x1b, 0x6d, 0x3f, 0x89, 0xc4, 0xa5, 0x5b, 0x94, 0xe9, 0xd7, 0xcd, 0xa3, 0xee, 0x17, 0x44, 0x6, 0x83, 0x49, 0x51, 0x60, 0x2b, 0xdf, 0x6b, 0xad, 0x3c, 0xb2, 0x59, 0x14, 0xc3, 0x26, 0xf7, 0x5c, 0x41, 0xc3, 0xb2, 0x23, 0x4a, 0x35, 0xd6, 0x32, 0x35, 0x96, 0x82, 0x3a, 0xcd, 0xe7, 0x6f, 0xc0, 0x96, 0x56, 0xf6, 0xe9, 0x15, 0x3a, 0xfd, 0x9a, 0x57, 0x30, 0x6, 0x51, 0xed, 0x60, 0x53, 0x18, 0xa6, 0xac, 0xcd, 0x3d, 0x2f, 0x3d, 0x85, 0xc1, 0x3d, 0x70, 0x41, 0x27, 0xa0, 0xf1, 0x33, 0x1a, 0x4a, 0xd8, 0x8a, 0xbd, 0x7c, 0xb0, 0x5c, 0xc3, 0x8c, 0x69, 0x6c, 0x5f, 0xb9, 0xe6, 0x61, 0x65, 0x19, 0xd1, 0x2b, 0x21, 0xd7, 0x4f, 0x7b, 0x61, 0x7e, 0xcd, 0x49, 0xf1, 0x18, 0x2c, 0x19, 0xab, 0x1f, 0x90, 0x4f, 0x29, 0x4f, 0x16, 0x30, 0x70, 0xfe, 0xcb, 0x5f, 0xec, 0xa6, 0x6b, 0x24, 0xe2, 0xb7, 0xfc, 0xe2, 0xe2, 0xc, 0x1a, 0x1a, 0x22, 0xb3, 0x88, 0x7c, 0x1e, 0xc5, 0x88, 0x2d, 0xc9, 0x93, 0xdd, 0xc7, 0x72, 0x59, 0xfb, 0x6, 0x11, 0x8e, 0x14, 0xc2, 0x41, 0x14, 0xf, 0xf6, 0xa0, 0xf5, 0xd4, 0x7d, 0x54, 0x31, 0xf, 0x96, 0x63, 0xb2, 0x52, 0x9b, 0xed, 0xf8, 0x2b, 0xe8, 0x30, 0xc5, 0xc9, 0xe3, 0x1c, 0x2a, 0x77, 0xbb, 0xd, 0x42, 0x25, 0x66, 0x4d, 0x14, 0x72, 0xc1, 0xd9, 0x60, 0x5a, 0xe2, 0x19, 0x55, 0xfa, 0x22, 0x77, 0x4c, 0xf8, 0xbc, 0x13, 0xa7, 0xf7, 0x9e, 0xf8, 0xe, 0xca, 0x8a, 0x22, 0x55, 0xd4, 0x3e, 0xfd, 0x2f, 0x4e, 0xd6, 0x3, 0x4, 0xc9, 0xe6, 0xdd, 0xf5, 0x90, 0xc3, 0xf1, 0x8a, 0xe1, 0x78, 0x76, 0xa6, 0x52, 0x14, 0x73, 0x58, 0xb3, 0xa5, 0xb0, 0xeb, 0x49, 0x83, 0x6c, 0xd6, 0x2e, 0x7e, 0x9e, 0xc2, 0xc5, 0x54, 0xb1, 0xdb, 0x62, 0xa4, 0xed, 0xcf, 0xec, 0xd5, 0xca, 0x69, 0x6b, 0xe6, 0x2d, 0xe4, 0xdb, 0xd6, 0xf2, 0xb2, 0xe5, 0x65, 0x86, 0xf3, 0xed, 0x6a, 0x42, 0x23, 0x57, 0x7f, 0x7b, 0x13, 0x85, 0x8a, 0x48, 0x86, 0xb3, 0xcb, 0x8b, 0xb3, 0x43, 0xcc, 0x15, 0x79, 0xd8, 0x91, 0xd7, 0xf3, 0xa, 0xad, 0x27, 0xba, 0x2c, 0x63, 0xa0, 0x61, 0x6e, 0x0, 0x3c, 0xcd, 0x5c, 0xb3, 0x45, 0x48, 0x92, 0xd, 0x92, 0x65, 0x7f, 0x5c, 0x7c, 0xfb, 0x79, 0x33, 0x4b, 0xb, 0x5, 0x5e, 0xb0, 0x10, 0xdf, 0x6c, 0x52, 0xae, 0xf1, 0x1b, 0xd2, 0x36, 0xe9, 0x88, 0x31, 0x2f, 0xbd, 0x4b, 0x62, 0x39, 0x7b, 0xe0, 0xb3, 0x41, 0xa5, 0x67, 0x13, 0xf3, 0xfc, 0x9b, 0x7b, 0x27, 0x79, 0x36, 0x8a, 0xc8, 0x8e, 0x9f, 0x3, 0x4f, 0x36, 0x6e, 0x84, 0x6e, 0x23, 0x6c, 0xc1, 0xa0, 0xc, 0xa5, 0xde, 0x7c, 0x52, 0x33, 0x7f, 0x6d, 0xb8, 0x26, 0x9, 0x75, 0x7, 0x81, 0xc4, 0xc, 0xe7, 0x98, 0x5, 0x9, 0x36, 0x2a, 0x6c, 0x24, 0xe9, 0x24, 0xf0, 0x52, 0x5e, 0x75, 0xa6, 0xca, 0xaf, 0xb4, 0x9d, 0xa4, 0x7, 0xfa, 0xe0, 0x90, 0x17, 0x83, 0x66, 0x7d, 0xce, 0xc3, 0x15, 0xd6, 0xb0, 0xcb, 0xa6, 0x50, 0xf3, 0x4e, 0x5b, 0xf4, 0x82, 0x69, 0x43, 0xe0, 0x4, 0x85, 0x34, 0x79, 0xec, 0xe3, 0xd8, 0xee, 0x5, 0x49, 0xc9, 0x9e, 0x17, 0x9, 0x35, 0xcb, 0xfd, 0x2c, 0xb9, 0x14, 0xd9, 0xe6, 0xf9, 0xd0, 0x66, 0x52, 0x24, 0x55, 0x69, 0x31, 0xad, 0xd0, 0x50, 0xaa, 0x8b, 0x60, 0x7f, 0x22, 0xca, 0x79, 0x5c, 0x23, 0x77, 0xd8, 0xf9, 0xe5, 0x51, 0xc9, 0x27, 0xc9, 0xf2, 0xf, 0x94, 0x79, 0xe6, 0x30, 0x8c, 0xbf, 0xeb, 0x69, 0x59, 0x20, 0xb6, 0xc4, 0xaf, 0x4a, 0x2c, 0x4f, 0x85, 0xc7, 0xf6, 0x2, 0x3f, 0x56, 0x42, 0x48, 0x3b, 0x98, 0x1d, 0xd5, 0xce, 0x6a, 0x1, 0x55, 0x97, 0x94, 0x99, 0xd8, 0x56, 0xb3, 0xfe, 0xd7, 0x9b, 0xa3, 0xd1, 0x81, 0x2c, 0x2a, 0x8c, 0xe9, 0x4a, 0x93, 0xe6, 0xf, 0x34, 0x44, 0x8f, 0xda, 0x4, 0x79, 0x44, 0x1c, 0xf9, 0x8c, 0x14, 0x26, 0xa9, 0x51, 0xf, 0x5f, 0x18, 0x40, 0x73, 0x90, 0x69, 0xac, 0xce, 0x66, 0x5f, 0xe9, 0xe4, 0xce, 0x16, 0x6c, 0xbe, 0x16, 0x1d, 0xdc, 0x17, 0xbe, 0xc, 0xad, 0x45, 0x55, 0xa0, 0x67, 0x29, 0xb6, 0x7e, 0x6f, 0x71, 0x97, 0x2f, 0xe, 0xdd, 0x91, 0x3b, 0xc3, 0x2d, 0xf3, 0x7f, 0x8b, 0x33, 0xde, 0x76, 0xe9, 0x2f, 0xf5, 0xae, 0xf6, 0xdc, 0x6e, 0x3f, 0x19, 0x43, 0x1c, 0xf7, 0x1c, 0xf5, 0xe3, 0x77, 0xc0, 0xe8, 0xc4, 0x44, 0xe4, 0x15, 0x46, 0xab, 0x9, 0x74, 0xfb, 0x0, 0x8f, 0x2f, 0xb2, 0x89, 0xe2, 0x80, 0xe6, 0x78, 0x7e, 0x5, 0xd1, 0xe5, 0x88, 0xa8, 0x2c, 0x2, 0xe5, 0x3, 0xe2, 0xe4, 0xed, 0x9d, 0x1a, 0x11, 0x87, 0x3c, 0xb, 0x46, 0x9, 0x78, 0x1c, 0xe, 0x9b, 0x5b, 0xc7, 0xab, 0xc9, 0x71, 0x52, 0xc8, 0x51, 0xe7, 0xc9, 0x1d, 0xcc, 0xc7, 0x28, 0x4e, 0x94, 0x8b, 0x8, 0xfa, 0x3c, 0x1d, 0xfa, 0x1f, 0x20, 0x4f, 0x49, 0xc0, 0x9f, 0xf, 0x2d, 0xfe, 0x78, 0x60, 0x1a, 0xd1, 0xf6, 0x40, 0x50, 0x97, 0x9d, 0xd9, 0xb7, 0xc0, 0x54, 0x8, 0x97, 0x9a, 0xae, 0x87, 0x79, 0xfb, 0x2, 0x93, 0x9c, 0xb0, 0xce, 0xf4, 0x3f, 0xa8, 0x32, 0x2c, 0x68, 0x1, 0x2f, 0x50, 0x24, 0x50, 0x68, 0xb1, 0x71, 0x27, 0x35, 0x1e, 0x19, 0x2b, 0x79, 0x66, 0xf2, 0xf6, 0xd, 0x97, 0xfd, 0x87, 0x8d, 0x9c, 0xbb, 0xd0, 0x7, 0xf5, 0xce, 0x21, 0x67, 0x3e, 0x5c, 0x90, 0xfc, 0x2, 0x4c, 0x67, 0xb3, 0xd0, 0xda, 0x70, 0x2d, 0xd5, 0xa4, 0xd, 0x81, 0x18, 0xca, 0xe5, 0xc2, 0x5d, 0x99, 0xdd, 0x69, 0x5c, 0x73, 0xb2, 0x84, 0xa9, 0xa4, 0x5c, 0xde, 0x84, 0x27, 0x25, 0xb9, 0x63, 0xc4, 0xde, 0x52, 0xc8, 0x72, 0x98, 0x1c, 0x2f, 0x9, 0xde, 0xe3, 0xc2, 0x93, 0x35, 0xb0, 0x18, 0x2f, 0xdc, 0x13, 0x98, 0x1, 0xb, 0xd7, 0x19, 0xb2, 0x38, 0x63, 0x42, 0xce, 0x40, 0x4e, 0x15, 0xc9, 0x88, 0xaa, 0x96, 0x0, 0xb0, 0x2c, 0x7b, 0x25, 0xf9, 0x51, 0xad, 0xfc, 0x1, 0xc9, 0xd5, 0x10, 0xee, 0xd0, 0x7e, 0x6c, 0x21, 0xbd, 0x5a, 0x64, 0xe1, 0x7d, 0xf8, 0x57, 0xd5, 0xc3, 0x73, 0x6d, 0x51, 0x39, 0xe1, 0xdc, 0xd1, 0x3a, 0x69, 0x7a, 0x54, 0xbd, 0x3e, 0x3a, 0x7b, 0x76, 0xb4, 0x82, 0xa9, 0xf4, 0x20, 0x4c, 0xc2, 0xb3, 0xb8, 0x29, 0x1d, 0xdc, 0xa6, 0x2d, 0x6b, 0x80, 0x42, 0x44, 0xe1, 0x71, 0xf8, 0x9, 0x0, 0x3, 0xd3, 0x76, 0x92, 0xf4, 0xaa, 0x33, 0xb3, 0xfe, 0xa1, 0x4b, 0xc0, 0xb, 0xc7, 0x9e, 0x3b, 0x58, 0xb5, 0x20, 0x5f, 0x69, 0x95, 0x78, 0xbe, 0xb0, 0x1d, 0xb5, 0x12, 0xd0, 0x89, 0x11, 0x18, 0x84, 0xfc, 0x43, 0x16, 0xf6, 0x5, 0x72, 0xf2, 0x9, 0x64, 0x28, 0x31, 0x88, 0xd5, 0x74, 0x41, 0xd3, 0x40, 0x7b, 0x7c, 0x56, 0x8, 0xcd, 0xa0, 0xfb, 0x64, 0x54, 0xfb, 0xcb, 0xa2, 0xd, 0x59, 0xea, 0xc9, 0x73, 0xd, 0x6d, 0x13, 0x16, 0x77, 0x6f, 0x66, 0xd, 0xa3, 0xf2, 0x38, 0x48, 0x96, 0xa0, 0x2c, 0xa9, 0xc, 0x4e, 0xf, 0x24, 0x45, 0xa5, 0x7f, 0x4b, 0xb8, 0xbe, 0xc1, 0xa8, 0x1, 0x33, 0xef, 0x2a, 0xb9, 0x62, 0xbc, 0xe, 0x93, 0xcb, 0x45, 0xea, 0xcb, 0xb6, 0x9b, 0x5, 0xc7, 0x4a, 0x96, 0x33, 0x98, 0x41, 0x67, 0xf5, 0x96, 0x91, 0xd7, 0x8, 0x7b, 0x3b, 0x86, 0x52, 0xe2, 0x59, 0x60, 0xc, 0x70, 0x56, 0x1c, 0x17, 0x18, 0xda, 0x84, 0xc4, 0x3e, 0x8d, 0xb2, 0x56, 0xee, 0x58, 0x57, 0xa6, 0xe, 0x3b, 0x1, 0x1d, 0x77, 0xa2, 0x7d, 0xb9, 0xe9, 0xc5, 0x54, 0x4b, 0x52, 0xdf, 0xfd, 0x80, 0x5d, 0x30, 0x24, 0xf8, 0xfa, 0xf4, 0x7d, 0x3f, 0x76, 0x97, 0x3a, 0xbf, 0xc1, 0xf5, 0x58, 0x1f, 0x26, 0xf5, 0x81, 0xcc, 0x71, 0xf6, 0xea, 0xef, 0x83, 0xfe, 0xbc, 0x6, 0x35, 0x8, 0x7d, 0x6e, 0x53, 0x88, 0x31, 0xb, 0xc5, 0xcd, 0x94, 0xcd, 0x3e, 0xdd, 0x24, 0x41, 0x2c, 0xb, 0x41, 0xc, 0x52, 0x5, 0x2, 0xcc, 0x99, 0xcb, 0x57, 0x6d, 0x44, 0x6, 0x5f, 0x68, 0xa2, 0xf3, 0x23, 0x17, 0x4b, 0xa0, 0x49, 0x43, 0x7e, 0xb2, 0xb2, 0x12, 0x5a, 0x78, 0x81, 0xf3, 0x66, 0xb2, 0xab, 0x42, 0x60, 0x69, 0x7c, 0xf1, 0x37, 0xaf, 0xa5, 0xde, 0x38, 0x25, 0x4a, 0x2c, 0xa2, 0xcb, 0xd4, 0x0, 0x26, 0xa4, 0x9e, 0x95, 0xb9, 0x1c, 0x21, 0x89, 0x98, 0x6, 0x7b, 0x41, 0x5f, 0x10, 0xcd, 0x74, 0x1e, 0xb8, 0xdd, 0x19, 0xcf, 0xe1, 0xb1, 0xca, 0xb8, 0x57, 0x51, 0x89, 0x2d, 0x2f, 0x47, 0x85, 0xb8, 0x9d, 0xee, 0x8, 0xb0, 0x6f, 0x8, 0x31, 0xd1, 0x26, 0xf, 0x70, 0xd5, 0x5c, 0x36, 0x5a, 0xfe, 0xb7, 0x66, 0x5d, 0xba, 0xa7, 0x0, 0x56, 0x5d, 0xfd, 0x5, 0xac, 0x74, 0x86, 0x81, 0x57, 0x5a, 0x14, 0x4, 0x3c, 0xb0, 0x8f, 0x68, 0x2c, 0x83, 0xd5, 0x97, 0x88, 0x65, 0xc1, 0x76, 0xa7, 0xab, 0x45, 0x12, 0xd8, 0xdc, 0xf0, 0xa0, 0xe9, 0xf6, 0x47, 0x18, 0xaa, 0x7c, 0x7, 0xdd, 0xd0, 0xad, 0x34, 0xd, 0x14, 0x53, 0x3, 0xf9, 0xed, 0x3d, 0xb7, 0x48, 0x11, 0x7c, 0xe3, 0x22, 0x53, 0x70, 0xbe, 0xa2, 0xbb, 0x2, 0x4b, 0x28, 0xd6, 0xa6, 0xb9, 0x7a, 0xc6, 0xf7, 0xbb, 0xdc, 0x30, 0xa5, 0xf7, 0x20, 0x9c, 0x55, 0x25, 0x44, 0xc8, 0x67, 0x87, 0x18, 0xfa, 0x2d, 0x1f, 0x96, 0xc4, 0x80, 0xdc, 0x70, 0x35, 0x94, 0xfd, 0xe2, 0x20, 0x41, 0x78, 0xf0, 0x63, 0x6b, 0x4d, 0x10, 0x22, 0x71, 0x56, 0x53, 0xc1, 0x2b, 0x59, 0x7f, 0x77, 0xad, 0x88, 0xf6, 0x46, 0x12, 0xbc, 0xf6, 0x6, 0xb0, 0xa, 0xb7, 0x6b, 0x43, 0xfe, 0xfd, 0x1d, 0x1a, 0x99, 0x18, 0x19, 0xd1, 0xe7, 0x57, 0xb0, 0xc0, 0xd4, 0x34, 0x28, 0x42, 0x54, 0x3a, 0x4, 0x84, 0xb5, 0x32, 0xd4, 0x1d, 0x9, 0x26, 0x99, 0xf8, 0x2a, 0x27, 0xfc, 0x6d, 0x11, 0x8b, 0x77, 0x87, 0x11, 0x34, 0x87, 0xdc, 0xf8, 0x51, 0xbc, 0xf0, 0xa7, 0xdf, 0x40, 0xa3, 0xf0, 0xc0, 0xdd, 0x97, 0xad, 0x56, 0xf6, 0xa5, 0xc5, 0x22, 0xe9, 0xdd, 0x15, 0xf, 0x5, 0x4c, 0x21, 0x5, 0x82, 0x2b, 0x5f, 0xd, 0xa8, 0x76, 0x7a, 0xa4, 0x62, 0x2b, 0xe8, 0x62, 0x30, 0x4d, 0x25, 0xbb, 0xee, 0x55, 0xc9, 0x3e, 0xe0, 0x5f, 0xa0, 0x11, 0x36, 0x9b, 0x52, 0x9d, 0x6e, 0xf4, 0xaf, 0x7e, 0xf6, 0x3d, 0x9e, 0x8f, 0x1, 0x13, 0xab, 0x55, 0x98, 0x76, 0x31, 0x99, 0x71, 0xe3, 0x63, 0xc4, 0xad, 0x47, 0xda, 0xcc, 0x38, 0x14, 0x25, 0xfd, 0x4e, 0x89, 0xfb, 0xdb, 0xf3, 0x22, 0x31, 0xe1, 0x18, 0x4b, 0x27, 0xce, 0xf6, 0x79, 0x9b, 0xbe, 0xdf, 0xaa, 0x58, 0xca, 0xe5, 0x9d, 0xa4, 0x85, 0x51, 0x73, 0x48, 0x11, 0x58, 0x77, 0x95, 0x24, 0x99, 0x90, 0x93, 0xbb, 0x61, 0xef, 0x1d, 0x11, 0x94, 0x36, 0xd1, 0x26, 0x4a, 0x97, 0x6a, 0x1d, 0x3b, 0x25, 0xfc, 0xd3, 0xce, 0xb4, 0x74, 0x44, 0x5e, 0xb1, 0x5d, 0x4c, 0xe6, 0x85, 0x14, 0x3a, 0x18, 0x6f, 0xd6, 0x1e, 0xec, 0x86, 0xde, 0xeb, 0x43, 0xce, 0x1f, 0xd6, 0x6b, 0x90, 0x5d, 0x22, 0x4d, 0xd7, 0xbe, 0xe8, 0xd6, 0x7, 0xab, 0x5c, 0xb7, 0x5a, 0x85, 0x27, 0x7f, 0x61, 0xe4, 0x16, 0xdd, 0xc3, 0xfb, 0xb2, 0xdd, 0xaa, 0x68, 0x65, 0x5b, 0xdf, 0xed, 0x8a, 0x4f, 0x48, 0xb5, 0xed, 0xad, 0x2f, 0xcf, 0x6d, 0xe8, 0x20, 0x8f, 0x87, 0x99, 0x56, 0x5f, 0x61, 0x7c, 0x49, 0x16, 0x35, 0xe2, 0xac, 0x7b, 0x70, 0xe8, 0xae, 0x58, 0x51, 0x56, 0x1c, 0x6d, 0xf8, 0xc6, 0x14, 0x8d, 0x45, 0xe2, 0xbe, 0xb9, 0xc1, 0x5c, 0xf1, 0xeb, 0x15, 0xc0, 0x9c, 0x37, 0xf, 0x66, 0xdf, 0x15, 0xa0, 0x61, 0xd1, 0x2e, 0x20, 0xa3, 0xeb, 0x4c, 0xb2, 0xf0, 0x3d, 0x4b, 0x20, 0x87, 0xf6, 0x58, 0x45, 0x4, 0x4c, 0x26, 0xbe, 0xed, 0x8e, 0xe, 0x89, 0xb7, 0x8b, 0xde, 0x90, 0x10, 0x87, 0xb7, 0xb5, 0x69, 0x1e, 0x18, 0xfa, 0xec, 0x3f, 0xa, 0xef, 0x98, 0x9a, 0xd6, 0x30, 0x81, 0x2f, 0xa0, 0x9e, 0x5d, 0xb9, 0xea, 0x66, 0x8e, 0xcf, 0xe9, 0xb2, 0x21, 0x0, 0x72, 0x24, 0xeb, 0x2b, 0xf, 0x52, 0x61, 0x43, 0xf8, 0x1d, 0xa, 0x54, 0x1c, 0x62, 0x5d, 0x6d, 0xfa, 0x71, 0x21, 0x77, 0x3, 0x12, 0xff, 0xf6, 0xf5, 0xf, 0x51, 0x7b, 0x3c, 0x6e, 0xf3, 0xbe, 0xb2, 0xab, 0x9b, 0x6, 0x7a, 0x81, 0x5, 0xcd, 0x81, 0x97, 0x11, 0x2f, 0x2b, 0x7e, 0x2b, 0xa1, 0xaf, 0x7e, 0xe2, 0xc2, 0xa8, 0x77, 0x5e, 0x38, 0x81, 0xa3, 0x3c, 0xd0, 0xfd, 0x78, 0xad, 0x85, 0xab, 0x15, 0xbb, 0x54, 0x3b, 0xab, 0xd4, 0x8a, 0x1c, 0xcf, 0xaa, 0x55, 0xbe, 0x48, 0x81, 0xbc, 0x8a, 0x52, 0x58, 0xc, 0xa6, 0x57, 0xb3, 0x93, 0x68, 0x4a, 0xfe, 0xb5, 0xaf, 0xf8, 0xcb, 0xcc, 0x66, 0x9a, 0xcf, 0x79, 0xd1, 0xbd, 0xb1, 0x9, 0x6c, 0x65, 0x77, 0x7d, 0x4f, 0xf1, 0x0, 0xdf, 0xa9, 0x29, 0x95, 0xac, 0x40, 0x4b, 0x33, 0x38, 0x10, 0x14, 0x82, 0x48, 0xdc, 0xe9, 0xc7, 0x45, 0x17, 0x42, 0x33, 0x32, 0x63, 0x4c, 0x69, 0x3, 0xc2, 0x75, 0xc5, 0xcc, 0x2f, 0xd2, 0x36, 0xc, 0x37, 0x89, 0xa5, 0x42, 0xf2, 0x47, 0xcf, 0xec, 0xda, 0x4e, 0xae, 0x16, 0x8c, 0x1e, 0xc4, 0x78, 0xcf, 0x4f, 0xb0, 0xab, 0x8e, 0xad, 0xcf, 0x98, 0xc5, 0x9e, 0xba, 0x5, 0xe6, 0x3d, 0xae, 0x29, 0x30, 0x4d, 0xae, 0xd3, 0x33, 0x19, 0x16, 0x5, 0x14, 0x9b, 0xbd, 0xfa, 0xf2, 0x6b, 0x1c, 0xd0, 0xa7, 0x59, 0x55, 0xfc, 0x2d, 0x71, 0x66, 0x63, 0x57, 0xd2, 0xe0, 0xaa, 0x3e, 0xff, 0xf8, 0x1c, 0x70, 0x48, 0xf9, 0x7, 0xe4, 0x36, 0xd4, 0x4b, 0x1f, 0xb4, 0x89, 0x1d, 0xe2, 0xed, 0xa9, 0xef, 0x6e, 0x66, 0x5c, 0x2f, 0x29, 0xc5, 0xa6, 0xcd, 0x94, 0xb2, 0xb6, 0x2f, 0x57, 0x83, 0x34, 0x9f, 0x3, 0xb9, 0x75, 0xbf, 0xe9, 0x6c, 0x21, 0xbb, 0x5c, 0x9, 0xf0, 0x12, 0xe0, 0x20, 0xda, 0xf0, 0x63, 0xd0, 0x1b, 0xcc, 0xae, 0xa0, 0xe5, 0x9, 0x29, 0xf0, 0x3a, 0x1c, 0xc2, 0x57, 0xdc, 0x9c, 0xce, 0x48, 0xcf, 0x9e, 0xd5, 0xc7, 0xf8, 0x36, 0xe3, 0x8a, 0x44, 0xb8, 0x32, 0x27, 0xf4, 0x85, 0x4f, 0x3f, 0x23, 0x37, 0x6e, 0x5, 0x52, 0xa8, 0x78, 0xef, 0x21, 0x5d, 0xb7, 0xf2, 0x0, 0xa9, 0x31, 0xdd, 0x34, 0xcd, 0x38, 0xba, 0x8a, 0xe1, 0xff, 0x58, 0x86, 0xa6, 0xb3, 0x72, 0x45, 0x57, 0xd9, 0xbf, 0xc, 0x19, 0x64, 0x74, 0x81, 0x6e, 0xed, 0x77, 0x21, 0x53, 0x6e, 0x40, 0xab, 0x5e, 0x53, 0xde, 0x5b, 0x97, 0xf0, 0x1a, 0x82, 0x4c, 0xc5, 0x60, 0xc7, 0x22, 0xba, 0x66, 0xe0, 0x2f, 0xa, 0xb0, 0xce, 0xb1, 0xe3, 0x88, 0x15, 0x7b, 0x33, 0xf0, 0x77, 0xf9, 0xb7, 0x55, 0x3a, 0x97, 0x94, 0xe, 0xa3, 0x72, 0xc8, 0x3b, 0xa0, 0xee, 0xd, 0x77, 0x83, 0xd9, 0x4a, 0x62, 0xdb, 0xef, 0xa5, 0x13, 0x64, 0x33, 0xab, 0xca, 0x47, 0x42, 0xd, 0x7a, 0x2, 0xd0, 0x1d, 0x39, 0xd5, 0xae, 0x12, 0xf3, 0x5d, 0xd, 0x59, 0x39, 0xac, 0x65, 0x13, 0x35, 0xc9, 0x2, 0x28, 0x53, 0x2a, 0xe2, 0xa2, 0x78, 0x45, 0x82, 0x2e, 0xdd, 0x87, 0xe6, 0xbe, 0x2e, 0xa5, 0xa6, 0xc6, 0x98, 0x31, 0xc7, 0xc1, 0x56, 0xfa, 0x5b, 0xf6, 0xcd, 0x10, 0xf2, 0xde, 0x72, 0x27, 0x13, 0xe8, 0x48, 0xa5, 0xb5, 0x83, 0x80, 0x41, 0x19, 0xa1, 0x4e, 0x25, 0xb5, 0xeb, 0xff, 0x4f, 0xea, 0xdc, 0x3f, 0x72, 0xbf, 0x50, 0xfb, 0x19, 0xea, 0xaa, 0x55, 0xc, 0xb4, 0x85, 0x2a, 0xa, 0xdc, 0xbe, 0x5f, 0x9f, 0xf2, 0x44, 0xbf, 0x54, 0xd9, 0x6f, 0xd, 0xca, 0x0, 0xe8, 0x89, 0x31, 0xb5, 0x10, 0x8a, 0xfd, 0x8, 0x52, 0x14, 0x17, 0xc, 0xfe, 0x50, 0x37, 0xba, 0x14, 0xb7, 0xd3, 0xc0, 0x43, 0x9e, 0xcc, 0x9a, 0x18, 0x34, 0xe, 0x20, 0x7d, 0x42, 0xc0, 0xe2, 0x16, 0xe6, 0x4f, 0xe2, 0xde, 0x5, 0xc1, 0x54, 0x18, 0xee, 0xc8, 0xf4, 0x25, 0x9c, 0x73, 0x2a, 0x34, 0x8f, 0xa5, 0x22, 0x32, 0x4d, 0x52, 0xc9, 0x27, 0xa0, 0x4f, 0x80, 0x7, 0x8, 0x6f, 0x32, 0x8f, 0x2e, 0xf8, 0xb7, 0xbf, 0xba, 0x19, 0xa5, 0x25, 0x56, 0x22, 0xac, 0x9c, 0xed, 0xa9, 0xe0, 0xda, 0xe, 0x1a, 0x9c, 0x10, 0xf1, 0x59, 0x12, 0x52, 0x58, 0x98, 0xa, 0xf8, 0x45, 0x44, 0x1f, 0xb7, 0x5a, 0x7, 0x4b, 0xa4, 0x37, 0x1b, 0x16, 0x21, 0x4a, 0xb6, 0x9e, 0x69, 0x21, 0xee, 0x67, 0xfe, 0x56, 0xdf, 0xfd, 0x23, 0xb5, 0x2e, 0xf7, 0xb9, 0x20, 0x21, 0x3a, 0x5c, 0x9f, 0x73, 0x6e, 0xd2, 0x50, 0x33, 0x4a, 0x41, 0xba, 0x88, 0x26, 0xf7, 0x75, 0x94, 0x44, 0x69, 0x45, 0x82, 0xf, 0x55, 0xb1, 0xe3, 0xa6, 0x82, 0xd4, 0x7e, 0x6d, 0x16, 0x43, 0xe6, 0xf7, 0x7f, 0xde, 0x2a, 0x22, 0x94, 0x9c, 0x68, 0xc6, 0x97, 0xad, 0x40, 0x98, 0xfa, 0x72, 0x2d, 0x92, 0xa5, 0x90, 0x5f, 0xaa, 0xe6, 0x32, 0xbd, 0x86, 0x18, 0x37, 0x44, 0xd, 0x5e, 0x7f, 0x67, 0x4f, 0xbd, 0xf1, 0xc5, 0x19, 0xa3, 0xfb, 0x76, 0xb2, 0x8e, 0x5, 0x4a, 0xa5, 0x7f, 0x7f, 0x12, 0x91, 0x3a, 0xd3, 0xab, 0x2d, 0x2a, 0x93, 0xb4, 0xc1, 0x60, 0xf0, 0xbf, 0xd9, 0xc7, 0x79, 0x4e, 0x22, 0x3a, 0xce, 0x23, 0x28, 0xa9, 0xb, 0x8c, 0x38, 0xb0, 0x6f, 0x81, 0x78, 0x78, 0x69, 0x8a, 0x73, 0x31, 0x8d, 0xb7, 0x0, 0xcd, 0x3, 0x2, 0xeb, 0x86, 0x2d, 0x1b, 0x91, 0x69, 0x2b, 0x51, 0x44, 0x6e, 0x4e, 0xf3, 0x56, 0xd, 0x4f, 0x3a, 0x65, 0x22, 0xc2, 0x5, 0xb8, 0x28, 0xca, 0x47, 0x40, 0x1e, 0x96, 0x4b, 0x43, 0x73, 0x4a, 0xb0, 0xf8, 0x3, 0x2c, 0x19, 0x2a, 0x71, 0xab, 0x87, 0x67, 0x96, 0x4c, 0x42, 0xee, 0x4f, 0x86, 0x42, 0x6c, 0x19, 0xcc, 0x5c, 0xce, 0xe, 0x5b, 0xda, 0x93, 0xbe, 0xc1, 0x59, 0xc1, 0x31, 0xc1, 0x22, 0x9f, 0x7d, 0xa8, 0x55, 0x56, 0xe4, 0xdc, 0x93, 0xd5, 0xb6, 0x2b, 0x42, 0x40, 0x89, 0x4c, 0xa9, 0x5a, 0x95, 0xec, 0xed, 0x92, 0x2f, 0xf2, 0x9a, 0x17, 0x32, 0x9d, 0x8, 0x65, 0x28, 0xfa, 0xf0, 0xf, 0x2, 0x5e, 0xda, 0x1c, 0x9b, 0x23, 0x3a, 0x86, 0x49, 0x46, 0x8f, 0x45, 0xf1, 0x11, 0x92, 0x1b, 0x71, 0xa5, 0x6d, 0x35, 0x9b, 0xde, 0xec, 0x93, 0xd4, 0x7d, 0x94, 0x81, 0xad, 0x80, 0x82, 0x6, 0xf9, 0xe4, 0x73, 0x97, 0x30, 0xfe, 0xc1, 0x7a, 0x86, 0x81, 0x3c, 0x91, 0x78, 0xad, 0xfe, 0x96, 0xdd, 0xe9, 0xb5, 0xb7, 0xee, 0x86, 0x14, 0xb5, 0x5e, 0x32, 0x8e, 0xb0, 0x93, 0xa1, 0x61, 0x74, 0x74, 0x85, 0x41, 0x35, 0xdc, 0x5a, 0xaa, 0xd, 0x84, 0xf5, 0xda, 0x9f, 0x36, 0xdb, 0x44, 0xc, 0x1d, 0xc1, 0x5, 0x92, 0x75, 0xad, 0xd9, 0x4a, 0xb1, 0x3a, 0xa2, 0xaf, 0x8f, 0x3, 0x3d, 0x9a, 0x3f, 0x53, 0x4, 0xf7, 0xe3, 0xfd, 0x53, 0x65, 0xdf, 0xfd, 0xc6, 0xa4, 0x15, 0x29, 0x90, 0x69, 0xaf, 0xbe, 0x11, 0x1c, 0xc3, 0x37, 0x4d, 0xc0, 0xdb, 0xd5, 0xc8, 0xcb, 0x1f, 0x28, 0xba, 0x2a, 0xa7, 0xa7, 0x21, 0xe6, 0x4a, 0x3f, 0x8d, 0xf2, 0x78, 0xa1, 0x95, 0x8, 0x8d, 0x9b, 0x76, 0xdc, 0xdd, 0x23, 0xd0, 0x6, 0xb2, 0x93, 0x84, 0xd7, 0xae, 0x88, 0xe4, 0xa4, 0x32, 0xe, 0x9, 0x1a, 0xe6, 0x6e, 0xf4, 0x3, 0x2f, 0x26, 0x3b, 0x2e, 0x48, 0x1d, 0xce, 0xb7, 0x9, 0xb8, 0xc9, 0x9e, 0xc4, 0x22, 0x2c, 0x2c, 0xc7, 0xe2, 0x6b, 0x48, 0x41, 0x8a, 0x36, 0xbf, 0xa0, 0xfe, 0x20, 0x94, 0x3b, 0x81, 0x69, 0xac, 0x6d, 0xa6, 0xe9, 0x6e, 0xd3, 0xb3, 0x87, 0xc9, 0x8c, 0x32, 0x8a, 0xc0, 0xdd, 0x6f, 0x61, 0x64, 0x32, 0x3a, 0x2c, 0xcd, 0x3b, 0xa, 0xba, 0xdb, 0x10, 0xd8, 0x9d, 0xc4, 0x3, 0x71, 0xc4, 0xa4, 0x78, 0x4b, 0x28, 0x1a, 0xd8, 0xf9, 0x99, 0xb, 0x18, 0xdd, 0xe8, 0xd8, 0xd1, 0xfe, 0x49, 0x39, 0x3a, 0xd3, 0x3f, 0x33, 0x8c, 0xdd, 0x99, 0x23, 0xb7, 0xb9, 0x2d, 0xdf, 0xdf, 0xcd, 0x26, 0x55, 0x78, 0x8c, 0x3e, 0xe5, 0xa6, 0xad, 0xb4, 0xe1, 0xbd, 0xc1, 0xed, 0xbf, 0xdf, 0xa0, 0x4e, 0xd5, 0x77, 0x24, 0x81, 0x6b, 0x43, 0xc7, 0xe8, 0x45, 0x32, 0xe7, 0x41, 0xd6, 0xec, 0x27, 0x90, 0xcc, 0x97, 0xe0, 0xf1, 0x77, 0x8f, 0xb6, 0x66, 0x5c, 0x62, 0x2b, 0x1e, 0x62, 0xa3, 0x1a, 0xf, 0xe5, 0xea, 0xa9, 0xae, 0x5d, 0xdc, 0x48, 0x58, 0xa1, 0x52, 0x7d, 0xc2, 0xac, 0x6, 0x57, 0x5c, 0xa2, 0x91, 0xa9, 0xa2, 0x51, 0x15, 0xa, 0xeb, 0xb4, 0xd, 0x97, 0x6a, 0x4, 0x54, 0x46, 0x4b, 0x7e, 0xff, 0x35, 0x4d, 0x4d, 0xbe, 0x2b, 0xb9, 0x2f, 0xa6, 0x18, 0xe7, 0x6a, 0x85, 0xd9, 0x8e, 0xd3, 0xa7, 0x10, 0x4, 0x16, 0xa0, 0xac, 0x89, 0xdb, 0x76, 0x7a, 0xeb, 0xbb, 0xa0, 0x6b, 0xf5, 0x2a, 0x35, 0x13, 0xbd, 0xc3, 0xc5, 0x1b, 0x8, 0xbd, 0x44, 0xdd, 0x18, 0xfe, 0x3e, 0xb8, 0x49, 0x24, 0xd8, 0x8d, 0xa7, 0xbe, 0xd6, 0x4b, 0xe, 0xd9, 0xf9, 0xda, 0x24, 0x31, 0x97, 0x4a, 0x4c, 0xd8, 0x32, 0x33, 0xc, 0x89, 0xdb, 0x6e, 0x1b, 0x84, 0xbb, 0x9b, 0xe6, 0x39, 0x3e, 0xc2, 0x6d, 0x3e, 0xae, 0x7, 0x45, 0x35, 0x8f, 0xc3, 0x41, 0x59, 0xd5, 0xe4, 0xad, 0x65, 0xe8, 0x3d, 0x87, 0x40, 0x38, 0x30, 0x5e, 0xfa, 0xda, 0xde, 0x9b, 0x8b, 0xf1, 0x4e, 0xbb, 0x4a, 0x41, 0x6f, 0x68, 0x52, 0xee, 0xfa, 0x42, 0xea, 0xe9, 0x9e, 0x4a, 0x5a, 0xa5, 0x37, 0x16, 0xaa, 0xf, 0x26, 0xb9, 0x93, 0x5f, 0x1, 0x14, 0xa5, 0x19, 0xeb, 0x98, 0x35, 0x9c, 0x9e, 0xd2, 0xeb, 0xd7, 0x51, 0x8e, 0x17, 0x32, 0x19, 0x6d, 0xc5, 0x3f, 0x52, 0xc8, 0xf1, 0xcf, 0x9a, 0x8, 0xdd, 0xc6, 0x9f, 0xd, 0xb6, 0x25, 0x9b, 0x2f, 0xac, 0xe8, 0x20, 0x4c, 0x5c, 0xd9, 0xd4, 0xab, 0x30, 0x29, 0x22, 0x7b, 0x50, 0xb2, 0x15, 0x4e, 0xb0, 0x77, 0x1e, 0xeb, 0xda, 0x9c, 0x2d, 0x19, 0x88, 0x6b, 0x7a, 0x3a, 0x79, 0x97, 0x31, 0x18, 0x4d, 0x5d, 0xf1, 0x92, 0x4b, 0xed, 0x1c, 0x72, 0x2a, 0x70, 0x38, 0x34, 0x93, 0xea, 0x37, 0xb0, 0x92, 0x8d, 0x94, 0x1d, 0x9d, 0xf3, 0x16, 0xa3, 0x9f, 0xf8, 0xda, 0x51, 0x6f, 0x28, 0x60, 0xa3, 0xec, 0xdf, 0x4f, 0xd2, 0x3a, 0x5, 0x79, 0xe9, 0xc5, 0x37, 0x1d, 0x40, 0xfa, 0x58, 0x19, 0x30, 0xe, 0xa7, 0xde, 0x7c, 0xe6, 0x1f, 0x25, 0xef, 0x96, 0xa, 0xd0, 0x74, 0xbe, 0x94, 0xeb, 0x2b, 0x1a, 0xc0, 0xd8, 0x75, 0x4b, 0xfd, 0xc, 0x38, 0x44, 0x2a, 0xe, 0x2c, 0xf2, 0xbd, 0x85, 0xb2, 0xc7, 0x1b, 0x87, 0xf4, 0x22, 0x86, 0x3c, 0x28, 0x94, 0xff, 0x9f, 0x40, 0x84, 0x46, 0x8c, 0x8f, 0x32, 0x6e, 0xb7, 0x70, 0xf, 0xae, 0x31, 0x97, 0xe1, 0xc5, 0x60, 0xbc, 0x9c, 0x72, 0xec, 0x77, 0xd1, 0x6d, 0xf8, 0xa2, 0x97, 0xf4, 0xf3, 0x30, 0x35, 0x81, 0x21, 0xe7, 0xfe, 0x20, 0x59, 0xc1, 0x92, 0x31, 0x7f, 0xe5, 0x1e, 0xc5, 0xe1, 0x31, 0xc, 0xf, 0xe, 0x10, 0xdd, 0xf4, 0x22, 0x73, 0xcd, 0x36, 0xf3, 0x84, 0xe6, 0x8f, 0xb9, 0xc, 0x7, 0x1d, 0x50, 0x58, 0x14, 0x4a, 0x12, 0x9a, 0xbe, 0xf, 0xd6, 0x3f, 0x6b, 0xbc, 0x92, 0xc8, 0x61, 0x57, 0xa4, 0xcb, 0x27, 0x6f, 0xfe, 0x58, 0x48, 0x38, 0xf5, 0x3b, 0x76, 0x9e, 0xb5, 0xf7, 0x71, 0x2, 0x4b, 0x5e, 0x8e, 0x5a, 0x5b, 0xa9, 0x6, 0x46, 0x3d, 0x92, 0x82, 0xa4, 0x5, 0x9b, 0x5d, 0xda, 0x1e, 0x46, 0xc4, 0xfe, 0xe6, 0xd0, 0x31, 0x77, 0xda, 0x20, 0xff, 0x18, 0xeb, 0x77, 0x51, 0x7b, 0x27, 0x62, 0x6d, 0xf0, 0x28, 0x98, 0x2e, 0x0, 0x48, 0x8d, 0x6d, 0x50, 0xe, 0xc3, 0xd6, 0xe8, 0xec, 0x63, 0xf9, 0x9f, 0xcd, 0x58, 0xa, 0xde, 0x5c, 0xe, 0xaa, 0x3b, 0x4e, 0xb7, 0xcd, 0x97, 0x3b, 0xf9, 0x38, 0x12, 0x63, 0xb, 0xc, 0x56, 0x50, 0x3d, 0x79, 0x79, 0xcf, 0x35, 0x1b, 0xc3, 0xe1, 0x78, 0x21, 0x5e, 0x35, 0x14, 0x2f, 0xd1, 0x95, 0x37, 0x88, 0x42, 0x2f, 0xc3, 0xb9, 0x21, 0x3d, 0xbf, 0x2, 0x34, 0xf, 0x1e, 0x6b, 0xc9, 0x73, 0x9e, 0xf3, 0x4f, 0x42, 0xc9, 0xbf, 0xf7, 0x6c, 0x96, 0xd6, 0xd0, 0xf6, 0x59, 0xa4, 0x2d, 0xca, 0x4e, 0x15, 0xb8, 0x3b, 0x9d, 0xd6, 0xf1, 0x3c, 0xb4, 0xed, 0x30, 0x54, 0x16, 0x9b, 0x42, 0xc2, 0x75, 0xd3, 0xd0, 0x15, 0x8a, 0x47, 0xc6, 0xd3, 0x6b, 0x37, 0xe4, 0x7d, 0x7f, 0x6, 0x33, 0x5e, 0x62, 0x59, 0x20, 0xcb, 0x5d, 0x30, 0x8c, 0x37, 0x9a, 0x59, 0x4, 0x3d, 0x9d, 0x9f, 0x40, 0xe1, 0xb2, 0xc1, 0x57, 0x80, 0x27, 0xba, 0xec, 0x84, 0xb1, 0x80, 0xbd, 0xa2, 0xe7, 0xac, 0x92, 0xcc, 0x60, 0xc7, 0xc4, 0x4c, 0xdb, 0x11, 0x53, 0xcb, 0xfe, 0x8e, 0x6d, 0x46, 0x63, 0xce, 0xf0, 0x18, 0xee, 0x49, 0x72, 0x8, 0x1b, 0xeb, 0xa0, 0xd, 0xf3, 0xde, 0xfb, 0x56, 0xfb, 0xe3, 0x47, 0x7d, 0x71, 0x58, 0xd4, 0x90, 0x93, 0x36, 0xe3, 0xa3, 0x8d, 0x6d, 0x16, 0x6, 0x40, 0x40, 0x76, 0xe9, 0x3, 0x4, 0xa9, 0x89, 0x82, 0x36, 0xc3, 0xb5, 0x37, 0xd6, 0xf1, 0x72, 0x83, 0x79, 0xd1, 0x4b, 0x3a, 0xc5, 0xd2, 0xd5, 0x9e, 0x67, 0x16, 0xa6, 0x87, 0x3b, 0xcf, 0xfd, 0xd8, 0xbc, 0xc4, 0x5e, 0x4e, 0x69, 0x6a, 0xb6, 0x13, 0x76, 0x6d, 0xae, 0xe5, 0x27, 0xfc, 0xe3, 0x76, 0xfc, 0x60, 0x74, 0x62, 0x49, 0x3c, 0xc6, 0xe1, 0x1f, 0x53, 0x80, 0x25, 0xdb, 0x1f, 0x98, 0x89, 0x1e, 0x54, 0x50, 0x6b, 0x2b, 0x4c, 0xfd, 0xa1, 0x91, 0x12, 0xdc, 0xca, 0x4f, 0xdf, 0xa6, 0x17, 0x3a, 0x69, 0xc0, 0x3, 0xf2, 0x17, 0x1, 0x4e, 0x60, 0xc4, 0xb2, 0xd0, 0xb8, 0x99, 0xa, 0x63, 0x19, 0x5f, 0x24, 0x44, 0x2c, 0x21, 0xc6, 0xaa, 0x20, 0xdc, 0xae, 0xa8, 0x52, 0xf, 0x52, 0x56, 0x4e, 0xed, 0xb1, 0xcd, 0x1a, 0xa, 0x70, 0xb6, 0xf, 0x56, 0xb5, 0x81, 0x96, 0x99, 0xfd, 0x73, 0xfd, 0x23, 0xe8, 0xba, 0xe1, 0xb4, 0x6c, 0x1f, 0x5d, 0x91, 0xda, 0xa3, 0x0, 0xbe, 0x6e, 0x18, 0x1, 0x3, 0xd, 0xcd, 0xa8, 0xfc, 0x89, 0xc9, 0xb0, 0x4f, 0x74, 0xb, 0xe, 0xda, 0xf9, 0xdb, 0x1, 0xd, 0x97, 0x6f, 0xd7, 0x31, 0x79, 0x64, 0xc5, 0xd8, 0xa, 0x6a, 0xb9, 0x59, 0xf6, 0xbf, 0x37, 0x57, 0xb1, 0xda, 0x22, 0xdf, 0x6b, 0x9c, 0x7a, 0xf3, 0x18, 0xdf, 0x82, 0xdc, 0x90, 0x2f, 0x43, 0xbc, 0xef, 0x51, 0x36, 0x70, 0x5d, 0x8e, 0xef, 0x2c, 0xc5, 0xa5, 0x81, 0x98, 0xd9, 0xa0, 0x7b, 0x88, 0x82, 0x1d, 0xec, 0x20, 0xb9, 0xda, 0x9d, 0xec, 0x7c, 0x3b, 0x8d, 0x3e, 0xec, 0xc3, 0xe8, 0xd7, 0xd0, 0x47, 0x87, 0xa8, 0x4c, 0x95, 0xc3, 0x5b, 0x44, 0x35, 0x35, 0xd5, 0x9f, 0xe0, 0xa2, 0xea, 0xed, 0xd0, 0xc2, 0x53, 0xce, 0x4e, 0x38, 0x2b, 0xa1, 0xda, 0x6, 0x46, 0x5e, 0x7d, 0x89, 0x9d, 0x77, 0xb0, 0x12, 0xec, 0x73, 0xb0, 0x47, 0x3e, 0xa5, 0xad, 0xf1, 0x56, 0x57, 0xba, 0xbb, 0x2d, 0x46, 0xb6, 0x37, 0xfe, 0xca, 0xf2, 0x9, 0xfe, 0x69, 0x17, 0x2e, 0xce, 0xec, 0xbf, 0x1e, 0x3d, 0x27, 0xfd, 0x7, 0xf6, 0x3c, 0x38, 0xd5, 0xc1, 0x8a, 0x25, 0xc, 0xe1, 0x12, 0xff, 0xf7, 0x35, 0x80, 0x5, 0x90, 0x6c, 0x29, 0xf, 0xcc, 0xd4, 0xb7, 0xdb, 0xeb, 0xa, 0x7b, 0xfa, 0x94, 0x90, 0x4b, 0xd4, 0xc8, 0xe, 0xc0, 0xf1, 0x10, 0xbf, 0xe1, 0x1, 0xc1, 0x67, 0xd6, 0xc4, 0xb1, 0x7, 0xd8, 0x83, 0x33, 0x71, 0xbe, 0xdf, 0x2c, 0x41, 0xa9, 0xa1, 0x2b, 0x14, 0x81, 0x3e, 0x6, 0x5e, 0x43, 0xdc, 0x6b, 0xa, 0xaf, 0xec, 0x15, 0x4c, 0x98, 0xb9, 0xda, 0xa3, 0x92, 0x60, 0x24, 0x2c, 0x59, 0x2a, 0xc2, 0x93, 0x20, 0x5a, 0x2d, 0x44, 0xca, 0xed, 0x3a, 0x70, 0xd5, 0x31, 0xbd, 0xd0, 0xeb, 0xb6, 0x87, 0x32, 0x65, 0xfd, 0x2a, 0x8f, 0x30, 0xba, 0xc8, 0x1b, 0xd, 0xac, 0x8b, 0xb8, 0x9b, 0xb2, 0xe3, 0xc1, 0x75, 0x38, 0x85, 0xaf, 0xfb, 0x7c, 0x44, 0x11, 0xca, 0x50, 0xc9, 0x2a, 0xbd, 0x8d, 0x4c, 0x5c, 0xea, 0x6c, 0x81, 0x6d, 0x28, 0x8, 0x32, 0xdc, 0x28, 0x0, 0xa8, 0x3a, 0xdc, 0x9d, 0x3e, 0xe2, 0x16, 0x0, 0x69, 0x65, 0x93, 0xe1, 0x41, 0xcc, 0xa7, 0x6b, 0xc, 0x22, 0xcb, 0x5c, 0x24, 0xd6, 0x69, 0xc3, 0x20, 0x6b, 0xb3, 0x6a, 0x9a, 0x2e, 0xb6, 0x48, 0xc3, 0x63, 0x2d, 0xb5, 0xbc, 0xc0, 0xcd, 0x19, 0x3e, 0x47, 0xa3, 0x98, 0x1b, 0x60, 0x8f, 0x3f, 0x8b, 0xf1, 0x70, 0xe4, 0x46, 0xe3, 0xcd, 0xc7, 0xa2, 0xd7, 0x8a, 0x64, 0xaa, 0x3a, 0xbd, 0xc3, 0x6e, 0x9f, 0xae, 0x20, 0x55, 0x6c, 0x7e, 0xc7, 0x34, 0x4d, 0x85, 0x58, 0xea, 0xb9, 0xdc, 0xef, 0xf9, 0x7d, 0xc2, 0x6d, 0x66, 0x86, 0xd6, 0x69, 0x23, 0x5f, 0x40, 0x85, 0xaa, 0x17, 0x4, 0xbf, 0xfe, 0xd1, 0x29, 0xfe, 0xa, 0x47, 0x93, 0x9e, 0x81, 0x46, 0x98, 0x9e, 0x7f, 0xa2, 0xe2, 0x69, 0x96, 0x6a, 0x3e, 0x4, 0x65, 0x1e, 0xe3, 0xa2, 0x8, 0xd0, 0x24, 0xa, 0x68, 0xb7, 0x9c, 0xcf, 0xce, 0xa7, 0xdb, 0xe1, 0xc7, 0x74, 0x32, 0x50, 0x23, 0x2, 0x3, 0x26, 0x6c, 0x4b, 0x4c, 0x93, 0x8c, 0xee, 0x61, 0xce, 0x89, 0x93, 0x19, 0xe3, 0x97, 0x43, 0x3c, 0xce, 0x57, 0x87, 0x48, 0x0, 0x26, 0x8, 0xe0, 0xfb, 0xda, 0xb4, 0x6, 0xdf, 0xa2, 0xc3, 0xaa, 0x6a, 0x5b, 0xff, 0xdd, 0x0, 0x7, 0xaf, 0x45, 0xa0, 0x9f, 0x1d, 0x8c, 0x24, 0x74, 0x59, 0xa, 0x8b, 0xc6, 0x1f, 0x39, 0x7d, 0x8, 0x40, 0x16, 0x3d, 0xa5, 0x7f, 0xd0, 0x41, 0x3e, 0xa4, 0x26, 0xc5, 0x5b, 0xe3, 0x74, 0x8a, 0xa7, 0x54, 0x31, 0x8c, 0x2f, 0xda, 0xe0, 0x24, 0x89, 0x76, 0x7b, 0x9a, 0x3f, 0x61, 0x23, 0x2b, 0x4a, 0x96, 0xba, 0xc4, 0x16, 0x1d, 0xba, 0x35, 0x8d, 0x54, 0x5a, 0x57, 0xd0, 0x54, 0xfb, 0xd1, 0xfe, 0x1b, 0x2e, 0x5, 0x2, 0x64, 0xbc, 0x36, 0x21, 0x99, 0xff, 0x29, 0xdf, 0x56, 0x81, 0x14, 0xb9, 0x9c, 0xf3, 0xbd, 0x48, 0x55, 0x4e, 0xcf, 0x3f, 0x87, 0xf4, 0xf0, 0x57, 0xce, 0x3, 0x3f, 0xda, 0x25, 0x87, 0x58, 0x32, 0x95, 0xca, 0x95, 0x5c, 0x2f, 0xd8, 0x7e, 0x74, 0xf0, 0x7c, 0x12, 0x7f, 0x64, 0xac, 0xd5, 0xb, 0x57, 0x2d, 0xb0, 0x38, 0x20, 0xff, 0x3f, 0xe0, 0x3a, 0xa1, 0x67, 0xa7, 0xc2, 0xb0, 0x16, 0x2d, 0x93, 0xe9, 0xcd, 0x27, 0xaa, 0xeb, 0x1, 0xe9, 0x34, 0x12, 0xfc, 0xe3, 0x86, 0xa6, 0xad, 0x44, 0xb4, 0x99, 0x46, 0xe6, 0x13, 0xc9, 0xc5, 0x4, 0x5, 0xc4, 0x9d, 0xe9, 0xfc, 0xdd, 0xdb, 0x53, 0x2e, 0xd4, 0x99, 0x2a, 0x48, 0x58, 0x37, 0xf5, 0xaf, 0xd1, 0x25, 0x2c, 0xaf, 0x9a, 0x67, 0xcf, 0x64, 0x26, 0x96, 0xf7, 0x90, 0xee, 0x2b, 0x3e, 0x39, 0xf1, 0x99, 0x5c, 0xab, 0x74, 0xb0, 0x5b, 0x22, 0xe6, 0xea, 0xfa, 0xd0, 0xfa, 0x6c, 0xdd, 0x63, 0x2d, 0x8c, 0x64, 0x55, 0xc3, 0xcc, 0x1e, 0x26, 0x63, 0x5e, 0x43, 0x80, 0x9f, 0xc9, 0xd6, 0x37, 0x43, 0x2e, 0xa6, 0x2, 0x63, 0xa0, 0x58, 0x49, 0xca, 0x49, 0x6a, 0x91, 0x91, 0xd3, 0xd5, 0x49, 0x31, 0x99, 0x58, 0x49, 0x55, 0x3c, 0xde, 0x91, 0x9f, 0xb, 0x2, 0x8d, 0x37, 0x70, 0x51, 0xd2, 0x4d, 0xa3, 0x39, 0xb8, 0x47, 0x58, 0xf2, 0xb7, 0x38, 0x41, 0x85, 0x25, 0x28, 0xec, 0x7d, 0x7e, 0x43, 0xf7, 0x14, 0x5b, 0xea, 0x9d, 0xcf, 0x91, 0x1d, 0x27, 0x1d, 0xe3, 0xe4, 0xa, 0xb2, 0x77, 0xb3, 0xfd, 0xd4, 0x35, 0xcb, 0x27, 0x13, 0x5e, 0x5, 0x45, 0x1e, 0xde, 0x74, 0x75, 0x3e, 0x70, 0x28, 0x1b, 0xe3, 0x98, 0x32, 0x39, 0x33, 0x1, 0xde, 0x37, 0x72, 0x8, 0x55, 0xc6, 0x1, 0xd1, 0x23, 0x1, 0xf3, 0xcb, 0x32, 0xdc, 0xb0, 0xaa, 0xe8, 0x22, 0xba, 0xd, 0xc7, 0xb9, 0x5b, 0x15, 0x3d, 0x3d, 0x62, 0x52, 0x4a, 0x44, 0x8f, 0x1, 0xb0, 0x36, 0x87, 0xf0, 0x74, 0xf5, 0xd0, 0x46, 0xb4, 0x17, 0x34, 0xa0, 0xf4, 0xb2, 0xa6, 0xc, 0xa4, 0x2f, 0xaa, 0xa4, 0x66, 0xed, 0x60, 0xdb, 0xba, 0xf0, 0x79, 0x56, 0x21, 0xef, 0x4e, 0x3e, 0x32, 0x5a, 0x19, 0x71, 0x38, 0x16, 0x2b, 0x95, 0x20, 0xc3, 0x40, 0x9, 0x8f, 0x7d, 0x5f, 0x9d, 0x87, 0x62, 0xac, 0x8d, 0xfe, 0x75, 0xe8, 0xa6, 0xc1, 0x23, 0xb6, 0x9c, 0x64, 0x43, 0x6e, 0x8d, 0x33, 0x41, 0xf5, 0xaf, 0xec, 0xcc, 0xd5, 0x41, 0x45, 0x73, 0xdd, 0xf7, 0x56, 0xca, 0x88, 0xbc, 0x96, 0xde, 0x26, 0xd4, 0xb5, 0xc3, 0xa2, 0xd3, 0x9e, 0x6b, 0x4f, 0xd9, 0x48, 0x9c, 0x27, 0xf8, 0x2e, 0xbb, 0xa3, 0x54, 0x63, 0xf2, 0x67, 0x18, 0xb, 0x5b, 0x46, 0x75, 0xd5, 0x51, 0x51, 0x22, 0x95, 0xff, 0xb0, 0x99, 0xef, 0xd8, 0x0, 0x45, 0xf9, 0x88, 0x9d, 0xe1, 0xf3, 0x8, 0xc1, 0x3e, 0x13, 0x87, 0x90, 0x6a, 0xa2, 0xc0, 0xbd, 0x12, 0x27, 0x9f, 0x69, 0xc5, 0x5d, 0xa9, 0x24, 0x42, 0xd1, 0x4d, 0x3f, 0x90, 0x96, 0x80, 0x7b, 0xe4, 0x29, 0x24, 0x99, 0xa5, 0x3d, 0x5a, 0xba, 0xdb, 0xf9, 0x2f, 0x71, 0x17, 0xb7, 0xc9, 0x91, 0x63, 0x75, 0x4b, 0x0, 0x52, 0x9e, 0x9c, 0x21, 0x9d, 0xcc, 0x1d, 0xa1, 0x69, 0xe6, 0x7d, 0xc0, 0xd6, 0xd1, 0x84, 0x6b, 0x6e, 0x3b, 0x57, 0xcf, 0x5d, 0xc8, 0xac, 0x35, 0xf4, 0xdb, 0x15, 0x54, 0x8f, 0xc8, 0x58, 0x56, 0x74, 0x61, 0x7, 0x58, 0xc5, 0x17, 0x9a, 0x7e, 0x36, 0x26, 0x6f, 0xc5, 0x90, 0xca, 0xa5, 0x77, 0xd0, 0x22, 0x76, 0x4e, 0xe0, 0xa2, 0x58, 0x22, 0xf7, 0xfb, 0x5, 0xe4, 0x6, 0x6e, 0x3e, 0x5d, 0x96, 0xba, 0x54, 0xf9, 0xe6, 0xe3, 0x6f, 0xd0, 0x24, 0x57, 0x74, 0x1a, 0x25, 0x81, 0x75, 0xd4, 0x47, 0x3e, 0xdb, 0xea, 0x6f, 0x67, 0x6a, 0xc0, 0xee, 0x5f, 0x22, 0xf3, 0x69, 0x9d, 0xc5, 0x9b, 0x44, 0xfc, 0x95, 0x88, 0xda, 0x7c, 0x5e, 0x7b, 0x8d, 0x1d, 0xa7, 0x14, 0x33, 0x1a, 0xc1, 0x4d, 0xd5, 0x5e, 0xc0, 0x89, 0xe8, 0x6d, 0xae, 0xd2, 0x11, 0x1a, 0xd9, 0x2b, 0xed, 0x4c, 0x72, 0x79, 0xa9, 0xb2, 0xf6, 0x5e, 0x6a, 0x30, 0x89, 0x69, 0xcf, 0x6e, 0x49, 0xa2, 0xc8, 0x8c, 0x7b, 0xd5, 0x11, 0x16, 0xf7, 0x82, 0xfb, 0xe0, 0x51, 0x1, 0xba, 0xb8, 0xc2, 0x8a, 0x66, 0xd5, 0x26, 0x7, 0x16, 0xd, 0xb0, 0x11, 0xd7, 0x14, 0x58, 0xa2, 0x2b, 0x62, 0xf2, 0xe2, 0x3f, 0x7f, 0x57, 0xf5, 0xdd, 0x6a, 0x35, 0x94, 0x9c, 0x6b, 0x1c, 0x1e, 0x83, 0x2b, 0xbd, 0x26, 0x38, 0xb7, 0xa, 0x6, 0x3a, 0xce, 0x89, 0xf, 0x24, 0x1c, 0xc1, 0x11, 0xfa, 0x93, 0x3a, 0x30, 0x6e, 0x95, 0xd8, 0xc8, 0x9c, 0x4f, 0x87, 0xbf, 0x7c, 0x0, 0xba, 0x42, 0x99, 0x2d, 0x26, 0xc9, 0x3f, 0xdf, 0xe6, 0xbc, 0x62, 0x4e, 0xff, 0xa, 0x56, 0xe4, 0xb0, 0xe5, 0xee, 0xe7, 0xb7, 0x9, 0xb0, 0x7c, 0xbb, 0x63, 0x19, 0xe5, 0xdd, 0x37, 0x9b, 0xe2, 0xce, 0x18, 0x51, 0xaa, 0x3, 0x39, 0x26, 0x47, 0x47, 0x4a, 0xd8, 0x5c, 0xd8, 0x55, 0x0, 0x62, 0xa6, 0xca, 0x50, 0x30, 0x3d, 0x1e, 0x4b, 0x6c, 0xa7, 0x76, 0xf5, 0x7e, 0xc9, 0x82, 0x1f, 0x64, 0xf6, 0x31, 0x93, 0x4b, 0x56, 0xc7, 0xfe, 0xdf, 0x54, 0x7c, 0x7c, 0xd9, 0xab, 0x58, 0x91, 0x1a, 0x1f, 0x6d, 0xee, 0xf5, 0x7f, 0xda, 0xc3, 0x85, 0xa3, 0x93, 0x44, 0x5, 0xdf, 0x96, 0x7d, 0xeb, 0xf5, 0x5, 0x7a, 0xa5, 0x39, 0x3a, 0x47, 0xe4, 0x47, 0xd4, 0xaf, 0xa3, 0x55, 0x6d, 0xe1, 0x88, 0xc4, 0xd9, 0xa4, 0x42, 0xae, 0x76, 0xf8, 0xf5, 0xf5, 0x44, 0xe1, 0x83, 0xf1, 0x8f, 0x0, 0xe6, 0xdd, 0xa4, 0x26, 0x90, 0x6c, 0xd9, 0x8c, 0x1c, 0xad, 0x95, 0xe9, 0x49, 0x9b, 0x58, 0x3e, 0x50, 0x73, 0x2e, 0x72, 0x80, 0x26, 0xbc, 0xc2, 0x84, 0xe1, 0xbc, 0xbc, 0x5, 0x2c, 0x2c, 0x68, 0xd4, 0xbb, 0x9a, 0x5f, 0x25, 0x56, 0xd4, 0x84, 0xf0, 0xc2, 0xcf, 0x2b, 0xc4, 0x67, 0x7, 0x1c, 0x64, 0xb0, 0xe9, 0xea, 0xa0, 0x2d, 0x9a, 0x4c, 0x86, 0x2d, 0x63, 0x45, 0x1b, 0x20, 0xd6, 0x2d, 0xe3, 0x68, 0x32, 0xa8, 0x92, 0xa2, 0x49, 0x78, 0x62, 0x9f, 0xc9, 0x3e, 0x91, 0x82, 0x88, 0x37, 0x2c, 0xfa, 0xfd, 0xd8, 0xed, 0xfe, 0x8c, 0x6f, 0xee, 0x3e, 0xf3, 0x96, 0xaf, 0xa5, 0xa8, 0x3f, 0xdc, 0xe5, 0x37, 0x67, 0xc0, 0x1d, 0x3a, 0xb0, 0xb0, 0x31, 0xb5, 0x6b, 0x23, 0xb0, 0x37, 0xf0, 0x89, 0x29, 0x9f, 0xe5, 0x33, 0x53, 0x2a, 0xa1, 0xd9, 0xa7, 0xb5, 0xf9, 0x13, 0xe0, 0x24, 0xe0, 0x6a, 0x3b, 0x79, 0x25, 0xcf, 0xb0, 0xc4, 0xb5, 0x84, 0xb4, 0x7, 0x66, 0x1b, 0xc8, 0x24, 0x16, 0x3f, 0x90, 0xfa, 0x79, 0x95, 0xe8, 0x57, 0xbd, 0x68, 0xbe, 0x65, 0xfb, 0x37, 0x3, 0xc2, 0x39, 0xfc, 0x5e, 0xa5, 0x93, 0xd6, 0xe9, 0x52, 0x72, 0xc8, 0xc4, 0x7a, 0x26, 0x4e, 0x13, 0x94, 0x89, 0x9f, 0xb0, 0x8b, 0xd7, 0xb8, 0x8, 0x85, 0x3b, 0xb, 0x7, 0x14, 0xc0, 0xe4, 0xa6, 0x9a, 0x2, 0x59, 0x95, 0xae, 0xd8, 0x50, 0xed, 0xb2, 0x4d, 0x5a, 0x2c, 0x29, 0x4e, 0xd7, 0x3d, 0x37, 0x8f, 0x84, 0x55, 0x33, 0x9c, 0xb, 0x38, 0xab, 0x45, 0xac, 0xb6, 0x8d, 0x1, 0xec, 0xa8, 0x53, 0xcc, 0x69, 0x2, 0x69, 0x44, 0x1f, 0x64, 0x98, 0x87, 0x1a, 0x8d, 0x62, 0x4b, 0x8c, 0x5e, 0x47, 0x13, 0x4b, 0x28, 0x3d, 0x74, 0x1c, 0xf6, 0x19, 0xde, 0x73, 0x38, 0x93, 0x4a, 0xbf, 0x53, 0x35, 0x3f, 0xbc, 0xe5, 0x6, 0x29, 0x66, 0x84, 0x96, 0x45, 0x31, 0x35, 0xd5, 0x38, 0xde, 0xd, 0x28, 0xf7, 0x34, 0xc6, 0xa8, 0x46, 0x8f, 0x8e, 0x19, 0x24, 0x3d, 0x87, 0x1b, 0xf9, 0xaa, 0x7e, 0x11, 0x9b, 0x5f, 0x11, 0xee, 0xd5, 0xec, 0xda, 0x8d, 0xae, 0x50, 0xbe, 0xff, 0x0, 0xce, 0xae, 0xa9, 0x10, 0x77, 0x4e, 0x3d, 0x3a, 0x26, 0x4f, 0xa7, 0x6b, 0xf2, 0x21, 0xf7, 0xf3, 0xf, 0x69, 0xfa, 0xce, 0xf0, 0x47, 0x4f, 0x8a, 0x4a, 0x66, 0x68, 0x54, 0xa4, 0xba, 0x4c, 0x8e, 0xdc, 0xc1, 0x3, 0xf6, 0x23, 0x9b, 0xa6, 0x9b, 0x35, 0xc5, 0x7a, 0x7b, 0x18, 0x1, 0xd6, 0xb4, 0xda, 0xd9, 0xc8, 0xeb, 0xc1, 0x37, 0x43, 0xca, 0xa6, 0x4b, 0x7, 0xb4, 0x52, 0x54, 0x58, 0xa6, 0x9f, 0x33, 0xb7, 0x2f, 0x90, 0x81, 0x4f, 0x4b, 0x1a, 0xaa, 0xde, 0x25, 0xa5, 0x7a, 0x5d, 0xbb, 0xd2, 0x7a, 0x57, 0xb3, 0xe6, 0xc2, 0x7a, 0x28, 0xcc, 0x3b, 0x0, 0x12, 0xf6, 0xa7, 0x8c, 0x52, 0xd7, 0xb8, 0x0, 0x14, 0x2c, 0xf1, 0xb6, 0xfd, 0x8a, 0x8d, 0xdd, 0xa2, 0x46, 0xd3, 0x2e, 0x3a, 0x10, 0x39, 0x13, 0xe2, 0x2e, 0x4d, 0xc5, 0xf8, 0xc8, 0x20, 0x2d, 0x5a, 0x35, 0x92, 0x1b, 0x1, 0x8f, 0xac, 0xf2, 0x46, 0x13, 0x9f, 0xfc, 0xc6, 0x81, 0x4b, 0xd2, 0xa6, 0x5, 0xf0, 0x42, 0x60, 0xdb, 0x67, 0x95, 0x1f, 0xf8, 0xd5, 0x92, 0x2e, 0xeb, 0x70, 0x84, 0x69, 0x4d, 0xea, 0x95, 0xcb, 0x54, 0xeb, 0x81, 0x4c, 0xe0, 0x28, 0xcb, 0x2a, 0x5f, 0x64, 0xec, 0xce, 0xf8, 0xc4, 0xbf, 0x1e, 0x1c, 0x23, 0x74, 0xe0, 0x6, 0xac, 0x9f, 0x79, 0x8f, 0x85, 0xc, 0xfa, 0x37, 0x99, 0x5f, 0x22, 0x72, 0x44, 0xdb, 0xf4, 0x34, 0x16, 0x86, 0xcd, 0xb0, 0x91, 0x90, 0x2c, 0x75, 0x59, 0x61, 0xc3, 0x5e, 0x96, 0xf9, 0xa4, 0xd, 0x63, 0xe3, 0x90, 0xfc, 0xe4, 0x6f, 0x6d, 0xaa, 0x9d, 0xa4, 0xec, 0x8c, 0x9b, 0x61, 0xfc, 0xbd, 0xfd, 0xaf, 0x84, 0x10, 0x4, 0xb, 0x14, 0xc1, 0x72, 0xf6, 0x29, 0x20, 0x5e, 0x3e, 0x6f, 0x13, 0x5f, 0xc2, 0x6e, 0x60, 0x4a, 0x4c, 0x22, 0x2, 0x9b, 0x14, 0x24, 0x6d, 0x4c, 0xcf, 0xdf, 0xcf, 0x42, 0xf1, 0xb0, 0xab, 0xed, 0xa0, 0xb1, 0xfa, 0x19, 0x4, 0xd, 0xe4, 0x10, 0xb3, 0xef, 0x51, 0xce, 0xf6, 0xd, 0xd, 0xbe, 0xf5, 0x8d, 0x95, 0xb4, 0x2e, 0x5b, 0xcb, 0x59, 0x8e, 0x15, 0x36, 0x29, 0x9e, 0x45, 0xd6, 0x36, 0xe3, 0x66, 0x14, 0xb9, 0xe2, 0xaa, 0x82, 0x36, 0xa6, 0x1a, 0x41, 0x39, 0x8a, 0x65, 0xfb, 0x33, 0xa9, 0xc0, 0xd4, 0xc5, 0xec, 0x52, 0x71, 0xb7, 0x26, 0xf0, 0x49, 0x8a, 0x75, 0xc, 0xf1, 0x1f, 0x31, 0x9, 0xcb, 0x97, 0x7f, 0x83, 0xf4, 0xd5, 0x32, 0x63, 0x62, 0x3a, 0x52, 0x4f, 0x99, 0x44, 0xbb, 0x61, 0x55, 0x33, 0x88, 0xc3, 0x7b, 0xa2, 0x5e, 0x84, 0x3d, 0xb0, 0xd4, 0x5e, 0x0, 0x8a, 0xf0, 0xa1, 0xc2, 0xe1, 0x3e, 0x9d, 0xd3, 0xd, 0x6b, 0x67, 0xe7, 0xd3, 0xfd, 0x61, 0x65, 0x17, 0x60, 0x70, 0xfb, 0xff, 0x35, 0xe, 0x62, 0xa8, 0xf9, 0x64, 0xf2, 0x4f, 0x42, 0xce, 0x36, 0xf7, 0x81, 0x26, 0xda, 0x9f, 0x41, 0xc3, 0xc4, 0x48, 0x16, 0xb8, 0x9b, 0x76, 0x31, 0xf8, 0x0, 0xd0, 0x20, 0x31, 0x65, 0x85, 0xb4, 0x9e, 0xd6, 0x62, 0xbc, 0xca, 0x4c, 0xf4, 0x75, 0x7d, 0xd1, 0xb1, 0xfc, 0x49, 0xb7, 0x82, 0x7f, 0xa0, 0x34, 0x54, 0x55, 0xfb, 0xbb, 0x87, 0xf7, 0x3a, 0x2c, 0xf8, 0x83, 0xe2, 0x62, 0xd0, 0xd4, 0x6e, 0xb0, 0xa0, 0x13, 0x92, 0xa1, 0x9f, 0x88, 0x22, 0x57, 0xb4, 0xc7, 0xf3, 0xdc, 0x5e, 0x8, 0x2b, 0x16, 0x7a, 0xf, 0x30, 0xeb, 0xda, 0xd, 0xd9, 0x36, 0x1, 0xe8, 0xb5, 0xed, 0xfc, 0x7d, 0xcf, 0x9d, 0x4c, 0x24, 0xd5, 0x74, 0x68, 0xb2, 0x5c, 0x64, 0xa2, 0x3a, 0x8e, 0x34, 0x79, 0xee, 0x27, 0xa1, 0xbb, 0x1d, 0x5f, 0x57, 0x53, 0xcc, 0x8a, 0x48, 0x1e, 0x16, 0xe6, 0x80, 0x85, 0x7e, 0x3, 0x95, 0xd0, 0x50, 0x26, 0x29, 0x83, 0x92, 0xe5, 0x57, 0x16, 0x82, 0x93, 0x14, 0x99, 0x7d, 0xe6, 0xab, 0x1f, 0xe7, 0x89, 0x71, 0x2f, 0xd, 0x67, 0x32, 0xe7, 0x91, 0xcf, 0x5e, 0x48, 0x87, 0x43, 0xc6, 0x21, 0x7a, 0x75, 0xdb, 0x57, 0x8e, 0x75, 0x15, 0xe5, 0x9c, 0xa, 0x29, 0xf8, 0x9, 0x7d, 0x42, 0x7a, 0x4a, 0x38, 0x38, 0x8f, 0x30, 0x6a, 0x84, 0x99, 0x2b, 0x73, 0xb0, 0xb4, 0xac, 0xc3, 0xaa, 0x19, 0x58, 0x84, 0x17, 0x9, 0x10, 0x94, 0x9e, 0x3, 0x5e, 0xce, 0xa7, 0x11, 0xa1, 0xcb, 0x95, 0x8e, 0x5, 0x78, 0x73, 0x37, 0xaa, 0x81, 0xeb, 0x54, 0x11, 0x41, 0x4, 0xa1, 0x46, 0xc7, 0x41, 0xc7, 0x8a, 0x82, 0xfb, 0xbc, 0x73, 0xc, 0xa1, 0x29, 0x2b, 0x97, 0x9d, 0x91, 0xbe, 0x39, 0x64, 0xad, 0xfb, 0xa2, 0x43, 0xb0, 0xb4, 0xf3, 0x4b, 0x40, 0xe8, 0xb5, 0x82, 0xdf, 0xda, 0xe6, 0x39, 0x4c, 0xbd, 0x97, 0x63, 0x8, 0x64, 0x71, 0x4f, 0xcb, 0xec, 0x1e, 0x7f, 0x68, 0xe5, 0x7d, 0xf, 0xc3, 0xc3, 0x7e, 0xf3, 0x73, 0x2a, 0x33, 0xdb, 0xa0, 0xeb, 0x59, 0xdd, 0xbd, 0x59, 0x52, 0xc6, 0x57, 0x32, 0x4d, 0xdb, 0x9c, 0x70, 0x91, 0x22, 0x90, 0x93, 0x38, 0xbd, 0x25, 0x3b, 0x79, 0x9a, 0xf0, 0x56, 0x37, 0xe4, 0x4b, 0xe3, 0x9f, 0xf3, 0xc9, 0x56, 0xfb, 0x9a, 0xce, 0xbd, 0x76, 0x2f, 0x27, 0x8b, 0x20, 0x61, 0x7a, 0x86, 0x37, 0x9f, 0xc3, 0x72, 0x99, 0x8, 0x7, 0x43, 0x1d, 0xea, 0x4f, 0x9f, 0x42, 0x8a, 0x87, 0x44, 0xa7, 0xd0, 0x9, 0x66, 0x51, 0xdb, 0x2b, 0x71, 0x49, 0x6, 0xdf, 0xb5, 0x69, 0xe7, 0x57, 0xba, 0x26, 0xb8, 0xf2, 0xaa, 0xc7, 0x1f, 0xf2, 0x5d, 0x33, 0x82, 0x95, 0xd9, 0x93, 0x5c, 0x67, 0xf0, 0x89, 0x23, 0xe6, 0x7b, 0x67, 0x68, 0x7a, 0x36, 0xac, 0x59, 0x1b, 0x95, 0xd9, 0x21, 0xff, 0x85, 0x79, 0xa7, 0xce, 0x1c, 0x1, 0x85, 0xfb, 0x56, 0x89, 0x3, 0x9b, 0x5e, 0xca, 0xaa, 0x1a, 0x85, 0xb7, 0x97, 0x97, 0x3b, 0x71, 0x56, 0x21, 0xa5, 0x8a, 0x51, 0xf6, 0x61, 0xa, 0x15, 0xc7, 0xe8, 0x57, 0x33, 0x69, 0x2b, 0x2c, 0xec, 0xe2, 0xe7, 0x42, 0x78, 0x48, 0xa5, 0x68, 0x68, 0x65, 0xaf, 0xff, 0x8d, 0x81, 0xfc, 0x68, 0xe0, 0x82, 0xbd, 0x63, 0xd9, 0x33, 0x77, 0x91, 0x65, 0x8b, 0x5c, 0xda, 0x64, 0x28, 0x73, 0x24, 0x7b, 0xff, 0x90, 0x70, 0x92, 0x97, 0xd, 0x6d, 0x2f, 0x94, 0xdb, 0xff, 0xd6, 0x73, 0x93, 0x3b, 0x44, 0x41, 0xee, 0xc3, 0x5, 0xb6, 0x6d, 0xd3, 0xff, 0xeb, 0x41, 0xe5, 0xb2, 0x3e, 0xcc, 0x1d, 0xce, 0x96, 0x5a, 0x41, 0xb7, 0xf6, 0xa2, 0x3a, 0x16, 0x2e, 0x68, 0x83, 0xe3, 0x18, 0xf2, 0x3a, 0x2f, 0xd4, 0xbd, 0xfe, 0x46, 0xdb, 0xba, 0xfd, 0xba, 0x7e, 0x50, 0xa0, 0x90, 0x1a, 0xe2, 0x52, 0xce, 0x4d, 0xab, 0xa8, 0x4c, 0x73, 0xfb, 0x7c, 0x1b, 0x2e, 0x83, 0xf0, 0xa3, 0xc9, 0x54, 0xc3, 0x3e, 0x52, 0xfe, 0x8a, 0x7a, 0xca, 0xad, 0x8e, 0x37, 0x7e, 0xc9, 0x91, 0xae, 0xbb, 0x32, 0x3b, 0xac, 0x99, 0xc5, 0x49, 0x74, 0x55, 0x46, 0x1c, 0xb, 0x71, 0xc3, 0x19, 0xa6, 0x7e, 0xa8, 0x9d, 0xf7, 0x6a, 0x4c, 0x2e, 0x69, 0x6a, 0xd9, 0x38, 0xde, 0x86, 0x5d, 0x3f, 0xff, 0xec, 0xc0, 0x8, 0x1c, 0x42, 0xf, 0x32, 0xc5, 0xec, 0x5d, 0xec, 0x8f, 0xbc, 0xf2, 0xa6, 0x92, 0x6c, 0x78, 0xd6, 0x84, 0xff, 0x83, 0x13, 0xa7, 0x84, 0xa0, 0xff, 0xdb, 0x6, 0x8c, 0x58, 0x87, 0x15, 0xe7, 0x57, 0x68, 0xca, 0xf5, 0x85, 0xd, 0xd4, 0x74, 0xc7, 0xb6, 0xb3, 0x11, 0x73, 0xe8, 0xa8, 0x21, 0x35, 0x4c, 0xc8, 0x57, 0x23, 0x67, 0xf, 0xfe, 0x29, 0x5b, 0x61, 0x74, 0xfe, 0xe5, 0xcd, 0x58, 0x71, 0x5b, 0x10, 0x51, 0xbc, 0x2, 0x8e, 0xfc, 0x5, 0xa1, 0x48, 0x1e, 0xa0, 0x37, 0x8c, 0xa4, 0x9b, 0x28, 0x4a, 0x75, 0x9d, 0x76, 0x80, 0x21, 0x1c, 0xd5, 0xe1, 0x6f, 0x8c, 0xc0, 0x87, 0x13, 0xbd, 0xb7, 0x33, 0xdd, 0x32, 0xb0, 0xa6, 0xa, 0xb, 0x2, 0xdb, 0x26, 0x38, 0x95, 0x3c, 0xc7, 0x64, 0x6, 0x80, 0x7e, 0x13, 0x5, 0x5d, 0xf9, 0xc, 0x66, 0xc4, 0x2, 0x63, 0xc6, 0x8a, 0xf2, 0xce, 0xb2, 0x11, 0x4e, 0x0, 0x99, 0x36, 0x35, 0x97, 0x4f, 0x28, 0x5b, 0x4f, 0x82, 0xea, 0x4, 0x5b, 0xd3, 0x9e, 0x29, 0x3e, 0xb4, 0x89, 0x30, 0xa0, 0x4d, 0xf7, 0x88, 0x2c, 0xc7, 0x2c, 0xe4, 0xa2, 0x45, 0x7a, 0xd5, 0x69, 0x82, 0x8e, 0xb3, 0x7, 0x66, 0xfc, 0x63, 0x1e, 0x7c, 0xc, 0xb, 0x39, 0x29, 0xaf, 0x2a, 0x9e, 0xe8, 0x69, 0x28, 0xee, 0x1b, 0xda, 0x40, 0xc7, 0xc7, 0x74, 0xb9, 0x3f, 0xaf, 0xfc, 0xf6, 0x56, 0x85, 0xd1, 0xbe, 0xb6, 0xa4, 0x95, 0x39, 0xa, 0x1a, 0x54, 0x5c, 0x9, 0x97, 0x95, 0x57, 0xab, 0x2d, 0xe9, 0x3c, 0xa7, 0x2a, 0xff, 0xa1, 0xc6, 0x6, 0xa7, 0x38, 0xe4, 0x4d, 0x4b, 0xa5, 0xd0, 0xad, 0xcd, 0x6, 0xa9, 0xfc, 0x1a, 0x6b, 0xb, 0x16, 0xdd, 0x10, 0xde, 0x29, 0x16, 0x60, 0xfc, 0x25, 0xa3, 0x3d, 0x63, 0xd3, 0x99, 0x9c, 0x8e, 0x34, 0x5a, 0x4d, 0x8a, 0x15, 0x46, 0xf7, 0xe3, 0x1f, 0x1d, 0x5c, 0xe8, 0x8b, 0xc8, 0xed, 0x53, 0xc2, 0xb6, 0x9c, 0xa0, 0x3c, 0x48, 0xe, 0x3d, 0xdd, 0x5a, 0x5, 0xe3, 0x9a, 0x87, 0xf6, 0x97, 0xb9, 0xbf, 0x1d, 0x43, 0x7, 0xd0, 0x9a, 0x92, 0xc, 0x42, 0xdb, 0xd2, 0x84, 0x15, 0x62, 0xf1, 0xce, 0xcd, 0x28, 0x88, 0x7, 0xef, 0xf3, 0xd, 0xb5, 0x66, 0x4b, 0xbd, 0x6d, 0x9d, 0xda, 0x89, 0x45, 0x4, 0x2b, 0x9c, 0xd9, 0xe3, 0xd2, 0x4f, 0xbc, 0x41, 0xc2, 0x98, 0xd2, 0xa7, 0xc9, 0x4b, 0x21, 0xfd, 0x7c, 0x80, 0x56, 0xba, 0x97, 0xb6, 0xe3, 0xdb, 0xea, 0x64, 0x45, 0x2, 0x78, 0x1c, 0xef, 0xc5, 0x49, 0x81, 0xb4, 0xcf, 0xcd, 0xe8, 0xdd, 0x4, 0x26, 0x4d, 0x5a, 0xa7, 0xf0, 0x6b, 0x94, 0xaf, 0x38, 0x15, 0x6c, 0x7f, 0x4d, 0x15, 0x27, 0xcc, 0x1f, 0x5b, 0xde, 0x30, 0x92, 0xcc, 0x95, 0x82, 0x4f, 0x86, 0x66, 0xe9, 0x19, 0x85, 0xd8, 0x77, 0xbc, 0x86, 0x62, 0xea, 0xa9, 0x1, 0x99, 0xb0, 0x4d, 0x79, 0x69, 0x58, 0xfe, 0x9d, 0x24, 0x21, 0xcd, 0xa6, 0xbb, 0xbd, 0xb, 0x37, 0xc4, 0x6b, 0x5e, 0xfc, 0x21, 0x31, 0x81, 0x8f, 0x71, 0x61, 0x8b, 0xc7, 0x22, 0xbd, 0xed, 0xdf, 0x9c, 0x71, 0x3d, 0xd4, 0xd9, 0xec, 0x3e, 0x31, 0x4b, 0x22, 0x1b, 0xbb, 0x19, 0x1f, 0x3, 0x44, 0x41, 0x58, 0x31, 0xa3, 0x7, 0xab, 0x73, 0x49, 0x97, 0x26, 0x65, 0x36, 0x6, 0xf4, 0xde, 0xaa, 0x67, 0x96, 0x5d, 0x53, 0xae, 0x19, 0x30, 0xd5, 0xd7, 0xc6, 0xeb, 0xa2, 0xe3, 0xa7, 0xdb, 0xfa, 0x72, 0x16, 0x9d, 0x26, 0x75, 0xa5, 0x13, 0x23, 0xa3, 0x2e, 0x92, 0xd, 0xb5, 0x69, 0x1a, 0xfa, 0x97, 0x45, 0x2b, 0x20, 0xca, 0xcf, 0x28, 0x6e, 0x4c, 0x91, 0xb, 0x10, 0x68, 0x0, 0x11, 0xbd, 0xb7, 0x5d, 0x6a, 0xc9, 0x73, 0x8d, 0x41, 0x2e, 0xe0, 0x46, 0x55, 0x80, 0x8e, 0xdc, 0x6e, 0x9e, 0xfa, 0x40, 0x98, 0x63, 0x82, 0x78, 0xe6, 0xe0, 0xc0, 0x3d, 0x64, 0xbe, 0xb7, 0xa4, 0x58, 0x8, 0x43, 0x1e, 0x5f, 0xcf, 0x18, 0x14, 0x24, 0x42, 0x1d, 0xaf, 0x49, 0xef, 0x9f, 0x62, 0xc, 0x99, 0x5, 0x32, 0x1d, 0xc3, 0x5e, 0xcd, 0xe0, 0x46, 0x48, 0xd4, 0x85, 0xbf, 0xba, 0xa8, 0x47, 0xdb, 0x46, 0x7f, 0x9f, 0x75, 0xaa, 0xf1, 0xc9, 0x66, 0x5f, 0xa1, 0x6c, 0xea, 0x96, 0xf7, 0xe4, 0x13, 0x10, 0x71, 0x28, 0x79, 0x1f, 0x2a, 0xdc, 0x7c, 0x56, 0x45, 0x8d, 0x65, 0x5c, 0x70, 0x28, 0xb7, 0xad, 0x98, 0xe, 0x60, 0xce, 0x4a, 0xff, 0xc1, 0xf7, 0x39, 0xad, 0x6c, 0x4b, 0x57, 0x86, 0xba, 0xa1, 0x28, 0xb4, 0x20, 0xba, 0x34, 0xd6, 0x58, 0x3d, 0xfb, 0xfd, 0xe6, 0xa2, 0xde, 0x1c, 0x1, 0xc0, 0xd, 0x96, 0x18, 0x7b, 0x7a, 0x36, 0x32, 0xa8, 0x7, 0x15, 0x52, 0x50, 0x8f, 0x2c, 0x39, 0xb7, 0x9d, 0x2e, 0xef, 0xe5, 0x4b, 0x91, 0xb3, 0xac, 0x85, 0x6f, 0x44, 0xea, 0x78, 0xb1, 0x70, 0x9a, 0xee, 0xc3, 0xd8, 0x98, 0xa6, 0x43, 0x4c, 0xbd, 0x77, 0x1, 0x4c, 0x84, 0xe5, 0xbb, 0x73, 0xa9, 0xea, 0xb3, 0x2a, 0x6, 0x4d, 0x27, 0x9b, 0x29, 0xaf, 0xda, 0x6a, 0x85, 0x7c, 0xe, 0xba, 0x26, 0xb8, 0xb2, 0x5c, 0x76, 0x94, 0x91, 0x9b, 0x13, 0x87, 0xd3, 0x9f, 0xbd, 0x9b, 0xe7, 0x21, 0x7b, 0x71, 0xc, 0x1c, 0x24, 0x9a, 0x76, 0x8f, 0xb4, 0x93, 0x5a, 0x72, 0x8b, 0x36, 0x68, 0xe3, 0x83, 0xe1, 0x96, 0x5b, 0x1f, 0x55, 0x4f, 0x9d, 0xef, 0xa0, 0x10, 0x99, 0x2a, 0xa4, 0x39, 0x71, 0xc6, 0x76, 0x5e, 0x9, 0x4e, 0xa2, 0xc8, 0xe1, 0x71, 0xf2, 0xb8, 0x19, 0x27, 0x36, 0x7f, 0x2f, 0x21, 0x17, 0x12, 0xfa, 0x0, 0x3f, 0xeb, 0x75, 0x9f, 0xb6, 0x6d, 0x3e, 0x34, 0x6e, 0x8e, 0x11, 0x4e, 0x3f, 0x99, 0xb6, 0x25, 0x59, 0x55, 0xbd, 0x98, 0x85, 0xfa, 0x2e, 0xb3, 0x14, 0xd5, 0xd, 0xb4, 0xa1, 0xe3, 0x24, 0x7a, 0x80, 0x55, 0x30, 0x7e, 0xc3, 0x57, 0x58, 0x77, 0x50, 0x95, 0xcc, 0x7d, 0xb0, 0xc1, 0x9b, 0x2c, 0x12, 0x11, 0x63, 0x5, 0xe9, 0xdc, 0xa5, 0x2, 0xd5, 0x85, 0xae, 0x6e, 0x72, 0x41, 0xeb, 0x34, 0xaa, 0xc9, 0x3f, 0xe5, 0xf7, 0x38, 0x49, 0xe, 0x9f, 0x8c, 0x61, 0x47, 0x9e, 0x71, 0x83, 0xdc, 0x69, 0x7d, 0xd4, 0x58, 0xcc, 0x64, 0x1a, 0xf4, 0x23, 0x1a, 0x4c, 0xd7, 0x66, 0x9f, 0x82, 0xb5, 0x68, 0xe0, 0x28, 0x5d, 0xf6, 0x66, 0x4, 0x21, 0x29, 0x75, 0xd3, 0xd8, 0xf8, 0x4e, 0xa6, 0xc6, 0x2f, 0x15, 0xf1, 0x2a, 0x7a, 0x6a, 0xce, 0x19, 0x5c, 0x48, 0xd4, 0x55, 0xd7, 0xe2, 0x48, 0xf6, 0xf5, 0xd2, 0xb, 0x6d, 0x21, 0xb5, 0x9d, 0xf8, 0xb1, 0x6a, 0x2d, 0xf0, 0xc6, 0xed, 0xc, 0x65, 0xfc, 0x1a, 0xf4, 0x46, 0x71, 0xdf, 0x8a, 0x1c, 0x96, 0x73, 0xbc, 0xb1, 0xb9, 0xb1, 0xbd, 0x7e, 0xcb, 0x7f, 0x14, 0xd2, 0x63, 0x3, 0x8, 0xc1, 0xf7, 0xe, 0xaf, 0xca, 0xc5, 0x9, 0x5c, 0xd9, 0xf3, 0x1a, 0xb, 0xf9, 0x83, 0x48, 0xf4, 0xf6, 0xd4, 0xbf, 0xaf, 0x7a, 0x6d, 0x9b, 0x8d, 0x8a, 0x87, 0xe0, 0x64, 0x9b, 0xe5, 0x6a, 0x35, 0xbd, 0xe8, 0x9c, 0xfc, 0xee, 0xf4, 0x5a, 0xd2, 0x2e, 0xc0, 0xa6, 0x98, 0x3d, 0x84, 0xd8, 0x19, 0x63, 0x64, 0xf5, 0x73, 0x31, 0x16, 0x4f, 0x6c, 0xca, 0x64, 0xed, 0x2d, 0x2b, 0xd0, 0xfc, 0x6d, 0xce, 0xe5, 0x19, 0x7b, 0xe2, 0xca, 0x87, 0xd8, 0xa0, 0x5f, 0xbc, 0x69, 0xa3, 0x10, 0x37, 0x46, 0x7, 0x6e, 0x60, 0xc2, 0x59, 0x4e, 0xe7, 0xc6, 0xf3, 0x2a, 0x11, 0xc1, 0x15, 0xa0, 0x13, 0x7a, 0x7e, 0x0, 0x30, 0xba, 0x4a, 0xf5, 0xaa, 0xbb, 0x89, 0x47, 0xbb, 0x83, 0xf4, 0x3f, 0x27, 0xfd, 0x9f, 0xf6, 0x50, 0xd, 0x7c, 0x92, 0xd6, 0xa4, 0xf4, 0x91, 0xc1, 0x63, 0x7e, 0xe6, 0xd6, 0xf2, 0x42, 0x40, 0x34, 0xda, 0x8b, 0xc6, 0x72, 0x8b, 0x93, 0xc2, 0xcd, 0xcf, 0xd7, 0xe9, 0x54, 0x6e, 0x6f, 0xd2, 0xfb, 0x8a, 0xd2, 0xe5, 0x3f, 0x8b, 0xc2, 0xb6, 0x23, 0x4, 0xd4, 0x8d, 0x44, 0x16, 0xf4, 0x2a, 0x3, 0xcc, 0x1e, 0x71, 0xd9, 0x76, 0xec, 0x10, 0x8c, 0x7e, 0x4a, 0xae, 0x6e, 0xb, 0xb9, 0x5, 0x98, 0x4f, 0x85, 0x94, 0x5, 0xed, 0x4b, 0x32, 0x15, 0xb, 0xfd, 0xa3, 0x5c, 0x8b, 0xd9, 0x48, 0x18, 0xf7, 0x89, 0xef, 0xb3, 0x39, 0xf0, 0xfc, 0xe5, 0x1f, 0xd0, 0x2e, 0xda, 0x7b, 0x62, 0x2e, 0x33, 0x81, 0x44, 0x41, 0x3e, 0x7, 0xa5, 0xd7, 0xec, 0x7c, 0xe6, 0xcd, 0xec, 0x9c, 0x8a, 0x46, 0x16, 0x69, 0x2e, 0xa1, 0x6d, 0x3a, 0x5, 0xcc, 0xeb, 0x92, 0xcc, 0x64, 0x6b, 0x3a, 0x78, 0xb8, 0x76, 0x0, 0xa8, 0xa2, 0x2f, 0x99, 0xa5, 0xa0, 0xe8, 0xd0, 0x42, 0x30, 0xec, 0x56, 0x7c, 0x53, 0x1c, 0xc7, 0xd9, 0x69, 0xc7, 0x6b, 0x6b, 0x96, 0x6a, 0x8b, 0x38, 0xc7, 0x9f, 0xbf, 0xd3, 0xab, 0x33, 0xc2, 0xa0, 0x69, 0x53, 0xc4, 0x2f, 0xd0, 0x5b, 0xf5, 0xd0, 0xf9, 0xee, 0x92, 0x32, 0x2, 0x33, 0x2c, 0xa7, 0x16, 0x11, 0x8c, 0x9f, 0x36, 0x40, 0x5a, 0xf, 0x91, 0xa7, 0x96, 0x3e, 0xf0, 0x6e, 0x9e, 0x42, 0x39, 0x39, 0x84, 0xf3, 0x81, 0x61, 0xeb, 0x60, 0xd3, 0x18, 0x25, 0x90, 0x83, 0xf0, 0x49, 0xaf, 0xb, 0x39, 0xe8, 0xb9, 0x13, 0xc0, 0x65, 0xfe, 0xa4, 0x34, 0x4d, 0xec, 0xb3, 0x7c, 0xb9, 0x7a, 0x3d, 0x85, 0x4f, 0x8b, 0x8, 0x7a, 0x42, 0x72, 0x1f, 0xad, 0xfe, 0x2e, 0x68, 0xfc, 0x83, 0x38, 0x68, 0x8d, 0x4d, 0xfc, 0xa1, 0x24, 0x72, 0xdd, 0xdd, 0xaf, 0x1d, 0x9f, 0x4c, 0x84, 0x4e, 0x5c, 0x7d, 0x9b, 0x11, 0x15, 0x8e, 0xd1, 0x40, 0x7f, 0xeb, 0x68, 0xc2, 0xb7, 0x4c, 0xd1, 0xc6, 0x79, 0xe1, 0x89, 0xae, 0xc2, 0x55, 0xc8, 0xb4, 0x65, 0xa2, 0xd9, 0xb0, 0x7c, 0x99, 0xbb, 0x8, 0x35, 0x5b, 0x4a, 0xc6, 0x2e, 0x5b, 0x63, 0x2c, 0xbc, 0x2c, 0x28, 0xb1, 0x7c, 0x1a, 0xdd, 0x28, 0xb8, 0x3a, 0x97, 0x46, 0xbe, 0x26, 0x76, 0x8d, 0xa0, 0xb2, 0xd6, 0x8, 0xe7, 0x40, 0x8d, 0xaf, 0x6b, 0xf3, 0xb3, 0xae, 0x4d, 0xa1, 0x1f, 0x57, 0x72, 0x98, 0xfd, 0x2d, 0xf2, 0x2f, 0x73, 0xb1, 0x85, 0x8d, 0x10, 0x87, 0x0, 0xa7, 0x1, 0xab, 0x87, 0x7a, 0x20, 0x88, 0x59, 0xa8, 0xfe, 0xaa, 0xaa, 0x55, 0x7, 0xf0, 0x69, 0xf8, 0x32, 0xc8, 0xcc, 0x1a, 0x9d, 0x8d, 0xca, 0x85, 0x11, 0x8f, 0x48, 0xd2, 0xde, 0x87, 0xd9, 0x7d, 0xc7, 0xf2, 0xad, 0x24, 0x61, 0xc4, 0x60, 0xf0, 0x39, 0x30, 0x5f, 0xf4, 0x95, 0xe0, 0x71, 0x75, 0xb, 0xd7, 0xe5, 0xf, 0xe7, 0x60, 0x62, 0x50, 0x86, 0xd5, 0x82, 0x5, 0xd1, 0x50, 0xf7, 0xa7, 0x5e, 0xd7, 0x39, 0x64, 0xc3, 0xba, 0x75, 0xb1, 0xd0, 0xf3, 0x8c, 0x29, 0x13, 0xd0, 0x21, 0x4d, 0x56, 0xa7, 0xf3, 0xfc, 0x3e, 0xcd, 0x3f, 0x3e, 0xa4, 0x4a, 0xb2, 0x9a, 0x8e, 0x8, 0xb8, 0x34, 0xc0, 0x26, 0xdd, 0xea, 0x46, 0x3d, 0xbd, 0xc9, 0x4d, 0xef, 0xa5, 0x6f, 0x6a, 0x4c, 0x8a, 0x58, 0x9d, 0xf9, 0xa2, 0x6c, 0xa4, 0x1d, 0x2f, 0x55, 0xd3, 0xab, 0xdd, 0xd1, 0xcd, 0xfa, 0x1a, 0xce, 0xf8, 0xc3, 0x72, 0x78, 0x5, 0xd4, 0x92, 0xee, 0x4e, 0xc, 0xd9, 0x94, 0x3b, 0x62, 0xca, 0x1f, 0xb4, 0x8b, 0xd2, 0xe1, 0x7c, 0x41, 0xe7, 0xd2, 0x92, 0x27, 0x24, 0xf5, 0xe7, 0xe, 0x97, 0x71, 0xbc, 0x42, 0xff, 0x1e, 0xa4, 0x67, 0x5c, 0x6d, 0xdc, 0xf4, 0x1f, 0x58, 0x2a, 0x88, 0x20, 0x7b, 0x9b, 0x70, 0x77, 0x2c, 0x7f, 0x21, 0xbe, 0x1d, 0x73, 0x54, 0x35, 0x77, 0x21, 0xb7, 0x5b, 0xcd, 0xa8, 0xf2, 0x2a, 0x59, 0xd0, 0x1d, 0x59, 0x69, 0xe7, 0xee, 0x58, 0x77, 0x64, 0xba, 0x4b, 0xc9, 0x30, 0x29, 0xbb, 0xc0, 0xf2, 0x76, 0xf1, 0xda, 0xdd, 0x6a, 0x1e, 0x58, 0x26, 0x57, 0xe2, 0x4, 0x46, 0xca, 0x1, 0xfb, 0x2f, 0x34, 0x85, 0xed, 0x4d, 0x40, 0xa, 0xd6, 0x38, 0x18, 0x44, 0x96, 0xf, 0xf6, 0x8c, 0x4a, 0x1c, 0x7, 0xc9, 0x1c, 0x69, 0xbc, 0x9b, 0x3, 0x28, 0x44, 0x34, 0x44, 0x87, 0x58, 0xfd, 0x81, 0xd, 0x9c, 0x80, 0x85, 0x1c, 0x10, 0x97, 0x7f, 0x6f, 0x45, 0x8c, 0x4c, 0x75, 0xfb, 0xa7, 0x3f, 0x1, 0x71, 0xaf, 0xd5, 0xa1, 0xf7, 0x6a, 0x46, 0xc9, 0xed, 0xb, 0xe5, 0x16, 0x82, 0xe6, 0xa0, 0x70, 0x73, 0xd2, 0xb, 0xa3, 0xcb, 0xf4, 0xcc, 0x21, 0x4, 0x87, 0xbf, 0xaf, 0x81, 0x79, 0xe1, 0xf0, 0x49, 0x94, 0x67, 0x6a, 0x49, 0x2, 0xae, 0xed, 0x47, 0xa, 0xbe, 0xc4, 0xcf, 0x86, 0x22, 0xca, 0xfe, 0xb1, 0x36, 0xc9, 0x73, 0x30, 0xfb, 0xf8, 0xf8, 0x3, 0x12, 0x46, 0x69, 0xf5, 0xf8, 0x48, 0xde, 0x5b, 0x71, 0xd6, 0xad, 0xbc, 0x7d, 0xbc, 0x89, 0x21, 0x73, 0x38, 0x70, 0xc9, 0x8a, 0xee, 0x9, 0xc7, 0x9e, 0x29, 0x45, 0x5d, 0xf8, 0xaf, 0x5a, 0x84, 0xe2, 0x7e, 0x28, 0xd1, 0x1f, 0xbf, 0x1d, 0xdb, 0x74, 0x88, 0x1f, 0x7d, 0xd6, 0x88, 0xc, 0x99, 0x8b, 0x58, 0x46, 0xea, 0x13, 0x83, 0x36, 0x84, 0x9a, 0x64, 0xba, 0x60, 0xae, 0x43, 0xd5, 0x60, 0xce, 0xcb, 0xfd, 0xd5, 0x2d, 0x27, 0x90, 0x98, 0x95, 0xe9, 0x3d, 0xcf, 0x10, 0x3a, 0x71, 0x3e, 0x2a, 0x43, 0xf3, 0x75, 0xb8, 0x27, 0x82, 0xe2, 0x9f, 0x47, 0x13, 0x5e, 0xc8, 0xcd, 0xfa, 0xfe, 0xa9, 0x1e, 0x56, 0xb8, 0xfd, 0xaa, 0x32, 0x83, 0xa0, 0x97, 0xa2, 0xa6, 0x62, 0x9b, 0x80, 0x73, 0xb5, 0x8b, 0xd, 0x9b, 0x6f, 0x3, 0x63, 0xc, 0xfd, 0x1c, 0xfa, 0xd2, 0xa8, 0xbd, 0x64, 0xbd, 0x55, 0xeb, 0x16, 0x7a, 0x27, 0x3e, 0xc1, 0x2a, 0x8a, 0x8e, 0xe4, 0xf7, 0xf5, 0xa9, 0xb1, 0x4e, 0xdf, 0xf6, 0x94, 0x44, 0x62, 0xa, 0x1f, 0x98, 0xeb, 0x84, 0xbf, 0xed, 0xf0, 0x38, 0x64, 0x53, 0x32, 0xdc, 0xba, 0x49, 0x71, 0x75, 0x4f, 0x0, 0x41, 0xa5, 0xbe, 0x50, 0xee, 0x94, 0x1c, 0xdf, 0x10, 0x7d, 0xc6, 0xba, 0x31, 0xbc, 0x27, 0xb7, 0xa1, 0x73, 0x3d, 0x25, 0x28, 0x6e, 0x68, 0x30, 0xf2, 0x1c, 0xd0, 0xb3, 0x3b, 0x5a, 0x6a, 0x30, 0x39, 0xc0, 0xb, 0xa4, 0x1b, 0x3a, 0x78, 0x96, 0xfd, 0x41, 0xa, 0x4e, 0xd4, 0xcd, 0x53, 0x2, 0x9a, 0xd3, 0xe8, 0xa1, 0x38, 0x86, 0x38, 0xc7, 0x26, 0xbe, 0x80, 0x64, 0x82, 0xf3, 0x85, 0x22, 0x1d, 0x5e, 0x36, 0xee, 0x36, 0x5c, 0xb, 0xec, 0x8f, 0x8d, 0x8d, 0x18, 0x82, 0x4d, 0xf, 0x1f, 0x48, 0x1a, 0xef, 0x34, 0x9a, 0xd2, 0x87, 0xa4, 0xe1, 0x43, 0x8f, 0x1a, 0xa5, 0xdd, 0x2, 0x39, 0x7c, 0x14, 0xa8, 0xa5, 0xb4, 0x73, 0x69, 0xfe, 0x6, 0xf7, 0xd2, 0x35, 0x7e, 0x45, 0x57, 0xc2, 0xcf, 0xef, 0xc2, 0x5a, 0x1b, 0x61, 0x0, 0x87, 0xd4, 0x48, 0x3f, 0x93, 0xb2, 0xbe, 0x12, 0x49, 0x88, 0xaf, 0x65, 0xc3, 0x94, 0xdf, 0x2e, 0x16, 0xe6, 0x4d, 0x5a, 0x7f, 0x4b, 0xf3, 0x32, 0xc, 0x7c, 0xba, 0x46, 0xc6, 0x74, 0x10, 0x9, 0xb2, 0xf3, 0x6a, 0x2c, 0x63, 0x5f, 0x6f, 0xb2, 0x9b, 0x33, 0xa3, 0xf6, 0x10, 0xb6, 0x85, 0x4d, 0x4, 0x8e, 0xdb, 0x85, 0x1e, 0x54, 0x7e, 0x19, 0x94, 0x8, 0x7a, 0x69, 0xc3, 0xa8, 0x4e, 0xcb, 0xa7, 0xc0, 0x8c, 0xe1, 0x65, 0x6e, 0xfe, 0x71, 0xa4, 0x50, 0x4f, 0x8c, 0xa3, 0x9c, 0x43, 0x13, 0x2f, 0x7a, 0x74, 0x31, 0xf0, 0x8b, 0x31, 0x7, 0xc0, 0xba, 0xa6, 0xc4, 0x53, 0x3d, 0xcb, 0xec, 0x1d, 0xe5, 0x3e, 0xda, 0xa8, 0x3f, 0x8f, 0xa4, 0x5c, 0xdf, 0x1a, 0xc0, 0xbf, 0x84, 0x9b, 0x2a, 0xe2, 0x6, 0x2f, 0x35, 0x64, 0x4a, 0x9e, 0x9, 0xc1, 0xa1, 0x4d, 0xe5, 0xce, 0xc0, 0x89, 0x1b, 0xfa, 0xe8, 0x54, 0xda, 0xbb, 0xfb, 0x55, 0x6e, 0x6f, 0xf5, 0x3d, 0x6a, 0x16, 0x88, 0x6f, 0x17, 0x20, 0x24, 0x4a, 0xa4, 0x1c, 0xff, 0xb5, 0xb7, 0xdf, 0x88, 0xfd, 0x6a, 0x93, 0xa0, 0xd4, 0x11, 0x86, 0x37, 0x24, 0x4c, 0xe3, 0x92, 0x48, 0x55, 0x3e, 0x6d, 0x41, 0x24, 0x5f, 0x45, 0x2a, 0xe, 0x43, 0x3d, 0xb5, 0x13, 0x84, 0xa0, 0xa2, 0x32, 0x90, 0xee, 0x6a, 0xc5, 0x99, 0xb1, 0x67, 0xc3, 0xee, 0xf6, 0x2b, 0x43, 0x9, 0xc1, 0xec, 0xf0, 0xda, 0xc6, 0x50, 0x28, 0x55, 0x48, 0x20, 0xc9, 0x5b, 0x55, 0xce, 0xeb, 0x49, 0x7, 0x13, 0x81, 0x54, 0xa6, 0x6b, 0xb6, 0xdf, 0x97, 0x85, 0x29, 0x6f, 0x97, 0xf7, 0x84, 0x1b, 0xa4, 0xd5, 0xf8, 0x70, 0xeb, 0xd9, 0xb5, 0xd5, 0x28, 0xb2, 0xbb, 0xd7, 0xe7, 0xdd, 0x5a, 0x37, 0x32, 0xb, 0x1c, 0xc, 0x86, 0x8b, 0xe8, 0x31, 0xaa, 0xdb, 0x3e, 0x17, 0xc4, 0x68, 0xf5, 0xd1, 0x2, 0xdf, 0x59, 0x54, 0x83, 0xfc, 0x92, 0x15, 0x7e, 0x9a, 0xcd, 0xf, 0xfb, 0xc0, 0xea, 0x2b, 0xa, 0x3b, 0x47, 0x1b, 0xb8, 0xfd, 0xa6, 0xb0, 0x48, 0xfc, 0xe8, 0xf, 0x6f, 0x4c, 0x22, 0xe3, 0x89, 0xe1, 0x77, 0x57, 0x45, 0xc8, 0xa5, 0xa1, 0x29, 0x28, 0x6f, 0x45, 0xe0, 0xbe, 0x10, 0xcc, 0xd5, 0x2b, 0x76, 0xda, 0x56, 0x5c, 0xd9, 0x8a, 0xa8, 0x1d, 0xd9, 0xe9, 0x14, 0x22, 0x2e, 0x15, 0x74, 0x3c, 0xb2, 0x7c, 0x72, 0xe, 0x5b, 0x97, 0xdf, 0x66, 0xc, 0xa9, 0x70, 0x76, 0x5d, 0xfd, 0x53, 0xfc, 0x5f, 0x22, 0xad, 0xb8, 0xb5, 0xb5, 0xae, 0xd2, 0xde, 0xfa, 0x73, 0xff, 0x6d, 0xab, 0xcf, 0x49, 0x35, 0x6d, 0xf, 0xe5, 0x33, 0xd4, 0x5e, 0x66, 0xcd, 0xfa, 0x6f, 0x69, 0x33, 0x6f, 0xb4, 0xfc, 0x11, 0xce, 0xac, 0xfd, 0x5b, 0x69, 0x60, 0x98, 0x7c, 0xaf, 0x52, 0xe2, 0xe, 0x81, 0x2c, 0xbb, 0x59, 0x71, 0xe1, 0xf, 0x45, 0x65, 0x7b, 0x35, 0x8b, 0x75, 0xbe, 0xbe, 0xdf, 0xf7, 0x72, 0xea, 0x9f, 0xd6, 0x74, 0x7e, 0x5, 0x2b, 0x45, 0x17, 0x73, 0x92, 0x7a, 0x71, 0x85, 0xd4, 0xef, 0xd7, 0x76, 0xb3, 0x84, 0x76, 0x6d, 0x8d, 0x81, 0xda, 0xd5, 0x48, 0xac, 0x2, 0xbf, 0x3d, 0x9c, 0x13, 0x89, 0x1b, 0x5a, 0x38, 0xa5, 0xfa, 0xce, 0xa7, 0x20, 0x68, 0x85, 0xcb, 0x4d, 0x50, 0x26, 0x9d, 0x1a, 0xe6, 0x45, 0x21, 0x98, 0xc0, 0xaf, 0x25, 0x5d, 0xac, 0x32, 0x6c, 0x5c, 0xf3, 0xc2, 0xb3, 0x27, 0x4e, 0x67, 0xa2, 0x3b, 0xaa, 0xc5, 0x7a, 0x6c, 0x9f, 0xa0, 0xa3, 0x69, 0x2e, 0xcf, 0x86, 0xb, 0xf3, 0x1d, 0x5c, 0x6a, 0x90, 0x87, 0xef, 0x7, 0x4d, 0xfc, 0x66, 0x6f, 0xb1, 0x61, 0x22, 0x1, 0xd4, 0xda, 0xc2, 0x75, 0xa9, 0x1e, 0x36, 0xbc, 0xf, 0xe6, 0x48, 0x97, 0xe6, 0xc7, 0x0, 0x99, 0x2d, 0x36, 0x35, 0xa0, 0xa2, 0xf, 0xaa, 0xf6, 0x7c, 0xe1, 0x3c, 0x2a, 0x1f, 0x87, 0x38, 0xe3, 0xa1, 0x3a, 0x44, 0xd5, 0x80, 0xdf, 0xb4, 0x47, 0x5b, 0x8b, 0x24, 0xda, 0x6a, 0x1a, 0x72, 0x3c, 0xdd, 0x8, 0xbb, 0x9f, 0x1f, 0x9c, 0x22, 0xb2, 0x46, 0x7e, 0xf9, 0xa1, 0x93, 0xfb, 0x7e, 0xba, 0x31, 0x46, 0xad, 0xe5, 0x4e, 0xa3, 0x10, 0xae, 0xf3, 0xa5, 0x5c, 0xaa, 0x6b, 0x4, 0x2, 0x6c, 0x74, 0x3e, 0xfc, 0x81, 0x7d, 0xb, 0x6, 0x9a, 0x2b, 0xf0, 0x90, 0xcc, 0x9e, 0xa7, 0x8c, 0x68, 0x7b, 0x2f, 0x16, 0x58, 0xdb, 0xdf, 0xc1, 0x54, 0xf5, 0x99, 0x2a, 0x77, 0xf4, 0xf4, 0x4b, 0xdc, 0x67, 0x7c, 0x4e, 0xb2, 0xed, 0x7b, 0x82, 0x4a, 0xaa, 0x43, 0xc7, 0xe4, 0xcb, 0x2b, 0xf8, 0xcf, 0xfa, 0xf5, 0x72, 0x94, 0x22, 0x9b, 0x4a, 0x2c, 0xcf, 0x82, 0xbb, 0xef, 0x2c, 0xf1, 0x7f, 0x36, 0x59, 0xb8, 0x6, 0x6e, 0x38, 0x75, 0xaf, 0xcd, 0xa3, 0x78, 0x59, 0x24, 0x32, 0x98, 0xb1, 0x7, 0x98, 0x6d, 0xd3, 0xbd, 0x2d, 0xe9, 0x11, 0x85, 0xb7, 0xe7, 0x95, 0x74, 0x43, 0x27, 0xa7, 0xdd, 0x77, 0x65, 0x6e, 0x16, 0x34, 0xcf, 0xaa, 0xaa, 0x3e, 0xc1, 0xa3, 0xa4, 0xb6, 0x40, 0x62, 0x2c, 0x9d, 0xc2, 0x49, 0xcd, 0x9c, 0x63, 0xa1, 0x2b, 0xa4, 0x3d, 0x7f, 0xe1, 0xc2, 0x33, 0x21, 0x6d, 0x7c, 0x5c, 0xeb, 0xf9, 0x91, 0x6, 0x76, 0xa9, 0xe6, 0x2a, 0xbd, 0xce, 0x85, 0xfb, 0xd, 0xb0, 0x65, 0xbd, 0x35, 0x6e, 0x80, 0x82, 0x2a, 0x39, 0xb9, 0x6, 0x79, 0x9f, 0x9e, 0x3b, 0x2b, 0xd, 0x4d, 0x8a, 0x29, 0x9f, 0x23, 0xf1, 0x7, 0xb2, 0xdb, 0xcf, 0x60, 0x97, 0x6c, 0xeb, 0x2e, 0xf9, 0xd4, 0x3f, 0x20, 0xbf, 0xc8, 0x9b, 0x4e, 0xa7, 0x7e, 0xe4, 0x2a, 0xb, 0x29, 0x3d, 0x7d, 0x3a, 0x16, 0x37, 0x93, 0xa6, 0x1f, 0x14, 0xa4, 0xef, 0x87, 0xe8, 0x5e, 0x29, 0xd0, 0x3f, 0x27, 0xf8, 0xf9, 0x37, 0x40, 0x84, 0x54, 0x58, 0xab, 0x41, 0xe3, 0x62, 0xa8, 0x46, 0x30, 0xb, 0xfc, 0xc6, 0x38, 0x53, 0xe9, 0x9f, 0xfb, 0xc8, 0x79, 0x95, 0xac, 0xe8, 0xe2, 0x94, 0xe4, 0x8b, 0xca, 0xd7, 0x69, 0x6f, 0xef, 0x24, 0xc4, 0xec, 0x57, 0xb8, 0x4f, 0x15, 0x52, 0xe, 0x63, 0x48, 0xdf, 0xe2, 0x42, 0x2b, 0x11, 0x13, 0xf0, 0xbf, 0x4, 0x52, 0x62, 0x8, 0xc9, 0xad, 0xef, 0xce, 0xb0, 0x63, 0x11, 0x6c, 0xb1, 0x8b, 0x7d, 0x89, 0x68, 0x14, 0xb7, 0xe3, 0x47, 0x51, 0xdf, 0xad, 0x75, 0xbf, 0xa2, 0x5, 0x8b, 0x37, 0x5b, 0x92, 0x1e, 0xda, 0x25, 0x66, 0x4b, 0x37, 0xfe, 0x12, 0x67, 0x76, 0xff, 0x0, 0x81, 0x4c, 0xfb, 0x60, 0x46, 0xc8, 0xcb, 0x80, 0x63, 0x60, 0xbc, 0xe4, 0xad, 0x10, 0x6c, 0xc9, 0x6e, 0x26, 0x27, 0xa7, 0xec, 0xb6, 0x7a, 0xb5, 0xc2, 0x6a, 0xb4, 0x0, 0xe8, 0x28, 0xbb, 0xd7, 0x73, 0xc6, 0xfd, 0xfe, 0xe3, 0xc0, 0x23, 0x20, 0x5f, 0x64, 0xb5, 0x28, 0x2b, 0x56, 0x30, 0x5f, 0xe, 0x43, 0x76, 0x6, 0xd8, 0xea, 0x36, 0x10, 0xca, 0x41, 0x67, 0x93, 0x12, 0x7f, 0x93, 0x31, 0x50, 0x6e, 0xbf, 0xf0, 0x9a, 0x29, 0x22, 0x6e, 0x9, 0xc3, 0x32, 0x22, 0xdd, 0x45, 0x21, 0x61, 0xb1, 0xa3, 0xd6, 0x33, 0x86, 0x5e, 0xd7, 0x57, 0x90, 0x49, 0x6c, 0xbd, 0xc2, 0xf1, 0x39, 0x51, 0x76, 0x99, 0xa5, 0xf5, 0xab, 0x1f, 0x6b, 0x6d, 0xc, 0x90, 0x3b, 0x63, 0x7c, 0x43, 0xe7, 0x16, 0x68, 0x29, 0xe8, 0x11, 0x4c, 0x16, 0x76, 0xd2, 0xc0, 0xa7, 0x38, 0xe, 0x84, 0x29, 0x9c, 0xf9, 0x95, 0x10, 0x1f, 0x3f, 0x9, 0xb9, 0x57, 0xb3, 0xb9, 0x12, 0x19, 0x17, 0xc8, 0x39, 0xf8, 0x4, 0xd5, 0x9, 0xfe, 0xdd, 0x4b, 0xdd, 0xbd, 0x3b, 0xfb, 0x64, 0x1f, 0x34, 0x45, 0x4, 0xdb, 0x5b, 0xed, 0x42, 0xef, 0xc8, 0x21, 0xe8, 0xb4, 0x95, 0xdd, 0x60, 0x15, 0x4e, 0x52, 0xb9, 0x70, 0x50, 0xaf, 0x39, 0xde, 0x68, 0xc8, 0xd1, 0xad, 0xe9, 0x95, 0x69, 0x79, 0xc9, 0x4c, 0x9a, 0x32, 0x28, 0xb8, 0x90, 0x97, 0x64, 0xae, 0x62, 0x5b, 0xb7, 0xa2, 0xeb, 0x1e, 0x2f, 0xc1, 0xe3, 0xd7, 0xf6, 0xd3, 0x7b, 0x61, 0x21, 0x64, 0x33, 0xdf, 0x1c, 0x71, 0x7e, 0xdb, 0xcf, 0x7, 0x89, 0xd7, 0x37, 0x9, 0xfc, 0x7d, 0xd5, 0x8b, 0x1a, 0x84, 0x99, 0x7a, 0x93, 0x88, 0xba, 0x41, 0xa, 0x5d, 0x4d, 0xc2, 0xa5, 0xb9, 0x1e, 0x86, 0x6c, 0xb6, 0x2, 0x84, 0x29, 0x58, 0xfc, 0xcd, 0x71, 0x4c, 0xf8, 0x6e, 0xdb, 0x99, 0xd9, 0x4c, 0x36, 0xe6, 0xaa, 0xaa, 0xe2, 0x69, 0xd9, 0xc7, 0x8b, 0x64, 0x18, 0x94, 0xf0, 0x4b, 0x6f, 0x3c, 0x71, 0xeb, 0xe9, 0xc2, 0xb3, 0x5a, 0xc2, 0x52, 0x6e, 0xc, 0x58, 0xd5, 0x75, 0x6a, 0x12, 0x0, 0x60, 0xe5, 0x24, 0x8a, 0x2b, 0x46, 0x8e, 0x85, 0x82, 0xfe, 0x8, 0x42, 0x54, 0xca, 0x90, 0x1a, 0xc2, 0x3e, 0x4a, 0xaf, 0xa3, 0x51, 0xd4, 0x14, 0x76, 0xc2, 0x63, 0x9e, 0xc1, 0x63, 0x39, 0xe7, 0x5, 0xe0, 0x95, 0x8c, 0x8, 0x32, 0x0, 0x8d, 0x4a, 0x94, 0xf9, 0x25, 0x50, 0x7c, 0x48, 0x2a, 0x94, 0x9a, 0x7d, 0xe3, 0x98, 0x8f, 0xe7, 0x45, 0x5c, 0x53, 0x51, 0x73, 0x35, 0x53, 0x80, 0x1f, 0x89, 0x44, 0x1c, 0xf1, 0x41, 0xfe, 0x90, 0xc3, 0xa2, 0x5d, 0x9c, 0xe1, 0xf9, 0x20, 0x8a, 0x6d, 0xbd, 0xda, 0x2f, 0xe6, 0x69, 0x1f, 0x65, 0xbb, 0xaa, 0x27, 0x2e, 0xb6, 0x9e, 0x1b, 0xb5, 0xbb, 0xbb, 0x3d, 0x37, 0x83, 0x9, 0xbb, 0xda, 0x32, 0x36, 0x82, 0xc9, 0x88, 0x3b, 0x7d, 0xde, 0xe7, 0x59, 0xa7, 0xf3, 0x74, 0x89, 0x6c, 0x6c, 0x87, 0x52, 0x3d, 0x8, 0x78, 0x65, 0x49, 0xd8, 0xcd, 0x45, 0xe0, 0xbc, 0x73, 0x64, 0xb5, 0x47, 0xe7, 0x53, 0x0, 0xe, 0x7e, 0xe5, 0x5d, 0x53, 0x8a, 0x1c, 0x56, 0x92, 0x65, 0xd3, 0x4, 0xad, 0x2e, 0x7f, 0xca, 0x78, 0xd3, 0x6, 0x6a, 0xdb, 0x59, 0xf8, 0x14, 0x20, 0x56, 0x61, 0xb3, 0xf8, 0xf8, 0x19, 0x14, 0x17, 0x91, 0xb1, 0x4e, 0x32, 0x99, 0x3b, 0x60, 0x25, 0x45, 0xbf, 0xd0, 0x98, 0x58, 0xa1, 0x9d, 0xcd, 0x45, 0x3e, 0xfc, 0x14, 0x8d, 0x32, 0x79, 0x71, 0x9f, 0xe8, 0x5e, 0xc, 0x86, 0x36, 0xee, 0xe8, 0x42, 0x6c, 0x89, 0x2d, 0xc2, 0x13, 0x41, 0xfd, 0x4d, 0xf0, 0xda, 0x13, 0x42, 0x10, 0x44, 0xb7, 0xb7, 0xdb, 0x1a, 0xea, 0x94, 0xd3, 0x1f, 0xa1, 0x5f, 0xfd, 0xe5, 0x51, 0x5, 0x4e, 0x1a, 0x94, 0x5d, 0x23, 0x68, 0x51, 0x1, 0xd1, 0x18, 0xbe, 0xcf, 0x72, 0x67, 0x23, 0x45, 0x98, 0x9, 0xe3, 0x71, 0x60, 0x27, 0x98, 0xba, 0x56, 0x5a, 0xde, 0x79, 0xe8, 0xe4, 0x91, 0x94, 0x5b, 0x28, 0xb0, 0xaf, 0xaf, 0xaa, 0x5e, 0x70, 0x4c, 0x1e, 0x88, 0xbe, 0xa0, 0x1, 0xab, 0xca, 0xd9, 0x2a, 0x5d, 0x4f, 0x1d, 0xff, 0x3f, 0x23, 0x7a, 0xc3, 0x4a, 0x9a, 0x34, 0x6e, 0x16, 0x6a, 0x1c, 0x4a, 0x46, 0x12, 0x1c, 0xcf, 0x60, 0x32, 0x38, 0x29, 0x66, 0x6b, 0x9e, 0xd9, 0x71, 0x54, 0x6d, 0x5f, 0x66, 0x43, 0x3d, 0xea, 0x9b, 0xc8, 0x8c, 0xff, 0x4, 0x4d, 0x97, 0x36, 0x57, 0x90, 0x92, 0x8f, 0x14, 0x9e, 0xf2, 0x27, 0xdf, 0x53, 0xc8, 0xc0, 0x6, 0xae, 0x64, 0x7a, 0xce, 0xc5, 0xe9, 0x58, 0x83, 0xd1, 0x6c, 0x25, 0xa5, 0x92, 0xd0, 0xde, 0x82, 0xce, 0x9c, 0x9d, 0xc7, 0xb7, 0x93, 0x6e, 0x79, 0x59, 0x6e, 0xcc, 0x27, 0x9e, 0xbb, 0x31, 0x92, 0x70, 0xe4, 0xe1, 0xa0, 0x29, 0x9e, 0xaa, 0x83, 0x30, 0xb, 0xb7, 0x44, 0xe6, 0x85, 0x37, 0x75, 0x1a, 0x18, 0xbf, 0x1e, 0x3f, 0xa, 0x5c, 0xc8, 0xe8, 0xd6, 0x8e, 0x7f, 0xc3, 0x87, 0x7c, 0x92, 0x24, 0xad, 0xbc, 0x8d, 0xb7, 0xe3, 0x9e, 0xbb, 0x62, 0xfb, 0xfd, 0x46, 0xba, 0xce, 0xcb, 0x77, 0xe4, 0xa8, 0xeb, 0x4b, 0xde, 0xae, 0xee, 0xb0, 0x8c, 0xd3, 0x37, 0xb6, 0xde, 0x76, 0x79, 0xe8, 0x98, 0xc4, 0xb, 0xfb, 0x47, 0x61, 0x6b, 0x4, 0x4c, 0x94, 0xb2, 0x9, 0x96, 0x1f, 0xf7, 0x35, 0x3f, 0x12, 0x8b, 0xd0, 0xb9, 0x2, 0x14, 0x3f, 0xa1, 0xb3, 0xd3, 0x63, 0xc8, 0x7b, 0x2c, 0xc3, 0x41, 0x34, 0x57, 0x6e, 0x3e, 0x8c, 0x57, 0xc4, 0x1e, 0x30, 0x4b, 0x7e, 0xf5, 0xda, 0xa, 0xc4, 0xc9, 0x6f, 0xc2, 0xa3, 0xce, 0x93, 0x74, 0xfd, 0x1b, 0xe7, 0x96, 0x56, 0x14, 0xf8, 0x1a, 0x3f, 0x4b, 0x5d, 0xd0, 0x8f, 0x60, 0x8c, 0x6a, 0x8a, 0x2a, 0xca, 0xda, 0x76, 0xb2, 0x25, 0x7, 0xf6, 0x7, 0xef, 0x53, 0x78, 0x59, 0x43, 0xc7, 0xf0, 0x23, 0xe0, 0xba, 0x19, 0xe, 0xe3, 0x20, 0x88, 0xc8, 0x52, 0xb1, 0xaf, 0x6f, 0xfa, 0xe3, 0x45, 0x16, 0x24, 0x9c, 0x60, 0x3e, 0x82, 0x84, 0xc1, 0x95, 0x5d, 0x73, 0x17, 0x53, 0x95, 0x3, 0x73, 0x75, 0x19, 0x3, 0x95, 0x49, 0x3b, 0xf0, 0xa9, 0x2, 0x4b, 0xb, 0x0, 0x46, 0x27, 0x70, 0x59, 0xf5, 0x6b, 0x7, 0x8, 0x75, 0xf5, 0xaa, 0x53, 0xcc, 0xc5, 0x32, 0xd2, 0xc5, 0xc7, 0xd5, 0xfd, 0xdb, 0x18, 0x3, 0x2d, 0x34, 0x2b, 0x7, 0xa7, 0x8d, 0x8f, 0xb3, 0x8a, 0xe3, 0x8d, 0x7b, 0xdc, 0xbd, 0x69, 0x35, 0x42, 0x48, 0xc9, 0xa1, 0x87, 0x58, 0x5b, 0xf2, 0x60, 0xad, 0x46, 0x29, 0x84, 0xb2, 0xd5, 0xb2, 0x7e, 0x70, 0xd1, 0xe9, 0xad, 0x29, 0x4f, 0x85, 0x9, 0x45, 0x6a, 0x2c, 0xdc, 0x59, 0x51, 0xaa, 0x37, 0x98, 0x18, 0x57, 0xc0, 0x94, 0x9f, 0x89, 0xe7, 0x89, 0xce, 0x49, 0xe0, 0x36, 0xf5, 0x27, 0xb5, 0xc, 0x89, 0xcc, 0x39, 0x85, 0x90, 0x18, 0xa1, 0x2a, 0x3c, 0xd8, 0xab, 0x9, 0x89, 0x30, 0xd3, 0x3b, 0xb7, 0x1a, 0x2b, 0x14, 0xd3, 0xec, 0x84, 0xab, 0xf5, 0xb3, 0x59, 0xbf, 0x85, 0x6a, 0xc6, 0xa4, 0xbe, 0xf2, 0x68, 0xa, 0x32, 0x3c, 0x1f, 0x54, 0xa4, 0x6d, 0x38, 0xc5, 0x8d, 0xad, 0x86, 0x11, 0xc4, 0xb7, 0xb0, 0x4e, 0xf3, 0xea, 0xd2, 0x49, 0xac, 0x46, 0xd6, 0xc9, 0xb5, 0xa6, 0xa9, 0x7a, 0x13, 0x83, 0xb, 0x7c, 0xc7, 0x42, 0x38, 0x5a, 0x22, 0x68, 0xfc, 0x0, 0xd0, 0x24, 0x7, 0xe9, 0xe1, 0x2f, 0xc8, 0xcf, 0x63, 0xf, 0x95, 0x1f, 0x44, 0xc6, 0x1b, 0xb0, 0xd1, 0x22, 0x8f, 0x44, 0x8e, 0xec, 0x19, 0xf7, 0x38, 0x7d, 0xba, 0xb1, 0x7f, 0x78, 0x5f, 0xfa, 0x33, 0x9b, 0xdf, 0x58, 0x1, 0x19, 0xa1, 0xfd, 0xdc, 0x94, 0xca, 0x1a, 0xa, 0x49, 0x26, 0x93, 0xc7, 0x63, 0x2, 0x6b, 0x52, 0x41, 0x9c, 0xdd, 0x64, 0xcb, 0x58, 0x92, 0x97, 0xa2, 0x91, 0x25, 0x77, 0xbb, 0x46, 0x78, 0xd9, 0x48, 0x70, 0x29, 0x58, 0x3f, 0xa7, 0x3b, 0x21, 0x7c, 0xd1, 0x70, 0x6b, 0xd6, 0xd4, 0xce, 0xa0, 0xe8, 0xb5, 0xeb, 0x8f, 0xc2, 0xc1, 0x38, 0x3, 0xc1, 0x31, 0x18, 0x91, 0x6b, 0xf3, 0x26, 0x1, 0xbf, 0x89, 0xe3, 0x54, 0xd, 0x9b, 0x68, 0x83, 0xb4, 0xfe, 0x2e, 0x24, 0x40, 0x62, 0xc2, 0x3a, 0x51, 0xf6, 0xd3, 0x75, 0x25, 0x72, 0xdb, 0xa6, 0xc, 0xc8, 0x37, 0x0, 0xf3, 0xe2, 0x4b, 0x86, 0x98, 0x82, 0xce, 0xfc, 0xc9, 0x2d, 0x36, 0x49, 0x1, 0xff, 0x12, 0xa1, 0x84, 0x71, 0xe9, 0x4a, 0x1c, 0x82, 0x75, 0xe5, 0x95, 0x6c, 0xf8, 0x5c, 0x94, 0xa8, 0xb1, 0xa4, 0x1f, 0x2f, 0x4a, 0x2, 0xb, 0x34, 0xa7, 0x25, 0x45, 0x5f, 0xd8, 0x5, 0xc9, 0xc2, 0xd1, 0xea, 0xca, 0x57, 0xae, 0x33, 0x7, 0x90, 0xf7, 0xd7, 0xe9, 0x94, 0xdd, 0x7c, 0xf0, 0x5c, 0xa6, 0xc9, 0x24, 0x31, 0x59, 0xb5, 0xa4, 0x9c, 0x35, 0x89, 0x73, 0xf7, 0x45, 0x7e, 0x36, 0xb7, 0x9, 0x87, 0xf5, 0xdc, 0x7a, 0x7e, 0xcb, 0x67, 0x30, 0x20, 0x1f, 0x18, 0x28, 0xb7, 0xc7, 0xff, 0x4b, 0x44, 0x82, 0x33, 0x80, 0xac, 0xba, 0x35, 0x3b, 0x30, 0x7, 0xfd, 0x9, 0x6f, 0x52, 0x45, 0xed, 0x7f, 0x5, 0xa, 0x24, 0x28, 0x81, 0xc, 0xf1, 0xa4, 0xe8, 0x8d, 0xfd, 0x2b, 0xff, 0xc4, 0xef, 0x32, 0x93, 0x31, 0xaa, 0x35, 0xbd, 0xa0, 0x77, 0x4e, 0x21, 0xe, 0xa4, 0xfa, 0x14, 0x73, 0x6d, 0x89, 0x32, 0x86, 0xf1, 0xe5, 0x1, 0xec, 0x67, 0x78, 0x76, 0x3e, 0x81, 0xa1, 0x17, 0xf1, 0xf8, 0xad, 0xc9, 0x95, 0x17, 0x74, 0x54, 0x78, 0xda, 0x6c, 0xcb, 0x85, 0xe1, 0xda, 0x1, 0x1, 0xd0, 0xb4, 0xb7, 0xbc, 0x94, 0x7a, 0x9b, 0xb, 0x4e, 0x43, 0x45, 0xb, 0xcb, 0xd8, 0xfb, 0xaf, 0x39, 0x43, 0xf5, 0x9e, 0xf4, 0x8e, 0xe9, 0x9e, 0x56, 0xc4, 0xdc, 0x99, 0x12, 0xa5, 0x9, 0x8a, 0x31, 0x89, 0x77, 0xd8, 0x25, 0xb0, 0xb2, 0x6, 0xd2, 0xb4, 0x81, 0x92, 0x57, 0xe8, 0xfa, 0x18, 0xa4, 0x4a, 0xf6, 0xf7, 0xba, 0xd7, 0xac, 0x8f, 0x25, 0x50, 0x3e, 0x68, 0xd8, 0x9f, 0xa1, 0xd3, 0xeb, 0x72, 0xc0, 0x3b, 0xdd, 0x8d, 0xdb, 0x1c, 0x48, 0x2e, 0x61, 0x52, 0xd8, 0x64, 0x1a, 0x54, 0xd7, 0xe1, 0xb4, 0xab, 0xc4, 0xc6, 0xc4, 0xac, 0x95, 0xef, 0x0, 0x46, 0x6c, 0xa, 0xaa, 0xed, 0xd2, 0x36, 0x15, 0x90, 0x47, 0x77, 0x43, 0x86, 0x40, 0x29, 0x61, 0x10, 0xda, 0x3f, 0x34, 0xe8, 0x25, 0xaf, 0x54, 0xf2, 0xd6, 0x25, 0xfd, 0x8d, 0xd9, 0xf9, 0x9f, 0xa4, 0xbe, 0x79, 0x55, 0xdf, 0x96, 0xd2, 0x4c, 0xf1, 0xda, 0xee, 0x5c, 0xc8, 0x5a, 0xe3, 0x10, 0xb1, 0xc5, 0xbc, 0xe3, 0xfd, 0xc5, 0xc4, 0x4, 0xf9, 0x2c, 0x41, 0x89, 0x8a, 0xee, 0xf9, 0x95, 0xf, 0xeb, 0xb6, 0x82, 0xee, 0x59, 0x94, 0x2c, 0xdd, 0xaa, 0xc2, 0x95, 0x65, 0x57, 0x84, 0x2e, 0xfe, 0xfc, 0x27, 0xd3, 0xae, 0x84, 0x4a, 0x77, 0x76, 0xd4, 0x68, 0x3, 0x22, 0x37, 0xc9, 0xd8, 0xef, 0x36, 0x6c, 0x29, 0x10, 0xde, 0x1c, 0x21, 0x77, 0xda, 0xc4, 0x82, 0x72, 0x96, 0xe8, 0x7e, 0xda, 0x36, 0x78, 0xa5, 0x70, 0xd2, 0x17, 0xb6, 0xb, 0x56, 0xb7, 0x9c, 0x31, 0x9c, 0xcd, 0xf0, 0x90, 0xfe, 0x55, 0xe4, 0xf7, 0xcb, 0xfd, 0x1, 0xf3, 0x34, 0x73, 0x7e, 0xbb, 0x3c, 0xb5, 0x3f, 0xec, 0xe4, 0x7d, 0x4e, 0xa4, 0x2e, 0x1e, 0x78, 0xd0, 0x4f, 0x38, 0xb, 0xad, 0xb3, 0xda, 0x8a, 0xb8, 0xb3, 0xba, 0xbb, 0xf2, 0x90, 0xe6, 0x60, 0x6b, 0x81, 0x4, 0x8b, 0xae, 0xf8, 0x51, 0x48, 0xd2, 0xe4, 0x92, 0x9c, 0xab, 0x46, 0x20, 0xc7, 0x6b, 0x13, 0xf3, 0x7c, 0xa1, 0x74, 0x8c, 0x51, 0x4c, 0x7d, 0x87, 0xf9, 0xa, 0xb5, 0x4e, 0xff, 0xbb, 0xca, 0x19, 0xa9, 0x90, 0x8d, 0x57, 0x14, 0xb6, 0xb2, 0x5e, 0xac, 0xc4, 0xf8, 0x18, 0x82, 0xe4, 0x16, 0x20, 0x54, 0x47, 0xc5, 0xcc, 0xa3, 0x85, 0x7b, 0xea, 0x1e, 0x6c, 0xa7, 0x3e, 0xe3, 0x5e, 0xf8, 0xd4, 0x92, 0x61, 0xb4, 0x52, 0x23, 0xbb, 0x15, 0xe1, 0xaf, 0x34, 0xd3, 0x1, 0xf1, 0xa3, 0x75, 0x91, 0x88, 0x94, 0x12, 0xbc, 0xfa, 0x25, 0xf9, 0x33, 0x52, 0xc0, 0xcd, 0x6b, 0x7f, 0x55, 0xec, 0x7f, 0xe7, 0xdb, 0x2, 0xa8, 0xe0, 0x59, 0xb6, 0x69, 0x80, 0x75, 0x7b, 0xb4, 0xbd, 0x74, 0xbd, 0x8f, 0xf9, 0xde, 0x12, 0x5e, 0x1c, 0xbb, 0xdd, 0xd8, 0x89, 0x58, 0x46, 0x6c, 0x65, 0xe8, 0x8e, 0xf3, 0x70, 0x6e, 0xb2, 0x30, 0x88, 0xb0, 0x12, 0x12, 0xde, 0x5c, 0xfd, 0x20, 0x43, 0xb2, 0xed, 0xa2, 0xe4, 0xcf, 0x30, 0x4f, 0xc3, 0xb8, 0x64, 0xab, 0x56, 0xa3, 0x31, 0xb1, 0xab, 0x26, 0x5d, 0x9c, 0xd9, 0xcc, 0xf0, 0x77, 0x7f, 0x94, 0x1d, 0x98, 0xbf, 0x37, 0x6a, 0x85, 0x66, 0x6e, 0xd7, 0x8b, 0x73, 0x9, 0x6d, 0xe7, 0x19, 0xc0, 0x18, 0xb6, 0x53, 0x7d, 0xd4, 0x6b, 0x1c, 0x23, 0x79, 0x22, 0x6a, 0x6c, 0xf4, 0x24, 0xc4, 0x64, 0xd9, 0x92, 0xdd, 0xde, 0xff, 0x3, 0x73, 0xf2, 0xab, 0xb5, 0x71, 0x78, 0x28, 0x71, 0xe9, 0x1d, 0x56, 0x15, 0xf8, 0x32, 0xa6, 0x48, 0x8f, 0xd1, 0x55, 0xc0, 0xd3, 0xf5, 0x8f, 0xf4, 0x85, 0x4f, 0x68, 0x25, 0x75, 0x27, 0x14, 0x2a, 0x22, 0xc3, 0xc, 0x36, 0x67, 0xa0, 0x41, 0xd8, 0xd0, 0x99, 0x4a, 0xc3, 0xf2, 0xb1, 0x44, 0xc, 0x86, 0xac, 0x55, 0x58, 0xbf, 0xa4, 0xac, 0x0, 0x3b, 0xbe, 0x37, 0xaf, 0xfa, 0xa0, 0xaa, 0xf6, 0xab, 0x8, 0xec, 0x53, 0x2a, 0x82, 0x36, 0xf4, 0x65, 0xe1, 0x12, 0x1b, 0xa1, 0x1, 0x58, 0x9a, 0x1d, 0x75, 0xd4, 0xe, 0xe2, 0x2c, 0xab, 0xa7, 0x78, 0xd5, 0xe0, 0x41, 0x9a, 0x7e, 0x6, 0xe1, 0xd, 0xea, 0x23, 0x50, 0x30, 0x5f, 0x3f, 0x47, 0x30, 0xc6, 0x68, 0x7f, 0xf9, 0x52, 0xb3, 0xb7, 0xdb, 0x58, 0xcf, 0x2, 0xb, 0x50, 0x3b, 0x77, 0xc, 0xd9, 0x96, 0x1f, 0x3c, 0x21, 0x48, 0x2e, 0xea, 0x15, 0x18, 0xe0, 0xee, 0xb0, 0x57, 0xb3, 0xff, 0x39, 0x80, 0xf2, 0xe0, 0xcd, 0x24, 0xc9, 0xb9, 0xe4, 0xfb, 0xa3, 0x46, 0x5a, 0xc9, 0x36, 0xb, 0x6c, 0xdb, 0x46, 0x5e, 0xa4, 0xae, 0xaa, 0x1f, 0xff, 0xaa, 0x28, 0x19, 0xc3, 0x75, 0xe5, 0xca, 0x6c, 0xb9, 0xcb, 0x70, 0x2a, 0x96, 0x3c, 0x26, 0xa9, 0x24, 0xd1, 0xbc, 0x2a, 0x36, 0x34, 0xe0, 0x8d, 0xe5, 0x2a, 0x3c, 0x28, 0xdb, 0x20, 0xf1, 0x7, 0xd5, 0xf6, 0xfe, 0x49, 0x8d, 0xa3, 0xb9, 0xfd, 0x40, 0xf1, 0x1f, 0x82, 0x2a, 0xfd, 0xb1, 0xe0, 0xe7, 0xae, 0x20, 0x30, 0x2f, 0x16, 0xbd, 0x49, 0x19, 0x25, 0xcb, 0xd4, 0xa5, 0x17, 0x4e, 0x3d, 0x1c, 0x7e, 0x4f, 0x83, 0xcb, 0xeb, 0x2a, 0xf9, 0xf0, 0x9f, 0x59, 0x2b, 0x8a, 0x77, 0x1, 0x6b, 0xfc, 0x4, 0x81, 0xd7, 0x23, 0xa9, 0x68, 0xf3, 0x4f, 0x69, 0xda, 0xdf, 0x44, 0xfa, 0x5b, 0x12, 0x7f, 0x66, 0xf7, 0xdb, 0x99, 0x71, 0x4f, 0x79, 0x2a, 0x6f, 0xe4, 0xf6, 0x8f, 0x6d, 0xc0, 0x1d, 0x13, 0xf8, 0xe9, 0xad, 0xde, 0xb5, 0x8, 0x7c, 0xce, 0xb4, 0xab, 0x59, 0x9a, 0x51, 0x2, 0x3e, 0xec, 0x2a, 0xb4, 0xbc, 0x10, 0xf7, 0xc4, 0x19, 0x27, 0xc2, 0xc0, 0xca, 0xd3, 0xbf, 0xd8, 0x1e, 0x15, 0xca, 0xc9, 0xe4, 0x9, 0x2, 0xc6, 0x9c, 0xa6, 0xa1, 0xd9, 0xb5, 0x4a, 0x74, 0x7a, 0x8f, 0x7f, 0x93, 0x14, 0x8b, 0x4, 0xe5, 0x6d, 0x4, 0xac, 0x15, 0xe1, 0xd8, 0x38, 0x19, 0x17, 0xd2, 0x16, 0x6b, 0x1c, 0x40, 0x9, 0xf7, 0x7d, 0xe7, 0x94, 0x8e, 0x7f, 0x63, 0xb6, 0xae, 0xa6, 0x94, 0xf0, 0x2c, 0x2a, 0x8e, 0x38, 0x30, 0xc1, 0x7c, 0x33, 0x6f, 0x78, 0x9d, 0x71, 0xb6, 0xcd, 0x7d, 0x39, 0x4, 0xe7, 0xd2, 0x1c, 0xc0, 0xd9, 0xef, 0x2f, 0x5c, 0x55, 0x20, 0x3f, 0x4a, 0xf, 0x23, 0xf2, 0xa, 0x7c, 0x9, 0x25, 0x45, 0x0, 0x76, 0x8e, 0xdb, 0x84, 0x47, 0x80, 0xa5, 0x54, 0x6, 0xaa, 0xc8, 0x93, 0xaa, 0xf1, 0xac, 0x3b, 0x22, 0x94, 0x91, 0xf7, 0x7c, 0x95, 0xca, 0x11, 0x40, 0xaa, 0xcd, 0x78, 0x53, 0x10, 0x64, 0x50, 0x75, 0xa7, 0x67, 0x6c, 0x31, 0xb7, 0x6e, 0x9f, 0xb1, 0xd0, 0xc5, 0xef, 0x1a, 0x47, 0x10, 0xcb, 0xb2, 0x6, 0xb8, 0xe1, 0xc, 0x75, 0x33, 0xb4, 0x7e, 0xae, 0xb1, 0x57, 0x4d, 0x71, 0xc5, 0x19, 0x3f, 0xfd, 0x3, 0xed, 0x7b, 0x8b, 0xdc, 0xc0, 0x4e, 0x19, 0xbc, 0x31, 0x4f, 0x34, 0x3, 0xdd, 0xb5, 0x20, 0x63, 0x8c, 0xa7, 0x52, 0x6c, 0xa6, 0x93, 0xfd, 0xb6, 0xd0, 0xe3, 0x2c, 0xc8, 0x8b, 0xd, 0x4, 0xb, 0xe, 0xf, 0xa9, 0x28, 0xb2, 0x7f, 0x89, 0xff, 0x45, 0x82, 0x2d, 0xf0, 0xba, 0x22, 0x61, 0xfa, 0x0, 0xe6, 0x79, 0xac, 0x2a, 0x57, 0xf5, 0x36, 0x8e, 0x17, 0x88, 0x82, 0x24, 0x56, 0xc3, 0x3e, 0x11, 0x31, 0x1d, 0x52, 0xb9, 0xf8, 0xf1, 0xef, 0x15, 0x1e, 0x86, 0x48, 0x9e, 0x15, 0x17, 0xd4, 0xe0, 0x12, 0xd4, 0xa1, 0x2a, 0xb8, 0x31, 0xf1, 0x53, 0x3, 0x62, 0xf8, 0x71, 0x1e, 0xc5, 0x73, 0x6f, 0x3d, 0x48, 0x2a, 0x6d, 0xdd, 0xc2, 0xd, 0xea, 0x12, 0x24, 0xcb, 0xa4, 0xff, 0x17, 0xb9, 0x1e, 0x41, 0x3c, 0x66, 0x50, 0x9e, 0x29, 0xde, 0xea, 0xcf, 0x74, 0x3a, 0x3d, 0x2, 0x92, 0x7a, 0x4a, 0xf, 0x99, 0xb3, 0x29, 0x3d, 0x5c, 0xb1, 0xa7, 0x59, 0xcf, 0xbc, 0xa9, 0x8, 0x92, 0xdf, 0xa5, 0xdc, 0xcc, 0xa3, 0x66, 0x29, 0xf9, 0xf2, 0x43, 0x14, 0x7c, 0x2, 0x48, 0xb4, 0xaf, 0x8c, 0x9, 0xbb, 0xa3, 0x44, 0xe0, 0xaf, 0x8c, 0xd4, 0x60, 0x10, 0x23, 0xed, 0x27, 0x4d, 0xb8, 0x31, 0x3a, 0x75, 0x56, 0x2b, 0x54, 0xd7, 0xbe, 0xdd, 0xfc, 0x50, 0xdd, 0xf3, 0xcb, 0x30, 0xd8, 0xb1, 0x41, 0x16, 0x1f, 0x3, 0x25, 0x27, 0x1e, 0xc, 0xcb, 0x1d, 0x85, 0xec, 0xa7, 0xdb, 0x75, 0xae, 0xb5, 0xe0, 0x8f, 0x1c, 0xac, 0x20, 0x21, 0xc5, 0x8, 0x57, 0x75, 0x4c, 0xb2, 0x9e, 0x3, 0x7, 0xd6, 0x71, 0xe, 0xbb, 0x1f, 0x46, 0x45, 0x3a, 0xcd, 0x15, 0xe2, 0x70, 0x2b, 0x91, 0x40, 0x32, 0x53, 0x1d, 0xf0, 0xd2, 0x32, 0x9b, 0xb1, 0xa, 0x18, 0x8, 0xff, 0x96, 0xb7, 0xaa, 0xc4, 0x57, 0x3c, 0x86, 0x7a, 0xd8, 0x32, 0x27, 0x9a, 0xc4, 0xb7, 0xaf, 0x9c, 0xed, 0x2a, 0x98, 0xd, 0x63, 0x31, 0xac, 0x5e, 0xb3, 0x9f, 0xa3, 0x20, 0x3e, 0x5c, 0xdf, 0x8c, 0x8e, 0x33, 0x40, 0x9, 0xd8, 0x4e, 0x8b, 0x36, 0x14, 0x30, 0xdd, 0xce, 0x6f, 0x7a, 0x56, 0xd0, 0xe6, 0x67, 0x9f, 0x57, 0x97, 0xca, 0x49, 0x8c, 0x20, 0x7c, 0xf6, 0x97, 0x35, 0xa2, 0x81, 0x7a, 0x3d, 0xfe, 0xe2, 0x6a, 0x9, 0x7e, 0x2, 0x32, 0x20, 0x5e, 0x66, 0x93, 0xb3, 0x24, 0xe7, 0xe1, 0xf3, 0xb1, 0xfc, 0xdf, 0xdc, 0x2f, 0xf3, 0x26, 0xda, 0x26, 0x83, 0xbe, 0x97, 0x60, 0x1d, 0x2f, 0x42, 0x79, 0x81, 0xb3, 0xb3, 0x9d, 0xfb, 0x2c, 0x3a, 0x26, 0x4b, 0xa, 0xdf, 0xd4, 0xee, 0x2d, 0x3a, 0x9c, 0x1f, 0xe6, 0x4, 0x7d, 0xe9, 0x6, 0x8d, 0x72, 0x25, 0x93, 0x44, 0x42, 0xbc, 0xdf, 0x1a, 0x8b, 0x1b, 0x3a, 0x5, 0x7e, 0x39, 0xd9, 0xc1, 0x6e, 0x7, 0xf7, 0xda, 0x66, 0xc7, 0xe5, 0x2b, 0xee, 0xab, 0xc7, 0xa, 0x81, 0x14, 0x1e, 0xba, 0x80, 0x74, 0xf1, 0x30, 0xf5, 0x78, 0xe7, 0x2a, 0xdd, 0x8b, 0x9d, 0x5b, 0x20, 0x7a, 0xd9, 0x35, 0x4, 0xd4, 0x56, 0x67, 0x5, 0x64, 0xf0, 0xb8, 0x6e, 0xe, 0x21, 0xf8, 0xb6, 0x8b, 0x8a, 0xe8, 0xd5, 0xea, 0xd9, 0x9f, 0xec, 0x2d, 0xf1, 0xe, 0x7, 0x6a, 0x87, 0xcc, 0x3b, 0x5, 0x95, 0x84, 0x4d, 0xe3, 0x4c, 0x40, 0xa7, 0x38, 0x53, 0xa7, 0x12, 0x5e, 0xdb, 0xa1, 0xb8, 0xe1, 0x49, 0x2b, 0xd2, 0xad, 0xa5, 0xbf, 0x14, 0x51, 0x20, 0x1f, 0xec, 0x36, 0x8f, 0x82, 0xb6, 0x79, 0xeb, 0xba, 0xad, 0x9e, 0x5b, 0xbd, 0x1, 0x58, 0x2, 0x7a, 0x9d, 0xc, 0x4b, 0x84, 0x1e, 0xd, 0x1e, 0xa0, 0xed, 0xc9, 0xdf, 0x7e, 0x88, 0x75, 0x51, 0x62, 0x4b, 0x21, 0xb6, 0x69, 0x96, 0xdd, 0x9f, 0x10, 0x14, 0x98, 0x7b, 0xf8, 0xf6, 0x56, 0xca, 0xa2, 0x88, 0xbc, 0xf6, 0xd, 0x17, 0x88, 0xb7, 0x2e, 0xfe, 0xf9, 0x73, 0xa4, 0xff, 0xf4, 0x6, 0xea, 0xc, 0x33, 0x3d, 0xe8, 0xc4, 0xb5, 0x81, 0xed, 0x43, 0x8b, 0x48, 0xfd, 0x5e, 0x79, 0x58, 0xf3, 0xd9, 0xf, 0x4d, 0xeb, 0x9d, 0xf, 0x62, 0x4a, 0x16, 0x94, 0x73, 0x6a, 0xac, 0xdb, 0x7b, 0x92, 0xc6, 0x3, 0xf, 0x9e, 0x9f, 0xf7, 0x8d, 0xc2, 0x45, 0xa9, 0xe1, 0xd7, 0xfc, 0x1e, 0x66, 0x68, 0x28, 0xf1, 0x48, 0xa3, 0xff, 0xd0, 0xe8, 0xf4, 0x7c, 0xe0, 0x38, 0x85, 0x39, 0x84, 0xc2, 0xd4, 0x6b, 0x19, 0x86, 0x9a, 0x28, 0x91, 0xa0, 0x18, 0x26, 0x73, 0xb1, 0x71, 0x66, 0x60, 0x6e, 0x79, 0xef, 0x32, 0xc6, 0x90, 0x90, 0xe5, 0x46, 0x4e, 0x66, 0xfb, 0xf8, 0x66, 0x1e, 0xd4, 0x62, 0x80, 0xa3, 0x4e, 0x27, 0x73, 0x5, 0x20, 0x4a, 0x74, 0x6c, 0x94, 0x13, 0x27, 0xa9, 0xe4, 0x67, 0x7b, 0xd0, 0x20, 0xe, 0xdc, 0x6b, 0xb2, 0x23, 0x12, 0x39, 0xa7, 0x5, 0xa, 0xeb, 0xf1, 0x93, 0x2d, 0xbe, 0x41, 0xd1, 0x36, 0x3f, 0x53, 0x2e, 0x3e, 0xf2, 0x42, 0xa4, 0xfc, 0x4d, 0xd4, 0xb3, 0x4b, 0xe8, 0x3a, 0x2, 0x7c, 0x6b, 0x8d, 0xa4, 0x4, 0xb8, 0x3b, 0x1c, 0x43, 0x76, 0xfa, 0xa8, 0x16, 0x1e, 0xe0, 0x72, 0xd4, 0xdd, 0xad, 0x52, 0x54, 0x1b, 0x27, 0xe1, 0x1e, 0xd, 0xe7, 0x5e, 0x40, 0x7d, 0x99, 0x75, 0xa2, 0xff, 0x1d, 0x6f, 0xfc, 0x50, 0x35, 0x1b, 0x39, 0xbf, 0x3c, 0xc5, 0x1a, 0x35, 0x6b, 0x89, 0x44, 0x44, 0xb8, 0x14, 0xfa, 0x7e, 0xfb, 0x27, 0x40, 0xf9, 0x2f, 0x4d, 0x97, 0x64, 0x7d, 0x48, 0x84, 0xde, 0xe8, 0xd0, 0xdc, 0xef, 0x9b, 0x98, 0x48, 0x2b, 0x60, 0xb2, 0x45, 0x8c, 0x87, 0x34, 0x46, 0xd8, 0xc2, 0xbb, 0xfc, 0xa8, 0x6c, 0x47, 0xbc, 0x3f, 0xf7, 0xb3, 0xb2, 0xd1, 0xc0, 0x43, 0xf4, 0xc8, 0xb7, 0x5, 0xd0, 0x21, 0x9c, 0x13, 0xc0, 0x40, 0x67, 0x2e, 0x8f, 0x51, 0xc1, 0x5f, 0xd7, 0x6, 0x8c, 0x6e, 0x3, 0x56, 0x9f, 0xa8, 0x49, 0x32, 0xb7, 0x7b, 0xcf, 0x2d, 0xdd, 0xe7, 0x45, 0xe2, 0x3d, 0x1d, 0xdd, 0x81, 0xa7, 0xe2, 0xd6, 0xeb, 0x4b, 0xdc, 0x78, 0xf5, 0xa0, 0xe7, 0x2c, 0xdf, 0x3, 0x89, 0x2, 0x4c, 0xac, 0xaf, 0x39, 0x9c, 0x88, 0x62, 0xe3, 0xae, 0xab, 0x4, 0x64, 0x14, 0x31, 0x7c, 0x84, 0xdc, 0x18, 0x78, 0xe9, 0xa4, 0xd8, 0xc0, 0x4, 0x63, 0x91, 0x67, 0x1f, 0xa9, 0xa2, 0xdc, 0x51, 0xae, 0xfc, 0x9e, 0xaa, 0x9b, 0x90, 0x41, 0xbe, 0x2a, 0xc1, 0x7a, 0x9c, 0x55, 0xf4, 0xe2, 0xd2, 0xd9, 0x3a, 0x77, 0x9f, 0xfc, 0x51, 0x4b, 0x2f, 0xe8, 0x1c, 0xe8, 0x73, 0x40, 0x27, 0x30, 0x71, 0xa7, 0xfc, 0x96, 0xb5, 0xfb, 0xac, 0x6f, 0x27, 0xc0, 0xc, 0xf7, 0x84, 0xa6, 0xc9, 0x9f, 0x81, 0x1d, 0xe0, 0xb1, 0xf7, 0xc9, 0xdd, 0x7f, 0xb4, 0x29, 0x40, 0x19, 0x9b, 0x45, 0x3, 0xe1, 0x8d, 0x35, 0x93, 0x3e, 0x1, 0x5b, 0x59, 0x1c, 0x88, 0xec, 0xd3, 0x2a, 0x53, 0x49, 0x93, 0x4c, 0x57, 0x51, 0xde, 0x46, 0x7b, 0xb3, 0x45, 0xd4, 0xb1, 0x2d, 0xd8, 0x9f, 0x23, 0xdf, 0x87, 0x5b, 0x44, 0xc6, 0xee, 0x24, 0x1d, 0x15, 0x75, 0xaf, 0x18, 0xc7, 0x59, 0x62, 0x3c, 0xf4, 0xa4, 0xc4, 0xa1, 0xae, 0xf7, 0x2, 0xbe, 0x70, 0xd7, 0xe5, 0xc0, 0x40, 0xf2, 0x33, 0x1b, 0x72, 0xf4, 0x90, 0x45, 0x6a, 0xea, 0x4, 0xdf, 0xfe, 0xfb, 0xf1, 0x24, 0x21, 0xe7, 0xef, 0x45, 0x97, 0xde, 0x3c, 0xe5, 0xf8, 0xd9, 0x46, 0xf0, 0x65, 0x32, 0x4, 0xe1, 0xe7, 0xe6, 0xc7, 0xd0, 0xe4, 0x8e, 0xa2, 0xfc, 0xc3, 0x1b, 0x3b, 0x25, 0x87, 0x9a, 0x33, 0x7e, 0x84, 0x43, 0xe6, 0x43, 0x37, 0x48, 0x53, 0x59, 0x9b, 0xc5, 0x2f, 0xd1, 0x4f, 0xb, 0xa, 0x6a, 0xcb, 0xcc, 0x2d, 0xd0, 0x27, 0xc3, 0x36, 0x68, 0xfb, 0xc2, 0xbc, 0x68, 0x7a, 0x82, 0x9, 0xd0, 0x5a, 0x2d, 0x91, 0x5e, 0x0, 0x4c, 0xb4, 0x24, 0x1b, 0xfe, 0xdc, 0x1f, 0x81, 0xf, 0xd2, 0x83, 0xcc, 0xc, 0xba, 0x6f, 0x66, 0xc1, 0x7e, 0x52, 0x36, 0x35, 0x46, 0x75, 0x14, 0x97, 0x81, 0x94, 0x69, 0xc2, 0xa9, 0x6d, 0x55, 0xa8, 0xb1, 0xdc, 0xfc, 0xb2, 0x32, 0xa7, 0x81, 0x67, 0x42, 0x93, 0xa5, 0x1d, 0x18, 0x14, 0xa7, 0xed, 0x14, 0x12, 0xec, 0x41, 0xb3, 0x67, 0x60, 0x3b, 0xc1, 0x9a, 0x60, 0x1f, 0xdf, 0x45, 0xa5, 0x97, 0x4c, 0x4b, 0xff, 0x6b, 0x7, 0xd2, 0x34, 0x1, 0x5, 0x24, 0xa1, 0x97, 0xca, 0x9, 0x14, 0x23, 0xc, 0xfa, 0x6e, 0x43, 0x8c, 0x63, 0x20, 0xa8, 0xc1, 0x4c, 0x25, 0xcd, 0x46, 0xfb, 0xdc, 0xaf, 0x63, 0xe3, 0xd4, 0x27, 0x2a, 0x94, 0x3, 0xc3, 0xad, 0xc2, 0x62, 0x83, 0x64, 0xe4, 0x56, 0xf0, 0x9d, 0x7b, 0xc6, 0x56, 0x63, 0x73, 0x63, 0x20, 0xbb, 0x5a, 0xa5, 0x52, 0xbc, 0x51, 0xc5, 0x98, 0xc0, 0x93, 0xab, 0x4b, 0xe6, 0x5f, 0xb1, 0xf9, 0x49, 0x2b, 0x38, 0x47, 0x8d, 0xff, 0x4d, 0xad, 0x21, 0xc2, 0x9e, 0xd6, 0xf4, 0x7d, 0x43, 0x15, 0xf6, 0xca, 0x79, 0x9, 0x65, 0x45, 0xbb, 0x64, 0xdc, 0x13, 0x5f, 0x14, 0x7, 0x1f, 0x19, 0xd9, 0x89, 0xc5, 0xe4, 0x9, 0xe, 0xd4, 0x3f, 0xab, 0xa8, 0xb6, 0x27, 0xa9, 0x3e, 0x31, 0x77, 0x2e, 0x84, 0x55, 0xe4, 0x8b, 0x98, 0x55, 0x1f, 0xe2, 0xd1, 0x51, 0x8b, 0xfc, 0xbb, 0x2b, 0x6, 0x73, 0xdd, 0x16, 0x57, 0xde, 0xf3, 0x8b, 0x4e, 0xe5, 0x11, 0x3c, 0x63, 0x3b, 0xbe, 0x85, 0x1b, 0xb6, 0x77, 0xe, 0x9a, 0xa6, 0xcc, 0x11, 0x9, 0x29, 0x7, 0x51, 0x56, 0xf, 0x59, 0xa6, 0xef, 0x95, 0x64, 0xe7, 0x27, 0xab, 0x3a, 0xd, 0x7, 0x33, 0x8b, 0xac, 0xe4, 0xe5, 0xd5, 0x2c, 0x9a, 0x2b, 0x67, 0x43, 0x26, 0x73, 0x91, 0xfc, 0x1c, 0x9b, 0xf7, 0xef, 0x52, 0x3f, 0xc1, 0xa7, 0x90, 0x9b, 0xa4, 0x5c, 0x66, 0x98, 0xb9, 0xef, 0xb3, 0x59, 0xda, 0x8d, 0x5a, 0x41, 0x13, 0x2f, 0x5, 0x2d, 0x92, 0x5b, 0x8a, 0x30, 0xa5, 0xf9, 0x3c, 0xab, 0xbb, 0x9e, 0xae, 0xd7, 0xa4, 0x6d, 0xf5, 0x7b, 0x6e, 0x98, 0x35, 0xcc, 0x13, 0x35, 0xff, 0x5c, 0x6b, 0x63, 0x3a, 0xdd, 0xf7, 0x98, 0x31, 0xba, 0xf8, 0xc, 0xbb, 0x86, 0x6f, 0xf1, 0x41, 0x22, 0x5, 0xd4, 0xb8, 0xbf, 0xa7, 0x13, 0xde, 0xd8, 0x75, 0x5, 0x76, 0x81, 0xa1, 0x7a, 0x9f, 0x16, 0x4e, 0xf7, 0x36, 0x1c, 0xed, 0x9, 0xf5, 0xcf, 0x3e, 0x3a, 0x16, 0x91, 0xa4, 0x40, 0x3c, 0x1f, 0xd6, 0xea, 0x6a, 0xaa, 0xfc, 0xe8, 0xdf, 0xfc, 0x95, 0x8c, 0x15, 0x6f, 0xa4, 0xcd, 0x13, 0x6e, 0x1b, 0x99, 0xa3, 0xd0, 0xae, 0x2f, 0x34, 0x15, 0x24, 0x48, 0x79, 0x70, 0x59, 0x6b, 0x66, 0xde, 0x5b, 0xba, 0xf3, 0xdd, 0xb6, 0x6a, 0xb2, 0xbc, 0xe6, 0x52, 0x1d, 0x3d, 0xdd, 0x8, 0x86, 0xe7, 0xa1, 0x8b, 0x76, 0x86, 0x65, 0x7, 0xea, 0x2a, 0xdb, 0x30, 0x49, 0xfa, 0x1a, 0xdc, 0xe7, 0x14, 0x57, 0x57, 0xd9, 0x17, 0x88, 0xc5, 0xf7, 0x7d, 0xbf, 0xc7, 0x1f, 0x6c, 0xe9, 0xee, 0xd9, 0xcd, 0xac, 0x47, 0x6b, 0x37, 0xec, 0x8c, 0xe5, 0xfb, 0x77, 0xa2, 0xc, 0x2a, 0xc4, 0x2, 0xe7, 0x13, 0xe4, 0x3f, 0x11, 0x51, 0xbe, 0x7c, 0xc4, 0xee, 0x64, 0x17, 0xdd, 0x39, 0xd7, 0x3e, 0x7b, 0xde, 0x7c, 0x1e, 0x4, 0xc0, 0xe1, 0xe9, 0x5c, 0x59, 0x74, 0xcb, 0x50, 0x12, 0xb2, 0x25, 0x29, 0x13, 0x85, 0x56, 0x35, 0x1c, 0x8, 0x1b, 0x0, 0xc4, 0x95, 0xff, 0x7c, 0x54, 0xb4, 0x88, 0x80, 0xbd, 0x4c, 0xee, 0x63, 0x8a, 0xc, 0x9e, 0x9a, 0xf7, 0x32, 0x7f, 0xdb, 0xcb, 0x47, 0x24, 0x6b, 0x18, 0xd4, 0x77, 0xb3, 0x9b, 0x21, 0x70, 0xd3, 0xaa, 0x82, 0xe9, 0xe3, 0x93, 0xa5, 0xa2, 0xc2, 0xe4, 0xc1, 0xcc, 0x6, 0x4f, 0xf2, 0x73, 0x7, 0x65, 0x68, 0xc3, 0x72, 0x23, 0x94, 0x85, 0x95, 0xa7, 0x4d, 0x3b, 0xa1, 0x8f, 0xc, 0x4, 0x75, 0x33, 0x1d, 0xbf, 0x8b, 0x91, 0xc9, 0x50, 0xda, 0x73, 0x9, 0x6f, 0x72, 0xe2, 0x6e, 0x2d, 0x82, 0x5b, 0xcd, 0xaf, 0x48, 0x71, 0x77, 0xfd, 0x20, 0x8b, 0x71, 0xfc, 0xe5, 0xa1, 0x7, 0x8, 0xfd, 0x7d, 0xe7, 0xe8, 0xb9, 0x3d, 0x70, 0xa7, 0x99, 0x44, 0xf, 0x5e, 0x7f, 0xf3, 0x36, 0x8e, 0x61, 0xe, 0x93, 0x72, 0x69, 0xbe, 0x7b, 0x80, 0x23, 0xb8, 0x77, 0x7c, 0x2b, 0x50, 0xff, 0x27, 0xcb, 0x5, 0x24, 0xb8, 0xe5, 0x62, 0x90, 0x37, 0xbd, 0xe3, 0x8b, 0x8b, 0xba, 0x92, 0x4a, 0xce, 0x2d, 0x1d, 0x7a, 0x4b, 0xd6, 0x37, 0x2e, 0x95, 0xb2, 0xc5, 0x73, 0xa, 0x4, 0xca, 0xae, 0x38, 0xd4, 0x2e, 0x25, 0x9e, 0xa, 0xcb, 0x3b, 0x9d, 0xc3, 0x6b, 0x95, 0x43, 0xdd, 0x63, 0x2d, 0x2b, 0xb3, 0x0, 0xca, 0x31, 0x1a, 0x18, 0x7a, 0x41, 0x5c, 0xb8, 0x33, 0x71, 0xd6, 0xc8, 0x42, 0xf4, 0x2e, 0x90, 0x47, 0x8e, 0xd0, 0x80, 0x9, 0x5c, 0x25, 0xe9, 0x1a, 0xcb, 0x98, 0x9f, 0x73, 0x4a, 0x2b, 0x81, 0x63, 0xd8, 0x4b, 0xa1, 0x45, 0x4a, 0x1e, 0xe1, 0x31, 0x5c, 0x5a, 0x2f, 0xdb, 0xb0, 0x9c, 0xfe, 0x55, 0x5d, 0x1e, 0x29, 0xcc, 0xf5, 0x8f, 0x6, 0x1b, 0x66, 0x74, 0xf4, 0xa4, 0xb8, 0xe, 0x9f, 0x38, 0x6b, 0x2, 0x24, 0x8c, 0x84, 0x58, 0xa4, 0x21, 0x6b, 0x53, 0xb0, 0x72, 0xdc, 0x81, 0xec, 0xf8, 0x5b, 0x2e, 0xac, 0x6a, 0x88, 0xad, 0xd0, 0x87, 0xc1, 0x3, 0x45, 0xb6, 0x71, 0xb7, 0x8a, 0x87, 0x16, 0x5c, 0xab, 0x45, 0x40, 0xc7, 0x6f, 0xfc, 0x7d, 0xb0, 0xed, 0xca, 0x0, 0x78, 0xbf, 0x60, 0x63, 0x2c, 0xa3, 0x72, 0xc9, 0xb9, 0xb5, 0x5b, 0x29, 0x24, 0xba, 0x6d, 0x9a, 0x7c, 0x8e, 0xf8, 0xe6, 0xc9, 0xa6, 0x9a, 0xa7, 0x92, 0x24, 0xbf, 0xff, 0x90, 0xc2, 0x6a, 0xc2, 0x41, 0xa, 0xd5, 0x29, 0xde, 0xe6, 0xcb, 0x9, 0xd3, 0x83, 0xf4, 0xa, 0x9f, 0x4f, 0xed, 0xbc, 0xe0, 0x8a, 0xd, 0x2, 0x5b, 0xe3, 0x23, 0x80, 0xb3, 0x6d, 0x98, 0x6e, 0x60, 0x33, 0x69, 0xbc, 0x1a, 0x9d, 0x2c, 0x8f, 0xad, 0x93, 0xe, 0x40, 0xe7, 0x1d, 0x2e, 0x29, 0x19, 0x4d, 0x5e, 0xbe, 0x52, 0xa9, 0x18, 0x3e, 0xfe, 0xbf, 0x80, 0x6, 0x2e, 0x1d, 0x77, 0xe9, 0xe8, 0x63, 0xb0, 0x4d, 0xc5, 0x98, 0xec, 0x5b, 0x8c, 0x1f, 0x5d, 0xa5, 0x74, 0x2a, 0x66, 0xf9, 0x2a, 0xd8, 0x66, 0x6f, 0x4, 0x8f, 0xf2, 0xfb, 0xe3, 0x94, 0x47, 0xdc, 0xd4, 0xb4, 0x2a, 0xa7, 0xa3, 0xd8, 0x2d, 0x7c, 0x5c, 0x45, 0x9f, 0x77, 0x9, 0x8d, 0x9d, 0xd1, 0xc3, 0xaf, 0xbd, 0x93, 0xd8, 0xdf, 0xa6, 0xd6, 0x57, 0x94, 0x50, 0xa7, 0xd5, 0x55, 0x62, 0x2e, 0x95, 0xf9, 0xfe, 0xf8, 0x8c, 0xff, 0x8a, 0x9a, 0xda, 0xfb, 0x7c, 0xa6, 0x3d, 0xcd, 0xd, 0x16, 0x2c, 0x2a, 0xf6, 0x23, 0x4c, 0xef, 0xea, 0x90, 0x8f, 0xe3, 0xc5, 0xe6, 0x34, 0x5a, 0x5d, 0xa6, 0xa9, 0x19, 0x55, 0x86, 0x35, 0x3d, 0x8a, 0xd3, 0x8f, 0xae, 0x8a, 0xc4, 0x7, 0x27, 0x85, 0x6, 0x50, 0xda, 0xae, 0xe7, 0xb7, 0x6a, 0x93, 0x90, 0x1c, 0x23, 0xef, 0x9, 0x2c, 0x4c, 0x32, 0x79, 0xe8, 0xb6, 0xfe, 0xec, 0x31, 0x38, 0xc9, 0xe, 0xfb, 0x6b, 0x1f, 0x87, 0xa0, 0x5d, 0x83, 0x4d, 0xd8, 0x68, 0xfb, 0xf0, 0xb1, 0xe6, 0xc1, 0x1d, 0x86, 0x39, 0xaf, 0xc, 0xc9, 0xd7, 0xf8, 0x94, 0x75, 0x46, 0xb0, 0xe5, 0x12, 0x92, 0x2b, 0x1, 0x65, 0xe2, 0x7a, 0x89, 0x26, 0x5d, 0x75, 0xd6, 0xa4, 0x8, 0x8a, 0xf6, 0xbc, 0xda, 0xfb, 0x91, 0x9, 0x1c, 0xe4, 0x3e, 0x40, 0xe8, 0x17, 0xbf, 0x3b, 0x3e, 0x34, 0x3e, 0x73, 0x65, 0x3d, 0x9b, 0x67, 0xd, 0x98, 0xc7, 0xd2, 0x5, 0x13, 0xe1, 0xd2, 0x32, 0x62, 0x5, 0x33, 0x6f, 0x7a, 0xc0, 0xf3, 0x92, 0xe4, 0x6b, 0x96, 0x9d, 0x50, 0x15, 0xbb, 0xff, 0x78, 0x88, 0x6a, 0xa4, 0x59, 0x9b, 0xa, 0x1, 0x11, 0x22, 0xff, 0x29, 0x1, 0xe3, 0xab, 0x4a, 0x56, 0x9f, 0x6c, 0xcf, 0x64, 0x6e, 0x33, 0x40, 0xc9, 0xf2, 0xc6, 0x22, 0x80, 0xc, 0x8b, 0x62, 0x52, 0xe7, 0xf, 0x87, 0xdb, 0xe8, 0x6a, 0xe9, 0x67, 0x2, 0xbe, 0x2b, 0x4, 0xbc, 0x93, 0xf1, 0x92, 0xe1, 0x22, 0x58, 0xc4, 0x37, 0xb2, 0x34, 0xb5, 0x85, 0xf0, 0x68, 0x41, 0x2c, 0x83, 0xbd, 0x92, 0xd1, 0xa0, 0x1d, 0x27, 0xf6, 0xbd, 0xe3, 0xe9, 0x76, 0x7a, 0xb5, 0x11, 0x89, 0xb8, 0xfa, 0x82, 0xa8, 0x52, 0xb5, 0xe, 0xdb, 0xb4, 0xe4, 0x45, 0x53, 0xc8, 0xff, 0xc3, 0xa7, 0x81, 0xa6, 0x2, 0xbe, 0xa3, 0x69, 0x4, 0xec, 0xf0, 0x8c, 0x9c, 0x88, 0x51, 0xe5, 0x29, 0xe8, 0xa5, 0x69, 0x13, 0x3, 0x9d, 0x41, 0xaa, 0x7, 0x16, 0xfc, 0xc6, 0xb4, 0xcb, 0xc1, 0x84, 0x1d, 0x24, 0xa6, 0x59, 0xac, 0x75, 0xee, 0xe0, 0x29, 0x88, 0xbf, 0xf2, 0x43, 0xc0, 0x85, 0xe1, 0xa5, 0x8e, 0x75, 0x8f, 0xa3, 0x82, 0x9f, 0xbd, 0x7c, 0xd8, 0xb9, 0x40, 0xda, 0x8b, 0x1, 0xc6, 0x8f, 0x2d, 0x5e, 0xe7, 0x65, 0x9e, 0xb3, 0x90, 0x56, 0xa3, 0x74, 0x5f, 0x51, 0x3d, 0xac, 0xe5, 0x79, 0xda, 0x4f, 0xcf, 0x4a, 0x53, 0x5f, 0x21, 0x30, 0x86, 0x3a, 0x3b, 0xb8, 0x68, 0x6e, 0x75, 0x85, 0xd0, 0x2e, 0x8b, 0x74, 0x5c, 0xb2, 0x7c, 0xd3, 0xe5, 0x58, 0x72, 0x31, 0xb0, 0xc4, 0xc2, 0xcc, 0xc5, 0x1a, 0x84, 0x35, 0x67, 0x69, 0x50, 0x9d, 0x3d, 0x6b, 0xc9, 0x7d, 0x7d, 0xbd, 0x54, 0x17, 0xfd, 0x10, 0xe4, 0x47, 0xa1, 0xd5, 0xdd, 0x99, 0xd3, 0x94, 0x6e, 0x29, 0x65, 0x3a, 0xfb, 0xc, 0xb3, 0xcd, 0xc4, 0xe0, 0xd7, 0xc8, 0xb4, 0x9d, 0x6c, 0xc1, 0xb8, 0x9, 0x6d, 0xdf, 0xd9, 0xc8, 0x7, 0x42, 0x1a, 0xba, 0x40, 0x6d, 0xc6, 0x52, 0x1c, 0xf7, 0x95, 0xd4, 0x6f, 0xda, 0x64, 0x52, 0x27, 0x9f, 0x16, 0xe, 0xfb, 0x62, 0x83, 0x7d, 0xe5, 0x46, 0xb7, 0xc2, 0x80, 0x22, 0x72, 0xad, 0x49, 0xf7, 0x87, 0xd9, 0xed, 0x7b, 0xec, 0x98, 0x43, 0xaf, 0x29, 0xc2, 0xfd, 0x58, 0x6a, 0x66, 0x52, 0x84, 0xed, 0xd1, 0xb0, 0xc2, 0xc3, 0xa9, 0xe6, 0x0, 0x6e, 0xcb, 0x4b, 0x8, 0x64, 0x90, 0x26, 0x1c, 0x41, 0x57, 0x3c, 0x0, 0x64, 0x55, 0x13, 0x55, 0x7, 0xc2, 0xcf, 0xa3, 0xdb, 0x94, 0x52, 0x50, 0x1c, 0x8b, 0xa0, 0x1e, 0xd3, 0x7d, 0x8b, 0x86, 0xa2, 0xb, 0xa3, 0x74, 0xca, 0x1e, 0x99, 0xe, 0xa9, 0xb, 0xd7, 0xb9, 0xc2, 0x62, 0xe7, 0x2c, 0x14, 0x4e, 0x9, 0xef, 0x13, 0x7f, 0xac, 0x9b, 0x43, 0xea, 0x88, 0x14, 0x7d, 0x9a, 0x8d, 0x3f, 0x14, 0xaa, 0x65, 0x1a, 0x2f, 0xcb, 0x20, 0x2d, 0xcf, 0xe0, 0xff, 0xd1, 0x6a, 0x1c, 0x38, 0xf1, 0x7b, 0x7b, 0x84, 0x4d, 0xb, 0xc8, 0x8a, 0x14, 0xb8, 0xf5, 0x56, 0xf2, 0xaf, 0xce, 0x35, 0x18, 0x44, 0x1b, 0x4, 0xef, 0xfc, 0xa5, 0xcd, 0xc0, 0x88, 0x90, 0xde, 0xce, 0xb8, 0x83, 0xe0, 0x9b, 0x51, 0x68, 0xe6, 0x25, 0x39, 0x9f, 0x97, 0x3e, 0x78, 0x1d, 0xb8, 0xa7, 0x89, 0x4c, 0xaf, 0xa, 0x13, 0xfd, 0x1e, 0xfa, 0xf7, 0x1b, 0xfd, 0x44, 0x21, 0x5c, 0x52, 0x9e, 0x5a, 0x26, 0x1b, 0x4, 0x69, 0x29, 0x4b, 0xb6, 0x65, 0xdb, 0xb9, 0x34, 0x96, 0x8e, 0xed, 0x8a, 0x9d, 0x59, 0x3, 0x32, 0x2e, 0xc8, 0x35, 0xf3, 0x63, 0x35, 0x40, 0x4f, 0xa5, 0xa7, 0xda, 0xab, 0x38, 0x2c, 0x2, 0xad, 0x88, 0xf0, 0x9d, 0xee, 0x60, 0x62, 0x45, 0xc1, 0x5a, 0x69, 0x1c, 0x93, 0x36, 0x78, 0x4d, 0xdf, 0xce, 0x3a, 0x4e, 0x8f, 0x4a, 0x67, 0x11, 0x59, 0x52, 0xfd, 0xda, 0xf9, 0x22, 0x7b, 0x6c, 0x40, 0x6d, 0x84, 0x21, 0x55, 0x1f, 0x89, 0x17, 0xfc, 0x1c, 0x3d, 0x78, 0x75, 0x4, 0x4d, 0xd7, 0x34, 0x3c, 0x17, 0x2a, 0x20, 0xfa, 0x99, 0xb6, 0x7f, 0xbd, 0xfd, 0x3a, 0x62, 0x9f, 0x82, 0xac, 0xb6, 0x8f, 0x24, 0x79, 0xa, 0xd3, 0x3f, 0xbb, 0x66, 0xb0, 0xcf, 0xe5, 0x4e, 0x35, 0xf0, 0xef, 0xda, 0x69, 0x91, 0x42, 0x6c, 0xe3, 0x24, 0x35, 0x52, 0xf8, 0x9c, 0x80, 0x1d, 0xbe, 0x55, 0x1, 0xb3, 0x4f, 0x6f, 0x13, 0x12, 0xa7, 0xbb, 0x1f, 0x1, 0xaf, 0x26, 0x48, 0xa1, 0xa1, 0x6b, 0x50, 0xb4, 0xf0, 0xf0, 0x6e, 0x3e, 0xa7, 0xae, 0x77, 0x31, 0x8b, 0x92, 0xd9, 0x4e, 0x24, 0xaa, 0x5e, 0xf2, 0x6a, 0xbf, 0xe2, 0xb2, 0x1d, 0xc8, 0x1a, 0x3a, 0x36, 0x28, 0x18, 0x66, 0x6, 0x82, 0x48, 0xb3, 0x22, 0x2a, 0x75, 0x6a, 0xab, 0x32, 0x3d, 0x3, 0x0, 0xc0, 0xcf, 0xb1, 0x3c, 0x6a, 0xd9, 0xe1, 0x77, 0xd6, 0x2a, 0x11, 0x30, 0x23, 0xc8, 0x72, 0xe6, 0xe3, 0xa7, 0xb7, 0x3, 0x43, 0x5e, 0x7e, 0xe8, 0x65, 0x2c, 0xcb, 0x4, 0xdf, 0xc6, 0x1b, 0xf7, 0x34, 0x18, 0x34, 0xa8, 0xed, 0x3c, 0x2c, 0x77, 0xf8, 0x32, 0x4b, 0xb6, 0x37, 0x42, 0x12, 0x4f, 0x8, 0x8d, 0x7, 0xfd, 0xec, 0xe3, 0x99, 0xbe, 0x8e, 0x68, 0xd8, 0x5d, 0x84, 0xf6, 0xc, 0xa7, 0xb8, 0x57, 0x25, 0xa3, 0xa4, 0x5d, 0x9c, 0xc5, 0x8f, 0x80, 0x62, 0x58, 0x58, 0xa3, 0x2b, 0x2b, 0x3, 0xa9, 0x86, 0x93, 0xf2, 0xed, 0xd5, 0x25, 0x68, 0xb6, 0x9b, 0xc2, 0x1e, 0x43, 0xdb, 0xa8, 0xa5, 0xb5, 0xc8, 0x8d, 0x1e, 0x3a, 0x98, 0x3a, 0x14, 0xbb, 0xd9, 0xd1, 0xe9, 0xcf, 0x7, 0x6a, 0x35, 0x5b, 0xdd, 0x48, 0x6f, 0x30, 0x3a, 0x68, 0xba, 0xd4, 0xc1, 0x37, 0x64, 0x2c, 0xb5, 0xe7, 0x6a, 0x3b, 0xd4, 0x4f, 0xb6, 0x54, 0xa1, 0xc1, 0xc0, 0xf9, 0xd0, 0x52, 0x54, 0xed, 0xba, 0xd, 0x66, 0x90, 0xf, 0x53, 0x50, 0x28, 0x95, 0x3e, 0x3f, 0x42, 0x81, 0x4d, 0x27, 0x47, 0x6, 0xa2, 0x32, 0x14, 0x74, 0x5, 0xb0, 0x7d, 0xf8, 0xf3, 0xeb, 0xcc, 0x1b, 0x38, 0xae, 0x12, 0xce, 0x94, 0xee, 0x35, 0x90, 0xda, 0xcc, 0x86, 0x6c, 0x17, 0x7f, 0x3a, 0xca, 0xea, 0x6, 0x46, 0x7e, 0x65, 0x3a, 0xc6, 0xdf, 0x4, 0xcd, 0x43, 0x80, 0xa3, 0xe5, 0x9a, 0x46, 0x1b, 0x25, 0xed, 0x15, 0x8d, 0xec, 0x9b, 0x64, 0x5e, 0xca, 0xca, 0x30, 0x6d, 0x5d, 0x1f, 0x7, 0xf, 0xf2, 0x9f, 0x35, 0x3b, 0x7b, 0x34, 0x86, 0xb2, 0xe4, 0xf7, 0x34, 0xf0, 0x65, 0x4d, 0x96, 0x29, 0xc8, 0x6, 0xf6, 0x81, 0x9f, 0xd8, 0xfc, 0x92, 0xc5, 0x15, 0x88, 0x52, 0x73, 0x4f, 0xc6, 0xa8, 0x49, 0xce, 0xa1, 0x3, 0xc, 0x8c, 0x7, 0x59, 0xf2, 0xb9, 0xe0, 0xff, 0x4d, 0xe0, 0x4b, 0xab, 0xf7, 0x4a, 0x50, 0x21, 0x66, 0x22, 0x4c, 0x5c, 0xa3, 0xf5, 0xf6, 0xff, 0x21, 0x9e, 0x98, 0x91, 0x1e, 0x5a, 0x84, 0x44, 0x1d, 0x7, 0x11, 0xfc, 0x9, 0x41, 0x5c, 0x95, 0x11, 0x8, 0x1e, 0x66, 0x11, 0xf1, 0x24, 0xba, 0x93, 0x9e, 0x4, 0xeb, 0x5, 0xb1, 0x84, 0xd4, 0xce, 0xed, 0x78, 0xb5, 0x24, 0xf4, 0xa1, 0x9b, 0xdc, 0x96, 0x69, 0x90, 0x3e, 0xe8, 0xb7, 0x66, 0x8f, 0xbf, 0x16, 0x82, 0xed, 0xd7, 0xf4, 0x4d, 0x2d, 0x87, 0xcf, 0xbe, 0x2c, 0x8e, 0x77, 0xf3, 0x7, 0xbf, 0x54, 0x37, 0xe7, 0x98, 0x99, 0xd8, 0x81, 0x42, 0x8, 0x87, 0xab, 0x8a, 0xbb, 0x5f, 0xc8, 0xfe, 0x5b, 0x39, 0x11, 0x45, 0x1d, 0x41, 0x28, 0xd3, 0xde, 0xf8, 0xcd, 0xe4, 0x79, 0xc0, 0x50, 0x31, 0xd0, 0xbc, 0x34, 0x59, 0xc4, 0xe7, 0x4b, 0x22, 0xae, 0xc9, 0x58, 0x43, 0x75, 0x71, 0x97, 0x9d, 0x4d, 0xdb, 0x30, 0x22, 0x41, 0xbb, 0xb1, 0xdb, 0xdc, 0x31, 0x8e, 0xd, 0xbd, 0x84, 0x8e, 0x16, 0xd2, 0x5f, 0x11, 0x1c, 0x34, 0x4f, 0x1b, 0xa6, 0x8f, 0xc2, 0x88, 0x58, 0x15, 0xfa, 0x75, 0xc7, 0xb, 0x5b, 0xba, 0xa5, 0xee, 0xd, 0x3c, 0x9a, 0x99, 0x52, 0xd0, 0x42, 0xce, 0x16, 0xa1, 0xe6, 0x42, 0x2d, 0xb0, 0xe9, 0xfe, 0x75, 0x97, 0xae, 0xb6, 0x5c, 0x54, 0xa1, 0x0, 0x52, 0xb0, 0x72, 0xea, 0xb4, 0xa3, 0x31, 0x7d, 0x6f, 0x50, 0xbc, 0x32, 0x9b, 0xbd, 0x8b, 0x78, 0x30, 0x89, 0xe5, 0x97, 0x2a, 0xb1, 0xe4, 0x37, 0x5f, 0xbc, 0xc8, 0x71, 0xb6, 0x73, 0x4a, 0x6, 0xc, 0x0, 0x6b, 0x8a, 0x5f, 0xde, 0x17, 0x5c, 0x92, 0xc6, 0xf3, 0xd5, 0x91, 0x49, 0xf3, 0x95, 0x4b, 0xcb, 0xa6, 0x66, 0x5, 0xd5, 0x7d, 0xf0, 0x97, 0xbf, 0xa8, 0x9e, 0xa0, 0x91, 0xb, 0xe5, 0x55, 0x8d, 0x2c, 0x20, 0xe7, 0xd7, 0x3a, 0xed, 0xc2, 0xdc, 0x6a, 0x5a, 0xec, 0x93, 0x0, 0x48, 0x23, 0x4a, 0x73, 0xaf, 0x36, 0xcb, 0x43, 0xbe, 0x8f, 0x1d, 0xfa, 0xe4, 0xa7, 0xa8, 0xa4, 0x1c, 0xb8, 0x87, 0xdc, 0xd0, 0xa7, 0x5f, 0x76, 0x22, 0xbf, 0xb5, 0x13, 0x70, 0x53, 0x6a, 0x1d, 0xf0, 0x5b, 0x80, 0x59, 0x98, 0xdb, 0x80, 0x42, 0x9d, 0xe2, 0xa5, 0x67, 0xe3, 0x1c, 0x6b, 0x77, 0x6f, 0x91, 0x53, 0x4f, 0x26, 0xf6, 0xdd, 0x33, 0x1f, 0xf6, 0x4f, 0x71, 0x3, 0xd1, 0x85, 0xa0, 0x8e, 0x23, 0x6, 0x42, 0xe3, 0x9e, 0x80, 0xe5, 0xb7, 0xd4, 0x50, 0x1c, 0x1d, 0xeb, 0xf8, 0x85, 0xd, 0x45, 0x9f, 0x99, 0x25, 0xf3, 0x39, 0xa2, 0xb1, 0x4, 0x39, 0x5f, 0x90, 0xad, 0x58, 0x1a, 0xf7, 0xa6, 0x26, 0xd0, 0xed, 0x24, 0xb8, 0xd6, 0x36, 0x27, 0x54, 0x43, 0xb8, 0x64, 0x93, 0x4a, 0x75, 0xa7, 0x41, 0x8, 0xe9, 0x1d, 0xeb, 0xcf, 0x41, 0xcb, 0x97, 0x75, 0x4f, 0xa, 0x58, 0xbf, 0x7a, 0x2b, 0x25, 0x20, 0x20, 0x8e, 0xc4, 0x17, 0x81, 0x92, 0x72, 0x37, 0x71, 0xa0, 0xf5, 0xc6, 0x28, 0x1c, 0xdb, 0xda, 0x9b, 0x9e, 0xc7, 0xe4, 0x51, 0x60, 0x8a, 0x65, 0xea, 0x9f, 0x6a, 0xc6, 0x73, 0xcb, 0x94, 0x13, 0x23, 0x7b, 0xbe, 0xc6, 0xd5, 0x1e, 0xf3, 0x27, 0xfe, 0xf8, 0xa6, 0x5a, 0x36, 0x8f, 0xc8, 0xf4, 0x9e, 0x49, 0xaa, 0x4a, 0x1f, 0x72, 0xb0, 0xf, 0x6b, 0x2a, 0xfb, 0xe3, 0xd5, 0xa7, 0xb3, 0x68, 0x1d, 0x85, 0x92, 0x3a, 0x7d, 0x9, 0x88, 0xa7, 0x13, 0x49, 0x6f, 0xe9, 0x8a, 0x7f, 0xe, 0x6, 0xc1, 0xfd, 0xdb, 0x88, 0xe2, 0xc, 0xfa, 0xf1, 0x8, 0xdd, 0xf8, 0xd2, 0x80, 0x74, 0x39, 0x3c, 0xf0, 0x95, 0xdb, 0x4e, 0x8b, 0xa, 0xf1, 0xe, 0x56, 0xe5, 0x47, 0x32, 0x75, 0xbc, 0x58, 0x45, 0xa4, 0x4f, 0xc0, 0xf, 0x5f, 0xef, 0x5c, 0x76, 0x75, 0x3d, 0x6d, 0xd6, 0xe6, 0x2c, 0x9f, 0x72, 0x66, 0xf0, 0x33, 0xb4, 0x5d, 0x27, 0x35, 0x6d, 0x7e, 0x59, 0x4e, 0x36, 0x27, 0x5c, 0xd9, 0x31, 0xbc, 0x93, 0x3a, 0x1a, 0x73, 0xbe, 0xee, 0x82, 0x1a, 0xdc, 0x1a, 0xa2, 0x65, 0xf4, 0xbb, 0x42, 0xfd, 0xe, 0x3, 0xef, 0xa4, 0x6f, 0xb, 0xc1, 0xbb, 0x97, 0xb0, 0x87, 0xc7, 0xa4, 0x7a, 0x24, 0xda, 0x77, 0xc, 0xf6, 0x32, 0xc6, 0x8d, 0x8b, 0x3e, 0x52, 0x23, 0xc2, 0x6a, 0xc2, 0xfb, 0x6f, 0xcf, 0x79, 0x45, 0x34, 0x11, 0xff, 0xf6, 0xa4, 0xf6, 0x50, 0x2, 0x98, 0x3c, 0x65, 0x25, 0x58, 0x8b, 0x39, 0x1f, 0xcc, 0x9a, 0xef, 0xea, 0x88, 0x95, 0x7e, 0x21, 0xf4, 0x25, 0x9a, 0x18, 0x85, 0xef, 0xfc, 0x68, 0xb9, 0xf5, 0xf5, 0x24, 0x94, 0x28, 0x22, 0x7, 0xd0, 0xf9, 0x8a, 0x5d, 0xc0, 0x2a, 0xb2, 0xa1, 0x49, 0x8c, 0xfa, 0x36, 0xb, 0xce, 0x5f, 0x11, 0xf1, 0x57, 0x36, 0x1c, 0xe6, 0x3f, 0x43, 0x62, 0x42, 0xc0, 0xf0, 0xcd, 0x6, 0xdc, 0x20, 0xc8, 0x9e, 0x2d, 0xc5, 0x8a, 0x9d, 0xb9, 0xa2, 0x1a, 0xbc, 0x7e, 0x9, 0xdd, 0xb2, 0x3a, 0x33, 0xa0, 0x37, 0x93, 0x93, 0x88, 0x7, 0x38, 0xdb, 0xa0, 0x37, 0x71, 0x5e, 0xf5, 0x1c, 0x13, 0x16, 0x2c, 0x79, 0x7f, 0x48, 0x48, 0x26, 0x61, 0xf2, 0xce, 0x3f, 0x36, 0x13, 0xd0, 0xda, 0x29, 0xf1, 0xab, 0xe, 0x1d, 0xc8, 0x39, 0x62, 0xe2, 0x6b, 0x27, 0x9d, 0xde, 0x61, 0xe7, 0x8e, 0xd3, 0x6a, 0xda, 0x1e, 0x34, 0x7a, 0x6a, 0x40, 0x7, 0x6a, 0x2, 0xd5, 0xac, 0x10, 0x73, 0x1, 0x1c, 0x28, 0x93, 0xe7, 0x54, 0xc9, 0x26, 0x35, 0x51, 0xac, 0x0, 0x76, 0xc5, 0x7b, 0x6b, 0x41, 0xa7, 0x44, 0x2b, 0xd4, 0x52, 0x89, 0x67, 0x9, 0xb1, 0x9f, 0x4, 0xb6, 0xb7, 0x3f, 0xda, 0xab, 0x7b, 0xef, 0xad, 0xdf, 0x59, 0xa6, 0xb0, 0x3c, 0xd, 0xc, 0x8b, 0x1b, 0x72, 0x31, 0x79, 0x58, 0x1b, 0x61, 0x9d, 0x4e, 0x6e, 0x47, 0x73, 0xfe, 0x31, 0x3b, 0x49, 0x4a, 0xba, 0x67, 0xf3, 0x4b, 0x26, 0xf0, 0xf7, 0x9b, 0x52, 0xa, 0xf2, 0x54, 0x4b, 0x91, 0x95, 0x97, 0x62, 0xe0, 0x96, 0xb6, 0xac, 0x36, 0xf2, 0x8b, 0x6d, 0xb9, 0xda, 0xcd, 0x13, 0xea, 0x25, 0xed, 0xa, 0xc7, 0xf2, 0x4f, 0xe7, 0xbb, 0xcb, 0x81, 0xeb, 0x9, 0x1d, 0xfa, 0xc5, 0x44, 0x85, 0x46, 0x87, 0x8c, 0xfc, 0x88, 0x17, 0x33, 0x6b, 0x69, 0xd, 0x67, 0x7a, 0x84, 0x59, 0x9a, 0x51, 0x45, 0xe2, 0xaf, 0x10, 0x84, 0x74, 0xd7, 0x30, 0xbc, 0xaf, 0x39, 0x97, 0x9a, 0x88, 0x4a, 0xf4, 0xd8, 0x3, 0xde, 0x33, 0x66, 0x37, 0xdb, 0x5d, 0x50, 0xb3, 0x9b, 0x6a, 0xd5, 0x14, 0x5e, 0x81, 0x46, 0x7, 0x7c, 0x66, 0x66, 0xbb, 0x93, 0x44, 0x88, 0xed, 0xf8, 0x28, 0x22, 0x82, 0x48, 0xab, 0x17, 0x1a, 0x56, 0xcc, 0x23, 0xce, 0x1b, 0x1a, 0x52, 0x59, 0x7, 0x83, 0x99, 0x26, 0xb6, 0xbc, 0x64, 0x1e, 0x42, 0x33, 0xf1, 0xb5, 0xe0, 0xde, 0x26, 0xc8, 0x38, 0xa6, 0xae, 0x6c, 0x34, 0x10, 0xb3, 0xb, 0x68, 0xe7, 0xd6, 0xd3, 0xce, 0xd4, 0xd5, 0x97, 0x40, 0x6f, 0xe0, 0xb, 0xa3, 0x12, 0x75, 0x52, 0x14, 0x96, 0x9, 0x9a, 0xa5, 0x89, 0xe5, 0xfd, 0x67, 0xd8, 0xf3, 0x80, 0xc1, 0xd0, 0x52, 0x4f, 0x25, 0x73, 0x2e, 0xac, 0x74, 0x3c, 0x33, 0xa3, 0xd8, 0x63, 0x90, 0x7a, 0x6f, 0xee, 0xe2, 0x44, 0x27, 0x14, 0x12, 0x3f, 0x60, 0x21, 0x65, 0x10, 0x9d, 0x38, 0x63, 0x3a, 0x81, 0x9c, 0x9e, 0xc7, 0x82, 0xcd, 0xa1, 0xeb, 0x42, 0xe3, 0x5a, 0x1c, 0x64, 0x9, 0xc1, 0xe9, 0x6, 0xbb, 0x4, 0x30, 0xfb, 0x85, 0x3c, 0x7f, 0xf1, 0x12, 0xc2, 0x1c, 0x44, 0xed, 0x1f, 0x53, 0x1a, 0xf6, 0x82, 0xac, 0xdf, 0x56, 0x16, 0x5f, 0x8f, 0xd9, 0xce, 0x30, 0x7a, 0xec, 0x88, 0xbc, 0xe7, 0x14, 0xd3, 0x95, 0xc5, 0xa6, 0xed, 0xed, 0x99, 0x78, 0x46, 0x4b, 0x46, 0xe7, 0x2e, 0xd3, 0xd5, 0x1e, 0xa, 0x3c, 0x42, 0xef, 0x1c, 0x13, 0x76, 0xcc, 0x69, 0xea, 0x76, 0x7e, 0x21, 0x17, 0xa9, 0xcd, 0xe7, 0x1f, 0xce, 0xcc, 0x27, 0x16, 0x3f, 0x89, 0x8a, 0x6b, 0x1, 0xd8, 0x12, 0x6b, 0x4f, 0xc7, 0x9f, 0x84, 0xde, 0xd6, 0xbc, 0x61, 0x4e, 0x14, 0xf3, 0xe2, 0x17, 0x58, 0xfa, 0xce, 0x5e, 0xc5, 0x9b, 0xb5, 0x39, 0x89, 0xb, 0xff, 0x70, 0xaa, 0xcb, 0x3b, 0xb3, 0x64, 0xb1, 0x91, 0xb7, 0x2a, 0x3f, 0xf, 0x1, 0x6b, 0xaf, 0x37, 0xcb, 0x52, 0x7b, 0xba, 0x67, 0xb7, 0x98, 0x41, 0x65, 0xf8, 0xfc, 0x80, 0xf3, 0xd, 0xbd, 0x4a, 0x1, 0xa1, 0x64, 0x54, 0xf3, 0x94, 0x51, 0x25, 0xf6, 0x35, 0x4c, 0x2e, 0xf2, 0xc1, 0x42, 0x1b, 0xf5, 0xbb, 0xf7, 0xe2, 0xf3, 0x70, 0x9a, 0x4c, 0xee, 0x21, 0x8, 0x64, 0x41, 0x35, 0x1f, 0x92, 0x19, 0xc6, 0xb, 0xb4, 0xea, 0x83, 0x15, 0x9f, 0x87, 0x72, 0x1d, 0xf6, 0xca, 0x90, 0x74, 0xb2, 0xe7, 0x6a, 0xf7, 0xf3, 0xd9, 0x8a, 0x99, 0xf7, 0x57, 0x11, 0xa4, 0x50, 0x19, 0x18, 0x1e, 0x7e, 0x3a, 0xda, 0xe8, 0xe6, 0xe1, 0xd7, 0xa9, 0x5f, 0xb9, 0x26, 0x84, 0xeb, 0x84, 0x37, 0x96, 0x10, 0x2a, 0x2e, 0x54, 0x6e, 0xed, 0xe4, 0xe, 0x83, 0xfd, 0x12, 0x96, 0xb8, 0x35, 0x4d, 0xbc, 0xe9, 0x5, 0x40, 0x5c, 0x50, 0xca, 0x77, 0xf4, 0xd1, 0xec, 0x7e, 0xa8, 0x3d, 0x20, 0x62, 0xb7, 0x86, 0x25, 0x8, 0x38, 0x22, 0x9b, 0xac, 0x68, 0x91, 0x35, 0x78, 0xcc, 0x59, 0xd6, 0x96, 0x66, 0xb4, 0x52, 0x63, 0xd3, 0xdd, 0x43, 0x46, 0x25, 0x69, 0x1d, 0xad, 0x9d, 0xd9, 0x70, 0xe3, 0xcd, 0xfa, 0x5d, 0x71, 0x62, 0x6c, 0xf2, 0x7a, 0x9d, 0x7b, 0x1e, 0x75, 0xac, 0xc5, 0x4c, 0x9d, 0xb7, 0xbd, 0x11, 0x42, 0xfd, 0x72, 0x64, 0xf9, 0x93, 0xc6, 0x4f, 0xde, 0xc8, 0xd2, 0xd3, 0x72, 0x8c, 0x64, 0xf0, 0x44, 0xdf, 0xf5, 0xcb, 0x69, 0x7b, 0xe1, 0x94, 0xbf, 0xf4, 0xa2, 0xc, 0xa9, 0x3d, 0xe2, 0x94, 0x28, 0xf1, 0xf8, 0x25, 0x53, 0x1a, 0xb, 0xd6, 0x17, 0x79, 0x6c, 0x7f, 0x43, 0xa, 0x5d, 0xcb, 0xc9, 0x96, 0x86, 0x4, 0xe7, 0x9b, 0x26, 0x7c, 0x33, 0xe1, 0x76, 0x99, 0x9c, 0x94, 0xe5, 0x68, 0x3d, 0xd7, 0xbd, 0xde, 0xaa, 0x6f, 0xd9, 0x68, 0xb7, 0xf1, 0x14, 0x86, 0x15, 0x9e, 0x69, 0xf0, 0xc4, 0x9c, 0x57, 0xa5, 0xdf, 0x22, 0xd6, 0xc6, 0x93, 0xbe, 0x17, 0xda, 0xd6, 0xcc, 0xb9, 0xf5, 0x4, 0xa5, 0x61, 0x6c, 0x86, 0x24, 0xa1, 0x4d, 0x69, 0x8d, 0x3c, 0x35, 0x21, 0x21, 0xc6, 0xb8, 0x40, 0x1, 0x80, 0xa5, 0x6c, 0x1c, 0xb8, 0x9b, 0xb7, 0xd4, 0x7d, 0x4a, 0x60, 0xf1, 0xc8, 0x78, 0xc8, 0x52, 0xfb, 0x6, 0xe8, 0xae, 0xe8, 0xb8, 0x47, 0x8d, 0x11, 0x4f, 0x14, 0x34, 0x54, 0x90, 0x9f, 0x94, 0x2b, 0xf5, 0xed, 0x72, 0x5a, 0x1, 0x27, 0x21, 0x4e, 0xa8, 0xfc, 0xeb, 0xf3, 0xce, 0xb7, 0x9c, 0xc0, 0xd0, 0x51, 0x90, 0xc8, 0xee, 0x6d, 0x29, 0x58, 0xfe, 0xe8, 0x86, 0x74, 0xd, 0x1, 0x41, 0x88, 0x81, 0xb2, 0x33, 0x40, 0x9f, 0xed, 0x9a, 0xed, 0x60, 0x56, 0xbd, 0x99, 0x8c, 0x2a, 0x53, 0xd1, 0x6a, 0xca, 0x70, 0xea, 0x71, 0xc3, 0x95, 0xfb, 0x8b, 0x97, 0xc4, 0x9d, 0x10, 0x3, 0x70, 0xd, 0x4d, 0x46, 0xe5, 0xef, 0x35, 0xe5, 0xd9, 0xdf, 0x2f, 0xf3, 0x1a, 0x5b, 0x18, 0xc9, 0x98, 0xa7, 0x7e, 0xf5, 0xab, 0x88, 0x24, 0xb4, 0x12, 0x17, 0x74, 0x7a, 0xed, 0xfa, 0x86, 0x72, 0xe9, 0xa7, 0x96, 0x2, 0x8e, 0x5f, 0x44, 0x1b, 0x17, 0x83, 0x93, 0x7, 0x1, 0x4c, 0xad, 0x31, 0x81, 0xe3, 0x21, 0xcf, 0x9b, 0xe8, 0x87, 0x39, 0xc9, 0x5, 0xe2, 0xdf, 0x8c, 0x8f, 0x8c, 0x2e, 0xc9, 0x52, 0x41, 0x3f, 0xe6, 0x3d, 0xd4, 0xad, 0x30, 0xa9, 0x62, 0x94, 0x72, 0x5a, 0xf0, 0x80, 0xc9, 0x43, 0xb1, 0xeb, 0x62, 0x68, 0xe9, 0x6, 0x3b, 0xe5, 0x54, 0x39, 0x4f, 0xb1, 0xf6, 0x2c, 0x24, 0xad, 0x75, 0x1d, 0xfe, 0x5e, 0x7d, 0x1, 0x1f, 0x6e, 0x41, 0x57, 0x8b, 0x9b, 0xe9, 0x74, 0x76, 0x96, 0x33, 0x53, 0x37, 0xa0, 0x88, 0xf4, 0xe8, 0xc0, 0x94, 0x6d, 0x6e, 0x5e, 0xf9, 0x16, 0xdc, 0x7a, 0x78, 0x3a, 0xb9, 0xcc, 0x9c, 0xc9, 0xdc, 0xa2, 0x51, 0xac, 0xc3, 0x1d, 0x7c, 0xa4, 0x9a, 0x13, 0xb4, 0x34, 0xc1, 0xd5, 0xd8, 0xdf, 0xaf, 0xaf, 0xcd, 0x8f, 0xf2, 0xed, 0x31, 0xb8, 0x10, 0x8e, 0xbd, 0x57, 0xd, 0x46, 0xfc, 0xbc, 0xf0, 0xcc, 0xfb, 0x76, 0x92, 0xe6, 0xfe, 0xcf, 0xb5, 0xce, 0x2a, 0x82, 0x3a, 0x5b, 0x91, 0x5d, 0xc7, 0xfe, 0xd2, 0x8e, 0x32, 0x6c, 0x47, 0x59, 0xc3, 0x13, 0xc1, 0x45, 0xa1, 0xcd, 0x7b, 0xe1, 0x8b, 0x53, 0x81, 0x1a, 0xf6, 0x8f, 0x3d, 0x6c, 0xaa, 0xc3, 0x67, 0xe8, 0x1, 0x2f, 0xc8, 0x16, 0x65, 0x5d, 0xe1, 0x34, 0x56, 0xb0, 0xb9, 0x48, 0x69, 0xd2, 0x7b, 0x43, 0xc1, 0xc7, 0xd4, 0x19, 0x6c, 0x0, 0xd2, 0xfc, 0xd2, 0x76, 0xe9, 0xb1, 0xe1, 0x37, 0xc4, 0xf3, 0xa0, 0xe8, 0x37, 0xf2, 0x94, 0xf6, 0x5f, 0x54, 0xf0, 0xb1, 0x8b, 0xbf, 0xc0, 0x3f, 0xec, 0x10, 0xdd, 0xe1, 0xd3, 0x7c, 0xac, 0x6c, 0x69, 0x89, 0x4f, 0xe6, 0xbf, 0x24, 0x5f, 0xec, 0x14, 0x37, 0xed, 0x6, 0x77, 0xaf, 0x5f, 0xd8, 0xb1, 0x3e, 0x36, 0x32, 0xcc, 0x27, 0xc0, 0x4d, 0x60, 0xbd, 0xfc, 0xc8, 0x85, 0x86, 0xaf, 0xc7, 0xc6, 0x95, 0x5f, 0xaa, 0x1, 0x8f, 0x2f, 0xce, 0xc8, 0xc1, 0xd4, 0x2a, 0x69, 0x74, 0x25, 0x32, 0xbe, 0x4b, 0xc4, 0x68, 0xa0, 0xa4, 0xd4, 0x78, 0x34, 0x0, 0xb8, 0xdb, 0x3c, 0xca, 0x2e, 0xe5, 0xc6, 0x8f, 0x7c, 0x99, 0xd3, 0x4, 0xec, 0x6b, 0xb1, 0x1d, 0xea, 0xcf, 0xc5, 0x2b, 0x8f, 0x2e, 0xc8, 0x5b, 0xb0, 0xd2, 0x93, 0x47, 0xf4, 0x7f, 0x51, 0x3d, 0x76, 0x3b, 0x36, 0x55, 0xc3, 0xdd, 0x8e, 0xce, 0x16, 0x6e, 0xd, 0x82, 0xf8, 0xf, 0xf7, 0xf2, 0x4a, 0x8, 0xa5, 0x61, 0x76, 0xd2, 0xd4, 0x7e, 0xcb, 0x72, 0x54, 0x19, 0xdd, 0x4e, 0x44, 0xd3, 0x41, 0x49, 0x96, 0xda, 0x38, 0xb4, 0xa2, 0xfe, 0x17, 0x0, 0xa2, 0xb4, 0xae, 0x56, 0x93, 0xf6, 0x9b, 0x3d, 0x9c, 0xb1, 0x6a, 0x91, 0x5f, 0x3b, 0xa1, 0xa6, 0x60, 0x93, 0xdc, 0x14, 0x9c, 0x51, 0xc0, 0x71, 0xe1, 0x42, 0x2e, 0xe9, 0x1a, 0x57, 0xc2, 0xf9, 0xcc, 0x41, 0xed, 0x63, 0xab, 0x31, 0xcb, 0x4f, 0x85, 0xc8, 0xb5, 0x76, 0xc5, 0xf3, 0x37, 0xa1, 0x92, 0x23, 0xc6, 0x1b, 0x19, 0xe5, 0x66, 0x3b, 0x68, 0xd5, 0x6c, 0x1c, 0x5a, 0x56, 0x71, 0x89, 0xe6, 0x6f, 0x60, 0x83, 0x2, 0x4b, 0x48, 0xa6, 0xfd, 0xe2, 0x67, 0x67, 0x5d, 0xa2, 0xf3, 0xa4, 0xc0, 0x65, 0x8a, 0xde, 0x21, 0xba, 0x87, 0xd1, 0x84, 0x6, 0xa7, 0x9c, 0xe4, 0x74, 0xde, 0x3d, 0xc, 0xe8, 0x33, 0x61, 0x76, 0xe8, 0x3a, 0x4d, 0xc3, 0xa5, 0x16, 0xa9, 0xa2, 0x84, 0x59, 0x35, 0x8c, 0x29, 0xb8, 0xcc, 0x3e, 0xa8, 0x9, 0xc0, 0xa4, 0x4c, 0xaa, 0x7c, 0x86, 0x19, 0x9a, 0xff, 0xb8, 0x75, 0xb3, 0x10, 0x56, 0x8, 0x2, 0xdc, 0x96, 0x3, 0xf7, 0x8b, 0x32, 0x96, 0xf2, 0x63, 0xae, 0x6f, 0xde, 0x4c, 0xdc, 0x9d, 0x9c, 0xd0, 0x98, 0xbd, 0x8, 0xb8, 0xc1, 0x51, 0x44, 0x40, 0xf2, 0x75, 0x65, 0xd4, 0x1c, 0x4b, 0x64, 0x70, 0xd2, 0x75, 0x73, 0x33, 0xeb, 0x7, 0x69, 0xbd, 0x86, 0x22, 0xfa, 0xbd, 0xbe, 0xc8, 0x56, 0x46, 0x2b, 0x63, 0xc4, 0xac, 0xd2, 0x13, 0xc7, 0x42, 0x2, 0xd6, 0xaf, 0x7a, 0x42, 0xda, 0x17, 0x46, 0x75, 0x5c, 0xc9, 0xb7, 0x65, 0x30, 0x31, 0xde, 0xa3, 0x17, 0xbf, 0x98, 0x98, 0x23, 0xf8, 0x6e, 0x3b, 0x8, 0xb, 0x26, 0x3d, 0x68, 0x94, 0x4d, 0xa5, 0xf6, 0x6, 0xeb, 0x52, 0x37, 0xa, 0xdd, 0x74, 0x20, 0x75, 0x23, 0xdc, 0xbe, 0x48, 0x93, 0x25, 0x82, 0x3e, 0xfc, 0x22, 0x76, 0x63, 0x3b, 0x5d, 0xe5, 0x6b, 0x13, 0x5, 0x0, 0xea, 0x6d, 0x0, 0x4d, 0x32, 0xf4, 0x12, 0x5e, 0x9f, 0x70, 0x2, 0xfc, 0x64, 0xa9, 0x86, 0x94, 0x52, 0xe6, 0x99, 0x33, 0x92, 0xc, 0xd, 0xba, 0x9, 0x80, 0x70, 0x97, 0x3a, 0x47, 0x58, 0x38, 0x36, 0xb6, 0x6a, 0x6a, 0xc, 0xb8, 0xe1, 0xf8, 0x4c, 0x1e, 0x26, 0x82, 0x4, 0x6c, 0x5c, 0x9a, 0x91, 0x6, 0x48, 0xce, 0xe5, 0xd0, 0x9a, 0x7a, 0x51, 0xaa, 0xa7, 0x6a, 0x5, 0xc, 0xd4, 0x92, 0x27, 0xb0, 0x61, 0x6c, 0xe5, 0xda, 0x6a, 0x7c, 0x4c, 0xc, 0x9e, 0xb1, 0xa4, 0x78, 0xb1, 0x9c, 0xf1, 0x7f, 0x26, 0xba, 0xe4, 0x4f, 0x5c, 0x6d, 0x4, 0xb3, 0x50, 0x15, 0x12, 0xab, 0x26, 0xe9, 0xd3, 0x84, 0xce, 0x47, 0xc1, 0x4a, 0x5e, 0x97, 0xe4, 0x2a, 0x72, 0xff, 0x5e, 0xf9, 0xe0, 0x8b, 0x7a, 0xa0, 0xf2, 0xd4, 0x6f, 0x2c, 0x70, 0xe4, 0x71, 0x80, 0xb2, 0xb7, 0x3c, 0xcf, 0x2a, 0xb9, 0x13, 0x73, 0x2d, 0x27, 0x28, 0x6d, 0x71, 0x88, 0xc5, 0x5c, 0xfe, 0xa9, 0xda, 0xf3, 0x7b, 0x2c, 0x86, 0x42, 0x9e, 0xa7, 0xe2, 0xf2, 0x8, 0xc0, 0x78, 0x20, 0x3, 0x83, 0x4c, 0x3f, 0x96, 0xb7, 0xf3, 0xe3, 0x3, 0x32, 0x90, 0xa0, 0x7a, 0x2c, 0x84, 0xfb, 0x7a, 0x32, 0xe7, 0xa, 0xca, 0x22, 0xaf, 0xb6, 0x9, 0x76, 0x96, 0x92, 0x30, 0xe1, 0x38, 0xf1, 0x58, 0x75, 0x75, 0x62, 0xfb, 0xb8, 0x73, 0xc1, 0xa8, 0xec, 0xf7, 0x31, 0xe8, 0xc3, 0x3c, 0x27, 0x16, 0x33, 0xf6, 0x74, 0x44, 0x17, 0xe4, 0x34, 0x2, 0xc4, 0xc3, 0xca, 0x89, 0x79, 0xa7, 0x1f, 0xfa, 0x36, 0xf5, 0xc5, 0x32, 0x58, 0xed, 0xa4, 0x44, 0x82, 0x92, 0x55, 0x3f, 0x6f, 0xe1, 0x90, 0xe1, 0x5b, 0xbf, 0x21, 0x26, 0x3a, 0xf4, 0x2b, 0x6b, 0x2b, 0xca, 0xc3, 0x72, 0xd6, 0xf7, 0x83, 0x5b, 0x7a, 0x82, 0x45, 0x62, 0xf8, 0x64, 0x72, 0x7f, 0xe9, 0x0, 0xf5, 0x9, 0xa1, 0xc1, 0xbb, 0x27, 0x73, 0xa4, 0x5c, 0x78, 0x59, 0xc2, 0xb6, 0x62, 0x6a, 0x7f, 0xe9, 0x9, 0xf1, 0xda, 0x20, 0x51, 0x56, 0x57, 0x18, 0xdf, 0xab, 0x88, 0xf1, 0x2b, 0x5f, 0xf2, 0x72, 0xbc, 0x34, 0xbf, 0x40, 0xea, 0x83, 0x62, 0x22, 0x6a, 0x21, 0xc, 0xe4, 0x18, 0x2e, 0x7, 0x46, 0x20, 0x3d, 0x57, 0x36, 0x81, 0xbe, 0x11, 0x6a, 0xf, 0x11, 0x11, 0x1b, 0x86, 0xe4, 0xd6, 0x84, 0x2a, 0xf3, 0x10, 0x31, 0x75, 0x29, 0xee, 0xe2, 0xde, 0xed, 0x3e, 0x69, 0x42, 0x40, 0xd3, 0x99, 0x7f, 0xf3, 0xb3, 0x3a, 0xd4, 0xc1, 0x1c, 0xe9, 0xf5, 0xa3, 0xce, 0xf4, 0x3a, 0x23, 0x6a, 0xdb, 0xca, 0x4a, 0x62, 0xc2, 0xe7, 0xef, 0xd0, 0xa9, 0x18, 0xdf, 0xc9, 0xf3, 0x79, 0xba, 0x79, 0xe8, 0xb, 0xd, 0xfe, 0xea, 0xf5, 0x2f, 0x52, 0x56, 0x5a, 0x4c, 0xc7, 0x4e, 0x51, 0x7d, 0x6c, 0xf0, 0x79, 0xc3, 0x4a, 0x9f, 0xa2, 0xe, 0xd7, 0x4, 0x14, 0x92, 0x64, 0x70, 0xf2, 0x69, 0x2, 0x91, 0xe5, 0x3e, 0x44, 0xe0, 0x81, 0xa0, 0x44, 0xa1, 0x17, 0xfd, 0xe5, 0x6a, 0x29, 0xe, 0xb7, 0x7d, 0xfb, 0x97, 0xd7, 0x9c, 0x71, 0x1f, 0x48, 0x30, 0x2b, 0x47, 0x2b, 0x52, 0x8c, 0x6f, 0xfe, 0x98, 0x2a, 0x63, 0xe, 0x84, 0xc2, 0xf0, 0xc5, 0x16, 0xd1, 0xcc, 0x89, 0x62, 0x7c, 0x98, 0x2d, 0xaf, 0x88, 0x10, 0xf5, 0xcf, 0xe6, 0x2d, 0x4c, 0xda, 0xcc, 0x2b, 0x2a, 0xf9, 0xf0, 0x79, 0xf6, 0xfe, 0x9e, 0xf, 0x81, 0x39, 0xa5, 0x1e, 0xa6, 0x43, 0xf4, 0x74, 0x38, 0xdf, 0xfe, 0x6, 0xc2, 0x11, 0xa3, 0xa3, 0x90, 0x85, 0x87, 0xbd, 0xf, 0x5b, 0x7b, 0x2a, 0x96, 0x8b, 0x1c, 0xc3, 0x58, 0x70, 0xe9, 0x37, 0xfc, 0x48, 0x10, 0x1a, 0x5f, 0x38, 0x55, 0xeb, 0xcd, 0x55, 0x62, 0xcd, 0x8c, 0x22, 0x51, 0x20, 0x5a, 0x8b, 0x1b, 0x4f, 0x9c, 0x96, 0xd4, 0x62, 0x97, 0xde, 0x5, 0x2f, 0xd5, 0x3, 0x88, 0x3d, 0x21, 0xf6, 0x73, 0x4c, 0xe5, 0x7b, 0x37, 0x64, 0x7c, 0xc0, 0xfb, 0x4e, 0x5a, 0x4, 0xfe, 0xbf, 0x65, 0x41, 0x85, 0xf5, 0x36, 0x63, 0x30, 0xd2, 0xd0, 0xf0, 0xbd, 0xcd, 0x25, 0x6f, 0x6, 0xd6, 0x54, 0x5b, 0x6d, 0xf8, 0x5c, 0x63, 0x2d, 0x5f, 0x68, 0xe5, 0xf6, 0x2e, 0xf1, 0xc1, 0xe9, 0x51, 0x8e, 0x82, 0x6d, 0x34, 0xcb, 0x2d, 0x4, 0xaf, 0xa6, 0x6f, 0x81, 0x73, 0x0, 0x79, 0x50, 0x95, 0x37, 0xf4, 0xf7, 0xc5, 0x13, 0xa7, 0xd3, 0x9c, 0xc8, 0xed, 0x2e, 0x35, 0xac, 0x4e, 0xb5, 0x9c, 0xd, 0x88, 0x47, 0xb3, 0x33, 0xee, 0x7a, 0x2e, 0x46, 0x9a, 0x8d, 0x99, 0x7c, 0x43, 0xf1, 0x1a, 0x83, 0x87, 0x4f, 0xe0, 0x11, 0xc9, 0x2, 0x88, 0xed, 0x69, 0xd9, 0x38, 0x19, 0xb, 0xa0, 0xa1, 0x1c, 0x10, 0x93, 0xbb, 0x7b, 0xb4, 0x5b, 0x80, 0x52, 0x10, 0x64, 0xc1, 0x31, 0xe4, 0xcd, 0xa3, 0xca, 0x3e, 0x4b, 0xfe, 0x7f, 0xb9, 0x94, 0xf3, 0xb0, 0x21, 0x5d, 0xfa, 0xe5, 0x21, 0x1d, 0x69, 0xb, 0x75, 0xbc, 0xfb, 0x9d, 0x47, 0x77, 0xbd, 0xb0, 0x0, 0x8b, 0xf7, 0xfa, 0xda, 0xf, 0x83, 0xd2, 0x57, 0x4f, 0x43, 0x52, 0x9c, 0x24, 0x8c, 0xf7, 0xab, 0x6d, 0x9, 0x98, 0x45, 0x75, 0x1f, 0x4b, 0xb3, 0xc0, 0xf8, 0x8f, 0x94, 0x6f, 0xbf, 0x73, 0x4c, 0x13, 0x4e, 0x45, 0x3d, 0xf0, 0xae, 0x34, 0x59, 0xc0, 0xb, 0x39, 0xd5, 0x56, 0xb8, 0x2e, 0xdf, 0x12, 0x13, 0x4, 0x5f, 0xbd, 0xea, 0xc0, 0x7b, 0xd6, 0x36, 0x86, 0xdf, 0x45, 0xef, 0x7e, 0xb5, 0x7f, 0xea, 0xdf, 0x1f, 0xe8, 0x9, 0x69, 0x37, 0x77, 0xda, 0x31, 0x53, 0x8c, 0x8e, 0x62, 0xbc, 0x55, 0x5b, 0x75, 0xe3, 0x8b, 0x2f, 0x1b, 0xd7, 0x41, 0x78, 0x13, 0x12, 0x5, 0xba, 0x35, 0x7d, 0xe5, 0x7c, 0x31, 0x59, 0x3, 0x55, 0x59, 0xc9, 0x6d, 0xd1, 0xf5, 0x7, 0xd4, 0x51, 0xb2, 0x1c, 0xcc, 0x72, 0x4c, 0xaf, 0xaa, 0x1f, 0x54, 0xcc, 0x73, 0x81, 0xe5, 0xac, 0x70, 0x81, 0xd2, 0x5a, 0x1b, 0xc, 0x7b, 0xc5, 0x57, 0xc0, 0x1c, 0x74, 0x23, 0x6, 0x21, 0xe6, 0x74, 0xb2, 0x4, 0x79, 0x8c, 0xcb, 0xe2, 0xa7, 0xca, 0xac, 0xef, 0x95, 0x94, 0xea, 0x24, 0xec, 0xc3, 0x66, 0xc4, 0x15, 0x7c, 0xef, 0x67, 0xf3, 0x6e, 0x51, 0xc3, 0x1c, 0x5c, 0x57, 0x45, 0x3b, 0x0, 0xef, 0x34, 0xc, 0xfe, 0xc2, 0x49, 0xa0, 0xe7, 0xb3, 0xde, 0x63, 0x9c, 0x14, 0xf7, 0x1d, 0xc0, 0x8e, 0x4, 0x6c, 0x98, 0x9a, 0xc7, 0xb9, 0x69, 0x38, 0x20, 0xef, 0x80, 0x1e, 0x6c, 0x83, 0x40, 0x7c, 0xcf, 0x47, 0x44, 0x29, 0x8e, 0xd5, 0x17, 0xe, 0x21, 0x1c, 0x60, 0x12, 0x12, 0x2e, 0x7d, 0x50, 0x2b, 0x79, 0xe2, 0x17, 0x5a, 0xfa, 0xd3, 0xed, 0x98, 0xc5, 0x7e, 0xac, 0xb7, 0xf4, 0x51, 0xd1, 0xf8, 0xd5, 0xa7, 0xd, 0xe5, 0x5a, 0xb9, 0xce, 0xd6, 0xb8, 0xe, 0x3a, 0xdc, 0xb0, 0x92, 0xb4, 0xa1, 0x63, 0x28, 0xdd, 0xb3, 0x69, 0x7b, 0x15, 0x75, 0x62, 0x3d, 0x41, 0xc5, 0x4e, 0xc7, 0xc4, 0xe2, 0xc7, 0xc4, 0x5f, 0xbc, 0xf7, 0x9f, 0x32, 0xbe, 0xda, 0x9d, 0xfa, 0x60, 0xea, 0x2a, 0x5a, 0x83, 0x87, 0xcb, 0x45, 0x74, 0xad, 0xf5, 0x17, 0xf1, 0x1d, 0x69, 0x1d, 0xe9, 0x36, 0x26, 0xf4, 0x9b, 0xe4, 0x7b, 0xc0, 0x8f, 0x42, 0x32, 0xcc, 0xb, 0x90, 0xaa, 0xe9, 0x69, 0xae, 0x5c, 0x20, 0x5b, 0x5e, 0xf7, 0x9c, 0x39, 0x2b, 0x72, 0x69, 0x6f, 0x35, 0x42, 0x42, 0x79, 0xf6, 0x59, 0xb0, 0x3d, 0x63, 0x54, 0x20, 0xa2, 0x4, 0xb4, 0x98, 0x6b, 0x51, 0xf4, 0x60, 0x6f, 0xe4, 0xf5, 0xca, 0x68, 0x9e, 0x93, 0x8, 0xad, 0x66, 0xfc, 0xf1, 0xe8, 0x1f, 0xb2, 0x46, 0x63, 0xd4, 0x1b, 0x66, 0x36, 0xf0, 0x9d, 0xb6, 0x3c, 0x1d, 0xb0, 0x6f, 0xde, 0xa, 0xb4, 0x84, 0xa8, 0xe4, 0xa0, 0x5, 0x7d, 0xbf, 0x4a, 0x3d, 0xef, 0xd4, 0x69, 0x25, 0xd9, 0xf8, 0x61, 0xb2, 0xe6, 0xe1, 0xd7, 0x2b, 0x1c, 0xef, 0xdb, 0x4d, 0xc7, 0xe5, 0xb0, 0x3, 0x5, 0x37, 0x4c, 0x9a, 0xe0, 0x39, 0x1a, 0x36, 0x6a, 0x73, 0x84, 0xff, 0xe7, 0x8, 0x75, 0xd5, 0x7f, 0xf8, 0xed, 0x76, 0xc7, 0x67, 0xfd, 0x39, 0x19, 0x8a, 0x84, 0x5c, 0xcb, 0x70, 0x7c, 0x84, 0xd0, 0xd1, 0x3, 0xde, 0x5a, 0x91, 0x53, 0xf5, 0x4f, 0x3e, 0x82, 0xa9, 0xcf, 0x83, 0x4d, 0xb5, 0x8f, 0x4, 0x4e, 0xd, 0xf1, 0x6e, 0x14, 0x8, 0xb3, 0x36, 0x2a, 0xcb, 0xb6, 0xb3, 0x91, 0xa6, 0x14, 0x7f, 0x65, 0x20, 0xc6, 0x93, 0x9b, 0x41, 0x2f, 0x7f, 0xda, 0xe1, 0xd3, 0xa2, 0xaa, 0xb7, 0x4d, 0x7a, 0x6f, 0x16, 0xb0, 0xf4, 0x17, 0x83, 0xae, 0xe6, 0x74, 0xec, 0xce, 0xf7, 0xe3, 0xd3, 0xfb, 0xfd, 0x4b, 0x87, 0xe0, 0xac, 0x16, 0xb5, 0xfd, 0xa3, 0xf3, 0x81, 0xc6, 0x19, 0x60, 0x84, 0x3d, 0xb0, 0x20, 0x16, 0x7c, 0x5c, 0xee, 0x12, 0xb, 0x1, 0xc5, 0x63, 0x2b, 0xdd, 0xb4, 0x68, 0xba, 0x1e, 0xc5, 0x68, 0x66, 0x32, 0xcd, 0x3, 0xac, 0x5b, 0xcb, 0xb, 0x4e, 0xf7, 0x79, 0x62, 0x2a, 0xa8, 0xcd, 0x5f, 0x8f, 0x9f, 0x13, 0x8e, 0xfd, 0xfd, 0x5b, 0xee, 0xbd, 0xc4, 0x58, 0xe5, 0xf3, 0x77, 0x9f, 0x3f, 0xe3, 0xf4, 0xba, 0x6c, 0xd7, 0x69, 0x19, 0x77, 0x71, 0xa4, 0x97, 0x4c, 0x3a, 0xa7, 0xe6, 0xdc, 0xf6, 0x4b, 0xe8, 0x27, 0xda, 0xd1, 0xc2, 0xe6, 0x13, 0x96, 0x3d, 0x37, 0xff, 0xe9, 0xa6, 0x59, 0xd7, 0x3c, 0x19, 0x15, 0xf1, 0x2c, 0x26, 0xd2, 0x63, 0x25, 0x70, 0x9b, 0x3f, 0xc8, 0x5c, 0x33, 0x1a, 0x91, 0x84, 0x31, 0x8c, 0xe4, 0x13, 0x59, 0x6a, 0xba, 0x59, 0x34, 0x56, 0x19, 0x29, 0xb3, 0xc7, 0x61, 0xd, 0x92, 0x1b, 0xad, 0x25, 0x24, 0xa0, 0xb6, 0xb8, 0x5a, 0x80, 0x86, 0x60, 0x0, 0x8d, 0xda, 0x12, 0xc5, 0x2a, 0xfd, 0xc0, 0xf5, 0xbc, 0x6a, 0x84, 0xa4, 0x6c, 0xd7, 0x38, 0x21, 0xac, 0xd8, 0x51, 0xea, 0xaf, 0x43, 0xd4, 0x4c, 0x34, 0x45, 0x75, 0x64, 0xcb, 0x85, 0xca, 0xed, 0xcd, 0x66, 0x24, 0x1b, 0x9f, 0x8c, 0x53, 0x9, 0x1a, 0x10, 0xb7, 0xb, 0x14, 0x5d, 0x11, 0x11, 0x5e, 0x51, 0xe8, 0x8a, 0xac, 0x9e, 0xf5, 0x3, 0x6f, 0x67, 0xff, 0x63, 0xd, 0xfb, 0x4a, 0x23, 0x7d, 0x51, 0x55, 0x5e, 0x75, 0xc1, 0x8f, 0x20, 0x7e, 0x4e, 0xdb, 0xc2, 0x61, 0x5d, 0x4b, 0x8a, 0xf2, 0xce, 0x59, 0x98, 0xaa, 0xf, 0x3, 0xaf, 0x34, 0xfc, 0xd4, 0xd6, 0xbd, 0x74, 0x47, 0x54, 0x53, 0xe4, 0x53, 0x10, 0x51, 0xbc, 0xa2, 0xdb, 0x3a, 0xcc, 0xe, 0x4d, 0x83, 0xf5, 0x71, 0xe3, 0xba, 0xf7, 0xd7, 0x15, 0x42, 0xbc, 0x63, 0x86, 0x6c, 0xbf, 0x57, 0xfd, 0xfc, 0x1d, 0x1b, 0x90, 0xd6, 0x3d, 0x38, 0xd2, 0xde, 0xc3, 0x7d, 0x58, 0xb5, 0xb4, 0xfb, 0x49, 0x3b, 0x62, 0x5f, 0x62, 0x7, 0x8d, 0xa0, 0x44, 0xfd, 0x62, 0xb7, 0xe9, 0x9d, 0x5b, 0xd6, 0xe4, 0x3e, 0xde, 0x15, 0x78, 0x71, 0x6e, 0x4b, 0x99, 0x5a, 0xd1, 0x31, 0xe1, 0xa7, 0xa0, 0xc7, 0x95, 0xd9, 0xaa, 0x23, 0xc0, 0x26, 0xf2, 0x6d, 0xb4, 0xc8, 0xed, 0xfc, 0x2a, 0x70, 0x4d, 0x9, 0xfd, 0x8c, 0x86, 0xa8, 0xd6, 0xce, 0xcd, 0x43, 0xc7, 0x7b, 0x75, 0xbe, 0xca, 0x1f, 0xc4, 0xe, 0xd7, 0xb7, 0x90, 0x93, 0xac, 0xdd, 0x47, 0x9e, 0x6c, 0x2a, 0x90, 0xaa, 0x10, 0x93, 0x25, 0x94, 0x6, 0x72, 0xeb, 0xd0, 0x64, 0x54, 0xf5, 0x80, 0x7e, 0xd1, 0xa7, 0x13, 0xa6, 0x67, 0xa7, 0xe1, 0xd3, 0x89, 0xad, 0x7d, 0xc9, 0xc8, 0x60, 0x12, 0x79, 0x77, 0xe7, 0xcb, 0xf0, 0xe4, 0x1f, 0xf2, 0x2f, 0xec, 0x10, 0xbc, 0xe6, 0xe9, 0xc2, 0x4a, 0x98, 0xed, 0x5, 0xa3, 0xcb, 0x77, 0xe8, 0x3d, 0xc5, 0xe3, 0xdc, 0x4f, 0x62, 0x83, 0xb2, 0xf9, 0xba, 0x9b, 0xec, 0xc0, 0x85, 0x14, 0xcd, 0x51, 0x94, 0x5e, 0xc8, 0x1e, 0x76, 0xb1, 0x6d, 0x75, 0x13, 0x1f, 0x55, 0x7e, 0xb9, 0xa4, 0x98, 0x8b, 0x3c, 0xe5, 0x28, 0xcc, 0x96, 0x40, 0xf8, 0xe3, 0xae, 0xb2, 0x8d, 0x1a, 0xf, 0x92, 0xa0, 0x61, 0xc3, 0x48, 0xa, 0x19, 0x31, 0x8c, 0x2d, 0x67, 0x8b, 0xa9, 0xd4, 0x55, 0x18, 0x0, 0xd1, 0xe7, 0xc1, 0x7b, 0x2a, 0x4b, 0x3f, 0xbf, 0x7, 0xfb, 0x2c, 0x24, 0xc4, 0x8b, 0xa2, 0x32, 0x3f, 0x4a, 0xf4, 0x9b, 0xfa, 0xd1, 0x63, 0xd, 0x7d, 0x13, 0xe5, 0x64, 0x9f, 0xd8, 0xa9, 0x2, 0x52, 0xc0, 0x8f, 0x65, 0x9, 0x63, 0x43, 0x50, 0x74, 0x48, 0x89, 0x48, 0x61, 0xda, 0x98, 0xd5, 0xf8, 0x30, 0xae, 0xe9, 0x91, 0xaf, 0x8b, 0x81, 0xd1, 0x10, 0xd7, 0x2e, 0x20, 0xc, 0x6a, 0x8b, 0x6, 0x9e, 0x7e, 0xe2, 0x44, 0x6b, 0x1a, 0x1c, 0xfb, 0xdc, 0x28, 0x1e, 0xdc, 0x57, 0xac, 0xd6, 0x64, 0xcb, 0x3a, 0x88, 0xa5, 0x76, 0xe1, 0x42, 0xac, 0xe2, 0x82, 0x99, 0x64, 0x2b, 0x78, 0xe2, 0x46, 0xba, 0x4e, 0x32, 0xf5, 0x50, 0x83, 0xe1, 0xaf, 0xaa, 0x8c, 0x3d, 0xca, 0x74, 0xd6, 0xf5, 0xf2, 0x2a, 0xd8, 0xf3, 0x1e, 0xd, 0x60, 0x56, 0xed, 0xf, 0x9, 0xc2, 0x7, 0xde, 0x50, 0x59, 0xef, 0xe0, 0x48, 0x45, 0xeb, 0x4f, 0x5a, 0x76, 0x3f, 0x2, 0xf0, 0xb2, 0x90, 0x67, 0xf1, 0x39, 0x33, 0x10, 0x3, 0xb3, 0xb3, 0xc8, 0xa3, 0x61, 0x1d, 0x78, 0x92, 0xa6, 0xe, 0x6d, 0x87, 0x32, 0x54, 0x38, 0xbc, 0x8, 0x3, 0x7b, 0x2, 0x28, 0xfb, 0x5, 0xcf, 0xbe, 0x2f, 0xe1, 0xb1, 0xa4, 0x7d, 0x68, 0x6c, 0x63, 0x58, 0x7c, 0x21, 0x7, 0x3d, 0x0, 0xe3, 0x0, 0xa3, 0xb2, 0x1, 0x5e, 0x37, 0xa9, 0x3b, 0x61, 0x6e, 0xe1, 0x1d, 0x88, 0x5, 0x84, 0x8c, 0xa5, 0x8b, 0xf4, 0xf8, 0x14, 0x30, 0xc4, 0x53, 0xc6, 0xf9, 0xd0, 0xa0, 0xd6, 0x97, 0x68, 0x1c, 0xbc, 0x55, 0x7f, 0xd, 0x3b, 0xe, 0xea, 0xe0, 0xd8, 0xad, 0x7a, 0x5b, 0xb8, 0x92, 0xaa, 0x5b, 0xb3, 0xf4, 0x48, 0x4e, 0x67, 0xb7, 0xd1, 0xec, 0x2b, 0xc2, 0x9a, 0x7a, 0x6d, 0x8d, 0xf7, 0xd7, 0xe2, 0xd0, 0x95, 0x9c, 0xf9, 0x62, 0x42, 0x7, 0xf5, 0xe9, 0x11, 0xf6, 0x89, 0xa, 0x47, 0x52, 0x48, 0xec, 0x9d, 0x86, 0x92, 0x19, 0x91, 0xaa, 0xf7, 0xe2, 0xaa, 0x6d, 0x4e, 0x77, 0x2e, 0x7f, 0xed, 0xbc, 0x19, 0xa, 0x9e, 0xe3, 0xe0, 0x3a, 0x7b, 0x7e, 0x67, 0xae, 0x91, 0x8a, 0x3f, 0x29, 0xd3, 0x1f, 0x61, 0xc8, 0x45, 0xcb, 0xb0, 0x63, 0xd3, 0x3b, 0xe9, 0x9a, 0x30, 0xcf, 0x1c, 0x1d, 0xbe, 0xe1, 0xca, 0x20, 0x39, 0xe7, 0xb, 0xf8, 0xa3, 0x1, 0xdf, 0x8e, 0x49, 0x74, 0xba, 0xac, 0xaa, 0x90, 0xac, 0xf5, 0xb2, 0x4a, 0x2a, 0x6d, 0x1e, 0xf1, 0x50, 0x35, 0x23, 0x3f, 0xf0, 0xc5, 0x60, 0x2e, 0xfd, 0x5a, 0x92, 0x11, 0x94, 0xd0, 0xd4, 0xa6, 0xe5, 0x58, 0xd2, 0xc3, 0x65, 0x5b, 0xa9, 0x6a, 0x2c, 0x90, 0x9f, 0xb5, 0xcf, 0x19, 0x1a, 0x68, 0x5c, 0xad, 0xf5, 0x3a, 0x1, 0x86, 0xb4, 0xf3, 0x38, 0x96, 0x97, 0x76, 0x67, 0x50, 0xa2, 0x28, 0xb, 0x8e, 0xa3, 0xd0, 0xb4, 0x32, 0x12, 0x4f, 0x7b, 0x6a, 0xd3, 0xb8, 0x84, 0x47, 0xa6, 0x96, 0xa6, 0x66, 0x2, 0x9e, 0xa1, 0xcf, 0x7f, 0x4b, 0xfb, 0xc3, 0x92, 0xfd, 0x64, 0x1f, 0x5e, 0xdf, 0x19, 0x6d, 0x50, 0x11, 0x49, 0x95, 0x6d, 0xa1, 0x3c, 0x7a, 0x69, 0xe1, 0x9f, 0x98, 0x9f, 0x7d, 0xa8, 0x27, 0x23, 0x8c, 0x8d, 0x48, 0x7e, 0x17, 0xa3, 0x7d, 0x3, 0x28, 0xce, 0x43, 0xa5, 0x18, 0x55, 0x3c, 0xf9, 0x76, 0x1d, 0x7, 0xea, 0x3b, 0x6d, 0xa, 0x22, 0x48, 0xfd, 0x5f, 0x58, 0x3, 0xe, 0xd7, 0xe7, 0x9d, 0x17, 0x55, 0x56, 0x70, 0x45, 0xa8, 0x72, 0x5c, 0xc, 0x78, 0x3e, 0x9c, 0x2, 0x50, 0x1d, 0xcb, 0xb4, 0x2, 0xc1, 0x39, 0xe8, 0x75, 0xf0, 0xd5, 0xbd, 0x71, 0x3e, 0x22, 0xb8, 0x98, 0xb4, 0xf0, 0xf4, 0x60, 0x64, 0xa5, 0x8d, 0x4b, 0x6d, 0x6c, 0xe0, 0x82, 0x26, 0xd4, 0x40, 0xa7, 0x96, 0xc9, 0x53, 0xae, 0x4e, 0x2c, 0x70, 0x89, 0x63, 0xef, 0x8b, 0x9d, 0xc1, 0x70, 0xff, 0xc6, 0xc2, 0x8d, 0x72, 0x35, 0x87, 0x35, 0x22, 0xdc, 0xc5, 0x2f, 0x12, 0xd6, 0x79, 0xf9, 0x77, 0xe2, 0x19, 0x3, 0xd0, 0xf5, 0x23, 0xc7, 0x8c, 0xed, 0xdd, 0x25, 0x4e, 0xe8, 0x7e, 0xa, 0x88, 0xcd, 0x63, 0xb0, 0xaf, 0xa8, 0x91, 0x60, 0xaf, 0x74, 0x35, 0xc6, 0xa7, 0x3e, 0x3f, 0x42, 0x7f, 0xde, 0x2, 0x84, 0xdc, 0xfc, 0xc, 0x52, 0xa1, 0x1a, 0xb3, 0x2f, 0x79, 0xd0, 0x62, 0x55, 0x16, 0x3b, 0xee, 0xb2, 0x47, 0x9a, 0x95, 0x5b, 0x3d, 0x88, 0xec, 0xdd, 0xb9, 0x99, 0xc7, 0x4, 0x38, 0x93, 0xb7, 0x80, 0x9f, 0xc0, 0x2d, 0xb8, 0x3d, 0x2d, 0x3d, 0x88, 0xe8, 0x69, 0xae, 0xf4, 0xa, 0xe7, 0x25, 0x2f, 0x5e, 0x5d, 0xc1, 0x85, 0x0, 0x4, 0x5, 0xce, 0xd9, 0x5f, 0x87, 0xf2, 0x38, 0x5a, 0x6b, 0xd0, 0xe8, 0x50, 0x28, 0xda, 0xb0, 0xbe, 0x9a, 0x35, 0x7f, 0x22, 0x15, 0xf2, 0x23, 0xe5, 0xe0, 0x37, 0x10, 0xf, 0x65, 0x3b, 0x1, 0x83, 0x95, 0x43, 0xab, 0x38, 0x44, 0x5e, 0x90, 0xc0, 0xef, 0xfb, 0x68, 0x42, 0x3, 0x6b, 0x77, 0x6, 0xc, 0xa2, 0x4b, 0x28, 0x7b, 0x33, 0x11, 0x6c, 0x1b, 0xc4, 0x49, 0xb9, 0x2, 0x4f, 0xef, 0x4b, 0x19, 0x47, 0x8d, 0x3b, 0x7c, 0x35, 0x5, 0x7e, 0xe, 0x0, 0x5b, 0xe1, 0x5f, 0xb4, 0x26, 0xb1, 0x28, 0x74, 0x66, 0x26, 0xc3, 0x44, 0x11, 0x92, 0xe0, 0x42, 0x93, 0xb9, 0xf8, 0x2c, 0x3e, 0x3, 0xb5, 0xf1, 0xc6, 0x4f, 0xf1, 0x54, 0xcf, 0xda, 0xdc, 0x60, 0x37, 0xfb, 0x7d, 0xa5, 0x7b, 0x8d, 0xd8, 0x31, 0xa, 0x5a, 0xd2, 0x77, 0x49, 0xf7, 0x68, 0xcb, 0x2f, 0xed, 0x4d, 0x7, 0x40, 0x76, 0x9a, 0x65, 0x47, 0x88, 0xf1, 0xc7, 0xf4, 0xdc, 0xf2, 0x69, 0xb1, 0x9d, 0x87, 0x6a, 0xf9, 0x6d, 0xd1, 0xd5, 0x75, 0x4d, 0x74, 0xb5, 0xef, 0xcc, 0xbe, 0xaa, 0xf5, 0xfd, 0x40, 0xc7, 0xd7, 0x21, 0x36, 0xe9, 0xed, 0x56, 0xcf, 0xc1, 0x76, 0xb5, 0x52, 0xce, 0xa9, 0x32, 0xb6, 0x27, 0x60, 0x6f, 0x9a, 0xe8, 0x3a, 0x40, 0xd3, 0x64, 0x5a, 0x78, 0xe8, 0xd, 0x5, 0xa, 0x66, 0x2e, 0x65, 0x82, 0x96, 0x47, 0xd6, 0xf3, 0x10, 0x2, 0xbe, 0xbc, 0x4f, 0xdf, 0x5e, 0xb2, 0x78, 0x5d, 0x31, 0xf9, 0xb4, 0xde, 0xf, 0x71, 0xc9, 0xf9, 0x35, 0x2, 0x1e, 0x9a, 0x0, 0x88, 0xf, 0xa1, 0xb8, 0x20, 0x48, 0x27, 0x40, 0xed, 0x2f, 0x40, 0x11, 0x8, 0x86, 0xac, 0xb7, 0x72, 0xbe, 0xe3, 0x63, 0x11, 0x60, 0x72, 0x26, 0x16, 0xd4, 0xea, 0x71, 0xc, 0x75, 0xad, 0xa3, 0x1e, 0xf7, 0xe3, 0x8b, 0xdc, 0xaf, 0x40, 0x71, 0x34, 0x2, 0x6b, 0xa6, 0x5a, 0xc6, 0x29, 0x6f, 0xe6, 0xa5, 0xc8, 0x8f, 0x39, 0x7, 0x64, 0xec, 0xc7, 0xf3, 0xa2, 0x38, 0x99, 0x17, 0x63, 0x67, 0x9, 0x14, 0x77, 0xb8, 0x1c, 0x1c, 0x71, 0xe, 0xba, 0x4f, 0xcf, 0x7c, 0xcf, 0x7c, 0x2f, 0x2a, 0x6f, 0xda, 0x65, 0xde, 0x1b, 0x9, 0x4e, 0x1a, 0x24, 0x91, 0xd8, 0xfc, 0x71, 0x1e, 0xc3, 0x56, 0x28, 0xcc, 0xc3, 0x1c, 0x44, 0x12, 0x7c, 0x7e, 0xb8, 0xc0, 0xaa, 0x24, 0xf2, 0xe5, 0x1e, 0x68, 0xd1, 0x3d, 0xea, 0x8, 0x73, 0xad, 0xf6, 0xd6, 0xae, 0x30, 0x22, 0x3e, 0xb5, 0x28, 0x17, 0xb0, 0xb8, 0xd4, 0x71, 0x7c, 0x7b, 0xf, 0x48, 0xd9, 0x94, 0xe3, 0xdf, 0xaf, 0x1c, 0xb2, 0x68, 0x23, 0x1f, 0xe2, 0x33, 0x78, 0xcc, 0x86, 0xb6, 0xfa, 0x11, 0xc9, 0xd7, 0xcc, 0xd1, 0x39, 0xfd, 0xf6, 0x61, 0xf, 0xa9, 0x90, 0x8d, 0x24, 0x8b, 0xeb, 0x16, 0xe2, 0xd, 0xd2, 0x22, 0xfc, 0x44, 0x8f, 0x5, 0xa5, 0x28, 0x96, 0xc6, 0x57, 0x92, 0x96, 0x26, 0x91, 0xce, 0x7, 0x58, 0x8a, 0x43, 0x4e, 0x1b, 0x8e, 0x7e, 0x9a, 0x10, 0xe4, 0x93, 0x38, 0x28, 0xad, 0xda, 0x9d, 0xd5, 0xaf, 0xcb, 0xc9, 0xc, 0xc3, 0x93, 0x80, 0x8d, 0x3d, 0xc6, 0x36, 0x5f, 0xf6, 0xb2, 0x32, 0xd, 0xa6, 0x9e, 0x46, 0x31, 0xdf, 0xc8, 0x91, 0x81, 0x3e, 0x4b, 0xdf, 0x93, 0xee, 0xb5, 0xde, 0x5b, 0x35, 0xc5, 0x17, 0x10, 0x9c, 0x28, 0xaa, 0x16, 0x86, 0x85, 0x31, 0x62, 0xd2, 0x10, 0xed, 0x48, 0xa4, 0x64, 0x4f, 0xed, 0x38, 0x8b, 0xb7, 0xef, 0xc4, 0xa8, 0x3, 0xeb, 0x81, 0x52, 0x3b, 0x32, 0x91, 0x5c, 0x1b, 0xd9, 0xbf, 0x2e, 0xff, 0xbe, 0xb6, 0x33, 0x2b, 0x88, 0xed, 0xa1, 0xd7, 0x22, 0x67, 0x51, 0x45, 0xfb, 0xd0, 0xab, 0xe8, 0x9f, 0x94, 0x1b, 0x44, 0x91, 0x6f, 0xa6, 0x81, 0xc1, 0x3a, 0x99, 0x4a, 0xa4, 0x63, 0x74, 0x6b, 0xb, 0x95, 0x5f, 0x2b, 0xa6, 0xf4, 0xcf, 0xa2, 0x1, 0xe8, 0x46, 0x44, 0x61, 0x22, 0xdf, 0x8c, 0x47, 0x2e, 0x27, 0x20, 0x3a, 0xfa, 0xb3, 0x50, 0xc6, 0x98, 0x9a, 0xc, 0x2a, 0x10, 0x70, 0xff, 0x73, 0x48, 0x98, 0x93, 0x0, 0xc5, 0x1, 0x6d, 0xa1, 0xfa, 0x6, 0x86, 0xec, 0x87, 0x8b, 0x4d, 0xdd, 0x9e, 0x94, 0x27, 0xc1, 0xf, 0x60, 0xd4, 0x6b, 0x6f, 0x0, 0x7a, 0xa9, 0xe7, 0x59, 0xff, 0xbe, 0x5e, 0x30, 0xd1, 0x9c, 0xf6, 0x28, 0xa2, 0xb5, 0x62, 0x86, 0xd1, 0x9, 0x62, 0x26, 0x8b, 0x40, 0xd4, 0xaa, 0x7d, 0x5d, 0xb8, 0x0, 0xb3, 0xb1, 0x8e, 0xf, 0x11, 0x48, 0x7e, 0xab, 0xaa, 0x64, 0x4, 0xd2, 0x3c, 0x78, 0x66, 0x61, 0xa0, 0x8b, 0xf, 0x25, 0x8b, 0xf6, 0x2d, 0xeb, 0x8a, 0xa0, 0xb2, 0x61, 0xc4, 0xe0, 0x97, 0x38, 0xd, 0x64, 0xbd, 0xe, 0x6f, 0x8f, 0x6f, 0xa6, 0x5d, 0x47, 0x41, 0xe1, 0x22, 0x33, 0x99, 0xe, 0x98, 0x45, 0x32, 0xe7, 0xad, 0x55, 0xd6, 0x0, 0x72, 0x6, 0x81, 0x57, 0x96, 0xf5, 0xa6, 0xe1, 0x6b, 0x13, 0xdb, 0xbe, 0x23, 0xfc, 0xe4, 0x79, 0xd8, 0x13, 0xaf, 0xdc, 0x6c, 0x24, 0x9f, 0xe, 0xac, 0x61, 0xf9, 0x17, 0x31, 0xb9, 0xc2, 0x1a, 0x9e, 0xdb, 0xeb, 0xb5, 0x41, 0xa7, 0xc8, 0xd1, 0x3b, 0x69, 0x6c, 0x46, 0xe2, 0xed, 0x82, 0x1e, 0x70, 0xd1, 0x3d, 0x4f, 0x6b, 0xde, 0xfc, 0x6f, 0x64, 0xa4, 0xca, 0x0, 0x4e, 0x80, 0x1f, 0x24, 0x49, 0x94, 0x70, 0x88, 0xdc, 0x43, 0x86, 0xe9, 0x6d, 0xf8, 0x73, 0xa2, 0x1c, 0x7f, 0xa3, 0x98, 0x98, 0x88, 0x28, 0x92, 0x9f, 0x19, 0xa3, 0xdf, 0x4a, 0x1e, 0xc, 0x58, 0xba, 0x73, 0xc2, 0xf0, 0x82, 0xbc, 0x65, 0xaf, 0x38, 0xd, 0xf, 0x3b, 0xcd, 0xa6, 0xf8, 0xb5, 0x8a, 0xb2, 0xd8, 0x8e, 0x4d, 0x89, 0x75, 0x85, 0xe0, 0xa6, 0xee, 0x15, 0x32, 0xc9, 0xe, 0x98, 0xb9, 0x42, 0x46, 0x9f, 0x34, 0x9d, 0x29, 0xa, 0x17, 0x19, 0xb7, 0xba, 0xb5, 0x36, 0xbc, 0x2b, 0x16, 0x2c, 0xb3, 0xa2, 0x3c, 0xd2, 0x4b, 0x85, 0x73, 0x35, 0x6, 0x15, 0x81, 0xf6, 0xdf, 0x92, 0x62, 0x41, 0xff, 0x99, 0xdb, 0xb5, 0x4b, 0xe3, 0x50, 0xa1, 0xb7, 0x55, 0x3d, 0xc1, 0xa3, 0x28, 0x20, 0x7a, 0xb9, 0x6, 0x45, 0x42, 0xe5, 0xc1, 0x6, 0xf4, 0x86, 0xcf, 0x95, 0xcd, 0xb9, 0xb9, 0xc1, 0xb0, 0xfa, 0x73, 0xae, 0xa9, 0x11, 0xb3, 0xab, 0x85, 0x36, 0xa3, 0xa9, 0x96, 0xa9, 0xaf, 0x3e, 0x97, 0x2, 0x1d, 0x57, 0x34, 0x29, 0xaf, 0x9b, 0x6f, 0xff, 0xe8, 0x40, 0x7c, 0x25, 0x21, 0x81, 0xab, 0xe4, 0xb1, 0x30, 0x2d, 0xd9, 0xe4, 0x28, 0xad, 0x9, 0x82, 0xb5, 0xe4, 0x9, 0x35, 0xa0, 0x51, 0x7c, 0xf, 0x12, 0x5b, 0xc3, 0xf8, 0x1, 0xbb, 0x60, 0x21, 0x1a, 0xc3, 0xde, 0xf9, 0x83, 0x2c, 0xb0, 0x73, 0xd5, 0xd9, 0x6a, 0x23, 0x8b, 0x8c, 0x98, 0x65, 0xe3, 0x7b, 0xa5, 0xae, 0x83, 0xe9, 0x53, 0x4e, 0x83, 0x6f, 0x64, 0x4d, 0x73, 0x68, 0xe9, 0x9b, 0x30, 0xa6, 0x5d, 0x8f, 0xea, 0x37, 0x91, 0x16, 0xce, 0xf1, 0xc1, 0x24, 0xa6, 0xf3, 0x10, 0x21, 0x9, 0x44, 0xca, 0xa2, 0x9e, 0x2a, 0x78, 0xb5, 0xf1, 0x46, 0x5b, 0x9e, 0x73, 0x94, 0xdf, 0x6a, 0xb1, 0xf8, 0xf4, 0xe, 0x41, 0xf8, 0x56, 0x6a, 0x26, 0x7b, 0xc4, 0xfe, 0x1a, 0x24, 0x97, 0xc1, 0x87, 0x9c, 0x6d, 0x8e, 0x6b, 0x40, 0xa, 0x1b, 0xab, 0x42, 0xcd, 0x2, 0x3e, 0x3f, 0x80, 0x69, 0xec, 0xdb, 0x4, 0xa8, 0x9, 0x3, 0x7f, 0x5f, 0xd0, 0xba, 0x3b, 0xf7, 0x85, 0x3b, 0xa8, 0x7f, 0x19, 0x8e, 0xad, 0x73, 0x72, 0x9, 0xc6, 0xc1, 0xad, 0x67, 0x50, 0xe, 0x44, 0x97, 0xc0, 0x8c, 0x89, 0x11, 0xb3, 0xa0, 0x7f, 0x74, 0x3f, 0x65, 0xac, 0xe, 0xcd, 0xe4, 0x72, 0xa2, 0xe2, 0xbc, 0xd0, 0x14, 0xf9, 0x51, 0x58, 0xba, 0x4b, 0xe3, 0x3e, 0xa4, 0xc4, 0x60, 0x96, 0x1a, 0x7a, 0xe9, 0xcd, 0xc8, 0xa1, 0xce, 0x67, 0xa3, 0xe5, 0xe3, 0xab, 0x71, 0x72, 0xa9, 0x8b, 0x95, 0x9d, 0xcd, 0x15, 0x16, 0x3d, 0xb6, 0x7e, 0xff, 0xf3, 0xb0, 0x20, 0xae, 0xf5, 0xce, 0xd, 0x28, 0xa2, 0xdc, 0xf8, 0x94, 0x37, 0xa4, 0x44, 0x63, 0x26, 0x36, 0x5c, 0x3c, 0x48, 0x3a, 0x92, 0xca, 0xdc, 0xa0, 0x10, 0x9d, 0x3f, 0xbf, 0x6b, 0x6b, 0x2d, 0xf3, 0xbd, 0xd9, 0x81, 0xca, 0xc5, 0x20, 0xb3, 0x95, 0xa, 0xb5, 0x47, 0xff, 0x28, 0xe, 0x62, 0x71, 0x33, 0xf0, 0xce, 0x1, 0x3b, 0x3e, 0x93, 0x53, 0x1, 0x10, 0x99, 0x85, 0xbf, 0x81, 0xf0, 0xd6, 0xc8, 0xa8, 0xc3, 0xa0, 0xe9, 0x3b, 0x18, 0x66, 0xa5, 0xdc, 0x41, 0xc3, 0x85, 0xc1, 0xb6, 0xa3, 0x2a, 0x62, 0xd8, 0xda, 0xfe, 0xe7, 0x7d, 0xfb, 0x6d, 0x1b, 0x90, 0x92, 0x4d, 0xe8, 0x99, 0x88, 0xd2, 0x4a, 0x7c, 0xe, 0x2b, 0xa0, 0x30, 0x36, 0xcf, 0xd3, 0x2f, 0xaa, 0x1d, 0xc8, 0xc7, 0x9f, 0xe5, 0x89, 0xdf, 0x47, 0x95, 0x31, 0xd1, 0x33, 0x67, 0x49, 0xcd, 0x84, 0x81, 0xbe, 0xb2, 0x2b, 0x41, 0xd3, 0x93, 0xeb, 0x49, 0xf4, 0xd5, 0x6b, 0x11, 0x85, 0xe0, 0xab, 0xf, 0x47, 0x25, 0x10, 0x53, 0x28, 0x87, 0x75, 0x33, 0xa4, 0x4, 0x2f, 0xd5, 0xbf, 0xe2, 0x7e, 0x18, 0x39, 0x4e, 0x74, 0xbc, 0x9e, 0x7d, 0x44, 0x6b, 0x16, 0x36, 0x2c, 0x32, 0x4b, 0xfd, 0x3c, 0x43, 0xad, 0x92, 0x51, 0xab, 0x79, 0xba, 0x17, 0xa8, 0x6a, 0x72, 0xeb, 0x15, 0xdb, 0xc1, 0xd8, 0xac, 0x6e, 0xf9, 0x63, 0xbe, 0x76, 0x4, 0x91, 0x1e, 0xf7, 0xfa, 0x16, 0x65, 0x7e, 0xc9, 0xda, 0x9b, 0x4e, 0xd7, 0x9e, 0xf4, 0x30, 0xc2, 0x60, 0x93, 0x77, 0x88, 0x49, 0xea, 0x74, 0x1e, 0xe3, 0x1d, 0xec, 0xa6, 0xa2, 0x45, 0xb6, 0x3f, 0xe5, 0xce, 0x1d, 0x58, 0x14, 0x3f, 0x48, 0x8f, 0x91, 0x23, 0xef, 0xba, 0x3b, 0xd1, 0x37, 0xd1, 0xfc, 0xdd, 0x2d, 0x6d, 0x42, 0x3a, 0x74, 0xd2, 0xe, 0xe5, 0xcd, 0x54, 0x67, 0x7e, 0xd9, 0xe4, 0xc5, 0x4f, 0xa3, 0x89, 0x68, 0xe1, 0xde, 0x49, 0xe9, 0xd2, 0xcf, 0x72, 0x39, 0xf2, 0x2a, 0x3e, 0x23, 0x52, 0xe0, 0x1a, 0x6a, 0x6, 0x94, 0x1d, 0xbe, 0x75, 0x9e, 0x0, 0x13, 0xf4, 0xab, 0x38, 0xc7, 0x31, 0xca, 0x6c, 0x8, 0x99, 0xc4, 0x9b, 0x1d, 0xd6, 0xb, 0xb5, 0x1e, 0xbc, 0xe2, 0xf5, 0x8c, 0x4a, 0x9b, 0x4a, 0xac, 0x83, 0x6f, 0x94, 0xf7, 0xc5, 0x6c, 0xeb, 0x28, 0xab, 0xff, 0xeb, 0xfc, 0x93, 0xda, 0x27, 0x4c, 0xf6, 0xd8, 0x4c, 0x64, 0xec, 0x92, 0xc4, 0x51, 0x7b, 0x9d, 0x27, 0x90, 0xd7, 0xa2, 0x58, 0x56, 0x52, 0xc7, 0x1f, 0xc5, 0x1f, 0xed, 0xc, 0x17, 0x30, 0x43, 0x8f, 0xed, 0x8a, 0x65, 0x3e, 0xeb, 0x59, 0xda, 0x5, 0x2e, 0x94, 0x61, 0xb, 0x22, 0x37, 0xdc, 0xd, 0xa3, 0x60, 0x3d, 0xba, 0x87, 0x7f, 0x2e, 0x74, 0xd1, 0x1c, 0x31, 0x7c, 0x6e, 0x1b, 0xb0, 0xf6, 0xee, 0xff, 0x73, 0x64, 0x51, 0x7c, 0x25, 0x76, 0xef, 0x19, 0xe5, 0x3c, 0xe7, 0x77, 0xd4, 0x18, 0xd3, 0x18, 0x58, 0x6f, 0xc0, 0xed, 0x63, 0x79, 0x3, 0x2e, 0x2, 0xab, 0xf3, 0xf5, 0xd1, 0x8b, 0x89, 0x3a, 0x40, 0xf0, 0xca, 0x33, 0x60, 0x49, 0xa0, 0x8d, 0x3b, 0xe4, 0x72, 0xdd, 0xcf, 0xa1, 0xe, 0xe1, 0x94, 0x9, 0xe2, 0xc0, 0x73, 0xba, 0x20, 0x6d, 0xec, 0xb1, 0xd1, 0xfa, 0xbc, 0xb6, 0xec, 0xc9, 0x29, 0x3, 0x9d, 0xbd, 0x84, 0x2c, 0xa1, 0x42, 0xff, 0xf1, 0x4a, 0x67, 0xc, 0x39, 0xc4, 0x3e, 0x1f, 0x75, 0xca, 0xe0, 0xe5, 0x1, 0xf7, 0x36, 0xbb, 0x27, 0x92, 0x66, 0xaf, 0x5c, 0x51, 0xff, 0xdf, 0x65, 0x3f, 0xbd, 0x7b, 0xcd, 0xc4, 0x79, 0xf5, 0x5d, 0x5, 0x12, 0x59, 0x85, 0x97, 0xb2, 0x8f, 0xef, 0x32, 0xc7, 0x7a, 0xe4, 0x3, 0x72, 0xed, 0x1d, 0x1a, 0x33, 0x1c, 0xcd, 0x5c, 0xc4, 0x3d, 0xa9, 0xd4, 0xd2, 0x18, 0x33, 0x8e, 0x33, 0xec, 0xbd, 0x63, 0xe9, 0x8d, 0xbe, 0xbb, 0xd7, 0x3d, 0x73, 0xbd, 0x7e, 0xc4, 0xa2, 0xba, 0xc3, 0xbc, 0x61, 0xde, 0xcb, 0xef, 0x35, 0x19, 0xad, 0x21, 0xa8, 0x5c, 0xdd, 0x4c, 0x2, 0x8c, 0x66, 0xac, 0x91, 0x49, 0xfa, 0xcd, 0xc1, 0xe4, 0x58, 0xa5, 0x7b, 0xda, 0xb4, 0x8f, 0x90, 0xe0, 0x4c, 0x1d, 0x49, 0xe8, 0xbd, 0x85, 0xf6, 0xf9, 0x69, 0xa8, 0x7b, 0x78, 0x1c, 0xf4, 0x81, 0xcb, 0xb, 0x2a, 0x7b, 0xe1, 0x40, 0xd2, 0x1f, 0x85, 0x2c, 0x52, 0x5c, 0xf6, 0xe3, 0x5c, 0xdf, 0x68, 0x2e, 0x51, 0xce, 0x13, 0xee, 0xd5, 0xb6, 0x52, 0xb9, 0xd4, 0xa7, 0xaf, 0x7e, 0xad, 0x31, 0x8b, 0xa, 0xdc, 0x8c, 0x20, 0x5e, 0x91, 0x1b, 0x75, 0x86, 0x5e, 0x16, 0xf4, 0x77, 0x64, 0x5d, 0x9b, 0x26, 0x8c, 0x8e, 0x91, 0x1b, 0x42, 0x44, 0xde, 0x5a, 0x8d, 0xd2, 0xba, 0x64, 0xf4, 0x79, 0xc2, 0x5e, 0x1b, 0xed, 0x26, 0x2e, 0xd7, 0x47, 0x2c, 0xe4, 0x65, 0x2d, 0x26, 0xf9, 0x67, 0x9e, 0x74, 0xe5, 0x98, 0x81, 0x44, 0x7e, 0x74, 0x34, 0x38, 0x67, 0x6, 0x41, 0x47, 0x54, 0x7e, 0xe3, 0xc1, 0xac, 0x37, 0x46, 0x22, 0x58, 0xe1, 0xf3, 0xec, 0xc9, 0xcb, 0x2, 0x3c, 0xa8, 0x5a, 0x80, 0x8e, 0xe9, 0xa8, 0x58, 0x0, 0xe8, 0x95, 0x55, 0x6e, 0xcd, 0xfa, 0x73, 0x18, 0x23, 0xa9, 0x32, 0xb3, 0xfd, 0x7c, 0x19, 0xb6, 0x87, 0xac, 0x25, 0x41, 0xa8, 0xbe, 0x9e, 0x7a, 0xc, 0x51, 0xa3, 0xf7, 0x5, 0xd8, 0x4c, 0x8e, 0x42, 0x6e, 0xe0, 0x9a, 0x99, 0xdf, 0x24, 0x9c, 0x45, 0x71, 0x4d, 0xdc, 0xd5, 0x4d, 0xd5, 0x3c, 0xa0, 0xb8, 0x20, 0x4f, 0x32, 0x84, 0x14, 0x27, 0xb9, 0x74, 0x31, 0xd9, 0xf2, 0x24, 0x79, 0x50, 0xde, 0x3a, 0xf9, 0xbf, 0xac, 0xb8, 0x42, 0x7, 0x5, 0x33, 0x38, 0x3, 0xf8, 0x8f, 0x46, 0x3e, 0xa5, 0x37, 0x40, 0xdf, 0x4d, 0xf3, 0x6, 0xa4, 0x93, 0x69, 0x8d, 0x40, 0x1a, 0xcd, 0x70, 0x22, 0xc0, 0xe5, 0x43, 0x97, 0x15, 0x5a, 0xf8, 0x7d, 0xa6, 0x25, 0xc1, 0xc2, 0xc9, 0x6f, 0x39, 0xcb, 0xbf, 0x64, 0x10, 0xbf, 0xbe, 0xb7, 0x3, 0xcb, 0x6d, 0x80, 0xa9, 0x92, 0x45, 0x44, 0x7c, 0x54, 0xcd, 0x87, 0x44, 0x4b, 0x61, 0x2, 0x1b, 0x42, 0xc5, 0x2a, 0x69, 0x4f, 0x60, 0x3, 0x83, 0xd3, 0x91, 0x7b, 0x22, 0xe1, 0xff, 0x79, 0xf0, 0xbd, 0xf9, 0xaa, 0x15, 0x63, 0x3e, 0xf6, 0x19, 0xfb, 0x44, 0xf3, 0xf1, 0x65, 0xe5, 0x9e, 0xf9, 0x99, 0x91, 0x21, 0xd6, 0x1f, 0x66, 0x1d, 0x8a, 0x1c, 0xe4, 0x8c, 0xd4, 0xc6, 0x3b, 0x88, 0x8c, 0x4, 0xd9, 0x74, 0x3c, 0x8f, 0x11, 0x65, 0x10, 0x1b, 0x8b, 0xaf, 0xf, 0xee, 0x89, 0x38, 0x71, 0xb6, 0x1b, 0xe2, 0xd, 0xf7, 0x60, 0x7b, 0xb4, 0xca, 0x36, 0xd8, 0xdc, 0x4f, 0xae, 0xac, 0x64, 0x63, 0xce, 0x44, 0xc7, 0x6d, 0xea, 0x75, 0x33, 0x5b, 0x95, 0x47, 0xb0, 0x5f, 0x26, 0x64, 0xb7, 0xc3, 0xc2, 0x41, 0x98, 0x4c, 0x5d, 0x8a, 0xc6, 0x60, 0x4f, 0x45, 0xcf, 0xd7, 0x8f, 0xe9, 0x60, 0xc, 0xea, 0x6a, 0x75, 0xe2, 0xfb, 0x1, 0xc7, 0x79, 0x1c, 0xb2, 0xaa, 0x5e, 0x88, 0xc8, 0x9, 0xcf, 0xbd, 0xd1, 0x91, 0xef, 0x59, 0x13, 0xca, 0x86, 0x25, 0x59, 0xf3, 0x57, 0x21, 0x8, 0x6a, 0x1c, 0x95, 0x51, 0x39, 0x94, 0xa5, 0xae, 0xd9, 0x6, 0xe7, 0xb7, 0xa2, 0x24, 0xef, 0xab, 0x57, 0xa2, 0xb1, 0x2e, 0x2e, 0x1e, 0x72, 0xa5, 0x3f, 0x98, 0xce, 0x6a, 0x51, 0xac, 0xee, 0x68, 0x3c, 0xdf, 0x82, 0x87, 0xc2, 0x47, 0x9d, 0xa7, 0xff, 0x7b, 0x57, 0x16, 0x4e, 0x63, 0x9f, 0xd6, 0xbd, 0x6c, 0xd4, 0xd2, 0x69, 0x8, 0x81, 0xbb, 0x45, 0x5a, 0x36, 0xc8, 0x68, 0x39, 0x8b, 0x7c, 0xe4, 0xbd, 0x51, 0x75, 0x26, 0x63, 0x76, 0xb8, 0xf3, 0x7a, 0x54, 0x67, 0x5b, 0x8f, 0x76, 0x90, 0x15, 0xff, 0xd3, 0x2e, 0xfb, 0xb2, 0x1d, 0x1c, 0x37, 0x40, 0x94, 0xa5, 0x17, 0x19, 0x69, 0x16, 0xe3, 0x14, 0x2c, 0x24, 0xdf, 0x78, 0xd1, 0xc0, 0x3, 0xc1, 0x2a, 0x86, 0xed, 0xce, 0x3f, 0xc9, 0x40, 0xaf, 0x84, 0xbb, 0xc5, 0x60, 0x79, 0x2b, 0x40, 0x39, 0xa6, 0xc8, 0xbc, 0xdc, 0xc7, 0x29, 0xcf, 0x6d, 0x7c, 0x8f, 0x47, 0xff, 0x9d, 0xf1, 0xfa, 0x22, 0xbd, 0x37, 0x33, 0xe4, 0x6a, 0x30, 0x71, 0x7a, 0x9b, 0x59, 0xbf, 0x5, 0x55, 0x7c, 0xef, 0xa8, 0x91, 0x46, 0x9c, 0x9e, 0x15, 0x9e, 0xe0, 0x19, 0xb1, 0xce, 0x74, 0x18, 0xe8, 0x3, 0xd4, 0x8d, 0xa9, 0x11, 0x52, 0x2, 0xe7, 0x25, 0x53, 0xd6, 0x82, 0xc9, 0x2b, 0x69, 0xda, 0x86, 0x12, 0xe3, 0xe7, 0xda, 0x7b, 0xf2, 0x80, 0x6d, 0x5f, 0xfb, 0x64, 0xf0, 0xa6, 0x47, 0x56, 0x9c, 0x3d, 0x40, 0x15, 0x4c, 0xd7, 0xa1, 0xe6, 0xc8, 0xfd, 0x5a, 0x13, 0x8b, 0xd6, 0xc6, 0x48, 0xda, 0x97, 0xff, 0xbf, 0x6d, 0xd6, 0x79, 0x79, 0x9, 0xc2, 0x1d, 0x53, 0x20, 0xea, 0xb9, 0xad, 0x96, 0x2, 0xf0, 0xc8, 0xb2, 0x4a, 0xd, 0x73, 0x33, 0xa3, 0x33, 0x19, 0x25, 0x7a, 0x2b, 0x12, 0x97, 0xaf, 0x45, 0x33, 0x23, 0xc1, 0x9c, 0x34, 0xc7, 0x36, 0xb0, 0x0, 0xf4, 0x73, 0x88, 0xde, 0x87, 0x56, 0xaf, 0x95, 0x75, 0x70, 0xa3, 0x47, 0x28, 0x92, 0xc1, 0xde, 0xf6, 0x7f, 0x58, 0x18, 0xe0, 0xb7, 0xcb, 0x91, 0xc1, 0x2f, 0xce, 0x3e, 0x28, 0x6e, 0x56, 0xdc, 0x20, 0x1c, 0x8b, 0xef, 0xc2, 0x78, 0xdc, 0xd2, 0x2e, 0x45, 0x5e, 0x53, 0xe6, 0x51, 0xed, 0x7f, 0x84, 0x29, 0x54, 0x56, 0xb3, 0xe, 0xd0, 0x3d, 0x67, 0xa, 0x86, 0x42, 0xc1, 0xfd, 0xb, 0xdd, 0x62, 0x8b, 0x27, 0x36, 0x1b, 0x72, 0x71, 0x57, 0x1a, 0x71, 0x3e, 0x29, 0x5a, 0x10, 0x27, 0x19, 0x76, 0x7f, 0xce, 0x1c, 0x0, 0xdf, 0x7d, 0x4c, 0xd0, 0x11, 0xb0, 0x81, 0xb6, 0xf7, 0x96, 0x19, 0xac, 0xa3, 0x92, 0xf7, 0xdf, 0x16, 0x30, 0xae, 0xc4, 0xf, 0xb, 0x12, 0xc, 0x58, 0xc7, 0xb8, 0xe, 0x96, 0x97, 0xf6, 0x35, 0xc0, 0xd3, 0x4, 0xde, 0xe2, 0x2c, 0x9f, 0x59, 0xf1, 0x28, 0x92, 0xad, 0xd2, 0xf8, 0x50, 0x24, 0x89, 0xab, 0xc1, 0x29, 0xb8, 0x9b, 0x12, 0x48, 0x7d, 0xc9, 0xaf, 0x50, 0x3a, 0xe1, 0x85, 0xd7, 0x24, 0xe0, 0x6e, 0xa9, 0x63, 0x27, 0xba, 0x45, 0x27, 0x7b, 0x6d, 0xfb, 0x3b, 0x1, 0x34, 0x65, 0x95, 0x42, 0x2a, 0xad, 0x1b, 0x67, 0x2, 0x62, 0x53, 0xbc, 0xd0, 0xe8, 0x7e, 0x4f, 0x3d, 0xea, 0x31, 0xdc, 0xc3, 0x42, 0xf, 0x2a, 0xf2, 0x32, 0x38, 0xf4, 0xa2, 0x87, 0x1a, 0x1a, 0x6, 0x61, 0xc6, 0x6b, 0x57, 0x45, 0x4b, 0xf6, 0xc9, 0x78, 0x9, 0xd2, 0x5f, 0xfb, 0x6d, 0x3c, 0xac, 0xab, 0xb7, 0x90, 0x1b, 0xe0, 0xb7, 0x0, 0x6a, 0xf3, 0x27, 0x36, 0x9e, 0x42, 0xe9, 0xcd, 0x33, 0xf7, 0x68, 0xcb, 0xe8, 0xbf, 0xdc, 0x81, 0x46, 0x3a, 0x95, 0xe3, 0xc2, 0x3, 0x41, 0x24, 0xff, 0x96, 0xe3, 0xe7, 0xad, 0x6, 0x1b, 0x1c, 0x56, 0x33, 0x41, 0x34, 0xa7, 0xd0, 0x65, 0xac, 0xb9, 0x20, 0xe1, 0xd9, 0x19, 0x79, 0x92, 0x7, 0x6f, 0x6f, 0x57, 0x5a, 0x95, 0x1f, 0x69, 0x46, 0xc8, 0xcf, 0xa0, 0x65, 0x9d, 0x44, 0xa6, 0xc0, 0x2b, 0x2e, 0x3d, 0x9b, 0xed, 0x67, 0x97, 0xb8, 0x41, 0xa5, 0x7b, 0xc7, 0x15, 0x92, 0xdc, 0x4, 0x1b, 0xb2, 0xd1, 0xaf, 0x1e, 0xfe, 0x67, 0x10, 0xc4, 0xb7, 0xbf, 0x85, 0xa7, 0x29, 0x69, 0x6a, 0x3c, 0x7, 0xa2, 0x79, 0xdb, 0x5f, 0xa7, 0xf4, 0x36, 0x25, 0x6f, 0x69, 0xca, 0x9b, 0x80, 0x6d, 0xd2, 0x9a, 0x85, 0x7b, 0x7e, 0x19, 0x3b, 0x69, 0xc0, 0xf2, 0x6, 0x73, 0xa5, 0xc0, 0x8e, 0xf4, 0xd9, 0x6a, 0x65, 0x62, 0x2, 0x4d, 0x9a, 0x1f, 0x90, 0xc7, 0xe7, 0x2b, 0x60, 0x38, 0xb9, 0x43, 0x94, 0xc2, 0xbe, 0xa4, 0x73, 0x0, 0xf, 0xfc, 0x97, 0x3, 0xd0, 0x5f, 0x67, 0x8d, 0x6f, 0xa4, 0x8f, 0x66, 0x5b, 0x8c, 0x10, 0x22, 0x15, 0xc9, 0x4a, 0x37, 0x14, 0x2e, 0xe4, 0x83, 0x2, 0xd1, 0xa7, 0xef, 0x92, 0x4a, 0x2, 0x6d, 0xb, 0xf9, 0x6d, 0x3e, 0x67, 0x26, 0x1f, 0x58, 0x57, 0xd4, 0x14, 0xf9, 0x5, 0x12, 0x8c, 0xdf, 0x67, 0x62, 0x51, 0xc8, 0xf5, 0x62, 0x24, 0x6c, 0xe0, 0xb4, 0xf1, 0x97, 0x11, 0xc1, 0x90, 0x9c, 0xdd, 0xb3, 0x1c, 0x2d, 0x6e, 0x9e, 0x57, 0x90, 0x79, 0x5a, 0x2d, 0xf8, 0x28, 0x95, 0x61, 0x22, 0x6, 0xcd, 0x89, 0xe1, 0x90, 0x74, 0xdc, 0xb0, 0x19, 0xdf, 0x39, 0x29, 0xbd, 0x77, 0x71, 0x91, 0xc0, 0x5, 0x85, 0xb1, 0x18, 0xc4, 0xd9, 0x17, 0x31, 0xd, 0x47, 0xd5, 0xee, 0xa0, 0x3c, 0x89, 0x6c, 0xeb, 0x92, 0xef, 0x39, 0x40, 0x19, 0xa4, 0x44, 0x82, 0xef, 0x33, 0x45, 0x95, 0x75, 0x2d, 0x2d, 0x3c, 0x85, 0xac, 0x62, 0x54, 0xad, 0x8f, 0x59, 0xb7, 0xda, 0x83, 0x48, 0xa4, 0xd7, 0x32, 0x6d, 0xd1, 0xf5, 0xf7, 0xbb, 0x81, 0xd8, 0x1d, 0xfd, 0x2d, 0x4f, 0xfb, 0x95, 0x80, 0xc5, 0x5d, 0x54, 0xf2, 0xae, 0x39, 0xe2, 0xb9, 0x39, 0x1e, 0x4d, 0xa, 0xa7, 0x9, 0x46, 0xb2, 0xbb, 0x8e, 0x33, 0x3e, 0xb3, 0xd3, 0x61, 0x61, 0x54, 0xbd, 0x15, 0xc2, 0x1d, 0x5, 0x6, 0xda, 0x3d, 0x94, 0x34, 0xec, 0x9d, 0xee, 0xca, 0x82, 0x67, 0x4b, 0x8b, 0x8e, 0xe9, 0x50, 0x8e, 0x1f, 0x3a, 0xea, 0x91, 0xa5, 0x8e, 0x35, 0x24, 0x94, 0xc1, 0xe1, 0xa9, 0x27, 0xc8, 0xc4, 0x71, 0x94, 0x7a, 0xbb, 0x9, 0x5d, 0xaa, 0x8b, 0xa3, 0x9c, 0x8f, 0xb5, 0x57, 0xc0, 0xb4, 0x4a, 0xfb, 0x19, 0xee, 0xe0, 0x24, 0x5e, 0x6, 0x1, 0x4a, 0xbf, 0x77, 0xb8, 0x7, 0x51, 0x80, 0xcf, 0xb9, 0xbe, 0xb3, 0xa1, 0x81, 0x8f, 0x3f, 0x2b, 0x97, 0xa0, 0x64, 0x27, 0xce, 0x45, 0xe1, 0x3c, 0x4f, 0xf7, 0xf5, 0xc4, 0x28, 0xcc, 0xf1, 0xd0, 0xe2, 0x5b, 0x98, 0xf3, 0xc7, 0xd, 0xc, 0xee, 0xde, 0xc3, 0x25, 0x9e, 0xd3, 0xc0, 0xad, 0xf4, 0x7d, 0x80, 0xa0, 0x67, 0xc4, 0x20, 0x98, 0x61, 0x40, 0x58, 0x5a, 0xcf, 0x61, 0x93, 0xbc, 0xe, 0x44, 0x0, 0xd6, 0x2a, 0x42, 0xa6, 0x29, 0x77, 0x52, 0x49, 0xf4, 0x73, 0x3f, 0x75, 0x6a, 0xb2, 0xef, 0x79, 0xfc, 0x44, 0x8d, 0xf8, 0x94, 0x1c, 0x1d, 0x4d, 0xdc, 0xc0, 0x3b, 0xc5, 0xfb, 0xf0, 0x49, 0xd0, 0xa0, 0x98, 0x36, 0xb, 0xea, 0x47, 0xb7, 0x1e, 0x29, 0x8d, 0x22, 0xfe, 0xc3, 0x18, 0x52, 0xd6, 0x29, 0xc1, 0x43, 0xb5, 0x4, 0xb8, 0x35, 0x16, 0xc5, 0xac, 0xd1, 0xb8, 0x59, 0xc8, 0xfa, 0x68, 0xe6, 0xd6, 0x95, 0x7d, 0x69, 0x10, 0x6c, 0xdb, 0x2f, 0x45, 0xcb, 0x1a, 0x25, 0x30, 0x6e, 0x50, 0x6, 0xf3, 0x50, 0x65, 0x69, 0xee, 0x31, 0xd9, 0x48, 0x35, 0x93, 0x8, 0xe5, 0xb3, 0xb0, 0x5b, 0xef, 0xb0, 0xf4, 0x4f, 0x9a, 0x94, 0xb8, 0xbd, 0xf3, 0x88, 0x3c, 0x26, 0x83, 0x8b, 0x20, 0x89, 0x99, 0x1d, 0xdb, 0x30, 0x7c, 0x14, 0xab, 0x3, 0xdf, 0xd4, 0x44, 0xfd, 0x15, 0x65, 0xed, 0xc5, 0xb0, 0x2e, 0xe7, 0x75, 0x2f, 0xa1, 0x17, 0x89, 0xfe, 0xe3, 0x28, 0xe0, 0xbb, 0x6c, 0x7a, 0xeb, 0xc0, 0xaa, 0xc5, 0xe4, 0xfe, 0xe1, 0xe7, 0x40, 0x51, 0x7e, 0x69, 0xa5, 0xed, 0x47, 0x7f, 0x1f, 0x92, 0x54, 0xb4, 0x37, 0x1, 0x45, 0x4f, 0x85, 0x81, 0xcd, 0x95, 0x84, 0x5f, 0x62, 0xdb, 0x83, 0xe5, 0xb2, 0xcd, 0xa1, 0xb, 0xbe, 0x74, 0xe4, 0x6d, 0x5e, 0xdd, 0x7c, 0xfd, 0xe4, 0xae, 0x39, 0x17, 0x10, 0xe8, 0x7d, 0x43, 0x51, 0x42, 0x90, 0xad, 0xfd, 0x81, 0x78, 0x4f, 0x91, 0x25, 0xab, 0xf6, 0x2c, 0xd, 0x56, 0x8f, 0x63, 0xcf, 0xe5, 0x4d, 0x5, 0xcc, 0x3f, 0xc0, 0xb, 0xb9, 0x50, 0x63, 0xb0, 0x18, 0xa7, 0x11, 0x28, 0x93, 0xff, 0x11, 0xbd, 0x9b, 0x30, 0xb3, 0x0, 0x2f, 0x74, 0x49, 0x4, 0xb4, 0x6f, 0x8a, 0x10, 0x76, 0x66, 0xd2, 0x51, 0xa8, 0xe0, 0xb9, 0x1b, 0x80, 0xc1, 0x90, 0x89, 0xbf, 0xbe, 0x99, 0xd0, 0xd, 0x61, 0x70, 0x7d, 0x51, 0xa, 0xb2, 0x5e, 0x11, 0x83, 0xf6, 0x2d, 0x6c, 0x33, 0x34, 0xfe, 0x77, 0x67, 0xfc, 0xc6, 0xcd, 0xc7, 0xdd, 0x70, 0x68, 0x83, 0xde, 0x87, 0xb, 0x88, 0x5, 0x61, 0xb1, 0xbe, 0xdd, 0xc4, 0xd9, 0xca, 0x84, 0x35, 0x34, 0xe2, 0x4b, 0x75, 0x3d, 0x1c, 0x4f, 0x16, 0xb3, 0x94, 0xc8, 0xe6, 0xc1, 0x3a, 0xed, 0x31, 0x7, 0x4c, 0x90, 0x6b, 0x4f, 0xec, 0x7d, 0x32, 0x26, 0x55, 0x38, 0x1c, 0xc6, 0xae, 0x7b, 0x26, 0x29, 0x3b, 0xfd, 0xc1, 0x58, 0x9d, 0x42, 0xff, 0xeb, 0xb8, 0x93, 0xb, 0x8c, 0xc0, 0x86, 0xd8, 0x22, 0x53, 0x89, 0xdb, 0x2d, 0xb2, 0x0, 0x5e, 0xca, 0xb7, 0xd8, 0xfe, 0xc3, 0x17, 0x1, 0x33, 0xcf, 0xf6, 0x1, 0x9c, 0x81, 0xfa, 0xc6, 0x9a, 0xd4, 0x54, 0xbd, 0xf, 0x3c, 0xbd, 0xa6, 0xda, 0x6d, 0xcf, 0xa2, 0x49, 0x80, 0x68, 0x30, 0x74, 0x91, 0x5a, 0x76, 0x72, 0x76, 0x3c, 0x6, 0x6a, 0xa, 0xbf, 0xb9, 0x47, 0x5, 0x64, 0xce, 0xa3, 0x37, 0x33, 0xa6, 0xb1, 0x98, 0xc8, 0x99, 0xc0, 0x42, 0x61, 0x69, 0xee, 0x5, 0xd, 0x80, 0xab, 0xb5, 0xd6, 0xac, 0xa5, 0x11, 0x59, 0x3f, 0x96, 0xf1, 0x63, 0x10, 0x20, 0x46, 0x57, 0x61, 0xee, 0xba, 0xa, 0x21, 0x96, 0xa5, 0x49, 0xa6, 0xd9, 0x36, 0x8c, 0x13, 0xa7, 0x1b, 0x63, 0x43, 0xd0, 0xae, 0x46, 0xcd, 0xd6, 0x58, 0x8a, 0xdd, 0xc6, 0x14, 0xd2, 0x34, 0x66, 0x8e, 0xb5, 0x33, 0xb6, 0x9c, 0x28, 0xc3, 0x1b, 0xf8, 0x47, 0x50, 0x30, 0xc1, 0xe5, 0x77, 0xa1, 0x26, 0xe2, 0xe0, 0xed, 0x12, 0x4f, 0x6f, 0x5a, 0x6, 0x62, 0xca, 0x2c, 0x33, 0x7b, 0x48, 0xbe, 0x67, 0xcd, 0x7e, 0xa4, 0xc3, 0x1c, 0xed, 0x47, 0xf, 0x87, 0xb1, 0x1e, 0x74, 0x14, 0x8b, 0x59, 0xe7, 0x58, 0x6e, 0xe6, 0x99, 0x6e, 0xe7, 0x1f, 0xf5, 0x76, 0x28, 0x82, 0x36, 0x89, 0x25, 0xd6, 0x11, 0xcc, 0x11, 0x68, 0x8a, 0x18, 0x57, 0x22, 0x46, 0x65, 0x7e, 0xfc, 0xc3, 0xcd, 0xdb, 0x2f, 0xc8, 0x9f, 0x2c, 0xdf, 0xb7, 0x5b, 0x20, 0x7b, 0xdd, 0x52, 0x4e, 0x1d, 0x3b, 0x14, 0xe4, 0xa2, 0x47, 0x78, 0x94, 0x95, 0xb6, 0x48, 0x11, 0xa9, 0xef, 0x93, 0xd7, 0xe4, 0x5, 0x75, 0x96, 0x2e, 0xfd, 0x46, 0xd4, 0x7e, 0xb4, 0x2f, 0x23, 0xf3, 0xeb, 0xe2, 0xd0, 0xe, 0x8f, 0xdd, 0x2e, 0x2a, 0xc5, 0x9e, 0xf, 0xf8, 0xff, 0xdb, 0x5f, 0xb5, 0x75, 0x33, 0xb4, 0x9a, 0xad, 0x11, 0xc, 0x2e, 0xe4, 0x20, 0x78, 0xca, 0x73, 0x46, 0x1b, 0x25, 0xe6, 0xa0, 0xe0, 0xac, 0x6d, 0x2d, 0x93, 0xd, 0x4c, 0x5c, 0x6b, 0xbc, 0x89, 0x9a, 0xa1, 0x5d, 0x9, 0x77, 0xcd, 0x38, 0x34, 0xfb, 0xbd, 0x48, 0x8d, 0x39, 0xa9, 0x24, 0x2f, 0x92, 0xb8, 0x41, 0x55, 0x51, 0xc4, 0x5d, 0x1d, 0x54, 0x9e, 0x9d, 0xfc, 0x41, 0xee, 0x86, 0xb1, 0xd, 0x61, 0xbf, 0xd5, 0x5e, 0x34, 0x9f, 0x9d, 0x9f, 0xca, 0xac, 0xf6, 0x5d, 0xa6, 0x7b, 0x3e, 0x86, 0x94, 0x36, 0xa8, 0x7a, 0x78, 0xda, 0x9d, 0x53, 0xba, 0xb5, 0x8e, 0xb7, 0xda, 0xf9, 0x9, 0xc3, 0x1b, 0x48, 0xd6, 0x33, 0x20, 0xfb, 0x5a, 0x4, 0x21, 0xa6, 0xaf, 0x30, 0xce, 0xf4, 0x76, 0x3d, 0xc9, 0xa, 0x7b, 0x77, 0xa6, 0xd6, 0xeb, 0xd7, 0xe0, 0xf5, 0x78, 0xd, 0x7b, 0xe3, 0xa6, 0x2b, 0x49, 0xf5, 0x76, 0x96, 0xc0, 0x16, 0x25, 0x3a, 0x5f, 0xc0, 0x9a, 0x88, 0xf8, 0x4b, 0x1e, 0x2b, 0xba, 0xf0, 0x4d, 0xe0, 0x2c, 0xb4, 0xcd, 0x1b, 0x34, 0x62, 0x50, 0xfd, 0x5c, 0x5d, 0x93, 0x20, 0xac, 0xac, 0x82, 0x33, 0x33, 0x30, 0x8a, 0xe, 0xb0, 0x98, 0x51, 0xc4, 0x38, 0x94, 0x42, 0x24, 0x8e, 0x1f, 0x5a, 0x3c, 0x18, 0x99, 0x3f, 0xf0, 0x55, 0xd2, 0x9d, 0xfa, 0x18, 0xb1, 0xfd, 0xa6, 0x62, 0x7f, 0xc2, 0x90, 0x8b, 0xb1, 0xb9, 0x91, 0xc1, 0x6e, 0x39, 0xf7, 0x32, 0xf7, 0xe8, 0xab, 0x86, 0xe7, 0xb, 0x91, 0x2d, 0x4a, 0x52, 0xf5, 0xa0, 0xc5, 0xa, 0xef, 0xad, 0x32, 0x5d, 0x94, 0xf6, 0x25, 0x97, 0xd6, 0xd4, 0x53, 0x9b, 0x89, 0xba, 0x10, 0x5, 0xc6, 0x76, 0x2a, 0x3, 0x1c, 0xb1, 0x58, 0x57, 0x59, 0x5d, 0x9b, 0xa4, 0x40, 0x4f, 0x65, 0xc8, 0x93, 0x28, 0x85, 0xb, 0x47, 0x94, 0x37, 0x52, 0xf4, 0xf6, 0x3e, 0xb6, 0xc, 0x69, 0x5e, 0x10, 0x29, 0x7d, 0x95, 0xd4, 0xb0, 0x59, 0x65, 0x64, 0x63, 0x43, 0x48, 0x7d, 0x8e, 0x8a, 0x78, 0x49, 0x3c, 0x27, 0xa8, 0xf4, 0xa9, 0x54, 0xce, 0x34, 0xb8, 0x6c, 0x40, 0xee, 0x9b, 0xda, 0x6f, 0xf8, 0xf, 0x26, 0x1c, 0x1e, 0x50, 0x47, 0x95, 0xe, 0x74, 0x79, 0xbd, 0x9d, 0xc6, 0xd2, 0xf9, 0x64, 0x88, 0xde, 0x21, 0x1, 0x2e, 0x23, 0x85, 0xd9, 0x42, 0x7b, 0x59, 0x2e, 0x77, 0x17, 0x45, 0x53, 0xc5, 0xc3, 0xb6, 0x55, 0xfb, 0xb9, 0x9c, 0x51, 0x47, 0xe5, 0x53, 0xbb, 0xd, 0x60, 0x28, 0x84, 0x9f, 0x1, 0x34, 0xf1, 0x1a, 0x79, 0x81, 0xe0, 0x76, 0x31, 0x47, 0x5a, 0x8, 0xc, 0xfb, 0x35, 0x63, 0x22, 0x3e, 0x2f, 0xe0, 0x73, 0xe5, 0x67, 0xbe, 0x38, 0x28, 0xfb, 0x4b, 0xc4, 0x84, 0x40, 0xb9, 0x1d, 0x89, 0x5, 0xc5, 0xc2, 0xc1, 0x96, 0x73, 0x13, 0x31, 0x91, 0x4b, 0x44, 0x58, 0xd9, 0x3f, 0xfa, 0xeb, 0x6a, 0xc1, 0x55, 0x6e, 0xe5, 0xe9, 0xdc, 0x9c, 0xac, 0xd0, 0x46, 0xaa, 0x2c, 0xd3, 0xce, 0x48, 0x71, 0xeb, 0xe8, 0x1f, 0xb6, 0xef, 0xc7, 0x10, 0x2e, 0x4d, 0xcf, 0x97, 0xff, 0xda, 0x35, 0xd8, 0x9f, 0xdd, 0x99, 0x1d, 0x43, 0x8d, 0xa1, 0xed, 0x9b, 0xe1, 0xcc, 0xd5, 0xf3, 0x3d, 0xb, 0x69, 0xf7, 0xc9, 0x6e, 0x32, 0xb7, 0x6d, 0x65, 0xfb, 0x97, 0x9c, 0x73, 0x95, 0x8c, 0x44, 0x71, 0xb2, 0xc1, 0x98, 0xe2, 0x21, 0x9c, 0x89, 0xea, 0xec, 0x65, 0x34, 0x57, 0x35, 0x37, 0x91, 0x72, 0xe5, 0xd0, 0x3d, 0xeb, 0x65, 0x21, 0x2b, 0x7c, 0xbd, 0x80, 0xc0, 0xf1, 0xc0, 0xdc, 0xe7, 0x16, 0x1e, 0xdf, 0x32, 0xc8, 0x7, 0xc, 0xad, 0x8f, 0xe5, 0x97, 0x9b, 0x43, 0xc3, 0x41, 0xa4, 0x50, 0xee, 0x73, 0x20, 0xe, 0x1f, 0x8e, 0xa4, 0x43, 0x6, 0x23, 0xa3, 0xc6, 0xeb, 0xce, 0x8b, 0x7f, 0x3c, 0x53, 0xb5, 0xe1, 0x63, 0x71, 0xb3, 0x47, 0xa6, 0x4d, 0xfa, 0x26, 0xb, 0x41, 0x4c, 0xd, 0x65, 0x1a, 0xfb, 0xfd, 0xe8, 0xdd, 0x64, 0x3a, 0xa5, 0xd, 0x73, 0xc, 0xd8, 0x88, 0xdf, 0x86, 0xe7, 0xc, 0xca, 0xa, 0x8f, 0x23, 0x27, 0x92, 0xcf, 0x19, 0xfd, 0x4c, 0xac, 0xab, 0xd4, 0xad, 0x86, 0x63, 0x7f, 0xde, 0x5c, 0x5e, 0xa0, 0xc4, 0xb6, 0x17, 0x7, 0x56, 0xaa, 0xc9, 0x58, 0x57, 0x2b, 0x17, 0x8c, 0xe7, 0x1, 0x5f, 0xc5, 0x65, 0xa2, 0xf, 0x1e, 0x4d, 0x12, 0xdc, 0xfb, 0xfd, 0xb2, 0x1f, 0xf8, 0x23, 0xf2, 0x9b, 0x3c, 0x8d, 0x23, 0xcf, 0x6b, 0xbb, 0x94, 0x3, 0x8d, 0x2c, 0x5c, 0x3c, 0x16, 0x6, 0x77, 0xc1, 0x56, 0x6f, 0x62, 0x6c, 0x2d, 0x9a, 0xda, 0x9, 0x9e, 0x90, 0x51, 0x53, 0x45, 0xe, 0x73, 0xa3, 0x25, 0x68, 0x8e, 0xe5, 0x79, 0xa, 0xef, 0x3, 0xc0, 0x8b, 0x8c, 0x9d, 0xfd, 0xec, 0x6b, 0x5, 0xb6, 0x78, 0x3f, 0x54, 0x6d, 0xb3, 0x90, 0xa0, 0x53, 0x32, 0xf1, 0x33, 0xf9, 0x32, 0x44, 0x79, 0x97, 0x49, 0xad, 0x82, 0x2, 0xf5, 0x21, 0x47, 0x3c, 0x49, 0x86, 0x13, 0x14, 0xd7, 0x9e, 0xd4, 0xf1, 0x13, 0xc4, 0xdc, 0xd8, 0xb4, 0xc2, 0x6a, 0x27, 0xd6, 0xd3, 0x18, 0xf8, 0xbc, 0x47, 0x53, 0x45, 0x7a, 0x15, 0xf, 0x44, 0xc9, 0x94, 0x26, 0x12, 0xf4, 0x13, 0x4a, 0xdd, 0x0, 0x77, 0x39, 0x7c, 0xbf, 0xab, 0xe3, 0x39, 0xef, 0x4e, 0x6c, 0x91, 0x8a, 0xa8, 0x72, 0x9c, 0x47, 0x6, 0x46, 0xdb, 0xf8, 0x49, 0xb1, 0xb3, 0xd3, 0xc2, 0x54, 0xab, 0xb1, 0x44, 0xff, 0x9, 0x3d, 0x83, 0x4b, 0x36, 0xac, 0x75, 0x88, 0x9b, 0x5c, 0xed, 0xf0, 0x12, 0x77, 0xc9, 0xca, 0xd, 0x52, 0x81, 0x2, 0x8f, 0x5d, 0xf5, 0x7a, 0x37, 0x62, 0x93, 0x46, 0x3b, 0x47, 0xf7, 0x6, 0xd6, 0x84, 0x6f, 0xfe, 0x51, 0xca, 0x5b, 0x8a, 0xa7, 0x4f, 0x27, 0x84, 0x4b, 0x6f, 0x4b, 0x76, 0x1d, 0xc0, 0x64, 0xb9, 0xdc, 0x91, 0x30, 0xfa, 0x46, 0xb8, 0x3a, 0xa, 0xf6, 0x26, 0x1f, 0x6d, 0xf0, 0xcf, 0xc0, 0x8a, 0x5f, 0xf5, 0xb, 0xd, 0x54, 0xeb, 0x50, 0xc1, 0x82, 0x88, 0x59, 0xd9, 0xd0, 0x93, 0xc2, 0x51, 0x2c, 0xa7, 0xa4, 0x22, 0x8a, 0x19, 0x3c, 0x64, 0xf6, 0x57, 0x6c, 0xf8, 0x10, 0x57, 0x39, 0x20, 0xb0, 0x91, 0xab, 0x97, 0xc0, 0xdb, 0x70, 0x19, 0x6c, 0x71, 0xe1, 0x9a, 0xf8, 0x3d, 0xe5, 0xcc, 0xa2, 0x2b, 0x7a, 0x5b, 0x4c, 0xd6, 0x85, 0xfc, 0x99, 0x9a, 0x79, 0xb2, 0x2a, 0xa8, 0xbe, 0x5a, 0xfa, 0xee, 0x94, 0x37, 0xd4, 0x62, 0xfe, 0x93, 0xb9, 0x11, 0xc6, 0x8d, 0x6, 0xf6, 0x1e, 0x28, 0x37, 0xaf, 0xf1, 0x69, 0x69, 0x9e, 0x83, 0x39, 0xc8, 0x46, 0xf5, 0x6a, 0x23, 0xec, 0x77, 0xc9, 0xc7, 0x78, 0x55, 0x62, 0x76, 0x5, 0x5c, 0xbd, 0x4c, 0x29, 0xde, 0xa8, 0xc0, 0xa4, 0xd1, 0x7c, 0xf, 0xaf, 0xdd, 0xe2, 0xd4, 0xf4, 0x95, 0x4f, 0x70, 0xfc, 0x43, 0x82, 0x12, 0x18, 0xe7, 0x50, 0xda, 0xab, 0xc5, 0x94, 0x7c, 0x6a, 0xbb, 0x3, 0x35, 0x74, 0x94, 0x2, 0x14, 0xbf, 0x8f, 0x79, 0xab, 0x53, 0xa1, 0x2, 0x4e, 0x28, 0x2f, 0x7a, 0xc8, 0x26, 0xef, 0xf8, 0xdc, 0x9e, 0xf9, 0x5, 0x5d, 0x92, 0x3c, 0x86, 0xdd, 0x35, 0x9b, 0x40, 0xe6, 0x81, 0x6d, 0x97, 0x70, 0x91, 0xe9, 0xdc, 0x99, 0x5a, 0x3a, 0xef, 0xe6, 0x1d, 0x13, 0x53, 0xec, 0x80, 0xbc, 0xaa, 0x35, 0xb3, 0x40, 0xc9, 0x64, 0x7c, 0x41, 0x19, 0xe9, 0x97, 0x6e, 0xaf, 0xf5, 0x4e, 0x45, 0x51, 0x9c, 0x30, 0x16, 0xed, 0xac, 0x9b, 0x3c, 0x76, 0x4, 0x48, 0x46, 0x81, 0x4d, 0x17, 0x6d, 0xe2, 0x97, 0x74, 0x19, 0x35, 0x86, 0x42, 0x5a, 0xa0, 0x9, 0xb1, 0xed, 0xad, 0x71, 0xfa, 0x10, 0xa4, 0x6e, 0xf7, 0x95, 0xda, 0xb7, 0xca, 0x19, 0x72, 0x1f, 0xd1, 0x88, 0xbe, 0xe7, 0x23, 0xc3, 0x74, 0x3c, 0x10, 0xdb, 0xb2, 0xd6, 0x91, 0xbb, 0xe1, 0xe3, 0xc2, 0xe2, 0x92, 0xb1, 0x3d, 0x59, 0xbe, 0xc1, 0x25, 0x5e, 0xb4, 0xca, 0x49, 0xf9, 0x53, 0x23, 0x2f, 0x6e, 0xa, 0x16, 0xe6, 0x39, 0x6a, 0xa, 0xd7, 0x57, 0x13, 0x6e, 0xe2, 0x13, 0x2, 0x9c, 0x3e, 0x62, 0x8e, 0x1a, 0x1c, 0x74, 0x73, 0xb2, 0x99, 0x93, 0x8d, 0xba, 0xa9, 0xdf, 0x54, 0x32, 0x8c, 0x59, 0xc, 0x40, 0xc, 0x31, 0x86, 0x3a, 0x73, 0x8, 0xb0, 0x0, 0xf4, 0x66, 0xe5, 0x57, 0x1f, 0x2e, 0x51, 0x7d, 0x69, 0xa0, 0xcb, 0xd0, 0x9c, 0x50, 0x40, 0xb2, 0xc2, 0x37, 0x95, 0x8c, 0x3d, 0x35, 0x57, 0x69, 0x9c, 0x98, 0x5f, 0x2f, 0x2b, 0x3c, 0x4c, 0x72, 0xc9, 0xbe, 0x7d, 0xa8, 0x1f, 0x3, 0xff, 0xa8, 0x2f, 0xe0, 0x90, 0x1f, 0xd1, 0xd5, 0xcf, 0x53, 0x5c, 0xd1, 0xf4, 0xfc, 0x4d, 0x31, 0x48, 0xae, 0x4f, 0x40, 0xb3, 0xef, 0x5f, 0xca, 0xb4, 0xa3, 0xbb, 0xf0, 0xb6, 0x8, 0x90, 0xd1, 0xf, 0xe2, 0xfc, 0x19, 0x49, 0xdc, 0x2a, 0xd1, 0x1b, 0x8d, 0xd1, 0xb4, 0x18, 0x9c, 0x8e, 0x1c, 0xc8, 0x88, 0x3a, 0x2f, 0xb2, 0x49, 0x29, 0x7c, 0xcc, 0x2c, 0xb1, 0xf5, 0x86, 0x7f, 0x98, 0xde, 0x5, 0xd8, 0x1a, 0xf6, 0xa2, 0x70, 0x79, 0x72, 0xed, 0x72, 0x21, 0x74, 0x69, 0xc7, 0x4e, 0x43, 0xd7, 0x8e, 0x2c, 0x9f, 0x3e, 0xb4, 0x52, 0x2c, 0x21, 0xf8, 0xe, 0x49, 0xd1, 0x7b, 0x5a, 0xb7, 0x0, 0xea, 0xfd, 0x2f, 0x5b, 0xa1, 0x8b, 0x95, 0xbf, 0x3e, 0xb2, 0xc7, 0xf2, 0xaa, 0xba, 0x6c, 0x69, 0x39, 0x20, 0xb4, 0x43, 0x96, 0x34, 0xbe, 0x2, 0x94, 0xde, 0x5b, 0x1f, 0xc4, 0xa5, 0xef, 0x39, 0x6b, 0x9d, 0xbe, 0x3a, 0x82, 0x7e, 0x7, 0x47, 0xde, 0x7f, 0x20, 0x2a, 0x28, 0x29, 0x86, 0x65, 0xfc, 0x74, 0xc3, 0x3b, 0xc4, 0x4, 0x6, 0x54, 0x1d, 0xe, 0xd4, 0x35, 0xed, 0x6f, 0x48, 0x3a, 0x3a, 0xb3, 0xa4, 0x16, 0xa1, 0xa4, 0x43, 0xee, 0x6c, 0x49, 0x70, 0x91, 0xaf, 0x8a, 0x94, 0xad, 0xe1, 0xdb, 0x4a, 0x17, 0x99, 0xdf, 0x51, 0x54, 0xa, 0xa3, 0x47, 0x8a, 0xa1, 0x91, 0x17, 0x9e, 0xd1, 0xbd, 0xca, 0x7c, 0x2a, 0xf1, 0xfc, 0xec, 0x3a, 0xb5, 0x12, 0x71, 0xd2, 0xc6, 0xb5, 0xfa, 0x95, 0xb3, 0x1e, 0x56, 0x87, 0x93, 0x1e, 0x8, 0x9, 0xa1, 0x6d, 0xa3, 0x28, 0x58, 0x93, 0x8c, 0xd7, 0x80, 0x97, 0xfb, 0x15, 0xb0, 0x40, 0xe5, 0x32, 0x3, 0x94, 0xd5, 0xfa, 0x66, 0xf4, 0xe0, 0x1b, 0xb5, 0xd7, 0xc9, 0x71, 0xf6, 0xd9, 0xd6, 0x41, 0xcd, 0xad, 0xfa, 0x17, 0xac, 0xa2, 0xb1, 0x28, 0x1e, 0x6c, 0xba, 0x5f, 0x1e, 0x20, 0xed, 0x33, 0x78, 0x6a, 0x6, 0x2b, 0x46, 0xf, 0xf9, 0x19, 0x97, 0xd9, 0x19, 0x61, 0x5f, 0xb, 0x6, 0x62, 0xf4, 0x31, 0xf4, 0xc2, 0x57, 0xd0, 0x7b, 0xb4, 0x46, 0x6f, 0xa5, 0x65, 0xbf, 0xe1, 0x47, 0x6c, 0xca, 0x8d, 0x34, 0xff, 0xf1, 0xbc, 0x41, 0x3e, 0x78, 0x38, 0x9a, 0x18, 0x7, 0x71, 0xda, 0xa9, 0x33, 0x5d, 0x7a, 0xf6, 0xea, 0xa, 0x2e, 0x87, 0x99, 0x77, 0x5a, 0x87, 0xd1, 0x29, 0x2d, 0x4d, 0x31, 0x87, 0xca, 0x33, 0xd7, 0x87, 0xc6, 0x3e, 0xdc, 0xe, 0xfa, 0xc7, 0x8a, 0x19, 0xcb, 0x49, 0x48, 0x89, 0x1c, 0x65, 0x46, 0x26, 0xf, 0x3d, 0xa9, 0x84, 0xa8, 0x78, 0x6, 0x20, 0x9b, 0xef, 0x64, 0xa9, 0x2d, 0xe6, 0x34, 0x98, 0x0, 0x87, 0x1b, 0x35, 0x3c, 0x4b, 0xb4, 0xc4, 0xe2, 0x9f, 0xef, 0xb2, 0xaf, 0xc, 0x79, 0x26, 0x33, 0x47, 0x6c, 0xf, 0x58, 0x4a, 0x26, 0x2, 0xb, 0x21, 0x5, 0x48, 0xb8, 0xe2, 0x94, 0xa1, 0x42, 0xe2, 0xf9, 0xa6, 0x8b, 0xe, 0x3c, 0xb0, 0x5e, 0xb6, 0x6a, 0x9b, 0x49, 0xde, 0x3f, 0xbc, 0x72, 0x54, 0x79, 0x9b, 0xf1, 0xd2, 0x80, 0x3a, 0x6e, 0x9c, 0x5b, 0x6b, 0xa8, 0x9f, 0x81, 0x42, 0x6d, 0x8, 0x75, 0x37, 0xe4, 0xa3, 0xe8, 0x3e, 0xbb, 0x50, 0x36, 0x66, 0xc1, 0x5f, 0x7, 0x32, 0xb1, 0xfc, 0x14, 0xeb, 0x75, 0xf6, 0x34, 0xd8, 0x7a, 0x6, 0xc9, 0xcc, 0xa8, 0xfd, 0x2f, 0xe9, 0xe6, 0x74, 0x24, 0x6a, 0xea, 0xf1, 0x95, 0xc0, 0xd3, 0xab, 0x34, 0xd9, 0x39, 0x71, 0x6d, 0xb7, 0xe4, 0xbe, 0x61, 0xb2, 0x4, 0x84, 0x69, 0x3e, 0xe7, 0x70, 0x69, 0x2e, 0x1d, 0x11, 0xcb, 0x5f, 0x5e, 0x3b, 0xb2, 0x9f, 0x87, 0x90, 0x54, 0xd7, 0xdf, 0x72, 0x6c, 0x50, 0x11, 0xc1, 0xf1, 0xbc, 0x61, 0x85, 0xd0, 0x97, 0x3a, 0x7, 0x70, 0x5e, 0xbf, 0x82, 0x1d, 0x20, 0x43, 0xa7, 0x32, 0x82, 0x79, 0x2f, 0xc5, 0xa, 0x7f, 0x36, 0x91, 0x4, 0x4b, 0xee, 0x20, 0x4d, 0xcb, 0x13, 0x46, 0x6a, 0x35, 0x12, 0xbf, 0x63, 0x8b, 0x28, 0x81, 0xe0, 0x70, 0xf6, 0xae, 0x21, 0x12, 0x16, 0x6b, 0xcb, 0x4a, 0x51, 0x8c, 0x2d, 0xe6, 0x96, 0x78, 0x9e, 0x37, 0x67, 0x4a, 0xf6, 0x71, 0xa5, 0x7f, 0xfd, 0xca, 0xa2, 0x37, 0x52, 0xb2, 0x6a, 0xba, 0x41, 0x38, 0x98, 0xbd, 0x77, 0xf0, 0x7e, 0x6e, 0xd1, 0x3c, 0x44, 0x2, 0xac, 0xc4, 0x82, 0x76, 0x9d, 0x31, 0xfb, 0x1, 0x51, 0xb2, 0xee, 0x2f, 0x98, 0xa, 0x29, 0x31, 0x29, 0xb0, 0x44, 0xb3, 0x61, 0x2, 0xb9, 0xc9, 0xc1, 0x51, 0xfa, 0x71, 0xd3, 0xbf, 0x5b, 0x8c, 0x0, 0xe, 0x33, 0xca, 0x78, 0x2, 0x1c, 0xdd, 0x66, 0xd8, 0xb1, 0x53, 0xaa, 0xe5, 0xa6, 0x76, 0x6f, 0x66, 0xcf, 0xa2, 0x13, 0x60, 0x79, 0xb7, 0xcf, 0xe5, 0x36, 0x18, 0x52, 0xa3, 0xad, 0x1a, 0x3a, 0x1d, 0x9c, 0x5f, 0xf7, 0x50, 0xff, 0x4, 0x56, 0x3c, 0x22, 0x2b, 0x75, 0x7e, 0xf3, 0xdd, 0x8e, 0x1d, 0x18, 0x11, 0x9a, 0x3c, 0xdd, 0x74, 0xf0, 0xe, 0x7b, 0x6d, 0xb8, 0xcc, 0x72, 0xc1, 0xff, 0xd0, 0xf2, 0x90, 0x7d, 0x3, 0xe3, 0xec, 0xd1, 0xab, 0x6c, 0x85, 0x55, 0x60, 0xd6, 0x7, 0xf3, 0xe3, 0xaf, 0x6d, 0x4c, 0x7e, 0x28, 0x93, 0x2f, 0x42, 0xa0, 0x79, 0x48, 0x33, 0x66, 0xac, 0x2a, 0x90, 0xec, 0x93, 0x71, 0x56, 0x1a, 0x13, 0xb4, 0x76, 0xb, 0xe7, 0xf6, 0xe5, 0x5a, 0x30, 0x3c, 0xaf, 0xdd, 0xeb, 0x1e, 0x3, 0x39, 0xbd, 0x87, 0x95, 0x31, 0xe8, 0xbb, 0x71, 0xf8, 0xde, 0x9, 0x57, 0x69, 0xb6, 0xb2, 0xe, 0x83, 0x99, 0x5, 0x57, 0x29, 0x70, 0x5b, 0x87, 0x1b, 0xce, 0x80, 0x4d, 0x16, 0xac, 0x64, 0x3, 0xa8, 0x7d, 0x8a, 0x83, 0xab, 0x83, 0x1c, 0xbe, 0x23, 0x1d, 0x43, 0x2f, 0x1e, 0xc7, 0x40, 0xb9, 0x4c, 0x87, 0x52, 0x8e, 0x3a, 0x4b, 0x5f, 0xdb, 0xa9, 0x35, 0x19, 0x21, 0xc3, 0x1d, 0x1b, 0x30, 0x92, 0x4, 0x35, 0x94, 0x20, 0x86, 0x95, 0x29, 0x6d, 0x64, 0xd2, 0x33, 0x4, 0x14, 0x91, 0xef, 0x4b, 0xd6, 0xb0, 0x16, 0xf4, 0x5e, 0x3c, 0x9a, 0xea, 0x25, 0x1f, 0x9d, 0x78, 0x2c, 0x35, 0x4a, 0xeb, 0x0, 0xf2, 0x20, 0x28, 0xb4, 0xd0, 0x4b, 0x2c, 0x9f, 0x92, 0x43, 0x4e, 0x5d, 0x23, 0x38, 0x66, 0x27, 0x81, 0xe7, 0x98, 0x32, 0x6e, 0x49, 0x67, 0xbd, 0x62, 0x1c, 0xc8, 0x5b, 0x17, 0x3f, 0xc, 0x66, 0x78, 0x83, 0x4d, 0xdd, 0xaf, 0x17, 0x89, 0xe1, 0x4, 0x4d, 0x8c, 0x6, 0xa8, 0x85, 0x1, 0x16, 0xa8, 0x32, 0x85, 0x9a, 0xb2, 0x92, 0xe1, 0xe4, 0x58, 0xdb, 0x3b, 0x8a, 0xd, 0xc7, 0x86, 0x5b, 0xa6, 0xe8, 0x3b, 0x40, 0xa0, 0x98, 0x4e, 0x6f, 0xe, 0x5f, 0x9e, 0x9f, 0x2c, 0xe8, 0xe6, 0x36, 0x46, 0xd4, 0x43, 0x10, 0x3a, 0xc3, 0x7c, 0xb8, 0x1d, 0x71, 0x5, 0xec, 0x8a, 0xaa, 0x63, 0x12, 0x43, 0x6f, 0xaa, 0xa4, 0x44, 0x27, 0xd, 0x12, 0xff, 0x43, 0x9b, 0x77, 0x77, 0xae, 0x2f, 0x89, 0xbd, 0xd3, 0x82, 0x9f, 0xdc, 0x8c, 0xc9, 0xc, 0xfe, 0xf0, 0xbc, 0xb1, 0xc5, 0xf1, 0xe6, 0x7f, 0x5f, 0xca, 0x72, 0x9a, 0x92, 0x44, 0x82, 0xa6, 0x63, 0xcc, 0xe0, 0x4a, 0x89, 0x3f, 0xb7, 0x92, 0x24, 0x2c, 0xce, 0x18, 0x5f, 0xb7, 0xe5, 0xf3, 0x9d, 0xf5, 0xd0, 0xca, 0x53, 0x8f, 0xd2, 0x40, 0xb7, 0x7c, 0x94, 0x12, 0xf0, 0xc4, 0xfb, 0x85, 0xb5, 0x3e, 0x17, 0xf7, 0xc7, 0x32, 0x86, 0xc, 0xda, 0x17, 0x4c, 0x3f, 0x94, 0xaf, 0x5b, 0x79, 0x8c, 0xeb, 0xd2, 0x51, 0x7c, 0xf6, 0xb5, 0x3f, 0xe2, 0x4e, 0x49, 0x99, 0x88, 0x68, 0x75, 0x75, 0x18, 0xef, 0x6f, 0xff, 0x8d, 0xb3, 0x3e, 0xda, 0x34, 0x28, 0xe8, 0x6b, 0x63, 0xea, 0x52, 0x2c, 0x1, 0xbe, 0xf8, 0x37, 0xdd, 0x61, 0x8c, 0x23, 0x2d, 0x29, 0xdb, 0x42, 0x81, 0x8f, 0x3f, 0x52, 0x54, 0xe, 0xd8, 0x5, 0x6a, 0x3, 0x36, 0xb4, 0x1e, 0xe3, 0xff, 0xc0, 0x93, 0x1e, 0xff, 0xcd, 0xe3, 0x83, 0xdf, 0x1d, 0x82, 0x50, 0xf, 0xfe, 0xd2, 0x3f, 0x3b, 0xb3, 0x9e, 0xff, 0xd, 0x9b, 0xe1, 0xc8, 0xd0, 0xf0, 0x22, 0xe8, 0xa4, 0x11, 0xa0, 0x3e, 0xf8, 0x4, 0x87, 0x5a, 0xd1, 0x7a, 0x64, 0xbc, 0xf, 0x82, 0xc6, 0x50, 0x35, 0x5b, 0x31, 0xbb, 0xec, 0x6b, 0xe7, 0xb7, 0x3d, 0xec, 0x3d, 0x86, 0xc7, 0xbf, 0x17, 0xf0, 0x3a, 0x5d, 0xff, 0x1, 0x29, 0x82, 0x6b, 0x97, 0x39, 0x44, 0x5, 0x20, 0x3b, 0xd, 0xbd, 0xb, 0x37, 0xca, 0x7f, 0x6, 0xf, 0x3d, 0x5e, 0x7f, 0x64, 0xde, 0x3d, 0xf6, 0x95, 0xa8, 0x9c, 0x5e, 0x52, 0x90, 0x7d, 0x14, 0xdf, 0x72, 0x20, 0x97, 0x1e, 0xd3, 0x4d, 0x2f, 0x5c, 0x75, 0xc6, 0xe6, 0x8e, 0xda, 0x6f, 0xa1, 0x58, 0x65, 0x19, 0xcf, 0xff, 0x26, 0x68, 0xc6, 0x95, 0x38, 0xf4, 0xc, 0xa3, 0x76, 0x1a, 0x1f, 0x7b, 0x9, 0xc3, 0x83, 0xe0, 0x4, 0xd6, 0xa9, 0xe, 0xe, 0x39, 0x66, 0x9, 0x83, 0x90, 0xe1, 0xff, 0x5e, 0xc8, 0xb3, 0x53, 0xf7, 0xb, 0xa5, 0xcf, 0xcc, 0xf7, 0xad, 0x15, 0xbc, 0xd9, 0x75, 0xb0, 0xe1, 0xa1, 0xdf, 0xd6, 0xe5, 0xa3, 0x81, 0x7e, 0xc1, 0x9b, 0x24, 0x44, 0xe4, 0x39, 0x8c, 0x43, 0xfd, 0xa7, 0x8e, 0xb2, 0xcc, 0x7d, 0xf3, 0x12, 0xba, 0x7f, 0x90, 0x73, 0x48, 0x65, 0xda, 0x4, 0x29, 0x37, 0x4a, 0xda, 0xa6, 0xda, 0x35, 0xc5, 0xa6, 0x83, 0x62, 0xc6, 0xcf, 0x64, 0x5, 0xbf, 0x95, 0x93, 0x4a, 0xf6, 0xa4, 0x9f, 0xd0, 0x31, 0x84, 0x56, 0x6f, 0xa7, 0xf9, 0x64, 0xd, 0x8c, 0x89, 0xf8, 0x2, 0x7c, 0xc2, 0x48, 0xf8, 0xd5, 0x5b, 0xb, 0x26, 0xe1, 0xad, 0x18, 0xf4, 0xe8, 0xde, 0x73, 0x69, 0x23, 0xe3, 0xf3, 0xc1, 0xdd, 0x85, 0xc1, 0x26, 0x9c, 0x31, 0xe9, 0x46, 0xc4, 0xa, 0x6f, 0x54, 0xd8, 0xb7, 0x85, 0x6d, 0x57, 0x9d, 0x7f, 0x24, 0xf2, 0x65, 0x79, 0x42, 0x48, 0x5f, 0x3, 0xb0, 0x36, 0xb6, 0x19, 0xb5, 0xff, 0x9d, 0xa3, 0x6a, 0xb5, 0xb3, 0x10, 0xb5, 0x8c, 0x4d, 0x8e, 0x9f, 0xa2, 0x3d, 0xb4, 0x59, 0x9f, 0x4b, 0x4c, 0x9e, 0xfd, 0x31, 0xce, 0xa8, 0x1, 0x3c, 0x30, 0xc1, 0x26, 0xbe, 0x20, 0xe, 0xc9, 0x47, 0xee, 0xe8, 0x82, 0x71, 0x18, 0x18, 0x1, 0x81, 0xb9, 0x7d, 0xdb, 0x7c, 0x68, 0xd9, 0xf6, 0x4f, 0xe1, 0xa1, 0x4d, 0xe, 0x52, 0x7a, 0x72, 0xd5, 0x36, 0x88, 0xba, 0x8, 0x98, 0x42, 0xc6, 0xe5, 0xa9, 0xdd, 0xe5, 0xc1, 0x2a, 0x68, 0x95, 0xfc, 0xa9, 0xca, 0x72, 0x3c, 0xd, 0x4e, 0x44, 0xea, 0x2b, 0x77, 0xde, 0xaa, 0xfa, 0x17, 0xc8, 0x9, 0x0, 0xab, 0x8c, 0x42, 0xf8, 0x5e, 0x16, 0xf0, 0xf, 0x46, 0x7a, 0xe4, 0x4c, 0xcc, 0xcb, 0x81, 0x52, 0x72, 0xbf, 0x12, 0x6d, 0xda, 0xd2, 0xaa, 0x23, 0x2, 0x48, 0x78, 0xc6, 0x44, 0x28, 0x6e, 0x25, 0x36, 0xfa, 0x2a, 0x34, 0x6e, 0x8e, 0x76, 0x16, 0x6d, 0x99, 0x46, 0x4d, 0x17, 0x17, 0xf2, 0x8b, 0x62, 0x6a, 0xff, 0xc4, 0x9f, 0xd, 0x49, 0x4e, 0x15, 0x94, 0x5a, 0x70, 0x77, 0x7a, 0x99, 0x2d, 0x8d, 0x28, 0xdd, 0x96, 0x9d, 0xc4, 0x72, 0x5d, 0xce, 0xd8, 0xd9, 0xe2, 0x77, 0x4f, 0x71, 0x1c, 0xc1, 0xa4, 0xc5, 0x6, 0x9d, 0x3e, 0xa0, 0xe4, 0x79, 0x36, 0x51, 0xaa, 0x2, 0x8b, 0xf2, 0xf, 0x3, 0xc2, 0xb3, 0x86, 0x13, 0xc2, 0xc9, 0xce, 0x8b, 0xb6, 0x86, 0x61, 0xb8, 0x6, 0x9f, 0xb, 0x68, 0xf9, 0x4d, 0xf2, 0x7c, 0x81, 0x92, 0xd2, 0xc0, 0xea, 0x45, 0x6b, 0xc4, 0x12, 0xe, 0xb1, 0x7, 0xc5, 0x2b, 0xf4, 0xff, 0x27, 0x94, 0x28, 0x4d, 0x40, 0x3c, 0x26, 0x12, 0xc4, 0x8e, 0x84, 0xb4, 0x99, 0x18, 0x5f, 0x3d, 0xc, 0x80, 0x40, 0xd0, 0x10, 0x70, 0xf9, 0x11, 0x20, 0xeb, 0xf, 0x30, 0x29, 0xf5, 0xc5, 0xb4, 0x3a, 0xdc, 0x40, 0xea, 0x69, 0x2d, 0xa4, 0x26, 0x8f, 0x1, 0xcc, 0xae, 0x22, 0xad, 0x84, 0xdc, 0x4a, 0xf0, 0x70, 0x32, 0x7b, 0x6c, 0xc3, 0x25, 0xed, 0x72, 0xfa, 0x50, 0x47, 0x6d, 0xba, 0x46, 0x8e, 0x8a, 0xe5, 0x93, 0xc5, 0xd1, 0x37, 0x6c, 0x8c, 0x8, 0xc, 0x12, 0x31, 0x47, 0x39, 0xa2, 0xda, 0x86, 0x6e, 0xcb, 0x63, 0x42, 0xbe, 0xc3, 0x38, 0xd0, 0x26, 0x71, 0x36, 0x7d, 0x41, 0x2c, 0xd0, 0x59, 0x71, 0xb0, 0x6d, 0x11, 0x3d, 0x9d, 0x10, 0x62, 0x89, 0xc1, 0x7f, 0xa6, 0x7, 0xae, 0x79, 0x15, 0x96, 0xbb, 0x87, 0x4d, 0xc8, 0x8f, 0xd6, 0x8d, 0x1f, 0x1c, 0x49, 0x9e, 0x0, 0x30, 0x19, 0x28, 0x13, 0xe3, 0x22, 0xaf, 0x8c, 0x8a, 0xff, 0xb4, 0x3a, 0xf2, 0x7c, 0x19, 0xfa, 0xcf, 0x87, 0xd6, 0x5d, 0x20, 0x44, 0x3a, 0x10, 0x58, 0xa2, 0x67, 0xed, 0xd, 0xc3, 0x96, 0xb7, 0x57, 0x29, 0x22, 0xe, 0x44, 0xbb, 0x23, 0xa5, 0xcc, 0x4, 0x4d, 0xef, 0x73, 0xa2, 0x73, 0x46, 0x32, 0x39, 0xec, 0x11, 0x3e, 0x34, 0xdf, 0x3a, 0xaf, 0xd3, 0x68, 0x59, 0xdc, 0xf1, 0xd7, 0x36, 0x61, 0x27, 0xa9, 0x53, 0xb0, 0x99, 0x28, 0x7b, 0x7a, 0xcd, 0x7e, 0x6, 0xae, 0x61, 0x26, 0xaa, 0x3e, 0xd9, 0x9c, 0x77, 0x2, 0xc8, 0xb9, 0x49, 0x85, 0xea, 0x85, 0x33, 0xc5, 0x40, 0x79, 0x1d, 0x6, 0xe7, 0x3c, 0xe9, 0xb3, 0x89, 0x7a, 0xd2, 0xd7, 0x1b, 0x2c, 0x3a, 0x5d, 0x75, 0xa8, 0xb5, 0xf7, 0x8a, 0x21, 0x5b, 0x25, 0xa0, 0x68, 0x9e, 0xb2, 0x54, 0x67, 0xf7, 0x8a, 0x7e, 0x83, 0x33, 0xb5, 0x2e, 0xab, 0x9f, 0x57, 0x73, 0x5a, 0xb0, 0xd1, 0x85, 0x43, 0xd7, 0xec, 0xa1, 0x55, 0x10, 0xb4, 0x15, 0x91, 0x5e, 0x44, 0x74, 0x92, 0x36, 0xb2, 0x4e, 0x27, 0x20, 0xf5, 0xc4, 0xa7, 0x72, 0x29, 0x2b, 0x90, 0xa2, 0xaa, 0xfc, 0x41, 0x71, 0xe0, 0xd3, 0x9a, 0xf6, 0xe4, 0x99, 0xd7, 0x9a, 0x53, 0xfd, 0x9f, 0x3f, 0x81, 0x94, 0x3f, 0x45, 0xa6, 0xf7, 0xc2, 0x5b, 0x37, 0x48, 0x3c, 0x8d, 0xc5, 0x96, 0x4e, 0xc6, 0x5d, 0xad, 0x6f, 0x32, 0xb3, 0x54, 0xe3, 0x40, 0xb2, 0xa9, 0xca, 0xaf, 0x3a, 0xa9, 0xe7, 0xa1, 0xac, 0x3, 0x9, 0x1b, 0x1d, 0xa0, 0xb8, 0x11, 0x12, 0x67, 0x97, 0xeb, 0x4c, 0xa0, 0x10, 0x17, 0xc8, 0x79, 0x2e, 0x94, 0x5e, 0xd4, 0xad, 0xcc, 0x27, 0x36, 0x4a, 0x7e, 0x55, 0xc, 0x6d, 0xcf, 0x4b, 0x56, 0xbc, 0xa2, 0x72, 0xc, 0xb8, 0xd7, 0x26, 0x43, 0x5f, 0xee, 0x9, 0x19, 0x2f, 0x29, 0xd4, 0xe9, 0xdb, 0x70, 0x6b, 0x18, 0x6b, 0xf1, 0x63, 0x26, 0x4c, 0xf7, 0x56, 0x2a, 0xb4, 0xfb, 0x35, 0xf7, 0xb0, 0x3d, 0xc2, 0x40, 0x0, 0xe1, 0x6a, 0xf6, 0xbd, 0x6, 0xb6, 0x58, 0x2d, 0x3, 0x87, 0x46, 0xde, 0xb4, 0x1e, 0xe0, 0x79, 0x2c, 0x5e, 0x83, 0x3d, 0x4f, 0xc5, 0x23, 0xef, 0x4, 0x5d, 0xf4, 0x8d, 0x81, 0x7, 0xb4, 0x41, 0x3d, 0x67, 0xc8, 0xa9, 0xfa, 0x55, 0x55, 0x53, 0xb9, 0x89, 0x6f, 0x4f, 0xd6, 0xce, 0x84, 0x5c, 0x41, 0xb7, 0xea, 0xd2, 0x60, 0x48, 0xd3, 0xba, 0xe, 0x5, 0xd2, 0x9b, 0xdb, 0x5f, 0xbf, 0xa5, 0x85, 0x66, 0xcc, 0xe0, 0x53, 0xdb, 0xb3, 0xa7, 0x1e, 0x8b, 0xa0, 0xd2, 0x61, 0x9a, 0x85, 0x14, 0x8b, 0xae, 0x63, 0xab, 0x95, 0xd4, 0x99, 0x2f, 0x5, 0x87, 0x84, 0xf, 0x74, 0x38, 0xea, 0x4e, 0x97, 0xb2, 0x5b, 0xbe, 0x8e, 0x17, 0x7f, 0xd1, 0x36, 0x5b, 0xca, 0xbc, 0xb, 0x3, 0xea, 0x6e, 0xf8, 0xaa, 0xe3, 0xcc, 0xe4, 0xb5, 0xe0, 0xe9, 0xf8, 0x68, 0x20, 0x2, 0x1a, 0xb5, 0x75, 0x3e, 0xeb, 0x9, 0x96, 0x87, 0x34, 0xa4, 0xca, 0xe1, 0xfa, 0xab, 0x5f, 0xca, 0x9f, 0x91, 0x9b, 0x45, 0x21, 0x1a, 0xac, 0xfa, 0x7a, 0x93, 0xd2, 0xa4, 0x66, 0x1f, 0x1c, 0xa9, 0xc, 0x9e, 0x31, 0x13, 0xec, 0x23, 0xf3, 0xc7, 0x4c, 0x19, 0x90, 0x16, 0xa1, 0x8a, 0x3a, 0x14, 0x25, 0xad, 0x8, 0x9e, 0xb5, 0x9, 0x8d, 0xad, 0x40, 0xbe, 0xa, 0x86, 0x50, 0xe7, 0x9b, 0xd, 0xd6, 0x37, 0x4c, 0x43, 0xbf, 0xc6, 0x8, 0xb0, 0x53, 0x6c, 0x17, 0xc5, 0x3e, 0x1d, 0xd0, 0xa0, 0x61, 0xa6, 0xae, 0x21, 0x23, 0x51, 0x52, 0x46, 0x74, 0x98, 0x98, 0x25, 0xa9, 0xec, 0x91, 0xa5, 0x4c, 0x8, 0xeb, 0x3f, 0xcb, 0x1d, 0xc9, 0x9d, 0xbb, 0xa9, 0x40, 0xc2, 0xb4, 0x78, 0x55, 0x43, 0xc5, 0x14, 0xdc, 0xaf, 0xc, 0x61, 0x3b, 0x2a, 0xd6, 0x5e, 0x6b, 0x84, 0x38, 0x1b, 0x37, 0x2f, 0x51, 0x7, 0x61, 0x81, 0xe3, 0xb0, 0xa, 0xb7, 0x1b, 0x57, 0x2d, 0x24, 0x6b, 0xeb, 0x80, 0x70, 0x2d, 0x83, 0x46, 0xe2, 0x71, 0x3b, 0x23, 0xd0, 0xb, 0xd3, 0x9d, 0x13, 0x31, 0xbe, 0x1b, 0x99, 0x27, 0x70, 0x53, 0x4e, 0x2e, 0x46, 0x91, 0x7e, 0x79, 0x68, 0x5a, 0x18, 0x4e, 0x6b, 0xa, 0xe2, 0x3f, 0x42, 0x7, 0xb7, 0xd9, 0x42, 0x7e, 0xc6, 0xf2, 0x82, 0x1b, 0x81, 0xf7, 0x4c, 0x68, 0x17, 0xc8, 0x25, 0x5d, 0xb9, 0x5b, 0x4, 0x5e, 0x0, 0x53, 0xbd, 0xfd, 0x68, 0x8e, 0x9d, 0xbe, 0x49, 0xf6, 0xe5, 0x20, 0x43, 0x4, 0x1b, 0x33, 0x5, 0xf, 0xdb, 0x98, 0x33, 0xc3, 0xe0, 0xb3, 0xe9, 0xfd, 0xf6, 0xae, 0xcf, 0xc8, 0x66, 0x9b, 0x20, 0xf4, 0x92, 0x4b, 0x9d, 0x73, 0x1a, 0xcc, 0xaf, 0xd1, 0xe9, 0xde, 0xb8, 0x8a, 0xa2, 0x5f, 0xa7, 0xae, 0x9, 0xd0, 0xf1, 0xc6, 0xea, 0xb5, 0x5f, 0x37, 0x14, 0xa5, 0x7a, 0x8f, 0x70, 0x60, 0xb5, 0x20, 0x64, 0x41, 0xdc, 0x54, 0x62, 0x9c, 0x49, 0xae, 0x9e, 0x7e, 0x7e, 0x83, 0x7a, 0x24, 0x39, 0x29, 0x7e, 0xa7, 0x24, 0x5, 0x9, 0x8c, 0xc0, 0xae, 0x74, 0xf2, 0x55, 0x6f, 0x8d, 0x19, 0x92, 0x2b, 0xf8, 0xc5, 0xce, 0x2, 0x14, 0x2e, 0x96, 0x3c, 0x49, 0xe7, 0x30, 0x2f, 0xfa, 0x17, 0xca, 0x17, 0x9f, 0xcb, 0x79, 0xb8, 0xe9, 0xe8, 0x83, 0xd7, 0xbc, 0x5f, 0x14, 0x6f, 0x5a, 0x14, 0x8c, 0x3d, 0xea, 0x6e, 0xee, 0xd, 0x5e, 0xe7, 0x15, 0xde, 0xde, 0xa2, 0x8a, 0x62, 0xdc, 0x72, 0x48, 0xf2, 0x74, 0x93, 0xbb, 0x61, 0x78, 0xfe, 0xc4, 0xe9, 0xd3, 0xe0, 0xb2, 0x87, 0x61, 0x2a, 0x82, 0xd4, 0x56, 0xf9, 0x26, 0x98, 0xc5, 0xcf, 0x17, 0x64, 0xb6, 0x9e, 0x16, 0x8, 0x24, 0x69, 0x9, 0x26, 0xca, 0x85, 0xf8, 0x9e, 0xc7, 0x6, 0x9d, 0xf6, 0xed, 0x8f, 0x13, 0x7d, 0xdc, 0x8a, 0x1f, 0x3, 0x0, 0x26, 0xf7, 0xbc, 0xe, 0xe6, 0x46, 0x3c, 0x10, 0xe, 0x47, 0x31, 0x62, 0x31, 0xb8, 0x82, 0x44, 0x9, 0x21, 0x7c, 0x48, 0xca, 0xfa, 0x6d, 0x6f, 0xef, 0x66, 0xe6, 0x62, 0x97, 0xce, 0xa, 0x2e, 0x42, 0x1f, 0x8d, 0x1f, 0xd3, 0xa9, 0x46, 0x32, 0xd2, 0x44, 0x49, 0x57, 0xf1, 0x83, 0x1e, 0x1b, 0x4b, 0x33, 0x7f, 0xa5, 0x3a, 0xa6, 0xdf, 0x13, 0x81, 0x5d, 0x2, 0x9f, 0xed, 0xda, 0xf8, 0xc, 0xc1, 0x11, 0xee, 0x0, 0xa8, 0x8e, 0xd7, 0x30, 0x75, 0xdd, 0xe3, 0xb5, 0xd4, 0x3c, 0x5, 0xeb, 0xc5, 0x43, 0x8c, 0xd5, 0x3e, 0xb1, 0x65, 0x9b, 0x63, 0x16, 0x15, 0xbd, 0xbd, 0x49, 0xad, 0xc3, 0x90, 0x79, 0x42, 0xb6, 0x41, 0x8e, 0xfd, 0x99, 0x1e, 0xae, 0x7e, 0x70, 0xbd, 0x15, 0xcf, 0x12, 0x1e, 0xb7, 0xab, 0x1a, 0x1b, 0x4f, 0xad, 0x29, 0xe, 0x5d, 0x54, 0x7, 0x4d, 0xe7, 0x43, 0x51, 0xe1, 0xde, 0x8b, 0xc8, 0x36, 0x63, 0x26, 0x30, 0x7c, 0x76, 0x76, 0x58, 0x6, 0x93, 0xf2, 0x25, 0x96, 0x19, 0x73, 0xc6, 0x71, 0x85, 0x7, 0x9c, 0x51, 0x29, 0x55, 0xed, 0xb2, 0x90, 0x86, 0xc8, 0xb4, 0x5, 0x27, 0x85, 0x2d, 0x2c, 0x4f, 0x27, 0x2d, 0x55, 0x9, 0x4e, 0x44, 0x8d, 0xbf, 0xb0, 0xd1, 0x75, 0x65, 0x98, 0xeb, 0xbe, 0x28, 0x76, 0x51, 0x46, 0x86, 0x7f, 0x38, 0xe2, 0x7b, 0x40, 0x6b, 0xfc, 0x39, 0xa6, 0x49, 0x30, 0x5e, 0xe, 0x25, 0x36, 0x0, 0x86, 0xd9, 0x35, 0x5c, 0xe7, 0x46, 0x16, 0xcc, 0x5d, 0xd8, 0x5b, 0xf3, 0xc, 0x3a, 0x27, 0x26, 0x6c, 0xd2, 0xce, 0xca, 0x8b, 0x42, 0x67, 0x53, 0xb5, 0x1d, 0xcf, 0x2e, 0xe2, 0x8b, 0x6, 0x9e, 0x1a, 0x97, 0xd8, 0x3d, 0x1, 0xc5, 0x9, 0x79, 0x8a, 0xcb, 0x11, 0xf4, 0x17, 0x6, 0xd5, 0x1d, 0x86, 0x98, 0xac, 0x57, 0x57, 0xbb, 0x5a, 0x93, 0x1e, 0xd, 0x1f, 0xde, 0x85, 0x7a, 0xe3, 0x4d, 0x15, 0xb4, 0x10, 0xfd, 0xde, 0xb5, 0xeb, 0x9c, 0x36, 0x92, 0xe3, 0xd9, 0xb8, 0xbe, 0x24, 0x13, 0x76, 0x9b, 0xef, 0xd5, 0x54, 0x26, 0x7e, 0xf1, 0x74, 0xba, 0x41, 0x63, 0x4d, 0xe4, 0xdd, 0xc1, 0x78, 0xc8, 0xe3, 0xa0, 0xc0, 0xfd, 0x18, 0xd9, 0x87, 0x81, 0x75, 0xd7, 0xa6, 0x13, 0x3a, 0xca, 0x2, 0x15, 0x60, 0x87, 0x66, 0xf0, 0x58, 0x66, 0xf3, 0x9c, 0x3e, 0x31, 0xc7, 0x7e, 0x5, 0xf8, 0x71, 0x1c, 0xef, 0x33, 0xc4, 0x5a, 0x83, 0x6a, 0x1b, 0x46, 0x62, 0x32, 0x85, 0x4c, 0x39, 0x86, 0x7c, 0x98, 0x53, 0xf0, 0xc8, 0xa1, 0xc4, 0x83, 0xe9, 0xdf, 0x8c, 0x39, 0xff, 0x31, 0xb9, 0xb7, 0x3, 0x62, 0x81, 0x5e, 0xbf, 0x5b, 0x4, 0xb9, 0xb7, 0x46, 0x3c, 0x19, 0x93, 0x6b, 0xe4, 0xa6, 0xa4, 0x5d, 0xbf, 0x4e, 0x1e, 0xe7, 0x4f, 0xa2, 0x43, 0x60, 0x2a, 0x94, 0xf9, 0x2b, 0x49, 0xb3, 0xff, 0x1e, 0x19, 0xc1, 0x29, 0x5, 0xde, 0x2f, 0x90, 0x49, 0x24, 0x66, 0x9f, 0x2d, 0xc3, 0x13, 0x67, 0xac, 0xa7, 0x92, 0xc7, 0x2c, 0x98, 0x37, 0xb7, 0xd8, 0x8a, 0xd8, 0x2f, 0xe3, 0x60, 0x1e, 0xa2, 0x19, 0x3, 0x3a, 0x7e, 0x1a, 0x59, 0x83, 0x73, 0x44, 0xde, 0xb0, 0x9, 0x56, 0xa4, 0x10, 0x83, 0xee, 0x41, 0xf1, 0x6d, 0x71, 0xf4, 0xd6, 0xe6, 0x39, 0xa0, 0xc1, 0xae, 0x2e, 0xd1, 0x98, 0x11, 0xf, 0xba, 0xb2, 0x14, 0xac, 0xe5, 0xee, 0x3a, 0x60, 0xa1, 0xc1, 0xeb, 0xce, 0x64, 0xb9, 0xe0, 0x36, 0x48, 0x1f, 0x40, 0x66, 0x3f, 0xd0, 0x4f, 0x96, 0x37, 0xe4, 0x2e, 0x12, 0x3f, 0x8f, 0xdd, 0x49, 0x4e, 0xdb, 0x3f, 0x18, 0xf, 0x38, 0x29, 0xf6, 0x67, 0xf2, 0x6e, 0x16, 0x4d, 0xa6, 0x8d, 0x70, 0x96, 0x8e, 0x3e, 0xf1, 0x74, 0x76, 0x20, 0xc, 0x18, 0x19, 0xbc, 0xdb, 0x8f, 0xae, 0x33, 0xa7, 0x9, 0x2e, 0x11, 0x1e, 0xb7, 0xae, 0x6a, 0x54, 0x75, 0x66, 0x99, 0xc7, 0xb1, 0x1, 0xe1, 0xf1, 0x2a, 0x43, 0x79, 0xc6, 0xde, 0x2d, 0xde, 0x8f, 0x55, 0xeb, 0xd5, 0x3f, 0x75, 0x57, 0x53, 0x1f, 0x2d, 0x39, 0x81, 0x8a, 0x15, 0xe1, 0x3a, 0x97, 0x6b, 0xa7, 0xa7, 0x91, 0x99, 0x89, 0x4a, 0xff, 0xbb, 0x6f, 0x41, 0xcf, 0x9d, 0x4a, 0xd, 0xfd, 0xfd, 0x65, 0x9e, 0x12, 0xdf, 0x4d, 0x94, 0x48, 0x9e, 0xc2, 0x7b, 0x66, 0x68, 0x85, 0x3c, 0xd9, 0x92, 0x1a, 0xbc, 0xe2, 0xdf, 0x98, 0x6e, 0x5, 0x69, 0x3c, 0x27, 0xb8, 0xa6, 0xfa, 0xcd, 0x18, 0xe4, 0xfc, 0x69, 0x9f, 0xc6, 0x61, 0x50, 0x23, 0xd8, 0x6b, 0x60, 0x27, 0x5e, 0xf7, 0x6a, 0xa0, 0x95, 0xd4, 0x42, 0x1f, 0x3a, 0x87, 0x6d, 0x5, 0xd5, 0xd3, 0x8e, 0x6a, 0x5b, 0xb2, 0x6a, 0x41, 0x28, 0x55, 0xaf, 0x23, 0x45, 0x1a, 0x2b, 0xc7, 0xff, 0xc0, 0xc6, 0x3, 0x9e, 0xc9, 0x21, 0x7b, 0x82, 0x18, 0xab, 0x1b, 0x69, 0x34, 0x90, 0x48, 0x86, 0xe, 0x6, 0x98, 0xf3, 0xc7, 0x93, 0xf, 0xf9, 0x7, 0x52, 0xb, 0xd1, 0xf8, 0x82, 0xcb, 0x96, 0x4a, 0x9f, 0xe3, 0xf9, 0xd0, 0x3a, 0x79, 0xcd, 0x71, 0xdd, 0xf5, 0x54, 0x3a, 0xfc, 0xd2, 0x35, 0xf4, 0x84, 0x7f, 0x78, 0x33, 0x8e, 0x5b, 0xc5, 0x3, 0x4b, 0x73, 0x46, 0x38, 0xa6, 0x75, 0xf9, 0x42, 0xef, 0xf0, 0xb9, 0x51, 0x50, 0xf7, 0x4, 0x73, 0xff, 0xc2, 0x87, 0x1c, 0x74, 0xdc, 0xa1, 0xac, 0x18, 0x80, 0xfe, 0x4b, 0x2d, 0xa7, 0x20, 0xf1, 0x56, 0x2c, 0x73, 0x3e, 0x5, 0x3d, 0x3b, 0x82, 0xfd, 0x16, 0xca, 0x37, 0x75, 0xe4, 0xcf, 0xbc, 0x11, 0x6b, 0x99, 0x5a, 0x1b, 0x74, 0x9c, 0x6c, 0xdf, 0xfa, 0xc3, 0x4f, 0x90, 0xc7, 0x32, 0x73, 0xee, 0x6a, 0x63, 0xe3, 0xc7, 0x45, 0x3f, 0xa2, 0x14, 0xaa, 0xd9, 0x91, 0xf0, 0xc3, 0x59, 0x86, 0xc3, 0x40, 0x85, 0x2d, 0xb1, 0x5d, 0x5e, 0x99, 0x4a, 0x8a, 0x59, 0xa5, 0xf3, 0xec, 0x3b, 0xa5, 0x20, 0x95, 0xa9, 0xea, 0xb1, 0x17, 0x4b, 0x53, 0x56, 0x3c, 0xe0, 0x4, 0xbf, 0xa4, 0xdc, 0xd3, 0x9e, 0x68, 0x62, 0xd5, 0xd8, 0x3a, 0x56, 0x6c, 0x71, 0xe7, 0x78, 0x61, 0x1d, 0xa4, 0x77, 0xba, 0x27, 0x8e, 0xff, 0xa1, 0x68, 0x40, 0xc, 0xc8, 0xe4, 0x3d, 0xf6, 0x13, 0xa, 0x99, 0x10, 0x1, 0x75, 0xf3, 0x46, 0x1d, 0xa6, 0x21, 0x35, 0xf3, 0x7b, 0xbb, 0x65, 0xb3, 0x10, 0x8e, 0x21, 0xff, 0xa, 0x75, 0xea, 0xd7, 0xf, 0x4, 0x18, 0x2, 0x81, 0x25, 0xa9, 0xb3, 0xa4, 0x8a, 0xfd, 0xa3, 0x5, 0xe6, 0xb4, 0x3d, 0x9b, 0x5f, 0xe7, 0x29, 0xb8, 0xfb, 0xe5, 0x53, 0x4d, 0xa5, 0x75, 0xdc, 0x6b, 0xe3, 0x17, 0x27, 0xd5, 0x2, 0xdc, 0xa5, 0x4, 0xc2, 0x2e, 0xa4, 0xe9, 0x2f, 0x50, 0xaf, 0x86, 0x82, 0xe3, 0x30, 0x26, 0xfb, 0xe8, 0x67, 0x88, 0x9b, 0x88, 0xc9, 0xbe, 0x6e, 0x5c, 0x84, 0xbf, 0x8d, 0xc9, 0x47, 0xcb, 0xf2, 0x91, 0xf4, 0x54, 0x12, 0x2a, 0xc, 0x79, 0xba, 0x1f, 0x9, 0xa3, 0x8b, 0x70, 0xf, 0xc2, 0x78, 0xfd, 0xf6, 0xd7, 0x17, 0x5e, 0xde, 0xac, 0x30, 0xac, 0x69, 0xa5, 0xd7, 0xb4, 0x52, 0x68, 0xd0, 0x96, 0xf9, 0xd0, 0x54, 0xae, 0x9, 0x46, 0xb5, 0x4b, 0x1d, 0xe5, 0x61, 0xd0, 0xae, 0xd, 0x17, 0x7d, 0xa3, 0x3f, 0x41, 0xfb, 0xb8, 0x34, 0x84, 0x86, 0xa8, 0x62, 0xf1, 0x64, 0xfb, 0x9e, 0xbd, 0xac, 0xa2, 0x99, 0xf2, 0xe1, 0x48, 0x64, 0x5e, 0x1a, 0x5c, 0xb7, 0x69, 0xa0, 0xb5, 0x42, 0x1a, 0x95, 0x99, 0xfa, 0xe7, 0x26, 0x3b, 0x2f, 0x89, 0x6e, 0x95, 0x6d, 0x47, 0x52, 0x87, 0xda, 0x60, 0x98, 0x70, 0xf4, 0xa3, 0xdd, 0x82, 0x24, 0x79, 0x51, 0xd1, 0x3a, 0xf0, 0x82, 0x7d, 0x1, 0xe3, 0x10, 0x41, 0xd6, 0xe4, 0x14, 0xd4, 0xfa, 0x2c, 0x8d, 0x92, 0x14, 0x24, 0x2b, 0xd0, 0x2e, 0x58, 0x5f, 0x15, 0x2b, 0xf1, 0x1b, 0x82, 0xcb, 0x1b, 0x14, 0x1a, 0x48, 0xda, 0xf5, 0x81, 0x4f, 0x70, 0xc7, 0xe3, 0x12, 0x81, 0x83, 0xff, 0x9f, 0xe5, 0x5d, 0x9c, 0xe4, 0x94, 0xc8, 0xbe, 0x5b, 0x32, 0x32, 0x5, 0x11, 0xc4, 0x88, 0x4d, 0x45, 0xcc, 0x51, 0xd0, 0xa0, 0x1b, 0x53, 0x8e, 0x1f, 0x9c, 0xb8, 0x6d, 0x4f, 0x44, 0x3a, 0x56, 0xca, 0xd6, 0x3f, 0xfe, 0x34, 0xb9, 0x8a, 0xda, 0x58, 0x15, 0x22, 0x5c, 0x7f, 0xa1, 0xf0, 0x74, 0x94, 0x6d, 0x1, 0x45, 0x84, 0xa, 0x8a, 0x7d, 0xcb, 0x61, 0x4d, 0xd3, 0x17, 0x19, 0x40, 0x47, 0x1c, 0x10, 0x39, 0x9d, 0x8e, 0xfb, 0xee, 0x2c, 0xd5, 0x29, 0x26, 0xff, 0xca, 0x2b, 0x2c, 0x62, 0xc1, 0x32, 0x3e, 0xcf, 0xf9, 0x5, 0x1a, 0x7, 0xe9, 0x3c, 0x5e, 0xb9, 0xd4, 0x8c, 0x43, 0x94, 0x15, 0x1f, 0xa6, 0xbc, 0xfb, 0xdf, 0xde, 0xaa, 0x4, 0xa6, 0xe6, 0xb6, 0x1e, 0x40, 0x49, 0xe1, 0x68, 0xf4, 0x27, 0x30, 0x85, 0x9c, 0xda, 0xab, 0xdf, 0x2a, 0x32, 0x1d, 0x22, 0x9a, 0x17, 0xcb, 0xb7, 0xf6, 0xa9, 0x8e, 0xed, 0xcc, 0x4d, 0x93, 0xb7, 0x4d, 0x76, 0x7b, 0xdc, 0xd, 0x18, 0x9, 0x5e, 0x40, 0x39, 0xb1, 0xfc, 0xdd, 0xc2, 0x7d, 0xb4, 0xbf, 0xa6, 0x29, 0x66, 0x5e, 0x91, 0x5a, 0x9f, 0x4e, 0x5e, 0xc5, 0xbf, 0x1e, 0x44, 0x4, 0x62, 0x37, 0x9d, 0xdb, 0xb1, 0x53, 0x5f, 0xc, 0x93, 0xcf, 0x68, 0x2d, 0xf8, 0xb1, 0x5, 0xb6, 0xcb, 0x42, 0xa1, 0xd3, 0x17, 0xf2, 0x80, 0x87, 0x30, 0xea, 0x44, 0x59, 0xdd, 0xe4, 0xf5, 0x45, 0x38, 0x61, 0xe7, 0x8d, 0xdc, 0xa3, 0xd7, 0x24, 0x76, 0x7d, 0xba, 0xea, 0x6b, 0x1e, 0xf1, 0x4d, 0x30, 0xfd, 0x9a, 0x70, 0x1e, 0x56, 0x4, 0x17, 0x2, 0x76, 0x43, 0x36, 0x95, 0x64, 0x4b, 0xf9, 0xc8, 0x3a, 0x4b, 0x20, 0xbf, 0x68, 0xca, 0x80, 0x56, 0x7c, 0xaf, 0x53, 0x4e, 0x74, 0x75, 0xc6, 0xe0, 0x4a, 0x7, 0x26, 0x5, 0xf6, 0x2a, 0xd9, 0xec, 0xf8, 0xce, 0xd8, 0x95, 0x5a, 0x74, 0xd1, 0x6c, 0x7a, 0xfa, 0xb9, 0xe6, 0xe4, 0xc3, 0x25, 0xa3, 0x3d, 0x6d, 0x54, 0x3d, 0xae, 0x3a, 0xe9, 0x9a, 0x1d, 0x69, 0x57, 0x1f, 0x33, 0x1a, 0x2e, 0x9d, 0xfe, 0xf3, 0x91, 0xe8, 0x35, 0x3d, 0x6, 0xac, 0x3f, 0x9, 0x30, 0xd4, 0x27, 0xa3, 0x13, 0x55, 0x12, 0x9b, 0xa5, 0xed, 0x8f, 0xf1, 0x36, 0x55, 0xf3, 0x34, 0x21, 0xdc, 0x86, 0x2, 0x21, 0x5c, 0x2c, 0xfe, 0x51, 0xaa, 0x8c, 0x65, 0xab, 0x1c, 0xee, 0xaa, 0x68, 0x3f, 0x92, 0x72, 0x35, 0xf9, 0xb, 0xa0, 0x23, 0x5a, 0xed, 0xab, 0xfd, 0x7e, 0x39, 0x6f, 0x62, 0x9a, 0xe3, 0x78, 0x9d, 0x19, 0xf3, 0x3b, 0x2b, 0xfe, 0x45, 0xc3, 0xbb, 0x71, 0x77, 0xaf, 0xa2, 0xb7, 0x2c, 0x80, 0x59, 0x1e, 0x7a, 0x82, 0x19, 0x3d, 0x1c, 0xa5, 0x87, 0xb4, 0x15, 0xbc, 0x3b, 0x82, 0x22, 0xa4, 0xd0, 0x99, 0xf2, 0x39, 0x61, 0x85, 0xfb, 0xc6, 0x56, 0xf4, 0x65, 0xdf, 0xc3, 0x9a, 0xd6, 0x8b, 0x1f, 0x70, 0xc6, 0x65, 0xdf, 0xad, 0x87, 0xdf, 0x58, 0x37, 0x1e, 0x32, 0x9f, 0x14, 0xba, 0x7e, 0x1b, 0x72, 0x14, 0xf7, 0xec, 0xb1, 0x2a, 0x31, 0xa3, 0x31, 0x98, 0xf0, 0x7d, 0xe1, 0x81, 0xd5, 0xc4, 0xd5, 0xec, 0xd6, 0x2f, 0xdb, 0xb3, 0xa1, 0xce, 0x8f, 0x6f, 0x99, 0x2, 0xfd, 0x4f, 0xf1, 0x82, 0x78, 0x3e, 0xa6, 0x9f, 0xe2, 0xdc, 0xca, 0xc6, 0x7, 0x35, 0xdc, 0xf6, 0xc9, 0xd0, 0xbe, 0x82, 0xb8, 0x6f, 0x2d, 0xf2, 0x46, 0x2c, 0xe5, 0x18, 0xd1, 0x5b, 0x75, 0x45, 0x1a, 0xcf, 0x8, 0x46, 0x7c, 0x27, 0x7c, 0x2c, 0x9f, 0xc2, 0x12, 0x80, 0x56, 0x32, 0xdf, 0xcb, 0x7c, 0xe, 0x9b, 0x72, 0x61, 0xdd, 0xae, 0xb0, 0xfc, 0xbf, 0x5d, 0xd7, 0xf7, 0x9e, 0xca, 0xa2, 0x7c, 0x62, 0xf, 0x64, 0x6f, 0xb1, 0xec, 0x8f, 0xf5, 0x46, 0x19, 0xf5, 0x39, 0x2b, 0xb9, 0x74, 0xe2, 0x44, 0xaf, 0x88, 0x62, 0x4, 0xfc, 0x4d, 0x7f, 0xe5, 0x29, 0xc3, 0xea, 0x2a, 0xf3, 0x91, 0xa, 0x31, 0xba, 0xaa, 0xd6, 0x4b, 0x27, 0xad, 0x43, 0xf9, 0x84, 0x68, 0xf, 0x40, 0x16, 0x9a, 0x71, 0x20, 0x1e, 0xf9, 0xda, 0xf6, 0x29, 0x5d, 0x68, 0x52, 0x9d, 0xe4, 0x27, 0x33, 0xcc, 0xc1, 0x5e, 0x59, 0xa0, 0x54, 0x3b, 0x96, 0xde, 0xf4, 0x38, 0xb3, 0xfd, 0xbc, 0xef, 0xe5, 0x15, 0x0, 0xe, 0xa6, 0x8d, 0xbb, 0x4d, 0xd9, 0x23, 0x7d, 0x17, 0xad, 0x17, 0xa6, 0x97, 0xa2, 0x4a, 0x72, 0x98, 0x8e, 0x55, 0xb6, 0xfd, 0x5b, 0x88, 0xf0, 0x30, 0x96, 0x9a, 0x89, 0xc7, 0x8a, 0xa2, 0xf7, 0xf9, 0x12, 0xc1, 0x2d, 0x87, 0xc8, 0x8a, 0xae, 0xd2, 0x59, 0xc4, 0xc3, 0x73, 0xca, 0x42, 0x6, 0xfa, 0xd6, 0xc8, 0xdf, 0xe7, 0x81, 0x69, 0x29, 0x15, 0x4a, 0xb9, 0xb5, 0x1f, 0x50, 0x44, 0xcd, 0x67, 0x37, 0xfd, 0xdd, 0xe, 0xf1, 0x1c, 0xc7, 0xe, 0xc7, 0xdd, 0x8e, 0x9a, 0xb3, 0xee, 0xe5, 0xc7, 0x28, 0x50, 0xd9, 0x81, 0x3d, 0x8e, 0xac, 0x2, 0x5d, 0xe3, 0xb0, 0x70, 0x72, 0xf1, 0x88, 0x0, 0xe3, 0x1f, 0x88, 0xe1, 0xab, 0x1f, 0x4, 0xec, 0xaa, 0x7f, 0x9e, 0xd9, 0xb8, 0x71, 0xcf, 0x62, 0xc2, 0x22, 0xf2, 0xe0, 0xa7, 0xde, 0x43, 0x50, 0x42, 0x51, 0xe6, 0x72, 0xac, 0x42, 0x9d, 0x30, 0x30, 0xcd, 0x16, 0x92, 0xdd, 0x9d, 0xfe, 0x94, 0xec, 0xfe, 0x87, 0xf, 0x7d, 0x9c, 0x53, 0xd6, 0xd7, 0xc7, 0x2a, 0x43, 0x7c, 0xa5, 0xc5, 0x3, 0x10, 0xda, 0x7f, 0x32, 0xf0, 0x2c, 0x69, 0x72, 0xde, 0x98, 0x6, 0x28, 0x5f, 0xc8, 0x28, 0xec, 0xb1, 0x83, 0xc2, 0x7e, 0x46, 0xfb, 0x31, 0x23, 0x77, 0xa4, 0x57, 0xe4, 0xea, 0x8e, 0x15, 0xa0, 0x5, 0xdc, 0x6d, 0xee, 0xdb, 0x57, 0x98, 0xd1, 0x71, 0x16, 0xc4, 0x18, 0x24, 0x52, 0x26, 0xb3, 0x58, 0xd, 0x2c, 0x3c, 0x7e, 0xfc, 0xfd, 0x3f, 0xda, 0x7c, 0xee, 0x26, 0x54, 0x52, 0x3a, 0x3a, 0xa8, 0xc3, 0x2, 0xdf, 0x69, 0x8, 0x1b, 0x34, 0xc8, 0xbf, 0x3b, 0x72, 0x42, 0xbf, 0x23, 0xa0, 0x91, 0x26, 0x45, 0x14, 0x2a, 0x0, 0x15, 0x3d, 0x30, 0xfa, 0xed, 0x85, 0x4c, 0x32, 0xf7, 0x5e, 0xda, 0xf3, 0xd4, 0x87, 0x54, 0x65, 0x97, 0x25, 0x86, 0xc, 0xb5, 0xdc, 0xc0, 0x5b, 0x2f, 0x35, 0x6c, 0xa9, 0x32, 0x48, 0xb0, 0x27, 0x69, 0x8f, 0x4c, 0xf9, 0xf2, 0x55, 0xba, 0xe1, 0x8e, 0xd0, 0xfa, 0x45, 0x4b, 0x34, 0x99, 0x6f, 0x99, 0x6a, 0x5d, 0x45, 0xaa, 0xa8, 0x8d, 0xcb, 0x33, 0xe1, 0xf7, 0xc1, 0x8d, 0x75, 0xec, 0x21, 0x7, 0x5d, 0x39, 0x35, 0x2a, 0x26, 0xe9, 0xe7, 0xca, 0xf3, 0x9e, 0xd5, 0x70, 0x66, 0x1d, 0x9d, 0xa4, 0x78, 0xb9, 0xe1, 0xc5, 0xc1, 0x63, 0xf, 0xde, 0x37, 0x1c, 0x7c, 0xcb, 0x69, 0xc, 0xc3, 0x72, 0x30, 0xe6, 0x50, 0xc8, 0x77, 0x52, 0x8a, 0x27, 0x1d, 0xe6, 0x3d, 0x6a, 0x1f, 0x8f, 0x5f, 0xf1, 0x84, 0xad, 0xa7, 0x2c, 0x59, 0x45, 0xbb, 0xa8, 0x46, 0xb8, 0x24, 0xd4, 0xe4, 0xee, 0xe3, 0x12, 0x19, 0x67, 0xfb, 0xe5, 0x79, 0x20, 0xa9, 0xa7, 0x6b, 0x5e, 0x72, 0xaa, 0x70, 0xeb, 0x1f, 0x33, 0xe1, 0x37, 0xd8, 0xf5, 0x7d, 0xf5, 0xcc, 0x80, 0x50, 0x21, 0x2e, 0xf7, 0x7f, 0x1d, 0xe0, 0xca, 0xe4, 0x7d, 0xa7, 0x12, 0x4, 0xe6, 0x3e, 0x24, 0xd9, 0x25, 0x90, 0x44, 0xdf, 0xac, 0x7c, 0xff, 0x6, 0x31, 0x5a, 0xef, 0x23, 0xcd, 0xf7, 0x75, 0xbe, 0xa8, 0xf7, 0xde, 0xd, 0x22, 0x78, 0x95, 0xbc, 0x8b, 0x66, 0x5e, 0x36, 0x86, 0x80, 0x98, 0xdc, 0xfb, 0xa5, 0xbd, 0xaa, 0xda, 0xdc, 0xa8, 0xad, 0xbe, 0x1f, 0x5f, 0x25, 0x4c, 0x6b, 0x14, 0xbc, 0xc3, 0xcf, 0x34, 0xcf, 0x29, 0xde, 0xfc, 0x9c, 0xe4, 0xd1, 0x85, 0x7e, 0x3e, 0x45, 0xbb, 0xac, 0xb5, 0x58, 0x23, 0xf9, 0x79, 0x96, 0xa0, 0x9c, 0xff, 0x23, 0x8, 0x24, 0x96, 0x2d, 0xfc, 0x15, 0x1e, 0xd1, 0x11, 0xc, 0xf7, 0xad, 0x65, 0x8d, 0x55, 0x1c, 0xce, 0xb0, 0xc, 0x23, 0xf7, 0x8c, 0x7, 0xb6, 0xbf, 0xb, 0x5, 0x4d, 0x53, 0x5b, 0x3b, 0x36, 0x16, 0xe, 0x13, 0xf1, 0x1e, 0xee, 0x82, 0x9e, 0x99, 0xb4, 0x7a, 0xaa, 0xe0, 0x27, 0x41, 0x2c, 0x36, 0x79, 0x2d, 0xac, 0x1d, 0xce, 0xb0, 0x6c, 0xbb, 0x91, 0x90, 0xc, 0x92, 0x67, 0x24, 0xdf, 0x23, 0x22, 0x63, 0x8d, 0x64, 0x1e, 0x28, 0x8f, 0x2e, 0xe3, 0xef, 0x9e, 0x7d, 0xf, 0xfd, 0xf4, 0x96, 0x2, 0xf1, 0x57, 0x55, 0x77, 0x36, 0xb4, 0x51, 0xea, 0xa3, 0x76, 0xca, 0x1d, 0x5, 0x8, 0x95, 0xfb, 0x60, 0x8f, 0xe9, 0xf3, 0xf1, 0xf7, 0x1c, 0x83, 0xea, 0x32, 0xff, 0x31, 0x4b, 0x71, 0x2c, 0x8d, 0xf1, 0x7b, 0x3e, 0x64, 0xca, 0x2a, 0x9d, 0x2e, 0x39, 0xc3, 0xb5, 0x64, 0x23, 0x2d, 0xdc, 0x6a, 0xcc, 0x9c, 0xfd, 0xa9, 0x9b, 0x1b, 0x72, 0xcc, 0xec, 0x97, 0x23, 0xfc, 0x34, 0x38, 0x83, 0xfa, 0x9a, 0xf3, 0x43, 0x69, 0x62, 0x85, 0x32, 0xa6, 0x22, 0x17, 0x95, 0x22, 0x10, 0xfc, 0x70, 0x41, 0xd5, 0x3d, 0xd6, 0x81, 0x6d, 0x2e, 0xcc, 0xae, 0x8f, 0xa5, 0x5f, 0x9f, 0x3b, 0x9a, 0x7d, 0xe7, 0x25, 0x87, 0x6c, 0xb6, 0xe0, 0xeb, 0x84, 0x63, 0xea, 0x5c, 0x23, 0x11, 0x4a, 0xe2, 0x45, 0x58, 0x18, 0xc1, 0xa8, 0x6, 0xb1, 0x93, 0xd0, 0xeb, 0x86, 0xb2, 0x37, 0x1, 0x7d, 0xc5, 0x8e, 0xb4, 0x2d, 0x18, 0x31, 0xf0, 0xb9, 0x33, 0xb2, 0x4, 0xf8, 0x32, 0x5d, 0x51, 0x26, 0xad, 0x3a, 0x9, 0xd4, 0xb1, 0xbb, 0x6, 0xec, 0xd1, 0x83, 0xd, 0xfe, 0x42, 0xa1, 0x88, 0xf8, 0x73, 0x5c, 0x24, 0x99, 0xc0, 0x95, 0x3b, 0x32, 0xcd, 0xed, 0x52, 0xaf, 0xd4, 0x26, 0xb1, 0xe6, 0x52, 0xcb, 0x8f, 0x1e, 0x2c, 0x2, 0xf8, 0x39, 0xd3, 0x6, 0x1, 0x4c, 0xac, 0x51, 0x5a, 0x50, 0xe1, 0xac, 0x44, 0xce, 0xe1, 0x89, 0xc5, 0x7c, 0xe9, 0x81, 0x43, 0xd9, 0xd3, 0xf8, 0xe0, 0xb8, 0xa4, 0xc5, 0x62, 0x11, 0x9b, 0xe9, 0x59, 0xf9, 0xc9, 0xe, 0xfd, 0xf7, 0x62, 0xd2, 0x90, 0xc9, 0x13, 0x3e, 0x28, 0xc9, 0x54, 0xc8, 0xfb, 0x85, 0x70, 0xdc, 0xae, 0xe7, 0xfd, 0x4, 0x2d, 0xcb, 0xbe, 0xdc, 0x47, 0x65, 0x77, 0x7d, 0x5, 0x5f, 0xfa, 0x76, 0x9a, 0x91, 0xf5, 0xbd, 0x8d, 0x54, 0xa0, 0x64, 0x7c, 0x1a, 0xa, 0xf7, 0xb7, 0x79, 0x3e, 0xb4, 0x9d, 0xdf, 0xc0, 0xc1, 0xd, 0xd6, 0x63, 0xfe, 0x51, 0xe2, 0x4a, 0xa, 0x6d, 0xbf, 0x8a, 0xc, 0x7f, 0x32, 0xe3, 0xd5, 0xe0, 0xe8, 0xce, 0x7e, 0x2b, 0x36, 0x0, 0x55, 0xff, 0x8, 0x50, 0x5, 0x5d, 0xf7, 0xe6, 0xa0, 0x3e, 0x4f, 0xc8, 0x4a, 0xf2, 0x2f, 0xb6, 0xde, 0x30, 0xb7, 0x16, 0x71, 0x5d, 0xfd, 0x69, 0x69, 0x93, 0x78, 0xe5, 0xe1, 0xd, 0x95, 0x6, 0x15, 0xd0, 0xc6, 0x2b, 0xf7, 0xe9, 0xe7, 0x63, 0x14, 0x2e, 0xa5, 0xec, 0x39, 0x1b, 0x41, 0x84, 0xa6, 0xff, 0x2f, 0x7f, 0x3, 0x7c, 0x30, 0x85, 0x3c, 0x67, 0xda, 0x91, 0x7f, 0x74, 0x0, 0xa6, 0xd6, 0xd0, 0xe9, 0x78, 0xcb, 0xc9, 0xe1, 0x43, 0x8d, 0xb0, 0xf5, 0xce, 0xb5, 0x27, 0x44, 0xc6, 0xc0, 0xf, 0xd6, 0x2f, 0xa, 0xa6, 0xa, 0x16, 0x1d, 0x5c, 0x7f, 0xcf, 0x17, 0x26, 0x12, 0x76, 0xda, 0x2, 0x60, 0x52, 0xe3, 0xee, 0x4e, 0x5d, 0xe2, 0xd6, 0xe9, 0x33, 0x35, 0xfd, 0xa, 0x5b, 0xfa, 0xb2, 0x88, 0x6f, 0x12, 0xb9, 0xb0, 0xb7, 0x6b, 0xe7, 0x66, 0x68, 0x85, 0x88, 0x99, 0x6a, 0x2e, 0x69, 0xca, 0x65, 0xdb, 0x49, 0x4f, 0x39, 0xdf, 0x3f, 0x6, 0xd6, 0xd8, 0x22, 0x91, 0x69, 0x29, 0x25, 0xcf, 0xc4, 0xd7, 0x3d, 0xbf, 0xbf, 0x15, 0xe8, 0x3b, 0xe1, 0xc8, 0x28, 0x53, 0xae, 0x8c, 0xf9, 0xd1, 0xdc, 0xed, 0xb2, 0xc4, 0x10, 0x5f, 0x37, 0xad, 0x6, 0xce, 0x5c, 0x7f, 0x8b, 0xeb, 0xd4, 0xef, 0xe1, 0xa2, 0x80, 0x45, 0x9f, 0x66, 0xb4, 0x99, 0x86, 0xbd, 0x5b, 0xd0, 0xf9, 0x93, 0xd5, 0x13, 0x6d, 0x97, 0xe7, 0xc9, 0xa4, 0x28, 0x55, 0xd3, 0x28, 0x7e, 0x1c, 0x95, 0xe0, 0x23, 0x39, 0x77, 0xb5, 0x6b, 0x3f, 0x90, 0x37, 0x29, 0xb9, 0x7f, 0x4e, 0x84, 0x4d, 0xed, 0x84, 0xc9, 0x69, 0x82, 0x8a, 0x2e, 0x4a, 0x17, 0xb2, 0x54, 0xd3, 0x36, 0x41, 0x2c, 0xfb, 0xdd, 0x4a, 0xbd, 0x25, 0xe1, 0x26, 0x4b, 0x14, 0xde, 0xf4, 0x2d, 0xf7, 0xfd, 0x1a, 0x10, 0xe6, 0xb0, 0x9d, 0xaa, 0xd0, 0xb8, 0xd1, 0x9b, 0xe4, 0xaa, 0xef, 0x45, 0x44, 0xb2, 0x93, 0x15, 0x33, 0xee, 0x4e, 0xc5, 0x5d, 0xb, 0xf1, 0x4b, 0x9, 0xb9, 0xe3, 0x35, 0xfa, 0xd2, 0xd6, 0x2b, 0xc4, 0x6a, 0x7d, 0x56, 0xdb, 0xae, 0x96, 0x1f, 0xbb, 0x68, 0x64, 0xf8, 0x6d, 0x8e, 0xb2, 0x43, 0x48, 0x1a, 0x5b, 0xfe, 0xe, 0x40, 0xb2, 0x79, 0x63, 0x5, 0xbb, 0x1b, 0x96, 0x6b, 0xa2, 0xa6, 0x70, 0xf0, 0xf5, 0xca, 0xb6, 0x39, 0x6e, 0x8e, 0x32, 0xd, 0x6c, 0x68, 0x70, 0xd3, 0xc8, 0x5f, 0x89, 0xcf, 0x6, 0xda, 0x80, 0xc9, 0xfd, 0x63, 0xb3, 0x10, 0x88, 0x4d, 0x80, 0xc3, 0x89, 0xa0, 0x3e, 0x89, 0xf, 0xa, 0x66, 0x9, 0x9b, 0x0, 0xc9, 0xaa, 0x23, 0x58, 0xa2, 0xe5, 0xf5, 0x81, 0xa6, 0x7b, 0x2d, 0x26, 0xb2, 0x3a, 0x86, 0x13, 0x34, 0x8c, 0xc, 0xc3, 0x4f, 0xf7, 0x59, 0x20, 0xc3, 0xb7, 0x44, 0x15, 0x69, 0x34, 0x61, 0x1c, 0xb2, 0x76, 0xf2, 0x5c, 0xf6, 0xba, 0xda, 0x4, 0x51, 0x2a, 0x6b, 0xa9, 0xe3, 0x2f, 0xe4, 0x3e, 0xa4, 0x9, 0xd1, 0x8, 0xbb, 0x70, 0x16, 0x7f, 0x20, 0x7b, 0x87, 0x22, 0xbe, 0x91, 0x52, 0x61, 0x4e, 0x88, 0xd1, 0xd, 0x9b, 0xbf, 0xc2, 0xa3, 0x97, 0xdc, 0xe8, 0x5a, 0x62, 0xe8, 0x86, 0x9b, 0x43, 0xf7, 0x4e, 0x58, 0x8, 0xff, 0x98, 0xd8, 0xdc, 0xa5, 0x90, 0x71, 0xde, 0x3d, 0xee, 0x58, 0x20, 0x40, 0x6c, 0x28, 0x26, 0xc1, 0xb1, 0x87, 0x5f, 0x17, 0xb2, 0xb0, 0x3d, 0xb5, 0x6d, 0x2a, 0x10, 0x71, 0x47, 0x33, 0xcc, 0x61, 0x68, 0x91, 0xf9, 0x69, 0x2d, 0xa5, 0x85, 0x13, 0xa8, 0x4f, 0xda, 0xa4, 0x69, 0x54, 0x59, 0x2f, 0x50, 0x38, 0x33, 0x6e, 0x78, 0xd7, 0x1d, 0xc5, 0x3a, 0x96, 0x53, 0x28, 0xef, 0xb8, 0x34, 0x25, 0x1b, 0x89, 0x1a, 0xf8, 0x19, 0xf0, 0xc0, 0x75, 0xd7, 0x4b, 0x4f, 0xc, 0x97, 0x19, 0xb6, 0x81, 0xf6, 0x19, 0xbe, 0xf3, 0x5a, 0x2a, 0x8c, 0x28, 0x17, 0xec, 0x98, 0x4, 0xdb, 0x63, 0x94, 0xb1, 0xf, 0x77, 0x2f, 0x54, 0xe9, 0x9d, 0xd9, 0x5e, 0x53, 0xd7, 0x4c, 0x20, 0xc6, 0xc1, 0x97, 0xfc, 0xce, 0x9, 0x3f, 0x48, 0xc4, 0xb6, 0xd3, 0xf8, 0xb4, 0x63, 0x5a, 0x15, 0xaf, 0x25, 0xd7, 0xec, 0x20, 0x1e, 0xc0, 0x4f, 0xd2, 0x95, 0xc, 0x1f, 0x12, 0xe7, 0x9a, 0x94, 0x74, 0xd3, 0xdf, 0xec, 0xb7, 0x77, 0xec, 0x72, 0xdb, 0x6d, 0x7d, 0xae, 0xa4, 0x53, 0x3, 0x3b, 0x9d, 0x7, 0xfe, 0xab, 0x9e, 0xf3, 0x1, 0x78, 0xc2, 0x62, 0xeb, 0xaa, 0xa4, 0xb3, 0xa, 0x34, 0x39, 0xde, 0x27, 0x8d, 0xca, 0x82, 0xa9, 0x20, 0x75, 0xd1, 0xfb, 0xed, 0xc6, 0xbd, 0xe4, 0xc2, 0x7e, 0x81, 0x58, 0x13, 0xac, 0xc6, 0x31, 0xde, 0x78, 0x2d, 0x31, 0xa6, 0x2e, 0x20, 0x9, 0x76, 0xbf, 0x83, 0x94, 0xe1, 0xd8, 0xc6, 0x22, 0xb6, 0xb8, 0x4a, 0xf6, 0x74, 0xde, 0x80, 0xe5, 0x9c, 0x58, 0xdf, 0xdd, 0xd2, 0xc8, 0x6a, 0x2e, 0xa, 0xe7, 0x66, 0x30, 0x5, 0x5c, 0x6e, 0x10, 0x43, 0x5a, 0x6b, 0x9c, 0x8c, 0x9b, 0xe5, 0xed, 0xf5, 0xc6, 0xd3, 0x52, 0xae, 0xc9, 0xce, 0xfc, 0xc3, 0xa5, 0xd6, 0x30, 0xef, 0xa9, 0xc0, 0x4f, 0x22, 0x7c, 0xec, 0xed, 0xed, 0x6c, 0xc1, 0x95, 0x83, 0xf0, 0xf, 0x19, 0xde, 0xf, 0xde, 0x94, 0x8f, 0xec, 0x12, 0xbe, 0x33, 0x34, 0x2d, 0x85, 0xb8, 0x1a, 0x13, 0xd, 0x2a, 0xa9, 0x98, 0xee, 0x36, 0x33, 0xfa, 0xe0, 0x45, 0xd7, 0xa4, 0x66, 0xef, 0xee, 0x80, 0x7d, 0xd3, 0x19, 0x1, 0xba, 0x1b, 0x53, 0x12, 0xb6, 0x15, 0xfe, 0x51, 0xb3, 0xc1, 0x70, 0xe7, 0x86, 0x97, 0xa3, 0xd5, 0x82, 0xf8, 0xd6, 0xba, 0xaf, 0x10, 0x1, 0xbf, 0xd, 0xb8, 0x1c, 0x5f, 0x1e, 0x3d, 0x6, 0x79, 0x9f, 0xc0, 0x8a, 0x13, 0x25, 0x56, 0xa1, 0x46, 0x27, 0x2f, 0xd2, 0x9e, 0x8, 0x91, 0x12, 0x70, 0x85, 0x7e, 0xe0, 0xac, 0x42, 0xa8, 0x61, 0x40, 0x19, 0xd9, 0x3e, 0x79, 0x94, 0x85, 0xa4, 0xf4, 0xd7, 0xd6, 0x3e, 0xe8, 0x30, 0x4d, 0xff, 0xee, 0xf9, 0x69, 0x72, 0xec, 0x9e, 0x5, 0x80, 0x9d, 0xc, 0x59, 0xba, 0xac, 0x90, 0xd1, 0xb9, 0x79, 0x1e, 0x58, 0xa4, 0xec, 0x5f, 0x1e, 0x6a, 0x50, 0x1d, 0x27, 0x54, 0xbe, 0x8f, 0xa7, 0xcf, 0x39, 0x24, 0x8e, 0x2c, 0x2b, 0xa3, 0xde, 0x8d, 0x8b, 0x7d, 0x5d, 0x1b, 0x8d, 0x19, 0xfb, 0x37, 0xab, 0x8d, 0x7, 0x11, 0x2c, 0xf3, 0x74, 0x38, 0xb9, 0x42, 0x6d, 0xcb, 0x5f, 0xf1, 0x84, 0x4f, 0xf9, 0x41, 0x4f, 0xb7, 0xdd, 0x91, 0xb2, 0x24, 0x15, 0x27, 0xa, 0x54, 0x64, 0x6a, 0x64, 0x5a, 0x8b, 0x75, 0x12, 0xc, 0xa, 0x95, 0x80, 0x95, 0xce, 0x3d, 0x93, 0x37, 0xf2, 0xf9, 0x32, 0xce, 0xf8, 0x2c, 0xab, 0xd0, 0xed, 0xc8, 0x4e, 0xb, 0xdd, 0x73, 0x73, 0xc1, 0x71, 0x16, 0xc6, 0x54, 0xa0, 0x44, 0x14, 0x82, 0xa2, 0x37, 0xf1, 0x53, 0x8b, 0x4e, 0x1b, 0xa, 0x76, 0x81, 0x9e, 0x3b, 0xf9, 0xf9, 0x24, 0x42, 0xc0, 0xa6, 0x3c, 0x1e, 0x67, 0xcf, 0x34, 0x4b, 0x78, 0x18, 0x94, 0xb9, 0xa9, 0xcd, 0xd2, 0xec, 0xbb, 0x81, 0x48, 0x38, 0xab, 0xb2, 0x79, 0x19, 0x83, 0x38, 0x2d, 0x3c, 0xe0, 0xf2, 0xb7, 0xfe, 0x54, 0xef, 0xb7, 0x46, 0x10, 0xae, 0x7e, 0x35, 0xc6, 0xef, 0xe4, 0x32, 0x29, 0x61, 0x29, 0x49, 0x70, 0xe6, 0x17, 0x5b, 0x35, 0xb1, 0xd4, 0x5, 0x3, 0xa2, 0x56, 0xa1, 0xb4, 0x58, 0x6a, 0x13, 0xa9, 0x88, 0xec, 0x75, 0xd2, 0xb4, 0x85, 0x99, 0x37, 0xbc, 0x8b, 0x33, 0xaf, 0x6e, 0x31, 0x91, 0x8b, 0x71, 0x9, 0xa5, 0x52, 0xd1, 0x7a, 0x9a, 0x22, 0x61, 0xe9, 0x7a, 0x15, 0x45, 0xc4, 0xf7, 0x9, 0x11, 0xfa, 0x88, 0x80, 0xfb, 0xa7, 0x7c, 0x19, 0xcf, 0xc5, 0x96, 0xdc, 0x4d, 0x47, 0x72, 0x42, 0x1, 0x76, 0x71, 0x77, 0x30, 0xa, 0x55, 0xd2, 0xa2, 0x1d, 0xf7, 0xc, 0x4d, 0x98, 0x98, 0x46, 0x53, 0xc6, 0xaa, 0x2a, 0x3a, 0xb8, 0x37, 0xe9, 0x6c, 0x9b, 0x8d, 0xf3, 0x5a, 0xc3, 0x1d, 0xf9, 0xe9, 0x99, 0x28, 0xbf, 0xc8, 0x83, 0xad, 0x98, 0x25, 0x16, 0x6c, 0x53, 0xb5, 0xc9, 0x6a, 0x70, 0x8e, 0x2c, 0x5c, 0xf8, 0xd, 0x14, 0x42, 0xde, 0x2b, 0x63, 0x7a, 0x8a, 0x5, 0xf4, 0x39, 0xb8, 0x4f, 0x31, 0x12, 0xf5, 0x47, 0x2a, 0x57, 0x10, 0x7c, 0x4e, 0x82, 0x89, 0x19, 0x23, 0x26, 0x88, 0x87, 0x4a, 0x56, 0xe1, 0x16, 0x20, 0x3d, 0x29, 0xa8, 0x76, 0x45, 0xc0, 0x18, 0xf8, 0xc0, 0x11, 0xcb, 0x31, 0xc6, 0x40, 0x97, 0x7d, 0x1e, 0xb9, 0x83, 0xa0, 0xce, 0xff, 0xcb, 0xd0, 0x23, 0xcb, 0xbd, 0x98, 0xdc, 0x88, 0xf6, 0x95, 0x74, 0xdc, 0x40, 0xfc, 0x4a, 0x4c, 0x12, 0xd7, 0xc, 0x49, 0x26, 0x5c, 0x77, 0x18, 0x1f, 0x84, 0xec, 0x51, 0xe6, 0x4a, 0xaf, 0xfd, 0xb4, 0xc3, 0xa6, 0x3e, 0x39, 0xd, 0x8e, 0x33, 0x7f, 0x43, 0x33, 0x1f, 0x1e, 0xb5, 0xe7, 0x53, 0x60, 0x2b, 0x83, 0xfb, 0x39, 0xd5, 0x14, 0x9e, 0x61, 0xda, 0x2, 0xe7, 0x46, 0xe0, 0xf6, 0xee, 0xcd, 0xd1, 0xac, 0x9c, 0x85, 0xc8, 0xbf, 0x94, 0x90, 0x2a, 0xfd, 0xbd, 0x64, 0x1e, 0x4d, 0xc5, 0xf, 0xc6, 0xac, 0x58, 0x85, 0x1e, 0x72, 0x27, 0xaf, 0x8f, 0x84, 0x92, 0x39, 0x9, 0xd0, 0x4c, 0xa1, 0xda, 0xcb, 0x8f, 0x7a, 0xc2, 0xb9, 0xa4, 0x0, 0x9, 0x12, 0xe6, 0x6d, 0x28, 0x8f, 0xcf, 0x20, 0x1b, 0x2b, 0x19, 0xbd, 0x83, 0xbe, 0xd9, 0x68, 0x1, 0xb9, 0x56, 0x23, 0x8a, 0xa4, 0x49, 0x4a, 0x94, 0x7a, 0x1e, 0xce, 0x7d, 0x0, 0x62, 0x44, 0xe7, 0x9c, 0xb9, 0x63, 0xb7, 0xf5, 0xb5, 0x4c, 0xa5, 0x48, 0xab, 0xb8, 0xe7, 0xdd, 0x5e, 0xf5, 0xd2, 0x73, 0xc6, 0x9e, 0xda, 0xef, 0xfa, 0x8c, 0x74, 0x7f, 0x56, 0xd1, 0xec, 0xbc, 0x87, 0x8, 0x6b, 0x1b, 0x38, 0x46, 0xc2, 0xf3, 0x78, 0xe1, 0xce, 0x97, 0x44, 0x69, 0xcb, 0x66, 0x62, 0x1e, 0xe3, 0x25, 0x65, 0x5e, 0x13, 0x64, 0x7d, 0x69, 0x26, 0xde, 0x31, 0x59, 0x7a, 0x50, 0x93, 0x1a, 0x2, 0x55, 0x2b, 0x14, 0xcf, 0x6, 0x3c, 0x8d, 0x87, 0x11, 0xcd, 0xb4, 0x40, 0x3f, 0xec, 0x91, 0x6a, 0xe7, 0x70, 0xdf, 0xc2, 0x53, 0x75, 0x4e, 0xad, 0x81, 0x4e, 0x48, 0x6e, 0x9d, 0x2e, 0x27, 0xb5, 0x87, 0xf, 0x83, 0x4a, 0x51, 0xff, 0xc6, 0xe5, 0x93, 0x1c, 0xea, 0x8e, 0x2a, 0x19, 0xc4, 0xdc, 0x2a, 0xcc, 0x67, 0x5a, 0x53, 0xf4, 0x42, 0xe2, 0x27, 0x7e, 0xc7, 0x99, 0x51, 0xc0, 0xd0, 0xf2, 0x9c, 0xda, 0x8c, 0x54, 0x84, 0xe7, 0xfa, 0x22, 0xbc, 0x2f, 0x50, 0x82, 0xa1, 0x72, 0xf5, 0xdf, 0xa9, 0xbd, 0xc0, 0x72, 0xb3, 0x58, 0x61, 0xb8, 0x71, 0x9b, 0x5f, 0x7, 0xdd, 0x82, 0x2b, 0x59, 0x3a, 0xf3, 0xe0, 0x2e, 0x3, 0x23, 0x95, 0x35, 0x27, 0x30, 0x76, 0x32, 0x5a, 0x50, 0xc4, 0x21, 0xa7, 0xe1, 0x7f, 0x9f, 0x40, 0x96, 0xf7, 0x82, 0x3e, 0x6e, 0x7b, 0x9e, 0xba, 0x37, 0xea, 0x56, 0x63, 0xc6, 0xb4, 0x5d, 0xf5, 0xff, 0xa, 0x15, 0x84, 0xdc, 0x1a, 0x62, 0xc8, 0x6c, 0x59, 0xf9, 0xe, 0x8, 0xf0, 0xb6, 0x7a, 0x64, 0x6d, 0xb8, 0x85, 0x6c, 0x75, 0x15, 0xc2, 0xb9, 0x1d, 0xaa, 0x94, 0xdb, 0xc9, 0xa5, 0xb1, 0x13, 0x20, 0xb1, 0x6d, 0xd3, 0x2d, 0x3, 0xc9, 0x86, 0x42, 0x1c, 0xc6, 0x6a, 0xde, 0x84, 0xf8, 0x6c, 0xc7, 0x88, 0x2f, 0xd3, 0x3f, 0x4a, 0xb3, 0xd0, 0x35, 0xc0, 0x7b, 0x41, 0xe3, 0xa7, 0xc0, 0x27, 0x83, 0x6b, 0x38, 0xb, 0x44, 0xd1, 0x62, 0x3, 0xac, 0x2d, 0x26, 0xb7, 0x8f, 0x43, 0xf9, 0xcd, 0xe0, 0x4c, 0x11, 0x41, 0x2c, 0xb1, 0xa0, 0x95, 0xad, 0xf1, 0xce, 0xa5, 0x2b, 0x62, 0x43, 0xd5, 0x67, 0xa8, 0x37, 0x9b, 0xc0, 0xc9, 0x86, 0xe4, 0x1, 0xd2, 0xcd, 0xd6, 0x26, 0x97, 0x92, 0xff, 0x42, 0xbf, 0x7a, 0x47, 0x20, 0x8d, 0x46, 0xe9, 0x11, 0xec, 0x82, 0xca, 0x31, 0xa0, 0x5f, 0xa0, 0x1c, 0xb6, 0xe, 0x5d, 0xcf, 0x73, 0x2e, 0x96, 0xaa, 0x5, 0xa3, 0xba, 0x49, 0x56, 0xe4, 0x15, 0x40, 0xb9, 0x61, 0x2b, 0xad, 0x35, 0x38, 0x21, 0x6c, 0x5f, 0x8e, 0x2b, 0x6d, 0x63, 0x47, 0xf7, 0x48, 0x2b, 0x1c, 0xf1, 0xe, 0x68, 0xa7, 0x8b, 0xc1, 0x5e, 0x7b, 0xcd, 0xa8, 0xec, 0xcc, 0x7e, 0x15, 0xef, 0x4d, 0xc8, 0x73, 0x7d, 0x1e, 0x58, 0x51, 0xf6, 0x6a, 0x54, 0x13, 0x2e, 0xdb, 0xc7, 0x39, 0x87, 0xb, 0xe2, 0xc, 0x46, 0x7c, 0x12, 0xd9, 0xed, 0xe2, 0xb1, 0xfa, 0xa8, 0xe6, 0x35, 0x6f, 0xc4, 0x1d, 0x9a, 0xba, 0x7b, 0xe, 0x69, 0x80, 0x6f, 0x66, 0x69, 0x1b, 0xa0, 0x90, 0x88, 0x64, 0x3d, 0xe, 0x53, 0xd6, 0x0, 0x3e, 0xc2, 0x99, 0xb1, 0x4c, 0xbd, 0x37, 0x0, 0x7a, 0xba, 0xb7, 0x2c, 0x4e, 0x27, 0xe7, 0x3a, 0x24, 0x57, 0x67, 0xb6, 0x50, 0xac, 0x9f, 0x72, 0x24, 0xf3, 0x23, 0x61, 0x79, 0x41, 0x8f, 0xf4, 0xcb, 0x72, 0xb3, 0x56, 0x7a, 0x36, 0xeb, 0x3, 0x92, 0x79, 0xb7, 0x5c, 0xe1, 0x37, 0xbe, 0xdd, 0x33, 0x40, 0xdc, 0xdf, 0x1f, 0x52, 0x1b, 0x7f, 0x8d, 0x8d, 0xae, 0xed, 0x10, 0xf4, 0x21, 0x47, 0x75, 0xdc, 0xbd, 0x4e, 0xf2, 0x6a, 0xbe, 0x4d, 0xa7, 0x18, 0x6e, 0x84, 0xae, 0x65, 0x99, 0x87, 0x92, 0x2a, 0x29, 0xb3, 0xdc, 0x4, 0xa0, 0xc7, 0x92, 0xb0, 0x77, 0xf6, 0x5c, 0xc1, 0xdd, 0x5, 0x6, 0x6c, 0x80, 0x64, 0x84, 0x3a, 0x8, 0xb0, 0x97, 0xb9, 0x3d, 0x70, 0xdf, 0x68, 0x4a, 0xd0, 0x7d, 0xbf, 0x5, 0x45, 0x4e, 0x13, 0x9c, 0x8c, 0x7f, 0xcf, 0x8c, 0x39, 0x3d, 0xe6, 0xa4, 0xaf, 0xf8, 0xb5, 0x41, 0x7f, 0x51, 0xe6, 0xa6, 0xcc, 0xc1, 0x7b, 0xad, 0x42, 0x93, 0x8b, 0xaa, 0xc1, 0x5a, 0x89, 0x16, 0xcd, 0xb0, 0xa9, 0x6a, 0x37, 0x4c, 0x8e, 0xf2, 0x53, 0xd3, 0xdc, 0xad, 0xa, 0xae, 0x90, 0x6f, 0xbd, 0x3a, 0x47, 0xff, 0x8e, 0x14, 0x8a, 0x31, 0x9, 0x24, 0x48, 0x76, 0x21, 0x27, 0x19, 0xca, 0xcc, 0x5e, 0xeb, 0xc5, 0xae, 0x22, 0xd2, 0xfb, 0x27, 0x25, 0x54, 0x58, 0x94, 0xd, 0xb5, 0x81, 0xa9, 0x52, 0x48, 0x59, 0xba, 0x8c, 0x6a, 0xe2, 0x3, 0x4e, 0x1f, 0xa0, 0x4a, 0xf9, 0xe0, 0xc2, 0xf5, 0xc5, 0x1d, 0xe1, 0xc7, 0x6c, 0x98, 0x71, 0x4e, 0xfa, 0xb6, 0x1f, 0x2, 0x8d, 0xb3, 0xa5, 0x96, 0x19, 0xfc, 0xf, 0x3f, 0x40, 0x85, 0x93, 0x8e, 0x26, 0x6, 0xe, 0x95, 0x61, 0x1a, 0xd0, 0x9, 0x1f, 0xd1, 0x93, 0x17, 0x65, 0x46, 0x5d, 0x40, 0x96, 0xeb, 0x5, 0xdf, 0x5a, 0xed, 0x77, 0xcc, 0x85, 0xa8, 0x63, 0x72, 0xea, 0xa0, 0x35, 0x25, 0xdc, 0x7, 0xd5, 0x38, 0xc3, 0x4f, 0xa9, 0x81, 0xad, 0xe7, 0x68, 0x9d, 0x4d, 0x22, 0x5a, 0x4b, 0x70, 0x6c, 0x31, 0x5f, 0x59, 0x26, 0x4f, 0x38, 0xa9, 0x4f, 0xe3, 0x36, 0x18, 0x96, 0x98, 0xe9, 0x1f, 0x17, 0x86, 0x6c, 0x49, 0x27, 0x39, 0xc4, 0x1b, 0x99, 0x98, 0xd7, 0x61, 0x87, 0xc6, 0x5a, 0xdb, 0x6f, 0xce, 0xd6, 0x96, 0x9e, 0xb2, 0xfc, 0xfe, 0x24, 0xa, 0xa3, 0x66, 0xac, 0xe5, 0xa6, 0xff, 0x2d, 0xc7, 0xd9, 0x6a, 0x70, 0x1e, 0xb5, 0x35, 0x6f, 0x12, 0xdf, 0xeb, 0xa9, 0xc3, 0xb4, 0xeb, 0x9c, 0xb9, 0x90, 0x8d, 0x60, 0xbf, 0xaf, 0x89, 0x53, 0xa7, 0x58, 0x98, 0xc8, 0xc6, 0x4f, 0x3c, 0x11, 0x76, 0xaa, 0xb5, 0xe2, 0x97, 0xb0, 0x8e, 0xde, 0x80, 0x4, 0x13, 0xb9, 0x63, 0xcc, 0x22, 0x10, 0x7e, 0x6c, 0x6, 0xcc, 0x6c, 0x5, 0xb6, 0xda, 0x3b, 0x0, 0xf9, 0xed, 0xb2, 0x44, 0xb1, 0xcb, 0x33, 0x5b, 0x8a, 0xe0, 0x8a, 0x3a, 0x14, 0x83, 0xb4, 0xa6, 0x2b, 0xb, 0xe6, 0xa1, 0x8f, 0x27, 0x4e, 0xfb, 0x42, 0x78, 0x31, 0x25, 0x1c, 0xb3, 0x24, 0x8, 0x38, 0xcd, 0x90, 0x7c, 0xcf, 0xe4, 0xd4, 0x78, 0xf8, 0x5e, 0x69, 0x86, 0x4d, 0xdf, 0x5c, 0xe8, 0x3a, 0x9a, 0x59, 0x50, 0xab, 0x2a, 0x36, 0xfc, 0x44, 0x58, 0xb3, 0x76, 0x0, 0xe0, 0x22, 0x4, 0x1a, 0xe7, 0xc8, 0xb1, 0x6e, 0x87, 0xa6, 0xd9, 0xd, 0x72, 0xce, 0xff, 0x4b, 0x34, 0x73, 0xa1, 0xe6, 0x3b, 0xfe, 0xc0, 0x16, 0xa6, 0x62, 0x2a, 0x16, 0xec, 0x41, 0xbc, 0x17, 0x41, 0x30, 0xd, 0x67, 0x13, 0x3e, 0xf6, 0xb1, 0xbe, 0x79, 0x6d, 0x3a, 0x90, 0x68, 0xc5, 0x3f, 0xaa, 0xcc, 0xaf, 0xfe, 0x31, 0xf5, 0xac, 0x57, 0x9b, 0x99, 0x55, 0x30, 0x17, 0xdf, 0xd7, 0x95, 0x63, 0xab, 0xf, 0xf8, 0x72, 0xfc, 0x97, 0x1d, 0x7f, 0x7b, 0xe6, 0x4a, 0x28, 0xa6, 0xd9, 0x91, 0x9a, 0x48, 0x6b, 0x86, 0xad, 0x69, 0x31, 0xd4, 0xe6, 0x47, 0x97, 0x7f, 0x17, 0x39, 0x33, 0xe5, 0xe5, 0x93, 0x80, 0xeb, 0x59, 0x2c, 0x8a, 0x2c, 0x5d, 0x23, 0x46, 0xc5, 0xe9, 0x94, 0x77, 0x69, 0xde, 0xed, 0x83, 0x43, 0x93, 0xd5, 0xbc, 0x75, 0x42, 0xf9, 0x53, 0x46, 0x82, 0xec, 0xbf, 0x71, 0x2f, 0xac, 0x8a, 0x3d, 0xd0, 0x17, 0x67, 0x9, 0x52, 0x14, 0xd2, 0x15, 0xf7, 0x7a, 0x71, 0x64, 0x17, 0xc4, 0x96, 0x4a, 0x13, 0xd0, 0x94, 0xf5, 0xf7, 0xe2, 0x56, 0xc9, 0x1e, 0xa4, 0xef, 0x73, 0x18, 0x2c, 0x4, 0x13, 0x82, 0x77, 0xf6, 0xb4, 0xe7, 0xe4, 0x4a, 0x37, 0xd5, 0x88, 0x97, 0xff, 0xc8, 0xe5, 0x5b, 0x3d, 0x82, 0x80, 0x63, 0x5e, 0x91, 0x2b, 0xe2, 0x8f, 0xee, 0xb2, 0x55, 0xc7, 0x6b, 0xea, 0x51, 0x26, 0x11, 0xe7, 0x4c, 0x62, 0x57, 0x66, 0x15, 0x49, 0xcb, 0x8a, 0xac, 0xb3, 0x30, 0xfd, 0x60, 0x4b, 0x0, 0xe1, 0xbf, 0x18, 0x22, 0x8c, 0xcc, 0x5d, 0xc2, 0x4d, 0xfe, 0x4c, 0xa6, 0x80, 0xda, 0xb9, 0xd0, 0x95, 0x6e, 0xf2, 0x6, 0x5, 0x37, 0xef, 0xc3, 0x41, 0xfd, 0x94, 0xaa, 0xab, 0x26, 0xef, 0xbc, 0x89, 0x9d, 0xd2, 0x66, 0x23, 0x63, 0xea, 0xe4, 0x4b, 0x8f, 0xe7, 0xd0, 0x6b, 0x1f, 0x33, 0x21, 0x2e, 0x5f, 0xf3, 0x86, 0x6, 0xce, 0xd9, 0x90, 0x5, 0xf3, 0xc7, 0xf, 0xcb, 0x3b, 0xd5, 0xa, 0xea, 0xd9, 0xc3, 0x22, 0xc0, 0x33, 0x29, 0xba, 0x84, 0xb3, 0x29, 0xc4, 0xa9, 0xcf, 0x92, 0xb8, 0x9d, 0x36, 0x52, 0xe6, 0xfc, 0x52, 0x8d, 0x51, 0x1f, 0x62, 0x28, 0x70, 0x48, 0x32, 0x31, 0x38, 0x10, 0x1e, 0x7d, 0xdf, 0x25, 0x5b, 0x79, 0x36, 0xaa, 0xbd, 0xe, 0x17, 0x3f, 0x47, 0x7e, 0x95, 0x34, 0x4f, 0x88, 0x31, 0xa9, 0x4a, 0xf1, 0x33, 0x58, 0xea, 0xfb, 0x39, 0xdc, 0x33, 0xf, 0xd5, 0x88, 0xc1, 0xa3, 0x10, 0xb0, 0x2c, 0x75, 0xf5, 0x76, 0xbc, 0x45, 0x61, 0xcd, 0x77, 0xde, 0x12, 0x7e, 0x21, 0x25, 0x3b, 0x11, 0xa5, 0x39, 0x18, 0x4, 0x66, 0x78, 0x41, 0x62, 0xd7, 0x9, 0xf3, 0xe, 0xcb, 0x58, 0xca, 0x95, 0x49, 0x22, 0xd0, 0xa2, 0x9d, 0xcc, 0x2, 0x6d, 0xbb, 0x3a, 0xfd, 0xb8, 0x4b, 0xb5, 0x45, 0x87, 0xca, 0x5a, 0xce, 0xda, 0x1, 0xf1, 0x7a, 0x15, 0x67, 0xa2, 0xa6, 0x11, 0xf2, 0xbc, 0xfd, 0xc4, 0x9, 0x86, 0x9c, 0xc4, 0x40, 0xf3, 0xdd, 0xda, 0x65, 0x4a, 0x60, 0xe9, 0x52, 0x9f, 0xe4, 0x97, 0xd5, 0x2a, 0x7e, 0x93, 0x90, 0xe7, 0xe8, 0x9b, 0xf1, 0x17, 0x6e, 0x32, 0x8, 0x25, 0x6e, 0x84, 0xdc, 0xc0, 0xbb, 0xb, 0x7a, 0x0, 0x38, 0x3f, 0xd6, 0x16, 0x1e, 0xb1, 0x3f, 0x60, 0x3, 0xcf, 0xfe, 0xbc, 0xd3, 0x4e, 0xa, 0x15, 0x89, 0x5, 0xb9, 0xc, 0xd8, 0x6c, 0x5c, 0xb6, 0x62, 0xf4, 0x5d, 0x1c, 0x53, 0x29, 0xa8, 0xad, 0x12, 0x34, 0x75, 0xa6, 0x14, 0x2f, 0xe7, 0x69, 0xe9, 0x90, 0x4c, 0x5b, 0xb9, 0xc7, 0x6, 0x89, 0x6c, 0x48, 0xc, 0x78, 0xb4, 0xbc, 0x4c, 0xa9, 0x67, 0x5a, 0x85, 0xf9, 0x2d, 0xd2, 0x13, 0x15, 0x61, 0xde, 0xc, 0xe0, 0x1b, 0x48, 0x9a, 0x86, 0xb4, 0xba, 0x1f, 0x8f, 0xd9, 0xb8, 0xc5, 0xa4, 0xea, 0x2f, 0x50, 0x2, 0x5, 0x41, 0x9c, 0x2, 0x9, 0x7c, 0x2f, 0x13, 0x56, 0x1b, 0x77, 0x42, 0xfa, 0xd4, 0xe5, 0x35, 0x12, 0xda, 0xf1, 0x57, 0xb2, 0xec, 0xaf, 0xae, 0x46, 0x6a, 0x58, 0x21, 0x7e, 0x61, 0xae, 0x3e, 0x65, 0xd4, 0x0, 0xf3, 0xef, 0x65, 0x1, 0x2a, 0x56, 0x3, 0xad, 0x13, 0x7a, 0xf6, 0x27, 0x70, 0xc7, 0x70, 0x87, 0xfa, 0x7f, 0x95, 0x2f, 0x1c, 0xc1, 0x46, 0x90, 0xc4, 0xf2, 0x89, 0x18, 0x8, 0xd5, 0xd7, 0xd6, 0x6, 0xbc, 0xbd, 0xe2, 0x51, 0xbe, 0x82, 0x60, 0xc1, 0xdf, 0x13, 0x95, 0x98, 0x71, 0xc1, 0xf6, 0x3a, 0xb, 0x71, 0x75, 0x84, 0xdd, 0x61, 0x43, 0x46, 0xd5, 0xb, 0x29, 0xe0, 0x44, 0x45, 0xd3, 0x8e, 0x8a, 0xa1, 0x7d, 0xbb, 0x3f, 0xdc, 0xcf, 0xd2, 0x1a, 0xe1, 0x8a, 0x78, 0xe8, 0x79, 0x9b, 0xd7, 0x77, 0xb1, 0xd5, 0xf1, 0x42, 0x74, 0xe0, 0x0, 0xf8, 0xd6, 0xab, 0xe3, 0xe0, 0x66, 0xd1, 0x7, 0x56, 0x47, 0x47, 0x40, 0xc6, 0xb7, 0x16, 0x7f, 0x80, 0x82, 0x3d, 0x88, 0x49, 0xa7, 0xe3, 0xe1, 0x58, 0x88, 0x10, 0xee, 0x31, 0x82, 0xb, 0x12, 0x59, 0x58, 0xce, 0x1e, 0x8a, 0x63, 0xeb, 0xe7, 0x80, 0x1b, 0xa4, 0x73, 0xaa, 0xc6, 0x5a, 0x52, 0x72, 0xcb, 0xac, 0x23, 0x44, 0x84, 0x3d, 0xea, 0xcd, 0xa7, 0x3e, 0xed, 0x80, 0x6b, 0xb0, 0x8d, 0x3a, 0x86, 0x13, 0xfa, 0xd3, 0x75, 0xe3, 0x47, 0xa7, 0x19, 0x1, 0xf7, 0xc8, 0x69, 0x2e, 0xcf, 0x35, 0x5a, 0xe9, 0xbb, 0xe5, 0xf8, 0x13, 0x4, 0x9f, 0x76, 0x6a, 0xe5, 0x64, 0x1d, 0xc0, 0x36, 0x6d, 0x3b, 0x96, 0x98, 0x6a, 0x45, 0x32, 0x2b, 0xd9, 0xb9, 0xda, 0x9c, 0x8e, 0xcf, 0x70, 0xce, 0x47, 0xd, 0x64, 0x98, 0x1, 0x6c, 0x5e, 0x35, 0xe3, 0x19, 0xed, 0x23, 0x51, 0x2, 0xac, 0x1a, 0x10, 0x7f, 0x6, 0x6, 0xad, 0x93, 0xef, 0x93, 0x6e, 0xf1, 0xd1, 0x85, 0xcf, 0x46, 0x48, 0x89, 0xfe, 0x89, 0xe, 0x91, 0x8e, 0xf7, 0xcb, 0xc, 0x1d, 0xe3, 0x78, 0xf6, 0x61, 0xd5, 0x1c, 0xab, 0xab, 0xbc, 0x33, 0x28, 0xc9, 0x87, 0xc8, 0xe5, 0x31, 0x73, 0x8d, 0xf6, 0x72, 0xe, 0x26, 0xad, 0x38, 0x63, 0xc3, 0x5, 0xdb, 0x35, 0x3e, 0x5, 0xc, 0x80, 0x8, 0x6b, 0xb0, 0xa1, 0x76, 0xeb, 0xe2, 0x81, 0xc9, 0x82, 0x7e, 0x8d, 0x78, 0x55, 0xae, 0x81, 0x96, 0x8a, 0xf7, 0x48, 0x38, 0x3e, 0xec, 0x3, 0x1, 0x9b, 0xa3, 0x81, 0x53, 0xf7, 0xb4, 0x1b, 0x26, 0x8a, 0xee, 0xeb, 0x1c, 0xb0, 0x4e, 0x42, 0x2c, 0x8f, 0xae, 0xd4, 0xf5, 0xf7, 0x11, 0x13, 0xf1, 0x1, 0x8c, 0xaf, 0x76, 0xb0, 0x3a, 0x15, 0x77, 0xc1, 0x2, 0x5e, 0x83, 0x4c, 0xc9, 0x2e, 0x38, 0x7c, 0xae, 0xf8, 0x7, 0xc0, 0xd0, 0x5e, 0x92, 0x1, 0x74, 0x3d, 0x5c, 0x7a, 0xb0, 0x6d, 0xb3, 0x6d, 0xe3, 0x5f, 0x2a, 0x9c, 0x5e, 0xbe, 0x46, 0x50, 0xe9, 0x76, 0x7a, 0xd5, 0xb9, 0xd5, 0xf2, 0x20, 0xba, 0x8e, 0xe7, 0x32, 0xac, 0x54, 0x52, 0xa3, 0xb9, 0x71, 0x8f, 0xca, 0x11, 0xef, 0x58, 0xa6, 0x98, 0xff, 0x3e, 0x37, 0x5e, 0x30, 0x67, 0xb6, 0x3e, 0x82, 0x0, 0xa1, 0xe5, 0xff, 0xcf, 0xee, 0x8c, 0xdc, 0x0, 0xc8, 0xb7, 0x46, 0xa5, 0x94, 0x59, 0x81, 0x2d, 0x9c, 0xe4, 0xd6, 0xea, 0x56, 0x62, 0xbb, 0xfc, 0x14, 0x78, 0x6b, 0x22, 0x10, 0x6e, 0x4a, 0xfc, 0x51, 0x8f, 0x7e, 0x38, 0x20, 0xde, 0xca, 0x83, 0x53, 0x80, 0xf9, 0xea, 0xfb, 0x54, 0x74, 0x31, 0x2f, 0x76, 0x9f, 0x68, 0x80, 0x38, 0x65, 0x29, 0xc, 0xba, 0x5a, 0x51, 0xb2, 0x1c, 0x72, 0xfa, 0x61, 0x75, 0xa2, 0xcf, 0x32, 0x5e, 0x94, 0x38, 0x49, 0x14, 0x5c, 0xa6, 0x91, 0x82, 0x5a, 0x75, 0x7e, 0x99, 0x9e, 0xd6, 0x7, 0x6e, 0xfc, 0x46, 0xe8, 0x70, 0x5, 0x7d, 0x44, 0x74, 0x1e, 0x64, 0x13, 0x68, 0xe2, 0xe2, 0xf2, 0x1f, 0x72, 0xce, 0x10, 0x17, 0xbf, 0x3d, 0xe8, 0x14, 0xf8, 0x19, 0x8, 0x45, 0xea, 0xd2, 0x7a, 0x69, 0xed, 0xb, 0xa7, 0xf0, 0x27, 0x36, 0x3f, 0x6b, 0x8, 0x99, 0x98, 0x36, 0x90, 0xdb, 0xcf, 0x46, 0xdb, 0xfc, 0x40, 0xff, 0xe9, 0xc4, 0x94, 0x7e, 0x5e, 0x15, 0x67, 0x52, 0x1b, 0xbf, 0xb3, 0x0, 0x97, 0xc5, 0x6b, 0x98, 0xb8, 0x28, 0x31, 0x8c, 0xc, 0x59, 0xaf, 0x8c, 0xc9, 0xeb, 0xbb, 0x1b, 0x30, 0x5d, 0x1, 0xfb, 0xd1, 0xa9, 0xd1, 0x2f, 0xba, 0x28, 0x4f, 0xe6, 0x18, 0x70, 0x5b, 0x36, 0xc0, 0x7e, 0x78, 0x12, 0x92, 0x4, 0x6c, 0x38, 0x98, 0xd0, 0x51, 0x4b, 0xc6, 0xd2, 0x32, 0x17, 0xe5, 0x11, 0x7b, 0x47, 0x57, 0xe, 0xfc, 0x38, 0x25, 0x28, 0xeb, 0xd6, 0xdf, 0xc5, 0xee, 0x39, 0x3b, 0xcc, 0xb0, 0x43, 0x5c, 0x57, 0xcc, 0x36, 0xcb, 0x78, 0x27, 0xf1, 0x6a, 0xae, 0x25, 0xc4, 0x6, 0x2d, 0x85, 0xb0, 0x70, 0x9b, 0x1b, 0x22, 0x5c, 0x8c, 0x2f, 0xf9, 0x6d, 0x9c, 0x6d, 0x82, 0xce, 0x9e, 0x4f, 0x8d, 0x6c, 0xc3, 0x59, 0x93, 0xb4, 0x7b, 0xba, 0x9a, 0xf5, 0xa4, 0x3a, 0x1d, 0x42, 0x2e, 0x2c, 0x7e, 0xc3, 0x40, 0xa8, 0x4f, 0xe8, 0x7c, 0x40, 0x26, 0xf9, 0x1c, 0xe4, 0x54, 0x14, 0x3d, 0xc0, 0xab, 0x18, 0x44, 0xf6, 0x7a, 0x3f, 0xcd, 0x5e, 0x60, 0x26, 0xbf, 0xea, 0xa5, 0xd6, 0xa6, 0x41, 0x23, 0x24, 0x8e, 0x66, 0x6b, 0x21, 0xf4, 0x84, 0xdb, 0x1e, 0x2, 0x1, 0x1, 0x4, 0xb8, 0xed, 0x36, 0xd8, 0x8c, 0x1d, 0x5e, 0x94, 0xe7, 0x7c, 0x33, 0x5b, 0x82, 0xdc, 0x3d, 0xd2, 0x86, 0x6b, 0x7, 0x4c, 0xf0, 0x43, 0x1, 0x7e, 0x4c, 0x34, 0xfd, 0x3, 0xc5, 0xf2, 0x7a, 0x31, 0xff, 0x62, 0x53, 0xa9, 0x4f, 0x7a, 0x8b, 0xe1, 0xb7, 0x3d, 0xdd, 0xa, 0x1b, 0xe0, 0x60, 0x82, 0x3f, 0x3e, 0x67, 0x9c, 0x91, 0xcc, 0xa1, 0x54, 0xe5, 0x49, 0xeb, 0xfb, 0x33, 0xe4, 0xf2, 0x92, 0xf2, 0x1b, 0x35, 0x91, 0xeb, 0x41, 0x11, 0x85, 0xec, 0xe7, 0x55, 0xc7, 0x4, 0x38, 0x9f, 0xda, 0x68, 0xe3, 0x9a, 0x34, 0x9c, 0x34, 0x64, 0xa1, 0xfe, 0x7, 0xf, 0x47, 0xa5, 0xba, 0x62, 0x85, 0xc9, 0x4c, 0x2f, 0xd5, 0xf3, 0xd, 0x29, 0x2b, 0x86, 0x9e, 0x4a, 0xc7, 0x24, 0x1a, 0x47, 0x43, 0x35, 0xaa, 0xa1, 0xd3, 0x11, 0x45, 0x19, 0xb8, 0xbe, 0x46, 0x94, 0x23, 0x4d, 0xd4, 0xdc, 0x81, 0x0, 0xdd, 0xc2, 0xbe, 0x2d, 0xc8, 0x2a, 0xc4, 0xf, 0x7f, 0x3d, 0xca, 0xd5, 0x6, 0x32, 0xf2, 0x47, 0xdb, 0xf5, 0x2b, 0x52, 0x1, 0x26, 0x1d, 0x20, 0x34, 0x6d, 0x2f, 0x9a, 0xf8, 0x8f, 0x3f, 0x53, 0x76, 0xb8, 0x17, 0x58, 0xa4, 0x8f, 0x37, 0xc, 0xc3, 0x57, 0x51, 0x36, 0xb9, 0x4f, 0x2d, 0xc5, 0xc5, 0x17, 0x75, 0xdc, 0x8c, 0x51, 0xe6, 0xac, 0xf7, 0x22, 0xef, 0x64, 0x7a, 0x84, 0xbf, 0xe6, 0x83, 0xb4, 0xde, 0x89, 0xfa, 0xe0, 0x92, 0x58, 0x45, 0x8, 0xf5, 0x60, 0x31, 0x58, 0x9b, 0xa6, 0xc2, 0x18, 0xb4, 0x94, 0x91, 0xe5, 0xb4, 0xd4, 0xfc, 0x74, 0xbe, 0xff, 0xe3, 0x83, 0x3c, 0xaa, 0xee, 0x78, 0xf1, 0x9b, 0xf2, 0x96, 0xe2, 0x95, 0xf8, 0x51, 0xe0, 0x4a, 0xb8, 0xce, 0x6, 0x38, 0x52, 0x23, 0xd0, 0x6b, 0xfe, 0x11, 0xe1, 0xce, 0x48, 0xce, 0x5a, 0x45, 0x55, 0x4, 0x1c, 0x49, 0x3a, 0xe4, 0x40, 0x46, 0x21, 0x52, 0xdd, 0xdd, 0x86, 0xfa, 0xf3, 0xb5, 0xc5, 0x8e, 0x90, 0xfa, 0x16, 0x96, 0x95, 0x2d, 0xb1, 0x1a, 0xa0, 0x1d, 0x66, 0x2d, 0x88, 0x8a, 0xae, 0x82, 0x43, 0x82, 0x60, 0x9f, 0xc4, 0x5e, 0x3f, 0x13, 0x5d, 0xeb, 0x92, 0xdf, 0x5c, 0xc1, 0xc9, 0xf6, 0x5e, 0x42, 0xcc, 0xce, 0x98, 0xee, 0x84, 0x4d, 0x66, 0x82, 0x66, 0x2d, 0xb5, 0xc4, 0xb8, 0x25, 0x6f, 0xd8, 0x5e, 0x28, 0x9e, 0x88, 0xbe, 0xde, 0x48, 0xc7, 0xcd, 0x80, 0xeb, 0xa0, 0x2b, 0x22, 0xec, 0xc1, 0x94, 0x97, 0x2d, 0x48, 0x5d, 0x3e, 0x52, 0x2f, 0xf4, 0xdf, 0xc3, 0x6b, 0x84, 0xe4, 0xf, 0x70, 0xd5, 0x7c, 0x4a, 0x74, 0x51, 0x13, 0xff, 0x13, 0xb1, 0xc5, 0xef, 0x85, 0x5e, 0xb0, 0xc6, 0x5b, 0xb2, 0x30, 0x26, 0x77, 0xd0, 0x4c, 0x65, 0x29, 0x30, 0x6d, 0xa, 0x9d, 0xb8, 0xd8, 0x32, 0x4f, 0xf5, 0xf1, 0xb4, 0x27, 0xfc, 0x27, 0x16, 0xf2, 0xaf, 0x3b, 0xde, 0xd4, 0x4, 0x73, 0xdf, 0xd8, 0x59, 0x96, 0xab, 0x8e, 0xe, 0x21, 0xff, 0x1b, 0xcf, 0x1b, 0xb7, 0x60, 0xbd, 0x3f, 0xd7, 0x8b, 0x43, 0xa2, 0xa9, 0xde, 0xb4, 0x11, 0x5d, 0x1f, 0xcd, 0x95, 0x45, 0x9d, 0x85, 0x35, 0x48, 0x9a, 0x32, 0xd, 0x9c, 0x56, 0x6e, 0xbb, 0x7d, 0x2d, 0xd, 0xf, 0x4a, 0x4e, 0x8a, 0x92, 0xdf, 0x5e, 0x8e, 0x3, 0xc6, 0x54, 0xd1, 0x5a, 0x8f, 0x21, 0x96, 0x42, 0xc9, 0x3e, 0xdf, 0xa2, 0xa4, 0x3b, 0xb8, 0x83, 0xb8, 0x63, 0xa3, 0xe5, 0x44, 0xc2, 0x7c, 0x5b, 0x4, 0xde, 0x96, 0xd, 0x4e, 0x73, 0xd7, 0x2b, 0xa4, 0x65, 0xc1, 0x93, 0x8d, 0x47, 0x75, 0x25, 0xb9, 0x8e, 0x13, 0xc8, 0x73, 0x26, 0x1, 0xf9, 0xe8, 0xbf, 0x84, 0x7d, 0x60, 0x4d, 0xe7, 0x8e, 0x5a, 0x63, 0x43, 0xea, 0x49, 0x50, 0xbb, 0xec, 0x1b, 0x86, 0x32, 0xda, 0x5a, 0x14, 0x61, 0x4b, 0x1d, 0x15, 0x3b, 0x9, 0xaa, 0xb5, 0x78, 0xb6, 0xeb, 0xc, 0xb4, 0xe2, 0xd3, 0x44, 0xdf, 0xac, 0xe, 0x9f, 0x19, 0x89, 0x20, 0xc4, 0x23, 0x42, 0xbc, 0xa4, 0x6, 0xa, 0x49, 0xb4, 0x2b, 0x25, 0xe, 0xf7, 0x5d, 0x2c, 0xcc, 0xb5, 0x79, 0x64, 0x1e, 0x8a, 0x32, 0x94, 0xba, 0xd2, 0x22, 0x69, 0x8b, 0x8c, 0x94, 0x8b, 0x21, 0xe7, 0xcc, 0x78, 0x42, 0x39, 0x4f, 0x6, 0xe6, 0x5c, 0x99, 0x7e, 0x94, 0x94, 0x69, 0xd9, 0xf1, 0x65, 0x2d, 0xf3, 0xcd, 0x18, 0x2b, 0x5b, 0xb7, 0xf3, 0xd8, 0xb3, 0x8b, 0x98, 0x77, 0x30, 0xcb, 0xa3, 0xd2, 0x95, 0x5a, 0xb5, 0xa8, 0x15, 0xcb, 0xcc, 0x29, 0x86, 0xdf, 0x26, 0x49, 0x8c, 0x54, 0xbe, 0xdc, 0x5b, 0x37, 0xa6, 0xb3, 0x25, 0x3c, 0xc6, 0x58, 0xad, 0x94, 0x88, 0x48, 0xac, 0x8f, 0x52, 0xd, 0x4e, 0xe9, 0xe3, 0x5b, 0xba, 0x69, 0x46, 0x77, 0xbe, 0x9c, 0xc4, 0x6e, 0xc, 0xa7, 0x40, 0x38, 0xa3, 0x8, 0x95, 0x11, 0x31, 0xe0, 0xf7, 0x19, 0x88, 0x9e, 0x2, 0xb2, 0x8a, 0x70, 0x96, 0x9d, 0x20, 0xed, 0x27, 0x3a, 0x94, 0xce, 0xe7, 0xc4, 0xd7, 0x10, 0xa1, 0x49, 0x9b, 0xa2, 0x17, 0xb3, 0x2f, 0x37, 0x1f, 0x7d, 0x62, 0x46, 0xb3, 0x7f, 0xa6, 0x57, 0xec, 0x39, 0xdf, 0x7c, 0x1e, 0x56, 0x12, 0xf9, 0x17, 0x8f, 0x7c, 0x6f, 0xf2, 0xe6, 0x3c, 0xfa, 0xc1, 0xed, 0x2f, 0x78, 0xe7, 0x6d, 0xc1, 0x4, 0xc4, 0xe7, 0x3a, 0x9, 0x1a, 0xc1, 0xe2, 0xfe, 0xb1, 0x90, 0xde, 0x3d, 0x85, 0x7d, 0x7a, 0x35, 0xdc, 0x23, 0x69, 0xce, 0xf2, 0x6a, 0x13, 0x68, 0x36, 0x45, 0x86, 0x8e, 0x44, 0x9b, 0xaa, 0xa, 0x2f, 0x1c, 0xaa, 0xfe, 0x52, 0x34, 0xb5, 0x16, 0x55, 0xd9, 0x46, 0x59, 0xd1, 0x94, 0xf4, 0xe8, 0xe3, 0x69, 0x15, 0x3b, 0x51, 0x16, 0x31, 0xb5, 0xe7, 0xe3, 0x51, 0xbe, 0x7d, 0xfd, 0xeb, 0xdd, 0x31, 0x68, 0x2, 0x7f, 0x40, 0xfc, 0x25, 0xb, 0xd1, 0x5f, 0xe4, 0xac, 0x3b, 0xad, 0x3b, 0x4f, 0xa7, 0x9, 0x68, 0x70, 0xba, 0x32, 0xb3, 0x8c, 0xca, 0x3f, 0xb9, 0xd6, 0xb1, 0x60, 0xe1, 0x40, 0xed, 0xbd, 0x28, 0x8b, 0xdf, 0x8e, 0x36, 0x85, 0xfd, 0xc2, 0xb4, 0x90, 0x8c, 0xa, 0x6f, 0x26, 0x4f, 0xd2, 0xaa, 0xff, 0xf6, 0x87, 0xd9, 0xaa, 0x3b, 0x62, 0x1b, 0x4e, 0x42, 0xd, 0x31, 0x9f, 0xa5, 0x66, 0x62, 0x81, 0x9b, 0x74, 0x45, 0xf0, 0x27, 0x78, 0xdb, 0xa0, 0x51, 0xd7, 0x4f, 0x94, 0x59, 0x72, 0x1d, 0x68, 0xa6, 0xd, 0x12, 0x80, 0x88, 0xc5, 0xa9, 0x31, 0xd, 0xd2, 0xcd, 0x0, 0xf1, 0x4b, 0xae, 0x97, 0xd3, 0xab, 0xf2, 0x7b, 0x6a, 0xc0, 0x8, 0x6b, 0x90, 0x22, 0x5a, 0xf7, 0x8b, 0xdc, 0x12, 0x4a, 0x84, 0xe5, 0xa3, 0xf, 0x92, 0x2d, 0x3f, 0xf2, 0x62, 0x34, 0x21, 0x91, 0x78, 0x40, 0xb9, 0x60, 0xbd, 0x71, 0xab, 0x6c, 0x20, 0xde, 0x6c, 0x17, 0x63, 0xa, 0xdd, 0x6b, 0xbc, 0x54, 0x4d, 0xee, 0xc, 0xb2, 0xc9, 0x54, 0x2f, 0xc0, 0x2a, 0x9f, 0xaa, 0xd8, 0xd2, 0x3c, 0xb0, 0xed, 0x6e, 0x20, 0x17, 0xe6, 0xf8, 0x3, 0x34, 0x64, 0x8, 0x93, 0x16, 0x8e, 0xf6, 0xc7, 0xb9, 0x3d, 0xdd, 0x92, 0xc5, 0x69, 0x14, 0x83, 0x41, 0x22, 0xba, 0x69, 0xfe, 0x2c, 0x5e, 0xf3, 0xbd, 0xd5, 0xf4, 0x8c, 0xe0, 0x6c, 0x44, 0x95, 0x92, 0x4f, 0xdb, 0xb8, 0xcd, 0x1b, 0xba, 0xdc, 0x58, 0xd9, 0x70, 0x59, 0x8e, 0xae, 0x79, 0x96, 0x4b, 0xb9, 0xd5, 0x40, 0x45, 0xb4, 0x9c, 0x95, 0xd2, 0x1f, 0xa3, 0x33, 0x14, 0x78, 0x56, 0xad, 0xc1, 0x2b, 0x0, 0x1b, 0xd1, 0xc3, 0xd4, 0xc7, 0xe3, 0x53, 0xc8, 0x8a, 0xcc, 0x81, 0xa2, 0x59, 0xcd, 0xb1, 0x28, 0xdd, 0xc0, 0xae, 0x75, 0xfd, 0xc2, 0x4d, 0x37, 0x7a, 0x5, 0x2, 0x12, 0xc7, 0x2f, 0x62, 0xf0, 0x8, 0xe4, 0x2b, 0x6a, 0xab, 0x58, 0x8b, 0x26, 0x12, 0xa1, 0xd0, 0x4a, 0xcb, 0x94, 0x3a, 0x19, 0xf5, 0x7c, 0xed, 0xf8, 0x34, 0x2b, 0x9c, 0x45, 0x1c, 0x7e, 0x16, 0xcd, 0xba, 0x74, 0xe2, 0xbc, 0x57, 0x54, 0x62, 0xcc, 0x24, 0xec, 0x60, 0x40, 0x2d, 0xa8, 0x64, 0x71, 0xf4, 0x1b, 0x75, 0xac, 0xe2, 0x5a, 0x6e, 0x5d, 0xf, 0x69, 0x45, 0x4d, 0xd4, 0xf3, 0xb3, 0x9, 0xc6, 0x33, 0x4c, 0x96, 0xb, 0x80, 0xac, 0xc4, 0x38, 0x5, 0xc5, 0x43, 0xc1, 0x1b, 0x45, 0xf9, 0xde, 0x86, 0x75, 0x4d, 0x39, 0x95, 0x92, 0x1f, 0x98, 0xd1, 0xa6, 0x58, 0xd0, 0x9b, 0x1e, 0xd, 0x4c, 0x3d, 0x80, 0xe8, 0x7, 0x1c, 0xcf, 0xa4, 0x76, 0xd6, 0x1, 0xdd, 0x4d, 0x33, 0x76, 0x5f, 0x2b, 0x5f, 0x3c, 0x3f, 0x65, 0x65, 0x74, 0x7d, 0xfe, 0xb1, 0xfe, 0x40, 0xf0, 0x5e, 0xd4, 0x3d, 0x28, 0xfe, 0xed, 0xb7, 0xf3, 0x9b, 0x59, 0xfe, 0x91, 0x11, 0x93, 0x37, 0x80, 0xad, 0x39, 0xf0, 0x5f, 0x49, 0xfa, 0x96, 0x4e, 0x5b, 0x99, 0x76, 0xbf, 0x94, 0x50, 0xe2, 0xa3, 0xb2, 0xb6, 0x40, 0x26, 0x74, 0x3f, 0xc8, 0xc1, 0x41, 0x63, 0x9, 0x8b, 0xc3, 0xa, 0x56, 0xfa, 0x84, 0xc8, 0xbe, 0xd2, 0x5, 0x14, 0xf3, 0xb9, 0x6b, 0x57, 0x6b, 0x9, 0x5e, 0x2b, 0xb0, 0x62, 0x87, 0x22, 0xfc, 0x40, 0x18, 0x61, 0x2f, 0xe6, 0xbb, 0xbd, 0xb2, 0x42, 0x1a, 0x49, 0x3, 0x73, 0xf7, 0x80, 0x8d, 0x62, 0x96, 0xbe, 0x33, 0x8f, 0xfd, 0xd8, 0x7e, 0x89, 0xa, 0x8d, 0x49, 0x48, 0xca, 0x69, 0x56, 0x4d, 0xef, 0x9d, 0x9c, 0xe9, 0x1a, 0x40, 0x4c, 0xf7, 0x5a, 0xb8, 0x44, 0x65, 0x5b, 0xeb, 0x38, 0x79, 0x88, 0x12, 0xf2, 0xe7, 0x12, 0xd3, 0xb, 0x43, 0x33, 0xe3, 0x94, 0x87, 0x25, 0xa7, 0x81, 0x73, 0xfc, 0xd2, 0x53, 0xb2, 0x8b, 0x2f, 0x5d, 0x94, 0x9e, 0xff, 0xa3, 0xbe, 0x85, 0x35, 0x59, 0x79, 0x6, 0x60, 0xaf, 0x8d, 0x7f, 0xf6, 0xc3, 0xb0, 0x77, 0xd8, 0xa6, 0x19, 0x85, 0xd0, 0x48, 0x78, 0x4f, 0x1b, 0x21, 0x62, 0x1b, 0x70, 0x38, 0x6e, 0x6d, 0x39, 0x6, 0x5, 0x6e, 0xf0, 0x7, 0xaf, 0xff, 0xb8, 0xfa, 0x91, 0x8d, 0xc8, 0x9a, 0xe5, 0xed, 0x96, 0x7c, 0x3f, 0xe, 0x1c, 0x5e, 0x2f, 0x79, 0x50, 0x8, 0xb4, 0x16, 0x8a, 0xf2, 0xff, 0x9f, 0xc0, 0xe0, 0x94, 0x9e, 0x5f, 0x76, 0x8d, 0xbe, 0x37, 0x3, 0xa0, 0xce, 0x3e, 0xa5, 0xd2, 0x88, 0xd0, 0xfa, 0x4a, 0xbd, 0x5d, 0x21, 0x98, 0x20, 0x89, 0x23, 0xa9, 0xa9, 0x6f, 0x2b, 0xa3, 0x2a, 0xed, 0xd9, 0x64, 0x15, 0x80, 0x65, 0xe1, 0x54, 0x13, 0x98, 0x8f, 0x24, 0xdf, 0x21, 0x85, 0x59, 0xa2, 0x88, 0x35, 0xec, 0x23, 0x7e, 0x58, 0x2c, 0x99, 0xa0, 0xd7, 0x81, 0xf2, 0xed, 0xcb, 0x7, 0x14, 0x96, 0x38, 0x55, 0xa, 0x93, 0x6, 0x21, 0xbe, 0x5b, 0xbe, 0xeb, 0xd, 0x32, 0x9, 0x7f, 0x81, 0x91, 0x24, 0xb5, 0xa5, 0xff, 0xa7, 0x60, 0x51, 0x6, 0x9, 0xd9, 0xb4, 0xc8, 0xe6, 0xa9, 0xd2, 0xf6, 0xff, 0x92, 0x39, 0x4f, 0xac, 0x76, 0x9c, 0x7b, 0x56, 0xf5, 0xc8, 0x5d, 0x5c, 0xc6, 0x9a, 0xd1, 0x96, 0xbe, 0xcc, 0xe0, 0xaa, 0x5f, 0xa2, 0x26, 0xcf, 0xa8, 0xf8, 0x71, 0xd4, 0x8, 0x52, 0x36, 0x37, 0x4a, 0x70, 0xf9, 0x1d, 0x5, 0xda, 0x45, 0xa1, 0x1b, 0x54, 0xbc, 0xab, 0xaf, 0xd8, 0xb7, 0xf5, 0x3d, 0x32, 0x43, 0x9d, 0xdd, 0x53, 0xe2, 0xf1, 0x92, 0xb0, 0xaf, 0xa3, 0xcf, 0x36, 0xcb, 0xdb, 0x79, 0xeb, 0xa7, 0xc4, 0x23, 0x91, 0xaa, 0xa3, 0x15, 0x6f, 0x4d, 0x2e, 0x42, 0xd3, 0x4d, 0x38, 0x8c, 0x9c, 0xff, 0x33, 0xc, 0x1b, 0x2d, 0x8f, 0x17, 0x86, 0x16, 0xb0, 0x62, 0x5, 0x6d, 0xbd, 0x7d, 0xd8, 0xae, 0x66, 0xe8, 0x66, 0xa4, 0x4e, 0xac, 0x76, 0x31, 0x40, 0x7b, 0xbe, 0x10, 0x1e, 0xc, 0x8f, 0x4d, 0x15, 0x4b, 0xa4, 0xd1, 0x58, 0x76, 0xf7, 0x75, 0x5f, 0x5, 0x39, 0xa5, 0x33, 0x10, 0x98, 0xb2, 0xc9, 0x1, 0xb1, 0x7f, 0xa4, 0xf5, 0x73, 0xbd, 0x56, 0xfb, 0x59, 0xbf, 0xfb, 0x84, 0x86, 0x25, 0x36, 0x2b, 0x84, 0x4c, 0x86, 0x38, 0xdd, 0xc8, 0x43, 0x3, 0x87, 0x4e, 0xf5, 0x92, 0x65, 0x46, 0xf1, 0xc5, 0x78, 0x6, 0xd1, 0x92, 0xc3, 0x37, 0x11, 0x8a, 0x91, 0xd5, 0xf0, 0xde, 0x82, 0xa8, 0x86, 0xd0, 0x33, 0x10, 0x2d, 0x4d, 0xd2, 0xe1, 0x8e, 0x26, 0xe9, 0x76, 0xe3, 0x62, 0xe1, 0x9c, 0x64, 0x66, 0xda, 0x53, 0xcc, 0xa3, 0xb2, 0x4e, 0x2e, 0x4e, 0x9b, 0x7a, 0xf1, 0x71, 0x8a, 0x70, 0x4, 0x2c, 0x5b, 0xe0, 0xd, 0xb2, 0xc7, 0xfd, 0xdb, 0x1, 0xa2, 0x7, 0x49, 0xee, 0x9a, 0xdc, 0x4c, 0x66, 0x55, 0x47, 0x6c, 0xfc, 0x8d, 0xcc, 0xe5, 0x91, 0x16, 0xbe, 0x47, 0xfb, 0xcb, 0x83, 0x2b, 0xfd, 0xc3, 0x5, 0x4c, 0xa7, 0x33, 0x58, 0x69, 0xb0, 0xde, 0xb0, 0x43, 0x72, 0x8a, 0x93, 0xee, 0xf, 0x8f, 0x42, 0x3f, 0x77, 0x25, 0x86, 0x7, 0x1f, 0xed, 0x3d, 0x4c, 0xa9, 0xdb, 0x63, 0x9b, 0xbd, 0x51, 0x67, 0x35, 0x44, 0xae, 0x2a, 0x85, 0x80, 0x1c, 0x2f, 0x3b, 0x11, 0x49, 0xec, 0xe2, 0xfb, 0x20, 0xc4, 0x73, 0x54, 0xf3, 0xb0, 0xed, 0xc3, 0x55, 0xc2, 0xb, 0xab, 0xcc, 0x63, 0xd6, 0xa9, 0x46, 0xae, 0xcf, 0x5d, 0x1, 0x3e, 0x1c, 0x84, 0x7d, 0x18, 0x1f, 0x99, 0x89, 0x55, 0x98, 0x1a, 0x3d, 0x8b, 0xb7, 0x1e, 0x4f, 0xd3, 0x2c, 0xe, 0x4c, 0xf8, 0x5f, 0xc6, 0xfa, 0x13, 0x17, 0x60, 0xec, 0x9c, 0xc2, 0xc9, 0xfa, 0xe9, 0xde, 0x52, 0xa5, 0x7a, 0xb2, 0xfd, 0x7b, 0x91, 0x53, 0x9f, 0x12, 0x64, 0xee, 0x4d, 0x53, 0x6f, 0x89, 0xe0, 0x1e, 0xeb, 0xdb, 0xf2, 0x23, 0xa5, 0x76, 0x27, 0x11, 0x59, 0xd2, 0x9, 0x33, 0xc1, 0xe1, 0x6c, 0xf6, 0x4c, 0xad, 0x57, 0x1d, 0x6f, 0x87, 0xa9, 0xa3, 0x76, 0xb5, 0x89, 0xc7, 0x32, 0xc6, 0xc8, 0xd7, 0xd, 0x69, 0xf2, 0x21, 0xc0, 0xcf, 0x6d, 0xad, 0x84, 0xeb, 0x32, 0xea, 0x55, 0xcf, 0x66, 0x95, 0x5, 0x72, 0x2b, 0xb7, 0x70, 0x61, 0x28, 0xf2, 0xa5, 0xcf, 0x10, 0x56, 0xa0, 0xfb, 0x1a, 0xbf, 0x4c, 0x89, 0x15, 0xdd, 0xb3, 0xc1, 0x36, 0xf4, 0x4f, 0x31, 0xf0, 0x24, 0xc5, 0xc6, 0xdd, 0xff, 0xa1, 0x7, 0x61, 0xc, 0x7e, 0xb2, 0xbd, 0xc1, 0xe9, 0x3a, 0x58, 0xa1, 0xa7, 0x7a, 0x40, 0xe2, 0x7c, 0xe3, 0x98, 0x6d, 0xaf, 0xe0, 0xb4, 0x38, 0xab, 0x28, 0xd9, 0x42, 0x43, 0xe5, 0xca, 0x98, 0x1c, 0xa, 0x7, 0x50, 0xb7, 0xe8, 0xf2, 0x58, 0x23, 0xe0, 0xaf, 0x86, 0xce, 0xef, 0x28, 0x12, 0x92, 0xea, 0x56, 0xb8, 0xb8, 0x31, 0xfc, 0x67, 0x1c, 0xa, 0x12, 0x19, 0x2a, 0x5, 0x59, 0xad, 0xae, 0xe3, 0xa4, 0x9e, 0x6, 0xb4, 0x19, 0xf0, 0x8d, 0x55, 0x9e, 0x43, 0x51, 0x9f, 0x27, 0x2b, 0x71, 0xac, 0xba, 0xa4, 0xd, 0x23, 0x24, 0x5a, 0x18, 0x55, 0xe3, 0x19, 0x89, 0x51, 0x50, 0x8f, 0xb7, 0x84, 0xdd, 0xfc, 0xce, 0x4d, 0x5a, 0x4c, 0x7d, 0xa4, 0xb2, 0xf, 0xd9, 0xa7, 0x9e, 0x0, 0xe, 0xb3, 0xbf, 0x9a, 0xac, 0x55, 0x73, 0xd2, 0xee, 0x74, 0x59, 0xc3, 0x2f, 0xfd, 0xaf, 0x8f, 0xea, 0xdb, 0x4c, 0x82, 0x2d, 0xb7, 0x89, 0x92, 0x7d, 0xef, 0xb5, 0xb2, 0x9d, 0x54, 0x5a, 0x1, 0x7f, 0x19, 0xa8, 0xd4, 0x80, 0x24, 0xb6, 0x93, 0x4, 0xc4, 0xb, 0x59, 0xd5, 0x61, 0x31, 0x3, 0x78, 0x6f, 0x2e, 0xb5, 0x55, 0x3a, 0xb0, 0xad, 0x9e, 0x30, 0x15, 0x81, 0xeb, 0x40, 0x25, 0xc6, 0xe5, 0x92, 0x5a, 0xde, 0xa7, 0xde, 0x5a, 0x3d, 0x6a, 0xcc, 0xf0, 0x31, 0xd6, 0x64, 0x61, 0xdd, 0xe8, 0x93, 0x7c, 0x9d, 0x5e, 0x9d, 0xdd, 0x2b, 0xc8, 0x4, 0x8d, 0x58, 0x7a, 0x1b, 0xfd, 0x9d, 0x31, 0xf8, 0x34, 0x55, 0x0, 0x68, 0x80, 0x95, 0xeb, 0xd8, 0xb5, 0x55, 0x8a, 0xde, 0x81, 0xca, 0x5b, 0x8d, 0xda, 0x86, 0xa8, 0x5e, 0x4d, 0xb, 0x2a, 0x25, 0x1, 0xa, 0x53, 0xe8, 0xa1, 0xa0, 0xea, 0x35, 0xfe, 0xb4, 0xff, 0x1b, 0x63, 0x95, 0xe9, 0xd8, 0xb1, 0x28, 0xd8, 0x2a, 0x87, 0xcd, 0xf9, 0x95, 0xf5, 0x6e, 0xe9, 0x7d, 0xe5, 0xe0, 0x84, 0x1e, 0x41, 0x60, 0x68, 0x19, 0x93, 0x4c, 0xa3, 0xae, 0xd3, 0x84, 0xdb, 0xa5, 0x32, 0xa7, 0x73, 0x70, 0x19, 0xbb, 0xd5, 0xf9, 0xc0, 0xd7, 0xcf, 0x6b, 0x56, 0xfe, 0xd2, 0xb8, 0xfa, 0x82, 0xeb, 0xf3, 0x36, 0x5f, 0x77, 0x45, 0x58, 0x8b, 0xff, 0xfd, 0xcc, 0xc, 0xb2, 0x8c, 0x10, 0xc1, 0x74, 0x83, 0x5f, 0xb6, 0x59, 0x16, 0x9a, 0x78, 0xc, 0x33, 0x22, 0xa4, 0xb4, 0xb8, 0xdc, 0x73, 0xa9, 0x7e, 0xe5, 0x41, 0x57, 0x74, 0x2e, 0x8f, 0x88, 0x20, 0x70, 0xca, 0x0, 0x5c, 0xf1, 0x9c, 0xfd, 0x45, 0xcf, 0xe3, 0xdc, 0x7c, 0x72, 0xf8, 0x7, 0x55, 0xf1, 0x1e, 0x74, 0x8a, 0xec, 0x4c, 0x6b, 0x19, 0x2f, 0x1c, 0xc5, 0x47, 0x18, 0xa6, 0x7e, 0xc9, 0x43, 0x8e, 0xd0, 0x70, 0x2b, 0x8a, 0xb1, 0x15, 0x5c, 0xa1, 0xd, 0x93, 0x14, 0x5, 0x61, 0x2f, 0x78, 0xc6, 0xb6, 0x33, 0x9f, 0xae, 0xdb, 0xae, 0x87, 0xff, 0x25, 0xc9, 0x54, 0xa, 0x88, 0x36, 0xb9, 0xe, 0xaf, 0x7d, 0x71, 0xe, 0x4d, 0x9c, 0xf5, 0xdd, 0x84, 0x92, 0xf5, 0x8c, 0x6f, 0x31, 0x93, 0xcf, 0x81, 0x15, 0x52, 0xf4, 0xc1, 0x3a, 0x87, 0xa8, 0xec, 0x3e, 0xfe, 0xef, 0x6a, 0xfb, 0xe9, 0xfc, 0x17, 0xb4, 0xc3, 0x8d, 0xfb, 0xee, 0x46, 0x80, 0x91, 0xa5, 0x0, 0x94, 0x20, 0x2, 0xac, 0x18, 0xd3, 0x73, 0x8b, 0x78, 0x85, 0x9a, 0xda, 0x35, 0xa5, 0x6b, 0xd4, 0x26, 0x6, 0xbd, 0xae, 0x3, 0x1f, 0xd2, 0x64, 0xdc, 0x73, 0xe8, 0x47, 0x8c, 0x9f, 0x9, 0x7e, 0xc9, 0x8e, 0x1, 0x4d, 0x56, 0xa8, 0xcd, 0x8c, 0xc6, 0x92, 0xde, 0x5c, 0x7a, 0x8d, 0x3e, 0xc4, 0x3c, 0x32, 0x73, 0xa1, 0x35, 0xe0, 0x78, 0x7c, 0xff, 0x80, 0xf8, 0x75, 0x62, 0xf2, 0x3e, 0xaa, 0xed, 0x3e, 0x27, 0xff, 0x3d, 0xee, 0xa4, 0x2f, 0xbc, 0x2e, 0xaf, 0xa3, 0xcd, 0xf4, 0xc4, 0x24, 0xfe, 0x4e, 0xcb, 0x3d, 0x84, 0xaf, 0xa0, 0xb1, 0x10, 0xcd, 0x9c, 0xc1, 0x57, 0xb8, 0x53, 0x4, 0x3e, 0x4d, 0x91, 0xeb, 0xd1, 0xc9, 0xdd, 0xeb, 0x1d, 0x77, 0x62, 0xbb, 0xc8, 0xde, 0x7b, 0x81, 0xaa, 0xc5, 0x91, 0xaa, 0x77, 0x92, 0x82, 0xae, 0x91, 0x23, 0x83, 0xd6, 0x8d, 0xf1, 0x7a, 0xca, 0x84, 0x1a, 0xc7, 0x16, 0xf3, 0x40, 0x17, 0xed, 0x73, 0x6d, 0xa5, 0x88, 0x5c, 0x9e, 0xba, 0xd3, 0x54, 0xa0, 0x2c, 0x71, 0xf7, 0x24, 0x6c, 0xe1, 0xea, 0x3b, 0x8, 0x35, 0xc2, 0x37, 0x4a, 0xfd, 0xe9, 0x83, 0x64, 0xb2, 0x83, 0xa8, 0x4, 0x5d, 0x2c, 0x7c, 0xe2, 0xae, 0xf3, 0x63, 0xc, 0xf1, 0x71, 0x46, 0xae, 0x8d, 0xa8, 0x1d, 0xe, 0xdb, 0xe1, 0x95, 0x59, 0xe2, 0xe8, 0x77, 0xa5, 0x6a, 0x6, 0xd6, 0x6e, 0xb1, 0xb1, 0xc4, 0xbf, 0xf8, 0x31, 0x2b, 0xe1, 0xd8, 0x12, 0x4a, 0xdd, 0xe6, 0x36, 0x77, 0x17, 0xbc, 0x29, 0x7e, 0x57, 0xe8, 0x35, 0x89, 0xa8, 0x2b, 0x72, 0x53, 0x23, 0x6d, 0x28, 0x5f, 0x1, 0x29, 0x37, 0x1d, 0xca, 0x35, 0xe0, 0xa3, 0x39, 0xa2, 0xb6, 0xc7, 0x86, 0x9f, 0x3a, 0xb0, 0xd3, 0xbf, 0x50, 0x52, 0x6e, 0x6e, 0x53, 0xd, 0xfd, 0x30, 0x89, 0xd9, 0x79, 0x32, 0x38, 0xc, 0xfa, 0xab, 0xbb, 0x4c, 0x8c, 0x39, 0x23, 0x3b, 0xa4, 0xc9, 0x38, 0x9b, 0x16, 0xab, 0xbf, 0x32, 0x17, 0xd9, 0x8, 0x43, 0x88, 0xdd, 0x2, 0xf2, 0x8f, 0xa2, 0x93, 0xb5, 0xe4, 0x6c, 0x37, 0x65, 0x1e, 0x1f, 0xd1, 0x51, 0xaf, 0xff, 0x25, 0x15, 0x74, 0xde, 0x48, 0xc6, 0x6e, 0x28, 0xc6, 0xf4, 0x9f, 0x36, 0xbd, 0x3c, 0xf9, 0x79, 0x9c, 0x12, 0xb1, 0xef, 0xf9, 0x6d, 0xc7, 0x94, 0x72, 0xa6, 0xb7, 0xe2, 0xf2, 0xa5, 0x31, 0x1e, 0x1f, 0xb9, 0xca, 0x10, 0x9, 0x50, 0x2d, 0x16, 0xd2, 0x1c, 0x4d, 0x44, 0x9e, 0xdd, 0xbe, 0x52, 0x22, 0xd0, 0xed, 0x4f, 0xb7, 0x34, 0xd6, 0x7a, 0x61, 0x58, 0x12, 0xe1, 0xf8, 0x60, 0xbd, 0x4a, 0x61, 0x5, 0x9e, 0x7b, 0x53, 0xc7, 0xd8, 0xc5, 0x5f, 0xaf, 0xe7, 0x66, 0xc7, 0x26, 0xfd, 0x26, 0xd9, 0x2b, 0x58, 0x81, 0xb5, 0x60, 0x6, 0xc8, 0x7f, 0xf0, 0xac, 0x44, 0x92, 0x1, 0x87, 0x8e, 0xfe, 0xdc, 0xba, 0x22, 0x73, 0x3b, 0x2c, 0x4, 0x5a, 0xe2, 0xc5, 0xfa, 0x16, 0x6, 0x6e, 0xa2, 0xe4, 0xa6, 0x3d, 0x75, 0x12, 0x3c, 0xa, 0x1, 0xca, 0x7b, 0x7, 0x7e, 0x95, 0x6c, 0xe4, 0x4b, 0xe6, 0x4b, 0xda, 0xe3, 0xa4, 0x6c, 0xb4, 0x78, 0xee, 0x75, 0x8e, 0x66, 0xda, 0x9b, 0xa5, 0xf2, 0x98, 0xde, 0xa4, 0x84, 0x51, 0x83, 0x41, 0x68, 0xa5, 0xd6, 0x4e, 0x92, 0x1f, 0xfb, 0x6e, 0xb6, 0xec, 0x64, 0xaf, 0xcf, 0x6c, 0xa2, 0xaf, 0x75, 0x27, 0xd7, 0x4b, 0x97, 0x4f, 0x5, 0xe6, 0x5a, 0x69, 0xf, 0x14, 0x5b, 0xab, 0xcb, 0xbb, 0xde, 0xef, 0x48, 0xe3, 0xa4, 0xb4, 0x71, 0xbc, 0x63, 0xd9, 0x96, 0xcc, 0xbe, 0x52, 0x2e, 0xfc, 0x18, 0x90, 0x5d, 0x5e, 0x5f, 0xbf, 0xa, 0x15, 0x71, 0x87, 0x56, 0x4, 0xa6, 0x2f, 0x18, 0xbd, 0x83, 0x9f, 0x33, 0x70, 0x61, 0xc0, 0xb4, 0x35, 0x5, 0x6, 0x37, 0x11, 0xb3, 0xb9, 0x41, 0x47, 0x55, 0xb3, 0x9, 0x5d, 0xf7, 0x72, 0xfa, 0x47, 0x6a, 0x4c, 0x14, 0x7a, 0xac, 0x71, 0x1a, 0x39, 0xca, 0xe3, 0xb6, 0x98, 0xf4, 0xc0, 0x8, 0x8, 0x0, 0x39, 0xe5, 0x7f, 0xef, 0xd9, 0xae, 0x7e, 0xba, 0x30, 0xa8, 0xe5, 0xa5, 0xa2, 0x57, 0xf1, 0xfc, 0x4a, 0x97, 0x27, 0x91, 0xc0, 0x3e, 0xd1, 0x7d, 0x99, 0x87, 0xb, 0xa7, 0x10, 0xd7, 0x78, 0x49, 0x8c, 0xaf, 0xee, 0x9a, 0xe9, 0x28, 0x89, 0x28, 0xd7, 0x24, 0x6e, 0x3d, 0xa7, 0x7a, 0xee, 0x6c, 0x15, 0x2b, 0xe7, 0xc2, 0x7, 0x50, 0x4c, 0x1d, 0x8a, 0x40, 0xed, 0xc5, 0x57, 0xcf, 0x5f, 0x4, 0x76, 0x5, 0xb6, 0x39, 0x9e, 0x71, 0x9f, 0xbf, 0x8b, 0x86, 0xc2, 0x1, 0x3c, 0x34, 0x7d, 0x2d, 0x3e, 0x10, 0x7e, 0x4b, 0x25, 0xca, 0x2c, 0xa2, 0xbe, 0x31, 0xf1, 0xa9, 0x38, 0xeb, 0xe6, 0x11, 0x19, 0x20, 0xcd, 0xec, 0xd3, 0xe1, 0x27, 0xeb, 0xc0, 0x72, 0xad, 0x70, 0x9a, 0x11, 0xb1, 0xfb, 0x7f, 0xb5, 0x6a, 0xaf, 0xe3, 0xb3, 0xf8, 0x2b, 0xc4, 0x92, 0x5b, 0x5b, 0x68, 0xc1, 0x23, 0xaf, 0x7a, 0x8d, 0xd0, 0xb9, 0xb7, 0x27, 0x2c, 0x1c, 0x59, 0x9a, 0x18, 0xc3, 0xd, 0x66, 0xf, 0xca, 0x43, 0xc8, 0xad, 0x2, 0xa1, 0xca, 0x7b, 0x52, 0x76, 0xb2, 0x1a, 0xb4, 0x8b, 0xd3, 0xde, 0x52, 0xff, 0x40, 0x5f, 0x4e, 0xa0, 0x24, 0xc6, 0x4a, 0x91, 0xd2, 0xfc, 0xcf, 0xd7, 0x11, 0x36, 0xd6, 0xbf, 0xd3, 0x1f, 0x2b, 0xb4, 0xe8, 0xb7, 0x3a, 0x6, 0x85, 0xfa, 0xfd, 0x40, 0xde, 0x6c, 0x5b, 0x7e, 0x8b, 0x17, 0x49, 0xc4, 0x11, 0x78, 0x13, 0xcc, 0x72, 0x29, 0x31, 0x9, 0xb6, 0x4c, 0x35, 0x61, 0xb4, 0x33, 0x5e, 0x12, 0x79, 0xf5, 0x6e, 0xe5, 0xa4, 0x88, 0xf7, 0x2e, 0x10, 0xca, 0x84, 0xb, 0xef, 0x5d, 0x7f, 0x67, 0xbd, 0x96, 0xb9, 0x99, 0xde, 0x97, 0x7b, 0xa8, 0x6f, 0xe9, 0x53, 0x15, 0xbe, 0x4e, 0xc1, 0xfe, 0xd3, 0x5d, 0xcd, 0x75, 0x42, 0x7e, 0xe6, 0x43, 0x57, 0x31, 0x23, 0x83, 0xb4, 0xb1, 0x25, 0x31, 0xf1, 0x81, 0x75, 0x8e, 0x49, 0x4d, 0xdd, 0xb1, 0xaf, 0xc4, 0xd9, 0xda, 0x15, 0x3f, 0x7d, 0x8e, 0x56, 0x84, 0xb8, 0x73, 0xae, 0xa3, 0x1b, 0xa6, 0xe3, 0xd8, 0xd, 0x1b, 0x98, 0xa, 0x52, 0xe3, 0xa4, 0xb, 0xa4, 0x41, 0x1a, 0xbd, 0xb3, 0x4c, 0x35, 0x1c, 0x9c, 0xab, 0x9f, 0xdf, 0x3a, 0xaa, 0xab, 0x1a, 0xd5, 0x18, 0xc4, 0x53, 0xd1, 0xa7, 0x1, 0x7, 0x21, 0xb9, 0xf2, 0xdc, 0xef, 0x7c, 0x1a, 0xdd, 0x61, 0x80, 0xf4, 0xbc, 0xb3, 0xf0, 0xee, 0x6c, 0xe6, 0xcc, 0x25, 0xde, 0x98, 0xb5, 0x83, 0x10, 0x34, 0x5e, 0xa, 0xe9, 0xc7, 0x54, 0xa, 0x89, 0xf4, 0xca, 0x2, 0x1c, 0x42, 0xb4, 0x2b, 0xa6, 0x5a, 0x7b, 0x62, 0xdb, 0x1d, 0x48, 0x74, 0x6a, 0x2d, 0xf5, 0x6b, 0x2c, 0xf6, 0x25, 0x56, 0x1d, 0xa0, 0x46, 0xb2, 0x73, 0x4c, 0xfd, 0xc5, 0x1f, 0x3d, 0x81, 0x31, 0x17, 0x62, 0xfc, 0x6d, 0x3f, 0xbe, 0x54, 0x88, 0xe5, 0x79, 0xdf, 0x22, 0x83, 0xe4, 0x2e, 0x8b, 0xfa, 0xb2, 0x38, 0x14, 0xe5, 0xa0, 0xcd, 0x4a, 0x2d, 0x48, 0x78, 0x73, 0xbe, 0x7, 0x18, 0xac, 0x40, 0x66, 0x95, 0x35, 0xc5, 0x1e, 0xb, 0xda, 0x84, 0x66, 0xe5, 0xc1, 0xd4, 0x21, 0x24, 0xb8, 0xe0, 0x97, 0x3f, 0xb3, 0xc4, 0x0, 0xbe, 0x41, 0x7b, 0x17, 0x23, 0xbd, 0xd0, 0xe1, 0x72, 0x7b, 0x14, 0x2e, 0xb4, 0xa4, 0x53, 0x4c, 0x10, 0x77, 0xf7, 0x5f, 0x9f, 0xd3, 0xf8, 0xd, 0x53, 0xfb, 0xd3, 0x64, 0x4e, 0xe6, 0x36, 0xdd, 0x4f, 0x7, 0x56, 0x67, 0xba, 0xa6, 0xa7, 0x71, 0x7c, 0xca, 0x1e, 0xe3, 0x8f, 0x65, 0x1b, 0xb8, 0xda, 0xad, 0xe4, 0x14, 0x52, 0x94, 0x20, 0x99, 0xc2, 0xf9, 0x11, 0x3f, 0x5d, 0x4e, 0x7d, 0x4, 0x50, 0x84, 0x2f, 0xe7, 0x2a, 0xf6, 0xd7, 0x92, 0x1e, 0x2a, 0xe2, 0x6a, 0x6d, 0x7e, 0x41, 0x41, 0x71, 0x4c, 0xca, 0x85, 0x7f, 0xb6, 0x1a, 0xed, 0xb5, 0x9a, 0x27, 0xc0, 0xd9, 0xb2, 0x44, 0x11, 0xce, 0x57, 0xfa, 0xb8, 0xf0, 0xb, 0x2d, 0xb1, 0x1, 0x6d, 0x4f, 0xdb, 0x18, 0x57, 0x40, 0xa0, 0xe8, 0x11, 0x8f, 0xc2, 0x6b, 0x3c, 0xe7, 0x3b, 0x1a, 0x59, 0xa0, 0x8c, 0xbb, 0x11, 0xac, 0x31, 0x45, 0xcc, 0xa, 0x5a, 0x9a, 0xd0, 0x12, 0xf4, 0x13, 0xde, 0xe7, 0xee, 0x74, 0xf1, 0xcb, 0x82, 0xd6, 0x4f, 0x4, 0xe6, 0x2b, 0x7e, 0x17, 0x70, 0xaf, 0x48, 0x1c, 0xcb, 0x74, 0xf5, 0x65, 0x7c, 0xcb, 0x61, 0x99, 0x92, 0x66, 0x59, 0xce, 0xe9, 0xba, 0xf6, 0x10, 0xfc, 0x6b, 0x83, 0x64, 0x8, 0x76, 0x8, 0xa, 0x6e, 0x61, 0xd5, 0x6b, 0x7, 0x78, 0xb, 0x2f, 0x63, 0xc4, 0xd5, 0xcf, 0x78, 0x85, 0xa0, 0x61, 0x12, 0x27, 0x68, 0x5, 0xcd, 0x2c, 0xf, 0x63, 0x77, 0x37, 0x30, 0x30, 0x40, 0xab, 0xe2, 0xc2, 0x32, 0xa7, 0xfd, 0x9e, 0x92, 0x95, 0xf, 0x6b, 0xc5, 0xb1, 0x95, 0xca, 0xd8, 0xf2, 0xf2, 0xd0, 0x3e, 0xb2, 0x8f, 0xf7, 0x9f, 0xab, 0x6f, 0xbc, 0x4e, 0xe8, 0x9f, 0x98, 0x74, 0x64, 0xf, 0xc8, 0xb1, 0xe6, 0xc, 0xe7, 0xbc, 0xa1, 0x2, 0x3b, 0x5, 0xf3, 0x9f, 0xbe, 0xd3, 0xaf, 0xc0, 0x99, 0x66, 0x48, 0xef, 0x12, 0x26, 0x1a, 0x41, 0xe3, 0xf9, 0x57, 0xd9, 0x22, 0x98, 0x5b, 0x48, 0x7b, 0x81, 0xd8, 0x41, 0xb, 0x19, 0x1, 0xe2, 0x4a, 0xd0, 0x56, 0xe, 0x82, 0xe0, 0x28, 0x85, 0x32, 0x1f, 0xd0, 0xe3, 0x81, 0x8a, 0x7c, 0x82, 0xbe, 0x77, 0xd4, 0x7d, 0xd4, 0x4d, 0xe4, 0x10, 0xec, 0xe7, 0x69, 0x4a, 0xee, 0x7c, 0xd7, 0xe, 0x13, 0x38, 0x60, 0x23, 0xaf, 0xf0, 0x65, 0x4c, 0x80, 0xce, 0x5c, 0x4, 0xf2, 0xdb, 0x70, 0x4b, 0x2a, 0x3, 0x19, 0x87, 0xfb, 0xf5, 0x9f, 0x3c, 0xb3, 0xcc, 0xb3, 0x36, 0xff, 0x3d, 0x78, 0xd2, 0x1f, 0xe6, 0xf2, 0x37, 0x4c, 0xd6, 0x71, 0x0, 0x91, 0xde, 0x7e, 0x11, 0xe5, 0xa1, 0x52, 0x87, 0x4, 0x6c, 0xed, 0x9e, 0xc5, 0xb4, 0x41, 0x13, 0xa0, 0x2e, 0x70, 0xf2, 0x41, 0x92, 0xb0, 0xc6, 0x9d, 0x3b, 0x90, 0x35, 0x6e, 0x23, 0x5b, 0x5b, 0x1f, 0xa8, 0xab, 0x91, 0x42, 0x1d, 0xd6, 0x53, 0xa6, 0x70, 0xaa, 0x73, 0x81, 0x1e, 0xb5, 0x2e, 0x4f, 0xd4, 0x48, 0xb6, 0xd1, 0x8f, 0x3f, 0xb9, 0x5a, 0x6, 0xce, 0xb7, 0x31, 0xfe, 0xf4, 0xe2, 0x99, 0xee, 0x8, 0x54, 0xa5, 0x4, 0x44, 0xdc, 0xda, 0x8b, 0xfa, 0xc4, 0x1b, 0xe3, 0x2e, 0xa1, 0xda, 0x34, 0x95, 0xdb, 0xe, 0x9c, 0x28, 0xf7, 0xa5, 0xb6, 0x81, 0x44, 0x8, 0xd2, 0xb3, 0x8f, 0x9d, 0x1d, 0x46, 0x42, 0x7f, 0x70, 0x3c, 0x29, 0x12, 0x32, 0x1d, 0x3f, 0xf9, 0xa3, 0x3e, 0xb7, 0x6b, 0x59, 0x6, 0x47, 0xc1, 0xad, 0x9c, 0x33, 0xde, 0xaf, 0x34, 0x8, 0xf8, 0x53, 0x29, 0xf2, 0x81, 0x0, 0xfc, 0xdc, 0x99, 0x60, 0x41, 0xe3, 0x85, 0x9, 0xed, 0xa4, 0x1f, 0xe2, 0xcd, 0x3, 0x7a, 0xc3, 0x7d, 0x6d, 0xa2, 0x2d, 0xdf, 0x84, 0xfa, 0x48, 0x8, 0xac, 0x1d, 0x8, 0x71, 0x69, 0x1b, 0xd6, 0x28, 0x9a, 0x5e, 0xa1, 0xe, 0xea, 0x14, 0xd9, 0x4, 0x80, 0xa8, 0x20, 0x55, 0xfe, 0x3f, 0x28, 0x54, 0xd1, 0xa8, 0x9c, 0x13, 0x9b, 0x63, 0xae, 0x2d, 0x42, 0x4f, 0x61, 0xa8, 0xb5, 0xd4, 0xd, 0xcc, 0xdc, 0xee, 0xcd, 0x8e, 0x74, 0xd7, 0x36, 0x16, 0x1d, 0x54, 0x2e, 0x5c, 0x86, 0x7b, 0xf0, 0xab, 0x5a, 0x38, 0x31, 0xe4, 0xdc, 0xe1, 0xec, 0xf9, 0xc2, 0xd2, 0x52, 0xe0, 0x95, 0x8b, 0x25, 0x3, 0x16, 0xff, 0x7a, 0x7, 0x33, 0x7a, 0x3f, 0x4c, 0xde, 0xc, 0x97, 0x1f, 0xe4, 0x12, 0x56, 0xdd, 0x5b, 0x67, 0xf1, 0xa6, 0xf5, 0x71, 0xae, 0x81, 0x51, 0xc3, 0xf8, 0x3e, 0x75, 0xae, 0xc8, 0x0, 0x56, 0xd5, 0xb4, 0x62, 0xe7, 0x8b, 0x4f, 0x62, 0x3e, 0xb3, 0x13, 0x34, 0x8e, 0x5, 0xd1, 0xe4, 0x9e, 0x2a, 0xfa, 0x5, 0xd8, 0x67, 0x69, 0x63, 0x8e, 0x96, 0xd7, 0xbf, 0xb8, 0x7d, 0x9b, 0x94, 0x48, 0x98, 0x17, 0x84, 0x3a, 0xd2, 0xe5, 0xd7, 0x8, 0x53, 0xa5, 0x9d, 0xe2, 0xf3, 0x1d, 0x3b, 0x2f, 0x89, 0x1f, 0x47, 0xee, 0x3d, 0x9e, 0x13, 0x5c, 0xc9, 0x89, 0xe0, 0x57, 0xd7, 0x4d, 0x59, 0x31, 0x86, 0x15, 0x56, 0x9, 0x1f, 0xea, 0xe2, 0x83, 0x10, 0x33, 0x8c, 0xe6, 0x14, 0x77, 0xad, 0x28, 0xa, 0xbe, 0x18, 0x88, 0x3d, 0x52, 0x2, 0xfc, 0x6b, 0xcd, 0x50, 0x58, 0xf3, 0x3a, 0x11, 0x85, 0xb5, 0xa1, 0x8a, 0xdf, 0x30, 0xb, 0x5f, 0x93, 0x7d, 0xac, 0xe3, 0xb7, 0x4a, 0x7c, 0xa0, 0xdd, 0xad, 0xcb, 0x0, 0x2f, 0x55, 0x99, 0x42, 0xc3, 0x92, 0x6c, 0xdf, 0x9, 0x29, 0xde, 0xd1, 0x3e, 0xc3, 0x3c, 0x11, 0x7, 0x3e, 0x48, 0xd, 0xc4, 0x2d, 0xae, 0x63, 0x8b, 0x7d, 0x39, 0x5d, 0x4a, 0x6e, 0x2b, 0x4c, 0x68, 0x79, 0x4b, 0xa9, 0x82, 0x55, 0x6c, 0xa2, 0x2d, 0x62, 0xd4, 0x33, 0x2b, 0x93, 0x8d, 0xf0, 0xbb, 0xd, 0x51, 0xf6, 0x34, 0xf5, 0x52, 0x3a, 0xc2, 0x64, 0xc9, 0x7, 0x1d, 0x21, 0x9b, 0xdc, 0x5b, 0xee, 0xf, 0xce, 0xee, 0xe, 0x58, 0x55, 0x1, 0xf7, 0x68, 0x81, 0x17, 0xdf, 0xe, 0xd6, 0xcd, 0x83, 0x5a, 0x90, 0xe7, 0xab, 0x84, 0x1, 0x17, 0xa1, 0xb5, 0x2f, 0x60, 0x50, 0x2a, 0x64, 0x23, 0xb0, 0xcd, 0x86, 0x98, 0x68, 0x0, 0xfb, 0xe1, 0xa6, 0x90, 0xd0, 0x68, 0xd5, 0x7f, 0x21, 0x59, 0x2, 0xc7, 0x22, 0x19, 0x5b, 0xe4, 0x41, 0x31, 0xc4, 0xd9, 0x1c, 0x83, 0x93, 0x6e, 0xf8, 0x95, 0xc, 0x87, 0x35, 0xca, 0xdf, 0x28, 0xe8, 0x8a, 0x56, 0x7a, 0x5, 0xc2, 0xde, 0x6d, 0xc1, 0x3c, 0x91, 0x25, 0x89, 0x8f, 0x56, 0x5a, 0x6f, 0xa2, 0xe1, 0x6d, 0x5b, 0xbc, 0x18, 0xae, 0x99, 0xf4, 0xf5, 0xbe, 0x13, 0xa4, 0xdf, 0x84, 0xae, 0xf0, 0xc3, 0xec, 0x5d, 0x83, 0xf8, 0xb0, 0xa, 0xa4, 0x65, 0xd8, 0xb, 0xe6, 0xb6, 0x7e, 0x37, 0x4b, 0x19, 0x39, 0x64, 0x59, 0x65, 0x69, 0x4a, 0x8, 0x92, 0x25, 0x56, 0xd8, 0xbc, 0xe0, 0xed, 0x23, 0x4f, 0xb9, 0x33, 0xe4, 0x5c, 0x89, 0x61, 0xe0, 0x42, 0x3d, 0x52, 0xd, 0x86, 0x13, 0xff, 0x3a, 0x4e, 0x41, 0x79, 0x7, 0xbf, 0x50, 0x6, 0xb2, 0xc1, 0xca, 0x6d, 0x61, 0xb, 0xd, 0x30, 0x31, 0x21, 0xd1, 0xd6, 0x6d, 0xe6, 0xde, 0xab, 0x99, 0xff, 0x67, 0xfd, 0xa0, 0xd4, 0xd, 0xc5, 0xaa, 0xc7, 0x50, 0x35, 0x90, 0xc9, 0xd7, 0xb2, 0x46, 0x7c, 0x8b, 0xcf, 0x2e, 0x2, 0xaf, 0x92, 0xbf, 0x3a, 0xe8, 0xb1, 0x33, 0x33, 0x5d, 0x36, 0xd6, 0x84, 0xe7, 0x65, 0xda, 0xc0, 0xb8, 0x9f, 0x75, 0x8f, 0x3f, 0x44, 0xb7, 0xbc, 0x30, 0x19, 0xe8, 0x7a, 0xb1, 0x12, 0xc7, 0x35, 0xab, 0x8, 0x6e, 0x4c, 0xff, 0x8d, 0x42, 0x80, 0x43, 0xf8, 0xfa, 0xa4, 0xef, 0xaf, 0x9d, 0xf1, 0x5f, 0x85, 0xa9, 0xff, 0x8d, 0x53, 0xd8, 0xce, 0xce, 0xc7, 0x3a, 0xbe, 0x9c, 0x40, 0xac, 0x20, 0x1e, 0xa7, 0x2d, 0x88, 0xb6, 0x1f, 0x8c, 0x35, 0x82, 0xa5, 0x42, 0xbe, 0xf7, 0xde, 0xec, 0xef, 0xe6, 0x6b, 0x4, 0x65, 0x80, 0x60, 0xfc, 0xd3, 0xa9, 0xdb, 0xe8, 0x9, 0xc8, 0x13, 0xaf, 0xc9, 0xff, 0x91, 0x14, 0x64, 0x47, 0x98, 0x6c, 0x1e, 0xf7, 0x31, 0xc, 0xd3, 0x25, 0x49, 0x57, 0x3b, 0x22, 0x21, 0x2a, 0xac, 0xba, 0x72, 0xeb, 0xb7, 0xe7, 0x59, 0x8, 0xef, 0xac, 0xd, 0x6a, 0x77, 0x42, 0x9, 0x90, 0x21, 0x14, 0xc3, 0xfe, 0x6, 0x2b, 0x12, 0x50, 0x7e, 0xb0, 0x94, 0x47, 0x32, 0xa5, 0x7c, 0xf0, 0x4a, 0x8b, 0x4f, 0x74, 0xdd, 0x7b, 0xc9, 0x3f, 0xd6, 0x8, 0x2f, 0xa1, 0x30, 0x9d, 0x6d, 0x62, 0x76, 0x1a, 0xf, 0x65, 0x39, 0x77, 0x84, 0xa3, 0x1f, 0xf7, 0x47, 0x1b, 0x10, 0x4f, 0x12, 0xdc, 0xd4, 0x19, 0x5f, 0x81, 0x3d, 0x8a, 0xb5, 0x6e, 0xb2, 0x95, 0xae, 0x69, 0x15, 0x87, 0x18, 0xfb, 0x95, 0x88, 0xe1, 0xcd, 0xc3, 0x21, 0x7f, 0x73, 0xf4, 0xbb, 0x2f, 0xc6, 0x7e, 0xac, 0xf5, 0x9, 0x62, 0xab, 0xa5, 0xdb, 0xd8, 0xbe, 0xad, 0xf9, 0xa5, 0xa9, 0xd7, 0xb5, 0x24, 0x68, 0xc7, 0x1d, 0xa6, 0xf7, 0x28, 0x7d, 0x70, 0xea, 0x99, 0xa9, 0xca, 0xb, 0x46, 0x11, 0x77, 0xcc, 0xe4, 0x92, 0x1c, 0x4d, 0x17, 0x7b, 0xba, 0x2d, 0xbf, 0xd4, 0x18, 0x66, 0xab, 0x4b, 0x3c, 0x79, 0xd2, 0x8b, 0xeb, 0x80, 0xc9, 0xf0, 0xb8, 0xbf, 0x91, 0x6, 0x79, 0x32, 0x89, 0x65, 0x9d, 0xae, 0x36, 0xb7, 0x6, 0x89, 0x5, 0x61, 0xed, 0x6e, 0x3b, 0xd6, 0xc0, 0x4, 0x2f, 0x2c, 0x71, 0x8f, 0x48, 0x3d, 0xc6, 0xd5, 0x6f, 0xf0, 0x5c, 0x41, 0x8e, 0x58, 0xd9, 0xac, 0x3f, 0x36, 0x97, 0x7e, 0x25, 0x93, 0x2b, 0x62, 0xf7, 0x9b, 0x1f, 0xce, 0xca, 0x7a, 0x66, 0xc4, 0xff, 0xd1, 0xa9, 0xcf, 0x1e, 0x6, 0xa, 0xaa, 0xa1, 0xf4, 0x1c, 0x23, 0x9a, 0x51, 0xc0, 0xb2, 0x75, 0xd6, 0x28, 0xe3, 0x52, 0x69, 0x4f, 0xfe, 0x94, 0xbf, 0x9e, 0x8a, 0x4a, 0x29, 0xa2, 0x67, 0xb7, 0x8b, 0xf2, 0xf5, 0xf3, 0xa, 0xfe, 0x4d, 0x2b, 0x51, 0x85, 0xd, 0x6a, 0xb1, 0x99, 0xa8, 0x8b, 0x95, 0x18, 0xa7, 0x48, 0x75, 0xba, 0xc, 0x43, 0xc2, 0x95, 0x15, 0xe6, 0x6b, 0xa1, 0x10, 0x1b, 0xd, 0xb3, 0x4c, 0xb7, 0xbf, 0x85, 0x97, 0xbb, 0xeb, 0xe3, 0x45, 0x36, 0xe6, 0xb2, 0x5e, 0x3f, 0xb5, 0x7, 0x32, 0x42, 0xc8, 0x84, 0x47, 0xe5, 0x57, 0xbe, 0xcf, 0xd5, 0x14, 0x72, 0x16, 0xc2, 0x79, 0xd7, 0xca, 0x3a, 0x9a, 0x2, 0xcd, 0x69, 0x79, 0x61, 0xa0, 0x17, 0x70, 0x8a, 0xcd, 0x68, 0x76, 0xd1, 0xe8, 0x7e, 0x9b, 0xbe, 0x9a, 0xd1, 0xb4, 0x77, 0x76, 0x17, 0x16, 0x9c, 0x93, 0xe, 0xfd, 0x58, 0x72, 0x8a, 0x96, 0xd5, 0xef, 0xf4, 0xc4, 0xa8, 0x23, 0xca, 0xfd, 0xd2, 0x65, 0xb8, 0xee, 0x81, 0x95, 0xf8, 0x8e, 0xcc, 0x8, 0xee, 0x15, 0x5a, 0x14, 0x56, 0x90, 0x1, 0xa, 0xa1, 0x8f, 0x76, 0x9b, 0xe1, 0xe, 0x88, 0xef, 0xb8, 0xf5, 0xef, 0xe, 0x8a, 0x1c, 0xcb, 0xbb, 0xca, 0xc0, 0xf0, 0xf9, 0x38, 0xc8, 0xb8, 0xcd, 0xe9, 0x1e, 0x2e, 0xc0, 0x14, 0x4a, 0x8a, 0xb8, 0xd8, 0x87, 0x5, 0xe5, 0x98, 0xf6, 0x2f, 0x96, 0x78, 0xf2, 0xf6, 0x80, 0xda, 0x44, 0xbf, 0xb3, 0x34, 0x9d, 0x51, 0x66, 0x2e, 0xb3, 0x5a, 0xf9, 0x34, 0x38, 0x28, 0x0, 0xa0, 0x78, 0x62, 0x97, 0x87, 0x60, 0x6e, 0xf6, 0x12, 0x73, 0x62, 0xe, 0x96, 0x62, 0x1e, 0x55, 0x1c, 0x90, 0xe6, 0x7b, 0xb2, 0x87, 0x9b, 0x1f, 0xbc, 0xfd, 0x24, 0x38, 0x85, 0xe7, 0x80, 0x7d, 0xc2, 0xac, 0x2f, 0x51, 0x9, 0xbc, 0xbb, 0x5a, 0x3b, 0x14, 0xac, 0x39, 0x42, 0x39, 0x6, 0x99, 0xce, 0x2f, 0x9e, 0x6e, 0x64, 0x4b, 0x9c, 0x7f, 0x85, 0x80, 0x1e, 0x81, 0x10, 0xa2, 0x68, 0x2a, 0xb5, 0x43, 0x36, 0x44, 0x4e, 0xd5, 0x6, 0x43, 0xb8, 0x8e, 0xd, 0x63, 0x6d, 0x8d, 0xde, 0xa, 0x6a, 0x14, 0x42, 0x63, 0x15, 0x32, 0x70, 0x22, 0x36, 0xaa, 0x5e, 0xf2, 0x26, 0xa8, 0x8b, 0x87, 0x87, 0x13, 0x86, 0xbd, 0x58, 0x7a, 0x22, 0x37, 0x1d, 0x28, 0x10, 0x3c, 0xc0, 0xb6, 0x43, 0xff, 0xde, 0x41, 0x2f, 0x95, 0x7a, 0xb3, 0x2, 0xb7, 0x89, 0x3b, 0xe6, 0x9a, 0xa5, 0x44, 0xe, 0x51, 0xf9, 0x3f, 0x14, 0xdc, 0x57, 0x32, 0x67, 0xf4, 0xba, 0x52, 0xd7, 0x5, 0x22, 0xc0, 0x19, 0x92, 0xd6, 0xb7, 0xc4, 0x69, 0x30, 0xc2, 0x46, 0xac, 0x2, 0x15, 0xfd, 0xc3, 0x92, 0x63, 0x2e, 0x46, 0x8, 0x22, 0x1b, 0xa2, 0xb1, 0x57, 0x60, 0x63, 0x5b, 0x1b, 0xc, 0x46, 0xf9, 0x1f, 0xe5, 0xf0, 0xc0, 0x2f, 0xf0, 0x32, 0x26, 0xca, 0x7a, 0x86, 0x1c, 0xf0, 0xc7, 0x7d, 0x33, 0x2b, 0xb9, 0x7d, 0xdc, 0xfb, 0x5a, 0xbf, 0xc4, 0x4b, 0x62, 0x5e, 0x1a, 0xe2, 0x4d, 0xbc, 0x7, 0x2b, 0x81, 0xcc, 0x90, 0x20, 0xb, 0x24, 0x37, 0xd1, 0x29, 0x32, 0x21, 0x1b, 0x5a, 0x9, 0xc5, 0x3, 0x4, 0x15, 0xe0, 0x35, 0xe, 0xd5, 0x34, 0xca, 0x1d, 0x6f, 0xb6, 0xbb, 0x3b, 0x7d, 0xed, 0x85, 0xf0, 0x35, 0x57, 0xae, 0x2e, 0x86, 0x66, 0xc8, 0xbe, 0x3e, 0xf0, 0xb6, 0xf9, 0xf2, 0x1, 0x5, 0x58, 0xc2, 0x74, 0xe, 0x99, 0x63, 0x20, 0xff, 0x8b, 0x40, 0xc8, 0x40, 0x9f, 0x3d, 0x4e, 0xdc, 0xfa, 0x2a, 0x6f, 0xeb, 0x32, 0xa0, 0xd3, 0x57, 0x3, 0x8a, 0xc9, 0xf1, 0xd, 0x2e, 0xb2, 0x18, 0xe3, 0x38, 0xdd, 0x2a, 0x50, 0x8d, 0x2d, 0x9a, 0xbb, 0x6a, 0xce, 0x84, 0x4a, 0x7a, 0x95, 0x7e, 0x6f, 0x65, 0xe8, 0x81, 0xf7, 0xf9, 0x98, 0x7b, 0xc2, 0x45, 0x13, 0x4e, 0x99, 0x92, 0xf6, 0xe1, 0x51, 0xee, 0x61, 0x93, 0xe1, 0x16, 0xd5, 0x7, 0x8, 0xef, 0x8a, 0x99, 0xfb, 0xef, 0x5c, 0x88, 0x13, 0x17, 0x8a, 0xf, 0x2f, 0xe9, 0xd5, 0x23, 0xd2, 0x80, 0x2, 0xd2, 0xe8, 0x10, 0x20, 0x67, 0x48, 0x98, 0xac, 0x7e, 0x23, 0x60, 0xfd, 0x2, 0x6f, 0xe7, 0x7e, 0xda, 0x9a, 0xad, 0xbf, 0x51, 0xcc, 0x48, 0x36, 0x1f, 0x3d, 0x67, 0x8d, 0xe7, 0xb, 0x44, 0x26, 0xf8, 0x26, 0xbf, 0xae, 0x70, 0xb1, 0xf5, 0xa6, 0xaa, 0x11, 0xaf, 0xb5, 0x88, 0x9d, 0xb2, 0xe, 0x93, 0x40, 0xb2, 0x4e, 0x44, 0x57, 0x6, 0x29, 0xd9, 0x4a, 0x76, 0x4a, 0x96, 0xd0, 0x5f, 0x7e, 0xf8, 0xbf, 0xe3, 0x5d, 0xa0, 0x4c, 0x84, 0x90, 0x86, 0xb, 0xc8, 0xa6, 0x41, 0x11, 0x8d, 0x94, 0xda, 0x4a, 0xa3, 0xfc, 0x83, 0x31, 0x1d, 0x70, 0x9, 0x1e, 0xdd, 0xbc, 0x56, 0x27, 0x80, 0x5c, 0xd4, 0x90, 0xb9, 0x1d, 0xe3, 0x94, 0x84, 0xe5, 0x66, 0x85, 0xa9, 0x56, 0xe8, 0xb9, 0xf3, 0xe3, 0x10, 0xab, 0xde, 0xd9, 0x87, 0x4f, 0xb2, 0x9c, 0xed, 0x3d, 0x37, 0xcb, 0x6e, 0x16, 0x3e, 0x3d, 0x65, 0x3f, 0x7, 0xc7, 0x14, 0xfd, 0x25, 0xc4, 0xae, 0x92, 0x9b, 0x4, 0x5d, 0x10, 0x11, 0x2e, 0xa4, 0x9, 0x49, 0x7e, 0x65, 0x7f, 0xa1, 0x9, 0xd6, 0xa5, 0x9b, 0xa3, 0x80, 0xc3, 0xcb, 0xe, 0xc1, 0x24, 0x77, 0x1e, 0x71, 0x6c, 0x70, 0xd0, 0x22, 0xb9, 0xc6, 0x3c, 0xd5, 0xe8, 0x84, 0x7d, 0xb5, 0xa, 0x81, 0x7b, 0xc3, 0xea, 0xa7, 0xca, 0x70, 0xa7, 0x78, 0xc9, 0x60, 0xe2, 0xb5, 0xf4, 0x71, 0xaa, 0x29, 0x61, 0xf2, 0xdb, 0x30, 0x8e, 0x9a, 0x48, 0xb6, 0xd9, 0xee, 0xe2, 0xfe, 0x75, 0x3f, 0xeb, 0x7f, 0xd2, 0x8f, 0x48, 0x94, 0x95, 0x15, 0x6a, 0x7, 0x90, 0x64, 0xea, 0x52, 0xce, 0x97, 0x1f, 0x6b, 0x4d, 0x42, 0x3e, 0xcb, 0x8c, 0x5e, 0x18, 0xa, 0xf3, 0x6d, 0xac, 0xbf, 0x47, 0x77, 0x51, 0x80, 0xec, 0x56, 0xad, 0x93, 0xfe, 0x91, 0x43, 0xcf, 0x5c, 0x93, 0xf0, 0x40, 0x1d, 0x81, 0x3, 0xf, 0x26, 0x6b, 0x86, 0xbe, 0x9a, 0x7b, 0x9f, 0xb9, 0x47, 0x20, 0x79, 0x84, 0x2d, 0xe4, 0x8e, 0xc8, 0xb, 0x60, 0xb1, 0x23, 0x71, 0xa3, 0x7c, 0x92, 0x45, 0x58, 0xdd, 0xd5, 0xbd, 0x8b, 0x8, 0x11, 0x13, 0x3f, 0x90, 0x2e, 0x27, 0xc2, 0xa2, 0x65, 0xcf, 0xde, 0xdc, 0xe0, 0x6f, 0x1f, 0xd6, 0x26, 0x6e, 0x35, 0x9e, 0xc0, 0xd, 0x48, 0x54, 0x9d, 0x9f, 0xad, 0xee, 0x5a, 0xbe, 0x46, 0x14, 0x40, 0xa1, 0xca, 0x91, 0xd1, 0x75, 0xc0, 0xc4, 0x8d, 0xcc, 0x66, 0x9c, 0xb8, 0xc9, 0x85, 0xbc, 0x62, 0x9a, 0x52, 0x5e, 0x5f, 0xa8, 0x68, 0x77, 0xdb, 0xb3, 0x97, 0x2d, 0x38, 0xe0, 0x87, 0x42, 0x33, 0xf6, 0x78, 0x2b, 0xb1, 0x2b, 0x89, 0x6f, 0x67, 0x47, 0xc9, 0x86, 0x0, 0xc2, 0xa9, 0xc0, 0x1a, 0xfb, 0xb, 0x92, 0xb2, 0x41, 0x20, 0x33, 0xec, 0xf6, 0x92, 0x42, 0x54, 0x9d, 0x98, 0xc9, 0x37, 0xb9, 0xb, 0xa3, 0x9e, 0x87, 0xd5, 0xc6, 0xeb, 0x41, 0xf9, 0x39, 0x87, 0xb1, 0xdb, 0xdf, 0xfc, 0x50, 0xa4, 0x76, 0x90, 0xa8, 0x29, 0x9c, 0xc3, 0x93, 0xb7, 0x5f, 0xb1, 0x11, 0xa8, 0x87, 0xfd, 0x3b, 0xa0, 0xb0, 0xd3, 0x28, 0xf1, 0x12, 0x49, 0x9e, 0x24, 0xb0, 0xde, 0x3e, 0xed, 0x5a, 0x13, 0x3a, 0x7b, 0x10, 0x32, 0xd9, 0x34, 0x20, 0x56, 0x99, 0xe1, 0x98, 0x1c, 0xd7, 0xc7, 0xd, 0x71, 0xc7, 0xce, 0xd8, 0xb2, 0xe0, 0x31, 0xb2, 0x13, 0x37, 0x56, 0xe7, 0x2, 0x8c, 0x96, 0xac, 0x85, 0xd2, 0x84, 0x62, 0xb6, 0xd, 0x43, 0xee, 0x89, 0x60, 0x25, 0x31, 0x56, 0x6f, 0x83, 0xf6, 0xd8, 0x9b, 0xce, 0xae, 0x46, 0xa0, 0x85, 0xfb, 0x4b, 0xfc, 0x4c, 0x48, 0xb9, 0xb2, 0x99, 0x15, 0x2c, 0x3e, 0x1e, 0xee, 0xaf, 0x2e, 0x12, 0x3d, 0x90, 0x38, 0x3c, 0x7e, 0x6c, 0x55, 0x70, 0xc7, 0xe0, 0xc, 0x94, 0xaa, 0xe8, 0xfa, 0x8, 0x1b, 0x63, 0xd6, 0x2, 0x48, 0xba, 0xf8, 0x69, 0x7f, 0x80, 0x85, 0x8a, 0xb0, 0xae, 0x1e, 0x41, 0x5, 0x4, 0xa, 0xed, 0x70, 0x66, 0x4c, 0x49, 0x16, 0x8f, 0xb0, 0xde, 0x60, 0xbb, 0x97, 0x37, 0x13, 0xc6, 0xf, 0xf2, 0x8c, 0x10, 0xc3, 0x6b, 0xc, 0xf5, 0xf4, 0x30, 0x3e, 0xc7, 0x46, 0x9c, 0x74, 0x29, 0x7c, 0x67, 0x1a, 0x1c, 0x98, 0x1e, 0xf1, 0xf4, 0x93, 0x1d, 0xfe, 0x8b, 0x68, 0x3e, 0x2e, 0xd8, 0x3, 0x73, 0x93, 0x85, 0x9e, 0xaa, 0xa6, 0xa7, 0xf5, 0xae, 0x1, 0x20, 0xb9, 0x59, 0xb9, 0x95, 0xf4, 0x2, 0x49, 0x85, 0xd8, 0xa2, 0xfc, 0xbd, 0xfd, 0xb0, 0x13, 0xfa, 0xf0, 0xa2, 0xb6, 0xe7, 0xd9, 0xcb, 0x41, 0x87, 0xb, 0x43, 0x56, 0x10, 0xf1, 0xbd, 0xf9, 0xb9, 0x19, 0x4d, 0x95, 0x23, 0xa2, 0x5, 0xd7, 0xde, 0x4f, 0x2a, 0x97, 0x5c, 0xfc, 0xd0, 0x74, 0xea, 0x77, 0x29, 0x91, 0xd6, 0xfe, 0xcb, 0xcb, 0xaf, 0xa5, 0x59, 0xcc, 0xfd, 0x11, 0x6, 0x87, 0x57, 0x2f, 0x30, 0xbb, 0xab, 0x19, 0x72, 0xba, 0x30, 0x27, 0xb3, 0xfa, 0x59, 0x0, 0xce, 0x28, 0x22, 0x43, 0xf5, 0xa8, 0xa0, 0xdc, 0x26, 0xfd, 0xcf, 0xbd, 0x6b, 0xb2, 0x6b, 0xd, 0xa9, 0x69, 0x8b, 0x63, 0x49, 0x89, 0xbc, 0xd3, 0x5d, 0xe9, 0x2d, 0x6a, 0x2b, 0x92, 0xf1, 0xa4, 0xe1, 0x76, 0xfd, 0x2c, 0x87, 0xd5, 0xb1, 0x3c, 0xf7, 0x99, 0xce, 0xa3, 0x32, 0xdb, 0x9a, 0x14, 0x2b, 0x75, 0x6a, 0x23, 0x89, 0x40, 0xd0, 0x9b, 0xf1, 0xf4, 0xb, 0xe, 0x3d, 0x31, 0x12, 0x6c, 0x20, 0x3b, 0xb2, 0xae, 0xfe, 0x3, 0xf3, 0xd, 0xe7, 0x73, 0xe0, 0xef, 0xd1, 0x9b, 0xeb, 0xa0, 0xdb, 0x9, 0x5, 0x53, 0x4e, 0xfc, 0x32, 0xd5, 0x7f, 0x4c, 0x7a, 0x78, 0x3d, 0xe9, 0xed, 0xff, 0x92, 0xd7, 0x10, 0x50, 0x24, 0xe4, 0xe2, 0xc4, 0x2d, 0xc7, 0xbd, 0xbb, 0x66, 0x4, 0x7d, 0xd4, 0xe0, 0xe7, 0x43, 0x5c, 0x6c, 0x56, 0x51, 0xcb, 0x85, 0x6e, 0x46, 0xf0, 0x97, 0x35, 0x19, 0xc9, 0xf9, 0xcf, 0x4a, 0xd9, 0x94, 0x49, 0xc, 0xe9, 0x54, 0x93, 0x7d, 0x92, 0x47, 0x21, 0x32, 0x93, 0xa3, 0xe0, 0x2b, 0xeb, 0xc1, 0xd, 0xc1, 0xfa, 0x27, 0x84, 0xfa, 0x19, 0xf3, 0x2f, 0xc2, 0xd8, 0xcf, 0x88, 0x74, 0x52, 0x96, 0x1, 0x84, 0xe6, 0xd4, 0xe2, 0x46, 0xa7, 0xaa, 0x67, 0x7d, 0x6, 0x2e, 0xfa, 0x11, 0x9f, 0x5f, 0x3e, 0x7f, 0x2a, 0xd9, 0xb6, 0x8e, 0x3b, 0xcb, 0xd6, 0x3a, 0x15, 0xfe, 0x9a, 0xbd, 0x0, 0xf8, 0xdd, 0xd7, 0x6d, 0x1a, 0x4d, 0x19, 0x7e, 0xf1, 0xca, 0xc0, 0x3c, 0xc1, 0xf6, 0xee, 0xc3, 0x5f, 0x32, 0x8e, 0xc5, 0xf6, 0x15, 0xb2, 0xc3, 0x1d, 0xa3, 0x0, 0x54, 0x9, 0x71, 0xe7, 0xd3, 0xa3, 0xaf, 0x7, 0x7c, 0x8e, 0x16, 0x2d, 0xae, 0xc7, 0x94, 0xa1, 0x17, 0x84, 0x3f, 0xc3, 0x40, 0x95, 0x31, 0x9b, 0x58, 0x42, 0x28, 0xf8, 0xd6, 0x83, 0xa2, 0x59, 0xf, 0x49, 0x18, 0xcb, 0x9f, 0xae, 0xda, 0x84, 0x1f, 0x73, 0xa2, 0xa0, 0x3b, 0x68, 0xc3, 0x60, 0xd9, 0xb6, 0x3d, 0x69, 0x10, 0x61, 0x14, 0xbb, 0x63, 0x5c, 0xc8, 0x5, 0xbf, 0x88, 0x7, 0xaf, 0x36, 0x94, 0xb1, 0xd2, 0x60, 0x74, 0x34, 0xdf, 0x59, 0x54, 0x90, 0xb1, 0x7d, 0x1a, 0xe1, 0x94, 0xe0, 0xf6, 0x73, 0x38, 0x9c, 0x1b, 0xc3, 0x91, 0xbb, 0x85, 0x7b, 0xb5, 0x57, 0xef, 0x48, 0xb, 0xa9, 0x5a, 0xc, 0x6f, 0xab, 0x3b, 0xaf, 0x69, 0xb1, 0xde, 0xde, 0x85, 0x36, 0x37, 0x2d, 0x73, 0xad, 0x10, 0xe6, 0x15, 0x8e, 0xba, 0x2, 0xdf, 0x70, 0x38, 0xf1, 0x71, 0xf7, 0xa7, 0x8c, 0xb6, 0xed, 0x37, 0x3, 0x6c, 0x3, 0x2c, 0xb6, 0x47, 0xf7, 0xac, 0xe4, 0x81, 0x4e, 0xb9, 0xb6, 0x76, 0xd5, 0x21, 0xd9, 0xcb, 0x76, 0x3c, 0xee, 0xc8, 0xa3, 0x6, 0xf3, 0x6e, 0x1f, 0x2a, 0xd3, 0x23, 0x16, 0xf1, 0x3c, 0x56, 0xe9, 0x63, 0x68, 0x64, 0xab, 0xd5, 0xe6, 0x26, 0x5c, 0x0, 0x5c, 0xbe, 0x4c, 0x8a, 0x3b, 0x27, 0xbb, 0xe6, 0x9c, 0xa5, 0x29, 0xd5, 0xdc, 0x6f, 0xb1, 0xd4, 0x4, 0x52, 0xaa, 0xaf, 0xc4, 0x8d, 0x79, 0x23, 0x79, 0x26, 0x4a, 0x62, 0xb0, 0xab, 0x7f, 0x30, 0x6b, 0xf6, 0x6d, 0xe5, 0x85, 0x14, 0xd6, 0x9d, 0x85, 0x34, 0x53, 0x3e, 0x3a, 0xee, 0xc8, 0xd0, 0x18, 0x5b, 0x5b, 0x47, 0x9c, 0xd5, 0x51, 0xcd, 0x7, 0x1f, 0xd, 0x8, 0x63, 0x26, 0x43, 0x8b, 0xb8, 0xa6, 0xd0, 0xc0, 0xc9, 0x6f, 0x29, 0x34, 0xc2, 0x91, 0x86, 0xc9, 0x1a, 0xb6, 0x7f, 0x88, 0x94, 0xa4, 0x83, 0xa, 0x2a, 0xf2, 0x9c, 0xea, 0xc, 0x27, 0x14, 0x51, 0x56, 0xf5, 0x2, 0x48, 0xa2, 0xe8, 0xa6, 0x30, 0x52, 0xaf, 0x13, 0xe9, 0xbc, 0x3d, 0xc7, 0xf, 0xad, 0xcb, 0x7, 0x8a, 0x45, 0x7b, 0x58, 0x9e, 0x90, 0x8a, 0xc, 0xf0, 0xd4, 0x84, 0xda, 0x0, 0x13, 0xac, 0x66, 0x44, 0xb5, 0x48, 0xd0, 0x5c, 0x42, 0xbf, 0xd8, 0xe9, 0x90, 0xbe, 0xb9, 0x9c, 0xb5, 0xe, 0x1b, 0x43, 0x3e, 0xdb, 0x16, 0x16, 0x99, 0xff, 0xec, 0x1a, 0x53, 0x7a, 0x11, 0xaa, 0xd3, 0x3b, 0xdc, 0xf4, 0x59, 0xd3, 0x92, 0xaf, 0x91, 0x36, 0x5c, 0x44, 0x20, 0x7, 0xe2, 0x3e, 0x7a, 0x74, 0x71, 0x87, 0x59, 0x82, 0xac, 0xd1, 0x71, 0xe9, 0x73, 0x9f, 0x94, 0xf7, 0x39, 0xc5, 0xf, 0x81, 0x30, 0x2e, 0x98, 0xd7, 0xf3, 0x5c, 0xd0, 0x29, 0x71, 0x1c, 0x7b, 0xb, 0xe2, 0x58, 0x87, 0xf2, 0x61, 0x9e, 0x56, 0x20, 0xcc, 0xad, 0xff, 0x2d, 0x4c, 0x54, 0x59, 0x2f, 0x3a, 0x5d, 0xb0, 0x53, 0x5e, 0xff, 0x9f, 0xc1, 0xf5, 0x16, 0xbe, 0x63, 0xa4, 0x4c, 0x4e, 0xef, 0xf, 0x33, 0xb2, 0x63, 0xcc, 0x66, 0x35, 0x87, 0x72, 0xef, 0xbc, 0x0, 0x9, 0x78, 0xcf, 0xca, 0xd2, 0x61, 0xd1, 0x7d, 0x82, 0x54, 0x5b, 0x39, 0xc5, 0x5d, 0x13, 0xc6, 0x1b, 0xbf, 0x27, 0x2e, 0x5, 0x8f, 0x63, 0x6c, 0xa0, 0xdf, 0x7, 0xf0, 0x24, 0xa2, 0x10, 0xda, 0x21, 0x33, 0x6d, 0x6d, 0x58, 0x73, 0xe9, 0x8f, 0x2c, 0x15, 0x26, 0x38, 0x57, 0xc, 0x8b, 0x98, 0x60, 0x55, 0xb9, 0x8b, 0x17, 0x43, 0x70, 0x86, 0x38, 0x1c, 0x80, 0xdf, 0xa1, 0x90, 0x40, 0x12, 0xb9, 0x67, 0x9b, 0xff, 0x0, 0x98, 0x75, 0xc8, 0x20, 0x26, 0x23, 0x4, 0x3, 0x5c, 0x3e, 0xca, 0xee, 0xdc, 0x70, 0x4b, 0x3c, 0x9d, 0x4b, 0x8e, 0x64, 0x1f, 0x18, 0x15, 0x3c, 0x2d, 0xbb, 0x5c, 0x34, 0x33, 0x6e, 0x37, 0xd8, 0x81, 0xf9, 0x7a, 0x29, 0xf2, 0xc, 0x9b, 0x28, 0x26, 0xb6, 0xf, 0x5e, 0xbe, 0x32, 0xbd, 0x4c, 0xc7, 0x9d, 0x75, 0x13, 0xa0, 0x17, 0xb7, 0xbc, 0x75, 0x74, 0xb1, 0x72, 0xd8, 0x50, 0xc9, 0x77, 0x84, 0x43, 0x3d, 0xd6, 0xe1, 0xff, 0x79, 0x78, 0xc6, 0xce, 0x70, 0x8c, 0x57, 0xd8, 0x14, 0x60, 0x0, 0x9b, 0x8b, 0x6b, 0xbb, 0x78, 0xa8, 0x99, 0xad, 0xc9, 0x6, 0x38, 0xfb, 0x11, 0x8e, 0x0, 0x99, 0x67, 0xb3, 0xca, 0x44, 0xcd, 0x35, 0x14, 0xe8, 0xcf, 0xe4, 0xd2, 0xf2, 0x9e, 0xc1, 0xfe, 0x3f, 0x11, 0x7f, 0xea, 0xa0, 0xd5, 0x7e, 0x76, 0xf6, 0x1b, 0xa, 0x4c, 0x71, 0x3, 0x5e, 0xf7, 0xff, 0x57, 0xee, 0xe9, 0x23, 0xa, 0x2e, 0x42, 0x3c, 0xa2, 0xaf, 0x83, 0xf, 0x54, 0x2d, 0x6b, 0x5f, 0xdd, 0xa7, 0x46, 0xea, 0x55, 0x7e, 0xc2, 0xc2, 0xc2, 0x8, 0x12, 0x2a, 0x67, 0x46, 0x42, 0x6b, 0xeb, 0x7a, 0x4f, 0x63, 0xae, 0xf7, 0x99, 0x35, 0xd1, 0xf7, 0xaa, 0x84, 0x98, 0x95, 0x95, 0x68, 0x89, 0xa6, 0x48, 0xb3, 0x7, 0xe3, 0x9b, 0x95, 0xb1, 0x87, 0x7c, 0x14, 0x3c, 0x57, 0xe, 0x25, 0x96, 0xf8, 0x61, 0xc, 0xdd, 0x3a, 0xfb, 0xe, 0xae, 0x5e, 0x32, 0x8c, 0xca, 0x5e, 0x74, 0x0, 0xed, 0x70, 0x3f, 0xff, 0xec, 0x96, 0x16, 0x91, 0x3c, 0x1d, 0xd4, 0x9a, 0x31, 0x65, 0xbc, 0xac, 0x73, 0xef, 0xc7, 0xb1, 0xf0, 0x20, 0xa0, 0x1, 0x7b, 0x6e, 0x4, 0x79, 0x9d, 0xd, 0x79, 0x89, 0xaf, 0x76, 0x9, 0xee, 0x6c, 0x2d, 0xf, 0x65, 0x4d, 0xca, 0x1e, 0x7, 0x43, 0x9a, 0x5d, 0x93, 0xa3, 0xfe, 0xb, 0x3b, 0x28, 0xc9, 0xd2, 0xfc, 0x66, 0xf1, 0x5, 0x66, 0x69, 0xb5, 0x5e, 0x66, 0xe, 0x8d, 0xd3, 0x4c, 0xa5, 0x7, 0x5d, 0x7e, 0xe7, 0xcf, 0x50, 0xd9, 0x43, 0xa, 0x5, 0xee, 0x90, 0xb5, 0x69, 0x2e, 0xd3, 0xda, 0xeb, 0xdd, 0x86, 0xe8, 0x31, 0x86, 0x3a, 0x9b, 0xb8, 0xed, 0xd2, 0x46, 0x37, 0x21, 0x7a, 0xde, 0x55, 0xe8, 0x8d, 0x11, 0x5f, 0xc, 0xb0, 0xb7, 0x6c, 0x5, 0xb2, 0xe4, 0x85, 0x9b, 0x2c, 0xd0, 0xfb, 0xae, 0xde, 0x2d, 0x89, 0x50, 0xd1, 0x8d, 0x9a, 0xf3, 0x3, 0x85, 0x79, 0x8b, 0x21, 0x86, 0x46, 0xb8, 0x37, 0x1a, 0x5f, 0x37, 0xb7, 0xd8, 0x6d, 0x29, 0x36, 0x8e, 0x89, 0x8e, 0xb7, 0xb1, 0xd4, 0x2c, 0x47, 0x93, 0xbd, 0x8f, 0x30, 0x53, 0xae, 0x45, 0xeb, 0xda, 0x6f, 0xc3, 0x2, 0x2e, 0x5a, 0xcd, 0x46, 0x85, 0x83, 0xa4, 0xba, 0x90, 0x4e, 0x3d, 0x6a, 0x60, 0x99, 0xbe, 0x9d, 0x2e, 0xe6, 0x55, 0xdd, 0xe7, 0xed, 0x81, 0x2a, 0xa0, 0x6a, 0x40, 0xa1, 0xa7, 0x4e, 0x27, 0xf9, 0x14, 0xdd, 0x60, 0x68, 0x86, 0x4f, 0x41, 0x80, 0xc2, 0xb0, 0xdc, 0xcf, 0x27, 0x43, 0xf9, 0x22, 0x10, 0xb, 0x41, 0xff, 0x96, 0xd8, 0xa5, 0x23, 0x6b, 0xba, 0x10, 0x99, 0x4e, 0x36, 0xe4, 0x7f, 0x35, 0x9e, 0xe1, 0x1f, 0x77, 0xc6, 0x33, 0x9a, 0xc3, 0xa8, 0x1d, 0x6e, 0xd0, 0x9f, 0xfd, 0x29, 0x8b, 0x48, 0xb4, 0x15, 0xbf, 0x22, 0x1f, 0x1a, 0x54, 0x92, 0x43, 0x1f, 0xe8, 0x63, 0x81, 0xab, 0x70, 0x8a, 0xa, 0x92, 0x8e, 0x65, 0xe5, 0x7, 0x49, 0xb2, 0xd1, 0x3f, 0x9b, 0x83, 0xec, 0xb6, 0x9c, 0xf7, 0xc4, 0xf2, 0x84, 0x3f, 0x4a, 0xb4, 0xe3, 0x5d, 0xd5, 0x17, 0x90, 0xc6, 0xc6, 0x17, 0x44, 0xf3, 0xb2, 0xac, 0x90, 0x23, 0x23, 0x10, 0x68, 0x81, 0x8, 0x32, 0xf7, 0x3b, 0x73, 0x6c, 0x1f, 0xa6, 0xe8, 0xf2, 0x52, 0x76, 0x2d, 0x9c, 0xb6, 0xaa, 0x74, 0xa7, 0xbc, 0xc5, 0x95, 0xed, 0xe3, 0x7, 0x53, 0xfb, 0x10, 0xf1, 0x81, 0x49, 0xc2, 0x73, 0x5c, 0xa0, 0xc9, 0x58, 0x94, 0xa3, 0x1c, 0xe3, 0xaa, 0x1b, 0x8b, 0x2d, 0x5d, 0xc5, 0xbb, 0xb2, 0x1d, 0xce, 0x56, 0xca, 0xf6, 0xf4, 0xb7, 0x8b, 0xd5, 0x41, 0x14, 0x76, 0x87, 0x8f, 0x80, 0xb6, 0x50, 0x76, 0xed, 0x49, 0xc3, 0xf4, 0xba, 0x16, 0x5e, 0x90, 0xac, 0xac, 0x61, 0xf6, 0x40, 0x51, 0x41, 0xed, 0xaf, 0x70, 0x22, 0xcb, 0xf0, 0x84, 0x87, 0x3b, 0xba, 0x2c, 0x40, 0x8a, 0xac, 0x80, 0xc2, 0x3b, 0x1a, 0x92, 0x37, 0x9, 0x46, 0x71, 0x3f, 0xd5, 0x30, 0x17, 0x34, 0x78, 0x6c, 0xd8, 0x1e, 0x7f, 0x48, 0xe2, 0x25, 0xb5, 0xb8, 0xbe, 0xf5, 0x8e, 0x38, 0xbf, 0x4f, 0xb7, 0xfd, 0x89, 0xc4, 0xbb, 0x82, 0xb3, 0xa0, 0x91, 0xe, 0x2a, 0xa9, 0x38, 0xcf, 0x3c, 0x43, 0x22, 0x3f, 0xba, 0x77, 0x7a, 0xa9, 0x5, 0x9f, 0xa2, 0xd6, 0x62, 0x83, 0xde, 0xfc, 0x9a, 0x18, 0x61, 0xea, 0x30, 0x6a, 0x7f, 0x4f, 0x11, 0xef, 0x59, 0x5, 0x55, 0x3b, 0x69, 0xdc, 0x8, 0x4c, 0x22, 0xb5, 0x43, 0x21, 0x26, 0x91, 0xc, 0xb5, 0x81, 0xb4, 0x9, 0xbb, 0x2b, 0x4f, 0xc8, 0xa8, 0xac, 0x9, 0xd7, 0x6e, 0xc1, 0xa8, 0xc, 0x85, 0xb2, 0x9d, 0xd, 0x21, 0xa6, 0xd6, 0x54, 0xcb, 0x9, 0x7a, 0xf6, 0x8d, 0x6d, 0xa4, 0x19, 0x9, 0x50, 0xe0, 0xf6, 0xee, 0x91, 0x57, 0x28, 0x13, 0xf, 0x81, 0x13, 0xf6, 0x90, 0x8b, 0x2, 0xd5, 0xf8, 0x47, 0xde, 0xce, 0x9a, 0xb8, 0x6, 0xd8, 0xce, 0xa8, 0x2f, 0x1a, 0x7, 0x78, 0x14, 0x7f, 0x69, 0x34, 0x61, 0x2e, 0x22, 0xbf, 0xdb, 0xfc, 0xab, 0x5d, 0xfd, 0x16, 0xdc, 0xb8, 0x53, 0x1b, 0x12, 0xbf, 0x2e, 0x91, 0x44, 0x7c, 0xc2, 0x96, 0x24, 0x74, 0x36, 0x94, 0xac, 0xb0, 0x26, 0xfc, 0x1f, 0x6c, 0x17, 0xa3, 0x8e, 0x2c, 0xbf, 0xde, 0x13, 0xac, 0x24, 0xe2, 0xb6, 0x32, 0xa8, 0x72, 0xf3, 0x35, 0xc2, 0x4c, 0x52, 0x2f, 0x96, 0x67, 0x35, 0x7d, 0x36, 0x98, 0x7e, 0xfb, 0xbf, 0x88, 0x81, 0x1f, 0xd6, 0x9e, 0x37, 0xa1, 0x30, 0xf1, 0xfa, 0x48, 0xa3, 0xbb, 0x73, 0x34, 0xd7, 0x4e, 0x90, 0xe1, 0x75, 0x1f, 0x6c, 0xfc, 0x79, 0x4a, 0x3b, 0x42, 0x66, 0x95, 0x18, 0x93, 0x44, 0xef, 0x54, 0x3d, 0xc8, 0xb, 0xf2, 0xa1, 0xec, 0x11, 0x91, 0x5d, 0x42, 0x6d, 0x83, 0xcf, 0x8d, 0x9a, 0x0, 0x18, 0xc3, 0xb5, 0xe5, 0x34, 0xd5, 0x85, 0xda, 0xbd, 0xa5, 0x71, 0x27, 0xea, 0xe, 0x98, 0xff, 0x1f, 0x8c, 0xe7, 0x53, 0xe7, 0x85, 0x3, 0x90, 0x84, 0xcf, 0xf1, 0xad, 0x62, 0x7b, 0x38, 0xc9, 0xf6, 0x14, 0x3b, 0x7d, 0xd2, 0x2b, 0x8f, 0xcb, 0xb0, 0x74, 0xe, 0x17, 0x93, 0xa9, 0x7f, 0x82, 0x86, 0xb4, 0x50, 0x2d, 0xab, 0x2b, 0xf3, 0xf6, 0x9a, 0x8c, 0xbe, 0xcd, 0xb8, 0x3a, 0xb9, 0xc3, 0xb0, 0x6, 0xe9, 0x55, 0xa5, 0xa6, 0x16, 0x14, 0x69, 0xa0, 0xce, 0x84, 0x1c, 0x88, 0xef, 0x43, 0x79, 0xc, 0x86, 0x8f, 0x5d, 0x8a, 0x3, 0x38, 0x8a, 0x1f, 0x31, 0x41, 0x67, 0x20, 0x61, 0xfc, 0xc0, 0x2e, 0x8c, 0xe7, 0x81, 0x35, 0xd7, 0x5a, 0x81, 0x2e, 0x4d, 0x49, 0x97, 0x40, 0x60, 0x59, 0x0, 0x9e, 0xcc, 0xb4, 0xba, 0x2c, 0x61, 0xf3, 0xec, 0x8a, 0x55, 0xff, 0x9e, 0xc3, 0x36, 0x9e, 0x7a, 0xef, 0xbe, 0x35, 0xee, 0x6, 0xba, 0x36, 0xcc, 0xc0, 0x4e, 0x32, 0xc, 0xcc, 0xd2, 0x3d, 0x15, 0x31, 0xce, 0xfa, 0x1f, 0xe9, 0x33, 0xf3, 0xbe, 0xf3, 0x64, 0xb3, 0xb0, 0x32, 0xe8, 0x28, 0x73, 0xff, 0x8a, 0xef, 0x1b, 0x84, 0x5, 0x2d, 0x4, 0xad, 0x9b, 0x1e, 0xe2, 0x21, 0x6a, 0x35, 0xdf, 0xe3, 0xf0, 0x42, 0x7e, 0x62, 0xdd, 0x4a, 0xcb, 0xb, 0x27, 0xa3, 0x11, 0xe7, 0x22, 0xd3, 0x58, 0x81, 0x9a, 0xb0, 0x4, 0x6e, 0x92, 0x66, 0xcd, 0x8e, 0x3f, 0x32, 0xba, 0xc1, 0x10, 0x81, 0x8f, 0xe3, 0x1, 0x0, 0x7, 0x7f, 0x6a, 0xfc, 0x12, 0xac, 0xbc, 0x8d, 0x27, 0x8, 0xec, 0xc, 0x58, 0x1d, 0x5e, 0xd6, 0x2d, 0xca, 0x76, 0xbe, 0x41, 0x41, 0xcd, 0xd2, 0x3a, 0xf3, 0x92, 0xe8, 0x5c, 0xcf, 0x95, 0x78, 0xd2, 0x39, 0x71, 0x36, 0xd, 0x23, 0x6d, 0x95, 0xc1, 0xc4, 0x12, 0xd0, 0x3e, 0xbd, 0x1a, 0xa9, 0x26, 0xd4, 0x95, 0x62, 0x9d, 0x77, 0xff, 0x28, 0x7b, 0xad, 0xa3, 0x3f, 0xc7, 0x6a, 0x4f, 0xc, 0x4, 0x26, 0x8e, 0x8b, 0x54, 0xd0, 0x44, 0xec, 0xe1, 0x50, 0x0, 0x8b, 0x6d, 0xa6, 0x32, 0x9b, 0xe2, 0x6c, 0x47, 0xf0, 0x66, 0x33, 0x94, 0x1f, 0xb4, 0xc7, 0x2, 0xa6, 0x53, 0xd9, 0x54, 0x75, 0x9, 0x28, 0x4f, 0x52, 0xa6, 0xac, 0x35, 0xbe, 0xea, 0xdb, 0x4e, 0xfd, 0x29, 0x12, 0x88, 0xb6, 0x29, 0x36, 0x67, 0xde, 0x46, 0x14, 0xe2, 0x45, 0x21, 0x2d, 0x3c, 0x70, 0x1e, 0xaa, 0xf7, 0x57, 0xc7, 0x68, 0xc8, 0x98, 0x7f, 0x9b, 0xe9, 0xa0, 0x76, 0x16, 0x64, 0x8b, 0x6d, 0xf6, 0x42, 0x4e, 0x96, 0x78, 0x7, 0x91, 0xdc, 0x84, 0x28, 0x60, 0x5b, 0x88, 0xc9, 0xc2, 0xcf, 0x90, 0xd6, 0xa0, 0x87, 0x51, 0x9a, 0x3b, 0x33, 0xda, 0xb4, 0xfe, 0xee, 0x87, 0x3c, 0x15, 0x98, 0x95, 0x78, 0x5f, 0x90, 0x96, 0xf0, 0x15, 0xe7, 0xdc, 0x82, 0xb7, 0xc9, 0xf, 0xfc, 0x2d, 0x12, 0x9b, 0x8b, 0x50, 0xc6, 0x9f, 0xd8, 0x65, 0x4b, 0xab, 0x15, 0x90, 0xf, 0xbb, 0xd5, 0xd6, 0xb7, 0xda, 0x79, 0x5e, 0xa2, 0x5a, 0x77, 0x6c, 0xf0, 0x21, 0xf0, 0x64, 0xa1, 0xec, 0xc7, 0x37, 0xcc, 0xd8, 0x9, 0xdf, 0x6, 0xa5, 0x2f, 0xef, 0x67, 0x13, 0x76, 0x9a, 0xc6, 0xee, 0x81, 0x5b, 0x76, 0xa4, 0x4c, 0xed, 0x7c, 0x86, 0xb0, 0x67, 0x19, 0x71, 0x83, 0x3b, 0x20, 0x45, 0x36, 0x9d, 0x8, 0xd, 0x5e, 0x8d, 0xe3, 0xf0, 0x30, 0xd9, 0x1e, 0xcc, 0xdc, 0x52, 0xaf, 0xbb, 0x20, 0xbf, 0xc7, 0xce, 0xbb, 0xef, 0x10, 0xad, 0x63, 0x2, 0xab, 0xfc, 0xcf, 0x99, 0x8a, 0x8f, 0xd1, 0xfc, 0x6d, 0x9e, 0x19, 0xd8, 0x17, 0x6, 0xf1, 0xe9, 0x3f, 0x77, 0xe2, 0x64, 0x48, 0x48, 0x70, 0x8, 0xe1, 0xe8, 0x79, 0x0, 0x2b, 0x34, 0x2f, 0x5c, 0x4d, 0xce, 0x9c, 0xbb, 0xae, 0x7a, 0x2d, 0xb5, 0x7a, 0x90, 0x80, 0xbf, 0xd0, 0xbc, 0x61, 0x21, 0xcd, 0xd3, 0xf3, 0x97, 0x4d, 0x74, 0x62, 0x9, 0x34, 0x8, 0x5b, 0xb2, 0xda, 0x1d, 0x3a, 0x6c, 0xa5, 0x8e, 0xb1, 0xc5, 0x17, 0x23, 0xc9, 0x6, 0xeb, 0xc7, 0x4e, 0xfe, 0xfe, 0x4a, 0x1c, 0xad, 0x90, 0xb8, 0x87, 0xb7, 0x1a, 0x80, 0xde, 0xe, 0x92, 0x9a, 0xcd, 0xdc, 0xe8, 0x7e, 0x49, 0x76, 0x9c, 0x61, 0x5c, 0x8b, 0xe, 0x37, 0x17, 0xc7, 0xc6, 0xa, 0x2b, 0x5d, 0xe1, 0x68, 0xcf, 0x4f, 0xb6, 0x4c, 0x20, 0x98, 0x92, 0x67, 0xbc, 0x62, 0x11, 0xc2, 0xde, 0xb, 0x11, 0x10, 0x3b, 0xa6, 0xef, 0xcc, 0x73, 0x69, 0xc5, 0x1a, 0xde, 0xe0, 0x97, 0xfa, 0xe3, 0xf9, 0x8b, 0xc, 0xe, 0x3d, 0x3e, 0x69, 0xfb, 0x5e, 0xb4, 0xfc, 0xd4, 0xd2, 0xe9, 0x48, 0x72, 0x3, 0x9e, 0x4f, 0xc3, 0x1e, 0xc9, 0x2d, 0x80, 0x80, 0x3, 0x6, 0x81, 0x33, 0x35, 0x2d, 0x77, 0xd8, 0xf3, 0xb4, 0xc, 0x53, 0x6c, 0xd6, 0x6, 0x3f, 0x29, 0xc1, 0x75, 0xc4, 0xd, 0xed, 0xe5, 0x7b, 0x10, 0x2b, 0xe8, 0x31, 0x19, 0x3c, 0x9e, 0xcb, 0x4c, 0x6b, 0xff, 0xc9, 0x57, 0x28, 0x3d, 0xc6, 0x5e, 0xb4, 0xa1, 0x92, 0xc6, 0x18, 0x21, 0xb9, 0xca, 0xbb, 0x85, 0x72, 0x14, 0x44, 0xec, 0xa, 0xef, 0xa3, 0x29, 0x1e, 0xe7, 0x9a, 0x18, 0xfc, 0x2e, 0x30, 0x93, 0x4c, 0xf0, 0x6, 0xe9, 0xcb, 0xe, 0xe1, 0xaa, 0xce, 0x14, 0x79, 0x10, 0xd0, 0xf8, 0x19, 0x8e, 0xb6, 0x34, 0x3f, 0xa2, 0xb7, 0x9d, 0x11, 0xd2, 0xef, 0xc2, 0x75, 0xd8, 0xe9, 0xc8, 0xc9, 0xad, 0xfc, 0x6e, 0x8c, 0x19, 0x3, 0x13, 0x71, 0xa1, 0x4d, 0xf6, 0x1b, 0x59, 0x65, 0x38, 0x30, 0x44, 0x3d, 0xf8, 0xbb, 0xf0, 0x3c, 0x59, 0x47, 0x72, 0x2b, 0xb7, 0x5b, 0x48, 0xae, 0x3a, 0xc6, 0xd4, 0xb2, 0xe1, 0x53, 0x53, 0x94, 0x2c, 0x6f, 0x7d, 0xde, 0x7, 0x9d, 0x15, 0x82, 0x9, 0xb1, 0xc5, 0x4e, 0xf3, 0xae, 0x9c, 0x38, 0x14, 0xef, 0x65, 0xdb, 0x53, 0xbb, 0x8e, 0x4a, 0x43, 0xde, 0x99, 0xdd, 0x7e, 0xcb, 0xc2, 0x2d, 0x5f, 0x40, 0xf2, 0x83, 0xed, 0xa3, 0x6f, 0x81, 0xa3, 0x8, 0x42, 0xc1, 0xb9, 0x9b, 0x42, 0x73, 0x27, 0x6e, 0x1e, 0xb0, 0x90, 0xd5, 0x18, 0xb6, 0xdc, 0xb2, 0x80, 0xe1, 0xcd, 0x2c, 0x7e, 0x4, 0xa9, 0xa4, 0xae, 0x4, 0xb5, 0x99, 0xb2, 0xd1, 0xa4, 0x3, 0xa4, 0x9f, 0x1e, 0x9e, 0x2c, 0x41, 0x52, 0x75, 0x40, 0x79, 0x36, 0x8a, 0xd2, 0x88, 0xe3, 0xb8, 0x32, 0xf3, 0x36, 0x1, 0xc5, 0x49, 0x19, 0xde, 0x68, 0xe6, 0xcc, 0x6f, 0x1b, 0x3a, 0x97, 0x2b, 0x12, 0x75, 0xbc, 0x51, 0x88, 0x17, 0x4c, 0xfa, 0x85, 0xfb, 0x52, 0x37, 0xe1, 0xb1, 0xe9, 0x8c, 0x3c, 0x38, 0xce, 0x57, 0x12, 0xd6, 0xae, 0x4d, 0xf7, 0xd2, 0x70, 0xa6, 0x3d, 0xd4, 0xbb, 0x6b, 0x84, 0xbf, 0x3f, 0xa2, 0x5a, 0xa3, 0x83, 0xfc, 0x21, 0x44, 0x5d, 0x23, 0x74, 0x5e, 0x3b, 0x47, 0x63, 0xc3, 0xe0, 0x8e, 0xdf, 0xf6, 0x58, 0xa1, 0x4a, 0x3c, 0x2a, 0xf5, 0xd7, 0x34, 0x2e, 0xd2, 0xc6, 0x9b, 0xab, 0x5a, 0xd0, 0x50, 0xf4, 0x85, 0x47, 0xa6, 0x35, 0xe7, 0x56, 0x8c, 0x7, 0xcd, 0x29, 0x5f, 0x7b, 0x63, 0x56, 0xbc, 0x67, 0x50, 0xe3, 0x3e, 0x80, 0xbb, 0xb2, 0x53, 0x70, 0x92, 0x91, 0xdc, 0xf, 0x5a, 0x23, 0x50, 0x65, 0xaa, 0xc4, 0xf2, 0xd8, 0xb6, 0x1a, 0x19, 0x3b, 0x2, 0x96, 0x83, 0x31, 0x58, 0x47, 0xc3, 0xba, 0x5, 0xf8, 0xf0, 0xa5, 0xb, 0x40, 0x80, 0xf, 0xf8, 0xc0, 0x5e, 0x5b, 0x6, 0x81, 0x88, 0x83, 0x5e, 0x1b, 0xcc, 0x22, 0xe5, 0x70, 0xc3, 0xfb, 0x8b, 0xb, 0x86, 0xd1, 0x4a, 0x2d, 0xde, 0xdf, 0x56, 0xb2, 0x67, 0xf0, 0x4d, 0x36, 0xad, 0x97, 0x89, 0x13, 0xe0, 0x2e, 0x50, 0x12, 0x8f, 0xa, 0x92, 0x83, 0x77, 0xdc, 0xa0, 0x3f, 0x50, 0x6a, 0x86, 0xbc, 0xc0, 0xad, 0x14, 0x0, 0xe8, 0xa6, 0x4b, 0x6, 0xd3, 0x44, 0xb7, 0x89, 0x3f, 0xa5, 0xdb, 0xa5, 0xcb, 0xcd, 0x1d, 0x51, 0x3, 0xa2, 0xb1, 0xa7, 0x95, 0x6d, 0xd4, 0x7d, 0x19, 0xfb, 0x41, 0x63, 0x3c, 0xd6, 0x7a, 0x4e, 0x9c, 0xce, 0x2e, 0x4c, 0x48, 0x29, 0xca, 0x6e, 0x42, 0x8a, 0x4f, 0x7f, 0xde, 0x89, 0xe4, 0x11, 0x92, 0xf4, 0xf1, 0x8e, 0xc7, 0x6e, 0x7f, 0x99, 0x14, 0x86, 0x45, 0x57, 0x6, 0x10, 0x9, 0x2c, 0x2b, 0xe8, 0xed, 0x3e, 0x1c, 0x6e, 0x6a, 0x28, 0x17, 0x18, 0xe0, 0x60, 0xf, 0x47, 0x2e, 0xf9, 0x25, 0x36, 0xa, 0x89, 0x31, 0x46, 0x56, 0x5c, 0x80, 0x5b, 0xea, 0xfe, 0x57, 0x0, 0xf6, 0x3e, 0x70, 0x30, 0x30, 0x3c, 0xaf, 0x7c, 0x74, 0x9f, 0x38, 0x39, 0x37, 0xdd, 0x54, 0xeb, 0xda, 0xe5, 0xe0, 0x55, 0xf1, 0xc9, 0xc9, 0xc3, 0xa4, 0x24, 0xfe, 0x62, 0x39, 0x39, 0xb5, 0x76, 0xf1, 0x4b, 0x7e, 0x29, 0xbf, 0x20, 0xaf, 0xe2, 0x3d, 0x18, 0x37, 0x3b, 0x8c, 0x5a, 0xf9, 0xb5, 0xd7, 0x1b, 0x4a, 0x3d, 0x1d, 0x19, 0x46, 0x99, 0x96, 0x3b, 0xa8, 0x57, 0xf2, 0x87, 0x7b, 0xdd, 0xc8, 0x1f, 0x28, 0x88, 0x75, 0x10, 0x54, 0x13, 0x2c, 0x8e, 0xb1, 0xe8, 0xaf, 0x2b, 0x9b, 0xf7, 0xde, 0x72, 0x63, 0xca, 0x72, 0x89, 0xd, 0x48, 0xbb, 0xf4, 0xda, 0x3f, 0x7a, 0x16, 0x56, 0xb7, 0xd4, 0x2d, 0x3f, 0xf4, 0xc, 0x31, 0x84, 0x2d, 0xe3, 0xac, 0x1e, 0xaa, 0x0, 0x27, 0xe4, 0xaf, 0xef, 0xbc, 0xe3, 0x3d, 0xe7, 0x85, 0xd7, 0x1e, 0x69, 0xe5, 0x5f, 0x67, 0x4, 0xa6, 0x2e, 0xb6, 0x5a, 0xdb, 0xa5, 0x4a, 0x51, 0xc6, 0xdf, 0x41, 0x3d, 0xe2, 0x2, 0x65, 0x36, 0x3c, 0xe0, 0x8e, 0x4, 0xe8, 0x35, 0xf8, 0xa0, 0xda, 0x1a, 0x8f, 0x11, 0x8b, 0x3f, 0x5a, 0x1a, 0xce, 0x84, 0x45, 0x3b, 0xec, 0x28, 0xb8, 0x46, 0x66, 0x2c, 0x6e, 0xcc, 0xca, 0xe8, 0xf, 0xe4, 0xd0, 0xdb, 0x85, 0xd1, 0x43, 0x13, 0x8c, 0x35, 0xaa, 0xca, 0x44, 0xf8, 0xd7, 0xe5, 0x2a, 0x18, 0x24, 0x99, 0xe4, 0xb7, 0x1d, 0x1a, 0x9a, 0x5d, 0x87, 0x9c, 0x2d, 0xd4, 0x4c, 0xd6, 0xc8, 0xee, 0x2e, 0x4, 0x5f, 0x51, 0x7b, 0xb3, 0xbe, 0x5f, 0x16, 0x7b, 0x9, 0xd4, 0x4d, 0x4d, 0xf3, 0xef, 0x6, 0xe2, 0xd9, 0x2e, 0x32, 0xfc, 0x7e, 0xe1, 0xb7, 0x59, 0x2, 0x41, 0xee, 0x7d, 0x0, 0xca, 0x36, 0x82, 0xc0, 0x81, 0xa4, 0x55, 0x75, 0xc9, 0x3f, 0xc2, 0x12, 0x53, 0x88, 0x8c, 0x7b, 0x29, 0xd6, 0x5, 0x6, 0x58, 0x71, 0x15, 0x39, 0xdd, 0x8e, 0xf7, 0x8e, 0x86, 0x78, 0xa0, 0x52, 0x5e, 0xc4, 0x3, 0xe0, 0x31, 0x6b, 0x95, 0xa6, 0x33, 0x7b, 0xff, 0xd5, 0x75, 0x2, 0x47, 0x3f, 0x67, 0x7e, 0xc, 0x3a, 0xdc, 0xd5, 0xc8, 0x98, 0x25, 0x2f, 0x7e, 0xb4, 0x27, 0x92, 0x41, 0x75, 0xa9, 0x14, 0x4c, 0x34, 0xb6, 0x37, 0x8b, 0x8c, 0x88, 0x11, 0x8b, 0xd6, 0x7e, 0x66, 0xd0, 0xdc, 0x25, 0x3e, 0x80, 0x3e, 0x8c, 0xe, 0x5e, 0x4a, 0xa2, 0x87, 0xb9, 0xdc, 0xd0, 0xe5, 0x34, 0x23, 0x3, 0x92, 0xae, 0x3b, 0xac, 0x40, 0x9f, 0x3a, 0xf6, 0xe0, 0x34, 0x95, 0xde, 0x63, 0x54, 0xf9, 0x28, 0x63, 0x6b, 0x92, 0xbf, 0x28, 0xa1, 0xb7, 0xf1, 0x64, 0xda, 0x7c, 0xcd, 0x1c, 0x49, 0x35, 0xde, 0x7b, 0xc4, 0x27, 0xec, 0xf1, 0x7e, 0x37, 0x27, 0x6a, 0xa3, 0xf, 0x24, 0x57, 0xa8, 0xc1, 0x1b, 0x62, 0x63, 0x66, 0x13, 0xdc, 0x35, 0x97, 0x68, 0xfb, 0xd4, 0x53, 0x64, 0x3a, 0x7a, 0x9d, 0x31, 0x29, 0xc9, 0x39, 0xa4, 0xf1, 0x80, 0xa0, 0xb, 0xcb, 0xf8, 0x4b, 0x27, 0x18, 0xfc, 0xeb, 0xc5, 0x78, 0x80, 0x66, 0x37, 0xb5, 0xb0, 0xef, 0xd0, 0x1, 0x1e, 0x24, 0x49, 0xd, 0xfb, 0x9c, 0xb0, 0x2a, 0x37, 0x7d, 0xc6, 0xd7, 0x50, 0x68, 0xc9, 0xea, 0x3a, 0xaf, 0x70, 0xe3, 0xb4, 0x66, 0x32, 0xb6, 0xc4, 0xe9, 0xfe, 0xf7, 0xe4, 0x64, 0x56, 0xac, 0xe3, 0xc2, 0xd4, 0xac, 0xb4, 0xbf, 0x8c, 0xb3, 0xce, 0xd2, 0xb, 0x91, 0xf8, 0x6e, 0x72, 0xc0, 0xc9, 0xc, 0xe5, 0x3a, 0x1c, 0xbf, 0x40, 0x7b, 0xd9, 0x69, 0x95, 0x30, 0x15, 0x1b, 0x5a, 0x5a, 0xfd, 0x7f, 0x4b, 0x88, 0x70, 0xcd, 0x14, 0x83, 0xef, 0x6a, 0x89, 0x90, 0x38, 0x93, 0x8c, 0x61, 0xa5, 0x5c, 0x51, 0xe1, 0x58, 0xd1, 0x42, 0xd9, 0x77, 0x2b, 0x43, 0x65, 0xe6, 0xa8, 0x67, 0xf7, 0xb6, 0xbf, 0x81, 0x21, 0xb3, 0x10, 0x41, 0x60, 0x3a, 0xe8, 0x94, 0x37, 0x75, 0xcc, 0xdb, 0xc0, 0xe8, 0x7c, 0xeb, 0xaf, 0x9, 0xa3, 0x73, 0x86, 0x59, 0x13, 0x26, 0xe0, 0x31, 0x0, 0xdb, 0x46, 0x7d, 0x57, 0xe5, 0x98, 0x5d, 0x28, 0x5b, 0x98, 0x9d, 0x8c, 0xfb, 0x21, 0xfc, 0xb, 0x3e, 0x84, 0xb0, 0x16, 0x1, 0x4, 0xc9, 0x31, 0x45, 0xb0, 0x69, 0xa8, 0xb3, 0xb1, 0x53, 0x30, 0xd8, 0xd7, 0x85, 0xf0, 0x49, 0x16, 0xdd, 0xe8, 0x27, 0x74, 0xcb, 0x87, 0xcc, 0x3b, 0xbb, 0x83, 0xce, 0x3d, 0xc9, 0x0, 0x11, 0x26, 0x77, 0x2a, 0x2a, 0x92, 0xa1, 0x61, 0xda, 0x79, 0x7e, 0xe8, 0x9c, 0x14, 0xf3, 0x2, 0x2b, 0x7a, 0x58, 0x83, 0xec, 0x92, 0xde, 0x84, 0x13, 0x7e, 0x14, 0x30, 0x7f, 0x7, 0xaf, 0xd3, 0x83, 0x4c, 0x48, 0x3a, 0xb5, 0x58, 0x6, 0x44, 0xf8, 0x78, 0xea, 0x53, 0xec, 0x7a, 0x2, 0xc2, 0x76, 0x20, 0x91, 0x7d, 0x17, 0xc8, 0x93, 0xe3, 0x14, 0x47, 0xf3, 0x84, 0x6c, 0x37, 0xc2, 0x15, 0x5d, 0xef, 0x37, 0x83, 0xa7, 0x1a, 0x3d, 0x59, 0xb6, 0x15, 0x83, 0x90, 0x2a, 0x85, 0xef, 0x84, 0xc4, 0x75, 0x3a, 0xd4, 0x6b, 0x8, 0x16, 0x8a, 0xc5, 0xa0, 0xb, 0x48, 0x6d, 0x9a, 0x52, 0x7a, 0x8d, 0x68, 0x29, 0x3, 0x92, 0xf1, 0xc2, 0xd, 0x25, 0x7f, 0x9c, 0xf9, 0x2d, 0x2e, 0x68, 0xfb, 0x42, 0x30, 0x12, 0xbc, 0x21, 0x81, 0xad, 0xe7, 0x87, 0x75, 0x2b, 0x65, 0x2a, 0x18, 0xe0, 0x33, 0x2, 0xfc, 0x30, 0x8a, 0x12, 0xe1, 0xe3, 0x87, 0xcf, 0x2e, 0xb8, 0x8f, 0x9, 0xfb, 0x93, 0x61, 0x28, 0x68, 0x71, 0xa7, 0xe6, 0xe9, 0x85, 0xae, 0x21, 0x3e, 0x4, 0xea, 0x34, 0xc8, 0x66, 0xd6, 0x49, 0x5b, 0xab, 0x87, 0x42, 0x41, 0x47, 0x18, 0x3e, 0xe4, 0x3b, 0x47, 0x2a, 0x9a, 0x21, 0x59, 0xb8, 0xf, 0xf4, 0x3c, 0xdf, 0x58, 0xcc, 0xe9, 0x59, 0x65, 0xe, 0xb4, 0x15, 0x66, 0xc, 0x8e, 0xfe, 0x1d, 0xfe, 0x70, 0x9d, 0x45, 0x56, 0xfd, 0xc8, 0xab, 0x14, 0x86, 0x3, 0xde, 0x5, 0x8e, 0xfa, 0xe0, 0x7b, 0x7c, 0x5c, 0x3, 0xe9, 0x68, 0xef, 0x63, 0x8e, 0x91, 0x1e, 0xb3, 0x53, 0xb4, 0x1, 0x64, 0x11, 0xd8, 0xb4, 0x36, 0x44, 0xd4, 0x7a, 0xba, 0xc, 0x66, 0xfd, 0x7a, 0x10, 0xa0, 0xf9, 0x51, 0x91, 0xc4, 0xe4, 0xe, 0x1f, 0xd0, 0xa8, 0xac, 0xaf, 0x1c, 0x76, 0xe9, 0x9e, 0x1d, 0x5c, 0xfe, 0x75, 0x8f, 0x58, 0xc0, 0xf0, 0x6b, 0xa1, 0x97, 0x34, 0x4c, 0x80, 0x4, 0x3, 0xbd, 0xbe, 0xe2, 0x3e, 0xb9, 0x90, 0xc9, 0xc2, 0x60, 0x9a, 0xfb, 0xa8, 0x14, 0x11, 0x25, 0x39, 0xfe, 0x32, 0x4d, 0xd1, 0x66, 0x33, 0xc7, 0xca, 0xbc, 0x25, 0xbf, 0x36, 0x5c, 0x49, 0xa7, 0xdb, 0x66, 0x2c, 0x56, 0xc9, 0x8b, 0x34, 0xad, 0x46, 0x1b, 0x30, 0x4d, 0x32, 0x7e, 0x40, 0x70, 0xd6, 0xc, 0x62, 0x46, 0x9f, 0x1, 0x3a, 0x73, 0xe3, 0xf1, 0xd4, 0xa8, 0xe, 0xe0, 0x24, 0xc3, 0xb0, 0x32, 0xd5, 0x96, 0xd3, 0xcd, 0x17, 0xc3, 0x3, 0xe, 0x1a, 0x21, 0x5b, 0x37, 0x7b, 0xfe, 0x5f, 0x20, 0x7d, 0xd, 0x9, 0xda, 0xd2, 0x47, 0x17, 0xfb, 0x3e, 0x7f, 0x3b, 0x19, 0xc5, 0x4f, 0xb5, 0x5f, 0x52, 0xcb, 0xa2, 0x1e, 0x97, 0x6a, 0xf6, 0x32, 0x9, 0x22, 0x6e, 0x40, 0xd4, 0x86, 0xb4, 0xdf, 0x60, 0xc1, 0xdd, 0x65, 0x34, 0xe1, 0x3f, 0x46, 0xec, 0xcf, 0x7f, 0x51, 0xc1, 0xe4, 0x76, 0x4e, 0x7e, 0xda, 0x83, 0xb5, 0x2, 0xd3, 0xd8, 0xa1, 0x48, 0xfa, 0xd6, 0x88, 0xcd, 0x72, 0x58, 0x26, 0x4f, 0x30, 0xc6, 0xa1, 0x90, 0x8b, 0x27, 0x3c, 0x1d, 0x6c, 0x80, 0x1c, 0xbc, 0xf0, 0xca, 0x25, 0xe7, 0x53, 0x35, 0x5c, 0x8d, 0x9d, 0xbb, 0x3, 0xe6, 0x59, 0xff, 0xdd, 0x85, 0xb, 0x7a, 0x32, 0xf, 0x55, 0xa4, 0x17, 0xc2, 0xec, 0x93, 0xa, 0x72, 0xc5, 0xde, 0x13, 0x22, 0xd6, 0x69, 0x41, 0xb7, 0x88, 0xb, 0x55, 0x59, 0x36, 0x5b, 0x45, 0xf2, 0x12, 0x72, 0x87, 0xe7, 0xca, 0xb5, 0x11, 0x41, 0x76, 0x20, 0x24, 0x31, 0xfd, 0x1d, 0x58, 0x7f, 0xcb, 0x13, 0xfb, 0xae, 0x75, 0x11, 0xda, 0x77, 0xca, 0x2d, 0x75, 0xe7, 0xaa, 0xff, 0x6b, 0x46, 0x75, 0xeb, 0x32, 0xff, 0x6c, 0xdb, 0x3b, 0x6f, 0xd7, 0x74, 0x9a, 0xda, 0xfc, 0x61, 0x7a, 0xf3, 0x40, 0x74, 0x8b, 0x2, 0x25, 0xb5, 0x92, 0xac, 0xb3, 0x1b, 0x29, 0x5f, 0x97, 0xa1, 0xf7, 0xf8, 0xfb, 0x20, 0x7f, 0x9, 0x83, 0xdf, 0xe1, 0x92, 0x26, 0x98, 0x0, 0x8, 0x4b, 0x55, 0x6c, 0x8f, 0x73, 0x28, 0x2f, 0x2f, 0xce, 0xa2, 0x17, 0x37, 0x70, 0xdc, 0x94, 0x41, 0x81, 0x40, 0x3c, 0xb9, 0x13, 0x79, 0x36, 0x96, 0xe8, 0x1f, 0x93, 0x45, 0x92, 0x4, 0xa6, 0x34, 0x88, 0xf7, 0x3f, 0x44, 0x98, 0x7b, 0xa1, 0xa5, 0x14, 0x51, 0x1, 0xab, 0xc6, 0x11, 0x4c, 0x5f, 0xba, 0xff, 0x83, 0xb3, 0xde, 0x60, 0xe6, 0x82, 0xa9, 0x1, 0xc6, 0x54, 0xaa, 0x4c, 0x26, 0xcd, 0x91, 0x34, 0x11, 0x5e, 0xd3, 0x1d, 0x5, 0x6b, 0xbd, 0x7c, 0x5f, 0x31, 0x3c, 0x97, 0x24, 0x47, 0x49, 0x52, 0x75, 0x7, 0xb0, 0xca, 0x5a, 0xe1, 0x65, 0x65, 0x1f, 0x9b, 0x65, 0x4, 0x26, 0xb0, 0x8f, 0x8c, 0x29, 0xf5, 0x30, 0xbf, 0x37, 0xde, 0xa0, 0xa8, 0x1b, 0x64, 0x21, 0xfc, 0x14, 0x51, 0x5e, 0xfa, 0x66, 0xa3, 0xc7, 0xe9, 0xd8, 0x3a, 0xf0, 0x52, 0xa5, 0x9c, 0x84, 0xdb, 0xc0, 0x35, 0x4e, 0x2, 0xe9, 0xdb, 0xe8, 0xc7, 0x89, 0xc7, 0xc3, 0xcf, 0xac, 0xbb, 0xa2, 0xa1, 0x62, 0xf2, 0x26, 0x9c, 0x7d, 0x3e, 0x73, 0xbf, 0x23, 0x48, 0x44, 0xb8, 0xf5, 0xfb, 0x2f, 0x88, 0x3b, 0x48, 0xf8, 0x6b, 0x88, 0x4e, 0x22, 0xb7, 0x40, 0xf6, 0xbe, 0x65, 0x8b, 0x3b, 0x2, 0x53, 0xcd, 0xf8, 0xd5, 0xd4, 0x91, 0xec, 0xbf, 0xaa, 0xbd, 0xa1, 0x9e, 0x7, 0x10, 0x15, 0xe, 0xa4, 0x26, 0x5d, 0x5d, 0xd0, 0xdc, 0xad, 0xd9, 0x1a, 0x4f, 0x8d, 0xe6, 0x13, 0xab, 0x2e, 0x3f, 0xdb, 0x3f, 0x80, 0xf, 0x64, 0xe2, 0x1a, 0xff, 0x1c, 0x17, 0xe1, 0xce, 0xd4, 0x49, 0xb7, 0xe7, 0xe0, 0x9, 0xd9, 0x36, 0x40, 0x5b, 0x27, 0x9f, 0x8e, 0x38, 0x4c, 0x4d, 0x8f, 0x1d, 0xe3, 0x34, 0xce, 0xfc, 0x30, 0x51, 0xd7, 0x69, 0x7f, 0xb3, 0x22, 0x4, 0x46, 0x1, 0xb4, 0xfd, 0xf1, 0xe0, 0x83, 0x78, 0x50, 0x41, 0x89, 0x19, 0x99, 0xce, 0xa8, 0xfe, 0x2e, 0x79, 0x41, 0x75, 0x5b, 0x37, 0x82, 0x5b, 0x51, 0xd4, 0x97, 0x5c, 0xbf, 0x59, 0x4f, 0x7d, 0x27, 0x3a, 0x92, 0x4f, 0x32, 0x4f, 0xac, 0x6, 0x34, 0xf, 0x65, 0x7d, 0x9b, 0xbc, 0xd9, 0x51, 0xbc, 0x39, 0x8a, 0xd1, 0x87, 0xfa, 0xc6, 0x8f, 0x10, 0xcc, 0x5c, 0x30, 0x85, 0x58, 0x82, 0x34, 0xc6, 0xe4, 0x82, 0x9f, 0x3c, 0xed, 0x5c, 0xf8, 0x64, 0x44, 0x3a, 0x14, 0x83, 0xfb, 0x8e, 0x25, 0xca, 0x1d, 0x7a, 0x1b, 0x38, 0x6, 0xe7, 0x2b, 0x41, 0x2a, 0x5a, 0x3c, 0x5a, 0xd1, 0x6c, 0xb5, 0x8f, 0xcd, 0xbf, 0xfd, 0xa8, 0x47, 0x93, 0x22, 0xcd, 0x54, 0x6e, 0xef, 0x2e, 0xdb, 0x31, 0x2f, 0x93, 0xd8, 0xf8, 0x1e, 0xb1, 0xae, 0xc4, 0xaf, 0x11, 0x44, 0x34, 0xed, 0xc1, 0xe7, 0x11} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p384.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p384.go deleted file mode 100644 index 318c08a9797..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p384.go +++ /dev/null @@ -1,540 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by generate.go. DO NOT EDIT. - -package nistec - -import ( - "crypto/internal/fips140/nistec/fiat" - "crypto/internal/fips140/subtle" - "errors" - "sync" -) - -// p384ElementLength is the length of an element of the base or scalar field, -// which have the same bytes length for all NIST P curves. -const p384ElementLength = 48 - -// P384Point is a P384 point. The zero value is NOT valid. -type P384Point struct { - // The point is represented in projective coordinates (X:Y:Z), - // where x = X/Z and y = Y/Z. - x, y, z *fiat.P384Element -} - -// NewP384Point returns a new P384Point representing the point at infinity point. -func NewP384Point() *P384Point { - return &P384Point{ - x: new(fiat.P384Element), - y: new(fiat.P384Element).One(), - z: new(fiat.P384Element), - } -} - -// SetGenerator sets p to the canonical generator and returns p. -func (p *P384Point) SetGenerator() *P384Point { - p.x.SetBytes([]byte{0xaa, 0x87, 0xca, 0x22, 0xbe, 0x8b, 0x5, 0x37, 0x8e, 0xb1, 0xc7, 0x1e, 0xf3, 0x20, 0xad, 0x74, 0x6e, 0x1d, 0x3b, 0x62, 0x8b, 0xa7, 0x9b, 0x98, 0x59, 0xf7, 0x41, 0xe0, 0x82, 0x54, 0x2a, 0x38, 0x55, 0x2, 0xf2, 0x5d, 0xbf, 0x55, 0x29, 0x6c, 0x3a, 0x54, 0x5e, 0x38, 0x72, 0x76, 0xa, 0xb7}) - p.y.SetBytes([]byte{0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf, 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c, 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0xa, 0x60, 0xb1, 0xce, 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0xe, 0x5f}) - p.z.One() - return p -} - -// Set sets p = q and returns p. -func (p *P384Point) Set(q *P384Point) *P384Point { - p.x.Set(q.x) - p.y.Set(q.y) - p.z.Set(q.z) - return p -} - -// SetBytes sets p to the compressed, uncompressed, or infinity value encoded in -// b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on -// the curve, it returns nil and an error, and the receiver is unchanged. -// Otherwise, it returns p. -func (p *P384Point) SetBytes(b []byte) (*P384Point, error) { - switch { - // Point at infinity. - case len(b) == 1 && b[0] == 0: - return p.Set(NewP384Point()), nil - - // Uncompressed form. - case len(b) == 1+2*p384ElementLength && b[0] == 4: - x, err := new(fiat.P384Element).SetBytes(b[1 : 1+p384ElementLength]) - if err != nil { - return nil, err - } - y, err := new(fiat.P384Element).SetBytes(b[1+p384ElementLength:]) - if err != nil { - return nil, err - } - if err := p384CheckOnCurve(x, y); err != nil { - return nil, err - } - p.x.Set(x) - p.y.Set(y) - p.z.One() - return p, nil - - // Compressed form. - case len(b) == 1+p384ElementLength && (b[0] == 2 || b[0] == 3): - x, err := new(fiat.P384Element).SetBytes(b[1:]) - if err != nil { - return nil, err - } - - // y² = x³ - 3x + b - y := p384Polynomial(new(fiat.P384Element), x) - if !p384Sqrt(y, y) { - return nil, errors.New("invalid P384 compressed point encoding") - } - - // Select the positive or negative root, as indicated by the least - // significant bit, based on the encoding type byte. - otherRoot := new(fiat.P384Element) - otherRoot.Sub(otherRoot, y) - cond := y.Bytes()[p384ElementLength-1]&1 ^ b[0]&1 - y.Select(otherRoot, y, int(cond)) - - p.x.Set(x) - p.y.Set(y) - p.z.One() - return p, nil - - default: - return nil, errors.New("invalid P384 point encoding") - } -} - -var _p384B *fiat.P384Element -var _p384BOnce sync.Once - -func p384B() *fiat.P384Element { - _p384BOnce.Do(func() { - _p384B, _ = new(fiat.P384Element).SetBytes([]byte{0xb3, 0x31, 0x2f, 0xa7, 0xe2, 0x3e, 0xe7, 0xe4, 0x98, 0x8e, 0x5, 0x6b, 0xe3, 0xf8, 0x2d, 0x19, 0x18, 0x1d, 0x9c, 0x6e, 0xfe, 0x81, 0x41, 0x12, 0x3, 0x14, 0x8, 0x8f, 0x50, 0x13, 0x87, 0x5a, 0xc6, 0x56, 0x39, 0x8d, 0x8a, 0x2e, 0xd1, 0x9d, 0x2a, 0x85, 0xc8, 0xed, 0xd3, 0xec, 0x2a, 0xef}) - }) - return _p384B -} - -// p384Polynomial sets y2 to x³ - 3x + b, and returns y2. -func p384Polynomial(y2, x *fiat.P384Element) *fiat.P384Element { - y2.Square(x) - y2.Mul(y2, x) - - threeX := new(fiat.P384Element).Add(x, x) - threeX.Add(threeX, x) - y2.Sub(y2, threeX) - - return y2.Add(y2, p384B()) -} - -func p384CheckOnCurve(x, y *fiat.P384Element) error { - // y² = x³ - 3x + b - rhs := p384Polynomial(new(fiat.P384Element), x) - lhs := new(fiat.P384Element).Square(y) - if rhs.Equal(lhs) != 1 { - return errors.New("P384 point not on curve") - } - return nil -} - -// Bytes returns the uncompressed or infinity encoding of p, as specified in -// SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at -// infinity is shorter than all other encodings. -func (p *P384Point) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [1 + 2*p384ElementLength]byte - return p.bytes(&out) -} - -func (p *P384Point) bytes(out *[1 + 2*p384ElementLength]byte) []byte { - if p.z.IsZero() == 1 { - return append(out[:0], 0) - } - - zinv := new(fiat.P384Element).Invert(p.z) - x := new(fiat.P384Element).Mul(p.x, zinv) - y := new(fiat.P384Element).Mul(p.y, zinv) - - buf := append(out[:0], 4) - buf = append(buf, x.Bytes()...) - buf = append(buf, y.Bytes()...) - return buf -} - -// BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, -// Version 2.0, Section 2.3.5, or an error if p is the point at infinity. -func (p *P384Point) BytesX() ([]byte, error) { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p384ElementLength]byte - return p.bytesX(&out) -} - -func (p *P384Point) bytesX(out *[p384ElementLength]byte) ([]byte, error) { - if p.z.IsZero() == 1 { - return nil, errors.New("P384 point is the point at infinity") - } - - zinv := new(fiat.P384Element).Invert(p.z) - x := new(fiat.P384Element).Mul(p.x, zinv) - - return append(out[:0], x.Bytes()...), nil -} - -// BytesCompressed returns the compressed or infinity encoding of p, as -// specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the -// point at infinity is shorter than all other encodings. -func (p *P384Point) BytesCompressed() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [1 + p384ElementLength]byte - return p.bytesCompressed(&out) -} - -func (p *P384Point) bytesCompressed(out *[1 + p384ElementLength]byte) []byte { - if p.z.IsZero() == 1 { - return append(out[:0], 0) - } - - zinv := new(fiat.P384Element).Invert(p.z) - x := new(fiat.P384Element).Mul(p.x, zinv) - y := new(fiat.P384Element).Mul(p.y, zinv) - - // Encode the sign of the y coordinate (indicated by the least significant - // bit) as the encoding type (2 or 3). - buf := append(out[:0], 2) - buf[0] |= y.Bytes()[p384ElementLength-1] & 1 - buf = append(buf, x.Bytes()...) - return buf -} - -// Add sets q = p1 + p2, and returns q. The points may overlap. -func (q *P384Point) Add(p1, p2 *P384Point) *P384Point { - // Complete addition formula for a = -3 from "Complete addition formulas for - // prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2. - - t0 := new(fiat.P384Element).Mul(p1.x, p2.x) // t0 := X1 * X2 - t1 := new(fiat.P384Element).Mul(p1.y, p2.y) // t1 := Y1 * Y2 - t2 := new(fiat.P384Element).Mul(p1.z, p2.z) // t2 := Z1 * Z2 - t3 := new(fiat.P384Element).Add(p1.x, p1.y) // t3 := X1 + Y1 - t4 := new(fiat.P384Element).Add(p2.x, p2.y) // t4 := X2 + Y2 - t3.Mul(t3, t4) // t3 := t3 * t4 - t4.Add(t0, t1) // t4 := t0 + t1 - t3.Sub(t3, t4) // t3 := t3 - t4 - t4.Add(p1.y, p1.z) // t4 := Y1 + Z1 - x3 := new(fiat.P384Element).Add(p2.y, p2.z) // X3 := Y2 + Z2 - t4.Mul(t4, x3) // t4 := t4 * X3 - x3.Add(t1, t2) // X3 := t1 + t2 - t4.Sub(t4, x3) // t4 := t4 - X3 - x3.Add(p1.x, p1.z) // X3 := X1 + Z1 - y3 := new(fiat.P384Element).Add(p2.x, p2.z) // Y3 := X2 + Z2 - x3.Mul(x3, y3) // X3 := X3 * Y3 - y3.Add(t0, t2) // Y3 := t0 + t2 - y3.Sub(x3, y3) // Y3 := X3 - Y3 - z3 := new(fiat.P384Element).Mul(p384B(), t2) // Z3 := b * t2 - x3.Sub(y3, z3) // X3 := Y3 - Z3 - z3.Add(x3, x3) // Z3 := X3 + X3 - x3.Add(x3, z3) // X3 := X3 + Z3 - z3.Sub(t1, x3) // Z3 := t1 - X3 - x3.Add(t1, x3) // X3 := t1 + X3 - y3.Mul(p384B(), y3) // Y3 := b * Y3 - t1.Add(t2, t2) // t1 := t2 + t2 - t2.Add(t1, t2) // t2 := t1 + t2 - y3.Sub(y3, t2) // Y3 := Y3 - t2 - y3.Sub(y3, t0) // Y3 := Y3 - t0 - t1.Add(y3, y3) // t1 := Y3 + Y3 - y3.Add(t1, y3) // Y3 := t1 + Y3 - t1.Add(t0, t0) // t1 := t0 + t0 - t0.Add(t1, t0) // t0 := t1 + t0 - t0.Sub(t0, t2) // t0 := t0 - t2 - t1.Mul(t4, y3) // t1 := t4 * Y3 - t2.Mul(t0, y3) // t2 := t0 * Y3 - y3.Mul(x3, z3) // Y3 := X3 * Z3 - y3.Add(y3, t2) // Y3 := Y3 + t2 - x3.Mul(t3, x3) // X3 := t3 * X3 - x3.Sub(x3, t1) // X3 := X3 - t1 - z3.Mul(t4, z3) // Z3 := t4 * Z3 - t1.Mul(t3, t0) // t1 := t3 * t0 - z3.Add(z3, t1) // Z3 := Z3 + t1 - - q.x.Set(x3) - q.y.Set(y3) - q.z.Set(z3) - return q -} - -// Double sets q = p + p, and returns q. The points may overlap. -func (q *P384Point) Double(p *P384Point) *P384Point { - // Complete addition formula for a = -3 from "Complete addition formulas for - // prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2. - - t0 := new(fiat.P384Element).Square(p.x) // t0 := X ^ 2 - t1 := new(fiat.P384Element).Square(p.y) // t1 := Y ^ 2 - t2 := new(fiat.P384Element).Square(p.z) // t2 := Z ^ 2 - t3 := new(fiat.P384Element).Mul(p.x, p.y) // t3 := X * Y - t3.Add(t3, t3) // t3 := t3 + t3 - z3 := new(fiat.P384Element).Mul(p.x, p.z) // Z3 := X * Z - z3.Add(z3, z3) // Z3 := Z3 + Z3 - y3 := new(fiat.P384Element).Mul(p384B(), t2) // Y3 := b * t2 - y3.Sub(y3, z3) // Y3 := Y3 - Z3 - x3 := new(fiat.P384Element).Add(y3, y3) // X3 := Y3 + Y3 - y3.Add(x3, y3) // Y3 := X3 + Y3 - x3.Sub(t1, y3) // X3 := t1 - Y3 - y3.Add(t1, y3) // Y3 := t1 + Y3 - y3.Mul(x3, y3) // Y3 := X3 * Y3 - x3.Mul(x3, t3) // X3 := X3 * t3 - t3.Add(t2, t2) // t3 := t2 + t2 - t2.Add(t2, t3) // t2 := t2 + t3 - z3.Mul(p384B(), z3) // Z3 := b * Z3 - z3.Sub(z3, t2) // Z3 := Z3 - t2 - z3.Sub(z3, t0) // Z3 := Z3 - t0 - t3.Add(z3, z3) // t3 := Z3 + Z3 - z3.Add(z3, t3) // Z3 := Z3 + t3 - t3.Add(t0, t0) // t3 := t0 + t0 - t0.Add(t3, t0) // t0 := t3 + t0 - t0.Sub(t0, t2) // t0 := t0 - t2 - t0.Mul(t0, z3) // t0 := t0 * Z3 - y3.Add(y3, t0) // Y3 := Y3 + t0 - t0.Mul(p.y, p.z) // t0 := Y * Z - t0.Add(t0, t0) // t0 := t0 + t0 - z3.Mul(t0, z3) // Z3 := t0 * Z3 - x3.Sub(x3, z3) // X3 := X3 - Z3 - z3.Mul(t0, t1) // Z3 := t0 * t1 - z3.Add(z3, z3) // Z3 := Z3 + Z3 - z3.Add(z3, z3) // Z3 := Z3 + Z3 - - q.x.Set(x3) - q.y.Set(y3) - q.z.Set(z3) - return q -} - -// Select sets q to p1 if cond == 1, and to p2 if cond == 0. -func (q *P384Point) Select(p1, p2 *P384Point, cond int) *P384Point { - q.x.Select(p1.x, p2.x, cond) - q.y.Select(p1.y, p2.y, cond) - q.z.Select(p1.z, p2.z, cond) - return q -} - -// A p384Table holds the first 15 multiples of a point at offset -1, so [1]P -// is at table[0], [15]P is at table[14], and [0]P is implicitly the identity -// point. -type p384Table [15]*P384Point - -// Select selects the n-th multiple of the table base point into p. It works in -// constant time by iterating over every entry of the table. n must be in [0, 15]. -func (table *p384Table) Select(p *P384Point, n uint8) { - if n >= 16 { - panic("nistec: internal error: p384Table called with out-of-bounds value") - } - p.Set(NewP384Point()) - for i := uint8(1); i < 16; i++ { - cond := subtle.ConstantTimeByteEq(i, n) - p.Select(table[i-1], p, cond) - } -} - -// ScalarMult sets p = scalar * q, and returns p. -func (p *P384Point) ScalarMult(q *P384Point, scalar []byte) (*P384Point, error) { - // Compute a p384Table for the base point q. The explicit NewP384Point - // calls get inlined, letting the allocations live on the stack. - var table = p384Table{NewP384Point(), NewP384Point(), NewP384Point(), - NewP384Point(), NewP384Point(), NewP384Point(), NewP384Point(), - NewP384Point(), NewP384Point(), NewP384Point(), NewP384Point(), - NewP384Point(), NewP384Point(), NewP384Point(), NewP384Point()} - table[0].Set(q) - for i := 1; i < 15; i += 2 { - table[i].Double(table[i/2]) - table[i+1].Add(table[i], q) - } - - // Instead of doing the classic double-and-add chain, we do it with a - // four-bit window: we double four times, and then add [0-15]P. - t := NewP384Point() - p.Set(NewP384Point()) - for i, byte := range scalar { - // No need to double on the first iteration, as p is the identity at - // this point, and [N]∞ = ∞. - if i != 0 { - p.Double(p) - p.Double(p) - p.Double(p) - p.Double(p) - } - - windowValue := byte >> 4 - table.Select(t, windowValue) - p.Add(p, t) - - p.Double(p) - p.Double(p) - p.Double(p) - p.Double(p) - - windowValue = byte & 0b1111 - table.Select(t, windowValue) - p.Add(p, t) - } - - return p, nil -} - -var p384GeneratorTable *[p384ElementLength * 2]p384Table -var p384GeneratorTableOnce sync.Once - -// generatorTable returns a sequence of p384Tables. The first table contains -// multiples of G. Each successive table is the previous table doubled four -// times. -func (p *P384Point) generatorTable() *[p384ElementLength * 2]p384Table { - p384GeneratorTableOnce.Do(func() { - p384GeneratorTable = new([p384ElementLength * 2]p384Table) - base := NewP384Point().SetGenerator() - for i := 0; i < p384ElementLength*2; i++ { - p384GeneratorTable[i][0] = NewP384Point().Set(base) - for j := 1; j < 15; j++ { - p384GeneratorTable[i][j] = NewP384Point().Add(p384GeneratorTable[i][j-1], base) - } - base.Double(base) - base.Double(base) - base.Double(base) - base.Double(base) - } - }) - return p384GeneratorTable -} - -// ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and -// returns p. -func (p *P384Point) ScalarBaseMult(scalar []byte) (*P384Point, error) { - if len(scalar) != p384ElementLength { - return nil, errors.New("invalid scalar length") - } - tables := p.generatorTable() - - // This is also a scalar multiplication with a four-bit window like in - // ScalarMult, but in this case the doublings are precomputed. The value - // [windowValue]G added at iteration k would normally get doubled - // (totIterations-k)×4 times, but with a larger precomputation we can - // instead add [2^((totIterations-k)×4)][windowValue]G and avoid the - // doublings between iterations. - t := NewP384Point() - p.Set(NewP384Point()) - tableIndex := len(tables) - 1 - for _, byte := range scalar { - windowValue := byte >> 4 - tables[tableIndex].Select(t, windowValue) - p.Add(p, t) - tableIndex-- - - windowValue = byte & 0b1111 - tables[tableIndex].Select(t, windowValue) - p.Add(p, t) - tableIndex-- - } - - return p, nil -} - -// p384Sqrt sets e to a square root of x. If x is not a square, p384Sqrt returns -// false and e is unchanged. e and x can overlap. -func p384Sqrt(e, x *fiat.P384Element) (isSquare bool) { - candidate := new(fiat.P384Element) - p384SqrtCandidate(candidate, x) - square := new(fiat.P384Element).Square(candidate) - if square.Equal(x) != 1 { - return false - } - e.Set(candidate) - return true -} - -// p384SqrtCandidate sets z to a square root candidate for x. z and x must not overlap. -func p384SqrtCandidate(z, x *fiat.P384Element) { - // Since p = 3 mod 4, exponentiation by (p + 1) / 4 yields a square root candidate. - // - // The sequence of 14 multiplications and 381 squarings is derived from the - // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. - // - // _10 = 2*1 - // _11 = 1 + _10 - // _110 = 2*_11 - // _111 = 1 + _110 - // _111000 = _111 << 3 - // _111111 = _111 + _111000 - // _1111110 = 2*_111111 - // _1111111 = 1 + _1111110 - // x12 = _1111110 << 5 + _111111 - // x24 = x12 << 12 + x12 - // x31 = x24 << 7 + _1111111 - // x32 = 2*x31 + 1 - // x63 = x32 << 31 + x31 - // x126 = x63 << 63 + x63 - // x252 = x126 << 126 + x126 - // x255 = x252 << 3 + _111 - // return ((x255 << 33 + x32) << 64 + 1) << 30 - // - var t0 = new(fiat.P384Element) - var t1 = new(fiat.P384Element) - var t2 = new(fiat.P384Element) - - z.Square(x) - z.Mul(x, z) - z.Square(z) - t0.Mul(x, z) - z.Square(t0) - for s := 1; s < 3; s++ { - z.Square(z) - } - t1.Mul(t0, z) - t2.Square(t1) - z.Mul(x, t2) - for s := 0; s < 5; s++ { - t2.Square(t2) - } - t1.Mul(t1, t2) - t2.Square(t1) - for s := 1; s < 12; s++ { - t2.Square(t2) - } - t1.Mul(t1, t2) - for s := 0; s < 7; s++ { - t1.Square(t1) - } - t1.Mul(z, t1) - z.Square(t1) - z.Mul(x, z) - t2.Square(z) - for s := 1; s < 31; s++ { - t2.Square(t2) - } - t1.Mul(t1, t2) - t2.Square(t1) - for s := 1; s < 63; s++ { - t2.Square(t2) - } - t1.Mul(t1, t2) - t2.Square(t1) - for s := 1; s < 126; s++ { - t2.Square(t2) - } - t1.Mul(t1, t2) - for s := 0; s < 3; s++ { - t1.Square(t1) - } - t0.Mul(t0, t1) - for s := 0; s < 33; s++ { - t0.Square(t0) - } - z.Mul(z, t0) - for s := 0; s < 64; s++ { - z.Square(z) - } - z.Mul(x, z) - for s := 0; s < 30; s++ { - z.Square(z) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p521.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p521.go deleted file mode 100644 index 8ade8a33040..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/p521.go +++ /dev/null @@ -1,469 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Code generated by generate.go. DO NOT EDIT. - -package nistec - -import ( - "crypto/internal/fips140/nistec/fiat" - "crypto/internal/fips140/subtle" - "errors" - "sync" -) - -// p521ElementLength is the length of an element of the base or scalar field, -// which have the same bytes length for all NIST P curves. -const p521ElementLength = 66 - -// P521Point is a P521 point. The zero value is NOT valid. -type P521Point struct { - // The point is represented in projective coordinates (X:Y:Z), - // where x = X/Z and y = Y/Z. - x, y, z *fiat.P521Element -} - -// NewP521Point returns a new P521Point representing the point at infinity point. -func NewP521Point() *P521Point { - return &P521Point{ - x: new(fiat.P521Element), - y: new(fiat.P521Element).One(), - z: new(fiat.P521Element), - } -} - -// SetGenerator sets p to the canonical generator and returns p. -func (p *P521Point) SetGenerator() *P521Point { - p.x.SetBytes([]byte{0x0, 0xc6, 0x85, 0x8e, 0x6, 0xb7, 0x4, 0x4, 0xe9, 0xcd, 0x9e, 0x3e, 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x5, 0x3f, 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b, 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff, 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e, 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66}) - p.y.SetBytes([]byte{0x1, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x4, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x1, 0x3f, 0xad, 0x7, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50}) - p.z.One() - return p -} - -// Set sets p = q and returns p. -func (p *P521Point) Set(q *P521Point) *P521Point { - p.x.Set(q.x) - p.y.Set(q.y) - p.z.Set(q.z) - return p -} - -// SetBytes sets p to the compressed, uncompressed, or infinity value encoded in -// b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on -// the curve, it returns nil and an error, and the receiver is unchanged. -// Otherwise, it returns p. -func (p *P521Point) SetBytes(b []byte) (*P521Point, error) { - switch { - // Point at infinity. - case len(b) == 1 && b[0] == 0: - return p.Set(NewP521Point()), nil - - // Uncompressed form. - case len(b) == 1+2*p521ElementLength && b[0] == 4: - x, err := new(fiat.P521Element).SetBytes(b[1 : 1+p521ElementLength]) - if err != nil { - return nil, err - } - y, err := new(fiat.P521Element).SetBytes(b[1+p521ElementLength:]) - if err != nil { - return nil, err - } - if err := p521CheckOnCurve(x, y); err != nil { - return nil, err - } - p.x.Set(x) - p.y.Set(y) - p.z.One() - return p, nil - - // Compressed form. - case len(b) == 1+p521ElementLength && (b[0] == 2 || b[0] == 3): - x, err := new(fiat.P521Element).SetBytes(b[1:]) - if err != nil { - return nil, err - } - - // y² = x³ - 3x + b - y := p521Polynomial(new(fiat.P521Element), x) - if !p521Sqrt(y, y) { - return nil, errors.New("invalid P521 compressed point encoding") - } - - // Select the positive or negative root, as indicated by the least - // significant bit, based on the encoding type byte. - otherRoot := new(fiat.P521Element) - otherRoot.Sub(otherRoot, y) - cond := y.Bytes()[p521ElementLength-1]&1 ^ b[0]&1 - y.Select(otherRoot, y, int(cond)) - - p.x.Set(x) - p.y.Set(y) - p.z.One() - return p, nil - - default: - return nil, errors.New("invalid P521 point encoding") - } -} - -var _p521B *fiat.P521Element -var _p521BOnce sync.Once - -func p521B() *fiat.P521Element { - _p521BOnce.Do(func() { - _p521B, _ = new(fiat.P521Element).SetBytes([]byte{0x0, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a, 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72, 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x9, 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0, 0xbd, 0x3b, 0xb1, 0xbf, 0x7, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34, 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x0}) - }) - return _p521B -} - -// p521Polynomial sets y2 to x³ - 3x + b, and returns y2. -func p521Polynomial(y2, x *fiat.P521Element) *fiat.P521Element { - y2.Square(x) - y2.Mul(y2, x) - - threeX := new(fiat.P521Element).Add(x, x) - threeX.Add(threeX, x) - y2.Sub(y2, threeX) - - return y2.Add(y2, p521B()) -} - -func p521CheckOnCurve(x, y *fiat.P521Element) error { - // y² = x³ - 3x + b - rhs := p521Polynomial(new(fiat.P521Element), x) - lhs := new(fiat.P521Element).Square(y) - if rhs.Equal(lhs) != 1 { - return errors.New("P521 point not on curve") - } - return nil -} - -// Bytes returns the uncompressed or infinity encoding of p, as specified in -// SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at -// infinity is shorter than all other encodings. -func (p *P521Point) Bytes() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [1 + 2*p521ElementLength]byte - return p.bytes(&out) -} - -func (p *P521Point) bytes(out *[1 + 2*p521ElementLength]byte) []byte { - if p.z.IsZero() == 1 { - return append(out[:0], 0) - } - - zinv := new(fiat.P521Element).Invert(p.z) - x := new(fiat.P521Element).Mul(p.x, zinv) - y := new(fiat.P521Element).Mul(p.y, zinv) - - buf := append(out[:0], 4) - buf = append(buf, x.Bytes()...) - buf = append(buf, y.Bytes()...) - return buf -} - -// BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, -// Version 2.0, Section 2.3.5, or an error if p is the point at infinity. -func (p *P521Point) BytesX() ([]byte, error) { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [p521ElementLength]byte - return p.bytesX(&out) -} - -func (p *P521Point) bytesX(out *[p521ElementLength]byte) ([]byte, error) { - if p.z.IsZero() == 1 { - return nil, errors.New("P521 point is the point at infinity") - } - - zinv := new(fiat.P521Element).Invert(p.z) - x := new(fiat.P521Element).Mul(p.x, zinv) - - return append(out[:0], x.Bytes()...), nil -} - -// BytesCompressed returns the compressed or infinity encoding of p, as -// specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the -// point at infinity is shorter than all other encodings. -func (p *P521Point) BytesCompressed() []byte { - // This function is outlined to make the allocations inline in the caller - // rather than happen on the heap. - var out [1 + p521ElementLength]byte - return p.bytesCompressed(&out) -} - -func (p *P521Point) bytesCompressed(out *[1 + p521ElementLength]byte) []byte { - if p.z.IsZero() == 1 { - return append(out[:0], 0) - } - - zinv := new(fiat.P521Element).Invert(p.z) - x := new(fiat.P521Element).Mul(p.x, zinv) - y := new(fiat.P521Element).Mul(p.y, zinv) - - // Encode the sign of the y coordinate (indicated by the least significant - // bit) as the encoding type (2 or 3). - buf := append(out[:0], 2) - buf[0] |= y.Bytes()[p521ElementLength-1] & 1 - buf = append(buf, x.Bytes()...) - return buf -} - -// Add sets q = p1 + p2, and returns q. The points may overlap. -func (q *P521Point) Add(p1, p2 *P521Point) *P521Point { - // Complete addition formula for a = -3 from "Complete addition formulas for - // prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2. - - t0 := new(fiat.P521Element).Mul(p1.x, p2.x) // t0 := X1 * X2 - t1 := new(fiat.P521Element).Mul(p1.y, p2.y) // t1 := Y1 * Y2 - t2 := new(fiat.P521Element).Mul(p1.z, p2.z) // t2 := Z1 * Z2 - t3 := new(fiat.P521Element).Add(p1.x, p1.y) // t3 := X1 + Y1 - t4 := new(fiat.P521Element).Add(p2.x, p2.y) // t4 := X2 + Y2 - t3.Mul(t3, t4) // t3 := t3 * t4 - t4.Add(t0, t1) // t4 := t0 + t1 - t3.Sub(t3, t4) // t3 := t3 - t4 - t4.Add(p1.y, p1.z) // t4 := Y1 + Z1 - x3 := new(fiat.P521Element).Add(p2.y, p2.z) // X3 := Y2 + Z2 - t4.Mul(t4, x3) // t4 := t4 * X3 - x3.Add(t1, t2) // X3 := t1 + t2 - t4.Sub(t4, x3) // t4 := t4 - X3 - x3.Add(p1.x, p1.z) // X3 := X1 + Z1 - y3 := new(fiat.P521Element).Add(p2.x, p2.z) // Y3 := X2 + Z2 - x3.Mul(x3, y3) // X3 := X3 * Y3 - y3.Add(t0, t2) // Y3 := t0 + t2 - y3.Sub(x3, y3) // Y3 := X3 - Y3 - z3 := new(fiat.P521Element).Mul(p521B(), t2) // Z3 := b * t2 - x3.Sub(y3, z3) // X3 := Y3 - Z3 - z3.Add(x3, x3) // Z3 := X3 + X3 - x3.Add(x3, z3) // X3 := X3 + Z3 - z3.Sub(t1, x3) // Z3 := t1 - X3 - x3.Add(t1, x3) // X3 := t1 + X3 - y3.Mul(p521B(), y3) // Y3 := b * Y3 - t1.Add(t2, t2) // t1 := t2 + t2 - t2.Add(t1, t2) // t2 := t1 + t2 - y3.Sub(y3, t2) // Y3 := Y3 - t2 - y3.Sub(y3, t0) // Y3 := Y3 - t0 - t1.Add(y3, y3) // t1 := Y3 + Y3 - y3.Add(t1, y3) // Y3 := t1 + Y3 - t1.Add(t0, t0) // t1 := t0 + t0 - t0.Add(t1, t0) // t0 := t1 + t0 - t0.Sub(t0, t2) // t0 := t0 - t2 - t1.Mul(t4, y3) // t1 := t4 * Y3 - t2.Mul(t0, y3) // t2 := t0 * Y3 - y3.Mul(x3, z3) // Y3 := X3 * Z3 - y3.Add(y3, t2) // Y3 := Y3 + t2 - x3.Mul(t3, x3) // X3 := t3 * X3 - x3.Sub(x3, t1) // X3 := X3 - t1 - z3.Mul(t4, z3) // Z3 := t4 * Z3 - t1.Mul(t3, t0) // t1 := t3 * t0 - z3.Add(z3, t1) // Z3 := Z3 + t1 - - q.x.Set(x3) - q.y.Set(y3) - q.z.Set(z3) - return q -} - -// Double sets q = p + p, and returns q. The points may overlap. -func (q *P521Point) Double(p *P521Point) *P521Point { - // Complete addition formula for a = -3 from "Complete addition formulas for - // prime order elliptic curves" (https://eprint.iacr.org/2015/1060), §A.2. - - t0 := new(fiat.P521Element).Square(p.x) // t0 := X ^ 2 - t1 := new(fiat.P521Element).Square(p.y) // t1 := Y ^ 2 - t2 := new(fiat.P521Element).Square(p.z) // t2 := Z ^ 2 - t3 := new(fiat.P521Element).Mul(p.x, p.y) // t3 := X * Y - t3.Add(t3, t3) // t3 := t3 + t3 - z3 := new(fiat.P521Element).Mul(p.x, p.z) // Z3 := X * Z - z3.Add(z3, z3) // Z3 := Z3 + Z3 - y3 := new(fiat.P521Element).Mul(p521B(), t2) // Y3 := b * t2 - y3.Sub(y3, z3) // Y3 := Y3 - Z3 - x3 := new(fiat.P521Element).Add(y3, y3) // X3 := Y3 + Y3 - y3.Add(x3, y3) // Y3 := X3 + Y3 - x3.Sub(t1, y3) // X3 := t1 - Y3 - y3.Add(t1, y3) // Y3 := t1 + Y3 - y3.Mul(x3, y3) // Y3 := X3 * Y3 - x3.Mul(x3, t3) // X3 := X3 * t3 - t3.Add(t2, t2) // t3 := t2 + t2 - t2.Add(t2, t3) // t2 := t2 + t3 - z3.Mul(p521B(), z3) // Z3 := b * Z3 - z3.Sub(z3, t2) // Z3 := Z3 - t2 - z3.Sub(z3, t0) // Z3 := Z3 - t0 - t3.Add(z3, z3) // t3 := Z3 + Z3 - z3.Add(z3, t3) // Z3 := Z3 + t3 - t3.Add(t0, t0) // t3 := t0 + t0 - t0.Add(t3, t0) // t0 := t3 + t0 - t0.Sub(t0, t2) // t0 := t0 - t2 - t0.Mul(t0, z3) // t0 := t0 * Z3 - y3.Add(y3, t0) // Y3 := Y3 + t0 - t0.Mul(p.y, p.z) // t0 := Y * Z - t0.Add(t0, t0) // t0 := t0 + t0 - z3.Mul(t0, z3) // Z3 := t0 * Z3 - x3.Sub(x3, z3) // X3 := X3 - Z3 - z3.Mul(t0, t1) // Z3 := t0 * t1 - z3.Add(z3, z3) // Z3 := Z3 + Z3 - z3.Add(z3, z3) // Z3 := Z3 + Z3 - - q.x.Set(x3) - q.y.Set(y3) - q.z.Set(z3) - return q -} - -// Select sets q to p1 if cond == 1, and to p2 if cond == 0. -func (q *P521Point) Select(p1, p2 *P521Point, cond int) *P521Point { - q.x.Select(p1.x, p2.x, cond) - q.y.Select(p1.y, p2.y, cond) - q.z.Select(p1.z, p2.z, cond) - return q -} - -// A p521Table holds the first 15 multiples of a point at offset -1, so [1]P -// is at table[0], [15]P is at table[14], and [0]P is implicitly the identity -// point. -type p521Table [15]*P521Point - -// Select selects the n-th multiple of the table base point into p. It works in -// constant time by iterating over every entry of the table. n must be in [0, 15]. -func (table *p521Table) Select(p *P521Point, n uint8) { - if n >= 16 { - panic("nistec: internal error: p521Table called with out-of-bounds value") - } - p.Set(NewP521Point()) - for i := uint8(1); i < 16; i++ { - cond := subtle.ConstantTimeByteEq(i, n) - p.Select(table[i-1], p, cond) - } -} - -// ScalarMult sets p = scalar * q, and returns p. -func (p *P521Point) ScalarMult(q *P521Point, scalar []byte) (*P521Point, error) { - // Compute a p521Table for the base point q. The explicit NewP521Point - // calls get inlined, letting the allocations live on the stack. - var table = p521Table{NewP521Point(), NewP521Point(), NewP521Point(), - NewP521Point(), NewP521Point(), NewP521Point(), NewP521Point(), - NewP521Point(), NewP521Point(), NewP521Point(), NewP521Point(), - NewP521Point(), NewP521Point(), NewP521Point(), NewP521Point()} - table[0].Set(q) - for i := 1; i < 15; i += 2 { - table[i].Double(table[i/2]) - table[i+1].Add(table[i], q) - } - - // Instead of doing the classic double-and-add chain, we do it with a - // four-bit window: we double four times, and then add [0-15]P. - t := NewP521Point() - p.Set(NewP521Point()) - for i, byte := range scalar { - // No need to double on the first iteration, as p is the identity at - // this point, and [N]∞ = ∞. - if i != 0 { - p.Double(p) - p.Double(p) - p.Double(p) - p.Double(p) - } - - windowValue := byte >> 4 - table.Select(t, windowValue) - p.Add(p, t) - - p.Double(p) - p.Double(p) - p.Double(p) - p.Double(p) - - windowValue = byte & 0b1111 - table.Select(t, windowValue) - p.Add(p, t) - } - - return p, nil -} - -var p521GeneratorTable *[p521ElementLength * 2]p521Table -var p521GeneratorTableOnce sync.Once - -// generatorTable returns a sequence of p521Tables. The first table contains -// multiples of G. Each successive table is the previous table doubled four -// times. -func (p *P521Point) generatorTable() *[p521ElementLength * 2]p521Table { - p521GeneratorTableOnce.Do(func() { - p521GeneratorTable = new([p521ElementLength * 2]p521Table) - base := NewP521Point().SetGenerator() - for i := 0; i < p521ElementLength*2; i++ { - p521GeneratorTable[i][0] = NewP521Point().Set(base) - for j := 1; j < 15; j++ { - p521GeneratorTable[i][j] = NewP521Point().Add(p521GeneratorTable[i][j-1], base) - } - base.Double(base) - base.Double(base) - base.Double(base) - base.Double(base) - } - }) - return p521GeneratorTable -} - -// ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and -// returns p. -func (p *P521Point) ScalarBaseMult(scalar []byte) (*P521Point, error) { - if len(scalar) != p521ElementLength { - return nil, errors.New("invalid scalar length") - } - tables := p.generatorTable() - - // This is also a scalar multiplication with a four-bit window like in - // ScalarMult, but in this case the doublings are precomputed. The value - // [windowValue]G added at iteration k would normally get doubled - // (totIterations-k)×4 times, but with a larger precomputation we can - // instead add [2^((totIterations-k)×4)][windowValue]G and avoid the - // doublings between iterations. - t := NewP521Point() - p.Set(NewP521Point()) - tableIndex := len(tables) - 1 - for _, byte := range scalar { - windowValue := byte >> 4 - tables[tableIndex].Select(t, windowValue) - p.Add(p, t) - tableIndex-- - - windowValue = byte & 0b1111 - tables[tableIndex].Select(t, windowValue) - p.Add(p, t) - tableIndex-- - } - - return p, nil -} - -// p521Sqrt sets e to a square root of x. If x is not a square, p521Sqrt returns -// false and e is unchanged. e and x can overlap. -func p521Sqrt(e, x *fiat.P521Element) (isSquare bool) { - candidate := new(fiat.P521Element) - p521SqrtCandidate(candidate, x) - square := new(fiat.P521Element).Square(candidate) - if square.Equal(x) != 1 { - return false - } - e.Set(candidate) - return true -} - -// p521SqrtCandidate sets z to a square root candidate for x. z and x must not overlap. -func p521SqrtCandidate(z, x *fiat.P521Element) { - // Since p = 3 mod 4, exponentiation by (p + 1) / 4 yields a square root candidate. - // - // The sequence of 0 multiplications and 519 squarings is derived from the - // following addition chain generated with github.com/mmcloughlin/addchain v0.4.0. - // - // return 1 << 519 - // - - z.Square(x) - for s := 1; s < 519; s++ { - z.Square(z) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/ya.make deleted file mode 100644 index 140369f0a73..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/nistec/ya.make +++ /dev/null @@ -1,43 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - nistec.go - p224.go - p224_sqrt.go - p256_asm.go - p256_asm_arm64.s - p256_ordinv.go - p256_table.go - p384.go - p521.go - ) -ELSEIF (OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - nistec.go - p224.go - p224_sqrt.go - p256_asm.go - p256_asm_amd64.s - p256_ordinv.go - p256_table.go - p384.go - p521.go - ) -ELSEIF (OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - nistec.go - p224.go - p224_sqrt.go - p256.go - p256_ordinv_noasm.go - p256_table.go - p384.go - p521.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/notasan.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/notasan.go deleted file mode 100644 index 639d419ef9c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/notasan.go +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !asan - -package fips140 - -const asanEnabled = false diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/notboring.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/notboring.go deleted file mode 100644 index 681521c687c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/notboring.go +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !(boringcrypto && linux && (amd64 || arm64) && !android && !msan && cgo) - -package fips140 - -const boringEnabled = false diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/pbkdf2/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/pbkdf2/cast.go deleted file mode 100644 index 748372a8fc2..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/pbkdf2/cast.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package pbkdf2 - -import ( - "bytes" - "crypto/internal/fips140" - _ "crypto/internal/fips140/check" - "crypto/internal/fips140/sha256" - "errors" -) - -func init() { - // Per IG 10.3.A: - // "if the module implements an approved PBKDF (SP 800-132), the module - // shall perform a CAST, at minimum, on the derivation of the Master - // Key (MK) as specified in Section 5.3 of SP 800-132" - // "The Iteration Count parameter does not need to be among those - // supported by the module in the approved mode but shall be at least - // two." - fips140.CAST("PBKDF2", func() error { - salt := []byte{ - 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, - 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, - } - want := []byte{ - 0xC7, 0x58, 0x76, 0xC0, 0x71, 0x1C, 0x29, 0x75, - 0x2D, 0x3A, 0xA6, 0xDF, 0x29, 0x96, - } - - mk, err := Key(sha256.New, "password", salt, 2, 14) - if err != nil { - return err - } - if !bytes.Equal(mk, want) { - return errors.New("unexpected result") - } - - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/pbkdf2/pbkdf2.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/pbkdf2/pbkdf2.go deleted file mode 100644 index 2cd9b002419..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/pbkdf2/pbkdf2.go +++ /dev/null @@ -1,88 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package pbkdf2 - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/hmac" - "errors" - "hash" -) - -// divRoundUp divides x+y-1 by y, rounding up if the result is not whole. -// This function casts x and y to int64 in order to avoid cases where -// x+y would overflow int on systems where int is an int32. The result -// is an int, which is safe as (x+y-1)/y should always fit, regardless -// of the integer size. -func divRoundUp(x, y int) int { - return int((int64(x) + int64(y) - 1) / int64(y)) -} - -func Key[Hash hash.Hash](h func() Hash, password string, salt []byte, iter, keyLength int) ([]byte, error) { - setServiceIndicator(salt, keyLength) - - if keyLength <= 0 { - return nil, errors.New("pkbdf2: keyLength must be larger than 0") - } - - prf := hmac.New(h, []byte(password)) - hmac.MarkAsUsedInKDF(prf) - hashLen := prf.Size() - numBlocks := divRoundUp(keyLength, hashLen) - const maxBlocks = int64(1<<32 - 1) - if keyLength+hashLen < keyLength || int64(numBlocks) > maxBlocks { - return nil, errors.New("pbkdf2: keyLength too long") - } - - var buf [4]byte - dk := make([]byte, 0, numBlocks*hashLen) - U := make([]byte, hashLen) - for block := 1; block <= numBlocks; block++ { - // N.B.: || means concatenation, ^ means XOR - // for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter - // U_1 = PRF(password, salt || uint(i)) - prf.Reset() - prf.Write(salt) - buf[0] = byte(block >> 24) - buf[1] = byte(block >> 16) - buf[2] = byte(block >> 8) - buf[3] = byte(block) - prf.Write(buf[:4]) - dk = prf.Sum(dk) - T := dk[len(dk)-hashLen:] - copy(U, T) - - // U_n = PRF(password, U_(n-1)) - for n := 2; n <= iter; n++ { - prf.Reset() - prf.Write(U) - U = U[:0] - U = prf.Sum(U) - for x := range U { - T[x] ^= U[x] - } - } - } - return dk[:keyLength], nil -} - -func setServiceIndicator(salt []byte, keyLength int) { - // The HMAC construction will handle the hash function considerations for the service - // indicator. The remaining PBKDF2 considerations outlined by SP 800-132 pertain to - // salt and keyLength. - - // The length of the randomly-generated portion of the salt shall be at least 128 bits. - if len(salt) < 128/8 { - fips140.RecordNonApproved() - } - - // Per FIPS 140-3 IG C.M, key lengths below 112 bits are only allowed for - // legacy use (i.e. verification only) and we don't support that. - if keyLength < 112/8 { - fips140.RecordNonApproved() - } - - fips140.RecordApproved() -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/pbkdf2/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/pbkdf2/ya.make deleted file mode 100644 index 74eae4bef7a..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/pbkdf2/ya.make +++ /dev/null @@ -1,13 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - pbkdf2.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/cast.go deleted file mode 100644 index b900b32c888..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/cast.go +++ /dev/null @@ -1,234 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package rsa - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140/bigmod" - _ "crypto/internal/fips140/check" - "errors" - "sync" -) - -func testPrivateKey() *PrivateKey { - // https://www.rfc-editor.org/rfc/rfc9500.html#section-2.1 - N, _ := bigmod.NewModulus([]byte{ - 0xB0, 0xF9, 0xE8, 0x19, 0x43, 0xA7, 0xAE, 0x98, - 0x92, 0xAA, 0xDE, 0x17, 0xCA, 0x7C, 0x40, 0xF8, - 0x74, 0x4F, 0xED, 0x2F, 0x81, 0x48, 0xE6, 0xC8, - 0xEA, 0xA2, 0x7B, 0x7D, 0x00, 0x15, 0x48, 0xFB, - 0x51, 0x92, 0xAB, 0x28, 0xB5, 0x6C, 0x50, 0x60, - 0xB1, 0x18, 0xCC, 0xD1, 0x31, 0xE5, 0x94, 0x87, - 0x4C, 0x6C, 0xA9, 0x89, 0xB5, 0x6C, 0x27, 0x29, - 0x6F, 0x09, 0xFB, 0x93, 0xA0, 0x34, 0xDF, 0x32, - 0xE9, 0x7C, 0x6F, 0xF0, 0x99, 0x8C, 0xFD, 0x8E, - 0x6F, 0x42, 0xDD, 0xA5, 0x8A, 0xCD, 0x1F, 0xA9, - 0x79, 0x86, 0xF1, 0x44, 0xF3, 0xD1, 0x54, 0xD6, - 0x76, 0x50, 0x17, 0x5E, 0x68, 0x54, 0xB3, 0xA9, - 0x52, 0x00, 0x3B, 0xC0, 0x68, 0x87, 0xB8, 0x45, - 0x5A, 0xC2, 0xB1, 0x9F, 0x7B, 0x2F, 0x76, 0x50, - 0x4E, 0xBC, 0x98, 0xEC, 0x94, 0x55, 0x71, 0xB0, - 0x78, 0x92, 0x15, 0x0D, 0xDC, 0x6A, 0x74, 0xCA, - 0x0F, 0xBC, 0xD3, 0x54, 0x97, 0xCE, 0x81, 0x53, - 0x4D, 0xAF, 0x94, 0x18, 0x84, 0x4B, 0x13, 0xAE, - 0xA3, 0x1F, 0x9D, 0x5A, 0x6B, 0x95, 0x57, 0xBB, - 0xDF, 0x61, 0x9E, 0xFD, 0x4E, 0x88, 0x7F, 0x2D, - 0x42, 0xB8, 0xDD, 0x8B, 0xC9, 0x87, 0xEA, 0xE1, - 0xBF, 0x89, 0xCA, 0xB8, 0x5E, 0xE2, 0x1E, 0x35, - 0x63, 0x05, 0xDF, 0x6C, 0x07, 0xA8, 0x83, 0x8E, - 0x3E, 0xF4, 0x1C, 0x59, 0x5D, 0xCC, 0xE4, 0x3D, - 0xAF, 0xC4, 0x91, 0x23, 0xEF, 0x4D, 0x8A, 0xBB, - 0xA9, 0x3D, 0x39, 0x05, 0xE4, 0x02, 0x8D, 0x7B, - 0xA9, 0x14, 0x84, 0xA2, 0x75, 0x96, 0xE0, 0x7B, - 0x4B, 0x6E, 0xD9, 0x92, 0xF0, 0x77, 0xB5, 0x24, - 0xD3, 0xDC, 0xFE, 0x7D, 0xDD, 0x55, 0x49, 0xBE, - 0x7C, 0xCE, 0x8D, 0xA0, 0x35, 0xCF, 0xA0, 0xB3, - 0xFB, 0x8F, 0x9E, 0x46, 0xF7, 0x32, 0xB2, 0xA8, - 0x6B, 0x46, 0x01, 0x65, 0xC0, 0x8F, 0x53, 0x13}) - d, _ := bigmod.NewNat().SetBytes([]byte{ - 0x41, 0x18, 0x8B, 0x20, 0xCF, 0xDB, 0xDB, 0xC2, - 0xCF, 0x1F, 0xFE, 0x75, 0x2D, 0xCB, 0xAA, 0x72, - 0x39, 0x06, 0x35, 0x2E, 0x26, 0x15, 0xD4, 0x9D, - 0xCE, 0x80, 0x59, 0x7F, 0xCF, 0x0A, 0x05, 0x40, - 0x3B, 0xEF, 0x00, 0xFA, 0x06, 0x51, 0x82, 0xF7, - 0x2D, 0xEC, 0xFB, 0x59, 0x6F, 0x4B, 0x0C, 0xE8, - 0xFF, 0x59, 0x70, 0xBA, 0xF0, 0x7A, 0x89, 0xA5, - 0x19, 0xEC, 0xC8, 0x16, 0xB2, 0xF4, 0xFF, 0xAC, - 0x50, 0x69, 0xAF, 0x1B, 0x06, 0xBF, 0xEF, 0x7B, - 0xF6, 0xBC, 0xD7, 0x9E, 0x4E, 0x81, 0xC8, 0xC5, - 0xA3, 0xA7, 0xD9, 0x13, 0x0D, 0xC3, 0xCF, 0xBA, - 0xDA, 0xE5, 0xF6, 0xD2, 0x88, 0xF9, 0xAE, 0xE3, - 0xF6, 0xFF, 0x92, 0xFA, 0xE0, 0xF8, 0x1A, 0xF5, - 0x97, 0xBE, 0xC9, 0x6A, 0xE9, 0xFA, 0xB9, 0x40, - 0x2C, 0xD5, 0xFE, 0x41, 0xF7, 0x05, 0xBE, 0xBD, - 0xB4, 0x7B, 0xB7, 0x36, 0xD3, 0xFE, 0x6C, 0x5A, - 0x51, 0xE0, 0xE2, 0x07, 0x32, 0xA9, 0x7B, 0x5E, - 0x46, 0xC1, 0xCB, 0xDB, 0x26, 0xD7, 0x48, 0x54, - 0xC6, 0xB6, 0x60, 0x4A, 0xED, 0x46, 0x37, 0x35, - 0xFF, 0x90, 0x76, 0x04, 0x65, 0x57, 0xCA, 0xF9, - 0x49, 0xBF, 0x44, 0x88, 0x95, 0xC2, 0x04, 0x32, - 0xC1, 0xE0, 0x9C, 0x01, 0x4E, 0xA7, 0x56, 0x60, - 0x43, 0x4F, 0x1A, 0x0F, 0x3B, 0xE2, 0x94, 0xBA, - 0xBC, 0x5D, 0x53, 0x0E, 0x6A, 0x10, 0x21, 0x3F, - 0x53, 0xB6, 0x03, 0x75, 0xFC, 0x84, 0xA7, 0x57, - 0x3F, 0x2A, 0xF1, 0x21, 0x55, 0x84, 0xF5, 0xB4, - 0xBD, 0xA6, 0xD4, 0xE8, 0xF9, 0xE1, 0x7A, 0x78, - 0xD9, 0x7E, 0x77, 0xB8, 0x6D, 0xA4, 0xA1, 0x84, - 0x64, 0x75, 0x31, 0x8A, 0x7A, 0x10, 0xA5, 0x61, - 0x01, 0x4E, 0xFF, 0xA2, 0x3A, 0x81, 0xEC, 0x56, - 0xE9, 0xE4, 0x10, 0x9D, 0xEF, 0x8C, 0xB3, 0xF7, - 0x97, 0x22, 0x3F, 0x7D, 0x8D, 0x0D, 0x43, 0x51}, N) - p, _ := bigmod.NewModulus([]byte{ - 0xDD, 0x10, 0x57, 0x02, 0x38, 0x2F, 0x23, 0x2B, - 0x36, 0x81, 0xF5, 0x37, 0x91, 0xE2, 0x26, 0x17, - 0xC7, 0xBF, 0x4E, 0x9A, 0xCB, 0x81, 0xED, 0x48, - 0xDA, 0xF6, 0xD6, 0x99, 0x5D, 0xA3, 0xEA, 0xB6, - 0x42, 0x83, 0x9A, 0xFF, 0x01, 0x2D, 0x2E, 0xA6, - 0x28, 0xB9, 0x0A, 0xF2, 0x79, 0xFD, 0x3E, 0x6F, - 0x7C, 0x93, 0xCD, 0x80, 0xF0, 0x72, 0xF0, 0x1F, - 0xF2, 0x44, 0x3B, 0x3E, 0xE8, 0xF2, 0x4E, 0xD4, - 0x69, 0xA7, 0x96, 0x13, 0xA4, 0x1B, 0xD2, 0x40, - 0x20, 0xF9, 0x2F, 0xD1, 0x10, 0x59, 0xBD, 0x1D, - 0x0F, 0x30, 0x1B, 0x5B, 0xA7, 0xA9, 0xD3, 0x63, - 0x7C, 0xA8, 0xD6, 0x5C, 0x1A, 0x98, 0x15, 0x41, - 0x7D, 0x8E, 0xAB, 0x73, 0x4B, 0x0B, 0x4F, 0x3A, - 0x2C, 0x66, 0x1D, 0x9A, 0x1A, 0x82, 0xF3, 0xAC, - 0x73, 0x4C, 0x40, 0x53, 0x06, 0x69, 0xAB, 0x8E, - 0x47, 0x30, 0x45, 0xA5, 0x8E, 0x65, 0x53, 0x9D}) - q, _ := bigmod.NewModulus([]byte{ - 0xCC, 0xF1, 0xE5, 0xBB, 0x90, 0xC8, 0xE9, 0x78, - 0x1E, 0xA7, 0x5B, 0xEB, 0xF1, 0x0B, 0xC2, 0x52, - 0xE1, 0x1E, 0xB0, 0x23, 0xA0, 0x26, 0x0F, 0x18, - 0x87, 0x55, 0x2A, 0x56, 0x86, 0x3F, 0x4A, 0x64, - 0x21, 0xE8, 0xC6, 0x00, 0xBF, 0x52, 0x3D, 0x6C, - 0xB1, 0xB0, 0xAD, 0xBD, 0xD6, 0x5B, 0xFE, 0xE4, - 0xA8, 0x8A, 0x03, 0x7E, 0x3D, 0x1A, 0x41, 0x5E, - 0x5B, 0xB9, 0x56, 0x48, 0xDA, 0x5A, 0x0C, 0xA2, - 0x6B, 0x54, 0xF4, 0xA6, 0x39, 0x48, 0x52, 0x2C, - 0x3D, 0x5F, 0x89, 0xB9, 0x4A, 0x72, 0xEF, 0xFF, - 0x95, 0x13, 0x4D, 0x59, 0x40, 0xCE, 0x45, 0x75, - 0x8F, 0x30, 0x89, 0x80, 0x90, 0x89, 0x56, 0x58, - 0x8E, 0xEF, 0x57, 0x5B, 0x3E, 0x4B, 0xC4, 0xC3, - 0x68, 0xCF, 0xE8, 0x13, 0xEE, 0x9C, 0x25, 0x2C, - 0x2B, 0x02, 0xE0, 0xDF, 0x91, 0xF1, 0xAA, 0x01, - 0x93, 0x8D, 0x38, 0x68, 0x5D, 0x60, 0xBA, 0x6F}) - qInv, _ := bigmod.NewNat().SetBytes([]byte{ - 0x0A, 0x81, 0xD8, 0xA6, 0x18, 0x31, 0x4A, 0x80, - 0x3A, 0xF6, 0x1C, 0x06, 0x71, 0x1F, 0x2C, 0x39, - 0xB2, 0x66, 0xFF, 0x41, 0x4D, 0x53, 0x47, 0x6D, - 0x1D, 0xA5, 0x2A, 0x43, 0x18, 0xAA, 0xFE, 0x4B, - 0x96, 0xF0, 0xDA, 0x07, 0x15, 0x5F, 0x8A, 0x51, - 0x34, 0xDA, 0xB8, 0x8E, 0xE2, 0x9E, 0x81, 0x68, - 0x07, 0x6F, 0xCD, 0x78, 0xCA, 0x79, 0x1A, 0xC6, - 0x34, 0x42, 0xA8, 0x1C, 0xD0, 0x69, 0x39, 0x27, - 0xD8, 0x08, 0xE3, 0x35, 0xE8, 0xD8, 0xCB, 0xF2, - 0x12, 0x19, 0x07, 0x50, 0x9A, 0x57, 0x75, 0x9B, - 0x4F, 0x9A, 0x18, 0xFA, 0x3A, 0x7B, 0x33, 0x37, - 0x79, 0xED, 0xDE, 0x7A, 0x45, 0x93, 0x84, 0xF8, - 0x44, 0x4A, 0xDA, 0xEC, 0xFF, 0xEC, 0x95, 0xFD, - 0x55, 0x2B, 0x0C, 0xFC, 0xB6, 0xC7, 0xF6, 0x92, - 0x62, 0x6D, 0xDE, 0x1E, 0xF2, 0x68, 0xA4, 0x0D, - 0x2F, 0x67, 0xB5, 0xC8, 0xAA, 0x38, 0x7F, 0xF7}, p) - dP := []byte{ - 0x09, 0xED, 0x54, 0xEA, 0xED, 0x98, 0xF8, 0x4C, - 0x55, 0x7B, 0x4A, 0x86, 0xBF, 0x4F, 0x57, 0x84, - 0x93, 0xDC, 0xBC, 0x6B, 0xE9, 0x1D, 0xA1, 0x89, - 0x37, 0x04, 0x04, 0xA9, 0x08, 0x72, 0x76, 0xF4, - 0xCE, 0x51, 0xD8, 0xA1, 0x00, 0xED, 0x85, 0x7D, - 0xC2, 0xB0, 0x64, 0x94, 0x74, 0xF3, 0xF1, 0x5C, - 0xD2, 0x4C, 0x54, 0xDB, 0x28, 0x71, 0x10, 0xE5, - 0x6E, 0x5C, 0xB0, 0x08, 0x68, 0x2F, 0x91, 0x68, - 0xAA, 0x81, 0xF3, 0x14, 0x58, 0xB7, 0x43, 0x1E, - 0xCC, 0x1C, 0x44, 0x90, 0x6F, 0xDA, 0x87, 0xCA, - 0x89, 0x47, 0x10, 0xC3, 0x71, 0xE9, 0x07, 0x6C, - 0x1D, 0x49, 0xFB, 0xAE, 0x51, 0x27, 0x69, 0x34, - 0xF2, 0xAD, 0x78, 0x77, 0x89, 0xF4, 0x2D, 0x0F, - 0xA0, 0xB4, 0xC9, 0x39, 0x85, 0x5D, 0x42, 0x12, - 0x09, 0x6F, 0x70, 0x28, 0x0A, 0x4E, 0xAE, 0x7C, - 0x8A, 0x27, 0xD9, 0xC8, 0xD0, 0x77, 0x2E, 0x65} - dQ := []byte{ - 0x8C, 0xB6, 0x85, 0x7A, 0x7B, 0xD5, 0x46, 0x5F, - 0x80, 0x04, 0x7E, 0x9B, 0x87, 0xBC, 0x00, 0x27, - 0x31, 0x84, 0x05, 0x81, 0xE0, 0x62, 0x61, 0x39, - 0x01, 0x2A, 0x5B, 0x50, 0x5F, 0x0A, 0x33, 0x84, - 0x7E, 0xB7, 0xB8, 0xC3, 0x28, 0x99, 0x49, 0xAD, - 0x48, 0x6F, 0x3B, 0x4B, 0x3D, 0x53, 0x9A, 0xB5, - 0xDA, 0x76, 0x30, 0x21, 0xCB, 0xC8, 0x2C, 0x1B, - 0xA2, 0x34, 0xA5, 0x66, 0x8D, 0xED, 0x08, 0x01, - 0xB8, 0x59, 0xF3, 0x43, 0xF1, 0xCE, 0x93, 0x04, - 0xE6, 0xFA, 0xA2, 0xB0, 0x02, 0xCA, 0xD9, 0xB7, - 0x8C, 0xDE, 0x5C, 0xDC, 0x2C, 0x1F, 0xB4, 0x17, - 0x1C, 0x42, 0x42, 0x16, 0x70, 0xA6, 0xAB, 0x0F, - 0x50, 0xCC, 0x4A, 0x19, 0x4E, 0xB3, 0x6D, 0x1C, - 0x91, 0xE9, 0x35, 0xBA, 0x01, 0xB9, 0x59, 0xD8, - 0x72, 0x8B, 0x9E, 0x64, 0x42, 0x6B, 0x3F, 0xC3, - 0xA7, 0x50, 0x6D, 0xEB, 0x52, 0x39, 0xA8, 0xA7} - return &PrivateKey{ - pub: PublicKey{ - N: N, E: 65537, - }, - d: d, p: p, q: q, qInv: qInv, dP: dP, dQ: dQ, - fipsApproved: true, - } - -} - -var fipsSelfTest = sync.OnceFunc(func() { - fips140.CAST("RSASSA-PKCS-v1.5 2048-bit sign and verify", func() error { - k := testPrivateKey() - hash := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, - } - want := []byte{ - 0x16, 0x98, 0x33, 0xc7, 0x30, 0x2c, 0x0a, 0xdc, - 0x0a, 0x8d, 0x02, 0x58, 0xeb, 0xf9, 0x7d, 0xb6, - 0x2a, 0xad, 0xee, 0x63, 0x72, 0xaa, 0x37, 0x2c, - 0xb3, 0x06, 0x04, 0xdf, 0xdb, 0x2b, 0xbc, 0xb1, - 0x76, 0x3e, 0xeb, 0x87, 0xef, 0x91, 0xef, 0x74, - 0x69, 0x62, 0x27, 0xf3, 0x24, 0xf8, 0xe7, 0x0e, - 0xb2, 0x15, 0x3f, 0xa2, 0x4d, 0xe2, 0x0c, 0xd4, - 0xdc, 0x2d, 0xc1, 0x1a, 0x84, 0x7c, 0x88, 0x80, - 0xb9, 0xa9, 0x23, 0x67, 0x39, 0x2e, 0x86, 0xc0, - 0x53, 0x9b, 0xc1, 0x35, 0xb3, 0x17, 0x5e, 0x62, - 0x95, 0xd6, 0xbc, 0x2a, 0xa6, 0xb1, 0xcf, 0x8f, - 0x99, 0x43, 0x1f, 0x3d, 0xd2, 0x70, 0x3f, 0x01, - 0x37, 0x2b, 0xdd, 0x69, 0x1a, 0x5c, 0x2b, 0x04, - 0x70, 0x92, 0xea, 0x2d, 0x86, 0x00, 0xcb, 0x79, - 0xca, 0xaf, 0xa4, 0x1c, 0xd9, 0x61, 0x21, 0x3b, - 0x1e, 0xc5, 0x88, 0xfb, 0xff, 0xbd, 0xc7, 0x3c, - 0x36, 0xa1, 0xc6, 0x85, 0x03, 0xaf, 0x47, 0x4f, - 0x42, 0x9e, 0x23, 0x65, 0x24, 0x69, 0x17, 0xdb, - 0xe7, 0xb7, 0xdc, 0x51, 0xc6, 0x30, 0x40, 0x32, - 0x4f, 0x71, 0xf1, 0x62, 0x2d, 0xaa, 0x98, 0xdb, - 0x11, 0x14, 0xf9, 0x9c, 0x35, 0xc3, 0x16, 0xe1, - 0x1a, 0xd1, 0x8c, 0x4d, 0x8c, 0xad, 0x06, 0x34, - 0xd2, 0x84, 0x97, 0xa4, 0x0b, 0x6e, 0x6d, 0x19, - 0x9f, 0xa7, 0x40, 0x1e, 0xb5, 0xfc, 0x4e, 0x12, - 0x08, 0xec, 0xf4, 0x07, 0x13, 0xdc, 0x5a, 0x8c, - 0xd5, 0x2a, 0xd6, 0x5a, 0x2c, 0xc9, 0x54, 0x84, - 0x78, 0x34, 0x8f, 0x11, 0xfb, 0x6e, 0xd4, 0x27, - 0x45, 0xd9, 0xfa, 0x90, 0x82, 0x83, 0x73, 0x22, - 0x15, 0xab, 0x96, 0x13, 0x0d, 0x52, 0x1c, 0xdc, - 0x17, 0xde, 0x12, 0x6f, 0x84, 0x46, 0xbb, 0xec, - 0xe3, 0xb1, 0xa1, 0x5d, 0x8b, 0xeb, 0xe6, 0xae, - 0x02, 0xb8, 0x76, 0x47, 0x76, 0x11, 0x61, 0x2b, - } - sig, err := signPKCS1v15(k, "SHA-256", hash) - if err != nil { - return err - } - if err := verifyPKCS1v15(k.PublicKey(), "SHA-256", hash, sig); err != nil { - return err - } - if !bytes.Equal(sig, want) { - return errors.New("unexpected result") - } - return nil - }) -}) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/keygen.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/keygen.go deleted file mode 100644 index 00b325d24b2..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/keygen.go +++ /dev/null @@ -1,419 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package rsa - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/bigmod" - "crypto/internal/fips140/drbg" - "errors" - "io" -) - -// GenerateKey generates a new RSA key pair of the given bit size. -// bits must be at least 32. -func GenerateKey(rand io.Reader, bits int) (*PrivateKey, error) { - if bits < 32 { - return nil, errors.New("rsa: key too small") - } - fips140.RecordApproved() - if bits < 2048 || bits%2 == 1 { - fips140.RecordNonApproved() - } - - for { - p, err := randomPrime(rand, (bits+1)/2) - if err != nil { - return nil, err - } - q, err := randomPrime(rand, bits/2) - if err != nil { - return nil, err - } - - P, err := bigmod.NewModulus(p) - if err != nil { - return nil, err - } - Q, err := bigmod.NewModulus(q) - if err != nil { - return nil, err - } - - if Q.Nat().ExpandFor(P).Equal(P.Nat()) == 1 { - return nil, errors.New("rsa: generated p == q, random source is broken") - } - - N, err := bigmod.NewModulusProduct(p, q) - if err != nil { - return nil, err - } - if N.BitLen() != bits { - return nil, errors.New("rsa: internal error: modulus size incorrect") - } - - // d can be safely computed as e⁻¹ mod φ(N) where φ(N) = (p-1)(q-1), and - // indeed that's what both the original RSA paper and the pre-FIPS - // crypto/rsa implementation did. - // - // However, FIPS 186-5, A.1.1(3) requires computing it as e⁻¹ mod λ(N) - // where λ(N) = lcm(p-1, q-1). - // - // This makes d smaller by 1.5 bits on average, which is irrelevant both - // because we exclusively use the CRT for private operations and because - // we use constant time windowed exponentiation. On the other hand, it - // requires computing a GCD of two values that are not coprime, and then - // a division, both complex variable-time operations. - λ, err := totient(P, Q) - if err == errDivisorTooLarge { - // The divisor is too large, try again with different primes. - continue - } - if err != nil { - return nil, err - } - - e := bigmod.NewNat().SetUint(65537) - d, ok := bigmod.NewNat().InverseVarTime(e, λ) - if !ok { - // This checks that GCD(e, lcm(p-1, q-1)) = 1, which is equivalent - // to checking GCD(e, p-1) = 1 and GCD(e, q-1) = 1 separately in - // FIPS 186-5, Appendix A.1.3, steps 4.5 and 5.6. - // - // We waste a prime by retrying the whole process, since 65537 is - // probably only a factor of one of p-1 or q-1, but the probability - // of this check failing is only 1/65537, so it doesn't matter. - continue - } - - if e.ExpandFor(λ).Mul(d, λ).IsOne() == 0 { - return nil, errors.New("rsa: internal error: e*d != 1 mod λ(N)") - } - - // FIPS 186-5, A.1.1(3) requires checking that d > 2^(nlen / 2). - // - // The probability of this check failing when d is derived from - // (e, p, q) is roughly - // - // 2^(nlen/2) / 2^nlen = 2^(-nlen/2) - // - // so less than 2⁻¹²⁸ for keys larger than 256 bits. - // - // We still need to check to comply with FIPS 186-5, but knowing it has - // negligible chance of failure we can defer the check to the end of key - // generation and return an error if it fails. See [checkPrivateKey]. - - k, err := newPrivateKey(N, 65537, d, P, Q) - if err != nil { - return nil, err - } - - if k.fipsApproved { - fips140.PCT("RSA sign and verify PCT", func() error { - hash := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, - } - sig, err := signPKCS1v15(k, "SHA-256", hash) - if err != nil { - return err - } - return verifyPKCS1v15(k.PublicKey(), "SHA-256", hash, sig) - }) - } - - return k, nil - } -} - -// errDivisorTooLarge is returned by [totient] when gcd(p-1, q-1) is too large. -var errDivisorTooLarge = errors.New("divisor too large") - -// totient computes the Carmichael totient function λ(N) = lcm(p-1, q-1). -func totient(p, q *bigmod.Modulus) (*bigmod.Modulus, error) { - a, b := p.Nat().SubOne(p), q.Nat().SubOne(q) - - // lcm(a, b) = a×b / gcd(a, b) = a × (b / gcd(a, b)) - - // Our GCD requires at least one of the numbers to be odd. For LCM we only - // need to preserve the larger prime power of each prime factor, so we can - // right-shift the number with the fewest trailing zeros until it's odd. - // For odd a, b and m >= n, lcm(a×2ᵐ, b×2ⁿ) = lcm(a×2ᵐ, b). - az, bz := a.TrailingZeroBitsVarTime(), b.TrailingZeroBitsVarTime() - if az < bz { - a = a.ShiftRightVarTime(az) - } else { - b = b.ShiftRightVarTime(bz) - } - - gcd, err := bigmod.NewNat().GCDVarTime(a, b) - if err != nil { - return nil, err - } - if gcd.IsOdd() == 0 { - return nil, errors.New("rsa: internal error: gcd(a, b) is even") - } - - // To avoid implementing multiple-precision division, we just try again if - // the divisor doesn't fit in a single word. This would have a chance of - // 2⁻⁶⁴ on 64-bit platforms, and 2⁻³² on 32-bit platforms, but testing 2⁻⁶⁴ - // edge cases is impractical, and we'd rather not behave differently on - // different platforms, so we reject divisors above 2³²-1. - if gcd.BitLenVarTime() > 32 { - return nil, errDivisorTooLarge - } - if gcd.IsZero() == 1 || gcd.Bits()[0] == 0 { - return nil, errors.New("rsa: internal error: gcd(a, b) is zero") - } - if rem := b.DivShortVarTime(gcd.Bits()[0]); rem != 0 { - return nil, errors.New("rsa: internal error: b is not divisible by gcd(a, b)") - } - - return bigmod.NewModulusProduct(a.Bytes(p), b.Bytes(q)) -} - -// randomPrime returns a random prime number of the given bit size following -// the process in FIPS 186-5, Appendix A.1.3. -func randomPrime(rand io.Reader, bits int) ([]byte, error) { - if bits < 16 { - return nil, errors.New("rsa: prime size must be at least 16 bits") - } - - b := make([]byte, (bits+7)/8) - for { - if err := drbg.ReadWithReader(rand, b); err != nil { - return nil, err - } - // Clear the most significant bits to reach the desired size. We use a - // mask rather than right-shifting b[0] to make it easier to inject test - // candidates, which can be represented as simple big-endian integers. - excess := len(b)*8 - bits - b[0] &= 0b1111_1111 >> excess - - // Don't let the value be too small: set the most significant two bits. - // Setting the top two bits, rather than just the top bit, means that - // when two of these values are multiplied together, the result isn't - // ever one bit short. - if excess < 7 { - b[0] |= 0b1100_0000 >> excess - } else { - b[0] |= 0b0000_0001 - b[1] |= 0b1000_0000 - } - - // Make the value odd since an even number certainly isn't prime. - b[len(b)-1] |= 1 - - // We don't need to check for p >= √2 × 2^(bits-1) (steps 4.4 and 5.4) - // because we set the top two bits above, so - // - // p > 2^(bits-1) + 2^(bits-2) = 3⁄2 × 2^(bits-1) > √2 × 2^(bits-1) - // - - // Step 5.5 requires checking that |p - q| > 2^(nlen/2 - 100). - // - // The probability of |p - q| ≤ k where p and q are uniformly random in - // the range (a, b) is 1 - (b-a-k)^2 / (b-a)^2, so the probability of - // this check failing during key generation is 2⁻⁹⁷. - // - // We still need to check to comply with FIPS 186-5, but knowing it has - // negligible chance of failure we can defer the check to the end of key - // generation and return an error if it fails. See [checkPrivateKey]. - - if isPrime(b) { - return b, nil - } - } -} - -// isPrime runs the Miller-Rabin Probabilistic Primality Test from -// FIPS 186-5, Appendix B.3.1. -// -// w must be a random odd integer greater than three in big-endian order. -// isPrime might return false positives for adversarially chosen values. -// -// isPrime is not constant-time. -func isPrime(w []byte) bool { - mr, err := millerRabinSetup(w) - if err != nil { - // w is zero, one, or even. - return false - } - - // Before Miller-Rabin, rule out most composites with trial divisions. - for i := 0; i < len(primes); i += 3 { - p1, p2, p3 := primes[i], primes[i+1], primes[i+2] - r := mr.w.Nat().DivShortVarTime(p1 * p2 * p3) - if r%p1 == 0 || r%p2 == 0 || r%p3 == 0 { - return false - } - } - - // iterations is the number of Miller-Rabin rounds, each with a - // randomly-selected base. - // - // The worst case false positive rate for a single iteration is 1/4 per - // https://eprint.iacr.org/2018/749, so if w were selected adversarially, we - // would need up to 64 iterations to get to a negligible (2⁻¹²⁸) chance of - // false positive. - // - // However, since this function is only used for randomly-selected w in the - // context of RSA key generation, we can use a smaller number of iterations. - // The exact number depends on the size of the prime (and the implied - // security level). See BoringSSL for the full formula. - // https://cs.opensource.google/boringssl/boringssl/+/master:crypto/fipsmodule/bn/prime.c.inc;l=208-283;drc=3a138e43 - bits := mr.w.BitLen() - var iterations int - switch { - case bits >= 3747: - iterations = 3 - case bits >= 1345: - iterations = 4 - case bits >= 476: - iterations = 5 - case bits >= 400: - iterations = 6 - case bits >= 347: - iterations = 7 - case bits >= 308: - iterations = 8 - case bits >= 55: - iterations = 27 - default: - iterations = 34 - } - - b := make([]byte, (bits+7)/8) - for { - drbg.Read(b) - excess := len(b)*8 - bits - b[0] &= 0b1111_1111 >> excess - result, err := millerRabinIteration(mr, b) - if err != nil { - // b was rejected. - continue - } - if result == millerRabinCOMPOSITE { - return false - } - iterations-- - if iterations == 0 { - return true - } - } -} - -// primes are the first prime numbers (except 2), such that the product of any -// three primes fits in a uint32. -// -// More primes cause fewer Miller-Rabin tests of composites (nothing can help -// with the final test on the actual prime) but have diminishing returns: these -// 255 primes catch 84.9% of composites, the next 255 would catch 1.5% more. -// Adding primes can still be marginally useful since they only compete with the -// (much more expensive) first Miller-Rabin round for candidates that were not -// rejected by the previous primes. -var primes = []uint{ - 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, - 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, - 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, - 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, - 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, - 389, 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, - 479, 487, 491, 499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571, 577, - 587, 593, 599, 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661, - 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743, 751, 757, 761, 769, - 773, 787, 797, 809, 811, 821, 823, 827, 829, 839, 853, 857, 859, 863, 877, - 881, 883, 887, 907, 911, 919, 929, 937, 941, 947, 953, 967, 971, 977, 983, - 991, 997, 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 1051, 1061, 1063, 1069, - 1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, 1171, 1181, - 1187, 1193, 1201, 1213, 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, - 1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399, - 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459, 1471, 1481, 1483, 1487, - 1489, 1493, 1499, 1511, 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, - 1597, 1601, 1607, 1609, 1613, 1619, -} - -type millerRabin struct { - w *bigmod.Modulus - a uint - m []byte -} - -// millerRabinSetup prepares state that's reused across multiple iterations of -// the Miller-Rabin test. -func millerRabinSetup(w []byte) (*millerRabin, error) { - mr := &millerRabin{} - - // Check that w is odd, and precompute Montgomery parameters. - wm, err := bigmod.NewModulus(w) - if err != nil { - return nil, err - } - if wm.Nat().IsOdd() == 0 { - return nil, errors.New("candidate is even") - } - mr.w = wm - - // Compute m = (w-1)/2^a, where m is odd. - wMinus1 := mr.w.Nat().SubOne(mr.w) - if wMinus1.IsZero() == 1 { - return nil, errors.New("candidate is one") - } - mr.a = wMinus1.TrailingZeroBitsVarTime() - - // Store mr.m as a big-endian byte slice with leading zero bytes removed, - // for use with [bigmod.Nat.Exp]. - m := wMinus1.ShiftRightVarTime(mr.a) - mr.m = m.Bytes(mr.w) - for mr.m[0] == 0 { - mr.m = mr.m[1:] - } - - return mr, nil -} - -const millerRabinCOMPOSITE = false -const millerRabinPOSSIBLYPRIME = true - -func millerRabinIteration(mr *millerRabin, bb []byte) (bool, error) { - // Reject b ≤ 1 or b ≥ w − 1. - if len(bb) != (mr.w.BitLen()+7)/8 { - return false, errors.New("incorrect length") - } - b := bigmod.NewNat() - if _, err := b.SetBytes(bb, mr.w); err != nil { - return false, err - } - if b.IsZero() == 1 || b.IsOne() == 1 || b.IsMinusOne(mr.w) == 1 { - return false, errors.New("out-of-range candidate") - } - - // Compute b^(m*2^i) mod w for successive i. - // If b^m mod w = 1, b is a possible prime. - // If b^(m*2^i) mod w = -1 for some 0 <= i < a, b is a possible prime. - // Otherwise b is composite. - - // Start by computing and checking b^m mod w (also the i = 0 case). - z := bigmod.NewNat().Exp(b, mr.m, mr.w) - if z.IsOne() == 1 || z.IsMinusOne(mr.w) == 1 { - return millerRabinPOSSIBLYPRIME, nil - } - - // Check b^(m*2^i) mod w = -1 for 0 < i < a. - for range mr.a - 1 { - z.Mul(z, mr.w) - if z.IsMinusOne(mr.w) == 1 { - return millerRabinPOSSIBLYPRIME, nil - } - if z.IsOne() == 1 { - // Future squaring will not turn z == 1 into -1. - break - } - } - - return millerRabinCOMPOSITE, nil -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/pkcs1v15.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/pkcs1v15.go deleted file mode 100644 index d90b640201c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/pkcs1v15.go +++ /dev/null @@ -1,138 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package rsa - -// This file implements signing and verification using PKCS #1 v1.5 signatures. - -import ( - "bytes" - "crypto/internal/fips140" - "errors" -) - -// These are ASN1 DER structures: -// -// DigestInfo ::= SEQUENCE { -// digestAlgorithm AlgorithmIdentifier, -// digest OCTET STRING -// } -// -// For performance, we don't use the generic ASN1 encoder. Rather, we -// precompute a prefix of the digest value that makes a valid ASN1 DER string -// with the correct contents. -var hashPrefixes = map[string][]byte{ - "MD5": {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}, - "SHA-1": {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14}, - "SHA-224": {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c}, - "SHA-256": {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}, - "SHA-384": {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}, - "SHA-512": {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}, - "SHA-512/224": {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05, 0x05, 0x00, 0x04, 0x1C}, - "SHA-512/256": {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x06, 0x05, 0x00, 0x04, 0x20}, - "SHA3-224": {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x07, 0x05, 0x00, 0x04, 0x1C}, - "SHA3-256": {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x08, 0x05, 0x00, 0x04, 0x20}, - "SHA3-384": {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x09, 0x05, 0x00, 0x04, 0x30}, - "SHA3-512": {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0a, 0x05, 0x00, 0x04, 0x40}, - "MD5+SHA1": {}, // A special TLS case which doesn't use an ASN1 prefix. - "RIPEMD-160": {0x30, 0x20, 0x30, 0x08, 0x06, 0x06, 0x28, 0xcf, 0x06, 0x03, 0x00, 0x31, 0x04, 0x14}, -} - -// SignPKCS1v15 calculates an RSASSA-PKCS1-v1.5 signature. -// -// hash is the name of the hash function as returned by [crypto.Hash.String] -// or the empty string to indicate that the message is signed directly. -func SignPKCS1v15(priv *PrivateKey, hash string, hashed []byte) ([]byte, error) { - fipsSelfTest() - fips140.RecordApproved() - checkApprovedHashName(hash) - - return signPKCS1v15(priv, hash, hashed) -} - -func signPKCS1v15(priv *PrivateKey, hash string, hashed []byte) ([]byte, error) { - em, err := pkcs1v15ConstructEM(&priv.pub, hash, hashed) - if err != nil { - return nil, err - } - - return decrypt(priv, em, withCheck) -} - -func pkcs1v15ConstructEM(pub *PublicKey, hash string, hashed []byte) ([]byte, error) { - // Special case: "" is used to indicate that the data is signed directly. - var prefix []byte - if hash != "" { - var ok bool - prefix, ok = hashPrefixes[hash] - if !ok { - return nil, errors.New("crypto/rsa: unsupported hash function") - } - } - - // EM = 0x00 || 0x01 || PS || 0x00 || T - k := pub.Size() - if k < len(prefix)+len(hashed)+2+8+1 { - return nil, ErrMessageTooLong - } - em := make([]byte, k) - em[1] = 1 - for i := 2; i < k-len(prefix)-len(hashed)-1; i++ { - em[i] = 0xff - } - copy(em[k-len(prefix)-len(hashed):], prefix) - copy(em[k-len(hashed):], hashed) - return em, nil -} - -// VerifyPKCS1v15 verifies an RSASSA-PKCS1-v1.5 signature. -// -// hash is the name of the hash function as returned by [crypto.Hash.String] -// or the empty string to indicate that the message is signed directly. -func VerifyPKCS1v15(pub *PublicKey, hash string, hashed []byte, sig []byte) error { - fipsSelfTest() - fips140.RecordApproved() - checkApprovedHashName(hash) - - return verifyPKCS1v15(pub, hash, hashed, sig) -} - -func verifyPKCS1v15(pub *PublicKey, hash string, hashed []byte, sig []byte) error { - if fipsApproved, err := checkPublicKey(pub); err != nil { - return err - } else if !fipsApproved { - fips140.RecordNonApproved() - } - - // RFC 8017 Section 8.2.2: If the length of the signature S is not k - // octets (where k is the length in octets of the RSA modulus n), output - // "invalid signature" and stop. - if pub.Size() != len(sig) { - return ErrVerification - } - - em, err := encrypt(pub, sig) - if err != nil { - return ErrVerification - } - - expected, err := pkcs1v15ConstructEM(pub, hash, hashed) - if err != nil { - return ErrVerification - } - if !bytes.Equal(em, expected) { - return ErrVerification - } - - return nil -} - -func checkApprovedHashName(hash string) { - switch hash { - case "SHA-224", "SHA-256", "SHA-384", "SHA-512", "SHA-512/224", "SHA-512/256", - "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512": - default: - fips140.RecordNonApproved() - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/pkcs1v22.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/pkcs1v22.go deleted file mode 100644 index de7943773e6..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/pkcs1v22.go +++ /dev/null @@ -1,473 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package rsa - -// This file implements the RSASSA-PSS signature scheme and the RSAES-OAEP -// encryption scheme according to RFC 8017, aka PKCS #1 v2.2. - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140/drbg" - "crypto/internal/fips140/sha256" - "crypto/internal/fips140/sha3" - "crypto/internal/fips140/sha512" - "crypto/internal/fips140/subtle" - "errors" - "hash" - "io" -) - -// Per RFC 8017, Section 9.1 -// -// EM = MGF1 xor DB || H( 8*0x00 || mHash || salt ) || 0xbc -// -// where -// -// DB = PS || 0x01 || salt -// -// and PS can be empty so -// -// emLen = dbLen + hLen + 1 = psLen + sLen + hLen + 2 -// - -// incCounter increments a four byte, big-endian counter. -func incCounter(c *[4]byte) { - if c[3]++; c[3] != 0 { - return - } - if c[2]++; c[2] != 0 { - return - } - if c[1]++; c[1] != 0 { - return - } - c[0]++ -} - -// mgf1XOR XORs the bytes in out with a mask generated using the MGF1 function -// specified in PKCS #1 v2.1. -func mgf1XOR(out []byte, hash hash.Hash, seed []byte) { - var counter [4]byte - var digest []byte - - done := 0 - for done < len(out) { - hash.Reset() - hash.Write(seed) - hash.Write(counter[0:4]) - digest = hash.Sum(digest[:0]) - - for i := 0; i < len(digest) && done < len(out); i++ { - out[done] ^= digest[i] - done++ - } - incCounter(&counter) - } -} - -func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byte, error) { - // See RFC 8017, Section 9.1.1. - - hLen := hash.Size() - sLen := len(salt) - emLen := (emBits + 7) / 8 - - // 1. If the length of M is greater than the input limitation for the - // hash function (2^61 - 1 octets for SHA-1), output "message too - // long" and stop. - // - // 2. Let mHash = Hash(M), an octet string of length hLen. - - if len(mHash) != hLen { - return nil, errors.New("crypto/rsa: input must be hashed with given hash") - } - - // 3. If emLen < hLen + sLen + 2, output "encoding error" and stop. - - if emLen < hLen+sLen+2 { - return nil, ErrMessageTooLong - } - - em := make([]byte, emLen) - psLen := emLen - sLen - hLen - 2 - db := em[:psLen+1+sLen] - h := em[psLen+1+sLen : emLen-1] - - // 4. Generate a random octet string salt of length sLen; if sLen = 0, - // then salt is the empty string. - // - // 5. Let - // M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt; - // - // M' is an octet string of length 8 + hLen + sLen with eight - // initial zero octets. - // - // 6. Let H = Hash(M'), an octet string of length hLen. - - var prefix [8]byte - - hash.Reset() - hash.Write(prefix[:]) - hash.Write(mHash) - hash.Write(salt) - - h = hash.Sum(h[:0]) - - // 7. Generate an octet string PS consisting of emLen - sLen - hLen - 2 - // zero octets. The length of PS may be 0. - // - // 8. Let DB = PS || 0x01 || salt; DB is an octet string of length - // emLen - hLen - 1. - - db[psLen] = 0x01 - copy(db[psLen+1:], salt) - - // 9. Let dbMask = MGF(H, emLen - hLen - 1). - // - // 10. Let maskedDB = DB \xor dbMask. - - mgf1XOR(db, hash, h) - - // 11. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in - // maskedDB to zero. - - db[0] &= 0xff >> (8*emLen - emBits) - - // 12. Let EM = maskedDB || H || 0xbc. - em[emLen-1] = 0xbc - - // 13. Output EM. - return em, nil -} - -const pssSaltLengthAutodetect = -1 - -func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error { - // See RFC 8017, Section 9.1.2. - - hLen := hash.Size() - emLen := (emBits + 7) / 8 - if emLen != len(em) { - return errors.New("rsa: internal error: inconsistent length") - } - - // 1. If the length of M is greater than the input limitation for the - // hash function (2^61 - 1 octets for SHA-1), output "inconsistent" - // and stop. - // - // 2. Let mHash = Hash(M), an octet string of length hLen. - if hLen != len(mHash) { - return ErrVerification - } - - // 3. If emLen < hLen + sLen + 2, output "inconsistent" and stop. - if emLen < hLen+sLen+2 { - return ErrVerification - } - - // 4. If the rightmost octet of EM does not have hexadecimal value - // 0xbc, output "inconsistent" and stop. - if em[emLen-1] != 0xbc { - return ErrVerification - } - - // 5. Let maskedDB be the leftmost emLen - hLen - 1 octets of EM, and - // let H be the next hLen octets. - db := em[:emLen-hLen-1] - h := em[emLen-hLen-1 : emLen-1] - - // 6. If the leftmost 8 * emLen - emBits bits of the leftmost octet in - // maskedDB are not all equal to zero, output "inconsistent" and - // stop. - var bitMask byte = 0xff >> (8*emLen - emBits) - if em[0] & ^bitMask != 0 { - return ErrVerification - } - - // 7. Let dbMask = MGF(H, emLen - hLen - 1). - // - // 8. Let DB = maskedDB \xor dbMask. - mgf1XOR(db, hash, h) - - // 9. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in DB - // to zero. - db[0] &= bitMask - - // If we don't know the salt length, look for the 0x01 delimiter. - if sLen == pssSaltLengthAutodetect { - psLen := bytes.IndexByte(db, 0x01) - if psLen < 0 { - return ErrVerification - } - sLen = len(db) - psLen - 1 - } - - // FIPS 186-5, Section 5.4(g): "the length (in bytes) of the salt (sLen) - // shall satisfy 0 ≤ sLen ≤ hLen". - if sLen > hLen { - fips140.RecordNonApproved() - } - - // 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero - // or if the octet at position emLen - hLen - sLen - 1 (the leftmost - // position is "position 1") does not have hexadecimal value 0x01, - // output "inconsistent" and stop. - psLen := emLen - hLen - sLen - 2 - for _, e := range db[:psLen] { - if e != 0x00 { - return ErrVerification - } - } - if db[psLen] != 0x01 { - return ErrVerification - } - - // 11. Let salt be the last sLen octets of DB. - salt := db[len(db)-sLen:] - - // 12. Let - // M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt ; - // M' is an octet string of length 8 + hLen + sLen with eight - // initial zero octets. - // - // 13. Let H' = Hash(M'), an octet string of length hLen. - hash.Reset() - var prefix [8]byte - hash.Write(prefix[:]) - hash.Write(mHash) - hash.Write(salt) - - h0 := hash.Sum(nil) - - // 14. If H = H', output "consistent." Otherwise, output "inconsistent." - if !bytes.Equal(h0, h) { - return ErrVerification - } - return nil -} - -// PSSMaxSaltLength returns the maximum salt length for a given public key and -// hash function. -func PSSMaxSaltLength(pub *PublicKey, hash hash.Hash) (int, error) { - saltLength := (pub.N.BitLen()-1+7)/8 - 2 - hash.Size() - if saltLength < 0 { - return 0, ErrMessageTooLong - } - // FIPS 186-5, Section 5.4(g): "the length (in bytes) of the salt (sLen) - // shall satisfy 0 ≤ sLen ≤ hLen". - if fips140.Enabled && saltLength > hash.Size() { - return hash.Size(), nil - } - return saltLength, nil -} - -// SignPSS calculates the signature of hashed using RSASSA-PSS. -func SignPSS(rand io.Reader, priv *PrivateKey, hash hash.Hash, hashed []byte, saltLength int) ([]byte, error) { - fipsSelfTest() - fips140.RecordApproved() - checkApprovedHash(hash) - - // Note that while we don't commit to deterministic execution with respect - // to the rand stream, we also don't apply MaybeReadByte, so per Hyrum's Law - // it's probably relied upon by some. It's a tolerable promise because a - // well-specified number of random bytes is included in the signature, in a - // well-specified way. - - if saltLength < 0 { - return nil, errors.New("crypto/rsa: salt length cannot be negative") - } - // FIPS 186-5, Section 5.4(g): "the length (in bytes) of the salt (sLen) - // shall satisfy 0 ≤ sLen ≤ hLen". - if saltLength > hash.Size() { - fips140.RecordNonApproved() - } - salt := make([]byte, saltLength) - if err := drbg.ReadWithReaderDeterministic(rand, salt); err != nil { - return nil, err - } - - emBits := priv.pub.N.BitLen() - 1 - em, err := emsaPSSEncode(hashed, emBits, salt, hash) - if err != nil { - return nil, err - } - - // RFC 8017: "Note that the octet length of EM will be one less than k if - // modBits - 1 is divisible by 8 and equal to k otherwise, where k is the - // length in octets of the RSA modulus n." 🙄 - // - // This is extremely annoying, as all other encrypt and decrypt inputs are - // always the exact same size as the modulus. Since it only happens for - // weird modulus sizes, fix it by padding inefficiently. - if emLen, k := len(em), priv.pub.Size(); emLen < k { - emNew := make([]byte, k) - copy(emNew[k-emLen:], em) - em = emNew - } - - return decrypt(priv, em, withCheck) -} - -// VerifyPSS verifies sig with RSASSA-PSS automatically detecting the salt length. -func VerifyPSS(pub *PublicKey, hash hash.Hash, digest []byte, sig []byte) error { - return verifyPSS(pub, hash, digest, sig, pssSaltLengthAutodetect) -} - -// VerifyPSS verifies sig with RSASSA-PSS and an expected salt length. -func VerifyPSSWithSaltLength(pub *PublicKey, hash hash.Hash, digest []byte, sig []byte, saltLength int) error { - if saltLength < 0 { - return errors.New("crypto/rsa: salt length cannot be negative") - } - return verifyPSS(pub, hash, digest, sig, saltLength) -} - -func verifyPSS(pub *PublicKey, hash hash.Hash, digest []byte, sig []byte, saltLength int) error { - fipsSelfTest() - fips140.RecordApproved() - checkApprovedHash(hash) - if fipsApproved, err := checkPublicKey(pub); err != nil { - return err - } else if !fipsApproved { - fips140.RecordNonApproved() - } - - if len(sig) != pub.Size() { - return ErrVerification - } - - emBits := pub.N.BitLen() - 1 - emLen := (emBits + 7) / 8 - em, err := encrypt(pub, sig) - if err != nil { - return ErrVerification - } - - // Like in signPSSWithSalt, deal with mismatches between emLen and the size - // of the modulus. The spec would have us wire emLen into the encoding - // function, but we'd rather always encode to the size of the modulus and - // then strip leading zeroes if necessary. This only happens for weird - // modulus sizes anyway. - for len(em) > emLen && len(em) > 0 { - if em[0] != 0 { - return ErrVerification - } - em = em[1:] - } - - return emsaPSSVerify(digest, em, emBits, saltLength, hash) -} - -func checkApprovedHash(hash hash.Hash) { - switch hash.(type) { - case *sha256.Digest, *sha512.Digest, *sha3.Digest: - default: - fips140.RecordNonApproved() - } -} - -// EncryptOAEP encrypts the given message with RSAES-OAEP. -func EncryptOAEP(hash, mgfHash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) ([]byte, error) { - // Note that while we don't commit to deterministic execution with respect - // to the random stream, we also don't apply MaybeReadByte, so per Hyrum's - // Law it's probably relied upon by some. It's a tolerable promise because a - // well-specified number of random bytes is included in the ciphertext, in a - // well-specified way. - - fipsSelfTest() - fips140.RecordApproved() - checkApprovedHash(hash) - if fipsApproved, err := checkPublicKey(pub); err != nil { - return nil, err - } else if !fipsApproved { - fips140.RecordNonApproved() - } - k := pub.Size() - if len(msg) > k-2*hash.Size()-2 { - return nil, ErrMessageTooLong - } - - hash.Reset() - hash.Write(label) - lHash := hash.Sum(nil) - - em := make([]byte, k) - seed := em[1 : 1+hash.Size()] - db := em[1+hash.Size():] - - copy(db[0:hash.Size()], lHash) - db[len(db)-len(msg)-1] = 1 - copy(db[len(db)-len(msg):], msg) - - if err := drbg.ReadWithReaderDeterministic(random, seed); err != nil { - return nil, err - } - - mgf1XOR(db, mgfHash, seed) - mgf1XOR(seed, mgfHash, db) - - return encrypt(pub, em) -} - -// DecryptOAEP decrypts ciphertext using RSAES-OAEP. -func DecryptOAEP(hash, mgfHash hash.Hash, priv *PrivateKey, ciphertext []byte, label []byte) ([]byte, error) { - fipsSelfTest() - fips140.RecordApproved() - checkApprovedHash(hash) - - k := priv.pub.Size() - if len(ciphertext) > k || - k < hash.Size()*2+2 { - return nil, ErrDecryption - } - - em, err := decrypt(priv, ciphertext, noCheck) - if err != nil { - return nil, err - } - - hash.Reset() - hash.Write(label) - lHash := hash.Sum(nil) - - firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0) - - seed := em[1 : hash.Size()+1] - db := em[hash.Size()+1:] - - mgf1XOR(seed, mgfHash, db) - mgf1XOR(db, mgfHash, seed) - - lHash2 := db[0:hash.Size()] - - // We have to validate the plaintext in constant time in order to avoid - // attacks like: J. Manger. A Chosen Ciphertext Attack on RSA Optimal - // Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 - // v2.0. In J. Kilian, editor, Advances in Cryptology. - lHash2Good := subtle.ConstantTimeCompare(lHash, lHash2) - - // The remainder of the plaintext must be zero or more 0x00, followed - // by 0x01, followed by the message. - // lookingForIndex: 1 iff we are still looking for the 0x01 - // index: the offset of the first 0x01 byte - // invalid: 1 iff we saw a non-zero byte before the 0x01. - var lookingForIndex, index, invalid int - lookingForIndex = 1 - rest := db[hash.Size():] - - for i := 0; i < len(rest); i++ { - equals0 := subtle.ConstantTimeByteEq(rest[i], 0) - equals1 := subtle.ConstantTimeByteEq(rest[i], 1) - index = subtle.ConstantTimeSelect(lookingForIndex&equals1, i, index) - lookingForIndex = subtle.ConstantTimeSelect(equals1, 0, lookingForIndex) - invalid = subtle.ConstantTimeSelect(lookingForIndex&^equals0, 1, invalid) - } - - if firstByteIsZero&lHash2Good&^invalid&^lookingForIndex != 1 { - return nil, ErrDecryption - } - - return rest[index+1:], nil -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/rsa.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/rsa.go deleted file mode 100644 index 764338940a3..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/rsa.go +++ /dev/null @@ -1,439 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package rsa - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140/bigmod" - "errors" -) - -type PublicKey struct { - N *bigmod.Modulus - E int -} - -// Size returns the modulus size in bytes. Raw signatures and ciphertexts -// for or by this public key will have the same size. -func (pub *PublicKey) Size() int { - return (pub.N.BitLen() + 7) / 8 -} - -type PrivateKey struct { - // pub has already been checked with checkPublicKey. - pub PublicKey - d *bigmod.Nat - // The following values are not set for deprecated multi-prime keys. - // - // Since they are always set for keys in FIPS mode, for SP 800-56B Rev. 2 - // purposes we always use the Chinese Remainder Theorem (CRT) format. - p, q *bigmod.Modulus // p × q = n - // dP and dQ are used as exponents, so we store them as big-endian byte - // slices to be passed to [bigmod.Nat.Exp]. - dP []byte // d mod (p - 1) - dQ []byte // d mod (q - 1) - qInv *bigmod.Nat // qInv = q⁻¹ mod p - // fipsApproved is false if this key does not comply with FIPS 186-5 or - // SP 800-56B Rev. 2. - fipsApproved bool -} - -func (priv *PrivateKey) PublicKey() *PublicKey { - return &priv.pub -} - -// NewPrivateKey creates a new RSA private key from the given parameters. -// -// All values are in big-endian byte slice format, and may have leading zeros -// or be shorter if leading zeroes were trimmed. -func NewPrivateKey(N []byte, e int, d, P, Q []byte) (*PrivateKey, error) { - n, err := bigmod.NewModulus(N) - if err != nil { - return nil, err - } - p, err := bigmod.NewModulus(P) - if err != nil { - return nil, err - } - q, err := bigmod.NewModulus(Q) - if err != nil { - return nil, err - } - dN, err := bigmod.NewNat().SetBytes(d, n) - if err != nil { - return nil, err - } - return newPrivateKey(n, e, dN, p, q) -} - -func newPrivateKey(n *bigmod.Modulus, e int, d *bigmod.Nat, p, q *bigmod.Modulus) (*PrivateKey, error) { - pMinusOne := p.Nat().SubOne(p) - pMinusOneMod, err := bigmod.NewModulus(pMinusOne.Bytes(p)) - if err != nil { - return nil, err - } - dP := bigmod.NewNat().Mod(d, pMinusOneMod).Bytes(pMinusOneMod) - - qMinusOne := q.Nat().SubOne(q) - qMinusOneMod, err := bigmod.NewModulus(qMinusOne.Bytes(q)) - if err != nil { - return nil, err - } - dQ := bigmod.NewNat().Mod(d, qMinusOneMod).Bytes(qMinusOneMod) - - // Constant-time modular inversion with prime modulus by Fermat's Little - // Theorem: qInv = q⁻¹ mod p = q^(p-2) mod p. - if p.Nat().IsOdd() == 0 { - // [bigmod.Nat.Exp] requires an odd modulus. - return nil, errors.New("crypto/rsa: p is even") - } - pMinusTwo := p.Nat().SubOne(p).SubOne(p).Bytes(p) - qInv := bigmod.NewNat().Mod(q.Nat(), p) - qInv.Exp(qInv, pMinusTwo, p) - - pk := &PrivateKey{ - pub: PublicKey{ - N: n, E: e, - }, - d: d, p: p, q: q, - dP: dP, dQ: dQ, qInv: qInv, - } - if err := checkPrivateKey(pk); err != nil { - return nil, err - } - return pk, nil -} - -// NewPrivateKeyWithPrecomputation creates a new RSA private key from the given -// parameters, which include precomputed CRT values. -func NewPrivateKeyWithPrecomputation(N []byte, e int, d, P, Q, dP, dQ, qInv []byte) (*PrivateKey, error) { - n, err := bigmod.NewModulus(N) - if err != nil { - return nil, err - } - p, err := bigmod.NewModulus(P) - if err != nil { - return nil, err - } - q, err := bigmod.NewModulus(Q) - if err != nil { - return nil, err - } - dN, err := bigmod.NewNat().SetBytes(d, n) - if err != nil { - return nil, err - } - qInvNat, err := bigmod.NewNat().SetBytes(qInv, p) - if err != nil { - return nil, err - } - - pk := &PrivateKey{ - pub: PublicKey{ - N: n, E: e, - }, - d: dN, p: p, q: q, - dP: dP, dQ: dQ, qInv: qInvNat, - } - if err := checkPrivateKey(pk); err != nil { - return nil, err - } - return pk, nil -} - -// NewPrivateKeyWithoutCRT creates a new RSA private key from the given parameters. -// -// This is meant for deprecated multi-prime keys, and is not FIPS 140 compliant. -func NewPrivateKeyWithoutCRT(N []byte, e int, d []byte) (*PrivateKey, error) { - n, err := bigmod.NewModulus(N) - if err != nil { - return nil, err - } - dN, err := bigmod.NewNat().SetBytes(d, n) - if err != nil { - return nil, err - } - pk := &PrivateKey{ - pub: PublicKey{ - N: n, E: e, - }, - d: dN, - } - if err := checkPrivateKey(pk); err != nil { - return nil, err - } - return pk, nil -} - -// Export returns the key parameters in big-endian byte slice format. -// -// P, Q, dP, dQ, and qInv may be nil if the key was created with -// NewPrivateKeyWithoutCRT. -func (priv *PrivateKey) Export() (N []byte, e int, d, P, Q, dP, dQ, qInv []byte) { - N = priv.pub.N.Nat().Bytes(priv.pub.N) - e = priv.pub.E - d = priv.d.Bytes(priv.pub.N) - if priv.dP == nil { - return - } - P = priv.p.Nat().Bytes(priv.p) - Q = priv.q.Nat().Bytes(priv.q) - dP = bytes.Clone(priv.dP) - dQ = bytes.Clone(priv.dQ) - qInv = priv.qInv.Bytes(priv.p) - return -} - -// checkPrivateKey is called by the NewPrivateKey and GenerateKey functions, and -// is allowed to modify priv.fipsApproved. -func checkPrivateKey(priv *PrivateKey) error { - priv.fipsApproved = true - - if fipsApproved, err := checkPublicKey(&priv.pub); err != nil { - return err - } else if !fipsApproved { - priv.fipsApproved = false - } - - if priv.dP == nil { - // Legacy and deprecated multi-prime keys. - priv.fipsApproved = false - return nil - } - - N := priv.pub.N - p := priv.p - q := priv.q - - // FIPS 186-5, Section 5.1 requires "that p and q be of the same bit length." - if p.BitLen() != q.BitLen() { - priv.fipsApproved = false - } - - // Check that pq ≡ 1 mod N (and that p < N and q < N). - pN := bigmod.NewNat().ExpandFor(N) - if _, err := pN.SetBytes(p.Nat().Bytes(p), N); err != nil { - return errors.New("crypto/rsa: invalid prime") - } - qN := bigmod.NewNat().ExpandFor(N) - if _, err := qN.SetBytes(q.Nat().Bytes(q), N); err != nil { - return errors.New("crypto/rsa: invalid prime") - } - if pN.Mul(qN, N).IsZero() != 1 { - return errors.New("crypto/rsa: p * q != n") - } - - // Check that de ≡ 1 mod p-1, and de ≡ 1 mod q-1. - // - // This implies that e is coprime to each p-1 as e has a multiplicative - // inverse. Therefore e is coprime to lcm(p-1,q-1) = λ(N). - // It also implies that a^de ≡ a mod p as a^(p-1) ≡ 1 mod p. Thus a^de ≡ a - // mod n for all a coprime to n, as required. - // - // This checks dP, dQ, and e. We don't check d because it is not actually - // used in the RSA private key operation. - pMinus1, err := bigmod.NewModulus(p.Nat().SubOne(p).Bytes(p)) - if err != nil { - return errors.New("crypto/rsa: invalid prime") - } - dP, err := bigmod.NewNat().SetBytes(priv.dP, pMinus1) - if err != nil { - return errors.New("crypto/rsa: invalid CRT exponent") - } - de := bigmod.NewNat() - de.SetUint(uint(priv.pub.E)).ExpandFor(pMinus1) - de.Mul(dP, pMinus1) - if de.IsOne() != 1 { - return errors.New("crypto/rsa: invalid CRT exponent") - } - - qMinus1, err := bigmod.NewModulus(q.Nat().SubOne(q).Bytes(q)) - if err != nil { - return errors.New("crypto/rsa: invalid prime") - } - dQ, err := bigmod.NewNat().SetBytes(priv.dQ, qMinus1) - if err != nil { - return errors.New("crypto/rsa: invalid CRT exponent") - } - de.SetUint(uint(priv.pub.E)).ExpandFor(qMinus1) - de.Mul(dQ, qMinus1) - if de.IsOne() != 1 { - return errors.New("crypto/rsa: invalid CRT exponent") - } - - // Check that qInv * q ≡ 1 mod p. - qP, err := bigmod.NewNat().SetOverflowingBytes(q.Nat().Bytes(q), p) - if err != nil { - // q >= 2^⌈log2(p)⌉ - qP = bigmod.NewNat().Mod(q.Nat(), p) - } - if qP.Mul(priv.qInv, p).IsOne() != 1 { - return errors.New("crypto/rsa: invalid CRT coefficient") - } - - // Check that |p - q| > 2^(nlen/2 - 100). - // - // If p and q are very close to each other, then N=pq can be trivially - // factored using Fermat's factorization method. Broken RSA implementations - // do generate such keys. See Hanno Böck, Fermat Factorization in the Wild, - // https://eprint.iacr.org/2023/026.pdf. - diff := bigmod.NewNat() - if qP, err := bigmod.NewNat().SetBytes(q.Nat().Bytes(q), p); err != nil { - // q > p - pQ, err := bigmod.NewNat().SetBytes(p.Nat().Bytes(p), q) - if err != nil { - return errors.New("crypto/rsa: p == q") - } - // diff = 0 - p mod q = q - p - diff.ExpandFor(q).Sub(pQ, q) - } else { - // p > q - // diff = 0 - q mod p = p - q - diff.ExpandFor(p).Sub(qP, p) - } - // A tiny bit of leakage is acceptable because it's not adaptive, an - // attacker only learns the magnitude of p - q. - if diff.BitLenVarTime() <= N.BitLen()/2-100 { - return errors.New("crypto/rsa: |p - q| too small") - } - - // Check that d > 2^(nlen/2). - // - // See section 3 of https://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf - // for more details about attacks on small d values. - // - // Likewise, the leakage of the magnitude of d is not adaptive. - if priv.d.BitLenVarTime() <= N.BitLen()/2 { - return errors.New("crypto/rsa: d too small") - } - - return nil -} - -func checkPublicKey(pub *PublicKey) (fipsApproved bool, err error) { - fipsApproved = true - if pub.N == nil { - return false, errors.New("crypto/rsa: missing public modulus") - } - if pub.N.Nat().IsOdd() == 0 { - return false, errors.New("crypto/rsa: public modulus is even") - } - // FIPS 186-5, Section 5.1: "This standard specifies the use of a modulus - // whose bit length is an even integer and greater than or equal to 2048 - // bits." - if pub.N.BitLen() < 2048 { - fipsApproved = false - } - if pub.N.BitLen()%2 == 1 { - fipsApproved = false - } - if pub.E < 2 { - return false, errors.New("crypto/rsa: public exponent too small or negative") - } - // e needs to be coprime with p-1 and q-1, since it must be invertible - // modulo λ(pq). Since p and q are prime, this means e needs to be odd. - if pub.E&1 == 0 { - return false, errors.New("crypto/rsa: public exponent is even") - } - // FIPS 186-5, Section 5.5(e): "The exponent e shall be an odd, positive - // integer such that 2¹⁶ < e < 2²⁵⁶." - if pub.E <= 1<<16 { - fipsApproved = false - } - // We require pub.E to fit into a 32-bit integer so that we - // do not have different behavior depending on whether - // int is 32 or 64 bits. See also - // https://www.imperialviolet.org/2012/03/16/rsae.html. - if pub.E > 1<<31-1 { - return false, errors.New("crypto/rsa: public exponent too large") - } - return fipsApproved, nil -} - -// Encrypt performs the RSA public key operation. -func Encrypt(pub *PublicKey, plaintext []byte) ([]byte, error) { - fips140.RecordNonApproved() - if _, err := checkPublicKey(pub); err != nil { - return nil, err - } - return encrypt(pub, plaintext) -} - -func encrypt(pub *PublicKey, plaintext []byte) ([]byte, error) { - m, err := bigmod.NewNat().SetBytes(plaintext, pub.N) - if err != nil { - return nil, err - } - return bigmod.NewNat().ExpShortVarTime(m, uint(pub.E), pub.N).Bytes(pub.N), nil -} - -var ErrMessageTooLong = errors.New("crypto/rsa: message too long for RSA key size") -var ErrDecryption = errors.New("crypto/rsa: decryption error") -var ErrVerification = errors.New("crypto/rsa: verification error") - -const withCheck = true -const noCheck = false - -// DecryptWithoutCheck performs the RSA private key operation. -func DecryptWithoutCheck(priv *PrivateKey, ciphertext []byte) ([]byte, error) { - fips140.RecordNonApproved() - return decrypt(priv, ciphertext, noCheck) -} - -// DecryptWithCheck performs the RSA private key operation and checks the -// result to defend against errors in the CRT computation. -func DecryptWithCheck(priv *PrivateKey, ciphertext []byte) ([]byte, error) { - fips140.RecordNonApproved() - return decrypt(priv, ciphertext, withCheck) -} - -// decrypt performs an RSA decryption of ciphertext into out. If check is true, -// m^e is calculated and compared with ciphertext, in order to defend against -// errors in the CRT computation. -func decrypt(priv *PrivateKey, ciphertext []byte, check bool) ([]byte, error) { - if !priv.fipsApproved { - fips140.RecordNonApproved() - } - - var m *bigmod.Nat - N, E := priv.pub.N, priv.pub.E - - c, err := bigmod.NewNat().SetBytes(ciphertext, N) - if err != nil { - return nil, ErrDecryption - } - - if priv.dP == nil { - // Legacy codepath for deprecated multi-prime keys. - fips140.RecordNonApproved() - m = bigmod.NewNat().Exp(c, priv.d.Bytes(N), N) - - } else { - P, Q := priv.p, priv.q - t0 := bigmod.NewNat() - // m = c ^ Dp mod p - m = bigmod.NewNat().Exp(t0.Mod(c, P), priv.dP, P) - // m2 = c ^ Dq mod q - m2 := bigmod.NewNat().Exp(t0.Mod(c, Q), priv.dQ, Q) - // m = m - m2 mod p - m.Sub(t0.Mod(m2, P), P) - // m = m * Qinv mod p - m.Mul(priv.qInv, P) - // m = m * q mod N - m.ExpandFor(N).Mul(t0.Mod(Q.Nat(), N), N) - // m = m + m2 mod N - m.Add(m2.ExpandFor(N), N) - } - - if check { - c1 := bigmod.NewNat().ExpShortVarTime(m, uint(E), N) - if c1.Equal(c) != 1 { - return nil, ErrDecryption - } - } - - return m.Bytes(N), nil -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/ya.make deleted file mode 100644 index 2ba7d1885d1..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/rsa/ya.make +++ /dev/null @@ -1,16 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - keygen.go - pkcs1v15.go - pkcs1v22.go - rsa.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/go.mod b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/go.mod deleted file mode 100644 index eb93418b8a1..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/go.mod +++ /dev/null @@ -1,11 +0,0 @@ -module crypto/sha256/_asm - -go 1.24 - -require github.com/mmcloughlin/avo v0.6.0 - -require ( - golang.org/x/mod v0.20.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/tools v0.24.0 // indirect -) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/go.sum b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/go.sum deleted file mode 100644 index 76af484b2eb..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/go.sum +++ /dev/null @@ -1,8 +0,0 @@ -github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY= -github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= -golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= -golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/sha256block_amd64_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/sha256block_amd64_asm.go deleted file mode 100644 index a3324673fdd..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/sha256block_amd64_asm.go +++ /dev/null @@ -1,132 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package main - -import ( - "os" - - . "github.com/mmcloughlin/avo/build" -) - -//go:generate go run . -out ../sha256block_amd64.s - -// SHA256 block routine. See sha256block.go for Go equivalent. -// -// The algorithm is detailed in FIPS 180-4: -// -// https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf - -// Wt = Mt; for 0 <= t <= 15 -// Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63 -// -// a = H0 -// b = H1 -// c = H2 -// d = H3 -// e = H4 -// f = H5 -// g = H6 -// h = H7 -// -// for t = 0 to 63 { -// T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt -// T2 = BIGSIGMA0(a) + Maj(a,b,c) -// h = g -// g = f -// f = e -// e = d + T1 -// d = c -// c = b -// b = a -// a = T1 + T2 -// } -// -// H0 = a + H0 -// H1 = b + H1 -// H2 = c + H2 -// H3 = d + H3 -// H4 = e + H4 -// H5 = f + H5 -// H6 = g + H6 -// H7 = h + H7 - -func main() { - // https://github.com/mmcloughlin/avo/issues/450 - os.Setenv("GOOS", "linux") - os.Setenv("GOARCH", "amd64") - - Package("crypto/internal/fips140/sha256") - ConstraintExpr("!purego") - blockAVX2() - blockSHANI() - Generate() -} - -var _K = []uint32{ - 0x428a2f98, - 0x71374491, - 0xb5c0fbcf, - 0xe9b5dba5, - 0x3956c25b, - 0x59f111f1, - 0x923f82a4, - 0xab1c5ed5, - 0xd807aa98, - 0x12835b01, - 0x243185be, - 0x550c7dc3, - 0x72be5d74, - 0x80deb1fe, - 0x9bdc06a7, - 0xc19bf174, - 0xe49b69c1, - 0xefbe4786, - 0x0fc19dc6, - 0x240ca1cc, - 0x2de92c6f, - 0x4a7484aa, - 0x5cb0a9dc, - 0x76f988da, - 0x983e5152, - 0xa831c66d, - 0xb00327c8, - 0xbf597fc7, - 0xc6e00bf3, - 0xd5a79147, - 0x06ca6351, - 0x14292967, - 0x27b70a85, - 0x2e1b2138, - 0x4d2c6dfc, - 0x53380d13, - 0x650a7354, - 0x766a0abb, - 0x81c2c92e, - 0x92722c85, - 0xa2bfe8a1, - 0xa81a664b, - 0xc24b8b70, - 0xc76c51a3, - 0xd192e819, - 0xd6990624, - 0xf40e3585, - 0x106aa070, - 0x19a4c116, - 0x1e376c08, - 0x2748774c, - 0x34b0bcb5, - 0x391c0cb3, - 0x4ed8aa4a, - 0x5b9cca4f, - 0x682e6ff3, - 0x748f82ee, - 0x78a5636f, - 0x84c87814, - 0x8cc70208, - 0x90befffa, - 0xa4506ceb, - 0xbef9a3f7, - 0xc67178f2, -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/sha256block_amd64_avx2.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/sha256block_amd64_avx2.go deleted file mode 100644 index 0e6f1c74cf5..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/sha256block_amd64_avx2.go +++ /dev/null @@ -1,725 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package main - -import ( - . "github.com/mmcloughlin/avo/build" - . "github.com/mmcloughlin/avo/operand" - . "github.com/mmcloughlin/avo/reg" -) - -// The avx2-version is described in an Intel White-Paper: -// "Fast SHA-256 Implementations on Intel Architecture Processors" -// To find it, surf to http://www.intel.com/p/en_US/embedded -// and search for that title. -// AVX2 version by Intel, same algorithm as code in Linux kernel: -// https://github.com/torvalds/linux/blob/master/arch/x86/crypto/sha256-avx2-asm.S -// by -// James Guilford <[email protected]> -// Kirk Yap <[email protected]> -// Tim Chen <[email protected]> - -func blockAVX2() { - Implement("blockAVX2") - AllocLocal(536) - - Load(Param("dig"), CTX) // d.h[8] - Load(Param("p").Base(), INP) - Load(Param("p").Len(), NUM_BYTES) - - LEAQ(Mem{Base: INP, Index: NUM_BYTES, Scale: 1, Disp: -64}, NUM_BYTES) // Pointer to the last block - MOVQ(NUM_BYTES, Mem{Base: SP}.Offset(_INP_END)) - - CMPQ(NUM_BYTES, INP) - JE(LabelRef("avx2_only_one_block")) - - Comment("Load initial digest") - CTX := Mem{Base: CTX} - MOVL(CTX.Offset(0), a) // a = H0 - MOVL(CTX.Offset(4), b) // b = H1 - MOVL(CTX.Offset(8), c) // c = H2 - MOVL(CTX.Offset(12), d) // d = H3 - MOVL(CTX.Offset(16), e) // e = H4 - MOVL(CTX.Offset(20), f) // f = H5 - MOVL(CTX.Offset(24), g) // g = H6 - MOVL(CTX.Offset(28), h) // h = H7 - - avx2_loop0() - avx2_last_block_enter() - avx2_loop1() - avx2_loop2() - avx2_loop3() - avx2_do_last_block() - avx2_only_one_block() - done_hash() -} - -func avx2_loop0() { - Label("avx2_loop0") - Comment("at each iteration works with one block (512 bit)") - VMOVDQU(Mem{Base: INP}.Offset(0*32), XTMP0) - VMOVDQU(Mem{Base: INP}.Offset(1*32), XTMP1) - VMOVDQU(Mem{Base: INP}.Offset(2*32), XTMP2) - VMOVDQU(Mem{Base: INP}.Offset(3*32), XTMP3) - - flip_mask := flip_mask_DATA() - - VMOVDQU(flip_mask, BYTE_FLIP_MASK) - - Comment("Apply Byte Flip Mask: LE -> BE") - VPSHUFB(BYTE_FLIP_MASK, XTMP0, XTMP0) - VPSHUFB(BYTE_FLIP_MASK, XTMP1, XTMP1) - VPSHUFB(BYTE_FLIP_MASK, XTMP2, XTMP2) - VPSHUFB(BYTE_FLIP_MASK, XTMP3, XTMP3) - - Comment("Transpose data into high/low parts") - VPERM2I128(Imm(0x20), XTMP2, XTMP0, XDWORD0) // w3, w2, w1, w0 - VPERM2I128(Imm(0x31), XTMP2, XTMP0, XDWORD1) // w7, w6, w5, w4 - VPERM2I128(Imm(0x20), XTMP3, XTMP1, XDWORD2) // w11, w10, w9, w8 - VPERM2I128(Imm(0x31), XTMP3, XTMP1, XDWORD3) // w15, w14, w13, w12 - - K256 := K256_DATA() - LEAQ(K256, TBL) // Loading address of table with round-specific constants -} - -func avx2_last_block_enter() { - Label("avx2_last_block_enter") - ADDQ(Imm(64), INP) - MOVQ(INP, Mem{Base: SP}.Offset(_INP)) - XORQ(SRND, SRND) -} - -// for w0 - w47 -func avx2_loop1() { - Label("avx2_loop1") - - Comment("Do 4 rounds and scheduling") - VPADDD(Mem{Base: TBL, Scale: 1, Index: SRND}.Offset((0 * 32)), XDWORD0, XFER) - VMOVDQU(XFER, Mem{Base: SP, Scale: 1, Index: SRND}.Offset(_XFER+0*32)) - roundAndSchedN0(_XFER+0*32, a, b, c, d, e, f, g, h, XDWORD0, XDWORD1, XDWORD2, XDWORD3) - roundAndSchedN1(_XFER+0*32, h, a, b, c, d, e, f, g, XDWORD0, XDWORD1, XDWORD2, XDWORD3) - roundAndSchedN2(_XFER+0*32, g, h, a, b, c, d, e, f, XDWORD0, XDWORD1, XDWORD2, XDWORD3) - roundAndSchedN3(_XFER+0*32, f, g, h, a, b, c, d, e, XDWORD0, XDWORD1, XDWORD2, XDWORD3) - - Comment("Do 4 rounds and scheduling") - VPADDD(Mem{Base: TBL, Scale: 1, Index: SRND}.Offset(1*32), XDWORD1, XFER) - VMOVDQU(XFER, Mem{Base: SP, Scale: 1, Index: SRND}.Offset(_XFER+1*32)) - roundAndSchedN0(_XFER+1*32, e, f, g, h, a, b, c, d, XDWORD1, XDWORD2, XDWORD3, XDWORD0) - roundAndSchedN1(_XFER+1*32, d, e, f, g, h, a, b, c, XDWORD1, XDWORD2, XDWORD3, XDWORD0) - roundAndSchedN2(_XFER+1*32, c, d, e, f, g, h, a, b, XDWORD1, XDWORD2, XDWORD3, XDWORD0) - roundAndSchedN3(_XFER+1*32, b, c, d, e, f, g, h, a, XDWORD1, XDWORD2, XDWORD3, XDWORD0) - - Comment("Do 4 rounds and scheduling") - VPADDD(Mem{Base: TBL, Scale: 1, Index: SRND}.Offset((2 * 32)), XDWORD2, XFER) - VMOVDQU(XFER, Mem{Base: SP, Scale: 1, Index: SRND}.Offset(_XFER+2*32)) - roundAndSchedN0(_XFER+2*32, a, b, c, d, e, f, g, h, XDWORD2, XDWORD3, XDWORD0, XDWORD1) - roundAndSchedN1(_XFER+2*32, h, a, b, c, d, e, f, g, XDWORD2, XDWORD3, XDWORD0, XDWORD1) - roundAndSchedN2(_XFER+2*32, g, h, a, b, c, d, e, f, XDWORD2, XDWORD3, XDWORD0, XDWORD1) - roundAndSchedN3(_XFER+2*32, f, g, h, a, b, c, d, e, XDWORD2, XDWORD3, XDWORD0, XDWORD1) - - Comment("Do 4 rounds and scheduling") - VPADDD(Mem{Base: TBL, Scale: 1, Index: SRND}.Offset((3 * 32)), XDWORD3, XFER) - VMOVDQU(XFER, Mem{Base: SP, Scale: 1, Index: SRND}.Offset(_XFER+3*32)) - roundAndSchedN0(_XFER+3*32, e, f, g, h, a, b, c, d, XDWORD3, XDWORD0, XDWORD1, XDWORD2) - roundAndSchedN1(_XFER+3*32, d, e, f, g, h, a, b, c, XDWORD3, XDWORD0, XDWORD1, XDWORD2) - roundAndSchedN2(_XFER+3*32, c, d, e, f, g, h, a, b, XDWORD3, XDWORD0, XDWORD1, XDWORD2) - roundAndSchedN3(_XFER+3*32, b, c, d, e, f, g, h, a, XDWORD3, XDWORD0, XDWORD1, XDWORD2) - - ADDQ(Imm(4*32), SRND) - CMPQ(SRND, U32(3*4*32)) - JB(LabelRef("avx2_loop1")) -} - -// w48 - w63 processed with no scheduling (last 16 rounds) -func avx2_loop2() { - Label("avx2_loop2") - VPADDD(Mem{Base: TBL, Scale: 1, Index: SRND}.Offset(0*32), XDWORD0, XFER) - VMOVDQU(XFER, Mem{Base: SP, Scale: 1, Index: SRND}.Offset(_XFER+0*32)) - doRoundN0(_XFER+0*32, a, b, c, d, e, f, g, h, h) - doRoundN1(_XFER+0*32, h, a, b, c, d, e, f, g, h) - doRoundN2(_XFER+0*32, g, h, a, b, c, d, e, f, g) - doRoundN3(_XFER+0*32, f, g, h, a, b, c, d, e, f) - - VPADDD(Mem{Base: TBL, Scale: 1, Index: SRND}.Offset(1*32), XDWORD1, XFER) - VMOVDQU(XFER, Mem{Base: SP, Scale: 1, Index: SRND}.Offset(_XFER+1*32)) - doRoundN0(_XFER+1*32, e, f, g, h, a, b, c, d, e) - doRoundN1(_XFER+1*32, d, e, f, g, h, a, b, c, d) - doRoundN2(_XFER+1*32, c, d, e, f, g, h, a, b, c) - doRoundN3(_XFER+1*32, b, c, d, e, f, g, h, a, b) - - ADDQ(Imm(2*32), SRND) - - VMOVDQU(XDWORD2, XDWORD0) - VMOVDQU(XDWORD3, XDWORD1) - - CMPQ(SRND, U32(4*4*32)) - JB(LabelRef("avx2_loop2")) - - Load(Param("dig"), CTX) // d.h[8] - MOVQ(Mem{Base: SP}.Offset(_INP), INP) - - registers := []GPPhysical{a, b, c, d, e, f, g, h} - for i, reg := range registers { - addm(Mem{Base: CTX}.Offset(i*4), reg) - } - - CMPQ(Mem{Base: SP}.Offset(_INP_END), INP) - JB(LabelRef("done_hash")) - - XORQ(SRND, SRND) -} - -// Do second block using previously scheduled results -func avx2_loop3() { - Label("avx2_loop3") - doRoundN0(_XFER+0*32+16, a, b, c, d, e, f, g, h, a) - doRoundN1(_XFER+0*32+16, h, a, b, c, d, e, f, g, h) - doRoundN2(_XFER+0*32+16, g, h, a, b, c, d, e, f, g) - doRoundN3(_XFER+0*32+16, f, g, h, a, b, c, d, e, f) - - doRoundN0(_XFER+1*32+16, e, f, g, h, a, b, c, d, e) - doRoundN1(_XFER+1*32+16, d, e, f, g, h, a, b, c, d) - doRoundN2(_XFER+1*32+16, c, d, e, f, g, h, a, b, c) - doRoundN3(_XFER+1*32+16, b, c, d, e, f, g, h, a, b) - - ADDQ(Imm(2*32), SRND) - CMPQ(SRND, U32(4*4*32)) - JB(LabelRef("avx2_loop3")) - - Load(Param("dig"), CTX) // d.h[8] - MOVQ(Mem{Base: SP}.Offset(_INP), INP) - ADDQ(Imm(64), INP) - - registers := []GPPhysical{a, b, c, d, e, f, g, h} - for i, reg := range registers { - addm(Mem{Base: CTX}.Offset(i*4), reg) - } - - CMPQ(Mem{Base: SP}.Offset(_INP_END), INP) - JA(LabelRef("avx2_loop0")) - JB(LabelRef("done_hash")) -} - -func avx2_do_last_block() { - Label("avx2_do_last_block") - VMOVDQU(Mem{Base: INP}.Offset(0), XWORD0) - VMOVDQU(Mem{Base: INP}.Offset(16), XWORD1) - VMOVDQU(Mem{Base: INP}.Offset(32), XWORD2) - VMOVDQU(Mem{Base: INP}.Offset(48), XWORD3) - - flip_mask := flip_mask_DATA() - VMOVDQU(flip_mask, BYTE_FLIP_MASK) - - VPSHUFB(X_BYTE_FLIP_MASK, XWORD0, XWORD0) - VPSHUFB(X_BYTE_FLIP_MASK, XWORD1, XWORD1) - VPSHUFB(X_BYTE_FLIP_MASK, XWORD2, XWORD2) - VPSHUFB(X_BYTE_FLIP_MASK, XWORD3, XWORD3) - - K256 := K256_DATA() - LEAQ(K256, TBL) - - JMP(LabelRef("avx2_last_block_enter")) -} - -// Load initial digest -func avx2_only_one_block() { - Label("avx2_only_one_block") - registers := []GPPhysical{a, b, c, d, e, f, g, h} - for i, reg := range registers { - MOVL(Mem{Base: CTX}.Offset(i*4), reg) - } - JMP(LabelRef("avx2_do_last_block")) -} - -func done_hash() { - Label("done_hash") - VZEROUPPER() - RET() -} - -// addm (mem), reg -// - Add reg to mem using reg-mem add and store -func addm(P1 Mem, P2 GPPhysical) { - ADDL(P2, P1) - MOVL(P1, P2) -} - -var ( - XDWORD0 VecPhysical = Y4 - XDWORD1 = Y5 - XDWORD2 = Y6 - XDWORD3 = Y7 - - XWORD0 = X4 - XWORD1 = X5 - XWORD2 = X6 - XWORD3 = X7 - - XTMP0 = Y0 - XTMP1 = Y1 - XTMP2 = Y2 - XTMP3 = Y3 - XTMP4 = Y8 - XTMP5 = Y11 - - XFER = Y9 - - BYTE_FLIP_MASK = Y13 // mask to convert LE -> BE - X_BYTE_FLIP_MASK = X13 - - NUM_BYTES GPPhysical = RDX - INP = RDI - - CTX = RSI // Beginning of digest in memory (a, b, c, ... , h) - - a = EAX - b = EBX - c = ECX - d = R8L - e = EDX - f = R9L - g = R10L - h = R11L - - old_h = R11L - - TBL = RBP - - SRND = RSI // SRND is same register as CTX - - T1 = R12L - - y0 = R13L - y1 = R14L - y2 = R15L - y3 = EDI - - // Offsets - XFER_SIZE = 2 * 64 * 4 - INP_END_SIZE = 8 - INP_SIZE = 8 - - _XFER = 0 - _INP_END = _XFER + XFER_SIZE - _INP = _INP_END + INP_END_SIZE - STACK_SIZE = _INP + INP_SIZE -) - -func roundAndSchedN0(disp int, a, b, c, d, e, f, g, h GPPhysical, XDWORD0, XDWORD1, XDWORD2, XDWORD3 VecPhysical) { - // ############################# RND N + 0 ############################// - MOVL(a, y3) // y3 = a - RORXL(Imm(25), e, y0) // y0 = e >> 25 - RORXL(Imm(11), e, y1) // y1 = e >> 11 - - ADDL(Mem{Base: SP, Disp: disp + 0*4, Scale: 1, Index: SRND}, h) // h = k + w + h - ORL(c, y3) // y3 = a|c - VPALIGNR(Imm(4), XDWORD2, XDWORD3, XTMP0) // XTMP0 = W[-7] - MOVL(f, y2) // y2 = f - RORXL(Imm(13), a, T1) // T1 = a >> 13 - - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) - XORL(g, y2) // y2 = f^g - VPADDD(XDWORD0, XTMP0, XTMP0) // XTMP0 = W[-7] + W[-16] - RORXL(Imm(6), e, y1) // y1 = (e >> 6) - - ANDL(e, y2) // y2 = (f^g)&e - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) ^ (e>>6) - RORXL(Imm(22), a, y1) // y1 = a >> 22 - ADDL(h, d) // d = k + w + h + d - - ANDL(b, y3) // y3 = (a|c)&b - VPALIGNR(Imm(4), XDWORD0, XDWORD1, XTMP1) // XTMP1 = W[-15] - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) - RORXL(Imm(2), a, T1) // T1 = (a >> 2) - - XORL(g, y2) // y2 = CH = ((f^g)&e)^g - VPSRLD(Imm(7), XTMP1, XTMP2) // - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) ^ (a>>2) - MOVL(a, T1) // T1 = a - ANDL(c, T1) // T1 = a&c - - ADDL(y0, y2) // y2 = S1 + CH - VPSLLD(Imm(32-7), XTMP1, XTMP3) // - ORL(T1, y3) // y3 = MAJ = (a|c)&b)|(a&c) - ADDL(y1, h) // h = k + w + h + S0 - - ADDL(y2, d) // d = k + w + h + d + S1 + CH = d + t1 - VPOR(XTMP2, XTMP3, XTMP3) // XTMP3 = W[-15] ror 7 - - VPSRLD(Imm(18), XTMP1, XTMP2) - ADDL(y2, h) // h = k + w + h + S0 + S1 + CH = t1 + S0 - ADDL(y3, h) // h = t1 + S0 + MAJ -} - -func roundAndSchedN1(disp int, a, b, c, d, e, f, g, h GPPhysical, XDWORD0, XDWORD1, XDWORD2, XDWORD3 VecPhysical) { - // ################################### RND N + 1 ############################ - MOVL(a, y3) // y3 = a - RORXL(Imm(25), e, y0) // y0 = e >> 25 - RORXL(Imm(11), e, y1) // y1 = e >> 11 - ADDL(Mem{Base: SP, Disp: disp + 1*4, Scale: 1, Index: SRND}, h) // h = k + w + h - ORL(c, y3) // y3 = a|c - - VPSRLD(Imm(3), XTMP1, XTMP4) // XTMP4 = W[-15] >> 3 - MOVL(f, y2) // y2 = f - RORXL(Imm(13), a, T1) // T1 = a >> 13 - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) - XORL(g, y2) // y2 = f^g - - RORXL(Imm(6), e, y1) // y1 = (e >> 6) - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) ^ (e>>6) - RORXL(Imm(22), a, y1) // y1 = a >> 22 - ANDL(e, y2) // y2 = (f^g)&e - ADDL(h, d) // d = k + w + h + d - - VPSLLD(Imm(32-18), XTMP1, XTMP1) - ANDL(b, y3) // y3 = (a|c)&b - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) - - VPXOR(XTMP1, XTMP3, XTMP3) - RORXL(Imm(2), a, T1) // T1 = (a >> 2) - XORL(g, y2) // y2 = CH = ((f^g)&e)^g - - VPXOR(XTMP2, XTMP3, XTMP3) // XTMP3 = W[-15] ror 7 ^ W[-15] ror 18 - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) ^ (a>>2) - MOVL(a, T1) // T1 = a - ANDL(c, T1) // T1 = a&c - ADDL(y0, y2) // y2 = S1 + CH - - VPXOR(XTMP4, XTMP3, XTMP1) // XTMP1 = s0 - VPSHUFD(Imm(0xFA), XDWORD3, XTMP2) // XTMP2 = W[-2] {BBAA} - ORL(T1, y3) // y3 = MAJ = (a|c)&b)|(a&c) - ADDL(y1, h) // h = k + w + h + S0 - - VPADDD(XTMP1, XTMP0, XTMP0) // XTMP0 = W[-16] + W[-7] + s0 - ADDL(y2, d) // d = k + w + h + d + S1 + CH = d + t1 - ADDL(y2, h) // h = k + w + h + S0 + S1 + CH = t1 + S0 - ADDL(y3, h) // h = t1 + S0 + MAJ - - VPSRLD(Imm(10), XTMP2, XTMP4) // XTMP4 = W[-2] >> 10 {BBAA} -} - -func roundAndSchedN2(disp int, a, b, c, d, e, f, g, h GPPhysical, XDWORD0, XDWORD1, XDWORD2, XDWORD3 VecPhysical) { - // ################################### RND N + 2 ############################ - var shuff_00BA Mem = shuff_00BA_DATA() - - MOVL(a, y3) // y3 = a - RORXL(Imm(25), e, y0) // y0 = e >> 25 - ADDL(Mem{Base: SP, Disp: disp + 2*4, Scale: 1, Index: SRND}, h) // h = k + w + h - - VPSRLQ(Imm(19), XTMP2, XTMP3) // XTMP3 = W[-2] ror 19 {xBxA} - RORXL(Imm(11), e, y1) // y1 = e >> 11 - ORL(c, y3) // y3 = a|c - MOVL(f, y2) // y2 = f - XORL(g, y2) // y2 = f^g - - RORXL(Imm(13), a, T1) // T1 = a >> 13 - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) - VPSRLQ(Imm(17), XTMP2, XTMP2) // XTMP2 = W[-2] ror 17 {xBxA} - ANDL(e, y2) // y2 = (f^g)&e - - RORXL(Imm(6), e, y1) // y1 = (e >> 6) - VPXOR(XTMP3, XTMP2, XTMP2) - ADDL(h, d) // d = k + w + h + d - ANDL(b, y3) // y3 = (a|c)&b - - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) ^ (e>>6) - RORXL(Imm(22), a, y1) // y1 = a >> 22 - VPXOR(XTMP2, XTMP4, XTMP4) // XTMP4 = s1 {xBxA} - XORL(g, y2) // y2 = CH = ((f^g)&e)^g - - VPSHUFB(shuff_00BA, XTMP4, XTMP4) // XTMP4 = s1 {00BA} - - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) - RORXL(Imm(2), a, T1) // T1 = (a >> 2) - VPADDD(XTMP4, XTMP0, XTMP0) // XTMP0 = {..., ..., W[1], W[0]} - - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) ^ (a>>2) - MOVL(a, T1) // T1 = a - ANDL(c, T1) // T1 = a&c - ADDL(y0, y2) // y2 = S1 + CH - VPSHUFD(Imm(80), XTMP0, XTMP2) // XTMP2 = W[-2] {DDCC} - - ORL(T1, y3) // y3 = MAJ = (a|c)&b)|(a&c) - ADDL(y1, h) // h = k + w + h + S0 - ADDL(y2, d) // d = k + w + h + d + S1 + CH = d + t1 - ADDL(y2, h) // h = k + w + h + S0 + S1 + CH = t1 + S0 - - ADDL(y3, h) // h = t1 + S0 + MAJ -} - -func roundAndSchedN3(disp int, a, b, c, d, e, f, g, h GPPhysical, XDWORD0, XDWORD1, XDWORD2, XDWORD3 VecPhysical) { - // ################################### RND N + 3 ############################ - var shuff_DC00 Mem = shuff_DC00_DATA() - - MOVL(a, y3) // y3 = a - RORXL(Imm(25), e, y0) // y0 = e >> 25 - RORXL(Imm(11), e, y1) // y1 = e >> 11 - ADDL(Mem{Base: SP, Disp: disp + 3*4, Scale: 1, Index: SRND}, h) // h = k + w + h - ORL(c, y3) // y3 = a|c - - VPSRLD(Imm(10), XTMP2, XTMP5) // XTMP5 = W[-2] >> 10 {DDCC} - MOVL(f, y2) // y2 = f - RORXL(Imm(13), a, T1) // T1 = a >> 13 - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) - XORL(g, y2) // y2 = f^g - - VPSRLQ(Imm(19), XTMP2, XTMP3) // XTMP3 = W[-2] ror 19 {xDxC} - RORXL(Imm(6), e, y1) // y1 = (e >> 6) - ANDL(e, y2) // y2 = (f^g)&e - ADDL(h, d) // d = k + w + h + d - ANDL(b, y3) // y3 = (a|c)&b - - VPSRLQ(Imm(17), XTMP2, XTMP2) // XTMP2 = W[-2] ror 17 {xDxC} - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) ^ (e>>6) - XORL(g, y2) // y2 = CH = ((f^g)&e)^g - - VPXOR(XTMP3, XTMP2, XTMP2) - RORXL(Imm(22), a, y1) // y1 = a >> 22 - ADDL(y0, y2) // y2 = S1 + CH - - VPXOR(XTMP2, XTMP5, XTMP5) // XTMP5 = s1 {xDxC} - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) - ADDL(y2, d) // d = k + w + h + d + S1 + CH = d + t1 - - RORXL(Imm(2), a, T1) // T1 = (a >> 2) - - VPSHUFB(shuff_DC00, XTMP5, XTMP5) // XTMP5 = s1 {DC00} - - VPADDD(XTMP0, XTMP5, XDWORD0) // XDWORD0 = {W[3], W[2], W[1], W[0]} - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) ^ (a>>2) - MOVL(a, T1) // T1 = a - ANDL(c, T1) // T1 = a&c - ORL(T1, y3) // y3 = MAJ = (a|c)&b)|(a&c) - - ADDL(y1, h) // h = k + w + h + S0 - ADDL(y2, h) // h = k + w + h + S0 + S1 + CH = t1 + S0 - ADDL(y3, h) // h = t1 + S0 + MAJ -} - -func doRoundN0(disp int, a, b, c, d, e, f, g, h, old_h GPPhysical) { - // ################################### RND N + 0 ########################### - MOVL(f, y2) // y2 = f - RORXL(Imm(25), e, y0) // y0 = e >> 25 - RORXL(Imm(11), e, y1) // y1 = e >> 11 - XORL(g, y2) // y2 = f^g - - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) - RORXL(Imm(6), e, y1) // y1 = (e >> 6) - ANDL(e, y2) // y2 = (f^g)&e - - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) ^ (e>>6) - RORXL(Imm(13), a, T1) // T1 = a >> 13 - XORL(g, y2) // y2 = CH = ((f^g)&e)^g - RORXL(Imm(22), a, y1) // y1 = a >> 22 - MOVL(a, y3) // y3 = a - - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) - RORXL(Imm(2), a, T1) // T1 = (a >> 2) - ADDL(Mem{Base: SP, Disp: disp + 0*4, Scale: 1, Index: SRND}, h) // h = k + w + h - ORL(c, y3) // y3 = a|c - - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) ^ (a>>2) - MOVL(a, T1) // T1 = a - ANDL(b, y3) // y3 = (a|c)&b - ANDL(c, T1) // T1 = a&c - ADDL(y0, y2) // y2 = S1 + CH - - ADDL(h, d) // d = k + w + h + d - ORL(T1, y3) // y3 = MAJ = (a|c)&b)|(a&c) - ADDL(y1, h) // h = k + w + h + S0 - ADDL(y2, d) // d = k + w + h + d + S1 + CH = d + t1 -} - -func doRoundN1(disp int, a, b, c, d, e, f, g, h, old_h GPPhysical) { - // ################################### RND N + 1 ########################### - ADDL(y2, old_h) // h = k + w + h + S0 + S1 + CH = t1 + S0 - MOVL(f, y2) // y2 = f - RORXL(Imm(25), e, y0) // y0 = e >> 25 - RORXL(Imm(11), e, y1) // y1 = e >> 11 - XORL(g, y2) // y2 = f^g - - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) - RORXL(Imm(6), e, y1) // y1 = (e >> 6) - ANDL(e, y2) // y2 = (f^g)&e - ADDL(y3, old_h) // h = t1 + S0 + MAJ - - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) ^ (e>>6) - RORXL(Imm(13), a, T1) // T1 = a >> 13 - XORL(g, y2) // y2 = CH = ((f^g)&e)^g - RORXL(Imm(22), a, y1) // y1 = a >> 22 - MOVL(a, y3) // y3 = a - - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) - RORXL(Imm(2), a, T1) // T1 = (a >> 2) - ADDL(Mem{Base: SP, Disp: disp + 1*4, Scale: 1, Index: SRND}, h) // h = k + w + h - ORL(c, y3) // y3 = a|c - - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) ^ (a>>2) - MOVL(a, T1) // T1 = a - ANDL(b, y3) // y3 = (a|c)&b - ANDL(c, T1) // T1 = a&c - ADDL(y0, y2) // y2 = S1 + CH - - ADDL(h, d) // d = k + w + h + d - ORL(T1, y3) // y3 = MAJ = (a|c)&b)|(a&c) - ADDL(y1, h) // h = k + w + h + S0 - - ADDL(y2, d) // d = k + w + h + d + S1 + CH = d + t1 -} - -func doRoundN2(disp int, a, b, c, d, e, f, g, h, old_h GPPhysical) { - // ################################### RND N + 2 ############################## - ADDL(y2, old_h) // h = k + w + h + S0 + S1 + CH = t1 + S0 - MOVL(f, y2) // y2 = f - RORXL(Imm(25), e, y0) // y0 = e >> 25 - RORXL(Imm(11), e, y1) // y1 = e >> 11 - XORL(g, y2) // y2 = f^g - - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) - RORXL(Imm(6), e, y1) // y1 = (e >> 6) - ANDL(e, y2) // y2 = (f^g)&e - ADDL(y3, old_h) // h = t1 + S0 + MAJ - - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) ^ (e>>6) - RORXL(Imm(13), a, T1) // T1 = a >> 13 - XORL(g, y2) // y2 = CH = ((f^g)&e)^g - RORXL(Imm(22), a, y1) // y1 = a >> 22 - MOVL(a, y3) // y3 = a - - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) - RORXL(Imm(2), a, T1) // T1 = (a >> 2) - ADDL(Mem{Base: SP, Disp: disp + 2*4, Scale: 1, Index: SRND}, h) // h = k + w + h - ORL(c, y3) // y3 = a|c - - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) ^ (a>>2) - MOVL(a, T1) // T1 = a - ANDL(b, y3) // y3 = (a|c)&b - ANDL(c, T1) // T1 = a&c - ADDL(y0, y2) // y2 = S1 + CH - - ADDL(h, d) // d = k + w + h + d - ORL(T1, y3) // y3 = MAJ = (a|c)&b)|(a&c) - ADDL(y1, h) // h = k + w + h + S0 - - ADDL(y2, d) // d = k + w + h + d + S1 + CH = d + t1 -} - -func doRoundN3(disp int, a, b, c, d, e, f, g, h, old_h GPPhysical) { - // ################################### RND N + 3 ########################### - ADDL(y2, old_h) // h = k + w + h + S0 + S1 + CH = t1 + S0 - MOVL(f, y2) // y2 = f - RORXL(Imm(25), e, y0) // y0 = e >> 25 - RORXL(Imm(11), e, y1) // y1 = e >> 11 - XORL(g, y2) // y2 = f^g - - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) - RORXL(Imm(6), e, y1) // y1 = (e >> 6) - ANDL(e, y2) // y2 = (f^g)&e - ADDL(y3, old_h) // h = t1 + S0 + MAJ - - XORL(y1, y0) // y0 = (e>>25) ^ (e>>11) ^ (e>>6) - RORXL(Imm(13), a, T1) // T1 = a >> 13 - XORL(g, y2) // y2 = CH = ((f^g)&e)^g - RORXL(Imm(22), a, y1) // y1 = a >> 22 - MOVL(a, y3) // y3 = a - - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) - RORXL(Imm(2), a, T1) // T1 = (a >> 2) - ADDL(Mem{Base: SP, Disp: disp + 3*4, Scale: 1, Index: SRND}, h) // h = k + w + h - ORL(c, y3) // y3 = a|c - - XORL(T1, y1) // y1 = (a>>22) ^ (a>>13) ^ (a>>2) - MOVL(a, T1) // T1 = a - ANDL(b, y3) // y3 = (a|c)&b - ANDL(c, T1) // T1 = a&c - ADDL(y0, y2) // y2 = S1 + CH - - ADDL(h, d) // d = k + w + h + d - ORL(T1, y3) // y3 = MAJ = (a|c)&b)|(a&c) - ADDL(y1, h) // h = k + w + h + S0 - - ADDL(y2, d) // d = k + w + h + d + S1 + CH = d + t1 - - ADDL(y2, h) // h = k + w + h + S0 + S1 + CH = t1 + S0 - - ADDL(y3, h) // h = t1 + S0 + MAJ -} - -// Pointers for memoizing Data section symbols -var flip_maskPtr, shuff_00BAPtr, shuff_DC00Ptr, K256Ptr *Mem - -// shuffle byte order from LE to BE -func flip_mask_DATA() Mem { - if flip_maskPtr != nil { - return *flip_maskPtr - } - - flip_mask := GLOBL("flip_mask", RODATA) - flip_maskPtr = &flip_mask - - DATA(0x00, U64(0x0405060700010203)) - DATA(0x08, U64(0x0c0d0e0f08090a0b)) - DATA(0x10, U64(0x0405060700010203)) - DATA(0x18, U64(0x0c0d0e0f08090a0b)) - return flip_mask -} - -// shuffle xBxA -> 00BA -func shuff_00BA_DATA() Mem { - if shuff_00BAPtr != nil { - return *shuff_00BAPtr - } - - shuff_00BA := GLOBL("shuff_00BA", RODATA) - shuff_00BAPtr = &shuff_00BA - - DATA(0x00, U64(0x0b0a090803020100)) - DATA(0x08, U64(0xFFFFFFFFFFFFFFFF)) - DATA(0x10, U64(0x0b0a090803020100)) - DATA(0x18, U64(0xFFFFFFFFFFFFFFFF)) - return shuff_00BA -} - -// shuffle xDxC -> DC00 -func shuff_DC00_DATA() Mem { - if shuff_DC00Ptr != nil { - return *shuff_DC00Ptr - } - - shuff_DC00 := GLOBL("shuff_DC00", RODATA) - shuff_DC00Ptr = &shuff_DC00 - - DATA(0x00, U64(0xFFFFFFFFFFFFFFFF)) - DATA(0x08, U64(0x0b0a090803020100)) - DATA(0x10, U64(0xFFFFFFFFFFFFFFFF)) - DATA(0x18, U64(0x0b0a090803020100)) - return shuff_DC00 -} - -// Round specific constants -func K256_DATA() Mem { - if K256Ptr != nil { - return *K256Ptr - } - - K256 := GLOBL("K256", NOPTR+RODATA) - K256Ptr = &K256 - - offset_idx := 0 - - for i := 0; i < len(_K); i += 4 { - DATA((offset_idx+0)*4, U32(_K[i+0])) // k1 - DATA((offset_idx+1)*4, U32(_K[i+1])) // k2 - DATA((offset_idx+2)*4, U32(_K[i+2])) // k3 - DATA((offset_idx+3)*4, U32(_K[i+3])) // k4 - - DATA((offset_idx+4)*4, U32(_K[i+0])) // k1 - DATA((offset_idx+5)*4, U32(_K[i+1])) // k2 - DATA((offset_idx+6)*4, U32(_K[i+2])) // k3 - DATA((offset_idx+7)*4, U32(_K[i+3])) // k4 - offset_idx += 8 - } - return K256 -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/sha256block_amd64_shani.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/sha256block_amd64_shani.go deleted file mode 100644 index 423e86206fa..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/_asm/sha256block_amd64_shani.go +++ /dev/null @@ -1,174 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package main - -import ( - . "github.com/mmcloughlin/avo/build" - . "github.com/mmcloughlin/avo/operand" - . "github.com/mmcloughlin/avo/reg" -) - -// The sha-ni implementation uses Intel(R) SHA extensions SHA256RNDS2, SHA256MSG1, SHA256MSG2 -// It also reuses portions of the flip_mask (half) and K256 table (stride 32) from the avx2 version -// -// Reference -// S. Gulley, et al, "New Instructions Supporting the Secure Hash -// Algorithm on Intel® Architecture Processors", July 2013 -// https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sha-extensions.html - -func blockSHANI() { - Implement("blockSHANI") - Load(Param("dig"), digestPtr) // init digest hash vector H0, H1,..., H7 pointer - Load(Param("p").Base(), dataPtr) // init input data base pointer - Load(Param("p").Len(), numBytes) // get number of input bytes to hash - SHRQ(Imm(6), numBytes) // force modulo 64 input buffer length - SHLQ(Imm(6), numBytes) - CMPQ(numBytes, Imm(0)) // exit early for zero-length input buffer - JEQ(LabelRef("done")) - ADDQ(dataPtr, numBytes) // point numBytes to end of input buffer - VMOVDQU(Mem{Base: digestPtr}.Offset(0*16), state0) // load initial hash values and reorder - VMOVDQU(Mem{Base: digestPtr}.Offset(1*16), state1) // DCBA, HGFE -> ABEF, CDGH - PSHUFD(Imm(0xb1), state0, state0) // CDAB - PSHUFD(Imm(0x1b), state1, state1) // EFGH - VMOVDQA(state0, m4) - PALIGNR(Imm(8), state1, state0) // ABEF - PBLENDW(Imm(0xf0), m4, state1) // CDGH - flip_mask := flip_mask_DATA() - VMOVDQA(flip_mask, shufMask) - LEAQ(K256_DATA(), sha256Constants) - - roundLoop() - done() -} - -func roundLoop() { - Label("roundLoop") - Comment("save hash values for addition after rounds") - VMOVDQA(state0, abefSave) - VMOVDQA(state1, cdghSave) - - Comment("do rounds 0-59") - rounds0to11(m0, nil, 0, nop) // 0-3 - rounds0to11(m1, m0, 1, sha256msg1) // 4-7 - rounds0to11(m2, m1, 2, sha256msg1) // 8-11 - VMOVDQU(Mem{Base: dataPtr}.Offset(3*16), msg) - PSHUFB(shufMask, msg) - rounds12to59(m3, 3, m2, m0, sha256msg1, vmovrev) // 12-15 - rounds12to59(m0, 4, m3, m1, sha256msg1, vmov) // 16-19 - rounds12to59(m1, 5, m0, m2, sha256msg1, vmov) // 20-23 - rounds12to59(m2, 6, m1, m3, sha256msg1, vmov) // 24-27 - rounds12to59(m3, 7, m2, m0, sha256msg1, vmov) // 28-31 - rounds12to59(m0, 8, m3, m1, sha256msg1, vmov) // 32-35 - rounds12to59(m1, 9, m0, m2, sha256msg1, vmov) // 36-39 - rounds12to59(m2, 10, m1, m3, sha256msg1, vmov) // 40-43 - rounds12to59(m3, 11, m2, m0, sha256msg1, vmov) // 44-47 - rounds12to59(m0, 12, m3, m1, sha256msg1, vmov) // 48-51 - rounds12to59(m1, 13, m0, m2, nop, vmov) // 52-55 - rounds12to59(m2, 14, m1, m3, nop, vmov) // 56-59 - - Comment("do rounds 60-63") - VMOVDQA(m3, msg) - PADDD(Mem{Base: sha256Constants}.Offset(15*32), msg) - SHA256RNDS2(msg, state0, state1) - PSHUFD(Imm(0x0e), msg, msg) - SHA256RNDS2(msg, state1, state0) - - Comment("add current hash values with previously saved") - PADDD(abefSave, state0) - PADDD(cdghSave, state1) - - Comment("advance data pointer; loop until buffer empty") - ADDQ(Imm(64), dataPtr) - CMPQ(numBytes, dataPtr) - JNE(LabelRef("roundLoop")) - - Comment("write hash values back in the correct order") - PSHUFD(Imm(0x1b), state0, state0) - PSHUFD(Imm(0xb1), state1, state1) - VMOVDQA(state0, m4) - PBLENDW(Imm(0xf0), state1, state0) - PALIGNR(Imm(8), m4, state1) - VMOVDQU(state0, Mem{Base: digestPtr}.Offset(0*16)) - VMOVDQU(state1, Mem{Base: digestPtr}.Offset(1*16)) -} - -func done() { - Label("done") - RET() -} - -var ( - digestPtr GPPhysical = RDI // input/output, base pointer to digest hash vector H0, H1, ..., H7 - dataPtr = RSI // input, base pointer to first input data block - numBytes = RDX // input, number of input bytes to be processed - sha256Constants = RAX // round contents from K256 table, indexed by round number x 32 - msg VecPhysical = X0 // input data - state0 = X1 // round intermediates and outputs - state1 = X2 - m0 = X3 // m0, m1,... m4 -- round message temps - m1 = X4 - m2 = X5 - m3 = X6 - m4 = X7 - shufMask = X8 // input data endian conversion control mask - abefSave = X9 // digest hash vector inter-block buffer abef - cdghSave = X10 // digest hash vector inter-block buffer cdgh -) - -// nop instead of final SHA256MSG1 for first and last few rounds -func nop(m, a VecPhysical) { -} - -// final SHA256MSG1 for middle rounds that require it -func sha256msg1(m, a VecPhysical) { - SHA256MSG1(m, a) -} - -// msg copy for all but rounds 12-15 -func vmov(a, b VecPhysical) { - VMOVDQA(a, b) -} - -// reverse copy for rounds 12-15 -func vmovrev(a, b VecPhysical) { - VMOVDQA(b, a) -} - -type VecFunc func(a, b VecPhysical) - -// sha rounds 0 to 11 -// -// identical with the exception of the final msg op -// which is replaced with a nop for rounds where it is not needed -// refer to Gulley, et al for more information -func rounds0to11(m, a VecPhysical, c int, sha256msg1 VecFunc) { - VMOVDQU(Mem{Base: dataPtr}.Offset(c*16), msg) - PSHUFB(shufMask, msg) - VMOVDQA(msg, m) - PADDD(Mem{Base: sha256Constants}.Offset(c*32), msg) - SHA256RNDS2(msg, state0, state1) - PSHUFD(U8(0x0e), msg, msg) - SHA256RNDS2(msg, state1, state0) - sha256msg1(m, a) -} - -// sha rounds 12 to 59 -// -// identical with the exception of the final msg op -// and the reverse copy(m,msg) in round 12 which is required -// after the last data load -// refer to Gulley, et al for more information -func rounds12to59(m VecPhysical, c int, a, t VecPhysical, sha256msg1, movop VecFunc) { - movop(m, msg) - PADDD(Mem{Base: sha256Constants}.Offset(c*32), msg) - SHA256RNDS2(msg, state0, state1) - VMOVDQA(m, m4) - PALIGNR(Imm(4), a, m4) - PADDD(m4, t) - SHA256MSG2(m, t) - PSHUFD(Imm(0x0e), msg, msg) - SHA256RNDS2(msg, state1, state0) - sha256msg1(m, a) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/cast.go deleted file mode 100644 index 2994d35d10e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/cast.go +++ /dev/null @@ -1,32 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package sha256 - -import ( - "bytes" - "crypto/internal/fips140" - "errors" -) - -func init() { - fips140.CAST("SHA2-256", func() error { - input := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - } - want := []byte{ - 0x5d, 0xfb, 0xab, 0xee, 0xdf, 0x31, 0x8b, 0xf3, - 0x3c, 0x09, 0x27, 0xc4, 0x3d, 0x76, 0x30, 0xf5, - 0x1b, 0x82, 0xf3, 0x51, 0x74, 0x03, 0x01, 0x35, - 0x4f, 0xa3, 0xd7, 0xfc, 0x51, 0xf0, 0x13, 0x2e, - } - h := New() - h.Write(input) - if got := h.Sum(nil); !bytes.Equal(got, want) { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256.go deleted file mode 100644 index a51ad2be24d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256.go +++ /dev/null @@ -1,247 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package sha256 implements the SHA-224 and SHA-256 hash algorithms as defined -// in FIPS 180-4. -package sha256 - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140deps/byteorder" - "errors" - "hash" -) - -// The size of a SHA-256 checksum in bytes. -const size = 32 - -// The size of a SHA-224 checksum in bytes. -const size224 = 28 - -// The block size of SHA-256 and SHA-224 in bytes. -const blockSize = 64 - -// The maximum number of bytes that can be passed to block(). The limit exists -// because implementations that rely on assembly routines are not preemptible. -const maxAsmIters = 1024 -const maxAsmSize = blockSize * maxAsmIters // 64KiB - -const ( - chunk = 64 - init0 = 0x6A09E667 - init1 = 0xBB67AE85 - init2 = 0x3C6EF372 - init3 = 0xA54FF53A - init4 = 0x510E527F - init5 = 0x9B05688C - init6 = 0x1F83D9AB - init7 = 0x5BE0CD19 - init0_224 = 0xC1059ED8 - init1_224 = 0x367CD507 - init2_224 = 0x3070DD17 - init3_224 = 0xF70E5939 - init4_224 = 0xFFC00B31 - init5_224 = 0x68581511 - init6_224 = 0x64F98FA7 - init7_224 = 0xBEFA4FA4 -) - -// Digest is a SHA-224 or SHA-256 [hash.Hash] implementation. -type Digest struct { - h [8]uint32 - x [chunk]byte - nx int - len uint64 - is224 bool // mark if this digest is SHA-224 -} - -const ( - magic224 = "sha\x02" - magic256 = "sha\x03" - marshaledSize = len(magic256) + 8*4 + chunk + 8 -) - -func (d *Digest) MarshalBinary() ([]byte, error) { - return d.AppendBinary(make([]byte, 0, marshaledSize)) -} - -func (d *Digest) AppendBinary(b []byte) ([]byte, error) { - if d.is224 { - b = append(b, magic224...) - } else { - b = append(b, magic256...) - } - b = byteorder.BEAppendUint32(b, d.h[0]) - b = byteorder.BEAppendUint32(b, d.h[1]) - b = byteorder.BEAppendUint32(b, d.h[2]) - b = byteorder.BEAppendUint32(b, d.h[3]) - b = byteorder.BEAppendUint32(b, d.h[4]) - b = byteorder.BEAppendUint32(b, d.h[5]) - b = byteorder.BEAppendUint32(b, d.h[6]) - b = byteorder.BEAppendUint32(b, d.h[7]) - b = append(b, d.x[:d.nx]...) - b = append(b, make([]byte, len(d.x)-d.nx)...) - b = byteorder.BEAppendUint64(b, d.len) - return b, nil -} - -func (d *Digest) UnmarshalBinary(b []byte) error { - if len(b) < len(magic224) || (d.is224 && string(b[:len(magic224)]) != magic224) || (!d.is224 && string(b[:len(magic256)]) != magic256) { - return errors.New("crypto/sha256: invalid hash state identifier") - } - if len(b) != marshaledSize { - return errors.New("crypto/sha256: invalid hash state size") - } - b = b[len(magic224):] - b, d.h[0] = consumeUint32(b) - b, d.h[1] = consumeUint32(b) - b, d.h[2] = consumeUint32(b) - b, d.h[3] = consumeUint32(b) - b, d.h[4] = consumeUint32(b) - b, d.h[5] = consumeUint32(b) - b, d.h[6] = consumeUint32(b) - b, d.h[7] = consumeUint32(b) - b = b[copy(d.x[:], b):] - b, d.len = consumeUint64(b) - d.nx = int(d.len % chunk) - return nil -} - -func consumeUint64(b []byte) ([]byte, uint64) { - return b[8:], byteorder.BEUint64(b) -} - -func consumeUint32(b []byte) ([]byte, uint32) { - return b[4:], byteorder.BEUint32(b) -} - -func (d *Digest) Clone() (hash.Cloner, error) { - r := *d - return &r, nil -} - -func (d *Digest) Reset() { - if !d.is224 { - d.h[0] = init0 - d.h[1] = init1 - d.h[2] = init2 - d.h[3] = init3 - d.h[4] = init4 - d.h[5] = init5 - d.h[6] = init6 - d.h[7] = init7 - } else { - d.h[0] = init0_224 - d.h[1] = init1_224 - d.h[2] = init2_224 - d.h[3] = init3_224 - d.h[4] = init4_224 - d.h[5] = init5_224 - d.h[6] = init6_224 - d.h[7] = init7_224 - } - d.nx = 0 - d.len = 0 -} - -// New returns a new Digest computing the SHA-256 hash. -func New() *Digest { - d := new(Digest) - d.Reset() - return d -} - -// New224 returns a new Digest computing the SHA-224 hash. -func New224() *Digest { - d := new(Digest) - d.is224 = true - d.Reset() - return d -} - -func (d *Digest) Size() int { - if !d.is224 { - return size - } - return size224 -} - -func (d *Digest) BlockSize() int { return blockSize } - -func (d *Digest) Write(p []byte) (nn int, err error) { - nn = len(p) - d.len += uint64(nn) - if d.nx > 0 { - n := copy(d.x[d.nx:], p) - d.nx += n - if d.nx == chunk { - block(d, d.x[:]) - d.nx = 0 - } - p = p[n:] - } - if len(p) >= chunk { - n := len(p) &^ (chunk - 1) - for n > maxAsmSize { - block(d, p[:maxAsmSize]) - p = p[maxAsmSize:] - n -= maxAsmSize - } - block(d, p[:n]) - p = p[n:] - } - if len(p) > 0 { - d.nx = copy(d.x[:], p) - } - return -} - -func (d *Digest) Sum(in []byte) []byte { - fips140.RecordApproved() - // Make a copy of d so that caller can keep writing and summing. - d0 := *d - hash := d0.checkSum() - if d0.is224 { - return append(in, hash[:size224]...) - } - return append(in, hash[:]...) -} - -func (d *Digest) checkSum() [size]byte { - len := d.len - // Padding. Add a 1 bit and 0 bits until 56 bytes mod 64. - var tmp [64 + 8]byte // padding + length buffer - tmp[0] = 0x80 - var t uint64 - if len%64 < 56 { - t = 56 - len%64 - } else { - t = 64 + 56 - len%64 - } - - // Length in bits. - len <<= 3 - padlen := tmp[:t+8] - byteorder.BEPutUint64(padlen[t+0:], len) - d.Write(padlen) - - if d.nx != 0 { - panic("d.nx != 0") - } - - var digest [size]byte - - byteorder.BEPutUint32(digest[0:], d.h[0]) - byteorder.BEPutUint32(digest[4:], d.h[1]) - byteorder.BEPutUint32(digest[8:], d.h[2]) - byteorder.BEPutUint32(digest[12:], d.h[3]) - byteorder.BEPutUint32(digest[16:], d.h[4]) - byteorder.BEPutUint32(digest[20:], d.h[5]) - byteorder.BEPutUint32(digest[24:], d.h[6]) - if !d.is224 { - byteorder.BEPutUint32(digest[28:], d.h[7]) - } - - return digest -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block.go deleted file mode 100644 index 55a400e2502..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block.go +++ /dev/null @@ -1,128 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// SHA256 block step. -// In its own file so that a faster assembly or C version -// can be substituted easily. - -package sha256 - -import "math/bits" - -var _K = [...]uint32{ - 0x428a2f98, - 0x71374491, - 0xb5c0fbcf, - 0xe9b5dba5, - 0x3956c25b, - 0x59f111f1, - 0x923f82a4, - 0xab1c5ed5, - 0xd807aa98, - 0x12835b01, - 0x243185be, - 0x550c7dc3, - 0x72be5d74, - 0x80deb1fe, - 0x9bdc06a7, - 0xc19bf174, - 0xe49b69c1, - 0xefbe4786, - 0x0fc19dc6, - 0x240ca1cc, - 0x2de92c6f, - 0x4a7484aa, - 0x5cb0a9dc, - 0x76f988da, - 0x983e5152, - 0xa831c66d, - 0xb00327c8, - 0xbf597fc7, - 0xc6e00bf3, - 0xd5a79147, - 0x06ca6351, - 0x14292967, - 0x27b70a85, - 0x2e1b2138, - 0x4d2c6dfc, - 0x53380d13, - 0x650a7354, - 0x766a0abb, - 0x81c2c92e, - 0x92722c85, - 0xa2bfe8a1, - 0xa81a664b, - 0xc24b8b70, - 0xc76c51a3, - 0xd192e819, - 0xd6990624, - 0xf40e3585, - 0x106aa070, - 0x19a4c116, - 0x1e376c08, - 0x2748774c, - 0x34b0bcb5, - 0x391c0cb3, - 0x4ed8aa4a, - 0x5b9cca4f, - 0x682e6ff3, - 0x748f82ee, - 0x78a5636f, - 0x84c87814, - 0x8cc70208, - 0x90befffa, - 0xa4506ceb, - 0xbef9a3f7, - 0xc67178f2, -} - -func blockGeneric(dig *Digest, p []byte) { - var w [64]uint32 - h0, h1, h2, h3, h4, h5, h6, h7 := dig.h[0], dig.h[1], dig.h[2], dig.h[3], dig.h[4], dig.h[5], dig.h[6], dig.h[7] - for len(p) >= chunk { - // Can interlace the computation of w with the - // rounds below if needed for speed. - for i := 0; i < 16; i++ { - j := i * 4 - w[i] = uint32(p[j])<<24 | uint32(p[j+1])<<16 | uint32(p[j+2])<<8 | uint32(p[j+3]) - } - for i := 16; i < 64; i++ { - v1 := w[i-2] - t1 := (bits.RotateLeft32(v1, -17)) ^ (bits.RotateLeft32(v1, -19)) ^ (v1 >> 10) - v2 := w[i-15] - t2 := (bits.RotateLeft32(v2, -7)) ^ (bits.RotateLeft32(v2, -18)) ^ (v2 >> 3) - w[i] = t1 + w[i-7] + t2 + w[i-16] - } - - a, b, c, d, e, f, g, h := h0, h1, h2, h3, h4, h5, h6, h7 - - for i := 0; i < 64; i++ { - t1 := h + ((bits.RotateLeft32(e, -6)) ^ (bits.RotateLeft32(e, -11)) ^ (bits.RotateLeft32(e, -25))) + ((e & f) ^ (^e & g)) + _K[i] + w[i] - - t2 := ((bits.RotateLeft32(a, -2)) ^ (bits.RotateLeft32(a, -13)) ^ (bits.RotateLeft32(a, -22))) + ((a & b) ^ (a & c) ^ (b & c)) - - h = g - g = f - f = e - e = d + t1 - d = c - c = b - b = a - a = t1 + t2 - } - - h0 += a - h1 += b - h2 += c - h3 += d - h4 += e - h5 += f - h6 += g - h7 += h - - p = p[chunk:] - } - - dig.h[0], dig.h[1], dig.h[2], dig.h[3], dig.h[4], dig.h[5], dig.h[6], dig.h[7] = h0, h1, h2, h3, h4, h5, h6, h7 -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_386.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_386.s deleted file mode 100644 index 0e27fa02d7e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_386.s +++ /dev/null @@ -1,285 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -// SHA256 block routine. See sha256block.go for Go equivalent. -// -// The algorithm is detailed in FIPS 180-4: -// -// https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf -// -// Wt = Mt; for 0 <= t <= 15 -// Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63 -// -// a = H0 -// b = H1 -// c = H2 -// d = H3 -// e = H4 -// f = H5 -// g = H6 -// h = H7 -// -// for t = 0 to 63 { -// T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt -// T2 = BIGSIGMA0(a) + Maj(a,b,c) -// h = g -// g = f -// f = e -// e = d + T1 -// d = c -// c = b -// b = a -// a = T1 + T2 -// } -// -// H0 = a + H0 -// H1 = b + H1 -// H2 = c + H2 -// H3 = d + H3 -// H4 = e + H4 -// H5 = f + H5 -// H6 = g + H6 -// H7 = h + H7 - -// Wt = Mt; for 0 <= t <= 15 -#define MSGSCHEDULE0(index) \ - MOVL (index*4)(SI), AX; \ - BSWAPL AX; \ - MOVL AX, (index*4)(BP) - -// Wt = SIGMA1(Wt-2) + Wt-7 + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63 -// SIGMA0(x) = ROTR(7,x) XOR ROTR(18,x) XOR SHR(3,x) -// SIGMA1(x) = ROTR(17,x) XOR ROTR(19,x) XOR SHR(10,x) -#define MSGSCHEDULE1(index) \ - MOVL ((index-2)*4)(BP), AX; \ - MOVL AX, CX; \ - RORL $17, AX; \ - MOVL CX, DX; \ - RORL $19, CX; \ - SHRL $10, DX; \ - MOVL ((index-15)*4)(BP), BX; \ - XORL CX, AX; \ - MOVL BX, CX; \ - XORL DX, AX; \ - RORL $7, BX; \ - MOVL CX, DX; \ - SHRL $3, DX; \ - RORL $18, CX; \ - ADDL ((index-7)*4)(BP), AX; \ - XORL CX, BX; \ - XORL DX, BX; \ - ADDL ((index-16)*4)(BP), BX; \ - ADDL BX, AX; \ - MOVL AX, ((index)*4)(BP) - -// Calculate T1 in AX - uses AX, BX, CX and DX registers. -// Wt is passed in AX. -// T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + Kt + Wt -// BIGSIGMA1(x) = ROTR(6,x) XOR ROTR(11,x) XOR ROTR(25,x) -// Ch(x, y, z) = (x AND y) XOR (NOT x AND z) -#define SHA256T1(const, e, f, g, h) \ - MOVL (h*4)(DI), BX; \ - ADDL AX, BX; \ - MOVL (e*4)(DI), AX; \ - ADDL $const, BX; \ - MOVL (e*4)(DI), CX; \ - RORL $6, AX; \ - MOVL (e*4)(DI), DX; \ - RORL $11, CX; \ - XORL CX, AX; \ - MOVL (e*4)(DI), CX; \ - RORL $25, DX; \ - ANDL (f*4)(DI), CX; \ - XORL AX, DX; \ - MOVL (e*4)(DI), AX; \ - NOTL AX; \ - ADDL DX, BX; \ - ANDL (g*4)(DI), AX; \ - XORL CX, AX; \ - ADDL BX, AX - -// Calculate T2 in BX - uses AX, BX, CX and DX registers. -// T2 = BIGSIGMA0(a) + Maj(a, b, c) -// BIGSIGMA0(x) = ROTR(2,x) XOR ROTR(13,x) XOR ROTR(22,x) -// Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) -#define SHA256T2(a, b, c) \ - MOVL (a*4)(DI), AX; \ - MOVL (c*4)(DI), BX; \ - RORL $2, AX; \ - MOVL (a*4)(DI), DX; \ - ANDL (b*4)(DI), BX; \ - RORL $13, DX; \ - MOVL (a*4)(DI), CX; \ - ANDL (c*4)(DI), CX; \ - XORL DX, AX; \ - XORL CX, BX; \ - MOVL (a*4)(DI), DX; \ - MOVL (b*4)(DI), CX; \ - RORL $22, DX; \ - ANDL (a*4)(DI), CX; \ - XORL CX, BX; \ - XORL DX, AX; \ - ADDL AX, BX - -// Calculate T1 and T2, then e = d + T1 and a = T1 + T2. -// The values for e and a are stored in d and h, ready for rotation. -#define SHA256ROUND(index, const, a, b, c, d, e, f, g, h) \ - SHA256T1(const, e, f, g, h); \ - MOVL AX, 292(SP); \ - SHA256T2(a, b, c); \ - MOVL 292(SP), AX; \ - ADDL AX, BX; \ - ADDL AX, (d*4)(DI); \ - MOVL BX, (h*4)(DI) - -#define SHA256ROUND0(index, const, a, b, c, d, e, f, g, h) \ - MSGSCHEDULE0(index); \ - SHA256ROUND(index, const, a, b, c, d, e, f, g, h) - -#define SHA256ROUND1(index, const, a, b, c, d, e, f, g, h) \ - MSGSCHEDULE1(index); \ - SHA256ROUND(index, const, a, b, c, d, e, f, g, h) - -TEXT ·block(SB),0,$296-16 - MOVL p_base+4(FP), SI - MOVL p_len+8(FP), DX - SHRL $6, DX - SHLL $6, DX - - LEAL (SI)(DX*1), DI - MOVL DI, 288(SP) - CMPL SI, DI - JEQ end - - LEAL 256(SP), DI // variables - - MOVL dig+0(FP), BP - MOVL (0*4)(BP), AX // a = H0 - MOVL AX, (0*4)(DI) - MOVL (1*4)(BP), BX // b = H1 - MOVL BX, (1*4)(DI) - MOVL (2*4)(BP), CX // c = H2 - MOVL CX, (2*4)(DI) - MOVL (3*4)(BP), DX // d = H3 - MOVL DX, (3*4)(DI) - MOVL (4*4)(BP), AX // e = H4 - MOVL AX, (4*4)(DI) - MOVL (5*4)(BP), BX // f = H5 - MOVL BX, (5*4)(DI) - MOVL (6*4)(BP), CX // g = H6 - MOVL CX, (6*4)(DI) - MOVL (7*4)(BP), DX // h = H7 - MOVL DX, (7*4)(DI) - -loop: - MOVL SP, BP // message schedule - - SHA256ROUND0(0, 0x428a2f98, 0, 1, 2, 3, 4, 5, 6, 7) - SHA256ROUND0(1, 0x71374491, 7, 0, 1, 2, 3, 4, 5, 6) - SHA256ROUND0(2, 0xb5c0fbcf, 6, 7, 0, 1, 2, 3, 4, 5) - SHA256ROUND0(3, 0xe9b5dba5, 5, 6, 7, 0, 1, 2, 3, 4) - SHA256ROUND0(4, 0x3956c25b, 4, 5, 6, 7, 0, 1, 2, 3) - SHA256ROUND0(5, 0x59f111f1, 3, 4, 5, 6, 7, 0, 1, 2) - SHA256ROUND0(6, 0x923f82a4, 2, 3, 4, 5, 6, 7, 0, 1) - SHA256ROUND0(7, 0xab1c5ed5, 1, 2, 3, 4, 5, 6, 7, 0) - SHA256ROUND0(8, 0xd807aa98, 0, 1, 2, 3, 4, 5, 6, 7) - SHA256ROUND0(9, 0x12835b01, 7, 0, 1, 2, 3, 4, 5, 6) - SHA256ROUND0(10, 0x243185be, 6, 7, 0, 1, 2, 3, 4, 5) - SHA256ROUND0(11, 0x550c7dc3, 5, 6, 7, 0, 1, 2, 3, 4) - SHA256ROUND0(12, 0x72be5d74, 4, 5, 6, 7, 0, 1, 2, 3) - SHA256ROUND0(13, 0x80deb1fe, 3, 4, 5, 6, 7, 0, 1, 2) - SHA256ROUND0(14, 0x9bdc06a7, 2, 3, 4, 5, 6, 7, 0, 1) - SHA256ROUND0(15, 0xc19bf174, 1, 2, 3, 4, 5, 6, 7, 0) - - SHA256ROUND1(16, 0xe49b69c1, 0, 1, 2, 3, 4, 5, 6, 7) - SHA256ROUND1(17, 0xefbe4786, 7, 0, 1, 2, 3, 4, 5, 6) - SHA256ROUND1(18, 0x0fc19dc6, 6, 7, 0, 1, 2, 3, 4, 5) - SHA256ROUND1(19, 0x240ca1cc, 5, 6, 7, 0, 1, 2, 3, 4) - SHA256ROUND1(20, 0x2de92c6f, 4, 5, 6, 7, 0, 1, 2, 3) - SHA256ROUND1(21, 0x4a7484aa, 3, 4, 5, 6, 7, 0, 1, 2) - SHA256ROUND1(22, 0x5cb0a9dc, 2, 3, 4, 5, 6, 7, 0, 1) - SHA256ROUND1(23, 0x76f988da, 1, 2, 3, 4, 5, 6, 7, 0) - SHA256ROUND1(24, 0x983e5152, 0, 1, 2, 3, 4, 5, 6, 7) - SHA256ROUND1(25, 0xa831c66d, 7, 0, 1, 2, 3, 4, 5, 6) - SHA256ROUND1(26, 0xb00327c8, 6, 7, 0, 1, 2, 3, 4, 5) - SHA256ROUND1(27, 0xbf597fc7, 5, 6, 7, 0, 1, 2, 3, 4) - SHA256ROUND1(28, 0xc6e00bf3, 4, 5, 6, 7, 0, 1, 2, 3) - SHA256ROUND1(29, 0xd5a79147, 3, 4, 5, 6, 7, 0, 1, 2) - SHA256ROUND1(30, 0x06ca6351, 2, 3, 4, 5, 6, 7, 0, 1) - SHA256ROUND1(31, 0x14292967, 1, 2, 3, 4, 5, 6, 7, 0) - SHA256ROUND1(32, 0x27b70a85, 0, 1, 2, 3, 4, 5, 6, 7) - SHA256ROUND1(33, 0x2e1b2138, 7, 0, 1, 2, 3, 4, 5, 6) - SHA256ROUND1(34, 0x4d2c6dfc, 6, 7, 0, 1, 2, 3, 4, 5) - SHA256ROUND1(35, 0x53380d13, 5, 6, 7, 0, 1, 2, 3, 4) - SHA256ROUND1(36, 0x650a7354, 4, 5, 6, 7, 0, 1, 2, 3) - SHA256ROUND1(37, 0x766a0abb, 3, 4, 5, 6, 7, 0, 1, 2) - SHA256ROUND1(38, 0x81c2c92e, 2, 3, 4, 5, 6, 7, 0, 1) - SHA256ROUND1(39, 0x92722c85, 1, 2, 3, 4, 5, 6, 7, 0) - SHA256ROUND1(40, 0xa2bfe8a1, 0, 1, 2, 3, 4, 5, 6, 7) - SHA256ROUND1(41, 0xa81a664b, 7, 0, 1, 2, 3, 4, 5, 6) - SHA256ROUND1(42, 0xc24b8b70, 6, 7, 0, 1, 2, 3, 4, 5) - SHA256ROUND1(43, 0xc76c51a3, 5, 6, 7, 0, 1, 2, 3, 4) - SHA256ROUND1(44, 0xd192e819, 4, 5, 6, 7, 0, 1, 2, 3) - SHA256ROUND1(45, 0xd6990624, 3, 4, 5, 6, 7, 0, 1, 2) - SHA256ROUND1(46, 0xf40e3585, 2, 3, 4, 5, 6, 7, 0, 1) - SHA256ROUND1(47, 0x106aa070, 1, 2, 3, 4, 5, 6, 7, 0) - SHA256ROUND1(48, 0x19a4c116, 0, 1, 2, 3, 4, 5, 6, 7) - SHA256ROUND1(49, 0x1e376c08, 7, 0, 1, 2, 3, 4, 5, 6) - SHA256ROUND1(50, 0x2748774c, 6, 7, 0, 1, 2, 3, 4, 5) - SHA256ROUND1(51, 0x34b0bcb5, 5, 6, 7, 0, 1, 2, 3, 4) - SHA256ROUND1(52, 0x391c0cb3, 4, 5, 6, 7, 0, 1, 2, 3) - SHA256ROUND1(53, 0x4ed8aa4a, 3, 4, 5, 6, 7, 0, 1, 2) - SHA256ROUND1(54, 0x5b9cca4f, 2, 3, 4, 5, 6, 7, 0, 1) - SHA256ROUND1(55, 0x682e6ff3, 1, 2, 3, 4, 5, 6, 7, 0) - SHA256ROUND1(56, 0x748f82ee, 0, 1, 2, 3, 4, 5, 6, 7) - SHA256ROUND1(57, 0x78a5636f, 7, 0, 1, 2, 3, 4, 5, 6) - SHA256ROUND1(58, 0x84c87814, 6, 7, 0, 1, 2, 3, 4, 5) - SHA256ROUND1(59, 0x8cc70208, 5, 6, 7, 0, 1, 2, 3, 4) - SHA256ROUND1(60, 0x90befffa, 4, 5, 6, 7, 0, 1, 2, 3) - SHA256ROUND1(61, 0xa4506ceb, 3, 4, 5, 6, 7, 0, 1, 2) - SHA256ROUND1(62, 0xbef9a3f7, 2, 3, 4, 5, 6, 7, 0, 1) - SHA256ROUND1(63, 0xc67178f2, 1, 2, 3, 4, 5, 6, 7, 0) - - MOVL dig+0(FP), BP - MOVL (0*4)(BP), AX // H0 = a + H0 - ADDL (0*4)(DI), AX - MOVL AX, (0*4)(DI) - MOVL AX, (0*4)(BP) - MOVL (1*4)(BP), BX // H1 = b + H1 - ADDL (1*4)(DI), BX - MOVL BX, (1*4)(DI) - MOVL BX, (1*4)(BP) - MOVL (2*4)(BP), CX // H2 = c + H2 - ADDL (2*4)(DI), CX - MOVL CX, (2*4)(DI) - MOVL CX, (2*4)(BP) - MOVL (3*4)(BP), DX // H3 = d + H3 - ADDL (3*4)(DI), DX - MOVL DX, (3*4)(DI) - MOVL DX, (3*4)(BP) - MOVL (4*4)(BP), AX // H4 = e + H4 - ADDL (4*4)(DI), AX - MOVL AX, (4*4)(DI) - MOVL AX, (4*4)(BP) - MOVL (5*4)(BP), BX // H5 = f + H5 - ADDL (5*4)(DI), BX - MOVL BX, (5*4)(DI) - MOVL BX, (5*4)(BP) - MOVL (6*4)(BP), CX // H6 = g + H6 - ADDL (6*4)(DI), CX - MOVL CX, (6*4)(DI) - MOVL CX, (6*4)(BP) - MOVL (7*4)(BP), DX // H7 = h + H7 - ADDL (7*4)(DI), DX - MOVL DX, (7*4)(DI) - MOVL DX, (7*4)(BP) - - ADDL $64, SI - CMPL SI, 288(SP) - JB loop - -end: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_amd64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_amd64.go deleted file mode 100644 index 0aabcd07922..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_amd64.go +++ /dev/null @@ -1,36 +0,0 @@ -// Copyright 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package sha256 - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -var useAVX2 = cpu.X86HasAVX && cpu.X86HasAVX2 && cpu.X86HasBMI2 -var useSHANI = cpu.X86HasAVX && cpu.X86HasSHA && cpu.X86HasSSE41 && cpu.X86HasSSSE3 - -func init() { - impl.Register("sha256", "AVX2", &useAVX2) - impl.Register("sha256", "SHA-NI", &useSHANI) -} - -//go:noescape -func blockAVX2(dig *Digest, p []byte) - -//go:noescape -func blockSHANI(dig *Digest, p []byte) - -func block(dig *Digest, p []byte) { - if useSHANI { - blockSHANI(dig, p) - } else if useAVX2 { - blockAVX2(dig, p) - } else { - blockGeneric(dig, p) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_amd64.s deleted file mode 100644 index d5ab42c819e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_amd64.s +++ /dev/null @@ -1,1486 +0,0 @@ -// Code generated by command: go run sha256block_amd64_asm.go -out ../sha256block_amd64.s. DO NOT EDIT. - -//go:build !purego - -#include "textflag.h" - -// func blockAVX2(dig *Digest, p []byte) -// Requires: AVX, AVX2, BMI2 -TEXT ·blockAVX2(SB), $536-32 - MOVQ dig+0(FP), SI - MOVQ p_base+8(FP), DI - MOVQ p_len+16(FP), DX - LEAQ -64(DI)(DX*1), DX - MOVQ DX, 512(SP) - CMPQ DX, DI - JE avx2_only_one_block - - // Load initial digest - MOVL (SI), AX - MOVL 4(SI), BX - MOVL 8(SI), CX - MOVL 12(SI), R8 - MOVL 16(SI), DX - MOVL 20(SI), R9 - MOVL 24(SI), R10 - MOVL 28(SI), R11 - -avx2_loop0: - // at each iteration works with one block (512 bit) - VMOVDQU (DI), Y0 - VMOVDQU 32(DI), Y1 - VMOVDQU 64(DI), Y2 - VMOVDQU 96(DI), Y3 - VMOVDQU flip_mask<>+0(SB), Y13 - - // Apply Byte Flip Mask: LE -> BE - VPSHUFB Y13, Y0, Y0 - VPSHUFB Y13, Y1, Y1 - VPSHUFB Y13, Y2, Y2 - VPSHUFB Y13, Y3, Y3 - - // Transpose data into high/low parts - VPERM2I128 $0x20, Y2, Y0, Y4 - VPERM2I128 $0x31, Y2, Y0, Y5 - VPERM2I128 $0x20, Y3, Y1, Y6 - VPERM2I128 $0x31, Y3, Y1, Y7 - LEAQ K256<>+0(SB), BP - -avx2_last_block_enter: - ADDQ $0x40, DI - MOVQ DI, 520(SP) - XORQ SI, SI - -avx2_loop1: - // Do 4 rounds and scheduling - VPADDD (BP)(SI*1), Y4, Y9 - VMOVDQU Y9, (SP)(SI*1) - MOVL AX, DI - RORXL $0x19, DX, R13 - RORXL $0x0b, DX, R14 - ADDL (SP)(SI*1), R11 - ORL CX, DI - VPALIGNR $0x04, Y6, Y7, Y0 - MOVL R9, R15 - RORXL $0x0d, AX, R12 - XORL R14, R13 - XORL R10, R15 - VPADDD Y4, Y0, Y0 - RORXL $0x06, DX, R14 - ANDL DX, R15 - XORL R14, R13 - RORXL $0x16, AX, R14 - ADDL R11, R8 - ANDL BX, DI - VPALIGNR $0x04, Y4, Y5, Y1 - XORL R12, R14 - RORXL $0x02, AX, R12 - XORL R10, R15 - VPSRLD $0x07, Y1, Y2 - XORL R12, R14 - MOVL AX, R12 - ANDL CX, R12 - ADDL R13, R15 - VPSLLD $0x19, Y1, Y3 - ORL R12, DI - ADDL R14, R11 - ADDL R15, R8 - VPOR Y2, Y3, Y3 - VPSRLD $0x12, Y1, Y2 - ADDL R15, R11 - ADDL DI, R11 - MOVL R11, DI - RORXL $0x19, R8, R13 - RORXL $0x0b, R8, R14 - ADDL 4(SP)(SI*1), R10 - ORL BX, DI - VPSRLD $0x03, Y1, Y8 - MOVL DX, R15 - RORXL $0x0d, R11, R12 - XORL R14, R13 - XORL R9, R15 - RORXL $0x06, R8, R14 - XORL R14, R13 - RORXL $0x16, R11, R14 - ANDL R8, R15 - ADDL R10, CX - VPSLLD $0x0e, Y1, Y1 - ANDL AX, DI - XORL R12, R14 - VPXOR Y1, Y3, Y3 - RORXL $0x02, R11, R12 - XORL R9, R15 - VPXOR Y2, Y3, Y3 - XORL R12, R14 - MOVL R11, R12 - ANDL BX, R12 - ADDL R13, R15 - VPXOR Y8, Y3, Y1 - VPSHUFD $0xfa, Y7, Y2 - ORL R12, DI - ADDL R14, R10 - VPADDD Y1, Y0, Y0 - ADDL R15, CX - ADDL R15, R10 - ADDL DI, R10 - VPSRLD $0x0a, Y2, Y8 - MOVL R10, DI - RORXL $0x19, CX, R13 - ADDL 8(SP)(SI*1), R9 - VPSRLQ $0x13, Y2, Y3 - RORXL $0x0b, CX, R14 - ORL AX, DI - MOVL R8, R15 - XORL DX, R15 - RORXL $0x0d, R10, R12 - XORL R14, R13 - VPSRLQ $0x11, Y2, Y2 - ANDL CX, R15 - RORXL $0x06, CX, R14 - VPXOR Y3, Y2, Y2 - ADDL R9, BX - ANDL R11, DI - XORL R14, R13 - RORXL $0x16, R10, R14 - VPXOR Y2, Y8, Y8 - XORL DX, R15 - VPSHUFB shuff_00BA<>+0(SB), Y8, Y8 - XORL R12, R14 - RORXL $0x02, R10, R12 - VPADDD Y8, Y0, Y0 - XORL R12, R14 - MOVL R10, R12 - ANDL AX, R12 - ADDL R13, R15 - VPSHUFD $0x50, Y0, Y2 - ORL R12, DI - ADDL R14, R9 - ADDL R15, BX - ADDL R15, R9 - ADDL DI, R9 - MOVL R9, DI - RORXL $0x19, BX, R13 - RORXL $0x0b, BX, R14 - ADDL 12(SP)(SI*1), DX - ORL R11, DI - VPSRLD $0x0a, Y2, Y11 - MOVL CX, R15 - RORXL $0x0d, R9, R12 - XORL R14, R13 - XORL R8, R15 - VPSRLQ $0x13, Y2, Y3 - RORXL $0x06, BX, R14 - ANDL BX, R15 - ADDL DX, AX - ANDL R10, DI - VPSRLQ $0x11, Y2, Y2 - XORL R14, R13 - XORL R8, R15 - VPXOR Y3, Y2, Y2 - RORXL $0x16, R9, R14 - ADDL R13, R15 - VPXOR Y2, Y11, Y11 - XORL R12, R14 - ADDL R15, AX - RORXL $0x02, R9, R12 - VPSHUFB shuff_DC00<>+0(SB), Y11, Y11 - VPADDD Y0, Y11, Y4 - XORL R12, R14 - MOVL R9, R12 - ANDL R11, R12 - ORL R12, DI - ADDL R14, DX - ADDL R15, DX - ADDL DI, DX - - // Do 4 rounds and scheduling - VPADDD 32(BP)(SI*1), Y5, Y9 - VMOVDQU Y9, 32(SP)(SI*1) - MOVL DX, DI - RORXL $0x19, AX, R13 - RORXL $0x0b, AX, R14 - ADDL 32(SP)(SI*1), R8 - ORL R10, DI - VPALIGNR $0x04, Y7, Y4, Y0 - MOVL BX, R15 - RORXL $0x0d, DX, R12 - XORL R14, R13 - XORL CX, R15 - VPADDD Y5, Y0, Y0 - RORXL $0x06, AX, R14 - ANDL AX, R15 - XORL R14, R13 - RORXL $0x16, DX, R14 - ADDL R8, R11 - ANDL R9, DI - VPALIGNR $0x04, Y5, Y6, Y1 - XORL R12, R14 - RORXL $0x02, DX, R12 - XORL CX, R15 - VPSRLD $0x07, Y1, Y2 - XORL R12, R14 - MOVL DX, R12 - ANDL R10, R12 - ADDL R13, R15 - VPSLLD $0x19, Y1, Y3 - ORL R12, DI - ADDL R14, R8 - ADDL R15, R11 - VPOR Y2, Y3, Y3 - VPSRLD $0x12, Y1, Y2 - ADDL R15, R8 - ADDL DI, R8 - MOVL R8, DI - RORXL $0x19, R11, R13 - RORXL $0x0b, R11, R14 - ADDL 36(SP)(SI*1), CX - ORL R9, DI - VPSRLD $0x03, Y1, Y8 - MOVL AX, R15 - RORXL $0x0d, R8, R12 - XORL R14, R13 - XORL BX, R15 - RORXL $0x06, R11, R14 - XORL R14, R13 - RORXL $0x16, R8, R14 - ANDL R11, R15 - ADDL CX, R10 - VPSLLD $0x0e, Y1, Y1 - ANDL DX, DI - XORL R12, R14 - VPXOR Y1, Y3, Y3 - RORXL $0x02, R8, R12 - XORL BX, R15 - VPXOR Y2, Y3, Y3 - XORL R12, R14 - MOVL R8, R12 - ANDL R9, R12 - ADDL R13, R15 - VPXOR Y8, Y3, Y1 - VPSHUFD $0xfa, Y4, Y2 - ORL R12, DI - ADDL R14, CX - VPADDD Y1, Y0, Y0 - ADDL R15, R10 - ADDL R15, CX - ADDL DI, CX - VPSRLD $0x0a, Y2, Y8 - MOVL CX, DI - RORXL $0x19, R10, R13 - ADDL 40(SP)(SI*1), BX - VPSRLQ $0x13, Y2, Y3 - RORXL $0x0b, R10, R14 - ORL DX, DI - MOVL R11, R15 - XORL AX, R15 - RORXL $0x0d, CX, R12 - XORL R14, R13 - VPSRLQ $0x11, Y2, Y2 - ANDL R10, R15 - RORXL $0x06, R10, R14 - VPXOR Y3, Y2, Y2 - ADDL BX, R9 - ANDL R8, DI - XORL R14, R13 - RORXL $0x16, CX, R14 - VPXOR Y2, Y8, Y8 - XORL AX, R15 - VPSHUFB shuff_00BA<>+0(SB), Y8, Y8 - XORL R12, R14 - RORXL $0x02, CX, R12 - VPADDD Y8, Y0, Y0 - XORL R12, R14 - MOVL CX, R12 - ANDL DX, R12 - ADDL R13, R15 - VPSHUFD $0x50, Y0, Y2 - ORL R12, DI - ADDL R14, BX - ADDL R15, R9 - ADDL R15, BX - ADDL DI, BX - MOVL BX, DI - RORXL $0x19, R9, R13 - RORXL $0x0b, R9, R14 - ADDL 44(SP)(SI*1), AX - ORL R8, DI - VPSRLD $0x0a, Y2, Y11 - MOVL R10, R15 - RORXL $0x0d, BX, R12 - XORL R14, R13 - XORL R11, R15 - VPSRLQ $0x13, Y2, Y3 - RORXL $0x06, R9, R14 - ANDL R9, R15 - ADDL AX, DX - ANDL CX, DI - VPSRLQ $0x11, Y2, Y2 - XORL R14, R13 - XORL R11, R15 - VPXOR Y3, Y2, Y2 - RORXL $0x16, BX, R14 - ADDL R13, R15 - VPXOR Y2, Y11, Y11 - XORL R12, R14 - ADDL R15, DX - RORXL $0x02, BX, R12 - VPSHUFB shuff_DC00<>+0(SB), Y11, Y11 - VPADDD Y0, Y11, Y5 - XORL R12, R14 - MOVL BX, R12 - ANDL R8, R12 - ORL R12, DI - ADDL R14, AX - ADDL R15, AX - ADDL DI, AX - - // Do 4 rounds and scheduling - VPADDD 64(BP)(SI*1), Y6, Y9 - VMOVDQU Y9, 64(SP)(SI*1) - MOVL AX, DI - RORXL $0x19, DX, R13 - RORXL $0x0b, DX, R14 - ADDL 64(SP)(SI*1), R11 - ORL CX, DI - VPALIGNR $0x04, Y4, Y5, Y0 - MOVL R9, R15 - RORXL $0x0d, AX, R12 - XORL R14, R13 - XORL R10, R15 - VPADDD Y6, Y0, Y0 - RORXL $0x06, DX, R14 - ANDL DX, R15 - XORL R14, R13 - RORXL $0x16, AX, R14 - ADDL R11, R8 - ANDL BX, DI - VPALIGNR $0x04, Y6, Y7, Y1 - XORL R12, R14 - RORXL $0x02, AX, R12 - XORL R10, R15 - VPSRLD $0x07, Y1, Y2 - XORL R12, R14 - MOVL AX, R12 - ANDL CX, R12 - ADDL R13, R15 - VPSLLD $0x19, Y1, Y3 - ORL R12, DI - ADDL R14, R11 - ADDL R15, R8 - VPOR Y2, Y3, Y3 - VPSRLD $0x12, Y1, Y2 - ADDL R15, R11 - ADDL DI, R11 - MOVL R11, DI - RORXL $0x19, R8, R13 - RORXL $0x0b, R8, R14 - ADDL 68(SP)(SI*1), R10 - ORL BX, DI - VPSRLD $0x03, Y1, Y8 - MOVL DX, R15 - RORXL $0x0d, R11, R12 - XORL R14, R13 - XORL R9, R15 - RORXL $0x06, R8, R14 - XORL R14, R13 - RORXL $0x16, R11, R14 - ANDL R8, R15 - ADDL R10, CX - VPSLLD $0x0e, Y1, Y1 - ANDL AX, DI - XORL R12, R14 - VPXOR Y1, Y3, Y3 - RORXL $0x02, R11, R12 - XORL R9, R15 - VPXOR Y2, Y3, Y3 - XORL R12, R14 - MOVL R11, R12 - ANDL BX, R12 - ADDL R13, R15 - VPXOR Y8, Y3, Y1 - VPSHUFD $0xfa, Y5, Y2 - ORL R12, DI - ADDL R14, R10 - VPADDD Y1, Y0, Y0 - ADDL R15, CX - ADDL R15, R10 - ADDL DI, R10 - VPSRLD $0x0a, Y2, Y8 - MOVL R10, DI - RORXL $0x19, CX, R13 - ADDL 72(SP)(SI*1), R9 - VPSRLQ $0x13, Y2, Y3 - RORXL $0x0b, CX, R14 - ORL AX, DI - MOVL R8, R15 - XORL DX, R15 - RORXL $0x0d, R10, R12 - XORL R14, R13 - VPSRLQ $0x11, Y2, Y2 - ANDL CX, R15 - RORXL $0x06, CX, R14 - VPXOR Y3, Y2, Y2 - ADDL R9, BX - ANDL R11, DI - XORL R14, R13 - RORXL $0x16, R10, R14 - VPXOR Y2, Y8, Y8 - XORL DX, R15 - VPSHUFB shuff_00BA<>+0(SB), Y8, Y8 - XORL R12, R14 - RORXL $0x02, R10, R12 - VPADDD Y8, Y0, Y0 - XORL R12, R14 - MOVL R10, R12 - ANDL AX, R12 - ADDL R13, R15 - VPSHUFD $0x50, Y0, Y2 - ORL R12, DI - ADDL R14, R9 - ADDL R15, BX - ADDL R15, R9 - ADDL DI, R9 - MOVL R9, DI - RORXL $0x19, BX, R13 - RORXL $0x0b, BX, R14 - ADDL 76(SP)(SI*1), DX - ORL R11, DI - VPSRLD $0x0a, Y2, Y11 - MOVL CX, R15 - RORXL $0x0d, R9, R12 - XORL R14, R13 - XORL R8, R15 - VPSRLQ $0x13, Y2, Y3 - RORXL $0x06, BX, R14 - ANDL BX, R15 - ADDL DX, AX - ANDL R10, DI - VPSRLQ $0x11, Y2, Y2 - XORL R14, R13 - XORL R8, R15 - VPXOR Y3, Y2, Y2 - RORXL $0x16, R9, R14 - ADDL R13, R15 - VPXOR Y2, Y11, Y11 - XORL R12, R14 - ADDL R15, AX - RORXL $0x02, R9, R12 - VPSHUFB shuff_DC00<>+0(SB), Y11, Y11 - VPADDD Y0, Y11, Y6 - XORL R12, R14 - MOVL R9, R12 - ANDL R11, R12 - ORL R12, DI - ADDL R14, DX - ADDL R15, DX - ADDL DI, DX - - // Do 4 rounds and scheduling - VPADDD 96(BP)(SI*1), Y7, Y9 - VMOVDQU Y9, 96(SP)(SI*1) - MOVL DX, DI - RORXL $0x19, AX, R13 - RORXL $0x0b, AX, R14 - ADDL 96(SP)(SI*1), R8 - ORL R10, DI - VPALIGNR $0x04, Y5, Y6, Y0 - MOVL BX, R15 - RORXL $0x0d, DX, R12 - XORL R14, R13 - XORL CX, R15 - VPADDD Y7, Y0, Y0 - RORXL $0x06, AX, R14 - ANDL AX, R15 - XORL R14, R13 - RORXL $0x16, DX, R14 - ADDL R8, R11 - ANDL R9, DI - VPALIGNR $0x04, Y7, Y4, Y1 - XORL R12, R14 - RORXL $0x02, DX, R12 - XORL CX, R15 - VPSRLD $0x07, Y1, Y2 - XORL R12, R14 - MOVL DX, R12 - ANDL R10, R12 - ADDL R13, R15 - VPSLLD $0x19, Y1, Y3 - ORL R12, DI - ADDL R14, R8 - ADDL R15, R11 - VPOR Y2, Y3, Y3 - VPSRLD $0x12, Y1, Y2 - ADDL R15, R8 - ADDL DI, R8 - MOVL R8, DI - RORXL $0x19, R11, R13 - RORXL $0x0b, R11, R14 - ADDL 100(SP)(SI*1), CX - ORL R9, DI - VPSRLD $0x03, Y1, Y8 - MOVL AX, R15 - RORXL $0x0d, R8, R12 - XORL R14, R13 - XORL BX, R15 - RORXL $0x06, R11, R14 - XORL R14, R13 - RORXL $0x16, R8, R14 - ANDL R11, R15 - ADDL CX, R10 - VPSLLD $0x0e, Y1, Y1 - ANDL DX, DI - XORL R12, R14 - VPXOR Y1, Y3, Y3 - RORXL $0x02, R8, R12 - XORL BX, R15 - VPXOR Y2, Y3, Y3 - XORL R12, R14 - MOVL R8, R12 - ANDL R9, R12 - ADDL R13, R15 - VPXOR Y8, Y3, Y1 - VPSHUFD $0xfa, Y6, Y2 - ORL R12, DI - ADDL R14, CX - VPADDD Y1, Y0, Y0 - ADDL R15, R10 - ADDL R15, CX - ADDL DI, CX - VPSRLD $0x0a, Y2, Y8 - MOVL CX, DI - RORXL $0x19, R10, R13 - ADDL 104(SP)(SI*1), BX - VPSRLQ $0x13, Y2, Y3 - RORXL $0x0b, R10, R14 - ORL DX, DI - MOVL R11, R15 - XORL AX, R15 - RORXL $0x0d, CX, R12 - XORL R14, R13 - VPSRLQ $0x11, Y2, Y2 - ANDL R10, R15 - RORXL $0x06, R10, R14 - VPXOR Y3, Y2, Y2 - ADDL BX, R9 - ANDL R8, DI - XORL R14, R13 - RORXL $0x16, CX, R14 - VPXOR Y2, Y8, Y8 - XORL AX, R15 - VPSHUFB shuff_00BA<>+0(SB), Y8, Y8 - XORL R12, R14 - RORXL $0x02, CX, R12 - VPADDD Y8, Y0, Y0 - XORL R12, R14 - MOVL CX, R12 - ANDL DX, R12 - ADDL R13, R15 - VPSHUFD $0x50, Y0, Y2 - ORL R12, DI - ADDL R14, BX - ADDL R15, R9 - ADDL R15, BX - ADDL DI, BX - MOVL BX, DI - RORXL $0x19, R9, R13 - RORXL $0x0b, R9, R14 - ADDL 108(SP)(SI*1), AX - ORL R8, DI - VPSRLD $0x0a, Y2, Y11 - MOVL R10, R15 - RORXL $0x0d, BX, R12 - XORL R14, R13 - XORL R11, R15 - VPSRLQ $0x13, Y2, Y3 - RORXL $0x06, R9, R14 - ANDL R9, R15 - ADDL AX, DX - ANDL CX, DI - VPSRLQ $0x11, Y2, Y2 - XORL R14, R13 - XORL R11, R15 - VPXOR Y3, Y2, Y2 - RORXL $0x16, BX, R14 - ADDL R13, R15 - VPXOR Y2, Y11, Y11 - XORL R12, R14 - ADDL R15, DX - RORXL $0x02, BX, R12 - VPSHUFB shuff_DC00<>+0(SB), Y11, Y11 - VPADDD Y0, Y11, Y7 - XORL R12, R14 - MOVL BX, R12 - ANDL R8, R12 - ORL R12, DI - ADDL R14, AX - ADDL R15, AX - ADDL DI, AX - ADDQ $0x80, SI - CMPQ SI, $0x00000180 - JB avx2_loop1 - -avx2_loop2: - VPADDD (BP)(SI*1), Y4, Y9 - VMOVDQU Y9, (SP)(SI*1) - MOVL R9, R15 - RORXL $0x19, DX, R13 - RORXL $0x0b, DX, R14 - XORL R10, R15 - XORL R14, R13 - RORXL $0x06, DX, R14 - ANDL DX, R15 - XORL R14, R13 - RORXL $0x0d, AX, R12 - XORL R10, R15 - RORXL $0x16, AX, R14 - MOVL AX, DI - XORL R12, R14 - RORXL $0x02, AX, R12 - ADDL (SP)(SI*1), R11 - ORL CX, DI - XORL R12, R14 - MOVL AX, R12 - ANDL BX, DI - ANDL CX, R12 - ADDL R13, R15 - ADDL R11, R8 - ORL R12, DI - ADDL R14, R11 - ADDL R15, R8 - ADDL R15, R11 - MOVL DX, R15 - RORXL $0x19, R8, R13 - RORXL $0x0b, R8, R14 - XORL R9, R15 - XORL R14, R13 - RORXL $0x06, R8, R14 - ANDL R8, R15 - ADDL DI, R11 - XORL R14, R13 - RORXL $0x0d, R11, R12 - XORL R9, R15 - RORXL $0x16, R11, R14 - MOVL R11, DI - XORL R12, R14 - RORXL $0x02, R11, R12 - ADDL 4(SP)(SI*1), R10 - ORL BX, DI - XORL R12, R14 - MOVL R11, R12 - ANDL AX, DI - ANDL BX, R12 - ADDL R13, R15 - ADDL R10, CX - ORL R12, DI - ADDL R14, R10 - ADDL R15, CX - ADDL R15, R10 - MOVL R8, R15 - RORXL $0x19, CX, R13 - RORXL $0x0b, CX, R14 - XORL DX, R15 - XORL R14, R13 - RORXL $0x06, CX, R14 - ANDL CX, R15 - ADDL DI, R10 - XORL R14, R13 - RORXL $0x0d, R10, R12 - XORL DX, R15 - RORXL $0x16, R10, R14 - MOVL R10, DI - XORL R12, R14 - RORXL $0x02, R10, R12 - ADDL 8(SP)(SI*1), R9 - ORL AX, DI - XORL R12, R14 - MOVL R10, R12 - ANDL R11, DI - ANDL AX, R12 - ADDL R13, R15 - ADDL R9, BX - ORL R12, DI - ADDL R14, R9 - ADDL R15, BX - ADDL R15, R9 - MOVL CX, R15 - RORXL $0x19, BX, R13 - RORXL $0x0b, BX, R14 - XORL R8, R15 - XORL R14, R13 - RORXL $0x06, BX, R14 - ANDL BX, R15 - ADDL DI, R9 - XORL R14, R13 - RORXL $0x0d, R9, R12 - XORL R8, R15 - RORXL $0x16, R9, R14 - MOVL R9, DI - XORL R12, R14 - RORXL $0x02, R9, R12 - ADDL 12(SP)(SI*1), DX - ORL R11, DI - XORL R12, R14 - MOVL R9, R12 - ANDL R10, DI - ANDL R11, R12 - ADDL R13, R15 - ADDL DX, AX - ORL R12, DI - ADDL R14, DX - ADDL R15, AX - ADDL R15, DX - ADDL DI, DX - VPADDD 32(BP)(SI*1), Y5, Y9 - VMOVDQU Y9, 32(SP)(SI*1) - MOVL BX, R15 - RORXL $0x19, AX, R13 - RORXL $0x0b, AX, R14 - XORL CX, R15 - XORL R14, R13 - RORXL $0x06, AX, R14 - ANDL AX, R15 - XORL R14, R13 - RORXL $0x0d, DX, R12 - XORL CX, R15 - RORXL $0x16, DX, R14 - MOVL DX, DI - XORL R12, R14 - RORXL $0x02, DX, R12 - ADDL 32(SP)(SI*1), R8 - ORL R10, DI - XORL R12, R14 - MOVL DX, R12 - ANDL R9, DI - ANDL R10, R12 - ADDL R13, R15 - ADDL R8, R11 - ORL R12, DI - ADDL R14, R8 - ADDL R15, R11 - ADDL R15, R8 - MOVL AX, R15 - RORXL $0x19, R11, R13 - RORXL $0x0b, R11, R14 - XORL BX, R15 - XORL R14, R13 - RORXL $0x06, R11, R14 - ANDL R11, R15 - ADDL DI, R8 - XORL R14, R13 - RORXL $0x0d, R8, R12 - XORL BX, R15 - RORXL $0x16, R8, R14 - MOVL R8, DI - XORL R12, R14 - RORXL $0x02, R8, R12 - ADDL 36(SP)(SI*1), CX - ORL R9, DI - XORL R12, R14 - MOVL R8, R12 - ANDL DX, DI - ANDL R9, R12 - ADDL R13, R15 - ADDL CX, R10 - ORL R12, DI - ADDL R14, CX - ADDL R15, R10 - ADDL R15, CX - MOVL R11, R15 - RORXL $0x19, R10, R13 - RORXL $0x0b, R10, R14 - XORL AX, R15 - XORL R14, R13 - RORXL $0x06, R10, R14 - ANDL R10, R15 - ADDL DI, CX - XORL R14, R13 - RORXL $0x0d, CX, R12 - XORL AX, R15 - RORXL $0x16, CX, R14 - MOVL CX, DI - XORL R12, R14 - RORXL $0x02, CX, R12 - ADDL 40(SP)(SI*1), BX - ORL DX, DI - XORL R12, R14 - MOVL CX, R12 - ANDL R8, DI - ANDL DX, R12 - ADDL R13, R15 - ADDL BX, R9 - ORL R12, DI - ADDL R14, BX - ADDL R15, R9 - ADDL R15, BX - MOVL R10, R15 - RORXL $0x19, R9, R13 - RORXL $0x0b, R9, R14 - XORL R11, R15 - XORL R14, R13 - RORXL $0x06, R9, R14 - ANDL R9, R15 - ADDL DI, BX - XORL R14, R13 - RORXL $0x0d, BX, R12 - XORL R11, R15 - RORXL $0x16, BX, R14 - MOVL BX, DI - XORL R12, R14 - RORXL $0x02, BX, R12 - ADDL 44(SP)(SI*1), AX - ORL R8, DI - XORL R12, R14 - MOVL BX, R12 - ANDL CX, DI - ANDL R8, R12 - ADDL R13, R15 - ADDL AX, DX - ORL R12, DI - ADDL R14, AX - ADDL R15, DX - ADDL R15, AX - ADDL DI, AX - ADDQ $0x40, SI - VMOVDQU Y6, Y4 - VMOVDQU Y7, Y5 - CMPQ SI, $0x00000200 - JB avx2_loop2 - MOVQ dig+0(FP), SI - MOVQ 520(SP), DI - ADDL AX, (SI) - MOVL (SI), AX - ADDL BX, 4(SI) - MOVL 4(SI), BX - ADDL CX, 8(SI) - MOVL 8(SI), CX - ADDL R8, 12(SI) - MOVL 12(SI), R8 - ADDL DX, 16(SI) - MOVL 16(SI), DX - ADDL R9, 20(SI) - MOVL 20(SI), R9 - ADDL R10, 24(SI) - MOVL 24(SI), R10 - ADDL R11, 28(SI) - MOVL 28(SI), R11 - CMPQ 512(SP), DI - JB done_hash - XORQ SI, SI - -avx2_loop3: - MOVL R9, R15 - RORXL $0x19, DX, R13 - RORXL $0x0b, DX, R14 - XORL R10, R15 - XORL R14, R13 - RORXL $0x06, DX, R14 - ANDL DX, R15 - XORL R14, R13 - RORXL $0x0d, AX, R12 - XORL R10, R15 - RORXL $0x16, AX, R14 - MOVL AX, DI - XORL R12, R14 - RORXL $0x02, AX, R12 - ADDL 16(SP)(SI*1), R11 - ORL CX, DI - XORL R12, R14 - MOVL AX, R12 - ANDL BX, DI - ANDL CX, R12 - ADDL R13, R15 - ADDL R11, R8 - ORL R12, DI - ADDL R14, R11 - ADDL R15, R8 - ADDL R15, R11 - MOVL DX, R15 - RORXL $0x19, R8, R13 - RORXL $0x0b, R8, R14 - XORL R9, R15 - XORL R14, R13 - RORXL $0x06, R8, R14 - ANDL R8, R15 - ADDL DI, R11 - XORL R14, R13 - RORXL $0x0d, R11, R12 - XORL R9, R15 - RORXL $0x16, R11, R14 - MOVL R11, DI - XORL R12, R14 - RORXL $0x02, R11, R12 - ADDL 20(SP)(SI*1), R10 - ORL BX, DI - XORL R12, R14 - MOVL R11, R12 - ANDL AX, DI - ANDL BX, R12 - ADDL R13, R15 - ADDL R10, CX - ORL R12, DI - ADDL R14, R10 - ADDL R15, CX - ADDL R15, R10 - MOVL R8, R15 - RORXL $0x19, CX, R13 - RORXL $0x0b, CX, R14 - XORL DX, R15 - XORL R14, R13 - RORXL $0x06, CX, R14 - ANDL CX, R15 - ADDL DI, R10 - XORL R14, R13 - RORXL $0x0d, R10, R12 - XORL DX, R15 - RORXL $0x16, R10, R14 - MOVL R10, DI - XORL R12, R14 - RORXL $0x02, R10, R12 - ADDL 24(SP)(SI*1), R9 - ORL AX, DI - XORL R12, R14 - MOVL R10, R12 - ANDL R11, DI - ANDL AX, R12 - ADDL R13, R15 - ADDL R9, BX - ORL R12, DI - ADDL R14, R9 - ADDL R15, BX - ADDL R15, R9 - MOVL CX, R15 - RORXL $0x19, BX, R13 - RORXL $0x0b, BX, R14 - XORL R8, R15 - XORL R14, R13 - RORXL $0x06, BX, R14 - ANDL BX, R15 - ADDL DI, R9 - XORL R14, R13 - RORXL $0x0d, R9, R12 - XORL R8, R15 - RORXL $0x16, R9, R14 - MOVL R9, DI - XORL R12, R14 - RORXL $0x02, R9, R12 - ADDL 28(SP)(SI*1), DX - ORL R11, DI - XORL R12, R14 - MOVL R9, R12 - ANDL R10, DI - ANDL R11, R12 - ADDL R13, R15 - ADDL DX, AX - ORL R12, DI - ADDL R14, DX - ADDL R15, AX - ADDL R15, DX - ADDL DI, DX - MOVL BX, R15 - RORXL $0x19, AX, R13 - RORXL $0x0b, AX, R14 - XORL CX, R15 - XORL R14, R13 - RORXL $0x06, AX, R14 - ANDL AX, R15 - XORL R14, R13 - RORXL $0x0d, DX, R12 - XORL CX, R15 - RORXL $0x16, DX, R14 - MOVL DX, DI - XORL R12, R14 - RORXL $0x02, DX, R12 - ADDL 48(SP)(SI*1), R8 - ORL R10, DI - XORL R12, R14 - MOVL DX, R12 - ANDL R9, DI - ANDL R10, R12 - ADDL R13, R15 - ADDL R8, R11 - ORL R12, DI - ADDL R14, R8 - ADDL R15, R11 - ADDL R15, R8 - MOVL AX, R15 - RORXL $0x19, R11, R13 - RORXL $0x0b, R11, R14 - XORL BX, R15 - XORL R14, R13 - RORXL $0x06, R11, R14 - ANDL R11, R15 - ADDL DI, R8 - XORL R14, R13 - RORXL $0x0d, R8, R12 - XORL BX, R15 - RORXL $0x16, R8, R14 - MOVL R8, DI - XORL R12, R14 - RORXL $0x02, R8, R12 - ADDL 52(SP)(SI*1), CX - ORL R9, DI - XORL R12, R14 - MOVL R8, R12 - ANDL DX, DI - ANDL R9, R12 - ADDL R13, R15 - ADDL CX, R10 - ORL R12, DI - ADDL R14, CX - ADDL R15, R10 - ADDL R15, CX - MOVL R11, R15 - RORXL $0x19, R10, R13 - RORXL $0x0b, R10, R14 - XORL AX, R15 - XORL R14, R13 - RORXL $0x06, R10, R14 - ANDL R10, R15 - ADDL DI, CX - XORL R14, R13 - RORXL $0x0d, CX, R12 - XORL AX, R15 - RORXL $0x16, CX, R14 - MOVL CX, DI - XORL R12, R14 - RORXL $0x02, CX, R12 - ADDL 56(SP)(SI*1), BX - ORL DX, DI - XORL R12, R14 - MOVL CX, R12 - ANDL R8, DI - ANDL DX, R12 - ADDL R13, R15 - ADDL BX, R9 - ORL R12, DI - ADDL R14, BX - ADDL R15, R9 - ADDL R15, BX - MOVL R10, R15 - RORXL $0x19, R9, R13 - RORXL $0x0b, R9, R14 - XORL R11, R15 - XORL R14, R13 - RORXL $0x06, R9, R14 - ANDL R9, R15 - ADDL DI, BX - XORL R14, R13 - RORXL $0x0d, BX, R12 - XORL R11, R15 - RORXL $0x16, BX, R14 - MOVL BX, DI - XORL R12, R14 - RORXL $0x02, BX, R12 - ADDL 60(SP)(SI*1), AX - ORL R8, DI - XORL R12, R14 - MOVL BX, R12 - ANDL CX, DI - ANDL R8, R12 - ADDL R13, R15 - ADDL AX, DX - ORL R12, DI - ADDL R14, AX - ADDL R15, DX - ADDL R15, AX - ADDL DI, AX - ADDQ $0x40, SI - CMPQ SI, $0x00000200 - JB avx2_loop3 - MOVQ dig+0(FP), SI - MOVQ 520(SP), DI - ADDQ $0x40, DI - ADDL AX, (SI) - MOVL (SI), AX - ADDL BX, 4(SI) - MOVL 4(SI), BX - ADDL CX, 8(SI) - MOVL 8(SI), CX - ADDL R8, 12(SI) - MOVL 12(SI), R8 - ADDL DX, 16(SI) - MOVL 16(SI), DX - ADDL R9, 20(SI) - MOVL 20(SI), R9 - ADDL R10, 24(SI) - MOVL 24(SI), R10 - ADDL R11, 28(SI) - MOVL 28(SI), R11 - CMPQ 512(SP), DI - JA avx2_loop0 - JB done_hash - -avx2_do_last_block: - VMOVDQU (DI), X4 - VMOVDQU 16(DI), X5 - VMOVDQU 32(DI), X6 - VMOVDQU 48(DI), X7 - VMOVDQU flip_mask<>+0(SB), Y13 - VPSHUFB X13, X4, X4 - VPSHUFB X13, X5, X5 - VPSHUFB X13, X6, X6 - VPSHUFB X13, X7, X7 - LEAQ K256<>+0(SB), BP - JMP avx2_last_block_enter - -avx2_only_one_block: - MOVL (SI), AX - MOVL 4(SI), BX - MOVL 8(SI), CX - MOVL 12(SI), R8 - MOVL 16(SI), DX - MOVL 20(SI), R9 - MOVL 24(SI), R10 - MOVL 28(SI), R11 - JMP avx2_do_last_block - -done_hash: - VZEROUPPER - RET - -DATA flip_mask<>+0(SB)/8, $0x0405060700010203 -DATA flip_mask<>+8(SB)/8, $0x0c0d0e0f08090a0b -DATA flip_mask<>+16(SB)/8, $0x0405060700010203 -DATA flip_mask<>+24(SB)/8, $0x0c0d0e0f08090a0b -GLOBL flip_mask<>(SB), RODATA, $32 - -DATA K256<>+0(SB)/4, $0x428a2f98 -DATA K256<>+4(SB)/4, $0x71374491 -DATA K256<>+8(SB)/4, $0xb5c0fbcf -DATA K256<>+12(SB)/4, $0xe9b5dba5 -DATA K256<>+16(SB)/4, $0x428a2f98 -DATA K256<>+20(SB)/4, $0x71374491 -DATA K256<>+24(SB)/4, $0xb5c0fbcf -DATA K256<>+28(SB)/4, $0xe9b5dba5 -DATA K256<>+32(SB)/4, $0x3956c25b -DATA K256<>+36(SB)/4, $0x59f111f1 -DATA K256<>+40(SB)/4, $0x923f82a4 -DATA K256<>+44(SB)/4, $0xab1c5ed5 -DATA K256<>+48(SB)/4, $0x3956c25b -DATA K256<>+52(SB)/4, $0x59f111f1 -DATA K256<>+56(SB)/4, $0x923f82a4 -DATA K256<>+60(SB)/4, $0xab1c5ed5 -DATA K256<>+64(SB)/4, $0xd807aa98 -DATA K256<>+68(SB)/4, $0x12835b01 -DATA K256<>+72(SB)/4, $0x243185be -DATA K256<>+76(SB)/4, $0x550c7dc3 -DATA K256<>+80(SB)/4, $0xd807aa98 -DATA K256<>+84(SB)/4, $0x12835b01 -DATA K256<>+88(SB)/4, $0x243185be -DATA K256<>+92(SB)/4, $0x550c7dc3 -DATA K256<>+96(SB)/4, $0x72be5d74 -DATA K256<>+100(SB)/4, $0x80deb1fe -DATA K256<>+104(SB)/4, $0x9bdc06a7 -DATA K256<>+108(SB)/4, $0xc19bf174 -DATA K256<>+112(SB)/4, $0x72be5d74 -DATA K256<>+116(SB)/4, $0x80deb1fe -DATA K256<>+120(SB)/4, $0x9bdc06a7 -DATA K256<>+124(SB)/4, $0xc19bf174 -DATA K256<>+128(SB)/4, $0xe49b69c1 -DATA K256<>+132(SB)/4, $0xefbe4786 -DATA K256<>+136(SB)/4, $0x0fc19dc6 -DATA K256<>+140(SB)/4, $0x240ca1cc -DATA K256<>+144(SB)/4, $0xe49b69c1 -DATA K256<>+148(SB)/4, $0xefbe4786 -DATA K256<>+152(SB)/4, $0x0fc19dc6 -DATA K256<>+156(SB)/4, $0x240ca1cc -DATA K256<>+160(SB)/4, $0x2de92c6f -DATA K256<>+164(SB)/4, $0x4a7484aa -DATA K256<>+168(SB)/4, $0x5cb0a9dc -DATA K256<>+172(SB)/4, $0x76f988da -DATA K256<>+176(SB)/4, $0x2de92c6f -DATA K256<>+180(SB)/4, $0x4a7484aa -DATA K256<>+184(SB)/4, $0x5cb0a9dc -DATA K256<>+188(SB)/4, $0x76f988da -DATA K256<>+192(SB)/4, $0x983e5152 -DATA K256<>+196(SB)/4, $0xa831c66d -DATA K256<>+200(SB)/4, $0xb00327c8 -DATA K256<>+204(SB)/4, $0xbf597fc7 -DATA K256<>+208(SB)/4, $0x983e5152 -DATA K256<>+212(SB)/4, $0xa831c66d -DATA K256<>+216(SB)/4, $0xb00327c8 -DATA K256<>+220(SB)/4, $0xbf597fc7 -DATA K256<>+224(SB)/4, $0xc6e00bf3 -DATA K256<>+228(SB)/4, $0xd5a79147 -DATA K256<>+232(SB)/4, $0x06ca6351 -DATA K256<>+236(SB)/4, $0x14292967 -DATA K256<>+240(SB)/4, $0xc6e00bf3 -DATA K256<>+244(SB)/4, $0xd5a79147 -DATA K256<>+248(SB)/4, $0x06ca6351 -DATA K256<>+252(SB)/4, $0x14292967 -DATA K256<>+256(SB)/4, $0x27b70a85 -DATA K256<>+260(SB)/4, $0x2e1b2138 -DATA K256<>+264(SB)/4, $0x4d2c6dfc -DATA K256<>+268(SB)/4, $0x53380d13 -DATA K256<>+272(SB)/4, $0x27b70a85 -DATA K256<>+276(SB)/4, $0x2e1b2138 -DATA K256<>+280(SB)/4, $0x4d2c6dfc -DATA K256<>+284(SB)/4, $0x53380d13 -DATA K256<>+288(SB)/4, $0x650a7354 -DATA K256<>+292(SB)/4, $0x766a0abb -DATA K256<>+296(SB)/4, $0x81c2c92e -DATA K256<>+300(SB)/4, $0x92722c85 -DATA K256<>+304(SB)/4, $0x650a7354 -DATA K256<>+308(SB)/4, $0x766a0abb -DATA K256<>+312(SB)/4, $0x81c2c92e -DATA K256<>+316(SB)/4, $0x92722c85 -DATA K256<>+320(SB)/4, $0xa2bfe8a1 -DATA K256<>+324(SB)/4, $0xa81a664b -DATA K256<>+328(SB)/4, $0xc24b8b70 -DATA K256<>+332(SB)/4, $0xc76c51a3 -DATA K256<>+336(SB)/4, $0xa2bfe8a1 -DATA K256<>+340(SB)/4, $0xa81a664b -DATA K256<>+344(SB)/4, $0xc24b8b70 -DATA K256<>+348(SB)/4, $0xc76c51a3 -DATA K256<>+352(SB)/4, $0xd192e819 -DATA K256<>+356(SB)/4, $0xd6990624 -DATA K256<>+360(SB)/4, $0xf40e3585 -DATA K256<>+364(SB)/4, $0x106aa070 -DATA K256<>+368(SB)/4, $0xd192e819 -DATA K256<>+372(SB)/4, $0xd6990624 -DATA K256<>+376(SB)/4, $0xf40e3585 -DATA K256<>+380(SB)/4, $0x106aa070 -DATA K256<>+384(SB)/4, $0x19a4c116 -DATA K256<>+388(SB)/4, $0x1e376c08 -DATA K256<>+392(SB)/4, $0x2748774c -DATA K256<>+396(SB)/4, $0x34b0bcb5 -DATA K256<>+400(SB)/4, $0x19a4c116 -DATA K256<>+404(SB)/4, $0x1e376c08 -DATA K256<>+408(SB)/4, $0x2748774c -DATA K256<>+412(SB)/4, $0x34b0bcb5 -DATA K256<>+416(SB)/4, $0x391c0cb3 -DATA K256<>+420(SB)/4, $0x4ed8aa4a -DATA K256<>+424(SB)/4, $0x5b9cca4f -DATA K256<>+428(SB)/4, $0x682e6ff3 -DATA K256<>+432(SB)/4, $0x391c0cb3 -DATA K256<>+436(SB)/4, $0x4ed8aa4a -DATA K256<>+440(SB)/4, $0x5b9cca4f -DATA K256<>+444(SB)/4, $0x682e6ff3 -DATA K256<>+448(SB)/4, $0x748f82ee -DATA K256<>+452(SB)/4, $0x78a5636f -DATA K256<>+456(SB)/4, $0x84c87814 -DATA K256<>+460(SB)/4, $0x8cc70208 -DATA K256<>+464(SB)/4, $0x748f82ee -DATA K256<>+468(SB)/4, $0x78a5636f -DATA K256<>+472(SB)/4, $0x84c87814 -DATA K256<>+476(SB)/4, $0x8cc70208 -DATA K256<>+480(SB)/4, $0x90befffa -DATA K256<>+484(SB)/4, $0xa4506ceb -DATA K256<>+488(SB)/4, $0xbef9a3f7 -DATA K256<>+492(SB)/4, $0xc67178f2 -DATA K256<>+496(SB)/4, $0x90befffa -DATA K256<>+500(SB)/4, $0xa4506ceb -DATA K256<>+504(SB)/4, $0xbef9a3f7 -DATA K256<>+508(SB)/4, $0xc67178f2 -GLOBL K256<>(SB), RODATA|NOPTR, $512 - -DATA shuff_00BA<>+0(SB)/8, $0x0b0a090803020100 -DATA shuff_00BA<>+8(SB)/8, $0xffffffffffffffff -DATA shuff_00BA<>+16(SB)/8, $0x0b0a090803020100 -DATA shuff_00BA<>+24(SB)/8, $0xffffffffffffffff -GLOBL shuff_00BA<>(SB), RODATA, $32 - -DATA shuff_DC00<>+0(SB)/8, $0xffffffffffffffff -DATA shuff_DC00<>+8(SB)/8, $0x0b0a090803020100 -DATA shuff_DC00<>+16(SB)/8, $0xffffffffffffffff -DATA shuff_DC00<>+24(SB)/8, $0x0b0a090803020100 -GLOBL shuff_DC00<>(SB), RODATA, $32 - -// func blockSHANI(dig *Digest, p []byte) -// Requires: AVX, SHA, SSE2, SSE4.1, SSSE3 -TEXT ·blockSHANI(SB), $0-32 - MOVQ dig+0(FP), DI - MOVQ p_base+8(FP), SI - MOVQ p_len+16(FP), DX - SHRQ $0x06, DX - SHLQ $0x06, DX - CMPQ DX, $0x00 - JEQ done - ADDQ SI, DX - VMOVDQU (DI), X1 - VMOVDQU 16(DI), X2 - PSHUFD $0xb1, X1, X1 - PSHUFD $0x1b, X2, X2 - VMOVDQA X1, X7 - PALIGNR $0x08, X2, X1 - PBLENDW $0xf0, X7, X2 - VMOVDQA flip_mask<>+0(SB), X8 - LEAQ K256<>+0(SB), AX - -roundLoop: - // save hash values for addition after rounds - VMOVDQA X1, X9 - VMOVDQA X2, X10 - - // do rounds 0-59 - VMOVDQU (SI), X0 - PSHUFB X8, X0 - VMOVDQA X0, X3 - PADDD (AX), X0 - SHA256RNDS2 X0, X1, X2 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - VMOVDQU 16(SI), X0 - PSHUFB X8, X0 - VMOVDQA X0, X4 - PADDD 32(AX), X0 - SHA256RNDS2 X0, X1, X2 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X4, X3 - VMOVDQU 32(SI), X0 - PSHUFB X8, X0 - VMOVDQA X0, X5 - PADDD 64(AX), X0 - SHA256RNDS2 X0, X1, X2 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X5, X4 - VMOVDQU 48(SI), X0 - PSHUFB X8, X0 - VMOVDQA X0, X6 - PADDD 96(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X6, X7 - PALIGNR $0x04, X5, X7 - PADDD X7, X3 - SHA256MSG2 X6, X3 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X6, X5 - VMOVDQA X3, X0 - PADDD 128(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X3, X7 - PALIGNR $0x04, X6, X7 - PADDD X7, X4 - SHA256MSG2 X3, X4 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X3, X6 - VMOVDQA X4, X0 - PADDD 160(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X4, X7 - PALIGNR $0x04, X3, X7 - PADDD X7, X5 - SHA256MSG2 X4, X5 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X4, X3 - VMOVDQA X5, X0 - PADDD 192(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X5, X7 - PALIGNR $0x04, X4, X7 - PADDD X7, X6 - SHA256MSG2 X5, X6 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X5, X4 - VMOVDQA X6, X0 - PADDD 224(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X6, X7 - PALIGNR $0x04, X5, X7 - PADDD X7, X3 - SHA256MSG2 X6, X3 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X6, X5 - VMOVDQA X3, X0 - PADDD 256(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X3, X7 - PALIGNR $0x04, X6, X7 - PADDD X7, X4 - SHA256MSG2 X3, X4 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X3, X6 - VMOVDQA X4, X0 - PADDD 288(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X4, X7 - PALIGNR $0x04, X3, X7 - PADDD X7, X5 - SHA256MSG2 X4, X5 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X4, X3 - VMOVDQA X5, X0 - PADDD 320(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X5, X7 - PALIGNR $0x04, X4, X7 - PADDD X7, X6 - SHA256MSG2 X5, X6 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X5, X4 - VMOVDQA X6, X0 - PADDD 352(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X6, X7 - PALIGNR $0x04, X5, X7 - PADDD X7, X3 - SHA256MSG2 X6, X3 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X6, X5 - VMOVDQA X3, X0 - PADDD 384(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X3, X7 - PALIGNR $0x04, X6, X7 - PADDD X7, X4 - SHA256MSG2 X3, X4 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - SHA256MSG1 X3, X6 - VMOVDQA X4, X0 - PADDD 416(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X4, X7 - PALIGNR $0x04, X3, X7 - PADDD X7, X5 - SHA256MSG2 X4, X5 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - VMOVDQA X5, X0 - PADDD 448(AX), X0 - SHA256RNDS2 X0, X1, X2 - VMOVDQA X5, X7 - PALIGNR $0x04, X4, X7 - PADDD X7, X6 - SHA256MSG2 X5, X6 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - - // do rounds 60-63 - VMOVDQA X6, X0 - PADDD 480(AX), X0 - SHA256RNDS2 X0, X1, X2 - PSHUFD $0x0e, X0, X0 - SHA256RNDS2 X0, X2, X1 - - // add current hash values with previously saved - PADDD X9, X1 - PADDD X10, X2 - - // advance data pointer; loop until buffer empty - ADDQ $0x40, SI - CMPQ DX, SI - JNE roundLoop - - // write hash values back in the correct order - PSHUFD $0x1b, X1, X1 - PSHUFD $0xb1, X2, X2 - VMOVDQA X1, X7 - PBLENDW $0xf0, X2, X1 - PALIGNR $0x08, X7, X2 - VMOVDQU X1, (DI) - VMOVDQU X2, 16(DI) - -done: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_arm64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_arm64.go deleted file mode 100644 index ee91b4af2cb..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_arm64.go +++ /dev/null @@ -1,29 +0,0 @@ -// Copyright 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package sha256 - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -var useSHA2 = cpu.ARM64HasSHA2 - -func init() { - impl.Register("sha256", "Armv8.0", &useSHA2) -} - -//go:noescape -func blockSHA2(dig *Digest, p []byte) - -func block(dig *Digest, p []byte) { - if useSHA2 { - blockSHA2(dig, p) - } else { - blockGeneric(dig, p) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_arm64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_arm64.s deleted file mode 100644 index b4082607990..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_arm64.s +++ /dev/null @@ -1,121 +0,0 @@ -// Copyright 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -#define HASHUPDATE \ - SHA256H V9.S4, V3, V2 \ - SHA256H2 V9.S4, V8, V3 \ - VMOV V2.B16, V8.B16 - -// func blockSHA2(dig *Digest, p []byte) -TEXT ·blockSHA2(SB),NOSPLIT,$0 - MOVD dig+0(FP), R0 // Hash value first address - MOVD p_base+8(FP), R1 // message first address - MOVD p_len+16(FP), R3 // message length - MOVD $·_K+0(SB), R2 // k constants first address - VLD1 (R0), [V0.S4, V1.S4] // load h(a,b,c,d,e,f,g,h) - VLD1.P 64(R2), [V16.S4, V17.S4, V18.S4, V19.S4] - VLD1.P 64(R2), [V20.S4, V21.S4, V22.S4, V23.S4] - VLD1.P 64(R2), [V24.S4, V25.S4, V26.S4, V27.S4] - VLD1 (R2), [V28.S4, V29.S4, V30.S4, V31.S4] //load 64*4bytes K constant(K0-K63) - -blockloop: - - VLD1.P 16(R1), [V4.B16] // load 16bytes message - VLD1.P 16(R1), [V5.B16] // load 16bytes message - VLD1.P 16(R1), [V6.B16] // load 16bytes message - VLD1.P 16(R1), [V7.B16] // load 16bytes message - VMOV V0.B16, V2.B16 // backup: VO h(dcba) - VMOV V1.B16, V3.B16 // backup: V1 h(hgfe) - VMOV V2.B16, V8.B16 - VREV32 V4.B16, V4.B16 // prepare for using message in Byte format - VREV32 V5.B16, V5.B16 - VREV32 V6.B16, V6.B16 - VREV32 V7.B16, V7.B16 - - VADD V16.S4, V4.S4, V9.S4 // V18(W0+K0...W3+K3) - SHA256SU0 V5.S4, V4.S4 // V4: (su0(W1)+W0,...,su0(W4)+W3) - HASHUPDATE // H4 - - VADD V17.S4, V5.S4, V9.S4 // V18(W4+K4...W7+K7) - SHA256SU0 V6.S4, V5.S4 // V5: (su0(W5)+W4,...,su0(W8)+W7) - SHA256SU1 V7.S4, V6.S4, V4.S4 // V4: W16-W19 - HASHUPDATE // H8 - - VADD V18.S4, V6.S4, V9.S4 // V18(W8+K8...W11+K11) - SHA256SU0 V7.S4, V6.S4 // V6: (su0(W9)+W8,...,su0(W12)+W11) - SHA256SU1 V4.S4, V7.S4, V5.S4 // V5: W20-W23 - HASHUPDATE // H12 - - VADD V19.S4, V7.S4, V9.S4 // V18(W12+K12...W15+K15) - SHA256SU0 V4.S4, V7.S4 // V7: (su0(W13)+W12,...,su0(W16)+W15) - SHA256SU1 V5.S4, V4.S4, V6.S4 // V6: W24-W27 - HASHUPDATE // H16 - - VADD V20.S4, V4.S4, V9.S4 // V18(W16+K16...W19+K19) - SHA256SU0 V5.S4, V4.S4 // V4: (su0(W17)+W16,...,su0(W20)+W19) - SHA256SU1 V6.S4, V5.S4, V7.S4 // V7: W28-W31 - HASHUPDATE // H20 - - VADD V21.S4, V5.S4, V9.S4 // V18(W20+K20...W23+K23) - SHA256SU0 V6.S4, V5.S4 // V5: (su0(W21)+W20,...,su0(W24)+W23) - SHA256SU1 V7.S4, V6.S4, V4.S4 // V4: W32-W35 - HASHUPDATE // H24 - - VADD V22.S4, V6.S4, V9.S4 // V18(W24+K24...W27+K27) - SHA256SU0 V7.S4, V6.S4 // V6: (su0(W25)+W24,...,su0(W28)+W27) - SHA256SU1 V4.S4, V7.S4, V5.S4 // V5: W36-W39 - HASHUPDATE // H28 - - VADD V23.S4, V7.S4, V9.S4 // V18(W28+K28...W31+K31) - SHA256SU0 V4.S4, V7.S4 // V7: (su0(W29)+W28,...,su0(W32)+W31) - SHA256SU1 V5.S4, V4.S4, V6.S4 // V6: W40-W43 - HASHUPDATE // H32 - - VADD V24.S4, V4.S4, V9.S4 // V18(W32+K32...W35+K35) - SHA256SU0 V5.S4, V4.S4 // V4: (su0(W33)+W32,...,su0(W36)+W35) - SHA256SU1 V6.S4, V5.S4, V7.S4 // V7: W44-W47 - HASHUPDATE // H36 - - VADD V25.S4, V5.S4, V9.S4 // V18(W36+K36...W39+K39) - SHA256SU0 V6.S4, V5.S4 // V5: (su0(W37)+W36,...,su0(W40)+W39) - SHA256SU1 V7.S4, V6.S4, V4.S4 // V4: W48-W51 - HASHUPDATE // H40 - - VADD V26.S4, V6.S4, V9.S4 // V18(W40+K40...W43+K43) - SHA256SU0 V7.S4, V6.S4 // V6: (su0(W41)+W40,...,su0(W44)+W43) - SHA256SU1 V4.S4, V7.S4, V5.S4 // V5: W52-W55 - HASHUPDATE // H44 - - VADD V27.S4, V7.S4, V9.S4 // V18(W44+K44...W47+K47) - SHA256SU0 V4.S4, V7.S4 // V7: (su0(W45)+W44,...,su0(W48)+W47) - SHA256SU1 V5.S4, V4.S4, V6.S4 // V6: W56-W59 - HASHUPDATE // H48 - - VADD V28.S4, V4.S4, V9.S4 // V18(W48+K48,...,W51+K51) - HASHUPDATE // H52 - SHA256SU1 V6.S4, V5.S4, V7.S4 // V7: W60-W63 - - VADD V29.S4, V5.S4, V9.S4 // V18(W52+K52,...,W55+K55) - HASHUPDATE // H56 - - VADD V30.S4, V6.S4, V9.S4 // V18(W59+K59,...,W59+K59) - HASHUPDATE // H60 - - VADD V31.S4, V7.S4, V9.S4 // V18(W60+K60,...,W63+K63) - HASHUPDATE // H64 - - SUB $64, R3, R3 // message length - 64bytes, then compare with 64bytes - VADD V2.S4, V0.S4, V0.S4 - VADD V3.S4, V1.S4, V1.S4 - CBNZ R3, blockloop - -sha256ret: - - VST1 [V0.S4, V1.S4], (R0) // store hash value H - RET - diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_asm.go deleted file mode 100644 index 1b157d744d6..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_asm.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (386 || loong64 || riscv64) && !purego - -package sha256 - -//go:noescape -func block(dig *Digest, p []byte) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_loong64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_loong64.s deleted file mode 100644 index e171d93e0ba..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_loong64.s +++ /dev/null @@ -1,258 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// SHA256 block routine. See sha256block.go for Go equivalent. -// -// The algorithm is detailed in FIPS 180-4: -// -// https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf -// -// W[i] = M[i]; for 0 <= i <= 15 -// W[i] = SIGMA1(W[i-2]) + W[i-7] + SIGMA0(W[i-15]) + W[i-16]; for 16 <= i <= 63 -// -// a = H0 -// b = H1 -// c = H2 -// d = H3 -// e = H4 -// f = H5 -// g = H6 -// h = H7 -// -// for i = 0 to 63 { -// T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + K[i] + W[i] -// T2 = BIGSIGMA0(a) + Maj(a,b,c) -// h = g -// g = f -// f = e -// e = d + T1 -// d = c -// c = b -// b = a -// a = T1 + T2 -// } -// -// H0 = a + H0 -// H1 = b + H1 -// H2 = c + H2 -// H3 = d + H3 -// H4 = e + H4 -// H5 = f + H5 -// H6 = g + H6 -// H7 = h + H7 - -#define REGTMP R30 -#define REGTMP1 R16 -#define REGTMP2 R17 -#define REGTMP3 R18 -#define REGTMP4 R7 -#define REGTMP5 R6 - -// W[i] = M[i]; for 0 <= i <= 15 -#define LOAD0(index) \ - MOVW (index*4)(R5), REGTMP4; \ - REVB2W REGTMP4, REGTMP4; \ - MOVW REGTMP4, (index*4)(R3) - -// W[i] = SIGMA1(W[i-2]) + W[i-7] + SIGMA0(W[i-15]) + W[i-16]; for 16 <= i <= 63 -// SIGMA0(x) = ROTR(7,x) XOR ROTR(18,x) XOR SHR(3,x) -// SIGMA1(x) = ROTR(17,x) XOR ROTR(19,x) XOR SHR(10,x) -#define LOAD1(index) \ - MOVW (((index-2)&0xf)*4)(R3), REGTMP4; \ - MOVW (((index-15)&0xf)*4)(R3), REGTMP1; \ - MOVW (((index-7)&0xf)*4)(R3), REGTMP; \ - MOVW REGTMP4, REGTMP2; \ - MOVW REGTMP4, REGTMP3; \ - ROTR $17, REGTMP4; \ - ROTR $19, REGTMP2; \ - SRL $10, REGTMP3; \ - XOR REGTMP2, REGTMP4; \ - XOR REGTMP3, REGTMP4; \ - ROTR $7, REGTMP1, REGTMP5; \ - SRL $3, REGTMP1, REGTMP3; \ - ROTR $18, REGTMP1, REGTMP2; \ - ADD REGTMP, REGTMP4; \ - MOVW (((index-16)&0xf)*4)(R3), REGTMP; \ - XOR REGTMP3, REGTMP5; \ - XOR REGTMP2, REGTMP5; \ - ADD REGTMP, REGTMP5; \ - ADD REGTMP5, REGTMP4; \ - MOVW REGTMP4, ((index&0xf)*4)(R3) - -// T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + K[i] + W[i] -// BIGSIGMA1(x) = ROTR(6,x) XOR ROTR(11,x) XOR ROTR(25,x) -// Ch(x, y, z) = (x AND y) XOR (NOT x AND z) -// = ((y XOR z) AND x) XOR z -// Calculate T1 in REGTMP4 -#define SHA256T1(const, e, f, g, h) \ - ADDV $const, h; \ - ADD REGTMP4, h; \ - ROTR $6, e, REGTMP5; \ - ROTR $11, e, REGTMP; \ - ROTR $25, e, REGTMP3; \ - XOR f, g, REGTMP2; \ - XOR REGTMP, REGTMP5; \ - AND e, REGTMP2; \ - XOR REGTMP5, REGTMP3; \ - XOR g, REGTMP2; \ - ADD REGTMP3, h; \ - ADD h, REGTMP2, REGTMP4 - -// T2 = BIGSIGMA0(a) + Maj(a, b, c) -// BIGSIGMA0(x) = ROTR(2,x) XOR ROTR(13,x) XOR ROTR(22,x) -// Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) -// = ((y XOR z) AND x) XOR (y AND z) -// Calculate T2 in REGTMP1 -#define SHA256T2(a, b, c) \ - ROTR $2, a, REGTMP5; \ - ROTR $13, a, REGTMP3; \ - ROTR $22, a, REGTMP2; \ - XOR b, c, REGTMP; \ - AND b, c, REGTMP1; \ - XOR REGTMP3, REGTMP5; \ - AND REGTMP, a, REGTMP; \ - XOR REGTMP2, REGTMP5; \ - XOR REGTMP, REGTMP1; \ - ADD REGTMP5, REGTMP1 - -// Calculate T1 and T2, then e = d + T1 and a = T1 + T2. -// The values for e and a are stored in d and h, ready for rotation. -#define SHA256ROUND(const, a, b, c, d, e, f, g, h) \ - SHA256T1(const, e, f, g, h); \ - SHA256T2(a, b, c); \ - ADD REGTMP4, d; \ - ADD REGTMP1, REGTMP4, h - -#define SHA256ROUND0(index, const, a, b, c, d, e, f, g, h) \ - LOAD0(index); \ - SHA256ROUND(const, a, b, c, d, e, f, g, h) - -#define SHA256ROUND1(index, const, a, b, c, d, e, f, g, h) \ - LOAD1(index); \ - SHA256ROUND(const, a, b, c, d, e, f, g, h) - -// A stack frame size of 64 bytes is required here, because -// the frame size used for data expansion is 64 bytes. -// See the definition of the macro LOAD1 above (4 bytes * 16 entries). -// -//func block(dig *Digest, p []byte) -TEXT ·block(SB),NOSPLIT,$64-32 - MOVV p_base+8(FP), R5 - MOVV p_len+16(FP), R6 - AND $~63, R6 - BEQ R6, end - - // p_len >= 64 - MOVV dig+0(FP), R4 - ADDV R5, R6, R25 - MOVW (0*4)(R4), R8 // a = H0 - MOVW (1*4)(R4), R9 // b = H1 - MOVW (2*4)(R4), R10 // c = H2 - MOVW (3*4)(R4), R11 // d = H3 - MOVW (4*4)(R4), R12 // e = H4 - MOVW (5*4)(R4), R13 // f = H5 - MOVW (6*4)(R4), R14 // g = H6 - MOVW (7*4)(R4), R15 // h = H7 - -loop: - SHA256ROUND0(0, 0x428a2f98, R8, R9, R10, R11, R12, R13, R14, R15) - SHA256ROUND0(1, 0x71374491, R15, R8, R9, R10, R11, R12, R13, R14) - SHA256ROUND0(2, 0xb5c0fbcf, R14, R15, R8, R9, R10, R11, R12, R13) - SHA256ROUND0(3, 0xe9b5dba5, R13, R14, R15, R8, R9, R10, R11, R12) - SHA256ROUND0(4, 0x3956c25b, R12, R13, R14, R15, R8, R9, R10, R11) - SHA256ROUND0(5, 0x59f111f1, R11, R12, R13, R14, R15, R8, R9, R10) - SHA256ROUND0(6, 0x923f82a4, R10, R11, R12, R13, R14, R15, R8, R9) - SHA256ROUND0(7, 0xab1c5ed5, R9, R10, R11, R12, R13, R14, R15, R8) - SHA256ROUND0(8, 0xd807aa98, R8, R9, R10, R11, R12, R13, R14, R15) - SHA256ROUND0(9, 0x12835b01, R15, R8, R9, R10, R11, R12, R13, R14) - SHA256ROUND0(10, 0x243185be, R14, R15, R8, R9, R10, R11, R12, R13) - SHA256ROUND0(11, 0x550c7dc3, R13, R14, R15, R8, R9, R10, R11, R12) - SHA256ROUND0(12, 0x72be5d74, R12, R13, R14, R15, R8, R9, R10, R11) - SHA256ROUND0(13, 0x80deb1fe, R11, R12, R13, R14, R15, R8, R9, R10) - SHA256ROUND0(14, 0x9bdc06a7, R10, R11, R12, R13, R14, R15, R8, R9) - SHA256ROUND0(15, 0xc19bf174, R9, R10, R11, R12, R13, R14, R15, R8) - - SHA256ROUND1(16, 0xe49b69c1, R8, R9, R10, R11, R12, R13, R14, R15) - SHA256ROUND1(17, 0xefbe4786, R15, R8, R9, R10, R11, R12, R13, R14) - SHA256ROUND1(18, 0x0fc19dc6, R14, R15, R8, R9, R10, R11, R12, R13) - SHA256ROUND1(19, 0x240ca1cc, R13, R14, R15, R8, R9, R10, R11, R12) - SHA256ROUND1(20, 0x2de92c6f, R12, R13, R14, R15, R8, R9, R10, R11) - SHA256ROUND1(21, 0x4a7484aa, R11, R12, R13, R14, R15, R8, R9, R10) - SHA256ROUND1(22, 0x5cb0a9dc, R10, R11, R12, R13, R14, R15, R8, R9) - SHA256ROUND1(23, 0x76f988da, R9, R10, R11, R12, R13, R14, R15, R8) - SHA256ROUND1(24, 0x983e5152, R8, R9, R10, R11, R12, R13, R14, R15) - SHA256ROUND1(25, 0xa831c66d, R15, R8, R9, R10, R11, R12, R13, R14) - SHA256ROUND1(26, 0xb00327c8, R14, R15, R8, R9, R10, R11, R12, R13) - SHA256ROUND1(27, 0xbf597fc7, R13, R14, R15, R8, R9, R10, R11, R12) - SHA256ROUND1(28, 0xc6e00bf3, R12, R13, R14, R15, R8, R9, R10, R11) - SHA256ROUND1(29, 0xd5a79147, R11, R12, R13, R14, R15, R8, R9, R10) - SHA256ROUND1(30, 0x06ca6351, R10, R11, R12, R13, R14, R15, R8, R9) - SHA256ROUND1(31, 0x14292967, R9, R10, R11, R12, R13, R14, R15, R8) - SHA256ROUND1(32, 0x27b70a85, R8, R9, R10, R11, R12, R13, R14, R15) - SHA256ROUND1(33, 0x2e1b2138, R15, R8, R9, R10, R11, R12, R13, R14) - SHA256ROUND1(34, 0x4d2c6dfc, R14, R15, R8, R9, R10, R11, R12, R13) - SHA256ROUND1(35, 0x53380d13, R13, R14, R15, R8, R9, R10, R11, R12) - SHA256ROUND1(36, 0x650a7354, R12, R13, R14, R15, R8, R9, R10, R11) - SHA256ROUND1(37, 0x766a0abb, R11, R12, R13, R14, R15, R8, R9, R10) - SHA256ROUND1(38, 0x81c2c92e, R10, R11, R12, R13, R14, R15, R8, R9) - SHA256ROUND1(39, 0x92722c85, R9, R10, R11, R12, R13, R14, R15, R8) - SHA256ROUND1(40, 0xa2bfe8a1, R8, R9, R10, R11, R12, R13, R14, R15) - SHA256ROUND1(41, 0xa81a664b, R15, R8, R9, R10, R11, R12, R13, R14) - SHA256ROUND1(42, 0xc24b8b70, R14, R15, R8, R9, R10, R11, R12, R13) - SHA256ROUND1(43, 0xc76c51a3, R13, R14, R15, R8, R9, R10, R11, R12) - SHA256ROUND1(44, 0xd192e819, R12, R13, R14, R15, R8, R9, R10, R11) - SHA256ROUND1(45, 0xd6990624, R11, R12, R13, R14, R15, R8, R9, R10) - SHA256ROUND1(46, 0xf40e3585, R10, R11, R12, R13, R14, R15, R8, R9) - SHA256ROUND1(47, 0x106aa070, R9, R10, R11, R12, R13, R14, R15, R8) - SHA256ROUND1(48, 0x19a4c116, R8, R9, R10, R11, R12, R13, R14, R15) - SHA256ROUND1(49, 0x1e376c08, R15, R8, R9, R10, R11, R12, R13, R14) - SHA256ROUND1(50, 0x2748774c, R14, R15, R8, R9, R10, R11, R12, R13) - SHA256ROUND1(51, 0x34b0bcb5, R13, R14, R15, R8, R9, R10, R11, R12) - SHA256ROUND1(52, 0x391c0cb3, R12, R13, R14, R15, R8, R9, R10, R11) - SHA256ROUND1(53, 0x4ed8aa4a, R11, R12, R13, R14, R15, R8, R9, R10) - SHA256ROUND1(54, 0x5b9cca4f, R10, R11, R12, R13, R14, R15, R8, R9) - SHA256ROUND1(55, 0x682e6ff3, R9, R10, R11, R12, R13, R14, R15, R8) - SHA256ROUND1(56, 0x748f82ee, R8, R9, R10, R11, R12, R13, R14, R15) - SHA256ROUND1(57, 0x78a5636f, R15, R8, R9, R10, R11, R12, R13, R14) - SHA256ROUND1(58, 0x84c87814, R14, R15, R8, R9, R10, R11, R12, R13) - SHA256ROUND1(59, 0x8cc70208, R13, R14, R15, R8, R9, R10, R11, R12) - SHA256ROUND1(60, 0x90befffa, R12, R13, R14, R15, R8, R9, R10, R11) - SHA256ROUND1(61, 0xa4506ceb, R11, R12, R13, R14, R15, R8, R9, R10) - SHA256ROUND1(62, 0xbef9a3f7, R10, R11, R12, R13, R14, R15, R8, R9) - SHA256ROUND1(63, 0xc67178f2, R9, R10, R11, R12, R13, R14, R15, R8) - - MOVW (0*4)(R4), REGTMP - MOVW (1*4)(R4), REGTMP1 - MOVW (2*4)(R4), REGTMP2 - MOVW (3*4)(R4), REGTMP3 - ADD REGTMP, R8 // H0 = a + H0 - ADD REGTMP1, R9 // H1 = b + H1 - ADD REGTMP2, R10 // H2 = c + H2 - ADD REGTMP3, R11 // H3 = d + H3 - MOVW R8, (0*4)(R4) - MOVW R9, (1*4)(R4) - MOVW R10, (2*4)(R4) - MOVW R11, (3*4)(R4) - MOVW (4*4)(R4), REGTMP - MOVW (5*4)(R4), REGTMP1 - MOVW (6*4)(R4), REGTMP2 - MOVW (7*4)(R4), REGTMP3 - ADD REGTMP, R12 // H4 = e + H4 - ADD REGTMP1, R13 // H5 = f + H5 - ADD REGTMP2, R14 // H6 = g + H6 - ADD REGTMP3, R15 // H7 = h + H7 - MOVW R12, (4*4)(R4) - MOVW R13, (5*4)(R4) - MOVW R14, (6*4)(R4) - MOVW R15, (7*4)(R4) - - ADDV $64, R5 - BNE R5, R25, loop - -end: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_noasm.go deleted file mode 100644 index cc7abf6a382..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_noasm.go +++ /dev/null @@ -1,11 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!386 && !amd64 && !arm64 && !loong64 && !ppc64 && !ppc64le && !riscv64 && !s390x) || purego - -package sha256 - -func block(dig *Digest, p []byte) { - blockGeneric(dig, p) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_ppc64x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_ppc64x.go deleted file mode 100644 index 735b4fcab0b..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_ppc64x.go +++ /dev/null @@ -1,33 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (ppc64 || ppc64le) && !purego - -package sha256 - -import ( - "crypto/internal/fips140deps/godebug" - "crypto/internal/impl" -) - -// The POWER architecture doesn't have a way to turn off SHA-2 support at -// runtime with GODEBUG=cpu.something=off, so introduce a new GODEBUG knob for -// that. It's intentionally only checked at init() time, to avoid the -// performance overhead of checking it on every block. -var ppc64sha2 = godebug.Value("#ppc64sha2") != "off" - -func init() { - impl.Register("sha256", "POWER8", &ppc64sha2) -} - -//go:noescape -func blockPOWER(dig *Digest, p []byte) - -func block(dig *Digest, p []byte) { - if ppc64sha2 { - blockPOWER(dig, p) - } else { - blockGeneric(dig, p) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_ppc64x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_ppc64x.s deleted file mode 100644 index b28f80dcfa2..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_ppc64x.s +++ /dev/null @@ -1,453 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (ppc64 || ppc64le) && !purego - -// Based on CRYPTOGAMS code with the following comment: -// # ==================================================================== -// # Written by Andy Polyakov <[email protected]> for the OpenSSL -// # project. The module is, however, dual licensed under OpenSSL and -// # CRYPTOGAMS licenses depending on where you obtain it. For further -// # details see http://www.openssl.org/~appro/cryptogams/. -// # ==================================================================== - -#include "textflag.h" - -// SHA256 block routine. See sha256block.go for Go equivalent. -// -// The algorithm is detailed in FIPS 180-4: -// -// https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf -// -// Wt = Mt; for 0 <= t <= 15 -// Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63 -// -// a = H0 -// b = H1 -// c = H2 -// d = H3 -// e = H4 -// f = H5 -// g = H6 -// h = H7 -// -// for t = 0 to 63 { -// T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt -// T2 = BIGSIGMA0(a) + Maj(a,b,c) -// h = g -// g = f -// f = e -// e = d + T1 -// d = c -// c = b -// b = a -// a = T1 + T2 -// } -// -// H0 = a + H0 -// H1 = b + H1 -// H2 = c + H2 -// H3 = d + H3 -// H4 = e + H4 -// H5 = f + H5 -// H6 = g + H6 -// H7 = h + H7 - -#define CTX R3 -#define INP R4 -#define END R5 -#define TBL R6 // Pointer into kcon table -#define LEN R9 -#define TEMP R12 - -#define TBL_STRT R7 // Pointer to start of kcon table. - -#define R_x000 R0 -#define R_x010 R8 -#define R_x020 R10 -#define R_x030 R11 -#define R_x040 R14 -#define R_x050 R15 -#define R_x060 R16 -#define R_x070 R17 -#define R_x080 R18 -#define R_x090 R19 -#define R_x0a0 R20 -#define R_x0b0 R21 -#define R_x0c0 R22 -#define R_x0d0 R23 -#define R_x0e0 R24 -#define R_x0f0 R25 -#define R_x100 R26 -#define R_x110 R27 - - -// V0-V7 are A-H -// V8-V23 are used for the message schedule -#define KI V24 -#define FUNC V25 -#define S0 V26 -#define S1 V27 -#define s0 V28 -#define s1 V29 -#define LEMASK V31 // Permutation control register for little endian - -// 4 copies of each Kt, to fill all 4 words of a vector register -DATA ·kcon+0x000(SB)/8, $0x428a2f98428a2f98 -DATA ·kcon+0x008(SB)/8, $0x428a2f98428a2f98 -DATA ·kcon+0x010(SB)/8, $0x7137449171374491 -DATA ·kcon+0x018(SB)/8, $0x7137449171374491 -DATA ·kcon+0x020(SB)/8, $0xb5c0fbcfb5c0fbcf -DATA ·kcon+0x028(SB)/8, $0xb5c0fbcfb5c0fbcf -DATA ·kcon+0x030(SB)/8, $0xe9b5dba5e9b5dba5 -DATA ·kcon+0x038(SB)/8, $0xe9b5dba5e9b5dba5 -DATA ·kcon+0x040(SB)/8, $0x3956c25b3956c25b -DATA ·kcon+0x048(SB)/8, $0x3956c25b3956c25b -DATA ·kcon+0x050(SB)/8, $0x59f111f159f111f1 -DATA ·kcon+0x058(SB)/8, $0x59f111f159f111f1 -DATA ·kcon+0x060(SB)/8, $0x923f82a4923f82a4 -DATA ·kcon+0x068(SB)/8, $0x923f82a4923f82a4 -DATA ·kcon+0x070(SB)/8, $0xab1c5ed5ab1c5ed5 -DATA ·kcon+0x078(SB)/8, $0xab1c5ed5ab1c5ed5 -DATA ·kcon+0x080(SB)/8, $0xd807aa98d807aa98 -DATA ·kcon+0x088(SB)/8, $0xd807aa98d807aa98 -DATA ·kcon+0x090(SB)/8, $0x12835b0112835b01 -DATA ·kcon+0x098(SB)/8, $0x12835b0112835b01 -DATA ·kcon+0x0A0(SB)/8, $0x243185be243185be -DATA ·kcon+0x0A8(SB)/8, $0x243185be243185be -DATA ·kcon+0x0B0(SB)/8, $0x550c7dc3550c7dc3 -DATA ·kcon+0x0B8(SB)/8, $0x550c7dc3550c7dc3 -DATA ·kcon+0x0C0(SB)/8, $0x72be5d7472be5d74 -DATA ·kcon+0x0C8(SB)/8, $0x72be5d7472be5d74 -DATA ·kcon+0x0D0(SB)/8, $0x80deb1fe80deb1fe -DATA ·kcon+0x0D8(SB)/8, $0x80deb1fe80deb1fe -DATA ·kcon+0x0E0(SB)/8, $0x9bdc06a79bdc06a7 -DATA ·kcon+0x0E8(SB)/8, $0x9bdc06a79bdc06a7 -DATA ·kcon+0x0F0(SB)/8, $0xc19bf174c19bf174 -DATA ·kcon+0x0F8(SB)/8, $0xc19bf174c19bf174 -DATA ·kcon+0x100(SB)/8, $0xe49b69c1e49b69c1 -DATA ·kcon+0x108(SB)/8, $0xe49b69c1e49b69c1 -DATA ·kcon+0x110(SB)/8, $0xefbe4786efbe4786 -DATA ·kcon+0x118(SB)/8, $0xefbe4786efbe4786 -DATA ·kcon+0x120(SB)/8, $0x0fc19dc60fc19dc6 -DATA ·kcon+0x128(SB)/8, $0x0fc19dc60fc19dc6 -DATA ·kcon+0x130(SB)/8, $0x240ca1cc240ca1cc -DATA ·kcon+0x138(SB)/8, $0x240ca1cc240ca1cc -DATA ·kcon+0x140(SB)/8, $0x2de92c6f2de92c6f -DATA ·kcon+0x148(SB)/8, $0x2de92c6f2de92c6f -DATA ·kcon+0x150(SB)/8, $0x4a7484aa4a7484aa -DATA ·kcon+0x158(SB)/8, $0x4a7484aa4a7484aa -DATA ·kcon+0x160(SB)/8, $0x5cb0a9dc5cb0a9dc -DATA ·kcon+0x168(SB)/8, $0x5cb0a9dc5cb0a9dc -DATA ·kcon+0x170(SB)/8, $0x76f988da76f988da -DATA ·kcon+0x178(SB)/8, $0x76f988da76f988da -DATA ·kcon+0x180(SB)/8, $0x983e5152983e5152 -DATA ·kcon+0x188(SB)/8, $0x983e5152983e5152 -DATA ·kcon+0x190(SB)/8, $0xa831c66da831c66d -DATA ·kcon+0x198(SB)/8, $0xa831c66da831c66d -DATA ·kcon+0x1A0(SB)/8, $0xb00327c8b00327c8 -DATA ·kcon+0x1A8(SB)/8, $0xb00327c8b00327c8 -DATA ·kcon+0x1B0(SB)/8, $0xbf597fc7bf597fc7 -DATA ·kcon+0x1B8(SB)/8, $0xbf597fc7bf597fc7 -DATA ·kcon+0x1C0(SB)/8, $0xc6e00bf3c6e00bf3 -DATA ·kcon+0x1C8(SB)/8, $0xc6e00bf3c6e00bf3 -DATA ·kcon+0x1D0(SB)/8, $0xd5a79147d5a79147 -DATA ·kcon+0x1D8(SB)/8, $0xd5a79147d5a79147 -DATA ·kcon+0x1E0(SB)/8, $0x06ca635106ca6351 -DATA ·kcon+0x1E8(SB)/8, $0x06ca635106ca6351 -DATA ·kcon+0x1F0(SB)/8, $0x1429296714292967 -DATA ·kcon+0x1F8(SB)/8, $0x1429296714292967 -DATA ·kcon+0x200(SB)/8, $0x27b70a8527b70a85 -DATA ·kcon+0x208(SB)/8, $0x27b70a8527b70a85 -DATA ·kcon+0x210(SB)/8, $0x2e1b21382e1b2138 -DATA ·kcon+0x218(SB)/8, $0x2e1b21382e1b2138 -DATA ·kcon+0x220(SB)/8, $0x4d2c6dfc4d2c6dfc -DATA ·kcon+0x228(SB)/8, $0x4d2c6dfc4d2c6dfc -DATA ·kcon+0x230(SB)/8, $0x53380d1353380d13 -DATA ·kcon+0x238(SB)/8, $0x53380d1353380d13 -DATA ·kcon+0x240(SB)/8, $0x650a7354650a7354 -DATA ·kcon+0x248(SB)/8, $0x650a7354650a7354 -DATA ·kcon+0x250(SB)/8, $0x766a0abb766a0abb -DATA ·kcon+0x258(SB)/8, $0x766a0abb766a0abb -DATA ·kcon+0x260(SB)/8, $0x81c2c92e81c2c92e -DATA ·kcon+0x268(SB)/8, $0x81c2c92e81c2c92e -DATA ·kcon+0x270(SB)/8, $0x92722c8592722c85 -DATA ·kcon+0x278(SB)/8, $0x92722c8592722c85 -DATA ·kcon+0x280(SB)/8, $0xa2bfe8a1a2bfe8a1 -DATA ·kcon+0x288(SB)/8, $0xa2bfe8a1a2bfe8a1 -DATA ·kcon+0x290(SB)/8, $0xa81a664ba81a664b -DATA ·kcon+0x298(SB)/8, $0xa81a664ba81a664b -DATA ·kcon+0x2A0(SB)/8, $0xc24b8b70c24b8b70 -DATA ·kcon+0x2A8(SB)/8, $0xc24b8b70c24b8b70 -DATA ·kcon+0x2B0(SB)/8, $0xc76c51a3c76c51a3 -DATA ·kcon+0x2B8(SB)/8, $0xc76c51a3c76c51a3 -DATA ·kcon+0x2C0(SB)/8, $0xd192e819d192e819 -DATA ·kcon+0x2C8(SB)/8, $0xd192e819d192e819 -DATA ·kcon+0x2D0(SB)/8, $0xd6990624d6990624 -DATA ·kcon+0x2D8(SB)/8, $0xd6990624d6990624 -DATA ·kcon+0x2E0(SB)/8, $0xf40e3585f40e3585 -DATA ·kcon+0x2E8(SB)/8, $0xf40e3585f40e3585 -DATA ·kcon+0x2F0(SB)/8, $0x106aa070106aa070 -DATA ·kcon+0x2F8(SB)/8, $0x106aa070106aa070 -DATA ·kcon+0x300(SB)/8, $0x19a4c11619a4c116 -DATA ·kcon+0x308(SB)/8, $0x19a4c11619a4c116 -DATA ·kcon+0x310(SB)/8, $0x1e376c081e376c08 -DATA ·kcon+0x318(SB)/8, $0x1e376c081e376c08 -DATA ·kcon+0x320(SB)/8, $0x2748774c2748774c -DATA ·kcon+0x328(SB)/8, $0x2748774c2748774c -DATA ·kcon+0x330(SB)/8, $0x34b0bcb534b0bcb5 -DATA ·kcon+0x338(SB)/8, $0x34b0bcb534b0bcb5 -DATA ·kcon+0x340(SB)/8, $0x391c0cb3391c0cb3 -DATA ·kcon+0x348(SB)/8, $0x391c0cb3391c0cb3 -DATA ·kcon+0x350(SB)/8, $0x4ed8aa4a4ed8aa4a -DATA ·kcon+0x358(SB)/8, $0x4ed8aa4a4ed8aa4a -DATA ·kcon+0x360(SB)/8, $0x5b9cca4f5b9cca4f -DATA ·kcon+0x368(SB)/8, $0x5b9cca4f5b9cca4f -DATA ·kcon+0x370(SB)/8, $0x682e6ff3682e6ff3 -DATA ·kcon+0x378(SB)/8, $0x682e6ff3682e6ff3 -DATA ·kcon+0x380(SB)/8, $0x748f82ee748f82ee -DATA ·kcon+0x388(SB)/8, $0x748f82ee748f82ee -DATA ·kcon+0x390(SB)/8, $0x78a5636f78a5636f -DATA ·kcon+0x398(SB)/8, $0x78a5636f78a5636f -DATA ·kcon+0x3A0(SB)/8, $0x84c8781484c87814 -DATA ·kcon+0x3A8(SB)/8, $0x84c8781484c87814 -DATA ·kcon+0x3B0(SB)/8, $0x8cc702088cc70208 -DATA ·kcon+0x3B8(SB)/8, $0x8cc702088cc70208 -DATA ·kcon+0x3C0(SB)/8, $0x90befffa90befffa -DATA ·kcon+0x3C8(SB)/8, $0x90befffa90befffa -DATA ·kcon+0x3D0(SB)/8, $0xa4506ceba4506ceb -DATA ·kcon+0x3D8(SB)/8, $0xa4506ceba4506ceb -DATA ·kcon+0x3E0(SB)/8, $0xbef9a3f7bef9a3f7 -DATA ·kcon+0x3E8(SB)/8, $0xbef9a3f7bef9a3f7 -DATA ·kcon+0x3F0(SB)/8, $0xc67178f2c67178f2 -DATA ·kcon+0x3F8(SB)/8, $0xc67178f2c67178f2 -DATA ·kcon+0x400(SB)/8, $0x0000000000000000 -DATA ·kcon+0x408(SB)/8, $0x0000000000000000 - -#ifdef GOARCH_ppc64le -DATA ·kcon+0x410(SB)/8, $0x1011121310111213 // permutation control vectors -DATA ·kcon+0x418(SB)/8, $0x1011121300010203 -DATA ·kcon+0x420(SB)/8, $0x1011121310111213 -DATA ·kcon+0x428(SB)/8, $0x0405060700010203 -DATA ·kcon+0x430(SB)/8, $0x1011121308090a0b -DATA ·kcon+0x438(SB)/8, $0x0405060700010203 -#else -DATA ·kcon+0x410(SB)/8, $0x1011121300010203 -DATA ·kcon+0x418(SB)/8, $0x1011121310111213 // permutation control vectors -DATA ·kcon+0x420(SB)/8, $0x0405060700010203 -DATA ·kcon+0x428(SB)/8, $0x1011121310111213 -DATA ·kcon+0x430(SB)/8, $0x0001020304050607 -DATA ·kcon+0x438(SB)/8, $0x08090a0b10111213 -#endif - -GLOBL ·kcon(SB), RODATA, $1088 - -#define SHA256ROUND0(a, b, c, d, e, f, g, h, xi, idx) \ - VSEL g, f, e, FUNC; \ - VSHASIGMAW $15, e, $1, S1; \ - VADDUWM xi, h, h; \ - VSHASIGMAW $0, a, $1, S0; \ - VADDUWM FUNC, h, h; \ - VXOR b, a, FUNC; \ - VADDUWM S1, h, h; \ - VSEL b, c, FUNC, FUNC; \ - VADDUWM KI, g, g; \ - VADDUWM h, d, d; \ - VADDUWM FUNC, S0, S0; \ - LVX (TBL)(idx), KI; \ - VADDUWM S0, h, h - -#define SHA256ROUND1(a, b, c, d, e, f, g, h, xi, xj, xj_1, xj_9, xj_14, idx) \ - VSHASIGMAW $0, xj_1, $0, s0; \ - VSEL g, f, e, FUNC; \ - VSHASIGMAW $15, e, $1, S1; \ - VADDUWM xi, h, h; \ - VSHASIGMAW $0, a, $1, S0; \ - VSHASIGMAW $15, xj_14, $0, s1; \ - VADDUWM FUNC, h, h; \ - VXOR b, a, FUNC; \ - VADDUWM xj_9, xj, xj; \ - VADDUWM S1, h, h; \ - VSEL b, c, FUNC, FUNC; \ - VADDUWM KI, g, g; \ - VADDUWM h, d, d; \ - VADDUWM FUNC, S0, S0; \ - VADDUWM s0, xj, xj; \ - LVX (TBL)(idx), KI; \ - VADDUWM S0, h, h; \ - VADDUWM s1, xj, xj - -#ifdef GOARCH_ppc64le -#define VPERMLE(va,vb,vc,vt) VPERM va, vb, vc, vt -#else -#define VPERMLE(va,vb,vc,vt) -#endif - -// func blockPOWER(dig *Digest, p []byte) -TEXT ·blockPOWER(SB),0,$0-32 - MOVD dig+0(FP), CTX - MOVD p_base+8(FP), INP - MOVD p_len+16(FP), LEN - - SRD $6, LEN - SLD $6, LEN - ADD INP, LEN, END - - CMP INP, END - BEQ end - - MOVD $·kcon(SB), TBL_STRT - MOVD $0x10, R_x010 - -#ifdef GOARCH_ppc64le - MOVWZ $8, TEMP - LVSL (TEMP)(R0), LEMASK - VSPLTISB $0x0F, KI - VXOR KI, LEMASK, LEMASK -#endif - - LXVW4X (CTX)(R_x000), V0 - LXVW4X (CTX)(R_x010), V4 - - // unpack the input values into vector registers - VSLDOI $4, V0, V0, V1 - VSLDOI $8, V0, V0, V2 - VSLDOI $12, V0, V0, V3 - VSLDOI $4, V4, V4, V5 - VSLDOI $8, V4, V4, V6 - VSLDOI $12, V4, V4, V7 - - MOVD $0x020, R_x020 - MOVD $0x030, R_x030 - MOVD $0x040, R_x040 - MOVD $0x050, R_x050 - MOVD $0x060, R_x060 - MOVD $0x070, R_x070 - MOVD $0x080, R_x080 - MOVD $0x090, R_x090 - MOVD $0x0a0, R_x0a0 - MOVD $0x0b0, R_x0b0 - MOVD $0x0c0, R_x0c0 - MOVD $0x0d0, R_x0d0 - MOVD $0x0e0, R_x0e0 - MOVD $0x0f0, R_x0f0 - MOVD $0x100, R_x100 - MOVD $0x110, R_x110 - -loop: - MOVD TBL_STRT, TBL - LVX (TBL)(R_x000), KI - - LXVD2X (INP)(R_x000), V8 // load v8 in advance - - // Offload to VSR24-31 (aka FPR24-31) - XXLOR V0, V0, VS24 - XXLOR V1, V1, VS25 - XXLOR V2, V2, VS26 - XXLOR V3, V3, VS27 - XXLOR V4, V4, VS28 - XXLOR V5, V5, VS29 - XXLOR V6, V6, VS30 - XXLOR V7, V7, VS31 - - VADDUWM KI, V7, V7 // h+K[i] - LVX (TBL)(R_x010), KI - - VPERMLE(V8, V8, LEMASK, V8) - SHA256ROUND0(V0, V1, V2, V3, V4, V5, V6, V7, V8, R_x020) - VSLDOI $4, V8, V8, V9 - SHA256ROUND0(V7, V0, V1, V2, V3, V4, V5, V6, V9, R_x030) - VSLDOI $4, V9, V9, V10 - SHA256ROUND0(V6, V7, V0, V1, V2, V3, V4, V5, V10, R_x040) - LXVD2X (INP)(R_x010), V12 // load v12 in advance - VSLDOI $4, V10, V10, V11 - SHA256ROUND0(V5, V6, V7, V0, V1, V2, V3, V4, V11, R_x050) - VPERMLE(V12, V12, LEMASK, V12) - SHA256ROUND0(V4, V5, V6, V7, V0, V1, V2, V3, V12, R_x060) - VSLDOI $4, V12, V12, V13 - SHA256ROUND0(V3, V4, V5, V6, V7, V0, V1, V2, V13, R_x070) - VSLDOI $4, V13, V13, V14 - SHA256ROUND0(V2, V3, V4, V5, V6, V7, V0, V1, V14, R_x080) - LXVD2X (INP)(R_x020), V16 // load v16 in advance - VSLDOI $4, V14, V14, V15 - SHA256ROUND0(V1, V2, V3, V4, V5, V6, V7, V0, V15, R_x090) - VPERMLE(V16, V16, LEMASK, V16) - SHA256ROUND0(V0, V1, V2, V3, V4, V5, V6, V7, V16, R_x0a0) - VSLDOI $4, V16, V16, V17 - SHA256ROUND0(V7, V0, V1, V2, V3, V4, V5, V6, V17, R_x0b0) - VSLDOI $4, V17, V17, V18 - SHA256ROUND0(V6, V7, V0, V1, V2, V3, V4, V5, V18, R_x0c0) - VSLDOI $4, V18, V18, V19 - LXVD2X (INP)(R_x030), V20 // load v20 in advance - SHA256ROUND0(V5, V6, V7, V0, V1, V2, V3, V4, V19, R_x0d0) - VPERMLE(V20, V20, LEMASK, V20) - SHA256ROUND0(V4, V5, V6, V7, V0, V1, V2, V3, V20, R_x0e0) - VSLDOI $4, V20, V20, V21 - SHA256ROUND0(V3, V4, V5, V6, V7, V0, V1, V2, V21, R_x0f0) - VSLDOI $4, V21, V21, V22 - SHA256ROUND0(V2, V3, V4, V5, V6, V7, V0, V1, V22, R_x100) - VSLDOI $4, V22, V22, V23 - SHA256ROUND1(V1, V2, V3, V4, V5, V6, V7, V0, V23, V8, V9, V17, V22, R_x110) - - MOVD $3, TEMP - MOVD TEMP, CTR - ADD $0x120, TBL - ADD $0x40, INP - -L16_xx: - SHA256ROUND1(V0, V1, V2, V3, V4, V5, V6, V7, V8, V9, V10, V18, V23, R_x000) - SHA256ROUND1(V7, V0, V1, V2, V3, V4, V5, V6, V9, V10, V11, V19, V8, R_x010) - SHA256ROUND1(V6, V7, V0, V1, V2, V3, V4, V5, V10, V11, V12, V20, V9, R_x020) - SHA256ROUND1(V5, V6, V7, V0, V1, V2, V3, V4, V11, V12, V13, V21, V10, R_x030) - SHA256ROUND1(V4, V5, V6, V7, V0, V1, V2, V3, V12, V13, V14, V22, V11, R_x040) - SHA256ROUND1(V3, V4, V5, V6, V7, V0, V1, V2, V13, V14, V15, V23, V12, R_x050) - SHA256ROUND1(V2, V3, V4, V5, V6, V7, V0, V1, V14, V15, V16, V8, V13, R_x060) - SHA256ROUND1(V1, V2, V3, V4, V5, V6, V7, V0, V15, V16, V17, V9, V14, R_x070) - SHA256ROUND1(V0, V1, V2, V3, V4, V5, V6, V7, V16, V17, V18, V10, V15, R_x080) - SHA256ROUND1(V7, V0, V1, V2, V3, V4, V5, V6, V17, V18, V19, V11, V16, R_x090) - SHA256ROUND1(V6, V7, V0, V1, V2, V3, V4, V5, V18, V19, V20, V12, V17, R_x0a0) - SHA256ROUND1(V5, V6, V7, V0, V1, V2, V3, V4, V19, V20, V21, V13, V18, R_x0b0) - SHA256ROUND1(V4, V5, V6, V7, V0, V1, V2, V3, V20, V21, V22, V14, V19, R_x0c0) - SHA256ROUND1(V3, V4, V5, V6, V7, V0, V1, V2, V21, V22, V23, V15, V20, R_x0d0) - SHA256ROUND1(V2, V3, V4, V5, V6, V7, V0, V1, V22, V23, V8, V16, V21, R_x0e0) - SHA256ROUND1(V1, V2, V3, V4, V5, V6, V7, V0, V23, V8, V9, V17, V22, R_x0f0) - ADD $0x100, TBL - - BDNZ L16_xx - - XXLOR VS24, VS24, V10 - - XXLOR VS25, VS25, V11 - VADDUWM V10, V0, V0 - XXLOR VS26, VS26, V12 - VADDUWM V11, V1, V1 - XXLOR VS27, VS27, V13 - VADDUWM V12, V2, V2 - XXLOR VS28, VS28, V14 - VADDUWM V13, V3, V3 - XXLOR VS29, VS29, V15 - VADDUWM V14, V4, V4 - XXLOR VS30, VS30, V16 - VADDUWM V15, V5, V5 - XXLOR VS31, VS31, V17 - VADDUWM V16, V6, V6 - VADDUWM V17, V7, V7 - - CMPU INP, END - BLT loop - - LVX (TBL)(R_x000), V8 - VPERM V0, V1, KI, V0 - LVX (TBL)(R_x010), V9 - VPERM V4, V5, KI, V4 - VPERM V0, V2, V8, V0 - VPERM V4, V6, V8, V4 - VPERM V0, V3, V9, V0 - VPERM V4, V7, V9, V4 - STXVD2X V0, (CTX+R_x000) - STXVD2X V4, (CTX+R_x010) - -end: - RET - diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_riscv64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_riscv64.s deleted file mode 100644 index 567d44781cb..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_riscv64.s +++ /dev/null @@ -1,262 +0,0 @@ -// Copyright 2023 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// SHA256 block routine. See sha256block.go for Go equivalent. -// -// The algorithm is detailed in FIPS 180-4: -// -// https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf -// -// Wt = Mt; for 0 <= t <= 15 -// Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63 -// -// a = H0 -// b = H1 -// c = H2 -// d = H3 -// e = H4 -// f = H5 -// g = H6 -// h = H7 -// -// for t = 0 to 63 { -// T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt -// T2 = BIGSIGMA0(a) + Maj(a,b,c) -// h = g -// g = f -// f = e -// e = d + T1 -// d = c -// c = b -// b = a -// a = T1 + T2 -// } -// -// H0 = a + H0 -// H1 = b + H1 -// H2 = c + H2 -// H3 = d + H3 -// H4 = e + H4 -// H5 = f + H5 -// H6 = g + H6 -// H7 = h + H7 - -// Wt = Mt; for 0 <= t <= 15 -#define MSGSCHEDULE0(index) \ - MOVBU ((index*4)+0)(X29), X5; \ - MOVBU ((index*4)+1)(X29), X6; \ - MOVBU ((index*4)+2)(X29), X7; \ - MOVBU ((index*4)+3)(X29), X8; \ - SLL $24, X5; \ - SLL $16, X6; \ - OR X5, X6, X5; \ - SLL $8, X7; \ - OR X5, X7, X5; \ - OR X5, X8, X5; \ - MOVW X5, (index*4)(X19) - -// Wt = SIGMA1(Wt-2) + Wt-7 + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63 -// SIGMA0(x) = ROTR(7,x) XOR ROTR(18,x) XOR SHR(3,x) -// SIGMA1(x) = ROTR(17,x) XOR ROTR(19,x) XOR SHR(10,x) -#define MSGSCHEDULE1(index) \ - MOVWU (((index-2)&0xf)*4)(X19), X5; \ - MOVWU (((index-15)&0xf)*4)(X19), X6; \ - MOVWU (((index-7)&0xf)*4)(X19), X9; \ - MOVWU (((index-16)&0xf)*4)(X19), X21; \ - RORW $17, X5, X7; \ - RORW $19, X5, X8; \ - SRL $10, X5; \ - XOR X7, X5; \ - XOR X8, X5; \ - ADD X9, X5; \ - RORW $7, X6, X7; \ - RORW $18, X6, X8; \ - SRL $3, X6; \ - XOR X7, X6; \ - XOR X8, X6; \ - ADD X6, X5; \ - ADD X21, X5; \ - MOVW X5, ((index&0xf)*4)(X19) - -// Calculate T1 in X5. -// h is also used as an accumulator. Wt is passed in X5. -// T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + Kt + Wt -// BIGSIGMA1(x) = ROTR(6,x) XOR ROTR(11,x) XOR ROTR(25,x) -// Ch(x, y, z) = (x AND y) XOR (NOT x AND z) -// = ((y XOR z) AND x) XOR z -#define SHA256T1(index, e, f, g, h) \ - MOVWU (index*4)(X18), X8; \ - ADD X5, h; \ - RORW $6, e, X6; \ - ADD X8, h; \ - RORW $11, e, X7; \ - RORW $25, e, X8; \ - XOR X7, X6; \ - XOR f, g, X5; \ - XOR X8, X6; \ - AND e, X5; \ - ADD X6, h; \ - XOR g, X5; \ - ADD h, X5 - -// Calculate T2 in X6. -// T2 = BIGSIGMA0(a) + Maj(a, b, c) -// BIGSIGMA0(x) = ROTR(2,x) XOR ROTR(13,x) XOR ROTR(22,x) -// Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) -// = ((y XOR z) AND x) XOR (y AND z) -#define SHA256T2(a, b, c) \ - RORW $2, a, X6; \ - RORW $13, a, X7; \ - RORW $22, a, X8; \ - XOR X7, X6; \ - XOR b, c, X9; \ - AND b, c, X7; \ - AND a, X9; \ - XOR X8, X6; \ - XOR X7, X9; \ - ADD X9, X6 - -// Calculate T1 and T2, then e = d + T1 and a = T1 + T2. -// The values for e and a are stored in d and h, ready for rotation. -#define SHA256ROUND(index, a, b, c, d, e, f, g, h) \ - SHA256T1(index, e, f, g, h); \ - SHA256T2(a, b, c); \ - ADD X5, d; \ - ADD X6, X5, h - -#define SHA256ROUND0(index, a, b, c, d, e, f, g, h) \ - MSGSCHEDULE0(index); \ - SHA256ROUND(index, a, b, c, d, e, f, g, h) - -#define SHA256ROUND1(index, a, b, c, d, e, f, g, h) \ - MSGSCHEDULE1(index); \ - SHA256ROUND(index, a, b, c, d, e, f, g, h) - -// Note that 64 bytes of stack space is used as a circular buffer -// for the message schedule (4 bytes * 16 entries). -// -// func block(dig *Digest, p []byte) -TEXT ·block(SB),0,$64-32 - MOV p_base+8(FP), X29 - MOV p_len+16(FP), X30 - SRL $6, X30 - SLL $6, X30 - - ADD X29, X30, X28 - BEQ X28, X29, end - - MOV $·_K(SB), X18 // const table - ADD $8, X2, X19 // message schedule - - MOV dig+0(FP), X20 - MOVWU (0*4)(X20), X10 // a = H0 - MOVWU (1*4)(X20), X11 // b = H1 - MOVWU (2*4)(X20), X12 // c = H2 - MOVWU (3*4)(X20), X13 // d = H3 - MOVWU (4*4)(X20), X14 // e = H4 - MOVWU (5*4)(X20), X15 // f = H5 - MOVWU (6*4)(X20), X16 // g = H6 - MOVWU (7*4)(X20), X17 // h = H7 - -loop: - SHA256ROUND0(0, X10, X11, X12, X13, X14, X15, X16, X17) - SHA256ROUND0(1, X17, X10, X11, X12, X13, X14, X15, X16) - SHA256ROUND0(2, X16, X17, X10, X11, X12, X13, X14, X15) - SHA256ROUND0(3, X15, X16, X17, X10, X11, X12, X13, X14) - SHA256ROUND0(4, X14, X15, X16, X17, X10, X11, X12, X13) - SHA256ROUND0(5, X13, X14, X15, X16, X17, X10, X11, X12) - SHA256ROUND0(6, X12, X13, X14, X15, X16, X17, X10, X11) - SHA256ROUND0(7, X11, X12, X13, X14, X15, X16, X17, X10) - SHA256ROUND0(8, X10, X11, X12, X13, X14, X15, X16, X17) - SHA256ROUND0(9, X17, X10, X11, X12, X13, X14, X15, X16) - SHA256ROUND0(10, X16, X17, X10, X11, X12, X13, X14, X15) - SHA256ROUND0(11, X15, X16, X17, X10, X11, X12, X13, X14) - SHA256ROUND0(12, X14, X15, X16, X17, X10, X11, X12, X13) - SHA256ROUND0(13, X13, X14, X15, X16, X17, X10, X11, X12) - SHA256ROUND0(14, X12, X13, X14, X15, X16, X17, X10, X11) - SHA256ROUND0(15, X11, X12, X13, X14, X15, X16, X17, X10) - - SHA256ROUND1(16, X10, X11, X12, X13, X14, X15, X16, X17) - SHA256ROUND1(17, X17, X10, X11, X12, X13, X14, X15, X16) - SHA256ROUND1(18, X16, X17, X10, X11, X12, X13, X14, X15) - SHA256ROUND1(19, X15, X16, X17, X10, X11, X12, X13, X14) - SHA256ROUND1(20, X14, X15, X16, X17, X10, X11, X12, X13) - SHA256ROUND1(21, X13, X14, X15, X16, X17, X10, X11, X12) - SHA256ROUND1(22, X12, X13, X14, X15, X16, X17, X10, X11) - SHA256ROUND1(23, X11, X12, X13, X14, X15, X16, X17, X10) - SHA256ROUND1(24, X10, X11, X12, X13, X14, X15, X16, X17) - SHA256ROUND1(25, X17, X10, X11, X12, X13, X14, X15, X16) - SHA256ROUND1(26, X16, X17, X10, X11, X12, X13, X14, X15) - SHA256ROUND1(27, X15, X16, X17, X10, X11, X12, X13, X14) - SHA256ROUND1(28, X14, X15, X16, X17, X10, X11, X12, X13) - SHA256ROUND1(29, X13, X14, X15, X16, X17, X10, X11, X12) - SHA256ROUND1(30, X12, X13, X14, X15, X16, X17, X10, X11) - SHA256ROUND1(31, X11, X12, X13, X14, X15, X16, X17, X10) - SHA256ROUND1(32, X10, X11, X12, X13, X14, X15, X16, X17) - SHA256ROUND1(33, X17, X10, X11, X12, X13, X14, X15, X16) - SHA256ROUND1(34, X16, X17, X10, X11, X12, X13, X14, X15) - SHA256ROUND1(35, X15, X16, X17, X10, X11, X12, X13, X14) - SHA256ROUND1(36, X14, X15, X16, X17, X10, X11, X12, X13) - SHA256ROUND1(37, X13, X14, X15, X16, X17, X10, X11, X12) - SHA256ROUND1(38, X12, X13, X14, X15, X16, X17, X10, X11) - SHA256ROUND1(39, X11, X12, X13, X14, X15, X16, X17, X10) - SHA256ROUND1(40, X10, X11, X12, X13, X14, X15, X16, X17) - SHA256ROUND1(41, X17, X10, X11, X12, X13, X14, X15, X16) - SHA256ROUND1(42, X16, X17, X10, X11, X12, X13, X14, X15) - SHA256ROUND1(43, X15, X16, X17, X10, X11, X12, X13, X14) - SHA256ROUND1(44, X14, X15, X16, X17, X10, X11, X12, X13) - SHA256ROUND1(45, X13, X14, X15, X16, X17, X10, X11, X12) - SHA256ROUND1(46, X12, X13, X14, X15, X16, X17, X10, X11) - SHA256ROUND1(47, X11, X12, X13, X14, X15, X16, X17, X10) - SHA256ROUND1(48, X10, X11, X12, X13, X14, X15, X16, X17) - SHA256ROUND1(49, X17, X10, X11, X12, X13, X14, X15, X16) - SHA256ROUND1(50, X16, X17, X10, X11, X12, X13, X14, X15) - SHA256ROUND1(51, X15, X16, X17, X10, X11, X12, X13, X14) - SHA256ROUND1(52, X14, X15, X16, X17, X10, X11, X12, X13) - SHA256ROUND1(53, X13, X14, X15, X16, X17, X10, X11, X12) - SHA256ROUND1(54, X12, X13, X14, X15, X16, X17, X10, X11) - SHA256ROUND1(55, X11, X12, X13, X14, X15, X16, X17, X10) - SHA256ROUND1(56, X10, X11, X12, X13, X14, X15, X16, X17) - SHA256ROUND1(57, X17, X10, X11, X12, X13, X14, X15, X16) - SHA256ROUND1(58, X16, X17, X10, X11, X12, X13, X14, X15) - SHA256ROUND1(59, X15, X16, X17, X10, X11, X12, X13, X14) - SHA256ROUND1(60, X14, X15, X16, X17, X10, X11, X12, X13) - SHA256ROUND1(61, X13, X14, X15, X16, X17, X10, X11, X12) - SHA256ROUND1(62, X12, X13, X14, X15, X16, X17, X10, X11) - SHA256ROUND1(63, X11, X12, X13, X14, X15, X16, X17, X10) - - MOVWU (0*4)(X20), X5 - MOVWU (1*4)(X20), X6 - MOVWU (2*4)(X20), X7 - MOVWU (3*4)(X20), X8 - ADD X5, X10 // H0 = a + H0 - ADD X6, X11 // H1 = b + H1 - ADD X7, X12 // H2 = c + H2 - ADD X8, X13 // H3 = d + H3 - MOVW X10, (0*4)(X20) - MOVW X11, (1*4)(X20) - MOVW X12, (2*4)(X20) - MOVW X13, (3*4)(X20) - MOVWU (4*4)(X20), X5 - MOVWU (5*4)(X20), X6 - MOVWU (6*4)(X20), X7 - MOVWU (7*4)(X20), X8 - ADD X5, X14 // H4 = e + H4 - ADD X6, X15 // H5 = f + H5 - ADD X7, X16 // H6 = g + H6 - ADD X8, X17 // H7 = h + H7 - MOVW X14, (4*4)(X20) - MOVW X15, (5*4)(X20) - MOVW X16, (6*4)(X20) - MOVW X17, (7*4)(X20) - - ADD $64, X29 - BNE X28, X29, loop - -end: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_s390x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_s390x.go deleted file mode 100644 index 503c3e49520..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_s390x.go +++ /dev/null @@ -1,31 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package sha256 - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -var useSHA256 = cpu.S390XHasSHA256 - -func init() { - // CP Assist for Cryptographic Functions (CPACF) - // https://www.ibm.com/docs/en/zos/3.1.0?topic=icsf-cp-assist-cryptographic-functions-cpacf - impl.Register("sha256", "CPACF", &useSHA256) -} - -//go:noescape -func blockS390X(dig *Digest, p []byte) - -func block(dig *Digest, p []byte) { - if useSHA256 { - blockS390X(dig, p) - } else { - blockGeneric(dig, p) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_s390x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_s390x.s deleted file mode 100644 index 06469d68d65..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/sha256block_s390x.s +++ /dev/null @@ -1,17 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func blockS390X(dig *Digest, p []byte) -TEXT ·blockS390X(SB), NOSPLIT|NOFRAME, $0-32 - LMG dig+0(FP), R1, R3 // R2 = &p[0], R3 = len(p) - MOVBZ $2, R0 // SHA-256 function code - -loop: - KIMD R0, R2 // compute intermediate message digest (KIMD) - BVS loop // continue if interrupted - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/ya.make deleted file mode 100644 index 442bd8dab89..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha256/ya.make +++ /dev/null @@ -1,31 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - sha256.go - sha256block.go - sha256block_arm64.go - sha256block_arm64.s - ) -ELSEIF (OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - sha256.go - sha256block.go - sha256block_amd64.go - sha256block_amd64.s - ) -ELSEIF (OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - sha256.go - sha256block.go - sha256block_noasm.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/_asm/go.mod b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/_asm/go.mod deleted file mode 100644 index 39e83acc943..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/_asm/go.mod +++ /dev/null @@ -1,11 +0,0 @@ -module sha3/_asm - -go 1.22 - -require github.com/mmcloughlin/avo v0.6.0 - -require ( - golang.org/x/mod v0.19.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/tools v0.23.0 // indirect -) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/_asm/go.sum b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/_asm/go.sum deleted file mode 100644 index 9e8f35f70fc..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/_asm/go.sum +++ /dev/null @@ -1,8 +0,0 @@ -github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY= -github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= -golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= -golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= -golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/_asm/keccakf_amd64_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/_asm/keccakf_amd64_asm.go deleted file mode 100644 index 5e59b11fc87..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/_asm/keccakf_amd64_asm.go +++ /dev/null @@ -1,443 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This code was translated into a form compatible with 6a from the public -// domain sources at https://github.com/gvanas/KeccakCodePackage - -package main - -import ( - "os" - - . "github.com/mmcloughlin/avo/build" - . "github.com/mmcloughlin/avo/operand" - . "github.com/mmcloughlin/avo/reg" -) - -//go:generate go run . -out ../sha3_amd64.s - -// Round Constants for use in the ι step. -var RoundConstants = [24]uint64{ - 0x0000000000000001, - 0x0000000000008082, - 0x800000000000808A, - 0x8000000080008000, - 0x000000000000808B, - 0x0000000080000001, - 0x8000000080008081, - 0x8000000000008009, - 0x000000000000008A, - 0x0000000000000088, - 0x0000000080008009, - 0x000000008000000A, - 0x000000008000808B, - 0x800000000000008B, - 0x8000000000008089, - 0x8000000000008003, - 0x8000000000008002, - 0x8000000000000080, - 0x000000000000800A, - 0x800000008000000A, - 0x8000000080008081, - 0x8000000000008080, - 0x0000000080000001, - 0x8000000080008008, -} - -var ( - // Temporary registers - rT1 GPPhysical = RAX - - // Round vars - rpState = Mem{Base: RDI} - rpStack = Mem{Base: RSP} - - rDa = RBX - rDe = RCX - rDi = RDX - rDo = R8 - rDu = R9 - - rBa = R10 - rBe = R11 - rBi = R12 - rBo = R13 - rBu = R14 - - rCa = RSI - rCe = RBP - rCi = rBi - rCo = rBo - rCu = R15 -) - -const ( - _ba = iota * 8 - _be - _bi - _bo - _bu - _ga - _ge - _gi - _go - _gu - _ka - _ke - _ki - _ko - _ku - _ma - _me - _mi - _mo - _mu - _sa - _se - _si - _so - _su -) - -func main() { - // https://github.com/mmcloughlin/avo/issues/450 - os.Setenv("GOOS", "linux") - os.Setenv("GOARCH", "amd64") - - Package("crypto/internal/fips140/sha3") - ConstraintExpr("!purego") - keccakF1600() - Generate() -} - -func MOVQ_RBI_RCE() { MOVQ(rBi, rCe) } -func XORQ_RT1_RCA() { XORQ(rT1, rCa) } -func XORQ_RT1_RCE() { XORQ(rT1, rCe) } -func XORQ_RBA_RCU() { XORQ(rBa, rCu) } -func XORQ_RBE_RCU() { XORQ(rBe, rCu) } -func XORQ_RDU_RCU() { XORQ(rDu, rCu) } -func XORQ_RDA_RCA() { XORQ(rDa, rCa) } -func XORQ_RDE_RCE() { XORQ(rDe, rCe) } - -type ArgMacro func() - -func mKeccakRound( - iState, oState Mem, - rc U64, - B_RBI_RCE, G_RT1_RCA, G_RT1_RCE, G_RBA_RCU, - K_RT1_RCA, K_RT1_RCE, K_RBA_RCU, M_RT1_RCA, - M_RT1_RCE, M_RBE_RCU, S_RDU_RCU, S_RDA_RCA, - S_RDE_RCE ArgMacro, -) { - Comment("Prepare round") - MOVQ(rCe, rDa) - ROLQ(Imm(1), rDa) - - MOVQ(iState.Offset(_bi), rCi) - XORQ(iState.Offset(_gi), rDi) - XORQ(rCu, rDa) - XORQ(iState.Offset(_ki), rCi) - XORQ(iState.Offset(_mi), rDi) - XORQ(rDi, rCi) - - MOVQ(rCi, rDe) - ROLQ(Imm(1), rDe) - - MOVQ(iState.Offset(_bo), rCo) - XORQ(iState.Offset(_go), rDo) - XORQ(rCa, rDe) - XORQ(iState.Offset(_ko), rCo) - XORQ(iState.Offset(_mo), rDo) - XORQ(rDo, rCo) - - MOVQ(rCo, rDi) - ROLQ(Imm(1), rDi) - - MOVQ(rCu, rDo) - XORQ(rCe, rDi) - ROLQ(Imm(1), rDo) - - MOVQ(rCa, rDu) - XORQ(rCi, rDo) - ROLQ(Imm(1), rDu) - - Comment("Result b") - MOVQ(iState.Offset(_ba), rBa) - MOVQ(iState.Offset(_ge), rBe) - XORQ(rCo, rDu) - MOVQ(iState.Offset(_ki), rBi) - MOVQ(iState.Offset(_mo), rBo) - MOVQ(iState.Offset(_su), rBu) - XORQ(rDe, rBe) - ROLQ(Imm(44), rBe) - XORQ(rDi, rBi) - XORQ(rDa, rBa) - ROLQ(Imm(43), rBi) - - MOVQ(rBe, rCa) - MOVQ(rc, rT1) - ORQ(rBi, rCa) - XORQ(rBa, rT1) - XORQ(rT1, rCa) - MOVQ(rCa, oState.Offset(_ba)) - - XORQ(rDu, rBu) - ROLQ(Imm(14), rBu) - MOVQ(rBa, rCu) - ANDQ(rBe, rCu) - XORQ(rBu, rCu) - MOVQ(rCu, oState.Offset(_bu)) - - XORQ(rDo, rBo) - ROLQ(Imm(21), rBo) - MOVQ(rBo, rT1) - ANDQ(rBu, rT1) - XORQ(rBi, rT1) - MOVQ(rT1, oState.Offset(_bi)) - - NOTQ(rBi) - ORQ(rBa, rBu) - ORQ(rBo, rBi) - XORQ(rBo, rBu) - XORQ(rBe, rBi) - MOVQ(rBu, oState.Offset(_bo)) - MOVQ(rBi, oState.Offset(_be)) - B_RBI_RCE() - - Comment("Result g") - MOVQ(iState.Offset(_gu), rBe) - XORQ(rDu, rBe) - MOVQ(iState.Offset(_ka), rBi) - ROLQ(Imm(20), rBe) - XORQ(rDa, rBi) - ROLQ(Imm(3), rBi) - MOVQ(iState.Offset(_bo), rBa) - MOVQ(rBe, rT1) - ORQ(rBi, rT1) - XORQ(rDo, rBa) - MOVQ(iState.Offset(_me), rBo) - MOVQ(iState.Offset(_si), rBu) - ROLQ(Imm(28), rBa) - XORQ(rBa, rT1) - MOVQ(rT1, oState.Offset(_ga)) - G_RT1_RCA() - - XORQ(rDe, rBo) - ROLQ(Imm(45), rBo) - MOVQ(rBi, rT1) - ANDQ(rBo, rT1) - XORQ(rBe, rT1) - MOVQ(rT1, oState.Offset(_ge)) - G_RT1_RCE() - - XORQ(rDi, rBu) - ROLQ(Imm(61), rBu) - MOVQ(rBu, rT1) - ORQ(rBa, rT1) - XORQ(rBo, rT1) - MOVQ(rT1, oState.Offset(_go)) - - ANDQ(rBe, rBa) - XORQ(rBu, rBa) - MOVQ(rBa, oState.Offset(_gu)) - NOTQ(rBu) - G_RBA_RCU() - - ORQ(rBu, rBo) - XORQ(rBi, rBo) - MOVQ(rBo, oState.Offset(_gi)) - - Comment("Result k") - MOVQ(iState.Offset(_be), rBa) - MOVQ(iState.Offset(_gi), rBe) - MOVQ(iState.Offset(_ko), rBi) - MOVQ(iState.Offset(_mu), rBo) - MOVQ(iState.Offset(_sa), rBu) - XORQ(rDi, rBe) - ROLQ(Imm(6), rBe) - XORQ(rDo, rBi) - ROLQ(Imm(25), rBi) - MOVQ(rBe, rT1) - ORQ(rBi, rT1) - XORQ(rDe, rBa) - ROLQ(Imm(1), rBa) - XORQ(rBa, rT1) - MOVQ(rT1, oState.Offset(_ka)) - K_RT1_RCA() - - XORQ(rDu, rBo) - ROLQ(Imm(8), rBo) - MOVQ(rBi, rT1) - ANDQ(rBo, rT1) - XORQ(rBe, rT1) - MOVQ(rT1, oState.Offset(_ke)) - K_RT1_RCE() - - XORQ(rDa, rBu) - ROLQ(Imm(18), rBu) - NOTQ(rBo) - MOVQ(rBo, rT1) - ANDQ(rBu, rT1) - XORQ(rBi, rT1) - MOVQ(rT1, oState.Offset(_ki)) - - MOVQ(rBu, rT1) - ORQ(rBa, rT1) - XORQ(rBo, rT1) - MOVQ(rT1, oState.Offset(_ko)) - - ANDQ(rBe, rBa) - XORQ(rBu, rBa) - MOVQ(rBa, oState.Offset(_ku)) - K_RBA_RCU() - - Comment("Result m") - MOVQ(iState.Offset(_ga), rBe) - XORQ(rDa, rBe) - MOVQ(iState.Offset(_ke), rBi) - ROLQ(Imm(36), rBe) - XORQ(rDe, rBi) - MOVQ(iState.Offset(_bu), rBa) - ROLQ(Imm(10), rBi) - MOVQ(rBe, rT1) - MOVQ(iState.Offset(_mi), rBo) - ANDQ(rBi, rT1) - XORQ(rDu, rBa) - MOVQ(iState.Offset(_so), rBu) - ROLQ(Imm(27), rBa) - XORQ(rBa, rT1) - MOVQ(rT1, oState.Offset(_ma)) - M_RT1_RCA() - - XORQ(rDi, rBo) - ROLQ(Imm(15), rBo) - MOVQ(rBi, rT1) - ORQ(rBo, rT1) - XORQ(rBe, rT1) - MOVQ(rT1, oState.Offset(_me)) - M_RT1_RCE() - - XORQ(rDo, rBu) - ROLQ(Imm(56), rBu) - NOTQ(rBo) - MOVQ(rBo, rT1) - ORQ(rBu, rT1) - XORQ(rBi, rT1) - MOVQ(rT1, oState.Offset(_mi)) - - ORQ(rBa, rBe) - XORQ(rBu, rBe) - MOVQ(rBe, oState.Offset(_mu)) - - ANDQ(rBa, rBu) - XORQ(rBo, rBu) - MOVQ(rBu, oState.Offset(_mo)) - M_RBE_RCU() - - Comment("Result s") - MOVQ(iState.Offset(_bi), rBa) - MOVQ(iState.Offset(_go), rBe) - MOVQ(iState.Offset(_ku), rBi) - XORQ(rDi, rBa) - MOVQ(iState.Offset(_ma), rBo) - ROLQ(Imm(62), rBa) - XORQ(rDo, rBe) - MOVQ(iState.Offset(_se), rBu) - ROLQ(Imm(55), rBe) - - XORQ(rDu, rBi) - MOVQ(rBa, rDu) - XORQ(rDe, rBu) - ROLQ(Imm(2), rBu) - ANDQ(rBe, rDu) - XORQ(rBu, rDu) - MOVQ(rDu, oState.Offset(_su)) - - ROLQ(Imm(39), rBi) - S_RDU_RCU() - NOTQ(rBe) - XORQ(rDa, rBo) - MOVQ(rBe, rDa) - ANDQ(rBi, rDa) - XORQ(rBa, rDa) - MOVQ(rDa, oState.Offset(_sa)) - S_RDA_RCA() - - ROLQ(Imm(41), rBo) - MOVQ(rBi, rDe) - ORQ(rBo, rDe) - XORQ(rBe, rDe) - MOVQ(rDe, oState.Offset(_se)) - S_RDE_RCE() - - MOVQ(rBo, rDi) - MOVQ(rBu, rDo) - ANDQ(rBu, rDi) - ORQ(rBa, rDo) - XORQ(rBi, rDi) - XORQ(rBo, rDo) - MOVQ(rDi, oState.Offset(_si)) - MOVQ(rDo, oState.Offset(_so)) -} - -// keccakF1600 applies the Keccak permutation to a 1600b-wide -// state represented as a slice of 25 uint64s. -func keccakF1600() { - Implement("keccakF1600") - AllocLocal(200) - - Load(Param("a"), rpState.Base) - - Comment("Convert the user state into an internal state") - NOTQ(rpState.Offset(_be)) - NOTQ(rpState.Offset(_bi)) - NOTQ(rpState.Offset(_go)) - NOTQ(rpState.Offset(_ki)) - NOTQ(rpState.Offset(_mi)) - NOTQ(rpState.Offset(_sa)) - - Comment("Execute the KeccakF permutation") - MOVQ(rpState.Offset(_ba), rCa) - MOVQ(rpState.Offset(_be), rCe) - MOVQ(rpState.Offset(_bu), rCu) - - XORQ(rpState.Offset(_ga), rCa) - XORQ(rpState.Offset(_ge), rCe) - XORQ(rpState.Offset(_gu), rCu) - - XORQ(rpState.Offset(_ka), rCa) - XORQ(rpState.Offset(_ke), rCe) - XORQ(rpState.Offset(_ku), rCu) - - XORQ(rpState.Offset(_ma), rCa) - XORQ(rpState.Offset(_me), rCe) - XORQ(rpState.Offset(_mu), rCu) - - XORQ(rpState.Offset(_sa), rCa) - XORQ(rpState.Offset(_se), rCe) - MOVQ(rpState.Offset(_si), rDi) - MOVQ(rpState.Offset(_so), rDo) - XORQ(rpState.Offset(_su), rCu) - - for i, rc := range RoundConstants[:len(RoundConstants)-1] { - var iState, oState Mem - if i%2 == 0 { - iState, oState = rpState, rpStack - } else { - iState, oState = rpStack, rpState - } - mKeccakRound(iState, oState, U64(rc), MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE) - } - mKeccakRound(rpStack, rpState, U64(RoundConstants[len(RoundConstants)-1]), NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP) - - Comment("Revert the internal state to the user state") - NOTQ(rpState.Offset(_be)) - NOTQ(rpState.Offset(_bi)) - NOTQ(rpState.Offset(_go)) - NOTQ(rpState.Offset(_ki)) - NOTQ(rpState.Offset(_mi)) - NOTQ(rpState.Offset(_sa)) - - RET() -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/cast.go deleted file mode 100644 index 4a1ef486a2d..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/cast.go +++ /dev/null @@ -1,32 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package sha3 - -import ( - "bytes" - "crypto/internal/fips140" - "errors" -) - -func init() { - fips140.CAST("cSHAKE128", func() error { - input := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - } - want := []byte{ - 0xd2, 0x17, 0x37, 0x39, 0xf6, 0xa1, 0xe4, 0x6e, - 0x81, 0xe5, 0x70, 0xe3, 0x1b, 0x10, 0x4c, 0x82, - 0xc5, 0x48, 0xee, 0xe6, 0x09, 0xf5, 0x89, 0x52, - 0x52, 0xa4, 0x69, 0xd4, 0xd0, 0x76, 0x68, 0x6b, - } - h := NewCShake128(input, input) - h.Write(input) - if got := h.Sum(nil); !bytes.Equal(got, want) { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/hashes.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/hashes.go deleted file mode 100644 index da1b9bcf5f8..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/hashes.go +++ /dev/null @@ -1,59 +0,0 @@ -// Copyright 2014 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package sha3 - -// New224 returns a new Digest computing the SHA3-224 hash. -func New224() *Digest { - return &Digest{rate: rateK448, outputLen: 28, dsbyte: dsbyteSHA3} -} - -// New256 returns a new Digest computing the SHA3-256 hash. -func New256() *Digest { - return &Digest{rate: rateK512, outputLen: 32, dsbyte: dsbyteSHA3} -} - -// New384 returns a new Digest computing the SHA3-384 hash. -func New384() *Digest { - return &Digest{rate: rateK768, outputLen: 48, dsbyte: dsbyteSHA3} -} - -// New512 returns a new Digest computing the SHA3-512 hash. -func New512() *Digest { - return &Digest{rate: rateK1024, outputLen: 64, dsbyte: dsbyteSHA3} -} - -// TODO(fips): do this in the stdlib crypto/sha3 package. -// -// crypto.RegisterHash(crypto.SHA3_224, New224) -// crypto.RegisterHash(crypto.SHA3_256, New256) -// crypto.RegisterHash(crypto.SHA3_384, New384) -// crypto.RegisterHash(crypto.SHA3_512, New512) - -const ( - dsbyteSHA3 = 0b00000110 - dsbyteKeccak = 0b00000001 - dsbyteShake = 0b00011111 - dsbyteCShake = 0b00000100 - - // rateK[c] is the rate in bytes for Keccak[c] where c is the capacity in - // bits. Given the sponge size is 1600 bits, the rate is 1600 - c bits. - rateK256 = (1600 - 256) / 8 - rateK448 = (1600 - 448) / 8 - rateK512 = (1600 - 512) / 8 - rateK768 = (1600 - 768) / 8 - rateK1024 = (1600 - 1024) / 8 -) - -// NewLegacyKeccak256 returns a new Digest computing the legacy, non-standard -// Keccak-256 hash. -func NewLegacyKeccak256() *Digest { - return &Digest{rate: rateK512, outputLen: 32, dsbyte: dsbyteKeccak} -} - -// NewLegacyKeccak512 returns a new Digest computing the legacy, non-standard -// Keccak-512 hash. -func NewLegacyKeccak512() *Digest { - return &Digest{rate: rateK1024, outputLen: 64, dsbyte: dsbyteKeccak} -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/keccakf.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/keccakf.go deleted file mode 100644 index 398b1250008..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/keccakf.go +++ /dev/null @@ -1,431 +0,0 @@ -// Copyright 2014 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package sha3 - -import ( - "crypto/internal/fips140deps/byteorder" - "crypto/internal/fips140deps/cpu" - "math/bits" - "unsafe" -) - -// rc stores the round constants for use in the ι step. -var rc = [24]uint64{ - 0x0000000000000001, - 0x0000000000008082, - 0x800000000000808A, - 0x8000000080008000, - 0x000000000000808B, - 0x0000000080000001, - 0x8000000080008081, - 0x8000000000008009, - 0x000000000000008A, - 0x0000000000000088, - 0x0000000080008009, - 0x000000008000000A, - 0x000000008000808B, - 0x800000000000008B, - 0x8000000000008089, - 0x8000000000008003, - 0x8000000000008002, - 0x8000000000000080, - 0x000000000000800A, - 0x800000008000000A, - 0x8000000080008081, - 0x8000000000008080, - 0x0000000080000001, - 0x8000000080008008, -} - -// keccakF1600Generic applies the Keccak permutation. -func keccakF1600Generic(da *[200]byte) { - var a *[25]uint64 - if cpu.BigEndian { - a = new([25]uint64) - for i := range a { - a[i] = byteorder.LEUint64(da[i*8:]) - } - defer func() { - for i := range a { - byteorder.LEPutUint64(da[i*8:], a[i]) - } - }() - } else { - a = (*[25]uint64)(unsafe.Pointer(da)) - } - - // Implementation translated from Keccak-inplace.c - // in the keccak reference code. - var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64 - - for i := 0; i < 24; i += 4 { - // Combines the 5 steps in each round into 2 steps. - // Unrolls 4 rounds per loop and spreads some steps across rounds. - - // Round 1 - bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] - bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] - bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] - bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] - bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] - d0 = bc4 ^ (bc1<<1 | bc1>>63) - d1 = bc0 ^ (bc2<<1 | bc2>>63) - d2 = bc1 ^ (bc3<<1 | bc3>>63) - d3 = bc2 ^ (bc4<<1 | bc4>>63) - d4 = bc3 ^ (bc0<<1 | bc0>>63) - - bc0 = a[0] ^ d0 - t = a[6] ^ d1 - bc1 = bits.RotateLeft64(t, 44) - t = a[12] ^ d2 - bc2 = bits.RotateLeft64(t, 43) - t = a[18] ^ d3 - bc3 = bits.RotateLeft64(t, 21) - t = a[24] ^ d4 - bc4 = bits.RotateLeft64(t, 14) - a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i] - a[6] = bc1 ^ (bc3 &^ bc2) - a[12] = bc2 ^ (bc4 &^ bc3) - a[18] = bc3 ^ (bc0 &^ bc4) - a[24] = bc4 ^ (bc1 &^ bc0) - - t = a[10] ^ d0 - bc2 = bits.RotateLeft64(t, 3) - t = a[16] ^ d1 - bc3 = bits.RotateLeft64(t, 45) - t = a[22] ^ d2 - bc4 = bits.RotateLeft64(t, 61) - t = a[3] ^ d3 - bc0 = bits.RotateLeft64(t, 28) - t = a[9] ^ d4 - bc1 = bits.RotateLeft64(t, 20) - a[10] = bc0 ^ (bc2 &^ bc1) - a[16] = bc1 ^ (bc3 &^ bc2) - a[22] = bc2 ^ (bc4 &^ bc3) - a[3] = bc3 ^ (bc0 &^ bc4) - a[9] = bc4 ^ (bc1 &^ bc0) - - t = a[20] ^ d0 - bc4 = bits.RotateLeft64(t, 18) - t = a[1] ^ d1 - bc0 = bits.RotateLeft64(t, 1) - t = a[7] ^ d2 - bc1 = bits.RotateLeft64(t, 6) - t = a[13] ^ d3 - bc2 = bits.RotateLeft64(t, 25) - t = a[19] ^ d4 - bc3 = bits.RotateLeft64(t, 8) - a[20] = bc0 ^ (bc2 &^ bc1) - a[1] = bc1 ^ (bc3 &^ bc2) - a[7] = bc2 ^ (bc4 &^ bc3) - a[13] = bc3 ^ (bc0 &^ bc4) - a[19] = bc4 ^ (bc1 &^ bc0) - - t = a[5] ^ d0 - bc1 = bits.RotateLeft64(t, 36) - t = a[11] ^ d1 - bc2 = bits.RotateLeft64(t, 10) - t = a[17] ^ d2 - bc3 = bits.RotateLeft64(t, 15) - t = a[23] ^ d3 - bc4 = bits.RotateLeft64(t, 56) - t = a[4] ^ d4 - bc0 = bits.RotateLeft64(t, 27) - a[5] = bc0 ^ (bc2 &^ bc1) - a[11] = bc1 ^ (bc3 &^ bc2) - a[17] = bc2 ^ (bc4 &^ bc3) - a[23] = bc3 ^ (bc0 &^ bc4) - a[4] = bc4 ^ (bc1 &^ bc0) - - t = a[15] ^ d0 - bc3 = bits.RotateLeft64(t, 41) - t = a[21] ^ d1 - bc4 = bits.RotateLeft64(t, 2) - t = a[2] ^ d2 - bc0 = bits.RotateLeft64(t, 62) - t = a[8] ^ d3 - bc1 = bits.RotateLeft64(t, 55) - t = a[14] ^ d4 - bc2 = bits.RotateLeft64(t, 39) - a[15] = bc0 ^ (bc2 &^ bc1) - a[21] = bc1 ^ (bc3 &^ bc2) - a[2] = bc2 ^ (bc4 &^ bc3) - a[8] = bc3 ^ (bc0 &^ bc4) - a[14] = bc4 ^ (bc1 &^ bc0) - - // Round 2 - bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] - bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] - bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] - bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] - bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] - d0 = bc4 ^ (bc1<<1 | bc1>>63) - d1 = bc0 ^ (bc2<<1 | bc2>>63) - d2 = bc1 ^ (bc3<<1 | bc3>>63) - d3 = bc2 ^ (bc4<<1 | bc4>>63) - d4 = bc3 ^ (bc0<<1 | bc0>>63) - - bc0 = a[0] ^ d0 - t = a[16] ^ d1 - bc1 = bits.RotateLeft64(t, 44) - t = a[7] ^ d2 - bc2 = bits.RotateLeft64(t, 43) - t = a[23] ^ d3 - bc3 = bits.RotateLeft64(t, 21) - t = a[14] ^ d4 - bc4 = bits.RotateLeft64(t, 14) - a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1] - a[16] = bc1 ^ (bc3 &^ bc2) - a[7] = bc2 ^ (bc4 &^ bc3) - a[23] = bc3 ^ (bc0 &^ bc4) - a[14] = bc4 ^ (bc1 &^ bc0) - - t = a[20] ^ d0 - bc2 = bits.RotateLeft64(t, 3) - t = a[11] ^ d1 - bc3 = bits.RotateLeft64(t, 45) - t = a[2] ^ d2 - bc4 = bits.RotateLeft64(t, 61) - t = a[18] ^ d3 - bc0 = bits.RotateLeft64(t, 28) - t = a[9] ^ d4 - bc1 = bits.RotateLeft64(t, 20) - a[20] = bc0 ^ (bc2 &^ bc1) - a[11] = bc1 ^ (bc3 &^ bc2) - a[2] = bc2 ^ (bc4 &^ bc3) - a[18] = bc3 ^ (bc0 &^ bc4) - a[9] = bc4 ^ (bc1 &^ bc0) - - t = a[15] ^ d0 - bc4 = bits.RotateLeft64(t, 18) - t = a[6] ^ d1 - bc0 = bits.RotateLeft64(t, 1) - t = a[22] ^ d2 - bc1 = bits.RotateLeft64(t, 6) - t = a[13] ^ d3 - bc2 = bits.RotateLeft64(t, 25) - t = a[4] ^ d4 - bc3 = bits.RotateLeft64(t, 8) - a[15] = bc0 ^ (bc2 &^ bc1) - a[6] = bc1 ^ (bc3 &^ bc2) - a[22] = bc2 ^ (bc4 &^ bc3) - a[13] = bc3 ^ (bc0 &^ bc4) - a[4] = bc4 ^ (bc1 &^ bc0) - - t = a[10] ^ d0 - bc1 = bits.RotateLeft64(t, 36) - t = a[1] ^ d1 - bc2 = bits.RotateLeft64(t, 10) - t = a[17] ^ d2 - bc3 = bits.RotateLeft64(t, 15) - t = a[8] ^ d3 - bc4 = bits.RotateLeft64(t, 56) - t = a[24] ^ d4 - bc0 = bits.RotateLeft64(t, 27) - a[10] = bc0 ^ (bc2 &^ bc1) - a[1] = bc1 ^ (bc3 &^ bc2) - a[17] = bc2 ^ (bc4 &^ bc3) - a[8] = bc3 ^ (bc0 &^ bc4) - a[24] = bc4 ^ (bc1 &^ bc0) - - t = a[5] ^ d0 - bc3 = bits.RotateLeft64(t, 41) - t = a[21] ^ d1 - bc4 = bits.RotateLeft64(t, 2) - t = a[12] ^ d2 - bc0 = bits.RotateLeft64(t, 62) - t = a[3] ^ d3 - bc1 = bits.RotateLeft64(t, 55) - t = a[19] ^ d4 - bc2 = bits.RotateLeft64(t, 39) - a[5] = bc0 ^ (bc2 &^ bc1) - a[21] = bc1 ^ (bc3 &^ bc2) - a[12] = bc2 ^ (bc4 &^ bc3) - a[3] = bc3 ^ (bc0 &^ bc4) - a[19] = bc4 ^ (bc1 &^ bc0) - - // Round 3 - bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] - bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] - bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] - bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] - bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] - d0 = bc4 ^ (bc1<<1 | bc1>>63) - d1 = bc0 ^ (bc2<<1 | bc2>>63) - d2 = bc1 ^ (bc3<<1 | bc3>>63) - d3 = bc2 ^ (bc4<<1 | bc4>>63) - d4 = bc3 ^ (bc0<<1 | bc0>>63) - - bc0 = a[0] ^ d0 - t = a[11] ^ d1 - bc1 = bits.RotateLeft64(t, 44) - t = a[22] ^ d2 - bc2 = bits.RotateLeft64(t, 43) - t = a[8] ^ d3 - bc3 = bits.RotateLeft64(t, 21) - t = a[19] ^ d4 - bc4 = bits.RotateLeft64(t, 14) - a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2] - a[11] = bc1 ^ (bc3 &^ bc2) - a[22] = bc2 ^ (bc4 &^ bc3) - a[8] = bc3 ^ (bc0 &^ bc4) - a[19] = bc4 ^ (bc1 &^ bc0) - - t = a[15] ^ d0 - bc2 = bits.RotateLeft64(t, 3) - t = a[1] ^ d1 - bc3 = bits.RotateLeft64(t, 45) - t = a[12] ^ d2 - bc4 = bits.RotateLeft64(t, 61) - t = a[23] ^ d3 - bc0 = bits.RotateLeft64(t, 28) - t = a[9] ^ d4 - bc1 = bits.RotateLeft64(t, 20) - a[15] = bc0 ^ (bc2 &^ bc1) - a[1] = bc1 ^ (bc3 &^ bc2) - a[12] = bc2 ^ (bc4 &^ bc3) - a[23] = bc3 ^ (bc0 &^ bc4) - a[9] = bc4 ^ (bc1 &^ bc0) - - t = a[5] ^ d0 - bc4 = bits.RotateLeft64(t, 18) - t = a[16] ^ d1 - bc0 = bits.RotateLeft64(t, 1) - t = a[2] ^ d2 - bc1 = bits.RotateLeft64(t, 6) - t = a[13] ^ d3 - bc2 = bits.RotateLeft64(t, 25) - t = a[24] ^ d4 - bc3 = bits.RotateLeft64(t, 8) - a[5] = bc0 ^ (bc2 &^ bc1) - a[16] = bc1 ^ (bc3 &^ bc2) - a[2] = bc2 ^ (bc4 &^ bc3) - a[13] = bc3 ^ (bc0 &^ bc4) - a[24] = bc4 ^ (bc1 &^ bc0) - - t = a[20] ^ d0 - bc1 = bits.RotateLeft64(t, 36) - t = a[6] ^ d1 - bc2 = bits.RotateLeft64(t, 10) - t = a[17] ^ d2 - bc3 = bits.RotateLeft64(t, 15) - t = a[3] ^ d3 - bc4 = bits.RotateLeft64(t, 56) - t = a[14] ^ d4 - bc0 = bits.RotateLeft64(t, 27) - a[20] = bc0 ^ (bc2 &^ bc1) - a[6] = bc1 ^ (bc3 &^ bc2) - a[17] = bc2 ^ (bc4 &^ bc3) - a[3] = bc3 ^ (bc0 &^ bc4) - a[14] = bc4 ^ (bc1 &^ bc0) - - t = a[10] ^ d0 - bc3 = bits.RotateLeft64(t, 41) - t = a[21] ^ d1 - bc4 = bits.RotateLeft64(t, 2) - t = a[7] ^ d2 - bc0 = bits.RotateLeft64(t, 62) - t = a[18] ^ d3 - bc1 = bits.RotateLeft64(t, 55) - t = a[4] ^ d4 - bc2 = bits.RotateLeft64(t, 39) - a[10] = bc0 ^ (bc2 &^ bc1) - a[21] = bc1 ^ (bc3 &^ bc2) - a[7] = bc2 ^ (bc4 &^ bc3) - a[18] = bc3 ^ (bc0 &^ bc4) - a[4] = bc4 ^ (bc1 &^ bc0) - - // Round 4 - bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] - bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] - bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] - bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] - bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] - d0 = bc4 ^ (bc1<<1 | bc1>>63) - d1 = bc0 ^ (bc2<<1 | bc2>>63) - d2 = bc1 ^ (bc3<<1 | bc3>>63) - d3 = bc2 ^ (bc4<<1 | bc4>>63) - d4 = bc3 ^ (bc0<<1 | bc0>>63) - - bc0 = a[0] ^ d0 - t = a[1] ^ d1 - bc1 = bits.RotateLeft64(t, 44) - t = a[2] ^ d2 - bc2 = bits.RotateLeft64(t, 43) - t = a[3] ^ d3 - bc3 = bits.RotateLeft64(t, 21) - t = a[4] ^ d4 - bc4 = bits.RotateLeft64(t, 14) - a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3] - a[1] = bc1 ^ (bc3 &^ bc2) - a[2] = bc2 ^ (bc4 &^ bc3) - a[3] = bc3 ^ (bc0 &^ bc4) - a[4] = bc4 ^ (bc1 &^ bc0) - - t = a[5] ^ d0 - bc2 = bits.RotateLeft64(t, 3) - t = a[6] ^ d1 - bc3 = bits.RotateLeft64(t, 45) - t = a[7] ^ d2 - bc4 = bits.RotateLeft64(t, 61) - t = a[8] ^ d3 - bc0 = bits.RotateLeft64(t, 28) - t = a[9] ^ d4 - bc1 = bits.RotateLeft64(t, 20) - a[5] = bc0 ^ (bc2 &^ bc1) - a[6] = bc1 ^ (bc3 &^ bc2) - a[7] = bc2 ^ (bc4 &^ bc3) - a[8] = bc3 ^ (bc0 &^ bc4) - a[9] = bc4 ^ (bc1 &^ bc0) - - t = a[10] ^ d0 - bc4 = bits.RotateLeft64(t, 18) - t = a[11] ^ d1 - bc0 = bits.RotateLeft64(t, 1) - t = a[12] ^ d2 - bc1 = bits.RotateLeft64(t, 6) - t = a[13] ^ d3 - bc2 = bits.RotateLeft64(t, 25) - t = a[14] ^ d4 - bc3 = bits.RotateLeft64(t, 8) - a[10] = bc0 ^ (bc2 &^ bc1) - a[11] = bc1 ^ (bc3 &^ bc2) - a[12] = bc2 ^ (bc4 &^ bc3) - a[13] = bc3 ^ (bc0 &^ bc4) - a[14] = bc4 ^ (bc1 &^ bc0) - - t = a[15] ^ d0 - bc1 = bits.RotateLeft64(t, 36) - t = a[16] ^ d1 - bc2 = bits.RotateLeft64(t, 10) - t = a[17] ^ d2 - bc3 = bits.RotateLeft64(t, 15) - t = a[18] ^ d3 - bc4 = bits.RotateLeft64(t, 56) - t = a[19] ^ d4 - bc0 = bits.RotateLeft64(t, 27) - a[15] = bc0 ^ (bc2 &^ bc1) - a[16] = bc1 ^ (bc3 &^ bc2) - a[17] = bc2 ^ (bc4 &^ bc3) - a[18] = bc3 ^ (bc0 &^ bc4) - a[19] = bc4 ^ (bc1 &^ bc0) - - t = a[20] ^ d0 - bc3 = bits.RotateLeft64(t, 41) - t = a[21] ^ d1 - bc4 = bits.RotateLeft64(t, 2) - t = a[22] ^ d2 - bc0 = bits.RotateLeft64(t, 62) - t = a[23] ^ d3 - bc1 = bits.RotateLeft64(t, 55) - t = a[24] ^ d4 - bc2 = bits.RotateLeft64(t, 39) - a[20] = bc0 ^ (bc2 &^ bc1) - a[21] = bc1 ^ (bc3 &^ bc2) - a[22] = bc2 ^ (bc4 &^ bc3) - a[23] = bc3 ^ (bc0 &^ bc4) - a[24] = bc4 ^ (bc1 &^ bc0) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3.go deleted file mode 100644 index 7513f8ef5da..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3.go +++ /dev/null @@ -1,235 +0,0 @@ -// Copyright 2014 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package sha3 implements the SHA-3 fixed-output-length hash functions and -// the SHAKE variable-output-length functions defined by [FIPS 202], as well as -// the cSHAKE extendable-output-length functions defined by [SP 800-185]. -// -// [FIPS 202]: https://doi.org/10.6028/NIST.FIPS.202 -// [SP 800-185]: https://doi.org/10.6028/NIST.SP.800-185 -package sha3 - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/subtle" - "errors" -) - -// spongeDirection indicates the direction bytes are flowing through the sponge. -type spongeDirection int - -const ( - // spongeAbsorbing indicates that the sponge is absorbing input. - spongeAbsorbing spongeDirection = iota - // spongeSqueezing indicates that the sponge is being squeezed. - spongeSqueezing -) - -type Digest struct { - a [1600 / 8]byte // main state of the hash - - // a[n:rate] is the buffer. If absorbing, it's the remaining space to XOR - // into before running the permutation. If squeezing, it's the remaining - // output to produce before running the permutation. - n, rate int - - // dsbyte contains the "domain separation" bits and the first bit of - // the padding. Sections 6.1 and 6.2 of [1] separate the outputs of the - // SHA-3 and SHAKE functions by appending bitstrings to the message. - // Using a little-endian bit-ordering convention, these are "01" for SHA-3 - // and "1111" for SHAKE, or 00000010b and 00001111b, respectively. Then the - // padding rule from section 5.1 is applied to pad the message to a multiple - // of the rate, which involves adding a "1" bit, zero or more "0" bits, and - // a final "1" bit. We merge the first "1" bit from the padding into dsbyte, - // giving 00000110b (0x06) and 00011111b (0x1f). - // [1] http://csrc.nist.gov/publications/drafts/fips-202/fips_202_draft.pdf - // "Draft FIPS 202: SHA-3 Standard: Permutation-Based Hash and - // Extendable-Output Functions (May 2014)" - dsbyte byte - - outputLen int // the default output size in bytes - state spongeDirection // whether the sponge is absorbing or squeezing -} - -// BlockSize returns the rate of sponge underlying this hash function. -func (d *Digest) BlockSize() int { return d.rate } - -// Size returns the output size of the hash function in bytes. -func (d *Digest) Size() int { return d.outputLen } - -// Reset resets the Digest to its initial state. -func (d *Digest) Reset() { - // Zero the permutation's state. - for i := range d.a { - d.a[i] = 0 - } - d.state = spongeAbsorbing - d.n = 0 -} - -func (d *Digest) Clone() *Digest { - ret := *d - return &ret -} - -// permute applies the KeccakF-1600 permutation. -func (d *Digest) permute() { - keccakF1600(&d.a) - d.n = 0 -} - -// padAndPermute appends the domain separation bits in dsbyte, applies -// the multi-bitrate 10..1 padding rule, and permutes the state. -func (d *Digest) padAndPermute() { - // Pad with this instance's domain-separator bits. We know that there's - // at least one byte of space in the sponge because, if it were full, - // permute would have been called to empty it. dsbyte also contains the - // first one bit for the padding. See the comment in the state struct. - d.a[d.n] ^= d.dsbyte - // This adds the final one bit for the padding. Because of the way that - // bits are numbered from the LSB upwards, the final bit is the MSB of - // the last byte. - d.a[d.rate-1] ^= 0x80 - // Apply the permutation - d.permute() - d.state = spongeSqueezing -} - -// Write absorbs more data into the hash's state. -func (d *Digest) Write(p []byte) (n int, err error) { return d.write(p) } -func (d *Digest) writeGeneric(p []byte) (n int, err error) { - if d.state != spongeAbsorbing { - panic("sha3: Write after Read") - } - - n = len(p) - - for len(p) > 0 { - x := subtle.XORBytes(d.a[d.n:d.rate], d.a[d.n:d.rate], p) - d.n += x - p = p[x:] - - // If the sponge is full, apply the permutation. - if d.n == d.rate { - d.permute() - } - } - - return -} - -// read squeezes an arbitrary number of bytes from the sponge. -func (d *Digest) readGeneric(out []byte) (n int, err error) { - // If we're still absorbing, pad and apply the permutation. - if d.state == spongeAbsorbing { - d.padAndPermute() - } - - n = len(out) - - // Now, do the squeezing. - for len(out) > 0 { - // Apply the permutation if we've squeezed the sponge dry. - if d.n == d.rate { - d.permute() - } - - x := copy(out, d.a[d.n:d.rate]) - d.n += x - out = out[x:] - } - - return -} - -// Sum appends the current hash to b and returns the resulting slice. -// It does not change the underlying hash state. -func (d *Digest) Sum(b []byte) []byte { - fips140.RecordApproved() - return d.sum(b) -} - -func (d *Digest) sumGeneric(b []byte) []byte { - if d.state != spongeAbsorbing { - panic("sha3: Sum after Read") - } - - // Make a copy of the original hash so that caller can keep writing - // and summing. - dup := d.Clone() - hash := make([]byte, dup.outputLen, 64) // explicit cap to allow stack allocation - dup.read(hash) - return append(b, hash...) -} - -const ( - magicSHA3 = "sha\x08" - magicShake = "sha\x09" - magicCShake = "sha\x0a" - magicKeccak = "sha\x0b" - // magic || rate || main state || n || sponge direction - marshaledSize = len(magicSHA3) + 1 + 200 + 1 + 1 -) - -func (d *Digest) MarshalBinary() ([]byte, error) { - return d.AppendBinary(make([]byte, 0, marshaledSize)) -} - -func (d *Digest) AppendBinary(b []byte) ([]byte, error) { - switch d.dsbyte { - case dsbyteSHA3: - b = append(b, magicSHA3...) - case dsbyteShake: - b = append(b, magicShake...) - case dsbyteCShake: - b = append(b, magicCShake...) - case dsbyteKeccak: - b = append(b, magicKeccak...) - default: - panic("unknown dsbyte") - } - // rate is at most 168, and n is at most rate. - b = append(b, byte(d.rate)) - b = append(b, d.a[:]...) - b = append(b, byte(d.n), byte(d.state)) - return b, nil -} - -func (d *Digest) UnmarshalBinary(b []byte) error { - if len(b) != marshaledSize { - return errors.New("sha3: invalid hash state") - } - - magic := string(b[:len(magicSHA3)]) - b = b[len(magicSHA3):] - switch { - case magic == magicSHA3 && d.dsbyte == dsbyteSHA3: - case magic == magicShake && d.dsbyte == dsbyteShake: - case magic == magicCShake && d.dsbyte == dsbyteCShake: - case magic == magicKeccak && d.dsbyte == dsbyteKeccak: - default: - return errors.New("sha3: invalid hash state identifier") - } - - rate := int(b[0]) - b = b[1:] - if rate != d.rate { - return errors.New("sha3: invalid hash state function") - } - - copy(d.a[:], b) - b = b[len(d.a):] - - n, state := int(b[0]), spongeDirection(b[1]) - if n > d.rate { - return errors.New("sha3: invalid hash state") - } - d.n = n - if state != spongeAbsorbing && state != spongeSqueezing { - return errors.New("sha3: invalid hash state") - } - d.state = state - - return nil -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_amd64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_amd64.go deleted file mode 100644 index d986e3f7b32..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_amd64.go +++ /dev/null @@ -1,20 +0,0 @@ -// Copyright 2015 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package sha3 - -//go:noescape -func keccakF1600(a *[200]byte) - -func (d *Digest) write(p []byte) (n int, err error) { - return d.writeGeneric(p) -} -func (d *Digest) read(out []byte) (n int, err error) { - return d.readGeneric(out) -} -func (d *Digest) sum(b []byte) []byte { - return d.sumGeneric(b) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_amd64.s deleted file mode 100644 index 3137e2d6cfa..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_amd64.s +++ /dev/null @@ -1,5419 +0,0 @@ -// Code generated by command: go run keccakf_amd64_asm.go -out ../sha3_amd64.s. DO NOT EDIT. - -//go:build !purego - -// func keccakF1600(a *[200]byte) -TEXT ·keccakF1600(SB), $200-8 - MOVQ a+0(FP), DI - - // Convert the user state into an internal state - NOTQ 8(DI) - NOTQ 16(DI) - NOTQ 64(DI) - NOTQ 96(DI) - NOTQ 136(DI) - NOTQ 160(DI) - - // Execute the KeccakF permutation - MOVQ (DI), SI - MOVQ 8(DI), BP - MOVQ 32(DI), R15 - XORQ 40(DI), SI - XORQ 48(DI), BP - XORQ 72(DI), R15 - XORQ 80(DI), SI - XORQ 88(DI), BP - XORQ 112(DI), R15 - XORQ 120(DI), SI - XORQ 128(DI), BP - XORQ 152(DI), R15 - XORQ 160(DI), SI - XORQ 168(DI), BP - MOVQ 176(DI), DX - MOVQ 184(DI), R8 - XORQ 192(DI), R15 - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000000000001, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000000008082, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x800000000000808a, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000080008000, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x000000000000808b, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000080000001, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000080008081, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000008009, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x000000000000008a, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000000000088, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000080008009, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x000000008000000a, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x000000008000808b, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x800000000000008b, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000008089, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000008003, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000008002, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000000080, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x000000000000800a, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x800000008000000a, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000080008081, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000008080, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000080000001, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000080008008, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - NOP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - NOP - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - NOP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - NOP - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - NOP - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - NOP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - NOP - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - NOP - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - NOP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - NOP - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - NOP - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - NOP - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - NOP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Revert the internal state to the user state - NOTQ 8(DI) - NOTQ 16(DI) - NOTQ 64(DI) - NOTQ 96(DI) - NOTQ 136(DI) - NOTQ 160(DI) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_arm64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_arm64.go deleted file mode 100644 index fab91c02bb7..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_arm64.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2025 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package sha3 - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" - "runtime" -) - -// On non-Apple ARM64, the SHA-3 instructions are apparently slower than the -// pure Go implementation. Checking GOOS is a bit blunt, as it also excludes -// Asahi Linux; we might consider checking the MIDR model in the future. -var useSHA3 = cpu.ARM64HasSHA3 && runtime.GOOS == "darwin" - -func init() { - impl.Register("sha3", "Armv8.2", &useSHA3) -} - -//go:noescape -func keccakF1600NEON(a *[200]byte) - -func keccakF1600(a *[200]byte) { - if useSHA3 { - keccakF1600NEON(a) - } else { - keccakF1600Generic(a) - } -} - -func (d *Digest) write(p []byte) (n int, err error) { - return d.writeGeneric(p) -} -func (d *Digest) read(out []byte) (n int, err error) { - return d.readGeneric(out) -} -func (d *Digest) sum(b []byte) []byte { - return d.sumGeneric(b) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_arm64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_arm64.s deleted file mode 100644 index 7688d178d51..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_arm64.s +++ /dev/null @@ -1,165 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func keccakF1600NEON(a *[200]byte) -TEXT ·keccakF1600NEON(SB), $200-8 - MOVD a+0(FP), R0 - MOVD $round_consts<>(SB), R1 - MOVD $24, R2 // counter for loop - - VLD1.P 16(R0), [V0.D1, V1.D1] - VLD1.P 16(R0), [V2.D1, V3.D1] - VLD1.P 16(R0), [V4.D1, V5.D1] - VLD1.P 16(R0), [V6.D1, V7.D1] - VLD1.P 16(R0), [V8.D1, V9.D1] - VLD1.P 16(R0), [V10.D1, V11.D1] - VLD1.P 16(R0), [V12.D1, V13.D1] - VLD1.P 16(R0), [V14.D1, V15.D1] - VLD1.P 16(R0), [V16.D1, V17.D1] - VLD1.P 16(R0), [V18.D1, V19.D1] - VLD1.P 16(R0), [V20.D1, V21.D1] - VLD1.P 16(R0), [V22.D1, V23.D1] - VLD1 (R0), [V24.D1] - - SUB $192, R0, R0 - -loop: - // theta - VEOR3 V20.B16, V15.B16, V10.B16, V25.B16 - VEOR3 V21.B16, V16.B16, V11.B16, V26.B16 - VEOR3 V22.B16, V17.B16, V12.B16, V27.B16 - VEOR3 V23.B16, V18.B16, V13.B16, V28.B16 - VEOR3 V24.B16, V19.B16, V14.B16, V29.B16 - VEOR3 V25.B16, V5.B16, V0.B16, V25.B16 - VEOR3 V26.B16, V6.B16, V1.B16, V26.B16 - VEOR3 V27.B16, V7.B16, V2.B16, V27.B16 - VEOR3 V28.B16, V8.B16, V3.B16, V28.B16 - VEOR3 V29.B16, V9.B16, V4.B16, V29.B16 - - VRAX1 V27.D2, V25.D2, V30.D2 - VRAX1 V28.D2, V26.D2, V31.D2 - VRAX1 V29.D2, V27.D2, V27.D2 - VRAX1 V25.D2, V28.D2, V28.D2 - VRAX1 V26.D2, V29.D2, V29.D2 - - // theta and rho and Pi - VEOR V29.B16, V0.B16, V0.B16 - - VXAR $63, V30.D2, V1.D2, V25.D2 - - VXAR $20, V30.D2, V6.D2, V1.D2 - VXAR $44, V28.D2, V9.D2, V6.D2 - VXAR $3, V31.D2, V22.D2, V9.D2 - VXAR $25, V28.D2, V14.D2, V22.D2 - VXAR $46, V29.D2, V20.D2, V14.D2 - - VXAR $2, V31.D2, V2.D2, V26.D2 - - VXAR $21, V31.D2, V12.D2, V2.D2 - VXAR $39, V27.D2, V13.D2, V12.D2 - VXAR $56, V28.D2, V19.D2, V13.D2 - VXAR $8, V27.D2, V23.D2, V19.D2 - VXAR $23, V29.D2, V15.D2, V23.D2 - - VXAR $37, V28.D2, V4.D2, V15.D2 - - VXAR $50, V28.D2, V24.D2, V28.D2 - VXAR $62, V30.D2, V21.D2, V24.D2 - VXAR $9, V27.D2, V8.D2, V8.D2 - VXAR $19, V30.D2, V16.D2, V4.D2 - VXAR $28, V29.D2, V5.D2, V16.D2 - - VXAR $36, V27.D2, V3.D2, V5.D2 - - VXAR $43, V27.D2, V18.D2, V27.D2 - VXAR $49, V31.D2, V17.D2, V3.D2 - VXAR $54, V30.D2, V11.D2, V30.D2 - VXAR $58, V31.D2, V7.D2, V31.D2 - VXAR $61, V29.D2, V10.D2, V29.D2 - - // chi and iota - VBCAX V8.B16, V22.B16, V26.B16, V20.B16 - VBCAX V22.B16, V23.B16, V8.B16, V21.B16 - VBCAX V23.B16, V24.B16, V22.B16, V22.B16 - VBCAX V24.B16, V26.B16, V23.B16, V23.B16 - VBCAX V26.B16, V8.B16, V24.B16, V24.B16 - - VLD1R.P 8(R1), [V26.D2] - - VBCAX V3.B16, V19.B16, V30.B16, V17.B16 - VBCAX V19.B16, V15.B16, V3.B16, V18.B16 - VBCAX V15.B16, V16.B16, V19.B16, V19.B16 - VBCAX V16.B16, V30.B16, V15.B16, V15.B16 - VBCAX V30.B16, V3.B16, V16.B16, V16.B16 - - VBCAX V31.B16, V12.B16, V25.B16, V10.B16 - VBCAX V12.B16, V13.B16, V31.B16, V11.B16 - VBCAX V13.B16, V14.B16, V12.B16, V12.B16 - VBCAX V14.B16, V25.B16, V13.B16, V13.B16 - VBCAX V25.B16, V31.B16, V14.B16, V14.B16 - - VBCAX V4.B16, V9.B16, V29.B16, V7.B16 - VBCAX V9.B16, V5.B16, V4.B16, V8.B16 - VBCAX V5.B16, V6.B16, V9.B16, V9.B16 - VBCAX V6.B16, V29.B16, V5.B16, V5.B16 - VBCAX V29.B16, V4.B16, V6.B16, V6.B16 - - VBCAX V28.B16, V0.B16, V27.B16, V3.B16 - VBCAX V0.B16, V1.B16, V28.B16, V4.B16 - - VBCAX V1.B16, V2.B16, V0.B16, V0.B16 // iota (chi part) - - VBCAX V2.B16, V27.B16, V1.B16, V1.B16 - VBCAX V27.B16, V28.B16, V2.B16, V2.B16 - - VEOR V26.B16, V0.B16, V0.B16 // iota - - SUB $1, R2, R2 - CBNZ R2, loop - - VST1.P [V0.D1, V1.D1], 16(R0) - VST1.P [V2.D1, V3.D1], 16(R0) - VST1.P [V4.D1, V5.D1], 16(R0) - VST1.P [V6.D1, V7.D1], 16(R0) - VST1.P [V8.D1, V9.D1], 16(R0) - VST1.P [V10.D1, V11.D1], 16(R0) - VST1.P [V12.D1, V13.D1], 16(R0) - VST1.P [V14.D1, V15.D1], 16(R0) - VST1.P [V16.D1, V17.D1], 16(R0) - VST1.P [V18.D1, V19.D1], 16(R0) - VST1.P [V20.D1, V21.D1], 16(R0) - VST1.P [V22.D1, V23.D1], 16(R0) - VST1 [V24.D1], (R0) - - RET - -DATA round_consts<>+0x00(SB)/8, $0x0000000000000001 -DATA round_consts<>+0x08(SB)/8, $0x0000000000008082 -DATA round_consts<>+0x10(SB)/8, $0x800000000000808a -DATA round_consts<>+0x18(SB)/8, $0x8000000080008000 -DATA round_consts<>+0x20(SB)/8, $0x000000000000808b -DATA round_consts<>+0x28(SB)/8, $0x0000000080000001 -DATA round_consts<>+0x30(SB)/8, $0x8000000080008081 -DATA round_consts<>+0x38(SB)/8, $0x8000000000008009 -DATA round_consts<>+0x40(SB)/8, $0x000000000000008a -DATA round_consts<>+0x48(SB)/8, $0x0000000000000088 -DATA round_consts<>+0x50(SB)/8, $0x0000000080008009 -DATA round_consts<>+0x58(SB)/8, $0x000000008000000a -DATA round_consts<>+0x60(SB)/8, $0x000000008000808b -DATA round_consts<>+0x68(SB)/8, $0x800000000000008b -DATA round_consts<>+0x70(SB)/8, $0x8000000000008089 -DATA round_consts<>+0x78(SB)/8, $0x8000000000008003 -DATA round_consts<>+0x80(SB)/8, $0x8000000000008002 -DATA round_consts<>+0x88(SB)/8, $0x8000000000000080 -DATA round_consts<>+0x90(SB)/8, $0x000000000000800a -DATA round_consts<>+0x98(SB)/8, $0x800000008000000a -DATA round_consts<>+0xA0(SB)/8, $0x8000000080008081 -DATA round_consts<>+0xA8(SB)/8, $0x8000000000008080 -DATA round_consts<>+0xB0(SB)/8, $0x0000000080000001 -DATA round_consts<>+0xB8(SB)/8, $0x8000000080008008 -GLOBL round_consts<>(SB), NOPTR|RODATA, $192 diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_noasm.go deleted file mode 100644 index 1ce3edfb6fe..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_noasm.go +++ /dev/null @@ -1,21 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!amd64 && !arm64 && !s390x) || purego - -package sha3 - -func keccakF1600(a *[200]byte) { - keccakF1600Generic(a) -} - -func (d *Digest) write(p []byte) (n int, err error) { - return d.writeGeneric(p) -} -func (d *Digest) read(out []byte) (n int, err error) { - return d.readGeneric(out) -} -func (d *Digest) sum(b []byte) []byte { - return d.sumGeneric(b) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_s390x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_s390x.go deleted file mode 100644 index 0afc9b9aa1e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_s390x.go +++ /dev/null @@ -1,196 +0,0 @@ -// Copyright 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package sha3 - -import ( - "crypto/internal/fips140/subtle" - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -// This file contains code for using the 'compute intermediate -// message digest' (KIMD) and 'compute last message digest' (KLMD) -// instructions to compute SHA-3 and SHAKE hashes on IBM Z. See -// [z/Architecture Principles of Operation, Fourteen Edition]. -// -// [z/Architecture Principles of Operation, Fourteen Edition]: https://www.ibm.com/docs/en/module_1678991624569/pdf/SA22-7832-13.pdf - -var useSHA3 = cpu.S390XHasSHA3 - -func init() { - // CP Assist for Cryptographic Functions (CPACF) - impl.Register("sha3", "CPACF", &useSHA3) -} - -func keccakF1600(a *[200]byte) { - keccakF1600Generic(a) -} - -// codes represent 7-bit KIMD/KLMD function codes as defined in -// the Principles of Operation. -type code uint64 - -const ( - // Function codes for KIMD/KLMD, from Figure 7-207. - sha3_224 code = 32 - sha3_256 code = 33 - sha3_384 code = 34 - sha3_512 code = 35 - shake_128 code = 36 - shake_256 code = 37 - nopad = 0x100 -) - -// kimd is a wrapper for the 'compute intermediate message digest' instruction. -// src is absorbed into the sponge state a. -// len(src) must be a multiple of the rate for the given function code. -// -//go:noescape -func kimd(function code, a *[200]byte, src []byte) - -// klmd is a wrapper for the 'compute last message digest' instruction. -// src is padded and absorbed into the sponge state a. -// -// If the function is a SHAKE XOF, the sponge is then optionally squeezed into -// dst by first applying the permutation and then copying the output until dst -// runs out. If len(dst) is a multiple of rate (including zero), the final -// permutation is not applied. If the nopad bit of function is set and len(src) -// is zero, only squeezing is performed. -// -//go:noescape -func klmd(function code, a *[200]byte, dst, src []byte) - -func (d *Digest) write(p []byte) (n int, err error) { - if d.state != spongeAbsorbing { - panic("sha3: Write after Read") - } - if !useSHA3 { - return d.writeGeneric(p) - } - - n = len(p) - - // If there is buffered input in the state, keep XOR'ing. - if d.n > 0 { - x := subtle.XORBytes(d.a[d.n:d.rate], d.a[d.n:d.rate], p) - d.n += x - p = p[x:] - } - - // If the sponge is full, apply the permutation. - if d.n == d.rate { - // Absorbing a "rate"ful of zeroes effectively XORs the state with - // zeroes (a no-op) and then runs the permutation. The actual function - // doesn't matter, they all run the same permutation. - kimd(shake_128, &d.a, make([]byte, rateK256)) - d.n = 0 - } - - // Absorb full blocks with KIMD. - if len(p) >= d.rate { - wholeBlocks := len(p) / d.rate * d.rate - kimd(d.function(), &d.a, p[:wholeBlocks]) - p = p[wholeBlocks:] - } - - // If there is any trailing input, XOR it into the state. - if len(p) > 0 { - d.n += subtle.XORBytes(d.a[d.n:d.rate], d.a[d.n:d.rate], p) - } - - return -} - -func (d *Digest) sum(b []byte) []byte { - if d.state != spongeAbsorbing { - panic("sha3: Sum after Read") - } - if !useSHA3 || d.dsbyte != dsbyteSHA3 && d.dsbyte != dsbyteShake { - return d.sumGeneric(b) - } - - // Copy the state to preserve the original. - a := d.a - - // We "absorb" a buffer of zeroes as long as the amount of input we already - // XOR'd into the sponge, to skip over it. The max cap is specified to avoid - // an allocation. - buf := make([]byte, d.n, rateK256) - function := d.function() - switch function { - case sha3_224, sha3_256, sha3_384, sha3_512: - klmd(function, &a, nil, buf) - return append(b, a[:d.outputLen]...) - case shake_128, shake_256: - h := make([]byte, d.outputLen, 64) - klmd(function, &a, h, buf) - return append(b, h...) - default: - panic("sha3: unknown function") - } -} - -func (d *Digest) read(out []byte) (n int, err error) { - if !useSHA3 || d.dsbyte != dsbyteShake { - return d.readGeneric(out) - } - - n = len(out) - - if d.state == spongeAbsorbing { - d.state = spongeSqueezing - - // We "absorb" a buffer of zeroes as long as the amount of input we - // already XOR'd into the sponge, to skip over it. The max cap is - // specified to avoid an allocation. - buf := make([]byte, d.n, rateK256) - klmd(d.function(), &d.a, out, buf) - } else { - // We have "buffered" output still to copy. - if d.n < d.rate { - x := copy(out, d.a[d.n:d.rate]) - d.n += x - out = out[x:] - } - if len(out) == 0 { - return - } - - klmd(d.function()|nopad, &d.a, out, nil) - } - - if len(out)%d.rate == 0 { - // The final permutation was not performed, - // so there is no "buffered" output. - d.n = d.rate - } else { - d.n = len(out) % d.rate - } - - return -} - -func (d *Digest) function() code { - switch d.rate { - case rateK256: - return shake_128 - case rateK448: - return sha3_224 - case rateK512: - if d.dsbyte == dsbyteSHA3 { - return sha3_256 - } else { - return shake_256 - } - case rateK768: - return sha3_384 - case rateK1024: - return sha3_512 - default: - panic("invalid rate") - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_s390x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_s390x.s deleted file mode 100644 index 0ce277160e7..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/sha3_s390x.s +++ /dev/null @@ -1,32 +0,0 @@ -// Copyright 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func kimd(function code, a *[200]byte, src []byte) -TEXT ·kimd(SB), NOFRAME|NOSPLIT, $0-40 - MOVD function+0(FP), R0 - MOVD a+8(FP), R1 - LMG src+16(FP), R2, R3 // R2=base, R3=len - -continue: - KIMD R0, R2 - BVS continue // continue if interrupted - MOVD $0, R0 // reset R0 for pre-go1.8 compilers - RET - -// func klmd(function code, a *[200]byte, dst, src []byte) -TEXT ·klmd(SB), NOFRAME|NOSPLIT, $0-64 - MOVD function+0(FP), R0 - MOVD a+8(FP), R1 - LMG dst+16(FP), R2, R3 // R2=base, R3=len - LMG src+40(FP), R4, R5 // R4=base, R5=len - -continue: - KLMD R2, R4 - BVS continue // continue if interrupted - MOVD $0, R0 // reset R0 for pre-go1.8 compilers - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/shake.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/shake.go deleted file mode 100644 index fc5a60a1303..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/shake.go +++ /dev/null @@ -1,151 +0,0 @@ -// Copyright 2014 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package sha3 - -import ( - "bytes" - "crypto/internal/fips140" - "crypto/internal/fips140deps/byteorder" - "errors" - "math/bits" -) - -type SHAKE struct { - d Digest // SHA-3 state context and Read/Write operations - - // initBlock is the cSHAKE specific initialization set of bytes. It is initialized - // by newCShake function and stores concatenation of N followed by S, encoded - // by the method specified in 3.3 of [1]. - // It is stored here in order for Reset() to be able to put context into - // initial state. - initBlock []byte -} - -func bytepad(data []byte, rate int) []byte { - out := make([]byte, 0, 9+len(data)+rate-1) - out = append(out, leftEncode(uint64(rate))...) - out = append(out, data...) - if padlen := rate - len(out)%rate; padlen < rate { - out = append(out, make([]byte, padlen)...) - } - return out -} - -func leftEncode(x uint64) []byte { - // Let n be the smallest positive integer for which 2^(8n) > x. - n := (bits.Len64(x) + 7) / 8 - if n == 0 { - n = 1 - } - // Return n || x with n as a byte and x an n bytes in big-endian order. - b := make([]byte, 9) - byteorder.BEPutUint64(b[1:], x) - b = b[9-n-1:] - b[0] = byte(n) - return b -} - -func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) *SHAKE { - c := &SHAKE{d: Digest{rate: rate, outputLen: outputLen, dsbyte: dsbyte}} - c.initBlock = make([]byte, 0, 9+len(N)+9+len(S)) // leftEncode returns max 9 bytes - c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...) - c.initBlock = append(c.initBlock, N...) - c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...) - c.initBlock = append(c.initBlock, S...) - c.Write(bytepad(c.initBlock, c.d.rate)) - return c -} - -func (s *SHAKE) BlockSize() int { return s.d.BlockSize() } -func (s *SHAKE) Size() int { return s.d.Size() } - -// Sum appends a portion of output to b and returns the resulting slice. The -// output length is selected to provide full-strength generic security: 32 bytes -// for SHAKE128 and 64 bytes for SHAKE256. It does not change the underlying -// state. It panics if any output has already been read. -func (s *SHAKE) Sum(in []byte) []byte { return s.d.Sum(in) } - -// Write absorbs more data into the hash's state. -// It panics if any output has already been read. -func (s *SHAKE) Write(p []byte) (n int, err error) { return s.d.Write(p) } - -func (s *SHAKE) Read(out []byte) (n int, err error) { - fips140.RecordApproved() - // Note that read is not exposed on Digest since SHA-3 does not offer - // variable output length. It is only used internally by Sum. - return s.d.read(out) -} - -// Reset resets the hash to initial state. -func (s *SHAKE) Reset() { - s.d.Reset() - if len(s.initBlock) != 0 { - s.Write(bytepad(s.initBlock, s.d.rate)) - } -} - -// Clone returns a copy of the SHAKE context in its current state. -func (s *SHAKE) Clone() *SHAKE { - ret := *s - return &ret -} - -func (s *SHAKE) MarshalBinary() ([]byte, error) { - return s.AppendBinary(make([]byte, 0, marshaledSize+len(s.initBlock))) -} - -func (s *SHAKE) AppendBinary(b []byte) ([]byte, error) { - b, err := s.d.AppendBinary(b) - if err != nil { - return nil, err - } - b = append(b, s.initBlock...) - return b, nil -} - -func (s *SHAKE) UnmarshalBinary(b []byte) error { - if len(b) < marshaledSize { - return errors.New("sha3: invalid hash state") - } - if err := s.d.UnmarshalBinary(b[:marshaledSize]); err != nil { - return err - } - s.initBlock = bytes.Clone(b[marshaledSize:]) - return nil -} - -// NewShake128 creates a new SHAKE128 XOF. -func NewShake128() *SHAKE { - return &SHAKE{d: Digest{rate: rateK256, outputLen: 32, dsbyte: dsbyteShake}} -} - -// NewShake256 creates a new SHAKE256 XOF. -func NewShake256() *SHAKE { - return &SHAKE{d: Digest{rate: rateK512, outputLen: 64, dsbyte: dsbyteShake}} -} - -// NewCShake128 creates a new cSHAKE128 XOF. -// -// N is used to define functions based on cSHAKE, it can be empty when plain -// cSHAKE is desired. S is a customization byte string used for domain -// separation. When N and S are both empty, this is equivalent to NewShake128. -func NewCShake128(N, S []byte) *SHAKE { - if len(N) == 0 && len(S) == 0 { - return NewShake128() - } - return newCShake(N, S, rateK256, 32, dsbyteCShake) -} - -// NewCShake256 creates a new cSHAKE256 XOF. -// -// N is used to define functions based on cSHAKE, it can be empty when plain -// cSHAKE is desired. S is a customization byte string used for domain -// separation. When N and S are both empty, this is equivalent to NewShake256. -func NewCShake256(N, S []byte) *SHAKE { - if len(N) == 0 && len(S) == 0 { - return NewShake256() - } - return newCShake(N, S, rateK512, 64, dsbyteCShake) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/ya.make deleted file mode 100644 index 089cb7c6d7a..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha3/ya.make +++ /dev/null @@ -1,37 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - hashes.go - keccakf.go - sha3.go - sha3_arm64.go - sha3_arm64.s - shake.go - ) -ELSEIF (OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - hashes.go - keccakf.go - sha3.go - sha3_amd64.go - sha3_amd64.s - shake.go - ) -ELSEIF (OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - hashes.go - keccakf.go - sha3.go - sha3_noasm.go - shake.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/_asm/go.mod b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/_asm/go.mod deleted file mode 100644 index 78b953258b6..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/_asm/go.mod +++ /dev/null @@ -1,11 +0,0 @@ -module crypto/sha512/_asm - -go 1.24 - -require github.com/mmcloughlin/avo v0.6.0 - -require ( - golang.org/x/mod v0.20.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/tools v0.24.0 // indirect -) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/_asm/go.sum b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/_asm/go.sum deleted file mode 100644 index 76af484b2eb..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/_asm/go.sum +++ /dev/null @@ -1,8 +0,0 @@ -github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY= -github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= -golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= -golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= -golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/_asm/sha512block_amd64_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/_asm/sha512block_amd64_asm.go deleted file mode 100644 index 7e7572cb1ee..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/_asm/sha512block_amd64_asm.go +++ /dev/null @@ -1,1403 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package main - -import ( - "os" - - . "github.com/mmcloughlin/avo/build" - . "github.com/mmcloughlin/avo/operand" - . "github.com/mmcloughlin/avo/reg" -) - -//go:generate go run . -out ../sha512block_amd64.s - -// SHA512 block routine. See sha512block.go for Go equivalent. -// -// The algorithm is detailed in FIPS 180-4: -// -// https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf -// -// Wt = Mt; for 0 <= t <= 15 -// Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 79 -// -// a = H0 -// b = H1 -// c = H2 -// d = H3 -// e = H4 -// f = H5 -// g = H6 -// h = H7 -// -// for t = 0 to 79 { -// T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt -// T2 = BIGSIGMA0(a) + Maj(a,b,c) -// h = g -// g = f -// f = e -// e = d + T1 -// d = c -// c = b -// b = a -// a = T1 + T2 -// } -// -// H0 = a + H0 -// H1 = b + H1 -// H2 = c + H2 -// H3 = d + H3 -// H4 = e + H4 -// H5 = f + H5 -// H6 = g + H6 -// H7 = h + H7 - -const ThatPeskyUnicodeDot = "\u00b7" - -var _K = []uint64{ - 0x428a2f98d728ae22, - 0x7137449123ef65cd, - 0xb5c0fbcfec4d3b2f, - 0xe9b5dba58189dbbc, - 0x3956c25bf348b538, - 0x59f111f1b605d019, - 0x923f82a4af194f9b, - 0xab1c5ed5da6d8118, - 0xd807aa98a3030242, - 0x12835b0145706fbe, - 0x243185be4ee4b28c, - 0x550c7dc3d5ffb4e2, - 0x72be5d74f27b896f, - 0x80deb1fe3b1696b1, - 0x9bdc06a725c71235, - 0xc19bf174cf692694, - 0xe49b69c19ef14ad2, - 0xefbe4786384f25e3, - 0x0fc19dc68b8cd5b5, - 0x240ca1cc77ac9c65, - 0x2de92c6f592b0275, - 0x4a7484aa6ea6e483, - 0x5cb0a9dcbd41fbd4, - 0x76f988da831153b5, - 0x983e5152ee66dfab, - 0xa831c66d2db43210, - 0xb00327c898fb213f, - 0xbf597fc7beef0ee4, - 0xc6e00bf33da88fc2, - 0xd5a79147930aa725, - 0x06ca6351e003826f, - 0x142929670a0e6e70, - 0x27b70a8546d22ffc, - 0x2e1b21385c26c926, - 0x4d2c6dfc5ac42aed, - 0x53380d139d95b3df, - 0x650a73548baf63de, - 0x766a0abb3c77b2a8, - 0x81c2c92e47edaee6, - 0x92722c851482353b, - 0xa2bfe8a14cf10364, - 0xa81a664bbc423001, - 0xc24b8b70d0f89791, - 0xc76c51a30654be30, - 0xd192e819d6ef5218, - 0xd69906245565a910, - 0xf40e35855771202a, - 0x106aa07032bbd1b8, - 0x19a4c116b8d2d0c8, - 0x1e376c085141ab53, - 0x2748774cdf8eeb99, - 0x34b0bcb5e19b48a8, - 0x391c0cb3c5c95a63, - 0x4ed8aa4ae3418acb, - 0x5b9cca4f7763e373, - 0x682e6ff3d6b2b8a3, - 0x748f82ee5defb2fc, - 0x78a5636f43172f60, - 0x84c87814a1f0ab72, - 0x8cc702081a6439ec, - 0x90befffa23631e28, - 0xa4506cebde82bde9, - 0xbef9a3f7b2c67915, - 0xc67178f2e372532b, - 0xca273eceea26619c, - 0xd186b8c721c0c207, - 0xeada7dd6cde0eb1e, - 0xf57d4f7fee6ed178, - 0x06f067aa72176fba, - 0x0a637dc5a2c898a6, - 0x113f9804bef90dae, - 0x1b710b35131c471b, - 0x28db77f523047d84, - 0x32caab7b40c72493, - 0x3c9ebe0a15c9bebc, - 0x431d67c49c100d4c, - 0x4cc5d4becb3e42b6, - 0x597f299cfc657e2a, - 0x5fcb6fab3ad6faec, - 0x6c44198c4a475817, -} - -func main() { - // https://github.com/mmcloughlin/avo/issues/450 - os.Setenv("GOOS", "linux") - os.Setenv("GOARCH", "amd64") - - Package("crypto/internal/fips140/sha512") - ConstraintExpr("!purego") - blockAVX2() - Generate() -} - -// Version below is based on "Fast SHA512 Implementations on Intel -// Architecture Processors" White-paper -// https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/fast-sha512-implementations-ia-processors-paper.pdf -// AVX2 version by Intel, same algorithm in Linux kernel: -// https://github.com/torvalds/linux/blob/master/arch/x86/crypto/sha512-avx2-asm.S - -// James Guilford <[email protected]> -// Kirk Yap <[email protected]> -// Tim Chen <[email protected]> -// David Cote <[email protected]> -// Aleksey Sidorov <[email protected]> - -// Line 289 -var ( - YFER_SIZE int = (4 * 8) - SRND_SIZE = (1 * 8) - INP_SIZE = (1 * 8) - - frame_YFER = (0) - frame_SRND = (frame_YFER + YFER_SIZE) - frame_INP = (frame_SRND + SRND_SIZE) - frame_INPEND = (frame_INP + INP_SIZE) -) - -// Line 298 -func addm(p1 Mem, p2 GPPhysical) { - ADDQ(p1, p2) - MOVQ(p2, p1) -} - -// Line 302 -func COPY_YMM_AND_BSWAP(p1 VecPhysical, p2 Mem, p3 VecPhysical) { - VMOVDQU(p2, p1) - VPSHUFB(p3, p1, p1) -} - -// Line 306 -func MY_VPALIGNR(YDST, YSRC1, YSRC2 VecPhysical, RVAL int) { - VPERM2F128(U8(0x3), YSRC2, YSRC1, YDST) - VPALIGNR(U8(RVAL), YSRC2, YDST, YDST) -} - -// Line 324 -func blockAVX2() { - Implement("blockAVX2") - Attributes(NOSPLIT) - AllocLocal(56) - - Load(Param("dig"), RSI) - Load(Param("p").Base(), RDI) - Load(Param("p").Len(), RDX) - - SHRQ(Imm(7), RDX) - SHLQ(Imm(7), RDX) - - JZ(LabelRef("done_hash")) - ADDQ(RDI, RDX) - MOVQ(RDX, Mem{Base: SP}.Offset(frame_INPEND)) - - MOVQ(Mem{Base: SI}.Offset(0*8), RAX) - MOVQ(Mem{Base: SI}.Offset(1*8), RBX) - MOVQ(Mem{Base: SI}.Offset(2*8), RCX) - MOVQ(Mem{Base: SI}.Offset(3*8), R8) - MOVQ(Mem{Base: SI}.Offset(4*8), RDX) - MOVQ(Mem{Base: SI}.Offset(5*8), R9) - MOVQ(Mem{Base: SI}.Offset(6*8), R10) - MOVQ(Mem{Base: SI}.Offset(7*8), R11) - - PSHUFFLE_BYTE_FLIP_MASK := PSHUFFLE_BYTE_FLIP_MASK_DATA() - VMOVDQU(PSHUFFLE_BYTE_FLIP_MASK, Y9) - - loop0() - loop1() - loop2() - done_hash() -} - -// Line 347 -func loop0() { - Label("loop0") - - _K := NewDataAddr(Symbol{Name: "$" + ThatPeskyUnicodeDot + "_K"}, 0) - MOVQ(_K, RBP) - - // byte swap first 16 dwords - COPY_YMM_AND_BSWAP(Y4, Mem{Base: DI}.Offset(0*32), Y9) - COPY_YMM_AND_BSWAP(Y5, Mem{Base: DI}.Offset(1*32), Y9) - COPY_YMM_AND_BSWAP(Y6, Mem{Base: DI}.Offset(2*32), Y9) - COPY_YMM_AND_BSWAP(Y7, Mem{Base: DI}.Offset(3*32), Y9) - - MOVQ(RDI, Mem{Base: SP}.Offset(frame_INP)) - - // schedule 64 input dwords, by doing 12 rounds of 4 each - MOVQ(U32(4), Mem{Base: SP}.Offset(frame_SRND)) -} - -// Line 361 -func loop1() { - Label("loop1") - VPADDQ(Mem{Base: BP}, Y4, Y0) - VMOVDQU(Y0, Mem{Base: SP}.Offset(frame_YFER)) - - MY_VPALIGNR(Y0, Y7, Y6, 8) - - VPADDQ(Y4, Y0, Y0) - - MY_VPALIGNR(Y1, Y5, Y4, 8) - - VPSRLQ(Imm(1), Y1, Y2) - VPSLLQ(Imm(64-1), Y1, Y3) - VPOR(Y2, Y3, Y3) - - VPSRLQ(Imm(7), Y1, Y8) - - MOVQ(RAX, RDI) - RORXQ(Imm(41), RDX, R13) - RORXQ(Imm(18), RDX, R14) - ADDQ(Mem{Base: SP}.Offset(frame_YFER), R11) - ORQ(RCX, RDI) - MOVQ(R9, R15) - RORXQ(Imm(34), RAX, R12) - - XORQ(R14, R13) - XORQ(R10, R15) - RORXQ(Imm(14), RDX, R14) - - ANDQ(RDX, R15) - XORQ(R14, R13) - RORXQ(Imm(39), RAX, R14) - ADDQ(R11, R8) - - ANDQ(RBX, RDI) - XORQ(R12, R14) - RORXQ(Imm(28), RAX, R12) - - XORQ(R10, R15) - XORQ(R12, R14) - MOVQ(RAX, R12) - ANDQ(RCX, R12) - - ADDQ(R13, R15) - ORQ(R12, RDI) - ADDQ(R14, R11) - - ADDQ(R15, R8) - - ADDQ(R15, R11) - ADDQ(RDI, R11) - - VPSRLQ(Imm(8), Y1, Y2) - VPSLLQ(Imm(64-8), Y1, Y1) - VPOR(Y2, Y1, Y1) - - VPXOR(Y8, Y3, Y3) - VPXOR(Y1, Y3, Y1) - - VPADDQ(Y1, Y0, Y0) - - VPERM2F128(Imm(0x0), Y0, Y0, Y4) - - MASK_YMM_LO := MASK_YMM_LO_DATA() - VPAND(MASK_YMM_LO, Y0, Y0) - - VPERM2F128(Imm(0x11), Y7, Y7, Y2) - VPSRLQ(Imm(6), Y2, Y8) - - MOVQ(R11, RDI) - RORXQ(Imm(41), R8, R13) - RORXQ(Imm(18), R8, R14) - ADDQ(Mem{Base: SP}.Offset(1*8+frame_YFER), R10) - ORQ(RBX, RDI) - - MOVQ(RDX, R15) - RORXQ(Imm(34), R11, R12) - XORQ(R14, R13) - XORQ(R9, R15) - - RORXQ(Imm(14), R8, R14) - XORQ(R14, R13) - RORXQ(Imm(39), R11, R14) - ANDQ(R8, R15) - ADDQ(R10, RCX) - - ANDQ(RAX, RDI) - XORQ(R12, R14) - - RORXQ(Imm(28), R11, R12) - XORQ(R9, R15) - - XORQ(R12, R14) - MOVQ(R11, R12) - ANDQ(RBX, R12) - ADDQ(R13, R15) - - ORQ(R12, RDI) - ADDQ(R14, R10) - - ADDQ(R15, RCX) - ADDQ(R15, R10) - ADDQ(RDI, R10) - - VPSRLQ(Imm(19), Y2, Y3) - VPSLLQ(Imm(64-19), Y2, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - VPSRLQ(Imm(61), Y2, Y3) - VPSLLQ(Imm(64-61), Y2, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - - VPADDQ(Y8, Y4, Y4) - - VPSRLQ(Imm(6), Y4, Y8) - - MOVQ(R10, RDI) - RORXQ(Imm(41), RCX, R13) - ADDQ(Mem{Base: SP}.Offset(2*8+frame_YFER), R9) - - RORXQ(Imm(18), RCX, R14) - ORQ(RAX, RDI) - MOVQ(R8, R15) - XORQ(RDX, R15) - - RORXQ(Imm(34), R10, R12) - XORQ(R14, R13) - ANDQ(RCX, R15) - - RORXQ(Imm(14), RCX, R14) - ADDQ(R9, RBX) - ANDQ(R11, RDI) - - XORQ(R14, R13) - RORXQ(Imm(39), R10, R14) - XORQ(RDX, R15) - - XORQ(R12, R14) - RORXQ(Imm(28), R10, R12) - - XORQ(R12, R14) - MOVQ(R10, R12) - ANDQ(RAX, R12) - ADDQ(R13, R15) - - ORQ(R12, RDI) - ADDQ(R14, R9) - ADDQ(R15, RBX) - ADDQ(R15, R9) - - ADDQ(RDI, R9) - - VPSRLQ(Imm(19), Y4, Y3) - VPSLLQ(Imm(64-19), Y4, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - VPSRLQ(Imm(61), Y4, Y3) - VPSLLQ(Imm(64-61), Y4, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - - VPADDQ(Y8, Y0, Y2) - - VPBLENDD(Imm(0xF0), Y2, Y4, Y4) - - MOVQ(R9, RDI) - RORXQ(Imm(41), RBX, R13) - RORXQ(Imm(18), RBX, R14) - ADDQ(Mem{Base: SP}.Offset(3*8+frame_YFER), RDX) - ORQ(R11, RDI) - - MOVQ(RCX, R15) - RORXQ(Imm(34), R9, R12) - XORQ(R14, R13) - XORQ(R8, R15) - - RORXQ(Imm(14), RBX, R14) - ANDQ(RBX, R15) - ADDQ(RDX, RAX) - ANDQ(R10, RDI) - - XORQ(R14, R13) - XORQ(R8, R15) - - RORXQ(Imm(39), R9, R14) - ADDQ(R13, R15) - - XORQ(R12, R14) - ADDQ(R15, RAX) - - RORXQ(Imm(28), R9, R12) - - XORQ(R12, R14) - MOVQ(R9, R12) - ANDQ(R11, R12) - ORQ(R12, RDI) - - ADDQ(R14, RDX) - ADDQ(R15, RDX) - ADDQ(RDI, RDX) - - VPADDQ(Mem{Base: BP}.Offset(1*32), Y5, Y0) - VMOVDQU(Y0, Mem{Base: SP}.Offset(frame_YFER)) - - MY_VPALIGNR(Y0, Y4, Y7, 8) - - VPADDQ(Y5, Y0, Y0) - - MY_VPALIGNR(Y1, Y6, Y5, 8) - - VPSRLQ(Imm(1), Y1, Y2) - VPSLLQ(Imm(64-1), Y1, Y3) - VPOR(Y2, Y3, Y3) - - VPSRLQ(Imm(7), Y1, Y8) - - MOVQ(RDX, RDI) - RORXQ(Imm(41), RAX, R13) - RORXQ(Imm(18), RAX, R14) - ADDQ(Mem{Base: SP}.Offset(frame_YFER), R8) - ORQ(R10, RDI) - MOVQ(RBX, R15) - RORXQ(Imm(34), RDX, R12) - - XORQ(R14, R13) - XORQ(RCX, R15) - RORXQ(Imm(14), RAX, R14) - - ANDQ(RAX, R15) - XORQ(R14, R13) - RORXQ(Imm(39), RDX, R14) - ADDQ(R8, R11) - - ANDQ(R9, RDI) - XORQ(R12, R14) - RORXQ(Imm(28), RDX, R12) - - XORQ(RCX, R15) - XORQ(R12, R14) - MOVQ(RDX, R12) - ANDQ(R10, R12) - - ADDQ(R13, R15) - ORQ(R12, RDI) - ADDQ(R14, R8) - - ADDQ(R15, R11) - - ADDQ(R15, R8) - ADDQ(RDI, R8) - - VPSRLQ(Imm(8), Y1, Y2) - VPSLLQ(Imm(64-8), Y1, Y1) - VPOR(Y2, Y1, Y1) - - VPXOR(Y8, Y3, Y3) - VPXOR(Y1, Y3, Y1) - - VPADDQ(Y1, Y0, Y0) - - VPERM2F128(Imm(0x0), Y0, Y0, Y5) - - VPAND(MASK_YMM_LO, Y0, Y0) - - VPERM2F128(Imm(0x11), Y4, Y4, Y2) - VPSRLQ(Imm(6), Y2, Y8) - - MOVQ(R8, RDI) - RORXQ(Imm(41), R11, R13) - RORXQ(Imm(18), R11, R14) - ADDQ(Mem{Base: SP}.Offset(1*8+frame_YFER), RCX) - ORQ(R9, RDI) - - MOVQ(RAX, R15) - RORXQ(Imm(34), R8, R12) - XORQ(R14, R13) - XORQ(RBX, R15) - - RORXQ(Imm(14), R11, R14) - XORQ(R14, R13) - RORXQ(Imm(39), R8, R14) - ANDQ(R11, R15) - ADDQ(RCX, R10) - - ANDQ(RDX, RDI) - XORQ(R12, R14) - - RORXQ(Imm(28), R8, R12) - XORQ(RBX, R15) - - XORQ(R12, R14) - MOVQ(R8, R12) - ANDQ(R9, R12) - ADDQ(R13, R15) - - ORQ(R12, RDI) - ADDQ(R14, RCX) - - ADDQ(R15, R10) - ADDQ(R15, RCX) - ADDQ(RDI, RCX) - - VPSRLQ(Imm(19), Y2, Y3) - VPSLLQ(Imm(64-19), Y2, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - VPSRLQ(Imm(61), Y2, Y3) - VPSLLQ(Imm(64-61), Y2, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - - VPADDQ(Y8, Y5, Y5) - - VPSRLQ(Imm(6), Y5, Y8) - - MOVQ(RCX, RDI) - RORXQ(Imm(41), R10, R13) - ADDQ(Mem{Base: SP}.Offset(2*8+frame_YFER), RBX) - - RORXQ(Imm(18), R10, R14) - ORQ(RDX, RDI) - MOVQ(R11, R15) - XORQ(RAX, R15) - - RORXQ(Imm(34), RCX, R12) - XORQ(R14, R13) - ANDQ(R10, R15) - - RORXQ(Imm(14), R10, R14) - ADDQ(RBX, R9) - ANDQ(R8, RDI) - - XORQ(R14, R13) - RORXQ(Imm(39), RCX, R14) - XORQ(RAX, R15) - - XORQ(R12, R14) - RORXQ(Imm(28), RCX, R12) - - XORQ(R12, R14) - MOVQ(RCX, R12) - ANDQ(RDX, R12) - ADDQ(R13, R15) - - ORQ(R12, RDI) - ADDQ(R14, RBX) - ADDQ(R15, R9) - ADDQ(R15, RBX) - - ADDQ(RDI, RBX) - - VPSRLQ(Imm(19), Y5, Y3) - VPSLLQ(Imm(64-19), Y5, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - VPSRLQ(Imm(61), Y5, Y3) - VPSLLQ(Imm(64-61), Y5, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - - VPADDQ(Y8, Y0, Y2) - - VPBLENDD(Imm(0xF0), Y2, Y5, Y5) - - MOVQ(RBX, RDI) - RORXQ(Imm(41), R9, R13) - RORXQ(Imm(18), R9, R14) - ADDQ(Mem{Base: SP}.Offset(3*8+frame_YFER), RAX) - ORQ(R8, RDI) - - MOVQ(R10, R15) - RORXQ(Imm(34), RBX, R12) - XORQ(R14, R13) - XORQ(R11, R15) - - RORXQ(Imm(14), R9, R14) - ANDQ(R9, R15) - ADDQ(RAX, RDX) - ANDQ(RCX, RDI) - - XORQ(R14, R13) - XORQ(R11, R15) - - RORXQ(Imm(39), RBX, R14) - ADDQ(R13, R15) - - XORQ(R12, R14) - ADDQ(R15, RDX) - - RORXQ(Imm(28), RBX, R12) - - XORQ(R12, R14) - MOVQ(RBX, R12) - ANDQ(R8, R12) - ORQ(R12, RDI) - - ADDQ(R14, RAX) - ADDQ(R15, RAX) - ADDQ(RDI, RAX) - - VPADDQ(Mem{Base: BP}.Offset(2*32), Y6, Y0) - VMOVDQU(Y0, Mem{Base: SP}.Offset(frame_YFER)) - - MY_VPALIGNR(Y0, Y5, Y4, 8) - - VPADDQ(Y6, Y0, Y0) - - MY_VPALIGNR(Y1, Y7, Y6, 8) - - VPSRLQ(Imm(1), Y1, Y2) - VPSLLQ(Imm(64-1), Y1, Y3) - VPOR(Y2, Y3, Y3) - - VPSRLQ(Imm(7), Y1, Y8) - - MOVQ(RAX, RDI) - RORXQ(Imm(41), RDX, R13) - RORXQ(Imm(18), RDX, R14) - ADDQ(Mem{Base: SP}.Offset(frame_YFER), R11) - ORQ(RCX, RDI) - MOVQ(R9, R15) - RORXQ(Imm(34), RAX, R12) - - XORQ(R14, R13) - XORQ(R10, R15) - RORXQ(Imm(14), RDX, R14) - - ANDQ(RDX, R15) - XORQ(R14, R13) - RORXQ(Imm(39), RAX, R14) - ADDQ(R11, R8) - - ANDQ(RBX, RDI) - XORQ(R12, R14) - RORXQ(Imm(28), RAX, R12) - - XORQ(R10, R15) - XORQ(R12, R14) - MOVQ(RAX, R12) - ANDQ(RCX, R12) - - ADDQ(R13, R15) - ORQ(R12, RDI) - ADDQ(R14, R11) - - ADDQ(R15, R8) - - ADDQ(R15, R11) - ADDQ(RDI, R11) - - VPSRLQ(Imm(8), Y1, Y2) - VPSLLQ(Imm(64-8), Y1, Y1) - VPOR(Y2, Y1, Y1) - - VPXOR(Y8, Y3, Y3) - VPXOR(Y1, Y3, Y1) - - VPADDQ(Y1, Y0, Y0) - - VPERM2F128(Imm(0x0), Y0, Y0, Y6) - - VPAND(MASK_YMM_LO, Y0, Y0) - - VPERM2F128(Imm(0x11), Y5, Y5, Y2) - VPSRLQ(Imm(6), Y2, Y8) - - MOVQ(R11, RDI) - RORXQ(Imm(41), R8, R13) - RORXQ(Imm(18), R8, R14) - ADDQ(Mem{Base: SP}.Offset(1*8+frame_YFER), R10) - ORQ(RBX, RDI) - - MOVQ(RDX, R15) - RORXQ(Imm(34), R11, R12) - XORQ(R14, R13) - XORQ(R9, R15) - - RORXQ(Imm(14), R8, R14) - XORQ(R14, R13) - RORXQ(Imm(39), R11, R14) - ANDQ(R8, R15) - ADDQ(R10, RCX) - - ANDQ(RAX, RDI) - XORQ(R12, R14) - - RORXQ(Imm(28), R11, R12) - XORQ(R9, R15) - - XORQ(R12, R14) - MOVQ(R11, R12) - ANDQ(RBX, R12) - ADDQ(R13, R15) - - ORQ(R12, RDI) - ADDQ(R14, R10) - - ADDQ(R15, RCX) - ADDQ(R15, R10) - ADDQ(RDI, R10) - - VPSRLQ(Imm(19), Y2, Y3) - VPSLLQ(Imm(64-19), Y2, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - VPSRLQ(Imm(61), Y2, Y3) - VPSLLQ(Imm(64-61), Y2, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - - VPADDQ(Y8, Y6, Y6) - - VPSRLQ(Imm(6), Y6, Y8) - - MOVQ(R10, RDI) - RORXQ(Imm(41), RCX, R13) - ADDQ(Mem{Base: SP}.Offset(2*8+frame_YFER), R9) - - RORXQ(Imm(18), RCX, R14) - ORQ(RAX, RDI) - MOVQ(R8, R15) - XORQ(RDX, R15) - - RORXQ(Imm(34), R10, R12) - XORQ(R14, R13) - ANDQ(RCX, R15) - - RORXQ(Imm(14), RCX, R14) - ADDQ(R9, RBX) - ANDQ(R11, RDI) - - XORQ(R14, R13) - RORXQ(Imm(39), R10, R14) - XORQ(RDX, R15) - - XORQ(R12, R14) - RORXQ(Imm(28), R10, R12) - - XORQ(R12, R14) - MOVQ(R10, R12) - ANDQ(RAX, R12) - ADDQ(R13, R15) - - ORQ(R12, RDI) - ADDQ(R14, R9) - ADDQ(R15, RBX) - ADDQ(R15, R9) - - ADDQ(RDI, R9) - - VPSRLQ(Imm(19), Y6, Y3) - VPSLLQ(Imm(64-19), Y6, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - VPSRLQ(Imm(61), Y6, Y3) - VPSLLQ(Imm(64-61), Y6, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - - VPADDQ(Y8, Y0, Y2) - - VPBLENDD(Imm(0xF0), Y2, Y6, Y6) - - MOVQ(R9, RDI) - RORXQ(Imm(41), RBX, R13) - RORXQ(Imm(18), RBX, R14) - ADDQ(Mem{Base: SP}.Offset(3*8+frame_YFER), RDX) - ORQ(R11, RDI) - - MOVQ(RCX, R15) - RORXQ(Imm(34), R9, R12) - XORQ(R14, R13) - XORQ(R8, R15) - - RORXQ(Imm(14), RBX, R14) - ANDQ(RBX, R15) - ADDQ(RDX, RAX) - ANDQ(R10, RDI) - - XORQ(R14, R13) - XORQ(R8, R15) - - RORXQ(Imm(39), R9, R14) - ADDQ(R13, R15) - - XORQ(R12, R14) - ADDQ(R15, RAX) - - RORXQ(Imm(28), R9, R12) - - XORQ(R12, R14) - MOVQ(R9, R12) - ANDQ(R11, R12) - ORQ(R12, RDI) - - ADDQ(R14, RDX) - ADDQ(R15, RDX) - ADDQ(RDI, RDX) - - VPADDQ(Mem{Base: BP}.Offset(3*32), Y7, Y0) - VMOVDQU(Y0, Mem{Base: SP}.Offset(frame_YFER)) - ADDQ(U8(4*32), RBP) - - MY_VPALIGNR(Y0, Y6, Y5, 8) - - VPADDQ(Y7, Y0, Y0) - - MY_VPALIGNR(Y1, Y4, Y7, 8) - - VPSRLQ(Imm(1), Y1, Y2) - VPSLLQ(Imm(64-1), Y1, Y3) - VPOR(Y2, Y3, Y3) - - VPSRLQ(Imm(7), Y1, Y8) - - MOVQ(RDX, RDI) - RORXQ(Imm(41), RAX, R13) - RORXQ(Imm(18), RAX, R14) - ADDQ(Mem{Base: SP}.Offset(frame_YFER), R8) - ORQ(R10, RDI) - MOVQ(RBX, R15) - RORXQ(Imm(34), RDX, R12) - - XORQ(R14, R13) - XORQ(RCX, R15) - RORXQ(Imm(14), RAX, R14) - - ANDQ(RAX, R15) - XORQ(R14, R13) - RORXQ(Imm(39), RDX, R14) - ADDQ(R8, R11) - - ANDQ(R9, RDI) - XORQ(R12, R14) - RORXQ(Imm(28), RDX, R12) - - XORQ(RCX, R15) - XORQ(R12, R14) - MOVQ(RDX, R12) - ANDQ(R10, R12) - - ADDQ(R13, R15) - ORQ(R12, RDI) - ADDQ(R14, R8) - - ADDQ(R15, R11) - - ADDQ(R15, R8) - ADDQ(RDI, R8) - - VPSRLQ(Imm(8), Y1, Y2) - VPSLLQ(Imm(64-8), Y1, Y1) - VPOR(Y2, Y1, Y1) - - VPXOR(Y8, Y3, Y3) - VPXOR(Y1, Y3, Y1) - - VPADDQ(Y1, Y0, Y0) - - VPERM2F128(Imm(0x0), Y0, Y0, Y7) - - VPAND(MASK_YMM_LO, Y0, Y0) - - VPERM2F128(Imm(0x11), Y6, Y6, Y2) - VPSRLQ(Imm(6), Y2, Y8) - - MOVQ(R8, RDI) - RORXQ(Imm(41), R11, R13) - RORXQ(Imm(18), R11, R14) - ADDQ(Mem{Base: SP}.Offset(1*8+frame_YFER), RCX) - ORQ(R9, RDI) - - MOVQ(RAX, R15) - RORXQ(Imm(34), R8, R12) - XORQ(R14, R13) - XORQ(RBX, R15) - - RORXQ(Imm(14), R11, R14) - XORQ(R14, R13) - RORXQ(Imm(39), R8, R14) - ANDQ(R11, R15) - ADDQ(RCX, R10) - - ANDQ(RDX, RDI) - XORQ(R12, R14) - - RORXQ(Imm(28), R8, R12) - XORQ(RBX, R15) - - XORQ(R12, R14) - MOVQ(R8, R12) - ANDQ(R9, R12) - ADDQ(R13, R15) - - ORQ(R12, RDI) - ADDQ(R14, RCX) - - ADDQ(R15, R10) - ADDQ(R15, RCX) - ADDQ(RDI, RCX) - - VPSRLQ(Imm(19), Y2, Y3) - VPSLLQ(Imm(64-19), Y2, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - VPSRLQ(Imm(61), Y2, Y3) - VPSLLQ(Imm(64-61), Y2, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - - VPADDQ(Y8, Y7, Y7) - - VPSRLQ(Imm(6), Y7, Y8) - - MOVQ(RCX, RDI) - RORXQ(Imm(41), R10, R13) - ADDQ(Mem{Base: SP}.Offset(2*8+frame_YFER), RBX) - - RORXQ(Imm(18), R10, R14) - ORQ(RDX, RDI) - MOVQ(R11, R15) - XORQ(RAX, R15) - - RORXQ(Imm(34), RCX, R12) - XORQ(R14, R13) - ANDQ(R10, R15) - - RORXQ(Imm(14), R10, R14) - ADDQ(RBX, R9) - ANDQ(R8, RDI) - - XORQ(R14, R13) - RORXQ(Imm(39), RCX, R14) - XORQ(RAX, R15) - - XORQ(R12, R14) - RORXQ(Imm(28), RCX, R12) - - XORQ(R12, R14) - MOVQ(RCX, R12) - ANDQ(RDX, R12) - ADDQ(R13, R15) - - ORQ(R12, RDI) - ADDQ(R14, RBX) - ADDQ(R15, R9) - ADDQ(R15, RBX) - - ADDQ(RDI, RBX) - - VPSRLQ(Imm(19), Y7, Y3) - VPSLLQ(Imm(64-19), Y7, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - VPSRLQ(Imm(61), Y7, Y3) - VPSLLQ(Imm(64-61), Y7, Y1) - VPOR(Y1, Y3, Y3) - VPXOR(Y3, Y8, Y8) - - VPADDQ(Y8, Y0, Y2) - - VPBLENDD(Imm(0xF0), Y2, Y7, Y7) - - MOVQ(RBX, RDI) - RORXQ(Imm(41), R9, R13) - RORXQ(Imm(18), R9, R14) - ADDQ(Mem{Base: SP}.Offset(3*8+frame_YFER), RAX) - ORQ(R8, RDI) - - MOVQ(R10, R15) - RORXQ(Imm(34), RBX, R12) - XORQ(R14, R13) - XORQ(R11, R15) - - RORXQ(Imm(14), R9, R14) - ANDQ(R9, R15) - ADDQ(RAX, RDX) - ANDQ(RCX, RDI) - - XORQ(R14, R13) - XORQ(R11, R15) - - RORXQ(Imm(39), RBX, R14) - ADDQ(R13, R15) - - XORQ(R12, R14) - ADDQ(R15, RDX) - - RORXQ(Imm(28), RBX, R12) - - XORQ(R12, R14) - MOVQ(RBX, R12) - ANDQ(R8, R12) - ORQ(R12, RDI) - - ADDQ(R14, RAX) - ADDQ(R15, RAX) - ADDQ(RDI, RAX) - - SUBQ(Imm(1), Mem{Base: SP}.Offset(frame_SRND)) - JNE(LabelRef("loop1")) - - MOVQ(U32(2), Mem{Base: SP}.Offset(frame_SRND)) -} - -// Line 1164 -func loop2() { - Label("loop2") - VPADDQ(Mem{Base: BP}, Y4, Y0) - VMOVDQU(Y0, Mem{Base: SP}.Offset(frame_YFER)) - - MOVQ(R9, R15) - RORXQ(Imm(41), RDX, R13) - RORXQ(Imm(18), RDX, R14) - XORQ(R10, R15) - - XORQ(R14, R13) - RORXQ(Imm(14), RDX, R14) - ANDQ(RDX, R15) - - XORQ(R14, R13) - RORXQ(Imm(34), RAX, R12) - XORQ(R10, R15) - RORXQ(Imm(39), RAX, R14) - MOVQ(RAX, RDI) - - XORQ(R12, R14) - RORXQ(Imm(28), RAX, R12) - ADDQ(Mem{Base: SP}.Offset(frame_YFER), R11) - ORQ(RCX, RDI) - - XORQ(R12, R14) - MOVQ(RAX, R12) - ANDQ(RBX, RDI) - ANDQ(RCX, R12) - ADDQ(R13, R15) - - ADDQ(R11, R8) - ORQ(R12, RDI) - ADDQ(R14, R11) - - ADDQ(R15, R8) - - ADDQ(R15, R11) - MOVQ(RDX, R15) - RORXQ(Imm(41), R8, R13) - RORXQ(Imm(18), R8, R14) - XORQ(R9, R15) - - XORQ(R14, R13) - RORXQ(Imm(14), R8, R14) - ANDQ(R8, R15) - ADDQ(RDI, R11) - - XORQ(R14, R13) - RORXQ(Imm(34), R11, R12) - XORQ(R9, R15) - RORXQ(Imm(39), R11, R14) - MOVQ(R11, RDI) - - XORQ(R12, R14) - RORXQ(Imm(28), R11, R12) - ADDQ(Mem{Base: SP}.Offset(8*1+frame_YFER), R10) - ORQ(RBX, RDI) - - XORQ(R12, R14) - MOVQ(R11, R12) - ANDQ(RAX, RDI) - ANDQ(RBX, R12) - ADDQ(R13, R15) - - ADDQ(R10, RCX) - ORQ(R12, RDI) - ADDQ(R14, R10) - - ADDQ(R15, RCX) - - ADDQ(R15, R10) - MOVQ(R8, R15) - RORXQ(Imm(41), RCX, R13) - RORXQ(Imm(18), RCX, R14) - XORQ(RDX, R15) - - XORQ(R14, R13) - RORXQ(Imm(14), RCX, R14) - ANDQ(RCX, R15) - ADDQ(RDI, R10) - - XORQ(R14, R13) - RORXQ(Imm(34), R10, R12) - XORQ(RDX, R15) - RORXQ(Imm(39), R10, R14) - MOVQ(R10, RDI) - - XORQ(R12, R14) - RORXQ(Imm(28), R10, R12) - ADDQ(Mem{Base: SP}.Offset(8*2+frame_YFER), R9) - ORQ(RAX, RDI) - - XORQ(R12, R14) - MOVQ(R10, R12) - ANDQ(R11, RDI) - ANDQ(RAX, R12) - ADDQ(R13, R15) - - ADDQ(R9, RBX) - ORQ(R12, RDI) - ADDQ(R14, R9) - - ADDQ(R15, RBX) - - ADDQ(R15, R9) - MOVQ(RCX, R15) - RORXQ(Imm(41), RBX, R13) - RORXQ(Imm(18), RBX, R14) - XORQ(R8, R15) - - XORQ(R14, R13) - RORXQ(Imm(14), RBX, R14) - ANDQ(RBX, R15) - ADDQ(RDI, R9) - - XORQ(R14, R13) - RORXQ(Imm(34), R9, R12) - XORQ(R8, R15) - RORXQ(Imm(39), R9, R14) - MOVQ(R9, RDI) - - XORQ(R12, R14) - RORXQ(Imm(28), R9, R12) - ADDQ(Mem{Base: SP}.Offset(8*3+frame_YFER), RDX) - ORQ(R11, RDI) - - XORQ(R12, R14) - MOVQ(R9, R12) - ANDQ(R10, RDI) - ANDQ(R11, R12) - ADDQ(R13, R15) - - ADDQ(RDX, RAX) - ORQ(R12, RDI) - ADDQ(R14, RDX) - - ADDQ(R15, RAX) - - ADDQ(R15, RDX) - - ADDQ(RDI, RDX) - - VPADDQ(Mem{Base: BP}.Offset(1*32), Y5, Y0) - VMOVDQU(Y0, Mem{Base: SP}.Offset(frame_YFER)) - ADDQ(U8(2*32), RBP) - - MOVQ(RBX, R15) - RORXQ(Imm(41), RAX, R13) - RORXQ(Imm(18), RAX, R14) - XORQ(RCX, R15) - - XORQ(R14, R13) - RORXQ(Imm(14), RAX, R14) - ANDQ(RAX, R15) - - XORQ(R14, R13) - RORXQ(Imm(34), RDX, R12) - XORQ(RCX, R15) - RORXQ(Imm(39), RDX, R14) - MOVQ(RDX, RDI) - - XORQ(R12, R14) - RORXQ(Imm(28), RDX, R12) - ADDQ(Mem{Base: SP}.Offset(frame_YFER), R8) - ORQ(R10, RDI) - - XORQ(R12, R14) - MOVQ(RDX, R12) - ANDQ(R9, RDI) - ANDQ(R10, R12) - ADDQ(R13, R15) - - ADDQ(R8, R11) - ORQ(R12, RDI) - ADDQ(R14, R8) - - ADDQ(R15, R11) - - ADDQ(R15, R8) - MOVQ(RAX, R15) - RORXQ(Imm(41), R11, R13) - RORXQ(Imm(18), R11, R14) - XORQ(RBX, R15) - - XORQ(R14, R13) - RORXQ(Imm(14), R11, R14) - ANDQ(R11, R15) - ADDQ(RDI, R8) - - XORQ(R14, R13) - RORXQ(Imm(34), R8, R12) - XORQ(RBX, R15) - RORXQ(Imm(39), R8, R14) - MOVQ(R8, RDI) - - XORQ(R12, R14) - RORXQ(Imm(28), R8, R12) - ADDQ(Mem{Base: SP}.Offset(8*1+frame_YFER), RCX) - ORQ(R9, RDI) - - XORQ(R12, R14) - MOVQ(R8, R12) - ANDQ(RDX, RDI) - ANDQ(R9, R12) - ADDQ(R13, R15) - - ADDQ(RCX, R10) - ORQ(R12, RDI) - ADDQ(R14, RCX) - - ADDQ(R15, R10) - - ADDQ(R15, RCX) - MOVQ(R11, R15) - RORXQ(Imm(41), R10, R13) - RORXQ(Imm(18), R10, R14) - XORQ(RAX, R15) - - XORQ(R14, R13) - RORXQ(Imm(14), R10, R14) - ANDQ(R10, R15) - ADDQ(RDI, RCX) - - XORQ(R14, R13) - RORXQ(Imm(34), RCX, R12) - XORQ(RAX, R15) - RORXQ(Imm(39), RCX, R14) - MOVQ(RCX, RDI) - - XORQ(R12, R14) - RORXQ(Imm(28), RCX, R12) - ADDQ(Mem{Base: SP}.Offset(8*2+frame_YFER), RBX) - ORQ(RDX, RDI) - - XORQ(R12, R14) - MOVQ(RCX, R12) - ANDQ(R8, RDI) - ANDQ(RDX, R12) - ADDQ(R13, R15) - - ADDQ(RBX, R9) - ORQ(R12, RDI) - ADDQ(R14, RBX) - - ADDQ(R15, R9) - - ADDQ(R15, RBX) - MOVQ(R10, R15) - RORXQ(Imm(41), R9, R13) - RORXQ(Imm(18), R9, R14) - XORQ(R11, R15) - - XORQ(R14, R13) - RORXQ(Imm(14), R9, R14) - ANDQ(R9, R15) - ADDQ(RDI, RBX) - - XORQ(R14, R13) - RORXQ(Imm(34), RBX, R12) - XORQ(R11, R15) - RORXQ(Imm(39), RBX, R14) - MOVQ(RBX, RDI) - - XORQ(R12, R14) - RORXQ(Imm(28), RBX, R12) - ADDQ(Mem{Base: SP}.Offset(8*3+frame_YFER), RAX) - ORQ(R8, RDI) - - XORQ(R12, R14) - MOVQ(RBX, R12) - ANDQ(RCX, RDI) - ANDQ(R8, R12) - ADDQ(R13, R15) - - ADDQ(RAX, RDX) - ORQ(R12, RDI) - ADDQ(R14, RAX) - - ADDQ(R15, RDX) - - ADDQ(R15, RAX) - - ADDQ(RDI, RAX) - - VMOVDQU(Y6, Y4) - VMOVDQU(Y7, Y5) - - SUBQ(Imm(1), Mem{Base: SP}.Offset(frame_SRND)) - JNE(LabelRef("loop2")) - - addm(Mem{Base: SI}.Offset(8*0), RAX) - addm(Mem{Base: SI}.Offset(8*1), RBX) - addm(Mem{Base: SI}.Offset(8*2), RCX) - addm(Mem{Base: SI}.Offset(8*3), R8) - addm(Mem{Base: SI}.Offset(8*4), RDX) - addm(Mem{Base: SI}.Offset(8*5), R9) - addm(Mem{Base: SI}.Offset(8*6), R10) - addm(Mem{Base: SI}.Offset(8*7), R11) - - MOVQ(Mem{Base: SP}.Offset(frame_INP), RDI) - ADDQ(Imm(128), RDI) - CMPQ(RDI, Mem{Base: SP}.Offset(frame_INPEND)) - JNE(LabelRef("loop0")) -} - -// Line 1468 -func done_hash() { - Label("done_hash") - VZEROUPPER() - RET() -} - -// ##~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~DATA SECTION~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~## - -// Pointers for memoizing Data section symbols -var PSHUFFLE_BYTE_FLIP_MASK_DATA_ptr, MASK_YMM_LO_ptr *Mem - -// Line 310 -func PSHUFFLE_BYTE_FLIP_MASK_DATA() Mem { - if PSHUFFLE_BYTE_FLIP_MASK_DATA_ptr != nil { - return *PSHUFFLE_BYTE_FLIP_MASK_DATA_ptr - } - - PSHUFFLE_BYTE_FLIP_MASK_DATA := GLOBL("PSHUFFLE_BYTE_FLIP_MASK", NOPTR|RODATA) - PSHUFFLE_BYTE_FLIP_MASK_DATA_ptr = &PSHUFFLE_BYTE_FLIP_MASK_DATA - DATA(0x00, U64(0x0001020304050607)) - DATA(0x08, U64(0x08090a0b0c0d0e0f)) - DATA(0x10, U64(0x1011121314151617)) - DATA(0x18, U64(0x18191a1b1c1d1e1f)) - return PSHUFFLE_BYTE_FLIP_MASK_DATA -} - -// Line 317 -func MASK_YMM_LO_DATA() Mem { - if MASK_YMM_LO_ptr != nil { - return *MASK_YMM_LO_ptr - } - - MASK_YMM_LO := GLOBL("MASK_YMM_LO", NOPTR|RODATA) - MASK_YMM_LO_ptr = &MASK_YMM_LO - DATA(0x00, U64(0x0000000000000000)) - DATA(0x08, U64(0x0000000000000000)) - DATA(0x10, U64(0xFFFFFFFFFFFFFFFF)) - DATA(0x18, U64(0xFFFFFFFFFFFFFFFF)) - return MASK_YMM_LO -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/cast.go deleted file mode 100644 index 6feba3de090..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/cast.go +++ /dev/null @@ -1,36 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package sha512 - -import ( - "bytes" - "crypto/internal/fips140" - "errors" -) - -func init() { - fips140.CAST("SHA2-512", func() error { - input := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - } - want := []byte{ - 0xb4, 0xc4, 0xe0, 0x46, 0x82, 0x6b, 0xd2, 0x61, - 0x90, 0xd0, 0x97, 0x15, 0xfc, 0x31, 0xf4, 0xe6, - 0xa7, 0x28, 0x20, 0x4e, 0xad, 0xd1, 0x12, 0x90, - 0x5b, 0x08, 0xb1, 0x4b, 0x7f, 0x15, 0xc4, 0xf3, - 0x8e, 0x29, 0xb2, 0xfc, 0x54, 0x26, 0x5a, 0x12, - 0x63, 0x26, 0xc5, 0xbd, 0xea, 0x66, 0xc1, 0xb0, - 0x8e, 0x9e, 0x47, 0x72, 0x3b, 0x2d, 0x70, 0x06, - 0x5a, 0xc1, 0x26, 0x2e, 0xcc, 0x37, 0xbf, 0xb1, - } - h := New() - h.Write(input) - if got := h.Sum(nil); !bytes.Equal(got, want) { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512.go deleted file mode 100644 index 3e7a5e11f15..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512.go +++ /dev/null @@ -1,307 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package sha512 implements the SHA-384, SHA-512, SHA-512/224, and SHA-512/256 -// hash algorithms as defined in FIPS 180-4. -package sha512 - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140deps/byteorder" - "errors" - "hash" -) - -const ( - // size512 is the size, in bytes, of a SHA-512 checksum. - size512 = 64 - - // size224 is the size, in bytes, of a SHA-512/224 checksum. - size224 = 28 - - // size256 is the size, in bytes, of a SHA-512/256 checksum. - size256 = 32 - - // size384 is the size, in bytes, of a SHA-384 checksum. - size384 = 48 - - // blockSize is the block size, in bytes, of the SHA-512/224, - // SHA-512/256, SHA-384 and SHA-512 hash functions. - blockSize = 128 -) - -const ( - chunk = 128 - init0 = 0x6a09e667f3bcc908 - init1 = 0xbb67ae8584caa73b - init2 = 0x3c6ef372fe94f82b - init3 = 0xa54ff53a5f1d36f1 - init4 = 0x510e527fade682d1 - init5 = 0x9b05688c2b3e6c1f - init6 = 0x1f83d9abfb41bd6b - init7 = 0x5be0cd19137e2179 - init0_224 = 0x8c3d37c819544da2 - init1_224 = 0x73e1996689dcd4d6 - init2_224 = 0x1dfab7ae32ff9c82 - init3_224 = 0x679dd514582f9fcf - init4_224 = 0x0f6d2b697bd44da8 - init5_224 = 0x77e36f7304c48942 - init6_224 = 0x3f9d85a86a1d36c8 - init7_224 = 0x1112e6ad91d692a1 - init0_256 = 0x22312194fc2bf72c - init1_256 = 0x9f555fa3c84c64c2 - init2_256 = 0x2393b86b6f53b151 - init3_256 = 0x963877195940eabd - init4_256 = 0x96283ee2a88effe3 - init5_256 = 0xbe5e1e2553863992 - init6_256 = 0x2b0199fc2c85b8aa - init7_256 = 0x0eb72ddc81c52ca2 - init0_384 = 0xcbbb9d5dc1059ed8 - init1_384 = 0x629a292a367cd507 - init2_384 = 0x9159015a3070dd17 - init3_384 = 0x152fecd8f70e5939 - init4_384 = 0x67332667ffc00b31 - init5_384 = 0x8eb44a8768581511 - init6_384 = 0xdb0c2e0d64f98fa7 - init7_384 = 0x47b5481dbefa4fa4 -) - -// Digest is a SHA-384, SHA-512, SHA-512/224, or SHA-512/256 [hash.Hash] -// implementation. -type Digest struct { - h [8]uint64 - x [chunk]byte - nx int - len uint64 - size int // size224, size256, size384, or size512 -} - -func (d *Digest) Reset() { - switch d.size { - case size384: - d.h[0] = init0_384 - d.h[1] = init1_384 - d.h[2] = init2_384 - d.h[3] = init3_384 - d.h[4] = init4_384 - d.h[5] = init5_384 - d.h[6] = init6_384 - d.h[7] = init7_384 - case size224: - d.h[0] = init0_224 - d.h[1] = init1_224 - d.h[2] = init2_224 - d.h[3] = init3_224 - d.h[4] = init4_224 - d.h[5] = init5_224 - d.h[6] = init6_224 - d.h[7] = init7_224 - case size256: - d.h[0] = init0_256 - d.h[1] = init1_256 - d.h[2] = init2_256 - d.h[3] = init3_256 - d.h[4] = init4_256 - d.h[5] = init5_256 - d.h[6] = init6_256 - d.h[7] = init7_256 - case size512: - d.h[0] = init0 - d.h[1] = init1 - d.h[2] = init2 - d.h[3] = init3 - d.h[4] = init4 - d.h[5] = init5 - d.h[6] = init6 - d.h[7] = init7 - default: - panic("unknown size") - } - d.nx = 0 - d.len = 0 -} - -const ( - magic384 = "sha\x04" - magic512_224 = "sha\x05" - magic512_256 = "sha\x06" - magic512 = "sha\x07" - marshaledSize = len(magic512) + 8*8 + chunk + 8 -) - -func (d *Digest) MarshalBinary() ([]byte, error) { - return d.AppendBinary(make([]byte, 0, marshaledSize)) -} - -func (d *Digest) AppendBinary(b []byte) ([]byte, error) { - switch d.size { - case size384: - b = append(b, magic384...) - case size224: - b = append(b, magic512_224...) - case size256: - b = append(b, magic512_256...) - case size512: - b = append(b, magic512...) - default: - panic("unknown size") - } - b = byteorder.BEAppendUint64(b, d.h[0]) - b = byteorder.BEAppendUint64(b, d.h[1]) - b = byteorder.BEAppendUint64(b, d.h[2]) - b = byteorder.BEAppendUint64(b, d.h[3]) - b = byteorder.BEAppendUint64(b, d.h[4]) - b = byteorder.BEAppendUint64(b, d.h[5]) - b = byteorder.BEAppendUint64(b, d.h[6]) - b = byteorder.BEAppendUint64(b, d.h[7]) - b = append(b, d.x[:d.nx]...) - b = append(b, make([]byte, len(d.x)-d.nx)...) - b = byteorder.BEAppendUint64(b, d.len) - return b, nil -} - -func (d *Digest) UnmarshalBinary(b []byte) error { - if len(b) < len(magic512) { - return errors.New("crypto/sha512: invalid hash state identifier") - } - switch { - case d.size == size384 && string(b[:len(magic384)]) == magic384: - case d.size == size224 && string(b[:len(magic512_224)]) == magic512_224: - case d.size == size256 && string(b[:len(magic512_256)]) == magic512_256: - case d.size == size512 && string(b[:len(magic512)]) == magic512: - default: - return errors.New("crypto/sha512: invalid hash state identifier") - } - if len(b) != marshaledSize { - return errors.New("crypto/sha512: invalid hash state size") - } - b = b[len(magic512):] - b, d.h[0] = consumeUint64(b) - b, d.h[1] = consumeUint64(b) - b, d.h[2] = consumeUint64(b) - b, d.h[3] = consumeUint64(b) - b, d.h[4] = consumeUint64(b) - b, d.h[5] = consumeUint64(b) - b, d.h[6] = consumeUint64(b) - b, d.h[7] = consumeUint64(b) - b = b[copy(d.x[:], b):] - b, d.len = consumeUint64(b) - d.nx = int(d.len % chunk) - return nil -} - -func consumeUint64(b []byte) ([]byte, uint64) { - return b[8:], byteorder.BEUint64(b) -} - -func (d *Digest) Clone() (hash.Cloner, error) { - r := *d - return &r, nil -} - -// New returns a new Digest computing the SHA-512 hash. -func New() *Digest { - d := &Digest{size: size512} - d.Reset() - return d -} - -// New512_224 returns a new Digest computing the SHA-512/224 hash. -func New512_224() *Digest { - d := &Digest{size: size224} - d.Reset() - return d -} - -// New512_256 returns a new Digest computing the SHA-512/256 hash. -func New512_256() *Digest { - d := &Digest{size: size256} - d.Reset() - return d -} - -// New384 returns a new Digest computing the SHA-384 hash. -func New384() *Digest { - d := &Digest{size: size384} - d.Reset() - return d -} - -func (d *Digest) Size() int { - return d.size -} - -func (d *Digest) BlockSize() int { return blockSize } - -func (d *Digest) Write(p []byte) (nn int, err error) { - nn = len(p) - d.len += uint64(nn) - if d.nx > 0 { - n := copy(d.x[d.nx:], p) - d.nx += n - if d.nx == chunk { - block(d, d.x[:]) - d.nx = 0 - } - p = p[n:] - } - if len(p) >= chunk { - n := len(p) &^ (chunk - 1) - block(d, p[:n]) - p = p[n:] - } - if len(p) > 0 { - d.nx = copy(d.x[:], p) - } - return -} - -func (d *Digest) Sum(in []byte) []byte { - fips140.RecordApproved() - // Make a copy of d so that caller can keep writing and summing. - d0 := new(Digest) - *d0 = *d - hash := d0.checkSum() - return append(in, hash[:d.size]...) -} - -func (d *Digest) checkSum() [size512]byte { - // Padding. Add a 1 bit and 0 bits until 112 bytes mod 128. - len := d.len - var tmp [128 + 16]byte // padding + length buffer - tmp[0] = 0x80 - var t uint64 - if len%128 < 112 { - t = 112 - len%128 - } else { - t = 128 + 112 - len%128 - } - - // Length in bits. - len <<= 3 - padlen := tmp[:t+16] - // Upper 64 bits are always zero, because len variable has type uint64, - // and tmp is already zeroed at that index, so we can skip updating it. - // byteorder.BEPutUint64(padlen[t+0:], 0) - byteorder.BEPutUint64(padlen[t+8:], len) - d.Write(padlen) - - if d.nx != 0 { - panic("d.nx != 0") - } - - var digest [size512]byte - byteorder.BEPutUint64(digest[0:], d.h[0]) - byteorder.BEPutUint64(digest[8:], d.h[1]) - byteorder.BEPutUint64(digest[16:], d.h[2]) - byteorder.BEPutUint64(digest[24:], d.h[3]) - byteorder.BEPutUint64(digest[32:], d.h[4]) - byteorder.BEPutUint64(digest[40:], d.h[5]) - if d.size != size384 { - byteorder.BEPutUint64(digest[48:], d.h[6]) - byteorder.BEPutUint64(digest[56:], d.h[7]) - } - - return digest -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block.go deleted file mode 100644 index 517e8389f7e..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block.go +++ /dev/null @@ -1,144 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// SHA512 block step. -// In its own file so that a faster assembly or C version -// can be substituted easily. - -package sha512 - -import "math/bits" - -var _K = [...]uint64{ - 0x428a2f98d728ae22, - 0x7137449123ef65cd, - 0xb5c0fbcfec4d3b2f, - 0xe9b5dba58189dbbc, - 0x3956c25bf348b538, - 0x59f111f1b605d019, - 0x923f82a4af194f9b, - 0xab1c5ed5da6d8118, - 0xd807aa98a3030242, - 0x12835b0145706fbe, - 0x243185be4ee4b28c, - 0x550c7dc3d5ffb4e2, - 0x72be5d74f27b896f, - 0x80deb1fe3b1696b1, - 0x9bdc06a725c71235, - 0xc19bf174cf692694, - 0xe49b69c19ef14ad2, - 0xefbe4786384f25e3, - 0x0fc19dc68b8cd5b5, - 0x240ca1cc77ac9c65, - 0x2de92c6f592b0275, - 0x4a7484aa6ea6e483, - 0x5cb0a9dcbd41fbd4, - 0x76f988da831153b5, - 0x983e5152ee66dfab, - 0xa831c66d2db43210, - 0xb00327c898fb213f, - 0xbf597fc7beef0ee4, - 0xc6e00bf33da88fc2, - 0xd5a79147930aa725, - 0x06ca6351e003826f, - 0x142929670a0e6e70, - 0x27b70a8546d22ffc, - 0x2e1b21385c26c926, - 0x4d2c6dfc5ac42aed, - 0x53380d139d95b3df, - 0x650a73548baf63de, - 0x766a0abb3c77b2a8, - 0x81c2c92e47edaee6, - 0x92722c851482353b, - 0xa2bfe8a14cf10364, - 0xa81a664bbc423001, - 0xc24b8b70d0f89791, - 0xc76c51a30654be30, - 0xd192e819d6ef5218, - 0xd69906245565a910, - 0xf40e35855771202a, - 0x106aa07032bbd1b8, - 0x19a4c116b8d2d0c8, - 0x1e376c085141ab53, - 0x2748774cdf8eeb99, - 0x34b0bcb5e19b48a8, - 0x391c0cb3c5c95a63, - 0x4ed8aa4ae3418acb, - 0x5b9cca4f7763e373, - 0x682e6ff3d6b2b8a3, - 0x748f82ee5defb2fc, - 0x78a5636f43172f60, - 0x84c87814a1f0ab72, - 0x8cc702081a6439ec, - 0x90befffa23631e28, - 0xa4506cebde82bde9, - 0xbef9a3f7b2c67915, - 0xc67178f2e372532b, - 0xca273eceea26619c, - 0xd186b8c721c0c207, - 0xeada7dd6cde0eb1e, - 0xf57d4f7fee6ed178, - 0x06f067aa72176fba, - 0x0a637dc5a2c898a6, - 0x113f9804bef90dae, - 0x1b710b35131c471b, - 0x28db77f523047d84, - 0x32caab7b40c72493, - 0x3c9ebe0a15c9bebc, - 0x431d67c49c100d4c, - 0x4cc5d4becb3e42b6, - 0x597f299cfc657e2a, - 0x5fcb6fab3ad6faec, - 0x6c44198c4a475817, -} - -func blockGeneric(dig *Digest, p []byte) { - var w [80]uint64 - h0, h1, h2, h3, h4, h5, h6, h7 := dig.h[0], dig.h[1], dig.h[2], dig.h[3], dig.h[4], dig.h[5], dig.h[6], dig.h[7] - for len(p) >= chunk { - for i := 0; i < 16; i++ { - j := i * 8 - w[i] = uint64(p[j])<<56 | uint64(p[j+1])<<48 | uint64(p[j+2])<<40 | uint64(p[j+3])<<32 | - uint64(p[j+4])<<24 | uint64(p[j+5])<<16 | uint64(p[j+6])<<8 | uint64(p[j+7]) - } - for i := 16; i < 80; i++ { - v1 := w[i-2] - t1 := bits.RotateLeft64(v1, -19) ^ bits.RotateLeft64(v1, -61) ^ (v1 >> 6) - v2 := w[i-15] - t2 := bits.RotateLeft64(v2, -1) ^ bits.RotateLeft64(v2, -8) ^ (v2 >> 7) - - w[i] = t1 + w[i-7] + t2 + w[i-16] - } - - a, b, c, d, e, f, g, h := h0, h1, h2, h3, h4, h5, h6, h7 - - for i := 0; i < 80; i++ { - t1 := h + (bits.RotateLeft64(e, -14) ^ bits.RotateLeft64(e, -18) ^ bits.RotateLeft64(e, -41)) + ((e & f) ^ (^e & g)) + _K[i] + w[i] - - t2 := (bits.RotateLeft64(a, -28) ^ bits.RotateLeft64(a, -34) ^ bits.RotateLeft64(a, -39)) + ((a & b) ^ (a & c) ^ (b & c)) - - h = g - g = f - f = e - e = d + t1 - d = c - c = b - b = a - a = t1 + t2 - } - - h0 += a - h1 += b - h2 += c - h3 += d - h4 += e - h5 += f - h6 += g - h7 += h - - p = p[chunk:] - } - - dig.h[0], dig.h[1], dig.h[2], dig.h[3], dig.h[4], dig.h[5], dig.h[6], dig.h[7] = h0, h1, h2, h3, h4, h5, h6, h7 -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_amd64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_amd64.go deleted file mode 100644 index 7059b88716a..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_amd64.go +++ /dev/null @@ -1,29 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package sha512 - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -var useAVX2 = cpu.X86HasAVX && cpu.X86HasAVX2 && cpu.X86HasBMI2 - -func init() { - impl.Register("sha512", "AVX2", &useAVX2) -} - -//go:noescape -func blockAVX2(dig *Digest, p []byte) - -func block(dig *Digest, p []byte) { - if useAVX2 { - blockAVX2(dig, p) - } else { - blockGeneric(dig, p) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_amd64.s deleted file mode 100644 index e11d509ab4b..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_amd64.s +++ /dev/null @@ -1,904 +0,0 @@ -// Code generated by command: go run sha512block_amd64_asm.go -out ../sha512block_amd64.s. DO NOT EDIT. - -//go:build !purego - -#include "textflag.h" - -// func blockAVX2(dig *Digest, p []byte) -// Requires: AVX, AVX2, BMI2 -TEXT ·blockAVX2(SB), NOSPLIT, $56-32 - MOVQ dig+0(FP), SI - MOVQ p_base+8(FP), DI - MOVQ p_len+16(FP), DX - SHRQ $0x07, DX - SHLQ $0x07, DX - JZ done_hash - ADDQ DI, DX - MOVQ DX, 48(SP) - MOVQ (SI), AX - MOVQ 8(SI), BX - MOVQ 16(SI), CX - MOVQ 24(SI), R8 - MOVQ 32(SI), DX - MOVQ 40(SI), R9 - MOVQ 48(SI), R10 - MOVQ 56(SI), R11 - VMOVDQU PSHUFFLE_BYTE_FLIP_MASK<>+0(SB), Y9 - -loop0: - MOVQ $·_K+0(SB), BP - VMOVDQU (DI), Y4 - VPSHUFB Y9, Y4, Y4 - VMOVDQU 32(DI), Y5 - VPSHUFB Y9, Y5, Y5 - VMOVDQU 64(DI), Y6 - VPSHUFB Y9, Y6, Y6 - VMOVDQU 96(DI), Y7 - VPSHUFB Y9, Y7, Y7 - MOVQ DI, 40(SP) - MOVQ $0x00000004, 32(SP) - -loop1: - VPADDQ (BP), Y4, Y0 - VMOVDQU Y0, (SP) - VPERM2F128 $0x03, Y6, Y7, Y0 - VPALIGNR $0x08, Y6, Y0, Y0 - VPADDQ Y4, Y0, Y0 - VPERM2F128 $0x03, Y4, Y5, Y1 - VPALIGNR $0x08, Y4, Y1, Y1 - VPSRLQ $0x01, Y1, Y2 - VPSLLQ $0x3f, Y1, Y3 - VPOR Y2, Y3, Y3 - VPSRLQ $0x07, Y1, Y8 - MOVQ AX, DI - RORXQ $0x29, DX, R13 - RORXQ $0x12, DX, R14 - ADDQ (SP), R11 - ORQ CX, DI - MOVQ R9, R15 - RORXQ $0x22, AX, R12 - XORQ R14, R13 - XORQ R10, R15 - RORXQ $0x0e, DX, R14 - ANDQ DX, R15 - XORQ R14, R13 - RORXQ $0x27, AX, R14 - ADDQ R11, R8 - ANDQ BX, DI - XORQ R12, R14 - RORXQ $0x1c, AX, R12 - XORQ R10, R15 - XORQ R12, R14 - MOVQ AX, R12 - ANDQ CX, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, R11 - ADDQ R15, R8 - ADDQ R15, R11 - ADDQ DI, R11 - VPSRLQ $0x08, Y1, Y2 - VPSLLQ $0x38, Y1, Y1 - VPOR Y2, Y1, Y1 - VPXOR Y8, Y3, Y3 - VPXOR Y1, Y3, Y1 - VPADDQ Y1, Y0, Y0 - VPERM2F128 $0x00, Y0, Y0, Y4 - VPAND MASK_YMM_LO<>+0(SB), Y0, Y0 - VPERM2F128 $0x11, Y7, Y7, Y2 - VPSRLQ $0x06, Y2, Y8 - MOVQ R11, DI - RORXQ $0x29, R8, R13 - RORXQ $0x12, R8, R14 - ADDQ 8(SP), R10 - ORQ BX, DI - MOVQ DX, R15 - RORXQ $0x22, R11, R12 - XORQ R14, R13 - XORQ R9, R15 - RORXQ $0x0e, R8, R14 - XORQ R14, R13 - RORXQ $0x27, R11, R14 - ANDQ R8, R15 - ADDQ R10, CX - ANDQ AX, DI - XORQ R12, R14 - RORXQ $0x1c, R11, R12 - XORQ R9, R15 - XORQ R12, R14 - MOVQ R11, R12 - ANDQ BX, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, R10 - ADDQ R15, CX - ADDQ R15, R10 - ADDQ DI, R10 - VPSRLQ $0x13, Y2, Y3 - VPSLLQ $0x2d, Y2, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPSRLQ $0x3d, Y2, Y3 - VPSLLQ $0x03, Y2, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPADDQ Y8, Y4, Y4 - VPSRLQ $0x06, Y4, Y8 - MOVQ R10, DI - RORXQ $0x29, CX, R13 - ADDQ 16(SP), R9 - RORXQ $0x12, CX, R14 - ORQ AX, DI - MOVQ R8, R15 - XORQ DX, R15 - RORXQ $0x22, R10, R12 - XORQ R14, R13 - ANDQ CX, R15 - RORXQ $0x0e, CX, R14 - ADDQ R9, BX - ANDQ R11, DI - XORQ R14, R13 - RORXQ $0x27, R10, R14 - XORQ DX, R15 - XORQ R12, R14 - RORXQ $0x1c, R10, R12 - XORQ R12, R14 - MOVQ R10, R12 - ANDQ AX, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, R9 - ADDQ R15, BX - ADDQ R15, R9 - ADDQ DI, R9 - VPSRLQ $0x13, Y4, Y3 - VPSLLQ $0x2d, Y4, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPSRLQ $0x3d, Y4, Y3 - VPSLLQ $0x03, Y4, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPADDQ Y8, Y0, Y2 - VPBLENDD $0xf0, Y2, Y4, Y4 - MOVQ R9, DI - RORXQ $0x29, BX, R13 - RORXQ $0x12, BX, R14 - ADDQ 24(SP), DX - ORQ R11, DI - MOVQ CX, R15 - RORXQ $0x22, R9, R12 - XORQ R14, R13 - XORQ R8, R15 - RORXQ $0x0e, BX, R14 - ANDQ BX, R15 - ADDQ DX, AX - ANDQ R10, DI - XORQ R14, R13 - XORQ R8, R15 - RORXQ $0x27, R9, R14 - ADDQ R13, R15 - XORQ R12, R14 - ADDQ R15, AX - RORXQ $0x1c, R9, R12 - XORQ R12, R14 - MOVQ R9, R12 - ANDQ R11, R12 - ORQ R12, DI - ADDQ R14, DX - ADDQ R15, DX - ADDQ DI, DX - VPADDQ 32(BP), Y5, Y0 - VMOVDQU Y0, (SP) - VPERM2F128 $0x03, Y7, Y4, Y0 - VPALIGNR $0x08, Y7, Y0, Y0 - VPADDQ Y5, Y0, Y0 - VPERM2F128 $0x03, Y5, Y6, Y1 - VPALIGNR $0x08, Y5, Y1, Y1 - VPSRLQ $0x01, Y1, Y2 - VPSLLQ $0x3f, Y1, Y3 - VPOR Y2, Y3, Y3 - VPSRLQ $0x07, Y1, Y8 - MOVQ DX, DI - RORXQ $0x29, AX, R13 - RORXQ $0x12, AX, R14 - ADDQ (SP), R8 - ORQ R10, DI - MOVQ BX, R15 - RORXQ $0x22, DX, R12 - XORQ R14, R13 - XORQ CX, R15 - RORXQ $0x0e, AX, R14 - ANDQ AX, R15 - XORQ R14, R13 - RORXQ $0x27, DX, R14 - ADDQ R8, R11 - ANDQ R9, DI - XORQ R12, R14 - RORXQ $0x1c, DX, R12 - XORQ CX, R15 - XORQ R12, R14 - MOVQ DX, R12 - ANDQ R10, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, R8 - ADDQ R15, R11 - ADDQ R15, R8 - ADDQ DI, R8 - VPSRLQ $0x08, Y1, Y2 - VPSLLQ $0x38, Y1, Y1 - VPOR Y2, Y1, Y1 - VPXOR Y8, Y3, Y3 - VPXOR Y1, Y3, Y1 - VPADDQ Y1, Y0, Y0 - VPERM2F128 $0x00, Y0, Y0, Y5 - VPAND MASK_YMM_LO<>+0(SB), Y0, Y0 - VPERM2F128 $0x11, Y4, Y4, Y2 - VPSRLQ $0x06, Y2, Y8 - MOVQ R8, DI - RORXQ $0x29, R11, R13 - RORXQ $0x12, R11, R14 - ADDQ 8(SP), CX - ORQ R9, DI - MOVQ AX, R15 - RORXQ $0x22, R8, R12 - XORQ R14, R13 - XORQ BX, R15 - RORXQ $0x0e, R11, R14 - XORQ R14, R13 - RORXQ $0x27, R8, R14 - ANDQ R11, R15 - ADDQ CX, R10 - ANDQ DX, DI - XORQ R12, R14 - RORXQ $0x1c, R8, R12 - XORQ BX, R15 - XORQ R12, R14 - MOVQ R8, R12 - ANDQ R9, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, CX - ADDQ R15, R10 - ADDQ R15, CX - ADDQ DI, CX - VPSRLQ $0x13, Y2, Y3 - VPSLLQ $0x2d, Y2, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPSRLQ $0x3d, Y2, Y3 - VPSLLQ $0x03, Y2, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPADDQ Y8, Y5, Y5 - VPSRLQ $0x06, Y5, Y8 - MOVQ CX, DI - RORXQ $0x29, R10, R13 - ADDQ 16(SP), BX - RORXQ $0x12, R10, R14 - ORQ DX, DI - MOVQ R11, R15 - XORQ AX, R15 - RORXQ $0x22, CX, R12 - XORQ R14, R13 - ANDQ R10, R15 - RORXQ $0x0e, R10, R14 - ADDQ BX, R9 - ANDQ R8, DI - XORQ R14, R13 - RORXQ $0x27, CX, R14 - XORQ AX, R15 - XORQ R12, R14 - RORXQ $0x1c, CX, R12 - XORQ R12, R14 - MOVQ CX, R12 - ANDQ DX, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, BX - ADDQ R15, R9 - ADDQ R15, BX - ADDQ DI, BX - VPSRLQ $0x13, Y5, Y3 - VPSLLQ $0x2d, Y5, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPSRLQ $0x3d, Y5, Y3 - VPSLLQ $0x03, Y5, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPADDQ Y8, Y0, Y2 - VPBLENDD $0xf0, Y2, Y5, Y5 - MOVQ BX, DI - RORXQ $0x29, R9, R13 - RORXQ $0x12, R9, R14 - ADDQ 24(SP), AX - ORQ R8, DI - MOVQ R10, R15 - RORXQ $0x22, BX, R12 - XORQ R14, R13 - XORQ R11, R15 - RORXQ $0x0e, R9, R14 - ANDQ R9, R15 - ADDQ AX, DX - ANDQ CX, DI - XORQ R14, R13 - XORQ R11, R15 - RORXQ $0x27, BX, R14 - ADDQ R13, R15 - XORQ R12, R14 - ADDQ R15, DX - RORXQ $0x1c, BX, R12 - XORQ R12, R14 - MOVQ BX, R12 - ANDQ R8, R12 - ORQ R12, DI - ADDQ R14, AX - ADDQ R15, AX - ADDQ DI, AX - VPADDQ 64(BP), Y6, Y0 - VMOVDQU Y0, (SP) - VPERM2F128 $0x03, Y4, Y5, Y0 - VPALIGNR $0x08, Y4, Y0, Y0 - VPADDQ Y6, Y0, Y0 - VPERM2F128 $0x03, Y6, Y7, Y1 - VPALIGNR $0x08, Y6, Y1, Y1 - VPSRLQ $0x01, Y1, Y2 - VPSLLQ $0x3f, Y1, Y3 - VPOR Y2, Y3, Y3 - VPSRLQ $0x07, Y1, Y8 - MOVQ AX, DI - RORXQ $0x29, DX, R13 - RORXQ $0x12, DX, R14 - ADDQ (SP), R11 - ORQ CX, DI - MOVQ R9, R15 - RORXQ $0x22, AX, R12 - XORQ R14, R13 - XORQ R10, R15 - RORXQ $0x0e, DX, R14 - ANDQ DX, R15 - XORQ R14, R13 - RORXQ $0x27, AX, R14 - ADDQ R11, R8 - ANDQ BX, DI - XORQ R12, R14 - RORXQ $0x1c, AX, R12 - XORQ R10, R15 - XORQ R12, R14 - MOVQ AX, R12 - ANDQ CX, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, R11 - ADDQ R15, R8 - ADDQ R15, R11 - ADDQ DI, R11 - VPSRLQ $0x08, Y1, Y2 - VPSLLQ $0x38, Y1, Y1 - VPOR Y2, Y1, Y1 - VPXOR Y8, Y3, Y3 - VPXOR Y1, Y3, Y1 - VPADDQ Y1, Y0, Y0 - VPERM2F128 $0x00, Y0, Y0, Y6 - VPAND MASK_YMM_LO<>+0(SB), Y0, Y0 - VPERM2F128 $0x11, Y5, Y5, Y2 - VPSRLQ $0x06, Y2, Y8 - MOVQ R11, DI - RORXQ $0x29, R8, R13 - RORXQ $0x12, R8, R14 - ADDQ 8(SP), R10 - ORQ BX, DI - MOVQ DX, R15 - RORXQ $0x22, R11, R12 - XORQ R14, R13 - XORQ R9, R15 - RORXQ $0x0e, R8, R14 - XORQ R14, R13 - RORXQ $0x27, R11, R14 - ANDQ R8, R15 - ADDQ R10, CX - ANDQ AX, DI - XORQ R12, R14 - RORXQ $0x1c, R11, R12 - XORQ R9, R15 - XORQ R12, R14 - MOVQ R11, R12 - ANDQ BX, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, R10 - ADDQ R15, CX - ADDQ R15, R10 - ADDQ DI, R10 - VPSRLQ $0x13, Y2, Y3 - VPSLLQ $0x2d, Y2, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPSRLQ $0x3d, Y2, Y3 - VPSLLQ $0x03, Y2, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPADDQ Y8, Y6, Y6 - VPSRLQ $0x06, Y6, Y8 - MOVQ R10, DI - RORXQ $0x29, CX, R13 - ADDQ 16(SP), R9 - RORXQ $0x12, CX, R14 - ORQ AX, DI - MOVQ R8, R15 - XORQ DX, R15 - RORXQ $0x22, R10, R12 - XORQ R14, R13 - ANDQ CX, R15 - RORXQ $0x0e, CX, R14 - ADDQ R9, BX - ANDQ R11, DI - XORQ R14, R13 - RORXQ $0x27, R10, R14 - XORQ DX, R15 - XORQ R12, R14 - RORXQ $0x1c, R10, R12 - XORQ R12, R14 - MOVQ R10, R12 - ANDQ AX, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, R9 - ADDQ R15, BX - ADDQ R15, R9 - ADDQ DI, R9 - VPSRLQ $0x13, Y6, Y3 - VPSLLQ $0x2d, Y6, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPSRLQ $0x3d, Y6, Y3 - VPSLLQ $0x03, Y6, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPADDQ Y8, Y0, Y2 - VPBLENDD $0xf0, Y2, Y6, Y6 - MOVQ R9, DI - RORXQ $0x29, BX, R13 - RORXQ $0x12, BX, R14 - ADDQ 24(SP), DX - ORQ R11, DI - MOVQ CX, R15 - RORXQ $0x22, R9, R12 - XORQ R14, R13 - XORQ R8, R15 - RORXQ $0x0e, BX, R14 - ANDQ BX, R15 - ADDQ DX, AX - ANDQ R10, DI - XORQ R14, R13 - XORQ R8, R15 - RORXQ $0x27, R9, R14 - ADDQ R13, R15 - XORQ R12, R14 - ADDQ R15, AX - RORXQ $0x1c, R9, R12 - XORQ R12, R14 - MOVQ R9, R12 - ANDQ R11, R12 - ORQ R12, DI - ADDQ R14, DX - ADDQ R15, DX - ADDQ DI, DX - VPADDQ 96(BP), Y7, Y0 - VMOVDQU Y0, (SP) - ADDQ $0x80, BP - VPERM2F128 $0x03, Y5, Y6, Y0 - VPALIGNR $0x08, Y5, Y0, Y0 - VPADDQ Y7, Y0, Y0 - VPERM2F128 $0x03, Y7, Y4, Y1 - VPALIGNR $0x08, Y7, Y1, Y1 - VPSRLQ $0x01, Y1, Y2 - VPSLLQ $0x3f, Y1, Y3 - VPOR Y2, Y3, Y3 - VPSRLQ $0x07, Y1, Y8 - MOVQ DX, DI - RORXQ $0x29, AX, R13 - RORXQ $0x12, AX, R14 - ADDQ (SP), R8 - ORQ R10, DI - MOVQ BX, R15 - RORXQ $0x22, DX, R12 - XORQ R14, R13 - XORQ CX, R15 - RORXQ $0x0e, AX, R14 - ANDQ AX, R15 - XORQ R14, R13 - RORXQ $0x27, DX, R14 - ADDQ R8, R11 - ANDQ R9, DI - XORQ R12, R14 - RORXQ $0x1c, DX, R12 - XORQ CX, R15 - XORQ R12, R14 - MOVQ DX, R12 - ANDQ R10, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, R8 - ADDQ R15, R11 - ADDQ R15, R8 - ADDQ DI, R8 - VPSRLQ $0x08, Y1, Y2 - VPSLLQ $0x38, Y1, Y1 - VPOR Y2, Y1, Y1 - VPXOR Y8, Y3, Y3 - VPXOR Y1, Y3, Y1 - VPADDQ Y1, Y0, Y0 - VPERM2F128 $0x00, Y0, Y0, Y7 - VPAND MASK_YMM_LO<>+0(SB), Y0, Y0 - VPERM2F128 $0x11, Y6, Y6, Y2 - VPSRLQ $0x06, Y2, Y8 - MOVQ R8, DI - RORXQ $0x29, R11, R13 - RORXQ $0x12, R11, R14 - ADDQ 8(SP), CX - ORQ R9, DI - MOVQ AX, R15 - RORXQ $0x22, R8, R12 - XORQ R14, R13 - XORQ BX, R15 - RORXQ $0x0e, R11, R14 - XORQ R14, R13 - RORXQ $0x27, R8, R14 - ANDQ R11, R15 - ADDQ CX, R10 - ANDQ DX, DI - XORQ R12, R14 - RORXQ $0x1c, R8, R12 - XORQ BX, R15 - XORQ R12, R14 - MOVQ R8, R12 - ANDQ R9, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, CX - ADDQ R15, R10 - ADDQ R15, CX - ADDQ DI, CX - VPSRLQ $0x13, Y2, Y3 - VPSLLQ $0x2d, Y2, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPSRLQ $0x3d, Y2, Y3 - VPSLLQ $0x03, Y2, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPADDQ Y8, Y7, Y7 - VPSRLQ $0x06, Y7, Y8 - MOVQ CX, DI - RORXQ $0x29, R10, R13 - ADDQ 16(SP), BX - RORXQ $0x12, R10, R14 - ORQ DX, DI - MOVQ R11, R15 - XORQ AX, R15 - RORXQ $0x22, CX, R12 - XORQ R14, R13 - ANDQ R10, R15 - RORXQ $0x0e, R10, R14 - ADDQ BX, R9 - ANDQ R8, DI - XORQ R14, R13 - RORXQ $0x27, CX, R14 - XORQ AX, R15 - XORQ R12, R14 - RORXQ $0x1c, CX, R12 - XORQ R12, R14 - MOVQ CX, R12 - ANDQ DX, R12 - ADDQ R13, R15 - ORQ R12, DI - ADDQ R14, BX - ADDQ R15, R9 - ADDQ R15, BX - ADDQ DI, BX - VPSRLQ $0x13, Y7, Y3 - VPSLLQ $0x2d, Y7, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPSRLQ $0x3d, Y7, Y3 - VPSLLQ $0x03, Y7, Y1 - VPOR Y1, Y3, Y3 - VPXOR Y3, Y8, Y8 - VPADDQ Y8, Y0, Y2 - VPBLENDD $0xf0, Y2, Y7, Y7 - MOVQ BX, DI - RORXQ $0x29, R9, R13 - RORXQ $0x12, R9, R14 - ADDQ 24(SP), AX - ORQ R8, DI - MOVQ R10, R15 - RORXQ $0x22, BX, R12 - XORQ R14, R13 - XORQ R11, R15 - RORXQ $0x0e, R9, R14 - ANDQ R9, R15 - ADDQ AX, DX - ANDQ CX, DI - XORQ R14, R13 - XORQ R11, R15 - RORXQ $0x27, BX, R14 - ADDQ R13, R15 - XORQ R12, R14 - ADDQ R15, DX - RORXQ $0x1c, BX, R12 - XORQ R12, R14 - MOVQ BX, R12 - ANDQ R8, R12 - ORQ R12, DI - ADDQ R14, AX - ADDQ R15, AX - ADDQ DI, AX - SUBQ $0x01, 32(SP) - JNE loop1 - MOVQ $0x00000002, 32(SP) - -loop2: - VPADDQ (BP), Y4, Y0 - VMOVDQU Y0, (SP) - MOVQ R9, R15 - RORXQ $0x29, DX, R13 - RORXQ $0x12, DX, R14 - XORQ R10, R15 - XORQ R14, R13 - RORXQ $0x0e, DX, R14 - ANDQ DX, R15 - XORQ R14, R13 - RORXQ $0x22, AX, R12 - XORQ R10, R15 - RORXQ $0x27, AX, R14 - MOVQ AX, DI - XORQ R12, R14 - RORXQ $0x1c, AX, R12 - ADDQ (SP), R11 - ORQ CX, DI - XORQ R12, R14 - MOVQ AX, R12 - ANDQ BX, DI - ANDQ CX, R12 - ADDQ R13, R15 - ADDQ R11, R8 - ORQ R12, DI - ADDQ R14, R11 - ADDQ R15, R8 - ADDQ R15, R11 - MOVQ DX, R15 - RORXQ $0x29, R8, R13 - RORXQ $0x12, R8, R14 - XORQ R9, R15 - XORQ R14, R13 - RORXQ $0x0e, R8, R14 - ANDQ R8, R15 - ADDQ DI, R11 - XORQ R14, R13 - RORXQ $0x22, R11, R12 - XORQ R9, R15 - RORXQ $0x27, R11, R14 - MOVQ R11, DI - XORQ R12, R14 - RORXQ $0x1c, R11, R12 - ADDQ 8(SP), R10 - ORQ BX, DI - XORQ R12, R14 - MOVQ R11, R12 - ANDQ AX, DI - ANDQ BX, R12 - ADDQ R13, R15 - ADDQ R10, CX - ORQ R12, DI - ADDQ R14, R10 - ADDQ R15, CX - ADDQ R15, R10 - MOVQ R8, R15 - RORXQ $0x29, CX, R13 - RORXQ $0x12, CX, R14 - XORQ DX, R15 - XORQ R14, R13 - RORXQ $0x0e, CX, R14 - ANDQ CX, R15 - ADDQ DI, R10 - XORQ R14, R13 - RORXQ $0x22, R10, R12 - XORQ DX, R15 - RORXQ $0x27, R10, R14 - MOVQ R10, DI - XORQ R12, R14 - RORXQ $0x1c, R10, R12 - ADDQ 16(SP), R9 - ORQ AX, DI - XORQ R12, R14 - MOVQ R10, R12 - ANDQ R11, DI - ANDQ AX, R12 - ADDQ R13, R15 - ADDQ R9, BX - ORQ R12, DI - ADDQ R14, R9 - ADDQ R15, BX - ADDQ R15, R9 - MOVQ CX, R15 - RORXQ $0x29, BX, R13 - RORXQ $0x12, BX, R14 - XORQ R8, R15 - XORQ R14, R13 - RORXQ $0x0e, BX, R14 - ANDQ BX, R15 - ADDQ DI, R9 - XORQ R14, R13 - RORXQ $0x22, R9, R12 - XORQ R8, R15 - RORXQ $0x27, R9, R14 - MOVQ R9, DI - XORQ R12, R14 - RORXQ $0x1c, R9, R12 - ADDQ 24(SP), DX - ORQ R11, DI - XORQ R12, R14 - MOVQ R9, R12 - ANDQ R10, DI - ANDQ R11, R12 - ADDQ R13, R15 - ADDQ DX, AX - ORQ R12, DI - ADDQ R14, DX - ADDQ R15, AX - ADDQ R15, DX - ADDQ DI, DX - VPADDQ 32(BP), Y5, Y0 - VMOVDQU Y0, (SP) - ADDQ $0x40, BP - MOVQ BX, R15 - RORXQ $0x29, AX, R13 - RORXQ $0x12, AX, R14 - XORQ CX, R15 - XORQ R14, R13 - RORXQ $0x0e, AX, R14 - ANDQ AX, R15 - XORQ R14, R13 - RORXQ $0x22, DX, R12 - XORQ CX, R15 - RORXQ $0x27, DX, R14 - MOVQ DX, DI - XORQ R12, R14 - RORXQ $0x1c, DX, R12 - ADDQ (SP), R8 - ORQ R10, DI - XORQ R12, R14 - MOVQ DX, R12 - ANDQ R9, DI - ANDQ R10, R12 - ADDQ R13, R15 - ADDQ R8, R11 - ORQ R12, DI - ADDQ R14, R8 - ADDQ R15, R11 - ADDQ R15, R8 - MOVQ AX, R15 - RORXQ $0x29, R11, R13 - RORXQ $0x12, R11, R14 - XORQ BX, R15 - XORQ R14, R13 - RORXQ $0x0e, R11, R14 - ANDQ R11, R15 - ADDQ DI, R8 - XORQ R14, R13 - RORXQ $0x22, R8, R12 - XORQ BX, R15 - RORXQ $0x27, R8, R14 - MOVQ R8, DI - XORQ R12, R14 - RORXQ $0x1c, R8, R12 - ADDQ 8(SP), CX - ORQ R9, DI - XORQ R12, R14 - MOVQ R8, R12 - ANDQ DX, DI - ANDQ R9, R12 - ADDQ R13, R15 - ADDQ CX, R10 - ORQ R12, DI - ADDQ R14, CX - ADDQ R15, R10 - ADDQ R15, CX - MOVQ R11, R15 - RORXQ $0x29, R10, R13 - RORXQ $0x12, R10, R14 - XORQ AX, R15 - XORQ R14, R13 - RORXQ $0x0e, R10, R14 - ANDQ R10, R15 - ADDQ DI, CX - XORQ R14, R13 - RORXQ $0x22, CX, R12 - XORQ AX, R15 - RORXQ $0x27, CX, R14 - MOVQ CX, DI - XORQ R12, R14 - RORXQ $0x1c, CX, R12 - ADDQ 16(SP), BX - ORQ DX, DI - XORQ R12, R14 - MOVQ CX, R12 - ANDQ R8, DI - ANDQ DX, R12 - ADDQ R13, R15 - ADDQ BX, R9 - ORQ R12, DI - ADDQ R14, BX - ADDQ R15, R9 - ADDQ R15, BX - MOVQ R10, R15 - RORXQ $0x29, R9, R13 - RORXQ $0x12, R9, R14 - XORQ R11, R15 - XORQ R14, R13 - RORXQ $0x0e, R9, R14 - ANDQ R9, R15 - ADDQ DI, BX - XORQ R14, R13 - RORXQ $0x22, BX, R12 - XORQ R11, R15 - RORXQ $0x27, BX, R14 - MOVQ BX, DI - XORQ R12, R14 - RORXQ $0x1c, BX, R12 - ADDQ 24(SP), AX - ORQ R8, DI - XORQ R12, R14 - MOVQ BX, R12 - ANDQ CX, DI - ANDQ R8, R12 - ADDQ R13, R15 - ADDQ AX, DX - ORQ R12, DI - ADDQ R14, AX - ADDQ R15, DX - ADDQ R15, AX - ADDQ DI, AX - VMOVDQU Y6, Y4 - VMOVDQU Y7, Y5 - SUBQ $0x01, 32(SP) - JNE loop2 - ADDQ (SI), AX - MOVQ AX, (SI) - ADDQ 8(SI), BX - MOVQ BX, 8(SI) - ADDQ 16(SI), CX - MOVQ CX, 16(SI) - ADDQ 24(SI), R8 - MOVQ R8, 24(SI) - ADDQ 32(SI), DX - MOVQ DX, 32(SI) - ADDQ 40(SI), R9 - MOVQ R9, 40(SI) - ADDQ 48(SI), R10 - MOVQ R10, 48(SI) - ADDQ 56(SI), R11 - MOVQ R11, 56(SI) - MOVQ 40(SP), DI - ADDQ $0x80, DI - CMPQ DI, 48(SP) - JNE loop0 - -done_hash: - VZEROUPPER - RET - -DATA PSHUFFLE_BYTE_FLIP_MASK<>+0(SB)/8, $0x0001020304050607 -DATA PSHUFFLE_BYTE_FLIP_MASK<>+8(SB)/8, $0x08090a0b0c0d0e0f -DATA PSHUFFLE_BYTE_FLIP_MASK<>+16(SB)/8, $0x1011121314151617 -DATA PSHUFFLE_BYTE_FLIP_MASK<>+24(SB)/8, $0x18191a1b1c1d1e1f -GLOBL PSHUFFLE_BYTE_FLIP_MASK<>(SB), RODATA|NOPTR, $32 - -DATA MASK_YMM_LO<>+0(SB)/8, $0x0000000000000000 -DATA MASK_YMM_LO<>+8(SB)/8, $0x0000000000000000 -DATA MASK_YMM_LO<>+16(SB)/8, $0xffffffffffffffff -DATA MASK_YMM_LO<>+24(SB)/8, $0xffffffffffffffff -GLOBL MASK_YMM_LO<>(SB), RODATA|NOPTR, $32 diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_arm64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_arm64.go deleted file mode 100644 index d6a3ab06ee8..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_arm64.go +++ /dev/null @@ -1,29 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package sha512 - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -var useSHA512 = cpu.ARM64HasSHA512 - -func init() { - impl.Register("sha512", "Armv8.2", &useSHA512) -} - -//go:noescape -func blockSHA512(dig *Digest, p []byte) - -func block(dig *Digest, p []byte) { - if useSHA512 { - blockSHA512(dig, p) - } else { - blockGeneric(dig, p) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_arm64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_arm64.s deleted file mode 100644 index cabe262548c..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_arm64.s +++ /dev/null @@ -1,137 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -// Based on the Linux Kernel with the following comment: -// Algorithm based on https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb87127bcefc17efab757606e1b1e333fd614dd0 -// Originally written by Ard Biesheuvel <[email protected]> - -#include "textflag.h" - -#define SHA512TRANS(i0, i1, i2, i3, i4, rc0, in0) \ - VADD in0.D2, rc0.D2, V5.D2 \ - VEXT $8, i3.B16, i2.B16, V6.B16 \ - VEXT $8, V5.B16, V5.B16, V5.B16 \ - VEXT $8, i2.B16, i1.B16, V7.B16 \ - VADD V5.D2, i3.D2, i3.D2 \ - -#define SHA512ROUND(i0, i1, i2, i3, i4, rc0, rc1, in0, in1, in2, in3, in4) \ - VLD1.P 16(R4), [rc1.D2] \ - SHA512TRANS(i0, i1, i2, i3, i4, rc0, in0) \ - VEXT $8, in4.B16, in3.B16, V5.B16 \ - SHA512SU0 in1.D2, in0.D2 \ - SHA512H V7.D2, V6, i3 \ - SHA512SU1 V5.D2, in2.D2, in0.D2 \ - VADD i3.D2, i1.D2, i4.D2 \ - SHA512H2 i0.D2, i1, i3 - -#define SHA512ROUND_NO_UPDATE(i0, i1, i2, i3, i4, rc0, rc1, in0) \ - VLD1.P 16(R4), [rc1.D2] \ - SHA512TRANS(i0, i1, i2, i3, i4, rc0, in0) \ - SHA512H V7.D2, V6, i3 \ - VADD i3.D2, i1.D2, i4.D2 \ - SHA512H2 i0.D2, i1, i3 - -#define SHA512ROUND_LAST(i0, i1, i2, i3, i4, rc0, in0) \ - SHA512TRANS(i0, i1, i2, i3, i4, rc0, in0) \ - SHA512H V7.D2, V6, i3 \ - VADD i3.D2, i1.D2, i4.D2 \ - SHA512H2 i0.D2, i1, i3 - -// func blockSHA512(dig *Digest, p []byte) -TEXT ·blockSHA512(SB),NOSPLIT,$0 - MOVD dig+0(FP), R0 - MOVD p_base+8(FP), R1 - MOVD p_len+16(FP), R2 - MOVD $·_K+0(SB), R3 - - // long enough to prefetch - PRFM (R3), PLDL3KEEP - // load digest - VLD1 (R0), [V8.D2, V9.D2, V10.D2, V11.D2] -loop: - // load digest in V0-V3 keeping original in V8-V11 - VMOV V8.B16, V0.B16 - VMOV V9.B16, V1.B16 - VMOV V10.B16, V2.B16 - VMOV V11.B16, V3.B16 - - // load message data in V12-V19 - VLD1.P 64(R1), [V12.D2, V13.D2, V14.D2, V15.D2] - VLD1.P 64(R1), [V16.D2, V17.D2, V18.D2, V19.D2] - - // convert message into big endian format - VREV64 V12.B16, V12.B16 - VREV64 V13.B16, V13.B16 - VREV64 V14.B16, V14.B16 - VREV64 V15.B16, V15.B16 - VREV64 V16.B16, V16.B16 - VREV64 V17.B16, V17.B16 - VREV64 V18.B16, V18.B16 - VREV64 V19.B16, V19.B16 - - MOVD R3, R4 - // load first 4 round consts in V20-V23 - VLD1.P 64(R4), [V20.D2, V21.D2, V22.D2, V23.D2] - - SHA512ROUND(V0, V1, V2, V3, V4, V20, V24, V12, V13, V19, V16, V17) - SHA512ROUND(V3, V0, V4, V2, V1, V21, V25, V13, V14, V12, V17, V18) - SHA512ROUND(V2, V3, V1, V4, V0, V22, V26, V14, V15, V13, V18, V19) - SHA512ROUND(V4, V2, V0, V1, V3, V23, V27, V15, V16, V14, V19, V12) - SHA512ROUND(V1, V4, V3, V0, V2, V24, V28, V16, V17, V15, V12, V13) - - SHA512ROUND(V0, V1, V2, V3, V4, V25, V29, V17, V18, V16, V13, V14) - SHA512ROUND(V3, V0, V4, V2, V1, V26, V30, V18, V19, V17, V14, V15) - SHA512ROUND(V2, V3, V1, V4, V0, V27, V31, V19, V12, V18, V15, V16) - SHA512ROUND(V4, V2, V0, V1, V3, V28, V24, V12, V13, V19, V16, V17) - SHA512ROUND(V1, V4, V3, V0, V2, V29, V25, V13, V14, V12, V17, V18) - - SHA512ROUND(V0, V1, V2, V3, V4, V30, V26, V14, V15, V13, V18, V19) - SHA512ROUND(V3, V0, V4, V2, V1, V31, V27, V15, V16, V14, V19, V12) - SHA512ROUND(V2, V3, V1, V4, V0, V24, V28, V16, V17, V15, V12, V13) - SHA512ROUND(V4, V2, V0, V1, V3, V25, V29, V17, V18, V16, V13, V14) - SHA512ROUND(V1, V4, V3, V0, V2, V26, V30, V18, V19, V17, V14, V15) - - SHA512ROUND(V0, V1, V2, V3, V4, V27, V31, V19, V12, V18, V15, V16) - SHA512ROUND(V3, V0, V4, V2, V1, V28, V24, V12, V13, V19, V16, V17) - SHA512ROUND(V2, V3, V1, V4, V0, V29, V25, V13, V14, V12, V17, V18) - SHA512ROUND(V4, V2, V0, V1, V3, V30, V26, V14, V15, V13, V18, V19) - SHA512ROUND(V1, V4, V3, V0, V2, V31, V27, V15, V16, V14, V19, V12) - - SHA512ROUND(V0, V1, V2, V3, V4, V24, V28, V16, V17, V15, V12, V13) - SHA512ROUND(V3, V0, V4, V2, V1, V25, V29, V17, V18, V16, V13, V14) - SHA512ROUND(V2, V3, V1, V4, V0, V26, V30, V18, V19, V17, V14, V15) - SHA512ROUND(V4, V2, V0, V1, V3, V27, V31, V19, V12, V18, V15, V16) - SHA512ROUND(V1, V4, V3, V0, V2, V28, V24, V12, V13, V19, V16, V17) - - SHA512ROUND(V0, V1, V2, V3, V4, V29, V25, V13, V14, V12, V17, V18) - SHA512ROUND(V3, V0, V4, V2, V1, V30, V26, V14, V15, V13, V18, V19) - SHA512ROUND(V2, V3, V1, V4, V0, V31, V27, V15, V16, V14, V19, V12) - SHA512ROUND(V4, V2, V0, V1, V3, V24, V28, V16, V17, V15, V12, V13) - SHA512ROUND(V1, V4, V3, V0, V2, V25, V29, V17, V18, V16, V13, V14) - - SHA512ROUND(V0, V1, V2, V3, V4, V26, V30, V18, V19, V17, V14, V15) - SHA512ROUND(V3, V0, V4, V2, V1, V27, V31, V19, V12, V18, V15, V16) - - SHA512ROUND_NO_UPDATE(V2, V3, V1, V4, V0, V28, V24, V12) - SHA512ROUND_NO_UPDATE(V4, V2, V0, V1, V3, V29, V25, V13) - SHA512ROUND_NO_UPDATE(V1, V4, V3, V0, V2, V30, V26, V14) - SHA512ROUND_NO_UPDATE(V0, V1, V2, V3, V4, V31, V27, V15) - - SHA512ROUND_LAST(V3, V0, V4, V2, V1, V24, V16) - SHA512ROUND_LAST(V2, V3, V1, V4, V0, V25, V17) - SHA512ROUND_LAST(V4, V2, V0, V1, V3, V26, V18) - SHA512ROUND_LAST(V1, V4, V3, V0, V2, V27, V19) - - // add result to digest - VADD V0.D2, V8.D2, V8.D2 - VADD V1.D2, V9.D2, V9.D2 - VADD V2.D2, V10.D2, V10.D2 - VADD V3.D2, V11.D2, V11.D2 - SUB $128, R2 - CBNZ R2, loop - - VST1 [V8.D2, V9.D2, V10.D2, V11.D2], (R0) - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_asm.go deleted file mode 100644 index 532345108f8..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_asm.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (loong64 || riscv64) && !purego - -package sha512 - -//go:noescape -func block(dig *Digest, p []byte) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_loong64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_loong64.s deleted file mode 100644 index f65d563ca34..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_loong64.s +++ /dev/null @@ -1,237 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// SHA512 block routine. See sha512block.go for Go equivalent. - -#define REGTMP R30 -#define REGTMP1 R16 -#define REGTMP2 R17 -#define REGTMP3 R18 -#define REGTMP4 R7 -#define REGTMP5 R6 - -// W[i] = M[i]; for 0 <= i <= 15 -#define LOAD0(index) \ - MOVV (index*8)(R5), REGTMP4; \ - REVBV REGTMP4, REGTMP4; \ - MOVV REGTMP4, (index*8)(R3) - -// W[i] = SIGMA1(W[i-2]) + W[i-7] + SIGMA0(W[i-15]) + W[i-16]; for 16 <= i <= 79 -// SIGMA0(x) = ROTR(1,x) XOR ROTR(8,x) XOR SHR(7,x) -// SIGMA1(x) = ROTR(19,x) XOR ROTR(61,x) XOR SHR(6,x) -#define LOAD1(index) \ - MOVV (((index-2)&0xf)*8)(R3), REGTMP4; \ - MOVV (((index-15)&0xf)*8)(R3), REGTMP1; \ - MOVV (((index-7)&0xf)*8)(R3), REGTMP; \ - MOVV REGTMP4, REGTMP2; \ - MOVV REGTMP4, REGTMP3; \ - ROTRV $19, REGTMP4; \ - ROTRV $61, REGTMP2; \ - SRLV $6, REGTMP3; \ - XOR REGTMP2, REGTMP4; \ - XOR REGTMP3, REGTMP4; \ - ROTRV $1, REGTMP1, REGTMP5; \ - SRLV $7, REGTMP1, REGTMP2; \ - ROTRV $8, REGTMP1; \ - ADDV REGTMP, REGTMP4; \ - MOVV (((index-16)&0xf)*8)(R3), REGTMP; \ - XOR REGTMP1, REGTMP5; \ - XOR REGTMP2, REGTMP5; \ - ADDV REGTMP, REGTMP5; \ - ADDV REGTMP5, REGTMP4; \ - MOVV REGTMP4, ((index&0xf)*8)(R3) - -// h is also used as an accumulator. Wt is passed in REGTMP4. -// T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + K[i] + W[i] -// BIGSIGMA1(x) = ROTR(14,x) XOR ROTR(18,x) XOR ROTR(41,x) -// Ch(x, y, z) = (x AND y) XOR (NOT x AND z) -// = ((y XOR z) AND x) XOR z -// Calculate T1 in REGTMP4 -#define SHA512T1(const, e, f, g, h) \ - ADDV $const, h; \ - ADDV REGTMP4, h; \ - ROTRV $14, e, REGTMP5; \ - ROTRV $18, e, REGTMP; \ - ROTRV $41, e, REGTMP3; \ - XOR f, g, REGTMP2; \ - XOR REGTMP, REGTMP5; \ - AND e, REGTMP2; \ - XOR REGTMP5, REGTMP3; \ - XOR g, REGTMP2; \ - ADDV REGTMP3, h; \ - ADDV h, REGTMP2, REGTMP4 - -// T2 = BIGSIGMA0(a) + Maj(a, b, c) -// BIGSIGMA0(x) = ROTR(28,x) XOR ROTR(34,x) XOR ROTR(39,x) -// Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) -// = ((y XOR z) AND x) XOR (y AND z) -// Calculate T2 in REGTMP1 -#define SHA512T2(a, b, c) \ - ROTRV $28, a, REGTMP5; \ - ROTRV $34, a, REGTMP3; \ - ROTRV $39, a, REGTMP2; \ - XOR b, c, REGTMP; \ - AND b, c, REGTMP1; \ - XOR REGTMP3, REGTMP5; \ - AND REGTMP, a, REGTMP; \ - XOR REGTMP2, REGTMP5; \ - XOR REGTMP, REGTMP1; \ - ADDV REGTMP5, REGTMP1 - -// Calculate T1 and T2, then e = d + T1 and a = T1 + T2. -// The values for e and a are stored in d and h, ready for rotation. -#define SHA512ROUND(const, a, b, c, d, e, f, g, h) \ - SHA512T1(const, e, f, g, h); \ - SHA512T2(a, b, c); \ - ADDV REGTMP4, d; \ - ADDV REGTMP1, REGTMP4, h - -#define SHA512ROUND0(index, const, a, b, c, d, e, f, g, h) \ - LOAD0(index); \ - SHA512ROUND(const, a, b, c, d, e, f, g, h) - -#define SHA512ROUND1(index, const, a, b, c, d, e, f, g, h) \ - LOAD1(index); \ - SHA512ROUND(const, a, b, c, d, e, f, g, h) - -// A stack frame size of 128 bytes is required here, because -// the frame size used for data expansion is 128 bytes. -// See the definition of the macro LOAD1 above (8 bytes * 16 entries). -// -// func block(dig *Digest, p []byte) -TEXT ·block(SB),NOSPLIT,$128-32 - MOVV p_len+16(FP), R6 - MOVV p_base+8(FP), R5 - AND $~127, R6 - BEQ R6, end - - // p_len >= 128 - MOVV dig+0(FP), R4 - ADDV R5, R6, R25 - MOVV (0*8)(R4), R8 // a = H0 - MOVV (1*8)(R4), R9 // b = H1 - MOVV (2*8)(R4), R10 // c = H2 - MOVV (3*8)(R4), R11 // d = H3 - MOVV (4*8)(R4), R12 // e = H4 - MOVV (5*8)(R4), R13 // f = H5 - MOVV (6*8)(R4), R14 // g = H6 - MOVV (7*8)(R4), R15 // h = H7 - -loop: - SHA512ROUND0( 0, 0x428a2f98d728ae22, R8, R9, R10, R11, R12, R13, R14, R15) - SHA512ROUND0( 1, 0x7137449123ef65cd, R15, R8, R9, R10, R11, R12, R13, R14) - SHA512ROUND0( 2, 0xb5c0fbcfec4d3b2f, R14, R15, R8, R9, R10, R11, R12, R13) - SHA512ROUND0( 3, 0xe9b5dba58189dbbc, R13, R14, R15, R8, R9, R10, R11, R12) - SHA512ROUND0( 4, 0x3956c25bf348b538, R12, R13, R14, R15, R8, R9, R10, R11) - SHA512ROUND0( 5, 0x59f111f1b605d019, R11, R12, R13, R14, R15, R8, R9, R10) - SHA512ROUND0( 6, 0x923f82a4af194f9b, R10, R11, R12, R13, R14, R15, R8, R9) - SHA512ROUND0( 7, 0xab1c5ed5da6d8118, R9, R10, R11, R12, R13, R14, R15, R8) - SHA512ROUND0( 8, 0xd807aa98a3030242, R8, R9, R10, R11, R12, R13, R14, R15) - SHA512ROUND0( 9, 0x12835b0145706fbe, R15, R8, R9, R10, R11, R12, R13, R14) - SHA512ROUND0(10, 0x243185be4ee4b28c, R14, R15, R8, R9, R10, R11, R12, R13) - SHA512ROUND0(11, 0x550c7dc3d5ffb4e2, R13, R14, R15, R8, R9, R10, R11, R12) - SHA512ROUND0(12, 0x72be5d74f27b896f, R12, R13, R14, R15, R8, R9, R10, R11) - SHA512ROUND0(13, 0x80deb1fe3b1696b1, R11, R12, R13, R14, R15, R8, R9, R10) - SHA512ROUND0(14, 0x9bdc06a725c71235, R10, R11, R12, R13, R14, R15, R8, R9) - SHA512ROUND0(15, 0xc19bf174cf692694, R9, R10, R11, R12, R13, R14, R15, R8) - - SHA512ROUND1(16, 0xe49b69c19ef14ad2, R8, R9, R10, R11, R12, R13, R14, R15) - SHA512ROUND1(17, 0xefbe4786384f25e3, R15, R8, R9, R10, R11, R12, R13, R14) - SHA512ROUND1(18, 0x0fc19dc68b8cd5b5, R14, R15, R8, R9, R10, R11, R12, R13) - SHA512ROUND1(19, 0x240ca1cc77ac9c65, R13, R14, R15, R8, R9, R10, R11, R12) - SHA512ROUND1(20, 0x2de92c6f592b0275, R12, R13, R14, R15, R8, R9, R10, R11) - SHA512ROUND1(21, 0x4a7484aa6ea6e483, R11, R12, R13, R14, R15, R8, R9, R10) - SHA512ROUND1(22, 0x5cb0a9dcbd41fbd4, R10, R11, R12, R13, R14, R15, R8, R9) - SHA512ROUND1(23, 0x76f988da831153b5, R9, R10, R11, R12, R13, R14, R15, R8) - SHA512ROUND1(24, 0x983e5152ee66dfab, R8, R9, R10, R11, R12, R13, R14, R15) - SHA512ROUND1(25, 0xa831c66d2db43210, R15, R8, R9, R10, R11, R12, R13, R14) - SHA512ROUND1(26, 0xb00327c898fb213f, R14, R15, R8, R9, R10, R11, R12, R13) - SHA512ROUND1(27, 0xbf597fc7beef0ee4, R13, R14, R15, R8, R9, R10, R11, R12) - SHA512ROUND1(28, 0xc6e00bf33da88fc2, R12, R13, R14, R15, R8, R9, R10, R11) - SHA512ROUND1(29, 0xd5a79147930aa725, R11, R12, R13, R14, R15, R8, R9, R10) - SHA512ROUND1(30, 0x06ca6351e003826f, R10, R11, R12, R13, R14, R15, R8, R9) - SHA512ROUND1(31, 0x142929670a0e6e70, R9, R10, R11, R12, R13, R14, R15, R8) - SHA512ROUND1(32, 0x27b70a8546d22ffc, R8, R9, R10, R11, R12, R13, R14, R15) - SHA512ROUND1(33, 0x2e1b21385c26c926, R15, R8, R9, R10, R11, R12, R13, R14) - SHA512ROUND1(34, 0x4d2c6dfc5ac42aed, R14, R15, R8, R9, R10, R11, R12, R13) - SHA512ROUND1(35, 0x53380d139d95b3df, R13, R14, R15, R8, R9, R10, R11, R12) - SHA512ROUND1(36, 0x650a73548baf63de, R12, R13, R14, R15, R8, R9, R10, R11) - SHA512ROUND1(37, 0x766a0abb3c77b2a8, R11, R12, R13, R14, R15, R8, R9, R10) - SHA512ROUND1(38, 0x81c2c92e47edaee6, R10, R11, R12, R13, R14, R15, R8, R9) - SHA512ROUND1(39, 0x92722c851482353b, R9, R10, R11, R12, R13, R14, R15, R8) - SHA512ROUND1(40, 0xa2bfe8a14cf10364, R8, R9, R10, R11, R12, R13, R14, R15) - SHA512ROUND1(41, 0xa81a664bbc423001, R15, R8, R9, R10, R11, R12, R13, R14) - SHA512ROUND1(42, 0xc24b8b70d0f89791, R14, R15, R8, R9, R10, R11, R12, R13) - SHA512ROUND1(43, 0xc76c51a30654be30, R13, R14, R15, R8, R9, R10, R11, R12) - SHA512ROUND1(44, 0xd192e819d6ef5218, R12, R13, R14, R15, R8, R9, R10, R11) - SHA512ROUND1(45, 0xd69906245565a910, R11, R12, R13, R14, R15, R8, R9, R10) - SHA512ROUND1(46, 0xf40e35855771202a, R10, R11, R12, R13, R14, R15, R8, R9) - SHA512ROUND1(47, 0x106aa07032bbd1b8, R9, R10, R11, R12, R13, R14, R15, R8) - SHA512ROUND1(48, 0x19a4c116b8d2d0c8, R8, R9, R10, R11, R12, R13, R14, R15) - SHA512ROUND1(49, 0x1e376c085141ab53, R15, R8, R9, R10, R11, R12, R13, R14) - SHA512ROUND1(50, 0x2748774cdf8eeb99, R14, R15, R8, R9, R10, R11, R12, R13) - SHA512ROUND1(51, 0x34b0bcb5e19b48a8, R13, R14, R15, R8, R9, R10, R11, R12) - SHA512ROUND1(52, 0x391c0cb3c5c95a63, R12, R13, R14, R15, R8, R9, R10, R11) - SHA512ROUND1(53, 0x4ed8aa4ae3418acb, R11, R12, R13, R14, R15, R8, R9, R10) - SHA512ROUND1(54, 0x5b9cca4f7763e373, R10, R11, R12, R13, R14, R15, R8, R9) - SHA512ROUND1(55, 0x682e6ff3d6b2b8a3, R9, R10, R11, R12, R13, R14, R15, R8) - SHA512ROUND1(56, 0x748f82ee5defb2fc, R8, R9, R10, R11, R12, R13, R14, R15) - SHA512ROUND1(57, 0x78a5636f43172f60, R15, R8, R9, R10, R11, R12, R13, R14) - SHA512ROUND1(58, 0x84c87814a1f0ab72, R14, R15, R8, R9, R10, R11, R12, R13) - SHA512ROUND1(59, 0x8cc702081a6439ec, R13, R14, R15, R8, R9, R10, R11, R12) - SHA512ROUND1(60, 0x90befffa23631e28, R12, R13, R14, R15, R8, R9, R10, R11) - SHA512ROUND1(61, 0xa4506cebde82bde9, R11, R12, R13, R14, R15, R8, R9, R10) - SHA512ROUND1(62, 0xbef9a3f7b2c67915, R10, R11, R12, R13, R14, R15, R8, R9) - SHA512ROUND1(63, 0xc67178f2e372532b, R9, R10, R11, R12, R13, R14, R15, R8) - SHA512ROUND1(64, 0xca273eceea26619c, R8, R9, R10, R11, R12, R13, R14, R15) - SHA512ROUND1(65, 0xd186b8c721c0c207, R15, R8, R9, R10, R11, R12, R13, R14) - SHA512ROUND1(66, 0xeada7dd6cde0eb1e, R14, R15, R8, R9, R10, R11, R12, R13) - SHA512ROUND1(67, 0xf57d4f7fee6ed178, R13, R14, R15, R8, R9, R10, R11, R12) - SHA512ROUND1(68, 0x06f067aa72176fba, R12, R13, R14, R15, R8, R9, R10, R11) - SHA512ROUND1(69, 0x0a637dc5a2c898a6, R11, R12, R13, R14, R15, R8, R9, R10) - SHA512ROUND1(70, 0x113f9804bef90dae, R10, R11, R12, R13, R14, R15, R8, R9) - SHA512ROUND1(71, 0x1b710b35131c471b, R9, R10, R11, R12, R13, R14, R15, R8) - SHA512ROUND1(72, 0x28db77f523047d84, R8, R9, R10, R11, R12, R13, R14, R15) - SHA512ROUND1(73, 0x32caab7b40c72493, R15, R8, R9, R10, R11, R12, R13, R14) - SHA512ROUND1(74, 0x3c9ebe0a15c9bebc, R14, R15, R8, R9, R10, R11, R12, R13) - SHA512ROUND1(75, 0x431d67c49c100d4c, R13, R14, R15, R8, R9, R10, R11, R12) - SHA512ROUND1(76, 0x4cc5d4becb3e42b6, R12, R13, R14, R15, R8, R9, R10, R11) - SHA512ROUND1(77, 0x597f299cfc657e2a, R11, R12, R13, R14, R15, R8, R9, R10) - SHA512ROUND1(78, 0x5fcb6fab3ad6faec, R10, R11, R12, R13, R14, R15, R8, R9) - SHA512ROUND1(79, 0x6c44198c4a475817, R9, R10, R11, R12, R13, R14, R15, R8) - - MOVV (0*8)(R4), REGTMP - MOVV (1*8)(R4), REGTMP1 - MOVV (2*8)(R4), REGTMP2 - MOVV (3*8)(R4), REGTMP3 - ADDV REGTMP, R8 // H0 = a + H0 - ADDV REGTMP1, R9 // H1 = b + H1 - ADDV REGTMP2, R10 // H2 = c + H2 - ADDV REGTMP3, R11 // H3 = d + H3 - MOVV R8, (0*8)(R4) - MOVV R9, (1*8)(R4) - MOVV R10, (2*8)(R4) - MOVV R11, (3*8)(R4) - MOVV (4*8)(R4), REGTMP - MOVV (5*8)(R4), REGTMP1 - MOVV (6*8)(R4), REGTMP2 - MOVV (7*8)(R4), REGTMP3 - ADDV REGTMP, R12 // H4 = e + H4 - ADDV REGTMP1, R13 // H5 = f + H5 - ADDV REGTMP2, R14 // H6 = g + H6 - ADDV REGTMP3, R15 // H7 = h + H7 - MOVV R12, (4*8)(R4) - MOVV R13, (5*8)(R4) - MOVV R14, (6*8)(R4) - MOVV R15, (7*8)(R4) - - ADDV $128, R5 - BNE R5, R25, loop - -end: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_noasm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_noasm.go deleted file mode 100644 index a1051ca2db0..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_noasm.go +++ /dev/null @@ -1,11 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!amd64 && !arm64 && !loong64 && !ppc64 && !ppc64le && !riscv64 && !s390x) || purego - -package sha512 - -func block(dig *Digest, p []byte) { - blockGeneric(dig, p) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_ppc64x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_ppc64x.go deleted file mode 100644 index e5098d39708..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_ppc64x.go +++ /dev/null @@ -1,33 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (ppc64 || ppc64le) && !purego - -package sha512 - -import ( - "crypto/internal/fips140deps/godebug" - "crypto/internal/impl" -) - -// The POWER architecture doesn't have a way to turn off SHA-512 support at -// runtime with GODEBUG=cpu.something=off, so introduce a new GODEBUG knob for -// that. It's intentionally only checked at init() time, to avoid the -// performance overhead of checking it on every block. -var ppc64sha512 = godebug.Value("#ppc64sha512") != "off" - -func init() { - impl.Register("sha512", "POWER8", &ppc64sha512) -} - -//go:noescape -func blockPOWER(dig *Digest, p []byte) - -func block(dig *Digest, p []byte) { - if ppc64sha512 { - blockPOWER(dig, p) - } else { - blockGeneric(dig, p) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_ppc64x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_ppc64x.s deleted file mode 100644 index fd2c47bc7e3..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_ppc64x.s +++ /dev/null @@ -1,487 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Based on CRYPTOGAMS code with the following comment: -// # ==================================================================== -// # Written by Andy Polyakov <[email protected]> for the OpenSSL -// # project. The module is, however, dual licensed under OpenSSL and -// # CRYPTOGAMS licenses depending on where you obtain it. For further -// # details see http://www.openssl.org/~appro/cryptogams/. -// # ==================================================================== - -//go:build (ppc64 || ppc64le) && !purego - -#include "textflag.h" - -// SHA512 block routine. See sha512block.go for Go equivalent. -// -// The algorithm is detailed in FIPS 180-4: -// -// https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf -// -// Wt = Mt; for 0 <= t <= 15 -// Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 79 -// -// a = H0 -// b = H1 -// c = H2 -// d = H3 -// e = H4 -// f = H5 -// g = H6 -// h = H7 -// -// for t = 0 to 79 { -// T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt -// T2 = BIGSIGMA0(a) + Maj(a,b,c) -// h = g -// g = f -// f = e -// e = d + T1 -// d = c -// c = b -// b = a -// a = T1 + T2 -// } -// -// H0 = a + H0 -// H1 = b + H1 -// H2 = c + H2 -// H3 = d + H3 -// H4 = e + H4 -// H5 = f + H5 -// H6 = g + H6 -// H7 = h + H7 - -#define CTX R3 -#define INP R4 -#define END R5 -#define TBL R6 -#define CNT R8 -#define LEN R9 -#define TEMP R12 - -#define TBL_STRT R7 // Pointer to start of kcon table. - -#define R_x000 R0 -#define R_x010 R10 -#define R_x020 R25 -#define R_x030 R26 -#define R_x040 R14 -#define R_x050 R15 -#define R_x060 R16 -#define R_x070 R17 -#define R_x080 R18 -#define R_x090 R19 -#define R_x0a0 R20 -#define R_x0b0 R21 -#define R_x0c0 R22 -#define R_x0d0 R23 -#define R_x0e0 R24 -#define R_x0f0 R28 -#define R_x100 R29 -#define R_x110 R27 - - -// V0-V7 are A-H -// V8-V23 are used for the message schedule -#define KI V24 -#define FUNC V25 -#define S0 V26 -#define S1 V27 -#define s0 V28 -#define s1 V29 -#define LEMASK V31 // Permutation control register for little endian - -// VPERM is needed on LE to switch the bytes - -#ifdef GOARCH_ppc64le -#define VPERMLE(va,vb,vc,vt) VPERM va, vb, vc, vt -#else -#define VPERMLE(va,vb,vc,vt) -#endif - -// 2 copies of each Kt, to fill both doublewords of a vector register -DATA ·kcon+0x000(SB)/8, $0x428a2f98d728ae22 -DATA ·kcon+0x008(SB)/8, $0x428a2f98d728ae22 -DATA ·kcon+0x010(SB)/8, $0x7137449123ef65cd -DATA ·kcon+0x018(SB)/8, $0x7137449123ef65cd -DATA ·kcon+0x020(SB)/8, $0xb5c0fbcfec4d3b2f -DATA ·kcon+0x028(SB)/8, $0xb5c0fbcfec4d3b2f -DATA ·kcon+0x030(SB)/8, $0xe9b5dba58189dbbc -DATA ·kcon+0x038(SB)/8, $0xe9b5dba58189dbbc -DATA ·kcon+0x040(SB)/8, $0x3956c25bf348b538 -DATA ·kcon+0x048(SB)/8, $0x3956c25bf348b538 -DATA ·kcon+0x050(SB)/8, $0x59f111f1b605d019 -DATA ·kcon+0x058(SB)/8, $0x59f111f1b605d019 -DATA ·kcon+0x060(SB)/8, $0x923f82a4af194f9b -DATA ·kcon+0x068(SB)/8, $0x923f82a4af194f9b -DATA ·kcon+0x070(SB)/8, $0xab1c5ed5da6d8118 -DATA ·kcon+0x078(SB)/8, $0xab1c5ed5da6d8118 -DATA ·kcon+0x080(SB)/8, $0xd807aa98a3030242 -DATA ·kcon+0x088(SB)/8, $0xd807aa98a3030242 -DATA ·kcon+0x090(SB)/8, $0x12835b0145706fbe -DATA ·kcon+0x098(SB)/8, $0x12835b0145706fbe -DATA ·kcon+0x0A0(SB)/8, $0x243185be4ee4b28c -DATA ·kcon+0x0A8(SB)/8, $0x243185be4ee4b28c -DATA ·kcon+0x0B0(SB)/8, $0x550c7dc3d5ffb4e2 -DATA ·kcon+0x0B8(SB)/8, $0x550c7dc3d5ffb4e2 -DATA ·kcon+0x0C0(SB)/8, $0x72be5d74f27b896f -DATA ·kcon+0x0C8(SB)/8, $0x72be5d74f27b896f -DATA ·kcon+0x0D0(SB)/8, $0x80deb1fe3b1696b1 -DATA ·kcon+0x0D8(SB)/8, $0x80deb1fe3b1696b1 -DATA ·kcon+0x0E0(SB)/8, $0x9bdc06a725c71235 -DATA ·kcon+0x0E8(SB)/8, $0x9bdc06a725c71235 -DATA ·kcon+0x0F0(SB)/8, $0xc19bf174cf692694 -DATA ·kcon+0x0F8(SB)/8, $0xc19bf174cf692694 -DATA ·kcon+0x100(SB)/8, $0xe49b69c19ef14ad2 -DATA ·kcon+0x108(SB)/8, $0xe49b69c19ef14ad2 -DATA ·kcon+0x110(SB)/8, $0xefbe4786384f25e3 -DATA ·kcon+0x118(SB)/8, $0xefbe4786384f25e3 -DATA ·kcon+0x120(SB)/8, $0x0fc19dc68b8cd5b5 -DATA ·kcon+0x128(SB)/8, $0x0fc19dc68b8cd5b5 -DATA ·kcon+0x130(SB)/8, $0x240ca1cc77ac9c65 -DATA ·kcon+0x138(SB)/8, $0x240ca1cc77ac9c65 -DATA ·kcon+0x140(SB)/8, $0x2de92c6f592b0275 -DATA ·kcon+0x148(SB)/8, $0x2de92c6f592b0275 -DATA ·kcon+0x150(SB)/8, $0x4a7484aa6ea6e483 -DATA ·kcon+0x158(SB)/8, $0x4a7484aa6ea6e483 -DATA ·kcon+0x160(SB)/8, $0x5cb0a9dcbd41fbd4 -DATA ·kcon+0x168(SB)/8, $0x5cb0a9dcbd41fbd4 -DATA ·kcon+0x170(SB)/8, $0x76f988da831153b5 -DATA ·kcon+0x178(SB)/8, $0x76f988da831153b5 -DATA ·kcon+0x180(SB)/8, $0x983e5152ee66dfab -DATA ·kcon+0x188(SB)/8, $0x983e5152ee66dfab -DATA ·kcon+0x190(SB)/8, $0xa831c66d2db43210 -DATA ·kcon+0x198(SB)/8, $0xa831c66d2db43210 -DATA ·kcon+0x1A0(SB)/8, $0xb00327c898fb213f -DATA ·kcon+0x1A8(SB)/8, $0xb00327c898fb213f -DATA ·kcon+0x1B0(SB)/8, $0xbf597fc7beef0ee4 -DATA ·kcon+0x1B8(SB)/8, $0xbf597fc7beef0ee4 -DATA ·kcon+0x1C0(SB)/8, $0xc6e00bf33da88fc2 -DATA ·kcon+0x1C8(SB)/8, $0xc6e00bf33da88fc2 -DATA ·kcon+0x1D0(SB)/8, $0xd5a79147930aa725 -DATA ·kcon+0x1D8(SB)/8, $0xd5a79147930aa725 -DATA ·kcon+0x1E0(SB)/8, $0x06ca6351e003826f -DATA ·kcon+0x1E8(SB)/8, $0x06ca6351e003826f -DATA ·kcon+0x1F0(SB)/8, $0x142929670a0e6e70 -DATA ·kcon+0x1F8(SB)/8, $0x142929670a0e6e70 -DATA ·kcon+0x200(SB)/8, $0x27b70a8546d22ffc -DATA ·kcon+0x208(SB)/8, $0x27b70a8546d22ffc -DATA ·kcon+0x210(SB)/8, $0x2e1b21385c26c926 -DATA ·kcon+0x218(SB)/8, $0x2e1b21385c26c926 -DATA ·kcon+0x220(SB)/8, $0x4d2c6dfc5ac42aed -DATA ·kcon+0x228(SB)/8, $0x4d2c6dfc5ac42aed -DATA ·kcon+0x230(SB)/8, $0x53380d139d95b3df -DATA ·kcon+0x238(SB)/8, $0x53380d139d95b3df -DATA ·kcon+0x240(SB)/8, $0x650a73548baf63de -DATA ·kcon+0x248(SB)/8, $0x650a73548baf63de -DATA ·kcon+0x250(SB)/8, $0x766a0abb3c77b2a8 -DATA ·kcon+0x258(SB)/8, $0x766a0abb3c77b2a8 -DATA ·kcon+0x260(SB)/8, $0x81c2c92e47edaee6 -DATA ·kcon+0x268(SB)/8, $0x81c2c92e47edaee6 -DATA ·kcon+0x270(SB)/8, $0x92722c851482353b -DATA ·kcon+0x278(SB)/8, $0x92722c851482353b -DATA ·kcon+0x280(SB)/8, $0xa2bfe8a14cf10364 -DATA ·kcon+0x288(SB)/8, $0xa2bfe8a14cf10364 -DATA ·kcon+0x290(SB)/8, $0xa81a664bbc423001 -DATA ·kcon+0x298(SB)/8, $0xa81a664bbc423001 -DATA ·kcon+0x2A0(SB)/8, $0xc24b8b70d0f89791 -DATA ·kcon+0x2A8(SB)/8, $0xc24b8b70d0f89791 -DATA ·kcon+0x2B0(SB)/8, $0xc76c51a30654be30 -DATA ·kcon+0x2B8(SB)/8, $0xc76c51a30654be30 -DATA ·kcon+0x2C0(SB)/8, $0xd192e819d6ef5218 -DATA ·kcon+0x2C8(SB)/8, $0xd192e819d6ef5218 -DATA ·kcon+0x2D0(SB)/8, $0xd69906245565a910 -DATA ·kcon+0x2D8(SB)/8, $0xd69906245565a910 -DATA ·kcon+0x2E0(SB)/8, $0xf40e35855771202a -DATA ·kcon+0x2E8(SB)/8, $0xf40e35855771202a -DATA ·kcon+0x2F0(SB)/8, $0x106aa07032bbd1b8 -DATA ·kcon+0x2F8(SB)/8, $0x106aa07032bbd1b8 -DATA ·kcon+0x300(SB)/8, $0x19a4c116b8d2d0c8 -DATA ·kcon+0x308(SB)/8, $0x19a4c116b8d2d0c8 -DATA ·kcon+0x310(SB)/8, $0x1e376c085141ab53 -DATA ·kcon+0x318(SB)/8, $0x1e376c085141ab53 -DATA ·kcon+0x320(SB)/8, $0x2748774cdf8eeb99 -DATA ·kcon+0x328(SB)/8, $0x2748774cdf8eeb99 -DATA ·kcon+0x330(SB)/8, $0x34b0bcb5e19b48a8 -DATA ·kcon+0x338(SB)/8, $0x34b0bcb5e19b48a8 -DATA ·kcon+0x340(SB)/8, $0x391c0cb3c5c95a63 -DATA ·kcon+0x348(SB)/8, $0x391c0cb3c5c95a63 -DATA ·kcon+0x350(SB)/8, $0x4ed8aa4ae3418acb -DATA ·kcon+0x358(SB)/8, $0x4ed8aa4ae3418acb -DATA ·kcon+0x360(SB)/8, $0x5b9cca4f7763e373 -DATA ·kcon+0x368(SB)/8, $0x5b9cca4f7763e373 -DATA ·kcon+0x370(SB)/8, $0x682e6ff3d6b2b8a3 -DATA ·kcon+0x378(SB)/8, $0x682e6ff3d6b2b8a3 -DATA ·kcon+0x380(SB)/8, $0x748f82ee5defb2fc -DATA ·kcon+0x388(SB)/8, $0x748f82ee5defb2fc -DATA ·kcon+0x390(SB)/8, $0x78a5636f43172f60 -DATA ·kcon+0x398(SB)/8, $0x78a5636f43172f60 -DATA ·kcon+0x3A0(SB)/8, $0x84c87814a1f0ab72 -DATA ·kcon+0x3A8(SB)/8, $0x84c87814a1f0ab72 -DATA ·kcon+0x3B0(SB)/8, $0x8cc702081a6439ec -DATA ·kcon+0x3B8(SB)/8, $0x8cc702081a6439ec -DATA ·kcon+0x3C0(SB)/8, $0x90befffa23631e28 -DATA ·kcon+0x3C8(SB)/8, $0x90befffa23631e28 -DATA ·kcon+0x3D0(SB)/8, $0xa4506cebde82bde9 -DATA ·kcon+0x3D8(SB)/8, $0xa4506cebde82bde9 -DATA ·kcon+0x3E0(SB)/8, $0xbef9a3f7b2c67915 -DATA ·kcon+0x3E8(SB)/8, $0xbef9a3f7b2c67915 -DATA ·kcon+0x3F0(SB)/8, $0xc67178f2e372532b -DATA ·kcon+0x3F8(SB)/8, $0xc67178f2e372532b -DATA ·kcon+0x400(SB)/8, $0xca273eceea26619c -DATA ·kcon+0x408(SB)/8, $0xca273eceea26619c -DATA ·kcon+0x410(SB)/8, $0xd186b8c721c0c207 -DATA ·kcon+0x418(SB)/8, $0xd186b8c721c0c207 -DATA ·kcon+0x420(SB)/8, $0xeada7dd6cde0eb1e -DATA ·kcon+0x428(SB)/8, $0xeada7dd6cde0eb1e -DATA ·kcon+0x430(SB)/8, $0xf57d4f7fee6ed178 -DATA ·kcon+0x438(SB)/8, $0xf57d4f7fee6ed178 -DATA ·kcon+0x440(SB)/8, $0x06f067aa72176fba -DATA ·kcon+0x448(SB)/8, $0x06f067aa72176fba -DATA ·kcon+0x450(SB)/8, $0x0a637dc5a2c898a6 -DATA ·kcon+0x458(SB)/8, $0x0a637dc5a2c898a6 -DATA ·kcon+0x460(SB)/8, $0x113f9804bef90dae -DATA ·kcon+0x468(SB)/8, $0x113f9804bef90dae -DATA ·kcon+0x470(SB)/8, $0x1b710b35131c471b -DATA ·kcon+0x478(SB)/8, $0x1b710b35131c471b -DATA ·kcon+0x480(SB)/8, $0x28db77f523047d84 -DATA ·kcon+0x488(SB)/8, $0x28db77f523047d84 -DATA ·kcon+0x490(SB)/8, $0x32caab7b40c72493 -DATA ·kcon+0x498(SB)/8, $0x32caab7b40c72493 -DATA ·kcon+0x4A0(SB)/8, $0x3c9ebe0a15c9bebc -DATA ·kcon+0x4A8(SB)/8, $0x3c9ebe0a15c9bebc -DATA ·kcon+0x4B0(SB)/8, $0x431d67c49c100d4c -DATA ·kcon+0x4B8(SB)/8, $0x431d67c49c100d4c -DATA ·kcon+0x4C0(SB)/8, $0x4cc5d4becb3e42b6 -DATA ·kcon+0x4C8(SB)/8, $0x4cc5d4becb3e42b6 -DATA ·kcon+0x4D0(SB)/8, $0x597f299cfc657e2a -DATA ·kcon+0x4D8(SB)/8, $0x597f299cfc657e2a -DATA ·kcon+0x4E0(SB)/8, $0x5fcb6fab3ad6faec -DATA ·kcon+0x4E8(SB)/8, $0x5fcb6fab3ad6faec -DATA ·kcon+0x4F0(SB)/8, $0x6c44198c4a475817 -DATA ·kcon+0x4F8(SB)/8, $0x6c44198c4a475817 -DATA ·kcon+0x500(SB)/8, $0x0000000000000000 -DATA ·kcon+0x508(SB)/8, $0x0000000000000000 -DATA ·kcon+0x510(SB)/8, $0x1011121314151617 -DATA ·kcon+0x518(SB)/8, $0x0001020304050607 -GLOBL ·kcon(SB), RODATA, $1312 - -#define SHA512ROUND0(a, b, c, d, e, f, g, h, xi, idx) \ - VSEL g, f, e, FUNC; \ - VSHASIGMAD $15, e, $1, S1; \ - VADDUDM xi, h, h; \ - VSHASIGMAD $0, a, $1, S0; \ - VADDUDM FUNC, h, h; \ - VXOR b, a, FUNC; \ - VADDUDM S1, h, h; \ - VSEL b, c, FUNC, FUNC; \ - VADDUDM KI, g, g; \ - VADDUDM h, d, d; \ - VADDUDM FUNC, S0, S0; \ - LVX (TBL)(idx), KI; \ - VADDUDM S0, h, h - -#define SHA512ROUND1(a, b, c, d, e, f, g, h, xi, xj, xj_1, xj_9, xj_14, idx) \ - VSHASIGMAD $0, xj_1, $0, s0; \ - VSEL g, f, e, FUNC; \ - VSHASIGMAD $15, e, $1, S1; \ - VADDUDM xi, h, h; \ - VSHASIGMAD $0, a, $1, S0; \ - VSHASIGMAD $15, xj_14, $0, s1; \ - VADDUDM FUNC, h, h; \ - VXOR b, a, FUNC; \ - VADDUDM xj_9, xj, xj; \ - VADDUDM S1, h, h; \ - VSEL b, c, FUNC, FUNC; \ - VADDUDM KI, g, g; \ - VADDUDM h, d, d; \ - VADDUDM FUNC, S0, S0; \ - VADDUDM s0, xj, xj; \ - LVX (TBL)(idx), KI; \ - VADDUDM S0, h, h; \ - VADDUDM s1, xj, xj - -// func blockPOWER(dig *Digest, p []byte) -TEXT ·blockPOWER(SB),0,$0-32 - MOVD dig+0(FP), CTX - MOVD p_base+8(FP), INP - MOVD p_len+16(FP), LEN - - SRD $6, LEN - SLD $6, LEN - - ADD INP, LEN, END - - CMP INP, END - BEQ end - - MOVD $·kcon(SB), TBL_STRT - - MOVD R0, CNT - MOVWZ $0x010, R_x010 - MOVWZ $0x020, R_x020 - MOVWZ $0x030, R_x030 - MOVD $0x040, R_x040 - MOVD $0x050, R_x050 - MOVD $0x060, R_x060 - MOVD $0x070, R_x070 - MOVD $0x080, R_x080 - MOVD $0x090, R_x090 - MOVD $0x0a0, R_x0a0 - MOVD $0x0b0, R_x0b0 - MOVD $0x0c0, R_x0c0 - MOVD $0x0d0, R_x0d0 - MOVD $0x0e0, R_x0e0 - MOVD $0x0f0, R_x0f0 - MOVD $0x100, R_x100 - MOVD $0x110, R_x110 - - -#ifdef GOARCH_ppc64le - // Generate the mask used with VPERM for LE - MOVWZ $8, TEMP - LVSL (TEMP)(R0), LEMASK - VSPLTISB $0x0F, KI - VXOR KI, LEMASK, LEMASK -#endif - - LXVD2X (CTX)(R_x000), VS32 // v0 = vs32 - LXVD2X (CTX)(R_x010), VS34 // v2 = vs34 - LXVD2X (CTX)(R_x020), VS36 // v4 = vs36 - - // unpack the input values into vector registers - VSLDOI $8, V0, V0, V1 - LXVD2X (CTX)(R_x030), VS38 // v6 = vs38 - VSLDOI $8, V2, V2, V3 - VSLDOI $8, V4, V4, V5 - VSLDOI $8, V6, V6, V7 - -loop: - MOVD TBL_STRT, TBL - LVX (TBL)(R_x000), KI - - LXVD2X (INP)(R0), VS40 // load v8 (=vs40) in advance - ADD $16, INP - - // Copy V0-V7 to VS24-VS31 - - XXLOR V0, V0, VS24 - XXLOR V1, V1, VS25 - XXLOR V2, V2, VS26 - XXLOR V3, V3, VS27 - XXLOR V4, V4, VS28 - XXLOR V5, V5, VS29 - XXLOR V6, V6, VS30 - XXLOR V7, V7, VS31 - - VADDUDM KI, V7, V7 // h+K[i] - LVX (TBL)(R_x010), KI - - VPERMLE(V8,V8,LEMASK,V8) - SHA512ROUND0(V0, V1, V2, V3, V4, V5, V6, V7, V8, R_x020) - LXVD2X (INP)(R_x000), VS42 // load v10 (=vs42) in advance - VSLDOI $8, V8, V8, V9 - SHA512ROUND0(V7, V0, V1, V2, V3, V4, V5, V6, V9, R_x030) - VPERMLE(V10,V10,LEMASK,V10) - SHA512ROUND0(V6, V7, V0, V1, V2, V3, V4, V5, V10, R_x040) - LXVD2X (INP)(R_x010), VS44 // load v12 (=vs44) in advance - VSLDOI $8, V10, V10, V11 - SHA512ROUND0(V5, V6, V7, V0, V1, V2, V3, V4, V11, R_x050) - VPERMLE(V12,V12,LEMASK,V12) - SHA512ROUND0(V4, V5, V6, V7, V0, V1, V2, V3, V12, R_x060) - LXVD2X (INP)(R_x020), VS46 // load v14 (=vs46) in advance - VSLDOI $8, V12, V12, V13 - SHA512ROUND0(V3, V4, V5, V6, V7, V0, V1, V2, V13, R_x070) - VPERMLE(V14,V14,LEMASK,V14) - SHA512ROUND0(V2, V3, V4, V5, V6, V7, V0, V1, V14, R_x080) - LXVD2X (INP)(R_x030), VS48 // load v16 (=vs48) in advance - VSLDOI $8, V14, V14, V15 - SHA512ROUND0(V1, V2, V3, V4, V5, V6, V7, V0, V15, R_x090) - VPERMLE(V16,V16,LEMASK,V16) - SHA512ROUND0(V0, V1, V2, V3, V4, V5, V6, V7, V16, R_x0a0) - LXVD2X (INP)(R_x040), VS50 // load v18 (=vs50) in advance - VSLDOI $8, V16, V16, V17 - SHA512ROUND0(V7, V0, V1, V2, V3, V4, V5, V6, V17, R_x0b0) - VPERMLE(V18,V18,LEMASK,V18) - SHA512ROUND0(V6, V7, V0, V1, V2, V3, V4, V5, V18, R_x0c0) - LXVD2X (INP)(R_x050), VS52 // load v20 (=vs52) in advance - VSLDOI $8, V18, V18, V19 - SHA512ROUND0(V5, V6, V7, V0, V1, V2, V3, V4, V19, R_x0d0) - VPERMLE(V20,V20,LEMASK,V20) - SHA512ROUND0(V4, V5, V6, V7, V0, V1, V2, V3, V20, R_x0e0) - LXVD2X (INP)(R_x060), VS54 // load v22 (=vs54) in advance - VSLDOI $8, V20, V20, V21 - SHA512ROUND0(V3, V4, V5, V6, V7, V0, V1, V2, V21, R_x0f0) - VPERMLE(V22,V22,LEMASK,V22) - SHA512ROUND0(V2, V3, V4, V5, V6, V7, V0, V1, V22, R_x100) - VSLDOI $8, V22, V22, V23 - SHA512ROUND1(V1, V2, V3, V4, V5, V6, V7, V0, V23, V8, V9, V17, V22, R_x110) - - MOVWZ $4, TEMP - MOVWZ TEMP, CTR - ADD $0x120, TBL - ADD $0x70, INP - -L16_xx: - SHA512ROUND1(V0, V1, V2, V3, V4, V5, V6, V7, V8, V9, V10, V18, V23, R_x000) - SHA512ROUND1(V7, V0, V1, V2, V3, V4, V5, V6, V9, V10, V11, V19, V8, R_x010) - SHA512ROUND1(V6, V7, V0, V1, V2, V3, V4, V5, V10, V11, V12, V20, V9, R_x020) - SHA512ROUND1(V5, V6, V7, V0, V1, V2, V3, V4, V11, V12, V13, V21, V10, R_x030) - SHA512ROUND1(V4, V5, V6, V7, V0, V1, V2, V3, V12, V13, V14, V22, V11, R_x040) - SHA512ROUND1(V3, V4, V5, V6, V7, V0, V1, V2, V13, V14, V15, V23, V12, R_x050) - SHA512ROUND1(V2, V3, V4, V5, V6, V7, V0, V1, V14, V15, V16, V8, V13, R_x060) - SHA512ROUND1(V1, V2, V3, V4, V5, V6, V7, V0, V15, V16, V17, V9, V14, R_x070) - SHA512ROUND1(V0, V1, V2, V3, V4, V5, V6, V7, V16, V17, V18, V10, V15, R_x080) - SHA512ROUND1(V7, V0, V1, V2, V3, V4, V5, V6, V17, V18, V19, V11, V16, R_x090) - SHA512ROUND1(V6, V7, V0, V1, V2, V3, V4, V5, V18, V19, V20, V12, V17, R_x0a0) - SHA512ROUND1(V5, V6, V7, V0, V1, V2, V3, V4, V19, V20, V21, V13, V18, R_x0b0) - SHA512ROUND1(V4, V5, V6, V7, V0, V1, V2, V3, V20, V21, V22, V14, V19, R_x0c0) - SHA512ROUND1(V3, V4, V5, V6, V7, V0, V1, V2, V21, V22, V23, V15, V20, R_x0d0) - SHA512ROUND1(V2, V3, V4, V5, V6, V7, V0, V1, V22, V23, V8, V16, V21, R_x0e0) - SHA512ROUND1(V1, V2, V3, V4, V5, V6, V7, V0, V23, V8, V9, V17, V22, R_x0f0) - ADD $0x100, TBL - - BDNZ L16_xx - - XXLOR VS24, VS24, V10 - XXLOR VS25, VS25, V11 - XXLOR VS26, VS26, V12 - XXLOR VS27, VS27, V13 - XXLOR VS28, VS28, V14 - XXLOR VS29, VS29, V15 - XXLOR VS30, VS30, V16 - XXLOR VS31, VS31, V17 - VADDUDM V10, V0, V0 - VADDUDM V11, V1, V1 - VADDUDM V12, V2, V2 - VADDUDM V13, V3, V3 - VADDUDM V14, V4, V4 - VADDUDM V15, V5, V5 - VADDUDM V16, V6, V6 - VADDUDM V17, V7, V7 - - CMPU INP, END - BLT loop - -#ifdef GOARCH_ppc64le - VPERM V0, V1, KI, V0 - VPERM V2, V3, KI, V2 - VPERM V4, V5, KI, V4 - VPERM V6, V7, KI, V6 -#else - VPERM V1, V0, KI, V0 - VPERM V3, V2, KI, V2 - VPERM V5, V4, KI, V4 - VPERM V7, V6, KI, V6 -#endif - STXVD2X VS32, (CTX+R_x000) // v0 = vs32 - STXVD2X VS34, (CTX+R_x010) // v2 = vs34 - STXVD2X VS36, (CTX+R_x020) // v4 = vs36 - STXVD2X VS38, (CTX+R_x030) // v6 = vs38 - -end: - RET - diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_riscv64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_riscv64.s deleted file mode 100644 index f25ed62237b..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_riscv64.s +++ /dev/null @@ -1,287 +0,0 @@ -// Copyright 2023 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// SHA512 block routine. See sha512block.go for Go equivalent. -// -// The algorithm is detailed in FIPS 180-4: -// -// https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf -// -// Wt = Mt; for 0 <= t <= 15 -// Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 79 -// -// a = H0 -// b = H1 -// c = H2 -// d = H3 -// e = H4 -// f = H5 -// g = H6 -// h = H7 -// -// for t = 0 to 79 { -// T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt -// T2 = BIGSIGMA0(a) + Maj(a,b,c) -// h = g -// g = f -// f = e -// e = d + T1 -// d = c -// c = b -// b = a -// a = T1 + T2 -// } -// -// H0 = a + H0 -// H1 = b + H1 -// H2 = c + H2 -// H3 = d + H3 -// H4 = e + H4 -// H5 = f + H5 -// H6 = g + H6 -// H7 = h + H7 - -// Wt = Mt; for 0 <= t <= 15 -#define MSGSCHEDULE0(index) \ - MOVBU ((index*8)+0)(X29), X5; \ - MOVBU ((index*8)+1)(X29), X6; \ - MOVBU ((index*8)+2)(X29), X7; \ - MOVBU ((index*8)+3)(X29), X8; \ - SLL $56, X5; \ - SLL $48, X6; \ - OR X5, X6, X5; \ - SLL $40, X7; \ - OR X5, X7, X5; \ - SLL $32, X8; \ - OR X5, X8, X5; \ - MOVBU ((index*8)+4)(X29), X9; \ - MOVBU ((index*8)+5)(X29), X6; \ - MOVBU ((index*8)+6)(X29), X7; \ - MOVBU ((index*8)+7)(X29), X8; \ - SLL $24, X9; \ - OR X5, X9, X5; \ - SLL $16, X6; \ - OR X5, X6, X5; \ - SLL $8, X7; \ - OR X5, X7, X5; \ - OR X5, X8, X5; \ - MOV X5, (index*8)(X19) - -// Wt = SIGMA1(Wt-2) + Wt-7 + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 79 -// SIGMA0(x) = ROTR(1,x) XOR ROTR(8,x) XOR SHR(7,x) -// SIGMA1(x) = ROTR(19,x) XOR ROTR(61,x) XOR SHR(6,x) -#define MSGSCHEDULE1(index) \ - MOV (((index-2)&0xf)*8)(X19), X5; \ - MOV (((index-15)&0xf)*8)(X19), X6; \ - MOV (((index-7)&0xf)*8)(X19), X9; \ - MOV (((index-16)&0xf)*8)(X19), X21; \ - ROR $19, X5, X7; \ - ROR $61, X5, X8; \ - SRL $6, X5; \ - XOR X7, X5; \ - XOR X8, X5; \ - ADD X9, X5; \ - ROR $1, X6, X7; \ - ROR $8, X6, X8; \ - SRL $7, X6; \ - XOR X7, X6; \ - XOR X8, X6; \ - ADD X6, X5; \ - ADD X21, X5; \ - MOV X5, ((index&0xf)*8)(X19) - -// Calculate T1 in X5. -// h is also used as an accumulator. Wt is passed in X5. -// T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + Kt + Wt -// BIGSIGMA1(x) = ROTR(14,x) XOR ROTR(18,x) XOR ROTR(41,x) -// Ch(x, y, z) = (x AND y) XOR (NOT x AND z) -// = ((y XOR z) AND x) XOR z -#define SHA512T1(index, e, f, g, h) \ - MOV (index*8)(X18), X8; \ - ADD X5, h; \ - ROR $14, e, X6; \ - ADD X8, h; \ - ROR $18, e, X7; \ - ROR $41, e, X8; \ - XOR X7, X6; \ - XOR f, g, X5; \ - XOR X8, X6; \ - AND e, X5; \ - ADD X6, h; \ - XOR g, X5; \ - ADD h, X5 - -// Calculate T2 in X6. -// T2 = BIGSIGMA0(a) + Maj(a, b, c) -// BIGSIGMA0(x) = ROTR(28,x) XOR ROTR(34,x) XOR ROTR(39,x) -// Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z) -// = ((y XOR z) AND x) XOR (y AND z) -#define SHA512T2(a, b, c) \ - ROR $28, a, X6; \ - ROR $34, a, X7; \ - ROR $39, a, X8; \ - XOR X7, X6; \ - XOR b, c, X9; \ - AND b, c, X7; \ - AND a, X9; \ - XOR X8, X6; \ - XOR X7, X9; \ - ADD X9, X6 - -// Calculate T1 and T2, then e = d + T1 and a = T1 + T2. -// The values for e and a are stored in d and h, ready for rotation. -#define SHA512ROUND(index, a, b, c, d, e, f, g, h) \ - SHA512T1(index, e, f, g, h); \ - SHA512T2(a, b, c); \ - ADD X5, d; \ - ADD X6, X5, h - -#define SHA512ROUND0(index, a, b, c, d, e, f, g, h) \ - MSGSCHEDULE0(index); \ - SHA512ROUND(index, a, b, c, d, e, f, g, h) - -#define SHA512ROUND1(index, a, b, c, d, e, f, g, h) \ - MSGSCHEDULE1(index); \ - SHA512ROUND(index, a, b, c, d, e, f, g, h) - -// func block(dig *Digest, p []byte) -TEXT ·block(SB),0,$128-32 - MOV p_base+8(FP), X29 - MOV p_len+16(FP), X30 - SRL $7, X30 - SLL $7, X30 - - ADD X29, X30, X28 - BEQ X28, X29, end - - MOV $·_K(SB), X18 // const table - ADD $8, X2, X19 // message schedule - - MOV dig+0(FP), X20 - MOV (0*8)(X20), X10 // a = H0 - MOV (1*8)(X20), X11 // b = H1 - MOV (2*8)(X20), X12 // c = H2 - MOV (3*8)(X20), X13 // d = H3 - MOV (4*8)(X20), X14 // e = H4 - MOV (5*8)(X20), X15 // f = H5 - MOV (6*8)(X20), X16 // g = H6 - MOV (7*8)(X20), X17 // h = H7 - -loop: - SHA512ROUND0(0, X10, X11, X12, X13, X14, X15, X16, X17) - SHA512ROUND0(1, X17, X10, X11, X12, X13, X14, X15, X16) - SHA512ROUND0(2, X16, X17, X10, X11, X12, X13, X14, X15) - SHA512ROUND0(3, X15, X16, X17, X10, X11, X12, X13, X14) - SHA512ROUND0(4, X14, X15, X16, X17, X10, X11, X12, X13) - SHA512ROUND0(5, X13, X14, X15, X16, X17, X10, X11, X12) - SHA512ROUND0(6, X12, X13, X14, X15, X16, X17, X10, X11) - SHA512ROUND0(7, X11, X12, X13, X14, X15, X16, X17, X10) - SHA512ROUND0(8, X10, X11, X12, X13, X14, X15, X16, X17) - SHA512ROUND0(9, X17, X10, X11, X12, X13, X14, X15, X16) - SHA512ROUND0(10, X16, X17, X10, X11, X12, X13, X14, X15) - SHA512ROUND0(11, X15, X16, X17, X10, X11, X12, X13, X14) - SHA512ROUND0(12, X14, X15, X16, X17, X10, X11, X12, X13) - SHA512ROUND0(13, X13, X14, X15, X16, X17, X10, X11, X12) - SHA512ROUND0(14, X12, X13, X14, X15, X16, X17, X10, X11) - SHA512ROUND0(15, X11, X12, X13, X14, X15, X16, X17, X10) - - SHA512ROUND1(16, X10, X11, X12, X13, X14, X15, X16, X17) - SHA512ROUND1(17, X17, X10, X11, X12, X13, X14, X15, X16) - SHA512ROUND1(18, X16, X17, X10, X11, X12, X13, X14, X15) - SHA512ROUND1(19, X15, X16, X17, X10, X11, X12, X13, X14) - SHA512ROUND1(20, X14, X15, X16, X17, X10, X11, X12, X13) - SHA512ROUND1(21, X13, X14, X15, X16, X17, X10, X11, X12) - SHA512ROUND1(22, X12, X13, X14, X15, X16, X17, X10, X11) - SHA512ROUND1(23, X11, X12, X13, X14, X15, X16, X17, X10) - SHA512ROUND1(24, X10, X11, X12, X13, X14, X15, X16, X17) - SHA512ROUND1(25, X17, X10, X11, X12, X13, X14, X15, X16) - SHA512ROUND1(26, X16, X17, X10, X11, X12, X13, X14, X15) - SHA512ROUND1(27, X15, X16, X17, X10, X11, X12, X13, X14) - SHA512ROUND1(28, X14, X15, X16, X17, X10, X11, X12, X13) - SHA512ROUND1(29, X13, X14, X15, X16, X17, X10, X11, X12) - SHA512ROUND1(30, X12, X13, X14, X15, X16, X17, X10, X11) - SHA512ROUND1(31, X11, X12, X13, X14, X15, X16, X17, X10) - SHA512ROUND1(32, X10, X11, X12, X13, X14, X15, X16, X17) - SHA512ROUND1(33, X17, X10, X11, X12, X13, X14, X15, X16) - SHA512ROUND1(34, X16, X17, X10, X11, X12, X13, X14, X15) - SHA512ROUND1(35, X15, X16, X17, X10, X11, X12, X13, X14) - SHA512ROUND1(36, X14, X15, X16, X17, X10, X11, X12, X13) - SHA512ROUND1(37, X13, X14, X15, X16, X17, X10, X11, X12) - SHA512ROUND1(38, X12, X13, X14, X15, X16, X17, X10, X11) - SHA512ROUND1(39, X11, X12, X13, X14, X15, X16, X17, X10) - SHA512ROUND1(40, X10, X11, X12, X13, X14, X15, X16, X17) - SHA512ROUND1(41, X17, X10, X11, X12, X13, X14, X15, X16) - SHA512ROUND1(42, X16, X17, X10, X11, X12, X13, X14, X15) - SHA512ROUND1(43, X15, X16, X17, X10, X11, X12, X13, X14) - SHA512ROUND1(44, X14, X15, X16, X17, X10, X11, X12, X13) - SHA512ROUND1(45, X13, X14, X15, X16, X17, X10, X11, X12) - SHA512ROUND1(46, X12, X13, X14, X15, X16, X17, X10, X11) - SHA512ROUND1(47, X11, X12, X13, X14, X15, X16, X17, X10) - SHA512ROUND1(48, X10, X11, X12, X13, X14, X15, X16, X17) - SHA512ROUND1(49, X17, X10, X11, X12, X13, X14, X15, X16) - SHA512ROUND1(50, X16, X17, X10, X11, X12, X13, X14, X15) - SHA512ROUND1(51, X15, X16, X17, X10, X11, X12, X13, X14) - SHA512ROUND1(52, X14, X15, X16, X17, X10, X11, X12, X13) - SHA512ROUND1(53, X13, X14, X15, X16, X17, X10, X11, X12) - SHA512ROUND1(54, X12, X13, X14, X15, X16, X17, X10, X11) - SHA512ROUND1(55, X11, X12, X13, X14, X15, X16, X17, X10) - SHA512ROUND1(56, X10, X11, X12, X13, X14, X15, X16, X17) - SHA512ROUND1(57, X17, X10, X11, X12, X13, X14, X15, X16) - SHA512ROUND1(58, X16, X17, X10, X11, X12, X13, X14, X15) - SHA512ROUND1(59, X15, X16, X17, X10, X11, X12, X13, X14) - SHA512ROUND1(60, X14, X15, X16, X17, X10, X11, X12, X13) - SHA512ROUND1(61, X13, X14, X15, X16, X17, X10, X11, X12) - SHA512ROUND1(62, X12, X13, X14, X15, X16, X17, X10, X11) - SHA512ROUND1(63, X11, X12, X13, X14, X15, X16, X17, X10) - SHA512ROUND1(64, X10, X11, X12, X13, X14, X15, X16, X17) - SHA512ROUND1(65, X17, X10, X11, X12, X13, X14, X15, X16) - SHA512ROUND1(66, X16, X17, X10, X11, X12, X13, X14, X15) - SHA512ROUND1(67, X15, X16, X17, X10, X11, X12, X13, X14) - SHA512ROUND1(68, X14, X15, X16, X17, X10, X11, X12, X13) - SHA512ROUND1(69, X13, X14, X15, X16, X17, X10, X11, X12) - SHA512ROUND1(70, X12, X13, X14, X15, X16, X17, X10, X11) - SHA512ROUND1(71, X11, X12, X13, X14, X15, X16, X17, X10) - SHA512ROUND1(72, X10, X11, X12, X13, X14, X15, X16, X17) - SHA512ROUND1(73, X17, X10, X11, X12, X13, X14, X15, X16) - SHA512ROUND1(74, X16, X17, X10, X11, X12, X13, X14, X15) - SHA512ROUND1(75, X15, X16, X17, X10, X11, X12, X13, X14) - SHA512ROUND1(76, X14, X15, X16, X17, X10, X11, X12, X13) - SHA512ROUND1(77, X13, X14, X15, X16, X17, X10, X11, X12) - SHA512ROUND1(78, X12, X13, X14, X15, X16, X17, X10, X11) - SHA512ROUND1(79, X11, X12, X13, X14, X15, X16, X17, X10) - - MOV (0*8)(X20), X5 - MOV (1*8)(X20), X6 - MOV (2*8)(X20), X7 - MOV (3*8)(X20), X8 - ADD X5, X10 // H0 = a + H0 - ADD X6, X11 // H1 = b + H1 - ADD X7, X12 // H2 = c + H2 - ADD X8, X13 // H3 = d + H3 - MOV X10, (0*8)(X20) - MOV X11, (1*8)(X20) - MOV X12, (2*8)(X20) - MOV X13, (3*8)(X20) - MOV (4*8)(X20), X5 - MOV (5*8)(X20), X6 - MOV (6*8)(X20), X7 - MOV (7*8)(X20), X8 - ADD X5, X14 // H4 = e + H4 - ADD X6, X15 // H5 = f + H5 - ADD X7, X16 // H6 = g + H6 - ADD X8, X17 // H7 = h + H7 - MOV X14, (4*8)(X20) - MOV X15, (5*8)(X20) - MOV X16, (6*8)(X20) - MOV X17, (7*8)(X20) - - ADD $128, X29 - BNE X28, X29, loop - -end: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_s390x.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_s390x.go deleted file mode 100644 index 175424068ee..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_s390x.go +++ /dev/null @@ -1,31 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package sha512 - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -var useSHA512 = cpu.S390XHasSHA512 - -func init() { - // CP Assist for Cryptographic Functions (CPACF) - // https://www.ibm.com/docs/en/zos/3.1.0?topic=icsf-cp-assist-cryptographic-functions-cpacf - impl.Register("sha512", "CPACF", &useSHA512) -} - -//go:noescape -func blockS390X(dig *Digest, p []byte) - -func block(dig *Digest, p []byte) { - if useSHA512 { - blockS390X(dig, p) - } else { - blockGeneric(dig, p) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_s390x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_s390x.s deleted file mode 100644 index 5e943ed11fc..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/sha512block_s390x.s +++ /dev/null @@ -1,17 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func blockS390X(dig *Digest, p []byte) -TEXT ·blockS390X(SB), NOSPLIT|NOFRAME, $0-32 - LMG dig+0(FP), R1, R3 // R2 = &p[0], R3 = len(p) - MOVBZ $3, R0 // SHA-512 function code - -loop: - KIMD R0, R2 // compute intermediate message digest (KIMD) - BVS loop // continue if interrupted - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/ya.make deleted file mode 100644 index 5a871a4cb63..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/sha512/ya.make +++ /dev/null @@ -1,31 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - sha512.go - sha512block.go - sha512block_arm64.go - sha512block_arm64.s - ) -ELSEIF (OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - sha512.go - sha512block.go - sha512block_amd64.go - sha512block_amd64.s - ) -ELSEIF (OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - sha512.go - sha512block.go - sha512block_noasm.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ssh/kdf.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/ssh/kdf.go deleted file mode 100644 index 431deda8dda..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ssh/kdf.go +++ /dev/null @@ -1,55 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package ssh implements the SSH KDF as specified in RFC 4253, -// Section 7.2 and allowed by SP 800-135 Revision 1. -package ssh - -import ( - _ "crypto/internal/fips140/check" - "hash" -) - -type Direction struct { - ivTag []byte - keyTag []byte - macKeyTag []byte -} - -var ServerKeys, ClientKeys Direction - -func init() { - ServerKeys = Direction{[]byte{'B'}, []byte{'D'}, []byte{'F'}} - ClientKeys = Direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}} -} - -func Keys[Hash hash.Hash](hash func() Hash, d Direction, - K, H, sessionID []byte, - ivKeyLen, keyLen, macKeyLen int, -) (ivKey, key, macKey []byte) { - - h := hash() - generateKeyMaterial := func(tag []byte, length int) []byte { - var key []byte - for len(key) < length { - h.Reset() - h.Write(K) - h.Write(H) - if len(key) == 0 { - h.Write(tag) - h.Write(sessionID) - } else { - h.Write(key) - } - key = h.Sum(key) - } - return key[:length] - } - - ivKey = generateKeyMaterial(d.ivTag, ivKeyLen) - key = generateKeyMaterial(d.keyTag, keyLen) - macKey = generateKeyMaterial(d.macKeyTag, macKeyLen) - - return -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ssh/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/ssh/ya.make deleted file mode 100644 index 05e592757ee..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ssh/ya.make +++ /dev/null @@ -1,12 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - kdf.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/constant_time.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/constant_time.go deleted file mode 100644 index fa7a002d3fa..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/constant_time.go +++ /dev/null @@ -1,96 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package subtle - -import ( - "crypto/internal/fips140deps/byteorder" - "math/bits" -) - -// ConstantTimeCompare returns 1 if the two slices, x and y, have equal contents -// and 0 otherwise. The time taken is a function of the length of the slices and -// is independent of the contents. If the lengths of x and y do not match it -// returns 0 immediately. -func ConstantTimeCompare(x, y []byte) int { - if len(x) != len(y) { - return 0 - } - - var v byte - - for i := 0; i < len(x); i++ { - v |= x[i] ^ y[i] - } - - return ConstantTimeByteEq(v, 0) -} - -// ConstantTimeLessOrEqBytes returns 1 if x <= y and 0 otherwise. The comparison -// is lexigraphical, or big-endian. The time taken is a function of the length of -// the slices and is independent of the contents. If the lengths of x and y do not -// match it returns 0 immediately. -func ConstantTimeLessOrEqBytes(x, y []byte) int { - if len(x) != len(y) { - return 0 - } - - // Do a constant time subtraction chain y - x. - // If there is no borrow at the end, then x <= y. - var b uint64 - for len(x) > 8 { - x0 := byteorder.BEUint64(x[len(x)-8:]) - y0 := byteorder.BEUint64(y[len(y)-8:]) - _, b = bits.Sub64(y0, x0, b) - x = x[:len(x)-8] - y = y[:len(y)-8] - } - if len(x) > 0 { - xb := make([]byte, 8) - yb := make([]byte, 8) - copy(xb[8-len(x):], x) - copy(yb[8-len(y):], y) - x0 := byteorder.BEUint64(xb) - y0 := byteorder.BEUint64(yb) - _, b = bits.Sub64(y0, x0, b) - } - return int(b ^ 1) -} - -// ConstantTimeSelect returns x if v == 1 and y if v == 0. -// Its behavior is undefined if v takes any other value. -func ConstantTimeSelect(v, x, y int) int { return ^(v-1)&x | (v-1)&y } - -// ConstantTimeByteEq returns 1 if x == y and 0 otherwise. -func ConstantTimeByteEq(x, y uint8) int { - return int((uint32(x^y) - 1) >> 31) -} - -// ConstantTimeEq returns 1 if x == y and 0 otherwise. -func ConstantTimeEq(x, y int32) int { - return int((uint64(uint32(x^y)) - 1) >> 63) -} - -// ConstantTimeCopy copies the contents of y into x (a slice of equal length) -// if v == 1. If v == 0, x is left unchanged. Its behavior is undefined if v -// takes any other value. -func ConstantTimeCopy(v int, x, y []byte) { - if len(x) != len(y) { - panic("subtle: slices have different lengths") - } - - xmask := byte(v - 1) - ymask := byte(^(v - 1)) - for i := 0; i < len(x); i++ { - x[i] = x[i]&xmask | y[i]&ymask - } -} - -// ConstantTimeLessOrEq returns 1 if x <= y and 0 otherwise. -// Its behavior is undefined if x or y are negative or > 2**31 - 1. -func ConstantTimeLessOrEq(x, y int) int { - x32 := int32(x) - y32 := int32(y) - return int(((x32 - y32 - 1) >> 31) & 1) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor.go deleted file mode 100644 index b1e22ff36e3..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor.go +++ /dev/null @@ -1,30 +0,0 @@ -// Copyright 2022 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package subtle - -import "crypto/internal/fips140/alias" - -// XORBytes sets dst[i] = x[i] ^ y[i] for all i < n = min(len(x), len(y)), -// returning n, the number of bytes written to dst. -// -// If dst does not have length at least n, -// XORBytes panics without writing anything to dst. -// -// dst and x or y may overlap exactly or not at all, -// otherwise XORBytes may panic. -func XORBytes(dst, x, y []byte) int { - n := min(len(x), len(y)) - if n == 0 { - return 0 - } - if n > len(dst) { - panic("subtle.XORBytes: dst too short") - } - if alias.InexactOverlap(dst[:n], x[:n]) || alias.InexactOverlap(dst[:n], y[:n]) { - panic("subtle.XORBytes: invalid overlap") - } - xorBytes(&dst[0], &x[0], &y[0], n) // arch-specific - return n -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_amd64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_amd64.s deleted file mode 100644 index 949424f87ae..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_amd64.s +++ /dev/null @@ -1,58 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func xorBytes(dst, a, b *byte, n int) -TEXT ·xorBytes(SB), NOSPLIT, $0 - MOVQ dst+0(FP), BX - MOVQ a+8(FP), SI - MOVQ b+16(FP), CX - MOVQ n+24(FP), DX - TESTQ $15, DX // AND 15 & len, if not zero jump to not_aligned. - JNZ not_aligned - -aligned: - MOVQ $0, AX // position in slices - - PCALIGN $16 -loop16b: - MOVOU (SI)(AX*1), X0 // XOR 16byte forwards. - MOVOU (CX)(AX*1), X1 - PXOR X1, X0 - MOVOU X0, (BX)(AX*1) - ADDQ $16, AX - CMPQ DX, AX - JNE loop16b - RET - - PCALIGN $16 -loop_1b: - SUBQ $1, DX // XOR 1byte backwards. - MOVB (SI)(DX*1), DI - MOVB (CX)(DX*1), AX - XORB AX, DI - MOVB DI, (BX)(DX*1) - TESTQ $7, DX // AND 7 & len, if not zero jump to loop_1b. - JNZ loop_1b - CMPQ DX, $0 // if len is 0, ret. - JE ret - TESTQ $15, DX // AND 15 & len, if zero jump to aligned. - JZ aligned - -not_aligned: - TESTQ $7, DX // AND $7 & len, if not zero jump to loop_1b. - JNE loop_1b - SUBQ $8, DX // XOR 8bytes backwards. - MOVQ (SI)(DX*1), DI - MOVQ (CX)(DX*1), AX - XORQ AX, DI - MOVQ DI, (BX)(DX*1) - CMPQ DX, $16 // if len is greater or equal 16 here, it must be aligned. - JGE aligned - -ret: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_arm64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_arm64.s deleted file mode 100644 index 76321645d77..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_arm64.s +++ /dev/null @@ -1,69 +0,0 @@ -// Copyright 2020 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func xorBytes(dst, a, b *byte, n int) -TEXT ·xorBytes(SB), NOSPLIT|NOFRAME, $0 - MOVD dst+0(FP), R0 - MOVD a+8(FP), R1 - MOVD b+16(FP), R2 - MOVD n+24(FP), R3 - CMP $64, R3 - BLT tail -loop_64: - VLD1.P 64(R1), [V0.B16, V1.B16, V2.B16, V3.B16] - VLD1.P 64(R2), [V4.B16, V5.B16, V6.B16, V7.B16] - VEOR V0.B16, V4.B16, V4.B16 - VEOR V1.B16, V5.B16, V5.B16 - VEOR V2.B16, V6.B16, V6.B16 - VEOR V3.B16, V7.B16, V7.B16 - VST1.P [V4.B16, V5.B16, V6.B16, V7.B16], 64(R0) - SUBS $64, R3 - CMP $64, R3 - BGE loop_64 -tail: - // quick end - CBZ R3, end - TBZ $5, R3, less_than32 - VLD1.P 32(R1), [V0.B16, V1.B16] - VLD1.P 32(R2), [V2.B16, V3.B16] - VEOR V0.B16, V2.B16, V2.B16 - VEOR V1.B16, V3.B16, V3.B16 - VST1.P [V2.B16, V3.B16], 32(R0) -less_than32: - TBZ $4, R3, less_than16 - LDP.P 16(R1), (R11, R12) - LDP.P 16(R2), (R13, R14) - EOR R11, R13, R13 - EOR R12, R14, R14 - STP.P (R13, R14), 16(R0) -less_than16: - TBZ $3, R3, less_than8 - MOVD.P 8(R1), R11 - MOVD.P 8(R2), R12 - EOR R11, R12, R12 - MOVD.P R12, 8(R0) -less_than8: - TBZ $2, R3, less_than4 - MOVWU.P 4(R1), R13 - MOVWU.P 4(R2), R14 - EORW R13, R14, R14 - MOVWU.P R14, 4(R0) -less_than4: - TBZ $1, R3, less_than2 - MOVHU.P 2(R1), R15 - MOVHU.P 2(R2), R16 - EORW R15, R16, R16 - MOVHU.P R16, 2(R0) -less_than2: - TBZ $0, R3, end - MOVBU (R1), R17 - MOVBU (R2), R19 - EORW R17, R19, R19 - MOVBU R19, (R0) -end: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_asm.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_asm.go deleted file mode 100644 index bb85aefef40..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_asm.go +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (amd64 || arm64 || ppc64 || ppc64le || riscv64) && !purego - -package subtle - -//go:noescape -func xorBytes(dst, a, b *byte, n int) diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_generic.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_generic.go deleted file mode 100644 index 0b31eec6019..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_generic.go +++ /dev/null @@ -1,64 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!amd64 && !arm64 && !loong64 && !ppc64 && !ppc64le && !riscv64) || purego - -package subtle - -import ( - "runtime" - "unsafe" -) - -const wordSize = unsafe.Sizeof(uintptr(0)) - -const supportsUnaligned = runtime.GOARCH == "386" || - runtime.GOARCH == "amd64" || - runtime.GOARCH == "ppc64" || - runtime.GOARCH == "ppc64le" || - runtime.GOARCH == "s390x" - -func xorBytes(dstb, xb, yb *byte, n int) { - // xorBytes assembly is written using pointers and n. Back to slices. - dst := unsafe.Slice(dstb, n) - x := unsafe.Slice(xb, n) - y := unsafe.Slice(yb, n) - - if supportsUnaligned || aligned(dstb, xb, yb) { - xorLoop(words(dst), words(x), words(y)) - if uintptr(n)%wordSize == 0 { - return - } - done := n &^ int(wordSize-1) - dst = dst[done:] - x = x[done:] - y = y[done:] - } - xorLoop(dst, x, y) -} - -// aligned reports whether dst, x, and y are all word-aligned pointers. -func aligned(dst, x, y *byte) bool { - return (uintptr(unsafe.Pointer(dst))|uintptr(unsafe.Pointer(x))|uintptr(unsafe.Pointer(y)))&(wordSize-1) == 0 -} - -// words returns a []uintptr pointing at the same data as x, -// with any trailing partial word removed. -func words(x []byte) []uintptr { - n := uintptr(len(x)) / wordSize - if n == 0 { - // Avoid creating a *uintptr that refers to data smaller than a uintptr; - // see issue 59334. - return nil - } - return unsafe.Slice((*uintptr)(unsafe.Pointer(&x[0])), n) -} - -func xorLoop[T byte | uintptr](dst, x, y []T) { - x = x[:len(dst)] // remove bounds check in loop - y = y[:len(dst)] // remove bounds check in loop - for i := range dst { - dst[i] = x[i] ^ y[i] - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_loong64.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_loong64.go deleted file mode 100644 index ad66824d886..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_loong64.go +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright 2025 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -package subtle - -import ( - "crypto/internal/fips140deps/cpu" - "crypto/internal/impl" -) - -var useLSX = cpu.LOONG64HasLSX -var useLASX = cpu.LOONG64HasLASX - -func init() { - impl.Register("subtle", "LSX", &useLSX) - impl.Register("subtle", "LASX", &useLASX) -} - -//go:noescape -func xorBytesBasic(dst, a, b *byte, n int) - -//go:noescape -func xorBytesLSX(dst, a, b *byte, n int) - -//go:noescape -func xorBytesLASX(dst, a, b *byte, n int) - -func xorBytes(dst, a, b *byte, n int) { - if useLASX { - xorBytesLASX(dst, a, b, n) - } else if useLSX { - xorBytesLSX(dst, a, b, n) - } else { - xorBytesBasic(dst, a, b, n) - } -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_loong64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_loong64.s deleted file mode 100644 index 36c18a62777..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_loong64.s +++ /dev/null @@ -1,409 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -#define SMALL_TAIL \ - SGTU $2, R7, R8; \ - BNE R8, xor_1; \ - SGTU $4, R7, R8; \ - BNE R8, xor_2; \ - SGTU $8, R7, R8; \ - BNE R8, xor_4; \ - SGTU $16, R7, R8; \ - BNE R8, xor_8; \ - -#define SMALL \ -xor_8_check:; \ - SGTU $8, R7, R8; \ - BNE R8, xor_4_check; \ -xor_8:; \ - SUBV $8, R7; \ - MOVV (R5), R10; \ - MOVV (R6), R11; \ - XOR R10, R11; \ - MOVV R11, (R4); \ - ADDV $8, R5; \ - ADDV $8, R6; \ - ADDV $8, R4; \ - BEQ R7, R0, end; \ -xor_4_check:; \ - SGTU $4, R7, R8; \ - BNE R8, xor_2_check; \ -xor_4:; \ - SUBV $4, R7; \ - MOVW (R5), R10; \ - MOVW (R6), R11; \ - XOR R10, R11; \ - MOVW R11, (R4); \ - ADDV $4, R5; \ - ADDV $4, R6; \ - ADDV $4, R4; \ - BEQ R7, R0, end; \ -xor_2_check:; \ - SGTU $2, R7, R8; \ - BNE R8, xor_1; \ -xor_2:; \ - SUBV $2, R7; \ - MOVH (R5), R10; \ - MOVH (R6), R11; \ - XOR R10, R11; \ - MOVH R11, (R4); \ - ADDV $2, R5; \ - ADDV $2, R6; \ - ADDV $2, R4; \ - BEQ R7, R0, end; \ -xor_1:; \ - MOVB (R5), R10; \ - MOVB (R6), R11; \ - XOR R10, R11; \ - MOVB R11, (R4); \ - -// func xorBytesBasic(dst, a, b *byte, n int) -TEXT ·xorBytesBasic(SB), NOSPLIT, $0 - MOVV dst+0(FP), R4 - MOVV a+8(FP), R5 - MOVV b+16(FP), R6 - MOVV n+24(FP), R7 - - SMALL_TAIL - -xor_64_check: - SGTU $64, R7, R8 - BNE R8, xor_32_check -xor_64_loop: - SUBV $64, R7 - MOVV (R5), R10 - MOVV 8(R5), R11 - MOVV 16(R5), R12 - MOVV 24(R5), R13 - MOVV (R6), R14 - MOVV 8(R6), R15 - MOVV 16(R6), R16 - MOVV 24(R6), R17 - XOR R10, R14 - XOR R11, R15 - XOR R12, R16 - XOR R13, R17 - MOVV R14, (R4) - MOVV R15, 8(R4) - MOVV R16, 16(R4) - MOVV R17, 24(R4) - MOVV 32(R5), R10 - MOVV 40(R5), R11 - MOVV 48(R5), R12 - MOVV 56(R5), R13 - MOVV 32(R6), R14 - MOVV 40(R6), R15 - MOVV 48(R6), R16 - MOVV 56(R6), R17 - XOR R10, R14 - XOR R11, R15 - XOR R12, R16 - XOR R13, R17 - MOVV R14, 32(R4) - MOVV R15, 40(R4) - MOVV R16, 48(R4) - MOVV R17, 56(R4) - SGTU $64, R7, R8 - ADDV $64, R5 - ADDV $64, R6 - ADDV $64, R4 - BEQ R8, xor_64_loop - BEQ R7, end - -xor_32_check: - SGTU $32, R7, R8 - BNE R8, xor_16_check -xor_32: - SUBV $32, R7 - MOVV (R5), R10 - MOVV 8(R5), R11 - MOVV 16(R5), R12 - MOVV 24(R5), R13 - MOVV (R6), R14 - MOVV 8(R6), R15 - MOVV 16(R6), R16 - MOVV 24(R6), R17 - XOR R10, R14 - XOR R11, R15 - XOR R12, R16 - XOR R13, R17 - MOVV R14, (R4) - MOVV R15, 8(R4) - MOVV R16, 16(R4) - MOVV R17, 24(R4) - ADDV $32, R5 - ADDV $32, R6 - ADDV $32, R4 - BEQ R7, R0, end - -xor_16_check: - SGTU $16, R7, R8 - BNE R8, xor_8_check -xor_16: - SUBV $16, R7 - MOVV (R5), R10 - MOVV 8(R5), R11 - MOVV (R6), R12 - MOVV 8(R6), R13 - XOR R10, R12 - XOR R11, R13 - MOVV R12, (R4) - MOVV R13, 8(R4) - ADDV $16, R5 - ADDV $16, R6 - ADDV $16, R4 - BEQ R7, R0, end - - SMALL -end: - RET - -// func xorBytesLSX(dst, a, b *byte, n int) -TEXT ·xorBytesLSX(SB), NOSPLIT, $0 - MOVV dst+0(FP), R4 - MOVV a+8(FP), R5 - MOVV b+16(FP), R6 - MOVV n+24(FP), R7 - - SMALL_TAIL - -xor_128_lsx_check: - SGTU $128, R7, R8 - BNE R8, xor_64_lsx_check -xor_128_lsx_loop: - SUBV $128, R7 - VMOVQ (R5), V0 - VMOVQ 16(R5), V1 - VMOVQ 32(R5), V2 - VMOVQ 48(R5), V3 - VMOVQ 64(R5), V4 - VMOVQ 80(R5), V5 - VMOVQ 96(R5), V6 - VMOVQ 112(R5), V7 - VMOVQ (R6), V8 - VMOVQ 16(R6), V9 - VMOVQ 32(R6), V10 - VMOVQ 48(R6), V11 - VMOVQ 64(R6), V12 - VMOVQ 80(R6), V13 - VMOVQ 96(R6), V14 - VMOVQ 112(R6), V15 - VXORV V0, V8, V8 - VXORV V1, V9, V9 - VXORV V2, V10, V10 - VXORV V3, V11, V11 - VXORV V4, V12, V12 - VXORV V5, V13, V13 - VXORV V6, V14, V14 - VXORV V7, V15, V15 - VMOVQ V8, (R4) - VMOVQ V9, 16(R4) - VMOVQ V10, 32(R4) - VMOVQ V11, 48(R4) - VMOVQ V12, 64(R4) - VMOVQ V13, 80(R4) - VMOVQ V14, 96(R4) - VMOVQ V15, 112(R4) - SGTU $128, R7, R8 - ADDV $128, R5 - ADDV $128, R6 - ADDV $128, R4 - BEQ R8, xor_128_lsx_loop - BEQ R7, end - -xor_64_lsx_check: - SGTU $64, R7, R8 - BNE R8, xor_32_lsx_check -xor_64_lsx: - SUBV $64, R7 - VMOVQ (R5), V0 - VMOVQ 16(R5), V1 - VMOVQ 32(R5), V2 - VMOVQ 48(R5), V3 - VMOVQ (R6), V4 - VMOVQ 16(R6), V5 - VMOVQ 32(R6), V6 - VMOVQ 48(R6), V7 - VXORV V0, V4, V4 - VXORV V1, V5, V5 - VXORV V2, V6, V6 - VXORV V3, V7, V7 - VMOVQ V4, (R4) - VMOVQ V5, 16(R4) - VMOVQ V6, 32(R4) - VMOVQ V7, 48(R4) - ADDV $64, R5 - ADDV $64, R6 - ADDV $64, R4 - BEQ R7, end - -xor_32_lsx_check: - SGTU $32, R7, R8 - BNE R8, xor_16_lsx_check -xor_32_lsx: - SUBV $32, R7 - VMOVQ (R5), V0 - VMOVQ 16(R5), V1 - VMOVQ (R6), V2 - VMOVQ 16(R6), V3 - VXORV V0, V2, V2 - VXORV V1, V3, V3 - VMOVQ V2, (R4) - VMOVQ V3, 16(R4) - ADDV $32, R5 - ADDV $32, R6 - ADDV $32, R4 - BEQ R7, end - -xor_16_lsx_check: - SGTU $16, R7, R8 - BNE R8, xor_8_check -xor_16_lsx: - SUBV $16, R7 - VMOVQ (R5), V0 - VMOVQ (R6), V1 - VXORV V0, V1, V1 - VMOVQ V1, (R4) - ADDV $16, R5 - ADDV $16, R6 - ADDV $16, R4 - BEQ R7, end - - SMALL -end: - RET - -// func xorBytesLASX(dst, a, b *byte, n int) -TEXT ·xorBytesLASX(SB), NOSPLIT, $0 - MOVV dst+0(FP), R4 - MOVV a+8(FP), R5 - MOVV b+16(FP), R6 - MOVV n+24(FP), R7 - - SMALL_TAIL - -xor_256_lasx_check: - SGTU $256, R7, R8 - BNE R8, xor_128_lasx_check -xor_256_lasx_loop: - SUBV $256, R7 - XVMOVQ (R5), X0 - XVMOVQ 32(R5), X1 - XVMOVQ 64(R5), X2 - XVMOVQ 96(R5), X3 - XVMOVQ 128(R5), X4 - XVMOVQ 160(R5), X5 - XVMOVQ 192(R5), X6 - XVMOVQ 224(R5), X7 - XVMOVQ (R6), X8 - XVMOVQ 32(R6), X9 - XVMOVQ 64(R6), X10 - XVMOVQ 96(R6), X11 - XVMOVQ 128(R6), X12 - XVMOVQ 160(R6), X13 - XVMOVQ 192(R6), X14 - XVMOVQ 224(R6), X15 - XVXORV X0, X8, X8 - XVXORV X1, X9, X9 - XVXORV X2, X10, X10 - XVXORV X3, X11, X11 - XVXORV X4, X12, X12 - XVXORV X5, X13, X13 - XVXORV X6, X14, X14 - XVXORV X7, X15, X15 - XVMOVQ X8, (R4) - XVMOVQ X9, 32(R4) - XVMOVQ X10, 64(R4) - XVMOVQ X11, 96(R4) - XVMOVQ X12, 128(R4) - XVMOVQ X13, 160(R4) - XVMOVQ X14, 192(R4) - XVMOVQ X15, 224(R4) - SGTU $256, R7, R8 - ADDV $256, R5 - ADDV $256, R6 - ADDV $256, R4 - BEQ R8, xor_256_lasx_loop - BEQ R7, end - -xor_128_lasx_check: - SGTU $128, R7, R8 - BNE R8, xor_64_lasx_check -xor_128_lasx: - SUBV $128, R7 - XVMOVQ (R5), X0 - XVMOVQ 32(R5), X1 - XVMOVQ 64(R5), X2 - XVMOVQ 96(R5), X3 - XVMOVQ (R6), X4 - XVMOVQ 32(R6), X5 - XVMOVQ 64(R6), X6 - XVMOVQ 96(R6), X7 - XVXORV X0, X4, X4 - XVXORV X1, X5, X5 - XVXORV X2, X6, X6 - XVXORV X3, X7, X7 - XVMOVQ X4, (R4) - XVMOVQ X5, 32(R4) - XVMOVQ X6, 64(R4) - XVMOVQ X7, 96(R4) - ADDV $128, R5 - ADDV $128, R6 - ADDV $128, R4 - BEQ R7, end - -xor_64_lasx_check: - SGTU $64, R7, R8 - BNE R8, xor_32_lasx_check -xor_64_lasx: - SUBV $64, R7 - XVMOVQ (R5), X0 - XVMOVQ 32(R5), X1 - XVMOVQ (R6), X2 - XVMOVQ 32(R6), X3 - XVXORV X0, X2, X2 - XVXORV X1, X3, X3 - XVMOVQ X2, (R4) - XVMOVQ X3, 32(R4) - ADDV $64, R5 - ADDV $64, R6 - ADDV $64, R4 - BEQ R7, end - -xor_32_lasx_check: - SGTU $32, R7, R8 - BNE R8, xor_16_lasx_check -xor_32_lasx: - SUBV $32, R7 - XVMOVQ (R5), X0 - XVMOVQ (R6), X1 - XVXORV X0, X1, X1 - XVMOVQ X1, (R4) - ADDV $32, R5 - ADDV $32, R6 - ADDV $32, R4 - BEQ R7, end - -xor_16_lasx_check: - SGTU $16, R7, R8 - BNE R8, xor_8_check -xor_16_lasx: - SUBV $16, R7 - VMOVQ (R5), V0 - VMOVQ (R6), V1 - VXORV V0, V1, V1 - VMOVQ V1, (R4) - ADDV $16, R5 - ADDV $16, R6 - ADDV $16, R4 - BEQ R7, end - - SMALL -end: - RET - diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_ppc64x.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_ppc64x.s deleted file mode 100644 index c1f72c5ced7..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_ppc64x.s +++ /dev/null @@ -1,142 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (ppc64 || ppc64le) && !purego - -#include "textflag.h" - -// func xorBytes(dst, a, b *byte, n int) -TEXT ·xorBytes(SB), NOSPLIT, $0 - MOVD dst+0(FP), R3 // R3 = dst - MOVD a+8(FP), R4 // R4 = a - MOVD b+16(FP), R5 // R5 = b - MOVD n+24(FP), R6 // R6 = n - - CMPU R6, $64, CR7 // Check if n ≥ 64 bytes - MOVD R0, R8 // R8 = index - CMPU R6, $8, CR6 // Check if 8 ≤ n < 64 bytes - BLE CR6, small // <= 8 - BLT CR7, xor32 // Case for 32 ≤ n < 64 bytes - - // Case for n ≥ 64 bytes -preloop64: - SRD $6, R6, R7 // Set up loop counter - MOVD R7, CTR - MOVD $16, R10 - MOVD $32, R14 - MOVD $48, R15 - ANDCC $63, R6, R9 // Check for tailing bytes for later - PCALIGN $16 - // Case for >= 64 bytes - // Process 64 bytes per iteration - // Load 4 vectors of a and b - // XOR the corresponding vectors - // from a and b and store the result -loop64: - LXVD2X (R4)(R8), VS32 - LXVD2X (R4)(R10), VS34 - LXVD2X (R4)(R14), VS36 - LXVD2X (R4)(R15), VS38 - LXVD2X (R5)(R8), VS33 - LXVD2X (R5)(R10), VS35 - LXVD2X (R5)(R14), VS37 - LXVD2X (R5)(R15), VS39 - XXLXOR VS32, VS33, VS32 - XXLXOR VS34, VS35, VS34 - XXLXOR VS36, VS37, VS36 - XXLXOR VS38, VS39, VS38 - STXVD2X VS32, (R3)(R8) - STXVD2X VS34, (R3)(R10) - STXVD2X VS36, (R3)(R14) - STXVD2X VS38, (R3)(R15) - ADD $64, R8 - ADD $64, R10 - ADD $64, R14 - ADD $64, R15 - BDNZ loop64 - BC 12,2,LR // BEQLR - MOVD R9, R6 - CMP R6, $8 - BLE small - // Case for 8 <= n < 64 bytes - // Process 32 bytes if available -xor32: - CMP R6, $32 - BLT xor16 - ADD $16, R8, R9 - LXVD2X (R4)(R8), VS32 - LXVD2X (R4)(R9), VS33 - LXVD2X (R5)(R8), VS34 - LXVD2X (R5)(R9), VS35 - XXLXOR VS32, VS34, VS32 - XXLXOR VS33, VS35, VS33 - STXVD2X VS32, (R3)(R8) - STXVD2X VS33, (R3)(R9) - ADD $32, R8 - ADD $-32, R6 - CMP R6, $8 - BLE small - // Case for 8 <= n < 32 bytes - // Process 16 bytes if available -xor16: - CMP R6, $16 - BLT xor8 - LXVD2X (R4)(R8), VS32 - LXVD2X (R5)(R8), VS33 - XXLXOR VS32, VS33, VS32 - STXVD2X VS32, (R3)(R8) - ADD $16, R8 - ADD $-16, R6 -small: - CMP R6, $0 - BC 12,2,LR // BEQLR -xor8: -#ifdef GOPPC64_power10 - SLD $56,R6,R17 - ADD R4,R8,R18 - ADD R5,R8,R19 - ADD R3,R8,R20 - LXVL R18,R17,V0 - LXVL R19,R17,V1 - VXOR V0,V1,V1 - STXVL V1,R20,R17 - RET -#else - CMP R6, $8 - BLT xor4 - // Case for 8 ≤ n < 16 bytes - MOVD (R4)(R8), R14 // R14 = a[i,...,i+7] - MOVD (R5)(R8), R15 // R15 = b[i,...,i+7] - XOR R14, R15, R16 // R16 = a[] ^ b[] - SUB $8, R6 // n = n - 8 - MOVD R16, (R3)(R8) // Store to dst - ADD $8, R8 -xor4: - CMP R6, $4 - BLT xor2 - MOVWZ (R4)(R8), R14 - MOVWZ (R5)(R8), R15 - XOR R14, R15, R16 - MOVW R16, (R3)(R8) - ADD $4,R8 - ADD $-4,R6 -xor2: - CMP R6, $2 - BLT xor1 - MOVHZ (R4)(R8), R14 - MOVHZ (R5)(R8), R15 - XOR R14, R15, R16 - MOVH R16, (R3)(R8) - ADD $2,R8 - ADD $-2,R6 -xor1: - CMP R6, $0 - BC 12,2,LR // BEQLR - MOVBZ (R4)(R8), R14 // R14 = a[i] - MOVBZ (R5)(R8), R15 // R15 = b[i] - XOR R14, R15, R16 // R16 = a[i] ^ b[i] - MOVB R16, (R3)(R8) // Store to dst -#endif -done: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_riscv64.s b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_riscv64.s deleted file mode 100644 index b5fa5dcef45..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/xor_riscv64.s +++ /dev/null @@ -1,169 +0,0 @@ -// Copyright 2025 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !purego - -#include "textflag.h" - -// func xorBytes(dst, a, b *byte, n int) -TEXT ·xorBytes(SB), NOSPLIT|NOFRAME, $0 - MOV dst+0(FP), X10 - MOV a+8(FP), X11 - MOV b+16(FP), X12 - MOV n+24(FP), X13 - - MOV $32, X15 - BLT X13, X15, loop4_check - - // Check alignment - if alignment differs we have to do one byte at a time. - AND $7, X10, X5 - AND $7, X11, X6 - AND $7, X12, X7 - BNE X5, X6, loop4_check - BNE X5, X7, loop4_check - BEQZ X5, loop64_check - - // Check one byte at a time until we reach 8 byte alignment. - MOV $8, X8 - SUB X5, X8 - SUB X8, X13 -align: - MOVBU 0(X11), X16 - MOVBU 0(X12), X17 - XOR X16, X17 - MOVB X17, 0(X10) - ADD $1, X10 - ADD $1, X11 - ADD $1, X12 - SUB $1, X8 - BNEZ X8, align - -loop64_check: - MOV $64, X15 - BLT X13, X15, tail32_check - PCALIGN $16 -loop64: - MOV 0(X11), X16 - MOV 0(X12), X17 - MOV 8(X11), X18 - MOV 8(X12), X19 - XOR X16, X17 - XOR X18, X19 - MOV X17, 0(X10) - MOV X19, 8(X10) - MOV 16(X11), X20 - MOV 16(X12), X21 - MOV 24(X11), X22 - MOV 24(X12), X23 - XOR X20, X21 - XOR X22, X23 - MOV X21, 16(X10) - MOV X23, 24(X10) - MOV 32(X11), X16 - MOV 32(X12), X17 - MOV 40(X11), X18 - MOV 40(X12), X19 - XOR X16, X17 - XOR X18, X19 - MOV X17, 32(X10) - MOV X19, 40(X10) - MOV 48(X11), X20 - MOV 48(X12), X21 - MOV 56(X11), X22 - MOV 56(X12), X23 - XOR X20, X21 - XOR X22, X23 - MOV X21, 48(X10) - MOV X23, 56(X10) - ADD $64, X10 - ADD $64, X11 - ADD $64, X12 - SUB $64, X13 - BGE X13, X15, loop64 - BEQZ X13, done - -tail32_check: - MOV $32, X15 - BLT X13, X15, tail16_check - MOV 0(X11), X16 - MOV 0(X12), X17 - MOV 8(X11), X18 - MOV 8(X12), X19 - XOR X16, X17 - XOR X18, X19 - MOV X17, 0(X10) - MOV X19, 8(X10) - MOV 16(X11), X20 - MOV 16(X12), X21 - MOV 24(X11), X22 - MOV 24(X12), X23 - XOR X20, X21 - XOR X22, X23 - MOV X21, 16(X10) - MOV X23, 24(X10) - ADD $32, X10 - ADD $32, X11 - ADD $32, X12 - SUB $32, X13 - BEQZ X13, done - -tail16_check: - MOV $16, X15 - BLT X13, X15, loop4_check - MOV 0(X11), X16 - MOV 0(X12), X17 - MOV 8(X11), X18 - MOV 8(X12), X19 - XOR X16, X17 - XOR X18, X19 - MOV X17, 0(X10) - MOV X19, 8(X10) - ADD $16, X10 - ADD $16, X11 - ADD $16, X12 - SUB $16, X13 - BEQZ X13, done - -loop4_check: - MOV $4, X15 - BLT X13, X15, loop1 - PCALIGN $16 -loop4: - MOVBU 0(X11), X16 - MOVBU 0(X12), X17 - MOVBU 1(X11), X18 - MOVBU 1(X12), X19 - XOR X16, X17 - XOR X18, X19 - MOVB X17, 0(X10) - MOVB X19, 1(X10) - MOVBU 2(X11), X20 - MOVBU 2(X12), X21 - MOVBU 3(X11), X22 - MOVBU 3(X12), X23 - XOR X20, X21 - XOR X22, X23 - MOVB X21, 2(X10) - MOVB X23, 3(X10) - ADD $4, X10 - ADD $4, X11 - ADD $4, X12 - SUB $4, X13 - BGE X13, X15, loop4 - - PCALIGN $16 -loop1: - BEQZ X13, done - MOVBU 0(X11), X16 - MOVBU 0(X12), X17 - XOR X16, X17 - MOVB X17, 0(X10) - ADD $1, X10 - ADD $1, X11 - ADD $1, X12 - SUB $1, X13 - JMP loop1 - -done: - RET diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/ya.make deleted file mode 100644 index c960bf29cf0..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/subtle/ya.make +++ /dev/null @@ -1,28 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - constant_time.go - xor.go - xor_arm64.s - xor_asm.go - ) -ELSEIF (OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - constant_time.go - xor.go - xor_amd64.s - xor_asm.go - ) -ELSEIF (OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - constant_time.go - xor.go - xor_generic.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls12/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/tls12/cast.go deleted file mode 100644 index d77bf413355..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls12/cast.go +++ /dev/null @@ -1,38 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package tls12 - -import ( - "bytes" - "crypto/internal/fips140" - _ "crypto/internal/fips140/check" - "crypto/internal/fips140/sha256" - "errors" -) - -func init() { - fips140.CAST("TLSv1.2-SHA2-256", func() error { - input := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - } - transcript := []byte{ - 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, - 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, - } - want := []byte{ - 0x8c, 0x3e, 0xed, 0xa7, 0x1c, 0x1b, 0x4c, 0xc0, - 0xa0, 0x44, 0x90, 0x75, 0xa8, 0x8e, 0xbc, 0x7c, - 0x5e, 0x1c, 0x4b, 0x1e, 0x4f, 0xe3, 0xc1, 0x06, - 0xeb, 0xdc, 0xc0, 0x5d, 0xc0, 0xc8, 0xec, 0xf3, - 0xe2, 0xb9, 0xd1, 0x03, 0x5e, 0xb2, 0x60, 0x5d, - 0x12, 0x68, 0x4f, 0x49, 0xdf, 0xa9, 0x9d, 0xcc, - } - if got := MasterSecret(sha256.New, input, transcript); !bytes.Equal(got, want) { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls12/tls12.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/tls12/tls12.go deleted file mode 100644 index 5b4dcae101f..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls12/tls12.go +++ /dev/null @@ -1,70 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package tls12 - -import ( - "crypto/internal/fips140" - "crypto/internal/fips140/hmac" - "crypto/internal/fips140/sha256" - "crypto/internal/fips140/sha512" - "hash" -) - -// PRF implements the TLS 1.2 pseudo-random function, as defined in RFC 5246, -// Section 5 and allowed by SP 800-135, Revision 1, Section 4.2.2. -func PRF[H hash.Hash](hash func() H, secret []byte, label string, seed []byte, keyLen int) []byte { - labelAndSeed := make([]byte, len(label)+len(seed)) - copy(labelAndSeed, label) - copy(labelAndSeed[len(label):], seed) - - result := make([]byte, keyLen) - pHash(hash, result, secret, labelAndSeed) - return result -} - -// pHash implements the P_hash function, as defined in RFC 5246, Section 5. -func pHash[H hash.Hash](hash func() H, result, secret, seed []byte) { - h := hmac.New(hash, secret) - h.Write(seed) - a := h.Sum(nil) - - for len(result) > 0 { - h.Reset() - h.Write(a) - h.Write(seed) - b := h.Sum(nil) - n := copy(result, b) - result = result[n:] - - h.Reset() - h.Write(a) - a = h.Sum(nil) - } -} - -const masterSecretLength = 48 -const extendedMasterSecretLabel = "extended master secret" - -// MasterSecret implements the TLS 1.2 extended master secret derivation, as -// defined in RFC 7627 and allowed by SP 800-135, Revision 1, Section 4.2.2. -func MasterSecret[H hash.Hash](hash func() H, preMasterSecret, transcript []byte) []byte { - // "The TLS 1.2 KDF is an approved KDF when the following conditions are - // satisfied: [...] (3) P_HASH uses either SHA-256, SHA-384 or SHA-512." - h := hash() - switch any(h).(type) { - case *sha256.Digest: - if h.Size() != 32 { - fips140.RecordNonApproved() - } - case *sha512.Digest: - if h.Size() != 46 && h.Size() != 64 { - fips140.RecordNonApproved() - } - default: - fips140.RecordNonApproved() - } - - return PRF(hash, preMasterSecret, extendedMasterSecretLabel, transcript, masterSecretLength) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls12/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/tls12/ya.make deleted file mode 100644 index 7df8f5c6268..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls12/ya.make +++ /dev/null @@ -1,13 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - tls12.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls13/cast.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/tls13/cast.go deleted file mode 100644 index ad1fe6e4602..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls13/cast.go +++ /dev/null @@ -1,37 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package tls13 - -import ( - "bytes" - "crypto/internal/fips140" - _ "crypto/internal/fips140/check" - "crypto/internal/fips140/sha256" - "errors" -) - -func init() { - fips140.CAST("TLSv1.3-SHA2-256", func() error { - input := []byte{ - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - } - want := []byte{ - 0x78, 0x20, 0x71, 0x75, 0x52, 0xfd, 0x47, 0x67, - 0xe1, 0x07, 0x5c, 0x83, 0x74, 0x2e, 0x49, 0x43, - 0xf7, 0xe3, 0x08, 0x6a, 0x2a, 0xcb, 0x96, 0xc7, - 0xa3, 0x1f, 0xe3, 0x23, 0x56, 0x6e, 0x14, 0x5b, - } - es := NewEarlySecret(sha256.New, nil) - hs := es.HandshakeSecret(nil) - ms := hs.MasterSecret() - transcript := sha256.New() - transcript.Write(input) - if got := ms.ResumptionMasterSecret(transcript); !bytes.Equal(got, want) { - return errors.New("unexpected result") - } - return nil - }) -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls13/tls13.go b/contrib/go/_std_1.25/src/crypto/internal/fips140/tls13/tls13.go deleted file mode 100644 index f2c2423a257..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls13/tls13.go +++ /dev/null @@ -1,178 +0,0 @@ -// Copyright 2024 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package tls13 implements the TLS 1.3 Key Schedule as specified in RFC 8446, -// Section 7.1 and allowed by FIPS 140-3 IG 2.4.B Resolution 7. -package tls13 - -import ( - "crypto/internal/fips140/hkdf" - "crypto/internal/fips140deps/byteorder" - "hash" -) - -// We don't set the service indicator in this package but we delegate that to -// the underlying functions because the TLS 1.3 KDF does not have a standard of -// its own. - -// ExpandLabel implements HKDF-Expand-Label from RFC 8446, Section 7.1. -func ExpandLabel[H hash.Hash](hash func() H, secret []byte, label string, context []byte, length int) []byte { - if len("tls13 ")+len(label) > 255 || len(context) > 255 { - // It should be impossible for this to panic: labels are fixed strings, - // and context is either a fixed-length computed hash, or parsed from a - // field which has the same length limitation. - // - // Another reasonable approach might be to return a randomized slice if - // we encounter an error, which would break the connection, but avoid - // panicking. This would perhaps be safer but significantly more - // confusing to users. - panic("tls13: label or context too long") - } - hkdfLabel := make([]byte, 0, 2+1+len("tls13 ")+len(label)+1+len(context)) - hkdfLabel = byteorder.BEAppendUint16(hkdfLabel, uint16(length)) - hkdfLabel = append(hkdfLabel, byte(len("tls13 ")+len(label))) - hkdfLabel = append(hkdfLabel, "tls13 "...) - hkdfLabel = append(hkdfLabel, label...) - hkdfLabel = append(hkdfLabel, byte(len(context))) - hkdfLabel = append(hkdfLabel, context...) - return hkdf.Expand(hash, secret, string(hkdfLabel), length) -} - -func extract[H hash.Hash](hash func() H, newSecret, currentSecret []byte) []byte { - if newSecret == nil { - newSecret = make([]byte, hash().Size()) - } - return hkdf.Extract(hash, newSecret, currentSecret) -} - -func deriveSecret[H hash.Hash](hash func() H, secret []byte, label string, transcript hash.Hash) []byte { - if transcript == nil { - transcript = hash() - } - return ExpandLabel(hash, secret, label, transcript.Sum(nil), transcript.Size()) -} - -const ( - resumptionBinderLabel = "res binder" - clientEarlyTrafficLabel = "c e traffic" - clientHandshakeTrafficLabel = "c hs traffic" - serverHandshakeTrafficLabel = "s hs traffic" - clientApplicationTrafficLabel = "c ap traffic" - serverApplicationTrafficLabel = "s ap traffic" - earlyExporterLabel = "e exp master" - exporterLabel = "exp master" - resumptionLabel = "res master" -) - -type EarlySecret struct { - secret []byte - hash func() hash.Hash -} - -func NewEarlySecret[H hash.Hash](h func() H, psk []byte) *EarlySecret { - return &EarlySecret{ - secret: extract(h, psk, nil), - hash: func() hash.Hash { return h() }, - } -} - -func (s *EarlySecret) ResumptionBinderKey() []byte { - return deriveSecret(s.hash, s.secret, resumptionBinderLabel, nil) -} - -// ClientEarlyTrafficSecret derives the client_early_traffic_secret from the -// early secret and the transcript up to the ClientHello. -func (s *EarlySecret) ClientEarlyTrafficSecret(transcript hash.Hash) []byte { - return deriveSecret(s.hash, s.secret, clientEarlyTrafficLabel, transcript) -} - -type HandshakeSecret struct { - secret []byte - hash func() hash.Hash -} - -func (s *EarlySecret) HandshakeSecret(sharedSecret []byte) *HandshakeSecret { - derived := deriveSecret(s.hash, s.secret, "derived", nil) - return &HandshakeSecret{ - secret: extract(s.hash, sharedSecret, derived), - hash: s.hash, - } -} - -// ClientHandshakeTrafficSecret derives the client_handshake_traffic_secret from -// the handshake secret and the transcript up to the ServerHello. -func (s *HandshakeSecret) ClientHandshakeTrafficSecret(transcript hash.Hash) []byte { - return deriveSecret(s.hash, s.secret, clientHandshakeTrafficLabel, transcript) -} - -// ServerHandshakeTrafficSecret derives the server_handshake_traffic_secret from -// the handshake secret and the transcript up to the ServerHello. -func (s *HandshakeSecret) ServerHandshakeTrafficSecret(transcript hash.Hash) []byte { - return deriveSecret(s.hash, s.secret, serverHandshakeTrafficLabel, transcript) -} - -type MasterSecret struct { - secret []byte - hash func() hash.Hash -} - -func (s *HandshakeSecret) MasterSecret() *MasterSecret { - derived := deriveSecret(s.hash, s.secret, "derived", nil) - return &MasterSecret{ - secret: extract(s.hash, nil, derived), - hash: s.hash, - } -} - -// ClientApplicationTrafficSecret derives the client_application_traffic_secret_0 -// from the master secret and the transcript up to the server Finished. -func (s *MasterSecret) ClientApplicationTrafficSecret(transcript hash.Hash) []byte { - return deriveSecret(s.hash, s.secret, clientApplicationTrafficLabel, transcript) -} - -// ServerApplicationTrafficSecret derives the server_application_traffic_secret_0 -// from the master secret and the transcript up to the server Finished. -func (s *MasterSecret) ServerApplicationTrafficSecret(transcript hash.Hash) []byte { - return deriveSecret(s.hash, s.secret, serverApplicationTrafficLabel, transcript) -} - -// ResumptionMasterSecret derives the resumption_master_secret from the master secret -// and the transcript up to the client Finished. -func (s *MasterSecret) ResumptionMasterSecret(transcript hash.Hash) []byte { - return deriveSecret(s.hash, s.secret, resumptionLabel, transcript) -} - -type ExporterMasterSecret struct { - secret []byte - hash func() hash.Hash -} - -// ExporterMasterSecret derives the exporter_master_secret from the master secret -// and the transcript up to the server Finished. -func (s *MasterSecret) ExporterMasterSecret(transcript hash.Hash) *ExporterMasterSecret { - return &ExporterMasterSecret{ - secret: deriveSecret(s.hash, s.secret, exporterLabel, transcript), - hash: s.hash, - } -} - -// EarlyExporterMasterSecret derives the exporter_master_secret from the early secret -// and the transcript up to the ClientHello. -func (s *EarlySecret) EarlyExporterMasterSecret(transcript hash.Hash) *ExporterMasterSecret { - return &ExporterMasterSecret{ - secret: deriveSecret(s.hash, s.secret, earlyExporterLabel, transcript), - hash: s.hash, - } -} - -func (s *ExporterMasterSecret) Exporter(label string, context []byte, length int) []byte { - secret := deriveSecret(s.hash, s.secret, label, nil) - h := s.hash() - h.Write(context) - return ExpandLabel(s.hash, secret, "exporter", h.Sum(nil), length) -} - -func TestingOnlyExporterSecret(s *ExporterMasterSecret) []byte { - return s.secret -} diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls13/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/tls13/ya.make deleted file mode 100644 index e44109f4cf5..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/tls13/ya.make +++ /dev/null @@ -1,13 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - tls13.go - ) -ENDIF() -END() diff --git a/contrib/go/_std_1.25/src/crypto/internal/fips140/ya.make b/contrib/go/_std_1.25/src/crypto/internal/fips140/ya.make deleted file mode 100644 index 6fbd3d99540..00000000000 --- a/contrib/go/_std_1.25/src/crypto/internal/fips140/ya.make +++ /dev/null @@ -1,16 +0,0 @@ -# THIS FILE IS AUTOGENERATED, DO NOT EDIT !!! -# Generator: ya tool yamaker ym2; contrib/go/_std_{VER}/.yandex_meta/build.ym; contrib/go/yagogen/gen.py -# Docs: https://a.yandex-team.ru/arcadia/devtools/contrib/docs/toolchain_go.md - - -GO_LIBRARY() -IF (OS_DARWIN AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_DARWIN AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_AARCH64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM6 AND NOT RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND RACE AND NOT CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND CGO_ENABLED OR OS_LINUX AND ARCH_ARM7 AND NOT RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND RACE AND NOT CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND CGO_ENABLED OR OS_WINDOWS AND ARCH_X86_64 AND NOT RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND RACE AND NOT CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND CGO_ENABLED OR OS_ANDROID AND ARCH_ARM64 AND NOT RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND RACE AND NOT CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND CGO_ENABLED OR OS_EMSCRIPTEN AND ARCH_WASM32 AND NOT RACE AND NOT CGO_ENABLED) - SRCS( - cast.go - fips140.go - indicator.go - notasan.go - notboring.go - ) -ENDIF() -END() |