1 /* 2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org> 3 * 4 * Permission is hereby granted, free of charge, to any person obtaining 5 * a copy of this software and associated documentation files (the 6 * "Software"), to deal in the Software without restriction, including 7 * without limitation the rights to use, copy, modify, merge, publish, 8 * distribute, sublicense, and/or sell copies of the Software, and to 9 * permit persons to whom the Software is furnished to do so, subject to 10 * the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #ifndef BR_BEARSSL_BLOCK_H__ 26 #define BR_BEARSSL_BLOCK_H__ 27 28 #include <stddef.h> 29 #include <stdint.h> 30 31 #ifdef __cplusplus 32 extern "C" { 33 #endif 34 35 /** \file bearssl_block.h 36 * 37 * # Block Ciphers and Symmetric Ciphers 38 * 39 * This file documents the API for block ciphers and other symmetric 40 * ciphers. 41 * 42 * 43 * ## Procedural API 44 * 45 * For a block cipher implementation, up to three separate sets of 46 * functions are provided, for CBC encryption, CBC decryption, and CTR 47 * encryption/decryption. Each set has its own context structure, 48 * initialised with the encryption key. 49 * 50 * For CBC encryption and decryption, the data to encrypt or decrypt is 51 * referenced as a sequence of blocks. The implementations assume that 52 * there is no partial block; no padding is applied or removed. The 53 * caller is responsible for handling any kind of padding. 54 * 55 * Function for CTR encryption are defined only for block ciphers with 56 * blocks of 16 bytes or more (i.e. AES, but not DES/3DES). 57 * 58 * Each implemented block cipher is identified by an "internal name" 59 * from which are derived the names of structures and functions that 60 * implement the cipher. For the block cipher of internal name "`xxx`", 61 * the following are defined: 62 * 63 * - `br_xxx_BLOCK_SIZE` 64 * 65 * A macro that evaluates to the block size (in bytes) of the 66 * cipher. For all implemented block ciphers, this value is a 67 * power of two. 68 * 69 * - `br_xxx_cbcenc_keys` 70 * 71 * Context structure that contains the subkeys resulting from the key 72 * expansion. These subkeys are appropriate for CBC encryption. The 73 * structure first field is called `vtable` and points to the 74 * appropriate OOP structure. 75 * 76 * - `br_xxx_cbcenc_init(br_xxx_cbcenc_keys *ctx, const void *key, size_t len)` 77 * 78 * Perform key expansion: subkeys for CBC encryption are computed and 79 * written in the provided context structure. The key length MUST be 80 * adequate for the implemented block cipher. This function also sets 81 * the `vtable` field. 82 * 83 * - `br_xxx_cbcenc_run(const br_xxx_cbcenc_keys *ctx, void *iv, void *data, size_t len)` 84 * 85 * Perform CBC encryption of `len` bytes, in place. The encrypted data 86 * replaces the cleartext. `len` MUST be a multiple of the block length 87 * (if it is not, the function may loop forever or overflow a buffer). 88 * The IV is provided with the `iv` pointer; it is also updated with 89 * a copy of the last encrypted block. 90 * 91 * - `br_xxx_cbcdec_keys` 92 * 93 * Context structure that contains the subkeys resulting from the key 94 * expansion. These subkeys are appropriate for CBC decryption. The 95 * structure first field is called `vtable` and points to the 96 * appropriate OOP structure. 97 * 98 * - `br_xxx_cbcdec_init(br_xxx_cbcenc_keys *ctx, const void *key, size_t len)` 99 * 100 * Perform key expansion: subkeys for CBC decryption are computed and 101 * written in the provided context structure. The key length MUST be 102 * adequate for the implemented block cipher. This function also sets 103 * the `vtable` field. 104 * 105 * - `br_xxx_cbcdec_run(const br_xxx_cbcdec_keys *ctx, void *iv, void *data, size_t num_blocks)` 106 * 107 * Perform CBC decryption of `len` bytes, in place. The decrypted data 108 * replaces the ciphertext. `len` MUST be a multiple of the block length 109 * (if it is not, the function may loop forever or overflow a buffer). 110 * The IV is provided with the `iv` pointer; it is also updated with 111 * a copy of the last _encrypted_ block. 112 * 113 * - `br_xxx_ctr_keys` 114 * 115 * Context structure that contains the subkeys resulting from the key 116 * expansion. These subkeys are appropriate for CTR encryption and 117 * decryption. The structure first field is called `vtable` and 118 * points to the appropriate OOP structure. 119 * 120 * - `br_xxx_ctr_init(br_xxx_ctr_keys *ctx, const void *key, size_t len)` 121 * 122 * Perform key expansion: subkeys for CTR encryption and decryption 123 * are computed and written in the provided context structure. The 124 * key length MUST be adequate for the implemented block cipher. This 125 * function also sets the `vtable` field. 126 * 127 * - `br_xxx_ctr_run(const br_xxx_ctr_keys *ctx, const void *iv, uint32_t cc, void *data, size_t len)` (returns `uint32_t`) 128 * 129 * Perform CTR encryption/decryption of some data. Processing is done 130 * "in place" (the output data replaces the input data). This function 131 * implements the "standard incrementing function" from NIST SP800-38A, 132 * annex B: the IV length shall be 4 bytes less than the block size 133 * (i.e. 12 bytes for AES) and the counter is the 32-bit value starting 134 * with `cc`. The data length (`len`) is not necessarily a multiple of 135 * the block size. The new counter value is returned, which supports 136 * chunked processing, provided that each chunk length (except possibly 137 * the last one) is a multiple of the block size. 138 * 139 * - `br_xxx_ctrcbc_keys` 140 * 141 * Context structure that contains the subkeys resulting from the 142 * key expansion. These subkeys are appropriate for doing combined 143 * CTR encryption/decryption and CBC-MAC, as used in the CCM and EAX 144 * authenticated encryption modes. The structure first field is 145 * called `vtable` and points to the appropriate OOP structure. 146 * 147 * - `br_xxx_ctrcbc_init(br_xxx_ctr_keys *ctx, const void *key, size_t len)` 148 * 149 * Perform key expansion: subkeys for combined CTR 150 * encryption/decryption and CBC-MAC are computed and written in the 151 * provided context structure. The key length MUST be adequate for 152 * the implemented block cipher. This function also sets the 153 * `vtable` field. 154 * 155 * - `br_xxx_ctrcbc_encrypt(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *cbcmac, void *data, size_t len)` 156 * 157 * Perform CTR encryption of some data, and CBC-MAC. Processing is 158 * done "in place" (the output data replaces the input data). This 159 * function applies CTR encryption on the data, using a full 160 * block-size counter (i.e. for 128-bit blocks, the counter is 161 * incremented as a 128-bit value). The 'ctr' array contains the 162 * initial value for the counter (used in the first block) and it is 163 * updated with the new value after data processing. The 'cbcmac' 164 * value shall point to a block-sized value which is used as IV for 165 * CBC-MAC, computed over the encrypted data (output of CTR 166 * encryption); the resulting CBC-MAC is written over 'cbcmac' on 167 * output. 168 * 169 * The data length MUST be a multiple of the block size. 170 * 171 * - `br_xxx_ctrcbc_decrypt(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *cbcmac, void *data, size_t len)` 172 * 173 * Perform CTR decryption of some data, and CBC-MAC. Processing is 174 * done "in place" (the output data replaces the input data). This 175 * function applies CTR decryption on the data, using a full 176 * block-size counter (i.e. for 128-bit blocks, the counter is 177 * incremented as a 128-bit value). The 'ctr' array contains the 178 * initial value for the counter (used in the first block) and it is 179 * updated with the new value after data processing. The 'cbcmac' 180 * value shall point to a block-sized value which is used as IV for 181 * CBC-MAC, computed over the encrypted data (input of CTR 182 * encryption); the resulting CBC-MAC is written over 'cbcmac' on 183 * output. 184 * 185 * The data length MUST be a multiple of the block size. 186 * 187 * - `br_xxx_ctrcbc_ctr(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *data, size_t len)` 188 * 189 * Perform CTR encryption or decryption of the provided data. The 190 * data is processed "in place" (the output data replaces the input 191 * data). A full block-sized counter is applied (i.e. for 128-bit 192 * blocks, the counter is incremented as a 128-bit value). The 'ctr' 193 * array contains the initial value for the counter (used in the 194 * first block), and it is updated with the new value after data 195 * processing. 196 * 197 * The data length MUST be a multiple of the block size. 198 * 199 * - `br_xxx_ctrcbc_mac(const br_xxx_ctrcbc_keys *ctx, void *cbcmac, const void *data, size_t len)` 200 * 201 * Compute CBC-MAC over the provided data. The IV for CBC-MAC is 202 * provided as 'cbcmac'; the output is written over the same array. 203 * The data itself is untouched. The data length MUST be a multiple 204 * of the block size. 205 * 206 * 207 * It shall be noted that the key expansion functions return `void`. If 208 * the provided key length is not allowed, then there will be no error 209 * reporting; implementations need not validate the key length, thus an 210 * invalid key length may result in undefined behaviour (e.g. buffer 211 * overflow). 212 * 213 * Subkey structures contain no interior pointer, and no external 214 * resources are allocated upon key expansion. They can thus be 215 * discarded without any explicit deallocation. 216 * 217 * 218 * ## Object-Oriented API 219 * 220 * Each context structure begins with a field (called `vtable`) that 221 * points to an instance of a structure that references the relevant 222 * functions through pointers. Each such structure contains the 223 * following: 224 * 225 * - `context_size` 226 * 227 * The size (in bytes) of the context structure for subkeys. 228 * 229 * - `block_size` 230 * 231 * The cipher block size (in bytes). 232 * 233 * - `log_block_size` 234 * 235 * The base-2 logarithm of cipher block size (e.g. 4 for blocks 236 * of 16 bytes). 237 * 238 * - `init` 239 * 240 * Pointer to the key expansion function. 241 * 242 * - `run` 243 * 244 * Pointer to the encryption/decryption function. 245 * 246 * For combined CTR/CBC-MAC encryption, the `vtable` has a slightly 247 * different structure: 248 * 249 * - `context_size` 250 * 251 * The size (in bytes) of the context structure for subkeys. 252 * 253 * - `block_size` 254 * 255 * The cipher block size (in bytes). 256 * 257 * - `log_block_size` 258 * 259 * The base-2 logarithm of cipher block size (e.g. 4 for blocks 260 * of 16 bytes). 261 * 262 * - `init` 263 * 264 * Pointer to the key expansion function. 265 * 266 * - `encrypt` 267 * 268 * Pointer to the CTR encryption + CBC-MAC function. 269 * 270 * - `decrypt` 271 * 272 * Pointer to the CTR decryption + CBC-MAC function. 273 * 274 * - `ctr` 275 * 276 * Pointer to the CTR encryption/decryption function. 277 * 278 * - `mac` 279 * 280 * Pointer to the CBC-MAC function. 281 * 282 * For block cipher "`xxx`", static, constant instances of these 283 * structures are defined, under the names: 284 * 285 * - `br_xxx_cbcenc_vtable` 286 * - `br_xxx_cbcdec_vtable` 287 * - `br_xxx_ctr_vtable` 288 * - `br_xxx_ctrcbc_vtable` 289 * 290 * 291 * ## Implemented Block Ciphers 292 * 293 * Provided implementations are: 294 * 295 * | Name | Function | Block Size (bytes) | Key lengths (bytes) | 296 * | :-------- | :------- | :----------------: | :-----------------: | 297 * | aes_big | AES | 16 | 16, 24 and 32 | 298 * | aes_small | AES | 16 | 16, 24 and 32 | 299 * | aes_ct | AES | 16 | 16, 24 and 32 | 300 * | aes_ct64 | AES | 16 | 16, 24 and 32 | 301 * | aes_x86ni | AES | 16 | 16, 24 and 32 | 302 * | aes_pwr8 | AES | 16 | 16, 24 and 32 | 303 * | des_ct | DES/3DES | 8 | 8, 16 and 24 | 304 * | des_tab | DES/3DES | 8 | 8, 16 and 24 | 305 * 306 * **Note:** DES/3DES nominally uses keys of 64, 128 and 192 bits (i.e. 8, 307 * 16 and 24 bytes), but some of the bits are ignored by the algorithm, so 308 * the _effective_ key lengths, from a security point of view, are 56, 309 * 112 and 168 bits, respectively. 310 * 311 * `aes_big` is a "classical" AES implementation, using tables. It 312 * is fast but not constant-time, since it makes data-dependent array 313 * accesses. 314 * 315 * `aes_small` is an AES implementation optimized for code size. It 316 * is substantially slower than `aes_big`; it is not constant-time 317 * either. 318 * 319 * `aes_ct` is a constant-time implementation of AES; its code is about 320 * as big as that of `aes_big`, while its performance is comparable to 321 * that of `aes_small`. However, it is constant-time. This 322 * implementation should thus be considered to be the "default" AES in 323 * BearSSL, to be used unless the operational context guarantees that a 324 * non-constant-time implementation is safe, or an architecture-specific 325 * constant-time implementation can be used (e.g. using dedicated 326 * hardware opcodes). 327 * 328 * `aes_ct64` is another constant-time implementation of AES. It is 329 * similar to `aes_ct` but uses 64-bit values. On 32-bit machines, 330 * `aes_ct64` is not faster than `aes_ct`, often a bit slower, and has 331 * a larger footprint; however, on 64-bit architectures, `aes_ct64` 332 * is typically twice faster than `aes_ct` for modes that allow parallel 333 * operations (i.e. CTR, and CBC decryption, but not CBC encryption). 334 * 335 * `aes_x86ni` exists only on x86 architectures (32-bit and 64-bit). It 336 * uses the AES-NI opcodes when available. 337 * 338 * `aes_pwr8` exists only on PowerPC / POWER architectures (32-bit and 339 * 64-bit, both little-endian and big-endian). It uses the AES opcodes 340 * present in POWER8 and later. 341 * 342 * `des_tab` is a classic, table-based implementation of DES/3DES. It 343 * is not constant-time. 344 * 345 * `des_ct` is an constant-time implementation of DES/3DES. It is 346 * substantially slower than `des_tab`. 347 * 348 * ## ChaCha20 and Poly1305 349 * 350 * ChaCha20 is a stream cipher. Poly1305 is a MAC algorithm. They 351 * are described in [RFC 7539](https://tools.ietf.org/html/rfc7539). 352 * 353 * Two function pointer types are defined: 354 * 355 * - `br_chacha20_run` describes a function that implements ChaCha20 356 * only. 357 * 358 * - `br_poly1305_run` describes an implementation of Poly1305, 359 * in the AEAD combination with ChaCha20 specified in RFC 7539 360 * (the ChaCha20 implementation is provided as a function pointer). 361 * 362 * `chacha20_ct` is a straightforward implementation of ChaCha20 in 363 * plain C; it is constant-time, small, and reasonably fast. 364 * 365 * `chacha20_sse2` leverages SSE2 opcodes (on x86 architectures that 366 * support these opcodes). It is faster than `chacha20_ct`. 367 * 368 * `poly1305_ctmul` is an implementation of the ChaCha20+Poly1305 AEAD 369 * construction, where the Poly1305 part is performed with mixed 32-bit 370 * multiplications (operands are 32-bit, result is 64-bit). 371 * 372 * `poly1305_ctmul32` implements ChaCha20+Poly1305 using pure 32-bit 373 * multiplications (32-bit operands, 32-bit result). It is slower than 374 * `poly1305_ctmul`, except on some specific architectures such as 375 * the ARM Cortex M0+. 376 * 377 * `poly1305_ctmulq` implements ChaCha20+Poly1305 with mixed 64-bit 378 * multiplications (operands are 64-bit, result is 128-bit) on 64-bit 379 * platforms that support such operations. 380 * 381 * `poly1305_i15` implements ChaCha20+Poly1305 with the generic "i15" 382 * big integer implementation. It is meant mostly for testing purposes, 383 * although it can help with saving a few hundred bytes of code footprint 384 * on systems where code size is scarce. 385 */ 386 387 /** 388 * \brief Class type for CBC encryption implementations. 389 * 390 * A `br_block_cbcenc_class` instance points to the functions implementing 391 * a specific block cipher, when used in CBC mode for encrypting data. 392 */ 393 typedef struct br_block_cbcenc_class_ br_block_cbcenc_class; 394 struct br_block_cbcenc_class_ { 395 /** 396 * \brief Size (in bytes) of the context structure appropriate 397 * for containing subkeys. 398 */ 399 size_t context_size; 400 401 /** 402 * \brief Size of individual blocks (in bytes). 403 */ 404 unsigned block_size; 405 406 /** 407 * \brief Base-2 logarithm of the size of individual blocks, 408 * expressed in bytes. 409 */ 410 unsigned log_block_size; 411 412 /** 413 * \brief Initialisation function. 414 * 415 * This function sets the `vtable` field in the context structure. 416 * The key length MUST be one of the key lengths supported by 417 * the implementation. 418 * 419 * \param ctx context structure to initialise. 420 * \param key secret key. 421 * \param key_len key length (in bytes). 422 */ 423 void (*init)(const br_block_cbcenc_class **ctx, 424 const void *key, size_t key_len); 425 426 /** 427 * \brief Run the CBC encryption. 428 * 429 * The `iv` parameter points to the IV for this run; it is 430 * updated with a copy of the last encrypted block. The data 431 * is encrypted "in place"; its length (`len`) MUST be a 432 * multiple of the block size. 433 * 434 * \param ctx context structure (already initialised). 435 * \param iv IV for CBC encryption (updated). 436 * \param data data to encrypt. 437 * \param len data length (in bytes, multiple of block size). 438 */ 439 void (*run)(const br_block_cbcenc_class *const *ctx, 440 void *iv, void *data, size_t len); 441 }; 442 443 /** 444 * \brief Class type for CBC decryption implementations. 445 * 446 * A `br_block_cbcdec_class` instance points to the functions implementing 447 * a specific block cipher, when used in CBC mode for decrypting data. 448 */ 449 typedef struct br_block_cbcdec_class_ br_block_cbcdec_class; 450 struct br_block_cbcdec_class_ { 451 /** 452 * \brief Size (in bytes) of the context structure appropriate 453 * for containing subkeys. 454 */ 455 size_t context_size; 456 457 /** 458 * \brief Size of individual blocks (in bytes). 459 */ 460 unsigned block_size; 461 462 /** 463 * \brief Base-2 logarithm of the size of individual blocks, 464 * expressed in bytes. 465 */ 466 unsigned log_block_size; 467 468 /** 469 * \brief Initialisation function. 470 * 471 * This function sets the `vtable` field in the context structure. 472 * The key length MUST be one of the key lengths supported by 473 * the implementation. 474 * 475 * \param ctx context structure to initialise. 476 * \param key secret key. 477 * \param key_len key length (in bytes). 478 */ 479 void (*init)(const br_block_cbcdec_class **ctx, 480 const void *key, size_t key_len); 481 482 /** 483 * \brief Run the CBC decryption. 484 * 485 * The `iv` parameter points to the IV for this run; it is 486 * updated with a copy of the last encrypted block. The data 487 * is decrypted "in place"; its length (`len`) MUST be a 488 * multiple of the block size. 489 * 490 * \param ctx context structure (already initialised). 491 * \param iv IV for CBC decryption (updated). 492 * \param data data to decrypt. 493 * \param len data length (in bytes, multiple of block size). 494 */ 495 void (*run)(const br_block_cbcdec_class *const *ctx, 496 void *iv, void *data, size_t len); 497 }; 498 499 /** 500 * \brief Class type for CTR encryption/decryption implementations. 501 * 502 * A `br_block_ctr_class` instance points to the functions implementing 503 * a specific block cipher, when used in CTR mode for encrypting or 504 * decrypting data. 505 */ 506 typedef struct br_block_ctr_class_ br_block_ctr_class; 507 struct br_block_ctr_class_ { 508 /** 509 * \brief Size (in bytes) of the context structure appropriate 510 * for containing subkeys. 511 */ 512 size_t context_size; 513 514 /** 515 * \brief Size of individual blocks (in bytes). 516 */ 517 unsigned block_size; 518 519 /** 520 * \brief Base-2 logarithm of the size of individual blocks, 521 * expressed in bytes. 522 */ 523 unsigned log_block_size; 524 525 /** 526 * \brief Initialisation function. 527 * 528 * This function sets the `vtable` field in the context structure. 529 * The key length MUST be one of the key lengths supported by 530 * the implementation. 531 * 532 * \param ctx context structure to initialise. 533 * \param key secret key. 534 * \param key_len key length (in bytes). 535 */ 536 void (*init)(const br_block_ctr_class **ctx, 537 const void *key, size_t key_len); 538 539 /** 540 * \brief Run the CTR encryption or decryption. 541 * 542 * The `iv` parameter points to the IV for this run; its 543 * length is exactly 4 bytes less than the block size (e.g. 544 * 12 bytes for AES/CTR). The IV is combined with a 32-bit 545 * block counter to produce the block value which is processed 546 * with the block cipher. 547 * 548 * The data to encrypt or decrypt is updated "in place". Its 549 * length (`len` bytes) is not required to be a multiple of 550 * the block size; if the final block is partial, then the 551 * corresponding key stream bits are dropped. 552 * 553 * The resulting counter value is returned. 554 * 555 * \param ctx context structure (already initialised). 556 * \param iv IV for CTR encryption/decryption. 557 * \param cc initial value for the block counter. 558 * \param data data to encrypt or decrypt. 559 * \param len data length (in bytes). 560 * \return the new block counter value. 561 */ 562 uint32_t (*run)(const br_block_ctr_class *const *ctx, 563 const void *iv, uint32_t cc, void *data, size_t len); 564 }; 565 566 /** 567 * \brief Class type for combined CTR and CBC-MAC implementations. 568 * 569 * A `br_block_ctrcbc_class` instance points to the functions implementing 570 * a specific block cipher, when used in CTR mode for encrypting or 571 * decrypting data, along with CBC-MAC. 572 */ 573 typedef struct br_block_ctrcbc_class_ br_block_ctrcbc_class; 574 struct br_block_ctrcbc_class_ { 575 /** 576 * \brief Size (in bytes) of the context structure appropriate 577 * for containing subkeys. 578 */ 579 size_t context_size; 580 581 /** 582 * \brief Size of individual blocks (in bytes). 583 */ 584 unsigned block_size; 585 586 /** 587 * \brief Base-2 logarithm of the size of individual blocks, 588 * expressed in bytes. 589 */ 590 unsigned log_block_size; 591 592 /** 593 * \brief Initialisation function. 594 * 595 * This function sets the `vtable` field in the context structure. 596 * The key length MUST be one of the key lengths supported by 597 * the implementation. 598 * 599 * \param ctx context structure to initialise. 600 * \param key secret key. 601 * \param key_len key length (in bytes). 602 */ 603 void (*init)(const br_block_ctrcbc_class **ctx, 604 const void *key, size_t key_len); 605 606 /** 607 * \brief Run the CTR encryption + CBC-MAC. 608 * 609 * The `ctr` parameter points to the counter; its length shall 610 * be equal to the block size. It is updated by this function 611 * as encryption proceeds. 612 * 613 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC 614 * is computed over the encrypted data (output of CTR 615 * encryption). Its length shall be equal to the block size. The 616 * computed CBC-MAC value is written over the `cbcmac` array. 617 * 618 * The data to encrypt is updated "in place". Its length (`len` 619 * bytes) MUST be a multiple of the block size. 620 * 621 * \param ctx context structure (already initialised). 622 * \param ctr counter for CTR encryption (initial and final). 623 * \param cbcmac IV and output buffer for CBC-MAC. 624 * \param data data to encrypt. 625 * \param len data length (in bytes). 626 */ 627 void (*encrypt)(const br_block_ctrcbc_class *const *ctx, 628 void *ctr, void *cbcmac, void *data, size_t len); 629 630 /** 631 * \brief Run the CTR decryption + CBC-MAC. 632 * 633 * The `ctr` parameter points to the counter; its length shall 634 * be equal to the block size. It is updated by this function 635 * as decryption proceeds. 636 * 637 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC 638 * is computed over the encrypted data (i.e. before CTR 639 * decryption). Its length shall be equal to the block size. The 640 * computed CBC-MAC value is written over the `cbcmac` array. 641 * 642 * The data to decrypt is updated "in place". Its length (`len` 643 * bytes) MUST be a multiple of the block size. 644 * 645 * \param ctx context structure (already initialised). 646 * \param ctr counter for CTR encryption (initial and final). 647 * \param cbcmac IV and output buffer for CBC-MAC. 648 * \param data data to decrypt. 649 * \param len data length (in bytes). 650 */ 651 void (*decrypt)(const br_block_ctrcbc_class *const *ctx, 652 void *ctr, void *cbcmac, void *data, size_t len); 653 654 /** 655 * \brief Run the CTR encryption/decryption only. 656 * 657 * The `ctr` parameter points to the counter; its length shall 658 * be equal to the block size. It is updated by this function 659 * as decryption proceeds. 660 * 661 * The data to decrypt is updated "in place". Its length (`len` 662 * bytes) MUST be a multiple of the block size. 663 * 664 * \param ctx context structure (already initialised). 665 * \param ctr counter for CTR encryption (initial and final). 666 * \param data data to decrypt. 667 * \param len data length (in bytes). 668 */ 669 void (*ctr)(const br_block_ctrcbc_class *const *ctx, 670 void *ctr, void *data, size_t len); 671 672 /** 673 * \brief Run the CBC-MAC only. 674 * 675 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC 676 * is computed over the encrypted data (i.e. before CTR 677 * decryption). Its length shall be equal to the block size. The 678 * computed CBC-MAC value is written over the `cbcmac` array. 679 * 680 * The data is unmodified. Its length (`len` bytes) MUST be a 681 * multiple of the block size. 682 * 683 * \param ctx context structure (already initialised). 684 * \param cbcmac IV and output buffer for CBC-MAC. 685 * \param data data to decrypt. 686 * \param len data length (in bytes). 687 */ 688 void (*mac)(const br_block_ctrcbc_class *const *ctx, 689 void *cbcmac, const void *data, size_t len); 690 }; 691 692 /* 693 * Traditional, table-based AES implementation. It is fast, but uses 694 * internal tables (in particular a 1 kB table for encryption, another 695 * 1 kB table for decryption, and a 256-byte table for key schedule), 696 * and it is not constant-time. In contexts where cache-timing attacks 697 * apply, this implementation may leak the secret key. 698 */ 699 700 /** \brief AES block size (16 bytes). */ 701 #define br_aes_big_BLOCK_SIZE 16 702 703 /** 704 * \brief Context for AES subkeys (`aes_big` implementation, CBC encryption). 705 * 706 * First field is a pointer to the vtable; it is set by the initialisation 707 * function. Other fields are not supposed to be accessed by user code. 708 */ 709 typedef struct { 710 /** \brief Pointer to vtable for this context. */ 711 const br_block_cbcenc_class *vtable; 712 #ifndef BR_DOXYGEN_IGNORE 713 uint32_t skey[60]; 714 unsigned num_rounds; 715 #endif 716 } br_aes_big_cbcenc_keys; 717 718 /** 719 * \brief Context for AES subkeys (`aes_big` implementation, CBC decryption). 720 * 721 * First field is a pointer to the vtable; it is set by the initialisation 722 * function. Other fields are not supposed to be accessed by user code. 723 */ 724 typedef struct { 725 /** \brief Pointer to vtable for this context. */ 726 const br_block_cbcdec_class *vtable; 727 #ifndef BR_DOXYGEN_IGNORE 728 uint32_t skey[60]; 729 unsigned num_rounds; 730 #endif 731 } br_aes_big_cbcdec_keys; 732 733 /** 734 * \brief Context for AES subkeys (`aes_big` implementation, CTR encryption 735 * and decryption). 736 * 737 * First field is a pointer to the vtable; it is set by the initialisation 738 * function. Other fields are not supposed to be accessed by user code. 739 */ 740 typedef struct { 741 /** \brief Pointer to vtable for this context. */ 742 const br_block_ctr_class *vtable; 743 #ifndef BR_DOXYGEN_IGNORE 744 uint32_t skey[60]; 745 unsigned num_rounds; 746 #endif 747 } br_aes_big_ctr_keys; 748 749 /** 750 * \brief Context for AES subkeys (`aes_big` implementation, CTR encryption 751 * and decryption + CBC-MAC). 752 * 753 * First field is a pointer to the vtable; it is set by the initialisation 754 * function. Other fields are not supposed to be accessed by user code. 755 */ 756 typedef struct { 757 /** \brief Pointer to vtable for this context. */ 758 const br_block_ctrcbc_class *vtable; 759 #ifndef BR_DOXYGEN_IGNORE 760 uint32_t skey[60]; 761 unsigned num_rounds; 762 #endif 763 } br_aes_big_ctrcbc_keys; 764 765 /** 766 * \brief Class instance for AES CBC encryption (`aes_big` implementation). 767 */ 768 extern const br_block_cbcenc_class br_aes_big_cbcenc_vtable; 769 770 /** 771 * \brief Class instance for AES CBC decryption (`aes_big` implementation). 772 */ 773 extern const br_block_cbcdec_class br_aes_big_cbcdec_vtable; 774 775 /** 776 * \brief Class instance for AES CTR encryption and decryption 777 * (`aes_big` implementation). 778 */ 779 extern const br_block_ctr_class br_aes_big_ctr_vtable; 780 781 /** 782 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC 783 * (`aes_big` implementation). 784 */ 785 extern const br_block_ctrcbc_class br_aes_big_ctrcbc_vtable; 786 787 /** 788 * \brief Context initialisation (key schedule) for AES CBC encryption 789 * (`aes_big` implementation). 790 * 791 * \param ctx context to initialise. 792 * \param key secret key. 793 * \param len secret key length (in bytes). 794 */ 795 void br_aes_big_cbcenc_init(br_aes_big_cbcenc_keys *ctx, 796 const void *key, size_t len); 797 798 /** 799 * \brief Context initialisation (key schedule) for AES CBC decryption 800 * (`aes_big` implementation). 801 * 802 * \param ctx context to initialise. 803 * \param key secret key. 804 * \param len secret key length (in bytes). 805 */ 806 void br_aes_big_cbcdec_init(br_aes_big_cbcdec_keys *ctx, 807 const void *key, size_t len); 808 809 /** 810 * \brief Context initialisation (key schedule) for AES CTR encryption 811 * and decryption (`aes_big` implementation). 812 * 813 * \param ctx context to initialise. 814 * \param key secret key. 815 * \param len secret key length (in bytes). 816 */ 817 void br_aes_big_ctr_init(br_aes_big_ctr_keys *ctx, 818 const void *key, size_t len); 819 820 /** 821 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC 822 * (`aes_big` implementation). 823 * 824 * \param ctx context to initialise. 825 * \param key secret key. 826 * \param len secret key length (in bytes). 827 */ 828 void br_aes_big_ctrcbc_init(br_aes_big_ctrcbc_keys *ctx, 829 const void *key, size_t len); 830 831 /** 832 * \brief CBC encryption with AES (`aes_big` implementation). 833 * 834 * \param ctx context (already initialised). 835 * \param iv IV (updated). 836 * \param data data to encrypt (updated). 837 * \param len data length (in bytes, MUST be multiple of 16). 838 */ 839 void br_aes_big_cbcenc_run(const br_aes_big_cbcenc_keys *ctx, void *iv, 840 void *data, size_t len); 841 842 /** 843 * \brief CBC decryption with AES (`aes_big` implementation). 844 * 845 * \param ctx context (already initialised). 846 * \param iv IV (updated). 847 * \param data data to decrypt (updated). 848 * \param len data length (in bytes, MUST be multiple of 16). 849 */ 850 void br_aes_big_cbcdec_run(const br_aes_big_cbcdec_keys *ctx, void *iv, 851 void *data, size_t len); 852 853 /** 854 * \brief CTR encryption and decryption with AES (`aes_big` implementation). 855 * 856 * \param ctx context (already initialised). 857 * \param iv IV (constant, 12 bytes). 858 * \param cc initial block counter value. 859 * \param data data to encrypt or decrypt (updated). 860 * \param len data length (in bytes). 861 * \return new block counter value. 862 */ 863 uint32_t br_aes_big_ctr_run(const br_aes_big_ctr_keys *ctx, 864 const void *iv, uint32_t cc, void *data, size_t len); 865 866 /** 867 * \brief CTR encryption + CBC-MAC with AES (`aes_big` implementation). 868 * 869 * \param ctx context (already initialised). 870 * \param ctr counter for CTR (16 bytes, updated). 871 * \param cbcmac IV for CBC-MAC (updated). 872 * \param data data to encrypt (updated). 873 * \param len data length (in bytes, MUST be a multiple of 16). 874 */ 875 void br_aes_big_ctrcbc_encrypt(const br_aes_big_ctrcbc_keys *ctx, 876 void *ctr, void *cbcmac, void *data, size_t len); 877 878 /** 879 * \brief CTR decryption + CBC-MAC with AES (`aes_big` implementation). 880 * 881 * \param ctx context (already initialised). 882 * \param ctr counter for CTR (16 bytes, updated). 883 * \param cbcmac IV for CBC-MAC (updated). 884 * \param data data to decrypt (updated). 885 * \param len data length (in bytes, MUST be a multiple of 16). 886 */ 887 void br_aes_big_ctrcbc_decrypt(const br_aes_big_ctrcbc_keys *ctx, 888 void *ctr, void *cbcmac, void *data, size_t len); 889 890 /** 891 * \brief CTR encryption/decryption with AES (`aes_big` implementation). 892 * 893 * \param ctx context (already initialised). 894 * \param ctr counter for CTR (16 bytes, updated). 895 * \param data data to MAC (updated). 896 * \param len data length (in bytes, MUST be a multiple of 16). 897 */ 898 void br_aes_big_ctrcbc_ctr(const br_aes_big_ctrcbc_keys *ctx, 899 void *ctr, void *data, size_t len); 900 901 /** 902 * \brief CBC-MAC with AES (`aes_big` implementation). 903 * 904 * \param ctx context (already initialised). 905 * \param cbcmac IV for CBC-MAC (updated). 906 * \param data data to MAC (unmodified). 907 * \param len data length (in bytes, MUST be a multiple of 16). 908 */ 909 void br_aes_big_ctrcbc_mac(const br_aes_big_ctrcbc_keys *ctx, 910 void *cbcmac, const void *data, size_t len); 911 912 /* 913 * AES implementation optimized for size. It is slower than the 914 * traditional table-based AES implementation, but requires much less 915 * code. It still uses data-dependent table accesses (albeit within a 916 * much smaller 256-byte table), which makes it conceptually vulnerable 917 * to cache-timing attacks. 918 */ 919 920 /** \brief AES block size (16 bytes). */ 921 #define br_aes_small_BLOCK_SIZE 16 922 923 /** 924 * \brief Context for AES subkeys (`aes_small` implementation, CBC encryption). 925 * 926 * First field is a pointer to the vtable; it is set by the initialisation 927 * function. Other fields are not supposed to be accessed by user code. 928 */ 929 typedef struct { 930 /** \brief Pointer to vtable for this context. */ 931 const br_block_cbcenc_class *vtable; 932 #ifndef BR_DOXYGEN_IGNORE 933 uint32_t skey[60]; 934 unsigned num_rounds; 935 #endif 936 } br_aes_small_cbcenc_keys; 937 938 /** 939 * \brief Context for AES subkeys (`aes_small` implementation, CBC decryption). 940 * 941 * First field is a pointer to the vtable; it is set by the initialisation 942 * function. Other fields are not supposed to be accessed by user code. 943 */ 944 typedef struct { 945 /** \brief Pointer to vtable for this context. */ 946 const br_block_cbcdec_class *vtable; 947 #ifndef BR_DOXYGEN_IGNORE 948 uint32_t skey[60]; 949 unsigned num_rounds; 950 #endif 951 } br_aes_small_cbcdec_keys; 952 953 /** 954 * \brief Context for AES subkeys (`aes_small` implementation, CTR encryption 955 * and decryption). 956 * 957 * First field is a pointer to the vtable; it is set by the initialisation 958 * function. Other fields are not supposed to be accessed by user code. 959 */ 960 typedef struct { 961 /** \brief Pointer to vtable for this context. */ 962 const br_block_ctr_class *vtable; 963 #ifndef BR_DOXYGEN_IGNORE 964 uint32_t skey[60]; 965 unsigned num_rounds; 966 #endif 967 } br_aes_small_ctr_keys; 968 969 /** 970 * \brief Context for AES subkeys (`aes_small` implementation, CTR encryption 971 * and decryption + CBC-MAC). 972 * 973 * First field is a pointer to the vtable; it is set by the initialisation 974 * function. Other fields are not supposed to be accessed by user code. 975 */ 976 typedef struct { 977 /** \brief Pointer to vtable for this context. */ 978 const br_block_ctrcbc_class *vtable; 979 #ifndef BR_DOXYGEN_IGNORE 980 uint32_t skey[60]; 981 unsigned num_rounds; 982 #endif 983 } br_aes_small_ctrcbc_keys; 984 985 /** 986 * \brief Class instance for AES CBC encryption (`aes_small` implementation). 987 */ 988 extern const br_block_cbcenc_class br_aes_small_cbcenc_vtable; 989 990 /** 991 * \brief Class instance for AES CBC decryption (`aes_small` implementation). 992 */ 993 extern const br_block_cbcdec_class br_aes_small_cbcdec_vtable; 994 995 /** 996 * \brief Class instance for AES CTR encryption and decryption 997 * (`aes_small` implementation). 998 */ 999 extern const br_block_ctr_class br_aes_small_ctr_vtable; 1000 1001 /** 1002 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC 1003 * (`aes_small` implementation). 1004 */ 1005 extern const br_block_ctrcbc_class br_aes_small_ctrcbc_vtable; 1006 1007 /** 1008 * \brief Context initialisation (key schedule) for AES CBC encryption 1009 * (`aes_small` implementation). 1010 * 1011 * \param ctx context to initialise. 1012 * \param key secret key. 1013 * \param len secret key length (in bytes). 1014 */ 1015 void br_aes_small_cbcenc_init(br_aes_small_cbcenc_keys *ctx, 1016 const void *key, size_t len); 1017 1018 /** 1019 * \brief Context initialisation (key schedule) for AES CBC decryption 1020 * (`aes_small` implementation). 1021 * 1022 * \param ctx context to initialise. 1023 * \param key secret key. 1024 * \param len secret key length (in bytes). 1025 */ 1026 void br_aes_small_cbcdec_init(br_aes_small_cbcdec_keys *ctx, 1027 const void *key, size_t len); 1028 1029 /** 1030 * \brief Context initialisation (key schedule) for AES CTR encryption 1031 * and decryption (`aes_small` implementation). 1032 * 1033 * \param ctx context to initialise. 1034 * \param key secret key. 1035 * \param len secret key length (in bytes). 1036 */ 1037 void br_aes_small_ctr_init(br_aes_small_ctr_keys *ctx, 1038 const void *key, size_t len); 1039 1040 /** 1041 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC 1042 * (`aes_small` implementation). 1043 * 1044 * \param ctx context to initialise. 1045 * \param key secret key. 1046 * \param len secret key length (in bytes). 1047 */ 1048 void br_aes_small_ctrcbc_init(br_aes_small_ctrcbc_keys *ctx, 1049 const void *key, size_t len); 1050 1051 /** 1052 * \brief CBC encryption with AES (`aes_small` implementation). 1053 * 1054 * \param ctx context (already initialised). 1055 * \param iv IV (updated). 1056 * \param data data to encrypt (updated). 1057 * \param len data length (in bytes, MUST be multiple of 16). 1058 */ 1059 void br_aes_small_cbcenc_run(const br_aes_small_cbcenc_keys *ctx, void *iv, 1060 void *data, size_t len); 1061 1062 /** 1063 * \brief CBC decryption with AES (`aes_small` implementation). 1064 * 1065 * \param ctx context (already initialised). 1066 * \param iv IV (updated). 1067 * \param data data to decrypt (updated). 1068 * \param len data length (in bytes, MUST be multiple of 16). 1069 */ 1070 void br_aes_small_cbcdec_run(const br_aes_small_cbcdec_keys *ctx, void *iv, 1071 void *data, size_t len); 1072 1073 /** 1074 * \brief CTR encryption and decryption with AES (`aes_small` implementation). 1075 * 1076 * \param ctx context (already initialised). 1077 * \param iv IV (constant, 12 bytes). 1078 * \param cc initial block counter value. 1079 * \param data data to decrypt (updated). 1080 * \param len data length (in bytes). 1081 * \return new block counter value. 1082 */ 1083 uint32_t br_aes_small_ctr_run(const br_aes_small_ctr_keys *ctx, 1084 const void *iv, uint32_t cc, void *data, size_t len); 1085 1086 /** 1087 * \brief CTR encryption + CBC-MAC with AES (`aes_small` implementation). 1088 * 1089 * \param ctx context (already initialised). 1090 * \param ctr counter for CTR (16 bytes, updated). 1091 * \param cbcmac IV for CBC-MAC (updated). 1092 * \param data data to encrypt (updated). 1093 * \param len data length (in bytes, MUST be a multiple of 16). 1094 */ 1095 void br_aes_small_ctrcbc_encrypt(const br_aes_small_ctrcbc_keys *ctx, 1096 void *ctr, void *cbcmac, void *data, size_t len); 1097 1098 /** 1099 * \brief CTR decryption + CBC-MAC with AES (`aes_small` implementation). 1100 * 1101 * \param ctx context (already initialised). 1102 * \param ctr counter for CTR (16 bytes, updated). 1103 * \param cbcmac IV for CBC-MAC (updated). 1104 * \param data data to decrypt (updated). 1105 * \param len data length (in bytes, MUST be a multiple of 16). 1106 */ 1107 void br_aes_small_ctrcbc_decrypt(const br_aes_small_ctrcbc_keys *ctx, 1108 void *ctr, void *cbcmac, void *data, size_t len); 1109 1110 /** 1111 * \brief CTR encryption/decryption with AES (`aes_small` implementation). 1112 * 1113 * \param ctx context (already initialised). 1114 * \param ctr counter for CTR (16 bytes, updated). 1115 * \param data data to MAC (updated). 1116 * \param len data length (in bytes, MUST be a multiple of 16). 1117 */ 1118 void br_aes_small_ctrcbc_ctr(const br_aes_small_ctrcbc_keys *ctx, 1119 void *ctr, void *data, size_t len); 1120 1121 /** 1122 * \brief CBC-MAC with AES (`aes_small` implementation). 1123 * 1124 * \param ctx context (already initialised). 1125 * \param cbcmac IV for CBC-MAC (updated). 1126 * \param data data to MAC (unmodified). 1127 * \param len data length (in bytes, MUST be a multiple of 16). 1128 */ 1129 void br_aes_small_ctrcbc_mac(const br_aes_small_ctrcbc_keys *ctx, 1130 void *cbcmac, const void *data, size_t len); 1131 1132 /* 1133 * Constant-time AES implementation. Its size is similar to that of 1134 * 'aes_big', and its performance is similar to that of 'aes_small' (faster 1135 * decryption, slower encryption). However, it is constant-time, i.e. 1136 * immune to cache-timing and similar attacks. 1137 */ 1138 1139 /** \brief AES block size (16 bytes). */ 1140 #define br_aes_ct_BLOCK_SIZE 16 1141 1142 /** 1143 * \brief Context for AES subkeys (`aes_ct` implementation, CBC encryption). 1144 * 1145 * First field is a pointer to the vtable; it is set by the initialisation 1146 * function. Other fields are not supposed to be accessed by user code. 1147 */ 1148 typedef struct { 1149 /** \brief Pointer to vtable for this context. */ 1150 const br_block_cbcenc_class *vtable; 1151 #ifndef BR_DOXYGEN_IGNORE 1152 uint32_t skey[60]; 1153 unsigned num_rounds; 1154 #endif 1155 } br_aes_ct_cbcenc_keys; 1156 1157 /** 1158 * \brief Context for AES subkeys (`aes_ct` implementation, CBC decryption). 1159 * 1160 * First field is a pointer to the vtable; it is set by the initialisation 1161 * function. Other fields are not supposed to be accessed by user code. 1162 */ 1163 typedef struct { 1164 /** \brief Pointer to vtable for this context. */ 1165 const br_block_cbcdec_class *vtable; 1166 #ifndef BR_DOXYGEN_IGNORE 1167 uint32_t skey[60]; 1168 unsigned num_rounds; 1169 #endif 1170 } br_aes_ct_cbcdec_keys; 1171 1172 /** 1173 * \brief Context for AES subkeys (`aes_ct` implementation, CTR encryption 1174 * and decryption). 1175 * 1176 * First field is a pointer to the vtable; it is set by the initialisation 1177 * function. Other fields are not supposed to be accessed by user code. 1178 */ 1179 typedef struct { 1180 /** \brief Pointer to vtable for this context. */ 1181 const br_block_ctr_class *vtable; 1182 #ifndef BR_DOXYGEN_IGNORE 1183 uint32_t skey[60]; 1184 unsigned num_rounds; 1185 #endif 1186 } br_aes_ct_ctr_keys; 1187 1188 /** 1189 * \brief Context for AES subkeys (`aes_ct` implementation, CTR encryption 1190 * and decryption + CBC-MAC). 1191 * 1192 * First field is a pointer to the vtable; it is set by the initialisation 1193 * function. Other fields are not supposed to be accessed by user code. 1194 */ 1195 typedef struct { 1196 /** \brief Pointer to vtable for this context. */ 1197 const br_block_ctrcbc_class *vtable; 1198 #ifndef BR_DOXYGEN_IGNORE 1199 uint32_t skey[60]; 1200 unsigned num_rounds; 1201 #endif 1202 } br_aes_ct_ctrcbc_keys; 1203 1204 /** 1205 * \brief Class instance for AES CBC encryption (`aes_ct` implementation). 1206 */ 1207 extern const br_block_cbcenc_class br_aes_ct_cbcenc_vtable; 1208 1209 /** 1210 * \brief Class instance for AES CBC decryption (`aes_ct` implementation). 1211 */ 1212 extern const br_block_cbcdec_class br_aes_ct_cbcdec_vtable; 1213 1214 /** 1215 * \brief Class instance for AES CTR encryption and decryption 1216 * (`aes_ct` implementation). 1217 */ 1218 extern const br_block_ctr_class br_aes_ct_ctr_vtable; 1219 1220 /** 1221 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC 1222 * (`aes_ct` implementation). 1223 */ 1224 extern const br_block_ctrcbc_class br_aes_ct_ctrcbc_vtable; 1225 1226 /** 1227 * \brief Context initialisation (key schedule) for AES CBC encryption 1228 * (`aes_ct` implementation). 1229 * 1230 * \param ctx context to initialise. 1231 * \param key secret key. 1232 * \param len secret key length (in bytes). 1233 */ 1234 void br_aes_ct_cbcenc_init(br_aes_ct_cbcenc_keys *ctx, 1235 const void *key, size_t len); 1236 1237 /** 1238 * \brief Context initialisation (key schedule) for AES CBC decryption 1239 * (`aes_ct` implementation). 1240 * 1241 * \param ctx context to initialise. 1242 * \param key secret key. 1243 * \param len secret key length (in bytes). 1244 */ 1245 void br_aes_ct_cbcdec_init(br_aes_ct_cbcdec_keys *ctx, 1246 const void *key, size_t len); 1247 1248 /** 1249 * \brief Context initialisation (key schedule) for AES CTR encryption 1250 * and decryption (`aes_ct` implementation). 1251 * 1252 * \param ctx context to initialise. 1253 * \param key secret key. 1254 * \param len secret key length (in bytes). 1255 */ 1256 void br_aes_ct_ctr_init(br_aes_ct_ctr_keys *ctx, 1257 const void *key, size_t len); 1258 1259 /** 1260 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC 1261 * (`aes_ct` implementation). 1262 * 1263 * \param ctx context to initialise. 1264 * \param key secret key. 1265 * \param len secret key length (in bytes). 1266 */ 1267 void br_aes_ct_ctrcbc_init(br_aes_ct_ctrcbc_keys *ctx, 1268 const void *key, size_t len); 1269 1270 /** 1271 * \brief CBC encryption with AES (`aes_ct` implementation). 1272 * 1273 * \param ctx context (already initialised). 1274 * \param iv IV (updated). 1275 * \param data data to encrypt (updated). 1276 * \param len data length (in bytes, MUST be multiple of 16). 1277 */ 1278 void br_aes_ct_cbcenc_run(const br_aes_ct_cbcenc_keys *ctx, void *iv, 1279 void *data, size_t len); 1280 1281 /** 1282 * \brief CBC decryption with AES (`aes_ct` implementation). 1283 * 1284 * \param ctx context (already initialised). 1285 * \param iv IV (updated). 1286 * \param data data to decrypt (updated). 1287 * \param len data length (in bytes, MUST be multiple of 16). 1288 */ 1289 void br_aes_ct_cbcdec_run(const br_aes_ct_cbcdec_keys *ctx, void *iv, 1290 void *data, size_t len); 1291 1292 /** 1293 * \brief CTR encryption and decryption with AES (`aes_ct` implementation). 1294 * 1295 * \param ctx context (already initialised). 1296 * \param iv IV (constant, 12 bytes). 1297 * \param cc initial block counter value. 1298 * \param data data to decrypt (updated). 1299 * \param len data length (in bytes). 1300 * \return new block counter value. 1301 */ 1302 uint32_t br_aes_ct_ctr_run(const br_aes_ct_ctr_keys *ctx, 1303 const void *iv, uint32_t cc, void *data, size_t len); 1304 1305 /** 1306 * \brief CTR encryption + CBC-MAC with AES (`aes_ct` implementation). 1307 * 1308 * \param ctx context (already initialised). 1309 * \param ctr counter for CTR (16 bytes, updated). 1310 * \param cbcmac IV for CBC-MAC (updated). 1311 * \param data data to encrypt (updated). 1312 * \param len data length (in bytes, MUST be a multiple of 16). 1313 */ 1314 void br_aes_ct_ctrcbc_encrypt(const br_aes_ct_ctrcbc_keys *ctx, 1315 void *ctr, void *cbcmac, void *data, size_t len); 1316 1317 /** 1318 * \brief CTR decryption + CBC-MAC with AES (`aes_ct` implementation). 1319 * 1320 * \param ctx context (already initialised). 1321 * \param ctr counter for CTR (16 bytes, updated). 1322 * \param cbcmac IV for CBC-MAC (updated). 1323 * \param data data to decrypt (updated). 1324 * \param len data length (in bytes, MUST be a multiple of 16). 1325 */ 1326 void br_aes_ct_ctrcbc_decrypt(const br_aes_ct_ctrcbc_keys *ctx, 1327 void *ctr, void *cbcmac, void *data, size_t len); 1328 1329 /** 1330 * \brief CTR encryption/decryption with AES (`aes_ct` implementation). 1331 * 1332 * \param ctx context (already initialised). 1333 * \param ctr counter for CTR (16 bytes, updated). 1334 * \param data data to MAC (updated). 1335 * \param len data length (in bytes, MUST be a multiple of 16). 1336 */ 1337 void br_aes_ct_ctrcbc_ctr(const br_aes_ct_ctrcbc_keys *ctx, 1338 void *ctr, void *data, size_t len); 1339 1340 /** 1341 * \brief CBC-MAC with AES (`aes_ct` implementation). 1342 * 1343 * \param ctx context (already initialised). 1344 * \param cbcmac IV for CBC-MAC (updated). 1345 * \param data data to MAC (unmodified). 1346 * \param len data length (in bytes, MUST be a multiple of 16). 1347 */ 1348 void br_aes_ct_ctrcbc_mac(const br_aes_ct_ctrcbc_keys *ctx, 1349 void *cbcmac, const void *data, size_t len); 1350 1351 /* 1352 * 64-bit constant-time AES implementation. It is similar to 'aes_ct' 1353 * but uses 64-bit registers, making it about twice faster than 'aes_ct' 1354 * on 64-bit platforms, while remaining constant-time and with a similar 1355 * code size. (The doubling in performance is only for CBC decryption 1356 * and CTR mode; CBC encryption is non-parallel and cannot benefit from 1357 * the larger registers.) 1358 */ 1359 1360 /** \brief AES block size (16 bytes). */ 1361 #define br_aes_ct64_BLOCK_SIZE 16 1362 1363 /** 1364 * \brief Context for AES subkeys (`aes_ct64` implementation, CBC encryption). 1365 * 1366 * First field is a pointer to the vtable; it is set by the initialisation 1367 * function. Other fields are not supposed to be accessed by user code. 1368 */ 1369 typedef struct { 1370 /** \brief Pointer to vtable for this context. */ 1371 const br_block_cbcenc_class *vtable; 1372 #ifndef BR_DOXYGEN_IGNORE 1373 uint64_t skey[30]; 1374 unsigned num_rounds; 1375 #endif 1376 } br_aes_ct64_cbcenc_keys; 1377 1378 /** 1379 * \brief Context for AES subkeys (`aes_ct64` implementation, CBC decryption). 1380 * 1381 * First field is a pointer to the vtable; it is set by the initialisation 1382 * function. Other fields are not supposed to be accessed by user code. 1383 */ 1384 typedef struct { 1385 /** \brief Pointer to vtable for this context. */ 1386 const br_block_cbcdec_class *vtable; 1387 #ifndef BR_DOXYGEN_IGNORE 1388 uint64_t skey[30]; 1389 unsigned num_rounds; 1390 #endif 1391 } br_aes_ct64_cbcdec_keys; 1392 1393 /** 1394 * \brief Context for AES subkeys (`aes_ct64` implementation, CTR encryption 1395 * and decryption). 1396 * 1397 * First field is a pointer to the vtable; it is set by the initialisation 1398 * function. Other fields are not supposed to be accessed by user code. 1399 */ 1400 typedef struct { 1401 /** \brief Pointer to vtable for this context. */ 1402 const br_block_ctr_class *vtable; 1403 #ifndef BR_DOXYGEN_IGNORE 1404 uint64_t skey[30]; 1405 unsigned num_rounds; 1406 #endif 1407 } br_aes_ct64_ctr_keys; 1408 1409 /** 1410 * \brief Context for AES subkeys (`aes_ct64` implementation, CTR encryption 1411 * and decryption + CBC-MAC). 1412 * 1413 * First field is a pointer to the vtable; it is set by the initialisation 1414 * function. Other fields are not supposed to be accessed by user code. 1415 */ 1416 typedef struct { 1417 /** \brief Pointer to vtable for this context. */ 1418 const br_block_ctrcbc_class *vtable; 1419 #ifndef BR_DOXYGEN_IGNORE 1420 uint64_t skey[30]; 1421 unsigned num_rounds; 1422 #endif 1423 } br_aes_ct64_ctrcbc_keys; 1424 1425 /** 1426 * \brief Class instance for AES CBC encryption (`aes_ct64` implementation). 1427 */ 1428 extern const br_block_cbcenc_class br_aes_ct64_cbcenc_vtable; 1429 1430 /** 1431 * \brief Class instance for AES CBC decryption (`aes_ct64` implementation). 1432 */ 1433 extern const br_block_cbcdec_class br_aes_ct64_cbcdec_vtable; 1434 1435 /** 1436 * \brief Class instance for AES CTR encryption and decryption 1437 * (`aes_ct64` implementation). 1438 */ 1439 extern const br_block_ctr_class br_aes_ct64_ctr_vtable; 1440 1441 /** 1442 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC 1443 * (`aes_ct64` implementation). 1444 */ 1445 extern const br_block_ctrcbc_class br_aes_ct64_ctrcbc_vtable; 1446 1447 /** 1448 * \brief Context initialisation (key schedule) for AES CBC encryption 1449 * (`aes_ct64` implementation). 1450 * 1451 * \param ctx context to initialise. 1452 * \param key secret key. 1453 * \param len secret key length (in bytes). 1454 */ 1455 void br_aes_ct64_cbcenc_init(br_aes_ct64_cbcenc_keys *ctx, 1456 const void *key, size_t len); 1457 1458 /** 1459 * \brief Context initialisation (key schedule) for AES CBC decryption 1460 * (`aes_ct64` implementation). 1461 * 1462 * \param ctx context to initialise. 1463 * \param key secret key. 1464 * \param len secret key length (in bytes). 1465 */ 1466 void br_aes_ct64_cbcdec_init(br_aes_ct64_cbcdec_keys *ctx, 1467 const void *key, size_t len); 1468 1469 /** 1470 * \brief Context initialisation (key schedule) for AES CTR encryption 1471 * and decryption (`aes_ct64` implementation). 1472 * 1473 * \param ctx context to initialise. 1474 * \param key secret key. 1475 * \param len secret key length (in bytes). 1476 */ 1477 void br_aes_ct64_ctr_init(br_aes_ct64_ctr_keys *ctx, 1478 const void *key, size_t len); 1479 1480 /** 1481 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC 1482 * (`aes_ct64` implementation). 1483 * 1484 * \param ctx context to initialise. 1485 * \param key secret key. 1486 * \param len secret key length (in bytes). 1487 */ 1488 void br_aes_ct64_ctrcbc_init(br_aes_ct64_ctrcbc_keys *ctx, 1489 const void *key, size_t len); 1490 1491 /** 1492 * \brief CBC encryption with AES (`aes_ct64` implementation). 1493 * 1494 * \param ctx context (already initialised). 1495 * \param iv IV (updated). 1496 * \param data data to encrypt (updated). 1497 * \param len data length (in bytes, MUST be multiple of 16). 1498 */ 1499 void br_aes_ct64_cbcenc_run(const br_aes_ct64_cbcenc_keys *ctx, void *iv, 1500 void *data, size_t len); 1501 1502 /** 1503 * \brief CBC decryption with AES (`aes_ct64` implementation). 1504 * 1505 * \param ctx context (already initialised). 1506 * \param iv IV (updated). 1507 * \param data data to decrypt (updated). 1508 * \param len data length (in bytes, MUST be multiple of 16). 1509 */ 1510 void br_aes_ct64_cbcdec_run(const br_aes_ct64_cbcdec_keys *ctx, void *iv, 1511 void *data, size_t len); 1512 1513 /** 1514 * \brief CTR encryption and decryption with AES (`aes_ct64` implementation). 1515 * 1516 * \param ctx context (already initialised). 1517 * \param iv IV (constant, 12 bytes). 1518 * \param cc initial block counter value. 1519 * \param data data to decrypt (updated). 1520 * \param len data length (in bytes). 1521 * \return new block counter value. 1522 */ 1523 uint32_t br_aes_ct64_ctr_run(const br_aes_ct64_ctr_keys *ctx, 1524 const void *iv, uint32_t cc, void *data, size_t len); 1525 1526 /** 1527 * \brief CTR encryption + CBC-MAC with AES (`aes_ct64` implementation). 1528 * 1529 * \param ctx context (already initialised). 1530 * \param ctr counter for CTR (16 bytes, updated). 1531 * \param cbcmac IV for CBC-MAC (updated). 1532 * \param data data to encrypt (updated). 1533 * \param len data length (in bytes, MUST be a multiple of 16). 1534 */ 1535 void br_aes_ct64_ctrcbc_encrypt(const br_aes_ct64_ctrcbc_keys *ctx, 1536 void *ctr, void *cbcmac, void *data, size_t len); 1537 1538 /** 1539 * \brief CTR decryption + CBC-MAC with AES (`aes_ct64` implementation). 1540 * 1541 * \param ctx context (already initialised). 1542 * \param ctr counter for CTR (16 bytes, updated). 1543 * \param cbcmac IV for CBC-MAC (updated). 1544 * \param data data to decrypt (updated). 1545 * \param len data length (in bytes, MUST be a multiple of 16). 1546 */ 1547 void br_aes_ct64_ctrcbc_decrypt(const br_aes_ct64_ctrcbc_keys *ctx, 1548 void *ctr, void *cbcmac, void *data, size_t len); 1549 1550 /** 1551 * \brief CTR encryption/decryption with AES (`aes_ct64` implementation). 1552 * 1553 * \param ctx context (already initialised). 1554 * \param ctr counter for CTR (16 bytes, updated). 1555 * \param data data to MAC (updated). 1556 * \param len data length (in bytes, MUST be a multiple of 16). 1557 */ 1558 void br_aes_ct64_ctrcbc_ctr(const br_aes_ct64_ctrcbc_keys *ctx, 1559 void *ctr, void *data, size_t len); 1560 1561 /** 1562 * \brief CBC-MAC with AES (`aes_ct64` implementation). 1563 * 1564 * \param ctx context (already initialised). 1565 * \param cbcmac IV for CBC-MAC (updated). 1566 * \param data data to MAC (unmodified). 1567 * \param len data length (in bytes, MUST be a multiple of 16). 1568 */ 1569 void br_aes_ct64_ctrcbc_mac(const br_aes_ct64_ctrcbc_keys *ctx, 1570 void *cbcmac, const void *data, size_t len); 1571 1572 /* 1573 * AES implementation using AES-NI opcodes (x86 platform). 1574 */ 1575 1576 /** \brief AES block size (16 bytes). */ 1577 #define br_aes_x86ni_BLOCK_SIZE 16 1578 1579 /** 1580 * \brief Context for AES subkeys (`aes_x86ni` implementation, CBC encryption). 1581 * 1582 * First field is a pointer to the vtable; it is set by the initialisation 1583 * function. Other fields are not supposed to be accessed by user code. 1584 */ 1585 typedef struct { 1586 /** \brief Pointer to vtable for this context. */ 1587 const br_block_cbcenc_class *vtable; 1588 #ifndef BR_DOXYGEN_IGNORE 1589 union { 1590 unsigned char skni[16 * 15]; 1591 } skey; 1592 unsigned num_rounds; 1593 #endif 1594 } br_aes_x86ni_cbcenc_keys; 1595 1596 /** 1597 * \brief Context for AES subkeys (`aes_x86ni` implementation, CBC decryption). 1598 * 1599 * First field is a pointer to the vtable; it is set by the initialisation 1600 * function. Other fields are not supposed to be accessed by user code. 1601 */ 1602 typedef struct { 1603 /** \brief Pointer to vtable for this context. */ 1604 const br_block_cbcdec_class *vtable; 1605 #ifndef BR_DOXYGEN_IGNORE 1606 union { 1607 unsigned char skni[16 * 15]; 1608 } skey; 1609 unsigned num_rounds; 1610 #endif 1611 } br_aes_x86ni_cbcdec_keys; 1612 1613 /** 1614 * \brief Context for AES subkeys (`aes_x86ni` implementation, CTR encryption 1615 * and decryption). 1616 * 1617 * First field is a pointer to the vtable; it is set by the initialisation 1618 * function. Other fields are not supposed to be accessed by user code. 1619 */ 1620 typedef struct { 1621 /** \brief Pointer to vtable for this context. */ 1622 const br_block_ctr_class *vtable; 1623 #ifndef BR_DOXYGEN_IGNORE 1624 union { 1625 unsigned char skni[16 * 15]; 1626 } skey; 1627 unsigned num_rounds; 1628 #endif 1629 } br_aes_x86ni_ctr_keys; 1630 1631 /** 1632 * \brief Context for AES subkeys (`aes_x86ni` implementation, CTR encryption 1633 * and decryption + CBC-MAC). 1634 * 1635 * First field is a pointer to the vtable; it is set by the initialisation 1636 * function. Other fields are not supposed to be accessed by user code. 1637 */ 1638 typedef struct { 1639 /** \brief Pointer to vtable for this context. */ 1640 const br_block_ctrcbc_class *vtable; 1641 #ifndef BR_DOXYGEN_IGNORE 1642 union { 1643 unsigned char skni[16 * 15]; 1644 } skey; 1645 unsigned num_rounds; 1646 #endif 1647 } br_aes_x86ni_ctrcbc_keys; 1648 1649 /** 1650 * \brief Class instance for AES CBC encryption (`aes_x86ni` implementation). 1651 * 1652 * Since this implementation might be omitted from the library, or the 1653 * AES opcode unavailable on the current CPU, a pointer to this class 1654 * instance should be obtained through `br_aes_x86ni_cbcenc_get_vtable()`. 1655 */ 1656 extern const br_block_cbcenc_class br_aes_x86ni_cbcenc_vtable; 1657 1658 /** 1659 * \brief Class instance for AES CBC decryption (`aes_x86ni` implementation). 1660 * 1661 * Since this implementation might be omitted from the library, or the 1662 * AES opcode unavailable on the current CPU, a pointer to this class 1663 * instance should be obtained through `br_aes_x86ni_cbcdec_get_vtable()`. 1664 */ 1665 extern const br_block_cbcdec_class br_aes_x86ni_cbcdec_vtable; 1666 1667 /** 1668 * \brief Class instance for AES CTR encryption and decryption 1669 * (`aes_x86ni` implementation). 1670 * 1671 * Since this implementation might be omitted from the library, or the 1672 * AES opcode unavailable on the current CPU, a pointer to this class 1673 * instance should be obtained through `br_aes_x86ni_ctr_get_vtable()`. 1674 */ 1675 extern const br_block_ctr_class br_aes_x86ni_ctr_vtable; 1676 1677 /** 1678 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC 1679 * (`aes_x86ni` implementation). 1680 * 1681 * Since this implementation might be omitted from the library, or the 1682 * AES opcode unavailable on the current CPU, a pointer to this class 1683 * instance should be obtained through `br_aes_x86ni_ctrcbc_get_vtable()`. 1684 */ 1685 extern const br_block_ctrcbc_class br_aes_x86ni_ctrcbc_vtable; 1686 1687 /** 1688 * \brief Context initialisation (key schedule) for AES CBC encryption 1689 * (`aes_x86ni` implementation). 1690 * 1691 * \param ctx context to initialise. 1692 * \param key secret key. 1693 * \param len secret key length (in bytes). 1694 */ 1695 void br_aes_x86ni_cbcenc_init(br_aes_x86ni_cbcenc_keys *ctx, 1696 const void *key, size_t len); 1697 1698 /** 1699 * \brief Context initialisation (key schedule) for AES CBC decryption 1700 * (`aes_x86ni` implementation). 1701 * 1702 * \param ctx context to initialise. 1703 * \param key secret key. 1704 * \param len secret key length (in bytes). 1705 */ 1706 void br_aes_x86ni_cbcdec_init(br_aes_x86ni_cbcdec_keys *ctx, 1707 const void *key, size_t len); 1708 1709 /** 1710 * \brief Context initialisation (key schedule) for AES CTR encryption 1711 * and decryption (`aes_x86ni` implementation). 1712 * 1713 * \param ctx context to initialise. 1714 * \param key secret key. 1715 * \param len secret key length (in bytes). 1716 */ 1717 void br_aes_x86ni_ctr_init(br_aes_x86ni_ctr_keys *ctx, 1718 const void *key, size_t len); 1719 1720 /** 1721 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC 1722 * (`aes_x86ni` implementation). 1723 * 1724 * \param ctx context to initialise. 1725 * \param key secret key. 1726 * \param len secret key length (in bytes). 1727 */ 1728 void br_aes_x86ni_ctrcbc_init(br_aes_x86ni_ctrcbc_keys *ctx, 1729 const void *key, size_t len); 1730 1731 /** 1732 * \brief CBC encryption with AES (`aes_x86ni` implementation). 1733 * 1734 * \param ctx context (already initialised). 1735 * \param iv IV (updated). 1736 * \param data data to encrypt (updated). 1737 * \param len data length (in bytes, MUST be multiple of 16). 1738 */ 1739 void br_aes_x86ni_cbcenc_run(const br_aes_x86ni_cbcenc_keys *ctx, void *iv, 1740 void *data, size_t len); 1741 1742 /** 1743 * \brief CBC decryption with AES (`aes_x86ni` implementation). 1744 * 1745 * \param ctx context (already initialised). 1746 * \param iv IV (updated). 1747 * \param data data to decrypt (updated). 1748 * \param len data length (in bytes, MUST be multiple of 16). 1749 */ 1750 void br_aes_x86ni_cbcdec_run(const br_aes_x86ni_cbcdec_keys *ctx, void *iv, 1751 void *data, size_t len); 1752 1753 /** 1754 * \brief CTR encryption and decryption with AES (`aes_x86ni` implementation). 1755 * 1756 * \param ctx context (already initialised). 1757 * \param iv IV (constant, 12 bytes). 1758 * \param cc initial block counter value. 1759 * \param data data to decrypt (updated). 1760 * \param len data length (in bytes). 1761 * \return new block counter value. 1762 */ 1763 uint32_t br_aes_x86ni_ctr_run(const br_aes_x86ni_ctr_keys *ctx, 1764 const void *iv, uint32_t cc, void *data, size_t len); 1765 1766 /** 1767 * \brief CTR encryption + CBC-MAC with AES (`aes_x86ni` implementation). 1768 * 1769 * \param ctx context (already initialised). 1770 * \param ctr counter for CTR (16 bytes, updated). 1771 * \param cbcmac IV for CBC-MAC (updated). 1772 * \param data data to encrypt (updated). 1773 * \param len data length (in bytes, MUST be a multiple of 16). 1774 */ 1775 void br_aes_x86ni_ctrcbc_encrypt(const br_aes_x86ni_ctrcbc_keys *ctx, 1776 void *ctr, void *cbcmac, void *data, size_t len); 1777 1778 /** 1779 * \brief CTR decryption + CBC-MAC with AES (`aes_x86ni` implementation). 1780 * 1781 * \param ctx context (already initialised). 1782 * \param ctr counter for CTR (16 bytes, updated). 1783 * \param cbcmac IV for CBC-MAC (updated). 1784 * \param data data to decrypt (updated). 1785 * \param len data length (in bytes, MUST be a multiple of 16). 1786 */ 1787 void br_aes_x86ni_ctrcbc_decrypt(const br_aes_x86ni_ctrcbc_keys *ctx, 1788 void *ctr, void *cbcmac, void *data, size_t len); 1789 1790 /** 1791 * \brief CTR encryption/decryption with AES (`aes_x86ni` implementation). 1792 * 1793 * \param ctx context (already initialised). 1794 * \param ctr counter for CTR (16 bytes, updated). 1795 * \param data data to MAC (updated). 1796 * \param len data length (in bytes, MUST be a multiple of 16). 1797 */ 1798 void br_aes_x86ni_ctrcbc_ctr(const br_aes_x86ni_ctrcbc_keys *ctx, 1799 void *ctr, void *data, size_t len); 1800 1801 /** 1802 * \brief CBC-MAC with AES (`aes_x86ni` implementation). 1803 * 1804 * \param ctx context (already initialised). 1805 * \param cbcmac IV for CBC-MAC (updated). 1806 * \param data data to MAC (unmodified). 1807 * \param len data length (in bytes, MUST be a multiple of 16). 1808 */ 1809 void br_aes_x86ni_ctrcbc_mac(const br_aes_x86ni_ctrcbc_keys *ctx, 1810 void *cbcmac, const void *data, size_t len); 1811 1812 /** 1813 * \brief Obtain the `aes_x86ni` AES-CBC (encryption) implementation, if 1814 * available. 1815 * 1816 * This function returns a pointer to `br_aes_x86ni_cbcenc_vtable`, if 1817 * that implementation was compiled in the library _and_ the x86 AES 1818 * opcodes are available on the currently running CPU. If either of 1819 * these conditions is not met, then this function returns `NULL`. 1820 * 1821 * \return the `aes_x86ni` AES-CBC (encryption) implementation, or `NULL`. 1822 */ 1823 const br_block_cbcenc_class *br_aes_x86ni_cbcenc_get_vtable(void); 1824 1825 /** 1826 * \brief Obtain the `aes_x86ni` AES-CBC (decryption) implementation, if 1827 * available. 1828 * 1829 * This function returns a pointer to `br_aes_x86ni_cbcdec_vtable`, if 1830 * that implementation was compiled in the library _and_ the x86 AES 1831 * opcodes are available on the currently running CPU. If either of 1832 * these conditions is not met, then this function returns `NULL`. 1833 * 1834 * \return the `aes_x86ni` AES-CBC (decryption) implementation, or `NULL`. 1835 */ 1836 const br_block_cbcdec_class *br_aes_x86ni_cbcdec_get_vtable(void); 1837 1838 /** 1839 * \brief Obtain the `aes_x86ni` AES-CTR implementation, if available. 1840 * 1841 * This function returns a pointer to `br_aes_x86ni_ctr_vtable`, if 1842 * that implementation was compiled in the library _and_ the x86 AES 1843 * opcodes are available on the currently running CPU. If either of 1844 * these conditions is not met, then this function returns `NULL`. 1845 * 1846 * \return the `aes_x86ni` AES-CTR implementation, or `NULL`. 1847 */ 1848 const br_block_ctr_class *br_aes_x86ni_ctr_get_vtable(void); 1849 1850 /** 1851 * \brief Obtain the `aes_x86ni` AES-CTR + CBC-MAC implementation, if 1852 * available. 1853 * 1854 * This function returns a pointer to `br_aes_x86ni_ctrcbc_vtable`, if 1855 * that implementation was compiled in the library _and_ the x86 AES 1856 * opcodes are available on the currently running CPU. If either of 1857 * these conditions is not met, then this function returns `NULL`. 1858 * 1859 * \return the `aes_x86ni` AES-CTR implementation, or `NULL`. 1860 */ 1861 const br_block_ctrcbc_class *br_aes_x86ni_ctrcbc_get_vtable(void); 1862 1863 /* 1864 * AES implementation using POWER8 opcodes. 1865 */ 1866 1867 /** \brief AES block size (16 bytes). */ 1868 #define br_aes_pwr8_BLOCK_SIZE 16 1869 1870 /** 1871 * \brief Context for AES subkeys (`aes_pwr8` implementation, CBC encryption). 1872 * 1873 * First field is a pointer to the vtable; it is set by the initialisation 1874 * function. Other fields are not supposed to be accessed by user code. 1875 */ 1876 typedef struct { 1877 /** \brief Pointer to vtable for this context. */ 1878 const br_block_cbcenc_class *vtable; 1879 #ifndef BR_DOXYGEN_IGNORE 1880 union { 1881 unsigned char skni[16 * 15]; 1882 } skey; 1883 unsigned num_rounds; 1884 #endif 1885 } br_aes_pwr8_cbcenc_keys; 1886 1887 /** 1888 * \brief Context for AES subkeys (`aes_pwr8` implementation, CBC decryption). 1889 * 1890 * First field is a pointer to the vtable; it is set by the initialisation 1891 * function. Other fields are not supposed to be accessed by user code. 1892 */ 1893 typedef struct { 1894 /** \brief Pointer to vtable for this context. */ 1895 const br_block_cbcdec_class *vtable; 1896 #ifndef BR_DOXYGEN_IGNORE 1897 union { 1898 unsigned char skni[16 * 15]; 1899 } skey; 1900 unsigned num_rounds; 1901 #endif 1902 } br_aes_pwr8_cbcdec_keys; 1903 1904 /** 1905 * \brief Context for AES subkeys (`aes_pwr8` implementation, CTR encryption 1906 * and decryption). 1907 * 1908 * First field is a pointer to the vtable; it is set by the initialisation 1909 * function. Other fields are not supposed to be accessed by user code. 1910 */ 1911 typedef struct { 1912 /** \brief Pointer to vtable for this context. */ 1913 const br_block_ctr_class *vtable; 1914 #ifndef BR_DOXYGEN_IGNORE 1915 union { 1916 unsigned char skni[16 * 15]; 1917 } skey; 1918 unsigned num_rounds; 1919 #endif 1920 } br_aes_pwr8_ctr_keys; 1921 1922 /** 1923 * \brief Context for AES subkeys (`aes_pwr8` implementation, CTR encryption 1924 * and decryption + CBC-MAC). 1925 * 1926 * First field is a pointer to the vtable; it is set by the initialisation 1927 * function. Other fields are not supposed to be accessed by user code. 1928 */ 1929 typedef struct { 1930 /** \brief Pointer to vtable for this context. */ 1931 const br_block_ctrcbc_class *vtable; 1932 #ifndef BR_DOXYGEN_IGNORE 1933 union { 1934 unsigned char skni[16 * 15]; 1935 } skey; 1936 unsigned num_rounds; 1937 #endif 1938 } br_aes_pwr8_ctrcbc_keys; 1939 1940 /** 1941 * \brief Class instance for AES CBC encryption (`aes_pwr8` implementation). 1942 * 1943 * Since this implementation might be omitted from the library, or the 1944 * AES opcode unavailable on the current CPU, a pointer to this class 1945 * instance should be obtained through `br_aes_pwr8_cbcenc_get_vtable()`. 1946 */ 1947 extern const br_block_cbcenc_class br_aes_pwr8_cbcenc_vtable; 1948 1949 /** 1950 * \brief Class instance for AES CBC decryption (`aes_pwr8` implementation). 1951 * 1952 * Since this implementation might be omitted from the library, or the 1953 * AES opcode unavailable on the current CPU, a pointer to this class 1954 * instance should be obtained through `br_aes_pwr8_cbcdec_get_vtable()`. 1955 */ 1956 extern const br_block_cbcdec_class br_aes_pwr8_cbcdec_vtable; 1957 1958 /** 1959 * \brief Class instance for AES CTR encryption and decryption 1960 * (`aes_pwr8` implementation). 1961 * 1962 * Since this implementation might be omitted from the library, or the 1963 * AES opcode unavailable on the current CPU, a pointer to this class 1964 * instance should be obtained through `br_aes_pwr8_ctr_get_vtable()`. 1965 */ 1966 extern const br_block_ctr_class br_aes_pwr8_ctr_vtable; 1967 1968 /** 1969 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC 1970 * (`aes_pwr8` implementation). 1971 * 1972 * Since this implementation might be omitted from the library, or the 1973 * AES opcode unavailable on the current CPU, a pointer to this class 1974 * instance should be obtained through `br_aes_pwr8_ctrcbc_get_vtable()`. 1975 */ 1976 extern const br_block_ctrcbc_class br_aes_pwr8_ctrcbc_vtable; 1977 1978 /** 1979 * \brief Context initialisation (key schedule) for AES CBC encryption 1980 * (`aes_pwr8` implementation). 1981 * 1982 * \param ctx context to initialise. 1983 * \param key secret key. 1984 * \param len secret key length (in bytes). 1985 */ 1986 void br_aes_pwr8_cbcenc_init(br_aes_pwr8_cbcenc_keys *ctx, 1987 const void *key, size_t len); 1988 1989 /** 1990 * \brief Context initialisation (key schedule) for AES CBC decryption 1991 * (`aes_pwr8` implementation). 1992 * 1993 * \param ctx context to initialise. 1994 * \param key secret key. 1995 * \param len secret key length (in bytes). 1996 */ 1997 void br_aes_pwr8_cbcdec_init(br_aes_pwr8_cbcdec_keys *ctx, 1998 const void *key, size_t len); 1999 2000 /** 2001 * \brief Context initialisation (key schedule) for AES CTR encryption 2002 * and decryption (`aes_pwr8` implementation). 2003 * 2004 * \param ctx context to initialise. 2005 * \param key secret key. 2006 * \param len secret key length (in bytes). 2007 */ 2008 void br_aes_pwr8_ctr_init(br_aes_pwr8_ctr_keys *ctx, 2009 const void *key, size_t len); 2010 2011 /** 2012 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC 2013 * (`aes_pwr8` implementation). 2014 * 2015 * \param ctx context to initialise. 2016 * \param key secret key. 2017 * \param len secret key length (in bytes). 2018 */ 2019 void br_aes_pwr8_ctrcbc_init(br_aes_pwr8_ctrcbc_keys *ctx, 2020 const void *key, size_t len); 2021 2022 /** 2023 * \brief CBC encryption with AES (`aes_pwr8` implementation). 2024 * 2025 * \param ctx context (already initialised). 2026 * \param iv IV (updated). 2027 * \param data data to encrypt (updated). 2028 * \param len data length (in bytes, MUST be multiple of 16). 2029 */ 2030 void br_aes_pwr8_cbcenc_run(const br_aes_pwr8_cbcenc_keys *ctx, void *iv, 2031 void *data, size_t len); 2032 2033 /** 2034 * \brief CBC decryption with AES (`aes_pwr8` implementation). 2035 * 2036 * \param ctx context (already initialised). 2037 * \param iv IV (updated). 2038 * \param data data to decrypt (updated). 2039 * \param len data length (in bytes, MUST be multiple of 16). 2040 */ 2041 void br_aes_pwr8_cbcdec_run(const br_aes_pwr8_cbcdec_keys *ctx, void *iv, 2042 void *data, size_t len); 2043 2044 /** 2045 * \brief CTR encryption and decryption with AES (`aes_pwr8` implementation). 2046 * 2047 * \param ctx context (already initialised). 2048 * \param iv IV (constant, 12 bytes). 2049 * \param cc initial block counter value. 2050 * \param data data to decrypt (updated). 2051 * \param len data length (in bytes). 2052 * \return new block counter value. 2053 */ 2054 uint32_t br_aes_pwr8_ctr_run(const br_aes_pwr8_ctr_keys *ctx, 2055 const void *iv, uint32_t cc, void *data, size_t len); 2056 2057 /** 2058 * \brief CTR encryption + CBC-MAC with AES (`aes_pwr8` implementation). 2059 * 2060 * \param ctx context (already initialised). 2061 * \param ctr counter for CTR (16 bytes, updated). 2062 * \param cbcmac IV for CBC-MAC (updated). 2063 * \param data data to encrypt (updated). 2064 * \param len data length (in bytes, MUST be a multiple of 16). 2065 */ 2066 void br_aes_pwr8_ctrcbc_encrypt(const br_aes_pwr8_ctrcbc_keys *ctx, 2067 void *ctr, void *cbcmac, void *data, size_t len); 2068 2069 /** 2070 * \brief CTR decryption + CBC-MAC with AES (`aes_pwr8` implementation). 2071 * 2072 * \param ctx context (already initialised). 2073 * \param ctr counter for CTR (16 bytes, updated). 2074 * \param cbcmac IV for CBC-MAC (updated). 2075 * \param data data to decrypt (updated). 2076 * \param len data length (in bytes, MUST be a multiple of 16). 2077 */ 2078 void br_aes_pwr8_ctrcbc_decrypt(const br_aes_pwr8_ctrcbc_keys *ctx, 2079 void *ctr, void *cbcmac, void *data, size_t len); 2080 2081 /** 2082 * \brief CTR encryption/decryption with AES (`aes_pwr8` implementation). 2083 * 2084 * \param ctx context (already initialised). 2085 * \param ctr counter for CTR (16 bytes, updated). 2086 * \param data data to MAC (updated). 2087 * \param len data length (in bytes, MUST be a multiple of 16). 2088 */ 2089 void br_aes_pwr8_ctrcbc_ctr(const br_aes_pwr8_ctrcbc_keys *ctx, 2090 void *ctr, void *data, size_t len); 2091 2092 /** 2093 * \brief CBC-MAC with AES (`aes_pwr8` implementation). 2094 * 2095 * \param ctx context (already initialised). 2096 * \param cbcmac IV for CBC-MAC (updated). 2097 * \param data data to MAC (unmodified). 2098 * \param len data length (in bytes, MUST be a multiple of 16). 2099 */ 2100 void br_aes_pwr8_ctrcbc_mac(const br_aes_pwr8_ctrcbc_keys *ctx, 2101 void *cbcmac, const void *data, size_t len); 2102 2103 /** 2104 * \brief Obtain the `aes_pwr8` AES-CBC (encryption) implementation, if 2105 * available. 2106 * 2107 * This function returns a pointer to `br_aes_pwr8_cbcenc_vtable`, if 2108 * that implementation was compiled in the library _and_ the POWER8 2109 * crypto opcodes are available on the currently running CPU. If either 2110 * of these conditions is not met, then this function returns `NULL`. 2111 * 2112 * \return the `aes_pwr8` AES-CBC (encryption) implementation, or `NULL`. 2113 */ 2114 const br_block_cbcenc_class *br_aes_pwr8_cbcenc_get_vtable(void); 2115 2116 /** 2117 * \brief Obtain the `aes_pwr8` AES-CBC (decryption) implementation, if 2118 * available. 2119 * 2120 * This function returns a pointer to `br_aes_pwr8_cbcdec_vtable`, if 2121 * that implementation was compiled in the library _and_ the POWER8 2122 * crypto opcodes are available on the currently running CPU. If either 2123 * of these conditions is not met, then this function returns `NULL`. 2124 * 2125 * \return the `aes_pwr8` AES-CBC (decryption) implementation, or `NULL`. 2126 */ 2127 const br_block_cbcdec_class *br_aes_pwr8_cbcdec_get_vtable(void); 2128 2129 /** 2130 * \brief Obtain the `aes_pwr8` AES-CTR implementation, if available. 2131 * 2132 * This function returns a pointer to `br_aes_pwr8_ctr_vtable`, if that 2133 * implementation was compiled in the library _and_ the POWER8 crypto 2134 * opcodes are available on the currently running CPU. If either of 2135 * these conditions is not met, then this function returns `NULL`. 2136 * 2137 * \return the `aes_pwr8` AES-CTR implementation, or `NULL`. 2138 */ 2139 const br_block_ctr_class *br_aes_pwr8_ctr_get_vtable(void); 2140 2141 /** 2142 * \brief Obtain the `aes_pwr8` AES-CTR + CBC-MAC implementation, if 2143 * available. 2144 * 2145 * This function returns a pointer to `br_aes_pwr8_ctrcbc_vtable`, if 2146 * that implementation was compiled in the library _and_ the POWER8 AES 2147 * opcodes are available on the currently running CPU. If either of 2148 * these conditions is not met, then this function returns `NULL`. 2149 * 2150 * \return the `aes_pwr8` AES-CTR implementation, or `NULL`. 2151 */ 2152 const br_block_ctrcbc_class *br_aes_pwr8_ctrcbc_get_vtable(void); 2153 2154 /** 2155 * \brief Aggregate structure large enough to be used as context for 2156 * subkeys (CBC encryption) for all AES implementations. 2157 */ 2158 typedef union { 2159 const br_block_cbcenc_class *vtable; 2160 br_aes_big_cbcenc_keys c_big; 2161 br_aes_small_cbcenc_keys c_small; 2162 br_aes_ct_cbcenc_keys c_ct; 2163 br_aes_ct64_cbcenc_keys c_ct64; 2164 br_aes_x86ni_cbcenc_keys c_x86ni; 2165 br_aes_pwr8_cbcenc_keys c_pwr8; 2166 } br_aes_gen_cbcenc_keys; 2167 2168 /** 2169 * \brief Aggregate structure large enough to be used as context for 2170 * subkeys (CBC decryption) for all AES implementations. 2171 */ 2172 typedef union { 2173 const br_block_cbcdec_class *vtable; 2174 br_aes_big_cbcdec_keys c_big; 2175 br_aes_small_cbcdec_keys c_small; 2176 br_aes_ct_cbcdec_keys c_ct; 2177 br_aes_ct64_cbcdec_keys c_ct64; 2178 br_aes_x86ni_cbcdec_keys c_x86ni; 2179 br_aes_pwr8_cbcdec_keys c_pwr8; 2180 } br_aes_gen_cbcdec_keys; 2181 2182 /** 2183 * \brief Aggregate structure large enough to be used as context for 2184 * subkeys (CTR encryption and decryption) for all AES implementations. 2185 */ 2186 typedef union { 2187 const br_block_ctr_class *vtable; 2188 br_aes_big_ctr_keys c_big; 2189 br_aes_small_ctr_keys c_small; 2190 br_aes_ct_ctr_keys c_ct; 2191 br_aes_ct64_ctr_keys c_ct64; 2192 br_aes_x86ni_ctr_keys c_x86ni; 2193 br_aes_pwr8_ctr_keys c_pwr8; 2194 } br_aes_gen_ctr_keys; 2195 2196 /** 2197 * \brief Aggregate structure large enough to be used as context for 2198 * subkeys (CTR encryption/decryption + CBC-MAC) for all AES implementations. 2199 */ 2200 typedef union { 2201 const br_block_ctrcbc_class *vtable; 2202 br_aes_big_ctrcbc_keys c_big; 2203 br_aes_small_ctrcbc_keys c_small; 2204 br_aes_ct_ctrcbc_keys c_ct; 2205 br_aes_ct64_ctrcbc_keys c_ct64; 2206 br_aes_x86ni_ctrcbc_keys c_x86ni; 2207 br_aes_pwr8_ctrcbc_keys c_pwr8; 2208 } br_aes_gen_ctrcbc_keys; 2209 2210 /* 2211 * Traditional, table-based implementation for DES/3DES. Since tables are 2212 * used, cache-timing attacks are conceptually possible. 2213 */ 2214 2215 /** \brief DES/3DES block size (8 bytes). */ 2216 #define br_des_tab_BLOCK_SIZE 8 2217 2218 /** 2219 * \brief Context for DES subkeys (`des_tab` implementation, CBC encryption). 2220 * 2221 * First field is a pointer to the vtable; it is set by the initialisation 2222 * function. Other fields are not supposed to be accessed by user code. 2223 */ 2224 typedef struct { 2225 /** \brief Pointer to vtable for this context. */ 2226 const br_block_cbcenc_class *vtable; 2227 #ifndef BR_DOXYGEN_IGNORE 2228 uint32_t skey[96]; 2229 unsigned num_rounds; 2230 #endif 2231 } br_des_tab_cbcenc_keys; 2232 2233 /** 2234 * \brief Context for DES subkeys (`des_tab` implementation, CBC decryption). 2235 * 2236 * First field is a pointer to the vtable; it is set by the initialisation 2237 * function. Other fields are not supposed to be accessed by user code. 2238 */ 2239 typedef struct { 2240 /** \brief Pointer to vtable for this context. */ 2241 const br_block_cbcdec_class *vtable; 2242 #ifndef BR_DOXYGEN_IGNORE 2243 uint32_t skey[96]; 2244 unsigned num_rounds; 2245 #endif 2246 } br_des_tab_cbcdec_keys; 2247 2248 /** 2249 * \brief Class instance for DES CBC encryption (`des_tab` implementation). 2250 */ 2251 extern const br_block_cbcenc_class br_des_tab_cbcenc_vtable; 2252 2253 /** 2254 * \brief Class instance for DES CBC decryption (`des_tab` implementation). 2255 */ 2256 extern const br_block_cbcdec_class br_des_tab_cbcdec_vtable; 2257 2258 /** 2259 * \brief Context initialisation (key schedule) for DES CBC encryption 2260 * (`des_tab` implementation). 2261 * 2262 * \param ctx context to initialise. 2263 * \param key secret key. 2264 * \param len secret key length (in bytes). 2265 */ 2266 void br_des_tab_cbcenc_init(br_des_tab_cbcenc_keys *ctx, 2267 const void *key, size_t len); 2268 2269 /** 2270 * \brief Context initialisation (key schedule) for DES CBC decryption 2271 * (`des_tab` implementation). 2272 * 2273 * \param ctx context to initialise. 2274 * \param key secret key. 2275 * \param len secret key length (in bytes). 2276 */ 2277 void br_des_tab_cbcdec_init(br_des_tab_cbcdec_keys *ctx, 2278 const void *key, size_t len); 2279 2280 /** 2281 * \brief CBC encryption with DES (`des_tab` implementation). 2282 * 2283 * \param ctx context (already initialised). 2284 * \param iv IV (updated). 2285 * \param data data to encrypt (updated). 2286 * \param len data length (in bytes, MUST be multiple of 8). 2287 */ 2288 void br_des_tab_cbcenc_run(const br_des_tab_cbcenc_keys *ctx, void *iv, 2289 void *data, size_t len); 2290 2291 /** 2292 * \brief CBC decryption with DES (`des_tab` implementation). 2293 * 2294 * \param ctx context (already initialised). 2295 * \param iv IV (updated). 2296 * \param data data to decrypt (updated). 2297 * \param len data length (in bytes, MUST be multiple of 8). 2298 */ 2299 void br_des_tab_cbcdec_run(const br_des_tab_cbcdec_keys *ctx, void *iv, 2300 void *data, size_t len); 2301 2302 /* 2303 * Constant-time implementation for DES/3DES. It is substantially slower 2304 * (by a factor of about 4x), but also immune to cache-timing attacks. 2305 */ 2306 2307 /** \brief DES/3DES block size (8 bytes). */ 2308 #define br_des_ct_BLOCK_SIZE 8 2309 2310 /** 2311 * \brief Context for DES subkeys (`des_ct` implementation, CBC encryption). 2312 * 2313 * First field is a pointer to the vtable; it is set by the initialisation 2314 * function. Other fields are not supposed to be accessed by user code. 2315 */ 2316 typedef struct { 2317 /** \brief Pointer to vtable for this context. */ 2318 const br_block_cbcenc_class *vtable; 2319 #ifndef BR_DOXYGEN_IGNORE 2320 uint32_t skey[96]; 2321 unsigned num_rounds; 2322 #endif 2323 } br_des_ct_cbcenc_keys; 2324 2325 /** 2326 * \brief Context for DES subkeys (`des_ct` implementation, CBC decryption). 2327 * 2328 * First field is a pointer to the vtable; it is set by the initialisation 2329 * function. Other fields are not supposed to be accessed by user code. 2330 */ 2331 typedef struct { 2332 /** \brief Pointer to vtable for this context. */ 2333 const br_block_cbcdec_class *vtable; 2334 #ifndef BR_DOXYGEN_IGNORE 2335 uint32_t skey[96]; 2336 unsigned num_rounds; 2337 #endif 2338 } br_des_ct_cbcdec_keys; 2339 2340 /** 2341 * \brief Class instance for DES CBC encryption (`des_ct` implementation). 2342 */ 2343 extern const br_block_cbcenc_class br_des_ct_cbcenc_vtable; 2344 2345 /** 2346 * \brief Class instance for DES CBC decryption (`des_ct` implementation). 2347 */ 2348 extern const br_block_cbcdec_class br_des_ct_cbcdec_vtable; 2349 2350 /** 2351 * \brief Context initialisation (key schedule) for DES CBC encryption 2352 * (`des_ct` implementation). 2353 * 2354 * \param ctx context to initialise. 2355 * \param key secret key. 2356 * \param len secret key length (in bytes). 2357 */ 2358 void br_des_ct_cbcenc_init(br_des_ct_cbcenc_keys *ctx, 2359 const void *key, size_t len); 2360 2361 /** 2362 * \brief Context initialisation (key schedule) for DES CBC decryption 2363 * (`des_ct` implementation). 2364 * 2365 * \param ctx context to initialise. 2366 * \param key secret key. 2367 * \param len secret key length (in bytes). 2368 */ 2369 void br_des_ct_cbcdec_init(br_des_ct_cbcdec_keys *ctx, 2370 const void *key, size_t len); 2371 2372 /** 2373 * \brief CBC encryption with DES (`des_ct` implementation). 2374 * 2375 * \param ctx context (already initialised). 2376 * \param iv IV (updated). 2377 * \param data data to encrypt (updated). 2378 * \param len data length (in bytes, MUST be multiple of 8). 2379 */ 2380 void br_des_ct_cbcenc_run(const br_des_ct_cbcenc_keys *ctx, void *iv, 2381 void *data, size_t len); 2382 2383 /** 2384 * \brief CBC decryption with DES (`des_ct` implementation). 2385 * 2386 * \param ctx context (already initialised). 2387 * \param iv IV (updated). 2388 * \param data data to decrypt (updated). 2389 * \param len data length (in bytes, MUST be multiple of 8). 2390 */ 2391 void br_des_ct_cbcdec_run(const br_des_ct_cbcdec_keys *ctx, void *iv, 2392 void *data, size_t len); 2393 2394 /* 2395 * These structures are large enough to accommodate subkeys for all 2396 * DES/3DES implementations. 2397 */ 2398 2399 /** 2400 * \brief Aggregate structure large enough to be used as context for 2401 * subkeys (CBC encryption) for all DES implementations. 2402 */ 2403 typedef union { 2404 const br_block_cbcenc_class *vtable; 2405 br_des_tab_cbcenc_keys tab; 2406 br_des_ct_cbcenc_keys ct; 2407 } br_des_gen_cbcenc_keys; 2408 2409 /** 2410 * \brief Aggregate structure large enough to be used as context for 2411 * subkeys (CBC decryption) for all DES implementations. 2412 */ 2413 typedef union { 2414 const br_block_cbcdec_class *vtable; 2415 br_des_tab_cbcdec_keys c_tab; 2416 br_des_ct_cbcdec_keys c_ct; 2417 } br_des_gen_cbcdec_keys; 2418 2419 /** 2420 * \brief Type for a ChaCha20 implementation. 2421 * 2422 * An implementation follows the description in RFC 7539: 2423 * 2424 * - Key is 256 bits (`key` points to exactly 32 bytes). 2425 * 2426 * - IV is 96 bits (`iv` points to exactly 12 bytes). 2427 * 2428 * - Block counter is over 32 bits and starts at value `cc`; the 2429 * resulting value is returned. 2430 * 2431 * Data (pointed to by `data`, of length `len`) is encrypted/decrypted 2432 * in place. If `len` is not a multiple of 64, then the excess bytes from 2433 * the last block processing are dropped (therefore, "chunked" processing 2434 * works only as long as each non-final chunk has a length multiple of 64). 2435 * 2436 * \param key secret key (32 bytes). 2437 * \param iv IV (12 bytes). 2438 * \param cc initial counter value. 2439 * \param data data to encrypt or decrypt. 2440 * \param len data length (in bytes). 2441 */ 2442 typedef uint32_t (*br_chacha20_run)(const void *key, 2443 const void *iv, uint32_t cc, void *data, size_t len); 2444 2445 /** 2446 * \brief ChaCha20 implementation (straightforward C code, constant-time). 2447 * 2448 * \see br_chacha20_run 2449 * 2450 * \param key secret key (32 bytes). 2451 * \param iv IV (12 bytes). 2452 * \param cc initial counter value. 2453 * \param data data to encrypt or decrypt. 2454 * \param len data length (in bytes). 2455 */ 2456 uint32_t br_chacha20_ct_run(const void *key, 2457 const void *iv, uint32_t cc, void *data, size_t len); 2458 2459 /** 2460 * \brief ChaCha20 implementation (SSE2 code, constant-time). 2461 * 2462 * This implementation is available only on x86 platforms, depending on 2463 * compiler support. Moreover, in 32-bit mode, it might not actually run, 2464 * if the underlying hardware does not implement the SSE2 opcode (in 2465 * 64-bit mode, SSE2 is part of the ABI, so if the code could be compiled 2466 * at all, then it can run). Use `br_chacha20_sse2_get()` to safely obtain 2467 * a pointer to that function. 2468 * 2469 * \see br_chacha20_run 2470 * 2471 * \param key secret key (32 bytes). 2472 * \param iv IV (12 bytes). 2473 * \param cc initial counter value. 2474 * \param data data to encrypt or decrypt. 2475 * \param len data length (in bytes). 2476 */ 2477 uint32_t br_chacha20_sse2_run(const void *key, 2478 const void *iv, uint32_t cc, void *data, size_t len); 2479 2480 /** 2481 * \brief Obtain the `sse2` ChaCha20 implementation, if available. 2482 * 2483 * This function returns a pointer to `br_chacha20_sse2_run`, if 2484 * that implementation was compiled in the library _and_ the SSE2 2485 * opcodes are available on the currently running CPU. If either of 2486 * these conditions is not met, then this function returns `0`. 2487 * 2488 * \return the `sse2` ChaCha20 implementation, or `0`. 2489 */ 2490 br_chacha20_run br_chacha20_sse2_get(void); 2491 2492 /** 2493 * \brief Type for a ChaCha20+Poly1305 AEAD implementation. 2494 * 2495 * The provided data is encrypted or decrypted with ChaCha20. The 2496 * authentication tag is computed on the concatenation of the 2497 * additional data and the ciphertext, with the padding and lengths 2498 * as described in RFC 7539 (section 2.8). 2499 * 2500 * After decryption, the caller is responsible for checking that the 2501 * computed tag matches the expected value. 2502 * 2503 * \param key secret key (32 bytes). 2504 * \param iv nonce (12 bytes). 2505 * \param data data to encrypt or decrypt. 2506 * \param len data length (in bytes). 2507 * \param aad additional authenticated data. 2508 * \param aad_len length of additional authenticated data (in bytes). 2509 * \param tag output buffer for the authentication tag. 2510 * \param ichacha implementation of ChaCha20. 2511 * \param encrypt non-zero for encryption, zero for decryption. 2512 */ 2513 typedef void (*br_poly1305_run)(const void *key, const void *iv, 2514 void *data, size_t len, const void *aad, size_t aad_len, 2515 void *tag, br_chacha20_run ichacha, int encrypt); 2516 2517 /** 2518 * \brief ChaCha20+Poly1305 AEAD implementation (mixed 32-bit multiplications). 2519 * 2520 * \see br_poly1305_run 2521 * 2522 * \param key secret key (32 bytes). 2523 * \param iv nonce (12 bytes). 2524 * \param data data to encrypt or decrypt. 2525 * \param len data length (in bytes). 2526 * \param aad additional authenticated data. 2527 * \param aad_len length of additional authenticated data (in bytes). 2528 * \param tag output buffer for the authentication tag. 2529 * \param ichacha implementation of ChaCha20. 2530 * \param encrypt non-zero for encryption, zero for decryption. 2531 */ 2532 void br_poly1305_ctmul_run(const void *key, const void *iv, 2533 void *data, size_t len, const void *aad, size_t aad_len, 2534 void *tag, br_chacha20_run ichacha, int encrypt); 2535 2536 /** 2537 * \brief ChaCha20+Poly1305 AEAD implementation (pure 32-bit multiplications). 2538 * 2539 * \see br_poly1305_run 2540 * 2541 * \param key secret key (32 bytes). 2542 * \param iv nonce (12 bytes). 2543 * \param data data to encrypt or decrypt. 2544 * \param len data length (in bytes). 2545 * \param aad additional authenticated data. 2546 * \param aad_len length of additional authenticated data (in bytes). 2547 * \param tag output buffer for the authentication tag. 2548 * \param ichacha implementation of ChaCha20. 2549 * \param encrypt non-zero for encryption, zero for decryption. 2550 */ 2551 void br_poly1305_ctmul32_run(const void *key, const void *iv, 2552 void *data, size_t len, const void *aad, size_t aad_len, 2553 void *tag, br_chacha20_run ichacha, int encrypt); 2554 2555 /** 2556 * \brief ChaCha20+Poly1305 AEAD implementation (i15). 2557 * 2558 * This implementation relies on the generic big integer code "i15" 2559 * (which uses pure 32-bit multiplications). As such, it may save a 2560 * little code footprint in a context where "i15" is already included 2561 * (e.g. for elliptic curves or for RSA); however, it is also 2562 * substantially slower than the ctmul and ctmul32 implementations. 2563 * 2564 * \see br_poly1305_run 2565 * 2566 * \param key secret key (32 bytes). 2567 * \param iv nonce (12 bytes). 2568 * \param data data to encrypt or decrypt. 2569 * \param len data length (in bytes). 2570 * \param aad additional authenticated data. 2571 * \param aad_len length of additional authenticated data (in bytes). 2572 * \param tag output buffer for the authentication tag. 2573 * \param ichacha implementation of ChaCha20. 2574 * \param encrypt non-zero for encryption, zero for decryption. 2575 */ 2576 void br_poly1305_i15_run(const void *key, const void *iv, 2577 void *data, size_t len, const void *aad, size_t aad_len, 2578 void *tag, br_chacha20_run ichacha, int encrypt); 2579 2580 /** 2581 * \brief ChaCha20+Poly1305 AEAD implementation (ctmulq). 2582 * 2583 * This implementation uses 64-bit multiplications (result over 128 bits). 2584 * It is available only on platforms that offer such a primitive (in 2585 * practice, 64-bit architectures). Use `br_poly1305_ctmulq_get()` to 2586 * dynamically obtain a pointer to that function, or 0 if not supported. 2587 * 2588 * \see br_poly1305_run 2589 * 2590 * \param key secret key (32 bytes). 2591 * \param iv nonce (12 bytes). 2592 * \param data data to encrypt or decrypt. 2593 * \param len data length (in bytes). 2594 * \param aad additional authenticated data. 2595 * \param aad_len length of additional authenticated data (in bytes). 2596 * \param tag output buffer for the authentication tag. 2597 * \param ichacha implementation of ChaCha20. 2598 * \param encrypt non-zero for encryption, zero for decryption. 2599 */ 2600 void br_poly1305_ctmulq_run(const void *key, const void *iv, 2601 void *data, size_t len, const void *aad, size_t aad_len, 2602 void *tag, br_chacha20_run ichacha, int encrypt); 2603 2604 /** 2605 * \brief Get the ChaCha20+Poly1305 "ctmulq" implementation, if available. 2606 * 2607 * This function returns a pointer to the `br_poly1305_ctmulq_run()` 2608 * function if supported on the current platform; otherwise, it returns 0. 2609 * 2610 * \return the ctmulq ChaCha20+Poly1305 implementation, or 0. 2611 */ 2612 br_poly1305_run br_poly1305_ctmulq_get(void); 2613 2614 #ifdef __cplusplus 2615 } 2616 #endif 2617 2618 #endif 2619