projects / BearSSL / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Added function to forget saved session parameters (for tests).
[BearSSL] / inc / bearssl_block.h
1 /*
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #ifndef BR_BEARSSL_BLOCK_H__
26 #define BR_BEARSSL_BLOCK_H__
27
28 #include <stddef.h>
29 #include <stdint.h>
30
31 #ifdef __cplusplus
32 extern "C" {
33 #endif
34
35 /** \file bearssl_block.h
36 *
37 * # Block Ciphers and Symmetric Ciphers
38 *
39 * This file documents the API for block ciphers and other symmetric
40 * ciphers.
41 *
42 *
43 * ## Procedural API
44 *
45 * For a block cipher implementation, up to three separate sets of
46 * functions are provided, for CBC encryption, CBC decryption, and CTR
47 * encryption/decryption. Each set has its own context structure,
48 * initialised with the encryption key.
49 *
50 * For CBC encryption and decryption, the data to encrypt or decrypt is
51 * referenced as a sequence of blocks. The implementations assume that
52 * there is no partial block; no padding is applied or removed. The
53 * caller is responsible for handling any kind of padding.
54 *
55 * Function for CTR encryption are defined only for block ciphers with
56 * blocks of 16 bytes or more (i.e. AES, but not DES/3DES).
57 *
58 * Each implemented block cipher is identified by an "internal name"
59 * from which are derived the names of structures and functions that
60 * implement the cipher. For the block cipher of internal name "`xxx`",
61 * the following are defined:
62 *
63 * - `br_xxx_BLOCK_SIZE`
64 *
65 * A macro that evaluates to the block size (in bytes) of the
66 * cipher. For all implemented block ciphers, this value is a
67 * power of two.
68 *
69 * - `br_xxx_cbcenc_keys`
70 *
71 * Context structure that contains the subkeys resulting from the key
72 * expansion. These subkeys are appropriate for CBC encryption. The
73 * structure first field is called `vtable` and points to the
74 * appropriate OOP structure.
75 *
76 * - `br_xxx_cbcenc_init(br_xxx_cbcenc_keys *ctx, const void *key, size_t len)`
77 *
78 * Perform key expansion: subkeys for CBC encryption are computed and
79 * written in the provided context structure. The key length MUST be
80 * adequate for the implemented block cipher. This function also sets
81 * the `vtable` field.
82 *
83 * - `br_xxx_cbcenc_run(const br_xxx_cbcenc_keys *ctx, void *iv, void *data, size_t len)`
84 *
85 * Perform CBC encryption of `len` bytes, in place. The encrypted data
86 * replaces the cleartext. `len` MUST be a multiple of the block length
87 * (if it is not, the function may loop forever or overflow a buffer).
88 * The IV is provided with the `iv` pointer; it is also updated with
89 * a copy of the last encrypted block.
90 *
91 * - `br_xxx_cbcdec_keys`
92 *
93 * Context structure that contains the subkeys resulting from the key
94 * expansion. These subkeys are appropriate for CBC decryption. The
95 * structure first field is called `vtable` and points to the
96 * appropriate OOP structure.
97 *
98 * - `br_xxx_cbcdec_init(br_xxx_cbcenc_keys *ctx, const void *key, size_t len)`
99 *
100 * Perform key expansion: subkeys for CBC decryption are computed and
101 * written in the provided context structure. The key length MUST be
102 * adequate for the implemented block cipher. This function also sets
103 * the `vtable` field.
104 *
105 * - `br_xxx_cbcdec_run(const br_xxx_cbcdec_keys *ctx, void *iv, void *data, size_t num_blocks)`
106 *
107 * Perform CBC decryption of `len` bytes, in place. The decrypted data
108 * replaces the ciphertext. `len` MUST be a multiple of the block length
109 * (if it is not, the function may loop forever or overflow a buffer).
110 * The IV is provided with the `iv` pointer; it is also updated with
111 * a copy of the last _encrypted_ block.
112 *
113 * - `br_xxx_ctr_keys`
114 *
115 * Context structure that contains the subkeys resulting from the key
116 * expansion. These subkeys are appropriate for CTR encryption and
117 * decryption. The structure first field is called `vtable` and
118 * points to the appropriate OOP structure.
119 *
120 * - `br_xxx_ctr_init(br_xxx_ctr_keys *ctx, const void *key, size_t len)`
121 *
122 * Perform key expansion: subkeys for CTR encryption and decryption
123 * are computed and written in the provided context structure. The
124 * key length MUST be adequate for the implemented block cipher. This
125 * function also sets the `vtable` field.
126 *
127 * - `br_xxx_ctr_run(const br_xxx_ctr_keys *ctx, const void *iv, uint32_t cc, void *data, size_t len)` (returns `uint32_t`)
128 *
129 * Perform CTR encryption/decryption of some data. Processing is done
130 * "in place" (the output data replaces the input data). This function
131 * implements the "standard incrementing function" from NIST SP800-38A,
132 * annex B: the IV length shall be 4 bytes less than the block size
133 * (i.e. 12 bytes for AES) and the counter is the 32-bit value starting
134 * with `cc`. The data length (`len`) is not necessarily a multiple of
135 * the block size. The new counter value is returned, which supports
136 * chunked processing, provided that each chunk length (except possibly
137 * the last one) is a multiple of the block size.
138 *
139 *
140 * It shall be noted that the key expansion functions return `void`. If
141 * the provided key length is not allowed, then there will be no error
142 * reporting; implementations need not validate the key length, thus an
143 * invalid key length may result in undefined behaviour (e.g. buffer
144 * overflow).
145 *
146 * Subkey structures contain no interior pointer, and no external
147 * resources are allocated upon key expansion. They can thus be
148 * discarded without any explicit deallocation.
149 *
150 *
151 * ## Object-Oriented API
152 *
153 * Each context structure begins with a field (called `vtable`) that
154 * points to an instance of a structure that references the relevant
155 * functions through pointers. Each such structure contains the
156 * following:
157 *
158 * - `context_size`
159 *
160 * The size (in bytes) of the context structure for subkeys.
161 *
162 * - `block_size`
163 *
164 * The cipher block size (in bytes).
165 *
166 * - `log_block_size`
167 *
168 * The base-2 logarithm of cipher block size (e.g. 4 for blocks
169 * of 16 bytes).
170 *
171 * - `init`
172 *
173 * Pointer to the key expansion function.
174 *
175 * - `run`
176 *
177 * Pointer to the encryption/decryption function.
178 *
179 *
180 * For block cipher "`xxx`", static, constant instances of these
181 * structures are defined, under the names:
182 *
183 * - `br_xxx_cbcenc_vtable`
184 * - `br_xxx_cbcdec_vtable`
185 * - `br_xxx_ctr_vtable`
186 *
187 *
188 * ## Implemented Block Ciphers
189 *
190 * Provided implementations are:
191 *
192 * | Name | Function | Block Size (bytes) | Key lengths (bytes) |
193 * | :-------- | :------- | :----------------: | :-----------------: |
194 * | aes_big | AES | 16 | 16, 24 and 32 |
195 * | aes_small | AES | 16 | 16, 24 and 32 |
196 * | aes_ct | AES | 16 | 16, 24 and 32 |
197 * | aes_ct64 | AES | 16 | 16, 24 and 32 |
198 * | aes_x86ni | AES | 16 | 16, 24 and 32 |
199 * | aes_pwr8 | AES | 16 | 16, 24 and 32 |
200 * | des_ct | DES/3DES | 8 | 8, 16 and 24 |
201 * | des_tab | DES/3DES | 8 | 8, 16 and 24 |
202 *
203 * **Note:** DES/3DES nominally uses keys of 64, 128 and 192 bits (i.e. 8,
204 * 16 and 24 bytes), but some of the bits are ignored by the algorithm, so
205 * the _effective_ key lengths, from a security point of view, are 56,
206 * 112 and 168 bits, respectively.
207 *
208 * `aes_big` is a "classical" AES implementation, using tables. It
209 * is fast but not constant-time, since it makes data-dependent array
210 * accesses.
211 *
212 * `aes_small` is an AES implementation optimized for code size. It
213 * is substantially slower than `aes_big`; it is not constant-time
214 * either.
215 *
216 * `aes_ct` is a constant-time implementation of AES; its code is about
217 * as big as that of `aes_big`, while its performance is comparable to
218 * that of `aes_small`. However, it is constant-time. This
219 * implementation should thus be considered to be the "default" AES in
220 * BearSSL, to be used unless the operational context guarantees that a
221 * non-constant-time implementation is safe, or an architecture-specific
222 * constant-time implementation can be used (e.g. using dedicated
223 * hardware opcodes).
224 *
225 * `aes_ct64` is another constant-time implementation of AES. It is
226 * similar to `aes_ct` but uses 64-bit values. On 32-bit machines,
227 * `aes_ct64` is not faster than `aes_ct`, often a bit slower, and has
228 * a larger footprint; however, on 64-bit architectures, `aes_ct64`
229 * is typically twice faster than `aes_ct` for modes that allow parallel
230 * operations (i.e. CTR, and CBC decryption, but not CBC encryption).
231 *
232 * `aes_x86ni` exists only on x86 architectures (32-bit and 64-bit). It
233 * uses the AES-NI opcodes when available.
234 *
235 * `aes_pwr8` exists only on PowerPC / POWER architectures (32-bit and
236 * 64-bit, both little-endian and big-endian). It uses the AES opcodes
237 * present in POWER8 and later.
238 *
239 * `des_tab` is a classic, table-based implementation of DES/3DES. It
240 * is not constant-time.
241 *
242 * `des_ct` is an constant-time implementation of DES/3DES. It is
243 * substantially slower than `des_tab`.
244 *
245 * ## ChaCha20 and Poly1305
246 *
247 * ChaCha20 is a stream cipher. Poly1305 is a MAC algorithm. They
248 * are described in [RFC 7539](https://tools.ietf.org/html/rfc7539).
249 *
250 * Two function pointer types are defined:
251 *
252 * - `br_chacha20_run` describes a function that implements ChaCha20
253 * only.
254 *
255 * - `br_poly1305_run` describes an implementation of Poly1305,
256 * in the AEAD combination with ChaCha20 specified in RFC 7539
257 * (the ChaCha20 implementation is provided as a function pointer).
258 *
259 * `chacha20_ct` is a straightforward implementation of ChaCha20 in
260 * plain C; it is constant-time, small, and reasonably fast.
261 *
262 * `poly1305_ctmul` is an implementation of the ChaCha20+Poly1305 AEAD
263 * construction, where the Poly1305 part is performed with mixed 32-bit
264 * multiplications (operands are 32-bit, result is 64-bit).
265 */
266
267 /**
268 * \brief Class type for CBC encryption implementations.
269 *
270 * A `br_block_cbcenc_class` instance points to the functions implementing
271 * a specific block cipher, when used in CBC mode for encrypting data.
272 */
273 typedef struct br_block_cbcenc_class_ br_block_cbcenc_class;
274 struct br_block_cbcenc_class_ {
275 /**
276 * \brief Size (in bytes) of the context structure appropriate
277 * for containing subkeys.
278 */
279 size_t context_size;
280
281 /**
282 * \brief Size of individual blocks (in bytes).
283 */
284 unsigned block_size;
285
286 /**
287 * \brief Base-2 logarithm of the size of individual blocks,
288 * expressed in bytes.
289 */
290 unsigned log_block_size;
291
292 /**
293 * \brief Initialisation function.
294 *
295 * This function sets the `vtable` field in the context structure.
296 * The key length MUST be one of the key lengths supported by
297 * the implementation.
298 *
299 * \param ctx context structure to initialise.
300 * \param key secret key.
301 * \param key_len key length (in bytes).
302 */
303 void (*init)(const br_block_cbcenc_class **ctx,
304 const void *key, size_t key_len);
305
306 /**
307 * \brief Run the CBC encryption.
308 *
309 * The `iv` parameter points to the IV for this run; it is
310 * updated with a copy of the last encrypted block. The data
311 * is encrypted "in place"; its length (`len`) MUST be a
312 * multiple of the block size.
313 *
314 * \param ctx context structure (already initialised).
315 * \param iv IV for CBC encryption (updated).
316 * \param data data to encrypt.
317 * \param len data length (in bytes, multiple of block size).
318 */
319 void (*run)(const br_block_cbcenc_class *const *ctx,
320 void *iv, void *data, size_t len);
321 };
322
323 /**
324 * \brief Class type for CBC decryption implementations.
325 *
326 * A `br_block_cbcdec_class` instance points to the functions implementing
327 * a specific block cipher, when used in CBC mode for decrypting data.
328 */
329 typedef struct br_block_cbcdec_class_ br_block_cbcdec_class;
330 struct br_block_cbcdec_class_ {
331 /**
332 * \brief Size (in bytes) of the context structure appropriate
333 * for containing subkeys.
334 */
335 size_t context_size;
336
337 /**
338 * \brief Size of individual blocks (in bytes).
339 */
340 unsigned block_size;
341
342 /**
343 * \brief Base-2 logarithm of the size of individual blocks,
344 * expressed in bytes.
345 */
346 unsigned log_block_size;
347
348 /**
349 * \brief Initialisation function.
350 *
351 * This function sets the `vtable` field in the context structure.
352 * The key length MUST be one of the key lengths supported by
353 * the implementation.
354 *
355 * \param ctx context structure to initialise.
356 * \param key secret key.
357 * \param key_len key length (in bytes).
358 */
359 void (*init)(const br_block_cbcdec_class **ctx,
360 const void *key, size_t key_len);
361
362 /**
363 * \brief Run the CBC decryption.
364 *
365 * The `iv` parameter points to the IV for this run; it is
366 * updated with a copy of the last encrypted block. The data
367 * is decrypted "in place"; its length (`len`) MUST be a
368 * multiple of the block size.
369 *
370 * \param ctx context structure (already initialised).
371 * \param iv IV for CBC decryption (updated).
372 * \param data data to decrypt.
373 * \param len data length (in bytes, multiple of block size).
374 */
375 void (*run)(const br_block_cbcdec_class *const *ctx,
376 void *iv, void *data, size_t len);
377 };
378
379 /**
380 * \brief Class type for CTR encryption/decryption implementations.
381 *
382 * A `br_block_ctr_class` instance points to the functions implementing
383 * a specific block cipher, when used in CTR mode for encrypting or
384 * decrypting data.
385 */
386 typedef struct br_block_ctr_class_ br_block_ctr_class;
387 struct br_block_ctr_class_ {
388 /**
389 * \brief Size (in bytes) of the context structure appropriate
390 * for containing subkeys.
391 */
392 size_t context_size;
393
394 /**
395 * \brief Size of individual blocks (in bytes).
396 */
397 unsigned block_size;
398
399 /**
400 * \brief Base-2 logarithm of the size of individual blocks,
401 * expressed in bytes.
402 */
403 unsigned log_block_size;
404
405 /**
406 * \brief Initialisation function.
407 *
408 * This function sets the `vtable` field in the context structure.
409 * The key length MUST be one of the key lengths supported by
410 * the implementation.
411 *
412 * \param ctx context structure to initialise.
413 * \param key secret key.
414 * \param key_len key length (in bytes).
415 */
416 void (*init)(const br_block_ctr_class **ctx,
417 const void *key, size_t key_len);
418
419 /**
420 * \brief Run the CTR encryption or decryption.
421 *
422 * The `iv` parameter points to the IV for this run; its
423 * length is exactly 4 bytes less than the block size (e.g.
424 * 12 bytes for AES/CTR). The IV is combined with a 32-bit
425 * block counter to produce the block value which is processed
426 * with the block cipher.
427 *
428 * The data to encrypt or decrypt is updated "in place". Its
429 * length (`len` bytes) is not required to be a multiple of
430 * the block size; if the final block is partial, then the
431 * corresponding key stream bits are dropped.
432 *
433 * The resulting counter value is returned.
434 *
435 * \param ctx context structure (already initialised).
436 * \param iv IV for CTR encryption/decryption.
437 * \param cc initial value for the block counter.
438 * \param data data to encrypt or decrypt.
439 * \param len data length (in bytes).
440 * \return the new block counter value.
441 */
442 uint32_t (*run)(const br_block_ctr_class *const *ctx,
443 const void *iv, uint32_t cc, void *data, size_t len);
444 };
445
446 /*
447 * Traditional, table-based AES implementation. It is fast, but uses
448 * internal tables (in particular a 1 kB table for encryption, another
449 * 1 kB table for decryption, and a 256-byte table for key schedule),
450 * and it is not constant-time. In contexts where cache-timing attacks
451 * apply, this implementation may leak the secret key.
452 */
453
454 /** \brief AES block size (16 bytes). */
455 #define br_aes_big_BLOCK_SIZE 16
456
457 /**
458 * \brief Context for AES subkeys (`aes_big` implementation, CBC encryption).
459 *
460 * First field is a pointer to the vtable; it is set by the initialisation
461 * function. Other fields are not supposed to be accessed by user code.
462 */
463 typedef struct {
464 /** \brief Pointer to vtable for this context. */
465 const br_block_cbcenc_class *vtable;
466 #ifndef BR_DOXYGEN_IGNORE
467 uint32_t skey[60];
468 unsigned num_rounds;
469 #endif
470 } br_aes_big_cbcenc_keys;
471
472 /**
473 * \brief Context for AES subkeys (`aes_big` implementation, CBC decryption).
474 *
475 * First field is a pointer to the vtable; it is set by the initialisation
476 * function. Other fields are not supposed to be accessed by user code.
477 */
478 typedef struct {
479 /** \brief Pointer to vtable for this context. */
480 const br_block_cbcdec_class *vtable;
481 #ifndef BR_DOXYGEN_IGNORE
482 uint32_t skey[60];
483 unsigned num_rounds;
484 #endif
485 } br_aes_big_cbcdec_keys;
486
487 /**
488 * \brief Context for AES subkeys (`aes_big` implementation, CTR encryption
489 * and decryption).
490 *
491 * First field is a pointer to the vtable; it is set by the initialisation
492 * function. Other fields are not supposed to be accessed by user code.
493 */
494 typedef struct {
495 /** \brief Pointer to vtable for this context. */
496 const br_block_ctr_class *vtable;
497 #ifndef BR_DOXYGEN_IGNORE
498 uint32_t skey[60];
499 unsigned num_rounds;
500 #endif
501 } br_aes_big_ctr_keys;
502
503 /**
504 * \brief Class instance for AES CBC encryption (`aes_big` implementation).
505 */
506 extern const br_block_cbcenc_class br_aes_big_cbcenc_vtable;
507
508 /**
509 * \brief Class instance for AES CBC decryption (`aes_big` implementation).
510 */
511 extern const br_block_cbcdec_class br_aes_big_cbcdec_vtable;
512
513 /**
514 * \brief Class instance for AES CTR encryption and decryption
515 * (`aes_big` implementation).
516 */
517 extern const br_block_ctr_class br_aes_big_ctr_vtable;
518
519 /**
520 * \brief Context initialisation (key schedule) for AES CBC encryption
521 * (`aes_big` implementation).
522 *
523 * \param ctx context to initialise.
524 * \param key secret key.
525 * \param len secret key length (in bytes).
526 */
527 void br_aes_big_cbcenc_init(br_aes_big_cbcenc_keys *ctx,
528 const void *key, size_t len);
529
530 /**
531 * \brief Context initialisation (key schedule) for AES CBC decryption
532 * (`aes_big` implementation).
533 *
534 * \param ctx context to initialise.
535 * \param key secret key.
536 * \param len secret key length (in bytes).
537 */
538 void br_aes_big_cbcdec_init(br_aes_big_cbcdec_keys *ctx,
539 const void *key, size_t len);
540
541 /**
542 * \brief Context initialisation (key schedule) for AES CTR encryption
543 * and decryption (`aes_big` implementation).
544 *
545 * \param ctx context to initialise.
546 * \param key secret key.
547 * \param len secret key length (in bytes).
548 */
549 void br_aes_big_ctr_init(br_aes_big_ctr_keys *ctx,
550 const void *key, size_t len);
551
552 /**
553 * \brief CBC encryption with AES (`aes_big` implementation).
554 *
555 * \param ctx context (already initialised).
556 * \param iv IV (updated).
557 * \param data data to encrypt (updated).
558 * \param len data length (in bytes, MUST be multiple of 16).
559 */
560 void br_aes_big_cbcenc_run(const br_aes_big_cbcenc_keys *ctx, void *iv,
561 void *data, size_t len);
562
563 /**
564 * \brief CBC decryption with AES (`aes_big` implementation).
565 *
566 * \param ctx context (already initialised).
567 * \param iv IV (updated).
568 * \param data data to decrypt (updated).
569 * \param len data length (in bytes, MUST be multiple of 16).
570 */
571 void br_aes_big_cbcdec_run(const br_aes_big_cbcdec_keys *ctx, void *iv,
572 void *data, size_t len);
573
574 /**
575 * \brief CTR encryption and decryption with AES (`aes_big` implementation).
576 *
577 * \param ctx context (already initialised).
578 * \param iv IV (constant, 12 bytes).
579 * \param cc initial block counter value.
580 * \param data data to decrypt (updated).
581 * \param len data length (in bytes).
582 * \return new block counter value.
583 */
584 uint32_t br_aes_big_ctr_run(const br_aes_big_ctr_keys *ctx,
585 const void *iv, uint32_t cc, void *data, size_t len);
586
587 /*
588 * AES implementation optimized for size. It is slower than the
589 * traditional table-based AES implementation, but requires much less
590 * code. It still uses data-dependent table accesses (albeit within a
591 * much smaller 256-byte table), which makes it conceptually vulnerable
592 * to cache-timing attacks.
593 */
594
595 /** \brief AES block size (16 bytes). */
596 #define br_aes_small_BLOCK_SIZE 16
597
598 /**
599 * \brief Context for AES subkeys (`aes_small` implementation, CBC encryption).
600 *
601 * First field is a pointer to the vtable; it is set by the initialisation
602 * function. Other fields are not supposed to be accessed by user code.
603 */
604 typedef struct {
605 /** \brief Pointer to vtable for this context. */
606 const br_block_cbcenc_class *vtable;
607 #ifndef BR_DOXYGEN_IGNORE
608 uint32_t skey[60];
609 unsigned num_rounds;
610 #endif
611 } br_aes_small_cbcenc_keys;
612
613 /**
614 * \brief Context for AES subkeys (`aes_small` implementation, CBC decryption).
615 *
616 * First field is a pointer to the vtable; it is set by the initialisation
617 * function. Other fields are not supposed to be accessed by user code.
618 */
619 typedef struct {
620 /** \brief Pointer to vtable for this context. */
621 const br_block_cbcdec_class *vtable;
622 #ifndef BR_DOXYGEN_IGNORE
623 uint32_t skey[60];
624 unsigned num_rounds;
625 #endif
626 } br_aes_small_cbcdec_keys;
627
628 /**
629 * \brief Context for AES subkeys (`aes_small` implementation, CTR encryption
630 * and decryption).
631 *
632 * First field is a pointer to the vtable; it is set by the initialisation
633 * function. Other fields are not supposed to be accessed by user code.
634 */
635 typedef struct {
636 /** \brief Pointer to vtable for this context. */
637 const br_block_ctr_class *vtable;
638 #ifndef BR_DOXYGEN_IGNORE
639 uint32_t skey[60];
640 unsigned num_rounds;
641 #endif
642 } br_aes_small_ctr_keys;
643
644 /**
645 * \brief Class instance for AES CBC encryption (`aes_small` implementation).
646 */
647 extern const br_block_cbcenc_class br_aes_small_cbcenc_vtable;
648
649 /**
650 * \brief Class instance for AES CBC decryption (`aes_small` implementation).
651 */
652 extern const br_block_cbcdec_class br_aes_small_cbcdec_vtable;
653
654 /**
655 * \brief Class instance for AES CTR encryption and decryption
656 * (`aes_small` implementation).
657 */
658 extern const br_block_ctr_class br_aes_small_ctr_vtable;
659
660 /**
661 * \brief Context initialisation (key schedule) for AES CBC encryption
662 * (`aes_small` implementation).
663 *
664 * \param ctx context to initialise.
665 * \param key secret key.
666 * \param len secret key length (in bytes).
667 */
668 void br_aes_small_cbcenc_init(br_aes_small_cbcenc_keys *ctx,
669 const void *key, size_t len);
670
671 /**
672 * \brief Context initialisation (key schedule) for AES CBC decryption
673 * (`aes_small` implementation).
674 *
675 * \param ctx context to initialise.
676 * \param key secret key.
677 * \param len secret key length (in bytes).
678 */
679 void br_aes_small_cbcdec_init(br_aes_small_cbcdec_keys *ctx,
680 const void *key, size_t len);
681
682 /**
683 * \brief Context initialisation (key schedule) for AES CTR encryption
684 * and decryption (`aes_small` implementation).
685 *
686 * \param ctx context to initialise.
687 * \param key secret key.
688 * \param len secret key length (in bytes).
689 */
690 void br_aes_small_ctr_init(br_aes_small_ctr_keys *ctx,
691 const void *key, size_t len);
692
693 /**
694 * \brief CBC encryption with AES (`aes_small` implementation).
695 *
696 * \param ctx context (already initialised).
697 * \param iv IV (updated).
698 * \param data data to encrypt (updated).
699 * \param len data length (in bytes, MUST be multiple of 16).
700 */
701 void br_aes_small_cbcenc_run(const br_aes_small_cbcenc_keys *ctx, void *iv,
702 void *data, size_t len);
703
704 /**
705 * \brief CBC decryption with AES (`aes_small` implementation).
706 *
707 * \param ctx context (already initialised).
708 * \param iv IV (updated).
709 * \param data data to decrypt (updated).
710 * \param len data length (in bytes, MUST be multiple of 16).
711 */
712 void br_aes_small_cbcdec_run(const br_aes_small_cbcdec_keys *ctx, void *iv,
713 void *data, size_t len);
714
715 /**
716 * \brief CTR encryption and decryption with AES (`aes_small` implementation).
717 *
718 * \param ctx context (already initialised).
719 * \param iv IV (constant, 12 bytes).
720 * \param cc initial block counter value.
721 * \param data data to decrypt (updated).
722 * \param len data length (in bytes).
723 * \return new block counter value.
724 */
725 uint32_t br_aes_small_ctr_run(const br_aes_small_ctr_keys *ctx,
726 const void *iv, uint32_t cc, void *data, size_t len);
727
728 /*
729 * Constant-time AES implementation. Its size is similar to that of
730 * 'aes_big', and its performance is similar to that of 'aes_small' (faster
731 * decryption, slower encryption). However, it is constant-time, i.e.
732 * immune to cache-timing and similar attacks.
733 */
734
735 /** \brief AES block size (16 bytes). */
736 #define br_aes_ct_BLOCK_SIZE 16
737
738 /**
739 * \brief Context for AES subkeys (`aes_ct` implementation, CBC encryption).
740 *
741 * First field is a pointer to the vtable; it is set by the initialisation
742 * function. Other fields are not supposed to be accessed by user code.
743 */
744 typedef struct {
745 /** \brief Pointer to vtable for this context. */
746 const br_block_cbcenc_class *vtable;
747 #ifndef BR_DOXYGEN_IGNORE
748 uint32_t skey[60];
749 unsigned num_rounds;
750 #endif
751 } br_aes_ct_cbcenc_keys;
752
753 /**
754 * \brief Context for AES subkeys (`aes_ct` implementation, CBC decryption).
755 *
756 * First field is a pointer to the vtable; it is set by the initialisation
757 * function. Other fields are not supposed to be accessed by user code.
758 */
759 typedef struct {
760 /** \brief Pointer to vtable for this context. */
761 const br_block_cbcdec_class *vtable;
762 #ifndef BR_DOXYGEN_IGNORE
763 uint32_t skey[60];
764 unsigned num_rounds;
765 #endif
766 } br_aes_ct_cbcdec_keys;
767
768 /**
769 * \brief Context for AES subkeys (`aes_ct` implementation, CTR encryption
770 * and decryption).
771 *
772 * First field is a pointer to the vtable; it is set by the initialisation
773 * function. Other fields are not supposed to be accessed by user code.
774 */
775 typedef struct {
776 /** \brief Pointer to vtable for this context. */
777 const br_block_ctr_class *vtable;
778 #ifndef BR_DOXYGEN_IGNORE
779 uint32_t skey[60];
780 unsigned num_rounds;
781 #endif
782 } br_aes_ct_ctr_keys;
783
784 /**
785 * \brief Class instance for AES CBC encryption (`aes_ct` implementation).
786 */
787 extern const br_block_cbcenc_class br_aes_ct_cbcenc_vtable;
788
789 /**
790 * \brief Class instance for AES CBC decryption (`aes_ct` implementation).
791 */
792 extern const br_block_cbcdec_class br_aes_ct_cbcdec_vtable;
793
794 /**
795 * \brief Class instance for AES CTR encryption and decryption
796 * (`aes_ct` implementation).
797 */
798 extern const br_block_ctr_class br_aes_ct_ctr_vtable;
799
800 /**
801 * \brief Context initialisation (key schedule) for AES CBC encryption
802 * (`aes_ct` implementation).
803 *
804 * \param ctx context to initialise.
805 * \param key secret key.
806 * \param len secret key length (in bytes).
807 */
808 void br_aes_ct_cbcenc_init(br_aes_ct_cbcenc_keys *ctx,
809 const void *key, size_t len);
810
811 /**
812 * \brief Context initialisation (key schedule) for AES CBC decryption
813 * (`aes_ct` implementation).
814 *
815 * \param ctx context to initialise.
816 * \param key secret key.
817 * \param len secret key length (in bytes).
818 */
819 void br_aes_ct_cbcdec_init(br_aes_ct_cbcdec_keys *ctx,
820 const void *key, size_t len);
821
822 /**
823 * \brief Context initialisation (key schedule) for AES CTR encryption
824 * and decryption (`aes_ct` implementation).
825 *
826 * \param ctx context to initialise.
827 * \param key secret key.
828 * \param len secret key length (in bytes).
829 */
830 void br_aes_ct_ctr_init(br_aes_ct_ctr_keys *ctx,
831 const void *key, size_t len);
832
833 /**
834 * \brief CBC encryption with AES (`aes_ct` implementation).
835 *
836 * \param ctx context (already initialised).
837 * \param iv IV (updated).
838 * \param data data to encrypt (updated).
839 * \param len data length (in bytes, MUST be multiple of 16).
840 */
841 void br_aes_ct_cbcenc_run(const br_aes_ct_cbcenc_keys *ctx, void *iv,
842 void *data, size_t len);
843
844 /**
845 * \brief CBC decryption with AES (`aes_ct` implementation).
846 *
847 * \param ctx context (already initialised).
848 * \param iv IV (updated).
849 * \param data data to decrypt (updated).
850 * \param len data length (in bytes, MUST be multiple of 16).
851 */
852 void br_aes_ct_cbcdec_run(const br_aes_ct_cbcdec_keys *ctx, void *iv,
853 void *data, size_t len);
854
855 /**
856 * \brief CTR encryption and decryption with AES (`aes_ct` implementation).
857 *
858 * \param ctx context (already initialised).
859 * \param iv IV (constant, 12 bytes).
860 * \param cc initial block counter value.
861 * \param data data to decrypt (updated).
862 * \param len data length (in bytes).
863 * \return new block counter value.
864 */
865 uint32_t br_aes_ct_ctr_run(const br_aes_ct_ctr_keys *ctx,
866 const void *iv, uint32_t cc, void *data, size_t len);
867
868 /*
869 * 64-bit constant-time AES implementation. It is similar to 'aes_ct'
870 * but uses 64-bit registers, making it about twice faster than 'aes_ct'
871 * on 64-bit platforms, while remaining constant-time and with a similar
872 * code size. (The doubling in performance is only for CBC decryption
873 * and CTR mode; CBC encryption is non-parallel and cannot benefit from
874 * the larger registers.)
875 */
876
877 /** \brief AES block size (16 bytes). */
878 #define br_aes_ct64_BLOCK_SIZE 16
879
880 /**
881 * \brief Context for AES subkeys (`aes_ct64` implementation, CBC encryption).
882 *
883 * First field is a pointer to the vtable; it is set by the initialisation
884 * function. Other fields are not supposed to be accessed by user code.
885 */
886 typedef struct {
887 /** \brief Pointer to vtable for this context. */
888 const br_block_cbcenc_class *vtable;
889 #ifndef BR_DOXYGEN_IGNORE
890 uint64_t skey[30];
891 unsigned num_rounds;
892 #endif
893 } br_aes_ct64_cbcenc_keys;
894
895 /**
896 * \brief Context for AES subkeys (`aes_ct64` implementation, CBC decryption).
897 *
898 * First field is a pointer to the vtable; it is set by the initialisation
899 * function. Other fields are not supposed to be accessed by user code.
900 */
901 typedef struct {
902 /** \brief Pointer to vtable for this context. */
903 const br_block_cbcdec_class *vtable;
904 #ifndef BR_DOXYGEN_IGNORE
905 uint64_t skey[30];
906 unsigned num_rounds;
907 #endif
908 } br_aes_ct64_cbcdec_keys;
909
910 /**
911 * \brief Context for AES subkeys (`aes_ct64` implementation, CTR encryption
912 * and decryption).
913 *
914 * First field is a pointer to the vtable; it is set by the initialisation
915 * function. Other fields are not supposed to be accessed by user code.
916 */
917 typedef struct {
918 /** \brief Pointer to vtable for this context. */
919 const br_block_ctr_class *vtable;
920 #ifndef BR_DOXYGEN_IGNORE
921 uint64_t skey[30];
922 unsigned num_rounds;
923 #endif
924 } br_aes_ct64_ctr_keys;
925
926 /**
927 * \brief Class instance for AES CBC encryption (`aes_ct64` implementation).
928 */
929 extern const br_block_cbcenc_class br_aes_ct64_cbcenc_vtable;
930
931 /**
932 * \brief Class instance for AES CBC decryption (`aes_ct64` implementation).
933 */
934 extern const br_block_cbcdec_class br_aes_ct64_cbcdec_vtable;
935
936 /**
937 * \brief Class instance for AES CTR encryption and decryption
938 * (`aes_ct64` implementation).
939 */
940 extern const br_block_ctr_class br_aes_ct64_ctr_vtable;
941
942 /**
943 * \brief Context initialisation (key schedule) for AES CBC encryption
944 * (`aes_ct64` implementation).
945 *
946 * \param ctx context to initialise.
947 * \param key secret key.
948 * \param len secret key length (in bytes).
949 */
950 void br_aes_ct64_cbcenc_init(br_aes_ct64_cbcenc_keys *ctx,
951 const void *key, size_t len);
952
953 /**
954 * \brief Context initialisation (key schedule) for AES CBC decryption
955 * (`aes_ct64` implementation).
956 *
957 * \param ctx context to initialise.
958 * \param key secret key.
959 * \param len secret key length (in bytes).
960 */
961 void br_aes_ct64_cbcdec_init(br_aes_ct64_cbcdec_keys *ctx,
962 const void *key, size_t len);
963
964 /**
965 * \brief Context initialisation (key schedule) for AES CTR encryption
966 * and decryption (`aes_ct64` implementation).
967 *
968 * \param ctx context to initialise.
969 * \param key secret key.
970 * \param len secret key length (in bytes).
971 */
972 void br_aes_ct64_ctr_init(br_aes_ct64_ctr_keys *ctx,
973 const void *key, size_t len);
974
975 /**
976 * \brief CBC encryption with AES (`aes_ct64` implementation).
977 *
978 * \param ctx context (already initialised).
979 * \param iv IV (updated).
980 * \param data data to encrypt (updated).
981 * \param len data length (in bytes, MUST be multiple of 16).
982 */
983 void br_aes_ct64_cbcenc_run(const br_aes_ct64_cbcenc_keys *ctx, void *iv,
984 void *data, size_t len);
985
986 /**
987 * \brief CBC decryption with AES (`aes_ct64` implementation).
988 *
989 * \param ctx context (already initialised).
990 * \param iv IV (updated).
991 * \param data data to decrypt (updated).
992 * \param len data length (in bytes, MUST be multiple of 16).
993 */
994 void br_aes_ct64_cbcdec_run(const br_aes_ct64_cbcdec_keys *ctx, void *iv,
995 void *data, size_t len);
996
997 /**
998 * \brief CTR encryption and decryption with AES (`aes_ct64` implementation).
999 *
1000 * \param ctx context (already initialised).
1001 * \param iv IV (constant, 12 bytes).
1002 * \param cc initial block counter value.
1003 * \param data data to decrypt (updated).
1004 * \param len data length (in bytes).
1005 * \return new block counter value.
1006 */
1007 uint32_t br_aes_ct64_ctr_run(const br_aes_ct64_ctr_keys *ctx,
1008 const void *iv, uint32_t cc, void *data, size_t len);
1009
1010 /*
1011 * AES implementation using AES-NI opcodes (x86 platform).
1012 */
1013
1014 /** \brief AES block size (16 bytes). */
1015 #define br_aes_x86ni_BLOCK_SIZE 16
1016
1017 /**
1018 * \brief Context for AES subkeys (`aes_x86ni` implementation, CBC encryption).
1019 *
1020 * First field is a pointer to the vtable; it is set by the initialisation
1021 * function. Other fields are not supposed to be accessed by user code.
1022 */
1023 typedef struct {
1024 /** \brief Pointer to vtable for this context. */
1025 const br_block_cbcenc_class *vtable;
1026 #ifndef BR_DOXYGEN_IGNORE
1027 union {
1028 unsigned char skni[16 * 15];
1029 } skey;
1030 unsigned num_rounds;
1031 #endif
1032 } br_aes_x86ni_cbcenc_keys;
1033
1034 /**
1035 * \brief Context for AES subkeys (`aes_x86ni` implementation, CBC decryption).
1036 *
1037 * First field is a pointer to the vtable; it is set by the initialisation
1038 * function. Other fields are not supposed to be accessed by user code.
1039 */
1040 typedef struct {
1041 /** \brief Pointer to vtable for this context. */
1042 const br_block_cbcdec_class *vtable;
1043 #ifndef BR_DOXYGEN_IGNORE
1044 union {
1045 unsigned char skni[16 * 15];
1046 } skey;
1047 unsigned num_rounds;
1048 #endif
1049 } br_aes_x86ni_cbcdec_keys;
1050
1051 /**
1052 * \brief Context for AES subkeys (`aes_x86ni` implementation, CTR encryption
1053 * and decryption).
1054 *
1055 * First field is a pointer to the vtable; it is set by the initialisation
1056 * function. Other fields are not supposed to be accessed by user code.
1057 */
1058 typedef struct {
1059 /** \brief Pointer to vtable for this context. */
1060 const br_block_ctr_class *vtable;
1061 #ifndef BR_DOXYGEN_IGNORE
1062 union {
1063 unsigned char skni[16 * 15];
1064 } skey;
1065 unsigned num_rounds;
1066 #endif
1067 } br_aes_x86ni_ctr_keys;
1068
1069 /**
1070 * \brief Class instance for AES CBC encryption (`aes_x86ni` implementation).
1071 *
1072 * Since this implementation might be omitted from the library, or the
1073 * AES opcode unavailable on the current CPU, a pointer to this class
1074 * instance should be obtained through `br_aes_x86ni_cbcenc_get_vtable()`.
1075 */
1076 extern const br_block_cbcenc_class br_aes_x86ni_cbcenc_vtable;
1077
1078 /**
1079 * \brief Class instance for AES CBC decryption (`aes_x86ni` implementation).
1080 *
1081 * Since this implementation might be omitted from the library, or the
1082 * AES opcode unavailable on the current CPU, a pointer to this class
1083 * instance should be obtained through `br_aes_x86ni_cbcdec_get_vtable()`.
1084 */
1085 extern const br_block_cbcdec_class br_aes_x86ni_cbcdec_vtable;
1086
1087 /**
1088 * \brief Class instance for AES CTR encryption and decryption
1089 * (`aes_x86ni` implementation).
1090 *
1091 * Since this implementation might be omitted from the library, or the
1092 * AES opcode unavailable on the current CPU, a pointer to this class
1093 * instance should be obtained through `br_aes_x86ni_ctr_get_vtable()`.
1094 */
1095 extern const br_block_ctr_class br_aes_x86ni_ctr_vtable;
1096
1097 /**
1098 * \brief Context initialisation (key schedule) for AES CBC encryption
1099 * (`aes_x86ni` implementation).
1100 *
1101 * \param ctx context to initialise.
1102 * \param key secret key.
1103 * \param len secret key length (in bytes).
1104 */
1105 void br_aes_x86ni_cbcenc_init(br_aes_x86ni_cbcenc_keys *ctx,
1106 const void *key, size_t len);
1107
1108 /**
1109 * \brief Context initialisation (key schedule) for AES CBC decryption
1110 * (`aes_x86ni` implementation).
1111 *
1112 * \param ctx context to initialise.
1113 * \param key secret key.
1114 * \param len secret key length (in bytes).
1115 */
1116 void br_aes_x86ni_cbcdec_init(br_aes_x86ni_cbcdec_keys *ctx,
1117 const void *key, size_t len);
1118
1119 /**
1120 * \brief Context initialisation (key schedule) for AES CTR encryption
1121 * and decryption (`aes_x86ni` implementation).
1122 *
1123 * \param ctx context to initialise.
1124 * \param key secret key.
1125 * \param len secret key length (in bytes).
1126 */
1127 void br_aes_x86ni_ctr_init(br_aes_x86ni_ctr_keys *ctx,
1128 const void *key, size_t len);
1129
1130 /**
1131 * \brief CBC encryption with AES (`aes_x86ni` implementation).
1132 *
1133 * \param ctx context (already initialised).
1134 * \param iv IV (updated).
1135 * \param data data to encrypt (updated).
1136 * \param len data length (in bytes, MUST be multiple of 16).
1137 */
1138 void br_aes_x86ni_cbcenc_run(const br_aes_x86ni_cbcenc_keys *ctx, void *iv,
1139 void *data, size_t len);
1140
1141 /**
1142 * \brief CBC decryption with AES (`aes_x86ni` implementation).
1143 *
1144 * \param ctx context (already initialised).
1145 * \param iv IV (updated).
1146 * \param data data to decrypt (updated).
1147 * \param len data length (in bytes, MUST be multiple of 16).
1148 */
1149 void br_aes_x86ni_cbcdec_run(const br_aes_x86ni_cbcdec_keys *ctx, void *iv,
1150 void *data, size_t len);
1151
1152 /**
1153 * \brief CTR encryption and decryption with AES (`aes_x86ni` implementation).
1154 *
1155 * \param ctx context (already initialised).
1156 * \param iv IV (constant, 12 bytes).
1157 * \param cc initial block counter value.
1158 * \param data data to decrypt (updated).
1159 * \param len data length (in bytes).
1160 * \return new block counter value.
1161 */
1162 uint32_t br_aes_x86ni_ctr_run(const br_aes_x86ni_ctr_keys *ctx,
1163 const void *iv, uint32_t cc, void *data, size_t len);
1164
1165 /**
1166 * \brief Obtain the `aes_x86ni` AES-CBC (encryption) implementation, if
1167 * available.
1168 *
1169 * This function returns a pointer to `br_aes_x86ni_cbcenc_vtable`, if
1170 * that implementation was compiled in the library _and_ the x86 AES
1171 * opcodes are available on the currently running CPU. If either of
1172 * these conditions is not met, then this function returns `NULL`.
1173 *
1174 * \return the `aes_x868ni` AES-CBC (encryption) implementation, or `NULL`.
1175 */
1176 const br_block_cbcenc_class *br_aes_x86ni_cbcenc_get_vtable(void);
1177
1178 /**
1179 * \brief Obtain the `aes_x86ni` AES-CBC (decryption) implementation, if
1180 * available.
1181 *
1182 * This function returns a pointer to `br_aes_x86ni_cbcdec_vtable`, if
1183 * that implementation was compiled in the library _and_ the x86 AES
1184 * opcodes are available on the currently running CPU. If either of
1185 * these conditions is not met, then this function returns `NULL`.
1186 *
1187 * \return the `aes_x868ni` AES-CBC (decryption) implementation, or `NULL`.
1188 */
1189 const br_block_cbcdec_class *br_aes_x86ni_cbcdec_get_vtable(void);
1190
1191 /**
1192 * \brief Obtain the `aes_x86ni` AES-CTR implementation, if available.
1193 *
1194 * This function returns a pointer to `br_aes_x86ni_ctr_vtable`, if
1195 * that implementation was compiled in the library _and_ the x86 AES
1196 * opcodes are available on the currently running CPU. If either of
1197 * these conditions is not met, then this function returns `NULL`.
1198 *
1199 * \return the `aes_x868ni` AES-CTR implementation, or `NULL`.
1200 */
1201 const br_block_ctr_class *br_aes_x86ni_ctr_get_vtable(void);
1202
1203 /*
1204 * AES implementation using POWER8 opcodes.
1205 */
1206
1207 /** \brief AES block size (16 bytes). */
1208 #define br_aes_pwr8_BLOCK_SIZE 16
1209
1210 /**
1211 * \brief Context for AES subkeys (`aes_pwr8` implementation, CBC encryption).
1212 *
1213 * First field is a pointer to the vtable; it is set by the initialisation
1214 * function. Other fields are not supposed to be accessed by user code.
1215 */
1216 typedef struct {
1217 /** \brief Pointer to vtable for this context. */
1218 const br_block_cbcenc_class *vtable;
1219 #ifndef BR_DOXYGEN_IGNORE
1220 union {
1221 unsigned char skni[16 * 15];
1222 } skey;
1223 unsigned num_rounds;
1224 #endif
1225 } br_aes_pwr8_cbcenc_keys;
1226
1227 /**
1228 * \brief Context for AES subkeys (`aes_pwr8` implementation, CBC decryption).
1229 *
1230 * First field is a pointer to the vtable; it is set by the initialisation
1231 * function. Other fields are not supposed to be accessed by user code.
1232 */
1233 typedef struct {
1234 /** \brief Pointer to vtable for this context. */
1235 const br_block_cbcdec_class *vtable;
1236 #ifndef BR_DOXYGEN_IGNORE
1237 union {
1238 unsigned char skni[16 * 15];
1239 } skey;
1240 unsigned num_rounds;
1241 #endif
1242 } br_aes_pwr8_cbcdec_keys;
1243
1244 /**
1245 * \brief Context for AES subkeys (`aes_pwr8` implementation, CTR encryption
1246 * and decryption).
1247 *
1248 * First field is a pointer to the vtable; it is set by the initialisation
1249 * function. Other fields are not supposed to be accessed by user code.
1250 */
1251 typedef struct {
1252 /** \brief Pointer to vtable for this context. */
1253 const br_block_ctr_class *vtable;
1254 #ifndef BR_DOXYGEN_IGNORE
1255 union {
1256 unsigned char skni[16 * 15];
1257 } skey;
1258 unsigned num_rounds;
1259 #endif
1260 } br_aes_pwr8_ctr_keys;
1261
1262 /**
1263 * \brief Class instance for AES CBC encryption (`aes_pwr8` implementation).
1264 *
1265 * Since this implementation might be omitted from the library, or the
1266 * AES opcode unavailable on the current CPU, a pointer to this class
1267 * instance should be obtained through `br_aes_pwr8_cbcenc_get_vtable()`.
1268 */
1269 extern const br_block_cbcenc_class br_aes_pwr8_cbcenc_vtable;
1270
1271 /**
1272 * \brief Class instance for AES CBC decryption (`aes_pwr8` implementation).
1273 *
1274 * Since this implementation might be omitted from the library, or the
1275 * AES opcode unavailable on the current CPU, a pointer to this class
1276 * instance should be obtained through `br_aes_pwr8_cbcdec_get_vtable()`.
1277 */
1278 extern const br_block_cbcdec_class br_aes_pwr8_cbcdec_vtable;
1279
1280 /**
1281 * \brief Class instance for AES CTR encryption and decryption
1282 * (`aes_pwr8` implementation).
1283 *
1284 * Since this implementation might be omitted from the library, or the
1285 * AES opcode unavailable on the current CPU, a pointer to this class
1286 * instance should be obtained through `br_aes_pwr8_ctr_get_vtable()`.
1287 */
1288 extern const br_block_ctr_class br_aes_pwr8_ctr_vtable;
1289
1290 /**
1291 * \brief Context initialisation (key schedule) for AES CBC encryption
1292 * (`aes_pwr8` implementation).
1293 *
1294 * \param ctx context to initialise.
1295 * \param key secret key.
1296 * \param len secret key length (in bytes).
1297 */
1298 void br_aes_pwr8_cbcenc_init(br_aes_pwr8_cbcenc_keys *ctx,
1299 const void *key, size_t len);
1300
1301 /**
1302 * \brief Context initialisation (key schedule) for AES CBC decryption
1303 * (`aes_pwr8` implementation).
1304 *
1305 * \param ctx context to initialise.
1306 * \param key secret key.
1307 * \param len secret key length (in bytes).
1308 */
1309 void br_aes_pwr8_cbcdec_init(br_aes_pwr8_cbcdec_keys *ctx,
1310 const void *key, size_t len);
1311
1312 /**
1313 * \brief Context initialisation (key schedule) for AES CTR encryption
1314 * and decryption (`aes_pwr8` implementation).
1315 *
1316 * \param ctx context to initialise.
1317 * \param key secret key.
1318 * \param len secret key length (in bytes).
1319 */
1320 void br_aes_pwr8_ctr_init(br_aes_pwr8_ctr_keys *ctx,
1321 const void *key, size_t len);
1322
1323 /**
1324 * \brief CBC encryption with AES (`aes_pwr8` implementation).
1325 *
1326 * \param ctx context (already initialised).
1327 * \param iv IV (updated).
1328 * \param data data to encrypt (updated).
1329 * \param len data length (in bytes, MUST be multiple of 16).
1330 */
1331 void br_aes_pwr8_cbcenc_run(const br_aes_pwr8_cbcenc_keys *ctx, void *iv,
1332 void *data, size_t len);
1333
1334 /**
1335 * \brief CBC decryption with AES (`aes_pwr8` implementation).
1336 *
1337 * \param ctx context (already initialised).
1338 * \param iv IV (updated).
1339 * \param data data to decrypt (updated).
1340 * \param len data length (in bytes, MUST be multiple of 16).
1341 */
1342 void br_aes_pwr8_cbcdec_run(const br_aes_pwr8_cbcdec_keys *ctx, void *iv,
1343 void *data, size_t len);
1344
1345 /**
1346 * \brief CTR encryption and decryption with AES (`aes_pwr8` implementation).
1347 *
1348 * \param ctx context (already initialised).
1349 * \param iv IV (constant, 12 bytes).
1350 * \param cc initial block counter value.
1351 * \param data data to decrypt (updated).
1352 * \param len data length (in bytes).
1353 * \return new block counter value.
1354 */
1355 uint32_t br_aes_pwr8_ctr_run(const br_aes_pwr8_ctr_keys *ctx,
1356 const void *iv, uint32_t cc, void *data, size_t len);
1357
1358 /**
1359 * \brief Obtain the `aes_pwr8` AES-CBC (encryption) implementation, if
1360 * available.
1361 *
1362 * This function returns a pointer to `br_aes_pwr8_cbcenc_vtable`, if
1363 * that implementation was compiled in the library _and_ the POWER8
1364 * crypto opcodes are available on the currently running CPU. If either
1365 * of these conditions is not met, then this function returns `NULL`.
1366 *
1367 * \return the `aes_pwr8` AES-CBC (encryption) implementation, or `NULL`.
1368 */
1369 const br_block_cbcenc_class *br_aes_pwr8_cbcenc_get_vtable(void);
1370
1371 /**
1372 * \brief Obtain the `aes_pwr8` AES-CBC (decryption) implementation, if
1373 * available.
1374 *
1375 * This function returns a pointer to `br_aes_pwr8_cbcdec_vtable`, if
1376 * that implementation was compiled in the library _and_ the POWER8
1377 * crypto opcodes are available on the currently running CPU. If either
1378 * of these conditions is not met, then this function returns `NULL`.
1379 *
1380 * \return the `aes_pwr8` AES-CBC (decryption) implementation, or `NULL`.
1381 */
1382 const br_block_cbcdec_class *br_aes_pwr8_cbcdec_get_vtable(void);
1383
1384 /**
1385 * \brief Obtain the `aes_pwr8` AES-CTR implementation, if available.
1386 *
1387 * This function returns a pointer to `br_aes_pwr8_ctr_vtable`, if that
1388 * implementation was compiled in the library _and_ the POWER8 crypto
1389 * opcodes are available on the currently running CPU. If either of
1390 * these conditions is not met, then this function returns `NULL`.
1391 *
1392 * \return the `aes_pwr8` AES-CTR implementation, or `NULL`.
1393 */
1394 const br_block_ctr_class *br_aes_pwr8_ctr_get_vtable(void);
1395
1396 /**
1397 * \brief Aggregate structure large enough to be used as context for
1398 * subkeys (CBC encryption) for all AES implementations.
1399 */
1400 typedef union {
1401 const br_block_cbcenc_class *vtable;
1402 br_aes_big_cbcenc_keys c_big;
1403 br_aes_small_cbcenc_keys c_small;
1404 br_aes_ct_cbcenc_keys c_ct;
1405 br_aes_ct64_cbcenc_keys c_ct64;
1406 br_aes_x86ni_cbcenc_keys c_x86ni;
1407 br_aes_pwr8_cbcenc_keys c_pwr8;
1408 } br_aes_gen_cbcenc_keys;
1409
1410 /**
1411 * \brief Aggregate structure large enough to be used as context for
1412 * subkeys (CBC decryption) for all AES implementations.
1413 */
1414 typedef union {
1415 const br_block_cbcdec_class *vtable;
1416 br_aes_big_cbcdec_keys c_big;
1417 br_aes_small_cbcdec_keys c_small;
1418 br_aes_ct_cbcdec_keys c_ct;
1419 br_aes_ct64_cbcdec_keys c_ct64;
1420 br_aes_x86ni_cbcdec_keys c_x86ni;
1421 br_aes_pwr8_cbcdec_keys c_pwr8;
1422 } br_aes_gen_cbcdec_keys;
1423
1424 /**
1425 * \brief Aggregate structure large enough to be used as context for
1426 * subkeys (CTR encryption and decryption) for all AES implementations.
1427 */
1428 typedef union {
1429 const br_block_ctr_class *vtable;
1430 br_aes_big_ctr_keys c_big;
1431 br_aes_small_ctr_keys c_small;
1432 br_aes_ct_ctr_keys c_ct;
1433 br_aes_ct64_ctr_keys c_ct64;
1434 br_aes_x86ni_ctr_keys c_x86ni;
1435 br_aes_pwr8_ctr_keys c_pwr8;
1436 } br_aes_gen_ctr_keys;
1437
1438 /*
1439 * Traditional, table-based implementation for DES/3DES. Since tables are
1440 * used, cache-timing attacks are conceptually possible.
1441 */
1442
1443 /** \brief DES/3DES block size (8 bytes). */
1444 #define br_des_tab_BLOCK_SIZE 8
1445
1446 /**
1447 * \brief Context for DES subkeys (`des_tab` implementation, CBC encryption).
1448 *
1449 * First field is a pointer to the vtable; it is set by the initialisation
1450 * function. Other fields are not supposed to be accessed by user code.
1451 */
1452 typedef struct {
1453 /** \brief Pointer to vtable for this context. */
1454 const br_block_cbcenc_class *vtable;
1455 #ifndef BR_DOXYGEN_IGNORE
1456 uint32_t skey[96];
1457 unsigned num_rounds;
1458 #endif
1459 } br_des_tab_cbcenc_keys;
1460
1461 /**
1462 * \brief Context for DES subkeys (`des_tab` implementation, CBC decryption).
1463 *
1464 * First field is a pointer to the vtable; it is set by the initialisation
1465 * function. Other fields are not supposed to be accessed by user code.
1466 */
1467 typedef struct {
1468 /** \brief Pointer to vtable for this context. */
1469 const br_block_cbcdec_class *vtable;
1470 #ifndef BR_DOXYGEN_IGNORE
1471 uint32_t skey[96];
1472 unsigned num_rounds;
1473 #endif
1474 } br_des_tab_cbcdec_keys;
1475
1476 /**
1477 * \brief Class instance for DES CBC encryption (`des_tab` implementation).
1478 */
1479 extern const br_block_cbcenc_class br_des_tab_cbcenc_vtable;
1480
1481 /**
1482 * \brief Class instance for DES CBC decryption (`des_tab` implementation).
1483 */
1484 extern const br_block_cbcdec_class br_des_tab_cbcdec_vtable;
1485
1486 /**
1487 * \brief Context initialisation (key schedule) for DES CBC encryption
1488 * (`des_tab` implementation).
1489 *
1490 * \param ctx context to initialise.
1491 * \param key secret key.
1492 * \param len secret key length (in bytes).
1493 */
1494 void br_des_tab_cbcenc_init(br_des_tab_cbcenc_keys *ctx,
1495 const void *key, size_t len);
1496
1497 /**
1498 * \brief Context initialisation (key schedule) for DES CBC decryption
1499 * (`des_tab` implementation).
1500 *
1501 * \param ctx context to initialise.
1502 * \param key secret key.
1503 * \param len secret key length (in bytes).
1504 */
1505 void br_des_tab_cbcdec_init(br_des_tab_cbcdec_keys *ctx,
1506 const void *key, size_t len);
1507
1508 /**
1509 * \brief CBC encryption with DES (`des_tab` implementation).
1510 *
1511 * \param ctx context (already initialised).
1512 * \param iv IV (updated).
1513 * \param data data to encrypt (updated).
1514 * \param len data length (in bytes, MUST be multiple of 8).
1515 */
1516 void br_des_tab_cbcenc_run(const br_des_tab_cbcenc_keys *ctx, void *iv,
1517 void *data, size_t len);
1518
1519 /**
1520 * \brief CBC decryption with DES (`des_tab` implementation).
1521 *
1522 * \param ctx context (already initialised).
1523 * \param iv IV (updated).
1524 * \param data data to decrypt (updated).
1525 * \param len data length (in bytes, MUST be multiple of 8).
1526 */
1527 void br_des_tab_cbcdec_run(const br_des_tab_cbcdec_keys *ctx, void *iv,
1528 void *data, size_t len);
1529
1530 /*
1531 * Constant-time implementation for DES/3DES. It is substantially slower
1532 * (by a factor of about 4x), but also immune to cache-timing attacks.
1533 */
1534
1535 /** \brief DES/3DES block size (8 bytes). */
1536 #define br_des_ct_BLOCK_SIZE 8
1537
1538 /**
1539 * \brief Context for DES subkeys (`des_ct` implementation, CBC encryption).
1540 *
1541 * First field is a pointer to the vtable; it is set by the initialisation
1542 * function. Other fields are not supposed to be accessed by user code.
1543 */
1544 typedef struct {
1545 /** \brief Pointer to vtable for this context. */
1546 const br_block_cbcenc_class *vtable;
1547 #ifndef BR_DOXYGEN_IGNORE
1548 uint32_t skey[96];
1549 unsigned num_rounds;
1550 #endif
1551 } br_des_ct_cbcenc_keys;
1552
1553 /**
1554 * \brief Context for DES subkeys (`des_ct` implementation, CBC decryption).
1555 *
1556 * First field is a pointer to the vtable; it is set by the initialisation
1557 * function. Other fields are not supposed to be accessed by user code.
1558 */
1559 typedef struct {
1560 /** \brief Pointer to vtable for this context. */
1561 const br_block_cbcdec_class *vtable;
1562 #ifndef BR_DOXYGEN_IGNORE
1563 uint32_t skey[96];
1564 unsigned num_rounds;
1565 #endif
1566 } br_des_ct_cbcdec_keys;
1567
1568 /**
1569 * \brief Class instance for DES CBC encryption (`des_ct` implementation).
1570 */
1571 extern const br_block_cbcenc_class br_des_ct_cbcenc_vtable;
1572
1573 /**
1574 * \brief Class instance for DES CBC decryption (`des_ct` implementation).
1575 */
1576 extern const br_block_cbcdec_class br_des_ct_cbcdec_vtable;
1577
1578 /**
1579 * \brief Context initialisation (key schedule) for DES CBC encryption
1580 * (`des_ct` implementation).
1581 *
1582 * \param ctx context to initialise.
1583 * \param key secret key.
1584 * \param len secret key length (in bytes).
1585 */
1586 void br_des_ct_cbcenc_init(br_des_ct_cbcenc_keys *ctx,
1587 const void *key, size_t len);
1588
1589 /**
1590 * \brief Context initialisation (key schedule) for DES CBC decryption
1591 * (`des_ct` implementation).
1592 *
1593 * \param ctx context to initialise.
1594 * \param key secret key.
1595 * \param len secret key length (in bytes).
1596 */
1597 void br_des_ct_cbcdec_init(br_des_ct_cbcdec_keys *ctx,
1598 const void *key, size_t len);
1599
1600 /**
1601 * \brief CBC encryption with DES (`des_ct` implementation).
1602 *
1603 * \param ctx context (already initialised).
1604 * \param iv IV (updated).
1605 * \param data data to encrypt (updated).
1606 * \param len data length (in bytes, MUST be multiple of 8).
1607 */
1608 void br_des_ct_cbcenc_run(const br_des_ct_cbcenc_keys *ctx, void *iv,
1609 void *data, size_t len);
1610
1611 /**
1612 * \brief CBC decryption with DES (`des_ct` implementation).
1613 *
1614 * \param ctx context (already initialised).
1615 * \param iv IV (updated).
1616 * \param data data to decrypt (updated).
1617 * \param len data length (in bytes, MUST be multiple of 8).
1618 */
1619 void br_des_ct_cbcdec_run(const br_des_ct_cbcdec_keys *ctx, void *iv,
1620 void *data, size_t len);
1621
1622 /*
1623 * These structures are large enough to accommodate subkeys for all
1624 * DES/3DES implementations.
1625 */
1626
1627 /**
1628 * \brief Aggregate structure large enough to be used as context for
1629 * subkeys (CBC encryption) for all DES implementations.
1630 */
1631 typedef union {
1632 const br_block_cbcenc_class *vtable;
1633 br_des_tab_cbcenc_keys tab;
1634 br_des_ct_cbcenc_keys ct;
1635 } br_des_gen_cbcenc_keys;
1636
1637 /**
1638 * \brief Aggregate structure large enough to be used as context for
1639 * subkeys (CBC decryption) for all DES implementations.
1640 */
1641 typedef union {
1642 const br_block_cbcdec_class *vtable;
1643 br_des_tab_cbcdec_keys c_tab;
1644 br_des_ct_cbcdec_keys c_ct;
1645 } br_des_gen_cbcdec_keys;
1646
1647 /**
1648 * \brief Type for a ChaCha20 implementation.
1649 *
1650 * An implementation follows the description in RFC 7539:
1651 *
1652 * - Key is 256 bits (`key` points to exactly 32 bytes).
1653 *
1654 * - IV is 96 bits (`iv` points to exactly 12 bytes).
1655 *
1656 * - Block counter is over 32 bits and starts at value `cc`; the
1657 * resulting value is returned.
1658 *
1659 * Data (pointed to by `data`, of length `len`) is encrypted/decrypted
1660 * in place. If `len` is not a multiple of 64, then the excess bytes from
1661 * the last block processing are dropped (therefore, "chunked" processing
1662 * works only as long as each non-final chunk has a length multiple of 64).
1663 *
1664 * \param key secret key (32 bytes).
1665 * \param iv IV (12 bytes).
1666 * \param cc initial counter value.
1667 * \param data data to encrypt or decrypt.
1668 * \param len data length (in bytes).
1669 */
1670 typedef uint32_t (*br_chacha20_run)(const void *key,
1671 const void *iv, uint32_t cc, void *data, size_t len);
1672
1673 /**
1674 * \brief ChaCha20 implementation (straightforward C code, constant-time).
1675 *
1676 * \see br_chacha20_run
1677 *
1678 * \param key secret key (32 bytes).
1679 * \param iv IV (12 bytes).
1680 * \param cc initial counter value.
1681 * \param data data to encrypt or decrypt.
1682 * \param len data length (in bytes).
1683 */
1684 uint32_t br_chacha20_ct_run(const void *key,
1685 const void *iv, uint32_t cc, void *data, size_t len);
1686
1687 /**
1688 * \brief Type for a ChaCha20+Poly1305 AEAD implementation.
1689 *
1690 * The provided data is encrypted or decrypted with ChaCha20. The
1691 * authentication tag is computed on the concatenation of the
1692 * additional data and the ciphertext, with the padding and lengths
1693 * as described in RFC 7539 (section 2.8).
1694 *
1695 * After decryption, the caller is responsible for checking that the
1696 * computed tag matches the expected value.
1697 *
1698 * \param key secret key (32 bytes).
1699 * \param iv nonce (12 bytes).
1700 * \param data data to encrypt or decrypt.
1701 * \param len data length (in bytes).
1702 * \param aad additional authenticated data.
1703 * \param aad_len length of additional authenticated data (in bytes).
1704 * \param tag output buffer for the authentication tag.
1705 * \param ichacha implementation of ChaCha20.
1706 * \param encrypt non-zero for encryption, zero for decryption.
1707 */
1708 typedef void (*br_poly1305_run)(const void *key, const void *iv,
1709 void *data, size_t len, const void *aad, size_t aad_len,
1710 void *tag, br_chacha20_run ichacha, int encrypt);
1711
1712 /**
1713 * \brief ChaCha20+Poly1305 AEAD implementation (mixed 32-bit multiplications).
1714 *
1715 * \see br_poly1305_run
1716 *
1717 * \param key secret key (32 bytes).
1718 * \param iv nonce (12 bytes).
1719 * \param data data to encrypt or decrypt.
1720 * \param len data length (in bytes).
1721 * \param aad additional authenticated data.
1722 * \param aad_len length of additional authenticated data (in bytes).
1723 * \param tag output buffer for the authentication tag.
1724 * \param ichacha implementation of ChaCha20.
1725 * \param encrypt non-zero for encryption, zero for decryption.
1726 */
1727 void br_poly1305_ctmul_run(const void *key, const void *iv,
1728 void *data, size_t len, const void *aad, size_t aad_len,
1729 void *tag, br_chacha20_run ichacha, int encrypt);
1730
1731 /**
1732 * \brief ChaCha20+Poly1305 AEAD implementation (pure 32-bit multiplications).
1733 *
1734 * \see br_poly1305_run
1735 *
1736 * \param key secret key (32 bytes).
1737 * \param iv nonce (12 bytes).
1738 * \param data data to encrypt or decrypt.
1739 * \param len data length (in bytes).
1740 * \param aad additional authenticated data.
1741 * \param aad_len length of additional authenticated data (in bytes).
1742 * \param tag output buffer for the authentication tag.
1743 * \param ichacha implementation of ChaCha20.
1744 * \param encrypt non-zero for encryption, zero for decryption.
1745 */
1746 void br_poly1305_ctmul32_run(const void *key, const void *iv,
1747 void *data, size_t len, const void *aad, size_t aad_len,
1748 void *tag, br_chacha20_run ichacha, int encrypt);
1749
1750 /**
1751 * \brief ChaCha20+Poly1305 AEAD implementation (i15).
1752 *
1753 * This implementation relies on the generic big integer code "i15"
1754 * (which uses pure 32-bit multiplications). As such, it may save a
1755 * little code footprint in a context where "i15" is already included
1756 * (e.g. for elliptic curves or for RSA); however, it is also
1757 * substantially slower than the ctmul and ctmul32 implementations.
1758 *
1759 * \see br_poly1305_run
1760 *
1761 * \param key secret key (32 bytes).
1762 * \param iv nonce (12 bytes).
1763 * \param data data to encrypt or decrypt.
1764 * \param len data length (in bytes).
1765 * \param aad additional authenticated data.
1766 * \param aad_len length of additional authenticated data (in bytes).
1767 * \param tag output buffer for the authentication tag.
1768 * \param ichacha implementation of ChaCha20.
1769 * \param encrypt non-zero for encryption, zero for decryption.
1770 */
1771 void br_poly1305_i15_run(const void *key, const void *iv,
1772 void *data, size_t len, const void *aad, size_t aad_len,
1773 void *tag, br_chacha20_run ichacha, int encrypt);
1774
1775 /**
1776 * \brief ChaCha20+Poly1305 AEAD implementation (ctmulq).
1777 *
1778 * This implementation uses 64-bit multiplications (result over 128 bits).
1779 * It is available only on platforms that offer such a primitive (in
1780 * practice, 64-bit architectures). Use `br_poly1305_ctmulq_get()` to
1781 * dynamically obtain a pointer to that function, or 0 if not supported.
1782 *
1783 * \see br_poly1305_run
1784 *
1785 * \param key secret key (32 bytes).
1786 * \param iv nonce (12 bytes).
1787 * \param data data to encrypt or decrypt.
1788 * \param len data length (in bytes).
1789 * \param aad additional authenticated data.
1790 * \param aad_len length of additional authenticated data (in bytes).
1791 * \param tag output buffer for the authentication tag.
1792 * \param ichacha implementation of ChaCha20.
1793 * \param encrypt non-zero for encryption, zero for decryption.
1794 */
1795 void br_poly1305_ctmulq_run(const void *key, const void *iv,
1796 void *data, size_t len, const void *aad, size_t aad_len,
1797 void *tag, br_chacha20_run ichacha, int encrypt);
1798
1799 /**
1800 * \brief Get the ChaCha20+Poly1305 "ctmulq" implementation, if available.
1801 *
1802 * This function returns a pointer to the `br_poly1305_ctmulq_run()`
1803 * function if supported on the current platform; otherwise, it returns 0.
1804 *
1805 * \return the ctmulq ChaCha20+Poly1305 implementation, or 0.
1806 */
1807 br_poly1305_run br_poly1305_ctmulq_get(void);
1808
1809 #ifdef __cplusplus
1810 }
1811 #endif
1812
1813 #endif
The BearSSL library and tools.