diff --git a/vendor/cryptopp/Filelist.txt b/vendor/cryptopp/Filelist.txt index 6b84bbce81..fce6ae7533 100644 --- a/vendor/cryptopp/Filelist.txt +++ b/vendor/cryptopp/Filelist.txt @@ -257,9 +257,9 @@ poly1305.cpp poly1305.h polynomi.cpp polynomi.h -ppc_power7.cpp -ppc_power8.cpp -ppc_power9.cpp +power7_ppc.cpp +power8_ppc.cpp +power9_ppc.cpp ppc_simd.cpp ppc_simd.h pssr.cpp @@ -587,6 +587,7 @@ TestPrograms/test_32bit.cpp TestPrograms/test_64bit.cpp TestPrograms/test_arm_acle_header.cpp TestPrograms/test_arm_aes.cpp +TestPrograms/test_arm_armv7.cpp TestPrograms/test_arm_asimd.cpp TestPrograms/test_arm_crc.cpp TestPrograms/test_arm_neon.cpp diff --git a/vendor/cryptopp/History.txt b/vendor/cryptopp/History.txt index 9754a8ef34..748e2c09c3 100644 --- a/vendor/cryptopp/History.txt +++ b/vendor/cryptopp/History.txt @@ -542,3 +542,41 @@ last several releases. - expanded community input and support * 70 unique contributors as of this release - port to Apple M1 hardware + +8.6.0 - September 21, 2021 + - minor release, recompile of programs required + - expanded community input and support + * 74 unique contributors as of this release + - fix ElGamal encryption + - fix ChaCha20 AVX2 implementation + - add octal and decimal literal prefix parsing to Integer + - add missing overload in ed25519Signer and ed25519Verifier + - make SHA-NI independent of AVX and AVX2 + - fix OldRandomPool GenerateWord32 + - use CPPFLAGS during feature testing + - fix compile on CentOS 5 + - fix compile on FreeBSD + - fix feature testing on ARM A-32 and Aarch64 + - enable inline ASM for CRC and PMULL on Apple M1 + - fix Intel oneAPI compile + - rename test files with *.cpp extension + - fix GCC compile error due to missing _mm256_set_m128i + - add LSH-256 and LSH-512 hash functions + - add ECIES_P1363 for backwards compatibility + - fix AdditiveCipherTemplate ProcessData + - remove CRYPTOPP_NO_CXX11 define + - add -fno-common for Darwin builds + - update documentation + +8.7.0 - August 7, 2022 + - minor release, recompile of programs required + - expanded community input and support + * 81 unique contributors as of this release + - fix RSA key generation for small moduli + - fix AES-GCM with AESNI but without CLMUL + - fix Clang warning with C++17 + - fix MinGW builds due to use of O_NOFOLLOW + - rework CFB_CipherTemplate::ProcessData and AdditiveCipherTemplate::ProcessData + * restored performance and avoided performance penalty of a temp buffer + - fix undersized SecBlock buffer in Integer bit operations + - work around several GCC 11 & 12 problems diff --git a/vendor/cryptopp/Install.txt b/vendor/cryptopp/Install.txt index 9bb92fd759..3fe6c769b6 100644 --- a/vendor/cryptopp/Install.txt +++ b/vendor/cryptopp/Install.txt @@ -204,7 +204,7 @@ ACCEPTANCE TESTING Crypto++ uses five security gates in its engineering process. The library must maintain the quality provided by the review system and integrity of the test suites. You can use the information to decide if the Crypto++ library suits your needs and provides a compatible security posture. -The first gate is code review and discussion of proposed chnages. Git commits often cross reference a User Group discussions. +The first gate is code review and discussion of proposed changes. Git commits often cross reference a User Group discussions. Second is the compiler warning system. The code must clean compile under the equivalent of GCC's -Wall -Wextra (modulo -Wno-type-limits -Wno-unknown-pragmas). This is a moving target as compiler analysis improves. diff --git a/vendor/cryptopp/License.txt b/vendor/cryptopp/License.txt index e0c9285ed5..800ac7e284 100644 --- a/vendor/cryptopp/License.txt +++ b/vendor/cryptopp/License.txt @@ -28,10 +28,11 @@ Han Lulu, Markku-Juhani O. Saarinen - sm4.cpp sm4_simd.cpp Daniel J. Bernstein, Jack Lloyd - chacha.cpp, chacha_simd.cpp, chacha_avx.cpp Andrew Moon - ed25519, x25519, donna_32.cpp, donna_64.cpp, donna_sse.cpp -The Crypto++ Library uses portions of Andy Polyakov's CRYPTOGAMS for Poly1305 -scalar multiplication, aes_armv4.S, sha1_armv4.S and sha256_armv4.S. CRYPTOGAMS -is dual licensed with a permissive BSD-style license. The CRYPTOGAMS license is -reproduced below. +The Crypto++ Library uses portions of Andy Polyakov's CRYPTOGAMS on Linux +for 32-bit ARM with files aes_armv4.S, sha1_armv4.S and sha256_armv4.S. +CRYPTOGAMS is dual licensed with a permissive BSD-style license. The +CRYPTOGAMS license is reproduced below. You can disable Cryptogams code by +undefining the relevant macros in config_asm.h. The Crypto++ Library uses portions of Jack Lloyd's Botan for ChaCha SSE2 and AVX. Botan placed the code in public domain for Crypto++ to use. diff --git a/vendor/cryptopp/Readme.txt b/vendor/cryptopp/Readme.txt index baa235796f..bdcef411f9 100644 --- a/vendor/cryptopp/Readme.txt +++ b/vendor/cryptopp/Readme.txt @@ -1,5 +1,5 @@ Crypto++: free C++ Class Library of Cryptographic Schemes -Version 8.6 - TBD +Version 8.8 - TBD Crypto++ Library is a free C++ class library of cryptographic schemes. Currently the library contains the following algorithms: @@ -91,13 +91,13 @@ for any purpose without paying anyone, but see License.txt for the fine print. The following compilers are supported for this release. Please visit http://www.cryptopp.com the most up to date build instructions and porting notes. - * Visual Studio 2003 - 2019 - * GCC 3.3 - 10.1 + * Visual Studio 2003 - 2022 + * GCC 3.3 - 12.2 * Apple Clang 4.3 - 12.0 - * LLVM Clang 2.9 - 11.0 + * LLVM Clang 2.9 - 14.0 * C++ Builder 2015 * Intel C++ Compiler 9 - 16.0 - * Sun Studio 12u1 - 12.6 + * Sun Studio 12u1 - 12.7 * IBM XL C/C++ 10.0 - 14.0 *** Important Usage Notes *** @@ -294,6 +294,19 @@ documentation is one of the highest returns on investment. The items in this section comprise the most recent history. Please see History.txt for the record back to Crypto++ 1.0. +8.7.0 - August 7, 2022 + - minor release, recompile of programs required + - expanded community input and support + * 81 unique contributors as of this release + - fix RSA key generation for small moduli + - fix AES-GCM with AESNI but without CLMUL + - fix Clang warning with C++17 + - fix MinGW builds due to use of O_NOFOLLOW + - rework CFB_CipherTemplate::ProcessData and AdditiveCipherTemplate::ProcessData + * restored performance and avoided performance penalty of a temp buffer + - fix undersized SecBlock buffer in Integer bit operations + - work around several GCC 11 & 12 problems + 8.6.0 - September 21, 2021 - minor release, recompile of programs required - expanded community input and support diff --git a/vendor/cryptopp/arm_simd.h b/vendor/cryptopp/arm_simd.h index a9fb4ea428..4edd4085de 100644 --- a/vendor/cryptopp/arm_simd.h +++ b/vendor/cryptopp/arm_simd.h @@ -351,9 +351,9 @@ inline uint64x2_t VEXT_U8(uint64x2_t a, uint64x2_t b) :"=w" (r) : "w" (a), "w" (b), "I" (C) ); return r; #endif -//@} } +//@} #endif // CRYPTOPP_ARM_PMULL_AVAILABLE #if CRYPTOPP_ARM_SHA3_AVAILABLE || defined(CRYPTOPP_DOXYGEN_PROCESSING) @@ -385,19 +385,19 @@ inline uint64x2_t VEOR3(uint64x2_t a, uint64x2_t b, uint64x2_t c) /// \param a the first value /// \param b the second value /// \param c the third value -/// \return two-way exclusive OR of the values, then rotated by imm6 +/// \return two-way exclusive OR of the values, then rotated by c /// \details VXARQ() performs vxarq_u64(). VXARQ is provided as GCC inline assembly due /// to Clang and lack of support for the intrinsic. /// \details VXARQ requires ARMv8.2. /// \since Crypto++ 8.6 -inline uint64x2_t VXAR(uint64x2_t a, uint64x2_t b, const int imm6) +inline uint64x2_t VXAR(uint64x2_t a, uint64x2_t b, const int c) { #if defined(_MSC_VER) - return vxarq_u64(a, b, imm6); + return vxarq_u64(a, b, c); #else uint64x2_t r; __asm__ ("xar %0.2d, %1.2d, %2.2d, %3 \n\t" - :"=w" (r) : "w" (a), "w" (b), "I" (imm6)); + :"=w" (r) : "w" (a), "w" (b), "I" (c)); return r; #endif } diff --git a/vendor/cryptopp/asn.h b/vendor/cryptopp/asn.h index 23cf4ae24a..cf44fc7278 100644 --- a/vendor/cryptopp/asn.h +++ b/vendor/cryptopp/asn.h @@ -110,7 +110,7 @@ class CRYPTOPP_DLL UnknownOID : public BERDecodeErr /// \brief Construct an UnknownOID UnknownOID() : BERDecodeErr("BER decode error: unknown object identifier") {} /// \brief Construct an UnknownOID - /// \param err error message to use for the execption + /// \param err error message to use for the exception UnknownOID(const char *err) : BERDecodeErr(err) {} }; diff --git a/vendor/cryptopp/basecode.cpp b/vendor/cryptopp/basecode.cpp index b46193b165..335d95c790 100644 --- a/vendor/cryptopp/basecode.cpp +++ b/vendor/cryptopp/basecode.cpp @@ -182,7 +182,7 @@ void BaseN_Decoder::InitializeDecodingLookupArray(int *lookup, const byte *alpha for (unsigned int i=0; i= 1910) +#if (_MSC_VER >= 1910) && (_MSC_VER < 1916) # ifndef CRYPTOPP_DEBUG # pragma optimize("", off) # pragma optimize("ts", on) diff --git a/vendor/cryptopp/config_asm.h b/vendor/cryptopp/config_asm.h index 9cf324ede3..157e9d6a64 100644 --- a/vendor/cryptopp/config_asm.h +++ b/vendor/cryptopp/config_asm.h @@ -130,7 +130,7 @@ #endif // Couple to CRYPTOPP_DISABLE_AESNI, but use CRYPTOPP_CLMUL_AVAILABLE so we can selectively -// disable for misbehaving platofrms and compilers, like Solaris or some Clang. +// disable for misbehaving platforms and compilers, like Solaris or some Clang. #if defined(CRYPTOPP_DISABLE_AESNI) #define CRYPTOPP_DISABLE_CLMUL 1 #endif @@ -311,6 +311,12 @@ # endif // Platforms #endif +// Buggy Microsoft compiler, https://github.com/weidai11/cryptopp/issues/1096 +#if defined(_MSC_VER) +# undef CRYPTOPP_ARM_SHA1_AVAILABLE +# undef CRYPTOPP_ARM_SHA2_AVAILABLE +#endif + // ARMv8 and SHA-512, SHA-3. -march=armv8.2-a+crypto or above must be present // Requires GCC 8.0, Clang 11.0, Apple Clang 12.0 or Visual Studio 20?? #if !defined(CRYPTOPP_ARM_SHA3_AVAILABLE) && !defined(CRYPTOPP_DISABLE_ARM_SHA) @@ -365,12 +371,14 @@ // than C/C++. Define this to use the Cryptogams AES and SHA implementations // on GNU Linux systems. When defined, Crypto++ will use aes_armv4.S, // sha1_armv4.S and sha256_armv4.S. https://www.cryptopp.com/wiki/Cryptogams. -#if defined(__arm__) && defined(__linux__) -# if defined(__GNUC__) || defined(__clang__) -# define CRYPTOGAMS_ARM_AES 1 -# define CRYPTOGAMS_ARM_SHA1 1 -# define CRYPTOGAMS_ARM_SHA256 1 -# define CRYPTOGAMS_ARM_SHA512 1 +#if !defined(CRYPTOPP_DISABLE_ARM_NEON) +# if defined(__arm__) && defined(__linux__) +# if defined(__GNUC__) || defined(__clang__) +# define CRYPTOGAMS_ARM_AES 1 +# define CRYPTOGAMS_ARM_SHA1 1 +# define CRYPTOGAMS_ARM_SHA256 1 +# define CRYPTOGAMS_ARM_SHA512 1 +# endif # endif #endif diff --git a/vendor/cryptopp/config_dll.h b/vendor/cryptopp/config_dll.h index 27519087c8..73d16d9d25 100644 --- a/vendor/cryptopp/config_dll.h +++ b/vendor/cryptopp/config_dll.h @@ -104,7 +104,7 @@ /// \brief Override for internal linkage /// \details CRYPTOPP_TABLE can be used to override internal linkage /// on tables with the const qualifier. According to C++ rules - /// a decalration with const qualifier is internal linkage. + /// a declaration with const qualifier is internal linkage. /// \note The name CRYPTOPP_TABLE was chosen because it is often used to /// export a table, like AES or SHA constants. The name avoids collisions /// with the DLL gear macros, like CRYPTOPP_EXPORTS and CRYPTOPP_EXTERN. diff --git a/vendor/cryptopp/config_ver.h b/vendor/cryptopp/config_ver.h index 1bd4130ce1..8b4c14c544 100644 --- a/vendor/cryptopp/config_ver.h +++ b/vendor/cryptopp/config_ver.h @@ -35,7 +35,7 @@ /// as a shared object if versions are inadvertently mixed and matched. /// \sa CRYPTOPP_VERSION, LibraryVersion(), HeaderVersion() /// \since Crypto++ 8.2 -#define CRYPTOPP_MINOR 6 +#define CRYPTOPP_MINOR 7 /// \brief Library revision number /// \details CRYPTOPP_REVISION reflects the revision number of the library the /// headers came from. It is not necessarily the revision of the library built @@ -50,7 +50,7 @@ /// shared object if versions are inadvertently mixed and matched. /// \sa CRYPTOPP_MAJOR, CRYPTOPP_MINOR, CRYPTOPP_REVISION, LibraryVersion(), HeaderVersion() /// \since Crypto++ 5.6 -#define CRYPTOPP_VERSION 860 +#define CRYPTOPP_VERSION 870 // Compiler version macros diff --git a/vendor/cryptopp/cpu.cpp b/vendor/cryptopp/cpu.cpp index a2eeac9987..f2f294548d 100644 --- a/vendor/cryptopp/cpu.cpp +++ b/vendor/cryptopp/cpu.cpp @@ -1130,6 +1130,8 @@ inline bool CPU_QuerySM4() void DetectArmFeatures() { +#ifndef CRYPTOPP_DISABLE_ASM + // The CPU_ProbeXXX's return false for OSes which // can't tolerate SIGILL-based probes g_hasARMv7 = CPU_QueryARMv7() || CPU_ProbeARMv7(); @@ -1155,6 +1157,8 @@ void DetectArmFeatures() if (g_cacheLineSize == 0) g_cacheLineSize = CRYPTOPP_L1_CACHE_LINE_SIZE; +#endif // CRYPTOPP_DISABLE_ASM + *const_cast(&g_ArmDetectionDone) = true; } @@ -1162,7 +1166,7 @@ void DetectArmFeatures() #elif (CRYPTOPP_BOOL_PPC32 || CRYPTOPP_BOOL_PPC64) -bool CRYPTOPP_SECTION_INIT g_PowerpcDetectionDone = false; +bool CRYPTOPP_SECTION_INIT g_PowerPcDetectionDone = false; bool CRYPTOPP_SECTION_INIT g_hasAltivec = false; bool CRYPTOPP_SECTION_INIT g_hasPower7 = false; bool CRYPTOPP_SECTION_INIT g_hasPower8 = false; @@ -1373,15 +1377,16 @@ inline bool CPU_QueryDARN() return false; } -void DetectPowerpcFeatures() +void DetectPowerPcFeatures() { - // GCC 10 is giving us trouble in CPU_ProbePower9() and - // CPU_ProbeDARN(). GCC is generating POWER9 instructions - // on POWER8 for ppc_power9.cpp. The compiler idiots did - // not think through the consequences of requiring us to - // use -mcpu=power9 to unlock the ISA. Epic fail. + // GCC 10 is giving us trouble in CPU_ProbePower9() and CPU_ProbeDARN(). + // GCC is generating POWER9 instructions on POWER8 for ppc_power9.cpp. + // The compiler idiots did not think through the consequences of + // requiring us to use -mcpu=power9 to unlock the ISA. Epic fail. // https://github.com/weidai11/cryptopp/issues/986 +#ifndef CRYPTOPP_DISABLE_ASM + // The CPU_ProbeXXX's return false for OSes which // can't tolerate SIGILL-based probes, like Apple g_hasAltivec = CPU_QueryAltivec() || CPU_ProbeAltivec(); @@ -1410,7 +1415,9 @@ void DetectPowerpcFeatures() if (g_cacheLineSize == 0) g_cacheLineSize = CRYPTOPP_L1_CACHE_LINE_SIZE; - *const_cast(&g_PowerpcDetectionDone) = true; +#endif // CRYPTOPP_DISABLE_ASM + + *const_cast(&g_PowerPcDetectionDone) = true; } #endif @@ -1430,7 +1437,7 @@ class InitCpu #elif CRYPTOPP_BOOL_ARM32 || CRYPTOPP_BOOL_ARMV8 CryptoPP::DetectArmFeatures(); #elif CRYPTOPP_BOOL_PPC32 || CRYPTOPP_BOOL_PPC64 - CryptoPP::DetectPowerpcFeatures(); + CryptoPP::DetectPowerPcFeatures(); #endif } }; diff --git a/vendor/cryptopp/cpu.h b/vendor/cryptopp/cpu.h index b21117633f..537bb782ee 100644 --- a/vendor/cryptopp/cpu.h +++ b/vendor/cryptopp/cpu.h @@ -60,6 +60,10 @@ #define ATT_NOPREFIX #endif +// Thanks to v1ne at https://github.com/weidai11/cryptopp/pull/1133 +#define PERCENT_PASTE(x) "%" #x +#define PERCENT_REG(x) PERCENT_PASTE(x) + #ifdef CRYPTOPP_GENERATE_X64_MASM #define CRYPTOPP_X86_ASM_AVAILABLE @@ -671,7 +675,7 @@ inline bool HasSM4() // Hide from Doxygen #ifndef CRYPTOPP_DOXYGEN_PROCESSING -extern bool g_PowerpcDetectionDone; +extern bool g_PowerPcDetectionDone; extern bool g_hasAltivec; extern bool g_hasPower7; extern bool g_hasPower8; @@ -682,7 +686,7 @@ extern bool g_hasSHA256; extern bool g_hasSHA512; extern bool g_hasDARN; extern word32 g_cacheLineSize; -void CRYPTOPP_API DetectPowerpcFeatures(); +void CRYPTOPP_API DetectPowerPcFeatures(); #endif // CRYPTOPP_DOXYGEN_PROCESSING /// \name POWERPC CPU FEATURES @@ -698,8 +702,8 @@ void CRYPTOPP_API DetectPowerpcFeatures(); inline bool HasAltivec() { #if CRYPTOPP_ALTIVEC_AVAILABLE - if (!g_PowerpcDetectionDone) - DetectPowerpcFeatures(); + if (!g_PowerPcDetectionDone) + DetectPowerPcFeatures(); return g_hasAltivec; #else return false; @@ -715,8 +719,8 @@ inline bool HasAltivec() inline bool HasPower7() { #if CRYPTOPP_POWER7_AVAILABLE - if (!g_PowerpcDetectionDone) - DetectPowerpcFeatures(); + if (!g_PowerPcDetectionDone) + DetectPowerPcFeatures(); return g_hasPower7; #else return false; @@ -732,8 +736,8 @@ inline bool HasPower7() inline bool HasPower8() { #if CRYPTOPP_POWER8_AVAILABLE - if (!g_PowerpcDetectionDone) - DetectPowerpcFeatures(); + if (!g_PowerPcDetectionDone) + DetectPowerPcFeatures(); return g_hasPower8; #else return false; @@ -749,8 +753,8 @@ inline bool HasPower8() inline bool HasPower9() { #if CRYPTOPP_POWER9_AVAILABLE - if (!g_PowerpcDetectionDone) - DetectPowerpcFeatures(); + if (!g_PowerPcDetectionDone) + DetectPowerPcFeatures(); return g_hasPower9; #else return false; @@ -767,8 +771,8 @@ inline bool HasPower9() inline bool HasAES() { #if CRYPTOPP_POWER8_AES_AVAILABLE - if (!g_PowerpcDetectionDone) - DetectPowerpcFeatures(); + if (!g_PowerPcDetectionDone) + DetectPowerPcFeatures(); return g_hasAES; #else return false; @@ -785,8 +789,8 @@ inline bool HasAES() inline bool HasPMULL() { #if CRYPTOPP_POWER8_VMULL_AVAILABLE - if (!g_PowerpcDetectionDone) - DetectPowerpcFeatures(); + if (!g_PowerPcDetectionDone) + DetectPowerPcFeatures(); return g_hasPMULL; #else return false; @@ -803,8 +807,8 @@ inline bool HasPMULL() inline bool HasSHA256() { #if CRYPTOPP_POWER8_SHA_AVAILABLE - if (!g_PowerpcDetectionDone) - DetectPowerpcFeatures(); + if (!g_PowerPcDetectionDone) + DetectPowerPcFeatures(); return g_hasSHA256; #else return false; @@ -821,8 +825,8 @@ inline bool HasSHA256() inline bool HasSHA512() { #if CRYPTOPP_POWER8_SHA_AVAILABLE - if (!g_PowerpcDetectionDone) - DetectPowerpcFeatures(); + if (!g_PowerPcDetectionDone) + DetectPowerPcFeatures(); return g_hasSHA512; #else return false; @@ -838,8 +842,8 @@ inline bool HasSHA512() inline bool HasDARN() { #if CRYPTOPP_POWER9_AVAILABLE - if (!g_PowerpcDetectionDone) - DetectPowerpcFeatures(); + if (!g_PowerPcDetectionDone) + DetectPowerPcFeatures(); // see comments in cpu.cpp # if defined(__ibmxl__) && defined(__linux__) return false; @@ -861,8 +865,8 @@ inline bool HasDARN() /// ARM processor equivalent is a privileged instruction, so a compile time value is returned. inline int GetCacheLineSize() { - if (!g_PowerpcDetectionDone) - DetectPowerpcFeatures(); + if (!g_PowerPcDetectionDone) + DetectPowerPcFeatures(); return g_cacheLineSize; } diff --git a/vendor/cryptopp/crc.h b/vendor/cryptopp/crc.h index 8dcf800f16..17e5977ba0 100644 --- a/vendor/cryptopp/crc.h +++ b/vendor/cryptopp/crc.h @@ -30,10 +30,16 @@ class CRC32 : public HashTransformation void Update(const byte *input, size_t length); void TruncatedFinal(byte *hash, size_t size); unsigned int DigestSize() const {return DIGESTSIZE;} - CRYPTOPP_STATIC_CONSTEXPR const char* StaticAlgorithmName() {return "CRC32";} - std::string AlgorithmName() const {return StaticAlgorithmName();} + CRYPTOPP_STATIC_CONSTEXPR const char* StaticAlgorithmName() {return "CRC32";} + std::string AlgorithmName() const {return StaticAlgorithmName();} + /// \brief Updates a CRC with additional input + /// \param b the additional input as a byte void UpdateByte(byte b) {m_crc = m_tab[CRC32_INDEX(m_crc) ^ b] ^ CRC32_SHIFTED(m_crc);} + + /// \brief Retrieves the i-th byte of the CRC + /// \param i the additional input as a byte + /// \return the byte at the i-th position byte GetCrcByte(size_t i) const {return reinterpret_cast(&m_crc)[i];} std::string AlgorithmProvider() const; @@ -57,10 +63,16 @@ class CRC32C : public HashTransformation void Update(const byte *input, size_t length); void TruncatedFinal(byte *hash, size_t size); unsigned int DigestSize() const {return DIGESTSIZE;} - CRYPTOPP_STATIC_CONSTEXPR const char* StaticAlgorithmName() {return "CRC32C";} - std::string AlgorithmName() const {return StaticAlgorithmName();} + CRYPTOPP_STATIC_CONSTEXPR const char* StaticAlgorithmName() {return "CRC32C";} + std::string AlgorithmName() const {return StaticAlgorithmName();} + /// \brief Updates a CRC with additional input + /// \param b the additional input as a byte void UpdateByte(byte b) {m_crc = m_tab[CRC32_INDEX(m_crc) ^ b] ^ CRC32_SHIFTED(m_crc);} + + /// \brief Retrieves the i-th byte of the CRC + /// \param i the additional input as a byte + /// \return the byte at the i-th position byte GetCrcByte(size_t i) const {return reinterpret_cast(&m_crc)[i];} std::string AlgorithmProvider() const; diff --git a/vendor/cryptopp/cryptlib.h b/vendor/cryptopp/cryptlib.h index a56735f682..6d4792f0fc 100644 --- a/vendor/cryptopp/cryptlib.h +++ b/vendor/cryptopp/cryptlib.h @@ -3,7 +3,7 @@ /// \file cryptlib.h /// \brief Abstract base classes that provide a uniform interface to this library. -/*! \mainpage Crypto++ Library 8.6 API Reference +/*! \mainpage Crypto++ Library 8.7 API Reference
Abstract Base Classes
cryptlib.h @@ -21,7 +21,7 @@ Rabbit, Salsa20, \ref SEAL "SEAL-LE", \ref SEAL "SEAL-BE", WAKE, XSalsa20
Hash Functions
BLAKE2s, BLAKE2b, \ref Keccak "Keccak (F1600)", SHA1, SHA224, SHA256, SHA384, SHA512, - \ref SHA3 "SHA-3", SM3, Tiger, RIPEMD160, RIPEMD320, RIPEMD128, RIPEMD256, SipHash, Whirlpool, + \ref SHA3 "SHA-3", SM3, LSH (256/512), Tiger, RIPEMD160, RIPEMD256, SipHash, Whirlpool, Weak::MD2, Weak::MD4, Weak::MD5
Non-Cryptographic Checksums
CRC32, CRC32C, Adler32 @@ -2100,7 +2100,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE BufferedTransformation : public Algorithm, void CopyAllTo(BufferedTransformation &target, const std::string &channel=DEFAULT_CHANNEL) const; /// \brief Retrieve the next message in a series - /// \return true if a message was retreved, false otherwise + /// \return true if a message was retrieved, false otherwise /// \details Internally, the base class implementation returns false. virtual bool GetNextMessageSeries() {return false;} /// \brief Provides the number of messages in a series @@ -2432,7 +2432,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CryptoMaterial : public NameValuePairs /// \throw NotImplemented /// \details Save() writes the material to a BufferedTransformation. /// \details If the material is a key, then the key is written with ASN.1 DER encoding. The key - /// includes an object identifier with an algorthm id, like a subjectPublicKeyInfo. + /// includes an object identifier with an algorithm id, like a subjectPublicKeyInfo. /// \details A "raw" key without the "key info" can be saved using a key's DEREncode() method. /// \details If a derived class does not override Save(), then the base class throws /// NotImplemented(). @@ -2449,7 +2449,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CryptoMaterial : public NameValuePairs ///
  • the key should be ASN.1 BER encoded ///
  • the key should be a "key info" /// - /// \details "key info" means the key should have an object identifier with an algorthm id, + /// \details "key info" means the key should have an object identifier with an algorithm id, /// like a subjectPublicKeyInfo. /// \details To read a "raw" key without the "key info", then call the key's BERDecode() method. /// \note Load() generally does not check that the key is valid. Call Validate(), if needed. @@ -2541,7 +2541,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE PrivateKey : public GeneratableCryptoMater { }; -/// \brief Interface for crypto prameters +/// \brief Interface for crypto parameters class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CryptoParameters : public GeneratableCryptoMaterial { }; @@ -2815,7 +2815,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE PK_SignatureScheme /// \details MaxSignatureLength() returns the maximum signature length produced given the length of the /// recoverable message part. virtual size_t MaxSignatureLength(size_t recoverablePartLength = 0) const - {CRYPTOPP_UNUSED(recoverablePartLength); return SignatureLength();} + {CRYPTOPP_UNUSED(recoverablePartLength); return SignatureLength();} /// \brief Provides the length of longest message that can be recovered /// \return the length of longest message that can be recovered, in bytes @@ -2881,7 +2881,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE PK_Signer : public PK_SignatureScheme, pub /// \brief Create a new HashTransformation to accumulate the message to be signed /// \param rng a RandomNumberGenerator derived class /// \return a pointer to a PK_MessageAccumulator - /// \details NewSignatureAccumulator() can be used with all signing methods. Sign() will autimatically delete the + /// \details NewSignatureAccumulator() can be used with all signing methods. Sign() will automatically delete the /// accumulator pointer. The caller is responsible for deletion if a method is called that takes a reference. virtual PK_MessageAccumulator * NewSignatureAccumulator(RandomNumberGenerator &rng) const =0; @@ -2944,7 +2944,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE PK_Verifier : public PK_SignatureScheme, p /// \brief Create a new HashTransformation to accumulate the message to be verified /// \return a pointer to a PK_MessageAccumulator - /// \details NewVerificationAccumulator() can be used with all verification methods. Verify() will autimatically delete + /// \details NewVerificationAccumulator() can be used with all verification methods. Verify() will automatically delete /// the accumulator pointer. The caller is responsible for deletion if a method is called that takes a reference. virtual PK_MessageAccumulator * NewVerificationAccumulator() const =0; diff --git a/vendor/cryptopp/default.cpp b/vendor/cryptopp/default.cpp index 25533b5a59..23323b4927 100644 --- a/vendor/cryptopp/default.cpp +++ b/vendor/cryptopp/default.cpp @@ -19,7 +19,7 @@ NAMESPACE_BEGIN(CryptoPP) // The purpose of this function Mash() is to take an arbitrary length input -// string and *deterministicly* produce an arbitrary length output string such +// string and *deterministically* produce an arbitrary length output string such // that (1) it looks random, (2) no information about the input is // deducible from it, and (3) it contains as much entropy as it can hold, or // the amount of entropy in the input string, whichever is smaller. @@ -28,7 +28,7 @@ template static void Mash(const byte *in, size_t inLen, byte *out, size_t outLen, int iterations) { if (BytePrecision(outLen) > 2) - throw InvalidArgument("Mash: output legnth too large"); + throw InvalidArgument("Mash: output length too large"); size_t bufSize = RoundUpToMultipleOf(outLen, (size_t)H::DIGESTSIZE); byte b[2]; diff --git a/vendor/cryptopp/donna_32.cpp b/vendor/cryptopp/donna_32.cpp index 85d45d124e..a5dbad3dd0 100644 --- a/vendor/cryptopp/donna_32.cpp +++ b/vendor/cryptopp/donna_32.cpp @@ -1935,7 +1935,7 @@ ed25519_sign_CXX(std::istream& stream, const byte sk[32], const byte pk[32], byt ALIGN(ALIGN_SPEC) ge25519 R; hash_512bits extsk, hashr, hram; - // Unfortunately we need to read the stream twice. The fisrt time calculates + // Unfortunately we need to read the stream twice. The first time calculates // 'r = H(aExt[32..64], m)'. The second time calculates 'S = H(R,A,m)'. There // is a data dependency due to hashing 'RS' with 'R = [r]B' that does not // allow us to read the stream once. diff --git a/vendor/cryptopp/donna_64.cpp b/vendor/cryptopp/donna_64.cpp index e2d66d4753..0a66105e4e 100644 --- a/vendor/cryptopp/donna_64.cpp +++ b/vendor/cryptopp/donna_64.cpp @@ -1650,7 +1650,7 @@ ed25519_sign_CXX(std::istream& stream, const byte sk[32], const byte pk[32], byt ALIGN(ALIGN_SPEC) ge25519 R; hash_512bits extsk, hashr, hram; - // Unfortunately we need to read the stream twice. The fisrt time calculates + // Unfortunately we need to read the stream twice. The first time calculates // 'r = H(aExt[32..64], m)'. The second time calculates 'S = H(R,A,m)'. There // is a data dependency due to hashing 'RS' with 'R = [r]B' that does not // allow us to read the stream once. diff --git a/vendor/cryptopp/donna_sse.cpp b/vendor/cryptopp/donna_sse.cpp index 816c5fe08f..7fad92a417 100644 --- a/vendor/cryptopp/donna_sse.cpp +++ b/vendor/cryptopp/donna_sse.cpp @@ -6,7 +6,7 @@ // clean, but it has one potential problem. The original code is C and relies // upon unions. Accessing the inactive union member is undefined behavior in // C++. That means copying the array into packedelem8.u is OK; but then using -// packedelem8.v in a calcualtion is UB. Fortunately most (all?) compilers +// packedelem8.v in a calculation is UB. Fortunately most (all?) compilers // take pity on C++ developers and compile the code. We will have to keep an // eye on things or rewrite significant portions of this code. diff --git a/vendor/cryptopp/eccrypto.h b/vendor/cryptopp/eccrypto.h index b68403d956..17ccb134e7 100644 --- a/vendor/cryptopp/eccrypto.h +++ b/vendor/cryptopp/eccrypto.h @@ -587,7 +587,7 @@ struct ECGDSA : public DL_SS< /// \brief Elliptic Curve Integrated Encryption Scheme /// \tparam COFACTOR_OPTION cofactor multiplication option -/// \tparam HASH HashTransformation derived class used for key drivation and MAC computation +/// \tparam HASH HashTransformation derived class used for key derivation and MAC computation /// \tparam DHAES_MODE flag indicating if the MAC includes additional context parameters such as u·V, v·U and label /// \tparam LABEL_OCTETS flag indicating if the label size is specified in octets or bits /// \details ECIES is an Elliptic Curve based Integrated Encryption Scheme (IES). The scheme combines a Key Encapsulation @@ -595,7 +595,7 @@ struct ECGDSA : public DL_SS< /// IND-CCA2, which is a strong notion of security. /// You should prefer an Integrated Encryption Scheme over homegrown schemes. /// \details If you desire an Integrated Encryption Scheme with Crypto++ 4.2 compatibility, then use the ECIES_P1363. -/// If you desire an Integrated Encryption Scheme compatibile with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES +/// If you desire an Integrated Encryption Scheme compatible with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES /// template class with NoCofactorMultiplication, DHAES_MODE=true and LABEL_OCTETS=false. /// \details The default template parameters ensure compatibility with Bouncy Castle 1.54 and Botan 1.11. The combination of /// IncompatibleCofactorMultiplication and DHAES_MODE=true is recommended for best efficiency and security. @@ -619,16 +619,16 @@ struct ECIES /// \brief Elliptic Curve Integrated Encryption Scheme for P1363 /// \tparam COFACTOR_OPTION cofactor multiplication option -/// \tparam HASH HashTransformation derived class used for key drivation and MAC computation +/// \tparam HASH HashTransformation derived class used for key derivation and MAC computation /// \details ECIES_P1363 is an Elliptic Curve based Integrated Encryption Scheme (IES) for P1363. The scheme combines a Key Encapsulation /// Method (KEM) with a Data Encapsulation Method (DEM) and a MAC tag. The scheme is /// IND-CCA2, which is a strong notion of security. /// You should prefer an Integrated Encryption Scheme over homegrown schemes. /// \details The library's original implementation is based on an early P1363 draft, which itself appears to be based on an early Certicom -/// SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used the early draft in its Integrated Ecryption +/// SEC-1 draft (or an early SEC-1 draft was based on a P1363 draft). Crypto++ 4.2 used the early draft in its Integrated Enryption /// Schemes with NoCofactorMultiplication, DHAES_MODE=false and LABEL_OCTETS=true. /// \details If you desire an Integrated Encryption Scheme with Crypto++ 4.2 compatibility, then use the ECIES_P1363. -/// If you desire an Integrated Encryption Scheme compatibile with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES +/// If you desire an Integrated Encryption Scheme compatible with Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES /// template class with NoCofactorMultiplication, DHAES_MODE=true and LABEL_OCTETS=false. /// \details The default template parameters ensure compatibility with P1363. The combination of /// IncompatibleCofactorMultiplication and DHAES_MODE=true is recommended for best efficiency and security. diff --git a/vendor/cryptopp/filters.h b/vendor/cryptopp/filters.h index a2252e4cb6..0de46c414e 100644 --- a/vendor/cryptopp/filters.h +++ b/vendor/cryptopp/filters.h @@ -25,7 +25,7 @@ NAMESPACE_BEGIN(CryptoPP) /// \brief Implementation of BufferedTransformation's attachment interface -/// \details Filter is a cornerstone of the Pipeline trinitiy. Data flows from +/// \details Filter is a cornerstone of the Pipeline trinity. Data flows from /// Sources, through Filters, and then terminates in Sinks. The difference /// between a Source and Filter is a Source \a pumps data, while a Filter does /// not. The difference between a Filter and a Sink is a Filter allows an @@ -222,7 +222,7 @@ struct CRYPTOPP_DLL FilterPutSpaceHelper byte *HelpCreatePutSpace(BufferedTransformation &target, const std::string &channel, size_t minSize, size_t bufferSize) {return HelpCreatePutSpace(target, channel, minSize, minSize, bufferSize);} - /// \brief Temporay working space + /// \brief Temporary working space SecByteBlock m_tempSpace; }; @@ -537,7 +537,7 @@ class CRYPTOPP_DLL StreamTransformationFilter : public FilterWithBufferedInput, /// \param c reference to a StreamTransformation /// \param attachment an optional attached transformation /// \param padding the \ref BlockPaddingSchemeDef "padding scheme" - /// \details This contructor creates a StreamTransformationFilter() for stream ciphers and + /// \details This constructor creates a StreamTransformationFilter() for stream ciphers and /// confidentiality-only block cipher modes of operation. If you are using an authenticated /// encryption mode of operation, then use either AuthenticatedEncryptionFilter() or /// AuthenticatedDecryptionFilter(). @@ -1191,7 +1191,7 @@ class RandomNumberSink : public Bufferless /// \brief Copy input to a memory buffer /// \details ArraySink wraps a fixed size buffer. The buffer is full once Put returns non-0. -/// When used in a pipleline, ArraySink silently discards input if the buffer is full. +/// When used in a pipeline, ArraySink silently discards input if the buffer is full. /// AvailableSize() can be used to determine how much space remains in the buffer. /// TotalPutLength() can be used to determine how many bytes were processed. /// \sa StringSink, ArrayXorSink @@ -1233,7 +1233,7 @@ class CRYPTOPP_DLL ArraySink : public Bufferless /// \brief Xor input to a memory buffer /// \details ArrayXorSink wraps a fixed size buffer. The buffer is full once Put returns non-0. -/// When used in a pipleline, ArrayXorSink silently discards input if the buffer is full. +/// When used in a pipeline, ArrayXorSink silently discards input if the buffer is full. /// AvailableSize() can be used to determine how much space remains in the buffer. /// TotalPutLength() can be used to determine how many bytes were processed. /// \sa StringSink, ArraySink diff --git a/vendor/cryptopp/fips140.h b/vendor/cryptopp/fips140.h index a26cf6f97e..ebc67edfe3 100644 --- a/vendor/cryptopp/fips140.h +++ b/vendor/cryptopp/fips140.h @@ -17,7 +17,7 @@ NAMESPACE_BEGIN(CryptoPP) /// Exception thrown when a crypto algorithm is used after a self test fails -/// \details The self tests for an algorithm are performed by Algortihm class +/// \details The self tests for an algorithm are performed by Algorithm class /// when CRYPTOPP_ENABLE_COMPLIANCE_WITH_FIPS_140_2 is defined. class CRYPTOPP_DLL SelfTestFailure : public Exception { @@ -51,7 +51,7 @@ enum PowerUpSelfTestStatus { /// \param expectedModuleMac the expected MAC of the components protected by the integrity check /// \details Performs the power-up self test, and sets the self test status to /// POWER_UP_SELF_TEST_PASSED or POWER_UP_SELF_TEST_FAILED. -/// \details The self tests for an algorithm are performed by the Algortihm class +/// \details The self tests for an algorithm are performed by the Algorithm class /// when CRYPTOPP_ENABLE_COMPLIANCE_WITH_FIPS_140_2 is defined. CRYPTOPP_DLL void CRYPTOPP_API DoPowerUpSelfTest(const char *moduleFilename, const byte *expectedModuleMac); @@ -59,7 +59,7 @@ CRYPTOPP_DLL void CRYPTOPP_API DoPowerUpSelfTest(const char *moduleFilename, con /// \details Performs the power-up self test using the filename of this DLL and the /// embedded module MAC, and sets the self test status to POWER_UP_SELF_TEST_PASSED or /// POWER_UP_SELF_TEST_FAILED. -/// \details The self tests for an algorithm are performed by the Algortihm class +/// \details The self tests for an algorithm are performed by the Algorithm class /// when CRYPTOPP_ENABLE_COMPLIANCE_WITH_FIPS_140_2 is defined. CRYPTOPP_DLL void CRYPTOPP_API DoDllPowerUpSelfTest(); @@ -83,7 +83,7 @@ CRYPTOPP_DLL MessageAuthenticationCode * CRYPTOPP_API NewIntegrityCheckingMAC(); /// \param moduleFilename the fully qualified name of the module /// \param expectedModuleMac the expected MAC of the components protected by the integrity check /// \param pActualMac the actual MAC of the components calculated by the integrity check -/// \param pMacFileLocation the offest of the MAC in the PE/PE+ module +/// \param pMacFileLocation the offset of the MAC in the PE/PE+ module /// \return true if the MAC is valid, false otherwise CRYPTOPP_DLL bool CRYPTOPP_API IntegrityCheckModule(const char *moduleFilename, const byte *expectedModuleMac, SecByteBlock *pActualMac = NULLPTR, unsigned long *pMacFileLocation = NULLPTR); diff --git a/vendor/cryptopp/gcm.cpp b/vendor/cryptopp/gcm.cpp index 16c43b2705..0b037ba1ba 100644 --- a/vendor/cryptopp/gcm.cpp +++ b/vendor/cryptopp/gcm.cpp @@ -559,6 +559,7 @@ size_t GCM_Base::AuthenticateBlocks(const byte *data, size_t len) #endif #if CRYPTOPP_SSE2_ASM_AVAILABLE + case 1: // SSE2 and 2K tables { #ifdef __GNUC__ @@ -725,10 +726,8 @@ size_t GCM_Base::AuthenticateBlocks(const byte *data, size_t len) ATT_PREFIX : : "c" (data), "d" (len/16), "S" (hashBuffer), "D" (s_reductionTable) - : "memory", "cc", "%eax" - #if CRYPTOPP_BOOL_X64 - , "%ebx", "%r11" - #endif + : "memory", "cc", "%eax", "%ebx", PERCENT_REG(AS_REG_7), "%xmm0", + "%xmm1", "%xmm2", "%xmm3", "%xmm4", "%xmm5" ); #elif defined(CRYPTOPP_GENERATE_X64_MASM) pop rbx @@ -804,7 +803,7 @@ size_t GCM_Base::AuthenticateBlocks(const byte *data, size_t len) ATT_PREFIX : : "c" (data), "d" (len/16), "S" (hashBuffer) - : "memory", "cc", "%edi", "%eax" + : "memory", "cc", "%edi", "%eax", "%xmm0", "%xmm1" ); #elif defined(CRYPTOPP_GENERATE_X64_MASM) pop rdi diff --git a/vendor/cryptopp/gcm_simd.cpp b/vendor/cryptopp/gcm_simd.cpp index e061b199f9..bdff4231c3 100644 --- a/vendor/cryptopp/gcm_simd.cpp +++ b/vendor/cryptopp/gcm_simd.cpp @@ -154,59 +154,6 @@ bool CPU_ProbePMULL() } #endif // ARM32 or ARM64 -#if (CRYPTOPP_BOOL_PPC32 || CRYPTOPP_BOOL_PPC64) -bool CPU_ProbePMULL() -{ -#if defined(CRYPTOPP_NO_CPU_FEATURE_PROBES) - return false; -#elif (CRYPTOPP_POWER8_VMULL_AVAILABLE) - // longjmp and clobber warnings. Volatile is required. - volatile bool result = true; - - volatile SigHandler oldHandler = signal(SIGILL, SigIllHandler); - if (oldHandler == SIG_ERR) - return false; - - volatile sigset_t oldMask; - if (sigprocmask(0, NULLPTR, (sigset_t*)&oldMask)) - { - signal(SIGILL, oldHandler); - return false; - } - - if (setjmp(s_jmpSIGILL)) - result = false; - else - { - const uint64_t wa1[]={0,W64LIT(0x9090909090909090)}, - wb1[]={0,W64LIT(0xb0b0b0b0b0b0b0b0)}; - const uint64x2_p a1=VecLoad(wa1), b1=VecLoad(wb1); - - const uint8_t wa2[]={0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80, - 0xa0,0xa0,0xa0,0xa0,0xa0,0xa0,0xa0,0xa0}, - wb2[]={0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0, - 0xe0,0xe0,0xe0,0xe0,0xe0,0xe0,0xe0,0xe0}; - const uint32x4_p a2=VecLoad(wa2), b2=VecLoad(wb2); - - const uint64x2_p r1 = VecIntelMultiply11(a1, b1); - const uint64x2_p r2 = VecIntelMultiply11((uint64x2_p)a2, (uint64x2_p)b2); - - const uint64_t wc1[]={W64LIT(0x5300530053005300), W64LIT(0x5300530053005300)}, - wc2[]={W64LIT(0x6c006c006c006c00), W64LIT(0x6c006c006c006c00)}; - const uint64x2_p c1=VecLoad(wc1), c2=VecLoad(wc2); - - result = !!(VecEqual(r1, c1) && VecEqual(r2, c2)); - } - - sigprocmask(SIG_SETMASK, (sigset_t*)&oldMask, NULLPTR); - signal(SIGILL, oldHandler); - return result; -#else - return false; -#endif // CRYPTOPP_POWER8_VMULL_AVAILABLE -} -#endif // PPC32 or PPC64 - // *************************** ARM NEON *************************** // #if CRYPTOPP_ARM_NEON_AVAILABLE diff --git a/vendor/cryptopp/gf2n.h b/vendor/cryptopp/gf2n.h index 239de98824..075635283d 100644 --- a/vendor/cryptopp/gf2n.h +++ b/vendor/cryptopp/gf2n.h @@ -28,7 +28,7 @@ class CRYPTOPP_DLL PolynomialMod2 public: /// \name ENUMS, EXCEPTIONS, and TYPEDEFS //@{ - /// \brief Excpetion thrown when divide by zero is encountered + /// \brief Exception thrown when divide by zero is encountered class DivideByZero : public Exception { public: diff --git a/vendor/cryptopp/gfpcrypt.h b/vendor/cryptopp/gfpcrypt.h index 9b85b5958a..93b033b6c5 100644 --- a/vendor/cryptopp/gfpcrypt.h +++ b/vendor/cryptopp/gfpcrypt.h @@ -864,7 +864,7 @@ CRYPTOPP_DLL_TEMPLATE_CLASS DL_PrivateKey_WithSignaturePairwiseConsistencyTestNoCofactorMultiplication, DHAES_MODE=false and LABEL_OCTETS=true. /// \details If you need this method for Bouncy Castle 1.54 and Botan 1.11 compatibility, then use the ECIES template class with -/// NoCofactorMultiplication, DHAES_MODE=ture and LABEL_OCTETS=false. +/// NoCofactorMultiplication, DHAES_MODE=true and LABEL_OCTETS=false. /// \details Bouncy Castle 1.54 and Botan 1.11 compatibility are the default template parameters. /// \since Crypto++ 4.0 template diff --git a/vendor/cryptopp/integer.cpp b/vendor/cryptopp/integer.cpp index e5c58d902a..188380349d 100644 --- a/vendor/cryptopp/integer.cpp +++ b/vendor/cryptopp/integer.cpp @@ -20,7 +20,7 @@ // them. Initialization priorities are init_priority() on Linux and init_seg() // on Windows. OS X and several other platforms lack them. Initialization // priorities are platform specific but they are also the most trouble free -// with determisitic destruction. +// with deterministic destruction. // Second, if C++11 dynamic initialization is available, then we use it. After // the std::call_once fiasco we moved to dynamic initialization to avoid // unknown troubles platforms that are tested less frequently. In addition @@ -39,7 +39,7 @@ // resource acquisition in reverse. For resources provided through the // Singletons, there is no way to express the dependency order to safely // destroy resources. (That's one of the problems C++11 dynamic -// intitialization with concurrent execution is supposed to solve). +// initialization with concurrent execution is supposed to solve). // The final problem with Singletons is resource/memory exhaustion in languages // like Java and .Net. Java and .Net load and unload a native DLL hundreds or // thousands of times during the life of a program. Each load produces a @@ -3799,24 +3799,36 @@ Integer& Integer::operator--() // worry about negative zero. Also see http://stackoverflow.com/q/11644362. Integer Integer::And(const Integer& t) const { + // Grow due to https://github.com/weidai11/cryptopp/issues/1072 + // The temporary Integer 'result' may have fewer blocks than + // 'this' or 't', if leading 0-blocks are trimmed in copy ctor. + if (this == &t) { return AbsoluteValue(); } else if (reg.size() >= t.reg.size()) { - Integer result(t); - AndWords(result.reg, reg, t.reg.size()); + IntegerSecBlock temp(t.reg.size()); + // AndWords(temp, reg, t.reg, t.reg.size()); + for (size_t i=0; i= t.reg.size()) { - Integer result(*this); - OrWords(result.reg, t.reg, t.reg.size()); + IntegerSecBlock temp(reg, reg.size()); + // OrWords(temp, t.reg, t.reg.size()); + for (size_t i=0; i= t.reg.size()) { - Integer result(*this); - XorWords(result.reg, t.reg, t.reg.size()); + IntegerSecBlock temp(reg, reg.size()); + // OrWords(temp, t.reg, t.reg.size()); + for (size_t i=0; i CRYPTOPP_DLL std::string IntToString(Integer value, unsigned int base) { diff --git a/vendor/cryptopp/integer.h b/vendor/cryptopp/integer.h index ad51894a62..5f157d6103 100644 --- a/vendor/cryptopp/integer.h +++ b/vendor/cryptopp/integer.h @@ -3,14 +3,14 @@ /// \file integer.h /// \brief Multiple precision integer with arithmetic operations /// \details The Integer class can represent positive and negative integers -/// with absolute value less than (256**sizeof(word))(256**sizeof(int)). +/// with absolute value less than (256**sizeof(word))(256**sizeof(int)). /// \details Internally, the library uses a sign magnitude representation, and the class -/// has two data members. The first is a IntegerSecBlock (a SecBlock) and it is -/// used to hold the representation. The second is a Sign (an enumeration), and it is -/// used to track the sign of the Integer. +/// has two data members. The first is a IntegerSecBlock (a SecBlock) and it is +/// used to hold the representation. The second is a Sign (an enumeration), and it is +/// used to track the sign of the Integer. /// \details For details on how the Integer class initializes its function pointers using -/// InitializeInteger and how it creates Integer::Zero(), Integer::One(), and -/// Integer::Two(), then see the comments at the top of integer.cpp. +/// InitializeInteger and how it creates Integer::Zero(), Integer::One(), and +/// Integer::Two(), then see the comments at the top of integer.cpp. /// \since Crypto++ 1.0 #ifndef CRYPTOPP_INTEGER_H @@ -36,14 +36,14 @@ typedef SecBlock > IntegerSecBlock; /// \brief Multiple precision integer with arithmetic operations /// \details The Integer class can represent positive and negative integers -/// with absolute value less than (256**sizeof(word))(256**sizeof(int)). +/// with absolute value less than (256**sizeof(word))(256**sizeof(int)). /// \details Internally, the library uses a sign magnitude representation, and the class -/// has two data members. The first is a IntegerSecBlock (a SecBlock) and it is -/// used to hold the representation. The second is a Sign (an enumeration), and it is -/// used to track the sign of the Integer. +/// has two data members. The first is a IntegerSecBlock (a SecBlock) and it is +/// used to hold the representation. The second is a Sign (an enumeration), and it is +/// used to track the sign of the Integer. /// \details For details on how the Integer class initializes its function pointers using -/// InitializeInteger and how it creates Integer::Zero(), Integer::One(), and -/// Integer::Two(), then see the comments at the top of integer.cpp. +/// InitializeInteger and how it creates Integer::Zero(), Integer::One(), and +/// Integer::Two(), then see the comments at the top of integer.cpp. /// \since Crypto++ 1.0 /// \nosubgrouping class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object @@ -59,7 +59,7 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object }; /// \brief Exception thrown when a random number cannot be found that - /// satisfies the condition + /// satisfies the condition class RandomNumberNotFound : public Exception { public: @@ -120,19 +120,21 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \brief Convert from a C-string /// \param str C-string value /// \param order the ByteOrder of the string to be processed - /// \details \p str can be in base 2, 8, 10, or 16. Base is determined by a case - /// insensitive suffix of 'h', 'o', or 'b'. No suffix means base 10. + /// \details \p str can be in base 8, 10, or 16. Base is determined + /// by a case insensitive suffix of 'o' (8), '.' (10), or 'h' (16). + /// No suffix means base 10. /// \details Byte order was added at Crypto++ 5.7 to allow use of little-endian - /// integers with curve25519, Poly1305 and Microsoft CAPI. + /// integers with curve25519, Poly1305 and Microsoft CAPI. explicit Integer(const char *str, ByteOrder order = BIG_ENDIAN_ORDER); /// \brief Convert from a wide C-string /// \param str wide C-string value /// \param order the ByteOrder of the string to be processed - /// \details \p str can be in base 2, 8, 10, or 16. Base is determined by a case - /// insensitive suffix of 'h', 'o', or 'b'. No suffix means base 10. + /// \details \p str can be in base 8, 10, or 16. Base is determined + /// by a case insensitive suffix of 'o' (8), '.' (10), or 'h' (16). + /// No suffix means base 10. /// \details Byte order was added at Crypto++ 5.7 to allow use of little-endian - /// integers with curve25519, Poly1305 and Microsoft CAPI. + /// integers with curve25519, Poly1305 and Microsoft CAPI. explicit Integer(const wchar_t *str, ByteOrder order = BIG_ENDIAN_ORDER); /// \brief Convert from a big-endian byte array @@ -141,7 +143,7 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param sign enumeration indicating Signedness /// \param order the ByteOrder of the array to be processed /// \details Byte order was added at Crypto++ 5.7 to allow use of little-endian - /// integers with curve25519, Poly1305 and Microsoft CAPI. + /// integers with curve25519, Poly1305 and Microsoft CAPI. Integer(const byte *encodedInteger, size_t byteCount, Signedness sign=UNSIGNED, ByteOrder order = BIG_ENDIAN_ORDER); /// \brief Convert from a big-endian array @@ -150,7 +152,7 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param sign enumeration indicating Signedness /// \param order the ByteOrder of the data to be processed /// \details Byte order was added at Crypto++ 5.7 to allow use of little-endian - /// integers with curve25519, Poly1305 and Microsoft CAPI. + /// integers with curve25519, Poly1305 and Microsoft CAPI. Integer(BufferedTransformation &bt, size_t byteCount, Signedness sign=UNSIGNED, ByteOrder order = BIG_ENDIAN_ORDER); /// \brief Convert from a BER encoded byte array @@ -185,13 +187,13 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param mod the modulus used to reduce the equivalence class /// \throw RandomNumberNotFound if the set is empty. /// \details Ideally, the random integer created should be uniformly distributed - /// over {x | min \<= x \<= max and \p x is of rnType and x \% mod == equiv}. - /// However the actual distribution may not be uniform because sequential - /// search is used to find an appropriate number from a random starting - /// point. + /// over {x | min \<= x \<= max and \p x is of rnType and x \% mod == equiv}. + /// However the actual distribution may not be uniform because sequential + /// search is used to find an appropriate number from a random starting + /// point. /// \details May return (with very small probability) a pseudoprime when a prime - /// is requested and max \> lastSmallPrime*lastSmallPrime. \p lastSmallPrime - /// is declared in nbtheory.h. + /// is requested and max \> lastSmallPrime*lastSmallPrime. \p lastSmallPrime + /// is declared in nbtheory.h. Integer(RandomNumberGenerator &rng, const Integer &min, const Integer &max, RandomNumberType rnType=ANY, const Integer &equiv=Zero(), const Integer &mod=One()); /// \brief Exponentiates to a power of 2 @@ -213,7 +215,7 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param sign enumeration indicating Signedness /// \details Unsigned means encode absolute value, signed means encode two's complement if negative. /// \details outputLen can be used to ensure an Integer is encoded to an exact size (rather than a - /// minimum size). An exact size is useful, for example, when encoding to a field element size. + /// minimum size). An exact size is useful, for example, when encoding to a field element size. void Encode(byte *output, size_t outputLen, Signedness sign=UNSIGNED) const; /// \brief Encode in big-endian format @@ -222,13 +224,13 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param sign enumeration indicating Signedness /// \details Unsigned means encode absolute value, signed means encode two's complement if negative. /// \details outputLen can be used to ensure an Integer is encoded to an exact size (rather than a - /// minimum size). An exact size is useful, for example, when encoding to a field element size. + /// minimum size). An exact size is useful, for example, when encoding to a field element size. void Encode(BufferedTransformation &bt, size_t outputLen, Signedness sign=UNSIGNED) const; /// \brief Encode in DER format /// \param bt BufferedTransformation object /// \details Encodes the Integer using Distinguished Encoding Rules - /// The result is placed into a BufferedTransformation object + /// The result is placed into a BufferedTransformation object void DEREncode(BufferedTransformation &bt) const; /// \brief Encode absolute value as big-endian octet string @@ -241,14 +243,14 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param bufferSize length of the byte array /// \return length of the output /// \details OpenPGPEncode places result into the buffer and returns the - /// number of bytes used for the encoding + /// number of bytes used for the encoding size_t OpenPGPEncode(byte *output, size_t bufferSize) const; /// \brief Encode absolute value in OpenPGP format /// \param bt BufferedTransformation object /// \return length of the output /// \details OpenPGPEncode places result into a BufferedTransformation object and returns the - /// number of bytes used for the encoding + /// number of bytes used for the encoding size_t OpenPGPEncode(BufferedTransformation &bt) const; /// \brief Decode from big-endian byte array @@ -297,7 +299,7 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \name ACCESSORS //@{ /// \brief Determines if the Integer is convertable to Long - /// \return true if *this can be represented as a signed long + /// \return true if *this can be represented as a signed long /// \sa ConvertToLong() bool IsConvertableToLong() const; /// \brief Convert the Integer to Long @@ -325,7 +327,7 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \return the i-th byte byte GetByte(size_t i) const; /// \brief Provides the low order bits of the Integer - /// \return n lowest bits of *this >> i + /// \return n lowest bits of *this >> i lword GetBits(size_t i, size_t n) const; /// \brief Determines if the Integer is 0 @@ -403,38 +405,38 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \brief Bitwise AND Assignment /// \param t the other Integer - /// \return the result of *this & t - /// \details operator&=() performs a bitwise AND on *this. Missing bits are truncated - /// at the most significant bit positions, so the result is as small as the - /// smaller of the operands. + /// \return the result of *this & t + /// \details operator&=() performs a bitwise AND on *this. Missing bits are truncated + /// at the most significant bit positions, so the result is as small as the + /// smaller of the operands. /// \details Internally, Crypto++ uses a sign-magnitude representation. The library - /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, - /// the integer should be converted to a 2's compliment representation before performing - /// the operation. + /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, + /// the integer should be converted to a 2's compliment representation before performing + /// the operation. /// \since Crypto++ 6.0 Integer& operator&=(const Integer& t); /// \brief Bitwise OR Assignment /// \param t the second Integer - /// \return the result of *this | t - /// \details operator|=() performs a bitwise OR on *this. Missing bits are shifted in - /// at the most significant bit positions, so the result is as large as the - /// larger of the operands. + /// \return the result of *this | t + /// \details operator|=() performs a bitwise OR on *this. Missing bits are shifted in + /// at the most significant bit positions, so the result is as large as the + /// larger of the operands. /// \details Internally, Crypto++ uses a sign-magnitude representation. The library - /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, - /// the integer should be converted to a 2's compliment representation before performing - /// the operation. + /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, + /// the integer should be converted to a 2's compliment representation before performing + /// the operation. /// \since Crypto++ 6.0 Integer& operator|=(const Integer& t); /// \brief Bitwise XOR Assignment /// \param t the other Integer - /// \return the result of *this ^ t - /// \details operator^=() performs a bitwise XOR on *this. Missing bits are shifted - /// in at the most significant bit positions, so the result is as large as the - /// larger of the operands. + /// \return the result of *this ^ t + /// \details operator^=() performs a bitwise XOR on *this. Missing bits are shifted + /// in at the most significant bit positions, so the result is as large as the + /// larger of the operands. /// \details Internally, Crypto++ uses a sign-magnitude representation. The library - /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, - /// the integer should be converted to a 2's compliment representation before performing - /// the operation. + /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, + /// the integer should be converted to a 2's compliment representation before performing + /// the operation. /// \since Crypto++ 6.0 Integer& operator^=(const Integer& t); @@ -460,13 +462,13 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param mod the modulus used to reduce the equivalence class /// \throw RandomNumberNotFound if the set is empty. /// \details Ideally, the random integer created should be uniformly distributed - /// over {x | min \<= x \<= max and \p x is of rnType and x \% mod == equiv}. - /// However the actual distribution may not be uniform because sequential - /// search is used to find an appropriate number from a random starting - /// point. + /// over {x | min \<= x \<= max and \p x is of rnType and x \% mod == equiv}. + /// However the actual distribution may not be uniform because sequential + /// search is used to find an appropriate number from a random starting + /// point. /// \details May return (with very small probability) a pseudoprime when a prime - /// is requested and max \> lastSmallPrime*lastSmallPrime. \p lastSmallPrime - /// is declared in nbtheory.h. + /// is requested and max \> lastSmallPrime*lastSmallPrime. \p lastSmallPrime + /// is declared in nbtheory.h. bool Randomize(RandomNumberGenerator &rng, const Integer &min, const Integer &max, RandomNumberType rnType, const Integer &equiv=Zero(), const Integer &mod=One()); /// \brief Generate a random number @@ -474,16 +476,16 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param params additional parameters that cannot be passed directly to the function /// \return true if a random number was generated, false otherwise /// \details GenerateRandomNoThrow attempts to generate a random number according to the - /// parameters specified in params. The function does not throw RandomNumberNotFound. + /// parameters specified in params. The function does not throw RandomNumberNotFound. /// \details The example below generates a prime number using NameValuePairs that Integer - /// class recognizes. The names are not provided in argnames.h. + /// class recognizes. The names are not provided in argnames.h. /// 
    -		///     AutoSeededRandomPool prng;
-		///     AlgorithmParameters params = MakeParameters("BitLength", 2048)
-		///                                                ("RandomNumberType", Integer::PRIME);
-		///     Integer x;
-		///     if (x.GenerateRandomNoThrow(prng, params) == false)
-		///         throw std::runtime_error("Failed to generate prime number");
+		///    AutoSeededRandomPool prng;
+		///    AlgorithmParameters params = MakeParameters("BitLength", 2048)
+		///                                               ("RandomNumberType", Integer::PRIME);
+		///    Integer x;
+		///    if (x.GenerateRandomNoThrow(prng, params) == false)
+		///        throw std::runtime_error("Failed to generate prime number");
 		///
    bool GenerateRandomNoThrow(RandomNumberGenerator &rng, const NameValuePairs ¶ms = g_nullNameValuePairs); @@ -492,16 +494,16 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param params additional parameters that cannot be passed directly to the function /// \throw RandomNumberNotFound if a random number is not found /// \details GenerateRandom attempts to generate a random number according to the - /// parameters specified in params. + /// parameters specified in params. /// \details The example below generates a prime number using NameValuePairs that Integer - /// class recognizes. The names are not provided in argnames.h. + /// class recognizes. The names are not provided in argnames.h. /// 
    -		///     AutoSeededRandomPool prng;
-		///     AlgorithmParameters params = MakeParameters("BitLength", 2048)
-		///                                                ("RandomNumberType", Integer::PRIME);
-		///     Integer x;
-		///     try { x.GenerateRandom(prng, params); }
-		///     catch (RandomNumberNotFound&) { x = -1; }
+		///    AutoSeededRandomPool prng;
+		///    AlgorithmParameters params = MakeParameters("BitLength", 2048)
+		///                                               ("RandomNumberType", Integer::PRIME);
+		///    Integer x;
+		///    try { x.GenerateRandom(prng, params); }
+		///    catch (RandomNumberNotFound&) { x = -1; }
 		///
    void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs ¶ms = g_nullNameValuePairs) { @@ -551,10 +553,10 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \name BINARY OPERATORS //@{ /// \brief Perform signed comparison - /// \param a the Integer to comapre - /// \retval -1 if *this < a - /// \retval 0 if *this = a - /// \retval 1 if *this > a + /// \param a the Integer to compare + /// \retval -1 if *this < a + /// \retval 0 if *this = a + /// \retval 1 if *this > a int Compare(const Integer& a) const; /// \brief Addition @@ -579,12 +581,12 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param t the other Integer /// \return the result of *this & t /// \details And() performs a bitwise AND on the operands. Missing bits are truncated - /// at the most significant bit positions, so the result is as small as the - /// smaller of the operands. + /// at the most significant bit positions, so the result is as small as the + /// smaller of the operands. /// \details Internally, Crypto++ uses a sign-magnitude representation. The library - /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, - /// the integer should be converted to a 2's compliment representation before performing - /// the operation. + /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, + /// the integer should be converted to a 2's compliment representation before performing + /// the operation. /// \since Crypto++ 6.0 Integer And(const Integer& t) const; @@ -592,12 +594,12 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param t the other Integer /// \return the result of *this | t /// \details Or() performs a bitwise OR on the operands. Missing bits are shifted in - /// at the most significant bit positions, so the result is as large as the - /// larger of the operands. + /// at the most significant bit positions, so the result is as large as the + /// larger of the operands. /// \details Internally, Crypto++ uses a sign-magnitude representation. The library - /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, - /// the integer should be converted to a 2's compliment representation before performing - /// the operation. + /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, + /// the integer should be converted to a 2's compliment representation before performing + /// the operation. /// \since Crypto++ 6.0 Integer Or(const Integer& t) const; @@ -605,12 +607,12 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \param t the other Integer /// \return the result of *this ^ t /// \details Xor() performs a bitwise XOR on the operands. Missing bits are shifted in - /// at the most significant bit positions, so the result is as large as the - /// larger of the operands. + /// at the most significant bit positions, so the result is as large as the + /// larger of the operands. /// \details Internally, Crypto++ uses a sign-magnitude representation. The library - /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, - /// the integer should be converted to a 2's compliment representation before performing - /// the operation. + /// does not attempt to interpret bits, and the result is always POSITIVE. If needed, + /// the integer should be converted to a 2's compliment representation before performing + /// the operation. /// \since Crypto++ 6.0 Integer Xor(const Integer& t) const; @@ -645,38 +647,38 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \brief Extended Division /// \param r a reference for the remainder /// \param q a reference for the quotient - /// \param a a reference to the dividend - /// \param d a reference to the divisor + /// \param a reference to the dividend + /// \param d reference to the divisor /// \details Divide calculates r and q such that (a == d*q + r) && (0 <= r < abs(d)). static void CRYPTOPP_API Divide(Integer &r, Integer &q, const Integer &a, const Integer &d); /// \brief Extended Division /// \param r a reference for the remainder /// \param q a reference for the quotient - /// \param a a reference to the dividend - /// \param d a reference to the divisor + /// \param a reference to the dividend + /// \param d reference to the divisor /// \details Divide calculates r and q such that (a == d*q + r) && (0 <= r < abs(d)). - /// This overload uses a faster division algorithm because the divisor is short. + /// This overload uses a faster division algorithm because the divisor is short. static void CRYPTOPP_API Divide(word &r, Integer &q, const Integer &a, word d); /// \brief Extended Division /// \param r a reference for the remainder /// \param q a reference for the quotient - /// \param a a reference to the dividend - /// \param n a reference to the divisor + /// \param a reference to the dividend + /// \param n reference to the divisor /// \details DivideByPowerOf2 calculates r and q such that (a == d*q + r) && (0 <= r < abs(d)). - /// It returns same result as Divide(r, q, a, Power2(n)), but faster. - /// This overload uses a faster division algorithm because the divisor is a power of 2. + /// It returns same result as Divide(r, q, a, Power2(n)), but faster. + /// This overload uses a faster division algorithm because the divisor is a power of 2. static void CRYPTOPP_API DivideByPowerOf2(Integer &r, Integer &q, const Integer &a, unsigned int n); /// \brief Calculate greatest common divisor - /// \param a a reference to the first number - /// \param n a reference to the secind number + /// \param a reference to the first number + /// \param n reference to the secind number /// \return the greatest common divisor a and n. static Integer CRYPTOPP_API Gcd(const Integer &a, const Integer &n); /// \brief Calculate multiplicative inverse - /// \param n a reference to the modulus + /// \param n reference to the modulus /// \return an Integer *this % n. /// \details InverseMod returns the multiplicative inverse of the Integer *this /// modulo the Integer n. If no Integer exists then Integer 0 is returned. @@ -695,34 +697,34 @@ class CRYPTOPP_DLL Integer : private InitializeInteger, public ASN1Object /// \name INPUT/OUTPUT //@{ /// \brief Extraction operator - /// \param in a reference to a std::istream - /// \param a a reference to an Integer - /// \return a reference to a std::istream reference + /// \param in reference to a std::istream + /// \param a reference to an Integer + /// \return reference to a std::istream reference friend CRYPTOPP_DLL std::istream& CRYPTOPP_API operator>>(std::istream& in, Integer &a); /// \brief Insertion operator - /// \param out a reference to a std::ostream + /// \param out reference to a std::ostream /// \param a a constant reference to an Integer - /// \return a reference to a std::ostream reference + /// \return reference to a std::ostream reference /// \details The output integer responds to std::hex, std::oct, std::hex, std::upper and - /// std::lower. The output includes the suffix \a h (for hex), \a . (\a dot, for dec) - /// and \a o (for octal). There is currently no way to suppress the suffix. + /// std::lower. The output includes the suffix \a h (for hex), \a . (\a dot, for dec) + /// and \a o (for octal). There is currently no way to suppress the suffix. /// \details If you want to print an Integer without the suffix or using an arbitrary base, then - /// use IntToString(). + /// use IntToString(). /// \sa IntToString friend CRYPTOPP_DLL std::ostream& CRYPTOPP_API operator<<(std::ostream& out, const Integer &a); //@} /// \brief Modular multiplication - /// \param x a reference to the first term - /// \param y a reference to the second term - /// \param m a reference to the modulus + /// \param x reference to the first term + /// \param y reference to the second term + /// \param m reference to the modulus /// \return an Integer (a * b) % m. CRYPTOPP_DLL friend Integer CRYPTOPP_API a_times_b_mod_c(const Integer &x, const Integer& y, const Integer& m); /// \brief Modular exponentiation - /// \param x a reference to the base - /// \param e a reference to the exponent - /// \param m a reference to the modulus + /// \param x reference to the base + /// \param e reference to the exponent + /// \param m reference to the modulus /// \return an Integer (a ^ b) % m. CRYPTOPP_DLL friend Integer CRYPTOPP_API a_exp_b_mod_c(const Integer &x, const Integer& e, const Integer& m); @@ -786,12 +788,12 @@ inline CryptoPP::word operator%(const CryptoPP::Integer &a, CryptoPP::word b) /// \param b the second Integer /// \return the result of a & b /// \details operator&() performs a bitwise AND on the operands. Missing bits are truncated -/// at the most significant bit positions, so the result is as small as the -/// smaller of the operands. +/// at the most significant bit positions, so the result is as small as the +/// smaller of the operands. /// \details Internally, Crypto++ uses a sign-magnitude representation. The library -/// does not attempt to interpret bits, and the result is always POSITIVE. If needed, -/// the integer should be converted to a 2's compliment representation before performing -/// the operation. +/// does not attempt to interpret bits, and the result is always POSITIVE. If needed, +/// the integer should be converted to a 2's compliment representation before performing +/// the operation. /// \since Crypto++ 6.0 inline CryptoPP::Integer operator&(const CryptoPP::Integer &a, const CryptoPP::Integer &b) {return a.And(b);} @@ -800,12 +802,12 @@ inline CryptoPP::Integer operator&(const CryptoPP::Integer &a, const CryptoPP::I /// \param b the second Integer /// \return the result of a | b /// \details operator|() performs a bitwise OR on the operands. Missing bits are shifted in -/// at the most significant bit positions, so the result is as large as the -/// larger of the operands. +/// at the most significant bit positions, so the result is as large as the +/// larger of the operands. /// \details Internally, Crypto++ uses a sign-magnitude representation. The library -/// does not attempt to interpret bits, and the result is always POSITIVE. If needed, -/// the integer should be converted to a 2's compliment representation before performing -/// the operation. +/// does not attempt to interpret bits, and the result is always POSITIVE. If needed, +/// the integer should be converted to a 2's compliment representation before performing +/// the operation. /// \since Crypto++ 6.0 inline CryptoPP::Integer operator|(const CryptoPP::Integer &a, const CryptoPP::Integer &b) {return a.Or(b);} @@ -814,12 +816,12 @@ inline CryptoPP::Integer operator|(const CryptoPP::Integer &a, const CryptoPP::I /// \param b the second Integer /// \return the result of a ^ b /// \details operator^() performs a bitwise XOR on the operands. Missing bits are shifted -/// in at the most significant bit positions, so the result is as large as the -/// larger of the operands. +/// in at the most significant bit positions, so the result is as large as the +/// larger of the operands. /// \details Internally, Crypto++ uses a sign-magnitude representation. The library -/// does not attempt to interpret bits, and the result is always POSITIVE. If needed, -/// the integer should be converted to a 2's compliment representation before performing -/// the operation. +/// does not attempt to interpret bits, and the result is always POSITIVE. If needed, +/// the integer should be converted to a 2's compliment representation before performing +/// the operation. /// \since Crypto++ 6.0 inline CryptoPP::Integer operator^(const CryptoPP::Integer &a, const CryptoPP::Integer &b) {return a.Xor(b);} diff --git a/vendor/cryptopp/keccak.h b/vendor/cryptopp/keccak.h index b2c1a9c297..2d9e3603ad 100644 --- a/vendor/cryptopp/keccak.h +++ b/vendor/cryptopp/keccak.h @@ -26,7 +26,7 @@ NAMESPACE_BEGIN(CryptoPP) /// \details Keccak will likely change in the future to accommodate extensibility of the /// round function and the XOF functions. /// \details Perform the following to specify a different digest size. The class will use F1600, -/// XOF d=0x01, and a new vaue for r() (which will be 200-2*24 = 152). +/// XOF d=0x01, and a new value for r() (which will be 200-2*24 = 152). /// 
      Keccack_192 : public Keccack
 ///   {
 ///     public:
diff --git a/vendor/cryptopp/lsh256_avx.cpp b/vendor/cryptopp/lsh256_avx.cpp
index df45543bc4..0479a76e7f 100644
--- a/vendor/cryptopp/lsh256_avx.cpp
+++ b/vendor/cryptopp/lsh256_avx.cpp
@@ -15,6 +15,9 @@
 #include "lsh.h"
 #include "misc.h"
 
+// Squash MS LNK4221 and libtool warnings
+extern const char LSH256_AVX_FNAME[] = __FILE__;
+
 #if defined(CRYPTOPP_AVX2_AVAILABLE) && defined(CRYPTOPP_ENABLE_64BIT_SSE)
 
 #if defined(CRYPTOPP_AVX2_AVAILABLE)
diff --git a/vendor/cryptopp/lsh256_sse.cpp b/vendor/cryptopp/lsh256_sse.cpp
index 72f43b6b96..e414ac7afc 100644
--- a/vendor/cryptopp/lsh256_sse.cpp
+++ b/vendor/cryptopp/lsh256_sse.cpp
@@ -16,6 +16,9 @@
 #include "cpu.h"
 #include "misc.h"
 
+// Squash MS LNK4221 and libtool warnings
+extern const char LSH256_SSE_FNAME[] = __FILE__;
+
 #if defined(CRYPTOPP_SSSE3_AVAILABLE) && defined(CRYPTOPP_ENABLE_64BIT_SSE)
 
 #if defined(CRYPTOPP_SSSE3_AVAILABLE)
diff --git a/vendor/cryptopp/lsh512_avx.cpp b/vendor/cryptopp/lsh512_avx.cpp
index 14015e1dbe..4314b7e908 100644
--- a/vendor/cryptopp/lsh512_avx.cpp
+++ b/vendor/cryptopp/lsh512_avx.cpp
@@ -15,6 +15,9 @@
 #include "lsh.h"
 #include "misc.h"
 
+// Squash MS LNK4221 and libtool warnings
+extern const char LSH512_AVX_FNAME[] = __FILE__;
+
 #if defined(CRYPTOPP_AVX2_AVAILABLE) && defined(CRYPTOPP_ENABLE_64BIT_SSE)
 
 #if defined(CRYPTOPP_AVX2_AVAILABLE)
diff --git a/vendor/cryptopp/lsh512_sse.cpp b/vendor/cryptopp/lsh512_sse.cpp
index 4af885e11e..6907d51ecb 100644
--- a/vendor/cryptopp/lsh512_sse.cpp
+++ b/vendor/cryptopp/lsh512_sse.cpp
@@ -15,6 +15,9 @@
 #include "lsh.h"
 #include "misc.h"
 
+// Squash MS LNK4221 and libtool warnings
+extern const char LSH512_SSE_FNAME[] = __FILE__;
+
 #if defined(CRYPTOPP_SSSE3_AVAILABLE) && defined(CRYPTOPP_ENABLE_64BIT_SSE)
 
 #if defined(CRYPTOPP_SSSE3_AVAILABLE)
diff --git a/vendor/cryptopp/mersenne.h b/vendor/cryptopp/mersenne.h
index 3b7fd0edc1..ed5783f3f7 100644
--- a/vendor/cryptopp/mersenne.h
+++ b/vendor/cryptopp/mersenne.h
@@ -2,7 +2,7 @@
 
 /// \file mersenne.h
 /// \brief Class file for Mersenne Twister
-/// \warning MersenneTwister is suitable for Monte-Carlo simulations, where uniformaly distrubuted
+/// \warning MersenneTwister is suitable for Monte-Carlo simulations, where uniformaly distributed
 ///  numbers are required quickly. It should not be used for cryptographic purposes.
 /// \since Crypto++ 5.6.3
 #ifndef CRYPTOPP_MERSENNE_TWISTER_H
@@ -23,7 +23,7 @@ NAMESPACE_BEGIN(CryptoPP)
 /// \details Provides the MersenneTwister implementation. The class is a header-only implementation.
 /// \details You should reseed the generator after a fork() to avoid multiple generators
 ///  with the same internal state.
-/// \warning MersenneTwister is suitable for simulations, where uniformaly distrubuted numbers are
+/// \warning MersenneTwister is suitable for simulations, where uniformaly distributed numbers are
 ///  required quickly. It should not be used for cryptographic purposes.
 /// \sa MT19937, MT19937ar
 /// \since Crypto++ 5.6.3
@@ -162,7 +162,7 @@ class MersenneTwister : public RandomNumberGenerator
 		return temp ^ (temp >> 18);
 	}
 
-	/// \brief Performs the twist operaton on the state array
+	/// \brief Performs the twist operation on the state array
 	void Twist()
 	{
 		static const word32 magic[2]={0x0UL, K};
diff --git a/vendor/cryptopp/misc.cpp b/vendor/cryptopp/misc.cpp
index 6d58089ea8..90244499a6 100644
--- a/vendor/cryptopp/misc.cpp
+++ b/vendor/cryptopp/misc.cpp
@@ -35,8 +35,8 @@
 #  include 
 # endif
 
-# if defined(__aarch64__) || defined(__aarch32__) || defined(_M_ARM64)
-#  if defined(CRYPTOPP_ARM_NEON_HEADER)
+# if defined(__aarch32__) || defined(__aarch64__) || defined(_M_ARM64)
+#  if (CRYPTOPP_ARM_NEON_HEADER) || (CRYPTOPP_ARM_ASIMD_AVAILABLE)
 #   include 
 #  endif
 # endif
@@ -254,7 +254,7 @@ bool VerifyBufsEqual(const byte *buf, const byte *mask, size_t count)
 	for (size_t i=0; i
 inline T2 ModPowerOf2(const T1 &a, const T2 &b)
 {
 	CRYPTOPP_ASSERT(IsPowerOf2(b));
-	// Coverity finding CID 170383 Overflowed return value (INTEGER_OVERFLOW)
-	return T2(a) & SaturatingSubtract(b,1U);
+    // Coverity finding CID 170383 Overflowed return value (INTEGER_OVERFLOW)
+    // Visual Studio and /RTCc warning, https://docs.microsoft.com/en-us/cpp/build/reference/rtc-run-time-error-checks
+	return T2(a & SaturatingSubtract(b,1U));
 }
 
 /// \brief Rounds a value down to a multiple of a second value
@@ -2089,6 +2090,20 @@ inline word64 ByteReverse(word64 value)
 #endif
 }
 
+#if defined(CRYPTOPP_WORD128_AVAILABLE)
+/// \brief Reverses bytes in a 128-bit value
+/// \param value the 128-bit value to reverse
+/// \details ByteReverse calls bswap if available. Otherwise the function uses
+///  a combination of rotates on the word128.
+/// \note word128 is available on some 64-bit platforms when the compiler supports it.
+/// \since Crypto++ 8.7
+inline word128 ByteReverse(word128 value)
+{
+	// TODO: speed this up
+	return (word128(ByteReverse(word64(value))) << 64) | ByteReverse(word64(value>>64));
+}
+#endif
+
 /// \brief Reverses bits in a 8-bit value
 /// \param value the 8-bit value to reverse
 /// \details BitReverse performs a combination of shifts on the byte.
@@ -2158,6 +2173,8 @@ inline word64 BitReverse(word64 value)
 ///  Internally the size of T is checked, and then value is cast to a byte,
 ///  word16, word32 or word64. After the cast, the appropriate BitReverse
 ///  overload is called.
+/// \note word128 is available on some 64-bit platforms when the compiler supports it.
+/// \since Crypto++ 1.0, word128 since Crypto++ 8.7
 template 
 inline T BitReverse(T value)
 {
@@ -2169,6 +2186,10 @@ inline T BitReverse(T value)
 		return (T)BitReverse((word32)value);
 	else if (sizeof(T) == 8)
 		return (T)BitReverse((word64)value);
+#if defined(CRYPTOPP_WORD128_AVAILABLE)
+	else if (sizeof(T) == 16)
+		return (T)BitReverse((word128)value);
+#endif
 	else
 	{
 		CRYPTOPP_ASSERT(0);
@@ -2243,7 +2264,7 @@ void ByteReverse(T *out, const T *in, size_t byteCount)
 /// \param out the output array of elements
 /// \param in the input array of elements
 /// \param byteCount the byte count of the arrays
-/// \details Internally, ByteReverse visits each element in the in array
+/// \details ConditionalByteReverse visits each element in the in array
 ///  calls ByteReverse on it depending on the desired endianness, and writes the result to out.
 /// \details ByteReverse does not process tail byes, or bytes that are
 ///  not part of a full element. If T is int (and int is 4 bytes), then
@@ -2259,6 +2280,13 @@ inline void ConditionalByteReverse(ByteOrder order, T *out, const T *in, size_t
 		memcpy_s(out, byteCount, in, byteCount);
 }
 
+/// \brief Copy bytes in a buffer to an array of elements in big-endian order
+/// \tparam T the class or type
+/// \param order the ByteOrder of the data
+/// \param out the output array of elements
+/// \param outlen the byte count of the array
+/// \param in the input array of elements
+/// \param inlen the byte count of the array
 template 
 inline void GetUserKey(ByteOrder order, T *out, size_t outlen, const byte *in, size_t inlen)
 {
@@ -2269,28 +2297,59 @@ inline void GetUserKey(ByteOrder order, T *out, size_t outlen, const byte *in, s
 	ConditionalByteReverse(order, out, out, RoundUpToMultipleOf(inlen, U));
 }
 
-inline byte UnalignedGetWordNonTemplate(ByteOrder order, const byte *block, const byte *)
-{
-	CRYPTOPP_UNUSED(order);
+/// \brief Retrieve a byte from an unaligned buffer
+/// \param order the ByteOrder of the data
+/// \param block an unaligned buffer
+/// \param unused dummy parameter
+/// \return byte value
+/// \details UnalignedGetWordNonTemplate accesses an unaligned buffer and returns a byte value.
+/// \since Crypto++ 1.0
+inline byte UnalignedGetWordNonTemplate(ByteOrder order, const byte *block, const byte *unused)
+{
+	CRYPTOPP_UNUSED(order); CRYPTOPP_UNUSED(unused);
 	return block[0];
 }
 
-inline word16 UnalignedGetWordNonTemplate(ByteOrder order, const byte *block, const word16 *)
-{
+/// \brief Retrieve a word16 from an unaligned buffer
+/// \param order the ByteOrder of the data
+/// \param block an unaligned buffer
+/// \param unused dummy parameter
+/// \return byte value
+/// \details UnalignedGetWordNonTemplate accesses an unaligned buffer and returns a word16 value.
+/// \since Crypto++ 1.0
+inline word16 UnalignedGetWordNonTemplate(ByteOrder order, const byte *block, const word16 *unused)
+{
+	CRYPTOPP_UNUSED(unused);
 	return (order == BIG_ENDIAN_ORDER)
 		? block[1] | (block[0] << 8)
 		: block[0] | (block[1] << 8);
 }
 
-inline word32 UnalignedGetWordNonTemplate(ByteOrder order, const byte *block, const word32 *)
-{
+/// \brief Retrieve a word32 from an unaligned buffer
+/// \param order the ByteOrder of the data
+/// \param block an unaligned buffer
+/// \param unused dummy parameter
+/// \return byte value
+/// \details UnalignedGetWordNonTemplate accesses an unaligned buffer and returns a word32 value.
+/// \since Crypto++ 1.0
+inline word32 UnalignedGetWordNonTemplate(ByteOrder order, const byte *block, const word32 *unused)
+{
+	CRYPTOPP_UNUSED(unused);
 	return (order == BIG_ENDIAN_ORDER)
 		? word32(block[3]) | (word32(block[2]) << 8) | (word32(block[1]) << 16) | (word32(block[0]) << 24)
 		: word32(block[0]) | (word32(block[1]) << 8) | (word32(block[2]) << 16) | (word32(block[3]) << 24);
 }
 
-inline word64 UnalignedGetWordNonTemplate(ByteOrder order, const byte *block, const word64 *)
-{
+/// \brief Retrieve a word64 from an unaligned buffer
+/// \param order the ByteOrder of the data
+/// \param block an unaligned buffer
+/// \param unused dummy parameter
+/// \return byte value
+/// \details UnalignedGetWordNonTemplate accesses an unaligned buffer and returns a word64 value.
+/// \since Crypto++ 1.0
+inline word64 UnalignedGetWordNonTemplate(ByteOrder order, const byte *block, const word64 *unused)
+{
+	CRYPTOPP_UNUSED(unused);
 	return (order == BIG_ENDIAN_ORDER)
 		?
 		(word64(block[7]) |
@@ -2312,12 +2371,76 @@ inline word64 UnalignedGetWordNonTemplate(ByteOrder order, const byte *block, co
 		(word64(block[7]) << 56));
 }
 
+#if defined(CRYPTOPP_WORD128_AVAILABLE)
+/// \brief Retrieve a word128 from an unaligned buffer
+/// \param order the ByteOrder of the data
+/// \param block an unaligned buffer
+/// \param unused dummy parameter
+/// \return byte value
+/// \details UnalignedGetWordNonTemplate accesses an unaligned buffer and returns a word128 value.
+/// \note word128 is available on some 64-bit platforms when the compiler supports it.
+/// \since Crypto++ 8.7
+inline word128 UnalignedGetWordNonTemplate(ByteOrder order, const byte *block, const word128 *unused)
+{
+	CRYPTOPP_UNUSED(unused);
+	return (order == BIG_ENDIAN_ORDER)
+		?
+		(word128(block[15]) |
+		(word128(block[14]) <<   8) |
+		(word128(block[13]) <<  16) |
+		(word128(block[12]) <<  24) |
+		(word128(block[11]) <<  32) |
+		(word128(block[10]) <<  40) |
+		(word128(block[ 9]) <<  48) |
+		(word128(block[ 8]) <<  56) |
+		(word128(block[ 7]) <<  64) |
+		(word128(block[ 6]) <<  72) |
+		(word128(block[ 5]) <<  80) |
+		(word128(block[ 4]) <<  88) |
+		(word128(block[ 3]) <<  96) |
+		(word128(block[ 2]) << 104) |
+		(word128(block[ 1]) << 112) |
+		(word128(block[ 0]) << 120))
+		:
+		(word128(block[ 0]) |
+		(word128(block[ 1]) <<   8) |
+		(word128(block[ 2]) <<  16) |
+		(word128(block[ 3]) <<  24) |
+		(word128(block[ 4]) <<  32) |
+		(word128(block[ 5]) <<  40) |
+		(word128(block[ 6]) <<  48) |
+		(word128(block[ 7]) <<  56) |
+		(word128(block[ 8]) <<  64) |
+		(word128(block[ 9]) <<  72) |
+		(word128(block[10]) <<  80) |
+		(word128(block[11]) <<  88) |
+		(word128(block[12]) <<  96) |
+		(word128(block[13]) << 104) |
+		(word128(block[14]) << 112) |
+		(word128(block[15]) << 120));
+}
+#endif
+
+/// \brief Write a byte to an unaligned buffer
+/// \param order the ByteOrder of the data
+/// \param block an unaligned output buffer
+/// \param value byte value
+/// \param xorBlock optional unaligned xor buffer
+/// \details UnalignedbyteNonTemplate writes a byte value to an unaligned buffer.
+/// \since Crypto++ 1.0
 inline void UnalignedbyteNonTemplate(ByteOrder order, byte *block, byte value, const byte *xorBlock)
 {
 	CRYPTOPP_UNUSED(order);
 	block[0] = static_cast(xorBlock ? (value ^ xorBlock[0]) : value);
 }
 
+/// \brief Write a word16 to an unaligned buffer
+/// \param order the ByteOrder of the data
+/// \param block an unaligned output buffer
+/// \param value word16 value
+/// \param xorBlock optional unaligned xor buffer
+/// \details UnalignedbyteNonTemplate writes a word16 value to an unaligned buffer.
+/// \since Crypto++ 1.0
 inline void UnalignedbyteNonTemplate(ByteOrder order, byte *block, word16 value, const byte *xorBlock)
 {
 	if (order == BIG_ENDIAN_ORDER)
@@ -2348,6 +2471,13 @@ inline void UnalignedbyteNonTemplate(ByteOrder order, byte *block, word16 value,
 	}
 }
 
+/// \brief Write a word32 to an unaligned buffer
+/// \param order the ByteOrder of the data
+/// \param block an unaligned output buffer
+/// \param value word32 value
+/// \param xorBlock optional unaligned xor buffer
+/// \details UnalignedbyteNonTemplate writes a word32 value to an unaligned buffer.
+/// \since Crypto++ 1.0
 inline void UnalignedbyteNonTemplate(ByteOrder order, byte *block, word32 value, const byte *xorBlock)
 {
 	if (order == BIG_ENDIAN_ORDER)
@@ -2386,6 +2516,13 @@ inline void UnalignedbyteNonTemplate(ByteOrder order, byte *block, word32 value,
 	}
 }
 
+/// \brief Write a word64 to an unaligned buffer
+/// \param order the ByteOrder of the data
+/// \param block an unaligned output buffer
+/// \param value word64 value
+/// \param xorBlock optional unaligned xor buffer
+/// \details UnalignedbyteNonTemplate writes a word64 value to an unaligned buffer.
+/// \since Crypto++ 1.0
 inline void UnalignedbyteNonTemplate(ByteOrder order, byte *block, word64 value, const byte *xorBlock)
 {
 	if (order == BIG_ENDIAN_ORDER)
@@ -2440,6 +2577,106 @@ inline void UnalignedbyteNonTemplate(ByteOrder order, byte *block, word64 value,
 	}
 }
 
+#if defined(CRYPTOPP_WORD128_AVAILABLE)
+/// \brief Write a word128 to an unaligned buffer
+/// \param order the ByteOrder of the data
+/// \param block an unaligned output buffer
+/// \param value word128 value
+/// \param xorBlock optional unaligned xor buffer
+/// \details UnalignedbyteNonTemplate writes a word128 value to an unaligned buffer.
+/// \note word128 is available on some 64-bit platforms when the compiler supports it.
+/// \since Crypto++ 8.7
+inline void UnalignedbyteNonTemplate(ByteOrder order, byte *block, word128 value, const byte *xorBlock)
+{
+	if (order == BIG_ENDIAN_ORDER)
+	{
+		if (xorBlock)
+		{
+			block[0] = xorBlock[0] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 15);
+			block[1] = xorBlock[1] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 14);
+			block[2] = xorBlock[2] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 13);
+			block[3] = xorBlock[3] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 12);
+			block[4] = xorBlock[4] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 11);
+			block[5] = xorBlock[5] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 10);
+			block[6] = xorBlock[6] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value,  9);
+			block[7] = xorBlock[7] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value,  8);
+
+			block[ 8] = xorBlock[ 8] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 7);
+			block[ 9] = xorBlock[ 9] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 6);
+			block[10] = xorBlock[10] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 5);
+			block[11] = xorBlock[11] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 4);
+			block[12] = xorBlock[12] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 3);
+			block[13] = xorBlock[13] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 2);
+			block[14] = xorBlock[14] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 1);
+			block[15] = xorBlock[15] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 0);
+		}
+		else
+		{
+			block[0] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 15);
+			block[1] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 14);
+			block[2] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 13);
+			block[3] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 12);
+			block[4] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 11);
+			block[5] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 10);
+			block[6] = CRYPTOPP_GET_BYTE_AS_BYTE(value,  9);
+			block[7] = CRYPTOPP_GET_BYTE_AS_BYTE(value,  8);
+
+			block[ 8] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 7);
+			block[ 9] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 6);
+			block[10] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 5);
+			block[11] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 4);
+			block[12] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 3);
+			block[13] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 2);
+			block[14] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 1);
+			block[15] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 0);
+		}
+	}
+	else
+	{
+		if (xorBlock)
+		{
+			block[0] = xorBlock[0] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 0);
+			block[1] = xorBlock[1] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 1);
+			block[2] = xorBlock[2] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 2);
+			block[3] = xorBlock[3] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 3);
+			block[4] = xorBlock[4] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 4);
+			block[5] = xorBlock[5] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 5);
+			block[6] = xorBlock[6] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 6);
+			block[7] = xorBlock[7] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 7);
+
+			block[ 8] = xorBlock[ 8] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value,  8);
+			block[ 9] = xorBlock[ 9] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value,  9);
+			block[10] = xorBlock[10] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 10);
+			block[11] = xorBlock[11] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 11);
+			block[12] = xorBlock[12] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 12);
+			block[13] = xorBlock[13] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 13);
+			block[14] = xorBlock[14] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 14);
+			block[15] = xorBlock[15] ^ CRYPTOPP_GET_BYTE_AS_BYTE(value, 15);
+		}
+		else
+		{
+			block[0] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 0);
+			block[1] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 1);
+			block[2] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 2);
+			block[3] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 3);
+			block[4] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 4);
+			block[5] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 5);
+			block[6] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 6);
+			block[7] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 7);
+
+			block[ 8] = CRYPTOPP_GET_BYTE_AS_BYTE(value,  8);
+			block[ 9] = CRYPTOPP_GET_BYTE_AS_BYTE(value,  9);
+			block[10] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 10);
+			block[11] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 11);
+			block[12] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 12);
+			block[13] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 13);
+			block[14] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 14);
+			block[15] = CRYPTOPP_GET_BYTE_AS_BYTE(value, 15);
+		}
+	}
+}
+#endif
+
 /// \brief Access a block of memory
 /// \tparam T class or type
 /// \param assumeAligned flag indicating alignment
diff --git a/vendor/cryptopp/nbtheory.cpp b/vendor/cryptopp/nbtheory.cpp
index 36a30c2712..949bae5f96 100644
--- a/vendor/cryptopp/nbtheory.cpp
+++ b/vendor/cryptopp/nbtheory.cpp
@@ -847,7 +847,7 @@ Integer Lucas(const Integer &e, const Integer &pIn, const Integer &n)
 	return m.ConvertOut(v);
 }
 
-// This is Peter Montgomery's unpublished Lucas sequence evalutation algorithm.
+// This is Peter Montgomery's unpublished Lucas sequence evaluation algorithm.
 // The total number of multiplies and squares used is less than the binary
 // algorithm (see above).  Unfortunately I can't get it to run as fast as
 // the binary algorithm because of the extra overhead.
diff --git a/vendor/cryptopp/oids.h b/vendor/cryptopp/oids.h
index 7d09a79374..936f68b2f6 100644
--- a/vendor/cryptopp/oids.h
+++ b/vendor/cryptopp/oids.h
@@ -1,7 +1,7 @@
 // oids.h - originally written and placed in the public domain by Wei Dai
 
 /// \file oids.h
-/// \brief ASN.1 object identifiers for algorthms and schemes
+/// \brief ASN.1 object identifiers for algorithms and schemes
 /// \details Most OIDs can be found at http://www.oid-info.com/. The Chinese OIDs
 ///   are assigned in GM/T 0006-2012, Cryptographic Application Identifier Criterion
 ///   Specification. A reproduction can be found at http://gmssl.org/docs/oid.html.
diff --git a/vendor/cryptopp/osrng.cpp b/vendor/cryptopp/osrng.cpp
index 7ab61e6b42..500e8e6986 100644
--- a/vendor/cryptopp/osrng.cpp
+++ b/vendor/cryptopp/osrng.cpp
@@ -21,6 +21,29 @@
 #include "osrng.h"
 #include "rng.h"
 
+// FreeBSD links /dev/urandom -> /dev/random. It showed up when we added
+// O_NOFOLLOW to harden the non-blocking generator. Use Arc4Random instead
+// for a non-blocking generator. Arc4Random is cryptograhic quality prng
+// based on ChaCha20. The ChaCha20 generator is seeded from /dev/random,
+// so we can't completely avoid the blocking.
+// https://www.freebsd.org/cgi/man.cgi?query=arc4random_buf.
+#ifdef __FreeBSD__
+# define DONT_USE_O_NOFOLLOW 1
+# define USE_FREEBSD_ARC4RANDOM 1
+# include 
+#endif
+
+// Solaris links /dev/urandom -> ../devices/pseudo/random@0:urandom
+// We can't access the device. Avoid O_NOFOLLOW for the platform.
+#ifdef __sun
+# define DONT_USE_O_NOFOLLOW 1
+#endif
+
+// And other OSes that don't define it
+#ifndef O_NOFOLLOW
+# define DONT_USE_O_NOFOLLOW 1
+#endif
+
 #ifdef CRYPTOPP_WIN32_AVAILABLE
 #define WIN32_LEAN_AND_MEAN
 #include 
@@ -133,19 +156,23 @@ MicrosoftCryptoProvider::~MicrosoftCryptoProvider()
 
 NonblockingRng::NonblockingRng()
 {
-#ifndef CRYPTOPP_WIN32_AVAILABLE
-	m_fd = open("/dev/urandom",O_RDONLY);
+#if !defined(CRYPTOPP_WIN32_AVAILABLE) && !defined(USE_FREEBSD_ARC4RANDOM)
+# ifndef DONT_USE_O_NOFOLLOW
+	const int flags = O_RDONLY|O_NOFOLLOW;
+# else
+	const int flags = O_RDONLY;
+# endif
+
+	m_fd = open("/dev/urandom", flags);
 	if (m_fd == -1)
 		throw OS_RNG_Err("open /dev/urandom");
 
-	// Do some OSes return -NNN instead of -1?
-	CRYPTOPP_ASSERT(m_fd >= 0);
 #endif
 }
 
 NonblockingRng::~NonblockingRng()
 {
-#ifndef CRYPTOPP_WIN32_AVAILABLE
+#if !defined(CRYPTOPP_WIN32_AVAILABLE) && !defined(USE_FREEBSD_ARC4RANDOM)
 	close(m_fd);
 #endif
 }
@@ -189,6 +216,12 @@ void NonblockingRng::GenerateBlock(byte *output, size_t size)
 	}
 # endif
 #else
+
+# if defined(USE_FREEBSD_ARC4RANDOM)
+	// Cryptographic quality prng based on ChaCha20,
+	// https://www.freebsd.org/cgi/man.cgi?query=arc4random_buf
+	arc4random_buf(output, size);
+# else
 	while (size)
 	{
 		ssize_t len = read(m_fd, output, size);
@@ -200,10 +233,11 @@ void NonblockingRng::GenerateBlock(byte *output, size_t size)
 
 			continue;
 		}
-
 		output += len;
 		size -= len;
 	}
+# endif  // USE_FREEBSD_ARC4RANDOM
+
 #endif  // CRYPTOPP_WIN32_AVAILABLE
 }
 
@@ -214,21 +248,24 @@ void NonblockingRng::GenerateBlock(byte *output, size_t size)
 #ifdef BLOCKING_RNG_AVAILABLE
 
 #ifndef CRYPTOPP_BLOCKING_RNG_FILENAME
-#ifdef __OpenBSD__
-#define CRYPTOPP_BLOCKING_RNG_FILENAME "/dev/srandom"
-#else
-#define CRYPTOPP_BLOCKING_RNG_FILENAME "/dev/random"
-#endif
+# ifdef __OpenBSD__
+#  define CRYPTOPP_BLOCKING_RNG_FILENAME "/dev/srandom"
+# else
+#  define CRYPTOPP_BLOCKING_RNG_FILENAME "/dev/random"
+# endif
 #endif
 
 BlockingRng::BlockingRng()
 {
-	m_fd = open(CRYPTOPP_BLOCKING_RNG_FILENAME,O_RDONLY);
+#ifndef DONT_USE_O_NOFOLLOW
+	const int flags = O_RDONLY|O_NOFOLLOW;
+#else
+	const int flags = O_RDONLY;
+#endif
+
+	m_fd = open(CRYPTOPP_BLOCKING_RNG_FILENAME, flags);
 	if (m_fd == -1)
 		throw OS_RNG_Err("open " CRYPTOPP_BLOCKING_RNG_FILENAME);
-
-	// Do some OSes return -NNN instead of -1?
-	CRYPTOPP_ASSERT(m_fd >= 0);
 }
 
 BlockingRng::~BlockingRng()
diff --git a/vendor/cryptopp/poly1305.h b/vendor/cryptopp/poly1305.h
index 194569f028..19e712bd3f 100644
--- a/vendor/cryptopp/poly1305.h
+++ b/vendor/cryptopp/poly1305.h
@@ -2,7 +2,7 @@
 //              Based on Andy Polyakov's Base-2^26 scalar multiplication implementation.
 //              For more information, see https://www.openssl.org/~appro/cryptogams/.
 
-// The library added Bernstein's Poly1305 classses at Crypto++ 6.0. The IETF
+// The library added Bernstein's Poly1305 classes at Crypto++ 6.0. The IETF
 // uses a slightly different implementation than Bernstein, and the IETF
 // classes were added at Crypto++ 8.1. We wanted to maintain ABI compatibility
 // at the 8.1 release so the original Poly1305 classes were not disturbed.
diff --git a/vendor/cryptopp/ppc_power7.cpp b/vendor/cryptopp/power7_ppc.cpp
similarity index 100%
rename from vendor/cryptopp/ppc_power7.cpp
rename to vendor/cryptopp/power7_ppc.cpp
diff --git a/vendor/cryptopp/ppc_power8.cpp b/vendor/cryptopp/power8_ppc.cpp
similarity index 61%
rename from vendor/cryptopp/ppc_power8.cpp
rename to vendor/cryptopp/power8_ppc.cpp
index 738ceb46ce..68ad531e49 100644
--- a/vendor/cryptopp/ppc_power8.cpp
+++ b/vendor/cryptopp/power8_ppc.cpp
@@ -43,12 +43,12 @@ bool CPU_ProbePower8()
 {
 #if defined(CRYPTOPP_NO_CPU_FEATURE_PROBES)
     return false;
-#elif (_ARCH_PWR8) && defined(CRYPTOPP_POWER8_AVAILABLE)
+#elif defined(CRYPTOPP_POWER8_AVAILABLE)
 # if defined(CRYPTOPP_GNU_STYLE_INLINE_ASSEMBLY)
 
     // longjmp and clobber warnings. Volatile is required.
     // http://github.com/weidai11/cryptopp/issues/24 and http://stackoverflow.com/q/7721854
-    volatile int result = true;
+    volatile int result = false;
 
     volatile SigHandler oldHandler = signal(SIGILL, SigIllHandler);
     if (oldHandler == SIG_ERR)
@@ -65,25 +65,16 @@ bool CPU_ProbePower8()
         result = false;
     else
     {
-        // POWER8 added 64-bit SIMD operations
-        const word64 x = W64LIT(0xffffffffffffffff);
-        word64 w1[2] = {x, x}, w2[2] = {4, 6}, w3[2];
-
-        // Specifically call the VSX loads and stores with 64-bit types
-        #if defined(__ibmxl__) || (defined(_AIX) && defined(__xlC__)) || defined(__clang__)
-        const uint64x2_p v1 = vec_xl(0, (unsigned long long*)w1);
-        const uint64x2_p v2 = vec_xl(0, (unsigned long long*)w2);
-        const uint64x2_p v3 = vec_add(v1, v2);  // 64-bit add
-        vec_xst(v3, 0, (unsigned long long*)w3);
-        #else
-        const uint64x2_p v1 = (uint64x2_p)vec_vsx_ld(0, (const byte*)w1);
-        const uint64x2_p v2 = (uint64x2_p)vec_vsx_ld(0, (const byte*)w2);
-        const uint64x2_p v3 = vec_add(v1, v2);  // 64-bit add
-        vec_vsx_st((uint8x16_p)v3, 0, (byte*)w3);
-        #endif
-
-        // Relies on integer wrap
-        result = (w3[0] == 3 && w3[1] == 5);
+        // This is 64-bit add "vaddudm v0, v1, v0" from POWER8. We cannot use
+        // vec_add because GCC uses POWER8 instructions outside this SIGILL block.
+        // https://github.com/weidai11/cryptopp/issues/1112 and
+        // https://github.com/weidai11/cryptopp/issues/1115.
+#if CRYPTOPP_BIG_ENDIAN
+        __asm__ __volatile__ (".byte 0x10, 0x01, 0x00, 0xc0  \n\t" : : : "v0");
+#else
+        __asm__ __volatile__ (".byte 0xc0, 0x00, 0x01, 0x10  \n\t" : : : "v0");
+#endif
+        result = true;
     }
 
     sigprocmask(SIG_SETMASK, (sigset_t*)&oldMask, NULLPTR);
@@ -95,16 +86,58 @@ bool CPU_ProbePower8()
 #endif  // _ARCH_PWR8
 }
 
+///////////
+bool CPU_ProbePMULL()
+{
+#if defined(CRYPTOPP_NO_CPU_FEATURE_PROBES)
+    return false;
+#elif (CRYPTOPP_POWER8_VMULL_AVAILABLE)
+    // longjmp and clobber warnings. Volatile is required.
+    volatile bool result = false;
+
+    volatile SigHandler oldHandler = signal(SIGILL, SigIllHandler);
+    if (oldHandler == SIG_ERR)
+        return false;
+
+    volatile sigset_t oldMask;
+    if (sigprocmask(0, NULLPTR, (sigset_t*)&oldMask))
+    {
+        signal(SIGILL, oldHandler);
+        return false;
+    }
+
+    if (setjmp(s_jmpSIGILL))
+        result = false;
+    else
+    {
+        // This is VMULL 'vpmsumd v0,v0,v1'
+#if CRYPTOPP_BIG_ENDIAN
+        __asm__ __volatile__ (".byte 0x10, 0x00, 0x0c, 0xc8  \n\t" : : : "v0");
+#else
+        __asm__ __volatile__ (".byte 0xc8, 0x0c, 0x00, 0x10  \n\t" : : : "v0");
+#endif
+        result = true;
+    }
+
+    sigprocmask(SIG_SETMASK, (sigset_t*)&oldMask, NULLPTR);
+    signal(SIGILL, oldHandler);
+    return result;
+#else
+    return false;
+#endif  // CRYPTOPP_POWER8_VMULL_AVAILABLE
+}
+///////////
+
 bool CPU_ProbeAES()
 {
 #if defined(CRYPTOPP_NO_CPU_FEATURE_PROBES)
     return false;
-#elif (__CRYPTO__) && defined(CRYPTOPP_POWER8_AES_AVAILABLE)
+#elif defined(CRYPTOPP_POWER8_AES_AVAILABLE)
 # if defined(CRYPTOPP_GNU_STYLE_INLINE_ASSEMBLY)
 
     // longjmp and clobber warnings. Volatile is required.
     // http://github.com/weidai11/cryptopp/issues/24 and http://stackoverflow.com/q/7721854
-    volatile int result = true;
+    volatile int result = false;
 
     volatile SigHandler oldHandler = signal(SIGILL, SigIllHandler);
     if (oldHandler == SIG_ERR)
@@ -121,21 +154,15 @@ bool CPU_ProbeAES()
         result = false;
     else
     {
-        byte key[16] = {0xA0, 0xFA, 0xFE, 0x17, 0x88, 0x54, 0x2c, 0xb1,
-                        0x23, 0xa3, 0x39, 0x39, 0x2a, 0x6c, 0x76, 0x05};
-        byte state[16] = {0x19, 0x3d, 0xe3, 0xb3, 0xa0, 0xf4, 0xe2, 0x2b,
-                          0x9a, 0xc6, 0x8d, 0x2a, 0xe9, 0xf8, 0x48, 0x08};
-        byte r[16] = {255}, z[16] = {};
-
-        uint8x16_p k = (uint8x16_p)VecLoad(0, key);
-        uint8x16_p s = (uint8x16_p)VecLoad(0, state);
-        s = VecEncrypt(s, k);
-        s = VecEncryptLast(s, k);
-        s = VecDecrypt(s, k);
-        s = VecDecryptLast(s, k);
-        VecStore(s, r);
-
-        result = (0 != std::memcmp(r, z, 16));
+        // This is AES 'vcipher v0,v0,v1' followed by 'vcipherlast v0,v0,v1'
+#if CRYPTOPP_BIG_ENDIAN
+        __asm__ __volatile__ (".byte 0x10, 0x00, 0x0d, 0x08  \n\t"
+                              ".byte 0x10, 0x00, 0x0d, 0x09  \n\t" : : : "v0");
+#else
+        __asm__ __volatile__ (".byte 0x08, 0x0d, 0x00, 0x10  \n\t"
+                              ".byte 0x09, 0x0d, 0x00, 0x10  \n\t" : : : "v0");
+#endif
+        result = true;
     }
 
     sigprocmask(SIG_SETMASK, (sigset_t*)&oldMask, NULLPTR);
@@ -151,7 +178,7 @@ bool CPU_ProbeSHA256()
 {
 #if defined(CRYPTOPP_NO_CPU_FEATURE_PROBES)
     return false;
-#elif (__CRYPTO__) && defined(CRYPTOPP_POWER8_SHA_AVAILABLE)
+#elif defined(CRYPTOPP_POWER8_SHA_AVAILABLE)
 # if defined(CRYPTOPP_GNU_STYLE_INLINE_ASSEMBLY)
 
     // longjmp and clobber warnings. Volatile is required.
@@ -173,16 +200,13 @@ bool CPU_ProbeSHA256()
         result = false;
     else
     {
-        byte r[16], z[16] = {0};
-        uint8x16_p x = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
-
-        x = VecSHA256<0,0>(x);
-        x = VecSHA256<0,0xf>(x);
-        x = VecSHA256<1,0>(x);
-        x = VecSHA256<1,0xf>(x);
-        VecStore(x, r);
-
-        result = (0 == std::memcmp(r, z, 16));
+        // This is SHA-256 'vshasigmaw v0,v0,1,15'.
+#if CRYPTOPP_BIG_ENDIAN
+        __asm__ __volatile__ (".byte 0x10, 0x00, 0xfe, 0x82  \n\t" : : : "v0");
+#else
+        __asm__ __volatile__ (".byte 0x82, 0xfe, 0x00, 0x10  \n\t" : : : "v0");
+#endif
+        result = true;
     }
 
     sigprocmask(SIG_SETMASK, (sigset_t*)&oldMask, NULLPTR);
@@ -198,7 +222,7 @@ bool CPU_ProbeSHA512()
 {
 #if defined(CRYPTOPP_NO_CPU_FEATURE_PROBES)
     return false;
-#elif (__CRYPTO__) && defined(CRYPTOPP_POWER8_SHA_AVAILABLE)
+#elif defined(CRYPTOPP_POWER8_SHA_AVAILABLE)
 # if defined(CRYPTOPP_GNU_STYLE_INLINE_ASSEMBLY)
 
     // longjmp and clobber warnings. Volatile is required.
@@ -220,16 +244,13 @@ bool CPU_ProbeSHA512()
         result = false;
     else
     {
-        byte r[16], z[16] = {0};
-        uint8x16_p x = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
-
-        x = VecSHA512<0,0>(x);
-        x = VecSHA512<0,0xf>(x);
-        x = VecSHA512<1,0>(x);
-        x = VecSHA512<1,0xf>(x);
-        VecStore(x, r);
-
-        result = (0 == std::memcmp(r, z, 16));
+        // This is SHA-512 'vshasigmad v0,v0,1,15'.
+#if CRYPTOPP_BIG_ENDIAN
+        __asm__ __volatile__ (".byte 0x10, 0x00, 0xfe, 0xc2  \n\t" : : : "v0");
+#else
+        __asm__ __volatile__ (".byte 0xc2, 0xfe, 0x00, 0x10  \n\t" : : : "v0");
+#endif
+        result = true;
     }
 
     sigprocmask(SIG_SETMASK, (sigset_t*)&oldMask, NULLPTR);
diff --git a/vendor/cryptopp/ppc_power9.cpp b/vendor/cryptopp/power9_ppc.cpp
similarity index 100%
rename from vendor/cryptopp/ppc_power9.cpp
rename to vendor/cryptopp/power9_ppc.cpp
diff --git a/vendor/cryptopp/ppc_simd.h b/vendor/cryptopp/ppc_simd.h
index fdd02d22fd..a5297cf1b1 100644
--- a/vendor/cryptopp/ppc_simd.h
+++ b/vendor/cryptopp/ppc_simd.h
@@ -4,8 +4,8 @@
 /// \brief Support functions for PowerPC and vector operations
 /// \details This header provides an agnostic interface into Clang, GCC
 ///  and IBM XL C/C++ compilers modulo their different built-in functions
-///  for accessing vector intructions.
-/// \details The abstractions are necesssary to support back to GCC 4.8 and
+///  for accessing vector instructions.
+/// \details The abstractions are necessary to support back to GCC 4.8 and
 ///  XLC 11 and 12. GCC 4.8 and 4.9 are still popular, and they are the
 ///  default compiler for GCC112, GCC119 and others on the compile farm.
 ///  Older IBM XL C/C++ compilers also have the need due to lack of
@@ -300,7 +300,7 @@ inline T VecReverseBE(const T data)
 ///  of src is aligned. If unaligned it uses vec_lvsl,
 ///  vec_ld, vec_perm and src. The fixups using
 ///  vec_lvsl and vec_perm are relatively expensive so
-///  you should provide aligned memory adresses.
+///  you should provide aligned memory addresses.
 /// \par Wraps
 ///  vec_ld, vec_lvsl, vec_perm
 /// \sa VecLoad, VecLoadAligned
@@ -331,7 +331,7 @@ inline uint32x4_p VecLoad_ALTIVEC(const byte src[16])
 ///  of src is aligned. If unaligned it uses vec_lvsl,
 ///  vec_ld, vec_perm and src.
 /// \details The fixups using vec_lvsl and vec_perm are
-///  relatively expensive so you should provide aligned memory adresses.
+///  relatively expensive so you should provide aligned memory addresses.
 /// \par Wraps
 ///  vec_ld, vec_lvsl, vec_perm
 /// \sa VecLoad, VecLoadAligned
@@ -806,7 +806,7 @@ inline uint32x4_p VecLoadBE(int off, const byte src[16])
 /// \details VecStore_ALTIVEC() uses vec_st if the effective address
 ///  of dest is aligned, and uses vec_ste otherwise.
 ///  vec_ste is relatively expensive so you should provide aligned
-///  memory adresses.
+///  memory addresses.
 /// \details VecStore_ALTIVEC() is used when POWER7 or above
 ///  and unaligned loads is not available.
 /// \par Wraps
@@ -846,7 +846,7 @@ inline void VecStore_ALTIVEC(const T data, byte dest[16])
 /// \details VecStore_ALTIVEC() uses vec_st if the effective address
 ///  of dest is aligned, and uses vec_ste otherwise.
 ///  vec_ste is relatively expensive so you should provide aligned
-///  memory adresses.
+///  memory addresses.
 /// \details VecStore_ALTIVEC() is used when POWER7 or above
 ///  and unaligned loads is not available.
 /// \par Wraps
diff --git a/vendor/cryptopp/premake5.lua b/vendor/cryptopp/premake5.lua
index 411a0ae815..cbf1212ea1 100644
--- a/vendor/cryptopp/premake5.lua
+++ b/vendor/cryptopp/premake5.lua
@@ -133,9 +133,9 @@ project "cryptopp"
 		"pkcspad.cpp",
 		"poly1305.cpp",
 		"polynomi.cpp",
-		"ppc_power7.cpp",
-		"ppc_power8.cpp",
-		"ppc_power9.cpp",
+		"power7_ppc.cpp",
+		"power8_ppc.cpp",
+		"power9_ppc.cpp",
 		"ppc_simd.cpp",
 		"pssr.cpp",
 		"pubkey.cpp",
diff --git a/vendor/cryptopp/pubkey.h b/vendor/cryptopp/pubkey.h
index e51701ea1c..bdfeef42a6 100644
--- a/vendor/cryptopp/pubkey.h
+++ b/vendor/cryptopp/pubkey.h
@@ -2,7 +2,7 @@
 
 /// \file pubkey.h
 /// \brief This file contains helper classes/functions for implementing public key algorithms.
-/// \details The class hierachies in this header file tend to look like this:
+/// \details The class hierarchies in this header file tend to look like this:
 ///
 /// 
     ///                   x1
@@ -20,12 +20,12 @@
 /// 
    
 ///
 /// 
      
-///   
    • x1, y1, z1 are abstract interface classes defined in cryptlib.h
-///   
    • x2, y2, z2 are implementations of the interfaces using "abstract policies", which
-///       are pure virtual functions that should return interfaces to interchangeable algorithms.
-///       These classes have Base suffixes.
-///   
    • x3, y3, z3 hold actual algorithms and implement those virtual functions.
-///       These classes have Impl suffixes.
+///  
    • x1, y1, z1 are abstract interface classes defined in cryptlib.h
+///  
    • x2, y2, z2 are implementations of the interfaces using "abstract policies", which
+///      are pure virtual functions that should return interfaces to interchangeable algorithms.
+///      These classes have Base suffixes.
+///  
    • x3, y3, z3 hold actual algorithms and implement those virtual functions.
+///      These classes have Impl suffixes.
 /// 
    
 ///
 /// \details The TF_ prefix means an implementation using trapdoor functions on integers.
@@ -78,16 +78,16 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE TrapdoorFunctionBounds
 	/// \return the maximum size of a message before the trapdoor function is applied
 	/// \details Derived classes must implement PreimageBound().
 	virtual Integer PreimageBound() const =0;
-	/// \brief Returns the maximum size of a message after the trapdoor function is applied
-	/// \return the maximum size of a message after the trapdoor function is applied
+	/// \brief Returns the maximum size of a representation after the trapdoor function is applied
+	/// \return the maximum size of a representation after the trapdoor function is applied
 	/// \details Derived classes must implement ImageBound().
 	virtual Integer ImageBound() const =0;
 	/// \brief Returns the maximum size of a message before the trapdoor function is applied bound to a public key
 	/// \return the maximum size of a message before the trapdoor function is applied bound to a public key
 	/// \details The default implementation returns PreimageBound() - 1.
 	virtual Integer MaxPreimage() const {return --PreimageBound();}
-	/// \brief Returns the maximum size of a message after the trapdoor function is applied bound to a public key
-	/// \return the maximum size of a message after the trapdoor function is applied bound to a public key
+	/// \brief Returns the maximum size of a representation after the trapdoor function is applied bound to a public key
+	/// \return the maximum size of a representation after the trapdoor function is applied bound to a public key
 	/// \details The default implementation returns ImageBound() - 1.
 	virtual Integer MaxImage() const {return --ImageBound();}
 };
@@ -107,8 +107,8 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE RandomizedTrapdoorFunction : public Trapdo
 	/// \param x the message on which the encryption function is applied
 	/// \return the message x encrypted under the public key
 	/// \details ApplyRandomizedFunction is a generalization of encryption under a public key
-	///   cryptosystem. The RandomNumberGenerator may (or may not) be required.
-	///   Derived classes must implement it.
+	///  cryptosystem. The RandomNumberGenerator may (or may not) be required.
+	///  Derived classes must implement it.
 	virtual Integer ApplyRandomizedFunction(RandomNumberGenerator &rng, const Integer &x) const =0;
 
 	/// \brief Determines if the encryption algorithm is randomized
@@ -119,7 +119,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE RandomizedTrapdoorFunction : public Trapdo
 
 /// \brief Applies the trapdoor function
 /// \details ApplyFunction() is the foundation for encrypting a message under a public key.
-///   Derived classes will override it at some point.
+///  Derived classes will override it at some point.
 /// \sa TrapdoorFunctionBounds(), RandomizedTrapdoorFunction(), TrapdoorFunction(),
 ///  RandomizedTrapdoorFunctionInverse() and TrapdoorFunctionInverse()
 class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE TrapdoorFunction : public RandomizedTrapdoorFunction
@@ -131,8 +131,8 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE TrapdoorFunction : public RandomizedTrapdo
 	/// \param rng a RandomNumberGenerator derived class
 	/// \param x the message on which the encryption function is applied
 	/// \details ApplyRandomizedFunction is a generalization of encryption under a public key
-	///   cryptosystem. The RandomNumberGenerator may (or may not) be required.
-	/// \details Internally, ApplyRandomizedFunction() calls ApplyFunction() \a
+	///  cryptosystem. The RandomNumberGenerator may (or may not) be required.
+	/// \details Internally, ApplyRandomizedFunction() calls ApplyFunction()
 	///  without the RandomNumberGenerator.
 	Integer ApplyRandomizedFunction(RandomNumberGenerator &rng, const Integer &x) const
 		{CRYPTOPP_UNUSED(rng); return ApplyFunction(x);}
@@ -142,7 +142,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE TrapdoorFunction : public RandomizedTrapdo
 	/// \param x the message on which the encryption function is applied
 	/// \return the message x encrypted under the public key
 	/// \details ApplyFunction is a generalization of encryption under a public key
-	///   cryptosystem. Derived classes must implement it.
+	///  cryptosystem. Derived classes must implement it.
 	virtual Integer ApplyFunction(const Integer &x) const =0;
 };
 
@@ -161,7 +161,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE RandomizedTrapdoorFunctionInverse
 	/// \param x the message on which the decryption function is applied
 	/// \return the message x decrypted under the private key
 	/// \details CalculateRandomizedInverse is a generalization of decryption using the private key
-	///   The RandomNumberGenerator may (or may not) be required. Derived classes must implement it.
+	///  The RandomNumberGenerator may (or may not) be required. Derived classes must implement it.
 	virtual Integer CalculateRandomizedInverse(RandomNumberGenerator &rng, const Integer &x) const =0;
 
 	/// \brief Determines if the decryption algorithm is randomized
@@ -185,7 +185,7 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE TrapdoorFunctionInverse : public Randomize
 	/// \param x the message on which the decryption function is applied
 	/// \return the message x decrypted under the private key
 	/// \details CalculateRandomizedInverse is a generalization of decryption using the private key
-	/// \details Internally, CalculateRandomizedInverse() calls CalculateInverse() \a
+	/// \details Internally, CalculateRandomizedInverse() calls CalculateInverse()
 	///  without the RandomNumberGenerator.
 	Integer CalculateRandomizedInverse(RandomNumberGenerator &rng, const Integer &x) const
 		{return CalculateInverse(rng, x);}
@@ -872,7 +872,7 @@ class CRYPTOPP_NO_VTABLE DL_GroupParameters : public CryptoParameters
 	}
 
 	/// \brief Exponentiates an element
-	/// \param base the base elemenet
+	/// \param base the base element
 	/// \param exponent the exponent to raise the base
 	/// \return the result of the exponentiation
 	/// \details Internally, ExponentiateElement() calls SimultaneousExponentiate().
diff --git a/vendor/cryptopp/queue.cpp b/vendor/cryptopp/queue.cpp
index a188b445b3..f7c680ab6a 100644
--- a/vendor/cryptopp/queue.cpp
+++ b/vendor/cryptopp/queue.cpp
@@ -255,7 +255,7 @@ size_t ByteQueue::Put2(const byte *inString, size_t length, int messageEnd, bool
 
 void ByteQueue::CleanupUsedNodes()
 {
-	// Test for m_head due to Enterprise Anlysis finding
+	// Test for m_head due to Enterprise Analysis finding
 	while (m_head && m_head != m_tail && m_head->UsedUp())
 	{
 		ByteQueueNode *temp=m_head;
@@ -263,7 +263,7 @@ void ByteQueue::CleanupUsedNodes()
 		delete temp;
 	}
 
-	// Test for m_head due to Enterprise Anlysis finding
+	// Test for m_head due to Enterprise Analysis finding
 	if (m_head && m_head->CurrentSize() == 0)
 		m_head->Clear();
 }
diff --git a/vendor/cryptopp/randpool.cpp b/vendor/cryptopp/randpool.cpp
index 00fefa7c3e..d378f78535 100644
--- a/vendor/cryptopp/randpool.cpp
+++ b/vendor/cryptopp/randpool.cpp
@@ -105,7 +105,7 @@ void OldRandomPool::IncorporateEntropy(const byte *input, size_t length)
 	}
 }
 
-// GenerateWord32 is overriden and provides Crypto++ 5.4 behavior.
+// GenerateWord32 is overridden and provides Crypto++ 5.4 behavior.
 // Taken from RandomNumberGenerator::GenerateWord32 in cryptlib.cpp.
 word32 OldRandomPool::GenerateWord32 (word32 min, word32 max)
 {
diff --git a/vendor/cryptopp/randpool.h b/vendor/cryptopp/randpool.h
index b261f38ac6..51227c350c 100644
--- a/vendor/cryptopp/randpool.h
+++ b/vendor/cryptopp/randpool.h
@@ -87,7 +87,7 @@ class CRYPTOPP_DLL OldRandomPool : public RandomNumberGenerator
 	byte GenerateByte();
 	void GenerateBlock(byte *output, size_t size);
 
-	// GenerateWord32 is overriden and provides Crypto++ 5.4 behavior.
+	// GenerateWord32 is overridden and provides Crypto++ 5.4 behavior.
 	// Taken from RandomNumberSource::GenerateWord32 in cryptlib.cpp.
 	word32 GenerateWord32 (word32 min=0, word32 max=0xffffffffUL);
 
diff --git a/vendor/cryptopp/rdrand.cpp b/vendor/cryptopp/rdrand.cpp
index ab4d2a56ef..2444cfd10d 100644
--- a/vendor/cryptopp/rdrand.cpp
+++ b/vendor/cryptopp/rdrand.cpp
@@ -12,12 +12,12 @@
 //   to select an implementation or throws "NotImplemented". Users of the
 //   classes should call HasRDRAND() or HasRDSEED() to determine if a
 //   generator is available at runtime.
-// The original classes accepted a retry count. Retries were superflous for
+// The original classes accepted a retry count. Retries were superfluous for
 //   RDRAND, and RDSEED encountered a failure about 1 in 256 bytes depending
 //   on the processor. Retries were removed at Crypto++ 6.0 because
 //   GenerateBlock unconditionally retries and always fulfills the request.
 // Intel recommends using a retry count in case RDRAND or RDSEED circuit
-//   is bad. This implemenation does not follow the advice and requires
+//   is bad. This implementation does not follow the advice and requires
 //   good silicon. If the circuit or processor is bad then the user has
 //   bigger problems than generating random numbers.
 
diff --git a/vendor/cryptopp/rdrand.h b/vendor/cryptopp/rdrand.h
index 02aaf82011..d1f3c4129e 100644
--- a/vendor/cryptopp/rdrand.h
+++ b/vendor/cryptopp/rdrand.h
@@ -14,7 +14,7 @@
 //   to select an implementation or "throw NotImplemented". At runtime the
 //   constructor will throw RDRAND_Err or RDSEED_Err if a generator is
 //   is not available.
-// The original classes accepted a retry count. Retries were superflous for
+// The original classes accepted a retry count. Retries were superfluous for
 //   RDRAND, and RDSEED encountered a failure about 1 in 256 bytes depending
 //   on the processor. Retries were removed at Crypto++ 6.0 because
 //   GenerateBlock unconditionally retries and always fulfills the request.
@@ -107,7 +107,7 @@ class RDSEED : public RandomNumberGenerator
     virtual ~RDSEED() {}
 
     /// \brief Construct a RDSEED generator
-    /// \details Empirical testing under a 6th generaton i7 (6200U) shows RDSEED fails
+    /// \details Empirical testing under a 6th generation i7 (6200U) shows RDSEED fails
     ///   to fulfill requests at about once every for every 256 bytes requested.
     ///   The generator runs about 4 times slower than RDRAND.
      /// \throw RDSEED_Err if the random number generator is not available
diff --git a/vendor/cryptopp/rijndael.cpp b/vendor/cryptopp/rijndael.cpp
index 6c9ae8c203..3e490ad5af 100644
--- a/vendor/cryptopp/rijndael.cpp
+++ b/vendor/cryptopp/rijndael.cpp
@@ -88,10 +88,9 @@ being unloaded from L1 cache, until that round is finished.
 #include "misc.h"
 #include "cpu.h"
 
-// VS2017 and global optimization bug. TODO, figure out when
-// we can re-enable full optimizations for VS2017. Also see
+// VS2017 and global optimization bug. Also see
 // https://github.com/weidai11/cryptopp/issues/649
-#if (_MSC_VER >= 1910)
+#if (_MSC_VER >= 1910) && (_MSC_VER < 1916)
 # ifndef CRYPTOPP_DEBUG
 #  pragma optimize("", off)
 #  pragma optimize("ts", on)
@@ -136,7 +135,7 @@ ANONYMOUS_NAMESPACE_BEGIN
 //   with the same 4k block offsets as the Te table. Logically,
 //   the code is trying to create the condition:
 //
-// Two sepearate memory pages:
+// Two separate memory pages:
 //
 //  +-----+   +-----+
 //  |XXXXX|   |YYYYY|
diff --git a/vendor/cryptopp/rng.h b/vendor/cryptopp/rng.h
index 16d5b694e6..74456acb6e 100644
--- a/vendor/cryptopp/rng.h
+++ b/vendor/cryptopp/rng.h
@@ -17,7 +17,7 @@ NAMESPACE_BEGIN(CryptoPP)
 
 /// \brief Linear Congruential Generator (LCG)
 /// \details Originally propsed by William S. England.
-/// \warning LC_RNG is suitable for simulations, where uniformaly distrubuted numbers are
+/// \warning LC_RNG is suitable for simulations, where uniformaly distributed numbers are
 ///  required quickly. It should not be used for cryptographic purposes.
 class LC_RNG : public RandomNumberGenerator
 {
diff --git a/vendor/cryptopp/rsa.cpp b/vendor/cryptopp/rsa.cpp
index 1fb63aaa4c..d6d9846cac 100644
--- a/vendor/cryptopp/rsa.cpp
+++ b/vendor/cryptopp/rsa.cpp
@@ -126,19 +126,24 @@ void InvertibleRSAFunction::GenerateRandom(RandomNumberGenerator &rng, const Nam
 	if (m_e < 3 || m_e.IsEven())
 		throw InvalidArgument("InvertibleRSAFunction: invalid public exponent");
 
-	RSAPrimeSelector selector(m_e);
-	AlgorithmParameters primeParam = MakeParametersForTwoPrimesOfEqualSize(modulusSize)
-		(Name::PointerToPrimeSelector(), selector.GetSelectorPointer());
-	m_p.GenerateRandom(rng, primeParam);
-	m_q.GenerateRandom(rng, primeParam);
+	// Do this in a loop for small moduli. For small moduli, u' == 0 when p == q.
+	// https://github.com/weidai11/cryptopp/issues/1136
+	do
+	{
+		RSAPrimeSelector selector(m_e);
+		AlgorithmParameters primeParam = MakeParametersForTwoPrimesOfEqualSize(modulusSize)
+			(Name::PointerToPrimeSelector(), selector.GetSelectorPointer());
+		m_p.GenerateRandom(rng, primeParam);
+		m_q.GenerateRandom(rng, primeParam);
 
-	m_d = m_e.InverseMod(LCM(m_p-1, m_q-1));
-	CRYPTOPP_ASSERT(m_d.IsPositive());
+		m_d = m_e.InverseMod(LCM(m_p-1, m_q-1));
+		CRYPTOPP_ASSERT(m_d.IsPositive());
 
-	m_dp = m_d % (m_p-1);
-	m_dq = m_d % (m_q-1);
-	m_n = m_p * m_q;
-	m_u = m_q.InverseMod(m_p);
+		m_dp = m_d % (m_p-1);
+		m_dq = m_d % (m_q-1);
+		m_n = m_p * m_q;
+		m_u = m_q.InverseMod(m_p);
+	} while (m_u.IsZero());
 
 	if (FIPS_140_2_ComplianceEnabled())
 	{
@@ -159,7 +164,7 @@ void InvertibleRSAFunction::Initialize(RandomNumberGenerator &rng, unsigned int
 
 void InvertibleRSAFunction::Initialize(const Integer &n, const Integer &e, const Integer &d)
 {
-	if (n.IsEven() || e.IsEven() | d.IsEven())
+	if (n.IsEven() || e.IsEven() || d.IsEven())
 		throw InvalidArgument("InvertibleRSAFunction: input is not a valid RSA private key");
 
 	m_n = n;
diff --git a/vendor/cryptopp/scrypt.cpp b/vendor/cryptopp/scrypt.cpp
index 31431c8ab5..860fd49899 100644
--- a/vendor/cryptopp/scrypt.cpp
+++ b/vendor/cryptopp/scrypt.cpp
@@ -237,7 +237,7 @@ void Scrypt::ValidateParameters(size_t derivedLen, word64 cost, word64 blockSize
     // '128 * r * N' and '128 * r * p' do not overflow. They are the tests
     // that set errno to ENOMEM. We can make the logic a little more clear
     // using word128. At first blush the word128 may seem like  overkill.
-    // However, this alogirthm is dominated by slow moving parts, so a
+    // However, this algorithm is dominated by slow moving parts, so a
     // one-time check is insignificant in the bigger picture.
 #if defined(CRYPTOPP_WORD128_AVAILABLE)
     const word128 maxElems = static_cast(SIZE_MAX);
diff --git a/vendor/cryptopp/sha.cpp b/vendor/cryptopp/sha.cpp
index 047c13b35b..fa7554c864 100644
--- a/vendor/cryptopp/sha.cpp
+++ b/vendor/cryptopp/sha.cpp
@@ -258,8 +258,11 @@ std::string SHA1::AlgorithmProvider() const
         return "SSE2";
 #endif
 #if CRYPTOGAMS_ARM_SHA1
+# if CRYPTOPP_ARM_NEON_AVAILABLE
     if (HasNEON())
         return "NEON";
+    else
+# endif
     if (HasARMv7())
         return "ARMv7";
 #endif
@@ -291,18 +294,22 @@ void SHA1::Transform(word32 *state, const word32 *data)
         return;
     }
 #endif
+// Disabled at the moment due to MDC and SEAL failures
 #if CRYPTOGAMS_ARM_SHA1 && 0
+# if CRYPTOPP_ARM_NEON_AVAILABLE
     if (HasNEON())
     {
-# if defined(CRYPTOPP_LITTLE_ENDIAN)
+#  if defined(CRYPTOPP_LITTLE_ENDIAN)
         word32 dataBuf[16];
         ByteReverse(dataBuf, data, SHA1::BLOCKSIZE);
+        cryptogams_sha1_block_data_order_neon(state, dataBuf, 1);
+#  else
         cryptogams_sha1_block_data_order_neon(state, data, 1);
-# else
-        cryptogams_sha1_block_data_order_neon(state, data, 1);
-# endif
+#  endif
         return;
     }
+    else
+# endif
     if (HasARMv7())
     {
 # if defined(CRYPTOPP_LITTLE_ENDIAN)
@@ -339,11 +346,14 @@ size_t SHA1::HashMultipleBlocks(const word32 *input, size_t length)
     }
 #endif
 #if CRYPTOGAMS_ARM_SHA1
+# if CRYPTOPP_ARM_NEON_AVAILABLE
     if (HasNEON())
     {
         cryptogams_sha1_block_data_order_neon(m_state, input, length / SHA1::BLOCKSIZE);
         return length & (SHA1::BLOCKSIZE - 1);
     }
+    else
+# endif
     if (HasARMv7())
     {
         cryptogams_sha1_block_data_order(m_state, input, length / SHA1::BLOCKSIZE);
@@ -464,8 +474,11 @@ std::string SHA256_AlgorithmProvider()
         return "SSE2";
 #endif
 #if CRYPTOGAMS_ARM_SHA256
+# if CRYPTOPP_ARM_NEON_AVAILABLE
     if (HasNEON())
         return "NEON";
+    else
+# endif
     if (HasARMv7())
         return "ARMv7";
 #endif
@@ -812,12 +825,14 @@ INTEL_NOPREFIX
     ATT_PREFIX
     :
     : "c" (state), "d" (data), "S" (SHA256_K+48), "D" (len)
-    #if CRYPTOPP_BOOL_X64
+    #if CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X64
         , "m" (workspace[0])
     #endif
-    : "memory", "cc", "%eax"
-    #if CRYPTOPP_BOOL_X64
+    : "memory", "cc", "%eax", "%xmm0", "%xmm1", PERCENT_REG(AS_REG_7)
+    #if CRYPTOPP_BOOL_X32 || CRYPTOPP_BOOL_X64
         , "%rbx", "%r8", "%r10"
+    #else
+        , "%ebx"
     #endif
     );
 #endif
@@ -852,18 +867,22 @@ void SHA256::Transform(word32 *state, const word32 *data)
         return;
     }
 #endif
+// Disabled at the moment due to MDC and SEAL failures
 #if CRYPTOGAMS_ARM_SHA256 && 0
+# if CRYPTOPP_ARM_NEON_AVAILABLE
     if (HasNEON())
     {
-# if defined(CRYPTOPP_LITTLE_ENDIAN)
+#  if defined(CRYPTOPP_LITTLE_ENDIAN)
         word32 dataBuf[16];
         ByteReverse(dataBuf, data, SHA256::BLOCKSIZE);
+        cryptogams_sha256_block_data_order_neon(state, dataBuf, 1);
+#  else
         cryptogams_sha256_block_data_order_neon(state, data, 1);
-# else
-        cryptogams_sha256_block_data_order_neon(state, data, 1);
-# endif
+#  endif
         return;
     }
+    else
+# endif
     if (HasARMv7())
     {
 # if defined(CRYPTOPP_LITTLE_ENDIAN)
@@ -915,11 +934,14 @@ size_t SHA256::HashMultipleBlocks(const word32 *input, size_t length)
     }
 #endif
 #if CRYPTOGAMS_ARM_SHA256
+# if CRYPTOPP_ARM_NEON_AVAILABLE
     if (HasNEON())
     {
         cryptogams_sha256_block_data_order_neon(m_state, input, length / SHA256::BLOCKSIZE);
         return length & (SHA256::BLOCKSIZE - 1);
     }
+    else
+# endif
     if (HasARMv7())
     {
         cryptogams_sha256_block_data_order(m_state, input, length / SHA256::BLOCKSIZE);
@@ -983,11 +1005,14 @@ size_t SHA224::HashMultipleBlocks(const word32 *input, size_t length)
     }
 #endif
 #if CRYPTOGAMS_ARM_SHA256
+# if CRYPTOPP_ARM_NEON_AVAILABLE
     if (HasNEON())
     {
         cryptogams_sha256_block_data_order_neon(m_state, input, length / SHA256::BLOCKSIZE);
         return length & (SHA256::BLOCKSIZE - 1);
     }
+    else
+# endif
     if (HasARMv7())
     {
         cryptogams_sha256_block_data_order(m_state, input, length / SHA256::BLOCKSIZE);
@@ -1039,8 +1064,11 @@ std::string SHA512_AlgorithmProvider()
         return "SSE2";
 #endif
 #if CRYPTOGAMS_ARM_SHA512
+# if CRYPTOPP_ARM_NEON_AVAILABLE
     if (HasNEON())
         return "NEON";
+    else
+# endif
     if (HasARMv7())
         return "ARMv7";
 #endif
@@ -1268,7 +1296,9 @@ void CRYPTOPP_FASTCALL SHA512_HashBlock_SSE2(word64 *state, const word64 *data)
     ATT_PREFIX
         :
         : "a" (SHA512_K), "c" (state), "d" (data)
-        : "%esi", "%edi", "memory", "cc"
+        : "%ebx", "%esi", "%edi", "%mm0", "%mm1", "%mm2", "%mm3", "%mm4", "%mm5",
+          "%xmm0", "%xmm1", "%xmm2", "%xmm3", "%xmm4", "%xmm5", "%xmm6", "%xmm7",
+          "memory", "cc"
     );
 #else
     AS1(    pop        edi)
@@ -1351,17 +1381,20 @@ void SHA512::Transform(word64 *state, const word64 *data)
     }
 #endif
 #if CRYPTOGAMS_ARM_SHA512
+# if CRYPTOPP_ARM_NEON_AVAILABLE
     if (HasNEON())
     {
-# if (CRYPTOPP_LITTLE_ENDIAN)
+#  if (CRYPTOPP_LITTLE_ENDIAN)
         word64 dataBuf[16];
         ByteReverse(dataBuf, data, SHA512::BLOCKSIZE);
         cryptogams_sha512_block_data_order_neon(state, dataBuf, 1);
-# else
+#  else
         cryptogams_sha512_block_data_order_neon(state, data, 1);
-# endif
+#  endif
         return;
     }
+    else
+# endif
     if (HasARMv7())
     {
 # if (CRYPTOPP_LITTLE_ENDIAN)
diff --git a/vendor/cryptopp/shake.h b/vendor/cryptopp/shake.h
index aec6861d97..4d52132da6 100644
--- a/vendor/cryptopp/shake.h
+++ b/vendor/cryptopp/shake.h
@@ -75,7 +75,7 @@ class SHAKE_Final : public SHAKE
     /// \details SHAKE128 and SHAKE256 don't need the output size in advance
     ///   because the output size does not affect the digest. TruncatedFinal
     ///   produces the correct digest for any output size. However, cSHAKE
-    ///   requires the output size in advance because the algoirthm uses
+    ///   requires the output size in advance because the algorithm uses
     ///   output size as a parameter to the hash function.
     SHAKE_Final(unsigned int outputSize=DIGESTSIZE) : SHAKE(outputSize) {}
 
@@ -111,7 +111,7 @@ class SHAKE128 : public SHAKE_Final<128>
     /// \details SHAKE128 and SHAKE256 don't need the output size in advance
     ///   because the output size does not affect the digest. TruncatedFinal
     ///   produces the correct digest for any output size. However, cSHAKE
-    ///   requires the output size in advance because the algoirthm uses
+    ///   requires the output size in advance because the algorithm uses
     ///   output size as a parameter to the hash function.
     /// \since Crypto++ 8.1
     SHAKE128() {}
@@ -120,7 +120,7 @@ class SHAKE128 : public SHAKE_Final<128>
     /// \details SHAKE128 and SHAKE256 don't need the output size in advance
     ///   because the output size does not affect the digest. TruncatedFinal
     ///   produces the correct digest for any output size. However, cSHAKE
-    ///   requires the output size in advance because the algoirthm uses
+    ///   requires the output size in advance because the algorithm uses
     ///   output size as a parameter to the hash function.
     /// \since Crypto++ 8.1
     SHAKE128(unsigned int outputSize) : SHAKE_Final<128>(outputSize) {}
@@ -141,7 +141,7 @@ class SHAKE256 : public SHAKE_Final<256>
     /// \details SHAKE128 and SHAKE256 don't need the output size in advance
     ///   because the output size does not affect the digest. TruncatedFinal
     ///   produces the correct digest for any output size. However, cSHAKE
-    ///   requires the output size in advance because the algoirthm uses
+    ///   requires the output size in advance because the algorithm uses
     ///   output size as a parameter to the hash function.
     /// \since Crypto++ 8.1
     SHAKE256() {}
@@ -150,7 +150,7 @@ class SHAKE256 : public SHAKE_Final<256>
     /// \details SHAKE128 and SHAKE256 don't need the output size in advance
     ///   because the output size does not affect the digest. TruncatedFinal
     ///   produces the correct digest for any output size. However, cSHAKE
-    ///   requires the output size in advance because the algoirthm uses
+    ///   requires the output size in advance because the algorithm uses
     ///   output size as a parameter to the hash function.
     /// \since Crypto++ 8.1
     SHAKE256(unsigned int outputSize) : SHAKE_Final<256>(outputSize) {}
diff --git a/vendor/cryptopp/shark.cpp b/vendor/cryptopp/shark.cpp
index d51f2c9baa..fda1df08ef 100644
--- a/vendor/cryptopp/shark.cpp
+++ b/vendor/cryptopp/shark.cpp
@@ -40,7 +40,7 @@ void SHARK::Base::UncheckedSetKey(const byte *key, unsigned int keyLen, const Na
 	m_rounds = GetRoundsAndThrowIfInvalid(params, this);
 	m_roundKeys.New(m_rounds+1);
 
-	// concatenate key enought times to fill a
+	// concatenate key enough times to fill a
 	for (unsigned int i=0; i<(m_rounds+1)*8; i++)
 		((byte *)m_roundKeys.begin())[i] = key[i%keyLen];
 
diff --git a/vendor/cryptopp/simple.h b/vendor/cryptopp/simple.h
index cf91427b6a..885c6781b0 100644
--- a/vendor/cryptopp/simple.h
+++ b/vendor/cryptopp/simple.h
@@ -18,7 +18,7 @@
 
 NAMESPACE_BEGIN(CryptoPP)
 
-/// \brief Base class for identifying alogorithm
+/// \brief Base class for identifying algorithm
 /// \tparam BASE base class from which to derive
 /// \tparam DERIVED class which to clone
 template 
@@ -467,12 +467,12 @@ class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE Store : public AutoSignalingSMS4 Encryption Algorithm for Wireless Networks,
 ///   Reference implementation using OpenSSL and
@@ -38,7 +38,7 @@ struct SM4_Info : public FixedBlockSize<16>, FixedKeyLength<16>
 
 /// \brief Classes for the SM4 block cipher
 /// \details SM4 is a block cipher designed by Xiaoyun Wang, et al. The block cipher is part of the
-///   Chinese State Cryptography Administration portfolio. The cipher was formely known as SMS4.
+///   Chinese State Cryptography Administration portfolio. The cipher was formerly known as SMS4.
 /// \sa SMS4 Encryption Algorithm for Wireless Networks
 /// \since Crypto++ 6.0
 class CRYPTOPP_NO_VTABLE SM4 : public SM4_Info, public BlockCipherDocumentation
@@ -60,7 +60,7 @@ class CRYPTOPP_NO_VTABLE SM4 : public SM4_Info, public BlockCipherDocumentation
     /// \details Enc provides implementation for encryption transformation. All key
     ///   sizes are supported.
     /// \details SM4 encryption is accelerated on machines with AES-NI. Decryption is
-    ///   not acclerated because it is not profitable. Thanks to Markku-Juhani Olavi
+    ///   not accelerated because it is not profitable. Thanks to Markku-Juhani Olavi
     ///   Saarinen.
     /// \since Crypto++ 6.0, AESNI encryption since Crypto++ 8.0
     class CRYPTOPP_NO_VTABLE Enc : public Base
@@ -78,7 +78,7 @@ class CRYPTOPP_NO_VTABLE SM4 : public SM4_Info, public BlockCipherDocumentation
     /// \details Dec provides implementation for decryption transformation. All key
     ///   sizes are supported.
     /// \details SM4 encryption is accelerated on machines with AES-NI. Decryption is
-    ///   not acclerated because it is not profitable. Thanks to Markku-Juhani Olavi
+    ///   not accelerated because it is not profitable. Thanks to Markku-Juhani Olavi
     ///   Saarinen.
     /// \since Crypto++ 6.0
     class CRYPTOPP_NO_VTABLE Dec : public Base
diff --git a/vendor/cryptopp/smartptr.h b/vendor/cryptopp/smartptr.h
index 1d04babdb2..4e16a7fe9d 100644
--- a/vendor/cryptopp/smartptr.h
+++ b/vendor/cryptopp/smartptr.h
@@ -220,7 +220,7 @@ template  counted_ptr & counted_ptr::operator=(const counted_ptr<
 template  class vector_member_ptrs
 {
 public:
-	/// Construct an arry of \p T
+	/// Construct an array of \p T
 	/// \param size the size of the array, in elements
 	/// \details If \p T is a Plain Old Dataype (POD), then the array is uninitialized.
 	vector_member_ptrs(size_t size=0)
diff --git a/vendor/cryptopp/strciphr.cpp b/vendor/cryptopp/strciphr.cpp
index 8d3e885824..3ff7bd4328 100644
--- a/vendor/cryptopp/strciphr.cpp
+++ b/vendor/cryptopp/strciphr.cpp
@@ -1,14 +1,15 @@
 // strciphr.cpp - originally written and placed in the public domain by Wei Dai
 
-// TODO: Figure out what is happening in ProcessData. The issue surfaced for
-//       CFB_CipherTemplate::ProcessData when we cut-in Cryptogams
-//       AES ARMv7 asm. Then again in AdditiveCipherTemplate::ProcessData
-//       for CTR mode with HIGHT, which is a 64-bit block cipher. In both cases,
-//       inString == outString leads to incorrect results. We think it relates to
-//       aliasing violations because inString == outString.
+//     TODO: Figure out what is happening in ProcessData. The issue surfaced
+//     for CFB_CipherTemplate::ProcessData when we cut-in Cryptogams
+//     AES ARMv7 asm. Then again in AdditiveCipherTemplate::ProcessData
+//     for CTR mode with HIGHT, which is a 64-bit block cipher. In both cases,
+//     inString == outString leads to incorrect results. We think it relates
+//     to aliasing violations because inString == outString.
 //
-//       Also see https://github.com/weidai11/cryptopp/issues/683 and
-//       https://github.com/weidai11/cryptopp/issues/1010.
+//     Also see https://github.com/weidai11/cryptopp/issues/683,
+//     https://github.com/weidai11/cryptopp/issues/1010 and
+//     https://github.com/weidai11/cryptopp/issues/1088.
 
 #include "pch.h"
 
@@ -54,7 +55,7 @@ void AdditiveCipherTemplate::GenerateBlock(byte *outString, size_t length)
 	}
 
 	PolicyInterface &policy = this->AccessPolicy();
-	unsigned int bytesPerIteration = policy.GetBytesPerIteration();
+	size_t bytesPerIteration = policy.GetBytesPerIteration();
 
 	if (length >= bytesPerIteration)
 	{
@@ -75,6 +76,17 @@ void AdditiveCipherTemplate::GenerateBlock(byte *outString, size_t length)
 	}
 }
 
+// TODO: Figure out what is happening in ProcessData. The issue surfaced
+// for CFB_CipherTemplate::ProcessData when we cut-in Cryptogams
+// AES ARMv7 asm. Then again in AdditiveCipherTemplate::ProcessData
+// for CTR mode with HIGHT, which is a 64-bit block cipher. In both cases,
+// inString == outString leads to incorrect results. We think it relates
+// to aliasing violations because inString == outString.
+//
+// Also see https://github.com/weidai11/cryptopp/issues/683,
+// https://github.com/weidai11/cryptopp/issues/1010 and
+// https://github.com/weidai11/cryptopp/issues/1088.
+
 template 
 void AdditiveCipherTemplate::ProcessData(byte *outString, const byte *inString, size_t length)
 {
@@ -82,29 +94,7 @@ void AdditiveCipherTemplate::ProcessData(byte *outString, const byte *inStrin
 	CRYPTOPP_ASSERT(length % this->MandatoryBlockSize() == 0);
 
 	PolicyInterface &policy = this->AccessPolicy();
-	unsigned int bytesPerIteration = policy.GetBytesPerIteration();
-
-	// GCC and Clang do not like this for CTR mode and 64-bit ciphers like HIGHT.
-	// The incorrect result is a partial string of 0's instead of plaintext or
-	// ciphertext. Recovered plaintext is partially garbage.
-	//
-	// It almost feels as if the compiler does not see the string is transformed
-	// in-place so it short-circuits the transform. In this case, if we use a
-	// stand-alone reproducer with the same data then the issue is present.
-
-	byte* savedOutString = outString;
-	size_t savedLength = length;
-	bool copyOut = false;
-
-	if (inString == outString)
-	{
-		// No need to copy inString to outString.
-		// Just allocate the space.
-		m_tempOutString.New(length);
-		m_tempOutString.SetMark(0);
-		outString = m_tempOutString.BytePtr();
-		copyOut = true;
-	}
+	size_t bytesPerIteration = policy.GetBytesPerIteration();
 
 	if (m_leftOver > 0)
 	{
@@ -116,13 +106,9 @@ void AdditiveCipherTemplate::ProcessData(byte *outString, const byte *inStrin
 		length -= len; m_leftOver -= len;
 	}
 
-	if (!length) {
-		if (copyOut)
-			std::memcpy(savedOutString, m_tempOutString.BytePtr(), savedLength);
-		return;
-	}
+	if (!length) { return; }
 
-	const unsigned int alignment = policy.GetAlignment();
+	const word32 alignment = policy.GetAlignment();
 	const bool inAligned = IsAlignedOn(inString, alignment);
 	const bool outAligned = IsAlignedOn(outString, alignment);
 	CRYPTOPP_UNUSED(inAligned); CRYPTOPP_UNUSED(outAligned);
@@ -135,6 +121,10 @@ void AdditiveCipherTemplate::ProcessData(byte *outString, const byte *inStrin
 		KeystreamOperation operation = KeystreamOperation(flags);
 		policy.OperateKeystream(operation, outString, inString, iterations);
 
+		// Try to tame the optimizer. This is GH #683, #1010, and #1088.
+		volatile byte* unused = const_cast(outString);
+		CRYPTOPP_UNUSED(unused);
+
 		inString = PtrAdd(inString, iterations * bytesPerIteration);
 		outString = PtrAdd(outString, iterations * bytesPerIteration);
 		length -= iterations * bytesPerIteration;
@@ -163,9 +153,6 @@ void AdditiveCipherTemplate::ProcessData(byte *outString, const byte *inStrin
 
 		m_leftOver = bufferByteSize - length;
 	}
-
-	if (copyOut)
-		std::memcpy(savedOutString, m_tempOutString.BytePtr(), savedLength);
 }
 
 template 
@@ -219,6 +206,17 @@ void CFB_CipherTemplate::Resynchronize(const byte *iv, int length)
 	m_leftOver = policy.GetBytesPerIteration();
 }
 
+// TODO: Figure out what is happening in ProcessData. The issue surfaced
+// for CFB_CipherTemplate::ProcessData when we cut-in Cryptogams
+// AES ARMv7 asm. Then again in AdditiveCipherTemplate::ProcessData
+// for CTR mode with HIGHT, which is a 64-bit block cipher. In both cases,
+// inString == outString leads to incorrect results. We think it relates
+// to aliasing violations because inString == outString.
+//
+// Also see https://github.com/weidai11/cryptopp/issues/683,
+// https://github.com/weidai11/cryptopp/issues/1010 and
+// https://github.com/weidai11/cryptopp/issues/1088.
+
 template 
 void CFB_CipherTemplate::ProcessData(byte *outString, const byte *inString, size_t length)
 {
@@ -229,29 +227,6 @@ void CFB_CipherTemplate::ProcessData(byte *outString, const byte *inString
 	unsigned int bytesPerIteration = policy.GetBytesPerIteration();
 	byte *reg = policy.GetRegisterBegin();
 
-	// GCC and Clang do not like this on ARM when inString == outString. The incorrect
-	// result is a string of 0's instead of plaintext or ciphertext. The 0's trace back
-	// to the allocation for the std::string in datatest.cpp. Elements in the string
-	// are initialized to their default value, which is 0.
-	//
-	// It almost feels as if the compiler does not see the string is transformed
-	// in-place so it short-circuits the transform. However, if we use a stand-alone
-	// reproducer with the same data then the issue is _not_ present.
-
-	byte* savedOutString = outString;
-	size_t savedLength = length;
-	bool copyOut = false;
-
-	if (inString == outString)
-	{
-		// No need to copy inString to outString.
-		// Just allocate the space.
-		m_tempOutString.New(length);
-		m_tempOutString.SetMark(0);
-		outString = m_tempOutString.BytePtr();
-		copyOut = true;
-	}
-
 	if (m_leftOver)
 	{
 		const size_t len = STDMIN(m_leftOver, length);
@@ -262,13 +237,9 @@ void CFB_CipherTemplate::ProcessData(byte *outString, const byte *inString
 		m_leftOver -= len; length -= len;
 	}
 
-	if (!length) {
-		if (copyOut)
-			std::memcpy(savedOutString, m_tempOutString.BytePtr(), savedLength);
-		return;
-	}
+	if (!length) { return; }
 
-	const unsigned int alignment = policy.GetAlignment();
+	const word32 alignment = policy.GetAlignment();
 	const bool inAligned = IsAlignedOn(inString, alignment);
 	const bool outAligned = IsAlignedOn(outString, alignment);
 	CRYPTOPP_UNUSED(inAligned); CRYPTOPP_UNUSED(outAligned);
@@ -278,6 +249,10 @@ void CFB_CipherTemplate::ProcessData(byte *outString, const byte *inString
 		CipherDir cipherDir = GetCipherDir(*this);
 		policy.Iterate(outString, inString, cipherDir, length / bytesPerIteration);
 
+		// Try to tame the optimizer. This is GH #683, #1010, and #1088.
+		volatile byte* unused = const_cast(outString);
+		CRYPTOPP_UNUSED(unused);
+
 		const size_t remainder = length % bytesPerIteration;
 		inString = PtrAdd(inString, length - remainder);
 		outString = PtrAdd(outString, length - remainder);
@@ -300,9 +275,6 @@ void CFB_CipherTemplate::ProcessData(byte *outString, const byte *inString
 		CombineMessageAndShiftRegister(outString, reg, inString, length);
 		m_leftOver = bytesPerIteration - length;
 	}
-
-	if (copyOut)
-		std::memcpy(savedOutString, m_tempOutString.BytePtr(), savedLength);
 }
 
 template 
diff --git a/vendor/cryptopp/strciphr.h b/vendor/cryptopp/strciphr.h
index 94ee617452..ef8989db25 100644
--- a/vendor/cryptopp/strciphr.h
+++ b/vendor/cryptopp/strciphr.h
@@ -86,9 +86,9 @@ enum KeystreamOperationFlags {
 /// \sa AdditiveCipherAbstractPolicy::GetBytesPerIteration(), AdditiveCipherAbstractPolicy::GetOptimalBlockSize()
 ///  and AdditiveCipherAbstractPolicy::GetAlignment()
 enum KeystreamOperation {
-	/// \brief Wirte the keystream to the output buffer, input is NULL
+	/// \brief Write the keystream to the output buffer, input is NULL
 	WRITE_KEYSTREAM				= INPUT_NULL,
-	/// \brief Wirte the keystream to the aligned output buffer, input is NULL
+	/// \brief Write the keystream to the aligned output buffer, input is NULL
 	WRITE_KEYSTREAM_ALIGNED		= INPUT_NULL | OUTPUT_ALIGNED,
 	/// \brief XOR the input buffer and keystream, write to the output buffer
 	XOR_KEYSTREAM				= 0,
@@ -320,7 +320,13 @@ class CRYPTOPP_NO_VTABLE AdditiveCipherTemplate : public BASE, public RandomNumb
 	///     ChaCha20 chacha(key, keySize);
 	///     chacha.ProcessData(cipher, plain, size);
 	///
    - void ProcessData(byte *outString, const byte *inString, size_t length); + /// \details You should use distinct buffers for inString and outString. If the buffers + /// are the same, then the data will be copied to an internal buffer to avoid GCC alias + /// violations. The internal copy will impact performance. + /// \sa Issue 1088, 36% loss + /// of performance with AES, Issue + /// 1010, HIGHT cipher troubles with FileSource + void ProcessData(byte *outString, const byte *inString, size_t length); /// \brief Resynchronize the cipher /// \param iv a byte array used to resynchronize the cipher @@ -388,12 +394,11 @@ class CRYPTOPP_NO_VTABLE AdditiveCipherTemplate : public BASE, public RandomNumb inline byte * KeystreamBufferBegin() {return this->m_buffer.data();} inline byte * KeystreamBufferEnd() {return (PtrAdd(this->m_buffer.data(), this->m_buffer.size()));} - // m_tempOutString added due to GH #1010 - AlignedSecByteBlock m_buffer, m_tempOutString; + AlignedSecByteBlock m_buffer; size_t m_leftOver; }; -/// \brief Policy object for feeback based stream ciphers +/// \brief Policy object for feedback based stream ciphers class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CFB_CipherAbstractPolicy { public: @@ -578,6 +583,12 @@ class CRYPTOPP_NO_VTABLE CFB_CipherTemplate : public BASE /// ChaCha20 chacha(key, keySize); /// chacha.ProcessData(cipher, plain, size); /// + /// \details You should use distinct buffers for inString and outString. If the buffers + /// are the same, then the data will be copied to an internal buffer to avoid GCC alias + /// violations. The internal copy will impact performance. + /// \sa Issue 1088, 36% loss + /// of performance with AES, Issue + /// 1010, HIGHT cipher troubles with FileSource void ProcessData(byte *outString, const byte *inString, size_t length); /// \brief Resynchronize the cipher @@ -634,8 +645,6 @@ class CRYPTOPP_NO_VTABLE CFB_CipherTemplate : public BASE void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs ¶ms); - // m_tempOutString added due to GH #1010 - AlignedSecByteBlock m_tempOutString; size_t m_leftOver; }; diff --git a/vendor/cryptopp/x64dll.asm b/vendor/cryptopp/x64dll.asm index c1eecdea8d..e2915b23dd 100644 --- a/vendor/cryptopp/x64dll.asm +++ b/vendor/cryptopp/x64dll.asm @@ -1998,7 +1998,7 @@ XGETBV64 ENDP ALIGN 8 CPUID64 PROC ;; preserve per ABI - push rbx + mov r9, rbx ;; eax = func mov rax, rcx ;; ecx = subfunc @@ -2011,7 +2011,7 @@ CPUID64 PROC mov [r8+8], ecx mov [r8+12], edx ;; restore - pop rbx + mov rbx, r9 ;; return mov rax, 1 ret diff --git a/vendor/cryptopp/xed25519.h b/vendor/cryptopp/xed25519.h index 50adfec914..cd0c75c128 100644 --- a/vendor/cryptopp/xed25519.h +++ b/vendor/cryptopp/xed25519.h @@ -69,7 +69,7 @@ class x25519 : public SimpleKeyAgreementDomain, public CryptoParameters, public /// \brief Create a x25519 object /// \details This constructor creates an empty x25519 object. It is /// intended for use in loading existing parameters, like CryptoBox - /// parameters. If you are perfoming key agreement you should use a + /// parameters. If you are performing key agreement you should use a /// constructor that generates random parameters on construction. x25519() {} @@ -350,7 +350,7 @@ struct ed25519_MessageAccumulator : public PK_MessageAccumulator /// If you call GetPrivateExponent() then the little-endian byte /// array is converted to a big-endian Integer() so it can be /// returned the way a caller expects. And calling -/// SetPrivateExponent perfoms a similar internal conversion. +/// SetPrivateExponent performs a similar internal conversion. /// \since Crypto++ 8.0 struct ed25519PrivateKey : public PKCS8PrivateKey { @@ -360,7 +360,7 @@ struct ed25519PrivateKey : public PKCS8PrivateKey /// \brief Size of the public key /// \details PUBLIC_KEYLENGTH is the size of the public key, in bytes. CRYPTOPP_CONSTANT(PUBLIC_KEYLENGTH = 32); - /// \brief Size of the siganture + /// \brief Size of the signature /// \details SIGNATURE_LENGTH is the size of the signature, in bytes. /// ed25519 is a DL-based signature scheme. The signature is the /// concatenation of r || s. @@ -503,7 +503,7 @@ struct ed25519Signer : public PK_Signer /// \brief Size of the public key /// \details PUBLIC_KEYLENGTH is the size of the public key, in bytes. CRYPTOPP_CONSTANT(PUBLIC_KEYLENGTH = 32); - /// \brief Size of the siganture + /// \brief Size of the signature /// \details SIGNATURE_LENGTH is the size of the signature, in bytes. /// ed25519 is a DL-based signature scheme. The signature is the /// concatenation of r || s. @@ -629,7 +629,7 @@ struct ed25519Signer : public PK_Signer /// If you call GetPublicElement() then the little-endian byte /// array is converted to a big-endian Integer() so it can be /// returned the way a caller expects. And calling -/// SetPublicElement() perfoms a similar internal conversion. +/// SetPublicElement() performs a similar internal conversion. /// \since Crypto++ 8.0 struct ed25519PublicKey : public X509PublicKey { diff --git a/vendor/cryptopp/xts.cpp b/vendor/cryptopp/xts.cpp index 03f2fdfa77..6e41891773 100644 --- a/vendor/cryptopp/xts.cpp +++ b/vendor/cryptopp/xts.cpp @@ -25,7 +25,7 @@ #endif #if defined(__aarch32__) || defined(__aarch64__) || defined(_M_ARM64) -# if (CRYPTOPP_ARM_NEON_HEADER) +# if (CRYPTOPP_ARM_NEON_HEADER) || (CRYPTOPP_ARM_ASIMD_AVAILABLE) # include # endif #endif @@ -93,7 +93,16 @@ inline void XorBuffer(byte *buf, const byte *mask, size_t count) // Borrowed from CMAC, but little-endian representation inline void GF_Double(byte *out, const byte* in, unsigned int len) { -#if defined(_M_X64) || defined(_M_ARM64) || defined(_LP64) || defined(__LP64__) +#if defined(CRYPTOPP_WORD128_AVAILABLE) + word128 carry = 0, x; + for (size_t i=0, idx=0; i(false, LITTLE_ENDIAN_ORDER, in+idx); + word128 y = (x >> 127); x = (x << 1) + carry; + PutWord(false, LITTLE_ENDIAN_ORDER, out+idx, x); + carry = y; + } +#elif defined(_M_X64) || defined(_M_ARM64) || defined(_LP64) || defined(__LP64__) word64 carry = 0, x; for (size_t i=0, idx=0; i