xref: /freebsd/contrib/bearssl/inc/bearssl_hash.h (revision cc9e6590773dba57440750c124173ed531349a06)
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #ifndef BR_BEARSSL_HASH_H__
26 #define BR_BEARSSL_HASH_H__
27 
28 #include <stddef.h>
29 #include <stdint.h>
30 #include <string.h>
31 
32 #ifdef __cplusplus
33 extern "C" {
34 #endif
35 
36 /** \file bearssl_hash.h
37  *
38  * # Hash Functions
39  *
40  * This file documents the API for hash functions.
41  *
42  *
43  * ## Procedural API
44  *
45  * For each implemented hash function, of name "`xxx`", the following
46  * elements are defined:
47  *
48  *   - `br_xxx_vtable`
49  *
50  *     An externally defined instance of `br_hash_class`.
51  *
52  *   - `br_xxx_SIZE`
53  *
54  *     A macro that evaluates to the output size (in bytes) of the
55  *     hash function.
56  *
57  *   - `br_xxx_ID`
58  *
59  *     A macro that evaluates to a symbolic identifier for the hash
60  *     function. Such identifiers are used with HMAC and signature
61  *     algorithm implementations.
62  *
63  *     NOTE: for the "standard" hash functions defined in [the TLS
64  *     standard](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1),
65  *     the symbolic identifiers match the constants used in TLS, i.e.
66  *     1 to 6 for MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512,
67  *     respectively.
68  *
69  *   - `br_xxx_context`
70  *
71  *     Context for an ongoing computation. It is allocated by the
72  *     caller, and a pointer to it is passed to all functions. A
73  *     context contains no interior pointer, so it can be moved around
74  *     and cloned (with a simple `memcpy()` or equivalent) in order to
75  *     capture the function state at some point. Computations that use
76  *     distinct context structures are independent of each other. The
77  *     first field of `br_xxx_context` is always a pointer to the
78  *     `br_xxx_vtable` structure; `br_xxx_init()` sets that pointer.
79  *
80  *   - `br_xxx_init(br_xxx_context *ctx)`
81  *
82  *     Initialise the provided context. Previous contents of the structure
83  *     are ignored. This calls resets the context to the start of a new
84  *     hash computation; it also sets the first field of the context
85  *     structure (called `vtable`) to a pointer to the statically
86  *     allocated constant `br_xxx_vtable` structure.
87  *
88  *   - `br_xxx_update(br_xxx_context *ctx, const void *data, size_t len)`
89  *
90  *     Add some more bytes to the hash computation represented by the
91  *     provided context.
92  *
93  *   - `br_xxx_out(const br_xxx_context *ctx, void *out)`
94  *
95  *     Complete the hash computation and write the result in the provided
96  *     buffer. The output buffer MUST be large enough to accommodate the
97  *     result. The context is NOT modified by this operation, so this
98  *     function can be used to get a "partial hash" while still keeping
99  *     the possibility of adding more bytes to the input.
100  *
101  *   - `br_xxx_state(const br_xxx_context *ctx, void *out)`
102  *
103  *     Get a copy of the "current state" for the computation so far. For
104  *     MD functions (MD5, SHA-1, SHA-2 family), this is the running state
105  *     resulting from the processing of the last complete input block.
106  *     Returned value is the current input length (in bytes).
107  *
108  *   - `br_xxx_set_state(br_xxx_context *ctx, const void *stb, uint64_t count)`
109  *
110  *     Set the internal state to the provided values. The 'stb' and
111  *     'count' values shall match that which was obtained from
112  *     `br_xxx_state()`. This restores the hash state only if the state
113  *     values were at an appropriate block boundary. This does NOT set
114  *     the `vtable` pointer in the context.
115  *
116  * Context structures can be discarded without any explicit deallocation.
117  * Hash function implementations are purely software and don't reserve
118  * any resources outside of the context structure itself.
119  *
120  *
121  * ## Object-Oriented API
122  *
123  * For each hash function that follows the procedural API described
124  * above, an object-oriented API is also provided. In that API, function
125  * pointers from the vtable (`br_xxx_vtable`) are used. The vtable
126  * incarnates object-oriented programming. An introduction on the OOP
127  * concept used here can be read on the BearSSL Web site:<br />
128  * &nbsp;&nbsp;&nbsp;[https://www.bearssl.org/oop.html](https://www.bearssl.org/oop.html)
129  *
130  * The vtable offers functions called `init()`, `update()`, `out()`,
131  * `set()` and `set_state()`, which are in fact the functions from
132  * the procedural API. That vtable also contains two informative fields:
133  *
134  *   - `context_size`
135  *
136  *     The size of the context structure (`br_xxx_context`), in bytes.
137  *     This can be used by generic implementations to perform dynamic
138  *     context allocation.
139  *
140  *   - `desc`
141  *
142  *     A "descriptor" field that encodes some information on the hash
143  *     function: symbolic identifier, output size, state size,
144  *     internal block size, details on the padding.
145  *
146  * Users of this object-oriented API (in particular generic HMAC
147  * implementations) may make the following assumptions:
148  *
149  *   - Hash output size is no more than 64 bytes.
150  *   - Hash internal state size is no more than 64 bytes.
151  *   - Internal block size is a power of two, no less than 16 and no more
152  *     than 256.
153  *
154  *
155  * ## Implemented Hash Functions
156  *
157  * Implemented hash functions are:
158  *
159  * | Function  | Name    | Output length | State length |
160  * | :-------- | :------ | :-----------: | :----------: |
161  * | MD5       | md5     |     16        |     16       |
162  * | SHA-1     | sha1    |     20        |     20       |
163  * | SHA-224   | sha224  |     28        |     32       |
164  * | SHA-256   | sha256  |     32        |     32       |
165  * | SHA-384   | sha384  |     48        |     64       |
166  * | SHA-512   | sha512  |     64        |     64       |
167  * | MD5+SHA-1 | md5sha1 |     36        |     36       |
168  *
169  * (MD5+SHA-1 is the concatenation of MD5 and SHA-1 computed over the
170  * same input; in the implementation, the internal data buffer is
171  * shared, thus making it more memory-efficient than separate MD5 and
172  * SHA-1. It can be useful in implementing SSL 3.0, TLS 1.0 and TLS
173  * 1.1.)
174  *
175  *
176  * ## Multi-Hasher
177  *
178  * An aggregate hasher is provided, that can compute several standard
179  * hash functions in parallel. It uses `br_multihash_context` and a
180  * procedural API. It is configured with the implementations (the vtables)
181  * that it should use; it will then compute all these hash functions in
182  * parallel, on the same input. It is meant to be used in cases when the
183  * hash of an object will be used, but the exact hash function is not
184  * known yet (typically, streamed processing on X.509 certificates).
185  *
186  * Only the standard hash functions (MD5, SHA-1, SHA-224, SHA-256, SHA-384
187  * and SHA-512) are supported by the multi-hasher.
188  *
189  *
190  * ## GHASH
191  *
192  * GHASH is not a generic hash function; it is a _universal_ hash function,
193  * which, as the name does not say, means that it CANNOT be used in most
194  * places where a hash function is needed. GHASH is used within the GCM
195  * encryption mode, to provide the checked integrity functionality.
196  *
197  * A GHASH implementation is basically a function that uses the type defined
198  * in this file under the name `br_ghash`:
199  *
200  *     typedef void (*br_ghash)(void *y, const void *h, const void *data, size_t len);
201  *
202  * The `y` pointer refers to a 16-byte value which is used as input, and
203  * receives the output of the GHASH invocation. `h` is a 16-byte secret
204  * value (that serves as key). `data` and `len` define the input data.
205  *
206  * Three GHASH implementations are provided, all constant-time, based on
207  * the use of integer multiplications with appropriate masking to cancel
208  * carry propagation.
209  */
210 
211 /**
212  * \brief Class type for hash function implementations.
213  *
214  * A `br_hash_class` instance references the methods implementing a hash
215  * function. Constant instances of this structure are defined for each
216  * implemented hash function. Such instances are also called "vtables".
217  *
218  * Vtables are used to support object-oriented programming, as
219  * described on [the BearSSL Web site](https://www.bearssl.org/oop.html).
220  */
221 typedef struct br_hash_class_ br_hash_class;
222 struct br_hash_class_ {
223 	/**
224 	 * \brief Size (in bytes) of the context structure appropriate for
225 	 * computing this hash function.
226 	 */
227 	size_t context_size;
228 
229 	/**
230 	 * \brief Descriptor word that contains information about the hash
231 	 * function.
232 	 *
233 	 * For each word `xxx` described below, use `BR_HASHDESC_xxx_OFF`
234 	 * and `BR_HASHDESC_xxx_MASK` to access the specific value, as
235 	 * follows:
236 	 *
237 	 *     (hf->desc >> BR_HASHDESC_xxx_OFF) & BR_HASHDESC_xxx_MASK
238 	 *
239 	 * The defined elements are:
240 	 *
241 	 *  - `ID`: the symbolic identifier for the function, as defined
242 	 *    in [TLS](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1)
243 	 *    (MD5 = 1, SHA-1 = 2,...).
244 	 *
245 	 *  - `OUT`: hash output size, in bytes.
246 	 *
247 	 *  - `STATE`: internal running state size, in bytes.
248 	 *
249 	 *  - `LBLEN`: base-2 logarithm for the internal block size, as
250 	 *    defined for HMAC processing (this is 6 for MD5, SHA-1, SHA-224
251 	 *    and SHA-256, since these functions use 64-byte blocks; for
252 	 *    SHA-384 and SHA-512, this is 7, corresponding to their
253 	 *    128-byte blocks).
254 	 *
255 	 * The descriptor may contain a few other flags.
256 	 */
257 	uint32_t desc;
258 
259 	/**
260 	 * \brief Initialisation method.
261 	 *
262 	 * This method takes as parameter a pointer to a context area,
263 	 * that it initialises. The first field of the context is set
264 	 * to this vtable; other elements are initialised for a new hash
265 	 * computation.
266 	 *
267 	 * \param ctx   pointer to (the first field of) the context.
268 	 */
269 	void (*init)(const br_hash_class **ctx);
270 
271 	/**
272 	 * \brief Data injection method.
273 	 *
274 	 * The `len` bytes starting at address `data` are injected into
275 	 * the running hash computation incarnated by the specified
276 	 * context. The context is updated accordingly. It is allowed
277 	 * to have `len == 0`, in which case `data` is ignored (and could
278 	 * be `NULL`), and nothing happens.
279 	 * on the input data.
280 	 *
281 	 * \param ctx    pointer to (the first field of) the context.
282 	 * \param data   pointer to the first data byte to inject.
283 	 * \param len    number of bytes to inject.
284 	 */
285 	void (*update)(const br_hash_class **ctx, const void *data, size_t len);
286 
287 	/**
288 	 * \brief Produce hash output.
289 	 *
290 	 * The hash output corresponding to all data bytes injected in the
291 	 * context since the last `init()` call is computed, and written
292 	 * in the buffer pointed to by `dst`. The hash output size depends
293 	 * on the implemented hash function (e.g. 16 bytes for MD5).
294 	 * The context is _not_ modified by this call, so further bytes
295 	 * may be afterwards injected to continue the current computation.
296 	 *
297 	 * \param ctx   pointer to (the first field of) the context.
298 	 * \param dst   destination buffer for the hash output.
299 	 */
300 	void (*out)(const br_hash_class *const *ctx, void *dst);
301 
302 	/**
303 	 * \brief Get running state.
304 	 *
305 	 * This method saves the current running state into the `dst`
306 	 * buffer. What constitutes the "running state" depends on the
307 	 * hash function; for Merkle-Damgård hash functions (like
308 	 * MD5 or SHA-1), this is the output obtained after processing
309 	 * each block. The number of bytes injected so far is returned.
310 	 * The context is not modified by this call.
311 	 *
312 	 * \param ctx   pointer to (the first field of) the context.
313 	 * \param dst   destination buffer for the state.
314 	 * \return  the injected total byte length.
315 	 */
316 	uint64_t (*state)(const br_hash_class *const *ctx, void *dst);
317 
318 	/**
319 	 * \brief Set running state.
320 	 *
321 	 * This methods replaces the running state for the function.
322 	 *
323 	 * \param ctx     pointer to (the first field of) the context.
324 	 * \param stb     source buffer for the state.
325 	 * \param count   injected total byte length.
326 	 */
327 	void (*set_state)(const br_hash_class **ctx,
328 		const void *stb, uint64_t count);
329 };
330 
331 #ifndef BR_DOXYGEN_IGNORE
332 #define BR_HASHDESC_ID(id)           ((uint32_t)(id) << BR_HASHDESC_ID_OFF)
333 #define BR_HASHDESC_ID_OFF           0
334 #define BR_HASHDESC_ID_MASK          0xFF
335 
336 #define BR_HASHDESC_OUT(size)        ((uint32_t)(size) << BR_HASHDESC_OUT_OFF)
337 #define BR_HASHDESC_OUT_OFF          8
338 #define BR_HASHDESC_OUT_MASK         0x7F
339 
340 #define BR_HASHDESC_STATE(size)      ((uint32_t)(size) << BR_HASHDESC_STATE_OFF)
341 #define BR_HASHDESC_STATE_OFF        15
342 #define BR_HASHDESC_STATE_MASK       0xFF
343 
344 #define BR_HASHDESC_LBLEN(ls)        ((uint32_t)(ls) << BR_HASHDESC_LBLEN_OFF)
345 #define BR_HASHDESC_LBLEN_OFF        23
346 #define BR_HASHDESC_LBLEN_MASK       0x0F
347 
348 #define BR_HASHDESC_MD_PADDING       ((uint32_t)1 << 28)
349 #define BR_HASHDESC_MD_PADDING_128   ((uint32_t)1 << 29)
350 #define BR_HASHDESC_MD_PADDING_BE    ((uint32_t)1 << 30)
351 #endif
352 
353 /*
354  * Specific hash functions.
355  *
356  * Rules for contexts:
357  * -- No interior pointer.
358  * -- No pointer to external dynamically allocated resources.
359  * -- First field is called 'vtable' and is a pointer to a
360  *    const-qualified br_hash_class instance (pointer is set by init()).
361  * -- SHA-224 and SHA-256 contexts are identical.
362  * -- SHA-384 and SHA-512 contexts are identical.
363  *
364  * Thus, contexts can be moved and cloned to capture the hash function
365  * current state; and there is no need for any explicit "release" function.
366  */
367 
368 /**
369  * \brief Symbolic identifier for MD5.
370  */
371 #define br_md5_ID     1
372 
373 /**
374  * \brief MD5 output size (in bytes).
375  */
376 #define br_md5_SIZE   16
377 
378 /**
379  * \brief Constant vtable for MD5.
380  */
381 extern const br_hash_class br_md5_vtable;
382 
383 /**
384  * \brief MD5 context.
385  *
386  * First field is a pointer to the vtable; it is set by the initialisation
387  * function. Other fields are not supposed to be accessed by user code.
388  */
389 typedef struct {
390 	/**
391 	 * \brief Pointer to vtable for this context.
392 	 */
393 	const br_hash_class *vtable;
394 #ifndef BR_DOXYGEN_IGNORE
395 	unsigned char buf[64];
396 	uint64_t count;
397 	uint32_t val[4];
398 #endif
399 } br_md5_context;
400 
401 /**
402  * \brief MD5 context initialisation.
403  *
404  * This function initialises or resets a context for a new MD5
405  * computation. It also sets the vtable pointer.
406  *
407  * \param ctx   pointer to the context structure.
408  */
409 void br_md5_init(br_md5_context *ctx);
410 
411 /**
412  * \brief Inject some data bytes in a running MD5 computation.
413  *
414  * The provided context is updated with some data bytes. If the number
415  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
416  * and may be `NULL`, and this function does nothing.
417  *
418  * \param ctx    pointer to the context structure.
419  * \param data   pointer to the injected data.
420  * \param len    injected data length (in bytes).
421  */
422 void br_md5_update(br_md5_context *ctx, const void *data, size_t len);
423 
424 /**
425  * \brief Compute MD5 output.
426  *
427  * The MD5 output for the concatenation of all bytes injected in the
428  * provided context since the last initialisation or reset call, is
429  * computed and written in the buffer pointed to by `out`. The context
430  * itself is not modified, so extra bytes may be injected afterwards
431  * to continue that computation.
432  *
433  * \param ctx   pointer to the context structure.
434  * \param out   destination buffer for the hash output.
435  */
436 void br_md5_out(const br_md5_context *ctx, void *out);
437 
438 /**
439  * \brief Save MD5 running state.
440  *
441  * The running state for MD5 (output of the last internal block
442  * processing) is written in the buffer pointed to by `out`. The
443  * number of bytes injected since the last initialisation or reset
444  * call is returned. The context is not modified.
445  *
446  * \param ctx   pointer to the context structure.
447  * \param out   destination buffer for the running state.
448  * \return  the injected total byte length.
449  */
450 uint64_t br_md5_state(const br_md5_context *ctx, void *out);
451 
452 /**
453  * \brief Restore MD5 running state.
454  *
455  * The running state for MD5 is set to the provided values.
456  *
457  * \param ctx     pointer to the context structure.
458  * \param stb     source buffer for the running state.
459  * \param count   the injected total byte length.
460  */
461 void br_md5_set_state(br_md5_context *ctx, const void *stb, uint64_t count);
462 
463 /**
464  * \brief Symbolic identifier for SHA-1.
465  */
466 #define br_sha1_ID     2
467 
468 /**
469  * \brief SHA-1 output size (in bytes).
470  */
471 #define br_sha1_SIZE   20
472 
473 /**
474  * \brief Constant vtable for SHA-1.
475  */
476 extern const br_hash_class br_sha1_vtable;
477 
478 /**
479  * \brief SHA-1 context.
480  *
481  * First field is a pointer to the vtable; it is set by the initialisation
482  * function. Other fields are not supposed to be accessed by user code.
483  */
484 typedef struct {
485 	/**
486 	 * \brief Pointer to vtable for this context.
487 	 */
488 	const br_hash_class *vtable;
489 #ifndef BR_DOXYGEN_IGNORE
490 	unsigned char buf[64];
491 	uint64_t count;
492 	uint32_t val[5];
493 #endif
494 } br_sha1_context;
495 
496 /**
497  * \brief SHA-1 context initialisation.
498  *
499  * This function initialises or resets a context for a new SHA-1
500  * computation. It also sets the vtable pointer.
501  *
502  * \param ctx   pointer to the context structure.
503  */
504 void br_sha1_init(br_sha1_context *ctx);
505 
506 /**
507  * \brief Inject some data bytes in a running SHA-1 computation.
508  *
509  * The provided context is updated with some data bytes. If the number
510  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
511  * and may be `NULL`, and this function does nothing.
512  *
513  * \param ctx    pointer to the context structure.
514  * \param data   pointer to the injected data.
515  * \param len    injected data length (in bytes).
516  */
517 void br_sha1_update(br_sha1_context *ctx, const void *data, size_t len);
518 
519 /**
520  * \brief Compute SHA-1 output.
521  *
522  * The SHA-1 output for the concatenation of all bytes injected in the
523  * provided context since the last initialisation or reset call, is
524  * computed and written in the buffer pointed to by `out`. The context
525  * itself is not modified, so extra bytes may be injected afterwards
526  * to continue that computation.
527  *
528  * \param ctx   pointer to the context structure.
529  * \param out   destination buffer for the hash output.
530  */
531 void br_sha1_out(const br_sha1_context *ctx, void *out);
532 
533 /**
534  * \brief Save SHA-1 running state.
535  *
536  * The running state for SHA-1 (output of the last internal block
537  * processing) is written in the buffer pointed to by `out`. The
538  * number of bytes injected since the last initialisation or reset
539  * call is returned. The context is not modified.
540  *
541  * \param ctx   pointer to the context structure.
542  * \param out   destination buffer for the running state.
543  * \return  the injected total byte length.
544  */
545 uint64_t br_sha1_state(const br_sha1_context *ctx, void *out);
546 
547 /**
548  * \brief Restore SHA-1 running state.
549  *
550  * The running state for SHA-1 is set to the provided values.
551  *
552  * \param ctx     pointer to the context structure.
553  * \param stb     source buffer for the running state.
554  * \param count   the injected total byte length.
555  */
556 void br_sha1_set_state(br_sha1_context *ctx, const void *stb, uint64_t count);
557 
558 /**
559  * \brief Symbolic identifier for SHA-224.
560  */
561 #define br_sha224_ID     3
562 
563 /**
564  * \brief SHA-224 output size (in bytes).
565  */
566 #define br_sha224_SIZE   28
567 
568 /**
569  * \brief Constant vtable for SHA-224.
570  */
571 extern const br_hash_class br_sha224_vtable;
572 
573 /**
574  * \brief SHA-224 context.
575  *
576  * First field is a pointer to the vtable; it is set by the initialisation
577  * function. Other fields are not supposed to be accessed by user code.
578  */
579 typedef struct {
580 	/**
581 	 * \brief Pointer to vtable for this context.
582 	 */
583 	const br_hash_class *vtable;
584 #ifndef BR_DOXYGEN_IGNORE
585 	unsigned char buf[64];
586 	uint64_t count;
587 	uint32_t val[8];
588 #endif
589 } br_sha224_context;
590 
591 /**
592  * \brief SHA-224 context initialisation.
593  *
594  * This function initialises or resets a context for a new SHA-224
595  * computation. It also sets the vtable pointer.
596  *
597  * \param ctx   pointer to the context structure.
598  */
599 void br_sha224_init(br_sha224_context *ctx);
600 
601 /**
602  * \brief Inject some data bytes in a running SHA-224 computation.
603  *
604  * The provided context is updated with some data bytes. If the number
605  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
606  * and may be `NULL`, and this function does nothing.
607  *
608  * \param ctx    pointer to the context structure.
609  * \param data   pointer to the injected data.
610  * \param len    injected data length (in bytes).
611  */
612 void br_sha224_update(br_sha224_context *ctx, const void *data, size_t len);
613 
614 /**
615  * \brief Compute SHA-224 output.
616  *
617  * The SHA-224 output for the concatenation of all bytes injected in the
618  * provided context since the last initialisation or reset call, is
619  * computed and written in the buffer pointed to by `out`. The context
620  * itself is not modified, so extra bytes may be injected afterwards
621  * to continue that computation.
622  *
623  * \param ctx   pointer to the context structure.
624  * \param out   destination buffer for the hash output.
625  */
626 void br_sha224_out(const br_sha224_context *ctx, void *out);
627 
628 /**
629  * \brief Save SHA-224 running state.
630  *
631  * The running state for SHA-224 (output of the last internal block
632  * processing) is written in the buffer pointed to by `out`. The
633  * number of bytes injected since the last initialisation or reset
634  * call is returned. The context is not modified.
635  *
636  * \param ctx   pointer to the context structure.
637  * \param out   destination buffer for the running state.
638  * \return  the injected total byte length.
639  */
640 uint64_t br_sha224_state(const br_sha224_context *ctx, void *out);
641 
642 /**
643  * \brief Restore SHA-224 running state.
644  *
645  * The running state for SHA-224 is set to the provided values.
646  *
647  * \param ctx     pointer to the context structure.
648  * \param stb     source buffer for the running state.
649  * \param count   the injected total byte length.
650  */
651 void br_sha224_set_state(br_sha224_context *ctx,
652 	const void *stb, uint64_t count);
653 
654 /**
655  * \brief Symbolic identifier for SHA-256.
656  */
657 #define br_sha256_ID     4
658 
659 /**
660  * \brief SHA-256 output size (in bytes).
661  */
662 #define br_sha256_SIZE   32
663 
664 /**
665  * \brief Constant vtable for SHA-256.
666  */
667 extern const br_hash_class br_sha256_vtable;
668 
669 #ifdef BR_DOXYGEN_IGNORE
670 /**
671  * \brief SHA-256 context.
672  *
673  * First field is a pointer to the vtable; it is set by the initialisation
674  * function. Other fields are not supposed to be accessed by user code.
675  */
676 typedef struct {
677 	/**
678 	 * \brief Pointer to vtable for this context.
679 	 */
680 	const br_hash_class *vtable;
681 } br_sha256_context;
682 #else
683 typedef br_sha224_context br_sha256_context;
684 #endif
685 
686 /**
687  * \brief SHA-256 context initialisation.
688  *
689  * This function initialises or resets a context for a new SHA-256
690  * computation. It also sets the vtable pointer.
691  *
692  * \param ctx   pointer to the context structure.
693  */
694 void br_sha256_init(br_sha256_context *ctx);
695 
696 #ifdef BR_DOXYGEN_IGNORE
697 /**
698  * \brief Inject some data bytes in a running SHA-256 computation.
699  *
700  * The provided context is updated with some data bytes. If the number
701  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
702  * and may be `NULL`, and this function does nothing.
703  *
704  * \param ctx    pointer to the context structure.
705  * \param data   pointer to the injected data.
706  * \param len    injected data length (in bytes).
707  */
708 void br_sha256_update(br_sha256_context *ctx, const void *data, size_t len);
709 #else
710 #define br_sha256_update      br_sha224_update
711 #endif
712 
713 /**
714  * \brief Compute SHA-256 output.
715  *
716  * The SHA-256 output for the concatenation of all bytes injected in the
717  * provided context since the last initialisation or reset call, is
718  * computed and written in the buffer pointed to by `out`. The context
719  * itself is not modified, so extra bytes may be injected afterwards
720  * to continue that computation.
721  *
722  * \param ctx   pointer to the context structure.
723  * \param out   destination buffer for the hash output.
724  */
725 void br_sha256_out(const br_sha256_context *ctx, void *out);
726 
727 #ifdef BR_DOXYGEN_IGNORE
728 /**
729  * \brief Save SHA-256 running state.
730  *
731  * The running state for SHA-256 (output of the last internal block
732  * processing) is written in the buffer pointed to by `out`. The
733  * number of bytes injected since the last initialisation or reset
734  * call is returned. The context is not modified.
735  *
736  * \param ctx   pointer to the context structure.
737  * \param out   destination buffer for the running state.
738  * \return  the injected total byte length.
739  */
740 uint64_t br_sha256_state(const br_sha256_context *ctx, void *out);
741 #else
742 #define br_sha256_state       br_sha224_state
743 #endif
744 
745 #ifdef BR_DOXYGEN_IGNORE
746 /**
747  * \brief Restore SHA-256 running state.
748  *
749  * The running state for SHA-256 is set to the provided values.
750  *
751  * \param ctx     pointer to the context structure.
752  * \param stb     source buffer for the running state.
753  * \param count   the injected total byte length.
754  */
755 void br_sha256_set_state(br_sha256_context *ctx,
756 	const void *stb, uint64_t count);
757 #else
758 #define br_sha256_set_state   br_sha224_set_state
759 #endif
760 
761 /**
762  * \brief Symbolic identifier for SHA-384.
763  */
764 #define br_sha384_ID     5
765 
766 /**
767  * \brief SHA-384 output size (in bytes).
768  */
769 #define br_sha384_SIZE   48
770 
771 /**
772  * \brief Constant vtable for SHA-384.
773  */
774 extern const br_hash_class br_sha384_vtable;
775 
776 /**
777  * \brief SHA-384 context.
778  *
779  * First field is a pointer to the vtable; it is set by the initialisation
780  * function. Other fields are not supposed to be accessed by user code.
781  */
782 typedef struct {
783 	/**
784 	 * \brief Pointer to vtable for this context.
785 	 */
786 	const br_hash_class *vtable;
787 #ifndef BR_DOXYGEN_IGNORE
788 	unsigned char buf[128];
789 	uint64_t count;
790 	uint64_t val[8];
791 #endif
792 } br_sha384_context;
793 
794 /**
795  * \brief SHA-384 context initialisation.
796  *
797  * This function initialises or resets a context for a new SHA-384
798  * computation. It also sets the vtable pointer.
799  *
800  * \param ctx   pointer to the context structure.
801  */
802 void br_sha384_init(br_sha384_context *ctx);
803 
804 /**
805  * \brief Inject some data bytes in a running SHA-384 computation.
806  *
807  * The provided context is updated with some data bytes. If the number
808  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
809  * and may be `NULL`, and this function does nothing.
810  *
811  * \param ctx    pointer to the context structure.
812  * \param data   pointer to the injected data.
813  * \param len    injected data length (in bytes).
814  */
815 void br_sha384_update(br_sha384_context *ctx, const void *data, size_t len);
816 
817 /**
818  * \brief Compute SHA-384 output.
819  *
820  * The SHA-384 output for the concatenation of all bytes injected in the
821  * provided context since the last initialisation or reset call, is
822  * computed and written in the buffer pointed to by `out`. The context
823  * itself is not modified, so extra bytes may be injected afterwards
824  * to continue that computation.
825  *
826  * \param ctx   pointer to the context structure.
827  * \param out   destination buffer for the hash output.
828  */
829 void br_sha384_out(const br_sha384_context *ctx, void *out);
830 
831 /**
832  * \brief Save SHA-384 running state.
833  *
834  * The running state for SHA-384 (output of the last internal block
835  * processing) is written in the buffer pointed to by `out`. The
836  * number of bytes injected since the last initialisation or reset
837  * call is returned. The context is not modified.
838  *
839  * \param ctx   pointer to the context structure.
840  * \param out   destination buffer for the running state.
841  * \return  the injected total byte length.
842  */
843 uint64_t br_sha384_state(const br_sha384_context *ctx, void *out);
844 
845 /**
846  * \brief Restore SHA-384 running state.
847  *
848  * The running state for SHA-384 is set to the provided values.
849  *
850  * \param ctx     pointer to the context structure.
851  * \param stb     source buffer for the running state.
852  * \param count   the injected total byte length.
853  */
854 void br_sha384_set_state(br_sha384_context *ctx,
855 	const void *stb, uint64_t count);
856 
857 /**
858  * \brief Symbolic identifier for SHA-512.
859  */
860 #define br_sha512_ID     6
861 
862 /**
863  * \brief SHA-512 output size (in bytes).
864  */
865 #define br_sha512_SIZE   64
866 
867 /**
868  * \brief Constant vtable for SHA-512.
869  */
870 extern const br_hash_class br_sha512_vtable;
871 
872 #ifdef BR_DOXYGEN_IGNORE
873 /**
874  * \brief SHA-512 context.
875  *
876  * First field is a pointer to the vtable; it is set by the initialisation
877  * function. Other fields are not supposed to be accessed by user code.
878  */
879 typedef struct {
880 	/**
881 	 * \brief Pointer to vtable for this context.
882 	 */
883 	const br_hash_class *vtable;
884 } br_sha512_context;
885 #else
886 typedef br_sha384_context br_sha512_context;
887 #endif
888 
889 /**
890  * \brief SHA-512 context initialisation.
891  *
892  * This function initialises or resets a context for a new SHA-512
893  * computation. It also sets the vtable pointer.
894  *
895  * \param ctx   pointer to the context structure.
896  */
897 void br_sha512_init(br_sha512_context *ctx);
898 
899 #ifdef BR_DOXYGEN_IGNORE
900 /**
901  * \brief Inject some data bytes in a running SHA-512 computation.
902  *
903  * The provided context is updated with some data bytes. If the number
904  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
905  * and may be `NULL`, and this function does nothing.
906  *
907  * \param ctx    pointer to the context structure.
908  * \param data   pointer to the injected data.
909  * \param len    injected data length (in bytes).
910  */
911 void br_sha512_update(br_sha512_context *ctx, const void *data, size_t len);
912 #else
913 #define br_sha512_update   br_sha384_update
914 #endif
915 
916 /**
917  * \brief Compute SHA-512 output.
918  *
919  * The SHA-512 output for the concatenation of all bytes injected in the
920  * provided context since the last initialisation or reset call, is
921  * computed and written in the buffer pointed to by `out`. The context
922  * itself is not modified, so extra bytes may be injected afterwards
923  * to continue that computation.
924  *
925  * \param ctx   pointer to the context structure.
926  * \param out   destination buffer for the hash output.
927  */
928 void br_sha512_out(const br_sha512_context *ctx, void *out);
929 
930 #ifdef BR_DOXYGEN_IGNORE
931 /**
932  * \brief Save SHA-512 running state.
933  *
934  * The running state for SHA-512 (output of the last internal block
935  * processing) is written in the buffer pointed to by `out`. The
936  * number of bytes injected since the last initialisation or reset
937  * call is returned. The context is not modified.
938  *
939  * \param ctx   pointer to the context structure.
940  * \param out   destination buffer for the running state.
941  * \return  the injected total byte length.
942  */
943 uint64_t br_sha512_state(const br_sha512_context *ctx, void *out);
944 #else
945 #define br_sha512_state   br_sha384_state
946 #endif
947 
948 #ifdef BR_DOXYGEN_IGNORE
949 /**
950  * \brief Restore SHA-512 running state.
951  *
952  * The running state for SHA-512 is set to the provided values.
953  *
954  * \param ctx     pointer to the context structure.
955  * \param stb     source buffer for the running state.
956  * \param count   the injected total byte length.
957  */
958 void br_sha512_set_state(br_sha512_context *ctx,
959 	const void *stb, uint64_t count);
960 #else
961 #define br_sha512_set_state   br_sha384_set_state
962 #endif
963 
964 /*
965  * "md5sha1" is a special hash function that computes both MD5 and SHA-1
966  * on the same input, and produces a 36-byte output (MD5 and SHA-1
967  * concatenation, in that order). State size is also 36 bytes.
968  */
969 
970 /**
971  * \brief Symbolic identifier for MD5+SHA-1.
972  *
973  * MD5+SHA-1 is the concatenation of MD5 and SHA-1, computed over the
974  * same input. It is not one of the functions identified in TLS, so
975  * we give it a symbolic identifier of value 0.
976  */
977 #define br_md5sha1_ID     0
978 
979 /**
980  * \brief MD5+SHA-1 output size (in bytes).
981  */
982 #define br_md5sha1_SIZE   36
983 
984 /**
985  * \brief Constant vtable for MD5+SHA-1.
986  */
987 extern const br_hash_class br_md5sha1_vtable;
988 
989 /**
990  * \brief MD5+SHA-1 context.
991  *
992  * First field is a pointer to the vtable; it is set by the initialisation
993  * function. Other fields are not supposed to be accessed by user code.
994  */
995 typedef struct {
996 	/**
997 	 * \brief Pointer to vtable for this context.
998 	 */
999 	const br_hash_class *vtable;
1000 #ifndef BR_DOXYGEN_IGNORE
1001 	unsigned char buf[64];
1002 	uint64_t count;
1003 	uint32_t val_md5[4];
1004 	uint32_t val_sha1[5];
1005 #endif
1006 } br_md5sha1_context;
1007 
1008 /**
1009  * \brief MD5+SHA-1 context initialisation.
1010  *
1011  * This function initialises or resets a context for a new SHA-512
1012  * computation. It also sets the vtable pointer.
1013  *
1014  * \param ctx   pointer to the context structure.
1015  */
1016 void br_md5sha1_init(br_md5sha1_context *ctx);
1017 
1018 /**
1019  * \brief Inject some data bytes in a running MD5+SHA-1 computation.
1020  *
1021  * The provided context is updated with some data bytes. If the number
1022  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
1023  * and may be `NULL`, and this function does nothing.
1024  *
1025  * \param ctx    pointer to the context structure.
1026  * \param data   pointer to the injected data.
1027  * \param len    injected data length (in bytes).
1028  */
1029 void br_md5sha1_update(br_md5sha1_context *ctx, const void *data, size_t len);
1030 
1031 /**
1032  * \brief Compute MD5+SHA-1 output.
1033  *
1034  * The MD5+SHA-1 output for the concatenation of all bytes injected in the
1035  * provided context since the last initialisation or reset call, is
1036  * computed and written in the buffer pointed to by `out`. The context
1037  * itself is not modified, so extra bytes may be injected afterwards
1038  * to continue that computation.
1039  *
1040  * \param ctx   pointer to the context structure.
1041  * \param out   destination buffer for the hash output.
1042  */
1043 void br_md5sha1_out(const br_md5sha1_context *ctx, void *out);
1044 
1045 /**
1046  * \brief Save MD5+SHA-1 running state.
1047  *
1048  * The running state for MD5+SHA-1 (output of the last internal block
1049  * processing) is written in the buffer pointed to by `out`. The
1050  * number of bytes injected since the last initialisation or reset
1051  * call is returned. The context is not modified.
1052  *
1053  * \param ctx   pointer to the context structure.
1054  * \param out   destination buffer for the running state.
1055  * \return  the injected total byte length.
1056  */
1057 uint64_t br_md5sha1_state(const br_md5sha1_context *ctx, void *out);
1058 
1059 /**
1060  * \brief Restore MD5+SHA-1 running state.
1061  *
1062  * The running state for MD5+SHA-1 is set to the provided values.
1063  *
1064  * \param ctx     pointer to the context structure.
1065  * \param stb     source buffer for the running state.
1066  * \param count   the injected total byte length.
1067  */
1068 void br_md5sha1_set_state(br_md5sha1_context *ctx,
1069 	const void *stb, uint64_t count);
1070 
1071 /**
1072  * \brief Aggregate context for configurable hash function support.
1073  *
1074  * The `br_hash_compat_context` type is a type which is large enough to
1075  * serve as context for all standard hash functions defined above.
1076  */
1077 typedef union {
1078 	const br_hash_class *vtable;
1079 	br_md5_context md5;
1080 	br_sha1_context sha1;
1081 	br_sha224_context sha224;
1082 	br_sha256_context sha256;
1083 	br_sha384_context sha384;
1084 	br_sha512_context sha512;
1085 	br_md5sha1_context md5sha1;
1086 } br_hash_compat_context;
1087 
1088 /*
1089  * The multi-hasher is a construct that handles hashing of the same input
1090  * data with several hash functions, with a single shared input buffer.
1091  * It can handle MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512
1092  * simultaneously, though which functions are activated depends on
1093  * the set implementation pointers.
1094  */
1095 
1096 /**
1097  * \brief Multi-hasher context structure.
1098  *
1099  * The multi-hasher runs up to six hash functions in the standard TLS list
1100  * (MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512) in parallel, over
1101  * the same input.
1102  *
1103  * The multi-hasher does _not_ follow the OOP structure with a vtable.
1104  * Instead, it is configured with the vtables of the hash functions it
1105  * should run. Structure fields are not supposed to be accessed directly.
1106  */
1107 typedef struct {
1108 #ifndef BR_DOXYGEN_IGNORE
1109 	unsigned char buf[128];
1110 	uint64_t count;
1111 	uint32_t val_32[25];
1112 	uint64_t val_64[16];
1113 	const br_hash_class *impl[6];
1114 #endif
1115 } br_multihash_context;
1116 
1117 /**
1118  * \brief Clear a multi-hasher context.
1119  *
1120  * This should always be called once on a given context, _before_ setting
1121  * the implementation pointers.
1122  *
1123  * \param ctx   the multi-hasher context.
1124  */
1125 void br_multihash_zero(br_multihash_context *ctx);
1126 
1127 /**
1128  * \brief Set a hash function implementation.
1129  *
1130  * Implementations shall be set _after_ clearing the context (with
1131  * `br_multihash_zero()`) but _before_ initialising the computation
1132  * (with `br_multihash_init()`). The hash function implementation
1133  * MUST be one of the standard hash functions (MD5, SHA-1, SHA-224,
1134  * SHA-256, SHA-384 or SHA-512); it may also be `NULL` to remove
1135  * an implementation from the multi-hasher.
1136  *
1137  * \param ctx    the multi-hasher context.
1138  * \param id     the hash function symbolic identifier.
1139  * \param impl   the hash function vtable, or `NULL`.
1140  */
1141 static inline void
br_multihash_setimpl(br_multihash_context * ctx,int id,const br_hash_class * impl)1142 br_multihash_setimpl(br_multihash_context *ctx,
1143 	int id, const br_hash_class *impl)
1144 {
1145 	/*
1146 	 * This code relies on hash functions ID being values 1 to 6,
1147 	 * in the MD5 to SHA-512 order.
1148 	 */
1149 	ctx->impl[id - 1] = impl;
1150 }
1151 
1152 /**
1153  * \brief Get a hash function implementation.
1154  *
1155  * This function returns the currently configured vtable for a given
1156  * hash function (by symbolic ID). If no such function was configured in
1157  * the provided multi-hasher context, then this function returns `NULL`.
1158  *
1159  * \param ctx    the multi-hasher context.
1160  * \param id     the hash function symbolic identifier.
1161  * \return  the hash function vtable, or `NULL`.
1162  */
1163 static inline const br_hash_class *
br_multihash_getimpl(const br_multihash_context * ctx,int id)1164 br_multihash_getimpl(const br_multihash_context *ctx, int id)
1165 {
1166 	return ctx->impl[id - 1];
1167 }
1168 
1169 /**
1170  * \brief Reset a multi-hasher context.
1171  *
1172  * This function prepares the context for a new hashing computation,
1173  * for all implementations configured at that point.
1174  *
1175  * \param ctx    the multi-hasher context.
1176  */
1177 void br_multihash_init(br_multihash_context *ctx);
1178 
1179 /**
1180  * \brief Inject some data bytes in a running multi-hashing computation.
1181  *
1182  * The provided context is updated with some data bytes. If the number
1183  * of bytes (`len`) is zero, then the data pointer (`data`) is ignored
1184  * and may be `NULL`, and this function does nothing.
1185  *
1186  * \param ctx    pointer to the context structure.
1187  * \param data   pointer to the injected data.
1188  * \param len    injected data length (in bytes).
1189  */
1190 void br_multihash_update(br_multihash_context *ctx,
1191 	const void *data, size_t len);
1192 
1193 /**
1194  * \brief Compute a hash output from a multi-hasher.
1195  *
1196  * The hash output for the concatenation of all bytes injected in the
1197  * provided context since the last initialisation or reset call, is
1198  * computed and written in the buffer pointed to by `dst`. The hash
1199  * function to use is identified by `id` and must be one of the standard
1200  * hash functions. If that hash function was indeed configured in the
1201  * multi-hasher context, the corresponding hash value is written in
1202  * `dst` and its length (in bytes) is returned. If the hash function
1203  * was _not_ configured, then nothing is written in `dst` and 0 is
1204  * returned.
1205  *
1206  * The context itself is not modified, so extra bytes may be injected
1207  * afterwards to continue the hash computations.
1208  *
1209  * \param ctx   pointer to the context structure.
1210  * \param id    the hash function symbolic identifier.
1211  * \param dst   destination buffer for the hash output.
1212  * \return  the hash output length (in bytes), or 0.
1213  */
1214 size_t br_multihash_out(const br_multihash_context *ctx, int id, void *dst);
1215 
1216 /**
1217  * \brief Type for a GHASH implementation.
1218  *
1219  * GHASH is a sort of keyed hash meant to be used to implement GCM in
1220  * combination with a block cipher (with 16-byte blocks).
1221  *
1222  * The `y` array has length 16 bytes and is used for input and output; in
1223  * a complete GHASH run, it starts with an all-zero value. `h` is a 16-byte
1224  * value that serves as key (it is derived from the encryption key in GCM,
1225  * using the block cipher). The data length (`len`) is expressed in bytes.
1226  * The `y` array is updated.
1227  *
1228  * If the data length is not a multiple of 16, then the data is implicitly
1229  * padded with zeros up to the next multiple of 16. Thus, when using GHASH
1230  * in GCM, this method may be called twice, for the associated data and
1231  * for the ciphertext, respectively; the zero-padding implements exactly
1232  * the GCM rules.
1233  *
1234  * \param y      the array to update.
1235  * \param h      the GHASH key.
1236  * \param data   the input data (may be `NULL` if `len` is zero).
1237  * \param len    the input data length (in bytes).
1238  */
1239 typedef void (*br_ghash)(void *y, const void *h, const void *data, size_t len);
1240 
1241 /**
1242  * \brief GHASH implementation using multiplications (mixed 32-bit).
1243  *
1244  * This implementation uses multiplications of 32-bit values, with a
1245  * 64-bit result. It is constant-time (if multiplications are
1246  * constant-time).
1247  *
1248  * \param y      the array to update.
1249  * \param h      the GHASH key.
1250  * \param data   the input data (may be `NULL` if `len` is zero).
1251  * \param len    the input data length (in bytes).
1252  */
1253 void br_ghash_ctmul(void *y, const void *h, const void *data, size_t len);
1254 
1255 /**
1256  * \brief GHASH implementation using multiplications (strict 32-bit).
1257  *
1258  * This implementation uses multiplications of 32-bit values, with a
1259  * 32-bit result. It is usually somewhat slower than `br_ghash_ctmul()`,
1260  * but it is expected to be faster on architectures for which the
1261  * 32-bit multiplication opcode does not yield the upper 32 bits of the
1262  * product. It is constant-time (if multiplications are constant-time).
1263  *
1264  * \param y      the array to update.
1265  * \param h      the GHASH key.
1266  * \param data   the input data (may be `NULL` if `len` is zero).
1267  * \param len    the input data length (in bytes).
1268  */
1269 void br_ghash_ctmul32(void *y, const void *h, const void *data, size_t len);
1270 
1271 /**
1272  * \brief GHASH implementation using multiplications (64-bit).
1273  *
1274  * This implementation uses multiplications of 64-bit values, with a
1275  * 64-bit result. It is constant-time (if multiplications are
1276  * constant-time). It is substantially faster than `br_ghash_ctmul()`
1277  * and `br_ghash_ctmul32()` on most 64-bit architectures.
1278  *
1279  * \param y      the array to update.
1280  * \param h      the GHASH key.
1281  * \param data   the input data (may be `NULL` if `len` is zero).
1282  * \param len    the input data length (in bytes).
1283  */
1284 void br_ghash_ctmul64(void *y, const void *h, const void *data, size_t len);
1285 
1286 /**
1287  * \brief GHASH implementation using the `pclmulqdq` opcode (part of the
1288  * AES-NI instructions).
1289  *
1290  * This implementation is available only on x86 platforms where the
1291  * compiler supports the relevant intrinsic functions. Even if the
1292  * compiler supports these functions, the local CPU might not support
1293  * the `pclmulqdq` opcode, meaning that a call will fail with an
1294  * illegal instruction exception. To safely obtain a pointer to this
1295  * function when supported (or 0 otherwise), use `br_ghash_pclmul_get()`.
1296  *
1297  * \param y      the array to update.
1298  * \param h      the GHASH key.
1299  * \param data   the input data (may be `NULL` if `len` is zero).
1300  * \param len    the input data length (in bytes).
1301  */
1302 void br_ghash_pclmul(void *y, const void *h, const void *data, size_t len);
1303 
1304 /**
1305  * \brief Obtain the `pclmul` GHASH implementation, if available.
1306  *
1307  * If the `pclmul` implementation was compiled in the library (depending
1308  * on the compiler abilities) _and_ the local CPU appears to support the
1309  * opcode, then this function will return a pointer to the
1310  * `br_ghash_pclmul()` function. Otherwise, it will return `0`.
1311  *
1312  * \return  the `pclmul` GHASH implementation, or `0`.
1313  */
1314 br_ghash br_ghash_pclmul_get(void);
1315 
1316 /**
1317  * \brief GHASH implementation using the POWER8 opcodes.
1318  *
1319  * This implementation is available only on POWER8 platforms (and later).
1320  * To safely obtain a pointer to this function when supported (or 0
1321  * otherwise), use `br_ghash_pwr8_get()`.
1322  *
1323  * \param y      the array to update.
1324  * \param h      the GHASH key.
1325  * \param data   the input data (may be `NULL` if `len` is zero).
1326  * \param len    the input data length (in bytes).
1327  */
1328 void br_ghash_pwr8(void *y, const void *h, const void *data, size_t len);
1329 
1330 /**
1331  * \brief Obtain the `pwr8` GHASH implementation, if available.
1332  *
1333  * If the `pwr8` implementation was compiled in the library (depending
1334  * on the compiler abilities) _and_ the local CPU appears to support the
1335  * opcode, then this function will return a pointer to the
1336  * `br_ghash_pwr8()` function. Otherwise, it will return `0`.
1337  *
1338  * \return  the `pwr8` GHASH implementation, or `0`.
1339  */
1340 br_ghash br_ghash_pwr8_get(void);
1341 
1342 #ifdef __cplusplus
1343 }
1344 #endif
1345 
1346 #endif
1347