10 files changed, 1741 insertions, 1741 deletions

diff --git a/CryptoPP/authenc.cpp b/CryptoPP/authenc.cpp
index 0ca5da60d..f93662efb 100644
--- a/CryptoPP/authenc.cpp
+++ b/CryptoPP/authenc.cpp
@@ -1,180 +1,180 @@
-// authenc.cpp - written and placed in the public domain by Wei Dai

-

-#include "pch.h"

-

-#ifndef CRYPTOPP_IMPORTS

-

-#include "authenc.h"

-

-NAMESPACE_BEGIN(CryptoPP)

-

-void AuthenticatedSymmetricCipherBase::AuthenticateData(const byte *input, size_t len)

-{

-	unsigned int blockSize = AuthenticationBlockSize();

-	unsigned int &num = m_bufferedDataLength;

-	byte* data = m_buffer.begin();

-

-	if (num != 0)	// process left over data

-	{

-		if (num+len >= blockSize)

-		{

-			memcpy(data+num, input, blockSize-num);

-			AuthenticateBlocks(data, blockSize);

-			input += (blockSize-num);

-			len -= (blockSize-num);

-			num = 0;

-			// drop through and do the rest

-		}

-		else

-		{

-			memcpy(data+num, input, len);

-			num += (unsigned int)len;

-			return;

-		}

-	}

-

-	// now process the input data in blocks of blockSize bytes and save the leftovers to m_data

-	if (len >= blockSize)

-	{

-		size_t leftOver = AuthenticateBlocks(input, len);

-		input += (len - leftOver);

-		len = leftOver;

-	}

-

-	memcpy(data, input, len);

-	num = (unsigned int)len;

-}

-

-void AuthenticatedSymmetricCipherBase::SetKey(const byte *userKey, size_t keylength, const NameValuePairs &params)

-{

-	m_bufferedDataLength = 0;

-	m_state = State_Start;

-

-	SetKeyWithoutResync(userKey, keylength, params);

-	m_state = State_KeySet;

-

-	size_t length;

-	const byte *iv = GetIVAndThrowIfInvalid(params, length);

-	if (iv)

-		Resynchronize(iv, (int)length);

-}

-

-void AuthenticatedSymmetricCipherBase::Resynchronize(const byte *iv, int length)

-{

-	if (m_state < State_KeySet)

-		throw BadState(AlgorithmName(), "Resynchronize", "key is set");

-

-	m_bufferedDataLength = 0;

-	m_totalHeaderLength = m_totalMessageLength = m_totalFooterLength = 0;

-	m_state = State_KeySet;

-

-	Resync(iv, this->ThrowIfInvalidIVLength(length));

-	m_state = State_IVSet;

-}

-

-void AuthenticatedSymmetricCipherBase::Update(const byte *input, size_t length)

-{

-	if (length == 0)

-		return;

-

-	switch (m_state)

-	{

-	case State_Start:

-	case State_KeySet:

-		throw BadState(AlgorithmName(), "Update", "setting key and IV");

-	case State_IVSet:

-		AuthenticateData(input, length);

-		m_totalHeaderLength += length;

-		break;

-	case State_AuthUntransformed:

-	case State_AuthTransformed:

-		AuthenticateLastConfidentialBlock();

-		m_bufferedDataLength = 0;

-		m_state = State_AuthFooter;

-		// fall through

-	case State_AuthFooter:

-		AuthenticateData(input, length);

-		m_totalFooterLength += length;

-		break;

-	default:

-		assert(false);

-	}

-}

-

-void AuthenticatedSymmetricCipherBase::ProcessData(byte *outString, const byte *inString, size_t length)

-{

-	m_totalMessageLength += length;

-	if (m_state >= State_IVSet && m_totalMessageLength > MaxMessageLength())

-		throw InvalidArgument(AlgorithmName() + ": message length exceeds maximum");

-

-reswitch:

-	switch (m_state)

-	{

-	case State_Start:

-	case State_KeySet:

-		throw BadState(AlgorithmName(), "ProcessData", "setting key and IV");

-	case State_AuthFooter:

-		throw BadState(AlgorithmName(), "ProcessData was called after footer input has started");

-	case State_IVSet:

-		AuthenticateLastHeaderBlock();

-		m_bufferedDataLength = 0;

-		m_state = AuthenticationIsOnPlaintext()==IsForwardTransformation() ? State_AuthUntransformed : State_AuthTransformed;

-		goto reswitch;

-	case State_AuthUntransformed:

-		AuthenticateData(inString, length);

-		AccessSymmetricCipher().ProcessData(outString, inString, length);

-		break;

-	case State_AuthTransformed:

-		AccessSymmetricCipher().ProcessData(outString, inString, length);

-		AuthenticateData(outString, length);

-		break;

-	default:

-		assert(false);

-	}

-}

-

-void AuthenticatedSymmetricCipherBase::TruncatedFinal(byte *mac, size_t macSize)

-{

-	if (m_totalHeaderLength > MaxHeaderLength())

-		throw InvalidArgument(AlgorithmName() + ": header length of " + IntToString(m_totalHeaderLength) + " exceeds the maximum of " + IntToString(MaxHeaderLength()));

-

-	if (m_totalFooterLength > MaxFooterLength())

-	{

-		if (MaxFooterLength() == 0)

-			throw InvalidArgument(AlgorithmName() + ": additional authenticated data (AAD) cannot be input after data to be encrypted or decrypted");

-		else

-			throw InvalidArgument(AlgorithmName() + ": footer length of " + IntToString(m_totalFooterLength) + " exceeds the maximum of " + IntToString(MaxFooterLength()));

-	}

-

-	switch (m_state)

-	{

-	case State_Start:

-	case State_KeySet:

-		throw BadState(AlgorithmName(), "TruncatedFinal", "setting key and IV");

-

-	case State_IVSet:

-		AuthenticateLastHeaderBlock();

-		m_bufferedDataLength = 0;

-		// fall through

-

-	case State_AuthUntransformed:

-	case State_AuthTransformed:

-		AuthenticateLastConfidentialBlock();

-		m_bufferedDataLength = 0;

-		// fall through

-

-	case State_AuthFooter:

-		AuthenticateLastFooterBlock(mac, macSize);

-		m_bufferedDataLength = 0;

-		break;

-

-	default:

-		assert(false);

-	}

-

-	m_state = State_KeySet;

-}

-

-NAMESPACE_END

-

-#endif

+// authenc.cpp - written and placed in the public domain by Wei Dai
+
+#include "pch.h"
+
+#ifndef CRYPTOPP_IMPORTS
+
+#include "authenc.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+void AuthenticatedSymmetricCipherBase::AuthenticateData(const byte *input, size_t len)
+{
+	unsigned int blockSize = AuthenticationBlockSize();
+	unsigned int &num = m_bufferedDataLength;
+	byte* data = m_buffer.begin();
+
+	if (num != 0)	// process left over data
+	{
+		if (num+len >= blockSize)
+		{
+			memcpy(data+num, input, blockSize-num);
+			AuthenticateBlocks(data, blockSize);
+			input += (blockSize-num);
+			len -= (blockSize-num);
+			num = 0;
+			// drop through and do the rest
+		}
+		else
+		{
+			memcpy(data+num, input, len);
+			num += (unsigned int)len;
+			return;
+		}
+	}
+
+	// now process the input data in blocks of blockSize bytes and save the leftovers to m_data
+	if (len >= blockSize)
+	{
+		size_t leftOver = AuthenticateBlocks(input, len);
+		input += (len - leftOver);
+		len = leftOver;
+	}
+
+	memcpy(data, input, len);
+	num = (unsigned int)len;
+}
+
+void AuthenticatedSymmetricCipherBase::SetKey(const byte *userKey, size_t keylength, const NameValuePairs &params)
+{
+	m_bufferedDataLength = 0;
+	m_state = State_Start;
+
+	SetKeyWithoutResync(userKey, keylength, params);
+	m_state = State_KeySet;
+
+	size_t length;
+	const byte *iv = GetIVAndThrowIfInvalid(params, length);
+	if (iv)
+		Resynchronize(iv, (int)length);
+}
+
+void AuthenticatedSymmetricCipherBase::Resynchronize(const byte *iv, int length)
+{
+	if (m_state < State_KeySet)
+		throw BadState(AlgorithmName(), "Resynchronize", "key is set");
+
+	m_bufferedDataLength = 0;
+	m_totalHeaderLength = m_totalMessageLength = m_totalFooterLength = 0;
+	m_state = State_KeySet;
+
+	Resync(iv, this->ThrowIfInvalidIVLength(length));
+	m_state = State_IVSet;
+}
+
+void AuthenticatedSymmetricCipherBase::Update(const byte *input, size_t length)
+{
+	if (length == 0)
+		return;
+
+	switch (m_state)
+	{
+	case State_Start:
+	case State_KeySet:
+		throw BadState(AlgorithmName(), "Update", "setting key and IV");
+	case State_IVSet:
+		AuthenticateData(input, length);
+		m_totalHeaderLength += length;
+		break;
+	case State_AuthUntransformed:
+	case State_AuthTransformed:
+		AuthenticateLastConfidentialBlock();
+		m_bufferedDataLength = 0;
+		m_state = State_AuthFooter;
+		// fall through
+	case State_AuthFooter:
+		AuthenticateData(input, length);
+		m_totalFooterLength += length;
+		break;
+	default:
+		assert(false);
+	}
+}
+
+void AuthenticatedSymmetricCipherBase::ProcessData(byte *outString, const byte *inString, size_t length)
+{
+	m_totalMessageLength += length;
+	if (m_state >= State_IVSet && m_totalMessageLength > MaxMessageLength())
+		throw InvalidArgument(AlgorithmName() + ": message length exceeds maximum");
+
+reswitch:
+	switch (m_state)
+	{
+	case State_Start:
+	case State_KeySet:
+		throw BadState(AlgorithmName(), "ProcessData", "setting key and IV");
+	case State_AuthFooter:
+		throw BadState(AlgorithmName(), "ProcessData was called after footer input has started");
+	case State_IVSet:
+		AuthenticateLastHeaderBlock();
+		m_bufferedDataLength = 0;
+		m_state = AuthenticationIsOnPlaintext()==IsForwardTransformation() ? State_AuthUntransformed : State_AuthTransformed;
+		goto reswitch;
+	case State_AuthUntransformed:
+		AuthenticateData(inString, length);
+		AccessSymmetricCipher().ProcessData(outString, inString, length);
+		break;
+	case State_AuthTransformed:
+		AccessSymmetricCipher().ProcessData(outString, inString, length);
+		AuthenticateData(outString, length);
+		break;
+	default:
+		assert(false);
+	}
+}
+
+void AuthenticatedSymmetricCipherBase::TruncatedFinal(byte *mac, size_t macSize)
+{
+	if (m_totalHeaderLength > MaxHeaderLength())
+		throw InvalidArgument(AlgorithmName() + ": header length of " + IntToString(m_totalHeaderLength) + " exceeds the maximum of " + IntToString(MaxHeaderLength()));
+
+	if (m_totalFooterLength > MaxFooterLength())
+	{
+		if (MaxFooterLength() == 0)
+			throw InvalidArgument(AlgorithmName() + ": additional authenticated data (AAD) cannot be input after data to be encrypted or decrypted");
+		else
+			throw InvalidArgument(AlgorithmName() + ": footer length of " + IntToString(m_totalFooterLength) + " exceeds the maximum of " + IntToString(MaxFooterLength()));
+	}
+
+	switch (m_state)
+	{
+	case State_Start:
+	case State_KeySet:
+		throw BadState(AlgorithmName(), "TruncatedFinal", "setting key and IV");
+
+	case State_IVSet:
+		AuthenticateLastHeaderBlock();
+		m_bufferedDataLength = 0;
+		// fall through
+
+	case State_AuthUntransformed:
+	case State_AuthTransformed:
+		AuthenticateLastConfidentialBlock();
+		m_bufferedDataLength = 0;
+		// fall through
+
+	case State_AuthFooter:
+		AuthenticateLastFooterBlock(mac, macSize);
+		m_bufferedDataLength = 0;
+		break;
+
+	default:
+		assert(false);
+	}
+
+	m_state = State_KeySet;
+}
+
+NAMESPACE_END
+
+#endif
diff --git a/CryptoPP/authenc.h b/CryptoPP/authenc.h
index f726716e7..5bb2a51c8 100644
--- a/CryptoPP/authenc.h
+++ b/CryptoPP/authenc.h
@@ -1,49 +1,49 @@
-#ifndef CRYPTOPP_AUTHENC_H

-#define CRYPTOPP_AUTHENC_H

-

-#include "cryptlib.h"

-#include "secblock.h"

-

-NAMESPACE_BEGIN(CryptoPP)

-

-//! .

-class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE AuthenticatedSymmetricCipherBase : public AuthenticatedSymmetricCipher

-{

-public:

-	AuthenticatedSymmetricCipherBase() : m_state(State_Start) {}

-

-	bool IsRandomAccess() const {return false;}

-	bool IsSelfInverting() const {return true;}

-	void UncheckedSetKey(const byte *,unsigned int,const CryptoPP::NameValuePairs &) {assert(false);}

-

-	void SetKey(const byte *userKey, size_t keylength, const NameValuePairs &params);

-	void Restart() {if (m_state > State_KeySet) m_state = State_KeySet;}

-	void Resynchronize(const byte *iv, int length=-1);

-	void Update(const byte *input, size_t length);

-	void ProcessData(byte *outString, const byte *inString, size_t length);

-	void TruncatedFinal(byte *mac, size_t macSize);

-

-protected:

-	void AuthenticateData(const byte *data, size_t len);

-	const SymmetricCipher & GetSymmetricCipher() const {return const_cast<AuthenticatedSymmetricCipherBase *>(this)->AccessSymmetricCipher();};

-

-	virtual SymmetricCipher & AccessSymmetricCipher() =0;

-	virtual bool AuthenticationIsOnPlaintext() const =0;

-	virtual unsigned int AuthenticationBlockSize() const =0;

-	virtual void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params) =0;

-	virtual void Resync(const byte *iv, size_t len) =0;

-	virtual size_t AuthenticateBlocks(const byte *data, size_t len) =0;

-	virtual void AuthenticateLastHeaderBlock() =0;

-	virtual void AuthenticateLastConfidentialBlock() {}

-	virtual void AuthenticateLastFooterBlock(byte *mac, size_t macSize) =0;

-

-	enum State {State_Start, State_KeySet, State_IVSet, State_AuthUntransformed, State_AuthTransformed, State_AuthFooter};

-	State m_state;

-	unsigned int m_bufferedDataLength;

-	lword m_totalHeaderLength, m_totalMessageLength, m_totalFooterLength;

-	AlignedSecByteBlock m_buffer;

-};

-

-NAMESPACE_END

-

-#endif

+#ifndef CRYPTOPP_AUTHENC_H
+#define CRYPTOPP_AUTHENC_H
+
+#include "cryptlib.h"
+#include "secblock.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+//! .
+class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE AuthenticatedSymmetricCipherBase : public AuthenticatedSymmetricCipher
+{
+public:
+	AuthenticatedSymmetricCipherBase() : m_state(State_Start) {}
+
+	bool IsRandomAccess() const {return false;}
+	bool IsSelfInverting() const {return true;}
+	void UncheckedSetKey(const byte *,unsigned int,const CryptoPP::NameValuePairs &) {assert(false);}
+
+	void SetKey(const byte *userKey, size_t keylength, const NameValuePairs &params);
+	void Restart() {if (m_state > State_KeySet) m_state = State_KeySet;}
+	void Resynchronize(const byte *iv, int length=-1);
+	void Update(const byte *input, size_t length);
+	void ProcessData(byte *outString, const byte *inString, size_t length);
+	void TruncatedFinal(byte *mac, size_t macSize);
+
+protected:
+	void AuthenticateData(const byte *data, size_t len);
+	const SymmetricCipher & GetSymmetricCipher() const {return const_cast<AuthenticatedSymmetricCipherBase *>(this)->AccessSymmetricCipher();};
+
+	virtual SymmetricCipher & AccessSymmetricCipher() =0;
+	virtual bool AuthenticationIsOnPlaintext() const =0;
+	virtual unsigned int AuthenticationBlockSize() const =0;
+	virtual void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params) =0;
+	virtual void Resync(const byte *iv, size_t len) =0;
+	virtual size_t AuthenticateBlocks(const byte *data, size_t len) =0;
+	virtual void AuthenticateLastHeaderBlock() =0;
+	virtual void AuthenticateLastConfidentialBlock() {}
+	virtual void AuthenticateLastFooterBlock(byte *mac, size_t macSize) =0;
+
+	enum State {State_Start, State_KeySet, State_IVSet, State_AuthUntransformed, State_AuthTransformed, State_AuthFooter};
+	State m_state;
+	unsigned int m_bufferedDataLength;
+	lword m_totalHeaderLength, m_totalMessageLength, m_totalFooterLength;
+	AlignedSecByteBlock m_buffer;
+};
+
+NAMESPACE_END
+
+#endif
diff --git a/CryptoPP/ccm.cpp b/CryptoPP/ccm.cpp
index 036878719..030828ad8 100644
--- a/CryptoPP/ccm.cpp
+++ b/CryptoPP/ccm.cpp
@@ -1,140 +1,140 @@
-// ccm.cpp - written and placed in the public domain by Wei Dai

-

-#include "pch.h"

-

-#ifndef CRYPTOPP_IMPORTS

-

-#include "ccm.h"

-

-NAMESPACE_BEGIN(CryptoPP)

-

-void CCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params)

-{

-	BlockCipher &blockCipher = AccessBlockCipher();

-

-	blockCipher.SetKey(userKey, keylength, params);

-

-	if (blockCipher.BlockSize() != REQUIRED_BLOCKSIZE)

-		throw InvalidArgument(AlgorithmName() + ": block size of underlying block cipher is not 16");

-

-	m_digestSize = params.GetIntValueWithDefault(Name::DigestSize(), DefaultDigestSize());

-	if (m_digestSize % 2 > 0 || m_digestSize < 4 || m_digestSize > 16)

-		throw InvalidArgument(AlgorithmName() + ": DigestSize must be 4, 6, 8, 10, 12, 14, or 16");

-

-	m_buffer.Grow(2*REQUIRED_BLOCKSIZE);

-	m_L = 8;

-}

-

-void CCM_Base::Resync(const byte *iv, size_t len)

-{

-	BlockCipher &cipher = AccessBlockCipher();

-

-	m_L = REQUIRED_BLOCKSIZE-1-(int)len;

-	assert(m_L >= 2);

-	if (m_L > 8)

-		m_L = 8;

-

-	m_buffer[0] = byte(m_L-1);	// flag

-	memcpy(m_buffer+1, iv, len);

-	memset(m_buffer+1+len, 0, REQUIRED_BLOCKSIZE-1-len);

-

-	if (m_state >= State_IVSet)

-		m_ctr.Resynchronize(m_buffer, REQUIRED_BLOCKSIZE);

-	else

-		m_ctr.SetCipherWithIV(cipher, m_buffer);

-

-	m_ctr.Seek(REQUIRED_BLOCKSIZE);

-	m_aadLength = 0; 

-	m_messageLength = 0;

-}

-

-void CCM_Base::UncheckedSpecifyDataLengths(lword headerLength, lword messageLength, lword footerLength)

-{

-	if (m_state != State_IVSet)

-		throw BadState(AlgorithmName(), "SpecifyDataLengths", "or after State_IVSet");

-

-	m_aadLength = headerLength; 

-	m_messageLength = messageLength;

-

-	byte *cbcBuffer = CBC_Buffer();

-	const BlockCipher &cipher = GetBlockCipher();

-

-	cbcBuffer[0] = byte(64*(headerLength>0) + 8*((m_digestSize-2)/2) + (m_L-1));	// flag

-	PutWord<word64>(true, BIG_ENDIAN_ORDER, cbcBuffer+REQUIRED_BLOCKSIZE-8, m_messageLength);

-	memcpy(cbcBuffer+1, m_buffer+1, REQUIRED_BLOCKSIZE-1-m_L);

-	cipher.ProcessBlock(cbcBuffer);

-

-	if (headerLength>0)

-	{

-		assert(m_bufferedDataLength == 0);

-

-		if (headerLength < ((1<<16) - (1<<8)))

-		{

-			PutWord<word16>(true, BIG_ENDIAN_ORDER, m_buffer, (word16)headerLength);

-			m_bufferedDataLength = 2;

-		}

-		else if (headerLength < (W64LIT(1)<<32))

-		{

-			m_buffer[0] = 0xff;

-			m_buffer[1] = 0xfe;

-			PutWord<word32>(false, BIG_ENDIAN_ORDER, m_buffer+2, (word32)headerLength);

-			m_bufferedDataLength = 6;

-		}

-		else

-		{

-			m_buffer[0] = 0xff;

-			m_buffer[1] = 0xff;

-			PutWord<word64>(false, BIG_ENDIAN_ORDER, m_buffer+2, headerLength);

-			m_bufferedDataLength = 10;

-		}

-	}

-}

-

-size_t CCM_Base::AuthenticateBlocks(const byte *data, size_t len)

-{

-	byte *cbcBuffer = CBC_Buffer();

-	const BlockCipher &cipher = GetBlockCipher();

-	return cipher.AdvancedProcessBlocks(cbcBuffer, data, cbcBuffer, len, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);

-}

-

-void CCM_Base::AuthenticateLastHeaderBlock()

-{

-	byte *cbcBuffer = CBC_Buffer();

-	const BlockCipher &cipher = GetBlockCipher();

-

-	if (m_aadLength != m_totalHeaderLength)

-		throw InvalidArgument(AlgorithmName() + ": header length doesn't match that given in SpecifyDataLengths");

-

-	if (m_bufferedDataLength > 0)

-	{

-		xorbuf(cbcBuffer, m_buffer, m_bufferedDataLength);

-		cipher.ProcessBlock(cbcBuffer);

-		m_bufferedDataLength = 0;

-	}

-}

-

-void CCM_Base::AuthenticateLastConfidentialBlock()

-{

-	byte *cbcBuffer = CBC_Buffer();

-	const BlockCipher &cipher = GetBlockCipher();

-

-	if (m_messageLength != m_totalMessageLength)

-		throw InvalidArgument(AlgorithmName() + ": message length doesn't match that given in SpecifyDataLengths");

-

-	if (m_bufferedDataLength > 0)

-	{

-		xorbuf(cbcBuffer, m_buffer, m_bufferedDataLength);

-		cipher.ProcessBlock(cbcBuffer);

-		m_bufferedDataLength = 0;

-	}

-}

-

-void CCM_Base::AuthenticateLastFooterBlock(byte *mac, size_t macSize)

-{

-	m_ctr.Seek(0);

-	m_ctr.ProcessData(mac, CBC_Buffer(), macSize);

-}

-

-NAMESPACE_END

-

-#endif

+// ccm.cpp - written and placed in the public domain by Wei Dai
+
+#include "pch.h"
+
+#ifndef CRYPTOPP_IMPORTS
+
+#include "ccm.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+void CCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params)
+{
+	BlockCipher &blockCipher = AccessBlockCipher();
+
+	blockCipher.SetKey(userKey, keylength, params);
+
+	if (blockCipher.BlockSize() != REQUIRED_BLOCKSIZE)
+		throw InvalidArgument(AlgorithmName() + ": block size of underlying block cipher is not 16");
+
+	m_digestSize = params.GetIntValueWithDefault(Name::DigestSize(), DefaultDigestSize());
+	if (m_digestSize % 2 > 0 || m_digestSize < 4 || m_digestSize > 16)
+		throw InvalidArgument(AlgorithmName() + ": DigestSize must be 4, 6, 8, 10, 12, 14, or 16");
+
+	m_buffer.Grow(2*REQUIRED_BLOCKSIZE);
+	m_L = 8;
+}
+
+void CCM_Base::Resync(const byte *iv, size_t len)
+{
+	BlockCipher &cipher = AccessBlockCipher();
+
+	m_L = REQUIRED_BLOCKSIZE-1-(int)len;
+	assert(m_L >= 2);
+	if (m_L > 8)
+		m_L = 8;
+
+	m_buffer[0] = byte(m_L-1);	// flag
+	memcpy(m_buffer+1, iv, len);
+	memset(m_buffer+1+len, 0, REQUIRED_BLOCKSIZE-1-len);
+
+	if (m_state >= State_IVSet)
+		m_ctr.Resynchronize(m_buffer, REQUIRED_BLOCKSIZE);
+	else
+		m_ctr.SetCipherWithIV(cipher, m_buffer);
+
+	m_ctr.Seek(REQUIRED_BLOCKSIZE);
+	m_aadLength = 0; 
+	m_messageLength = 0;
+}
+
+void CCM_Base::UncheckedSpecifyDataLengths(lword headerLength, lword messageLength, lword footerLength)
+{
+	if (m_state != State_IVSet)
+		throw BadState(AlgorithmName(), "SpecifyDataLengths", "or after State_IVSet");
+
+	m_aadLength = headerLength; 
+	m_messageLength = messageLength;
+
+	byte *cbcBuffer = CBC_Buffer();
+	const BlockCipher &cipher = GetBlockCipher();
+
+	cbcBuffer[0] = byte(64*(headerLength>0) + 8*((m_digestSize-2)/2) + (m_L-1));	// flag
+	PutWord<word64>(true, BIG_ENDIAN_ORDER, cbcBuffer+REQUIRED_BLOCKSIZE-8, m_messageLength);
+	memcpy(cbcBuffer+1, m_buffer+1, REQUIRED_BLOCKSIZE-1-m_L);
+	cipher.ProcessBlock(cbcBuffer);
+
+	if (headerLength>0)
+	{
+		assert(m_bufferedDataLength == 0);
+
+		if (headerLength < ((1<<16) - (1<<8)))
+		{
+			PutWord<word16>(true, BIG_ENDIAN_ORDER, m_buffer, (word16)headerLength);
+			m_bufferedDataLength = 2;
+		}
+		else if (headerLength < (W64LIT(1)<<32))
+		{
+			m_buffer[0] = 0xff;
+			m_buffer[1] = 0xfe;
+			PutWord<word32>(false, BIG_ENDIAN_ORDER, m_buffer+2, (word32)headerLength);
+			m_bufferedDataLength = 6;
+		}
+		else
+		{
+			m_buffer[0] = 0xff;
+			m_buffer[1] = 0xff;
+			PutWord<word64>(false, BIG_ENDIAN_ORDER, m_buffer+2, headerLength);
+			m_bufferedDataLength = 10;
+		}
+	}
+}
+
+size_t CCM_Base::AuthenticateBlocks(const byte *data, size_t len)
+{
+	byte *cbcBuffer = CBC_Buffer();
+	const BlockCipher &cipher = GetBlockCipher();
+	return cipher.AdvancedProcessBlocks(cbcBuffer, data, cbcBuffer, len, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);
+}
+
+void CCM_Base::AuthenticateLastHeaderBlock()
+{
+	byte *cbcBuffer = CBC_Buffer();
+	const BlockCipher &cipher = GetBlockCipher();
+
+	if (m_aadLength != m_totalHeaderLength)
+		throw InvalidArgument(AlgorithmName() + ": header length doesn't match that given in SpecifyDataLengths");
+
+	if (m_bufferedDataLength > 0)
+	{
+		xorbuf(cbcBuffer, m_buffer, m_bufferedDataLength);
+		cipher.ProcessBlock(cbcBuffer);
+		m_bufferedDataLength = 0;
+	}
+}
+
+void CCM_Base::AuthenticateLastConfidentialBlock()
+{
+	byte *cbcBuffer = CBC_Buffer();
+	const BlockCipher &cipher = GetBlockCipher();
+
+	if (m_messageLength != m_totalMessageLength)
+		throw InvalidArgument(AlgorithmName() + ": message length doesn't match that given in SpecifyDataLengths");
+
+	if (m_bufferedDataLength > 0)
+	{
+		xorbuf(cbcBuffer, m_buffer, m_bufferedDataLength);
+		cipher.ProcessBlock(cbcBuffer);
+		m_bufferedDataLength = 0;
+	}
+}
+
+void CCM_Base::AuthenticateLastFooterBlock(byte *mac, size_t macSize)
+{
+	m_ctr.Seek(0);
+	m_ctr.ProcessData(mac, CBC_Buffer(), macSize);
+}
+
+NAMESPACE_END
+
+#endif
diff --git a/CryptoPP/ccm.h b/CryptoPP/ccm.h
index 2f3c56b45..b1e5f00b9 100644
--- a/CryptoPP/ccm.h
+++ b/CryptoPP/ccm.h
@@ -1,101 +1,101 @@
-#ifndef CRYPTOPP_CCM_H

-#define CRYPTOPP_CCM_H

-

-#include "authenc.h"

-#include "modes.h"

-

-NAMESPACE_BEGIN(CryptoPP)

-

-//! .

-class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CCM_Base : public AuthenticatedSymmetricCipherBase

-{

-public:

-	CCM_Base()

-		: m_digestSize(0), m_L(0) {}

-

-	// AuthenticatedSymmetricCipher

-	std::string AlgorithmName() const

-		{return GetBlockCipher().AlgorithmName() + std::string("/CCM");}

-	size_t MinKeyLength() const

-		{return GetBlockCipher().MinKeyLength();}

-	size_t MaxKeyLength() const

-		{return GetBlockCipher().MaxKeyLength();}

-	size_t DefaultKeyLength() const

-		{return GetBlockCipher().DefaultKeyLength();}

-	size_t GetValidKeyLength(size_t n) const

-		{return GetBlockCipher().GetValidKeyLength(n);}

-	bool IsValidKeyLength(size_t n) const

-		{return GetBlockCipher().IsValidKeyLength(n);}

-	unsigned int OptimalDataAlignment() const

-		{return GetBlockCipher().OptimalDataAlignment();}

-	IV_Requirement IVRequirement() const

-		{return UNIQUE_IV;}

-	unsigned int IVSize() const

-		{return 8;}

-	unsigned int MinIVLength() const

-		{return 7;}

-	unsigned int MaxIVLength() const

-		{return 13;}

-	unsigned int DigestSize() const

-		{return m_digestSize;}

-	lword MaxHeaderLength() const

-		{return W64LIT(0)-1;}

-	lword MaxMessageLength() const

-		{return m_L<8 ? (W64LIT(1)<<(8*m_L))-1 : W64LIT(0)-1;}

-	bool NeedsPrespecifiedDataLengths() const

-		{return true;}

-	void UncheckedSpecifyDataLengths(lword headerLength, lword messageLength, lword footerLength);

-

-protected:

-	// AuthenticatedSymmetricCipherBase

-	bool AuthenticationIsOnPlaintext() const

-		{return true;}

-	unsigned int AuthenticationBlockSize() const

-		{return GetBlockCipher().BlockSize();}

-	void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params);

-	void Resync(const byte *iv, size_t len);

-	size_t AuthenticateBlocks(const byte *data, size_t len);

-	void AuthenticateLastHeaderBlock();

-	void AuthenticateLastConfidentialBlock();

-	void AuthenticateLastFooterBlock(byte *mac, size_t macSize);

-	SymmetricCipher & AccessSymmetricCipher() {return m_ctr;}

-

-	virtual BlockCipher & AccessBlockCipher() =0;

-	virtual int DefaultDigestSize() const =0;

-

-	const BlockCipher & GetBlockCipher() const {return const_cast<CCM_Base *>(this)->AccessBlockCipher();};

-	byte *CBC_Buffer() {return m_buffer+REQUIRED_BLOCKSIZE;}

-

-	enum {REQUIRED_BLOCKSIZE = 16};

-	int m_digestSize, m_L;

-	word64 m_messageLength, m_aadLength;

-	CTR_Mode_ExternalCipher::Encryption m_ctr;

-};

-

-//! .

-template <class T_BlockCipher, int T_DefaultDigestSize, bool T_IsEncryption>

-class CCM_Final : public CCM_Base

-{

-public:

-	static std::string StaticAlgorithmName()

-		{return T_BlockCipher::StaticAlgorithmName() + std::string("/CCM");}

-	bool IsForwardTransformation() const

-		{return T_IsEncryption;}

-

-private:

-	BlockCipher & AccessBlockCipher() {return m_cipher;}

-	int DefaultDigestSize() const {return T_DefaultDigestSize;}

-	typename T_BlockCipher::Encryption m_cipher;

-};

-

-/// <a href="http://www.cryptolounge.org/wiki/CCM">CCM</a>

-template <class T_BlockCipher, int T_DefaultDigestSize = 16>

-struct CCM : public AuthenticatedSymmetricCipherDocumentation

-{

-	typedef CCM_Final<T_BlockCipher, T_DefaultDigestSize, true> Encryption;

-	typedef CCM_Final<T_BlockCipher, T_DefaultDigestSize, false> Decryption;

-};

-

-NAMESPACE_END

-

-#endif

+#ifndef CRYPTOPP_CCM_H
+#define CRYPTOPP_CCM_H
+
+#include "authenc.h"
+#include "modes.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+//! .
+class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CCM_Base : public AuthenticatedSymmetricCipherBase
+{
+public:
+	CCM_Base()
+		: m_digestSize(0), m_L(0) {}
+
+	// AuthenticatedSymmetricCipher
+	std::string AlgorithmName() const
+		{return GetBlockCipher().AlgorithmName() + std::string("/CCM");}
+	size_t MinKeyLength() const
+		{return GetBlockCipher().MinKeyLength();}
+	size_t MaxKeyLength() const
+		{return GetBlockCipher().MaxKeyLength();}
+	size_t DefaultKeyLength() const
+		{return GetBlockCipher().DefaultKeyLength();}
+	size_t GetValidKeyLength(size_t n) const
+		{return GetBlockCipher().GetValidKeyLength(n);}
+	bool IsValidKeyLength(size_t n) const
+		{return GetBlockCipher().IsValidKeyLength(n);}
+	unsigned int OptimalDataAlignment() const
+		{return GetBlockCipher().OptimalDataAlignment();}
+	IV_Requirement IVRequirement() const
+		{return UNIQUE_IV;}
+	unsigned int IVSize() const
+		{return 8;}
+	unsigned int MinIVLength() const
+		{return 7;}
+	unsigned int MaxIVLength() const
+		{return 13;}
+	unsigned int DigestSize() const
+		{return m_digestSize;}
+	lword MaxHeaderLength() const
+		{return W64LIT(0)-1;}
+	lword MaxMessageLength() const
+		{return m_L<8 ? (W64LIT(1)<<(8*m_L))-1 : W64LIT(0)-1;}
+	bool NeedsPrespecifiedDataLengths() const
+		{return true;}
+	void UncheckedSpecifyDataLengths(lword headerLength, lword messageLength, lword footerLength);
+
+protected:
+	// AuthenticatedSymmetricCipherBase
+	bool AuthenticationIsOnPlaintext() const
+		{return true;}
+	unsigned int AuthenticationBlockSize() const
+		{return GetBlockCipher().BlockSize();}
+	void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params);
+	void Resync(const byte *iv, size_t len);
+	size_t AuthenticateBlocks(const byte *data, size_t len);
+	void AuthenticateLastHeaderBlock();
+	void AuthenticateLastConfidentialBlock();
+	void AuthenticateLastFooterBlock(byte *mac, size_t macSize);
+	SymmetricCipher & AccessSymmetricCipher() {return m_ctr;}
+
+	virtual BlockCipher & AccessBlockCipher() =0;
+	virtual int DefaultDigestSize() const =0;
+
+	const BlockCipher & GetBlockCipher() const {return const_cast<CCM_Base *>(this)->AccessBlockCipher();};
+	byte *CBC_Buffer() {return m_buffer+REQUIRED_BLOCKSIZE;}
+
+	enum {REQUIRED_BLOCKSIZE = 16};
+	int m_digestSize, m_L;
+	word64 m_messageLength, m_aadLength;
+	CTR_Mode_ExternalCipher::Encryption m_ctr;
+};
+
+//! .
+template <class T_BlockCipher, int T_DefaultDigestSize, bool T_IsEncryption>
+class CCM_Final : public CCM_Base
+{
+public:
+	static std::string StaticAlgorithmName()
+		{return T_BlockCipher::StaticAlgorithmName() + std::string("/CCM");}
+	bool IsForwardTransformation() const
+		{return T_IsEncryption;}
+
+private:
+	BlockCipher & AccessBlockCipher() {return m_cipher;}
+	int DefaultDigestSize() const {return T_DefaultDigestSize;}
+	typename T_BlockCipher::Encryption m_cipher;
+};
+
+/// <a href="http://www.cryptolounge.org/wiki/CCM">CCM</a>
+template <class T_BlockCipher, int T_DefaultDigestSize = 16>
+struct CCM : public AuthenticatedSymmetricCipherDocumentation
+{
+	typedef CCM_Final<T_BlockCipher, T_DefaultDigestSize, true> Encryption;
+	typedef CCM_Final<T_BlockCipher, T_DefaultDigestSize, false> Decryption;
+};
+
+NAMESPACE_END
+
+#endif
diff --git a/CryptoPP/cmac.cpp b/CryptoPP/cmac.cpp
index e8fa6fea6..a31d5f8b0 100644
--- a/CryptoPP/cmac.cpp
+++ b/CryptoPP/cmac.cpp
@@ -1,122 +1,122 @@
-// cmac.cpp - written and placed in the public domain by Wei Dai

-

-#include "pch.h"

-

-#ifndef CRYPTOPP_IMPORTS

-

-#include "cmac.h"

-

-NAMESPACE_BEGIN(CryptoPP)

-

-static void MulU(byte *k, unsigned int length)

-{

-	byte carry = 0;

-

-	for (int i=length-1; i>=1; i-=2)

-	{

-		byte carry2 = k[i] >> 7;

-		k[i] += k[i] + carry;

-		carry = k[i-1] >> 7;

-		k[i-1] += k[i-1] + carry2;

-	}

-

-	if (carry)

-	{

-		switch (length)

-		{

-		case 8:

-			k[7] ^= 0x1b;

-			break;

-		case 16:

-			k[15] ^= 0x87;

-			break;

-		case 32:

-			k[30] ^= 4; 

-			k[31] ^= 0x23;

-			break;

-		default:

-			throw InvalidArgument("CMAC: " + IntToString(length) + " is not a supported cipher block size");

-		}

-	}

-}

-

-void CMAC_Base::UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params)

-{

-	BlockCipher &cipher = AccessCipher();

-	unsigned int blockSize = cipher.BlockSize();

-

-	cipher.SetKey(key, length, params);

-	m_reg.CleanNew(3*blockSize);

-	m_counter = 0;

-

-	cipher.ProcessBlock(m_reg, m_reg+blockSize);

-	MulU(m_reg+blockSize, blockSize);

-	memcpy(m_reg+2*blockSize, m_reg+blockSize, blockSize);

-	MulU(m_reg+2*blockSize, blockSize);

-}

-

-void CMAC_Base::Update(const byte *input, size_t length)

-{

-	if (!length)

-		return;

-

-	BlockCipher &cipher = AccessCipher();

-	unsigned int blockSize = cipher.BlockSize();

-

-	if (m_counter > 0)

-	{

-		unsigned int len = UnsignedMin(blockSize - m_counter, length);

-		xorbuf(m_reg+m_counter, input, len);

-		length -= len;

-		input += len;

-		m_counter += len;

-

-		if (m_counter == blockSize && length > 0)

-		{

-			cipher.ProcessBlock(m_reg);

-			m_counter = 0;

-		}

-	}

-

-	if (length > blockSize)

-	{

-		assert(m_counter == 0);

-		size_t leftOver = 1 + cipher.AdvancedProcessBlocks(m_reg, input, m_reg, length-1, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);

-		input += (length - leftOver);

-		length = leftOver;

-	}

-

-	if (length > 0)

-	{

-		assert(m_counter + length <= blockSize);

-		xorbuf(m_reg+m_counter, input, length);

-		m_counter += (unsigned int)length;

-	}

-

-	assert(m_counter > 0);

-}

-

-void CMAC_Base::TruncatedFinal(byte *mac, size_t size)

-{

-	ThrowIfInvalidTruncatedSize(size);

-

-	BlockCipher &cipher = AccessCipher();

-	unsigned int blockSize = cipher.BlockSize();

-

-	if (m_counter < blockSize)

-	{

-		m_reg[m_counter] ^= 0x80;

-		cipher.AdvancedProcessBlocks(m_reg, m_reg+2*blockSize, m_reg, blockSize, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);

-	}

-	else

-		cipher.AdvancedProcessBlocks(m_reg, m_reg+blockSize, m_reg, blockSize, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);

-

-	memcpy(mac, m_reg, size);

-

-	m_counter = 0;

-	memset(m_reg, 0, blockSize);

-}

-

-NAMESPACE_END

-

-#endif

+// cmac.cpp - written and placed in the public domain by Wei Dai
+
+#include "pch.h"
+
+#ifndef CRYPTOPP_IMPORTS
+
+#include "cmac.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+static void MulU(byte *k, unsigned int length)
+{
+	byte carry = 0;
+
+	for (int i=length-1; i>=1; i-=2)
+	{
+		byte carry2 = k[i] >> 7;
+		k[i] += k[i] + carry;
+		carry = k[i-1] >> 7;
+		k[i-1] += k[i-1] + carry2;
+	}
+
+	if (carry)
+	{
+		switch (length)
+		{
+		case 8:
+			k[7] ^= 0x1b;
+			break;
+		case 16:
+			k[15] ^= 0x87;
+			break;
+		case 32:
+			k[30] ^= 4; 
+			k[31] ^= 0x23;
+			break;
+		default:
+			throw InvalidArgument("CMAC: " + IntToString(length) + " is not a supported cipher block size");
+		}
+	}
+}
+
+void CMAC_Base::UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params)
+{
+	BlockCipher &cipher = AccessCipher();
+	unsigned int blockSize = cipher.BlockSize();
+
+	cipher.SetKey(key, length, params);
+	m_reg.CleanNew(3*blockSize);
+	m_counter = 0;
+
+	cipher.ProcessBlock(m_reg, m_reg+blockSize);
+	MulU(m_reg+blockSize, blockSize);
+	memcpy(m_reg+2*blockSize, m_reg+blockSize, blockSize);
+	MulU(m_reg+2*blockSize, blockSize);
+}
+
+void CMAC_Base::Update(const byte *input, size_t length)
+{
+	if (!length)
+		return;
+
+	BlockCipher &cipher = AccessCipher();
+	unsigned int blockSize = cipher.BlockSize();
+
+	if (m_counter > 0)
+	{
+		unsigned int len = UnsignedMin(blockSize - m_counter, length);
+		xorbuf(m_reg+m_counter, input, len);
+		length -= len;
+		input += len;
+		m_counter += len;
+
+		if (m_counter == blockSize && length > 0)
+		{
+			cipher.ProcessBlock(m_reg);
+			m_counter = 0;
+		}
+	}
+
+	if (length > blockSize)
+	{
+		assert(m_counter == 0);
+		size_t leftOver = 1 + cipher.AdvancedProcessBlocks(m_reg, input, m_reg, length-1, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);
+		input += (length - leftOver);
+		length = leftOver;
+	}
+
+	if (length > 0)
+	{
+		assert(m_counter + length <= blockSize);
+		xorbuf(m_reg+m_counter, input, length);
+		m_counter += (unsigned int)length;
+	}
+
+	assert(m_counter > 0);
+}
+
+void CMAC_Base::TruncatedFinal(byte *mac, size_t size)
+{
+	ThrowIfInvalidTruncatedSize(size);
+
+	BlockCipher &cipher = AccessCipher();
+	unsigned int blockSize = cipher.BlockSize();
+
+	if (m_counter < blockSize)
+	{
+		m_reg[m_counter] ^= 0x80;
+		cipher.AdvancedProcessBlocks(m_reg, m_reg+2*blockSize, m_reg, blockSize, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);
+	}
+	else
+		cipher.AdvancedProcessBlocks(m_reg, m_reg+blockSize, m_reg, blockSize, BlockTransformation::BT_DontIncrementInOutPointers|BlockTransformation::BT_XorInput);
+
+	memcpy(mac, m_reg, size);
+
+	m_counter = 0;
+	memset(m_reg, 0, blockSize);
+}
+
+NAMESPACE_END
+
+#endif
diff --git a/CryptoPP/cmac.h b/CryptoPP/cmac.h
index ab3ecf8cc..d8a1b391d 100644
--- a/CryptoPP/cmac.h
+++ b/CryptoPP/cmac.h
@@ -1,52 +1,52 @@
-#ifndef CRYPTOPP_CMAC_H

-#define CRYPTOPP_CMAC_H

-

-#include "seckey.h"

-#include "secblock.h"

-

-NAMESPACE_BEGIN(CryptoPP)

-

-//! _

-class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CMAC_Base : public MessageAuthenticationCode

-{

-public:

-	CMAC_Base() {}

-

-	void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params);

-	void Update(const byte *input, size_t length);

-	void TruncatedFinal(byte *mac, size_t size);

-	unsigned int DigestSize() const {return GetCipher().BlockSize();}

-	unsigned int OptimalBlockSize() const {return GetCipher().BlockSize();}

-	unsigned int OptimalDataAlignment() const {return GetCipher().OptimalDataAlignment();}

-

-protected:

-	friend class EAX_Base;

-

-	const BlockCipher & GetCipher() const {return const_cast<CMAC_Base*>(this)->AccessCipher();}

-	virtual BlockCipher & AccessCipher() =0;

-

-	void ProcessBuf();

-	SecByteBlock m_reg;

-	unsigned int m_counter;

-};

-

-/// <a href="http://www.cryptolounge.org/wiki/CMAC">CMAC</a>

-/*! Template parameter T should be a class derived from BlockCipherDocumentation, for example AES, with a block size of 8, 16, or 32 */

-template <class T>

-class CMAC : public MessageAuthenticationCodeImpl<CMAC_Base, CMAC<T> >, public SameKeyLengthAs<T>

-{

-public:

-	CMAC() {}

-	CMAC(const byte *key, size_t length=SameKeyLengthAs<T>::DEFAULT_KEYLENGTH)

-		{this->SetKey(key, length);}

-

-	static std::string StaticAlgorithmName() {return std::string("CMAC(") + T::StaticAlgorithmName() + ")";}

-

-private:

-	BlockCipher & AccessCipher() {return m_cipher;}

-	typename T::Encryption m_cipher;

-};

-

-NAMESPACE_END

-

-#endif

+#ifndef CRYPTOPP_CMAC_H
+#define CRYPTOPP_CMAC_H
+
+#include "seckey.h"
+#include "secblock.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+//! _
+class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE CMAC_Base : public MessageAuthenticationCode
+{
+public:
+	CMAC_Base() {}
+
+	void UncheckedSetKey(const byte *key, unsigned int length, const NameValuePairs &params);
+	void Update(const byte *input, size_t length);
+	void TruncatedFinal(byte *mac, size_t size);
+	unsigned int DigestSize() const {return GetCipher().BlockSize();}
+	unsigned int OptimalBlockSize() const {return GetCipher().BlockSize();}
+	unsigned int OptimalDataAlignment() const {return GetCipher().OptimalDataAlignment();}
+
+protected:
+	friend class EAX_Base;
+
+	const BlockCipher & GetCipher() const {return const_cast<CMAC_Base*>(this)->AccessCipher();}
+	virtual BlockCipher & AccessCipher() =0;
+
+	void ProcessBuf();
+	SecByteBlock m_reg;
+	unsigned int m_counter;
+};
+
+/// <a href="http://www.cryptolounge.org/wiki/CMAC">CMAC</a>
+/*! Template parameter T should be a class derived from BlockCipherDocumentation, for example AES, with a block size of 8, 16, or 32 */
+template <class T>
+class CMAC : public MessageAuthenticationCodeImpl<CMAC_Base, CMAC<T> >, public SameKeyLengthAs<T>
+{
+public:
+	CMAC() {}
+	CMAC(const byte *key, size_t length=SameKeyLengthAs<T>::DEFAULT_KEYLENGTH)
+		{this->SetKey(key, length);}
+
+	static std::string StaticAlgorithmName() {return std::string("CMAC(") + T::StaticAlgorithmName() + ")";}
+
+private:
+	BlockCipher & AccessCipher() {return m_cipher;}
+	typename T::Encryption m_cipher;
+};
+
+NAMESPACE_END
+
+#endif
diff --git a/CryptoPP/eax.cpp b/CryptoPP/eax.cpp
index cf836632b..2728c9bcd 100644
--- a/CryptoPP/eax.cpp
+++ b/CryptoPP/eax.cpp
@@ -1,59 +1,59 @@
-// eax.cpp - written and placed in the public domain by Wei Dai

-

-#include "pch.h"

-#include "eax.h"

-

-NAMESPACE_BEGIN(CryptoPP)

-

-void EAX_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params)

-{

-	AccessMAC().SetKey(userKey, keylength, params);

-	m_buffer.New(2*AccessMAC().TagSize());

-}

-

-void EAX_Base::Resync(const byte *iv, size_t len)

-{

-	MessageAuthenticationCode &mac = AccessMAC();

-	unsigned int blockSize = mac.TagSize();

-

-	memset(m_buffer, 0, blockSize);

-	mac.Update(m_buffer, blockSize);

-	mac.CalculateDigest(m_buffer+blockSize, iv, len);

-

-	m_buffer[blockSize-1] = 1;

-	mac.Update(m_buffer, blockSize);

-

-	m_ctr.SetCipherWithIV(AccessMAC().AccessCipher(), m_buffer+blockSize, blockSize);

-}

-

-size_t EAX_Base::AuthenticateBlocks(const byte *data, size_t len)

-{

-	AccessMAC().Update(data, len);

-	return 0;

-}

-

-void EAX_Base::AuthenticateLastHeaderBlock()

-{

-	assert(m_bufferedDataLength == 0);

-	MessageAuthenticationCode &mac = AccessMAC();

-	unsigned int blockSize = mac.TagSize();

-

-	mac.Final(m_buffer);

-	xorbuf(m_buffer+blockSize, m_buffer, blockSize);

-

-	memset(m_buffer, 0, blockSize);

-	m_buffer[blockSize-1] = 2;

-	mac.Update(m_buffer, blockSize);

-}

-

-void EAX_Base::AuthenticateLastFooterBlock(byte *tag, size_t macSize)

-{

-	assert(m_bufferedDataLength == 0);

-	MessageAuthenticationCode &mac = AccessMAC();

-	unsigned int blockSize = mac.TagSize();

-

-	mac.TruncatedFinal(m_buffer, macSize);

-	xorbuf(tag, m_buffer, m_buffer+blockSize, macSize);

-}

-

-NAMESPACE_END

+// eax.cpp - written and placed in the public domain by Wei Dai
+
+#include "pch.h"
+#include "eax.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+void EAX_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params)
+{
+	AccessMAC().SetKey(userKey, keylength, params);
+	m_buffer.New(2*AccessMAC().TagSize());
+}
+
+void EAX_Base::Resync(const byte *iv, size_t len)
+{
+	MessageAuthenticationCode &mac = AccessMAC();
+	unsigned int blockSize = mac.TagSize();
+
+	memset(m_buffer, 0, blockSize);
+	mac.Update(m_buffer, blockSize);
+	mac.CalculateDigest(m_buffer+blockSize, iv, len);
+
+	m_buffer[blockSize-1] = 1;
+	mac.Update(m_buffer, blockSize);
+
+	m_ctr.SetCipherWithIV(AccessMAC().AccessCipher(), m_buffer+blockSize, blockSize);
+}
+
+size_t EAX_Base::AuthenticateBlocks(const byte *data, size_t len)
+{
+	AccessMAC().Update(data, len);
+	return 0;
+}
+
+void EAX_Base::AuthenticateLastHeaderBlock()
+{
+	assert(m_bufferedDataLength == 0);
+	MessageAuthenticationCode &mac = AccessMAC();
+	unsigned int blockSize = mac.TagSize();
+
+	mac.Final(m_buffer);
+	xorbuf(m_buffer+blockSize, m_buffer, blockSize);
+
+	memset(m_buffer, 0, blockSize);
+	m_buffer[blockSize-1] = 2;
+	mac.Update(m_buffer, blockSize);
+}
+
+void EAX_Base::AuthenticateLastFooterBlock(byte *tag, size_t macSize)
+{
+	assert(m_bufferedDataLength == 0);
+	MessageAuthenticationCode &mac = AccessMAC();
+	unsigned int blockSize = mac.TagSize();
+
+	mac.TruncatedFinal(m_buffer, macSize);
+	xorbuf(tag, m_buffer, m_buffer+blockSize, macSize);
+}
+
+NAMESPACE_END
diff --git a/CryptoPP/gcm.cpp b/CryptoPP/gcm.cpp
index 237325d9f..2304f96d8 100644
--- a/CryptoPP/gcm.cpp
+++ b/CryptoPP/gcm.cpp
@@ -1,828 +1,828 @@
-// gcm.cpp - written and placed in the public domain by Wei Dai

-

-// use "cl /EP /P /DCRYPTOPP_GENERATE_X64_MASM gcm.cpp" to generate MASM code

-

-#include "pch.h"

-

-#ifndef CRYPTOPP_IMPORTS

-#ifndef CRYPTOPP_GENERATE_X64_MASM

-

-#include "gcm.h"

-#include "cpu.h"

-

-NAMESPACE_BEGIN(CryptoPP)

-

-word16 GCM_Base::s_reductionTable[256];

-volatile bool GCM_Base::s_reductionTableInitialized = false;

-

-void GCM_Base::GCTR::IncrementCounterBy256()

-{

-	IncrementCounterByOne(m_counterArray+BlockSize()-4, 3);

-}

-

-#if 0

-// preserved for testing

-void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *c)

-{

-	word64 Z0=0, Z1=0, V0, V1;

-

-	typedef BlockGetAndPut<word64, BigEndian> Block;

-	Block::Get(a)(V0)(V1);

-

-	for (int i=0; i<16; i++) 

-	{

-		for (int j=0x80; j!=0; j>>=1)

-		{

-			int x = b[i] & j;

-			Z0 ^= x ? V0 : 0;

-			Z1 ^= x ? V1 : 0;

-			x = (int)V1 & 1;

-			V1 = (V1>>1) | (V0<<63);

-			V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0);

-		}

-	}

-	Block::Put(NULL, c)(Z0)(Z1);

-}

-

-__m128i _mm_clmulepi64_si128(const __m128i &a, const __m128i &b, int i)

-{

-	word64 A[1] = {ByteReverse(((word64*)&a)[i&1])};

-	word64 B[1] = {ByteReverse(((word64*)&b)[i>>4])};

-

-	PolynomialMod2 pa((byte *)A, 8);

-	PolynomialMod2 pb((byte *)B, 8);

-	PolynomialMod2 c = pa*pb;

-

-	__m128i output;

-	for (int i=0; i<16; i++)

-		((byte *)&output)[i] = c.GetByte(i);

-	return output;

-}

-#endif

-

-#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE

-inline static void SSE2_Xor16(byte *a, const byte *b, const byte *c)

-{

-#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE

-	*(__m128i *)a = _mm_xor_si128(*(__m128i *)b, *(__m128i *)c);

-#else

-	asm ("movdqa %1, %%xmm0; pxor %2, %%xmm0; movdqa %%xmm0, %0;" : "=m" (a[0]) : "m"(b[0]), "m"(c[0]));

-#endif

-}

-#endif

-

-inline static void Xor16(byte *a, const byte *b, const byte *c)

-{

-	((word64 *)a)[0] = ((word64 *)b)[0] ^ ((word64 *)c)[0];

-	((word64 *)a)[1] = ((word64 *)b)[1] ^ ((word64 *)c)[1];

-}

-

-#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE

-static CRYPTOPP_ALIGN_DATA(16) const word64 s_clmulConstants64[] = {

-	W64LIT(0xe100000000000000), W64LIT(0xc200000000000000),

-	W64LIT(0x08090a0b0c0d0e0f), W64LIT(0x0001020304050607),

-	W64LIT(0x0001020304050607), W64LIT(0x08090a0b0c0d0e0f)};

-static const __m128i *s_clmulConstants = (const __m128i *)s_clmulConstants64;

-static const unsigned int s_clmulTableSizeInBlocks = 8;

-

-inline __m128i CLMUL_Reduce(__m128i c0, __m128i c1, __m128i c2, const __m128i &r)

-{

-	/* 

-	The polynomial to be reduced is c0 * x^128 + c1 * x^64 + c2. c0t below refers to the most 

-	significant half of c0 as a polynomial, which, due to GCM's bit reflection, are in the

-	rightmost bit positions, and the lowest byte addresses.

-

-	c1 ^= c0t * 0xc200000000000000

-	c2t ^= c0t

-	t = shift (c1t ^ c0b) left 1 bit

-	c2 ^= t * 0xe100000000000000

-	c2t ^= c1b

-	shift c2 left 1 bit and xor in lowest bit of c1t

-	*/

-#if 0	// MSVC 2010 workaround: see http://connect.microsoft.com/VisualStudio/feedback/details/575301

-	c2 = _mm_xor_si128(c2, _mm_move_epi64(c0));

-#else

-	c1 = _mm_xor_si128(c1, _mm_slli_si128(c0, 8));

-#endif

-	c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(c0, r, 0x10));

-	c0 = _mm_srli_si128(c0, 8);

-	c0 = _mm_xor_si128(c0, c1);

-	c0 = _mm_slli_epi64(c0, 1);

-	c0 = _mm_clmulepi64_si128(c0, r, 0);

-	c2 = _mm_xor_si128(c2, c0);

-	c2 = _mm_xor_si128(c2, _mm_srli_si128(c1, 8));

-	c1 = _mm_unpacklo_epi64(c1, c2);

-	c1 = _mm_srli_epi64(c1, 63);

-	c2 = _mm_slli_epi64(c2, 1);

-	return _mm_xor_si128(c2, c1);

-}

-

-inline __m128i CLMUL_GF_Mul(const __m128i &x, const __m128i &h, const __m128i &r)

-{

-	__m128i c0 = _mm_clmulepi64_si128(x,h,0);

-	__m128i c1 = _mm_xor_si128(_mm_clmulepi64_si128(x,h,1), _mm_clmulepi64_si128(x,h,0x10));

-	__m128i c2 = _mm_clmulepi64_si128(x,h,0x11);

-

-	return CLMUL_Reduce(c0, c1, c2, r);

-}

-#endif

-

-void GCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params)

-{

-	BlockCipher &blockCipher = AccessBlockCipher();

-	blockCipher.SetKey(userKey, keylength, params);

-

-	if (blockCipher.BlockSize() != REQUIRED_BLOCKSIZE)

-		throw InvalidArgument(AlgorithmName() + ": block size of underlying block cipher is not 16");

-

-	int tableSize, i, j, k;

-

-#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE

-	if (HasCLMUL())

-	{

-		params.GetIntValue(Name::TableSize(), tableSize);	// avoid "parameter not used" error

-		tableSize = s_clmulTableSizeInBlocks * REQUIRED_BLOCKSIZE;

-	}

-	else

-#endif

-	{

-		if (params.GetIntValue(Name::TableSize(), tableSize))

-			tableSize = (tableSize >= 64*1024) ? 64*1024 : 2*1024;

-		else

-			tableSize = (GetTablesOption() == GCM_64K_Tables) ? 64*1024 : 2*1024;

-

-#if defined(_MSC_VER) && (_MSC_VER >= 1300 && _MSC_VER < 1400)

-		// VC 2003 workaround: compiler generates bad code for 64K tables

-		tableSize = 2*1024;

-#endif

-	}

-

-	m_buffer.resize(3*REQUIRED_BLOCKSIZE + tableSize);

-	byte *table = MulTable();

-	byte *hashKey = HashKey();

-	memset(hashKey, 0, REQUIRED_BLOCKSIZE);

-	blockCipher.ProcessBlock(hashKey);

-

-#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE

-	if (HasCLMUL())

-	{

-		const __m128i r = s_clmulConstants[0];

-		__m128i h0 = _mm_shuffle_epi8(_mm_load_si128((__m128i *)hashKey), s_clmulConstants[1]);

-		__m128i h = h0;

-

-		for (i=0; i<tableSize; i+=32)

-		{

-			__m128i h1 = CLMUL_GF_Mul(h, h0, r);

-			_mm_storel_epi64((__m128i *)(table+i), h);

-			_mm_storeu_si128((__m128i *)(table+i+16), h1);

-			_mm_storeu_si128((__m128i *)(table+i+8), h);

-			_mm_storel_epi64((__m128i *)(table+i+8), h1);

-			h = CLMUL_GF_Mul(h1, h0, r);

-		}

-

-		return;

-	}

-#endif

-

-	word64 V0, V1;

-	typedef BlockGetAndPut<word64, BigEndian> Block;

-	Block::Get(hashKey)(V0)(V1);

-

-	if (tableSize == 64*1024)

-	{

-		for (i=0; i<128; i++)

-		{

-			k = i%8;

-			Block::Put(NULL, table+(i/8)*256*16+(size_t(1)<<(11-k)))(V0)(V1);

-

-			int x = (int)V1 & 1; 

-			V1 = (V1>>1) | (V0<<63);

-			V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0);

-		}

-

-		for (i=0; i<16; i++)

-		{

-			memset(table+i*256*16, 0, 16);

-#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE

-			if (HasSSE2())

-				for (j=2; j<=0x80; j*=2)

-					for (k=1; k<j; k++)

-						SSE2_Xor16(table+i*256*16+(j+k)*16, table+i*256*16+j*16, table+i*256*16+k*16);

-			else

-#endif

-				for (j=2; j<=0x80; j*=2)

-					for (k=1; k<j; k++)

-						Xor16(table+i*256*16+(j+k)*16, table+i*256*16+j*16, table+i*256*16+k*16);

-		}

-	}

-	else

-	{

-		if (!s_reductionTableInitialized)

-		{

-			s_reductionTable[0] = 0;

-			word16 x = 0x01c2;

-			s_reductionTable[1] = ByteReverse(x);

-			for (int i=2; i<=0x80; i*=2)

-			{

-				x <<= 1;

-				s_reductionTable[i] = ByteReverse(x);

-				for (int j=1; j<i; j++)

-					s_reductionTable[i+j] = s_reductionTable[i] ^ s_reductionTable[j];

-			}

-			s_reductionTableInitialized = true;

-		}

-

-		for (i=0; i<128-24; i++)

-		{

-			k = i%32;

-			if (k < 4)

-				Block::Put(NULL, table+1024+(i/32)*256+(size_t(1)<<(7-k)))(V0)(V1);

-			else if (k < 8)

-				Block::Put(NULL, table+(i/32)*256+(size_t(1)<<(11-k)))(V0)(V1);

-

-			int x = (int)V1 & 1; 

-			V1 = (V1>>1) | (V0<<63);

-			V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0);

-		}

-

-		for (i=0; i<4; i++)

-		{

-			memset(table+i*256, 0, 16);

-			memset(table+1024+i*256, 0, 16);

-#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE

-			if (HasSSE2())

-				for (j=2; j<=8; j*=2)

-					for (k=1; k<j; k++)

-					{

-						SSE2_Xor16(table+i*256+(j+k)*16, table+i*256+j*16, table+i*256+k*16);

-						SSE2_Xor16(table+1024+i*256+(j+k)*16, table+1024+i*256+j*16, table+1024+i*256+k*16);

-					}

-			else

-#endif

-				for (j=2; j<=8; j*=2)

-					for (k=1; k<j; k++)

-					{

-						Xor16(table+i*256+(j+k)*16, table+i*256+j*16, table+i*256+k*16);

-						Xor16(table+1024+i*256+(j+k)*16, table+1024+i*256+j*16, table+1024+i*256+k*16);

-					}

-		}

-	}

-}

-

-inline void GCM_Base::ReverseHashBufferIfNeeded()

-{

-#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE

-	if (HasCLMUL())

-	{

-		__m128i &x = *(__m128i *)HashBuffer();

-		x = _mm_shuffle_epi8(x, s_clmulConstants[1]);

-	}

-#endif

-}

-

-void GCM_Base::Resync(const byte *iv, size_t len)

-{

-	BlockCipher &cipher = AccessBlockCipher();

-	byte *hashBuffer = HashBuffer();

-

-	if (len == 12)

-	{

-		memcpy(hashBuffer, iv, len);

-		memset(hashBuffer+len, 0, 3);

-		hashBuffer[len+3] = 1;

-	}

-	else

-	{

-		size_t origLen = len;

-		memset(hashBuffer, 0, HASH_BLOCKSIZE);

-

-		if (len >= HASH_BLOCKSIZE)

-		{

-			len = GCM_Base::AuthenticateBlocks(iv, len);

-			iv += (origLen - len);

-		}

-

-		if (len > 0)

-		{

-			memcpy(m_buffer, iv, len);

-			memset(m_buffer+len, 0, HASH_BLOCKSIZE-len);

-			GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);

-		}

-

-		PutBlock<word64, BigEndian, true>(NULL, m_buffer)(0)(origLen*8);

-		GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);

-

-		ReverseHashBufferIfNeeded();

-	}

-

-	if (m_state >= State_IVSet)

-		m_ctr.Resynchronize(hashBuffer, REQUIRED_BLOCKSIZE);

-	else

-		m_ctr.SetCipherWithIV(cipher, hashBuffer);

-

-	m_ctr.Seek(HASH_BLOCKSIZE);

-

-	memset(hashBuffer, 0, HASH_BLOCKSIZE);

-}

-

-unsigned int GCM_Base::OptimalDataAlignment() const

-{

-	return 

-#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE || defined(CRYPTOPP_X64_MASM_AVAILABLE)

-		HasSSE2() ? 16 : 

-#endif

-		GetBlockCipher().OptimalDataAlignment();

-}

-

-#pragma warning(disable: 4731)	// frame pointer register 'ebp' modified by inline assembly code

-

-#endif	// #ifndef CRYPTOPP_GENERATE_X64_MASM

-

-#ifdef CRYPTOPP_X64_MASM_AVAILABLE

-extern "C" {

-void GCM_AuthenticateBlocks_2K(const byte *data, size_t blocks, word64 *hashBuffer, const word16 *reductionTable);

-void GCM_AuthenticateBlocks_64K(const byte *data, size_t blocks, word64 *hashBuffer);

-}

-#endif

-

-#ifndef CRYPTOPP_GENERATE_X64_MASM

-

-size_t GCM_Base::AuthenticateBlocks(const byte *data, size_t len)

-{

-#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE

-	if (HasCLMUL())

-	{

-		const __m128i *table = (const __m128i *)MulTable();

-		__m128i x = _mm_load_si128((__m128i *)HashBuffer());

-		const __m128i r = s_clmulConstants[0], bswapMask = s_clmulConstants[1], bswapMask2 = s_clmulConstants[2];

-

-		while (len >= 16)

-		{

-			size_t s = UnsignedMin(len/16, s_clmulTableSizeInBlocks), i=0;

-			__m128i d, d2 = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-1)*16)), bswapMask2);;

-			__m128i c0 = _mm_setzero_si128();

-			__m128i c1 = _mm_setzero_si128();

-			__m128i c2 = _mm_setzero_si128();

-

-			while (true)

-			{

-				__m128i h0 = _mm_load_si128(table+i);

-				__m128i h1 = _mm_load_si128(table+i+1);

-				__m128i h01 = _mm_xor_si128(h0, h1);

-

-				if (++i == s)

-				{

-					d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)data), bswapMask);

-					d = _mm_xor_si128(d, x);

-					c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0));

-					c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 1));

-					d = _mm_xor_si128(d, _mm_shuffle_epi32(d, _MM_SHUFFLE(1, 0, 3, 2)));

-					c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0));

-					break;

-				}

-

-				d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-i)*16-8)), bswapMask2);

-				c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d2, h0, 1));

-				c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 1));

-				d2 = _mm_xor_si128(d2, d);

-				c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d2, h01, 1));

-

-				if (++i == s)

-				{

-					d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)data), bswapMask);

-					d = _mm_xor_si128(d, x);

-					c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0x10));

-					c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 0x11));

-					d = _mm_xor_si128(d, _mm_shuffle_epi32(d, _MM_SHUFFLE(1, 0, 3, 2)));

-					c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0x10));

-					break;

-				}

-

-				d2 = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-i)*16-8)), bswapMask);

-				c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0x10));

-				c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d2, h1, 0x10));

-				d = _mm_xor_si128(d, d2);

-				c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0x10));

-			}

-			data += s*16;

-			len -= s*16;

-

-			c1 = _mm_xor_si128(_mm_xor_si128(c1, c0), c2);

-			x = CLMUL_Reduce(c0, c1, c2, r);

-		}

-

-		_mm_store_si128((__m128i *)HashBuffer(), x);

-		return len;

-	}

-#endif

-

-	typedef BlockGetAndPut<word64, NativeByteOrder> Block;

-	word64 *hashBuffer = (word64 *)HashBuffer();

-

-	switch (2*(m_buffer.size()>=64*1024)

-#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE || defined(CRYPTOPP_X64_MASM_AVAILABLE)

-		+ HasSSE2()

-#endif

-		)

-	{

-	case 0:		// non-SSE2 and 2K tables

-		{

-		byte *table = MulTable();

-		word64 x0 = hashBuffer[0], x1 = hashBuffer[1];

-

-		do

-		{

-			word64 y0, y1, a0, a1, b0, b1, c0, c1, d0, d1;

-			Block::Get(data)(y0)(y1);

-			x0 ^= y0;

-			x1 ^= y1;

-

-			data += HASH_BLOCKSIZE;

-			len -= HASH_BLOCKSIZE;

-

-			#define READ_TABLE_WORD64_COMMON(a, b, c, d)	*(word64 *)(table+(a*1024)+(b*256)+c+d*8)

-

-			#ifdef IS_LITTLE_ENDIAN

-				#if CRYPTOPP_BOOL_SLOW_WORD64

-					word32 z0 = (word32)x0;

-					word32 z1 = (word32)(x0>>32);

-					word32 z2 = (word32)x1;

-					word32 z3 = (word32)(x1>>32);

-					#define READ_TABLE_WORD64(a, b, c, d, e)	READ_TABLE_WORD64_COMMON((d%2), c, (d?(z##c>>((d?d-1:0)*4))&0xf0:(z##c&0xf)<<4), e)

-				#else

-					#define READ_TABLE_WORD64(a, b, c, d, e)	READ_TABLE_WORD64_COMMON((d%2), c, ((d+8*b)?(x##a>>(((d+8*b)?(d+8*b)-1:1)*4))&0xf0:(x##a&0xf)<<4), e)

-				#endif

-				#define GF_MOST_SIG_8BITS(a) (a##1 >> 7*8)

-				#define GF_SHIFT_8(a) a##1 = (a##1 << 8) ^ (a##0 >> 7*8); a##0 <<= 8;

-			#else

-				#define READ_TABLE_WORD64(a, b, c, d, e)	READ_TABLE_WORD64_COMMON((1-d%2), c, ((15-d-8*b)?(x##a>>(((15-d-8*b)?(15-d-8*b)-1:0)*4))&0xf0:(x##a&0xf)<<4), e)

-				#define GF_MOST_SIG_8BITS(a) (a##1 & 0xff)

-				#define GF_SHIFT_8(a) a##1 = (a##1 >> 8) ^ (a##0 << 7*8); a##0 >>= 8;

-			#endif

-

-			#define GF_MUL_32BY128(op, a, b, c)											\

-				a0 op READ_TABLE_WORD64(a, b, c, 0, 0) ^ READ_TABLE_WORD64(a, b, c, 1, 0);\

-				a1 op READ_TABLE_WORD64(a, b, c, 0, 1) ^ READ_TABLE_WORD64(a, b, c, 1, 1);\

-				b0 op READ_TABLE_WORD64(a, b, c, 2, 0) ^ READ_TABLE_WORD64(a, b, c, 3, 0);\

-				b1 op READ_TABLE_WORD64(a, b, c, 2, 1) ^ READ_TABLE_WORD64(a, b, c, 3, 1);\

-				c0 op READ_TABLE_WORD64(a, b, c, 4, 0) ^ READ_TABLE_WORD64(a, b, c, 5, 0);\

-				c1 op READ_TABLE_WORD64(a, b, c, 4, 1) ^ READ_TABLE_WORD64(a, b, c, 5, 1);\

-				d0 op READ_TABLE_WORD64(a, b, c, 6, 0) ^ READ_TABLE_WORD64(a, b, c, 7, 0);\

-				d1 op READ_TABLE_WORD64(a, b, c, 6, 1) ^ READ_TABLE_WORD64(a, b, c, 7, 1);\

-

-			GF_MUL_32BY128(=, 0, 0, 0)

-			GF_MUL_32BY128(^=, 0, 1, 1)

-			GF_MUL_32BY128(^=, 1, 0, 2)

-			GF_MUL_32BY128(^=, 1, 1, 3)

-

-			word32 r = (word32)s_reductionTable[GF_MOST_SIG_8BITS(d)] << 16;

-			GF_SHIFT_8(d)

-			c0 ^= d0; c1 ^= d1;

-			r ^= (word32)s_reductionTable[GF_MOST_SIG_8BITS(c)] << 8;

-			GF_SHIFT_8(c)

-			b0 ^= c0; b1 ^= c1;

-			r ^= s_reductionTable[GF_MOST_SIG_8BITS(b)];

-			GF_SHIFT_8(b)

-			a0 ^= b0; a1 ^= b1;

-			a0 ^= ConditionalByteReverse<word64>(LITTLE_ENDIAN_ORDER, r);

-			x0 = a0; x1 = a1;

-		}

-		while (len >= HASH_BLOCKSIZE);

-

-		hashBuffer[0] = x0; hashBuffer[1] = x1;

-		return len;

-		}

-

-	case 2:		// non-SSE2 and 64K tables

-		{

-		byte *table = MulTable();

-		word64 x0 = hashBuffer[0], x1 = hashBuffer[1];

-

-		do

-		{

-			word64 y0, y1, a0, a1;

-			Block::Get(data)(y0)(y1);

-			x0 ^= y0;

-			x1 ^= y1;

-

-			data += HASH_BLOCKSIZE;

-			len -= HASH_BLOCKSIZE;

-

-			#undef READ_TABLE_WORD64_COMMON

-			#undef READ_TABLE_WORD64

-

-			#define READ_TABLE_WORD64_COMMON(a, c, d)	*(word64 *)(table+(a)*256*16+(c)+(d)*8)

-

-			#ifdef IS_LITTLE_ENDIAN

-				#if CRYPTOPP_BOOL_SLOW_WORD64

-					word32 z0 = (word32)x0;

-					word32 z1 = (word32)(x0>>32);

-					word32 z2 = (word32)x1;

-					word32 z3 = (word32)(x1>>32);

-					#define READ_TABLE_WORD64(b, c, d, e)	READ_TABLE_WORD64_COMMON(c*4+d, (d?(z##c>>((d?d:1)*8-4))&0xff0:(z##c&0xff)<<4), e)

-				#else

-					#define READ_TABLE_WORD64(b, c, d, e)	READ_TABLE_WORD64_COMMON(c*4+d, ((d+4*(c%2))?(x##b>>(((d+4*(c%2))?(d+4*(c%2)):1)*8-4))&0xff0:(x##b&0xff)<<4), e)

-				#endif

-			#else

-				#define READ_TABLE_WORD64(b, c, d, e)	READ_TABLE_WORD64_COMMON(c*4+d, ((7-d-4*(c%2))?(x##b>>(((7-d-4*(c%2))?(7-d-4*(c%2)):1)*8-4))&0xff0:(x##b&0xff)<<4), e)

-			#endif

-

-			#define GF_MUL_8BY128(op, b, c, d)		\

-				a0 op READ_TABLE_WORD64(b, c, d, 0);\

-				a1 op READ_TABLE_WORD64(b, c, d, 1);\

-

-			GF_MUL_8BY128(=, 0, 0, 0)

-			GF_MUL_8BY128(^=, 0, 0, 1)

-			GF_MUL_8BY128(^=, 0, 0, 2)

-			GF_MUL_8BY128(^=, 0, 0, 3)

-			GF_MUL_8BY128(^=, 0, 1, 0)

-			GF_MUL_8BY128(^=, 0, 1, 1)

-			GF_MUL_8BY128(^=, 0, 1, 2)

-			GF_MUL_8BY128(^=, 0, 1, 3)

-			GF_MUL_8BY128(^=, 1, 2, 0)

-			GF_MUL_8BY128(^=, 1, 2, 1)

-			GF_MUL_8BY128(^=, 1, 2, 2)

-			GF_MUL_8BY128(^=, 1, 2, 3)

-			GF_MUL_8BY128(^=, 1, 3, 0)

-			GF_MUL_8BY128(^=, 1, 3, 1)

-			GF_MUL_8BY128(^=, 1, 3, 2)

-			GF_MUL_8BY128(^=, 1, 3, 3)

-

-			x0 = a0; x1 = a1;

-		}

-		while (len >= HASH_BLOCKSIZE);

-

-		hashBuffer[0] = x0; hashBuffer[1] = x1;

-		return len;

-		}

-#endif	// #ifndef CRYPTOPP_GENERATE_X64_MASM

-

-#ifdef CRYPTOPP_X64_MASM_AVAILABLE

-	case 1:		// SSE2 and 2K tables

-		GCM_AuthenticateBlocks_2K(data, len/16, hashBuffer, s_reductionTable);

-		return len % 16;

-	case 3:		// SSE2 and 64K tables

-		GCM_AuthenticateBlocks_64K(data, len/16, hashBuffer);

-		return len % 16;

-#endif

-

-#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE

-	case 1:		// SSE2 and 2K tables

-		{

-		#ifdef __GNUC__

-			__asm__ __volatile__

-			(

-			".intel_syntax noprefix;"

-		#elif defined(CRYPTOPP_GENERATE_X64_MASM)

-			ALIGN   8

-			GCM_AuthenticateBlocks_2K	PROC FRAME

-			rex_push_reg rsi

-			push_reg rdi

-			push_reg rbx

-			.endprolog

-			mov rsi, r8

-			mov r11, r9

-		#else

-			AS2(	mov		WORD_REG(cx), data			)

-			AS2(	mov		WORD_REG(dx), len			)

-			AS2(	mov		WORD_REG(si), hashBuffer	)

-			AS2(	shr		WORD_REG(dx), 4				)

-		#endif

-

-		AS_PUSH_IF86(	bx)

-		AS_PUSH_IF86(	bp)

-

-		#ifdef __GNUC__

-			AS2(	mov		AS_REG_7, WORD_REG(di))

-		#elif CRYPTOPP_BOOL_X86

-			AS2(	lea		AS_REG_7, s_reductionTable)

-		#endif

-

-		AS2(	movdqa	xmm0, [WORD_REG(si)]			)

-

-		#define MUL_TABLE_0 WORD_REG(si) + 32

-		#define MUL_TABLE_1 WORD_REG(si) + 32 + 1024

-		#define RED_TABLE AS_REG_7

-

-		ASL(0)

-		AS2(	movdqu	xmm4, [WORD_REG(cx)]			)

-		AS2(	pxor	xmm0, xmm4						)

-

-		AS2(	movd	ebx, xmm0						)

-		AS2(	mov		eax, AS_HEX(f0f0f0f0)			)

-		AS2(	and		eax, ebx						)

-		AS2(	shl		ebx, 4							)

-		AS2(	and		ebx, AS_HEX(f0f0f0f0)			)

-		AS2(	movzx	edi, ah							)

-		AS2(	movdqa	xmm5, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)]	)

-		AS2(	movzx	edi, al					)

-		AS2(	movdqa	xmm4, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)]	)

-		AS2(	shr		eax, 16							)

-		AS2(	movzx	edi, ah					)

-		AS2(	movdqa	xmm3, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)]	)

-		AS2(	movzx	edi, al					)

-		AS2(	movdqa	xmm2, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)]	)

-

-		#define SSE2_MUL_32BITS(i)											\

-			AS2(	psrldq	xmm0, 4											)\

-			AS2(	movd	eax, xmm0										)\

-			AS2(	and		eax, AS_HEX(f0f0f0f0)									)\

-			AS2(	movzx	edi, bh											)\

-			AS2(	pxor	xmm5, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)]	)\

-			AS2(	movzx	edi, bl											)\

-			AS2(	pxor	xmm4, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)]	)\

-			AS2(	shr		ebx, 16											)\

-			AS2(	movzx	edi, bh											)\

-			AS2(	pxor	xmm3, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)]	)\

-			AS2(	movzx	edi, bl											)\

-			AS2(	pxor	xmm2, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)]	)\

-			AS2(	movd	ebx, xmm0										)\

-			AS2(	shl		ebx, 4											)\

-			AS2(	and		ebx, AS_HEX(f0f0f0f0)									)\

-			AS2(	movzx	edi, ah											)\

-			AS2(	pxor	xmm5, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)]		)\

-			AS2(	movzx	edi, al											)\

-			AS2(	pxor	xmm4, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)]		)\

-			AS2(	shr		eax, 16											)\

-			AS2(	movzx	edi, ah											)\

-			AS2(	pxor	xmm3, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)]		)\

-			AS2(	movzx	edi, al											)\

-			AS2(	pxor	xmm2, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)]		)\

-

-		SSE2_MUL_32BITS(1)

-		SSE2_MUL_32BITS(2)

-		SSE2_MUL_32BITS(3)

-

-		AS2(	movzx	edi, bh					)

-		AS2(	pxor	xmm5, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)]	)

-		AS2(	movzx	edi, bl					)

-		AS2(	pxor	xmm4, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)]	)

-		AS2(	shr		ebx, 16						)

-		AS2(	movzx	edi, bh					)

-		AS2(	pxor	xmm3, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)]	)

-		AS2(	movzx	edi, bl					)

-		AS2(	pxor	xmm2, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)]	)

-

-		AS2(	movdqa	xmm0, xmm3						)

-		AS2(	pslldq	xmm3, 1							)

-		AS2(	pxor	xmm2, xmm3						)

-		AS2(	movdqa	xmm1, xmm2						)

-		AS2(	pslldq	xmm2, 1							)

-		AS2(	pxor	xmm5, xmm2						)

-

-		AS2(	psrldq	xmm0, 15						)

-		AS2(	movd	WORD_REG(di), xmm0					)

-		AS2(	movzx	eax, WORD PTR [RED_TABLE + WORD_REG(di)*2]	)

-		AS2(	shl		eax, 8							)

-

-		AS2(	movdqa	xmm0, xmm5						)

-		AS2(	pslldq	xmm5, 1							)

-		AS2(	pxor	xmm4, xmm5						)

-

-		AS2(	psrldq	xmm1, 15						)

-		AS2(	movd	WORD_REG(di), xmm1					)

-		AS2(	xor		ax, WORD PTR [RED_TABLE + WORD_REG(di)*2]	)

-		AS2(	shl		eax, 8							)

-

-		AS2(	psrldq	xmm0, 15						)

-		AS2(	movd	WORD_REG(di), xmm0					)

-		AS2(	xor		ax, WORD PTR [RED_TABLE + WORD_REG(di)*2]	)

-

-		AS2(	movd	xmm0, eax						)

-		AS2(	pxor	xmm0, xmm4						)

-

-		AS2(	add		WORD_REG(cx), 16					)

-		AS2(	sub		WORD_REG(dx), 1						)

-		ASJ(	jnz,	0, b							)

-		AS2(	movdqa	[WORD_REG(si)], xmm0				)

-

-		AS_POP_IF86(	bp)

-		AS_POP_IF86(	bx)

-

-		#ifdef __GNUC__

-				".att_syntax prefix;"

-					: 

-					: "c" (data), "d" (len/16), "S" (hashBuffer), "D" (s_reductionTable)

-					: "memory", "cc", "%eax"

-			#if CRYPTOPP_BOOL_X64

-					, "%ebx", "%r11"

-			#endif

-				);

-		#elif defined(CRYPTOPP_GENERATE_X64_MASM)

-			pop rbx

-			pop rdi

-			pop rsi

-			ret

-			GCM_AuthenticateBlocks_2K ENDP

-		#endif

-

-		return len%16;

-		}

-	case 3:		// SSE2 and 64K tables

-		{

-		#ifdef __GNUC__

-			__asm__ __volatile__

-			(

-			".intel_syntax noprefix;"

-		#elif defined(CRYPTOPP_GENERATE_X64_MASM)

-			ALIGN   8

-			GCM_AuthenticateBlocks_64K	PROC FRAME

-			rex_push_reg rsi

-			push_reg rdi

-			.endprolog

-			mov rsi, r8

-		#else

-			AS2(	mov		WORD_REG(cx), data			)

-			AS2(	mov		WORD_REG(dx), len			)

-			AS2(	mov		WORD_REG(si), hashBuffer	)

-			AS2(	shr		WORD_REG(dx), 4				)

-		#endif

-

-		AS2(	movdqa	xmm0, [WORD_REG(si)]				)

-

-		#undef MUL_TABLE

-		#define MUL_TABLE(i,j) WORD_REG(si) + 32 + (i*4+j)*256*16

-

-		ASL(1)

-		AS2(	movdqu	xmm1, [WORD_REG(cx)]				)

-		AS2(	pxor	xmm1, xmm0						)

-		AS2(	pxor	xmm0, xmm0						)

-

-		#undef SSE2_MUL_32BITS

-		#define SSE2_MUL_32BITS(i)								\

-			AS2(	movd	eax, xmm1							)\

-			AS2(	psrldq	xmm1, 4								)\

-			AS2(	movzx	edi, al						)\

-			AS2(	add		WORD_REG(di), WORD_REG(di)					)\

-			AS2(	pxor	xmm0, [MUL_TABLE(i,0) + WORD_REG(di)*8]	)\

-			AS2(	movzx	edi, ah						)\

-			AS2(	add		WORD_REG(di), WORD_REG(di)					)\

-			AS2(	pxor	xmm0, [MUL_TABLE(i,1) + WORD_REG(di)*8]	)\

-			AS2(	shr		eax, 16								)\

-			AS2(	movzx	edi, al						)\

-			AS2(	add		WORD_REG(di), WORD_REG(di)					)\

-			AS2(	pxor	xmm0, [MUL_TABLE(i,2) + WORD_REG(di)*8]	)\

-			AS2(	movzx	edi, ah						)\

-			AS2(	add		WORD_REG(di), WORD_REG(di)					)\

-			AS2(	pxor	xmm0, [MUL_TABLE(i,3) + WORD_REG(di)*8]	)\

-

-		SSE2_MUL_32BITS(0)

-		SSE2_MUL_32BITS(1)

-		SSE2_MUL_32BITS(2)

-		SSE2_MUL_32BITS(3)

-

-		AS2(	add		WORD_REG(cx), 16					)

-		AS2(	sub		WORD_REG(dx), 1						)

-		ASJ(	jnz,	1, b							)

-		AS2(	movdqa	[WORD_REG(si)], xmm0				)

-

-		#ifdef __GNUC__

-				".att_syntax prefix;"

-					: 

-					: "c" (data), "d" (len/16), "S" (hashBuffer)

-					: "memory", "cc", "%edi", "%eax"

-				);

-		#elif defined(CRYPTOPP_GENERATE_X64_MASM)

-			pop rdi

-			pop rsi

-			ret

-			GCM_AuthenticateBlocks_64K ENDP

-		#endif

-

-		return len%16;

-		}

-#endif

-#ifndef CRYPTOPP_GENERATE_X64_MASM

-	}

-

-	return len%16;

-}

-

-void GCM_Base::AuthenticateLastHeaderBlock()

-{

-	if (m_bufferedDataLength > 0)

-	{

-		memset(m_buffer+m_bufferedDataLength, 0, HASH_BLOCKSIZE-m_bufferedDataLength);

-		m_bufferedDataLength = 0;

-		GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);

-	}

-}

-

-void GCM_Base::AuthenticateLastConfidentialBlock()

-{

-	GCM_Base::AuthenticateLastHeaderBlock();

-	PutBlock<word64, BigEndian, true>(NULL, m_buffer)(m_totalHeaderLength*8)(m_totalMessageLength*8);

-	GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);

-}

-

-void GCM_Base::AuthenticateLastFooterBlock(byte *mac, size_t macSize)

-{

-	m_ctr.Seek(0);

-	ReverseHashBufferIfNeeded();

-	m_ctr.ProcessData(mac, HashBuffer(), macSize);

-}

-

-NAMESPACE_END

-

-#endif	// #ifndef CRYPTOPP_GENERATE_X64_MASM

-#endif

+// gcm.cpp - written and placed in the public domain by Wei Dai
+
+// use "cl /EP /P /DCRYPTOPP_GENERATE_X64_MASM gcm.cpp" to generate MASM code
+
+#include "pch.h"
+
+#ifndef CRYPTOPP_IMPORTS
+#ifndef CRYPTOPP_GENERATE_X64_MASM
+
+#include "gcm.h"
+#include "cpu.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+word16 GCM_Base::s_reductionTable[256];
+volatile bool GCM_Base::s_reductionTableInitialized = false;
+
+void GCM_Base::GCTR::IncrementCounterBy256()
+{
+	IncrementCounterByOne(m_counterArray+BlockSize()-4, 3);
+}
+
+#if 0
+// preserved for testing
+void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *c)
+{
+	word64 Z0=0, Z1=0, V0, V1;
+
+	typedef BlockGetAndPut<word64, BigEndian> Block;
+	Block::Get(a)(V0)(V1);
+
+	for (int i=0; i<16; i++) 
+	{
+		for (int j=0x80; j!=0; j>>=1)
+		{
+			int x = b[i] & j;
+			Z0 ^= x ? V0 : 0;
+			Z1 ^= x ? V1 : 0;
+			x = (int)V1 & 1;
+			V1 = (V1>>1) | (V0<<63);
+			V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0);
+		}
+	}
+	Block::Put(NULL, c)(Z0)(Z1);
+}
+
+__m128i _mm_clmulepi64_si128(const __m128i &a, const __m128i &b, int i)
+{
+	word64 A[1] = {ByteReverse(((word64*)&a)[i&1])};
+	word64 B[1] = {ByteReverse(((word64*)&b)[i>>4])};
+
+	PolynomialMod2 pa((byte *)A, 8);
+	PolynomialMod2 pb((byte *)B, 8);
+	PolynomialMod2 c = pa*pb;
+
+	__m128i output;
+	for (int i=0; i<16; i++)
+		((byte *)&output)[i] = c.GetByte(i);
+	return output;
+}
+#endif
+
+#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE
+inline static void SSE2_Xor16(byte *a, const byte *b, const byte *c)
+{
+#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE
+	*(__m128i *)a = _mm_xor_si128(*(__m128i *)b, *(__m128i *)c);
+#else
+	asm ("movdqa %1, %%xmm0; pxor %2, %%xmm0; movdqa %%xmm0, %0;" : "=m" (a[0]) : "m"(b[0]), "m"(c[0]));
+#endif
+}
+#endif
+
+inline static void Xor16(byte *a, const byte *b, const byte *c)
+{
+	((word64 *)a)[0] = ((word64 *)b)[0] ^ ((word64 *)c)[0];
+	((word64 *)a)[1] = ((word64 *)b)[1] ^ ((word64 *)c)[1];
+}
+
+#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE
+static CRYPTOPP_ALIGN_DATA(16) const word64 s_clmulConstants64[] = {
+	W64LIT(0xe100000000000000), W64LIT(0xc200000000000000),
+	W64LIT(0x08090a0b0c0d0e0f), W64LIT(0x0001020304050607),
+	W64LIT(0x0001020304050607), W64LIT(0x08090a0b0c0d0e0f)};
+static const __m128i *s_clmulConstants = (const __m128i *)s_clmulConstants64;
+static const unsigned int s_clmulTableSizeInBlocks = 8;
+
+inline __m128i CLMUL_Reduce(__m128i c0, __m128i c1, __m128i c2, const __m128i &r)
+{
+	/* 
+	The polynomial to be reduced is c0 * x^128 + c1 * x^64 + c2. c0t below refers to the most 
+	significant half of c0 as a polynomial, which, due to GCM's bit reflection, are in the
+	rightmost bit positions, and the lowest byte addresses.
+
+	c1 ^= c0t * 0xc200000000000000
+	c2t ^= c0t
+	t = shift (c1t ^ c0b) left 1 bit
+	c2 ^= t * 0xe100000000000000
+	c2t ^= c1b
+	shift c2 left 1 bit and xor in lowest bit of c1t
+	*/
+#if 0	// MSVC 2010 workaround: see http://connect.microsoft.com/VisualStudio/feedback/details/575301
+	c2 = _mm_xor_si128(c2, _mm_move_epi64(c0));
+#else
+	c1 = _mm_xor_si128(c1, _mm_slli_si128(c0, 8));
+#endif
+	c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(c0, r, 0x10));
+	c0 = _mm_srli_si128(c0, 8);
+	c0 = _mm_xor_si128(c0, c1);
+	c0 = _mm_slli_epi64(c0, 1);
+	c0 = _mm_clmulepi64_si128(c0, r, 0);
+	c2 = _mm_xor_si128(c2, c0);
+	c2 = _mm_xor_si128(c2, _mm_srli_si128(c1, 8));
+	c1 = _mm_unpacklo_epi64(c1, c2);
+	c1 = _mm_srli_epi64(c1, 63);
+	c2 = _mm_slli_epi64(c2, 1);
+	return _mm_xor_si128(c2, c1);
+}
+
+inline __m128i CLMUL_GF_Mul(const __m128i &x, const __m128i &h, const __m128i &r)
+{
+	__m128i c0 = _mm_clmulepi64_si128(x,h,0);
+	__m128i c1 = _mm_xor_si128(_mm_clmulepi64_si128(x,h,1), _mm_clmulepi64_si128(x,h,0x10));
+	__m128i c2 = _mm_clmulepi64_si128(x,h,0x11);
+
+	return CLMUL_Reduce(c0, c1, c2, r);
+}
+#endif
+
+void GCM_Base::SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params)
+{
+	BlockCipher &blockCipher = AccessBlockCipher();
+	blockCipher.SetKey(userKey, keylength, params);
+
+	if (blockCipher.BlockSize() != REQUIRED_BLOCKSIZE)
+		throw InvalidArgument(AlgorithmName() + ": block size of underlying block cipher is not 16");
+
+	int tableSize, i, j, k;
+
+#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE
+	if (HasCLMUL())
+	{
+		params.GetIntValue(Name::TableSize(), tableSize);	// avoid "parameter not used" error
+		tableSize = s_clmulTableSizeInBlocks * REQUIRED_BLOCKSIZE;
+	}
+	else
+#endif
+	{
+		if (params.GetIntValue(Name::TableSize(), tableSize))
+			tableSize = (tableSize >= 64*1024) ? 64*1024 : 2*1024;
+		else
+			tableSize = (GetTablesOption() == GCM_64K_Tables) ? 64*1024 : 2*1024;
+
+#if defined(_MSC_VER) && (_MSC_VER >= 1300 && _MSC_VER < 1400)
+		// VC 2003 workaround: compiler generates bad code for 64K tables
+		tableSize = 2*1024;
+#endif
+	}
+
+	m_buffer.resize(3*REQUIRED_BLOCKSIZE + tableSize);
+	byte *table = MulTable();
+	byte *hashKey = HashKey();
+	memset(hashKey, 0, REQUIRED_BLOCKSIZE);
+	blockCipher.ProcessBlock(hashKey);
+
+#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE
+	if (HasCLMUL())
+	{
+		const __m128i r = s_clmulConstants[0];
+		__m128i h0 = _mm_shuffle_epi8(_mm_load_si128((__m128i *)hashKey), s_clmulConstants[1]);
+		__m128i h = h0;
+
+		for (i=0; i<tableSize; i+=32)
+		{
+			__m128i h1 = CLMUL_GF_Mul(h, h0, r);
+			_mm_storel_epi64((__m128i *)(table+i), h);
+			_mm_storeu_si128((__m128i *)(table+i+16), h1);
+			_mm_storeu_si128((__m128i *)(table+i+8), h);
+			_mm_storel_epi64((__m128i *)(table+i+8), h1);
+			h = CLMUL_GF_Mul(h1, h0, r);
+		}
+
+		return;
+	}
+#endif
+
+	word64 V0, V1;
+	typedef BlockGetAndPut<word64, BigEndian> Block;
+	Block::Get(hashKey)(V0)(V1);
+
+	if (tableSize == 64*1024)
+	{
+		for (i=0; i<128; i++)
+		{
+			k = i%8;
+			Block::Put(NULL, table+(i/8)*256*16+(size_t(1)<<(11-k)))(V0)(V1);
+
+			int x = (int)V1 & 1; 
+			V1 = (V1>>1) | (V0<<63);
+			V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0);
+		}
+
+		for (i=0; i<16; i++)
+		{
+			memset(table+i*256*16, 0, 16);
+#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE
+			if (HasSSE2())
+				for (j=2; j<=0x80; j*=2)
+					for (k=1; k<j; k++)
+						SSE2_Xor16(table+i*256*16+(j+k)*16, table+i*256*16+j*16, table+i*256*16+k*16);
+			else
+#endif
+				for (j=2; j<=0x80; j*=2)
+					for (k=1; k<j; k++)
+						Xor16(table+i*256*16+(j+k)*16, table+i*256*16+j*16, table+i*256*16+k*16);
+		}
+	}
+	else
+	{
+		if (!s_reductionTableInitialized)
+		{
+			s_reductionTable[0] = 0;
+			word16 x = 0x01c2;
+			s_reductionTable[1] = ByteReverse(x);
+			for (int i=2; i<=0x80; i*=2)
+			{
+				x <<= 1;
+				s_reductionTable[i] = ByteReverse(x);
+				for (int j=1; j<i; j++)
+					s_reductionTable[i+j] = s_reductionTable[i] ^ s_reductionTable[j];
+			}
+			s_reductionTableInitialized = true;
+		}
+
+		for (i=0; i<128-24; i++)
+		{
+			k = i%32;
+			if (k < 4)
+				Block::Put(NULL, table+1024+(i/32)*256+(size_t(1)<<(7-k)))(V0)(V1);
+			else if (k < 8)
+				Block::Put(NULL, table+(i/32)*256+(size_t(1)<<(11-k)))(V0)(V1);
+
+			int x = (int)V1 & 1; 
+			V1 = (V1>>1) | (V0<<63);
+			V0 = (V0>>1) ^ (x ? W64LIT(0xe1) << 56 : 0);
+		}
+
+		for (i=0; i<4; i++)
+		{
+			memset(table+i*256, 0, 16);
+			memset(table+1024+i*256, 0, 16);
+#if CRYPTOPP_BOOL_SSE2_INTRINSICS_AVAILABLE || CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE
+			if (HasSSE2())
+				for (j=2; j<=8; j*=2)
+					for (k=1; k<j; k++)
+					{
+						SSE2_Xor16(table+i*256+(j+k)*16, table+i*256+j*16, table+i*256+k*16);
+						SSE2_Xor16(table+1024+i*256+(j+k)*16, table+1024+i*256+j*16, table+1024+i*256+k*16);
+					}
+			else
+#endif
+				for (j=2; j<=8; j*=2)
+					for (k=1; k<j; k++)
+					{
+						Xor16(table+i*256+(j+k)*16, table+i*256+j*16, table+i*256+k*16);
+						Xor16(table+1024+i*256+(j+k)*16, table+1024+i*256+j*16, table+1024+i*256+k*16);
+					}
+		}
+	}
+}
+
+inline void GCM_Base::ReverseHashBufferIfNeeded()
+{
+#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE
+	if (HasCLMUL())
+	{
+		__m128i &x = *(__m128i *)HashBuffer();
+		x = _mm_shuffle_epi8(x, s_clmulConstants[1]);
+	}
+#endif
+}
+
+void GCM_Base::Resync(const byte *iv, size_t len)
+{
+	BlockCipher &cipher = AccessBlockCipher();
+	byte *hashBuffer = HashBuffer();
+
+	if (len == 12)
+	{
+		memcpy(hashBuffer, iv, len);
+		memset(hashBuffer+len, 0, 3);
+		hashBuffer[len+3] = 1;
+	}
+	else
+	{
+		size_t origLen = len;
+		memset(hashBuffer, 0, HASH_BLOCKSIZE);
+
+		if (len >= HASH_BLOCKSIZE)
+		{
+			len = GCM_Base::AuthenticateBlocks(iv, len);
+			iv += (origLen - len);
+		}
+
+		if (len > 0)
+		{
+			memcpy(m_buffer, iv, len);
+			memset(m_buffer+len, 0, HASH_BLOCKSIZE-len);
+			GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);
+		}
+
+		PutBlock<word64, BigEndian, true>(NULL, m_buffer)(0)(origLen*8);
+		GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);
+
+		ReverseHashBufferIfNeeded();
+	}
+
+	if (m_state >= State_IVSet)
+		m_ctr.Resynchronize(hashBuffer, REQUIRED_BLOCKSIZE);
+	else
+		m_ctr.SetCipherWithIV(cipher, hashBuffer);
+
+	m_ctr.Seek(HASH_BLOCKSIZE);
+
+	memset(hashBuffer, 0, HASH_BLOCKSIZE);
+}
+
+unsigned int GCM_Base::OptimalDataAlignment() const
+{
+	return 
+#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE || defined(CRYPTOPP_X64_MASM_AVAILABLE)
+		HasSSE2() ? 16 : 
+#endif
+		GetBlockCipher().OptimalDataAlignment();
+}
+
+#pragma warning(disable: 4731)	// frame pointer register 'ebp' modified by inline assembly code
+
+#endif	// #ifndef CRYPTOPP_GENERATE_X64_MASM
+
+#ifdef CRYPTOPP_X64_MASM_AVAILABLE
+extern "C" {
+void GCM_AuthenticateBlocks_2K(const byte *data, size_t blocks, word64 *hashBuffer, const word16 *reductionTable);
+void GCM_AuthenticateBlocks_64K(const byte *data, size_t blocks, word64 *hashBuffer);
+}
+#endif
+
+#ifndef CRYPTOPP_GENERATE_X64_MASM
+
+size_t GCM_Base::AuthenticateBlocks(const byte *data, size_t len)
+{
+#if CRYPTOPP_BOOL_AESNI_INTRINSICS_AVAILABLE
+	if (HasCLMUL())
+	{
+		const __m128i *table = (const __m128i *)MulTable();
+		__m128i x = _mm_load_si128((__m128i *)HashBuffer());
+		const __m128i r = s_clmulConstants[0], bswapMask = s_clmulConstants[1], bswapMask2 = s_clmulConstants[2];
+
+		while (len >= 16)
+		{
+			size_t s = UnsignedMin(len/16, s_clmulTableSizeInBlocks), i=0;
+			__m128i d, d2 = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-1)*16)), bswapMask2);;
+			__m128i c0 = _mm_setzero_si128();
+			__m128i c1 = _mm_setzero_si128();
+			__m128i c2 = _mm_setzero_si128();
+
+			while (true)
+			{
+				__m128i h0 = _mm_load_si128(table+i);
+				__m128i h1 = _mm_load_si128(table+i+1);
+				__m128i h01 = _mm_xor_si128(h0, h1);
+
+				if (++i == s)
+				{
+					d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)data), bswapMask);
+					d = _mm_xor_si128(d, x);
+					c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0));
+					c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 1));
+					d = _mm_xor_si128(d, _mm_shuffle_epi32(d, _MM_SHUFFLE(1, 0, 3, 2)));
+					c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0));
+					break;
+				}
+
+				d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-i)*16-8)), bswapMask2);
+				c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d2, h0, 1));
+				c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 1));
+				d2 = _mm_xor_si128(d2, d);
+				c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d2, h01, 1));
+
+				if (++i == s)
+				{
+					d = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)data), bswapMask);
+					d = _mm_xor_si128(d, x);
+					c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0x10));
+					c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d, h1, 0x11));
+					d = _mm_xor_si128(d, _mm_shuffle_epi32(d, _MM_SHUFFLE(1, 0, 3, 2)));
+					c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0x10));
+					break;
+				}
+
+				d2 = _mm_shuffle_epi8(_mm_loadu_si128((const __m128i *)(data+(s-i)*16-8)), bswapMask);
+				c0 = _mm_xor_si128(c0, _mm_clmulepi64_si128(d, h0, 0x10));
+				c2 = _mm_xor_si128(c2, _mm_clmulepi64_si128(d2, h1, 0x10));
+				d = _mm_xor_si128(d, d2);
+				c1 = _mm_xor_si128(c1, _mm_clmulepi64_si128(d, h01, 0x10));
+			}
+			data += s*16;
+			len -= s*16;
+
+			c1 = _mm_xor_si128(_mm_xor_si128(c1, c0), c2);
+			x = CLMUL_Reduce(c0, c1, c2, r);
+		}
+
+		_mm_store_si128((__m128i *)HashBuffer(), x);
+		return len;
+	}
+#endif
+
+	typedef BlockGetAndPut<word64, NativeByteOrder> Block;
+	word64 *hashBuffer = (word64 *)HashBuffer();
+
+	switch (2*(m_buffer.size()>=64*1024)
+#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE || defined(CRYPTOPP_X64_MASM_AVAILABLE)
+		+ HasSSE2()
+#endif
+		)
+	{
+	case 0:		// non-SSE2 and 2K tables
+		{
+		byte *table = MulTable();
+		word64 x0 = hashBuffer[0], x1 = hashBuffer[1];
+
+		do
+		{
+			word64 y0, y1, a0, a1, b0, b1, c0, c1, d0, d1;
+			Block::Get(data)(y0)(y1);
+			x0 ^= y0;
+			x1 ^= y1;
+
+			data += HASH_BLOCKSIZE;
+			len -= HASH_BLOCKSIZE;
+
+			#define READ_TABLE_WORD64_COMMON(a, b, c, d)	*(word64 *)(table+(a*1024)+(b*256)+c+d*8)
+
+			#ifdef IS_LITTLE_ENDIAN
+				#if CRYPTOPP_BOOL_SLOW_WORD64
+					word32 z0 = (word32)x0;
+					word32 z1 = (word32)(x0>>32);
+					word32 z2 = (word32)x1;
+					word32 z3 = (word32)(x1>>32);
+					#define READ_TABLE_WORD64(a, b, c, d, e)	READ_TABLE_WORD64_COMMON((d%2), c, (d?(z##c>>((d?d-1:0)*4))&0xf0:(z##c&0xf)<<4), e)
+				#else
+					#define READ_TABLE_WORD64(a, b, c, d, e)	READ_TABLE_WORD64_COMMON((d%2), c, ((d+8*b)?(x##a>>(((d+8*b)?(d+8*b)-1:1)*4))&0xf0:(x##a&0xf)<<4), e)
+				#endif
+				#define GF_MOST_SIG_8BITS(a) (a##1 >> 7*8)
+				#define GF_SHIFT_8(a) a##1 = (a##1 << 8) ^ (a##0 >> 7*8); a##0 <<= 8;
+			#else
+				#define READ_TABLE_WORD64(a, b, c, d, e)	READ_TABLE_WORD64_COMMON((1-d%2), c, ((15-d-8*b)?(x##a>>(((15-d-8*b)?(15-d-8*b)-1:0)*4))&0xf0:(x##a&0xf)<<4), e)
+				#define GF_MOST_SIG_8BITS(a) (a##1 & 0xff)
+				#define GF_SHIFT_8(a) a##1 = (a##1 >> 8) ^ (a##0 << 7*8); a##0 >>= 8;
+			#endif
+
+			#define GF_MUL_32BY128(op, a, b, c)											\
+				a0 op READ_TABLE_WORD64(a, b, c, 0, 0) ^ READ_TABLE_WORD64(a, b, c, 1, 0);\
+				a1 op READ_TABLE_WORD64(a, b, c, 0, 1) ^ READ_TABLE_WORD64(a, b, c, 1, 1);\
+				b0 op READ_TABLE_WORD64(a, b, c, 2, 0) ^ READ_TABLE_WORD64(a, b, c, 3, 0);\
+				b1 op READ_TABLE_WORD64(a, b, c, 2, 1) ^ READ_TABLE_WORD64(a, b, c, 3, 1);\
+				c0 op READ_TABLE_WORD64(a, b, c, 4, 0) ^ READ_TABLE_WORD64(a, b, c, 5, 0);\
+				c1 op READ_TABLE_WORD64(a, b, c, 4, 1) ^ READ_TABLE_WORD64(a, b, c, 5, 1);\
+				d0 op READ_TABLE_WORD64(a, b, c, 6, 0) ^ READ_TABLE_WORD64(a, b, c, 7, 0);\
+				d1 op READ_TABLE_WORD64(a, b, c, 6, 1) ^ READ_TABLE_WORD64(a, b, c, 7, 1);\
+
+			GF_MUL_32BY128(=, 0, 0, 0)
+			GF_MUL_32BY128(^=, 0, 1, 1)
+			GF_MUL_32BY128(^=, 1, 0, 2)
+			GF_MUL_32BY128(^=, 1, 1, 3)
+
+			word32 r = (word32)s_reductionTable[GF_MOST_SIG_8BITS(d)] << 16;
+			GF_SHIFT_8(d)
+			c0 ^= d0; c1 ^= d1;
+			r ^= (word32)s_reductionTable[GF_MOST_SIG_8BITS(c)] << 8;
+			GF_SHIFT_8(c)
+			b0 ^= c0; b1 ^= c1;
+			r ^= s_reductionTable[GF_MOST_SIG_8BITS(b)];
+			GF_SHIFT_8(b)
+			a0 ^= b0; a1 ^= b1;
+			a0 ^= ConditionalByteReverse<word64>(LITTLE_ENDIAN_ORDER, r);
+			x0 = a0; x1 = a1;
+		}
+		while (len >= HASH_BLOCKSIZE);
+
+		hashBuffer[0] = x0; hashBuffer[1] = x1;
+		return len;
+		}
+
+	case 2:		// non-SSE2 and 64K tables
+		{
+		byte *table = MulTable();
+		word64 x0 = hashBuffer[0], x1 = hashBuffer[1];
+
+		do
+		{
+			word64 y0, y1, a0, a1;
+			Block::Get(data)(y0)(y1);
+			x0 ^= y0;
+			x1 ^= y1;
+
+			data += HASH_BLOCKSIZE;
+			len -= HASH_BLOCKSIZE;
+
+			#undef READ_TABLE_WORD64_COMMON
+			#undef READ_TABLE_WORD64
+
+			#define READ_TABLE_WORD64_COMMON(a, c, d)	*(word64 *)(table+(a)*256*16+(c)+(d)*8)
+
+			#ifdef IS_LITTLE_ENDIAN
+				#if CRYPTOPP_BOOL_SLOW_WORD64
+					word32 z0 = (word32)x0;
+					word32 z1 = (word32)(x0>>32);
+					word32 z2 = (word32)x1;
+					word32 z3 = (word32)(x1>>32);
+					#define READ_TABLE_WORD64(b, c, d, e)	READ_TABLE_WORD64_COMMON(c*4+d, (d?(z##c>>((d?d:1)*8-4))&0xff0:(z##c&0xff)<<4), e)
+				#else
+					#define READ_TABLE_WORD64(b, c, d, e)	READ_TABLE_WORD64_COMMON(c*4+d, ((d+4*(c%2))?(x##b>>(((d+4*(c%2))?(d+4*(c%2)):1)*8-4))&0xff0:(x##b&0xff)<<4), e)
+				#endif
+			#else
+				#define READ_TABLE_WORD64(b, c, d, e)	READ_TABLE_WORD64_COMMON(c*4+d, ((7-d-4*(c%2))?(x##b>>(((7-d-4*(c%2))?(7-d-4*(c%2)):1)*8-4))&0xff0:(x##b&0xff)<<4), e)
+			#endif
+
+			#define GF_MUL_8BY128(op, b, c, d)		\
+				a0 op READ_TABLE_WORD64(b, c, d, 0);\
+				a1 op READ_TABLE_WORD64(b, c, d, 1);\
+
+			GF_MUL_8BY128(=, 0, 0, 0)
+			GF_MUL_8BY128(^=, 0, 0, 1)
+			GF_MUL_8BY128(^=, 0, 0, 2)
+			GF_MUL_8BY128(^=, 0, 0, 3)
+			GF_MUL_8BY128(^=, 0, 1, 0)
+			GF_MUL_8BY128(^=, 0, 1, 1)
+			GF_MUL_8BY128(^=, 0, 1, 2)
+			GF_MUL_8BY128(^=, 0, 1, 3)
+			GF_MUL_8BY128(^=, 1, 2, 0)
+			GF_MUL_8BY128(^=, 1, 2, 1)
+			GF_MUL_8BY128(^=, 1, 2, 2)
+			GF_MUL_8BY128(^=, 1, 2, 3)
+			GF_MUL_8BY128(^=, 1, 3, 0)
+			GF_MUL_8BY128(^=, 1, 3, 1)
+			GF_MUL_8BY128(^=, 1, 3, 2)
+			GF_MUL_8BY128(^=, 1, 3, 3)
+
+			x0 = a0; x1 = a1;
+		}
+		while (len >= HASH_BLOCKSIZE);
+
+		hashBuffer[0] = x0; hashBuffer[1] = x1;
+		return len;
+		}
+#endif	// #ifndef CRYPTOPP_GENERATE_X64_MASM
+
+#ifdef CRYPTOPP_X64_MASM_AVAILABLE
+	case 1:		// SSE2 and 2K tables
+		GCM_AuthenticateBlocks_2K(data, len/16, hashBuffer, s_reductionTable);
+		return len % 16;
+	case 3:		// SSE2 and 64K tables
+		GCM_AuthenticateBlocks_64K(data, len/16, hashBuffer);
+		return len % 16;
+#endif
+
+#if CRYPTOPP_BOOL_SSE2_ASM_AVAILABLE
+	case 1:		// SSE2 and 2K tables
+		{
+		#ifdef __GNUC__
+			__asm__ __volatile__
+			(
+			".intel_syntax noprefix;"
+		#elif defined(CRYPTOPP_GENERATE_X64_MASM)
+			ALIGN   8
+			GCM_AuthenticateBlocks_2K	PROC FRAME
+			rex_push_reg rsi
+			push_reg rdi
+			push_reg rbx
+			.endprolog
+			mov rsi, r8
+			mov r11, r9
+		#else
+			AS2(	mov		WORD_REG(cx), data			)
+			AS2(	mov		WORD_REG(dx), len			)
+			AS2(	mov		WORD_REG(si), hashBuffer	)
+			AS2(	shr		WORD_REG(dx), 4				)
+		#endif
+
+		AS_PUSH_IF86(	bx)
+		AS_PUSH_IF86(	bp)
+
+		#ifdef __GNUC__
+			AS2(	mov		AS_REG_7, WORD_REG(di))
+		#elif CRYPTOPP_BOOL_X86
+			AS2(	lea		AS_REG_7, s_reductionTable)
+		#endif
+
+		AS2(	movdqa	xmm0, [WORD_REG(si)]			)
+
+		#define MUL_TABLE_0 WORD_REG(si) + 32
+		#define MUL_TABLE_1 WORD_REG(si) + 32 + 1024
+		#define RED_TABLE AS_REG_7
+
+		ASL(0)
+		AS2(	movdqu	xmm4, [WORD_REG(cx)]			)
+		AS2(	pxor	xmm0, xmm4						)
+
+		AS2(	movd	ebx, xmm0						)
+		AS2(	mov		eax, AS_HEX(f0f0f0f0)			)
+		AS2(	and		eax, ebx						)
+		AS2(	shl		ebx, 4							)
+		AS2(	and		ebx, AS_HEX(f0f0f0f0)			)
+		AS2(	movzx	edi, ah							)
+		AS2(	movdqa	xmm5, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)]	)
+		AS2(	movzx	edi, al					)
+		AS2(	movdqa	xmm4, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)]	)
+		AS2(	shr		eax, 16							)
+		AS2(	movzx	edi, ah					)
+		AS2(	movdqa	xmm3, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)]	)
+		AS2(	movzx	edi, al					)
+		AS2(	movdqa	xmm2, XMMWORD_PTR [MUL_TABLE_1 + WORD_REG(di)]	)
+
+		#define SSE2_MUL_32BITS(i)											\
+			AS2(	psrldq	xmm0, 4											)\
+			AS2(	movd	eax, xmm0										)\
+			AS2(	and		eax, AS_HEX(f0f0f0f0)									)\
+			AS2(	movzx	edi, bh											)\
+			AS2(	pxor	xmm5, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)]	)\
+			AS2(	movzx	edi, bl											)\
+			AS2(	pxor	xmm4, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)]	)\
+			AS2(	shr		ebx, 16											)\
+			AS2(	movzx	edi, bh											)\
+			AS2(	pxor	xmm3, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)]	)\
+			AS2(	movzx	edi, bl											)\
+			AS2(	pxor	xmm2, XMMWORD_PTR [MUL_TABLE_0 + (i-1)*256 + WORD_REG(di)]	)\
+			AS2(	movd	ebx, xmm0										)\
+			AS2(	shl		ebx, 4											)\
+			AS2(	and		ebx, AS_HEX(f0f0f0f0)									)\
+			AS2(	movzx	edi, ah											)\
+			AS2(	pxor	xmm5, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)]		)\
+			AS2(	movzx	edi, al											)\
+			AS2(	pxor	xmm4, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)]		)\
+			AS2(	shr		eax, 16											)\
+			AS2(	movzx	edi, ah											)\
+			AS2(	pxor	xmm3, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)]		)\
+			AS2(	movzx	edi, al											)\
+			AS2(	pxor	xmm2, XMMWORD_PTR [MUL_TABLE_1 + i*256 + WORD_REG(di)]		)\
+
+		SSE2_MUL_32BITS(1)
+		SSE2_MUL_32BITS(2)
+		SSE2_MUL_32BITS(3)
+
+		AS2(	movzx	edi, bh					)
+		AS2(	pxor	xmm5, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)]	)
+		AS2(	movzx	edi, bl					)
+		AS2(	pxor	xmm4, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)]	)
+		AS2(	shr		ebx, 16						)
+		AS2(	movzx	edi, bh					)
+		AS2(	pxor	xmm3, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)]	)
+		AS2(	movzx	edi, bl					)
+		AS2(	pxor	xmm2, XMMWORD_PTR [MUL_TABLE_0 + 3*256 + WORD_REG(di)]	)
+
+		AS2(	movdqa	xmm0, xmm3						)
+		AS2(	pslldq	xmm3, 1							)
+		AS2(	pxor	xmm2, xmm3						)
+		AS2(	movdqa	xmm1, xmm2						)
+		AS2(	pslldq	xmm2, 1							)
+		AS2(	pxor	xmm5, xmm2						)
+
+		AS2(	psrldq	xmm0, 15						)
+		AS2(	movd	WORD_REG(di), xmm0					)
+		AS2(	movzx	eax, WORD PTR [RED_TABLE + WORD_REG(di)*2]	)
+		AS2(	shl		eax, 8							)
+
+		AS2(	movdqa	xmm0, xmm5						)
+		AS2(	pslldq	xmm5, 1							)
+		AS2(	pxor	xmm4, xmm5						)
+
+		AS2(	psrldq	xmm1, 15						)
+		AS2(	movd	WORD_REG(di), xmm1					)
+		AS2(	xor		ax, WORD PTR [RED_TABLE + WORD_REG(di)*2]	)
+		AS2(	shl		eax, 8							)
+
+		AS2(	psrldq	xmm0, 15						)
+		AS2(	movd	WORD_REG(di), xmm0					)
+		AS2(	xor		ax, WORD PTR [RED_TABLE + WORD_REG(di)*2]	)
+
+		AS2(	movd	xmm0, eax						)
+		AS2(	pxor	xmm0, xmm4						)
+
+		AS2(	add		WORD_REG(cx), 16					)
+		AS2(	sub		WORD_REG(dx), 1						)
+		ASJ(	jnz,	0, b							)
+		AS2(	movdqa	[WORD_REG(si)], xmm0				)
+
+		AS_POP_IF86(	bp)
+		AS_POP_IF86(	bx)
+
+		#ifdef __GNUC__
+				".att_syntax prefix;"
+					: 
+					: "c" (data), "d" (len/16), "S" (hashBuffer), "D" (s_reductionTable)
+					: "memory", "cc", "%eax"
+			#if CRYPTOPP_BOOL_X64
+					, "%ebx", "%r11"
+			#endif
+				);
+		#elif defined(CRYPTOPP_GENERATE_X64_MASM)
+			pop rbx
+			pop rdi
+			pop rsi
+			ret
+			GCM_AuthenticateBlocks_2K ENDP
+		#endif
+
+		return len%16;
+		}
+	case 3:		// SSE2 and 64K tables
+		{
+		#ifdef __GNUC__
+			__asm__ __volatile__
+			(
+			".intel_syntax noprefix;"
+		#elif defined(CRYPTOPP_GENERATE_X64_MASM)
+			ALIGN   8
+			GCM_AuthenticateBlocks_64K	PROC FRAME
+			rex_push_reg rsi
+			push_reg rdi
+			.endprolog
+			mov rsi, r8
+		#else
+			AS2(	mov		WORD_REG(cx), data			)
+			AS2(	mov		WORD_REG(dx), len			)
+			AS2(	mov		WORD_REG(si), hashBuffer	)
+			AS2(	shr		WORD_REG(dx), 4				)
+		#endif
+
+		AS2(	movdqa	xmm0, [WORD_REG(si)]				)
+
+		#undef MUL_TABLE
+		#define MUL_TABLE(i,j) WORD_REG(si) + 32 + (i*4+j)*256*16
+
+		ASL(1)
+		AS2(	movdqu	xmm1, [WORD_REG(cx)]				)
+		AS2(	pxor	xmm1, xmm0						)
+		AS2(	pxor	xmm0, xmm0						)
+
+		#undef SSE2_MUL_32BITS
+		#define SSE2_MUL_32BITS(i)								\
+			AS2(	movd	eax, xmm1							)\
+			AS2(	psrldq	xmm1, 4								)\
+			AS2(	movzx	edi, al						)\
+			AS2(	add		WORD_REG(di), WORD_REG(di)					)\
+			AS2(	pxor	xmm0, [MUL_TABLE(i,0) + WORD_REG(di)*8]	)\
+			AS2(	movzx	edi, ah						)\
+			AS2(	add		WORD_REG(di), WORD_REG(di)					)\
+			AS2(	pxor	xmm0, [MUL_TABLE(i,1) + WORD_REG(di)*8]	)\
+			AS2(	shr		eax, 16								)\
+			AS2(	movzx	edi, al						)\
+			AS2(	add		WORD_REG(di), WORD_REG(di)					)\
+			AS2(	pxor	xmm0, [MUL_TABLE(i,2) + WORD_REG(di)*8]	)\
+			AS2(	movzx	edi, ah						)\
+			AS2(	add		WORD_REG(di), WORD_REG(di)					)\
+			AS2(	pxor	xmm0, [MUL_TABLE(i,3) + WORD_REG(di)*8]	)\
+
+		SSE2_MUL_32BITS(0)
+		SSE2_MUL_32BITS(1)
+		SSE2_MUL_32BITS(2)
+		SSE2_MUL_32BITS(3)
+
+		AS2(	add		WORD_REG(cx), 16					)
+		AS2(	sub		WORD_REG(dx), 1						)
+		ASJ(	jnz,	1, b							)
+		AS2(	movdqa	[WORD_REG(si)], xmm0				)
+
+		#ifdef __GNUC__
+				".att_syntax prefix;"
+					: 
+					: "c" (data), "d" (len/16), "S" (hashBuffer)
+					: "memory", "cc", "%edi", "%eax"
+				);
+		#elif defined(CRYPTOPP_GENERATE_X64_MASM)
+			pop rdi
+			pop rsi
+			ret
+			GCM_AuthenticateBlocks_64K ENDP
+		#endif
+
+		return len%16;
+		}
+#endif
+#ifndef CRYPTOPP_GENERATE_X64_MASM
+	}
+
+	return len%16;
+}
+
+void GCM_Base::AuthenticateLastHeaderBlock()
+{
+	if (m_bufferedDataLength > 0)
+	{
+		memset(m_buffer+m_bufferedDataLength, 0, HASH_BLOCKSIZE-m_bufferedDataLength);
+		m_bufferedDataLength = 0;
+		GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);
+	}
+}
+
+void GCM_Base::AuthenticateLastConfidentialBlock()
+{
+	GCM_Base::AuthenticateLastHeaderBlock();
+	PutBlock<word64, BigEndian, true>(NULL, m_buffer)(m_totalHeaderLength*8)(m_totalMessageLength*8);
+	GCM_Base::AuthenticateBlocks(m_buffer, HASH_BLOCKSIZE);
+}
+
+void GCM_Base::AuthenticateLastFooterBlock(byte *mac, size_t macSize)
+{
+	m_ctr.Seek(0);
+	ReverseHashBufferIfNeeded();
+	m_ctr.ProcessData(mac, HashBuffer(), macSize);
+}
+
+NAMESPACE_END
+
+#endif	// #ifndef CRYPTOPP_GENERATE_X64_MASM
+#endif
diff --git a/CryptoPP/gcm.h b/CryptoPP/gcm.h
index 0b32524f9..272a51c9c 100644
--- a/CryptoPP/gcm.h
+++ b/CryptoPP/gcm.h
@@ -1,106 +1,106 @@
-#ifndef CRYPTOPP_GCM_H

-#define CRYPTOPP_GCM_H

-

-#include "authenc.h"

-#include "modes.h"

-

-NAMESPACE_BEGIN(CryptoPP)

-

-//! .

-enum GCM_TablesOption {GCM_2K_Tables, GCM_64K_Tables};

-

-//! .

-class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE GCM_Base : public AuthenticatedSymmetricCipherBase

-{

-public:

-	// AuthenticatedSymmetricCipher

-	std::string AlgorithmName() const

-		{return GetBlockCipher().AlgorithmName() + std::string("/GCM");}

-	size_t MinKeyLength() const

-		{return GetBlockCipher().MinKeyLength();}

-	size_t MaxKeyLength() const

-		{return GetBlockCipher().MaxKeyLength();}

-	size_t DefaultKeyLength() const

-		{return GetBlockCipher().DefaultKeyLength();}

-	size_t GetValidKeyLength(size_t n) const

-		{return GetBlockCipher().GetValidKeyLength(n);}

-	bool IsValidKeyLength(size_t n) const

-		{return GetBlockCipher().IsValidKeyLength(n);}

-	unsigned int OptimalDataAlignment() const;

-	IV_Requirement IVRequirement() const

-		{return UNIQUE_IV;}

-	unsigned int IVSize() const

-		{return 12;}

-	unsigned int MinIVLength() const

-		{return 1;}

-	unsigned int MaxIVLength() const

-		{return UINT_MAX;}		// (W64LIT(1)<<61)-1 in the standard

-	unsigned int DigestSize() const

-		{return 16;}

-	lword MaxHeaderLength() const

-		{return (W64LIT(1)<<61)-1;}

-	lword MaxMessageLength() const

-		{return ((W64LIT(1)<<39)-256)/8;}

-

-protected:

-	// AuthenticatedSymmetricCipherBase

-	bool AuthenticationIsOnPlaintext() const

-		{return false;}

-	unsigned int AuthenticationBlockSize() const

-		{return HASH_BLOCKSIZE;}

-	void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params);

-	void Resync(const byte *iv, size_t len);

-	size_t AuthenticateBlocks(const byte *data, size_t len);

-	void AuthenticateLastHeaderBlock();

-	void AuthenticateLastConfidentialBlock();

-	void AuthenticateLastFooterBlock(byte *mac, size_t macSize);

-	SymmetricCipher & AccessSymmetricCipher() {return m_ctr;}

-

-	virtual BlockCipher & AccessBlockCipher() =0;

-	virtual GCM_TablesOption GetTablesOption() const =0;

-

-	const BlockCipher & GetBlockCipher() const {return const_cast<GCM_Base *>(this)->AccessBlockCipher();};

-	byte *HashBuffer() {return m_buffer+REQUIRED_BLOCKSIZE;}

-	byte *HashKey() {return m_buffer+2*REQUIRED_BLOCKSIZE;}

-	byte *MulTable() {return m_buffer+3*REQUIRED_BLOCKSIZE;}

-	inline void ReverseHashBufferIfNeeded();

-

-	class CRYPTOPP_DLL GCTR : public CTR_Mode_ExternalCipher::Encryption

-	{

-	protected:

-		void IncrementCounterBy256();

-	};

-

-	GCTR m_ctr;

-	static word16 s_reductionTable[256];

-	static volatile bool s_reductionTableInitialized;

-	enum {REQUIRED_BLOCKSIZE = 16, HASH_BLOCKSIZE = 16};

-};

-

-//! .

-template <class T_BlockCipher, GCM_TablesOption T_TablesOption, bool T_IsEncryption>

-class GCM_Final : public GCM_Base

-{

-public:

-	static std::string StaticAlgorithmName()

-		{return T_BlockCipher::StaticAlgorithmName() + std::string("/GCM");}

-	bool IsForwardTransformation() const

-		{return T_IsEncryption;}

-

-private:

-	GCM_TablesOption GetTablesOption() const {return T_TablesOption;}

-	BlockCipher & AccessBlockCipher() {return m_cipher;}

-	typename T_BlockCipher::Encryption m_cipher;

-};

-

-//! <a href="http://www.cryptolounge.org/wiki/GCM">GCM</a>

-template <class T_BlockCipher, GCM_TablesOption T_TablesOption=GCM_2K_Tables>

-struct GCM : public AuthenticatedSymmetricCipherDocumentation

-{

-	typedef GCM_Final<T_BlockCipher, T_TablesOption, true> Encryption;

-	typedef GCM_Final<T_BlockCipher, T_TablesOption, false> Decryption;

-};

-

-NAMESPACE_END

-

-#endif

+#ifndef CRYPTOPP_GCM_H
+#define CRYPTOPP_GCM_H
+
+#include "authenc.h"
+#include "modes.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+//! .
+enum GCM_TablesOption {GCM_2K_Tables, GCM_64K_Tables};
+
+//! .
+class CRYPTOPP_DLL CRYPTOPP_NO_VTABLE GCM_Base : public AuthenticatedSymmetricCipherBase
+{
+public:
+	// AuthenticatedSymmetricCipher
+	std::string AlgorithmName() const
+		{return GetBlockCipher().AlgorithmName() + std::string("/GCM");}
+	size_t MinKeyLength() const
+		{return GetBlockCipher().MinKeyLength();}
+	size_t MaxKeyLength() const
+		{return GetBlockCipher().MaxKeyLength();}
+	size_t DefaultKeyLength() const
+		{return GetBlockCipher().DefaultKeyLength();}
+	size_t GetValidKeyLength(size_t n) const
+		{return GetBlockCipher().GetValidKeyLength(n);}
+	bool IsValidKeyLength(size_t n) const
+		{return GetBlockCipher().IsValidKeyLength(n);}
+	unsigned int OptimalDataAlignment() const;
+	IV_Requirement IVRequirement() const
+		{return UNIQUE_IV;}
+	unsigned int IVSize() const
+		{return 12;}
+	unsigned int MinIVLength() const
+		{return 1;}
+	unsigned int MaxIVLength() const
+		{return UINT_MAX;}		// (W64LIT(1)<<61)-1 in the standard
+	unsigned int DigestSize() const
+		{return 16;}
+	lword MaxHeaderLength() const
+		{return (W64LIT(1)<<61)-1;}
+	lword MaxMessageLength() const
+		{return ((W64LIT(1)<<39)-256)/8;}
+
+protected:
+	// AuthenticatedSymmetricCipherBase
+	bool AuthenticationIsOnPlaintext() const
+		{return false;}
+	unsigned int AuthenticationBlockSize() const
+		{return HASH_BLOCKSIZE;}
+	void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs &params);
+	void Resync(const byte *iv, size_t len);
+	size_t AuthenticateBlocks(const byte *data, size_t len);
+	void AuthenticateLastHeaderBlock();
+	void AuthenticateLastConfidentialBlock();
+	void AuthenticateLastFooterBlock(byte *mac, size_t macSize);
+	SymmetricCipher & AccessSymmetricCipher() {return m_ctr;}
+
+	virtual BlockCipher & AccessBlockCipher() =0;
+	virtual GCM_TablesOption GetTablesOption() const =0;
+
+	const BlockCipher & GetBlockCipher() const {return const_cast<GCM_Base *>(this)->AccessBlockCipher();};
+	byte *HashBuffer() {return m_buffer+REQUIRED_BLOCKSIZE;}
+	byte *HashKey() {return m_buffer+2*REQUIRED_BLOCKSIZE;}
+	byte *MulTable() {return m_buffer+3*REQUIRED_BLOCKSIZE;}
+	inline void ReverseHashBufferIfNeeded();
+
+	class CRYPTOPP_DLL GCTR : public CTR_Mode_ExternalCipher::Encryption
+	{
+	protected:
+		void IncrementCounterBy256();
+	};
+
+	GCTR m_ctr;
+	static word16 s_reductionTable[256];
+	static volatile bool s_reductionTableInitialized;
+	enum {REQUIRED_BLOCKSIZE = 16, HASH_BLOCKSIZE = 16};
+};
+
+//! .
+template <class T_BlockCipher, GCM_TablesOption T_TablesOption, bool T_IsEncryption>
+class GCM_Final : public GCM_Base
+{
+public:
+	static std::string StaticAlgorithmName()
+		{return T_BlockCipher::StaticAlgorithmName() + std::string("/GCM");}
+	bool IsForwardTransformation() const
+		{return T_IsEncryption;}
+
+private:
+	GCM_TablesOption GetTablesOption() const {return T_TablesOption;}
+	BlockCipher & AccessBlockCipher() {return m_cipher;}
+	typename T_BlockCipher::Encryption m_cipher;
+};
+
+//! <a href="http://www.cryptolounge.org/wiki/GCM">GCM</a>
+template <class T_BlockCipher, GCM_TablesOption T_TablesOption=GCM_2K_Tables>
+struct GCM : public AuthenticatedSymmetricCipherDocumentation
+{
+	typedef GCM_Final<T_BlockCipher, T_TablesOption, true> Encryption;
+	typedef GCM_Final<T_BlockCipher, T_TablesOption, false> Decryption;
+};
+
+NAMESPACE_END
+
+#endif
diff --git a/CryptoPP/seed.cpp b/CryptoPP/seed.cpp
index 6c739b474..101902dce 100644
--- a/CryptoPP/seed.cpp
+++ b/CryptoPP/seed.cpp
@@ -1,104 +1,104 @@
-// seed.cpp - written and placed in the public domain by Wei Dai

-

-#include "pch.h"

-#include "seed.h"

-#include "misc.h"

-

-NAMESPACE_BEGIN(CryptoPP)

-

-static const word32 s_kc[16] = {

-	0x9e3779b9, 0x3c6ef373, 0x78dde6e6, 0xf1bbcdcc, 0xe3779b99, 0xc6ef3733, 0x8dde6e67, 0x1bbcdccf,

-	0x3779b99e, 0x6ef3733c, 0xdde6e678, 0xbbcdccf1, 0x779b99e3, 0xef3733c6, 0xde6e678d, 0xbcdccf1b};

-

-static const byte s_s0[256] = {

-	0xA9, 0x85, 0xD6, 0xD3, 0x54, 0x1D, 0xAC, 0x25, 0x5D, 0x43, 0x18, 0x1E, 0x51, 0xFC, 0xCA, 0x63, 0x28,

-	0x44, 0x20, 0x9D, 0xE0, 0xE2, 0xC8, 0x17, 0xA5, 0x8F, 0x03, 0x7B, 0xBB, 0x13, 0xD2, 0xEE, 0x70, 0x8C,

-	0x3F, 0xA8, 0x32, 0xDD, 0xF6, 0x74, 0xEC, 0x95, 0x0B, 0x57, 0x5C, 0x5B, 0xBD, 0x01, 0x24, 0x1C, 0x73,

-	0x98, 0x10, 0xCC, 0xF2, 0xD9, 0x2C, 0xE7, 0x72, 0x83, 0x9B, 0xD1, 0x86, 0xC9, 0x60, 0x50, 0xA3, 0xEB,

-	0x0D, 0xB6, 0x9E, 0x4F, 0xB7, 0x5A, 0xC6, 0x78, 0xA6, 0x12, 0xAF, 0xD5, 0x61, 0xC3, 0xB4, 0x41, 0x52,

-	0x7D, 0x8D, 0x08, 0x1F, 0x99, 0x00, 0x19, 0x04, 0x53, 0xF7, 0xE1, 0xFD, 0x76, 0x2F, 0x27, 0xB0, 0x8B,

-	0x0E, 0xAB, 0xA2, 0x6E, 0x93, 0x4D, 0x69, 0x7C, 0x09, 0x0A, 0xBF, 0xEF, 0xF3, 0xC5, 0x87, 0x14, 0xFE,

-	0x64, 0xDE, 0x2E, 0x4B, 0x1A, 0x06, 0x21, 0x6B, 0x66, 0x02, 0xF5, 0x92, 0x8A, 0x0C, 0xB3, 0x7E, 0xD0,

-	0x7A, 0x47, 0x96, 0xE5, 0x26, 0x80, 0xAD, 0xDF, 0xA1, 0x30, 0x37, 0xAE, 0x36, 0x15, 0x22, 0x38, 0xF4,

-	0xA7, 0x45, 0x4C, 0x81, 0xE9, 0x84, 0x97, 0x35, 0xCB, 0xCE, 0x3C, 0x71, 0x11, 0xC7, 0x89, 0x75, 0xFB,

-	0xDA, 0xF8, 0x94, 0x59, 0x82, 0xC4, 0xFF, 0x49, 0x39, 0x67, 0xC0, 0xCF, 0xD7, 0xB8, 0x0F, 0x8E, 0x42,

-	0x23, 0x91, 0x6C, 0xDB, 0xA4, 0x34, 0xF1, 0x48, 0xC2, 0x6F, 0x3D, 0x2D, 0x40, 0xBE, 0x3E, 0xBC, 0xC1,

-	0xAA, 0xBA, 0x4E, 0x55, 0x3B, 0xDC, 0x68, 0x7F, 0x9C, 0xD8, 0x4A, 0x56, 0x77, 0xA0, 0xED, 0x46, 0xB5,

-	0x2B, 0x65, 0xFA, 0xE3, 0xB9, 0xB1, 0x9F, 0x5E, 0xF9, 0xE6, 0xB2, 0x31, 0xEA, 0x6D, 0x5F, 0xE4, 0xF0,

-	0xCD, 0x88, 0x16, 0x3A, 0x58, 0xD4, 0x62, 0x29, 0x07, 0x33, 0xE8, 0x1B, 0x05, 0x79, 0x90, 0x6A, 0x2A,

-	0x9A};

-

-static const byte s_s1[256] = {

-	0x38, 0xE8, 0x2D, 0xA6, 0xCF, 0xDE, 0xB3, 0xB8, 0xAF, 0x60, 0x55, 0xC7, 0x44, 0x6F, 0x6B, 0x5B, 0xC3,

-	0x62, 0x33, 0xB5, 0x29, 0xA0, 0xE2, 0xA7, 0xD3, 0x91, 0x11, 0x06, 0x1C, 0xBC, 0x36, 0x4B, 0xEF, 0x88,

-	0x6C, 0xA8, 0x17, 0xC4, 0x16, 0xF4, 0xC2, 0x45, 0xE1, 0xD6, 0x3F, 0x3D, 0x8E, 0x98, 0x28, 0x4E, 0xF6,

-	0x3E, 0xA5, 0xF9, 0x0D, 0xDF, 0xD8, 0x2B, 0x66, 0x7A, 0x27, 0x2F, 0xF1, 0x72, 0x42, 0xD4, 0x41, 0xC0,

-	0x73, 0x67, 0xAC, 0x8B, 0xF7, 0xAD, 0x80, 0x1F, 0xCA, 0x2C, 0xAA, 0x34, 0xD2, 0x0B, 0xEE, 0xE9, 0x5D,

-	0x94, 0x18, 0xF8, 0x57, 0xAE, 0x08, 0xC5, 0x13, 0xCD, 0x86, 0xB9, 0xFF, 0x7D, 0xC1, 0x31, 0xF5, 0x8A,

-	0x6A, 0xB1, 0xD1, 0x20, 0xD7, 0x02, 0x22, 0x04, 0x68, 0x71, 0x07, 0xDB, 0x9D, 0x99, 0x61, 0xBE, 0xE6,

-	0x59, 0xDD, 0x51, 0x90, 0xDC, 0x9A, 0xA3, 0xAB, 0xD0, 0x81, 0x0F, 0x47, 0x1A, 0xE3, 0xEC, 0x8D, 0xBF,

-	0x96, 0x7B, 0x5C, 0xA2, 0xA1, 0x63, 0x23, 0x4D, 0xC8, 0x9E, 0x9C, 0x3A, 0x0C, 0x2E, 0xBA, 0x6E, 0x9F,

-	0x5A, 0xF2, 0x92, 0xF3, 0x49, 0x78, 0xCC, 0x15, 0xFB, 0x70, 0x75, 0x7F, 0x35, 0x10, 0x03, 0x64, 0x6D,

-	0xC6, 0x74, 0xD5, 0xB4, 0xEA, 0x09, 0x76, 0x19, 0xFE, 0x40, 0x12, 0xE0, 0xBD, 0x05, 0xFA, 0x01, 0xF0,

-	0x2A, 0x5E, 0xA9, 0x56, 0x43, 0x85, 0x14, 0x89, 0x9B, 0xB0, 0xE5, 0x48, 0x79, 0x97, 0xFC, 0x1E, 0x82,

-	0x21, 0x8C, 0x1B, 0x5F, 0x77, 0x54, 0xB2, 0x1D, 0x25, 0x4F, 0x00, 0x46, 0xED, 0x58, 0x52, 0xEB, 0x7E,

-	0xDA, 0xC9, 0xFD, 0x30, 0x95, 0x65, 0x3C, 0xB6, 0xE4, 0xBB, 0x7C, 0x0E, 0x50, 0x39, 0x26, 0x32, 0x84,

-	0x69, 0x93, 0x37, 0xE7, 0x24, 0xA4, 0xCB, 0x53, 0x0A, 0x87, 0xD9, 0x4C, 0x83, 0x8F, 0xCE, 0x3B, 0x4A,

-	0xB7};

-

-#define SS0(x) ((s_s0[x]*0x01010101UL) & 0x3FCFF3FC)

-#define SS1(x) ((s_s1[x]*0x01010101UL) & 0xFC3FCFF3)

-#define SS2(x) ((s_s0[x]*0x01010101UL) & 0xF3FC3FCF)

-#define SS3(x) ((s_s1[x]*0x01010101UL) & 0xCFF3FC3F)

-#define G(x) (SS0(GETBYTE(x, 0)) ^ SS1(GETBYTE(x, 1)) ^ SS2(GETBYTE(x, 2)) ^ SS3(GETBYTE(x, 3)))

-

-void SEED::Base::UncheckedSetKey(const byte *userKey, unsigned int length, const NameValuePairs &params)

-{

-	AssertValidKeyLength(length);

-

-	word64 key01, key23;

-	GetBlock<word64, BigEndian> get(userKey);

-	get(key01)(key23);

-	word32 *k = m_k;

-	size_t kInc = 2;

-	if (!IsForwardTransformation())

-	{

-		k = k+30;

-		kInc = 0-kInc;

-	}

-

-	for (int i=0; i<ROUNDS; i++)

-	{

-		word32 t0 = word32(key01>>32) + word32(key23>>32) - s_kc[i];

-		word32 t1 = word32(key01) - word32(key23) + s_kc[i];

-		k[0] = G(t0);

-		k[1] = G(t1);

-		k+=kInc;

-		if (i&1)

-			key23 = rotlFixed<word64>(key23, 8);

-		else

-			key01 = rotrFixed<word64>(key01, 8);

-	}

-}

-

-void SEED::Base::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const

-{

-	typedef BlockGetAndPut<word32, BigEndian> Block;

-	word32 a0, a1, b0, b1, t0, t1;

-	Block::Get(inBlock)(a0)(a1)(b0)(b1);

-

-	for (int i=0; i<ROUNDS; i+=2)

-	{

-		t0 = b0 ^ m_k[2*i+0]; t1 = b1 ^ m_k[2*i+1] ^ t0;

-		t1 = G(t1); t0 += t1; t0 = G(t0); t1 += t0; t1 = G(t1);

-		a0 ^= t0 + t1; a1 ^= t1;

-

-		t0 = a0 ^ m_k[2*i+2]; t1 = a1 ^ m_k[2*i+3] ^ t0;

-		t1 = G(t1); t0 += t1; t0 = G(t0); t1 += t0; t1 = G(t1);

-		b0 ^= t0 + t1; b1 ^= t1;

-	}

-

-	Block::Put(xorBlock, outBlock)(b0)(b1)(a0)(a1);

-}

-

-NAMESPACE_END

+// seed.cpp - written and placed in the public domain by Wei Dai
+
+#include "pch.h"
+#include "seed.h"
+#include "misc.h"
+
+NAMESPACE_BEGIN(CryptoPP)
+
+static const word32 s_kc[16] = {
+	0x9e3779b9, 0x3c6ef373, 0x78dde6e6, 0xf1bbcdcc, 0xe3779b99, 0xc6ef3733, 0x8dde6e67, 0x1bbcdccf,
+	0x3779b99e, 0x6ef3733c, 0xdde6e678, 0xbbcdccf1, 0x779b99e3, 0xef3733c6, 0xde6e678d, 0xbcdccf1b};
+
+static const byte s_s0[256] = {
+	0xA9, 0x85, 0xD6, 0xD3, 0x54, 0x1D, 0xAC, 0x25, 0x5D, 0x43, 0x18, 0x1E, 0x51, 0xFC, 0xCA, 0x63, 0x28,
+	0x44, 0x20, 0x9D, 0xE0, 0xE2, 0xC8, 0x17, 0xA5, 0x8F, 0x03, 0x7B, 0xBB, 0x13, 0xD2, 0xEE, 0x70, 0x8C,
+	0x3F, 0xA8, 0x32, 0xDD, 0xF6, 0x74, 0xEC, 0x95, 0x0B, 0x57, 0x5C, 0x5B, 0xBD, 0x01, 0x24, 0x1C, 0x73,
+	0x98, 0x10, 0xCC, 0xF2, 0xD9, 0x2C, 0xE7, 0x72, 0x83, 0x9B, 0xD1, 0x86, 0xC9, 0x60, 0x50, 0xA3, 0xEB,
+	0x0D, 0xB6, 0x9E, 0x4F, 0xB7, 0x5A, 0xC6, 0x78, 0xA6, 0x12, 0xAF, 0xD5, 0x61, 0xC3, 0xB4, 0x41, 0x52,
+	0x7D, 0x8D, 0x08, 0x1F, 0x99, 0x00, 0x19, 0x04, 0x53, 0xF7, 0xE1, 0xFD, 0x76, 0x2F, 0x27, 0xB0, 0x8B,
+	0x0E, 0xAB, 0xA2, 0x6E, 0x93, 0x4D, 0x69, 0x7C, 0x09, 0x0A, 0xBF, 0xEF, 0xF3, 0xC5, 0x87, 0x14, 0xFE,
+	0x64, 0xDE, 0x2E, 0x4B, 0x1A, 0x06, 0x21, 0x6B, 0x66, 0x02, 0xF5, 0x92, 0x8A, 0x0C, 0xB3, 0x7E, 0xD0,
+	0x7A, 0x47, 0x96, 0xE5, 0x26, 0x80, 0xAD, 0xDF, 0xA1, 0x30, 0x37, 0xAE, 0x36, 0x15, 0x22, 0x38, 0xF4,
+	0xA7, 0x45, 0x4C, 0x81, 0xE9, 0x84, 0x97, 0x35, 0xCB, 0xCE, 0x3C, 0x71, 0x11, 0xC7, 0x89, 0x75, 0xFB,
+	0xDA, 0xF8, 0x94, 0x59, 0x82, 0xC4, 0xFF, 0x49, 0x39, 0x67, 0xC0, 0xCF, 0xD7, 0xB8, 0x0F, 0x8E, 0x42,
+	0x23, 0x91, 0x6C, 0xDB, 0xA4, 0x34, 0xF1, 0x48, 0xC2, 0x6F, 0x3D, 0x2D, 0x40, 0xBE, 0x3E, 0xBC, 0xC1,
+	0xAA, 0xBA, 0x4E, 0x55, 0x3B, 0xDC, 0x68, 0x7F, 0x9C, 0xD8, 0x4A, 0x56, 0x77, 0xA0, 0xED, 0x46, 0xB5,
+	0x2B, 0x65, 0xFA, 0xE3, 0xB9, 0xB1, 0x9F, 0x5E, 0xF9, 0xE6, 0xB2, 0x31, 0xEA, 0x6D, 0x5F, 0xE4, 0xF0,
+	0xCD, 0x88, 0x16, 0x3A, 0x58, 0xD4, 0x62, 0x29, 0x07, 0x33, 0xE8, 0x1B, 0x05, 0x79, 0x90, 0x6A, 0x2A,
+	0x9A};
+
+static const byte s_s1[256] = {
+	0x38, 0xE8, 0x2D, 0xA6, 0xCF, 0xDE, 0xB3, 0xB8, 0xAF, 0x60, 0x55, 0xC7, 0x44, 0x6F, 0x6B, 0x5B, 0xC3,
+	0x62, 0x33, 0xB5, 0x29, 0xA0, 0xE2, 0xA7, 0xD3, 0x91, 0x11, 0x06, 0x1C, 0xBC, 0x36, 0x4B, 0xEF, 0x88,
+	0x6C, 0xA8, 0x17, 0xC4, 0x16, 0xF4, 0xC2, 0x45, 0xE1, 0xD6, 0x3F, 0x3D, 0x8E, 0x98, 0x28, 0x4E, 0xF6,
+	0x3E, 0xA5, 0xF9, 0x0D, 0xDF, 0xD8, 0x2B, 0x66, 0x7A, 0x27, 0x2F, 0xF1, 0x72, 0x42, 0xD4, 0x41, 0xC0,
+	0x73, 0x67, 0xAC, 0x8B, 0xF7, 0xAD, 0x80, 0x1F, 0xCA, 0x2C, 0xAA, 0x34, 0xD2, 0x0B, 0xEE, 0xE9, 0x5D,
+	0x94, 0x18, 0xF8, 0x57, 0xAE, 0x08, 0xC5, 0x13, 0xCD, 0x86, 0xB9, 0xFF, 0x7D, 0xC1, 0x31, 0xF5, 0x8A,
+	0x6A, 0xB1, 0xD1, 0x20, 0xD7, 0x02, 0x22, 0x04, 0x68, 0x71, 0x07, 0xDB, 0x9D, 0x99, 0x61, 0xBE, 0xE6,
+	0x59, 0xDD, 0x51, 0x90, 0xDC, 0x9A, 0xA3, 0xAB, 0xD0, 0x81, 0x0F, 0x47, 0x1A, 0xE3, 0xEC, 0x8D, 0xBF,
+	0x96, 0x7B, 0x5C, 0xA2, 0xA1, 0x63, 0x23, 0x4D, 0xC8, 0x9E, 0x9C, 0x3A, 0x0C, 0x2E, 0xBA, 0x6E, 0x9F,
+	0x5A, 0xF2, 0x92, 0xF3, 0x49, 0x78, 0xCC, 0x15, 0xFB, 0x70, 0x75, 0x7F, 0x35, 0x10, 0x03, 0x64, 0x6D,
+	0xC6, 0x74, 0xD5, 0xB4, 0xEA, 0x09, 0x76, 0x19, 0xFE, 0x40, 0x12, 0xE0, 0xBD, 0x05, 0xFA, 0x01, 0xF0,
+	0x2A, 0x5E, 0xA9, 0x56, 0x43, 0x85, 0x14, 0x89, 0x9B, 0xB0, 0xE5, 0x48, 0x79, 0x97, 0xFC, 0x1E, 0x82,
+	0x21, 0x8C, 0x1B, 0x5F, 0x77, 0x54, 0xB2, 0x1D, 0x25, 0x4F, 0x00, 0x46, 0xED, 0x58, 0x52, 0xEB, 0x7E,
+	0xDA, 0xC9, 0xFD, 0x30, 0x95, 0x65, 0x3C, 0xB6, 0xE4, 0xBB, 0x7C, 0x0E, 0x50, 0x39, 0x26, 0x32, 0x84,
+	0x69, 0x93, 0x37, 0xE7, 0x24, 0xA4, 0xCB, 0x53, 0x0A, 0x87, 0xD9, 0x4C, 0x83, 0x8F, 0xCE, 0x3B, 0x4A,
+	0xB7};
+
+#define SS0(x) ((s_s0[x]*0x01010101UL) & 0x3FCFF3FC)
+#define SS1(x) ((s_s1[x]*0x01010101UL) & 0xFC3FCFF3)
+#define SS2(x) ((s_s0[x]*0x01010101UL) & 0xF3FC3FCF)
+#define SS3(x) ((s_s1[x]*0x01010101UL) & 0xCFF3FC3F)
+#define G(x) (SS0(GETBYTE(x, 0)) ^ SS1(GETBYTE(x, 1)) ^ SS2(GETBYTE(x, 2)) ^ SS3(GETBYTE(x, 3)))
+
+void SEED::Base::UncheckedSetKey(const byte *userKey, unsigned int length, const NameValuePairs &params)
+{
+	AssertValidKeyLength(length);
+
+	word64 key01, key23;
+	GetBlock<word64, BigEndian> get(userKey);
+	get(key01)(key23);
+	word32 *k = m_k;
+	size_t kInc = 2;
+	if (!IsForwardTransformation())
+	{
+		k = k+30;
+		kInc = 0-kInc;
+	}
+
+	for (int i=0; i<ROUNDS; i++)
+	{
+		word32 t0 = word32(key01>>32) + word32(key23>>32) - s_kc[i];
+		word32 t1 = word32(key01) - word32(key23) + s_kc[i];
+		k[0] = G(t0);
+		k[1] = G(t1);
+		k+=kInc;
+		if (i&1)
+			key23 = rotlFixed<word64>(key23, 8);
+		else
+			key01 = rotrFixed<word64>(key01, 8);
+	}
+}
+
+void SEED::Base::ProcessAndXorBlock(const byte *inBlock, const byte *xorBlock, byte *outBlock) const
+{
+	typedef BlockGetAndPut<word32, BigEndian> Block;
+	word32 a0, a1, b0, b1, t0, t1;
+	Block::Get(inBlock)(a0)(a1)(b0)(b1);
+
+	for (int i=0; i<ROUNDS; i+=2)
+	{
+		t0 = b0 ^ m_k[2*i+0]; t1 = b1 ^ m_k[2*i+1] ^ t0;
+		t1 = G(t1); t0 += t1; t0 = G(t0); t1 += t0; t1 = G(t1);
+		a0 ^= t0 + t1; a1 ^= t1;
+
+		t0 = a0 ^ m_k[2*i+2]; t1 = a1 ^ m_k[2*i+3] ^ t0;
+		t1 = G(t1); t0 += t1; t0 = G(t0); t1 += t0; t1 = G(t1);
+		b0 ^= t0 + t1; b1 ^= t1;
+	}
+
+	Block::Put(xorBlock, outBlock)(b0)(b1)(a0)(a1);
+}
+
+NAMESPACE_END