BearSSL
bearssl_hash.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #ifndef BR_BEARSSL_HASH_H__
26 #define BR_BEARSSL_HASH_H__
27 
28 #include <stddef.h>
29 #include <stdint.h>
30 #include <string.h>
31 
32 #ifdef __cplusplus
33 extern "C" {
34 #endif
35 
36 /** \file bearssl_hash.h
37  *
38  * # Hash Functions
39  *
40  * This file documents the API for hash functions.
41  *
42  *
43  * ## Procedural API
44  *
45  * For each implemented hash function, of name "`xxx`", the following
46  * elements are defined:
47  *
48  * - `br_xxx_vtable`
49  *
50  * An externally defined instance of `br_hash_class`.
51  *
52  * - `br_xxx_SIZE`
53  *
54  * A macro that evaluates to the output size (in bytes) of the
55  * hash function.
56  *
57  * - `br_xxx_ID`
58  *
59  * A macro that evaluates to a symbolic identifier for the hash
60  * function. Such identifiers are used with HMAC and signature
61  * algorithm implementations.
62  *
63  * NOTE: for the "standard" hash functions defined in [the TLS
64  * standard](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1),
65  * the symbolic identifiers match the constants used in TLS, i.e.
66  * 1 to 6 for MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512,
67  * respectively.
68  *
69  * - `br_xxx_context`
70  *
71  * Context for an ongoing computation. It is allocated by the
72  * caller, and a pointer to it is passed to all functions. A
73  * context contains no interior pointer, so it can be moved around
74  * and cloned (with a simple `memcpy()` or equivalent) in order to
75  * capture the function state at some point. Computations that use
76  * distinct context structures are independent of each other. The
77  * first field of `br_xxx_context` is always a pointer to the
78  * `br_xxx_vtable` structure; `br_xxx_init()` sets that pointer.
79  *
80  * - `br_xxx_init(br_xxx_context *ctx)`
81  *
82  * Initialise the provided context. Previous contents of the structure
83  * are ignored. This calls resets the context to the start of a new
84  * hash computation; it also sets the first field of the context
85  * structure (called `vtable`) to a pointer to the statically
86  * allocated constant `br_xxx_vtable` structure.
87  *
88  * - `br_xxx_update(br_xxx_context *ctx, const void *data, size_t len)`
89  *
90  * Add some more bytes to the hash computation represented by the
91  * provided context.
92  *
93  * - `br_xxx_out(const br_xxx_context *ctx, void *out)`
94  *
95  * Complete the hash computation and write the result in the provided
96  * buffer. The output buffer MUST be large enough to accommodate the
97  * result. The context is NOT modified by this operation, so this
98  * function can be used to get a "partial hash" while still keeping
99  * the possibility of adding more bytes to the input.
100  *
101  * - `br_xxx_state(const br_xxx_context *ctx, void *out)`
102  *
103  * Get a copy of the "current state" for the computation so far. For
104  * MD functions (MD5, SHA-1, SHA-2 family), this is the running state
105  * resulting from the processing of the last complete input block.
106  * Returned value is the current input length (in bytes).
107  *
108  * - `br_xxx_set_state(br_xxx_context *ctx, const void *stb, uint64_t count)`
109  *
110  * Set the internal state to the provided values. The 'stb' and
111  * 'count' values shall match that which was obtained from
112  * `br_xxx_state()`. This restores the hash state only if the state
113  * values were at an appropriate block boundary. This does NOT set
114  * the `vtable` pointer in the context.
115  *
116  * Context structures can be discarded without any explicit deallocation.
117  * Hash function implementations are purely software and don't reserve
118  * any resources outside of the context structure itself.
119  *
120  *
121  * ## Object-Oriented API
122  *
123  * For each hash function that follows the procedural API described
124  * above, an object-oriented API is also provided. In that API, function
125  * pointers from the vtable (`br_xxx_vtable`) are used. The vtable
126  * incarnates object-oriented programming. An introduction on the OOP
127  * concept used here can be read on the BearSSL Web site:<br />
128  * &nbsp;&nbsp;&nbsp;[https://www.bearssl.org/oop.html](https://www.bearssl.org/oop.html)
129  *
130  * The vtable offers functions called `init()`, `update()`, `out()`,
131  * `set()` and `set_state()`, which are in fact the functions from
132  * the procedural API. That vtable also contains two informative fields:
133  *
134  * - `context_size`
135  *
136  * The size of the context structure (`br_xxx_context`), in bytes.
137  * This can be used by generic implementations to perform dynamic
138  * context allocation.
139  *
140  * - `desc`
141  *
142  * A "descriptor" field that encodes some information on the hash
143  * function: symbolic identifier, output size, state size,
144  * internal block size, details on the padding.
145  *
146  * Users of this object-oriented API (in particular generic HMAC
147  * implementations) may make the following assumptions:
148  *
149  * - Hash output size is no more than 64 bytes.
150  * - Hash internal state size is no more than 64 bytes.
151  * - Internal block size is a power of two, no less than 16 and no more
152  * than 256.
153  *
154  *
155  * ## Implemented Hash Functions
156  *
157  * Implemented hash functions are:
158  *
159  * | Function | Name | Output length | State length |
160  * | :-------- | :------ | :-----------: | :----------: |
161  * | MD5 | md5 | 16 | 16 |
162  * | SHA-1 | sha1 | 20 | 20 |
163  * | SHA-224 | sha224 | 28 | 32 |
164  * | SHA-256 | sha256 | 32 | 32 |
165  * | SHA-384 | sha384 | 48 | 64 |
166  * | SHA-512 | sha512 | 64 | 64 |
167  * | MD5+SHA-1 | md5sha1 | 36 | 36 |
168  *
169  * (MD5+SHA-1 is the concatenation of MD5 and SHA-1 computed over the
170  * same input; in the implementation, the internal data buffer is
171  * shared, thus making it more memory-efficient than separate MD5 and
172  * SHA-1. It can be useful in implementing SSL 3.0, TLS 1.0 and TLS
173  * 1.1.)
174  *
175  *
176  * ## Multi-Hasher
177  *
178  * An aggregate hasher is provided, that can compute several standard
179  * hash functions in parallel. It uses `br_multihash_context` and a
180  * procedural API. It is configured with the implementations (the vtables)
181  * that it should use; it will then compute all these hash functions in
182  * parallel, on the same input. It is meant to be used in cases when the
183  * hash of an object will be used, but the exact hash function is not
184  * known yet (typically, streamed processing on X.509 certificates).
185  *
186  * Only the standard hash functions (MD5, SHA-1, SHA-224, SHA-256, SHA-384
187  * and SHA-512) are supported by the multi-hasher.
188  *
189  *
190  * ## GHASH
191  *
192  * GHASH is not a generic hash function; it is a _universal_ hash function,
193  * which, as the name does not say, means that it CANNOT be used in most
194  * places where a hash function is needed. GHASH is used within the GCM
195  * encryption mode, to provide the checked integrity functionality.
196  *
197  * A GHASH implementation is basically a function that uses the type defined
198  * in this file under the name `br_ghash`:
199  *
200  * typedef void (*br_ghash)(void *y, const void *h, const void *data, size_t len);
201  *
202  * The `y` pointer refers to a 16-byte value which is used as input, and
203  * receives the output of the GHASH invocation. `h` is a 16-byte secret
204  * value (that serves as key). `data` and `len` define the input data.
205  *
206  * Three GHASH implementations are provided, all constant-time, based on
207  * the use of integer multiplications with appropriate masking to cancel
208  * carry propagation.
209  */
210 
211 /**
212  * \brief Class type for hash function implementations.
213  *
214  * A `br_hash_class` instance references the methods implementing a hash
215  * function. Constant instances of this structure are defined for each
216  * implemented hash function. Such instances are also called "vtables".
217  *
218  * Vtables are used to support object-oriented programming, as
219  * described on [the BearSSL Web site](https://www.bearssl.org/oop.html).
220  */
221 typedef struct br_hash_class_ br_hash_class;
223  /**
224  * \brief Size (in bytes) of the context structure appropriate for
225  * computing this hash function.
226  */
227  size_t context_size;
228 
229  /**
230  * \brief Descriptor word that contains information about the hash
231  * function.
232  *
233  * For each word `xxx` described below, use `BR_HASHDESC_xxx_OFF`
234  * and `BR_HASHDESC_xxx_MASK` to access the specific value, as
235  * follows:
236  *
237  * (hf->desc >> BR_HASHDESC_xxx_OFF) & BR_HASHDESC_xxx_MASK
238  *
239  * The defined elements are:
240  *
241  * - `ID`: the symbolic identifier for the function, as defined
242  * in [TLS](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1)
243  * (MD5 = 1, SHA-1 = 2,...).
244  *
245  * - `OUT`: hash output size, in bytes.
246  *
247  * - `STATE`: internal running state size, in bytes.
248  *
249  * - `LBLEN`: base-2 logarithm for the internal block size, as
250  * defined for HMAC processing (this is 6 for MD5, SHA-1, SHA-224
251  * and SHA-256, since these functions use 64-byte blocks; for
252  * SHA-384 and SHA-512, this is 7, corresponding to their
253  * 128-byte blocks).
254  *
255  * The descriptor may contain a few other flags.
256  */
257  uint32_t desc;
258 
259  /**
260  * \brief Initialisation method.
261  *
262  * This method takes as parameter a pointer to a context area,
263  * that it initialises. The first field of the context is set
264  * to this vtable; other elements are initialised for a new hash
265  * computation.
266  *
267  * \param ctx pointer to (the first field of) the context.
268  */
269  void (*init)(const br_hash_class **ctx);
270 
271  /**
272  * \brief Data injection method.
273  *
274  * The `len` bytes starting at address `data` are injected into
275  * the running hash computation incarnated by the specified
276  * context. The context is updated accordingly. It is allowed
277  * to have `len == 0`, in which case `data` is ignored (and could
278  * be `NULL`), and nothing happens.
279  * on the input data.
280  *
281  * \param ctx pointer to (the first field of) the context.
282  * \param data pointer to the first data byte to inject.
283  * \param len number of bytes to inject.
284  */
285  void (*update)(const br_hash_class **ctx, const void *data, size_t len);
286 
287  /**
288  * \brief Produce hash output.
289  *
290  * The hash output corresponding to all data bytes injected in the
291  * context since the last `init()` call is computed, and written
292  * in the buffer pointed to by `dst`. The hash output size depends
293  * on the implemented hash function (e.g. 16 bytes for MD5).
294  * The context is _not_ modified by this call, so further bytes
295  * may be afterwards injected to continue the current computation.
296  *
297  * \param ctx pointer to (the first field of) the context.
298  * \param dst destination buffer for the hash output.
299  */
300  void (*out)(const br_hash_class *const *ctx, void *dst);
301 
302  /**
303  * \brief Get running state.
304  *
305  * This method saves the current running state into the `dst`
306  * buffer. What constitutes the "running state" depends on the
307  * hash function; for Merkle-Damg√•rd hash functions (like
308  * MD5 or SHA-1), this is the output obtained after processing
309  * each block. The number of bytes injected so far is returned.
310  * The context is not modified by this call.
311  *
312  * \param ctx pointer to (the first field of) the context.
313  * \param dst destination buffer for the state.
314  * \return the injected total byte length.
315  */
316  uint64_t (*state)(const br_hash_class *const *ctx, void *dst);
317 
318  /**
319  * \brief Set running state.
320  *
321  * This methods replaces the running state for the function.
322  *
323  * \param ctx pointer to (the first field of) the context.
324  * \param stb source buffer for the state.
325  * \param count injected total byte length.
326  */
327  void (*set_state)(const br_hash_class **ctx,
328  const void *stb, uint64_t count);
329 };
330 
331 #ifndef BR_DOXYGEN_IGNORE
332 #define BR_HASHDESC_ID(id) ((uint32_t)(id) << BR_HASHDESC_ID_OFF)
333 #define BR_HASHDESC_ID_OFF 0
334 #define BR_HASHDESC_ID_MASK 0xFF
335 
336 #define BR_HASHDESC_OUT(size) ((uint32_t)(size) << BR_HASHDESC_OUT_OFF)
337 #define BR_HASHDESC_OUT_OFF 8
338 #define BR_HASHDESC_OUT_MASK 0x7F
339 
340 #define BR_HASHDESC_STATE(size) ((uint32_t)(size) << BR_HASHDESC_STATE_OFF)
341 #define BR_HASHDESC_STATE_OFF 15
342 #define BR_HASHDESC_STATE_MASK 0xFF
343 
344 #define BR_HASHDESC_LBLEN(ls) ((uint32_t)(ls) << BR_HASHDESC_LBLEN_OFF)
345 #define BR_HASHDESC_LBLEN_OFF 23
346 #define BR_HASHDESC_LBLEN_MASK 0x0F
347 
348 #define BR_HASHDESC_MD_PADDING ((uint32_t)1 << 28)
349 #define BR_HASHDESC_MD_PADDING_128 ((uint32_t)1 << 29)
350 #define BR_HASHDESC_MD_PADDING_BE ((uint32_t)1 << 30)
351 #endif
352 
353 /*
354  * Specific hash functions.
355  *
356  * Rules for contexts:
357  * -- No interior pointer.
358  * -- No pointer to external dynamically allocated resources.
359  * -- First field is called 'vtable' and is a pointer to a
360  * const-qualified br_hash_class instance (pointer is set by init()).
361  * -- SHA-224 and SHA-256 contexts are identical.
362  * -- SHA-384 and SHA-512 contexts are identical.
363  *
364  * Thus, contexts can be moved and cloned to capture the hash function
365  * current state; and there is no need for any explicit "release" function.
366  */
367 
368 /**
369  * \brief Symbolic identifier for MD5.
370  */
371 #define br_md5_ID 1
372 
373 /**
374  * \brief MD5 output size (in bytes).
375  */
376 #define br_md5_SIZE 16
377 
378 /**
379  * \brief Constant vtable for MD5.
380  */
381 extern const br_hash_class br_md5_vtable;
382 
383 /**
384  * \brief MD5 context.
385  *
386  * First field is a pointer to the vtable; it is set by the initialisation
387  * function. Other fields are not supposed to be accessed by user code.
388  */
389 typedef struct {
390  /**
391  * \brief Pointer to vtable for this context.
392  */
393  const br_hash_class *vtable;
394 #ifndef BR_DOXYGEN_IGNORE
395  unsigned char buf[64];
396  uint64_t count;
397  uint32_t val[4];
398 #endif
400 
401 /**
402  * \brief MD5 context initialisation.
403  *
404  * This function initialises or resets a context for a new MD5
405  * computation. It also sets the vtable pointer.
406  *
407  * \param ctx pointer to the context structure.
408  */
409 void br_md5_init(br_md5_context *ctx);
410 
411 /**
412  * \brief Inject some data bytes in a running MD5 computation.
413  *
414  * The provided context is updated with some data bytes. If the number
415  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
416  * and may be `NULL`, and this function does nothing.
417  *
418  * \param ctx pointer to the context structure.
419  * \param data pointer to the injected data.
420  * \param len injected data length (in bytes).
421  */
422 void br_md5_update(br_md5_context *ctx, const void *data, size_t len);
423 
424 /**
425  * \brief Compute MD5 output.
426  *
427  * The MD5 output for the concatenation of all bytes injected in the
428  * provided context since the last initialisation or reset call, is
429  * computed and written in the buffer pointed to by `out`. The context
430  * itself is not modified, so extra bytes may be injected afterwards
431  * to continue that computation.
432  *
433  * \param ctx pointer to the context structure.
434  * \param out destination buffer for the hash output.
435  */
436 void br_md5_out(const br_md5_context *ctx, void *out);
437 
438 /**
439  * \brief Save MD5 running state.
440  *
441  * The running state for MD5 (output of the last internal block
442  * processing) is written in the buffer pointed to by `out`. The
443  * number of bytes injected since the last initialisation or reset
444  * call is returned. The context is not modified.
445  *
446  * \param ctx pointer to the context structure.
447  * \param out destination buffer for the running state.
448  * \return the injected total byte length.
449  */
450 uint64_t br_md5_state(const br_md5_context *ctx, void *out);
451 
452 /**
453  * \brief Restore MD5 running state.
454  *
455  * The running state for MD5 is set to the provided values.
456  *
457  * \param ctx pointer to the context structure.
458  * \param stb source buffer for the running state.
459  * \param count the injected total byte length.
460  */
461 void br_md5_set_state(br_md5_context *ctx, const void *stb, uint64_t count);
462 
463 /**
464  * \brief Symbolic identifier for SHA-1.
465  */
466 #define br_sha1_ID 2
467 
468 /**
469  * \brief SHA-1 output size (in bytes).
470  */
471 #define br_sha1_SIZE 20
472 
473 /**
474  * \brief Constant vtable for SHA-1.
475  */
476 extern const br_hash_class br_sha1_vtable;
477 
478 /**
479  * \brief SHA-1 context.
480  *
481  * First field is a pointer to the vtable; it is set by the initialisation
482  * function. Other fields are not supposed to be accessed by user code.
483  */
484 typedef struct {
485  /**
486  * \brief Pointer to vtable for this context.
487  */
488  const br_hash_class *vtable;
489 #ifndef BR_DOXYGEN_IGNORE
490  unsigned char buf[64];
491  uint64_t count;
492  uint32_t val[5];
493 #endif
495 
496 /**
497  * \brief SHA-1 context initialisation.
498  *
499  * This function initialises or resets a context for a new SHA-1
500  * computation. It also sets the vtable pointer.
501  *
502  * \param ctx pointer to the context structure.
503  */
504 void br_sha1_init(br_sha1_context *ctx);
505 
506 /**
507  * \brief Inject some data bytes in a running SHA-1 computation.
508  *
509  * The provided context is updated with some data bytes. If the number
510  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
511  * and may be `NULL`, and this function does nothing.
512  *
513  * \param ctx pointer to the context structure.
514  * \param data pointer to the injected data.
515  * \param len injected data length (in bytes).
516  */
517 void br_sha1_update(br_sha1_context *ctx, const void *data, size_t len);
518 
519 /**
520  * \brief Compute SHA-1 output.
521  *
522  * The SHA-1 output for the concatenation of all bytes injected in the
523  * provided context since the last initialisation or reset call, is
524  * computed and written in the buffer pointed to by `out`. The context
525  * itself is not modified, so extra bytes may be injected afterwards
526  * to continue that computation.
527  *
528  * \param ctx pointer to the context structure.
529  * \param out destination buffer for the hash output.
530  */
531 void br_sha1_out(const br_sha1_context *ctx, void *out);
532 
533 /**
534  * \brief Save SHA-1 running state.
535  *
536  * The running state for SHA-1 (output of the last internal block
537  * processing) is written in the buffer pointed to by `out`. The
538  * number of bytes injected since the last initialisation or reset
539  * call is returned. The context is not modified.
540  *
541  * \param ctx pointer to the context structure.
542  * \param out destination buffer for the running state.
543  * \return the injected total byte length.
544  */
545 uint64_t br_sha1_state(const br_sha1_context *ctx, void *out);
546 
547 /**
548  * \brief Restore SHA-1 running state.
549  *
550  * The running state for SHA-1 is set to the provided values.
551  *
552  * \param ctx pointer to the context structure.
553  * \param stb source buffer for the running state.
554  * \param count the injected total byte length.
555  */
556 void br_sha1_set_state(br_sha1_context *ctx, const void *stb, uint64_t count);
557 
558 /**
559  * \brief Symbolic identifier for SHA-224.
560  */
561 #define br_sha224_ID 3
562 
563 /**
564  * \brief SHA-224 output size (in bytes).
565  */
566 #define br_sha224_SIZE 28
567 
568 /**
569  * \brief Constant vtable for SHA-224.
570  */
571 extern const br_hash_class br_sha224_vtable;
572 
573 /**
574  * \brief SHA-224 context.
575  *
576  * First field is a pointer to the vtable; it is set by the initialisation
577  * function. Other fields are not supposed to be accessed by user code.
578  */
579 typedef struct {
580  /**
581  * \brief Pointer to vtable for this context.
582  */
583  const br_hash_class *vtable;
584 #ifndef BR_DOXYGEN_IGNORE
585  unsigned char buf[64];
586  uint64_t count;
587  uint32_t val[8];
588 #endif
590 
591 /**
592  * \brief SHA-224 context initialisation.
593  *
594  * This function initialises or resets a context for a new SHA-224
595  * computation. It also sets the vtable pointer.
596  *
597  * \param ctx pointer to the context structure.
598  */
600 
601 /**
602  * \brief Inject some data bytes in a running SHA-224 computation.
603  *
604  * The provided context is updated with some data bytes. If the number
605  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
606  * and may be `NULL`, and this function does nothing.
607  *
608  * \param ctx pointer to the context structure.
609  * \param data pointer to the injected data.
610  * \param len injected data length (in bytes).
611  */
612 void br_sha224_update(br_sha224_context *ctx, const void *data, size_t len);
613 
614 /**
615  * \brief Compute SHA-224 output.
616  *
617  * The SHA-224 output for the concatenation of all bytes injected in the
618  * provided context since the last initialisation or reset call, is
619  * computed and written in the buffer pointed to by `out`. The context
620  * itself is not modified, so extra bytes may be injected afterwards
621  * to continue that computation.
622  *
623  * \param ctx pointer to the context structure.
624  * \param out destination buffer for the hash output.
625  */
626 void br_sha224_out(const br_sha224_context *ctx, void *out);
627 
628 /**
629  * \brief Save SHA-224 running state.
630  *
631  * The running state for SHA-224 (output of the last internal block
632  * processing) is written in the buffer pointed to by `out`. The
633  * number of bytes injected since the last initialisation or reset
634  * call is returned. The context is not modified.
635  *
636  * \param ctx pointer to the context structure.
637  * \param out destination buffer for the running state.
638  * \return the injected total byte length.
639  */
640 uint64_t br_sha224_state(const br_sha224_context *ctx, void *out);
641 
642 /**
643  * \brief Restore SHA-224 running state.
644  *
645  * The running state for SHA-224 is set to the provided values.
646  *
647  * \param ctx pointer to the context structure.
648  * \param stb source buffer for the running state.
649  * \param count the injected total byte length.
650  */
652  const void *stb, uint64_t count);
653 
654 /**
655  * \brief Symbolic identifier for SHA-256.
656  */
657 #define br_sha256_ID 4
658 
659 /**
660  * \brief SHA-256 output size (in bytes).
661  */
662 #define br_sha256_SIZE 32
663 
664 /**
665  * \brief Constant vtable for SHA-256.
666  */
667 extern const br_hash_class br_sha256_vtable;
668 
669 #ifdef BR_DOXYGEN_IGNORE
670 /**
671  * \brief SHA-256 context.
672  *
673  * First field is a pointer to the vtable; it is set by the initialisation
674  * function. Other fields are not supposed to be accessed by user code.
675  */
676 typedef struct {
677  /**
678  * \brief Pointer to vtable for this context.
679  */
680  const br_hash_class *vtable;
682 #else
684 #endif
685 
686 /**
687  * \brief SHA-256 context initialisation.
688  *
689  * This function initialises or resets a context for a new SHA-256
690  * computation. It also sets the vtable pointer.
691  *
692  * \param ctx pointer to the context structure.
693  */
694 void br_sha256_init(br_sha256_context *ctx);
695 
696 #ifdef BR_DOXYGEN_IGNORE
697 /**
698  * \brief Inject some data bytes in a running SHA-256 computation.
699  *
700  * The provided context is updated with some data bytes. If the number
701  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
702  * and may be `NULL`, and this function does nothing.
703  *
704  * \param ctx pointer to the context structure.
705  * \param data pointer to the injected data.
706  * \param len injected data length (in bytes).
707  */
708 void br_sha256_update(br_sha256_context *ctx, const void *data, size_t len);
709 #else
710 #define br_sha256_update br_sha224_update
711 #endif
712 
713 /**
714  * \brief Compute SHA-256 output.
715  *
716  * The SHA-256 output for the concatenation of all bytes injected in the
717  * provided context since the last initialisation or reset call, is
718  * computed and written in the buffer pointed to by `out`. The context
719  * itself is not modified, so extra bytes may be injected afterwards
720  * to continue that computation.
721  *
722  * \param ctx pointer to the context structure.
723  * \param out destination buffer for the hash output.
724  */
725 void br_sha256_out(const br_sha256_context *ctx, void *out);
726 
727 #if BR_DOXYGEN_IGNORE
728 /**
729  * \brief Save SHA-256 running state.
730  *
731  * The running state for SHA-256 (output of the last internal block
732  * processing) is written in the buffer pointed to by `out`. The
733  * number of bytes injected since the last initialisation or reset
734  * call is returned. The context is not modified.
735  *
736  * \param ctx pointer to the context structure.
737  * \param out destination buffer for the running state.
738  * \return the injected total byte length.
739  */
740 uint64_t br_sha256_state(const br_sha256_context *ctx, void *out);
741 #else
742 #define br_sha256_state br_sha224_state
743 #endif
744 
745 #if BR_DOXYGEN_IGNORE
746 /**
747  * \brief Restore SHA-256 running state.
748  *
749  * The running state for SHA-256 is set to the provided values.
750  *
751  * \param ctx pointer to the context structure.
752  * \param stb source buffer for the running state.
753  * \param count the injected total byte length.
754  */
755 void br_sha256_set_state(br_sha256_context *ctx,
756  const void *stb, uint64_t count);
757 #else
758 #define br_sha256_set_state br_sha224_set_state
759 #endif
760 
761 /**
762  * \brief Symbolic identifier for SHA-384.
763  */
764 #define br_sha384_ID 5
765 
766 /**
767  * \brief SHA-384 output size (in bytes).
768  */
769 #define br_sha384_SIZE 48
770 
771 /**
772  * \brief Constant vtable for SHA-384.
773  */
774 extern const br_hash_class br_sha384_vtable;
775 
776 /**
777  * \brief SHA-384 context.
778  *
779  * First field is a pointer to the vtable; it is set by the initialisation
780  * function. Other fields are not supposed to be accessed by user code.
781  */
782 typedef struct {
783  /**
784  * \brief Pointer to vtable for this context.
785  */
786  const br_hash_class *vtable;
787 #ifndef BR_DOXYGEN_IGNORE
788  unsigned char buf[128];
789  uint64_t count;
790  uint64_t val[8];
791 #endif
793 
794 /**
795  * \brief SHA-384 context initialisation.
796  *
797  * This function initialises or resets a context for a new SHA-384
798  * computation. It also sets the vtable pointer.
799  *
800  * \param ctx pointer to the context structure.
801  */
803 
804 /**
805  * \brief Inject some data bytes in a running SHA-384 computation.
806  *
807  * The provided context is updated with some data bytes. If the number
808  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
809  * and may be `NULL`, and this function does nothing.
810  *
811  * \param ctx pointer to the context structure.
812  * \param data pointer to the injected data.
813  * \param len injected data length (in bytes).
814  */
815 void br_sha384_update(br_sha384_context *ctx, const void *data, size_t len);
816 
817 /**
818  * \brief Compute SHA-384 output.
819  *
820  * The SHA-384 output for the concatenation of all bytes injected in the
821  * provided context since the last initialisation or reset call, is
822  * computed and written in the buffer pointed to by `out`. The context
823  * itself is not modified, so extra bytes may be injected afterwards
824  * to continue that computation.
825  *
826  * \param ctx pointer to the context structure.
827  * \param out destination buffer for the hash output.
828  */
829 void br_sha384_out(const br_sha384_context *ctx, void *out);
830 
831 /**
832  * \brief Save SHA-384 running state.
833  *
834  * The running state for SHA-384 (output of the last internal block
835  * processing) is written in the buffer pointed to by `out`. The
836  * number of bytes injected since the last initialisation or reset
837  * call is returned. The context is not modified.
838  *
839  * \param ctx pointer to the context structure.
840  * \param out destination buffer for the running state.
841  * \return the injected total byte length.
842  */
843 uint64_t br_sha384_state(const br_sha384_context *ctx, void *out);
844 
845 /**
846  * \brief Restore SHA-384 running state.
847  *
848  * The running state for SHA-384 is set to the provided values.
849  *
850  * \param ctx pointer to the context structure.
851  * \param stb source buffer for the running state.
852  * \param count the injected total byte length.
853  */
855  const void *stb, uint64_t count);
856 
857 /**
858  * \brief Symbolic identifier for SHA-512.
859  */
860 #define br_sha512_ID 6
861 
862 /**
863  * \brief SHA-512 output size (in bytes).
864  */
865 #define br_sha512_SIZE 64
866 
867 /**
868  * \brief Constant vtable for SHA-512.
869  */
870 extern const br_hash_class br_sha512_vtable;
871 
872 #ifdef BR_DOXYGEN_IGNORE
873 /**
874  * \brief SHA-512 context.
875  *
876  * First field is a pointer to the vtable; it is set by the initialisation
877  * function. Other fields are not supposed to be accessed by user code.
878  */
879 typedef struct {
880  /**
881  * \brief Pointer to vtable for this context.
882  */
883  const br_hash_class *vtable;
885 #else
887 #endif
888 
889 /**
890  * \brief SHA-512 context initialisation.
891  *
892  * This function initialises or resets a context for a new SHA-512
893  * computation. It also sets the vtable pointer.
894  *
895  * \param ctx pointer to the context structure.
896  */
897 void br_sha512_init(br_sha512_context *ctx);
898 
899 #ifdef BR_DOXYGEN_IGNORE
900 /**
901  * \brief Inject some data bytes in a running SHA-512 computation.
902  *
903  * The provided context is updated with some data bytes. If the number
904  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
905  * and may be `NULL`, and this function does nothing.
906  *
907  * \param ctx pointer to the context structure.
908  * \param data pointer to the injected data.
909  * \param len injected data length (in bytes).
910  */
911 void br_sha512_update(br_sha512_context *ctx, const void *data, size_t len);
912 #else
913 #define br_sha512_update br_sha384_update
914 #endif
915 
916 /**
917  * \brief Compute SHA-512 output.
918  *
919  * The SHA-512 output for the concatenation of all bytes injected in the
920  * provided context since the last initialisation or reset call, is
921  * computed and written in the buffer pointed to by `out`. The context
922  * itself is not modified, so extra bytes may be injected afterwards
923  * to continue that computation.
924  *
925  * \param ctx pointer to the context structure.
926  * \param out destination buffer for the hash output.
927  */
928 void br_sha512_out(const br_sha512_context *ctx, void *out);
929 
930 #ifdef BR_DOXYGEN_IGNORE
931 /**
932  * \brief Save SHA-512 running state.
933  *
934  * The running state for SHA-512 (output of the last internal block
935  * processing) is written in the buffer pointed to by `out`. The
936  * number of bytes injected since the last initialisation or reset
937  * call is returned. The context is not modified.
938  *
939  * \param ctx pointer to the context structure.
940  * \param out destination buffer for the running state.
941  * \return the injected total byte length.
942  */
943 uint64_t br_sha512_state(const br_sha512_context *ctx, void *out);
944 #else
945 #define br_sha512_state br_sha384_state
946 #endif
947 
948 #ifdef BR_DOXYGEN_IGNORE
949 /**
950  * \brief Restore SHA-512 running state.
951  *
952  * The running state for SHA-512 is set to the provided values.
953  *
954  * \param ctx pointer to the context structure.
955  * \param stb source buffer for the running state.
956  * \param count the injected total byte length.
957  */
958 void br_sha512_set_state(br_sha512_context *ctx,
959  const void *stb, uint64_t count);
960 #else
961 #define br_sha512_set_state br_sha384_set_state
962 #endif
963 
964 /*
965  * "md5sha1" is a special hash function that computes both MD5 and SHA-1
966  * on the same input, and produces a 36-byte output (MD5 and SHA-1
967  * concatenation, in that order). State size is also 36 bytes.
968  */
969 
970 /**
971  * \brief Symbolic identifier for MD5+SHA-1.
972  *
973  * MD5+SHA-1 is the concatenation of MD5 and SHA-1, computed over the
974  * same input. It is not one of the functions identified in TLS, so
975  * we give it a symbolic identifier of value 0.
976  */
977 #define br_md5sha1_ID 0
978 
979 /**
980  * \brief MD5+SHA-1 output size (in bytes).
981  */
982 #define br_md5sha1_SIZE 36
983 
984 /**
985  * \brief Constant vtable for MD5+SHA-1.
986  */
987 extern const br_hash_class br_md5sha1_vtable;
988 
989 /**
990  * \brief MD5+SHA-1 context.
991  *
992  * First field is a pointer to the vtable; it is set by the initialisation
993  * function. Other fields are not supposed to be accessed by user code.
994  */
995 typedef struct {
996  /**
997  * \brief Pointer to vtable for this context.
998  */
999  const br_hash_class *vtable;
1000 #ifndef BR_DOXYGEN_IGNORE
1001  unsigned char buf[64];
1002  uint64_t count;
1003  uint32_t val_md5[4];
1004  uint32_t val_sha1[5];
1005 #endif
1007 
1008 /**
1009  * \brief MD5+SHA-1 context initialisation.
1010  *
1011  * This function initialises or resets a context for a new SHA-512
1012  * computation. It also sets the vtable pointer.
1013  *
1014  * \param ctx pointer to the context structure.
1015  */
1017 
1018 /**
1019  * \brief Inject some data bytes in a running MD5+SHA-1 computation.
1020  *
1021  * The provided context is updated with some data bytes. If the number
1022  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
1023  * and may be `NULL`, and this function does nothing.
1024  *
1025  * \param ctx pointer to the context structure.
1026  * \param data pointer to the injected data.
1027  * \param len injected data length (in bytes).
1028  */
1029 void br_md5sha1_update(br_md5sha1_context *ctx, const void *data, size_t len);
1030 
1031 /**
1032  * \brief Compute MD5+SHA-1 output.
1033  *
1034  * The MD5+SHA-1 output for the concatenation of all bytes injected in the
1035  * provided context since the last initialisation or reset call, is
1036  * computed and written in the buffer pointed to by `out`. The context
1037  * itself is not modified, so extra bytes may be injected afterwards
1038  * to continue that computation.
1039  *
1040  * \param ctx pointer to the context structure.
1041  * \param out destination buffer for the hash output.
1042  */
1043 void br_md5sha1_out(const br_md5sha1_context *ctx, void *out);
1044 
1045 /**
1046  * \brief Save MD5+SHA-1 running state.
1047  *
1048  * The running state for MD5+SHA-1 (output of the last internal block
1049  * processing) is written in the buffer pointed to by `out`. The
1050  * number of bytes injected since the last initialisation or reset
1051  * call is returned. The context is not modified.
1052  *
1053  * \param ctx pointer to the context structure.
1054  * \param out destination buffer for the running state.
1055  * \return the injected total byte length.
1056  */
1057 uint64_t br_md5sha1_state(const br_md5sha1_context *ctx, void *out);
1058 
1059 /**
1060  * \brief Restore MD5+SHA-1 running state.
1061  *
1062  * The running state for MD5+SHA-1 is set to the provided values.
1063  *
1064  * \param ctx pointer to the context structure.
1065  * \param stb source buffer for the running state.
1066  * \param count the injected total byte length.
1067  */
1069  const void *stb, uint64_t count);
1070 
1071 /**
1072  * \brief Aggregate context for configurable hash function support.
1073  *
1074  * The `br_hash_compat_context` type is a type which is large enough to
1075  * serve as context for all standard hash functions defined above.
1076  */
1077 typedef union {
1078  const br_hash_class *vtable;
1082  br_sha256_context sha256;
1084  br_sha512_context sha512;
1087 
1088 /*
1089  * The multi-hasher is a construct that handles hashing of the same input
1090  * data with several hash functions, with a single shared input buffer.
1091  * It can handle MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512
1092  * simultaneously, though which functions are activated depends on
1093  * the set implementation pointers.
1094  */
1095 
1096 /**
1097  * \brief Multi-hasher context structure.
1098  *
1099  * The multi-hasher runs up to six hash functions in the standard TLS list
1100  * (MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512) in parallel, over
1101  * the same input.
1102  *
1103  * The multi-hasher does _not_ follow the OOP structure with a vtable.
1104  * Instead, it is configured with the vtables of the hash functions it
1105  * should run. Structure fields are not supposed to be accessed directly.
1106  */
1107 typedef struct {
1108 #ifndef BR_DOXYGEN_IGNORE
1109  unsigned char buf[128];
1110  uint64_t count;
1111  uint32_t val_32[25];
1112  uint64_t val_64[16];
1113  const br_hash_class *impl[6];
1114 #endif
1116 
1117 /**
1118  * \brief Clear a multi-hasher context.
1119  *
1120  * This should always be called once on a given context, _before_ setting
1121  * the implementation pointers.
1122  *
1123  * \param ctx the multi-hasher context.
1124  */
1126 
1127 /**
1128  * \brief Set a hash function implementation.
1129  *
1130  * Implementations shall be set _after_ clearing the context (with
1131  * `br_multihash_zero()`) but _before_ initialising the computation
1132  * (with `br_multihash_init()`). The hash function implementation
1133  * MUST be one of the standard hash functions (MD5, SHA-1, SHA-224,
1134  * SHA-256, SHA-384 or SHA-512); it may also be `NULL` to remove
1135  * an implementation from the multi-hasher.
1136  *
1137  * \param ctx the multi-hasher context.
1138  * \param id the hash function symbolic identifier.
1139  * \param impl the hash function vtable, or `NULL`.
1140  */
1141 static inline void
1143  int id, const br_hash_class *impl)
1144 {
1145  /*
1146  * This code relies on hash functions ID being values 1 to 6,
1147  * in the MD5 to SHA-512 order.
1148  */
1149  ctx->impl[id - 1] = impl;
1150 }
1151 
1152 /**
1153  * \brief Get a hash function implementation.
1154  *
1155  * This function returns the currently configured vtable for a given
1156  * hash function (by symbolic ID). If no such function was configured in
1157  * the provided multi-hasher context, then this function returns `NULL`.
1158  *
1159  * \param ctx the multi-hasher context.
1160  * \param id the hash function symbolic identifier.
1161  * \return the hash function vtable, or `NULL`.
1162  */
1163 static inline const br_hash_class *
1165 {
1166  return ctx->impl[id - 1];
1167 }
1168 
1169 /**
1170  * \brief Reset a multi-hasher context.
1171  *
1172  * This function prepares the context for a new hashing computation,
1173  * for all implementations configured at that point.
1174  *
1175  * \param ctx the multi-hasher context.
1176  */
1178 
1179 /**
1180  * \brief Inject some data bytes in a running multi-hashing computation.
1181  *
1182  * The provided context is updated with some data bytes. If the number
1183  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
1184  * and may be `NULL`, and this function does nothing.
1185  *
1186  * \param ctx pointer to the context structure.
1187  * \param data pointer to the injected data.
1188  * \param len injected data length (in bytes).
1189  */
1191  const void *data, size_t len);
1192 
1193 /**
1194  * \brief Compute a hash output from a multi-hasher.
1195  *
1196  * The hash output for the concatenation of all bytes injected in the
1197  * provided context since the last initialisation or reset call, is
1198  * computed and written in the buffer pointed to by `dst`. The hash
1199  * function to use is identified by `id` and must be one of the standard
1200  * hash functions. If that hash function was indeed configured in the
1201  * multi-hasher context, the corresponding hash value is written in
1202  * `dst` and its length (in bytes) is returned. If the hash function
1203  * was _not_ configured, then nothing is written in `dst` and 0 is
1204  * returned.
1205  *
1206  * The context itself is not modified, so extra bytes may be injected
1207  * afterwards to continue the hash computations.
1208  *
1209  * \param ctx pointer to the context structure.
1210  * \param id the hash function symbolic identifier.
1211  * \param dst destination buffer for the hash output.
1212  * \return the hash output length (in bytes), or 0.
1213  */
1214 size_t br_multihash_out(const br_multihash_context *ctx, int id, void *dst);
1215 
1216 /**
1217  * \brief Type for a GHASH implementation.
1218  *
1219  * GHASH is a sort of keyed hash meant to be used to implement GCM in
1220  * combination with a block cipher (with 16-byte blocks).
1221  *
1222  * The `y` array has length 16 bytes and is used for input and output; in
1223  * a complete GHASH run, it starts with an all-zero value. `h` is a 16-byte
1224  * value that serves as key (it is derived from the encryption key in GCM,
1225  * using the block cipher). The data length (`len`) is expressed in bytes.
1226  * The `y` array is updated.
1227  *
1228  * If the data length is not a multiple of 16, then the data is implicitly
1229  * padded with zeros up to the next multiple of 16. Thus, when using GHASH
1230  * in GCM, this method may be called twice, for the associated data and
1231  * for the ciphertext, respectively; the zero-padding implements exactly
1232  * the GCM rules.
1233  *
1234  * \param y the array to update.
1235  * \param h the GHASH key.
1236  * \param data the input data (may be `NULL` if `len` is zero).
1237  * \param len the input data length (in bytes).
1238  */
1239 typedef void (*br_ghash)(void *y, const void *h, const void *data, size_t len);
1240 
1241 /**
1242  * \brief GHASH implementation using multiplications (mixed 32-bit).
1243  *
1244  * This implementation uses multiplications of 32-bit values, with a
1245  * 64-bit result. It is constant-time (if multiplications are
1246  * constant-time).
1247  *
1248  * \param y the array to update.
1249  * \param h the GHASH key.
1250  * \param data the input data (may be `NULL` if `len` is zero).
1251  * \param len the input data length (in bytes).
1252  */
1253 void br_ghash_ctmul(void *y, const void *h, const void *data, size_t len);
1254 
1255 /**
1256  * \brief GHASH implementation using multiplications (strict 32-bit).
1257  *
1258  * This implementation uses multiplications of 32-bit values, with a
1259  * 32-bit result. It is usually somewhat slower than `br_ghash_ctmul()`,
1260  * but it is expected to be faster on architectures for which the
1261  * 32-bit multiplication opcode does not yield the upper 32 bits of the
1262  * product. It is constant-time (if multiplications are constant-time).
1263  *
1264  * \param y the array to update.
1265  * \param h the GHASH key.
1266  * \param data the input data (may be `NULL` if `len` is zero).
1267  * \param len the input data length (in bytes).
1268  */
1269 void br_ghash_ctmul32(void *y, const void *h, const void *data, size_t len);
1270 
1271 /**
1272  * \brief GHASH implementation using multiplications (64-bit).
1273  *
1274  * This implementation uses multiplications of 64-bit values, with a
1275  * 64-bit result. It is constant-time (if multiplications are
1276  * constant-time). It is substantially faster than `br_ghash_ctmul()`
1277  * and `br_ghash_ctmul32()` on most 64-bit architectures.
1278  *
1279  * \param y the array to update.
1280  * \param h the GHASH key.
1281  * \param data the input data (may be `NULL` if `len` is zero).
1282  * \param len the input data length (in bytes).
1283  */
1284 void br_ghash_ctmul64(void *y, const void *h, const void *data, size_t len);
1285 
1286 /**
1287  * \brief GHASH implementation using the `pclmulqdq` opcode (part of the
1288  * AES-NI instructions).
1289  *
1290  * This implementation is available only on x86 platforms where the
1291  * compiler supports the relevant intrinsic functions. Even if the
1292  * compiler supports these functions, the local CPU might not support
1293  * the `pclmulqdq` opcode, meaning that a call will fail with an
1294  * illegal instruction exception. To safely obtain a pointer to this
1295  * function when supported (or 0 otherwise), use `br_ghash_pclmul_get()`.
1296  *
1297  * \param y the array to update.
1298  * \param h the GHASH key.
1299  * \param data the input data (may be `NULL` if `len` is zero).
1300  * \param len the input data length (in bytes).
1301  */
1302 void br_ghash_pclmul(void *y, const void *h, const void *data, size_t len);
1303 
1304 /**
1305  * \brief Obtain the `pclmul` GHASH implementation, if available.
1306  *
1307  * If the `pclmul` implementation was compiled in the library (depending
1308  * on the compiler abilities) _and_ the local CPU appears to support the
1309  * opcode, then this function will return a pointer to the
1310  * `br_ghash_pclmul()` function. Otherwise, it will return `0`.
1311  *
1312  * \return the `pclmul` GHASH implementation, or `0`.
1313  */
1315 
1316 /**
1317  * \brief GHASH implementation using the POWER8 opcodes.
1318  *
1319  * This implementation is available only on POWER8 platforms (and later).
1320  * To safely obtain a pointer to this function when supported (or 0
1321  * otherwise), use `br_ghash_pwr8_get()`.
1322  *
1323  * \param y the array to update.
1324  * \param h the GHASH key.
1325  * \param data the input data (may be `NULL` if `len` is zero).
1326  * \param len the input data length (in bytes).
1327  */
1328 void br_ghash_pwr8(void *y, const void *h, const void *data, size_t len);
1329 
1330 /**
1331  * \brief Obtain the `pwr8` GHASH implementation, if available.
1332  *
1333  * If the `pwr8` implementation was compiled in the library (depending
1334  * on the compiler abilities) _and_ the local CPU appears to support the
1335  * opcode, then this function will return a pointer to the
1336  * `br_ghash_pwr8()` function. Otherwise, it will return `0`.
1337  *
1338  * \return the `pwr8` GHASH implementation, or `0`.
1339  */
1341 
1342 #ifdef __cplusplus
1343 }
1344 #endif
1345 
1346 #endif
br_sha1_context sha1
Definition: bearssl_hash.h:1080
void br_sha1_update(br_sha1_context *ctx, const void *data, size_t len)
Inject some data bytes in a running SHA-1 computation.
void br_ghash_pclmul(void *y, const void *h, const void *data, size_t len)
GHASH implementation using the pclmulqdq opcode (part of the AES-NI instructions).
SHA-224 context.
Definition: bearssl_hash.h:579
const br_hash_class br_md5_vtable
Constant vtable for MD5.
void br_ghash_ctmul64(void *y, const void *h, const void *data, size_t len)
GHASH implementation using multiplications (64-bit).
const br_hash_class br_sha224_vtable
Constant vtable for SHA-224.
uint64_t br_md5sha1_state(const br_md5sha1_context *ctx, void *out)
Save MD5+SHA-1 running state.
const br_hash_class br_sha512_vtable
Constant vtable for SHA-512.
Class type for hash function implementations.
Definition: bearssl_hash.h:222
const br_hash_class * vtable
Pointer to vtable for this context.
Definition: bearssl_hash.h:999
br_sha224_context sha224
Definition: bearssl_hash.h:1081
br_md5sha1_context md5sha1
Definition: bearssl_hash.h:1085
MD5+SHA-1 context.
Definition: bearssl_hash.h:995
void(* set_state)(const br_hash_class **ctx, const void *stb, uint64_t count)
Set running state.
Definition: bearssl_hash.h:327
SHA-384 context.
Definition: bearssl_hash.h:782
void br_md5_set_state(br_md5_context *ctx, const void *stb, uint64_t count)
Restore MD5 running state.
void br_sha224_out(const br_sha224_context *ctx, void *out)
Compute SHA-224 output.
void br_multihash_init(br_multihash_context *ctx)
Reset a multi-hasher context.
void br_md5_update(br_md5_context *ctx, const void *data, size_t len)
Inject some data bytes in a running MD5 computation.
uint64_t br_md5_state(const br_md5_context *ctx, void *out)
Save MD5 running state.
void br_ghash_pwr8(void *y, const void *h, const void *data, size_t len)
GHASH implementation using the POWER8 opcodes.
br_ghash br_ghash_pclmul_get(void)
Obtain the pclmul GHASH implementation, if available.
uint64_t br_sha224_state(const br_sha224_context *ctx, void *out)
Save SHA-224 running state.
uint64_t br_sha1_state(const br_sha1_context *ctx, void *out)
Save SHA-1 running state.
void br_md5sha1_out(const br_md5sha1_context *ctx, void *out)
Compute MD5+SHA-1 output.
static const br_hash_class * br_multihash_getimpl(const br_multihash_context *ctx, int id)
Get a hash function implementation.
Definition: bearssl_hash.h:1164
Multi-hasher context structure.
Definition: bearssl_hash.h:1107
void br_sha224_update(br_sha224_context *ctx, const void *data, size_t len)
Inject some data bytes in a running SHA-224 computation.
void br_sha384_init(br_sha384_context *ctx)
SHA-384 context initialisation.
br_ghash br_ghash_pwr8_get(void)
Obtain the pwr8 GHASH implementation, if available.
uint64_t br_sha512_state(const br_sha512_context *ctx, void *out)
Save SHA-512 running state.
void br_sha512_out(const br_sha512_context *ctx, void *out)
Compute SHA-512 output.
void br_sha384_set_state(br_sha384_context *ctx, const void *stb, uint64_t count)
Restore SHA-384 running state.
void br_sha256_init(br_sha256_context *ctx)
SHA-256 context initialisation.
void(* out)(const br_hash_class *const *ctx, void *dst)
Produce hash output.
Definition: bearssl_hash.h:300
Aggregate context for configurable hash function support.
Definition: bearssl_hash.h:1077
void br_multihash_update(br_multihash_context *ctx, const void *data, size_t len)
Inject some data bytes in a running multi-hashing computation.
void br_sha384_update(br_sha384_context *ctx, const void *data, size_t len)
Inject some data bytes in a running SHA-384 computation.
SHA-256 context.
Definition: bearssl_hash.h:676
void br_sha512_set_state(br_sha512_context *ctx, const void *stb, uint64_t count)
Restore SHA-512 running state.
void br_sha1_out(const br_sha1_context *ctx, void *out)
Compute SHA-1 output.
void br_sha224_set_state(br_sha224_context *ctx, const void *stb, uint64_t count)
Restore SHA-224 running state.
const br_hash_class * vtable
Pointer to vtable for this context.
Definition: bearssl_hash.h:488
const br_hash_class br_sha256_vtable
Constant vtable for SHA-256.
size_t br_multihash_out(const br_multihash_context *ctx, int id, void *dst)
Compute a hash output from a multi-hasher.
br_sha384_context sha384
Definition: bearssl_hash.h:1083
MD5 context.
Definition: bearssl_hash.h:389
uint32_t desc
Descriptor word that contains information about the hash function.
Definition: bearssl_hash.h:257
const br_hash_class * vtable
Pointer to vtable for this context.
Definition: bearssl_hash.h:883
void br_multihash_zero(br_multihash_context *ctx)
Clear a multi-hasher context.
const br_hash_class br_sha384_vtable
Constant vtable for SHA-384.
void br_md5_init(br_md5_context *ctx)
MD5 context initialisation.
void(* br_ghash)(void *y, const void *h, const void *data, size_t len)
Type for a GHASH implementation.
Definition: bearssl_hash.h:1239
void br_sha512_update(br_sha512_context *ctx, const void *data, size_t len)
Inject some data bytes in a running SHA-512 computation.
uint64_t br_sha384_state(const br_sha384_context *ctx, void *out)
Save SHA-384 running state.
void(* init)(const br_hash_class **ctx)
Initialisation method.
Definition: bearssl_hash.h:269
void br_sha256_update(br_sha256_context *ctx, const void *data, size_t len)
Inject some data bytes in a running SHA-256 computation.
br_sha256_context sha256
Definition: bearssl_hash.h:1082
const br_hash_class br_md5sha1_vtable
Constant vtable for MD5+SHA-1.
void br_ghash_ctmul32(void *y, const void *h, const void *data, size_t len)
GHASH implementation using multiplications (strict 32-bit).
uint64_t(* state)(const br_hash_class *const *ctx, void *dst)
Get running state.
Definition: bearssl_hash.h:316
void br_sha1_init(br_sha1_context *ctx)
SHA-1 context initialisation.
size_t context_size
Size (in bytes) of the context structure appropriate for computing this hash function.
Definition: bearssl_hash.h:227
const br_hash_class br_sha1_vtable
Constant vtable for SHA-1.
const br_hash_class * vtable
Definition: bearssl_hash.h:1078
void br_ghash_ctmul(void *y, const void *h, const void *data, size_t len)
GHASH implementation using multiplications (mixed 32-bit).
const br_hash_class * vtable
Pointer to vtable for this context.
Definition: bearssl_hash.h:786
br_sha512_context sha512
Definition: bearssl_hash.h:1084
br_md5_context md5
Definition: bearssl_hash.h:1079
void br_sha1_set_state(br_sha1_context *ctx, const void *stb, uint64_t count)
Restore SHA-1 running state.
void br_md5sha1_set_state(br_md5sha1_context *ctx, const void *stb, uint64_t count)
Restore MD5+SHA-1 running state.
void br_md5sha1_update(br_md5sha1_context *ctx, const void *data, size_t len)
Inject some data bytes in a running MD5+SHA-1 computation.
static void br_multihash_setimpl(br_multihash_context *ctx, int id, const br_hash_class *impl)
Set a hash function implementation.
Definition: bearssl_hash.h:1142
void br_sha384_out(const br_sha384_context *ctx, void *out)
Compute SHA-384 output.
void(* update)(const br_hash_class **ctx, const void *data, size_t len)
Data injection method.
Definition: bearssl_hash.h:285
void br_sha224_init(br_sha224_context *ctx)
SHA-224 context initialisation.
void br_md5sha1_init(br_md5sha1_context *ctx)
MD5+SHA-1 context initialisation.
const br_hash_class * vtable
Pointer to vtable for this context.
Definition: bearssl_hash.h:583
const br_hash_class * vtable
Pointer to vtable for this context.
Definition: bearssl_hash.h:680
uint64_t br_sha256_state(const br_sha256_context *ctx, void *out)
Save SHA-256 running state.
void br_md5_out(const br_md5_context *ctx, void *out)
Compute MD5 output.
void br_sha256_set_state(br_sha256_context *ctx, const void *stb, uint64_t count)
Restore SHA-256 running state.
SHA-512 context.
Definition: bearssl_hash.h:879
SHA-1 context.
Definition: bearssl_hash.h:484
void br_sha256_out(const br_sha256_context *ctx, void *out)
Compute SHA-256 output.
void br_sha512_init(br_sha512_context *ctx)
SHA-512 context initialisation.
const br_hash_class * vtable
Pointer to vtable for this context.
Definition: bearssl_hash.h:393