Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/contrib/bearssl/inc/bearssl_hash.h
39586 views
1
/*

2
 * Copyright (c) 2016 Thomas Pornin <[email protected]>

3
 *

4
 * Permission is hereby granted, free of charge, to any person obtaining 

5
 * a copy of this software and associated documentation files (the

6
 * "Software"), to deal in the Software without restriction, including

7
 * without limitation the rights to use, copy, modify, merge, publish,

8
 * distribute, sublicense, and/or sell copies of the Software, and to

9
 * permit persons to whom the Software is furnished to do so, subject to

10
 * the following conditions:

11
 *

12
 * The above copyright notice and this permission notice shall be 

13
 * included in all copies or substantial portions of the Software.

14
 *

15
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 

16
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

17
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 

18
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS

19
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN

20
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN

21
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

22
 * SOFTWARE.

23
 */

24


25
#ifndef BR_BEARSSL_HASH_H__

26
#define BR_BEARSSL_HASH_H__

27


28
#include <stddef.h>

29
#include <stdint.h>

30
#include <string.h>

31


32
#ifdef __cplusplus

33
extern "C" {

34
#endif

35


36
/** \file bearssl_hash.h

37
 *

38
 * # Hash Functions

39
 *

40
 * This file documents the API for hash functions.

41
 *

42
 *

43
 * ## Procedural API

44
 *

45
 * For each implemented hash function, of name "`xxx`", the following

46
 * elements are defined:

47
 *

48
 *   - `br_xxx_vtable`

49
 *

50
 *     An externally defined instance of `br_hash_class`.

51
 *

52
 *   - `br_xxx_SIZE`

53
 *

54
 *     A macro that evaluates to the output size (in bytes) of the

55
 *     hash function.

56
 *

57
 *   - `br_xxx_ID`

58
 *

59
 *     A macro that evaluates to a symbolic identifier for the hash

60
 *     function. Such identifiers are used with HMAC and signature

61
 *     algorithm implementations.

62
 *

63
 *     NOTE: for the "standard" hash functions defined in [the TLS

64
 *     standard](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1),

65
 *     the symbolic identifiers match the constants used in TLS, i.e.

66
 *     1 to 6 for MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512,

67
 *     respectively.

68
 *

69
 *   - `br_xxx_context`

70
 *

71
 *     Context for an ongoing computation. It is allocated by the

72
 *     caller, and a pointer to it is passed to all functions. A

73
 *     context contains no interior pointer, so it can be moved around

74
 *     and cloned (with a simple `memcpy()` or equivalent) in order to

75
 *     capture the function state at some point. Computations that use

76
 *     distinct context structures are independent of each other. The

77
 *     first field of `br_xxx_context` is always a pointer to the

78
 *     `br_xxx_vtable` structure; `br_xxx_init()` sets that pointer.

79
 *

80
 *   - `br_xxx_init(br_xxx_context *ctx)`

81
 *

82
 *     Initialise the provided context. Previous contents of the structure

83
 *     are ignored. This calls resets the context to the start of a new

84
 *     hash computation; it also sets the first field of the context

85
 *     structure (called `vtable`) to a pointer to the statically

86
 *     allocated constant `br_xxx_vtable` structure.

87
 *

88
 *   - `br_xxx_update(br_xxx_context *ctx, const void *data, size_t len)`

89
 *

90
 *     Add some more bytes to the hash computation represented by the

91
 *     provided context.

92
 *

93
 *   - `br_xxx_out(const br_xxx_context *ctx, void *out)`

94
 *

95
 *     Complete the hash computation and write the result in the provided

96
 *     buffer. The output buffer MUST be large enough to accommodate the

97
 *     result. The context is NOT modified by this operation, so this

98
 *     function can be used to get a "partial hash" while still keeping

99
 *     the possibility of adding more bytes to the input.

100
 *

101
 *   - `br_xxx_state(const br_xxx_context *ctx, void *out)`

102
 *

103
 *     Get a copy of the "current state" for the computation so far. For

104
 *     MD functions (MD5, SHA-1, SHA-2 family), this is the running state

105
 *     resulting from the processing of the last complete input block.

106
 *     Returned value is the current input length (in bytes).

107
 *

108
 *   - `br_xxx_set_state(br_xxx_context *ctx, const void *stb, uint64_t count)`

109
 *

110
 *     Set the internal state to the provided values. The 'stb' and

111
 *     'count' values shall match that which was obtained from

112
 *     `br_xxx_state()`. This restores the hash state only if the state

113
 *     values were at an appropriate block boundary. This does NOT set

114
 *     the `vtable` pointer in the context.

115
 *

116
 * Context structures can be discarded without any explicit deallocation.

117
 * Hash function implementations are purely software and don't reserve

118
 * any resources outside of the context structure itself.

119
 *

120
 *

121
 * ## Object-Oriented API

122
 *

123
 * For each hash function that follows the procedural API described

124
 * above, an object-oriented API is also provided. In that API, function

125
 * pointers from the vtable (`br_xxx_vtable`) are used. The vtable

126
 * incarnates object-oriented programming. An introduction on the OOP

127
 * concept used here can be read on the BearSSL Web site:<br />

128
 * &nbsp;&nbsp;&nbsp;[https://www.bearssl.org/oop.html](https://www.bearssl.org/oop.html)

129
 *

130
 * The vtable offers functions called `init()`, `update()`, `out()`,

131
 * `set()` and `set_state()`, which are in fact the functions from

132
 * the procedural API. That vtable also contains two informative fields:

133
 *

134
 *   - `context_size`

135
 *

136
 *     The size of the context structure (`br_xxx_context`), in bytes.

137
 *     This can be used by generic implementations to perform dynamic

138
 *     context allocation.

139
 *

140
 *   - `desc`

141
 *

142
 *     A "descriptor" field that encodes some information on the hash

143
 *     function: symbolic identifier, output size, state size,

144
 *     internal block size, details on the padding.

145
 *

146
 * Users of this object-oriented API (in particular generic HMAC

147
 * implementations) may make the following assumptions:

148
 *

149
 *   - Hash output size is no more than 64 bytes.

150
 *   - Hash internal state size is no more than 64 bytes.

151
 *   - Internal block size is a power of two, no less than 16 and no more

152
 *     than 256.

153
 *

154
 *

155
 * ## Implemented Hash Functions

156
 *

157
 * Implemented hash functions are:

158
 *

159
 * | Function  | Name    | Output length | State length |

160
 * | :-------- | :------ | :-----------: | :----------: |

161
 * | MD5       | md5     |     16        |     16       |

162
 * | SHA-1     | sha1    |     20        |     20       |

163
 * | SHA-224   | sha224  |     28        |     32       |

164
 * | SHA-256   | sha256  |     32        |     32       |

165
 * | SHA-384   | sha384  |     48        |     64       |

166
 * | SHA-512   | sha512  |     64        |     64       |

167
 * | MD5+SHA-1 | md5sha1 |     36        |     36       |

168
 *

169
 * (MD5+SHA-1 is the concatenation of MD5 and SHA-1 computed over the

170
 * same input; in the implementation, the internal data buffer is

171
 * shared, thus making it more memory-efficient than separate MD5 and

172
 * SHA-1. It can be useful in implementing SSL 3.0, TLS 1.0 and TLS

173
 * 1.1.)

174
 *

175
 *

176
 * ## Multi-Hasher

177
 *

178
 * An aggregate hasher is provided, that can compute several standard

179
 * hash functions in parallel. It uses `br_multihash_context` and a

180
 * procedural API. It is configured with the implementations (the vtables)

181
 * that it should use; it will then compute all these hash functions in

182
 * parallel, on the same input. It is meant to be used in cases when the

183
 * hash of an object will be used, but the exact hash function is not

184
 * known yet (typically, streamed processing on X.509 certificates).

185
 *

186
 * Only the standard hash functions (MD5, SHA-1, SHA-224, SHA-256, SHA-384

187
 * and SHA-512) are supported by the multi-hasher.

188
 *

189
 *

190
 * ## GHASH

191
 *

192
 * GHASH is not a generic hash function; it is a _universal_ hash function,

193
 * which, as the name does not say, means that it CANNOT be used in most

194
 * places where a hash function is needed. GHASH is used within the GCM

195
 * encryption mode, to provide the checked integrity functionality.

196
 *

197
 * A GHASH implementation is basically a function that uses the type defined

198
 * in this file under the name `br_ghash`:

199
 *

200
 *     typedef void (*br_ghash)(void *y, const void *h, const void *data, size_t len);

201
 *

202
 * The `y` pointer refers to a 16-byte value which is used as input, and

203
 * receives the output of the GHASH invocation. `h` is a 16-byte secret

204
 * value (that serves as key). `data` and `len` define the input data.

205
 *

206
 * Three GHASH implementations are provided, all constant-time, based on

207
 * the use of integer multiplications with appropriate masking to cancel

208
 * carry propagation.

209
 */

210


211
/**

212
 * \brief Class type for hash function implementations.

213
 *

214
 * A `br_hash_class` instance references the methods implementing a hash

215
 * function. Constant instances of this structure are defined for each

216
 * implemented hash function. Such instances are also called "vtables".

217
 *

218
 * Vtables are used to support object-oriented programming, as

219
 * described on [the BearSSL Web site](https://www.bearssl.org/oop.html).

220
 */

221
typedef struct br_hash_class_ br_hash_class;

222
struct br_hash_class_ {

223
	/**

224
	 * \brief Size (in bytes) of the context structure appropriate for

225
	 * computing this hash function.

226
	 */

227
	size_t context_size;

228


229
	/**

230
	 * \brief Descriptor word that contains information about the hash

231
	 * function.

232
	 *

233
	 * For each word `xxx` described below, use `BR_HASHDESC_xxx_OFF`

234
	 * and `BR_HASHDESC_xxx_MASK` to access the specific value, as

235
	 * follows:

236
	 *

237
	 *     (hf->desc >> BR_HASHDESC_xxx_OFF) & BR_HASHDESC_xxx_MASK

238
	 *

239
	 * The defined elements are:

240
	 *

241
	 *  - `ID`: the symbolic identifier for the function, as defined

242
	 *    in [TLS](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1)

243
	 *    (MD5 = 1, SHA-1 = 2,...).

244
	 *

245
	 *  - `OUT`: hash output size, in bytes.

246
	 *

247
	 *  - `STATE`: internal running state size, in bytes.

248
	 *

249
	 *  - `LBLEN`: base-2 logarithm for the internal block size, as

250
	 *    defined for HMAC processing (this is 6 for MD5, SHA-1, SHA-224

251
	 *    and SHA-256, since these functions use 64-byte blocks; for

252
	 *    SHA-384 and SHA-512, this is 7, corresponding to their

253
	 *    128-byte blocks).

254
	 *

255
	 * The descriptor may contain a few other flags.

256
	 */

257
	uint32_t desc;

258


259
	/**

260
	 * \brief Initialisation method.

261
	 *

262
	 * This method takes as parameter a pointer to a context area,

263
	 * that it initialises. The first field of the context is set

264
	 * to this vtable; other elements are initialised for a new hash

265
	 * computation.

266
	 *

267
	 * \param ctx   pointer to (the first field of) the context.

268
	 */

269
	void (*init)(const br_hash_class **ctx);

270


271
	/**

272
	 * \brief Data injection method.

273
	 *

274
	 * The `len` bytes starting at address `data` are injected into

275
	 * the running hash computation incarnated by the specified

276
	 * context. The context is updated accordingly. It is allowed

277
	 * to have `len == 0`, in which case `data` is ignored (and could

278
	 * be `NULL`), and nothing happens.

279
	 * on the input data.

280
	 *

281
	 * \param ctx    pointer to (the first field of) the context.

282
	 * \param data   pointer to the first data byte to inject.

283
	 * \param len    number of bytes to inject.

284
	 */

285
	void (*update)(const br_hash_class **ctx, const void *data, size_t len);

286


287
	/**

288
	 * \brief Produce hash output.

289
	 *

290
	 * The hash output corresponding to all data bytes injected in the

291
	 * context since the last `init()` call is computed, and written

292
	 * in the buffer pointed to by `dst`. The hash output size depends

293
	 * on the implemented hash function (e.g. 16 bytes for MD5).

294
	 * The context is _not_ modified by this call, so further bytes

295
	 * may be afterwards injected to continue the current computation.

296
	 *

297
	 * \param ctx   pointer to (the first field of) the context.

298
	 * \param dst   destination buffer for the hash output.

299
	 */

300
	void (*out)(const br_hash_class *const *ctx, void *dst);

301


302
	/**

303
	 * \brief Get running state.

304
	 *

305
	 * This method saves the current running state into the `dst`

306
	 * buffer. What constitutes the "running state" depends on the

307
	 * hash function; for Merkle-Damgård hash functions (like

308
	 * MD5 or SHA-1), this is the output obtained after processing

309
	 * each block. The number of bytes injected so far is returned.

310
	 * The context is not modified by this call.

311
	 *

312
	 * \param ctx   pointer to (the first field of) the context.

313
	 * \param dst   destination buffer for the state.

314
	 * \return  the injected total byte length.

315
	 */

316
	uint64_t (*state)(const br_hash_class *const *ctx, void *dst);

317


318
	/**

319
	 * \brief Set running state.

320
	 *

321
	 * This methods replaces the running state for the function.

322
	 *

323
	 * \param ctx     pointer to (the first field of) the context.

324
	 * \param stb     source buffer for the state.

325
	 * \param count   injected total byte length.

326
	 */

327
	void (*set_state)(const br_hash_class **ctx,

328
		const void *stb, uint64_t count);

329
};

330


331
#ifndef BR_DOXYGEN_IGNORE

332
#define BR_HASHDESC_ID(id)           ((uint32_t)(id) << BR_HASHDESC_ID_OFF)

333
#define BR_HASHDESC_ID_OFF           0

334
#define BR_HASHDESC_ID_MASK          0xFF

335


336
#define BR_HASHDESC_OUT(size)        ((uint32_t)(size) << BR_HASHDESC_OUT_OFF)

337
#define BR_HASHDESC_OUT_OFF          8

338
#define BR_HASHDESC_OUT_MASK         0x7F

339


340
#define BR_HASHDESC_STATE(size)      ((uint32_t)(size) << BR_HASHDESC_STATE_OFF)

341
#define BR_HASHDESC_STATE_OFF        15

342
#define BR_HASHDESC_STATE_MASK       0xFF

343


344
#define BR_HASHDESC_LBLEN(ls)        ((uint32_t)(ls) << BR_HASHDESC_LBLEN_OFF)

345
#define BR_HASHDESC_LBLEN_OFF        23

346
#define BR_HASHDESC_LBLEN_MASK       0x0F

347


348
#define BR_HASHDESC_MD_PADDING       ((uint32_t)1 << 28)

349
#define BR_HASHDESC_MD_PADDING_128   ((uint32_t)1 << 29)

350
#define BR_HASHDESC_MD_PADDING_BE    ((uint32_t)1 << 30)

351
#endif

352


353
/*

354
 * Specific hash functions.

355
 *

356
 * Rules for contexts:

357
 * -- No interior pointer.

358
 * -- No pointer to external dynamically allocated resources.

359
 * -- First field is called 'vtable' and is a pointer to a

360
 *    const-qualified br_hash_class instance (pointer is set by init()).

361
 * -- SHA-224 and SHA-256 contexts are identical.

362
 * -- SHA-384 and SHA-512 contexts are identical.

363
 *

364
 * Thus, contexts can be moved and cloned to capture the hash function

365
 * current state; and there is no need for any explicit "release" function.

366
 */

367


368
/**

369
 * \brief Symbolic identifier for MD5.

370
 */

371
#define br_md5_ID     1

372


373
/**

374
 * \brief MD5 output size (in bytes).

375
 */

376
#define br_md5_SIZE   16

377


378
/**

379
 * \brief Constant vtable for MD5.

380
 */

381
extern const br_hash_class br_md5_vtable;

382


383
/**

384
 * \brief MD5 context.

385
 *

386
 * First field is a pointer to the vtable; it is set by the initialisation

387
 * function. Other fields are not supposed to be accessed by user code.

388
 */

389
typedef struct {

390
	/**

391
	 * \brief Pointer to vtable for this context.

392
	 */

393
	const br_hash_class *vtable;

394
#ifndef BR_DOXYGEN_IGNORE

395
	unsigned char buf[64];

396
	uint64_t count;

397
	uint32_t val[4];

398
#endif

399
} br_md5_context;

400


401
/**

402
 * \brief MD5 context initialisation.

403
 *

404
 * This function initialises or resets a context for a new MD5

405
 * computation. It also sets the vtable pointer.

406
 *

407
 * \param ctx   pointer to the context structure.

408
 */

409
void br_md5_init(br_md5_context *ctx);

410


411
/**

412
 * \brief Inject some data bytes in a running MD5 computation.

413
 *

414
 * The provided context is updated with some data bytes. If the number

415
 * of bytes (`len`) is zero, then the data pointer (`data`) is ignored

416
 * and may be `NULL`, and this function does nothing.

417
 *

418
 * \param ctx    pointer to the context structure.

419
 * \param data   pointer to the injected data.

420
 * \param len    injected data length (in bytes).

421
 */

422
void br_md5_update(br_md5_context *ctx, const void *data, size_t len);

423


424
/**

425
 * \brief Compute MD5 output.

426
 *

427
 * The MD5 output for the concatenation of all bytes injected in the

428
 * provided context since the last initialisation or reset call, is

429
 * computed and written in the buffer pointed to by `out`. The context

430
 * itself is not modified, so extra bytes may be injected afterwards

431
 * to continue that computation.

432
 *

433
 * \param ctx   pointer to the context structure.

434
 * \param out   destination buffer for the hash output.

435
 */

436
void br_md5_out(const br_md5_context *ctx, void *out);

437


438
/**

439
 * \brief Save MD5 running state.

440
 *

441
 * The running state for MD5 (output of the last internal block

442
 * processing) is written in the buffer pointed to by `out`. The

443
 * number of bytes injected since the last initialisation or reset

444
 * call is returned. The context is not modified.

445
 *

446
 * \param ctx   pointer to the context structure.

447
 * \param out   destination buffer for the running state.

448
 * \return  the injected total byte length.

449
 */

450
uint64_t br_md5_state(const br_md5_context *ctx, void *out);

451


452
/**

453
 * \brief Restore MD5 running state.

454
 *

455
 * The running state for MD5 is set to the provided values.

456
 *

457
 * \param ctx     pointer to the context structure.

458
 * \param stb     source buffer for the running state.

459
 * \param count   the injected total byte length.

460
 */

461
void br_md5_set_state(br_md5_context *ctx, const void *stb, uint64_t count);

462


463
/**

464
 * \brief Symbolic identifier for SHA-1.

465
 */

466
#define br_sha1_ID     2

467


468
/**

469
 * \brief SHA-1 output size (in bytes).

470
 */

471
#define br_sha1_SIZE   20

472


473
/**

474
 * \brief Constant vtable for SHA-1.

475
 */

476
extern const br_hash_class br_sha1_vtable;

477


478
/**

479
 * \brief SHA-1 context.

480
 *

481
 * First field is a pointer to the vtable; it is set by the initialisation

482
 * function. Other fields are not supposed to be accessed by user code.

483
 */

484
typedef struct {

485
	/**

486
	 * \brief Pointer to vtable for this context.

487
	 */

488
	const br_hash_class *vtable;

489
#ifndef BR_DOXYGEN_IGNORE

490
	unsigned char buf[64];

491
	uint64_t count;

492
	uint32_t val[5];

493
#endif

494
} br_sha1_context;

495


496
/**

497
 * \brief SHA-1 context initialisation.

498
 *

499
 * This function initialises or resets a context for a new SHA-1

500
 * computation. It also sets the vtable pointer.

501
 *

502
 * \param ctx   pointer to the context structure.

503
 */

504
void br_sha1_init(br_sha1_context *ctx);

505


506
/**

507
 * \brief Inject some data bytes in a running SHA-1 computation.

508
 *

509
 * The provided context is updated with some data bytes. If the number

510
 * of bytes (`len`) is zero, then the data pointer (`data`) is ignored

511
 * and may be `NULL`, and this function does nothing.

512
 *

513
 * \param ctx    pointer to the context structure.

514
 * \param data   pointer to the injected data.

515
 * \param len    injected data length (in bytes).

516
 */

517
void br_sha1_update(br_sha1_context *ctx, const void *data, size_t len);

518


519
/**

520
 * \brief Compute SHA-1 output.

521
 *

522
 * The SHA-1 output for the concatenation of all bytes injected in the

523
 * provided context since the last initialisation or reset call, is

524
 * computed and written in the buffer pointed to by `out`. The context

525
 * itself is not modified, so extra bytes may be injected afterwards

526
 * to continue that computation.

527
 *

528
 * \param ctx   pointer to the context structure.

529
 * \param out   destination buffer for the hash output.

530
 */

531
void br_sha1_out(const br_sha1_context *ctx, void *out);

532


533
/**

534
 * \brief Save SHA-1 running state.

535
 *

536
 * The running state for SHA-1 (output of the last internal block

537
 * processing) is written in the buffer pointed to by `out`. The

538
 * number of bytes injected since the last initialisation or reset

539
 * call is returned. The context is not modified.

540
 *

541
 * \param ctx   pointer to the context structure.

542
 * \param out   destination buffer for the running state.

543
 * \return  the injected total byte length.

544
 */

545
uint64_t br_sha1_state(const br_sha1_context *ctx, void *out);

546


547
/**

548
 * \brief Restore SHA-1 running state.

549
 *

550
 * The running state for SHA-1 is set to the provided values.

551
 *

552
 * \param ctx     pointer to the context structure.

553
 * \param stb     source buffer for the running state.

554
 * \param count   the injected total byte length.

555
 */

556
void br_sha1_set_state(br_sha1_context *ctx, const void *stb, uint64_t count);

557


558
/**

559
 * \brief Symbolic identifier for SHA-224.

560
 */

561
#define br_sha224_ID     3

562


563
/**

564
 * \brief SHA-224 output size (in bytes).

565
 */

566
#define br_sha224_SIZE   28

567


568
/**

569
 * \brief Constant vtable for SHA-224.

570
 */

571
extern const br_hash_class br_sha224_vtable;

572


573
/**

574
 * \brief SHA-224 context.

575
 *

576
 * First field is a pointer to the vtable; it is set by the initialisation

577
 * function. Other fields are not supposed to be accessed by user code.

578
 */

579
typedef struct {

580
	/**

581
	 * \brief Pointer to vtable for this context.

582
	 */

583
	const br_hash_class *vtable;

584
#ifndef BR_DOXYGEN_IGNORE

585
	unsigned char buf[64];

586
	uint64_t count;

587
	uint32_t val[8];

588
#endif

589
} br_sha224_context;

590


591
/**

592
 * \brief SHA-224 context initialisation.

593
 *

594
 * This function initialises or resets a context for a new SHA-224

595
 * computation. It also sets the vtable pointer.

596
 *

597
 * \param ctx   pointer to the context structure.

598
 */

599
void br_sha224_init(br_sha224_context *ctx);

600


601
/**

602
 * \brief Inject some data bytes in a running SHA-224 computation.

603
 *

604
 * The provided context is updated with some data bytes. If the number

605
 * of bytes (`len`) is zero, then the data pointer (`data`) is ignored

606
 * and may be `NULL`, and this function does nothing.

607
 *

608
 * \param ctx    pointer to the context structure.

609
 * \param data   pointer to the injected data.

610
 * \param len    injected data length (in bytes).

611
 */

612
void br_sha224_update(br_sha224_context *ctx, const void *data, size_t len);

613


614
/**

615
 * \brief Compute SHA-224 output.

616
 *

617
 * The SHA-224 output for the concatenation of all bytes injected in the

618
 * provided context since the last initialisation or reset call, is

619
 * computed and written in the buffer pointed to by `out`. The context

620
 * itself is not modified, so extra bytes may be injected afterwards

621
 * to continue that computation.

622
 *

623
 * \param ctx   pointer to the context structure.

624
 * \param out   destination buffer for the hash output.

625
 */

626
void br_sha224_out(const br_sha224_context *ctx, void *out);

627


628
/**

629
 * \brief Save SHA-224 running state.

630
 *

631
 * The running state for SHA-224 (output of the last internal block

632
 * processing) is written in the buffer pointed to by `out`. The

633
 * number of bytes injected since the last initialisation or reset

634
 * call is returned. The context is not modified.

635
 *

636
 * \param ctx   pointer to the context structure.

637
 * \param out   destination buffer for the running state.

638
 * \return  the injected total byte length.

639
 */

640
uint64_t br_sha224_state(const br_sha224_context *ctx, void *out);

641


642
/**

643
 * \brief Restore SHA-224 running state.

644
 *

645
 * The running state for SHA-224 is set to the provided values.

646
 *

647
 * \param ctx     pointer to the context structure.

648
 * \param stb     source buffer for the running state.

649
 * \param count   the injected total byte length.

650
 */

651
void br_sha224_set_state(br_sha224_context *ctx,

652
	const void *stb, uint64_t count);

653


654
/**

655
 * \brief Symbolic identifier for SHA-256.

656
 */

657
#define br_sha256_ID     4

658


659
/**

660
 * \brief SHA-256 output size (in bytes).

661
 */

662
#define br_sha256_SIZE   32

663


664
/**

665
 * \brief Constant vtable for SHA-256.

666
 */

667
extern const br_hash_class br_sha256_vtable;

668


669
#ifdef BR_DOXYGEN_IGNORE

670
/**

671
 * \brief SHA-256 context.

672
 *

673
 * First field is a pointer to the vtable; it is set by the initialisation

674
 * function. Other fields are not supposed to be accessed by user code.

675
 */

676
typedef struct {

677
	/**

678
	 * \brief Pointer to vtable for this context.

679
	 */

680
	const br_hash_class *vtable;

681
} br_sha256_context;

682
#else

683
typedef br_sha224_context br_sha256_context;

684
#endif

685


686
/**

687
 * \brief SHA-256 context initialisation.

688
 *

689
 * This function initialises or resets a context for a new SHA-256

690
 * computation. It also sets the vtable pointer.

691
 *

692
 * \param ctx   pointer to the context structure.

693
 */

694
void br_sha256_init(br_sha256_context *ctx);

695


696
#ifdef BR_DOXYGEN_IGNORE

697
/**

698
 * \brief Inject some data bytes in a running SHA-256 computation.

699
 *

700
 * The provided context is updated with some data bytes. If the number

701
 * of bytes (`len`) is zero, then the data pointer (`data`) is ignored

702
 * and may be `NULL`, and this function does nothing.

703
 *

704
 * \param ctx    pointer to the context structure.

705
 * \param data   pointer to the injected data.

706
 * \param len    injected data length (in bytes).

707
 */

708
void br_sha256_update(br_sha256_context *ctx, const void *data, size_t len);

709
#else

710
#define br_sha256_update      br_sha224_update

711
#endif

712


713
/**

714
 * \brief Compute SHA-256 output.

715
 *

716
 * The SHA-256 output for the concatenation of all bytes injected in the

717
 * provided context since the last initialisation or reset call, is

718
 * computed and written in the buffer pointed to by `out`. The context

719
 * itself is not modified, so extra bytes may be injected afterwards

720
 * to continue that computation.

721
 *

722
 * \param ctx   pointer to the context structure.

723
 * \param out   destination buffer for the hash output.

724
 */

725
void br_sha256_out(const br_sha256_context *ctx, void *out);

726


727
#ifdef BR_DOXYGEN_IGNORE

728
/**

729
 * \brief Save SHA-256 running state.

730
 *

731
 * The running state for SHA-256 (output of the last internal block

732
 * processing) is written in the buffer pointed to by `out`. The

733
 * number of bytes injected since the last initialisation or reset

734
 * call is returned. The context is not modified.

735
 *

736
 * \param ctx   pointer to the context structure.

737
 * \param out   destination buffer for the running state.

738
 * \return  the injected total byte length.

739
 */

740
uint64_t br_sha256_state(const br_sha256_context *ctx, void *out);

741
#else

742
#define br_sha256_state       br_sha224_state

743
#endif

744


745
#ifdef BR_DOXYGEN_IGNORE

746
/**

747
 * \brief Restore SHA-256 running state.

748
 *

749
 * The running state for SHA-256 is set to the provided values.

750
 *

751
 * \param ctx     pointer to the context structure.

752
 * \param stb     source buffer for the running state.

753
 * \param count   the injected total byte length.

754
 */

755
void br_sha256_set_state(br_sha256_context *ctx,

756
	const void *stb, uint64_t count);

757
#else

758
#define br_sha256_set_state   br_sha224_set_state

759
#endif

760


761
/**

762
 * \brief Symbolic identifier for SHA-384.

763
 */

764
#define br_sha384_ID     5

765


766
/**

767
 * \brief SHA-384 output size (in bytes).

768
 */

769
#define br_sha384_SIZE   48

770


771
/**

772
 * \brief Constant vtable for SHA-384.

773
 */

774
extern const br_hash_class br_sha384_vtable;

775


776
/**

777
 * \brief SHA-384 context.

778
 *

779
 * First field is a pointer to the vtable; it is set by the initialisation

780
 * function. Other fields are not supposed to be accessed by user code.

781
 */

782
typedef struct {

783
	/**

784
	 * \brief Pointer to vtable for this context.

785
	 */

786
	const br_hash_class *vtable;

787
#ifndef BR_DOXYGEN_IGNORE

788
	unsigned char buf[128];

789
	uint64_t count;

790
	uint64_t val[8];

791
#endif

792
} br_sha384_context;

793


794
/**

795
 * \brief SHA-384 context initialisation.

796
 *

797
 * This function initialises or resets a context for a new SHA-384

798
 * computation. It also sets the vtable pointer.

799
 *

800
 * \param ctx   pointer to the context structure.

801
 */

802
void br_sha384_init(br_sha384_context *ctx);

803


804
/**

805
 * \brief Inject some data bytes in a running SHA-384 computation.

806
 *

807
 * The provided context is updated with some data bytes. If the number

808
 * of bytes (`len`) is zero, then the data pointer (`data`) is ignored

809
 * and may be `NULL`, and this function does nothing.

810
 *

811
 * \param ctx    pointer to the context structure.

812
 * \param data   pointer to the injected data.

813
 * \param len    injected data length (in bytes).

814
 */

815
void br_sha384_update(br_sha384_context *ctx, const void *data, size_t len);

816


817
/**

818
 * \brief Compute SHA-384 output.

819
 *

820
 * The SHA-384 output for the concatenation of all bytes injected in the

821
 * provided context since the last initialisation or reset call, is

822
 * computed and written in the buffer pointed to by `out`. The context

823
 * itself is not modified, so extra bytes may be injected afterwards

824
 * to continue that computation.

825
 *

826
 * \param ctx   pointer to the context structure.

827
 * \param out   destination buffer for the hash output.

828
 */

829
void br_sha384_out(const br_sha384_context *ctx, void *out);

830


831
/**

832
 * \brief Save SHA-384 running state.

833
 *

834
 * The running state for SHA-384 (output of the last internal block

835
 * processing) is written in the buffer pointed to by `out`. The

836
 * number of bytes injected since the last initialisation or reset

837
 * call is returned. The context is not modified.

838
 *

839
 * \param ctx   pointer to the context structure.

840
 * \param out   destination buffer for the running state.

841
 * \return  the injected total byte length.

842
 */

843
uint64_t br_sha384_state(const br_sha384_context *ctx, void *out);

844


845
/**

846
 * \brief Restore SHA-384 running state.

847
 *

848
 * The running state for SHA-384 is set to the provided values.

849
 *

850
 * \param ctx     pointer to the context structure.

851
 * \param stb     source buffer for the running state.

852
 * \param count   the injected total byte length.

853
 */

854
void br_sha384_set_state(br_sha384_context *ctx,

855
	const void *stb, uint64_t count);

856


857
/**

858
 * \brief Symbolic identifier for SHA-512.

859
 */

860
#define br_sha512_ID     6

861


862
/**

863
 * \brief SHA-512 output size (in bytes).

864
 */

865
#define br_sha512_SIZE   64

866


867
/**

868
 * \brief Constant vtable for SHA-512.

869
 */

870
extern const br_hash_class br_sha512_vtable;

871


872
#ifdef BR_DOXYGEN_IGNORE

873
/**

874
 * \brief SHA-512 context.

875
 *

876
 * First field is a pointer to the vtable; it is set by the initialisation

877
 * function. Other fields are not supposed to be accessed by user code.

878
 */

879
typedef struct {

880
	/**

881
	 * \brief Pointer to vtable for this context.

882
	 */

883
	const br_hash_class *vtable;

884
} br_sha512_context;

885
#else

886
typedef br_sha384_context br_sha512_context;

887
#endif

888


889
/**

890
 * \brief SHA-512 context initialisation.

891
 *

892
 * This function initialises or resets a context for a new SHA-512

893
 * computation. It also sets the vtable pointer.

894
 *

895
 * \param ctx   pointer to the context structure.

896
 */

897
void br_sha512_init(br_sha512_context *ctx);

898


899
#ifdef BR_DOXYGEN_IGNORE

900
/**

901
 * \brief Inject some data bytes in a running SHA-512 computation.

902
 *

903
 * The provided context is updated with some data bytes. If the number

904
 * of bytes (`len`) is zero, then the data pointer (`data`) is ignored

905
 * and may be `NULL`, and this function does nothing.

906
 *

907
 * \param ctx    pointer to the context structure.

908
 * \param data   pointer to the injected data.

909
 * \param len    injected data length (in bytes).

910
 */

911
void br_sha512_update(br_sha512_context *ctx, const void *data, size_t len);

912
#else

913
#define br_sha512_update   br_sha384_update

914
#endif

915


916
/**

917
 * \brief Compute SHA-512 output.

918
 *

919
 * The SHA-512 output for the concatenation of all bytes injected in the

920
 * provided context since the last initialisation or reset call, is

921
 * computed and written in the buffer pointed to by `out`. The context

922
 * itself is not modified, so extra bytes may be injected afterwards

923
 * to continue that computation.

924
 *

925
 * \param ctx   pointer to the context structure.

926
 * \param out   destination buffer for the hash output.

927
 */

928
void br_sha512_out(const br_sha512_context *ctx, void *out);

929


930
#ifdef BR_DOXYGEN_IGNORE

931
/**

932
 * \brief Save SHA-512 running state.

933
 *

934
 * The running state for SHA-512 (output of the last internal block

935
 * processing) is written in the buffer pointed to by `out`. The

936
 * number of bytes injected since the last initialisation or reset

937
 * call is returned. The context is not modified.

938
 *

939
 * \param ctx   pointer to the context structure.

940
 * \param out   destination buffer for the running state.

941
 * \return  the injected total byte length.

942
 */

943
uint64_t br_sha512_state(const br_sha512_context *ctx, void *out);

944
#else

945
#define br_sha512_state   br_sha384_state

946
#endif

947


948
#ifdef BR_DOXYGEN_IGNORE

949
/**

950
 * \brief Restore SHA-512 running state.

951
 *

952
 * The running state for SHA-512 is set to the provided values.

953
 *

954
 * \param ctx     pointer to the context structure.

955
 * \param stb     source buffer for the running state.

956
 * \param count   the injected total byte length.

957
 */

958
void br_sha512_set_state(br_sha512_context *ctx,

959
	const void *stb, uint64_t count);

960
#else

961
#define br_sha512_set_state   br_sha384_set_state

962
#endif

963


964
/*

965
 * "md5sha1" is a special hash function that computes both MD5 and SHA-1

966
 * on the same input, and produces a 36-byte output (MD5 and SHA-1

967
 * concatenation, in that order). State size is also 36 bytes.

968
 */

969


970
/**

971
 * \brief Symbolic identifier for MD5+SHA-1.

972
 *

973
 * MD5+SHA-1 is the concatenation of MD5 and SHA-1, computed over the

974
 * same input. It is not one of the functions identified in TLS, so

975
 * we give it a symbolic identifier of value 0.

976
 */

977
#define br_md5sha1_ID     0

978


979
/**

980
 * \brief MD5+SHA-1 output size (in bytes).

981
 */

982
#define br_md5sha1_SIZE   36

983


984
/**

985
 * \brief Constant vtable for MD5+SHA-1.

986
 */

987
extern const br_hash_class br_md5sha1_vtable;

988


989
/**

990
 * \brief MD5+SHA-1 context.

991
 *

992
 * First field is a pointer to the vtable; it is set by the initialisation

993
 * function. Other fields are not supposed to be accessed by user code.

994
 */

995
typedef struct {

996
	/**

997
	 * \brief Pointer to vtable for this context.

998
	 */

999
	const br_hash_class *vtable;

1000
#ifndef BR_DOXYGEN_IGNORE

1001
	unsigned char buf[64];

1002
	uint64_t count;

1003
	uint32_t val_md5[4];

1004
	uint32_t val_sha1[5];

1005
#endif

1006
} br_md5sha1_context;

1007


1008
/**

1009
 * \brief MD5+SHA-1 context initialisation.

1010
 *

1011
 * This function initialises or resets a context for a new SHA-512

1012
 * computation. It also sets the vtable pointer.

1013
 *

1014
 * \param ctx   pointer to the context structure.

1015
 */

1016
void br_md5sha1_init(br_md5sha1_context *ctx);

1017


1018
/**

1019
 * \brief Inject some data bytes in a running MD5+SHA-1 computation.

1020
 *

1021
 * The provided context is updated with some data bytes. If the number

1022
 * of bytes (`len`) is zero, then the data pointer (`data`) is ignored

1023
 * and may be `NULL`, and this function does nothing.

1024
 *

1025
 * \param ctx    pointer to the context structure.

1026
 * \param data   pointer to the injected data.

1027
 * \param len    injected data length (in bytes).

1028
 */

1029
void br_md5sha1_update(br_md5sha1_context *ctx, const void *data, size_t len);

1030


1031
/**

1032
 * \brief Compute MD5+SHA-1 output.

1033
 *

1034
 * The MD5+SHA-1 output for the concatenation of all bytes injected in the

1035
 * provided context since the last initialisation or reset call, is

1036
 * computed and written in the buffer pointed to by `out`. The context

1037
 * itself is not modified, so extra bytes may be injected afterwards

1038
 * to continue that computation.

1039
 *

1040
 * \param ctx   pointer to the context structure.

1041
 * \param out   destination buffer for the hash output.

1042
 */

1043
void br_md5sha1_out(const br_md5sha1_context *ctx, void *out);

1044


1045
/**

1046
 * \brief Save MD5+SHA-1 running state.

1047
 *

1048
 * The running state for MD5+SHA-1 (output of the last internal block

1049
 * processing) is written in the buffer pointed to by `out`. The

1050
 * number of bytes injected since the last initialisation or reset

1051
 * call is returned. The context is not modified.

1052
 *

1053
 * \param ctx   pointer to the context structure.

1054
 * \param out   destination buffer for the running state.

1055
 * \return  the injected total byte length.

1056
 */

1057
uint64_t br_md5sha1_state(const br_md5sha1_context *ctx, void *out);

1058


1059
/**

1060
 * \brief Restore MD5+SHA-1 running state.

1061
 *

1062
 * The running state for MD5+SHA-1 is set to the provided values.

1063
 *

1064
 * \param ctx     pointer to the context structure.

1065
 * \param stb     source buffer for the running state.

1066
 * \param count   the injected total byte length.

1067
 */

1068
void br_md5sha1_set_state(br_md5sha1_context *ctx,

1069
	const void *stb, uint64_t count);

1070


1071
/**

1072
 * \brief Aggregate context for configurable hash function support.

1073
 *

1074
 * The `br_hash_compat_context` type is a type which is large enough to

1075
 * serve as context for all standard hash functions defined above.

1076
 */

1077
typedef union {

1078
	const br_hash_class *vtable;

1079
	br_md5_context md5;

1080
	br_sha1_context sha1;

1081
	br_sha224_context sha224;

1082
	br_sha256_context sha256;

1083
	br_sha384_context sha384;

1084
	br_sha512_context sha512;

1085
	br_md5sha1_context md5sha1;

1086
} br_hash_compat_context;

1087


1088
/*

1089
 * The multi-hasher is a construct that handles hashing of the same input

1090
 * data with several hash functions, with a single shared input buffer.

1091
 * It can handle MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512

1092
 * simultaneously, though which functions are activated depends on

1093
 * the set implementation pointers.

1094
 */

1095


1096
/**

1097
 * \brief Multi-hasher context structure.

1098
 *

1099
 * The multi-hasher runs up to six hash functions in the standard TLS list

1100
 * (MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512) in parallel, over

1101
 * the same input.

1102
 *

1103
 * The multi-hasher does _not_ follow the OOP structure with a vtable.

1104
 * Instead, it is configured with the vtables of the hash functions it

1105
 * should run. Structure fields are not supposed to be accessed directly.

1106
 */

1107
typedef struct {

1108
#ifndef BR_DOXYGEN_IGNORE

1109
	unsigned char buf[128];

1110
	uint64_t count;

1111
	uint32_t val_32[25];

1112
	uint64_t val_64[16];

1113
	const br_hash_class *impl[6];

1114
#endif

1115
} br_multihash_context;

1116


1117
/**

1118
 * \brief Clear a multi-hasher context.

1119
 *

1120
 * This should always be called once on a given context, _before_ setting

1121
 * the implementation pointers.

1122
 *

1123
 * \param ctx   the multi-hasher context.

1124
 */

1125
void br_multihash_zero(br_multihash_context *ctx);

1126


1127
/**

1128
 * \brief Set a hash function implementation.

1129
 *

1130
 * Implementations shall be set _after_ clearing the context (with

1131
 * `br_multihash_zero()`) but _before_ initialising the computation

1132
 * (with `br_multihash_init()`). The hash function implementation

1133
 * MUST be one of the standard hash functions (MD5, SHA-1, SHA-224,

1134
 * SHA-256, SHA-384 or SHA-512); it may also be `NULL` to remove

1135
 * an implementation from the multi-hasher.

1136
 *

1137
 * \param ctx    the multi-hasher context.

1138
 * \param id     the hash function symbolic identifier.

1139
 * \param impl   the hash function vtable, or `NULL`.

1140
 */

1141
static inline void

1142
br_multihash_setimpl(br_multihash_context *ctx,

1143
	int id, const br_hash_class *impl)

1144
{

1145
	/*

1146
	 * This code relies on hash functions ID being values 1 to 6,

1147
	 * in the MD5 to SHA-512 order.

1148
	 */

1149
	ctx->impl[id - 1] = impl;

1150
}

1151


1152
/**

1153
 * \brief Get a hash function implementation.

1154
 *

1155
 * This function returns the currently configured vtable for a given

1156
 * hash function (by symbolic ID). If no such function was configured in

1157
 * the provided multi-hasher context, then this function returns `NULL`.

1158
 *

1159
 * \param ctx    the multi-hasher context.

1160
 * \param id     the hash function symbolic identifier.

1161
 * \return  the hash function vtable, or `NULL`.

1162
 */

1163
static inline const br_hash_class *

1164
br_multihash_getimpl(const br_multihash_context *ctx, int id)

1165
{

1166
	return ctx->impl[id - 1];

1167
}

1168


1169
/**

1170
 * \brief Reset a multi-hasher context.

1171
 *

1172
 * This function prepares the context for a new hashing computation,

1173
 * for all implementations configured at that point.

1174
 *

1175
 * \param ctx    the multi-hasher context.

1176
 */

1177
void br_multihash_init(br_multihash_context *ctx);

1178


1179
/**

1180
 * \brief Inject some data bytes in a running multi-hashing computation.

1181
 *

1182
 * The provided context is updated with some data bytes. If the number

1183
 * of bytes (`len`) is zero, then the data pointer (`data`) is ignored

1184
 * and may be `NULL`, and this function does nothing.

1185
 *

1186
 * \param ctx    pointer to the context structure.

1187
 * \param data   pointer to the injected data.

1188
 * \param len    injected data length (in bytes).

1189
 */

1190
void br_multihash_update(br_multihash_context *ctx,

1191
	const void *data, size_t len);

1192


1193
/**

1194
 * \brief Compute a hash output from a multi-hasher.

1195
 *

1196
 * The hash output for the concatenation of all bytes injected in the

1197
 * provided context since the last initialisation or reset call, is

1198
 * computed and written in the buffer pointed to by `dst`. The hash

1199
 * function to use is identified by `id` and must be one of the standard

1200
 * hash functions. If that hash function was indeed configured in the

1201
 * multi-hasher context, the corresponding hash value is written in

1202
 * `dst` and its length (in bytes) is returned. If the hash function

1203
 * was _not_ configured, then nothing is written in `dst` and 0 is

1204
 * returned.

1205
 *

1206
 * The context itself is not modified, so extra bytes may be injected

1207
 * afterwards to continue the hash computations.

1208
 *

1209
 * \param ctx   pointer to the context structure.

1210
 * \param id    the hash function symbolic identifier.

1211
 * \param dst   destination buffer for the hash output.

1212
 * \return  the hash output length (in bytes), or 0.

1213
 */

1214
size_t br_multihash_out(const br_multihash_context *ctx, int id, void *dst);

1215


1216
/**

1217
 * \brief Type for a GHASH implementation.

1218
 *

1219
 * GHASH is a sort of keyed hash meant to be used to implement GCM in

1220
 * combination with a block cipher (with 16-byte blocks).

1221
 *

1222
 * The `y` array has length 16 bytes and is used for input and output; in

1223
 * a complete GHASH run, it starts with an all-zero value. `h` is a 16-byte

1224
 * value that serves as key (it is derived from the encryption key in GCM,

1225
 * using the block cipher). The data length (`len`) is expressed in bytes.

1226
 * The `y` array is updated.

1227
 *

1228
 * If the data length is not a multiple of 16, then the data is implicitly

1229
 * padded with zeros up to the next multiple of 16. Thus, when using GHASH

1230
 * in GCM, this method may be called twice, for the associated data and

1231
 * for the ciphertext, respectively; the zero-padding implements exactly

1232
 * the GCM rules.

1233
 *

1234
 * \param y      the array to update.

1235
 * \param h      the GHASH key.

1236
 * \param data   the input data (may be `NULL` if `len` is zero).

1237
 * \param len    the input data length (in bytes).

1238
 */

1239
typedef void (*br_ghash)(void *y, const void *h, const void *data, size_t len);

1240


1241
/**

1242
 * \brief GHASH implementation using multiplications (mixed 32-bit).

1243
 *

1244
 * This implementation uses multiplications of 32-bit values, with a

1245
 * 64-bit result. It is constant-time (if multiplications are

1246
 * constant-time).

1247
 *

1248
 * \param y      the array to update.

1249
 * \param h      the GHASH key.

1250
 * \param data   the input data (may be `NULL` if `len` is zero).

1251
 * \param len    the input data length (in bytes).

1252
 */

1253
void br_ghash_ctmul(void *y, const void *h, const void *data, size_t len);

1254


1255
/**

1256
 * \brief GHASH implementation using multiplications (strict 32-bit).

1257
 *

1258
 * This implementation uses multiplications of 32-bit values, with a

1259
 * 32-bit result. It is usually somewhat slower than `br_ghash_ctmul()`,

1260
 * but it is expected to be faster on architectures for which the

1261
 * 32-bit multiplication opcode does not yield the upper 32 bits of the

1262
 * product. It is constant-time (if multiplications are constant-time).

1263
 *

1264
 * \param y      the array to update.

1265
 * \param h      the GHASH key.

1266
 * \param data   the input data (may be `NULL` if `len` is zero).

1267
 * \param len    the input data length (in bytes).

1268
 */

1269
void br_ghash_ctmul32(void *y, const void *h, const void *data, size_t len);

1270


1271
/**

1272
 * \brief GHASH implementation using multiplications (64-bit).

1273
 *

1274
 * This implementation uses multiplications of 64-bit values, with a

1275
 * 64-bit result. It is constant-time (if multiplications are

1276
 * constant-time). It is substantially faster than `br_ghash_ctmul()`

1277
 * and `br_ghash_ctmul32()` on most 64-bit architectures.

1278
 *

1279
 * \param y      the array to update.

1280
 * \param h      the GHASH key.

1281
 * \param data   the input data (may be `NULL` if `len` is zero).

1282
 * \param len    the input data length (in bytes).

1283
 */

1284
void br_ghash_ctmul64(void *y, const void *h, const void *data, size_t len);

1285


1286
/**

1287
 * \brief GHASH implementation using the `pclmulqdq` opcode (part of the

1288
 * AES-NI instructions).

1289
 *

1290
 * This implementation is available only on x86 platforms where the

1291
 * compiler supports the relevant intrinsic functions. Even if the

1292
 * compiler supports these functions, the local CPU might not support

1293
 * the `pclmulqdq` opcode, meaning that a call will fail with an

1294
 * illegal instruction exception. To safely obtain a pointer to this

1295
 * function when supported (or 0 otherwise), use `br_ghash_pclmul_get()`.

1296
 *

1297
 * \param y      the array to update.

1298
 * \param h      the GHASH key.

1299
 * \param data   the input data (may be `NULL` if `len` is zero).

1300
 * \param len    the input data length (in bytes).

1301
 */

1302
void br_ghash_pclmul(void *y, const void *h, const void *data, size_t len);

1303


1304
/**

1305
 * \brief Obtain the `pclmul` GHASH implementation, if available.

1306
 *

1307
 * If the `pclmul` implementation was compiled in the library (depending

1308
 * on the compiler abilities) _and_ the local CPU appears to support the

1309
 * opcode, then this function will return a pointer to the

1310
 * `br_ghash_pclmul()` function. Otherwise, it will return `0`.

1311
 *

1312
 * \return  the `pclmul` GHASH implementation, or `0`.

1313
 */

1314
br_ghash br_ghash_pclmul_get(void);

1315


1316
/**

1317
 * \brief GHASH implementation using the POWER8 opcodes.

1318
 *

1319
 * This implementation is available only on POWER8 platforms (and later).

1320
 * To safely obtain a pointer to this function when supported (or 0

1321
 * otherwise), use `br_ghash_pwr8_get()`.

1322
 *

1323
 * \param y      the array to update.

1324
 * \param h      the GHASH key.

1325
 * \param data   the input data (may be `NULL` if `len` is zero).

1326
 * \param len    the input data length (in bytes).

1327
 */

1328
void br_ghash_pwr8(void *y, const void *h, const void *data, size_t len);

1329


1330
/**

1331
 * \brief Obtain the `pwr8` GHASH implementation, if available.

1332
 *

1333
 * If the `pwr8` implementation was compiled in the library (depending

1334
 * on the compiler abilities) _and_ the local CPU appears to support the

1335
 * opcode, then this function will return a pointer to the

1336
 * `br_ghash_pwr8()` function. Otherwise, it will return `0`.

1337
 *

1338
 * \return  the `pwr8` GHASH implementation, or `0`.

1339
 */

1340
br_ghash br_ghash_pwr8_get(void);

1341


1342
#ifdef __cplusplus

1343
}

1344
#endif

1345


1346
#endif

1347


1348