1 /* 2 * blapi.h - public prototypes for the freebl library 3 * 4 * This Source Code Form is subject to the terms of the Mozilla Public 5 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 8 #ifndef _BLAPI_H_ 9 #define _BLAPI_H_ 10 11 #include "blapit.h" 12 #include "hasht.h" 13 #include "alghmac.h" 14 15 SEC_BEGIN_PROTOS 16 17 /* 18 ** RSA encryption/decryption. When encrypting/decrypting the output 19 ** buffer must be at least the size of the public key modulus. 20 */ 21 22 extern SECStatus BL_Init(void); 23 24 /* 25 ** Generate and return a new RSA public and private key. 26 ** Both keys are encoded in a single RSAPrivateKey structure. 27 ** "cx" is the random number generator context 28 ** "keySizeInBits" is the size of the key to be generated, in bits. 29 ** 512, 1024, etc. 30 ** "publicExponent" when not NULL is a pointer to some data that 31 ** represents the public exponent to use. The data is a byte 32 ** encoded integer, in "big endian" order. 33 */ 34 extern RSAPrivateKey *RSA_NewKey(int keySizeInBits, 35 SECItem *publicExponent); 36 37 /* 38 ** Perform a raw public-key operation 39 ** Length of input and output buffers are equal to key's modulus len. 40 */ 41 extern SECStatus RSA_PublicKeyOp(RSAPublicKey *key, 42 unsigned char *output, 43 const unsigned char *input); 44 45 /* 46 ** Perform a raw private-key operation 47 ** Length of input and output buffers are equal to key's modulus len. 48 */ 49 extern SECStatus RSA_PrivateKeyOp(RSAPrivateKey *key, 50 unsigned char *output, 51 const unsigned char *input); 52 53 /* 54 ** Perform a raw private-key operation, and check the parameters used in 55 ** the operation for validity by performing a test operation first. 56 ** Length of input and output buffers are equal to key's modulus len. 57 */ 58 extern SECStatus RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key, 59 unsigned char *output, 60 const unsigned char *input); 61 62 /* 63 ** Perform a check of private key parameters for consistency. 64 */ 65 extern SECStatus RSA_PrivateKeyCheck(const RSAPrivateKey *key); 66 67 /* 68 ** Given only minimal private key parameters, fill in the rest of the 69 ** parameters. 70 ** 71 ** 72 ** All the entries, including those supplied by the caller, will be 73 ** overwritten with data alocated out of the arena. 74 ** 75 ** If no arena is supplied, one will be created. 76 ** 77 ** The following fields must be supplied in order for this function 78 ** to succeed: 79 ** one of either publicExponent or privateExponent 80 ** two more of the following 5 parameters (not counting the above). 81 ** modulus (n) 82 ** prime1 (p) 83 ** prime2 (q) 84 ** publicExponent (e) 85 ** privateExponent (d) 86 ** 87 ** NOTE: if only the publicExponent, privateExponent, and one prime is given, 88 ** then there may be more than one RSA key that matches that combination. If 89 ** we find 2 possible valid keys that meet this criteria, we return an error. 90 ** If we return the wrong key, and the original modulus is compared to the 91 ** new modulus, both can be factored by calculateing gcd(n_old,n_new) to get 92 ** the common prime. 93 ** 94 ** NOTE: in some cases the publicExponent must be less than 2^23 for this 95 ** function to work correctly. (The case where we have only one of: modulus 96 ** prime1 and prime2). 97 ** 98 ** All parameters will be replaced in the key structure with new parameters 99 ** allocated out of the arena. There is no attempt to free the old structures. 100 ** prime1 will always be greater than prime2 (even if the caller supplies the 101 ** smaller prime as prime1 or the larger prime as prime2). The parameters are 102 ** not overwritten on failure. 103 ** 104 ** While the remaining Chinese remainder theorem parameters (dp,dp, and qinv) 105 ** can also be used in reconstructing the private key, they are currently 106 ** ignored in this implementation. 107 */ 108 extern SECStatus RSA_PopulatePrivateKey(RSAPrivateKey *key); 109 110 /******************************************************************** 111 ** RSA algorithm 112 */ 113 114 /******************************************************************** 115 ** Raw signing/encryption/decryption operations. 116 ** 117 ** No padding or formatting will be applied. 118 ** inputLen MUST be equivalent to the modulus size (in bytes). 119 */ 120 extern SECStatus 121 RSA_SignRaw(RSAPrivateKey *key, 122 unsigned char *output, 123 unsigned int *outputLen, 124 unsigned int maxOutputLen, 125 const unsigned char *input, 126 unsigned int inputLen); 127 128 extern SECStatus 129 RSA_CheckSignRaw(RSAPublicKey *key, 130 const unsigned char *sig, 131 unsigned int sigLen, 132 const unsigned char *hash, 133 unsigned int hashLen); 134 135 extern SECStatus 136 RSA_CheckSignRecoverRaw(RSAPublicKey *key, 137 unsigned char *data, 138 unsigned int *dataLen, 139 unsigned int maxDataLen, 140 const unsigned char *sig, 141 unsigned int sigLen); 142 143 extern SECStatus 144 RSA_EncryptRaw(RSAPublicKey *key, 145 unsigned char *output, 146 unsigned int *outputLen, 147 unsigned int maxOutputLen, 148 const unsigned char *input, 149 unsigned int inputLen); 150 151 extern SECStatus 152 RSA_DecryptRaw(RSAPrivateKey *key, 153 unsigned char *output, 154 unsigned int *outputLen, 155 unsigned int maxOutputLen, 156 const unsigned char *input, 157 unsigned int inputLen); 158 159 /******************************************************************** 160 ** RSAES-OAEP encryption/decryption, as defined in RFC 3447, Section 7.1. 161 ** 162 ** Note: Only MGF1 is supported as the mask generation function. It will be 163 ** used with maskHashAlg as the inner hash function. 164 ** 165 ** Unless performing Known Answer Tests, "seed" should be NULL, indicating that 166 ** freebl should generate a random value. Otherwise, it should be an octet 167 ** string of seedLen bytes, which should be the same size as the output of 168 ** hashAlg. 169 */ 170 extern SECStatus 171 RSA_EncryptOAEP(RSAPublicKey *key, 172 HASH_HashType hashAlg, 173 HASH_HashType maskHashAlg, 174 const unsigned char *label, 175 unsigned int labelLen, 176 const unsigned char *seed, 177 unsigned int seedLen, 178 unsigned char *output, 179 unsigned int *outputLen, 180 unsigned int maxOutputLen, 181 const unsigned char *input, 182 unsigned int inputLen); 183 184 extern SECStatus 185 RSA_DecryptOAEP(RSAPrivateKey *key, 186 HASH_HashType hashAlg, 187 HASH_HashType maskHashAlg, 188 const unsigned char *label, 189 unsigned int labelLen, 190 unsigned char *output, 191 unsigned int *outputLen, 192 unsigned int maxOutputLen, 193 const unsigned char *input, 194 unsigned int inputLen); 195 196 /******************************************************************** 197 ** RSAES-PKCS1-v1_5 encryption/decryption, as defined in RFC 3447, Section 7.2. 198 */ 199 extern SECStatus 200 RSA_EncryptBlock(RSAPublicKey *key, 201 unsigned char *output, 202 unsigned int *outputLen, 203 unsigned int maxOutputLen, 204 const unsigned char *input, 205 unsigned int inputLen); 206 207 extern SECStatus 208 RSA_DecryptBlock(RSAPrivateKey *key, 209 unsigned char *output, 210 unsigned int *outputLen, 211 unsigned int maxOutputLen, 212 const unsigned char *input, 213 unsigned int inputLen); 214 215 /******************************************************************** 216 ** RSASSA-PSS signing/verifying, as defined in RFC 3447, Section 8.1. 217 ** 218 ** Note: Only MGF1 is supported as the mask generation function. It will be 219 ** used with maskHashAlg as the inner hash function. 220 ** 221 ** Unless performing Known Answer Tests, "salt" should be NULL, indicating that 222 ** freebl should generate a random value. 223 */ 224 extern SECStatus 225 RSA_SignPSS(RSAPrivateKey *key, 226 HASH_HashType hashAlg, 227 HASH_HashType maskHashAlg, 228 const unsigned char *salt, 229 unsigned int saltLen, 230 unsigned char *output, 231 unsigned int *outputLen, 232 unsigned int maxOutputLen, 233 const unsigned char *input, 234 unsigned int inputLen); 235 236 extern SECStatus 237 RSA_CheckSignPSS(RSAPublicKey *key, 238 HASH_HashType hashAlg, 239 HASH_HashType maskHashAlg, 240 unsigned int saltLen, 241 const unsigned char *sig, 242 unsigned int sigLen, 243 const unsigned char *hash, 244 unsigned int hashLen); 245 246 /******************************************************************** 247 ** RSASSA-PKCS1-v1_5 signing/verifying, as defined in RFC 3447, Section 8.2. 248 ** 249 ** These functions expect as input to be the raw value to be signed. For most 250 ** cases using PKCS1-v1_5, this should be the value of T, the DER-encoded 251 ** DigestInfo structure defined in Section 9.2, Step 2. 252 ** Note: This can also be used for signatures that use PKCS1-v1_5 padding, such 253 ** as the signatures used in SSL/TLS, which sign a raw hash. 254 */ 255 extern SECStatus 256 RSA_Sign(RSAPrivateKey *key, 257 unsigned char *output, 258 unsigned int *outputLen, 259 unsigned int maxOutputLen, 260 const unsigned char *data, 261 unsigned int dataLen); 262 263 extern SECStatus 264 RSA_CheckSign(RSAPublicKey *key, 265 const unsigned char *sig, 266 unsigned int sigLen, 267 const unsigned char *data, 268 unsigned int dataLen); 269 270 extern SECStatus 271 RSA_CheckSignRecover(RSAPublicKey *key, 272 unsigned char *output, 273 unsigned int *outputLen, 274 unsigned int maxOutputLen, 275 const unsigned char *sig, 276 unsigned int sigLen); 277 278 /******************************************************************** 279 ** DSA signing algorithm 280 */ 281 282 /* Generate a new random value within the interval [2, q-1]. 283 */ 284 extern SECStatus DSA_NewRandom(PLArenaPool *arena, const SECItem *q, 285 SECItem *random); 286 287 /* 288 ** Generate and return a new DSA public and private key pair, 289 ** both of which are encoded into a single DSAPrivateKey struct. 290 ** "params" is a pointer to the PQG parameters for the domain 291 ** Uses a random seed. 292 */ 293 extern SECStatus DSA_NewKey(const PQGParams *params, 294 DSAPrivateKey **privKey); 295 296 /* signature is caller-supplied buffer of at least 20 bytes. 297 ** On input, signature->len == size of buffer to hold signature. 298 ** digest->len == size of digest. 299 ** On output, signature->len == size of signature in buffer. 300 ** Uses a random seed. 301 */ 302 extern SECStatus DSA_SignDigest(DSAPrivateKey *key, 303 SECItem *signature, 304 const SECItem *digest); 305 306 /* signature is caller-supplied buffer of at least 20 bytes. 307 ** On input, signature->len == size of buffer to hold signature. 308 ** digest->len == size of digest. 309 */ 310 extern SECStatus DSA_VerifyDigest(DSAPublicKey *key, 311 const SECItem *signature, 312 const SECItem *digest); 313 314 /* For FIPS compliance testing. Seed must be exactly 20 bytes long */ 315 extern SECStatus DSA_NewKeyFromSeed(const PQGParams *params, 316 const unsigned char *seed, 317 DSAPrivateKey **privKey); 318 319 /* For FIPS compliance testing. Seed must be exactly 20 bytes. */ 320 extern SECStatus DSA_SignDigestWithSeed(DSAPrivateKey *key, 321 SECItem *signature, 322 const SECItem *digest, 323 const unsigned char *seed); 324 325 /****************************************************** 326 ** Diffie Helman key exchange algorithm 327 */ 328 329 /* Generates parameters for Diffie-Helman key generation. 330 ** primeLen is the length in bytes of prime P to be generated. 331 */ 332 extern SECStatus DH_GenParam(int primeLen, DHParams **params); 333 334 /* Generates a public and private key, both of which are encoded in a single 335 ** DHPrivateKey struct. Params is input, privKey are output. 336 ** This is Phase 1 of Diffie Hellman. 337 */ 338 extern SECStatus DH_NewKey(DHParams *params, 339 DHPrivateKey **privKey); 340 341 /* 342 ** DH_Derive does the Diffie-Hellman phase 2 calculation, using the 343 ** other party's publicValue, and the prime and our privateValue. 344 ** maxOutBytes is the requested length of the generated secret in bytes. 345 ** A zero value means produce a value of any length up to the size of 346 ** the prime. If successful, derivedSecret->data is set 347 ** to the address of the newly allocated buffer containing the derived 348 ** secret, and derivedSecret->len is the size of the secret produced. 349 ** The size of the secret produced will depend on the value of outBytes. 350 ** If outBytes is 0, the key length will be all the significant bytes of 351 ** the derived secret (leading zeros are dropped). This length could be less 352 ** than the length of the prime. If outBytes is nonzero, the length of the 353 ** produced key will be outBytes long. If the key is truncated, the most 354 ** significant bytes are truncated. If it is expanded, zero bytes are added 355 ** at the beginning. 356 ** It is the caller's responsibility to free the allocated buffer 357 ** containing the derived secret. 358 */ 359 extern SECStatus DH_Derive(SECItem *publicValue, 360 SECItem *prime, 361 SECItem *privateValue, 362 SECItem *derivedSecret, 363 unsigned int outBytes); 364 365 /* 366 ** KEA_CalcKey returns octet string with the private key for a dual 367 ** Diffie-Helman key generation as specified for government key exchange. 368 */ 369 extern SECStatus KEA_Derive(SECItem *prime, 370 SECItem *public1, 371 SECItem *public2, 372 SECItem *private1, 373 SECItem *private2, 374 SECItem *derivedSecret); 375 376 /* 377 * verify that a KEA or DSA public key is a valid key for this prime and 378 * subprime domain. 379 */ 380 extern PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime); 381 382 /**************************************** 383 * J-PAKE key transport 384 */ 385 386 /* Given gx == g^x, create a Schnorr zero-knowledge proof for the value x 387 * using the specified hash algorithm and signer ID. The signature is 388 * returned in the values gv and r. testRandom must be NULL for a PRNG 389 * generated random committment to be used in the sigature. When testRandom 390 * is non-NULL, that value must contain a value in the subgroup q; that 391 * value will be used instead of a PRNG-generated committment in order to 392 * facilitate known-answer tests. 393 * 394 * If gxIn is non-NULL then it must contain a pre-computed value of g^x that 395 * will be used by the function; in this case, the gxOut parameter must be NULL. 396 * If the gxIn parameter is NULL then gxOut must be non-NULL; in this case 397 * gxOut will contain the value g^x on output. 398 * 399 * gx (if not supplied by the caller), gv, and r will be allocated in the arena. 400 * The arena is *not* optional so do not pass NULL for the arena parameter. 401 * The arena should be zeroed when it is freed. 402 */ 403 SECStatus 404 JPAKE_Sign(PLArenaPool *arena, const PQGParams *pqg, HASH_HashType hashType, 405 const SECItem *signerID, const SECItem *x, 406 const SECItem *testRandom, const SECItem *gxIn, SECItem *gxOut, 407 SECItem *gv, SECItem *r); 408 409 /* Given gx == g^x, verify the Schnorr zero-knowledge proof (gv, r) for the 410 * value x using the specified hash algorithm and signer ID. 411 * 412 * The arena is *not* optional so do not pass NULL for the arena parameter. 413 */ 414 SECStatus 415 JPAKE_Verify(PLArenaPool *arena, const PQGParams *pqg, 416 HASH_HashType hashType, const SECItem *signerID, 417 const SECItem *peerID, const SECItem *gx, 418 const SECItem *gv, const SECItem *r); 419 420 /* Call before round 2 with x2, s, and x2s all non-NULL. This will calculate 421 * base = g^(x1+x3+x4) (mod p) and x2s = x2*s (mod q). The values to send in 422 * round 2 (A and the proof of knowledge of x2s) can then be calculated with 423 * JPAKE_Sign using pqg->base = base and x = x2s. 424 * 425 * Call after round 2 with x2, s, and x2s all NULL, and passing (gx1, gx2, gx3) 426 * instead of (gx1, gx3, gx4). This will calculate base = g^(x1+x2+x3). Then call 427 * JPAKE_Verify with pqg->base = base and then JPAKE_Final. 428 * 429 * base and x2s will be allocated in the arena. The arena is *not* optional so 430 * do not pass NULL for the arena parameter. The arena should be zeroed when it 431 * is freed. 432 */ 433 SECStatus 434 JPAKE_Round2(PLArenaPool *arena, const SECItem *p, const SECItem *q, 435 const SECItem *gx1, const SECItem *gx3, const SECItem *gx4, 436 SECItem *base, const SECItem *x2, const SECItem *s, SECItem *x2s); 437 438 /* K = (B/g^(x2*x4*s))^x2 (mod p) 439 * 440 * K will be allocated in the arena. The arena is *not* optional so do not pass 441 * NULL for the arena parameter. The arena should be zeroed when it is freed. 442 */ 443 SECStatus 444 JPAKE_Final(PLArenaPool *arena, const SECItem *p, const SECItem *q, 445 const SECItem *x2, const SECItem *gx4, const SECItem *x2s, 446 const SECItem *B, SECItem *K); 447 448 /****************************************************** 449 ** Elliptic Curve algorithms 450 */ 451 452 /* Generates a public and private key, both of which are encoded 453 ** in a single ECPrivateKey struct. Params is input, privKey are 454 ** output. 455 */ 456 extern SECStatus EC_NewKey(ECParams *params, 457 ECPrivateKey **privKey); 458 459 extern SECStatus EC_NewKeyFromSeed(ECParams *params, 460 ECPrivateKey **privKey, 461 const unsigned char *seed, 462 int seedlen); 463 464 /* Validates an EC public key as described in Section 5.2.2 of 465 * X9.62. Such validation prevents against small subgroup attacks 466 * when the ECDH primitive is used with the cofactor. 467 */ 468 extern SECStatus EC_ValidatePublicKey(ECParams *params, 469 SECItem *publicValue); 470 471 /* 472 ** ECDH_Derive performs a scalar point multiplication of a point 473 ** representing a (peer's) public key and a large integer representing 474 ** a private key (its own). Both keys must use the same elliptic curve 475 ** parameters. If the withCofactor parameter is true, the 476 ** multiplication also uses the cofactor associated with the curve 477 ** parameters. The output of this scheme is the x-coordinate of the 478 ** resulting point. If successful, derivedSecret->data is set to the 479 ** address of the newly allocated buffer containing the derived 480 ** secret, and derivedSecret->len is the size of the secret 481 ** produced. It is the caller's responsibility to free the allocated 482 ** buffer containing the derived secret. 483 */ 484 extern SECStatus ECDH_Derive(SECItem *publicValue, 485 ECParams *params, 486 SECItem *privateValue, 487 PRBool withCofactor, 488 SECItem *derivedSecret); 489 490 /* On input, signature->len == size of buffer to hold signature. 491 ** digest->len == size of digest. 492 ** On output, signature->len == size of signature in buffer. 493 ** Uses a random seed. 494 */ 495 extern SECStatus ECDSA_SignDigest(ECPrivateKey *key, 496 SECItem *signature, 497 const SECItem *digest); 498 499 /* On input, signature->len == size of buffer to hold signature. 500 ** digest->len == size of digest. 501 */ 502 extern SECStatus ECDSA_VerifyDigest(ECPublicKey *key, 503 const SECItem *signature, 504 const SECItem *digest); 505 506 /* Uses the provided seed. */ 507 extern SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey *key, 508 SECItem *signature, 509 const SECItem *digest, 510 const unsigned char *seed, 511 const int seedlen); 512 513 /******************************************/ 514 /* 515 ** RC4 symmetric stream cypher 516 */ 517 518 /* 519 ** Create a new RC4 context suitable for RC4 encryption/decryption. 520 ** "key" raw key data 521 ** "len" the number of bytes of key data 522 */ 523 extern RC4Context *RC4_CreateContext(const unsigned char *key, int len); 524 525 extern RC4Context *RC4_AllocateContext(void); 526 extern SECStatus RC4_InitContext(RC4Context *cx, 527 const unsigned char *key, 528 unsigned int keylen, 529 const unsigned char *, 530 int, 531 unsigned int, 532 unsigned int); 533 534 /* 535 ** Destroy an RC4 encryption/decryption context. 536 ** "cx" the context 537 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 538 */ 539 extern void RC4_DestroyContext(RC4Context *cx, PRBool freeit); 540 541 /* 542 ** Perform RC4 encryption. 543 ** "cx" the context 544 ** "output" the output buffer to store the encrypted data. 545 ** "outputLen" how much data is stored in "output". Set by the routine 546 ** after some data is stored in output. 547 ** "maxOutputLen" the maximum amount of data that can ever be 548 ** stored in "output" 549 ** "input" the input data 550 ** "inputLen" the amount of input data 551 */ 552 extern SECStatus RC4_Encrypt(RC4Context *cx, unsigned char *output, 553 unsigned int *outputLen, unsigned int maxOutputLen, 554 const unsigned char *input, unsigned int inputLen); 555 556 /* 557 ** Perform RC4 decryption. 558 ** "cx" the context 559 ** "output" the output buffer to store the decrypted data. 560 ** "outputLen" how much data is stored in "output". Set by the routine 561 ** after some data is stored in output. 562 ** "maxOutputLen" the maximum amount of data that can ever be 563 ** stored in "output" 564 ** "input" the input data 565 ** "inputLen" the amount of input data 566 */ 567 extern SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output, 568 unsigned int *outputLen, unsigned int maxOutputLen, 569 const unsigned char *input, unsigned int inputLen); 570 571 /******************************************/ 572 /* 573 ** RC2 symmetric block cypher 574 */ 575 576 /* 577 ** Create a new RC2 context suitable for RC2 encryption/decryption. 578 ** "key" raw key data 579 ** "len" the number of bytes of key data 580 ** "iv" is the CBC initialization vector (if mode is NSS_RC2_CBC) 581 ** "mode" one of NSS_RC2 or NSS_RC2_CBC 582 ** "effectiveKeyLen" is the effective key length (as specified in 583 ** RFC 2268) in bytes (not bits). 584 ** 585 ** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block 586 ** chaining" mode. 587 */ 588 extern RC2Context *RC2_CreateContext(const unsigned char *key, unsigned int len, 589 const unsigned char *iv, int mode, 590 unsigned effectiveKeyLen); 591 extern RC2Context *RC2_AllocateContext(void); 592 extern SECStatus RC2_InitContext(RC2Context *cx, 593 const unsigned char *key, 594 unsigned int keylen, 595 const unsigned char *iv, 596 int mode, 597 unsigned int effectiveKeyLen, 598 unsigned int); 599 600 /* 601 ** Destroy an RC2 encryption/decryption context. 602 ** "cx" the context 603 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 604 */ 605 extern void RC2_DestroyContext(RC2Context *cx, PRBool freeit); 606 607 /* 608 ** Perform RC2 encryption. 609 ** "cx" the context 610 ** "output" the output buffer to store the encrypted data. 611 ** "outputLen" how much data is stored in "output". Set by the routine 612 ** after some data is stored in output. 613 ** "maxOutputLen" the maximum amount of data that can ever be 614 ** stored in "output" 615 ** "input" the input data 616 ** "inputLen" the amount of input data 617 */ 618 extern SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output, 619 unsigned int *outputLen, unsigned int maxOutputLen, 620 const unsigned char *input, unsigned int inputLen); 621 622 /* 623 ** Perform RC2 decryption. 624 ** "cx" the context 625 ** "output" the output buffer to store the decrypted data. 626 ** "outputLen" how much data is stored in "output". Set by the routine 627 ** after some data is stored in output. 628 ** "maxOutputLen" the maximum amount of data that can ever be 629 ** stored in "output" 630 ** "input" the input data 631 ** "inputLen" the amount of input data 632 */ 633 extern SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output, 634 unsigned int *outputLen, unsigned int maxOutputLen, 635 const unsigned char *input, unsigned int inputLen); 636 637 /******************************************/ 638 /* 639 ** RC5 symmetric block cypher -- 64-bit block size 640 */ 641 642 /* 643 ** Create a new RC5 context suitable for RC5 encryption/decryption. 644 ** "key" raw key data 645 ** "len" the number of bytes of key data 646 ** "iv" is the CBC initialization vector (if mode is NSS_RC5_CBC) 647 ** "mode" one of NSS_RC5 or NSS_RC5_CBC 648 ** 649 ** When mode is set to NSS_RC5_CBC the RC5 cipher is run in "cipher block 650 ** chaining" mode. 651 */ 652 extern RC5Context *RC5_CreateContext(const SECItem *key, unsigned int rounds, 653 unsigned int wordSize, const unsigned char *iv, int mode); 654 extern RC5Context *RC5_AllocateContext(void); 655 extern SECStatus RC5_InitContext(RC5Context *cx, 656 const unsigned char *key, 657 unsigned int keylen, 658 const unsigned char *iv, 659 int mode, 660 unsigned int rounds, 661 unsigned int wordSize); 662 663 /* 664 ** Destroy an RC5 encryption/decryption context. 665 ** "cx" the context 666 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 667 */ 668 extern void RC5_DestroyContext(RC5Context *cx, PRBool freeit); 669 670 /* 671 ** Perform RC5 encryption. 672 ** "cx" the context 673 ** "output" the output buffer to store the encrypted data. 674 ** "outputLen" how much data is stored in "output". Set by the routine 675 ** after some data is stored in output. 676 ** "maxOutputLen" the maximum amount of data that can ever be 677 ** stored in "output" 678 ** "input" the input data 679 ** "inputLen" the amount of input data 680 */ 681 extern SECStatus RC5_Encrypt(RC5Context *cx, unsigned char *output, 682 unsigned int *outputLen, unsigned int maxOutputLen, 683 const unsigned char *input, unsigned int inputLen); 684 685 /* 686 ** Perform RC5 decryption. 687 ** "cx" the context 688 ** "output" the output buffer to store the decrypted data. 689 ** "outputLen" how much data is stored in "output". Set by the routine 690 ** after some data is stored in output. 691 ** "maxOutputLen" the maximum amount of data that can ever be 692 ** stored in "output" 693 ** "input" the input data 694 ** "inputLen" the amount of input data 695 */ 696 697 extern SECStatus RC5_Decrypt(RC5Context *cx, unsigned char *output, 698 unsigned int *outputLen, unsigned int maxOutputLen, 699 const unsigned char *input, unsigned int inputLen); 700 701 /******************************************/ 702 /* 703 ** DES symmetric block cypher 704 */ 705 706 /* 707 ** Create a new DES context suitable for DES encryption/decryption. 708 ** "key" raw key data 709 ** "len" the number of bytes of key data 710 ** "iv" is the CBC initialization vector (if mode is NSS_DES_CBC or 711 ** mode is DES_EDE3_CBC) 712 ** "mode" one of NSS_DES, NSS_DES_CBC, NSS_DES_EDE3 or NSS_DES_EDE3_CBC 713 ** "encrypt" is PR_TRUE if the context will be used for encryption 714 ** 715 ** When mode is set to NSS_DES_CBC or NSS_DES_EDE3_CBC then the DES 716 ** cipher is run in "cipher block chaining" mode. 717 */ 718 extern DESContext *DES_CreateContext(const unsigned char *key, 719 const unsigned char *iv, 720 int mode, PRBool encrypt); 721 extern DESContext *DES_AllocateContext(void); 722 extern SECStatus DES_InitContext(DESContext *cx, 723 const unsigned char *key, 724 unsigned int keylen, 725 const unsigned char *iv, 726 int mode, 727 unsigned int encrypt, 728 unsigned int); 729 730 /* 731 ** Destroy an DES encryption/decryption context. 732 ** "cx" the context 733 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 734 */ 735 extern void DES_DestroyContext(DESContext *cx, PRBool freeit); 736 737 /* 738 ** Perform DES encryption. 739 ** "cx" the context 740 ** "output" the output buffer to store the encrypted data. 741 ** "outputLen" how much data is stored in "output". Set by the routine 742 ** after some data is stored in output. 743 ** "maxOutputLen" the maximum amount of data that can ever be 744 ** stored in "output" 745 ** "input" the input data 746 ** "inputLen" the amount of input data 747 ** 748 ** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH 749 */ 750 extern SECStatus DES_Encrypt(DESContext *cx, unsigned char *output, 751 unsigned int *outputLen, unsigned int maxOutputLen, 752 const unsigned char *input, unsigned int inputLen); 753 754 /* 755 ** Perform DES decryption. 756 ** "cx" the context 757 ** "output" the output buffer to store the decrypted data. 758 ** "outputLen" how much data is stored in "output". Set by the routine 759 ** after some data is stored in output. 760 ** "maxOutputLen" the maximum amount of data that can ever be 761 ** stored in "output" 762 ** "input" the input data 763 ** "inputLen" the amount of input data 764 ** 765 ** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH 766 */ 767 extern SECStatus DES_Decrypt(DESContext *cx, unsigned char *output, 768 unsigned int *outputLen, unsigned int maxOutputLen, 769 const unsigned char *input, unsigned int inputLen); 770 771 /******************************************/ 772 /* 773 ** SEED symmetric block cypher 774 */ 775 extern SEEDContext * 776 SEED_CreateContext(const unsigned char *key, const unsigned char *iv, 777 int mode, PRBool encrypt); 778 extern SEEDContext *SEED_AllocateContext(void); 779 extern SECStatus SEED_InitContext(SEEDContext *cx, 780 const unsigned char *key, 781 unsigned int keylen, 782 const unsigned char *iv, 783 int mode, unsigned int encrypt, 784 unsigned int); 785 extern void SEED_DestroyContext(SEEDContext *cx, PRBool freeit); 786 extern SECStatus 787 SEED_Encrypt(SEEDContext *cx, unsigned char *output, 788 unsigned int *outputLen, unsigned int maxOutputLen, 789 const unsigned char *input, unsigned int inputLen); 790 extern SECStatus 791 SEED_Decrypt(SEEDContext *cx, unsigned char *output, 792 unsigned int *outputLen, unsigned int maxOutputLen, 793 const unsigned char *input, unsigned int inputLen); 794 795 /******************************************/ 796 /* 797 ** AES symmetric block cypher (Rijndael) 798 */ 799 800 /* 801 ** Create a new AES context suitable for AES encryption/decryption. 802 ** "key" raw key data 803 ** "keylen" the number of bytes of key data (16, 24, or 32) 804 ** "blocklen" is the blocksize to use. NOTE: only 16 is supported! 805 */ 806 extern AESContext * 807 AES_CreateContext(const unsigned char *key, const unsigned char *iv, 808 int mode, int encrypt, 809 unsigned int keylen, unsigned int blocklen); 810 extern AESContext *AES_AllocateContext(void); 811 extern SECStatus AES_InitContext(AESContext *cx, 812 const unsigned char *key, 813 unsigned int keylen, 814 const unsigned char *iv, 815 int mode, 816 unsigned int encrypt, 817 unsigned int blocklen); 818 819 /* 820 ** Destroy a AES encryption/decryption context. 821 ** "cx" the context 822 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 823 */ 824 extern void 825 AES_DestroyContext(AESContext *cx, PRBool freeit); 826 827 /* 828 ** Perform AES encryption. 829 ** "cx" the context 830 ** "output" the output buffer to store the encrypted data. 831 ** "outputLen" how much data is stored in "output". Set by the routine 832 ** after some data is stored in output. 833 ** "maxOutputLen" the maximum amount of data that can ever be 834 ** stored in "output" 835 ** "input" the input data 836 ** "inputLen" the amount of input data 837 */ 838 extern SECStatus 839 AES_Encrypt(AESContext *cx, unsigned char *output, 840 unsigned int *outputLen, unsigned int maxOutputLen, 841 const unsigned char *input, unsigned int inputLen); 842 843 /* 844 ** Perform AES decryption. 845 ** "cx" the context 846 ** "output" the output buffer to store the decrypted data. 847 ** "outputLen" how much data is stored in "output". Set by the routine 848 ** after some data is stored in output. 849 ** "maxOutputLen" the maximum amount of data that can ever be 850 ** stored in "output" 851 ** "input" the input data 852 ** "inputLen" the amount of input data 853 */ 854 extern SECStatus 855 AES_Decrypt(AESContext *cx, unsigned char *output, 856 unsigned int *outputLen, unsigned int maxOutputLen, 857 const unsigned char *input, unsigned int inputLen); 858 859 /******************************************/ 860 /* 861 ** AES key wrap algorithm, RFC 3394 862 */ 863 864 /* 865 ** Create a new AES context suitable for AES encryption/decryption. 866 ** "key" raw key data 867 ** "iv" The 8 byte "initial value" 868 ** "encrypt", a boolean, true for key wrapping, false for unwrapping. 869 ** "keylen" the number of bytes of key data (16, 24, or 32) 870 */ 871 extern AESKeyWrapContext * 872 AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, 873 int encrypt, unsigned int keylen); 874 extern AESKeyWrapContext *AESKeyWrap_AllocateContext(void); 875 extern SECStatus 876 AESKeyWrap_InitContext(AESKeyWrapContext *cx, 877 const unsigned char *key, 878 unsigned int keylen, 879 const unsigned char *iv, 880 int, 881 unsigned int encrypt, 882 unsigned int); 883 884 /* 885 ** Destroy a AES KeyWrap context. 886 ** "cx" the context 887 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 888 */ 889 extern void 890 AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit); 891 892 /* 893 ** Perform AES key wrap. 894 ** "cx" the context 895 ** "output" the output buffer to store the encrypted data. 896 ** "outputLen" how much data is stored in "output". Set by the routine 897 ** after some data is stored in output. 898 ** "maxOutputLen" the maximum amount of data that can ever be 899 ** stored in "output" 900 ** "input" the input data 901 ** "inputLen" the amount of input data 902 */ 903 extern SECStatus 904 AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output, 905 unsigned int *outputLen, unsigned int maxOutputLen, 906 const unsigned char *input, unsigned int inputLen); 907 908 /* 909 ** Perform AES key unwrap. 910 ** "cx" the context 911 ** "output" the output buffer to store the decrypted data. 912 ** "outputLen" how much data is stored in "output". Set by the routine 913 ** after some data is stored in output. 914 ** "maxOutputLen" the maximum amount of data that can ever be 915 ** stored in "output" 916 ** "input" the input data 917 ** "inputLen" the amount of input data 918 */ 919 extern SECStatus 920 AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output, 921 unsigned int *outputLen, unsigned int maxOutputLen, 922 const unsigned char *input, unsigned int inputLen); 923 924 /******************************************/ 925 /* 926 ** Camellia symmetric block cypher 927 */ 928 929 /* 930 ** Create a new Camellia context suitable for Camellia encryption/decryption. 931 ** "key" raw key data 932 ** "keylen" the number of bytes of key data (16, 24, or 32) 933 */ 934 extern CamelliaContext * 935 Camellia_CreateContext(const unsigned char *key, const unsigned char *iv, 936 int mode, int encrypt, unsigned int keylen); 937 938 extern CamelliaContext *Camellia_AllocateContext(void); 939 extern SECStatus Camellia_InitContext(CamelliaContext *cx, 940 const unsigned char *key, 941 unsigned int keylen, 942 const unsigned char *iv, 943 int mode, 944 unsigned int encrypt, 945 unsigned int unused); 946 /* 947 ** Destroy a Camellia encryption/decryption context. 948 ** "cx" the context 949 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 950 */ 951 extern void 952 Camellia_DestroyContext(CamelliaContext *cx, PRBool freeit); 953 954 /* 955 ** Perform Camellia encryption. 956 ** "cx" the context 957 ** "output" the output buffer to store the encrypted data. 958 ** "outputLen" how much data is stored in "output". Set by the routine 959 ** after some data is stored in output. 960 ** "maxOutputLen" the maximum amount of data that can ever be 961 ** stored in "output" 962 ** "input" the input data 963 ** "inputLen" the amount of input data 964 */ 965 extern SECStatus 966 Camellia_Encrypt(CamelliaContext *cx, unsigned char *output, 967 unsigned int *outputLen, unsigned int maxOutputLen, 968 const unsigned char *input, unsigned int inputLen); 969 970 /* 971 ** Perform Camellia decryption. 972 ** "cx" the context 973 ** "output" the output buffer to store the decrypted data. 974 ** "outputLen" how much data is stored in "output". Set by the routine 975 ** after some data is stored in output. 976 ** "maxOutputLen" the maximum amount of data that can ever be 977 ** stored in "output" 978 ** "input" the input data 979 ** "inputLen" the amount of input data 980 */ 981 extern SECStatus 982 Camellia_Decrypt(CamelliaContext *cx, unsigned char *output, 983 unsigned int *outputLen, unsigned int maxOutputLen, 984 const unsigned char *input, unsigned int inputLen); 985 986 /******************************************/ 987 /* 988 ** ChaCha20+Poly1305 AEAD 989 */ 990 991 extern SECStatus ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx, 992 const unsigned char *key, 993 unsigned int keyLen, 994 unsigned int tagLen); 995 996 extern ChaCha20Poly1305Context *ChaCha20Poly1305_CreateContext( 997 const unsigned char *key, unsigned int keyLen, unsigned int tagLen); 998 999 extern void ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, 1000 PRBool freeit); 1001 1002 extern SECStatus ChaCha20Poly1305_Seal( 1003 const ChaCha20Poly1305Context *ctx, unsigned char *output, 1004 unsigned int *outputLen, unsigned int maxOutputLen, 1005 const unsigned char *input, unsigned int inputLen, 1006 const unsigned char *nonce, unsigned int nonceLen, 1007 const unsigned char *ad, unsigned int adLen); 1008 1009 extern SECStatus ChaCha20Poly1305_Open( 1010 const ChaCha20Poly1305Context *ctx, unsigned char *output, 1011 unsigned int *outputLen, unsigned int maxOutputLen, 1012 const unsigned char *input, unsigned int inputLen, 1013 const unsigned char *nonce, unsigned int nonceLen, 1014 const unsigned char *ad, unsigned int adLen); 1015 1016 /******************************************/ 1017 /* 1018 ** MD5 secure hash function 1019 */ 1020 1021 /* 1022 ** Hash a null terminated string "src" into "dest" using MD5 1023 */ 1024 extern SECStatus MD5_Hash(unsigned char *dest, const char *src); 1025 1026 /* 1027 ** Hash a non-null terminated string "src" into "dest" using MD5 1028 */ 1029 extern SECStatus MD5_HashBuf(unsigned char *dest, const unsigned char *src, 1030 PRUint32 src_length); 1031 1032 /* 1033 ** Create a new MD5 context 1034 */ 1035 extern MD5Context *MD5_NewContext(void); 1036 1037 /* 1038 ** Destroy an MD5 secure hash context. 1039 ** "cx" the context 1040 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 1041 */ 1042 extern void MD5_DestroyContext(MD5Context *cx, PRBool freeit); 1043 1044 /* 1045 ** Reset an MD5 context, preparing it for a fresh round of hashing 1046 */ 1047 extern void MD5_Begin(MD5Context *cx); 1048 1049 /* 1050 ** Update the MD5 hash function with more data. 1051 ** "cx" the context 1052 ** "input" the data to hash 1053 ** "inputLen" the amount of data to hash 1054 */ 1055 extern void MD5_Update(MD5Context *cx, 1056 const unsigned char *input, unsigned int inputLen); 1057 1058 /* 1059 ** Finish the MD5 hash function. Produce the digested results in "digest" 1060 ** "cx" the context 1061 ** "digest" where the 16 bytes of digest data are stored 1062 ** "digestLen" where the digest length (16) is stored 1063 ** "maxDigestLen" the maximum amount of data that can ever be 1064 ** stored in "digest" 1065 */ 1066 extern void MD5_End(MD5Context *cx, unsigned char *digest, 1067 unsigned int *digestLen, unsigned int maxDigestLen); 1068 1069 /* 1070 ** Export the current state of the MD5 hash without appending the standard 1071 ** padding and length bytes. Produce the digested results in "digest" 1072 ** "cx" the context 1073 ** "digest" where the 16 bytes of digest data are stored 1074 ** "digestLen" where the digest length (16) is stored (optional) 1075 ** "maxDigestLen" the maximum amount of data that can ever be 1076 ** stored in "digest" 1077 */ 1078 extern void MD5_EndRaw(MD5Context *cx, unsigned char *digest, 1079 unsigned int *digestLen, unsigned int maxDigestLen); 1080 1081 /* 1082 * Return the the size of a buffer needed to flatten the MD5 Context into 1083 * "cx" the context 1084 * returns size; 1085 */ 1086 extern unsigned int MD5_FlattenSize(MD5Context *cx); 1087 1088 /* 1089 * Flatten the MD5 Context into a buffer: 1090 * "cx" the context 1091 * "space" the buffer to flatten to 1092 * returns status; 1093 */ 1094 extern SECStatus MD5_Flatten(MD5Context *cx, unsigned char *space); 1095 1096 /* 1097 * Resurrect a flattened context into a MD5 Context 1098 * "space" the buffer of the flattend buffer 1099 * "arg" ptr to void used by cryptographic resurrect 1100 * returns resurected context; 1101 */ 1102 extern MD5Context *MD5_Resurrect(unsigned char *space, void *arg); 1103 extern void MD5_Clone(MD5Context *dest, MD5Context *src); 1104 1105 /* 1106 ** trace the intermediate state info of the MD5 hash. 1107 */ 1108 extern void MD5_TraceState(MD5Context *cx); 1109 1110 /******************************************/ 1111 /* 1112 ** MD2 secure hash function 1113 */ 1114 1115 /* 1116 ** Hash a null terminated string "src" into "dest" using MD2 1117 */ 1118 extern SECStatus MD2_Hash(unsigned char *dest, const char *src); 1119 1120 /* 1121 ** Create a new MD2 context 1122 */ 1123 extern MD2Context *MD2_NewContext(void); 1124 1125 /* 1126 ** Destroy an MD2 secure hash context. 1127 ** "cx" the context 1128 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 1129 */ 1130 extern void MD2_DestroyContext(MD2Context *cx, PRBool freeit); 1131 1132 /* 1133 ** Reset an MD2 context, preparing it for a fresh round of hashing 1134 */ 1135 extern void MD2_Begin(MD2Context *cx); 1136 1137 /* 1138 ** Update the MD2 hash function with more data. 1139 ** "cx" the context 1140 ** "input" the data to hash 1141 ** "inputLen" the amount of data to hash 1142 */ 1143 extern void MD2_Update(MD2Context *cx, 1144 const unsigned char *input, unsigned int inputLen); 1145 1146 /* 1147 ** Finish the MD2 hash function. Produce the digested results in "digest" 1148 ** "cx" the context 1149 ** "digest" where the 16 bytes of digest data are stored 1150 ** "digestLen" where the digest length (16) is stored 1151 ** "maxDigestLen" the maximum amount of data that can ever be 1152 ** stored in "digest" 1153 */ 1154 extern void MD2_End(MD2Context *cx, unsigned char *digest, 1155 unsigned int *digestLen, unsigned int maxDigestLen); 1156 1157 /* 1158 * Return the the size of a buffer needed to flatten the MD2 Context into 1159 * "cx" the context 1160 * returns size; 1161 */ 1162 extern unsigned int MD2_FlattenSize(MD2Context *cx); 1163 1164 /* 1165 * Flatten the MD2 Context into a buffer: 1166 * "cx" the context 1167 * "space" the buffer to flatten to 1168 * returns status; 1169 */ 1170 extern SECStatus MD2_Flatten(MD2Context *cx, unsigned char *space); 1171 1172 /* 1173 * Resurrect a flattened context into a MD2 Context 1174 * "space" the buffer of the flattend buffer 1175 * "arg" ptr to void used by cryptographic resurrect 1176 * returns resurected context; 1177 */ 1178 extern MD2Context *MD2_Resurrect(unsigned char *space, void *arg); 1179 extern void MD2_Clone(MD2Context *dest, MD2Context *src); 1180 1181 /******************************************/ 1182 /* 1183 ** SHA-1 secure hash function 1184 */ 1185 1186 /* 1187 ** Hash a null terminated string "src" into "dest" using SHA-1 1188 */ 1189 extern SECStatus SHA1_Hash(unsigned char *dest, const char *src); 1190 1191 /* 1192 ** Hash a non-null terminated string "src" into "dest" using SHA-1 1193 */ 1194 extern SECStatus SHA1_HashBuf(unsigned char *dest, const unsigned char *src, 1195 PRUint32 src_length); 1196 1197 /* 1198 ** Create a new SHA-1 context 1199 */ 1200 extern SHA1Context *SHA1_NewContext(void); 1201 1202 /* 1203 ** Destroy a SHA-1 secure hash context. 1204 ** "cx" the context 1205 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 1206 */ 1207 extern void SHA1_DestroyContext(SHA1Context *cx, PRBool freeit); 1208 1209 /* 1210 ** Reset a SHA-1 context, preparing it for a fresh round of hashing 1211 */ 1212 extern void SHA1_Begin(SHA1Context *cx); 1213 1214 /* 1215 ** Update the SHA-1 hash function with more data. 1216 ** "cx" the context 1217 ** "input" the data to hash 1218 ** "inputLen" the amount of data to hash 1219 */ 1220 extern void SHA1_Update(SHA1Context *cx, const unsigned char *input, 1221 unsigned int inputLen); 1222 1223 /* 1224 ** Finish the SHA-1 hash function. Produce the digested results in "digest" 1225 ** "cx" the context 1226 ** "digest" where the 16 bytes of digest data are stored 1227 ** "digestLen" where the digest length (20) is stored 1228 ** "maxDigestLen" the maximum amount of data that can ever be 1229 ** stored in "digest" 1230 */ 1231 extern void SHA1_End(SHA1Context *cx, unsigned char *digest, 1232 unsigned int *digestLen, unsigned int maxDigestLen); 1233 1234 /* 1235 ** Export the current state of the SHA-1 hash without appending the standard 1236 ** padding and length bytes. Produce the digested results in "digest" 1237 ** "cx" the context 1238 ** "digest" where the 20 bytes of digest data are stored 1239 ** "digestLen" where the digest length (20) is stored (optional) 1240 ** "maxDigestLen" the maximum amount of data that can ever be 1241 ** stored in "digest" 1242 */ 1243 extern void SHA1_EndRaw(SHA1Context *cx, unsigned char *digest, 1244 unsigned int *digestLen, unsigned int maxDigestLen); 1245 1246 /* 1247 ** trace the intermediate state info of the SHA1 hash. 1248 */ 1249 extern void SHA1_TraceState(SHA1Context *cx); 1250 1251 /* 1252 * Return the the size of a buffer needed to flatten the SHA-1 Context into 1253 * "cx" the context 1254 * returns size; 1255 */ 1256 extern unsigned int SHA1_FlattenSize(SHA1Context *cx); 1257 1258 /* 1259 * Flatten the SHA-1 Context into a buffer: 1260 * "cx" the context 1261 * "space" the buffer to flatten to 1262 * returns status; 1263 */ 1264 extern SECStatus SHA1_Flatten(SHA1Context *cx, unsigned char *space); 1265 1266 /* 1267 * Resurrect a flattened context into a SHA-1 Context 1268 * "space" the buffer of the flattend buffer 1269 * "arg" ptr to void used by cryptographic resurrect 1270 * returns resurected context; 1271 */ 1272 extern SHA1Context *SHA1_Resurrect(unsigned char *space, void *arg); 1273 extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src); 1274 1275 /******************************************/ 1276 1277 extern SHA224Context *SHA224_NewContext(void); 1278 extern void SHA224_DestroyContext(SHA224Context *cx, PRBool freeit); 1279 extern void SHA224_Begin(SHA224Context *cx); 1280 extern void SHA224_Update(SHA224Context *cx, const unsigned char *input, 1281 unsigned int inputLen); 1282 extern void SHA224_End(SHA224Context *cx, unsigned char *digest, 1283 unsigned int *digestLen, unsigned int maxDigestLen); 1284 /* 1285 ** Export the current state of the SHA-224 hash without appending the standard 1286 ** padding and length bytes. Produce the digested results in "digest" 1287 ** "cx" the context 1288 ** "digest" where the 28 bytes of digest data are stored 1289 ** "digestLen" where the digest length (28) is stored (optional) 1290 ** "maxDigestLen" the maximum amount of data that can ever be 1291 ** stored in "digest" 1292 */ 1293 extern void SHA224_EndRaw(SHA224Context *cx, unsigned char *digest, 1294 unsigned int *digestLen, unsigned int maxDigestLen); 1295 extern SECStatus SHA224_HashBuf(unsigned char *dest, const unsigned char *src, 1296 PRUint32 src_length); 1297 extern SECStatus SHA224_Hash(unsigned char *dest, const char *src); 1298 extern void SHA224_TraceState(SHA224Context *cx); 1299 extern unsigned int SHA224_FlattenSize(SHA224Context *cx); 1300 extern SECStatus SHA224_Flatten(SHA224Context *cx, unsigned char *space); 1301 extern SHA224Context *SHA224_Resurrect(unsigned char *space, void *arg); 1302 extern void SHA224_Clone(SHA224Context *dest, SHA224Context *src); 1303 1304 /******************************************/ 1305 1306 extern SHA256Context *SHA256_NewContext(void); 1307 extern void SHA256_DestroyContext(SHA256Context *cx, PRBool freeit); 1308 extern void SHA256_Begin(SHA256Context *cx); 1309 extern void SHA256_Update(SHA256Context *cx, const unsigned char *input, 1310 unsigned int inputLen); 1311 extern void SHA256_End(SHA256Context *cx, unsigned char *digest, 1312 unsigned int *digestLen, unsigned int maxDigestLen); 1313 /* 1314 ** Export the current state of the SHA-256 hash without appending the standard 1315 ** padding and length bytes. Produce the digested results in "digest" 1316 ** "cx" the context 1317 ** "digest" where the 32 bytes of digest data are stored 1318 ** "digestLen" where the digest length (32) is stored (optional) 1319 ** "maxDigestLen" the maximum amount of data that can ever be 1320 ** stored in "digest" 1321 */ 1322 extern void SHA256_EndRaw(SHA256Context *cx, unsigned char *digest, 1323 unsigned int *digestLen, unsigned int maxDigestLen); 1324 extern SECStatus SHA256_HashBuf(unsigned char *dest, const unsigned char *src, 1325 PRUint32 src_length); 1326 extern SECStatus SHA256_Hash(unsigned char *dest, const char *src); 1327 extern void SHA256_TraceState(SHA256Context *cx); 1328 extern unsigned int SHA256_FlattenSize(SHA256Context *cx); 1329 extern SECStatus SHA256_Flatten(SHA256Context *cx, unsigned char *space); 1330 extern SHA256Context *SHA256_Resurrect(unsigned char *space, void *arg); 1331 extern void SHA256_Clone(SHA256Context *dest, SHA256Context *src); 1332 1333 /******************************************/ 1334 1335 extern SHA512Context *SHA512_NewContext(void); 1336 extern void SHA512_DestroyContext(SHA512Context *cx, PRBool freeit); 1337 extern void SHA512_Begin(SHA512Context *cx); 1338 extern void SHA512_Update(SHA512Context *cx, const unsigned char *input, 1339 unsigned int inputLen); 1340 /* 1341 ** Export the current state of the SHA-512 hash without appending the standard 1342 ** padding and length bytes. Produce the digested results in "digest" 1343 ** "cx" the context 1344 ** "digest" where the 64 bytes of digest data are stored 1345 ** "digestLen" where the digest length (64) is stored (optional) 1346 ** "maxDigestLen" the maximum amount of data that can ever be 1347 ** stored in "digest" 1348 */ 1349 extern void SHA512_EndRaw(SHA512Context *cx, unsigned char *digest, 1350 unsigned int *digestLen, unsigned int maxDigestLen); 1351 extern void SHA512_End(SHA512Context *cx, unsigned char *digest, 1352 unsigned int *digestLen, unsigned int maxDigestLen); 1353 extern SECStatus SHA512_HashBuf(unsigned char *dest, const unsigned char *src, 1354 PRUint32 src_length); 1355 extern SECStatus SHA512_Hash(unsigned char *dest, const char *src); 1356 extern void SHA512_TraceState(SHA512Context *cx); 1357 extern unsigned int SHA512_FlattenSize(SHA512Context *cx); 1358 extern SECStatus SHA512_Flatten(SHA512Context *cx, unsigned char *space); 1359 extern SHA512Context *SHA512_Resurrect(unsigned char *space, void *arg); 1360 extern void SHA512_Clone(SHA512Context *dest, SHA512Context *src); 1361 1362 /******************************************/ 1363 1364 extern SHA384Context *SHA384_NewContext(void); 1365 extern void SHA384_DestroyContext(SHA384Context *cx, PRBool freeit); 1366 extern void SHA384_Begin(SHA384Context *cx); 1367 extern void SHA384_Update(SHA384Context *cx, const unsigned char *input, 1368 unsigned int inputLen); 1369 extern void SHA384_End(SHA384Context *cx, unsigned char *digest, 1370 unsigned int *digestLen, unsigned int maxDigestLen); 1371 /* 1372 ** Export the current state of the SHA-384 hash without appending the standard 1373 ** padding and length bytes. Produce the digested results in "digest" 1374 ** "cx" the context 1375 ** "digest" where the 48 bytes of digest data are stored 1376 ** "digestLen" where the digest length (48) is stored (optional) 1377 ** "maxDigestLen" the maximum amount of data that can ever be 1378 ** stored in "digest" 1379 */ 1380 extern void SHA384_EndRaw(SHA384Context *cx, unsigned char *digest, 1381 unsigned int *digestLen, unsigned int maxDigestLen); 1382 extern SECStatus SHA384_HashBuf(unsigned char *dest, const unsigned char *src, 1383 PRUint32 src_length); 1384 extern SECStatus SHA384_Hash(unsigned char *dest, const char *src); 1385 extern void SHA384_TraceState(SHA384Context *cx); 1386 extern unsigned int SHA384_FlattenSize(SHA384Context *cx); 1387 extern SECStatus SHA384_Flatten(SHA384Context *cx, unsigned char *space); 1388 extern SHA384Context *SHA384_Resurrect(unsigned char *space, void *arg); 1389 extern void SHA384_Clone(SHA384Context *dest, SHA384Context *src); 1390 1391 /**************************************** 1392 * implement TLS 1.0 Pseudo Random Function (PRF) and TLS P_hash function 1393 */ 1394 1395 extern SECStatus 1396 TLS_PRF(const SECItem *secret, const char *label, SECItem *seed, 1397 SECItem *result, PRBool isFIPS); 1398 1399 extern SECStatus 1400 TLS_P_hash(HASH_HashType hashAlg, const SECItem *secret, const char *label, 1401 SECItem *seed, SECItem *result, PRBool isFIPS); 1402 1403 /******************************************/ 1404 /* 1405 ** Implements the Blake2b hash function. 1406 */ 1407 1408 /* 1409 ** Hash a null terminated string "src" into "dest" using Blake2b 1410 */ 1411 extern SECStatus BLAKE2B_Hash(unsigned char *dest, const char *src); 1412 1413 /* 1414 ** Hash a non-null terminated string "src" into "dest" using Blake2b 1415 */ 1416 extern SECStatus BLAKE2B_HashBuf(unsigned char *output, 1417 const unsigned char *input, PRUint32 inlen); 1418 1419 extern SECStatus BLAKE2B_MAC_HashBuf(unsigned char *output, 1420 const unsigned char *input, 1421 unsigned int inlen, 1422 const unsigned char *key, 1423 unsigned int keylen); 1424 1425 /* 1426 ** Create a new Blake2b context 1427 */ 1428 extern BLAKE2BContext *BLAKE2B_NewContext(); 1429 1430 /* 1431 ** Destroy a Blake2b secure hash context. 1432 ** "ctx" the context 1433 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 1434 */ 1435 extern void BLAKE2B_DestroyContext(BLAKE2BContext *ctx, PRBool freeit); 1436 1437 /* 1438 ** Reset a Blake2b context, preparing it for a fresh round of hashing 1439 */ 1440 extern SECStatus BLAKE2B_Begin(BLAKE2BContext *ctx); 1441 1442 extern SECStatus BLAKE2B_MAC_Begin(BLAKE2BContext *ctx, const PRUint8 *key, 1443 const size_t keylen); 1444 1445 /* 1446 ** Update the Blake hash function with more data. 1447 */ 1448 extern SECStatus BLAKE2B_Update(BLAKE2BContext *ctx, const unsigned char *in, 1449 unsigned int inlen); 1450 1451 /* 1452 ** Finish the Blake hash function. Produce the digested results in "digest" 1453 */ 1454 extern SECStatus BLAKE2B_End(BLAKE2BContext *ctx, unsigned char *out, 1455 unsigned int *digestLen, size_t maxDigestLen); 1456 1457 /* 1458 * Return the size of a buffer needed to flatten the Blake2b Context into 1459 * "ctx" the context 1460 * returns size; 1461 */ 1462 extern unsigned int BLAKE2B_FlattenSize(BLAKE2BContext *ctx); 1463 1464 /* 1465 * Flatten the Blake2b Context into a buffer: 1466 * "ctx" the context 1467 * "space" the buffer to flatten to 1468 * returns status; 1469 */ 1470 extern SECStatus BLAKE2B_Flatten(BLAKE2BContext *ctx, unsigned char *space); 1471 1472 /* 1473 * Resurrect a flattened context into a Blake2b Context 1474 * "space" the buffer of the flattend buffer 1475 * "arg" ptr to void used by cryptographic resurrect 1476 * returns resurected context 1477 */ 1478 extern BLAKE2BContext *BLAKE2B_Resurrect(unsigned char *space, void *arg); 1479 extern void BLAKE2B_Clone(BLAKE2BContext *dest, BLAKE2BContext *src); 1480 1481 /******************************************/ 1482 /* 1483 ** Pseudo Random Number Generation. FIPS compliance desirable. 1484 */ 1485 1486 /* 1487 ** Initialize the global RNG context and give it some seed input taken 1488 ** from the system. This function is thread-safe and will only allow 1489 ** the global context to be initialized once. The seed input is likely 1490 ** small, so it is imperative that RNG_RandomUpdate() be called with 1491 ** additional seed data before the generator is used. A good way to 1492 ** provide the generator with additional entropy is to call 1493 ** RNG_SystemInfoForRNG(). Note that NSS_Init() does exactly that. 1494 */ 1495 extern SECStatus RNG_RNGInit(void); 1496 1497 /* 1498 ** Update the global random number generator with more seeding 1499 ** material 1500 */ 1501 extern SECStatus RNG_RandomUpdate(const void *data, size_t bytes); 1502 1503 /* 1504 ** Generate some random bytes, using the global random number generator 1505 ** object. 1506 */ 1507 extern SECStatus RNG_GenerateGlobalRandomBytes(void *dest, size_t len); 1508 1509 /* Destroy the global RNG context. After a call to RNG_RNGShutdown() 1510 ** a call to RNG_RNGInit() is required in order to use the generator again, 1511 ** along with seed data (see the comment above RNG_RNGInit()). 1512 */ 1513 extern void RNG_RNGShutdown(void); 1514 1515 extern void RNG_SystemInfoForRNG(void); 1516 1517 /* 1518 * FIPS 186-2 Change Notice 1 RNG Algorithm 1, used both to 1519 * generate the DSA X parameter and as a generic purpose RNG. 1520 * 1521 * The following two FIPS186Change functions are needed for 1522 * NIST RNG Validation System. 1523 */ 1524 1525 /* 1526 * FIPS186Change_GenerateX is now deprecated. It will return SECFailure with 1527 * the error set to PR_NOT_IMPLEMENTED_ERROR. 1528 */ 1529 extern SECStatus 1530 FIPS186Change_GenerateX(unsigned char *XKEY, 1531 const unsigned char *XSEEDj, 1532 unsigned char *x_j); 1533 1534 /* 1535 * When generating the DSA X parameter, we generate 2*GSIZE bytes 1536 * of random output and reduce it mod q. 1537 * 1538 * Input: w, 2*GSIZE bytes 1539 * q, DSA_SUBPRIME_LEN bytes 1540 * Output: xj, DSA_SUBPRIME_LEN bytes 1541 */ 1542 extern SECStatus 1543 FIPS186Change_ReduceModQForDSA(const unsigned char *w, 1544 const unsigned char *q, 1545 unsigned char *xj); 1546 1547 /* To allow NIST KAT tests */ 1548 extern SECStatus 1549 PRNGTEST_Instantiate_Kat(const PRUint8 *entropy, unsigned int entropy_len, 1550 const PRUint8 *nonce, unsigned int nonce_len, 1551 const PRUint8 *personal_string, unsigned int ps_len); 1552 1553 /* 1554 * The following functions are for FIPS poweron self test and FIPS algorithm 1555 * testing. 1556 */ 1557 extern SECStatus 1558 PRNGTEST_Instantiate(const PRUint8 *entropy, unsigned int entropy_len, 1559 const PRUint8 *nonce, unsigned int nonce_len, 1560 const PRUint8 *personal_string, unsigned int ps_len); 1561 1562 extern SECStatus 1563 PRNGTEST_Reseed(const PRUint8 *entropy, unsigned int entropy_len, 1564 const PRUint8 *additional, unsigned int additional_len); 1565 1566 extern SECStatus 1567 PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len, 1568 const PRUint8 *additional, unsigned int additional_len); 1569 1570 extern SECStatus 1571 PRNGTEST_Uninstantiate(void); 1572 1573 extern SECStatus 1574 PRNGTEST_RunHealthTests(void); 1575 1576 /* Generate PQGParams and PQGVerify structs. 1577 * Length of seed and length of h both equal length of P. 1578 * All lengths are specified by "j", according to the table above. 1579 * 1580 * The verify parameters will conform to FIPS186-1. 1581 */ 1582 extern SECStatus 1583 PQG_ParamGen(unsigned int j, /* input : determines length of P. */ 1584 PQGParams **pParams, /* output: P Q and G returned here */ 1585 PQGVerify **pVfy); /* output: counter and seed. */ 1586 1587 /* Generate PQGParams and PQGVerify structs. 1588 * Length of P specified by j. Length of h will match length of P. 1589 * Length of SEED in bytes specified in seedBytes. 1590 * seedBbytes must be in the range [20..255] or an error will result. 1591 * 1592 * The verify parameters will conform to FIPS186-1. 1593 */ 1594 extern SECStatus 1595 PQG_ParamGenSeedLen( 1596 unsigned int j, /* input : determines length of P. */ 1597 unsigned int seedBytes, /* input : length of seed in bytes.*/ 1598 PQGParams **pParams, /* output: P Q and G returned here */ 1599 PQGVerify **pVfy); /* output: counter and seed. */ 1600 1601 /* Generate PQGParams and PQGVerify structs. 1602 * Length of P specified by L in bits. 1603 * Length of Q specified by N in bits. 1604 * Length of SEED in bytes specified in seedBytes. 1605 * seedBbytes must be in the range [N..L*2] or an error will result. 1606 * 1607 * Not that J uses the above table, L is the length exact. L and N must 1608 * match the table below or an error will result: 1609 * 1610 * L N 1611 * 1024 160 1612 * 2048 224 1613 * 2048 256 1614 * 3072 256 1615 * 1616 * If N or seedBytes are set to zero, then PQG_ParamGenSeedLen will 1617 * pick a default value (typically the smallest secure value for these 1618 * variables). 1619 * 1620 * The verify parameters will conform to FIPS186-3 using the smallest 1621 * permissible hash for the key strength. 1622 */ 1623 extern SECStatus 1624 PQG_ParamGenV2( 1625 unsigned int L, /* input : determines length of P. */ 1626 unsigned int N, /* input : determines length of Q. */ 1627 unsigned int seedBytes, /* input : length of seed in bytes.*/ 1628 PQGParams **pParams, /* output: P Q and G returned here */ 1629 PQGVerify **pVfy); /* output: counter and seed. */ 1630 1631 /* Test PQGParams for validity as DSS PQG values. 1632 * If vfy is non-NULL, test PQGParams to make sure they were generated 1633 * using the specified seed, counter, and h values. 1634 * 1635 * Return value indicates whether Verification operation ran successfully 1636 * to completion, but does not indicate if PQGParams are valid or not. 1637 * If return value is SECSuccess, then *pResult has these meanings: 1638 * SECSuccess: PQGParams are valid. 1639 * SECFailure: PQGParams are invalid. 1640 * 1641 * Verify the PQG againts the counter, SEED and h. 1642 * These tests are specified in FIPS 186-3 Appendix A.1.1.1, A.1.1.3, and A.2.2 1643 * PQG_VerifyParams will automatically choose the appropriate test. 1644 */ 1645 1646 extern SECStatus PQG_VerifyParams(const PQGParams *params, 1647 const PQGVerify *vfy, SECStatus *result); 1648 1649 extern void PQG_DestroyParams(PQGParams *params); 1650 1651 extern void PQG_DestroyVerify(PQGVerify *vfy); 1652 1653 /* 1654 * clean-up any global tables freebl may have allocated after it starts up. 1655 * This function is not thread safe and should be called only after the 1656 * library has been quiessed. 1657 */ 1658 extern void BL_Cleanup(void); 1659 1660 /* unload freebl shared library from memory */ 1661 extern void BL_Unload(void); 1662 1663 /************************************************************************** 1664 * Verify a given Shared library signature * 1665 **************************************************************************/ 1666 PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr); 1667 1668 /************************************************************************** 1669 * Verify a given filename's signature * 1670 **************************************************************************/ 1671 PRBool BLAPI_SHVerifyFile(const char *shName); 1672 1673 /************************************************************************** 1674 * Verify Are Own Shared library signature * 1675 **************************************************************************/ 1676 PRBool BLAPI_VerifySelf(const char *name); 1677 1678 /*********************************************************************/ 1679 extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType); 1680 1681 extern void BL_SetForkState(PRBool forked); 1682 1683 /* 1684 ** pepare an ECParam structure from DEREncoded params 1685 */ 1686 extern SECStatus EC_FillParams(PLArenaPool *arena, 1687 const SECItem *encodedParams, ECParams *params); 1688 extern SECStatus EC_DecodeParams(const SECItem *encodedParams, 1689 ECParams **ecparams); 1690 extern SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams, 1691 const ECParams *srcParams); 1692 1693 /* 1694 * use the internal table to get the size in bytes of a single EC point 1695 */ 1696 extern int EC_GetPointSize(const ECParams *params); 1697 1698 SEC_END_PROTOS 1699 1700 #endif /* _BLAPI_H_ */ 1701