#include "config.h"
#include "bearssl.h"
+/*
+ * On MSVC, disable the warning about applying unary minus on an
+ * unsigned type: it is standard, we do it all the time, and for
+ * good reasons.
+ */
+#if _MSC_VER
+#pragma warning( disable : 4146 )
+#endif
+
/*
* Maximum size for a RSA modulus (in bits). Allocated stack buffers
* depend on that size, so this value should be kept small. Currently,
#endif
#endif
+/*
+ * Set BR_LOMUL on platforms where it makes sense.
+ */
+#ifndef BR_LOMUL
+#if BR_ARMEL_CORTEX_GCC
+#define BR_LOMUL 1
+#endif
+#endif
+
+/*
+ * Determine whether x86 AES instructions are understood by the compiler.
+ */
+#ifndef BR_AES_X86NI
+
+#if (__i386__ || __x86_64__) \
+ && ((__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 8)) \
+ || (__clang_major__ > 3 \
+ || (__clang_major__ == 3 && __clang_minor__ >= 7)))
+#define BR_AES_X86NI 1
+#elif (_M_IX86 || _M_X64) && (_MSC_VER >= 1700)
+#define BR_AES_X86NI 1
+#endif
+#endif
+
+/*
+ * If we use x86 AES instruction, determine the compiler brand.
+ */
+#if BR_AES_X86NI
+#ifndef BR_AES_X86NI_GCC
+#if __GNUC__
+#define BR_AES_X86NI_GCC 1
+#endif
+#endif
+#ifndef BR_AES_X86NI_MSC
+#if _MSC_VER >= 1700
+#define BR_AES_X86NI_MSC 1
+#endif
+#endif
+#endif
+
+/*
+ * A macro to tag a function with a "target" attribute (for GCC and Clang).
+ */
+#if BR_AES_X86NI_GCC
+#define BR_TARGET(x) __attribute__((target(x)))
+#else
+#define BR_TARGET(x)
+#endif
+
/* ==================================================================== */
/*
* Encoding/decoding functions.
br_multihash_copyimpl(br_multihash_context *dst,
const br_multihash_context *src)
{
- memcpy(dst->impl, src->impl, sizeof src->impl);
+ memcpy((void *)dst->impl, src->impl, sizeof src->impl);
}
/* ==================================================================== */
#endif
/*
- * Multiply two words together; each word may contain up to 15 bits of
- * data. If BR_CT_MUL15 is non-zero, then the macro will contain some
- * extra operations that help in making the operation constant-time on
- * some platforms, where the basic 32-bit multiplication is not
- * constant-time.
+ * Multiply two words together; the sum of the lengths of the two
+ * operands must not exceed 31 (for instance, one operand may use 16
+ * bits if the other fits on 15). If BR_CT_MUL15 is non-zero, then the
+ * macro will contain some extra operations that help in making the
+ * operation constant-time on some platforms, where the basic 32-bit
+ * multiplication is not constant-time.
*/
#if BR_CT_MUL15
#define MUL15(x, y) (((uint32_t)(x) | (uint32_t)0x80000000) \
* ((uint32_t)(y) | (uint32_t)0x80000000) \
- & (uint32_t)0x3FFFFFFF)
+ & (uint32_t)0x7FFFFFFF)
#else
#define MUL15(x, y) ((uint32_t)(x) * (uint32_t)(y))
#endif
/* ==================================================================== */
+/*
+ * FIXME: document "i15" functions.
+ */
+
static inline void
br_i15_zero(uint16_t *x, uint16_t bit_len)
{
void br_i15_modpow(uint16_t *x, const unsigned char *e, size_t elen,
const uint16_t *m, uint16_t m0i, uint16_t *t1, uint16_t *t2);
+uint32_t br_i15_modpow_opt(uint16_t *x, const unsigned char *e, size_t elen,
+ const uint16_t *m, uint16_t m0i, uint16_t *tmp, size_t twlen);
+
void br_i15_encode(void *dst, size_t len, const uint16_t *x);
uint32_t br_i15_decode_mod(uint16_t *x,
void br_aes_ct64_skey_expand(uint64_t *skey,
unsigned num_rounds, const uint64_t *comp_skey);
+/*
+ * Test support for AES-NI opcodes.
+ */
+int br_aes_x86ni_supported(void);
+
+/*
+ * AES key schedule, using x86 AES-NI instructions. This yields the
+ * subkeys in the encryption direction. Number of rounds is returned.
+ * Key size MUST be 16, 24 or 32 bytes; otherwise, 0 is returned.
+ */
+unsigned br_aes_x86ni_keysched_enc(unsigned char *skni,
+ const void *key, size_t len);
+
+/*
+ * AES key schedule, using x86 AES-NI instructions. This yields the
+ * subkeys in the decryption direction. Number of rounds is returned.
+ * Key size MUST be 16, 24 or 32 bytes; otherwise, 0 is returned.
+ */
+unsigned br_aes_x86ni_keysched_dec(unsigned char *skni,
+ const void *key, size_t len);
+
/* ==================================================================== */
/*
* RSA.
extern const br_ec_curve_def br_secp384r1;
extern const br_ec_curve_def br_secp521r1;
-#if 0
-/* obsolete */
/*
- * Type for the parameters for a "prime curve":
- * coordinates are in GF(p), with p prime
- * curve equation is Y^2 = X^3 - 3*X + b
- * b is in Montgomery representation
- * curve order is n and is prime
- * base point is G (encoded) and has order n
+ * For Curve25519, the advertised "order" really is 2^255-1, since the
+ * point multipliction function really works over arbitrary 255-bit
+ * scalars. This value is only meant as a hint for ECDH key generation;
+ * only ECDSA uses the exact curve order, and ECDSA is not used with
+ * that specific curve.
*/
-typedef struct {
- const uint32_t *p;
- const uint32_t *b;
- const uint32_t p0i;
-} br_ec_prime_i31_curve;
-
-extern const br_ec_prime_i31_curve br_ec_prime_i31_secp256r1;
-extern const br_ec_prime_i31_curve br_ec_prime_i31_secp384r1;
-extern const br_ec_prime_i31_curve br_ec_prime_i31_secp521r1;
-
-#define BR_EC_I31_LEN ((BR_MAX_EC_SIZE + 61) / 31)
-#endif
+extern const br_ec_curve_def br_curve25519;
/*
* Decode some bytes as an i31 integer, with truncation (corresponding
projects / BearSSL / blobdiff