Lines Matching +full:rx +full:- +full:input +full:- +full:m
46 * 2048-bit RSA keys offer adequate security, and should still do so for
48 * already set their root keys to RSA-4096, so we should be able to
68 * Maximum size for a RSA factor (in bits). This is for RSA private-key
87 * 64-bit types so that we may automatically use implementations that
88 * use 64-bit registers in that case. Future versions may detect, e.g.,
91 * If 'unsigned long' is a 64-bit type, then we assume that 64-bit types
94 * as 64-bit means that the 32-bit code will be used, and that code
95 * works also on 64-bit architectures (the 64-bit code may simply be
100 * 32-bit for compatibility with all the legacy code that liberally uses
101 * the 'DWORD' type for 32-bit values.
157 * Clang and MS Visual C. For each of them, sub-macros will be defined
158 * for versions; each sub-macro is set whenever the compiler version is
278 * AES-NI intrinsics are available on x86 (32-bit and 64-bit) with
288 * SSE2 intrinsics are available on x86 (32-bit and 64-bit) with
298 * RDRAND intrinsics are available on x86 (32-bit and 64-bit) with
314 * /dev/urandom should work on all Unix-like systems (including macOS X).
362 * induces some non-trivial OS dependencies that we would prefer to
401 * Detect support for 128-bit integers.
414 * x86 (both 32-bit and 64-bit) is little-endian and allows unaligned
417 * POWER/PowerPC allows unaligned accesses when big-endian. POWER8 and
418 * later also allow unaligned accesses when little-endian.
436 * Detect support for an OS-provided time source.
457 * 32-bit and 64-bit decoding, both little-endian and big-endian, is
460 * When allowed by some compile-time options (autodetected or provided),
466 * or at least re-explained with different phrasing, in all successive
491 ((br_union_u16 *)dst)->u = x; in br_enc16le()
505 ((br_union_u16 *)dst)->u = x; in br_enc16be()
519 return ((const br_union_u16 *)src)->u; in br_dec16le()
532 return ((const br_union_u16 *)src)->u; in br_dec16be()
545 ((br_union_u32 *)dst)->u = x; in br_enc32le()
561 ((br_union_u32 *)dst)->u = x; in br_enc32be()
577 return ((const br_union_u32 *)src)->u; in br_dec32le()
593 return ((const br_union_u32 *)src)->u; in br_dec32be()
609 ((br_union_u64 *)dst)->u = x; in br_enc64le()
623 ((br_union_u64 *)dst)->u = x; in br_enc64be()
637 return ((const br_union_u64 *)src)->u; in br_dec64le()
651 return ((const br_union_u64 *)src)->u; in br_dec64be()
680 * Byte-swap a 32-bit integer.
696 * IV for MD5, SHA-1, SHA-224 and SHA-256.
704 * Round functions for MD5, SHA-1, SHA-224 and SHA-256 (SHA-224 and
705 * SHA-256 use the same round function).
728 memcpy((void *)dst->impl, src->impl, sizeof src->impl); in br_multihash_copyimpl()
733 * Constant-time primitives. These functions manipulate 32-bit values in
734 * order to provide constant-time comparisons and multiplexers.
743 * there can be no overflow. Negation (unary '-') works on unsigned types
749 * types, being signed, trigger implementation-defined behaviour on
752 * overflows don't occur (unless the -fwrapv command-line option is
753 * added); Clang has the additional -ftrapv option to explicitly trap on
772 return y ^ (-ctl & (x ^ y)); in MUX()
784 return NOT((q | -q) >> 31); in EQ()
796 return (q | -q) >> 31; in NEQ()
806 * If both x < 2^31 and x < 2^31, then y-x will have its high in GT()
814 * Since (y-2^31)-(x-2^31) = y-x, the subtraction is already in GT()
819 z = y - x; in GT()
824 * Other comparisons (greater-or-equal, lower-than, lower-or-equal).
831 * General comparison: returned value is -1, 0 or 1, depending on
837 return (int32_t)GT(x, y) | -(int32_t)GT(y, x); in CMP()
849 return ~(q | -q) >> 31; in EQ0()
859 * High bit of -x is 0 if x == 0, but 1 if x > 0. in GT0()
864 return (~q & -q) >> 31; in GT0()
894 * ~-x has its high bit set if and only if -x is nonnegative (as in LE0()
895 * a signed int), i.e. x is in the -(2^31-1) to 0 range. We must in LE0()
896 * do an OR with x itself to account for x = -2^31. in LE0()
899 return (q | ~-q) >> 31; in LE0()
911 * Compute the bit length of a 32-bit integer. Returned value is between 0
947 * Multiply two 32-bit integers, with a 64-bit result. This default
949 * yields constant-time code.
956 * Alternate implementation of MUL31, that will be constant-time on some
970 - ((uint64_t)(x) << 31) - ((uint64_t)(y) << 31) \
971 - ((uint64_t)1 << 62))
988 * Multiply two 31-bit integers, with a 62-bit result. This default
990 * yields constant-time code.
1001 * bits if the other fits on 15). If BR_CT_MUL15 is non-zero, then the
1003 * operation constant-time on some platforms, where the basic 32-bit
1004 * multiplication is not constant-time.
1016 * right-shifting a negative value is _implementation-defined_, so it
1024 * Still, if BR_NO_ARITH_SHIFT is defined (and non-zero), then an
1026 * implementation-defined behaviour. Unfortunately, it is also slower
1031 | ((-((uint32_t)(x) >> 31)) << (32 - (n))))
1037 * Constant-time division. The dividend hi:lo is divided by the
1074 * --------------
1077 * an internal representation as an array of 32-bit integers. For
1079 * -- x[0] contains the "announced bit length" of the integer
1080 * -- x[1], x[2]... contain the value in little-endian order (x[1]
1083 * Multiplications rely on the elementary 32x32->64 multiplication.
1086 * significant in the subsequent 32-bit words. Unused bits in the
1094 * on modular integers are "constant-time" (only the modulus length may
1101 * The len 'xlen' contains the number of 32-bit words to access.
1108 * Decode an integer from its big-endian unsigned representation. The
1117 * Decode an integer from its big-endian unsigned representation. The
1118 * integer MUST be lower than m[]; the announced bit length written in
1119 * x[] will be equal to that of m[]. All 'len' bytes from the source are
1124 * still with the announced bit length of m[]).
1127 * only of 'len' and the announced bit length of m. Whether x fits or
1131 const void *src, size_t len, const uint32_t *m);
1134 * Reduce an integer (a[]) modulo another (m[]). The result is written
1135 * in x[] and its announced bit length is set to be equal to that of m[].
1137 * x[] MUST be distinct from a[] and m[].
1139 * CT: only announced bit lengths leak, not values of x, a or m.
1141 void br_i32_reduce(uint32_t *x, const uint32_t *a, const uint32_t *m);
1144 * Decode an integer from its big-endian unsigned representation, and
1145 * reduce it modulo the provided modulus m[]. The announced bit length
1148 * x[] MUST be distinct from m[].
1151 const void *src, size_t len, const uint32_t *m);
1154 * Encode an integer into its big-endian unsigned representation. The
1162 * Multiply x[] by 2^32 and then add integer z, modulo m[]. This
1163 * function assumes that x[] and m[] have the same announced bit
1164 * length, and the announced bit length of m[] matches its true
1167 * x[] and m[] MUST be distinct arrays.
1169 * CT: only the common announced bit length of x and m leaks, not
1170 * the values of x, z or m.
1172 void br_i32_muladd_small(uint32_t *x, uint32_t z, const uint32_t *m);
1190 return (a[u] >> j) | (a[u + 1] << (32 - j)); in br_i32_word()
1242 * Compute -(1/x) mod 2^32. If x is even, then this function returns 0.
1248 * MUST be lower than m[], but with the same announced bit length.
1250 void br_i32_to_monty(uint32_t *x, const uint32_t *m);
1254 * integer x[] MUST be lower than m[], but with the same announced bit
1255 * length. The "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is
1256 * the least significant value word of m[] (this works only if m[] is
1259 void br_i32_from_monty(uint32_t *x, const uint32_t *m, uint32_t m0i);
1263 * value of x*y/R modulo m[] (where R is the Montgomery factor). The
1264 * array d[] MUST be distinct from x[], y[] and m[]. x[] and y[] MUST be
1265 * numerically lower than m[]. x[] and y[] MAY be the same array. The
1266 * "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is the least
1267 * significant value word of m[] (this works only if m[] is an odd
1271 const uint32_t *m, uint32_t m0i);
1274 * Compute a modular exponentiation. x[] MUST be an integer modulo m[]
1275 * (same announced bit length, lower value). m[] MUST be odd. The
1276 * exponent is in big-endian unsigned notation, over 'elen' bytes. The
1277 * "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is the least
1278 * significant value word of m[] (this works only if m[] is an odd
1280 * each large enough to accommodate an integer with the same size as m[].
1283 const uint32_t *m, uint32_t m0i, uint32_t *t1, uint32_t *t2);
1289 * --------------
1292 * an internal representation as an array of 32-bit integers. For
1294 * -- x[0] encodes the array length and the "announced bit length"
1297 * -- x[1], x[2]... contain the value in little-endian order, 31
1301 * Multiplications rely on the elementary 32x32->64 multiplication.
1304 * significant in the subsequent 32-bit words. Unused bits in the
1312 * on modular integers are "constant-time" (only the modulus length may
1342 * integer. The len 'xlen' contains the number of 32-bit words to
1351 * Decode an integer from its big-endian unsigned representation. The
1361 * Decode an integer from its big-endian unsigned representation. The
1362 * integer MUST be lower than m[]; the (encoded) announced bit length
1363 * written in x[] will be equal to that of m[]. All 'len' bytes from the
1368 * still with the announced bit length of m[]).
1371 * only of 'len' and the announced bit length of m. Whether x fits or
1375 const void *src, size_t len, const uint32_t *m);
1390 * Right-shift an integer. The shift amount must be lower than 31
1396 * Reduce an integer (a[]) modulo another (m[]). The result is written
1397 * in x[] and its announced bit length is set to be equal to that of m[].
1399 * x[] MUST be distinct from a[] and m[].
1401 * CT: only announced bit lengths leak, not values of x, a or m.
1403 void br_i31_reduce(uint32_t *x, const uint32_t *a, const uint32_t *m);
1406 * Decode an integer from its big-endian unsigned representation, and
1407 * reduce it modulo the provided modulus m[]. The announced bit length
1410 * x[] MUST be distinct from m[].
1413 const void *src, size_t len, const uint32_t *m);
1416 * Multiply x[] by 2^31 and then add integer z, modulo m[]. This
1417 * function assumes that x[] and m[] have the same announced bit
1418 * length, the announced bit length of m[] matches its true
1421 * x[] and m[] MUST be distinct arrays. z MUST fit in 31 bits (upper
1424 * CT: only the common announced bit length of x and m leaks, not
1425 * the values of x, z or m.
1427 void br_i31_muladd_small(uint32_t *x, uint32_t z, const uint32_t *m);
1430 * Encode an integer into its big-endian unsigned representation. The
1438 * Compute -(1/x) mod 2^31. If x is even, then this function returns 0.
1444 * value of x*y/R modulo m[] (where R is the Montgomery factor). The
1445 * array d[] MUST be distinct from x[], y[] and m[]. x[] and y[] MUST be
1446 * numerically lower than m[]. x[] and y[] MAY be the same array. The
1447 * "m0i" parameter is equal to -(1/m0) mod 2^31, where m0 is the least
1448 * significant value word of m[] (this works only if m[] is an odd
1452 const uint32_t *m, uint32_t m0i);
1456 * MUST be lower than m[], but with the same announced bit length.
1458 void br_i31_to_monty(uint32_t *x, const uint32_t *m);
1462 * integer x[] MUST be lower than m[], but with the same announced bit
1463 * length. The "m0i" parameter is equal to -(1/m0) mod 2^32, where m0 is
1464 * the least significant value word of m[] (this works only if m[] is
1467 void br_i31_from_monty(uint32_t *x, const uint32_t *m, uint32_t m0i);
1470 * Compute a modular exponentiation. x[] MUST be an integer modulo m[]
1471 * (same announced bit length, lower value). m[] MUST be odd. The
1472 * exponent is in big-endian unsigned notation, over 'elen' bytes. The
1473 * "m0i" parameter is equal to -(1/m0) mod 2^31, where m0 is the least
1474 * significant value word of m[] (this works only if m[] is an odd
1476 * each large enough to accommodate an integer with the same size as m[].
1479 const uint32_t *m, uint32_t m0i, uint32_t *t1, uint32_t *t2);
1482 * Compute a modular exponentiation. x[] MUST be an integer modulo m[]
1483 * (same announced bit length, lower value). m[] MUST be odd. The
1484 * exponent is in big-endian unsigned notation, over 'elen' bytes. The
1485 * "m0i" parameter is equal to -(1/m0) mod 2^31, where m0 is the least
1486 * significant value word of m[] (this works only if m[] is an odd
1489 * temporary values with the same size as m[] (including the leading
1491 * function may use the extra room for window-based optimisation,
1498 const uint32_t *m, uint32_t m0i, uint32_t *tmp, size_t twlen);
1514 * Compute x/y mod m, result in x. Values x and y must be between 0 and
1515 * m-1, and have the same announced bit length as m. Modulus m must be
1516 * odd. The "m0i" parameter is equal to -1/m mod 2^31. The array 't'
1518 * of the size of m.
1520 * m may not overlap x and y. x and y may overlap each other (this can
1521 * be useful to test whether a value is invertible modulo m). t must be
1525 * y is invertible modulo m.
1528 const uint32_t *m, uint32_t m0i, uint32_t *t);
1551 void br_i15_muladd_small(uint16_t *x, uint16_t z, const uint16_t *m);
1554 const uint16_t *m, uint16_t m0i);
1556 void br_i15_to_monty(uint16_t *x, const uint16_t *m);
1559 const uint16_t *m, uint16_t m0i, uint16_t *t1, uint16_t *t2);
1562 const uint16_t *m, uint16_t m0i, uint16_t *tmp, size_t twlen);
1567 const void *src, size_t len, const uint16_t *m);
1575 void br_i15_from_monty(uint16_t *x, const uint16_t *m, uint16_t m0i);
1578 const void *src, size_t len, const uint16_t *m);
1580 void br_i15_reduce(uint16_t *x, const uint16_t *a, const uint16_t *m);
1585 const uint16_t *m, uint16_t m0i, uint16_t *t);
1588 * Variant of br_i31_modpow_opt() that internally uses 64x64->128
1590 * except that the temporaries should be 64-bit integers, not 32-bit
1603 const uint32_t *m, uint32_t m0i, uint32_t *tmp, size_t twlen);
1608 * 64-bit aligned.
1612 const uint32_t *m, uint32_t m0i, uint32_t *tmp, size_t twlen);
1619 return (size_t)(digest_class->desc >> BR_HASHDESC_OUT_OFF) in br_digest_size()
1653 * subkey is two 28-bit words represented as two 32-bit words; the PC-2
1659 * Reversal of 16 DES sub-keys (for decryption).
1699 * The AES S-box (256-byte table).
1704 * AES key schedule. skey[] is filled with n+1 128-bit subkeys, where n
1709 * This implementation uses a 256-byte table and is NOT constant-time.
1721 * not constant-time). This function encrypts a single block "in place".
1727 * not constant-time). This function decrypts a single block "in place".
1733 * slow and not constant-time). This function encrypts a single block
1741 * slow and not constant-time). This function decrypts a single block
1748 * The constant-time implementation is "bitsliced": the 128-bit state is
1749 * split over eight 32-bit words q* in the following way:
1751 * -- Input block consists in 16 bytes:
1756 * -- Each byte is split into eight bits which are distributed over the
1762 * -- Ranks given to bits are in "row order" and are either all even, or
1767 * Converting input bytes from two AES blocks to bitslice representation
1769 * -- Decode first block into the four words q0 q2 q4 q6, in that order,
1770 * using little-endian convention.
1771 * -- Decode second block into the four words q1 q3 q5 q7, in that order,
1772 * using little-endian convention.
1773 * -- Call br_aes_ct_ortho().
1780 * Perform bytewise orthogonalization of eight 32-bit words. Bytes
1790 * The AES S-box, as a bitsliced constant-time version. The input array
1791 * consists in eight 32-bit words; 32 S-box instances are computed in
1792 * parallel. Bits 0 to 7 of each S-box input (bit 0 is least significant)
1798 * Like br_aes_bitslice_Sbox(), but for the inverse S-box.
1803 * Compute AES encryption on bitsliced data. Since input is stored on
1804 * eight 32-bit words, two block encryptions are actually performed
1811 * Compute AES decryption on bitsliced data. Since input is stored on
1812 * eight 32-bit words, two block decryptions are actually performed
1819 * AES key schedule, constant-time version. skey[] is filled with n+1
1820 * 128-bit subkeys, where n is the number of rounds (10 to 14, depending
1843 * Perform bytewise orthogonalization of eight 64-bit words. Bytes
1853 * Interleave bytes for an AES input block. If input bytes are
1854 * denoted 0123456789ABCDEF, and have been decoded with little-endian
1857 * set to 08192A3B (again little-endian convention) and q1 will
1868 * The AES S-box, as a bitsliced constant-time version. The input array
1869 * consists in eight 64-bit words; 64 S-box instances are computed in
1870 * parallel. Bits 0 to 7 of each S-box input (bit 0 is least significant)
1876 * Like br_aes_bitslice_Sbox(), but for the inverse S-box.
1881 * Compute AES encryption on bitsliced data. Since input is stored on
1882 * eight 64-bit words, four block encryptions are actually performed
1889 * Compute AES decryption on bitsliced data. Since input is stored on
1890 * eight 64-bit words, four block decryptions are actually performed
1897 * AES key schedule, constant-time version. skey[] is filled with n+1
1898 * 128-bit subkeys, where n is the number of rounds (10 to 14, depending
1914 * Test support for AES-NI opcodes.
1919 * AES key schedule, using x86 AES-NI instructions. This yields the
1927 * AES key schedule, using x86 AES-NI instructions. This yields the
2031 * Type for generic EC parameters: curve order (unsigned big-endian
2047 * For Curve25519, the advertised "order" really is 2^255-1, since the
2048 * point multipliction function really works over arbitrary 255-bit
2059 * this declared bit length, and consists the big-endian unsigned decoding
2069 * this declared bit length, and consists the big-endian unsigned decoding
2083 * big-endian representation), length of the integer contents,
2085 * - If the integer value is zero, then 'len' must be zero.
2086 * - If the integer value is not zero, then data[0] must be non-zero.
2098 * Given an encoded integer (unsigned big-endian, with possible leading
2124 * the DER-encoded OID, with the length (always one byte) but without
2175 * Low-level I/O state.
2195 return cc->iomode == BR_IO_FAILED; in br_ssl_engine_closed()
2226 return rc->oxa != rc->oxb && rc->oxa != rc->oxc; in br_ssl_engine_has_pld_to_send()
2231 * This function will try to use the OS-provided RNG, if available. If
2232 * there is no OS-provided RNG, or if it failed, and no entropy was
2239 * Reset the handshake-related parts of the engine.
2251 * Consume the provided pre-master secret and compute the corresponding
2261 * is_client non-zero for a client, zero for a server
2274 * is_client non-zero for a client, zero for a server
2287 * is_client non-zero for a client, zero for a server
2299 * is_client non-zero for a client, zero for a server
2311 * is_client non-zero for a client, zero for a server
2320 * is_client non-zero for a client, zero for a server
2329 * is_client non-zero for a client, zero for a server
2343 * is_client non-zero for a client, zero for a server
2355 * Calls to T0-generated code.
2365 * (namely SHA-256, SHA-384, SHA-512, SHA-224, SHA-1). If the mask
2388 #define li(rx, value) li_(rx, value) argument
2389 #define addi(rx, ra, imm) addi_(rx, ra, imm) argument
2390 #define cmpldi(rx, imm) cmpldi_(rx, imm) argument
2391 #define mtctr(rx) mtctr_(rx) argument
2425 #define li_(rx, value) "\tli\t" #rx "," #value "\n" argument
2426 #define addi_(rx, ra, imm) "\taddi\t" #rx "," #ra "," #imm "\n" argument
2427 #define cmpldi_(rx, imm) "\tcmpldi\t" #rx "," #imm "\n" argument
2428 #define mtctr_(rx) "\tmtctr\t" #rx "\n" argument
2465 * - Caller must define BR_ENABLE_INTRINSICS before including "inner.h".
2466 * - Functions that use intrinsics must be enclosed in an "enabled"
2468 * - Functions that use intrinsics must be tagged with the appropriate
2475 * x86 intrinsics (both 32-bit and 64-bit).
2498 #pragma GCC diagnostic ignored "-Wpsabi"