CoCalc -- symcrypt

GitHub Repository: wine-mirror/wine
Path: blob/master/libs/symcrypt/inc/symcrypt_internal.h
¹⁵⁰¹⁰ views
1
//
2
// SymCrypt_internal.h
3
//
4
// Copyright (c) Microsoft Corporation. Licensed under the MIT license.
5
//
6

7
//
8
// This file contains information that is internal to the symcrypt library,
9
// but which still needs to be known to the compiler to be able to use the library.
10
// This includes structure declarations and all support for inline implementations
11
// of some of the library functions.
12
// Information in this file is not part of the API and can change at any time.
13
//
14

15
#pragma GCC diagnostic ignored "-Wunknown-pragmas"
16

17
//
18
// We use Prefast pragmas, but they are not recognized by the compiler.
19
// We disable the 'unknown pragma' warning if we are not in prefast mode.
20
//
21
#ifndef _PREFAST_
22
#pragma warning(disable:4068)
23
#endif
24

25
//==============================================================================================
26
//  PLATFORM/COMPILER DETECTION
27
//==============================================================================================
28

29
#define SYMCRYPT_PLATFORM_WINDOWS 0
30
#define SYMCRYPT_PLATFORM_APPLE   0 // macOS and other Apple platforms
31
#define SYMCRYPT_PLATFORM_UNIX    0 // Linux and other Unix-likes, besides macOS. Must support POSIX.
32

33
#if defined(_WIN32)
34
    #undef  SYMCRYPT_PLATFORM_WINDOWS
35
    #define SYMCRYPT_PLATFORM_WINDOWS 1
36
#elif defined(__APPLE__)
37
    #undef  SYMCRYPT_PLATFORM_APPLE
38
    #define SYMCRYPT_PLATFORM_APPLE 1
39
#elif (defined(linux) || defined(__unix__))
40
    #undef  SYMCRYPT_PLATFORM_UNIX
41
    #define SYMCRYPT_PLATFORM_UNIX 1
42
#endif
43

44
#define SYMCRYPT_MS_VC       0 // Microsoft compiler (cl.exe - Visual Studio/MSBuild)
45
#define SYMCRYPT_GNUC        0 // GCC and compatible compilers (including Clang)
46

47
#if defined(_MSC_VER)
48
    #undef  SYMCRYPT_MS_VC
49
    #define SYMCRYPT_MS_VC  1
50
#elif defined(__GNUC__)
51
    #undef  SYMCRYPT_GNUC
52
    #define SYMCRYPT_GNUC 1
53
#else
54
    #error Unsupported compiler
55
#endif
56

57
#if SYMCRYPT_MS_VC
58

59
// This should go somewhere else. Same in the other #if branches.
60
#define SYMCRYPT_ANYSIZE_ARRAY               1
61
#define SYMCRYPT_NOINLINE __declspec(noinline)
62
#define SYMCRYPT_CDECL __cdecl
63
#define SYMCRYPT_FASTCALL __fastcall
64

65
#define SYMCRYPT_UNALIGNED
66

67
#elif SYMCRYPT_GNUC
68

69
// Ignore the multi-character character constant warnings
70
#pragma GCC diagnostic ignored "-Wmultichar"
71
#pragma GCC diagnostic ignored "-Wincompatible-pointer-types"
72

73
#define SYMCRYPT_ANYSIZE_ARRAY               1
74
#define SYMCRYPT_NOINLINE           __attribute__ ((noinline))
75
#define SYMCRYPT_UNALIGNED
76
#define SYMCRYPT_CDECL
77
#define SYMCRYPT_FASTCALL           __attribute__((fastcall))
78

79
#endif
80

81
#ifdef __clang__
82
#pragma clang diagnostic ignored "-Wmultichar"
83
#pragma clang diagnostic ignored "-Wincompatible-function-pointer-types"
84
#pragma clang diagnostic ignored "-Wincompatible-pointer-types-discards-qualifiers"
85
#endif
86

87
//==============================================================================================
88
//  PLATFORM SPECIFICS
89
//==============================================================================================
90

91
//
92
// SYMCRYPT_CALL & SYMCRYPT_ALIGN
93
//
94
// SYMCRYPT_CALL is a macro that selects the calling convention used by the library.
95
// Crypto functions often have to perform very many small operations, and a fast calling convention is
96
// preferable. We use __fastcall on platforms that support it.
97
//
98
// SYMCRYPT_ALIGN is the default alignment for the platform.
99
// On platforms that have alignment restrictions the default alignment should be large enough that
100
// an aligned BYTE * can be cast to a pointer to a UINT32 and be used.
101
//
102
//
103
// The SYMCRYPT_IGNORE_PLATFORM macro can be defined to switch off any platform-specific
104
// optimizations and run just the C implementations.
105
// The rest of the library uses SYMCRYPT_CPU_* macros to make platform decisions.
106
//
107
//
108
// WARNING: both the library and the calling application must be compiled with the same
109
// set of flags, as the flags affect things like the structure layout and size and
110
// the calling convention, both of which need to be in sync between the lib and the caller.
111
//
112

113
//#define SYMCRYPT_IGNORE_PLATFORM        // #defining this flag disables all platform optimizations.
114

115
#define SYMCRYPT_CPU_X86            0
116
#define SYMCRYPT_CPU_AMD64          0
117
#define SYMCRYPT_CPU_ARM            0
118
#define SYMCRYPT_CPU_ARM64          0
119
#define SYMCRYPT_CPU_UNKNOWN        0
120

121
#if (defined( _X86_ ) || defined( _M_IX86 ) || defined( __i386__ )) && !defined ( SYMCRYPT_IGNORE_PLATFORM )
122

123
#undef  SYMCRYPT_CPU_X86
124
#define SYMCRYPT_CPU_X86        1
125

126
#define SYMCRYPT_CALL           SYMCRYPT_FASTCALL
127
#define SYMCRYPT_ALIGN_VALUE    4
128

129
#ifndef _PREFAST_
130
#pragma warning(push)
131
#pragma warning(disable:4359)   // *** Alignment specifier is less than actual alignment
132
#endif
133

134
#elif (defined( _ARM64_ ) || defined( _ARM64EC_ ) || defined( _M_ARM64 ) || defined( __aarch64__ ) || defined(__arm64ec__)) && !defined( SYMCRYPT_IGNORE_PLATFORM )
135

136
#undef  SYMCRYPT_CPU_ARM64
137
#define SYMCRYPT_CPU_ARM64      1
138
#define SYMCRYPT_CALL
139
#define SYMCRYPT_ALIGN_VALUE    16
140

141
#elif (defined( _AMD64_ ) || defined( _M_AMD64 ) || defined( __amd64__ )) && !defined ( SYMCRYPT_IGNORE_PLATFORM )
142

143
#undef  SYMCRYPT_CPU_AMD64
144
#define SYMCRYPT_CPU_AMD64      1
145

146
#define SYMCRYPT_CALL
147
#define SYMCRYPT_ALIGN_VALUE    16
148

149
#elif (defined( _ARM_ ) || defined( _M_ARM ) || defined( __arm__ )) && !defined( SYMCRYPT_IGNORE_PLATFORM )
150

151
#undef  SYMCRYPT_CPU_ARM
152
#define SYMCRYPT_CPU_ARM        1
153
#define SYMCRYPT_CALL
154
#define SYMCRYPT_ALIGN_VALUE    8
155

156
#elif defined( SYMCRYPT_IGNORE_PLATFORM )
157

158
#undef  SYMCRYPT_CPU_UNKNOWN
159
#define SYMCRYPT_CPU_UNKNOWN    1
160
#define SYMCRYPT_CALL
161
#define SYMCRYPT_ALIGN_VALUE    16
162

163
#ifndef _PREFAST_
164
#pragma warning(push)
165
#pragma warning(disable:4359)   // *** Alignment specifier is less than actual alignment
166
#endif
167

168
#else
169

170
#error Unknown CPU platform
171

172
#endif   // SYMCRYPT_CALL platforms switch
173

174

175
//
176
// Datatypes used by the SymCrypt library. This ensures compatibility
177
// with multiple environments, such as Windows, iOS, and Android.
178
//
179

180
#if SYMCRYPT_PLATFORM_WINDOWS
181

182
    //
183
    // Types included in intsafe.h:
184
    //      BYTE,
185
    //      INT16, UINT16,
186
    //      INT32, UINT32,
187
    //      INT64, UINT64,
188
    //      UINT_PTR
189
    // and macro:
190
    //      UINT32_MAX
191
    //
192
#include <intsafe.h>
193

194
#else
195

196
#include <stdint.h>
197

198
typedef uint8_t         BYTE;
199

200
#ifndef UINT32_MAX
201
#define UINT32_MAX      (0xffffffff)
202
#endif
203

204
#ifndef TRUE
205
#define TRUE            0x01
206
#endif
207

208
#ifndef FALSE
209
#define FALSE           0x00
210
#endif
211

212
// Size_t
213
typedef size_t          SIZE_T;
214

215
#ifndef SIZE_T_MAX
216
#define SIZE_T_MAX      SIZE_MAX
217
#endif
218

219
typedef int                 BOOL;
220

221
typedef int8_t              INT8, *PINT8;
222
typedef int16_t             INT16, *PINT16;
223
typedef int32_t             INT32, *PINT32;
224
typedef int64_t             INT64, *PINT64;
225
typedef uint8_t             UINT8, *PUINT8;
226
typedef uint16_t            UINT16, *PUINT16;
227
typedef uint32_t            UINT32, *PUINT32;
228
typedef uint64_t            UINT64, *PUINT64;
229

230
// minwindef.h
231
typedef char CHAR;
232

233
#endif //WIN32
234

235
#include <stddef.h>
236

237
//
238
// Pointer types
239
//
240
typedef BYTE *          PBYTE;
241
typedef const BYTE *    PCBYTE;
242

243
typedef UINT16 *        PUINT16;
244
typedef const UINT16 *  PCUINT16;
245

246
typedef UINT32 *        PUINT32;
247
typedef const UINT32 *  PCUINT32;
248

249
typedef UINT64 *        PUINT64;
250
typedef const UINT64 *  PCUINT64;
251

252
// Void
253

254
#ifndef VOID
255
#define VOID void
256
#endif
257

258
typedef void *          PVOID;
259
typedef const void *    PCVOID;
260

261
// winnt.h
262
typedef BYTE  BOOLEAN;
263

264
// Useful macros for structs
265
#define SYMCRYPT_FIELD_OFFSET(type, field)      (offsetof(type, field))
266
#define SYMCRYPT_FIELD_SIZE(type, field)        (sizeof( ((type *)0)->field ))
267

268
#if SYMCRYPT_MS_VC
269

270
#ifndef FORCEINLINE
271
#if (_MSC_VER >= 1200)
272
#define FORCEINLINE __forceinline
273
#else
274
#define FORCEINLINE __inline
275
#endif
276
#endif
277

278
#else
279

280
#undef FORCEINLINE
281
#define FORCEINLINE static inline
282

283
#endif
284

285
C_ASSERT( (SYMCRYPT_ALIGN_VALUE & (SYMCRYPT_ALIGN_VALUE - 1 )) == 0 );
286
#define SYMCRYPT_ALIGN_UP( _p ) ((PBYTE) ( ((SIZE_T) (_p) + SYMCRYPT_ALIGN_VALUE - 1) & ~(SYMCRYPT_ALIGN_VALUE - 1 ) ) )
287

288
#if SYMCRYPT_MS_VC
289
    #define SYMCRYPT_ALIGN_AT(alignment)                 __declspec(align(alignment))
290
    #define SYMCRYPT_WEAK_SYMBOL
291
#elif SYMCRYPT_GNUC
292
    #define SYMCRYPT_ALIGN_AT(alignment)                 __attribute__((aligned(alignment)))
293
    #define SYMCRYPT_WEAK_SYMBOL                         __attribute__((weak))
294
#else
295
    #define SYMCRYPT_ALIGN_AT(alignment)
296
    #define SYMCRYPT_WEAK_SYMBOL
297
#endif
298
#define SYMCRYPT_ALIGN_TYPE_AT(typename, alignment)  typename SYMCRYPT_ALIGN_AT(alignment)
299
#define SYMCRYPT_ALIGN          SYMCRYPT_ALIGN_AT(SYMCRYPT_ALIGN_VALUE)
300
#define SYMCRYPT_ALIGN_STRUCT   SYMCRYPT_ALIGN_TYPE_AT(struct, SYMCRYPT_ALIGN_VALUE)
301
#define SYMCRYPT_ALIGN_UNION    SYMCRYPT_ALIGN_TYPE_AT(union, SYMCRYPT_ALIGN_VALUE)
302

303

304
#define SYMCRYPT_MAX( _a, _b )  ((_a)>(_b)?(_a):(_b))
305
#define SYMCRYPT_MIN( _a, _b )  ((_a)<(_b)?(_a):(_b))
306

307
#if SYMCRYPT_CPU_X86 | SYMCRYPT_CPU_AMD64
308
//
309
// XMM related declarations, used in data structures.
310
//
311
#pragma prefast(push)
312
#pragma prefast(disable: 28251, "Windows headers define _mm_clflush with SAL annotation, Intel header doesn't have SAL annotation leading to inconsistent annotation errors")
313
#include <emmintrin.h>
314
#pragma prefast(pop)
315
#endif
316

317

318
//
319
// To provide quick error detection we have magic values in all
320
// our data structures, but only in CHKed builds.
321
// Our magic value depends on the address of the structure.
322
// This has the advantage that we detect blind memcpy's of our data structures.
323
// Memcpy is not supported as it limits what the library is allowed to do.
324
// Where needed the library provides for copy functions of its internal data structures.
325
//
326
#if SYMCRYPT_DEBUG
327
    #define SYMCRYPT_MAGIC_ENABLED
328
#endif
329

330
#if defined(SYMCRYPT_MAGIC_ENABLED )
331

332
#define SYMCRYPT_MAGIC_FIELD        SIZE_T   magic;
333
#define SYMCRYPT_MAGIC_VALUE( p )   ((SIZE_T) p + 'S1mv' + SYMCRYPT_API_VERSION)
334

335

336
#define SYMCRYPT_SET_MAGIC( p )     {(p)->magic = SYMCRYPT_MAGIC_VALUE( p );}
337
#define SYMCRYPT_CHECK_MAGIC( p )   {if((p)->magic!=SYMCRYPT_MAGIC_VALUE(p)) SymCryptFatal('magc');}
338
#define SYMCRYPT_WIPE_MAGIC( p )    {(p)->magic = 0;}
339

340
#else
341

342
//
343
// We define the magic field even for FRE builds, because we get too many
344
// hard-to-debug problems with people who accidentally mix FRE headers with CHKed libraries,
345
// or the other way around.
346
// E.g. BitLocker only publishes the FRE version of their library, and building a CHKed binary with
347
// that FRE lib crashes
348
//
349

350
#define SYMCRYPT_MAGIC_FIELD        SIZE_T   magic;
351
#define SYMCRYPT_SET_MAGIC( p )
352
#define SYMCRYPT_CHECK_MAGIC( p )
353
#define SYMCRYPT_WIPE_MAGIC( p )
354

355
#endif
356

357
//
358
// CPU feature detection infrastructure
359
//
360

361
#if !SYMCRYPT_PLATFORM_WINDOWS
362
    // Forward declarations for CPUID intrinsic replacements
363
    void __cpuidex(int CPUInfo[4], int InfoType, int ECXValue);
364
#endif
365

366
#if SYMCRYPT_CPU_ARM || SYMCRYPT_CPU_ARM64
367

368
#define SYMCRYPT_CPU_FEATURE_NEON           0x01
369
#define SYMCRYPT_CPU_FEATURE_NEON_AES       0x02
370
#define SYMCRYPT_CPU_FEATURE_NEON_PMULL     0x04
371
#define SYMCRYPT_CPU_FEATURE_NEON_SHA256    0x08
372

373
#elif SYMCRYPT_CPU_X86 | SYMCRYPT_CPU_AMD64
374

375
//
376
// We keep the most commonly tested bits in the least significant byte, to make it easier for the compiler to optimize
377
// There is a many to one relationship between CPUID feature flags and SYMCRYPT_CPU_FEATURE_XXX bits
378
// since a SYMCRYPT_CPU_FEATURE_XXX could require multiple CPUID features.
379

380
#define SYMCRYPT_CPU_FEATURE_SSE2               0x0001          // includes SSE, SSE2
381
#define SYMCRYPT_CPU_FEATURE_SSSE3              0x0002          // includes SSE, SSE2, SSE3, SSSE3
382
#define SYMCRYPT_CPU_FEATURE_AESNI              0x0004
383
#define SYMCRYPT_CPU_FEATURE_PCLMULQDQ          0x0008
384
#define SYMCRYPT_CPU_FEATURE_AVX2               0x0010          // includes AVX, AVX2 - also indicates support for saving/restoring Ymm registers
385
#define SYMCRYPT_CPU_FEATURE_SAVEXMM_NOFAIL     0x0020          // if SymCryptSaveXmm() will never fail
386
#define SYMCRYPT_CPU_FEATURE_SHANI              0x0040
387
#define SYMCRYPT_CPU_FEATURE_BMI2               0x0080          // MULX, RORX, SARX, SHLX, SHRX
388

389
#define SYMCRYPT_CPU_FEATURE_ADX                0x0100          // ADCX, ADOX
390
#define SYMCRYPT_CPU_FEATURE_RDRAND             0x0200
391
#define SYMCRYPT_CPU_FEATURE_RDSEED             0x0400
392
#define SYMCRYPT_CPU_FEATURE_VAES               0x0800          // support for VAES and VPCLMULQDQ (may only be supported on Ymm registers (i.e. Zen3))
393
#define SYMCRYPT_CPU_FEATURE_AVX512             0x1000          // includes F, VL, DQ, BW (VL allows AVX-512 instructions to be used on Xmm and Ymm registers)
394
                                                                // also indicates support for saving/restoring additional AVX-512 state
395

396
#define SYMCRYPT_CPU_FEATURE_CMPXCHG16B         0x2000          // Compare and Swap 128b value
397

398
#endif
399

400
typedef UINT32 SYMCRYPT_CPU_FEATURES;
401

402
//
403
// We have two feature fields.
404
// g_SymCryptCpuFeaturesNotPresent reports with features are not present on the current CPU
405
// SymCryptCpuFeaturesNeverPresent() is a function that returns a static (compiler-predictable) value,
406
//  and allows the environment to lock out features in a way that the compiler can optimize away all the code that uses these features.
407
// Using a function allows the environment macro to forward it to an environment-specific function.
408
//
409

410
extern SYMCRYPT_CPU_FEATURES g_SymCryptCpuFeaturesNotPresent;
411

412
SYMCRYPT_CPU_FEATURES
413
SYMCRYPT_CALL
414
SymCryptCpuFeaturesNeverPresent(void);
415

416
#define SYMCRYPT_CPU_FEATURES_PRESENT( x )   ( ((x) & SymCryptCpuFeaturesNeverPresent()) == 0 && ( (x) & g_SymCryptCpuFeaturesNotPresent ) == 0 )
417

418
//
419
// VOLATILE MEMORY ACCESS
420
//
421
// These macros are used to explicitly handle volatile memory access independent of compiler settings.
422
// If volatile memory is accessed directly without using the appropriate macro, MSVC may emit warning
423
// C4746, because the volatile semantics depend on the value of the /volatile flag, which can result in
424
// undesired hardware memory barriers that impact performance.
425
//
426
// More info:
427
// https://docs.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-c4746?view=msvc-170
428
// https://docs.microsoft.com/en-us/cpp/build/reference/volatile-volatile-keyword-interpretation?view=msvc-170
429
//
430

431
#if SYMCRYPT_MS_VC  // Microsoft VC++ Compiler
432

433
    #if SYMCRYPT_CPU_ARM || SYMCRYPT_CPU_ARM64
434
        #define SYMCRYPT_INTERNAL_VOLATILE_READ8( _p )    ( __iso_volatile_load8( (const volatile char*)(_p) ) )
435
        #define SYMCRYPT_INTERNAL_VOLATILE_READ16( _p )   ( __iso_volatile_load16( (const volatile short*)(_p) ) )
436
        #define SYMCRYPT_INTERNAL_VOLATILE_READ32( _p )   ( __iso_volatile_load32( (const volatile int*)(_p) ) )
437
        #define SYMCRYPT_INTERNAL_VOLATILE_READ64( _p )   ( __iso_volatile_load64( (const volatile __int64*)(_p) ) )
438

439
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE8( _p, _v )  ( __iso_volatile_store8( (volatile char*)(_p), (_v) ) )
440
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE16( _p, _v ) ( __iso_volatile_store16( (volatile short*)(_p), (_v) ) )
441
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE32( _p, _v ) ( __iso_volatile_store32( (volatile int*)(_p), (_v) ) )
442
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE64( _p, _v ) ( __iso_volatile_store64( (volatile __int64*)(_p), (_v) ) )
443
    #elif SYMCRYPT_CPU_X86 || SYMCRYPT_CPU_AMD64
444
        #define SYMCRYPT_INTERNAL_VOLATILE_READ8( _p )    ( *((const volatile BYTE*)  (_p)) )
445
        #define SYMCRYPT_INTERNAL_VOLATILE_READ16( _p )   ( *((const volatile UINT16*)(_p)) )
446
        #define SYMCRYPT_INTERNAL_VOLATILE_READ32( _p )   ( *((const volatile UINT32*)(_p)) )
447
        #define SYMCRYPT_INTERNAL_VOLATILE_READ64( _p )   ( *((const volatile UINT64*)(_p)) )
448

449
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE8( _p, _v )  ( *((volatile BYTE*)  (_p)) = (_v) )
450
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE16( _p, _v ) ( *((volatile UINT16*)(_p)) = (_v) )
451
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE32( _p, _v ) ( *((volatile UINT32*)(_p)) = (_v) )
452
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE64( _p, _v ) ( *((volatile UINT64*)(_p)) = (_v) )
453
    #else // Temporary workaround for CMake compilation issues on Windows. Assume X86/ADM64.
454
        #define SYMCRYPT_INTERNAL_VOLATILE_READ8( _p )    ( *((const volatile BYTE*)  (_p)) )
455
        #define SYMCRYPT_INTERNAL_VOLATILE_READ16( _p )   ( *((const volatile UINT16*)(_p)) )
456
        #define SYMCRYPT_INTERNAL_VOLATILE_READ32( _p )   ( *((const volatile UINT32*)(_p)) )
457
        #define SYMCRYPT_INTERNAL_VOLATILE_READ64( _p )   ( *((const volatile UINT64*)(_p)) )
458

459
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE8( _p, _v )  ( *((volatile BYTE*)  (_p)) = (_v) )
460
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE16( _p, _v ) ( *((volatile UINT16*)(_p)) = (_v) )
461
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE32( _p, _v ) ( *((volatile UINT32*)(_p)) = (_v) )
462
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE64( _p, _v ) ( *((volatile UINT64*)(_p)) = (_v) )
463
    #endif
464

465
#elif SYMCRYPT_GNUC
466

467
    #if !SYMCRYPT_CPU_ARM
468
        #define SYMCRYPT_INTERNAL_VOLATILE_READ8( _p )    ( *((const volatile BYTE*)  (_p)) )
469
        #define SYMCRYPT_INTERNAL_VOLATILE_READ16( _p )   ( *((const volatile UINT16*)(_p)) )
470
        #define SYMCRYPT_INTERNAL_VOLATILE_READ32( _p )   ( *((const volatile UINT32*)(_p)) )
471
        #define SYMCRYPT_INTERNAL_VOLATILE_READ64( _p )   ( *((const volatile UINT64*)(_p)) )
472

473
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE8( _p, _v )  ( *((volatile BYTE*)  (_p)) = (_v) )
474
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE16( _p, _v ) ( *((volatile UINT16*)(_p)) = (_v) )
475
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE32( _p, _v ) ( *((volatile UINT32*)(_p)) = (_v) )
476
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE64( _p, _v ) ( *((volatile UINT64*)(_p)) = (_v) )
477
    #else // SYMCRYPT_CPU_ARM
478
        #define SYMCRYPT_INTERNAL_VOLATILE_READ8( _p )    ( *((const volatile BYTE*)  (_p)) )
479
        #define SYMCRYPT_INTERNAL_VOLATILE_READ16( _p )   ( *((const volatile UINT16*)(_p)) )
480
        #define SYMCRYPT_INTERNAL_VOLATILE_READ32( _p )   ( *((const volatile UINT32*)(_p)) )
481
        #define SYMCRYPT_INTERNAL_VOLATILE_READ64( p ) ( (UINT64)SYMCRYPT_INTERNAL_VOLATILE_READ32(&((PBYTE)p)[4]) << 32 |  SYMCRYPT_INTERNAL_VOLATILE_READ32(&((PBYTE)p)[0]) )
482

483
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE8( _p, _v )  ( *((volatile BYTE*)  (_p)) = (_v) )
484
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE16( _p, _v ) ( *((volatile UINT16*)(_p)) = (_v) )
485
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE32( _p, _v ) ( *((volatile UINT32*)(_p)) = (_v) )
486
        #define SYMCRYPT_INTERNAL_VOLATILE_WRITE64( p, x ) { \
487
            SYMCRYPT_INTERNAL_VOLATILE_WRITE32( &((PBYTE)p)[0], (UINT32)((x)    ) );\
488
            SYMCRYPT_INTERNAL_VOLATILE_WRITE32( &((PBYTE)p)[4], (UINT32)(((UINT64)(x))>>32) );\
489
            }
490
    #endif
491

492
#else
493

494
    #error Unknown compiler
495

496
#endif
497

498
//
499
// FORCED MEMORY ACCESS
500
//
501
// These macros force a memory access. That is, they require that the memory
502
// read or write takes place, and do not allow the compiler to optimize the access
503
// away.
504
// They provide no other memory ordering requirements, so there are no acquire/release
505
// semantics, memory barriers, etc.
506
//
507
// The generic versions are implemented with a volatile access, but that is inefficient on some platforms
508
// because it might introduce memory ordering requirements.
509
//
510

511
#define SYMCRYPT_INTERNAL_FORCE_READ8( _p )    SYMCRYPT_INTERNAL_VOLATILE_READ8( _p )
512
#define SYMCRYPT_INTERNAL_FORCE_READ16( _p )   SYMCRYPT_INTERNAL_VOLATILE_READ16( _p )
513
#define SYMCRYPT_INTERNAL_FORCE_READ32( _p )   SYMCRYPT_INTERNAL_VOLATILE_READ32( _p )
514
#define SYMCRYPT_INTERNAL_FORCE_READ64( _p )   SYMCRYPT_INTERNAL_VOLATILE_READ64( _p )
515

516
#define SYMCRYPT_INTERNAL_FORCE_WRITE8( _p, _v )  SYMCRYPT_INTERNAL_VOLATILE_WRITE8( _p, _v )
517
#define SYMCRYPT_INTERNAL_FORCE_WRITE16( _p, _v ) SYMCRYPT_INTERNAL_VOLATILE_WRITE16( _p, _v )
518
#define SYMCRYPT_INTERNAL_FORCE_WRITE32( _p, _v ) SYMCRYPT_INTERNAL_VOLATILE_WRITE32( _p, _v )
519
#define SYMCRYPT_INTERNAL_FORCE_WRITE64( _p, _v ) SYMCRYPT_INTERNAL_VOLATILE_WRITE64( _p, _v )
520

521
//
522
// FIXED ENDIANNESS ACCESS
523
//
524
// Fixed endianness load and store
525
// We do this by platform because it affected by both endianness and alignment requirements
526
// The p pointer is always a pointer to BYTE
527
//
528
#if SYMCRYPT_MS_VC  // Microsoft VC++ Compiler
529
    #define SYMCRYPT_BSWAP16( x ) _byteswap_ushort(x)
530
    #define SYMCRYPT_BSWAP32( x ) _byteswap_ulong(x)
531
    #define SYMCRYPT_BSWAP64( x ) _byteswap_uint64(x)
532
#elif SYMCRYPT_GNUC
533
    #define SYMCRYPT_BSWAP16( x ) __builtin_bswap16(x)
534
    #define SYMCRYPT_BSWAP32( x ) __builtin_bswap32(x)
535
    #define SYMCRYPT_BSWAP64( x ) __builtin_bswap64(x)
536
#endif
537

538
#if SYMCRYPT_CPU_X86 | SYMCRYPT_CPU_AMD64 | SYMCRYPT_CPU_ARM64
539

540

541
//
542
// X86, AMD64, ARM, and ARM64 have no alignment restrictions, and are little-endian.
543
// We do straight store/loads with BSWAPs where required.
544
// This technically relies upon on undefined behavior, as we assume the compiler will translate
545
// operations on unaligned pointers to 2, 4, and 8 bytes types to appropriately unaligned store/load
546
// instructions on these platforms (not just in these macros). This works for all compilers we
547
// currently use.
548
//
549
#define SYMCRYPT_INTERNAL_LOAD_MSBFIRST16( p ) SYMCRYPT_BSWAP16( *((UINT16 *)(p)) )
550
#define SYMCRYPT_INTERNAL_LOAD_LSBFIRST16( p )                 ( *((UINT16 *)(p)) )
551
#define SYMCRYPT_INTERNAL_LOAD_MSBFIRST32( p ) SYMCRYPT_BSWAP32( *((UINT32 *)(p)) )
552
#define SYMCRYPT_INTERNAL_LOAD_LSBFIRST32( p )                 ( *((UINT32 *)(p)) )
553
#define SYMCRYPT_INTERNAL_LOAD_MSBFIRST64( p ) SYMCRYPT_BSWAP64( *((UINT64 *)(p)) )
554
#define SYMCRYPT_INTERNAL_LOAD_LSBFIRST64( p )                 ( *((UINT64 *)(p)) )
555

556
#define SYMCRYPT_INTERNAL_STORE_MSBFIRST16( p, x ) ( *(UINT16 *)(p) = SYMCRYPT_BSWAP16(x) )
557
#define SYMCRYPT_INTERNAL_STORE_LSBFIRST16( p, x ) ( *(UINT16 *)(p) =                 (x) )
558
#define SYMCRYPT_INTERNAL_STORE_MSBFIRST32( p, x ) ( *(UINT32 *)(p) = SYMCRYPT_BSWAP32(x) )
559
#define SYMCRYPT_INTERNAL_STORE_LSBFIRST32( p, x ) ( *(UINT32 *)(p) =                 (x) )
560
#define SYMCRYPT_INTERNAL_STORE_MSBFIRST64( p, x ) ( *(UINT64 *)(p) = SYMCRYPT_BSWAP64(x) )
561
#define SYMCRYPT_INTERNAL_STORE_LSBFIRST64( p, x ) ( *(UINT64 *)(p) =                 (x) )
562

563
#elif SYMCRYPT_CPU_ARM
564

565
//
566
// Only 64 bit accesses need to be aligned.
567
//
568
#define SYMCRYPT_INTERNAL_LOAD_MSBFIRST16( p ) SYMCRYPT_BSWAP16( *((UINT16 *)(p)) )
569
#define SYMCRYPT_INTERNAL_LOAD_LSBFIRST16( p )                 ( *((UINT16 *)(p)) )
570
#define SYMCRYPT_INTERNAL_LOAD_MSBFIRST32( p ) SYMCRYPT_BSWAP32( *((UINT32 *)(p)) )
571
#define SYMCRYPT_INTERNAL_LOAD_LSBFIRST32( p )                 ( *((UINT32 *)(p)) )
572

573
#define SYMCRYPT_INTERNAL_LOAD_MSBFIRST64( p ) ( (UINT64)SYMCRYPT_INTERNAL_LOAD_MSBFIRST32(&((PBYTE)p)[0]) << 32 | SYMCRYPT_INTERNAL_LOAD_MSBFIRST32(&((PBYTE)p)[4]) )
574
#define SYMCRYPT_INTERNAL_LOAD_LSBFIRST64( p ) ( (UINT64)SYMCRYPT_INTERNAL_LOAD_LSBFIRST32(&((PBYTE)p)[4]) << 32 | SYMCRYPT_INTERNAL_LOAD_LSBFIRST32(&((PBYTE)p)[0]) )
575

576

577

578
#define SYMCRYPT_INTERNAL_STORE_MSBFIRST16( p, x ) ( *(UINT16 *)(p) = SYMCRYPT_BSWAP16(x) )
579
#define SYMCRYPT_INTERNAL_STORE_LSBFIRST16( p, x ) ( *(UINT16 *)(p) =                 (x) )
580
#define SYMCRYPT_INTERNAL_STORE_MSBFIRST32( p, x ) ( *(UINT32 *)(p) = SYMCRYPT_BSWAP32(x) )
581
#define SYMCRYPT_INTERNAL_STORE_LSBFIRST32( p, x ) ( *(UINT32 *)(p) =                 (x) )
582
#define SYMCRYPT_INTERNAL_STORE_MSBFIRST64( p, x ) { \
583
    SYMCRYPT_INTERNAL_STORE_MSBFIRST32( &((PBYTE)p)[0],(UINT32)(((UINT64)(x))>>32) );\
584
    SYMCRYPT_INTERNAL_STORE_MSBFIRST32( &((PBYTE)p)[4],(UINT32)(x));\
585
    }
586

587
#define SYMCRYPT_INTERNAL_STORE_LSBFIRST64( p, x ) { \
588
    SYMCRYPT_INTERNAL_STORE_LSBFIRST32( &((PBYTE)p)[0], (UINT32)((x)    ) );\
589
    SYMCRYPT_INTERNAL_STORE_LSBFIRST32( &((PBYTE)p)[4], (UINT32)(((UINT64)(x))>>32) );\
590
    }
591
#else // unknown platform
592

593
//
594
// These functions have to handle arbitrary alignments too, so we do them byte-by-byte in the
595
// generic case.
596
// So far these macros have not been fully tested
597
//
598
#define SYMCRYPT_INTERNAL_LOAD_MSBFIRST16( p ) ( ((UINT16)((PBYTE)p)[0]) << 8 | ((PBYTE)p)[1] )
599
#define SYMCRYPT_INTERNAL_LOAD_LSBFIRST16( p ) ( ((UINT16)((PBYTE)p)[1]) << 8 | ((PBYTE)p)[0] )
600
#define SYMCRYPT_INTERNAL_LOAD_MSBFIRST32( p ) ( (UINT32)SYMCRYPT_INTERNAL_LOAD_MSBFIRST16(&((PBYTE)p)[0]) << 16 | SYMCRYPT_INTERNAL_LOAD_MSBFIRST16(&((PBYTE)p)[2]) )
601
#define SYMCRYPT_INTERNAL_LOAD_LSBFIRST32( p ) ( (UINT32)SYMCRYPT_INTERNAL_LOAD_LSBFIRST16(&((PBYTE)p)[2]) << 16 | SYMCRYPT_INTERNAL_LOAD_LSBFIRST16(&((PBYTE)p)[0]) )
602
#define SYMCRYPT_INTERNAL_LOAD_MSBFIRST64( p ) ( (UINT64)SYMCRYPT_INTERNAL_LOAD_MSBFIRST32(&((PBYTE)p)[0]) << 32 | SYMCRYPT_INTERNAL_LOAD_MSBFIRST32(&((PBYTE)p)[4]) )
603
#define SYMCRYPT_INTERNAL_LOAD_LSBFIRST64( p ) ( (UINT64)SYMCRYPT_INTERNAL_LOAD_LSBFIRST32(&((PBYTE)p)[4]) << 32 | SYMCRYPT_INTERNAL_LOAD_LSBFIRST32(&((PBYTE)p)[0]) )
604

605
#define SYMCRYPT_INTERNAL_STORE_MSBFIRST16( p, x ) { \
606
    ((PBYTE)p)[0] = (BYTE)((x)>> 8);\
607
    ((PBYTE)p)[1] = (BYTE)((x)    );\
608
    }
609

610
#define SYMCRYPT_INTERNAL_STORE_LSBFIRST16( p, x ) { \
611
    ((PBYTE)p)[0] = (BYTE)((x)    );\
612
    ((PBYTE)p)[1] = (BYTE)((x)>> 8);\
613
    }
614

615
#define SYMCRYPT_INTERNAL_STORE_MSBFIRST32( p, x ) { \
616
    ((PBYTE)p)[0] = (BYTE)((x)>>24);\
617
    ((PBYTE)p)[1] = (BYTE)((x)>>16);\
618
    ((PBYTE)p)[2] = (BYTE)((x)>> 8);\
619
    ((PBYTE)p)[3] = (BYTE)((x)    );\
620
    }
621

622
#define SYMCRYPT_INTERNAL_STORE_LSBFIRST32( p, x ) { \
623
    ((PBYTE)p)[0] = (BYTE)((x)    );\
624
    ((PBYTE)p)[1] = (BYTE)((x)>> 8);\
625
    ((PBYTE)p)[2] = (BYTE)((x)>>16);\
626
    ((PBYTE)p)[3] = (BYTE)((x)>>24);\
627
    }
628

629
#define SYMCRYPT_INTERNAL_STORE_MSBFIRST64( p, x ) { \
630
    SYMCRYPT_INTERNAL_STORE_MSBFIRST32( &((PBYTE)p)[0],(UINT32)(((UINT64)(x))>>32) );\
631
    SYMCRYPT_INTERNAL_STORE_MSBFIRST32( &((PBYTE)p)[4],(UINT32)(x));\
632
    }
633

634
#define SYMCRYPT_INTERNAL_STORE_LSBFIRST64( p, x ) { \
635
    SYMCRYPT_INTERNAL_STORE_LSBFIRST32( &((PBYTE)p)[0], (UINT32)((x)    ) );\
636
    SYMCRYPT_INTERNAL_STORE_LSBFIRST32( &((PBYTE)p)[4], (UINT32)(((UINT64)(x))>>32) );\
637
    }
638

639
#endif // platform switch for load/store macros
640

641

642
//==============================================================================================
643
//  INTERNAL DATA STRUCTURES
644
//==============================================================================================
645
//
646
// Note: we do not use the symbolic names like SYMCRYPT_SHA1_INPUT_BLOCK_SIZE as this
647
// file is included before that name is defined. Fixing that would make the public API header
648
// file harder to read by moving the constant away from the associated functions, or forcing
649
// the header file to use the struct name rather than the typedef. The current solution
650
// works quite well.
651
//
652

653
//-----------------------------------------------------------------
654
//     Block cipher description table
655
// Below are the typedefs for the block cipher description table type
656
// Callers can use this to define their own block cipher and use the block cipher
657
// modes.
658
//
659

660
typedef struct _SYMCRYPT_BLOCKCIPHER    SYMCRYPT_BLOCKCIPHER, *PSYMCRYPT_BLOCKCIPHER;
661
typedef const SYMCRYPT_BLOCKCIPHER  * PCSYMCRYPT_BLOCKCIPHER;
662

663
//
664
// Note that blockSize must be <= 32 and must be a power of two. This is true for all the block ciphers
665
// implemented in SymCrypt.
666
//
667

668
//
669
// HASH STATES
670
//
671
// All hash states have the same basic structure. This allows all hash implementations to share
672
// the same buffer management code. Some algorithms might still have optimized buffer management code
673
// specific for their algorithm, but most algs use the generic code.
674
// This is especially important for parallel hashing, where the buffer management & parallel organizational
675
// code are tightly coupled.
676
//
677

678
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_COMMON_HASH_STATE
679
{
680
                    UINT32                          bytesInBuffer;
681
                    SYMCRYPT_MAGIC_FIELD
682
                    UINT64                          dataLengthL;            // lower part of msg length
683
                    UINT64                          dataLengthH;            // upper part of msg length
684
    SYMCRYPT_ALIGN  BYTE                            buffer[SYMCRYPT_ANYSIZE_ARRAY];  // Size depends on algorithm
685
    // ...
686
    // Chaining state                                       // type/location depends on algorithm
687
    //
688
} SYMCRYPT_COMMON_HASH_STATE, *PSYMCRYPT_COMMON_HASH_STATE;
689

690

691
//
692
// SYMCRYPT_MD2_STATE
693
//
694
// Data structure that stores the state of an ongoing MD2 computation.
695
//
696
// The field names are from RFC 1319.
697
// It would be more efficient to store only the first 16 bytes of the X array,
698
// but that would complicate the code and MD2 isn't important enough to add
699
// extra complications.
700
//
701
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_MD2_CHAINING_STATE
702
{
703
    SYMCRYPT_ALIGN  BYTE    C[16];      // State for internal checksum computation
704
                    BYTE    X[48];      // State for actual hash chaining
705
} SYMCRYPT_MD2_CHAINING_STATE, *PSYMCRYPT_MD2_CHAINING_STATE;
706

707
//
708
// MD2 hash computation state.
709
//
710
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_MD2_STATE
711
{
712
                    UINT32                          bytesInBuffer;
713
                    SYMCRYPT_MAGIC_FIELD
714
                    UINT64                          dataLengthL;            // lower part of msg length
715
                    UINT64                          dataLengthH;            // upper part of msg length
716
    SYMCRYPT_ALIGN  BYTE                            buffer[16];             // buffer to keep one input block in
717
                    SYMCRYPT_MD2_CHAINING_STATE     chain;
718
} SYMCRYPT_MD2_STATE, *PSYMCRYPT_MD2_STATE;
719
typedef const SYMCRYPT_MD2_STATE *PCSYMCRYPT_MD2_STATE;
720

721
//
722
// SYMCRYPT_MD4_STATE
723
//
724
// Data structure that stores the state of an ongoing MD4 computation.
725
// The buffer contains dataLength % 64 bytes of data.
726
//
727
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_MD4_CHAINING_STATE
728
{
729
    UINT32   H[4];
730
} SYMCRYPT_MD4_CHAINING_STATE, *PSYMCRYPT_MD4_CHAINING_STATE;
731

732
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_MD4_STATE
733
{
734
                    UINT32                          bytesInBuffer;
735
                    SYMCRYPT_MAGIC_FIELD
736
                    UINT64                          dataLengthL;            // lower part of msg length
737
                    UINT64                          dataLengthH;            // upper part of msg length
738
    SYMCRYPT_ALIGN  BYTE                            buffer[64];             // buffer to keep one input block in
739
                    SYMCRYPT_MD4_CHAINING_STATE     chain;      // chaining state
740
} SYMCRYPT_MD4_STATE, *PSYMCRYPT_MD4_STATE;
741
typedef const SYMCRYPT_MD4_STATE *PCSYMCRYPT_MD4_STATE;
742

743

744
//
745
// SYMCRYPT_MD5_STATE
746
//
747
// Data structure that stores the state of an ongoing MD5 computation.
748
// The buffer contains dataLength % 64 bytes of data.
749
//
750
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_MD5_CHAINING_STATE
751
{
752
    UINT32   H[4];
753
} SYMCRYPT_MD5_CHAINING_STATE, *PSYMCRYPT_MD5_CHAINING_STATE;
754

755

756
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_MD5_STATE
757
{
758
                    UINT32                          bytesInBuffer;
759
                    SYMCRYPT_MAGIC_FIELD
760
                    UINT64                          dataLengthL;            // lower part of msg length
761
                    UINT64                          dataLengthH;            // upper part of msg length
762
    SYMCRYPT_ALIGN  BYTE                            buffer[64];             // buffer to keep one input block in
763
                    SYMCRYPT_MD5_CHAINING_STATE     chain;      // chaining state
764
} SYMCRYPT_MD5_STATE, *PSYMCRYPT_MD5_STATE;
765
typedef const SYMCRYPT_MD5_STATE *PCSYMCRYPT_MD5_STATE;
766

767

768
//
769
// SYMCRYPT_SHA1_STATE
770
//
771
// Data structure that stores the state of an ongoing SHA1 computation.
772
// The buffer contains dataLength % 64 bytes of data.
773
//
774
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA1_CHAINING_STATE
775
{
776
    UINT32   H[5];
777
} SYMCRYPT_SHA1_CHAINING_STATE, *PSYMCRYPT_SHA1_CHAINING_STATE;
778

779
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA1_STATE
780
{
781
                    UINT32                          bytesInBuffer;
782
                    SYMCRYPT_MAGIC_FIELD
783
                    UINT64                          dataLengthL;            // lower part of msg length
784
                    UINT64                          dataLengthH;            // upper part of msg length
785
    SYMCRYPT_ALIGN  BYTE                            buffer[64];             // buffer to keep one input block in
786
                    SYMCRYPT_SHA1_CHAINING_STATE    chain;      // chaining state
787
} SYMCRYPT_SHA1_STATE, *PSYMCRYPT_SHA1_STATE;
788
typedef const SYMCRYPT_SHA1_STATE *PCSYMCRYPT_SHA1_STATE;
789

790

791
//
792
// SYMCRYPT_SHA256_STATE
793
//
794
// Data structure that stores the state of an ongoing SHA256 computation.
795
// The buffer contains dataLength % 64 bytes of data.
796
//
797
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA256_CHAINING_STATE
798
{
799
    SYMCRYPT_ALIGN  UINT32   H[8];
800
} SYMCRYPT_SHA256_CHAINING_STATE, * PSYMCRYPT_SHA256_CHAINING_STATE;
801

802
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA256_STATE
803
{
804
                    UINT32                          bytesInBuffer;
805
                    SYMCRYPT_MAGIC_FIELD
806
                    UINT64                          dataLengthL;            // lower part of msg length
807
                    UINT64                          dataLengthH;            // upper part of msg length
808
    SYMCRYPT_ALIGN  BYTE                            buffer[64];             // buffer to keep one input block in
809
                    SYMCRYPT_SHA256_CHAINING_STATE  chain;      // chaining state
810
} SYMCRYPT_SHA256_STATE, *PSYMCRYPT_SHA256_STATE;
811
typedef const SYMCRYPT_SHA256_STATE *PCSYMCRYPT_SHA256_STATE;
812

813

814
//
815
// SYMCRYPT_SHA224_STATE
816
//
817
// This is identical to the SHA256 state.
818
//
819
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA224_STATE
820
{
821
                    UINT32                          bytesInBuffer;
822
                    SYMCRYPT_MAGIC_FIELD
823
                    UINT64                          dataLengthL;            // lower part of msg length
824
                    UINT64                          dataLengthH;            // upper part of msg length
825
    SYMCRYPT_ALIGN  BYTE                            buffer[64];             // buffer to keep one input block in
826
                    SYMCRYPT_SHA256_CHAINING_STATE  chain;      // chaining state
827
} SYMCRYPT_SHA224_STATE, *PSYMCRYPT_SHA224_STATE;
828
typedef const SYMCRYPT_SHA224_STATE *PCSYMCRYPT_SHA224_STATE;
829

830

831
//
832
// SYMCRYPT_SHA512_STATE
833
//
834
// Data structure that stores the state of an ongoing SHA512 computation.
835
// The buffer contains dataLength % 128 bytes of data.
836
//
837
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA512_CHAINING_STATE
838
{
839
    UINT64   H[8];
840
} SYMCRYPT_SHA512_CHAINING_STATE, *PSYMCRYPT_SHA512_CHAINING_STATE;
841

842
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA512_STATE
843
{
844
                    UINT32                          bytesInBuffer;
845
                    SYMCRYPT_MAGIC_FIELD
846
                    UINT64                          dataLengthL;            // lower part of msg length
847
                    UINT64                          dataLengthH;            // upper part of msg length
848
    SYMCRYPT_ALIGN  BYTE                            buffer[128];            // buffer to keep one input block in
849
                    SYMCRYPT_SHA512_CHAINING_STATE  chain;          // chaining state
850
} SYMCRYPT_SHA512_STATE, *PSYMCRYPT_SHA512_STATE;
851
typedef const SYMCRYPT_SHA512_STATE *PCSYMCRYPT_SHA512_STATE;
852

853

854
//
855
// SYMCRYPT_SHA384_STATE
856
//
857
// This is identical to the SHA512.
858
//
859
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA384_STATE
860
{
861
    UINT32                          bytesInBuffer;
862
    SYMCRYPT_MAGIC_FIELD
863
    UINT64                          dataLengthL;            // lower part of msg length
864
    UINT64                          dataLengthH;            // upper part of msg length
865
    SYMCRYPT_ALIGN  BYTE            buffer[128];            // buffer to keep one input block in
866
    SYMCRYPT_SHA512_CHAINING_STATE  chain;          // chaining state
867
} SYMCRYPT_SHA384_STATE, *PSYMCRYPT_SHA384_STATE;
868
typedef const SYMCRYPT_SHA384_STATE *PCSYMCRYPT_SHA384_STATE;
869

870

871
//
872
// SYMCRYPT_SHA512_224_STATE
873
//
874
// This is identical to the SHA512.
875
//
876
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA512_224_STATE
877
{
878
    UINT32                          bytesInBuffer;
879
    SYMCRYPT_MAGIC_FIELD
880
    UINT64                          dataLengthL;            // lower part of msg length
881
    UINT64                          dataLengthH;            // upper part of msg length
882
    SYMCRYPT_ALIGN  BYTE            buffer[128];            // buffer to keep one input block in
883
    SYMCRYPT_SHA512_CHAINING_STATE  chain;          // chaining state
884
} SYMCRYPT_SHA512_224_STATE, *PSYMCRYPT_SHA512_224_STATE;
885
typedef const SYMCRYPT_SHA512_224_STATE *PCSYMCRYPT_SHA512_224_STATE;
886

887

888
//
889
// SYMCRYPT_SHA512_256_STATE
890
//
891
// This is identical to the SHA512.
892
//
893
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA512_256_STATE
894
{
895
    UINT32                          bytesInBuffer;
896
    SYMCRYPT_MAGIC_FIELD
897
    UINT64                          dataLengthL;            // lower part of msg length
898
    UINT64                          dataLengthH;            // upper part of msg length
899
    SYMCRYPT_ALIGN  BYTE            buffer[128];            // buffer to keep one input block in
900
    SYMCRYPT_SHA512_CHAINING_STATE  chain;          // chaining state
901
} SYMCRYPT_SHA512_256_STATE, *PSYMCRYPT_SHA512_256_STATE;
902
typedef const SYMCRYPT_SHA512_256_STATE *PCSYMCRYPT_SHA512_256_STATE;
903

904

905
//
906
// SYMCRYPT_KECCAK_STATE
907
//
908
// Data structure that stores the state of an ongoing SHA-3 derived algorithm computation.
909
//
910

911
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_KECCAK_STATE
912
{
913
    SYMCRYPT_ALIGN  UINT64  state[25];      // state for Keccak-f[1600] permutation
914
    UINT32                  inputBlockSize; // rate
915
    UINT32                  stateIndex;     // position in the state for next merge/extract operation
916
    UINT8                   paddingValue;   // Keccak padding value
917
    BOOLEAN                 squeezeMode;    // denotes whether the state is in squeeze mode
918
} SYMCRYPT_KECCAK_STATE, *PSYMCRYPT_KECCAK_STATE;
919
typedef const SYMCRYPT_KECCAK_STATE *PCSYMCRYPT_KECCAK_STATE;
920

921
//
922
// SYMCRYPT_SHA3_224_STATE
923
//
924
// Data structure that stores the state of an ongoing SHA3-224 computation.
925
//
926
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA3_224_STATE
927
{
928
    SYMCRYPT_KECCAK_STATE   ks;
929
    SYMCRYPT_MAGIC_FIELD
930
} SYMCRYPT_SHA3_224_STATE, * PSYMCRYPT_SHA3_224_STATE;
931
typedef const SYMCRYPT_SHA3_224_STATE* PCSYMCRYPT_SHA3_224_STATE;
932

933
//
934
// SYMCRYPT_SHA3_256_STATE
935
//
936
// Data structure that stores the state of an ongoing SHA3-256 computation.
937
//
938
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA3_256_STATE
939
{
940
    SYMCRYPT_KECCAK_STATE   ks;
941
    SYMCRYPT_MAGIC_FIELD
942
} SYMCRYPT_SHA3_256_STATE, * PSYMCRYPT_SHA3_256_STATE;
943
typedef const SYMCRYPT_SHA3_256_STATE* PCSYMCRYPT_SHA3_256_STATE;
944

945
//
946
// SYMCRYPT_SHA3_384_STATE
947
//
948
// Data structure that stores the state of an ongoing SHA3-384 computation.
949
//
950
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA3_384_STATE
951
{
952
    SYMCRYPT_KECCAK_STATE   ks;
953
    SYMCRYPT_MAGIC_FIELD
954
} SYMCRYPT_SHA3_384_STATE, * PSYMCRYPT_SHA3_384_STATE;
955
typedef const SYMCRYPT_SHA3_384_STATE* PCSYMCRYPT_SHA3_384_STATE;
956

957
//
958
// SYMCRYPT_SHA3_512_STATE
959
//
960
// Data structure that stores the state of an ongoing SHA3-512 computation.
961
//
962
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHA3_512_STATE
963
{
964
    SYMCRYPT_KECCAK_STATE   ks;
965
    SYMCRYPT_MAGIC_FIELD
966
} SYMCRYPT_SHA3_512_STATE, * PSYMCRYPT_SHA3_512_STATE;
967
typedef const SYMCRYPT_SHA3_512_STATE* PCSYMCRYPT_SHA3_512_STATE;
968

969
//
970
// SYMCRYPT_SHAKE128_STATE
971
//
972
// Data structure that stores the state of an ongoing SHAKE128 computation.
973
//
974
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHAKE128_STATE
975
{
976
    SYMCRYPT_KECCAK_STATE   ks;
977
    SYMCRYPT_MAGIC_FIELD
978
} SYMCRYPT_SHAKE128_STATE, * PSYMCRYPT_SHAKE128_STATE;
979
typedef const SYMCRYPT_SHAKE128_STATE* PCSYMCRYPT_SHAKE128_STATE;
980

981
//
982
// SYMCRYPT_SHAKE256_STATE
983
//
984
// Data structure that stores the state of an ongoing SHAKE256 computation.
985
//
986
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_SHAKE256_STATE
987
{
988
    SYMCRYPT_KECCAK_STATE   ks;
989
    SYMCRYPT_MAGIC_FIELD
990
} SYMCRYPT_SHAKE256_STATE, * PSYMCRYPT_SHAKE256_STATE;
991
typedef const SYMCRYPT_SHAKE256_STATE* PCSYMCRYPT_SHAKE256_STATE;
992

993
//
994
// SYMCRYPT_CSHAKE128_STATE
995
//
996
// Data structure that stores the state of an ongoing CSHAKE128 computation.
997
//
998
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_CSHAKE128_STATE
999
{
1000
    SYMCRYPT_KECCAK_STATE   ks;
1001
    SYMCRYPT_MAGIC_FIELD
1002
} SYMCRYPT_CSHAKE128_STATE, * PSYMCRYPT_CSHAKE128_STATE;
1003
typedef const SYMCRYPT_CSHAKE128_STATE* PCSYMCRYPT_CSHAKE128_STATE;
1004

1005
//
1006
// SYMCRYPT_CSHAKE256_STATE
1007
//
1008
// Data structure that stores the state of an ongoing CSHAKE256 computation.
1009
//
1010
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_CSHAKE256_STATE
1011
{
1012
    SYMCRYPT_KECCAK_STATE   ks;
1013
    SYMCRYPT_MAGIC_FIELD
1014
} SYMCRYPT_CSHAKE256_STATE, * PSYMCRYPT_CSHAKE256_STATE;
1015
typedef const SYMCRYPT_CSHAKE256_STATE* PCSYMCRYPT_CSHAKE256_STATE;
1016

1017
//
1018
// SYMCRYPT_KMAC128_EXPANDED_KEY
1019
//
1020
// Data structure that stores the expanded key for KMAC128.
1021
//
1022
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_KMAC128_EXPANDED_KEY
1023
{
1024
    SYMCRYPT_KECCAK_STATE   ks;
1025
    SYMCRYPT_MAGIC_FIELD
1026
} SYMCRYPT_KMAC128_EXPANDED_KEY, * PSYMCRYPT_KMAC128_EXPANDED_KEY;
1027
typedef const SYMCRYPT_KMAC128_EXPANDED_KEY* PCSYMCRYPT_KMAC128_EXPANDED_KEY;
1028

1029
//
1030
// SYMCRYPT_KMAC128_STATE
1031
//
1032
// Data structure that stores the state of an ongoing KMAC128 computation.
1033
//
1034
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_KMAC128_STATE
1035
{
1036
    SYMCRYPT_KECCAK_STATE   ks;
1037
    SYMCRYPT_MAGIC_FIELD
1038
} SYMCRYPT_KMAC128_STATE, * PSYMCRYPT_KMAC128_STATE;
1039
typedef const SYMCRYPT_KMAC128_STATE* PCSYMCRYPT_KMAC128_STATE;
1040

1041
//
1042
// SYMCRYPT_KMAC256_EXPANDED_KEY
1043
//
1044
// Data structure that stores the expanded key for KMAC256.
1045
//
1046
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_KMAC256_EXPANDED_KEY
1047
{
1048
    SYMCRYPT_KECCAK_STATE   ks;
1049
    SYMCRYPT_MAGIC_FIELD
1050
} SYMCRYPT_KMAC256_EXPANDED_KEY, * PSYMCRYPT_KMAC256_EXPANDED_KEY;
1051
typedef const SYMCRYPT_KMAC256_EXPANDED_KEY* PCSYMCRYPT_KMAC256_EXPANDED_KEY;
1052

1053
//
1054
// SYMCRYPT_KMAC256_STATE
1055
//
1056
// Data structure that stores the state of an ongoing KMAC256 computation.
1057
//
1058
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_KMAC256_STATE
1059
{
1060
    SYMCRYPT_KECCAK_STATE   ks;
1061
    SYMCRYPT_MAGIC_FIELD
1062
} SYMCRYPT_KMAC256_STATE, * PSYMCRYPT_KMAC256_STATE;
1063
typedef const SYMCRYPT_KMAC256_STATE* PCSYMCRYPT_KMAC256_STATE;
1064

1065

1066
//
1067
// Generic hashing
1068
//
1069

1070
typedef struct _SYMCRYPT_OID {
1071
    UINT32  cbOID;
1072
    _Field_size_( cbOID ) PCBYTE  pbOID;
1073
} SYMCRYPT_OID, *PSYMCRYPT_OID;
1074
typedef const SYMCRYPT_OID *PCSYMCRYPT_OID;
1075

1076
//
1077
// OID lists for the most commonly used hash functions
1078
//
1079

1080
#define SYMCRYPT_MD5_OID_COUNT         (2)
1081
extern const SYMCRYPT_OID SymCryptMd5OidList[SYMCRYPT_MD5_OID_COUNT];
1082

1083
#define SYMCRYPT_SHA1_OID_COUNT        (2)
1084
extern const SYMCRYPT_OID SymCryptSha1OidList[SYMCRYPT_SHA1_OID_COUNT];
1085

1086
#define SYMCRYPT_SHA224_OID_COUNT      (2)
1087
extern const SYMCRYPT_OID SymCryptSha224OidList[SYMCRYPT_SHA224_OID_COUNT];
1088

1089
#define SYMCRYPT_SHA256_OID_COUNT      (2)
1090
extern const SYMCRYPT_OID SymCryptSha256OidList[SYMCRYPT_SHA256_OID_COUNT];
1091

1092
#define SYMCRYPT_SHA384_OID_COUNT      (2)
1093
extern const SYMCRYPT_OID SymCryptSha384OidList[SYMCRYPT_SHA384_OID_COUNT];
1094

1095
#define SYMCRYPT_SHA512_OID_COUNT      (2)
1096
extern const SYMCRYPT_OID SymCryptSha512OidList[SYMCRYPT_SHA512_OID_COUNT];
1097

1098
#define SYMCRYPT_SHA512_224_OID_COUNT      (2)
1099
extern const SYMCRYPT_OID SymCryptSha512_224OidList[SYMCRYPT_SHA512_224_OID_COUNT];
1100

1101
#define SYMCRYPT_SHA512_256_OID_COUNT      (2)
1102
extern const SYMCRYPT_OID SymCryptSha512_256OidList[SYMCRYPT_SHA512_256_OID_COUNT];
1103

1104
#define SYMCRYPT_SHA3_224_OID_COUNT      (2)
1105
extern const SYMCRYPT_OID SymCryptSha3_224OidList[SYMCRYPT_SHA3_224_OID_COUNT];
1106

1107
#define SYMCRYPT_SHA3_256_OID_COUNT      (2)
1108
extern const SYMCRYPT_OID SymCryptSha3_256OidList[SYMCRYPT_SHA3_256_OID_COUNT];
1109

1110
#define SYMCRYPT_SHA3_384_OID_COUNT      (2)
1111
extern const SYMCRYPT_OID SymCryptSha3_384OidList[SYMCRYPT_SHA3_384_OID_COUNT];
1112

1113
#define SYMCRYPT_SHA3_512_OID_COUNT      (2)
1114
extern const SYMCRYPT_OID SymCryptSha3_512OidList[SYMCRYPT_SHA3_512_OID_COUNT];
1115

1116
#define SYMCRYPT_SHAKE128_OID_COUNT      (2)
1117
extern const SYMCRYPT_OID SymCryptShake128OidList[SYMCRYPT_SHAKE128_OID_COUNT];
1118

1119
#define SYMCRYPT_SHAKE256_OID_COUNT      (2)
1120
extern const SYMCRYPT_OID SymCryptShake256OidList[SYMCRYPT_SHAKE256_OID_COUNT];
1121

1122
typedef enum _SYMCRYPT_OID_LIST_ID
1123
{
1124
    SYMCRYPT_OID_LIST_ID_NULL           = 0,
1125
    SYMCRYPT_OID_LIST_ID_MD5            = 1,
1126
    SYMCRYPT_OID_LIST_ID_SHA1           = 2,
1127
    SYMCRYPT_OID_LIST_ID_SHA224         = 3,
1128
    SYMCRYPT_OID_LIST_ID_SHA256         = 4,
1129
    SYMCRYPT_OID_LIST_ID_SHA384         = 5,
1130
    SYMCRYPT_OID_LIST_ID_SHA512         = 6,
1131
    SYMCRYPT_OID_LIST_ID_SHA512_224     = 7,
1132
    SYMCRYPT_OID_LIST_ID_SHA512_256     = 8,
1133
    SYMCRYPT_OID_LIST_ID_SHA3_224       = 9,
1134
    SYMCRYPT_OID_LIST_ID_SHA3_256       = 10,
1135
    SYMCRYPT_OID_LIST_ID_SHA3_384       = 11,
1136
    SYMCRYPT_OID_LIST_ID_SHA3_512       = 12,
1137
    SYMCRYPT_OID_LIST_ID_SHAKE128       = 13,
1138
    SYMCRYPT_OID_LIST_ID_SHAKE256       = 14
1139
} SYMCRYPT_OID_LIST_ID;
1140

1141
PCSYMCRYPT_OID
1142
SYMCRYPT_CALL
1143
SymCryptGetOidList( SYMCRYPT_OID_LIST_ID oidId, _Out_opt_ SIZE_T* pCount );
1144
//
1145
// Returns a pointer to the OID list for the specified OID list ID. If pCount is non-NULL, the
1146
// pointed-to value will be set to the number of elements in the OID list.
1147
// Returns NULL if the OID list ID is invalid.
1148
//
1149

1150
typedef union _SYMCRYPT_HASH_STATE
1151
{
1152
    SYMCRYPT_MD2_STATE          md2State;
1153
    SYMCRYPT_MD4_STATE          md4State;
1154
    SYMCRYPT_MD5_STATE          md5State;
1155
    SYMCRYPT_SHA1_STATE         sha1State;
1156
    SYMCRYPT_SHA224_STATE       sha224State;
1157
    SYMCRYPT_SHA256_STATE       sha256State;
1158
    SYMCRYPT_SHA384_STATE       sha384State;
1159
    SYMCRYPT_SHA512_STATE       sha512State;
1160
    SYMCRYPT_SHA512_224_STATE   sha512_224State;
1161
    SYMCRYPT_SHA512_256_STATE   sha512_256State;
1162
    SYMCRYPT_SHA3_224_STATE     sha3_224State;
1163
    SYMCRYPT_SHA3_256_STATE     sha3_256State;
1164
    SYMCRYPT_SHA3_384_STATE     sha3_384State;
1165
    SYMCRYPT_SHA3_512_STATE     sha3_512State;
1166
} SYMCRYPT_HASH_STATE, *PSYMCRYPT_HASH_STATE;
1167
typedef const SYMCRYPT_HASH_STATE *PCSYMCRYPT_HASH_STATE;
1168

1169
#define SYMCRYPT_HASH_MAX_RESULT_SIZE    SYMCRYPT_SHA512_RESULT_SIZE
1170

1171
SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HASH;
1172
SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_PARALLEL_HASH;
1173

1174
typedef struct _SYMCRYPT_HASH SYMCRYPT_HASH, *PSYMCRYPT_HASH;
1175
typedef const SYMCRYPT_HASH  *PCSYMCRYPT_HASH;
1176
typedef struct _SYMCRYPT_PARALLEL_HASH SYMCRYPT_PARALLEL_HASH, *PSYMCRYPT_PARALLEL_HASH;
1177
typedef const SYMCRYPT_PARALLEL_HASH  *PCSYMCRYPT_PARALLEL_HASH;
1178

1179
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_HASH_INIT_FUNC)             ( PVOID pState );
1180
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_HASH_APPEND_FUNC)           ( PVOID pState, PCBYTE pbData, SIZE_T cbData );
1181
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_HASH_RESULT_FUNC)           ( PVOID pState, PVOID pbResult );
1182
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_HASH_APPEND_BLOCKS_FUNC)    ( PVOID pChain, PCBYTE pbData, SIZE_T cbData, SIZE_T * pcbRemaining );
1183
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_HASH_STATE_COPY_FUNC)       ( PCVOID pStateSrc, PVOID pStateDst );
1184

1185
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HASH
1186
{
1187
    PSYMCRYPT_HASH_INIT_FUNC            initFunc;
1188
    PSYMCRYPT_HASH_APPEND_FUNC          appendFunc;
1189
    PSYMCRYPT_HASH_RESULT_FUNC          resultFunc;
1190
    PSYMCRYPT_HASH_APPEND_BLOCKS_FUNC   appendBlockFunc;
1191
    PSYMCRYPT_HASH_STATE_COPY_FUNC      stateCopyFunc;
1192
    UINT32                              stateSize;          // sizeof( hash state )
1193
    UINT32                              resultSize;         // size of hash result
1194
    UINT32                              inputBlockSize;
1195
    UINT32                              chainOffset;        // offset into state structure of the chaining state
1196
    UINT32                              chainSize;          // size of chaining state
1197
} SYMCRYPT_HASH, *PSYMCRYPT_HASH;
1198

1199

1200
//
1201
// Parallel hashing
1202
//
1203

1204
#if SYMCRYPT_CPU_ARM
1205
#define SYMCRYPT_PARALLEL_SHA256_MIN_PARALLELISM    (3)
1206
#define SYMCRYPT_PARALLEL_SHA256_MAX_PARALLELISM    (4)
1207
#else
1208
#define SYMCRYPT_PARALLEL_SHA256_MIN_PARALLELISM    (2)
1209
#define SYMCRYPT_PARALLEL_SHA256_MAX_PARALLELISM    (8)
1210
#endif
1211

1212
typedef enum _SYMCRYPT_HASH_OPERATION_TYPE {
1213
    SYMCRYPT_HASH_OPERATION_APPEND = 1,
1214
    SYMCRYPT_HASH_OPERATION_RESULT = 2,
1215
} SYMCRYPT_HASH_OPERATION_TYPE;
1216

1217
typedef struct _SYMCRYPT_PARALLEL_HASH_OPERATION    SYMCRYPT_PARALLEL_HASH_OPERATION, *PSYMCRYPT_PARALLEL_HASH_OPERATION;
1218
typedef const SYMCRYPT_PARALLEL_HASH_OPERATION *PCSYMRYPT_PARALLEL_HASH_OPERATION;
1219

1220
struct _SYMCRYPT_PARALLEL_HASH_OPERATION {
1221
                                SIZE_T                              iHash;          // index of hash object into the state array
1222
                                SYMCRYPT_HASH_OPERATION_TYPE        hashOperation;  // operation to be performed
1223
    _Field_size_( cbBuffer )    PBYTE                               pbBuffer;       // data to be hashed, or result buffer
1224
                                SIZE_T                              cbBuffer;       // size of pbData buffer.
1225
                                PSYMCRYPT_PARALLEL_HASH_OPERATION   next;           // internal scratch space; do not use.
1226
};
1227

1228

1229
SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_PARALLEL_HASH_SCRATCH_OPERATION; // as yet unspecified struct
1230
typedef struct _SYMCRYPT_PARALLEL_HASH_SCRATCH_OPERATION
1231
        SYMCRYPT_PARALLEL_HASH_SCRATCH_OPERATION, *PSYMCRYPT_PARALLEL_HASH_SCRATCH_OPERATION;
1232

1233
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_PARALLEL_HASH_SCRATCH_STATE {
1234
    PVOID                               hashState;          // the actual hash state
1235
    BYTE                                processingState;
1236
    BYTE                                bytesAlreadyProcessed;  // of the next Append operation
1237
    UINT64                              bytes;              // # bytes left to process on this state
1238
    PSYMCRYPT_PARALLEL_HASH_OPERATION   next;               // next operation to be performed.
1239
    PCBYTE                              pbData;             // data/size of ongoing append operation; this op has already been removed from the next linked list
1240
    SIZE_T                              cbData;
1241
}SYMCRYPT_PARALLEL_HASH_SCRATCH_STATE, *PSYMCRYPT_PARALLEL_HASH_SCRATCH_STATE;
1242

1243

1244
//
1245
// The scratch space used by parallel SHA-256 consists of three regions:
1246
// - an array of SYMCRYPT_PARALLEL_HASH_SCRATCH_STATE structures, aligned to SYMCRYPT_ALIGN_VALUE.
1247
// - the work array, an array of pointers to SYMCRYPT_PARALLEL_HASH_SCRATCH_STATEs.
1248
// - an array of 4 + 8 + 64 SIMD vector elements, aligned to the size of those elements.
1249
//
1250
//
1251
#if SYMCRYPT_CPU_X86 | SYMCRYPT_CPU_AMD64
1252
#define SYMCRYPT_SIMD_ELEMENT_SIZE  32
1253
#elif SYMCRYPT_CPU_ARM | SYMCRYPT_CPU_ARM64
1254
#define SYMCRYPT_SIMD_ELEMENT_SIZE  16
1255
#elif SYMCRYPT_CPU_UNKNOWN
1256
#define SYMCRYPT_SIMD_ELEMENT_SIZE  0
1257
#else
1258
#error Unknown CPU
1259
#endif
1260

1261
#define SYMCRYPT_PARALLEL_SHA256_FIXED_SCRATCH  ( (4 + 8 + 64) * SYMCRYPT_SIMD_ELEMENT_SIZE + SYMCRYPT_SIMD_ELEMENT_SIZE - 1  + SYMCRYPT_ALIGN_VALUE - 1 )
1262
#define SYMCRYPT_PARALLEL_SHA384_FIXED_SCRATCH  ( (4 + 8 + 80) * SYMCRYPT_SIMD_ELEMENT_SIZE + SYMCRYPT_SIMD_ELEMENT_SIZE - 1  + SYMCRYPT_ALIGN_VALUE - 1 )
1263
#define SYMCRYPT_PARALLEL_SHA512_FIXED_SCRATCH  ( (4 + 8 + 80) * SYMCRYPT_SIMD_ELEMENT_SIZE + SYMCRYPT_SIMD_ELEMENT_SIZE - 1  + SYMCRYPT_ALIGN_VALUE - 1 )
1264
#define SYMCRYPT_PARALLEL_HASH_PER_STATE_SCRATCH  (sizeof( SYMCRYPT_PARALLEL_HASH_SCRATCH_STATE ) + sizeof( PSYMCRYPT_PARALLEL_HASH_SCRATCH_STATE ) )
1265

1266
SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_PARALLEL_HASH;
1267
typedef struct _SYMCRYPT_PARALLEL_HASH SYMCRYPT_PARALLEL_HASH, *PSYMCRYPT_PARALLEL_HASH;
1268
typedef const SYMCRYPT_PARALLEL_HASH  *PCSYMCRYPT_PARALLEL_HASH;
1269

1270
typedef BOOLEAN (SYMCRYPT_CALL * PSYMCRYPT_PARALLEL_HASH_RESULT_FUNC) (PCSYMCRYPT_PARALLEL_HASH pParHash, PSYMCRYPT_COMMON_HASH_STATE pState, PSYMCRYPT_PARALLEL_HASH_SCRATCH_STATE pScratch, BOOLEAN *pRes );
1271
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_PARALLEL_HASH_RESULT_DONE_FUNC ) (PCSYMCRYPT_PARALLEL_HASH pParHash, PSYMCRYPT_COMMON_HASH_STATE pState, PCSYMRYPT_PARALLEL_HASH_OPERATION pOp);
1272
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_PARALLEL_APPEND_FUNC) (
1273
    _Inout_updates_( nPar )                 PSYMCRYPT_PARALLEL_HASH_SCRATCH_STATE * pWork,
1274
                                            SIZE_T                                  nPar,
1275
                                            SIZE_T                                  nBytes,
1276
    _Out_writes_( cbSimdScratch )           PBYTE                                   pbSimdScratch,
1277
                                            SIZE_T                                  cbSimdScratch );
1278

1279
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_PARALLEL_HASH
1280
{
1281
    PCSYMCRYPT_HASH                             pHash;
1282
    UINT32                                      parScratchFixed;    // fixed scratch size for parallel hash
1283
    PSYMCRYPT_PARALLEL_HASH_RESULT_FUNC         parResult1Func;
1284
    PSYMCRYPT_PARALLEL_HASH_RESULT_FUNC         parResult2Func;
1285
    PSYMCRYPT_PARALLEL_HASH_RESULT_DONE_FUNC    parResultDoneFunc;
1286

1287
    PSYMCRYPT_PARALLEL_APPEND_FUNC              parAppendFunc;
1288
} SYMCRYPT_PARALLEL_HASH, *PSYMCRYPT_PARALLEL_HASH;
1289

1290

1291
//======================================================================================================
1292
// MAC
1293
//
1294

1295

1296
//
1297
// SYMCRYPT_HMAC_MD5_EXPANDED_KEY
1298
//
1299
// Data structure to store an expanded key for HMAC-MD5.
1300
//
1301
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_MD5_EXPANDED_KEY
1302
{
1303
    SYMCRYPT_MD5_CHAINING_STATE     innerState;
1304
    SYMCRYPT_MD5_CHAINING_STATE     outerState;
1305
    SYMCRYPT_MAGIC_FIELD
1306
} SYMCRYPT_HMAC_MD5_EXPANDED_KEY, *PSYMCRYPT_HMAC_MD5_EXPANDED_KEY;
1307
typedef const SYMCRYPT_HMAC_MD5_EXPANDED_KEY * PCSYMCRYPT_HMAC_MD5_EXPANDED_KEY;
1308

1309
//
1310
// SYMCRYPT_HMAC_MD5_STATE
1311
//
1312
// Data structure that encodes an ongoing HMAC-MD5 computation.
1313
//
1314
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_MD5_STATE
1315
{
1316
    SYMCRYPT_MD5_STATE                 hash;
1317
    PCSYMCRYPT_HMAC_MD5_EXPANDED_KEY   pKey;
1318
    SYMCRYPT_MAGIC_FIELD
1319
} SYMCRYPT_HMAC_MD5_STATE, *PSYMCRYPT_HMAC_MD5_STATE;
1320
typedef const SYMCRYPT_HMAC_MD5_STATE *PCSYMCRYPT_HMAC_MD5_STATE;
1321

1322

1323
//
1324
// SYMCRYPT_HMAC_SHA1_EXPANDED_KEY
1325
//
1326
// Data structure to store an expanded key for HMAC-SHA1.
1327
//
1328
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA1_EXPANDED_KEY
1329
{
1330
    SYMCRYPT_SHA1_CHAINING_STATE    innerState;
1331
    SYMCRYPT_SHA1_CHAINING_STATE    outerState;
1332
    SYMCRYPT_MAGIC_FIELD
1333
} SYMCRYPT_HMAC_SHA1_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA1_EXPANDED_KEY;
1334
typedef const SYMCRYPT_HMAC_SHA1_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA1_EXPANDED_KEY;
1335

1336
//
1337
// SYMCRYPT_HMAC_SHA1_STATE
1338
//
1339
// Data structure that encodes an ongoing HMAC-SHA1 computation.
1340
//
1341
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA1_STATE
1342
{
1343
    SYMCRYPT_SHA1_STATE                 hash;
1344
    PCSYMCRYPT_HMAC_SHA1_EXPANDED_KEY   pKey;
1345
    SYMCRYPT_MAGIC_FIELD
1346
} SYMCRYPT_HMAC_SHA1_STATE, *PSYMCRYPT_HMAC_SHA1_STATE;
1347
typedef const SYMCRYPT_HMAC_SHA1_STATE *PCSYMCRYPT_HMAC_SHA1_STATE;
1348

1349

1350
//
1351
// SYMCRYPT_HMAC_SHA224_EXPANDED_KEY
1352
//
1353
// Data structure to store an expanded key for HMAC-SHA224.
1354
//
1355
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA224_EXPANDED_KEY
1356
{
1357
    SYMCRYPT_SHA256_CHAINING_STATE  innerState;
1358
    SYMCRYPT_SHA256_CHAINING_STATE  outerState;
1359
    SYMCRYPT_MAGIC_FIELD
1360
} SYMCRYPT_HMAC_SHA224_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA224_EXPANDED_KEY;
1361
typedef const SYMCRYPT_HMAC_SHA224_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA224_EXPANDED_KEY;
1362

1363
//
1364
// SYMCRYPT_HMAC_SHA224_STATE
1365
//
1366
// Data structure that encodes an ongoing HMAC-SHA224 computation.
1367
//
1368
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA224_STATE
1369
{
1370
    SYMCRYPT_SHA224_STATE                 hash;
1371
    PCSYMCRYPT_HMAC_SHA224_EXPANDED_KEY   pKey;
1372
    SYMCRYPT_MAGIC_FIELD
1373
} SYMCRYPT_HMAC_SHA224_STATE, *PSYMCRYPT_HMAC_SHA224_STATE;
1374
typedef const SYMCRYPT_HMAC_SHA224_STATE *PCSYMCRYPT_HMAC_SHA224_STATE;
1375

1376

1377
//
1378
// SYMCRYPT_HMAC_SHA256_EXPANDED_KEY
1379
//
1380
// Data structure to store an expanded key for HMAC-SHA256.
1381
//
1382
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA256_EXPANDED_KEY
1383
{
1384
    SYMCRYPT_SHA256_CHAINING_STATE  innerState;
1385
    SYMCRYPT_SHA256_CHAINING_STATE  outerState;
1386
    SYMCRYPT_MAGIC_FIELD
1387
} SYMCRYPT_HMAC_SHA256_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA256_EXPANDED_KEY;
1388
typedef const SYMCRYPT_HMAC_SHA256_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA256_EXPANDED_KEY;
1389

1390
//
1391
// SYMCRYPT_HMAC_SHA256_STATE
1392
//
1393
// Data structure that encodes an ongoing HMAC-SHA256 computation.
1394
//
1395
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA256_STATE
1396
{
1397
    SYMCRYPT_SHA256_STATE                 hash;
1398
    PCSYMCRYPT_HMAC_SHA256_EXPANDED_KEY   pKey;
1399
    SYMCRYPT_MAGIC_FIELD
1400
} SYMCRYPT_HMAC_SHA256_STATE, *PSYMCRYPT_HMAC_SHA256_STATE;
1401
typedef const SYMCRYPT_HMAC_SHA256_STATE *PCSYMCRYPT_HMAC_SHA256_STATE;
1402

1403

1404
//
1405
// SYMCRYPT_HMAC_SHA384_EXPANDED_KEY
1406
//
1407
// Data structure to store an expanded key for HMAC-SHA384.
1408
//
1409
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA384_EXPANDED_KEY
1410
{
1411
    SYMCRYPT_SHA512_CHAINING_STATE  innerState;
1412
    SYMCRYPT_SHA512_CHAINING_STATE  outerState;
1413
    SYMCRYPT_MAGIC_FIELD
1414
} SYMCRYPT_HMAC_SHA384_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA384_EXPANDED_KEY;
1415
typedef const SYMCRYPT_HMAC_SHA384_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA384_EXPANDED_KEY;
1416

1417
//
1418
// SYMCRYPT_HMAC_SHA384_STATE
1419
//
1420
// Data structure that encodes an ongoing HMAC-SHA384 computation.
1421
//
1422
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA384_STATE
1423
{
1424
    SYMCRYPT_SHA384_STATE                 hash;
1425
    PCSYMCRYPT_HMAC_SHA384_EXPANDED_KEY   pKey;
1426
    SYMCRYPT_MAGIC_FIELD
1427
} SYMCRYPT_HMAC_SHA384_STATE, *PSYMCRYPT_HMAC_SHA384_STATE;
1428
typedef const SYMCRYPT_HMAC_SHA384_STATE *PCSYMCRYPT_HMAC_SHA384_STATE;
1429

1430
//
1431
// SYMCRYPT_HMAC_SHA512_EXPANDED_KEY
1432
//
1433
// Data structure to store an expanded key for HMAC-SHA512.
1434
//
1435
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA512_EXPANDED_KEY
1436
{
1437
    SYMCRYPT_SHA512_CHAINING_STATE  innerState;
1438
    SYMCRYPT_SHA512_CHAINING_STATE  outerState;
1439
    SYMCRYPT_MAGIC_FIELD
1440
} SYMCRYPT_HMAC_SHA512_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA512_EXPANDED_KEY;
1441
typedef const SYMCRYPT_HMAC_SHA512_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA512_EXPANDED_KEY;
1442

1443
//
1444
// SYMCRYPT_HMAC_SHA512_STATE
1445
//
1446
// Data structure that encodes an ongoing HMAC-SHA512 computation.
1447
//
1448
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA512_STATE
1449
{
1450
    SYMCRYPT_SHA512_STATE                 hash;
1451
    PCSYMCRYPT_HMAC_SHA512_EXPANDED_KEY   pKey;
1452
    SYMCRYPT_MAGIC_FIELD
1453
} SYMCRYPT_HMAC_SHA512_STATE, *PSYMCRYPT_HMAC_SHA512_STATE;
1454
typedef const SYMCRYPT_HMAC_SHA512_STATE *PCSYMCRYPT_HMAC_SHA512_STATE;
1455

1456
//
1457
// SYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY
1458
//
1459
// Data structure to store an expanded key for HMAC-SHA512_224.
1460
//
1461
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY
1462
{
1463
    SYMCRYPT_SHA512_CHAINING_STATE  innerState;
1464
    SYMCRYPT_SHA512_CHAINING_STATE  outerState;
1465
    SYMCRYPT_MAGIC_FIELD
1466
} SYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY;
1467
typedef const SYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY;
1468

1469
//
1470
// SYMCRYPT_HMAC_SHA512_224_STATE
1471
//
1472
// Data structure that encodes an ongoing HMAC-SHA512_224 computation.
1473
//
1474
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA512_224_STATE
1475
{
1476
    SYMCRYPT_SHA512_224_STATE                 hash;
1477
    PCSYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY   pKey;
1478
    SYMCRYPT_MAGIC_FIELD
1479
} SYMCRYPT_HMAC_SHA512_224_STATE, *PSYMCRYPT_HMAC_SHA512_224_STATE;
1480
typedef const SYMCRYPT_HMAC_SHA512_224_STATE *PCSYMCRYPT_HMAC_SHA512_224_STATE;
1481

1482
//
1483
// SYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY
1484
//
1485
// Data structure to store an expanded key for HMAC-SHA512_256.
1486
//
1487
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY
1488
{
1489
    SYMCRYPT_SHA512_CHAINING_STATE  innerState;
1490
    SYMCRYPT_SHA512_CHAINING_STATE  outerState;
1491
    SYMCRYPT_MAGIC_FIELD
1492
} SYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY;
1493
typedef const SYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY;
1494

1495
//
1496
// SYMCRYPT_HMAC_SHA512_256_STATE
1497
//
1498
// Data structure that encodes an ongoing HMAC-SHA512_256 computation.
1499
//
1500
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA512_256_STATE
1501
{
1502
    SYMCRYPT_SHA512_256_STATE                 hash;
1503
    PCSYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY   pKey;
1504
    SYMCRYPT_MAGIC_FIELD
1505
} SYMCRYPT_HMAC_SHA512_256_STATE, *PSYMCRYPT_HMAC_SHA512_256_STATE;
1506
typedef const SYMCRYPT_HMAC_SHA512_256_STATE *PCSYMCRYPT_HMAC_SHA512_256_STATE;
1507

1508
//
1509
// SYMCRYPT_HMAC_EXPANDED_KEY
1510
//
1511
// Generic HMAC Expanded Key data structure
1512
//
1513
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_EXPANDED_KEY
1514
{
1515
    PCSYMCRYPT_HASH     pHash;
1516
    SYMCRYPT_HASH_STATE innerState;
1517
    SYMCRYPT_HASH_STATE outerState;
1518
    SYMCRYPT_MAGIC_FIELD
1519
} SYMCRYPT_HMAC_EXPANDED_KEY, * PSYMCRYPT_HMAC_EXPANDED_KEY;
1520
typedef const SYMCRYPT_HMAC_EXPANDED_KEY* PCSYMCRYPT_HMAC_EXPANDED_KEY;
1521

1522
//
1523
// SYMCRYPT_HMAC_STATE
1524
//
1525
// Generic HMAC data structure
1526
//
1527
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_STATE
1528
{
1529
    PCSYMCRYPT_HMAC_EXPANDED_KEY    pKey;
1530
    SYMCRYPT_HASH_STATE             hash;
1531
    SYMCRYPT_MAGIC_FIELD
1532
} SYMCRYPT_HMAC_STATE, * PSYMCRYPT_HMAC_STATE;
1533
typedef const SYMCRYPT_HMAC_STATE* PCSYMCRYPT_HMAC_STATE;
1534

1535
//
1536
// SYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY
1537
//
1538
// Data structure to store an expanded key for HMAC-SHA3-224
1539
//
1540
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY
1541
{
1542
    SYMCRYPT_HMAC_EXPANDED_KEY  generic;
1543

1544
} SYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY;
1545
typedef const SYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY;
1546

1547
//
1548
// SYMCRYPT_HMAC_SHA3_224_STATE
1549
//
1550
// Data structure that encodes an ongoing HMAC-SHA3-224 computation.
1551
//
1552
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA3_224_STATE
1553
{
1554
    SYMCRYPT_HMAC_STATE generic;
1555

1556
} SYMCRYPT_HMAC_SHA3_224_STATE, *PSYMCRYPT_HMAC_SHA3_224_STATE;
1557
typedef const SYMCRYPT_HMAC_SHA3_224_STATE *PCSYMCRYPT_HMAC_SHA3_224_STATE;
1558

1559
//
1560
// SYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY
1561
//
1562
// Data structure to store an expanded key for HMAC-SHA3-256
1563
//
1564
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY
1565
{
1566
    SYMCRYPT_HMAC_EXPANDED_KEY  generic;
1567

1568
} SYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY;
1569
typedef const SYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY;
1570

1571
//
1572
// SYMCRYPT_HMAC_SHA3_256_STATE
1573
//
1574
// Data structure that encodes an ongoing HMAC-SHA3-256 computation.
1575
//
1576
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA3_256_STATE
1577
{
1578
    SYMCRYPT_HMAC_STATE generic;
1579

1580
} SYMCRYPT_HMAC_SHA3_256_STATE, *PSYMCRYPT_HMAC_SHA3_256_STATE;
1581
typedef const SYMCRYPT_HMAC_SHA3_256_STATE *PCSYMCRYPT_HMAC_SHA3_256_STATE;
1582

1583
//
1584
// SYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY
1585
//
1586
// Data structure to store an expanded key for HMAC-SHA3-384
1587
//
1588
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY
1589
{
1590
    SYMCRYPT_HMAC_EXPANDED_KEY  generic;
1591

1592
} SYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY;
1593
typedef const SYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY;
1594

1595
//
1596
// SYMCRYPT_HMAC_SHA3_384_STATE
1597
//
1598
// Data structure that encodes an ongoing HMAC-SHA3-384 computation.
1599
//
1600
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA3_384_STATE
1601
{
1602
    SYMCRYPT_HMAC_STATE generic;
1603

1604
} SYMCRYPT_HMAC_SHA3_384_STATE, *PSYMCRYPT_HMAC_SHA3_384_STATE;
1605
typedef const SYMCRYPT_HMAC_SHA3_384_STATE *PCSYMCRYPT_HMAC_SHA3_384_STATE;
1606

1607
//
1608
// SYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY
1609
//
1610
// Data structure to store an expanded key for HMAC-SHA3-512
1611
//
1612
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY
1613
{
1614
    SYMCRYPT_HMAC_EXPANDED_KEY  generic;
1615

1616
} SYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY, *PSYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY;
1617
typedef const SYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY * PCSYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY;
1618

1619
//
1620
// SYMCRYPT_HMAC_SHA3_512_STATE
1621
//
1622
// Data structure that encodes an ongoing HMAC-SHA3-512 computation.
1623
//
1624
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_HMAC_SHA3_512_STATE
1625
{
1626
    SYMCRYPT_HMAC_STATE generic;
1627

1628
} SYMCRYPT_HMAC_SHA3_512_STATE, *PSYMCRYPT_HMAC_SHA3_512_STATE;
1629
typedef const SYMCRYPT_HMAC_SHA3_512_STATE *PCSYMCRYPT_HMAC_SHA3_512_STATE;
1630

1631
//
1632
// SYMCRYPT_AES_EXPANDED_KEY
1633
//
1634
// Expanded key for AES operations.
1635
//
1636
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_AES_EXPANDED_KEY {
1637
    SYMCRYPT_ALIGN BYTE RoundKey[29][4][4];
1638
        // Round keys, first the encryption round keys in encryption order,
1639
        // followed by the decryption round keys in decryption order.
1640
        // The first decryption round key is the last encryption round key.
1641
        // AES-256 has 14 rounds and thus 15 round keys for encryption and 15
1642
        // for decryption. As they share one round key, we need room for 29.
1643
    BYTE   (*lastEncRoundKey)[4][4];    // Pointer to last encryption round key
1644
                                        // also the first round key for decryption
1645
    BYTE   (*lastDecRoundKey)[4][4];    // Pointer to last decryption round key.
1646

1647
    SYMCRYPT_MAGIC_FIELD
1648
} SYMCRYPT_AES_EXPANDED_KEY, *PSYMCRYPT_AES_EXPANDED_KEY;
1649
typedef const SYMCRYPT_AES_EXPANDED_KEY * PCSYMCRYPT_AES_EXPANDED_KEY;
1650

1651
//
1652
// AES-CMAC
1653
//
1654
// Note: SYMCRYPT_AES_BLOCK_SIZE is not yet defined, so we use
1655
// literal constants instead.
1656
//
1657
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_AES_CMAC_EXPANDED_KEY
1658
{
1659
    SYMCRYPT_AES_EXPANDED_KEY   aesKey;
1660
    BYTE                        K1[16];
1661
    BYTE                        K2[16];
1662
    SYMCRYPT_MAGIC_FIELD
1663
} SYMCRYPT_AES_CMAC_EXPANDED_KEY, *PSYMCRYPT_AES_CMAC_EXPANDED_KEY;
1664
typedef const SYMCRYPT_AES_CMAC_EXPANDED_KEY * PCSYMCRYPT_AES_CMAC_EXPANDED_KEY;
1665

1666
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_AES_CMAC_STATE
1667
{
1668
    BYTE                                chain[16];
1669
    BYTE                                buf[16];
1670
    SIZE_T                              bytesInBuf;
1671
    PCSYMCRYPT_AES_CMAC_EXPANDED_KEY    pKey;
1672

1673
    SYMCRYPT_MAGIC_FIELD
1674
} SYMCRYPT_AES_CMAC_STATE, *PSYMCRYPT_AES_CMAC_STATE;
1675
typedef const SYMCRYPT_AES_CMAC_STATE * PCSYMCRYPT_AES_CMAC_STATE;
1676

1677
//
1678
// POLY1305
1679
//
1680

1681
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_POLY1305_STATE
1682
{
1683
    UINT32  r[4];       // R := \sum 2^{32*i} r[i]. R is already clamped.
1684
    UINT32  s[4];       // S := \sum 2^{32*i} s[i]
1685
    UINT32  a[5];       // Accumulator := sum 2^{32*i} a[i], a[4] <= approx 8
1686
    SIZE_T  bytesInBuffer;
1687
    BYTE    buf[16];    // Partial block buffer
1688

1689
    SYMCRYPT_MAGIC_FIELD
1690
} SYMCRYPT_POLY1305_STATE, *PSYMCRYPT_POLY1305_STATE;
1691

1692
//
1693
// XTS-AES
1694
//
1695

1696
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_XTS_AES_EXPANDED_KEY
1697
{
1698
    SYMCRYPT_AES_EXPANDED_KEY   key1;
1699
    SYMCRYPT_AES_EXPANDED_KEY   key2;
1700
} SYMCRYPT_XTS_AES_EXPANDED_KEY, *PSYMCRYPT_XTS_AES_EXPANDED_KEY;
1701
typedef const SYMCRYPT_XTS_AES_EXPANDED_KEY * PCSYMCRYPT_XTS_AES_EXPANDED_KEY;
1702

1703

1704
//-----------------------------------------------------------------
1705
//     Mac description table
1706
// Below are the typedefs for the Mac description table type
1707
// Callers can use this to define Mac algorithm they want to use
1708
//
1709

1710
#define SYMCRYPT_MAC_MAX_RESULT_SIZE    SYMCRYPT_HMAC_SHA512_RESULT_SIZE
1711

1712
typedef union _SYMCRYPT_MAC_STATE
1713
{
1714
    SYMCRYPT_HMAC_MD5_STATE         md5State;
1715
    SYMCRYPT_HMAC_SHA1_STATE        sha1State;
1716
    SYMCRYPT_HMAC_SHA224_STATE      sha224State;
1717
    SYMCRYPT_HMAC_SHA256_STATE      sha256State;
1718
    SYMCRYPT_HMAC_SHA384_STATE      sha384State;
1719
    SYMCRYPT_HMAC_SHA512_STATE      sha512State;
1720
    SYMCRYPT_HMAC_SHA512_224_STATE  sha512_224State;
1721
    SYMCRYPT_HMAC_SHA512_256_STATE  sha512_256State;
1722
    SYMCRYPT_HMAC_SHA3_224_STATE    sha3_224State;
1723
    SYMCRYPT_HMAC_SHA3_256_STATE    sha3_256State;
1724
    SYMCRYPT_HMAC_SHA3_384_STATE    sha3_384State;
1725
    SYMCRYPT_HMAC_SHA3_512_STATE    sha3_512State;
1726
    SYMCRYPT_AES_CMAC_STATE         aescmacState;
1727
    SYMCRYPT_KMAC128_STATE          kmac128State;
1728
    SYMCRYPT_KMAC256_STATE          kmac256State;
1729
} SYMCRYPT_MAC_STATE, *PSYMCRYPT_MAC_STATE;
1730
typedef const SYMCRYPT_MAC_STATE *PCSYMCRYPT_MAC_STATE;
1731

1732
typedef union _SYMCRYPT_MAC_EXPANDED_KEY
1733
{
1734
    SYMCRYPT_HMAC_MD5_EXPANDED_KEY          md5Key;
1735
    SYMCRYPT_HMAC_SHA1_EXPANDED_KEY         sha1Key;
1736
    SYMCRYPT_HMAC_SHA224_EXPANDED_KEY       sha224Key;
1737
    SYMCRYPT_HMAC_SHA256_EXPANDED_KEY       sha256Key;
1738
    SYMCRYPT_HMAC_SHA384_EXPANDED_KEY       sha384Key;
1739
    SYMCRYPT_HMAC_SHA512_EXPANDED_KEY       sha512Key;
1740
    SYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY   sha512_224Key;
1741
    SYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY   sha512_256Key;
1742
    SYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY     sha3_224Key;
1743
    SYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY     sha3_256Key;
1744
    SYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY     sha3_384Key;
1745
    SYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY     sha3_512Key;
1746
    SYMCRYPT_AES_CMAC_EXPANDED_KEY          aescmacKey;
1747
    SYMCRYPT_KMAC128_EXPANDED_KEY           kmac128Key;
1748
    SYMCRYPT_KMAC256_EXPANDED_KEY           kmac256Key;
1749
} SYMCRYPT_MAC_EXPANDED_KEY, *PSYMCRYPT_MAC_EXPANDED_KEY;
1750
typedef const SYMCRYPT_MAC_EXPANDED_KEY *PCSYMCRYPT_MAC_EXPANDED_KEY;
1751

1752
typedef SYMCRYPT_ERROR (SYMCRYPT_CALL * PSYMCRYPT_MAC_EXPAND_KEY)
1753
                                        ( PVOID pExpandedKey, PCBYTE pbKey, SIZE_T cbKey );
1754
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_MAC_INIT)     ( PVOID pState,  PCVOID pExpandedKey );
1755
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_MAC_APPEND)( PVOID pState, PCBYTE pbData, SIZE_T cbData );
1756
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_MAC_RESULT)  ( PVOID pState, PVOID pbResult );
1757
typedef VOID (SYMCRYPT_CALL * PSYMCRYPT_MAC_RESULT_EX)  ( PVOID pState, PVOID pbResult, SIZE_T cbResult );
1758

1759
typedef struct _SYMCRYPT_MAC
1760
{
1761
    PSYMCRYPT_MAC_EXPAND_KEY    expandKeyFunc;
1762
    PSYMCRYPT_MAC_INIT          initFunc;
1763
    PSYMCRYPT_MAC_APPEND        appendFunc;
1764
    PSYMCRYPT_MAC_RESULT        resultFunc;
1765
    SIZE_T                      expandedKeySize;
1766
    SIZE_T                      stateSize;
1767
    SIZE_T                      resultSize;
1768
    const PCSYMCRYPT_HASH     * ppHashAlgorithm;            // NULL for MACs not based on hashes
1769
    UINT32                      outerChainingStateOffset;   // Offset into expanded key of outer chaining state; 0 for non-HMAC algorithms
1770
} SYMCRYPT_MAC, *PSYMCRYPT_MAC;
1771
typedef const SYMCRYPT_MAC  *PCSYMCRYPT_MAC;
1772

1773

1774

1775
//
1776
// 3DES
1777
//
1778
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_3DES_EXPANDED_KEY {
1779
    UINT32  roundKey[3][16][2];     // 3 keys, 16 rounds, 2 UINT32s/round
1780
    SYMCRYPT_MAGIC_FIELD
1781
} SYMCRYPT_3DES_EXPANDED_KEY, *PSYMCRYPT_3DES_EXPANDED_KEY;
1782
typedef const SYMCRYPT_3DES_EXPANDED_KEY * PCSYMCRYPT_3DES_EXPANDED_KEY;
1783

1784
//
1785
// DES
1786
//
1787
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_DES_EXPANDED_KEY {
1788
    SYMCRYPT_3DES_EXPANDED_KEY threeDes;
1789
} SYMCRYPT_DES_EXPANDED_KEY, *PSYMCRYPT_DES_EXPANDED_KEY;
1790
typedef const SYMCRYPT_DES_EXPANDED_KEY * PCSYMCRYPT_DES_EXPANDED_KEY;
1791

1792
//
1793
// DESX
1794
//
1795
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_DESX_EXPANDED_KEY {
1796
    SYMCRYPT_DES_EXPANDED_KEY   desKey;
1797
    BYTE                        inputWhitening[8];
1798
    BYTE                        outputWhitening[8];
1799
} SYMCRYPT_DESX_EXPANDED_KEY, *PSYMCRYPT_DESX_EXPANDED_KEY;
1800
typedef const SYMCRYPT_DESX_EXPANDED_KEY * PCSYMCRYPT_DESX_EXPANDED_KEY;
1801

1802
//
1803
// RC2
1804
//
1805
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_RC2_EXPANDED_KEY {
1806
    UINT16  K[64];
1807
    SYMCRYPT_MAGIC_FIELD
1808
} SYMCRYPT_RC2_EXPANDED_KEY, *PSYMCRYPT_RC2_EXPANDED_KEY;
1809
typedef const SYMCRYPT_RC2_EXPANDED_KEY * PCSYMCRYPT_RC2_EXPANDED_KEY;
1810

1811

1812
//
1813
// CCM states for incremental computations
1814
//
1815
#define SYMCRYPT_CCM_BLOCK_SIZE (16)
1816

1817
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_CCM_STATE {
1818
                                                    PCSYMCRYPT_BLOCKCIPHER  pBlockCipher;
1819
                                                    PCVOID                  pExpandedKey;
1820
                                                    UINT64                  cbData;                                     // exact length of data
1821
                                                    SIZE_T                  cbTag;
1822
                                                    SIZE_T                  cbNonce;
1823
                                                    SIZE_T                  cbCounter;                                  // # bytes in counter field
1824
                                                    UINT64                  bytesProcessed;                             // data bytes processed so far
1825
    _Field_range_( 0, SYMCRYPT_CCM_BLOCK_SIZE-1 )   SIZE_T                  bytesInMacBlock;
1826
                                                    SYMCRYPT_ALIGN BYTE     counterBlock[SYMCRYPT_CCM_BLOCK_SIZE];      // Current counter block value
1827
                                                    SYMCRYPT_ALIGN BYTE     macBlock[SYMCRYPT_CCM_BLOCK_SIZE];          // Current state of the CBC-MAC part of CCM
1828
                                                    SYMCRYPT_ALIGN BYTE     keystreamBlock[SYMCRYPT_CCM_BLOCK_SIZE];    // Remaining key stream if partial block has been processed
1829
                                                    SYMCRYPT_MAGIC_FIELD
1830
} SYMCRYPT_CCM_STATE, *PSYMCRYPT_CCM_STATE;
1831

1832

1833
//
1834
// GHash & GCM
1835
//
1836

1837
typedef union _SYMCRYPT_GCM_SUPPORTED_BLOCKCIPHER_KEYS
1838
{
1839
    SYMCRYPT_AES_EXPANDED_KEY aes;
1840
} SYMCRYPT_GCM_SUPPORTED_BLOCKCIPHER_KEYS;
1841

1842
#define SYMCRYPT_GCM_BLOCKCIPHER_KEY_SIZE sizeof( union _SYMCRYPT_GCM_SUPPORTED_BLOCKCIPHER_KEYS )
1843

1844
#define SYMCRYPT_GF128_FIELD_SIZE   (128)
1845
#define SYMCRYPT_GF128_BLOCK_SIZE   (16)        // # bytes in a field element/block
1846
#define SYMCRYPT_GCM_BLOCK_SIZE     (16)
1847
#define SYMCRYPT_GCM_MAX_KEY_SIZE   (32)
1848

1849

1850
#define SYMCRYPT_GCM_MAX_DATA_SIZE           (((UINT64)1 << 36) - 32)
1851

1852
#define SYMCRYPT_GCM_BLOCK_MOD_MASK      (SYMCRYPT_GCM_BLOCK_SIZE - 1)
1853
#define SYMCRYPT_GCM_BLOCK_ROUND_MASK    (~SYMCRYPT_GCM_BLOCK_MOD_MASK)
1854

1855
#if SYMCRYPT_CPU_X86
1856
    //
1857
    // x86 needs extra alignment of the GHASH expanded key to support
1858
    // aligned (fast) XMM access. AMD64 has enough natural alignment to
1859
    // achieve this.
1860
    //
1861
    #define SYMCRYPT_GHASH_EXTRA_KEY_ALIGNMENT
1862
#endif
1863

1864
#define SYMCRYPT_GHASH_ALLOW_XMM    (SYMCRYPT_CPU_X86 | SYMCRYPT_CPU_AMD64)
1865
#define SYMCRYPT_GHASH_ALLOW_NEON   (SYMCRYPT_CPU_ARM | SYMCRYPT_CPU_ARM64)
1866

1867

1868
#if SYMCRYPT_CPU_ARM
1869
#include <arm_neon.h>
1870
#if SYMCRYPT_GNUC || defined(__clang__)
1871
    #define __n128 uint32x4_t
1872
    #define __n64 uint64x1_t
1873
#endif
1874

1875
#elif SYMCRYPT_CPU_ARM64
1876

1877
    #if SYMCRYPT_MS_VC && !defined(__clang__)
1878
        #include <arm64_neon.h>
1879

1880
        // See section 6.7.8 of the C standard for details on this initializer usage.
1881
        #define SYMCRYPT_SET_N128_U64(d0, d1) \
1882
            ((__n128) {.n128_u64 = {d0, d1}})
1883
        #define SYMCRYPT_SET_N64_U64(d0) \
1884
            ((__n64) {.n64_u64 = {d0}})
1885
        #define SYMCRYPT_SET_N128_U8(b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15) \
1886
            ((__n128) {.n128_u8 = {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15}})
1887
    #else
1888
        #include <arm_neon.h>
1889

1890
        #define __n128 uint8x16_t
1891
        #define __n64 uint8x8_t
1892

1893
        #define SYMCRYPT_SET_N128_U64(d0, d1) \
1894
            ((__n128) ((uint64x2_t) {d0, d1}))
1895
        #define SYMCRYPT_SET_N64_U64(d0) \
1896
            ((__n64) ((uint64x1_t) {d0}))
1897
        #define SYMCRYPT_SET_N128_U8(b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15) \
1898
            ((__n128) ((uint8x16_t) {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15}))
1899

1900
        #define vmullq_p64( a, b )      ((__n128) vmull_p64(vgetq_lane_p64((poly64x2_t)a, 0), vgetq_lane_p64((poly64x2_t)b, 0)))
1901
        #define vmull_p64( a, b )       ((__n128) vmull_p64( (poly64_t)a, (poly64_t)b ))
1902
        #define vmull_high_p64( a, b )  ((__n128) vmull_high_p64( (poly64x2_t)a, (poly64x2_t)b ))
1903
    #endif
1904

1905
#endif
1906

1907
//
1908
// All platforms use the same in-memory representation:
1909
// elements of GF(2^128) stored as two 64-bit integers which are best
1910
// interpreted as a single 128-bit integer, least significant half first.
1911
// Note: the actual GF(2^128) bit order is reversed in the standard
1912
// for some reason; the
1913
// polynomial \sum b_i x^i is represented by integer \sum b_i 2^{127-i})
1914
// On x86/amd64 the same in-memory byte structure is also accessed as an
1915
// __m128i, which works as both the UINT64s, UINT32s, and the __m128i use
1916
// LSBfirst convention.
1917
//
1918
typedef SYMCRYPT_ALIGN_UNION _SYMCRYPT_GF128_ELEMENT {
1919
    UINT64 ull[2];
1920
#if SYMCRYPT_GHASH_ALLOW_XMM
1921
    //
1922
    // The XMM code accesses this both as UINT32[] and __m128i
1923
    // This is safe as XMM code only runs on little endian machines so the
1924
    // ordering is known.
1925
    //
1926
    __m128i     m128i;
1927
    UINT32      ul[4];
1928
#endif
1929
#if SYMCRYPT_GHASH_ALLOW_NEON
1930
    __n128      n128;
1931
    UINT32      ul[4];
1932
#endif
1933
} SYMCRYPT_GF128_ELEMENT, *PSYMCRYPT_GF128_ELEMENT;
1934
typedef const SYMCRYPT_GF128_ELEMENT * PCSYMCRYPT_GF128_ELEMENT;
1935

1936

1937

1938
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_GHASH_EXPANDED_KEY {
1939
#if defined( SYMCRYPT_GHASH_EXTRA_KEY_ALIGNMENT )
1940
    UINT32  tableOffset;
1941
    BYTE    tableSpace[ (SYMCRYPT_GF128_FIELD_SIZE + 1) * sizeof( SYMCRYPT_GF128_ELEMENT ) ];
1942
#else
1943
    SYMCRYPT_GF128_ELEMENT  table[ SYMCRYPT_GF128_FIELD_SIZE ];
1944
#endif
1945
} SYMCRYPT_GHASH_EXPANDED_KEY, *PSYMCRYPT_GHASH_EXPANDED_KEY;
1946
typedef const SYMCRYPT_GHASH_EXPANDED_KEY * PCSYMCRYPT_GHASH_EXPANDED_KEY;
1947

1948

1949
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_GCM_EXPANDED_KEY {
1950
    SYMCRYPT_GHASH_EXPANDED_KEY             ghashKey;
1951
    PCSYMCRYPT_BLOCKCIPHER                  pBlockCipher;
1952
    SYMCRYPT_GCM_SUPPORTED_BLOCKCIPHER_KEYS blockcipherKey;
1953
    SIZE_T                                  cbKey;
1954
    BYTE                                    abKey[SYMCRYPT_GCM_MAX_KEY_SIZE];
1955
    SYMCRYPT_MAGIC_FIELD
1956
} SYMCRYPT_GCM_EXPANDED_KEY, * PSYMCRYPT_GCM_EXPANDED_KEY;
1957
typedef const SYMCRYPT_GCM_EXPANDED_KEY * PCSYMCRYPT_GCM_EXPANDED_KEY;
1958

1959

1960
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_GCM_STATE {
1961
                                                    PCSYMCRYPT_GCM_EXPANDED_KEY pKey;
1962
                                                    UINT64                      cbData;         // Number of data bytes
1963
                                                    UINT64                      cbAuthData;     // Number of AAD bytes
1964
    _Field_range_( 0, SYMCRYPT_GCM_BLOCK_SIZE-1 )   SIZE_T                      bytesInMacBlock;
1965
                                                    SYMCRYPT_GF128_ELEMENT      ghashState;
1966
                                                    SYMCRYPT_ALIGN BYTE         counterBlock[SYMCRYPT_GCM_BLOCK_SIZE];
1967
                                                    SYMCRYPT_ALIGN BYTE         macBlock[SYMCRYPT_GCM_BLOCK_SIZE];
1968
                                                    SYMCRYPT_ALIGN BYTE         keystreamBlock[SYMCRYPT_GCM_BLOCK_SIZE];
1969
                                                    SYMCRYPT_MAGIC_FIELD
1970
} SYMCRYPT_GCM_STATE, * PSYMCRYPT_GCM_STATE;
1971
typedef const SYMCRYPT_GCM_STATE * PCSYMCRYPT_GCM_STATE;
1972

1973

1974
//
1975
// Block ciphers
1976
//
1977
#define SYMCRYPT_MAX_BLOCK_SIZE  (32)        // max block length of a block cipher.
1978

1979
typedef SYMCRYPT_ERROR( SYMCRYPT_CALL * PSYMCRYPT_BLOCKCIPHER_EXPAND_KEY )
1980
(PVOID pExpandedKey, PCBYTE pbKey, SIZE_T cbKey);
1981
typedef VOID( SYMCRYPT_CALL * PSYMCRYPT_BLOCKCIPHER_CRYPT )         (PCVOID pExpandedKey, PCBYTE pbSrc, PBYTE pbDst);
1982
typedef VOID( SYMCRYPT_CALL * PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB )     (PCVOID pExpandedKey, PCBYTE pbSrc, PBYTE pbDst, SIZE_T cbData);
1983
typedef VOID( SYMCRYPT_CALL * PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE )    (PCVOID pExpandedKey, PBYTE pbChainingValue, PCBYTE pbSrc, PBYTE pbDst, SIZE_T cbData);
1984
typedef VOID( SYMCRYPT_CALL * PSYMCRYPT_BLOCKCIPHER_MAC_MODE )      (PCVOID pExpandedKey, PBYTE pbChainingValue, PCBYTE pbSrc, SIZE_T cbData);
1985
typedef VOID( SYMCRYPT_CALL * PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE ) (PVOID pState, PCBYTE pbSrc, PBYTE pbDst, SIZE_T cbData);
1986

1987
struct _SYMCRYPT_BLOCKCIPHER {
1988
                                                PSYMCRYPT_BLOCKCIPHER_EXPAND_KEY    expandKeyFunc;      // mandatory
1989
                                                PSYMCRYPT_BLOCKCIPHER_CRYPT         encryptFunc;        // mandatory
1990
                                                PSYMCRYPT_BLOCKCIPHER_CRYPT         decryptFunc;        // mandatory
1991
                                                PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB     ecbEncryptFunc;     // NULL if no optimized version available
1992
                                                PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB     ecbDecryptFunc;     // NULL if no optimized version available
1993
                                                PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    cbcEncryptFunc;     // NULL if no optimized version available
1994
                                                PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    cbcDecryptFunc;     // NULL if no optimized version available
1995
                                                PSYMCRYPT_BLOCKCIPHER_MAC_MODE      cbcMacFunc;         // NULL if no optimized version available
1996
                                                PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    ctrMsb64Func;       // NULL if no optimized version available
1997
                                                PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmEncryptPartFunc; // NULL if no optimized version available
1998
                                                PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmDecryptPartFunc; // NULL if no optimized version available
1999
    _Field_range_( 1, SYMCRYPT_MAX_BLOCK_SIZE ) SIZE_T                              blockSize;          // = SYMCRYPT_XXX_BLOCK_SIZE, power of 2, 1 <= value <= 32.
2000
                                                SIZE_T                              expandedKeySize;    // = sizeof( SYMCRYPT_XXX_EXPANDED_KEY )
2001
};
2002

2003

2004

2005
//
2006
// Session structs
2007
//
2008

2009
#define SYMCRYPT_FLAG_SESSION_ENCRYPT       (0x1)
2010

2011
//
2012
// SYMCRYPT_SESSION tracks the Nonces being used in a session. It is used differently depending on
2013
// whether the session is an Encryption session or a Decryption session.
2014
//
2015
// In Encryption sessions, SYMCRYPT_SESSION tracks the Nonce which was used in the most recent
2016
// attempted encryption in the session.
2017
// messageNumber is atomically incremented by each encryption call, and the encryption method uses
2018
// the messageNumber value that is the _result_ of the increment.
2019
//
2020
// In Decryption sessions, SYMCRYPT_SESSION tracks the most recently received Nonces in a series of
2021
// successful decryptions. Nonces used in unsuccessful decryption calls do not update SYMCRYPT_SESSION.
2022
// Information is tracked such that the decryption function can detect repeated Nonce values and
2023
// fail decryption in this case. In order for this to work the message numbers that are provided
2024
// to decrypt calls must be somewhat ordered. Provided message numbers may be arbitrarily far ahead
2025
// of previously successfully decrypted message numbers, but may only be up to 63 behind the highest
2026
// message number successfully decrypted so far.
2027
// messageNumber normally represents the highest message number used in a successful decryption in
2028
// this session. (The exception is at initialization, where messageNumber is initialized to 64
2029
// without the corresponding 0th bit in the replayMask being set - this initial state represents
2030
// there have been no successful decryptions yet, and that the earliest messageNumber that can be
2031
// successfully received is 1)
2032
// replayMask represents whether a window of 64 message numbers up to messageNumber have already been
2033
// successfully used;
2034
// bit n of replayMask (from n=0 to n=63) represents message number = (messageNumber-n), 0 means not
2035
// yet used, and 1 means already used in a successful decryption call
2036
//
2037

2038
#if SYMCRYPT_CPU_AMD64 | SYMCRYPT_CPU_ARM64
2039
#define SYMCRYPT_USE_CAS128 (1)
2040

2041
// For CompareAndSwap128 method, SYMCRYPT_SESSION must be aligned to 16B
2042
#define SYMCRYPT_ALIGN_SESSION SYMCRYPT_ALIGN_TYPE_AT(struct, 16)
2043
#else
2044
#define SYMCRYPT_USE_CAS128 (0)
2045

2046
// For method with only 64-bit atomics, SYMCRYPT_SESSION must be aligned to 8B
2047
#define SYMCRYPT_ALIGN_SESSION SYMCRYPT_ALIGN_TYPE_AT(struct, 8)
2048
#endif
2049

2050
// Nested struct used within SYMCRYPT_SESSION
2051
typedef SYMCRYPT_ALIGN_SESSION _SYMCRYPT_SESSION_REPLAY_STATE {
2052
    UINT64  replayMask;
2053
    // 64 bit mask representing message numbers previously successfully decrypted up to 63
2054
    // before the most recent message number.
2055

2056
    UINT64  messageNumber;
2057
    // the last 8 bytes of the Nonce (MSB-first)
2058
} SYMCRYPT_SESSION_REPLAY_STATE, * PSYMCRYPT_SESSION_REPLAY_STATE;
2059
typedef const SYMCRYPT_SESSION_REPLAY_STATE * PCSYMCRYPT_SESSION_REPLAY_STATE;
2060

2061
typedef SYMCRYPT_ALIGN_SESSION _SYMCRYPT_SESSION {
2062
    SYMCRYPT_SESSION_REPLAY_STATE replayState;
2063
    // nested replayState struct is to improve code clarity in SymCryptSessionDecryptUpdate*
2064

2065
    UINT32  senderId;
2066
    // the first 4 bytes of the Nonce (MSB-first)
2067
    // (set by the caller and constant for the lifetime of a session)
2068

2069
    UINT32  flags;
2070
    // SYMCRYPT_FLAG_SESSION_ENCRYPT indicates the struct is to be used for an encryption session,
2071
    // otherwise the struct is to be used for a decryption session
2072

2073
    PVOID   pMutex;
2074
    // Pointer to a fast single-process mutex object used to enable atomic update of replayMask and
2075
    // messageNumber in the absence of support for a 128b CAS operation
2076
} SYMCRYPT_SESSION, * PSYMCRYPT_SESSION;
2077

2078
#define SYMCRYPT_SESSION_MAX_MESSAGE_NUMBER (0xffffffff00000000ull)
2079
// We do not allow messageNumber to go above some maximum value (currently 2^64 - 2^32)
2080
// This gives us a large window to prevent many concurrent encryption threads from updating the
2081
// session such that the messageNumber overflows and the same IV is used in many encryptions
2082
// (i.e. we would only potentially get a spurious success using a repeated IV when there are
2083
// >2^32 concurrent threads!)
2084

2085
#if SYMCRYPT_USE_CAS128
2086
C_ASSERT(SYMCRYPT_FIELD_OFFSET(SYMCRYPT_SESSION, replayState.replayMask) == 0);
2087
C_ASSERT(SYMCRYPT_FIELD_OFFSET(SYMCRYPT_SESSION, replayState.messageNumber) == 8);
2088
// For CompareAndSwap128 method, replayMask and messageNumber must be tightly packed
2089
#endif
2090

2091
//
2092
// RC4
2093
//
2094

2095
//
2096
// Some CPUs like the S array type to be larger than BYTE. We abstract the data type
2097
// of the S array to accommodate such CPUs in future.
2098
//
2099

2100
typedef BYTE    SYMCRYPT_RC4_S_TYPE;
2101

2102
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_RC4_STATE {
2103
    SYMCRYPT_RC4_S_TYPE  S[256];
2104
    BYTE i;
2105
    BYTE j;
2106
    SYMCRYPT_MAGIC_FIELD
2107
} SYMCRYPT_RC4_STATE, *PSYMCRYPT_RC4_STATE;
2108

2109
//
2110
// ChaCha20
2111
//
2112

2113
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_CHACHA20_STATE {
2114
    UINT32      key[8];
2115
    UINT32      nonce[3];
2116
    UINT64      offset;                 // offset to use for next operation
2117
    BOOLEAN     keystreamBufferValid;   // keystream buffer matches offset value
2118
    BYTE        keystream[64];
2119
} SYMCRYPT_CHACHA20_STATE, *PSYMCRYPT_CHACHA20_STATE;
2120

2121

2122
//
2123
// AES_CTR_DRBG
2124
//
2125

2126
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_RNG_AES_STATE {
2127
    //
2128
    // Key and V value are in one array, to allow fast generation of both of them
2129
    // in a single call.
2130
    //
2131
    BYTE        keyAndV[32 + 16];
2132
    BYTE        previousBlock[16];
2133
    UINT64      requestCounter;         // called reseed_counter in SP 800-90
2134
    BOOLEAN     fips140_2Check;         // set if the FIPS 140-2 continuous self-test is required
2135
    SYMCRYPT_MAGIC_FIELD
2136
} SYMCRYPT_RNG_AES_STATE, * PSYMCRYPT_RNG_AES_STATE;
2137

2138
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_RNG_AES_FIPS140_2_STATE {
2139
    SYMCRYPT_RNG_AES_STATE  rng;
2140
} SYMCRYPT_RNG_AES_FIPS140_2_STATE, *PSYMCRYPT_RNG_AES_FIPS140_2_STATE;
2141

2142

2143
//
2144
// MARVIN32
2145
//
2146

2147
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_MARVIN32_EXPANDED_SEED
2148
{
2149
    UINT32   s[2];
2150
    SYMCRYPT_MAGIC_FIELD
2151
} SYMCRYPT_MARVIN32_EXPANDED_SEED, *PSYMCRYPT_MARVIN32_EXPANDED_SEED;
2152
typedef const SYMCRYPT_MARVIN32_EXPANDED_SEED * PCSYMCRYPT_MARVIN32_EXPANDED_SEED;
2153

2154

2155
typedef SYMCRYPT_MARVIN32_EXPANDED_SEED SYMCRYPT_MARVIN32_CHAINING_STATE, * PSYMCRYPT_MARVIN32_CHAINING_STATE;
2156

2157
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_MARVIN32_STATE
2158
{
2159
    SYMCRYPT_ALIGN  BYTE                                buffer[8];  // 4 bytes of data, 4 more bytes for final padding
2160
                    SYMCRYPT_MARVIN32_CHAINING_STATE    chain;      // chaining state
2161
                    PCSYMCRYPT_MARVIN32_EXPANDED_SEED   pSeed;      //
2162
                    UINT32                              dataLength; // length of the data processed so far, mod 2^32
2163
                    SYMCRYPT_MAGIC_FIELD
2164
} SYMCRYPT_MARVIN32_STATE, *PSYMCRYPT_MARVIN32_STATE;
2165
typedef const SYMCRYPT_MARVIN32_STATE *PCSYMCRYPT_MARVIN32_STATE;
2166

2167

2168
//
2169
// Export blob sizes
2170
//
2171

2172
#define SYMCRYPT_MD2_STATE_EXPORT_SIZE          (80)
2173
#define SYMCRYPT_MD4_STATE_EXPORT_SIZE          (116)
2174
#define SYMCRYPT_MD5_STATE_EXPORT_SIZE          (116)
2175
#define SYMCRYPT_SHA1_STATE_EXPORT_SIZE         (120)
2176
#define SYMCRYPT_SHA224_STATE_EXPORT_SIZE       (132)
2177
#define SYMCRYPT_SHA256_STATE_EXPORT_SIZE       (132)
2178
#define SYMCRYPT_SHA384_STATE_EXPORT_SIZE       (236)
2179
#define SYMCRYPT_SHA512_STATE_EXPORT_SIZE       (236)
2180
#define SYMCRYPT_SHA512_224_STATE_EXPORT_SIZE   (236)
2181
#define SYMCRYPT_SHA512_256_STATE_EXPORT_SIZE   (236)
2182

2183
#define SYMCRYPT_KECCAK_STATE_EXPORT_SIZE   (234)
2184
#define SYMCRYPT_SHA3_224_STATE_EXPORT_SIZE SYMCRYPT_KECCAK_STATE_EXPORT_SIZE
2185
#define SYMCRYPT_SHA3_256_STATE_EXPORT_SIZE SYMCRYPT_KECCAK_STATE_EXPORT_SIZE
2186
#define SYMCRYPT_SHA3_384_STATE_EXPORT_SIZE SYMCRYPT_KECCAK_STATE_EXPORT_SIZE
2187
#define SYMCRYPT_SHA3_512_STATE_EXPORT_SIZE SYMCRYPT_KECCAK_STATE_EXPORT_SIZE
2188

2189

2190
//
2191
// KDF algorithms
2192
//
2193

2194
//
2195
// PBKDF2
2196
//
2197

2198
typedef struct _SYMCRYPT_PBKDF2_EXPANDED_KEY {
2199
    SYMCRYPT_MAC_EXPANDED_KEY   macKey;
2200
    PCSYMCRYPT_MAC              macAlg;
2201
} SYMCRYPT_PBKDF2_EXPANDED_KEY, *PSYMCRYPT_PBKDF2_EXPANDED_KEY;
2202
typedef const SYMCRYPT_PBKDF2_EXPANDED_KEY *PCSYMCRYPT_PBKDF2_EXPANDED_KEY;
2203

2204
//
2205
// SP 800-108
2206
//
2207

2208
typedef struct _SYMCRYPT_SP800_108_EXPANDED_KEY {
2209
    SYMCRYPT_MAC_EXPANDED_KEY   macKey;
2210
    PCSYMCRYPT_MAC              macAlg;
2211
} SYMCRYPT_SP800_108_EXPANDED_KEY, *PSYMCRYPT_SP800_108_EXPANDED_KEY;
2212
typedef const SYMCRYPT_SP800_108_EXPANDED_KEY *PCSYMCRYPT_SP800_108_EXPANDED_KEY;
2213

2214
//
2215
// TLS PRF 1.1
2216
//
2217

2218
typedef struct _SYMCRYPT_TLSPRF1_1_EXPANDED_KEY {
2219
    SYMCRYPT_HMAC_MD5_EXPANDED_KEY   macMd5Key;
2220
    SYMCRYPT_HMAC_SHA1_EXPANDED_KEY   macSha1Key;
2221
} SYMCRYPT_TLSPRF1_1_EXPANDED_KEY, *PSYMCRYPT_TLSPRF1_1_EXPANDED_KEY;
2222
typedef const SYMCRYPT_TLSPRF1_1_EXPANDED_KEY *PCSYMCRYPT_TLSPRF1_1_EXPANDED_KEY;
2223

2224
//
2225
// TLS PRF 1.2
2226
//
2227

2228
typedef struct _SYMCRYPT_TLSPRF1_2_EXPANDED_KEY {
2229
    SYMCRYPT_MAC_EXPANDED_KEY   macKey;
2230
    PCSYMCRYPT_MAC              macAlg;
2231
} SYMCRYPT_TLSPRF1_2_EXPANDED_KEY, *PSYMCRYPT_TLSPRF1_2_EXPANDED_KEY;
2232
typedef const SYMCRYPT_TLSPRF1_2_EXPANDED_KEY *PCSYMCRYPT_TLSPRF1_2_EXPANDED_KEY;
2233

2234
//
2235
// SSH-KDF
2236
//
2237
typedef struct _SYMCRYPT_SSHKDF_EXPANDED_KEY {
2238
    PCSYMCRYPT_HASH     pHashFunc;
2239
    SYMCRYPT_HASH_STATE hashState;
2240
} SYMCRYPT_SSHKDF_EXPANDED_KEY, *PSYMCRYPT_SSHKDF_EXPANDED_KEY;
2241
typedef const SYMCRYPT_SSHKDF_EXPANDED_KEY *PCSYMCRYPT_SSHKDF_EXPANDED_KEY;
2242

2243
//
2244
// SRTP-KDF
2245
//
2246
typedef struct _SYMCRYPT_SRTPKDF_EXPANDED_KEY {
2247
    SYMCRYPT_AES_EXPANDED_KEY     aesExpandedKey;
2248
} SYMCRYPT_SRTPKDF_EXPANDED_KEY, *PSYMCRYPT_SRTPKDF_EXPANDED_KEY;
2249
typedef const SYMCRYPT_SRTPKDF_EXPANDED_KEY *PCSYMCRYPT_SRTPKDF_EXPANDED_KEY;
2250

2251
//
2252
// HKDF
2253
//
2254

2255
typedef struct _SYMCRYPT_HKDF_EXPANDED_KEY {
2256
    SYMCRYPT_MAC_EXPANDED_KEY   macKey;
2257
    PCSYMCRYPT_MAC              macAlg;
2258
} SYMCRYPT_HKDF_EXPANDED_KEY, *PSYMCRYPT_HKDF_EXPANDED_KEY;
2259
typedef const SYMCRYPT_HKDF_EXPANDED_KEY *PCSYMCRYPT_HKDF_EXPANDED_KEY;
2260

2261
//
2262
// SSKDF
2263
//
2264
typedef struct _SYMCRYPT_SSKDF_MAC_EXPANDED_SALT {
2265
    SYMCRYPT_MAC_EXPANDED_KEY   macKey;
2266
    PCSYMCRYPT_MAC              macAlg;
2267
} SYMCRYPT_SSKDF_MAC_EXPANDED_SALT, *PSYMCRYPT_SSKDF_MAC_EXPANDED_SALT;
2268
typedef const SYMCRYPT_SSKDF_MAC_EXPANDED_SALT *PCSYMCRYPT_SSKDF_MAC_EXPANDED_SALT;
2269

2270
//
2271
// Digit & alignment sizes.
2272
//
2273
// WARNING: do not change these without updating all the optimized code,
2274
// including assembler code.
2275
// The FDEF_DIGIT_SIZE is the digit size used by the FDEF format.
2276
//
2277
#if SYMCRYPT_CPU_AMD64
2278

2279
#define SYMCRYPT_FDEF_DIGIT_SIZE    64
2280
#define SYMCRYPT_ASYM_ALIGN_VALUE   32
2281

2282
#elif SYMCRYPT_CPU_ARM64
2283

2284
#define SYMCRYPT_FDEF_DIGIT_SIZE    32
2285
#define SYMCRYPT_ASYM_ALIGN_VALUE   32
2286

2287
#else
2288

2289
#define SYMCRYPT_FDEF_DIGIT_SIZE    16
2290
#define SYMCRYPT_ASYM_ALIGN_VALUE   16              // We have some bugs when ASYM_ALIGN_VALUE > DIGIT_SIZE; need to fix them if we implement AVX2-based x86 code.
2291

2292
#endif
2293

2294
#define SYMCRYPT_ASYM_ALIGN_UP( _p ) ((PBYTE) ( ((SIZE_T) (_p) + SYMCRYPT_ASYM_ALIGN_VALUE - 1) & ~(SYMCRYPT_ASYM_ALIGN_VALUE - 1 ) ) )
2295

2296

2297
//==============================================================================================
2298
// Object types for low-level API
2299
//
2300
// INT          integer in range 0..N for some N
2301
// DIVISOR      an integer > 0 that can be used to divide with.
2302
// MODULUS      a value M > 1 to use in modulo-M computations
2303
// MODELEMENT   An element in a modulo-M ring.
2304
// ECPOINT      A point on an elliptic curve.
2305
//
2306
// These objects are all aligned to SYMCRYPT_ASYM_ALIGN
2307
//
2308
#define SYMCRYPT_ASYM_ALIGN SYMCRYPT_ALIGN_AT(SYMCRYPT_ASYM_ALIGN_VALUE)
2309
#if SYMCRYPT_MS_VC
2310
#define SYMCRYPT_ASYM_ALIGN_STRUCT SYMCRYPT_ASYM_ALIGN struct
2311
#elif SYMCRYPT_GNUC
2312
#define SYMCRYPT_ASYM_ALIGN_STRUCT struct SYMCRYPT_ASYM_ALIGN
2313
#else
2314
#error Unknown compiler
2315
#endif
2316

2317
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_INT;
2318
typedef struct _SYMCRYPT_INT   SYMCRYPT_INT;
2319
typedef       SYMCRYPT_INT * PSYMCRYPT_INT;
2320
typedef const SYMCRYPT_INT * PCSYMCRYPT_INT;
2321

2322
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_DIVISOR;
2323
typedef struct _SYMCRYPT_DIVISOR   SYMCRYPT_DIVISOR;
2324
typedef       SYMCRYPT_DIVISOR * PSYMCRYPT_DIVISOR;
2325
typedef const SYMCRYPT_DIVISOR * PCSYMCRYPT_DIVISOR;
2326

2327
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_MODULUS;
2328
typedef struct _SYMCRYPT_MODULUS   SYMCRYPT_MODULUS;
2329
typedef       SYMCRYPT_MODULUS * PSYMCRYPT_MODULUS;
2330
typedef const SYMCRYPT_MODULUS * PCSYMCRYPT_MODULUS;
2331

2332
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_MODELEMENT;
2333
typedef  struct _SYMCRYPT_MODELEMENT   SYMCRYPT_MODELEMENT;
2334
typedef       SYMCRYPT_MODELEMENT * PSYMCRYPT_MODELEMENT;
2335
typedef const SYMCRYPT_MODELEMENT * PCSYMCRYPT_MODELEMENT;
2336

2337
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_ECPOINT;
2338
typedef struct _SYMCRYPT_ECPOINT   SYMCRYPT_ECPOINT;
2339
typedef       SYMCRYPT_ECPOINT * PSYMCRYPT_ECPOINT;
2340
typedef const SYMCRYPT_ECPOINT * PCSYMCRYPT_ECPOINT;
2341

2342

2343
//
2344
// Arithmetic formats
2345
//
2346

2347
#define SYMCRYPT_ANYSIZE    1       // used to mark arrays of arbitrary size
2348

2349
#define SYMCRYPT_FDEF_DIGIT_BITS    (8*SYMCRYPT_FDEF_DIGIT_SIZE)
2350
#define SYMCRYPT_FDEF_DIGITS_FROM_BITS( _bits )   ( \
2351
                                                   ((_bits)/ SYMCRYPT_FDEF_DIGIT_BITS) + \
2352
                                                   (( ((_bits) & (SYMCRYPT_FDEF_DIGIT_BITS-1)) + (SYMCRYPT_FDEF_DIGIT_BITS - 1) )/SYMCRYPT_FDEF_DIGIT_BITS) \
2353
                                                  )
2354

2355
#define SYMCRYPT_BYTES_FROM_BITS(bits)          ( ( (bits) + 7 ) / 8 )
2356

2357
// The maximum number of bits in any integer value that the library supports. If the
2358
// caller's input exceed this bound then the integer object will not be created.
2359
// The caller either must ensure the bound is not exceeded, or check for NULL before
2360
// using created SymCrypt objects.
2361
// The primary purpose of this limit is to avoid integer overflows in size computations.
2362
// Having a reasonable upper bound avoids all size overflows, even on 32-bit CPUs
2363
#define SYMCRYPT_INT_MAX_BITS       ((UINT32)(1 << 20))
2364

2365
//
2366
// Upper bound for the number of digits: this MUST be enforced on runtime
2367
// on all Allocate, SizeOf, and Create calls which take as input a digit number.
2368
//
2369
// Using this upper bound and the SYMCRYPT_INT_MAX_BITS upper bound we can argue
2370
// that no integer overflow on 32-bit sizes can happen. Note that the computed upper
2371
// bounds are very loose and the actual values are much smaller.
2372
//
2373
#define SYMCRYPT_FDEF_UPB_DIGITS    (SYMCRYPT_FDEF_DIGITS_FROM_BITS(SYMCRYPT_INT_MAX_BITS))
2374

2375

2376

2377

2378
//
2379
// All of the following SYMCRYPT_FDEF_SIZEOF_XXX_FROM_YYY computations for the four
2380
// main SymCrypt objects (INT, DIVISOR, MODULUS, MODELEMENT) return a value not
2381
// larger than 2^19 if the inputs _nDigits and _bits are not larger than
2382
// SYMCRYPT_FDEF_UPB_DIGITS and SYMCRYPT_INT_MAX_BITS respectively (For MODELEMENT this bound
2383
// is 2^17). The latter bounds must be enforced on runtime for all calculations taking as inputs
2384
// number of digits or bits.
2385
//
2386
// The 2^19 upper bound is derived from:
2387
//      - the maximum (byte) size of an "integer": 2^20 bits / 8 = 2^17 bytes
2388
//      - "sizeof" computations add up to less than 2^18 bytes ~ 262 Kb
2389
//      - the modulus object contains two "integers"
2390
//
2391

2392
//
2393
// Type fields contain the following:
2394
// lower 16 bits: offset into virtual table (if any)
2395
// upper 16 bits: bits 16-23: 1-character object type. Bits 24-31: 1 char implementation type
2396
// The upper bits allow objects to be recognized in memory, making debugging easier.
2397
//
2398

2399
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_INT {
2400
                                                    UINT32  type;
2401
    _Field_range_( 1, SYMCRYPT_FDEF_UPB_DIGITS )    UINT32  nDigits;    // digit size depends on run-time decisions...
2402
                                                    UINT32  cbSize;
2403

2404
    SYMCRYPT_MAGIC_FIELD
2405
    SYMCRYPT_ASYM_ALIGN union {
2406
        struct {
2407
            UINT32          uint32[SYMCRYPT_ANYSIZE];   // FDEF: array UINT32[nDigits * # uint32 per digit]
2408
        } fdef;
2409
    } ti;                   // we must have a name here. 'ti' stands for 'Type-Int', it helps catch type errors when type-casting macros are used.
2410
};
2411

2412
#define SYMCRYPT_FDEF_INT_PUINT32( p )  (&(p)->ti.fdef.uint32[0])
2413

2414

2415
#define SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS( _nDigits )    ((_nDigits) * SYMCRYPT_FDEF_DIGIT_SIZE + sizeof( SYMCRYPT_INT ) )
2416
#define SYMCRYPT_FDEF_SIZEOF_INT_FROM_BITS( _bits )         SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS( SYMCRYPT_FDEF_DIGITS_FROM_BITS( _bits ))
2417

2418
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_DIVISOR {
2419
                                                    UINT32  type;
2420
    _Field_range_( 1, SYMCRYPT_FDEF_UPB_DIGITS )    UINT32  nDigits;    // digit size depends on run-time decisions...
2421
                                                    UINT32  cbSize;
2422

2423
                                                    UINT32  nBits;      // # bits in divisor
2424

2425
    SYMCRYPT_MAGIC_FIELD
2426
    union{
2427
        struct {
2428
            UINT64                  W;              // approximate inverse of the divisor. Some implementations will use 64 bits, others 32 bits.
2429
        } fdef;
2430
    } td;
2431
    SYMCRYPT_INT            Int;                    // Having a full Int here uses more space, but allows any Divisor to still be used as an Int.
2432
    // This structure is directly followed by the Int extension
2433
};
2434

2435
#define SYMCRYPT_FDEF_SIZEOF_DIVISOR_FROM_DIGITS( _nDigits ) ((_nDigits) * SYMCRYPT_FDEF_DIGIT_SIZE + sizeof( SYMCRYPT_DIVISOR ) )
2436
#define SYMCRYPT_FDEF_SIZEOF_DIVISOR_FROM_BITS( _bits ) SYMCRYPT_FDEF_SIZEOF_DIVISOR_FROM_DIGITS( SYMCRYPT_FDEF_DIGITS_FROM_BITS( _bits ))
2437

2438
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_MODULUS {
2439
                                                    UINT32  type;
2440
    _Field_range_( 1, SYMCRYPT_FDEF_UPB_DIGITS )    UINT32  nDigits;        // digit size depends on run-time decisions...
2441
                                                    UINT32  cbSize;         // Size of modulus object
2442

2443
                                                    UINT32  flags;          // The flags the modulus was created with
2444
                                                    UINT32  cbModElement;   // Size of one modElement
2445
                                                    UINT64  inv64;          // -1/modulus mod 2^64 (always set but only to a useful value when the modulus is odd)
2446

2447
    SYMCRYPT_MAGIC_FIELD
2448
    union{
2449
        struct {
2450
            //UINT32          nUint32Used;    // # 32-bit words used in representing numbers. modulus < 2^{32*nUint32Used}.
2451
                                            // only values used are nDigits * uint32-per-digit or specific smaller values for optimized implementations
2452
            PCUINT32        Rsqr;           // R^2 mod modulus, in uint32 form, nUint32Used words. Stored after Divisor. R = 2^{32*nUint32Used}
2453
        } montgomery;
2454
        struct {
2455
            UINT32          k;              // modulus = 2^<bitsize of modelement> - k
2456
        } pseudoMersenne;
2457
    } tm;                                   // type specific data. Every Modulus can be used as a generic modulus, so no type-specific data for generic.
2458

2459
    SYMCRYPT_DIVISOR        Divisor;
2460
    // This structure is directly followed by:
2461
    //  The extensions of the Divisor object
2462
    // and after that:
2463
    // FDEF: Rsqr as an array of UINT32, size = nDigits * digitsize
2464
    // FDEF: negDivisor as an array of UINT32, size = nDigits * digitsize
2465
};
2466

2467
#define SYMCRYPT_FDEF_SIZEOF_MODULUS_FROM_DIGITS( _nDigits )    (sizeof( SYMCRYPT_MODULUS ) + SYMCRYPT_FDEF_SIZEOF_DIVISOR_FROM_DIGITS( _nDigits ) + (2 * _nDigits * SYMCRYPT_FDEF_DIGIT_SIZE) )
2468
#define SYMCRYPT_FDEF_SIZEOF_MODULUS_FROM_BITS( _bits )         SYMCRYPT_FDEF_SIZEOF_MODULUS_FROM_DIGITS(SYMCRYPT_FDEF_DIGITS_FROM_BITS( _bits ))
2469

2470
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_MODELEMENT {
2471
    // ModElements just store the information without any header. This union makes this well-defined, and allows easy access.
2472
    union{
2473
        UINT32    uint32[SYMCRYPT_ANYSIZE];
2474
    } d;
2475
};
2476

2477
#define SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_DIGITS( _nDigits )    ((_nDigits) * SYMCRYPT_FDEF_DIGIT_SIZE)
2478
#define SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_BITS( _bits )          SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_DIGITS( SYMCRYPT_FDEF_DIGITS_FROM_BITS( _bits ) )
2479

2480
//
2481
// Upper bound for scratch size computations for FDEF objects depending only on digits
2482
//
2483
// The following 14 scratch size computation macros are all of the form:
2484
//      Some SIZEOF macros + max( some other scratch macros )
2485
// and all depend on some number of digits. (Slight exceptions are
2486
// INT_TO_MODULUS and INT_PRIME_GEN but they can fit into the below
2487
// rationale.)
2488
//
2489
// One can see that the deepest recursion in these macros and the biggest
2490
// return value is for
2491
//      INT_PRIME_GEN -> INT_MILLER_RABIN -> MODEXP ->
2492
//      COMMON_MOD_OPERATIONS -> SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_DIVMOD
2493
//
2494
// Using the 2^19 (2^17) bound on the sizeof computations the biggest contribution on the above chain is for MODEXP:
2495
//      ((1 << SYMCRYPT_FDEF_MAX_WINDOW_MODEXP) + 2) * SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_DIGITS( _nModDigits )
2496
// which is bounded above by
2497
//      (2^6 + 2) * 2^17 < 2^24
2498
//
2499
// By doubling on each subsequent recursive call we get the conservative
2500
// upper bound for all scratch size computation macros of 2^26.
2501
//
2502

2503
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_TO_DIVISOR( _nDigits )  (16 * (_nDigits))   // unused currently, but this catches errors
2504

2505
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_MUL( _nDigits )         (16 * (_nDigits))   // unused currently, but nonzero size catches errors
2506

2507
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_DIVMOD( _nSrcDigits, _nDivisorDigits )  ( (_nSrcDigits + 1) * SYMCRYPT_FDEF_DIGIT_SIZE )
2508

2509
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_EXTENDED_GCD( _nDigits ) ( \
2510
            4 * SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS( _nDigits ) + \
2511
            SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS( 2 * _nDigits ) + \
2512
            2 * SYMCRYPT_FDEF_SIZEOF_DIVISOR_FROM_DIGITS( _nDigits ) + \
2513
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_DIVMOD( 2 * _nDigits, _nDigits ), \
2514
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_MUL( 2 * _nDigits ), \
2515
                 SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_TO_DIVISOR( _nDigits ) )) )
2516

2517
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_COMMON_MOD_OPERATIONS( _nModDigits ) \
2518
            ( (2*(_nModDigits) * SYMCRYPT_FDEF_DIGIT_SIZE) + \
2519
            SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_DIVMOD( 2*(_nModDigits), _nModDigits )) // for mult: tmp product + divmod scratch
2520

2521
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_CRT_GENERATION( _nDigits ) ( \
2522
            2*SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS( _nDigits ) + \
2523
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_EXTENDED_GCD( _nDigits ), \
2524
                 SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_COMMON_MOD_OPERATIONS( _nDigits ) ))
2525

2526
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_CRT_SOLUTION( _nDigits ) ( \
2527
            SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS( _nDigits ) + \
2528
            SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_DIGITS( _nDigits ) + \
2529
            SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS( 2*_nDigits ) + \
2530
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_COMMON_MOD_OPERATIONS( _nDigits ), \
2531
                 SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_MUL( 2*_nDigits ) ))
2532

2533
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_TO_MODULUS( _nDigits )  ( \
2534
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_TO_DIVISOR( _nDigits ),\
2535
                (2*_nDigits+1) * SYMCRYPT_FDEF_DIGIT_SIZE + SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_DIVMOD( 2*_nDigits + 1, nDigits )) )
2536

2537
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_MODINV( _nModDigits ) ( \
2538
            4 * SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_DIGITS( _nModDigits ) + \
2539
            3 * SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS( _nModDigits ) + \
2540
            SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_COMMON_MOD_OPERATIONS( _nModDigits ) )
2541

2542
#define SYMCRYPT_FDEF_MAX_WINDOW_MODEXP         (6)
2543

2544
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_MODEXP( _nModDigits ) ( \
2545
            ((1 << SYMCRYPT_FDEF_MAX_WINDOW_MODEXP) + 2) * SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_DIGITS( _nModDigits ) + \
2546
            SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_COMMON_MOD_OPERATIONS( _nModDigits ) )
2547

2548
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_IS_POTENTIAL_PRIME( _nDigits )  (0)
2549

2550
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_MILLER_RABIN( _nDigits ) ( \
2551
            SYMCRYPT_FDEF_SIZEOF_MODULUS_FROM_DIGITS(_nDigits) + \
2552
            3*SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_DIGITS(_nDigits) + \
2553
            SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS(_nDigits) + \
2554
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_TO_MODULUS(_nDigits), \
2555
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_COMMON_MOD_OPERATIONS(_nDigits), \
2556
                 SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_MODEXP( _nDigits ) )) )
2557

2558
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_IS_PRIME( _nDigits ) ( \
2559
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_IS_POTENTIAL_PRIME( _nDigits ), \
2560
                 SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_MILLER_RABIN( _nDigits ) ))
2561

2562
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_PRIME_GEN( _nDigits ) ( \
2563
            SYMCRYPT_RSAKEY_MAX_NUMOF_PUBEXPS * SYMCRYPT_FDEF_SIZEOF_DIVISOR_FROM_DIGITS( 1 ) + \
2564
            SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS( 1 ) + \
2565
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_TO_DIVISOR( 1 ), \
2566
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_DIVMOD( _nDigits, 1 ), \
2567
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SIZEOF_INT_FROM_DIGITS( _nDigits ), \
2568
            SYMCRYPT_MAX( SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_IS_POTENTIAL_PRIME( _nDigits ), \
2569
                 SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_MILLER_RABIN( _nDigits ) )))))
2570

2571
//
2572
// Upper bound for SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_MODMULTIEXP
2573
//
2574
// _nBase and _nBitsExp are bounded by SYMCRYPT_MODMULTIEXP_MAX_NBASES = 8 and
2575
// SYMCRYPT_MODMULTIEXP_MAX_NBITSEXP = 2^20. Therefore the upper bound on this computation
2576
// is
2577
//      2^21 + 2^3*(2^6+4)*2^17 + 2^3*2^20*4 < 2^27
2578
//
2579
#define SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_MODMULTIEXP( _nModDigits, _nBases, _nBitsExp ) ( \
2580
    SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_COMMON_MOD_OPERATIONS( _nModDigits ) + \
2581
    ((_nBases)*(1<<SYMCRYPT_FDEF_MAX_WINDOW_MODEXP) + 4)*SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_DIGITS( _nModDigits ) + \
2582
    (((_nBases)*(_nBitsExp)*sizeof(UINT32) + SYMCRYPT_ASYM_ALIGN_VALUE - 1) & ~(SYMCRYPT_ASYM_ALIGN_VALUE - 1)) )
2583
// Note: We need +4 multiplied with SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_DIGITS so that SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_MODMULTIEXP
2584
// is always at least 2 modelements bigger than SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_MODEXP (see modexp.c)
2585

2586
//
2587
// Support for masked operations
2588

2589
#define SYMCRYPT_MASK32_SET             ((UINT32)-1)
2590
#define SYMCRYPT_MASK32_NONZERO( _v )   ((UINT32)(((UINT64)0 - (_v)) >> 32))
2591
#define SYMCRYPT_MASK32_ZERO( _v )      (~SYMCRYPT_MASK32_NONZERO( _v ))
2592
#define SYMCRYPT_MASK32_EQ( _a, _b )    (~SYMCRYPT_MASK32_NONZERO( (_a) ^ (_b) ))
2593
#define SYMCRYPT_MASK32_LT( _a, _b )    ((UINT32)( ((UINT64)(_a) - (_b)) >> 32 ))
2594

2595

2596
//
2597
// Dispatch definitions
2598
// When multiple formats are supported, this is where the information of the multiple formats is combined.
2599
//
2600
//  See the comments in SYMCRYPT_FDEF_SCRATCH_XXX regarding 32 bit overflow protection. All results
2601
//  are bounded above by 2^27.
2602
//
2603

2604
#define SYMCRYPT_INTERNAL_SIZEOF_INT_FROM_BITS( _bitsize )          SYMCRYPT_FDEF_SIZEOF_INT_FROM_BITS( _bitsize )
2605
#define SYMCRYPT_INTERNAL_SIZEOF_DIVISOR_FROM_BITS( _bitsize )      SYMCRYPT_FDEF_SIZEOF_DIVISOR_FROM_BITS( _bitsize )
2606
#define SYMCRYPT_INTERNAL_SIZEOF_MODULUS_FROM_BITS( _bitsize )      SYMCRYPT_FDEF_SIZEOF_MODULUS_FROM_BITS( _bitsize )
2607
#define SYMCRYPT_INTERNAL_SIZEOF_MODELEMENT_FROM_BITS( _bitsize )   SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_BITS( _bitsize )
2608

2609
#define SYMCRYPT_INTERNAL_SIZEOF_RSAKEY_FROM_PARAMS( modBits, nPrimes, nPubExps ) SYMCRYPT_FDEF_SIZEOF_RSAKEY_FROM_PARAMS( modBits, nPrimes, nPubExps )
2610
// For now we don't need the pubExpBits so we drop them, but we might use them later.
2611

2612
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_INT_TO_DIVISOR( _nDigits )                      SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_TO_DIVISOR( _nDigits )
2613
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_INT_MUL( _nDigits )                             SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_MUL( _nDigits )
2614
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_INT_DIVMOD( _nSrcDigits, _nDivisorDigits )      SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_DIVMOD( _nSrcDigits, _nDivisorDigits )
2615
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_EXTENDED_GCD( _nDigits )                        SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_EXTENDED_GCD( _nDigits )
2616
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_COMMON_MOD_OPERATIONS( _nModDigits )            SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_COMMON_MOD_OPERATIONS( _nModDigits )
2617
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_CRT_GENERATION( _nDigits )                      SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_CRT_GENERATION( _nDigits )
2618
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_CRT_SOLUTION( _nDigits )                        SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_CRT_SOLUTION( _nDigits )
2619
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_INT_TO_MODULUS( _nDigits )                      SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_TO_MODULUS( _nDigits )
2620
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_MODINV( _nModDigits )                           SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_MODINV( _nModDigits )
2621
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_MODEXP( _nModDigits )                           SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_MODEXP( _nModDigits )
2622
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_INT_IS_PRIME( _nDigits )                        SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_IS_PRIME( _nDigits )
2623
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_INT_PRIME_GEN( _nDigits )                       SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_INT_PRIME_GEN( _nDigits )
2624

2625
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_MODMULTIEXP( _nModDigits, _nBases, _nBitsExp )  SYMCRYPT_FDEF_SCRATCH_BYTES_FOR_MODMULTIEXP( _nModDigits, _nBases, _nBitsExp )
2626

2627
//
2628
// Forward declarations for MlKemkey types
2629
//
2630
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_MLKEMKEY;
2631
typedef struct _SYMCRYPT_MLKEMKEY SYMCRYPT_MLKEMKEY;
2632
typedef       SYMCRYPT_MLKEMKEY * PSYMCRYPT_MLKEMKEY;
2633
typedef const SYMCRYPT_MLKEMKEY * PCSYMCRYPT_MLKEMKEY;
2634

2635
//
2636
// Forward declarations for MlDsakey types
2637
//
2638
struct _SYMCRYPT_MLDSAKEY;
2639
typedef struct _SYMCRYPT_MLDSAKEY SYMCRYPT_MLDSAKEY;
2640
typedef       SYMCRYPT_MLDSAKEY * PSYMCRYPT_MLDSAKEY;
2641
typedef const SYMCRYPT_MLDSAKEY * PCSYMCRYPT_MLDSAKEY;
2642

2643
//
2644
// Forward declarations for CompositeMlKemkey types
2645
//
2646
SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_COMPOSITE_MLKEMKEY;
2647
typedef struct _SYMCRYPT_COMPOSITE_MLKEMKEY SYMCRYPT_COMPOSITE_MLKEMKEY;
2648
typedef       SYMCRYPT_COMPOSITE_MLKEMKEY * PSYMCRYPT_COMPOSITE_MLKEMKEY;
2649
typedef const SYMCRYPT_COMPOSITE_MLKEMKEY * PCSYMCRYPT_COMPOSITE_MLKEMKEY;
2650

2651
//
2652
// RSA padding scratch definitions
2653
//
2654
// The maximum sizes of the state and the result for all hash algorithms are
2655
// sizeof(SYMCRYPT_HASH_STATE) and SYMCRYPT_HASH_MAX_RESULT_SIZE, both not bigger
2656
// 2^20. All the nBytes inputs are bounded by 2^17 (the maximum byte-size
2657
// of the RSA modulus).
2658
//
2659
// Thus a total upper bound on these results is 2^20.
2660
//
2661
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_RSA_OAEP( _hashAlgorithm, _nBytesOAEP ) ( SymCryptHashStateSize( _hashAlgorithm ) + \
2662
                                                                                      SymCryptHashResultSize( _hashAlgorithm ) + \
2663
                                                                                      2*(_nBytesOAEP - 1) )
2664

2665
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_RSA_PKCS1( _nBytesPKCS1 ) ( _nBytesPKCS1 )
2666

2667
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_RSA_PSS( _hashAlgorithm, _nBytesMessage, _nBytesPSS ) ( SymCryptHashStateSize( _hashAlgorithm ) + \
2668
                                                                                                    _nBytesMessage + \
2669
                                                                                                    3*(_nBytesPSS) + 5 )
2670

2671
//
2672
// RSAKEY Type
2673
//
2674

2675
#define SYMCRYPT_FDEF_SIZEOF_RSAKEY_FROM_PARAMS( modBits, nPrimes, nPubExps ) \
2676
    sizeof( SYMCRYPT_RSAKEY ) + \
2677
    (nPrimes + 1) * SYMCRYPT_FDEF_SIZEOF_MODULUS_FROM_BITS( modBits ) + \
2678
    nPrimes * SYMCRYPT_FDEF_SIZEOF_MODELEMENT_FROM_BITS( modBits ) + \
2679
    (nPrimes + 1) * nPubExps * SYMCRYPT_FDEF_SIZEOF_INT_FROM_BITS( modBits )
2680
// 1 modulus object per prime + 1 for the RSA modulus
2681
// 1 modelement for every crtInverse
2682
// 1 int per pubexp for each privexp +  1 int per prime*pubexp for each crtprivexp
2683

2684
#define SYMCRYPT_RSAKEY_MAX_NUMOF_PRIMES            (2)
2685
#define SYMCRYPT_RSAKEY_MAX_NUMOF_PUBEXPS           (1)
2686

2687
#define SYMCRYPT_RSAKEY_MIN_BITSIZE_MODULUS         (256)               // Some of our SCS code requires at least 32 bytes...
2688
#define SYMCRYPT_RSAKEY_MAX_BITSIZE_MODULUS         (1 << 16)           // Avoid any integer overflows in size calculations
2689

2690
// RSA FIPS self-tests require at least 496 bits to avoid fatal
2691
// Require caller to specify NO_FIPS for up to 1024 bits as running FIPS tests on too-small keys
2692
// does not make it FIPS certifiable and gives the wrong impression to callers
2693
#define SYMCRYPT_RSAKEY_FIPS_MIN_BITSIZE_MODULUS    (1024)
2694

2695
#define SYMCRYPT_RSAKEY_MIN_BITSIZE_PRIME           (128)
2696
#define SYMCRYPT_RSAKEY_MAX_BITSIZE_PRIME           (SYMCRYPT_RSAKEY_MAX_BITSIZE_MODULUS / 2)
2697

2698
// Minimum allowable bit sizes for generated and imported parameters for
2699
// the RSA modulus and each prime.
2700

2701
typedef SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_RSAKEY {
2702
                    UINT32              fAlgorithmInfo;     // Tracks which algorithms the key can be used in
2703
                                                            // Also tracks which per-key selftests have been performed on this key
2704
                                                            // A bitwise OR of SYMCRYPT_FLAG_KEY_*, SYMCRYPT_FLAG_RSAKEY_*, and
2705
                                                            // SYMCRYPT_PCT_* values
2706

2707
                    UINT32              cbTotalSize;        // Total size of the rsa key
2708
                    BOOLEAN             hasPrivateKey;      // Set to true if there is private key information set
2709

2710
                    UINT32              nSetBitsOfModulus;  // Bits of modulus specified during creation
2711

2712
                    UINT32              nBitsOfModulus;     // Number of bits of the value of the modulus (not the object's size)
2713
                    UINT32              nDigitsOfModulus;   // Number of digits of the modulus object (always equal to SymCryptDigitsFromBits(nSetBitsOfModulus))
2714

2715
                    UINT32              nPubExp;            // Number of public exponents
2716

2717
                    UINT32              nPrimes;            // Number of primes, can be 0 if the object only supports public keys
2718
                    UINT32              nBitsOfPrimes[SYMCRYPT_RSAKEY_MAX_NUMOF_PRIMES];
2719
                                                            // Number of bits of the value of each prime (not the object's size)
2720
                    UINT32              nDigitsOfPrimes[SYMCRYPT_RSAKEY_MAX_NUMOF_PRIMES];
2721
                                                            // Number of digits of each prime object
2722
                    UINT32              nMaxDigitsOfPrimes; // Maximum number of digits in nDigitsOfPrimes
2723

2724
                    UINT64              au64PubExp[SYMCRYPT_RSAKEY_MAX_NUMOF_PUBEXPS];
2725
                    // SYMCRYPT_ASYM_ALIGN'ed buffers that point to memory allocated for each object
2726
                    PBYTE               pbPrimes[SYMCRYPT_RSAKEY_MAX_NUMOF_PRIMES];
2727
                    PBYTE               pbCrtInverses[SYMCRYPT_RSAKEY_MAX_NUMOF_PRIMES];
2728
                    PBYTE               pbPrivExps[SYMCRYPT_RSAKEY_MAX_NUMOF_PUBEXPS];
2729
                    PBYTE               pbCrtPrivExps[SYMCRYPT_RSAKEY_MAX_NUMOF_PUBEXPS * SYMCRYPT_RSAKEY_MAX_NUMOF_PRIMES];
2730

2731
                    // SymCryptObjects
2732
                    PSYMCRYPT_MODULUS   pmModulus;          // The modulus N=p*q
2733
                    PSYMCRYPT_MODULUS   pmPrimes[SYMCRYPT_RSAKEY_MAX_NUMOF_PRIMES];
2734
                                                            // Pointers to the secret primes
2735
                    PSYMCRYPT_MODELEMENT peCrtInverses[SYMCRYPT_RSAKEY_MAX_NUMOF_PRIMES];
2736
                                                            // Pointers to the CRT inverses of the primes
2737
                    PSYMCRYPT_INT       piPrivExps[SYMCRYPT_RSAKEY_MAX_NUMOF_PUBEXPS];
2738
                                                            // Pointers to the corresponding private exponents
2739
                    PSYMCRYPT_INT       piCrtPrivExps[SYMCRYPT_RSAKEY_MAX_NUMOF_PUBEXPS * SYMCRYPT_RSAKEY_MAX_NUMOF_PRIMES];
2740
                                                            // Pointers to the private exponents modulo each prime minus 1 (for CRT)
2741

2742
                    SYMCRYPT_MAGIC_FIELD
2743
                    // Followed by:
2744
                    // Modulus
2745
                    // Primes
2746
                    // CrtInverses
2747
                    // PrivExps
2748
                    // CrtPrivExps
2749
} SYMCRYPT_RSAKEY;
2750
typedef       SYMCRYPT_RSAKEY * PSYMCRYPT_RSAKEY;
2751
typedef const SYMCRYPT_RSAKEY * PCSYMCRYPT_RSAKEY;
2752

2753
//
2754
// The following definitions relating to trial division are not needed by normal callers
2755
// but are used by the test program to measure performance of components.
2756
//
2757

2758
typedef struct _SYMCRYPT_TRIALDIVISION_PRIME {
2759
    UINT64  invMod2e64;         // Inverse of prime modulo 2^64
2760
    UINT64  compareLimit;       // floor( (2^{64}-1)/ prime )
2761
} SYMCRYPT_TRIALDIVISION_PRIME, *PSYMCRYPT_TRIALDIVISION_PRIME;
2762
typedef const SYMCRYPT_TRIALDIVISION_PRIME * PCSYMCRYPT_TRIALDIVISION_PRIME;
2763
//
2764
// This structure is used to test whether a UINT64 is a multiple of a (small) prime.
2765
// Let V be the input value, P the small prime, and W the inverse of P modulo 2^64.
2766
// If V = k*P then V * M mod 2^64 = V/P mod 2^64 = k.
2767
// This holds for k = 0, 1, ..., floor( (2^{64}-1)/p ).
2768
// If V is not a multiple of P then the result of the multiplication must be larger than that.
2769
//
2770

2771
typedef struct _SYMCRYPT_TRIALDIVISION_GROUP {
2772
    UINT32  nPrimes;       // # primes are in this group (use the next ones)
2773
    UINT32  factor[9];     // factors[i] = 2^{32*(i+1)} mod Prod where Prod = product of the primes
2774
                           // It is guaranteed that Prod <= (2^{32}-1)/9
2775
} SYMCRYPT_TRIALDIVISION_GROUP, *PSYMCRYPT_TRIALDIVISION_GROUP;
2776
typedef const SYMCRYPT_TRIALDIVISION_GROUP * PCSYMCRYPT_TRIALDIVISION_GROUP;
2777

2778

2779
typedef struct _SYMCRYPT_TRIALDIVISION_CONTEXT {
2780
    SIZE_T                          nBytesAlloc;
2781
    UINT32                          maxTrialPrime;
2782
    PSYMCRYPT_TRIALDIVISION_GROUP   pGroupList; // terminated with 0 record
2783
    PSYMCRYPT_TRIALDIVISION_PRIME   pPrimeList; // terminated with 0 record
2784
    PUINT32                         pPrimes;    // terminated with a 0.
2785
    SYMCRYPT_TRIALDIVISION_PRIME    Primes3_5_17[3];    // Structures for 3, 5 and 17 in that order
2786
} SYMCRYPT_TRIALDIVISION_CONTEXT, *PSYMCRYPT_TRIALDIVISION_CONTEXT;
2787
typedef const SYMCRYPT_TRIALDIVISION_CONTEXT * PCSYMCRYPT_TRIALDIVISION_CONTEXT;
2788

2789
UINT32
2790
SymCryptTestTrialdivisionMaxSmallPrime( PCSYMCRYPT_TRIALDIVISION_CONTEXT pContext );   // Expose small prime limit to help test code
2791

2792
//
2793
// DLGROUP type
2794
//
2795

2796
#define SYMCRYPT_DLGROUP_MIN_BITSIZE_P          (32)
2797
#define SYMCRYPT_DLGROUP_MIN_BITSIZE_Q          (31)  // Q must always be at least 1 bit shorter than P
2798
// Minimum allowable bit sizes for generated and imported parameters for both P and
2799
// Q primes.
2800

2801
typedef SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_DLGROUP {
2802
    UINT32                  cbTotalSize;    // Total size of the dl group object
2803
    BOOLEAN                 fHasPrimeQ;     // Flag that specifies whether the object has a Q parameter
2804

2805
    UINT32                  nBitsOfP;       // Number of bits of the value of P (not the object's size)
2806
    UINT32                  cbPrimeP;       // Number of bytes of the value of P (not the object's size), equal to ceil(nBitsOfP/8)
2807
    UINT32                  nDigitsOfP;     // Number of digits of the object of prime P
2808
    UINT32                  nMaxBitsOfP;    // Maximum number of bits of the value of P
2809

2810
    UINT32                  nBitsOfQ;       // Number of bits of the value of Q (not the object's bits)
2811
    UINT32                  cbPrimeQ;       // Number of bytes of the value of Q (not the object's size), equal to ceil(nBitsOfQ/8)
2812
    UINT32                  nDigitsOfQ;     // Number of digits of the object of prime Q
2813
    UINT32                  nMaxBitsOfQ;    // Maximum number of bits of the value of Q
2814

2815
    BOOLEAN                 isSafePrimeGroup;   // Boolean indicating if this is a Safe Prime group
2816
    UINT32                  nMinBitsPriv;   // Minimum number of bits to be used in private keys for this group
2817
                                            // This only applies to named Safe Prime groups where this is related to the security strength
2818
                                            // i.e. this corresponds to 2s in SP800-56arev3 5.6.1.1.1 / 5.6.2.1.2
2819
    UINT32                  nDefaultBitsPriv;   // Default number of bits used in private keys for this group
2820
                                                // Normally equals nBitsOfQ, but may be further restricted (i.e. for named Safe Prime groups)
2821
                                                // i.e. this corresponds to a default value of N in SP800-56arev3 5.6.1.1.1 / 5.6.2.1.2
2822

2823
    UINT32                  nBitsOfSeed;    // Number of bits of the seed used for generation (seedlen in FIPS 186-3)
2824
    UINT32                  cbSeed;         // Number of bytes of the seed, equal to ceil(nBitsOfSeed/8)
2825

2826
    SYMCRYPT_DLGROUP_FIPS   eFipsStandard;  // Code specifying the FIPS standard used to create the keys. If 0 the group is unverified.
2827

2828
    PCSYMCRYPT_HASH         pHashAlgorithm; // Hash algorithm used for the generation of parameters
2829
    UINT32                  dwGenCounter;   // Number of iterations used for the generation of parameters
2830
    BYTE                    bIndexGenG;     // Index for the generation of generator G (FIPS 186-3) (Always 1 for now)
2831

2832
    PBYTE                   pbQ;            // SYMCRYPT_ASYM_ALIGN'ed buffer that points to the memory allocated for modulus Q
2833

2834
    PSYMCRYPT_MODULUS       pmP;            // Pointer to the prime P
2835
    PSYMCRYPT_MODULUS       pmQ;            // Pointer to the prime Q
2836

2837
    PSYMCRYPT_MODELEMENT    peG;            // Pointer to the generator G
2838

2839
    PBYTE                   pbSeed;         // Buffer that will hold the seed (this is padded at the end so that the entire structure
2840
                                            // has size a multiple of SYMCRYPT_ASYM_ALIGN_VALUE)
2841

2842
    SYMCRYPT_MAGIC_FIELD
2843

2844
    // P
2845
    // Q
2846
    // G
2847
    // Seed
2848
} SYMCRYPT_DLGROUP;
2849
typedef       SYMCRYPT_DLGROUP * PSYMCRYPT_DLGROUP;
2850
typedef const SYMCRYPT_DLGROUP * PCSYMCRYPT_DLGROUP;
2851

2852
//
2853
// DLKEY type
2854
//
2855
typedef SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_DLKEY {
2856
                    UINT32                  fAlgorithmInfo; // Tracks which algorithms the key can be used in
2857
                                                            // Also tracks which per-key selftests have been performed on this key
2858
                                                            // A bitwise OR of SYMCRYPT_FLAG_KEY_*, SYMCRYPT_FLAG_DLKEY_*, and
2859
                                                            // SYMCRYPT_PCT_* values
2860

2861
                    BOOLEAN                 fHasPrivateKey; // Set to true if there is a private key set
2862
                    BOOLEAN                 fPrivateModQ;   // Set to true if the private key is at most Q-1, otherwise it is at most P-2
2863
                    UINT32                  nBitsPriv;      // Number of bits used in private keys
2864

2865
                    PCSYMCRYPT_DLGROUP      pDlgroup;       // Handle to the group which created the key
2866

2867
                    PBYTE                   pbPrivate;      // SYMCRYPT_ASYM_ALIGN'ed buffer that points to the memory allocated for the private key
2868

2869
                    PSYMCRYPT_MODELEMENT    pePublicKey;    // Public key (modelement modulo P)
2870
                    PSYMCRYPT_INT           piPrivateKey;   // Private key (integer up to 2^nBitsPriv-1, Q-1 or P-2)
2871

2872
                    SYMCRYPT_MAGIC_FIELD
2873

2874
                    // PublicKey
2875
                    // PrivateKey                           // The size of this must always be the same as the size of P
2876
} SYMCRYPT_DLKEY;
2877
typedef       SYMCRYPT_DLKEY * PSYMCRYPT_DLKEY;
2878
typedef const SYMCRYPT_DLKEY * PCSYMCRYPT_DLKEY;
2879

2880
//
2881
// Elliptic Curve Function Types
2882
//
2883

2884
#define SYMCRYPT_ECPOINT_FORMAT_MAX_LENGTH                      4   // Number of MODELEMENTs for the largest ECPOINT format
2885

2886
// Coordinate representations for ECPOINTs
2887
// NOTE: The value masked with 0xf gives you the number of coordinates
2888
typedef enum _SYMCRYPT_ECPOINT_COORDINATES {
2889
    SYMCRYPT_ECPOINT_COORDINATES_INVALID             = 0x00,   // Invalid point representation
2890
    SYMCRYPT_ECPOINT_COORDINATES_SINGLE              = 0x11,   // Representation with only X
2891
    SYMCRYPT_ECPOINT_COORDINATES_AFFINE              = 0x22,   // Affine representation (X,Y)
2892
    SYMCRYPT_ECPOINT_COORDINATES_PROJECTIVE          = 0x33,   // Three equally-sized values where the triple (X,Y,Z) represents the affine point (X/Z, Y/Z)
2893
    SYMCRYPT_ECPOINT_COORDINATES_JACOBIAN            = 0x43,   // Three equally-sized values where the triple (X,Y,Z) represents the affine point (X/Z^2, Y/Z^3)
2894
    SYMCRYPT_ECPOINT_COORDINATES_EXTENDED_PROJECTIVE = 0x54,   // Four equally-sized values where (X,Y,Z,T) represents the affine point (X/Z, Y/Z) with T=X*Y*Z
2895
    SYMCRYPT_ECPOINT_COORDINATES_SINGLE_PROJECTIVE   = 0x62,   // Two equally-sized values where (X,Z) represents the point (X/Z)
2896
} SYMCRYPT_ECPOINT_COORDINATES;
2897

2898
#define SYMCRYPT_INTERNAL_NUMOF_COORDINATES( _eCoordinates )              ((_eCoordinates) & 0xf)
2899

2900

2901
//
2902
// Curve-type-dependent information
2903
//
2904

2905
// Short-Weierstrass
2906

2907
#define SYMCRYPT_ECURVE_SW_DEF_WINDOW               (6)         // Default window size for the windowed methods
2908

2909
#define SYMCRYPT_ECURVE_SW_MAX_NPRECOMP_POINTS      (64)        // Maximum number of precomputed points
2910

2911
typedef struct _SYMCRYPT_ECURVE_INFO_PRECOMP {
2912
                    UINT32              window;         // Window size
2913
                    UINT32              nPrecompPoints; // Number of precomputed points
2914
                    UINT32              nRecodedDigits; // Number of recoded digits
2915
                    PSYMCRYPT_ECPOINT   poPrecompPoints[SYMCRYPT_ECURVE_SW_MAX_NPRECOMP_POINTS];
2916
                                                        // Table of pointers to precomputed powers of the distinguished point
2917
} SYMCRYPT_ECURVE_INFO_PRECOMP;
2918

2919
//
2920
//  ECURVE object
2921
//
2922

2923
#define SYMCRYPT_ECURVE_MIN_BITSIZE_FMOD        (32)
2924
#define SYMCRYPT_ECURVE_MIN_BITSIZE_GORD        (32)
2925
#define SYMCRYPT_ECURVE_MAX_COFACTOR_POWER      (8)
2926
// Minimum (maximum for cofactor) allowable bit sizes for imported
2927
// parameters for field modulus, group order of curve (and cofactor).
2928

2929
#define SYMCRYPT_INTERNAL_ECURVE_VERSION_LATEST                         1
2930

2931
typedef enum _SYMCRYPT_INTERNAL_ECURVE_TYPE {
2932
    SYMCRYPT_INTERNAL_ECURVE_TYPE_SHORT_WEIERSTRASS     = 1,
2933
    SYMCRYPT_INTERNAL_ECURVE_TYPE_TWISTED_EDWARDS       = 2,
2934
    SYMCRYPT_INTERNAL_ECURVE_TYPE_MONTGOMERY            = 3,
2935
    SYMCRYPT_INTERNAL_ECURVE_TYPE_SHORT_WEIERSTRASS_AM3 = 4,// This type is a specialization of Short-Weierstrass when A == -3
2936
                                                            // This condition is detected and used for all NIST prime curves
2937
} SYMCRYPT_INTERNAL_ECURVE_TYPE;
2938

2939
C_ASSERT((UINT32)SYMCRYPT_INTERNAL_ECURVE_TYPE_SHORT_WEIERSTRASS   == (UINT32)SYMCRYPT_ECURVE_TYPE_SHORT_WEIERSTRASS );
2940
C_ASSERT((UINT32)SYMCRYPT_INTERNAL_ECURVE_TYPE_TWISTED_EDWARDS     == (UINT32)SYMCRYPT_ECURVE_TYPE_TWISTED_EDWARDS );
2941
C_ASSERT((UINT32)SYMCRYPT_INTERNAL_ECURVE_TYPE_MONTGOMERY          == (UINT32)SYMCRYPT_ECURVE_TYPE_MONTGOMERY );
2942

2943
typedef SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_ECURVE {
2944
                    UINT32                  version;        // Version #
2945
                    SYMCRYPT_INTERNAL_ECURVE_TYPE
2946
                                            type;           // Internal type of the curve
2947
                    SYMCRYPT_ECPOINT_COORDINATES
2948
                                            eCoordinates;   // Default representation of the EC points
2949

2950
                    UINT32                  FModBitsize;    // Bitsize of the field modulus
2951
                    UINT32                  FModDigits;     // Number of digits of the field modulus
2952
                    UINT32                  FModBytesize;   // Bytesize of the field modulus (specified in the curve parameters as cbFieldLength)
2953

2954
                    UINT32                  GOrdBitsize;    // Bitsize of the (sub)group order
2955
                    UINT32                  GOrdDigits;     // Number of digits of the (sub)group order
2956
                    UINT32                  GOrdBytesize;   // Bytesize of the (sub)group order (specified in the curve parameters as cbSubgroupOrder)
2957

2958
                    UINT32                  cbModElement;   // (Internal) bytesize of one mod element
2959

2960
                    UINT32                  cbAlloc;        // Bytesize of the total curve blob
2961

2962
                    UINT32                  cbScratchCommon;        // Size of scratch space for common ecurve operations
2963
                    UINT32                  cbScratchScalar;        // Size of constant scratch space for scalar ecurve operations (without the nPoints dependence)
2964
                    UINT32                  cbScratchScalarMulti;   // Dependence of scratch space for scalar ecurve operations from nPoints
2965
                    UINT32                  cbScratchGetSetValue;   // Size of scratch space for get set value ecpoint operations
2966
                    UINT32                  cbScratchEckey;         // Size of scratch space for eckey operations
2967

2968
                    UINT32                  coFactorPower;  // The cofactor of the curve will be equal to 2^coFactorPower
2969

2970
                    // Parameters V2 Extensions
2971
                    UINT32                  PrivateKeyDefaultFormat;
2972
                    UINT32                  HighBitRestrictionNumOfBits;
2973
                    UINT32                  HighBitRestrictionPosition;
2974
                    UINT32                  HighBitRestrictionValue;
2975

2976
                    union {
2977

2978
                        SYMCRYPT_ECURVE_INFO_PRECOMP sw;    // Info for short Weierstrass curves (only the precomputation parameters are needed now)
2979

2980
                    } info;                                 // Precomputed information related to each curve
2981

2982
                    PSYMCRYPT_MODULUS       FMod;           // Field modulus
2983
                    PSYMCRYPT_MODULUS       GOrd;           // Order of the subgroup
2984

2985
                    PSYMCRYPT_MODELEMENT    A;              // Parameter A
2986
                    PSYMCRYPT_MODELEMENT    B;              // Parameter B
2987
                    PSYMCRYPT_ECPOINT       G;              // Distinguished point (generator of the subgroup)
2988
                    PSYMCRYPT_INT           H;              // Cofactor of the curve
2989

2990
                    SYMCRYPT_MAGIC_FIELD
2991

2992
                    // FMod
2993
                    // A
2994
                    // B
2995
                    // GOrd
2996
                    // H
2997
                    // G
2998
} SYMCRYPT_ECURVE;
2999
typedef       SYMCRYPT_ECURVE * PSYMCRYPT_ECURVE;
3000
typedef const SYMCRYPT_ECURVE * PCSYMCRYPT_ECURVE;
3001

3002
#define SYMCRYPT_INTERNAL_ECPOINT_COORDINATE_OFFSET( _pCurve, _ord )        ( sizeof(SYMCRYPT_ECPOINT) + (_ord) * (_pCurve)->cbModElement )
3003
#define SYMCRYPT_INTERNAL_ECPOINT_COORDINATE( _ord, _pCurve, _pEcpoint )    (PSYMCRYPT_MODELEMENT)( (PBYTE)(_pEcpoint) + SYMCRYPT_INTERNAL_ECPOINT_COORDINATE_OFFSET( (_pCurve), _ord ) )
3004

3005
// Convenience macros to make adding internal specializations easier
3006
#define SYMCRYPT_CURVE_IS_SHORT_WEIERSTRASS_TYPE( _pCurve ) \
3007
    ( _pCurve->type == SYMCRYPT_INTERNAL_ECURVE_TYPE_SHORT_WEIERSTRASS || \
3008
      _pCurve->type == SYMCRYPT_INTERNAL_ECURVE_TYPE_SHORT_WEIERSTRASS_AM3 )
3009

3010
#define SYMCRYPT_CURVE_IS_TWISTED_EDWARDS_TYPE( _pCurve ) \
3011
    ( _pCurve->type == SYMCRYPT_INTERNAL_ECURVE_TYPE_TWISTED_EDWARDS )
3012

3013
#define SYMCRYPT_CURVE_IS_MONTGOMERY_TYPE( _pCurve ) \
3014
    ( _pCurve->type == SYMCRYPT_INTERNAL_ECURVE_TYPE_MONTGOMERY )
3015

3016
//
3017
// Scratch space sizes for ECURVE operations
3018
//
3019
//  Overflow protection is enforced when creating the ECURVE objects on
3020
//  the cbScratchCommon, cbScratchScalar, cbScratchScalarMulti, and cbScratchEckey fields.
3021
//
3022
//  All of them are upper bounded by 2^26 (see SymCrypt<CurveType>FillScratchSpaces functions)
3023
//  and since _nPoints is bounded by SYMCRYPT_ECURVE_MULTI_SCALAR_MUL_MAX_NPOINTS = 2, all
3024
//  the macros are bounded by 2^27.
3025
//
3026

3027
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_COMMON_ECURVE_OPERATIONS( _pCurve )                 ( (_pCurve)->cbScratchCommon)
3028
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_SCALAR_ECURVE_OPERATIONS( _pCurve, _nPoints )       ( (_pCurve)->cbScratchScalar + \
3029
                                                                                                (_nPoints) * (_pCurve)->cbScratchScalarMulti )
3030
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_GETSET_VALUE_ECURVE_OPERATIONS( _pCurve )           ( (_pCurve)->cbScratchGetSetValue)
3031
#define SYMCRYPT_INTERNAL_SCRATCH_BYTES_FOR_ECKEY_ECURVE_OPERATIONS( _pCurve )                  ( (_pCurve)->cbScratchEckey)
3032

3033
typedef SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_ECPOINT {
3034
                    BOOLEAN normalized;     // A flag specifying whether the point is normalized or not. This flag
3035
                                            // makes sense only for PROJECTIVE, JACOBIAN, EXTENDED_PROJECTIVE, and
3036
                                            // SINGLE_PROJECTIVE coordinates. If set to TRUE (non-zero), it means
3037
                                            // that the Z coordinate of the point is equal to 1.
3038
                    PCSYMCRYPT_ECURVE   pCurve; // Handle to the curve which the point is on. Only used in CHKed builds for ASSERTs
3039
                    SYMCRYPT_MAGIC_FIELD
3040
                    // An array of MODELEMENTs. The total size will depend on the MODELEMENT size and the number of MODELEMENTs.
3041
} SYMCRYPT_ECPOINT, *PSYMCRYPT_ECPOINT;
3042
typedef const SYMCRYPT_ECPOINT * PCSYMCRYPT_ECPOINT;
3043

3044
typedef SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_ECKEY {
3045
                    UINT32              fAlgorithmInfo; // Tracks which algorithms the key can be used in
3046
                                                        // Also tracks which per-key selftests have been performed on this key
3047
                                                        // A bitwise OR of SYMCRYPT_FLAG_KEY_*, SYMCRYPT_FLAG_ECKEY_*, and
3048
                                                        // SYMCRYPT_PCT_* values
3049
                    BOOLEAN             hasPrivateKey;  // Set to true if there is a private key set
3050
                    PCSYMCRYPT_ECURVE   pCurve;         // Handle to the curve which created the key
3051

3052
                    PSYMCRYPT_ECPOINT   poPublicKey;    // Public key (ECPOINT)
3053
                    PSYMCRYPT_INT       piPrivateKey;   // Private key
3054

3055
                    SYMCRYPT_MAGIC_FIELD
3056

3057
                    // PublicKey
3058
                    // PrivateKey
3059
} SYMCRYPT_ECKEY;
3060
typedef       SYMCRYPT_ECKEY * PSYMCRYPT_ECKEY;
3061
typedef const SYMCRYPT_ECKEY * PCSYMCRYPT_ECKEY;
3062

3063
SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_802_11_SAE_CUSTOM_STATE {
3064
    PSYMCRYPT_ECURVE        pCurve;
3065
    PCSYMCRYPT_MAC          macAlgorithm;
3066
    PSYMCRYPT_MODELEMENT    peRand;
3067
    PSYMCRYPT_MODELEMENT    peMask;
3068
    PSYMCRYPT_ECPOINT       poPWE;
3069
    BYTE                    counter;
3070
};
3071

3072
//
3073
// XMSS
3074
//
3075

3076
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_XMSS_PARAMS
3077
{
3078
    PCSYMCRYPT_HASH hash;           // hash function
3079
    UINT32          id;             // algorithm identifier
3080
    UINT32          cbHashOutput;   // hash function output size, must be less than or equal to hash->resultSize
3081
    UINT32          nWinternitzWidth;// Winternitz coefficient, width of digits in bits (chain length = 2^nWinternitzWidth)
3082
    UINT32          nTotalTreeHeight;// number of layers times the tree height of one layer (each layer has the same height)
3083
    UINT32          nLayers;        // hyper-tree layers, 1 for single tree
3084
    UINT32          cbPrefix;       // length of the domain separator prefix in PRFs
3085

3086
    //
3087
    // The following are derived from the above
3088
    //
3089
    UINT32          len1;           // number of w-bit digits in the hash output to be signed ( len1 = ceil(8n / w) )
3090
    UINT32          len2;           // number of w-bit digits in the checksum
3091
    UINT32          len;            // len1 + len2
3092
    UINT32          nLayerHeight;   // tree height of a single layer (h / d)
3093
    UINT32          cbIdx;          // size of leaf counter in bytes (for single trees cbIdx = 4)
3094
    UINT32          nLeftShift32;   // left shift count to align the checksum digits to MSB of a 32-bit word
3095

3096
    BYTE            Reserved[16];   // Reserved for future use
3097
} SYMCRYPT_XMSS_PARAMS;
3098

3099
typedef SYMCRYPT_XMSS_PARAMS* PSYMCRYPT_XMSS_PARAMS;
3100
typedef const SYMCRYPT_XMSS_PARAMS* PCSYMCRYPT_XMSS_PARAMS;
3101

3102
struct _SYMCRYPT_XMSS_KEY;
3103
typedef struct _SYMCRYPT_XMSS_KEY SYMCRYPT_XMSS_KEY;
3104
typedef       SYMCRYPT_XMSS_KEY* PSYMCRYPT_XMSS_KEY;
3105
typedef const SYMCRYPT_XMSS_KEY* PCSYMCRYPT_XMSS_KEY;
3106

3107

3108
//==========================================================================
3109
//   LMS internal structures
3110
//==========================================================================
3111

3112
typedef SYMCRYPT_ALIGN_STRUCT _SYMCRYPT_LMS_PARAMS
3113
{
3114
    // algorithm ID of the LMS signature scheme
3115
    UINT32                  lmsAlgID;
3116

3117
    // algorithm ID of the LM-OTS signature scheme
3118
    UINT32                  lmsOtsAlgID;
3119

3120
    // hash function pointer to be used as part of the LMS operations
3121
    PCSYMCRYPT_HASH         pLmsHashFunction;
3122

3123
    // the height of the LMS tree. There are 2^h leaves in the tree - h
3124
    UINT32                  nTreeHeight;
3125

3126
    // the number of bytes for each tree node, equals to the output length of the hash function - m, n
3127
    UINT32                  cbHashOutput;
3128

3129
    // Winternitz coefficient, width of digits in bits (chain length = 2^w) - w
3130
    UINT32                  nWinternitzChainWidth;
3131

3132
    // the number of n-byte string elements that make up the LM-OTS signature - p
3133
    UINT32                  nByteStringCount;
3134

3135
    // the number of left-shift bits used in the checksum function Cksm - ls
3136
    UINT32                  nChecksumLShiftBits;
3137
} SYMCRYPT_LMS_PARAMS;
3138
typedef       SYMCRYPT_LMS_PARAMS* PSYMCRYPT_LMS_PARAMS;
3139
typedef const SYMCRYPT_LMS_PARAMS* PCSYMCRYPT_LMS_PARAMS;
3140

3141
struct _SYMCRYPT_LMS_KEY;
3142
typedef struct _SYMCRYPT_LMS_KEY SYMCRYPT_LMS_KEY;
3143
typedef        SYMCRYPT_LMS_KEY* PSYMCRYPT_LMS_KEY;
3144
typedef const  SYMCRYPT_LMS_KEY* PCSYMCRYPT_LMS_KEY;
3145

3146
#ifndef _PREFAST_
3147
#if SYMCRYPT_CPU_X86
3148
#pragma warning(pop)
3149
#endif
3150
#endif
3151

3152

3153

3154
//////////////////////////////////////////////////////////
3155
//
3156
// Environment macros
3157
//
3158

3159
#ifdef __cplusplus
3160
#define SYMCRYPT_EXTERN_C extern "C" {
3161
#define SYMCRYPT_EXTERN_C_END }
3162
#else
3163
#define SYMCRYPT_EXTERN_C
3164
#define SYMCRYPT_EXTERN_C_END
3165
#endif
3166

3167
//
3168
// Callers of SymCrypt should NOT depend on the function names in these macros.
3169
// The definition of these macros can change in future releases of the library.
3170
//
3171

3172
#if SYMCRYPT_CPU_X86 | SYMCRYPT_CPU_AMD64
3173
typedef struct _SYMCRYPT_EXTENDED_SAVE_DATA      SYMCRYPT_EXTENDED_SAVE_DATA, *PSYMCRYPT_EXTENDED_SAVE_DATA;
3174

3175
#define SYMCRYPT_ENVIRONMENT_DEFS_SAVEYMM( envName ) \
3176
    SYMCRYPT_ERROR SYMCRYPT_CALL SymCryptSaveYmmEnv##envName( _Out_ PSYMCRYPT_EXTENDED_SAVE_DATA pSaveArea ); \
3177
    SYMCRYPT_ERROR SYMCRYPT_CALL SymCryptSaveYmm( _Out_ PSYMCRYPT_EXTENDED_SAVE_DATA pSaveArea ) \
3178
        { return SymCryptSaveYmmEnv##envName( pSaveArea ); } \
3179
    \
3180
    VOID SYMCRYPT_CALL SymCryptRestoreYmmEnv##envName( _Inout_ PSYMCRYPT_EXTENDED_SAVE_DATA pSaveArea ); \
3181
    VOID SYMCRYPT_CALL SymCryptRestoreYmm( _Inout_ PSYMCRYPT_EXTENDED_SAVE_DATA pSaveArea ) \
3182
        { SymCryptRestoreYmmEnv##envName( pSaveArea ); } \
3183

3184
#define SYMCRYPT_ENVIRONMENT_DEFS_SAVEXMM( envName ) \
3185
    SYMCRYPT_ERROR SYMCRYPT_CALL SymCryptSaveXmmEnv##envName( _Out_ PSYMCRYPT_EXTENDED_SAVE_DATA pSaveArea ); \
3186
    SYMCRYPT_ERROR SYMCRYPT_CALL SymCryptSaveXmm( _Out_ PSYMCRYPT_EXTENDED_SAVE_DATA pSaveArea ) \
3187
        { return SymCryptSaveXmmEnv##envName( pSaveArea ); } \
3188
    \
3189
    VOID SYMCRYPT_CALL SymCryptRestoreXmmEnv##envName( _Inout_ PSYMCRYPT_EXTENDED_SAVE_DATA pSaveArea ); \
3190
    VOID SYMCRYPT_CALL SymCryptRestoreXmm( _Inout_ PSYMCRYPT_EXTENDED_SAVE_DATA pSaveArea ) \
3191
        { SymCryptRestoreXmmEnv##envName( pSaveArea ); } \
3192

3193

3194
#else
3195

3196
#define SYMCRYPT_ENVIRONMENT_DEFS_SAVEYMM( envName )
3197
#define SYMCRYPT_ENVIRONMENT_DEFS_SAVEXMM( envName )
3198

3199
#endif
3200

3201
// Environment forwarding functions.
3202
// CPUIDEX is only forwarded on CPUs that have it.
3203
#if SYMCRYPT_CPU_AMD64 | SYMCRYPT_CPU_X86
3204
#define SYMCRYPT_ENVIRONMENT_FORWARD_CPUIDEX( envName ) \
3205
    VOID SYMCRYPT_CALL SymCryptCpuidExFuncEnv##envName( int cpuInfo[4], int function_id, int subfunction_id ); \
3206
    VOID SYMCRYPT_CALL SymCryptCpuidExFunc( int cpuInfo[4], int function_id, int subfunction_id ) \
3207
        { SymCryptCpuidExFuncEnv##envName( cpuInfo, function_id, subfunction_id ); }
3208
#else
3209
#define SYMCRYPT_ENVIRONMENT_FORWARD_CPUIDEX( envName )
3210
#endif
3211

3212
#define SYMCRYPT_ENVIRONMENT_DEFS( envName ) \
3213
SYMCRYPT_EXTERN_C \
3214
    VOID SYMCRYPT_CALL SymCryptInitEnv##envName( UINT32 version ); \
3215
    VOID SYMCRYPT_CALL SymCryptInit(void) \
3216
        { SymCryptInitEnv##envName( SYMCRYPT_API_VERSION ); } \
3217
    \
3218
    _Analysis_noreturn_ VOID SYMCRYPT_CALL SymCryptFatalEnv##envName( UINT32 fatalCode ); \
3219
    _Analysis_noreturn_ VOID SYMCRYPT_CALL SymCryptFatal( UINT32 fatalCode ) \
3220
        { SymCryptFatalEnv##envName( fatalCode ); } \
3221
    SYMCRYPT_CPU_FEATURES SYMCRYPT_CALL SymCryptCpuFeaturesNeverPresentEnv##envName(void); \
3222
    SYMCRYPT_CPU_FEATURES SYMCRYPT_CALL SymCryptCpuFeaturesNeverPresent(void) \
3223
        { return SymCryptCpuFeaturesNeverPresentEnv##envName(); } \
3224
    \
3225
    SYMCRYPT_ENVIRONMENT_DEFS_SAVEXMM( envName ) \
3226
    SYMCRYPT_ENVIRONMENT_DEFS_SAVEYMM( envName ) \
3227
    \
3228
    VOID SYMCRYPT_CALL SymCryptTestInjectErrorEnv##envName( PBYTE pbBuf, SIZE_T cbBuf ); \
3229
    VOID SYMCRYPT_CALL SymCryptInjectError( PBYTE pbBuf, SIZE_T cbBuf ) \
3230
        { SymCryptTestInjectErrorEnv##envName( pbBuf, cbBuf ); } \
3231
    SYMCRYPT_ENVIRONMENT_FORWARD_CPUIDEX( envName ) \
3232
SYMCRYPT_EXTERN_C_END
3233

3234
//
3235
// To avoid hard-do-diagnose mistakes, we skip defining environment macros in those cases where we
3236
// know they cannot or should not be used.
3237
//
3238

3239
#define SYMCRYPT_ENVIRONMENT_GENERIC                            SYMCRYPT_ENVIRONMENT_DEFS( Generic )
3240

3241
#if defined(EFI) | defined(PCAT) | defined(DIRECT)
3242
#define SYMCRYPT_ENVIRONMENT_WINDOWS_BOOTLIBRARY                SYMCRYPT_ENVIRONMENT_DEFS( WindowsBootlibrary )
3243
#endif
3244

3245
//
3246
// There are no defined symbols that we can use to detect that we are in debugger code
3247
// But this is unlikely to be misused.
3248
//
3249
#define SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELDEBUGGER             SYMCRYPT_ENVIRONMENT_DEFS( WindowsKernelDebugger )
3250

3251

3252

3253
#define SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_LEGACY          SYMCRYPT_ENVIRONMENT_GENERIC
3254

3255
#ifdef NTDDI_VERSION
3256
#if (NTDDI_VERSION >= NTDDI_WIN7)
3257
#define SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_WIN7_N_LATER    SYMCRYPT_ENVIRONMENT_DEFS( WindowsKernelmodeWin7nLater )
3258
#endif
3259

3260
#if (NTDDI_VERSION >= NTDDI_WINBLUE)
3261
#define SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_WIN8_1_N_LATER  SYMCRYPT_ENVIRONMENT_DEFS( WindowsKernelmodeWin8_1nLater )
3262
#endif
3263

3264
#define SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_LATEST          SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_WIN8_1_N_LATER
3265

3266

3267

3268
#define SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_LEGACY            SYMCRYPT_ENVIRONMENT_GENERIC
3269

3270
#if (NTDDI_VERSION >= NTDDI_WIN7)
3271
#define SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_WIN7_N_LATER      SYMCRYPT_ENVIRONMENT_DEFS( WindowsUsermodeWin7nLater )
3272
#endif
3273

3274
#if (NTDDI_VERSION >= NTDDI_WINBLUE)
3275
#define SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_WIN8_1_N_LATER    SYMCRYPT_ENVIRONMENT_DEFS( WindowsUsermodeWin8_1nLater )
3276
#endif
3277

3278
#if (NTDDI_VERSION >= NTDDI_WIN10)
3279
#define SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_WIN10_SGX         SYMCRYPT_ENVIRONMENT_DEFS( Win10Sgx )
3280
#endif
3281
#endif // NTDDI_VERSION
3282

3283
#define SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_LATEST            SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_WIN8_1_N_LATER
3284

3285

3286
#define SYMCRYPT_ENVIRONMENT_POSIX_USERMODE                     SYMCRYPT_ENVIRONMENT_DEFS( PosixUsermode )
3287

3288
// For backwards compatibility with previous macro name
3289
#define SYMCRYPT_ENVIRONMENT_LINUX_USERMODE                     SYMCRYPT_ENVIRONMENT_POSIX_USERMODE
3290

3291

3292
#define SYMCRYPT_ENVIRONMENT_OPTEE_TA                           SYMCRYPT_ENVIRONMENT_DEFS( OpteeTa )
3293

3294
//////////////////////////////////////////////////////////
3295
//
3296
// SymCryptWipe & SymCryptWipeKnownSize
3297
//
3298

3299
VOID
3300
SYMCRYPT_CALL
3301
SymCryptWipe(
3302
    _Out_writes_bytes_(cbData)    PVOID   pbData,
3303
    SIZE_T  cbData);
3304

3305
#if SYMCRYPT_CPU_X86 | SYMCRYPT_CPU_AMD64 | SYMCRYPT_CPU_ARM | SYMCRYPT_CPU_ARM64
3306

3307
//
3308
// If the known size is large we call the generic wipe function anyway.
3309
// For small known sizes we perform the wipe inline.
3310
// This is a tradeoff between speed and code size and there are diminishing returns to supporting
3311
// increasingly large sizes.
3312
// We currently put the limit at ~8 native writes, which varies by platform.
3313
//
3314
#if SYMCRYPT_CPU_X86 | SYMCRYPT_CPU_ARM
3315
#define SYMCRYPT_WIPE_FUNCTION_LIMIT (32)   // If this is increased beyond 127 the code below must be updated.
3316
#elif SYMCRYPT_CPU_AMD64 | SYMCRYPT_CPU_ARM64
3317
#define SYMCRYPT_WIPE_FUNCTION_LIMIT (64)   // If this is increased beyond 127 the code below must be updated.
3318
#else
3319
#error ??
3320
#endif
3321

3322
//
3323
// The buffer analysis code doesn't understand our optimized in-line wiping code
3324
// well enough to conclude it is safe.
3325
//
3326
#pragma prefast(push)
3327
#pragma prefast( disable: 26001 )
3328

3329
FORCEINLINE
3330
VOID
3331
SYMCRYPT_CALL
3332
#pragma prefast( suppress: 6101, "Logic why this properly initializes the pbData buffer is too complicated for prefast" )
3333
SymCryptWipeKnownSize(_Out_writes_bytes_(cbData) PVOID pbData, SIZE_T cbData)
3334
{
3335
    volatile BYTE * pb = (volatile BYTE *)pbData;
3336

3337
    if (cbData > SYMCRYPT_WIPE_FUNCTION_LIMIT)
3338
    {
3339
        SymCryptWipe(pbData, cbData);
3340
    }
3341
    else
3342
    {
3343
        //
3344
        // We assume that pb is aligned, so we wipe from the end to the front to keep alignment.
3345
        //
3346
        if (cbData & 1)
3347
        {
3348
            cbData--;
3349
            SYMCRYPT_INTERNAL_FORCE_WRITE8((volatile BYTE *)&pb[cbData], 0);
3350
        }
3351
        if (cbData & 2)
3352
        {
3353
            cbData -= 2;
3354
            SYMCRYPT_INTERNAL_FORCE_WRITE16((volatile UINT16 *)&pb[cbData], 0);
3355
        }
3356
        if (cbData & 4)
3357
        {
3358
            cbData -= 4;
3359
            SYMCRYPT_INTERNAL_FORCE_WRITE32((volatile UINT32 *)&pb[cbData], 0);
3360
        }
3361
        if (cbData & 8)
3362
        {
3363
            cbData -= 8;
3364
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData], 0);
3365
        }
3366
        if (cbData & 16)
3367
        {
3368
            cbData -= 16;
3369
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData], 0);
3370
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 8], 0);
3371
        }
3372
        if (cbData & 32)
3373
        {
3374
            cbData -= 32;
3375
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData], 0);
3376
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 8], 0);
3377
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 16], 0);
3378
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 24], 0);
3379
        }
3380
#if SYMCRYPT_WIPE_FUNCTION_LIMIT >= 64
3381
        if (cbData & 64)
3382
        {
3383
            cbData -= 64;
3384
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData], 0);
3385
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 8], 0);
3386
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 16], 0);
3387
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 24], 0);
3388
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 32], 0);
3389
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 40], 0);
3390
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 48], 0);
3391
            SYMCRYPT_INTERNAL_FORCE_WRITE64((volatile UINT64 *)&pb[cbData + 56], 0);
3392
        }
3393
#endif
3394
    }
3395
}
3396

3397
#pragma prefast(pop)
3398

3399
#else // Platform switch for SymCryptWipeKnownSize
3400

3401
FORCEINLINE
3402
VOID
3403
SYMCRYPT_CALL
3404
SymCryptWipeKnownSize(_Out_writes_bytes_(cbData) PVOID pbData, SIZE_T cbData)
3405
{
3406
    SymCryptWipe(pbData, cbData);
3407
}
3408

3409
#endif  // Platform switch for SymCryptWipeKnownSize
3410

3411
#define SYMCRYPT_FIPS_ASSERT(x) { if(!(x)){ SymCryptFatal('FIPS'); } }
3412

3413
// Flags for FIPS on-demand selftests. When an on-demand selftest succeeds, the corresponding flag
3414
// will be set in g_SymCryptFipsSelftestsPerformed. Other selftests are performed automatically
3415
// when the module is loaded, so they don't have a corresponding flag.
3416
typedef enum _SYMCRYPT_SELFTEST_ALGORITHM {
3417
    SYMCRYPT_SELFTEST_ALGORITHM_NONE    =   0x0,
3418
    SYMCRYPT_SELFTEST_ALGORITHM_STARTUP =   0x1,
3419
    SYMCRYPT_SELFTEST_ALGORITHM_DSA     =   0x2,
3420
    SYMCRYPT_SELFTEST_ALGORITHM_ECDSA   =   0x4,
3421
    SYMCRYPT_SELFTEST_ALGORITHM_RSA     =   0x8,
3422
    SYMCRYPT_SELFTEST_ALGORITHM_DH      =  0x10,
3423
    SYMCRYPT_SELFTEST_ALGORITHM_ECDH    =  0x20,
3424
    SYMCRYPT_SELFTEST_ALGORITHM_MLKEM   =  0x40,
3425
    SYMCRYPT_SELFTEST_ALGORITHM_XMSS    =  0x80,
3426
    SYMCRYPT_SELFTEST_ALGORITHM_LMS     = 0x100,
3427
    SYMCRYPT_SELFTEST_ALGORITHM_MLDSA   = 0x200,
3428
} SYMCRYPT_SELFTEST_ALGORITHM;
3429

3430
// Takes values which are some bitwise OR combination of SYMCRYPT_SELFTEST_ALGORITHM values
3431
// Specified as UINT32 as we will update with 32 bit atomics, and compilers may choose to make enum
3432
// types smaller than 32 bits.
3433
extern UINT32 g_SymCryptFipsSelftestsPerformed;
3434

3435
UINT32
3436
SYMCRYPT_CALL
3437
SymCryptFipsGetSelftestsPerformed(void);
3438
// Returns current value of g_SymCryptFipsSelftestsPerformed so callers may inspect which FIPS
3439
// algorithm selftests have run
3440

3441
// Flags for per-key selftests.
3442
// When an asymmetric key is generated or imported, and SYMCRYPT_FLAG_KEY_NO_FIPS is not specified,
3443
// some selftests must be performed on the key, before its operational use in an algorithm, to
3444
// comply with FIPS.
3445
// The algorithms the key may be used in will be tracked in the key's fAlgorithmInfo field, as a
3446
// bitwise OR of SYMCRYPT_FLAG_<keytype>_<algorithm> (e.g. SYMCRYPT_FLAG_DLKEY_DH).
3447
// This field will also track which per-key selftests have been run on the key using the below flags
3448
// We want to track which selftests have been run independently of which algorithms the key may be
3449
// used in as in some scenarios at key generation / import time we may not know what algorithm the
3450
// key will actually be used in. Tracking the run per-key selftests in fAlgorithmInfo allows us to
3451
// defer running expensive tests until we know they are required (e.g. if we generate an Eckey which
3452
// may be used in ECDH or ECDSA, and only use it for ECDH, the ECDSA PCT is deferred until we first
3453
// attempt to use the key in ECDSA, or export the private key).
3454
//
3455
// For clarity, SYMCRYPT_PCT_* should be used instead of SYMCRYPT_SELFTEST_KEY_* going forward.
3456
// The latter is retained for compatibility with existing code, but may be removed in a future
3457
// breaking change.
3458

3459
// Dlkey selftest flags
3460
// DSA Pairwise Consistency Test to be run on generated keys
3461
#define SYMCRYPT_SELFTEST_KEY_DSA       (0x1)
3462
#define SYMCRYPT_PCT_DSA                SYMCRYPT_SELFTEST_KEY_DSA
3463

3464
// Eckey selftest flags
3465
// ECDSA Pairwise Consistency Test to be run on generated keys
3466
#define SYMCRYPT_SELFTEST_KEY_ECDSA     (0x1)
3467
#define SYMCRYPT_PCT_ECDSA              SYMCRYPT_SELFTEST_KEY_ECDSA
3468

3469
// Rsakey selftest flags
3470
// RSA Pairwise Consistency Test to be run on generated keys
3471
#define SYMCRYPT_SELFTEST_KEY_RSA_SIGN  (0x1)
3472
#define SYMCRYPT_PCT_RSA_SIGN           SYMCRYPT_SELFTEST_KEY_RSA_SIGN
3473

3474
UINT32
3475
SYMCRYPT_CALL
3476
SymCryptDeprecatedStatusIndicator(PBYTE pbOutput, UINT32 cbOutput);
3477
//
3478
// Returns the FIPS Approved Services Status Indicator as an ASCII string.
3479
// This API is required to satisfy FIPS 140-3 requirements, but is *not* recommended
3480
// to be used in production code. It should be considered unstable,
3481
// and may be removed at any time.
3482
//
3483
// The output string will be copied to pbOutput if the size of the buffer
3484
// cbOutput is large enough. The function returns the required buffer size
3485
// when pbOutput is passed as NULL. If pbOutput is not NULL, the function
3486
// returns the number of bytes copied to pbOutput.
3487
//
3488

3489

3490

3491
typedef enum _SYMCRYPT_SI_TYPE {
3492

3493
    // Algorithm types (specific algorithms are represented as a bitmask of a type)
3494
    SYMCRYPT_SI_TYPE_CIPHER             = 0x01,
3495
    SYMCRYPT_SI_TYPE_HASH               = 0x02,
3496
    SYMCRYPT_SI_TYPE_MAC                = 0x03,
3497
    SYMCRYPT_SI_TYPE_KDF                = 0x04,
3498
    SYMCRYPT_SI_TYPE_DRBG               = 0x05,
3499
    SYMCRYPT_SI_TYPE_ASYM_ALG           = 0x06,
3500
    SYMCRYPT_SI_TYPE_KAS                = 0x07,
3501
    SYMCRYPT_SI_TYPE_KEM                = 0x08,
3502

3503
    // Other types where elements are a bitmask
3504
    SYMCRYPT_SI_TYPE_ECURVE             = 0x40,
3505
    SYMCRYPT_SI_TYPE_KAS_SCHEME         = 0x41,
3506
    SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP   = 0x42,
3507

3508
    // Non-bitmask types
3509
    SYMCRYPT_SI_TYPE_INTRANGE           = 0x80,
3510
    SYMCRYPT_SI_TYPE_INTPAIR            = 0x81,
3511
    SYMCRYPT_SI_TYPE_SIZERANGE          = 0x82,
3512

3513
    SYMCRYPT_SI_TYPE_MAX                = 0xFF
3514
} SYMCRYPT_SI_TYPE;
3515

3516
#define SYMCRYPT_SI_CREATE_ID(type, index)  (((UINT64)(type) << 56) + (1ULL << (index)))
3517

3518
#define SYMCRYPT_SI_INTBITS                 ((64 - 8) / 2)  // 8-bits for type, remaining bits shared by two integers
3519
#define SYMCRYPT_SI_INTMASK                 ((1ULL << SYMCRYPT_SI_INTBITS) - 1) // typically should be 0x0FFFFFFF with 28 1s
3520
#define SYMCRYPT_SI_INTPACK(High, Low)      (((((UINT64)High) & SYMCRYPT_SI_INTMASK) << SYMCRYPT_SI_INTBITS) | (((UINT64)Low) & SYMCRYPT_SI_INTMASK))
3521
#define SYMCRYPT_SI_INTUNPACKLO(X)          ((X) & SYMCRYPT_SI_INTMASK)
3522
#define SYMCRYPT_SI_INTUNPACKHI(X)          (((X) >> SYMCRYPT_SI_INTBITS) & SYMCRYPT_SI_INTMASK)
3523

3524
#define SYMCRYPT_SI_INTRANGE(Low, High)     (((UINT64)SYMCRYPT_SI_TYPE_INTRANGE << 56) | SYMCRYPT_SI_INTPACK(High, Low))
3525
#define SYMCRYPT_SI_INTPAIR(X, Y)           (((UINT64)SYMCRYPT_SI_TYPE_INTPAIR << 56) | SYMCRYPT_SI_INTPACK(Y, X))
3526
#define SYMCRYPT_SI_SIZERANGE(Low, High)    (((UINT64)SYMCRYPT_SI_TYPE_SIZERANGE << 56) | SYMCRYPT_SI_INTPACK(High, Low))
3527

3528
#define SYMCRYPT_SI_CHECK_INT(L)            C_ASSERT(L <= SYMCRYPT_SI_INTMASK)
3529

3530
#define SYMCRYPT_SI_KEYBITS(L)              SYMCRYPT_SI_SIZERANGE(L, L)
3531
#define SYMCRYPT_SI_MODULUS(L)              SYMCRYPT_SI_SIZERANGE(L, L)
3532
#define SYMCRYPT_SI_DSAPARAMS(N, L)         SYMCRYPT_SI_INTPAIR(N, L)
3533

3534

3535
// Services
3536
#define SYMCRYPT_SI_SVC_ENCRYPTION                      0x00000001
3537
#define SYMCRYPT_SI_SVC_DECRYPTION                      0x00000002
3538
#define SYMCRYPT_SI_SVC_HASHING                         0x00000004
3539
#define SYMCRYPT_SI_SVC_MESSAGE_AUTHENTICATION          0x00000008
3540
#define SYMCRYPT_SI_SVC_KEY_DERIVATION                  0x00000010
3541
#define SYMCRYPT_SI_SVC_ASYMMETRIC_KEY_GENERATION       0x00000020
3542
#define SYMCRYPT_SI_SVC_ASYMMETRIC_KEY_VERIFICATION     0x00000080
3543
#define SYMCRYPT_SI_SVC_RANDOM_NUMBER_GENERATION        0x00000400
3544
#define SYMCRYPT_SI_SVC_SECRET_AGREEMENT                0x00000800
3545
#define SYMCRYPT_SI_SVC_SIGNATURE_GENERATION            0x00001000
3546
#define SYMCRYPT_SI_SVC_SIGNATURE_VERIFICATION          0x00002000
3547
#define SYMCRYPT_SI_SVC_KEY_ENCAPSULATION               0x00004000
3548
#define SYMCRYPT_SI_SVC_KEY_DECAPSULATION               0x00008000
3549

3550
// Ciphers
3551
#define SYMCRYPT_SI_AES_CBC                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 0)
3552
#define SYMCRYPT_SI_AES_CCM                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 1)
3553
#define SYMCRYPT_SI_AES_CFB128              SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 2)
3554
#define SYMCRYPT_SI_AES_CFB8                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 3)
3555
#define SYMCRYPT_SI_AES_CTR                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 4)
3556
#define SYMCRYPT_SI_AES_ECB                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 5)
3557
#define SYMCRYPT_SI_AES_GCM                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 6)
3558
#define SYMCRYPT_SI_AES_XTS                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 7)
3559
#define SYMCRYPT_SI_RC2                     SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 8)
3560
#define SYMCRYPT_SI_RC4                     SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 9)
3561
#define SYMCRYPT_SI_CHACHA                  SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 10)
3562
#define SYMCRYPT_SI_DES                     SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 11)
3563
#define SYMCRYPT_SI_TRIPLEDES               SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 12)
3564
#define SYMCRYPT_SI_CHACHA20                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 13)
3565
#define SYMCRYPT_SI_CHACHA20_POLY1305       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 14)
3566
#define SYMCRYPT_SI_AES_KW                  SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 15)
3567
#define SYMCRYPT_SI_AES_KWP                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_CIPHER, 16)
3568

3569
// Hash Functions
3570
#define SYMCRYPT_SI_MD2                     SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 0)
3571
#define SYMCRYPT_SI_MD4                     SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 1)
3572
#define SYMCRYPT_SI_MD5                     SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 2)
3573
#define SYMCRYPT_SI_SHA1                    SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 3)
3574
#define SYMCRYPT_SI_SHA2_224                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 4)
3575
#define SYMCRYPT_SI_SHA2_256                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 5)
3576
#define SYMCRYPT_SI_SHA2_384                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 6)
3577
#define SYMCRYPT_SI_SHA2_512                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 7)
3578
#define SYMCRYPT_SI_SHA2_512_224            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 8)
3579
#define SYMCRYPT_SI_SHA2_512_256            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 9)
3580
#define SYMCRYPT_SI_SHA3_224                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 10)
3581
#define SYMCRYPT_SI_SHA3_256                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 11)
3582
#define SYMCRYPT_SI_SHA3_384                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 12)
3583
#define SYMCRYPT_SI_SHA3_512                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 13)
3584
#define SYMCRYPT_SI_SHAKE128                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 14)
3585
#define SYMCRYPT_SI_SHAKE256                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 15)
3586
#define SYMCRYPT_SI_CSHAKE128               SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 16)
3587
#define SYMCRYPT_SI_CSHAKE256               SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 17)
3588
#define SYMCRYPT_SI_MARVIN32                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_HASH, 18)
3589

3590
// MAC
3591
#define SYMCRYPT_SI_HMAC_MD2                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 0)
3592
#define SYMCRYPT_SI_HMAC_MD4                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 1)
3593
#define SYMCRYPT_SI_HMAC_MD5                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 2)
3594
#define SYMCRYPT_SI_HMAC_SHA1               SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 3)
3595
#define SYMCRYPT_SI_HMAC_SHA2_224           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 4)
3596
#define SYMCRYPT_SI_HMAC_SHA2_256           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 5)
3597
#define SYMCRYPT_SI_HMAC_SHA2_384           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 6)
3598
#define SYMCRYPT_SI_HMAC_SHA2_512           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 7)
3599
#define SYMCRYPT_SI_HMAC_SHA2_512_224       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 8)
3600
#define SYMCRYPT_SI_HMAC_SHA2_512_256       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 9)
3601
#define SYMCRYPT_SI_HMAC_SHA3_224           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 10)
3602
#define SYMCRYPT_SI_HMAC_SHA3_256           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 11)
3603
#define SYMCRYPT_SI_HMAC_SHA3_384           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 12)
3604
#define SYMCRYPT_SI_HMAC_SHA3_512           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 13)
3605
#define SYMCRYPT_SI_KMAC128                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 14)
3606
#define SYMCRYPT_SI_KMAC256                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 15)
3607
#define SYMCRYPT_SI_AES_GMAC                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 16)
3608
#define SYMCRYPT_SI_AES_CMAC                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 17)
3609
#define SYMCRYPT_SI_AES_CBCMAC              SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 18)
3610
#define SYMCRYPT_SI_POLY1305                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_MAC, 19)
3611

3612
// KDF
3613
#define SYMCRYPT_SI_HKDF                    SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KDF, 0)
3614
#define SYMCRYPT_SI_PBKDF                   SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KDF, 1)
3615
#define SYMCRYPT_SI_KDA_ONESTEP             SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KDF, 2)
3616
#define SYMCRYPT_SI_KDF_IKEV1               SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KDF, 3)
3617
#define SYMCRYPT_SI_KDF_IKEV2               SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KDF, 4)
3618
#define SYMCRYPT_SI_KDF_SP800_108_CTR       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KDF, 5)
3619
#define SYMCRYPT_SI_KDF_SRTP                SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KDF, 6)
3620
#define SYMCRYPT_SI_KDF_SSH                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KDF, 7)
3621
#define SYMCRYPT_SI_KDF_TLS                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KDF, 8)
3622
#define SYMCRYPT_SI_KDF_TLS_V12             SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KDF, 9)
3623

3624
// DRBG
3625
#define SYMCRYPT_SI_CTR_DRBG_AES256         SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_DRBG, 0)
3626

3627
// Asymmetric Algorithms
3628
#define SYMCRYPT_SI_SAFE_PRIME_KEYGEN       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 0)
3629
#define SYMCRYPT_SI_DSA_KEYGEN              SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 1)
3630
#define SYMCRYPT_SI_DSA_PQGGEN              SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 2)
3631
#define SYMCRYPT_SI_DSA_PQGVER              SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 3)
3632
#define SYMCRYPT_SI_DSA_SIGVER              SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 4)
3633

3634
#define SYMCRYPT_SI_ECDSA_KEYGEN            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 5)
3635
#define SYMCRYPT_SI_ECDSA_KEYVER            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 6)
3636
#define SYMCRYPT_SI_ECDSA_SIGGEN            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 7)
3637
#define SYMCRYPT_SI_ECDSA_SIGVER            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 8)
3638
#define SYMCRYPT_SI_ECDSA_SIGGEN_COMP       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 9)
3639

3640
#define SYMCRYPT_SI_RSA_KEYGEN              SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 10)
3641
#define SYMCRYPT_SI_RSA_DEC_PRIM            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 12)
3642
#define SYMCRYPT_SI_RSA_SIG_PRIM            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 13)
3643
#define SYMCRYPT_SI_RSA_SIGGEN_PKCS15       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 14)
3644
#define SYMCRYPT_SI_RSA_SIGGEN_PKCSPSS      SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 15)
3645
#define SYMCRYPT_SI_RSA_SIGVER_PKCS15       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 16)
3646
#define SYMCRYPT_SI_RSA_SIGVER_PKCSPSS      SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 17)
3647

3648
#define SYMCRYPT_SI_KAS_ECC                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 18)
3649
#define SYMCRYPT_SI_KAS_ECC_SSC             SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 19)
3650
#define SYMCRYPT_SI_KAS_FFC                 SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 20)
3651
#define SYMCRYPT_SI_KAS_FFC_SSC             SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 21)
3652

3653
// PQ Algorithms
3654

3655
// Asym Alg IDs for PQC algorithms in range 22-26 are replaced with more granular
3656
// algorithms as below.
3657
// Keeping this range reserved until there's a need to use it in the future.
3658

3659
#define SYMCRYPT_SI_MLDSA_KEYGEN            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 27)
3660
#define SYMCRYPT_SI_MLDSA_SIGGEN            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 28)
3661
#define SYMCRYPT_SI_MLDSA_SIGVER            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 29)
3662
#define SYMCRYPT_SI_LMS_KEYGEN              SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 30)
3663
#define SYMCRYPT_SI_LMS_SIGGEN              SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 31)
3664
#define SYMCRYPT_SI_LMS_SIGVER              SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 32)
3665
#define SYMCRYPT_SI_XMSS_KEYGEN             SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 33)
3666
#define SYMCRYPT_SI_XMSS_SIGGEN             SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 34)
3667
#define SYMCRYPT_SI_XMSS_SIGVER             SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 35)
3668
#define SYMCRYPT_SI_XMSS_MT_KEYGEN          SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 36)
3669
#define SYMCRYPT_SI_XMSS_MT_SIGGEN          SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 37)
3670
#define SYMCRYPT_SI_XMSS_MT_SIGVER          SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ASYM_ALG, 38)
3671

3672
#define SYMCRYPT_SI_MLKEM_KEYGEN            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KEM, 0)
3673
#define SYMCRYPT_SI_MLKEM_ENCAPS            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KEM, 1)
3674
#define SYMCRYPT_SI_MLKEM_DECAPS            SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KEM, 2)
3675

3676

3677
// Elliptic Curves
3678
#define SYMCRYPT_SI_ECURVE_NISTP192         SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ECURVE, 0)
3679
#define SYMCRYPT_SI_ECURVE_NISTP224         SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ECURVE, 1)
3680
#define SYMCRYPT_SI_ECURVE_NISTP256         SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ECURVE, 2)
3681
#define SYMCRYPT_SI_ECURVE_NISTP384         SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ECURVE, 3)
3682
#define SYMCRYPT_SI_ECURVE_NISTP521         SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ECURVE, 4)
3683
#define SYMCRYPT_SI_ECURVE_NUMSP256T1       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ECURVE, 5)
3684
#define SYMCRYPT_SI_ECURVE_NUMSP384T1       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ECURVE, 6)
3685
#define SYMCRYPT_SI_ECURVE_NUMSP512T1       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ECURVE, 7)
3686
#define SYMCRYPT_SI_ECURVE_CURVE25519       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_ECURVE, 8)
3687

3688
// Safe Prime Groups
3689
#define SYMCRYPT_SI_SPG_FFDHE_2048          SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP, 0)
3690
#define SYMCRYPT_SI_SPG_FFDHE_3072          SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP, 1)
3691
#define SYMCRYPT_SI_SPG_FFDHE_4096          SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP, 2)
3692
#define SYMCRYPT_SI_SPG_FFDHE_6144          SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP, 3)
3693
#define SYMCRYPT_SI_SPG_FFDHE_8192          SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP, 4)
3694
#define SYMCRYPT_SI_SPG_MODP_2048           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP, 5)
3695
#define SYMCRYPT_SI_SPG_MODP_3072           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP, 6)
3696
#define SYMCRYPT_SI_SPG_MODP_4096           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP, 7)
3697
#define SYMCRYPT_SI_SPG_MODP_6144           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP, 8)
3698
#define SYMCRYPT_SI_SPG_MODP_8192           SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_SAFE_PRIME_GROUP, 9)
3699

3700
// KAS Schemes
3701
#define SYMCRYPT_SI_SCHEME_EPHEM_UNIFIED    SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KAS_SCHEME, 0)
3702
#define SYMCRYPT_SI_SCHEME_DH_EPHEM         SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KAS_SCHEME, 1)
3703
#define SYMCRYPT_SI_SCHEME_DH_ONEFLOW       SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KAS_SCHEME, 2)
3704
#define SYMCRYPT_SI_SCHEME_DH_STATIC        SYMCRYPT_SI_CREATE_ID(SYMCRYPT_SI_TYPE_KAS_SCHEME, 3)
3705

3706

3707
UINT32
3708
SYMCRYPT_CALL
3709
SymCryptDeprecatedServiceIndicator(
3710
    UINT32 Service,
3711
    UINT64 Alg,
3712
    UINT64 Param1,
3713
    UINT64 Param2,
3714
    UINT64 Param3);
3715
//
3716
// Returns FIPS 140 Approved Services Indicator for an algorithm.
3717
//
3718
// Parameters:
3719
//  - Service. Service identifier, one of SYMCRYPT_SI_SVC_XXX.
3720
//  - Alg. Identifier of the algorithm for which the status is being queried. This must be
3721
//  exactly one of the algorithm identifiers defined above.
3722
//  - Param1, Param2, Param3. Depending on the Alg parameter, these parameters provide
3723
//  additional information about the capabilities and parameters associated with an
3724
//  algorithm. For each algorithm, the number and type of the parameters must be provided
3725
//  as specified below. Any unused parameters must be passed as 0. The algorithms that require
3726
//  parameters to be specified are listed below, the remaining algorithms do not have any parameters.
3727
//
3728
//      Alg Id                          Param1                              Param2
3729
//      -----------------------------   --------------------------------    ---------------
3730
//      SYMCRYPT_SI_AES_XTS             SYMCRYPT_SI_KEYBITS(int)                -
3731
//      SYMCRYPT_SI_DSA_PQGVER          SYMCRYPT_SI_DSAPARAMS(int, int)         -
3732
//      SYMCRYPT_SI_DSA_SIGVER          SYMCRYPT_SI_DSAPARAMS(int, int)         -
3733
//      SYMCRYPT_SI_ECDSA_KEYGEN        SYMCRYPT_SI_ECURVE_XXX                  -
3734
//      SYMCRYPT_SI_ECDSA_KEYVER        SYMCRYPT_SI_ECURVE_XXX                  -
3735
//      SYMCRYPT_SI_ECDSA_SIGGEN        SYMCRYPT_SI_ECURVE_XXX                  Hash Alg Id
3736
//      SYMCRYPT_SI_ECDSA_SIGGEN_COMP   SYMCRYPT_SI_ECURVE_XXX                  Hash Alg Id
3737
//      SYMCRYPT_SI_ECDSA_SIGVER        SYMCRYPT_SI_ECURVE_XXX                  Hash Alg Id
3738
//      SYMCRYPT_SI_RSA_DEC_PRIM        SYMCRYPT_SI_MODULUS(int)                -
3739
//      SYMCRYPT_SI_RSA_KEYGEN          SYMCRYPT_SI_MODULUS(int)                -
3740
//      SYMCRYPT_SI_RSA_SIGGEN_PKCS15   SYMCRYPT_SI_MODULUS(int)                Hash Alg Id
3741
//      SYMCRYPT_SI_RSA_SIGVER_PKCS15   SYMCRYPT_SI_MODULUS(int)                Hash Alg Id
3742
//      SYMCRYPT_SI_RSA_SIGGEN_PKCSPSS  SYMCRYPT_SI_MODULUS(int)                Hash Alg Id
3743
//      SYMCRYPT_SI_RSA_SIGVER_PKCSPSS  SYMCRYPT_SI_MODULUS(int)                Hash Alg Id
3744
//      SYMCRYPT_SI_SAFE_PRIME_KEYGEN   SYMCRYPT_SI_SPG_XXX                     Hash Alg Id
3745
//      SYMCRYPT_SI_HMAC_XXX            SYMCRYPT_SI_KEYBITS(int)                -
3746
//      SYMCRYPT_SI_KDA_ONESTEP         Hash Alg Id or MAC alg Id               -
3747
//      SYMCRYPT_SI_PBKDF               MAC Alg Id                              -
3748
//      SYMCRYPT_SI_KDF_SP800_108_CTR   MAC Alg Id                              -
3749
//      SYMCRYPT_SI_KDF_SSH             Hash Alg Id                             -
3750
//      SYMCRYPT_SI_TLS_V12_KDF         Hash Alg Id                             -
3751
//      SYMCRYPT_SI_KAS_ECC             SYMCRYPT_SI_ECURVE_XXX                  Hash Alg Id
3752
//      SYMCRYPT_SI_KAS_ECC_SSC         SYMCRYPT_SI_ECURVE_XXX                  SYMCRYPT_SI_SCHEME_XXX
3753
//      SYMCRYPT_SI_KAS_FFC             SYMCRYPT_SI_SPG_XXX                     Hash Alg Id
3754
//      SYMCRYPT_SI_KAS_FFC_SSC         SYMCRYPT_SI_SPG_XXX                     SYMCRYPT_SI_SCHEME_XXX
3755
//      SYMCRYPT_SI_LMS_SIGVER          SYMCRYPT_LMS_XXX                        -
3756
//      SYMCRYPT_SI_XMSS_SIGVER         SYMCRYPT_XMSS_XXX                       -
3757
//      SYMCRYPT_SI_XMSS_MT_SIGVER      SYMCRYPT_XMSSMT_XXX                     -
3758
//
3759
//
3760
// Return value:
3761
//  For the specified service and algorithm (and parameters if any), the function
3762
//  returns 0 if SymCrypt implements the algorithm in an approved manner. A non-zero
3763
//  value indicates either the algorithm is non-approved or the parameters were invalid.
3764
//
3765
// Remarks:
3766
// - For parameters that contain integer values, the callers must ensure that the values
3767
// are within the acceptable limits by using the SYMCRYPT_SI_CHECK_INT(L) macro.
3768

3769
Product

Resources

Company
