Project import
diff --git a/libmincrypt/Android.mk b/libmincrypt/Android.mk
new file mode 100644
index 0000000..7906986
--- /dev/null
+++ b/libmincrypt/Android.mk
@@ -0,0 +1,18 @@
+# Copyright 2008 The Android Open Source Project
+#
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := libmincrypt
+LOCAL_SRC_FILES := dsa_sig.c p256.c p256_ec.c p256_ecdsa.c rsa.c sha.c sha256.c
+LOCAL_CFLAGS := -Wall -Werror
+include $(BUILD_STATIC_LIBRARY)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := libmincrypt
+LOCAL_SRC_FILES := dsa_sig.c p256.c p256_ec.c p256_ecdsa.c rsa.c sha.c sha256.c
+LOCAL_CFLAGS := -Wall -Werror
+include $(BUILD_HOST_STATIC_LIBRARY)
+
+include $(LOCAL_PATH)/tools/Android.mk \
+        $(LOCAL_PATH)/test/Android.mk
diff --git a/libmincrypt/NOTICE b/libmincrypt/NOTICE
new file mode 100644
index 0000000..430d3d6
--- /dev/null
+++ b/libmincrypt/NOTICE
@@ -0,0 +1,23 @@
+ Copyright 2008, The Android Open Source Project
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+     * Redistributions of source code must retain the above copyright
+       notice, this list of conditions and the following disclaimer.
+     * Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+     * Neither the name of Google Inc. nor the names of its contributors may
+       be used to endorse or promote products derived from this software
+       without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR 
+ IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 
+ EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 
+ OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+ OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/libmincrypt/dsa_sig.c b/libmincrypt/dsa_sig.c
new file mode 100644
index 0000000..101314b
--- /dev/null
+++ b/libmincrypt/dsa_sig.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright 2013 The Android Open Source Project
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *     * Neither the name of Google Inc. nor the names of its contributors may
+ *       be used to endorse or promote products derived from this software
+ *       without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+ * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <string.h>
+
+#include "mincrypt/dsa_sig.h"
+#include "mincrypt/p256.h"
+
+/**
+ * Trims off the leading zero bytes and copy it to a buffer aligning it to the end.
+ */
+static inline int trim_to_p256_bytes(unsigned char dst[P256_NBYTES], unsigned char *src,
+        int src_len) {
+    int dst_offset;
+    while (*src == '\0' && src_len > 0) {
+        src++;
+        src_len--;
+    }
+    if (src_len > P256_NBYTES || src_len < 1) {
+        return 0;
+    }
+    dst_offset = P256_NBYTES - src_len;
+    memset(dst, 0, dst_offset);
+    memcpy(dst + dst_offset, src, src_len);
+    return 1;
+}
+
+/**
+ * Unpacks the ASN.1 DSA signature sequence.
+ */
+int dsa_sig_unpack(unsigned char* sig, int sig_len, p256_int* r_int, p256_int* s_int) {
+    /*
+     * Structure is:
+     *   0x30 0xNN  SEQUENCE + s_length
+     *     0x02 0xNN  INTEGER + r_length
+     *       0xAA 0xBB ..   r_length bytes of "r" (offset 4)
+     *     0x02 0xNN  INTEGER + s_length
+     *       0xMM 0xNN ..   s_length bytes of "s" (offset 6 + r_len)
+     */
+    int seq_len;
+    unsigned char r_bytes[P256_NBYTES];
+    unsigned char s_bytes[P256_NBYTES];
+    int r_len;
+    int s_len;
+
+    memset(r_bytes, 0, sizeof(r_bytes));
+    memset(s_bytes, 0, sizeof(s_bytes));
+
+    /*
+     * Must have at least:
+     * 2 bytes sequence header and length
+     * 2 bytes R integer header and length
+     * 1 byte of R
+     * 2 bytes S integer header and length
+     * 1 byte of S
+     *
+     * 8 bytes total
+     */
+    if (sig_len < 8 || sig[0] != 0x30 || sig[2] != 0x02) {
+        return 0;
+    }
+
+    seq_len = sig[1];
+    if ((seq_len <= 0) || (seq_len + 2 != sig_len)) {
+        return 0;
+    }
+
+    r_len = sig[3];
+    /*
+     * Must have at least:
+     * 2 bytes for R header and length
+     * 2 bytes S integer header and length
+     * 1 byte of S
+     */
+    if ((r_len < 1) || (r_len > seq_len - 5) || (sig[4 + r_len] != 0x02)) {
+        return 0;
+    }
+    s_len = sig[5 + r_len];
+
+    /**
+     * Must have:
+     * 2 bytes for R header and length
+     * r_len bytes for R
+     * 2 bytes S integer header and length
+     */
+    if ((s_len < 1) || (s_len != seq_len - 4 - r_len)) {
+        return 0;
+    }
+
+    /*
+     * ASN.1 encoded integers are zero-padded for positive integers. Make sure we have
+     * a correctly-sized buffer and that the resulting integer isn't too large.
+     */
+    if (!trim_to_p256_bytes(r_bytes, &sig[4], r_len)
+            || !trim_to_p256_bytes(s_bytes, &sig[6 + r_len], s_len)) {
+        return 0;
+    }
+
+    p256_from_bin(r_bytes, r_int);
+    p256_from_bin(s_bytes, s_int);
+
+    return 1;
+}
diff --git a/libmincrypt/p256.c b/libmincrypt/p256.c
new file mode 100644
index 0000000..555a07a
--- /dev/null
+++ b/libmincrypt/p256.c
@@ -0,0 +1,373 @@
+/*
+ * Copyright 2013 The Android Open Source Project
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *     * Neither the name of Google Inc. nor the names of its contributors may
+ *       be used to endorse or promote products derived from this software
+ *       without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+ * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+// This is an implementation of the P256 elliptic curve group. It's written to
+// be portable 32-bit, although it's still constant-time.
+//
+// WARNING: Implementing these functions in a constant-time manner is far from
+//          obvious. Be careful when touching this code.
+//
+// See http://www.imperialviolet.org/2010/12/04/ecc.html ([1]) for background.
+
+#include <assert.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "mincrypt/p256.h"
+
+const p256_int SECP256r1_n =  // curve order
+  {{0xfc632551, 0xf3b9cac2, 0xa7179e84, 0xbce6faad, -1, -1, 0, -1}};
+
+const p256_int SECP256r1_p =  // curve field size
+  {{-1, -1, -1, 0, 0, 0, 1, -1 }};
+
+const p256_int SECP256r1_b =  // curve b
+  {{0x27d2604b, 0x3bce3c3e, 0xcc53b0f6, 0x651d06b0,
+    0x769886bc, 0xb3ebbd55, 0xaa3a93e7, 0x5ac635d8}};
+
+void p256_init(p256_int* a) {
+  memset(a, 0, sizeof(*a));
+}
+
+void p256_clear(p256_int* a) { p256_init(a); }
+
+int p256_get_bit(const p256_int* scalar, int bit) {
+  return (P256_DIGIT(scalar, bit / P256_BITSPERDIGIT)
+              >> (bit & (P256_BITSPERDIGIT - 1))) & 1;
+}
+
+int p256_is_zero(const p256_int* a) {
+  int i, result = 0;
+  for (i = 0; i < P256_NDIGITS; ++i) result |= P256_DIGIT(a, i);
+  return !result;
+}
+
+// top, c[] += a[] * b
+// Returns new top
+static p256_digit mulAdd(const p256_int* a,
+                         p256_digit b,
+                         p256_digit top,
+                         p256_digit* c) {
+  int i;
+  p256_ddigit carry = 0;
+
+  for (i = 0; i < P256_NDIGITS; ++i) {
+    carry += *c;
+    carry += (p256_ddigit)P256_DIGIT(a, i) * b;
+    *c++ = (p256_digit)carry;
+    carry >>= P256_BITSPERDIGIT;
+  }
+  return top + (p256_digit)carry;
+}
+
+// top, c[] -= top_a, a[]
+static p256_digit subTop(p256_digit top_a,
+                         const p256_digit* a,
+                         p256_digit top_c,
+                         p256_digit* c) {
+  int i;
+  p256_sddigit borrow = 0;
+
+  for (i = 0; i < P256_NDIGITS; ++i) {
+    borrow += *c;
+    borrow -= *a++;
+    *c++ = (p256_digit)borrow;
+    borrow >>= P256_BITSPERDIGIT;
+  }
+  borrow += top_c;
+  borrow -= top_a;
+  top_c = (p256_digit)borrow;
+  assert((borrow >> P256_BITSPERDIGIT) == 0);
+  return top_c;
+}
+
+// top, c[] -= MOD[] & mask (0 or -1)
+// returns new top.
+static p256_digit subM(const p256_int* MOD,
+                       p256_digit top,
+                       p256_digit* c,
+                       p256_digit mask) {
+  int i;
+  p256_sddigit borrow = 0;
+  for (i = 0; i < P256_NDIGITS; ++i) {
+    borrow += *c;
+    borrow -= P256_DIGIT(MOD, i) & mask;
+    *c++ = (p256_digit)borrow;
+    borrow >>= P256_BITSPERDIGIT;
+  }
+  return top + (p256_digit)borrow;
+}
+
+// top, c[] += MOD[] & mask (0 or -1)
+// returns new top.
+static p256_digit addM(const p256_int* MOD,
+                       p256_digit top,
+                       p256_digit* c,
+                       p256_digit mask) {
+  int i;
+  p256_ddigit carry = 0;
+  for (i = 0; i < P256_NDIGITS; ++i) {
+    carry += *c;
+    carry += P256_DIGIT(MOD, i) & mask;
+    *c++ = (p256_digit)carry;
+    carry >>= P256_BITSPERDIGIT;
+  }
+  return top + (p256_digit)carry;
+}
+
+// c = a * b mod MOD. c can be a and/or b.
+void p256_modmul(const p256_int* MOD,
+                 const p256_int* a,
+                 const p256_digit top_b,
+                 const p256_int* b,
+                 p256_int* c) {
+  p256_digit tmp[P256_NDIGITS * 2 + 1] = { 0 };
+  p256_digit top = 0;
+  int i;
+
+  // Multiply/add into tmp.
+  for (i = 0; i < P256_NDIGITS; ++i) {
+    if (i) tmp[i + P256_NDIGITS - 1] = top;
+    top = mulAdd(a, P256_DIGIT(b, i), 0, tmp + i);
+  }
+
+  // Multiply/add top digit
+  tmp[i + P256_NDIGITS - 1] = top;
+  top = mulAdd(a, top_b, 0, tmp + i);
+
+  // Reduce tmp, digit by digit.
+  for (; i >= 0; --i) {
+    p256_digit reducer[P256_NDIGITS] = { 0 };
+    p256_digit top_reducer;
+
+    // top can be any value at this point.
+    // Guestimate reducer as top * MOD, since msw of MOD is -1.
+    top_reducer = mulAdd(MOD, top, 0, reducer);
+
+    // Subtract reducer from top | tmp.
+    top = subTop(top_reducer, reducer, top, tmp + i);
+
+    // top is now either 0 or 1. Make it 0, fixed-timing.
+    assert(top <= 1);
+
+    top = subM(MOD, top, tmp + i, ~(top - 1));
+
+    assert(top == 0);
+
+    // We have now reduced the top digit off tmp. Fetch new top digit.
+    top = tmp[i + P256_NDIGITS - 1];
+  }
+
+  // tmp might still be larger than MOD, yet same bit length.
+  // Make sure it is less, fixed-timing.
+  addM(MOD, 0, tmp, subM(MOD, 0, tmp, -1));
+
+  memcpy(c, tmp, P256_NBYTES);
+}
+int p256_is_odd(const p256_int* a) { return P256_DIGIT(a, 0) & 1; }
+int p256_is_even(const p256_int* a) { return !(P256_DIGIT(a, 0) & 1); }
+
+p256_digit p256_shl(const p256_int* a, int n, p256_int* b) {
+  int i;
+  p256_digit top = P256_DIGIT(a, P256_NDIGITS - 1);
+
+  n %= P256_BITSPERDIGIT;
+  for (i = P256_NDIGITS - 1; i > 0; --i) {
+    p256_digit accu = (P256_DIGIT(a, i) << n);
+    accu |= (P256_DIGIT(a, i - 1) >> (P256_BITSPERDIGIT - n));
+    P256_DIGIT(b, i) = accu;
+  }
+  P256_DIGIT(b, i) = (P256_DIGIT(a, i) << n);
+
+  top = (p256_digit)((((p256_ddigit)top) << n) >> P256_BITSPERDIGIT);
+
+  return top;
+}
+
+void p256_shr(const p256_int* a, int n, p256_int* b) {
+  int i;
+
+  n %= P256_BITSPERDIGIT;
+  for (i = 0; i < P256_NDIGITS - 1; ++i) {
+    p256_digit accu = (P256_DIGIT(a, i) >> n);
+    accu |= (P256_DIGIT(a, i + 1) << (P256_BITSPERDIGIT - n));
+    P256_DIGIT(b, i) = accu;
+  }
+  P256_DIGIT(b, i) = (P256_DIGIT(a, i) >> n);
+}
+
+static void p256_shr1(const p256_int* a, int highbit, p256_int* b) {
+  int i;
+
+  for (i = 0; i < P256_NDIGITS - 1; ++i) {
+    p256_digit accu = (P256_DIGIT(a, i) >> 1);
+    accu |= (P256_DIGIT(a, i + 1) << (P256_BITSPERDIGIT - 1));
+    P256_DIGIT(b, i) = accu;
+  }
+  P256_DIGIT(b, i) = (P256_DIGIT(a, i) >> 1) |
+      (highbit << (P256_BITSPERDIGIT - 1));
+}
+
+// Return -1, 0, 1 for a < b, a == b or a > b respectively.
+int p256_cmp(const p256_int* a, const p256_int* b) {
+  int i;
+  p256_sddigit borrow = 0;
+  p256_digit notzero = 0;
+
+  for (i = 0; i < P256_NDIGITS; ++i) {
+    borrow += (p256_sddigit)P256_DIGIT(a, i) - P256_DIGIT(b, i);
+    // Track whether any result digit is ever not zero.
+    // Relies on !!(non-zero) evaluating to 1, e.g., !!(-1) evaluating to 1.
+    notzero |= !!((p256_digit)borrow);
+    borrow >>= P256_BITSPERDIGIT;
+  }
+  return (int)borrow | notzero;
+}
+
+// c = a - b. Returns borrow: 0 or -1.
+int p256_sub(const p256_int* a, const p256_int* b, p256_int* c) {
+  int i;
+  p256_sddigit borrow = 0;
+
+  for (i = 0; i < P256_NDIGITS; ++i) {
+    borrow += (p256_sddigit)P256_DIGIT(a, i) - P256_DIGIT(b, i);
+    if (c) P256_DIGIT(c, i) = (p256_digit)borrow;
+    borrow >>= P256_BITSPERDIGIT;
+  }
+  return (int)borrow;
+}
+
+// c = a + b. Returns carry: 0 or 1.
+int p256_add(const p256_int* a, const p256_int* b, p256_int* c) {
+  int i;
+  p256_ddigit carry = 0;
+
+  for (i = 0; i < P256_NDIGITS; ++i) {
+    carry += (p256_ddigit)P256_DIGIT(a, i) + P256_DIGIT(b, i);
+    if (c) P256_DIGIT(c, i) = (p256_digit)carry;
+    carry >>= P256_BITSPERDIGIT;
+  }
+  return (int)carry;
+}
+
+// b = a + d. Returns carry, 0 or 1.
+int p256_add_d(const p256_int* a, p256_digit d, p256_int* b) {
+  int i;
+  p256_ddigit carry = d;
+
+  for (i = 0; i < P256_NDIGITS; ++i) {
+    carry += (p256_ddigit)P256_DIGIT(a, i);
+    if (b) P256_DIGIT(b, i) = (p256_digit)carry;
+    carry >>= P256_BITSPERDIGIT;
+  }
+  return (int)carry;
+}
+
+// b = 1/a mod MOD, binary euclid.
+void p256_modinv_vartime(const p256_int* MOD,
+                         const p256_int* a,
+                         p256_int* b) {
+  p256_int R = P256_ZERO;
+  p256_int S = P256_ONE;
+  p256_int U = *MOD;
+  p256_int V = *a;
+
+  for (;;) {
+    if (p256_is_even(&U)) {
+      p256_shr1(&U, 0, &U);
+      if (p256_is_even(&R)) {
+        p256_shr1(&R, 0, &R);
+      } else {
+        // R = (R+MOD)/2
+        p256_shr1(&R, p256_add(&R, MOD, &R), &R);
+      }
+    } else if (p256_is_even(&V)) {
+      p256_shr1(&V, 0, &V);
+      if (p256_is_even(&S)) {
+        p256_shr1(&S, 0, &S);
+      } else {
+        // S = (S+MOD)/2
+        p256_shr1(&S, p256_add(&S, MOD, &S) , &S);
+      }
+    } else {  // U,V both odd.
+      if (!p256_sub(&V, &U, NULL)) {
+        p256_sub(&V, &U, &V);
+        if (p256_sub(&S, &R, &S)) p256_add(&S, MOD, &S);
+        if (p256_is_zero(&V)) break;  // done.
+      } else {
+        p256_sub(&U, &V, &U);
+        if (p256_sub(&R, &S, &R)) p256_add(&R, MOD, &R);
+      }
+    }
+  }
+
+  p256_mod(MOD, &R, b);
+}
+
+void p256_mod(const p256_int* MOD,
+              const p256_int* in,
+              p256_int* out) {
+  if (out != in) *out = *in;
+  addM(MOD, 0, P256_DIGITS(out), subM(MOD, 0, P256_DIGITS(out), -1));
+}
+
+// Verify y^2 == x^3 - 3x + b mod p
+// and 0 < x < p and 0 < y < p
+int p256_is_valid_point(const p256_int* x, const p256_int* y) {
+  p256_int y2, x3;
+
+  if (p256_cmp(&SECP256r1_p, x) <= 0 ||
+      p256_cmp(&SECP256r1_p, y) <= 0 ||
+      p256_is_zero(x) ||
+      p256_is_zero(y)) return 0;
+
+  p256_modmul(&SECP256r1_p, y, 0, y, &y2);  // y^2
+
+  p256_modmul(&SECP256r1_p, x, 0, x, &x3);  // x^2
+  p256_modmul(&SECP256r1_p, x, 0, &x3, &x3);  // x^3
+  if (p256_sub(&x3, x, &x3)) p256_add(&x3, &SECP256r1_p, &x3);  // x^3 - x
+  if (p256_sub(&x3, x, &x3)) p256_add(&x3, &SECP256r1_p, &x3);  // x^3 - 2x
+  if (p256_sub(&x3, x, &x3)) p256_add(&x3, &SECP256r1_p, &x3);  // x^3 - 3x
+  if (p256_add(&x3, &SECP256r1_b, &x3))  // x^3 - 3x + b
+    p256_sub(&x3, &SECP256r1_p, &x3);
+
+  return p256_cmp(&y2, &x3) == 0;
+}
+
+void p256_from_bin(const uint8_t src[P256_NBYTES], p256_int* dst) {
+  int i;
+  const uint8_t* p = &src[0];
+
+  for (i = P256_NDIGITS - 1; i >= 0; --i) {
+    P256_DIGIT(dst, i) =
+        (p[0] << 24) |
+        (p[1] << 16) |
+        (p[2] << 8) |
+        p[3];
+    p += 4;
+  }
+}
diff --git a/libmincrypt/p256_ec.c b/libmincrypt/p256_ec.c
new file mode 100644
index 0000000..90262cc
--- /dev/null
+++ b/libmincrypt/p256_ec.c
@@ -0,0 +1,1279 @@
+/*
+ * Copyright 2013 The Android Open Source Project
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *     * Neither the name of Google Inc. nor the names of its contributors may
+ *       be used to endorse or promote products derived from this software
+ *       without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+ * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+// This is an implementation of the P256 elliptic curve group. It's written to
+// be portable 32-bit, although it's still constant-time.
+//
+// WARNING: Implementing these functions in a constant-time manner is far from
+//          obvious. Be careful when touching this code.
+//
+// See http://www.imperialviolet.org/2010/12/04/ecc.html ([1]) for background.
+
+#include <stdint.h>
+#include <stdio.h>
+
+#include <string.h>
+#include <stdlib.h>
+
+#include "mincrypt/p256.h"
+
+typedef uint8_t u8;
+typedef uint32_t u32;
+typedef int32_t s32;
+typedef uint64_t u64;
+
+/* Our field elements are represented as nine 32-bit limbs.
+ *
+ * The value of an felem (field element) is:
+ *   x[0] + (x[1] * 2**29) + (x[2] * 2**57) + ... + (x[8] * 2**228)
+ *
+ * That is, each limb is alternately 29 or 28-bits wide in little-endian
+ * order.
+ *
+ * This means that an felem hits 2**257, rather than 2**256 as we would like. A
+ * 28, 29, ... pattern would cause us to hit 2**256, but that causes problems
+ * when multiplying as terms end up one bit short of a limb which would require
+ * much bit-shifting to correct.
+ *
+ * Finally, the values stored in an felem are in Montgomery form. So the value
+ * |y| is stored as (y*R) mod p, where p is the P-256 prime and R is 2**257.
+ */
+typedef u32 limb;
+#define NLIMBS 9
+typedef limb felem[NLIMBS];
+
+static const limb kBottom28Bits = 0xfffffff;
+static const limb kBottom29Bits = 0x1fffffff;
+
+/* kOne is the number 1 as an felem. It's 2**257 mod p split up into 29 and
+ * 28-bit words. */
+static const felem kOne = {
+    2, 0, 0, 0xffff800,
+    0x1fffffff, 0xfffffff, 0x1fbfffff, 0x1ffffff,
+    0
+};
+static const felem kZero = {0};
+static const felem kP = {
+    0x1fffffff, 0xfffffff, 0x1fffffff, 0x3ff,
+    0, 0, 0x200000, 0xf000000,
+    0xfffffff
+};
+static const felem k2P = {
+    0x1ffffffe, 0xfffffff, 0x1fffffff, 0x7ff,
+    0, 0, 0x400000, 0xe000000,
+    0x1fffffff
+};
+/* kPrecomputed contains precomputed values to aid the calculation of scalar
+ * multiples of the base point, G. It's actually two, equal length, tables
+ * concatenated.
+ *
+ * The first table contains (x,y) felem pairs for 16 multiples of the base
+ * point, G.
+ *
+ *   Index  |  Index (binary) | Value
+ *       0  |           0000  | 0G (all zeros, omitted)
+ *       1  |           0001  | G
+ *       2  |           0010  | 2**64G
+ *       3  |           0011  | 2**64G + G
+ *       4  |           0100  | 2**128G
+ *       5  |           0101  | 2**128G + G
+ *       6  |           0110  | 2**128G + 2**64G
+ *       7  |           0111  | 2**128G + 2**64G + G
+ *       8  |           1000  | 2**192G
+ *       9  |           1001  | 2**192G + G
+ *      10  |           1010  | 2**192G + 2**64G
+ *      11  |           1011  | 2**192G + 2**64G + G
+ *      12  |           1100  | 2**192G + 2**128G
+ *      13  |           1101  | 2**192G + 2**128G + G
+ *      14  |           1110  | 2**192G + 2**128G + 2**64G
+ *      15  |           1111  | 2**192G + 2**128G + 2**64G + G
+ *
+ * The second table follows the same style, but the terms are 2**32G,
+ * 2**96G, 2**160G, 2**224G.
+ *
+ * This is ~2KB of data. */
+static const limb kPrecomputed[NLIMBS * 2 * 15 * 2] = {
+    0x11522878, 0xe730d41, 0xdb60179, 0x4afe2ff, 0x12883add, 0xcaddd88, 0x119e7edc, 0xd4a6eab, 0x3120bee,
+    0x1d2aac15, 0xf25357c, 0x19e45cdd, 0x5c721d0, 0x1992c5a5, 0xa237487, 0x154ba21, 0x14b10bb, 0xae3fe3,
+    0xd41a576, 0x922fc51, 0x234994f, 0x60b60d3, 0x164586ae, 0xce95f18, 0x1fe49073, 0x3fa36cc, 0x5ebcd2c,
+    0xb402f2f, 0x15c70bf, 0x1561925c, 0x5a26704, 0xda91e90, 0xcdc1c7f, 0x1ea12446, 0xe1ade1e, 0xec91f22,
+    0x26f7778, 0x566847e, 0xa0bec9e, 0x234f453, 0x1a31f21a, 0xd85e75c, 0x56c7109, 0xa267a00, 0xb57c050,
+    0x98fb57, 0xaa837cc, 0x60c0792, 0xcfa5e19, 0x61bab9e, 0x589e39b, 0xa324c5, 0x7d6dee7, 0x2976e4b,
+    0x1fc4124a, 0xa8c244b, 0x1ce86762, 0xcd61c7e, 0x1831c8e0, 0x75774e1, 0x1d96a5a9, 0x843a649, 0xc3ab0fa,
+    0x6e2e7d5, 0x7673a2a, 0x178b65e8, 0x4003e9b, 0x1a1f11c2, 0x7816ea, 0xf643e11, 0x58c43df, 0xf423fc2,
+    0x19633ffa, 0x891f2b2, 0x123c231c, 0x46add8c, 0x54700dd, 0x59e2b17, 0x172db40f, 0x83e277d, 0xb0dd609,
+    0xfd1da12, 0x35c6e52, 0x19ede20c, 0xd19e0c0, 0x97d0f40, 0xb015b19, 0x449e3f5, 0xe10c9e, 0x33ab581,
+    0x56a67ab, 0x577734d, 0x1dddc062, 0xc57b10d, 0x149b39d, 0x26a9e7b, 0xc35df9f, 0x48764cd, 0x76dbcca,
+    0xca4b366, 0xe9303ab, 0x1a7480e7, 0x57e9e81, 0x1e13eb50, 0xf466cf3, 0x6f16b20, 0x4ba3173, 0xc168c33,
+    0x15cb5439, 0x6a38e11, 0x73658bd, 0xb29564f, 0x3f6dc5b, 0x53b97e, 0x1322c4c0, 0x65dd7ff, 0x3a1e4f6,
+    0x14e614aa, 0x9246317, 0x1bc83aca, 0xad97eed, 0xd38ce4a, 0xf82b006, 0x341f077, 0xa6add89, 0x4894acd,
+    0x9f162d5, 0xf8410ef, 0x1b266a56, 0xd7f223, 0x3e0cb92, 0xe39b672, 0x6a2901a, 0x69a8556, 0x7e7c0,
+    0x9b7d8d3, 0x309a80, 0x1ad05f7f, 0xc2fb5dd, 0xcbfd41d, 0x9ceb638, 0x1051825c, 0xda0cf5b, 0x812e881,
+    0x6f35669, 0x6a56f2c, 0x1df8d184, 0x345820, 0x1477d477, 0x1645db1, 0xbe80c51, 0xc22be3e, 0xe35e65a,
+    0x1aeb7aa0, 0xc375315, 0xf67bc99, 0x7fdd7b9, 0x191fc1be, 0x61235d, 0x2c184e9, 0x1c5a839, 0x47a1e26,
+    0xb7cb456, 0x93e225d, 0x14f3c6ed, 0xccc1ac9, 0x17fe37f3, 0x4988989, 0x1a90c502, 0x2f32042, 0xa17769b,
+    0xafd8c7c, 0x8191c6e, 0x1dcdb237, 0x16200c0, 0x107b32a1, 0x66c08db, 0x10d06a02, 0x3fc93, 0x5620023,
+    0x16722b27, 0x68b5c59, 0x270fcfc, 0xfad0ecc, 0xe5de1c2, 0xeab466b, 0x2fc513c, 0x407f75c, 0xbaab133,
+    0x9705fe9, 0xb88b8e7, 0x734c993, 0x1e1ff8f, 0x19156970, 0xabd0f00, 0x10469ea7, 0x3293ac0, 0xcdc98aa,
+    0x1d843fd, 0xe14bfe8, 0x15be825f, 0x8b5212, 0xeb3fb67, 0x81cbd29, 0xbc62f16, 0x2b6fcc7, 0xf5a4e29,
+    0x13560b66, 0xc0b6ac2, 0x51ae690, 0xd41e271, 0xf3e9bd4, 0x1d70aab, 0x1029f72, 0x73e1c35, 0xee70fbc,
+    0xad81baf, 0x9ecc49a, 0x86c741e, 0xfe6be30, 0x176752e7, 0x23d416, 0x1f83de85, 0x27de188, 0x66f70b8,
+    0x181cd51f, 0x96b6e4c, 0x188f2335, 0xa5df759, 0x17a77eb6, 0xfeb0e73, 0x154ae914, 0x2f3ec51, 0x3826b59,
+    0xb91f17d, 0x1c72949, 0x1362bf0a, 0xe23fddf, 0xa5614b0, 0xf7d8f, 0x79061, 0x823d9d2, 0x8213f39,
+    0x1128ae0b, 0xd095d05, 0xb85c0c2, 0x1ecb2ef, 0x24ddc84, 0xe35e901, 0x18411a4a, 0xf5ddc3d, 0x3786689,
+    0x52260e8, 0x5ae3564, 0x542b10d, 0x8d93a45, 0x19952aa4, 0x996cc41, 0x1051a729, 0x4be3499, 0x52b23aa,
+    0x109f307e, 0x6f5b6bb, 0x1f84e1e7, 0x77a0cfa, 0x10c4df3f, 0x25a02ea, 0xb048035, 0xe31de66, 0xc6ecaa3,
+    0x28ea335, 0x2886024, 0x1372f020, 0xf55d35, 0x15e4684c, 0xf2a9e17, 0x1a4a7529, 0xcb7beb1, 0xb2a78a1,
+    0x1ab21f1f, 0x6361ccf, 0x6c9179d, 0xb135627, 0x1267b974, 0x4408bad, 0x1cbff658, 0xe3d6511, 0xc7d76f,
+    0x1cc7a69, 0xe7ee31b, 0x54fab4f, 0x2b914f, 0x1ad27a30, 0xcd3579e, 0xc50124c, 0x50daa90, 0xb13f72,
+    0xb06aa75, 0x70f5cc6, 0x1649e5aa, 0x84a5312, 0x329043c, 0x41c4011, 0x13d32411, 0xb04a838, 0xd760d2d,
+    0x1713b532, 0xbaa0c03, 0x84022ab, 0x6bcf5c1, 0x2f45379, 0x18ae070, 0x18c9e11e, 0x20bca9a, 0x66f496b,
+    0x3eef294, 0x67500d2, 0xd7f613c, 0x2dbbeb, 0xb741038, 0xe04133f, 0x1582968d, 0xbe985f7, 0x1acbc1a,
+    0x1a6a939f, 0x33e50f6, 0xd665ed4, 0xb4b7bd6, 0x1e5a3799, 0x6b33847, 0x17fa56ff, 0x65ef930, 0x21dc4a,
+    0x2b37659, 0x450fe17, 0xb357b65, 0xdf5efac, 0x15397bef, 0x9d35a7f, 0x112ac15f, 0x624e62e, 0xa90ae2f,
+    0x107eecd2, 0x1f69bbe, 0x77d6bce, 0x5741394, 0x13c684fc, 0x950c910, 0x725522b, 0xdc78583, 0x40eeabb,
+    0x1fde328a, 0xbd61d96, 0xd28c387, 0x9e77d89, 0x12550c40, 0x759cb7d, 0x367ef34, 0xae2a960, 0x91b8bdc,
+    0x93462a9, 0xf469ef, 0xb2e9aef, 0xd2ca771, 0x54e1f42, 0x7aaa49, 0x6316abb, 0x2413c8e, 0x5425bf9,
+    0x1bed3e3a, 0xf272274, 0x1f5e7326, 0x6416517, 0xea27072, 0x9cedea7, 0x6e7633, 0x7c91952, 0xd806dce,
+    0x8e2a7e1, 0xe421e1a, 0x418c9e1, 0x1dbc890, 0x1b395c36, 0xa1dc175, 0x1dc4ef73, 0x8956f34, 0xe4b5cf2,
+    0x1b0d3a18, 0x3194a36, 0x6c2641f, 0xe44124c, 0xa2f4eaa, 0xa8c25ba, 0xf927ed7, 0x627b614, 0x7371cca,
+    0xba16694, 0x417bc03, 0x7c0a7e3, 0x9c35c19, 0x1168a205, 0x8b6b00d, 0x10e3edc9, 0x9c19bf2, 0x5882229,
+    0x1b2b4162, 0xa5cef1a, 0x1543622b, 0x9bd433e, 0x364e04d, 0x7480792, 0x5c9b5b3, 0xe85ff25, 0x408ef57,
+    0x1814cfa4, 0x121b41b, 0xd248a0f, 0x3b05222, 0x39bb16a, 0xc75966d, 0xa038113, 0xa4a1769, 0x11fbc6c,
+    0x917e50e, 0xeec3da8, 0x169d6eac, 0x10c1699, 0xa416153, 0xf724912, 0x15cd60b7, 0x4acbad9, 0x5efc5fa,
+    0xf150ed7, 0x122b51, 0x1104b40a, 0xcb7f442, 0xfbb28ff, 0x6ac53ca, 0x196142cc, 0x7bf0fa9, 0x957651,
+    0x4e0f215, 0xed439f8, 0x3f46bd5, 0x5ace82f, 0x110916b6, 0x6db078, 0xffd7d57, 0xf2ecaac, 0xca86dec,
+    0x15d6b2da, 0x965ecc9, 0x1c92b4c2, 0x1f3811, 0x1cb080f5, 0x2d8b804, 0x19d1c12d, 0xf20bd46, 0x1951fa7,
+    0xa3656c3, 0x523a425, 0xfcd0692, 0xd44ddc8, 0x131f0f5b, 0xaf80e4a, 0xcd9fc74, 0x99bb618, 0x2db944c,
+    0xa673090, 0x1c210e1, 0x178c8d23, 0x1474383, 0x10b8743d, 0x985a55b, 0x2e74779, 0x576138, 0x9587927,
+    0x133130fa, 0xbe05516, 0x9f4d619, 0xbb62570, 0x99ec591, 0xd9468fe, 0x1d07782d, 0xfc72e0b, 0x701b298,
+    0x1863863b, 0x85954b8, 0x121a0c36, 0x9e7fedf, 0xf64b429, 0x9b9d71e, 0x14e2f5d8, 0xf858d3a, 0x942eea8,
+    0xda5b765, 0x6edafff, 0xa9d18cc, 0xc65e4ba, 0x1c747e86, 0xe4ea915, 0x1981d7a1, 0x8395659, 0x52ed4e2,
+    0x87d43b7, 0x37ab11b, 0x19d292ce, 0xf8d4692, 0x18c3053f, 0x8863e13, 0x4c146c0, 0x6bdf55a, 0x4e4457d,
+    0x16152289, 0xac78ec2, 0x1a59c5a2, 0x2028b97, 0x71c2d01, 0x295851f, 0x404747b, 0x878558d, 0x7d29aa4,
+    0x13d8341f, 0x8daefd7, 0x139c972d, 0x6b7ea75, 0xd4a9dde, 0xff163d8, 0x81d55d7, 0xa5bef68, 0xb7b30d8,
+    0xbe73d6f, 0xaa88141, 0xd976c81, 0x7e7a9cc, 0x18beb771, 0xd773cbd, 0x13f51951, 0x9d0c177, 0x1c49a78,
+};
+
+
+/* Field element operations: */
+
+/* NON_ZERO_TO_ALL_ONES returns:
+ *   0xffffffff for 0 < x <= 2**31
+ *   0 for x == 0 or x > 2**31.
+ *
+ * x must be a u32 or an equivalent type such as limb. */
+#define NON_ZERO_TO_ALL_ONES(x) ((((u32)(x) - 1) >> 31) - 1)
+
+/* felem_reduce_carry adds a multiple of p in order to cancel |carry|,
+ * which is a term at 2**257.
+ *
+ * On entry: carry < 2**3, inout[0,2,...] < 2**29, inout[1,3,...] < 2**28.
+ * On exit: inout[0,2,..] < 2**30, inout[1,3,...] < 2**29. */
+static void felem_reduce_carry(felem inout, limb carry) {
+  const u32 carry_mask = NON_ZERO_TO_ALL_ONES(carry);
+
+  inout[0] += carry << 1;
+  inout[3] += 0x10000000 & carry_mask;
+  /* carry < 2**3 thus (carry << 11) < 2**14 and we added 2**28 in the
+   * previous line therefore this doesn't underflow. */
+  inout[3] -= carry << 11;
+  inout[4] += (0x20000000 - 1) & carry_mask;
+  inout[5] += (0x10000000 - 1) & carry_mask;
+  inout[6] += (0x20000000 - 1) & carry_mask;
+  inout[6] -= carry << 22;
+  /* This may underflow if carry is non-zero but, if so, we'll fix it in the
+   * next line. */
+  inout[7] -= 1 & carry_mask;
+  inout[7] += carry << 25;
+}
+
+/* felem_sum sets out = in+in2.
+ *
+ * On entry, in[i]+in2[i] must not overflow a 32-bit word.
+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29 */
+static void felem_sum(felem out, const felem in, const felem in2) {
+  limb carry = 0;
+  unsigned i;
+
+  for (i = 0;; i++) {
+    out[i] = in[i] + in2[i];
+    out[i] += carry;
+    carry = out[i] >> 29;
+    out[i] &= kBottom29Bits;
+
+    i++;
+    if (i == NLIMBS)
+      break;
+
+    out[i] = in[i] + in2[i];
+    out[i] += carry;
+    carry = out[i] >> 28;
+    out[i] &= kBottom28Bits;
+  }
+
+  felem_reduce_carry(out, carry);
+}
+
+#define two31m3 (((limb)1) << 31) - (((limb)1) << 3)
+#define two30m2 (((limb)1) << 30) - (((limb)1) << 2)
+#define two30p13m2 (((limb)1) << 30) + (((limb)1) << 13) - (((limb)1) << 2)
+#define two31m2 (((limb)1) << 31) - (((limb)1) << 2)
+#define two31p24m2 (((limb)1) << 31) + (((limb)1) << 24) - (((limb)1) << 2)
+#define two30m27m2 (((limb)1) << 30) - (((limb)1) << 27) - (((limb)1) << 2)
+
+/* zero31 is 0 mod p. */
+static const felem zero31 = { two31m3, two30m2, two31m2, two30p13m2, two31m2, two30m2, two31p24m2, two30m27m2, two31m2 };
+
+/* felem_diff sets out = in-in2.
+ *
+ * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29 and
+ *           in2[0,2,...] < 2**30, in2[1,3,...] < 2**29.
+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */
+static void felem_diff(felem out, const felem in, const felem in2) {
+  limb carry = 0;
+  unsigned i;
+
+   for (i = 0;; i++) {
+    out[i] = in[i] - in2[i];
+    out[i] += zero31[i];
+    out[i] += carry;
+    carry = out[i] >> 29;
+    out[i] &= kBottom29Bits;
+
+    i++;
+    if (i == NLIMBS)
+      break;
+
+    out[i] = in[i] - in2[i];
+    out[i] += zero31[i];
+    out[i] += carry;
+    carry = out[i] >> 28;
+    out[i] &= kBottom28Bits;
+  }
+
+  felem_reduce_carry(out, carry);
+}
+
+/* felem_reduce_degree sets out = tmp/R mod p where tmp contains 64-bit words
+ * with the same 29,28,... bit positions as an felem.
+ *
+ * The values in felems are in Montgomery form: x*R mod p where R = 2**257.
+ * Since we just multiplied two Montgomery values together, the result is
+ * x*y*R*R mod p. We wish to divide by R in order for the result also to be
+ * in Montgomery form.
+ *
+ * On entry: tmp[i] < 2**64
+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29 */
+static void felem_reduce_degree(felem out, u64 tmp[17]) {
+   /* The following table may be helpful when reading this code:
+    *
+    * Limb number:   0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10...
+    * Width (bits):  29| 28| 29| 28| 29| 28| 29| 28| 29| 28| 29
+    * Start bit:     0 | 29| 57| 86|114|143|171|200|228|257|285
+    *   (odd phase): 0 | 28| 57| 85|114|142|171|199|228|256|285 */
+  limb tmp2[18], carry, x, xMask;
+  unsigned i;
+
+  /* tmp contains 64-bit words with the same 29,28,29-bit positions as an
+   * felem. So the top of an element of tmp might overlap with another
+   * element two positions down. The following loop eliminates this
+   * overlap. */
+  tmp2[0] = (limb)(tmp[0] & kBottom29Bits);
+
+  /* In the following we use "(limb) tmp[x]" and "(limb) (tmp[x]>>32)" to try
+   * and hint to the compiler that it can do a single-word shift by selecting
+   * the right register rather than doing a double-word shift and truncating
+   * afterwards. */
+  tmp2[1] = ((limb) tmp[0]) >> 29;
+  tmp2[1] |= (((limb)(tmp[0] >> 32)) << 3) & kBottom28Bits;
+  tmp2[1] += ((limb) tmp[1]) & kBottom28Bits;
+  carry = tmp2[1] >> 28;
+  tmp2[1] &= kBottom28Bits;
+
+  for (i = 2; i < 17; i++) {
+    tmp2[i] = ((limb)(tmp[i - 2] >> 32)) >> 25;
+    tmp2[i] += ((limb)(tmp[i - 1])) >> 28;
+    tmp2[i] += (((limb)(tmp[i - 1] >> 32)) << 4) & kBottom29Bits;
+    tmp2[i] += ((limb) tmp[i]) & kBottom29Bits;
+    tmp2[i] += carry;
+    carry = tmp2[i] >> 29;
+    tmp2[i] &= kBottom29Bits;
+
+    i++;
+    if (i == 17)
+      break;
+    tmp2[i] = ((limb)(tmp[i - 2] >> 32)) >> 25;
+    tmp2[i] += ((limb)(tmp[i - 1])) >> 29;
+    tmp2[i] += (((limb)(tmp[i - 1] >> 32)) << 3) & kBottom28Bits;
+    tmp2[i] += ((limb) tmp[i]) & kBottom28Bits;
+    tmp2[i] += carry;
+    carry = tmp2[i] >> 28;
+    tmp2[i] &= kBottom28Bits;
+  }
+
+  tmp2[17] = ((limb)(tmp[15] >> 32)) >> 25;
+  tmp2[17] += ((limb)(tmp[16])) >> 29;
+  tmp2[17] += (((limb)(tmp[16] >> 32)) << 3);
+  tmp2[17] += carry;
+
+  /* Montgomery elimination of terms.
+   *
+   * Since R is 2**257, we can divide by R with a bitwise shift if we can
+   * ensure that the right-most 257 bits are all zero. We can make that true by
+   * adding multiplies of p without affecting the value.
+   *
+   * So we eliminate limbs from right to left. Since the bottom 29 bits of p
+   * are all ones, then by adding tmp2[0]*p to tmp2 we'll make tmp2[0] == 0.
+   * We can do that for 8 further limbs and then right shift to eliminate the
+   * extra factor of R. */
+  for (i = 0;; i += 2) {
+    tmp2[i + 1] += tmp2[i] >> 29;
+    x = tmp2[i] & kBottom29Bits;
+    xMask = NON_ZERO_TO_ALL_ONES(x);
+    tmp2[i] = 0;
+
+    /* The bounds calculations for this loop are tricky. Each iteration of
+     * the loop eliminates two words by adding values to words to their
+     * right.
+     *
+     * The following table contains the amounts added to each word (as an
+     * offset from the value of i at the top of the loop). The amounts are
+     * accounted for from the first and second half of the loop separately
+     * and are written as, for example, 28 to mean a value <2**28.
+     *
+     * Word:                   3   4   5   6   7   8   9   10
+     * Added in top half:     28  11      29  21  29  28
+     *                                        28  29
+     *                                            29
+     * Added in bottom half:      29  10      28  21  28   28
+     *                                            29
+     *
+     * The value that is currently offset 7 will be offset 5 for the next
+     * iteration and then offset 3 for the iteration after that. Therefore
+     * the total value added will be the values added at 7, 5 and 3.
+     *
+     * The following table accumulates these values. The sums at the bottom
+     * are written as, for example, 29+28, to mean a value < 2**29+2**28.
+     *
+     * Word:                   3   4   5   6   7   8   9  10  11  12  13
+     *                        28  11  10  29  21  29  28  28  28  28  28
+     *                            29  28  11  28  29  28  29  28  29  28
+     *                                    29  28  21  21  29  21  29  21
+     *                                        10  29  28  21  28  21  28
+     *                                        28  29  28  29  28  29  28
+     *                                            11  10  29  10  29  10
+     *                                            29  28  11  28  11
+     *                                                    29      29
+     *                        --------------------------------------------
+     *                                                30+ 31+ 30+ 31+ 30+
+     *                                                28+ 29+ 28+ 29+ 21+
+     *                                                21+ 28+ 21+ 28+ 10
+     *                                                10  21+ 10  21+
+     *                                                    11      11
+     *
+     * So the greatest amount is added to tmp2[10] and tmp2[12]. If
+     * tmp2[10/12] has an initial value of <2**29, then the maximum value
+     * will be < 2**31 + 2**30 + 2**28 + 2**21 + 2**11, which is < 2**32,
+     * as required. */
+    tmp2[i + 3] += (x << 10) & kBottom28Bits;
+    tmp2[i + 4] += (x >> 18);
+
+    tmp2[i + 6] += (x << 21) & kBottom29Bits;
+    tmp2[i + 7] += x >> 8;
+
+    /* At position 200, which is the starting bit position for word 7, we
+     * have a factor of 0xf000000 = 2**28 - 2**24. */
+    tmp2[i + 7] += 0x10000000 & xMask;
+    /* Word 7 is 28 bits wide, so the 2**28 term exactly hits word 8. */
+    tmp2[i + 8] += (x - 1) & xMask;
+    tmp2[i + 7] -= (x << 24) & kBottom28Bits;
+    tmp2[i + 8] -= x >> 4;
+
+    tmp2[i + 8] += 0x20000000 & xMask;
+    tmp2[i + 8] -= x;
+    tmp2[i + 8] += (x << 28) & kBottom29Bits;
+    tmp2[i + 9] += ((x >> 1) - 1) & xMask;
+
+    if (i+1 == NLIMBS)
+      break;
+    tmp2[i + 2] += tmp2[i + 1] >> 28;
+    x = tmp2[i + 1] & kBottom28Bits;
+    xMask = NON_ZERO_TO_ALL_ONES(x);
+    tmp2[i + 1] = 0;
+
+    tmp2[i + 4] += (x << 11) & kBottom29Bits;
+    tmp2[i + 5] += (x >> 18);
+
+    tmp2[i + 7] += (x << 21) & kBottom28Bits;
+    tmp2[i + 8] += x >> 7;
+
+    /* At position 199, which is the starting bit of the 8th word when
+     * dealing with a context starting on an odd word, we have a factor of
+     * 0x1e000000 = 2**29 - 2**25. Since we have not updated i, the 8th
+     * word from i+1 is i+8. */
+    tmp2[i + 8] += 0x20000000 & xMask;
+    tmp2[i + 9] += (x - 1) & xMask;
+    tmp2[i + 8] -= (x << 25) & kBottom29Bits;
+    tmp2[i + 9] -= x >> 4;
+
+    tmp2[i + 9] += 0x10000000 & xMask;
+    tmp2[i + 9] -= x;
+    tmp2[i + 10] += (x - 1) & xMask;
+  }
+
+  /* We merge the right shift with a carry chain. The words above 2**257 have
+   * widths of 28,29,... which we need to correct when copying them down.  */
+  carry = 0;
+  for (i = 0; i < 8; i++) {
+    /* The maximum value of tmp2[i + 9] occurs on the first iteration and
+     * is < 2**30+2**29+2**28. Adding 2**29 (from tmp2[i + 10]) is
+     * therefore safe. */
+    out[i] = tmp2[i + 9];
+    out[i] += carry;
+    out[i] += (tmp2[i + 10] << 28) & kBottom29Bits;
+    carry = out[i] >> 29;
+    out[i] &= kBottom29Bits;
+
+    i++;
+    out[i] = tmp2[i + 9] >> 1;
+    out[i] += carry;
+    carry = out[i] >> 28;
+    out[i] &= kBottom28Bits;
+  }
+
+  out[8] = tmp2[17];
+  out[8] += carry;
+  carry = out[8] >> 29;
+  out[8] &= kBottom29Bits;
+
+  felem_reduce_carry(out, carry);
+}
+
+/* felem_square sets out=in*in.
+ *
+ * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29.
+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */
+static void felem_square(felem out, const felem in) {
+  u64 tmp[17];
+
+  tmp[0] = ((u64) in[0]) * in[0];
+  tmp[1] = ((u64) in[0]) * (in[1] << 1);
+  tmp[2] = ((u64) in[0]) * (in[2] << 1) +
+           ((u64) in[1]) * (in[1] << 1);
+  tmp[3] = ((u64) in[0]) * (in[3] << 1) +
+           ((u64) in[1]) * (in[2] << 1);
+  tmp[4] = ((u64) in[0]) * (in[4] << 1) +
+           ((u64) in[1]) * (in[3] << 2) + ((u64) in[2]) * in[2];
+  tmp[5] = ((u64) in[0]) * (in[5] << 1) + ((u64) in[1]) *
+           (in[4] << 1) + ((u64) in[2]) * (in[3] << 1);
+  tmp[6] = ((u64) in[0]) * (in[6] << 1) + ((u64) in[1]) *
+           (in[5] << 2) + ((u64) in[2]) * (in[4] << 1) +
+           ((u64) in[3]) * (in[3] << 1);
+  tmp[7] = ((u64) in[0]) * (in[7] << 1) + ((u64) in[1]) *
+           (in[6] << 1) + ((u64) in[2]) * (in[5] << 1) +
+           ((u64) in[3]) * (in[4] << 1);
+  /* tmp[8] has the greatest value of 2**61 + 2**60 + 2**61 + 2**60 + 2**60,
+   * which is < 2**64 as required. */
+  tmp[8] = ((u64) in[0]) * (in[8] << 1) + ((u64) in[1]) *
+           (in[7] << 2) + ((u64) in[2]) * (in[6] << 1) +
+           ((u64) in[3]) * (in[5] << 2) + ((u64) in[4]) * in[4];
+  tmp[9] = ((u64) in[1]) * (in[8] << 1) + ((u64) in[2]) *
+           (in[7] << 1) + ((u64) in[3]) * (in[6] << 1) +
+           ((u64) in[4]) * (in[5] << 1);
+  tmp[10] = ((u64) in[2]) * (in[8] << 1) + ((u64) in[3]) *
+            (in[7] << 2) + ((u64) in[4]) * (in[6] << 1) +
+            ((u64) in[5]) * (in[5] << 1);
+  tmp[11] = ((u64) in[3]) * (in[8] << 1) + ((u64) in[4]) *
+            (in[7] << 1) + ((u64) in[5]) * (in[6] << 1);
+  tmp[12] = ((u64) in[4]) * (in[8] << 1) +
+            ((u64) in[5]) * (in[7] << 2) + ((u64) in[6]) * in[6];
+  tmp[13] = ((u64) in[5]) * (in[8] << 1) +
+            ((u64) in[6]) * (in[7] << 1);
+  tmp[14] = ((u64) in[6]) * (in[8] << 1) +
+            ((u64) in[7]) * (in[7] << 1);
+  tmp[15] = ((u64) in[7]) * (in[8] << 1);
+  tmp[16] = ((u64) in[8]) * in[8];
+
+  felem_reduce_degree(out, tmp);
+}
+
+/* felem_mul sets out=in*in2.
+ *
+ * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29 and
+ *           in2[0,2,...] < 2**30, in2[1,3,...] < 2**29.
+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */
+static void felem_mul(felem out, const felem in, const felem in2) {
+  u64 tmp[17];
+
+  tmp[0] = ((u64) in[0]) * in2[0];
+  tmp[1] = ((u64) in[0]) * (in2[1] << 0) +
+           ((u64) in[1]) * (in2[0] << 0);
+  tmp[2] = ((u64) in[0]) * (in2[2] << 0) + ((u64) in[1]) *
+           (in2[1] << 1) + ((u64) in[2]) * (in2[0] << 0);
+  tmp[3] = ((u64) in[0]) * (in2[3] << 0) + ((u64) in[1]) *
+           (in2[2] << 0) + ((u64) in[2]) * (in2[1] << 0) +
+           ((u64) in[3]) * (in2[0] << 0);
+  tmp[4] = ((u64) in[0]) * (in2[4] << 0) + ((u64) in[1]) *
+           (in2[3] << 1) + ((u64) in[2]) * (in2[2] << 0) +
+           ((u64) in[3]) * (in2[1] << 1) +
+           ((u64) in[4]) * (in2[0] << 0);
+  tmp[5] = ((u64) in[0]) * (in2[5] << 0) + ((u64) in[1]) *
+           (in2[4] << 0) + ((u64) in[2]) * (in2[3] << 0) +
+           ((u64) in[3]) * (in2[2] << 0) + ((u64) in[4]) *
+           (in2[1] << 0) + ((u64) in[5]) * (in2[0] << 0);
+  tmp[6] = ((u64) in[0]) * (in2[6] << 0) + ((u64) in[1]) *
+           (in2[5] << 1) + ((u64) in[2]) * (in2[4] << 0) +
+           ((u64) in[3]) * (in2[3] << 1) + ((u64) in[4]) *
+           (in2[2] << 0) + ((u64) in[5]) * (in2[1] << 1) +
+           ((u64) in[6]) * (in2[0] << 0);
+  tmp[7] = ((u64) in[0]) * (in2[7] << 0) + ((u64) in[1]) *
+           (in2[6] << 0) + ((u64) in[2]) * (in2[5] << 0) +
+           ((u64) in[3]) * (in2[4] << 0) + ((u64) in[4]) *
+           (in2[3] << 0) + ((u64) in[5]) * (in2[2] << 0) +
+           ((u64) in[6]) * (in2[1] << 0) +
+           ((u64) in[7]) * (in2[0] << 0);
+  /* tmp[8] has the greatest value but doesn't overflow. See logic in
+   * felem_square. */
+  tmp[8] = ((u64) in[0]) * (in2[8] << 0) + ((u64) in[1]) *
+           (in2[7] << 1) + ((u64) in[2]) * (in2[6] << 0) +
+           ((u64) in[3]) * (in2[5] << 1) + ((u64) in[4]) *
+           (in2[4] << 0) + ((u64) in[5]) * (in2[3] << 1) +
+           ((u64) in[6]) * (in2[2] << 0) + ((u64) in[7]) *
+           (in2[1] << 1) + ((u64) in[8]) * (in2[0] << 0);
+  tmp[9] = ((u64) in[1]) * (in2[8] << 0) + ((u64) in[2]) *
+           (in2[7] << 0) + ((u64) in[3]) * (in2[6] << 0) +
+           ((u64) in[4]) * (in2[5] << 0) + ((u64) in[5]) *
+           (in2[4] << 0) + ((u64) in[6]) * (in2[3] << 0) +
+           ((u64) in[7]) * (in2[2] << 0) +
+           ((u64) in[8]) * (in2[1] << 0);
+  tmp[10] = ((u64) in[2]) * (in2[8] << 0) + ((u64) in[3]) *
+            (in2[7] << 1) + ((u64) in[4]) * (in2[6] << 0) +
+            ((u64) in[5]) * (in2[5] << 1) + ((u64) in[6]) *
+            (in2[4] << 0) + ((u64) in[7]) * (in2[3] << 1) +
+            ((u64) in[8]) * (in2[2] << 0);
+  tmp[11] = ((u64) in[3]) * (in2[8] << 0) + ((u64) in[4]) *
+            (in2[7] << 0) + ((u64) in[5]) * (in2[6] << 0) +
+            ((u64) in[6]) * (in2[5] << 0) + ((u64) in[7]) *
+            (in2[4] << 0) + ((u64) in[8]) * (in2[3] << 0);
+  tmp[12] = ((u64) in[4]) * (in2[8] << 0) + ((u64) in[5]) *
+            (in2[7] << 1) + ((u64) in[6]) * (in2[6] << 0) +
+            ((u64) in[7]) * (in2[5] << 1) +
+            ((u64) in[8]) * (in2[4] << 0);
+  tmp[13] = ((u64) in[5]) * (in2[8] << 0) + ((u64) in[6]) *
+            (in2[7] << 0) + ((u64) in[7]) * (in2[6] << 0) +
+            ((u64) in[8]) * (in2[5] << 0);
+  tmp[14] = ((u64) in[6]) * (in2[8] << 0) + ((u64) in[7]) *
+            (in2[7] << 1) + ((u64) in[8]) * (in2[6] << 0);
+  tmp[15] = ((u64) in[7]) * (in2[8] << 0) +
+            ((u64) in[8]) * (in2[7] << 0);
+  tmp[16] = ((u64) in[8]) * (in2[8] << 0);
+
+  felem_reduce_degree(out, tmp);
+}
+
+static void felem_assign(felem out, const felem in) {
+  memcpy(out, in, sizeof(felem));
+}
+
+/* felem_inv calculates |out| = |in|^{-1}
+ *
+ * Based on Fermat's Little Theorem:
+ *   a^p = a (mod p)
+ *   a^{p-1} = 1 (mod p)
+ *   a^{p-2} = a^{-1} (mod p)
+ */
+static void felem_inv(felem out, const felem in) {
+  felem ftmp, ftmp2;
+  /* each e_I will hold |in|^{2^I - 1} */
+  felem e2, e4, e8, e16, e32, e64;
+  unsigned i;
+
+  felem_square(ftmp, in); /* 2^1 */
+  felem_mul(ftmp, in, ftmp); /* 2^2 - 2^0 */
+  felem_assign(e2, ftmp);
+  felem_square(ftmp, ftmp); /* 2^3 - 2^1 */
+  felem_square(ftmp, ftmp); /* 2^4 - 2^2 */
+  felem_mul(ftmp, ftmp, e2); /* 2^4 - 2^0 */
+  felem_assign(e4, ftmp);
+  felem_square(ftmp, ftmp); /* 2^5 - 2^1 */
+  felem_square(ftmp, ftmp); /* 2^6 - 2^2 */
+  felem_square(ftmp, ftmp); /* 2^7 - 2^3 */
+  felem_square(ftmp, ftmp); /* 2^8 - 2^4 */
+  felem_mul(ftmp, ftmp, e4); /* 2^8 - 2^0 */
+  felem_assign(e8, ftmp);
+  for (i = 0; i < 8; i++) {
+    felem_square(ftmp, ftmp);
+  } /* 2^16 - 2^8 */
+  felem_mul(ftmp, ftmp, e8); /* 2^16 - 2^0 */
+  felem_assign(e16, ftmp);
+  for (i = 0; i < 16; i++) {
+    felem_square(ftmp, ftmp);
+  } /* 2^32 - 2^16 */
+  felem_mul(ftmp, ftmp, e16); /* 2^32 - 2^0 */
+  felem_assign(e32, ftmp);
+  for (i = 0; i < 32; i++) {
+    felem_square(ftmp, ftmp);
+  } /* 2^64 - 2^32 */
+  felem_assign(e64, ftmp);
+  felem_mul(ftmp, ftmp, in); /* 2^64 - 2^32 + 2^0 */
+  for (i = 0; i < 192; i++) {
+    felem_square(ftmp, ftmp);
+  } /* 2^256 - 2^224 + 2^192 */
+
+  felem_mul(ftmp2, e64, e32); /* 2^64 - 2^0 */
+  for (i = 0; i < 16; i++) {
+    felem_square(ftmp2, ftmp2);
+  } /* 2^80 - 2^16 */
+  felem_mul(ftmp2, ftmp2, e16); /* 2^80 - 2^0 */
+  for (i = 0; i < 8; i++) {
+    felem_square(ftmp2, ftmp2);
+  } /* 2^88 - 2^8 */
+  felem_mul(ftmp2, ftmp2, e8); /* 2^88 - 2^0 */
+  for (i = 0; i < 4; i++) {
+    felem_square(ftmp2, ftmp2);
+  } /* 2^92 - 2^4 */
+  felem_mul(ftmp2, ftmp2, e4); /* 2^92 - 2^0 */
+  felem_square(ftmp2, ftmp2); /* 2^93 - 2^1 */
+  felem_square(ftmp2, ftmp2); /* 2^94 - 2^2 */
+  felem_mul(ftmp2, ftmp2, e2); /* 2^94 - 2^0 */
+  felem_square(ftmp2, ftmp2); /* 2^95 - 2^1 */
+  felem_square(ftmp2, ftmp2); /* 2^96 - 2^2 */
+  felem_mul(ftmp2, ftmp2, in); /* 2^96 - 3 */
+
+  felem_mul(out, ftmp2, ftmp); /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */
+}
+
+/* felem_scalar_3 sets out=3*out.
+ *
+ * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29.
+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */
+static void felem_scalar_3(felem out) {
+  limb carry = 0;
+  unsigned i;
+
+  for (i = 0;; i++) {
+    out[i] *= 3;
+    out[i] += carry;
+    carry = out[i] >> 29;
+    out[i] &= kBottom29Bits;
+
+    i++;
+    if (i == NLIMBS)
+      break;
+
+    out[i] *= 3;
+    out[i] += carry;
+    carry = out[i] >> 28;
+    out[i] &= kBottom28Bits;
+  }
+
+  felem_reduce_carry(out, carry);
+}
+
+/* felem_scalar_4 sets out=4*out.
+ *
+ * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29.
+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */
+static void felem_scalar_4(felem out) {
+  limb carry = 0, next_carry;
+  unsigned i;
+
+  for (i = 0;; i++) {
+    next_carry = out[i] >> 27;
+    out[i] <<= 2;
+    out[i] &= kBottom29Bits;
+    out[i] += carry;
+    carry = next_carry + (out[i] >> 29);
+    out[i] &= kBottom29Bits;
+
+    i++;
+    if (i == NLIMBS)
+      break;
+
+    next_carry = out[i] >> 26;
+    out[i] <<= 2;
+    out[i] &= kBottom28Bits;
+    out[i] += carry;
+    carry = next_carry + (out[i] >> 28);
+    out[i] &= kBottom28Bits;
+  }
+
+  felem_reduce_carry(out, carry);
+}
+
+/* felem_scalar_8 sets out=8*out.
+ *
+ * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29.
+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */
+static void felem_scalar_8(felem out) {
+  limb carry = 0, next_carry;
+  unsigned i;
+
+  for (i = 0;; i++) {
+    next_carry = out[i] >> 26;
+    out[i] <<= 3;
+    out[i] &= kBottom29Bits;
+    out[i] += carry;
+    carry = next_carry + (out[i] >> 29);
+    out[i] &= kBottom29Bits;
+
+    i++;
+    if (i == NLIMBS)
+      break;
+
+    next_carry = out[i] >> 25;
+    out[i] <<= 3;
+    out[i] &= kBottom28Bits;
+    out[i] += carry;
+    carry = next_carry + (out[i] >> 28);
+    out[i] &= kBottom28Bits;
+  }
+
+  felem_reduce_carry(out, carry);
+}
+
+/* felem_is_zero_vartime returns 1 iff |in| == 0. It takes a variable amount of
+ * time depending on the value of |in|. */
+static char felem_is_zero_vartime(const felem in) {
+  limb carry;
+  int i;
+  limb tmp[NLIMBS];
+
+  felem_assign(tmp, in);
+
+  /* First, reduce tmp to a minimal form. */
+  do {
+    carry = 0;
+    for (i = 0;; i++) {
+      tmp[i] += carry;
+      carry = tmp[i] >> 29;
+      tmp[i] &= kBottom29Bits;
+
+      i++;
+      if (i == NLIMBS)
+        break;
+
+      tmp[i] += carry;
+      carry = tmp[i] >> 28;
+      tmp[i] &= kBottom28Bits;
+    }
+
+    felem_reduce_carry(tmp, carry);
+  } while (carry);
+
+  /* tmp < 2**257, so the only possible zero values are 0, p and 2p. */
+  return memcmp(tmp, kZero, sizeof(tmp)) == 0 ||
+         memcmp(tmp, kP, sizeof(tmp)) == 0 ||
+         memcmp(tmp, k2P, sizeof(tmp)) == 0;
+}
+
+
+/* Group operations:
+ *
+ * Elements of the elliptic curve group are represented in Jacobian
+ * coordinates: (x, y, z). An affine point (x', y') is x'=x/z**2, y'=y/z**3 in
+ * Jacobian form. */
+
+/* point_double sets {x_out,y_out,z_out} = 2*{x,y,z}.
+ *
+ * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l */
+static void point_double(felem x_out, felem y_out, felem z_out, const felem x,
+                         const felem y, const felem z) {
+  felem delta, gamma, alpha, beta, tmp, tmp2;
+
+  felem_square(delta, z);
+  felem_square(gamma, y);
+  felem_mul(beta, x, gamma);
+
+  felem_sum(tmp, x, delta);
+  felem_diff(tmp2, x, delta);
+  felem_mul(alpha, tmp, tmp2);
+  felem_scalar_3(alpha);
+
+  felem_sum(tmp, y, z);
+  felem_square(tmp, tmp);
+  felem_diff(tmp, tmp, gamma);
+  felem_diff(z_out, tmp, delta);
+
+  felem_scalar_4(beta);
+  felem_square(x_out, alpha);
+  felem_diff(x_out, x_out, beta);
+  felem_diff(x_out, x_out, beta);
+
+  felem_diff(tmp, beta, x_out);
+  felem_mul(tmp, alpha, tmp);
+  felem_square(tmp2, gamma);
+  felem_scalar_8(tmp2);
+  felem_diff(y_out, tmp, tmp2);
+}
+
+/* point_add_mixed sets {x_out,y_out,z_out} = {x1,y1,z1} + {x2,y2,1}.
+ * (i.e. the second point is affine.)
+ *
+ * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl
+ *
+ * Note that this function does not handle P+P, infinity+P nor P+infinity
+ * correctly. */
+static void point_add_mixed(felem x_out, felem y_out, felem z_out,
+                            const felem x1, const felem y1, const felem z1,
+                            const felem x2, const felem y2) {
+  felem z1z1, z1z1z1, s2, u2, h, i, j, r, rr, v, tmp;
+
+  felem_square(z1z1, z1);
+  felem_sum(tmp, z1, z1);
+
+  felem_mul(u2, x2, z1z1);
+  felem_mul(z1z1z1, z1, z1z1);
+  felem_mul(s2, y2, z1z1z1);
+  felem_diff(h, u2, x1);
+  felem_sum(i, h, h);
+  felem_square(i, i);
+  felem_mul(j, h, i);
+  felem_diff(r, s2, y1);
+  felem_sum(r, r, r);
+  felem_mul(v, x1, i);
+
+  felem_mul(z_out, tmp, h);
+  felem_square(rr, r);
+  felem_diff(x_out, rr, j);
+  felem_diff(x_out, x_out, v);
+  felem_diff(x_out, x_out, v);
+
+  felem_diff(tmp, v, x_out);
+  felem_mul(y_out, tmp, r);
+  felem_mul(tmp, y1, j);
+  felem_diff(y_out, y_out, tmp);
+  felem_diff(y_out, y_out, tmp);
+}
+
+/* point_add sets {x_out,y_out,z_out} = {x1,y1,z1} + {x2,y2,z2}.
+ *
+ * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl
+ *
+ * Note that this function does not handle P+P, infinity+P nor P+infinity
+ * correctly. */
+static void point_add(felem x_out, felem y_out, felem z_out, const felem x1,
+                      const felem y1, const felem z1, const felem x2,
+                      const felem y2, const felem z2) {
+  felem z1z1, z1z1z1, z2z2, z2z2z2, s1, s2, u1, u2, h, i, j, r, rr, v, tmp;
+
+  felem_square(z1z1, z1);
+  felem_square(z2z2, z2);
+  felem_mul(u1, x1, z2z2);
+
+  felem_sum(tmp, z1, z2);
+  felem_square(tmp, tmp);
+  felem_diff(tmp, tmp, z1z1);
+  felem_diff(tmp, tmp, z2z2);
+
+  felem_mul(z2z2z2, z2, z2z2);
+  felem_mul(s1, y1, z2z2z2);
+
+  felem_mul(u2, x2, z1z1);
+  felem_mul(z1z1z1, z1, z1z1);
+  felem_mul(s2, y2, z1z1z1);
+  felem_diff(h, u2, u1);
+  felem_sum(i, h, h);
+  felem_square(i, i);
+  felem_mul(j, h, i);
+  felem_diff(r, s2, s1);
+  felem_sum(r, r, r);
+  felem_mul(v, u1, i);
+
+  felem_mul(z_out, tmp, h);
+  felem_square(rr, r);
+  felem_diff(x_out, rr, j);
+  felem_diff(x_out, x_out, v);
+  felem_diff(x_out, x_out, v);
+
+  felem_diff(tmp, v, x_out);
+  felem_mul(y_out, tmp, r);
+  felem_mul(tmp, s1, j);
+  felem_diff(y_out, y_out, tmp);
+  felem_diff(y_out, y_out, tmp);
+}
+
+/* point_add_or_double_vartime sets {x_out,y_out,z_out} = {x1,y1,z1} +
+ *                                                        {x2,y2,z2}.
+ *
+ * See http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl
+ *
+ * This function handles the case where {x1,y1,z1}={x2,y2,z2}. */
+static void point_add_or_double_vartime(
+    felem x_out, felem y_out, felem z_out, const felem x1, const felem y1,
+    const felem z1, const felem x2, const felem y2, const felem z2) {
+  felem z1z1, z1z1z1, z2z2, z2z2z2, s1, s2, u1, u2, h, i, j, r, rr, v, tmp;
+  char x_equal, y_equal;
+
+  felem_square(z1z1, z1);
+  felem_square(z2z2, z2);
+  felem_mul(u1, x1, z2z2);
+
+  felem_sum(tmp, z1, z2);
+  felem_square(tmp, tmp);
+  felem_diff(tmp, tmp, z1z1);
+  felem_diff(tmp, tmp, z2z2);
+
+  felem_mul(z2z2z2, z2, z2z2);
+  felem_mul(s1, y1, z2z2z2);
+
+  felem_mul(u2, x2, z1z1);
+  felem_mul(z1z1z1, z1, z1z1);
+  felem_mul(s2, y2, z1z1z1);
+  felem_diff(h, u2, u1);
+  x_equal = felem_is_zero_vartime(h);
+  felem_sum(i, h, h);
+  felem_square(i, i);
+  felem_mul(j, h, i);
+  felem_diff(r, s2, s1);
+  y_equal = felem_is_zero_vartime(r);
+  if (x_equal && y_equal) {
+    point_double(x_out, y_out, z_out, x1, y1, z1);
+    return;
+  }
+  felem_sum(r, r, r);
+  felem_mul(v, u1, i);
+
+  felem_mul(z_out, tmp, h);
+  felem_square(rr, r);
+  felem_diff(x_out, rr, j);
+  felem_diff(x_out, x_out, v);
+  felem_diff(x_out, x_out, v);
+
+  felem_diff(tmp, v, x_out);
+  felem_mul(y_out, tmp, r);
+  felem_mul(tmp, s1, j);
+  felem_diff(y_out, y_out, tmp);
+  felem_diff(y_out, y_out, tmp);
+}
+
+/* copy_conditional sets out=in if mask = 0xffffffff in constant time.
+ *
+ * On entry: mask is either 0 or 0xffffffff. */
+static void copy_conditional(felem out, const felem in, limb mask) {
+  int i;
+
+  for (i = 0; i < NLIMBS; i++) {
+    const limb tmp = mask & (in[i] ^ out[i]);
+    out[i] ^= tmp;
+  }
+}
+
+/* select_affine_point sets {out_x,out_y} to the index'th entry of table.
+ * On entry: index < 16, table[0] must be zero. */
+static void select_affine_point(felem out_x, felem out_y, const limb* table,
+                                limb index) {
+  limb i, j;
+
+  memset(out_x, 0, sizeof(felem));
+  memset(out_y, 0, sizeof(felem));
+
+  for (i = 1; i < 16; i++) {
+    limb mask = i ^ index;
+    mask |= mask >> 2;
+    mask |= mask >> 1;
+    mask &= 1;
+    mask--;
+    for (j = 0; j < NLIMBS; j++, table++) {
+      out_x[j] |= *table & mask;
+    }
+    for (j = 0; j < NLIMBS; j++, table++) {
+      out_y[j] |= *table & mask;
+    }
+  }
+}
+
+/* select_jacobian_point sets {out_x,out_y,out_z} to the index'th entry of
+ * table. On entry: index < 16, table[0] must be zero. */
+static void select_jacobian_point(felem out_x, felem out_y, felem out_z,
+                                  const limb* table, limb index) {
+  limb i, j;
+
+  memset(out_x, 0, sizeof(felem));
+  memset(out_y, 0, sizeof(felem));
+  memset(out_z, 0, sizeof(felem));
+
+  /* The implicit value at index 0 is all zero. We don't need to perform that
+   * iteration of the loop because we already set out_* to zero. */
+  table += 3 * NLIMBS;
+
+  // Hit all entries to obscure cache profiling.
+  for (i = 1; i < 16; i++) {
+    limb mask = i ^ index;
+    mask |= mask >> 2;
+    mask |= mask >> 1;
+    mask &= 1;
+    mask--;
+    for (j = 0; j < NLIMBS; j++, table++) {
+      out_x[j] |= *table & mask;
+    }
+    for (j = 0; j < NLIMBS; j++, table++) {
+      out_y[j] |= *table & mask;
+    }
+    for (j = 0; j < NLIMBS; j++, table++) {
+      out_z[j] |= *table & mask;
+    }
+  }
+}
+
+/* scalar_base_mult sets {nx,ny,nz} = scalar*G where scalar is a little-endian
+ * number. Note that the value of scalar must be less than the order of the
+ * group. */
+static void scalar_base_mult(felem nx, felem ny, felem nz,
+                             const p256_int* scalar) {
+  int i, j;
+  limb n_is_infinity_mask = -1, p_is_noninfinite_mask, mask;
+  u32 table_offset;
+
+  felem px, py;
+  felem tx, ty, tz;
+
+  memset(nx, 0, sizeof(felem));
+  memset(ny, 0, sizeof(felem));
+  memset(nz, 0, sizeof(felem));
+
+  /* The loop adds bits at positions 0, 64, 128 and 192, followed by
+   * positions 32,96,160 and 224 and does this 32 times. */
+  for (i = 0; i < 32; i++) {
+    if (i) {
+      point_double(nx, ny, nz, nx, ny, nz);
+    }
+    table_offset = 0;
+    for (j = 0; j <= 32; j += 32) {
+      char bit0 = p256_get_bit(scalar, 31 - i + j);
+      char bit1 = p256_get_bit(scalar, 95 - i + j);
+      char bit2 = p256_get_bit(scalar, 159 - i + j);
+      char bit3 = p256_get_bit(scalar, 223 - i + j);
+      limb index = bit0 | (bit1 << 1) | (bit2 << 2) | (bit3 << 3);
+
+      select_affine_point(px, py, kPrecomputed + table_offset, index);
+      table_offset += 30 * NLIMBS;
+
+      /* Since scalar is less than the order of the group, we know that
+       * {nx,ny,nz} != {px,py,1}, unless both are zero, which we handle
+       * below. */
+      point_add_mixed(tx, ty, tz, nx, ny, nz, px, py);
+      /* The result of point_add_mixed is incorrect if {nx,ny,nz} is zero
+       * (a.k.a.  the point at infinity). We handle that situation by
+       * copying the point from the table. */
+      copy_conditional(nx, px, n_is_infinity_mask);
+      copy_conditional(ny, py, n_is_infinity_mask);
+      copy_conditional(nz, kOne, n_is_infinity_mask);
+
+      /* Equally, the result is also wrong if the point from the table is
+       * zero, which happens when the index is zero. We handle that by
+       * only copying from {tx,ty,tz} to {nx,ny,nz} if index != 0. */
+      p_is_noninfinite_mask = NON_ZERO_TO_ALL_ONES(index);
+      mask = p_is_noninfinite_mask & ~n_is_infinity_mask;
+      copy_conditional(nx, tx, mask);
+      copy_conditional(ny, ty, mask);
+      copy_conditional(nz, tz, mask);
+      /* If p was not zero, then n is now non-zero. */
+      n_is_infinity_mask &= ~p_is_noninfinite_mask;
+    }
+  }
+}
+
+/* point_to_affine converts a Jacobian point to an affine point. If the input
+ * is the point at infinity then it returns (0, 0) in constant time. */
+static void point_to_affine(felem x_out, felem y_out, const felem nx,
+                            const felem ny, const felem nz) {
+  felem z_inv, z_inv_sq;
+  felem_inv(z_inv, nz);
+  felem_square(z_inv_sq, z_inv);
+  felem_mul(x_out, nx, z_inv_sq);
+  felem_mul(z_inv, z_inv, z_inv_sq);
+  felem_mul(y_out, ny, z_inv);
+}
+
+/* scalar_base_mult sets {nx,ny,nz} = scalar*{x,y}. */
+static void scalar_mult(felem nx, felem ny, felem nz, const felem x,
+                        const felem y, const p256_int* scalar) {
+  int i;
+  felem px, py, pz, tx, ty, tz;
+  felem precomp[16][3];
+  limb n_is_infinity_mask, index, p_is_noninfinite_mask, mask;
+
+  /* We precompute 0,1,2,... times {x,y}. */
+  memset(precomp, 0, sizeof(felem) * 3);
+  memcpy(&precomp[1][0], x, sizeof(felem));
+  memcpy(&precomp[1][1], y, sizeof(felem));
+  memcpy(&precomp[1][2], kOne, sizeof(felem));
+
+  for (i = 2; i < 16; i += 2) {
+    point_double(precomp[i][0], precomp[i][1], precomp[i][2],
+                 precomp[i / 2][0], precomp[i / 2][1], precomp[i / 2][2]);
+
+    point_add_mixed(precomp[i + 1][0], precomp[i + 1][1], precomp[i + 1][2],
+                    precomp[i][0], precomp[i][1], precomp[i][2], x, y);
+  }
+
+  memset(nx, 0, sizeof(felem));
+  memset(ny, 0, sizeof(felem));
+  memset(nz, 0, sizeof(felem));
+  n_is_infinity_mask = -1;
+
+  /* We add in a window of four bits each iteration and do this 64 times. */
+  for (i = 0; i < 256; i += 4) {
+    if (i) {
+      point_double(nx, ny, nz, nx, ny, nz);
+      point_double(nx, ny, nz, nx, ny, nz);
+      point_double(nx, ny, nz, nx, ny, nz);
+      point_double(nx, ny, nz, nx, ny, nz);
+    }
+
+    index = (p256_get_bit(scalar, 255 - i - 0) << 3) |
+            (p256_get_bit(scalar, 255 - i - 1) << 2) |
+            (p256_get_bit(scalar, 255 - i - 2) << 1) |
+            p256_get_bit(scalar, 255 - i - 3);
+
+    /* See the comments in scalar_base_mult about handling infinities. */
+    select_jacobian_point(px, py, pz, precomp[0][0], index);
+    point_add(tx, ty, tz, nx, ny, nz, px, py, pz);
+    copy_conditional(nx, px, n_is_infinity_mask);
+    copy_conditional(ny, py, n_is_infinity_mask);
+    copy_conditional(nz, pz, n_is_infinity_mask);
+
+    p_is_noninfinite_mask = NON_ZERO_TO_ALL_ONES(index);
+    mask = p_is_noninfinite_mask & ~n_is_infinity_mask;
+
+    copy_conditional(nx, tx, mask);
+    copy_conditional(ny, ty, mask);
+    copy_conditional(nz, tz, mask);
+    n_is_infinity_mask &= ~p_is_noninfinite_mask;
+  }
+}
+
+#define kRDigits {2, 0, 0, 0xfffffffe, 0xffffffff, 0xffffffff, 0xfffffffd, 1} // 2^257 mod p256.p
+
+#define kRInvDigits {0x80000000, 1, 0xffffffff, 0, 0x80000001, 0xfffffffe, 1, 0x7fffffff}  // 1 / 2^257 mod p256.p
+
+static const p256_int kR = { kRDigits };
+static const p256_int kRInv = { kRInvDigits };
+
+/* to_montgomery sets out = R*in. */
+static void to_montgomery(felem out, const p256_int* in) {
+  p256_int in_shifted;
+  int i;
+
+  p256_init(&in_shifted);
+  p256_modmul(&SECP256r1_p, in, 0, &kR, &in_shifted);
+
+  for (i = 0; i < NLIMBS; i++) {
+    if ((i & 1) == 0) {
+      out[i] = P256_DIGIT(&in_shifted, 0) & kBottom29Bits;
+      p256_shr(&in_shifted, 29, &in_shifted);
+    } else {
+      out[i] = P256_DIGIT(&in_shifted, 0) & kBottom28Bits;
+      p256_shr(&in_shifted, 28, &in_shifted);
+    }
+  }
+
+  p256_clear(&in_shifted);
+}
+
+/* from_montgomery sets out=in/R. */
+static void from_montgomery(p256_int* out, const felem in) {
+  p256_int result, tmp;
+  int i, top;
+
+  p256_init(&result);
+  p256_init(&tmp);
+
+  p256_add_d(&tmp, in[NLIMBS - 1], &result);
+  for (i = NLIMBS - 2; i >= 0; i--) {
+    if ((i & 1) == 0) {
+      top = p256_shl(&result, 29, &tmp);
+    } else {
+      top = p256_shl(&result, 28, &tmp);
+    }
+    top |= p256_add_d(&tmp, in[i], &result);
+  }
+
+  p256_modmul(&SECP256r1_p, &kRInv, top, &result, out);
+
+  p256_clear(&result);
+  p256_clear(&tmp);
+}
+
+/* p256_base_point_mul sets {out_x,out_y} = nG, where n is < the
+ * order of the group. */
+void p256_base_point_mul(const p256_int* n, p256_int* out_x, p256_int* out_y) {
+  felem x, y, z;
+
+  scalar_base_mult(x, y, z, n);
+
+  {
+    felem x_affine, y_affine;
+
+    point_to_affine(x_affine, y_affine, x, y, z);
+    from_montgomery(out_x, x_affine);
+    from_montgomery(out_y, y_affine);
+  }
+}
+
+/* p256_points_mul_vartime sets {out_x,out_y} = n1*G + n2*{in_x,in_y}, where
+ * n1 and n2 are < the order of the group.
+ *
+ * As indicated by the name, this function operates in variable time. This
+ * is safe because it's used for signature validation which doesn't deal
+ * with secrets. */
+void p256_points_mul_vartime(
+    const p256_int* n1, const p256_int* n2, const p256_int* in_x,
+    const p256_int* in_y, p256_int* out_x, p256_int* out_y) {
+  felem x1, y1, z1, x2, y2, z2, px, py;
+
+  /* If both scalars are zero, then the result is the point at infinity. */
+  if (p256_is_zero(n1) != 0 && p256_is_zero(n2) != 0) {
+    p256_clear(out_x);
+    p256_clear(out_y);
+    return;
+  }
+
+  to_montgomery(px, in_x);
+  to_montgomery(py, in_y);
+  scalar_base_mult(x1, y1, z1, n1);
+  scalar_mult(x2, y2, z2, px, py, n2);
+
+  if (p256_is_zero(n2) != 0) {
+    /* If n2 == 0, then {x2,y2,z2} is zero and the result is just
+         * {x1,y1,z1}. */
+  } else if (p256_is_zero(n1) != 0) {
+    /* If n1 == 0, then {x1,y1,z1} is zero and the result is just
+         * {x2,y2,z2}. */
+    memcpy(x1, x2, sizeof(x2));
+    memcpy(y1, y2, sizeof(y2));
+    memcpy(z1, z2, sizeof(z2));
+  } else {
+    /* This function handles the case where {x1,y1,z1} == {x2,y2,z2}. */
+    point_add_or_double_vartime(x1, y1, z1, x1, y1, z1, x2, y2, z2);
+  }
+
+  point_to_affine(px, py, x1, y1, z1);
+  from_montgomery(out_x, px);
+  from_montgomery(out_y, py);
+}
diff --git a/libmincrypt/p256_ecdsa.c b/libmincrypt/p256_ecdsa.c
new file mode 100644
index 0000000..f2264b0
--- /dev/null
+++ b/libmincrypt/p256_ecdsa.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2013 The Android Open Source Project
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *     * Neither the name of Google Inc. nor the names of its contributors may
+ *       be used to endorse or promote products derived from this software
+ *       without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+ * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <string.h>
+
+#include "mincrypt/p256_ecdsa.h"
+#include "mincrypt/p256.h"
+
+int p256_ecdsa_verify(const p256_int* key_x, const p256_int* key_y,
+                      const p256_int* message,
+                      const p256_int* r, const p256_int* s) {
+  p256_int u, v;
+
+  // Check public key.
+  if (!p256_is_valid_point(key_x, key_y)) return 0;
+
+  // Check r and s are != 0 % n.
+  p256_mod(&SECP256r1_n, r, &u);
+  p256_mod(&SECP256r1_n, s, &v);
+  if (p256_is_zero(&u) || p256_is_zero(&v)) return 0;
+
+  p256_modinv_vartime(&SECP256r1_n, s, &v);
+  p256_modmul(&SECP256r1_n, message, 0, &v, &u);  // message / s % n
+  p256_modmul(&SECP256r1_n, r, 0, &v, &v);  // r / s % n
+
+  p256_points_mul_vartime(&u, &v,
+                          key_x, key_y,
+                          &u, &v);
+
+  p256_mod(&SECP256r1_n, &u, &u);  // (x coord % p) % n
+  return p256_cmp(r, &u) == 0;
+}
+
diff --git a/libmincrypt/rsa.c b/libmincrypt/rsa.c
new file mode 100644
index 0000000..9061b3a
--- /dev/null
+++ b/libmincrypt/rsa.c
@@ -0,0 +1,308 @@
+/* rsa.c
+**
+** Copyright 2012, The Android Open Source Project
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions are met:
+**     * Redistributions of source code must retain the above copyright
+**       notice, this list of conditions and the following disclaimer.
+**     * Redistributions in binary form must reproduce the above copyright
+**       notice, this list of conditions and the following disclaimer in the
+**       documentation and/or other materials provided with the distribution.
+**     * Neither the name of Google Inc. nor the names of its contributors may
+**       be used to endorse or promote products derived from this software
+**       without specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
+** IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+** MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+** EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+** SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+** PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+** OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+** WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+** OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+** ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#include "mincrypt/rsa.h"
+#include "mincrypt/sha.h"
+#include "mincrypt/sha256.h"
+
+// a[] -= mod
+static void subM(const RSAPublicKey* key,
+                 uint32_t* a) {
+    int64_t A = 0;
+    int i;
+    for (i = 0; i < key->len; ++i) {
+        A += (uint64_t)a[i] - key->n[i];
+        a[i] = (uint32_t)A;
+        A >>= 32;
+    }
+}
+
+// return a[] >= mod
+static int geM(const RSAPublicKey* key,
+               const uint32_t* a) {
+    int i;
+    for (i = key->len; i;) {
+        --i;
+        if (a[i] < key->n[i]) return 0;
+        if (a[i] > key->n[i]) return 1;
+    }
+    return 1;  // equal
+}
+
+// montgomery c[] += a * b[] / R % mod
+static void montMulAdd(const RSAPublicKey* key,
+                       uint32_t* c,
+                       const uint32_t a,
+                       const uint32_t* b) {
+    uint64_t A = (uint64_t)a * b[0] + c[0];
+    uint32_t d0 = (uint32_t)A * key->n0inv;
+    uint64_t B = (uint64_t)d0 * key->n[0] + (uint32_t)A;
+    int i;
+
+    for (i = 1; i < key->len; ++i) {
+        A = (A >> 32) + (uint64_t)a * b[i] + c[i];
+        B = (B >> 32) + (uint64_t)d0 * key->n[i] + (uint32_t)A;
+        c[i - 1] = (uint32_t)B;
+    }
+
+    A = (A >> 32) + (B >> 32);
+
+    c[i - 1] = (uint32_t)A;
+
+    if (A >> 32) {
+        subM(key, c);
+    }
+}
+
+// montgomery c[] = a[] * b[] / R % mod
+static void montMul(const RSAPublicKey* key,
+                    uint32_t* c,
+                    const uint32_t* a,
+                    const uint32_t* b) {
+    int i;
+    for (i = 0; i < key->len; ++i) {
+        c[i] = 0;
+    }
+    for (i = 0; i < key->len; ++i) {
+        montMulAdd(key, c, a[i], b);
+    }
+}
+
+// In-place public exponentiation.
+// Input and output big-endian byte array in inout.
+static void modpow(const RSAPublicKey* key,
+                   uint8_t* inout) {
+    uint32_t a[RSANUMWORDS];
+    uint32_t aR[RSANUMWORDS];
+    uint32_t aaR[RSANUMWORDS];
+    uint32_t* aaa = 0;
+    int i;
+
+    // Convert from big endian byte array to little endian word array.
+    for (i = 0; i < key->len; ++i) {
+        uint32_t tmp =
+            (inout[((key->len - 1 - i) * 4) + 0] << 24) |
+            (inout[((key->len - 1 - i) * 4) + 1] << 16) |
+            (inout[((key->len - 1 - i) * 4) + 2] << 8) |
+            (inout[((key->len - 1 - i) * 4) + 3] << 0);
+        a[i] = tmp;
+    }
+
+    if (key->exponent == 65537) {
+        aaa = aaR;  // Re-use location.
+        montMul(key, aR, a, key->rr);  // aR = a * RR / R mod M
+        for (i = 0; i < 16; i += 2) {
+            montMul(key, aaR, aR, aR);  // aaR = aR * aR / R mod M
+            montMul(key, aR, aaR, aaR);  // aR = aaR * aaR / R mod M
+        }
+        montMul(key, aaa, aR, a);  // aaa = aR * a / R mod M
+    } else if (key->exponent == 3) {
+        aaa = aR;  // Re-use location.
+        montMul(key, aR, a, key->rr);  /* aR = a * RR / R mod M   */
+        montMul(key, aaR, aR, aR);     /* aaR = aR * aR / R mod M */
+        montMul(key, aaa, aaR, a);     /* aaa = aaR * a / R mod M */
+    }
+
+    // Make sure aaa < mod; aaa is at most 1x mod too large.
+    if (geM(key, aaa)) {
+        subM(key, aaa);
+    }
+
+    // Convert to bigendian byte array
+    for (i = key->len - 1; i >= 0; --i) {
+        uint32_t tmp = aaa[i];
+        *inout++ = tmp >> 24;
+        *inout++ = tmp >> 16;
+        *inout++ = tmp >> 8;
+        *inout++ = tmp >> 0;
+    }
+}
+
+// Expected PKCS1.5 signature padding bytes, for a keytool RSA signature.
+// Has the 0-length optional parameter encoded in the ASN1 (as opposed to the
+// other flavor which omits the optional parameter entirely). This code does not
+// accept signatures without the optional parameter.
+
+/*
+static const uint8_t sha_padding[RSANUMBYTES] = {
+    0x00, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0x00, 0x30, 0x21, 0x30,
+    0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
+    0x05, 0x00, 0x04, 0x14,
+
+    // 20 bytes of hash go here.
+    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
+};
+*/
+
+// SHA-1 of PKCS1.5 signature sha_padding for 2048 bit, as above.
+// At the location of the bytes of the hash all 00 are hashed.
+static const uint8_t kExpectedPadShaRsa2048[SHA_DIGEST_SIZE] = {
+    0xdc, 0xbd, 0xbe, 0x42, 0xd5, 0xf5, 0xa7, 0x2e,
+    0x6e, 0xfc, 0xf5, 0x5d, 0xaf, 0x9d, 0xea, 0x68,
+    0x7c, 0xfb, 0xf1, 0x67
+};
+
+/*
+static const uint8_t sha256_padding[RSANUMBYTES] = {
+    0x00, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0x00, 0x30, 0x31, 0x30,
+    0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
+    0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
+
+    // 32 bytes of hash go here.
+    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+};
+*/
+
+// SHA-256 of PKCS1.5 signature sha256_padding for 2048 bit, as above.
+// At the location of the bytes of the hash all 00 are hashed.
+static const uint8_t kExpectedPadSha256Rsa2048[SHA256_DIGEST_SIZE] = {
+    0xab, 0x28, 0x8d, 0x8a, 0xd7, 0xd9, 0x59, 0x92,
+    0xba, 0xcc, 0xf8, 0x67, 0x20, 0xe1, 0x15, 0x2e,
+    0x39, 0x8d, 0x80, 0x36, 0xd6, 0x6f, 0xf0, 0xfd,
+    0x90, 0xe8, 0x7d, 0x8b, 0xe1, 0x7c, 0x87, 0x59,
+};
+
+// Verify a 2048-bit RSA PKCS1.5 signature against an expected hash.
+// Both e=3 and e=65537 are supported.  hash_len may be
+// SHA_DIGEST_SIZE (== 20) to indicate a SHA-1 hash, or
+// SHA256_DIGEST_SIZE (== 32) to indicate a SHA-256 hash.  No other
+// values are supported.
+//
+// Returns 1 on successful verification, 0 on failure.
+int RSA_verify(const RSAPublicKey *key,
+               const uint8_t *signature,
+               const int len,
+               const uint8_t *hash,
+               const int hash_len) {
+    uint8_t buf[RSANUMBYTES];
+    int i;
+    const uint8_t* padding_hash;
+
+    if (key->len != RSANUMWORDS) {
+        return 0;  // Wrong key passed in.
+    }
+
+    if (len != sizeof(buf)) {
+        return 0;  // Wrong input length.
+    }
+
+    if (hash_len != SHA_DIGEST_SIZE &&
+        hash_len != SHA256_DIGEST_SIZE) {
+        return 0;  // Unsupported hash.
+    }
+
+    if (key->exponent != 3 && key->exponent != 65537) {
+        return 0;  // Unsupported exponent.
+    }
+
+    for (i = 0; i < len; ++i) {  // Copy input to local workspace.
+        buf[i] = signature[i];
+    }
+
+    modpow(key, buf);  // In-place exponentiation.
+
+    // Xor sha portion, so it all becomes 00 iff equal.
+    for (i = len - hash_len; i < len; ++i) {
+        buf[i] ^= *hash++;
+    }
+
+    // Hash resulting buf, in-place.
+    switch (hash_len) {
+        case SHA_DIGEST_SIZE:
+            padding_hash = kExpectedPadShaRsa2048;
+            SHA_hash(buf, len, buf);
+            break;
+        case SHA256_DIGEST_SIZE:
+            padding_hash = kExpectedPadSha256Rsa2048;
+            SHA256_hash(buf, len, buf);
+            break;
+        default:
+            return 0;
+    }
+
+    // Compare against expected hash value.
+    for (i = 0; i < hash_len; ++i) {
+        if (buf[i] != padding_hash[i]) {
+            return 0;
+        }
+    }
+
+    return 1;  // All checked out OK.
+}
diff --git a/libmincrypt/sha.c b/libmincrypt/sha.c
new file mode 100644
index 0000000..5bef32e
--- /dev/null
+++ b/libmincrypt/sha.c
@@ -0,0 +1,155 @@
+/* sha.c
+**
+** Copyright 2013, The Android Open Source Project
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions are met:
+**     * Redistributions of source code must retain the above copyright
+**       notice, this list of conditions and the following disclaimer.
+**     * Redistributions in binary form must reproduce the above copyright
+**       notice, this list of conditions and the following disclaimer in the
+**       documentation and/or other materials provided with the distribution.
+**     * Neither the name of Google Inc. nor the names of its contributors may
+**       be used to endorse or promote products derived from this software
+**       without specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
+** IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+** MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+** EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+** SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+** PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+** OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+** WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+** OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+** ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+// Optimized for minimal code size.
+
+#include "mincrypt/sha.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+
+#define rol(bits, value) (((value) << (bits)) | ((value) >> (32 - (bits))))
+
+static void SHA1_Transform(SHA_CTX* ctx) {
+    uint32_t W[80];
+    uint32_t A, B, C, D, E;
+    uint8_t* p = ctx->buf;
+    int t;
+
+    for(t = 0; t < 16; ++t) {
+        uint32_t tmp =  *p++ << 24;
+        tmp |= *p++ << 16;
+        tmp |= *p++ << 8;
+        tmp |= *p++;
+        W[t] = tmp;
+    }
+
+    for(; t < 80; t++) {
+        W[t] = rol(1,W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]);
+    }
+
+    A = ctx->state[0];
+    B = ctx->state[1];
+    C = ctx->state[2];
+    D = ctx->state[3];
+    E = ctx->state[4];
+
+    for(t = 0; t < 80; t++) {
+        uint32_t tmp = rol(5,A) + E + W[t];
+
+        if (t < 20)
+            tmp += (D^(B&(C^D))) + 0x5A827999;
+        else if ( t < 40)
+            tmp += (B^C^D) + 0x6ED9EBA1;
+        else if ( t < 60)
+            tmp += ((B&C)|(D&(B|C))) + 0x8F1BBCDC;
+        else
+            tmp += (B^C^D) + 0xCA62C1D6;
+
+        E = D;
+        D = C;
+        C = rol(30,B);
+        B = A;
+        A = tmp;
+    }
+
+    ctx->state[0] += A;
+    ctx->state[1] += B;
+    ctx->state[2] += C;
+    ctx->state[3] += D;
+    ctx->state[4] += E;
+}
+
+static const HASH_VTAB SHA_VTAB = {
+    SHA_init,
+    SHA_update,
+    SHA_final,
+    SHA_hash,
+    SHA_DIGEST_SIZE
+};
+
+void SHA_init(SHA_CTX* ctx) {
+    ctx->f = &SHA_VTAB;
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+    ctx->state[4] = 0xC3D2E1F0;
+    ctx->count = 0;
+}
+
+
+void SHA_update(SHA_CTX* ctx, const void* data, int len) {
+    int i = (int) (ctx->count & 63);
+    const uint8_t* p = (const uint8_t*)data;
+
+    ctx->count += len;
+
+    while (len--) {
+        ctx->buf[i++] = *p++;
+        if (i == 64) {
+            SHA1_Transform(ctx);
+            i = 0;
+        }
+    }
+}
+
+
+const uint8_t* SHA_final(SHA_CTX* ctx) {
+    uint8_t *p = ctx->buf;
+    uint64_t cnt = ctx->count * 8;
+    int i;
+
+    SHA_update(ctx, (uint8_t*)"\x80", 1);
+    while ((ctx->count & 63) != 56) {
+        SHA_update(ctx, (uint8_t*)"\0", 1);
+    }
+    for (i = 0; i < 8; ++i) {
+        uint8_t tmp = (uint8_t) (cnt >> ((7 - i) * 8));
+        SHA_update(ctx, &tmp, 1);
+    }
+
+    for (i = 0; i < 5; i++) {
+        uint32_t tmp = ctx->state[i];
+        *p++ = tmp >> 24;
+        *p++ = tmp >> 16;
+        *p++ = tmp >> 8;
+        *p++ = tmp >> 0;
+    }
+
+    return ctx->buf;
+}
+
+/* Convenience function */
+const uint8_t* SHA_hash(const void* data, int len, uint8_t* digest) {
+    SHA_CTX ctx;
+    SHA_init(&ctx);
+    SHA_update(&ctx, data, len);
+    memcpy(digest, SHA_final(&ctx), SHA_DIGEST_SIZE);
+    return digest;
+}
diff --git a/libmincrypt/sha256.c b/libmincrypt/sha256.c
new file mode 100644
index 0000000..eb6e308
--- /dev/null
+++ b/libmincrypt/sha256.c
@@ -0,0 +1,184 @@
+/* sha256.c
+**
+** Copyright 2013, The Android Open Source Project
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions are met:
+**     * Redistributions of source code must retain the above copyright
+**       notice, this list of conditions and the following disclaimer.
+**     * Redistributions in binary form must reproduce the above copyright
+**       notice, this list of conditions and the following disclaimer in the
+**       documentation and/or other materials provided with the distribution.
+**     * Neither the name of Google Inc. nor the names of its contributors may
+**       be used to endorse or promote products derived from this software
+**       without specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
+** IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+** MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+** EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+** SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+** PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+** OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+** WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+** OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+** ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+// Optimized for minimal code size.
+
+#include "mincrypt/sha256.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+
+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
+#define shr(value, bits) ((value) >> (bits))
+
+static const uint32_t K[64] = {
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
+    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
+    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
+    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
+    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
+    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };
+
+static void SHA256_Transform(SHA256_CTX* ctx) {
+    uint32_t W[64];
+    uint32_t A, B, C, D, E, F, G, H;
+    uint8_t* p = ctx->buf;
+    int t;
+
+    for(t = 0; t < 16; ++t) {
+        uint32_t tmp =  *p++ << 24;
+        tmp |= *p++ << 16;
+        tmp |= *p++ << 8;
+        tmp |= *p++;
+        W[t] = tmp;
+    }
+
+    for(; t < 64; t++) {
+        uint32_t s0 = ror(W[t-15], 7) ^ ror(W[t-15], 18) ^ shr(W[t-15], 3);
+        uint32_t s1 = ror(W[t-2], 17) ^ ror(W[t-2], 19) ^ shr(W[t-2], 10);
+        W[t] = W[t-16] + s0 + W[t-7] + s1;
+    }
+
+    A = ctx->state[0];
+    B = ctx->state[1];
+    C = ctx->state[2];
+    D = ctx->state[3];
+    E = ctx->state[4];
+    F = ctx->state[5];
+    G = ctx->state[6];
+    H = ctx->state[7];
+
+    for(t = 0; t < 64; t++) {
+        uint32_t s0 = ror(A, 2) ^ ror(A, 13) ^ ror(A, 22);
+        uint32_t maj = (A & B) ^ (A & C) ^ (B & C);
+        uint32_t t2 = s0 + maj;
+        uint32_t s1 = ror(E, 6) ^ ror(E, 11) ^ ror(E, 25);
+        uint32_t ch = (E & F) ^ ((~E) & G);
+        uint32_t t1 = H + s1 + ch + K[t] + W[t];
+
+        H = G;
+        G = F;
+        F = E;
+        E = D + t1;
+        D = C;
+        C = B;
+        B = A;
+        A = t1 + t2;
+    }
+
+    ctx->state[0] += A;
+    ctx->state[1] += B;
+    ctx->state[2] += C;
+    ctx->state[3] += D;
+    ctx->state[4] += E;
+    ctx->state[5] += F;
+    ctx->state[6] += G;
+    ctx->state[7] += H;
+}
+
+static const HASH_VTAB SHA256_VTAB = {
+    SHA256_init,
+    SHA256_update,
+    SHA256_final,
+    SHA256_hash,
+    SHA256_DIGEST_SIZE
+};
+
+void SHA256_init(SHA256_CTX* ctx) {
+    ctx->f = &SHA256_VTAB;
+    ctx->state[0] = 0x6a09e667;
+    ctx->state[1] = 0xbb67ae85;
+    ctx->state[2] = 0x3c6ef372;
+    ctx->state[3] = 0xa54ff53a;
+    ctx->state[4] = 0x510e527f;
+    ctx->state[5] = 0x9b05688c;
+    ctx->state[6] = 0x1f83d9ab;
+    ctx->state[7] = 0x5be0cd19;
+    ctx->count = 0;
+}
+
+
+void SHA256_update(SHA256_CTX* ctx, const void* data, int len) {
+    int i = (int) (ctx->count & 63);
+    const uint8_t* p = (const uint8_t*)data;
+
+    ctx->count += len;
+
+    while (len--) {
+        ctx->buf[i++] = *p++;
+        if (i == 64) {
+            SHA256_Transform(ctx);
+            i = 0;
+        }
+    }
+}
+
+
+const uint8_t* SHA256_final(SHA256_CTX* ctx) {
+    uint8_t *p = ctx->buf;
+    uint64_t cnt = ctx->count * 8;
+    int i;
+
+    SHA256_update(ctx, (uint8_t*)"\x80", 1);
+    while ((ctx->count & 63) != 56) {
+        SHA256_update(ctx, (uint8_t*)"\0", 1);
+    }
+    for (i = 0; i < 8; ++i) {
+        uint8_t tmp = (uint8_t) (cnt >> ((7 - i) * 8));
+        SHA256_update(ctx, &tmp, 1);
+    }
+
+    for (i = 0; i < 8; i++) {
+        uint32_t tmp = ctx->state[i];
+        *p++ = tmp >> 24;
+        *p++ = tmp >> 16;
+        *p++ = tmp >> 8;
+        *p++ = tmp >> 0;
+    }
+
+    return ctx->buf;
+}
+
+/* Convenience function */
+const uint8_t* SHA256_hash(const void* data, int len, uint8_t* digest) {
+    SHA256_CTX ctx;
+    SHA256_init(&ctx);
+    SHA256_update(&ctx, data, len);
+    memcpy(digest, SHA256_final(&ctx), SHA256_DIGEST_SIZE);
+    return digest;
+}
diff --git a/libmincrypt/test/Android.mk b/libmincrypt/test/Android.mk
new file mode 100644
index 0000000..73ff7d0
--- /dev/null
+++ b/libmincrypt/test/Android.mk
@@ -0,0 +1,15 @@
+# Copyright 2013 The Android Open Source Project
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := rsa_test
+LOCAL_SRC_FILES := rsa_test.c
+LOCAL_STATIC_LIBRARIES := libmincrypt
+include $(BUILD_HOST_NATIVE_TEST)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := ecdsa_test
+LOCAL_SRC_FILES := ecdsa_test.c
+LOCAL_STATIC_LIBRARIES := libmincrypt
+include $(BUILD_HOST_NATIVE_TEST)
diff --git a/libmincrypt/test/ecdsa_test.c b/libmincrypt/test/ecdsa_test.c
new file mode 100644
index 0000000..24ec013
--- /dev/null
+++ b/libmincrypt/test/ecdsa_test.c
@@ -0,0 +1,284 @@
+/*
+ * Copyright 2013 The Android Open Source Project
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *     * Neither the name of Google Inc. nor the names of its contributors may
+ *       be used to endorse or promote products derived from this software
+ *       without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+ * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/cdefs.h>
+
+#include "mincrypt/dsa_sig.h"
+#include "mincrypt/p256.h"
+#include "mincrypt/p256_ecdsa.h"
+#include "mincrypt/sha256.h"
+
+#ifndef __unused
+#define __unused __attribute__((__unused__))
+#endif
+
+/**
+ * Messages signed using:
+ *
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIDw6UiziVMbjlfSpOAIpA2tcL+v1OlznZLnpadO8BGi1oAoGCCqGSM49
+AwEHoUQDQgAEZw7VAOjAXYRFuhZWYBgjahdOvkwcAnjGkxQWytZW+iS1hI3ZGE24
+6XmNka9IGxAgj2n/ip+MuZJMFoJ9DRea3g==
+-----END EC PRIVATE KEY-----
+ */
+
+p256_int key_x = {
+    .a = {0xd656fa24u, 0x931416cau, 0x1c0278c6u, 0x174ebe4cu,
+          0x6018236au, 0x45ba1656u, 0xe8c05d84u, 0x670ed500u}
+};
+p256_int key_y = {
+    .a = {0x0d179adeu, 0x4c16827du, 0x9f8cb992u, 0x8f69ff8au,
+          0x481b1020u, 0x798d91afu, 0x184db8e9u, 0xb5848dd9u}
+};
+
+char* message_1 =
+    "f4 5d 55 f3 55 51 e9 75 d6 a8 dc 7e a9 f4 88 59"
+    "39 40 cc 75 69 4a 27 8f 27 e5 78 a1 63 d8 39 b3"
+    "40 40 84 18 08 cf 9c 58 c9 b8 72 8b f5 f9 ce 8e"
+    "e8 11 ea 91 71 4f 47 ba b9 2d 0f 6d 5a 26 fc fe"
+    "ea 6c d9 3b 91 0c 0a 2c 96 3e 64 eb 18 23 f1 02"
+    "75 3d 41 f0 33 59 10 ad 3a 97 71 04 f1 aa f6 c3"
+    "74 27 16 a9 75 5d 11 b8 ee d6 90 47 7f 44 5c 5d"
+    "27 20 8b 2e 28 43 30 fa 3d 30 14 23 fa 7f 2d 08"
+    "6e 0a d0 b8 92 b9 db 54 4e 45 6d 3f 0d ab 85 d9"
+    "53 c1 2d 34 0a a8 73 ed a7 27 c8 a6 49 db 7f a6"
+    "37 40 e2 5e 9a f1 53 3b 30 7e 61 32 99 93 11 0e"
+    "95 19 4e 03 93 99 c3 82 4d 24 c5 1f 22 b2 6b de"
+    "10 24 cd 39 59 58 a2 df eb 48 16 a6 e8 ad ed b5"
+    "0b 1f 6b 56 d0 b3 06 0f f0 f1 c4 cb 0d 0e 00 1d"
+    "d5 9d 73 be 12";
+
+char* signature_1 =
+    "30 44 02 20 43 18 fc eb 3b a8 3a a8 a3 cf 41 b7"
+    "81 4a f9 01 e1 8b 6e 95 c1 3a 83 25 9e a5 2e 66"
+    "7c 98 25 d9 02 20 54 f3 7f 5a e9 36 9c a2 f0 51"
+    "e0 6e 78 48 60 a3 f9 8a d5 2c 37 5a 0a 29 c9 f7"
+    "ea 57 7e 88 46 12";
+
+// Same as signature 1, but with leading zeroes.
+char* message_2 =
+    "f4 5d 55 f3 55 51 e9 75 d6 a8 dc 7e a9 f4 88 59"
+    "39 40 cc 75 69 4a 27 8f 27 e5 78 a1 63 d8 39 b3"
+    "40 40 84 18 08 cf 9c 58 c9 b8 72 8b f5 f9 ce 8e"
+    "e8 11 ea 91 71 4f 47 ba b9 2d 0f 6d 5a 26 fc fe"
+    "ea 6c d9 3b 91 0c 0a 2c 96 3e 64 eb 18 23 f1 02"
+    "75 3d 41 f0 33 59 10 ad 3a 97 71 04 f1 aa f6 c3"
+    "74 27 16 a9 75 5d 11 b8 ee d6 90 47 7f 44 5c 5d"
+    "27 20 8b 2e 28 43 30 fa 3d 30 14 23 fa 7f 2d 08"
+    "6e 0a d0 b8 92 b9 db 54 4e 45 6d 3f 0d ab 85 d9"
+    "53 c1 2d 34 0a a8 73 ed a7 27 c8 a6 49 db 7f a6"
+    "37 40 e2 5e 9a f1 53 3b 30 7e 61 32 99 93 11 0e"
+    "95 19 4e 03 93 99 c3 82 4d 24 c5 1f 22 b2 6b de"
+    "10 24 cd 39 59 58 a2 df eb 48 16 a6 e8 ad ed b5"
+    "0b 1f 6b 56 d0 b3 06 0f f0 f1 c4 cb 0d 0e 00 1d"
+    "d5 9d 73 be 12";
+
+char* signature_2 =
+    "30 46 02 21 00 43 18 fc eb 3b a8 3a a8 a3 cf 41 b7"
+    "81 4a f9 01 e1 8b 6e 95 c1 3a 83 25 9e a5 2e 66"
+    "7c 98 25 d9 02 21 00 54 f3 7f 5a e9 36 9c a2 f0 51"
+    "e0 6e 78 48 60 a3 f9 8a d5 2c 37 5a 0a 29 c9 f7"
+    "ea 57 7e 88 46 12";
+
+// Excessive zeroes on the signature
+char* message_3 =
+    "f4 5d 55 f3 55 51 e9 75 d6 a8 dc 7e a9 f4 88 59"
+    "39 40 cc 75 69 4a 27 8f 27 e5 78 a1 63 d8 39 b3"
+    "40 40 84 18 08 cf 9c 58 c9 b8 72 8b f5 f9 ce 8e"
+    "e8 11 ea 91 71 4f 47 ba b9 2d 0f 6d 5a 26 fc fe"
+    "ea 6c d9 3b 91 0c 0a 2c 96 3e 64 eb 18 23 f1 02"
+    "75 3d 41 f0 33 59 10 ad 3a 97 71 04 f1 aa f6 c3"
+    "74 27 16 a9 75 5d 11 b8 ee d6 90 47 7f 44 5c 5d"
+    "27 20 8b 2e 28 43 30 fa 3d 30 14 23 fa 7f 2d 08"
+    "6e 0a d0 b8 92 b9 db 54 4e 45 6d 3f 0d ab 85 d9"
+    "53 c1 2d 34 0a a8 73 ed a7 27 c8 a6 49 db 7f a6"
+    "37 40 e2 5e 9a f1 53 3b 30 7e 61 32 99 93 11 0e"
+    "95 19 4e 03 93 99 c3 82 4d 24 c5 1f 22 b2 6b de"
+    "10 24 cd 39 59 58 a2 df eb 48 16 a6 e8 ad ed b5"
+    "0b 1f 6b 56 d0 b3 06 0f f0 f1 c4 cb 0d 0e 00 1d"
+    "d5 9d 73 be 12";
+
+char* signature_3 =
+    "30 4c 02 24 00 00 00 00 43 18 fc eb 3b a8 3a a8 a3 cf 41 b7"
+    "81 4a f9 01 e1 8b 6e 95 c1 3a 83 25 9e a5 2e 66"
+    "7c 98 25 d9 02 24 00 00 00 00 54 f3 7f 5a e9 36 9c a2 f0 51"
+    "e0 6e 78 48 60 a3 f9 8a d5 2c 37 5a 0a 29 c9 f7"
+    "ea 57 7e 88 46 12";
+
+
+char* good_dsa_signature_1 =
+    "30 0D 02 01 01 02 08 00 A5 55 5A 01 FF A5 01";
+p256_int good_dsa_signature_1_r = {
+    .a = {0x00000001U, 0x00000000U, 0x00000000U, 0x00000000U,
+          0x00000000U, 0x00000000U, 0x00000000U, 0x00000000U}
+};
+p256_int good_dsa_signature_1_s = {
+    .a = {0x01FFA501U, 0x00A5555AU, 0x00000000U, 0x00000000U,
+          0x00000000U, 0x00000000U, 0x00000000U, 0x00000000U}
+};
+
+
+char* bad_dsa_signature_1 =
+     "a0 06 02 01 01 02 01 01";
+
+char* bad_dsa_signature_2 =
+     "30 07 02 01 01 02 01 01";
+
+char* bad_dsa_signature_3 =
+     "30 06 82 01 01 02 01 01";
+
+char* bad_dsa_signature_4 =
+     "30 06 02 00 01 02 01 01";
+
+char* bad_dsa_signature_5 =
+     "30 06 02 01 01 82 01 01";
+
+char* bad_dsa_signature_6 =
+     "30 05 02 01 01 02 00";
+
+char* bad_dsa_signature_7 =
+     "30 06 02 01 01 02 00 01";
+
+unsigned char* parsehex(char* str, int* len) {
+    // result can't be longer than input
+    unsigned char* result = malloc(strlen(str));
+
+    unsigned char* p = result;
+    *len = 0;
+
+    while (*str) {
+        int b;
+
+        while (isspace(*str)) str++;
+
+        switch (*str) {
+            case '0': case '1': case '2': case '3': case '4':
+            case '5': case '6': case '7': case '8': case '9':
+                b = (*str - '0') << 4; break;
+            case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
+                b = (*str - 'a' + 10) << 4; break;
+            case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
+                b = (*str - 'A' + 10) << 4; break;
+            case '\0':
+                return result;
+            default:
+                return NULL;
+        }
+        str++;
+
+        while (isspace(*str)) str++;
+
+        switch (*str) {
+            case '0': case '1': case '2': case '3': case '4':
+            case '5': case '6': case '7': case '8': case '9':
+                b |= *str - '0'; break;
+            case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
+                b |= *str - 'a' + 10; break;
+            case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
+                b |= *str - 'A' + 10; break;
+            default:
+                return NULL;
+        }
+        str++;
+
+        *p++ = b;
+        ++*len;
+    }
+
+    return result;
+}
+
+int main(int arg __unused, char** argv __unused) {
+
+    unsigned char hash_buf[SHA256_DIGEST_SIZE];
+
+    unsigned char* message;
+    int mlen;
+    unsigned char* signature;
+    int slen;
+
+    p256_int hash;
+    p256_int r;
+    p256_int s;
+
+    int success = 1;
+
+#define CHECK_DSA_SIG(sig, good) do {\
+    message = parsehex(sig, &mlen); \
+    int result = dsa_sig_unpack(message, mlen, &r, &s); \
+    printf(#sig ": %s\n", result ? "good" : "bad"); \
+    success = success && !(good ^ result); \
+    free(message); \
+    } while(0)
+#define CHECK_GOOD_DSA_SIG(n) do {\
+    CHECK_DSA_SIG(good_dsa_signature_##n, 1); \
+    int result = !memcmp(P256_DIGITS(&good_dsa_signature_##n##_r), P256_DIGITS(&r), \
+                         P256_NBYTES); \
+    success = success && result; \
+    printf("    R value %s\n", result ? "good" : "bad"); \
+    result = !memcmp(P256_DIGITS(&good_dsa_signature_##n##_s), P256_DIGITS(&s), \
+                    P256_NBYTES); \
+    success = success && result; \
+    printf("    S value %s\n", result ? "good" : "bad"); \
+    } while (0)
+#define CHECK_BAD_DSA_SIG(n) \
+    CHECK_DSA_SIG(bad_dsa_signature_##n, 0)
+
+    CHECK_GOOD_DSA_SIG(1);
+
+    CHECK_BAD_DSA_SIG(1);
+    CHECK_BAD_DSA_SIG(2);
+    CHECK_BAD_DSA_SIG(3);
+    CHECK_BAD_DSA_SIG(4);
+    CHECK_BAD_DSA_SIG(5);
+    CHECK_BAD_DSA_SIG(6);
+    CHECK_BAD_DSA_SIG(7);
+
+
+#define TEST_MESSAGE(n) do {\
+    message = parsehex(message_##n, &mlen); \
+    SHA256_hash(message, mlen, hash_buf); \
+    p256_from_bin(hash_buf, &hash); \
+    signature = parsehex(signature_##n, &slen); \
+    int result = dsa_sig_unpack(signature, slen, &r, &s); \
+    if (result) { result = p256_ecdsa_verify(&key_x, &key_y, &hash, &r, &s); } \
+    printf("message %d: %s\n", n, result ? "verified" : "not verified"); \
+    success = success && result; \
+    free(signature); \
+    } while(0)
+
+    TEST_MESSAGE(1);
+    TEST_MESSAGE(2);
+    TEST_MESSAGE(3);
+
+    printf("\n%s\n\n", success ? "PASS" : "FAIL");
+
+    return !success;
+}
diff --git a/libmincrypt/test/rsa_test.c b/libmincrypt/test/rsa_test.c
new file mode 100644
index 0000000..055138f
--- /dev/null
+++ b/libmincrypt/test/rsa_test.c
@@ -0,0 +1,842 @@
+/*
+** Copyright 2013, The Android Open Source Project
+**
+** Redistribution and use in source and binary forms, with or without
+** modification, are permitted provided that the following conditions are met:
+**     * Redistributions of source code must retain the above copyright
+**       notice, this list of conditions and the following disclaimer.
+**     * Redistributions in binary form must reproduce the above copyright
+**       notice, this list of conditions and the following disclaimer in the
+**       documentation and/or other materials provided with the distribution.
+**     * Neither the name of Google Inc. nor the names of its contributors may
+**       be used to endorse or promote products derived from this software
+**       without specific prior written permission.
+**
+** THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
+** IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+** MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+** EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+** SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+** PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+** OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+** WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+** OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+** ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/cdefs.h>
+
+#include "mincrypt/rsa.h"
+#include "mincrypt/sha.h"
+
+#ifndef __unused
+#define __unused __attribute__((unused))
+#endif
+
+// RSA test data taken from:
+//
+//   ftp://ftp.rsa.com/pub/rsalabs/tmp/pkcs1v15sign-vectors.txt
+
+// This is the result (reformatted) of running DumpPublicKey on:
+//
+//   # Example 15: A 2048-bit RSA key pair
+//   # -----------------------------------
+//
+//
+//   # Public key
+//   # ----------
+//
+//   # Modulus:
+//   df 27 1f d2 5f 86 44 49 6b 0c 81 be 4b d5 02 97
+//   ef 09 9b 00 2a 6f d6 77 27 eb 44 9c ea 56 6e d6
+//   a3 98 1a 71 31 2a 14 1c ab c9 81 5c 12 09 e3 20
+//   a2 5b 32 46 4e 99 99 f1 8c a1 3a 9f d3 89 25 58
+//   f9 e0 ad ef dd 36 50 dd 23 a3 f0 36 d6 0f e3 98
+//   84 37 06 a4 0b 0b 84 62 c8 be e3 bc e1 2f 1f 28
+//   60 c2 44 4c dc 6a 44 47 6a 75 ff 4a a2 42 73 cc
+//   be 3b f8 02 48 46 5f 8f f8 c3 a7 f3 36 7d fc 0d
+//   f5 b6 50 9a 4f 82 81 1c ed d8 1c da aa 73 c4 91
+//   da 41 21 70 d5 44 d4 ba 96 b9 7f 0a fc 80 65 49
+//   8d 3a 49 fd 91 09 92 a1 f0 72 5b e2 4f 46 5c fe
+//   7e 0e ab f6 78 99 6c 50 bc 5e 75 24 ab f7 3f 15
+//   e5 be f7 d5 18 39 4e 31 38 ce 49 44 50 6a aa af
+//   3f 9b 23 6d ca b8 fc 00 f8 7a f5 96 fd c3 d9 d6
+//   c7 5c d5 08 36 2f ae 2c be dd cc 4c 74 50 b1 7b
+//   77 6c 07 9e cc a1 f2 56 35 1a 43 b9 7d be 21 53
+//
+//   # Exponent:
+//   01 00 01
+
+RSAPublicKey key_15 = {
+    .len = 64,
+    .n0inv = 0xf0053525,
+    .n = {2109612371u,890913721u,3433165398u,2003568542u,
+          1951445371u,3202206796u,909094444u,3344749832u,
+          4257470934u,4168807830u,3401120768u,1067131757u,
+          1349167791u,953043268u,406408753u,3854497749u,
+          2885107477u,3160306980u,2023320656u,2114890742u,
+          1330011390u,4034026466u,2433323681u,2369407485u,
+          4236272969u,2528739082u,3578057914u,3661701488u,
+          2859713681u,3990363354u,1333952796u,4122366106u,
+          914226189u,4173572083u,1212571535u,3191601154u,
+          2722264012u,1786117962u,3697951815u,1623344204u,
+          3777961768u,3367953340u,185304162u,2218198692u,
+          3591365528u,597946422u,3711324381u,4192251375u,
+          3548980568u,2359376543u,1318689265u,2723885638u,
+          302637856u,2882109788u,824841244u,2744654449u,
+          3931533014u,669729948u,711972471u,4010384128u,
+          1272251031u,1795981758u,1602634825u,3743883218u},
+    .rr = {820482522u,2494434288u,1082168230u,731376296u,
+           1306039452u,3139792975u,2575869288u,3874938710u,
+           3198185181u,153506080u,1236489694u,1061859740u,
+           1174461268u,115279508u,1782749185u,238124145u,
+           3587596076u,2259236093u,1112265915u,4048059865u,
+           3890381098u,999426242u,794481771u,3804065613u,
+           2786019148u,461403875u,3072256692u,4079652654u,
+           3056719901u,1871565394u,212974856u,3359008174u,
+           1397773937u,3796256698u,914342841u,1097174457u,
+           3322220191u,3170814748u,2439215020u,618719336u,
+           3629353460u,496817177u,317052742u,380264245u,
+           1976007217u,2697736152u,312540864u,4291855337u,
+           697006561u,4234182488u,3904590917u,2609582216u,
+           451424084u,1805773827u,776344974u,1064489733u,
+           2633377036u,1954826648u,3202815814u,2240368662u,
+           2618582484u,2211196815u,4107362845u,3640258615u},
+    .exponent = 65537,
+};
+
+// PKCS#1 v1.5 Signature Example 15.1
+
+char* message_1 =
+    "f4 5d 55 f3 55 51 e9 75 d6 a8 dc 7e a9 f4 88 59"
+    "39 40 cc 75 69 4a 27 8f 27 e5 78 a1 63 d8 39 b3"
+    "40 40 84 18 08 cf 9c 58 c9 b8 72 8b f5 f9 ce 8e"
+    "e8 11 ea 91 71 4f 47 ba b9 2d 0f 6d 5a 26 fc fe"
+    "ea 6c d9 3b 91 0c 0a 2c 96 3e 64 eb 18 23 f1 02"
+    "75 3d 41 f0 33 59 10 ad 3a 97 71 04 f1 aa f6 c3"
+    "74 27 16 a9 75 5d 11 b8 ee d6 90 47 7f 44 5c 5d"
+    "27 20 8b 2e 28 43 30 fa 3d 30 14 23 fa 7f 2d 08"
+    "6e 0a d0 b8 92 b9 db 54 4e 45 6d 3f 0d ab 85 d9"
+    "53 c1 2d 34 0a a8 73 ed a7 27 c8 a6 49 db 7f a6"
+    "37 40 e2 5e 9a f1 53 3b 30 7e 61 32 99 93 11 0e"
+    "95 19 4e 03 93 99 c3 82 4d 24 c5 1f 22 b2 6b de"
+    "10 24 cd 39 59 58 a2 df eb 48 16 a6 e8 ad ed b5"
+    "0b 1f 6b 56 d0 b3 06 0f f0 f1 c4 cb 0d 0e 00 1d"
+    "d5 9d 73 be 12";
+
+char* signature_1 =
+    "b7 5a 54 66 b6 5d 0f 30 0e f5 38 33 f2 17 5c 8a"
+    "34 7a 38 04 fc 63 45 1d c9 02 f0 b7 1f 90 83 45"
+    "9e d3 7a 51 79 a3 b7 23 a5 3f 10 51 64 2d 77 37"
+    "4c 4c 6c 8d bb 1c a2 05 25 f5 c9 f3 2d b7 76 95"
+    "35 56 da 31 29 0e 22 19 74 82 ce b6 99 06 c4 6a"
+    "75 8f b0 e7 40 9b a8 01 07 7d 2a 0a 20 ea e7 d1"
+    "d6 d3 92 ab 49 57 e8 6b 76 f0 65 2d 68 b8 39 88"
+    "a7 8f 26 e1 11 72 ea 60 9b f8 49 fb bd 78 ad 7e"
+    "dc e2 1d e6 62 a0 81 36 8c 04 06 07 ce e2 9d b0"
+    "62 72 27 f4 49 63 ad 17 1d 22 93 b6 33 a3 92 e3"
+    "31 dc a5 4f e3 08 27 52 f4 3f 63 c1 61 b4 47 a4"
+    "c6 5a 68 75 67 0d 5f 66 00 fc c8 60 a1 ca eb 0a"
+    "88 f8 fd ec 4e 56 43 98 a5 c4 6c 87 f6 8c e0 70"
+    "01 f6 21 3a be 0a b5 62 5f 87 d1 90 25 f0 8d 81"
+    "da c7 bd 45 86 bc 93 82 19 1f 6d 28 80 f6 22 7e"
+    "5d f3 ee d2 1e 77 92 d2 49 48 04 87 f3 65 52 61";
+
+// PKCS#1 v1.5 Signature Example 15.2
+
+char *message_2 =
+    "c1 4b 4c 60 75 b2 f9 aa d6 61 de f4 ec fd 3c b9 "
+    "33 c6 23 f4 e6 3b f5 34 10 d2 f0 16 d1 ab 98 e2 "
+    "72 9e cc f8 00 6c d8 e0 80 50 73 7d 95 fd bf 29 "
+    "6b 66 f5 b9 79 2a 90 29 36 c4 f7 ac 69 f5 14 53 "
+    "ce 43 69 45 2d c2 2d 96 f0 37 74 81 14 66 20 00 "
+    "dd 9c d3 a5 e1 79 f4 e0 f8 1f a6 a0 31 1c a1 ae "
+    "e6 51 9a 0f 63 ce c7 8d 27 bb 72 63 93 fb 7f 1f "
+    "88 cd e7 c9 7f 8a 66 cd 66 30 12 81 da c3 f3 a4 "
+    "33 24 8c 75 d6 c2 dc d7 08 b6 a9 7b 0a 3f 32 5e "
+    "0b 29 64 f8 a5 81 9e 47 9b ";
+
+char* signature_2 =
+    "af a7 34 34 62 be a1 22 cc 14 9f ca 70 ab da e7"
+    "94 46 67 7d b5 37 36 66 af 7d c3 13 01 5f 4d e7"
+    "86 e6 e3 94 94 6f ad 3c c0 e2 b0 2b ed ba 50 47"
+    "fe 9e 2d 7d 09 97 05 e4 a3 9f 28 68 32 79 cf 0a"
+    "c8 5c 15 30 41 22 42 c0 e9 18 95 3b e0 00 e9 39"
+    "cf 3b f1 82 52 5e 19 93 70 fa 79 07 eb a6 9d 5d"
+    "b4 63 10 17 c0 e3 6d f7 03 79 b5 db 8d 4c 69 5a"
+    "97 9a 8e 61 73 22 40 65 d7 dc 15 13 2e f2 8c d8"
+    "22 79 51 63 06 3b 54 c6 51 14 1b e8 6d 36 e3 67"
+    "35 bc 61 f3 1f ca 57 4e 53 09 f3 a3 bb df 91 ef"
+    "f1 2b 99 e9 cc 17 44 f1 ee 9a 1b d2 2c 5b ad 96"
+    "ad 48 19 29 25 1f 03 43 fd 36 bc f0 ac de 7f 11"
+    "e5 ad 60 97 77 21 20 27 96 fe 06 1f 9a da 1f c4"
+    "c8 e0 0d 60 22 a8 35 75 85 ff e9 fd d5 93 31 a2"
+    "8c 4a a3 12 15 88 fb 6c f6 83 96 d8 ac 05 46 59"
+    "95 00 c9 70 85 00 a5 97 2b d5 4f 72 cf 8d b0 c8";
+
+// PKCS#1 v1.5 Signature Example 15.3
+
+char* message_3 =
+    "d0 23 71 ad 7e e4 8b bf db 27 63 de 7a 84 3b 94 "
+    "08 ce 5e b5 ab f8 47 ca 3d 73 59 86 df 84 e9 06 "
+    "0b db cd d3 a5 5b a5 5d de 20 d4 76 1e 1a 21 d2 "
+    "25 c1 a1 86 f4 ac 4b 30 19 d3 ad f7 8f e6 33 46 "
+    "67 f5 6f 70 c9 01 a0 a2 70 0c 6f 0d 56 ad d7 19 "
+    "59 2d c8 8f 6d 23 06 c7 00 9f 6e 7a 63 5b 4c b3 "
+    "a5 02 df e6 8d dc 58 d0 3b e1 0a 11 70 00 4f e7 "
+    "4d d3 e4 6b 82 59 1f f7 54 14 f0 c4 a0 3e 60 5e "
+    "20 52 4f 24 16 f1 2e ca 58 9f 11 1b 75 d6 39 c6 "
+    "1b aa 80 ca fd 05 cf 35 00 24 4a 21 9e d9 ce d9 "
+    "f0 b1 02 97 18 2b 65 3b 52 6f 40 0f 29 53 ba 21 "
+    "4d 5b cd 47 88 41 32 87 2a e9 0d 4d 6b 1f 42 15 "
+    "39 f9 f3 46 62 a5 6d c0 e7 b4 b9 23 b6 23 1e 30 "
+    "d2 67 67 97 81 7f 7c 33 7b 5a c8 24 ba 93 14 3b "
+    "33 81 fa 3d ce 0e 6a eb d3 8e 67 73 51 87 b1 eb "
+    "d9 5c 02 ";
+
+char* signature_3 =
+    "3b ac 63 f8 6e 3b 70 27 12 03 10 6b 9c 79 aa bd"
+    "9f 47 7c 56 e4 ee 58 a4 fc e5 ba f2 ca b4 96 0f"
+    "88 39 1c 9c 23 69 8b e7 5c 99 ae df 9e 1a bf 17"
+    "05 be 1d ac 33 14 0a db 48 eb 31 f4 50 bb 9e fe"
+    "83 b7 b9 0d b7 f1 57 6d 33 f4 0c 1c ba 4b 8d 6b"
+    "1d 33 23 56 4b 0f 17 74 11 4f a7 c0 8e 6d 1e 20"
+    "dd 8f bb a9 b6 ac 7a d4 1e 26 b4 56 8f 4a 8a ac"
+    "bf d1 78 a8 f8 d2 c9 d5 f5 b8 81 12 93 5a 8b c9"
+    "ae 32 cd a4 0b 8d 20 37 55 10 73 50 96 53 68 18"
+    "ce 2b 2d b7 1a 97 72 c9 b0 dd a0 9a e1 01 52 fa"
+    "11 46 62 18 d0 91 b5 3d 92 54 30 61 b7 29 4a 55"
+    "be 82 ff 35 d5 c3 2f a2 33 f0 5a aa c7 58 50 30"
+    "7e cf 81 38 3c 11 16 74 39 7b 1a 1b 9d 3b f7 61"
+    "2c cb e5 ba cd 2b 38 f0 a9 83 97 b2 4c 83 65 8f"
+    "b6 c0 b4 14 0e f1 19 70 c4 63 0d 44 34 4e 76 ea"
+    "ed 74 dc be e8 11 db f6 57 59 41 f0 8a 65 23 b8";
+
+// PKCS#1 v1.5 Signature Example 15.4
+
+char* message_4 =
+    "29 03 55 84 ab 7e 02 26 a9 ec 4b 02 e8 dc f1 27 "
+    "2d c9 a4 1d 73 e2 82 00 07 b0 f6 e2 1f ec cd 5b "
+    "d9 db b9 ef 88 cd 67 58 76 9e e1 f9 56 da 7a d1 "
+    "84 41 de 6f ab 83 86 db c6 93 ";
+
+char* signature_4 =
+    "28 d8 e3 fc d5 dd db 21 ff bd 8d f1 63 0d 73 77"
+    "aa 26 51 e1 4c ad 1c 0e 43 cc c5 2f 90 7f 94 6d"
+    "66 de 72 54 e2 7a 6c 19 0e b0 22 ee 89 ec f6 22"
+    "4b 09 7b 71 06 8c d6 07 28 a1 ae d6 4b 80 e5 45"
+    "7b d3 10 6d d9 17 06 c9 37 c9 79 5f 2b 36 36 7f"
+    "f1 53 dc 25 19 a8 db 9b df 2c 80 74 30 c4 51 de"
+    "17 bb cd 0c e7 82 b3 e8 f1 02 4d 90 62 4d ea 7f"
+    "1e ed c7 42 0b 7e 7c aa 65 77 ce f4 31 41 a7 26"
+    "42 06 58 0e 44 a1 67 df 5e 41 ee a0 e6 9a 80 54"
+    "54 c4 0e ef c1 3f 48 e4 23 d7 a3 2d 02 ed 42 c0"
+    "ab 03 d0 a7 cf 70 c5 86 0a c9 2e 03 ee 00 5b 60"
+    "ff 35 03 42 4b 98 cc 89 45 68 c7 c5 6a 02 33 55"
+    "1c eb e5 88 cf 8b 01 67 b7 df 13 ad ca d8 28 67"
+    "68 10 49 9c 70 4d a7 ae 23 41 4d 69 e3 c0 d2 db"
+    "5d cb c2 61 3b c1 20 42 1f 9e 36 53 c5 a8 76 72"
+    "97 64 3c 7e 07 40 de 01 63 55 45 3d 6c 95 ae 72";
+
+// PKCS#1 v1.5 Signature Example 15.5
+
+char* message_5 =
+    "bd a3 a1 c7 90 59 ea e5 98 30 8d 3d f6 09 ";
+
+char* signature_5 =
+    "a1 56 17 6c b9 67 77 c7 fb 96 10 5d bd 91 3b c4"
+    "f7 40 54 f6 80 7c 60 08 a1 a9 56 ea 92 c1 f8 1c"
+    "b8 97 dc 4b 92 ef 9f 4e 40 66 8d c7 c5 56 90 1a"
+    "cb 6c f2 69 fe 61 5b 0f b7 2b 30 a5 13 38 69 23"
+    "14 b0 e5 87 8a 88 c2 c7 77 4b d1 69 39 b5 ab d8"
+    "2b 44 29 d6 7b d7 ac 8e 5e a7 fe 92 4e 20 a6 ec"
+    "66 22 91 f2 54 8d 73 4f 66 34 86 8b 03 9a a5 f9"
+    "d4 d9 06 b2 d0 cb 85 85 bf 42 85 47 af c9 1c 6e"
+    "20 52 dd cd 00 1c 3e f8 c8 ee fc 3b 6b 2a 82 b6"
+    "f9 c8 8c 56 f2 e2 c3 cb 0b e4 b8 0d a9 5e ba 37"
+    "1d 8b 5f 60 f9 25 38 74 3d db b5 da 29 72 c7 1f"
+    "e7 b9 f1 b7 90 26 8a 0e 77 0f c5 eb 4d 5d d8 52"
+    "47 d4 8a e2 ec 3f 26 25 5a 39 85 52 02 06 a1 f2"
+    "68 e4 83 e9 db b1 d5 ca b1 90 91 76 06 de 31 e7"
+    "c5 18 2d 8f 15 1b f4 1d fe cc ae d7 cd e6 90 b2"
+    "16 47 10 6b 49 0c 72 9d 54 a8 fe 28 02 a6 d1 26";
+
+// PKCS#1 v1.5 Signature Example 15.6
+
+char* message_6 =
+    "c1 87 91 5e 4e 87 da 81 c0 8e d4 35 6a 0c ce ac "
+    "1c 4f b5 c0 46 b4 52 81 b3 87 ec 28 f1 ab fd 56 "
+    "7e 54 6b 23 6b 37 d0 1a e7 1d 3b 28 34 36 5d 3d "
+    "f3 80 b7 50 61 b7 36 b0 13 0b 07 0b e5 8a e8 a4 "
+    "6d 12 16 63 61 b6 13 db c4 7d fa eb 4c a7 46 45 "
+    "6c 2e 88 83 85 52 5c ca 9d d1 c3 c7 a9 ad a7 6d "
+    "6c ";;
+
+char* signature_6 =
+    "9c ab 74 16 36 08 66 9f 75 55 a3 33 cf 19 6f e3"
+    "a0 e9 e5 eb 1a 32 d3 4b b5 c8 5f f6 89 aa ab 0e"
+    "3e 65 66 8e d3 b1 15 3f 94 eb 3d 8b e3 79 b8 ee"
+    "f0 07 c4 a0 2c 70 71 ce 30 d8 bb 34 1e 58 c6 20"
+    "f7 3d 37 b4 ec bf 48 be 29 4f 6c 9e 0e cb 5e 63"
+    "fe c4 1f 12 0e 55 53 df a0 eb eb bb 72 64 0a 95"
+    "37 ba dc b4 51 33 02 29 d9 f7 10 f6 2e 3e d8 ec"
+    "78 4e 50 ee 1d 92 62 b4 26 71 34 00 11 d7 d0 98"
+    "c6 f2 55 7b 21 31 fa 9b d0 25 46 36 59 7e 88 ec"
+    "b3 5a 24 0e f0 fd 85 95 71 24 df 80 80 fe e1 e1"
+    "49 af 93 99 89 e8 6b 26 c8 5a 58 81 fa e8 67 3d"
+    "9f d4 08 00 dd 13 4e b9 bd b6 41 0f 42 0b 0a a9"
+    "7b 20 ef cf 2e b0 c8 07 fa eb 83 a3 cc d9 b5 1d"
+    "45 53 e4 1d fc 0d f6 ca 80 a1 e8 1d c2 34 bb 83"
+    "89 dd 19 5a 38 b4 2d e4 ed c4 9d 34 64 78 b9 f1"
+    "1f 05 57 20 5f 5b 0b d7 ff e9 c8 50 f3 96 d7 c4";;
+
+// PKCS#1 v1.5 Signature Example 15.7
+
+char* message_7 =
+    "ab fa 2e cb 7d 29 bd 5b cb 99 31 ce 2b ad 2f 74 "
+    "38 3e 95 68 3c ee 11 02 2f 08 e8 e7 d0 b8 fa 05 "
+    "8b f9 eb 7e b5 f9 88 68 b5 bb 1f b5 c3 1c ed a3 "
+    "a6 4f 1a 12 cd f2 0f cd 0e 5a 24 6d 7a 17 73 d8 "
+    "db a0 e3 b2 77 54 5b ab e5 8f 2b 96 e3 f4 ed c1 "
+    "8e ab f5 cd 2a 56 0f ca 75 fe 96 e0 7d 85 9d ef "
+    "b2 56 4f 3a 34 f1 6f 11 e9 1b 3a 71 7b 41 af 53 "
+    "f6 60 53 23 00 1a a4 06 c6 ";
+
+char* signature_7 =
+    "c4 b4 37 bc f7 03 f3 52 e1 fa f7 4e b9 62 20 39"
+    "42 6b 56 72 ca f2 a7 b3 81 c6 c4 f0 19 1e 7e 4a"
+    "98 f0 ee bc d6 f4 17 84 c2 53 7f f0 f9 9e 74 98"
+    "2c 87 20 1b fb c6 5e ae 83 2d b7 1d 16 da ca db"
+    "09 77 e5 c5 04 67 9e 40 be 0f 9d b0 6f fd 84 8d"
+    "d2 e5 c3 8a 7e c0 21 e7 f6 8c 47 df d3 8c c3 54"
+    "49 3d 53 39 b4 59 5a 5b f3 1e 3f 8f 13 81 68 07"
+    "37 3d f6 ad 0d c7 e7 31 e5 1a d1 9e b4 75 4b 13"
+    "44 85 84 2f e7 09 d3 78 44 4d 8e 36 b1 72 4a 4f"
+    "da 21 ca fe e6 53 ab 80 74 7f 79 52 ee 80 4d ea"
+    "b1 03 9d 84 13 99 45 bb f4 be 82 00 87 53 f3 c5"
+    "4c 78 21 a1 d2 41 f4 21 79 c7 94 ef 70 42 bb f9"
+    "95 56 56 22 2e 45 c3 43 69 a3 84 69 7b 6a e7 42"
+    "e1 8f a5 ca 7a ba d2 7d 9f e7 10 52 e3 31 0d 0f"
+    "52 c8 d1 2e a3 3b f0 53 a3 00 f4 af c4 f0 98 df"
+    "4e 6d 88 67 79 d6 45 94 d3 69 15 8f db c1 f6 94";
+
+// PKCS#1 v1.5 Signature Example 15.8
+
+char* message_8 =
+    "df 40 44 a8 9a 83 e9 fc bf 12 62 54 0a e3 03 8b "
+    "bc 90 f2 b2 62 8b f2 a4 46 7a c6 77 22 d8 54 6b "
+    "3a 71 cb 0e a4 16 69 d5 b4 d6 18 59 c1 b4 e4 7c "
+    "ec c5 93 3f 75 7e c8 6d b0 64 4e 31 18 12 d0 0f "
+    "b8 02 f0 34 00 63 9c 0e 36 4d ae 5a eb c5 79 1b "
+    "c6 55 76 23 61 bc 43 c5 3d 3c 78 86 76 8f 79 68 "
+    "c1 c5 44 c6 f7 9f 7b e8 20 c7 e2 bd 2f 9d 73 e6 "
+    "2d ed 6d 2e 93 7e 6a 6d ae f9 0e e3 7a 1a 52 a5 "
+    "4f 00 e3 1a dd d6 48 94 cf 4c 02 e1 60 99 e2 9f "
+    "9e b7 f1 a7 bb 7f 84 c4 7a 2b 59 48 13 be 02 a1 "
+    "7b 7f c4 3b 34 c2 2c 91 92 52 64 12 6c 89 f8 6b "
+    "b4 d8 7f 3e f1 31 29 6c 53 a3 08 e0 33 1d ac 8b "
+    "af 3b 63 42 22 66 ec ef 2b 90 78 15 35 db da 41 "
+    "cb d0 cf 22 a8 cb fb 53 2e c6 8f c6 af b2 ac 06 ";
+
+char* signature_8 =
+    "14 14 b3 85 67 ae 6d 97 3e de 4a 06 84 2d cc 0e"
+    "05 59 b1 9e 65 a4 88 9b db ab d0 fd 02 80 68 29"
+    "13 ba cd 5d c2 f0 1b 30 bb 19 eb 81 0b 7d 9d ed"
+    "32 b2 84 f1 47 bb e7 71 c9 30 c6 05 2a a7 34 13"
+    "90 a8 49 f8 1d a9 cd 11 e5 ec cf 24 6d ba e9 5f"
+    "a9 58 28 e9 ae 0c a3 55 03 25 32 6d ee f9 f4 95"
+    "30 ba 44 1b ed 4a c2 9c 02 9c 9a 27 36 b1 a4 19"
+    "0b 85 08 4a d1 50 42 6b 46 d7 f8 5b d7 02 f4 8d"
+    "ac 5f 71 33 0b c4 23 a7 66 c6 5c c1 dc ab 20 d3"
+    "d3 bb a7 2b 63 b3 ef 82 44 d4 2f 15 7c b7 e3 a8"
+    "ba 5c 05 27 2c 64 cc 1a d2 1a 13 49 3c 39 11 f6"
+    "0b 4e 9f 4e cc 99 00 eb 05 6e e5 9d 6f e4 b8 ff"
+    "6e 80 48 cc c0 f3 8f 28 36 fd 3d fe 91 bf 4a 38"
+    "6e 1e cc 2c 32 83 9f 0c a4 d1 b2 7a 56 8f a9 40"
+    "dd 64 ad 16 bd 01 25 d0 34 8e 38 30 85 f0 88 94"
+    "86 1c a1 89 87 22 7d 37 b4 2b 58 4a 83 57 cb 04";
+
+// PKCS#1 v1.5 Signature Example 15.9
+
+char* message_9 =
+    "ea 94 1f f0 6f 86 c2 26 92 7f cf 0e 3b 11 b0 87 "
+    "26 76 17 0c 1b fc 33 bd a8 e2 65 c7 77 71 f9 d0 "
+    "85 01 64 a5 ee cb cc 5c e8 27 fb fa 07 c8 52 14 "
+    "79 6d 81 27 e8 ca a8 18 94 ea 61 ce b1 44 9e 72 "
+    "fe a0 a4 c9 43 b2 da 6d 9b 10 5f e0 53 b9 03 9a "
+    "9c c5 3d 42 0b 75 39 fa b2 23 9c 6b 51 d1 7e 69 "
+    "4c 95 7d 4b 0f 09 84 46 18 79 a0 75 9c 44 01 be "
+    "ec d4 c6 06 a0 af bd 7a 07 6f 50 a2 df c2 80 7f "
+    "24 f1 91 9b aa 77 46 d3 a6 4e 26 8e d3 f5 f8 e6 "
+    "da 83 a2 a5 c9 15 2f 83 7c b0 78 12 bd 5b a7 d3 "
+    "a0 79 85 de 88 11 3c 17 96 e9 b4 66 ec 29 9c 5a "
+    "c1 05 9e 27 f0 94 15 ";
+
+char* signature_9 =
+    "ce eb 84 cc b4 e9 09 92 65 65 07 21 ee a0 e8 ec"
+    "89 ca 25 bd 35 4d 4f 64 56 49 67 be 9d 4b 08 b3"
+    "f1 c0 18 53 9c 9d 37 1c f8 96 1f 22 91 fb e0 dc"
+    "2f 2f 95 fe a4 7b 63 9f 1e 12 f4 bc 38 1c ef 0c"
+    "2b 7a 7b 95 c3 ad f2 76 05 b7 f6 39 98 c3 cb ad"
+    "54 28 08 c3 82 2e 06 4d 4a d1 40 93 67 9e 6e 01"
+    "41 8a 6d 5c 05 96 84 cd 56 e3 4e d6 5a b6 05 b8"
+    "de 4f cf a6 40 47 4a 54 a8 25 1b bb 73 26 a4 2d"
+    "08 58 5c fc fc 95 67 69 b1 5b 6d 7f df 7d a8 4f"
+    "81 97 6e aa 41 d6 92 38 0f f1 0e ae cf e0 a5 79"
+    "68 29 09 b5 52 1f ad e8 54 d7 97 b8 a0 34 5b 9a"
+    "86 4e 05 88 f6 ca dd bf 65 f1 77 99 8e 18 0d 1f"
+    "10 24 43 e6 dc a5 3a 94 82 3c aa 9c 3b 35 f3 22"
+    "58 3c 70 3a f6 74 76 15 9e c7 ec 93 d1 76 9b 30"
+    "0a f0 e7 15 7d c2 98 c6 cd 2d ee 22 62 f8 cd dc"
+    "10 f1 1e 01 74 14 71 bb fd 65 18 a1 75 73 45 75";
+
+// PKCS#1 v1.5 Signature Example 15.10
+
+char* message_10 =
+    "d8 b8 16 45 c1 3c d7 ec f5 d0 0e d2 c9 1b 9a cd "
+    "46 c1 55 68 e5 30 3c 4a 97 75 ed e7 6b 48 40 3d "
+    "6b e5 6c 05 b6 b1 cf 77 c6 e7 5d e0 96 c5 cb 35 "
+    "51 cb 6f a9 64 f3 c8 79 cf 58 9d 28 e1 da 2f 9d "
+    "ec ";
+
+char* signature_10 =
+    "27 45 07 4c a9 71 75 d9 92 e2 b4 47 91 c3 23 c5"
+    "71 67 16 5c dd 8d a5 79 cd ef 46 86 b9 bb 40 4b"
+    "d3 6a 56 50 4e b1 fd 77 0f 60 bf a1 88 a7 b2 4b"
+    "0c 91 e8 81 c2 4e 35 b0 4d c4 dd 4c e3 85 66 bc"
+    "c9 ce 54 f4 9a 17 5f c9 d0 b2 25 22 d9 57 90 47"
+    "f9 ed 42 ec a8 3f 76 4a 10 16 39 97 94 7e 7d 2b"
+    "52 ff 08 98 0e 7e 7c 22 57 93 7b 23 f3 d2 79 d4"
+    "cd 17 d6 f4 95 54 63 73 d9 83 d5 36 ef d7 d1 b6"
+    "71 81 ca 2c b5 0a c6 16 c5 c7 ab fb b9 26 0b 91"
+    "b1 a3 8e 47 24 20 01 ff 45 2f 8d e1 0c a6 ea ea"
+    "dc af 9e dc 28 95 6f 28 a7 11 29 1f c9 a8 08 78"
+    "b8 ba 4c fe 25 b8 28 1c b8 0b c9 cd 6d 2b d1 82"
+    "52 46 ee be 25 2d 99 57 ef 93 70 73 52 08 4e 6d"
+    "36 d4 23 55 1b f2 66 a8 53 40 fb 4a 6a f3 70 88"
+    "0a ab 07 15 3d 01 f4 8d 08 6d f0 bf be c0 5e 7b"
+    "44 3b 97 e7 17 18 97 0e 2f 4b f6 20 23 e9 5b 67";
+
+// PKCS#1 v1.5 Signature Example 15.11
+
+char* message_11 =
+    "e5 73 9b 6c 14 c9 2d 51 0d 95 b8 26 93 33 37 ff "
+    "0d 24 ef 72 1a c4 ef 64 c2 ba d2 64 be 8b 44 ef "
+    "a1 51 6e 08 a2 7e b6 b6 11 d3 30 1d f0 06 2d ae "
+    "fc 73 a8 c0 d9 2e 2c 52 1f ac bc 7b 26 47 38 76 "
+    "7e a6 fc 97 d5 88 a0 ba f6 ce 50 ad f7 9e 60 0b "
+    "d2 9e 34 5f cb 1d ba 71 ac 5c 02 89 02 3f e4 a8 "
+    "2b 46 a5 40 77 19 19 7d 2e 95 8e 35 31 fd 54 ae "
+    "f9 03 aa bb 43 55 f8 83 18 99 4e d3 c3 dd 62 f4 "
+    "20 a7 ";
+
+char* signature_11 =
+    "be 40 a5 fb 94 f1 13 e1 b3 ef f6 b6 a3 39 86 f2"
+    "02 e3 63 f0 74 83 b7 92 e6 8d fa 55 54 df 04 66"
+    "cc 32 15 09 50 78 3b 4d 96 8b 63 9a 04 fd 2f b9"
+    "7f 6e b9 67 02 1f 5a dc cb 9f ca 95 ac c8 f2 cd"
+    "88 5a 38 0b 0a 4e 82 bc 76 07 64 db ab 88 c1 e6"
+    "c0 25 5c aa 94 f2 32 19 9d 6f 59 7c c9 14 5b 00"
+    "e3 d4 ba 34 6b 55 9a 88 33 ad 15 16 ad 51 63 f0"
+    "16 af 6a 59 83 1c 82 ea 13 c8 22 4d 84 d0 76 5a"
+    "9d 12 38 4d a4 60 a8 53 1b 4c 40 7e 04 f4 f3 50"
+    "70 9e b9 f0 8f 5b 22 0f fb 45 ab f6 b7 5d 15 79"
+    "fd 3f 1e b5 5f c7 5b 00 af 8b a3 b0 87 82 7f e9"
+    "ae 9f b4 f6 c5 fa 63 03 1f e5 82 85 2f e2 83 4f"
+    "9c 89 bf f5 3e 25 52 21 6b c7 c1 d4 a3 d5 dc 2b"
+    "a6 95 5c d9 b1 7d 13 63 e7 fe e8 ed 76 29 75 3f"
+    "f3 12 5e dd 48 52 1a e3 b9 b0 32 17 f4 49 6d 0d"
+    "8e de 57 ac bc 5b d4 de ae 74 a5 6f 86 67 1d e2";
+
+// PKCS#1 v1.5 Signature Example 15.12
+
+char* message_12 =
+    "7a f4 28 35 91 7a 88 d6 b3 c6 71 6b a2 f5 b0 d5 "
+    "b2 0b d4 e2 e6 e5 74 e0 6a f1 ee f7 c8 11 31 be "
+    "22 bf 81 28 b9 cb c6 ec 00 27 5b a8 02 94 a5 d1 "
+    "17 2d 08 24 a7 9e 8f dd 83 01 83 e4 c0 0b 96 78 "
+    "28 67 b1 22 7f ea 24 9a ad 32 ff c5 fe 00 7b c5 "
+    "1f 21 79 2f 72 8d ed a8 b5 70 8a a9 9c ab ab 20 "
+    "a4 aa 78 3e d8 6f 0f 27 b5 d5 63 f4 2e 07 15 8c "
+    "ea 72 d0 97 aa 68 87 ec 41 1d d0 12 91 2a 5e 03 "
+    "2b bf a6 78 50 71 44 bc c9 5f 39 b5 8b e7 bf d1 "
+    "75 9a db 9a 91 fa 1d 6d 82 26 a8 34 3a 8b 84 9d "
+    "ae 76 f7 b9 82 24 d5 9e 28 f7 81 f1 3e ce 60 5f "
+    "84 f6 c9 0b ae 5f 8c f3 78 81 6f 40 20 a7 dd a1 "
+    "be d9 0c 92 a2 36 34 d2 03 fa c3 fc d8 6d 68 d3 "
+    "18 2a 7d 9c ca be 7b 07 95 f5 c6 55 e9 ac c4 e3 "
+    "ec 18 51 40 d1 0c ef 05 34 64 ab 17 5c 83 bd 83 "
+    "93 5e 3d ab af 34 62 ee be 63 d1 5f 57 3d 26 9a ";
+
+char* signature_12 =
+    "4e 78 c5 90 2b 80 79 14 d1 2f a5 37 ae 68 71 c8"
+    "6d b8 02 1e 55 d1 ad b8 eb 0c cf 1b 8f 36 ab 7d"
+    "ad 1f 68 2e 94 7a 62 70 72 f0 3e 62 73 71 78 1d"
+    "33 22 1d 17 4a be 46 0d bd 88 56 0c 22 f6 90 11"
+    "6e 2f bb e6 e9 64 36 3a 3e 52 83 bb 5d 94 6e f1"
+    "c0 04 7e ba 03 8c 75 6c 40 be 79 23 05 58 09 b0"
+    "e9 f3 4a 03 a5 88 15 eb dd e7 67 93 1f 01 8f 6f"
+    "18 78 f2 ef 4f 47 dd 37 40 51 dd 48 68 5d ed 6e"
+    "fb 3e a8 02 1f 44 be 1d 7d 14 93 98 f9 8e a9 c0"
+    "8d 62 88 8e bb 56 19 2d 17 74 7b 6b 8e 17 09 54"
+    "31 f1 25 a8 a8 e9 96 2a a3 1c 28 52 64 e0 8f b2"
+    "1a ac 33 6c e6 c3 8a a3 75 e4 2b c9 2a b0 ab 91"
+    "03 84 31 e1 f9 2c 39 d2 af 5d ed 7e 43 bc 15 1e"
+    "6e be a4 c3 e2 58 3a f3 43 7e 82 c4 3c 5e 3b 5b"
+    "07 cf 03 59 68 3d 22 98 e3 59 48 ed 80 6c 06 3c"
+    "60 6e a1 78 15 0b 1e fc 15 85 69 34 c7 25 5c fe";
+
+// PKCS#1 v1.5 Signature Example 15.13
+
+char* message_13 =
+    "eb ae f3 f9 f2 3b df e5 fa 6b 8a f4 c2 08 c1 89 "
+    "f2 25 1b f3 2f 5f 13 7b 9d e4 40 63 78 68 6b 3f "
+    "07 21 f6 2d 24 cb 86 88 d6 fc 41 a2 7c ba e2 1d "
+    "30 e4 29 fe ac c7 11 19 41 c2 77 ";
+
+char* signature_13 =
+    "c4 8d be f5 07 11 4f 03 c9 5f af be b4 df 1b fa"
+    "88 e0 18 4a 33 cc 4f 8a 9a 10 35 ff 7f 82 2a 5e"
+    "38 cd a1 87 23 91 5f f0 78 24 44 29 e0 f6 08 1c"
+    "14 fd 83 33 1f a6 5c 6b a7 bb 9a 12 db f6 62 23"
+    "74 cd 0c a5 7d e3 77 4e 2b d7 ae 82 36 77 d0 61"
+    "d5 3a e9 c4 04 0d 2d a7 ef 70 14 f3 bb dc 95 a3"
+    "61 a4 38 55 c8 ce 9b 97 ec ab ce 17 4d 92 62 85"
+    "14 2b 53 4a 30 87 f9 f4 ef 74 51 1e c7 42 b0 d5"
+    "68 56 03 fa f4 03 b5 07 2b 98 5d f4 6a df 2d 25"
+    "29 a0 2d 40 71 1e 21 90 91 70 52 37 1b 79 b7 49"
+    "b8 3a bf 0a e2 94 86 c3 f2 f6 24 77 b2 bd 36 2b"
+    "03 9c 01 3c 0c 50 76 ef 52 0d bb 40 5f 42 ce e9"
+    "54 25 c3 73 a9 75 e1 cd d0 32 c4 96 22 c8 50 79"
+    "b0 9e 88 da b2 b1 39 69 ef 7a 72 39 73 78 10 40"
+    "45 9f 57 d5 01 36 38 48 3d e2 d9 1c b3 c4 90 da"
+    "81 c4 6d e6 cd 76 ea 8a 0c 8f 6f e3 31 71 2d 24";
+
+// PKCS#1 v1.5 Signature Example 15.14
+
+char* message_14 =
+    "c5 a2 71 12 78 76 1d fc dd 4f 0c 99 e6 f5 61 9d "
+    "6c 48 b5 d4 c1 a8 09 82 fa a6 b4 cf 1c f7 a6 0f "
+    "f3 27 ab ef 93 c8 01 42 9e fd e0 86 40 85 81 46 "
+    "10 56 ac c3 3f 3d 04 f5 ad a2 12 16 ca cd 5f d1 "
+    "f9 ed 83 20 3e 0e 2f e6 13 8e 3e ae 84 24 e5 91 "
+    "5a 08 3f 3f 7a b7 60 52 c8 be 55 ae 88 2d 6e c1 "
+    "48 2b 1e 45 c5 da e9 f4 10 15 40 53 27 02 2e c3 "
+    "2f 0e a2 42 97 63 b2 55 04 3b 19 58 ee 3c f6 d6 "
+    "39 83 59 6e b3 85 84 4f 85 28 cc 9a 98 65 83 5d "
+    "c5 11 3c 02 b8 0d 0f ca 68 aa 25 e7 2b ca ae b3 "
+    "cf 9d 79 d8 4f 98 4f d4 17 ";
+
+char* signature_14 =
+    "6b d5 25 7a a0 66 11 fb 46 60 08 7c b4 bc 4a 9e"
+    "44 91 59 d3 16 52 bd 98 08 44 da f3 b1 c7 b3 53"
+    "f8 e5 61 42 f7 ea 98 57 43 3b 18 57 3b 4d ee de"
+    "81 8a 93 b0 29 02 97 78 3f 1a 2f 23 cb c7 27 97"
+    "a6 72 53 7f 01 f6 24 84 cd 41 62 c3 21 4b 9a c6"
+    "28 22 4c 5d e0 1f 32 bb 9b 76 b2 73 54 f2 b1 51"
+    "d0 e8 c4 21 3e 46 15 ad 0b c7 1f 51 5e 30 0d 6a"
+    "64 c6 74 34 11 ff fd e8 e5 ff 19 0e 54 92 30 43"
+    "12 6e cf c4 c4 53 90 22 66 8f b6 75 f2 5c 07 e2"
+    "00 99 ee 31 5b 98 d6 af ec 4b 1a 9a 93 dc 33 49"
+    "6a 15 bd 6f de 16 63 a7 d4 9b 9f 1e 63 9d 38 66"
+    "4b 37 a0 10 b1 f3 5e 65 86 82 d9 cd 63 e5 7d e0"
+    "f1 5e 8b dd 09 65 58 f0 7e c0 ca a2 18 a8 c0 6f"
+    "47 88 45 39 40 28 7c 9d 34 b6 d4 0a 3f 09 bf 77"
+    "99 fe 98 ae 4e b4 9f 3f f4 1c 50 40 a5 0c ef c9"
+    "bd f2 39 4b 74 9c f1 64 48 0d f1 ab 68 80 27 3b";
+
+// PKCS#1 v1.5 Signature Example 15.15
+
+char* message_15 =
+    "9b f8 aa 25 3b 87 2e a7 7a 7e 23 47 6b e2 6b 23 "
+    "29 57 8c f6 ac 9e a2 80 5b 35 7f 6f c3 ad 13 0d "
+    "ba eb 3d 86 9a 13 cc e7 a8 08 bb bb c9 69 85 7e "
+    "03 94 5c 7b b6 1d f1 b5 c2 58 9b 8e 04 6c 2a 5d "
+    "7e 40 57 b1 a7 4f 24 c7 11 21 63 64 28 85 29 ec "
+    "95 70 f2 51 97 21 3b e1 f5 c2 e5 96 f8 bf 8b 2c "
+    "f3 cb 38 aa 56 ff e5 e3 1d f7 39 58 20 e9 4e cf "
+    "3b 11 89 a9 65 dc f9 a9 cb 42 98 d3 c8 8b 29 23 "
+    "c1 9f c6 bc 34 aa ce ca d4 e0 93 1a 7c 4e 5d 73 "
+    "dc 86 df a7 98 a8 47 6d 82 46 3e ef aa 90 a8 a9 "
+    "19 2a b0 8b 23 08 8d d5 8e 12 80 f7 d7 2e 45 48 "
+    "39 6b aa c1 12 25 2d d5 c5 34 6a db 20 04 a2 f7 "
+    "10 1c cc 89 9c c7 fa fa e8 bb e2 95 73 88 96 a5 "
+    "b2 01 22 85 01 4e f6 ";
+
+char* signature_15 =
+    "27 f7 f4 da 9b d6 10 10 6e f5 7d 32 38 3a 44 8a"
+    "8a 62 45 c8 3d c1 30 9c 6d 77 0d 35 7b a8 9e 73"
+    "f2 ad 08 32 06 2e b0 fe 0a c9 15 57 5b cd 6b 8b"
+    "ca db 4e 2b a6 fa 9d a7 3a 59 17 51 52 b2 d4 fe"
+    "72 b0 70 c9 b7 37 9e 50 00 0e 55 e6 c2 69 f6 65"
+    "8c 93 79 72 79 7d 3a dd 69 f1 30 e3 4b 85 bd ec"
+    "9f 3a 9b 39 22 02 d6 f3 e4 30 d0 9c ac a8 22 77"
+    "59 ab 82 5f 70 12 d2 ff 4b 5b 62 c8 50 4d ba d8"
+    "55 c0 5e dd 5c ab 5a 4c cc dc 67 f0 1d d6 51 7c"
+    "7d 41 c4 3e 2a 49 57 af f1 9d b6 f1 8b 17 85 9a"
+    "f0 bc 84 ab 67 14 6e c1 a4 a6 0a 17 d7 e0 5f 8b"
+    "4f 9c ed 6a d1 09 08 d8 d7 8f 7f c8 8b 76 ad c8"
+    "29 0f 87 da f2 a7 be 10 ae 40 85 21 39 5d 54 ed"
+    "25 56 fb 76 61 85 4a 73 0c e3 d8 2c 71 a8 d4 93"
+    "ec 49 a3 78 ac 8a 3c 74 43 9f 7c c5 55 ba 13 f8"
+    "59 07 08 90 ee 18 ff 65 8f a4 d7 41 96 9d 70 a5";
+
+// PKCS#1 v1.5 Signature Example 15.16
+
+char* message_16 =
+    "32 47 48 30 e2 20 37 54 c8 bf 06 81 dc 4f 84 2a "
+    "fe 36 09 30 37 86 16 c1 08 e8 33 65 6e 56 40 c8 "
+    "68 56 88 5b b0 5d 1e b9 43 8e fe de 67 92 63 de "
+    "07 cb 39 55 3f 6a 25 e0 06 b0 a5 23 11 a0 63 ca "
+    "08 82 66 d2 56 4f f6 49 0c 46 b5 60 98 18 54 8f "
+    "88 76 4d ad 34 a2 5e 3a 85 d5 75 02 3f 0b 9e 66 "
+    "50 48 a0 3c 35 05 79 a9 d3 24 46 c7 bb 96 cc 92 "
+    "e0 65 ab 94 d3 c8 95 2e 8d f6 8e f0 d9 fa 45 6b "
+    "3a 06 bb 80 e3 bb c4 b2 8e 6a 94 b6 d0 ff 76 96 "
+    "a6 4e fe 05 e7 35 fe a0 25 d7 bd bc 41 39 f3 a3 "
+    "b5 46 07 5c ba 7e fa 94 73 74 d3 f0 ac 80 a6 8d "
+    "76 5f 5d f6 21 0b ca 06 9a 2d 88 64 7a f7 ea 04 "
+    "2d ac 69 0c b5 73 78 ec 07 77 61 4f b8 b6 5f f4 "
+    "53 ca 6b 7d ce 60 98 45 1a 2f 8c 0d a9 bf ec f1 "
+    "fd f3 91 bb aa 4e 2a 91 ca 18 a1 12 1a 75 23 a2 "
+    "ab d4 25 14 f4 89 e8 ";
+
+char* signature_16 =
+    "69 17 43 72 57 c2 2c cb 54 03 29 0c 3d ee 82 d9"
+    "cf 75 50 b3 1b d3 1c 51 bd 57 bf d3 5d 45 2a b4"
+    "db 7c 4b e6 b2 e2 5a c9 a5 9a 1d 2a 7f eb 62 7f"
+    "0a fd 49 76 b3 00 3c c9 cf fd 88 96 50 5e c3 82"
+    "f2 65 10 4d 4c f8 c9 32 fa 9f e8 6e 00 87 07 95"
+    "99 12 38 9d a4 b2 d6 b3 69 b3 6a 5e 72 e2 9d 24"
+    "c9 a9 8c 9d 31 a3 ab 44 e6 43 e6 94 12 66 a4 7a"
+    "45 e3 44 6c e8 77 6a be 24 1a 8f 5f c6 42 3b 24"
+    "b1 ff 25 0d c2 c3 a8 17 23 53 56 10 77 e8 50 a7"
+    "69 b2 5f 03 25 da c8 89 65 a3 b9 b4 72 c4 94 e9"
+    "5f 71 9b 4e ac 33 2c aa 7a 65 c7 df e4 6d 9a a7"
+    "e6 e0 0f 52 5f 30 3d d6 3a b7 91 92 18 90 18 68"
+    "f9 33 7f 8c d2 6a af e6 f3 3b 7f b2 c9 88 10 af"
+    "19 f7 fc b2 82 ba 15 77 91 2c 1d 36 89 75 fd 5d"
+    "44 0b 86 e1 0c 19 97 15 fa 0b 6f 42 50 b5 33 73"
+    "2d 0b ef e1 54 51 50 fc 47 b8 76 de 09 b0 0a 94";
+
+// PKCS#1 v1.5 Signature Example 15.17
+
+char* message_17 =
+    "00 8e 59 50 5e af b5 50 aa e5 e8 45 58 4c eb b0 "
+    "0b 6d e1 73 3e 9f 95 d4 2c 88 2a 5b be b5 ce 1c "
+    "57 e1 19 e7 c0 d4 da ca 9f 1f f7 87 02 17 f7 cf "
+    "d8 a6 b3 73 97 7c ac 9c ab 8e 71 e4 20 ";
+
+char* signature_17 =
+    "92 25 03 b6 73 ee 5f 3e 69 1e 1c a8 5e 9f f4 17"
+    "3c f7 2b 05 ac 2c 13 1d a5 60 35 93 e3 bc 25 9c"
+    "94 c1 f7 d3 a0 6a 5b 98 91 bf 11 3f a3 9e 59 ff"
+    "7c 1e d6 46 5e 90 80 49 cb 89 e4 e1 25 cd 37 d2"
+    "ff d9 22 7a 41 b4 a0 a1 9c 0a 44 fb bf 3d e5 5b"
+    "ab 80 20 87 a3 bb 8d 4f f6 68 ee 6b bb 8a d8 9e"
+    "68 57 a7 9a 9c 72 78 19 90 df cf 92 cd 51 94 04"
+    "c9 50 f1 3d 11 43 c3 18 4f 1d 25 0c 90 e1 7a c6"
+    "ce 36 16 3b 98 95 62 7a d6 ff ec 14 22 44 1f 55"
+    "e4 49 9d ba 9b e8 95 46 ae 8b c6 3c ca 01 dd 08"
+    "46 3a e7 f1 fc e3 d8 93 99 69 38 77 8c 18 12 e6"
+    "74 ad 9c 30 9c 5a cc a3 fd e4 4e 7d d8 69 59 93"
+    "e9 c1 fa 87 ac da 99 ec e5 c8 49 9e 46 89 57 ad"
+    "66 35 9b f1 2a 51 ad be 78 d3 a2 13 b4 49 bf 0b"
+    "5f 8d 4d 49 6a cf 03 d3 03 3b 7c cd 19 6b c2 2f"
+    "68 fb 7b ef 4f 69 7c 5e a2 b3 50 62 f4 8a 36 dd";
+
+// PKCS#1 v1.5 Signature Example 15.18
+
+char* message_18 =
+    "6a bc 54 cf 8d 1d ff 1f 53 b1 7d 81 60 36 88 78 "
+    "a8 78 8c c6 d2 2f a5 c2 25 8c 88 e6 60 b0 9a 89 "
+    "33 f9 f2 c0 50 4d da dc 21 f6 e7 5e 0b 83 3b eb "
+    "55 52 29 de e6 56 b9 04 7b 92 f6 2e 76 b8 ff cc "
+    "60 da b0 6b 80 ";
+
+char* signature_18 =
+    "0b 6d af 42 f7 a8 62 14 7e 41 74 93 c2 c4 01 ef"
+    "ae 32 63 6a b4 cb d4 41 92 bb f5 f1 95 b5 0a e0"
+    "96 a4 75 a1 61 4f 0a 9f a8 f7 a0 26 cb 46 c6 50"
+    "6e 51 8e 33 d8 3e 56 47 7a 87 5a ca 8c 7e 71 4c"
+    "e1 bd bd 61 ef 5d 53 52 39 b3 3f 2b fd d6 17 71"
+    "ba b6 27 76 d7 81 71 a1 42 3c ea 87 31 f8 2e 60"
+    "76 6d 64 54 26 56 20 b1 5f 5c 5a 58 4f 55 f9 5b"
+    "80 2f e7 8c 57 4e d5 da cf c8 31 f3 cf 2b 05 02"
+    "c0 b2 98 f2 5c cf 11 f9 73 b3 1f 85 e4 74 42 19"
+    "85 f3 cf f7 02 df 39 46 ef 0a 66 05 68 21 11 b2"
+    "f5 5b 1f 8a b0 d2 ea 3a 68 3c 69 98 5e ad 93 ed"
+    "44 9e a4 8f 03 58 dd f7 08 02 cb 41 de 2f d8 3f"
+    "3c 80 80 82 d8 49 36 94 8e 0c 84 a1 31 b4 92 78"
+    "27 46 05 27 bb 5c d2 4b fa b7 b4 8e 07 1b 24 17"
+    "19 30 f9 97 63 27 2f 97 97 bc b7 6f 1d 24 81 57"
+    "55 58 fc f2 60 b1 f0 e5 54 eb b3 df 3c fc b9 58";
+
+// PKCS#1 v1.5 Signature Example 15.19
+
+char* message_19 =
+    "af 2d 78 15 2c f1 0e fe 01 d2 74 f2 17 b1 77 f6 "
+    "b0 1b 5e 74 9f 15 67 71 5d a3 24 85 9c d3 dd 88 "
+    "db 84 8e c7 9f 48 db ba 7b 6f 1d 33 11 1e f3 1b "
+    "64 89 9e 73 91 c2 bf fd 69 f4 90 25 cf 20 1f c5 "
+    "85 db d1 54 2c 1c 77 8a 2c e7 a7 ee 10 8a 30 9f "
+    "ec a2 6d 13 3a 5f fe dc 4e 86 9d cd 76 56 59 6a "
+    "c8 42 7e a3 ef 6e 3f d7 8f e9 9d 8d dc 71 d8 39 "
+    "f6 78 6e 0d a6 e7 86 bd 62 b3 a4 f1 9b 89 1a 56 "
+    "15 7a 55 4e c2 a2 b3 9e 25 a1 d7 c7 d3 73 21 c7 "
+    "a1 d9 46 cf 4f be 75 8d 92 76 f0 85 63 44 9d 67 "
+    "41 4a 2c 03 0f 42 51 cf e2 21 3d 04 a5 41 06 37 "
+    "87 ";
+
+char* signature_19 =
+    "20 9c 61 15 78 57 38 7b 71 e2 4b f3 dd 56 41 45"
+    "50 50 3b ec 18 0f f5 3b dd 9b ac 06 2a 2d 49 95"
+    "09 bf 99 12 81 b7 95 27 df 91 36 61 5b 7a 6d 9d"
+    "b3 a1 03 b5 35 e0 20 2a 2c ac a1 97 a7 b7 4e 53"
+    "56 f3 dd 59 5b 49 ac fd 9d 30 04 9a 98 ca 88 f6"
+    "25 bc a1 d5 f2 2a 39 2d 8a 74 9e fb 6e ed 9b 78"
+    "21 d3 11 0a c0 d2 44 19 9e cb 4a a3 d7 35 a8 3a"
+    "2e 88 93 c6 bf 85 81 38 3c ca ee 83 46 35 b7 fa"
+    "1f af fa 45 b1 3d 15 c1 da 33 af 71 e8 93 03 d6"
+    "80 90 ff 62 ee 61 5f df 5a 84 d1 20 71 1d a5 3c"
+    "28 89 19 8a b3 83 17 a9 73 4a b2 7d 67 92 4c ea"
+    "74 15 6f f9 9b ef 98 76 bb 5c 33 9e 93 74 52 83"
+    "e1 b3 4e 07 22 26 b8 80 45 e0 17 e9 f0 5b 2a 8c"
+    "41 67 40 25 8e 22 3b 26 90 02 74 91 73 22 73 f3"
+    "22 9d 9e f2 b1 b3 80 7e 32 10 18 92 0a d3 e5 3d"
+    "ae 47 e6 d9 39 5c 18 4b 93 a3 74 c6 71 fa a2 ce";
+
+// PKCS#1 v1.5 Signature Example 15.20
+
+char* message_20 =
+    "40 ee 99 24 58 d6 f6 14 86 d2 56 76 a9 6d d2 cb "
+    "93 a3 7f 04 b1 78 48 2f 2b 18 6c f8 82 15 27 0d "
+    "ba 29 d7 86 d7 74 b0 c5 e7 8c 7f 6e 56 a9 56 e7 "
+    "f7 39 50 a2 b0 c0 c1 0a 08 db cd 67 e5 b2 10 bb "
+    "21 c5 8e 27 67 d4 4f 7d d4 01 4e 39 66 14 3b f7 "
+    "e3 d6 6f f0 c0 9b e4 c5 5f 93 b3 99 94 b8 51 8d "
+    "9c 1d 76 d5 b4 73 74 de a0 8f 15 7d 57 d7 06 34 "
+    "97 8f 38 56 e0 e5 b4 81 af bb db 5a 3a c4 8d 48 "
+    "4b e9 2c 93 de 22 91 78 35 4c 2d e5 26 e9 c6 5a "
+    "31 ed e1 ef 68 cb 63 98 d7 91 16 84 fe c0 ba bc "
+    "3a 78 1a 66 66 07 83 50 69 74 d0 e1 48 25 10 1c "
+    "3b fa ea ";
+
+char* signature_20 =
+    "92 75 02 b8 24 af c4 25 13 ca 65 70 de 33 8b 8a"
+    "64 c3 a8 5e b8 28 d3 19 36 24 f2 7e 8b 10 29 c5"
+    "5c 11 9c 97 33 b1 8f 58 49 b3 50 09 18 bc c0 05"
+    "51 d9 a8 fd f5 3a 97 74 9f a8 dc 48 0d 6f e9 74"
+    "2a 58 71 f9 73 92 65 28 97 2a 1a f4 9e 39 25 b0"
+    "ad f1 4a 84 27 19 b4 a5 a2 d8 9f a9 c0 b6 60 5d"
+    "21 2b ed 1e 67 23 b9 34 06 ad 30 e8 68 29 a5 c7"
+    "19 b8 90 b3 89 30 6d c5 50 64 86 ee 2f 36 a8 df"
+    "e0 a9 6a f6 78 c9 cb d6 af f3 97 ca 20 0e 3e dc"
+    "1e 36 bd 2f 08 b3 1d 54 0c 0c b2 82 a9 55 9e 4a"
+    "dd 4f c9 e6 49 2e ed 0c cb d3 a6 98 2e 5f aa 2d"
+    "dd 17 be 47 41 7c 80 b4 e5 45 2d 31 f7 24 01 a0"
+    "42 32 51 09 54 4d 95 4c 01 93 90 79 d4 09 a5 c3"
+    "78 d7 51 2d fc 2d 2a 71 ef cc 34 32 a7 65 d1 c6"
+    "a5 2c fc e8 99 cd 79 b1 5b 4f c3 72 36 41 ef 6b"
+    "d0 0a cc 10 40 7e 5d f5 8d d1 c3 c5 c5 59 a5 06";
+
+
+unsigned char* parsehex(char* str, int* len) {
+    // result can't be longer than input
+    unsigned char* result = malloc(strlen(str));
+
+    unsigned char* p = result;
+    *len = 0;
+
+    while (*str) {
+        int b;
+
+        while (isspace(*str)) str++;
+
+        switch (*str) {
+            case '0': case '1': case '2': case '3': case '4':
+            case '5': case '6': case '7': case '8': case '9':
+                b = (*str - '0') << 4; break;
+            case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
+                b = (*str - 'a' + 10) << 4; break;
+            case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
+                b = (*str - 'A' + 10) << 4; break;
+            case '\0':
+                return result;
+            default:
+                return NULL;
+        }
+        str++;
+
+        while (isspace(*str)) str++;
+
+        switch (*str) {
+            case '0': case '1': case '2': case '3': case '4':
+            case '5': case '6': case '7': case '8': case '9':
+                b |= *str - '0'; break;
+            case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
+                b |= *str - 'a' + 10; break;
+            case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
+                b |= *str - 'A' + 10; break;
+            default:
+                return NULL;
+        }
+        str++;
+
+        *p++ = b;
+        ++*len;
+    }
+
+    return result;
+}
+
+
+int main(int arg __unused, char** argv __unused) {
+
+    unsigned char hash[SHA_DIGEST_SIZE];
+
+    unsigned char* message;
+    int mlen;
+    unsigned char* signature;
+    int slen;
+
+#define TEST_MESSAGE(n) do {\
+    message = parsehex(message_##n, &mlen); \
+    SHA_hash(message, mlen, hash); \
+    signature = parsehex(signature_##n, &slen); \
+    int result = RSA_verify(&key_15, signature, slen, hash, sizeof(hash)); \
+    printf("message %d: %s\n", n, result ? "verified" : "not verified"); \
+    success = success && result; \
+    } while(0)
+
+    int success = 1;
+
+    TEST_MESSAGE(1);
+    TEST_MESSAGE(2);
+    TEST_MESSAGE(3);
+    TEST_MESSAGE(4);
+    TEST_MESSAGE(5);
+    TEST_MESSAGE(6);
+    TEST_MESSAGE(7);
+    TEST_MESSAGE(8);
+    TEST_MESSAGE(9);
+    TEST_MESSAGE(10);
+    TEST_MESSAGE(11);
+    TEST_MESSAGE(12);
+    TEST_MESSAGE(13);
+    TEST_MESSAGE(14);
+    TEST_MESSAGE(15);
+    TEST_MESSAGE(16);
+    TEST_MESSAGE(17);
+    TEST_MESSAGE(18);
+    TEST_MESSAGE(19);
+    TEST_MESSAGE(20);
+
+    printf("\n%s\n\n", success ? "PASS" : "FAIL");
+
+    return !success;
+}
diff --git a/libmincrypt/tools/Android.mk b/libmincrypt/tools/Android.mk
new file mode 100644
index 0000000..3154914
--- /dev/null
+++ b/libmincrypt/tools/Android.mk
@@ -0,0 +1,22 @@
+# Copyright (C) 2008 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := dumpkey
+LOCAL_SRC_FILES := DumpPublicKey.java
+LOCAL_JAR_MANIFEST := DumpPublicKey.mf
+LOCAL_STATIC_JAVA_LIBRARIES := bouncycastle-host
+include $(BUILD_HOST_JAVA_LIBRARY)
diff --git a/libmincrypt/tools/DumpPublicKey.java b/libmincrypt/tools/DumpPublicKey.java
new file mode 100644
index 0000000..3eb1398
--- /dev/null
+++ b/libmincrypt/tools/DumpPublicKey.java
@@ -0,0 +1,270 @@
+/*
+ * Copyright (C) 2008 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.dumpkey;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import java.io.FileInputStream;
+import java.math.BigInteger;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.KeyStore;
+import java.security.Key;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.ECPoint;
+
+/**
+ * Command line tool to extract RSA public keys from X.509 certificates
+ * and output source code with data initializers for the keys.
+ * @hide
+ */
+class DumpPublicKey {
+    /**
+     * @param key to perform sanity checks on
+     * @return version number of key.  Supported versions are:
+     *     1: 2048-bit RSA key with e=3 and SHA-1 hash
+     *     2: 2048-bit RSA key with e=65537 and SHA-1 hash
+     *     3: 2048-bit RSA key with e=3 and SHA-256 hash
+     *     4: 2048-bit RSA key with e=65537 and SHA-256 hash
+     * @throws Exception if the key has the wrong size or public exponent
+     */
+    static int checkRSA(RSAPublicKey key, boolean useSHA256) throws Exception {
+        BigInteger pubexp = key.getPublicExponent();
+        BigInteger modulus = key.getModulus();
+        int version;
+
+        if (pubexp.equals(BigInteger.valueOf(3))) {
+            version = useSHA256 ? 3 : 1;
+        } else if (pubexp.equals(BigInteger.valueOf(65537))) {
+            version = useSHA256 ? 4 : 2;
+        } else {
+            throw new Exception("Public exponent should be 3 or 65537 but is " +
+                                pubexp.toString(10) + ".");
+        }
+
+        if (modulus.bitLength() != 2048) {
+             throw new Exception("Modulus should be 2048 bits long but is " +
+                        modulus.bitLength() + " bits.");
+        }
+
+        return version;
+    }
+
+    /**
+     * @param key to perform sanity checks on
+     * @return version number of key.  Supported versions are:
+     *     5: 256-bit EC key with curve NIST P-256
+     * @throws Exception if the key has the wrong size or public exponent
+     */
+    static int checkEC(ECPublicKey key) throws Exception {
+        if (key.getParams().getCurve().getField().getFieldSize() != 256) {
+            throw new Exception("Curve must be NIST P-256");
+        }
+
+        return 5;
+    }
+
+    /**
+     * Perform sanity check on public key.
+     */
+    static int check(PublicKey key, boolean useSHA256) throws Exception {
+        if (key instanceof RSAPublicKey) {
+            return checkRSA((RSAPublicKey) key, useSHA256);
+        } else if (key instanceof ECPublicKey) {
+            if (!useSHA256) {
+                throw new Exception("Must use SHA-256 with EC keys!");
+            }
+            return checkEC((ECPublicKey) key);
+        } else {
+            throw new Exception("Unsupported key class: " + key.getClass().getName());
+        }
+    }
+
+    /**
+     * @param key to output
+     * @return a String representing this public key.  If the key is a
+     *    version 1 key, the string will be a C initializer; this is
+     *    not true for newer key versions.
+     */
+    static String printRSA(RSAPublicKey key, boolean useSHA256) throws Exception {
+        int version = check(key, useSHA256);
+
+        BigInteger N = key.getModulus();
+
+        StringBuilder result = new StringBuilder();
+
+        int nwords = N.bitLength() / 32;    // # of 32 bit integers in modulus
+
+        if (version > 1) {
+            result.append("v");
+            result.append(Integer.toString(version));
+            result.append(" ");
+        }
+
+        result.append("{");
+        result.append(nwords);
+
+        BigInteger B = BigInteger.valueOf(0x100000000L);  // 2^32
+        BigInteger N0inv = B.subtract(N.modInverse(B));   // -1 / N[0] mod 2^32
+
+        result.append(",0x");
+        result.append(N0inv.toString(16));
+
+        BigInteger R = BigInteger.valueOf(2).pow(N.bitLength());
+        BigInteger RR = R.multiply(R).mod(N);    // 2^4096 mod N
+
+        // Write out modulus as little endian array of integers.
+        result.append(",{");
+        for (int i = 0; i < nwords; ++i) {
+            long n = N.mod(B).longValue();
+            result.append(n);
+
+            if (i != nwords - 1) {
+                result.append(",");
+            }
+
+            N = N.divide(B);
+        }
+        result.append("}");
+
+        // Write R^2 as little endian array of integers.
+        result.append(",{");
+        for (int i = 0; i < nwords; ++i) {
+            long rr = RR.mod(B).longValue();
+            result.append(rr);
+
+            if (i != nwords - 1) {
+                result.append(",");
+            }
+
+            RR = RR.divide(B);
+        }
+        result.append("}");
+
+        result.append("}");
+        return result.toString();
+    }
+
+    /**
+     * @param key to output
+     * @return a String representing this public key.  If the key is a
+     *    version 1 key, the string will be a C initializer; this is
+     *    not true for newer key versions.
+     */
+    static String printEC(ECPublicKey key) throws Exception {
+        int version = checkEC(key);
+
+        StringBuilder result = new StringBuilder();
+
+        result.append("v");
+        result.append(Integer.toString(version));
+        result.append(" ");
+
+        BigInteger X = key.getW().getAffineX();
+        BigInteger Y = key.getW().getAffineY();
+        int nbytes = key.getParams().getCurve().getField().getFieldSize() / 8;    // # of 32 bit integers in X coordinate
+
+        result.append("{");
+        result.append(nbytes);
+
+        BigInteger B = BigInteger.valueOf(0x100L);  // 2^8
+
+        // Write out Y coordinate as array of characters.
+        result.append(",{");
+        for (int i = 0; i < nbytes; ++i) {
+            long n = X.mod(B).longValue();
+            result.append(n);
+
+            if (i != nbytes - 1) {
+                result.append(",");
+            }
+
+            X = X.divide(B);
+        }
+        result.append("}");
+
+        // Write out Y coordinate as array of characters.
+        result.append(",{");
+        for (int i = 0; i < nbytes; ++i) {
+            long n = Y.mod(B).longValue();
+            result.append(n);
+
+            if (i != nbytes - 1) {
+                result.append(",");
+            }
+
+            Y = Y.divide(B);
+        }
+        result.append("}");
+
+        result.append("}");
+        return result.toString();
+    }
+
+    static String print(PublicKey key, boolean useSHA256) throws Exception {
+        if (key instanceof RSAPublicKey) {
+            return printRSA((RSAPublicKey) key, useSHA256);
+        } else if (key instanceof ECPublicKey) {
+            return printEC((ECPublicKey) key);
+        } else {
+            throw new Exception("Unsupported key class: " + key.getClass().getName());
+        }
+    }
+
+    public static void main(String[] args) {
+        if (args.length < 1) {
+            System.err.println("Usage: DumpPublicKey certfile ... > source.c");
+            System.exit(1);
+        }
+        Security.addProvider(new BouncyCastleProvider());
+        try {
+            for (int i = 0; i < args.length; i++) {
+                FileInputStream input = new FileInputStream(args[i]);
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
+
+                boolean useSHA256 = false;
+                String sigAlg = cert.getSigAlgName();
+                if ("SHA1withRSA".equals(sigAlg) || "MD5withRSA".equals(sigAlg)) {
+                    // SignApk has historically accepted "MD5withRSA"
+                    // certificates, but treated them as "SHA1withRSA"
+                    // anyway.  Continue to do so for backwards
+                    // compatibility.
+                  useSHA256 = false;
+                } else if ("SHA256withRSA".equals(sigAlg) || "SHA256withECDSA".equals(sigAlg)) {
+                  useSHA256 = true;
+                } else {
+                  System.err.println(args[i] + ": unsupported signature algorithm \"" +
+                                     sigAlg + "\"");
+                  System.exit(1);
+                }
+
+                PublicKey key = cert.getPublicKey();
+                check(key, useSHA256);
+                System.out.print(print(key, useSHA256));
+                System.out.println(i < args.length - 1 ? "," : "");
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+            System.exit(1);
+        }
+        System.exit(0);
+    }
+}
diff --git a/libmincrypt/tools/DumpPublicKey.mf b/libmincrypt/tools/DumpPublicKey.mf
new file mode 100644
index 0000000..7bb3bc8
--- /dev/null
+++ b/libmincrypt/tools/DumpPublicKey.mf
@@ -0,0 +1 @@
+Main-Class: com.android.dumpkey.DumpPublicKey