1 /* 2 * blapi.h - public prototypes for the freebl library 3 * 4 * This Source Code Form is subject to the terms of the Mozilla Public 5 * License, v. 2.0. If a copy of the MPL was not distributed with this 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 7 8 #ifndef _BLAPI_H_ 9 #define _BLAPI_H_ 10 11 #include "blapit.h" 12 #include "hasht.h" 13 #include "cmac.h" 14 #include "alghmac.h" 15 16 SEC_BEGIN_PROTOS 17 18 /* 19 ** RSA encryption/decryption. When encrypting/decrypting the output 20 ** buffer must be at least the size of the public key modulus. 21 */ 22 23 extern SECStatus BL_Init(void); 24 25 /* 26 ** Generate and return a new RSA public and private key. 27 ** Both keys are encoded in a single RSAPrivateKey structure. 28 ** "cx" is the random number generator context 29 ** "keySizeInBits" is the size of the key to be generated, in bits. 30 ** 512, 1024, etc. 31 ** "publicExponent" when not NULL is a pointer to some data that 32 ** represents the public exponent to use. The data is a byte 33 ** encoded integer, in "big endian" order. 34 */ 35 extern RSAPrivateKey *RSA_NewKey(int keySizeInBits, 36 SECItem *publicExponent); 37 38 /* 39 ** Perform a raw public-key operation 40 ** Length of input and output buffers are equal to key's modulus len. 41 */ 42 extern SECStatus RSA_PublicKeyOp(RSAPublicKey *key, 43 unsigned char *output, 44 const unsigned char *input); 45 46 /* 47 ** Perform a raw private-key operation 48 ** Length of input and output buffers are equal to key's modulus len. 49 */ 50 extern SECStatus RSA_PrivateKeyOp(RSAPrivateKey *key, 51 unsigned char *output, 52 const unsigned char *input); 53 54 /* 55 ** Perform a raw private-key operation, and check the parameters used in 56 ** the operation for validity by performing a test operation first. 57 ** Length of input and output buffers are equal to key's modulus len. 58 */ 59 extern SECStatus RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key, 60 unsigned char *output, 61 const unsigned char *input); 62 63 /* 64 ** Perform a check of private key parameters for consistency. 65 */ 66 extern SECStatus RSA_PrivateKeyCheck(const RSAPrivateKey *key); 67 68 /* 69 ** Given only minimal private key parameters, fill in the rest of the 70 ** parameters. 71 ** 72 ** 73 ** All the entries, including those supplied by the caller, will be 74 ** overwritten with data alocated out of the arena. 75 ** 76 ** If no arena is supplied, one will be created. 77 ** 78 ** The following fields must be supplied in order for this function 79 ** to succeed: 80 ** one of either publicExponent or privateExponent 81 ** two more of the following 5 parameters (not counting the above). 82 ** modulus (n) 83 ** prime1 (p) 84 ** prime2 (q) 85 ** publicExponent (e) 86 ** privateExponent (d) 87 ** 88 ** NOTE: if only the publicExponent, privateExponent, and one prime is given, 89 ** then there may be more than one RSA key that matches that combination. If 90 ** we find 2 possible valid keys that meet this criteria, we return an error. 91 ** If we return the wrong key, and the original modulus is compared to the 92 ** new modulus, both can be factored by calculateing gcd(n_old,n_new) to get 93 ** the common prime. 94 ** 95 ** NOTE: in some cases the publicExponent must be less than 2^23 for this 96 ** function to work correctly. (The case where we have only one of: modulus 97 ** prime1 and prime2). 98 ** 99 ** All parameters will be replaced in the key structure with new parameters 100 ** allocated out of the arena. There is no attempt to free the old structures. 101 ** prime1 will always be greater than prime2 (even if the caller supplies the 102 ** smaller prime as prime1 or the larger prime as prime2). The parameters are 103 ** not overwritten on failure. 104 ** 105 ** While the remaining Chinese remainder theorem parameters (dp,dp, and qinv) 106 ** can also be used in reconstructing the private key, they are currently 107 ** ignored in this implementation. 108 */ 109 extern SECStatus RSA_PopulatePrivateKey(RSAPrivateKey *key); 110 111 /******************************************************************** 112 ** RSA algorithm 113 */ 114 115 /******************************************************************** 116 ** Raw signing/encryption/decryption operations. 117 ** 118 ** No padding or formatting will be applied. 119 ** inputLen MUST be equivalent to the modulus size (in bytes). 120 */ 121 extern SECStatus 122 RSA_SignRaw(RSAPrivateKey *key, 123 unsigned char *output, 124 unsigned int *outputLen, 125 unsigned int maxOutputLen, 126 const unsigned char *input, 127 unsigned int inputLen); 128 129 extern SECStatus 130 RSA_CheckSignRaw(RSAPublicKey *key, 131 const unsigned char *sig, 132 unsigned int sigLen, 133 const unsigned char *hash, 134 unsigned int hashLen); 135 136 extern SECStatus 137 RSA_CheckSignRecoverRaw(RSAPublicKey *key, 138 unsigned char *data, 139 unsigned int *dataLen, 140 unsigned int maxDataLen, 141 const unsigned char *sig, 142 unsigned int sigLen); 143 144 extern SECStatus 145 RSA_EncryptRaw(RSAPublicKey *key, 146 unsigned char *output, 147 unsigned int *outputLen, 148 unsigned int maxOutputLen, 149 const unsigned char *input, 150 unsigned int inputLen); 151 152 extern SECStatus 153 RSA_DecryptRaw(RSAPrivateKey *key, 154 unsigned char *output, 155 unsigned int *outputLen, 156 unsigned int maxOutputLen, 157 const unsigned char *input, 158 unsigned int inputLen); 159 160 /******************************************************************** 161 ** RSAES-OAEP encryption/decryption, as defined in RFC 3447, Section 7.1. 162 ** 163 ** Note: Only MGF1 is supported as the mask generation function. It will be 164 ** used with maskHashAlg as the inner hash function. 165 ** 166 ** Unless performing Known Answer Tests, "seed" should be NULL, indicating that 167 ** freebl should generate a random value. Otherwise, it should be an octet 168 ** string of seedLen bytes, which should be the same size as the output of 169 ** hashAlg. 170 */ 171 extern SECStatus 172 RSA_EncryptOAEP(RSAPublicKey *key, 173 HASH_HashType hashAlg, 174 HASH_HashType maskHashAlg, 175 const unsigned char *label, 176 unsigned int labelLen, 177 const unsigned char *seed, 178 unsigned int seedLen, 179 unsigned char *output, 180 unsigned int *outputLen, 181 unsigned int maxOutputLen, 182 const unsigned char *input, 183 unsigned int inputLen); 184 185 extern SECStatus 186 RSA_DecryptOAEP(RSAPrivateKey *key, 187 HASH_HashType hashAlg, 188 HASH_HashType maskHashAlg, 189 const unsigned char *label, 190 unsigned int labelLen, 191 unsigned char *output, 192 unsigned int *outputLen, 193 unsigned int maxOutputLen, 194 const unsigned char *input, 195 unsigned int inputLen); 196 197 /******************************************************************** 198 ** RSAES-PKCS1-v1_5 encryption/decryption, as defined in RFC 3447, Section 7.2. 199 */ 200 extern SECStatus 201 RSA_EncryptBlock(RSAPublicKey *key, 202 unsigned char *output, 203 unsigned int *outputLen, 204 unsigned int maxOutputLen, 205 const unsigned char *input, 206 unsigned int inputLen); 207 208 extern SECStatus 209 RSA_DecryptBlock(RSAPrivateKey *key, 210 unsigned char *output, 211 unsigned int *outputLen, 212 unsigned int maxOutputLen, 213 const unsigned char *input, 214 unsigned int inputLen); 215 216 /******************************************************************** 217 ** RSASSA-PSS signing/verifying, as defined in RFC 3447, Section 8.1. 218 ** 219 ** Note: Only MGF1 is supported as the mask generation function. It will be 220 ** used with maskHashAlg as the inner hash function. 221 ** 222 ** Unless performing Known Answer Tests, "salt" should be NULL, indicating that 223 ** freebl should generate a random value. 224 */ 225 extern SECStatus 226 RSA_SignPSS(RSAPrivateKey *key, 227 HASH_HashType hashAlg, 228 HASH_HashType maskHashAlg, 229 const unsigned char *salt, 230 unsigned int saltLen, 231 unsigned char *output, 232 unsigned int *outputLen, 233 unsigned int maxOutputLen, 234 const unsigned char *input, 235 unsigned int inputLen); 236 237 extern SECStatus 238 RSA_CheckSignPSS(RSAPublicKey *key, 239 HASH_HashType hashAlg, 240 HASH_HashType maskHashAlg, 241 unsigned int saltLen, 242 const unsigned char *sig, 243 unsigned int sigLen, 244 const unsigned char *hash, 245 unsigned int hashLen); 246 247 /******************************************************************** 248 ** RSASSA-PKCS1-v1_5 signing/verifying, as defined in RFC 3447, Section 8.2. 249 ** 250 ** These functions expect as input to be the raw value to be signed. For most 251 ** cases using PKCS1-v1_5, this should be the value of T, the DER-encoded 252 ** DigestInfo structure defined in Section 9.2, Step 2. 253 ** Note: This can also be used for signatures that use PKCS1-v1_5 padding, such 254 ** as the signatures used in SSL/TLS, which sign a raw hash. 255 */ 256 extern SECStatus 257 RSA_Sign(RSAPrivateKey *key, 258 unsigned char *output, 259 unsigned int *outputLen, 260 unsigned int maxOutputLen, 261 const unsigned char *data, 262 unsigned int dataLen); 263 264 extern SECStatus 265 RSA_CheckSign(RSAPublicKey *key, 266 const unsigned char *sig, 267 unsigned int sigLen, 268 const unsigned char *data, 269 unsigned int dataLen); 270 271 extern SECStatus 272 RSA_CheckSignRecover(RSAPublicKey *key, 273 unsigned char *output, 274 unsigned int *outputLen, 275 unsigned int maxOutputLen, 276 const unsigned char *sig, 277 unsigned int sigLen); 278 279 /******************************************************************** 280 ** DSA signing algorithm 281 */ 282 283 /* Generate a new random value within the interval [2, q-1]. 284 */ 285 extern SECStatus DSA_NewRandom(PLArenaPool *arena, const SECItem *q, 286 SECItem *random); 287 288 /* 289 ** Generate and return a new DSA public and private key pair, 290 ** both of which are encoded into a single DSAPrivateKey struct. 291 ** "params" is a pointer to the PQG parameters for the domain 292 ** Uses a random seed. 293 */ 294 extern SECStatus DSA_NewKey(const PQGParams *params, 295 DSAPrivateKey **privKey); 296 297 /* signature is caller-supplied buffer of at least 20 bytes. 298 ** On input, signature->len == size of buffer to hold signature. 299 ** digest->len == size of digest. 300 ** On output, signature->len == size of signature in buffer. 301 ** Uses a random seed. 302 */ 303 extern SECStatus DSA_SignDigest(DSAPrivateKey *key, 304 SECItem *signature, 305 const SECItem *digest); 306 307 /* signature is caller-supplied buffer of at least 20 bytes. 308 ** On input, signature->len == size of buffer to hold signature. 309 ** digest->len == size of digest. 310 */ 311 extern SECStatus DSA_VerifyDigest(DSAPublicKey *key, 312 const SECItem *signature, 313 const SECItem *digest); 314 315 /* For FIPS compliance testing. Seed must be exactly 20 bytes long */ 316 extern SECStatus DSA_NewKeyFromSeed(const PQGParams *params, 317 const unsigned char *seed, 318 DSAPrivateKey **privKey); 319 320 /* For FIPS compliance testing. Seed must be exactly 20 bytes. */ 321 extern SECStatus DSA_SignDigestWithSeed(DSAPrivateKey *key, 322 SECItem *signature, 323 const SECItem *digest, 324 const unsigned char *seed); 325 326 /****************************************************** 327 ** Diffie Helman key exchange algorithm 328 */ 329 330 /* Generates parameters for Diffie-Helman key generation. 331 ** primeLen is the length in bytes of prime P to be generated. 332 */ 333 extern SECStatus DH_GenParam(int primeLen, DHParams **params); 334 335 /* Generates a public and private key, both of which are encoded in a single 336 ** DHPrivateKey struct. Params is input, privKey are output. 337 ** This is Phase 1 of Diffie Hellman. 338 */ 339 extern SECStatus DH_NewKey(DHParams *params, 340 DHPrivateKey **privKey); 341 342 /* 343 ** DH_Derive does the Diffie-Hellman phase 2 calculation, using the 344 ** other party's publicValue, and the prime and our privateValue. 345 ** maxOutBytes is the requested length of the generated secret in bytes. 346 ** A zero value means produce a value of any length up to the size of 347 ** the prime. If successful, derivedSecret->data is set 348 ** to the address of the newly allocated buffer containing the derived 349 ** secret, and derivedSecret->len is the size of the secret produced. 350 ** The size of the secret produced will depend on the value of outBytes. 351 ** If outBytes is 0, the key length will be all the significant bytes of 352 ** the derived secret (leading zeros are dropped). This length could be less 353 ** than the length of the prime. If outBytes is nonzero, the length of the 354 ** produced key will be outBytes long. If the key is truncated, the most 355 ** significant bytes are truncated. If it is expanded, zero bytes are added 356 ** at the beginning. 357 ** It is the caller's responsibility to free the allocated buffer 358 ** containing the derived secret. 359 */ 360 extern SECStatus DH_Derive(SECItem *publicValue, 361 SECItem *prime, 362 SECItem *privateValue, 363 SECItem *derivedSecret, 364 unsigned int outBytes); 365 366 /* 367 ** KEA_CalcKey returns octet string with the private key for a dual 368 ** Diffie-Helman key generation as specified for government key exchange. 369 */ 370 extern SECStatus KEA_Derive(SECItem *prime, 371 SECItem *public1, 372 SECItem *public2, 373 SECItem *private1, 374 SECItem *private2, 375 SECItem *derivedSecret); 376 377 /* 378 * verify that a KEA or DSA public key is a valid key for this prime and 379 * subprime domain. 380 */ 381 extern PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime); 382 383 /* verify a value is prime */ 384 PRBool KEA_PrimeCheck(SECItem *prime); 385 386 /**************************************** 387 * J-PAKE key transport 388 */ 389 390 /* Given gx == g^x, create a Schnorr zero-knowledge proof for the value x 391 * using the specified hash algorithm and signer ID. The signature is 392 * returned in the values gv and r. testRandom must be NULL for a PRNG 393 * generated random committment to be used in the sigature. When testRandom 394 * is non-NULL, that value must contain a value in the subgroup q; that 395 * value will be used instead of a PRNG-generated committment in order to 396 * facilitate known-answer tests. 397 * 398 * If gxIn is non-NULL then it must contain a pre-computed value of g^x that 399 * will be used by the function; in this case, the gxOut parameter must be NULL. 400 * If the gxIn parameter is NULL then gxOut must be non-NULL; in this case 401 * gxOut will contain the value g^x on output. 402 * 403 * gx (if not supplied by the caller), gv, and r will be allocated in the arena. 404 * The arena is *not* optional so do not pass NULL for the arena parameter. 405 * The arena should be zeroed when it is freed. 406 */ 407 SECStatus 408 JPAKE_Sign(PLArenaPool *arena, const PQGParams *pqg, HASH_HashType hashType, 409 const SECItem *signerID, const SECItem *x, 410 const SECItem *testRandom, const SECItem *gxIn, SECItem *gxOut, 411 SECItem *gv, SECItem *r); 412 413 /* Given gx == g^x, verify the Schnorr zero-knowledge proof (gv, r) for the 414 * value x using the specified hash algorithm and signer ID. 415 * 416 * The arena is *not* optional so do not pass NULL for the arena parameter. 417 */ 418 SECStatus 419 JPAKE_Verify(PLArenaPool *arena, const PQGParams *pqg, 420 HASH_HashType hashType, const SECItem *signerID, 421 const SECItem *peerID, const SECItem *gx, 422 const SECItem *gv, const SECItem *r); 423 424 /* Call before round 2 with x2, s, and x2s all non-NULL. This will calculate 425 * base = g^(x1+x3+x4) (mod p) and x2s = x2*s (mod q). The values to send in 426 * round 2 (A and the proof of knowledge of x2s) can then be calculated with 427 * JPAKE_Sign using pqg->base = base and x = x2s. 428 * 429 * Call after round 2 with x2, s, and x2s all NULL, and passing (gx1, gx2, gx3) 430 * instead of (gx1, gx3, gx4). This will calculate base = g^(x1+x2+x3). Then call 431 * JPAKE_Verify with pqg->base = base and then JPAKE_Final. 432 * 433 * base and x2s will be allocated in the arena. The arena is *not* optional so 434 * do not pass NULL for the arena parameter. The arena should be zeroed when it 435 * is freed. 436 */ 437 SECStatus 438 JPAKE_Round2(PLArenaPool *arena, const SECItem *p, const SECItem *q, 439 const SECItem *gx1, const SECItem *gx3, const SECItem *gx4, 440 SECItem *base, const SECItem *x2, const SECItem *s, SECItem *x2s); 441 442 /* K = (B/g^(x2*x4*s))^x2 (mod p) 443 * 444 * K will be allocated in the arena. The arena is *not* optional so do not pass 445 * NULL for the arena parameter. The arena should be zeroed when it is freed. 446 */ 447 SECStatus 448 JPAKE_Final(PLArenaPool *arena, const SECItem *p, const SECItem *q, 449 const SECItem *x2, const SECItem *gx4, const SECItem *x2s, 450 const SECItem *B, SECItem *K); 451 452 /****************************************************** 453 ** Elliptic Curve algorithms 454 */ 455 456 /* Generates a public and private key, both of which are encoded 457 ** in a single ECPrivateKey struct. Params is input, privKey are 458 ** output. 459 */ 460 extern SECStatus EC_NewKey(ECParams *params, 461 ECPrivateKey **privKey); 462 463 extern SECStatus EC_NewKeyFromSeed(ECParams *params, 464 ECPrivateKey **privKey, 465 const unsigned char *seed, 466 int seedlen); 467 468 /* Validates an EC public key as described in Section 5.2.2 of 469 * X9.62. Such validation prevents against small subgroup attacks 470 * when the ECDH primitive is used with the cofactor. 471 */ 472 extern SECStatus EC_ValidatePublicKey(ECParams *params, 473 SECItem *publicValue); 474 475 /* 476 ** ECDH_Derive performs a scalar point multiplication of a point 477 ** representing a (peer's) public key and a large integer representing 478 ** a private key (its own). Both keys must use the same elliptic curve 479 ** parameters. If the withCofactor parameter is true, the 480 ** multiplication also uses the cofactor associated with the curve 481 ** parameters. The output of this scheme is the x-coordinate of the 482 ** resulting point. If successful, derivedSecret->data is set to the 483 ** address of the newly allocated buffer containing the derived 484 ** secret, and derivedSecret->len is the size of the secret 485 ** produced. It is the caller's responsibility to free the allocated 486 ** buffer containing the derived secret. 487 */ 488 extern SECStatus ECDH_Derive(SECItem *publicValue, 489 ECParams *params, 490 SECItem *privateValue, 491 PRBool withCofactor, 492 SECItem *derivedSecret); 493 494 /* On input, signature->len == size of buffer to hold signature. 495 ** digest->len == size of digest. 496 ** On output, signature->len == size of signature in buffer. 497 ** Uses a random seed. 498 */ 499 extern SECStatus ECDSA_SignDigest(ECPrivateKey *key, 500 SECItem *signature, 501 const SECItem *digest); 502 503 /* On input, signature->len == size of buffer to hold signature. 504 ** digest->len == size of digest. 505 */ 506 extern SECStatus ECDSA_VerifyDigest(ECPublicKey *key, 507 const SECItem *signature, 508 const SECItem *digest); 509 510 /* Uses the provided seed. */ 511 extern SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey *key, 512 SECItem *signature, 513 const SECItem *digest, 514 const unsigned char *seed, 515 const int seedlen); 516 517 /******************************************/ 518 /* 519 ** RC4 symmetric stream cypher 520 */ 521 522 /* 523 ** Create a new RC4 context suitable for RC4 encryption/decryption. 524 ** "key" raw key data 525 ** "len" the number of bytes of key data 526 */ 527 extern RC4Context *RC4_CreateContext(const unsigned char *key, int len); 528 529 extern RC4Context *RC4_AllocateContext(void); 530 extern SECStatus RC4_InitContext(RC4Context *cx, 531 const unsigned char *key, 532 unsigned int keylen, 533 const unsigned char *, 534 int, 535 unsigned int, 536 unsigned int); 537 538 /* 539 ** Destroy an RC4 encryption/decryption context. 540 ** "cx" the context 541 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 542 */ 543 extern void RC4_DestroyContext(RC4Context *cx, PRBool freeit); 544 545 /* 546 ** Perform RC4 encryption. 547 ** "cx" the context 548 ** "output" the output buffer to store the encrypted data. 549 ** "outputLen" how much data is stored in "output". Set by the routine 550 ** after some data is stored in output. 551 ** "maxOutputLen" the maximum amount of data that can ever be 552 ** stored in "output" 553 ** "input" the input data 554 ** "inputLen" the amount of input data 555 */ 556 extern SECStatus RC4_Encrypt(RC4Context *cx, unsigned char *output, 557 unsigned int *outputLen, unsigned int maxOutputLen, 558 const unsigned char *input, unsigned int inputLen); 559 560 /* 561 ** Perform RC4 decryption. 562 ** "cx" the context 563 ** "output" the output buffer to store the decrypted data. 564 ** "outputLen" how much data is stored in "output". Set by the routine 565 ** after some data is stored in output. 566 ** "maxOutputLen" the maximum amount of data that can ever be 567 ** stored in "output" 568 ** "input" the input data 569 ** "inputLen" the amount of input data 570 */ 571 extern SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output, 572 unsigned int *outputLen, unsigned int maxOutputLen, 573 const unsigned char *input, unsigned int inputLen); 574 575 /******************************************/ 576 /* 577 ** RC2 symmetric block cypher 578 */ 579 580 /* 581 ** Create a new RC2 context suitable for RC2 encryption/decryption. 582 ** "key" raw key data 583 ** "len" the number of bytes of key data 584 ** "iv" is the CBC initialization vector (if mode is NSS_RC2_CBC) 585 ** "mode" one of NSS_RC2 or NSS_RC2_CBC 586 ** "effectiveKeyLen" is the effective key length (as specified in 587 ** RFC 2268) in bytes (not bits). 588 ** 589 ** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block 590 ** chaining" mode. 591 */ 592 extern RC2Context *RC2_CreateContext(const unsigned char *key, unsigned int len, 593 const unsigned char *iv, int mode, 594 unsigned effectiveKeyLen); 595 extern RC2Context *RC2_AllocateContext(void); 596 extern SECStatus RC2_InitContext(RC2Context *cx, 597 const unsigned char *key, 598 unsigned int keylen, 599 const unsigned char *iv, 600 int mode, 601 unsigned int effectiveKeyLen, 602 unsigned int); 603 604 /* 605 ** Destroy an RC2 encryption/decryption context. 606 ** "cx" the context 607 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 608 */ 609 extern void RC2_DestroyContext(RC2Context *cx, PRBool freeit); 610 611 /* 612 ** Perform RC2 encryption. 613 ** "cx" the context 614 ** "output" the output buffer to store the encrypted data. 615 ** "outputLen" how much data is stored in "output". Set by the routine 616 ** after some data is stored in output. 617 ** "maxOutputLen" the maximum amount of data that can ever be 618 ** stored in "output" 619 ** "input" the input data 620 ** "inputLen" the amount of input data 621 */ 622 extern SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output, 623 unsigned int *outputLen, unsigned int maxOutputLen, 624 const unsigned char *input, unsigned int inputLen); 625 626 /* 627 ** Perform RC2 decryption. 628 ** "cx" the context 629 ** "output" the output buffer to store the decrypted data. 630 ** "outputLen" how much data is stored in "output". Set by the routine 631 ** after some data is stored in output. 632 ** "maxOutputLen" the maximum amount of data that can ever be 633 ** stored in "output" 634 ** "input" the input data 635 ** "inputLen" the amount of input data 636 */ 637 extern SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output, 638 unsigned int *outputLen, unsigned int maxOutputLen, 639 const unsigned char *input, unsigned int inputLen); 640 641 /******************************************/ 642 /* 643 ** RC5 symmetric block cypher -- 64-bit block size 644 */ 645 646 /* 647 ** Create a new RC5 context suitable for RC5 encryption/decryption. 648 ** "key" raw key data 649 ** "len" the number of bytes of key data 650 ** "iv" is the CBC initialization vector (if mode is NSS_RC5_CBC) 651 ** "mode" one of NSS_RC5 or NSS_RC5_CBC 652 ** 653 ** When mode is set to NSS_RC5_CBC the RC5 cipher is run in "cipher block 654 ** chaining" mode. 655 */ 656 extern RC5Context *RC5_CreateContext(const SECItem *key, unsigned int rounds, 657 unsigned int wordSize, const unsigned char *iv, int mode); 658 extern RC5Context *RC5_AllocateContext(void); 659 extern SECStatus RC5_InitContext(RC5Context *cx, 660 const unsigned char *key, 661 unsigned int keylen, 662 const unsigned char *iv, 663 int mode, 664 unsigned int rounds, 665 unsigned int wordSize); 666 667 /* 668 ** Destroy an RC5 encryption/decryption context. 669 ** "cx" the context 670 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 671 */ 672 extern void RC5_DestroyContext(RC5Context *cx, PRBool freeit); 673 674 /* 675 ** Perform RC5 encryption. 676 ** "cx" the context 677 ** "output" the output buffer to store the encrypted data. 678 ** "outputLen" how much data is stored in "output". Set by the routine 679 ** after some data is stored in output. 680 ** "maxOutputLen" the maximum amount of data that can ever be 681 ** stored in "output" 682 ** "input" the input data 683 ** "inputLen" the amount of input data 684 */ 685 extern SECStatus RC5_Encrypt(RC5Context *cx, unsigned char *output, 686 unsigned int *outputLen, unsigned int maxOutputLen, 687 const unsigned char *input, unsigned int inputLen); 688 689 /* 690 ** Perform RC5 decryption. 691 ** "cx" the context 692 ** "output" the output buffer to store the decrypted data. 693 ** "outputLen" how much data is stored in "output". Set by the routine 694 ** after some data is stored in output. 695 ** "maxOutputLen" the maximum amount of data that can ever be 696 ** stored in "output" 697 ** "input" the input data 698 ** "inputLen" the amount of input data 699 */ 700 701 extern SECStatus RC5_Decrypt(RC5Context *cx, unsigned char *output, 702 unsigned int *outputLen, unsigned int maxOutputLen, 703 const unsigned char *input, unsigned int inputLen); 704 705 /******************************************/ 706 /* 707 ** DES symmetric block cypher 708 */ 709 710 /* 711 ** Create a new DES context suitable for DES encryption/decryption. 712 ** "key" raw key data 713 ** "len" the number of bytes of key data 714 ** "iv" is the CBC initialization vector (if mode is NSS_DES_CBC or 715 ** mode is DES_EDE3_CBC) 716 ** "mode" one of NSS_DES, NSS_DES_CBC, NSS_DES_EDE3 or NSS_DES_EDE3_CBC 717 ** "encrypt" is PR_TRUE if the context will be used for encryption 718 ** 719 ** When mode is set to NSS_DES_CBC or NSS_DES_EDE3_CBC then the DES 720 ** cipher is run in "cipher block chaining" mode. 721 */ 722 extern DESContext *DES_CreateContext(const unsigned char *key, 723 const unsigned char *iv, 724 int mode, PRBool encrypt); 725 extern DESContext *DES_AllocateContext(void); 726 extern SECStatus DES_InitContext(DESContext *cx, 727 const unsigned char *key, 728 unsigned int keylen, 729 const unsigned char *iv, 730 int mode, 731 unsigned int encrypt, 732 unsigned int); 733 734 /* 735 ** Destroy an DES encryption/decryption context. 736 ** "cx" the context 737 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 738 */ 739 extern void DES_DestroyContext(DESContext *cx, PRBool freeit); 740 741 /* 742 ** Perform DES encryption. 743 ** "cx" the context 744 ** "output" the output buffer to store the encrypted data. 745 ** "outputLen" how much data is stored in "output". Set by the routine 746 ** after some data is stored in output. 747 ** "maxOutputLen" the maximum amount of data that can ever be 748 ** stored in "output" 749 ** "input" the input data 750 ** "inputLen" the amount of input data 751 ** 752 ** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH 753 */ 754 extern SECStatus DES_Encrypt(DESContext *cx, unsigned char *output, 755 unsigned int *outputLen, unsigned int maxOutputLen, 756 const unsigned char *input, unsigned int inputLen); 757 758 /* 759 ** Perform DES decryption. 760 ** "cx" the context 761 ** "output" the output buffer to store the decrypted data. 762 ** "outputLen" how much data is stored in "output". Set by the routine 763 ** after some data is stored in output. 764 ** "maxOutputLen" the maximum amount of data that can ever be 765 ** stored in "output" 766 ** "input" the input data 767 ** "inputLen" the amount of input data 768 ** 769 ** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH 770 */ 771 extern SECStatus DES_Decrypt(DESContext *cx, unsigned char *output, 772 unsigned int *outputLen, unsigned int maxOutputLen, 773 const unsigned char *input, unsigned int inputLen); 774 775 /******************************************/ 776 /* 777 ** SEED symmetric block cypher 778 */ 779 extern SEEDContext * 780 SEED_CreateContext(const unsigned char *key, const unsigned char *iv, 781 int mode, PRBool encrypt); 782 extern SEEDContext *SEED_AllocateContext(void); 783 extern SECStatus SEED_InitContext(SEEDContext *cx, 784 const unsigned char *key, 785 unsigned int keylen, 786 const unsigned char *iv, 787 int mode, unsigned int encrypt, 788 unsigned int); 789 extern void SEED_DestroyContext(SEEDContext *cx, PRBool freeit); 790 extern SECStatus 791 SEED_Encrypt(SEEDContext *cx, unsigned char *output, 792 unsigned int *outputLen, unsigned int maxOutputLen, 793 const unsigned char *input, unsigned int inputLen); 794 extern SECStatus 795 SEED_Decrypt(SEEDContext *cx, unsigned char *output, 796 unsigned int *outputLen, unsigned int maxOutputLen, 797 const unsigned char *input, unsigned int inputLen); 798 799 /******************************************/ 800 /* 801 ** AES symmetric block cypher (Rijndael) 802 */ 803 804 /* 805 ** Create a new AES context suitable for AES encryption/decryption. 806 ** "key" raw key data 807 ** "keylen" the number of bytes of key data (16, 24, or 32) 808 ** "blocklen" is the blocksize to use. NOTE: only 16 is supported! 809 */ 810 extern AESContext * 811 AES_CreateContext(const unsigned char *key, const unsigned char *iv, 812 int mode, int encrypt, 813 unsigned int keylen, unsigned int blocklen); 814 extern AESContext *AES_AllocateContext(void); 815 extern SECStatus AES_InitContext(AESContext *cx, 816 const unsigned char *key, 817 unsigned int keylen, 818 const unsigned char *iv, 819 int mode, 820 unsigned int encrypt, 821 unsigned int blocklen); 822 823 /* 824 ** Destroy a AES encryption/decryption context. 825 ** "cx" the context 826 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 827 */ 828 extern void 829 AES_DestroyContext(AESContext *cx, PRBool freeit); 830 831 /* 832 ** Perform AES encryption. 833 ** "cx" the context 834 ** "output" the output buffer to store the encrypted data. 835 ** "outputLen" how much data is stored in "output". Set by the routine 836 ** after some data is stored in output. 837 ** "maxOutputLen" the maximum amount of data that can ever be 838 ** stored in "output" 839 ** "input" the input data 840 ** "inputLen" the amount of input data 841 */ 842 extern SECStatus 843 AES_Encrypt(AESContext *cx, unsigned char *output, 844 unsigned int *outputLen, unsigned int maxOutputLen, 845 const unsigned char *input, unsigned int inputLen); 846 847 /* 848 ** Perform AES decryption. 849 ** "cx" the context 850 ** "output" the output buffer to store the decrypted data. 851 ** "outputLen" how much data is stored in "output". Set by the routine 852 ** after some data is stored in output. 853 ** "maxOutputLen" the maximum amount of data that can ever be 854 ** stored in "output" 855 ** "input" the input data 856 ** "inputLen" the amount of input data 857 */ 858 extern SECStatus 859 AES_Decrypt(AESContext *cx, unsigned char *output, 860 unsigned int *outputLen, unsigned int maxOutputLen, 861 const unsigned char *input, unsigned int inputLen); 862 /* 863 ** Perform AES AEAD operation (either encrypt or decrypt), controlled by 864 ** the context. 865 ** "cx" the context 866 ** "output" the output buffer to store the encrypted data. 867 ** "outputLen" how much data is stored in "output". Set by the routine 868 ** after some data is stored in output. 869 ** "maxOutputLen" the maximum amount of data that can ever be 870 ** stored in "output" 871 ** "input" the input data 872 ** "inputLen" the amount of input data 873 ** "params" pointer to an AEAD specific param PKCS #11 param structure 874 ** "paramsLen" length of the param structure pointed to by params 875 ** "aad" addition authenticated data 876 ** "aadLen" the amount of additional authenticated data. 877 */ 878 extern SECStatus 879 AES_AEAD(AESContext *cx, unsigned char *output, 880 unsigned int *outputLen, unsigned int maxOutputLen, 881 const unsigned char *input, unsigned int inputLen, 882 void *params, unsigned int paramsLen, 883 const unsigned char *aad, unsigned int aadLen); 884 885 /******************************************/ 886 /* 887 ** AES key wrap algorithm, RFC 3394 888 */ 889 890 /* 891 ** Create a new AES context suitable for AES encryption/decryption. 892 ** "key" raw key data 893 ** "iv" The 8 byte "initial value" 894 ** "encrypt", a boolean, true for key wrapping, false for unwrapping. 895 ** "keylen" the number of bytes of key data (16, 24, or 32) 896 */ 897 extern AESKeyWrapContext * 898 AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, 899 int encrypt, unsigned int keylen); 900 extern AESKeyWrapContext *AESKeyWrap_AllocateContext(void); 901 extern SECStatus 902 AESKeyWrap_InitContext(AESKeyWrapContext *cx, 903 const unsigned char *key, 904 unsigned int keylen, 905 const unsigned char *iv, 906 int, 907 unsigned int encrypt, 908 unsigned int); 909 910 /* 911 ** Destroy a AES KeyWrap context. 912 ** "cx" the context 913 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 914 */ 915 extern void 916 AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit); 917 918 /* 919 ** Perform AES key wrap. 920 ** "cx" the context 921 ** "output" the output buffer to store the encrypted data. 922 ** "outputLen" how much data is stored in "output". Set by the routine 923 ** after some data is stored in output. 924 ** "maxOutputLen" the maximum amount of data that can ever be 925 ** stored in "output" 926 ** "input" the input data 927 ** "inputLen" the amount of input data 928 */ 929 extern SECStatus 930 AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output, 931 unsigned int *outputLen, unsigned int maxOutputLen, 932 const unsigned char *input, unsigned int inputLen); 933 934 /* 935 ** Perform AES key unwrap. 936 ** "cx" the context 937 ** "output" the output buffer to store the decrypted data. 938 ** "outputLen" how much data is stored in "output". Set by the routine 939 ** after some data is stored in output. 940 ** "maxOutputLen" the maximum amount of data that can ever be 941 ** stored in "output" 942 ** "input" the input data 943 ** "inputLen" the amount of input data 944 */ 945 extern SECStatus 946 AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output, 947 unsigned int *outputLen, unsigned int maxOutputLen, 948 const unsigned char *input, unsigned int inputLen); 949 950 /* 951 ** Perform AES padded key wrap. 952 ** "cx" the context 953 ** "output" the output buffer to store the encrypted data. 954 ** "outputLen" how much data is stored in "output". Set by the routine 955 ** after some data is stored in output. 956 ** "maxOutputLen" the maximum amount of data that can ever be 957 ** stored in "output" 958 ** "input" the input data 959 ** "inputLen" the amount of input data 960 */ 961 extern SECStatus 962 AESKeyWrap_EncryptKWP(AESKeyWrapContext *cx, unsigned char *output, 963 unsigned int *outputLen, unsigned int maxOutputLen, 964 const unsigned char *input, unsigned int inputLen); 965 966 /* 967 ** Perform AES padded key unwrap. 968 ** "cx" the context 969 ** "output" the output buffer to store the decrypted data. 970 ** "outputLen" how much data is stored in "output". Set by the routine 971 ** after some data is stored in output. 972 ** "maxOutputLen" the maximum amount of data that can ever be 973 ** stored in "output" 974 ** "input" the input data 975 ** "inputLen" the amount of input data 976 */ 977 extern SECStatus 978 AESKeyWrap_DecryptKWP(AESKeyWrapContext *cx, unsigned char *output, 979 unsigned int *outputLen, unsigned int maxOutputLen, 980 const unsigned char *input, unsigned int inputLen); 981 982 /******************************************/ 983 /* 984 ** Camellia symmetric block cypher 985 */ 986 987 /* 988 ** Create a new Camellia context suitable for Camellia encryption/decryption. 989 ** "key" raw key data 990 ** "keylen" the number of bytes of key data (16, 24, or 32) 991 */ 992 extern CamelliaContext * 993 Camellia_CreateContext(const unsigned char *key, const unsigned char *iv, 994 int mode, int encrypt, unsigned int keylen); 995 996 extern CamelliaContext *Camellia_AllocateContext(void); 997 extern SECStatus Camellia_InitContext(CamelliaContext *cx, 998 const unsigned char *key, 999 unsigned int keylen, 1000 const unsigned char *iv, 1001 int mode, 1002 unsigned int encrypt, 1003 unsigned int unused); 1004 /* 1005 ** Destroy a Camellia encryption/decryption context. 1006 ** "cx" the context 1007 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 1008 */ 1009 extern void 1010 Camellia_DestroyContext(CamelliaContext *cx, PRBool freeit); 1011 1012 /* 1013 ** Perform Camellia encryption. 1014 ** "cx" the context 1015 ** "output" the output buffer to store the encrypted data. 1016 ** "outputLen" how much data is stored in "output". Set by the routine 1017 ** after some data is stored in output. 1018 ** "maxOutputLen" the maximum amount of data that can ever be 1019 ** stored in "output" 1020 ** "input" the input data 1021 ** "inputLen" the amount of input data 1022 */ 1023 extern SECStatus 1024 Camellia_Encrypt(CamelliaContext *cx, unsigned char *output, 1025 unsigned int *outputLen, unsigned int maxOutputLen, 1026 const unsigned char *input, unsigned int inputLen); 1027 1028 /* 1029 ** Perform Camellia decryption. 1030 ** "cx" the context 1031 ** "output" the output buffer to store the decrypted data. 1032 ** "outputLen" how much data is stored in "output". Set by the routine 1033 ** after some data is stored in output. 1034 ** "maxOutputLen" the maximum amount of data that can ever be 1035 ** stored in "output" 1036 ** "input" the input data 1037 ** "inputLen" the amount of input data 1038 */ 1039 extern SECStatus 1040 Camellia_Decrypt(CamelliaContext *cx, unsigned char *output, 1041 unsigned int *outputLen, unsigned int maxOutputLen, 1042 const unsigned char *input, unsigned int inputLen); 1043 1044 /******************************************/ 1045 /* 1046 ** ChaCha20 block cipher 1047 */ 1048 1049 extern SECStatus ChaCha20_InitContext(ChaCha20Context *ctx, 1050 const unsigned char *key, 1051 unsigned int keyLen, 1052 const unsigned char *nonce, 1053 unsigned int nonceLen, 1054 PRUint32 ctr); 1055 1056 extern ChaCha20Context *ChaCha20_CreateContext(const unsigned char *key, 1057 unsigned int keyLen, 1058 const unsigned char *nonce, 1059 unsigned int nonceLen, 1060 PRUint32 ctr); 1061 1062 extern void ChaCha20_DestroyContext(ChaCha20Context *ctx, PRBool freeit); 1063 1064 /******************************************/ 1065 /* 1066 ** ChaCha20+Poly1305 AEAD 1067 */ 1068 1069 extern SECStatus ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx, 1070 const unsigned char *key, 1071 unsigned int keyLen, 1072 unsigned int tagLen); 1073 1074 extern ChaCha20Poly1305Context *ChaCha20Poly1305_CreateContext( 1075 const unsigned char *key, unsigned int keyLen, unsigned int tagLen); 1076 1077 extern void ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, 1078 PRBool freeit); 1079 1080 extern SECStatus ChaCha20Poly1305_Seal( 1081 const ChaCha20Poly1305Context *ctx, unsigned char *output, 1082 unsigned int *outputLen, unsigned int maxOutputLen, 1083 const unsigned char *input, unsigned int inputLen, 1084 const unsigned char *nonce, unsigned int nonceLen, 1085 const unsigned char *ad, unsigned int adLen); 1086 1087 extern SECStatus ChaCha20Poly1305_Open( 1088 const ChaCha20Poly1305Context *ctx, unsigned char *output, 1089 unsigned int *outputLen, unsigned int maxOutputLen, 1090 const unsigned char *input, unsigned int inputLen, 1091 const unsigned char *nonce, unsigned int nonceLen, 1092 const unsigned char *ad, unsigned int adLen); 1093 1094 extern SECStatus ChaCha20Poly1305_Encrypt( 1095 const ChaCha20Poly1305Context *ctx, unsigned char *output, 1096 unsigned int *outputLen, unsigned int maxOutputLen, 1097 const unsigned char *input, unsigned int inputLen, 1098 const unsigned char *nonce, unsigned int nonceLen, 1099 const unsigned char *ad, unsigned int adLen, unsigned char *tagOut); 1100 1101 extern SECStatus ChaCha20Poly1305_Decrypt( 1102 const ChaCha20Poly1305Context *ctx, unsigned char *output, 1103 unsigned int *outputLen, unsigned int maxOutputLen, 1104 const unsigned char *input, unsigned int inputLen, 1105 const unsigned char *nonce, unsigned int nonceLen, 1106 const unsigned char *ad, unsigned int adLen, unsigned char *tagIn); 1107 1108 extern SECStatus ChaCha20_Xor( 1109 unsigned char *output, const unsigned char *block, unsigned int len, 1110 const unsigned char *k, const unsigned char *nonce, PRUint32 ctr); 1111 1112 /******************************************/ 1113 /* 1114 ** MD5 secure hash function 1115 */ 1116 1117 /* 1118 ** Hash a null terminated string "src" into "dest" using MD5 1119 */ 1120 extern SECStatus MD5_Hash(unsigned char *dest, const char *src); 1121 1122 /* 1123 ** Hash a non-null terminated string "src" into "dest" using MD5 1124 */ 1125 extern SECStatus MD5_HashBuf(unsigned char *dest, const unsigned char *src, 1126 PRUint32 src_length); 1127 1128 /* 1129 ** Create a new MD5 context 1130 */ 1131 extern MD5Context *MD5_NewContext(void); 1132 1133 /* 1134 ** Destroy an MD5 secure hash context. 1135 ** "cx" the context 1136 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 1137 */ 1138 extern void MD5_DestroyContext(MD5Context *cx, PRBool freeit); 1139 1140 /* 1141 ** Reset an MD5 context, preparing it for a fresh round of hashing 1142 */ 1143 extern void MD5_Begin(MD5Context *cx); 1144 1145 /* 1146 ** Update the MD5 hash function with more data. 1147 ** "cx" the context 1148 ** "input" the data to hash 1149 ** "inputLen" the amount of data to hash 1150 */ 1151 extern void MD5_Update(MD5Context *cx, 1152 const unsigned char *input, unsigned int inputLen); 1153 1154 /* 1155 ** Finish the MD5 hash function. Produce the digested results in "digest" 1156 ** "cx" the context 1157 ** "digest" where the 16 bytes of digest data are stored 1158 ** "digestLen" where the digest length (16) is stored 1159 ** "maxDigestLen" the maximum amount of data that can ever be 1160 ** stored in "digest" 1161 */ 1162 extern void MD5_End(MD5Context *cx, unsigned char *digest, 1163 unsigned int *digestLen, unsigned int maxDigestLen); 1164 1165 /* 1166 ** Export the current state of the MD5 hash without appending the standard 1167 ** padding and length bytes. Produce the digested results in "digest" 1168 ** "cx" the context 1169 ** "digest" where the 16 bytes of digest data are stored 1170 ** "digestLen" where the digest length (16) is stored (optional) 1171 ** "maxDigestLen" the maximum amount of data that can ever be 1172 ** stored in "digest" 1173 */ 1174 extern void MD5_EndRaw(MD5Context *cx, unsigned char *digest, 1175 unsigned int *digestLen, unsigned int maxDigestLen); 1176 1177 /* 1178 * Return the the size of a buffer needed to flatten the MD5 Context into 1179 * "cx" the context 1180 * returns size; 1181 */ 1182 extern unsigned int MD5_FlattenSize(MD5Context *cx); 1183 1184 /* 1185 * Flatten the MD5 Context into a buffer: 1186 * "cx" the context 1187 * "space" the buffer to flatten to 1188 * returns status; 1189 */ 1190 extern SECStatus MD5_Flatten(MD5Context *cx, unsigned char *space); 1191 1192 /* 1193 * Resurrect a flattened context into a MD5 Context 1194 * "space" the buffer of the flattend buffer 1195 * "arg" ptr to void used by cryptographic resurrect 1196 * returns resurected context; 1197 */ 1198 extern MD5Context *MD5_Resurrect(unsigned char *space, void *arg); 1199 extern void MD5_Clone(MD5Context *dest, MD5Context *src); 1200 1201 /* 1202 ** trace the intermediate state info of the MD5 hash. 1203 */ 1204 extern void MD5_TraceState(MD5Context *cx); 1205 1206 /******************************************/ 1207 /* 1208 ** MD2 secure hash function 1209 */ 1210 1211 /* 1212 ** Hash a null terminated string "src" into "dest" using MD2 1213 */ 1214 extern SECStatus MD2_Hash(unsigned char *dest, const char *src); 1215 1216 /* 1217 ** Create a new MD2 context 1218 */ 1219 extern MD2Context *MD2_NewContext(void); 1220 1221 /* 1222 ** Destroy an MD2 secure hash context. 1223 ** "cx" the context 1224 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 1225 */ 1226 extern void MD2_DestroyContext(MD2Context *cx, PRBool freeit); 1227 1228 /* 1229 ** Reset an MD2 context, preparing it for a fresh round of hashing 1230 */ 1231 extern void MD2_Begin(MD2Context *cx); 1232 1233 /* 1234 ** Update the MD2 hash function with more data. 1235 ** "cx" the context 1236 ** "input" the data to hash 1237 ** "inputLen" the amount of data to hash 1238 */ 1239 extern void MD2_Update(MD2Context *cx, 1240 const unsigned char *input, unsigned int inputLen); 1241 1242 /* 1243 ** Finish the MD2 hash function. Produce the digested results in "digest" 1244 ** "cx" the context 1245 ** "digest" where the 16 bytes of digest data are stored 1246 ** "digestLen" where the digest length (16) is stored 1247 ** "maxDigestLen" the maximum amount of data that can ever be 1248 ** stored in "digest" 1249 */ 1250 extern void MD2_End(MD2Context *cx, unsigned char *digest, 1251 unsigned int *digestLen, unsigned int maxDigestLen); 1252 1253 /* 1254 * Return the the size of a buffer needed to flatten the MD2 Context into 1255 * "cx" the context 1256 * returns size; 1257 */ 1258 extern unsigned int MD2_FlattenSize(MD2Context *cx); 1259 1260 /* 1261 * Flatten the MD2 Context into a buffer: 1262 * "cx" the context 1263 * "space" the buffer to flatten to 1264 * returns status; 1265 */ 1266 extern SECStatus MD2_Flatten(MD2Context *cx, unsigned char *space); 1267 1268 /* 1269 * Resurrect a flattened context into a MD2 Context 1270 * "space" the buffer of the flattend buffer 1271 * "arg" ptr to void used by cryptographic resurrect 1272 * returns resurected context; 1273 */ 1274 extern MD2Context *MD2_Resurrect(unsigned char *space, void *arg); 1275 extern void MD2_Clone(MD2Context *dest, MD2Context *src); 1276 1277 /******************************************/ 1278 /* 1279 ** SHA-1 secure hash function 1280 */ 1281 1282 /* 1283 ** Hash a null terminated string "src" into "dest" using SHA-1 1284 */ 1285 extern SECStatus SHA1_Hash(unsigned char *dest, const char *src); 1286 1287 /* 1288 ** Hash a non-null terminated string "src" into "dest" using SHA-1 1289 */ 1290 extern SECStatus SHA1_HashBuf(unsigned char *dest, const unsigned char *src, 1291 PRUint32 src_length); 1292 1293 /* 1294 ** Create a new SHA-1 context 1295 */ 1296 extern SHA1Context *SHA1_NewContext(void); 1297 1298 /* 1299 ** Destroy a SHA-1 secure hash context. 1300 ** "cx" the context 1301 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 1302 */ 1303 extern void SHA1_DestroyContext(SHA1Context *cx, PRBool freeit); 1304 1305 /* 1306 ** Reset a SHA-1 context, preparing it for a fresh round of hashing 1307 */ 1308 extern void SHA1_Begin(SHA1Context *cx); 1309 1310 /* 1311 ** Update the SHA-1 hash function with more data. 1312 ** "cx" the context 1313 ** "input" the data to hash 1314 ** "inputLen" the amount of data to hash 1315 */ 1316 extern void SHA1_Update(SHA1Context *cx, const unsigned char *input, 1317 unsigned int inputLen); 1318 1319 /* 1320 ** Finish the SHA-1 hash function. Produce the digested results in "digest" 1321 ** "cx" the context 1322 ** "digest" where the 16 bytes of digest data are stored 1323 ** "digestLen" where the digest length (20) is stored 1324 ** "maxDigestLen" the maximum amount of data that can ever be 1325 ** stored in "digest" 1326 */ 1327 extern void SHA1_End(SHA1Context *cx, unsigned char *digest, 1328 unsigned int *digestLen, unsigned int maxDigestLen); 1329 1330 /* 1331 ** Export the current state of the SHA-1 hash without appending the standard 1332 ** padding and length bytes. Produce the digested results in "digest" 1333 ** "cx" the context 1334 ** "digest" where the 20 bytes of digest data are stored 1335 ** "digestLen" where the digest length (20) is stored (optional) 1336 ** "maxDigestLen" the maximum amount of data that can ever be 1337 ** stored in "digest" 1338 */ 1339 extern void SHA1_EndRaw(SHA1Context *cx, unsigned char *digest, 1340 unsigned int *digestLen, unsigned int maxDigestLen); 1341 1342 /* 1343 ** trace the intermediate state info of the SHA1 hash. 1344 */ 1345 extern void SHA1_TraceState(SHA1Context *cx); 1346 1347 /* 1348 * Return the the size of a buffer needed to flatten the SHA-1 Context into 1349 * "cx" the context 1350 * returns size; 1351 */ 1352 extern unsigned int SHA1_FlattenSize(SHA1Context *cx); 1353 1354 /* 1355 * Flatten the SHA-1 Context into a buffer: 1356 * "cx" the context 1357 * "space" the buffer to flatten to 1358 * returns status; 1359 */ 1360 extern SECStatus SHA1_Flatten(SHA1Context *cx, unsigned char *space); 1361 1362 /* 1363 * Resurrect a flattened context into a SHA-1 Context 1364 * "space" the buffer of the flattend buffer 1365 * "arg" ptr to void used by cryptographic resurrect 1366 * returns resurected context; 1367 */ 1368 extern SHA1Context *SHA1_Resurrect(unsigned char *space, void *arg); 1369 extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src); 1370 1371 /******************************************/ 1372 1373 extern SHA224Context *SHA224_NewContext(void); 1374 extern void SHA224_DestroyContext(SHA224Context *cx, PRBool freeit); 1375 extern void SHA224_Begin(SHA224Context *cx); 1376 extern void SHA224_Update(SHA224Context *cx, const unsigned char *input, 1377 unsigned int inputLen); 1378 extern void SHA224_End(SHA224Context *cx, unsigned char *digest, 1379 unsigned int *digestLen, unsigned int maxDigestLen); 1380 /* 1381 ** Export the current state of the SHA-224 hash without appending the standard 1382 ** padding and length bytes. Produce the digested results in "digest" 1383 ** "cx" the context 1384 ** "digest" where the 28 bytes of digest data are stored 1385 ** "digestLen" where the digest length (28) is stored (optional) 1386 ** "maxDigestLen" the maximum amount of data that can ever be 1387 ** stored in "digest" 1388 */ 1389 extern void SHA224_EndRaw(SHA224Context *cx, unsigned char *digest, 1390 unsigned int *digestLen, unsigned int maxDigestLen); 1391 extern SECStatus SHA224_HashBuf(unsigned char *dest, const unsigned char *src, 1392 PRUint32 src_length); 1393 extern SECStatus SHA224_Hash(unsigned char *dest, const char *src); 1394 extern void SHA224_TraceState(SHA224Context *cx); 1395 extern unsigned int SHA224_FlattenSize(SHA224Context *cx); 1396 extern SECStatus SHA224_Flatten(SHA224Context *cx, unsigned char *space); 1397 extern SHA224Context *SHA224_Resurrect(unsigned char *space, void *arg); 1398 extern void SHA224_Clone(SHA224Context *dest, SHA224Context *src); 1399 1400 /******************************************/ 1401 1402 extern SHA256Context *SHA256_NewContext(void); 1403 extern void SHA256_DestroyContext(SHA256Context *cx, PRBool freeit); 1404 extern void SHA256_Begin(SHA256Context *cx); 1405 extern void SHA256_Update(SHA256Context *cx, const unsigned char *input, 1406 unsigned int inputLen); 1407 extern void SHA256_End(SHA256Context *cx, unsigned char *digest, 1408 unsigned int *digestLen, unsigned int maxDigestLen); 1409 /* 1410 ** Export the current state of the SHA-256 hash without appending the standard 1411 ** padding and length bytes. Produce the digested results in "digest" 1412 ** "cx" the context 1413 ** "digest" where the 32 bytes of digest data are stored 1414 ** "digestLen" where the digest length (32) is stored (optional) 1415 ** "maxDigestLen" the maximum amount of data that can ever be 1416 ** stored in "digest" 1417 */ 1418 extern void SHA256_EndRaw(SHA256Context *cx, unsigned char *digest, 1419 unsigned int *digestLen, unsigned int maxDigestLen); 1420 extern SECStatus SHA256_HashBuf(unsigned char *dest, const unsigned char *src, 1421 PRUint32 src_length); 1422 extern SECStatus SHA256_Hash(unsigned char *dest, const char *src); 1423 extern void SHA256_TraceState(SHA256Context *cx); 1424 extern unsigned int SHA256_FlattenSize(SHA256Context *cx); 1425 extern SECStatus SHA256_Flatten(SHA256Context *cx, unsigned char *space); 1426 extern SHA256Context *SHA256_Resurrect(unsigned char *space, void *arg); 1427 extern void SHA256_Clone(SHA256Context *dest, SHA256Context *src); 1428 1429 /******************************************/ 1430 1431 extern SHA512Context *SHA512_NewContext(void); 1432 extern void SHA512_DestroyContext(SHA512Context *cx, PRBool freeit); 1433 extern void SHA512_Begin(SHA512Context *cx); 1434 extern void SHA512_Update(SHA512Context *cx, const unsigned char *input, 1435 unsigned int inputLen); 1436 /* 1437 ** Export the current state of the SHA-512 hash without appending the standard 1438 ** padding and length bytes. Produce the digested results in "digest" 1439 ** "cx" the context 1440 ** "digest" where the 64 bytes of digest data are stored 1441 ** "digestLen" where the digest length (64) is stored (optional) 1442 ** "maxDigestLen" the maximum amount of data that can ever be 1443 ** stored in "digest" 1444 */ 1445 extern void SHA512_EndRaw(SHA512Context *cx, unsigned char *digest, 1446 unsigned int *digestLen, unsigned int maxDigestLen); 1447 extern void SHA512_End(SHA512Context *cx, unsigned char *digest, 1448 unsigned int *digestLen, unsigned int maxDigestLen); 1449 extern SECStatus SHA512_HashBuf(unsigned char *dest, const unsigned char *src, 1450 PRUint32 src_length); 1451 extern SECStatus SHA512_Hash(unsigned char *dest, const char *src); 1452 extern void SHA512_TraceState(SHA512Context *cx); 1453 extern unsigned int SHA512_FlattenSize(SHA512Context *cx); 1454 extern SECStatus SHA512_Flatten(SHA512Context *cx, unsigned char *space); 1455 extern SHA512Context *SHA512_Resurrect(unsigned char *space, void *arg); 1456 extern void SHA512_Clone(SHA512Context *dest, SHA512Context *src); 1457 1458 /******************************************/ 1459 1460 extern SHA384Context *SHA384_NewContext(void); 1461 extern void SHA384_DestroyContext(SHA384Context *cx, PRBool freeit); 1462 extern void SHA384_Begin(SHA384Context *cx); 1463 extern void SHA384_Update(SHA384Context *cx, const unsigned char *input, 1464 unsigned int inputLen); 1465 extern void SHA384_End(SHA384Context *cx, unsigned char *digest, 1466 unsigned int *digestLen, unsigned int maxDigestLen); 1467 /* 1468 ** Export the current state of the SHA-384 hash without appending the standard 1469 ** padding and length bytes. Produce the digested results in "digest" 1470 ** "cx" the context 1471 ** "digest" where the 48 bytes of digest data are stored 1472 ** "digestLen" where the digest length (48) is stored (optional) 1473 ** "maxDigestLen" the maximum amount of data that can ever be 1474 ** stored in "digest" 1475 */ 1476 extern void SHA384_EndRaw(SHA384Context *cx, unsigned char *digest, 1477 unsigned int *digestLen, unsigned int maxDigestLen); 1478 extern SECStatus SHA384_HashBuf(unsigned char *dest, const unsigned char *src, 1479 PRUint32 src_length); 1480 extern SECStatus SHA384_Hash(unsigned char *dest, const char *src); 1481 extern void SHA384_TraceState(SHA384Context *cx); 1482 extern unsigned int SHA384_FlattenSize(SHA384Context *cx); 1483 extern SECStatus SHA384_Flatten(SHA384Context *cx, unsigned char *space); 1484 extern SHA384Context *SHA384_Resurrect(unsigned char *space, void *arg); 1485 extern void SHA384_Clone(SHA384Context *dest, SHA384Context *src); 1486 1487 /**************************************** 1488 * implement TLS 1.0 Pseudo Random Function (PRF) and TLS P_hash function 1489 */ 1490 1491 extern SECStatus 1492 TLS_PRF(const SECItem *secret, const char *label, SECItem *seed, 1493 SECItem *result, PRBool isFIPS); 1494 1495 extern SECStatus 1496 TLS_P_hash(HASH_HashType hashAlg, const SECItem *secret, const char *label, 1497 SECItem *seed, SECItem *result, PRBool isFIPS); 1498 1499 /******************************************/ 1500 /* 1501 ** Implements the Blake2b hash function. 1502 */ 1503 1504 /* 1505 ** Hash a null terminated string "src" into "dest" using Blake2b 1506 */ 1507 extern SECStatus BLAKE2B_Hash(unsigned char *dest, const char *src); 1508 1509 /* 1510 ** Hash a non-null terminated string "src" into "dest" using Blake2b 1511 */ 1512 extern SECStatus BLAKE2B_HashBuf(unsigned char *output, 1513 const unsigned char *input, PRUint32 inlen); 1514 1515 extern SECStatus BLAKE2B_MAC_HashBuf(unsigned char *output, 1516 const unsigned char *input, 1517 unsigned int inlen, 1518 const unsigned char *key, 1519 unsigned int keylen); 1520 1521 /* 1522 ** Create a new Blake2b context 1523 */ 1524 extern BLAKE2BContext *BLAKE2B_NewContext(void); 1525 1526 /* 1527 ** Destroy a Blake2b secure hash context. 1528 ** "ctx" the context 1529 ** "freeit" if PR_TRUE then free the object as well as its sub-objects 1530 */ 1531 extern void BLAKE2B_DestroyContext(BLAKE2BContext *ctx, PRBool freeit); 1532 1533 /* 1534 ** Reset a Blake2b context, preparing it for a fresh round of hashing 1535 */ 1536 extern SECStatus BLAKE2B_Begin(BLAKE2BContext *ctx); 1537 1538 extern SECStatus BLAKE2B_MAC_Begin(BLAKE2BContext *ctx, const PRUint8 *key, 1539 const size_t keylen); 1540 1541 /* 1542 ** Update the Blake hash function with more data. 1543 */ 1544 extern SECStatus BLAKE2B_Update(BLAKE2BContext *ctx, const unsigned char *in, 1545 unsigned int inlen); 1546 1547 /* 1548 ** Finish the Blake hash function. Produce the digested results in "digest" 1549 */ 1550 extern SECStatus BLAKE2B_End(BLAKE2BContext *ctx, unsigned char *out, 1551 unsigned int *digestLen, size_t maxDigestLen); 1552 1553 /* 1554 * Return the size of a buffer needed to flatten the Blake2b Context into 1555 * "ctx" the context 1556 * returns size; 1557 */ 1558 extern unsigned int BLAKE2B_FlattenSize(BLAKE2BContext *ctx); 1559 1560 /* 1561 * Flatten the Blake2b Context into a buffer: 1562 * "ctx" the context 1563 * "space" the buffer to flatten to 1564 * returns status; 1565 */ 1566 extern SECStatus BLAKE2B_Flatten(BLAKE2BContext *ctx, unsigned char *space); 1567 1568 /* 1569 * Resurrect a flattened context into a Blake2b Context 1570 * "space" the buffer of the flattend buffer 1571 * "arg" ptr to void used by cryptographic resurrect 1572 * returns resurected context 1573 */ 1574 extern BLAKE2BContext *BLAKE2B_Resurrect(unsigned char *space, void *arg); 1575 extern void BLAKE2B_Clone(BLAKE2BContext *dest, BLAKE2BContext *src); 1576 1577 /******************************************/ 1578 /* 1579 ** Pseudo Random Number Generation. FIPS compliance desirable. 1580 */ 1581 1582 /* 1583 ** Initialize the global RNG context and give it some seed input taken 1584 ** from the system. This function is thread-safe and will only allow 1585 ** the global context to be initialized once. The seed input is likely 1586 ** small, so it is imperative that RNG_RandomUpdate() be called with 1587 ** additional seed data before the generator is used. A good way to 1588 ** provide the generator with additional entropy is to call 1589 ** RNG_SystemInfoForRNG(). Note that NSS_Init() does exactly that. 1590 */ 1591 extern SECStatus RNG_RNGInit(void); 1592 1593 /* 1594 ** Update the global random number generator with more seeding 1595 ** material 1596 */ 1597 extern SECStatus RNG_RandomUpdate(const void *data, size_t bytes); 1598 1599 /* 1600 ** Generate some random bytes, using the global random number generator 1601 ** object. 1602 */ 1603 extern SECStatus RNG_GenerateGlobalRandomBytes(void *dest, size_t len); 1604 1605 /* Destroy the global RNG context. After a call to RNG_RNGShutdown() 1606 ** a call to RNG_RNGInit() is required in order to use the generator again, 1607 ** along with seed data (see the comment above RNG_RNGInit()). 1608 */ 1609 extern void RNG_RNGShutdown(void); 1610 1611 extern void RNG_SystemInfoForRNG(void); 1612 1613 /* 1614 * FIPS 186-2 Change Notice 1 RNG Algorithm 1, used both to 1615 * generate the DSA X parameter and as a generic purpose RNG. 1616 * 1617 * The following two FIPS186Change functions are needed for 1618 * NIST RNG Validation System. 1619 */ 1620 1621 /* 1622 * FIPS186Change_GenerateX is now deprecated. It will return SECFailure with 1623 * the error set to PR_NOT_IMPLEMENTED_ERROR. 1624 */ 1625 extern SECStatus 1626 FIPS186Change_GenerateX(unsigned char *XKEY, 1627 const unsigned char *XSEEDj, 1628 unsigned char *x_j); 1629 1630 /* 1631 * When generating the DSA X parameter, we generate 2*GSIZE bytes 1632 * of random output and reduce it mod q. 1633 * 1634 * Input: w, 2*GSIZE bytes 1635 * q, DSA_SUBPRIME_LEN bytes 1636 * Output: xj, DSA_SUBPRIME_LEN bytes 1637 */ 1638 extern SECStatus 1639 FIPS186Change_ReduceModQForDSA(const unsigned char *w, 1640 const unsigned char *q, 1641 unsigned char *xj); 1642 1643 /* To allow NIST KAT tests */ 1644 extern SECStatus 1645 PRNGTEST_Instantiate_Kat(const PRUint8 *entropy, unsigned int entropy_len, 1646 const PRUint8 *nonce, unsigned int nonce_len, 1647 const PRUint8 *personal_string, unsigned int ps_len); 1648 1649 /* 1650 * The following functions are for FIPS poweron self test and FIPS algorithm 1651 * testing. 1652 */ 1653 extern SECStatus 1654 PRNGTEST_Instantiate(const PRUint8 *entropy, unsigned int entropy_len, 1655 const PRUint8 *nonce, unsigned int nonce_len, 1656 const PRUint8 *personal_string, unsigned int ps_len); 1657 1658 extern SECStatus 1659 PRNGTEST_Reseed(const PRUint8 *entropy, unsigned int entropy_len, 1660 const PRUint8 *additional, unsigned int additional_len); 1661 1662 extern SECStatus 1663 PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len, 1664 const PRUint8 *additional, unsigned int additional_len); 1665 1666 extern SECStatus 1667 PRNGTEST_Uninstantiate(void); 1668 1669 extern SECStatus 1670 PRNGTEST_RunHealthTests(void); 1671 1672 /* Generate PQGParams and PQGVerify structs. 1673 * Length of seed and length of h both equal length of P. 1674 * All lengths are specified by "j", according to the table above. 1675 * 1676 * The verify parameters will conform to FIPS186-1. 1677 */ 1678 extern SECStatus 1679 PQG_ParamGen(unsigned int j, /* input : determines length of P. */ 1680 PQGParams **pParams, /* output: P Q and G returned here */ 1681 PQGVerify **pVfy); /* output: counter and seed. */ 1682 1683 /* Generate PQGParams and PQGVerify structs. 1684 * Length of P specified by j. Length of h will match length of P. 1685 * Length of SEED in bytes specified in seedBytes. 1686 * seedBbytes must be in the range [20..255] or an error will result. 1687 * 1688 * The verify parameters will conform to FIPS186-1. 1689 */ 1690 extern SECStatus 1691 PQG_ParamGenSeedLen( 1692 unsigned int j, /* input : determines length of P. */ 1693 unsigned int seedBytes, /* input : length of seed in bytes.*/ 1694 PQGParams **pParams, /* output: P Q and G returned here */ 1695 PQGVerify **pVfy); /* output: counter and seed. */ 1696 1697 /* Generate PQGParams and PQGVerify structs. 1698 * Length of P specified by L in bits. 1699 * Length of Q specified by N in bits. 1700 * Length of SEED in bytes specified in seedBytes. 1701 * seedBbytes must be in the range [N..L*2] or an error will result. 1702 * 1703 * Not that J uses the above table, L is the length exact. L and N must 1704 * match the table below or an error will result: 1705 * 1706 * L N 1707 * 1024 160 1708 * 2048 224 1709 * 2048 256 1710 * 3072 256 1711 * 1712 * If N or seedBytes are set to zero, then PQG_ParamGenSeedLen will 1713 * pick a default value (typically the smallest secure value for these 1714 * variables). 1715 * 1716 * The verify parameters will conform to FIPS186-3 using the smallest 1717 * permissible hash for the key strength. 1718 */ 1719 extern SECStatus 1720 PQG_ParamGenV2( 1721 unsigned int L, /* input : determines length of P. */ 1722 unsigned int N, /* input : determines length of Q. */ 1723 unsigned int seedBytes, /* input : length of seed in bytes.*/ 1724 PQGParams **pParams, /* output: P Q and G returned here */ 1725 PQGVerify **pVfy); /* output: counter and seed. */ 1726 1727 /* Test PQGParams for validity as DSS PQG values. 1728 * If vfy is non-NULL, test PQGParams to make sure they were generated 1729 * using the specified seed, counter, and h values. 1730 * 1731 * Return value indicates whether Verification operation ran successfully 1732 * to completion, but does not indicate if PQGParams are valid or not. 1733 * If return value is SECSuccess, then *pResult has these meanings: 1734 * SECSuccess: PQGParams are valid. 1735 * SECFailure: PQGParams are invalid. 1736 * 1737 * Verify the PQG againts the counter, SEED and h. 1738 * These tests are specified in FIPS 186-3 Appendix A.1.1.1, A.1.1.3, and A.2.2 1739 * PQG_VerifyParams will automatically choose the appropriate test. 1740 */ 1741 1742 extern SECStatus PQG_VerifyParams(const PQGParams *params, 1743 const PQGVerify *vfy, SECStatus *result); 1744 1745 extern void PQG_DestroyParams(PQGParams *params); 1746 1747 extern void PQG_DestroyVerify(PQGVerify *vfy); 1748 1749 /* 1750 * clean-up any global tables freebl may have allocated after it starts up. 1751 * This function is not thread safe and should be called only after the 1752 * library has been quiessed. 1753 */ 1754 extern void BL_Cleanup(void); 1755 1756 /* unload freebl shared library from memory */ 1757 extern void BL_Unload(void); 1758 1759 /************************************************************************** 1760 * Verify a given Shared library signature * 1761 **************************************************************************/ 1762 PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr); 1763 1764 /************************************************************************** 1765 * Verify a given filename's signature * 1766 **************************************************************************/ 1767 PRBool BLAPI_SHVerifyFile(const char *shName); 1768 1769 /************************************************************************** 1770 * Verify Are Own Shared library signature * 1771 **************************************************************************/ 1772 PRBool BLAPI_VerifySelf(const char *name); 1773 1774 /*********************************************************************/ 1775 extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType); 1776 1777 extern void BL_SetForkState(PRBool forked); 1778 1779 /* 1780 ** pepare an ECParam structure from DEREncoded params 1781 */ 1782 extern SECStatus EC_FillParams(PLArenaPool *arena, 1783 const SECItem *encodedParams, ECParams *params); 1784 extern SECStatus EC_DecodeParams(const SECItem *encodedParams, 1785 ECParams **ecparams); 1786 extern SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams, 1787 const ECParams *srcParams); 1788 1789 /* 1790 * use the internal table to get the size in bytes of a single EC point 1791 */ 1792 extern int EC_GetPointSize(const ECParams *params); 1793 1794 SEC_END_PROTOS 1795 1796 #endif /* _BLAPI_H_ */ 1797