2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
35 * On MSVC, disable the warning about applying unary minus on an
36 * unsigned type: it is standard, we do it all the time, and for
40 #pragma warning( disable : 4146 )
44 * Maximum size for a RSA modulus (in bits). Allocated stack buffers
45 * depend on that size, so this value should be kept small. Currently,
46 * 2048-bit RSA keys offer adequate security, and should still do so for
47 * the next few decades; however, a number of widespread PKI have
48 * already set their root keys to RSA-4096, so we should be able to
51 * This value MUST be a multiple of 64. This value MUST NOT exceed 47666
52 * (some computations in RSA key generation rely on the factor size being
53 * no more than 23833 bits). RSA key sizes beyond 3072 bits don't make a
54 * lot of sense anyway.
56 #define BR_MAX_RSA_SIZE 4096
59 * Minimum size for a RSA modulus (in bits); this value is used only to
60 * filter out invalid parameters for key pair generation. Normally,
61 * applications should not use RSA keys smaller than 2048 bits; but some
62 * specific cases might need shorter keys, for legacy or research
65 #define BR_MIN_RSA_SIZE 512
68 * Maximum size for a RSA factor (in bits). This is for RSA private-key
69 * operations. Default is to support factors up to a bit more than half
70 * the maximum modulus size.
72 * This value MUST be a multiple of 32.
74 #define BR_MAX_RSA_FACTOR ((BR_MAX_RSA_SIZE + 64) >> 1)
77 * Maximum size for an EC curve (modulus or order), in bits. Size of
78 * stack buffers depends on that parameter. This size MUST be a multiple
79 * of 8 (so that decoding an integer with that many bytes does not
82 #define BR_MAX_EC_SIZE 528
85 * Some macros to recognize the current architecture. Right now, we are
86 * interested into automatically recognizing architecture with efficient
87 * 64-bit types so that we may automatically use implementations that
88 * use 64-bit registers in that case. Future versions may detect, e.g.,
89 * availability of SSE2 intrinsics.
91 * If 'unsigned long' is a 64-bit type, then we assume that 64-bit types
92 * are efficient. Otherwise, we rely on macros that depend on compiler,
93 * OS and architecture. In any case, failure to detect the architecture
94 * as 64-bit means that the 32-bit code will be used, and that code
95 * works also on 64-bit architectures (the 64-bit code may simply be
98 * The test on 'unsigned long' should already catch most cases, the one
99 * notable exception being Windows code where 'unsigned long' is kept to
100 * 32-bit for compatibility with all the legacy code that liberally uses
101 * the 'DWORD' type for 32-bit values.
103 * Macro names are taken from: http://nadeausoftware.com/articles/2012/02/c_c_tip_how_detect_processor_type_using_compiler_predefined_macros
106 #if ((ULONG_MAX >> 31) >> 31) == 3
108 #elif defined(__ia64) || defined(__itanium__) || defined(_M_IA64)
110 #elif defined(__powerpc64__) || defined(__ppc64__) || defined(__PPC64__) \
111 || defined(__64BIT__) || defined(_LP64) || defined(__LP64__)
113 #elif defined(__sparc64__)
115 #elif defined(__x86_64__) || defined(_M_X64)
117 #elif defined(__aarch64__) || defined(_M_ARM64)
119 #elif defined(__mips64)
125 * Set BR_LOMUL on platforms where it makes sense.
128 #if BR_ARMEL_CORTEXM_GCC
134 * Architecture detection.
137 #if __i386__ || _M_IX86
143 #if __x86_64__ || _M_X64
149 * Compiler brand and version.
151 * Implementations that use intrinsics need to detect the compiler type
152 * and version because some specific actions may be needed to activate
153 * the corresponding opcodes, both for header inclusion, and when using
154 * them in a function.
156 * BR_GCC, BR_CLANG and BR_MSC will be set to 1 for, respectively, GCC,
157 * Clang and MS Visual C. For each of them, sub-macros will be defined
158 * for versions; each sub-macro is set whenever the compiler version is
159 * at least as recent as the one corresponding to the macro.
163 * GCC thresholds are on versions 4.4 to 4.9 and 5.0.
166 #if __GNUC__ && !__clang__
171 #elif __GNUC__ == 4 && __GNUC_MINOR__ >= 9
173 #elif __GNUC__ == 4 && __GNUC_MINOR__ >= 8
175 #elif __GNUC__ == 4 && __GNUC_MINOR__ >= 7
177 #elif __GNUC__ == 4 && __GNUC_MINOR__ >= 6
179 #elif __GNUC__ == 4 && __GNUC_MINOR__ >= 5
181 #elif __GNUC__ == 4 && __GNUC_MINOR__ >= 4
208 * Clang thresholds are on versions 3.7.0 and 3.8.0.
214 #if __clang_major__ > 3 || (__clang_major__ == 3 && __clang_minor__ >= 8)
215 #define BR_CLANG_3_8 1
216 #elif __clang_major__ == 3 && __clang_minor__ >= 7
217 #define BR_CLANG_3_7 1
221 #define BR_CLANG_3_7 1
228 * MS Visual C thresholds are on Visual Studio 2005 to 2015.
235 #define BR_MSC_2015 1
236 #elif _MSC_VER >= 1800
237 #define BR_MSC_2013 1
238 #elif _MSC_VER >= 1700
239 #define BR_MSC_2012 1
240 #elif _MSC_VER >= 1600
241 #define BR_MSC_2010 1
242 #elif _MSC_VER >= 1500
243 #define BR_MSC_2008 1
244 #elif _MSC_VER >= 1400
245 #define BR_MSC_2005 1
249 #define BR_MSC_2013 1
252 #define BR_MSC_2012 1
255 #define BR_MSC_2010 1
258 #define BR_MSC_2008 1
261 #define BR_MSC_2005 1
268 * GCC 4.4+ and Clang 3.7+ allow tagging specific functions with a
269 * 'target' attribute that activates support for specific opcodes.
271 #if BR_GCC_4_4 || BR_CLANG_3_7
272 #define BR_TARGET(x) __attribute__((target(x)))
278 * AES-NI intrinsics are available on x86 (32-bit and 64-bit) with
279 * GCC 4.8+, Clang 3.7+ and MSC 2012+.
282 #if (BR_i386 || BR_amd64) && (BR_GCC_4_8 || BR_CLANG_3_7 || BR_MSC_2012)
283 #define BR_AES_X86NI 1
288 * SSE2 intrinsics are available on x86 (32-bit and 64-bit) with
289 * GCC 4.4+, Clang 3.7+ and MSC 2005+.
292 #if (BR_i386 || BR_amd64) && (BR_GCC_4_4 || BR_CLANG_3_7 || BR_MSC_2005)
298 * RDRAND intrinsics are available on x86 (32-bit and 64-bit) with
299 * GCC 4.6+, Clang 3.7+ and MSC 2012+.
302 #if (BR_i386 || BR_amd64) && (BR_GCC_4_6 || BR_CLANG_3_7 || BR_MSC_2012)
308 * Determine type of OS for random number generation. Macro names and
309 * values are documented on:
310 * https://sourceforge.net/p/predef/wiki/OperatingSystems/
312 * TODO: enrich the list of detected system. Also add detection for
313 * alternate system calls like getentropy(), which are usually
314 * preferable when available.
317 #ifndef BR_USE_URANDOM
319 || defined __ANDROID__ \
320 || defined __FreeBSD__ \
321 || defined __NetBSD__ \
322 || defined __OpenBSD__ \
323 || defined __DragonFly__ \
324 || defined __linux__ \
325 || (defined __sun && (defined __SVR4 || defined __svr4__)) \
326 || (defined __APPLE__ && defined __MACH__)
327 #define BR_USE_URANDOM 1
331 #ifndef BR_USE_WIN32_RAND
332 #if defined _WIN32 || defined _WIN64
333 #define BR_USE_WIN32_RAND 1
338 * POWER8 crypto support. We rely on compiler macros for the
339 * architecture, since we do not have a reliable, simple way to detect
340 * the required support at runtime (we could try running an opcode, and
341 * trapping the exception or signal on illegal instruction, but this
342 * induces some non-trivial OS dependencies that we would prefer to
343 * avoid if possible).
346 #if __GNUC__ && ((_ARCH_PWR8 || _ARCH_PPC) && __CRYPTO__)
352 * Detect endinanness on POWER8.
355 #if defined BR_POWER8_LE
358 #define BR_POWER8_BE 0
360 #define BR_POWER8_BE 1
362 #elif defined BR_POWER8_BE
365 #define BR_POWER8_LE 0
367 #define BR_POWER8_LE 1
370 #if __LITTLE_ENDIAN__
371 #define BR_POWER8_LE 1
372 #define BR_POWER8_BE 0
374 #define BR_POWER8_LE 0
375 #define BR_POWER8_BE 1
381 * Detect support for 128-bit integers.
383 #if !defined BR_INT128 && !defined BR_UMUL128
384 #ifdef __SIZEOF_INT128__
392 * Detect support for unaligned accesses with known endianness.
394 * x86 (both 32-bit and 64-bit) is little-endian and allows unaligned
397 * POWER/PowerPC allows unaligned accesses when big-endian. POWER8 and
398 * later also allow unaligned accesses when little-endian.
400 #if !defined BR_LE_UNALIGNED && !defined BR_BE_UNALIGNED
402 #if __i386 || __i386__ || __x86_64__ || _M_IX86 || _M_X64
403 #define BR_LE_UNALIGNED 1
405 #define BR_BE_UNALIGNED 1
407 #define BR_LE_UNALIGNED 1
408 #elif (__powerpc__ || __powerpc64__ || _M_PPC || _ARCH_PPC || _ARCH_PPC64) \
410 #define BR_BE_UNALIGNED 1
416 * Detect support for an OS-provided time source.
419 #ifndef BR_USE_UNIX_TIME
420 #if defined __unix__ || defined __linux__ \
421 || defined _POSIX_SOURCE || defined _POSIX_C_SOURCE \
422 || (defined __APPLE__ && defined __MACH__)
423 #define BR_USE_UNIX_TIME 1
427 #ifndef BR_USE_WIN32_TIME
428 #if defined _WIN32 || defined _WIN64
429 #define BR_USE_WIN32_TIME 1
433 /* ==================================================================== */
435 * Encoding/decoding functions.
437 * 32-bit and 64-bit decoding, both little-endian and big-endian, is
438 * implemented with the inline functions below.
440 * When allowed by some compile-time options (autodetected or provided),
441 * optimised code is used, to perform direct memory access when the
442 * underlying architecture supports it, both for endianness and
443 * alignment. This, however, may trigger strict aliasing issues; the
444 * code below uses unions to perform (supposedly) safe type punning.
445 * Since the C aliasing rules are relatively complex and were amended,
446 * or at least re-explained with different phrasing, in all successive
447 * versions of the C standard, it is always a bit risky to bet that any
448 * specific version of a C compiler got it right, for some notion of
454 unsigned char b
[sizeof(uint16_t)];
459 unsigned char b
[sizeof(uint32_t)];
464 unsigned char b
[sizeof(uint64_t)];
468 br_enc16le(void *dst
, unsigned x
)
471 ((br_union_u16
*)dst
)->u
= x
;
476 buf
[0] = (unsigned char)x
;
477 buf
[1] = (unsigned char)(x
>> 8);
482 br_enc16be(void *dst
, unsigned x
)
485 ((br_union_u16
*)dst
)->u
= x
;
490 buf
[0] = (unsigned char)(x
>> 8);
491 buf
[1] = (unsigned char)x
;
495 static inline unsigned
496 br_dec16le(const void *src
)
499 return ((const br_union_u16
*)src
)->u
;
501 const unsigned char *buf
;
504 return (unsigned)buf
[0] | ((unsigned)buf
[1] << 8);
508 static inline unsigned
509 br_dec16be(const void *src
)
512 return ((const br_union_u16
*)src
)->u
;
514 const unsigned char *buf
;
517 return ((unsigned)buf
[0] << 8) | (unsigned)buf
[1];
522 br_enc32le(void *dst
, uint32_t x
)
525 ((br_union_u32
*)dst
)->u
= x
;
530 buf
[0] = (unsigned char)x
;
531 buf
[1] = (unsigned char)(x
>> 8);
532 buf
[2] = (unsigned char)(x
>> 16);
533 buf
[3] = (unsigned char)(x
>> 24);
538 br_enc32be(void *dst
, uint32_t x
)
541 ((br_union_u32
*)dst
)->u
= x
;
546 buf
[0] = (unsigned char)(x
>> 24);
547 buf
[1] = (unsigned char)(x
>> 16);
548 buf
[2] = (unsigned char)(x
>> 8);
549 buf
[3] = (unsigned char)x
;
553 static inline uint32_t
554 br_dec32le(const void *src
)
557 return ((const br_union_u32
*)src
)->u
;
559 const unsigned char *buf
;
562 return (uint32_t)buf
[0]
563 | ((uint32_t)buf
[1] << 8)
564 | ((uint32_t)buf
[2] << 16)
565 | ((uint32_t)buf
[3] << 24);
569 static inline uint32_t
570 br_dec32be(const void *src
)
573 return ((const br_union_u32
*)src
)->u
;
575 const unsigned char *buf
;
578 return ((uint32_t)buf
[0] << 24)
579 | ((uint32_t)buf
[1] << 16)
580 | ((uint32_t)buf
[2] << 8)
586 br_enc64le(void *dst
, uint64_t x
)
589 ((br_union_u64
*)dst
)->u
= x
;
594 br_enc32le(buf
, (uint32_t)x
);
595 br_enc32le(buf
+ 4, (uint32_t)(x
>> 32));
600 br_enc64be(void *dst
, uint64_t x
)
603 ((br_union_u64
*)dst
)->u
= x
;
608 br_enc32be(buf
, (uint32_t)(x
>> 32));
609 br_enc32be(buf
+ 4, (uint32_t)x
);
613 static inline uint64_t
614 br_dec64le(const void *src
)
617 return ((const br_union_u64
*)src
)->u
;
619 const unsigned char *buf
;
622 return (uint64_t)br_dec32le(buf
)
623 | ((uint64_t)br_dec32le(buf
+ 4) << 32);
627 static inline uint64_t
628 br_dec64be(const void *src
)
631 return ((const br_union_u64
*)src
)->u
;
633 const unsigned char *buf
;
636 return ((uint64_t)br_dec32be(buf
) << 32)
637 | (uint64_t)br_dec32be(buf
+ 4);
642 * Range decoding and encoding (for several successive values).
644 void br_range_dec16le(uint16_t *v
, size_t num
, const void *src
);
645 void br_range_dec16be(uint16_t *v
, size_t num
, const void *src
);
646 void br_range_enc16le(void *dst
, const uint16_t *v
, size_t num
);
647 void br_range_enc16be(void *dst
, const uint16_t *v
, size_t num
);
649 void br_range_dec32le(uint32_t *v
, size_t num
, const void *src
);
650 void br_range_dec32be(uint32_t *v
, size_t num
, const void *src
);
651 void br_range_enc32le(void *dst
, const uint32_t *v
, size_t num
);
652 void br_range_enc32be(void *dst
, const uint32_t *v
, size_t num
);
654 void br_range_dec64le(uint64_t *v
, size_t num
, const void *src
);
655 void br_range_dec64be(uint64_t *v
, size_t num
, const void *src
);
656 void br_range_enc64le(void *dst
, const uint64_t *v
, size_t num
);
657 void br_range_enc64be(void *dst
, const uint64_t *v
, size_t num
);
660 * Byte-swap a 32-bit integer.
662 static inline uint32_t
663 br_swap32(uint32_t x
)
665 x
= ((x
& (uint32_t)0x00FF00FF) << 8)
666 | ((x
>> 8) & (uint32_t)0x00FF00FF);
667 return (x
<< 16) | (x
>> 16);
670 /* ==================================================================== */
672 * Support code for hash functions.
676 * IV for MD5, SHA-1, SHA-224 and SHA-256.
678 extern const uint32_t br_md5_IV
[];
679 extern const uint32_t br_sha1_IV
[];
680 extern const uint32_t br_sha224_IV
[];
681 extern const uint32_t br_sha256_IV
[];
684 * Round functions for MD5, SHA-1, SHA-224 and SHA-256 (SHA-224 and
685 * SHA-256 use the same round function).
687 void br_md5_round(const unsigned char *buf
, uint32_t *val
);
688 void br_sha1_round(const unsigned char *buf
, uint32_t *val
);
689 void br_sha2small_round(const unsigned char *buf
, uint32_t *val
);
692 * The core function for the TLS PRF. It computes
693 * P_hash(secret, label + seed), and XORs the result into the dst buffer.
695 void br_tls_phash(void *dst
, size_t len
,
696 const br_hash_class
*dig
,
697 const void *secret
, size_t secret_len
, const char *label
,
698 size_t seed_num
, const br_tls_prf_seed_chunk
*seed
);
701 * Copy all configured hash implementations from a multihash context
705 br_multihash_copyimpl(br_multihash_context
*dst
,
706 const br_multihash_context
*src
)
708 memcpy((void *)dst
->impl
, src
->impl
, sizeof src
->impl
);
711 /* ==================================================================== */
713 * Constant-time primitives. These functions manipulate 32-bit values in
714 * order to provide constant-time comparisons and multiplexers.
716 * Boolean values (the "ctl" bits) MUST have value 0 or 1.
718 * Implementation notes:
719 * =====================
721 * The uintN_t types are unsigned and with width exactly N bits; the C
722 * standard guarantees that computations are performed modulo 2^N, and
723 * there can be no overflow. Negation (unary '-') works on unsigned types
726 * The intN_t types are guaranteed to have width exactly N bits, with no
727 * padding bit, and using two's complement representation. Casting
728 * intN_t to uintN_t really is conversion modulo 2^N. Beware that intN_t
729 * types, being signed, trigger implementation-defined behaviour on
730 * overflow (including raising some signal): with GCC, while modular
731 * arithmetics are usually applied, the optimizer may assume that
732 * overflows don't occur (unless the -fwrapv command-line option is
733 * added); Clang has the additional -ftrapv option to explicitly trap on
734 * integer overflow or underflow.
740 static inline uint32_t
747 * Multiplexer: returns x if ctl == 1, y if ctl == 0.
749 static inline uint32_t
750 MUX(uint32_t ctl
, uint32_t x
, uint32_t y
)
752 return y
^ (-ctl
& (x
^ y
));
756 * Equality check: returns 1 if x == y, 0 otherwise.
758 static inline uint32_t
759 EQ(uint32_t x
, uint32_t y
)
764 return NOT((q
| -q
) >> 31);
768 * Inequality check: returns 1 if x != y, 0 otherwise.
770 static inline uint32_t
771 NEQ(uint32_t x
, uint32_t y
)
776 return (q
| -q
) >> 31;
780 * Comparison: returns 1 if x > y, 0 otherwise.
782 static inline uint32_t
783 GT(uint32_t x
, uint32_t y
)
786 * If both x < 2^31 and x < 2^31, then y-x will have its high
787 * bit set if x > y, cleared otherwise.
789 * If either x >= 2^31 or y >= 2^31 (but not both), then the
790 * result is the high bit of x.
792 * If both x >= 2^31 and y >= 2^31, then we can virtually
793 * subtract 2^31 from both, and we are back to the first case.
794 * Since (y-2^31)-(x-2^31) = y-x, the subtraction is already
800 return (z
^ ((x
^ y
) & (x
^ z
))) >> 31;
804 * Other comparisons (greater-or-equal, lower-than, lower-or-equal).
806 #define GE(x, y) NOT(GT(y, x))
807 #define LT(x, y) GT(y, x)
808 #define LE(x, y) NOT(GT(x, y))
811 * General comparison: returned value is -1, 0 or 1, depending on
812 * whether x is lower than, equal to, or greater than y.
814 static inline int32_t
815 CMP(uint32_t x
, uint32_t y
)
817 return (int32_t)GT(x
, y
) | -(int32_t)GT(y
, x
);
821 * Returns 1 if x == 0, 0 otherwise. Take care that the operand is signed.
823 static inline uint32_t
829 return ~(q
| -q
) >> 31;
833 * Returns 1 if x > 0, 0 otherwise. Take care that the operand is signed.
835 static inline uint32_t
839 * High bit of -x is 0 if x == 0, but 1 if x > 0.
844 return (~q
& -q
) >> 31;
848 * Returns 1 if x >= 0, 0 otherwise. Take care that the operand is signed.
850 static inline uint32_t
853 return ~(uint32_t)x
>> 31;
857 * Returns 1 if x < 0, 0 otherwise. Take care that the operand is signed.
859 static inline uint32_t
862 return (uint32_t)x
>> 31;
866 * Returns 1 if x <= 0, 0 otherwise. Take care that the operand is signed.
868 static inline uint32_t
874 * ~-x has its high bit set if and only if -x is nonnegative (as
875 * a signed int), i.e. x is in the -(2^31-1) to 0 range. We must
876 * do an OR with x itself to account for x = -2^31.
879 return (q
| ~-q
) >> 31;
883 * Conditional copy: src[] is copied into dst[] if and only if ctl is 1.
884 * dst[] and src[] may overlap completely (but not partially).
886 void br_ccopy(uint32_t ctl
, void *dst
, const void *src
, size_t len
);
888 #define CCOPY br_ccopy
891 * Compute the bit length of a 32-bit integer. Returned value is between 0
892 * and 32 (inclusive).
894 static inline uint32_t
895 BIT_LENGTH(uint32_t x
)
900 c
= GT(x
, 0xFFFF); x
= MUX(c
, x
>> 16, x
); k
+= c
<< 4;
901 c
= GT(x
, 0x00FF); x
= MUX(c
, x
>> 8, x
); k
+= c
<< 3;
902 c
= GT(x
, 0x000F); x
= MUX(c
, x
>> 4, x
); k
+= c
<< 2;
903 c
= GT(x
, 0x0003); x
= MUX(c
, x
>> 2, x
); k
+= c
<< 1;
909 * Compute the minimum of x and y.
911 static inline uint32_t
912 MIN(uint32_t x
, uint32_t y
)
914 return MUX(GT(x
, y
), y
, x
);
918 * Compute the maximum of x and y.
920 static inline uint32_t
921 MAX(uint32_t x
, uint32_t y
)
923 return MUX(GT(x
, y
), x
, y
);
927 * Multiply two 32-bit integers, with a 64-bit result. This default
928 * implementation assumes that the basic multiplication operator
929 * yields constant-time code.
931 #define MUL(x, y) ((uint64_t)(x) * (uint64_t)(y))
936 * Alternate implementation of MUL31, that will be constant-time on some
937 * (old) platforms where the default MUL31 is not. Unfortunately, it is
938 * also substantially slower, and yields larger code, on more modern
939 * platforms, which is why it is deactivated by default.
941 * MUL31_lo() must do some extra work because on some platforms, the
942 * _signed_ multiplication may return early if the top bits are 1.
943 * Simply truncating (casting) the output of MUL31() would not be
944 * sufficient, because the compiler may notice that we keep only the low
945 * word, and then replace automatically the unsigned multiplication with
946 * a signed multiplication opcode.
948 #define MUL31(x, y) ((uint64_t)((x) | (uint32_t)0x80000000) \
949 * (uint64_t)((y) | (uint32_t)0x80000000) \
950 - ((uint64_t)(x) << 31) - ((uint64_t)(y) << 31) \
951 - ((uint64_t)1 << 62))
952 static inline uint32_t
953 MUL31_lo(uint32_t x
, uint32_t y
)
958 xl
= (x
& 0xFFFF) | (uint32_t)0x80000000;
959 xh
= (x
>> 16) | (uint32_t)0x80000000;
960 yl
= (y
& 0xFFFF) | (uint32_t)0x80000000;
961 yh
= (y
>> 16) | (uint32_t)0x80000000;
962 return (xl
* yl
+ ((xl
* yh
+ xh
* yl
) << 16)) & (uint32_t)0x7FFFFFFF;
968 * Multiply two 31-bit integers, with a 62-bit result. This default
969 * implementation assumes that the basic multiplication operator
970 * yields constant-time code.
971 * The MUL31_lo() macro returns only the low 31 bits of the product.
973 #define MUL31(x, y) ((uint64_t)(x) * (uint64_t)(y))
974 #define MUL31_lo(x, y) (((uint32_t)(x) * (uint32_t)(y)) & (uint32_t)0x7FFFFFFF)
979 * Multiply two words together; the sum of the lengths of the two
980 * operands must not exceed 31 (for instance, one operand may use 16
981 * bits if the other fits on 15). If BR_CT_MUL15 is non-zero, then the
982 * macro will contain some extra operations that help in making the
983 * operation constant-time on some platforms, where the basic 32-bit
984 * multiplication is not constant-time.
987 #define MUL15(x, y) (((uint32_t)(x) | (uint32_t)0x80000000) \
988 * ((uint32_t)(y) | (uint32_t)0x80000000) \
989 & (uint32_t)0x7FFFFFFF)
991 #define MUL15(x, y) ((uint32_t)(x) * (uint32_t)(y))
995 * Arithmetic right shift (sign bit is copied). What happens when
996 * right-shifting a negative value is _implementation-defined_, so it
997 * does not trigger undefined behaviour, but it is still up to each
998 * compiler to define (and document) what it does. Most/all compilers
999 * will do an arithmetic shift, the sign bit being used to fill the
1000 * holes; this is a native operation on the underlying CPU, and it would
1001 * make little sense for the compiler to do otherwise. GCC explicitly
1002 * documents that it follows that convention.
1004 * Still, if BR_NO_ARITH_SHIFT is defined (and non-zero), then an
1005 * alternate version will be used, that does not rely on such
1006 * implementation-defined behaviour. Unfortunately, it is also slower
1007 * and yields bigger code, which is why it is deactivated by default.
1009 #if BR_NO_ARITH_SHIFT
1010 #define ARSH(x, n) (((uint32_t)(x) >> (n)) \
1011 | ((-((uint32_t)(x) >> 31)) << (32 - (n))))
1013 #define ARSH(x, n) ((*(int32_t *)&(x)) >> (n))
1017 * Constant-time division. The dividend hi:lo is divided by the
1018 * divisor d; the quotient is returned and the remainder is written
1019 * in *r. If hi == d, then the quotient does not fit on 32 bits;
1020 * returned value is thus truncated. If hi > d, returned values are
1023 uint32_t br_divrem(uint32_t hi
, uint32_t lo
, uint32_t d
, uint32_t *r
);
1026 * Wrapper for br_divrem(); the remainder is returned, and the quotient
1029 static inline uint32_t
1030 br_rem(uint32_t hi
, uint32_t lo
, uint32_t d
)
1034 br_divrem(hi
, lo
, d
, &r
);
1039 * Wrapper for br_divrem(); the quotient is returned, and the remainder
1042 static inline uint32_t
1043 br_div(uint32_t hi
, uint32_t lo
, uint32_t d
)
1047 return br_divrem(hi
, lo
, d
, &r
);
1050 /* ==================================================================== */
1056 * The 'i32' functions implement computations on big integers using
1057 * an internal representation as an array of 32-bit integers. For
1059 * -- x[0] contains the "announced bit length" of the integer
1060 * -- x[1], x[2]... contain the value in little-endian order (x[1]
1061 * contains the least significant 32 bits)
1063 * Multiplications rely on the elementary 32x32->64 multiplication.
1065 * The announced bit length specifies the number of bits that are
1066 * significant in the subsequent 32-bit words. Unused bits in the
1067 * last (most significant) word are set to 0; subsequent words are
1068 * uninitialized and need not exist at all.
1070 * The execution time and memory access patterns of all computations
1071 * depend on the announced bit length, but not on the actual word
1072 * values. For modular integers, the announced bit length of any integer
1073 * modulo n is equal to the actual bit length of n; thus, computations
1074 * on modular integers are "constant-time" (only the modulus length may
1079 * Compute the actual bit length of an integer. The argument x should
1080 * point to the first (least significant) value word of the integer.
1081 * The len 'xlen' contains the number of 32-bit words to access.
1083 * CT: value or length of x does not leak.
1085 uint32_t br_i32_bit_length(uint32_t *x
, size_t xlen
);
1088 * Decode an integer from its big-endian unsigned representation. The
1089 * "true" bit length of the integer is computed, but all words of x[]
1090 * corresponding to the full 'len' bytes of the source are set.
1092 * CT: value or length of x does not leak.
1094 void br_i32_decode(uint32_t *x
, const void *src
, size_t len
);
1097 * Decode an integer from its big-endian unsigned representation. The
1098 * integer MUST be lower than m[]; the announced bit length written in
1099 * x[] will be equal to that of m[]. All 'len' bytes from the source are
1102 * Returned value is 1 if the decode value fits within the modulus, 0
1103 * otherwise. In the latter case, the x[] buffer will be set to 0 (but
1104 * still with the announced bit length of m[]).
1106 * CT: value or length of x does not leak. Memory access pattern depends
1107 * only of 'len' and the announced bit length of m. Whether x fits or
1108 * not does not leak either.
1110 uint32_t br_i32_decode_mod(uint32_t *x
,
1111 const void *src
, size_t len
, const uint32_t *m
);
1114 * Reduce an integer (a[]) modulo another (m[]). The result is written
1115 * in x[] and its announced bit length is set to be equal to that of m[].
1117 * x[] MUST be distinct from a[] and m[].
1119 * CT: only announced bit lengths leak, not values of x, a or m.
1121 void br_i32_reduce(uint32_t *x
, const uint32_t *a
, const uint32_t *m
);
1124 * Decode an integer from its big-endian unsigned representation, and
1125 * reduce it modulo the provided modulus m[]. The announced bit length
1126 * of the result is set to be equal to that of the modulus.
1128 * x[] MUST be distinct from m[].
1130 void br_i32_decode_reduce(uint32_t *x
,
1131 const void *src
, size_t len
, const uint32_t *m
);
1134 * Encode an integer into its big-endian unsigned representation. The
1135 * output length in bytes is provided (parameter 'len'); if the length
1136 * is too short then the integer is appropriately truncated; if it is
1137 * too long then the extra bytes are set to 0.
1139 void br_i32_encode(void *dst
, size_t len
, const uint32_t *x
);
1142 * Multiply x[] by 2^32 and then add integer z, modulo m[]. This
1143 * function assumes that x[] and m[] have the same announced bit
1144 * length, and the announced bit length of m[] matches its true
1147 * x[] and m[] MUST be distinct arrays.
1149 * CT: only the common announced bit length of x and m leaks, not
1150 * the values of x, z or m.
1152 void br_i32_muladd_small(uint32_t *x
, uint32_t z
, const uint32_t *m
);
1155 * Extract one word from an integer. The offset is counted in bits.
1156 * The word MUST entirely fit within the word elements corresponding
1157 * to the announced bit length of a[].
1159 static inline uint32_t
1160 br_i32_word(const uint32_t *a
, uint32_t off
)
1165 u
= (size_t)(off
>> 5) + 1;
1166 j
= (unsigned)off
& 31;
1170 return (a
[u
] >> j
) | (a
[u
+ 1] << (32 - j
));
1175 * Test whether an integer is zero.
1177 uint32_t br_i32_iszero(const uint32_t *x
);
1180 * Add b[] to a[] and return the carry (0 or 1). If ctl is 0, then a[]
1181 * is unmodified, but the carry is still computed and returned. The
1182 * arrays a[] and b[] MUST have the same announced bit length.
1184 * a[] and b[] MAY be the same array, but partial overlap is not allowed.
1186 uint32_t br_i32_add(uint32_t *a
, const uint32_t *b
, uint32_t ctl
);
1189 * Subtract b[] from a[] and return the carry (0 or 1). If ctl is 0,
1190 * then a[] is unmodified, but the carry is still computed and returned.
1191 * The arrays a[] and b[] MUST have the same announced bit length.
1193 * a[] and b[] MAY be the same array, but partial overlap is not allowed.
1195 uint32_t br_i32_sub(uint32_t *a
, const uint32_t *b
, uint32_t ctl
);
1198 * Compute d+a*b, result in d. The initial announced bit length of d[]
1199 * MUST match that of a[]. The d[] array MUST be large enough to
1200 * accommodate the full result, plus (possibly) an extra word. The
1201 * resulting announced bit length of d[] will be the sum of the announced
1202 * bit lengths of a[] and b[] (therefore, it may be larger than the actual
1203 * bit length of the numerical result).
1205 * a[] and b[] may be the same array. d[] must be disjoint from both a[]
1208 void br_i32_mulacc(uint32_t *d
, const uint32_t *a
, const uint32_t *b
);
1211 * Zeroize an integer. The announced bit length is set to the provided
1212 * value, and the corresponding words are set to 0.
1215 br_i32_zero(uint32_t *x
, uint32_t bit_len
)
1218 memset(x
, 0, ((bit_len
+ 31) >> 5) * sizeof *x
);
1222 * Compute -(1/x) mod 2^32. If x is even, then this function returns 0.
1224 uint32_t br_i32_ninv32(uint32_t x
);
1227 * Convert a modular integer to Montgomery representation. The integer x[]
1228 * MUST be lower than m[], but with the same announced bit length.
1230 void br_i32_to_monty(uint32_t *x
, const uint32_t *m
);
1233 * Convert a modular integer back from Montgomery representation. The
1234 * integer x[] MUST be lower than m[], but with the same announced bit
1235 * length. The "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is
1236 * the least significant value word of m[] (this works only if m[] is
1239 void br_i32_from_monty(uint32_t *x
, const uint32_t *m
, uint32_t m0i
);
1242 * Compute a modular Montgomery multiplication. d[] is filled with the
1243 * value of x*y/R modulo m[] (where R is the Montgomery factor). The
1244 * array d[] MUST be distinct from x[], y[] and m[]. x[] and y[] MUST be
1245 * numerically lower than m[]. x[] and y[] MAY be the same array. The
1246 * "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is the least
1247 * significant value word of m[] (this works only if m[] is an odd
1250 void br_i32_montymul(uint32_t *d
, const uint32_t *x
, const uint32_t *y
,
1251 const uint32_t *m
, uint32_t m0i
);
1254 * Compute a modular exponentiation. x[] MUST be an integer modulo m[]
1255 * (same announced bit length, lower value). m[] MUST be odd. The
1256 * exponent is in big-endian unsigned notation, over 'elen' bytes. The
1257 * "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is the least
1258 * significant value word of m[] (this works only if m[] is an odd
1259 * integer). The t1[] and t2[] parameters must be temporary arrays,
1260 * each large enough to accommodate an integer with the same size as m[].
1262 void br_i32_modpow(uint32_t *x
, const unsigned char *e
, size_t elen
,
1263 const uint32_t *m
, uint32_t m0i
, uint32_t *t1
, uint32_t *t2
);
1265 /* ==================================================================== */
1271 * The 'i31' functions implement computations on big integers using
1272 * an internal representation as an array of 32-bit integers. For
1274 * -- x[0] encodes the array length and the "announced bit length"
1275 * of the integer: namely, if the announced bit length is k,
1276 * then x[0] = ((k / 31) << 5) + (k % 31).
1277 * -- x[1], x[2]... contain the value in little-endian order, 31
1278 * bits per word (x[1] contains the least significant 31 bits).
1279 * The upper bit of each word is 0.
1281 * Multiplications rely on the elementary 32x32->64 multiplication.
1283 * The announced bit length specifies the number of bits that are
1284 * significant in the subsequent 32-bit words. Unused bits in the
1285 * last (most significant) word are set to 0; subsequent words are
1286 * uninitialized and need not exist at all.
1288 * The execution time and memory access patterns of all computations
1289 * depend on the announced bit length, but not on the actual word
1290 * values. For modular integers, the announced bit length of any integer
1291 * modulo n is equal to the actual bit length of n; thus, computations
1292 * on modular integers are "constant-time" (only the modulus length may
1297 * Test whether an integer is zero.
1299 uint32_t br_i31_iszero(const uint32_t *x
);
1302 * Add b[] to a[] and return the carry (0 or 1). If ctl is 0, then a[]
1303 * is unmodified, but the carry is still computed and returned. The
1304 * arrays a[] and b[] MUST have the same announced bit length.
1306 * a[] and b[] MAY be the same array, but partial overlap is not allowed.
1308 uint32_t br_i31_add(uint32_t *a
, const uint32_t *b
, uint32_t ctl
);
1311 * Subtract b[] from a[] and return the carry (0 or 1). If ctl is 0,
1312 * then a[] is unmodified, but the carry is still computed and returned.
1313 * The arrays a[] and b[] MUST have the same announced bit length.
1315 * a[] and b[] MAY be the same array, but partial overlap is not allowed.
1317 uint32_t br_i31_sub(uint32_t *a
, const uint32_t *b
, uint32_t ctl
);
1320 * Compute the ENCODED actual bit length of an integer. The argument x
1321 * should point to the first (least significant) value word of the
1322 * integer. The len 'xlen' contains the number of 32-bit words to
1323 * access. The upper bit of each value word MUST be 0.
1324 * Returned value is ((k / 31) << 5) + (k % 31) if the bit length is k.
1326 * CT: value or length of x does not leak.
1328 uint32_t br_i31_bit_length(uint32_t *x
, size_t xlen
);
1331 * Decode an integer from its big-endian unsigned representation. The
1332 * "true" bit length of the integer is computed and set in the encoded
1333 * announced bit length (x[0]), but all words of x[] corresponding to
1334 * the full 'len' bytes of the source are set.
1336 * CT: value or length of x does not leak.
1338 void br_i31_decode(uint32_t *x
, const void *src
, size_t len
);
1341 * Decode an integer from its big-endian unsigned representation. The
1342 * integer MUST be lower than m[]; the (encoded) announced bit length
1343 * written in x[] will be equal to that of m[]. All 'len' bytes from the
1346 * Returned value is 1 if the decode value fits within the modulus, 0
1347 * otherwise. In the latter case, the x[] buffer will be set to 0 (but
1348 * still with the announced bit length of m[]).
1350 * CT: value or length of x does not leak. Memory access pattern depends
1351 * only of 'len' and the announced bit length of m. Whether x fits or
1352 * not does not leak either.
1354 uint32_t br_i31_decode_mod(uint32_t *x
,
1355 const void *src
, size_t len
, const uint32_t *m
);
1358 * Zeroize an integer. The announced bit length is set to the provided
1359 * value, and the corresponding words are set to 0. The ENCODED bit length
1363 br_i31_zero(uint32_t *x
, uint32_t bit_len
)
1366 memset(x
, 0, ((bit_len
+ 31) >> 5) * sizeof *x
);
1370 * Right-shift an integer. The shift amount must be lower than 31
1373 void br_i31_rshift(uint32_t *x
, int count
);
1376 * Reduce an integer (a[]) modulo another (m[]). The result is written
1377 * in x[] and its announced bit length is set to be equal to that of m[].
1379 * x[] MUST be distinct from a[] and m[].
1381 * CT: only announced bit lengths leak, not values of x, a or m.
1383 void br_i31_reduce(uint32_t *x
, const uint32_t *a
, const uint32_t *m
);
1386 * Decode an integer from its big-endian unsigned representation, and
1387 * reduce it modulo the provided modulus m[]. The announced bit length
1388 * of the result is set to be equal to that of the modulus.
1390 * x[] MUST be distinct from m[].
1392 void br_i31_decode_reduce(uint32_t *x
,
1393 const void *src
, size_t len
, const uint32_t *m
);
1396 * Multiply x[] by 2^31 and then add integer z, modulo m[]. This
1397 * function assumes that x[] and m[] have the same announced bit
1398 * length, the announced bit length of m[] matches its true
1401 * x[] and m[] MUST be distinct arrays. z MUST fit in 31 bits (upper
1404 * CT: only the common announced bit length of x and m leaks, not
1405 * the values of x, z or m.
1407 void br_i31_muladd_small(uint32_t *x
, uint32_t z
, const uint32_t *m
);
1410 * Encode an integer into its big-endian unsigned representation. The
1411 * output length in bytes is provided (parameter 'len'); if the length
1412 * is too short then the integer is appropriately truncated; if it is
1413 * too long then the extra bytes are set to 0.
1415 void br_i31_encode(void *dst
, size_t len
, const uint32_t *x
);
1418 * Compute -(1/x) mod 2^31. If x is even, then this function returns 0.
1420 uint32_t br_i31_ninv31(uint32_t x
);
1423 * Compute a modular Montgomery multiplication. d[] is filled with the
1424 * value of x*y/R modulo m[] (where R is the Montgomery factor). The
1425 * array d[] MUST be distinct from x[], y[] and m[]. x[] and y[] MUST be
1426 * numerically lower than m[]. x[] and y[] MAY be the same array. The
1427 * "m0i" parameter is equal to -(1/m0) mod 2^31, where m0 is the least
1428 * significant value word of m[] (this works only if m[] is an odd
1431 void br_i31_montymul(uint32_t *d
, const uint32_t *x
, const uint32_t *y
,
1432 const uint32_t *m
, uint32_t m0i
);
1435 * Convert a modular integer to Montgomery representation. The integer x[]
1436 * MUST be lower than m[], but with the same announced bit length.
1438 void br_i31_to_monty(uint32_t *x
, const uint32_t *m
);
1441 * Convert a modular integer back from Montgomery representation. The
1442 * integer x[] MUST be lower than m[], but with the same announced bit
1443 * length. The "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is
1444 * the least significant value word of m[] (this works only if m[] is
1447 void br_i31_from_monty(uint32_t *x
, const uint32_t *m
, uint32_t m0i
);
1450 * Compute a modular exponentiation. x[] MUST be an integer modulo m[]
1451 * (same announced bit length, lower value). m[] MUST be odd. The
1452 * exponent is in big-endian unsigned notation, over 'elen' bytes. The
1453 * "m0i" parameter is equal to -(1/m0) mod 2^31, where m0 is the least
1454 * significant value word of m[] (this works only if m[] is an odd
1455 * integer). The t1[] and t2[] parameters must be temporary arrays,
1456 * each large enough to accommodate an integer with the same size as m[].
1458 void br_i31_modpow(uint32_t *x
, const unsigned char *e
, size_t elen
,
1459 const uint32_t *m
, uint32_t m0i
, uint32_t *t1
, uint32_t *t2
);
1462 * Compute a modular exponentiation. x[] MUST be an integer modulo m[]
1463 * (same announced bit length, lower value). m[] MUST be odd. The
1464 * exponent is in big-endian unsigned notation, over 'elen' bytes. The
1465 * "m0i" parameter is equal to -(1/m0) mod 2^31, where m0 is the least
1466 * significant value word of m[] (this works only if m[] is an odd
1467 * integer). The tmp[] array is used for temporaries, and has size
1468 * 'twlen' words; it must be large enough to accommodate at least two
1469 * temporary values with the same size as m[] (including the leading
1470 * "bit length" word). If there is room for more temporaries, then this
1471 * function may use the extra room for window-based optimisation,
1472 * resulting in faster computations.
1474 * Returned value is 1 on success, 0 on error. An error is reported if
1475 * the provided tmp[] array is too short.
1477 uint32_t br_i31_modpow_opt(uint32_t *x
, const unsigned char *e
, size_t elen
,
1478 const uint32_t *m
, uint32_t m0i
, uint32_t *tmp
, size_t twlen
);
1481 * Compute d+a*b, result in d. The initial announced bit length of d[]
1482 * MUST match that of a[]. The d[] array MUST be large enough to
1483 * accommodate the full result, plus (possibly) an extra word. The
1484 * resulting announced bit length of d[] will be the sum of the announced
1485 * bit lengths of a[] and b[] (therefore, it may be larger than the actual
1486 * bit length of the numerical result).
1488 * a[] and b[] may be the same array. d[] must be disjoint from both a[]
1491 void br_i31_mulacc(uint32_t *d
, const uint32_t *a
, const uint32_t *b
);
1494 * Compute x/y mod m, result in x. Values x and y must be between 0 and
1495 * m-1, and have the same announced bit length as m. Modulus m must be
1496 * odd. The "m0i" parameter is equal to -1/m mod 2^31. The array 't'
1497 * must point to a temporary area that can hold at least three integers
1500 * m may not overlap x and y. x and y may overlap each other (this can
1501 * be useful to test whether a value is invertible modulo m). t must be
1502 * disjoint from all other arrays.
1504 * Returned value is 1 on success, 0 otherwise. Success is attained if
1505 * y is invertible modulo m.
1507 uint32_t br_i31_moddiv(uint32_t *x
, const uint32_t *y
,
1508 const uint32_t *m
, uint32_t m0i
, uint32_t *t
);
1510 /* ==================================================================== */
1513 * FIXME: document "i15" functions.
1517 br_i15_zero(uint16_t *x
, uint16_t bit_len
)
1520 memset(x
, 0, ((bit_len
+ 15) >> 4) * sizeof *x
);
1523 uint32_t br_i15_iszero(const uint16_t *x
);
1525 uint16_t br_i15_ninv15(uint16_t x
);
1527 uint32_t br_i15_add(uint16_t *a
, const uint16_t *b
, uint32_t ctl
);
1529 uint32_t br_i15_sub(uint16_t *a
, const uint16_t *b
, uint32_t ctl
);
1531 void br_i15_muladd_small(uint16_t *x
, uint16_t z
, const uint16_t *m
);
1533 void br_i15_montymul(uint16_t *d
, const uint16_t *x
, const uint16_t *y
,
1534 const uint16_t *m
, uint16_t m0i
);
1536 void br_i15_to_monty(uint16_t *x
, const uint16_t *m
);
1538 void br_i15_modpow(uint16_t *x
, const unsigned char *e
, size_t elen
,
1539 const uint16_t *m
, uint16_t m0i
, uint16_t *t1
, uint16_t *t2
);
1541 uint32_t br_i15_modpow_opt(uint16_t *x
, const unsigned char *e
, size_t elen
,
1542 const uint16_t *m
, uint16_t m0i
, uint16_t *tmp
, size_t twlen
);
1544 void br_i15_encode(void *dst
, size_t len
, const uint16_t *x
);
1546 uint32_t br_i15_decode_mod(uint16_t *x
,
1547 const void *src
, size_t len
, const uint16_t *m
);
1549 void br_i15_rshift(uint16_t *x
, int count
);
1551 uint32_t br_i15_bit_length(uint16_t *x
, size_t xlen
);
1553 void br_i15_decode(uint16_t *x
, const void *src
, size_t len
);
1555 void br_i15_from_monty(uint16_t *x
, const uint16_t *m
, uint16_t m0i
);
1557 void br_i15_decode_reduce(uint16_t *x
,
1558 const void *src
, size_t len
, const uint16_t *m
);
1560 void br_i15_reduce(uint16_t *x
, const uint16_t *a
, const uint16_t *m
);
1562 void br_i15_mulacc(uint16_t *d
, const uint16_t *a
, const uint16_t *b
);
1564 uint32_t br_i15_moddiv(uint16_t *x
, const uint16_t *y
,
1565 const uint16_t *m
, uint16_t m0i
, uint16_t *t
);
1568 * Variant of br_i31_modpow_opt() that internally uses 64x64->128
1569 * multiplications. It expects the same parameters as br_i31_modpow_opt(),
1570 * except that the temporaries should be 64-bit integers, not 32-bit
1573 uint32_t br_i62_modpow_opt(uint32_t *x31
, const unsigned char *e
, size_t elen
,
1574 const uint32_t *m31
, uint32_t m0i31
, uint64_t *tmp
, size_t twlen
);
1577 * Type for a function with the same API as br_i31_modpow_opt() (some
1578 * implementations of this type may have stricter alignment requirements
1579 * on the temporaries).
1581 typedef uint32_t (*br_i31_modpow_opt_type
)(uint32_t *x
,
1582 const unsigned char *e
, size_t elen
,
1583 const uint32_t *m
, uint32_t m0i
, uint32_t *tmp
, size_t twlen
);
1586 * Wrapper for br_i62_modpow_opt() that uses the same type as
1587 * br_i31_modpow_opt(); however, it requires its 'tmp' argument to the
1590 uint32_t br_i62_modpow_opt_as_i31(uint32_t *x
,
1591 const unsigned char *e
, size_t elen
,
1592 const uint32_t *m
, uint32_t m0i
, uint32_t *tmp
, size_t twlen
);
1594 /* ==================================================================== */
1596 static inline size_t
1597 br_digest_size(const br_hash_class
*digest_class
)
1599 return (size_t)(digest_class
->desc
>> BR_HASHDESC_OUT_OFF
)
1600 & BR_HASHDESC_OUT_MASK
;
1604 * Get the output size (in bytes) of a hash function.
1606 size_t br_digest_size_by_ID(int digest_id
);
1609 * Get the OID (encoded OBJECT IDENTIFIER value, without tag and length)
1610 * for a hash function. If digest_id is not a supported digest identifier
1611 * (in particular if it is equal to 0, i.e. br_md5sha1_ID), then NULL is
1612 * returned and *len is set to 0.
1614 const unsigned char *br_digest_OID(int digest_id
, size_t *len
);
1616 /* ==================================================================== */
1618 * DES support functions.
1622 * Apply DES Initial Permutation.
1624 void br_des_do_IP(uint32_t *xl
, uint32_t *xr
);
1627 * Apply DES Final Permutation (inverse of IP).
1629 void br_des_do_invIP(uint32_t *xl
, uint32_t *xr
);
1632 * Key schedule unit: for a DES key (8 bytes), compute 16 subkeys. Each
1633 * subkey is two 28-bit words represented as two 32-bit words; the PC-2
1634 * bit extration is NOT applied.
1636 void br_des_keysched_unit(uint32_t *skey
, const void *key
);
1639 * Reversal of 16 DES sub-keys (for decryption).
1641 void br_des_rev_skey(uint32_t *skey
);
1644 * DES/3DES key schedule for 'des_tab' (encryption direction). Returned
1645 * value is the number of rounds.
1647 unsigned br_des_tab_keysched(uint32_t *skey
, const void *key
, size_t key_len
);
1650 * DES/3DES key schedule for 'des_ct' (encryption direction). Returned
1651 * value is the number of rounds.
1653 unsigned br_des_ct_keysched(uint32_t *skey
, const void *key
, size_t key_len
);
1656 * DES/3DES subkey decompression (from the compressed bitsliced subkeys).
1658 void br_des_ct_skey_expand(uint32_t *sk_exp
,
1659 unsigned num_rounds
, const uint32_t *skey
);
1662 * DES/3DES block encryption/decryption ('des_tab').
1664 void br_des_tab_process_block(unsigned num_rounds
,
1665 const uint32_t *skey
, void *block
);
1668 * DES/3DES block encryption/decryption ('des_ct').
1670 void br_des_ct_process_block(unsigned num_rounds
,
1671 const uint32_t *skey
, void *block
);
1673 /* ==================================================================== */
1675 * AES support functions.
1679 * The AES S-box (256-byte table).
1681 extern const unsigned char br_aes_S
[];
1684 * AES key schedule. skey[] is filled with n+1 128-bit subkeys, where n
1685 * is the number of rounds (10 to 14, depending on key size). The number
1686 * of rounds is returned. If the key size is invalid (not 16, 24 or 32),
1687 * then 0 is returned.
1689 * This implementation uses a 256-byte table and is NOT constant-time.
1691 unsigned br_aes_keysched(uint32_t *skey
, const void *key
, size_t key_len
);
1694 * AES key schedule for decryption ('aes_big' implementation).
1696 unsigned br_aes_big_keysched_inv(uint32_t *skey
,
1697 const void *key
, size_t key_len
);
1700 * AES block encryption with the 'aes_big' implementation (fast, but
1701 * not constant-time). This function encrypts a single block "in place".
1703 void br_aes_big_encrypt(unsigned num_rounds
, const uint32_t *skey
, void *data
);
1706 * AES block decryption with the 'aes_big' implementation (fast, but
1707 * not constant-time). This function decrypts a single block "in place".
1709 void br_aes_big_decrypt(unsigned num_rounds
, const uint32_t *skey
, void *data
);
1712 * AES block encryption with the 'aes_small' implementation (small, but
1713 * slow and not constant-time). This function encrypts a single block
1716 void br_aes_small_encrypt(unsigned num_rounds
,
1717 const uint32_t *skey
, void *data
);
1720 * AES block decryption with the 'aes_small' implementation (small, but
1721 * slow and not constant-time). This function decrypts a single block
1724 void br_aes_small_decrypt(unsigned num_rounds
,
1725 const uint32_t *skey
, void *data
);
1728 * The constant-time implementation is "bitsliced": the 128-bit state is
1729 * split over eight 32-bit words q* in the following way:
1731 * -- Input block consists in 16 bytes:
1732 * a00 a10 a20 a30 a01 a11 a21 a31 a02 a12 a22 a32 a03 a13 a23 a33
1733 * In the terminology of FIPS 197, this is a 4x4 matrix which is read
1736 * -- Each byte is split into eight bits which are distributed over the
1737 * eight words, at the same rank. Thus, for a byte x at rank k, bit 0
1738 * (least significant) of x will be at rank k in q0 (if that bit is b,
1739 * then it contributes "b << k" to the value of q0), bit 1 of x will be
1740 * at rank k in q1, and so on.
1742 * -- Ranks given to bits are in "row order" and are either all even, or
1743 * all odd. Two independent AES states are thus interleaved, one using
1744 * the even ranks, the other the odd ranks. Row order means:
1745 * a00 a01 a02 a03 a10 a11 a12 a13 a20 a21 a22 a23 a30 a31 a32 a33
1747 * Converting input bytes from two AES blocks to bitslice representation
1748 * is done in the following way:
1749 * -- Decode first block into the four words q0 q2 q4 q6, in that order,
1750 * using little-endian convention.
1751 * -- Decode second block into the four words q1 q3 q5 q7, in that order,
1752 * using little-endian convention.
1753 * -- Call br_aes_ct_ortho().
1755 * Converting back to bytes is done by using the reverse operations. Note
1756 * that br_aes_ct_ortho() is its own inverse.
1760 * Perform bytewise orthogonalization of eight 32-bit words. Bytes
1761 * of q0..q7 are spread over all words: for a byte x that occurs
1762 * at rank i in q[j] (byte x uses bits 8*i to 8*i+7 in q[j]), the bit
1763 * of rank k in x (0 <= k <= 7) goes to q[k] at rank 8*i+j.
1765 * This operation is an involution.
1767 void br_aes_ct_ortho(uint32_t *q
);
1770 * The AES S-box, as a bitsliced constant-time version. The input array
1771 * consists in eight 32-bit words; 32 S-box instances are computed in
1772 * parallel. Bits 0 to 7 of each S-box input (bit 0 is least significant)
1773 * are spread over the words 0 to 7, at the same rank.
1775 void br_aes_ct_bitslice_Sbox(uint32_t *q
);
1778 * Like br_aes_bitslice_Sbox(), but for the inverse S-box.
1780 void br_aes_ct_bitslice_invSbox(uint32_t *q
);
1783 * Compute AES encryption on bitsliced data. Since input is stored on
1784 * eight 32-bit words, two block encryptions are actually performed
1787 void br_aes_ct_bitslice_encrypt(unsigned num_rounds
,
1788 const uint32_t *skey
, uint32_t *q
);
1791 * Compute AES decryption on bitsliced data. Since input is stored on
1792 * eight 32-bit words, two block decryptions are actually performed
1795 void br_aes_ct_bitslice_decrypt(unsigned num_rounds
,
1796 const uint32_t *skey
, uint32_t *q
);
1799 * AES key schedule, constant-time version. skey[] is filled with n+1
1800 * 128-bit subkeys, where n is the number of rounds (10 to 14, depending
1801 * on key size). The number of rounds is returned. If the key size is
1802 * invalid (not 16, 24 or 32), then 0 is returned.
1804 unsigned br_aes_ct_keysched(uint32_t *comp_skey
,
1805 const void *key
, size_t key_len
);
1808 * Expand AES subkeys as produced by br_aes_ct_keysched(), into
1809 * a larger array suitable for br_aes_ct_bitslice_encrypt() and
1810 * br_aes_ct_bitslice_decrypt().
1812 void br_aes_ct_skey_expand(uint32_t *skey
,
1813 unsigned num_rounds
, const uint32_t *comp_skey
);
1816 * For the ct64 implementation, the same bitslicing technique is used,
1817 * but four instances are interleaved. First instance uses bits 0, 4,
1818 * 8, 12,... of each word; second instance uses bits 1, 5, 9, 13,...
1823 * Perform bytewise orthogonalization of eight 64-bit words. Bytes
1824 * of q0..q7 are spread over all words: for a byte x that occurs
1825 * at rank i in q[j] (byte x uses bits 8*i to 8*i+7 in q[j]), the bit
1826 * of rank k in x (0 <= k <= 7) goes to q[k] at rank 8*i+j.
1828 * This operation is an involution.
1830 void br_aes_ct64_ortho(uint64_t *q
);
1833 * Interleave bytes for an AES input block. If input bytes are
1834 * denoted 0123456789ABCDEF, and have been decoded with little-endian
1835 * convention (w[0] contains 0123, with '3' being most significant;
1836 * w[1] contains 4567, and so on), then output word q0 will be
1837 * set to 08192A3B (again little-endian convention) and q1 will
1838 * be set to 4C5D6E7F.
1840 void br_aes_ct64_interleave_in(uint64_t *q0
, uint64_t *q1
, const uint32_t *w
);
1843 * Perform the opposite of br_aes_ct64_interleave_in().
1845 void br_aes_ct64_interleave_out(uint32_t *w
, uint64_t q0
, uint64_t q1
);
1848 * The AES S-box, as a bitsliced constant-time version. The input array
1849 * consists in eight 64-bit words; 64 S-box instances are computed in
1850 * parallel. Bits 0 to 7 of each S-box input (bit 0 is least significant)
1851 * are spread over the words 0 to 7, at the same rank.
1853 void br_aes_ct64_bitslice_Sbox(uint64_t *q
);
1856 * Like br_aes_bitslice_Sbox(), but for the inverse S-box.
1858 void br_aes_ct64_bitslice_invSbox(uint64_t *q
);
1861 * Compute AES encryption on bitsliced data. Since input is stored on
1862 * eight 64-bit words, four block encryptions are actually performed
1865 void br_aes_ct64_bitslice_encrypt(unsigned num_rounds
,
1866 const uint64_t *skey
, uint64_t *q
);
1869 * Compute AES decryption on bitsliced data. Since input is stored on
1870 * eight 64-bit words, four block decryptions are actually performed
1873 void br_aes_ct64_bitslice_decrypt(unsigned num_rounds
,
1874 const uint64_t *skey
, uint64_t *q
);
1877 * AES key schedule, constant-time version. skey[] is filled with n+1
1878 * 128-bit subkeys, where n is the number of rounds (10 to 14, depending
1879 * on key size). The number of rounds is returned. If the key size is
1880 * invalid (not 16, 24 or 32), then 0 is returned.
1882 unsigned br_aes_ct64_keysched(uint64_t *comp_skey
,
1883 const void *key
, size_t key_len
);
1886 * Expand AES subkeys as produced by br_aes_ct64_keysched(), into
1887 * a larger array suitable for br_aes_ct64_bitslice_encrypt() and
1888 * br_aes_ct64_bitslice_decrypt().
1890 void br_aes_ct64_skey_expand(uint64_t *skey
,
1891 unsigned num_rounds
, const uint64_t *comp_skey
);
1894 * Test support for AES-NI opcodes.
1896 int br_aes_x86ni_supported(void);
1899 * AES key schedule, using x86 AES-NI instructions. This yields the
1900 * subkeys in the encryption direction. Number of rounds is returned.
1901 * Key size MUST be 16, 24 or 32 bytes; otherwise, 0 is returned.
1903 unsigned br_aes_x86ni_keysched_enc(unsigned char *skni
,
1904 const void *key
, size_t len
);
1907 * AES key schedule, using x86 AES-NI instructions. This yields the
1908 * subkeys in the decryption direction. Number of rounds is returned.
1909 * Key size MUST be 16, 24 or 32 bytes; otherwise, 0 is returned.
1911 unsigned br_aes_x86ni_keysched_dec(unsigned char *skni
,
1912 const void *key
, size_t len
);
1915 * Test support for AES POWER8 opcodes.
1917 int br_aes_pwr8_supported(void);
1920 * AES key schedule, using POWER8 instructions. This yields the
1921 * subkeys in the encryption direction. Number of rounds is returned.
1922 * Key size MUST be 16, 24 or 32 bytes; otherwise, 0 is returned.
1924 unsigned br_aes_pwr8_keysched(unsigned char *skni
,
1925 const void *key
, size_t len
);
1927 /* ==================================================================== */
1933 * Apply proper PKCS#1 v1.5 padding (for signatures). 'hash_oid' is
1934 * the encoded hash function OID, or NULL.
1936 uint32_t br_rsa_pkcs1_sig_pad(const unsigned char *hash_oid
,
1937 const unsigned char *hash
, size_t hash_len
,
1938 uint32_t n_bitlen
, unsigned char *x
);
1941 * Check PKCS#1 v1.5 padding (for signatures). 'hash_oid' is the encoded
1942 * hash function OID, or NULL. The provided 'sig' value is _after_ the
1943 * modular exponentiation, i.e. it should be the padded hash. On
1944 * success, the hashed message is extracted.
1946 uint32_t br_rsa_pkcs1_sig_unpad(const unsigned char *sig
, size_t sig_len
,
1947 const unsigned char *hash_oid
, size_t hash_len
,
1948 unsigned char *hash_out
);
1951 * Apply proper PSS padding. The 'x' buffer is output only: it
1952 * receives the value that is to be exponentiated.
1954 uint32_t br_rsa_pss_sig_pad(const br_prng_class
**rng
,
1955 const br_hash_class
*hf_data
, const br_hash_class
*hf_mgf1
,
1956 const unsigned char *hash
, size_t salt_len
,
1957 uint32_t n_bitlen
, unsigned char *x
);
1960 * Check PSS padding. The provided value is the one _after_
1961 * the modular exponentiation; it is modified by this function.
1962 * This function infers the signature length from the public key
1963 * size, i.e. it assumes that this has already been verified (as
1964 * part of the exponentiation).
1966 uint32_t br_rsa_pss_sig_unpad(
1967 const br_hash_class
*hf_data
, const br_hash_class
*hf_mgf1
,
1968 const unsigned char *hash
, size_t salt_len
,
1969 const br_rsa_public_key
*pk
, unsigned char *x
);
1972 * Apply OAEP padding. Returned value is the actual padded string length,
1975 size_t br_rsa_oaep_pad(const br_prng_class
**rnd
, const br_hash_class
*dig
,
1976 const void *label
, size_t label_len
, const br_rsa_public_key
*pk
,
1977 void *dst
, size_t dst_nax_len
, const void *src
, size_t src_len
);
1980 * Unravel and check OAEP padding. If the padding is correct, then 1 is
1981 * returned, '*len' is adjusted to the length of the message, and the
1982 * data is moved to the start of the 'data' buffer. If the padding is
1983 * incorrect, then 0 is returned and '*len' is untouched. Either way,
1984 * the complete buffer contents are altered.
1986 uint32_t br_rsa_oaep_unpad(const br_hash_class
*dig
,
1987 const void *label
, size_t label_len
, void *data
, size_t *len
);
1990 * Compute MGF1 for a given seed, and XOR the output into the provided
1993 void br_mgf1_xor(void *data
, size_t len
,
1994 const br_hash_class
*dig
, const void *seed
, size_t seed_len
);
1997 * Inner function for RSA key generation; used by the "i31" and "i62"
2000 uint32_t br_rsa_i31_keygen_inner(const br_prng_class
**rng
,
2001 br_rsa_private_key
*sk
, void *kbuf_priv
,
2002 br_rsa_public_key
*pk
, void *kbuf_pub
,
2003 unsigned size
, uint32_t pubexp
, br_i31_modpow_opt_type mp31
);
2005 /* ==================================================================== */
2011 * Type for generic EC parameters: curve order (unsigned big-endian
2012 * encoding) and encoded conventional generator.
2016 const unsigned char *order
;
2018 const unsigned char *generator
;
2019 size_t generator_len
;
2022 extern const br_ec_curve_def br_secp256r1
;
2023 extern const br_ec_curve_def br_secp384r1
;
2024 extern const br_ec_curve_def br_secp521r1
;
2027 * For Curve25519, the advertised "order" really is 2^255-1, since the
2028 * point multipliction function really works over arbitrary 255-bit
2029 * scalars. This value is only meant as a hint for ECDH key generation;
2030 * only ECDSA uses the exact curve order, and ECDSA is not used with
2031 * that specific curve.
2033 extern const br_ec_curve_def br_curve25519
;
2036 * Decode some bytes as an i31 integer, with truncation (corresponding
2037 * to the 'bits2int' operation in RFC 6979). The target ENCODED bit
2038 * length is provided as last parameter. The resulting value will have
2039 * this declared bit length, and consists the big-endian unsigned decoding
2040 * of exactly that many bits in the source (capped at the source length).
2042 void br_ecdsa_i31_bits2int(uint32_t *x
,
2043 const void *src
, size_t len
, uint32_t ebitlen
);
2046 * Decode some bytes as an i15 integer, with truncation (corresponding
2047 * to the 'bits2int' operation in RFC 6979). The target ENCODED bit
2048 * length is provided as last parameter. The resulting value will have
2049 * this declared bit length, and consists the big-endian unsigned decoding
2050 * of exactly that many bits in the source (capped at the source length).
2052 void br_ecdsa_i15_bits2int(uint16_t *x
,
2053 const void *src
, size_t len
, uint32_t ebitlen
);
2055 /* ==================================================================== */
2057 * ASN.1 support functions.
2061 * A br_asn1_uint structure contains encoding information about an
2062 * INTEGER nonnegative value: pointer to the integer contents (unsigned
2063 * big-endian representation), length of the integer contents,
2064 * and length of the encoded value. The data shall have minimal length:
2065 * - If the integer value is zero, then 'len' must be zero.
2066 * - If the integer value is not zero, then data[0] must be non-zero.
2068 * Under these conditions, 'asn1len' is necessarily equal to either len
2072 const unsigned char *data
;
2078 * Given an encoded integer (unsigned big-endian, with possible leading
2079 * bytes of value 0), returned the "prepared INTEGER" structure.
2081 br_asn1_uint
br_asn1_uint_prepare(const void *xdata
, size_t xlen
);
2084 * Encode an ASN.1 length. The length of the encoded length is returned.
2085 * If 'dest' is NULL, then no encoding is performed, but the length of
2086 * the encoded length is still computed and returned.
2088 size_t br_asn1_encode_length(void *dest
, size_t len
);
2091 * Convenient macro for computing lengths of lengths.
2093 #define len_of_len(len) br_asn1_encode_length(NULL, len)
2096 * Encode a (prepared) ASN.1 INTEGER. The encoded length is returned.
2097 * If 'dest' is NULL, then no encoding is performed, but the length of
2098 * the encoded integer is still computed and returned.
2100 size_t br_asn1_encode_uint(void *dest
, br_asn1_uint pp
);
2103 * Get the OID that identifies an elliptic curve. Returned value is
2104 * the DER-encoded OID, with the length (always one byte) but without
2105 * the tag. Thus, the first byte of the returned buffer contains the
2106 * number of subsequent bytes in the value. If the curve is not
2107 * recognised, NULL is returned.
2109 const unsigned char *br_get_curve_OID(int curve
);
2112 * Inner function for EC private key encoding. This is equivalent to
2113 * the API function br_encode_ec_raw_der(), except for an extra
2114 * parameter: if 'include_curve_oid' is zero, then the curve OID is
2115 * _not_ included in the output blob (this is for PKCS#8 support).
2117 size_t br_encode_ec_raw_der_inner(void *dest
,
2118 const br_ec_private_key
*sk
, const br_ec_public_key
*pk
,
2119 int include_curve_oid
);
2121 /* ==================================================================== */
2123 * SSL/TLS support functions.
2129 #define BR_SSL_CHANGE_CIPHER_SPEC 20
2130 #define BR_SSL_ALERT 21
2131 #define BR_SSL_HANDSHAKE 22
2132 #define BR_SSL_APPLICATION_DATA 23
2135 * Handshake message types.
2137 #define BR_SSL_HELLO_REQUEST 0
2138 #define BR_SSL_CLIENT_HELLO 1
2139 #define BR_SSL_SERVER_HELLO 2
2140 #define BR_SSL_CERTIFICATE 11
2141 #define BR_SSL_SERVER_KEY_EXCHANGE 12
2142 #define BR_SSL_CERTIFICATE_REQUEST 13
2143 #define BR_SSL_SERVER_HELLO_DONE 14
2144 #define BR_SSL_CERTIFICATE_VERIFY 15
2145 #define BR_SSL_CLIENT_KEY_EXCHANGE 16
2146 #define BR_SSL_FINISHED 20
2151 #define BR_LEVEL_WARNING 1
2152 #define BR_LEVEL_FATAL 2
2155 * Low-level I/O state.
2157 #define BR_IO_FAILED 0
2160 #define BR_IO_INOUT 3
2163 * Mark a SSL engine as failed. The provided error code is recorded if
2164 * the engine was not already marked as failed. If 'err' is 0, then the
2165 * engine is marked as closed (without error).
2167 void br_ssl_engine_fail(br_ssl_engine_context
*cc
, int err
);
2170 * Test whether the engine is closed (normally or as a failure).
2173 br_ssl_engine_closed(const br_ssl_engine_context
*cc
)
2175 return cc
->iomode
== BR_IO_FAILED
;
2179 * Configure a new maximum fragment length. If possible, the maximum
2180 * length for outgoing records is immediately adjusted (if there are
2181 * not already too many buffered bytes for that).
2183 void br_ssl_engine_new_max_frag_len(
2184 br_ssl_engine_context
*rc
, unsigned max_frag_len
);
2187 * Test whether the current incoming record has been fully received
2188 * or not. This functions returns 0 only if a complete record header
2189 * has been received, but some of the (possibly encrypted) payload
2190 * has not yet been obtained.
2192 int br_ssl_engine_recvrec_finished(const br_ssl_engine_context
*rc
);
2195 * Flush the current record (if not empty). This is meant to be called
2196 * from the handshake processor only.
2198 void br_ssl_engine_flush_record(br_ssl_engine_context
*cc
);
2201 * Test whether there is some accumulated payload to send.
2204 br_ssl_engine_has_pld_to_send(const br_ssl_engine_context
*rc
)
2206 return rc
->oxa
!= rc
->oxb
&& rc
->oxa
!= rc
->oxc
;
2210 * Initialize RNG in engine. Returned value is 1 on success, 0 on error.
2211 * This function will try to use the OS-provided RNG, if available. If
2212 * there is no OS-provided RNG, or if it failed, and no entropy was
2213 * injected by the caller, then a failure will be reported. On error,
2214 * the context error code is set.
2216 int br_ssl_engine_init_rand(br_ssl_engine_context
*cc
);
2219 * Reset the handshake-related parts of the engine.
2221 void br_ssl_engine_hs_reset(br_ssl_engine_context
*cc
,
2222 void (*hsinit
)(void *), void (*hsrun
)(void *));
2225 * Get the PRF to use for this context, for the provided PRF hash
2228 br_tls_prf_impl
br_ssl_engine_get_PRF(br_ssl_engine_context
*cc
, int prf_id
);
2231 * Consume the provided pre-master secret and compute the corresponding
2232 * master secret. The 'prf_id' is the ID of the hash function to use
2233 * with the TLS 1.2 PRF (ignored if the version is TLS 1.0 or 1.1).
2235 void br_ssl_engine_compute_master(br_ssl_engine_context
*cc
,
2236 int prf_id
, const void *pms
, size_t len
);
2239 * Switch to CBC decryption for incoming records.
2240 * cc the engine context
2241 * is_client non-zero for a client, zero for a server
2242 * prf_id id of hash function for PRF (ignored if not TLS 1.2+)
2243 * mac_id id of hash function for HMAC
2244 * bc_impl block cipher implementation (CBC decryption)
2245 * cipher_key_len block cipher key length (in bytes)
2247 void br_ssl_engine_switch_cbc_in(br_ssl_engine_context
*cc
,
2248 int is_client
, int prf_id
, int mac_id
,
2249 const br_block_cbcdec_class
*bc_impl
, size_t cipher_key_len
);
2252 * Switch to CBC encryption for outgoing records.
2253 * cc the engine context
2254 * is_client non-zero for a client, zero for a server
2255 * prf_id id of hash function for PRF (ignored if not TLS 1.2+)
2256 * mac_id id of hash function for HMAC
2257 * bc_impl block cipher implementation (CBC encryption)
2258 * cipher_key_len block cipher key length (in bytes)
2260 void br_ssl_engine_switch_cbc_out(br_ssl_engine_context
*cc
,
2261 int is_client
, int prf_id
, int mac_id
,
2262 const br_block_cbcenc_class
*bc_impl
, size_t cipher_key_len
);
2265 * Switch to GCM decryption for incoming records.
2266 * cc the engine context
2267 * is_client non-zero for a client, zero for a server
2268 * prf_id id of hash function for PRF
2269 * bc_impl block cipher implementation (CTR)
2270 * cipher_key_len block cipher key length (in bytes)
2272 void br_ssl_engine_switch_gcm_in(br_ssl_engine_context
*cc
,
2273 int is_client
, int prf_id
,
2274 const br_block_ctr_class
*bc_impl
, size_t cipher_key_len
);
2277 * Switch to GCM encryption for outgoing records.
2278 * cc the engine context
2279 * is_client non-zero for a client, zero for a server
2280 * prf_id id of hash function for PRF
2281 * bc_impl block cipher implementation (CTR)
2282 * cipher_key_len block cipher key length (in bytes)
2284 void br_ssl_engine_switch_gcm_out(br_ssl_engine_context
*cc
,
2285 int is_client
, int prf_id
,
2286 const br_block_ctr_class
*bc_impl
, size_t cipher_key_len
);
2289 * Switch to ChaCha20+Poly1305 decryption for incoming records.
2290 * cc the engine context
2291 * is_client non-zero for a client, zero for a server
2292 * prf_id id of hash function for PRF
2294 void br_ssl_engine_switch_chapol_in(br_ssl_engine_context
*cc
,
2295 int is_client
, int prf_id
);
2298 * Switch to ChaCha20+Poly1305 encryption for outgoing records.
2299 * cc the engine context
2300 * is_client non-zero for a client, zero for a server
2301 * prf_id id of hash function for PRF
2303 void br_ssl_engine_switch_chapol_out(br_ssl_engine_context
*cc
,
2304 int is_client
, int prf_id
);
2307 * Switch to CCM decryption for incoming records.
2308 * cc the engine context
2309 * is_client non-zero for a client, zero for a server
2310 * prf_id id of hash function for PRF
2311 * bc_impl block cipher implementation (CTR+CBC)
2312 * cipher_key_len block cipher key length (in bytes)
2313 * tag_len tag length (in bytes)
2315 void br_ssl_engine_switch_ccm_in(br_ssl_engine_context
*cc
,
2316 int is_client
, int prf_id
,
2317 const br_block_ctrcbc_class
*bc_impl
,
2318 size_t cipher_key_len
, size_t tag_len
);
2321 * Switch to GCM encryption for outgoing records.
2322 * cc the engine context
2323 * is_client non-zero for a client, zero for a server
2324 * prf_id id of hash function for PRF
2325 * bc_impl block cipher implementation (CTR+CBC)
2326 * cipher_key_len block cipher key length (in bytes)
2327 * tag_len tag length (in bytes)
2329 void br_ssl_engine_switch_ccm_out(br_ssl_engine_context
*cc
,
2330 int is_client
, int prf_id
,
2331 const br_block_ctrcbc_class
*bc_impl
,
2332 size_t cipher_key_len
, size_t tag_len
);
2335 * Calls to T0-generated code.
2337 void br_ssl_hs_client_init_main(void *ctx
);
2338 void br_ssl_hs_client_run(void *ctx
);
2339 void br_ssl_hs_server_init_main(void *ctx
);
2340 void br_ssl_hs_server_run(void *ctx
);
2343 * Get the hash function to use for signatures, given a bit mask of
2344 * supported hash functions. This implements a strict choice order
2345 * (namely SHA-256, SHA-384, SHA-512, SHA-224, SHA-1). If the mask
2346 * does not document support of any of these hash functions, then this
2347 * functions returns 0.
2349 int br_ssl_choose_hash(unsigned bf
);
2351 /* ==================================================================== */
2354 * PowerPC / POWER assembly stuff. The special BR_POWER_ASM_MACROS macro
2355 * must be defined before including this file; this is done by source
2356 * files that use some inline assembly for PowerPC / POWER machines.
2359 #if BR_POWER_ASM_MACROS
2361 #define lxvw4x(xt, ra, rb) lxvw4x_(xt, ra, rb)
2362 #define stxvw4x(xt, ra, rb) stxvw4x_(xt, ra, rb)
2364 #define bdnz(foo) bdnz_(foo)
2365 #define bdz(foo) bdz_(foo)
2366 #define beq(foo) beq_(foo)
2368 #define li(rx, value) li_(rx, value)
2369 #define addi(rx, ra, imm) addi_(rx, ra, imm)
2370 #define cmpldi(rx, imm) cmpldi_(rx, imm)
2371 #define mtctr(rx) mtctr_(rx)
2372 #define vspltb(vrt, vrb, uim) vspltb_(vrt, vrb, uim)
2373 #define vspltw(vrt, vrb, uim) vspltw_(vrt, vrb, uim)
2374 #define vspltisb(vrt, imm) vspltisb_(vrt, imm)
2375 #define vspltisw(vrt, imm) vspltisw_(vrt, imm)
2376 #define vrlw(vrt, vra, vrb) vrlw_(vrt, vra, vrb)
2377 #define vsbox(vrt, vra) vsbox_(vrt, vra)
2378 #define vxor(vrt, vra, vrb) vxor_(vrt, vra, vrb)
2379 #define vand(vrt, vra, vrb) vand_(vrt, vra, vrb)
2380 #define vsro(vrt, vra, vrb) vsro_(vrt, vra, vrb)
2381 #define vsl(vrt, vra, vrb) vsl_(vrt, vra, vrb)
2382 #define vsldoi(vt, va, vb, sh) vsldoi_(vt, va, vb, sh)
2383 #define vsr(vrt, vra, vrb) vsr_(vrt, vra, vrb)
2384 #define vaddcuw(vrt, vra, vrb) vaddcuw_(vrt, vra, vrb)
2385 #define vadduwm(vrt, vra, vrb) vadduwm_(vrt, vra, vrb)
2386 #define vsububm(vrt, vra, vrb) vsububm_(vrt, vra, vrb)
2387 #define vsubuwm(vrt, vra, vrb) vsubuwm_(vrt, vra, vrb)
2388 #define vsrw(vrt, vra, vrb) vsrw_(vrt, vra, vrb)
2389 #define vcipher(vt, va, vb) vcipher_(vt, va, vb)
2390 #define vcipherlast(vt, va, vb) vcipherlast_(vt, va, vb)
2391 #define vncipher(vt, va, vb) vncipher_(vt, va, vb)
2392 #define vncipherlast(vt, va, vb) vncipherlast_(vt, va, vb)
2393 #define vperm(vt, va, vb, vc) vperm_(vt, va, vb, vc)
2394 #define vpmsumd(vt, va, vb) vpmsumd_(vt, va, vb)
2395 #define xxpermdi(vt, va, vb, d) xxpermdi_(vt, va, vb, d)
2397 #define lxvw4x_(xt, ra, rb) "\tlxvw4x\t" #xt "," #ra "," #rb "\n"
2398 #define stxvw4x_(xt, ra, rb) "\tstxvw4x\t" #xt "," #ra "," #rb "\n"
2400 #define label(foo) #foo "%=:\n"
2401 #define bdnz_(foo) "\tbdnz\t" #foo "%=\n"
2402 #define bdz_(foo) "\tbdz\t" #foo "%=\n"
2403 #define beq_(foo) "\tbeq\t" #foo "%=\n"
2405 #define li_(rx, value) "\tli\t" #rx "," #value "\n"
2406 #define addi_(rx, ra, imm) "\taddi\t" #rx "," #ra "," #imm "\n"
2407 #define cmpldi_(rx, imm) "\tcmpldi\t" #rx "," #imm "\n"
2408 #define mtctr_(rx) "\tmtctr\t" #rx "\n"
2409 #define vspltb_(vrt, vrb, uim) "\tvspltb\t" #vrt "," #vrb "," #uim "\n"
2410 #define vspltw_(vrt, vrb, uim) "\tvspltw\t" #vrt "," #vrb "," #uim "\n"
2411 #define vspltisb_(vrt, imm) "\tvspltisb\t" #vrt "," #imm "\n"
2412 #define vspltisw_(vrt, imm) "\tvspltisw\t" #vrt "," #imm "\n"
2413 #define vrlw_(vrt, vra, vrb) "\tvrlw\t" #vrt "," #vra "," #vrb "\n"
2414 #define vsbox_(vrt, vra) "\tvsbox\t" #vrt "," #vra "\n"
2415 #define vxor_(vrt, vra, vrb) "\tvxor\t" #vrt "," #vra "," #vrb "\n"
2416 #define vand_(vrt, vra, vrb) "\tvand\t" #vrt "," #vra "," #vrb "\n"
2417 #define vsro_(vrt, vra, vrb) "\tvsro\t" #vrt "," #vra "," #vrb "\n"
2418 #define vsl_(vrt, vra, vrb) "\tvsl\t" #vrt "," #vra "," #vrb "\n"
2419 #define vsldoi_(vt, va, vb, sh) "\tvsldoi\t" #vt "," #va "," #vb "," #sh "\n"
2420 #define vsr_(vrt, vra, vrb) "\tvsr\t" #vrt "," #vra "," #vrb "\n"
2421 #define vaddcuw_(vrt, vra, vrb) "\tvaddcuw\t" #vrt "," #vra "," #vrb "\n"
2422 #define vadduwm_(vrt, vra, vrb) "\tvadduwm\t" #vrt "," #vra "," #vrb "\n"
2423 #define vsububm_(vrt, vra, vrb) "\tvsububm\t" #vrt "," #vra "," #vrb "\n"
2424 #define vsubuwm_(vrt, vra, vrb) "\tvsubuwm\t" #vrt "," #vra "," #vrb "\n"
2425 #define vsrw_(vrt, vra, vrb) "\tvsrw\t" #vrt "," #vra "," #vrb "\n"
2426 #define vcipher_(vt, va, vb) "\tvcipher\t" #vt "," #va "," #vb "\n"
2427 #define vcipherlast_(vt, va, vb) "\tvcipherlast\t" #vt "," #va "," #vb "\n"
2428 #define vncipher_(vt, va, vb) "\tvncipher\t" #vt "," #va "," #vb "\n"
2429 #define vncipherlast_(vt, va, vb) "\tvncipherlast\t" #vt "," #va "," #vb "\n"
2430 #define vperm_(vt, va, vb, vc) "\tvperm\t" #vt "," #va "," #vb "," #vc "\n"
2431 #define vpmsumd_(vt, va, vb) "\tvpmsumd\t" #vt "," #va "," #vb "\n"
2432 #define xxpermdi_(vt, va, vb, d) "\txxpermdi\t" #vt "," #va "," #vb "," #d "\n"
2436 /* ==================================================================== */
2438 * Special "activate intrinsics" code, needed for some compiler versions.
2439 * This is defined at the end of this file, so that it won't impact any
2440 * of the inline functions defined previously; and it is controlled by
2441 * a specific macro defined in the caller code.
2443 * Calling code conventions:
2445 * - Caller must define BR_ENABLE_INTRINSICS before including "inner.h".
2446 * - Functions that use intrinsics must be enclosed in an "enabled"
2447 * region (between BR_TARGETS_X86_UP and BR_TARGETS_X86_DOWN).
2448 * - Functions that use intrinsics must be tagged with the appropriate
2452 #if BR_ENABLE_INTRINSICS && (BR_GCC_4_4 || BR_CLANG_3_7 || BR_MSC_2005)
2455 * x86 intrinsics (both 32-bit and 64-bit).
2457 #if BR_i386 || BR_amd64
2460 * On GCC before version 5.0, we need to use the pragma to enable the
2461 * target options globally, because the 'target' function attribute
2462 * appears to be unreliable. Before 4.6 we must also avoid the
2463 * push_options / pop_options mechanism, because it tends to trigger
2464 * some internal compiler errors.
2466 #if BR_GCC && !BR_GCC_5_0
2468 #define BR_TARGETS_X86_UP \
2469 _Pragma("GCC push_options") \
2470 _Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul,rdrnd\")")
2471 #define BR_TARGETS_X86_DOWN \
2472 _Pragma("GCC pop_options")
2474 #define BR_TARGETS_X86_UP \
2475 _Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul\")")
2476 #define BR_TARGETS_X86_DOWN
2478 #pragma GCC diagnostic ignored "-Wpsabi"
2481 #if BR_CLANG && !BR_CLANG_3_8
2492 #define __SSE4_1__ 1
2494 #define __PCLMUL__ 1
2498 #ifndef BR_TARGETS_X86_UP
2499 #define BR_TARGETS_X86_UP
2501 #ifndef BR_TARGETS_X86_DOWN
2502 #define BR_TARGETS_X86_DOWN
2505 #if BR_GCC || BR_CLANG
2507 #include <x86intrin.h>
2509 #define br_bswap32 __builtin_bswap32
2516 #include <immintrin.h>
2517 #define br_bswap32 _byteswap_ulong
2521 br_cpuid(uint32_t mask_eax
, uint32_t mask_ebx
,
2522 uint32_t mask_ecx
, uint32_t mask_edx
)
2524 #if BR_GCC || BR_CLANG
2525 unsigned eax
, ebx
, ecx
, edx
;
2527 if (__get_cpuid(1, &eax
, &ebx
, &ecx
, &edx
)) {
2528 if ((eax
& mask_eax
) == mask_eax
2529 && (ebx
& mask_ebx
) == mask_ebx
2530 && (ecx
& mask_ecx
) == mask_ecx
2531 && (edx
& mask_edx
) == mask_edx
)
2540 if (((uint32_t)info
[0] & mask_eax
) == mask_eax
2541 && ((uint32_t)info
[1] & mask_ebx
) == mask_ebx
2542 && ((uint32_t)info
[2] & mask_ecx
) == mask_ecx
2543 && ((uint32_t)info
[3] & mask_edx
) == mask_edx
)
2555 /* ==================================================================== */