1
0
mirror of https://github.com/esp8266/Arduino.git synced 2025-10-24 07:13:45 +03:00
Files
esp8266/tools/sdk/include/bearssl/bearssl_hash.h
Earle F. Philhower, III f6dd826437 Fix MFLN probe and allow returning whether MFLN succeeded or not after a connection. (#6000)
Fixes #5996

* Add extensions to probe message for EC, others

probeMFLN was failing on some connection attempts to servers which only
supported EC based ciphers because it did not include the proper TLS
handshake extensions to list what kinds of ECs it supported.

Add those to the probeMFLN ClientHello message to make probes pass.

* Add client.getMFLNStatus method, returns MFLN state

After a connection it is useful to check whether MFLN negotiation
succeeded.  getMFLNStatus returns a bool (valid only after
client.connect() succeeds, of course) indicating whether the requested
buffer sizes were negotiated successfully.
2019-04-25 12:40:26 -07:00

1347 lines
44 KiB
C

/*
* Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef BR_BEARSSL_HASH_H__
#define BR_BEARSSL_HASH_H__
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef __cplusplus
extern "C" {
#endif
/** \file bearssl_hash.h
*
* # Hash Functions
*
* This file documents the API for hash functions.
*
*
* ## Procedural API
*
* For each implemented hash function, of name "`xxx`", the following
* elements are defined:
*
* - `br_xxx_vtable`
*
* An externally defined instance of `br_hash_class`.
*
* - `br_xxx_SIZE`
*
* A macro that evaluates to the output size (in bytes) of the
* hash function.
*
* - `br_xxx_ID`
*
* A macro that evaluates to a symbolic identifier for the hash
* function. Such identifiers are used with HMAC and signature
* algorithm implementations.
*
* NOTE: for the "standard" hash functions defined in [the TLS
* standard](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1),
* the symbolic identifiers match the constants used in TLS, i.e.
* 1 to 6 for MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512,
* respectively.
*
* - `br_xxx_context`
*
* Context for an ongoing computation. It is allocated by the
* caller, and a pointer to it is passed to all functions. A
* context contains no interior pointer, so it can be moved around
* and cloned (with a simple `memcpy()` or equivalent) in order to
* capture the function state at some point. Computations that use
* distinct context structures are independent of each other. The
* first field of `br_xxx_context` is always a pointer to the
* `br_xxx_vtable` structure; `br_xxx_init()` sets that pointer.
*
* - `br_xxx_init(br_xxx_context *ctx)`
*
* Initialise the provided context. Previous contents of the structure
* are ignored. This calls resets the context to the start of a new
* hash computation; it also sets the first field of the context
* structure (called `vtable`) to a pointer to the statically
* allocated constant `br_xxx_vtable` structure.
*
* - `br_xxx_update(br_xxx_context *ctx, const void *data, size_t len)`
*
* Add some more bytes to the hash computation represented by the
* provided context.
*
* - `br_xxx_out(const br_xxx_context *ctx, void *out)`
*
* Complete the hash computation and write the result in the provided
* buffer. The output buffer MUST be large enough to accommodate the
* result. The context is NOT modified by this operation, so this
* function can be used to get a "partial hash" while still keeping
* the possibility of adding more bytes to the input.
*
* - `br_xxx_state(const br_xxx_context *ctx, void *out)`
*
* Get a copy of the "current state" for the computation so far. For
* MD functions (MD5, SHA-1, SHA-2 family), this is the running state
* resulting from the processing of the last complete input block.
* Returned value is the current input length (in bytes).
*
* - `br_xxx_set_state(br_xxx_context *ctx, const void *stb, uint64_t count)`
*
* Set the internal state to the provided values. The 'stb' and
* 'count' values shall match that which was obtained from
* `br_xxx_state()`. This restores the hash state only if the state
* values were at an appropriate block boundary. This does NOT set
* the `vtable` pointer in the context.
*
* Context structures can be discarded without any explicit deallocation.
* Hash function implementations are purely software and don't reserve
* any resources outside of the context structure itself.
*
*
* ## Object-Oriented API
*
* For each hash function that follows the procedural API described
* above, an object-oriented API is also provided. In that API, function
* pointers from the vtable (`br_xxx_vtable`) are used. The vtable
* incarnates object-oriented programming. An introduction on the OOP
* concept used here can be read on the BearSSL Web site:<br />
* &nbsp;&nbsp;&nbsp;[https://www.bearssl.org/oop.html](https://www.bearssl.org/oop.html)
*
* The vtable offers functions called `init()`, `update()`, `out()`,
* `set()` and `set_state()`, which are in fact the functions from
* the procedural API. That vtable also contains two informative fields:
*
* - `context_size`
*
* The size of the context structure (`br_xxx_context`), in bytes.
* This can be used by generic implementations to perform dynamic
* context allocation.
*
* - `desc`
*
* A "descriptor" field that encodes some information on the hash
* function: symbolic identifier, output size, state size,
* internal block size, details on the padding.
*
* Users of this object-oriented API (in particular generic HMAC
* implementations) may make the following assumptions:
*
* - Hash output size is no more than 64 bytes.
* - Hash internal state size is no more than 64 bytes.
* - Internal block size is a power of two, no less than 16 and no more
* than 256.
*
*
* ## Implemented Hash Functions
*
* Implemented hash functions are:
*
* | Function | Name | Output length | State length |
* | :-------- | :------ | :-----------: | :----------: |
* | MD5 | md5 | 16 | 16 |
* | SHA-1 | sha1 | 20 | 20 |
* | SHA-224 | sha224 | 28 | 32 |
* | SHA-256 | sha256 | 32 | 32 |
* | SHA-384 | sha384 | 48 | 64 |
* | SHA-512 | sha512 | 64 | 64 |
* | MD5+SHA-1 | md5sha1 | 36 | 36 |
*
* (MD5+SHA-1 is the concatenation of MD5 and SHA-1 computed over the
* same input; in the implementation, the internal data buffer is
* shared, thus making it more memory-efficient than separate MD5 and
* SHA-1. It can be useful in implementing SSL 3.0, TLS 1.0 and TLS
* 1.1.)
*
*
* ## Multi-Hasher
*
* An aggregate hasher is provided, that can compute several standard
* hash functions in parallel. It uses `br_multihash_context` and a
* procedural API. It is configured with the implementations (the vtables)
* that it should use; it will then compute all these hash functions in
* parallel, on the same input. It is meant to be used in cases when the
* hash of an object will be used, but the exact hash function is not
* known yet (typically, streamed processing on X.509 certificates).
*
* Only the standard hash functions (MD5, SHA-1, SHA-224, SHA-256, SHA-384
* and SHA-512) are supported by the multi-hasher.
*
*
* ## GHASH
*
* GHASH is not a generic hash function; it is a _universal_ hash function,
* which, as the name does not say, means that it CANNOT be used in most
* places where a hash function is needed. GHASH is used within the GCM
* encryption mode, to provide the checked integrity functionality.
*
* A GHASH implementation is basically a function that uses the type defined
* in this file under the name `br_ghash`:
*
* typedef void (*br_ghash)(void *y, const void *h, const void *data, size_t len);
*
* The `y` pointer refers to a 16-byte value which is used as input, and
* receives the output of the GHASH invocation. `h` is a 16-byte secret
* value (that serves as key). `data` and `len` define the input data.
*
* Three GHASH implementations are provided, all constant-time, based on
* the use of integer multiplications with appropriate masking to cancel
* carry propagation.
*/
/**
* \brief Class type for hash function implementations.
*
* A `br_hash_class` instance references the methods implementing a hash
* function. Constant instances of this structure are defined for each
* implemented hash function. Such instances are also called "vtables".
*
* Vtables are used to support object-oriented programming, as
* described on [the BearSSL Web site](https://www.bearssl.org/oop.html).
*/
typedef struct br_hash_class_ br_hash_class;
struct br_hash_class_ {
/**
* \brief Size (in bytes) of the context structure appropriate for
* computing this hash function.
*/
size_t context_size;
/**
* \brief Descriptor word that contains information about the hash
* function.
*
* For each word `xxx` described below, use `BR_HASHDESC_xxx_OFF`
* and `BR_HASHDESC_xxx_MASK` to access the specific value, as
* follows:
*
* (hf->desc >> BR_HASHDESC_xxx_OFF) & BR_HASHDESC_xxx_MASK
*
* The defined elements are:
*
* - `ID`: the symbolic identifier for the function, as defined
* in [TLS](https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1)
* (MD5 = 1, SHA-1 = 2,...).
*
* - `OUT`: hash output size, in bytes.
*
* - `STATE`: internal running state size, in bytes.
*
* - `LBLEN`: base-2 logarithm for the internal block size, as
* defined for HMAC processing (this is 6 for MD5, SHA-1, SHA-224
* and SHA-256, since these functions use 64-byte blocks; for
* SHA-384 and SHA-512, this is 7, corresponding to their
* 128-byte blocks).
*
* The descriptor may contain a few other flags.
*/
uint32_t desc;
/**
* \brief Initialisation method.
*
* This method takes as parameter a pointer to a context area,
* that it initialises. The first field of the context is set
* to this vtable; other elements are initialised for a new hash
* computation.
*
* \param ctx pointer to (the first field of) the context.
*/
void (*init)(const br_hash_class **ctx);
/**
* \brief Data injection method.
*
* The `len` bytes starting at address `data` are injected into
* the running hash computation incarnated by the specified
* context. The context is updated accordingly. It is allowed
* to have `len == 0`, in which case `data` is ignored (and could
* be `NULL`), and nothing happens.
* on the input data.
*
* \param ctx pointer to (the first field of) the context.
* \param data pointer to the first data byte to inject.
* \param len number of bytes to inject.
*/
void (*update)(const br_hash_class **ctx, const void *data, size_t len);
/**
* \brief Produce hash output.
*
* The hash output corresponding to all data bytes injected in the
* context since the last `init()` call is computed, and written
* in the buffer pointed to by `dst`. The hash output size depends
* on the implemented hash function (e.g. 16 bytes for MD5).
* The context is _not_ modified by this call, so further bytes
* may be afterwards injected to continue the current computation.
*
* \param ctx pointer to (the first field of) the context.
* \param dst destination buffer for the hash output.
*/
void (*out)(const br_hash_class *const *ctx, void *dst);
/**
* \brief Get running state.
*
* This method saves the current running state into the `dst`
* buffer. What constitutes the "running state" depends on the
* hash function; for Merkle-Damgård hash functions (like
* MD5 or SHA-1), this is the output obtained after processing
* each block. The number of bytes injected so far is returned.
* The context is not modified by this call.
*
* \param ctx pointer to (the first field of) the context.
* \param dst destination buffer for the state.
* \return the injected total byte length.
*/
uint64_t (*state)(const br_hash_class *const *ctx, void *dst);
/**
* \brief Set running state.
*
* This methods replaces the running state for the function.
*
* \param ctx pointer to (the first field of) the context.
* \param stb source buffer for the state.
* \param count injected total byte length.
*/
void (*set_state)(const br_hash_class **ctx,
const void *stb, uint64_t count);
};
#ifndef BR_DOXYGEN_IGNORE
#define BR_HASHDESC_ID(id) ((uint32_t)(id) << BR_HASHDESC_ID_OFF)
#define BR_HASHDESC_ID_OFF 0
#define BR_HASHDESC_ID_MASK 0xFF
#define BR_HASHDESC_OUT(size) ((uint32_t)(size) << BR_HASHDESC_OUT_OFF)
#define BR_HASHDESC_OUT_OFF 8
#define BR_HASHDESC_OUT_MASK 0x7F
#define BR_HASHDESC_STATE(size) ((uint32_t)(size) << BR_HASHDESC_STATE_OFF)
#define BR_HASHDESC_STATE_OFF 15
#define BR_HASHDESC_STATE_MASK 0xFF
#define BR_HASHDESC_LBLEN(ls) ((uint32_t)(ls) << BR_HASHDESC_LBLEN_OFF)
#define BR_HASHDESC_LBLEN_OFF 23
#define BR_HASHDESC_LBLEN_MASK 0x0F
#define BR_HASHDESC_MD_PADDING ((uint32_t)1 << 28)
#define BR_HASHDESC_MD_PADDING_128 ((uint32_t)1 << 29)
#define BR_HASHDESC_MD_PADDING_BE ((uint32_t)1 << 30)
#endif
/*
* Specific hash functions.
*
* Rules for contexts:
* -- No interior pointer.
* -- No pointer to external dynamically allocated resources.
* -- First field is called 'vtable' and is a pointer to a
* const-qualified br_hash_class instance (pointer is set by init()).
* -- SHA-224 and SHA-256 contexts are identical.
* -- SHA-384 and SHA-512 contexts are identical.
*
* Thus, contexts can be moved and cloned to capture the hash function
* current state; and there is no need for any explicit "release" function.
*/
/**
* \brief Symbolic identifier for MD5.
*/
#define br_md5_ID 1
/**
* \brief MD5 output size (in bytes).
*/
#define br_md5_SIZE 16
/**
* \brief Constant vtable for MD5.
*/
extern const br_hash_class br_md5_vtable;
/**
* \brief MD5 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[64];
uint64_t count;
uint32_t val[4];
#endif
} br_md5_context;
/**
* \brief MD5 context initialisation.
*
* This function initialises or resets a context for a new MD5
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_md5_init(br_md5_context *ctx);
/**
* \brief Inject some data bytes in a running MD5 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_md5_update(br_md5_context *ctx, const void *data, size_t len);
/**
* \brief Compute MD5 output.
*
* The MD5 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_md5_out(const br_md5_context *ctx, void *out);
/**
* \brief Save MD5 running state.
*
* The running state for MD5 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_md5_state(const br_md5_context *ctx, void *out);
/**
* \brief Restore MD5 running state.
*
* The running state for MD5 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_md5_set_state(br_md5_context *ctx, const void *stb, uint64_t count);
/**
* \brief Symbolic identifier for SHA-1.
*/
#define br_sha1_ID 2
/**
* \brief SHA-1 output size (in bytes).
*/
#define br_sha1_SIZE 20
/**
* \brief Constant vtable for SHA-1.
*/
extern const br_hash_class br_sha1_vtable;
/**
* \brief SHA-1 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[64];
uint64_t count;
uint32_t val[5];
#endif
} br_sha1_context;
/**
* \brief SHA-1 context initialisation.
*
* This function initialises or resets a context for a new SHA-1
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_sha1_init(br_sha1_context *ctx);
/**
* \brief Inject some data bytes in a running SHA-1 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_sha1_update(br_sha1_context *ctx, const void *data, size_t len);
/**
* \brief Compute SHA-1 output.
*
* The SHA-1 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_sha1_out(const br_sha1_context *ctx, void *out);
/**
* \brief Save SHA-1 running state.
*
* The running state for SHA-1 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_sha1_state(const br_sha1_context *ctx, void *out);
/**
* \brief Restore SHA-1 running state.
*
* The running state for SHA-1 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_sha1_set_state(br_sha1_context *ctx, const void *stb, uint64_t count);
/**
* \brief Symbolic identifier for SHA-224.
*/
#define br_sha224_ID 3
/**
* \brief SHA-224 output size (in bytes).
*/
#define br_sha224_SIZE 28
/**
* \brief Constant vtable for SHA-224.
*/
extern const br_hash_class br_sha224_vtable;
/**
* \brief SHA-224 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[64];
uint64_t count;
uint32_t val[8];
#endif
} br_sha224_context;
/**
* \brief SHA-224 context initialisation.
*
* This function initialises or resets a context for a new SHA-224
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_sha224_init(br_sha224_context *ctx);
/**
* \brief Inject some data bytes in a running SHA-224 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_sha224_update(br_sha224_context *ctx, const void *data, size_t len);
/**
* \brief Compute SHA-224 output.
*
* The SHA-224 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_sha224_out(const br_sha224_context *ctx, void *out);
/**
* \brief Save SHA-224 running state.
*
* The running state for SHA-224 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_sha224_state(const br_sha224_context *ctx, void *out);
/**
* \brief Restore SHA-224 running state.
*
* The running state for SHA-224 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_sha224_set_state(br_sha224_context *ctx,
const void *stb, uint64_t count);
/**
* \brief Symbolic identifier for SHA-256.
*/
#define br_sha256_ID 4
/**
* \brief SHA-256 output size (in bytes).
*/
#define br_sha256_SIZE 32
/**
* \brief Constant vtable for SHA-256.
*/
extern const br_hash_class br_sha256_vtable;
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief SHA-256 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
} br_sha256_context;
#else
typedef br_sha224_context br_sha256_context;
#endif
/**
* \brief SHA-256 context initialisation.
*
* This function initialises or resets a context for a new SHA-256
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_sha256_init(br_sha256_context *ctx);
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Inject some data bytes in a running SHA-256 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_sha256_update(br_sha256_context *ctx, const void *data, size_t len);
#else
#define br_sha256_update br_sha224_update
#endif
/**
* \brief Compute SHA-256 output.
*
* The SHA-256 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_sha256_out(const br_sha256_context *ctx, void *out);
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Save SHA-256 running state.
*
* The running state for SHA-256 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_sha256_state(const br_sha256_context *ctx, void *out);
#else
#define br_sha256_state br_sha224_state
#endif
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Restore SHA-256 running state.
*
* The running state for SHA-256 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_sha256_set_state(br_sha256_context *ctx,
const void *stb, uint64_t count);
#else
#define br_sha256_set_state br_sha224_set_state
#endif
/**
* \brief Symbolic identifier for SHA-384.
*/
#define br_sha384_ID 5
/**
* \brief SHA-384 output size (in bytes).
*/
#define br_sha384_SIZE 48
/**
* \brief Constant vtable for SHA-384.
*/
extern const br_hash_class br_sha384_vtable;
/**
* \brief SHA-384 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[128];
uint64_t count;
uint64_t val[8];
#endif
} br_sha384_context;
/**
* \brief SHA-384 context initialisation.
*
* This function initialises or resets a context for a new SHA-384
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_sha384_init(br_sha384_context *ctx);
/**
* \brief Inject some data bytes in a running SHA-384 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_sha384_update(br_sha384_context *ctx, const void *data, size_t len);
/**
* \brief Compute SHA-384 output.
*
* The SHA-384 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_sha384_out(const br_sha384_context *ctx, void *out);
/**
* \brief Save SHA-384 running state.
*
* The running state for SHA-384 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_sha384_state(const br_sha384_context *ctx, void *out);
/**
* \brief Restore SHA-384 running state.
*
* The running state for SHA-384 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_sha384_set_state(br_sha384_context *ctx,
const void *stb, uint64_t count);
/**
* \brief Symbolic identifier for SHA-512.
*/
#define br_sha512_ID 6
/**
* \brief SHA-512 output size (in bytes).
*/
#define br_sha512_SIZE 64
/**
* \brief Constant vtable for SHA-512.
*/
extern const br_hash_class br_sha512_vtable;
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief SHA-512 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
} br_sha512_context;
#else
typedef br_sha384_context br_sha512_context;
#endif
/**
* \brief SHA-512 context initialisation.
*
* This function initialises or resets a context for a new SHA-512
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_sha512_init(br_sha512_context *ctx);
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Inject some data bytes in a running SHA-512 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_sha512_update(br_sha512_context *ctx, const void *data, size_t len);
#else
#define br_sha512_update br_sha384_update
#endif
/**
* \brief Compute SHA-512 output.
*
* The SHA-512 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_sha512_out(const br_sha512_context *ctx, void *out);
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Save SHA-512 running state.
*
* The running state for SHA-512 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_sha512_state(const br_sha512_context *ctx, void *out);
#else
#define br_sha512_state br_sha384_state
#endif
#ifdef BR_DOXYGEN_IGNORE
/**
* \brief Restore SHA-512 running state.
*
* The running state for SHA-512 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_sha512_set_state(br_sha512_context *ctx,
const void *stb, uint64_t count);
#else
#define br_sha512_set_state br_sha384_set_state
#endif
/*
* "md5sha1" is a special hash function that computes both MD5 and SHA-1
* on the same input, and produces a 36-byte output (MD5 and SHA-1
* concatenation, in that order). State size is also 36 bytes.
*/
/**
* \brief Symbolic identifier for MD5+SHA-1.
*
* MD5+SHA-1 is the concatenation of MD5 and SHA-1, computed over the
* same input. It is not one of the functions identified in TLS, so
* we give it a symbolic identifier of value 0.
*/
#define br_md5sha1_ID 0
/**
* \brief MD5+SHA-1 output size (in bytes).
*/
#define br_md5sha1_SIZE 36
/**
* \brief Constant vtable for MD5+SHA-1.
*/
extern const br_hash_class br_md5sha1_vtable;
/**
* \brief MD5+SHA-1 context.
*
* First field is a pointer to the vtable; it is set by the initialisation
* function. Other fields are not supposed to be accessed by user code.
*/
typedef struct {
/**
* \brief Pointer to vtable for this context.
*/
const br_hash_class *vtable;
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[64];
uint64_t count;
uint32_t val_md5[4];
uint32_t val_sha1[5];
#endif
} br_md5sha1_context;
/**
* \brief MD5+SHA-1 context initialisation.
*
* This function initialises or resets a context for a new SHA-512
* computation. It also sets the vtable pointer.
*
* \param ctx pointer to the context structure.
*/
void br_md5sha1_init(br_md5sha1_context *ctx);
/**
* \brief Inject some data bytes in a running MD5+SHA-1 computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_md5sha1_update(br_md5sha1_context *ctx, const void *data, size_t len);
/**
* \brief Compute MD5+SHA-1 output.
*
* The MD5+SHA-1 output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `out`. The context
* itself is not modified, so extra bytes may be injected afterwards
* to continue that computation.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the hash output.
*/
void br_md5sha1_out(const br_md5sha1_context *ctx, void *out);
/**
* \brief Save MD5+SHA-1 running state.
*
* The running state for MD5+SHA-1 (output of the last internal block
* processing) is written in the buffer pointed to by `out`. The
* number of bytes injected since the last initialisation or reset
* call is returned. The context is not modified.
*
* \param ctx pointer to the context structure.
* \param out destination buffer for the running state.
* \return the injected total byte length.
*/
uint64_t br_md5sha1_state(const br_md5sha1_context *ctx, void *out);
/**
* \brief Restore MD5+SHA-1 running state.
*
* The running state for MD5+SHA-1 is set to the provided values.
*
* \param ctx pointer to the context structure.
* \param stb source buffer for the running state.
* \param count the injected total byte length.
*/
void br_md5sha1_set_state(br_md5sha1_context *ctx,
const void *stb, uint64_t count);
/**
* \brief Aggregate context for configurable hash function support.
*
* The `br_hash_compat_context` type is a type which is large enough to
* serve as context for all standard hash functions defined above.
*/
typedef union {
const br_hash_class *vtable;
br_md5_context md5;
br_sha1_context sha1;
br_sha224_context sha224;
br_sha256_context sha256;
br_sha384_context sha384;
br_sha512_context sha512;
br_md5sha1_context md5sha1;
} br_hash_compat_context;
/*
* The multi-hasher is a construct that handles hashing of the same input
* data with several hash functions, with a single shared input buffer.
* It can handle MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512
* simultaneously, though which functions are activated depends on
* the set implementation pointers.
*/
/**
* \brief Multi-hasher context structure.
*
* The multi-hasher runs up to six hash functions in the standard TLS list
* (MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512) in parallel, over
* the same input.
*
* The multi-hasher does _not_ follow the OOP structure with a vtable.
* Instead, it is configured with the vtables of the hash functions it
* should run. Structure fields are not supposed to be accessed directly.
*/
typedef struct {
#ifndef BR_DOXYGEN_IGNORE
unsigned char buf[128];
uint64_t count;
uint32_t val_32[25];
uint64_t val_64[16];
const br_hash_class *impl[6];
#endif
} br_multihash_context;
/**
* \brief Clear a multi-hasher context.
*
* This should always be called once on a given context, _before_ setting
* the implementation pointers.
*
* \param ctx the multi-hasher context.
*/
void br_multihash_zero(br_multihash_context *ctx);
/**
* \brief Set a hash function implementation.
*
* Implementations shall be set _after_ clearing the context (with
* `br_multihash_zero()`) but _before_ initialising the computation
* (with `br_multihash_init()`). The hash function implementation
* MUST be one of the standard hash functions (MD5, SHA-1, SHA-224,
* SHA-256, SHA-384 or SHA-512); it may also be `NULL` to remove
* an implementation from the multi-hasher.
*
* \param ctx the multi-hasher context.
* \param id the hash function symbolic identifier.
* \param impl the hash function vtable, or `NULL`.
*/
static inline void
br_multihash_setimpl(br_multihash_context *ctx,
int id, const br_hash_class *impl)
{
/*
* This code relies on hash functions ID being values 1 to 6,
* in the MD5 to SHA-512 order.
*/
ctx->impl[id - 1] = impl;
}
/**
* \brief Get a hash function implementation.
*
* This function returns the currently configured vtable for a given
* hash function (by symbolic ID). If no such function was configured in
* the provided multi-hasher context, then this function returns `NULL`.
*
* \param ctx the multi-hasher context.
* \param id the hash function symbolic identifier.
* \return the hash function vtable, or `NULL`.
*/
static inline const br_hash_class *
br_multihash_getimpl(const br_multihash_context *ctx, int id)
{
return ctx->impl[id - 1];
}
/**
* \brief Reset a multi-hasher context.
*
* This function prepares the context for a new hashing computation,
* for all implementations configured at that point.
*
* \param ctx the multi-hasher context.
*/
void br_multihash_init(br_multihash_context *ctx);
/**
* \brief Inject some data bytes in a running multi-hashing computation.
*
* The provided context is updated with some data bytes. If the number
* of bytes (`len`) is zero, then the data pointer (`data`) is ignored
* and may be `NULL`, and this function does nothing.
*
* \param ctx pointer to the context structure.
* \param data pointer to the injected data.
* \param len injected data length (in bytes).
*/
void br_multihash_update(br_multihash_context *ctx,
const void *data, size_t len);
/**
* \brief Compute a hash output from a multi-hasher.
*
* The hash output for the concatenation of all bytes injected in the
* provided context since the last initialisation or reset call, is
* computed and written in the buffer pointed to by `dst`. The hash
* function to use is identified by `id` and must be one of the standard
* hash functions. If that hash function was indeed configured in the
* multi-hasher context, the corresponding hash value is written in
* `dst` and its length (in bytes) is returned. If the hash function
* was _not_ configured, then nothing is written in `dst` and 0 is
* returned.
*
* The context itself is not modified, so extra bytes may be injected
* afterwards to continue the hash computations.
*
* \param ctx pointer to the context structure.
* \param id the hash function symbolic identifier.
* \param dst destination buffer for the hash output.
* \return the hash output length (in bytes), or 0.
*/
size_t br_multihash_out(const br_multihash_context *ctx, int id, void *dst);
/**
* \brief Type for a GHASH implementation.
*
* GHASH is a sort of keyed hash meant to be used to implement GCM in
* combination with a block cipher (with 16-byte blocks).
*
* The `y` array has length 16 bytes and is used for input and output; in
* a complete GHASH run, it starts with an all-zero value. `h` is a 16-byte
* value that serves as key (it is derived from the encryption key in GCM,
* using the block cipher). The data length (`len`) is expressed in bytes.
* The `y` array is updated.
*
* If the data length is not a multiple of 16, then the data is implicitly
* padded with zeros up to the next multiple of 16. Thus, when using GHASH
* in GCM, this method may be called twice, for the associated data and
* for the ciphertext, respectively; the zero-padding implements exactly
* the GCM rules.
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
typedef void (*br_ghash)(void *y, const void *h, const void *data, size_t len);
/**
* \brief GHASH implementation using multiplications (mixed 32-bit).
*
* This implementation uses multiplications of 32-bit values, with a
* 64-bit result. It is constant-time (if multiplications are
* constant-time).
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
void br_ghash_ctmul(void *y, const void *h, const void *data, size_t len);
/**
* \brief GHASH implementation using multiplications (strict 32-bit).
*
* This implementation uses multiplications of 32-bit values, with a
* 32-bit result. It is usually somewhat slower than `br_ghash_ctmul()`,
* but it is expected to be faster on architectures for which the
* 32-bit multiplication opcode does not yield the upper 32 bits of the
* product. It is constant-time (if multiplications are constant-time).
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
void br_ghash_ctmul32(void *y, const void *h, const void *data, size_t len);
/**
* \brief GHASH implementation using multiplications (64-bit).
*
* This implementation uses multiplications of 64-bit values, with a
* 64-bit result. It is constant-time (if multiplications are
* constant-time). It is substantially faster than `br_ghash_ctmul()`
* and `br_ghash_ctmul32()` on most 64-bit architectures.
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
void br_ghash_ctmul64(void *y, const void *h, const void *data, size_t len);
/**
* \brief GHASH implementation using the `pclmulqdq` opcode (part of the
* AES-NI instructions).
*
* This implementation is available only on x86 platforms where the
* compiler supports the relevant intrinsic functions. Even if the
* compiler supports these functions, the local CPU might not support
* the `pclmulqdq` opcode, meaning that a call will fail with an
* illegal instruction exception. To safely obtain a pointer to this
* function when supported (or 0 otherwise), use `br_ghash_pclmul_get()`.
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
void br_ghash_pclmul(void *y, const void *h, const void *data, size_t len);
/**
* \brief Obtain the `pclmul` GHASH implementation, if available.
*
* If the `pclmul` implementation was compiled in the library (depending
* on the compiler abilities) _and_ the local CPU appears to support the
* opcode, then this function will return a pointer to the
* `br_ghash_pclmul()` function. Otherwise, it will return `0`.
*
* \return the `pclmul` GHASH implementation, or `0`.
*/
br_ghash br_ghash_pclmul_get(void);
/**
* \brief GHASH implementation using the POWER8 opcodes.
*
* This implementation is available only on POWER8 platforms (and later).
* To safely obtain a pointer to this function when supported (or 0
* otherwise), use `br_ghash_pwr8_get()`.
*
* \param y the array to update.
* \param h the GHASH key.
* \param data the input data (may be `NULL` if `len` is zero).
* \param len the input data length (in bytes).
*/
void br_ghash_pwr8(void *y, const void *h, const void *data, size_t len);
/**
* \brief Obtain the `pwr8` GHASH implementation, if available.
*
* If the `pwr8` implementation was compiled in the library (depending
* on the compiler abilities) _and_ the local CPU appears to support the
* opcode, then this function will return a pointer to the
* `br_ghash_pwr8()` function. Otherwise, it will return `0`.
*
* \return the `pwr8` GHASH implementation, or `0`.
*/
br_ghash br_ghash_pwr8_get(void);
#ifdef __cplusplus
}
#endif
#endif