X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Finner.h;h=472dc2e6f1099539a9371595f4e74db5b45e6d7b;hp=8417b2439206547bdb1f47e596745c5389d453d2;hb=5f045c759957fdff8c85716e6af99e10901fdac0;hpb=28e4e120b84dacdf53963639f1a8a6fec2793662
diff --git a/src/inner.h b/src/inner.h
index 8417b24..472dc2e 100644
--- a/src/inner.h
+++ b/src/inner.h
@@ -31,6 +31,15 @@
 #include "config.h"
 #include "bearssl.h"
+/*
+ * On MSVC, disable the warning about applying unary minus on an
+ * unsigned type: it is standard, we do it all the time, and for
+ * good reasons.
+ */
+#if _MSC_VER
+#pragma warning( disable : 4146 )
+#endif
+
 /*
  * Maximum size for a RSA modulus (in bits). Allocated stack buffers
  * depend on that size, so this value should be kept small. Currently,
@@ -96,6 +105,55 @@
 #endif
 #endif
+/*
+ * Set BR_LOMUL on platforms where it makes sense.
+ */
+#ifndef BR_LOMUL
+#if BR_ARMEL_CORTEX_GCC
+#define BR_LOMUL 1
+#endif
+#endif
+
+/*
+ * Determine whether x86 AES instructions are understood by the compiler.
+ */
+#ifndef BR_AES_X86NI
+
+#if (__i386__ || __x86_64__) \
+ && ((__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 8)) \
+ || (__clang_major__ > 3 \
+ || (__clang_major__ == 3 && __clang_minor__ >= 7)))
+#define BR_AES_X86NI 1
+#elif (_M_IX86 || _M_X64) && (_MSC_VER >= 1700)
+#define BR_AES_X86NI 1
+#endif
+#endif
+
+/*
+ * If we use x86 AES instruction, determine the compiler brand.
+ */
+#if BR_AES_X86NI
+#ifndef BR_AES_X86NI_GCC
+#if __GNUC__
+#define BR_AES_X86NI_GCC 1
+#endif
+#endif
+#ifndef BR_AES_X86NI_MSC
+#if _MSC_VER >= 1700
+#define BR_AES_X86NI_MSC 1
+#endif
+#endif
+#endif
+
+/*
+ * A macro to tag a function with a "target" attribute (for GCC and Clang).
+ */
+#if BR_AES_X86NI_GCC
+#define BR_TARGET(x) __attribute__((target(x)))
+#else
+#define BR_TARGET(x)
+#endif
+
 /* ==================================================================== */
 /*
  * Encoding/decoding functions.
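Review bot: BR_AES_X86NI, as defined in the second hunk, records only that the compiler accepts the AES-NI intrinsics and the `target` attribute; it says nothing about the CPU the binary will run on, and the comment `Determine whether x86 AES instructions are understood by the compiler.` is easy to misread as a capability flag. I would add one sentence to that comment: `* This is a compile-time property only; code built under BR_AES_X86NI must still test CPU support at run time before executing AES-NI opcodes.` The same commit declares `br_aes_x86ni_supported()` further down in this header, which is presumably that run-time test, so the two should reference each other. The GCC and Clang version tests sit in one `#if`; a short note that Clang also defines `__GNUC__` (so the second disjunct is what actually admits Clang) would spare the next reader a detour.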
@@ -300,7 +358,7 @@ static inline void
 br_multihash_copyimpl(br_multihash_context *dst,
 const br_multihash_context *src)
 {
- memcpy(dst->impl, src->impl, sizeof src->impl);
+ memcpy((void *)dst->impl, src->impl, sizeof src->impl);
 }
 /* ==================================================================== */
@@ -571,16 +629,17 @@ MUL31_lo(uint32_t x, uint32_t y)
 #endif
 /*
- * Multiply two words together; each word may contain up to 15 bits of
- * data. If BR_CT_MUL15 is non-zero, then the macro will contain some
- * extra operations that help in making the operation constant-time on
- * some platforms, where the basic 32-bit multiplication is not
- * constant-time.
+ * Multiply two words together; the sum of the lengths of the two
+ * operands must not exceed 31 (for instance, one operand may use 16
+ * bits if the other fits on 15). If BR_CT_MUL15 is non-zero, then the
+ * macro will contain some extra operations that help in making the
+ * operation constant-time on some platforms, where the basic 32-bit
+ * multiplication is not constant-time.
  */
 #if BR_CT_MUL15
 #define MUL15(x, y) (((uint32_t)(x) | (uint32_t)0x80000000) \
 * ((uint32_t)(y) | (uint32_t)0x80000000) \
- & (uint32_t)0x3FFFFFFF)
+ & (uint32_t)0x7FFFFFFF)
 #else
 #define MUL15(x, y) ((uint32_t)(x) * (uint32_t)(y))
 #endif
@@ -1067,6 +1126,10 @@ void br_i31_mulacc(uint32_t *d, const uint32_t *a, const uint32_t *b);
 /* ==================================================================== */
+/*
+ * FIXME: document "i15" functions.
+ */
+
 static inline void
 br_i15_zero(uint16_t *x, uint16_t bit_len)
 {
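Review bot: The new `(void *)` cast on `dst->impl` in br_multihash_copyimpl is unexplained; the declaration of `impl` is outside this hunk, so a reader cannot tell which compiler warning it silences or whether it is discarding a qualifier. Casts that exist only to quiet a diagnostic tend to be removed by the next cleanup unless they carry a reason. I would add a one-line comment above the call, e.g. `/* explicit cast: silences a diagnostic on the array-of-pointers type of impl — TODO name the compiler/warning */`, with the placeholder filled in from the build that motivated the change.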
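Review bot: The new contract on MUL15 (`the sum of the lengths of the two operands must not exceed 31`) is only made visible by the BR_CT_MUL15 branch, whose final `& (uint32_t)0x7FFFFFFF` drops bit 31, while the plain branch `(uint32_t)(x) * (uint32_t)(y)` returns the full 32-bit product. A caller that exceeds 31 bits therefore gets a correct result in a default build and a silently truncated one in a constant-time build, which ordinary testing will not catch. I would state that asymmetry in the comment, e.g. `* The non-BR_CT_MUL15 variant does not truncate, so a violation of this bound only shows up on BR_CT_MUL15 builds; respect it unconditionally.` The mask change from 0x3FFFFFFF to 0x7FFFFFFF is consistent with the new bound: with both operands below 2^31, the OR'd 0x80000000 terms only pollute bit 31 of the 32-bit product.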
@@ -1092,6 +1155,9 @@ void br_i15_to_monty(uint16_t *x, const uint16_t *m);
 void br_i15_modpow(uint16_t *x, const unsigned char *e, size_t elen,
 const uint16_t *m, uint16_t m0i, uint16_t *t1, uint16_t *t2);
+uint32_t br_i15_modpow_opt(uint16_t *x, const unsigned char *e, size_t elen,
+ const uint16_t *m, uint16_t m0i, uint16_t *tmp, size_t twlen);
+
 void br_i15_encode(void *dst, size_t len, const uint16_t *x);
 uint32_t br_i15_decode_mod(uint16_t *x,
@@ -1411,6 +1477,27 @@ unsigned br_aes_ct64_keysched(uint64_t *comp_skey,
 void br_aes_ct64_skey_expand(uint64_t *skey, unsigned num_rounds,
 const uint64_t *comp_skey);
+/*
+ * Test support for AES-NI opcodes.
+ */
+int br_aes_x86ni_supported(void);
+
+/*
+ * AES key schedule, using x86 AES-NI instructions. This yields the
+ * subkeys in the encryption direction. Number of rounds is returned.
+ * Key size MUST be 16, 24 or 32 bytes; otherwise, 0 is returned.
+ */
+unsigned br_aes_x86ni_keysched_enc(unsigned char *skni,
+ const void *key, size_t len);
+
+/*
+ * AES key schedule, using x86 AES-NI instructions. This yields the
+ * subkeys in the decryption direction. Number of rounds is returned.
+ * Key size MUST be 16, 24 or 32 bytes; otherwise, 0 is returned.
+ */
+unsigned br_aes_x86ni_keysched_dec(unsigned char *skni,
+ const void *key, size_t len);
+
 /* ==================================================================== */
 /*
  * RSA.
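Review bot: `br_i15_modpow_opt` is declared without a comment, so neither the meaning of its `uint32_t` return nor the minimum `twlen` is stated, and both are things the caller has to get right because it sizes `tmp`. From the prototype alone one cannot tell whether an undersized `tmp` is reported through the return value or is undefined behaviour. I would add a comment above the declaration giving the return-value convention and the required `twlen` as a function of the modulus length; the exact rule lives in the implementation, which is not on this page, so it should be copied from there rather than guessed. The FIXME added earlier in this same commit acknowledges the i15 family is undocumented, but a new entry point with a caller-sized scratch buffer is the one most worth documenting now.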
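Review bot: The `skni` output buffer of `br_aes_x86ni_keysched_enc` and `br_aes_x86ni_keysched_dec` has no documented size requirement, while the accepted key lengths and the return value are spelled out. These routines write expanded subkeys into caller memory, so the comment should state the capacity the caller must provide (presumably room for `num_rounds + 1` 16-byte round keys — confirm against the implementation, which is not on this page). I would also add to each comment: `* Must only be called after br_aes_x86ni_supported() returned non-zero; on a CPU without AES-NI the opcodes fault.` The placement of `br_aes_x86ni_supported()` directly above suggests that protocol is intended, but nothing in the header says so.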
@@ -1455,28 +1542,14 @@ extern const br_ec_curve_def br_secp256r1;
 extern const br_ec_curve_def br_secp384r1;
 extern const br_ec_curve_def br_secp521r1;
-#if 0
-/* obsolete */
 /*
- * Type for the parameters for a "prime curve":
- * coordinates are in GF(p), with p prime
- * curve equation is Y^2 = X^3 - 3*X + b
- * b is in Montgomery representation
- * curve order is n and is prime
- * base point is G (encoded) and has order n
+ * For Curve25519, the advertised "order" really is 2^255-1, since the
+ * point multipliction function really works over arbitrary 255-bit
+ * scalars. This value is only meant as a hint for ECDH key generation;
+ * only ECDSA uses the exact curve order, and ECDSA is not used with
+ * that specific curve.
  */
-typedef struct {
- const uint32_t *p;
- const uint32_t *b;
- const uint32_t p0i;
-} br_ec_prime_i31_curve;
-
-extern const br_ec_prime_i31_curve br_ec_prime_i31_secp256r1;
-extern const br_ec_prime_i31_curve br_ec_prime_i31_secp384r1;
-extern const br_ec_prime_i31_curve br_ec_prime_i31_secp521r1;
-
-#define BR_EC_I31_LEN ((BR_MAX_EC_SIZE + 61) / 31)
-#endif
+extern const br_ec_curve_def br_curve25519;
 /*
  * Decode some bytes as an i31 integer, with truncation (corresponding
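Review bot: The added comment misspells "multiplication" as `multipliction` on its second line. More substantively, the comment documents a non-obvious contract — the `order` of `br_curve25519` is 2^255-1 rather than the group order — but its last sentence, `ECDSA is not used with that specific curve`, reads as an observation about current callers rather than a requirement; if nothing rejects ECDSA on this curve, a future caller that relies on `order` will silently get a wrong value. I would rephrase it as a stated constraint, e.g. `* ECDSA MUST NOT be used with this curve: its "order" field is not the group order.`, so the limitation survives even if ECDSA support is later extended.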