2 #pragma src "/sys/src/libsec"
6 typedef struct mpint mpint;
20 typedef struct AESstate AESstate;
26 uchar key[AESmaxkey]; /* unexpanded key */
27 ulong ekey[4*(AESmaxrounds + 1)]; /* encryption key */
28 ulong dkey[4*(AESmaxrounds + 1)]; /* decryption key */
29 uchar ivec[AESbsize]; /* initialization vector */
30 uchar mackey[3 * AESbsize]; /* 3 XCBC mac 96 keys */
34 void aes_encrypt(ulong rk[], int Nr, uchar pt[16], uchar ct[16]);
35 void aes_decrypt(ulong rk[], int Nr, uchar ct[16], uchar pt[16]);
37 void setupAESstate(AESstate *s, uchar key[], int keybytes, uchar *ivec);
38 void aesCBCencrypt(uchar *p, int len, AESstate *s);
39 void aesCBCdecrypt(uchar *p, int len, AESstate *s);
41 void setupAESXCBCstate(AESstate *s);
42 uchar* aesXCBCmac(uchar *p, int len, AESstate *s);
45 * Blowfish Definitions
54 /* 16-round Blowfish */
55 typedef struct BFstate BFstate;
63 u32int pbox[BFrounds+2];
67 void setupBFstate(BFstate *s, uchar key[], int keybytes, uchar *ivec);
68 void bfCBCencrypt(uchar*, int, BFstate*);
69 void bfCBCdecrypt(uchar*, int, BFstate*);
70 void bfECBencrypt(uchar*, int, BFstate*);
71 void bfECBdecrypt(uchar*, int, BFstate*);
84 typedef struct Chachastate Chachastate;
100 void setupChachastate(Chachastate*, uchar*, ulong, uchar*, ulong, int);
101 void chacha_setiv(Chachastate *, uchar*);
102 void chacha_setblock(Chachastate*, u64int);
103 void chacha_encrypt(uchar*, ulong, Chachastate*);
104 void chacha_encrypt2(uchar*, uchar*, ulong, Chachastate*);
106 void ccpoly_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs);
107 int ccpoly_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs);
120 typedef struct Salsastate Salsastate;
129 void setupSalsastate(Salsastate*, uchar*, ulong, uchar*, ulong, int);
130 void salsa_setiv(Salsastate*, uchar*);
131 void salsa_setblock(Salsastate*, u64int);
132 void salsa_encrypt(uchar*, ulong, Salsastate*);
133 void salsa_encrypt2(uchar*, uchar*, ulong, Salsastate*);
135 void hsalsa(uchar h[32], uchar *key, ulong keylen, uchar nonce[16], int rounds);
147 typedef struct DESstate DESstate;
151 uchar key[8]; /* unexpanded key */
152 ulong expanded[32]; /* expanded key */
153 uchar ivec[8]; /* initialization vector */
156 void setupDESstate(DESstate *s, uchar key[8], uchar *ivec);
157 void des_key_setup(uchar[8], ulong[32]);
158 void block_cipher(ulong*, uchar*, int);
159 void desCBCencrypt(uchar*, int, DESstate*);
160 void desCBCdecrypt(uchar*, int, DESstate*);
161 void desECBencrypt(uchar*, int, DESstate*);
162 void desECBdecrypt(uchar*, int, DESstate*);
164 /* for backward compatibility with 7-byte DES key format */
165 void des56to64(uchar *k56, uchar *k64);
166 void des64to56(uchar *k64, uchar *k56);
167 void key_setup(uchar[7], ulong[32]);
169 /* triple des encrypt/decrypt orderings */
179 typedef struct DES3state DES3state;
183 uchar key[3][8]; /* unexpanded key */
184 ulong expanded[3][32]; /* expanded key */
185 uchar ivec[8]; /* initialization vector */
188 void setupDES3state(DES3state *s, uchar key[3][8], uchar *ivec);
189 void triple_block_cipher(ulong keys[3][32], uchar*, int);
190 void des3CBCencrypt(uchar*, int, DES3state*);
191 void des3CBCdecrypt(uchar*, int, DES3state*);
192 void des3ECBencrypt(uchar*, int, DES3state*);
193 void des3ECBdecrypt(uchar*, int, DES3state*);
201 SHA1dlen= 20, /* SHA digest length */
202 SHA2_224dlen= 28, /* SHA-224 digest length */
203 SHA2_256dlen= 32, /* SHA-256 digest length */
204 SHA2_384dlen= 48, /* SHA-384 digest length */
205 SHA2_512dlen= 64, /* SHA-512 digest length */
206 MD4dlen= 16, /* MD4 digest length */
207 MD5dlen= 16, /* MD5 digest length */
208 Poly1305dlen= 16, /* Poly1305 digest length */
210 Hmacblksz = 64, /* in bytes; from rfc2104 */
213 typedef struct DigestState DigestState;
226 typedef struct DigestState SHAstate; /* obsolete name */
227 typedef struct DigestState SHA1state;
228 typedef struct DigestState SHA2_224state;
229 typedef struct DigestState SHA2_256state;
230 typedef struct DigestState SHA2_384state;
231 typedef struct DigestState SHA2_512state;
232 typedef struct DigestState MD5state;
233 typedef struct DigestState MD4state;
235 DigestState* md4(uchar*, ulong, uchar*, DigestState*);
236 DigestState* md5(uchar*, ulong, uchar*, DigestState*);
237 DigestState* sha1(uchar*, ulong, uchar*, DigestState*);
238 DigestState* sha2_224(uchar*, ulong, uchar*, DigestState*);
239 DigestState* sha2_256(uchar*, ulong, uchar*, DigestState*);
240 DigestState* sha2_384(uchar*, ulong, uchar*, DigestState*);
241 DigestState* sha2_512(uchar*, ulong, uchar*, DigestState*);
242 DigestState* hmac_x(uchar *p, ulong len, uchar *key, ulong klen,
243 uchar *digest, DigestState *s,
244 DigestState*(*x)(uchar*, ulong, uchar*, DigestState*),
246 DigestState* hmac_md5(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
247 DigestState* hmac_sha1(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
248 DigestState* hmac_sha2_224(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
249 DigestState* hmac_sha2_256(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
250 DigestState* hmac_sha2_384(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
251 DigestState* hmac_sha2_512(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
252 char* md5pickle(MD5state*);
253 MD5state* md5unpickle(char*);
254 char* sha1pickle(SHA1state*);
255 SHA1state* sha1unpickle(char*);
257 DigestState* poly1305(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
260 * random number generation
262 void genrandom(uchar *buf, int nbytes);
263 void prng(uchar *buf, int nbytes);
264 ulong fastrand(void);
265 ulong nfastrand(ulong);
270 void genprime(mpint *p, int n, int accuracy); /* generate n-bit probable prime */
271 void gensafeprime(mpint *p, mpint *alpha, int n, int accuracy); /* prime & generator */
272 void genstrongprime(mpint *p, int n, int accuracy); /* generate n-bit strong prime */
273 void DSAprimes(mpint *q, mpint *p, uchar seed[SHA1dlen]);
274 int probably_prime(mpint *n, int nrep); /* miller-rabin test */
275 int smallprimetest(mpint *p); /* returns -1 if not prime, 0 otherwise */
280 typedef struct RC4state RC4state;
288 void setupRC4state(RC4state*, uchar*, int);
289 void rc4(RC4state*, uchar*, int);
290 void rc4skip(RC4state*, int);
291 void rc4back(RC4state*, int);
296 typedef struct RSApub RSApub;
297 typedef struct RSApriv RSApriv;
298 typedef struct PEMChain PEMChain;
300 /* public/encryption key */
303 mpint *n; /* modulus */
304 mpint *ek; /* exp (encryption key) */
307 /* private/decryption key */
312 mpint *dk; /* exp (decryption key) */
314 /* precomputed values to help with chinese remainder theorem calc */
317 mpint *kp; /* dk mod p-1 */
318 mpint *kq; /* dk mod q-1 */
319 mpint *c2; /* (inv p) mod q */
328 RSApriv* rsagen(int nlen, int elen, int rounds);
329 RSApriv* rsafill(mpint *n, mpint *e, mpint *d, mpint *p, mpint *q);
330 mpint* rsaencrypt(RSApub *k, mpint *in, mpint *out);
331 mpint* rsadecrypt(RSApriv *k, mpint *in, mpint *out);
332 RSApub* rsapuballoc(void);
333 void rsapubfree(RSApub*);
334 RSApriv* rsaprivalloc(void);
335 void rsaprivfree(RSApriv*);
336 RSApub* rsaprivtopub(RSApriv*);
337 RSApub* X509toRSApub(uchar*, int, char*, int);
338 RSApriv* asn1toRSApriv(uchar*, int);
339 void asn1dump(uchar *der, int len);
340 uchar* decodePEM(char *s, char *type, int *len, char **new_s);
341 PEMChain* decodepemchain(char *s, char *type);
342 uchar* X509rsagen(RSApriv *priv, char *subj, ulong valid[2], int *certlen);
343 uchar* X509rsareq(RSApriv *priv, char *subj, int *certlen);
344 char* X509rsaverifydigest(uchar *sig, int siglen, uchar *edigest, int edigestlen, RSApub *pk);
345 char* X509rsaverify(uchar *cert, int ncert, RSApub *pk);
347 void X509dump(uchar *cert, int ncert);
352 typedef struct EGpub EGpub;
353 typedef struct EGpriv EGpriv;
354 typedef struct EGsig EGsig;
356 /* public/encryption key */
359 mpint *p; /* modulus */
360 mpint *alpha; /* generator */
361 mpint *key; /* (encryption key) alpha**secret mod p */
364 /* private/decryption key */
368 mpint *secret; /* (decryption key) */
377 EGpriv* eggen(int nlen, int rounds);
378 mpint* egencrypt(EGpub *k, mpint *in, mpint *out); /* deprecated */
379 mpint* egdecrypt(EGpriv *k, mpint *in, mpint *out);
380 EGsig* egsign(EGpriv *k, mpint *m);
381 int egverify(EGpub *k, EGsig *sig, mpint *m);
382 EGpub* egpuballoc(void);
383 void egpubfree(EGpub*);
384 EGpriv* egprivalloc(void);
385 void egprivfree(EGpriv*);
386 EGsig* egsigalloc(void);
387 void egsigfree(EGsig*);
388 EGpub* egprivtopub(EGpriv*);
393 typedef struct DSApub DSApub;
394 typedef struct DSApriv DSApriv;
395 typedef struct DSAsig DSAsig;
397 /* public/encryption key */
400 mpint *p; /* modulus */
401 mpint *q; /* group order, q divides p-1 */
402 mpint *alpha; /* group generator */
403 mpint *key; /* (encryption key) alpha**secret mod p */
406 /* private/decryption key */
410 mpint *secret; /* (decryption key) */
419 DSApriv* dsagen(DSApub *opub); /* opub not checked for consistency! */
420 DSAsig* dsasign(DSApriv *k, mpint *m);
421 int dsaverify(DSApub *k, DSAsig *sig, mpint *m);
422 DSApub* dsapuballoc(void);
423 void dsapubfree(DSApub*);
424 DSApriv* dsaprivalloc(void);
425 void dsaprivfree(DSApriv*);
426 DSAsig* dsasigalloc(void);
427 void dsasigfree(DSAsig*);
428 DSApub* dsaprivtopub(DSApriv*);
429 DSApriv* asn1toDSApriv(uchar*, int);
434 typedef struct Thumbprint{
435 struct Thumbprint *next;
436 uchar sha1[SHA1dlen];
439 typedef struct TLSconn{
440 char dir[40]; /* connection directory */
441 uchar *cert; /* certificate (local on input, remote on output) */
447 int (*trace)(char*fmt, ...);
448 PEMChain*chain; /* optional extra certificate evidence for servers to present */
458 int tlsClient(int fd, TLSconn *c);
459 int tlsServer(int fd, TLSconn *c);
462 Thumbprint* initThumbprints(char *ok, char *crl);
463 void freeThumbprints(Thumbprint *ok);
464 int okThumbprint(uchar *sha1, Thumbprint *ok);
467 uchar *readcert(char *filename, int *pcertlen);
468 PEMChain*readcertchain(char *filename);
471 int aes_xts_encrypt(ulong tweak[], ulong ecb[], vlong sectorNumber, uchar *input, uchar *output, ulong len) ;
472 int aes_xts_decrypt(ulong tweak[], ulong ecb[], vlong sectorNumber, uchar *input, uchar *output, ulong len);
474 typedef struct ECpoint{
480 typedef ECpoint ECpub;
481 typedef struct ECpriv{
486 typedef struct ECdomain{
495 void ecdominit(ECdomain *, void (*init)(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h));
496 void ecdomfree(ECdomain *);
498 void ecassign(ECdomain *, ECpoint *old, ECpoint *new);
499 void ecadd(ECdomain *, ECpoint *a, ECpoint *b, ECpoint *s);
500 void ecmul(ECdomain *, ECpoint *a, mpint *k, ECpoint *s);
501 ECpoint* strtoec(ECdomain *, char *, char **, ECpoint *);
502 ECpriv* ecgen(ECdomain *, ECpriv*);
503 int ecverify(ECdomain *, ECpoint *);
504 int ecpubverify(ECdomain *, ECpub *);
505 void ecdsasign(ECdomain *, ECpriv *, uchar *, int, mpint *, mpint *);
506 int ecdsaverify(ECdomain *, ECpub *, uchar *, int, mpint *, mpint *);
507 void base58enc(uchar *, char *, int);
508 int base58dec(char *, uchar *, int);
510 ECpub* ecdecodepub(ECdomain *dom, uchar *, int);
511 int ecencodepub(ECdomain *dom, ECpub *, uchar *, int);
512 void ecpubfree(ECpub *);
514 ECpub* X509toECpub(uchar *cert, int ncert, ECdomain *dom);
515 char* X509ecdsaverifydigest(uchar *sig, int siglen, uchar *edigest, int edigestlen, ECdomain *dom, ECpub *pub);
516 char* X509ecdsaverify(uchar *sig, int siglen, ECdomain *dom, ECpub *pub);
519 void secp256r1(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h);
520 void secp256k1(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h);
522 DigestState* ripemd160(uchar *, ulong, uchar *, DigestState *);
525 * Diffie-Hellman key exchange
528 typedef struct DHstate DHstate;
531 mpint *g; /* base g */
532 mpint *p; /* large prime */
533 mpint *q; /* subgroup prime */
534 mpint *x; /* random secret */
535 mpint *y; /* public key y = g**x % p */
538 /* generate new public key: y = g**x % p */
539 mpint* dh_new(DHstate *dh, mpint *p, mpint *q, mpint *g);
541 /* calculate shared key: k = y**x % p */
542 mpint* dh_finish(DHstate *dh, mpint *y);
544 /* Curve25519 elliptic curve, public key function */
545 void curve25519(uchar mypublic[32], uchar secret[32], uchar basepoint[32]);
547 /* Curve25519 diffie hellman */
548 void curve25519_dh_new(uchar x[32], uchar y[32]);
549 void curve25519_dh_finish(uchar x[32], uchar y[32], uchar z[32]);
551 /* password-based key derivation function 2 (rfc2898) */
552 void pbkdf2_x(uchar *p, ulong plen, uchar *s, ulong slen, ulong rounds, uchar *d, ulong dlen,
553 DigestState* (*x)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*), int xlen);
555 /* hmac-based key derivation function (rfc5869) */
556 void hkdf_x(uchar *salt, ulong nsalt, uchar *info, ulong ninfo, uchar *key, ulong nkey, uchar *d, ulong dlen,
557 DigestState* (*x)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*), int xlen);
559 /* timing safe memcmp() */
560 int tsmemcmp(void*, void*, ulong);