2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
25 #ifndef BR_BEARSSL_BLOCK_H__
26 #define BR_BEARSSL_BLOCK_H__
35 /** \file bearssl_block.h
37 * # Block Ciphers and Symmetric Ciphers
39 * This file documents the API for block ciphers and other symmetric
45 * For a block cipher implementation, up to three separate sets of
46 * functions are provided, for CBC encryption, CBC decryption, and CTR
47 * encryption/decryption. Each set has its own context structure,
48 * initialised with the encryption key.
50 * For CBC encryption and decryption, the data to encrypt or decrypt is
51 * referenced as a sequence of blocks. The implementations assume that
52 * there is no partial block; no padding is applied or removed. The
53 * caller is responsible for handling any kind of padding.
55 * Function for CTR encryption are defined only for block ciphers with
56 * blocks of 16 bytes or more (i.e. AES, but not DES/3DES).
58 * Each implemented block cipher is identified by an "internal name"
59 * from which are derived the names of structures and functions that
60 * implement the cipher. For the block cipher of internal name "`xxx`",
61 * the following are defined:
63 * - `br_xxx_BLOCK_SIZE`
65 * A macro that evaluates to the block size (in bytes) of the
66 * cipher. For all implemented block ciphers, this value is a
69 * - `br_xxx_cbcenc_keys`
71 * Context structure that contains the subkeys resulting from the key
72 * expansion. These subkeys are appropriate for CBC encryption. The
73 * structure first field is called `vtable` and points to the
74 * appropriate OOP structure.
76 * - `br_xxx_cbcenc_init(br_xxx_cbcenc_keys *ctx, const void *key, size_t len)`
78 * Perform key expansion: subkeys for CBC encryption are computed and
79 * written in the provided context structure. The key length MUST be
80 * adequate for the implemented block cipher. This function also sets
83 * - `br_xxx_cbcenc_run(const br_xxx_cbcenc_keys *ctx, void *iv, void *data, size_t len)`
85 * Perform CBC encryption of `len` bytes, in place. The encrypted data
86 * replaces the cleartext. `len` MUST be a multiple of the block length
87 * (if it is not, the function may loop forever or overflow a buffer).
88 * The IV is provided with the `iv` pointer; it is also updated with
89 * a copy of the last encrypted block.
91 * - `br_xxx_cbcdec_keys`
93 * Context structure that contains the subkeys resulting from the key
94 * expansion. These subkeys are appropriate for CBC decryption. The
95 * structure first field is called `vtable` and points to the
96 * appropriate OOP structure.
98 * - `br_xxx_cbcdec_init(br_xxx_cbcenc_keys *ctx, const void *key, size_t len)`
100 * Perform key expansion: subkeys for CBC decryption are computed and
101 * written in the provided context structure. The key length MUST be
102 * adequate for the implemented block cipher. This function also sets
103 * the `vtable` field.
105 * - `br_xxx_cbcdec_run(const br_xxx_cbcdec_keys *ctx, void *iv, void *data, size_t num_blocks)`
107 * Perform CBC decryption of `len` bytes, in place. The decrypted data
108 * replaces the ciphertext. `len` MUST be a multiple of the block length
109 * (if it is not, the function may loop forever or overflow a buffer).
110 * The IV is provided with the `iv` pointer; it is also updated with
111 * a copy of the last _encrypted_ block.
113 * - `br_xxx_ctr_keys`
115 * Context structure that contains the subkeys resulting from the key
116 * expansion. These subkeys are appropriate for CTR encryption and
117 * decryption. The structure first field is called `vtable` and
118 * points to the appropriate OOP structure.
120 * - `br_xxx_ctr_init(br_xxx_ctr_keys *ctx, const void *key, size_t len)`
122 * Perform key expansion: subkeys for CTR encryption and decryption
123 * are computed and written in the provided context structure. The
124 * key length MUST be adequate for the implemented block cipher. This
125 * function also sets the `vtable` field.
127 * - `br_xxx_ctr_run(const br_xxx_ctr_keys *ctx, const void *iv, uint32_t cc, void *data, size_t len)` (returns `uint32_t`)
129 * Perform CTR encryption/decryption of some data. Processing is done
130 * "in place" (the output data replaces the input data). This function
131 * implements the "standard incrementing function" from NIST SP800-38A,
132 * annex B: the IV length shall be 4 bytes less than the block size
133 * (i.e. 12 bytes for AES) and the counter is the 32-bit value starting
134 * with `cc`. The data length (`len`) is not necessarily a multiple of
135 * the block size. The new counter value is returned, which supports
136 * chunked processing, provided that each chunk length (except possibly
137 * the last one) is a multiple of the block size.
139 * - `br_xxx_ctrcbc_keys`
141 * Context structure that contains the subkeys resulting from the
142 * key expansion. These subkeys are appropriate for doing combined
143 * CTR encryption/decryption and CBC-MAC, as used in the CCM and EAX
144 * authenticated encryption modes. The structure first field is
145 * called `vtable` and points to the appropriate OOP structure.
147 * - `br_xxx_ctrcbc_init(br_xxx_ctr_keys *ctx, const void *key, size_t len)`
149 * Perform key expansion: subkeys for combined CTR
150 * encryption/decryption and CBC-MAC are computed and written in the
151 * provided context structure. The key length MUST be adequate for
152 * the implemented block cipher. This function also sets the
155 * - `br_xxx_ctrcbc_encrypt(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *cbcmac, void *data, size_t len)`
157 * Perform CTR encryption of some data, and CBC-MAC. Processing is
158 * done "in place" (the output data replaces the input data). This
159 * function applies CTR encryption on the data, using a full
160 * block-size counter (i.e. for 128-bit blocks, the counter is
161 * incremented as a 128-bit value). The 'ctr' array contains the
162 * initial value for the counter (used in the first block) and it is
163 * updated with the new value after data processing. The 'cbcmac'
164 * value shall point to a block-sized value which is used as IV for
165 * CBC-MAC, computed over the encrypted data (output of CTR
166 * encryption); the resulting CBC-MAC is written over 'cbcmac' on
169 * The data length MUST be a multiple of the block size.
171 * - `br_xxx_ctrcbc_decrypt(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *cbcmac, void *data, size_t len)`
173 * Perform CTR decryption of some data, and CBC-MAC. Processing is
174 * done "in place" (the output data replaces the input data). This
175 * function applies CTR decryption on the data, using a full
176 * block-size counter (i.e. for 128-bit blocks, the counter is
177 * incremented as a 128-bit value). The 'ctr' array contains the
178 * initial value for the counter (used in the first block) and it is
179 * updated with the new value after data processing. The 'cbcmac'
180 * value shall point to a block-sized value which is used as IV for
181 * CBC-MAC, computed over the encrypted data (input of CTR
182 * encryption); the resulting CBC-MAC is written over 'cbcmac' on
185 * The data length MUST be a multiple of the block size.
187 * - `br_xxx_ctrcbc_ctr(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *data, size_t len)`
189 * Perform CTR encryption or decryption of the provided data. The
190 * data is processed "in place" (the output data replaces the input
191 * data). A full block-sized counter is applied (i.e. for 128-bit
192 * blocks, the counter is incremented as a 128-bit value). The 'ctr'
193 * array contains the initial value for the counter (used in the
194 * first block), and it is updated with the new value after data
197 * The data length MUST be a multiple of the block size.
199 * - `br_xxx_ctrcbc_mac(const br_xxx_ctrcbc_keys *ctx, void *cbcmac, const void *data, size_t len)`
201 * Compute CBC-MAC over the provided data. The IV for CBC-MAC is
202 * provided as 'cbcmac'; the output is written over the same array.
203 * The data itself is untouched. The data length MUST be a multiple
207 * It shall be noted that the key expansion functions return `void`. If
208 * the provided key length is not allowed, then there will be no error
209 * reporting; implementations need not validate the key length, thus an
210 * invalid key length may result in undefined behaviour (e.g. buffer
213 * Subkey structures contain no interior pointer, and no external
214 * resources are allocated upon key expansion. They can thus be
215 * discarded without any explicit deallocation.
218 * ## Object-Oriented API
220 * Each context structure begins with a field (called `vtable`) that
221 * points to an instance of a structure that references the relevant
222 * functions through pointers. Each such structure contains the
227 * The size (in bytes) of the context structure for subkeys.
231 * The cipher block size (in bytes).
235 * The base-2 logarithm of cipher block size (e.g. 4 for blocks
240 * Pointer to the key expansion function.
244 * Pointer to the encryption/decryption function.
246 * For combined CTR/CBC-MAC encryption, the `vtable` has a slightly
247 * different structure:
251 * The size (in bytes) of the context structure for subkeys.
255 * The cipher block size (in bytes).
259 * The base-2 logarithm of cipher block size (e.g. 4 for blocks
264 * Pointer to the key expansion function.
268 * Pointer to the CTR encryption + CBC-MAC function.
272 * Pointer to the CTR decryption + CBC-MAC function.
276 * Pointer to the CTR encryption/decryption function.
280 * Pointer to the CBC-MAC function.
282 * For block cipher "`xxx`", static, constant instances of these
283 * structures are defined, under the names:
285 * - `br_xxx_cbcenc_vtable`
286 * - `br_xxx_cbcdec_vtable`
287 * - `br_xxx_ctr_vtable`
288 * - `br_xxx_ctrcbc_vtable`
291 * ## Implemented Block Ciphers
293 * Provided implementations are:
295 * | Name | Function | Block Size (bytes) | Key lengths (bytes) |
296 * | :-------- | :------- | :----------------: | :-----------------: |
297 * | aes_big | AES | 16 | 16, 24 and 32 |
298 * | aes_small | AES | 16 | 16, 24 and 32 |
299 * | aes_ct | AES | 16 | 16, 24 and 32 |
300 * | aes_ct64 | AES | 16 | 16, 24 and 32 |
301 * | aes_x86ni | AES | 16 | 16, 24 and 32 |
302 * | aes_pwr8 | AES | 16 | 16, 24 and 32 |
303 * | des_ct | DES/3DES | 8 | 8, 16 and 24 |
304 * | des_tab | DES/3DES | 8 | 8, 16 and 24 |
306 * **Note:** DES/3DES nominally uses keys of 64, 128 and 192 bits (i.e. 8,
307 * 16 and 24 bytes), but some of the bits are ignored by the algorithm, so
308 * the _effective_ key lengths, from a security point of view, are 56,
309 * 112 and 168 bits, respectively.
311 * `aes_big` is a "classical" AES implementation, using tables. It
312 * is fast but not constant-time, since it makes data-dependent array
315 * `aes_small` is an AES implementation optimized for code size. It
316 * is substantially slower than `aes_big`; it is not constant-time
319 * `aes_ct` is a constant-time implementation of AES; its code is about
320 * as big as that of `aes_big`, while its performance is comparable to
321 * that of `aes_small`. However, it is constant-time. This
322 * implementation should thus be considered to be the "default" AES in
323 * BearSSL, to be used unless the operational context guarantees that a
324 * non-constant-time implementation is safe, or an architecture-specific
325 * constant-time implementation can be used (e.g. using dedicated
328 * `aes_ct64` is another constant-time implementation of AES. It is
329 * similar to `aes_ct` but uses 64-bit values. On 32-bit machines,
330 * `aes_ct64` is not faster than `aes_ct`, often a bit slower, and has
331 * a larger footprint; however, on 64-bit architectures, `aes_ct64`
332 * is typically twice faster than `aes_ct` for modes that allow parallel
333 * operations (i.e. CTR, and CBC decryption, but not CBC encryption).
335 * `aes_x86ni` exists only on x86 architectures (32-bit and 64-bit). It
336 * uses the AES-NI opcodes when available.
338 * `aes_pwr8` exists only on PowerPC / POWER architectures (32-bit and
339 * 64-bit, both little-endian and big-endian). It uses the AES opcodes
340 * present in POWER8 and later.
342 * `des_tab` is a classic, table-based implementation of DES/3DES. It
343 * is not constant-time.
345 * `des_ct` is an constant-time implementation of DES/3DES. It is
346 * substantially slower than `des_tab`.
348 * ## ChaCha20 and Poly1305
350 * ChaCha20 is a stream cipher. Poly1305 is a MAC algorithm. They
351 * are described in [RFC 7539](https://tools.ietf.org/html/rfc7539).
353 * Two function pointer types are defined:
355 * - `br_chacha20_run` describes a function that implements ChaCha20
358 * - `br_poly1305_run` describes an implementation of Poly1305,
359 * in the AEAD combination with ChaCha20 specified in RFC 7539
360 * (the ChaCha20 implementation is provided as a function pointer).
362 * `chacha20_ct` is a straightforward implementation of ChaCha20 in
363 * plain C; it is constant-time, small, and reasonably fast.
365 * `chacha20_sse2` leverages SSE2 opcodes (on x86 architectures that
366 * support these opcodes). It is faster than `chacha20_ct`.
368 * `poly1305_ctmul` is an implementation of the ChaCha20+Poly1305 AEAD
369 * construction, where the Poly1305 part is performed with mixed 32-bit
370 * multiplications (operands are 32-bit, result is 64-bit).
372 * `poly1305_ctmul32` implements ChaCha20+Poly1305 using pure 32-bit
373 * multiplications (32-bit operands, 32-bit result). It is slower than
374 * `poly1305_ctmul`, except on some specific architectures such as
375 * the ARM Cortex M0+.
377 * `poly1305_ctmulq` implements ChaCha20+Poly1305 with mixed 64-bit
378 * multiplications (operands are 64-bit, result is 128-bit) on 64-bit
379 * platforms that support such operations.
381 * `poly1305_i15` implements ChaCha20+Poly1305 with the generic "i15"
382 * big integer implementation. It is meant mostly for testing purposes,
383 * although it can help with saving a few hundred bytes of code footprint
384 * on systems where code size is scarce.
388 * \brief Class type for CBC encryption implementations.
390 * A `br_block_cbcenc_class` instance points to the functions implementing
391 * a specific block cipher, when used in CBC mode for encrypting data.
393 typedef struct br_block_cbcenc_class_ br_block_cbcenc_class;
394 struct br_block_cbcenc_class_ {
396 * \brief Size (in bytes) of the context structure appropriate
397 * for containing subkeys.
402 * \brief Size of individual blocks (in bytes).
407 * \brief Base-2 logarithm of the size of individual blocks,
408 * expressed in bytes.
410 unsigned log_block_size;
413 * \brief Initialisation function.
415 * This function sets the `vtable` field in the context structure.
416 * The key length MUST be one of the key lengths supported by
417 * the implementation.
419 * \param ctx context structure to initialise.
420 * \param key secret key.
421 * \param key_len key length (in bytes).
423 void (*init)(const br_block_cbcenc_class **ctx,
424 const void *key, size_t key_len);
427 * \brief Run the CBC encryption.
429 * The `iv` parameter points to the IV for this run; it is
430 * updated with a copy of the last encrypted block. The data
431 * is encrypted "in place"; its length (`len`) MUST be a
432 * multiple of the block size.
434 * \param ctx context structure (already initialised).
435 * \param iv IV for CBC encryption (updated).
436 * \param data data to encrypt.
437 * \param len data length (in bytes, multiple of block size).
439 void (*run)(const br_block_cbcenc_class *const *ctx,
440 void *iv, void *data, size_t len);
444 * \brief Class type for CBC decryption implementations.
446 * A `br_block_cbcdec_class` instance points to the functions implementing
447 * a specific block cipher, when used in CBC mode for decrypting data.
449 typedef struct br_block_cbcdec_class_ br_block_cbcdec_class;
450 struct br_block_cbcdec_class_ {
452 * \brief Size (in bytes) of the context structure appropriate
453 * for containing subkeys.
458 * \brief Size of individual blocks (in bytes).
463 * \brief Base-2 logarithm of the size of individual blocks,
464 * expressed in bytes.
466 unsigned log_block_size;
469 * \brief Initialisation function.
471 * This function sets the `vtable` field in the context structure.
472 * The key length MUST be one of the key lengths supported by
473 * the implementation.
475 * \param ctx context structure to initialise.
476 * \param key secret key.
477 * \param key_len key length (in bytes).
479 void (*init)(const br_block_cbcdec_class **ctx,
480 const void *key, size_t key_len);
483 * \brief Run the CBC decryption.
485 * The `iv` parameter points to the IV for this run; it is
486 * updated with a copy of the last encrypted block. The data
487 * is decrypted "in place"; its length (`len`) MUST be a
488 * multiple of the block size.
490 * \param ctx context structure (already initialised).
491 * \param iv IV for CBC decryption (updated).
492 * \param data data to decrypt.
493 * \param len data length (in bytes, multiple of block size).
495 void (*run)(const br_block_cbcdec_class *const *ctx,
496 void *iv, void *data, size_t len);
500 * \brief Class type for CTR encryption/decryption implementations.
502 * A `br_block_ctr_class` instance points to the functions implementing
503 * a specific block cipher, when used in CTR mode for encrypting or
506 typedef struct br_block_ctr_class_ br_block_ctr_class;
507 struct br_block_ctr_class_ {
509 * \brief Size (in bytes) of the context structure appropriate
510 * for containing subkeys.
515 * \brief Size of individual blocks (in bytes).
520 * \brief Base-2 logarithm of the size of individual blocks,
521 * expressed in bytes.
523 unsigned log_block_size;
526 * \brief Initialisation function.
528 * This function sets the `vtable` field in the context structure.
529 * The key length MUST be one of the key lengths supported by
530 * the implementation.
532 * \param ctx context structure to initialise.
533 * \param key secret key.
534 * \param key_len key length (in bytes).
536 void (*init)(const br_block_ctr_class **ctx,
537 const void *key, size_t key_len);
540 * \brief Run the CTR encryption or decryption.
542 * The `iv` parameter points to the IV for this run; its
543 * length is exactly 4 bytes less than the block size (e.g.
544 * 12 bytes for AES/CTR). The IV is combined with a 32-bit
545 * block counter to produce the block value which is processed
546 * with the block cipher.
548 * The data to encrypt or decrypt is updated "in place". Its
549 * length (`len` bytes) is not required to be a multiple of
550 * the block size; if the final block is partial, then the
551 * corresponding key stream bits are dropped.
553 * The resulting counter value is returned.
555 * \param ctx context structure (already initialised).
556 * \param iv IV for CTR encryption/decryption.
557 * \param cc initial value for the block counter.
558 * \param data data to encrypt or decrypt.
559 * \param len data length (in bytes).
560 * \return the new block counter value.
562 uint32_t (*run)(const br_block_ctr_class *const *ctx,
563 const void *iv, uint32_t cc, void *data, size_t len);
567 * \brief Class type for combined CTR and CBC-MAC implementations.
569 * A `br_block_ctrcbc_class` instance points to the functions implementing
570 * a specific block cipher, when used in CTR mode for encrypting or
571 * decrypting data, along with CBC-MAC.
573 typedef struct br_block_ctrcbc_class_ br_block_ctrcbc_class;
574 struct br_block_ctrcbc_class_ {
576 * \brief Size (in bytes) of the context structure appropriate
577 * for containing subkeys.
582 * \brief Size of individual blocks (in bytes).
587 * \brief Base-2 logarithm of the size of individual blocks,
588 * expressed in bytes.
590 unsigned log_block_size;
593 * \brief Initialisation function.
595 * This function sets the `vtable` field in the context structure.
596 * The key length MUST be one of the key lengths supported by
597 * the implementation.
599 * \param ctx context structure to initialise.
600 * \param key secret key.
601 * \param key_len key length (in bytes).
603 void (*init)(const br_block_ctrcbc_class **ctx,
604 const void *key, size_t key_len);
607 * \brief Run the CTR encryption + CBC-MAC.
609 * The `ctr` parameter points to the counter; its length shall
610 * be equal to the block size. It is updated by this function
611 * as encryption proceeds.
613 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC
614 * is computed over the encrypted data (output of CTR
615 * encryption). Its length shall be equal to the block size. The
616 * computed CBC-MAC value is written over the `cbcmac` array.
618 * The data to encrypt is updated "in place". Its length (`len`
619 * bytes) MUST be a multiple of the block size.
621 * \param ctx context structure (already initialised).
622 * \param ctr counter for CTR encryption (initial and final).
623 * \param cbcmac IV and output buffer for CBC-MAC.
624 * \param data data to encrypt.
625 * \param len data length (in bytes).
627 void (*encrypt)(const br_block_ctrcbc_class *const *ctx,
628 void *ctr, void *cbcmac, void *data, size_t len);
631 * \brief Run the CTR decryption + CBC-MAC.
633 * The `ctr` parameter points to the counter; its length shall
634 * be equal to the block size. It is updated by this function
635 * as decryption proceeds.
637 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC
638 * is computed over the encrypted data (i.e. before CTR
639 * decryption). Its length shall be equal to the block size. The
640 * computed CBC-MAC value is written over the `cbcmac` array.
642 * The data to decrypt is updated "in place". Its length (`len`
643 * bytes) MUST be a multiple of the block size.
645 * \param ctx context structure (already initialised).
646 * \param ctr counter for CTR encryption (initial and final).
647 * \param cbcmac IV and output buffer for CBC-MAC.
648 * \param data data to decrypt.
649 * \param len data length (in bytes).
651 void (*decrypt)(const br_block_ctrcbc_class *const *ctx,
652 void *ctr, void *cbcmac, void *data, size_t len);
655 * \brief Run the CTR encryption/decryption only.
657 * The `ctr` parameter points to the counter; its length shall
658 * be equal to the block size. It is updated by this function
659 * as decryption proceeds.
661 * The data to decrypt is updated "in place". Its length (`len`
662 * bytes) MUST be a multiple of the block size.
664 * \param ctx context structure (already initialised).
665 * \param ctr counter for CTR encryption (initial and final).
666 * \param data data to decrypt.
667 * \param len data length (in bytes).
669 void (*ctr)(const br_block_ctrcbc_class *const *ctx,
670 void *ctr, void *data, size_t len);
673 * \brief Run the CBC-MAC only.
675 * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC
676 * is computed over the encrypted data (i.e. before CTR
677 * decryption). Its length shall be equal to the block size. The
678 * computed CBC-MAC value is written over the `cbcmac` array.
680 * The data is unmodified. Its length (`len` bytes) MUST be a
681 * multiple of the block size.
683 * \param ctx context structure (already initialised).
684 * \param cbcmac IV and output buffer for CBC-MAC.
685 * \param data data to decrypt.
686 * \param len data length (in bytes).
688 void (*mac)(const br_block_ctrcbc_class *const *ctx,
689 void *cbcmac, const void *data, size_t len);
693 * Traditional, table-based AES implementation. It is fast, but uses
694 * internal tables (in particular a 1 kB table for encryption, another
695 * 1 kB table for decryption, and a 256-byte table for key schedule),
696 * and it is not constant-time. In contexts where cache-timing attacks
697 * apply, this implementation may leak the secret key.
700 /** \brief AES block size (16 bytes). */
701 #define br_aes_big_BLOCK_SIZE 16
704 * \brief Context for AES subkeys (`aes_big` implementation, CBC encryption).
706 * First field is a pointer to the vtable; it is set by the initialisation
707 * function. Other fields are not supposed to be accessed by user code.
710 /** \brief Pointer to vtable for this context. */
711 const br_block_cbcenc_class *vtable;
712 #ifndef BR_DOXYGEN_IGNORE
716 } br_aes_big_cbcenc_keys;
719 * \brief Context for AES subkeys (`aes_big` implementation, CBC decryption).
721 * First field is a pointer to the vtable; it is set by the initialisation
722 * function. Other fields are not supposed to be accessed by user code.
725 /** \brief Pointer to vtable for this context. */
726 const br_block_cbcdec_class *vtable;
727 #ifndef BR_DOXYGEN_IGNORE
731 } br_aes_big_cbcdec_keys;
734 * \brief Context for AES subkeys (`aes_big` implementation, CTR encryption
737 * First field is a pointer to the vtable; it is set by the initialisation
738 * function. Other fields are not supposed to be accessed by user code.
741 /** \brief Pointer to vtable for this context. */
742 const br_block_ctr_class *vtable;
743 #ifndef BR_DOXYGEN_IGNORE
747 } br_aes_big_ctr_keys;
750 * \brief Context for AES subkeys (`aes_big` implementation, CTR encryption
751 * and decryption + CBC-MAC).
753 * First field is a pointer to the vtable; it is set by the initialisation
754 * function. Other fields are not supposed to be accessed by user code.
757 /** \brief Pointer to vtable for this context. */
758 const br_block_ctrcbc_class *vtable;
759 #ifndef BR_DOXYGEN_IGNORE
763 } br_aes_big_ctrcbc_keys;
766 * \brief Class instance for AES CBC encryption (`aes_big` implementation).
768 extern const br_block_cbcenc_class br_aes_big_cbcenc_vtable;
771 * \brief Class instance for AES CBC decryption (`aes_big` implementation).
773 extern const br_block_cbcdec_class br_aes_big_cbcdec_vtable;
776 * \brief Class instance for AES CTR encryption and decryption
777 * (`aes_big` implementation).
779 extern const br_block_ctr_class br_aes_big_ctr_vtable;
782 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
783 * (`aes_big` implementation).
785 extern const br_block_ctrcbc_class br_aes_big_ctrcbc_vtable;
788 * \brief Context initialisation (key schedule) for AES CBC encryption
789 * (`aes_big` implementation).
791 * \param ctx context to initialise.
792 * \param key secret key.
793 * \param len secret key length (in bytes).
795 void br_aes_big_cbcenc_init(br_aes_big_cbcenc_keys *ctx,
796 const void *key, size_t len);
799 * \brief Context initialisation (key schedule) for AES CBC decryption
800 * (`aes_big` implementation).
802 * \param ctx context to initialise.
803 * \param key secret key.
804 * \param len secret key length (in bytes).
806 void br_aes_big_cbcdec_init(br_aes_big_cbcdec_keys *ctx,
807 const void *key, size_t len);
810 * \brief Context initialisation (key schedule) for AES CTR encryption
811 * and decryption (`aes_big` implementation).
813 * \param ctx context to initialise.
814 * \param key secret key.
815 * \param len secret key length (in bytes).
817 void br_aes_big_ctr_init(br_aes_big_ctr_keys *ctx,
818 const void *key, size_t len);
821 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
822 * (`aes_big` implementation).
824 * \param ctx context to initialise.
825 * \param key secret key.
826 * \param len secret key length (in bytes).
828 void br_aes_big_ctrcbc_init(br_aes_big_ctrcbc_keys *ctx,
829 const void *key, size_t len);
832 * \brief CBC encryption with AES (`aes_big` implementation).
834 * \param ctx context (already initialised).
835 * \param iv IV (updated).
836 * \param data data to encrypt (updated).
837 * \param len data length (in bytes, MUST be multiple of 16).
839 void br_aes_big_cbcenc_run(const br_aes_big_cbcenc_keys *ctx, void *iv,
840 void *data, size_t len);
843 * \brief CBC decryption with AES (`aes_big` implementation).
845 * \param ctx context (already initialised).
846 * \param iv IV (updated).
847 * \param data data to decrypt (updated).
848 * \param len data length (in bytes, MUST be multiple of 16).
850 void br_aes_big_cbcdec_run(const br_aes_big_cbcdec_keys *ctx, void *iv,
851 void *data, size_t len);
854 * \brief CTR encryption and decryption with AES (`aes_big` implementation).
856 * \param ctx context (already initialised).
857 * \param iv IV (constant, 12 bytes).
858 * \param cc initial block counter value.
859 * \param data data to encrypt or decrypt (updated).
860 * \param len data length (in bytes).
861 * \return new block counter value.
863 uint32_t br_aes_big_ctr_run(const br_aes_big_ctr_keys *ctx,
864 const void *iv, uint32_t cc, void *data, size_t len);
867 * \brief CTR encryption + CBC-MAC with AES (`aes_big` implementation).
869 * \param ctx context (already initialised).
870 * \param ctr counter for CTR (16 bytes, updated).
871 * \param cbcmac IV for CBC-MAC (updated).
872 * \param data data to encrypt (updated).
873 * \param len data length (in bytes, MUST be a multiple of 16).
875 void br_aes_big_ctrcbc_encrypt(const br_aes_big_ctrcbc_keys *ctx,
876 void *ctr, void *cbcmac, void *data, size_t len);
879 * \brief CTR decryption + CBC-MAC with AES (`aes_big` implementation).
881 * \param ctx context (already initialised).
882 * \param ctr counter for CTR (16 bytes, updated).
883 * \param cbcmac IV for CBC-MAC (updated).
884 * \param data data to decrypt (updated).
885 * \param len data length (in bytes, MUST be a multiple of 16).
887 void br_aes_big_ctrcbc_decrypt(const br_aes_big_ctrcbc_keys *ctx,
888 void *ctr, void *cbcmac, void *data, size_t len);
891 * \brief CTR encryption/decryption with AES (`aes_big` implementation).
893 * \param ctx context (already initialised).
894 * \param ctr counter for CTR (16 bytes, updated).
895 * \param data data to MAC (updated).
896 * \param len data length (in bytes, MUST be a multiple of 16).
898 void br_aes_big_ctrcbc_ctr(const br_aes_big_ctrcbc_keys *ctx,
899 void *ctr, void *data, size_t len);
902 * \brief CBC-MAC with AES (`aes_big` implementation).
904 * \param ctx context (already initialised).
905 * \param cbcmac IV for CBC-MAC (updated).
906 * \param data data to MAC (unmodified).
907 * \param len data length (in bytes, MUST be a multiple of 16).
909 void br_aes_big_ctrcbc_mac(const br_aes_big_ctrcbc_keys *ctx,
910 void *cbcmac, const void *data, size_t len);
913 * AES implementation optimized for size. It is slower than the
914 * traditional table-based AES implementation, but requires much less
915 * code. It still uses data-dependent table accesses (albeit within a
916 * much smaller 256-byte table), which makes it conceptually vulnerable
917 * to cache-timing attacks.
920 /** \brief AES block size (16 bytes). */
921 #define br_aes_small_BLOCK_SIZE 16
924 * \brief Context for AES subkeys (`aes_small` implementation, CBC encryption).
926 * First field is a pointer to the vtable; it is set by the initialisation
927 * function. Other fields are not supposed to be accessed by user code.
930 /** \brief Pointer to vtable for this context. */
931 const br_block_cbcenc_class *vtable;
932 #ifndef BR_DOXYGEN_IGNORE
936 } br_aes_small_cbcenc_keys;
939 * \brief Context for AES subkeys (`aes_small` implementation, CBC decryption).
941 * First field is a pointer to the vtable; it is set by the initialisation
942 * function. Other fields are not supposed to be accessed by user code.
945 /** \brief Pointer to vtable for this context. */
946 const br_block_cbcdec_class *vtable;
947 #ifndef BR_DOXYGEN_IGNORE
951 } br_aes_small_cbcdec_keys;
954 * \brief Context for AES subkeys (`aes_small` implementation, CTR encryption
957 * First field is a pointer to the vtable; it is set by the initialisation
958 * function. Other fields are not supposed to be accessed by user code.
961 /** \brief Pointer to vtable for this context. */
962 const br_block_ctr_class *vtable;
963 #ifndef BR_DOXYGEN_IGNORE
967 } br_aes_small_ctr_keys;
970 * \brief Context for AES subkeys (`aes_small` implementation, CTR encryption
971 * and decryption + CBC-MAC).
973 * First field is a pointer to the vtable; it is set by the initialisation
974 * function. Other fields are not supposed to be accessed by user code.
977 /** \brief Pointer to vtable for this context. */
978 const br_block_ctrcbc_class *vtable;
979 #ifndef BR_DOXYGEN_IGNORE
983 } br_aes_small_ctrcbc_keys;
986 * \brief Class instance for AES CBC encryption (`aes_small` implementation).
988 extern const br_block_cbcenc_class br_aes_small_cbcenc_vtable;
991 * \brief Class instance for AES CBC decryption (`aes_small` implementation).
993 extern const br_block_cbcdec_class br_aes_small_cbcdec_vtable;
996 * \brief Class instance for AES CTR encryption and decryption
997 * (`aes_small` implementation).
999 extern const br_block_ctr_class br_aes_small_ctr_vtable;
1002 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1003 * (`aes_small` implementation).
1005 extern const br_block_ctrcbc_class br_aes_small_ctrcbc_vtable;
1008 * \brief Context initialisation (key schedule) for AES CBC encryption
1009 * (`aes_small` implementation).
1011 * \param ctx context to initialise.
1012 * \param key secret key.
1013 * \param len secret key length (in bytes).
1015 void br_aes_small_cbcenc_init(br_aes_small_cbcenc_keys *ctx,
1016 const void *key, size_t len);
1019 * \brief Context initialisation (key schedule) for AES CBC decryption
1020 * (`aes_small` implementation).
1022 * \param ctx context to initialise.
1023 * \param key secret key.
1024 * \param len secret key length (in bytes).
1026 void br_aes_small_cbcdec_init(br_aes_small_cbcdec_keys *ctx,
1027 const void *key, size_t len);
1030 * \brief Context initialisation (key schedule) for AES CTR encryption
1031 * and decryption (`aes_small` implementation).
1033 * \param ctx context to initialise.
1034 * \param key secret key.
1035 * \param len secret key length (in bytes).
1037 void br_aes_small_ctr_init(br_aes_small_ctr_keys *ctx,
1038 const void *key, size_t len);
1041 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1042 * (`aes_small` implementation).
1044 * \param ctx context to initialise.
1045 * \param key secret key.
1046 * \param len secret key length (in bytes).
1048 void br_aes_small_ctrcbc_init(br_aes_small_ctrcbc_keys *ctx,
1049 const void *key, size_t len);
1052 * \brief CBC encryption with AES (`aes_small` implementation).
1054 * \param ctx context (already initialised).
1055 * \param iv IV (updated).
1056 * \param data data to encrypt (updated).
1057 * \param len data length (in bytes, MUST be multiple of 16).
1059 void br_aes_small_cbcenc_run(const br_aes_small_cbcenc_keys *ctx, void *iv,
1060 void *data, size_t len);
1063 * \brief CBC decryption with AES (`aes_small` implementation).
1065 * \param ctx context (already initialised).
1066 * \param iv IV (updated).
1067 * \param data data to decrypt (updated).
1068 * \param len data length (in bytes, MUST be multiple of 16).
1070 void br_aes_small_cbcdec_run(const br_aes_small_cbcdec_keys *ctx, void *iv,
1071 void *data, size_t len);
1074 * \brief CTR encryption and decryption with AES (`aes_small` implementation).
1076 * \param ctx context (already initialised).
1077 * \param iv IV (constant, 12 bytes).
1078 * \param cc initial block counter value.
1079 * \param data data to decrypt (updated).
1080 * \param len data length (in bytes).
1081 * \return new block counter value.
1083 uint32_t br_aes_small_ctr_run(const br_aes_small_ctr_keys *ctx,
1084 const void *iv, uint32_t cc, void *data, size_t len);
1087 * \brief CTR encryption + CBC-MAC with AES (`aes_small` implementation).
1089 * \param ctx context (already initialised).
1090 * \param ctr counter for CTR (16 bytes, updated).
1091 * \param cbcmac IV for CBC-MAC (updated).
1092 * \param data data to encrypt (updated).
1093 * \param len data length (in bytes, MUST be a multiple of 16).
1095 void br_aes_small_ctrcbc_encrypt(const br_aes_small_ctrcbc_keys *ctx,
1096 void *ctr, void *cbcmac, void *data, size_t len);
1099 * \brief CTR decryption + CBC-MAC with AES (`aes_small` implementation).
1101 * \param ctx context (already initialised).
1102 * \param ctr counter for CTR (16 bytes, updated).
1103 * \param cbcmac IV for CBC-MAC (updated).
1104 * \param data data to decrypt (updated).
1105 * \param len data length (in bytes, MUST be a multiple of 16).
1107 void br_aes_small_ctrcbc_decrypt(const br_aes_small_ctrcbc_keys *ctx,
1108 void *ctr, void *cbcmac, void *data, size_t len);
1111 * \brief CTR encryption/decryption with AES (`aes_small` implementation).
1113 * \param ctx context (already initialised).
1114 * \param ctr counter for CTR (16 bytes, updated).
1115 * \param data data to MAC (updated).
1116 * \param len data length (in bytes, MUST be a multiple of 16).
1118 void br_aes_small_ctrcbc_ctr(const br_aes_small_ctrcbc_keys *ctx,
1119 void *ctr, void *data, size_t len);
1122 * \brief CBC-MAC with AES (`aes_small` implementation).
1124 * \param ctx context (already initialised).
1125 * \param cbcmac IV for CBC-MAC (updated).
1126 * \param data data to MAC (unmodified).
1127 * \param len data length (in bytes, MUST be a multiple of 16).
1129 void br_aes_small_ctrcbc_mac(const br_aes_small_ctrcbc_keys *ctx,
1130 void *cbcmac, const void *data, size_t len);
1133 * Constant-time AES implementation. Its size is similar to that of
1134 * 'aes_big', and its performance is similar to that of 'aes_small' (faster
1135 * decryption, slower encryption). However, it is constant-time, i.e.
1136 * immune to cache-timing and similar attacks.
1139 /** \brief AES block size (16 bytes). */
1140 #define br_aes_ct_BLOCK_SIZE 16
1143 * \brief Context for AES subkeys (`aes_ct` implementation, CBC encryption).
1145 * First field is a pointer to the vtable; it is set by the initialisation
1146 * function. Other fields are not supposed to be accessed by user code.
1149 /** \brief Pointer to vtable for this context. */
1150 const br_block_cbcenc_class *vtable;
1151 #ifndef BR_DOXYGEN_IGNORE
1153 unsigned num_rounds;
1155 } br_aes_ct_cbcenc_keys;
1158 * \brief Context for AES subkeys (`aes_ct` implementation, CBC decryption).
1160 * First field is a pointer to the vtable; it is set by the initialisation
1161 * function. Other fields are not supposed to be accessed by user code.
1164 /** \brief Pointer to vtable for this context. */
1165 const br_block_cbcdec_class *vtable;
1166 #ifndef BR_DOXYGEN_IGNORE
1168 unsigned num_rounds;
1170 } br_aes_ct_cbcdec_keys;
1173 * \brief Context for AES subkeys (`aes_ct` implementation, CTR encryption
1176 * First field is a pointer to the vtable; it is set by the initialisation
1177 * function. Other fields are not supposed to be accessed by user code.
1180 /** \brief Pointer to vtable for this context. */
1181 const br_block_ctr_class *vtable;
1182 #ifndef BR_DOXYGEN_IGNORE
1184 unsigned num_rounds;
1186 } br_aes_ct_ctr_keys;
1189 * \brief Context for AES subkeys (`aes_ct` implementation, CTR encryption
1190 * and decryption + CBC-MAC).
1192 * First field is a pointer to the vtable; it is set by the initialisation
1193 * function. Other fields are not supposed to be accessed by user code.
1196 /** \brief Pointer to vtable for this context. */
1197 const br_block_ctrcbc_class *vtable;
1198 #ifndef BR_DOXYGEN_IGNORE
1200 unsigned num_rounds;
1202 } br_aes_ct_ctrcbc_keys;
1205 * \brief Class instance for AES CBC encryption (`aes_ct` implementation).
1207 extern const br_block_cbcenc_class br_aes_ct_cbcenc_vtable;
1210 * \brief Class instance for AES CBC decryption (`aes_ct` implementation).
1212 extern const br_block_cbcdec_class br_aes_ct_cbcdec_vtable;
1215 * \brief Class instance for AES CTR encryption and decryption
1216 * (`aes_ct` implementation).
1218 extern const br_block_ctr_class br_aes_ct_ctr_vtable;
1221 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1222 * (`aes_ct` implementation).
1224 extern const br_block_ctrcbc_class br_aes_ct_ctrcbc_vtable;
1227 * \brief Context initialisation (key schedule) for AES CBC encryption
1228 * (`aes_ct` implementation).
1230 * \param ctx context to initialise.
1231 * \param key secret key.
1232 * \param len secret key length (in bytes).
1234 void br_aes_ct_cbcenc_init(br_aes_ct_cbcenc_keys *ctx,
1235 const void *key, size_t len);
1238 * \brief Context initialisation (key schedule) for AES CBC decryption
1239 * (`aes_ct` implementation).
1241 * \param ctx context to initialise.
1242 * \param key secret key.
1243 * \param len secret key length (in bytes).
1245 void br_aes_ct_cbcdec_init(br_aes_ct_cbcdec_keys *ctx,
1246 const void *key, size_t len);
1249 * \brief Context initialisation (key schedule) for AES CTR encryption
1250 * and decryption (`aes_ct` implementation).
1252 * \param ctx context to initialise.
1253 * \param key secret key.
1254 * \param len secret key length (in bytes).
1256 void br_aes_ct_ctr_init(br_aes_ct_ctr_keys *ctx,
1257 const void *key, size_t len);
1260 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1261 * (`aes_ct` implementation).
1263 * \param ctx context to initialise.
1264 * \param key secret key.
1265 * \param len secret key length (in bytes).
1267 void br_aes_ct_ctrcbc_init(br_aes_ct_ctrcbc_keys *ctx,
1268 const void *key, size_t len);
1271 * \brief CBC encryption with AES (`aes_ct` implementation).
1273 * \param ctx context (already initialised).
1274 * \param iv IV (updated).
1275 * \param data data to encrypt (updated).
1276 * \param len data length (in bytes, MUST be multiple of 16).
1278 void br_aes_ct_cbcenc_run(const br_aes_ct_cbcenc_keys *ctx, void *iv,
1279 void *data, size_t len);
1282 * \brief CBC decryption with AES (`aes_ct` implementation).
1284 * \param ctx context (already initialised).
1285 * \param iv IV (updated).
1286 * \param data data to decrypt (updated).
1287 * \param len data length (in bytes, MUST be multiple of 16).
1289 void br_aes_ct_cbcdec_run(const br_aes_ct_cbcdec_keys *ctx, void *iv,
1290 void *data, size_t len);
1293 * \brief CTR encryption and decryption with AES (`aes_ct` implementation).
1295 * \param ctx context (already initialised).
1296 * \param iv IV (constant, 12 bytes).
1297 * \param cc initial block counter value.
1298 * \param data data to decrypt (updated).
1299 * \param len data length (in bytes).
1300 * \return new block counter value.
1302 uint32_t br_aes_ct_ctr_run(const br_aes_ct_ctr_keys *ctx,
1303 const void *iv, uint32_t cc, void *data, size_t len);
1306 * \brief CTR encryption + CBC-MAC with AES (`aes_ct` implementation).
1308 * \param ctx context (already initialised).
1309 * \param ctr counter for CTR (16 bytes, updated).
1310 * \param cbcmac IV for CBC-MAC (updated).
1311 * \param data data to encrypt (updated).
1312 * \param len data length (in bytes, MUST be a multiple of 16).
1314 void br_aes_ct_ctrcbc_encrypt(const br_aes_ct_ctrcbc_keys *ctx,
1315 void *ctr, void *cbcmac, void *data, size_t len);
1318 * \brief CTR decryption + CBC-MAC with AES (`aes_ct` implementation).
1320 * \param ctx context (already initialised).
1321 * \param ctr counter for CTR (16 bytes, updated).
1322 * \param cbcmac IV for CBC-MAC (updated).
1323 * \param data data to decrypt (updated).
1324 * \param len data length (in bytes, MUST be a multiple of 16).
1326 void br_aes_ct_ctrcbc_decrypt(const br_aes_ct_ctrcbc_keys *ctx,
1327 void *ctr, void *cbcmac, void *data, size_t len);
1330 * \brief CTR encryption/decryption with AES (`aes_ct` implementation).
1332 * \param ctx context (already initialised).
1333 * \param ctr counter for CTR (16 bytes, updated).
1334 * \param data data to MAC (updated).
1335 * \param len data length (in bytes, MUST be a multiple of 16).
1337 void br_aes_ct_ctrcbc_ctr(const br_aes_ct_ctrcbc_keys *ctx,
1338 void *ctr, void *data, size_t len);
1341 * \brief CBC-MAC with AES (`aes_ct` implementation).
1343 * \param ctx context (already initialised).
1344 * \param cbcmac IV for CBC-MAC (updated).
1345 * \param data data to MAC (unmodified).
1346 * \param len data length (in bytes, MUST be a multiple of 16).
1348 void br_aes_ct_ctrcbc_mac(const br_aes_ct_ctrcbc_keys *ctx,
1349 void *cbcmac, const void *data, size_t len);
1352 * 64-bit constant-time AES implementation. It is similar to 'aes_ct'
1353 * but uses 64-bit registers, making it about twice faster than 'aes_ct'
1354 * on 64-bit platforms, while remaining constant-time and with a similar
1355 * code size. (The doubling in performance is only for CBC decryption
1356 * and CTR mode; CBC encryption is non-parallel and cannot benefit from
1357 * the larger registers.)
1360 /** \brief AES block size (16 bytes). */
1361 #define br_aes_ct64_BLOCK_SIZE 16
1364 * \brief Context for AES subkeys (`aes_ct64` implementation, CBC encryption).
1366 * First field is a pointer to the vtable; it is set by the initialisation
1367 * function. Other fields are not supposed to be accessed by user code.
1370 /** \brief Pointer to vtable for this context. */
1371 const br_block_cbcenc_class *vtable;
1372 #ifndef BR_DOXYGEN_IGNORE
1374 unsigned num_rounds;
1376 } br_aes_ct64_cbcenc_keys;
1379 * \brief Context for AES subkeys (`aes_ct64` implementation, CBC decryption).
1381 * First field is a pointer to the vtable; it is set by the initialisation
1382 * function. Other fields are not supposed to be accessed by user code.
1385 /** \brief Pointer to vtable for this context. */
1386 const br_block_cbcdec_class *vtable;
1387 #ifndef BR_DOXYGEN_IGNORE
1389 unsigned num_rounds;
1391 } br_aes_ct64_cbcdec_keys;
1394 * \brief Context for AES subkeys (`aes_ct64` implementation, CTR encryption
1397 * First field is a pointer to the vtable; it is set by the initialisation
1398 * function. Other fields are not supposed to be accessed by user code.
1401 /** \brief Pointer to vtable for this context. */
1402 const br_block_ctr_class *vtable;
1403 #ifndef BR_DOXYGEN_IGNORE
1405 unsigned num_rounds;
1407 } br_aes_ct64_ctr_keys;
1410 * \brief Context for AES subkeys (`aes_ct64` implementation, CTR encryption
1411 * and decryption + CBC-MAC).
1413 * First field is a pointer to the vtable; it is set by the initialisation
1414 * function. Other fields are not supposed to be accessed by user code.
1417 /** \brief Pointer to vtable for this context. */
1418 const br_block_ctrcbc_class *vtable;
1419 #ifndef BR_DOXYGEN_IGNORE
1421 unsigned num_rounds;
1423 } br_aes_ct64_ctrcbc_keys;
1426 * \brief Class instance for AES CBC encryption (`aes_ct64` implementation).
1428 extern const br_block_cbcenc_class br_aes_ct64_cbcenc_vtable;
1431 * \brief Class instance for AES CBC decryption (`aes_ct64` implementation).
1433 extern const br_block_cbcdec_class br_aes_ct64_cbcdec_vtable;
1436 * \brief Class instance for AES CTR encryption and decryption
1437 * (`aes_ct64` implementation).
1439 extern const br_block_ctr_class br_aes_ct64_ctr_vtable;
1442 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1443 * (`aes_ct64` implementation).
1445 extern const br_block_ctrcbc_class br_aes_ct64_ctrcbc_vtable;
1448 * \brief Context initialisation (key schedule) for AES CBC encryption
1449 * (`aes_ct64` implementation).
1451 * \param ctx context to initialise.
1452 * \param key secret key.
1453 * \param len secret key length (in bytes).
1455 void br_aes_ct64_cbcenc_init(br_aes_ct64_cbcenc_keys *ctx,
1456 const void *key, size_t len);
1459 * \brief Context initialisation (key schedule) for AES CBC decryption
1460 * (`aes_ct64` implementation).
1462 * \param ctx context to initialise.
1463 * \param key secret key.
1464 * \param len secret key length (in bytes).
1466 void br_aes_ct64_cbcdec_init(br_aes_ct64_cbcdec_keys *ctx,
1467 const void *key, size_t len);
1470 * \brief Context initialisation (key schedule) for AES CTR encryption
1471 * and decryption (`aes_ct64` implementation).
1473 * \param ctx context to initialise.
1474 * \param key secret key.
1475 * \param len secret key length (in bytes).
1477 void br_aes_ct64_ctr_init(br_aes_ct64_ctr_keys *ctx,
1478 const void *key, size_t len);
1481 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1482 * (`aes_ct64` implementation).
1484 * \param ctx context to initialise.
1485 * \param key secret key.
1486 * \param len secret key length (in bytes).
1488 void br_aes_ct64_ctrcbc_init(br_aes_ct64_ctrcbc_keys *ctx,
1489 const void *key, size_t len);
1492 * \brief CBC encryption with AES (`aes_ct64` implementation).
1494 * \param ctx context (already initialised).
1495 * \param iv IV (updated).
1496 * \param data data to encrypt (updated).
1497 * \param len data length (in bytes, MUST be multiple of 16).
1499 void br_aes_ct64_cbcenc_run(const br_aes_ct64_cbcenc_keys *ctx, void *iv,
1500 void *data, size_t len);
1503 * \brief CBC decryption with AES (`aes_ct64` implementation).
1505 * \param ctx context (already initialised).
1506 * \param iv IV (updated).
1507 * \param data data to decrypt (updated).
1508 * \param len data length (in bytes, MUST be multiple of 16).
1510 void br_aes_ct64_cbcdec_run(const br_aes_ct64_cbcdec_keys *ctx, void *iv,
1511 void *data, size_t len);
1514 * \brief CTR encryption and decryption with AES (`aes_ct64` implementation).
1516 * \param ctx context (already initialised).
1517 * \param iv IV (constant, 12 bytes).
1518 * \param cc initial block counter value.
1519 * \param data data to decrypt (updated).
1520 * \param len data length (in bytes).
1521 * \return new block counter value.
1523 uint32_t br_aes_ct64_ctr_run(const br_aes_ct64_ctr_keys *ctx,
1524 const void *iv, uint32_t cc, void *data, size_t len);
1527 * \brief CTR encryption + CBC-MAC with AES (`aes_ct64` implementation).
1529 * \param ctx context (already initialised).
1530 * \param ctr counter for CTR (16 bytes, updated).
1531 * \param cbcmac IV for CBC-MAC (updated).
1532 * \param data data to encrypt (updated).
1533 * \param len data length (in bytes, MUST be a multiple of 16).
1535 void br_aes_ct64_ctrcbc_encrypt(const br_aes_ct64_ctrcbc_keys *ctx,
1536 void *ctr, void *cbcmac, void *data, size_t len);
1539 * \brief CTR decryption + CBC-MAC with AES (`aes_ct64` implementation).
1541 * \param ctx context (already initialised).
1542 * \param ctr counter for CTR (16 bytes, updated).
1543 * \param cbcmac IV for CBC-MAC (updated).
1544 * \param data data to decrypt (updated).
1545 * \param len data length (in bytes, MUST be a multiple of 16).
1547 void br_aes_ct64_ctrcbc_decrypt(const br_aes_ct64_ctrcbc_keys *ctx,
1548 void *ctr, void *cbcmac, void *data, size_t len);
1551 * \brief CTR encryption/decryption with AES (`aes_ct64` implementation).
1553 * \param ctx context (already initialised).
1554 * \param ctr counter for CTR (16 bytes, updated).
1555 * \param data data to MAC (updated).
1556 * \param len data length (in bytes, MUST be a multiple of 16).
1558 void br_aes_ct64_ctrcbc_ctr(const br_aes_ct64_ctrcbc_keys *ctx,
1559 void *ctr, void *data, size_t len);
1562 * \brief CBC-MAC with AES (`aes_ct64` implementation).
1564 * \param ctx context (already initialised).
1565 * \param cbcmac IV for CBC-MAC (updated).
1566 * \param data data to MAC (unmodified).
1567 * \param len data length (in bytes, MUST be a multiple of 16).
1569 void br_aes_ct64_ctrcbc_mac(const br_aes_ct64_ctrcbc_keys *ctx,
1570 void *cbcmac, const void *data, size_t len);
1573 * AES implementation using AES-NI opcodes (x86 platform).
1576 /** \brief AES block size (16 bytes). */
1577 #define br_aes_x86ni_BLOCK_SIZE 16
1580 * \brief Context for AES subkeys (`aes_x86ni` implementation, CBC encryption).
1582 * First field is a pointer to the vtable; it is set by the initialisation
1583 * function. Other fields are not supposed to be accessed by user code.
1586 /** \brief Pointer to vtable for this context. */
1587 const br_block_cbcenc_class *vtable;
1588 #ifndef BR_DOXYGEN_IGNORE
1590 unsigned char skni[16 * 15];
1592 unsigned num_rounds;
1594 } br_aes_x86ni_cbcenc_keys;
1597 * \brief Context for AES subkeys (`aes_x86ni` implementation, CBC decryption).
1599 * First field is a pointer to the vtable; it is set by the initialisation
1600 * function. Other fields are not supposed to be accessed by user code.
1603 /** \brief Pointer to vtable for this context. */
1604 const br_block_cbcdec_class *vtable;
1605 #ifndef BR_DOXYGEN_IGNORE
1607 unsigned char skni[16 * 15];
1609 unsigned num_rounds;
1611 } br_aes_x86ni_cbcdec_keys;
1614 * \brief Context for AES subkeys (`aes_x86ni` implementation, CTR encryption
1617 * First field is a pointer to the vtable; it is set by the initialisation
1618 * function. Other fields are not supposed to be accessed by user code.
1621 /** \brief Pointer to vtable for this context. */
1622 const br_block_ctr_class *vtable;
1623 #ifndef BR_DOXYGEN_IGNORE
1625 unsigned char skni[16 * 15];
1627 unsigned num_rounds;
1629 } br_aes_x86ni_ctr_keys;
1632 * \brief Context for AES subkeys (`aes_x86ni` implementation, CTR encryption
1633 * and decryption + CBC-MAC).
1635 * First field is a pointer to the vtable; it is set by the initialisation
1636 * function. Other fields are not supposed to be accessed by user code.
1639 /** \brief Pointer to vtable for this context. */
1640 const br_block_ctrcbc_class *vtable;
1641 #ifndef BR_DOXYGEN_IGNORE
1643 unsigned char skni[16 * 15];
1645 unsigned num_rounds;
1647 } br_aes_x86ni_ctrcbc_keys;
1650 * \brief Class instance for AES CBC encryption (`aes_x86ni` implementation).
1652 * Since this implementation might be omitted from the library, or the
1653 * AES opcode unavailable on the current CPU, a pointer to this class
1654 * instance should be obtained through `br_aes_x86ni_cbcenc_get_vtable()`.
1656 extern const br_block_cbcenc_class br_aes_x86ni_cbcenc_vtable;
1659 * \brief Class instance for AES CBC decryption (`aes_x86ni` implementation).
1661 * Since this implementation might be omitted from the library, or the
1662 * AES opcode unavailable on the current CPU, a pointer to this class
1663 * instance should be obtained through `br_aes_x86ni_cbcdec_get_vtable()`.
1665 extern const br_block_cbcdec_class br_aes_x86ni_cbcdec_vtable;
1668 * \brief Class instance for AES CTR encryption and decryption
1669 * (`aes_x86ni` implementation).
1671 * Since this implementation might be omitted from the library, or the
1672 * AES opcode unavailable on the current CPU, a pointer to this class
1673 * instance should be obtained through `br_aes_x86ni_ctr_get_vtable()`.
1675 extern const br_block_ctr_class br_aes_x86ni_ctr_vtable;
1678 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1679 * (`aes_x86ni` implementation).
1681 * Since this implementation might be omitted from the library, or the
1682 * AES opcode unavailable on the current CPU, a pointer to this class
1683 * instance should be obtained through `br_aes_x86ni_ctrcbc_get_vtable()`.
1685 extern const br_block_ctrcbc_class br_aes_x86ni_ctrcbc_vtable;
1688 * \brief Context initialisation (key schedule) for AES CBC encryption
1689 * (`aes_x86ni` implementation).
1691 * \param ctx context to initialise.
1692 * \param key secret key.
1693 * \param len secret key length (in bytes).
1695 void br_aes_x86ni_cbcenc_init(br_aes_x86ni_cbcenc_keys *ctx,
1696 const void *key, size_t len);
1699 * \brief Context initialisation (key schedule) for AES CBC decryption
1700 * (`aes_x86ni` implementation).
1702 * \param ctx context to initialise.
1703 * \param key secret key.
1704 * \param len secret key length (in bytes).
1706 void br_aes_x86ni_cbcdec_init(br_aes_x86ni_cbcdec_keys *ctx,
1707 const void *key, size_t len);
1710 * \brief Context initialisation (key schedule) for AES CTR encryption
1711 * and decryption (`aes_x86ni` implementation).
1713 * \param ctx context to initialise.
1714 * \param key secret key.
1715 * \param len secret key length (in bytes).
1717 void br_aes_x86ni_ctr_init(br_aes_x86ni_ctr_keys *ctx,
1718 const void *key, size_t len);
1721 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
1722 * (`aes_x86ni` implementation).
1724 * \param ctx context to initialise.
1725 * \param key secret key.
1726 * \param len secret key length (in bytes).
1728 void br_aes_x86ni_ctrcbc_init(br_aes_x86ni_ctrcbc_keys *ctx,
1729 const void *key, size_t len);
1732 * \brief CBC encryption with AES (`aes_x86ni` implementation).
1734 * \param ctx context (already initialised).
1735 * \param iv IV (updated).
1736 * \param data data to encrypt (updated).
1737 * \param len data length (in bytes, MUST be multiple of 16).
1739 void br_aes_x86ni_cbcenc_run(const br_aes_x86ni_cbcenc_keys *ctx, void *iv,
1740 void *data, size_t len);
1743 * \brief CBC decryption with AES (`aes_x86ni` implementation).
1745 * \param ctx context (already initialised).
1746 * \param iv IV (updated).
1747 * \param data data to decrypt (updated).
1748 * \param len data length (in bytes, MUST be multiple of 16).
1750 void br_aes_x86ni_cbcdec_run(const br_aes_x86ni_cbcdec_keys *ctx, void *iv,
1751 void *data, size_t len);
1754 * \brief CTR encryption and decryption with AES (`aes_x86ni` implementation).
1756 * \param ctx context (already initialised).
1757 * \param iv IV (constant, 12 bytes).
1758 * \param cc initial block counter value.
1759 * \param data data to decrypt (updated).
1760 * \param len data length (in bytes).
1761 * \return new block counter value.
1763 uint32_t br_aes_x86ni_ctr_run(const br_aes_x86ni_ctr_keys *ctx,
1764 const void *iv, uint32_t cc, void *data, size_t len);
1767 * \brief CTR encryption + CBC-MAC with AES (`aes_x86ni` implementation).
1769 * \param ctx context (already initialised).
1770 * \param ctr counter for CTR (16 bytes, updated).
1771 * \param cbcmac IV for CBC-MAC (updated).
1772 * \param data data to encrypt (updated).
1773 * \param len data length (in bytes, MUST be a multiple of 16).
1775 void br_aes_x86ni_ctrcbc_encrypt(const br_aes_x86ni_ctrcbc_keys *ctx,
1776 void *ctr, void *cbcmac, void *data, size_t len);
1779 * \brief CTR decryption + CBC-MAC with AES (`aes_x86ni` implementation).
1781 * \param ctx context (already initialised).
1782 * \param ctr counter for CTR (16 bytes, updated).
1783 * \param cbcmac IV for CBC-MAC (updated).
1784 * \param data data to decrypt (updated).
1785 * \param len data length (in bytes, MUST be a multiple of 16).
1787 void br_aes_x86ni_ctrcbc_decrypt(const br_aes_x86ni_ctrcbc_keys *ctx,
1788 void *ctr, void *cbcmac, void *data, size_t len);
1791 * \brief CTR encryption/decryption with AES (`aes_x86ni` implementation).
1793 * \param ctx context (already initialised).
1794 * \param ctr counter for CTR (16 bytes, updated).
1795 * \param data data to MAC (updated).
1796 * \param len data length (in bytes, MUST be a multiple of 16).
1798 void br_aes_x86ni_ctrcbc_ctr(const br_aes_x86ni_ctrcbc_keys *ctx,
1799 void *ctr, void *data, size_t len);
1802 * \brief CBC-MAC with AES (`aes_x86ni` implementation).
1804 * \param ctx context (already initialised).
1805 * \param cbcmac IV for CBC-MAC (updated).
1806 * \param data data to MAC (unmodified).
1807 * \param len data length (in bytes, MUST be a multiple of 16).
1809 void br_aes_x86ni_ctrcbc_mac(const br_aes_x86ni_ctrcbc_keys *ctx,
1810 void *cbcmac, const void *data, size_t len);
1813 * \brief Obtain the `aes_x86ni` AES-CBC (encryption) implementation, if
1816 * This function returns a pointer to `br_aes_x86ni_cbcenc_vtable`, if
1817 * that implementation was compiled in the library _and_ the x86 AES
1818 * opcodes are available on the currently running CPU. If either of
1819 * these conditions is not met, then this function returns `NULL`.
1821 * \return the `aes_x86ni` AES-CBC (encryption) implementation, or `NULL`.
1823 const br_block_cbcenc_class *br_aes_x86ni_cbcenc_get_vtable(void);
1826 * \brief Obtain the `aes_x86ni` AES-CBC (decryption) implementation, if
1829 * This function returns a pointer to `br_aes_x86ni_cbcdec_vtable`, if
1830 * that implementation was compiled in the library _and_ the x86 AES
1831 * opcodes are available on the currently running CPU. If either of
1832 * these conditions is not met, then this function returns `NULL`.
1834 * \return the `aes_x86ni` AES-CBC (decryption) implementation, or `NULL`.
1836 const br_block_cbcdec_class *br_aes_x86ni_cbcdec_get_vtable(void);
1839 * \brief Obtain the `aes_x86ni` AES-CTR implementation, if available.
1841 * This function returns a pointer to `br_aes_x86ni_ctr_vtable`, if
1842 * that implementation was compiled in the library _and_ the x86 AES
1843 * opcodes are available on the currently running CPU. If either of
1844 * these conditions is not met, then this function returns `NULL`.
1846 * \return the `aes_x86ni` AES-CTR implementation, or `NULL`.
1848 const br_block_ctr_class *br_aes_x86ni_ctr_get_vtable(void);
1851 * \brief Obtain the `aes_x86ni` AES-CTR + CBC-MAC implementation, if
1854 * This function returns a pointer to `br_aes_x86ni_ctrcbc_vtable`, if
1855 * that implementation was compiled in the library _and_ the x86 AES
1856 * opcodes are available on the currently running CPU. If either of
1857 * these conditions is not met, then this function returns `NULL`.
1859 * \return the `aes_x86ni` AES-CTR implementation, or `NULL`.
1861 const br_block_ctrcbc_class *br_aes_x86ni_ctrcbc_get_vtable(void);
1864 * AES implementation using POWER8 opcodes.
1867 /** \brief AES block size (16 bytes). */
1868 #define br_aes_pwr8_BLOCK_SIZE 16
1871 * \brief Context for AES subkeys (`aes_pwr8` implementation, CBC encryption).
1873 * First field is a pointer to the vtable; it is set by the initialisation
1874 * function. Other fields are not supposed to be accessed by user code.
1877 /** \brief Pointer to vtable for this context. */
1878 const br_block_cbcenc_class *vtable;
1879 #ifndef BR_DOXYGEN_IGNORE
1881 unsigned char skni[16 * 15];
1883 unsigned num_rounds;
1885 } br_aes_pwr8_cbcenc_keys;
1888 * \brief Context for AES subkeys (`aes_pwr8` implementation, CBC decryption).
1890 * First field is a pointer to the vtable; it is set by the initialisation
1891 * function. Other fields are not supposed to be accessed by user code.
1894 /** \brief Pointer to vtable for this context. */
1895 const br_block_cbcdec_class *vtable;
1896 #ifndef BR_DOXYGEN_IGNORE
1898 unsigned char skni[16 * 15];
1900 unsigned num_rounds;
1902 } br_aes_pwr8_cbcdec_keys;
1905 * \brief Context for AES subkeys (`aes_pwr8` implementation, CTR encryption
1908 * First field is a pointer to the vtable; it is set by the initialisation
1909 * function. Other fields are not supposed to be accessed by user code.
1912 /** \brief Pointer to vtable for this context. */
1913 const br_block_ctr_class *vtable;
1914 #ifndef BR_DOXYGEN_IGNORE
1916 unsigned char skni[16 * 15];
1918 unsigned num_rounds;
1920 } br_aes_pwr8_ctr_keys;
1923 * \brief Context for AES subkeys (`aes_pwr8` implementation, CTR encryption
1924 * and decryption + CBC-MAC).
1926 * First field is a pointer to the vtable; it is set by the initialisation
1927 * function. Other fields are not supposed to be accessed by user code.
1930 /** \brief Pointer to vtable for this context. */
1931 const br_block_ctrcbc_class *vtable;
1932 #ifndef BR_DOXYGEN_IGNORE
1934 unsigned char skni[16 * 15];
1936 unsigned num_rounds;
1938 } br_aes_pwr8_ctrcbc_keys;
1941 * \brief Class instance for AES CBC encryption (`aes_pwr8` implementation).
1943 * Since this implementation might be omitted from the library, or the
1944 * AES opcode unavailable on the current CPU, a pointer to this class
1945 * instance should be obtained through `br_aes_pwr8_cbcenc_get_vtable()`.
1947 extern const br_block_cbcenc_class br_aes_pwr8_cbcenc_vtable;
1950 * \brief Class instance for AES CBC decryption (`aes_pwr8` implementation).
1952 * Since this implementation might be omitted from the library, or the
1953 * AES opcode unavailable on the current CPU, a pointer to this class
1954 * instance should be obtained through `br_aes_pwr8_cbcdec_get_vtable()`.
1956 extern const br_block_cbcdec_class br_aes_pwr8_cbcdec_vtable;
1959 * \brief Class instance for AES CTR encryption and decryption
1960 * (`aes_pwr8` implementation).
1962 * Since this implementation might be omitted from the library, or the
1963 * AES opcode unavailable on the current CPU, a pointer to this class
1964 * instance should be obtained through `br_aes_pwr8_ctr_get_vtable()`.
1966 extern const br_block_ctr_class br_aes_pwr8_ctr_vtable;
1969 * \brief Class instance for AES CTR encryption/decryption + CBC-MAC
1970 * (`aes_pwr8` implementation).
1972 * Since this implementation might be omitted from the library, or the
1973 * AES opcode unavailable on the current CPU, a pointer to this class
1974 * instance should be obtained through `br_aes_pwr8_ctrcbc_get_vtable()`.
1976 extern const br_block_ctrcbc_class br_aes_pwr8_ctrcbc_vtable;
1979 * \brief Context initialisation (key schedule) for AES CBC encryption
1980 * (`aes_pwr8` implementation).
1982 * \param ctx context to initialise.
1983 * \param key secret key.
1984 * \param len secret key length (in bytes).
1986 void br_aes_pwr8_cbcenc_init(br_aes_pwr8_cbcenc_keys *ctx,
1987 const void *key, size_t len);
1990 * \brief Context initialisation (key schedule) for AES CBC decryption
1991 * (`aes_pwr8` implementation).
1993 * \param ctx context to initialise.
1994 * \param key secret key.
1995 * \param len secret key length (in bytes).
1997 void br_aes_pwr8_cbcdec_init(br_aes_pwr8_cbcdec_keys *ctx,
1998 const void *key, size_t len);
2001 * \brief Context initialisation (key schedule) for AES CTR encryption
2002 * and decryption (`aes_pwr8` implementation).
2004 * \param ctx context to initialise.
2005 * \param key secret key.
2006 * \param len secret key length (in bytes).
2008 void br_aes_pwr8_ctr_init(br_aes_pwr8_ctr_keys *ctx,
2009 const void *key, size_t len);
2012 * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC
2013 * (`aes_pwr8` implementation).
2015 * \param ctx context to initialise.
2016 * \param key secret key.
2017 * \param len secret key length (in bytes).
2019 void br_aes_pwr8_ctrcbc_init(br_aes_pwr8_ctrcbc_keys *ctx,
2020 const void *key, size_t len);
2023 * \brief CBC encryption with AES (`aes_pwr8` implementation).
2025 * \param ctx context (already initialised).
2026 * \param iv IV (updated).
2027 * \param data data to encrypt (updated).
2028 * \param len data length (in bytes, MUST be multiple of 16).
2030 void br_aes_pwr8_cbcenc_run(const br_aes_pwr8_cbcenc_keys *ctx, void *iv,
2031 void *data, size_t len);
2034 * \brief CBC decryption with AES (`aes_pwr8` implementation).
2036 * \param ctx context (already initialised).
2037 * \param iv IV (updated).
2038 * \param data data to decrypt (updated).
2039 * \param len data length (in bytes, MUST be multiple of 16).
2041 void br_aes_pwr8_cbcdec_run(const br_aes_pwr8_cbcdec_keys *ctx, void *iv,
2042 void *data, size_t len);
2045 * \brief CTR encryption and decryption with AES (`aes_pwr8` implementation).
2047 * \param ctx context (already initialised).
2048 * \param iv IV (constant, 12 bytes).
2049 * \param cc initial block counter value.
2050 * \param data data to decrypt (updated).
2051 * \param len data length (in bytes).
2052 * \return new block counter value.
2054 uint32_t br_aes_pwr8_ctr_run(const br_aes_pwr8_ctr_keys *ctx,
2055 const void *iv, uint32_t cc, void *data, size_t len);
2058 * \brief CTR encryption + CBC-MAC with AES (`aes_pwr8` implementation).
2060 * \param ctx context (already initialised).
2061 * \param ctr counter for CTR (16 bytes, updated).
2062 * \param cbcmac IV for CBC-MAC (updated).
2063 * \param data data to encrypt (updated).
2064 * \param len data length (in bytes, MUST be a multiple of 16).
2066 void br_aes_pwr8_ctrcbc_encrypt(const br_aes_pwr8_ctrcbc_keys *ctx,
2067 void *ctr, void *cbcmac, void *data, size_t len);
2070 * \brief CTR decryption + CBC-MAC with AES (`aes_pwr8` implementation).
2072 * \param ctx context (already initialised).
2073 * \param ctr counter for CTR (16 bytes, updated).
2074 * \param cbcmac IV for CBC-MAC (updated).
2075 * \param data data to decrypt (updated).
2076 * \param len data length (in bytes, MUST be a multiple of 16).
2078 void br_aes_pwr8_ctrcbc_decrypt(const br_aes_pwr8_ctrcbc_keys *ctx,
2079 void *ctr, void *cbcmac, void *data, size_t len);
2082 * \brief CTR encryption/decryption with AES (`aes_pwr8` implementation).
2084 * \param ctx context (already initialised).
2085 * \param ctr counter for CTR (16 bytes, updated).
2086 * \param data data to MAC (updated).
2087 * \param len data length (in bytes, MUST be a multiple of 16).
2089 void br_aes_pwr8_ctrcbc_ctr(const br_aes_pwr8_ctrcbc_keys *ctx,
2090 void *ctr, void *data, size_t len);
2093 * \brief CBC-MAC with AES (`aes_pwr8` implementation).
2095 * \param ctx context (already initialised).
2096 * \param cbcmac IV for CBC-MAC (updated).
2097 * \param data data to MAC (unmodified).
2098 * \param len data length (in bytes, MUST be a multiple of 16).
2100 void br_aes_pwr8_ctrcbc_mac(const br_aes_pwr8_ctrcbc_keys *ctx,
2101 void *cbcmac, const void *data, size_t len);
2104 * \brief Obtain the `aes_pwr8` AES-CBC (encryption) implementation, if
2107 * This function returns a pointer to `br_aes_pwr8_cbcenc_vtable`, if
2108 * that implementation was compiled in the library _and_ the POWER8
2109 * crypto opcodes are available on the currently running CPU. If either
2110 * of these conditions is not met, then this function returns `NULL`.
2112 * \return the `aes_pwr8` AES-CBC (encryption) implementation, or `NULL`.
2114 const br_block_cbcenc_class *br_aes_pwr8_cbcenc_get_vtable(void);
2117 * \brief Obtain the `aes_pwr8` AES-CBC (decryption) implementation, if
2120 * This function returns a pointer to `br_aes_pwr8_cbcdec_vtable`, if
2121 * that implementation was compiled in the library _and_ the POWER8
2122 * crypto opcodes are available on the currently running CPU. If either
2123 * of these conditions is not met, then this function returns `NULL`.
2125 * \return the `aes_pwr8` AES-CBC (decryption) implementation, or `NULL`.
2127 const br_block_cbcdec_class *br_aes_pwr8_cbcdec_get_vtable(void);
2130 * \brief Obtain the `aes_pwr8` AES-CTR implementation, if available.
2132 * This function returns a pointer to `br_aes_pwr8_ctr_vtable`, if that
2133 * implementation was compiled in the library _and_ the POWER8 crypto
2134 * opcodes are available on the currently running CPU. If either of
2135 * these conditions is not met, then this function returns `NULL`.
2137 * \return the `aes_pwr8` AES-CTR implementation, or `NULL`.
2139 const br_block_ctr_class *br_aes_pwr8_ctr_get_vtable(void);
2142 * \brief Obtain the `aes_pwr8` AES-CTR + CBC-MAC implementation, if
2145 * This function returns a pointer to `br_aes_pwr8_ctrcbc_vtable`, if
2146 * that implementation was compiled in the library _and_ the POWER8 AES
2147 * opcodes are available on the currently running CPU. If either of
2148 * these conditions is not met, then this function returns `NULL`.
2150 * \return the `aes_pwr8` AES-CTR implementation, or `NULL`.
2152 const br_block_ctrcbc_class *br_aes_pwr8_ctrcbc_get_vtable(void);
2155 * \brief Aggregate structure large enough to be used as context for
2156 * subkeys (CBC encryption) for all AES implementations.
2159 const br_block_cbcenc_class *vtable;
2160 br_aes_big_cbcenc_keys c_big;
2161 br_aes_small_cbcenc_keys c_small;
2162 br_aes_ct_cbcenc_keys c_ct;
2163 br_aes_ct64_cbcenc_keys c_ct64;
2164 br_aes_x86ni_cbcenc_keys c_x86ni;
2165 br_aes_pwr8_cbcenc_keys c_pwr8;
2166 } br_aes_gen_cbcenc_keys;
2169 * \brief Aggregate structure large enough to be used as context for
2170 * subkeys (CBC decryption) for all AES implementations.
2173 const br_block_cbcdec_class *vtable;
2174 br_aes_big_cbcdec_keys c_big;
2175 br_aes_small_cbcdec_keys c_small;
2176 br_aes_ct_cbcdec_keys c_ct;
2177 br_aes_ct64_cbcdec_keys c_ct64;
2178 br_aes_x86ni_cbcdec_keys c_x86ni;
2179 br_aes_pwr8_cbcdec_keys c_pwr8;
2180 } br_aes_gen_cbcdec_keys;
2183 * \brief Aggregate structure large enough to be used as context for
2184 * subkeys (CTR encryption and decryption) for all AES implementations.
2187 const br_block_ctr_class *vtable;
2188 br_aes_big_ctr_keys c_big;
2189 br_aes_small_ctr_keys c_small;
2190 br_aes_ct_ctr_keys c_ct;
2191 br_aes_ct64_ctr_keys c_ct64;
2192 br_aes_x86ni_ctr_keys c_x86ni;
2193 br_aes_pwr8_ctr_keys c_pwr8;
2194 } br_aes_gen_ctr_keys;
2197 * \brief Aggregate structure large enough to be used as context for
2198 * subkeys (CTR encryption/decryption + CBC-MAC) for all AES implementations.
2201 const br_block_ctrcbc_class *vtable;
2202 br_aes_big_ctrcbc_keys c_big;
2203 br_aes_small_ctrcbc_keys c_small;
2204 br_aes_ct_ctrcbc_keys c_ct;
2205 br_aes_ct64_ctrcbc_keys c_ct64;
2206 br_aes_x86ni_ctrcbc_keys c_x86ni;
2207 br_aes_pwr8_ctrcbc_keys c_pwr8;
2208 } br_aes_gen_ctrcbc_keys;
2211 * Traditional, table-based implementation for DES/3DES. Since tables are
2212 * used, cache-timing attacks are conceptually possible.
2215 /** \brief DES/3DES block size (8 bytes). */
2216 #define br_des_tab_BLOCK_SIZE 8
2219 * \brief Context for DES subkeys (`des_tab` implementation, CBC encryption).
2221 * First field is a pointer to the vtable; it is set by the initialisation
2222 * function. Other fields are not supposed to be accessed by user code.
2225 /** \brief Pointer to vtable for this context. */
2226 const br_block_cbcenc_class *vtable;
2227 #ifndef BR_DOXYGEN_IGNORE
2229 unsigned num_rounds;
2231 } br_des_tab_cbcenc_keys;
2234 * \brief Context for DES subkeys (`des_tab` implementation, CBC decryption).
2236 * First field is a pointer to the vtable; it is set by the initialisation
2237 * function. Other fields are not supposed to be accessed by user code.
2240 /** \brief Pointer to vtable for this context. */
2241 const br_block_cbcdec_class *vtable;
2242 #ifndef BR_DOXYGEN_IGNORE
2244 unsigned num_rounds;
2246 } br_des_tab_cbcdec_keys;
2249 * \brief Class instance for DES CBC encryption (`des_tab` implementation).
2251 extern const br_block_cbcenc_class br_des_tab_cbcenc_vtable;
2254 * \brief Class instance for DES CBC decryption (`des_tab` implementation).
2256 extern const br_block_cbcdec_class br_des_tab_cbcdec_vtable;
2259 * \brief Context initialisation (key schedule) for DES CBC encryption
2260 * (`des_tab` implementation).
2262 * \param ctx context to initialise.
2263 * \param key secret key.
2264 * \param len secret key length (in bytes).
2266 void br_des_tab_cbcenc_init(br_des_tab_cbcenc_keys *ctx,
2267 const void *key, size_t len);
2270 * \brief Context initialisation (key schedule) for DES CBC decryption
2271 * (`des_tab` implementation).
2273 * \param ctx context to initialise.
2274 * \param key secret key.
2275 * \param len secret key length (in bytes).
2277 void br_des_tab_cbcdec_init(br_des_tab_cbcdec_keys *ctx,
2278 const void *key, size_t len);
2281 * \brief CBC encryption with DES (`des_tab` implementation).
2283 * \param ctx context (already initialised).
2284 * \param iv IV (updated).
2285 * \param data data to encrypt (updated).
2286 * \param len data length (in bytes, MUST be multiple of 8).
2288 void br_des_tab_cbcenc_run(const br_des_tab_cbcenc_keys *ctx, void *iv,
2289 void *data, size_t len);
2292 * \brief CBC decryption with DES (`des_tab` implementation).
2294 * \param ctx context (already initialised).
2295 * \param iv IV (updated).
2296 * \param data data to decrypt (updated).
2297 * \param len data length (in bytes, MUST be multiple of 8).
2299 void br_des_tab_cbcdec_run(const br_des_tab_cbcdec_keys *ctx, void *iv,
2300 void *data, size_t len);
2303 * Constant-time implementation for DES/3DES. It is substantially slower
2304 * (by a factor of about 4x), but also immune to cache-timing attacks.
2307 /** \brief DES/3DES block size (8 bytes). */
2308 #define br_des_ct_BLOCK_SIZE 8
2311 * \brief Context for DES subkeys (`des_ct` implementation, CBC encryption).
2313 * First field is a pointer to the vtable; it is set by the initialisation
2314 * function. Other fields are not supposed to be accessed by user code.
2317 /** \brief Pointer to vtable for this context. */
2318 const br_block_cbcenc_class *vtable;
2319 #ifndef BR_DOXYGEN_IGNORE
2321 unsigned num_rounds;
2323 } br_des_ct_cbcenc_keys;
2326 * \brief Context for DES subkeys (`des_ct` implementation, CBC decryption).
2328 * First field is a pointer to the vtable; it is set by the initialisation
2329 * function. Other fields are not supposed to be accessed by user code.
2332 /** \brief Pointer to vtable for this context. */
2333 const br_block_cbcdec_class *vtable;
2334 #ifndef BR_DOXYGEN_IGNORE
2336 unsigned num_rounds;
2338 } br_des_ct_cbcdec_keys;
2341 * \brief Class instance for DES CBC encryption (`des_ct` implementation).
2343 extern const br_block_cbcenc_class br_des_ct_cbcenc_vtable;
2346 * \brief Class instance for DES CBC decryption (`des_ct` implementation).
2348 extern const br_block_cbcdec_class br_des_ct_cbcdec_vtable;
2351 * \brief Context initialisation (key schedule) for DES CBC encryption
2352 * (`des_ct` implementation).
2354 * \param ctx context to initialise.
2355 * \param key secret key.
2356 * \param len secret key length (in bytes).
2358 void br_des_ct_cbcenc_init(br_des_ct_cbcenc_keys *ctx,
2359 const void *key, size_t len);
2362 * \brief Context initialisation (key schedule) for DES CBC decryption
2363 * (`des_ct` implementation).
2365 * \param ctx context to initialise.
2366 * \param key secret key.
2367 * \param len secret key length (in bytes).
2369 void br_des_ct_cbcdec_init(br_des_ct_cbcdec_keys *ctx,
2370 const void *key, size_t len);
2373 * \brief CBC encryption with DES (`des_ct` implementation).
2375 * \param ctx context (already initialised).
2376 * \param iv IV (updated).
2377 * \param data data to encrypt (updated).
2378 * \param len data length (in bytes, MUST be multiple of 8).
2380 void br_des_ct_cbcenc_run(const br_des_ct_cbcenc_keys *ctx, void *iv,
2381 void *data, size_t len);
2384 * \brief CBC decryption with DES (`des_ct` implementation).
2386 * \param ctx context (already initialised).
2387 * \param iv IV (updated).
2388 * \param data data to decrypt (updated).
2389 * \param len data length (in bytes, MUST be multiple of 8).
2391 void br_des_ct_cbcdec_run(const br_des_ct_cbcdec_keys *ctx, void *iv,
2392 void *data, size_t len);
2395 * These structures are large enough to accommodate subkeys for all
2396 * DES/3DES implementations.
2400 * \brief Aggregate structure large enough to be used as context for
2401 * subkeys (CBC encryption) for all DES implementations.
2404 const br_block_cbcenc_class *vtable;
2405 br_des_tab_cbcenc_keys tab;
2406 br_des_ct_cbcenc_keys ct;
2407 } br_des_gen_cbcenc_keys;
2410 * \brief Aggregate structure large enough to be used as context for
2411 * subkeys (CBC decryption) for all DES implementations.
2414 const br_block_cbcdec_class *vtable;
2415 br_des_tab_cbcdec_keys c_tab;
2416 br_des_ct_cbcdec_keys c_ct;
2417 } br_des_gen_cbcdec_keys;
2420 * \brief Type for a ChaCha20 implementation.
2422 * An implementation follows the description in RFC 7539:
2424 * - Key is 256 bits (`key` points to exactly 32 bytes).
2426 * - IV is 96 bits (`iv` points to exactly 12 bytes).
2428 * - Block counter is over 32 bits and starts at value `cc`; the
2429 * resulting value is returned.
2431 * Data (pointed to by `data`, of length `len`) is encrypted/decrypted
2432 * in place. If `len` is not a multiple of 64, then the excess bytes from
2433 * the last block processing are dropped (therefore, "chunked" processing
2434 * works only as long as each non-final chunk has a length multiple of 64).
2436 * \param key secret key (32 bytes).
2437 * \param iv IV (12 bytes).
2438 * \param cc initial counter value.
2439 * \param data data to encrypt or decrypt.
2440 * \param len data length (in bytes).
2442 typedef uint32_t (*br_chacha20_run)(const void *key,
2443 const void *iv, uint32_t cc, void *data, size_t len);
2446 * \brief ChaCha20 implementation (straightforward C code, constant-time).
2448 * \see br_chacha20_run
2450 * \param key secret key (32 bytes).
2451 * \param iv IV (12 bytes).
2452 * \param cc initial counter value.
2453 * \param data data to encrypt or decrypt.
2454 * \param len data length (in bytes).
2456 uint32_t br_chacha20_ct_run(const void *key,
2457 const void *iv, uint32_t cc, void *data, size_t len);
2460 * \brief ChaCha20 implementation (SSE2 code, constant-time).
2462 * This implementation is available only on x86 platforms, depending on
2463 * compiler support. Moreover, in 32-bit mode, it might not actually run,
2464 * if the underlying hardware does not implement the SSE2 opcode (in
2465 * 64-bit mode, SSE2 is part of the ABI, so if the code could be compiled
2466 * at all, then it can run). Use `br_chacha20_sse2_get()` to safely obtain
2467 * a pointer to that function.
2469 * \see br_chacha20_run
2471 * \param key secret key (32 bytes).
2472 * \param iv IV (12 bytes).
2473 * \param cc initial counter value.
2474 * \param data data to encrypt or decrypt.
2475 * \param len data length (in bytes).
2477 uint32_t br_chacha20_sse2_run(const void *key,
2478 const void *iv, uint32_t cc, void *data, size_t len);
2481 * \brief Obtain the `sse2` ChaCha20 implementation, if available.
2483 * This function returns a pointer to `br_chacha20_sse2_run`, if
2484 * that implementation was compiled in the library _and_ the SSE2
2485 * opcodes are available on the currently running CPU. If either of
2486 * these conditions is not met, then this function returns `0`.
2488 * \return the `sse2` ChaCha20 implementation, or `0`.
2490 br_chacha20_run br_chacha20_sse2_get(void);
2493 * \brief Type for a ChaCha20+Poly1305 AEAD implementation.
2495 * The provided data is encrypted or decrypted with ChaCha20. The
2496 * authentication tag is computed on the concatenation of the
2497 * additional data and the ciphertext, with the padding and lengths
2498 * as described in RFC 7539 (section 2.8).
2500 * After decryption, the caller is responsible for checking that the
2501 * computed tag matches the expected value.
2503 * \param key secret key (32 bytes).
2504 * \param iv nonce (12 bytes).
2505 * \param data data to encrypt or decrypt.
2506 * \param len data length (in bytes).
2507 * \param aad additional authenticated data.
2508 * \param aad_len length of additional authenticated data (in bytes).
2509 * \param tag output buffer for the authentication tag.
2510 * \param ichacha implementation of ChaCha20.
2511 * \param encrypt non-zero for encryption, zero for decryption.
2513 typedef void (*br_poly1305_run)(const void *key, const void *iv,
2514 void *data, size_t len, const void *aad, size_t aad_len,
2515 void *tag, br_chacha20_run ichacha, int encrypt);
2518 * \brief ChaCha20+Poly1305 AEAD implementation (mixed 32-bit multiplications).
2520 * \see br_poly1305_run
2522 * \param key secret key (32 bytes).
2523 * \param iv nonce (12 bytes).
2524 * \param data data to encrypt or decrypt.
2525 * \param len data length (in bytes).
2526 * \param aad additional authenticated data.
2527 * \param aad_len length of additional authenticated data (in bytes).
2528 * \param tag output buffer for the authentication tag.
2529 * \param ichacha implementation of ChaCha20.
2530 * \param encrypt non-zero for encryption, zero for decryption.
2532 void br_poly1305_ctmul_run(const void *key, const void *iv,
2533 void *data, size_t len, const void *aad, size_t aad_len,
2534 void *tag, br_chacha20_run ichacha, int encrypt);
2537 * \brief ChaCha20+Poly1305 AEAD implementation (pure 32-bit multiplications).
2539 * \see br_poly1305_run
2541 * \param key secret key (32 bytes).
2542 * \param iv nonce (12 bytes).
2543 * \param data data to encrypt or decrypt.
2544 * \param len data length (in bytes).
2545 * \param aad additional authenticated data.
2546 * \param aad_len length of additional authenticated data (in bytes).
2547 * \param tag output buffer for the authentication tag.
2548 * \param ichacha implementation of ChaCha20.
2549 * \param encrypt non-zero for encryption, zero for decryption.
2551 void br_poly1305_ctmul32_run(const void *key, const void *iv,
2552 void *data, size_t len, const void *aad, size_t aad_len,
2553 void *tag, br_chacha20_run ichacha, int encrypt);
2556 * \brief ChaCha20+Poly1305 AEAD implementation (i15).
2558 * This implementation relies on the generic big integer code "i15"
2559 * (which uses pure 32-bit multiplications). As such, it may save a
2560 * little code footprint in a context where "i15" is already included
2561 * (e.g. for elliptic curves or for RSA); however, it is also
2562 * substantially slower than the ctmul and ctmul32 implementations.
2564 * \see br_poly1305_run
2566 * \param key secret key (32 bytes).
2567 * \param iv nonce (12 bytes).
2568 * \param data data to encrypt or decrypt.
2569 * \param len data length (in bytes).
2570 * \param aad additional authenticated data.
2571 * \param aad_len length of additional authenticated data (in bytes).
2572 * \param tag output buffer for the authentication tag.
2573 * \param ichacha implementation of ChaCha20.
2574 * \param encrypt non-zero for encryption, zero for decryption.
2576 void br_poly1305_i15_run(const void *key, const void *iv,
2577 void *data, size_t len, const void *aad, size_t aad_len,
2578 void *tag, br_chacha20_run ichacha, int encrypt);
2581 * \brief ChaCha20+Poly1305 AEAD implementation (ctmulq).
2583 * This implementation uses 64-bit multiplications (result over 128 bits).
2584 * It is available only on platforms that offer such a primitive (in
2585 * practice, 64-bit architectures). Use `br_poly1305_ctmulq_get()` to
2586 * dynamically obtain a pointer to that function, or 0 if not supported.
2588 * \see br_poly1305_run
2590 * \param key secret key (32 bytes).
2591 * \param iv nonce (12 bytes).
2592 * \param data data to encrypt or decrypt.
2593 * \param len data length (in bytes).
2594 * \param aad additional authenticated data.
2595 * \param aad_len length of additional authenticated data (in bytes).
2596 * \param tag output buffer for the authentication tag.
2597 * \param ichacha implementation of ChaCha20.
2598 * \param encrypt non-zero for encryption, zero for decryption.
2600 void br_poly1305_ctmulq_run(const void *key, const void *iv,
2601 void *data, size_t len, const void *aad, size_t aad_len,
2602 void *tag, br_chacha20_run ichacha, int encrypt);
2605 * \brief Get the ChaCha20+Poly1305 "ctmulq" implementation, if available.
2607 * This function returns a pointer to the `br_poly1305_ctmulq_run()`
2608 * function if supported on the current platform; otherwise, it returns 0.
2610 * \return the ctmulq ChaCha20+Poly1305 implementation, or 0.
2612 br_poly1305_run br_poly1305_ctmulq_get(void);