struct AESstate
{
ulong setup;
+ ulong offset;
int rounds;
int keybytes;
+ void *ekey; /* expanded encryption round key */
+ void *dkey; /* expanded decryption round key */
uchar key[AESmaxkey]; /* unexpanded key */
- ulong ekey[4*(AESmaxrounds + 1)]; /* encryption key */
- ulong dkey[4*(AESmaxrounds + 1)]; /* decryption key */
uchar ivec[AESbsize]; /* initialization vector */
- uchar mackey[3 * AESbsize]; /* 3 XCBC mac 96 keys */
+ uchar storage[512]; /* storage for expanded keys */
};
/* block ciphers */
-void aes_encrypt(ulong rk[], int Nr, uchar pt[16], uchar ct[16]);
-void aes_decrypt(ulong rk[], int Nr, uchar ct[16], uchar pt[16]);
+extern void (*aes_encrypt)(ulong rk[], int Nr, uchar pt[16], uchar ct[16]);
+extern void (*aes_decrypt)(ulong rk[], int Nr, uchar ct[16], uchar pt[16]);
+
+void setupAESstate(AESstate *s, uchar key[], int nkey, uchar *ivec);
-void setupAESstate(AESstate *s, uchar key[], int keybytes, uchar *ivec);
void aesCBCencrypt(uchar *p, int len, AESstate *s);
void aesCBCdecrypt(uchar *p, int len, AESstate *s);
+void aesCFBencrypt(uchar *p, int len, AESstate *s);
+void aesCFBdecrypt(uchar *p, int len, AESstate *s);
+void aesOFBencrypt(uchar *p, int len, AESstate *s);
+
+typedef struct AESGCMstate AESGCMstate;
+struct AESGCMstate
+{
+ AESstate;
-void setupAESXCBCstate(AESstate *s);
-uchar* aesXCBCmac(uchar *p, int len, AESstate *s);
+ ulong H[4];
+ ulong M[16][256][4];
+};
+
+void setupAESGCMstate(AESGCMstate *s, uchar *key, int keylen, uchar *iv, int ivlen);
+void aesgcm_setiv(AESGCMstate *s, uchar *iv, int ivlen);
+void aesgcm_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s);
+int aesgcm_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], AESGCMstate *s);
/*
* Blowfish Definitions
void bfECBencrypt(uchar*, int, BFstate*);
void bfECBdecrypt(uchar*, int, BFstate*);
+/*
+ * Chacha definitions
+ */
+
+enum
+{
+ ChachaBsize= 64,
+ ChachaKeylen= 256/8,
+ ChachaIVlen= 96/8,
+ XChachaIVlen= 192/8,
+};
+
+typedef struct Chachastate Chachastate;
+struct Chachastate
+{
+ union{
+ u32int input[16];
+ struct {
+ u32int constant[4];
+ u32int key[8];
+ u32int counter;
+ u32int iv[3];
+ };
+ };
+ u32int xkey[8];
+ int rounds;
+ int ivwords;
+};
+
+void setupChachastate(Chachastate*, uchar*, ulong, uchar*, ulong, int);
+void chacha_setiv(Chachastate *, uchar*);
+void chacha_setblock(Chachastate*, u64int);
+void chacha_encrypt(uchar*, ulong, Chachastate*);
+void chacha_encrypt2(uchar*, uchar*, ulong, Chachastate*);
+
+void hchacha(uchar h[32], uchar *key, ulong keylen, uchar nonce[16], int rounds);
+
+void ccpoly_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs);
+int ccpoly_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs);
+
+/*
+ * Salsa definitions
+ */
+enum
+{
+ SalsaBsize= 64,
+ SalsaKeylen= 256/8,
+ SalsaIVlen= 64/8,
+ XSalsaIVlen= 192/8,
+};
+
+typedef struct Salsastate Salsastate;
+struct Salsastate
+{
+ u32int input[16];
+ u32int xkey[8];
+ int rounds;
+ int ivwords;
+};
+
+void setupSalsastate(Salsastate*, uchar*, ulong, uchar*, ulong, int);
+void salsa_setiv(Salsastate*, uchar*);
+void salsa_setblock(Salsastate*, u64int);
+void salsa_encrypt(uchar*, ulong, Salsastate*);
+void salsa_encrypt2(uchar*, uchar*, ulong, Salsastate*);
+
+void salsa_core(u32int in[16], u32int out[16], int rounds);
+
+void hsalsa(uchar h[32], uchar *key, ulong keylen, uchar nonce[16], int rounds);
+
/*
* DES definitions
*/
SHA2_512dlen= 64, /* SHA-512 digest length */
MD4dlen= 16, /* MD4 digest length */
MD5dlen= 16, /* MD5 digest length */
- AESdlen= 16, /* TODO: see rfc */
+ Poly1305dlen= 16, /* Poly1305 digest length */
Hmacblksz = 64, /* in bytes; from rfc2104 */
};
{
uvlong len;
union {
- u32int state[8];
+ u32int state[16];
u64int bstate[8];
};
uchar buf[256];
typedef struct DigestState SHA2_512state;
typedef struct DigestState MD5state;
typedef struct DigestState MD4state;
-typedef struct DigestState AEShstate;
DigestState* md4(uchar*, ulong, uchar*, DigestState*);
DigestState* md5(uchar*, ulong, uchar*, DigestState*);
DigestState* sha2_256(uchar*, ulong, uchar*, DigestState*);
DigestState* sha2_384(uchar*, ulong, uchar*, DigestState*);
DigestState* sha2_512(uchar*, ulong, uchar*, DigestState*);
-DigestState* aes(uchar*, ulong, uchar*, DigestState*);
DigestState* hmac_x(uchar *p, ulong len, uchar *key, ulong klen,
uchar *digest, DigestState *s,
DigestState*(*x)(uchar*, ulong, uchar*, DigestState*),
DigestState* hmac_sha2_256(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
DigestState* hmac_sha2_384(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
DigestState* hmac_sha2_512(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
-DigestState* hmac_aes(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
char* md5pickle(MD5state*);
MD5state* md5unpickle(char*);
char* sha1pickle(SHA1state*);
SHA1state* sha1unpickle(char*);
+DigestState* poly1305(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+
/*
* random number generation
*/
void rsaprivfree(RSApriv*);
RSApub* rsaprivtopub(RSApriv*);
RSApub* X509toRSApub(uchar*, int, char*, int);
+RSApub* asn1toRSApub(uchar*, int);
RSApriv* asn1toRSApriv(uchar*, int);
void asn1dump(uchar *der, int len);
uchar* decodePEM(char *s, char *type, int *len, char **new_s);
PEMChain* decodepemchain(char *s, char *type);
-uchar* X509gen(RSApriv *priv, char *subj, ulong valid[2], int *certlen);
-uchar* X509req(RSApriv *priv, char *subj, int *certlen);
-char* X509verify(uchar *cert, int ncert, RSApub *pk);
+uchar* X509rsagen(RSApriv *priv, char *subj, ulong valid[2], int *certlen);
+uchar* X509rsareq(RSApriv *priv, char *subj, int *certlen);
+char* X509rsaverify(uchar *cert, int ncert, RSApub *pk);
+char* X509rsaverifydigest(uchar *sig, int siglen, uchar *edigest, int edigestlen, RSApub *pk);
+
void X509dump(uchar *cert, int ncert);
+mpint* pkcs1padbuf(uchar *buf, int len, mpint *modulus, int blocktype);
+int pkcs1unpadbuf(uchar *buf, int len, mpint *modulus, int blocktype);
+int asn1encodeRSApub(RSApub *pk, uchar *buf, int len);
+int asn1encodedigest(DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*),
+ uchar *digest, uchar *buf, int len);
+
+int X509digestSPKI(uchar *, int, DigestState* (*)(uchar*, ulong, uchar*, DigestState*), uchar *);
+
/*
* elgamal
*/
DSAsig* dsasigalloc(void);
void dsasigfree(DSAsig*);
DSApub* dsaprivtopub(DSApriv*);
-DSApriv* asn1toDSApriv(uchar*, int);
/*
* TLS
*/
typedef struct Thumbprint{
struct Thumbprint *next;
- uchar sha1[SHA1dlen];
+ uchar hash[SHA2_256dlen];
+ uchar len;
} Thumbprint;
typedef struct TLSconn{
char dir[40]; /* connection directory */
uchar *cert; /* certificate (local on input, remote on output) */
uchar *sessionID;
+ uchar *psk;
int certlen;
int sessionIDlen;
+ int psklen;
int (*trace)(char*fmt, ...);
PEMChain*chain; /* optional extra certificate evidence for servers to present */
char *sessionType;
int sessionKeylen;
char *sessionConst;
char *serverName;
+ char *pskID;
} TLSconn;
/* tlshand.c */
int tlsServer(int fd, TLSconn *c);
/* thumb.c */
-Thumbprint* initThumbprints(char *ok, char *crl);
+Thumbprint* initThumbprints(char *ok, char *crl, char *tag);
void freeThumbprints(Thumbprint *ok);
-int okThumbprint(uchar *sha1, Thumbprint *ok);
+int okThumbprint(uchar *hash, int len, Thumbprint *ok);
+int okCertificate(uchar *cert, int len, Thumbprint *ok);
/* readcert.c */
uchar *readcert(char *filename, int *pcertlen);
PEMChain*readcertchain(char *filename);
/* aes_xts.c */
-int aes_xts_encrypt(ulong tweak[], ulong ecb[], vlong sectorNumber, uchar *input, uchar *output, ulong len) ;
-int aes_xts_decrypt(ulong tweak[], ulong ecb[], vlong sectorNumber, uchar *input, uchar *output, ulong len);
+void aes_xts_encrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len);
+void aes_xts_decrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len);
typedef struct ECpoint{
int inf;
mpint *x;
mpint *y;
+ mpint *z; /* nil when using affine coordinates */
} ECpoint;
typedef ECpoint ECpub;
mpint *p;
mpint *a;
mpint *b;
- ECpoint *G;
+ ECpoint G;
mpint *n;
mpint *h;
} ECdomain;
+void ecdominit(ECdomain *, void (*init)(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h));
+void ecdomfree(ECdomain *);
+
void ecassign(ECdomain *, ECpoint *old, ECpoint *new);
void ecadd(ECdomain *, ECpoint *a, ECpoint *b, ECpoint *s);
void ecmul(ECdomain *, ECpoint *a, mpint *k, ECpoint *s);
void base58enc(uchar *, char *, int);
int base58dec(char *, uchar *, int);
+ECpub* ecdecodepub(ECdomain *dom, uchar *, int);
+int ecencodepub(ECdomain *dom, ECpub *, uchar *, int);
+void ecpubfree(ECpub *);
+
+ECpub* X509toECpub(uchar *cert, int ncert, char *name, int nname, ECdomain *dom);
+char* X509ecdsaverify(uchar *cert, int ncert, ECdomain *dom, ECpub *pub);
+char* X509ecdsaverifydigest(uchar *sig, int siglen, uchar *edigest, int edigestlen, ECdomain *dom, ECpub *pub);
+
+/* curves */
+void secp256r1(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h);
+void secp256k1(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h);
+void secp384r1(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h);
+
DigestState* ripemd160(uchar *, ulong, uchar *, DigestState *);
/*
{
mpint *g; /* base g */
mpint *p; /* large prime */
+ mpint *q; /* subgroup prime */
mpint *x; /* random secret */
- mpint *y; /* public key y = g ^ x % p */
+ mpint *y; /* public key y = g**x % p */
};
-/* generate new public key: y = g ^ x % p */
-mpint* dh_new(DHstate *dh, mpint *p, mpint *g);
+/* generate new public key: y = g**x % p */
+mpint* dh_new(DHstate *dh, mpint *p, mpint *q, mpint *g);
+
+/* calculate shared key: k = y**x % p */
+mpint* dh_finish(DHstate *dh, mpint *y);
+
+/* Curve25519 elliptic curve, public key function */
+void curve25519(uchar mypublic[32], uchar secret[32], uchar basepoint[32]);
+
+/* Curve25519 diffie hellman */
+void curve25519_dh_new(uchar x[32], uchar y[32]);
+void curve25519_dh_finish(uchar x[32], uchar y[32], uchar z[32]);
+
+/* password-based key derivation function 2 (rfc2898) */
+void pbkdf2_x(uchar *p, ulong plen, uchar *s, ulong slen, ulong rounds, uchar *d, ulong dlen,
+ DigestState* (*x)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*), int xlen);
+
+/* scrypt password-based key derivation function */
+char* scrypt(uchar *p, ulong plen, uchar *s, ulong slen,
+ ulong N, ulong R, ulong P,
+ uchar *d, ulong dlen);
-/* calculate shared key: k = pub ^ x % p */
-mpint* dh_finish(DHstate *dh, mpint *pub);
+/* hmac-based key derivation function (rfc5869) */
+void hkdf_x(uchar *salt, ulong nsalt, uchar *info, ulong ninfo, uchar *key, ulong nkey, uchar *d, ulong dlen,
+ DigestState* (*x)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*), int xlen);
-/* password-based key derivation function 2 (RFC 2898) */
-void pbkdf2_hmac_sha1(uchar *p, ulong plen, uchar *s, ulong slen, ulong rounds, uchar *d, ulong dlen);
+/* timing safe memcmp() */
+int tsmemcmp(void*, void*, ulong);