xref: /freebsd/contrib/bearssl/inc/bearssl_block.h (revision 2008043f386721d58158e37e0d7e50df8095942d)
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #ifndef BR_BEARSSL_BLOCK_H__
26 #define BR_BEARSSL_BLOCK_H__
27 
28 #include <stddef.h>
29 #include <stdint.h>
30 
31 #ifdef __cplusplus
32 extern "C" {
33 #endif
34 
35 /** \file bearssl_block.h
36  *
37  * # Block Ciphers and Symmetric Ciphers
38  *
39  * This file documents the API for block ciphers and other symmetric
40  * ciphers.
41  *
42  *
43  * ## Procedural API
44  *
45  * For a block cipher implementation, up to three separate sets of
46  * functions are provided, for CBC encryption, CBC decryption, and CTR
47  * encryption/decryption. Each set has its own context structure,
48  * initialised with the encryption key.
49  *
50  * For CBC encryption and decryption, the data to encrypt or decrypt is
51  * referenced as a sequence of blocks. The implementations assume that
52  * there is no partial block; no padding is applied or removed. The
53  * caller is responsible for handling any kind of padding.
54  *
55  * Function for CTR encryption are defined only for block ciphers with
56  * blocks of 16 bytes or more (i.e. AES, but not DES/3DES).
57  *
58  * Each implemented block cipher is identified by an "internal name"
59  * from which are derived the names of structures and functions that
60  * implement the cipher. For the block cipher of internal name "`xxx`",
61  * the following are defined:
62  *
63  *   - `br_xxx_BLOCK_SIZE`
64  *
65  *     A macro that evaluates to the block size (in bytes) of the
66  *     cipher. For all implemented block ciphers, this value is a
67  *     power of two.
68  *
69  *   - `br_xxx_cbcenc_keys`
70  *
71  *     Context structure that contains the subkeys resulting from the key
72  *     expansion. These subkeys are appropriate for CBC encryption. The
73  *     structure first field is called `vtable` and points to the
74  *     appropriate OOP structure.
75  *
76  *   - `br_xxx_cbcenc_init(br_xxx_cbcenc_keys *ctx, const void *key, size_t len)`
77  *
78  *     Perform key expansion: subkeys for CBC encryption are computed and
79  *     written in the provided context structure. The key length MUST be
80  *     adequate for the implemented block cipher. This function also sets
81  *     the `vtable` field.
82  *
83  *   - `br_xxx_cbcenc_run(const br_xxx_cbcenc_keys *ctx, void *iv, void *data, size_t len)`
84  *
85  *     Perform CBC encryption of `len` bytes, in place. The encrypted data
86  *     replaces the cleartext. `len` MUST be a multiple of the block length
87  *     (if it is not, the function may loop forever or overflow a buffer).
88  *     The IV is provided with the `iv` pointer; it is also updated with
89  *     a copy of the last encrypted block.
90  *
91  *   - `br_xxx_cbcdec_keys`
92  *
93  *     Context structure that contains the subkeys resulting from the key
94  *     expansion. These subkeys are appropriate for CBC decryption. The
95  *     structure first field is called `vtable` and points to the
96  *     appropriate OOP structure.
97  *
98  *   - `br_xxx_cbcdec_init(br_xxx_cbcenc_keys *ctx, const void *key, size_t len)`
99  *
100  *     Perform key expansion: subkeys for CBC decryption are computed and
101  *     written in the provided context structure. The key length MUST be
102  *     adequate for the implemented block cipher. This function also sets
103  *     the `vtable` field.
104  *
105  *   - `br_xxx_cbcdec_run(const br_xxx_cbcdec_keys *ctx, void *iv, void *data, size_t num_blocks)`
106  *
107  *     Perform CBC decryption of `len` bytes, in place. The decrypted data
108  *     replaces the ciphertext. `len` MUST be a multiple of the block length
109  *     (if it is not, the function may loop forever or overflow a buffer).
110  *     The IV is provided with the `iv` pointer; it is also updated with
111  *     a copy of the last _encrypted_ block.
112  *
113  *   - `br_xxx_ctr_keys`
114  *
115  *     Context structure that contains the subkeys resulting from the key
116  *     expansion. These subkeys are appropriate for CTR encryption and
117  *     decryption. The structure first field is called `vtable` and
118  *     points to the appropriate OOP structure.
119  *
120  *   - `br_xxx_ctr_init(br_xxx_ctr_keys *ctx, const void *key, size_t len)`
121  *
122  *     Perform key expansion: subkeys for CTR encryption and decryption
123  *     are computed and written in the provided context structure. The
124  *     key length MUST be adequate for the implemented block cipher. This
125  *     function also sets the `vtable` field.
126  *
127  *   - `br_xxx_ctr_run(const br_xxx_ctr_keys *ctx, const void *iv, uint32_t cc, void *data, size_t len)` (returns `uint32_t`)
128  *
129  *     Perform CTR encryption/decryption of some data. Processing is done
130  *     "in place" (the output data replaces the input data). This function
131  *     implements the "standard incrementing function" from NIST SP800-38A,
132  *     annex B: the IV length shall be 4 bytes less than the block size
133  *     (i.e. 12 bytes for AES) and the counter is the 32-bit value starting
134  *     with `cc`. The data length (`len`) is not necessarily a multiple of
135  *     the block size. The new counter value is returned, which supports
136  *     chunked processing, provided that each chunk length (except possibly
137  *     the last one) is a multiple of the block size.
138  *
139  *   - `br_xxx_ctrcbc_keys`
140  *
141  *     Context structure that contains the subkeys resulting from the
142  *     key expansion. These subkeys are appropriate for doing combined
143  *     CTR encryption/decryption and CBC-MAC, as used in the CCM and EAX
144  *     authenticated encryption modes. The structure first field is
145  *     called `vtable` and points to the appropriate OOP structure.
146  *
147  *   - `br_xxx_ctrcbc_init(br_xxx_ctr_keys *ctx, const void *key, size_t len)`
148  *
149  *     Perform key expansion: subkeys for combined CTR
150  *     encryption/decryption and CBC-MAC are computed and written in the
151  *     provided context structure. The key length MUST be adequate for
152  *     the implemented block cipher. This function also sets the
153  *     `vtable` field.
154  *
155  *   - `br_xxx_ctrcbc_encrypt(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *cbcmac, void *data, size_t len)`
156  *
157  *     Perform CTR encryption of some data, and CBC-MAC. Processing is
158  *     done "in place" (the output data replaces the input data). This
159  *     function applies CTR encryption on the data, using a full
160  *     block-size counter (i.e. for 128-bit blocks, the counter is
161  *     incremented as a 128-bit value). The 'ctr' array contains the
162  *     initial value for the counter (used in the first block) and it is
163  *     updated with the new value after data processing. The 'cbcmac'
164  *     value shall point to a block-sized value which is used as IV for
165  *     CBC-MAC, computed over the encrypted data (output of CTR
166  *     encryption); the resulting CBC-MAC is written over 'cbcmac' on
167  *     output.
168  *
169  *     The data length MUST be a multiple of the block size.
170  *
171  *   - `br_xxx_ctrcbc_decrypt(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *cbcmac, void *data, size_t len)`
172  *
173  *     Perform CTR decryption of some data, and CBC-MAC. Processing is
174  *     done "in place" (the output data replaces the input data). This
175  *     function applies CTR decryption on the data, using a full
176  *     block-size counter (i.e. for 128-bit blocks, the counter is
177  *     incremented as a 128-bit value). The 'ctr' array contains the
178  *     initial value for the counter (used in the first block) and it is
179  *     updated with the new value after data processing. The 'cbcmac'
180  *     value shall point to a block-sized value which is used as IV for
181  *     CBC-MAC, computed over the encrypted data (input of CTR
182  *     encryption); the resulting CBC-MAC is written over 'cbcmac' on
183  *     output.
184  *
185  *     The data length MUST be a multiple of the block size.
186  *
187  *   - `br_xxx_ctrcbc_ctr(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *data, size_t len)`
188  *
189  *     Perform CTR encryption or decryption of the provided data. The
190  *     data is processed "in place" (the output data replaces the input
191  *     data). A full block-sized counter is applied (i.e. for 128-bit
192  *     blocks, the counter is incremented as a 128-bit value). The 'ctr'
193  *     array contains the initial value for the counter (used in the
194  *     first block), and it is updated with the new value after data
195  *     processing.
196  *
197  *     The data length MUST be a multiple of the block size.
198  *
199  *   - `br_xxx_ctrcbc_mac(const br_xxx_ctrcbc_keys *ctx, void *cbcmac, const void *data, size_t len)`
200  *
201  *     Compute CBC-MAC over the provided data. The IV for CBC-MAC is
202  *     provided as 'cbcmac'; the output is written over the same array.
203  *     The data itself is untouched. The data length MUST be a multiple
204  *     of the block size.
205  *
206  *
207  * It shall be noted that the key expansion functions return `void`. If
208  * the provided key length is not allowed, then there will be no error
209  * reporting; implementations need not validate the key length, thus an
210  * invalid key length may result in undefined behaviour (e.g. buffer
211  * overflow).
212  *
213  * Subkey structures contain no interior pointer, and no external
214  * resources are allocated upon key expansion. They can thus be
215  * discarded without any explicit deallocation.
216  *
217  *
218  * ## Object-Oriented API
219  *
220  * Each context structure begins with a field (called `vtable`) that
221  * points to an instance of a structure that references the relevant
222  * functions through pointers. Each such structure contains the
223  * following:
224  *
225  *   - `context_size`
226  *
227  *     The size (in bytes) of the context structure for subkeys.
228  *
229  *   - `block_size`
230  *
231  *     The cipher block size (in bytes).
232  *
233  *   - `log_block_size`
234  *
235  *     The base-2 logarithm of cipher block size (e.g. 4 for blocks
236  *     of 16 bytes).
237  *
238  *   - `init`
239  *
240  *     Pointer to the key expansion function.
241  *
242  *   - `run`
243  *
244  *     Pointer to the encryption/decryption function.
245  *
246  * For combined CTR/CBC-MAC encryption, the `vtable` has a slightly
247  * different structure:
248  *
249  *   - `context_size`
250  *
251  *     The size (in bytes) of the context structure for subkeys.
252  *
253  *   - `block_size`
254  *
255  *     The cipher block size (in bytes).
256  *
257  *   - `log_block_size`
258  *
259  *     The base-2 logarithm of cipher block size (e.g. 4 for blocks
260  *     of 16 bytes).
261  *
262  *   - `init`
263  *
264  *     Pointer to the key expansion function.
265  *
266  *   - `encrypt`
267  *
268  *     Pointer to the CTR encryption + CBC-MAC function.
269  *
270  *   - `decrypt`
271  *
272  *     Pointer to the CTR decryption + CBC-MAC function.
273  *
274  *   - `ctr`
275  *
276  *     Pointer to the CTR encryption/decryption function.
277  *
278  *   - `mac`
279  *
280  *     Pointer to the CBC-MAC function.
281  *
282  * For block cipher "`xxx`", static, constant instances of these
283  * structures are defined, under the names:
284  *
285  *   - `br_xxx_cbcenc_vtable`
286  *   - `br_xxx_cbcdec_vtable`
287  *   - `br_xxx_ctr_vtable`
288  *   - `br_xxx_ctrcbc_vtable`
289  *
290  *
291  * ## Implemented Block Ciphers
292  *
293  * Provided implementations are:
294  *
295  * | Name      | Function | Block Size (bytes) | Key lengths (bytes) |
296  * | :-------- | :------- | :----------------: | :-----------------: |
297  * | aes_big   | AES      |        16          | 16, 24 and 32       |
298  * | aes_small | AES      |        16          | 16, 24 and 32       |
299  * | aes_ct    | AES      |        16          | 16, 24 and 32       |
300  * | aes_ct64  | AES      |        16          | 16, 24 and 32       |
301  * | aes_x86ni | AES      |        16          | 16, 24 and 32       |
302  * | aes_pwr8  | AES      |        16          | 16, 24 and 32       |
303  * | des_ct    | DES/3DES |         8          | 8, 16 and 24        |
304  * | des_tab   | DES/3DES |         8          | 8, 16 and 24        |
305  *
306  * **Note:** DES/3DES nominally uses keys of 64, 128 and 192 bits (i.e. 8,
307  * 16 and 24 bytes), but some of the bits are ignored by the algorithm, so
308  * the _effective_ key lengths, from a security point of view, are 56,
309  * 112 and 168 bits, respectively.
310  *
311  * `aes_big` is a "classical" AES implementation, using tables. It
312  * is fast but not constant-time, since it makes data-dependent array
313  * accesses.
314  *
315  * `aes_small` is an AES implementation optimized for code size. It
316  * is substantially slower than `aes_big`; it is not constant-time
317  * either.
318  *
319  * `aes_ct` is a constant-time implementation of AES; its code is about
320  * as big as that of `aes_big`, while its performance is comparable to
321  * that of `aes_small`. However, it is constant-time. This
322  * implementation should thus be considered to be the "default" AES in
323  * BearSSL, to be used unless the operational context guarantees that a
324  * non-constant-time implementation is safe, or an architecture-specific
325  * constant-time implementation can be used (e.g. using dedicated
326  * hardware opcodes).
327  *
328  * `aes_ct64` is another constant-time implementation of AES. It is
329  * similar to `aes_ct` but uses 64-bit values. On 32-bit machines,
330  * `aes_ct64` is not faster than `aes_ct`, often a bit slower, and has
331  * a larger footprint; however, on 64-bit architectures, `aes_ct64`
332  * is typically twice faster than `aes_ct` for modes that allow parallel
333  * operations (i.e. CTR, and CBC decryption, but not CBC encryption).
334  *
335  * `aes_x86ni` exists only on x86 architectures (32-bit and 64-bit). It
336  * uses the AES-NI opcodes when available.
337  *
338  * `aes_pwr8` exists only on PowerPC / POWER architectures (32-bit and
339  * 64-bit, both little-endian and big-endian). It uses the AES opcodes
340  * present in POWER8 and later.
341  *
342  * `des_tab` is a classic, table-based implementation of DES/3DES. It
343  * is not constant-time.
344  *
345  * `des_ct` is an constant-time implementation of DES/3DES. It is
346  * substantially slower than `des_tab`.
347  *
348  * ## ChaCha20 and Poly1305
349  *
350  * ChaCha20 is a stream cipher. Poly1305 is a MAC algorithm. They
351  * are described in [RFC 7539](https://tools.ietf.org/html/rfc7539).
352  *
353  * Two function pointer types are defined:
354  *
355  *   - `br_chacha20_run` describes a function that implements ChaCha20
356  *     only.
357  *
358  *   - `br_poly1305_run` describes an implementation of Poly1305,
359  *     in the AEAD combination with ChaCha20 specified in RFC 7539
360  *     (the ChaCha20 implementation is provided as a function pointer).
361  *
362  * `chacha20_ct` is a straightforward implementation of ChaCha20 in
363  * plain C; it is constant-time, small, and reasonably fast.
364  *
365  * `chacha20_sse2` leverages SSE2 opcodes (on x86 architectures that
366  * support these opcodes). It is faster than `chacha20_ct`.
367  *
368  * `poly1305_ctmul` is an implementation of the ChaCha20+Poly1305 AEAD
369  * construction, where the Poly1305 part is performed with mixed 32-bit
370  * multiplications (operands are 32-bit, result is 64-bit).
371  *
372  * `poly1305_ctmul32` implements ChaCha20+Poly1305 using pure 32-bit
373  * multiplications (32-bit operands, 32-bit result). It is slower than
374  * `poly1305_ctmul`, except on some specific architectures such as
375  * the ARM Cortex M0+.
376  *
377  * `poly1305_ctmulq` implements ChaCha20+Poly1305 with mixed 64-bit
378  * multiplications (operands are 64-bit, result is 128-bit) on 64-bit
379  * platforms that support such operations.
380  *
381  * `poly1305_i15` implements ChaCha20+Poly1305 with the generic "i15"
382  * big integer implementation. It is meant mostly for testing purposes,
383  * although it can help with saving a few hundred bytes of code footprint
384  * on systems where code size is scarce.
385  */
386 
387 /**
388  * \brief Class type for CBC encryption implementations.
389  *
390  * A `br_block_cbcenc_class` instance points to the functions implementing
391  * a specific block cipher, when used in CBC mode for encrypting data.
392  */
393 typedef struct br_block_cbcenc_class_ br_block_cbcenc_class;
394 struct br_block_cbcenc_class_ {
395 	/**
396 	 * \brief Size (in bytes) of the context structure appropriate
397 	 * for containing subkeys.
398 	 */
399 	size_t context_size;
400 
401 	/**
402 	 * \brief Size of individual blocks (in bytes).
403 	 */
404 	unsigned block_size;
405 
406 	/**
407 	 * \brief Base-2 logarithm of the size of individual blocks,
408 	 * expressed in bytes.
409 	 */
410 	unsigned log_block_size;
411 
412 	/**
413 	 * \brief Initialisation function.
414 	 *
415 	 * This function sets the `vtable` field in the context structure.
416 	 * The key length MUST be one of the key lengths supported by
417 	 * the implementation.
418 	 *
419 	 * \param ctx       context structure to initialise.
420 	 * \param key       secret key.
421 	 * \param key_len   key length (in bytes).
422 	 */
423 	void (*init)(const br_block_cbcenc_class **ctx,
424 		const void *key, size_t key_len);
425 
426 	/**
427 	 * \brief Run the CBC encryption.
428 	 *
429 	 * The `iv` parameter points to the IV for this run; it is
430 	 * updated with a copy of the last encrypted block. The data
431 	 * is encrypted "in place"; its length (`len`) MUST be a
432 	 * multiple of the block size.
433 	 *
434 	 * \param ctx    context structure (already initialised).
435 	 * \param iv     IV for CBC encryption (updated).
436 	 * \param data   data to encrypt.
437 	 * \param len    data length (in bytes, multiple of block size).
438 	 */
439 	void (*run)(const br_block_cbcenc_class *const *ctx,
440 		void *iv, void *data, size_t len);
441 };
442 
443 /**
444  * \brief Class type for CBC decryption implementations.
445  *
446  * A `br_block_cbcdec_class` instance points to the functions implementing
447  * a specific block cipher, when used in CBC mode for decrypting data.
448  */
449 typedef struct br_block_cbcdec_class_ br_block_cbcdec_class;
450 struct br_block_cbcdec_class_ {
451 	/**
452 	 * \brief Size (in bytes) of the context structure appropriate
453 	 * for containing subkeys.
454 	 */
455 	size_t context_size;
456 
457 	/**
458 	 * \brief Size of individual blocks (in bytes).
459 	 */
460 	unsigned block_size;
461 
462 	/**
463 	 * \brief Base-2 logarithm of the size of individual blocks,
464 	 * expressed in bytes.
465 	 */
466 	unsigned log_block_size;
467 
468 	/**
469 	 * \brief Initialisation function.
470 	 *
471 	 * This function sets the `vtable` field in the context structure.
472 	 * The key length MUST be one of the key lengths supported by
473 	 * the implementation.
474 	 *
475 	 * \param ctx       context structure to initialise.
476 	 * \param key       secret key.
477 	 * \param key_len   key length (in bytes).
478 	 */
479 	void (*init)(const br_block_cbcdec_class **ctx,
480 		const void *key, size_t key_len);
481 
482 	/**
483 	 * \brief Run the CBC decryption.
484 	 *
485 	 * The `iv` parameter points to the IV for this run; it is
486 	 * updated with a copy of the last encrypted block. The data
487 	 * is decrypted "in place"; its length (`len`) MUST be a
488 	 * multiple of the block size.
489 	 *
490 	 * \param ctx    context structure (already initialised).
491 	 * \param iv     IV for CBC decryption (updated).
492 	 * \param data   data to decrypt.
493 	 * \param len    data length (in bytes, multiple of block size).
494 	 */
495 	void (*run)(const br_block_cbcdec_class *const *ctx,
496 		void *iv, void *data, size_t len);
497 };
498 
499 /**
500  * \brief Class type for CTR encryption/decryption implementations.
501  *
502  * A `br_block_ctr_class` instance points to the functions implementing
503  * a specific block cipher, when used in CTR mode for encrypting or
504  * decrypting data.
505  */
506 typedef struct br_block_ctr_class_ br_block_ctr_class;
507 struct br_block_ctr_class_ {
508 	/**
509 	 * \brief Size (in bytes) of the context structure appropriate
510 	 * for containing subkeys.
511 	 */
512 	size_t context_size;
513 
514 	/**
515 	 * \brief Size of individual blocks (in bytes).
516 	 */
517 	unsigned block_size;
518 
519 	/**
520 	 * \brief Base-2 logarithm of the size of individual blocks,
521 	 * expressed in bytes.
522 	 */
523 	unsigned log_block_size;
524 
525 	/**
526 	 * \brief Initialisation function.
527 	 *
528 	 * This function sets the `vtable` field in the context structure.
529 	 * The key length MUST be one of the key lengths supported by
530 	 * the implementation.
531 	 *
532 	 * \param ctx       context structure to initialise.
533 	 * \param key       secret key.
534 	 * \param key_len   key length (in bytes).
535 	 */
536 	void (*init)(const br_block_ctr_class **ctx,
537 		const void *key, size_t key_len);
538 
539 	/**
540 	 * \brief Run the CTR encryption or decryption.
541 	 *
542 	 * The `iv` parameter points to the IV for this run; its
543 	 * length is exactly 4 bytes less than the block size (e.g.
544 	 * 12 bytes for AES/CTR). The IV is combined with a 32-bit
545 	 * block counter to produce the block value which is processed
546 	 * with the block cipher.
547 	 *
548 	 * The data to encrypt or decrypt is updated "in place". Its
549 	 * length (`len` bytes) is not required to be a multiple of
550 	 * the block size; if the final block is partial, then the
551 	 * corresponding key stream bits are dropped.
552 	 *
553 	 * The resulting counter value is returned.
554 	 *
555 	 * \param ctx    context structure (already initialised).
556 	 * \param iv     IV for CTR encryption/decryption.
557 	 * \param cc     initial value for the block counter.
558 	 * \param data   data to encrypt or decrypt.
559 	 * \param len    data length (in bytes).
560 	 * \return  the new block counter value.
561 	 */
562 	uint32_t (*run)(const br_block_ctr_class *const *ctx,
563 		const void *iv, uint32_t cc, void *data, size_t len);
564 };
565 
566 /**
567  * \brief Class type for combined CTR and CBC-MAC implementations.
568  *
569  * A `br_block_ctrcbc_class` instance points to the functions implementing
570  * a specific block cipher, when used in CTR mode for encrypting or
571  * decrypting data, along with CBC-MAC.
572  */
573 typedef struct br_block_ctrcbc_class_ br_block_ctrcbc_class;
574 struct br_block_ctrcbc_class_ {
575 	/**
576 	 * \brief Size (in bytes) of the context structure appropriate
577 	 * for containing subkeys.
578 	 */
579 	size_t context_size;
580 
581 	/**
582 	 * \brief Size of individual blocks (in bytes).
583 	 */
584 	unsigned block_size;
585 
586 	/**
587 	 * \brief Base-2 logarithm of the size of individual blocks,
588 	 * expressed in bytes.
589 	 */
590 	unsigned log_block_size;
591 
592 	/**
593 	 * \brief Initialisation function.
594 	 *
595 	 * This function sets the `vtable` field in the context structure.
596 	 * The key length MUST be one of the key lengths supported by
597 	 * the implementation.
598 	 *
599 	 * \param ctx       context structure to initialise.
600 	 * \param key       secret key.
601 	 * \param key_len   key length (in bytes).
602 	 */
603 	void (*init)(const br_block_ctrcbc_class **ctx,
604 		const void *key, size_t key_len);
605 
606 	/**
607 	 * \brief Run the CTR encryption + CBC-MAC.
608 	 *
609 	 * The `ctr` parameter points to the counter; its length shall
610 	 * be equal to the block size. It is updated by this function
611 	 * as encryption proceeds.
612 	 *
613 	 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC
614 	 * is computed over the encrypted data (output of CTR
615 	 * encryption). Its length shall be equal to the block size. The
616 	 * computed CBC-MAC value is written over the `cbcmac` array.
617 	 *
618 	 * The data to encrypt is updated "in place". Its length (`len`
619 	 * bytes) MUST be a multiple of the block size.
620 	 *
621 	 * \param ctx      context structure (already initialised).
622 	 * \param ctr      counter for CTR encryption (initial and final).
623 	 * \param cbcmac   IV and output buffer for CBC-MAC.
624 	 * \param data     data to encrypt.
625 	 * \param len      data length (in bytes).
626 	 */
627 	void (*encrypt)(const br_block_ctrcbc_class *const *ctx,
628 		void *ctr, void *cbcmac, void *data, size_t len);
629 
630 	/**
631 	 * \brief Run the CTR decryption + CBC-MAC.
632 	 *
633 	 * The `ctr` parameter points to the counter; its length shall
634 	 * be equal to the block size. It is updated by this function
635 	 * as decryption proceeds.
636 	 *
637 	 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC
638 	 * is computed over the encrypted data (i.e. before CTR
639 	 * decryption). Its length shall be equal to the block size. The
640 	 * computed CBC-MAC value is written over the `cbcmac` array.
641 	 *
642 	 * The data to decrypt is updated "in place". Its length (`len`
643 	 * bytes) MUST be a multiple of the block size.
644 	 *
645 	 * \param ctx      context structure (already initialised).
646 	 * \param ctr      counter for CTR encryption (initial and final).
647 	 * \param cbcmac   IV and output buffer for CBC-MAC.
648 	 * \param data     data to decrypt.
649 	 * \param len      data length (in bytes).
650 	 */
651 	void (*decrypt)(const br_block_ctrcbc_class *const *ctx,
652 		void *ctr, void *cbcmac, void *data, size_t len);
653 
654 	/**
655 	 * \brief Run the CTR encryption/decryption only.
656 	 *
657 	 * The `ctr` parameter points to the counter; its length shall
658 	 * be equal to the block size. It is updated by this function
659 	 * as decryption proceeds.
660 	 *
661 	 * The data to decrypt is updated "in place". Its length (`len`
662 	 * bytes) MUST be a multiple of the block size.
663 	 *
664 	 * \param ctx      context structure (already initialised).
665 	 * \param ctr      counter for CTR encryption (initial and final).
666 	 * \param data     data to decrypt.
667 	 * \param len      data length (in bytes).
668 	 */
669 	void (*ctr)(const br_block_ctrcbc_class *const *ctx,
670 		void *ctr, void *data, size_t len);
671 
672 	/**
673 	 * \brief Run the CBC-MAC only.
674 	 *
675 	 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC
676 	 * is computed over the encrypted data (i.e. before CTR
677 	 * decryption). Its length shall be equal to the block size. The
678 	 * computed CBC-MAC value is written over the `cbcmac` array.
679 	 *
680 	 * The data is unmodified. Its length (`len` bytes) MUST be a
681 	 * multiple of the block size.
682 	 *
683 	 * \param ctx      context structure (already initialised).
684 	 * \param cbcmac   IV and output buffer for CBC-MAC.
685 	 * \param data     data to decrypt.
686 	 * \param len      data length (in bytes).
687 	 */
688 	void (*mac)(const br_block_ctrcbc_class *const *ctx,
689 		void *cbcmac, const void *data, size_t len);
690 };
691 
692 /*
693  * Traditional, table-based AES implementation. It is fast, but uses
694  * internal tables (in particular a 1 kB table for encryption, another
695  * 1 kB table for decryption, and a 256-byte table for key schedule),
696  * and it is not constant-time. In contexts where cache-timing attacks
697  * apply, this implementation may leak the secret key.
698  */
699 
700 /** \brief AES block size (16 bytes). */
701 #define br_aes_big_BLOCK_SIZE   16
702 
703 /**
704  * \brief Context for AES subkeys (`aes_big` implementation, CBC encryption).
705  *
706  * First field is a pointer to the vtable; it is set by the initialisation
707  * function. Other fields are not supposed to be accessed by user code.
708  */
709 typedef struct {
710 	/** \brief Pointer to vtable for this context. */
711 	const br_block_cbcenc_class *vtable;
712 #ifndef BR_DOXYGEN_IGNORE
713 	uint32_t skey[60];
714 	unsigned num_rounds;
715 #endif
716 } br_aes_big_cbcenc_keys;
717 
718 /**
719  * \brief Context for AES subkeys (`aes_big` implementation, CBC decryption).
720  *
721  * First field is a pointer to the vtable; it is set by the initialisation
722  * function. Other fields are not supposed to be accessed by user code.
723  */
724 typedef struct {
725 	/** \brief Pointer to vtable for this context. */
726 	const br_block_cbcdec_class *vtable;
727 #ifndef BR_DOXYGEN_IGNORE
728 	uint32_t skey[60];
729 	unsigned num_rounds;
730 #endif
731 } br_aes_big_cbcdec_keys;
732 
733 /**
734  * \brief Context for AES subkeys (`aes_big` implementation, CTR encryption
735  * and decryption).
736  *
737  * First field is a pointer to the vtable; it is set by the initialisation
738  * function. Other fields are not supposed to be accessed by user code.
739  */
740 typedef struct {
741 	/** \brief Pointer to vtable for this context. */
742 	const br_block_ctr_class *vtable;
743 #ifndef BR_DOXYGEN_IGNORE
744 	uint32_t skey[60];
745 	unsigned num_rounds;
746 #endif
747 } br_aes_big_ctr_keys;
748 
749 /**
750  * \brief Context for AES subkeys (`aes_big` implementation, CTR encryption
751  * and decryption + CBC-MAC).
752  *
753  * First field is a pointer to the vtable; it is set by the initialisation
754  * function. Other fields are not supposed to be accessed by user code.
755  */
756 typedef struct {
757 	/** \brief Pointer to vtable for this context. */
758 	const br_block_ctrcbc_class *vtable;
759 #ifndef BR_DOXYGEN_IGNORE
760 	uint32_t skey[60];
761 	unsigned num_rounds;
762 #endif
763 } br_aes_big_ctrcbc_keys;
764 
765 /**
766  * \brief Class instance for AES CBC encryption (`aes_big` implementation).
767  */
768 extern const br_block_cbcenc_class br_aes_big_cbcenc_vtable;
769 
770 /**
771  * \brief Class instance for AES CBC decryption (`aes_big` implementation).
772  */
773 extern const br_block_cbcdec_class br_aes_big_cbcdec_vtable;
774 
775 /**
776  * \brief Class instance for AES CTR encryption and decryption
777  * (`aes_big` implementation).
778  */
779 extern const br_block_ctr_class br_aes_big_ctr_vtable;
780 
781 /**
782  * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
783  * (`aes_big` implementation).
784  */
785 extern const br_block_ctrcbc_class br_aes_big_ctrcbc_vtable;
786 
787 /**
788  * \brief Context initialisation (key schedule) for AES CBC encryption
789  * (`aes_big` implementation).
790  *
791  * \param ctx   context to initialise.
792  * \param key   secret key.
793  * \param len   secret key length (in bytes).
794  */
795 void br_aes_big_cbcenc_init(br_aes_big_cbcenc_keys *ctx,
796 	const void *key, size_t len);
797 
798 /**
799  * \brief Context initialisation (key schedule) for AES CBC decryption
800  * (`aes_big` implementation).
801  *
802  * \param ctx   context to initialise.
803  * \param key   secret key.
804  * \param len   secret key length (in bytes).
805  */
806 void br_aes_big_cbcdec_init(br_aes_big_cbcdec_keys *ctx,
807 	const void *key, size_t len);
808 
809 /**
810  * \brief Context initialisation (key schedule) for AES CTR encryption
811  * and decryption (`aes_big` implementation).
812  *
813  * \param ctx   context to initialise.
814  * \param key   secret key.
815  * \param len   secret key length (in bytes).
816  */
817 void br_aes_big_ctr_init(br_aes_big_ctr_keys *ctx,
818 	const void *key, size_t len);
819 
820 /**
821  * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
822  * (`aes_big` implementation).
823  *
824  * \param ctx   context to initialise.
825  * \param key   secret key.
826  * \param len   secret key length (in bytes).
827  */
828 void br_aes_big_ctrcbc_init(br_aes_big_ctrcbc_keys *ctx,
829 	const void *key, size_t len);
830 
831 /**
832  * \brief CBC encryption with AES (`aes_big` implementation).
833  *
834  * \param ctx    context (already initialised).
835  * \param iv     IV (updated).
836  * \param data   data to encrypt (updated).
837  * \param len    data length (in bytes, MUST be multiple of 16).
838  */
839 void br_aes_big_cbcenc_run(const br_aes_big_cbcenc_keys *ctx, void *iv,
840 	void *data, size_t len);
841 
842 /**
843  * \brief CBC decryption with AES (`aes_big` implementation).
844  *
845  * \param ctx    context (already initialised).
846  * \param iv     IV (updated).
847  * \param data   data to decrypt (updated).
848  * \param len    data length (in bytes, MUST be multiple of 16).
849  */
850 void br_aes_big_cbcdec_run(const br_aes_big_cbcdec_keys *ctx, void *iv,
851 	void *data, size_t len);
852 
853 /**
854  * \brief CTR encryption and decryption with AES (`aes_big` implementation).
855  *
856  * \param ctx    context (already initialised).
857  * \param iv     IV (constant, 12 bytes).
858  * \param cc     initial block counter value.
859  * \param data   data to encrypt or decrypt (updated).
860  * \param len    data length (in bytes).
861  * \return  new block counter value.
862  */
863 uint32_t br_aes_big_ctr_run(const br_aes_big_ctr_keys *ctx,
864 	const void *iv, uint32_t cc, void *data, size_t len);
865 
866 /**
867  * \brief CTR encryption + CBC-MAC with AES (`aes_big` implementation).
868  *
869  * \param ctx      context (already initialised).
870  * \param ctr      counter for CTR (16 bytes, updated).
871  * \param cbcmac   IV for CBC-MAC (updated).
872  * \param data     data to encrypt (updated).
873  * \param len      data length (in bytes, MUST be a multiple of 16).
874  */
875 void br_aes_big_ctrcbc_encrypt(const br_aes_big_ctrcbc_keys *ctx,
876 	void *ctr, void *cbcmac, void *data, size_t len);
877 
878 /**
879  * \brief CTR decryption + CBC-MAC with AES (`aes_big` implementation).
880  *
881  * \param ctx      context (already initialised).
882  * \param ctr      counter for CTR (16 bytes, updated).
883  * \param cbcmac   IV for CBC-MAC (updated).
884  * \param data     data to decrypt (updated).
885  * \param len      data length (in bytes, MUST be a multiple of 16).
886  */
887 void br_aes_big_ctrcbc_decrypt(const br_aes_big_ctrcbc_keys *ctx,
888 	void *ctr, void *cbcmac, void *data, size_t len);
889 
890 /**
891  * \brief CTR encryption/decryption with AES (`aes_big` implementation).
892  *
893  * \param ctx      context (already initialised).
894  * \param ctr      counter for CTR (16 bytes, updated).
895  * \param data     data to MAC (updated).
896  * \param len      data length (in bytes, MUST be a multiple of 16).
897  */
898 void br_aes_big_ctrcbc_ctr(const br_aes_big_ctrcbc_keys *ctx,
899 	void *ctr, void *data, size_t len);
900 
901 /**
902  * \brief CBC-MAC with AES (`aes_big` implementation).
903  *
904  * \param ctx      context (already initialised).
905  * \param cbcmac   IV for CBC-MAC (updated).
906  * \param data     data to MAC (unmodified).
907  * \param len      data length (in bytes, MUST be a multiple of 16).
908  */
909 void br_aes_big_ctrcbc_mac(const br_aes_big_ctrcbc_keys *ctx,
910 	void *cbcmac, const void *data, size_t len);
911 
912 /*
913  * AES implementation optimized for size. It is slower than the
914  * traditional table-based AES implementation, but requires much less
915  * code. It still uses data-dependent table accesses (albeit within a
916  * much smaller 256-byte table), which makes it conceptually vulnerable
917  * to cache-timing attacks.
918  */
919 
920 /** \brief AES block size (16 bytes). */
921 #define br_aes_small_BLOCK_SIZE   16
922 
923 /**
924  * \brief Context for AES subkeys (`aes_small` implementation, CBC encryption).
925  *
926  * First field is a pointer to the vtable; it is set by the initialisation
927  * function. Other fields are not supposed to be accessed by user code.
928  */
929 typedef struct {
930 	/** \brief Pointer to vtable for this context. */
931 	const br_block_cbcenc_class *vtable;
932 #ifndef BR_DOXYGEN_IGNORE
933 	uint32_t skey[60];
934 	unsigned num_rounds;
935 #endif
936 } br_aes_small_cbcenc_keys;
937 
938 /**
939  * \brief Context for AES subkeys (`aes_small` implementation, CBC decryption).
940  *
941  * First field is a pointer to the vtable; it is set by the initialisation
942  * function. Other fields are not supposed to be accessed by user code.
943  */
944 typedef struct {
945 	/** \brief Pointer to vtable for this context. */
946 	const br_block_cbcdec_class *vtable;
947 #ifndef BR_DOXYGEN_IGNORE
948 	uint32_t skey[60];
949 	unsigned num_rounds;
950 #endif
951 } br_aes_small_cbcdec_keys;
952 
953 /**
954  * \brief Context for AES subkeys (`aes_small` implementation, CTR encryption
955  * and decryption).
956  *
957  * First field is a pointer to the vtable; it is set by the initialisation
958  * function. Other fields are not supposed to be accessed by user code.
959  */
960 typedef struct {
961 	/** \brief Pointer to vtable for this context. */
962 	const br_block_ctr_class *vtable;
963 #ifndef BR_DOXYGEN_IGNORE
964 	uint32_t skey[60];
965 	unsigned num_rounds;
966 #endif
967 } br_aes_small_ctr_keys;
968 
969 /**
970  * \brief Context for AES subkeys (`aes_small` implementation, CTR encryption
971  * and decryption + CBC-MAC).
972  *
973  * First field is a pointer to the vtable; it is set by the initialisation
974  * function. Other fields are not supposed to be accessed by user code.
975  */
976 typedef struct {
977 	/** \brief Pointer to vtable for this context. */
978 	const br_block_ctrcbc_class *vtable;
979 #ifndef BR_DOXYGEN_IGNORE
980 	uint32_t skey[60];
981 	unsigned num_rounds;
982 #endif
983 } br_aes_small_ctrcbc_keys;
984 
985 /**
986  * \brief Class instance for AES CBC encryption (`aes_small` implementation).
987  */
988 extern const br_block_cbcenc_class br_aes_small_cbcenc_vtable;
989 
990 /**
991  * \brief Class instance for AES CBC decryption (`aes_small` implementation).
992  */
993 extern const br_block_cbcdec_class br_aes_small_cbcdec_vtable;
994 
995 /**
996  * \brief Class instance for AES CTR encryption and decryption
997  * (`aes_small` implementation).
998  */
999 extern const br_block_ctr_class br_aes_small_ctr_vtable;
1000 
1001 /**
1002  * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1003  * (`aes_small` implementation).
1004  */
1005 extern const br_block_ctrcbc_class br_aes_small_ctrcbc_vtable;
1006 
1007 /**
1008  * \brief Context initialisation (key schedule) for AES CBC encryption
1009  * (`aes_small` implementation).
1010  *
1011  * \param ctx   context to initialise.
1012  * \param key   secret key.
1013  * \param len   secret key length (in bytes).
1014  */
1015 void br_aes_small_cbcenc_init(br_aes_small_cbcenc_keys *ctx,
1016 	const void *key, size_t len);
1017 
1018 /**
1019  * \brief Context initialisation (key schedule) for AES CBC decryption
1020  * (`aes_small` implementation).
1021  *
1022  * \param ctx   context to initialise.
1023  * \param key   secret key.
1024  * \param len   secret key length (in bytes).
1025  */
1026 void br_aes_small_cbcdec_init(br_aes_small_cbcdec_keys *ctx,
1027 	const void *key, size_t len);
1028 
1029 /**
1030  * \brief Context initialisation (key schedule) for AES CTR encryption
1031  * and decryption (`aes_small` implementation).
1032  *
1033  * \param ctx   context to initialise.
1034  * \param key   secret key.
1035  * \param len   secret key length (in bytes).
1036  */
1037 void br_aes_small_ctr_init(br_aes_small_ctr_keys *ctx,
1038 	const void *key, size_t len);
1039 
1040 /**
1041  * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1042  * (`aes_small` implementation).
1043  *
1044  * \param ctx   context to initialise.
1045  * \param key   secret key.
1046  * \param len   secret key length (in bytes).
1047  */
1048 void br_aes_small_ctrcbc_init(br_aes_small_ctrcbc_keys *ctx,
1049 	const void *key, size_t len);
1050 
1051 /**
1052  * \brief CBC encryption with AES (`aes_small` implementation).
1053  *
1054  * \param ctx    context (already initialised).
1055  * \param iv     IV (updated).
1056  * \param data   data to encrypt (updated).
1057  * \param len    data length (in bytes, MUST be multiple of 16).
1058  */
1059 void br_aes_small_cbcenc_run(const br_aes_small_cbcenc_keys *ctx, void *iv,
1060 	void *data, size_t len);
1061 
1062 /**
1063  * \brief CBC decryption with AES (`aes_small` implementation).
1064  *
1065  * \param ctx    context (already initialised).
1066  * \param iv     IV (updated).
1067  * \param data   data to decrypt (updated).
1068  * \param len    data length (in bytes, MUST be multiple of 16).
1069  */
1070 void br_aes_small_cbcdec_run(const br_aes_small_cbcdec_keys *ctx, void *iv,
1071 	void *data, size_t len);
1072 
1073 /**
1074  * \brief CTR encryption and decryption with AES (`aes_small` implementation).
1075  *
1076  * \param ctx    context (already initialised).
1077  * \param iv     IV (constant, 12 bytes).
1078  * \param cc     initial block counter value.
1079  * \param data   data to decrypt (updated).
1080  * \param len    data length (in bytes).
1081  * \return  new block counter value.
1082  */
1083 uint32_t br_aes_small_ctr_run(const br_aes_small_ctr_keys *ctx,
1084 	const void *iv, uint32_t cc, void *data, size_t len);
1085 
1086 /**
1087  * \brief CTR encryption + CBC-MAC with AES (`aes_small` implementation).
1088  *
1089  * \param ctx      context (already initialised).
1090  * \param ctr      counter for CTR (16 bytes, updated).
1091  * \param cbcmac   IV for CBC-MAC (updated).
1092  * \param data     data to encrypt (updated).
1093  * \param len      data length (in bytes, MUST be a multiple of 16).
1094  */
1095 void br_aes_small_ctrcbc_encrypt(const br_aes_small_ctrcbc_keys *ctx,
1096 	void *ctr, void *cbcmac, void *data, size_t len);
1097 
1098 /**
1099  * \brief CTR decryption + CBC-MAC with AES (`aes_small` implementation).
1100  *
1101  * \param ctx      context (already initialised).
1102  * \param ctr      counter for CTR (16 bytes, updated).
1103  * \param cbcmac   IV for CBC-MAC (updated).
1104  * \param data     data to decrypt (updated).
1105  * \param len      data length (in bytes, MUST be a multiple of 16).
1106  */
1107 void br_aes_small_ctrcbc_decrypt(const br_aes_small_ctrcbc_keys *ctx,
1108 	void *ctr, void *cbcmac, void *data, size_t len);
1109 
1110 /**
1111  * \brief CTR encryption/decryption with AES (`aes_small` implementation).
1112  *
1113  * \param ctx      context (already initialised).
1114  * \param ctr      counter for CTR (16 bytes, updated).
1115  * \param data     data to MAC (updated).
1116  * \param len      data length (in bytes, MUST be a multiple of 16).
1117  */
1118 void br_aes_small_ctrcbc_ctr(const br_aes_small_ctrcbc_keys *ctx,
1119 	void *ctr, void *data, size_t len);
1120 
1121 /**
1122  * \brief CBC-MAC with AES (`aes_small` implementation).
1123  *
1124  * \param ctx      context (already initialised).
1125  * \param cbcmac   IV for CBC-MAC (updated).
1126  * \param data     data to MAC (unmodified).
1127  * \param len      data length (in bytes, MUST be a multiple of 16).
1128  */
1129 void br_aes_small_ctrcbc_mac(const br_aes_small_ctrcbc_keys *ctx,
1130 	void *cbcmac, const void *data, size_t len);
1131 
1132 /*
1133  * Constant-time AES implementation. Its size is similar to that of
1134  * 'aes_big', and its performance is similar to that of 'aes_small' (faster
1135  * decryption, slower encryption). However, it is constant-time, i.e.
1136  * immune to cache-timing and similar attacks.
1137  */
1138 
1139 /** \brief AES block size (16 bytes). */
1140 #define br_aes_ct_BLOCK_SIZE   16
1141 
1142 /**
1143  * \brief Context for AES subkeys (`aes_ct` implementation, CBC encryption).
1144  *
1145  * First field is a pointer to the vtable; it is set by the initialisation
1146  * function. Other fields are not supposed to be accessed by user code.
1147  */
1148 typedef struct {
1149 	/** \brief Pointer to vtable for this context. */
1150 	const br_block_cbcenc_class *vtable;
1151 #ifndef BR_DOXYGEN_IGNORE
1152 	uint32_t skey[60];
1153 	unsigned num_rounds;
1154 #endif
1155 } br_aes_ct_cbcenc_keys;
1156 
1157 /**
1158  * \brief Context for AES subkeys (`aes_ct` implementation, CBC decryption).
1159  *
1160  * First field is a pointer to the vtable; it is set by the initialisation
1161  * function. Other fields are not supposed to be accessed by user code.
1162  */
1163 typedef struct {
1164 	/** \brief Pointer to vtable for this context. */
1165 	const br_block_cbcdec_class *vtable;
1166 #ifndef BR_DOXYGEN_IGNORE
1167 	uint32_t skey[60];
1168 	unsigned num_rounds;
1169 #endif
1170 } br_aes_ct_cbcdec_keys;
1171 
1172 /**
1173  * \brief Context for AES subkeys (`aes_ct` implementation, CTR encryption
1174  * and decryption).
1175  *
1176  * First field is a pointer to the vtable; it is set by the initialisation
1177  * function. Other fields are not supposed to be accessed by user code.
1178  */
1179 typedef struct {
1180 	/** \brief Pointer to vtable for this context. */
1181 	const br_block_ctr_class *vtable;
1182 #ifndef BR_DOXYGEN_IGNORE
1183 	uint32_t skey[60];
1184 	unsigned num_rounds;
1185 #endif
1186 } br_aes_ct_ctr_keys;
1187 
1188 /**
1189  * \brief Context for AES subkeys (`aes_ct` implementation, CTR encryption
1190  * and decryption + CBC-MAC).
1191  *
1192  * First field is a pointer to the vtable; it is set by the initialisation
1193  * function. Other fields are not supposed to be accessed by user code.
1194  */
1195 typedef struct {
1196 	/** \brief Pointer to vtable for this context. */
1197 	const br_block_ctrcbc_class *vtable;
1198 #ifndef BR_DOXYGEN_IGNORE
1199 	uint32_t skey[60];
1200 	unsigned num_rounds;
1201 #endif
1202 } br_aes_ct_ctrcbc_keys;
1203 
1204 /**
1205  * \brief Class instance for AES CBC encryption (`aes_ct` implementation).
1206  */
1207 extern const br_block_cbcenc_class br_aes_ct_cbcenc_vtable;
1208 
1209 /**
1210  * \brief Class instance for AES CBC decryption (`aes_ct` implementation).
1211  */
1212 extern const br_block_cbcdec_class br_aes_ct_cbcdec_vtable;
1213 
1214 /**
1215  * \brief Class instance for AES CTR encryption and decryption
1216  * (`aes_ct` implementation).
1217  */
1218 extern const br_block_ctr_class br_aes_ct_ctr_vtable;
1219 
1220 /**
1221  * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1222  * (`aes_ct` implementation).
1223  */
1224 extern const br_block_ctrcbc_class br_aes_ct_ctrcbc_vtable;
1225 
1226 /**
1227  * \brief Context initialisation (key schedule) for AES CBC encryption
1228  * (`aes_ct` implementation).
1229  *
1230  * \param ctx   context to initialise.
1231  * \param key   secret key.
1232  * \param len   secret key length (in bytes).
1233  */
1234 void br_aes_ct_cbcenc_init(br_aes_ct_cbcenc_keys *ctx,
1235 	const void *key, size_t len);
1236 
1237 /**
1238  * \brief Context initialisation (key schedule) for AES CBC decryption
1239  * (`aes_ct` implementation).
1240  *
1241  * \param ctx   context to initialise.
1242  * \param key   secret key.
1243  * \param len   secret key length (in bytes).
1244  */
1245 void br_aes_ct_cbcdec_init(br_aes_ct_cbcdec_keys *ctx,
1246 	const void *key, size_t len);
1247 
1248 /**
1249  * \brief Context initialisation (key schedule) for AES CTR encryption
1250  * and decryption (`aes_ct` implementation).
1251  *
1252  * \param ctx   context to initialise.
1253  * \param key   secret key.
1254  * \param len   secret key length (in bytes).
1255  */
1256 void br_aes_ct_ctr_init(br_aes_ct_ctr_keys *ctx,
1257 	const void *key, size_t len);
1258 
1259 /**
1260  * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1261  * (`aes_ct` implementation).
1262  *
1263  * \param ctx   context to initialise.
1264  * \param key   secret key.
1265  * \param len   secret key length (in bytes).
1266  */
1267 void br_aes_ct_ctrcbc_init(br_aes_ct_ctrcbc_keys *ctx,
1268 	const void *key, size_t len);
1269 
1270 /**
1271  * \brief CBC encryption with AES (`aes_ct` implementation).
1272  *
1273  * \param ctx    context (already initialised).
1274  * \param iv     IV (updated).
1275  * \param data   data to encrypt (updated).
1276  * \param len    data length (in bytes, MUST be multiple of 16).
1277  */
1278 void br_aes_ct_cbcenc_run(const br_aes_ct_cbcenc_keys *ctx, void *iv,
1279 	void *data, size_t len);
1280 
1281 /**
1282  * \brief CBC decryption with AES (`aes_ct` implementation).
1283  *
1284  * \param ctx    context (already initialised).
1285  * \param iv     IV (updated).
1286  * \param data   data to decrypt (updated).
1287  * \param len    data length (in bytes, MUST be multiple of 16).
1288  */
1289 void br_aes_ct_cbcdec_run(const br_aes_ct_cbcdec_keys *ctx, void *iv,
1290 	void *data, size_t len);
1291 
1292 /**
1293  * \brief CTR encryption and decryption with AES (`aes_ct` implementation).
1294  *
1295  * \param ctx    context (already initialised).
1296  * \param iv     IV (constant, 12 bytes).
1297  * \param cc     initial block counter value.
1298  * \param data   data to decrypt (updated).
1299  * \param len    data length (in bytes).
1300  * \return  new block counter value.
1301  */
1302 uint32_t br_aes_ct_ctr_run(const br_aes_ct_ctr_keys *ctx,
1303 	const void *iv, uint32_t cc, void *data, size_t len);
1304 
1305 /**
1306  * \brief CTR encryption + CBC-MAC with AES (`aes_ct` implementation).
1307  *
1308  * \param ctx      context (already initialised).
1309  * \param ctr      counter for CTR (16 bytes, updated).
1310  * \param cbcmac   IV for CBC-MAC (updated).
1311  * \param data     data to encrypt (updated).
1312  * \param len      data length (in bytes, MUST be a multiple of 16).
1313  */
1314 void br_aes_ct_ctrcbc_encrypt(const br_aes_ct_ctrcbc_keys *ctx,
1315 	void *ctr, void *cbcmac, void *data, size_t len);
1316 
1317 /**
1318  * \brief CTR decryption + CBC-MAC with AES (`aes_ct` implementation).
1319  *
1320  * \param ctx      context (already initialised).
1321  * \param ctr      counter for CTR (16 bytes, updated).
1322  * \param cbcmac   IV for CBC-MAC (updated).
1323  * \param data     data to decrypt (updated).
1324  * \param len      data length (in bytes, MUST be a multiple of 16).
1325  */
1326 void br_aes_ct_ctrcbc_decrypt(const br_aes_ct_ctrcbc_keys *ctx,
1327 	void *ctr, void *cbcmac, void *data, size_t len);
1328 
1329 /**
1330  * \brief CTR encryption/decryption with AES (`aes_ct` implementation).
1331  *
1332  * \param ctx      context (already initialised).
1333  * \param ctr      counter for CTR (16 bytes, updated).
1334  * \param data     data to MAC (updated).
1335  * \param len      data length (in bytes, MUST be a multiple of 16).
1336  */
1337 void br_aes_ct_ctrcbc_ctr(const br_aes_ct_ctrcbc_keys *ctx,
1338 	void *ctr, void *data, size_t len);
1339 
1340 /**
1341  * \brief CBC-MAC with AES (`aes_ct` implementation).
1342  *
1343  * \param ctx      context (already initialised).
1344  * \param cbcmac   IV for CBC-MAC (updated).
1345  * \param data     data to MAC (unmodified).
1346  * \param len      data length (in bytes, MUST be a multiple of 16).
1347  */
1348 void br_aes_ct_ctrcbc_mac(const br_aes_ct_ctrcbc_keys *ctx,
1349 	void *cbcmac, const void *data, size_t len);
1350 
1351 /*
1352  * 64-bit constant-time AES implementation. It is similar to 'aes_ct'
1353  * but uses 64-bit registers, making it about twice faster than 'aes_ct'
1354  * on 64-bit platforms, while remaining constant-time and with a similar
1355  * code size. (The doubling in performance is only for CBC decryption
1356  * and CTR mode; CBC encryption is non-parallel and cannot benefit from
1357  * the larger registers.)
1358  */
1359 
1360 /** \brief AES block size (16 bytes). */
1361 #define br_aes_ct64_BLOCK_SIZE   16
1362 
1363 /**
1364  * \brief Context for AES subkeys (`aes_ct64` implementation, CBC encryption).
1365  *
1366  * First field is a pointer to the vtable; it is set by the initialisation
1367  * function. Other fields are not supposed to be accessed by user code.
1368  */
1369 typedef struct {
1370 	/** \brief Pointer to vtable for this context. */
1371 	const br_block_cbcenc_class *vtable;
1372 #ifndef BR_DOXYGEN_IGNORE
1373 	uint64_t skey[30];
1374 	unsigned num_rounds;
1375 #endif
1376 } br_aes_ct64_cbcenc_keys;
1377 
1378 /**
1379  * \brief Context for AES subkeys (`aes_ct64` implementation, CBC decryption).
1380  *
1381  * First field is a pointer to the vtable; it is set by the initialisation
1382  * function. Other fields are not supposed to be accessed by user code.
1383  */
1384 typedef struct {
1385 	/** \brief Pointer to vtable for this context. */
1386 	const br_block_cbcdec_class *vtable;
1387 #ifndef BR_DOXYGEN_IGNORE
1388 	uint64_t skey[30];
1389 	unsigned num_rounds;
1390 #endif
1391 } br_aes_ct64_cbcdec_keys;
1392 
1393 /**
1394  * \brief Context for AES subkeys (`aes_ct64` implementation, CTR encryption
1395  * and decryption).
1396  *
1397  * First field is a pointer to the vtable; it is set by the initialisation
1398  * function. Other fields are not supposed to be accessed by user code.
1399  */
1400 typedef struct {
1401 	/** \brief Pointer to vtable for this context. */
1402 	const br_block_ctr_class *vtable;
1403 #ifndef BR_DOXYGEN_IGNORE
1404 	uint64_t skey[30];
1405 	unsigned num_rounds;
1406 #endif
1407 } br_aes_ct64_ctr_keys;
1408 
1409 /**
1410  * \brief Context for AES subkeys (`aes_ct64` implementation, CTR encryption
1411  * and decryption + CBC-MAC).
1412  *
1413  * First field is a pointer to the vtable; it is set by the initialisation
1414  * function. Other fields are not supposed to be accessed by user code.
1415  */
1416 typedef struct {
1417 	/** \brief Pointer to vtable for this context. */
1418 	const br_block_ctrcbc_class *vtable;
1419 #ifndef BR_DOXYGEN_IGNORE
1420 	uint64_t skey[30];
1421 	unsigned num_rounds;
1422 #endif
1423 } br_aes_ct64_ctrcbc_keys;
1424 
1425 /**
1426  * \brief Class instance for AES CBC encryption (`aes_ct64` implementation).
1427  */
1428 extern const br_block_cbcenc_class br_aes_ct64_cbcenc_vtable;
1429 
1430 /**
1431  * \brief Class instance for AES CBC decryption (`aes_ct64` implementation).
1432  */
1433 extern const br_block_cbcdec_class br_aes_ct64_cbcdec_vtable;
1434 
1435 /**
1436  * \brief Class instance for AES CTR encryption and decryption
1437  * (`aes_ct64` implementation).
1438  */
1439 extern const br_block_ctr_class br_aes_ct64_ctr_vtable;
1440 
1441 /**
1442  * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1443  * (`aes_ct64` implementation).
1444  */
1445 extern const br_block_ctrcbc_class br_aes_ct64_ctrcbc_vtable;
1446 
1447 /**
1448  * \brief Context initialisation (key schedule) for AES CBC encryption
1449  * (`aes_ct64` implementation).
1450  *
1451  * \param ctx   context to initialise.
1452  * \param key   secret key.
1453  * \param len   secret key length (in bytes).
1454  */
1455 void br_aes_ct64_cbcenc_init(br_aes_ct64_cbcenc_keys *ctx,
1456 	const void *key, size_t len);
1457 
1458 /**
1459  * \brief Context initialisation (key schedule) for AES CBC decryption
1460  * (`aes_ct64` implementation).
1461  *
1462  * \param ctx   context to initialise.
1463  * \param key   secret key.
1464  * \param len   secret key length (in bytes).
1465  */
1466 void br_aes_ct64_cbcdec_init(br_aes_ct64_cbcdec_keys *ctx,
1467 	const void *key, size_t len);
1468 
1469 /**
1470  * \brief Context initialisation (key schedule) for AES CTR encryption
1471  * and decryption (`aes_ct64` implementation).
1472  *
1473  * \param ctx   context to initialise.
1474  * \param key   secret key.
1475  * \param len   secret key length (in bytes).
1476  */
1477 void br_aes_ct64_ctr_init(br_aes_ct64_ctr_keys *ctx,
1478 	const void *key, size_t len);
1479 
1480 /**
1481  * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1482  * (`aes_ct64` implementation).
1483  *
1484  * \param ctx   context to initialise.
1485  * \param key   secret key.
1486  * \param len   secret key length (in bytes).
1487  */
1488 void br_aes_ct64_ctrcbc_init(br_aes_ct64_ctrcbc_keys *ctx,
1489 	const void *key, size_t len);
1490 
1491 /**
1492  * \brief CBC encryption with AES (`aes_ct64` implementation).
1493  *
1494  * \param ctx    context (already initialised).
1495  * \param iv     IV (updated).
1496  * \param data   data to encrypt (updated).
1497  * \param len    data length (in bytes, MUST be multiple of 16).
1498  */
1499 void br_aes_ct64_cbcenc_run(const br_aes_ct64_cbcenc_keys *ctx, void *iv,
1500 	void *data, size_t len);
1501 
1502 /**
1503  * \brief CBC decryption with AES (`aes_ct64` implementation).
1504  *
1505  * \param ctx    context (already initialised).
1506  * \param iv     IV (updated).
1507  * \param data   data to decrypt (updated).
1508  * \param len    data length (in bytes, MUST be multiple of 16).
1509  */
1510 void br_aes_ct64_cbcdec_run(const br_aes_ct64_cbcdec_keys *ctx, void *iv,
1511 	void *data, size_t len);
1512 
1513 /**
1514  * \brief CTR encryption and decryption with AES (`aes_ct64` implementation).
1515  *
1516  * \param ctx    context (already initialised).
1517  * \param iv     IV (constant, 12 bytes).
1518  * \param cc     initial block counter value.
1519  * \param data   data to decrypt (updated).
1520  * \param len    data length (in bytes).
1521  * \return  new block counter value.
1522  */
1523 uint32_t br_aes_ct64_ctr_run(const br_aes_ct64_ctr_keys *ctx,
1524 	const void *iv, uint32_t cc, void *data, size_t len);
1525 
1526 /**
1527  * \brief CTR encryption + CBC-MAC with AES (`aes_ct64` implementation).
1528  *
1529  * \param ctx      context (already initialised).
1530  * \param ctr      counter for CTR (16 bytes, updated).
1531  * \param cbcmac   IV for CBC-MAC (updated).
1532  * \param data     data to encrypt (updated).
1533  * \param len      data length (in bytes, MUST be a multiple of 16).
1534  */
1535 void br_aes_ct64_ctrcbc_encrypt(const br_aes_ct64_ctrcbc_keys *ctx,
1536 	void *ctr, void *cbcmac, void *data, size_t len);
1537 
1538 /**
1539  * \brief CTR decryption + CBC-MAC with AES (`aes_ct64` implementation).
1540  *
1541  * \param ctx      context (already initialised).
1542  * \param ctr      counter for CTR (16 bytes, updated).
1543  * \param cbcmac   IV for CBC-MAC (updated).
1544  * \param data     data to decrypt (updated).
1545  * \param len      data length (in bytes, MUST be a multiple of 16).
1546  */
1547 void br_aes_ct64_ctrcbc_decrypt(const br_aes_ct64_ctrcbc_keys *ctx,
1548 	void *ctr, void *cbcmac, void *data, size_t len);
1549 
1550 /**
1551  * \brief CTR encryption/decryption with AES (`aes_ct64` implementation).
1552  *
1553  * \param ctx      context (already initialised).
1554  * \param ctr      counter for CTR (16 bytes, updated).
1555  * \param data     data to MAC (updated).
1556  * \param len      data length (in bytes, MUST be a multiple of 16).
1557  */
1558 void br_aes_ct64_ctrcbc_ctr(const br_aes_ct64_ctrcbc_keys *ctx,
1559 	void *ctr, void *data, size_t len);
1560 
1561 /**
1562  * \brief CBC-MAC with AES (`aes_ct64` implementation).
1563  *
1564  * \param ctx      context (already initialised).
1565  * \param cbcmac   IV for CBC-MAC (updated).
1566  * \param data     data to MAC (unmodified).
1567  * \param len      data length (in bytes, MUST be a multiple of 16).
1568  */
1569 void br_aes_ct64_ctrcbc_mac(const br_aes_ct64_ctrcbc_keys *ctx,
1570 	void *cbcmac, const void *data, size_t len);
1571 
1572 /*
1573  * AES implementation using AES-NI opcodes (x86 platform).
1574  */
1575 
1576 /** \brief AES block size (16 bytes). */
1577 #define br_aes_x86ni_BLOCK_SIZE   16
1578 
1579 /**
1580  * \brief Context for AES subkeys (`aes_x86ni` implementation, CBC encryption).
1581  *
1582  * First field is a pointer to the vtable; it is set by the initialisation
1583  * function. Other fields are not supposed to be accessed by user code.
1584  */
1585 typedef struct {
1586 	/** \brief Pointer to vtable for this context. */
1587 	const br_block_cbcenc_class *vtable;
1588 #ifndef BR_DOXYGEN_IGNORE
1589 	union {
1590 		unsigned char skni[16 * 15];
1591 	} skey;
1592 	unsigned num_rounds;
1593 #endif
1594 } br_aes_x86ni_cbcenc_keys;
1595 
1596 /**
1597  * \brief Context for AES subkeys (`aes_x86ni` implementation, CBC decryption).
1598  *
1599  * First field is a pointer to the vtable; it is set by the initialisation
1600  * function. Other fields are not supposed to be accessed by user code.
1601  */
1602 typedef struct {
1603 	/** \brief Pointer to vtable for this context. */
1604 	const br_block_cbcdec_class *vtable;
1605 #ifndef BR_DOXYGEN_IGNORE
1606 	union {
1607 		unsigned char skni[16 * 15];
1608 	} skey;
1609 	unsigned num_rounds;
1610 #endif
1611 } br_aes_x86ni_cbcdec_keys;
1612 
1613 /**
1614  * \brief Context for AES subkeys (`aes_x86ni` implementation, CTR encryption
1615  * and decryption).
1616  *
1617  * First field is a pointer to the vtable; it is set by the initialisation
1618  * function. Other fields are not supposed to be accessed by user code.
1619  */
1620 typedef struct {
1621 	/** \brief Pointer to vtable for this context. */
1622 	const br_block_ctr_class *vtable;
1623 #ifndef BR_DOXYGEN_IGNORE
1624 	union {
1625 		unsigned char skni[16 * 15];
1626 	} skey;
1627 	unsigned num_rounds;
1628 #endif
1629 } br_aes_x86ni_ctr_keys;
1630 
1631 /**
1632  * \brief Context for AES subkeys (`aes_x86ni` implementation, CTR encryption
1633  * and decryption + CBC-MAC).
1634  *
1635  * First field is a pointer to the vtable; it is set by the initialisation
1636  * function. Other fields are not supposed to be accessed by user code.
1637  */
1638 typedef struct {
1639 	/** \brief Pointer to vtable for this context. */
1640 	const br_block_ctrcbc_class *vtable;
1641 #ifndef BR_DOXYGEN_IGNORE
1642 	union {
1643 		unsigned char skni[16 * 15];
1644 	} skey;
1645 	unsigned num_rounds;
1646 #endif
1647 } br_aes_x86ni_ctrcbc_keys;
1648 
1649 /**
1650  * \brief Class instance for AES CBC encryption (`aes_x86ni` implementation).
1651  *
1652  * Since this implementation might be omitted from the library, or the
1653  * AES opcode unavailable on the current CPU, a pointer to this class
1654  * instance should be obtained through `br_aes_x86ni_cbcenc_get_vtable()`.
1655  */
1656 extern const br_block_cbcenc_class br_aes_x86ni_cbcenc_vtable;
1657 
1658 /**
1659  * \brief Class instance for AES CBC decryption (`aes_x86ni` implementation).
1660  *
1661  * Since this implementation might be omitted from the library, or the
1662  * AES opcode unavailable on the current CPU, a pointer to this class
1663  * instance should be obtained through `br_aes_x86ni_cbcdec_get_vtable()`.
1664  */
1665 extern const br_block_cbcdec_class br_aes_x86ni_cbcdec_vtable;
1666 
1667 /**
1668  * \brief Class instance for AES CTR encryption and decryption
1669  * (`aes_x86ni` implementation).
1670  *
1671  * Since this implementation might be omitted from the library, or the
1672  * AES opcode unavailable on the current CPU, a pointer to this class
1673  * instance should be obtained through `br_aes_x86ni_ctr_get_vtable()`.
1674  */
1675 extern const br_block_ctr_class br_aes_x86ni_ctr_vtable;
1676 
1677 /**
1678  * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1679  * (`aes_x86ni` implementation).
1680  *
1681  * Since this implementation might be omitted from the library, or the
1682  * AES opcode unavailable on the current CPU, a pointer to this class
1683  * instance should be obtained through `br_aes_x86ni_ctrcbc_get_vtable()`.
1684  */
1685 extern const br_block_ctrcbc_class br_aes_x86ni_ctrcbc_vtable;
1686 
1687 /**
1688  * \brief Context initialisation (key schedule) for AES CBC encryption
1689  * (`aes_x86ni` implementation).
1690  *
1691  * \param ctx   context to initialise.
1692  * \param key   secret key.
1693  * \param len   secret key length (in bytes).
1694  */
1695 void br_aes_x86ni_cbcenc_init(br_aes_x86ni_cbcenc_keys *ctx,
1696 	const void *key, size_t len);
1697 
1698 /**
1699  * \brief Context initialisation (key schedule) for AES CBC decryption
1700  * (`aes_x86ni` implementation).
1701  *
1702  * \param ctx   context to initialise.
1703  * \param key   secret key.
1704  * \param len   secret key length (in bytes).
1705  */
1706 void br_aes_x86ni_cbcdec_init(br_aes_x86ni_cbcdec_keys *ctx,
1707 	const void *key, size_t len);
1708 
1709 /**
1710  * \brief Context initialisation (key schedule) for AES CTR encryption
1711  * and decryption (`aes_x86ni` implementation).
1712  *
1713  * \param ctx   context to initialise.
1714  * \param key   secret key.
1715  * \param len   secret key length (in bytes).
1716  */
1717 void br_aes_x86ni_ctr_init(br_aes_x86ni_ctr_keys *ctx,
1718 	const void *key, size_t len);
1719 
1720 /**
1721  * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1722  * (`aes_x86ni` implementation).
1723  *
1724  * \param ctx   context to initialise.
1725  * \param key   secret key.
1726  * \param len   secret key length (in bytes).
1727  */
1728 void br_aes_x86ni_ctrcbc_init(br_aes_x86ni_ctrcbc_keys *ctx,
1729 	const void *key, size_t len);
1730 
1731 /**
1732  * \brief CBC encryption with AES (`aes_x86ni` implementation).
1733  *
1734  * \param ctx    context (already initialised).
1735  * \param iv     IV (updated).
1736  * \param data   data to encrypt (updated).
1737  * \param len    data length (in bytes, MUST be multiple of 16).
1738  */
1739 void br_aes_x86ni_cbcenc_run(const br_aes_x86ni_cbcenc_keys *ctx, void *iv,
1740 	void *data, size_t len);
1741 
1742 /**
1743  * \brief CBC decryption with AES (`aes_x86ni` implementation).
1744  *
1745  * \param ctx    context (already initialised).
1746  * \param iv     IV (updated).
1747  * \param data   data to decrypt (updated).
1748  * \param len    data length (in bytes, MUST be multiple of 16).
1749  */
1750 void br_aes_x86ni_cbcdec_run(const br_aes_x86ni_cbcdec_keys *ctx, void *iv,
1751 	void *data, size_t len);
1752 
1753 /**
1754  * \brief CTR encryption and decryption with AES (`aes_x86ni` implementation).
1755  *
1756  * \param ctx    context (already initialised).
1757  * \param iv     IV (constant, 12 bytes).
1758  * \param cc     initial block counter value.
1759  * \param data   data to decrypt (updated).
1760  * \param len    data length (in bytes).
1761  * \return  new block counter value.
1762  */
1763 uint32_t br_aes_x86ni_ctr_run(const br_aes_x86ni_ctr_keys *ctx,
1764 	const void *iv, uint32_t cc, void *data, size_t len);
1765 
1766 /**
1767  * \brief CTR encryption + CBC-MAC with AES (`aes_x86ni` implementation).
1768  *
1769  * \param ctx      context (already initialised).
1770  * \param ctr      counter for CTR (16 bytes, updated).
1771  * \param cbcmac   IV for CBC-MAC (updated).
1772  * \param data     data to encrypt (updated).
1773  * \param len      data length (in bytes, MUST be a multiple of 16).
1774  */
1775 void br_aes_x86ni_ctrcbc_encrypt(const br_aes_x86ni_ctrcbc_keys *ctx,
1776 	void *ctr, void *cbcmac, void *data, size_t len);
1777 
1778 /**
1779  * \brief CTR decryption + CBC-MAC with AES (`aes_x86ni` implementation).
1780  *
1781  * \param ctx      context (already initialised).
1782  * \param ctr      counter for CTR (16 bytes, updated).
1783  * \param cbcmac   IV for CBC-MAC (updated).
1784  * \param data     data to decrypt (updated).
1785  * \param len      data length (in bytes, MUST be a multiple of 16).
1786  */
1787 void br_aes_x86ni_ctrcbc_decrypt(const br_aes_x86ni_ctrcbc_keys *ctx,
1788 	void *ctr, void *cbcmac, void *data, size_t len);
1789 
1790 /**
1791  * \brief CTR encryption/decryption with AES (`aes_x86ni` implementation).
1792  *
1793  * \param ctx      context (already initialised).
1794  * \param ctr      counter for CTR (16 bytes, updated).
1795  * \param data     data to MAC (updated).
1796  * \param len      data length (in bytes, MUST be a multiple of 16).
1797  */
1798 void br_aes_x86ni_ctrcbc_ctr(const br_aes_x86ni_ctrcbc_keys *ctx,
1799 	void *ctr, void *data, size_t len);
1800 
1801 /**
1802  * \brief CBC-MAC with AES (`aes_x86ni` implementation).
1803  *
1804  * \param ctx      context (already initialised).
1805  * \param cbcmac   IV for CBC-MAC (updated).
1806  * \param data     data to MAC (unmodified).
1807  * \param len      data length (in bytes, MUST be a multiple of 16).
1808  */
1809 void br_aes_x86ni_ctrcbc_mac(const br_aes_x86ni_ctrcbc_keys *ctx,
1810 	void *cbcmac, const void *data, size_t len);
1811 
1812 /**
1813  * \brief Obtain the `aes_x86ni` AES-CBC (encryption) implementation, if
1814  * available.
1815  *
1816  * This function returns a pointer to `br_aes_x86ni_cbcenc_vtable`, if
1817  * that implementation was compiled in the library _and_ the x86 AES
1818  * opcodes are available on the currently running CPU. If either of
1819  * these conditions is not met, then this function returns `NULL`.
1820  *
1821  * \return  the `aes_x86ni` AES-CBC (encryption) implementation, or `NULL`.
1822  */
1823 const br_block_cbcenc_class *br_aes_x86ni_cbcenc_get_vtable(void);
1824 
1825 /**
1826  * \brief Obtain the `aes_x86ni` AES-CBC (decryption) implementation, if
1827  * available.
1828  *
1829  * This function returns a pointer to `br_aes_x86ni_cbcdec_vtable`, if
1830  * that implementation was compiled in the library _and_ the x86 AES
1831  * opcodes are available on the currently running CPU. If either of
1832  * these conditions is not met, then this function returns `NULL`.
1833  *
1834  * \return  the `aes_x86ni` AES-CBC (decryption) implementation, or `NULL`.
1835  */
1836 const br_block_cbcdec_class *br_aes_x86ni_cbcdec_get_vtable(void);
1837 
1838 /**
1839  * \brief Obtain the `aes_x86ni` AES-CTR implementation, if available.
1840  *
1841  * This function returns a pointer to `br_aes_x86ni_ctr_vtable`, if
1842  * that implementation was compiled in the library _and_ the x86 AES
1843  * opcodes are available on the currently running CPU. If either of
1844  * these conditions is not met, then this function returns `NULL`.
1845  *
1846  * \return  the `aes_x86ni` AES-CTR implementation, or `NULL`.
1847  */
1848 const br_block_ctr_class *br_aes_x86ni_ctr_get_vtable(void);
1849 
1850 /**
1851  * \brief Obtain the `aes_x86ni` AES-CTR + CBC-MAC implementation, if
1852  * available.
1853  *
1854  * This function returns a pointer to `br_aes_x86ni_ctrcbc_vtable`, if
1855  * that implementation was compiled in the library _and_ the x86 AES
1856  * opcodes are available on the currently running CPU. If either of
1857  * these conditions is not met, then this function returns `NULL`.
1858  *
1859  * \return  the `aes_x86ni` AES-CTR implementation, or `NULL`.
1860  */
1861 const br_block_ctrcbc_class *br_aes_x86ni_ctrcbc_get_vtable(void);
1862 
1863 /*
1864  * AES implementation using POWER8 opcodes.
1865  */
1866 
1867 /** \brief AES block size (16 bytes). */
1868 #define br_aes_pwr8_BLOCK_SIZE   16
1869 
1870 /**
1871  * \brief Context for AES subkeys (`aes_pwr8` implementation, CBC encryption).
1872  *
1873  * First field is a pointer to the vtable; it is set by the initialisation
1874  * function. Other fields are not supposed to be accessed by user code.
1875  */
1876 typedef struct {
1877 	/** \brief Pointer to vtable for this context. */
1878 	const br_block_cbcenc_class *vtable;
1879 #ifndef BR_DOXYGEN_IGNORE
1880 	union {
1881 		unsigned char skni[16 * 15];
1882 	} skey;
1883 	unsigned num_rounds;
1884 #endif
1885 } br_aes_pwr8_cbcenc_keys;
1886 
1887 /**
1888  * \brief Context for AES subkeys (`aes_pwr8` implementation, CBC decryption).
1889  *
1890  * First field is a pointer to the vtable; it is set by the initialisation
1891  * function. Other fields are not supposed to be accessed by user code.
1892  */
1893 typedef struct {
1894 	/** \brief Pointer to vtable for this context. */
1895 	const br_block_cbcdec_class *vtable;
1896 #ifndef BR_DOXYGEN_IGNORE
1897 	union {
1898 		unsigned char skni[16 * 15];
1899 	} skey;
1900 	unsigned num_rounds;
1901 #endif
1902 } br_aes_pwr8_cbcdec_keys;
1903 
1904 /**
1905  * \brief Context for AES subkeys (`aes_pwr8` implementation, CTR encryption
1906  * and decryption).
1907  *
1908  * First field is a pointer to the vtable; it is set by the initialisation
1909  * function. Other fields are not supposed to be accessed by user code.
1910  */
1911 typedef struct {
1912 	/** \brief Pointer to vtable for this context. */
1913 	const br_block_ctr_class *vtable;
1914 #ifndef BR_DOXYGEN_IGNORE
1915 	union {
1916 		unsigned char skni[16 * 15];
1917 	} skey;
1918 	unsigned num_rounds;
1919 #endif
1920 } br_aes_pwr8_ctr_keys;
1921 
1922 /**
1923  * \brief Context for AES subkeys (`aes_pwr8` implementation, CTR encryption
1924  * and decryption + CBC-MAC).
1925  *
1926  * First field is a pointer to the vtable; it is set by the initialisation
1927  * function. Other fields are not supposed to be accessed by user code.
1928  */
1929 typedef struct {
1930 	/** \brief Pointer to vtable for this context. */
1931 	const br_block_ctrcbc_class *vtable;
1932 #ifndef BR_DOXYGEN_IGNORE
1933 	union {
1934 		unsigned char skni[16 * 15];
1935 	} skey;
1936 	unsigned num_rounds;
1937 #endif
1938 } br_aes_pwr8_ctrcbc_keys;
1939 
1940 /**
1941  * \brief Class instance for AES CBC encryption (`aes_pwr8` implementation).
1942  *
1943  * Since this implementation might be omitted from the library, or the
1944  * AES opcode unavailable on the current CPU, a pointer to this class
1945  * instance should be obtained through `br_aes_pwr8_cbcenc_get_vtable()`.
1946  */
1947 extern const br_block_cbcenc_class br_aes_pwr8_cbcenc_vtable;
1948 
1949 /**
1950  * \brief Class instance for AES CBC decryption (`aes_pwr8` implementation).
1951  *
1952  * Since this implementation might be omitted from the library, or the
1953  * AES opcode unavailable on the current CPU, a pointer to this class
1954  * instance should be obtained through `br_aes_pwr8_cbcdec_get_vtable()`.
1955  */
1956 extern const br_block_cbcdec_class br_aes_pwr8_cbcdec_vtable;
1957 
1958 /**
1959  * \brief Class instance for AES CTR encryption and decryption
1960  * (`aes_pwr8` implementation).
1961  *
1962  * Since this implementation might be omitted from the library, or the
1963  * AES opcode unavailable on the current CPU, a pointer to this class
1964  * instance should be obtained through `br_aes_pwr8_ctr_get_vtable()`.
1965  */
1966 extern const br_block_ctr_class br_aes_pwr8_ctr_vtable;
1967 
1968 /**
1969  * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1970  * (`aes_pwr8` implementation).
1971  *
1972  * Since this implementation might be omitted from the library, or the
1973  * AES opcode unavailable on the current CPU, a pointer to this class
1974  * instance should be obtained through `br_aes_pwr8_ctrcbc_get_vtable()`.
1975  */
1976 extern const br_block_ctrcbc_class br_aes_pwr8_ctrcbc_vtable;
1977 
1978 /**
1979  * \brief Context initialisation (key schedule) for AES CBC encryption
1980  * (`aes_pwr8` implementation).
1981  *
1982  * \param ctx   context to initialise.
1983  * \param key   secret key.
1984  * \param len   secret key length (in bytes).
1985  */
1986 void br_aes_pwr8_cbcenc_init(br_aes_pwr8_cbcenc_keys *ctx,
1987 	const void *key, size_t len);
1988 
1989 /**
1990  * \brief Context initialisation (key schedule) for AES CBC decryption
1991  * (`aes_pwr8` implementation).
1992  *
1993  * \param ctx   context to initialise.
1994  * \param key   secret key.
1995  * \param len   secret key length (in bytes).
1996  */
1997 void br_aes_pwr8_cbcdec_init(br_aes_pwr8_cbcdec_keys *ctx,
1998 	const void *key, size_t len);
1999 
2000 /**
2001  * \brief Context initialisation (key schedule) for AES CTR encryption
2002  * and decryption (`aes_pwr8` implementation).
2003  *
2004  * \param ctx   context to initialise.
2005  * \param key   secret key.
2006  * \param len   secret key length (in bytes).
2007  */
2008 void br_aes_pwr8_ctr_init(br_aes_pwr8_ctr_keys *ctx,
2009 	const void *key, size_t len);
2010 
2011 /**
2012  * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
2013  * (`aes_pwr8` implementation).
2014  *
2015  * \param ctx   context to initialise.
2016  * \param key   secret key.
2017  * \param len   secret key length (in bytes).
2018  */
2019 void br_aes_pwr8_ctrcbc_init(br_aes_pwr8_ctrcbc_keys *ctx,
2020 	const void *key, size_t len);
2021 
2022 /**
2023  * \brief CBC encryption with AES (`aes_pwr8` implementation).
2024  *
2025  * \param ctx    context (already initialised).
2026  * \param iv     IV (updated).
2027  * \param data   data to encrypt (updated).
2028  * \param len    data length (in bytes, MUST be multiple of 16).
2029  */
2030 void br_aes_pwr8_cbcenc_run(const br_aes_pwr8_cbcenc_keys *ctx, void *iv,
2031 	void *data, size_t len);
2032 
2033 /**
2034  * \brief CBC decryption with AES (`aes_pwr8` implementation).
2035  *
2036  * \param ctx    context (already initialised).
2037  * \param iv     IV (updated).
2038  * \param data   data to decrypt (updated).
2039  * \param len    data length (in bytes, MUST be multiple of 16).
2040  */
2041 void br_aes_pwr8_cbcdec_run(const br_aes_pwr8_cbcdec_keys *ctx, void *iv,
2042 	void *data, size_t len);
2043 
2044 /**
2045  * \brief CTR encryption and decryption with AES (`aes_pwr8` implementation).
2046  *
2047  * \param ctx    context (already initialised).
2048  * \param iv     IV (constant, 12 bytes).
2049  * \param cc     initial block counter value.
2050  * \param data   data to decrypt (updated).
2051  * \param len    data length (in bytes).
2052  * \return  new block counter value.
2053  */
2054 uint32_t br_aes_pwr8_ctr_run(const br_aes_pwr8_ctr_keys *ctx,
2055 	const void *iv, uint32_t cc, void *data, size_t len);
2056 
2057 /**
2058  * \brief CTR encryption + CBC-MAC with AES (`aes_pwr8` implementation).
2059  *
2060  * \param ctx      context (already initialised).
2061  * \param ctr      counter for CTR (16 bytes, updated).
2062  * \param cbcmac   IV for CBC-MAC (updated).
2063  * \param data     data to encrypt (updated).
2064  * \param len      data length (in bytes, MUST be a multiple of 16).
2065  */
2066 void br_aes_pwr8_ctrcbc_encrypt(const br_aes_pwr8_ctrcbc_keys *ctx,
2067 	void *ctr, void *cbcmac, void *data, size_t len);
2068 
2069 /**
2070  * \brief CTR decryption + CBC-MAC with AES (`aes_pwr8` implementation).
2071  *
2072  * \param ctx      context (already initialised).
2073  * \param ctr      counter for CTR (16 bytes, updated).
2074  * \param cbcmac   IV for CBC-MAC (updated).
2075  * \param data     data to decrypt (updated).
2076  * \param len      data length (in bytes, MUST be a multiple of 16).
2077  */
2078 void br_aes_pwr8_ctrcbc_decrypt(const br_aes_pwr8_ctrcbc_keys *ctx,
2079 	void *ctr, void *cbcmac, void *data, size_t len);
2080 
2081 /**
2082  * \brief CTR encryption/decryption with AES (`aes_pwr8` implementation).
2083  *
2084  * \param ctx      context (already initialised).
2085  * \param ctr      counter for CTR (16 bytes, updated).
2086  * \param data     data to MAC (updated).
2087  * \param len      data length (in bytes, MUST be a multiple of 16).
2088  */
2089 void br_aes_pwr8_ctrcbc_ctr(const br_aes_pwr8_ctrcbc_keys *ctx,
2090 	void *ctr, void *data, size_t len);
2091 
2092 /**
2093  * \brief CBC-MAC with AES (`aes_pwr8` implementation).
2094  *
2095  * \param ctx      context (already initialised).
2096  * \param cbcmac   IV for CBC-MAC (updated).
2097  * \param data     data to MAC (unmodified).
2098  * \param len      data length (in bytes, MUST be a multiple of 16).
2099  */
2100 void br_aes_pwr8_ctrcbc_mac(const br_aes_pwr8_ctrcbc_keys *ctx,
2101 	void *cbcmac, const void *data, size_t len);
2102 
2103 /**
2104  * \brief Obtain the `aes_pwr8` AES-CBC (encryption) implementation, if
2105  * available.
2106  *
2107  * This function returns a pointer to `br_aes_pwr8_cbcenc_vtable`, if
2108  * that implementation was compiled in the library _and_ the POWER8
2109  * crypto opcodes are available on the currently running CPU. If either
2110  * of these conditions is not met, then this function returns `NULL`.
2111  *
2112  * \return  the `aes_pwr8` AES-CBC (encryption) implementation, or `NULL`.
2113  */
2114 const br_block_cbcenc_class *br_aes_pwr8_cbcenc_get_vtable(void);
2115 
2116 /**
2117  * \brief Obtain the `aes_pwr8` AES-CBC (decryption) implementation, if
2118  * available.
2119  *
2120  * This function returns a pointer to `br_aes_pwr8_cbcdec_vtable`, if
2121  * that implementation was compiled in the library _and_ the POWER8
2122  * crypto opcodes are available on the currently running CPU. If either
2123  * of these conditions is not met, then this function returns `NULL`.
2124  *
2125  * \return  the `aes_pwr8` AES-CBC (decryption) implementation, or `NULL`.
2126  */
2127 const br_block_cbcdec_class *br_aes_pwr8_cbcdec_get_vtable(void);
2128 
2129 /**
2130  * \brief Obtain the `aes_pwr8` AES-CTR implementation, if available.
2131  *
2132  * This function returns a pointer to `br_aes_pwr8_ctr_vtable`, if that
2133  * implementation was compiled in the library _and_ the POWER8 crypto
2134  * opcodes are available on the currently running CPU. If either of
2135  * these conditions is not met, then this function returns `NULL`.
2136  *
2137  * \return  the `aes_pwr8` AES-CTR implementation, or `NULL`.
2138  */
2139 const br_block_ctr_class *br_aes_pwr8_ctr_get_vtable(void);
2140 
2141 /**
2142  * \brief Obtain the `aes_pwr8` AES-CTR + CBC-MAC implementation, if
2143  * available.
2144  *
2145  * This function returns a pointer to `br_aes_pwr8_ctrcbc_vtable`, if
2146  * that implementation was compiled in the library _and_ the POWER8 AES
2147  * opcodes are available on the currently running CPU. If either of
2148  * these conditions is not met, then this function returns `NULL`.
2149  *
2150  * \return  the `aes_pwr8` AES-CTR implementation, or `NULL`.
2151  */
2152 const br_block_ctrcbc_class *br_aes_pwr8_ctrcbc_get_vtable(void);
2153 
2154 /**
2155  * \brief Aggregate structure large enough to be used as context for
2156  * subkeys (CBC encryption) for all AES implementations.
2157  */
2158 typedef union {
2159 	const br_block_cbcenc_class *vtable;
2160 	br_aes_big_cbcenc_keys c_big;
2161 	br_aes_small_cbcenc_keys c_small;
2162 	br_aes_ct_cbcenc_keys c_ct;
2163 	br_aes_ct64_cbcenc_keys c_ct64;
2164 	br_aes_x86ni_cbcenc_keys c_x86ni;
2165 	br_aes_pwr8_cbcenc_keys c_pwr8;
2166 } br_aes_gen_cbcenc_keys;
2167 
2168 /**
2169  * \brief Aggregate structure large enough to be used as context for
2170  * subkeys (CBC decryption) for all AES implementations.
2171  */
2172 typedef union {
2173 	const br_block_cbcdec_class *vtable;
2174 	br_aes_big_cbcdec_keys c_big;
2175 	br_aes_small_cbcdec_keys c_small;
2176 	br_aes_ct_cbcdec_keys c_ct;
2177 	br_aes_ct64_cbcdec_keys c_ct64;
2178 	br_aes_x86ni_cbcdec_keys c_x86ni;
2179 	br_aes_pwr8_cbcdec_keys c_pwr8;
2180 } br_aes_gen_cbcdec_keys;
2181 
2182 /**
2183  * \brief Aggregate structure large enough to be used as context for
2184  * subkeys (CTR encryption and decryption) for all AES implementations.
2185  */
2186 typedef union {
2187 	const br_block_ctr_class *vtable;
2188 	br_aes_big_ctr_keys c_big;
2189 	br_aes_small_ctr_keys c_small;
2190 	br_aes_ct_ctr_keys c_ct;
2191 	br_aes_ct64_ctr_keys c_ct64;
2192 	br_aes_x86ni_ctr_keys c_x86ni;
2193 	br_aes_pwr8_ctr_keys c_pwr8;
2194 } br_aes_gen_ctr_keys;
2195 
2196 /**
2197  * \brief Aggregate structure large enough to be used as context for
2198  * subkeys (CTR encryption/decryption + CBC-MAC) for all AES implementations.
2199  */
2200 typedef union {
2201 	const br_block_ctrcbc_class *vtable;
2202 	br_aes_big_ctrcbc_keys c_big;
2203 	br_aes_small_ctrcbc_keys c_small;
2204 	br_aes_ct_ctrcbc_keys c_ct;
2205 	br_aes_ct64_ctrcbc_keys c_ct64;
2206 	br_aes_x86ni_ctrcbc_keys c_x86ni;
2207 	br_aes_pwr8_ctrcbc_keys c_pwr8;
2208 } br_aes_gen_ctrcbc_keys;
2209 
2210 /*
2211  * Traditional, table-based implementation for DES/3DES. Since tables are
2212  * used, cache-timing attacks are conceptually possible.
2213  */
2214 
2215 /** \brief DES/3DES block size (8 bytes). */
2216 #define br_des_tab_BLOCK_SIZE   8
2217 
2218 /**
2219  * \brief Context for DES subkeys (`des_tab` implementation, CBC encryption).
2220  *
2221  * First field is a pointer to the vtable; it is set by the initialisation
2222  * function. Other fields are not supposed to be accessed by user code.
2223  */
2224 typedef struct {
2225 	/** \brief Pointer to vtable for this context. */
2226 	const br_block_cbcenc_class *vtable;
2227 #ifndef BR_DOXYGEN_IGNORE
2228 	uint32_t skey[96];
2229 	unsigned num_rounds;
2230 #endif
2231 } br_des_tab_cbcenc_keys;
2232 
2233 /**
2234  * \brief Context for DES subkeys (`des_tab` implementation, CBC decryption).
2235  *
2236  * First field is a pointer to the vtable; it is set by the initialisation
2237  * function. Other fields are not supposed to be accessed by user code.
2238  */
2239 typedef struct {
2240 	/** \brief Pointer to vtable for this context. */
2241 	const br_block_cbcdec_class *vtable;
2242 #ifndef BR_DOXYGEN_IGNORE
2243 	uint32_t skey[96];
2244 	unsigned num_rounds;
2245 #endif
2246 } br_des_tab_cbcdec_keys;
2247 
2248 /**
2249  * \brief Class instance for DES CBC encryption (`des_tab` implementation).
2250  */
2251 extern const br_block_cbcenc_class br_des_tab_cbcenc_vtable;
2252 
2253 /**
2254  * \brief Class instance for DES CBC decryption (`des_tab` implementation).
2255  */
2256 extern const br_block_cbcdec_class br_des_tab_cbcdec_vtable;
2257 
2258 /**
2259  * \brief Context initialisation (key schedule) for DES CBC encryption
2260  * (`des_tab` implementation).
2261  *
2262  * \param ctx   context to initialise.
2263  * \param key   secret key.
2264  * \param len   secret key length (in bytes).
2265  */
2266 void br_des_tab_cbcenc_init(br_des_tab_cbcenc_keys *ctx,
2267 	const void *key, size_t len);
2268 
2269 /**
2270  * \brief Context initialisation (key schedule) for DES CBC decryption
2271  * (`des_tab` implementation).
2272  *
2273  * \param ctx   context to initialise.
2274  * \param key   secret key.
2275  * \param len   secret key length (in bytes).
2276  */
2277 void br_des_tab_cbcdec_init(br_des_tab_cbcdec_keys *ctx,
2278 	const void *key, size_t len);
2279 
2280 /**
2281  * \brief CBC encryption with DES (`des_tab` implementation).
2282  *
2283  * \param ctx    context (already initialised).
2284  * \param iv     IV (updated).
2285  * \param data   data to encrypt (updated).
2286  * \param len    data length (in bytes, MUST be multiple of 8).
2287  */
2288 void br_des_tab_cbcenc_run(const br_des_tab_cbcenc_keys *ctx, void *iv,
2289 	void *data, size_t len);
2290 
2291 /**
2292  * \brief CBC decryption with DES (`des_tab` implementation).
2293  *
2294  * \param ctx    context (already initialised).
2295  * \param iv     IV (updated).
2296  * \param data   data to decrypt (updated).
2297  * \param len    data length (in bytes, MUST be multiple of 8).
2298  */
2299 void br_des_tab_cbcdec_run(const br_des_tab_cbcdec_keys *ctx, void *iv,
2300 	void *data, size_t len);
2301 
2302 /*
2303  * Constant-time implementation for DES/3DES. It is substantially slower
2304  * (by a factor of about 4x), but also immune to cache-timing attacks.
2305  */
2306 
2307 /** \brief DES/3DES block size (8 bytes). */
2308 #define br_des_ct_BLOCK_SIZE   8
2309 
2310 /**
2311  * \brief Context for DES subkeys (`des_ct` implementation, CBC encryption).
2312  *
2313  * First field is a pointer to the vtable; it is set by the initialisation
2314  * function. Other fields are not supposed to be accessed by user code.
2315  */
2316 typedef struct {
2317 	/** \brief Pointer to vtable for this context. */
2318 	const br_block_cbcenc_class *vtable;
2319 #ifndef BR_DOXYGEN_IGNORE
2320 	uint32_t skey[96];
2321 	unsigned num_rounds;
2322 #endif
2323 } br_des_ct_cbcenc_keys;
2324 
2325 /**
2326  * \brief Context for DES subkeys (`des_ct` implementation, CBC decryption).
2327  *
2328  * First field is a pointer to the vtable; it is set by the initialisation
2329  * function. Other fields are not supposed to be accessed by user code.
2330  */
2331 typedef struct {
2332 	/** \brief Pointer to vtable for this context. */
2333 	const br_block_cbcdec_class *vtable;
2334 #ifndef BR_DOXYGEN_IGNORE
2335 	uint32_t skey[96];
2336 	unsigned num_rounds;
2337 #endif
2338 } br_des_ct_cbcdec_keys;
2339 
2340 /**
2341  * \brief Class instance for DES CBC encryption (`des_ct` implementation).
2342  */
2343 extern const br_block_cbcenc_class br_des_ct_cbcenc_vtable;
2344 
2345 /**
2346  * \brief Class instance for DES CBC decryption (`des_ct` implementation).
2347  */
2348 extern const br_block_cbcdec_class br_des_ct_cbcdec_vtable;
2349 
2350 /**
2351  * \brief Context initialisation (key schedule) for DES CBC encryption
2352  * (`des_ct` implementation).
2353  *
2354  * \param ctx   context to initialise.
2355  * \param key   secret key.
2356  * \param len   secret key length (in bytes).
2357  */
2358 void br_des_ct_cbcenc_init(br_des_ct_cbcenc_keys *ctx,
2359 	const void *key, size_t len);
2360 
2361 /**
2362  * \brief Context initialisation (key schedule) for DES CBC decryption
2363  * (`des_ct` implementation).
2364  *
2365  * \param ctx   context to initialise.
2366  * \param key   secret key.
2367  * \param len   secret key length (in bytes).
2368  */
2369 void br_des_ct_cbcdec_init(br_des_ct_cbcdec_keys *ctx,
2370 	const void *key, size_t len);
2371 
2372 /**
2373  * \brief CBC encryption with DES (`des_ct` implementation).
2374  *
2375  * \param ctx    context (already initialised).
2376  * \param iv     IV (updated).
2377  * \param data   data to encrypt (updated).
2378  * \param len    data length (in bytes, MUST be multiple of 8).
2379  */
2380 void br_des_ct_cbcenc_run(const br_des_ct_cbcenc_keys *ctx, void *iv,
2381 	void *data, size_t len);
2382 
2383 /**
2384  * \brief CBC decryption with DES (`des_ct` implementation).
2385  *
2386  * \param ctx    context (already initialised).
2387  * \param iv     IV (updated).
2388  * \param data   data to decrypt (updated).
2389  * \param len    data length (in bytes, MUST be multiple of 8).
2390  */
2391 void br_des_ct_cbcdec_run(const br_des_ct_cbcdec_keys *ctx, void *iv,
2392 	void *data, size_t len);
2393 
2394 /*
2395  * These structures are large enough to accommodate subkeys for all
2396  * DES/3DES implementations.
2397  */
2398 
2399 /**
2400  * \brief Aggregate structure large enough to be used as context for
2401  * subkeys (CBC encryption) for all DES implementations.
2402  */
2403 typedef union {
2404 	const br_block_cbcenc_class *vtable;
2405 	br_des_tab_cbcenc_keys tab;
2406 	br_des_ct_cbcenc_keys ct;
2407 } br_des_gen_cbcenc_keys;
2408 
2409 /**
2410  * \brief Aggregate structure large enough to be used as context for
2411  * subkeys (CBC decryption) for all DES implementations.
2412  */
2413 typedef union {
2414 	const br_block_cbcdec_class *vtable;
2415 	br_des_tab_cbcdec_keys c_tab;
2416 	br_des_ct_cbcdec_keys c_ct;
2417 } br_des_gen_cbcdec_keys;
2418 
2419 /**
2420  * \brief Type for a ChaCha20 implementation.
2421  *
2422  * An implementation follows the description in RFC 7539:
2423  *
2424  *   - Key is 256 bits (`key` points to exactly 32 bytes).
2425  *
2426  *   - IV is 96 bits (`iv` points to exactly 12 bytes).
2427  *
2428  *   - Block counter is over 32 bits and starts at value `cc`; the
2429  *     resulting value is returned.
2430  *
2431  * Data (pointed to by `data`, of length `len`) is encrypted/decrypted
2432  * in place. If `len` is not a multiple of 64, then the excess bytes from
2433  * the last block processing are dropped (therefore, "chunked" processing
2434  * works only as long as each non-final chunk has a length multiple of 64).
2435  *
2436  * \param key    secret key (32 bytes).
2437  * \param iv     IV (12 bytes).
2438  * \param cc     initial counter value.
2439  * \param data   data to encrypt or decrypt.
2440  * \param len    data length (in bytes).
2441  */
2442 typedef uint32_t (*br_chacha20_run)(const void *key,
2443 	const void *iv, uint32_t cc, void *data, size_t len);
2444 
2445 /**
2446  * \brief ChaCha20 implementation (straightforward C code, constant-time).
2447  *
2448  * \see br_chacha20_run
2449  *
2450  * \param key    secret key (32 bytes).
2451  * \param iv     IV (12 bytes).
2452  * \param cc     initial counter value.
2453  * \param data   data to encrypt or decrypt.
2454  * \param len    data length (in bytes).
2455  */
2456 uint32_t br_chacha20_ct_run(const void *key,
2457 	const void *iv, uint32_t cc, void *data, size_t len);
2458 
2459 /**
2460  * \brief ChaCha20 implementation (SSE2 code, constant-time).
2461  *
2462  * This implementation is available only on x86 platforms, depending on
2463  * compiler support. Moreover, in 32-bit mode, it might not actually run,
2464  * if the underlying hardware does not implement the SSE2 opcode (in
2465  * 64-bit mode, SSE2 is part of the ABI, so if the code could be compiled
2466  * at all, then it can run). Use `br_chacha20_sse2_get()` to safely obtain
2467  * a pointer to that function.
2468  *
2469  * \see br_chacha20_run
2470  *
2471  * \param key    secret key (32 bytes).
2472  * \param iv     IV (12 bytes).
2473  * \param cc     initial counter value.
2474  * \param data   data to encrypt or decrypt.
2475  * \param len    data length (in bytes).
2476  */
2477 uint32_t br_chacha20_sse2_run(const void *key,
2478 	const void *iv, uint32_t cc, void *data, size_t len);
2479 
2480 /**
2481  * \brief Obtain the `sse2` ChaCha20 implementation, if available.
2482  *
2483  * This function returns a pointer to `br_chacha20_sse2_run`, if
2484  * that implementation was compiled in the library _and_ the SSE2
2485  * opcodes are available on the currently running CPU. If either of
2486  * these conditions is not met, then this function returns `0`.
2487  *
2488  * \return  the `sse2` ChaCha20 implementation, or `0`.
2489  */
2490 br_chacha20_run br_chacha20_sse2_get(void);
2491 
2492 /**
2493  * \brief Type for a ChaCha20+Poly1305 AEAD implementation.
2494  *
2495  * The provided data is encrypted or decrypted with ChaCha20. The
2496  * authentication tag is computed on the concatenation of the
2497  * additional data and the ciphertext, with the padding and lengths
2498  * as described in RFC 7539 (section 2.8).
2499  *
2500  * After decryption, the caller is responsible for checking that the
2501  * computed tag matches the expected value.
2502  *
2503  * \param key       secret key (32 bytes).
2504  * \param iv        nonce (12 bytes).
2505  * \param data      data to encrypt or decrypt.
2506  * \param len       data length (in bytes).
2507  * \param aad       additional authenticated data.
2508  * \param aad_len   length of additional authenticated data (in bytes).
2509  * \param tag       output buffer for the authentication tag.
2510  * \param ichacha   implementation of ChaCha20.
2511  * \param encrypt   non-zero for encryption, zero for decryption.
2512  */
2513 typedef void (*br_poly1305_run)(const void *key, const void *iv,
2514 	void *data, size_t len, const void *aad, size_t aad_len,
2515 	void *tag, br_chacha20_run ichacha, int encrypt);
2516 
2517 /**
2518  * \brief ChaCha20+Poly1305 AEAD implementation (mixed 32-bit multiplications).
2519  *
2520  * \see br_poly1305_run
2521  *
2522  * \param key       secret key (32 bytes).
2523  * \param iv        nonce (12 bytes).
2524  * \param data      data to encrypt or decrypt.
2525  * \param len       data length (in bytes).
2526  * \param aad       additional authenticated data.
2527  * \param aad_len   length of additional authenticated data (in bytes).
2528  * \param tag       output buffer for the authentication tag.
2529  * \param ichacha   implementation of ChaCha20.
2530  * \param encrypt   non-zero for encryption, zero for decryption.
2531  */
2532 void br_poly1305_ctmul_run(const void *key, const void *iv,
2533 	void *data, size_t len, const void *aad, size_t aad_len,
2534 	void *tag, br_chacha20_run ichacha, int encrypt);
2535 
2536 /**
2537  * \brief ChaCha20+Poly1305 AEAD implementation (pure 32-bit multiplications).
2538  *
2539  * \see br_poly1305_run
2540  *
2541  * \param key       secret key (32 bytes).
2542  * \param iv        nonce (12 bytes).
2543  * \param data      data to encrypt or decrypt.
2544  * \param len       data length (in bytes).
2545  * \param aad       additional authenticated data.
2546  * \param aad_len   length of additional authenticated data (in bytes).
2547  * \param tag       output buffer for the authentication tag.
2548  * \param ichacha   implementation of ChaCha20.
2549  * \param encrypt   non-zero for encryption, zero for decryption.
2550  */
2551 void br_poly1305_ctmul32_run(const void *key, const void *iv,
2552 	void *data, size_t len, const void *aad, size_t aad_len,
2553 	void *tag, br_chacha20_run ichacha, int encrypt);
2554 
2555 /**
2556  * \brief ChaCha20+Poly1305 AEAD implementation (i15).
2557  *
2558  * This implementation relies on the generic big integer code "i15"
2559  * (which uses pure 32-bit multiplications). As such, it may save a
2560  * little code footprint in a context where "i15" is already included
2561  * (e.g. for elliptic curves or for RSA); however, it is also
2562  * substantially slower than the ctmul and ctmul32 implementations.
2563  *
2564  * \see br_poly1305_run
2565  *
2566  * \param key       secret key (32 bytes).
2567  * \param iv        nonce (12 bytes).
2568  * \param data      data to encrypt or decrypt.
2569  * \param len       data length (in bytes).
2570  * \param aad       additional authenticated data.
2571  * \param aad_len   length of additional authenticated data (in bytes).
2572  * \param tag       output buffer for the authentication tag.
2573  * \param ichacha   implementation of ChaCha20.
2574  * \param encrypt   non-zero for encryption, zero for decryption.
2575  */
2576 void br_poly1305_i15_run(const void *key, const void *iv,
2577 	void *data, size_t len, const void *aad, size_t aad_len,
2578 	void *tag, br_chacha20_run ichacha, int encrypt);
2579 
2580 /**
2581  * \brief ChaCha20+Poly1305 AEAD implementation (ctmulq).
2582  *
2583  * This implementation uses 64-bit multiplications (result over 128 bits).
2584  * It is available only on platforms that offer such a primitive (in
2585  * practice, 64-bit architectures). Use `br_poly1305_ctmulq_get()` to
2586  * dynamically obtain a pointer to that function, or 0 if not supported.
2587  *
2588  * \see br_poly1305_run
2589  *
2590  * \param key       secret key (32 bytes).
2591  * \param iv        nonce (12 bytes).
2592  * \param data      data to encrypt or decrypt.
2593  * \param len       data length (in bytes).
2594  * \param aad       additional authenticated data.
2595  * \param aad_len   length of additional authenticated data (in bytes).
2596  * \param tag       output buffer for the authentication tag.
2597  * \param ichacha   implementation of ChaCha20.
2598  * \param encrypt   non-zero for encryption, zero for decryption.
2599  */
2600 void br_poly1305_ctmulq_run(const void *key, const void *iv,
2601 	void *data, size_t len, const void *aad, size_t aad_len,
2602 	void *tag, br_chacha20_run ichacha, int encrypt);
2603 
2604 /**
2605  * \brief Get the ChaCha20+Poly1305 "ctmulq" implementation, if available.
2606  *
2607  * This function returns a pointer to the `br_poly1305_ctmulq_run()`
2608  * function if supported on the current platform; otherwise, it returns 0.
2609  *
2610  * \return  the ctmulq ChaCha20+Poly1305 implementation, or 0.
2611  */
2612 br_poly1305_run br_poly1305_ctmulq_get(void);
2613 
2614 #ifdef __cplusplus
2615 }
2616 #endif
2617 
2618 #endif
2619