File Coverage

include/bearssl_hash.h

Criterion	Covered	Total	%
statement	0	3	0.0
branch			n/a
condition			n/a
subroutine			n/a
pod			n/a
total	0	3	0.0

line	stmt	code
1		/*
2		* Copyright (c) 2016 Thomas Pornin
3		*
4		* Permission is hereby granted, free of charge, to any person obtaining
5		* a copy of this software and associated documentation files (the
6		* "Software"), to deal in the Software without restriction, including
7		* without limitation the rights to use, copy, modify, merge, publish,
8		* distribute, sublicense, and/or sell copies of the Software, and to
9		* permit persons to whom the Software is furnished to do so, subject to
10		* the following conditions:
11		*
12		* The above copyright notice and this permission notice shall be
13		* included in all copies or substantial portions of the Software.
14		*
15		* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16		* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17		* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18		* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19		* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20		* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21		* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22		* SOFTWARE.
23		*/
24
25		#ifndef BR_BEARSSL_HASH_H__
26		#define BR_BEARSSL_HASH_H__
27
28		#include
29		#include
30		#include
31
32		#ifdef __cplusplus
33		extern "C" {
34		#endif
35
36		/** \file bearssl_hash.h
37		*
38		* # Hash Functions
39		*
40		* This file documents the API for hash functions.
41		*
42		*
43		* ## Procedural API
44		*
45		* For each implemented hash function, of name "`xxx`", the following
46		* elements are defined:
47		*
48		* - `br_xxx_vtable`
49		*
50		* An externally defined instance of `br_hash_class`.
51		*
52		* - `br_xxx_SIZE`
53		*
54		* A macro that evaluates to the output size (in bytes) of the
55		* hash function.
56		*
57		* - `br_xxx_ID`
58		*
59		* A macro that evaluates to a symbolic identifier for the hash
60		* function. Such identifiers are used with HMAC and signature
61		* algorithm implementations.
62		*
63		* NOTE: for the "standard" hash functions defined in [the TLS
64		* standard](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1),
65		* the symbolic identifiers match the constants used in TLS, i.e.
66		* 1 to 6 for MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512,
67		* respectively.
68		*
69		* - `br_xxx_context`
70		*
71		* Context for an ongoing computation. It is allocated by the
72		* caller, and a pointer to it is passed to all functions. A
73		* context contains no interior pointer, so it can be moved around
74		* and cloned (with a simple `memcpy()` or equivalent) in order to
75		* capture the function state at some point. Computations that use
76		* distinct context structures are independent of each other. The
77		* first field of `br_xxx_context` is always a pointer to the
78		* `br_xxx_vtable` structure; `br_xxx_init()` sets that pointer.
79		*
80		* - `br_xxx_init(br_xxx_context *ctx)`
81		*
82		* Initialise the provided context. Previous contents of the structure
83		* are ignored. This calls resets the context to the start of a new
84		* hash computation; it also sets the first field of the context
85		* structure (called `vtable`) to a pointer to the statically
86		* allocated constant `br_xxx_vtable` structure.
87		*
88		* - `br_xxx_update(br_xxx_context ctx, const void data, size_t len)`
89		*
90		* Add some more bytes to the hash computation represented by the
91		* provided context.
92		*
93		* - `br_xxx_out(const br_xxx_context ctx, void out)`
94		*
95		* Complete the hash computation and write the result in the provided
96		* buffer. The output buffer MUST be large enough to accommodate the
97		* result. The context is NOT modified by this operation, so this
98		* function can be used to get a "partial hash" while still keeping
99		* the possibility of adding more bytes to the input.
100		*
101		* - `br_xxx_state(const br_xxx_context ctx, void out)`
102		*
103		* Get a copy of the "current state" for the computation so far. For
104		* MD functions (MD5, SHA-1, SHA-2 family), this is the running state
105		* resulting from the processing of the last complete input block.
106		* Returned value is the current input length (in bytes).
107		*
108		* - `br_xxx_set_state(br_xxx_context ctx, const void stb, uint64_t count)`
109		*
110		* Set the internal state to the provided values. The 'stb' and
111		* 'count' values shall match that which was obtained from
112		* `br_xxx_state()`. This restores the hash state only if the state
113		* values were at an appropriate block boundary. This does NOT set
114		* the `vtable` pointer in the context.
115		*
116		* Context structures can be discarded without any explicit deallocation.
117		* Hash function implementations are purely software and don't reserve
118		* any resources outside of the context structure itself.
119		*
120		*
121		* ## Object-Oriented API
122		*
123		* For each hash function that follows the procedural API described
124		* above, an object-oriented API is also provided. In that API, function
125		* pointers from the vtable (`br_xxx_vtable`) are used. The vtable
126		* incarnates object-oriented programming. An introduction on the OOP
127		* concept used here can be read on the BearSSL Web site:
128		* [https://www.bearssl.org/oop.html](https://www.bearssl.org/oop.html)
129		*
130		* The vtable offers functions called `init()`, `update()`, `out()`,
131		* `set()` and `set_state()`, which are in fact the functions from
132		* the procedural API. That vtable also contains two informative fields:
133		*
134		* - `context_size`
135		*
136		* The size of the context structure (`br_xxx_context`), in bytes.
137		* This can be used by generic implementations to perform dynamic
138		* context allocation.
139		*
140		* - `desc`
141		*
142		* A "descriptor" field that encodes some information on the hash
143		* function: symbolic identifier, output size, state size,
144		* internal block size, details on the padding.
145		*
146		* Users of this object-oriented API (in particular generic HMAC
147		* implementations) may make the following assumptions:
148		*
149		* - Hash output size is no more than 64 bytes.
150		* - Hash internal state size is no more than 64 bytes.
151		* - Internal block size is a power of two, no less than 16 and no more
152		* than 256.
153		*
154		*
155		* ## Implemented Hash Functions
156		*
157		* Implemented hash functions are:
158		*
159		* \| Function \| Name \| Output length \| State length \|
160		* \| :-------- \| :------ \| :-----------: \| :----------: \|
161		* \| MD5 \| md5 \| 16 \| 16 \|
162		* \| SHA-1 \| sha1 \| 20 \| 20 \|
163		* \| SHA-224 \| sha224 \| 28 \| 32 \|
164		* \| SHA-256 \| sha256 \| 32 \| 32 \|
165		* \| SHA-384 \| sha384 \| 48 \| 64 \|
166		* \| SHA-512 \| sha512 \| 64 \| 64 \|
167		* \| MD5+SHA-1 \| md5sha1 \| 36 \| 36 \|
168		*
169		* (MD5+SHA-1 is the concatenation of MD5 and SHA-1 computed over the
170		* same input; in the implementation, the internal data buffer is
171		* shared, thus making it more memory-efficient than separate MD5 and
172		* SHA-1. It can be useful in implementing SSL 3.0, TLS 1.0 and TLS
173		* 1.1.)
174		*
175		*
176		* ## Multi-Hasher
177		*
178		* An aggregate hasher is provided, that can compute several standard
179		* hash functions in parallel. It uses `br_multihash_context` and a
180		* procedural API. It is configured with the implementations (the vtables)
181		* that it should use; it will then compute all these hash functions in
182		* parallel, on the same input. It is meant to be used in cases when the
183		* hash of an object will be used, but the exact hash function is not
184		* known yet (typically, streamed processing on X.509 certificates).
185		*
186		* Only the standard hash functions (MD5, SHA-1, SHA-224, SHA-256, SHA-384
187		* and SHA-512) are supported by the multi-hasher.
188		*
189		*
190		* ## GHASH
191		*
192		* GHASH is not a generic hash function; it is a _universal_ hash function,
193		* which, as the name does not say, means that it CANNOT be used in most
194		* places where a hash function is needed. GHASH is used within the GCM
195		* encryption mode, to provide the checked integrity functionality.
196		*
197		* A GHASH implementation is basically a function that uses the type defined
198		* in this file under the name `br_ghash`:
199		*
200		* typedef void (br_ghash)(void y, const void h, const void data, size_t len);
201		*
202		* The `y` pointer refers to a 16-byte value which is used as input, and
203		* receives the output of the GHASH invocation. `h` is a 16-byte secret
204		* value (that serves as key). `data` and `len` define the input data.
205		*
206		* Three GHASH implementations are provided, all constant-time, based on
207		* the use of integer multiplications with appropriate masking to cancel
208		* carry propagation.
209		*/
210
211		/**
212		* \brief Class type for hash function implementations.
213		*
214		* A `br_hash_class` instance references the methods implementing a hash
215		* function. Constant instances of this structure are defined for each
216		* implemented hash function. Such instances are also called "vtables".
217		*
218		* Vtables are used to support object-oriented programming, as
219		* described on [the BearSSL Web site](https://www.bearssl.org/oop.html).
220		*/
221		typedef struct br_hash_class_ br_hash_class;
222		struct br_hash_class_ {
223		/**
224		* \brief Size (in bytes) of the context structure appropriate for
225		* computing this hash function.
226		*/
227		size_t context_size;
228
229		/**
230		* \brief Descriptor word that contains information about the hash
231		* function.
232		*
233		* For each word `xxx` described below, use `BR_HASHDESC_xxx_OFF`
234		* and `BR_HASHDESC_xxx_MASK` to access the specific value, as
235		* follows:
236		*
237		* (hf->desc >> BR_HASHDESC_xxx_OFF) & BR_HASHDESC_xxx_MASK
238		*
239		* The defined elements are:
240		*
241		* - `ID`: the symbolic identifier for the function, as defined
242		* in [TLS](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1)
243		* (MD5 = 1, SHA-1 = 2,...).
244		*
245		* - `OUT`: hash output size, in bytes.
246		*
247		* - `STATE`: internal running state size, in bytes.
248		*
249		* - `LBLEN`: base-2 logarithm for the internal block size, as
250		* defined for HMAC processing (this is 6 for MD5, SHA-1, SHA-224
251		* and SHA-256, since these functions use 64-byte blocks; for
252		* SHA-384 and SHA-512, this is 7, corresponding to their
253		* 128-byte blocks).
254		*
255		* The descriptor may contain a few other flags.
256		*/
257		uint32_t desc;
258
259		/**
260		* \brief Initialisation method.
261		*
262		* This method takes as parameter a pointer to a context area,
263		* that it initialises. The first field of the context is set
264		* to this vtable; other elements are initialised for a new hash
265		* computation.
266		*
267		* \param ctx pointer to (the first field of) the context.
268		*/
269		void (init)(const br_hash_class *ctx);
270
271		/**
272		* \brief Data injection method.
273		*
274		* The `len` bytes starting at address `data` are injected into
275		* the running hash computation incarnated by the specified
276		* context. The context is updated accordingly. It is allowed
277		* to have `len == 0`, in which case `data` is ignored (and could
278		* be `NULL`), and nothing happens.
279		* on the input data.
280		*
281		* \param ctx pointer to (the first field of) the context.
282		* \param data pointer to the first data byte to inject.
283		* \param len number of bytes to inject.
284		*/
285		void (update)(const br_hash_class ctx, const void data, size_t len);
286
287		/**
288		* \brief Produce hash output.
289		*
290		* The hash output corresponding to all data bytes injected in the
291		* context since the last `init()` call is computed, and written
292		* in the buffer pointed to by `dst`. The hash output size depends
293		* on the implemented hash function (e.g. 16 bytes for MD5).
294		* The context is _not_ modified by this call, so further bytes
295		* may be afterwards injected to continue the current computation.
296		*
297		* \param ctx pointer to (the first field of) the context.
298		* \param dst destination buffer for the hash output.
299		*/
300		void (out)(const br_hash_class const ctx, void dst);
301
302		/**
303		* \brief Get running state.
304		*
305		* This method saves the current running state into the `dst`
306		* buffer. What constitutes the "running state" depends on the
307		* hash function; for Merkle-Damgård hash functions (like
308		* MD5 or SHA-1), this is the output obtained after processing
309		* each block. The number of bytes injected so far is returned.
310		* The context is not modified by this call.
311		*
312		* \param ctx pointer to (the first field of) the context.
313		* \param dst destination buffer for the state.
314		* \return the injected total byte length.
315		*/
316		uint64_t (state)(const br_hash_class const ctx, void dst);
317
318		/**
319		* \brief Set running state.
320		*
321		* This methods replaces the running state for the function.
322		*
323		* \param ctx pointer to (the first field of) the context.
324		* \param stb source buffer for the state.
325		* \param count injected total byte length.
326		*/
327		void (set_state)(const br_hash_class *ctx,
328		const void *stb, uint64_t count);
329		};
330
331		#ifndef BR_DOXYGEN_IGNORE
332		#define BR_HASHDESC_ID(id) ((uint32_t)(id) << BR_HASHDESC_ID_OFF)
333		#define BR_HASHDESC_ID_OFF 0
334		#define BR_HASHDESC_ID_MASK 0xFF
335
336		#define BR_HASHDESC_OUT(size) ((uint32_t)(size) << BR_HASHDESC_OUT_OFF)
337		#define BR_HASHDESC_OUT_OFF 8
338		#define BR_HASHDESC_OUT_MASK 0x7F
339
340		#define BR_HASHDESC_STATE(size) ((uint32_t)(size) << BR_HASHDESC_STATE_OFF)
341		#define BR_HASHDESC_STATE_OFF 15
342		#define BR_HASHDESC_STATE_MASK 0xFF
343
344		#define BR_HASHDESC_LBLEN(ls) ((uint32_t)(ls) << BR_HASHDESC_LBLEN_OFF)
345		#define BR_HASHDESC_LBLEN_OFF 23
346		#define BR_HASHDESC_LBLEN_MASK 0x0F
347
348		#define BR_HASHDESC_MD_PADDING ((uint32_t)1 << 28)
349		#define BR_HASHDESC_MD_PADDING_128 ((uint32_t)1 << 29)
350		#define BR_HASHDESC_MD_PADDING_BE ((uint32_t)1 << 30)
351		#endif
352
353		/*
354		* Specific hash functions.
355		*
356		* Rules for contexts:
357		* -- No interior pointer.
358		* -- No pointer to external dynamically allocated resources.
359		* -- First field is called 'vtable' and is a pointer to a
360		* const-qualified br_hash_class instance (pointer is set by init()).
361		* -- SHA-224 and SHA-256 contexts are identical.
362		* -- SHA-384 and SHA-512 contexts are identical.
363		*
364		* Thus, contexts can be moved and cloned to capture the hash function
365		* current state; and there is no need for any explicit "release" function.
366		*/
367
368		/**
369		* \brief Symbolic identifier for MD5.
370		*/
371		#define br_md5_ID 1
372
373		/**
374		* \brief MD5 output size (in bytes).
375		*/
376		#define br_md5_SIZE 16
377
378		/**
379		* \brief Constant vtable for MD5.
380		*/
381		extern const br_hash_class br_md5_vtable;
382
383		/**
384		* \brief MD5 context.
385		*
386		* First field is a pointer to the vtable; it is set by the initialisation
387		* function. Other fields are not supposed to be accessed by user code.
388		*/
389		typedef struct {
390		/**
391		* \brief Pointer to vtable for this context.
392		*/
393		const br_hash_class *vtable;
394		#ifndef BR_DOXYGEN_IGNORE
395		unsigned char buf[64];
396		uint64_t count;
397		uint32_t val[4];
398		#endif
399		} br_md5_context;
400
401		/**
402		* \brief MD5 context initialisation.
403		*
404		* This function initialises or resets a context for a new MD5
405		* computation. It also sets the vtable pointer.
406		*
407		* \param ctx pointer to the context structure.
408		*/
409		void br_md5_init(br_md5_context *ctx);
410
411		/**
412		* \brief Inject some data bytes in a running MD5 computation.
413		*
414		* The provided context is updated with some data bytes. If the number
415		* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
416		* and may be `NULL`, and this function does nothing.
417		*
418		* \param ctx pointer to the context structure.
419		* \param data pointer to the injected data.
420		* \param len injected data length (in bytes).
421		*/
422		void br_md5_update(br_md5_context ctx, const void data, size_t len);
423
424		/**
425		* \brief Compute MD5 output.
426		*
427		* The MD5 output for the concatenation of all bytes injected in the
428		* provided context since the last initialisation or reset call, is
429		* computed and written in the buffer pointed to by `out`. The context
430		* itself is not modified, so extra bytes may be injected afterwards
431		* to continue that computation.
432		*
433		* \param ctx pointer to the context structure.
434		* \param out destination buffer for the hash output.
435		*/
436		void br_md5_out(const br_md5_context ctx, void out);
437
438		/**
439		* \brief Save MD5 running state.
440		*
441		* The running state for MD5 (output of the last internal block
442		* processing) is written in the buffer pointed to by `out`. The
443		* number of bytes injected since the last initialisation or reset
444		* call is returned. The context is not modified.
445		*
446		* \param ctx pointer to the context structure.
447		* \param out destination buffer for the running state.
448		* \return the injected total byte length.
449		*/
450		uint64_t br_md5_state(const br_md5_context ctx, void out);
451
452		/**
453		* \brief Restore MD5 running state.
454		*
455		* The running state for MD5 is set to the provided values.
456		*
457		* \param ctx pointer to the context structure.
458		* \param stb source buffer for the running state.
459		* \param count the injected total byte length.
460		*/
461		void br_md5_set_state(br_md5_context ctx, const void stb, uint64_t count);
462
463		/**
464		* \brief Symbolic identifier for SHA-1.
465		*/
466		#define br_sha1_ID 2
467
468		/**
469		* \brief SHA-1 output size (in bytes).
470		*/
471		#define br_sha1_SIZE 20
472
473		/**
474		* \brief Constant vtable for SHA-1.
475		*/
476		extern const br_hash_class br_sha1_vtable;
477
478		/**
479		* \brief SHA-1 context.
480		*
481		* First field is a pointer to the vtable; it is set by the initialisation
482		* function. Other fields are not supposed to be accessed by user code.
483		*/
484		typedef struct {
485		/**
486		* \brief Pointer to vtable for this context.
487		*/
488		const br_hash_class *vtable;
489		#ifndef BR_DOXYGEN_IGNORE
490		unsigned char buf[64];
491		uint64_t count;
492		uint32_t val[5];
493		#endif
494		} br_sha1_context;
495
496		/**
497		* \brief SHA-1 context initialisation.
498		*
499		* This function initialises or resets a context for a new SHA-1
500		* computation. It also sets the vtable pointer.
501		*
502		* \param ctx pointer to the context structure.
503		*/
504		void br_sha1_init(br_sha1_context *ctx);
505
506		/**
507		* \brief Inject some data bytes in a running SHA-1 computation.
508		*
509		* The provided context is updated with some data bytes. If the number
510		* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
511		* and may be `NULL`, and this function does nothing.
512		*
513		* \param ctx pointer to the context structure.
514		* \param data pointer to the injected data.
515		* \param len injected data length (in bytes).
516		*/
517		void br_sha1_update(br_sha1_context ctx, const void data, size_t len);
518
519		/**
520		* \brief Compute SHA-1 output.
521		*
522		* The SHA-1 output for the concatenation of all bytes injected in the
523		* provided context since the last initialisation or reset call, is
524		* computed and written in the buffer pointed to by `out`. The context
525		* itself is not modified, so extra bytes may be injected afterwards
526		* to continue that computation.
527		*
528		* \param ctx pointer to the context structure.
529		* \param out destination buffer for the hash output.
530		*/
531		void br_sha1_out(const br_sha1_context ctx, void out);
532
533		/**
534		* \brief Save SHA-1 running state.
535		*
536		* The running state for SHA-1 (output of the last internal block
537		* processing) is written in the buffer pointed to by `out`. The
538		* number of bytes injected since the last initialisation or reset
539		* call is returned. The context is not modified.
540		*
541		* \param ctx pointer to the context structure.
542		* \param out destination buffer for the running state.
543		* \return the injected total byte length.
544		*/
545		uint64_t br_sha1_state(const br_sha1_context ctx, void out);
546
547		/**
548		* \brief Restore SHA-1 running state.
549		*
550		* The running state for SHA-1 is set to the provided values.
551		*
552		* \param ctx pointer to the context structure.
553		* \param stb source buffer for the running state.
554		* \param count the injected total byte length.
555		*/
556		void br_sha1_set_state(br_sha1_context ctx, const void stb, uint64_t count);
557
558		/**
559		* \brief Symbolic identifier for SHA-224.
560		*/
561		#define br_sha224_ID 3
562
563		/**
564		* \brief SHA-224 output size (in bytes).
565		*/
566		#define br_sha224_SIZE 28
567
568		/**
569		* \brief Constant vtable for SHA-224.
570		*/
571		extern const br_hash_class br_sha224_vtable;
572
573		/**
574		* \brief SHA-224 context.
575		*
576		* First field is a pointer to the vtable; it is set by the initialisation
577		* function. Other fields are not supposed to be accessed by user code.
578		*/
579		typedef struct {
580		/**
581		* \brief Pointer to vtable for this context.
582		*/
583		const br_hash_class *vtable;
584		#ifndef BR_DOXYGEN_IGNORE
585		unsigned char buf[64];
586		uint64_t count;
587		uint32_t val[8];
588		#endif
589		} br_sha224_context;
590
591		/**
592		* \brief SHA-224 context initialisation.
593		*
594		* This function initialises or resets a context for a new SHA-224
595		* computation. It also sets the vtable pointer.
596		*
597		* \param ctx pointer to the context structure.
598		*/
599		void br_sha224_init(br_sha224_context *ctx);
600
601		/**
602		* \brief Inject some data bytes in a running SHA-224 computation.
603		*
604		* The provided context is updated with some data bytes. If the number
605		* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
606		* and may be `NULL`, and this function does nothing.
607		*
608		* \param ctx pointer to the context structure.
609		* \param data pointer to the injected data.
610		* \param len injected data length (in bytes).
611		*/
612		void br_sha224_update(br_sha224_context ctx, const void data, size_t len);
613
614		/**
615		* \brief Compute SHA-224 output.
616		*
617		* The SHA-224 output for the concatenation of all bytes injected in the
618		* provided context since the last initialisation or reset call, is
619		* computed and written in the buffer pointed to by `out`. The context
620		* itself is not modified, so extra bytes may be injected afterwards
621		* to continue that computation.
622		*
623		* \param ctx pointer to the context structure.
624		* \param out destination buffer for the hash output.
625		*/
626		void br_sha224_out(const br_sha224_context ctx, void out);
627
628		/**
629		* \brief Save SHA-224 running state.
630		*
631		* The running state for SHA-224 (output of the last internal block
632		* processing) is written in the buffer pointed to by `out`. The
633		* number of bytes injected since the last initialisation or reset
634		* call is returned. The context is not modified.
635		*
636		* \param ctx pointer to the context structure.
637		* \param out destination buffer for the running state.
638		* \return the injected total byte length.
639		*/
640		uint64_t br_sha224_state(const br_sha224_context ctx, void out);
641
642		/**
643		* \brief Restore SHA-224 running state.
644		*
645		* The running state for SHA-224 is set to the provided values.
646		*
647		* \param ctx pointer to the context structure.
648		* \param stb source buffer for the running state.
649		* \param count the injected total byte length.
650		*/
651		void br_sha224_set_state(br_sha224_context *ctx,
652		const void *stb, uint64_t count);
653
654		/**
655		* \brief Symbolic identifier for SHA-256.
656		*/
657		#define br_sha256_ID 4
658
659		/**
660		* \brief SHA-256 output size (in bytes).
661		*/
662		#define br_sha256_SIZE 32
663
664		/**
665		* \brief Constant vtable for SHA-256.
666		*/
667		extern const br_hash_class br_sha256_vtable;
668
669		#ifdef BR_DOXYGEN_IGNORE
670		/**
671		* \brief SHA-256 context.
672		*
673		* First field is a pointer to the vtable; it is set by the initialisation
674		* function. Other fields are not supposed to be accessed by user code.
675		*/
676		typedef struct {
677		/**
678		* \brief Pointer to vtable for this context.
679		*/
680		const br_hash_class *vtable;
681		} br_sha256_context;
682		#else
683		typedef br_sha224_context br_sha256_context;
684		#endif
685
686		/**
687		* \brief SHA-256 context initialisation.
688		*
689		* This function initialises or resets a context for a new SHA-256
690		* computation. It also sets the vtable pointer.
691		*
692		* \param ctx pointer to the context structure.
693		*/
694		void br_sha256_init(br_sha256_context *ctx);
695
696		#ifdef BR_DOXYGEN_IGNORE
697		/**
698		* \brief Inject some data bytes in a running SHA-256 computation.
699		*
700		* The provided context is updated with some data bytes. If the number
701		* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
702		* and may be `NULL`, and this function does nothing.
703		*
704		* \param ctx pointer to the context structure.
705		* \param data pointer to the injected data.
706		* \param len injected data length (in bytes).
707		*/
708		void br_sha256_update(br_sha256_context ctx, const void data, size_t len);
709		#else
710		#define br_sha256_update br_sha224_update
711		#endif
712
713		/**
714		* \brief Compute SHA-256 output.
715		*
716		* The SHA-256 output for the concatenation of all bytes injected in the
717		* provided context since the last initialisation or reset call, is
718		* computed and written in the buffer pointed to by `out`. The context
719		* itself is not modified, so extra bytes may be injected afterwards
720		* to continue that computation.
721		*
722		* \param ctx pointer to the context structure.
723		* \param out destination buffer for the hash output.
724		*/
725		void br_sha256_out(const br_sha256_context ctx, void out);
726
727		#ifdef BR_DOXYGEN_IGNORE
728		/**
729		* \brief Save SHA-256 running state.
730		*
731		* The running state for SHA-256 (output of the last internal block
732		* processing) is written in the buffer pointed to by `out`. The
733		* number of bytes injected since the last initialisation or reset
734		* call is returned. The context is not modified.
735		*
736		* \param ctx pointer to the context structure.
737		* \param out destination buffer for the running state.
738		* \return the injected total byte length.
739		*/
740		uint64_t br_sha256_state(const br_sha256_context ctx, void out);
741		#else
742		#define br_sha256_state br_sha224_state
743		#endif
744
745		#ifdef BR_DOXYGEN_IGNORE
746		/**
747		* \brief Restore SHA-256 running state.
748		*
749		* The running state for SHA-256 is set to the provided values.
750		*
751		* \param ctx pointer to the context structure.
752		* \param stb source buffer for the running state.
753		* \param count the injected total byte length.
754		*/
755		void br_sha256_set_state(br_sha256_context *ctx,
756		const void *stb, uint64_t count);
757		#else
758		#define br_sha256_set_state br_sha224_set_state
759		#endif
760
761		/**
762		* \brief Symbolic identifier for SHA-384.
763		*/
764		#define br_sha384_ID 5
765
766		/**
767		* \brief SHA-384 output size (in bytes).
768		*/
769		#define br_sha384_SIZE 48
770
771		/**
772		* \brief Constant vtable for SHA-384.
773		*/
774		extern const br_hash_class br_sha384_vtable;
775
776		/**
777		* \brief SHA-384 context.
778		*
779		* First field is a pointer to the vtable; it is set by the initialisation
780		* function. Other fields are not supposed to be accessed by user code.
781		*/
782		typedef struct {
783		/**
784		* \brief Pointer to vtable for this context.
785		*/
786		const br_hash_class *vtable;
787		#ifndef BR_DOXYGEN_IGNORE
788		unsigned char buf[128];
789		uint64_t count;
790		uint64_t val[8];
791		#endif
792		} br_sha384_context;
793
794		/**
795		* \brief SHA-384 context initialisation.
796		*
797		* This function initialises or resets a context for a new SHA-384
798		* computation. It also sets the vtable pointer.
799		*
800		* \param ctx pointer to the context structure.
801		*/
802		void br_sha384_init(br_sha384_context *ctx);
803
804		/**
805		* \brief Inject some data bytes in a running SHA-384 computation.
806		*
807		* The provided context is updated with some data bytes. If the number
808		* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
809		* and may be `NULL`, and this function does nothing.
810		*
811		* \param ctx pointer to the context structure.
812		* \param data pointer to the injected data.
813		* \param len injected data length (in bytes).
814		*/
815		void br_sha384_update(br_sha384_context ctx, const void data, size_t len);
816
817		/**
818		* \brief Compute SHA-384 output.
819		*
820		* The SHA-384 output for the concatenation of all bytes injected in the
821		* provided context since the last initialisation or reset call, is
822		* computed and written in the buffer pointed to by `out`. The context
823		* itself is not modified, so extra bytes may be injected afterwards
824		* to continue that computation.
825		*
826		* \param ctx pointer to the context structure.
827		* \param out destination buffer for the hash output.
828		*/
829		void br_sha384_out(const br_sha384_context ctx, void out);
830
831		/**
832		* \brief Save SHA-384 running state.
833		*
834		* The running state for SHA-384 (output of the last internal block
835		* processing) is written in the buffer pointed to by `out`. The
836		* number of bytes injected since the last initialisation or reset
837		* call is returned. The context is not modified.
838		*
839		* \param ctx pointer to the context structure.
840		* \param out destination buffer for the running state.
841		* \return the injected total byte length.
842		*/
843		uint64_t br_sha384_state(const br_sha384_context ctx, void out);
844
845		/**
846		* \brief Restore SHA-384 running state.
847		*
848		* The running state for SHA-384 is set to the provided values.
849		*
850		* \param ctx pointer to the context structure.
851		* \param stb source buffer for the running state.
852		* \param count the injected total byte length.
853		*/
854		void br_sha384_set_state(br_sha384_context *ctx,
855		const void *stb, uint64_t count);
856
857		/**
858		* \brief Symbolic identifier for SHA-512.
859		*/
860		#define br_sha512_ID 6
861
862		/**
863		* \brief SHA-512 output size (in bytes).
864		*/
865		#define br_sha512_SIZE 64
866
867		/**
868		* \brief Constant vtable for SHA-512.
869		*/
870		extern const br_hash_class br_sha512_vtable;
871
872		#ifdef BR_DOXYGEN_IGNORE
873		/**
874		* \brief SHA-512 context.
875		*
876		* First field is a pointer to the vtable; it is set by the initialisation
877		* function. Other fields are not supposed to be accessed by user code.
878		*/
879		typedef struct {
880		/**
881		* \brief Pointer to vtable for this context.
882		*/
883		const br_hash_class *vtable;
884		} br_sha512_context;
885		#else
886		typedef br_sha384_context br_sha512_context;
887		#endif
888
889		/**
890		* \brief SHA-512 context initialisation.
891		*
892		* This function initialises or resets a context for a new SHA-512
893		* computation. It also sets the vtable pointer.
894		*
895		* \param ctx pointer to the context structure.
896		*/
897		void br_sha512_init(br_sha512_context *ctx);
898
899		#ifdef BR_DOXYGEN_IGNORE
900		/**
901		* \brief Inject some data bytes in a running SHA-512 computation.
902		*
903		* The provided context is updated with some data bytes. If the number
904		* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
905		* and may be `NULL`, and this function does nothing.
906		*
907		* \param ctx pointer to the context structure.
908		* \param data pointer to the injected data.
909		* \param len injected data length (in bytes).
910		*/
911		void br_sha512_update(br_sha512_context ctx, const void data, size_t len);
912		#else
913		#define br_sha512_update br_sha384_update
914		#endif
915
916		/**
917		* \brief Compute SHA-512 output.
918		*
919		* The SHA-512 output for the concatenation of all bytes injected in the
920		* provided context since the last initialisation or reset call, is
921		* computed and written in the buffer pointed to by `out`. The context
922		* itself is not modified, so extra bytes may be injected afterwards
923		* to continue that computation.
924		*
925		* \param ctx pointer to the context structure.
926		* \param out destination buffer for the hash output.
927		*/
928		void br_sha512_out(const br_sha512_context ctx, void out);
929
930		#ifdef BR_DOXYGEN_IGNORE
931		/**
932		* \brief Save SHA-512 running state.
933		*
934		* The running state for SHA-512 (output of the last internal block
935		* processing) is written in the buffer pointed to by `out`. The
936		* number of bytes injected since the last initialisation or reset
937		* call is returned. The context is not modified.
938		*
939		* \param ctx pointer to the context structure.
940		* \param out destination buffer for the running state.
941		* \return the injected total byte length.
942		*/
943		uint64_t br_sha512_state(const br_sha512_context ctx, void out);
944		#else
945		#define br_sha512_state br_sha384_state
946		#endif
947
948		#ifdef BR_DOXYGEN_IGNORE
949		/**
950		* \brief Restore SHA-512 running state.
951		*
952		* The running state for SHA-512 is set to the provided values.
953		*
954		* \param ctx pointer to the context structure.
955		* \param stb source buffer for the running state.
956		* \param count the injected total byte length.
957		*/
958		void br_sha512_set_state(br_sha512_context *ctx,
959		const void *stb, uint64_t count);
960		#else
961		#define br_sha512_set_state br_sha384_set_state
962		#endif
963
964		/*
965		* "md5sha1" is a special hash function that computes both MD5 and SHA-1
966		* on the same input, and produces a 36-byte output (MD5 and SHA-1
967		* concatenation, in that order). State size is also 36 bytes.
968		*/
969
970		/**
971		* \brief Symbolic identifier for MD5+SHA-1.
972		*
973		* MD5+SHA-1 is the concatenation of MD5 and SHA-1, computed over the
974		* same input. It is not one of the functions identified in TLS, so
975		* we give it a symbolic identifier of value 0.
976		*/
977		#define br_md5sha1_ID 0
978
979		/**
980		* \brief MD5+SHA-1 output size (in bytes).
981		*/
982		#define br_md5sha1_SIZE 36
983
984		/**
985		* \brief Constant vtable for MD5+SHA-1.
986		*/
987		extern const br_hash_class br_md5sha1_vtable;
988
989		/**
990		* \brief MD5+SHA-1 context.
991		*
992		* First field is a pointer to the vtable; it is set by the initialisation
993		* function. Other fields are not supposed to be accessed by user code.
994		*/
995		typedef struct {
996		/**
997		* \brief Pointer to vtable for this context.
998		*/
999		const br_hash_class *vtable;
1000		#ifndef BR_DOXYGEN_IGNORE
1001		unsigned char buf[64];
1002		uint64_t count;
1003		uint32_t val_md5[4];
1004		uint32_t val_sha1[5];
1005		#endif
1006		} br_md5sha1_context;
1007
1008		/**
1009		* \brief MD5+SHA-1 context initialisation.
1010		*
1011		* This function initialises or resets a context for a new SHA-512
1012		* computation. It also sets the vtable pointer.
1013		*
1014		* \param ctx pointer to the context structure.
1015		*/
1016		void br_md5sha1_init(br_md5sha1_context *ctx);
1017
1018		/**
1019		* \brief Inject some data bytes in a running MD5+SHA-1 computation.
1020		*
1021		* The provided context is updated with some data bytes. If the number
1022		* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
1023		* and may be `NULL`, and this function does nothing.
1024		*
1025		* \param ctx pointer to the context structure.
1026		* \param data pointer to the injected data.
1027		* \param len injected data length (in bytes).
1028		*/
1029		void br_md5sha1_update(br_md5sha1_context ctx, const void data, size_t len);
1030
1031		/**
1032		* \brief Compute MD5+SHA-1 output.
1033		*
1034		* The MD5+SHA-1 output for the concatenation of all bytes injected in the
1035		* provided context since the last initialisation or reset call, is
1036		* computed and written in the buffer pointed to by `out`. The context
1037		* itself is not modified, so extra bytes may be injected afterwards
1038		* to continue that computation.
1039		*
1040		* \param ctx pointer to the context structure.
1041		* \param out destination buffer for the hash output.
1042		*/
1043		void br_md5sha1_out(const br_md5sha1_context ctx, void out);
1044
1045		/**
1046		* \brief Save MD5+SHA-1 running state.
1047		*
1048		* The running state for MD5+SHA-1 (output of the last internal block
1049		* processing) is written in the buffer pointed to by `out`. The
1050		* number of bytes injected since the last initialisation or reset
1051		* call is returned. The context is not modified.
1052		*
1053		* \param ctx pointer to the context structure.
1054		* \param out destination buffer for the running state.
1055		* \return the injected total byte length.
1056		*/
1057		uint64_t br_md5sha1_state(const br_md5sha1_context ctx, void out);
1058
1059		/**
1060		* \brief Restore MD5+SHA-1 running state.
1061		*
1062		* The running state for MD5+SHA-1 is set to the provided values.
1063		*
1064		* \param ctx pointer to the context structure.
1065		* \param stb source buffer for the running state.
1066		* \param count the injected total byte length.
1067		*/
1068		void br_md5sha1_set_state(br_md5sha1_context *ctx,
1069		const void *stb, uint64_t count);
1070
1071		/**
1072		* \brief Aggregate context for configurable hash function support.
1073		*
1074		* The `br_hash_compat_context` type is a type which is large enough to
1075		* serve as context for all standard hash functions defined above.
1076		*/
1077		typedef union {
1078		const br_hash_class *vtable;
1079		br_md5_context md5;
1080		br_sha1_context sha1;
1081		br_sha224_context sha224;
1082		br_sha256_context sha256;
1083		br_sha384_context sha384;
1084		br_sha512_context sha512;
1085		br_md5sha1_context md5sha1;
1086		} br_hash_compat_context;
1087
1088		/*
1089		* The multi-hasher is a construct that handles hashing of the same input
1090		* data with several hash functions, with a single shared input buffer.
1091		* It can handle MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512
1092		* simultaneously, though which functions are activated depends on
1093		* the set implementation pointers.
1094		*/
1095
1096		/**
1097		* \brief Multi-hasher context structure.
1098		*
1099		* The multi-hasher runs up to six hash functions in the standard TLS list
1100		* (MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512) in parallel, over
1101		* the same input.
1102		*
1103		* The multi-hasher does _not_ follow the OOP structure with a vtable.
1104		* Instead, it is configured with the vtables of the hash functions it
1105		* should run. Structure fields are not supposed to be accessed directly.
1106		*/
1107		typedef struct {
1108		#ifndef BR_DOXYGEN_IGNORE
1109		unsigned char buf[128];
1110		uint64_t count;
1111		uint32_t val_32[25];
1112		uint64_t val_64[16];
1113		const br_hash_class *impl[6];
1114		#endif
1115		} br_multihash_context;
1116
1117		/**
1118		* \brief Clear a multi-hasher context.
1119		*
1120		* This should always be called once on a given context, _before_ setting
1121		* the implementation pointers.
1122		*
1123		* \param ctx the multi-hasher context.
1124		*/
1125		void br_multihash_zero(br_multihash_context *ctx);
1126
1127		/**
1128		* \brief Set a hash function implementation.
1129		*
1130		* Implementations shall be set _after_ clearing the context (with
1131		* `br_multihash_zero()`) but _before_ initialising the computation
1132		* (with `br_multihash_init()`). The hash function implementation
1133		* MUST be one of the standard hash functions (MD5, SHA-1, SHA-224,
1134		* SHA-256, SHA-384 or SHA-512); it may also be `NULL` to remove
1135		* an implementation from the multi-hasher.
1136		*
1137		* \param ctx the multi-hasher context.
1138		* \param id the hash function symbolic identifier.
1139		* \param impl the hash function vtable, or `NULL`.
1140		*/
1141		static inline void
1142	0	br_multihash_setimpl(br_multihash_context *ctx,
1143		int id, const br_hash_class *impl)
1144		{
1145		/*
1146		* This code relies on hash functions ID being values 1 to 6,
1147		* in the MD5 to SHA-512 order.
1148		*/
1149	0	ctx->impl[id - 1] = impl;
1150	0	}
1151
1152		/**
1153		* \brief Get a hash function implementation.
1154		*
1155		* This function returns the currently configured vtable for a given
1156		* hash function (by symbolic ID). If no such function was configured in
1157		* the provided multi-hasher context, then this function returns `NULL`.
1158		*
1159		* \param ctx the multi-hasher context.
1160		* \param id the hash function symbolic identifier.
1161		* \return the hash function vtable, or `NULL`.
1162		*/
1163		static inline const br_hash_class *
1164		br_multihash_getimpl(const br_multihash_context *ctx, int id)
1165		{
1166		return ctx->impl[id - 1];
1167		}
1168
1169		/**
1170		* \brief Reset a multi-hasher context.
1171		*
1172		* This function prepares the context for a new hashing computation,
1173		* for all implementations configured at that point.
1174		*
1175		* \param ctx the multi-hasher context.
1176		*/
1177		void br_multihash_init(br_multihash_context *ctx);
1178
1179		/**
1180		* \brief Inject some data bytes in a running multi-hashing computation.
1181		*
1182		* The provided context is updated with some data bytes. If the number
1183		* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
1184		* and may be `NULL`, and this function does nothing.
1185		*
1186		* \param ctx pointer to the context structure.
1187		* \param data pointer to the injected data.
1188		* \param len injected data length (in bytes).
1189		*/
1190		void br_multihash_update(br_multihash_context *ctx,
1191		const void *data, size_t len);
1192
1193		/**
1194		* \brief Compute a hash output from a multi-hasher.
1195		*
1196		* The hash output for the concatenation of all bytes injected in the
1197		* provided context since the last initialisation or reset call, is
1198		* computed and written in the buffer pointed to by `dst`. The hash
1199		* function to use is identified by `id` and must be one of the standard
1200		* hash functions. If that hash function was indeed configured in the
1201		* multi-hasher context, the corresponding hash value is written in
1202		* `dst` and its length (in bytes) is returned. If the hash function
1203		* was _not_ configured, then nothing is written in `dst` and 0 is
1204		* returned.
1205		*
1206		* The context itself is not modified, so extra bytes may be injected
1207		* afterwards to continue the hash computations.
1208		*
1209		* \param ctx pointer to the context structure.
1210		* \param id the hash function symbolic identifier.
1211		* \param dst destination buffer for the hash output.
1212		* \return the hash output length (in bytes), or 0.
1213		*/
1214		size_t br_multihash_out(const br_multihash_context ctx, int id, void dst);
1215
1216		/**
1217		* \brief Type for a GHASH implementation.
1218		*
1219		* GHASH is a sort of keyed hash meant to be used to implement GCM in
1220		* combination with a block cipher (with 16-byte blocks).
1221		*
1222		* The `y` array has length 16 bytes and is used for input and output; in
1223		* a complete GHASH run, it starts with an all-zero value. `h` is a 16-byte
1224		* value that serves as key (it is derived from the encryption key in GCM,
1225		* using the block cipher). The data length (`len`) is expressed in bytes.
1226		* The `y` array is updated.
1227		*
1228		* If the data length is not a multiple of 16, then the data is implicitly
1229		* padded with zeros up to the next multiple of 16. Thus, when using GHASH
1230		* in GCM, this method may be called twice, for the associated data and
1231		* for the ciphertext, respectively; the zero-padding implements exactly
1232		* the GCM rules.
1233		*
1234		* \param y the array to update.
1235		* \param h the GHASH key.
1236		* \param data the input data (may be `NULL` if `len` is zero).
1237		* \param len the input data length (in bytes).
1238		*/
1239		typedef void (br_ghash)(void y, const void h, const void data, size_t len);
1240
1241		/**
1242		* \brief GHASH implementation using multiplications (mixed 32-bit).
1243		*
1244		* This implementation uses multiplications of 32-bit values, with a
1245		* 64-bit result. It is constant-time (if multiplications are
1246		* constant-time).
1247		*
1248		* \param y the array to update.
1249		* \param h the GHASH key.
1250		* \param data the input data (may be `NULL` if `len` is zero).
1251		* \param len the input data length (in bytes).
1252		*/
1253		void br_ghash_ctmul(void y, const void h, const void *data, size_t len);
1254
1255		/**
1256		* \brief GHASH implementation using multiplications (strict 32-bit).
1257		*
1258		* This implementation uses multiplications of 32-bit values, with a
1259		* 32-bit result. It is usually somewhat slower than `br_ghash_ctmul()`,
1260		* but it is expected to be faster on architectures for which the
1261		* 32-bit multiplication opcode does not yield the upper 32 bits of the
1262		* product. It is constant-time (if multiplications are constant-time).
1263		*
1264		* \param y the array to update.
1265		* \param h the GHASH key.
1266		* \param data the input data (may be `NULL` if `len` is zero).
1267		* \param len the input data length (in bytes).
1268		*/
1269		void br_ghash_ctmul32(void y, const void h, const void *data, size_t len);
1270
1271		/**
1272		* \brief GHASH implementation using multiplications (64-bit).
1273		*
1274		* This implementation uses multiplications of 64-bit values, with a
1275		* 64-bit result. It is constant-time (if multiplications are
1276		* constant-time). It is substantially faster than `br_ghash_ctmul()`
1277		* and `br_ghash_ctmul32()` on most 64-bit architectures.
1278		*
1279		* \param y the array to update.
1280		* \param h the GHASH key.
1281		* \param data the input data (may be `NULL` if `len` is zero).
1282		* \param len the input data length (in bytes).
1283		*/
1284		void br_ghash_ctmul64(void y, const void h, const void *data, size_t len);
1285
1286		/**
1287		* \brief GHASH implementation using the `pclmulqdq` opcode (part of the
1288		* AES-NI instructions).
1289		*
1290		* This implementation is available only on x86 platforms where the
1291		* compiler supports the relevant intrinsic functions. Even if the
1292		* compiler supports these functions, the local CPU might not support
1293		* the `pclmulqdq` opcode, meaning that a call will fail with an
1294		* illegal instruction exception. To safely obtain a pointer to this
1295		* function when supported (or 0 otherwise), use `br_ghash_pclmul_get()`.
1296		*
1297		* \param y the array to update.
1298		* \param h the GHASH key.
1299		* \param data the input data (may be `NULL` if `len` is zero).
1300		* \param len the input data length (in bytes).
1301		*/
1302		void br_ghash_pclmul(void y, const void h, const void *data, size_t len);
1303
1304		/**
1305		* \brief Obtain the `pclmul` GHASH implementation, if available.
1306		*
1307		* If the `pclmul` implementation was compiled in the library (depending
1308		* on the compiler abilities) _and_ the local CPU appears to support the
1309		* opcode, then this function will return a pointer to the
1310		* `br_ghash_pclmul()` function. Otherwise, it will return `0`.
1311		*
1312		* \return the `pclmul` GHASH implementation, or `0`.
1313		*/
1314		br_ghash br_ghash_pclmul_get(void);
1315
1316		/**
1317		* \brief GHASH implementation using the POWER8 opcodes.
1318		*
1319		* This implementation is available only on POWER8 platforms (and later).
1320		* To safely obtain a pointer to this function when supported (or 0
1321		* otherwise), use `br_ghash_pwr8_get()`.
1322		*
1323		* \param y the array to update.
1324		* \param h the GHASH key.
1325		* \param data the input data (may be `NULL` if `len` is zero).
1326		* \param len the input data length (in bytes).
1327		*/
1328		void br_ghash_pwr8(void y, const void h, const void *data, size_t len);
1329
1330		/**
1331		* \brief Obtain the `pwr8` GHASH implementation, if available.
1332		*
1333		* If the `pwr8` implementation was compiled in the library (depending
1334		* on the compiler abilities) _and_ the local CPU appears to support the
1335		* opcode, then this function will return a pointer to the
1336		* `br_ghash_pwr8()` function. Otherwise, it will return `0`.
1337		*
1338		* \return the `pwr8` GHASH implementation, or `0`.
1339		*/
1340		br_ghash br_ghash_pwr8_get(void);
1341
1342		#ifdef __cplusplus
1343		}
1344		#endif
1345
1346		#endif