X-Git-Url: https://bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Finner.h;h=da64f377e6ad568b0c5c3528c3d13cb49096f51b;hp=9edaadd1ffc799655830e87f0d77b447e58d934d;hb=6dd8c51ba7e8ca106ede7ff58b5c507042bbf6eb;hpb=3210f38e0491b39aec1ef419cb4114e9483089fb

diff --git a/src/inner.h b/src/inner.h
index 9edaadd..da64f37 100644
--- a/src/inner.h
+++ b/src/inner.h
@@ -549,6 +549,43 @@ MAX(uint32_t x, uint32_t y)
 
 #endif
 
+/*
+ * Multiply two words together; each word may contain up to 15 bits of
+ * data. If BR_CT_MUL15 is non-zero, then the macro will contain some
+ * extra operations that help in making the operation constant-time on
+ * some platforms, where the basic 32-bit multiplication is not
+ * constant-time.
+ */
+#if BR_CT_MUL15
+#define MUL15(x, y)   (((uint32_t)(x) | (uint32_t)0x80000000) \
+                       * ((uint32_t)(x) | (uint32_t)0x80000000) \
+		       & (uint32_t)0x3FFFFFFF)
+#else
+#define MUL15(x, y)   ((uint32_t)(x) * (uint32_t)(y))
+#endif
+
+/*
+ * Arithmetic right shift (sign bit is copied). What happens when
+ * right-shifting a negative value is _implementation-defined_, so it
+ * does not trigger undefined behaviour, but it is still up to each
+ * compiler to define (and document) what it does. Most/all compilers
+ * will do an arithmetic shift, the sign bit being used to fill the
+ * holes; this is a native operation on the underlying CPU, and it would
+ * make little sense for the compiler to do otherwise. GCC explicitly
+ * documents that it follows that convention.
+ *
+ * Still, if BR_NO_ARITH_SHIFT is defined (and non-zero), then an
+ * alternate version will be used, that does not rely on such
+ * implementation-defined behaviour. Unfortunately, it is also slower
+ * and yields bigger code, which is why it is deactivated by default.
+ */
+#if BR_NO_ARITH_SHIFT
+#define ARSH(x, n)   (((uint32_t)(x) >> (n)) \
+                      | ((-((uint32_t)(x) >> 31)) << (32 - (n))))
+#else
+#define ARSH(x, n)   ((*(int32_t *)&(x)) >> (n))
+#endif
+
 /*
  * Constant-time division. The dividend hi:lo is divided by the
  * divisor d; the quotient is returned and the remainder is written
@@ -1524,6 +1561,24 @@ void br_ssl_engine_switch_gcm_out(br_ssl_engine_context *cc,
 	int is_client, int prf_id,
 	const br_block_ctr_class *bc_impl, size_t cipher_key_len);
 
+/*
+ * Switch to ChaCha20+Poly1305 decryption for incoming records.
+ *    cc               the engine context
+ *    is_client        non-zero for a client, zero for a server
+ *    prf_id           id of hash function for PRF
+ */
+void br_ssl_engine_switch_chapol_in(br_ssl_engine_context *cc,
+	int is_client, int prf_id);
+
+/*
+ * Switch to ChaCha20+Poly1305 encryption for outgoing records.
+ *    cc               the engine context
+ *    is_client        non-zero for a client, zero for a server
+ *    prf_id           id of hash function for PRF
+ */
+void br_ssl_engine_switch_chapol_out(br_ssl_engine_context *cc,
+	int is_client, int prf_id);
+
 /*
  * Calls to T0-generated code.
  */