1 /*
2  * blapit.h - public data structures for the freebl library
3  *
4  * This Source Code Form is subject to the terms of the Mozilla Public
5  * License, v. 2.0. If a copy of the MPL was not distributed with this
6  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 
8 #ifndef _BLAPIT_H_
9 #define _BLAPIT_H_
10 
11 #include "seccomon.h"
12 #include "prlink.h"
13 #include "plarena.h"
14 #include "ecl-exp.h"
15 
/*
 * Mode selectors for the symmetric ciphers. The numbering restarts at 0 for
 * every cipher, so a value only has meaning together with the cipher whose
 * context it is handed to.
 * NOTE(review): the bare name (value 0) is presumably the un-chained (ECB)
 * mode of each cipher -- confirm against the init functions that consume
 * these values.
 */

/* RC2 */
#define NSS_RC2 0
#define NSS_RC2_CBC 1

/* RC5 */
#define NSS_RC5 0
#define NSS_RC5_CBC 1

/* DES and triple DES (EDE3) */
#define NSS_DES 0
#define NSS_DES_CBC 1
#define NSS_DES_EDE3 2
#define NSS_DES_EDE3_CBC 3

/* Length of one single-DES key. */
#define DES_KEY_LENGTH 8 /* Bytes */

/* AES; GCM is the only authenticated mode in this list */
#define NSS_AES 0
#define NSS_AES_CBC 1
#define NSS_AES_CTS 2
#define NSS_AES_CTR 3
#define NSS_AES_GCM 4

/* Camellia */
#define NSS_CAMELLIA 0
#define NSS_CAMELLIA_CBC 1

/* SEED */
#define NSS_SEED 0
#define NSS_SEED_CBC 1
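/*
 * DSA subprime (q) and signature sizes. A signature length is defined as
 * twice the subprime length. The DSA1_* values are the original fixed sizes;
 * the DSA_MAX_* values are the largest sizes this header allows.
 */
#define DSA1_SUBPRIME_LEN 20                             /* Bytes */
#define DSA1_SIGNATURE_LEN (DSA1_SUBPRIME_LEN * 2)       /* Bytes */
#define DSA_MAX_SUBPRIME_LEN 32                          /* Bytes */
#define DSA_MAX_SIGNATURE_LEN (DSA_MAX_SUBPRIME_LEN * 2) /* Bytes */

/*
 * Mark the old defines as deprecated. This warns code that expected DSA1
 * only that it needs to change if it is to support DSA2.
 *
 * Why it matters: a buffer sized with DSA_SIGNATURE_LEN holds 40 bytes,
 * while a signature may be up to DSA_MAX_SIGNATURE_LEN (64) bytes, so code
 * that keeps the old names is under-sized for the larger subprimes.
 */
#if defined(__GNUC__) && (__GNUC__ > 3)
/* make GCC warn when we use these #defines */
typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
#define DSA_SUBPRIME_LEN ((__BLAPI_DEPRECATED)DSA1_SUBPRIME_LEN)
#define DSA_SIGNATURE_LEN ((__BLAPI_DEPRECATED)DSA1_SIGNATURE_LEN)
#define DSA_Q_BITS ((__BLAPI_DEPRECATED)(DSA1_SUBPRIME_LEN * 8))
#else
#ifdef _WIN32
/* This magic gets the windows compiler to give us a deprecation
 * warning. The list has to spell each macro exactly as it is defined
 * below; it previously named DSA_QBITS, which is not defined anywhere in
 * this header, so uses of DSA_Q_BITS were never reported. */
#pragma deprecated(DSA_SUBPRIME_LEN, DSA_SIGNATURE_LEN, DSA_Q_BITS)
#endif
#define DSA_SUBPRIME_LEN DSA1_SUBPRIME_LEN
#define DSA_SIGNATURE_LEN DSA1_SIGNATURE_LEN
#define DSA_Q_BITS (DSA1_SUBPRIME_LEN * 8)
#endif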
72 
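/* XXX We shouldn't have to hard code this limit. For
 * now, this is the quickest way to support ECDSA signature
 * processing (ECDSA signature lengths depend on curve
 * size). This limit is sufficient for curves up to
 * 576 bits (72 bytes * 8).
 */
#define MAX_ECKEY_LEN 72 /* Bytes */

/* Range of key sizes, in bits, that this header allows for EC keys. */
#define EC_MAX_KEY_BITS 521 /* in bits */
#define EC_MIN_KEY_BITS 256 /* in bits */

/*
 * Keep the hard-coded byte limit and the largest allowed key size in step,
 * in the same way the DSA Q/subprime constants are cross-checked in this
 * header. NOTE(review): presumably fixed-size buffers are dimensioned with
 * MAX_ECKEY_LEN; if so, raising EC_MAX_KEY_BITS alone would under-size
 * them, and this turns that into a build error.
 */
#if (MAX_ECKEY_LEN * 8) < EC_MAX_KEY_BITS
#error "MAX_ECKEY_LEN is too small for EC_MAX_KEY_BITS in blapit.h"
#endif

/*
 * EC point compression format: the values an encoded point can carry to
 * say how its coordinates are represented.
 */
#define EC_POINT_FORM_COMPRESSED_Y0 0x02
#define EC_POINT_FORM_COMPRESSED_Y1 0x03
#define EC_POINT_FORM_UNCOMPRESSED 0x04
#define EC_POINT_FORM_HYBRID_Y0 0x06
#define EC_POINT_FORM_HYBRID_Y1 0x07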
90 
/*
 * Digest size of each hash algorithm, in bytes.
 * HASH_LENGTH_MAX is the largest value in the list (SHA-512 and
 * BLAKE2b-512 are both 64 bytes), so a buffer of that size can hold any
 * digest listed here.
 * NOTE(review): there is no SHA224_LENGTH in this list although
 * SHA224_BLOCK_LENGTH is defined below; presumably it comes from another
 * header -- confirm.
 */
#define MD2_LENGTH 16        /* Bytes */
#define MD5_LENGTH 16        /* Bytes */
#define SHA1_LENGTH 20       /* Bytes */
#define SHA256_LENGTH 32     /* Bytes */
#define SHA384_LENGTH 48     /* Bytes */
#define SHA512_LENGTH 64     /* Bytes */
#define BLAKE2B512_LENGTH 64 /* Bytes */
#define HASH_LENGTH_MAX SHA512_LENGTH

/*
 * Input block size of each hash algorithm, in bytes.
 * HASH_BLOCK_LENGTH_MAX is the largest value in the list (128 bytes).
 */
#define MD2_BLOCK_LENGTH 64      /* Bytes */
#define MD5_BLOCK_LENGTH 64      /* Bytes */
#define SHA1_BLOCK_LENGTH 64     /* Bytes */
#define SHA224_BLOCK_LENGTH 64   /* Bytes */
#define SHA256_BLOCK_LENGTH 64   /* Bytes */
#define SHA384_BLOCK_LENGTH 128  /* Bytes */
#define SHA512_BLOCK_LENGTH 128  /* Bytes */
#define BLAKE2B_BLOCK_LENGTH 128 /* Bytes */
#define HASH_BLOCK_LENGTH_MAX SHA512_BLOCK_LENGTH
116 
/* AES block size; the key-wrap block and its IV are half an AES block. */
#define AES_BLOCK_SIZE 16 /* Bytes */
#define AES_KEY_WRAP_BLOCK_SIZE (AES_BLOCK_SIZE / 2)
#define AES_KEY_WRAP_IV_BYTES AES_KEY_WRAP_BLOCK_SIZE

/* The three AES key sizes. */
#define AES_128_KEY_LENGTH 16 /* Bytes */
#define AES_192_KEY_LENGTH 24 /* Bytes */
#define AES_256_KEY_LENGTH 32 /* Bytes */

/* Camellia block size. */
#define CAMELLIA_BLOCK_SIZE 16 /* Bytes */

/* SEED block and key size. */
#define SEED_BLOCK_SIZE 16 /* Bytes */
#define SEED_KEY_LENGTH 16 /* Bytes */

/* NOTE(review): the unit and the consumer of this value are not visible in
 * this header -- confirm before relying on it. */
#define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048

/* NOTE(review): no unit is given; presumably bytes, like the other
 * BLAKE2b sizes in this header -- confirm. */
#define BLAKE2B_KEY_SIZE 64
133 
/*
 * Key size limits for RSA and Diffie-Hellman, in bits. The values were
 * taken from the initial key size limits of the PKCS #11 module and may be
 * adjusted to any value freebl supports.
 *
 * NOTE(review): these are the bounds the library is willing to process,
 * not strength recommendations. A 128-bit RSA modulus or DH prime gives no
 * meaningful protection, so a caller that needs a security floor has to
 * enforce its own minimum above this layer.
 */
#define RSA_MIN_MODULUS_BITS 128
#define RSA_MAX_MODULUS_BITS 16384
#define RSA_MAX_EXPONENT_BITS 64 /* presumably the public exponent -- confirm */
#define DH_MIN_P_BITS 128
#define DH_MAX_P_BITS 16384
143 
144 /*
145  * The FIPS 186-1 algorithm for generating primes P and Q allows only 9
146  * distinct values for the length of P, and only one value for the
147  * length of Q.
148  * The algorithm uses a variable j to indicate which of the 9 lengths
149  * of P is to be used.
150  * The following table relates j to the lengths of P and Q in bits.
151  *
152  *  j   bits in P   bits in Q
153  *  _   _________   _________
154  *  0    512        160
155  *  1    576        160
156  *  2    640        160
157  *  3    704        160
158  *  4    768        160
159  *  5    832        160
160  *  6    896        160
161  *  7    960        160
162  *  8   1024        160
163  *
164  * The FIPS-186-1 compliant PQG generator takes j as an input parameter.
165  *
166  * FIPS 186-3 algorithm specifies 4 distinct P and Q sizes:
167  *
168  *     bits in P       bits in Q
169  *     _________       _________
170  *      1024           160
171  *      2048           224
172  *      2048           256
173  *      3072           256
174  *
175  * The FIPS-186-3 compliant PQG generator (PQG V2) takes arbitrary p and q
176  * lengths as input and returns an error if they aren't in this list.
177  */
178 
/* Bit lengths of the DSA parameters P and Q that this header allows. */
#define DSA1_Q_BITS 160    /* fixed length of Q for the original DSA */
#define DSA_MAX_P_BITS 3072
#define DSA_MIN_P_BITS 512
#define DSA_MAX_Q_BITS 256
#define DSA_MIN_Q_BITS 160

/*
 * The largest Q is stated twice in this header, once in bits here and once
 * in bytes as DSA_MAX_SUBPRIME_LEN. Stop the build if the two ever
 * disagree, since buffers sized from one would not fit values bounded by
 * the other.
 */
#if DSA_MAX_Q_BITS != (DSA_MAX_SUBPRIME_LEN * 8)
#error "Inconsistent declaration of DSA SUBPRIME/Q parameters in blapit.h"
#endif
188 
/*
 * Map a desired number of bits in P to the FIPS 186-1 index j.
 * Yields 0..8 for a multiple of 64 in the range 512..1024 and -1 for every
 * other value. This is a macro, not a function: `bits` is evaluated more
 * than once, so pass an expression without side effects.
 */
#define PQG_PBITS_TO_INDEX(bits)                           \
    (((bits) >= 512 && (bits) <= 1024 && (bits) % 64 == 0) \
         ? (int)((bits)-512) / 64                          \
         : -1)

/*
 * Map an index j (0-8) back to the number of bits in P, or -1 if the index
 * is invalid. The unsigned cast makes a negative index compare as a large
 * value, so it is rejected by the same test. `j` is evaluated twice for a
 * valid index.
 */
#define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) <= 8) ? (512 + 64 * (j)) : -1)
201 
/*
 * Birthday bound for randomly generated GCM IVs.
 *
 * When a GCM IV is generated from a random number, we need an acceptable
 * iteration count that avoids birthday attacks (randomly generating the
 * same IV twice).
 *
 * We use the approximation n = sqrt(2*m*p) to find an acceptable n given m
 * and p, where
 *       n is the number of iterations,
 *       m is the number of possible random values,
 *       p is the probability of collision (0-1).
 *
 * GCMIV_RANDOM_BIRTHDAY_BITS is the constant number of bits subtracted from
 * the length of the IV (in bits) to get a safe count value (as a log2).
 *
 * Because the calculation is done in bits, take log2 of the whole equation:
 *       log2 n = (1 + (log2 m) + (log2 p)) / 2
 * Since p < 1, log2 p is negative, and the length of the IV in bits is
 * log2 m. Setting GCMIV_RANDOM_BIRTHDAY_BITS = -(log2 p) - 1 gives the safe
 * counter value
 *       n = 2^((ivLenBits - GCMIV_RANDOM_BIRTHDAY_BITS) / 2)
 *
 * If we arbitrarily set p = 10^-18 (1 chance in a billion billion
 * operations) we get
 *       GCMIV_RANDOM_BIRTHDAY_BITS = -(-18)/.301 - 1 = 59   (.301 = log10 2)
 * so the constant should be at least 59; call it a round 64.
 *
 * By this formula a 96-bit random IV allows 2^((96 - 64) / 2) = 2^16 IVs.
 * NOTE: the variable IV size for TLS is 64 bits, which leaves
 * 2^((64 - 64) / 2) = 1 and explains why it is not safe to use a random
 * value for the nonce in TLS.
 */
#define GCMIV_RANDOM_BIRTHDAY_BITS 64
230 
231 /***************************************************************************
232 ** Opaque objects
233 */
234 
/*
 * One opaque context type per algorithm. Only the struct tags are declared
 * in this header, so code that includes it can hold pointers to a context
 * but cannot see or depend on its layout.
 */

/* Symmetric ciphers */
struct DESContextStr;
typedef struct DESContextStr DESContext;
struct RC2ContextStr;
typedef struct RC2ContextStr RC2Context;
struct RC4ContextStr;
typedef struct RC4ContextStr RC4Context;
struct RC5ContextStr;
typedef struct RC5ContextStr RC5Context;
struct AESContextStr;
typedef struct AESContextStr AESContext;
struct CamelliaContextStr;
typedef struct CamelliaContextStr CamelliaContext;
struct AESKeyWrapContextStr;
typedef struct AESKeyWrapContextStr AESKeyWrapContext;
struct SEEDContextStr;
typedef struct SEEDContextStr SEEDContext;
struct ChaCha20Poly1305ContextStr;
typedef struct ChaCha20Poly1305ContextStr ChaCha20Poly1305Context;

/* Hashes */
struct MD2ContextStr;
typedef struct MD2ContextStr MD2Context;
struct MD5ContextStr;
typedef struct MD5ContextStr MD5Context;
struct SHA1ContextStr;
typedef struct SHA1ContextStr SHA1Context;
struct SHA256ContextStr;
typedef struct SHA256ContextStr SHA256Context;
/* SHA224Context is really a SHA256ContextStr.  This is not a mistake. */
typedef struct SHA256ContextStr SHA224Context;
struct SHA512ContextStr;
typedef struct SHA512ContextStr SHA512Context;
/* SHA384Context is really a SHA512ContextStr.  This is not a mistake. */
typedef struct SHA512ContextStr SHA384Context;
struct Blake2bContextStr;
typedef struct Blake2bContextStr BLAKE2BContext;
270 
271 /***************************************************************************
272 ** RSA Public and Private Key structures
273 */
274 
/*
 * RSA public key. Member names from PKCS#1, section 7.1.
 * NOTE(review): the arena presumably owns the storage behind the SECItems
 * -- confirm against the code that creates and destroys the key.
 */
typedef struct RSAPublicKeyStr {
    PLArenaPool *arena;
    SECItem modulus;
    SECItem publicExponent;
} RSAPublicKey;
282 
/*
 * RSA private key. Member names from PKCS#1, section 7.2.
 * Every member from privateExponent onward is secret key material.
 * NOTE(review): the arena presumably owns the storage behind the SECItems;
 * whether that storage is zeroized when the key is destroyed cannot be seen
 * from this header -- confirm in the code that frees the key.
 */
typedef struct RSAPrivateKeyStr {
    PLArenaPool *arena;
    SECItem version;
    SECItem modulus;
    SECItem publicExponent;
    SECItem privateExponent;
    SECItem prime1;
    SECItem prime2;
    SECItem exponent1;
    SECItem exponent2;
    SECItem coefficient;
} RSAPrivateKey;
297 
298 /***************************************************************************
299 ** DSA Public and Private Key and related structures
300 */
301 
/* DSA domain parameters: the prime p, the subprime q and the base g. */
typedef struct PQGParamsStr {
    PLArenaPool *arena;
    SECItem prime;    /* p */
    SECItem subPrime; /* q */
    SECItem base;     /* g */
    /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
} PQGParams;
310 
/*
 * Values kept alongside a set of PQG parameters: a counter, a seed and h.
 * NOTE(review): presumably the generation data that lets the parameters be
 * re-derived and checked -- confirm against the PQG verification code.
 */
typedef struct PQGVerifyStr {
    PLArenaPool *arena; /* includes this struct, seed, & h. */
    unsigned int counter;
    SECItem seed;
    SECItem h;
} PQGVerify;
318 
/* DSA public key: the domain parameters plus the public value. */
typedef struct DSAPublicKeyStr {
    PQGParams params; /* embedded by value, carries its own arena pointer */
    SECItem publicValue;
} DSAPublicKey;
324 
/*
 * DSA private key: the domain parameters, the public value and the private
 * value. privateValue is the secret; the other members are public data.
 */
typedef struct DSAPrivateKeyStr {
    PQGParams params; /* embedded by value, carries its own arena pointer */
    SECItem publicValue;
    SECItem privateValue;
} DSAPrivateKey;
331 
332 /***************************************************************************
333 ** Diffie-Hellman Public and Private Key and related structures
334 ** Structure member names suggested by PKCS#3.
335 */
336 
/* Diffie-Hellman group parameters: the prime p and the base g. */
typedef struct DHParamsStr {
    PLArenaPool *arena;
    SECItem prime; /* p */
    SECItem base;  /* g */
} DHParams;
343 
/*
 * Diffie-Hellman public key. The group parameters are stored as members of
 * the key itself rather than as an embedded DHParams.
 */
typedef struct DHPublicKeyStr {
    PLArenaPool *arena;
    SECItem prime;
    SECItem base;
    SECItem publicValue;
} DHPublicKey;
351 
/*
 * Diffie-Hellman private key: the group parameters, the public value and
 * the private value. privateValue is the secret; the other members are
 * public data.
 */
typedef struct DHPrivateKeyStr {
    PLArenaPool *arena;
    SECItem prime;
    SECItem base;
    SECItem publicValue;
    SECItem privateValue;
} DHPrivateKey;
360 
361 /***************************************************************************
362 ** Data structures used for elliptic curve parameters and
363 ** public and private keys.
364 */
365 
366 /*
367 ** The ECParams data structures can encode elliptic curve
368 ** parameters for both GFp and GF2m curves.
369 */
370 
/*
 * How a set of EC parameters was specified: spelled out explicitly, or
 * referred to by the name of a curve.
 */
typedef enum {
    ec_params_explicit = 0,
    ec_params_named = 1
} ECParamsType;
374 
/*
 * Kind of finite field a curve is defined over. Numbering starts at 1, so
 * a zeroed ECFieldID does not match any of these values.
 * NOTE(review): the meaning of ec_field_plain is not documented in this
 * header -- confirm against the curve code that sets it.
 */
typedef enum {
    ec_field_GFp = 1,  /* prime field */
    ec_field_GF2m = 2, /* binary field */
    ec_field_plain = 3
} ECFieldType;
379 
/*
 * Identifies the finite field of a curve. Which member of the union `u`
 * applies follows from `type`, as the member comments indicate.
 */
typedef struct ECFieldIDStr {
    int size; /* field size in bits */
    ECFieldType type;
    union {
        SECItem prime; /* prime p for (GFp) */
        SECItem poly;  /* irreducible binary polynomial for (GF2m) */
    } u;
    /* first coefficient of pentanomial or the only coefficient of
     * trinomial */
    int k1;
    /* two remaining coefficients of pentanomial */
    int k2;
    int k3;
} ECFieldID;
394 
/* The curve itself: the members a and b, plus a seed. */
typedef struct ECCurveStr {
    /* contains octet stream encoding of field element
     * (X9.62 section 4.3.3) */
    SECItem a;
    SECItem b; /* presumably encoded like a -- confirm */
    SECItem seed;
} ECCurve;
403 
/*
 * Complete set of elliptic curve parameters: how they were specified, the
 * field, the curve, the base point with its order and cofactor, and the
 * encoded and named identification of the curve.
 */
typedef struct ECParamsStr {
    PLArenaPool *arena;
    ECParamsType type; /* explicit or named */
    ECFieldID fieldID;
    ECCurve curve;
    SECItem base;
    SECItem order;
    int cofactor;
    SECItem DEREncoding;
    ECCurveName name;
    SECItem curveOID;
} ECParams;
417 
/*
 * EC public key: the curve parameters and the public point.
 * NOTE(review): presumably the first octet of publicValue is one of the
 * EC_POINT_FORM_* values; nothing in this header checks that the point is
 * well formed or on the curve, so confirm where that validation happens.
 */
typedef struct ECPublicKeyStr {
    ECParams ecParams;
    /* elliptic curve point encoded as octet stream. */
    SECItem publicValue;
} ECPublicKey;
425 
/*
 * EC private key: the curve parameters, the public point, the private
 * scalar and a version field. privateValue is the secret; the other
 * members are public data.
 */
typedef struct ECPrivateKeyStr {
    ECParams ecParams;
    SECItem publicValue;  /* encoded ec point */
    SECItem privateValue; /* private big integer */
    SECItem version;      /* As per SEC 1, Appendix C, Section C.4 */
} ECPrivateKey;
433 
/*
 * Function pointer types for handling a context through an untyped
 * pointer. The context is passed as void *, so the compiler cannot check
 * that a context is paired with functions of the same algorithm; the
 * caller has to keep them matched.
 */

/* Returns a new context as an untyped pointer. */
typedef void *(*BLapiAllocateFunc)(void);

/* Tears down the context cx. NOTE(review): freeit presumably selects
 * whether the context memory itself is released -- confirm. */
typedef void (*BLapiDestroyContextFunc)(void *cx, PRBool freeit);

/*
 * Initializes the context cx with a key of keylen units.
 * NOTE(review): the last four parameters are unnamed in this header; their
 * meaning is set by each algorithm's init function -- confirm there rather
 * than assuming a common layout.
 */
typedef SECStatus (*BLapiInitContextFunc)(
    void *cx,
    const unsigned char *key,
    unsigned int keylen,
    const unsigned char *,
    int,
    unsigned int,
    unsigned int);

/*
 * Processes inputLen units of input into output. maxOutputLen is the
 * capacity of the output buffer and outputLen is an out-parameter;
 * NOTE(review): presumably it receives the amount written -- confirm.
 */
typedef SECStatus (*BLapiEncrypt)(
    void *cx,
    unsigned char *output,
    unsigned int *outputLen,
    unsigned int maxOutputLen,
    const unsigned char *input,
    unsigned int inputLen);
448 
449 #endif /* _BLAPIT_H_ */
450