41  * respectively. Of course, in a typical size-constrained application,
108 	br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);  in example_client_profile()
114 	 *  -- cipher suites with a name ending in "SHA384" need "prf_sha384";  in example_client_profile()
115 	 *  -- all others need "prf_sha256".  in example_client_profile()
118 	 * use SHA-1 for the per-record MAC (that's what the final "SHA"  in example_client_profile()
119 	 * means), but still SHA-256 for the PRF when selected along with  in example_client_profile()
120 	 * the TLS-1.2 protocol version.  in example_client_profile()
122 	br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);  in example_client_profile()
123 	br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);  in example_client_profile()
124 	br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);  in example_client_profile()
130 	 * -- TLS 1.0 and 1.1 require both MD5 and SHA-1.  in example_client_profile()
131 	 * -- With TLS 1.2, cipher suites with a name ending in "SHA384"  in example_client_profile()
132 	 *    require SHA-384.  in example_client_profile()
133 	 * -- With TLS 1.2, cipher suites with a name ending in "SHA256"  in example_client_profile()
134 	 *    require SHA-256.  in example_client_profile()
135 	 * -- With TLS 1.2, cipher suites with a name ending in "SHA"  in example_client_profile()
136 	 *    require both SHA-256 and SHA-1.  in example_client_profile()
142 	 * 1.0 and 1.1, SHA-1 (and also MD5) will be used, but with TLS  in example_client_profile()
144 	 * server; SHA-256 and/or SHA-384 should be sufficient in  in example_client_profile()
147 	 * Note that with current implementations, SHA-224 and SHA-256  in example_client_profile()
149 	 * one with no additional overhead. Similarly, SHA-384 and SHA-512  in example_client_profile()
152 	br_ssl_engine_set_hash(&cc->eng, br_md5_ID, &br_md5_vtable);  in example_client_profile()
153 	br_ssl_engine_set_hash(&cc->eng, br_sha1_ID, &br_sha1_vtable);  in example_client_profile()
154 	br_ssl_engine_set_hash(&cc->eng, br_sha224_ID, &br_sha224_vtable);  in example_client_profile()
155 	br_ssl_engine_set_hash(&cc->eng, br_sha256_ID, &br_sha256_vtable);  in example_client_profile()
156 	br_ssl_engine_set_hash(&cc->eng, br_sha384_ID, &br_sha384_vtable);  in example_client_profile()
157 	br_ssl_engine_set_hash(&cc->eng, br_sha512_ID, &br_sha512_vtable);  in example_client_profile()
165 	br_ssl_engine_set_suites(&cc->eng, suites,  in example_client_profile()
169 	 * Public-key algorithm implementations.  in example_client_profile()
171 	 * -- RSA public core ("rsapub") is needed for "RSA" key exchange  in example_client_profile()
174 	 * -- RSA signature verification ("rsavrfy") is needed for  in example_client_profile()
177 	 * -- Elliptic curve implementation ("ec") is needed for cipher  in example_client_profile()
181 	 * -- ECDSA signature verification is needed for "ECDHE_ECDSA"  in example_client_profile()
187 	 * platform, where "best" means "fastest within constant-time  in example_client_profile()
189 	 * mixture of compile-time and runtime checks.  in example_client_profile()
199 	 * should be preferred (the "i15" code is constant-time, while  in example_client_profile()
208 	 *  - ec_c25519_i15, ec_c25519_i31, ec_c25519_m15 and ec_c25519_m31  in example_client_profile()
211 	 *  - ec_p256_m15 and ec_p256_m31 implement NIST curve P-256.  in example_client_profile()
213 	 *  - ec_prime_i15 and ec_prime_i31 implement NIST curves P-256,  in example_client_profile()
214 	 *    P-384 and P-521.  in example_client_profile()
216 	 *  - ec_all_m15 is an aggregate implementation that uses  in example_client_profile()
219 	 *  - ec_all_m31 is an aggregate implementation that uses  in example_client_profile()
231 	br_ssl_engine_set_default_rsavrfy(&cc->eng);  in example_client_profile()
232 	br_ssl_engine_set_default_ecdsa(&cc->eng);  in example_client_profile()
236 	br_ssl_engine_set_ec(&cc->eng, &br_ec_all_m31);  in example_client_profile()
237 	br_ssl_engine_set_ecdsa(&cc->eng, &br_ecdsa_i31_vrfy_asn1);  in example_client_profile()
242 	 * -- Cipher suites in AES_128_CBC, AES_256_CBC and 3DES_EDE_CBC  in example_client_profile()
244 	 * -- Cipher suites in AES_128_GCM and AES_256_GCM need the GCM  in example_client_profile()
246 	 * -- Cipher suites in CHACHA20_POLY1305 need the ChaCha20+Poly1305  in example_client_profile()
249 	br_ssl_engine_set_cbc(&cc->eng,  in example_client_profile()
252 	br_ssl_engine_set_gcm(&cc->eng,  in example_client_profile()
255 	br_ssl_engine_set_chapol(&cc->eng,  in example_client_profile()
261 	 * -- AES_128_CBC and AES_256_CBC require an "aes_cbc" implementation  in example_client_profile()
263 	 * -- 3DES_EDE_CBC requires a "des_cbc" implementation  in example_client_profile()
265 	 * -- AES_128_GCM and AES_256_GCM require an "aes_ctr" imeplementation  in example_client_profile()
270 	 *    des_tab     Classical table-based implementation; it is  in example_client_profile()
271 	 *                not constant-time.  in example_client_profile()
273 	 *    dest_ct     Constant-time DES/3DES implementation. It is  in example_client_profile()
278 	 *    aes_ct      Constant-time AES implementation, for 32-bit  in example_client_profile()
281 	 *    aes_ct64    Constant-time AES implementation, for 64-bit  in example_client_profile()
282 	 *                systems. It actually also runs on 32-bit systems,  in example_client_profile()
284 	 *                slightly worse performance. On 64-bit systems,  in example_client_profile()
290 	 *                slowest, and it is not constant-time. Use it  in example_client_profile()
293 	 *    aes_big     Classical table-based AES implementation. This  in example_client_profile()
295 	 *                but it is not constant-time.  in example_client_profile()
297 	 *    aes_x86ni   Very fast implementation that uses the AES-NI  in example_client_profile()
305 	 * Whether having constant-time implementations is absolutely  in example_client_profile()
308 	 * and while side-channel analysis for non-constant-time AES  in example_client_profile()
312 	 * constant-time code by default, and to consider the other  in example_client_profile()
316 	br_ssl_engine_set_aes_cbc(&cc->eng,  in example_client_profile()
319 	br_ssl_engine_set_aes_ctr(&cc->eng,  in example_client_profile()
322 	br_ssl_engine_set_aes_cbc(&cc->eng,  in example_client_profile()
325 	br_ssl_engine_set_aes_ctr(&cc->eng,  in example_client_profile()
329 	br_ssl_engine_set_aes_cbc(&cc->eng,  in example_client_profile()
332 	br_ssl_engine_set_aes_ctr(&cc->eng,  in example_client_profile()
336 	br_ssl_engine_set_aes_cbc(&cc->eng,  in example_client_profile()
339 	br_ssl_engine_set_aes_ctr(&cc->eng,  in example_client_profile()
342 	br_ssl_engine_set_des_cbc(&cc->eng,  in example_client_profile()
346 	br_ssl_engine_set_des_cbc(&cc->eng,  in example_client_profile()
355 	 *    ctmul     Uses 32-bit multiplications with a 64-bit result.  in example_client_profile()
357 	 *    ctmul32   Uses 32-bit multiplications with a 32-bit result.  in example_client_profile()
359 	 *    ctmul64   Uses 64-bit multiplications with a 64-bit result.  in example_client_profile()
361 	 * On 64-bit platforms, ctmul64 is the smallest and fastest of  in example_client_profile()
362 	 * the three. On 32-bit systems, ctmul should be preferred. The  in example_client_profile()
364 	 * 32-bit systems that do not have a 32x32->64 multiplier (i.e.  in example_client_profile()
365 	 * the ARM Cortex-M0 and Cortex-M0+).  in example_client_profile()
367 	 * These implementations are all constant-time as long as the  in example_client_profile()
368 	 * underlying multiplication opcode is constant-time (which is  in example_client_profile()
372 	br_ssl_engine_set_ghash(&cc->eng,  in example_client_profile()
375 	br_ssl_engine_set_ghash(&cc->eng,  in example_client_profile()
379 	br_ssl_engine_set_ghash(&cc->eng,  in example_client_profile()
391 	 * public key through an out-of-band mechanism, in which case  in example_client_profile()
406 	 * supported hash function is appropriate; here we use SHA-256.  in example_client_profile()
417 	 * SSL-specific usage of the server's public key. For instance,  in example_client_profile()
445 	br_ssl_engine_set_x509(&cc->eng, &xc->vtable);  in example_client_profile()
479 	br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);  in example_server_profile()
481 	br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);  in example_server_profile()
482 	br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);  in example_server_profile()
483 	br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);  in example_server_profile()
492 	 * standard, it should be SHA-1 in that case).  in example_server_profile()
494 	br_ssl_engine_set_hash(&cc->eng, br_md5_ID, &br_md5_vtable);  in example_server_profile()
495 	br_ssl_engine_set_hash(&cc->eng, br_sha1_ID, &br_sha1_vtable);  in example_server_profile()
496 	br_ssl_engine_set_hash(&cc->eng, br_sha224_ID, &br_sha224_vtable);  in example_server_profile()
497 	br_ssl_engine_set_hash(&cc->eng, br_sha256_ID, &br_sha256_vtable);  in example_server_profile()
498 	br_ssl_engine_set_hash(&cc->eng, br_sha384_ID, &br_sha384_vtable);  in example_server_profile()
499 	br_ssl_engine_set_hash(&cc->eng, br_sha512_ID, &br_sha512_vtable);  in example_server_profile()
501 	br_ssl_engine_set_suites(&cc->eng, suites,  in example_server_profile()
508 	br_ssl_engine_set_ec(&cc->eng, &br_ec_prime_i31);  in example_server_profile()
533 	 * -- "ECDH" cipher suites use only the EC code (&br_ec_prime_i31);  in example_server_profile()
537 	 * -- For "ECDH" (not "ECDHE") cipher suites, the engine must  in example_server_profile()
545 	 * -- BR_KEYTYPE_KEYX allows ECDH, BR_KEYTYPE_SIGN allows  in example_server_profile()
549 	br_ssl_engine_set_cbc(&cc->eng,  in example_server_profile()
552 	br_ssl_engine_set_gcm(&cc->eng,  in example_server_profile()
556 	br_ssl_engine_set_aes_cbc(&cc->eng,  in example_server_profile()
559 	br_ssl_engine_set_aes_ctr(&cc->eng,  in example_server_profile()
562 	br_ssl_engine_set_aes_cbc(&cc->eng,  in example_server_profile()
565 	br_ssl_engine_set_aes_ctr(&cc->eng,  in example_server_profile()
569 	br_ssl_engine_set_aes_cbc(&cc->eng,  in example_server_profile()
572 	br_ssl_engine_set_aes_ctr(&cc->eng,  in example_server_profile()
576 	br_ssl_engine_set_aes_cbc(&cc->eng,  in example_server_profile()
579 	br_ssl_engine_set_aes_ctr(&cc->eng,  in example_server_profile()
582 	br_ssl_engine_set_des_cbc(&cc->eng,  in example_server_profile()
586 	br_ssl_engine_set_des_cbc(&cc->eng,  in example_server_profile()
591 	br_ssl_engine_set_ghash(&cc->eng,  in example_server_profile()
594 	br_ssl_engine_set_ghash(&cc->eng,  in example_server_profile()
598 	br_ssl_engine_set_ghash(&cc->eng,  in example_server_profile()