Simon Josefsson simon@josefsson.org writes:
> Please release 3.9 before looking at this! :-)
> This adds DRBG-CTR-AES256, what do you think?
I've merged this onto a branch add-drbg-ctr-aes256. I've made some additional changes: used union nettle_block16 where that made sense, renamed Key -> key, fixed a typo in testsuite/Makefile, and extracted the output logic into its own helper function.
It could be optimized to call aes256_encrypt with more than one block at a time, when possible, but probably not worth the extra complexity.
Please have a look.
For your sntrup761 patch that depends on this, will you be doing any more work on that in the near future? In the meantime, I've reworked the testing for side-channel silence, so it should be rather straightforward to add such tests for sntrup761.
Regards, /Niels
nettle-bugs@lists.lysator.liu.se