Add files using upload-large-folder tool

include/Openacc/cupti_openacc.h

@@ -0,0 +1,98 @@
+/*
+ * Copyright 2017 NVIDIA Corporation.  All rights reserved.
+ *
+ * NOTICE TO LICENSEE:
+ *
+ * This source code and/or documentation ("Licensed Deliverables") are
+ * subject to NVIDIA intellectual property rights under U.S. and
+ * international Copyright laws.
+ *
+ * These Licensed Deliverables contained herein is PROPRIETARY and
+ * CONFIDENTIAL to NVIDIA and is being provided under the terms and
+ * conditions of a form of NVIDIA software license agreement by and
+ * between NVIDIA and Licensee ("License Agreement") or electronically
+ * accepted by Licensee.  Notwithstanding any terms or conditions to
+ * the contrary in the License Agreement, reproduction or disclosure
+ * of the Licensed Deliverables to any third party without the express
+ * written consent of NVIDIA is prohibited.
+ *
+ * NOTWITHSTANDING ANY TERMS OR CONDITIONS TO THE CONTRARY IN THE
+ * LICENSE AGREEMENT, NVIDIA MAKES NO REPRESENTATION ABOUT THE
+ * SUITABILITY OF THESE LICENSED DELIVERABLES FOR ANY PURPOSE.  IT IS
+ * PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY OF ANY KIND.
+ * NVIDIA DISCLAIMS ALL WARRANTIES WITH REGARD TO THESE LICENSED
+ * DELIVERABLES, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY,
+ * NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
+ * NOTWITHSTANDING ANY TERMS OR CONDITIONS TO THE CONTRARY IN THE
+ * LICENSE AGREEMENT, IN NO EVENT SHALL NVIDIA BE LIABLE FOR ANY
+ * SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, OR ANY
+ * DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+ * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
+ * OF THESE LICENSED DELIVERABLES.
+ *
+ * U.S. Government End Users.  These Licensed Deliverables are a
+ * "commercial item" as that term is defined at 48 C.F.R. 2.101 (OCT
+ * 1995), consisting of "commercial computer software" and "commercial
+ * computer software documentation" as such terms are used in 48
+ * C.F.R. 12.212 (SEPT 1995) and is provided to the U.S. Government
+ * only as a commercial end item.  Consistent with 48 C.F.R.12.212 and
+ * 48 C.F.R. 227.7202-1 through 227.7202-4 (JUNE 1995), all
+ * U.S. Government End Users acquire the Licensed Deliverables with
+ * only those rights set forth herein.
+ *
+ * Any use of the Licensed Deliverables in individual and commercial
+ * software must include, in the user documentation and internal
+ * comments to the code, the above Disclaimer and U.S. Government End
+ * Users Notice.
+ */
+
+#include <cuda_stdint.h>
+
+#if !defined(_CUPTI_OPENACC_H_)
+#define _CUPTI_OPENACC_H_
+
+#ifndef CUPTIAPI
+#ifdef _WIN32
+#define CUPTIAPI __stdcall
+#else
+#define CUPTIAPI
+#endif
+#endif
+
+#if defined(__LP64__)
+#define CUPTILP64 1
+#elif defined(_WIN64)
+#define CUPTILP64 1
+#else
+#undef CUPTILP64
+#endif
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#if defined(__GNUC__) && defined(CUPTI_LIB)
+    #pragma GCC visibility push(default)
+#endif
+
+/**
+ * \brief Initialize OpenACC support
+ *
+ * \param profRegister function of type acc_prof_reg as obtained from acc_register_library
+ * \param profUnregister function of type acc_prof_reg as obtained from acc_register_library
+ * \param profLookup function of type acc_prof_lookup as obtained from acc_register_library
+ */
+CUptiResult CUPTIAPI
+cuptiOpenACCInitialize(void *profRegister, void *profUnregister, void *profLookup);
+
+#if defined(__GNUC__) && defined(CUPTI_LIB)
+    #pragma GCC visibility pop
+#endif
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif /*_CUPTI_OPENACC_H_*/
+

include/Openmp/cupti_openmp.h

@@ -0,0 +1,100 @@
+/*
+ * Copyright 2018 NVIDIA Corporation.  All rights reserved.
+ *
+ * NOTICE TO LICENSEE:
+ *
+ * This source code and/or documentation ("Licensed Deliverables") are
+ * subject to NVIDIA intellectual property rights under U.S. and
+ * international Copyright laws.
+ *
+ * These Licensed Deliverables contained herein is PROPRIETARY and
+ * CONFIDENTIAL to NVIDIA and is being provided under the terms and
+ * conditions of a form of NVIDIA software license agreement by and
+ * between NVIDIA and Licensee ("License Agreement") or electronically
+ * accepted by Licensee.  Notwithstanding any terms or conditions to
+ * the contrary in the License Agreement, reproduction or disclosure
+ * of the Licensed Deliverables to any third party without the express
+ * written consent of NVIDIA is prohibited.
+ *
+ * NOTWITHSTANDING ANY TERMS OR CONDITIONS TO THE CONTRARY IN THE
+ * LICENSE AGREEMENT, NVIDIA MAKES NO REPRESENTATION ABOUT THE
+ * SUITABILITY OF THESE LICENSED DELIVERABLES FOR ANY PURPOSE.  IT IS
+ * PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY OF ANY KIND.
+ * NVIDIA DISCLAIMS ALL WARRANTIES WITH REGARD TO THESE LICENSED
+ * DELIVERABLES, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY,
+ * NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
+ * NOTWITHSTANDING ANY TERMS OR CONDITIONS TO THE CONTRARY IN THE
+ * LICENSE AGREEMENT, IN NO EVENT SHALL NVIDIA BE LIABLE FOR ANY
+ * SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, OR ANY
+ * DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+ * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
+ * OF THESE LICENSED DELIVERABLES.
+ *
+ * U.S. Government End Users.  These Licensed Deliverables are a
+ * "commercial item" as that term is defined at 48 C.F.R. 2.101 (OCT
+ * 1995), consisting of "commercial computer software" and "commercial
+ * computer software documentation" as such terms are used in 48
+ * C.F.R. 12.212 (SEPT 1995) and is provided to the U.S. Government
+ * only as a commercial end item.  Consistent with 48 C.F.R.12.212 and
+ * 48 C.F.R. 227.7202-1 through 227.7202-4 (JUNE 1995), all
+ * U.S. Government End Users acquire the Licensed Deliverables with
+ * only those rights set forth herein.
+ *
+ * Any use of the Licensed Deliverables in individual and commercial
+ * software must include, in the user documentation and internal
+ * comments to the code, the above Disclaimer and U.S. Government End
+ * Users Notice.
+ */
+
+#include <cuda_stdint.h>
+#include "Openmp/omp-tools.h"
+
+#if !defined(_CUPTI_OPENMP_H_)
+#define _CUPTI_OPENMP_H_
+
+#ifndef CUPTIAPI
+#ifdef _WIN32
+#define CUPTIAPI __stdcall
+#else
+#define CUPTIAPI
+#endif
+#endif
+
+#if defined(__LP64__)
+#define CUPTILP64 1
+#elif defined(_WIN64)
+#define CUPTILP64 1
+#else
+#undef CUPTILP64
+#endif
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#if defined(__GNUC__) && defined(CUPTI_LIB)
+    #pragma GCC visibility push(default)
+#endif
+
+/**
+ * \brief Initialize OPENMP support (deprecated, used before OpenMP 5.0)
+ *
+ */
+int CUPTIAPI cuptiOpenMpInitialize(ompt_function_lookup_t ompt_fn_lookup, const char *runtime_version, unsigned int ompt_version);
+
+/**
+ * \brief Initialize OPENMP support
+ *
+ */
+int CUPTIAPI cuptiOpenMpInitialize_v2(ompt_function_lookup_t lookup, int initial_device_num, ompt_data_t *tool_data);
+
+#if defined(__GNUC__) && defined(CUPTI_LIB)
+    #pragma GCC visibility pop
+#endif
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif /*_CUPTI_OPENMP_H_*/

include/Openmp/omp-tools.h

@@ -0,0 +1,1083 @@
+/*
+ * include/50/omp-tools.h.var
+ */
+
+//===----------------------------------------------------------------------===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is dual licensed under the MIT and the University of Illinois Open
+// Source Licenses. See LICENSE.txt for details.
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef __OMPT__
+#define __OMPT__
+
+/*****************************************************************************
+ * system include files
+ *****************************************************************************/
+
+#include <stdint.h>
+#include <stddef.h>
+
+/*****************************************************************************
+ * iteration macros
+ *****************************************************************************/
+
+#define FOREACH_OMPT_INQUIRY_FN(macro)      \
+    macro (ompt_enumerate_states)           \
+    macro (ompt_enumerate_mutex_impls)      \
+                                            \
+    macro (ompt_set_callback)               \
+    macro (ompt_get_callback)               \
+                                            \
+    macro (ompt_get_state)                  \
+                                            \
+    macro (ompt_get_parallel_info)          \
+    macro (ompt_get_task_info)              \
+    macro (ompt_get_task_memory)            \
+    macro (ompt_get_thread_data)            \
+    macro (ompt_get_unique_id)              \
+    macro (ompt_finalize_tool)              \
+                                            \
+    macro(ompt_get_num_procs)               \
+    macro(ompt_get_num_places)              \
+    macro(ompt_get_place_proc_ids)          \
+    macro(ompt_get_place_num)               \
+    macro(ompt_get_partition_place_nums)    \
+    macro(ompt_get_proc_id)                 \
+                                            \
+    macro(ompt_get_target_info)             \
+    macro(ompt_get_num_devices)
+
+#define FOREACH_OMPT_STATE(macro)                                                                \
+                                                                                                \
+    /* first available state */                                                                 \
+    macro (ompt_state_undefined, 0x102)      /* undefined thread state */                        \
+                                                                                                \
+    /* work states (0..15) */                                                                   \
+    macro (ompt_state_work_serial, 0x000)    /* working outside parallel */                      \
+    macro (ompt_state_work_parallel, 0x001)  /* working within parallel */                       \
+    macro (ompt_state_work_reduction, 0x002) /* performing a reduction */                        \
+                                                                                                \
+    /* barrier wait states (16..31) */                                                          \
+    macro (ompt_state_wait_barrier, 0x010)   /* waiting at a barrier */                          \
+    macro (ompt_state_wait_barrier_implicit_parallel, 0x011)                                     \
+                                            /* implicit barrier at the end of parallel region */\
+    macro (ompt_state_wait_barrier_implicit_workshare, 0x012)                                    \
+                                            /* implicit barrier at the end of worksharing */    \
+    macro (ompt_state_wait_barrier_implicit, 0x013)  /* implicit barrier */                      \
+    macro (ompt_state_wait_barrier_explicit, 0x014)  /* explicit barrier */                      \
+                                                                                                \
+    /* task wait states (32..63) */                                                             \
+    macro (ompt_state_wait_taskwait, 0x020)  /* waiting at a taskwait */                         \
+    macro (ompt_state_wait_taskgroup, 0x021) /* waiting at a taskgroup */                        \
+                                                                                                \
+    /* mutex wait states (64..127) */                                                           \
+    macro (ompt_state_wait_mutex, 0x040)                                                         \
+    macro (ompt_state_wait_lock, 0x041)      /* waiting for lock */                              \
+    macro (ompt_state_wait_critical, 0x042)  /* waiting for critical */                          \
+    macro (ompt_state_wait_atomic, 0x043)    /* waiting for atomic */                            \
+    macro (ompt_state_wait_ordered, 0x044)   /* waiting for ordered */                           \
+                                                                                                \
+    /* target wait states (128..255) */                                                         \
+    macro (ompt_state_wait_target, 0x080)        /* waiting for target region */                 \
+    macro (ompt_state_wait_target_map, 0x081)    /* waiting for target data mapping operation */ \
+    macro (ompt_state_wait_target_update, 0x082) /* waiting for target update operation */       \
+                                                                                                \
+    /* misc (256..511) */                                                                       \
+    macro (ompt_state_idle, 0x100)           /* waiting for work */                              \
+    macro (ompt_state_overhead, 0x101)       /* overhead excluding wait states */                \
+                                                                                                \
+    /* implementation-specific states (512..) */
+
+
+#define FOREACH_KMP_MUTEX_IMPL(macro)                                                \
+    macro (kmp_mutex_impl_none, 0)         /* unknown implementation */              \
+    macro (kmp_mutex_impl_spin, 1)         /* based on spin */                       \
+    macro (kmp_mutex_impl_queuing, 2)      /* based on some fair policy */           \
+    macro (kmp_mutex_impl_speculative, 3)  /* based on HW-supported speculation */
+
+#define FOREACH_OMPT_EVENT(macro)                                                                                        \
+                                                                                                                         \
+    /*--- Mandatory Events ---*/                                                                                         \
+    macro (ompt_callback_thread_begin,      ompt_callback_thread_begin_t,       1) /* thread begin                    */ \
+    macro (ompt_callback_thread_end,        ompt_callback_thread_end_t,         2) /* thread end                      */ \
+                                                                                                                         \
+    macro (ompt_callback_parallel_begin,    ompt_callback_parallel_begin_t,     3) /* parallel begin                  */ \
+    macro (ompt_callback_parallel_end,      ompt_callback_parallel_end_t,       4) /* parallel end                    */ \
+                                                                                                                         \
+    macro (ompt_callback_task_create,       ompt_callback_task_create_t,        5) /* task begin                      */ \
+    macro (ompt_callback_task_schedule,     ompt_callback_task_schedule_t,      6) /* task schedule                   */ \
+    macro (ompt_callback_implicit_task,     ompt_callback_implicit_task_t,      7) /* implicit task                   */ \
+                                                                                                                         \
+    macro (ompt_callback_target,            ompt_callback_target_t,             8) /* target                          */ \
+    macro (ompt_callback_target_data_op,    ompt_callback_target_data_op_t,     9) /* target data op                  */ \
+    macro (ompt_callback_target_submit,     ompt_callback_target_submit_t,     10) /* target  submit                  */ \
+                                                                                                                         \
+    macro (ompt_callback_control_tool,      ompt_callback_control_tool_t,      11) /* control tool                    */ \
+                                                                                                                         \
+    macro (ompt_callback_device_initialize, ompt_callback_device_initialize_t, 12) /* device initialize               */ \
+    macro (ompt_callback_device_finalize,   ompt_callback_device_finalize_t,   13) /* device finalize                 */ \
+                                                                                                                         \
+    macro (ompt_callback_device_load,       ompt_callback_device_load_t,       14) /* device load                     */ \
+    macro (ompt_callback_device_unload,     ompt_callback_device_unload_t,     15) /* device unload                   */ \
+                                                                                                                         \
+    /* Optional Events */                                                                                                \
+    macro (ompt_callback_sync_region_wait,  ompt_callback_sync_region_t,       16) /* sync region wait begin or end   */ \
+                                                                                                                         \
+    macro (ompt_callback_mutex_released,    ompt_callback_mutex_t,             17) /* mutex released                  */ \
+                                                                                                                         \
+    macro (ompt_callback_dependences,       ompt_callback_dependences_t,       18) /* report task dependences         */ \
+    macro (ompt_callback_task_dependence,   ompt_callback_task_dependence_t,   19) /* report task dependence          */ \
+                                                                                                                         \
+    macro (ompt_callback_work,              ompt_callback_work_t,              20) /* task at work begin or end       */ \
+                                                                                                                         \
+    macro (ompt_callback_master,            ompt_callback_master_t,            21) /* task at master begin or end     */ \
+                                                                                                                         \
+    macro (ompt_callback_target_map,        ompt_callback_target_map_t,        22) /* target map                      */ \
+                                                                                                                         \
+    macro (ompt_callback_sync_region,       ompt_callback_sync_region_t,       23) /* sync region begin or end        */ \
+                                                                                                                         \
+    macro (ompt_callback_lock_init,         ompt_callback_mutex_acquire_t,     24) /* lock init                       */ \
+    macro (ompt_callback_lock_destroy,      ompt_callback_mutex_t,             25) /* lock destroy                    */ \
+                                                                                                                         \
+    macro (ompt_callback_mutex_acquire,     ompt_callback_mutex_acquire_t,     26) /* mutex acquire                   */ \
+    macro (ompt_callback_mutex_acquired,    ompt_callback_mutex_t,             27) /* mutex acquired                  */ \
+                                                                                                                         \
+    macro (ompt_callback_nest_lock,         ompt_callback_nest_lock_t,         28) /* nest lock                       */ \
+                                                                                                                         \
+    macro (ompt_callback_flush,             ompt_callback_flush_t,             29) /* after executing flush           */ \
+                                                                                                                         \
+    macro (ompt_callback_cancel,            ompt_callback_cancel_t,            30) /* cancel innermost binding region */ \
+                                                                                                                         \
+    macro (ompt_callback_reduction,         ompt_callback_sync_region_t,       31) /* reduction                       */ \
+                                                                                                                         \
+    macro (ompt_callback_dispatch,          ompt_callback_dispatch_t,          32) /* dispatch of work                */
+
+/*****************************************************************************
+ * implementation specific types
+ *****************************************************************************/
+
+typedef enum kmp_mutex_impl_t {
+#define kmp_mutex_impl_macro(impl, code) impl = code,
+    FOREACH_KMP_MUTEX_IMPL(kmp_mutex_impl_macro)
+#undef kmp_mutex_impl_macro
+} kmp_mutex_impl_t;
+
+/*****************************************************************************
+ * definitions generated from spec
+ *****************************************************************************/
+
+typedef enum ompt_callbacks_t {
+  ompt_callback_thread_begin             = 1,
+  ompt_callback_thread_end               = 2,
+  ompt_callback_parallel_begin           = 3,
+  ompt_callback_parallel_end             = 4,
+  ompt_callback_task_create              = 5,
+  ompt_callback_task_schedule            = 6,
+  ompt_callback_implicit_task            = 7,
+  ompt_callback_target                   = 8,
+  ompt_callback_target_data_op           = 9,
+  ompt_callback_target_submit            = 10,
+  ompt_callback_control_tool             = 11,
+  ompt_callback_device_initialize        = 12,
+  ompt_callback_device_finalize          = 13,
+  ompt_callback_device_load              = 14,
+  ompt_callback_device_unload            = 15,
+  ompt_callback_sync_region_wait         = 16,
+  ompt_callback_mutex_released           = 17,
+  ompt_callback_dependences              = 18,
+  ompt_callback_task_dependence          = 19,
+  ompt_callback_work                     = 20,
+  ompt_callback_master                   = 21,
+  ompt_callback_target_map               = 22,
+  ompt_callback_sync_region              = 23,
+  ompt_callback_lock_init                = 24,
+  ompt_callback_lock_destroy             = 25,
+  ompt_callback_mutex_acquire            = 26,
+  ompt_callback_mutex_acquired           = 27,
+  ompt_callback_nest_lock                = 28,
+  ompt_callback_flush                    = 29,
+  ompt_callback_cancel                   = 30,
+  ompt_callback_reduction                = 31,
+  ompt_callback_dispatch                 = 32
+} ompt_callbacks_t;
+
+typedef enum ompt_record_t {
+  ompt_record_ompt               = 1,
+  ompt_record_native             = 2,
+  ompt_record_invalid            = 3
+} ompt_record_t;
+
+typedef enum ompt_record_native_t {
+  ompt_record_native_info  = 1,
+  ompt_record_native_event = 2
+} ompt_record_native_t;
+
+typedef enum ompt_set_result_t {
+  ompt_set_error            = 0,
+  ompt_set_never            = 1,
+  ompt_set_impossible       = 2,
+  ompt_set_sometimes        = 3,
+  ompt_set_sometimes_paired = 4,
+  ompt_set_always           = 5
+} ompt_set_result_t;
+
+typedef uint64_t ompt_id_t;
+
+typedef uint64_t ompt_device_time_t;
+
+typedef uint64_t ompt_buffer_cursor_t;
+
+typedef enum ompt_thread_t {
+  ompt_thread_initial                 = 1,
+  ompt_thread_worker                  = 2,
+  ompt_thread_other                   = 3,
+  ompt_thread_unknown                 = 4
+} ompt_thread_t;
+
+typedef enum ompt_scope_endpoint_t {
+  ompt_scope_begin                    = 1,
+  ompt_scope_end                      = 2
+} ompt_scope_endpoint_t;
+
+typedef enum ompt_dispatch_t {
+  ompt_dispatch_iteration             = 1,
+  ompt_dispatch_section               = 2
+} ompt_dispatch_t;
+
+typedef enum ompt_sync_region_t {
+  ompt_sync_region_barrier                = 1,
+  ompt_sync_region_barrier_implicit       = 2,
+  ompt_sync_region_barrier_explicit       = 3,
+  ompt_sync_region_barrier_implementation = 4,
+  ompt_sync_region_taskwait               = 5,
+  ompt_sync_region_taskgroup              = 6,
+  ompt_sync_region_reduction              = 7
+} ompt_sync_region_t;
+
+typedef enum ompt_target_data_op_t {
+  ompt_target_data_alloc                = 1,
+  ompt_target_data_transfer_to_device   = 2,
+  ompt_target_data_transfer_from_device = 3,
+  ompt_target_data_delete               = 4,
+  ompt_target_data_associate            = 5,
+  ompt_target_data_disassociate         = 6
+} ompt_target_data_op_t;
+
+typedef enum ompt_work_t {
+  ompt_work_loop               = 1,
+  ompt_work_sections           = 2,
+  ompt_work_single_executor    = 3,
+  ompt_work_single_other       = 4,
+  ompt_work_workshare          = 5,
+  ompt_work_distribute         = 6,
+  ompt_work_taskloop           = 7
+} ompt_work_t;
+
+typedef enum ompt_mutex_t {
+  ompt_mutex_lock                     = 1,
+  ompt_mutex_test_lock                = 2,
+  ompt_mutex_nest_lock                = 3,
+  ompt_mutex_test_nest_lock           = 4,
+  ompt_mutex_critical                 = 5,
+  ompt_mutex_atomic                   = 6,
+  ompt_mutex_ordered                  = 7
+} ompt_mutex_t;
+
+typedef enum ompt_native_mon_flag_t {
+  ompt_native_data_motion_explicit    = 0x01,
+  ompt_native_data_motion_implicit    = 0x02,
+  ompt_native_kernel_invocation       = 0x04,
+  ompt_native_kernel_execution        = 0x08,
+  ompt_native_driver                  = 0x10,
+  ompt_native_runtime                 = 0x20,
+  ompt_native_overhead                = 0x40,
+  ompt_native_idleness                = 0x80
+} ompt_native_mon_flag_t;
+
+typedef enum ompt_task_flag_t {
+  ompt_task_initial                   = 0x00000001,
+  ompt_task_implicit                  = 0x00000002,
+  ompt_task_explicit                  = 0x00000004,
+  ompt_task_target                    = 0x00000008,
+  ompt_task_undeferred                = 0x08000000,
+  ompt_task_untied                    = 0x10000000,
+  ompt_task_final                     = 0x20000000,
+  ompt_task_mergeable                 = 0x40000000,
+  ompt_task_merged                    = 0x80000000
+} ompt_task_flag_t;
+
+typedef enum ompt_task_status_t {
+  ompt_task_complete      = 1,
+  ompt_task_yield         = 2,
+  ompt_task_cancel        = 3,
+  ompt_task_detach        = 4,
+  ompt_task_early_fulfill = 5,
+  ompt_task_late_fulfill  = 6,
+  ompt_task_switch        = 7
+} ompt_task_status_t;
+
+typedef enum ompt_target_t {
+  ompt_target                         = 1,
+  ompt_target_enter_data              = 2,
+  ompt_target_exit_data               = 3,
+  ompt_target_update                  = 4
+} ompt_target_t;
+
+typedef enum ompt_parallel_flag_t {
+  ompt_parallel_invoker_program = 0x00000001,
+  ompt_parallel_invoker_runtime = 0x00000002,
+  ompt_parallel_league          = 0x40000000,
+  ompt_parallel_team            = 0x80000000
+} ompt_parallel_flag_t;
+
+typedef enum ompt_target_map_flag_t {
+  ompt_target_map_flag_to             = 0x01,
+  ompt_target_map_flag_from           = 0x02,
+  ompt_target_map_flag_alloc          = 0x04,
+  ompt_target_map_flag_release        = 0x08,
+  ompt_target_map_flag_delete         = 0x10,
+  ompt_target_map_flag_implicit       = 0x20
+} ompt_target_map_flag_t;
+
+typedef enum ompt_dependence_type_t {
+  ompt_dependence_type_in              = 1,
+  ompt_dependence_type_out             = 2,
+  ompt_dependence_type_inout           = 3,
+  ompt_dependence_type_mutexinoutset   = 4,
+  ompt_dependence_type_source          = 5,
+  ompt_dependence_type_sink            = 6
+} ompt_dependence_type_t;
+
+typedef enum ompt_cancel_flag_t {
+  ompt_cancel_parallel       = 0x01,
+  ompt_cancel_sections       = 0x02,
+  ompt_cancel_loop           = 0x04,
+  ompt_cancel_taskgroup      = 0x08,
+  ompt_cancel_activated      = 0x10,
+  ompt_cancel_detected       = 0x20,
+  ompt_cancel_discarded_task = 0x40
+} ompt_cancel_flag_t;
+
+typedef uint64_t ompt_hwid_t;
+
+typedef uint64_t ompt_wait_id_t;
+
+typedef enum ompt_frame_flag_t {
+  ompt_frame_runtime        = 0x00,
+  ompt_frame_application    = 0x01,
+  ompt_frame_cfa            = 0x10,
+  ompt_frame_framepointer   = 0x20,
+  ompt_frame_stackaddress   = 0x30
+} ompt_frame_flag_t; 
+
+typedef enum ompt_state_t {
+  ompt_state_work_serial                      = 0x000,
+  ompt_state_work_parallel                    = 0x001,
+  ompt_state_work_reduction                   = 0x002,
+
+  ompt_state_wait_barrier                     = 0x010,
+  ompt_state_wait_barrier_implicit_parallel   = 0x011,
+  ompt_state_wait_barrier_implicit_workshare  = 0x012,
+  ompt_state_wait_barrier_implicit            = 0x013,
+  ompt_state_wait_barrier_explicit            = 0x014,
+
+  ompt_state_wait_taskwait                    = 0x020,
+  ompt_state_wait_taskgroup                   = 0x021,
+
+  ompt_state_wait_mutex                       = 0x040,
+  ompt_state_wait_lock                        = 0x041,
+  ompt_state_wait_critical                    = 0x042,
+  ompt_state_wait_atomic                      = 0x043,
+  ompt_state_wait_ordered                     = 0x044,
+
+  ompt_state_wait_target                      = 0x080,
+  ompt_state_wait_target_map                  = 0x081,
+  ompt_state_wait_target_update               = 0x082,
+
+  ompt_state_idle                             = 0x100,
+  ompt_state_overhead                         = 0x101,
+  ompt_state_undefined                        = 0x102
+} ompt_state_t;
+
+typedef uint64_t (*ompt_get_unique_id_t) (void);
+
+typedef uint64_t ompd_size_t;
+
+typedef uint64_t ompd_wait_id_t;
+
+typedef uint64_t ompd_addr_t;
+typedef int64_t  ompd_word_t;
+typedef uint64_t ompd_seg_t;
+
+typedef uint64_t ompd_device_t;
+
+typedef uint64_t ompd_thread_id_t;
+
+typedef enum ompd_scope_t {
+  ompd_scope_global = 1,
+  ompd_scope_address_space = 2,
+  ompd_scope_thread = 3,
+  ompd_scope_parallel = 4,
+  ompd_scope_implicit_task = 5,
+  ompd_scope_task = 6
+} ompd_scope_t;
+
+typedef uint64_t ompd_icv_id_t;
+
+typedef enum ompd_rc_t {
+  ompd_rc_ok = 0,
+  ompd_rc_unavailable = 1,
+  ompd_rc_stale_handle = 2,
+  ompd_rc_bad_input = 3,
+  ompd_rc_error = 4,
+  ompd_rc_unsupported = 5,
+  ompd_rc_needs_state_tracking = 6,
+  ompd_rc_incompatible = 7,
+  ompd_rc_device_read_error = 8,
+  ompd_rc_device_write_error = 9,
+  ompd_rc_nomem = 10,
+} ompd_rc_t;
+
+typedef void (*ompt_interface_fn_t) (void);
+
+typedef ompt_interface_fn_t (*ompt_function_lookup_t) (
+  const char *interface_function_name
+);
+
+typedef union ompt_data_t {
+  uint64_t value;
+  void *ptr;
+} ompt_data_t;
+
+typedef struct ompt_frame_t {
+  ompt_data_t exit_frame;
+  ompt_data_t enter_frame;
+  int exit_frame_flags;
+  int enter_frame_flags;
+} ompt_frame_t;
+
+typedef void (*ompt_callback_t) (void);
+
+typedef void ompt_device_t;
+
+typedef void ompt_buffer_t;
+
+typedef void (*ompt_callback_buffer_request_t) (
+  int device_num,
+  ompt_buffer_t **buffer,
+  size_t *bytes
+);
+
+typedef void (*ompt_callback_buffer_complete_t) (
+  int device_num,
+  ompt_buffer_t *buffer,
+  size_t bytes,
+  ompt_buffer_cursor_t begin,
+  int buffer_owned
+);
+
+typedef void (*ompt_finalize_t) (
+  ompt_data_t *tool_data
+);
+
+typedef int (*ompt_initialize_t) (
+  ompt_function_lookup_t lookup,
+  int initial_device_num,
+  ompt_data_t *tool_data
+);
+
+typedef struct ompt_start_tool_result_t {
+  ompt_initialize_t initialize;
+  ompt_finalize_t finalize;
+  ompt_data_t tool_data;
+} ompt_start_tool_result_t;
+
+typedef struct ompt_record_abstract_t {
+  ompt_record_native_t rclass;
+  const char *type;
+  ompt_device_time_t start_time;
+  ompt_device_time_t end_time;
+  ompt_hwid_t hwid;
+} ompt_record_abstract_t;
+
+typedef struct ompt_dependence_t {
+  ompt_data_t variable;
+  ompt_dependence_type_t dependence_type;
+} ompt_dependence_t;
+
+typedef int (*ompt_enumerate_states_t) (
+  int current_state,
+  int *next_state,
+  const char **next_state_name
+);
+
+typedef int (*ompt_enumerate_mutex_impls_t) (
+  int current_impl,
+  int *next_impl,
+  const char **next_impl_name
+);
+
+typedef ompt_set_result_t (*ompt_set_callback_t) (
+  ompt_callbacks_t event,
+  ompt_callback_t callback
+);
+
+typedef int (*ompt_get_callback_t) (
+  ompt_callbacks_t event,
+  ompt_callback_t *callback
+);
+
+typedef ompt_data_t *(*ompt_get_thread_data_t) (void);
+
+typedef int (*ompt_get_num_procs_t) (void);
+
+typedef int (*ompt_get_num_places_t) (void);
+
+typedef int (*ompt_get_place_proc_ids_t) (
+  int place_num,
+  int ids_size,
+  int *ids
+);
+
+typedef int (*ompt_get_place_num_t) (void);
+
+typedef int (*ompt_get_partition_place_nums_t) (
+  int place_nums_size,
+  int *place_nums
+);
+
+typedef int (*ompt_get_proc_id_t) (void);
+
+typedef int (*ompt_get_state_t) (
+  ompt_wait_id_t *wait_id
+);
+
+typedef int (*ompt_get_parallel_info_t) (
+  int ancestor_level,
+  ompt_data_t **parallel_data,
+  int *team_size
+);
+
+typedef int (*ompt_get_task_info_t) (
+  int ancestor_level,
+  int *flags,
+  ompt_data_t **task_data,
+  ompt_frame_t **task_frame,
+  ompt_data_t **parallel_data,
+  int *thread_num
+);
+
+typedef int (*ompt_get_task_memory_t)(
+  void **addr,
+  size_t *size,
+  int block
+);
+
+typedef int (*ompt_get_target_info_t) (
+  uint64_t *device_num,
+  ompt_id_t *target_id,
+  ompt_id_t *host_op_id
+);
+
+typedef int (*ompt_get_num_devices_t) (void);
+
+typedef void (*ompt_finalize_tool_t) (void);
+
+typedef int (*ompt_get_device_num_procs_t) (
+  ompt_device_t *device
+);
+
+typedef ompt_device_time_t (*ompt_get_device_time_t) (
+  ompt_device_t *device
+);
+
+typedef double (*ompt_translate_time_t) (
+  ompt_device_t *device,
+  ompt_device_time_t time
+);
+
+typedef ompt_set_result_t (*ompt_set_trace_ompt_t) (
+  ompt_device_t *device,
+  unsigned int enable,
+  unsigned int etype
+);
+
+typedef ompt_set_result_t (*ompt_set_trace_native_t) (
+  ompt_device_t *device,
+  int enable,
+  int flags
+);
+
+typedef int (*ompt_start_trace_t) (
+  ompt_device_t *device,
+  ompt_callback_buffer_request_t request,
+  ompt_callback_buffer_complete_t complete
+);
+
+typedef int (*ompt_pause_trace_t) (
+  ompt_device_t *device,
+  int begin_pause
+);
+
+typedef int (*ompt_flush_trace_t) (
+  ompt_device_t *device
+);
+
+typedef int (*ompt_stop_trace_t) (
+  ompt_device_t *device
+);
+
+typedef int (*ompt_advance_buffer_cursor_t) (
+  ompt_device_t *device,
+  ompt_buffer_t *buffer,
+  size_t size,
+  ompt_buffer_cursor_t current,
+  ompt_buffer_cursor_t *next
+);
+
+typedef ompt_record_t (*ompt_get_record_type_t) (
+  ompt_buffer_t *buffer,
+  ompt_buffer_cursor_t current
+);
+
+typedef void *(*ompt_get_record_native_t) (
+  ompt_buffer_t *buffer,
+  ompt_buffer_cursor_t current,
+  ompt_id_t *host_op_id
+);
+
+typedef ompt_record_abstract_t *
+(*ompt_get_record_abstract_t) (
+  void *native_record
+);
+
+typedef void (*ompt_callback_thread_begin_t) (
+  ompt_thread_t thread_type,
+  ompt_data_t *thread_data
+);
+
+typedef struct ompt_record_thread_begin_t {
+  ompt_thread_t thread_type;
+} ompt_record_thread_begin_t;
+
+typedef void (*ompt_callback_thread_end_t) (
+  ompt_data_t *thread_data
+);
+
+typedef void (*ompt_callback_parallel_begin_t) (
+  ompt_data_t *encountering_task_data,
+  const ompt_frame_t *encountering_task_frame,
+  ompt_data_t *parallel_data,
+  unsigned int requested_parallelism,
+  int flags,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_parallel_begin_t {
+  ompt_id_t encountering_task_id;
+  ompt_id_t parallel_id;
+  unsigned int requested_parallelism;
+  int flags;
+  const void *codeptr_ra;
+} ompt_record_parallel_begin_t;
+
+typedef void (*ompt_callback_parallel_end_t) (
+  ompt_data_t *parallel_data,
+  ompt_data_t *encountering_task_data,
+  int flags,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_parallel_end_t {
+  ompt_id_t parallel_id;
+  ompt_id_t encountering_task_id;
+  int flags;
+  const void *codeptr_ra;
+} ompt_record_parallel_end_t;
+
+typedef void (*ompt_callback_work_t) (
+  ompt_work_t wstype,
+  ompt_scope_endpoint_t endpoint,
+  ompt_data_t *parallel_data,
+  ompt_data_t *task_data,
+  uint64_t count,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_work_t {
+  ompt_work_t wstype;
+  ompt_scope_endpoint_t endpoint;
+  ompt_id_t parallel_id;
+  ompt_id_t task_id;
+  uint64_t count;
+  const void *codeptr_ra;
+} ompt_record_work_t;
+
+typedef void (*ompt_callback_dispatch_t) (
+  ompt_data_t *parallel_data,
+  ompt_data_t *task_data,
+  ompt_dispatch_t kind,
+  ompt_data_t instance 
+);
+
+typedef struct ompt_record_dispatch_t {
+  ompt_id_t parallel_id;
+  ompt_id_t task_id;
+  ompt_dispatch_t kind;
+  ompt_data_t instance; 
+} ompt_record_dispatch_t;
+
+typedef void (*ompt_callback_task_create_t) (
+  ompt_data_t *encountering_task_data,
+  const ompt_frame_t *encountering_task_frame,
+  ompt_data_t *new_task_data,
+  int flags,
+  int has_dependences,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_task_create_t {
+  ompt_id_t encountering_task_id;
+  ompt_id_t new_task_id;
+  int flags;
+  int has_dependences;
+  const void *codeptr_ra;
+} ompt_record_task_create_t;
+
+typedef void (*ompt_callback_dependences_t) (
+  ompt_data_t *task_data,
+  const ompt_dependence_t *deps,
+  int ndeps
+);
+
+typedef struct ompt_record_dependences_t {
+  ompt_id_t task_id;
+  ompt_dependence_t dep;
+  int ndeps;
+} ompt_record_dependences_t;
+
+typedef void (*ompt_callback_task_dependence_t) (
+  ompt_data_t *src_task_data,
+  ompt_data_t *sink_task_data
+);
+
+typedef struct ompt_record_task_dependence_t {
+  ompt_id_t src_task_id;
+  ompt_id_t sink_task_id;
+} ompt_record_task_dependence_t;
+
+typedef void (*ompt_callback_task_schedule_t) (
+  ompt_data_t *prior_task_data,
+  ompt_task_status_t prior_task_status,
+  ompt_data_t *next_task_data
+);
+
+typedef struct ompt_record_task_schedule_t {
+  ompt_id_t prior_task_id;
+  ompt_task_status_t prior_task_status;
+  ompt_id_t next_task_id;
+} ompt_record_task_schedule_t;
+
+typedef void (*ompt_callback_implicit_task_t) (
+  ompt_scope_endpoint_t endpoint,
+  ompt_data_t *parallel_data,
+  ompt_data_t *task_data,
+  unsigned int actual_parallelism,
+  unsigned int index,
+  int flags
+);
+
+typedef struct ompt_record_implicit_task_t {
+  ompt_scope_endpoint_t endpoint;
+  ompt_id_t parallel_id;
+  ompt_id_t task_id;
+  unsigned int actual_parallelism;
+  unsigned int index;
+  int flags;
+} ompt_record_implicit_task_t;
+
+typedef void (*ompt_callback_master_t) (
+  ompt_scope_endpoint_t endpoint,
+  ompt_data_t *parallel_data,
+  ompt_data_t *task_data,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_master_t {
+  ompt_scope_endpoint_t endpoint;
+  ompt_id_t parallel_id;
+  ompt_id_t task_id;
+  const void *codeptr_ra;
+} ompt_record_master_t;
+
+typedef void (*ompt_callback_sync_region_t) (
+  ompt_sync_region_t kind,
+  ompt_scope_endpoint_t endpoint,
+  ompt_data_t *parallel_data,
+  ompt_data_t *task_data,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_sync_region_t {
+  ompt_sync_region_t kind;
+  ompt_scope_endpoint_t endpoint;
+  ompt_id_t parallel_id;
+  ompt_id_t task_id;
+  const void *codeptr_ra;
+} ompt_record_sync_region_t;
+
+typedef void (*ompt_callback_mutex_acquire_t) (
+  ompt_mutex_t kind,
+  unsigned int hint,
+  unsigned int impl,
+  ompt_wait_id_t wait_id,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_mutex_acquire_t {
+  ompt_mutex_t kind;
+  unsigned int hint;
+  unsigned int impl;
+  ompt_wait_id_t wait_id;
+  const void *codeptr_ra;
+} ompt_record_mutex_acquire_t;
+
+typedef void (*ompt_callback_mutex_t) (
+  ompt_mutex_t kind,
+  ompt_wait_id_t wait_id,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_mutex_t {
+  ompt_mutex_t kind;
+  ompt_wait_id_t wait_id;
+  const void *codeptr_ra;
+} ompt_record_mutex_t;
+
+typedef void (*ompt_callback_nest_lock_t) (
+  ompt_scope_endpoint_t endpoint,
+  ompt_wait_id_t wait_id,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_nest_lock_t {
+  ompt_scope_endpoint_t endpoint;
+  ompt_wait_id_t wait_id;
+  const void *codeptr_ra;
+} ompt_record_nest_lock_t;
+
+typedef void (*ompt_callback_flush_t) (
+  ompt_data_t *thread_data,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_flush_t {
+  const void *codeptr_ra;
+} ompt_record_flush_t;
+
+typedef void (*ompt_callback_cancel_t) (
+  ompt_data_t *task_data,
+  int flags,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_cancel_t {
+  ompt_id_t task_id;
+  int flags;
+  const void *codeptr_ra;
+} ompt_record_cancel_t;
+
+typedef void (*ompt_callback_device_initialize_t) (
+  int device_num,
+  const char *type,
+  ompt_device_t *device,
+  ompt_function_lookup_t lookup,
+  const char *documentation
+);
+
+typedef void (*ompt_callback_device_finalize_t) (
+  int device_num
+);
+
+typedef void (*ompt_callback_device_load_t) (
+  int device_num,
+  const char *filename,
+  int64_t offset_in_file,
+  void *vma_in_file,
+  size_t bytes,
+  void *host_addr,
+  void *device_addr,
+  uint64_t module_id
+);
+
+typedef void (*ompt_callback_device_unload_t) (
+  int device_num,
+  uint64_t module_id
+);
+
+typedef void (*ompt_callback_target_data_op_t) (
+  ompt_id_t target_id,
+  ompt_id_t host_op_id,
+  ompt_target_data_op_t optype,
+  void *src_addr,
+  int src_device_num,
+  void *dest_addr,
+  int dest_device_num,
+  size_t bytes,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_target_data_op_t {
+  ompt_id_t host_op_id;
+  ompt_target_data_op_t optype;
+  void *src_addr;
+  int src_device_num;
+  void *dest_addr;
+  int dest_device_num;
+  size_t bytes;
+  ompt_device_time_t end_time;
+  const void *codeptr_ra;
+} ompt_record_target_data_op_t;
+
+typedef void (*ompt_callback_target_t) (
+  ompt_target_t kind,
+  ompt_scope_endpoint_t endpoint,
+  int device_num,
+  ompt_data_t *task_data,
+  ompt_id_t target_id,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_target_t {
+  ompt_target_t kind;
+  ompt_scope_endpoint_t endpoint;
+  int device_num;
+  ompt_id_t task_id;
+  ompt_id_t target_id;
+  const void *codeptr_ra;
+} ompt_record_target_t;
+
+typedef void (*ompt_callback_target_map_t) (
+  ompt_id_t target_id,
+  unsigned int nitems,
+  void **host_addr,
+  void **device_addr,
+  size_t *bytes,
+  unsigned int *mapping_flags,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_target_map_t {
+  ompt_id_t target_id;
+  unsigned int nitems;
+  void **host_addr;
+  void **device_addr;
+  size_t *bytes;
+  unsigned int *mapping_flags;
+  const void *codeptr_ra;
+} ompt_record_target_map_t;
+
+typedef void (*ompt_callback_target_submit_t) (
+  ompt_id_t target_id,
+  ompt_id_t host_op_id,
+  unsigned int requested_num_teams
+);
+
+typedef struct ompt_record_target_kernel_t {
+  ompt_id_t host_op_id;
+  unsigned int requested_num_teams;
+  unsigned int granted_num_teams;
+  ompt_device_time_t end_time;
+} ompt_record_target_kernel_t;
+
+typedef int (*ompt_callback_control_tool_t) (
+  uint64_t command,
+  uint64_t modifier,
+  void *arg,
+  const void *codeptr_ra
+);
+
+typedef struct ompt_record_control_tool_t {
+  uint64_t command;
+  uint64_t modifier;
+  const void *codeptr_ra;
+} ompt_record_control_tool_t;
+
+typedef struct ompd_address_t {
+  ompd_seg_t segment;
+  ompd_addr_t address;
+} ompd_address_t;
+
+typedef struct ompd_frame_info_t {
+  ompd_address_t frame_address;
+  ompd_word_t frame_flag;
+} ompd_frame_info_t;
+
+typedef struct _ompd_aspace_handle ompd_address_space_handle_t;
+typedef struct _ompd_thread_handle ompd_thread_handle_t;
+typedef struct _ompd_parallel_handle ompd_parallel_handle_t;
+typedef struct _ompd_task_handle ompd_task_handle_t;
+
+typedef struct _ompd_aspace_cont ompd_address_space_context_t;
+typedef struct _ompd_thread_cont ompd_thread_context_t;
+
+typedef struct ompd_device_type_sizes_t {
+  uint8_t sizeof_char;
+  uint8_t sizeof_short;
+  uint8_t sizeof_int;
+  uint8_t sizeof_long;
+  uint8_t sizeof_long_long;
+  uint8_t sizeof_pointer;
+} ompd_device_type_sizes_t;
+
+typedef struct ompt_record_ompt_t {
+  ompt_callbacks_t type;
+  ompt_device_time_t time;
+  ompt_id_t thread_id;
+  ompt_id_t target_id;
+  union {
+    ompt_record_thread_begin_t thread_begin;
+    ompt_record_parallel_begin_t parallel_begin;
+    ompt_record_parallel_end_t parallel_end;
+    ompt_record_work_t work;
+    ompt_record_dispatch_t dispatch;
+    ompt_record_task_create_t task_create;
+    ompt_record_dependences_t dependences;
+    ompt_record_task_dependence_t task_dependence;
+    ompt_record_task_schedule_t task_schedule;
+    ompt_record_implicit_task_t implicit_task;
+    ompt_record_master_t master;
+    ompt_record_sync_region_t sync_region;
+    ompt_record_mutex_acquire_t mutex_acquire;
+    ompt_record_mutex_t mutex;
+    ompt_record_nest_lock_t nest_lock;
+    ompt_record_flush_t flush;
+    ompt_record_cancel_t cancel;
+    ompt_record_target_t target;
+    ompt_record_target_data_op_t target_data_op;
+    ompt_record_target_map_t target_map;
+    ompt_record_target_kernel_t target_kernel;
+    ompt_record_control_tool_t control_tool;
+  } record;
+} ompt_record_ompt_t;
+
+typedef ompt_record_ompt_t *(*ompt_get_record_ompt_t) (
+  ompt_buffer_t *buffer,
+  ompt_buffer_cursor_t current
+);
+
+#define ompt_id_none 0
+#define ompt_data_none {0}
+#define ompt_time_none 0
+#define ompt_hwid_none 0
+#define ompt_addr_none ~0
+#define ompt_mutex_impl_none 0
+#define ompt_wait_id_none 0
+
+#define ompd_segment_none 0
+
+#endif /* __OMPT__ */

include/nettle/aes.h

@@ -0,0 +1,185 @@
+/* aes.h
+
+   The aes/rijndael block cipher.
+
+   Copyright (C) 2001, 2013 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_AES_H_INCLUDED
+#define NETTLE_AES_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define aes_set_encrypt_key nettle_aes_set_encrypt_key
+#define aes_set_decrypt_key nettle_aes_set_decrypt_key
+#define aes_invert_key nettle_aes_invert_key
+#define aes_encrypt nettle_aes_encrypt
+#define aes_decrypt nettle_aes_decrypt
+#define aes128_set_encrypt_key nettle_aes128_set_encrypt_key
+#define aes128_set_decrypt_key nettle_aes128_set_decrypt_key
+#define aes128_invert_key nettle_aes128_invert_key
+#define aes128_encrypt nettle_aes128_encrypt
+#define aes128_decrypt nettle_aes128_decrypt
+#define aes192_set_encrypt_key nettle_aes192_set_encrypt_key
+#define aes192_set_decrypt_key nettle_aes192_set_decrypt_key
+#define aes192_invert_key nettle_aes192_invert_key
+#define aes192_encrypt nettle_aes192_encrypt
+#define aes192_decrypt nettle_aes192_decrypt
+#define aes256_set_encrypt_key nettle_aes256_set_encrypt_key
+#define aes256_set_decrypt_key nettle_aes256_set_decrypt_key
+#define aes256_invert_key nettle_aes256_invert_key
+#define aes256_encrypt nettle_aes256_encrypt
+#define aes256_decrypt nettle_aes256_decrypt
+
+#define AES_BLOCK_SIZE 16
+
+#define AES128_KEY_SIZE 16
+#define AES192_KEY_SIZE 24
+#define AES256_KEY_SIZE 32
+#define _AES128_ROUNDS 10
+#define _AES192_ROUNDS 12
+#define _AES256_ROUNDS 14
+
+struct aes128_ctx
+{
+  uint32_t keys[4 * (_AES128_ROUNDS + 1)];
+};
+
+void
+aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key);
+void
+aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key);
+void
+aes128_invert_key(struct aes128_ctx *dst,
+		  const struct aes128_ctx *src);
+void
+aes128_encrypt(const struct aes128_ctx *ctx,
+	       size_t length, uint8_t *dst,
+	       const uint8_t *src);
+void
+aes128_decrypt(const struct aes128_ctx *ctx,
+	       size_t length, uint8_t *dst,
+	       const uint8_t *src);
+
+struct aes192_ctx
+{
+  uint32_t keys[4 * (_AES192_ROUNDS + 1)];
+};
+
+void
+aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key);
+void
+aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key);
+void
+aes192_invert_key(struct aes192_ctx *dst,
+		  const struct aes192_ctx *src);
+void
+aes192_encrypt(const struct aes192_ctx *ctx,
+	       size_t length, uint8_t *dst,
+	       const uint8_t *src);
+void
+aes192_decrypt(const struct aes192_ctx *ctx,
+	       size_t length, uint8_t *dst,
+	       const uint8_t *src);
+
+struct aes256_ctx
+{
+  uint32_t keys[4 * (_AES256_ROUNDS + 1)];
+};
+
+void
+aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key);
+void
+aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key);
+void
+aes256_invert_key(struct aes256_ctx *dst,
+		  const struct aes256_ctx *src);
+void
+aes256_encrypt(const struct aes256_ctx *ctx,
+	       size_t length, uint8_t *dst,
+	       const uint8_t *src);
+void
+aes256_decrypt(const struct aes256_ctx *ctx,
+	       size_t length, uint8_t *dst,
+	       const uint8_t *src);
+
+/* The older nettle-2.7 AES interface is deprecated, please migrate to
+   the newer interface where each algorithm has a fixed key size. */
+
+/* Variable key size between 128 and 256 bits. But the only valid
+ * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */
+#define AES_MIN_KEY_SIZE AES128_KEY_SIZE
+#define AES_MAX_KEY_SIZE AES256_KEY_SIZE
+
+#define AES_KEY_SIZE 32
+
+struct aes_ctx
+{
+  unsigned key_size;  /* In octets */
+  union {
+    struct aes128_ctx ctx128;
+    struct aes192_ctx ctx192;
+    struct aes256_ctx ctx256;
+  } u;
+};
+
+void
+aes_set_encrypt_key(struct aes_ctx *ctx,
+		    size_t length, const uint8_t *key)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
+
+void
+aes_set_decrypt_key(struct aes_ctx *ctx,
+		   size_t length, const uint8_t *key)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
+
+void
+aes_invert_key(struct aes_ctx *dst,
+	       const struct aes_ctx *src)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
+
+void
+aes_encrypt(const struct aes_ctx *ctx,
+	    size_t length, uint8_t *dst,
+	    const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED;
+void
+aes_decrypt(const struct aes_ctx *ctx,
+	    size_t length, uint8_t *dst,
+	    const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_AES_H_INCLUDED */

include/nettle/arcfour.h

@@ -0,0 +1,79 @@
+/* arcfour.h
+
+   The arcfour/rc4 stream cipher.
+
+   Copyright (C) 2001, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_ARCFOUR_H_INCLUDED
+#define NETTLE_ARCFOUR_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define arcfour128_set_key nettle_arcfour128_set_key
+#define arcfour_set_key nettle_arcfour_set_key
+#define arcfour_crypt nettle_arcfour_crypt
+
+/* Minimum and maximum keysizes, and a reasonable default. In
+ * octets.*/
+#define ARCFOUR_MIN_KEY_SIZE 1
+#define ARCFOUR_MAX_KEY_SIZE 256
+#define ARCFOUR_KEY_SIZE 16
+#define ARCFOUR128_KEY_SIZE 16
+
+struct arcfour_ctx
+{
+  uint8_t S[256];
+  uint8_t i;
+  uint8_t j;
+};
+
+void
+arcfour_set_key(struct arcfour_ctx *ctx,
+		size_t length, const uint8_t *key);
+
+void
+arcfour128_set_key(struct arcfour_ctx *ctx, const uint8_t *key);
+
+void
+arcfour_crypt(struct arcfour_ctx *ctx,
+	      size_t length, uint8_t *dst,
+	      const uint8_t *src);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_ARCFOUR_H_INCLUDED */
+

include/nettle/arctwo.h

@@ -0,0 +1,103 @@
+/* arctwo.h
+
+   The arctwo/rfc2268 block cipher.
+
+   Copyright (C) 2004 Simon Josefsson
+   Copyright (C) 2002, 2004, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_ARCTWO_H_INCLUDED
+#define NETTLE_ARCTWO_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define arctwo_set_key nettle_arctwo_set_key
+#define arctwo_set_key_ekb nettle_arctwo_set_key_ekb
+#define arctwo_set_key_gutmann nettle_arctwo_set_key_gutmann
+#define arctwo40_set_key nettle_arctwo40_set_key
+#define arctwo64_set_key nettle_arctwo64_set_key
+#define arctwo128_set_key nettle_arctwo128_set_key
+#define arctwo128_set_key_gutmann nettle_arctwo128_set_key_gutmann
+#define arctwo_encrypt nettle_arctwo_encrypt
+#define arctwo_decrypt nettle_arctwo_decrypt
+
+#define ARCTWO_BLOCK_SIZE 8
+
+/* Variable key size from 1 byte to 128 bytes. */
+#define ARCTWO_MIN_KEY_SIZE 1
+#define ARCTWO_MAX_KEY_SIZE 128
+
+#define ARCTWO_KEY_SIZE 8
+
+struct arctwo_ctx
+{
+  uint16_t S[64];
+};
+
+/* Key expansion function that takes the "effective key bits", 1-1024,
+   as an explicit argument. 0 means maximum key bits. */
+void
+arctwo_set_key_ekb (struct arctwo_ctx *ctx,
+		    size_t length, const uint8_t * key, unsigned ekb);
+
+/* Equvivalent to arctwo_set_key_ekb, with ekb = 8 * length */
+void
+arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key);
+void
+arctwo40_set_key (struct arctwo_ctx *ctx, const uint8_t *key);
+void
+arctwo64_set_key (struct arctwo_ctx *ctx, const uint8_t *key);
+void
+arctwo128_set_key (struct arctwo_ctx *ctx, const uint8_t *key);
+
+/* Equvivalent to arctwo_set_key_ekb, with ekb = 1024 */
+void
+arctwo_set_key_gutmann (struct arctwo_ctx *ctx,
+			size_t length, const uint8_t *key);
+void
+arctwo128_set_key_gutmann (struct arctwo_ctx *ctx,
+			   const uint8_t *key);
+
+void
+arctwo_encrypt (struct arctwo_ctx *ctx,
+		size_t length, uint8_t *dst, const uint8_t *src);
+void
+arctwo_decrypt (struct arctwo_ctx *ctx,
+		size_t length, uint8_t *dst, const uint8_t *src);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_ARCTWO_H_INCLUDED */

include/nettle/asn1.h

@@ -0,0 +1,152 @@
+/* asn1.h
+
+   Limited support for ASN.1 DER decoding.
+
+   Copyright (C) 2005 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_ASN1_H_INCLUDED
+#define NETTLE_ASN1_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define asn1_der_iterator_first nettle_asn1_der_iterator_first
+#define asn1_der_iterator_next nettle_asn1_der_iterator_next
+#define asn1_der_decode_constructed nettle_asn1_der_decode_constructed
+#define asn1_der_decode_constructed_last nettle_asn1_der_decode_constructed_last
+#define asn1_der_decode_bitstring nettle_asn1_der_decode_bitstring
+#define asn1_der_decode_bitstring_last nettle_asn1_der_decode_bitstring_last
+#define asn1_der_get_uint32 nettle_asn1_der_get_uint32
+#define asn1_der_get_bignum nettle_asn1_der_get_bignum
+
+
+/* enum asn1_type keeps the class number and the constructive in bits
+   13-14, and the constructive flag in bit 12. The remaining 14 bits
+   are the tag (although currently, only tags in the range 0-30 are
+   supported). */
+
+enum
+  {
+    ASN1_TYPE_CONSTRUCTED = 1 << 12,
+
+    ASN1_CLASS_UNIVERSAL = 0,
+    ASN1_CLASS_APPLICATION = 1 << 13,
+    ASN1_CLASS_CONTEXT_SPECIFIC = 2 << 13,
+    ASN1_CLASS_PRIVATE = 3 << 13,
+
+    ASN1_CLASS_MASK = 3 << 13,
+    ASN1_CLASS_SHIFT = 13,
+  };
+
+enum asn1_type
+  {
+    ASN1_BOOLEAN = 1,
+    ASN1_INTEGER = 2,
+    ASN1_BITSTRING = 3,
+    ASN1_OCTETSTRING = 4,
+    ASN1_NULL = 5,
+    ASN1_IDENTIFIER = 6,
+    ASN1_REAL = 9,
+    ASN1_ENUMERATED = 10,
+    ASN1_UTF8STRING = 12,
+    ASN1_SEQUENCE = 16 | ASN1_TYPE_CONSTRUCTED,
+    ASN1_SET = 17 | ASN1_TYPE_CONSTRUCTED,
+    ASN1_PRINTABLESTRING = 19,
+    ASN1_TELETEXSTRING = 20,
+    ASN1_IA5STRING = 22,
+    ASN1_UTC = 23,
+    ASN1_UNIVERSALSTRING = 28,
+    ASN1_BMPSTRING = 30,
+  };
+
+enum asn1_iterator_result
+  {
+    ASN1_ITERATOR_ERROR,
+    ASN1_ITERATOR_PRIMITIVE,
+    ASN1_ITERATOR_CONSTRUCTED,
+    ASN1_ITERATOR_END,
+  };
+
+/* Parsing DER objects. */
+struct asn1_der_iterator
+{
+  size_t buffer_length;
+  const uint8_t *buffer;
+
+  /* Next object to parse. */
+  size_t pos;
+
+  enum asn1_type type;
+
+  /* Pointer to the current object */
+  size_t length;
+  const uint8_t *data;
+};
+
+/* Initializes the iterator. */
+enum asn1_iterator_result
+asn1_der_iterator_first(struct asn1_der_iterator *iterator,
+			size_t length, const uint8_t *input);
+
+enum asn1_iterator_result
+asn1_der_iterator_next(struct asn1_der_iterator *iterator);
+
+/* Starts parsing of a constructed object. */
+enum asn1_iterator_result
+asn1_der_decode_constructed(struct asn1_der_iterator *i,
+			    struct asn1_der_iterator *contents);
+
+/* For the common case that we have a sequence at the end of the
+   object. Checks that the current object is the final one, and then
+   reinitializes the iterator to parse its ontents. */
+enum asn1_iterator_result
+asn1_der_decode_constructed_last(struct asn1_der_iterator *i);
+
+enum asn1_iterator_result
+asn1_der_decode_bitstring(struct asn1_der_iterator *i,
+			  struct asn1_der_iterator *contents);
+
+enum asn1_iterator_result
+asn1_der_decode_bitstring_last(struct asn1_der_iterator *i);
+
+/* All these functions return 1 on success, 0 on failure */
+int
+asn1_der_get_uint32(struct asn1_der_iterator *i,
+		    uint32_t *x);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_ASN1_H_INCLUDED */

include/nettle/base16.h

@@ -0,0 +1,110 @@
+/* base16.h
+   
+   Hex encoding and decoding, following spki conventions (i.e.
+   allowing whitespace between digits).
+
+   Copyright (C) 2002 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_BASE16_H_INCLUDED
+#define NETTLE_BASE16_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define base16_encode_single nettle_base16_encode_single
+#define base16_encode_update nettle_base16_encode_update
+#define base16_decode_init nettle_base16_decode_init
+#define base16_decode_single nettle_base16_decode_single
+#define base16_decode_update nettle_base16_decode_update
+#define base16_decode_final nettle_base16_decode_final
+
+/* Base16 encoding */
+
+/* Maximum length of output for base16_encode_update. */
+#define BASE16_ENCODE_LENGTH(length) ((length) * 2)
+
+/* Encodes a single byte. Always stores two digits in dst[0] and dst[1]. */
+void
+base16_encode_single(char *dst,
+		     uint8_t src);
+
+/* Always stores BASE16_ENCODE_LENGTH(length) digits in dst. */
+void
+base16_encode_update(char *dst,
+		     size_t length,
+		     const uint8_t *src);
+
+
+/* Base16 decoding */
+
+/* Maximum length of output for base16_decode_update. */
+/* We have at most 4 buffered bits, and a total of (length + 1) * 4 bits. */
+#define BASE16_DECODE_LENGTH(length) (((length) + 1) / 2)
+
+struct base16_decode_ctx
+{
+  unsigned char word; /* Leftover bits */
+  unsigned char bits; /* Number buffered bits */
+};
+
+void
+base16_decode_init(struct base16_decode_ctx *ctx);
+
+/* Decodes a single byte. Returns amount of output (0 or 1), or -1 on
+ * errors. */
+int
+base16_decode_single(struct base16_decode_ctx *ctx,
+		     uint8_t *dst,
+		     char src);
+
+/* Returns 1 on success, 0 on error. DST should point to an area of
+ * size at least BASE16_DECODE_LENGTH(length). The amount of data
+ * generated is returned in *DST_LENGTH. */
+
+int
+base16_decode_update(struct base16_decode_ctx *ctx,
+		     size_t *dst_length,
+		     uint8_t *dst,
+		     size_t src_length,
+		     const char *src);
+
+/* Returns 1 on success. */
+int
+base16_decode_final(struct base16_decode_ctx *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_BASE16_H_INCLUDED */

include/nettle/base64.h

@@ -0,0 +1,172 @@
+/* base64.h
+   
+   Base-64 encoding and decoding.
+
+   Copyright (C) 2002 Niels Möller, Dan Egnor
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_BASE64_H_INCLUDED
+#define NETTLE_BASE64_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define base64_encode_init nettle_base64_encode_init
+#define base64url_encode_init nettle_base64url_encode_init
+#define base64_encode_single nettle_base64_encode_single
+#define base64_encode_update nettle_base64_encode_update
+#define base64_encode_final nettle_base64_encode_final
+#define base64_encode_raw nettle_base64_encode_raw
+#define base64_encode_group nettle_base64_encode_group
+#define base64_decode_init nettle_base64_decode_init
+#define base64url_decode_init nettle_base64url_decode_init
+#define base64_decode_single nettle_base64_decode_single
+#define base64_decode_update nettle_base64_decode_update
+#define base64_decode_final nettle_base64_decode_final
+
+#define BASE64_BINARY_BLOCK_SIZE 3
+#define BASE64_TEXT_BLOCK_SIZE 4
+
+/* Base64 encoding */
+
+/* Maximum length of output for base64_encode_update. NOTE: Doesn't
+ * include any padding that base64_encode_final may add. */
+/* We have at most 4 buffered bits, and a total of (4 + length * 8) bits. */
+#define BASE64_ENCODE_LENGTH(length) (((length) * 8 + 4)/6)
+
+/* Maximum length of output generated by base64_encode_final. */
+#define BASE64_ENCODE_FINAL_LENGTH 3
+
+/* Exact length of output generated by base64_encode_raw, including
+ * padding. */
+#define BASE64_ENCODE_RAW_LENGTH(length) ((((length) + 2)/3)*4)
+
+struct base64_encode_ctx
+{
+  const char *alphabet;    /* Alphabet to use for encoding */
+  unsigned short word;     /* Leftover bits */
+  unsigned char bits;      /* Number of bits, always 0, 2, or 4. */
+};
+
+/* Initialize encoding context for base-64 */
+void
+base64_encode_init(struct base64_encode_ctx *ctx);
+
+/* Initialize encoding context for URL safe alphabet, RFC 4648. */
+void
+base64url_encode_init(struct base64_encode_ctx *ctx);
+
+/* Encodes a single byte. Returns amount of output (always 1 or 2). */
+size_t
+base64_encode_single(struct base64_encode_ctx *ctx,
+		     char *dst,
+		     uint8_t src);
+
+/* Returns the number of output characters. DST should point to an
+ * area of size at least BASE64_ENCODE_LENGTH(length). */
+size_t
+base64_encode_update(struct base64_encode_ctx *ctx,
+		     char *dst,
+		     size_t length,
+		     const uint8_t *src);
+
+/* DST should point to an area of size at least
+ * BASE64_ENCODE_FINAL_LENGTH */
+size_t
+base64_encode_final(struct base64_encode_ctx *ctx,
+		    char *dst);
+
+/* Lower level functions */
+
+/* Encodes a string in one go, including any padding at the end.
+ * Generates exactly BASE64_ENCODE_RAW_LENGTH(length) bytes of output.
+ * Supports overlapped operation, if src <= dst. FIXME: Use of overlap
+ * is deprecated, if needed there should be a separate public fucntion
+ * to do that.*/
+void
+base64_encode_raw(char *dst, size_t length, const uint8_t *src);
+
+void
+base64_encode_group(char *dst, uint32_t group);
+
+
+/* Base64 decoding */
+
+/* Maximum length of output for base64_decode_update. */
+/* We have at most 6 buffered bits, and a total of (length + 1) * 6 bits. */
+#define BASE64_DECODE_LENGTH(length) ((((length) + 1) * 6) / 8)
+
+struct base64_decode_ctx
+{
+  const signed char *table; /* Decoding table */
+  unsigned short word;      /* Leftover bits */
+  unsigned char bits;       /* Number buffered bits */
+
+  /* Number of padding characters encountered */
+  unsigned char padding;
+};
+
+/* Initialize decoding context for base-64 */
+void
+base64_decode_init(struct base64_decode_ctx *ctx);
+
+/* Initialize encoding context for URL safe alphabet, RFC 4648. */
+void
+base64url_decode_init(struct base64_decode_ctx *ctx);
+
+/* Decodes a single byte. Returns amount of output (0 or 1), or -1 on
+ * errors. */
+int
+base64_decode_single(struct base64_decode_ctx *ctx,
+		     uint8_t *dst,
+		     char src);
+
+/* Returns 1 on success, 0 on error. DST should point to an area of
+ * size at least BASE64_DECODE_LENGTH(length). The amount of data
+ * generated is returned in *DST_LENGTH. */
+int
+base64_decode_update(struct base64_decode_ctx *ctx,
+		     size_t *dst_length,
+		     uint8_t *dst,
+		     size_t src_length,
+		     const char *src);
+
+/* Returns 1 on success. */
+int
+base64_decode_final(struct base64_decode_ctx *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_BASE64_H_INCLUDED */

include/nettle/bignum.h

@@ -0,0 +1,129 @@
+/* bignum.h
+
+   Bignum operations that are missing from gmp.
+
+   Copyright (C) 2001 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_BIGNUM_H_INCLUDED
+#define NETTLE_BIGNUM_H_INCLUDED
+
+#include "nettle-types.h"
+
+/* For NETTLE_USE_MINI_GMP */
+#include "version.h"
+
+#if NETTLE_USE_MINI_GMP
+# include "mini-gmp.h"
+
+# define GMP_NUMB_MASK (~(mp_limb_t) 0)
+
+/* Side-channel silent powm not available in mini-gmp. */
+# define mpz_powm_sec mpz_powm
+#else
+# include <gmp.h>
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Size needed for signed encoding, including extra sign byte if
+ * necessary. */
+size_t
+nettle_mpz_sizeinbase_256_s(const mpz_t x);
+
+/* Size needed for unsigned encoding */
+size_t
+nettle_mpz_sizeinbase_256_u(const mpz_t x);
+
+/* Writes an integer as length octets, using big endian byte order,
+ * and two's complement for negative numbers. */
+void
+nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x);
+
+/* Reads a big endian, two's complement, integer. */
+void
+nettle_mpz_set_str_256_s(mpz_t x,
+			 size_t length, const uint8_t *s);
+
+void
+nettle_mpz_init_set_str_256_s(mpz_t x,
+			      size_t length, const uint8_t *s);
+
+/* Similar, but for unsigned format. These function don't interpret
+ * the most significant bit as the sign. */
+void
+nettle_mpz_set_str_256_u(mpz_t x,
+			 size_t length, const uint8_t *s);
+
+void
+nettle_mpz_init_set_str_256_u(mpz_t x,
+			      size_t length, const uint8_t *s);
+
+/* Returns a uniformly distributed random number 0 <= x < 2^n */
+void
+nettle_mpz_random_size(mpz_t x,
+		       void *ctx, nettle_random_func *random,
+		       unsigned bits);
+
+/* Returns a number x, almost uniformly random in the range
+ * 0 <= x < n. */
+void
+nettle_mpz_random(mpz_t x, 
+		  void *ctx, nettle_random_func *random,
+		  const mpz_t n);
+
+void
+nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set,
+		    void *ctx, nettle_random_func *random,
+		    void *progress_ctx, nettle_progress_func *progress);
+
+  
+/* sexp parsing */
+struct sexp_iterator;
+
+/* If LIMIT is non-zero, the number must be at most LIMIT bits.
+ * Implies sexp_iterator_next. */
+int
+nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i);
+
+
+/* der parsing */
+struct asn1_der_iterator;
+
+int
+nettle_asn1_der_get_bignum(struct asn1_der_iterator *iterator,
+			   mpz_t x, unsigned max_bits);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_BIGNUM_H_INCLUDED */

include/nettle/blowfish.h

@@ -0,0 +1,106 @@
+/* blowfish.h
+
+   Blowfish block cipher.
+
+   Copyright (C) 2014 Niels Möller
+   Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_BLOWFISH_H_INCLUDED
+#define NETTLE_BLOWFISH_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define blowfish_set_key nettle_blowfish_set_key
+#define blowfish128_set_key nettle_blowfish128_set_key
+#define blowfish_encrypt nettle_blowfish_encrypt
+#define blowfish_decrypt nettle_blowfish_decrypt
+#define blowfish_bcrypt_hash nettle_blowfish_bcrypt_hash
+#define blowfish_bcrypt_verify nettle_blowfish_bcrypt_verify
+
+#define BLOWFISH_BLOCK_SIZE 8
+
+/* Variable key size between 64 and 448 bits. */
+#define BLOWFISH_MIN_KEY_SIZE 8
+#define BLOWFISH_MAX_KEY_SIZE 56
+
+/* Default to 128 bits */
+#define BLOWFISH_KEY_SIZE 16
+
+#define BLOWFISH128_KEY_SIZE 16
+
+#define _BLOWFISH_ROUNDS 16
+
+#define BLOWFISH_BCRYPT_HASH_SIZE (60 + 1) /* Including null-terminator */
+#define BLOWFISH_BCRYPT_BINSALT_SIZE 16    /* Binary string size */
+
+struct blowfish_ctx
+{
+  uint32_t s[4][256];
+  uint32_t p[_BLOWFISH_ROUNDS+2];
+};
+
+/* Returns 0 for weak keys, otherwise 1. */
+int
+blowfish_set_key(struct blowfish_ctx *ctx,
+                 size_t length, const uint8_t *key);
+int
+blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key);
+
+void
+blowfish_encrypt(const struct blowfish_ctx *ctx,
+                 size_t length, uint8_t *dst,
+                 const uint8_t *src);
+void
+blowfish_decrypt(const struct blowfish_ctx *ctx,
+                 size_t length, uint8_t *dst,
+                 const uint8_t *src);
+
+/* dst parameter must point to a buffer of minimally
+ * BLOWFISH_BCRYPT_HASH_SIZE bytes */
+int
+blowfish_bcrypt_hash(uint8_t *dst,
+                     size_t lenkey, const uint8_t *key,
+                     size_t lenscheme, const uint8_t *scheme,
+		     int log2rounds,
+		     const uint8_t *salt);
+int
+blowfish_bcrypt_verify(size_t lenkey, const uint8_t *key,
+                       size_t lenhashed, const uint8_t *hashed);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_BLOWFISH_H_INCLUDED */

include/nettle/buffer.h

@@ -0,0 +1,106 @@
+/* buffer.h
+
+   A bare-bones string stream.
+
+   Copyright (C) 2002 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_BUFFER_H_INCLUDED
+#define NETTLE_BUFFER_H_INCLUDED
+
+#include "realloc.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct nettle_buffer
+{
+  uint8_t *contents;
+  /* Allocated size */
+  size_t alloc;
+
+  void *realloc_ctx;
+  nettle_realloc_func *realloc;
+
+  /* Current size */
+  size_t size;
+};
+
+/* Initializes a buffer that uses plain realloc */
+void
+nettle_buffer_init(struct nettle_buffer *buffer);
+
+void
+nettle_buffer_init_realloc(struct nettle_buffer *buffer,
+			   void *realloc_ctx,
+			   nettle_realloc_func *realloc);
+
+/* Initializes a buffer of fix size */
+void
+nettle_buffer_init_size(struct nettle_buffer *buffer,
+			size_t length, uint8_t *space);
+
+void
+nettle_buffer_clear(struct nettle_buffer *buffer);
+
+/* Resets the buffer, without freeing the buffer space. */
+void
+nettle_buffer_reset(struct nettle_buffer *buffer);
+
+int
+nettle_buffer_grow(struct nettle_buffer *buffer,
+		   size_t length);
+
+#define NETTLE_BUFFER_PUTC(buffer, c) \
+( (((buffer)->size < (buffer)->alloc) || nettle_buffer_grow((buffer), 1)) \
+  && ((buffer)->contents[(buffer)->size++] = (c), 1) )
+
+int
+nettle_buffer_write(struct nettle_buffer *buffer,
+		    size_t length, const uint8_t *data);
+
+/* Like nettle_buffer_write, but instead of copying data to the
+ * buffer, it returns a pointer to the area where the caller can copy
+ * the data. The pointer is valid only until the next call that can
+ * reallocate the buffer. */
+uint8_t *
+nettle_buffer_space(struct nettle_buffer *buffer,
+		    size_t length);
+
+/* Copy the contents of SRC to the end of DST. */
+int
+nettle_buffer_copy(struct nettle_buffer *dst,
+		   const struct nettle_buffer *src);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_BUFFER_H_INCLUDED */

include/nettle/camellia.h

@@ -0,0 +1,143 @@
+/* camellia.h
+
+   Copyright (C) 2006,2007 NTT
+   (Nippon Telegraph and Telephone Corporation).
+
+   Copyright (C) 2010, 2013 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CAMELLIA_H_INCLUDED
+#define NETTLE_CAMELLIA_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define camellia128_set_encrypt_key nettle_camellia128_set_encrypt_key
+#define camellia128_set_decrypt_key nettle_camellia_set_decrypt_key
+#define camellia128_invert_key nettle_camellia128_invert_key
+#define camellia128_crypt nettle_camellia128_crypt
+
+#define camellia192_set_encrypt_key nettle_camellia192_set_encrypt_key
+#define camellia192_set_decrypt_key nettle_camellia192_set_decrypt_key
+
+#define camellia256_set_encrypt_key nettle_camellia256_set_encrypt_key
+#define camellia256_set_decrypt_key nettle_camellia256_set_decrypt_key
+#define camellia256_invert_key nettle_camellia256_invert_key
+#define camellia256_crypt nettle_camellia256_crypt
+
+
+#define CAMELLIA_BLOCK_SIZE 16
+/* Valid key sizes are 128, 192 or 256 bits (16, 24 or 32 bytes) */
+#define CAMELLIA128_KEY_SIZE 16
+#define CAMELLIA192_KEY_SIZE 24
+#define CAMELLIA256_KEY_SIZE 32
+
+/* For 128-bit keys, there are 18 regular rounds, pre- and
+   post-whitening, and two FL and FLINV rounds, using a total of 26
+   subkeys, each of 64 bit. For 192- and 256-bit keys, there are 6
+   additional regular rounds and one additional FL and FLINV, using a
+   total of 34 subkeys. */
+/* The clever combination of subkeys imply one of the pre- and
+   post-whitening keys is folded with the round keys, so that subkey
+   #1 and the last one (#25 or #33) is not used. The result is that we
+   have only 24 or 32 subkeys at the end of key setup. */
+
+#define _CAMELLIA128_NKEYS 24
+#define _CAMELLIA256_NKEYS 32
+
+struct camellia128_ctx
+{
+  uint64_t keys[_CAMELLIA128_NKEYS];
+};
+
+void
+camellia128_set_encrypt_key(struct camellia128_ctx *ctx,
+			    const uint8_t *key);
+
+void
+camellia128_set_decrypt_key(struct camellia128_ctx *ctx,
+			    const uint8_t *key);
+
+void
+camellia128_invert_key(struct camellia128_ctx *dst,
+		       const struct camellia128_ctx *src);
+
+void
+camellia128_crypt(const struct camellia128_ctx *ctx,
+		  size_t length, uint8_t *dst,
+		  const uint8_t *src);
+
+struct camellia256_ctx
+{
+  uint64_t keys[_CAMELLIA256_NKEYS];
+};
+
+void
+camellia256_set_encrypt_key(struct camellia256_ctx *ctx,
+			    const uint8_t *key);
+
+void
+camellia256_set_decrypt_key(struct camellia256_ctx *ctx,
+			    const uint8_t *key);
+
+void
+camellia256_invert_key(struct camellia256_ctx *dst,
+		       const struct camellia256_ctx *src);
+
+void
+camellia256_crypt(const struct camellia256_ctx *ctx,
+		  size_t length, uint8_t *dst,
+		  const uint8_t *src);
+
+/* camellia192 is the same as camellia256, except for the key
+   schedule. */
+/* Slightly ugly with a #define on a struct tag, since it might cause
+   surprises if also used as a name of a variable. */
+#define camellia192_ctx camellia256_ctx
+
+void
+camellia192_set_encrypt_key(struct camellia256_ctx *ctx,
+			    const uint8_t *key);
+
+void
+camellia192_set_decrypt_key(struct camellia256_ctx *ctx,
+			    const uint8_t *key);
+
+#define camellia192_invert_key camellia256_invert_key
+#define camellia192_crypt camellia256_crypt
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CAMELLIA_H_INCLUDED */

include/nettle/cast128.h

@@ -0,0 +1,86 @@
+/* cast128.h
+
+   The CAST-128 block cipher.
+
+   Copyright (C) 2001, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_CAST128_H_INCLUDED
+#define NETTLE_CAST128_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define cast5_set_key nettle_cast5_set_key
+#define cast128_set_key nettle_cast128_set_key
+#define cast128_encrypt nettle_cast128_encrypt
+#define cast128_decrypt nettle_cast128_decrypt
+
+#define CAST128_BLOCK_SIZE 8
+
+/* Variable key size between 40 and 128. */
+#define CAST5_MIN_KEY_SIZE 5
+#define CAST5_MAX_KEY_SIZE 16
+
+#define CAST128_KEY_SIZE 16
+
+struct cast128_ctx
+{
+  unsigned rounds;  /* Number of rounds to use, 12 or 16 */
+  /* Expanded key, rotations (5 bits only) and 32-bit masks. */
+  unsigned char Kr[16];
+  uint32_t Km[16];
+};
+
+/* Using variable key size. */
+void
+cast5_set_key(struct cast128_ctx *ctx,
+	      size_t length, const uint8_t *key);
+
+void
+cast128_set_key(struct cast128_ctx *ctx, const uint8_t *key);
+
+void
+cast128_encrypt(const struct cast128_ctx *ctx,
+		size_t length, uint8_t *dst,
+		const uint8_t *src);
+void
+cast128_decrypt(const struct cast128_ctx *ctx,
+		size_t length, uint8_t *dst,
+		const uint8_t *src);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CAST128_H_INCLUDED */

include/nettle/cbc.h

@@ -0,0 +1,86 @@
+/* cbc.h
+
+   Cipher block chaining mode.
+
+   Copyright (C) 2001 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CBC_H_INCLUDED
+#define NETTLE_CBC_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define cbc_encrypt nettle_cbc_encrypt
+#define cbc_decrypt nettle_cbc_decrypt
+
+void
+cbc_encrypt(const void *ctx, nettle_cipher_func *f,
+	    size_t block_size, uint8_t *iv,
+	    size_t length, uint8_t *dst,
+	    const uint8_t *src);
+
+void
+cbc_decrypt(const void *ctx, nettle_cipher_func *f,
+	    size_t block_size, uint8_t *iv,
+	    size_t length, uint8_t *dst,
+	    const uint8_t *src);
+
+#define CBC_CTX(type, size) \
+{ type ctx; uint8_t iv[size]; }
+
+#define CBC_SET_IV(ctx, data) \
+memcpy((ctx)->iv, (data), sizeof((ctx)->iv))
+
+/* NOTE: Avoid using NULL, as we don't include anything defining it. */
+#define CBC_ENCRYPT(self, f, length, dst, src)		\
+  (0 ? ((f)(&(self)->ctx, ~(size_t) 0,			\
+	    (uint8_t *) 0, (const uint8_t *) 0))	\
+   : cbc_encrypt((void *) &(self)->ctx,			\
+		 (nettle_cipher_func *) (f),		\
+		 sizeof((self)->iv), (self)->iv,	\
+		 (length), (dst), (src)))
+
+#define CBC_DECRYPT(self, f, length, dst, src)		\
+  (0 ? ((f)(&(self)->ctx, ~(size_t) 0,			\
+	    (uint8_t *) 0, (const uint8_t *) 0))	\
+   : cbc_decrypt((void *) &(self)->ctx,			\
+		 (nettle_cipher_func *) (f),		\
+		 sizeof((self)->iv), (self)->iv,	\
+		 (length), (dst), (src)))
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CBC_H_INCLUDED */

include/nettle/ccm.h

@@ -0,0 +1,302 @@
+/* ccm.h
+
+   Counter with CBC-MAC mode, specified by NIST,
+   http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+
+   Copyright (C) 2014 Exegin Technologies Limited
+   Copyright (C) 2014 Owen Kirby
+
+   Contributed to GNU Nettle by Owen Kirby
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/* NIST SP800-38C doesn't specify the particular formatting and
+ * counter generation algorithm for CCM, but it does include an
+ * example algorithm. This example has become the de-factor standard,
+ * and has been adopted by both the IETF and IEEE across a wide
+ * variety of protocols.
+ */
+
+#ifndef NETTLE_CCM_H_INCLUDED
+#define NETTLE_CCM_H_INCLUDED
+
+#include "aes.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define ccm_set_nonce nettle_ccm_set_nonce
+#define ccm_update nettle_ccm_update
+#define ccm_encrypt nettle_ccm_encrypt
+#define ccm_decrypt nettle_ccm_decrypt
+#define ccm_digest nettle_ccm_digest
+#define ccm_encrypt_message nettle_ccm_encrypt_message
+#define ccm_decrypt_message nettle_ccm_decrypt_message
+
+#define ccm_aes128_set_key nettle_ccm_aes128_set_key
+#define ccm_aes128_set_nonce nettle_ccm_aes128_set_nonce
+#define ccm_aes128_update nettle_ccm_aes128_update
+#define ccm_aes128_encrypt nettle_ccm_aes128_encrypt
+#define ccm_aes128_decrypt nettle_ccm_aes128_decrypt
+#define ccm_aes128_digest nettle_ccm_aes128_digest
+#define ccm_aes128_encrypt_message nettle_ccm_aes128_encrypt_message
+#define ccm_aes128_decrypt_message nettle_ccm_aes128_decrypt_message
+
+#define ccm_aes192_set_key nettle_ccm_aes192_set_key
+#define ccm_aes192_set_nonce nettle_ccm_aes192_set_nonce
+#define ccm_aes192_update nettle_ccm_aes192_update
+#define ccm_aes192_encrypt nettle_ccm_aes192_encrypt
+#define ccm_aes192_decrypt nettle_ccm_aes192_decrypt
+#define ccm_aes192_digest nettle_ccm_aes192_digest
+#define ccm_aes192_encrypt_message nettle_ccm_aes192_encrypt_message
+#define ccm_aes192_decrypt_message nettle_ccm_aes192_decrypt_message
+
+#define ccm_aes256_set_key nettle_ccm_aes256_set_key
+#define ccm_aes256_set_nonce nettle_ccm_aes256_set_nonce
+#define ccm_aes256_update nettle_ccm_aes256_update
+#define ccm_aes256_encrypt nettle_ccm_aes256_encrypt
+#define ccm_aes256_decrypt nettle_ccm_aes256_decrypt
+#define ccm_aes256_digest nettle_ccm_aes256_digest
+#define ccm_aes256_encrypt_message nettle_ccm_aes256_encrypt_message
+#define ccm_aes256_decrypt_message nettle_ccm_aes256_decrypt_message
+
+/* For CCM, the block size of the block cipher shall be 128 bits. */
+#define CCM_BLOCK_SIZE  16
+#define CCM_DIGEST_SIZE 16
+#define CCM_MIN_NONCE_SIZE 7
+#define CCM_MAX_NONCE_SIZE 14
+
+/* Maximum cleartext message size, as a function of the nonce size N.
+   The length field is L octets, with L = 15 - N, and then the maximum
+   size M = 2^{8L} - 1. */
+#define CCM_MAX_MSG_SIZE(N)			\
+  ((sizeof(size_t) + (N) <= 15)			\
+   ? ~(size_t) 0				\
+   : ((size_t) 1 << (8*(15 - N))) - 1)
+
+/* Per-message state */
+struct ccm_ctx {
+  union nettle_block16 ctr;     /* Counter for CTR encryption. */
+  union nettle_block16 tag;     /* CBC-MAC message tag. */
+  /* Length of data processed by the CBC-MAC modulus the block size */
+  unsigned int blength;
+};
+
+/*
+ * CCM mode requires the adata and message lengths when building the IV, which
+ * prevents streaming processing and it incompatible with the AEAD API.
+ */
+void
+ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
+	      size_t noncelen, const uint8_t *nonce,
+	      size_t authlen, size_t msglen, size_t taglen);
+
+void
+ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
+	    size_t length, const uint8_t *data);
+
+void
+ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
+	    size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
+	    size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
+	   size_t length, uint8_t *digest);
+
+/*
+ * All-in-one encryption and decryption API:
+ *  tlength = sizeof(digest)
+ *  mlength = sizeof(cleartext)
+ *  clength = sizeof(ciphertext) = mlength + tlength
+ *
+ * The ciphertext will contain the encrypted payload with the message digest
+ * appended to the end.
+ */
+void
+ccm_encrypt_message(const void *cipher, nettle_cipher_func *f,
+		    size_t nlength, const uint8_t *nonce,
+		    size_t alength, const uint8_t *adata,
+		    size_t tlength,
+		    size_t clength, uint8_t *dst, const uint8_t *src);
+
+/*
+ * The decryption function will write the plaintext to dst and parse the digest
+ * from the final tlength bytes of the ciphertext. If the digest matched the
+ * value computed during decryption then this will return 1, or it will return
+ * 0 if the digest was invalid.
+ */
+int
+ccm_decrypt_message(const void *cipher, nettle_cipher_func *f,
+		    size_t nlength, const uint8_t *nonce,
+		    size_t alength, const uint8_t *adata,
+		    size_t tlength,
+		    size_t mlength, uint8_t *dst, const uint8_t *src);
+
+/* CCM Mode with AES-128 */
+struct ccm_aes128_ctx {
+    struct ccm_ctx      ccm;
+    struct aes128_ctx   cipher;
+};
+
+void
+ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key);
+
+void
+ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx,
+		     size_t length, const uint8_t *nonce,
+		     size_t authlen, size_t msglen, size_t taglen);
+
+void
+ccm_aes128_update (struct ccm_aes128_ctx *ctx,
+		   size_t length, const uint8_t *data);
+
+void
+ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+ccm_aes128_digest(struct ccm_aes128_ctx *ctx,
+		  size_t length, uint8_t *digest);
+
+void
+ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx,
+			   size_t nlength, const uint8_t *nonce,
+			   size_t alength, const uint8_t *adata,
+			   size_t tlength,
+			   size_t clength, uint8_t *dst, const uint8_t *src);
+
+int
+ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx,
+			   size_t nlength, const uint8_t *nonce,
+			   size_t alength, const uint8_t *adata,
+			   size_t tlength,
+			   size_t mlength, uint8_t *dst, const uint8_t *src);
+
+struct ccm_aes192_ctx {
+    struct ccm_ctx      ccm;
+    struct aes192_ctx   cipher;
+};
+
+/* CCM Mode with AES-192 */
+void
+ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key);
+
+void
+ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx,
+		     size_t length, const uint8_t *nonce,
+		     size_t authlen, size_t msglen, size_t taglen);
+
+void
+ccm_aes192_update(struct ccm_aes192_ctx *ctx,
+		  size_t length, const uint8_t *data);
+
+void
+ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+ccm_aes192_digest(struct ccm_aes192_ctx *ctx,
+		  size_t length, uint8_t *digest);
+
+void
+ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx,
+			   size_t nlength, const uint8_t *nonce,
+			   size_t alength, const uint8_t *adata,
+			   size_t tlength,
+			   size_t clength, uint8_t *dst, const uint8_t *src);
+
+int
+ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx,
+			   size_t nlength, const uint8_t *nonce,
+			   size_t alength, const uint8_t *adata,
+			   size_t tlength,
+			   size_t mlength, uint8_t *dst, const uint8_t *src);
+
+/* CCM Mode with AES-256 */
+struct ccm_aes256_ctx {
+    struct ccm_ctx      ccm;
+    struct aes256_ctx   cipher;
+};
+
+void
+ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key);
+
+void
+ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx,
+		     size_t length, const uint8_t *nonce,
+		     size_t authlen, size_t msglen, size_t taglen);
+
+void
+ccm_aes256_update(struct ccm_aes256_ctx *ctx,
+		  size_t length, const uint8_t *data);
+
+void
+ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+ccm_aes256_digest(struct ccm_aes256_ctx *ctx,
+		  size_t length, uint8_t *digest);
+
+void
+ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx,
+			   size_t nlength, const uint8_t *nonce,
+			   size_t alength, const uint8_t *adata,
+			   size_t tlength,
+			   size_t clength, uint8_t *dst, const uint8_t *src);
+
+int
+ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx,
+			   size_t nlength, const uint8_t *nonce,
+			   size_t alength, const uint8_t *adata,
+			   size_t tlength,
+			   size_t mlength, uint8_t *dst, const uint8_t *src);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CCM_H_INCLUDED */

include/nettle/cfb.h

@@ -0,0 +1,122 @@
+/* cfb.h
+
+   Cipher feedback mode.
+
+   Copyright (C) 2015, 2017 Dmitry Eremin-Solenikov
+   Copyright (C) 2001 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CFB_H_INCLUDED
+#define NETTLE_CFB_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define cfb_encrypt nettle_cfb_encrypt
+#define cfb_decrypt nettle_cfb_decrypt
+
+#define cfb8_encrypt nettle_cfb8_encrypt
+#define cfb8_decrypt nettle_cfb8_decrypt
+
+void
+cfb_encrypt(const void *ctx, nettle_cipher_func *f,
+	    size_t block_size, uint8_t *iv,
+	    size_t length, uint8_t *dst,
+	    const uint8_t *src);
+
+void
+cfb_decrypt(const void *ctx, nettle_cipher_func *f,
+	    size_t block_size, uint8_t *iv,
+	    size_t length, uint8_t *dst,
+	    const uint8_t *src);
+
+void
+cfb8_encrypt(const void *ctx, nettle_cipher_func *f,
+	     size_t block_size, uint8_t *iv,
+	     size_t length, uint8_t *dst,
+	     const uint8_t *src);
+
+void
+cfb8_decrypt(const void *ctx, nettle_cipher_func *f,
+	     size_t block_size, uint8_t *iv,
+	     size_t length, uint8_t *dst,
+	     const uint8_t *src);
+
+
+#define CFB_CTX(type, size) \
+{ type ctx; uint8_t iv[size]; }
+
+#define CFB_SET_IV(ctx, data) \
+memcpy((ctx)->iv, (data), sizeof((ctx)->iv))
+
+#define CFB8_CTX CFB_CTX
+#define CFB8_SET_IV CFB_SET_IV
+
+/* NOTE: Avoid using NULL, as we don't include anything defining it. */
+#define CFB_ENCRYPT(self, f, length, dst, src)		\
+  (0 ? ((f)(&(self)->ctx, ~(size_t) 0,			\
+	    (uint8_t *) 0, (const uint8_t *) 0))	\
+   : cfb_encrypt((void *) &(self)->ctx,			\
+		 (nettle_cipher_func *) (f),		\
+		 sizeof((self)->iv), (self)->iv,	\
+		 (length), (dst), (src)))
+
+#define CFB_DECRYPT(self, f, length, dst, src)		\
+  (0 ? ((f)(&(self)->ctx, ~(size_t) 0,			\
+	    (uint8_t *) 0, (const uint8_t *) 0))	\
+   : cfb_decrypt((void *) &(self)->ctx,			\
+		 (nettle_cipher_func *) (f),		\
+		 sizeof((self)->iv), (self)->iv,	\
+		 (length), (dst), (src)))
+
+#define CFB8_ENCRYPT(self, f, length, dst, src)		\
+  (0 ? ((f)(&(self)->ctx, ~(size_t) 0,			\
+	    (uint8_t *) 0, (const uint8_t *) 0))	\
+   : cfb8_encrypt((void *) &(self)->ctx,		\
+		  (nettle_cipher_func *) (f),		\
+		  sizeof((self)->iv), (self)->iv,	\
+		  (length), (dst), (src)))
+
+#define CFB8_DECRYPT(self, f, length, dst, src)		\
+  (0 ? ((f)(&(self)->ctx, ~(size_t) 0,			\
+	    (uint8_t *) 0, (const uint8_t *) 0))	\
+   : cfb8_decrypt((void *) &(self)->ctx,		\
+		  (nettle_cipher_func *) (f),		\
+		  sizeof((self)->iv), (self)->iv,	\
+		  (length), (dst), (src)))
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CFB_H_INCLUDED */

include/nettle/chacha-poly1305.h

@@ -0,0 +1,98 @@
+/* chacha-poly1305.h
+
+   AEAD mechanism based on chacha and poly1305.
+   See draft-agl-tls-chacha20poly1305-04.
+
+   Copyright (C) 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CHACHA_POLY1305_H_INCLUDED
+#define NETTLE_CHACHA_POLY1305_H_INCLUDED
+
+#include "chacha.h"
+#include "poly1305.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define chacha_poly1305_set_key nettle_chacha_poly1305_set_key
+#define chacha_poly1305_set_nonce nettle_chacha_poly1305_set_nonce
+#define chacha_poly1305_update nettle_chacha_poly1305_update
+#define chacha_poly1305_decrypt nettle_chacha_poly1305_decrypt
+#define chacha_poly1305_encrypt nettle_chacha_poly1305_encrypt
+#define chacha_poly1305_digest nettle_chacha_poly1305_digest
+
+#define CHACHA_POLY1305_BLOCK_SIZE 64
+/* FIXME: Any need for 128-bit variant? */
+#define CHACHA_POLY1305_KEY_SIZE 32
+#define CHACHA_POLY1305_NONCE_SIZE CHACHA_NONCE96_SIZE
+#define CHACHA_POLY1305_DIGEST_SIZE 16
+
+struct chacha_poly1305_ctx
+{
+  struct chacha_ctx chacha;
+  struct poly1305_ctx poly1305;
+  union nettle_block16 s;
+  uint64_t auth_size;
+  uint64_t data_size;
+  /* poly1305 block */
+  uint8_t block[POLY1305_BLOCK_SIZE];
+  unsigned index;
+};
+
+void
+chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx,
+			 const uint8_t *key);
+void
+chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx,
+			   const uint8_t *nonce);
+
+void
+chacha_poly1305_update (struct chacha_poly1305_ctx *ctx,
+			size_t length, const uint8_t *data);
+
+void
+chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx,
+			 size_t length, uint8_t *dst, const uint8_t *src);
+			 
+void
+chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx,
+			 size_t length, uint8_t *dst, const uint8_t *src);
+			 
+void
+chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx,
+			size_t length, uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CHACHA_POLY1305_H_INCLUDED */

include/nettle/chacha.h

@@ -0,0 +1,107 @@
+/* chacha.h
+
+   The ChaCha stream cipher.
+
+   Copyright (C) 2013 Joachim Strömbergson
+   Copyright (C) 2012 Simon Josefsson
+   Copyright (C) 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CHACHA_H_INCLUDED
+#define NETTLE_CHACHA_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define chacha_set_key nettle_chacha_set_key
+#define chacha_set_nonce nettle_chacha_set_nonce
+#define chacha_set_nonce96 nettle_chacha_set_nonce96
+#define chacha_set_counter nettle_chacha_set_counter
+#define chacha_set_counter32 nettle_chacha_set_counter32
+#define chacha_crypt nettle_chacha_crypt
+#define chacha_crypt32 nettle_chacha_crypt32
+
+/* Currently, only 256-bit keys are supported. */
+#define CHACHA_KEY_SIZE 32
+#define CHACHA_BLOCK_SIZE 64
+#define CHACHA_NONCE_SIZE 8
+#define CHACHA_NONCE96_SIZE 12
+#define CHACHA_COUNTER_SIZE 8
+#define CHACHA_COUNTER32_SIZE 4
+
+#define _CHACHA_STATE_LENGTH 16
+
+struct chacha_ctx
+{
+  /* Indices 0-3 holds a constant (SIGMA or TAU).
+     Indices 4-11 holds the key.
+     Indices 12-13 holds the block counter.
+     Indices 14-15 holds the IV:
+
+     This creates the state matrix:
+     C C C C
+     K K K K
+     K K K K
+     B B I I
+  */
+  uint32_t state[_CHACHA_STATE_LENGTH];
+};
+
+void
+chacha_set_key(struct chacha_ctx *ctx, const uint8_t *key);
+
+void
+chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce);
+
+void
+chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce);
+
+void
+chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter);
+
+void
+chacha_set_counter32(struct chacha_ctx *ctx, const uint8_t *counter);
+
+void
+chacha_crypt(struct chacha_ctx *ctx, size_t length, 
+             uint8_t *dst, const uint8_t *src);
+
+void
+chacha_crypt32(struct chacha_ctx *ctx, size_t length,
+	       uint8_t *dst, const uint8_t *src);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CHACHA_H_INCLUDED */

include/nettle/cmac.h

@@ -0,0 +1,237 @@
+/* cmac.h
+
+   CMAC mode, as specified in RFC4493
+
+   Copyright (C) 2017 Red Hat, Inc.
+
+   Contributed by Nikos Mavrogiannopoulos
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CMAC_H_INCLUDED
+#define NETTLE_CMAC_H_INCLUDED
+
+#include "aes.h"
+#include "des.h"
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define CMAC128_DIGEST_SIZE 16
+#define CMAC64_DIGEST_SIZE 8
+
+#define cmac128_set_key nettle_cmac128_set_key
+#define cmac128_init nettle_cmac128_init
+#define cmac128_update nettle_cmac128_update
+#define cmac128_digest nettle_cmac128_digest
+#define cmac_aes128_set_key nettle_cmac_aes128_set_key
+#define cmac_aes128_update nettle_cmac_aes128_update
+#define cmac_aes128_digest nettle_cmac_aes128_digest
+#define cmac_aes256_set_key nettle_cmac_aes256_set_key
+#define cmac_aes256_update nettle_cmac_aes256_update
+#define cmac_aes256_digest nettle_cmac_aes256_digest
+
+#define cmac64_set_key nettle_cmac64_set_key
+#define cmac64_init nettle_cmac64_init
+#define cmac64_update nettle_cmac64_update
+#define cmac64_digest nettle_cmac64_digest
+#define cmac_des3_set_key nettle_cmac_des3_set_key
+#define cmac_des3_update nettle_cmac_des3_update
+#define cmac_des3_digest nettle_cmac_des3_digest
+
+struct cmac128_key
+{
+  union nettle_block16 K1;
+  union nettle_block16 K2;
+};
+
+struct cmac128_ctx
+{
+  /* MAC state */
+  union nettle_block16 X;
+
+  /* Block buffer */
+  union nettle_block16 block;
+  size_t index;
+};
+
+struct cmac64_key
+{
+  union nettle_block8 K1;
+  union nettle_block8 K2;
+};
+
+struct cmac64_ctx
+{
+  /* MAC state */
+  union nettle_block8 X;
+
+  /* Block buffer */
+  union nettle_block8 block;
+  size_t index;
+};
+
+void
+cmac128_set_key(struct cmac128_key *key, const void *cipher,
+		nettle_cipher_func *encrypt);
+
+void
+cmac128_init(struct cmac128_ctx *ctx);
+
+void
+cmac128_update(struct cmac128_ctx *ctx, const void *cipher,
+	       nettle_cipher_func *encrypt,
+	       size_t msg_len, const uint8_t *msg);
+void
+cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key,
+	       const void *cipher, nettle_cipher_func *encrypt,
+	       unsigned length, uint8_t *digest);
+
+
+#define CMAC128_CTX(type) \
+  { struct cmac128_key key; struct cmac128_ctx ctx; type cipher; }
+
+/* NOTE: Avoid using NULL, as we don't include anything defining it. */
+#define CMAC128_SET_KEY(self, set_key, encrypt, cmac_key)	\
+  do {								\
+    (set_key)(&(self)->cipher, (cmac_key));			\
+    if (0) (encrypt)(&(self)->cipher, ~(size_t) 0,		\
+		     (uint8_t *) 0, (const uint8_t *) 0);	\
+    cmac128_set_key(&(self)->key, &(self)->cipher,		\
+		    (nettle_cipher_func *) (encrypt));		\
+    cmac128_init(&(self)->ctx);					\
+  } while (0)
+
+#define CMAC128_UPDATE(self, encrypt, length, src)		\
+  (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0,			\
+		 (uint8_t *) 0, (const uint8_t *) 0)		\
+     : cmac128_update(&(self)->ctx, &(self)->cipher,		\
+		      (nettle_cipher_func *)encrypt,		\
+		      (length), (src)))
+
+#define CMAC128_DIGEST(self, encrypt, length, digest)		\
+  (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0,			\
+		 (uint8_t *) 0, (const uint8_t *) 0)		\
+     : cmac128_digest(&(self)->ctx, &(self)->key,		\
+		      &(self)->cipher,				\
+		      (nettle_cipher_func *) (encrypt),		\
+		      (length), (digest)))
+
+void
+cmac64_set_key(struct cmac64_key *key, const void *cipher,
+		nettle_cipher_func *encrypt);
+
+void
+cmac64_init(struct cmac64_ctx *ctx);
+
+void
+cmac64_update(struct cmac64_ctx *ctx, const void *cipher,
+	       nettle_cipher_func *encrypt,
+	       size_t msg_len, const uint8_t *msg);
+
+void
+cmac64_digest(struct cmac64_ctx *ctx, const struct cmac64_key *key,
+	       const void *cipher, nettle_cipher_func *encrypt,
+	       unsigned length, uint8_t *digest);
+
+
+#define CMAC64_CTX(type) \
+  { struct cmac64_key key; struct cmac64_ctx ctx; type cipher; }
+
+/* NOTE: Avoid using NULL, as we don't include anything defining it. */
+#define CMAC64_SET_KEY(self, set_key, encrypt, cmac_key)	\
+  do {								\
+    (set_key)(&(self)->cipher, (cmac_key));			\
+    if (0) (encrypt)(&(self)->cipher, ~(size_t) 0,		\
+		     (uint8_t *) 0, (const uint8_t *) 0);	\
+    cmac64_set_key(&(self)->key, &(self)->cipher,		\
+		    (nettle_cipher_func *) (encrypt));		\
+    cmac64_init(&(self)->ctx);					\
+  } while (0)
+
+#define CMAC64_UPDATE(self, encrypt, length, src)		\
+  (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0,			\
+		 (uint8_t *) 0, (const uint8_t *) 0)		\
+     : cmac64_update(&(self)->ctx, &(self)->cipher,		\
+		      (nettle_cipher_func *)encrypt,		\
+		      (length), (src)))
+
+#define CMAC64_DIGEST(self, encrypt, length, digest)		\
+  (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0,			\
+		 (uint8_t *) 0, (const uint8_t *) 0)		\
+     : cmac64_digest(&(self)->ctx, &(self)->key,		\
+		      &(self)->cipher,				\
+		      (nettle_cipher_func *) (encrypt),		\
+		      (length), (digest)))
+
+struct cmac_aes128_ctx CMAC128_CTX(struct aes128_ctx);
+
+void
+cmac_aes128_set_key(struct cmac_aes128_ctx *ctx, const uint8_t *key);
+
+void
+cmac_aes128_update(struct cmac_aes128_ctx *ctx,
+		   size_t length, const uint8_t *data);
+
+void
+cmac_aes128_digest(struct cmac_aes128_ctx *ctx,
+		   size_t length, uint8_t *digest);
+
+struct cmac_aes256_ctx CMAC128_CTX(struct aes256_ctx);
+
+void
+cmac_aes256_set_key(struct cmac_aes256_ctx *ctx, const uint8_t *key);
+
+void
+cmac_aes256_update(struct cmac_aes256_ctx *ctx,
+		   size_t length, const uint8_t *data);
+
+void
+cmac_aes256_digest(struct cmac_aes256_ctx *ctx,
+		   size_t length, uint8_t *digest);
+
+struct cmac_des3_ctx CMAC64_CTX(struct des3_ctx);
+
+void
+cmac_des3_set_key(struct cmac_des3_ctx *ctx, const uint8_t *key);
+
+void
+cmac_des3_update(struct cmac_des3_ctx *ctx,
+		 size_t length, const uint8_t *data);
+
+void
+cmac_des3_digest(struct cmac_des3_ctx *ctx,
+		 size_t length, uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* CMAC_H_INCLUDED */

include/nettle/ctr.h

@@ -0,0 +1,71 @@
+/* ctr.h
+
+   Counter mode, using an network byte order incremented counter,
+   matching the testcases of NIST 800-38A.
+
+   Copyright (C) 2005 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CTR_H_INCLUDED
+#define NETTLE_CTR_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define ctr_crypt nettle_ctr_crypt
+
+void
+ctr_crypt(const void *ctx, nettle_cipher_func *f,
+	  size_t block_size, uint8_t *ctr,
+	  size_t length, uint8_t *dst,
+	  const uint8_t *src);
+
+#define CTR_CTX(type, size) \
+{ type ctx; uint8_t ctr[size]; }
+
+#define CTR_SET_COUNTER(ctx, data) \
+memcpy((ctx)->ctr, (data), sizeof((ctx)->ctr))
+
+#define CTR_CRYPT(self, f, length, dst, src)		\
+  (0 ? ((f)(&(self)->ctx, ~(size_t) 0,			\
+	  (uint8_t *) 0, (const uint8_t *) 0))		\
+   : ctr_crypt((void *) &(self)->ctx,			\
+	       (nettle_cipher_func *) (f),		\
+	       sizeof((self)->ctr), (self)->ctr,	\
+	       (length), (dst), (src)))
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CTR_H_INCLUDED */

include/nettle/curve25519.h

@@ -0,0 +1,60 @@
+/* curve25519.h
+
+   Copyright (C) 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CURVE25519_H
+#define NETTLE_CURVE25519_H
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define curve25519_mul_g nettle_curve25519_mul_g
+#define curve25519_mul nettle_curve25519_mul
+
+#define CURVE25519_SIZE 32
+
+/* Indicates that curve25519_mul conforms to RFC 7748. */
+#define NETTLE_CURVE25519_RFC7748 1
+
+void
+curve25519_mul_g (uint8_t *q, const uint8_t *n);
+
+void
+curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CURVE25519_H */

include/nettle/curve448.h

@@ -0,0 +1,58 @@
+/* curve448.h
+
+   Copyright (C) 2017 Daiki Ueno
+   Copyright (C) 2017 Red Hat, Inc.
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_CURVE448_H
+#define NETTLE_CURVE448_H
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define curve448_mul_g nettle_curve448_mul_g
+#define curve448_mul nettle_curve448_mul
+
+#define CURVE448_SIZE 56
+
+void
+curve448_mul_g (uint8_t *q, const uint8_t *n);
+
+void
+curve448_mul (uint8_t *q, const uint8_t *n, const uint8_t *p);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CURVE448_H */

include/nettle/des.h

@@ -0,0 +1,120 @@
+/* des.h
+
+   The des block cipher. And triple des.
+
+   Copyright (C) 1992 Dana L. How
+   Copyright (C) 2001 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/*
+ *	des - fast & portable DES encryption & decryption.
+ *	Copyright (C) 1992  Dana L. How
+ *	Please see the file `../lib/descore.README' for the complete copyright
+ *	notice.
+ *
+ * Slightly edited by Niels Möller, 1997
+ */
+
+#ifndef NETTLE_DES_H_INCLUDED
+#define NETTLE_DES_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Namespace mangling */
+#define des_set_key nettle_des_set_key
+#define des_encrypt nettle_des_encrypt
+#define des_decrypt nettle_des_decrypt
+#define des_check_parity nettle_des_check_parity
+#define des_fix_parity nettle_des_fix_parity
+#define des3_set_key nettle_des3_set_key
+#define des3_encrypt nettle_des3_encrypt
+#define des3_decrypt nettle_des3_decrypt
+
+#define DES_KEY_SIZE 8
+#define DES_BLOCK_SIZE 8
+
+/* Expanded key length */
+#define _DES_KEY_LENGTH 32
+
+struct des_ctx
+{
+  uint32_t key[_DES_KEY_LENGTH];
+};
+
+/* Returns 1 for good keys and 0 for weak keys. */
+int
+des_set_key(struct des_ctx *ctx, const uint8_t *key);
+
+void
+des_encrypt(const struct des_ctx *ctx,
+	    size_t length, uint8_t *dst,
+	    const uint8_t *src);
+void
+des_decrypt(const struct des_ctx *ctx,
+	    size_t length, uint8_t *dst,
+	    const uint8_t *src);
+
+int
+des_check_parity(size_t length, const uint8_t *key);
+
+void
+des_fix_parity(size_t length, uint8_t *dst,
+	       const uint8_t *src);
+
+#define DES3_KEY_SIZE 24
+#define DES3_BLOCK_SIZE DES_BLOCK_SIZE
+
+struct des3_ctx
+{
+  struct des_ctx des[3];
+};
+
+
+/* Returns 1 for good keys and 0 for weak keys. */
+int
+des3_set_key(struct des3_ctx *ctx, const uint8_t *key);
+
+void
+des3_encrypt(const struct des3_ctx *ctx,
+	     size_t length, uint8_t *dst,
+	     const uint8_t *src);
+void
+des3_decrypt(const struct des3_ctx *ctx,
+	     size_t length, uint8_t *dst,
+	     const uint8_t *src);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_DES_H_INCLUDED */

include/nettle/dsa-compat.h

@@ -0,0 +1,183 @@
+/* dsa-compat.h
+
+   Old DSA publickey interface.
+
+   Copyright (C) 2002, 2013, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_DSA_COMPAT_H_INCLUDED
+#define NETTLE_DSA_COMPAT_H_INCLUDED
+
+#include "dsa.h"
+
+#include "sha1.h"
+#include "sha2.h"
+
+/* Name mangling */
+#define dsa_public_key_init nettle_dsa_public_key_init
+#define dsa_public_key_clear nettle_dsa_public_key_clear
+#define dsa_private_key_init nettle_dsa_private_key_init
+#define dsa_private_key_clear nettle_dsa_private_key_clear
+#define dsa_sha1_sign nettle_dsa_sha1_sign
+#define dsa_sha1_verify nettle_dsa_sha1_verify
+#define dsa_sha256_sign nettle_dsa_sha256_sign
+#define dsa_sha256_verify nettle_dsa_sha256_verify
+#define dsa_sha1_sign_digest nettle_dsa_sha1_sign_digest
+#define dsa_sha1_verify_digest nettle_dsa_sha1_verify_digest
+#define dsa_sha256_sign_digest nettle_dsa_sha256_sign_digest
+#define dsa_sha256_verify_digest nettle_dsa_sha256_verify_digest
+#define dsa_compat_generate_keypair nettle_dsa_compat_generate_keypair
+
+/* Switch meaning of dsa_generate_keypair */
+#undef dsa_generate_keypair
+#define dsa_generate_keypair nettle_dsa_compat_generate_keypair
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct dsa_public_key
+{
+  /* Same as struct dsa_params, but can't use that struct here without
+     breaking backwards compatibility. Layout must be identical, since
+     this is cast to a struct dsa_param pointer for calling _dsa_sign
+     and _dsa_verify */
+  mpz_t p;
+  mpz_t q;
+  mpz_t g;
+
+  /* Public value */
+  mpz_t y;
+};
+
+struct dsa_private_key
+{
+  /* Unlike an rsa public key, private key operations will need both
+   * the private and the public information. */
+  mpz_t x;
+};
+
+/* Signing a message works as follows:
+ *
+ * Store the private key in a dsa_private_key struct.
+ *
+ * Initialize a hashing context, by callling
+ *   sha1_init
+ *
+ * Hash the message by calling
+ *   sha1_update
+ *
+ * Create the signature by calling
+ *   dsa_sha1_sign
+ *
+ * The signature is represented as a struct dsa_signature. This call also
+ * resets the hashing context.
+ *
+ * When done with the key and signature, don't forget to call
+ * dsa_signature_clear.
+ */
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+dsa_public_key_init(struct dsa_public_key *key);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+dsa_public_key_clear(struct dsa_public_key *key);
+
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+dsa_private_key_init(struct dsa_private_key *key);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+dsa_private_key_clear(struct dsa_private_key *key);
+
+int
+dsa_sha1_sign(const struct dsa_public_key *pub,
+	      const struct dsa_private_key *key,
+	      void *random_ctx, nettle_random_func *random,
+	      struct sha1_ctx *hash,
+	      struct dsa_signature *signature);
+
+int
+dsa_sha256_sign(const struct dsa_public_key *pub,
+		const struct dsa_private_key *key,
+		void *random_ctx, nettle_random_func *random,
+		struct sha256_ctx *hash,
+		struct dsa_signature *signature);
+
+int
+dsa_sha1_verify(const struct dsa_public_key *key,
+		struct sha1_ctx *hash,
+		const struct dsa_signature *signature);
+
+int
+dsa_sha256_verify(const struct dsa_public_key *key,
+		  struct sha256_ctx *hash,
+		  const struct dsa_signature *signature);
+
+int
+dsa_sha1_sign_digest(const struct dsa_public_key *pub,
+		     const struct dsa_private_key *key,
+		     void *random_ctx, nettle_random_func *random,
+		     const uint8_t *digest,
+		     struct dsa_signature *signature);
+int
+dsa_sha256_sign_digest(const struct dsa_public_key *pub,
+		       const struct dsa_private_key *key,
+		       void *random_ctx, nettle_random_func *random,
+		       const uint8_t *digest,
+		       struct dsa_signature *signature);
+
+int
+dsa_sha1_verify_digest(const struct dsa_public_key *key,
+		       const uint8_t *digest,
+		       const struct dsa_signature *signature);
+
+int
+dsa_sha256_verify_digest(const struct dsa_public_key *key,
+			 const uint8_t *digest,
+			 const struct dsa_signature *signature);
+
+/* Key generation */
+int
+dsa_generate_keypair(struct dsa_public_key *pub,
+		     struct dsa_private_key *key,
+
+		     void *random_ctx, nettle_random_func *random,
+		     void *progress_ctx, nettle_progress_func *progress,
+		     unsigned p_bits, unsigned q_bits);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_DSA_COMPAT_H_INCLUDED */

include/nettle/dsa.h

@@ -0,0 +1,210 @@
+/* dsa.h
+
+   The DSA publickey algorithm.
+
+   Copyright (C) 2002, 2013, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_DSA_H_INCLUDED
+#define NETTLE_DSA_H_INCLUDED
+
+#include "nettle-types.h"
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define dsa_params_init nettle_dsa_params_init
+#define dsa_params_clear nettle_dsa_params_clear
+#define dsa_signature_init nettle_dsa_signature_init
+#define dsa_signature_clear nettle_dsa_signature_clear
+#define dsa_sign nettle_dsa_sign
+#define dsa_verify nettle_dsa_verify
+#define dsa_generate_params nettle_dsa_generate_params
+#define dsa_generate_keypair nettle_dsa_generate_keypair
+#define dsa_signature_from_sexp nettle_dsa_signature_from_sexp
+#define dsa_keypair_to_sexp nettle_dsa_keypair_to_sexp
+#define dsa_keypair_from_sexp_alist nettle_dsa_keypair_from_sexp_alist
+#define dsa_sha1_keypair_from_sexp nettle_dsa_sha1_keypair_from_sexp
+#define dsa_sha256_keypair_from_sexp nettle_dsa_sha256_keypair_from_sexp
+#define dsa_params_from_der_iterator nettle_dsa_params_from_der_iterator
+#define dsa_public_key_from_der_iterator nettle_dsa_public_key_from_der_iterator
+#define dsa_openssl_private_key_from_der_iterator nettle_dsa_openssl_private_key_from_der_iterator 
+#define dsa_openssl_private_key_from_der nettle_openssl_provate_key_from_der
+
+/* For FIPS approved parameters */
+#define DSA_SHA1_MIN_P_BITS 512
+#define DSA_SHA1_Q_OCTETS 20
+#define DSA_SHA1_Q_BITS 160
+
+#define DSA_SHA256_MIN_P_BITS 1024
+#define DSA_SHA256_Q_OCTETS 32
+#define DSA_SHA256_Q_BITS 256
+
+struct dsa_params
+{  
+  /* Modulo */
+  mpz_t p;
+
+  /* Group order */
+  mpz_t q;
+
+  /* Generator */
+  mpz_t g;
+};
+
+void
+dsa_params_init (struct dsa_params *params);
+
+void
+dsa_params_clear (struct dsa_params *params);
+
+struct dsa_signature
+{
+  mpz_t r;
+  mpz_t s;
+};
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+dsa_signature_init(struct dsa_signature *signature);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+dsa_signature_clear(struct dsa_signature *signature);
+
+int
+dsa_sign(const struct dsa_params *params,
+	 const mpz_t x,
+	 void *random_ctx, nettle_random_func *random,
+	 size_t digest_size,
+	 const uint8_t *digest,
+	 struct dsa_signature *signature);
+
+int
+dsa_verify(const struct dsa_params *params,
+	   const mpz_t y,
+	   size_t digest_size,
+	   const uint8_t *digest,
+	   const struct dsa_signature *signature);
+
+
+/* Key generation */
+
+int
+dsa_generate_params(struct dsa_params *params,
+		    void *random_ctx, nettle_random_func *random,
+		    void *progress_ctx, nettle_progress_func *progress,
+		    unsigned p_bits, unsigned q_bits);
+
+void
+dsa_generate_keypair (const struct dsa_params *params,
+		      mpz_t pub, mpz_t key,
+		      void *random_ctx, nettle_random_func *random);
+
+/* Keys in sexp form. */
+
+struct nettle_buffer;
+
+/* Generates a public-key expression if PRIV is NULL .*/
+int
+dsa_keypair_to_sexp(struct nettle_buffer *buffer,
+		    const char *algorithm_name, /* NULL means "dsa" */
+		    const struct dsa_params *params,
+		    const mpz_t pub,
+		    const mpz_t priv);
+
+struct sexp_iterator;
+
+int
+dsa_signature_from_sexp(struct dsa_signature *rs,
+			struct sexp_iterator *i,
+			unsigned q_bits);
+
+int
+dsa_keypair_from_sexp_alist(struct dsa_params *params,
+			    mpz_t pub,
+			    mpz_t priv,
+			    unsigned p_max_bits,
+			    unsigned q_bits,
+			    struct sexp_iterator *i);
+
+/* If PRIV is NULL, expect a public-key expression. If PUB is NULL,
+ * expect a private key expression and ignore the parts not needed for
+ * the public key. */
+/* Keys must be initialized before calling this function, as usual. */
+int
+dsa_sha1_keypair_from_sexp(struct dsa_params *params,
+			   mpz_t pub,
+			   mpz_t priv,
+			   unsigned p_max_bits,
+			   size_t length, const uint8_t *expr);
+
+int
+dsa_sha256_keypair_from_sexp(struct dsa_params *params,
+			     mpz_t pub,
+			     mpz_t priv,
+			     unsigned p_max_bits,
+			     size_t length, const uint8_t *expr);
+
+/* Keys in X.509 andd OpenSSL format. */
+struct asn1_der_iterator;
+
+int
+dsa_params_from_der_iterator(struct dsa_params *params,
+			     unsigned max_bits, unsigned q_bits,
+			     struct asn1_der_iterator *i);
+
+int
+dsa_public_key_from_der_iterator(const struct dsa_params *params,
+				 mpz_t pub,
+				 struct asn1_der_iterator *i);
+
+int
+dsa_openssl_private_key_from_der_iterator(struct dsa_params *params,
+					  mpz_t pub,
+					  mpz_t priv,
+					  unsigned p_max_bits,
+					  struct asn1_der_iterator *i);
+
+int
+dsa_openssl_private_key_from_der(struct dsa_params *params,
+				 mpz_t pub,
+				 mpz_t priv,
+				 unsigned p_max_bits,
+				 size_t length, const uint8_t *data);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_DSA_H_INCLUDED */

include/nettle/eax.h

@@ -0,0 +1,185 @@
+/* eax.h
+
+   EAX mode, see http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf
+
+   Copyright (C) 2013 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_EAX_H_INCLUDED
+#define NETTLE_EAX_H_INCLUDED
+
+#include "aes.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define eax_set_key nettle_eax_set_key
+#define eax_set_nonce nettle_eax_set_nonce
+#define eax_update nettle_eax_update
+#define eax_encrypt nettle_eax_encrypt
+#define eax_decrypt nettle_eax_decrypt
+#define eax_digest nettle_eax_digest
+
+#define eax_aes128_set_key nettle_eax_aes128_set_key
+#define eax_aes128_set_nonce nettle_eax_aes128_set_nonce
+#define eax_aes128_update nettle_eax_aes128_update
+#define eax_aes128_encrypt nettle_eax_aes128_encrypt
+#define eax_aes128_decrypt nettle_eax_aes128_decrypt
+#define eax_aes128_digest nettle_eax_aes128_digest
+
+/* Restricted to block ciphers with 128 bit block size. FIXME: Reflect
+   this in naming? */
+
+#define EAX_BLOCK_SIZE 16
+#define EAX_DIGEST_SIZE 16
+/* FIXME: Reasonable default? */
+#define EAX_IV_SIZE 16
+
+/* Values independent of message and nonce */
+struct eax_key
+{
+  union nettle_block16 pad_block;
+  union nettle_block16 pad_partial;
+};
+
+struct eax_ctx
+{
+  union nettle_block16 omac_nonce;
+  union nettle_block16 omac_data;
+  union nettle_block16 omac_message;
+  union nettle_block16 ctr;
+};
+
+void
+eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f);
+
+void
+eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key,
+	       const void *cipher, nettle_cipher_func *f,
+	       size_t nonce_length, const uint8_t *nonce);
+
+void
+eax_update (struct eax_ctx *eax, const struct eax_key *key,
+	    const void *cipher, nettle_cipher_func *f,
+	    size_t data_length, const uint8_t *data);
+
+void
+eax_encrypt (struct eax_ctx *eax, const struct eax_key *key,
+	     const void *cipher, nettle_cipher_func *f,
+	     size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+eax_decrypt (struct eax_ctx *eax, const struct eax_key *key,
+	     const void *cipher, nettle_cipher_func *f,
+	     size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+eax_digest (struct eax_ctx *eax, const struct eax_key *key,
+	    const void *cipher, nettle_cipher_func *f,
+	    size_t length, uint8_t *digest);
+
+/* Put the cipher last, to get cipher-independent offsets for the EAX
+ * state. */
+#define EAX_CTX(type) \
+  { struct eax_key key; struct eax_ctx eax; type cipher; }
+
+#define EAX_SET_KEY(ctx, set_key, encrypt, data)			\
+  do {									\
+    (set_key)(&(ctx)->cipher, (data));					\
+    if (0) (encrypt) (&(ctx)->cipher, ~(size_t) 0,			\
+		      (uint8_t *) 0, (const uint8_t *) 0);		\
+    eax_set_key (&(ctx)->key, &(ctx)->cipher, (nettle_cipher_func *) encrypt); \
+  } while (0)
+
+#define EAX_SET_NONCE(ctx, encrypt, length, nonce)			\
+  (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0,				\
+		  (uint8_t *) 0, (const uint8_t *) 0)			\
+   : eax_set_nonce (&(ctx)->eax, &(ctx)->key,			\
+		    &(ctx)->cipher, (nettle_cipher_func *) (encrypt),	\
+		    (length), (nonce)))
+
+#define EAX_UPDATE(ctx, encrypt, length, data)				\
+  (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0,				\
+		  (uint8_t *) 0, (const uint8_t *) 0)			\
+   : eax_update (&(ctx)->eax, &(ctx)->key,				\
+		 &(ctx)->cipher, (nettle_cipher_func *) (encrypt),	\
+		 (length), (data)))
+
+#define EAX_ENCRYPT(ctx, encrypt, length, dst, src)			\
+  (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0,				\
+		  (uint8_t *) 0, (const uint8_t *) 0)			\
+   : eax_encrypt (&(ctx)->eax, &(ctx)->key,				\
+		 &(ctx)->cipher, (nettle_cipher_func *) (encrypt),	\
+		  (length), (dst), (src)))
+
+#define EAX_DECRYPT(ctx, encrypt, length, dst, src)			\
+  (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0,				\
+		  (uint8_t *) 0, (const uint8_t *) 0)			\
+   : eax_decrypt (&(ctx)->eax, &(ctx)->key,				\
+		 &(ctx)->cipher, (nettle_cipher_func *) (encrypt),	\
+		  (length), (dst), (src)))
+
+#define EAX_DIGEST(ctx, encrypt, length, digest)			\
+  (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0,				\
+		  (uint8_t *) 0, (const uint8_t *) 0)			\
+   : eax_digest (&(ctx)->eax, &(ctx)->key,				\
+		 &(ctx)->cipher, (nettle_cipher_func *) (encrypt),	\
+		 (length), (digest)))
+
+struct eax_aes128_ctx EAX_CTX(struct aes128_ctx);
+
+void
+eax_aes128_set_key(struct eax_aes128_ctx *ctx, const uint8_t *key);
+
+void
+eax_aes128_set_nonce(struct eax_aes128_ctx *ctx,
+		     size_t length, const uint8_t *iv);
+
+void
+eax_aes128_update(struct eax_aes128_ctx *ctx,
+		  size_t length, const uint8_t *data);
+
+void
+eax_aes128_encrypt(struct eax_aes128_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+eax_aes128_decrypt(struct eax_aes128_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+eax_aes128_digest(struct eax_aes128_ctx *ctx, size_t length, uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_EAX_H_INCLUDED */

include/nettle/ecc-curve.h

@@ -0,0 +1,58 @@
+/* ecc-curve.h
+
+   Copyright (C) 2013 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
+
+#ifndef NETTLE_ECC_CURVE_H_INCLUDED
+#define NETTLE_ECC_CURVE_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* The contents of this struct is internal. */
+struct ecc_curve;
+
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_384r1(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_521r1(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_ECC_CURVE_H_INCLUDED */

include/nettle/ecc.h

@@ -0,0 +1,159 @@
+/* ecc.h
+
+   Copyright (C) 2013 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
+
+#ifndef NETTLE_ECC_H_INCLUDED
+#define NETTLE_ECC_H_INCLUDED
+
+#include "nettle-types.h"
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define ecc_point_init nettle_ecc_point_init
+#define ecc_point_clear nettle_ecc_point_clear
+#define ecc_point_set nettle_ecc_point_set
+#define ecc_point_get nettle_ecc_point_get
+#define ecc_point_mul nettle_ecc_point_mul
+#define ecc_point_mul_g nettle_ecc_point_mul_g
+#define ecc_scalar_init nettle_ecc_scalar_init
+#define ecc_scalar_clear nettle_ecc_scalar_clear
+#define ecc_scalar_set nettle_ecc_scalar_set
+#define ecc_scalar_get nettle_ecc_scalar_get
+#define ecc_scalar_random nettle_ecc_scalar_random
+#define ecc_point_mul nettle_ecc_point_mul
+#define ecc_bit_size nettle_ecc_bit_size
+#define ecc_size nettle_ecc_size
+#define ecc_size_a nettle_ecc_size_a
+#define ecc_size_j nettle_ecc_size_j
+
+struct ecc_curve;
+
+/* High level interface, for ECDSA, DH, etc */
+
+/* Represents a point on the ECC curve */
+struct ecc_point
+{
+  const struct ecc_curve *ecc;
+  /* Allocated using the same allocation function as GMP. */
+  mp_limb_t *p;
+};
+
+/* Represents a non-zero scalar, an element of Z_q^*, where q is the
+   group order of the curve. */
+struct ecc_scalar
+{
+  const struct ecc_curve *ecc;
+  /* Allocated using the same allocation function as GMP. */
+  mp_limb_t *p;
+};
+
+void
+ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc);
+void
+ecc_point_clear (struct ecc_point *p);
+
+/* Fails and returns zero if the point is not on the curve. */
+int
+ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y);
+void
+ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y);
+
+void
+ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc);
+void
+ecc_scalar_clear (struct ecc_scalar *s);
+
+/* Fails and returns zero if the scalar is not in the proper range. */
+int
+ecc_scalar_set (struct ecc_scalar *s, const mpz_t z);
+void
+ecc_scalar_get (const struct ecc_scalar *s, mpz_t z);
+/* Generates a random scalar, suitable as an ECDSA private key or a
+   ECDH exponent. */
+void
+ecc_scalar_random (struct ecc_scalar *s,
+		   void *random_ctx, nettle_random_func *random);
+
+/* Computes r = n p */
+void
+ecc_point_mul (struct ecc_point *r, const struct ecc_scalar *n,
+	       const struct ecc_point *p);
+
+/* Computes r = n g */
+void
+ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n);
+
+
+/* Low-level interface */
+  
+/* Points on a curve are represented as arrays of mp_limb_t, with
+   curve-specific representation. For the secp curves, we use Jacobian
+   coordinates (possibly in Montgomery form for mod multiplication).
+   For curve25519 we use homogeneous coordinates on an equivalent
+   Edwards curve. The suffix "_h" denotes this internal
+   representation.
+   
+   Since we use additive notation for the groups, the infinity point
+   on the curve is denoted 0. The infinity point can be represented
+   with x = y = 0 in affine coordinates, and Z = 0 in Jacobian
+   coordinates. However, note that most of the ECC functions do *not*
+   support infinity as an input or output.
+*/
+
+/* Returns the bit size of a single coordinate (and of the prime p). */
+unsigned
+ecc_bit_size (const struct ecc_curve *ecc);
+
+/* Returns the size of a single coordinate. */
+mp_size_t
+ecc_size (const struct ecc_curve *ecc);
+
+/* Size of a point, using affine coordinates x, y. */
+mp_size_t
+ecc_size_a (const struct ecc_curve *ecc);
+
+/* Size of a point, using jacobian coordinates X, Y and Z. */
+mp_size_t
+ecc_size_j (const struct ecc_curve *ecc);
+
+/* FIXME: Define a generic ecc_dup, ecc_add, for any type of curve. Do
+   they need to handle infinity points? */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_ECC_H_INCLUDED */

include/nettle/ecdsa.h

@@ -0,0 +1,103 @@
+/* ecdsa.h
+
+   Copyright (C) 2013 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
+
+#ifndef NETTLE_ECDSA_H_INCLUDED
+#define NETTLE_ECDSA_H_INCLUDED
+
+#include "ecc.h"
+#include "dsa.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define ecdsa_sign nettle_ecdsa_sign
+#define ecdsa_verify nettle_ecdsa_verify
+#define ecdsa_generate_keypair nettle_ecdsa_generate_keypair
+#define ecc_ecdsa_sign nettle_ecc_ecdsa_sign
+#define ecc_ecdsa_sign_itch nettle_ecc_ecdsa_sign_itch
+#define ecc_ecdsa_verify nettle_ecc_ecdsa_verify
+#define ecc_ecdsa_verify_itch nettle_ecc_ecdsa_verify_itch
+
+/* High level ECDSA functions.
+ *
+ * A public key is represented as a struct ecc_point, and a private
+ * key as a struct ecc_scalar. FIXME: Introduce some aliases? */
+void
+ecdsa_sign (const struct ecc_scalar *key,
+	    void *random_ctx, nettle_random_func *random,
+	    size_t digest_length,
+	    const uint8_t *digest,
+	    struct dsa_signature *signature);
+
+int
+ecdsa_verify (const struct ecc_point *pub,
+	      size_t length, const uint8_t *digest,
+	      const struct dsa_signature *signature);
+
+void
+ecdsa_generate_keypair (struct ecc_point *pub,
+			struct ecc_scalar *key,
+			void *random_ctx, nettle_random_func *random);
+
+/* Low-level ECDSA functions. */
+mp_size_t
+ecc_ecdsa_sign_itch (const struct ecc_curve *ecc);
+
+void
+ecc_ecdsa_sign (const struct ecc_curve *ecc,
+		const mp_limb_t *zp,
+		/* Random nonce, must be invertible mod ecc group
+		   order. */
+		const mp_limb_t *kp,
+		size_t length, const uint8_t *digest,
+		mp_limb_t *rp, mp_limb_t *sp,
+		mp_limb_t *scratch);
+
+mp_size_t
+ecc_ecdsa_verify_itch (const struct ecc_curve *ecc);
+
+int
+ecc_ecdsa_verify (const struct ecc_curve *ecc,
+		  const mp_limb_t *pp, /* Public key */
+		  size_t length, const uint8_t *digest,
+		  const mp_limb_t *rp, const mp_limb_t *sp,
+		  mp_limb_t *scratch);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_ECDSA_H_INCLUDED */

include/nettle/eddsa.h

@@ -0,0 +1,90 @@
+/* eddsa.h
+
+   Copyright (C) 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_EDDSA_H
+#define NETTLE_EDDSA_H
+
+#include "nettle-types.h"
+
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define ed25519_sha512_set_private_key nettle_ed25519_sha512_set_private_key
+#define ed25519_sha512_public_key nettle_ed25519_sha512_public_key
+#define ed25519_sha512_sign nettle_ed25519_sha512_sign
+#define ed25519_sha512_verify nettle_ed25519_sha512_verify
+#define ed448_shake256_public_key nettle_ed448_shake256_public_key
+#define ed448_shake256_sign nettle_ed448_shake256_sign
+#define ed448_shake256_verify nettle_ed448_shake256_verify
+
+#define ED25519_KEY_SIZE 32
+#define ED25519_SIGNATURE_SIZE 64
+
+void
+ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv);
+
+void
+ed25519_sha512_sign (const uint8_t *pub,
+		     const uint8_t *priv,		     
+		     size_t length, const uint8_t *msg,
+		     uint8_t *signature);
+
+int
+ed25519_sha512_verify (const uint8_t *pub,
+		       size_t length, const uint8_t *msg,
+		       const uint8_t *signature);
+
+#define ED448_KEY_SIZE 57
+#define ED448_SIGNATURE_SIZE 114
+
+void
+ed448_shake256_public_key (uint8_t *pub, const uint8_t *priv);
+
+void
+ed448_shake256_sign (const uint8_t *pub,
+		     const uint8_t *priv,
+		     size_t length, const uint8_t *msg,
+		     uint8_t *signature);
+
+int
+ed448_shake256_verify (const uint8_t *pub,
+		       size_t length, const uint8_t *msg,
+		       const uint8_t *signature);
+			   
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_EDDSA_H */

include/nettle/gcm.h

@@ -0,0 +1,330 @@
+/* gcm.h
+
+   Galois counter mode, specified by NIST,
+   http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
+
+   Copyright (C) 2011 Katholieke Universiteit Leuven
+   Copyright (C) 2011, 2014 Niels Möller
+
+   Contributed by Nikos Mavrogiannopoulos
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_GCM_H_INCLUDED
+#define NETTLE_GCM_H_INCLUDED
+
+#include "aes.h"
+#include "camellia.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define gcm_set_key nettle_gcm_set_key
+#define gcm_set_iv nettle_gcm_set_iv
+#define gcm_update nettle_gcm_update
+#define gcm_encrypt nettle_gcm_encrypt
+#define gcm_decrypt nettle_gcm_decrypt
+#define gcm_digest nettle_gcm_digest
+
+#define gcm_aes128_set_key nettle_gcm_aes128_set_key
+#define gcm_aes128_set_iv nettle_gcm_aes128_set_iv
+#define gcm_aes128_update nettle_gcm_aes128_update
+#define gcm_aes128_encrypt nettle_gcm_aes128_encrypt
+#define gcm_aes128_decrypt nettle_gcm_aes128_decrypt
+#define gcm_aes128_digest nettle_gcm_aes128_digest
+
+#define gcm_aes192_set_key nettle_gcm_aes192_set_key
+#define gcm_aes192_set_iv nettle_gcm_aes192_set_iv
+#define gcm_aes192_update nettle_gcm_aes192_update
+#define gcm_aes192_encrypt nettle_gcm_aes192_encrypt
+#define gcm_aes192_decrypt nettle_gcm_aes192_decrypt
+#define gcm_aes192_digest nettle_gcm_aes192_digest
+
+#define gcm_aes256_set_key nettle_gcm_aes256_set_key
+#define gcm_aes256_set_iv nettle_gcm_aes256_set_iv
+#define gcm_aes256_update nettle_gcm_aes256_update
+#define gcm_aes256_encrypt nettle_gcm_aes256_encrypt
+#define gcm_aes256_decrypt nettle_gcm_aes256_decrypt
+#define gcm_aes256_digest nettle_gcm_aes256_digest
+
+#define gcm_aes_set_key nettle_gcm_aes_set_key
+#define gcm_aes_set_iv nettle_gcm_aes_set_iv
+#define gcm_aes_update nettle_gcm_aes_update
+#define gcm_aes_encrypt nettle_gcm_aes_encrypt
+#define gcm_aes_decrypt nettle_gcm_aes_decrypt
+#define gcm_aes_digest nettle_gcm_aes_digest
+
+#define gcm_camellia128_set_key nettle_gcm_camellia128_set_key
+#define gcm_camellia128_set_iv nettle_gcm_camellia128_set_iv
+#define gcm_camellia128_update nettle_gcm_camellia128_update
+#define gcm_camellia128_encrypt nettle_gcm_camellia128_encrypt
+#define gcm_camellia128_decrypt nettle_gcm_camellia128_decrypt
+#define gcm_camellia128_digest nettle_gcm_camellia128_digest
+
+#define gcm_camellia256_set_key nettle_gcm_camellia256_set_key
+#define gcm_camellia256_set_iv nettle_gcm_camellia256_set_iv
+#define gcm_camellia256_update nettle_gcm_camellia256_update
+#define gcm_camellia256_encrypt nettle_gcm_camellia256_encrypt
+#define gcm_camellia256_decrypt nettle_gcm_camellia256_decrypt
+#define gcm_camellia256_digest nettle_gcm_camellia256_digest
+
+#define GCM_BLOCK_SIZE 16
+#define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4)
+#define GCM_DIGEST_SIZE 16
+#define GCM_TABLE_BITS 8
+
+/* Hashing subkey */
+struct gcm_key
+{
+  union nettle_block16 h[1 << GCM_TABLE_BITS];
+};
+
+/* Per-message state, depending on the iv */
+struct gcm_ctx {
+  /* Original counter block */
+  union nettle_block16 iv;
+  /* Updated for each block. */
+  union nettle_block16 ctr;
+  /* Hashing state */
+  union nettle_block16 x;
+  uint64_t auth_size;
+  uint64_t data_size;
+};
+
+void
+gcm_set_key(struct gcm_key *key,
+	    const void *cipher, nettle_cipher_func *f);
+
+void
+gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key,
+	   size_t length, const uint8_t *iv);
+
+void
+gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key,
+	   size_t length, const uint8_t *data);
+
+void
+gcm_encrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
+	    const void *cipher, nettle_cipher_func *f,
+	    size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
+	    const void *cipher, nettle_cipher_func *f,
+	    size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key,
+	   const void *cipher, nettle_cipher_func *f,
+	   size_t length, uint8_t *digest);
+
+/* Convenience macrology (not sure how useful it is) */
+/* All-in-one context, with hash subkey, message state, and cipher. */
+#define GCM_CTX(type) \
+  { struct gcm_key key; struct gcm_ctx gcm; type cipher; }
+
+/* NOTE: Avoid using NULL, as we don't include anything defining it. */
+#define GCM_SET_KEY(ctx, set_key, encrypt, gcm_key)		\
+  do {								\
+    (set_key)(&(ctx)->cipher, (gcm_key));			\
+    if (0) (encrypt)(&(ctx)->cipher, ~(size_t) 0,		\
+		     (uint8_t *) 0, (const uint8_t *) 0);	\
+    gcm_set_key(&(ctx)->key, &(ctx)->cipher,			\
+		(nettle_cipher_func *) (encrypt));		\
+  } while (0)
+
+#define GCM_SET_IV(ctx, length, data)				\
+  gcm_set_iv(&(ctx)->gcm, &(ctx)->key, (length), (data))
+
+#define GCM_UPDATE(ctx, length, data)			\
+  gcm_update(&(ctx)->gcm, &(ctx)->key, (length), (data))
+
+#define GCM_ENCRYPT(ctx, encrypt, length, dst, src)			\
+  (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0,				\
+		 (uint8_t *) 0, (const uint8_t *) 0)			\
+     : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher,		\
+		   (nettle_cipher_func *) (encrypt),			\
+		   (length), (dst), (src)))
+
+#define GCM_DECRYPT(ctx, encrypt, length, dst, src)			\
+  (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0,				\
+		 (uint8_t *) 0, (const uint8_t *) 0)			\
+     : gcm_decrypt(&(ctx)->gcm,  &(ctx)->key, &(ctx)->cipher,		\
+		   (nettle_cipher_func *) (encrypt),			\
+		   (length), (dst), (src)))
+
+#define GCM_DIGEST(ctx, encrypt, length, digest)			\
+  (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0,				\
+		 (uint8_t *) 0, (const uint8_t *) 0)			\
+     : gcm_digest(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher,		\
+		  (nettle_cipher_func *) (encrypt),			\
+		  (length), (digest)))
+
+struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx);
+
+void
+gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key);
+
+/* FIXME: Define _update and _set_iv as some kind of aliaes,
+   there's nothing aes-specific. */
+void
+gcm_aes128_update (struct gcm_aes128_ctx *ctx,
+		   size_t length, const uint8_t *data);
+void
+gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx,
+		   size_t length, const uint8_t *iv);
+
+void
+gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+gcm_aes128_digest(struct gcm_aes128_ctx *ctx,
+		  size_t length, uint8_t *digest);
+
+struct gcm_aes192_ctx GCM_CTX(struct aes192_ctx);
+
+void
+gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key);
+
+void
+gcm_aes192_update (struct gcm_aes192_ctx *ctx,
+		   size_t length, const uint8_t *data);
+void
+gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx,
+		   size_t length, const uint8_t *iv);
+
+void
+gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+gcm_aes192_digest(struct gcm_aes192_ctx *ctx,
+		  size_t length, uint8_t *digest);
+
+struct gcm_aes256_ctx GCM_CTX(struct aes256_ctx);
+
+void
+gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key);
+
+void
+gcm_aes256_update (struct gcm_aes256_ctx *ctx,
+		   size_t length, const uint8_t *data);
+void
+gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx,
+		   size_t length, const uint8_t *iv);
+
+void
+gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx,
+		   size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+gcm_aes256_digest(struct gcm_aes256_ctx *ctx,
+		  size_t length, uint8_t *digest);
+
+/* Old deprecated aes interface, for backwards compatibility */
+struct gcm_aes_ctx GCM_CTX(struct aes_ctx);
+
+void
+gcm_aes_set_key(struct gcm_aes_ctx *ctx,
+		size_t length, const uint8_t *key) _NETTLE_ATTRIBUTE_DEPRECATED;
+
+void
+gcm_aes_set_iv(struct gcm_aes_ctx *ctx,
+	       size_t length, const uint8_t *iv) _NETTLE_ATTRIBUTE_DEPRECATED;
+
+void
+gcm_aes_update(struct gcm_aes_ctx *ctx,
+	       size_t length, const uint8_t *data) _NETTLE_ATTRIBUTE_DEPRECATED;
+
+void
+gcm_aes_encrypt(struct gcm_aes_ctx *ctx,
+		size_t length, uint8_t *dst, const uint8_t *src)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
+
+void
+gcm_aes_decrypt(struct gcm_aes_ctx *ctx,
+		size_t length, uint8_t *dst, const uint8_t *src)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
+
+void
+gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
+
+
+struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx);
+
+void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx,
+			     const uint8_t *key);
+void gcm_camellia128_set_iv(struct gcm_camellia128_ctx *ctx,
+			    size_t length, const uint8_t *iv);
+void gcm_camellia128_update(struct gcm_camellia128_ctx *ctx,
+			    size_t length, const uint8_t *data);
+void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx,
+			     size_t length, uint8_t *dst, const uint8_t *src);
+void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx,
+			     size_t length, uint8_t *dst, const uint8_t *src);
+void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx,
+			    size_t length, uint8_t *digest);
+
+
+struct gcm_camellia256_ctx GCM_CTX(struct camellia256_ctx);
+
+void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx,
+			     const uint8_t *key);
+void gcm_camellia256_set_iv(struct gcm_camellia256_ctx *ctx,
+			    size_t length, const uint8_t *iv);
+void gcm_camellia256_update(struct gcm_camellia256_ctx *ctx,
+			    size_t length, const uint8_t *data);
+void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx,
+			     size_t length, uint8_t *dst, const uint8_t *src);
+void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx,
+			     size_t length, uint8_t *dst, const uint8_t *src);
+void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx,
+			    size_t length, uint8_t *digest);
+
+  
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_GCM_H_INCLUDED */

include/nettle/gostdsa.h

@@ -0,0 +1,107 @@
+/* gostdsa.h
+
+   Copyright (C) 2015 Dmity Eremin-Solenikov
+   Copyright (C) 2013 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_GOSTDSA_H_INCLUDED
+#define NETTLE_GOSTDSA_H_INCLUDED
+
+#include "ecc.h"
+#include "dsa.h"
+#include "ecdsa.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define gostdsa_sign nettle_gostdsa_sign
+#define gostdsa_verify nettle_gostdsa_verify
+#define gostdsa_vko nettle_gostdsa_vko
+#define ecc_gostdsa_sign nettle_ecc_gostdsa_sign
+#define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch
+#define ecc_gostdsa_verify nettle_ecc_gostdsa_verify
+#define ecc_gostdsa_verify_itch nettle_ecc_gostdsa_verify_itch
+
+/* Just use ECDSA function for key generation */
+#define gostdsa_generate_keypair ecdsa_generate_keypair
+
+/* High level GOST DSA functions.
+ *
+ * A public key is represented as a struct ecc_point, and a private
+ * key as a struct ecc_scalar. FIXME: Introduce some aliases? */
+void
+gostdsa_sign (const struct ecc_scalar *key,
+	      void *random_ctx, nettle_random_func *random,
+	      size_t digest_length,
+	      const uint8_t *digest,
+	      struct dsa_signature *signature);
+
+int
+gostdsa_verify (const struct ecc_point *pub,
+	        size_t length, const uint8_t *digest,
+	        const struct dsa_signature *signature);
+
+void
+gostdsa_vko (const struct ecc_scalar *key,
+	     const struct ecc_point *pub,
+	     size_t ukm_length, const uint8_t *ukm,
+	     uint8_t *out);
+
+/* Low-level GOSTDSA functions. */
+mp_size_t
+ecc_gostdsa_sign_itch (const struct ecc_curve *ecc);
+
+void
+ecc_gostdsa_sign (const struct ecc_curve *ecc,
+		const mp_limb_t *zp,
+		/* Random nonce, must be invertible mod ecc group
+		   order. */
+		const mp_limb_t *kp,
+		size_t length, const uint8_t *digest,
+		mp_limb_t *rp, mp_limb_t *sp,
+		mp_limb_t *scratch);
+
+mp_size_t
+ecc_gostdsa_verify_itch (const struct ecc_curve *ecc);
+
+int
+ecc_gostdsa_verify (const struct ecc_curve *ecc,
+		  const mp_limb_t *pp, /* Public key */
+		  size_t length, const uint8_t *digest,
+		  const mp_limb_t *rp, const mp_limb_t *sp,
+		  mp_limb_t *scratch);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_GOSTDSA_H_INCLUDED */

include/nettle/gosthash94.h

@@ -0,0 +1,112 @@
+/* gosthash94.h
+
+   The GOST R 34.11-94 hash function, described in RFC 5831.
+
+   Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/* Based on rhash gost.h. */
+
+/* Copyright: 2009-2012 Aleksey Kravchenko <rhash.admin@gmail.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+/*
+ * Ported to nettle by Nikos Mavrogiannopoulos.
+ */
+
+#ifndef NETTLE_GOSTHASH94_H_INCLUDED
+#define NETTLE_GOSTHASH94_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define gosthash94_init nettle_gosthash94_init
+#define gosthash94_update nettle_gosthash94_update
+#define gosthash94_digest nettle_gosthash94_digest
+
+#define gosthash94cp_update nettle_gosthash94cp_update
+#define gosthash94cp_digest nettle_gosthash94cp_digest
+
+#define GOSTHASH94_BLOCK_SIZE 32
+#define GOSTHASH94_DIGEST_SIZE 32
+/* For backwards compatibility */
+#define GOSTHASH94_DATA_SIZE GOSTHASH94_BLOCK_SIZE
+
+#define GOSTHASH94CP_BLOCK_SIZE GOSTHASH94_BLOCK_SIZE
+#define GOSTHASH94CP_DIGEST_SIZE GOSTHASH94_DIGEST_SIZE
+
+struct gosthash94_ctx
+{
+  uint32_t hash[8]; /* algorithm 256-bit state */
+  uint32_t sum[8];  /* sum of processed message blocks */
+  uint64_t count;               /* Block count */
+  unsigned index;               /* Into buffer */
+  uint8_t block[GOSTHASH94_BLOCK_SIZE]; /* 256-bit buffer for leftovers */
+};
+#define gosthash94cp_ctx gosthash94_ctx
+
+void gosthash94_init(struct gosthash94_ctx *ctx);
+void gosthash94_update(struct gosthash94_ctx *ctx,
+		       size_t length, const uint8_t *msg);
+void gosthash94_digest(struct gosthash94_ctx *ctx,
+		       size_t length, uint8_t *result);
+
+#define gosthash94cp_init gosthash94_init
+void gosthash94cp_update(struct gosthash94_ctx *ctx,
+			 size_t length, const uint8_t *msg);
+void gosthash94cp_digest(struct gosthash94_ctx *ctx,
+			 size_t length, uint8_t *result);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_GOSTHASH94_H_INCLUDED */

include/nettle/hkdf.h

@@ -0,0 +1,67 @@
+/* hkdf.h
+
+   TLS PRF code (RFC-5246, RFC-2246).
+
+   Copyright (C) 2017 Red Hat, Inc.
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_HKDF_H_INCLUDED
+#define NETTLE_HKDF_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Namespace mangling */
+#define hkdf_extract nettle_hkdf_extract
+#define hkdf_expand nettle_hkdf_expand
+
+void
+hkdf_extract(void *mac_ctx,
+	     nettle_hash_update_func *update,
+	     nettle_hash_digest_func *digest,
+	     size_t digest_size,
+	     size_t secret_size, const uint8_t *secret,
+	     uint8_t *dst);
+
+void
+hkdf_expand(void *mac_ctx,
+	    nettle_hash_update_func *update,
+	    nettle_hash_digest_func *digest,
+	    size_t digest_size,
+	    size_t info_size, const uint8_t *info,
+	    size_t length, uint8_t *dst);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_HKDF_H_INCLUDED */

include/nettle/hmac.h

@@ -0,0 +1,280 @@
+/* hmac.h
+
+   HMAC message authentication code (RFC-2104).
+
+   Copyright (C) 2001, 2002 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_HMAC_H_INCLUDED
+#define NETTLE_HMAC_H_INCLUDED
+
+#include "nettle-meta.h"
+
+#include "gosthash94.h"
+#include "md5.h"
+#include "ripemd160.h"
+#include "sha1.h"
+#include "sha2.h"
+#include "streebog.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Namespace mangling */
+#define hmac_set_key nettle_hmac_set_key
+#define hmac_update nettle_hmac_update
+#define hmac_digest nettle_hmac_digest
+#define hmac_md5_set_key nettle_hmac_md5_set_key
+#define hmac_md5_update nettle_hmac_md5_update
+#define hmac_md5_digest nettle_hmac_md5_digest
+#define hmac_ripemd160_set_key nettle_hmac_ripemd160_set_key
+#define hmac_ripemd160_update nettle_hmac_ripemd160_update
+#define hmac_ripemd160_digest nettle_hmac_ripemd160_digest
+#define hmac_sha1_set_key nettle_hmac_sha1_set_key
+#define hmac_sha1_update nettle_hmac_sha1_update
+#define hmac_sha1_digest nettle_hmac_sha1_digest
+#define hmac_sha224_set_key nettle_hmac_sha224_set_key
+#define hmac_sha224_digest nettle_hmac_sha224_digest
+#define hmac_sha256_set_key nettle_hmac_sha256_set_key
+#define hmac_sha256_update nettle_hmac_sha256_update
+#define hmac_sha256_digest nettle_hmac_sha256_digest
+#define hmac_sha384_set_key nettle_hmac_sha384_set_key
+#define hmac_sha384_digest nettle_hmac_sha384_digest
+#define hmac_sha512_set_key nettle_hmac_sha512_set_key
+#define hmac_sha512_update nettle_hmac_sha512_update
+#define hmac_sha512_digest nettle_hmac_sha512_digest
+#define hmac_gosthash94_set_key nettle_hmac_gosthash94_set_key
+#define hmac_gosthash94_update nettle_hmac_gosthash94_update
+#define hmac_gosthash94_digest nettle_hmac_gosthash94_digest
+#define hmac_gosthash94cp_set_key nettle_hmac_gosthash94cp_set_key
+#define hmac_gosthash94cp_update nettle_hmac_gosthash94cp_update
+#define hmac_gosthash94cp_digest nettle_hmac_gosthash94cp_digest
+#define hmac_streebog256_set_key nettle_hmac_streebog256_set_key
+#define hmac_streebog256_digest nettle_hmac_streebog256_digest
+#define hmac_streebog512_set_key nettle_hmac_streebog512_set_key
+#define hmac_streebog512_update nettle_hmac_streebog512_update
+#define hmac_streebog512_digest nettle_hmac_streebog512_digest
+
+void
+hmac_set_key(void *outer, void *inner, void *state,
+	     const struct nettle_hash *hash,
+	     size_t length, const uint8_t *key);
+
+/* This function is not strictly needed, it's s just the same as the
+ * hash update function. */
+void
+hmac_update(void *state,
+	    const struct nettle_hash *hash,
+	    size_t length, const uint8_t *data);
+
+void
+hmac_digest(const void *outer, const void *inner, void *state,
+	    const struct nettle_hash *hash,
+	    size_t length, uint8_t *digest);
+
+
+#define HMAC_CTX(type) \
+{ type outer; type inner; type state; }
+
+#define HMAC_SET_KEY(ctx, hash, length, key)			\
+  hmac_set_key( &(ctx)->outer, &(ctx)->inner, &(ctx)->state,	\
+                (hash), (length), (key) )
+
+#define HMAC_DIGEST(ctx, hash, length, digest)			\
+  hmac_digest( &(ctx)->outer, &(ctx)->inner, &(ctx)->state,	\
+               (hash), (length), (digest) )
+
+/* HMAC using specific hash functions */
+
+/* hmac-md5 */
+struct hmac_md5_ctx HMAC_CTX(struct md5_ctx);
+
+void
+hmac_md5_set_key(struct hmac_md5_ctx *ctx,
+		 size_t key_length, const uint8_t *key);
+
+void
+hmac_md5_update(struct hmac_md5_ctx *ctx,
+		size_t length, const uint8_t *data);
+
+void
+hmac_md5_digest(struct hmac_md5_ctx *ctx,
+		size_t length, uint8_t *digest);
+
+
+/* hmac-ripemd160 */
+struct hmac_ripemd160_ctx HMAC_CTX(struct ripemd160_ctx);
+
+void
+hmac_ripemd160_set_key(struct hmac_ripemd160_ctx *ctx,
+		       size_t key_length, const uint8_t *key);
+
+void
+hmac_ripemd160_update(struct hmac_ripemd160_ctx *ctx,
+		      size_t length, const uint8_t *data);
+
+void
+hmac_ripemd160_digest(struct hmac_ripemd160_ctx *ctx,
+		      size_t length, uint8_t *digest);
+
+
+/* hmac-sha1 */
+struct hmac_sha1_ctx HMAC_CTX(struct sha1_ctx);
+
+void
+hmac_sha1_set_key(struct hmac_sha1_ctx *ctx,
+		  size_t key_length, const uint8_t *key);
+
+void
+hmac_sha1_update(struct hmac_sha1_ctx *ctx,
+		 size_t length, const uint8_t *data);
+
+void
+hmac_sha1_digest(struct hmac_sha1_ctx *ctx,
+		 size_t length, uint8_t *digest);
+
+/* hmac-sha256 */
+struct hmac_sha256_ctx HMAC_CTX(struct sha256_ctx);
+
+void
+hmac_sha256_set_key(struct hmac_sha256_ctx *ctx,
+		    size_t key_length, const uint8_t *key);
+
+void
+hmac_sha256_update(struct hmac_sha256_ctx *ctx,
+		   size_t length, const uint8_t *data);
+
+void
+hmac_sha256_digest(struct hmac_sha256_ctx *ctx,
+		   size_t length, uint8_t *digest);
+
+/* hmac-sha224 */
+#define hmac_sha224_ctx hmac_sha256_ctx
+
+void
+hmac_sha224_set_key(struct hmac_sha224_ctx *ctx,
+		    size_t key_length, const uint8_t *key);
+
+#define hmac_sha224_update nettle_hmac_sha256_update
+
+void
+hmac_sha224_digest(struct hmac_sha224_ctx *ctx,
+		   size_t length, uint8_t *digest);
+
+/* hmac-sha512 */
+struct hmac_sha512_ctx HMAC_CTX(struct sha512_ctx);
+
+void
+hmac_sha512_set_key(struct hmac_sha512_ctx *ctx,
+		    size_t key_length, const uint8_t *key);
+
+void
+hmac_sha512_update(struct hmac_sha512_ctx *ctx,
+		   size_t length, const uint8_t *data);
+
+void
+hmac_sha512_digest(struct hmac_sha512_ctx *ctx,
+		   size_t length, uint8_t *digest);
+
+/* hmac-sha384 */
+#define hmac_sha384_ctx hmac_sha512_ctx
+
+void
+hmac_sha384_set_key(struct hmac_sha512_ctx *ctx,
+		    size_t key_length, const uint8_t *key);
+
+#define hmac_sha384_update nettle_hmac_sha512_update
+
+void
+hmac_sha384_digest(struct hmac_sha512_ctx *ctx,
+		   size_t length, uint8_t *digest);
+
+/* hmac-gosthash94 */
+struct hmac_gosthash94_ctx HMAC_CTX(struct gosthash94_ctx);
+
+void
+hmac_gosthash94_set_key(struct hmac_gosthash94_ctx *ctx,
+			size_t key_length, const uint8_t *key);
+
+void
+hmac_gosthash94_update(struct hmac_gosthash94_ctx *ctx,
+		       size_t length, const uint8_t *data);
+
+  void
+hmac_gosthash94_digest(struct hmac_gosthash94_ctx *ctx,
+		       size_t length, uint8_t *digest);
+
+struct hmac_gosthash94cp_ctx HMAC_CTX(struct gosthash94cp_ctx);
+
+void
+hmac_gosthash94cp_set_key(struct hmac_gosthash94cp_ctx *ctx,
+			  size_t key_length, const uint8_t *key);
+
+void
+hmac_gosthash94cp_update(struct hmac_gosthash94cp_ctx *ctx,
+			 size_t length, const uint8_t *data);
+
+void
+hmac_gosthash94cp_digest(struct hmac_gosthash94cp_ctx *ctx,
+			 size_t length, uint8_t *digest);
+
+
+/* hmac-streebog */
+struct hmac_streebog512_ctx HMAC_CTX(struct streebog512_ctx);
+
+void
+hmac_streebog512_set_key(struct hmac_streebog512_ctx *ctx,
+		    size_t key_length, const uint8_t *key);
+
+void
+hmac_streebog512_update(struct hmac_streebog512_ctx *ctx,
+		   size_t length, const uint8_t *data);
+
+void
+hmac_streebog512_digest(struct hmac_streebog512_ctx *ctx,
+		   size_t length, uint8_t *digest);
+
+#define hmac_streebog256_ctx hmac_streebog512_ctx
+
+void
+hmac_streebog256_set_key(struct hmac_streebog256_ctx *ctx,
+		    size_t key_length, const uint8_t *key);
+
+#define hmac_streebog256_update hmac_streebog512_update
+
+void
+hmac_streebog256_digest(struct hmac_streebog256_ctx *ctx,
+		   size_t length, uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_HMAC_H_INCLUDED */

include/nettle/knuth-lfib.h

@@ -0,0 +1,80 @@
+/* knuth-lfib.h
+
+   The "lagged fibonacci" pseudorandomness generator, described in
+   Knuth, TAoCP, 3.6
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+/* NOTE: This generator is totally inappropriate for cryptographic
+ * applications. It is useful for generating deterministic but
+ * random-looking test data, and is used by the Nettle testsuite. */
+#ifndef NETTLE_KNUTH_LFIB_H_INCLUDED
+#define NETTLE_KNUTH_LFIB_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Namespace mangling */
+#define knuth_lfib_init nettle_knuth_lfib_init
+#define knuth_lfib_get nettle_knuth_lfib_get
+#define knuth_lfib_get_array nettle_knuth_lfib_get_array
+#define knuth_lfib_random nettle_knuth_lfib_random
+
+#define _KNUTH_LFIB_KK 100
+
+struct knuth_lfib_ctx
+{
+  uint32_t x[_KNUTH_LFIB_KK];
+  unsigned index;
+};
+
+void
+knuth_lfib_init(struct knuth_lfib_ctx *ctx, uint32_t seed);
+
+/* Get's a single number in the range 0 ... 2^30-1 */
+uint32_t
+knuth_lfib_get(struct knuth_lfib_ctx *ctx);
+
+/* Get an array of numbers */
+void
+knuth_lfib_get_array(struct knuth_lfib_ctx *ctx,
+		     size_t n, uint32_t *a);
+
+/* Get an array of octets. */
+void
+knuth_lfib_random(struct knuth_lfib_ctx *ctx,
+		  size_t n, uint8_t *dst);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_KNUTH_LFIB_H_INCLUDED */

include/nettle/macros.h

@@ -0,0 +1,245 @@
+/* macros.h
+
+   Copyright (C) 2001, 2010 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_MACROS_H_INCLUDED
+#define NETTLE_MACROS_H_INCLUDED
+
+/* Reads a 64-bit integer, in network, big-endian, byte order */
+#define READ_UINT64(p)				\
+(  (((uint64_t) (p)[0]) << 56)			\
+ | (((uint64_t) (p)[1]) << 48)			\
+ | (((uint64_t) (p)[2]) << 40)			\
+ | (((uint64_t) (p)[3]) << 32)			\
+ | (((uint64_t) (p)[4]) << 24)			\
+ | (((uint64_t) (p)[5]) << 16)			\
+ | (((uint64_t) (p)[6]) << 8)			\
+ |  ((uint64_t) (p)[7]))
+
+#define WRITE_UINT64(p, i)			\
+do {						\
+  (p)[0] = ((i) >> 56) & 0xff;			\
+  (p)[1] = ((i) >> 48) & 0xff;			\
+  (p)[2] = ((i) >> 40) & 0xff;			\
+  (p)[3] = ((i) >> 32) & 0xff;			\
+  (p)[4] = ((i) >> 24) & 0xff;			\
+  (p)[5] = ((i) >> 16) & 0xff;			\
+  (p)[6] = ((i) >> 8) & 0xff;			\
+  (p)[7] = (i) & 0xff;				\
+} while(0)
+
+/* Reads a 32-bit integer, in network, big-endian, byte order */
+#define READ_UINT32(p)				\
+(  (((uint32_t) (p)[0]) << 24)			\
+ | (((uint32_t) (p)[1]) << 16)			\
+ | (((uint32_t) (p)[2]) << 8)			\
+ |  ((uint32_t) (p)[3]))
+
+#define WRITE_UINT32(p, i)			\
+do {						\
+  (p)[0] = ((i) >> 24) & 0xff;			\
+  (p)[1] = ((i) >> 16) & 0xff;			\
+  (p)[2] = ((i) >> 8) & 0xff;			\
+  (p)[3] = (i) & 0xff;				\
+} while(0)
+
+/* Analogous macros, for 24 and 16 bit numbers */
+#define READ_UINT24(p)				\
+(  (((uint32_t) (p)[0]) << 16)			\
+ | (((uint32_t) (p)[1]) << 8)			\
+ |  ((uint32_t) (p)[2]))
+
+#define WRITE_UINT24(p, i)			\
+do {						\
+  (p)[0] = ((i) >> 16) & 0xff;			\
+  (p)[1] = ((i) >> 8) & 0xff;			\
+  (p)[2] = (i) & 0xff;				\
+} while(0)
+
+#define READ_UINT16(p)				\
+(  (((uint32_t) (p)[0]) << 8)			\
+ |  ((uint32_t) (p)[1]))
+
+#define WRITE_UINT16(p, i)			\
+do {						\
+  (p)[0] = ((i) >> 8) & 0xff;			\
+  (p)[1] = (i) & 0xff;				\
+} while(0)
+
+/* And the other, little-endian, byteorder */
+#define LE_READ_UINT64(p)			\
+(  (((uint64_t) (p)[7]) << 56)			\
+ | (((uint64_t) (p)[6]) << 48)			\
+ | (((uint64_t) (p)[5]) << 40)			\
+ | (((uint64_t) (p)[4]) << 32)			\
+ | (((uint64_t) (p)[3]) << 24)			\
+ | (((uint64_t) (p)[2]) << 16)			\
+ | (((uint64_t) (p)[1]) << 8)			\
+ |  ((uint64_t) (p)[0]))
+
+#define LE_WRITE_UINT64(p, i)			\
+do {						\
+  (p)[7] = ((i) >> 56) & 0xff;			\
+  (p)[6] = ((i) >> 48) & 0xff;			\
+  (p)[5] = ((i) >> 40) & 0xff;			\
+  (p)[4] = ((i) >> 32) & 0xff;			\
+  (p)[3] = ((i) >> 24) & 0xff;			\
+  (p)[2] = ((i) >> 16) & 0xff;			\
+  (p)[1] = ((i) >> 8) & 0xff;			\
+  (p)[0] = (i) & 0xff;				\
+} while (0)
+
+#define LE_READ_UINT32(p)			\
+(  (((uint32_t) (p)[3]) << 24)			\
+ | (((uint32_t) (p)[2]) << 16)			\
+ | (((uint32_t) (p)[1]) << 8)			\
+ |  ((uint32_t) (p)[0]))
+
+#define LE_WRITE_UINT32(p, i)			\
+do {						\
+  (p)[3] = ((i) >> 24) & 0xff;			\
+  (p)[2] = ((i) >> 16) & 0xff;			\
+  (p)[1] = ((i) >> 8) & 0xff;			\
+  (p)[0] = (i) & 0xff;				\
+} while(0)
+
+/* Analogous macros, for 16 bit numbers */
+#define LE_READ_UINT16(p)			\
+  (  (((uint32_t) (p)[1]) << 8)			\
+     |  ((uint32_t) (p)[0]))
+
+#define LE_WRITE_UINT16(p, i)			\
+  do {						\
+    (p)[1] = ((i) >> 8) & 0xff;			\
+    (p)[0] = (i) & 0xff;			\
+  } while(0)
+
+/* Macro to make it easier to loop over several blocks. */
+#define FOR_BLOCKS(length, dst, src, blocksize)	\
+  assert( !((length) % (blocksize)));           \
+  for (; (length); ((length) -= (blocksize),	\
+		  (dst) += (blocksize),		\
+		  (src) += (blocksize)) )
+
+/* The masking of the right shift is needed to allow n == 0 (using
+   just 32 - n and 64 - n results in undefined behaviour). Most uses
+   of these macros use a constant and non-zero rotation count. */
+#define ROTL32(n,x) (((x)<<(n)) | ((x)>>((-(n)&31))))
+
+#define ROTL64(n,x) (((x)<<(n)) | ((x)>>((-(n))&63)))
+
+/* Requires that size > 0 */
+#define INCREMENT(size, ctr)			\
+  do {						\
+    unsigned increment_i = (size) - 1;		\
+    if (++(ctr)[increment_i] == 0)		\
+      while (increment_i > 0			\
+	     && ++(ctr)[--increment_i] == 0 )	\
+	;					\
+  } while (0)
+
+
+/* Helper macro for Merkle-Damgård hash functions. Assumes the context
+   structs includes the following fields:
+
+     uint8_t block[...];		// Buffer holding one block
+     unsigned int index;		// Index into block
+*/
+
+/* Currently used by sha512 (and sha384) only. */
+#define MD_INCR(ctx) ((ctx)->count_high += !++(ctx)->count_low)
+
+/* Takes the compression function f as argument. NOTE: also clobbers
+   length and data. */
+#define MD_UPDATE(ctx, length, data, f, incr)				\
+  do {									\
+    if ((ctx)->index)							\
+      {									\
+	/* Try to fill partial block */					\
+	unsigned __md_left = sizeof((ctx)->block) - (ctx)->index;	\
+	if ((length) < __md_left)					\
+	  {								\
+	    memcpy((ctx)->block + (ctx)->index, (data), (length));	\
+	    (ctx)->index += (length);					\
+	    goto __md_done; /* Finished */				\
+	  }								\
+	else								\
+	  {								\
+	    memcpy((ctx)->block + (ctx)->index, (data), __md_left);	\
+									\
+	    f((ctx), (ctx)->block);					\
+	    (incr);							\
+									\
+	    (data) += __md_left;					\
+	    (length) -= __md_left;					\
+	  }								\
+      }									\
+    while ((length) >= sizeof((ctx)->block))				\
+      {									\
+	f((ctx), (data));						\
+	(incr);								\
+									\
+	(data) += sizeof((ctx)->block);					\
+	(length) -= sizeof((ctx)->block);				\
+      }									\
+    memcpy ((ctx)->block, (data), (length));				\
+    (ctx)->index = (length);						\
+  __md_done:								\
+    ;									\
+  } while (0)
+
+/* Pads the block to a block boundary with the bit pattern 1 0*,
+   leaving size octets for the length field at the end. If needed,
+   compresses the block and starts a new one. */
+#define MD_PAD(ctx, size, f)						\
+  do {									\
+    unsigned __md_i;							\
+    __md_i = (ctx)->index;						\
+									\
+    /* Set the first char of padding to 0x80. This is safe since there	\
+       is always at least one byte free */				\
+									\
+    assert(__md_i < sizeof((ctx)->block));				\
+    (ctx)->block[__md_i++] = 0x80;					\
+									\
+    if (__md_i > (sizeof((ctx)->block) - (size)))			\
+      { /* No room for length in this block. Process it and		\
+	   pad with another one */					\
+	memset((ctx)->block + __md_i, 0, sizeof((ctx)->block) - __md_i); \
+									\
+	f((ctx), (ctx)->block);						\
+	__md_i = 0;							\
+      }									\
+    memset((ctx)->block + __md_i, 0,					\
+	   sizeof((ctx)->block) - (size) - __md_i);			\
+									\
+  } while (0)
+
+#endif /* NETTLE_MACROS_H_INCLUDED */

include/nettle/memxor.h

@@ -0,0 +1,25 @@
+/* memxor.h
+ *
+ */
+
+#ifndef NETTLE_MEMXOR_H_INCLUDED
+#define NETTLE_MEMXOR_H_INCLUDED
+
+#include <stdlib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define memxor nettle_memxor
+#define memxor3 nettle_memxor3
+
+void *memxor(void *dst, const void *src, size_t n);
+void *memxor3(void *dst, const void *a, const void *b, size_t n);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_MEMXOR_H_INCLUDED */

include/nettle/nettle-meta.h

@@ -0,0 +1,298 @@
+/* nettle-meta.h
+
+   Information about algorithms.
+
+   Copyright (C) 2002, 2014, 2020 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_META_H_INCLUDED
+#define NETTLE_META_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+struct nettle_cipher
+{
+  const char *name;
+  
+  unsigned context_size;
+  
+  /* Zero for stream ciphers */
+  unsigned block_size;
+
+  /* Suggested key size; other sizes are sometimes possible. */
+  unsigned key_size;
+
+  nettle_set_key_func *set_encrypt_key;
+  nettle_set_key_func *set_decrypt_key;
+
+  nettle_cipher_func *encrypt;
+  nettle_cipher_func *decrypt;
+};
+
+/* null-terminated list of ciphers implemented by this version of nettle */
+const struct nettle_cipher * const * _NETTLE_ATTRIBUTE_PURE
+nettle_get_ciphers (void);
+
+#define nettle_ciphers (nettle_get_ciphers())
+
+extern const struct nettle_cipher nettle_aes128;
+extern const struct nettle_cipher nettle_aes192;
+extern const struct nettle_cipher nettle_aes256;
+
+extern const struct nettle_cipher nettle_camellia128;
+extern const struct nettle_cipher nettle_camellia192;
+extern const struct nettle_cipher nettle_camellia256;
+
+extern const struct nettle_cipher nettle_cast128;
+
+extern const struct nettle_cipher nettle_serpent128;
+extern const struct nettle_cipher nettle_serpent192;
+extern const struct nettle_cipher nettle_serpent256;
+
+extern const struct nettle_cipher nettle_twofish128;
+extern const struct nettle_cipher nettle_twofish192;
+extern const struct nettle_cipher nettle_twofish256;
+
+extern const struct nettle_cipher nettle_arctwo40;
+extern const struct nettle_cipher nettle_arctwo64;
+extern const struct nettle_cipher nettle_arctwo128;
+extern const struct nettle_cipher nettle_arctwo_gutmann128;
+
+struct nettle_hash
+{
+  const char *name;
+
+  /* Size of the context struct */
+  unsigned context_size;
+
+  /* Size of digests */
+  unsigned digest_size;
+  
+  /* Internal block size */
+  unsigned block_size;
+
+  nettle_hash_init_func *init;
+  nettle_hash_update_func *update;
+  nettle_hash_digest_func *digest;
+};
+
+#define _NETTLE_HASH(name, NAME) {		\
+ #name,						\
+ sizeof(struct name##_ctx),			\
+ NAME##_DIGEST_SIZE,				\
+ NAME##_BLOCK_SIZE,				\
+ (nettle_hash_init_func *) name##_init,		\
+ (nettle_hash_update_func *) name##_update,	\
+ (nettle_hash_digest_func *) name##_digest	\
+} 
+
+/* null-terminated list of digests implemented by this version of nettle */
+const struct nettle_hash * const * _NETTLE_ATTRIBUTE_PURE
+nettle_get_hashes (void);
+
+#define nettle_hashes (nettle_get_hashes())
+
+const struct nettle_hash *
+nettle_lookup_hash (const char *name);
+
+extern const struct nettle_hash nettle_md2;
+extern const struct nettle_hash nettle_md4;
+extern const struct nettle_hash nettle_md5;
+extern const struct nettle_hash nettle_gosthash94;
+extern const struct nettle_hash nettle_gosthash94cp;
+extern const struct nettle_hash nettle_ripemd160;
+extern const struct nettle_hash nettle_sha1;
+extern const struct nettle_hash nettle_sha224;
+extern const struct nettle_hash nettle_sha256;
+extern const struct nettle_hash nettle_sha384;
+extern const struct nettle_hash nettle_sha512;
+extern const struct nettle_hash nettle_sha512_224;
+extern const struct nettle_hash nettle_sha512_256;
+extern const struct nettle_hash nettle_sha3_224;
+extern const struct nettle_hash nettle_sha3_256;
+extern const struct nettle_hash nettle_sha3_384;
+extern const struct nettle_hash nettle_sha3_512;
+extern const struct nettle_hash nettle_streebog256;
+extern const struct nettle_hash nettle_streebog512;
+
+struct nettle_mac
+{
+  const char *name;
+
+  /* Size of the context struct */
+  unsigned context_size;
+
+  /* Size of digests */
+  unsigned digest_size;
+
+  /* Key size */
+  unsigned key_size;
+
+  nettle_set_key_func *set_key;
+  nettle_hash_update_func *update;
+  nettle_hash_digest_func *digest;
+};
+
+struct nettle_aead
+{
+  const char *name;
+  
+  unsigned context_size;
+  /* Block size for encrypt and decrypt. */
+  unsigned block_size;
+  unsigned key_size;
+  unsigned nonce_size;
+  unsigned digest_size;
+
+  nettle_set_key_func *set_encrypt_key;
+  nettle_set_key_func *set_decrypt_key;
+  nettle_set_key_func *set_nonce;
+  nettle_hash_update_func *update;
+  nettle_crypt_func *encrypt;
+  nettle_crypt_func *decrypt;
+  /* FIXME: Drop length argument? */
+  nettle_hash_digest_func *digest;
+};
+
+/* null-terminated list of aead constructions implemented by this
+   version of nettle */
+const struct nettle_aead * const * _NETTLE_ATTRIBUTE_PURE
+nettle_get_aeads (void);
+
+#define nettle_aeads (nettle_get_aeads())
+
+extern const struct nettle_aead nettle_gcm_aes128;
+extern const struct nettle_aead nettle_gcm_aes192;
+extern const struct nettle_aead nettle_gcm_aes256;
+extern const struct nettle_aead nettle_gcm_camellia128;
+extern const struct nettle_aead nettle_gcm_camellia256;
+extern const struct nettle_aead nettle_eax_aes128;
+extern const struct nettle_aead nettle_chacha_poly1305;
+
+struct nettle_armor
+{
+  const char *name;
+  unsigned encode_context_size;
+  unsigned decode_context_size;
+
+  unsigned encode_final_length;
+
+  nettle_armor_init_func *encode_init;
+  nettle_armor_length_func *encode_length;
+  nettle_armor_encode_update_func *encode_update;
+  nettle_armor_encode_final_func *encode_final;
+  
+  nettle_armor_init_func *decode_init;
+  nettle_armor_length_func *decode_length;
+  nettle_armor_decode_update_func *decode_update;
+  nettle_armor_decode_final_func *decode_final;
+};
+
+#define _NETTLE_ARMOR(name, NAME) {				\
+  #name,							\
+  sizeof(struct name##_encode_ctx),				\
+  sizeof(struct name##_decode_ctx),				\
+  NAME##_ENCODE_FINAL_LENGTH,					\
+  (nettle_armor_init_func *) name##_encode_init,		\
+  (nettle_armor_length_func *) name##_encode_length,		\
+  (nettle_armor_encode_update_func *) name##_encode_update,	\
+  (nettle_armor_encode_final_func *) name##_encode_final,	\
+  (nettle_armor_init_func *) name##_decode_init,		\
+  (nettle_armor_length_func *) name##_decode_length,		\
+  (nettle_armor_decode_update_func *) name##_decode_update,	\
+  (nettle_armor_decode_final_func *) name##_decode_final,	\
+}
+
+#define _NETTLE_ARMOR_0(name, NAME) {				\
+  #name,							\
+  0,								\
+  sizeof(struct name##_decode_ctx),				\
+  NAME##_ENCODE_FINAL_LENGTH,					\
+  (nettle_armor_init_func *) name##_encode_init,		\
+  (nettle_armor_length_func *) name##_encode_length,		\
+  (nettle_armor_encode_update_func *) name##_encode_update,	\
+  (nettle_armor_encode_final_func *) name##_encode_final,	\
+  (nettle_armor_init_func *) name##_decode_init,		\
+  (nettle_armor_length_func *) name##_decode_length,		\
+  (nettle_armor_decode_update_func *) name##_decode_update,	\
+  (nettle_armor_decode_final_func *) name##_decode_final,	\
+}
+
+/* null-terminated list of armor schemes implemented by this version of nettle */
+const struct nettle_armor * const * _NETTLE_ATTRIBUTE_PURE
+nettle_get_armors (void);
+
+#define nettle_armors (nettle_get_armors())
+
+extern const struct nettle_armor nettle_base64;
+extern const struct nettle_armor nettle_base64url;
+extern const struct nettle_armor nettle_base16;
+
+#define _NETTLE_HMAC(name, HASH) {		\
+  #name,					\
+  sizeof(struct name##_ctx),			\
+  HASH##_DIGEST_SIZE,				\
+  HASH##_DIGEST_SIZE,				\
+  name##_set_key_wrapper,			\
+  (nettle_hash_update_func *) name##_update,	\
+  (nettle_hash_digest_func *) name##_digest,	\
+}
+
+/* null-terminated list of macs implemented by this
+   version of nettle */
+const struct nettle_mac * const * _NETTLE_ATTRIBUTE_PURE
+nettle_get_macs (void);
+
+#define nettle_macs (nettle_get_macs())
+
+extern const struct nettle_mac nettle_cmac_aes128;
+extern const struct nettle_mac nettle_cmac_aes256;
+extern const struct nettle_mac nettle_cmac_des3;
+
+/* HMAC variants with key size = digest size */
+extern const struct nettle_mac nettle_hmac_md5;
+extern const struct nettle_mac nettle_hmac_ripemd160;
+extern const struct nettle_mac nettle_hmac_sha1;
+extern const struct nettle_mac nettle_hmac_sha224;
+extern const struct nettle_mac nettle_hmac_sha256;
+extern const struct nettle_mac nettle_hmac_sha384;
+extern const struct nettle_mac nettle_hmac_sha512;
+extern const struct nettle_mac nettle_hmac_streebog256;
+extern const struct nettle_mac nettle_hmac_streebog512;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_META_H_INCLUDED */

include/nettle/nettle-types.h

@@ -0,0 +1,131 @@
+/* nettle-types.h
+
+   Copyright (C) 2005, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_TYPES_H
+#define NETTLE_TYPES_H
+
+/* For size_t */
+#include <stddef.h>
+#include <stdint.h>
+
+/* Attributes we want to use in installed header files, and hence
+   can't rely on config.h. */
+#ifdef __GNUC__
+
+#define _NETTLE_ATTRIBUTE_PURE __attribute__((pure))
+#ifndef _NETTLE_ATTRIBUTE_DEPRECATED
+/* Variant without message is supported since gcc-3.1 or so. */
+#define _NETTLE_ATTRIBUTE_DEPRECATED __attribute__((deprecated))
+#endif
+
+#else /* !__GNUC__ */
+
+#define _NETTLE_ATTRIBUTE_PURE
+#define _NETTLE_ATTRIBUTE_DEPRECATED
+
+#endif /* !__GNUC__ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* An aligned 16-byte block. */
+union nettle_block16
+{
+  uint8_t b[16];
+  unsigned long w[16 / sizeof(unsigned long)] _NETTLE_ATTRIBUTE_DEPRECATED;
+  uint64_t u64[2];
+};
+
+union nettle_block8
+{
+  uint8_t b[8];
+  uint64_t u64;
+};
+
+/* Randomness. Used by key generation and dsa signature creation. */
+typedef void nettle_random_func(void *ctx,
+				size_t length, uint8_t *dst);
+
+/* Progress report function, mainly for key generation. */
+typedef void nettle_progress_func(void *ctx, int c);
+
+/* Realloc function, used by struct nettle_buffer. */
+typedef void *nettle_realloc_func(void *ctx, void *p, size_t length);
+
+/* Ciphers */
+typedef void nettle_set_key_func(void *ctx, const uint8_t *key);
+
+/* For block ciphers, const context. */
+typedef void nettle_cipher_func(const void *ctx,
+				size_t length, uint8_t *dst,
+				const uint8_t *src);
+
+
+/* Uses a void * for cipher contexts. Used for crypt operations where
+   the internal state changes during the encryption. */
+typedef void nettle_crypt_func(void *ctx,
+			       size_t length, uint8_t *dst,
+			       const uint8_t *src);
+
+/* Hash algorithms */
+typedef void nettle_hash_init_func(void *ctx);
+typedef void nettle_hash_update_func(void *ctx,
+				     size_t length,
+				     const uint8_t *src);
+typedef void nettle_hash_digest_func(void *ctx,
+				     size_t length, uint8_t *dst);
+
+/* ASCII armor codecs. NOTE: Experimental and subject to change. */
+
+typedef size_t nettle_armor_length_func(size_t length);
+typedef void nettle_armor_init_func(void *ctx);
+
+typedef size_t nettle_armor_encode_update_func(void *ctx,
+					       char *dst,
+					       size_t src_length,
+					       const uint8_t *src);
+
+typedef size_t nettle_armor_encode_final_func(void *ctx, char *dst);
+
+typedef int nettle_armor_decode_update_func(void *ctx,
+					    size_t *dst_length,
+					    uint8_t *dst,
+					    size_t src_length,
+					    const char *src);
+
+typedef int nettle_armor_decode_final_func(void *ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_TYPES_H */

include/nettle/pbkdf2.h

@@ -0,0 +1,106 @@
+/* pbkdf2.h
+
+   PKCS #5 password-based key derivation function PBKDF2, see RFC 2898.
+
+   Copyright (C) 2012 Simon Josefsson
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_PBKDF2_H_INCLUDED
+#define NETTLE_PBKDF2_H_INCLUDED
+
+#include "nettle-meta.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/* Namespace mangling */
+#define pbkdf2 nettle_pbkdf2
+#define pbkdf2_hmac_sha1 nettle_pbkdf2_hmac_sha1
+#define pbkdf2_hmac_sha256 nettle_pbkdf2_hmac_sha256
+#define pbkdf2_hmac_sha384 nettle_pbkdf2_hmac_sha384
+#define pbkdf2_hmac_sha512 nettle_pbkdf2_hmac_sha512
+#define pbkdf2_hmac_gosthash94cp nettle_pbkdf2_hmac_gosthash94cp
+
+void
+pbkdf2 (void *mac_ctx,
+	nettle_hash_update_func *update,
+	nettle_hash_digest_func *digest,
+	size_t digest_size, unsigned iterations,
+	size_t salt_length, const uint8_t *salt,
+	size_t length, uint8_t *dst);
+
+#define PBKDF2(ctx, update, digest, digest_size,			\
+	       iterations, salt_length, salt, length, dst)		\
+  (0 ? ((update)((ctx), 0, (uint8_t *) 0),				\
+	(digest)((ctx), 0, (uint8_t *) 0))				\
+   : pbkdf2 ((ctx),							\
+	     (nettle_hash_update_func *)(update),			\
+	     (nettle_hash_digest_func *)(digest),			\
+	     (digest_size), (iterations),				\
+	     (salt_length), (salt), (length), (dst)))
+
+/* PBKDF2 with specific PRFs. */
+
+void
+pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key,
+		  unsigned iterations,
+		  size_t salt_length, const uint8_t *salt,
+		  size_t length, uint8_t *dst);
+
+void
+pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key,
+		    unsigned iterations,
+		    size_t salt_length, const uint8_t *salt,
+		    size_t length, uint8_t *dst);
+
+void
+pbkdf2_hmac_sha384 (size_t key_length, const uint8_t *key,
+		    unsigned iterations,
+		    size_t salt_length, const uint8_t *salt,
+		    size_t length, uint8_t *dst);
+
+void
+pbkdf2_hmac_sha512 (size_t key_length, const uint8_t *key,
+		    unsigned iterations,
+		    size_t salt_length, const uint8_t *salt,
+		    size_t length, uint8_t *dst);
+
+void
+pbkdf2_hmac_gosthash94cp (size_t key_length, const uint8_t *key,
+			  unsigned iterations,
+			  size_t salt_length, const uint8_t *salt,
+			  size_t length, uint8_t *dst);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_PBKDF2_H_INCLUDED */

include/nettle/pgp.h

@@ -0,0 +1,248 @@
+/* pgp.h
+
+   PGP related functions.
+
+   Copyright (C) 2001, 2002 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_PGP_H_INCLUDED
+#define NETTLE_PGP_H_INCLUDED
+
+#include <time.h>
+
+#include "nettle-types.h"
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define pgp_put_uint32 nettle_pgp_put_uint32
+#define pgp_put_uint16 nettle_pgp_put_uint16
+#define pgp_put_mpi nettle_pgp_put_mpi
+#define pgp_put_string nettle_pgp_put_string
+#define pgp_put_length nettle_pgp_put_length
+#define pgp_put_header nettle_pgp_put_header
+#define pgp_put_header_length nettle_pgp_put_header_length
+#define pgp_sub_packet_start nettle_pgp_sub_packet_start
+#define pgp_put_sub_packet nettle_pgp_put_sub_packet
+#define pgp_sub_packet_end nettle_pgp_sub_packet_end
+#define pgp_put_public_rsa_key nettle_pgp_put_public_rsa_key
+#define pgp_put_rsa_sha1_signature nettle_pgp_put_rsa_sha1_signature
+#define pgp_put_userid nettle_pgp_put_userid
+#define pgp_crc24 nettle_pgp_crc24
+#define pgp_armor nettle_pgp_armor
+
+struct nettle_buffer;
+struct rsa_public_key;
+struct rsa_private_key;
+struct sha1_ctx;
+
+int
+pgp_put_uint32(struct nettle_buffer *buffer, uint32_t i);
+
+int
+pgp_put_uint16(struct nettle_buffer *buffer, unsigned i);
+
+int
+pgp_put_mpi(struct nettle_buffer *buffer, const mpz_t x);
+
+int
+pgp_put_string(struct nettle_buffer *buffer,
+	       unsigned length,
+	       const uint8_t *s);
+
+int
+pgp_put_length(struct nettle_buffer *buffer,
+	       unsigned length);
+
+int
+pgp_put_header(struct nettle_buffer *buffer,
+	       unsigned tag, unsigned length);
+
+void
+pgp_put_header_length(struct nettle_buffer *buffer,
+		      /* start of the header */
+		      unsigned start,
+		      unsigned field_size);
+
+unsigned
+pgp_sub_packet_start(struct nettle_buffer *buffer);
+
+int
+pgp_put_sub_packet(struct nettle_buffer *buffer,
+		   unsigned type,
+		   unsigned length,
+		   const uint8_t *data);
+
+void
+pgp_sub_packet_end(struct nettle_buffer *buffer, unsigned start);
+
+int
+pgp_put_public_rsa_key(struct nettle_buffer *,
+		       const struct rsa_public_key *key,
+		       time_t timestamp);
+
+int
+pgp_put_rsa_sha1_signature(struct nettle_buffer *buffer,
+			   const struct rsa_private_key *key,
+			   const uint8_t *keyid,
+			   unsigned type,
+			   struct sha1_ctx *hash);
+
+int
+pgp_put_userid(struct nettle_buffer *buffer,
+	       unsigned length,
+	       const uint8_t *name);
+
+uint32_t
+pgp_crc24(unsigned length, const uint8_t *data);
+
+int
+pgp_armor(struct nettle_buffer *buffer,
+	  const char *tag,
+	  unsigned length,
+	  const uint8_t *data);
+
+/* Values that can be passed to pgp_put_header when the size of the
+ * length field, but not the length itself, is known. Also the minimum length
+ * for the given field size. */
+enum pgp_lengths
+  {
+    PGP_LENGTH_ONE_OCTET = 0,
+    PGP_LENGTH_TWO_OCTETS = 192,
+    PGP_LENGTH_FOUR_OCTETS = 8384,
+  };
+
+enum pgp_public_key_algorithm
+  {
+    PGP_RSA = 1,
+    PGP_RSA_ENCRYPT = 2,
+    PGP_RSA_SIGN = 3,
+    PGP_EL_GAMAL_ENCRYPT = 16,
+    PGP_DSA = 17,
+    PGP_EL_GAMAL = 20,
+  };
+
+enum pgp_symmetric_algorithm
+  {
+    PGP_PLAINTEXT = 0,
+    PGP_IDEA = 1,
+    PGP_3DES = 2,
+    PGP_CAST5 = 3,
+    PGP_BLOWFISH = 4,
+    PGP_SAFER_SK = 5,
+    PGP_AES128 = 7,
+    PGP_AES192 = 8,
+    PGP_AES256 = 9,
+  };
+
+enum pgp_compression_algorithm
+  {
+    PGP_UNCOMPRESSED = 0,
+    PGP_ZIP = 1,
+    PGP_ZLIB = 2,
+  };
+
+enum pgp_hash_algorithm
+  {
+    PGP_MD5 = 1,
+    PGP_SHA1 = 2,
+    PGP_RIPEMD = 3,
+    PGP_MD2 = 5,
+    PGP_TIGER192 = 6,
+    PGP_HAVAL = 7,
+  };
+
+enum pgp_tag
+  {
+    PGP_TAG_PUBLIC_SESSION_KEY = 1,
+    PGP_TAG_SIGNATURE = 2,
+    PGP_TAG_SYMMETRIC_SESSION_KEY = 3,
+    PGP_TAG_ONE_PASS_SIGNATURE = 4,
+    PGP_TAG_SECRET_KEY = 5,
+    PGP_TAG_PUBLIC_KEY = 6,
+    PGP_TAG_SECRET_SUBKEY = 7,
+    PGP_TAG_COMPRESSED = 8,
+    PGP_TAG_ENCRYPTED = 9,
+    PGP_TAG_MARKER = 10,
+    PGP_TAG_LITERAL = 11,
+    PGP_TAG_TRUST = 12,
+    PGP_TAG_USERID = 13,
+    PGP_TAG_PUBLIC_SUBKEY = 14,
+  };
+
+enum pgp_signature_type
+  {
+    PGP_SIGN_BINARY = 0,
+    PGP_SIGN_TEXT = 1,
+    PGP_SIGN_STANDALONE = 2,
+    PGP_SIGN_CERTIFICATION = 0x10,
+    PGP_SIGN_CERTIFICATION_PERSONA = 0x11,
+    PGP_SIGN_CERTIFICATION_CASUAL = 0x12,
+    PGP_SIGN_CERTIFICATION_POSITIVE = 0x13,
+    PGP_SIGN_SUBKEY = 0x18,
+    PGP_SIGN_KEY = 0x1f,
+    PGP_SIGN_REVOCATION = 0x20,
+    PGP_SIGN_REVOCATION_SUBKEY = 0x28,
+    PGP_SIGN_REVOCATION_CERTIFICATE = 0x30,
+    PGP_SIGN_TIMESTAMP = 0x40,
+  };
+
+enum pgp_subpacket_tag
+  {
+    PGP_SUBPACKET_CREATION_TIME = 2,
+    PGP_SUBPACKET_SIGNATURE_EXPIRATION_TIME = 3,
+    PGP_SUBPACKET_EXPORTABLE_CERTIFICATION = 4,
+    PGP_SUBPACKET_TRUST_SIGNATURE = 5,
+    PGP_SUBPACKET_REGULAR_EXPRESSION = 6,
+    PGP_SUBPACKET_REVOCABLE = 7,
+    PGP_SUBPACKET_KEY_EXPIRATION_TIME = 9,
+    PGP_SUBPACKET_PLACEHOLDER = 10 ,
+    PGP_SUBPACKET_PREFERRED_SYMMETRIC_ALGORITHMS = 11,
+    PGP_SUBPACKET_REVOCATION_KEY = 12,
+    PGP_SUBPACKET_ISSUER_KEY_ID = 16,
+    PGP_SUBPACKET_NOTATION_DATA = 20,
+    PGP_SUBPACKET_PREFERRED_HASH_ALGORITHMS = 21,
+    PGP_SUBPACKET_PREFERRED_COMPRESSION_ALGORITHMS = 22,
+    PGP_SUBPACKET_KEY_SERVER_PREFERENCES = 23,
+    PGP_SUBPACKET_PREFERRED_KEY_SERVER = 24,
+    PGP_SUBPACKET_PRIMARY_USER_ID = 25,
+    PGP_SUBPACKET_POLICY_URL = 26,
+    PGP_SUBPACKET_KEY_FLAGS = 27,
+    PGP_SUBPACKET_SIGNERS_USER_ID = 28,
+    PGP_SUBPACKET_REASON_FOR_REVOCATION = 29,
+  };
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_PGP_H_INCLUDED */

include/nettle/pkcs1.h

@@ -0,0 +1,106 @@
+/* pkcs1.h
+
+   PKCS1 embedding.
+
+   Copyright (C) 2003 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_PKCS1_H_INCLUDED
+#define NETTLE_PKCS1_H_INCLUDED
+
+#include "nettle-types.h"
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define pkcs1_rsa_digest_encode nettle_pkcs1_rsa_digest_encode
+#define pkcs1_rsa_md5_encode nettle_pkcs1_rsa_md5_encode
+#define pkcs1_rsa_md5_encode_digest nettle_pkcs1_rsa_md5_encode_digest
+#define pkcs1_rsa_sha1_encode nettle_pkcs1_rsa_sha1_encode
+#define pkcs1_rsa_sha1_encode_digest nettle_pkcs1_rsa_sha1_encode_digest
+#define pkcs1_rsa_sha256_encode nettle_pkcs1_rsa_sha256_encode
+#define pkcs1_rsa_sha256_encode_digest nettle_pkcs1_rsa_sha256_encode_digest
+#define pkcs1_rsa_sha512_encode nettle_pkcs1_rsa_sha512_encode
+#define pkcs1_rsa_sha512_encode_digest nettle_pkcs1_rsa_sha512_encode_digest
+#define pkcs1_encrypt nettle_pkcs1_encrypt
+#define pkcs1_decrypt nettle_pkcs1_decrypt
+
+struct md5_ctx;
+struct sha1_ctx;
+struct sha256_ctx;
+struct sha512_ctx;
+
+int
+pkcs1_encrypt (size_t key_size,
+	       /* For padding */
+	       void *random_ctx, nettle_random_func *random,
+	       size_t length, const uint8_t *message,
+	       mpz_t m);
+
+int
+pkcs1_decrypt (size_t key_size,
+	       const mpz_t m,
+	       size_t *length, uint8_t *message);
+
+int
+pkcs1_rsa_digest_encode(mpz_t m, size_t key_size,
+			size_t di_length, const uint8_t *digest_info);
+
+int
+pkcs1_rsa_md5_encode(mpz_t m, size_t length, struct md5_ctx *hash);
+
+int
+pkcs1_rsa_md5_encode_digest(mpz_t m, size_t length, const uint8_t *digest);
+
+int
+pkcs1_rsa_sha1_encode(mpz_t m, size_t length, struct sha1_ctx *hash);
+
+int
+pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t length, const uint8_t *digest);
+
+int
+pkcs1_rsa_sha256_encode(mpz_t m, size_t length, struct sha256_ctx *hash);
+
+int
+pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t length, const uint8_t *digest);
+
+int
+pkcs1_rsa_sha512_encode(mpz_t m, size_t length, struct sha512_ctx *hash);
+
+int
+pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t length, const uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_PKCS1_H_INCLUDED */

include/nettle/poly1305.h

@@ -0,0 +1,114 @@
+/* poly1305.h
+
+   Poly1305 message authentication code.
+
+   Copyright (C) 2013 Nikos Mavrogiannopoulos
+   Copyright (C) 2013, 2014 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_POLY1305_H_INCLUDED
+#define NETTLE_POLY1305_H_INCLUDED
+
+#include "aes.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define poly1305_aes_set_key nettle_poly1305_aes_set_key
+#define poly1305_aes_set_nonce nettle_poly1305_aes_set_nonce
+#define poly1305_aes_update nettle_poly1305_aes_update
+#define poly1305_aes_digest nettle_poly1305_aes_digest
+
+/* Low level functions/macros for the poly1305 construction. */
+
+#define POLY1305_BLOCK_SIZE 16
+
+struct poly1305_ctx {
+  /* Key, 128-bit value and some cached multiples. */
+  union
+  {
+    uint32_t r32[6];
+    uint64_t r64[3];
+  } r;
+  uint32_t s32[3];
+  /* State, represented as words of 26, 32 or 64 bits, depending on
+     implementation. */
+  /* High bits first, to maintain alignment. */
+  uint32_t hh;
+  union
+  {
+    uint32_t h32[4];
+    uint64_t h64[2];
+  } h;
+};
+
+/* poly1305-aes */
+
+#define POLY1305_AES_KEY_SIZE 32
+#define POLY1305_AES_DIGEST_SIZE 16
+#define POLY1305_AES_NONCE_SIZE 16
+
+struct poly1305_aes_ctx
+{
+  /* Keep aes context last, to make it possible to use a general
+     poly1305_update if other variants are added. */
+  struct poly1305_ctx pctx;
+  uint8_t block[POLY1305_BLOCK_SIZE];
+  unsigned index;
+  uint8_t nonce[POLY1305_BLOCK_SIZE];
+  struct aes128_ctx aes;
+};
+
+/* Also initialize the nonce to zero. */
+void
+poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t *key);
+
+/* Optional, if not used, messages get incrementing nonces starting
+   from zero. */
+void
+poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx,
+		        const uint8_t *nonce);
+
+/* Update is not aes-specific, but since this is the only implemented
+   variant, we need no more general poly1305_update. */
+void
+poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data);
+
+/* Also increments the nonce */
+void
+poly1305_aes_digest (struct poly1305_aes_ctx *ctx,
+	       	     size_t length, uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_POLY1305_H_INCLUDED */

include/nettle/pss-mgf1.h

@@ -0,0 +1,58 @@
+/* pss-mgf1.h
+
+   PKCS#1 mask generation function 1, used in RSA-PSS (RFC-3447).
+
+   Copyright (C) 2017 Daiki Ueno
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_PSS_MGF1_H_INCLUDED
+#define NETTLE_PSS_MGF1_H_INCLUDED
+
+#include "nettle-meta.h"
+
+#include "sha1.h"
+#include "sha2.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/* Namespace mangling */
+#define pss_mgf1 nettle_pss_mgf1
+
+void
+pss_mgf1(const void *seed, const struct nettle_hash *hash,
+	 size_t length, uint8_t *mask);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_PSS_MGF1_H_INCLUDED */

include/nettle/pss.h

@@ -0,0 +1,65 @@
+/* pss.h
+
+   PKCS#1 RSA-PSS (RFC-3447).
+
+   Copyright (C) 2017 Daiki Ueno
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_PSS_H_INCLUDED
+#define NETTLE_PSS_H_INCLUDED
+
+#include "nettle-meta.h"
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/* Namespace mangling */
+#define pss_encode_mgf1 nettle_pss_encode_mgf1
+#define pss_verify_mgf1 nettle_pss_verify_mgf1
+
+int
+pss_encode_mgf1(mpz_t m, size_t bits,
+		const struct nettle_hash *hash,
+		size_t salt_length, const uint8_t *salt,
+		const uint8_t *digest);
+
+int
+pss_verify_mgf1(const mpz_t m, size_t bits,
+		const struct nettle_hash *hash,
+		size_t salt_length,
+		const uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_PSS_H_INCLUDED */

include/nettle/realloc.h

@@ -0,0 +1,48 @@
+/* realloc.h
+
+   Copyright (C) 2002 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_REALLOC_H_INCLUDED
+#define NETTLE_REALLOC_H_INCLUDED
+
+#include "nettle-types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+nettle_realloc_func nettle_realloc;
+nettle_realloc_func nettle_xrealloc;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_REALLOC_H_INCLUDED */

include/nettle/ripemd160.h

@@ -0,0 +1,83 @@
+/* ripemd160.h
+
+   RIPEMD-160 hash function.
+
+   Copyright (C) 2011 Andres Mejia
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_RIPEMD160_H_INCLUDED
+#define NETTLE_RIPEMD160_H_INCLUDED
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "nettle-types.h"
+
+/* Name mangling */
+#define ripemd160_init nettle_ripemd160_init
+#define ripemd160_update nettle_ripemd160_update
+#define ripemd160_digest nettle_ripemd160_digest
+
+/* RIPEMD160 */
+
+#define RIPEMD160_DIGEST_SIZE 20
+#define RIPEMD160_BLOCK_SIZE 64
+/* For backwards compatibility */
+#define RIPEMD160_DATA_SIZE RIPEMD160_BLOCK_SIZE
+
+/* Digest is kept internally as 5 32-bit words. */
+#define _RIPEMD160_DIGEST_LENGTH 5
+
+struct ripemd160_ctx
+{
+  uint32_t state[_RIPEMD160_DIGEST_LENGTH];
+  uint64_t count;         /* 64-bit block count */
+  unsigned int index;
+  uint8_t block[RIPEMD160_BLOCK_SIZE];
+};
+
+void
+ripemd160_init(struct ripemd160_ctx *ctx);
+
+void
+ripemd160_update(struct ripemd160_ctx *ctx,
+		 size_t length,
+		 const uint8_t *data);
+
+void
+ripemd160_digest(struct ripemd160_ctx *ctx,
+		 size_t length,
+		 uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_RIPEMD160_H_INCLUDED */

include/nettle/rsa.h

@@ -0,0 +1,538 @@
+/* rsa.h
+
+   The RSA publickey algorithm.
+
+   Copyright (C) 2001, 2002 Niels Möller
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+     * the GNU Lesser General Public License as published by the Free
+       Software Foundation; either version 3 of the License, or (at your
+       option) any later version.
+
+   or
+
+     * the GNU General Public License as published by the Free
+       Software Foundation; either version 2 of the License, or (at your
+       option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+ 
+#ifndef NETTLE_RSA_H_INCLUDED
+#define NETTLE_RSA_H_INCLUDED
+
+#include "nettle-types.h"
+#include "bignum.h"
+
+#include "md5.h"
+#include "sha1.h"
+#include "sha2.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define rsa_public_key_init nettle_rsa_public_key_init
+#define rsa_public_key_clear nettle_rsa_public_key_clear
+#define rsa_public_key_prepare nettle_rsa_public_key_prepare
+#define rsa_private_key_init nettle_rsa_private_key_init
+#define rsa_private_key_clear nettle_rsa_private_key_clear
+#define rsa_private_key_prepare nettle_rsa_private_key_prepare
+#define rsa_pkcs1_verify nettle_rsa_pkcs1_verify
+#define rsa_pkcs1_sign nettle_rsa_pkcs1_sign
+#define rsa_pkcs1_sign_tr nettle_rsa_pkcs1_sign_tr
+#define rsa_md5_sign nettle_rsa_md5_sign
+#define rsa_md5_sign_tr nettle_rsa_md5_sign_tr
+#define rsa_md5_verify nettle_rsa_md5_verify
+#define rsa_sha1_sign nettle_rsa_sha1_sign
+#define rsa_sha1_sign_tr nettle_rsa_sha1_sign_tr
+#define rsa_sha1_verify nettle_rsa_sha1_verify
+#define rsa_sha256_sign nettle_rsa_sha256_sign
+#define rsa_sha256_sign_tr nettle_rsa_sha256_sign_tr
+#define rsa_sha256_verify nettle_rsa_sha256_verify
+#define rsa_sha512_sign nettle_rsa_sha512_sign
+#define rsa_sha512_sign_tr nettle_rsa_sha512_sign_tr
+#define rsa_sha512_verify nettle_rsa_sha512_verify
+#define rsa_md5_sign_digest nettle_rsa_md5_sign_digest
+#define rsa_md5_sign_digest_tr nettle_rsa_md5_sign_digest_tr
+#define rsa_md5_verify_digest nettle_rsa_md5_verify_digest
+#define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest
+#define rsa_sha1_sign_digest_tr nettle_rsa_sha1_sign_digest_tr
+#define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest
+#define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest
+#define rsa_sha256_sign_digest_tr nettle_rsa_sha256_sign_digest_tr
+#define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest
+#define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest
+#define rsa_sha512_sign_digest_tr nettle_rsa_sha512_sign_digest_tr
+#define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest
+#define rsa_pss_sha256_sign_digest_tr nettle_rsa_pss_sha256_sign_digest_tr
+#define rsa_pss_sha256_verify_digest nettle_rsa_pss_sha256_verify_digest
+#define rsa_pss_sha384_sign_digest_tr nettle_rsa_pss_sha384_sign_digest_tr
+#define rsa_pss_sha384_verify_digest nettle_rsa_pss_sha384_verify_digest
+#define rsa_pss_sha512_sign_digest_tr nettle_rsa_pss_sha512_sign_digest_tr
+#define rsa_pss_sha512_verify_digest nettle_rsa_pss_sha512_verify_digest
+#define rsa_encrypt nettle_rsa_encrypt
+#define rsa_decrypt nettle_rsa_decrypt
+#define rsa_decrypt_tr nettle_rsa_decrypt_tr
+#define rsa_sec_decrypt nettle_rsa_sec_decrypt
+#define rsa_compute_root nettle_rsa_compute_root
+#define rsa_compute_root_tr nettle_rsa_compute_root_tr
+#define rsa_generate_keypair nettle_rsa_generate_keypair
+#define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp
+#define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist
+#define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp
+#define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator
+#define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator
+#define rsa_keypair_from_der nettle_rsa_keypair_from_der
+#define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp
+
+/* This limit is somewhat arbitrary. Technically, the smallest modulo
+   which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But
+   for ridiculously small keys, not all odd e are possible (e.g., for
+   5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e =
+   3 don't work). The smallest size that makes sense with pkcs#1, and
+   which allows RSA encryption of one byte messages, is 12 octets, 89
+   bits. */
+
+#define RSA_MINIMUM_N_OCTETS 12
+#define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7)
+
+struct rsa_public_key
+{
+  /* Size of the modulo, in octets. This is also the size of all
+   * signatures that are created or verified with this key. */
+  size_t size;
+  
+  /* Modulo */
+  mpz_t n;
+
+  /* Public exponent */
+  mpz_t e;
+};
+
+struct rsa_private_key
+{
+  size_t size;
+
+  /* d is filled in by the key generation function; otherwise it's
+   * completely unused. */
+  mpz_t d;
+  
+  /* The two factors */
+  mpz_t p; mpz_t q;
+
+  /* d % (p-1), i.e. a e = 1 (mod (p-1)) */
+  mpz_t a;
+
+  /* d % (q-1), i.e. b e = 1 (mod (q-1)) */
+  mpz_t b;
+
+  /* modular inverse of q , i.e. c q = 1 (mod p) */
+  mpz_t c;
+};
+
+/* Signing a message works as follows:
+ *
+ * Store the private key in a rsa_private_key struct.
+ *
+ * Call rsa_private_key_prepare. This initializes the size attribute
+ * to the length of a signature.
+ *
+ * Initialize a hashing context, by callling
+ *   md5_init
+ *
+ * Hash the message by calling
+ *   md5_update
+ *
+ * Create the signature by calling
+ *   rsa_md5_sign
+ *
+ * The signature is represented as a mpz_t bignum. This call also
+ * resets the hashing context.
+ *
+ * When done with the key and signature, don't forget to call
+ * mpz_clear.
+ */
+ 
+/* Calls mpz_init to initialize bignum storage. */
+void
+rsa_public_key_init(struct rsa_public_key *key);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+rsa_public_key_clear(struct rsa_public_key *key);
+
+int
+rsa_public_key_prepare(struct rsa_public_key *key);
+
+/* Calls mpz_init to initialize bignum storage. */
+void
+rsa_private_key_init(struct rsa_private_key *key);
+
+/* Calls mpz_clear to deallocate bignum storage. */
+void
+rsa_private_key_clear(struct rsa_private_key *key);
+
+int
+rsa_private_key_prepare(struct rsa_private_key *key);
+
+
+/* PKCS#1 style signatures */
+int
+rsa_pkcs1_sign(const struct rsa_private_key *key,
+	       size_t length, const uint8_t *digest_info,
+	       mpz_t s);
+
+int
+rsa_pkcs1_sign_tr(const struct rsa_public_key *pub,
+  	          const struct rsa_private_key *key,
+	          void *random_ctx, nettle_random_func *random,
+	          size_t length, const uint8_t *digest_info,
+   	          mpz_t s);
+int
+rsa_pkcs1_verify(const struct rsa_public_key *key,
+		 size_t length, const uint8_t *digest_info,
+		 const mpz_t signature);
+
+int
+rsa_md5_sign(const struct rsa_private_key *key,
+             struct md5_ctx *hash,
+             mpz_t signature);
+
+int
+rsa_md5_sign_tr(const struct rsa_public_key *pub,
+		const struct rsa_private_key *key,
+		void *random_ctx, nettle_random_func *random,
+		struct md5_ctx *hash, mpz_t s);
+
+
+int
+rsa_md5_verify(const struct rsa_public_key *key,
+               struct md5_ctx *hash,
+	       const mpz_t signature);
+
+int
+rsa_sha1_sign(const struct rsa_private_key *key,
+              struct sha1_ctx *hash,
+              mpz_t signature);
+
+int
+rsa_sha1_sign_tr(const struct rsa_public_key *pub,
+		 const struct rsa_private_key *key,
+		 void *random_ctx, nettle_random_func *random,
+		 struct sha1_ctx *hash,
+		 mpz_t s);
+
+int
+rsa_sha1_verify(const struct rsa_public_key *key,
+                struct sha1_ctx *hash,
+		const mpz_t signature);
+
+int
+rsa_sha256_sign(const struct rsa_private_key *key,
+		struct sha256_ctx *hash,
+		mpz_t signature);
+
+int
+rsa_sha256_sign_tr(const struct rsa_public_key *pub,
+		   const struct rsa_private_key *key,
+		   void *random_ctx, nettle_random_func *random,
+		   struct sha256_ctx *hash,
+		   mpz_t s);
+
+int
+rsa_sha256_verify(const struct rsa_public_key *key,
+		  struct sha256_ctx *hash,
+		  const mpz_t signature);
+
+int
+rsa_sha512_sign(const struct rsa_private_key *key,
+		struct sha512_ctx *hash,
+		mpz_t signature);
+
+int
+rsa_sha512_sign_tr(const struct rsa_public_key *pub,
+		   const struct rsa_private_key *key,
+		   void *random_ctx, nettle_random_func *random,
+		   struct sha512_ctx *hash,
+		   mpz_t s);
+
+int
+rsa_sha512_verify(const struct rsa_public_key *key,
+		  struct sha512_ctx *hash,
+		  const mpz_t signature);
+
+/* Variants taking the digest as argument. */
+int
+rsa_md5_sign_digest(const struct rsa_private_key *key,
+		    const uint8_t *digest,
+		    mpz_t s);
+
+int
+rsa_md5_sign_digest_tr(const struct rsa_public_key *pub,
+		       const struct rsa_private_key *key,
+		       void *random_ctx, nettle_random_func *random,
+		       const uint8_t *digest, mpz_t s);
+
+int
+rsa_md5_verify_digest(const struct rsa_public_key *key,
+		      const uint8_t *digest,
+		      const mpz_t signature);
+
+int
+rsa_sha1_sign_digest(const struct rsa_private_key *key,
+		     const uint8_t *digest,
+		     mpz_t s);
+
+int
+rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub,
+			const struct rsa_private_key *key,
+			void *random_ctx, nettle_random_func *random,
+			const uint8_t *digest,
+			mpz_t s);
+
+int
+rsa_sha1_verify_digest(const struct rsa_public_key *key,
+		       const uint8_t *digest,
+		       const mpz_t signature);
+
+int
+rsa_sha256_sign_digest(const struct rsa_private_key *key,
+		       const uint8_t *digest,
+		       mpz_t s);
+
+int
+rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub,
+			  const struct rsa_private_key *key,
+			  void *random_ctx, nettle_random_func *random,
+			  const uint8_t *digest,
+			  mpz_t s);
+
+int
+rsa_sha256_verify_digest(const struct rsa_public_key *key,
+			 const uint8_t *digest,
+			 const mpz_t signature);
+
+int
+rsa_sha512_sign_digest(const struct rsa_private_key *key,
+		       const uint8_t *digest,
+		       mpz_t s);
+
+int
+rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub,
+			  const struct rsa_private_key *key,
+			  void *random_ctx, nettle_random_func *random,
+			  const uint8_t *digest,
+			  mpz_t s);
+
+int
+rsa_sha512_verify_digest(const struct rsa_public_key *key,
+			 const uint8_t *digest,
+			 const mpz_t signature);
+
+/* PSS style signatures */
+int
+rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub,
+			      const struct rsa_private_key *key,
+			      void *random_ctx, nettle_random_func *random,
+			      size_t salt_length, const uint8_t *salt,
+			      const uint8_t *digest,
+			      mpz_t s);
+
+int
+rsa_pss_sha256_verify_digest(const struct rsa_public_key *key,
+			     size_t salt_length,
+			     const uint8_t *digest,
+			     const mpz_t signature);
+
+int
+rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub,
+			      const struct rsa_private_key *key,
+			      void *random_ctx, nettle_random_func *random,
+			      size_t salt_length, const uint8_t *salt,
+			      const uint8_t *digest,
+			      mpz_t s);
+
+int
+rsa_pss_sha384_verify_digest(const struct rsa_public_key *key,
+			     size_t salt_length,
+			     const uint8_t *digest,
+			     const mpz_t signature);
+
+int
+rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub,
+			      const struct rsa_private_key *key,
+			      void *random_ctx, nettle_random_func *random,
+			      size_t salt_length, const uint8_t *salt,
+			      const uint8_t *digest,
+			      mpz_t s);
+
+int
+rsa_pss_sha512_verify_digest(const struct rsa_public_key *key,
+			     size_t salt_length,
+			     const uint8_t *digest,
+			     const mpz_t signature);
+
+
+/* RSA encryption, using PKCS#1 */
+/* These functions uses the v1.5 padding. What should the v2 (OAEP)
+ * functions be called? */
+
+/* Returns 1 on success, 0 on failure, which happens if the
+ * message is too long for the key. */
+int
+rsa_encrypt(const struct rsa_public_key *key,
+	    /* For padding */
+	    void *random_ctx, nettle_random_func *random,
+	    size_t length, const uint8_t *cleartext,
+	    mpz_t cipher);
+
+/* Message must point to a buffer of size *LENGTH. KEY->size is enough
+ * for all valid messages. On success, *LENGTH is updated to reflect
+ * the actual length of the message. Returns 1 on success, 0 on
+ * failure, which happens if decryption failed or if the message
+ * didn't fit. */
+int
+rsa_decrypt(const struct rsa_private_key *key,
+	    size_t *length, uint8_t *cleartext,
+	    const mpz_t ciphertext);
+
+/* Timing-resistant version, using randomized RSA blinding. */
+int
+rsa_decrypt_tr(const struct rsa_public_key *pub,
+	       const struct rsa_private_key *key,
+	       void *random_ctx, nettle_random_func *random,	       
+	       size_t *length, uint8_t *message,
+	       const mpz_t gibberish);
+
+/* like rsa_decrypt_tr but with additional side-channel resistance.
+ * NOTE: the length of the final message must be known in advance. */
+int
+rsa_sec_decrypt(const struct rsa_public_key *pub,
+	        const struct rsa_private_key *key,
+	        void *random_ctx, nettle_random_func *random,
+	        size_t length, uint8_t *message,
+	        const mpz_t gibberish);
+
+/* Compute x, the e:th root of m. Calling it with x == m is allowed.
+   It is required that 0 <= m < n. */
+void
+rsa_compute_root(const struct rsa_private_key *key,
+		 mpz_t x, const mpz_t m);
+
+/* Safer variant, using RSA blinding, and checking the result after
+   CRT. It is required that 0 <= m < n. */
+int
+rsa_compute_root_tr(const struct rsa_public_key *pub,
+		    const struct rsa_private_key *key,
+		    void *random_ctx, nettle_random_func *random,
+		    mpz_t x, const mpz_t m);
+
+/* Key generation */
+
+/* Note that the key structs must be initialized first. */
+int
+rsa_generate_keypair(struct rsa_public_key *pub,
+		     struct rsa_private_key *key,
+
+		     void *random_ctx, nettle_random_func *random,
+		     void *progress_ctx, nettle_progress_func *progress,
+
+		     /* Desired size of modulo, in bits */
+		     unsigned n_size,
+		     
+		     /* Desired size of public exponent, in bits. If
+		      * zero, the passed in value pub->e is used. */
+		     unsigned e_size);
+
+
+#define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \
+  algorithm##_update(ctx, length, data), \
+  rsa_##algorithm##_sign(key, ctx, signature) \
+)
+
+#define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \
+  algorithm##_update(ctx, length, data), \
+  rsa_##algorithm##_verify(key, ctx, signature) \
+)
+
+
+/* Keys in sexp form. */
+
+struct nettle_buffer;
+
+/* Generates a public-key expression if PRIV is NULL .*/
+int
+rsa_keypair_to_sexp(struct nettle_buffer *buffer,
+		    const char *algorithm_name, /* NULL means "rsa" */
+		    const struct rsa_public_key *pub,
+		    const struct rsa_private_key *priv);
+
+struct sexp_iterator;
+
+int
+rsa_keypair_from_sexp_alist(struct rsa_public_key *pub,
+			    struct rsa_private_key *priv,
+			    unsigned limit,
+			    struct sexp_iterator *i);
+
+/* If PRIV is NULL, expect a public-key expression. If PUB is NULL,
+ * expect a private key expression and ignore the parts not needed for
+ * the public key. */
+/* Keys must be initialized before calling this function, as usual. */
+int
+rsa_keypair_from_sexp(struct rsa_public_key *pub,
+		      struct rsa_private_key *priv,
+		      unsigned limit,
+		      size_t length, const uint8_t *expr);
+
+
+/* Keys in PKCS#1 format. */
+struct asn1_der_iterator;
+
+int
+rsa_public_key_from_der_iterator(struct rsa_public_key *pub,
+				 unsigned limit,
+				 struct asn1_der_iterator *i);
+
+int
+rsa_private_key_from_der_iterator(struct rsa_public_key *pub,
+				  struct rsa_private_key *priv,
+				  unsigned limit,
+				  struct asn1_der_iterator *i);
+
+/* For public keys, use PRIV == NULL */ 
+int
+rsa_keypair_from_der(struct rsa_public_key *pub,
+		     struct rsa_private_key *priv,
+		     unsigned limit, 
+		     size_t length, const uint8_t *data);
+
+/* OpenPGP format. Experimental interface, subject to change. */
+int
+rsa_keypair_to_openpgp(struct nettle_buffer *buffer,
+		       const struct rsa_public_key *pub,
+		       const struct rsa_private_key *priv,
+		       /* A single user id. NUL-terminated utf8. */
+		       const char *userid);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_RSA_H_INCLUDED */