ref: d6ca0cfb326c9ac13c1796de917cc0547d421626
parent: 445b6293d60eb6ebd6d361596cbbc92eb8e81dc8
author: cinap_lenrek <[email protected]>
date: Thu Feb 18 13:37:53 EST 2016
port 9front libauthsrv/libsec/libmp and implement dp9ik and rcpu support
--- a/Make.win32
+++ b/Make.win32
@@ -3,7 +3,7 @@
# on another platform. Otherwise the binaries are just
# named gcc, etc.
-MING=i586-mingw32msvc-
+MING=i686-w64-mingw32-
#MING=
AR=$(MING)ar
CC=$(MING)gcc
--- a/cpu-bl.c
+++ /dev/null
@@ -1,714 +1,0 @@
-/*
- * cpu.c - Make a connection to a cpu server
- *
- * Invoked by listen as 'cpu -R | -N service net netdir'
- * by users as 'cpu [-h system] [-c cmd args ...]'
- */
-
-#include <u.h>
-#include <libc.h>
-#include <auth.h>
-#include <fcall.h>
-#include <authsrv.h>
-#include <libsec.h>
-#include "args.h"
-#include "drawterm.h"
-
-#define Maxfdata 8192
-#define MaxStr 128
-
-static void fatal(int, char*, ...);
-static void usage(void);
-static void writestr(int, char*, char*, int);
-static int readstr(int, char*, int);
-static char *rexcall(int*, char*, char*);
-static char *keyspec = "";
-static AuthInfo *p9any(int);
-
-#define system csystem
-static char *system;
-static int cflag;
-extern int dbg;
-
-static char *srvname = "ncpu";
-static char *ealgs = "rc4_256 sha1";
-
-/* message size for exportfs; may be larger so we can do big graphics in CPU window */
-static int msgsize = Maxfdata+IOHDRSZ;
-
-/* authentication mechanisms */
-static int netkeyauth(int);
-static int netkeysrvauth(int, char*);
-static int p9auth(int);
-static int srvp9auth(int, char*);
-
-char *authserver;
-
-typedef struct AuthMethod AuthMethod;
-struct AuthMethod {
- char *name; /* name of method */
- int (*cf)(int); /* client side authentication */
- int (*sf)(int, char*); /* server side authentication */
-} authmethod[] =
-{
- { "p9", p9auth, srvp9auth,},
- { "netkey", netkeyauth, netkeysrvauth,},
-// { "none", noauth, srvnoauth,},
- { nil, nil}
-};
-AuthMethod *am = authmethod; /* default is p9 */
-
-char *p9authproto = "p9any";
-
-int setam(char*);
-
-void
-exits(char *s)
-{
- print("\ngoodbye\n");
- for(;;) osyield();
-}
-
-void
-usage(void)
-{
- fprint(2, "usage: drawterm [-a authserver] [-c cpuserver] [-s secstore] [-u user]\n");
- exits("usage");
-}
-int fdd;
-
-int
-mountfactotum(void)
-{
- int fd;
-
- if((fd = dialfactotum()) < 0)
- return -1;
- if(sysmount(fd, -1, "/mnt/factotum", MREPL, "") < 0){
- fprint(2, "mount factotum: %r\n");
- return -1;
- }
- if((fd = open("/mnt/factotum/ctl", OREAD)) < 0){
- fprint(2, "open /mnt/factotum/ctl: %r\n");
- return -1;
- }
- close(fd);
- return 0;
-}
-
-void
-cpumain(int argc, char **argv)
-{
- char dat[MaxStr], buf[MaxStr], cmd[MaxStr], *err, *secstoreserver, *p, *s;
- int fd, ms, data;
-
- /* see if we should use a larger message size */
- fd = open("/dev/draw", OREAD);
- if(fd > 0){
- ms = iounit(fd);
- if(msgsize < ms+IOHDRSZ)
- msgsize = ms+IOHDRSZ;
- close(fd);
- }
-
- user = getenv("USER");
- if(user == nil)
- user = readcons("user", nil, 0);
- secstoreserver = nil;
- authserver = getenv("auth");
- if(authserver == nil)
- authserver = "lookout.cs.bell-labs.com";
- system = getenv("cpu");
- if(system == nil)
- system = "anna.cs.bell-labs.com";
- ARGBEGIN{
- case 'o':
- authserver = "plan9.bell-labs.com";
- system = "plan9.bell-labs.com";
- break;
- case 'a':
- authserver = EARGF(usage());
- break;
- case 'c':
- system = EARGF(usage());
- break;
- case 'd':
- dbg++;
- break;
- case 'e':
- ealgs = EARGF(usage());
- if(*ealgs == 0 || strcmp(ealgs, "clear") == 0)
- ealgs = nil;
- break;
- case 'C':
- cflag++;
- cmd[0] = '!';
- cmd[1] = '\0';
- while((p = ARGF()) != nil) {
- strcat(cmd, " ");
- strcat(cmd, p);
- }
- break;
- case 'k':
- keyspec = EARGF(usage());
- break;
- case 'u':
- user = EARGF(usage());
- break;
- case 's':
- secstoreserver = EARGF(usage());
- break;
- default:
- usage();
- }ARGEND;
-
- if(argc != 0)
- usage();
-
- if(mountfactotum() < 0){
- if(secstoreserver == nil)
- secstoreserver = authserver;
- if(havesecstore(secstoreserver, user)){
- s = secstorefetch(secstoreserver, user, nil);
- if(s){
- if(strlen(s) >= sizeof secstorebuf)
- sysfatal("secstore data too big");
- strcpy(secstorebuf, s);
- }
- }
- }
-
- if((err = rexcall(&data, system, srvname)))
- fatal(1, "%s: %s", err, system);
-
- /* Tell the remote side the command to execute and where our working directory is */
- if(cflag)
- writestr(data, cmd, "command", 0);
- if(getcwd(dat, sizeof(dat)) == 0)
- writestr(data, "NO", "dir", 0);
- else
- writestr(data, dat, "dir", 0);
-
- /*
- * Wait for the other end to execute and start our file service
- * of /mnt/term
- */
- if(readstr(data, buf, sizeof(buf)) < 0)
- fatal(1, "waiting for FS: %r");
- if(strncmp("FS", buf, 2) != 0) {
- print("remote cpu: %s", buf);
- exits(buf);
- }
-
- if(readstr(data, buf, sizeof buf) < 0)
- fatal(1, "waiting for remote export: %r");
- if(strcmp(buf, "/") != 0){
- print("remote cpu: %s" , buf);
- exits(buf);
- }
- write(data, "OK", 2);
-
- /* Begin serving the gnot namespace */
- exportfs(data, msgsize);
- fatal(1, "starting exportfs");
-}
-
-void
-fatal(int syserr, char *fmt, ...)
-{
- Fmt f;
- char *str;
- va_list arg;
-
- fmtstrinit(&f);
- fmtprint(&f, "cpu: ");
- va_start(arg, fmt);
- fmtvprint(&f, fmt, arg);
- va_end(arg);
- if(syserr)
- fmtprint(&f, ": %r");
- fmtprint(&f, "\n");
- str = fmtstrflush(&f);
- write(2, str, strlen(str));
- exits(str);
-}
-
-char *negstr = "negotiating authentication method";
-
-char bug[256];
-
-char*
-rexcall(int *fd, char *host, char *service)
-{
- char *na;
- char dir[MaxStr];
- char err[ERRMAX];
- char msg[MaxStr];
- int n;
-
- na = netmkaddr(host, "tcp", "17010");
- if((*fd = dial(na, 0, dir, 0)) < 0)
- return "can't dial";
-
- /* negotiate authentication mechanism */
- if(ealgs != nil)
- snprint(msg, sizeof(msg), "%s %s", am->name, ealgs);
- else
- snprint(msg, sizeof(msg), "%s", am->name);
- writestr(*fd, msg, negstr, 0);
- n = readstr(*fd, err, sizeof err);
- if(n < 0)
- return negstr;
- if(*err){
- werrstr(err);
- return negstr;
- }
-
- /* authenticate */
- *fd = (*am->cf)(*fd);
- if(*fd < 0)
- return "can't authenticate";
- return 0;
-}
-
-void
-writestr(int fd, char *str, char *thing, int ignore)
-{
- int l, n;
-
- l = strlen(str);
- n = write(fd, str, l+1);
- if(!ignore && n < 0)
- fatal(1, "writing network: %s", thing);
-}
-
-int
-readstr(int fd, char *str, int len)
-{
- int n;
-
- while(len) {
- n = read(fd, str, 1);
- if(n < 0)
- return -1;
- if(*str == '\0')
- return 0;
- str++;
- len--;
- }
- return -1;
-}
-
-static int
-readln(char *buf, int n)
-{
- int i;
- char *p;
-
- n--; /* room for \0 */
- p = buf;
- for(i=0; i<n; i++){
- if(read(0, p, 1) != 1)
- break;
- if(*p == '\n' || *p == '\r')
- break;
- p++;
- }
- *p = '\0';
- return p-buf;
-}
-
-/*
- * user level challenge/response
- */
-static int
-netkeyauth(int fd)
-{
- char chall[32];
- char resp[32];
-
- strecpy(chall, chall+sizeof chall, getuser());
- print("user[%s]: ", chall);
- if(readln(resp, sizeof(resp)) < 0)
- return -1;
- if(*resp != 0)
- strcpy(chall, resp);
- writestr(fd, chall, "challenge/response", 1);
-
- for(;;){
- if(readstr(fd, chall, sizeof chall) < 0)
- break;
- if(*chall == 0)
- return fd;
- print("challenge: %s\nresponse: ", chall);
- if(readln(resp, sizeof(resp)) < 0)
- break;
- writestr(fd, resp, "challenge/response", 1);
- }
- return -1;
-}
-
-static int
-netkeysrvauth(int fd, char *user)
-{
- return -1;
-}
-
-static void
-mksecret(char *t, uchar *f)
-{
- sprint(t, "%2.2ux%2.2ux%2.2ux%2.2ux%2.2ux%2.2ux%2.2ux%2.2ux%2.2ux%2.2ux",
- f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9]);
-}
-
-/*
- * plan9 authentication followed by rc4 encryption
- */
-static int
-p9auth(int fd)
-{
- uchar key[16];
- uchar digest[SHA1dlen];
- char fromclientsecret[21];
- char fromserversecret[21];
- int i;
- AuthInfo *ai;
-
- ai = p9any(fd);
- if(ai == nil)
- return -1;
- memmove(key+4, ai->secret, ai->nsecret);
- if(ealgs == nil)
- return fd;
-
- /* exchange random numbers */
- for(i = 0; i < 4; i++)
- key[i] = fastrand();
- if(write(fd, key, 4) != 4)
- return -1;
- if(readn(fd, key+12, 4) != 4)
- return -1;
-
- /* scramble into two secrets */
- sha1(key, sizeof(key), digest, nil);
- mksecret(fromclientsecret, digest);
- mksecret(fromserversecret, digest+10);
-
- /* set up encryption */
- i = pushssl(fd, ealgs, fromclientsecret, fromserversecret, nil);
- if(i < 0)
- werrstr("can't establish ssl connection: %r");
- return i;
-}
-
-int
-authdial(char *net, char *dom)
-{
- int fd;
- fd = dial(netmkaddr(authserver, "tcp", "567"), 0, 0, 0);
- //print("authdial %d\n", fd);
- return fd;
-}
-
-static int
-getastickets(Ticketreq *tr, char *trbuf, char *tbuf)
-{
- int asfd, rv;
- char *dom;
-
- dom = tr->authdom;
- asfd = authdial(nil, dom);
- if(asfd < 0)
- return -1;
- rv = _asgetticket(asfd, trbuf, tbuf);
- close(asfd);
- return rv;
-}
-
-static int
-mkserverticket(Ticketreq *tr, char *authkey, char *tbuf)
-{
- int i;
- Ticket t;
-
- if(strcmp(tr->authid, tr->hostid) != 0)
- return -1;
- memset(&t, 0, sizeof(t));
- memmove(t.chal, tr->chal, CHALLEN);
- strcpy(t.cuid, tr->uid);
- strcpy(t.suid, tr->uid);
- for(i=0; i<DESKEYLEN; i++)
- t.key[i] = fastrand();
- t.num = AuthTc;
- convT2M(&t, tbuf, authkey);
- t.num = AuthTs;
- convT2M(&t, tbuf+TICKETLEN, authkey);
- return 0;
-}
-
-static int
-gettickets(Ticketreq *tr, char *key, char *trbuf, char *tbuf)
-{
- if(getastickets(tr, trbuf, tbuf) >= 0)
- return 0;
- return mkserverticket(tr, key, tbuf);
-}
-
-/*
- * prompt user for a key. don't care about memory leaks, runs standalone
- */
-static Attr*
-promptforkey(char *params)
-{
- char *v;
- int fd;
- Attr *a, *attr;
- char *def;
-
- fd = open("/dev/cons", ORDWR);
- if(fd < 0)
- sysfatal("opening /dev/cons: %r");
-
- attr = _parseattr(params);
- fprint(fd, "\n!Adding key:");
- for(a=attr; a; a=a->next)
- if(a->type != AttrQuery && a->name[0] != '!')
- fprint(fd, " %q=%q", a->name, a->val);
- fprint(fd, "\n");
-
- for(a=attr; a; a=a->next){
- v = a->name;
- if(a->type != AttrQuery || v[0]=='!')
- continue;
- def = nil;
- if(strcmp(v, "user") == 0)
- def = getuser();
- a->val = readcons(v, def, 0);
- if(a->val == nil)
- sysfatal("user terminated key input");
- a->type = AttrNameval;
- }
- for(a=attr; a; a=a->next){
- v = a->name;
- if(a->type != AttrQuery || v[0]!='!')
- continue;
- def = nil;
- if(strcmp(v+1, "user") == 0)
- def = getuser();
- a->val = readcons(v+1, def, 1);
- if(a->val == nil)
- sysfatal("user terminated key input");
- a->type = AttrNameval;
- }
- fprint(fd, "!\n");
- close(fd);
- return attr;
-}
-
-/*
- * send a key to the mounted factotum
- */
-static int
-sendkey(Attr *attr)
-{
- int fd, rv;
- char buf[1024];
-
- fd = open("/mnt/factotum/ctl", ORDWR);
- if(fd < 0)
- sysfatal("opening /mnt/factotum/ctl: %r");
- rv = fprint(fd, "key %A\n", attr);
- read(fd, buf, sizeof buf);
- close(fd);
- return rv;
-}
-
-int
-askuser(char *params)
-{
- Attr *attr;
-
- fmtinstall('A', _attrfmt);
-
- attr = promptforkey(params);
- if(attr == nil)
- sysfatal("no key supplied");
- if(sendkey(attr) < 0)
- sysfatal("sending key to factotum: %r");
- return 0;
-}
-
-AuthInfo*
-p9anyfactotum(int fd, int afd)
-{
- return auth_proxy(fd, askuser, "proto=p9any role=client %s", keyspec);
-}
-
-AuthInfo*
-p9any(int fd)
-{
- char buf[1024], buf2[1024], cchal[CHALLEN], *bbuf, *p, *dom, *u;
- char *pass;
- char tbuf[TICKETLEN+TICKETLEN+AUTHENTLEN], trbuf[TICKREQLEN];
- char authkey[DESKEYLEN];
- Authenticator auth;
- int afd, i, v2;
- Ticketreq tr;
- Ticket t;
- AuthInfo *ai;
-
- if((afd = open("/mnt/factotum/ctl", ORDWR)) >= 0)
- return p9anyfactotum(fd, afd);
-
- if(readstr(fd, buf, sizeof buf) < 0)
- fatal(1, "cannot read p9any negotiation");
- bbuf = buf;
- v2 = 0;
- if(strncmp(buf, "v.2 ", 4) == 0){
- v2 = 1;
- bbuf += 4;
- }
- if((p = strchr(bbuf, ' ')))
- *p = 0;
- p = bbuf;
- if((dom = strchr(p, '@')) == nil)
- fatal(1, "bad p9any domain");
- *dom++ = 0;
- if(strcmp(p, "p9sk1") != 0)
- fatal(1, "server did not offer p9sk1");
-
- sprint(buf2, "%s %s", p, dom);
- if(write(fd, buf2, strlen(buf2)+1) != strlen(buf2)+1)
- fatal(1, "cannot write user/domain choice in p9any");
- if(v2){
- if(readstr(fd, buf, sizeof buf) != 3)
- fatal(1, "cannot read OK in p9any");
- if(memcmp(buf, "OK\0", 3) != 0)
- fatal(1, "did not get OK in p9any");
- }
- for(i=0; i<CHALLEN; i++)
- cchal[i] = fastrand();
- if(write(fd, cchal, 8) != 8)
- fatal(1, "cannot write p9sk1 challenge");
-
- if(readn(fd, trbuf, TICKREQLEN) != TICKREQLEN)
- fatal(1, "cannot read ticket request in p9sk1");
-
-
- convM2TR(trbuf, &tr);
- u = user;
- pass = findkey(&u, tr.authdom);
- if(pass == nil)
- again:
- pass = getkey(u, tr.authdom);
- if(pass == nil)
- fatal(1, "no password");
-
- passtokey(authkey, pass);
- memset(pass, 0, strlen(pass));
-
- tr.type = AuthTreq;
- strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, u);
- strecpy(tr.uid, tr.uid+sizeof tr.uid, u);
- convTR2M(&tr, trbuf);
-
- if(gettickets(&tr, authkey, trbuf, tbuf) < 0)
- fatal(1, "cannot get auth tickets in p9sk1");
-
- convM2T(tbuf, &t, authkey);
- if(t.num != AuthTc){
- print("?password mismatch with auth server\n");
- goto again;
- }
- memmove(tbuf, tbuf+TICKETLEN, TICKETLEN);
-
- auth.num = AuthAc;
- memmove(auth.chal, tr.chal, CHALLEN);
- auth.id = 0;
- convA2M(&auth, tbuf+TICKETLEN, t.key);
-
- if(write(fd, tbuf, TICKETLEN+AUTHENTLEN) != TICKETLEN+AUTHENTLEN)
- fatal(1, "cannot send ticket and authenticator back in p9sk1");
-
- if(readn(fd, tbuf, AUTHENTLEN) != AUTHENTLEN)
- fatal(1, "cannot read authenticator in p9sk1");
-
- convM2A(tbuf, &auth, t.key);
- if(auth.num != AuthAs
- || memcmp(auth.chal, cchal, CHALLEN) != 0
- || auth.id != 0){
- print("?you and auth server agree about password.\n");
- print("?server is confused.\n");
- fatal(1, "server lies got %llux.%d want %llux.%d", *(vlong*)auth.chal, auth.id, *(vlong*)cchal, 0);
- }
- //print("i am %s there.\n", t.suid);
- ai = mallocz(sizeof(AuthInfo), 1);
- ai->secret = mallocz(8, 1);
- des56to64((uchar*)t.key, ai->secret);
- ai->nsecret = 8;
- ai->suid = strdup(t.suid);
- ai->cuid = strdup(t.cuid);
- memset(authkey, 0, sizeof authkey);
- return ai;
-}
-
-/*
-static int
-noauth(int fd)
-{
- ealgs = nil;
- return fd;
-}
-
-static int
-srvnoauth(int fd, char *user)
-{
- strecpy(user, user+MaxStr, getuser());
- ealgs = nil;
- return fd;
-}
-*/
-
-void
-loghex(uchar *p, int n)
-{
- char buf[100];
- int i;
-
- for(i = 0; i < n; i++)
- sprint(buf+2*i, "%2.2ux", p[i]);
-// syslog(0, "cpu", buf);
-}
-
-static int
-srvp9auth(int fd, char *user)
-{
- return -1;
-}
-
-/*
- * set authentication mechanism
- */
-int
-setam(char *name)
-{
- for(am = authmethod; am->name != nil; am++)
- if(strcmp(am->name, name) == 0)
- return 0;
- am = authmethod;
- return -1;
-}
-
-/*
- * set authentication mechanism and encryption/hash algs
- *
-int
-setamalg(char *s)
-{
- ealgs = strchr(s, ' ');
- if(ealgs != nil)
- *ealgs++ = 0;
- return setam(s);
-}
-
-*/
--- a/cpu.c
+++ b/cpu.c
@@ -38,8 +38,6 @@
static int msgsize = Maxfdata+IOHDRSZ;
/* authentication mechanisms */
-static int netkeyauth(int);
-static int netkeysrvauth(int, char*);
static int p9auth(int);
static int srvp9auth(int, char*);
@@ -53,8 +51,6 @@
} authmethod[] =
{
{ "p9", p9auth, srvp9auth,},
- { "netkey", netkeyauth, netkeysrvauth,},
-// { "none", noauth, srvnoauth,},
{ 0 }
};
AuthMethod *am = authmethod; /* default is p9 */
@@ -98,6 +94,47 @@
}
void
+rcpu(char *host)
+{
+ static char script[] =
+"mount -nc /fd/0 /mnt/term || exit \n"
+"bind -q /mnt/term/dev/cons /dev/cons \n"
+"</dev/cons >/dev/cons >[2=1] { \n"
+" service=cpu exec rc -li \n"
+"} \n";
+ AuthInfo *ai;
+ TLSconn *conn;
+ char *na;
+ int fd;
+
+ na = netmkaddr(host, "tcp", "17019");
+ if((fd = dial(na, 0, 0, 0)) < 0)
+ return;
+
+ ai = p9any(fd);
+ if(ai == nil)
+ fatal(1, "can't authenticate");
+
+ conn = mallocz(sizeof(TLSconn), 1);
+ conn->pskID = "p9secret";
+ conn->psk = ai->secret;
+ conn->psklen = ai->nsecret;
+
+ fd = tlsClient(fd, conn);
+ if(fd < 0)
+ fatal(1, "tlsClient");
+
+ auth_freeAI(ai);
+
+ if(fprint(fd, "%7ld\n%s", strlen(script), script) < 0)
+ fatal(1, "sending script");
+
+ /* Begin serving the namespace */
+ exportfs(fd, msgsize);
+ fatal(1, "starting exportfs");
+}
+
+void
cpumain(int argc, char **argv)
{
char dat[MaxStr], buf[MaxStr], cmd[MaxStr], *err, *secstoreserver, *p, *s;
@@ -179,6 +216,8 @@
}
}
+ rcpu(system);
+
if((err = rexcall(&data, system, srvname)))
fatal(1, "%s: %s", err, system);
@@ -300,61 +339,6 @@
return -1;
}
-static int
-readln(char *buf, int n)
-{
- int i;
- char *p;
-
- n--; /* room for \0 */
- p = buf;
- for(i=0; i<n; i++){
- if(read(0, p, 1) != 1)
- break;
- if(*p == '\n' || *p == '\r')
- break;
- p++;
- }
- *p = '\0';
- return p-buf;
-}
-
-/*
- * user level challenge/response
- */
-static int
-netkeyauth(int fd)
-{
- char chall[32];
- char resp[32];
-
- strecpy(chall, chall+sizeof chall, getuser());
- print("user[%s]: ", chall);
- if(readln(resp, sizeof(resp)) < 0)
- return -1;
- if(*resp != 0)
- strcpy(chall, resp);
- writestr(fd, chall, "challenge/response", 1);
-
- for(;;){
- if(readstr(fd, chall, sizeof chall) < 0)
- break;
- if(*chall == 0)
- return fd;
- print("challenge: %s\nresponse: ", chall);
- if(readln(resp, sizeof(resp)) < 0)
- break;
- writestr(fd, resp, "challenge/response", 1);
- }
- return -1;
-}
-
-static int
-netkeysrvauth(int fd, char *user)
-{
- return -1;
-}
-
static void
mksecret(char *t, uchar *f)
{
@@ -378,13 +362,17 @@
ai = p9any(fd);
if(ai == nil)
return -1;
- memmove(key+4, ai->secret, ai->nsecret);
if(ealgs == nil)
return fd;
+ if(ai->nsecret < 8){
+ werrstr("secret too small");
+ return -1;
+ }
+ memmove(key+4, ai->secret, 8);
+
/* exchange random numbers */
- for(i = 0; i < 4; i++)
- key[i] = fastrand();
+ genrandom(key, 4);
if(write(fd, key, 4) != 4)
return -1;
if(readn(fd, key+12, 4) != 4)
@@ -412,7 +400,7 @@
}
static int
-getastickets(Ticketreq *tr, char *trbuf, char *tbuf)
+getastickets(Authkey *key, Ticketreq *tr, uchar *y, char *tbuf, int tbuflen)
{
int asfd, rv;
char *dom;
@@ -421,38 +409,71 @@
asfd = authdial(nil, dom);
if(asfd < 0)
return -1;
- rv = _asgetticket(asfd, trbuf, tbuf);
+ if(y != nil){
+ PAKpriv p;
+
+ rv = -1;
+ tr->type = AuthPAK;
+ if(_asrequest(asfd, tr) != 0 || write(asfd, y, PAKYLEN) != PAKYLEN)
+ goto Out;
+
+ authpak_new(&p, key, (uchar*)tbuf, 1);
+ if(write(asfd, tbuf, PAKYLEN) != PAKYLEN)
+ goto Out;
+
+ if(_asrdresp(asfd, tbuf, 2*PAKYLEN) != 2*PAKYLEN)
+ goto Out;
+
+ memmove(y, tbuf, PAKYLEN);
+ if(authpak_finish(&p, key, (uchar*)tbuf+PAKYLEN))
+ goto Out;
+ }
+ tr->type = AuthTreq;
+ rv = _asgetticket(asfd, tr, tbuf, tbuflen);
+Out:
close(asfd);
return rv;
}
static int
-mkserverticket(Ticketreq *tr, char *authkey, char *tbuf)
+mkservertickets(Authkey *key, Ticketreq *tr, uchar *y, char *tbuf, int tbuflen)
{
- int i;
Ticket t;
+ int ret;
if(strcmp(tr->authid, tr->hostid) != 0)
return -1;
memset(&t, 0, sizeof(t));
+ ret = 0;
+ if(y != nil){
+ PAKpriv p;
+
+ t.form = 1;
+ memmove(tbuf, y, PAKYLEN);
+ authpak_new(&p, key, y, 0);
+ authpak_finish(&p, key, (uchar*)tbuf);
+ }
memmove(t.chal, tr->chal, CHALLEN);
strcpy(t.cuid, tr->uid);
strcpy(t.suid, tr->uid);
- for(i=0; i<DESKEYLEN; i++)
- t.key[i] = fastrand();
+ genrandom((uchar*)t.key, sizeof(t.key));
t.num = AuthTc;
- convT2M(&t, tbuf, authkey);
+ ret += convT2M(&t, tbuf+ret, tbuflen-ret, key);
t.num = AuthTs;
- convT2M(&t, tbuf+TICKETLEN, authkey);
- return 0;
+ ret += convT2M(&t, tbuf+ret, tbuflen-ret, key);
+ memset(&t, 0, sizeof(t));
+
+ return ret;
}
static int
-gettickets(Ticketreq *tr, char *key, char *trbuf, char *tbuf)
+gettickets(Authkey *key, Ticketreq *tr, uchar *y, char *tbuf, int tbuflen)
{
- if(getastickets(tr, trbuf, tbuf) >= 0)
- return 0;
- return mkserverticket(tr, key, tbuf);
+ int ret;
+ ret = getastickets(key, tr, y, tbuf, tbuflen);
+ if(ret > 0)
+ return ret;
+ return mkservertickets(key, tr, y, tbuf, tbuflen);
}
/*
@@ -548,12 +569,13 @@
AuthInfo*
p9any(int fd)
{
- char buf[1024], buf2[1024], cchal[CHALLEN], *bbuf, *p, *dom, *u;
+ char buf[1024], buf2[1024], *bbuf, *p, *proto, *dom, *u;
char *pass;
- char tbuf[TICKETLEN+TICKETLEN+AUTHENTLEN], trbuf[TICKREQLEN];
- char authkey[DESKEYLEN];
+ uchar crand[2*NONCELEN], cchal[CHALLEN], y[PAKYLEN];
+ char tbuf[2*MAXTICKETLEN+MAXAUTHENTLEN+PAKYLEN], trbuf[TICKREQLEN+PAKYLEN];
+ Authkey authkey;
Authenticator auth;
- int afd, i, n, v2;
+ int afd, i, n, m, v2, dp9ik;
Ticketreq tr;
Ticket t;
AuthInfo *ai;
@@ -570,16 +592,26 @@
v2 = 1;
bbuf += 4;
}
- if((p = strchr(bbuf, ' ')))
- *p = 0;
- p = bbuf;
- if((dom = strchr(p, '@')) == nil)
- fatal(1, "bad p9any domain");
- *dom++ = 0;
- if(strcmp(p, "p9sk1") != 0)
- fatal(1, "server did not offer p9sk1");
-
- sprint(buf2, "%s %s", p, dom);
+ dp9ik = 0;
+ proto = nil;
+ while(bbuf != nil){
+ if((p = strchr(bbuf, ' ')))
+ *p++ = 0;
+ if((dom = strchr(bbuf, '@')) == nil)
+ fatal(1, "bad p9any domain");
+ *dom++ = 0;
+ if(strcmp(bbuf, "p9sk1") == 0 || strcmp(bbuf, "dp9ik") == 0){
+ proto = bbuf;
+ if(strcmp(proto, "dp9ik") == 0){
+ dp9ik = 1;
+ break;
+ }
+ }
+ bbuf = p;
+ }
+ if(proto == nil)
+ fatal(1, "server did not offer p9sk1 or dp9ik");
+ sprint(buf2, "%s %s", proto, dom);
if(write(fd, buf2, strlen(buf2)+1) != strlen(buf2)+1)
fatal(1, "cannot write user/domain choice in p9any");
if(v2){
@@ -588,16 +620,18 @@
if(memcmp(buf, "OK\0", 3) != 0)
fatal(1, "did not get OK in p9any");
}
- for(i=0; i<CHALLEN; i++)
- cchal[i] = fastrand();
- if(write(fd, cchal, 8) != 8)
+ genrandom(crand, 2*NONCELEN);
+ genrandom(cchal, CHALLEN);
+ if(write(fd, cchal, CHALLEN) != CHALLEN)
fatal(1, "cannot write p9sk1 challenge");
- if(readn(fd, trbuf, TICKREQLEN) != TICKREQLEN)
+ n = TICKREQLEN;
+ if(dp9ik)
+ n += PAKYLEN;
+
+ if(readn(fd, trbuf, n) != n || convM2TR(trbuf, TICKREQLEN, &tr) <= 0)
fatal(1, "cannot read ticket request in p9sk1");
-
- convM2TR(trbuf, &tr);
u = user;
pass = findkey(&u, tr.authdom);
if(pass == nil)
@@ -606,36 +640,45 @@
if(pass == nil)
fatal(1, "no password");
- passtokey(authkey, pass);
+ passtokey(&authkey, pass);
memset(pass, 0, strlen(pass));
- tr.type = AuthTreq;
strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, u);
strecpy(tr.uid, tr.uid+sizeof tr.uid, u);
- convTR2M(&tr, trbuf);
- if(gettickets(&tr, authkey, trbuf, tbuf) < 0)
+ if(dp9ik){
+ authpak_hash(&authkey, tr.hostid);
+ memmove(y, trbuf+TICKREQLEN, PAKYLEN);
+ n = gettickets(&authkey, &tr, y, tbuf, sizeof(tbuf));
+ } else {
+ n = gettickets(&authkey, &tr, nil, tbuf, sizeof(tbuf));
+ }
+ if(n <= 0)
fatal(1, "cannot get auth tickets in p9sk1");
- convM2T(tbuf, &t, authkey);
- if(t.num != AuthTc){
+ m = convM2T(tbuf, n, &t, &authkey);
+ if(m <= 0 || t.num != AuthTc){
print("?password mismatch with auth server\n");
goto again;
}
- memmove(tbuf, tbuf+TICKETLEN, TICKETLEN);
+ n -= m;
+ memmove(tbuf, tbuf+m, n);
+ if(dp9ik && write(fd, y, PAKYLEN) != PAKYLEN)
+ fatal(1, "cannot send authpak public key back");
+
auth.num = AuthAc;
+ memmove(auth.rand, crand, NONCELEN);
memmove(auth.chal, tr.chal, CHALLEN);
- auth.id = 0;
- convA2M(&auth, tbuf+TICKETLEN, t.key);
+ m = convA2M(&auth, tbuf+n, sizeof(tbuf)-n, &t);
+ n += m;
- if(write(fd, tbuf, TICKETLEN+AUTHENTLEN) != TICKETLEN+AUTHENTLEN)
- fatal(1, "cannot send ticket and authenticator back in p9sk1");
+ if(write(fd, tbuf, n) != n)
+ fatal(1, "cannot send ticket and authenticator back");
- if((n=readn(fd, tbuf, AUTHENTLEN)) != AUTHENTLEN ||
- memcmp(tbuf, "cpu:", 4) == 0){
+ if((n=readn(fd, tbuf, m)) != m || memcmp(tbuf, "cpu:", 4) == 0){
if(n <= 4)
- fatal(1, "cannot read authenticator in p9sk1");
+ fatal(1, "cannot read authenticator");
/*
* didn't send back authenticator:
@@ -650,53 +693,43 @@
fatal(0, "server says: %s", buf);
}
- convM2A(tbuf, &auth, t.key);
- if(auth.num != AuthAs
- || memcmp(auth.chal, cchal, CHALLEN) != 0
- || auth.id != 0){
+ if(convM2A(tbuf, n, &auth, &t) <= 0
+ || auth.num != AuthAs || tsmemcmp(auth.chal, cchal, CHALLEN) != 0){
print("?you and auth server agree about password.\n");
print("?server is confused.\n");
- fatal(0, "server lies got %llux.%d want %llux.%d", *(vlong*)auth.chal, auth.id, *(vlong*)cchal, 0);
+ fatal(0, "server lies got %llux want %llux", *(vlong*)auth.chal, *(vlong*)cchal);
}
- //print("i am %s there.\n", t.suid);
+ memmove(crand+NONCELEN, auth.rand, NONCELEN);
+
+ // print("i am %s there.\n", t.suid);
+
ai = mallocz(sizeof(AuthInfo), 1);
- ai->secret = mallocz(8, 1);
- des56to64((uchar*)t.key, ai->secret);
- ai->nsecret = 8;
ai->suid = strdup(t.suid);
ai->cuid = strdup(t.cuid);
- memset(authkey, 0, sizeof authkey);
- return ai;
-}
+ if(dp9ik){
+ static char info[] = "Plan 9 session secret";
+ ai->nsecret = 256;
+ ai->secret = mallocz(ai->nsecret, 1);
+ hkdf_x( crand, 2*NONCELEN,
+ (uchar*)info, sizeof(info)-1,
+ (uchar*)t.key, NONCELEN,
+ ai->secret, ai->nsecret,
+ hmac_sha2_256, SHA2_256dlen);
+ } else {
+ ai->nsecret = 8;
+ ai->secret = mallocz(ai->nsecret, 1);
+ des56to64((uchar*)t.key, ai->secret);
+ }
-/*
-static int
-noauth(int fd)
-{
- ealgs = nil;
- return fd;
-}
+ memset(&t, 0, sizeof(t));
+ memset(&auth, 0, sizeof(auth));
+ memset(&authkey, 0, sizeof(authkey));
+ memset(cchal, 0, sizeof(cchal));
+ memset(crand, 0, sizeof(crand));
-static int
-srvnoauth(int fd, char *user)
-{
- strecpy(user, user+MaxStr, getuser());
- ealgs = nil;
- return fd;
+ return ai;
}
-*/
-void
-loghex(uchar *p, int n)
-{
- char buf[100];
- int i;
-
- for(i = 0; i < n; i++)
- sprint(buf+2*i, "%2.2ux", p[i]);
-// syslog(0, "cpu", buf);
-}
-
static int
srvp9auth(int fd, char *user)
{
@@ -715,17 +748,3 @@
am = authmethod;
return -1;
}
-
-/*
- * set authentication mechanism and encryption/hash algs
- *
-int
-setamalg(char *s)
-{
- ealgs = strchr(s, ' ');
- if(ealgs != nil)
- *ealgs++ = 0;
- return setam(s);
-}
-
-*/
--- a/include/authsrv.h
+++ b/include/authsrv.h
@@ -1,8 +1,3 @@
-#ifdef PLAN9
-#pragma src "/sys/src/libauthsrv"
-#pragma lib "libauthsrv.a"
-#endif
-
/*
* Interface for talking to authentication server.
*/
@@ -14,21 +9,35 @@
typedef struct OChapreply OChapreply;
typedef struct OMSchapreply OMSchapreply;
+typedef struct Authkey Authkey;
+
enum
{
- ANAMELEN= 28, /* maximum size of name in previous proto */
- AERRLEN= 64, /* maximum size of errstr in previous proto */
- DOMLEN= 48, /* length of an authentication domain name */
- DESKEYLEN= 7, /* length of a des key for encrypt/decrypt */
- CHALLEN= 8, /* length of a plan9 sk1 challenge */
- NETCHLEN= 16, /* max network challenge length (used in AS protocol) */
+ ANAMELEN= 28, /* name max size in previous proto */
+ AERRLEN= 64, /* errstr max size in previous proto */
+ DOMLEN= 48, /* authentication domain name length */
+ DESKEYLEN= 7, /* encrypt/decrypt des key length */
+ AESKEYLEN= 16, /* encrypt/decrypt aes key length */
+
+ CHALLEN= 8, /* plan9 sk1 challenge length */
+ NETCHLEN= 16, /* max network challenge length (used in AS protocol) */
CONFIGLEN= 14,
- SECRETLEN= 32, /* max length of a secret */
+ SECRETLEN= 32, /* secret max size */
- KEYDBOFF= 8, /* length of random data at the start of key file */
- OKEYDBLEN= ANAMELEN+DESKEYLEN+4+2, /* length of an entry in old key file */
- KEYDBLEN= OKEYDBLEN+SECRETLEN, /* length of an entry in key file */
+ NONCELEN= 32,
+
+ KEYDBOFF= 8, /* bytes of random data at key file's start */
+ OKEYDBLEN= ANAMELEN+DESKEYLEN+4+2, /* old key file entry length */
+ KEYDBLEN= OKEYDBLEN+SECRETLEN, /* key file entry length */
OMD5LEN= 16,
+
+ /* AuthPAK constants */
+ PAKKEYLEN= 32,
+ PAKSLEN= (448+7)/8, /* ed448 scalar */
+ PAKPLEN= 4*PAKSLEN, /* point in extended format X,Y,Z,T */
+ PAKHASHLEN= 2*PAKPLEN, /* hashed points PM,PN */
+ PAKXLEN= PAKSLEN, /* random scalar secret key */
+ PAKYLEN= PAKSLEN, /* decaf encoded public key */
};
/* encryption numberings (anti-replay) */
@@ -47,8 +56,7 @@
AuthCram=12, /* CRAM verification for IMAP (RFC2195 & rfc2104) */
AuthHttp=13, /* http domain login */
AuthVNC=14, /* VNC server login (deprecated) */
-
-
+ AuthPAK=19, /* authenticated diffie hellman key agreement */
AuthTs=64, /* ticket encrypted with server's key */
AuthTc, /* ticket encrypted with client's key */
AuthAs, /* server generated authenticator */
@@ -74,17 +82,19 @@
char chal[CHALLEN]; /* server challenge */
char cuid[ANAMELEN]; /* uid on client */
char suid[ANAMELEN]; /* uid on server */
- char key[DESKEYLEN]; /* nonce DES key */
+ uchar key[NONCELEN]; /* nonce key */
+
+ char form; /* (not transmitted) format (0 = des, 1 = ccpoly) */
};
-#define TICKETLEN (CHALLEN+2*ANAMELEN+DESKEYLEN+1)
+#define MAXTICKETLEN (12+CHALLEN+2*ANAMELEN+NONCELEN+16)
struct Authenticator
{
char num; /* replay protection */
- char chal[CHALLEN];
- ulong id; /* authenticator id, ++'d with each auth */
+ char chal[CHALLEN]; /* server/client challenge */
+ uchar rand[NONCELEN]; /* server/client nonce */
};
-#define AUTHENTLEN (CHALLEN+4+1)
+#define MAXAUTHENTLEN (12+CHALLEN+NONCELEN+16)
struct Passwordreq
{
@@ -94,7 +104,7 @@
char changesecret;
char secret[SECRETLEN]; /* new secret */
};
-#define PASSREQLEN (2*ANAMELEN+1+1+SECRETLEN)
+#define MAXPASSREQLEN (12+2*ANAMELEN+1+SECRETLEN+16)
struct OChapreply
{
@@ -102,6 +112,7 @@
char uid[ANAMELEN];
char resp[OMD5LEN];
};
+#define OCHAPREPLYLEN (1+ANAMELEN+OMD5LEN)
struct OMSchapreply
{
@@ -109,50 +120,70 @@
char LMresp[24]; /* Lan Manager response */
char NTresp[24]; /* NT response */
};
+#define OMSCHAPREPLYLEN (ANAMELEN+24+24)
+struct Authkey
+{
+ char des[DESKEYLEN]; /* DES key from password */
+ uchar aes[AESKEYLEN]; /* AES key from password */
+ uchar pakkey[PAKKEYLEN]; /* shared key from AuthPAK exchange (see authpak_finish()) */
+ uchar pakhash[PAKHASHLEN]; /* secret hash from AES key and user name (see authpak_hash()) */
+};
+
/*
* convert to/from wire format
*/
-extern int convT2M(Ticket*, char*, char*);
-extern void convM2T(char*, Ticket*, char*);
-extern void convM2Tnoenc(char*, Ticket*);
-extern int convA2M(Authenticator*, char*, char*);
-extern void convM2A(char*, Authenticator*, char*);
-extern int convTR2M(Ticketreq*, char*);
-extern void convM2TR(char*, Ticketreq*);
-extern int convPR2M(Passwordreq*, char*, char*);
-extern void convM2PR(char*, Passwordreq*, char*);
+extern int convT2M(Ticket*, char*, int, Authkey*);
+extern int convM2T(char*, int, Ticket*, Authkey*);
+extern int convA2M(Authenticator*, char*, int, Ticket*);
+extern int convM2A(char*, int, Authenticator*, Ticket*);
+extern int convTR2M(Ticketreq*, char*, int);
+extern int convM2TR(char*, int, Ticketreq*);
+extern int convPR2M(Passwordreq*, char*, int, Ticket*);
+extern int convM2PR(char*, int, Passwordreq*, Ticket*);
/*
- * convert ascii password to DES key
+ * convert ascii password to auth key
*/
-extern int opasstokey(char*, char*);
-extern int passtokey(char*, char*);
+extern void passtokey(Authkey*, char*);
+extern void passtodeskey(char key[DESKEYLEN], char *p);
+extern void passtoaeskey(uchar key[AESKEYLEN], char *p);
+
/*
* Nvram interface
*/
enum {
- NVwrite = 1<<0, /* always prompt and rewrite nvram */
- NVwriteonerr = 1<<1, /* prompt and rewrite nvram when corrupt */
+ NVread = 0, /* just read */
+ NVwrite = 1<<0, /* always prompt and rewrite nvram */
+ NVwriteonerr = 1<<1, /* prompt and rewrite nvram when corrupt */
+ NVwritemem = 1<<2, /* don't prompt, write nvram from argument */
};
+/* storage layout */
struct Nvrsafe
{
- char machkey[DESKEYLEN];
+ char machkey[DESKEYLEN]; /* file server's authid's des key */
uchar machsum;
- char authkey[DESKEYLEN];
+ char authkey[DESKEYLEN]; /* authid's des key from password */
uchar authsum;
+ /*
+ * file server config string of device holding full configuration;
+ * secstore key on non-file-servers.
+ */
char config[CONFIGLEN];
uchar configsum;
- char authid[ANAMELEN];
+ char authid[ANAMELEN]; /* auth userid, e.g., bootes */
uchar authidsum;
- char authdom[DOMLEN];
+ char authdom[DOMLEN]; /* auth domain, e.g., cs.bell-labs.com */
uchar authdomsum;
+
+ uchar aesmachkey[AESKEYLEN];
+ uchar aesmachsum;
};
extern uchar nvcsum(void*, int);
-extern int readnvram(Nvrsafe*, int);
+extern int readnvram(Nvrsafe*, int);
/*
* call up auth server
@@ -162,7 +193,23 @@
/*
* exchange messages with auth server
*/
-extern int _asgetticket(int, char*, char*);
+extern int _asgetpakkey(int, Ticketreq*, Authkey*);
+extern int _asgetticket(int, Ticketreq*, char*, int);
+extern int _asrequest(int, Ticketreq*);
+extern int _asgetresp(int, Ticket*, Authenticator*, Authkey *);
extern int _asrdresp(int, char*, int);
-extern int sslnegotiate(int, Ticket*, char**, char**);
-extern int srvsslnegotiate(int, Ticket*, char**, char**);
+
+/*
+ * AuthPAK protocol
+ */
+typedef struct PAKpriv PAKpriv;
+struct PAKpriv
+{
+ int isclient;
+ uchar x[PAKXLEN];
+ uchar y[PAKYLEN];
+};
+
+extern void authpak_hash(Authkey *k, char *u);
+extern void authpak_new(PAKpriv *p, Authkey *k, uchar y[PAKYLEN], int isclient);
+extern int authpak_finish(PAKpriv *p, Authkey *k, uchar y[PAKYLEN]);
--- a/include/lib.h
+++ b/include/lib.h
@@ -20,6 +20,7 @@
#define strtoll libstrtoll
#undef timeradd
#define timeradd xtimeradd
+#define gmtime libgmtime
#define nil ((void*)0)
@@ -32,6 +33,7 @@
typedef unsigned short p9_ushort;
typedef unsigned int Rune;
typedef unsigned int p9_u32int;
+typedef unsigned long long p9_u64int;
typedef p9_u32int mpdigit;
/* make sure we don't conflict with predefined types */
@@ -40,6 +42,7 @@
#define ushort p9_ushort
#define uint p9_uint
#define u32int p9_u32int
+#define u64int p9_u64int
/* #define long int rather than p9_long so that "unsigned long" is valid */
#define long int
@@ -277,3 +280,23 @@
extern int (*fmtdoquote)(int);
+
+/*
+ * Time-of-day
+ */
+
+typedef
+struct Tm
+{
+ int sec;
+ int min;
+ int hour;
+ int mday;
+ int mon;
+ int year;
+ int wday;
+ int yday;
+ char zone[4];
+ int tzoff;
+} Tm;
+extern Tm* gmtime(long);
--- a/include/libsec.h
+++ b/include/libsec.h
@@ -1,11 +1,10 @@
-
#ifndef _MPINT
typedef struct mpint mpint;
#endif
-/////////////////////////////////////////////////////////
-// AES definitions
-/////////////////////////////////////////////////////////
+/*
+ * AES definitions
+ */
enum
{
@@ -20,27 +19,35 @@
ulong setup;
int rounds;
int keybytes;
- uchar key[AESmaxkey]; /* unexpanded key */
- u32int ekey[4*(AESmaxrounds + 1)]; /* encryption key */
- u32int dkey[4*(AESmaxrounds + 1)]; /* decryption key */
- uchar ivec[AESbsize]; /* initialization vector */
+ uchar key[AESmaxkey]; /* unexpanded key */
+ ulong ekey[4*(AESmaxrounds + 1)]; /* encryption key */
+ ulong dkey[4*(AESmaxrounds + 1)]; /* decryption key */
+ uchar ivec[AESbsize]; /* initialization vector */
+ uchar mackey[3 * AESbsize]; /* 3 XCBC mac 96 keys */
};
+/* block ciphers */
+void aes_encrypt(ulong rk[], int Nr, uchar pt[16], uchar ct[16]);
+void aes_decrypt(ulong rk[], int Nr, uchar ct[16], uchar pt[16]);
+
void setupAESstate(AESstate *s, uchar key[], int keybytes, uchar *ivec);
void aesCBCencrypt(uchar *p, int len, AESstate *s);
void aesCBCdecrypt(uchar *p, int len, AESstate *s);
-/////////////////////////////////////////////////////////
-// Blowfish Definitions
-/////////////////////////////////////////////////////////
+void setupAESXCBCstate(AESstate *s);
+uchar* aesXCBCmac(uchar *p, int len, AESstate *s);
+/*
+ * Blowfish Definitions
+ */
+
enum
{
BFbsize = 8,
- BFrounds = 16
+ BFrounds= 16
};
-// 16-round Blowfish
+/* 16-round Blowfish */
typedef struct BFstate BFstate;
struct BFstate
{
@@ -59,16 +66,80 @@
void bfECBencrypt(uchar*, int, BFstate*);
void bfECBdecrypt(uchar*, int, BFstate*);
-/////////////////////////////////////////////////////////
-// DES definitions
-/////////////////////////////////////////////////////////
+/*
+ * Chacha definitions
+ */
enum
{
+ ChachaBsize= 64,
+ ChachaKeylen= 256/8,
+ ChachaIVlen= 96/8,
+};
+
+typedef struct Chachastate Chachastate;
+struct Chachastate
+{
+ union{
+ u32int input[16];
+ struct {
+ u32int constant[4];
+ u32int key[8];
+ u32int counter;
+ u32int iv[3];
+ };
+ };
+ int rounds;
+ int ivwords;
+};
+
+void setupChachastate(Chachastate*, uchar*, ulong, uchar*, ulong, int);
+void chacha_setiv(Chachastate *, uchar*);
+void chacha_setblock(Chachastate*, u64int);
+void chacha_encrypt(uchar*, ulong, Chachastate*);
+void chacha_encrypt2(uchar*, uchar*, ulong, Chachastate*);
+
+void ccpoly_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs);
+int ccpoly_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs);
+
+/*
+ * Salsa definitions
+ */
+enum
+{
+ SalsaBsize= 64,
+ SalsaKeylen= 256/8,
+ SalsaIVlen= 64/8,
+ XSalsaIVlen= 192/8,
+};
+
+typedef struct Salsastate Salsastate;
+struct Salsastate
+{
+ u32int input[16];
+ u32int key[8];
+ int rounds;
+ int ivwords;
+};
+
+void setupSalsastate(Salsastate*, uchar*, ulong, uchar*, ulong, int);
+void salsa_setiv(Salsastate*, uchar*);
+void salsa_setblock(Salsastate*, u64int);
+void salsa_encrypt(uchar*, ulong, Salsastate*);
+void salsa_encrypt2(uchar*, uchar*, ulong, Salsastate*);
+
+void hsalsa(uchar h[32], uchar *key, ulong keylen, uchar nonce[16], int rounds);
+
+/*
+ * DES definitions
+ */
+
+enum
+{
DESbsize= 8
};
-// single des
+/* single des */
typedef struct DESstate DESstate;
struct DESstate
{
@@ -86,12 +157,12 @@
void desECBencrypt(uchar*, int, DESstate*);
void desECBdecrypt(uchar*, int, DESstate*);
-// for backward compatibility with 7 byte DES key format
+/* for backward compatibility with 7-byte DES key format */
void des56to64(uchar *k56, uchar *k64);
void des64to56(uchar *k64, uchar *k56);
void key_setup(uchar[7], ulong[32]);
-// triple des encrypt/decrypt orderings
+/* triple des encrypt/decrypt orderings */
enum {
DES3E= 0,
DES3D= 1,
@@ -117,67 +188,97 @@
void des3ECBencrypt(uchar*, int, DES3state*);
void des3ECBdecrypt(uchar*, int, DES3state*);
-/////////////////////////////////////////////////////////
-// digests
-/////////////////////////////////////////////////////////
+/*
+ * digests
+ */
enum
{
SHA1dlen= 20, /* SHA digest length */
+ SHA2_224dlen= 28, /* SHA-224 digest length */
+ SHA2_256dlen= 32, /* SHA-256 digest length */
+ SHA2_384dlen= 48, /* SHA-384 digest length */
+ SHA2_512dlen= 64, /* SHA-512 digest length */
MD4dlen= 16, /* MD4 digest length */
- MD5dlen= 16 /* MD5 digest length */
+ MD5dlen= 16, /* MD5 digest length */
+ Poly1305dlen= 16, /* Poly1305 digest length */
+
+ Hmacblksz = 64, /* in bytes; from rfc2104 */
};
typedef struct DigestState DigestState;
struct DigestState
{
- ulong len;
- u32int state[5];
- uchar buf[128];
- int blen;
- char malloced;
- char seeded;
+ uvlong len;
+ union {
+ u32int state[8];
+ u64int bstate[8];
+ };
+ uchar buf[256];
+ int blen;
+ char malloced;
+ char seeded;
};
typedef struct DigestState SHAstate; /* obsolete name */
typedef struct DigestState SHA1state;
+typedef struct DigestState SHA2_224state;
+typedef struct DigestState SHA2_256state;
+typedef struct DigestState SHA2_384state;
+typedef struct DigestState SHA2_512state;
typedef struct DigestState MD5state;
typedef struct DigestState MD4state;
-DigestState* md4(uchar*, ulong, uchar*, DigestState*);
-DigestState* md5(uchar*, ulong, uchar*, DigestState*);
-DigestState* sha1(uchar*, ulong, uchar*, DigestState*);
-DigestState* hmac_md5(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
-DigestState* hmac_sha1(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
-char* sha1pickle(SHA1state*);
-SHA1state* sha1unpickle(char*);
+DigestState* md4(uchar*, ulong, uchar*, DigestState*);
+DigestState* md5(uchar*, ulong, uchar*, DigestState*);
+DigestState* sha1(uchar*, ulong, uchar*, DigestState*);
+DigestState* sha2_224(uchar*, ulong, uchar*, DigestState*);
+DigestState* sha2_256(uchar*, ulong, uchar*, DigestState*);
+DigestState* sha2_384(uchar*, ulong, uchar*, DigestState*);
+DigestState* sha2_512(uchar*, ulong, uchar*, DigestState*);
+DigestState* hmac_x(uchar *p, ulong len, uchar *key, ulong klen,
+ uchar *digest, DigestState *s,
+ DigestState*(*x)(uchar*, ulong, uchar*, DigestState*),
+ int xlen);
+DigestState* hmac_md5(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+DigestState* hmac_sha1(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+DigestState* hmac_sha2_224(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+DigestState* hmac_sha2_256(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+DigestState* hmac_sha2_384(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+DigestState* hmac_sha2_512(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+char* md5pickle(MD5state*);
+MD5state* md5unpickle(char*);
+char* sha1pickle(SHA1state*);
+SHA1state* sha1unpickle(char*);
-/////////////////////////////////////////////////////////
-// random number generation
-/////////////////////////////////////////////////////////
+DigestState* poly1305(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+
+/*
+ * random number generation
+ */
void genrandom(uchar *buf, int nbytes);
void prng(uchar *buf, int nbytes);
ulong fastrand(void);
ulong nfastrand(ulong);
-/////////////////////////////////////////////////////////
-// primes
-/////////////////////////////////////////////////////////
-void genprime(mpint *p, int n, int accuracy); // generate an n bit probable prime
-void gensafeprime(mpint *p, mpint *alpha, int n, int accuracy); // prime and generator
-void genstrongprime(mpint *p, int n, int accuracy); // generate an n bit strong prime
+/*
+ * primes
+ */
+void genprime(mpint *p, int n, int accuracy); /* generate n-bit probable prime */
+void gensafeprime(mpint *p, mpint *alpha, int n, int accuracy); /* prime & generator */
+void genstrongprime(mpint *p, int n, int accuracy); /* generate n-bit strong prime */
void DSAprimes(mpint *q, mpint *p, uchar seed[SHA1dlen]);
-int probably_prime(mpint *n, int nrep); // miller-rabin test
-int smallprimetest(mpint *p); // returns -1 if not prime, 0 otherwise
+int probably_prime(mpint *n, int nrep); /* miller-rabin test */
+int smallprimetest(mpint *p); /* returns -1 if not prime, 0 otherwise */
-/////////////////////////////////////////////////////////
-// rc4
-/////////////////////////////////////////////////////////
+/*
+ * rc4
+ */
typedef struct RC4state RC4state;
struct RC4state
{
- uchar state[256];
- uchar x;
- uchar y;
+ uchar state[256];
+ uchar x;
+ uchar y;
};
void setupRC4state(RC4state*, uchar*, int);
@@ -185,34 +286,41 @@
void rc4skip(RC4state*, int);
void rc4back(RC4state*, int);
-/////////////////////////////////////////////////////////
-// rsa
-/////////////////////////////////////////////////////////
+/*
+ * rsa
+ */
typedef struct RSApub RSApub;
typedef struct RSApriv RSApriv;
+typedef struct PEMChain PEMChain;
-// public/encryption key
+/* public/encryption key */
struct RSApub
{
- mpint *n; // modulus
- mpint *ek; // exp (encryption key)
+ mpint *n; /* modulus */
+ mpint *ek; /* exp (encryption key) */
};
-// private/decryption key
+/* private/decryption key */
struct RSApriv
{
RSApub pub;
- mpint *dk; // exp (decryption key)
+ mpint *dk; /* exp (decryption key) */
- // precomputed values to help with chinese remainder theorem calc
+ /* precomputed values to help with chinese remainder theorem calc */
mpint *p;
mpint *q;
- mpint *kp; // dk mod p-1
- mpint *kq; // dk mod q-1
- mpint *c2; // (inv p) mod q
+ mpint *kp; /* dk mod p-1 */
+ mpint *kq; /* dk mod q-1 */
+ mpint *c2; /* (inv p) mod q */
};
+struct PEMChain{
+ PEMChain*next;
+ uchar *pem;
+ int pemlen;
+};
+
RSApriv* rsagen(int nlen, int elen, int rounds);
RSApriv* rsafill(mpint *n, mpint *e, mpint *d, mpint *p, mpint *q);
mpint* rsaencrypt(RSApub *k, mpint *in, mpint *out);
@@ -225,34 +333,38 @@
RSApub* X509toRSApub(uchar*, int, char*, int);
RSApriv* asn1toRSApriv(uchar*, int);
void asn1dump(uchar *der, int len);
-uchar* decodepem(char *s, char *type, int *len);
-uchar* X509gen(RSApriv *priv, char *subj, ulong valid[2], int *certlen);
-uchar* X509req(RSApriv *priv, char *subj, int *certlen);
-char* X509verify(uchar *cert, int ncert, RSApub *pk);
+uchar* decodePEM(char *s, char *type, int *len, char **new_s);
+PEMChain* decodepemchain(char *s, char *type);
+uchar* X509rsagen(RSApriv *priv, char *subj, ulong valid[2], int *certlen);
+uchar* X509rsareq(RSApriv *priv, char *subj, int *certlen);
+char* X509rsaverifydigest(uchar *sig, int siglen, uchar *edigest, int edigestlen, RSApub *pk);
+char* X509rsaverify(uchar *cert, int ncert, RSApub *pk);
+
void X509dump(uchar *cert, int ncert);
-/////////////////////////////////////////////////////////
-// elgamal
-/////////////////////////////////////////////////////////
+
+/*
+ * elgamal
+ */
typedef struct EGpub EGpub;
typedef struct EGpriv EGpriv;
typedef struct EGsig EGsig;
-// public/encryption key
+/* public/encryption key */
struct EGpub
{
- mpint *p; // modulus
- mpint *alpha; // generator
- mpint *key; // (encryption key) alpha**secret mod p
+ mpint *p; /* modulus */
+ mpint *alpha; /* generator */
+ mpint *key; /* (encryption key) alpha**secret mod p */
};
-// private/decryption key
+/* private/decryption key */
struct EGpriv
{
EGpub pub;
- mpint *secret; // (decryption key)
+ mpint *secret; /* (decryption key) */
};
-// signature
+/* signature */
struct EGsig
{
mpint *r, *s;
@@ -259,7 +371,7 @@
};
EGpriv* eggen(int nlen, int rounds);
-mpint* egencrypt(EGpub *k, mpint *in, mpint *out);
+mpint* egencrypt(EGpub *k, mpint *in, mpint *out); /* deprecated */
mpint* egdecrypt(EGpriv *k, mpint *in, mpint *out);
EGsig* egsign(EGpriv *k, mpint *m);
int egverify(EGpub *k, EGsig *sig, mpint *m);
@@ -271,36 +383,36 @@
void egsigfree(EGsig*);
EGpub* egprivtopub(EGpriv*);
-/////////////////////////////////////////////////////////
-// dsa
-/////////////////////////////////////////////////////////
+/*
+ * dsa
+ */
typedef struct DSApub DSApub;
typedef struct DSApriv DSApriv;
typedef struct DSAsig DSAsig;
-// public/encryption key
+/* public/encryption key */
struct DSApub
{
- mpint *p; // modulus
- mpint *q; // group order, q divides p-1
- mpint *alpha; // group generator
- mpint *key; // (encryption key) alpha**secret mod p
+ mpint *p; /* modulus */
+ mpint *q; /* group order, q divides p-1 */
+ mpint *alpha; /* group generator */
+ mpint *key; /* (encryption key) alpha**secret mod p */
};
-// private/decryption key
+/* private/decryption key */
struct DSApriv
{
DSApub pub;
- mpint *secret; // (decryption key)
+ mpint *secret; /* (decryption key) */
};
-// signature
+/* signature */
struct DSAsig
{
mpint *r, *s;
};
-DSApriv* dsagen(DSApub *opub);
+DSApriv* dsagen(DSApub *opub); /* opub not checked for consistency! */
DSAsig* dsasign(DSApriv *k, mpint *m);
int dsaverify(DSApub *k, DSAsig *sig, mpint *m);
DSApub* dsapuballoc(void);
@@ -310,31 +422,135 @@
DSAsig* dsasigalloc(void);
void dsasigfree(DSAsig*);
DSApub* dsaprivtopub(DSApriv*);
+DSApriv* asn1toDSApriv(uchar*, int);
-/////////////////////////////////////////////////////////
-// TLS
-/////////////////////////////////////////////////////////
+/*
+ * TLS
+ */
typedef struct Thumbprint{
struct Thumbprint *next;
- uchar sha1[SHA1dlen];
+ uchar sha1[SHA1dlen];
} Thumbprint;
typedef struct TLSconn{
- char dir[40]; // connection directory
- uchar *cert; // certificate (local on input, remote on output)
- uchar *sessionID;
- int certlen, sessionIDlen;
- int (*trace)(char*fmt, ...);
+ char dir[40]; /* connection directory */
+ uchar *cert; /* certificate (local on input, remote on output) */
+ uchar *sessionID;
+ uchar *psk;
+ int certlen;
+ int sessionIDlen;
+ int psklen;
+ int (*trace)(char*fmt, ...);
+ PEMChain*chain; /* optional extra certificate evidence for servers to present */
+ char *sessionType;
+ uchar *sessionKey;
+ int sessionKeylen;
+ char *sessionConst;
+ char *serverName;
+ char *pskID;
} TLSconn;
-// tlshand.c
-extern int tlsClient(int fd, TLSconn *c);
-extern int tlsServer(int fd, TLSconn *c);
+/* tlshand.c */
+int tlsClient(int fd, TLSconn *c);
+int tlsServer(int fd, TLSconn *c);
-// thumb.c
-extern Thumbprint* initThumbprints(char *ok, char *crl);
-extern void freeThumbprints(Thumbprint *ok);
-extern int okThumbprint(uchar *sha1, Thumbprint *ok);
+/* thumb.c */
+Thumbprint* initThumbprints(char *ok, char *crl);
+void freeThumbprints(Thumbprint *ok);
+int okThumbprint(uchar *sha1, Thumbprint *ok);
-// readcert.c
-extern uchar *readcert(char *filename, int *pcertlen);
+/* readcert.c */
+uchar *readcert(char *filename, int *pcertlen);
+PEMChain*readcertchain(char *filename);
+
+/* aes_xts.c */
+int aes_xts_encrypt(ulong tweak[], ulong ecb[], vlong sectorNumber, uchar *input, uchar *output, ulong len) ;
+int aes_xts_decrypt(ulong tweak[], ulong ecb[], vlong sectorNumber, uchar *input, uchar *output, ulong len);
+
+typedef struct ECpoint{
+ int inf;
+ mpint *x;
+ mpint *y;
+} ECpoint;
+
+typedef ECpoint ECpub;
+typedef struct ECpriv{
+ ECpoint;
+ mpint *d;
+} ECpriv;
+
+typedef struct ECdomain{
+ mpint *p;
+ mpint *a;
+ mpint *b;
+ ECpoint G;
+ mpint *n;
+ mpint *h;
+} ECdomain;
+
+void ecdominit(ECdomain *, void (*init)(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h));
+void ecdomfree(ECdomain *);
+
+void ecassign(ECdomain *, ECpoint *old, ECpoint *new);
+void ecadd(ECdomain *, ECpoint *a, ECpoint *b, ECpoint *s);
+void ecmul(ECdomain *, ECpoint *a, mpint *k, ECpoint *s);
+ECpoint* strtoec(ECdomain *, char *, char **, ECpoint *);
+ECpriv* ecgen(ECdomain *, ECpriv*);
+int ecverify(ECdomain *, ECpoint *);
+int ecpubverify(ECdomain *, ECpub *);
+void ecdsasign(ECdomain *, ECpriv *, uchar *, int, mpint *, mpint *);
+int ecdsaverify(ECdomain *, ECpub *, uchar *, int, mpint *, mpint *);
+void base58enc(uchar *, char *, int);
+int base58dec(char *, uchar *, int);
+
+ECpub* ecdecodepub(ECdomain *dom, uchar *, int);
+int ecencodepub(ECdomain *dom, ECpub *, uchar *, int);
+void ecpubfree(ECpub *);
+
+ECpub* X509toECpub(uchar *cert, int ncert, ECdomain *dom);
+char* X509ecdsaverifydigest(uchar *sig, int siglen, uchar *edigest, int edigestlen, ECdomain *dom, ECpub *pub);
+char* X509ecdsaverify(uchar *sig, int siglen, ECdomain *dom, ECpub *pub);
+
+/* curves */
+void secp256r1(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h);
+void secp256k1(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h);
+
+DigestState* ripemd160(uchar *, ulong, uchar *, DigestState *);
+
+/*
+ * Diffie-Hellman key exchange
+ */
+
+typedef struct DHstate DHstate;
+struct DHstate
+{
+ mpint *g; /* base g */
+ mpint *p; /* large prime */
+ mpint *q; /* subgroup prime */
+ mpint *x; /* random secret */
+ mpint *y; /* public key y = g**x % p */
+};
+
+/* generate new public key: y = g**x % p */
+mpint* dh_new(DHstate *dh, mpint *p, mpint *q, mpint *g);
+
+/* calculate shared key: k = y**x % p */
+mpint* dh_finish(DHstate *dh, mpint *y);
+
+/* Curve25519 elliptic curve, public key function */
+void curve25519(uchar mypublic[32], uchar secret[32], uchar basepoint[32]);
+
+/* Curve25519 diffie hellman */
+void curve25519_dh_new(uchar x[32], uchar y[32]);
+void curve25519_dh_finish(uchar x[32], uchar y[32], uchar z[32]);
+
+/* password-based key derivation function 2 (rfc2898) */
+void pbkdf2_x(uchar *p, ulong plen, uchar *s, ulong slen, ulong rounds, uchar *d, ulong dlen,
+ DigestState* (*x)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*), int xlen);
+
+/* hmac-based key derivation function (rfc5869) */
+void hkdf_x(uchar *salt, ulong nsalt, uchar *info, ulong ninfo, uchar *key, ulong nkey, uchar *d, ulong dlen,
+ DigestState* (*x)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*), int xlen);
+
+/* timing safe memcmp() */
+int tsmemcmp(void*, void*, ulong);
--- a/include/mp.h
+++ b/include/mp.h
@@ -1,16 +1,17 @@
#define _MPINT 1
-// the code assumes mpdigit to be at least an int
-// mpdigit must be an atomic type. mpdigit is defined
-// in the architecture specific u.h
-
+/*
+ * the code assumes mpdigit to be at least an int
+ * mpdigit must be an atomic type. mpdigit is defined
+ * in the architecture specific u.h
+ */
typedef struct mpint mpint;
struct mpint
{
- int sign; // +1 or -1
- int size; // allocated digits
- int top; // significant digits
+ int sign; /* +1 or -1 */
+ int size; /* allocated digits */
+ int top; /* significant digits */
mpdigit *p;
char flags;
};
@@ -17,118 +18,158 @@
enum
{
- MPstatic= 0x01,
- Dbytes= sizeof(mpdigit), // bytes per digit
- Dbits= Dbytes*8 // bits per digit
+ MPstatic= 0x01, /* static constant */
+ MPnorm= 0x02, /* normalization status */
+ MPtimesafe= 0x04, /* request time invariant computation */
+ MPfield= 0x08, /* this mpint is a field modulus */
+
+ Dbytes= sizeof(mpdigit), /* bytes per digit */
+ Dbits= Dbytes*8 /* bits per digit */
};
-// allocation
-void mpsetminbits(int n); // newly created mpint's get at least n bits
-mpint* mpnew(int n); // create a new mpint with at least n bits
+/* allocation */
+void mpsetminbits(int n); /* newly created mpint's get at least n bits */
+mpint* mpnew(int n); /* create a new mpint with at least n bits */
void mpfree(mpint *b);
-void mpbits(mpint *b, int n); // ensure that b has at least n bits
-void mpnorm(mpint *b); // dump leading zeros
+void mpbits(mpint *b, int n); /* ensure that b has at least n bits */
+mpint* mpnorm(mpint *b); /* dump leading zeros */
mpint* mpcopy(mpint *b);
void mpassign(mpint *old, mpint *new);
-// random bits
+/* random bits */
mpint* mprand(int bits, void (*gen)(uchar*, int), mpint *b);
+/* return uniform random [0..n-1] */
+mpint* mpnrand(mpint *n, void (*gen)(uchar*, int), mpint *b);
-// conversion
-mpint* strtomp(char*, char**, int, mpint*); // ascii
+/* conversion */
+mpint* strtomp(char*, char**, int, mpint*); /* ascii */
int mpfmt(Fmt*);
char* mptoa(mpint*, int, char*, int);
-mpint* letomp(uchar*, uint, mpint*); // byte array, little-endian
+mpint* letomp(uchar*, uint, mpint*); /* byte array, little-endian */
int mptole(mpint*, uchar*, uint, uchar**);
-mpint* betomp(uchar*, uint, mpint*); // byte array, little-endian
+void mptolel(mpint *b, uchar *p, int n);
+mpint* betomp(uchar*, uint, mpint*); /* byte array, big-endian */
int mptobe(mpint*, uchar*, uint, uchar**);
-uint mptoui(mpint*); // unsigned int
+void mptober(mpint *b, uchar *p, int n);
+uint mptoui(mpint*); /* unsigned int */
mpint* uitomp(uint, mpint*);
-int mptoi(mpint*); // int
+int mptoi(mpint*); /* int */
mpint* itomp(int, mpint*);
-uvlong mptouv(mpint*); // unsigned vlong
+uvlong mptouv(mpint*); /* unsigned vlong */
mpint* uvtomp(uvlong, mpint*);
-vlong mptov(mpint*); // vlong
+vlong mptov(mpint*); /* vlong */
mpint* vtomp(vlong, mpint*);
-// divide 2 digits by one
+/* divide 2 digits by one */
void mpdigdiv(mpdigit *dividend, mpdigit divisor, mpdigit *quotient);
-// in the following, the result mpint may be
-// the same as one of the inputs.
-void mpadd(mpint *b1, mpint *b2, mpint *sum); // sum = b1+b2
-void mpsub(mpint *b1, mpint *b2, mpint *diff); // diff = b1-b2
-void mpleft(mpint *b, int shift, mpint *res); // res = b<<shift
-void mpright(mpint *b, int shift, mpint *res); // res = b>>shift
-void mpmul(mpint *b1, mpint *b2, mpint *prod); // prod = b1*b2
-void mpexp(mpint *b, mpint *e, mpint *m, mpint *res); // res = b**e mod m
-void mpmod(mpint *b, mpint *m, mpint *remainder); // remainder = b mod m
+/* in the following, the result mpint may be */
+/* the same as one of the inputs. */
+void mpadd(mpint *b1, mpint *b2, mpint *sum); /* sum = b1+b2 */
+void mpsub(mpint *b1, mpint *b2, mpint *diff); /* diff = b1-b2 */
+void mpleft(mpint *b, int shift, mpint *res); /* res = b<<shift */
+void mpright(mpint *b, int shift, mpint *res); /* res = b>>shift */
+void mpmul(mpint *b1, mpint *b2, mpint *prod); /* prod = b1*b2 */
+void mpexp(mpint *b, mpint *e, mpint *m, mpint *res); /* res = b**e mod m */
+void mpmod(mpint *b, mpint *m, mpint *remainder); /* remainder = b mod m */
-// quotient = dividend/divisor, remainder = dividend % divisor
+/* logical operations */
+void mpand(mpint *b1, mpint *b2, mpint *res);
+void mpbic(mpint *b1, mpint *b2, mpint *res);
+void mpor(mpint *b1, mpint *b2, mpint *res);
+void mpnot(mpint *b, mpint *res);
+void mpxor(mpint *b1, mpint *b2, mpint *res);
+void mptrunc(mpint *b, int n, mpint *res);
+void mpxtend(mpint *b, int n, mpint *res);
+
+/* modular arithmetic, time invariant when 0≤b1≤m-1 and 0≤b2≤m-1 */
+void mpmodadd(mpint *b1, mpint *b2, mpint *m, mpint *sum); /* sum = b1+b2 % m */
+void mpmodsub(mpint *b1, mpint *b2, mpint *m, mpint *diff); /* diff = b1-b2 % m */
+void mpmodmul(mpint *b1, mpint *b2, mpint *m, mpint *prod); /* prod = b1*b2 % m */
+
+/* quotient = dividend/divisor, remainder = dividend % divisor */
void mpdiv(mpint *dividend, mpint *divisor, mpint *quotient, mpint *remainder);
-// return neg, 0, pos as b1-b2 is neg, 0, pos
+/* return neg, 0, pos as b1-b2 is neg, 0, pos */
int mpcmp(mpint *b1, mpint *b2);
-// extended gcd return d, x, and y, s.t. d = gcd(a,b) and ax+by = d
+/* res = s != 0 ? b1 : b2 */
+void mpsel(int s, mpint *b1, mpint *b2, mpint *res);
+
+/* extended gcd return d, x, and y, s.t. d = gcd(a,b) and ax+by = d */
void mpextendedgcd(mpint *a, mpint *b, mpint *d, mpint *x, mpint *y);
-// res = b**-1 mod m
+/* res = b**-1 mod m */
void mpinvert(mpint *b, mpint *m, mpint *res);
-// bit counting
-int mpsignif(mpint*); // number of sigificant bits in mantissa
-int mplowbits0(mpint*); // k, where n = 2**k * q for odd q
+/* bit counting */
+int mpsignif(mpint*); /* number of sigificant bits in mantissa */
+int mplowbits0(mpint*); /* k, where n = 2**k * q for odd q */
-// well known constants
+/* well known constants */
extern mpint *mpzero, *mpone, *mptwo;
-// sum[0:alen] = a[0:alen-1] + b[0:blen-1]
-// prereq: alen >= blen, sum has room for alen+1 digits
+/* sum[0:alen] = a[0:alen-1] + b[0:blen-1] */
+/* prereq: alen >= blen, sum has room for alen+1 digits */
void mpvecadd(mpdigit *a, int alen, mpdigit *b, int blen, mpdigit *sum);
-// diff[0:alen-1] = a[0:alen-1] - b[0:blen-1]
-// prereq: alen >= blen, diff has room for alen digits
+/* diff[0:alen-1] = a[0:alen-1] - b[0:blen-1] */
+/* prereq: alen >= blen, diff has room for alen digits */
void mpvecsub(mpdigit *a, int alen, mpdigit *b, int blen, mpdigit *diff);
-// p[0:n] += m * b[0:n-1]
-// prereq: p has room for n+1 digits
+/* p[0:n] += m * b[0:n-1] */
+/* prereq: p has room for n+1 digits */
void mpvecdigmuladd(mpdigit *b, int n, mpdigit m, mpdigit *p);
-// p[0:n] -= m * b[0:n-1]
-// prereq: p has room for n+1 digits
+/* p[0:n] -= m * b[0:n-1] */
+/* prereq: p has room for n+1 digits */
int mpvecdigmulsub(mpdigit *b, int n, mpdigit m, mpdigit *p);
-// p[0:alen*blen-1] = a[0:alen-1] * b[0:blen-1]
-// prereq: alen >= blen, p has room for m*n digits
+/* p[0:alen+blen-1] = a[0:alen-1] * b[0:blen-1] */
+/* prereq: alen >= blen, p has room for m*n digits */
void mpvecmul(mpdigit *a, int alen, mpdigit *b, int blen, mpdigit *p);
+void mpvectsmul(mpdigit *a, int alen, mpdigit *b, int blen, mpdigit *p);
-// sign of a - b or zero if the same
+/* sign of a - b or zero if the same */
int mpveccmp(mpdigit *a, int alen, mpdigit *b, int blen);
+int mpvectscmp(mpdigit *a, int alen, mpdigit *b, int blen);
-// divide the 2 digit dividend by the one digit divisor and stick in quotient
-// we assume that the result is one digit - overflow is all 1's
+/* divide the 2 digit dividend by the one digit divisor and stick in quotient */
+/* we assume that the result is one digit - overflow is all 1's */
void mpdigdiv(mpdigit *dividend, mpdigit divisor, mpdigit *quotient);
-// playing with magnitudes
+/* playing with magnitudes */
int mpmagcmp(mpint *b1, mpint *b2);
-void mpmagadd(mpint *b1, mpint *b2, mpint *sum); // sum = b1+b2
-void mpmagsub(mpint *b1, mpint *b2, mpint *sum); // sum = b1+b2
+void mpmagadd(mpint *b1, mpint *b2, mpint *sum); /* sum = b1+b2 */
+void mpmagsub(mpint *b1, mpint *b2, mpint *sum); /* sum = b1+b2 */
-// chinese remainder theorem
-typedef struct CRTpre CRTpre; // precomputed values for converting
- // twixt residues and mpint
-typedef struct CRTres CRTres; // residue form of an mpint
+/* chinese remainder theorem */
+typedef struct CRTpre CRTpre; /* precomputed values for converting */
+ /* twixt residues and mpint */
+typedef struct CRTres CRTres; /* residue form of an mpint */
struct CRTres
{
- int n; // number of residues
- mpint *r[1]; // residues
+ int n; /* number of residues */
+ mpint *r[1]; /* residues */
};
-CRTpre* crtpre(int, mpint**); // precompute conversion values
-CRTres* crtin(CRTpre*, mpint*); // convert mpint to residues
-void crtout(CRTpre*, CRTres*, mpint*); // convert residues to mpint
+CRTpre* crtpre(int, mpint**); /* precompute conversion values */
+CRTres* crtin(CRTpre*, mpint*); /* convert mpint to residues */
+void crtout(CRTpre*, CRTres*, mpint*); /* convert residues to mpint */
void crtprefree(CRTpre*);
void crtresfree(CRTres*);
+/* fast field arithmetic */
+typedef struct Mfield Mfield;
+
+struct Mfield
+{
+ mpint;
+ int (*reduce)(Mfield*, mpint*, mpint*);
+};
+
+mpint *mpfield(mpint*);
+
+Mfield *gmfield(mpint*);
+Mfield *cnfield(mpint*);
--- a/include/user.h
+++ b/include/user.h
@@ -81,6 +81,7 @@
extern void sleep(int);
extern void osyield(void);
extern void setmalloctag(void*, uintptr);
+extern void setrealloctag(void*, uintptr);
extern int errstr(char*, uint);
extern int rerrstr(char*, uint);
extern int encrypt(void*, void*, int);
@@ -91,3 +92,4 @@
extern void lock(Lock*);
extern void unlock(Lock*);
extern int iprint(char*, ...);
+extern void exits(char*);
--- a/kern/devcons.c
+++ b/kern/devcons.c
@@ -1191,3 +1191,29 @@
return n;
}
+static ulong randn;
+
+static void
+seedrand(void)
+{
+ if(!waserror()){
+ randomread((void*)&randn, sizeof(randn));
+ poperror();
+ }
+}
+
+int
+nrand(int n)
+{
+ if(randn == 0)
+ seedrand();
+ randn = randn*1103515245 + 12345;
+ return (randn>>16) % n;
+}
+
+int
+rand(void)
+{
+ nrand(1);
+ return randn;
+}
--- a/kern/devssl.c
+++ b/kern/devssl.c
@@ -717,7 +717,7 @@
randfill(uchar *buf, int len)
{
while(len-- > 0)
- *buf++ = fastrand();
+ *buf++ = nrand(256);
}
static long
--- a/kern/devtls.c
+++ b/kern/devtls.c
@@ -8,9 +8,9 @@
#include "error.h"
#include "libsec.h"
-
+
typedef struct OneWay OneWay;
-typedef struct Secret Secret;
+typedef struct Secret Secret;
typedef struct TlsRec TlsRec;
typedef struct TlsErrs TlsErrs;
@@ -17,15 +17,16 @@
enum {
Statlen= 1024, /* max. length of status or stats message */
/* buffer limits */
- MaxRecLen = 1<<14, /* max payload length of a record layer message */
+ MaxRecLen = 1<<14, /* max payload length of a record layer message */
MaxCipherRecLen = MaxRecLen + 2048,
- RecHdrLen = 5,
- MaxMacLen = SHA1dlen,
+ RecHdrLen = 5,
+ MaxMacLen = SHA2_256dlen,
/* protocol versions we can accept */
- TLSVersion = 0x0301,
- SSL3Version = 0x0300,
- ProtocolVersion = 0x0301, /* maximum version we speak */
+ SSL3Version = 0x0300,
+ TLS10Version = 0x0301,
+ TLS11Version = 0x0302,
+ TLS12Version = 0x0303,
MinProtoVersion = 0x0300, /* limits on version we accept */
MaxProtoVersion = 0x03ff,
@@ -72,6 +73,7 @@
EInternalError = 80,
EUserCanceled = 90,
ENoRenegotiation = 100,
+ EUnrecognizedName = 112,
EMAX = 256
};
@@ -84,10 +86,14 @@
int (*dec)(Secret*, uchar*, int);
int (*unpad)(uchar*, int, int);
DigestState *(*mac)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+
+ int (*aead_enc)(Secret*, uchar*, int, uchar*, int);
+ int (*aead_dec)(Secret*, uchar*, int, uchar*, int);
+
int block; /* encryption block len, 0 if none */
int maclen;
void *enckey;
- uchar mackey[MaxMacLen];
+ uchar mackey[MaxMacLen];
};
struct OneWay
@@ -94,7 +100,7 @@
{
QLock io; /* locks io access */
QLock seclock; /* locks secret paramaters */
- ulong seq;
+ u64int seq;
Secret *sec; /* cipher in use */
Secret *new; /* cipher waiting for enable */
};
@@ -116,8 +122,11 @@
int state;
int debug;
- /* record layer mac functions for different protocol versions */
- void (*packMac)(Secret*, uchar*, uchar*, uchar*, uchar*, int, uchar*);
+ /*
+ * function to genrate authenticated data blob for different
+ * protocol versions
+ */
+ int (*packAAD)(u64int, uchar*, uchar*);
/* input side -- protected by in.io */
OneWay in;
@@ -218,13 +227,14 @@
static DigestState*sslmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
static DigestState*sslmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
static DigestState*nomac(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s);
-static void sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
-static void tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac);
-static void put64(uchar *p, vlong x);
+static int sslPackAAD(u64int, uchar*, uchar*);
+static int tlsPackAAD(u64int, uchar*, uchar*);
+static void packMac(Secret*, uchar*, int, uchar*, int, uchar*);
+static void put64(uchar *p, u64int);
static void put32(uchar *p, u32int);
static void put24(uchar *p, int);
static void put16(uchar *p, int);
-/* static u32int get32(uchar *p); */
+static u32int get32(uchar *p);
static int get16(uchar *p);
static void tlsSetState(TlsRec *tr, int new, int old);
static void rcvAlert(TlsRec *tr, int err);
@@ -233,6 +243,10 @@
static int rc4enc(Secret *sec, uchar *buf, int n);
static int des3enc(Secret *sec, uchar *buf, int n);
static int des3dec(Secret *sec, uchar *buf, int n);
+static int aesenc(Secret *sec, uchar *buf, int n);
+static int aesdec(Secret *sec, uchar *buf, int n);
+static int ccpoly_aead_enc(Secret *sec, uchar *aad, int aadlen, uchar *data, int len);
+static int ccpoly_aead_dec(Secret *sec, uchar *aad, int aadlen, uchar *data, int len);
static int noenc(Secret *sec, uchar *buf, int n);
static int sslunpad(uchar *buf, int n, int block);
static int tlsunpad(uchar *buf, int n, int block);
@@ -241,24 +255,20 @@
static void pdump(int, void*, char*);
static char *tlsnames[] = {
- /* unused */ 0,
- /* topdir */ 0,
- /* protodir */ 0,
- "clone",
- "encalgs",
- "hashalgs",
- /* convdir */ 0,
- "data",
- "ctl",
- "hand",
- "status",
- "stats",
+[Qclonus] "clone",
+[Qencalgs] "encalgs",
+[Qhashalgs] "hashalgs",
+[Qdata] "data",
+[Qctl] "ctl",
+[Qhand] "hand",
+[Qstatus] "status",
+[Qstats] "stats",
};
static int convdir[] = { Qctl, Qdata, Qhand, Qstatus, Qstats };
static int
-tlsgen(Chan *c, char*unused1, Dirtab *unused2, int unused3, int s, Dir *dp)
+tlsgen(Chan *c, char *unused1, Dirtab *unused2, int unused3, int s, Dir *dp)
{
Qid q;
TlsRec *tr;
@@ -377,7 +387,6 @@
unlock(&tdlock);
return 1;
}
- return -1;
}
static Chan*
@@ -467,7 +476,7 @@
lock(&tr->hqlock);
if(tr->handq != nil)
error(Einuse);
- tr->handq = qopen(2 * MaxCipherRecLen, 0, 0, nil);
+ tr->handq = qopen(2 * MaxCipherRecLen, 0, nil, nil);
if(tr->handq == nil)
error("cannot allocate handshake queue");
tr->hqref = 1;
@@ -732,9 +741,10 @@
{
OneWay *volatile in;
Block *volatile b;
- uchar *p, seq[8], header[RecHdrLen], hmac[MD5dlen];
+ uchar *p, aad[8+RecHdrLen], header[RecHdrLen], hmac[MaxMacLen];
int volatile nconsumed;
- int len, type, ver, unpad_len;
+ int len, type, ver, unpad_len, aadlen, ivlen;
+ Secret *sec;
nconsumed = 0;
if(waserror()){
@@ -796,25 +806,46 @@
}
qlock(&in->seclock);
p = b->rp;
- if(in->sec != nil) {
+ sec = in->sec;
+ if(sec != nil) {
/* to avoid Canvel-Hiltgen-Vaudenay-Vuagnoux attack, all errors here
should look alike, including timing of the response. */
- unpad_len = (*in->sec->dec)(in->sec, p, len);
- if(unpad_len >= in->sec->maclen)
- len = unpad_len - in->sec->maclen;
+ if(sec->aead_dec != nil)
+ unpad_len = len;
+ else {
+ unpad_len = (*sec->dec)(sec, p, len);
if(tr->debug) pprint("decrypted %d\n", unpad_len);
if(tr->debug) pdump(unpad_len, p, "decrypted:");
+ }
+ if(tr->version >= TLS11Version){
+ ivlen = sec->block;
+ len -= ivlen;
+ if(len < 0)
+ rcvError(tr, EDecodeError, "runt record message");
+ unpad_len -= ivlen;
+ p += ivlen;
+ }
+
+ if(unpad_len >= sec->maclen)
+ len = unpad_len - sec->maclen;
+
/* update length */
put16(header+3, len);
- put64(seq, in->seq);
- in->seq++;
- (*tr->packMac)(in->sec, in->sec->mackey, seq, header, p, len, hmac);
- if(unpad_len < in->sec->maclen)
- rcvError(tr, EBadRecordMac, "short record mac");
- if(memcmp(hmac, p+len, in->sec->maclen) != 0)
- rcvError(tr, EBadRecordMac, "record mac mismatch");
- b->wp = b->rp + len;
+ aadlen = (*tr->packAAD)(in->seq++, header, aad);
+ if(sec->aead_dec != nil) {
+ len = (*sec->aead_dec)(sec, aad, aadlen, p, unpad_len);
+ if(len < 0)
+ rcvError(tr, EBadRecordMac, "record mac mismatch");
+ } else {
+ packMac(sec, aad, aadlen, p, len, hmac);
+ if(unpad_len < sec->maclen)
+ rcvError(tr, EBadRecordMac, "short record mac");
+ if(tsmemcmp(hmac, p + len, sec->maclen) != 0)
+ rcvError(tr, EBadRecordMac, "record mac mismatch");
+ }
+ b->rp = p;
+ b->wp = p+len;
}
qunlock(&in->seclock);
poperror();
@@ -823,7 +854,7 @@
switch(type) {
default:
- rcvError(tr, EIllegalParameter, "invalid record message 0x%x", type);
+ rcvError(tr, EIllegalParameter, "invalid record message %#x", type);
break;
case RChangeCipherSpec:
if(len != 1 || p[0] != 1)
@@ -848,20 +879,27 @@
rcvError(tr, EIllegalParameter, "invalid alert fatal code");
/*
- * propate non-fatal alerts to handshaker
+ * propagate non-fatal alerts to handshaker
*/
- if(p[1] == ECloseNotify) {
+ switch(p[1]){
+ case ECloseNotify:
tlsclosed(tr, SRClose);
if(tr->opened)
error("tls hungup");
error("close notify");
- }
- if(p[1] == ENoRenegotiation)
+ break;
+ case ENoRenegotiation:
alertHand(tr, "no renegotiation");
- else if(p[1] == EUserCanceled)
+ break;
+ case EUserCanceled:
alertHand(tr, "handshake canceled by user");
- else
+ break;
+ case EUnrecognizedName:
+ /* happens in response to SNI, can be ignored. */
+ break;
+ default:
rcvError(tr, EIllegalParameter, "invalid alert code");
+ }
break;
case RHandshake:
/*
@@ -1074,7 +1112,7 @@
/* return at most what was asked for */
b = qgrab(&tr->processed, n);
-if(tr->debug) pprint("consumed processed %d\n", BLEN(b));
+if(tr->debug) pprint("consumed processed %zd\n", BLEN(b));
if(tr->debug) pdump(BLEN(b), b->rp, "consumed:");
qunlock(&tr->in.io);
poperror();
@@ -1142,7 +1180,7 @@
s = buf;
e = buf + Statlen;
s = seprint(s, e, "State: %s\n", tlsstate(tr->state));
- s = seprint(s, e, "Version: 0x%x\n", tr->version);
+ s = seprint(s, e, "Version: %#x\n", tr->version);
if(tr->in.sec != nil)
s = seprint(s, e, "EncIn: %s\nHashIn: %s\n", tr->in.sec->encalg, tr->in.sec->hashalg);
if(tr->in.new != nil)
@@ -1202,6 +1240,13 @@
return n;
}
+static void
+randfill(uchar *buf, int len)
+{
+ while(len-- > 0)
+ *buf++ = nrand(256);
+}
+
/*
* write a block in tls records
*/
@@ -1210,9 +1255,10 @@
{
Block *volatile bb;
Block *nb;
- uchar *p, seq[8];
+ uchar *p, aad[8+RecHdrLen];
OneWay *volatile out;
- int n, maclen, pad, ok;
+ int n, ivlen, maclen, aadlen, pad, ok;
+ Secret *sec;
out = &tr->out;
bb = b;
@@ -1223,7 +1269,7 @@
nexterror();
}
qlock(&out->io);
-if(tr->debug)pprint("send %d\n", BLEN(b));
+if(tr->debug)pprint("send %zd\n", BLEN(b));
if(tr->debug)pdump(BLEN(b), b->rp, "sent:");
@@ -1245,21 +1291,25 @@
qlock(&out->seclock);
maclen = 0;
pad = 0;
- if(out->sec != nil){
- maclen = out->sec->maclen;
- pad = maclen + out->sec->block;
+ ivlen = 0;
+ sec = out->sec;
+ if(sec != nil){
+ maclen = sec->maclen;
+ pad = maclen + sec->block;
+ if(tr->version >= TLS11Version)
+ ivlen = sec->block;
}
n = BLEN(bb);
if(n > MaxRecLen){
n = MaxRecLen;
- nb = allocb(n + pad + RecHdrLen);
- memmove(nb->wp + RecHdrLen, bb->rp, n);
+ nb = allocb(RecHdrLen + ivlen + n + pad);
+ memmove(nb->wp + RecHdrLen + ivlen, bb->rp, n);
bb->rp += n;
}else{
/*
* carefully reuse bb so it will get freed if we're out of memory
*/
- bb = padblock(bb, RecHdrLen);
+ bb = padblock(bb, RecHdrLen + ivlen);
if(pad)
nb = padblock(bb, -pad);
else
@@ -1272,14 +1322,16 @@
put16(p+1, tr->version);
put16(p+3, n);
- if(out->sec != nil){
- put64(seq, out->seq);
- out->seq++;
- (*tr->packMac)(out->sec, out->sec->mackey, seq, p, p + RecHdrLen, n, p + RecHdrLen + n);
- n += maclen;
-
- /* encrypt */
- n = (*out->sec->enc)(out->sec, p + RecHdrLen, n);
+ if(sec != nil){
+ if(ivlen > 0)
+ randfill(p + RecHdrLen, ivlen);
+ aadlen = (*tr->packAAD)(out->seq++, p, aad);
+ if(sec->aead_enc != nil)
+ n = (*sec->aead_enc)(sec, aad, aadlen, p + RecHdrLen + ivlen, n) + ivlen;
+ else {
+ packMac(sec, aad, aadlen, p + RecHdrLen + ivlen, n, p + RecHdrLen + ivlen + n);
+ n = (*sec->enc)(sec, p + RecHdrLen, ivlen + n + maclen);
+ }
nb->wp = p + RecHdrLen + n;
/* update length */
@@ -1323,7 +1375,7 @@
tr = tlsdevs[CONV(c->qid)];
if(tr == nil)
- panic("tlsbread");
+ panic("tlsbwrite");
ty = TYPE(c->qid);
switch(ty) {
@@ -1363,7 +1415,7 @@
}
static void
-initclearmac(Hashalg *unused1, int unused2, Secret *s, uchar *unused3)
+initclearmac(Hashalg *ha, int version, Secret *s, uchar *p)
{
s->maclen = 0;
s->mac = nomac;
@@ -1380,11 +1432,22 @@
memmove(s->mackey, p, ha->maclen);
}
+static void
+initsha2_256key(Hashalg *ha, int version, Secret *s, uchar *p)
+{
+ if(version == SSL3Version)
+ error("sha256 cannot be used with SSL");
+ s->maclen = ha->maclen;
+ s->mac = hmac_sha2_256;
+ memmove(s->mackey, p, ha->maclen);
+}
+
static Hashalg hashtab[] =
{
- { "clear", 0, initclearmac, },
- { "md5", MD5dlen, initmd5key, },
- { "sha1", SHA1dlen, initsha1key, },
+ { "clear", 0, initclearmac, },
+ { "md5", MD5dlen, initmd5key, },
+ { "sha1", SHA1dlen, initsha1key, },
+ { "sha256", SHA2_256dlen, initsha2_256key, },
{ 0 }
};
@@ -1410,7 +1473,7 @@
};
static void
-initRC4key(Encalg *ea, Secret *s, uchar *p, uchar *unused1)
+initRC4key(Encalg *ea, Secret *s, uchar *p, uchar *iv)
{
s->enckey = smalloc(sizeof(RC4state));
s->enc = rc4enc;
@@ -1420,7 +1483,7 @@
}
static void
-initDES3key(Encalg *unused1, Secret *s, uchar *p, uchar *iv)
+initDES3key(Encalg *ea, Secret *s, uchar *p, uchar *iv)
{
s->enckey = smalloc(sizeof(DES3state));
s->enc = des3enc;
@@ -1430,18 +1493,53 @@
}
static void
-initclearenc(Encalg *unused1, Secret *s, uchar *unused2, uchar *unused3)
+initAESkey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
{
+ s->enckey = smalloc(sizeof(AESstate));
+ s->enc = aesenc;
+ s->dec = aesdec;
+ s->block = 16;
+ setupAESstate(s->enckey, p, ea->keylen, iv);
+}
+
+static void
+initccpolykey(Encalg *ea, Secret *s, uchar *p, uchar *iv)
+{
+ s->enckey = smalloc(sizeof(Chachastate));
s->enc = noenc;
s->dec = noenc;
+ s->mac = nomac;
+ s->aead_enc = ccpoly_aead_enc;
+ s->aead_dec = ccpoly_aead_dec;
s->block = 0;
+ s->maclen = Poly1305dlen;
+ if(ea->ivlen == 0) {
+ /* older draft version, iv is 64-bit sequence number */
+ setupChachastate(s->enckey, p, ea->keylen, nil, 64/8, 20);
+ } else {
+ /* IETF standard, 96-bit iv xored with sequence number */
+ memmove(s->mackey, iv, ea->ivlen);
+ setupChachastate(s->enckey, p, ea->keylen, iv, ea->ivlen, 20);
+ }
}
+static void
+initclearenc(Encalg *ea, Secret *s, uchar *key, uchar *iv)
+{
+ s->enc = noenc;
+ s->dec = noenc;
+ s->block = 0;
+}
+
static Encalg encrypttab[] =
{
{ "clear", 0, 0, initclearenc },
{ "rc4_128", 128/8, 0, initRC4key },
{ "3des_ede_cbc", 3 * 8, 8, initDES3key },
+ { "aes_128_cbc", 128/8, 16, initAESkey },
+ { "aes_256_cbc", 256/8, 16, initAESkey },
+ { "ccpoly64_aead", 256/8, 0, initccpolykey },
+ { "ccpoly96_aead", 256/8, 96/8, initccpolykey },
{ 0 }
};
@@ -1543,12 +1641,12 @@
if(tr->verset)
error("version already set");
m = strtol(cb->f[1], nil, 0);
+ if(m < MinProtoVersion || m > MaxProtoVersion)
+ error("unsupported version");
if(m == SSL3Version)
- tr->packMac = sslPackMac;
- else if(m == TLSVersion)
- tr->packMac = tlsPackMac;
+ tr->packAAD = sslPackAAD;
else
- error("unsupported version");
+ tr->packAAD = tlsPackAAD;
tr->verset = 1;
tr->version = m;
}else if(strcmp(cb->f[0], "secret") == 0){
@@ -1812,7 +1910,7 @@
{
int s;
-if(tr->debug)pprint("tleError %s\n", msg);
+if(tr->debug)pprint("tlsError %s\n", msg);
lock(&tr->statelk);
s = tr->state;
tr->state = SError;
@@ -1951,7 +2049,7 @@
}
static int
-noenc(Secret *unused1, uchar *unused2, int n)
+noenc(Secret *sec, uchar *buf, int n)
{
return n;
}
@@ -2017,9 +2115,64 @@
des3CBCdecrypt(buf, n, sec->enckey);
return (*sec->unpad)(buf, n, 8);
}
+
+static int
+aesenc(Secret *sec, uchar *buf, int n)
+{
+ n = blockpad(buf, n, 16);
+ aesCBCencrypt(buf, n, sec->enckey);
+ return n;
+}
+
+static int
+aesdec(Secret *sec, uchar *buf, int n)
+{
+ aesCBCdecrypt(buf, n, sec->enckey);
+ return (*sec->unpad)(buf, n, 16);
+}
+
+static void
+ccpoly_aead_setiv(Secret *sec, uchar seq[8])
+{
+ uchar iv[ChachaIVlen];
+ Chachastate *cs;
+ int i;
+
+ cs = (Chachastate*)sec->enckey;
+ if(cs->ivwords == 2){
+ chacha_setiv(cs, seq);
+ return;
+ }
+
+ memmove(iv, sec->mackey, ChachaIVlen);
+ for(i=0; i<8; i++)
+ iv[i+(ChachaIVlen-8)] ^= seq[i];
+
+ chacha_setiv(cs, iv);
+}
+
+static int
+ccpoly_aead_enc(Secret *sec, uchar *aad, int aadlen, uchar *data, int len)
+{
+ ccpoly_aead_setiv(sec, aad);
+ ccpoly_encrypt(data, len, aad, aadlen, data+len, sec->enckey);
+ return len + sec->maclen;
+}
+
+static int
+ccpoly_aead_dec(Secret *sec, uchar *aad, int aadlen, uchar *data, int len)
+{
+ len -= sec->maclen;
+ if(len < 0)
+ return -1;
+ ccpoly_aead_setiv(sec, aad);
+ if(ccpoly_decrypt(data, len, aad, aadlen, data+len, sec->enckey) != 0)
+ return -1;
+ return len;
+}
+
static DigestState*
-nomac(uchar *unused1, ulong unused2, uchar *unused3, ulong unused4,
- uchar *unused5, DigestState *unused6)
+nomac(uchar *p, ulong len, uchar *key, ulong keylen, uchar *digest, DigestState *s)
{
return nil;
}
@@ -2077,32 +2230,35 @@
return sslmac_x(p, len, key, klen, digest, s, md5, MD5dlen, 48);
}
-static void
-sslPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
+static int
+sslPackAAD(u64int seq, uchar *hdr, uchar *aad)
{
- DigestState *s;
- uchar buf[11];
+ put64(aad, seq);
+ aad[8] = hdr[0];
+ aad[9] = hdr[3];
+ aad[10] = hdr[4];
+ return 11;
+}
- memmove(buf, seq, 8);
- buf[8] = header[0];
- buf[9] = header[3];
- buf[10] = header[4];
-
- s = (*sec->mac)(buf, 11, mackey, sec->maclen, 0, 0);
- (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
+static int
+tlsPackAAD(u64int seq, uchar *hdr, uchar *aad)
+{
+ put64(aad, seq);
+ aad[8] = hdr[0];
+ aad[9] = hdr[1];
+ aad[10] = hdr[2];
+ aad[11] = hdr[3];
+ aad[12] = hdr[4];
+ return 13;
}
static void
-tlsPackMac(Secret *sec, uchar *mackey, uchar *seq, uchar *header, uchar *body, int len, uchar *mac)
+packMac(Secret *sec, uchar *aad, int aadlen, uchar *body, int bodylen, uchar *mac)
{
DigestState *s;
- uchar buf[13];
- memmove(buf, seq, 8);
- memmove(&buf[8], header, 5);
-
- s = (*sec->mac)(buf, 13, mackey, sec->maclen, 0, 0);
- (*sec->mac)(body, len, mackey, sec->maclen, mac, s);
+ s = (*sec->mac)(aad, aadlen, sec->mackey, sec->maclen, nil, nil);
+ (*sec->mac)(body, bodylen, sec->mackey, sec->maclen, mac, s);
}
static void
@@ -2115,10 +2271,10 @@
}
static void
-put64(uchar *p, vlong x)
+put64(uchar *p, u64int x)
{
- put32(p, (u32int)(x >> 32));
- put32(p+4, (u32int)x);
+ put32(p, x >> 32);
+ put32(p+4, x);
}
static void
@@ -2136,13 +2292,11 @@
p[1] = x;
}
-/*
static u32int
get32(uchar *p)
{
return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3];
}
-*/
static int
get16(uchar *p)
--- a/kern/stub.c
+++ b/kern/stub.c
@@ -145,6 +145,13 @@
USED(tag);
}
+void
+setrealloctag(void *v, uintptr tag)
+{
+ USED(v);
+ USED(tag);
+}
+
int
postnote(Proc *p, int x, char *msg, int flag)
{
--- a/kern/sysfile.c
+++ b/kern/sysfile.c
@@ -850,7 +850,6 @@
return l;
}
-
static void
starterror(void)
{
@@ -858,6 +857,13 @@
}
static void
+enderror(void)
+{
+ assert(up->nerrlab == 1);
+ poperror();
+}
+
+static void
_syserror(void)
{
char *p;
@@ -865,13 +871,6 @@
p = up->syserrstr;
up->syserrstr = up->errstr;
up->errstr = p;
-}
-
-static void
-enderror(void)
-{
- assert(up->nerrlab == 1);
- poperror();
}
int
--- a/libauth/attr.c
+++ b/libauth/attr.c
@@ -139,7 +139,7 @@
a = nil;
for(i=ntok-1; i>=0; i--){
t = tok[i];
- if((p = strchr(t, '='))){
+ if(p = strchr(t, '=')){
*p++ = '\0';
// if(p-2 >= t && p[-2] == ':'){
// p[-2] = '\0';
--- a/libauth/auth_getuserpasswd.c
+++ b/libauth/auth_getuserpasswd.c
@@ -15,7 +15,7 @@
for(;;){
if((ret = auth_rpc(rpc, verb, val, len)) != ARneedkey && ret != ARbadkey)
return ret;
- if(getkey == 0)
+ if(getkey == nil)
return ARgiveup; /* don't know how */
if((*getkey)(rpc->arg) < 0)
return ARgiveup; /* user punted */
--- a/libauth/auth_proxy.c
+++ b/libauth/auth_proxy.c
@@ -4,7 +4,7 @@
#include <auth.h>
#include "authlocal.h"
-enum {
+enum {
ARgiveup = 100,
};
@@ -90,7 +90,6 @@
if(auth_rpc(rpc, "authinfo", nil, 0) != ARok)
return nil;
- a = nil;
if(convM2AI((uchar*)rpc->arg, rpc->narg, &a) == nil){
werrstr("bad auth info from factotum");
return nil;
@@ -106,7 +105,7 @@
for(;;){
if((ret = auth_rpc(rpc, verb, val, len)) != ARneedkey && ret != ARbadkey)
return ret;
- if(getkey == 0)
+ if(getkey == nil)
return ARgiveup; /* don't know how */
if((*getkey)(rpc->arg) < 0)
return ARgiveup; /* user punted */
@@ -124,6 +123,11 @@
AuthInfo *a;
char oerr[ERRMAX];
+ if(rpc == nil){
+ werrstr("fauth_proxy - no factotum");
+ return nil;
+ }
+
rerrstr(oerr, sizeof oerr);
werrstr("UNKNOWN AUTH ERROR");
@@ -140,7 +144,8 @@
case ARdone:
free(buf);
a = auth_getinfo(rpc);
- errstr(oerr, sizeof oerr); /* no error, restore whatever was there */
+ /* no error, restore whatever was there */
+ errstr(oerr, sizeof oerr);
return a;
case ARok:
if(write(fd, rpc->arg, rpc->narg) != rpc->narg){
@@ -152,18 +157,21 @@
n = 0;
memset(buf, 0, AuthRpcMax);
while((ret = dorpc(rpc, "write", buf, n, getkey)) == ARtoosmall){
- if(atoi(rpc->arg) > AuthRpcMax)
+ m = atoi(rpc->arg);
+ if(m <= n || m > AuthRpcMax)
break;
- m = read(fd, buf+n, atoi(rpc->arg)-n);
+ m = read(fd, buf + n, m - n);
if(m <= 0){
if(m == 0)
- werrstr("auth_proxy short read: %s", buf);
+ werrstr("auth_proxy short read");
+ else
+ werrstr("auth_proxy read fd: %r");
goto Error;
}
n += m;
}
if(ret != ARok){
- werrstr("auth_proxy rpc write: %s: %r", buf);
+ werrstr("auth_proxy rpc write: %r");
goto Error;
}
break;
@@ -191,6 +199,7 @@
p = vsmprint(fmt, arg);
va_end(arg);
+ ai = nil;
afd = open("/mnt/factotum/rpc", ORDWR);
if(afd < 0){
werrstr("opening /mnt/factotum/rpc: %r");
@@ -199,15 +208,11 @@
}
rpc = auth_allocrpc(afd);
- if(rpc == nil){
- free(p);
- return nil;
+ if(rpc){
+ ai = fauth_proxy(fd, rpc, getkey, p);
+ auth_freerpc(rpc);
}
-
- ai = fauth_proxy(fd, rpc, getkey, p);
- free(p);
- auth_freerpc(rpc);
close(afd);
+ free(p);
return ai;
}
-
--- a/libauth/auth_respond.c
+++ b/libauth/auth_respond.c
@@ -16,7 +16,7 @@
for(;;){
if((ret = auth_rpc(rpc, verb, val, len)) != ARneedkey && ret != ARbadkey)
return ret;
- if(getkey == 0)
+ if(getkey == nil)
return ARgiveup; /* don't know how */
if((*getkey)(rpc->arg) < 0)
return ARgiveup; /* user punted */
--- a/libauth/auth_userpasswd.c
+++ b/libauth/auth_userpasswd.c
@@ -11,22 +11,21 @@
* this was copied from inet's guard.
*/
static void
-netresp(char *key, long chal, char *answer)
+netresp(char key[DESKEYLEN], long chal, char *answer)
{
uchar buf[8];
- memset(buf, 0, 8);
- sprint((char *)buf, "%lud", chal);
+ memset(buf, 0, sizeof buf);
+ snprint((char *)buf, sizeof buf, "%lud", chal);
if(encrypt(key, buf, 8) < 0)
abort();
- chal = (buf[0]<<24)+(buf[1]<<16)+(buf[2]<<8)+buf[3];
- sprint(answer, "%.8lux", chal);
+ sprint(answer, "%.8ux", buf[0]<<24 | buf[1]<<16 | buf[2]<<8 | buf[3]);
}
AuthInfo*
auth_userpasswd(char *user, char *passwd)
{
- char key[DESKEYLEN], resp[16];
+ char resp[16], key[DESKEYLEN];
AuthInfo *ai;
Chalstate *ch;
@@ -38,9 +37,9 @@
if((ch = auth_challenge("user=%q proto=p9cr role=server", user)) == nil)
return nil;
- passtokey(key, passwd);
+ passtodeskey(key, passwd);
netresp(key, atol(ch->chal), resp);
- memset(key, 0, sizeof key);
+ memset(key, 0, sizeof(key));
ch->resp = resp;
ch->nresp = strlen(resp);
--- a/libauthsrv/Makefile
+++ b/libauthsrv/Makefile
@@ -16,11 +16,19 @@
nvcsum.$O\
opasstokey.$O\
passtokey.$O\
+ _asgetpakkey.$O\
+ _asgetresp.$O\
+ _asrequest.$O\
+ authpak.$O\
+ form1.$O\
+
default: $(LIB)
$(LIB): $(OFILES)
$(AR) r $(LIB) $(OFILES)
$(RANLIB) $(LIB)
+
+authpak.$O: msqrt.mpc edwards.mpc ed448.mpc decaf.mpc elligator2.mpc spake2ee.mpc
%.$O: %.c
$(CC) $(CFLAGS) $*.c
--- /dev/null
+++ b/libauthsrv/_asgetpakkey.c
@@ -1,0 +1,26 @@
+#include <u.h>
+#include <libc.h>
+#include <authsrv.h>
+
+int
+_asgetpakkey(int fd, Ticketreq *tr, Authkey *a)
+{
+ uchar y[PAKYLEN];
+ PAKpriv p;
+ int type;
+
+ type = tr->type;
+ tr->type = AuthPAK;
+ if(_asrequest(fd, tr) != 0){
+ tr->type = type;
+ return -1;
+ }
+ tr->type = type;
+ authpak_new(&p, a, y, 1);
+ if(write(fd, y, PAKYLEN) != PAKYLEN
+ || _asrdresp(fd, (char*)y, PAKYLEN) != PAKYLEN){
+ memset(&p, 0, sizeof(p));
+ return -1;
+ }
+ return authpak_finish(&p, a, y);
+}
--- /dev/null
+++ b/libauthsrv/_asgetresp.c
@@ -1,0 +1,44 @@
+#include <u.h>
+#include <libc.h>
+#include <authsrv.h>
+
+int
+_asgetresp(int fd, Ticket *t, Authenticator *a, Authkey *k)
+{
+ char buf[MAXTICKETLEN+MAXAUTHENTLEN], err[ERRMAX];
+ int n, m;
+
+ memset(t, 0, sizeof(Ticket));
+ if(a != nil)
+ memset(a, 0, sizeof(Authenticator));
+
+ strcpy(err, "AS protocol botch");
+ errstr(err, ERRMAX);
+
+ if(_asrdresp(fd, buf, 0) < 0)
+ return -1;
+
+ for(n = 0; (m = convM2T(buf, n, t, k)) <= 0; n += m){
+ m = -m;
+ if(m <= n || m > sizeof(buf))
+ return -1;
+ m -= n;
+ if(readn(fd, buf+n, m) != m)
+ return -1;
+ }
+
+ if(a != nil){
+ for(n = 0; (m = convM2A(buf, n, a, t)) <= 0; n += m){
+ m = -m;
+ if(m <= n || m > sizeof(buf))
+ return -1;
+ m -= n;
+ if(readn(fd, buf+n, m) != m)
+ return -1;
+ }
+ }
+
+ errstr(err, ERRMAX);
+
+ return 0;
+}
--- a/libauthsrv/_asgetticket.c
+++ b/libauthsrv/_asgetticket.c
@@ -2,15 +2,36 @@
#include <libc.h>
#include <authsrv.h>
-static char *pbmsg = "AS protocol botch";
-
int
-_asgetticket(int fd, char *trbuf, char *tbuf)
+_asgetticket(int fd, Ticketreq *tr, char *tbuf, int tbuflen)
{
- if(write(fd, trbuf, TICKREQLEN) < 0){
- close(fd);
- werrstr(pbmsg);
+ char err[ERRMAX];
+ int i, n, m, r;
+
+ strcpy(err, "AS protocol botch");
+ errstr(err, ERRMAX);
+
+ if(_asrequest(fd, tr) < 0)
return -1;
+ if(_asrdresp(fd, tbuf, 0) < 0)
+ return -1;
+
+ r = 0;
+ for(i = 0; i<2; i++){
+ for(n=0; (m = convM2T(tbuf, n, nil, nil)) <= 0; n += m){
+ m = -m;
+ if(m <= n || m > tbuflen)
+ return -1;
+ m -= n;
+ if(readn(fd, tbuf+n, m) != m)
+ return -1;
+ }
+ r += n;
+ tbuf += n;
+ tbuflen -= n;
}
- return _asrdresp(fd, tbuf, 2*TICKETLEN);
+
+ errstr(err, ERRMAX);
+
+ return r;
}
--- /dev/null
+++ b/libauthsrv/_asrequest.c
@@ -1,0 +1,16 @@
+#include <u.h>
+#include <libc.h>
+#include <authsrv.h>
+
+int
+_asrequest(int fd, Ticketreq *tr)
+{
+ char trbuf[TICKREQLEN];
+ int n;
+
+ n = convTR2M(tr, trbuf, sizeof(trbuf));
+ if(write(fd, trbuf, n) != n)
+ return -1;
+
+ return 0;
+}
--- a/libauthsrv/authdial.c
+++ b/libauthsrv/authdial.c
@@ -7,25 +7,45 @@
int
authdial(char *netroot, char *dom)
{
- char server[Ndbvlen];
- Ndbtuple *nt;
+ Ndbtuple *t, *nt;
+ char *p;
+ int rv;
-
- if(dom != nil){
- /* look up an auth server in an authentication domain */
- nt = csgetval(netroot, "authdom", dom, "auth", server);
-
- /* if that didn't work, just try the IP domain */
- if(nt == nil)
- nt = csgetval(netroot, "dom", dom, "auth", server);
- if(nt == nil){
- werrstr("no auth server found for %s", dom);
- return -1;
- }
- ndbfree(nt);
- return dial(netmkaddr(server, netroot, "ticket"), 0, 0, 0);
- } else {
+ if(dom == nil)
/* look for one relative to my machine */
return dial(netmkaddr("$auth", netroot, "ticket"), 0, 0, 0);
+
+ /* look up an auth server in an authentication domain */
+ p = csgetvalue(netroot, "authdom", dom, "auth", &t);
+
+ /* if that didn't work, just try the IP domain */
+ if(p == nil)
+ p = csgetvalue(netroot, "dom", dom, "auth", &t);
+
+ /*
+ * if that didn't work, try p9auth.$dom. this is very helpful if
+ * you can't edit /lib/ndb.
+ */
+ if(p == nil) {
+ p = smprint("p9auth.%s", dom);
+ t = ndbnew("auth", p);
}
+ free(p);
+
+ /*
+ * allow multiple auth= attributes for backup auth servers,
+ * try each one in order.
+ */
+ rv = -1;
+ for(nt = t; nt != nil; nt = nt->entry) {
+ if(strcmp(nt->attr, "auth") == 0) {
+ p = netmkaddr(nt->val, netroot, "ticket");
+ rv = dial(p, 0, 0, 0);
+ if(rv >= 0)
+ break;
+ }
+ }
+ ndbfree(t);
+
+ return rv;
}
--- /dev/null
+++ b/libauthsrv/authpak.c
@@ -1,0 +1,214 @@
+#include <u.h>
+#include <libc.h>
+#include <mp.h>
+#include <libsec.h>
+#include <authsrv.h>
+
+#include "msqrt.mpc"
+#include "decaf.mpc"
+#include "edwards.mpc"
+#include "elligator2.mpc"
+#include "spake2ee.mpc"
+#include "ed448.mpc"
+
+typedef struct PAKcurve PAKcurve;
+struct PAKcurve
+{
+ Lock;
+ mpint *P;
+ mpint *A;
+ mpint *D;
+ mpint *X;
+ mpint *Y;
+};
+
+static PAKcurve*
+authpak_curve(void)
+{
+ static PAKcurve a;
+
+ lock(&a);
+ if(a.P == nil){
+ a.P = mpnew(0);
+ a.A = mpnew(0);
+ a.D = mpnew(0);
+ a.X = mpnew(0);
+ a.Y = mpnew(0);
+ ed448_curve(a.P, a.A, a.D, a.X, a.Y);
+ a.P = mpfield(a.P);
+ }
+ unlock(&a);
+ return &a;
+}
+
+void
+authpak_hash(Authkey *k, char *u)
+{
+ static char info[] = "Plan 9 AuthPAK hash";
+ uchar *bp, salt[SHA2_256dlen], h[2*PAKSLEN];
+ mpint *H, *PX,*PY,*PZ,*PT;
+ PAKcurve *c;
+
+ H = mpnew(0);
+ PX = mpnew(0);
+ PY = mpnew(0);
+ PZ = mpnew(0);
+ PT = mpnew(0);
+
+ sha2_256((uchar*)u, strlen(u), salt, nil);
+
+ hkdf_x( salt, SHA2_256dlen,
+ (uchar*)info, sizeof(info)-1,
+ k->aes, AESKEYLEN,
+ h, sizeof(h),
+ hmac_sha2_256, SHA2_256dlen);
+
+ c = authpak_curve();
+
+ betomp(h + 0*PAKSLEN, PAKSLEN, H); /* HM */
+ spake2ee_h2P(c->P,c->A,c->D, H, PX,PY,PZ,PT); /* PM */
+
+ bp = k->pakhash;
+ mptober(PX, bp, PAKSLEN), bp += PAKSLEN;
+ mptober(PY, bp, PAKSLEN), bp += PAKSLEN;
+ mptober(PZ, bp, PAKSLEN), bp += PAKSLEN;
+ mptober(PT, bp, PAKSLEN), bp += PAKSLEN;
+
+ betomp(h + 1*PAKSLEN, PAKSLEN, H); /* HN */
+ spake2ee_h2P(c->P,c->A,c->D, H, PX,PY,PZ,PT); /* PN */
+
+ mptober(PX, bp, PAKSLEN), bp += PAKSLEN;
+ mptober(PY, bp, PAKSLEN), bp += PAKSLEN;
+ mptober(PZ, bp, PAKSLEN), bp += PAKSLEN;
+ mptober(PT, bp, PAKSLEN);
+
+ mpfree(PX);
+ mpfree(PY);
+ mpfree(PZ);
+ mpfree(PT);
+ mpfree(H);
+}
+
+void
+authpak_new(PAKpriv *p, Authkey *k, uchar y[PAKYLEN], int isclient)
+{
+ mpint *PX,*PY,*PZ,*PT, *X, *Y;
+ PAKcurve *c;
+ uchar *bp;
+
+ memset(p, 0, sizeof(PAKpriv));
+ p->isclient = isclient != 0;
+
+ X = mpnew(0);
+ Y = mpnew(0);
+
+ PX = mpnew(0);
+ PY = mpnew(0);
+ PZ = mpnew(0);
+ PT = mpnew(0);
+
+ PX->flags |= MPtimesafe;
+ PY->flags |= MPtimesafe;
+ PZ->flags |= MPtimesafe;
+ PT->flags |= MPtimesafe;
+
+ bp = k->pakhash + PAKPLEN*(p->isclient == 0);
+ betomp(bp, PAKSLEN, PX), bp += PAKSLEN;
+ betomp(bp, PAKSLEN, PY), bp += PAKSLEN;
+ betomp(bp, PAKSLEN, PZ), bp += PAKSLEN;
+ betomp(bp, PAKSLEN, PT);
+
+ c = authpak_curve();
+
+ X->flags |= MPtimesafe;
+ mpnrand(c->P, genrandom, X);
+
+ spake2ee_1(c->P,c->A,c->D, X, c->X,c->Y, PX,PY,PZ,PT, Y);
+
+ mptober(X, p->x, PAKXLEN);
+ mptober(Y, p->y, PAKYLEN);
+
+ memmove(y, p->y, PAKYLEN);
+
+ mpfree(PX);
+ mpfree(PY);
+ mpfree(PZ);
+ mpfree(PT);
+
+ mpfree(X);
+ mpfree(Y);
+}
+
+int
+authpak_finish(PAKpriv *p, Authkey *k, uchar y[PAKYLEN])
+{
+ static char info[] = "Plan 9 AuthPAK key";
+ uchar *bp, z[PAKSLEN], salt[SHA2_256dlen];
+ mpint *PX,*PY,*PZ,*PT, *X, *Y, *Z, *ok;
+ DigestState *s;
+ PAKcurve *c;
+ int ret;
+
+ X = mpnew(0);
+ Y = mpnew(0);
+ Z = mpnew(0);
+ ok = mpnew(0);
+
+ PX = mpnew(0);
+ PY = mpnew(0);
+ PZ = mpnew(0);
+ PT = mpnew(0);
+
+ PX->flags |= MPtimesafe;
+ PY->flags |= MPtimesafe;
+ PZ->flags |= MPtimesafe;
+ PT->flags |= MPtimesafe;
+
+ bp = k->pakhash + PAKPLEN*(p->isclient != 0);
+ betomp(bp, PAKSLEN, PX), bp += PAKSLEN;
+ betomp(bp, PAKSLEN, PY), bp += PAKSLEN;
+ betomp(bp, PAKSLEN, PZ), bp += PAKSLEN;
+ betomp(bp, PAKSLEN, PT);
+
+ Z->flags |= MPtimesafe;
+ X->flags |= MPtimesafe;
+ betomp(p->x, PAKXLEN, X);
+
+ betomp(y, PAKYLEN, Y);
+
+ c = authpak_curve();
+ spake2ee_2(c->P,c->A,c->D, PX,PY,PZ,PT, X, Y, ok, Z);
+
+ if(mpcmp(ok, mpzero) == 0){
+ ret = -1;
+ goto out;
+ }
+
+ mptober(Z, z, sizeof(z));
+
+ s = sha2_256(p->isclient ? p->y : y, PAKYLEN, nil, nil);
+ sha2_256(p->isclient ? y : p->y, PAKYLEN, salt, s);
+
+ hkdf_x( salt, SHA2_256dlen,
+ (uchar*)info, sizeof(info)-1,
+ z, sizeof(z),
+ k->pakkey, PAKKEYLEN,
+ hmac_sha2_256, SHA2_256dlen);
+
+ ret = 0;
+out:
+ memset(z, 0, sizeof(z));
+ memset(p, 0, sizeof(PAKpriv));
+
+ mpfree(PX);
+ mpfree(PY);
+ mpfree(PZ);
+ mpfree(PT);
+
+ mpfree(X);
+ mpfree(Y);
+ mpfree(Z);
+ mpfree(ok);
+
+ return ret;
+}
--- a/libauthsrv/convA2M.c
+++ b/libauthsrv/convA2M.c
@@ -2,24 +2,35 @@
#include <libc.h>
#include <authsrv.h>
-#define CHAR(x) *p++ = f->x
-#define SHORT(x) p[0] = f->x; p[1] = f->x>>8; p += 2
-#define VLONG(q) p[0] = (q); p[1] = (q)>>8; p[2] = (q)>>16; p[3] = (q)>>24; p += 4
-#define LONG(x) VLONG(f->x)
-#define STRING(x,n) memmove(p, f->x, n); p += n
+extern int form1B2M(char *ap, int n, uchar key[32]);
int
-convA2M(Authenticator *f, char *ap, char *key)
+convA2M(Authenticator *f, char *ap, int n, Ticket *t)
{
- int n;
uchar *p;
+ if(n < 1+CHALLEN)
+ return 0;
+
p = (uchar*)ap;
- CHAR(num);
- STRING(chal, CHALLEN);
- LONG(id);
- n = p - (uchar*)ap;
- if(key)
- encrypt(key, ap, n);
- return n;
+ *p++ = f->num;
+ memmove(p, f->chal, CHALLEN), p += CHALLEN;
+ switch(t->form){
+ case 0:
+ if(n < 1+CHALLEN+4)
+ return 0;
+
+ memset(p, 0, 4), p += 4; /* unused id field */
+ n = p - (uchar*)ap;
+ encrypt(t->key, ap, n);
+ return n;
+ case 1:
+ if(n < 12+CHALLEN+NONCELEN+16)
+ return 0;
+
+ memmove(p, f->rand, NONCELEN), p += NONCELEN;
+ return form1B2M(ap, (char*)p - ap, t->key);
+ }
+
+ return 0;
}
--- a/libauthsrv/convM2A.c
+++ b/libauthsrv/convM2A.c
@@ -2,22 +2,35 @@
#include <libc.h>
#include <authsrv.h>
-#define CHAR(x) f->x = *p++
-#define SHORT(x) f->x = (p[0] | (p[1]<<8)); p += 2
-#define VLONG(q) q = (p[0] | (p[1]<<8) | (p[2]<<16) | (p[3]<<24)); p += 4
-#define LONG(x) VLONG(f->x)
-#define STRING(x,n) memmove(f->x, p, n); p += n
+extern int form1M2B(char *ap, int n, uchar key[32]);
-void
-convM2A(char *ap, Authenticator *f, char *key)
+int
+convM2A(char *ap, int n, Authenticator *f, Ticket *t)
{
- uchar *p;
+ uchar buf[MAXAUTHENTLEN], *p;
+ int m;
- if(key)
- decrypt(key, ap, AUTHENTLEN);
- p = (uchar*)ap;
- CHAR(num);
- STRING(chal, CHALLEN);
- LONG(id);
- USED(p);
+ memset(f, 0, sizeof(Authenticator));
+ if(t->form == 0){
+ m = 1+CHALLEN+4;
+ if(n < m)
+ return -m;
+ memmove(buf, ap, m);
+ decrypt(t->key, buf, m);
+ } else {
+ m = 12+CHALLEN+NONCELEN+16;
+ if(n < m)
+ return -m;
+ memmove(buf, ap, m);
+ if(form1M2B((char*)buf, m, t->key) < 0)
+ return m;
+ }
+ p = buf;
+ f->num = *p++;
+ memmove(f->chal, p, CHALLEN);
+ p += CHALLEN;
+ if(t->form == 1)
+ memmove(f->rand, p, NONCELEN);
+
+ return m;
}
--- a/libauthsrv/convM2PR.c
+++ b/libauthsrv/convM2PR.c
@@ -2,27 +2,38 @@
#include <libc.h>
#include <authsrv.h>
-#define CHAR(x) f->x = *p++
-#define SHORT(x) f->x = (p[0] | (p[1]<<8)); p += 2
-#define VLONG(q) q = (p[0] | (p[1]<<8) | (p[2]<<16) | (p[3]<<24)); p += 4
-#define LONG(x) VLONG(f->x)
-#define STRING(x,n) memmove(f->x, p, n); p += n
+extern int form1M2B(char *ap, int n, uchar key[32]);
-void
-convM2PR(char *ap, Passwordreq *f, char *key)
+int
+convM2PR(char *ap, int n, Passwordreq *f, Ticket *t)
{
- uchar *p;
+ uchar *p, buf[MAXPASSREQLEN];
+ int m;
- p = (uchar*)ap;
- if(key)
- decrypt(key, ap, PASSREQLEN);
- CHAR(num);
- STRING(old, ANAMELEN);
+ memset(f, 0, sizeof(Passwordreq));
+ if(t->form == 0){
+ m = 1+2*ANAMELEN+1+SECRETLEN;
+ if(n < m)
+ return -m;
+ memmove(buf, ap, m);
+ decrypt(t->key, buf, m);
+ } else {
+ m = 12+2*ANAMELEN+1+SECRETLEN+16;
+ if(n < m)
+ return -m;
+ memmove(buf, ap, m);
+ if(form1M2B((char*)buf, m, t->key) < 0)
+ return m;
+ }
+ p = buf;
+ f->num = *p++;
+ memmove(f->old, p, ANAMELEN), p += ANAMELEN;
+ memmove(f->new, p, ANAMELEN), p += ANAMELEN;
+ f->changesecret = *p++;
+ memmove(f->secret, p, SECRETLEN);
f->old[ANAMELEN-1] = 0;
- STRING(new, ANAMELEN);
f->new[ANAMELEN-1] = 0;
- CHAR(changesecret);
- STRING(secret, SECRETLEN);
f->secret[SECRETLEN-1] = 0;
- USED(p);
+
+ return m;
}
--- a/libauthsrv/convM2T.c
+++ b/libauthsrv/convM2T.c
@@ -2,27 +2,50 @@
#include <libc.h>
#include <authsrv.h>
-#define CHAR(x) f->x = *p++
-#define SHORT(x) f->x = (p[0] | (p[1]<<8)); p += 2
-#define VLONG(q) q = (p[0] | (p[1]<<8) | (p[2]<<16) | (p[3]<<24)); p += 4
-#define LONG(x) VLONG(f->x)
-#define STRING(x,n) memmove(f->x, p, n); p += n
+extern int form1check(char *ap, int n);
+extern int form1M2B(char *ap, int n, uchar key[32]);
-void
-convM2T(char *ap, Ticket *f, char *key)
+int
+convM2T(char *ap, int n, Ticket *f, Authkey *k)
{
- uchar *p;
+ uchar buf[MAXTICKETLEN], *p;
+ int m;
- if(key)
- decrypt(key, ap, TICKETLEN);
- p = (uchar*)ap;
- CHAR(num);
- STRING(chal, CHALLEN);
- STRING(cuid, ANAMELEN);
+ if(f != nil)
+ memset(f, 0, sizeof(Ticket));
+
+ if(n < 8)
+ return -8;
+
+ if(form1check(ap, n) < 0){
+ m = 1+CHALLEN+2*ANAMELEN+DESKEYLEN;
+ if(n < m)
+ return -m;
+ if(f == nil || k == nil)
+ return m;
+ f->form = 0;
+ memmove(buf, ap, m);
+ decrypt(k->des, buf, m);
+ } else {
+ m = 12+CHALLEN+2*ANAMELEN+NONCELEN+16;
+ if(n < m)
+ return -m;
+ if(f == nil || k == nil)
+ return m;
+ f->form = 1;
+ memmove(buf, ap, m);
+ if(form1M2B((char*)buf, m, k->pakkey) < 0)
+ return m;
+ }
+ p = buf;
+ f->num = *p++;
+ memmove(f->chal, p, CHALLEN), p += CHALLEN;
+ memmove(f->cuid, p, ANAMELEN), p += ANAMELEN;
+ memmove(f->suid, p, ANAMELEN), p += ANAMELEN;
+ memmove(f->key, p, f->form == 0 ? DESKEYLEN : NONCELEN);
+
f->cuid[ANAMELEN-1] = 0;
- STRING(suid, ANAMELEN);
f->suid[ANAMELEN-1] = 0;
- STRING(key, DESKEYLEN);
- USED(p);
-}
+ return m;
+}
--- a/libauthsrv/convM2TR.c
+++ b/libauthsrv/convM2TR.c
@@ -2,27 +2,28 @@
#include <libc.h>
#include <authsrv.h>
-#define CHAR(x) f->x = *p++
-#define SHORT(x) f->x = (p[0] | (p[1]<<8)); p += 2
-#define VLONG(q) q = (p[0] | (p[1]<<8) | (p[2]<<16) | (p[3]<<24)); p += 4
-#define LONG(x) VLONG(f->x)
-#define STRING(x,n) memmove(f->x, p, n); p += n
-
-void
-convM2TR(char *ap, Ticketreq *f)
+int
+convM2TR(char *ap, int n, Ticketreq *f)
{
uchar *p;
+ memset(f, 0, sizeof(Ticketreq));
+ if(n < TICKREQLEN)
+ return -TICKREQLEN;
+
p = (uchar*)ap;
- CHAR(type);
- STRING(authid, ANAMELEN);
+ f->type = *p++;
+ memmove(f->authid, p, ANAMELEN), p += ANAMELEN;
+ memmove(f->authdom, p, DOMLEN), p += DOMLEN;
+ memmove(f->chal, p, CHALLEN), p += CHALLEN;
+ memmove(f->hostid, p, ANAMELEN), p += ANAMELEN;
+ memmove(f->uid, p, ANAMELEN), p += ANAMELEN;
+
f->authid[ANAMELEN-1] = 0;
- STRING(authdom, DOMLEN);
f->authdom[DOMLEN-1] = 0;
- STRING(chal, CHALLEN);
- STRING(hostid, ANAMELEN);
f->hostid[ANAMELEN-1] = 0;
- STRING(uid, ANAMELEN);
f->uid[ANAMELEN-1] = 0;
- USED(p);
+ n = p - (uchar*)ap;
+
+ return n;
}
--- a/libauthsrv/convPR2M.c
+++ b/libauthsrv/convPR2M.c
@@ -2,27 +2,33 @@
#include <libc.h>
#include <authsrv.h>
-#define CHAR(x) *p++ = f->x
-#define SHORT(x) p[0] = f->x; p[1] = f->x>>8; p += 2
-#define VLONG(q) p[0] = (q); p[1] = (q)>>8; p[2] = (q)>>16; p[3] = (q)>>24; p += 4
-#define LONG(x) VLONG(f->x)
-#define STRING(x,n) memmove(p, f->x, n); p += n
+extern int form1B2M(char *ap, int n, uchar key[32]);
int
-convPR2M(Passwordreq *f, char *ap, char *key)
+convPR2M(Passwordreq *f, char *ap, int n, Ticket *t)
{
- int n;
uchar *p;
+ if(n < 1+2*ANAMELEN+1+SECRETLEN)
+ return 0;
+
p = (uchar*)ap;
- CHAR(num);
- STRING(old, ANAMELEN);
- STRING(new, ANAMELEN);
- CHAR(changesecret);
- STRING(secret, SECRETLEN);
- n = p - (uchar*)ap;
- if(key)
- encrypt(key, ap, n);
- return n;
+ *p++ = f->num;
+ memmove(p, f->old, ANAMELEN), p += ANAMELEN;
+ memmove(p, f->new, ANAMELEN), p += ANAMELEN;
+ *p++ = f->changesecret;
+ memmove(p, f->secret, SECRETLEN), p += SECRETLEN;
+ switch(t->form){
+ case 0:
+ n = p - (uchar*)ap;
+ encrypt(t->key, ap, n);
+ return n;
+ case 1:
+ if(n < 12+2*ANAMELEN+1+SECRETLEN+16)
+ return 0;
+ return form1B2M(ap, p - (uchar*)ap, t->key);
+ }
+
+ return 0;
}
--- a/libauthsrv/convT2M.c
+++ b/libauthsrv/convT2M.c
@@ -1,27 +1,39 @@
#include <u.h>
#include <libc.h>
#include <authsrv.h>
+#include <libsec.h>
-#define CHAR(x) *p++ = f->x
-#define SHORT(x) p[0] = f->x; p[1] = f->x>>8; p += 2
-#define VLONG(q) p[0] = (q); p[1] = (q)>>8; p[2] = (q)>>16; p[3] = (q)>>24; p += 4
-#define LONG(x) VLONG(f->x)
-#define STRING(x,n) memmove(p, f->x, n); p += n
+extern int form1B2M(char *ap, int n, uchar key[32]);
int
-convT2M(Ticket *f, char *ap, char *key)
+convT2M(Ticket *f, char *ap, int n, Authkey *key)
{
- int n;
uchar *p;
+ if(n < 1+CHALLEN+2*ANAMELEN)
+ return 0;
+
p = (uchar*)ap;
- CHAR(num);
- STRING(chal, CHALLEN);
- STRING(cuid, ANAMELEN);
- STRING(suid, ANAMELEN);
- STRING(key, DESKEYLEN);
- n = p - (uchar*)ap;
- if(key)
- encrypt(key, ap, n);
- return n;
+ *p++ = f->num;
+ memmove(p, f->chal, CHALLEN), p += CHALLEN;
+ memmove(p, f->cuid, ANAMELEN), p += ANAMELEN;
+ memmove(p, f->suid, ANAMELEN), p += ANAMELEN;
+ switch(f->form){
+ case 0:
+ if(n < 1+CHALLEN+2*ANAMELEN+DESKEYLEN)
+ return 0;
+
+ memmove(p, f->key, DESKEYLEN), p += DESKEYLEN;
+ n = p - (uchar*)ap;
+ encrypt(key->des, ap, n);
+ return n;
+ case 1:
+ if(n < 12+CHALLEN+2*ANAMELEN+NONCELEN+16)
+ return 0;
+
+ memmove(p, f->key, NONCELEN), p += NONCELEN;
+ return form1B2M(ap, p - (uchar*)ap, key->pakkey);
+ }
+
+ return 0;
}
--- a/libauthsrv/convTR2M.c
+++ b/libauthsrv/convTR2M.c
@@ -2,26 +2,22 @@
#include <libc.h>
#include <authsrv.h>
-#define CHAR(x) *p++ = f->x
-#define SHORT(x) p[0] = f->x; p[1] = f->x>>8; p += 2
-#define VLONG(q) p[0] = (q); p[1] = (q)>>8; p[2] = (q)>>16; p[3] = (q)>>24; p += 4
-#define LONG(x) VLONG(f->x)
-#define STRING(x,n) memmove(p, f->x, n); p += n
-
int
-convTR2M(Ticketreq *f, char *ap)
+convTR2M(Ticketreq *f, char *ap, int n)
{
- int n;
uchar *p;
+ if(n < TICKREQLEN)
+ return 0;
+
p = (uchar*)ap;
- CHAR(type);
- STRING(authid, 28); /* BUG */
- STRING(authdom, DOMLEN);
- STRING(chal, CHALLEN);
- STRING(hostid, 28); /* BUG */
- STRING(uid, 28); /* BUG */
+ *p++ = f->type;
+ memmove(p, f->authid, ANAMELEN), p += ANAMELEN;
+ memmove(p, f->authdom, DOMLEN), p += DOMLEN;
+ memmove(p, f->chal, CHALLEN), p += CHALLEN;
+ memmove(p, f->hostid, ANAMELEN), p += ANAMELEN;
+ memmove(p, f->uid, ANAMELEN), p += ANAMELEN;
n = p - (uchar*)ap;
+
return n;
}
-
--- /dev/null
+++ b/libauthsrv/decaf.mpc
@@ -1,0 +1,130 @@
+void decaf_neg(mpint *p, mpint *n, mpint *r){
+ mpint *m = mpnew(0);
+ mpmodsub(mpzero, r, p, m);
+ mpint *tmp1 = mpnew(0);
+ mpsub(p, mpone, tmp1);
+ mpright(tmp1, 1, tmp1);
+ mpsel(-mpcmp(n, tmp1) >> (sizeof(int)*8-1), m, r, r);
+ mpfree(tmp1);
+ mpfree(m);
+ }
+void decaf_encode(mpint *p, mpint *a, mpint *d, mpint *X, mpint *Y, mpint *Z, mpint *T, mpint *s){
+ mpint *u = mpnew(0);
+ mpint *r = mpnew(0);
+ mpint *tmp1 = mpnew(0);
+ mpint *tmp2 = mpnew(0);
+ mpint *tmp3 = mpnew(0);
+ mpmodsub(a, d, p, tmp3);
+ mpint *tmp4 = mpnew(0);
+ mpmodadd(Z, Y, p, tmp4);
+ mpmodmul(tmp3, tmp4, p, tmp2);
+ mpfree(tmp3);
+ mpfree(tmp4);
+ tmp4 = mpnew(0);
+ mpmodsub(Z, Y, p, tmp4);
+ mpmodmul(tmp2, tmp4, p, tmp1);
+ mpfree(tmp2);
+ mpfree(tmp4);
+ misqrt(tmp1, p, r);
+ mpfree(tmp1);
+ tmp1 = mpnew(0);
+ mpmodsub(a, d, p, tmp1);
+ mpmodmul(tmp1, r, p, u);
+ mpfree(tmp1);
+ tmp1 = mpnew(0);
+ tmp4 = mpnew(0);
+ mpmodadd(u, u, p, tmp4); // 2*u
+ mpmodmul(tmp4, Z, p, tmp1);
+ mpfree(tmp4);
+ mpmodsub(mpzero, tmp1, p, tmp1);
+ decaf_neg(p, tmp1, r);
+ mpfree(tmp1);
+ tmp1 = mpnew(0);
+ tmp4 = mpnew(0);
+ tmp2 = mpnew(0);
+ tmp3 = mpnew(0);
+ mpmodmul(a, Z, p, tmp3);
+ mpmodmul(tmp3, X, p, tmp2);
+ mpfree(tmp3);
+ tmp3 = mpnew(0);
+ mpint *tmp5 = mpnew(0);
+ mpmodmul(d, Y, p, tmp5);
+ mpmodmul(tmp5, T, p, tmp3);
+ mpfree(tmp5);
+ mpmodsub(tmp2, tmp3, p, tmp2);
+ mpfree(tmp3);
+ mpmodmul(r, tmp2, p, tmp4);
+ mpfree(tmp2);
+ mpmodadd(tmp4, Y, p, tmp4);
+ mpmodmul(u, tmp4, p, tmp1);
+ mpfree(tmp4);
+ tmp4 = mpnew(0);
+ mpinvert(a, p, tmp4);
+ mpmodmul(tmp1, tmp4, p, s);
+ mpfree(tmp4);
+ mpfree(tmp1);
+ decaf_neg(p, s, s);
+ mpfree(u);
+ mpfree(r);
+ }
+void decaf_decode(mpint *p, mpint *a, mpint *d, mpint *s, mpint *ok, mpint *X, mpint *Y, mpint *Z, mpint *T){
+ mpint *w = mpnew(0);
+ mpint *v = mpnew(0);
+ mpint *u = mpnew(0);
+ mpint *ss = mpnew(0);
+ mpint *tmp1 = mpnew(0);
+ mpsub(p, mpone, tmp1);
+ mpright(tmp1, 1, tmp1);
+ if(mpcmp(s, tmp1) > 0){
+ mpassign(mpzero, ok);
+ }else{
+ mpmodmul(s, s, p, ss);
+ mpmodmul(a, ss, p, Z);
+ mpmodadd(mpone, Z, p, Z);
+ mpmodmul(Z, Z, p, u);
+ mpint *tmp2 = mpnew(0);
+ mpint *tmp3 = mpnew(0);
+ mpint *tmp4 = mpnew(0);
+ uitomp(4UL, tmp4);
+ mpmodmul(tmp4, d, p, tmp3);
+ mpfree(tmp4);
+ mpmodmul(tmp3, ss, p, tmp2);
+ mpfree(tmp3);
+ mpmodsub(u, tmp2, p, u);
+ mpfree(tmp2);
+ mpmodmul(u, ss, p, v);
+ if(mpcmp(v, mpzero) == 0){
+ mpassign(mpone, ok);
+ }else{
+ msqrt(v, p, ok);
+ if(mpcmp(ok, mpzero) != 0){
+ mpinvert(ok, p, v);
+ mpassign(mpone, ok);
+ }
+ }
+ if(mpcmp(ok, mpzero) != 0){
+ mpint *tmp5 = mpnew(0);
+ mpmodmul(u, v, p, tmp5);
+ decaf_neg(p, tmp5, v);
+ mpfree(tmp5);
+ tmp5 = mpnew(0);
+ mpmodmul(v, s, p, tmp5);
+ mpint *tmp6 = mpnew(0);
+ mpmodsub(mptwo, Z, p, tmp6);
+ mpmodmul(tmp5, tmp6, p, w);
+ mpfree(tmp5);
+ mpfree(tmp6);
+ if(mpcmp(s, mpzero) == 0){
+ mpmodadd(w, mpone, p, w);
+ }
+ mpmodadd(s, s, p, X); // 2*s
+ mpmodmul(w, Z, p, Y);
+ mpmodmul(w, X, p, T);
+ }
+ }
+ mpfree(tmp1);
+ mpfree(w);
+ mpfree(v);
+ mpfree(u);
+ mpfree(ss);
+ }
--- /dev/null
+++ b/libauthsrv/ed448.mpc
@@ -1,0 +1,8 @@
+void ed448_curve(mpint *p, mpint *a, mpint *d, mpint *x, mpint *y){
+ strtomp("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", nil, 16, p);
+ mpassign(mpone, a);
+ uitomp(39081UL, d);
+ d->sign = -1;
+ strtomp("297EA0EA2692FF1B4FAFF46098453A6A26ADF733245F065C3C59D0709CECFA96147EAAF3932D94C63D96C170033F4BA0C7F0DE840AED939F", nil, 16, x);
+ uitomp(19UL, y);
+ }
--- /dev/null
+++ b/libauthsrv/edwards.mpc
@@ -1,0 +1,98 @@
+void edwards_add(mpint *p, mpint *a, mpint *d, mpint *X1, mpint *Y1, mpint *Z1, mpint *T1, mpint *X2, mpint *Y2, mpint *Z2, mpint *T2, mpint *X3, mpint *Y3, mpint *Z3, mpint *T3){
+ mpint *H = mpnew(0);
+ mpint *G = mpnew(0);
+ mpint *F = mpnew(0);
+ mpint *E = mpnew(0);
+ mpint *D = mpnew(0);
+ mpint *C = mpnew(0);
+ mpint *B = mpnew(0);
+ mpint *A = mpnew(0);
+ mpmodmul(X1, X2, p, A);
+ mpmodmul(Y1, Y2, p, B);
+ mpint *tmp1 = mpnew(0);
+ mpmodmul(d, T1, p, tmp1);
+ mpmodmul(tmp1, T2, p, C);
+ mpfree(tmp1);
+ mpmodmul(Z1, Z2, p, D);
+ tmp1 = mpnew(0);
+ mpmodadd(X1, Y1, p, tmp1);
+ mpint *tmp2 = mpnew(0);
+ mpmodadd(X2, Y2, p, tmp2);
+ mpmodmul(tmp1, tmp2, p, E);
+ mpfree(tmp1);
+ mpfree(tmp2);
+ mpmodsub(E, A, p, E);
+ mpmodsub(E, B, p, E);
+ mpmodsub(D, C, p, F);
+ mpmodadd(D, C, p, G);
+ mpmodmul(a, A, p, H);
+ mpmodsub(B, H, p, H);
+ mpmodmul(E, F, p, X3);
+ mpmodmul(G, H, p, Y3);
+ mpmodmul(F, G, p, Z3);
+ mpmodmul(E, H, p, T3);
+ mpfree(H);
+ mpfree(G);
+ mpfree(F);
+ mpfree(E);
+ mpfree(D);
+ mpfree(C);
+ mpfree(B);
+ mpfree(A);
+ }
+void edwards_sel(mpint *s, mpint *X1, mpint *Y1, mpint *Z1, mpint *T1, mpint *X2, mpint *Y2, mpint *Z2, mpint *T2, mpint *X3, mpint *Y3, mpint *Z3, mpint *T3){
+ mpsel(mpcmp(s, mpzero), X1, X2, X3);
+ mpsel(mpcmp(s, mpzero), Y1, Y2, Y3);
+ mpsel(mpcmp(s, mpzero), Z1, Z2, Z3);
+ mpsel(mpcmp(s, mpzero), T1, T2, T3);
+ }
+void edwards_new(mpint *x, mpint *y, mpint *z, mpint *t, mpint *X, mpint *Y, mpint *Z, mpint *T){
+ mpassign(x, X);
+ mpassign(y, Y);
+ mpassign(z, Z);
+ mpassign(t, T);
+ }
+void edwards_scale(mpint *p, mpint *a, mpint *d, mpint *s, mpint *X1, mpint *Y1, mpint *Z1, mpint *T1, mpint *X3, mpint *Y3, mpint *Z3, mpint *T3){
+ mpint *j = mpnew(0);
+ mpint *k = mpnew(0);
+ mpint *T4 = mpnew(0);
+ mpint *Z4 = mpnew(0);
+ mpint *Y4 = mpnew(0);
+ mpint *X4 = mpnew(0);
+ mpint *T2 = mpnew(0);
+ mpint *Z2 = mpnew(0);
+ mpint *Y2 = mpnew(0);
+ mpint *X2 = mpnew(0);
+ edwards_new(X1, Y1, Z1, T1, X2, Y2, Z2, T2);
+ edwards_new(mpzero, mpone, mpone, mpzero, X4, Y4, Z4, T4);
+ mpint *tmp1 = mpnew(0);
+ mpmod(s, mptwo, tmp1);
+ edwards_sel(tmp1, X2, Y2, Z2, T2, X4, Y4, Z4, T4, X3, Y3, Z3, T3);
+ mpfree(tmp1);
+ mpright(s, 1, k);
+ mpright(p, 1, j);
+ for(;;){
+ if(mpcmp(j, mpzero) != 0){
+ edwards_add(p, a, d, X2, Y2, Z2, T2, X2, Y2, Z2, T2, X2, Y2, Z2, T2);
+ edwards_add(p, a, d, X2, Y2, Z2, T2, X3, Y3, Z3, T3, X4, Y4, Z4, T4);
+ mpint *tmp2 = mpnew(0);
+ mpmod(k, mptwo, tmp2);
+ edwards_sel(tmp2, X4, Y4, Z4, T4, X3, Y3, Z3, T3, X3, Y3, Z3, T3);
+ mpfree(tmp2);
+ mpright(k, 1, k);
+ mpright(j, 1, j);
+ }else{
+ break;
+ }
+ }
+ mpfree(j);
+ mpfree(k);
+ mpfree(T4);
+ mpfree(Z4);
+ mpfree(Y4);
+ mpfree(X4);
+ mpfree(T2);
+ mpfree(Z2);
+ mpfree(Y2);
+ mpfree(X2);
+ }
--- /dev/null
+++ b/libauthsrv/elligator2.mpc
@@ -1,0 +1,129 @@
+void elligator2(mpint *p, mpint *a, mpint *d, mpint *n, mpint *r0, mpint *X, mpint *Y, mpint *Z, mpint *T){
+ mpint *t = mpnew(0);
+ mpint *s = mpnew(0);
+ mpint *e = mpnew(0);
+ mpint *c = mpnew(0);
+ mpint *ND = mpnew(0);
+ mpint *N = mpnew(0);
+ mpint *D = mpnew(0);
+ mpint *r = mpnew(0);
+ mpint *tmp1 = mpnew(0);
+ mpmodmul(n, r0, p, tmp1);
+ mpmodmul(tmp1, r0, p, r);
+ mpfree(tmp1);
+ tmp1 = mpnew(0);
+ mpmodmul(d, r, p, tmp1);
+ mpmodadd(tmp1, a, p, tmp1);
+ mpmodsub(tmp1, d, p, tmp1);
+ mpint *tmp2 = mpnew(0);
+ mpmodmul(d, r, p, tmp2);
+ mpint *tmp3 = mpnew(0);
+ mpmodmul(a, r, p, tmp3);
+ mpmodsub(tmp2, tmp3, p, tmp2);
+ mpfree(tmp3);
+ mpmodsub(tmp2, d, p, tmp2);
+ mpmodmul(tmp1, tmp2, p, D);
+ mpfree(tmp1);
+ mpfree(tmp2);
+ tmp2 = mpnew(0);
+ mpmodadd(r, mpone, p, tmp2);
+ tmp1 = mpnew(0);
+ mpmodadd(d, d, p, tmp1); // 2*d
+ mpmodsub(a, tmp1, p, tmp1);
+ mpmodmul(tmp2, tmp1, p, N);
+ mpfree(tmp2);
+ mpfree(tmp1);
+ mpmodmul(N, D, p, ND);
+ if(mpcmp(ND, mpzero) == 0){
+ mpassign(mpone, c);
+ mpassign(mpzero, e);
+ }else{
+ msqrt(ND, p, e);
+ if(mpcmp(e, mpzero) != 0){
+ mpassign(mpone, c);
+ mpinvert(e, p, e);
+ }else{
+ mpmodsub(mpzero, mpone, p, c);
+ mpint *tmp4 = mpnew(0);
+ mpmodmul(n, r0, p, tmp4);
+ mpint *tmp5 = mpnew(0);
+ mpint *tmp6 = mpnew(0);
+ mpmodmul(n, ND, p, tmp6);
+ misqrt(tmp6, p, tmp5);
+ mpfree(tmp6);
+ mpmodmul(tmp4, tmp5, p, e);
+ mpfree(tmp4);
+ mpfree(tmp5);
+ }
+ }
+ tmp1 = mpnew(0);
+ mpmodmul(c, N, p, tmp1);
+ mpmodmul(tmp1, e, p, s);
+ mpfree(tmp1);
+ tmp1 = mpnew(0);
+ tmp2 = mpnew(0);
+ mpmodmul(c, N, p, tmp2);
+ tmp3 = mpnew(0);
+ mpmodsub(r, mpone, p, tmp3);
+ mpmodmul(tmp2, tmp3, p, tmp1);
+ mpfree(tmp2);
+ mpfree(tmp3);
+ tmp3 = mpnew(0);
+ tmp2 = mpnew(0);
+ mpmodadd(d, d, p, tmp2); // 2*d
+ mpmodsub(a, tmp2, p, tmp2);
+ mpmodmul(tmp2, e, p, tmp3);
+ mpfree(tmp2);
+ mpmodmul(tmp3, tmp3, p, tmp3);
+ mpmodmul(tmp1, tmp3, p, t);
+ mpfree(tmp1);
+ mpfree(tmp3);
+ mpmodsub(mpzero, t, p, t);
+ mpmodsub(t, mpone, p, t);
+ tmp3 = mpnew(0);
+ mpmodadd(s, s, p, tmp3); // 2*s
+ mpmodmul(tmp3, t, p, X);
+ mpfree(tmp3);
+ tmp3 = mpnew(0);
+ tmp1 = mpnew(0);
+ mpmodmul(a, s, p, tmp1);
+ mpmodmul(tmp1, s, p, tmp3);
+ mpfree(tmp1);
+ mpmodsub(mpone, tmp3, p, tmp3);
+ tmp1 = mpnew(0);
+ tmp2 = mpnew(0);
+ mpmodmul(a, s, p, tmp2);
+ mpmodmul(tmp2, s, p, tmp1);
+ mpfree(tmp2);
+ mpmodadd(mpone, tmp1, p, tmp1);
+ mpmodmul(tmp3, tmp1, p, Y);
+ mpfree(tmp3);
+ mpfree(tmp1);
+ tmp1 = mpnew(0);
+ tmp3 = mpnew(0);
+ mpmodmul(a, s, p, tmp3);
+ mpmodmul(tmp3, s, p, tmp1);
+ mpfree(tmp3);
+ mpmodadd(mpone, tmp1, p, tmp1);
+ mpmodmul(tmp1, t, p, Z);
+ mpfree(tmp1);
+ tmp1 = mpnew(0);
+ mpmodadd(s, s, p, tmp1); // 2*s
+ tmp3 = mpnew(0);
+ tmp2 = mpnew(0);
+ mpmodmul(a, s, p, tmp2);
+ mpmodmul(tmp2, s, p, tmp3);
+ mpfree(tmp2);
+ mpmodsub(mpone, tmp3, p, tmp3);
+ mpmodmul(tmp1, tmp3, p, T);
+ mpfree(tmp1);
+ mpfree(tmp3);
+ mpfree(t);
+ mpfree(s);
+ mpfree(e);
+ mpfree(c);
+ mpfree(ND);
+ mpfree(N);
+ mpfree(D);
+ mpfree(r);
+ }
--- /dev/null
+++ b/libauthsrv/form1.c
@@ -1,0 +1,90 @@
+#include <u.h>
+#include <libc.h>
+#include <authsrv.h>
+#include <libsec.h>
+
+/*
+ * new ticket format: the reply protector/type is replaced by a
+ * 8 byte signature and a 4 byte counter forming the 12 byte
+ * nonce for chacha20/poly1305 encryption. a 16 byte poly1305
+ * authentication tag is appended for message authentication.
+ * the counter is needed for the AuthPass message which uses
+ * the same key for several messages.
+ */
+
+static struct {
+ char num;
+ char sig[8];
+} form1sig[] = {
+ AuthPass, "form1 PR", /* password change request encrypted with ticket key */
+ AuthTs, "form1 Ts", /* ticket encrypted with server's key */
+ AuthTc, "form1 Tc", /* ticket encrypted with client's key */
+ AuthAs, "form1 As", /* server generated authenticator */
+ AuthAc, "form1 Ac", /* client generated authenticator */
+ AuthTp, "form1 Tp", /* ticket encrypted with client's key for password change */
+ AuthHr, "form1 Hr", /* http reply */
+};
+
+int
+form1check(char *ap, int n)
+{
+ if(n < 8)
+ return -1;
+
+ for(n=0; n<nelem(form1sig); n++)
+ if(memcmp(form1sig[n].sig, ap, 8) == 0)
+ return form1sig[n].num;
+
+ return -1;
+}
+
+int
+form1B2M(char *ap, int n, uchar key[32])
+{
+ static u32int counter;
+ Chachastate s;
+ uchar *p;
+ int i;
+
+ for(i=nelem(form1sig)-1; i>=0; i--)
+ if(form1sig[i].num == *ap)
+ break;
+ if(i < 0)
+ abort();
+
+ p = (uchar*)ap + 12;
+ memmove(p, ap+1, --n);
+
+ /* nonce[12] = sig[8] | counter[4] */
+ memmove(ap, form1sig[i].sig, 8);
+ i = counter++;
+ ap[8] = i, ap[9] = i>>8, ap[10] = i>>16, ap[11] = i>>24;
+
+ setupChachastate(&s, key, 32, (uchar*)ap, 12, 20);
+ ccpoly_encrypt(p, n, nil, 0, p+n, &s);
+ return 12+16 + n;
+}
+
+int
+form1M2B(char *ap, int n, uchar key[32])
+{
+ Chachastate s;
+ uchar *p;
+ int num;
+
+ num = form1check(ap, n);
+ if(num < 0)
+ return -1;
+ n -= 12+16;
+ if(n <= 0)
+ return -1;
+
+ p = (uchar*)ap + 12;
+ setupChachastate(&s, key, 32, (uchar*)ap, 12, 20);
+ if(ccpoly_decrypt(p, n, nil, 0, p+n, &s))
+ return -1;
+
+ memmove(ap+1, p, n);
+ ap[0] = num;
+ return n+1;
+}
--- /dev/null
+++ b/libauthsrv/msqrt.mpc
@@ -1,0 +1,149 @@
+void legendresymbol(mpint *a, mpint *p, mpint *r){
+ mpint *pm1 = mpnew(0);
+ mpsub(p, mpone, pm1);
+ mpright(pm1, 1, r);
+ mpexp(a, r, p, r);
+ if(mpcmp(r, pm1) == 0){
+ mpassign(mpone, r);
+ r->sign = -1;
+ }
+ mpfree(pm1);
+ }
+void msqrt(mpint *a, mpint *p, mpint *r){
+ mpint *gs = mpnew(0);
+ mpint *m = mpnew(0);
+ mpint *t = mpnew(0);
+ mpint *g = mpnew(0);
+ mpint *b = mpnew(0);
+ mpint *x = mpnew(0);
+ mpint *n = mpnew(0);
+ mpint *s = mpnew(0);
+ mpint *e = mpnew(0);
+ mpint *tmp1 = mpnew(0);
+ legendresymbol(a, p, tmp1);
+ if(mpcmp(tmp1, mpone) != 0){
+ mpassign(mpzero, r);
+ }else{
+ if(mpcmp(a, mpzero) == 0){
+ mpassign(mpzero, r);
+ }else{
+ if(mpcmp(p, mptwo) == 0){
+ mpassign(a, r);
+ }else{
+ mpint *tmp2 = mpnew(0);
+ uitomp(4UL, tmp2);
+ mpmod(p, tmp2, tmp2);
+ mpint *tmp3 = mpnew(0);
+ uitomp(3UL, tmp3);
+ if(mpcmp(tmp2, tmp3) == 0){
+ mpadd(p, mpone, e);
+ mpright(e, 2, e);
+ mpexp(a, e, p, r);
+ }else{
+ mpsub(p, mpone, s);
+ mpassign(mpzero, e);
+ for(;;){
+ mpint *tmp4 = mpnew(0);
+ mpmod(s, mptwo, tmp4);
+ if(mpcmp(tmp4, mpzero) == 0){
+ mpright(s, 1, s);
+ mpadd(e, mpone, e);
+ }else{
+ mpfree(tmp4);
+ break;
+ }
+ mpfree(tmp4);
+ }
+ mpassign(mptwo, n);
+ for(;;){
+ mpint *tmp5 = mpnew(0);
+ legendresymbol(n, p, tmp5);
+ mpint *tmp6 = mpnew(0);
+ mpassign(mpone, tmp6);
+ tmp6->sign = -1;
+ if(mpcmp(tmp5, tmp6) != 0){
+ mpadd(n, mpone, n);
+ }else{
+ mpfree(tmp6);
+ mpfree(tmp5);
+ break;
+ }
+ mpfree(tmp5);
+ mpfree(tmp6);
+ }
+ mpmodadd(s, mpone, p, x);
+ mpright(x, 1, x);
+ mpexp(a, x, p, x);
+ mpexp(a, s, p, b);
+ mpexp(n, s, p, g);
+ for(;;){
+ if(0 == 0){
+ mpassign(b, t);
+ mpassign(mpzero, m);
+ for(;;){
+ if(mpcmp(m, e) < 0){
+ if(mpcmp(t, mpone) == 0){
+ break;
+ }
+ mpmul(t, t, t);
+ mpmod(t, p, t);
+ mpadd(m, mpone, m);
+ }else{
+ break;
+ }
+ }
+ if(mpcmp(m, mpzero) == 0){
+ mpassign(x, r);
+ break;
+ }
+ mpsub(e, m, t);
+ mpsub(t, mpone, t);
+ mpexp(mptwo, t, nil, t);
+ mpexp(g, t, p, gs);
+ mpmodmul(gs, gs, p, g);
+ mpmodmul(x, gs, p, x);
+ mpmodmul(b, g, p, b);
+ mpassign(m, e);
+ }else{
+ break;
+ }
+ }
+ }
+ mpfree(tmp2);
+ mpfree(tmp3);
+ }
+ }
+ }
+ mpfree(tmp1);
+ mpfree(gs);
+ mpfree(m);
+ mpfree(t);
+ mpfree(g);
+ mpfree(b);
+ mpfree(x);
+ mpfree(n);
+ mpfree(s);
+ mpfree(e);
+ }
+void misqrt(mpint *a, mpint *p, mpint *r){
+ mpint *e = mpnew(0);
+ mpint *tmp1 = mpnew(0);
+ uitomp(4UL, tmp1);
+ mpmod(p, tmp1, tmp1);
+ mpint *tmp2 = mpnew(0);
+ uitomp(3UL, tmp2);
+ if(mpcmp(tmp1, tmp2) == 0){
+ uitomp(3UL, e);
+ mpsub(p, e, e);
+ mpright(e, 2, e);
+ mpexp(a, e, p, r);
+ }else{
+ msqrt(a, p, r);
+ if(mpcmp(r, mpzero) != 0){
+ mpinvert(r, p, r);
+ }
+ }
+ mpfree(tmp1);
+ mpfree(tmp2);
+ mpfree(e);
+ }
--- a/libauthsrv/passtokey.c
+++ b/libauthsrv/passtokey.c
@@ -1,9 +1,10 @@
#include <u.h>
#include <libc.h>
#include <authsrv.h>
+#include <libsec.h>
-int
-passtokey(char *key, char *p)
+void
+passtodeskey(char key[DESKEYLEN], char *p)
{
uchar buf[ANAMELEN], *t;
int i, n;
@@ -20,7 +21,7 @@
for(i = 0; i < DESKEYLEN; i++)
key[i] = (t[i] >> i) + (t[i+1] << (8 - (i+1)));
if(n <= 8)
- return 1;
+ return;
n -= 8;
t += 8;
if(n < 8){
@@ -29,5 +30,19 @@
}
encrypt(key, t, 8);
}
- return 1; /* not reached */
+}
+
+void
+passtoaeskey(uchar key[AESKEYLEN], char *p)
+{
+ static char salt[] = "Plan 9 key derivation";
+ pbkdf2_x((uchar*)p, strlen(p), (uchar*)salt, sizeof(salt)-1, 9001, key, AESKEYLEN, hmac_sha1, SHA1dlen);
+}
+
+void
+passtokey(Authkey *key, char *pw)
+{
+ memset(key, 0, sizeof(Authkey));
+ passtodeskey(key->des, pw);
+ passtoaeskey(key->aes, pw);
}
--- a/libauthsrv/readnvram.c
+++ b/libauthsrv/readnvram.c
@@ -27,15 +27,29 @@
"sparc", "#r/nvram", 1024+850, sizeof(Nvrsafe),
"pc", "#S/sdC0/nvram", 0, sizeof(Nvrsafe),
"pc", "#S/sdC0/9fat", -1, sizeof(Nvrsafe),
+ "pc", "#S/sdC1/nvram", 0, sizeof(Nvrsafe),
+ "pc", "#S/sdC1/9fat", -1, sizeof(Nvrsafe),
+ "pc", "#S/sdD0/nvram", 0, sizeof(Nvrsafe),
+ "pc", "#S/sdD0/9fat", -1, sizeof(Nvrsafe),
+ "pc", "#S/sdE0/nvram", 0, sizeof(Nvrsafe),
+ "pc", "#S/sdE0/9fat", -1, sizeof(Nvrsafe),
+ "pc", "#S/sdF0/nvram", 0, sizeof(Nvrsafe),
+ "pc", "#S/sdF0/9fat", -1, sizeof(Nvrsafe),
"pc", "#S/sd00/nvram", 0, sizeof(Nvrsafe),
"pc", "#S/sd00/9fat", -1, sizeof(Nvrsafe),
"pc", "#S/sd01/nvram", 0, sizeof(Nvrsafe),
"pc", "#S/sd01/9fat", -1, sizeof(Nvrsafe),
+ "pc", "#S/sd10/nvram", 0, sizeof(Nvrsafe),
+ "pc", "#S/sd10/9fat", -1, sizeof(Nvrsafe),
"pc", "#f/fd0disk", -1, 512, /* 512: #f requires whole sector reads */
"pc", "#f/fd1disk", -1, 512,
"mips", "#r/nvram", 1024+900, sizeof(Nvrsafe),
- "power", "#F/flash/flash0", 0x300000, sizeof(Nvrsafe),
+ "power", "#F/flash/flash0", 0x440000, sizeof(Nvrsafe),
+ "power", "#F/flash/flash", 0x440000, sizeof(Nvrsafe),
"power", "#r/nvram", 4352, sizeof(Nvrsafe), /* OK for MTX-604e */
+ "power", "/nvram", 0, sizeof(Nvrsafe), /* OK for Ucu */
+ "arm", "#F/flash/flash0", 0x100000, sizeof(Nvrsafe),
+ "arm", "#F/flash/flash", 0x100000, sizeof(Nvrsafe),
"debug", "/tmp/nvram", 0, sizeof(Nvrsafe),
};
@@ -109,67 +123,72 @@
buf[m++] = line[0];
}
}
- return buf; /* how does this happen */
}
+typedef struct {
+ int fd;
+ int safelen;
+ vlong safeoff;
+} Nvrwhere;
-/*
- * get key info out of nvram. since there isn't room in the PC's nvram use
- * a disk partition there.
- */
-int
-readnvram(Nvrsafe *safep, int flag)
+static char *nvrfile = nil, *cputype = nil;
+
+/* returns with *locp filled in and locp->fd open, if possible */
+static void
+findnvram(Nvrwhere *locp)
{
- char buf[1024], in[128], *cputype, *nvrfile, *nvrlen, *nvroff, *v[2];
- int fd, err, i, safeoff, safelen;
- Nvrsafe *safe;
+ char *nvrlen, *nvroff, *v[2];
+ int fd, i, safelen;
+ vlong safeoff;
- err = 0;
- memset(safep, 0, sizeof(*safep));
-
- nvrfile = getenv("nvram");
- cputype = getenv("cputype");
+ if (nvrfile == nil)
+ nvrfile = getenv("nvram");
+ if (cputype == nil)
+ cputype = getenv("cputype");
if(cputype == nil)
- cputype = "mips";
- if(strcmp(cputype, "386")==0 || strcmp(cputype, "alpha")==0)
- cputype = "pc";
+ cputype = strdup("mips");
+ if(strcmp(cputype, "386")==0 || strcmp(cputype, "amd64")==0 || strcmp(cputype, "alpha")==0) {
+ free(cputype);
+ cputype = strdup("pc");
+ }
- safe = (Nvrsafe*)buf;
-
fd = -1;
safeoff = -1;
safelen = -1;
- if(nvrfile != nil){
+ if(nvrfile != nil && *nvrfile != '\0'){
/* accept device and device!file */
i = gettokens(nvrfile, v, nelem(v), "!");
+ if (i < 1) {
+ i = 1;
+ v[0] = "";
+ v[1] = nil;
+ }
fd = open(v[0], ORDWR);
+ if (fd < 0)
+ fd = open(v[0], OREAD);
safelen = sizeof(Nvrsafe);
if(strstr(v[0], "/9fat") == nil)
safeoff = 0;
nvrlen = getenv("nvrlen");
if(nvrlen != nil)
- safelen = atoi(nvrlen);
+ safelen = strtol(nvrlen, 0, 0);
nvroff = getenv("nvroff");
- if(nvroff != nil){
+ if(nvroff != nil)
if(strcmp(nvroff, "dos") == 0)
safeoff = -1;
else
- safeoff = atoi(nvroff);
- }
+ safeoff = strtoll(nvroff, 0, 0);
if(safeoff < 0 && fd >= 0){
safelen = 512;
- safeoff = finddosfile(fd, i == 2 ? v[1] : "plan9.nvr");
- if(safeoff < 0){
+ safeoff = finddosfile(fd, i == 2? v[1]: "plan9.nvr");
+ if(safeoff < 0){ /* didn't find plan9.nvr? */
close(fd);
fd = -1;
}
}
- free(nvrfile);
- if(nvrlen != nil)
- free(nvrlen);
- if(nvroff != nil)
- free(nvroff);
- }else{
+ free(nvroff);
+ free(nvrlen);
+ }else
for(i=0; i<nelem(nvtab); i++){
if(strcmp(cputype, nvtab[i].cputype) != 0)
continue;
@@ -179,7 +198,7 @@
safelen = nvtab[i].len;
if(safeoff == -1){
safeoff = finddosfile(fd, "plan9.nvr");
- if(safeoff < 0){
+ if(safeoff < 0){ /* didn't find plan9.nvr? */
close(fd);
fd = -1;
continue;
@@ -187,43 +206,123 @@
}
break;
}
+ locp->fd = fd;
+ locp->safelen = safelen;
+ locp->safeoff = safeoff;
+}
+
+/*
+ * get key info out of nvram. since there isn't room in the PC's nvram use
+ * a disk partition there.
+ */
+int
+readnvram(Nvrsafe *safep, int flag)
+{
+ int err;
+ char buf[512], in[128]; /* 512 for floppy i/o */
+ Nvrsafe *safe;
+ Nvrwhere loc;
+
+ err = 0;
+ safe = (Nvrsafe*)buf;
+ memset(&loc, 0, sizeof loc);
+ findnvram(&loc);
+ if (loc.safelen < 0)
+ loc.safelen = sizeof *safe;
+ else if (loc.safelen > sizeof buf)
+ loc.safelen = sizeof buf;
+ if (loc.safeoff < 0) {
+ fprint(2, "readnvram: couldn't find nvram\n");
+ if(!(flag&NVwritemem))
+ memset(safep, 0, sizeof(*safep));
+ safe = safep;
+ /*
+ * allow user to type the data for authentication,
+ * even if there's no nvram to store it in.
+ */
}
- if(fd < 0
- || seek(fd, safeoff, 0) < 0
- || read(fd, buf, safelen) != safelen){
- err = 1;
- if(flag&(NVwrite|NVwriteonerr))
- fprint(2, "can't read nvram: %r\n");
- memset(safep, 0, sizeof(*safep));
+ if(flag&NVwritemem)
safe = safep;
- }else{
- *safep = *safe;
- safe = safep;
+ else {
+ memset(safep, 0, sizeof(*safep));
+ if(loc.fd < 0
+ || seek(loc.fd, loc.safeoff, 0) < 0
+ || read(loc.fd, buf, loc.safelen) != loc.safelen){
+ err = 1;
+ if(flag&(NVwrite|NVwriteonerr))
+ if(loc.fd < 0)
+ fprint(2, "can't open %s: %r\n", nvrfile);
+ else if (seek(loc.fd, loc.safeoff, 0) < 0)
+ fprint(2, "can't seek %s to %lld: %r\n",
+ nvrfile, loc.safeoff);
+ else
+ fprint(2, "can't read %d bytes from %s: %r\n",
+ loc.safelen, nvrfile);
+ /* start from scratch */
+ memset(safep, 0, sizeof(*safep));
+ safe = safep;
+ }else{
+ *safep = *safe; /* overwrite arg with data read */
+ safe = safep;
- err |= check(safe->machkey, DESKEYLEN, safe->machsum, "bad nvram key");
-// err |= check(safe->config, CONFIGLEN, safe->configsum, "bad secstore key");
- err |= check(safe->authid, ANAMELEN, safe->authidsum, "bad authentication id");
- err |= check(safe->authdom, DOMLEN, safe->authdomsum, "bad authentication domain");
+ /* verify data read */
+ err |= check(safe->machkey, DESKEYLEN, safe->machsum,
+ "bad nvram des key");
+ err |= check(safe->authid, ANAMELEN, safe->authidsum,
+ "bad authentication id");
+ err |= check(safe->authdom, DOMLEN, safe->authdomsum,
+ "bad authentication domain");
+ if(0){
+ err |= check(safe->config, CONFIGLEN, safe->configsum,
+ "bad secstore key");
+ err |= check(safe->aesmachkey, AESKEYLEN, safe->aesmachsum,
+ "bad nvram aes key");
+ } else {
+ if(nvcsum(safe->config, CONFIGLEN) != safe->configsum)
+ memset(safe->config, 0, CONFIGLEN);
+ if(nvcsum(safe->aesmachkey, AESKEYLEN) != safe->aesmachsum)
+ memset(safe->aesmachkey, 0, AESKEYLEN);
+ }
+ if(err == 0)
+ if(safe->authid[0]==0 || safe->authdom[0]==0){
+ fprint(2, "empty nvram authid or authdom\n");
+ err = 1;
+ }
+ }
}
- if((flag&NVwrite) || (err && (flag&NVwriteonerr))){
- readcons("authid", nil, 0, safe->authid, sizeof(safe->authid));
- readcons("authdom", nil, 0, safe->authdom, sizeof(safe->authdom));
- readcons("secstore key", nil, 1, safe->config, sizeof(safe->config));
- for(;;){
- if(readcons("password", nil, 1, in, sizeof in) == nil)
- goto Out;
- if(passtokey(safe->machkey, in))
+ if((flag&(NVwrite|NVwritemem)) || (err && (flag&NVwriteonerr))){
+ if (!(flag&NVwritemem)) {
+ readcons("authid", nil, 0, safe->authid,
+ sizeof safe->authid);
+ readcons("authdom", nil, 0, safe->authdom,
+ sizeof safe->authdom);
+ readcons("secstore key", nil, 1, safe->config,
+ sizeof safe->config);
+ for(;;){
+ Authkey k;
+
+ if(readcons("password", nil, 1, in, sizeof in) == nil)
+ goto Out;
+ passtokey(&k, in);
+ memmove(safe->machkey, k.des, DESKEYLEN);
+ memmove(safe->aesmachkey, k.aes, AESKEYLEN);
break;
+ }
}
+
safe->machsum = nvcsum(safe->machkey, DESKEYLEN);
+ // safe->authsum = nvcsum(safe->authkey, DESKEYLEN);
safe->configsum = nvcsum(safe->config, CONFIGLEN);
- safe->authidsum = nvcsum(safe->authid, sizeof(safe->authid));
- safe->authdomsum = nvcsum(safe->authdom, sizeof(safe->authdom));
+ safe->authidsum = nvcsum(safe->authid, sizeof safe->authid);
+ safe->authdomsum = nvcsum(safe->authdom, sizeof safe->authdom);
+ safe->aesmachsum = nvcsum(safe->aesmachkey, AESKEYLEN);
+
*(Nvrsafe*)buf = *safe;
- if(seek(fd, safeoff, 0) < 0
- || write(fd, buf, safelen) != safelen){
+ if(loc.fd < 0
+ || seek(loc.fd, loc.safeoff, 0) < 0
+ || write(loc.fd, buf, loc.safelen) != loc.safelen){
fprint(2, "can't write key to nvram: %r\n");
err = 1;
}else
@@ -230,8 +329,9 @@
err = 0;
}
Out:
- close(fd);
- return err ? -1 : 0;
+ if (loc.fd >= 0)
+ close(loc.fd);
+ return err? -1: 0;
}
typedef struct Dosboot Dosboot;
@@ -340,7 +440,7 @@
if(rootsects <= 0 || rootsects > 64)
return -1;
- /*
+ /*
* read root. it is contiguous to make stuff like
* this easier
*/
--- /dev/null
+++ b/libauthsrv/spake2ee.mpc
@@ -1,0 +1,63 @@
+void spake2ee_h2P(mpint *p, mpint *a, mpint *d, mpint *h, mpint *PX, mpint *PY, mpint *PZ, mpint *PT){
+ mpint *n = mpnew(0);
+ mpassign(mptwo, n);
+ for(;;){
+ mpint *tmp1 = mpnew(0);
+ legendresymbol(n, p, tmp1);
+ mpint *tmp2 = mpnew(0);
+ mpassign(mpone, tmp2);
+ tmp2->sign = -1;
+ if(mpcmp(tmp1, tmp2) != 0){
+ mpadd(n, mpone, n);
+ }else{
+ mpfree(tmp2);
+ mpfree(tmp1);
+ break;
+ }
+ mpfree(tmp1);
+ mpfree(tmp2);
+ }
+ mpint *tmp3 = mpnew(0);
+ mpmod(h, p, tmp3);
+ elligator2(p, a, d, n, tmp3, PX, PY, PZ, PT);
+ mpfree(tmp3);
+ mpfree(n);
+ }
+void spake2ee_1(mpint *p, mpint *a, mpint *d, mpint *x, mpint *GX, mpint *GY, mpint *PX, mpint *PY, mpint *PZ, mpint *PT, mpint *y){
+ mpint *T = mpnew(0);
+ mpint *Z = mpnew(0);
+ mpint *Y = mpnew(0);
+ mpint *X = mpnew(0);
+ mpint *tmp1 = mpnew(0);
+ mpmodmul(GX, GY, p, tmp1);
+ edwards_scale(p, a, d, x, GX, GY, mpone, tmp1, X, Y, Z, T);
+ mpfree(tmp1);
+ edwards_add(p, a, d, X, Y, Z, T, PX, PY, PZ, PT, X, Y, Z, T);
+ decaf_encode(p, a, d, X, Y, Z, T, y);
+ mpfree(T);
+ mpfree(Z);
+ mpfree(Y);
+ mpfree(X);
+ }
+void spake2ee_2(mpint *p, mpint *a, mpint *d, mpint *PX, mpint *PY, mpint *PZ, mpint *PT, mpint *x, mpint *y, mpint *ok, mpint *z){
+ mpint *T = mpnew(0);
+ mpint *Z = mpnew(0);
+ mpint *Y = mpnew(0);
+ mpint *X = mpnew(0);
+ decaf_decode(p, a, d, y, ok, X, Y, Z, T);
+ if(mpcmp(ok, mpzero) != 0){
+ mpint *tmp1 = mpnew(0);
+ mpmodsub(mpzero, PX, p, tmp1);
+ mpint *tmp2 = mpnew(0);
+ mpmodsub(mpzero, PT, p, tmp2);
+ edwards_add(p, a, d, X, Y, Z, T, tmp1, PY, PZ, tmp2, X, Y, Z, T);
+ mpfree(tmp1);
+ mpfree(tmp2);
+ edwards_scale(p, a, d, x, X, Y, Z, T, X, Y, Z, T);
+ decaf_encode(p, a, d, X, Y, Z, T, z);
+ }
+ mpfree(T);
+ mpfree(Z);
+ mpfree(Y);
+ mpfree(X);
+ }
--- a/libc/Makefile
+++ b/libc/Makefile
@@ -9,6 +9,7 @@
convM2D.$O\
convM2S.$O\
convS2M.$O\
+ ctime.$O\
crypt.$O\
dial.$O\
dirfstat.$O\
--- /dev/null
+++ b/libc/ctime.c
@@ -1,0 +1,118 @@
+/*
+ * This routine converts time as follows.
+ * The epoch is 0000 Jan 1 1970 GMT.
+ * The argument time is in seconds since then.
+ * The localtime(t) entry returns a pointer to an array
+ * containing
+ *
+ * seconds (0-59)
+ * minutes (0-59)
+ * hours (0-23)
+ * day of month (1-31)
+ * month (0-11)
+ * year-1970
+ * weekday (0-6, Sun is 0)
+ * day of the year
+ * daylight savings flag
+ *
+ * The routine gets the daylight savings time from the environment.
+ *
+ * asctime(tvec))
+ * where tvec is produced by localtime
+ * returns a ptr to a character string
+ * that has the ascii time in the form
+ *
+ * \\
+ * Thu Jan 01 00:00:00 GMT 1970n0
+ * 012345678901234567890123456789
+ * 0 1 2
+ *
+ * ctime(t) just calls localtime, then asctime.
+ */
+
+#include <u.h>
+#include <libc.h>
+
+static char dmsize[12] =
+{
+ 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
+};
+
+/*
+ * The following table is used for 1974 and 1975 and
+ * gives the day number of the first day after the Sunday of the
+ * change.
+ */
+
+static int dysize(int);
+
+
+Tm*
+gmtime(long tim)
+{
+ int d0, d1;
+ long hms, day;
+ static Tm xtime;
+
+ /*
+ * break initial number into days
+ */
+ hms = tim % 86400L;
+ day = tim / 86400L;
+ if(hms < 0) {
+ hms += 86400L;
+ day -= 1;
+ }
+
+ /*
+ * generate hours:minutes:seconds
+ */
+ xtime.sec = hms % 60;
+ d1 = hms / 60;
+ xtime.min = d1 % 60;
+ d1 /= 60;
+ xtime.hour = d1;
+
+ /*
+ * day is the day number.
+ * generate day of the week.
+ * The addend is 4 mod 7 (1/1/1970 was Thursday)
+ */
+
+ xtime.wday = (day + 7340036L) % 7;
+
+ /*
+ * year number
+ */
+ if(day >= 0)
+ for(d1 = 1970; day >= dysize(d1); d1++)
+ day -= dysize(d1);
+ else
+ for (d1 = 1970; day < 0; d1--)
+ day += dysize(d1-1);
+ xtime.year = d1-1900;
+ xtime.yday = d0 = day;
+
+ /*
+ * generate month
+ */
+
+ if(dysize(d1) == 366)
+ dmsize[1] = 29;
+ for(d1 = 0; d0 >= dmsize[d1]; d1++)
+ d0 -= dmsize[d1];
+ dmsize[1] = 28;
+ xtime.mday = d0 + 1;
+ xtime.mon = d1;
+ strcpy(xtime.zone, "GMT");
+ return &xtime;
+}
+
+static int
+dysize(int y)
+{
+
+ if(y%4 == 0 && (y%100 != 0 || y%400 == 0))
+ return 366;
+ return 365;
+}
--- a/libmp/Makefile
+++ b/libmp/Makefile
@@ -6,7 +6,9 @@
OFILES=\
betomp.$O\
+ cnfield.$O\
crt.$O\
+ gmfield.$O\
letomp.$O\
mpadd.$O\
mpaux.$O\
@@ -16,17 +18,25 @@
mpeuclid.$O\
mpexp.$O\
mpextendedgcd.$O\
+ mpfactorial.$O\
+ mpfield.$O\
mpfmt.$O\
mpinvert.$O\
mpleft.$O\
+ mplogic.$O\
mpmod.$O\
+ mpmodop.$O\
mpmul.$O\
+ mpnrand.$O\
mprand.$O\
mpright.$O\
+ mpsel.$O\
mpsub.$O\
mptobe.$O\
+ mptober.$O\
mptoi.$O\
mptole.$O\
+ mptolel.$O\
mptoui.$O\
mptouv.$O\
mptov.$O\
@@ -34,6 +44,7 @@
mpveccmp.$O\
mpvecdigmuladd.$O\
mpvecsub.$O\
+ mpvectscmp.$O\
strtomp.$O
default: $(LIB)
--- a/libmp/betomp.c
+++ b/libmp/betomp.c
@@ -9,21 +9,16 @@
int m, s;
mpdigit x;
- if(b == nil)
+ if(b == nil){
b = mpnew(0);
-
- // dump leading zeros
- while(*p == 0 && n > 1){
- p++;
- n--;
+ setmalloctag(b, getcallerpc(&p));
}
-
- // get the space
mpbits(b, n*8);
- b->top = DIGITS(n*8);
- m = b->top-1;
- // first digit might not be Dbytes long
+ m = DIGITS(n*8);
+ b->top = m--;
+ b->sign = 1;
+
s = ((n-1)*8)%Dbits;
x = 0;
for(; n > 0; n--){
@@ -35,6 +30,5 @@
x = 0;
}
}
-
- return b;
+ return mpnorm(b);
}
--- /dev/null
+++ b/libmp/cnfield.c
@@ -1,0 +1,114 @@
+#include "os.h"
+#include <mp.h>
+#include "dat.h"
+
+/*
+ * fast reduction for crandall numbers of the form: 2^n - c
+ */
+
+enum {
+ MAXDIG = 1024 / Dbits,
+};
+
+typedef struct CNfield CNfield;
+struct CNfield
+{
+ Mfield;
+
+ mpint m[1];
+
+ int s;
+ mpdigit c;
+};
+
+static int
+cnreduce(Mfield *m, mpint *a, mpint *r)
+{
+ mpdigit q[MAXDIG-1], t[MAXDIG], d;
+ CNfield *f = (CNfield*)m;
+ int qn, tn, k;
+
+ k = f->top;
+ if((a->top - k) >= MAXDIG)
+ return -1;
+
+ mpleft(a, f->s, r);
+ if(r->top <= k)
+ mpbits(r, (k+1)*Dbits);
+
+ /* q = hi(r) */
+ qn = r->top - k;
+ memmove(q, r->p+k, qn*Dbytes);
+
+ /* r = lo(r) */
+ r->top = k;
+ r->sign = 1;
+
+ do {
+ /* t = q*c */
+ tn = qn+1;
+ memset(t, 0, tn*Dbytes);
+ mpvecdigmuladd(q, qn, f->c, t);
+
+ /* q = hi(t) */
+ qn = tn - k;
+ if(qn <= 0) qn = 0;
+ else memmove(q, t+k, qn*Dbytes);
+
+ /* r += lo(t) */
+ if(tn > k)
+ tn = k;
+ mpvecadd(r->p, k, t, tn, r->p);
+
+ /* if(r >= m) r -= m */
+ mpvecsub(r->p, k+1, f->m->p, k, t);
+ d = t[k];
+ for(tn = 0; tn < k; tn++)
+ r->p[tn] = (r->p[tn] & d) | (t[tn] & ~d);
+ } while(qn > 0);
+
+ if(f->s != 0)
+ mpright(r, f->s, r);
+ mpnorm(r);
+
+ return 0;
+}
+
+Mfield*
+cnfield(mpint *N)
+{
+ mpint *M, *C;
+ CNfield *f;
+ mpdigit d;
+ int s;
+
+ if(N->top <= 2 || N->top >= MAXDIG)
+ return nil;
+ f = nil;
+ d = N->p[N->top-1];
+ for(s = 0; (d & (mpdigit)1<<Dbits-1) == 0; s++)
+ d <<= 1;
+ C = mpnew(0);
+ M = mpcopy(N);
+ mpleft(N, s, M);
+ mpleft(mpone, M->top*Dbits, C);
+ mpsub(C, M, C);
+ if(C->top != 1)
+ goto out;
+ f = mallocz(sizeof(CNfield) + M->top*sizeof(mpdigit), 1);
+ if(f == nil)
+ goto out;
+ f->s = s;
+ f->c = C->p[0];
+ f->m->size = M->top;
+ f->m->p = (mpdigit*)&f[1];
+ mpassign(M, f->m);
+ mpassign(N, (mpint*)f);
+ f->reduce = cnreduce;
+ f->flags |= MPfield;
+out:
+ mpfree(M);
+ mpfree(C);
+
+ return (Mfield*)f;
+}
--- a/libmp/crt.c
+++ b/libmp/crt.c
@@ -1,6 +1,5 @@
#include "os.h"
#include <mp.h>
-#include <libsec.h>
// chinese remainder theorem
//
--- a/libmp/crttest.c
+++ b/libmp/crttest.c
@@ -1,6 +1,5 @@
#include "os.h"
#include <mp.h>
-#include <libsec.h>
void
testcrt(mpint **p)
@@ -8,9 +7,8 @@
CRTpre *crt;
CRTres *res;
mpint *m, *x, *y;
- int i;
- fmtinstall('B', mpconv);
+ fmtinstall('B', mpfmt);
// get a modulus and a test number
m = mpnew(1024+160);
@@ -49,6 +47,6 @@
mpfree(p[0]);
mpfree(p[1]);
}
- print("%d secs with more\n", time(0)-start);
+ print("%ld secs with more\n", time(0)-start);
exits(0);
}
--- a/libmp/dat.h
+++ b/libmp/dat.h
@@ -1,4 +1,4 @@
-#define mpdighi (mpdigit)(1U<<(Dbits-1))
+#define mpdighi (mpdigit)(1<<(Dbits-1))
#define DIGITS(x) ((Dbits - 1 + (x))/Dbits)
// for converting between int's and mpint's
@@ -7,9 +7,6 @@
#define MININT (MAXINT+1)
// for converting between vlongs's and mpint's
-// #define MAXUVLONG (~0ULL)
-// #define MAXVLONG (MAXUVLONG>>1)
-// #define MINVLONG (MAXVLONG+1ULL)
-#define MAXUVLONG ((uvlong) ~0)
+#define MAXUVLONG (~0ULL)
#define MAXVLONG (MAXUVLONG>>1)
-#define MINVLONG (MAXVLONG+((uvlong) 1))
+#define MINVLONG (MAXVLONG+1ULL)
--- /dev/null
+++ b/libmp/gmfield.c
@@ -1,0 +1,173 @@
+#include "os.h"
+#include <mp.h>
+#include "dat.h"
+
+/*
+ * fast reduction for generalized mersenne numbers (GM)
+ * using a series of additions and subtractions.
+ */
+
+enum {
+ MAXDIG = 1024/Dbits,
+};
+
+typedef struct GMfield GMfield;
+struct GMfield
+{
+ Mfield;
+
+ mpint m2[1];
+
+ int nadd;
+ int nsub;
+ int indx[256];
+};
+
+static int
+gmreduce(Mfield *m, mpint *a, mpint *r)
+{
+ GMfield *g = (GMfield*)m;
+ mpdigit d0, t[MAXDIG];
+ int i, j, d, *x;
+
+ if(mpmagcmp(a, g->m2) >= 0)
+ return -1;
+
+ if(a != r)
+ mpassign(a, r);
+
+ d = g->top;
+ mpbits(r, (d+1)*Dbits*2);
+ memmove(t+d, r->p+d, d*Dbytes);
+
+ r->sign = 1;
+ r->top = d;
+ r->p[d] = 0;
+
+ if(g->nsub > 0)
+ mpvecdigmuladd(g->p, d, g->nsub, r->p);
+
+ x = g->indx;
+ for(i=0; i<g->nadd; i++){
+ t[0] = 0;
+ d0 = t[*x++];
+ for(j=1; j<d; j++)
+ t[j] = t[*x++];
+ t[0] = d0;
+
+ mpvecadd(r->p, d+1, t, d, r->p);
+ }
+
+ for(i=0; i<g->nsub; i++){
+ t[0] = 0;
+ d0 = t[*x++];
+ for(j=1; j<d; j++)
+ t[j] = t[*x++];
+ t[0] = d0;
+
+ mpvecsub(r->p, d+1, t, d, r->p);
+ }
+
+ mpvecdigmulsub(g->p, d, r->p[d], r->p);
+ r->p[d] = 0;
+
+ mpvecsub(r->p, d+1, g->p, d, r->p+d+1);
+ d0 = r->p[2*d+1];
+ for(j=0; j<d; j++)
+ r->p[j] = (r->p[j] & d0) | (r->p[j+d+1] & ~d0);
+
+ mpnorm(r);
+
+ return 0;
+}
+
+Mfield*
+gmfield(mpint *N)
+{
+ int i,j,d, s, *C, *X, *x, *e;
+ mpint *M, *T;
+ GMfield *g;
+
+ d = N->top;
+ if(d <= 2 || d > MAXDIG/2 || (mpsignif(N) % Dbits) != 0)
+ return nil;
+ g = nil;
+ T = mpnew(0);
+ M = mpcopy(N);
+ C = malloc(sizeof(int)*(d+1));
+ X = malloc(sizeof(int)*(d*d));
+ if(C == nil || X == nil)
+ goto out;
+
+ for(i=0; i<=d; i++){
+ if((M->p[i]>>8) != 0 && (~M->p[i]>>8) != 0)
+ goto out;
+ j = M->p[i];
+ C[d - i] = -j;
+ itomp(j, T);
+ mpleft(T, i*Dbits, T);
+ mpsub(M, T, M);
+ }
+ for(j=0; j<d; j++)
+ X[j] = C[d-j];
+ for(i=1; i<d; i++){
+ X[d*i] = X[d*(i-1) + d-1]*C[d];
+ for(j=1; j<d; j++)
+ X[d*i + j] = X[d*(i-1) + j-1] + X[d*(i-1) + d-1]*C[d-j];
+ }
+ g = mallocz(sizeof(GMfield) + (d+1)*sizeof(mpdigit)*2, 1);
+ if(g == nil)
+ goto out;
+
+ g->m2->p = (mpdigit*)&g[1];
+ g->m2->size = d*2+1;
+ mpmul(N, N, g->m2);
+ mpassign(N, (mpint*)g);
+ g->reduce = gmreduce;
+ g->flags |= MPfield;
+
+ s = 0;
+ x = g->indx;
+ e = x + nelem(g->indx) - d;
+ for(g->nadd=0; x <= e; x += d, g->nadd++){
+ s = 0;
+ for(i=0; i<d; i++){
+ for(j=0; j<d; j++){
+ if(X[d*i+j] > 0 && x[j] == 0){
+ X[d*i+j]--;
+ x[j] = d+i;
+ s = 1;
+ break;
+ }
+ }
+ }
+ if(s == 0)
+ break;
+ }
+ for(g->nsub=0; x <= e; x += d, g->nsub++){
+ s = 0;
+ for(i=0; i<d; i++){
+ for(j=0; j<d; j++){
+ if(X[d*i+j] < 0 && x[j] == 0){
+ X[d*i+j]++;
+ x[j] = d+i;
+ s = 1;
+ break;
+ }
+ }
+ }
+ if(s == 0)
+ break;
+ }
+ if(s != 0){
+ mpfree((mpint*)g);
+ g = nil;
+ }
+out:
+ free(C);
+ free(X);
+ mpfree(M);
+ mpfree(T);
+ return (Mfield*)g;
+}
+
--- a/libmp/letomp.c
+++ b/libmp/letomp.c
@@ -9,10 +9,11 @@
int i=0, m = 0;
mpdigit x=0;
- if(b == nil)
+ if(b == nil){
b = mpnew(0);
+ setmalloctag(b, getcallerpc(&s));
+ }
mpbits(b, 8*n);
- b->top = DIGITS(8*n);
for(; n > 0; n--){
x |= ((mpdigit)(*s++)) << i;
i += 8;
@@ -25,5 +26,6 @@
if(i > 0)
b->p[m++] = x;
b->top = m;
- return b;
+ b->sign = 1;
+ return mpnorm(b);
}
--- a/libmp/mpadd.c
+++ b/libmp/mpadd.c
@@ -9,6 +9,8 @@
int m, n;
mpint *t;
+ sum->flags |= (b1->flags | b2->flags) & MPtimesafe;
+
// get the sizes right
if(b2->top > b1->top){
t = b1;
@@ -41,6 +43,7 @@
int sign;
if(b1->sign != b2->sign){
+ assert(((b1->flags | b2->flags | sum->flags) & MPtimesafe) == 0);
if(b1->sign < 0)
mpmagsub(b2, b1, sum);
else
--- a/libmp/mpaux.c
+++ b/libmp/mpaux.c
@@ -5,11 +5,9 @@
static mpdigit _mptwodata[1] = { 2 };
static mpint _mptwo =
{
- 1,
- 1,
- 1,
+ 1, 1, 1,
_mptwodata,
- MPstatic
+ MPstatic|MPnorm
};
mpint *mptwo = &_mptwo;
@@ -16,11 +14,9 @@
static mpdigit _mponedata[1] = { 1 };
static mpint _mpone =
{
- 1,
- 1,
- 1,
+ 1, 1, 1,
_mponedata,
- MPstatic
+ MPstatic|MPnorm
};
mpint *mpone = &_mpone;
@@ -27,11 +23,9 @@
static mpdigit _mpzerodata[1] = { 0 };
static mpint _mpzero =
{
- 1,
- 1,
- 0,
+ 1, 1, 0,
_mpzerodata,
- MPstatic
+ MPstatic|MPnorm
};
mpint *mpzero = &_mpzero;
@@ -41,6 +35,8 @@
void
mpsetminbits(int n)
{
+ if(n < 0)
+ sysfatal("mpsetminbits: n < 0");
if(n == 0)
n = 1;
mpmindigits = DIGITS(n);
@@ -52,18 +48,20 @@
{
mpint *b;
- b = mallocz(sizeof(mpint), 1);
- if(b == nil)
- sysfatal("mpnew: %r");
+ if(n < 0)
+ sysfatal("mpsetminbits: n < 0");
+
n = DIGITS(n);
if(n < mpmindigits)
n = mpmindigits;
- n = n;
- b->p = (mpdigit*)mallocz(n*Dbytes, 1);
- if(b->p == nil)
+ b = mallocz(sizeof(mpint) + n*Dbytes, 1);
+ if(b == nil)
sysfatal("mpnew: %r");
+ setmalloctag(b, getcallerpc(&n));
+ b->p = (mpdigit*)&b[1];
b->size = n;
b->sign = 1;
+ b->flags = MPnorm;
return b;
}
@@ -78,16 +76,23 @@
if(b->size >= n){
if(b->top >= n)
return;
- memset(&b->p[b->top], 0, Dbytes*(n - b->top));
- b->top = n;
- return;
+ } else {
+ if(b->p == (mpdigit*)&b[1]){
+ b->p = (mpdigit*)mallocz(n*Dbytes, 0);
+ if(b->p == nil)
+ sysfatal("mpbits: %r");
+ memmove(b->p, &b[1], Dbytes*b->top);
+ memset(&b[1], 0, Dbytes*b->size);
+ } else {
+ b->p = (mpdigit*)realloc(b->p, n*Dbytes);
+ if(b->p == nil)
+ sysfatal("mpbits: %r");
+ }
+ b->size = n;
}
- b->p = (mpdigit*)realloc(b->p, n*Dbytes);
- if(b->p == nil)
- sysfatal("mpbits: %r");
memset(&b->p[b->top], 0, Dbytes*(n - b->top));
- b->size = n;
b->top = n;
+ b->flags &= ~MPnorm;
}
void
@@ -97,16 +102,22 @@
return;
if(b->flags & MPstatic)
sysfatal("freeing mp constant");
- memset(b->p, 0, b->top*Dbytes); // information hiding
- free(b->p);
+ memset(b->p, 0, b->size*Dbytes);
+ if(b->p != (mpdigit*)&b[1])
+ free(b->p);
free(b);
}
-void
+mpint*
mpnorm(mpint *b)
{
int i;
+ if(b->flags & MPtimesafe){
+ assert(b->sign == 1);
+ b->flags &= ~MPnorm;
+ return b;
+ }
for(i = b->top-1; i >= 0; i--)
if(b->p[i] != 0)
break;
@@ -113,6 +124,8 @@
b->top = i+1;
if(b->top == 0)
b->sign = 1;
+ b->flags |= MPnorm;
+ return b;
}
mpint*
@@ -121,8 +134,10 @@
mpint *new;
new = mpnew(Dbits*old->size);
- new->top = old->top;
+ setmalloctag(new, getcallerpc(&old));
new->sign = old->sign;
+ new->top = old->top;
+ new->flags = old->flags & ~(MPstatic|MPfield);
memmove(new->p, old->p, Dbytes*old->top);
return new;
}
@@ -130,9 +145,14 @@
void
mpassign(mpint *old, mpint *new)
{
+ if(new == nil || old == new)
+ return;
+ new->top = 0;
mpbits(new, Dbits*old->top);
new->sign = old->sign;
new->top = old->top;
+ new->flags &= ~MPnorm;
+ new->flags |= old->flags & ~(MPstatic|MPfield);
memmove(new->p, old->p, Dbytes*old->top);
}
@@ -162,6 +182,7 @@
int k, bit, digit;
mpdigit d;
+ assert(n->flags & MPnorm);
if(n->top==0)
return 0;
k = 0;
@@ -182,4 +203,3 @@
}
return k;
}
-
--- a/libmp/mpcmp.c
+++ b/libmp/mpcmp.c
@@ -2,16 +2,20 @@
#include <mp.h>
#include "dat.h"
-// return 1, 0, -1 as abs(b1)-abs(b2) is neg, 0, pos
+// return neg, 0, pos as abs(b1)-abs(b2) is neg, 0, pos
int
mpmagcmp(mpint *b1, mpint *b2)
{
int i;
- i = b1->top - b2->top;
- if(i)
- return i;
-
+ i = b1->flags | b2->flags;
+ if(i & MPtimesafe)
+ return mpvectscmp(b1->p, b1->top, b2->p, b2->top);
+ if(i & MPnorm){
+ i = b1->top - b2->top;
+ if(i)
+ return i;
+ }
return mpveccmp(b1->p, b1->top, b2->p, b2->top);
}
@@ -19,10 +23,8 @@
int
mpcmp(mpint *b1, mpint *b2)
{
- if(b1->sign != b2->sign)
- return b1->sign - b2->sign;
- if(b1->sign < 0)
- return mpmagcmp(b2, b1);
- else
- return mpmagcmp(b1, b2);
+ int sign;
+
+ sign = (b1->sign - b2->sign) >> 1; // -1, 0, 1
+ return sign | (sign&1)-1 & mpmagcmp(b1, b2)*b1->sign;
}
--- a/libmp/mpdigdiv.c
+++ b/libmp/mpdigdiv.c
@@ -21,6 +21,19 @@
return;
}
+ // very common case
+ if(~divisor == 0){
+ lo += hi;
+ if(lo < hi){
+ hi++;
+ lo++;
+ }
+ if(lo+1 == 0)
+ hi++;
+ *quotient = hi;
+ return;
+ }
+
// at this point we know that hi < divisor
// just shift and subtract till we're done
q = 0;
--- a/libmp/mpdiv.c
+++ b/libmp/mpdiv.c
@@ -13,10 +13,29 @@
mpdigit qd, *up, *vp, *qp;
mpint *u, *v, *t;
+ assert(quotient != remainder);
+ assert(divisor->flags & MPnorm);
+
// divide bv zero
if(divisor->top == 0)
abort();
+ // division by one or small powers of two
+ if(divisor->top == 1 && (divisor->p[0] & divisor->p[0]-1) == 0){
+ vlong r = (vlong)dividend->sign * (dividend->p[0] & divisor->p[0]-1);
+ if(quotient != nil){
+ for(s = 0; ((divisor->p[0] >> s) & 1) == 0; s++)
+ ;
+ mpright(dividend, s, quotient);
+ }
+ if(remainder != nil){
+ remainder->flags |= dividend->flags & MPtimesafe;
+ vtomp(r, remainder);
+ }
+ return;
+ }
+ assert((dividend->flags & MPtimesafe) == 0);
+
// quick check
if(mpmagcmp(dividend, divisor) < 0){
if(remainder != nil)
@@ -95,6 +114,7 @@
*up-- = 0;
}
if(qp != nil){
+ assert((quotient->flags & MPtimesafe) == 0);
mpnorm(quotient);
if(dividend->sign != divisor->sign)
quotient->sign = -1;
@@ -101,6 +121,7 @@
}
if(remainder != nil){
+ assert((remainder->flags & MPtimesafe) == 0);
mpright(u, s, remainder); // u is the remainder shifted
remainder->sign = dividend->sign;
}
--- a/libmp/mpeuclid.c
+++ b/libmp/mpeuclid.c
@@ -13,6 +13,12 @@
{
mpint *tmp, *x0, *x1, *x2, *y0, *y1, *y2, *q, *r;
+ assert((a->flags&b->flags) & MPnorm);
+ assert(((a->flags|b->flags|d->flags|x->flags|y->flags) & MPtimesafe) == 0);
+
+ if(a->sign<0 || b->sign<0)
+ sysfatal("mpeuclid: negative arg");
+
if(mpcmp(a, b) < 0){
tmp = a;
a = b;
--- a/libmp/mpexp.c
+++ b/libmp/mpexp.c
@@ -22,6 +22,18 @@
mpdigit d, bit;
int i, j;
+ assert(m == nil || m->flags & MPnorm);
+ assert((e->flags & MPtimesafe) == 0);
+ res->flags |= b->flags & MPtimesafe;
+
+ i = mpcmp(e,mpzero);
+ if(i==0){
+ mpassign(mpone, res);
+ return;
+ }
+ if(i<0)
+ sysfatal("mpexp: negative exponent");
+
t[0] = mpcopy(b);
t[1] = res;
@@ -49,24 +61,22 @@
j = 0;
for(;;){
for(; bit != 0; bit >>= 1){
- mpmul(t[j], t[j], t[j^1]);
- if(bit & d)
- mpmul(t[j^1], b, t[j]);
+ if(m != nil)
+ mpmodmul(t[j], t[j], m, t[j^1]);
else
+ mpmul(t[j], t[j], t[j^1]);
+ if(bit & d) {
+ if(m != nil)
+ mpmodmul(t[j^1], b, m, t[j]);
+ else
+ mpmul(t[j^1], b, t[j]);
+ } else
j ^= 1;
- if(m != nil && t[j]->top > m->top){
- mpmod(t[j], m, t[j^1]);
- j ^= 1;
- }
}
if(--i < 0)
break;
bit = mpdighi;
d = e->p[i];
- }
- if(m != nil){
- mpmod(t[j], m, t[j^1]);
- j ^= 1;
}
if(t[j] == res){
mpfree(t[j^1]);
--- a/libmp/mpextendedgcd.c
+++ b/libmp/mpextendedgcd.c
@@ -5,7 +5,7 @@
// extended binary gcd
//
-// For a anv b it solves, v = gcd(a,b) and finds x and y s.t.
+// For a and b it solves, v = gcd(a,b) and finds x and y s.t.
// ax + by = v
//
// Handbook of Applied Cryptography, Menezes et al, 1997, pg 608.
@@ -15,6 +15,16 @@
mpint *u, *A, *B, *C, *D;
int g;
+ assert((a->flags&b->flags) & MPnorm);
+ assert(((a->flags|b->flags|v->flags|x->flags|y->flags) & MPtimesafe) == 0);
+
+ if(a->sign < 0 || b->sign < 0){
+ mpassign(mpzero, v);
+ mpassign(mpzero, y);
+ mpassign(mpzero, x);
+ return;
+ }
+
if(a->top == 0){
mpassign(b, v);
mpassign(mpone, y);
@@ -94,4 +104,6 @@
mpfree(u);
mpfree(a);
mpfree(b);
+
+ return;
}
--- /dev/null
+++ b/libmp/mpfactorial.c
@@ -1,0 +1,74 @@
+#include "os.h"
+#include <mp.h>
+#include "dat.h"
+
+mpint*
+mpfactorial(ulong n)
+{
+ int i;
+ ulong k;
+ unsigned cnt;
+ int max, mmax;
+ mpdigit p, pp[2];
+ mpint *r, *s, *stk[31];
+
+ cnt = 0;
+ max = mmax = -1;
+ p = 1;
+ r = mpnew(0);
+ for(k=2; k<=n; k++){
+ pp[0] = 0;
+ pp[1] = 0;
+ mpvecdigmuladd(&p, 1, (mpdigit)k, pp);
+ if(pp[1] == 0) /* !overflow */
+ p = pp[0];
+ else{
+ cnt++;
+ if((cnt & 1) == 0){
+ s = stk[max];
+ mpbits(r, Dbits*(s->top+1+1));
+ memset(r->p, 0, Dbytes*(s->top+1+1));
+ mpvecmul(s->p, s->top, &p, 1, r->p);
+ r->sign = 1;
+ r->top = s->top+1+1; /* XXX: norm */
+ mpassign(r, s);
+ for(i=4; (cnt & (i-1)) == 0; i=i<<1){
+ mpmul(stk[max], stk[max-1], r);
+ mpassign(r, stk[max-1]);
+ max--;
+ }
+ }else{
+ max++;
+ if(max > mmax){
+ mmax++;
+ if(max > nelem(stk))
+ abort();
+ stk[max] = mpnew(Dbits);
+ }
+ stk[max]->top = 1;
+ stk[max]->p[0] = p;
+ }
+ p = (mpdigit)k;
+ }
+ }
+ if(max < 0){
+ mpbits(r, Dbits);
+ r->top = 1;
+ r->sign = 1;
+ r->p[0] = p;
+ }else{
+ s = stk[max--];
+ mpbits(r, Dbits*(s->top+1+1));
+ memset(r->p, 0, Dbytes*(s->top+1+1));
+ mpvecmul(s->p, s->top, &p, 1, r->p);
+ r->sign = 1;
+ r->top = s->top+1+1; /* XXX: norm */
+ }
+
+ while(max >= 0)
+ mpmul(r, stk[max--], r);
+ for(max=mmax; max>=0; max--)
+ mpfree(stk[max]);
+ mpnorm(r);
+ return r;
+}
--- /dev/null
+++ b/libmp/mpfield.c
@@ -1,0 +1,21 @@
+#include "os.h"
+#include <mp.h>
+#include "dat.h"
+
+mpint*
+mpfield(mpint *N)
+{
+ Mfield *f;
+
+ if(N == nil || N->flags & (MPfield|MPstatic))
+ return N;
+ if((f = cnfield(N)) != nil)
+ goto Exchange;
+ if((f = gmfield(N)) != nil)
+ goto Exchange;
+ return N;
+Exchange:
+ setmalloctag(f, getcallerpc(&N));
+ mpfree(N);
+ return (mpint*)f;
+}
--- a/libmp/mpfmt.c
+++ b/libmp/mpfmt.c
@@ -1,10 +1,9 @@
#include "os.h"
#include <mp.h>
-#include <libsec.h>
#include "dat.h"
static int
-to64(mpint *b, char *buf, int len)
+toencx(mpint *b, char *buf, int len, int (*enc)(char*, int, uchar*, int))
{
uchar *p;
int n, rv;
@@ -13,52 +12,30 @@
n = mptobe(b, nil, 0, &p);
if(n < 0)
return -1;
- rv = enc64(buf, len, p, n);
+ rv = (*enc)(buf, len, p, n);
free(p);
return rv;
}
-static int
-to32(mpint *b, char *buf, int len)
-{
- uchar *p;
- int n, rv;
-
- // leave room for a multiple of 5 buffer size
- n = b->top*Dbytes + 5;
- p = malloc(n);
- if(p == nil)
- return -1;
- n = mptobe(b, p, n, nil);
- if(n < 0)
- return -1;
-
- // round up buffer size, enc32 only accepts a multiple of 5
- if(n%5)
- n += 5 - (n%5);
- rv = enc32(buf, len, p, n);
- free(p);
- return rv;
-}
-
static char set16[] = "0123456789ABCDEF";
static int
-to16(mpint *b, char *buf, int len)
+topow2(mpint *b, char *buf, int len, int s)
{
mpdigit *p, x;
- int i, j;
+ int i, j, sn;
char *out, *eout;
if(len < 1)
return -1;
+ sn = 1<<s;
out = buf;
eout = buf+len;
for(p = &b->p[b->top-1]; p >= b->p; p--){
x = *p;
- for(i = Dbits-4; i >= 0; i -= 4){
- j = 0xf & (x>>i);
+ for(i = Dbits-s; i >= 0; i -= s){
+ j = x >> i & sn - 1;
if(j != 0 || out != buf){
if(out >= eout)
return -1;
@@ -102,6 +79,8 @@
return -1;
d = mpcopy(b);
+ d->flags &= ~MPtimesafe;
+ mpnorm(d);
r = mpnew(0);
billion = uitomp(1000000000, nil);
out = buf+len;
@@ -124,23 +103,91 @@
return 0;
}
+static int
+to8(mpint *b, char *buf, int len)
+{
+ mpdigit x, y;
+ char *out;
+ int i, j;
+
+ if(len < 2)
+ return -1;
+
+ out = buf+len;
+ *--out = 0;
+
+ i = j = 0;
+ x = y = 0;
+ while(j < b->top){
+ y = b->p[j++];
+ if(i > 0)
+ x |= y << i;
+ else
+ x = y;
+ i += Dbits;
+ while(i >= 3){
+Digout: i -= 3;
+ if(out > buf)
+ out--;
+ else if(x != 0)
+ return -1;
+ *out = '0' + (x & 7);
+ x = y >> Dbits-i;
+ }
+ }
+ if(i > 0)
+ goto Digout;
+
+ while(*out == '0') out++;
+ if(*out == '\0')
+ *--out = '0';
+
+ len -= out-buf;
+ if(out != buf)
+ memmove(buf, out, len);
+ return 0;
+}
+
int
mpfmt(Fmt *fmt)
{
mpint *b;
- char *p;
+ char *x, *p;
+ int base;
b = va_arg(fmt->args, mpint*);
if(b == nil)
return fmtstrcpy(fmt, "*");
-
- p = mptoa(b, fmt->prec, nil, 0);
- fmt->flags &= ~FmtPrec;
+ base = fmt->prec;
+ if(base == 0)
+ base = 16; /* default */
+ fmt->flags &= ~FmtPrec;
+ p = mptoa(b, base, nil, 0);
if(p == nil)
return fmtstrcpy(fmt, "*");
else{
- fmtstrcpy(fmt, p);
+ if((fmt->flags & FmtSharp) != 0){
+ switch(base){
+ case 16:
+ x = "0x";
+ break;
+ case 8:
+ x = "0";
+ break;
+ case 2:
+ x = "0b";
+ break;
+ default:
+ x = "";
+ }
+ if(*p == '-')
+ fmtprint(fmt, "-%s%s", x, p + 1);
+ else
+ fmtprint(fmt, "%s%s", x, p);
+ }
+ else
+ fmtstrcpy(fmt, p);
free(p);
return 0;
}
@@ -152,9 +199,14 @@
char *out;
int rv, alloced;
+ if(base == 0)
+ base = 16; /* default */
alloced = 0;
if(buf == nil){
- len = ((b->top+1)*Dbits+2)/3 + 1;
+ /* rv <= log₂(base) */
+ for(rv=1; (base >> rv) > 1; rv++)
+ ;
+ len = 10 + (b->top*Dbits / rv);
buf = malloc(len);
if(buf == nil)
return nil;
@@ -171,18 +223,29 @@
}
switch(base){
case 64:
- rv = to64(b, out, len);
+ rv = toencx(b, out, len, enc64);
break;
case 32:
- rv = to32(b, out, len);
+ rv = toencx(b, out, len, enc32);
break;
- default:
case 16:
- rv = to16(b, out, len);
+ rv = topow2(b, out, len, 4);
break;
case 10:
rv = to10(b, out, len);
break;
+ case 8:
+ rv = to8(b, out, len);
+ break;
+ case 4:
+ rv = topow2(b, out, len, 2);
+ break;
+ case 2:
+ rv = topow2(b, out, len, 1);
+ break;
+ default:
+ abort();
+ return nil;
}
if(rv < 0){
if(alloced)
--- a/libmp/mpleft.c
+++ b/libmp/mpleft.c
@@ -9,8 +9,14 @@
int d, l, r, i, otop;
mpdigit this, last;
- // a negative left shift is a right shift
- if(shift < 0){
+ res->sign = b->sign;
+ if(b->top==0){
+ res->top = 0;
+ return;
+ }
+
+ // a zero or negative left shift is a right shift
+ if(shift <= 0){
mpright(b, -shift, res);
return;
}
@@ -40,7 +46,6 @@
for(i = 0; i < d; i++)
res->p[i] = 0;
- // normalize
- while(res->top > 0 && res->p[res->top-1] == 0)
- res->top--;
+ res->flags |= b->flags & MPtimesafe;
+ mpnorm(res);
}
--- /dev/null
+++ b/libmp/mplogic.c
@@ -1,0 +1,194 @@
+#include "os.h"
+#include <mp.h>
+#include "dat.h"
+
+/*
+ mplogic calculates b1|b2 subject to the
+ following flag bits (fl)
+
+ bit 0: subtract 1 from b1
+ bit 1: invert b1
+ bit 2: subtract 1 from b2
+ bit 3: invert b2
+ bit 4: add 1 to output
+ bit 5: invert output
+
+ it inverts appropriate bits automatically
+ depending on the signs of the inputs
+*/
+
+static void
+mplogic(mpint *b1, mpint *b2, mpint *sum, int fl)
+{
+ mpint *t;
+ mpdigit *dp1, *dp2, *dpo, d1, d2, d;
+ int c1, c2, co;
+ int i;
+
+ assert(((b1->flags | b2->flags | sum->flags) & MPtimesafe) == 0);
+ if(b1->sign < 0) fl ^= 0x03;
+ if(b2->sign < 0) fl ^= 0x0c;
+ sum->sign = (int)(((fl|fl>>2)^fl>>4)<<30)>>31|1;
+ if(sum->sign < 0) fl ^= 0x30;
+ if(b2->top > b1->top){
+ t = b1;
+ b1 = b2;
+ b2 = t;
+ fl = fl >> 2 & 0x03 | fl << 2 & 0x0c | fl & 0x30;
+ }
+ mpbits(sum, b1->top*Dbits);
+ dp1 = b1->p;
+ dp2 = b2->p;
+ dpo = sum->p;
+ c1 = fl & 1;
+ c2 = fl >> 2 & 1;
+ co = fl >> 4 & 1;
+ for(i = 0; i < b1->top; i++){
+ d1 = dp1[i] - c1;
+ if(i < b2->top)
+ d2 = dp2[i] - c2;
+ else
+ d2 = 0;
+ if(d1 != (mpdigit)-1) c1 = 0;
+ if(d2 != (mpdigit)-1) c2 = 0;
+ if((fl & 2) != 0) d1 ^= -1;
+ if((fl & 8) != 0) d2 ^= -1;
+ d = d1 | d2;
+ if((fl & 32) != 0) d ^= -1;
+ d += co;
+ if(d != 0) co = 0;
+ dpo[i] = d;
+ }
+ sum->top = i;
+ mpnorm(sum);
+}
+
+void
+mpor(mpint *b1, mpint *b2, mpint *sum)
+{
+ mplogic(b1, b2, sum, 0);
+}
+
+void
+mpand(mpint *b1, mpint *b2, mpint *sum)
+{
+ mplogic(b1, b2, sum, 0x2a);
+}
+
+void
+mpbic(mpint *b1, mpint *b2, mpint *sum)
+{
+ mplogic(b1, b2, sum, 0x22);
+}
+
+void
+mpnot(mpint *b, mpint *r)
+{
+ mpadd(b, mpone, r);
+ r->sign ^= -2;
+}
+
+void
+mpxor(mpint *b1, mpint *b2, mpint *sum)
+{
+ mpint *t;
+ mpdigit *dp1, *dp2, *dpo, d1, d2, d;
+ int c1, c2, co;
+ int i, fl;
+
+ assert(((b1->flags | b2->flags | sum->flags) & MPtimesafe) == 0);
+ if(b2->top > b1->top){
+ t = b1;
+ b1 = b2;
+ b2 = t;
+ }
+ fl = (b1->sign & 10) ^ (b2->sign & 12);
+ sum->sign = (int)(fl << 28) >> 31;
+ mpbits(sum, b1->top*Dbits);
+ dp1 = b1->p;
+ dp2 = b2->p;
+ dpo = sum->p;
+ c1 = fl >> 1 & 1;
+ c2 = fl >> 2 & 1;
+ co = fl >> 3 & 1;
+ for(i = 0; i < b1->top; i++){
+ d1 = dp1[i] - c1;
+ if(i < b2->top)
+ d2 = dp2[i] - c2;
+ else
+ d2 = 0;
+ if(d1 != (mpdigit)-1) c1 = 0;
+ if(d2 != (mpdigit)-1) c2 = 0;
+ d = d1 ^ d2;
+ d += co;
+ if(d != 0) co = 0;
+ dpo[i] = d;
+ }
+ sum->top = i;
+ mpnorm(sum);
+}
+
+void
+mptrunc(mpint *b, int n, mpint *r)
+{
+ int d, m, i, c;
+
+ assert(((b->flags | r->flags) & MPtimesafe) == 0);
+ mpbits(r, n);
+ r->top = DIGITS(n);
+ d = n / Dbits;
+ m = n % Dbits;
+ if(b->sign == -1){
+ c = 1;
+ for(i = 0; i <= r->top; i++){
+ if(i < b->top)
+ r->p[i] = ~(b->p[i] - c);
+ else
+ r->p[i] = -1;
+ if(r->p[i] != 0)
+ c = 0;
+ }
+ if(m != 0)
+ r->p[d] &= (1<<m) - 1;
+ }else if(b->sign == 1){
+ if(d >= b->top){
+ mpassign(b, r);
+ return;
+ }
+ if(b != r)
+ for(i = 0; i < d; i++)
+ r->p[i] = b->p[i];
+ if(m != 0)
+ r->p[d] = b->p[d] & (1<<m)-1;
+ }
+ r->sign = 1;
+ mpnorm(r);
+}
+
+void
+mpxtend(mpint *b, int n, mpint *r)
+{
+ int d, m, c, i;
+
+ d = (n - 1) / Dbits;
+ m = (n - 1) % Dbits;
+ if(d >= b->top){
+ mpassign(b, r);
+ return;
+ }
+ mptrunc(b, n, r);
+ mpbits(r, n);
+ if((r->p[d] & 1<<m) == 0){
+ mpnorm(r);
+ return;
+ }
+ r->p[d] |= -(1<<m);
+ r->sign = -1;
+ c = 1;
+ for(i = 0; i < r->top; i++){
+ r->p[i] = ~(r->p[i] - c);
+ if(r->p[i] != 0)
+ c = 0;
+ }
+ mpnorm(r);
+}
--- a/libmp/mpmod.c
+++ b/libmp/mpmod.c
@@ -2,14 +2,15 @@
#include <mp.h>
#include "dat.h"
-// remainder = b mod m
-//
-// knuth, vol 2, pp 398-400
-
void
-mpmod(mpint *b, mpint *m, mpint *remainder)
+mpmod(mpint *x, mpint *n, mpint *r)
{
- mpdiv(b, m, nil, remainder);
- if(remainder->sign < 0)
- mpadd(m, remainder, remainder);
+ int sign;
+
+ sign = x->sign;
+ if((n->flags & MPfield) == 0
+ || ((Mfield*)n)->reduce((Mfield*)n, x, r) != 0)
+ mpdiv(x, n, nil, r);
+ if(sign < 0)
+ mpmagsub(n, r, r);
}
--- /dev/null
+++ b/libmp/mpmodop.c
@@ -1,0 +1,96 @@
+#include <u.h>
+#include <libc.h>
+#include <mp.h>
+
+/* operands need to have m->top+1 digits of space and satisfy 0 ≤ a ≤ m-1 */
+static mpint*
+modarg(mpint *a, mpint *m)
+{
+ if(a->size <= m->top || a->sign < 0 || mpmagcmp(a, m) >= 0){
+ a = mpcopy(a);
+ mpmod(a, m, a);
+ mpbits(a, Dbits*(m->top+1));
+ a->top = m->top;
+ } else if(a->top < m->top){
+ memset(&a->p[a->top], 0, (m->top - a->top)*Dbytes);
+ }
+ return a;
+}
+
+void
+mpmodadd(mpint *b1, mpint *b2, mpint *m, mpint *sum)
+{
+ mpint *a, *b;
+ mpdigit d;
+ int i, j;
+
+ a = modarg(b1, m);
+ b = modarg(b2, m);
+
+ sum->flags |= (a->flags | b->flags) & MPtimesafe;
+ mpbits(sum, Dbits*2*(m->top+1));
+
+ mpvecadd(a->p, m->top, b->p, m->top, sum->p);
+ mpvecsub(sum->p, m->top+1, m->p, m->top, sum->p+m->top+1);
+
+ d = sum->p[2*m->top+1];
+ for(i = 0, j = m->top+1; i < m->top; i++, j++)
+ sum->p[i] = (sum->p[i] & d) | (sum->p[j] & ~d);
+
+ sum->top = m->top;
+ sum->sign = 1;
+ mpnorm(sum);
+
+ if(a != b1)
+ mpfree(a);
+ if(b != b2)
+ mpfree(b);
+}
+
+void
+mpmodsub(mpint *b1, mpint *b2, mpint *m, mpint *diff)
+{
+ mpint *a, *b;
+ mpdigit d;
+ int i, j;
+
+ a = modarg(b1, m);
+ b = modarg(b2, m);
+
+ diff->flags |= (a->flags | b->flags) & MPtimesafe;
+ mpbits(diff, Dbits*2*(m->top+1));
+
+ a->p[m->top] = 0;
+ mpvecsub(a->p, m->top+1, b->p, m->top, diff->p);
+ mpvecadd(diff->p, m->top, m->p, m->top, diff->p+m->top+1);
+
+ d = ~diff->p[m->top];
+ for(i = 0, j = m->top+1; i < m->top; i++, j++)
+ diff->p[i] = (diff->p[i] & d) | (diff->p[j] & ~d);
+
+ diff->top = m->top;
+ diff->sign = 1;
+ mpnorm(diff);
+
+ if(a != b1)
+ mpfree(a);
+ if(b != b2)
+ mpfree(b);
+}
+
+void
+mpmodmul(mpint *b1, mpint *b2, mpint *m, mpint *prod)
+{
+ mpint *a, *b;
+
+ a = modarg(b1, m);
+ b = modarg(b2, m);
+
+ mpmul(a, b, prod);
+ mpmod(prod, m, prod);
+
+ if(a != b1)
+ mpfree(a);
+ if(b != b2)
+ mpfree(b);
+}
--- a/libmp/mpmul.c
+++ b/libmp/mpmul.c
@@ -113,10 +113,6 @@
a = b;
b = t;
}
- if(blen == 0){
- memset(p, 0, Dbytes*(alen+blen));
- return;
- }
if(alen >= KARATSUBAMIN && blen > 1){
// O(n^1.585)
@@ -132,24 +128,48 @@
}
void
+mpvectsmul(mpdigit *a, int alen, mpdigit *b, int blen, mpdigit *p)
+{
+ int i;
+ mpdigit *t;
+
+ if(alen < blen){
+ i = alen;
+ alen = blen;
+ blen = i;
+ t = a;
+ a = b;
+ b = t;
+ }
+ if(blen == 0)
+ return;
+ for(i = 0; i < blen; i++)
+ mpvecdigmuladd(a, alen, b[i], &p[i]);
+}
+
+void
mpmul(mpint *b1, mpint *b2, mpint *prod)
{
mpint *oprod;
- oprod = nil;
+ oprod = prod;
if(prod == b1 || prod == b2){
- oprod = prod;
prod = mpnew(0);
+ prod->flags = oprod->flags;
}
+ prod->flags |= (b1->flags | b2->flags) & MPtimesafe;
prod->top = 0;
mpbits(prod, (b1->top+b2->top+1)*Dbits);
- mpvecmul(b1->p, b1->top, b2->p, b2->top, prod->p);
+ if(prod->flags & MPtimesafe)
+ mpvectsmul(b1->p, b1->top, b2->p, b2->top, prod->p);
+ else
+ mpvecmul(b1->p, b1->top, b2->p, b2->top, prod->p);
prod->top = b1->top+b2->top+1;
prod->sign = b1->sign*b2->sign;
mpnorm(prod);
- if(oprod != nil){
+ if(oprod != prod){
mpassign(prod, oprod);
mpfree(prod);
}
--- /dev/null
+++ b/libmp/mpnrand.c
@@ -1,0 +1,35 @@
+#include "os.h"
+#include <mp.h>
+#include "dat.h"
+
+/* return uniform random [0..n-1] */
+mpint*
+mpnrand(mpint *n, void (*gen)(uchar*, int), mpint *b)
+{
+ mpint *m;
+ int bits;
+
+ /* m = 2^bits - 1 */
+ bits = mpsignif(n);
+ m = mpnew(bits+1);
+ mpleft(mpone, bits, m);
+ mpsub(m, mpone, m);
+
+ if(b == nil){
+ b = mpnew(bits);
+ setmalloctag(b, getcallerpc(&n));
+ }
+
+ /* m = m - (m % n) */
+ mpmod(m, n, b);
+ mpsub(m, b, m);
+
+ do {
+ mprand(bits, gen, b);
+ } while(mpcmp(b, m) >= 0);
+
+ mpmod(b, n, b);
+ mpfree(m);
+
+ return b;
+}
--- a/libmp/mprand.c
+++ b/libmp/mprand.c
@@ -1,24 +1,24 @@
#include "os.h"
#include <mp.h>
-#include <libsec.h>
#include "dat.h"
mpint*
mprand(int bits, void (*gen)(uchar*, int), mpint *b)
{
- int n, m;
mpdigit mask;
+ int n, m;
uchar *p;
n = DIGITS(bits);
- if(b == nil)
+ if(b == nil){
b = mpnew(bits);
- else
+ setmalloctag(b, getcallerpc(&bits));
+ }else
mpbits(b, bits);
p = malloc(n*Dbytes);
if(p == nil)
- return nil;
+ sysfatal("mprand: %r");
(*gen)(p, n*Dbytes);
betomp(p, n*Dbytes, b);
free(p);
@@ -25,18 +25,12 @@
// make sure we don't give too many bits
m = bits%Dbits;
- n--;
- if(m > 0){
- mask = 1;
- mask <<= m;
- mask--;
- b->p[n] &= mask;
- }
+ if(m == 0)
+ return b;
- for(; n >= 0; n--)
- if(b->p[n] != 0)
- break;
- b->top = n+1;
- b->sign = 1;
- return b;
+ mask = 1;
+ mask <<= m;
+ mask--;
+ b->p[n-1] &= mask;
+ return mpnorm(b);
}
--- a/libmp/mpright.c
+++ b/libmp/mpright.c
@@ -9,6 +9,12 @@
int d, l, r, i;
mpdigit this, last;
+ res->sign = b->sign;
+ if(b->top==0){
+ res->top = 0;
+ return;
+ }
+
// a negative right shift is a left shift
if(shift < 0){
mpleft(b, -shift, res);
@@ -17,10 +23,20 @@
if(res != b)
mpbits(res, b->top*Dbits - shift);
+ else if(shift == 0)
+ return;
+
d = shift/Dbits;
r = shift - d*Dbits;
l = Dbits - r;
+ // shift all the bits out == zero
+ if(d>=b->top){
+ res->sign = 1;
+ res->top = 0;
+ return;
+ }
+
// special case digit shifts
if(r == 0){
for(i = 0; i < b->top-d; i++)
@@ -34,7 +50,8 @@
}
res->p[i++] = last>>r;
}
- while(i > 0 && res->p[i-1] == 0)
- i--;
+
res->top = i;
+ res->flags |= b->flags & MPtimesafe;
+ mpnorm(res);
}
--- /dev/null
+++ b/libmp/mpsel.c
@@ -1,0 +1,42 @@
+#include "os.h"
+#include <mp.h>
+#include "dat.h"
+
+// res = s != 0 ? b1 : b2
+void
+mpsel(int s, mpint *b1, mpint *b2, mpint *res)
+{
+ mpdigit d;
+ int n, m, i;
+
+ res->flags |= (b1->flags | b2->flags) & MPtimesafe;
+ if((res->flags & MPtimesafe) == 0){
+ mpassign(s ? b1 : b2, res);
+ return;
+ }
+ res->flags &= ~MPnorm;
+
+ n = b1->top;
+ m = b2->top;
+ mpbits(res, Dbits*(n >= m ? n : m));
+ res->top = n >= m ? n : m;
+
+ s = (-s^s|s)>>(sizeof(s)*8-1);
+ res->sign = (b1->sign & s) | (b2->sign & ~s);
+
+ d = -((mpdigit)s & 1);
+
+ i = 0;
+ while(i < n && i < m){
+ res->p[i] = (b1->p[i] & d) | (b2->p[i] & ~d);
+ i++;
+ }
+ while(i < n){
+ res->p[i] = b1->p[i] & d;
+ i++;
+ }
+ while(i < m){
+ res->p[i] = b2->p[i] & ~d;
+ i++;
+ }
+}
--- a/libmp/mpsub.c
+++ b/libmp/mpsub.c
@@ -11,12 +11,15 @@
// get the sizes right
if(mpmagcmp(b1, b2) < 0){
+ assert(((b1->flags | b2->flags | diff->flags) & MPtimesafe) == 0);
sign = -1;
t = b1;
b1 = b2;
b2 = t;
- } else
+ } else {
+ diff->flags |= (b1->flags | b2->flags) & MPtimesafe;
sign = 1;
+ }
n = b1->top;
m = b2->top;
if(m == 0){
@@ -39,6 +42,7 @@
int sign;
if(b1->sign != b2->sign){
+ assert(((b1->flags | b2->flags | diff->flags) & MPtimesafe) == 0);
sign = b1->sign;
mpmagadd(b1, b2, diff);
diff->sign = sign;
--- a/libmp/mptobe.c
+++ b/libmp/mptobe.c
@@ -2,56 +2,31 @@
#include <mp.h>
#include "dat.h"
-// convert an mpint into a big endian byte array (most significant byte first)
+// convert an mpint into a big endian byte array (most significant byte first; left adjusted)
// return number of bytes converted
// if p == nil, allocate and result array
int
mptobe(mpint *b, uchar *p, uint n, uchar **pp)
{
- int i, j, suppress;
- mpdigit x;
- uchar *e, *s, c;
+ int m;
+ m = (mpsignif(b)+7)/8;
+ if(m == 0)
+ m++;
if(p == nil){
- n = (b->top+1)*Dbytes;
+ n = m;
p = malloc(n);
+ if(p == nil)
+ sysfatal("mptobe: %r");
+ setmalloctag(p, getcallerpc(&b));
+ } else {
+ if(n < m)
+ return -1;
+ if(n > m)
+ memset(p+m, 0, n-m);
}
- if(p == nil)
- return -1;
if(pp != nil)
*pp = p;
- memset(p, 0, n);
-
- // special case 0
- if(b->top == 0){
- if(n < 1)
- return -1;
- else
- return 1;
- }
-
- s = p;
- e = s+n;
- suppress = 1;
- for(i = b->top-1; i >= 0; i--){
- x = b->p[i];
- for(j = Dbits-8; j >= 0; j -= 8){
- c = x>>j;
- if(c == 0 && suppress)
- continue;
- if(p >= e)
- return -1;
- *p++ = c;
- suppress = 0;
- }
- }
-
- // guarantee at least one byte
- if(s == p){
- if(p >= e)
- return -1;
- *p++ = 0;
- }
-
- return p - s;
+ mptober(b, p, m);
+ return m;
}
--- /dev/null
+++ b/libmp/mptober.c
@@ -1,0 +1,34 @@
+#include "os.h"
+#include <mp.h>
+#include "dat.h"
+
+void
+mptober(mpint *b, uchar *p, int n)
+{
+ int i, j, m;
+ mpdigit x;
+
+ memset(p, 0, n);
+
+ p += n;
+ m = b->top*Dbytes;
+ if(m < n)
+ n = m;
+
+ i = 0;
+ while(n >= Dbytes){
+ n -= Dbytes;
+ x = b->p[i++];
+ for(j = 0; j < Dbytes; j++){
+ *--p = x;
+ x >>= 8;
+ }
+ }
+ if(n > 0){
+ x = b->p[i];
+ for(j = 0; j < n; j++){
+ *--p = x;
+ x >>= 8;
+ }
+ }
+}
--- a/libmp/mptoi.c
+++ b/libmp/mptoi.c
@@ -10,17 +10,15 @@
mpint*
itomp(int i, mpint *b)
{
- if(b == nil)
+ if(b == nil){
b = mpnew(0);
- mpassign(mpzero, b);
- if(i != 0)
- b->top = 1;
- if(i < 0){
- b->sign = -1;
- *b->p = -i;
- } else
- *b->p = i;
- return b;
+ setmalloctag(b, getcallerpc(&i));
+ }
+ b->sign = (i >> (sizeof(i)*8 - 1)) | 1;
+ i *= b->sign;
+ *b->p = i;
+ b->top = 1;
+ return mpnorm(b);
}
int
@@ -28,6 +26,8 @@
{
uint x;
+ if(b->top==0)
+ return 0;
x = *b->p;
if(b->sign > 0){
if(b->top > 1 || (x > MAXINT))
--- a/libmp/mptole.c
+++ b/libmp/mptole.c
@@ -3,52 +3,26 @@
#include "dat.h"
// convert an mpint into a little endian byte array (least significant byte first)
-
// return number of bytes converted
// if p == nil, allocate and result array
int
mptole(mpint *b, uchar *p, uint n, uchar **pp)
{
- int i, j;
- mpdigit x;
- uchar *e, *s;
+ int m;
+ m = (mpsignif(b)+7)/8;
+ if(m == 0)
+ m++;
if(p == nil){
- n = (b->top+1)*Dbytes;
+ n = m;
p = malloc(n);
- }
+ if(p == nil)
+ sysfatal("mptole: %r");
+ setmalloctag(p, getcallerpc(&b));
+ } else if(n < m)
+ return -1;
if(pp != nil)
*pp = p;
- if(p == nil)
- return -1;
- memset(p, 0, n);
-
- // special case 0
- if(b->top == 0){
- if(n < 1)
- return -1;
- else
- return 0;
- }
-
- s = p;
- e = s+n;
- for(i = 0; i < b->top-1; i++){
- x = b->p[i];
- for(j = 0; j < Dbytes; j++){
- if(p >= e)
- return -1;
- *p++ = x;
- x >>= 8;
- }
- }
- x = b->p[i];
- while(x > 0){
- if(p >= e)
- return -1;
- *p++ = x;
- x >>= 8;
- }
-
- return p - s;
+ mptolel(b, p, n);
+ return m;
}
--- /dev/null
+++ b/libmp/mptolel.c
@@ -1,0 +1,33 @@
+#include "os.h"
+#include <mp.h>
+#include "dat.h"
+
+void
+mptolel(mpint *b, uchar *p, int n)
+{
+ int i, j, m;
+ mpdigit x;
+
+ memset(p, 0, n);
+
+ m = b->top*Dbytes;
+ if(m < n)
+ n = m;
+
+ i = 0;
+ while(n >= Dbytes){
+ n -= Dbytes;
+ x = b->p[i++];
+ for(j = 0; j < Dbytes; j++){
+ *p++ = x;
+ x >>= 8;
+ }
+ }
+ if(n > 0){
+ x = b->p[i];
+ for(j = 0; j < n; j++){
+ *p++ = x;
+ x >>= 8;
+ }
+ }
+}
--- a/libmp/mptoui.c
+++ b/libmp/mptoui.c
@@ -10,13 +10,14 @@
mpint*
uitomp(uint i, mpint *b)
{
- if(b == nil)
+ if(b == nil){
b = mpnew(0);
- mpassign(mpzero, b);
- if(i != 0)
- b->top = 1;
+ setmalloctag(b, getcallerpc(&i));
+ }
*b->p = i;
- return b;
+ b->top = 1;
+ b->sign = 1;
+ return mpnorm(b);
}
uint
@@ -25,11 +26,9 @@
uint x;
x = *b->p;
- if(b->sign < 0){
+ if(b->sign < 0)
x = 0;
- } else {
- if(b->top > 1 || x > MAXUINT)
- x = MAXUINT;
- }
+ else if(b->top > 1 || (sizeof(mpdigit) > sizeof(uint) && x > MAXUINT))
+ x = MAXUINT;
return x;
}
--- a/libmp/mptouv.c
+++ b/libmp/mptouv.c
@@ -13,19 +13,18 @@
{
int s;
- if(b == nil)
+ if(b == nil){
b = mpnew(VLDIGITS*sizeof(mpdigit));
- else
+ setmalloctag(b, getcallerpc(&v));
+ }else
mpbits(b, VLDIGITS*sizeof(mpdigit));
- mpassign(mpzero, b);
- if(v == 0)
- return b;
- for(s = 0; s < VLDIGITS && v != 0; s++){
+ b->sign = 1;
+ for(s = 0; s < VLDIGITS; s++){
b->p[s] = v;
v >>= sizeof(mpdigit)*8;
}
b->top = s;
- return b;
+ return mpnorm(b);
}
uvlong
@@ -35,15 +34,14 @@
int s;
if(b->top == 0)
- return (vlong) 0;
+ return 0LL;
- mpnorm(b);
if(b->top > VLDIGITS)
return MAXVLONG;
- v = (uvlong) 0;
+ v = 0ULL;
for(s = 0; s < b->top; s++)
- v |= b->p[s]<<(s*sizeof(mpdigit)*8);
+ v |= (uvlong)b->p[s]<<(s*sizeof(mpdigit)*8);
return v;
}
--- a/libmp/mptov.c
+++ b/libmp/mptov.c
@@ -14,24 +14,19 @@
int s;
uvlong uv;
- if(b == nil)
+ if(b == nil){
b = mpnew(VLDIGITS*sizeof(mpdigit));
- else
+ setmalloctag(b, getcallerpc(&v));
+ }else
mpbits(b, VLDIGITS*sizeof(mpdigit));
- mpassign(mpzero, b);
- if(v == 0)
- return b;
- if(v < 0){
- b->sign = -1;
- uv = -v;
- } else
- uv = v;
- for(s = 0; s < VLDIGITS && uv != 0; s++){
+ b->sign = (v >> (sizeof(v)*8 - 1)) | 1;
+ uv = v * b->sign;
+ for(s = 0; s < VLDIGITS; s++){
b->p[s] = uv;
uv >>= sizeof(mpdigit)*8;
}
b->top = s;
- return b;
+ return mpnorm(b);
}
vlong
@@ -41,9 +36,8 @@
int s;
if(b->top == 0)
- return (vlong) 0;
+ return 0LL;
- mpnorm(b);
if(b->top > VLDIGITS){
if(b->sign > 0)
return (vlong)MAXVLONG;
@@ -51,7 +45,7 @@
return (vlong)MINVLONG;
}
- v = (uvlong) 0;
+ v = 0ULL;
for(s = 0; s < b->top; s++)
v |= b->p[s]<<(s*sizeof(mpdigit)*8);
--- a/libmp/mpveccmp.c
+++ b/libmp/mpveccmp.c
@@ -2,7 +2,6 @@
#include <mp.h>
#include "dat.h"
-// prereq: alen >= blen
int
mpveccmp(mpdigit *a, int alen, mpdigit *b, int blen)
{
--- /dev/null
+++ b/libmp/mpvectscmp.c
@@ -1,0 +1,34 @@
+#include "os.h"
+#include <mp.h>
+#include "dat.h"
+
+int
+mpvectscmp(mpdigit *a, int alen, mpdigit *b, int blen)
+{
+ mpdigit x, y, z, v;
+ int m, p;
+
+ if(alen > blen){
+ v = 0;
+ while(alen > blen)
+ v |= a[--alen];
+ m = p = (-v^v|v)>>Dbits-1;
+ } else if(blen > alen){
+ v = 0;
+ while(blen > alen)
+ v |= b[--blen];
+ m = (-v^v|v)>>Dbits-1;
+ p = m^1;
+ } else
+ m = p = 0;
+ while(alen-- > 0){
+ x = a[alen];
+ y = b[alen];
+ z = x - y;
+ x = ~x;
+ v = ((-z^z|z)>>Dbits-1) & ~m;
+ p = ((~(x&y|x&z|y&z)>>Dbits-1) & v) | (p & ~v);
+ m |= v;
+ }
+ return (p-m) | m;
+}
--- a/libmp/strtomp.c
+++ b/libmp/strtomp.c
@@ -1,6 +1,5 @@
#include "os.h"
#include <mp.h>
-#include <libsec.h>
#include "dat.h"
static struct {
@@ -32,37 +31,40 @@
memset(tab.t10, INVAL, sizeof(tab.t10));
for(p = set64; *p; p++)
- tab.t64[(uchar)*p] = p-set64;
+ tab.t64[*p] = p-set64;
for(p = set32; *p; p++)
- tab.t32[(uchar)*p] = p-set32;
+ tab.t32[*p] = p-set32;
for(p = set16; *p; p++)
- tab.t16[(uchar)*p] = (p-set16)%16;
+ tab.t16[*p] = (p-set16)%16;
for(p = set10; *p; p++)
- tab.t10[(uchar)*p] = (p-set10);
+ tab.t10[*p] = (p-set10);
tab.inited = 1;
}
static char*
-from16(char *a, mpint *b)
+frompow2(char *a, mpint *b, int s)
{
char *p, *next;
int i;
mpdigit x;
+ int sn;
- b->top = 0;
+ sn = 1<<s;
for(p = a; *p; p++)
- if(tab.t16[(uchar)*p] == INVAL)
+ if(tab.t16[*(uchar*)p] >= sn)
break;
- mpbits(b, (p-a)*4);
+
+ mpbits(b, (p-a)*s);
b->top = 0;
next = p;
+
while(p > a){
x = 0;
- for(i = 0; i < Dbits; i += 4){
+ for(i = 0; i < Dbits; i += s){
if(p <= a)
break;
- x |= tab.t16[(uchar)*--p]<<i;
+ x |= tab.t16[*(uchar*)--p]<<i;
}
b->p[b->top++] = x;
}
@@ -69,6 +71,40 @@
return next;
}
+static char*
+from8(char *a, mpint *b)
+{
+ char *p, *next;
+ mpdigit x, y;
+ int i;
+
+ for(p = a; *p; p++)
+ if(tab.t10[*(uchar*)p] >= 8)
+ break;
+
+ mpbits(b, (a-p)*3);
+ b->top = 0;
+ next = p;
+
+ i = 0;
+ x = y = 0;
+ while(p > a){
+ y = tab.t10[*(uchar*)--p];
+ x |= y << i;
+ i += 3;
+ if(i >= Dbits){
+Digout:
+ i -= Dbits;
+ b->p[b->top++] = x;
+ x = y >> 3-i;
+ }
+ }
+ if(i > 0)
+ goto Digout;
+
+ return next;
+}
+
static ulong mppow10[] = {
1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000, 1000000000
};
@@ -88,7 +124,7 @@
// do a billion at a time in native arithmetic
x = 0;
for(i = 0; i < 9; i++){
- y = tab.t10[(uchar)*a];
+ y = tab.t10[*(uchar*)a];
if(y == INVAL)
break;
a++;
@@ -112,45 +148,28 @@
}
static char*
-from64(char *a, mpint *b)
+fromdecx(char *a, mpint *b, uchar tab[256], int (*dec)(uchar*, int, char*, int))
{
char *buf = a;
uchar *p;
int n, m;
- for(; tab.t64[(uchar)*a] != INVAL; a++)
+ b->top = 0;
+ for(; tab[*(uchar*)a] != INVAL; a++)
;
n = a-buf;
- mpbits(b, n*6);
- p = malloc(n);
- if(p == nil)
- return a;
- m = dec64(p, n, buf, n);
- betomp(p, m, b);
- free(p);
+ if(n > 0){
+ p = malloc(n);
+ if(p == nil)
+ sysfatal("malloc: %r");
+ m = (*dec)(p, n, buf, n);
+ if(m > 0)
+ betomp(p, m, b);
+ free(p);
+ }
return a;
}
-static char*
-from32(char *a, mpint *b)
-{
- char *buf = a;
- uchar *p;
- int n, m;
-
- for(; tab.t64[(uchar)*a] != INVAL; a++)
- ;
- n = a-buf;
- mpbits(b, n*5);
- p = malloc(n);
- if(p == nil)
- return a;
- m = dec32(p, n, buf, n);
- betomp(p, m, b);
- free(p);
- return a;
-}
-
mpint*
strtomp(char *a, char **pp, int base, mpint *b)
{
@@ -157,8 +176,10 @@
int sign;
char *e;
- if(b == nil)
+ if(b == nil){
b = mpnew(0);
+ setmalloctag(b, getcallerpc(&a));
+ }
if(tab.inited == 0)
init();
@@ -176,20 +197,47 @@
break;
}
+ if(base == 0){
+ base = 10;
+ if(a[0] == '0'){
+ if(a[1] == 'x' || a[1] == 'X') {
+ a += 2;
+ base = 16;
+ } else if(a[1] == 'b' || a[1] == 'B') {
+ a += 2;
+ base = 2;
+ } else if(a[1] >= '0' && a[1] <= '7') {
+ a++;
+ base = 8;
+ }
+ }
+ }
+
switch(base){
+ case 2:
+ e = frompow2(a, b, 1);
+ break;
+ case 4:
+ e = frompow2(a, b, 2);
+ break;
+ case 8:
+ e = from8(a, b);
+ break;
case 10:
e = from10(a, b);
break;
- default:
case 16:
- e = from16(a, b);
+ e = frompow2(a, b, 4);
break;
case 32:
- e = from32(a, b);
+ e = fromdecx(a, b, tab.t32, dec32);
break;
case 64:
- e = from64(a, b);
+ e = fromdecx(a, b, tab.t64, dec64);
break;
+ default:
+ abort();
+ return nil;
}
// if no characters parsed, there wasn't a number to convert
@@ -196,10 +244,9 @@
if(e == a)
return nil;
- mpnorm(b);
- b->sign = sign;
if(pp != nil)
*pp = e;
- return b;
+ b->sign = sign;
+ return mpnorm(b);
}
--- a/libsec/Makefile
+++ b/libsec/Makefile
@@ -4,7 +4,12 @@
OFILES=\
aes.$O\
+ aes_xts.$O\
blowfish.$O\
+ ccpoly.$O\
+ chacha.$O\
+ curve25519.$O\
+ curve25519_dh.$O\
decodepem.$O\
des.$O\
des3CBC.$O\
@@ -12,6 +17,7 @@
desCBC.$O\
desECB.$O\
desmodes.$O\
+ dh.$O\
dsaalloc.$O\
dsagen.$O\
dsaprimes.$O\
@@ -18,6 +24,7 @@
dsaprivtopub.$O\
dsasign.$O\
dsaverify.$O\
+ ecc.$O\
egalloc.$O\
egdecrypt.$O\
egencrypt.$O\
@@ -30,14 +37,18 @@
genrandom.$O\
gensafeprime.$O\
genstrongprime.$O\
+ hkdf.$O\
hmac.$O\
md4.$O\
md5.$O\
md5pickle.$O\
nfastrand.$O\
+ pbkdf2.$O\
+ poly1305.$O\
prng.$O\
probably_prime.$O\
rc4.$O\
+ ripemd.$O\
rsaalloc.$O\
rsadecrypt.$O\
rsaencrypt.$O\
@@ -44,9 +55,19 @@
rsafill.$O\
rsagen.$O\
rsaprivtopub.$O\
+ salsa.$O\
+ secp256k1.$O\
+ secp256r1.$O\
sha1.$O\
sha1pickle.$O\
- smallprimes.$O
+ sha2_128.$O\
+ sha2_64.$O\
+ sha2block128.$O\
+ sha2block64.$O\
+ smallprimes.$O\
+ tsmemcmp.$O\
+ tlshand.$O\
+ x509.$O
default: $(LIB)
$(LIB): $(OFILES)
--- a/libsec/aes.c
+++ b/libsec/aes.c
@@ -30,11 +30,14 @@
*/
#include <u.h>
#include <libc.h>
+#include <mp.h>
#include <libsec.h>
typedef uchar u8;
-typedef u32int u32;
+typedef ulong u32;
+
#define FULL_UNROLL
+#define const
static const u32 Td0[256];
static const u32 Td1[256];
@@ -41,15 +44,30 @@
static const u32 Td2[256];
static const u32 Td3[256];
static const u8 Te4[256];
+static uchar basekey[3][16] = {
+ {
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+ },
+ {
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ },
+ {
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ },
+};
-static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits);
+static int aes_setupEnc(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[],
+ int keyBits);
+static int aes_setupDec(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[],
+ int keyBits);
+static int aes_setup(ulong erk[/*4*(Nr + 1)*/], ulong drk[/*4*(Nr + 1)*/],
+ const uchar cipherKey[], int keyBits);
-#ifdef NOT
-static int rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits);
-#endif
-static int rijndaelKeySetup(u32 erk[/*4*(Nr + 1)*/], u32 drk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits);
-static void rijndaelEncrypt(const u32int rk[], int Nr, const uchar pt[16], uchar ct[16]);
-static void rijndaelDecrypt(const u32int rk[], int Nr, const uchar ct[16], uchar pt[16]);
+void aes_encrypt(const ulong rk[], int Nr, const uchar pt[16], uchar ct[16]);
+void aes_decrypt(const ulong rk[], int Nr, const uchar ct[16], uchar pt[16]);
void
setupAESstate(AESstate *s, uchar key[], int keybytes, uchar *ivec)
@@ -59,18 +77,97 @@
keybytes = AESmaxkey;
memmove(s->key, key, keybytes);
s->keybytes = keybytes;
- s->rounds = rijndaelKeySetup(s->ekey, s->dkey, s->key, keybytes * 8);
+ s->rounds = aes_setup(s->ekey, s->dkey, s->key, keybytes * 8);
if(ivec != nil)
memmove(s->ivec, ivec, AESbsize);
if(keybytes==16 || keybytes==24 || keybytes==32)
s->setup = 0xcafebabe;
- // else rijndaelKeySetup was invalid
+ /* else aes_setup was invalid */
}
-// Define by analogy with desCBCencrypt; AES modes are not standardized yet.
-// Because of the way that non-multiple-of-16 buffers are handled,
-// the decryptor must be fed buffers of the same size as the encryptor.
+/*
+ * AES-XCBC-MAC-96 message authentication, per rfc3566.
+ */
+
void
+setupAESXCBCstate(AESstate *s) /* was setupmac96 */
+{
+ int i, j;
+ uint q[16 / sizeof(uint)];
+ uchar *p;
+
+ assert(s->keybytes == 16);
+ for(i = 0; i < 3; i++)
+ aes_encrypt(s->ekey, s->rounds, basekey[i],
+ s->mackey + AESbsize*i);
+
+ p = s->mackey;
+ memset(q, 0, AESbsize);
+
+ /*
+ * put the in the right endian. once figured, probably better
+ * to use some fcall macros.
+ * keys for encryption in local endianness for the algorithm...
+ * only key1 is used for encryption;
+ * BUG!!: I think this is what I got wrong.
+ */
+ for(i = 0; i < 16 / sizeof(uint); i ++){
+ for(j = 0; j < sizeof(uint); j++)
+ q[i] |= p[sizeof(uint)-j-1] << 8*j;
+ p += sizeof(uint);
+ }
+ memmove(s->mackey, q, 16);
+}
+
+/*
+ * Not dealing with > 128-bit keys, not dealing with strange corner cases like
+ * empty message. Should be fine for AES-XCBC-MAC-96.
+ */
+uchar*
+aesXCBCmac(uchar *p, int len, AESstate *s)
+{
+ uchar *p2, *ip, *eip, *mackey;
+ uchar q[AESbsize];
+
+ assert(s->keybytes == 16); /* more complicated for bigger */
+ memset(s->ivec, 0, AESbsize); /* E[0] is 0+ */
+
+ for(; len > AESbsize; len -= AESbsize){
+ memmove(q, p, AESbsize);
+ p2 = q;
+ ip = s->ivec;
+ for(eip = ip + AESbsize; ip < eip; )
+ *p2++ ^= *ip++;
+ aes_encrypt((ulong *)s->mackey, s->rounds, q, s->ivec);
+ p += AESbsize;
+ }
+ /* the last one */
+
+ memmove(q, p, len);
+ p2 = q+len;
+ if(len == AESbsize)
+ mackey = s->mackey + AESbsize; /* k2 */
+ else{
+ mackey = s->mackey+2*AESbsize; /* k3 */
+ *p2++ = 1 << 7; /* padding */
+ len = AESbsize - len - 1;
+ memset(p2, 0, len);
+ }
+
+ ip = s->ivec;
+ p2 = q;
+ for(eip = ip + AESbsize; ip < eip; )
+ *p2++ ^= *ip++ ^ *mackey++;
+ aes_encrypt((ulong *)s->mackey, s->rounds, q, s->ivec);
+ return s->ivec; /* only the 12 bytes leftmost */
+}
+
+/*
+ * Define by analogy with desCBCencrypt; AES modes are not standardized yet.
+ * Because of the way that non-multiple-of-16 buffers are handled,
+ * the decryptor must be fed buffers of the same size as the encryptor.
+ */
+void
aesCBCencrypt(uchar *p, int len, AESstate *s)
{
uchar *p2, *ip, *eip;
@@ -81,7 +178,7 @@
ip = s->ivec;
for(eip = ip+AESbsize; ip < eip; )
*p2++ ^= *ip++;
- rijndaelEncrypt(s->ekey, s->rounds, p, q);
+ aes_encrypt(s->ekey, s->rounds, p, q);
memmove(s->ivec, q, AESbsize);
memmove(p, q, AESbsize);
p += AESbsize;
@@ -89,7 +186,7 @@
if(len > 0){
ip = s->ivec;
- rijndaelEncrypt(s->ekey, s->rounds, ip, q);
+ aes_encrypt(s->ekey, s->rounds, ip, q);
memmove(s->ivec, q, AESbsize);
for(eip = ip+len; ip < eip; )
*p++ ^= *ip++;
@@ -104,7 +201,7 @@
for(; len >= AESbsize; len -= AESbsize){
memmove(tmp, p, AESbsize);
- rijndaelDecrypt(s->dkey, s->rounds, p, q);
+ aes_decrypt(s->dkey, s->rounds, p, q);
memmove(p, q, AESbsize);
tp = tmp;
ip = s->ivec;
@@ -116,7 +213,7 @@
if(len > 0){
ip = s->ivec;
- rijndaelEncrypt(s->ekey, s->rounds, ip, q);
+ aes_encrypt(s->ekey, s->rounds, ip, q);
memmove(s->ivec, q, AESbsize);
for(eip = ip+len; ip < eip; )
*p++ ^= *ip++;
@@ -129,23 +226,26 @@
*
* @return the number of rounds for the given cipher key size.
*/
-static int rijndaelKeySetup(u32 erk[/*4*(Nr + 1)*/], u32 drk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) {
+static int
+aes_setup(ulong erk[/* 4*(Nr + 1) */], ulong drk[/* 4*(Nr + 1) */],
+ const uchar cipherKey[], int keyBits)
+{
int Nr, i;
/* expand the cipher key: */
- Nr = rijndaelKeySetupEnc(erk, cipherKey, keyBits);
+ Nr = aes_setupEnc(erk, cipherKey, keyBits);
/*
- * invert the order of the round keys and
- * apply the inverse MixColumn transform to all round keys but the first and the last
+ * invert the order of the round keys and apply the inverse MixColumn
+ * transform to all round keys but the first and the last
*/
- drk[0 ] = erk[4*Nr ];
+ drk[0 ] = erk[4*Nr ];
drk[1 ] = erk[4*Nr + 1];
- drk[2 ] = erk[4*Nr + 2];
+ drk[2 ] = erk[4*Nr + 2];
drk[3 ] = erk[4*Nr + 3];
- drk[4*Nr ] = erk[0 ];
+ drk[4*Nr ] = erk[0 ];
drk[4*Nr + 1] = erk[1 ];
- drk[4*Nr + 2] = erk[2 ];
+ drk[4*Nr + 2] = erk[2 ];
drk[4*Nr + 3] = erk[3 ];
erk += 4 * Nr;
for (i = 1; i < Nr; i++) {
@@ -175,6 +275,7 @@
return Nr;
}
+
/*
Te0[x] = S [x].[02, 01, 01, 03];
Te1[x] = S [x].[03, 02, 01, 01];
@@ -854,26 +955,24 @@
static const u32 rcon[] = {
0x01000000, 0x02000000, 0x04000000, 0x08000000,
0x10000000, 0x20000000, 0x40000000, 0x80000000,
- 0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
+ 0x1B000000, 0x36000000,
+ /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
};
-#define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
+#define GETU32(pt) (((u32)(pt)[0]<<24) ^ ((u32)(pt)[1]<<16) ^ \
+ ((u32)(pt)[2]<< 8) ^ ((u32)(pt)[3]))
+#define PUTU32(ct, st) { (ct)[0] = (u8)((st)>>24); (ct)[1] = (u8)((st)>>16); \
+ (ct)[2] = (u8)((st)>> 8); (ct)[3] = (u8)(st); }
-#ifdef _MSC_VER
-#define GETU32(p) SWAP(*((u32 *)(p)))
-#define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
-#else
-#define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] << 8) ^ ((u32)(pt)[3]))
-#define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >> 8); (ct)[3] = (u8)(st); }
-#endif
-
-/**
+/*
* Expand the cipher key into the encryption key schedule.
*
* @return the number of rounds for the given cipher key size.
*/
-static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) {
- int i = 0;
+static int
+aes_setupEnc(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[], int keyBits)
+{
+ int i = 0;
u32 temp;
rk[0] = GETU32(cipherKey );
@@ -923,32 +1022,31 @@
rk[6] = GETU32(cipherKey + 24);
rk[7] = GETU32(cipherKey + 28);
if (keyBits == 256) {
- for (;;) {
- temp = rk[ 7];
- rk[ 8] = rk[ 0] ^
- (Te4[(temp >> 16) & 0xff] << 24) ^
- (Te4[(temp >> 8) & 0xff] << 16) ^
- (Te4[(temp ) & 0xff] << 8) ^
- (Te4[(temp >> 24) ] ) ^
- rcon[i];
- rk[ 9] = rk[ 1] ^ rk[ 8];
- rk[10] = rk[ 2] ^ rk[ 9];
- rk[11] = rk[ 3] ^ rk[10];
+ for (;;) {
+ temp = rk[ 7];
+ rk[ 8] = rk[ 0] ^
+ (Te4[(temp >> 16) & 0xff] << 24) ^
+ (Te4[(temp >> 8) & 0xff] << 16) ^
+ (Te4[(temp ) & 0xff] << 8) ^
+ (Te4[(temp >> 24) ] ) ^
+ rcon[i];
+ rk[ 9] = rk[ 1] ^ rk[ 8];
+ rk[10] = rk[ 2] ^ rk[ 9];
+ rk[11] = rk[ 3] ^ rk[10];
if (++i == 7) {
return 14;
}
- temp = rk[11];
- rk[12] = rk[ 4] ^
- (Te4[(temp >> 24) ] << 24) ^
- (Te4[(temp >> 16) & 0xff] << 16) ^
- (Te4[(temp >> 8) & 0xff] << 8) ^
- (Te4[(temp ) & 0xff] );
- rk[13] = rk[ 5] ^ rk[12];
- rk[14] = rk[ 6] ^ rk[13];
- rk[15] = rk[ 7] ^ rk[14];
-
+ temp = rk[11];
+ rk[12] = rk[ 4] ^
+ (Te4[(temp >> 24) ] << 24) ^
+ (Te4[(temp >> 16) & 0xff] << 16) ^
+ (Te4[(temp >> 8) & 0xff] << 8) ^
+ (Te4[(temp ) & 0xff] );
+ rk[13] = rk[ 5] ^ rk[12];
+ rk[14] = rk[ 6] ^ rk[13];
+ rk[15] = rk[ 7] ^ rk[14];
rk += 8;
- }
+ }
}
return 0;
}
@@ -958,13 +1056,14 @@
*
* @return the number of rounds for the given cipher key size.
*/
-#ifdef NOTUSED
-static int rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) {
+static int
+aes_setupDec(ulong rk[/* 4*(Nr + 1) */], const uchar cipherKey[], int keyBits)
+{
int Nr, i, j;
- u32 temp;
+ ulong temp;
/* expand the cipher key: */
- Nr = rijndaelKeySetupEnc(rk, cipherKey, keyBits);
+ Nr = aes_setupEnc(rk, cipherKey, keyBits);
/* invert the order of the round keys: */
for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) {
temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp;
@@ -972,7 +1071,10 @@
temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
}
- /* apply the inverse MixColumn transform to all round keys but the first and the last: */
+ /*
+ * apply the inverse MixColumn transform to all round keys
+ * but the first and the last:
+ */
for (i = 1; i < Nr; i++) {
rk += 4;
rk[0] =
@@ -998,15 +1100,18 @@
}
return Nr;
}
-#endif
-static void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16], u8 ct[16]) {
- u32 s0, s1, s2, s3, t0, t1, t2, t3;
+/* using round keys in rk, perform Nr rounds of encrypting pt into ct */
+void
+aes_encrypt(const ulong rk[/* 4*(Nr + 1) */], int Nr, const uchar pt[16],
+ uchar ct[16])
+{
+ ulong s0, s1, s2, s3, t0, t1, t2, t3;
#ifndef FULL_UNROLL
- int r;
+ int r;
#endif /* ?FULL_UNROLL */
- /*
+ /*
* map byte array block to cipher state
* and add initial round key:
*/
@@ -1015,7 +1120,7 @@
s2 = GETU32(pt + 8) ^ rk[2];
s3 = GETU32(pt + 12) ^ rk[3];
#ifdef FULL_UNROLL
- /* round 1: */
+ /* round 1: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
@@ -1025,7 +1130,7 @@
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9];
s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11];
- /* round 3: */
+ /* round 3: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14];
@@ -1035,7 +1140,7 @@
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17];
s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19];
- /* round 5: */
+ /* round 5: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22];
@@ -1045,7 +1150,7 @@
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25];
s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27];
- /* round 7: */
+ /* round 7: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30];
@@ -1055,99 +1160,98 @@
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33];
s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35];
- /* round 9: */
+ /* round 9: */
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37];
t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39];
- if (Nr > 10) {
- /* round 10: */
- s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40];
- s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41];
- s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42];
- s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43];
- /* round 11: */
- t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44];
- t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45];
- t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46];
- t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47];
- if (Nr > 12) {
- /* round 12: */
- s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48];
- s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49];
- s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50];
- s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51];
- /* round 13: */
- t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52];
- t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53];
- t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54];
- t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55];
- }
- }
- rk += Nr << 2;
-#else /* !FULL_UNROLL */
- /*
+ if (Nr > 10) {
+ /* round 10: */
+ s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40];
+ s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41];
+ s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42];
+ s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43];
+ /* round 11: */
+ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44];
+ t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45];
+ t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46];
+ t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47];
+ if (Nr > 12) {
+ /* round 12: */
+ s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48];
+ s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49];
+ s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50];
+ s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51];
+ /* round 13: */
+ t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52];
+ t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53];
+ t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54];
+ t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55];
+ }
+ }
+ rk += Nr << 2;
+#else /* !FULL_UNROLL */
+ /*
* Nr - 1 full rounds:
*/
- r = Nr >> 1;
- for (;;) {
- t0 =
- Te0[(s0 >> 24) ] ^
- Te1[(s1 >> 16) & 0xff] ^
- Te2[(s2 >> 8) & 0xff] ^
- Te3[(s3 ) & 0xff] ^
- rk[4];
- t1 =
- Te0[(s1 >> 24) ] ^
- Te1[(s2 >> 16) & 0xff] ^
- Te2[(s3 >> 8) & 0xff] ^
- Te3[(s0 ) & 0xff] ^
- rk[5];
- t2 =
- Te0[(s2 >> 24) ] ^
- Te1[(s3 >> 16) & 0xff] ^
- Te2[(s0 >> 8) & 0xff] ^
- Te3[(s1 ) & 0xff] ^
- rk[6];
- t3 =
- Te0[(s3 >> 24) ] ^
- Te1[(s0 >> 16) & 0xff] ^
- Te2[(s1 >> 8) & 0xff] ^
- Te3[(s2 ) & 0xff] ^
- rk[7];
+ r = Nr >> 1;
+ for (;;) {
+ t0 =
+ Te0[(s0 >> 24) ] ^
+ Te1[(s1 >> 16) & 0xff] ^
+ Te2[(s2 >> 8) & 0xff] ^
+ Te3[(s3 ) & 0xff] ^
+ rk[4];
+ t1 =
+ Te0[(s1 >> 24) ] ^
+ Te1[(s2 >> 16) & 0xff] ^
+ Te2[(s3 >> 8) & 0xff] ^
+ Te3[(s0 ) & 0xff] ^
+ rk[5];
+ t2 =
+ Te0[(s2 >> 24) ] ^
+ Te1[(s3 >> 16) & 0xff] ^
+ Te2[(s0 >> 8) & 0xff] ^
+ Te3[(s1 ) & 0xff] ^
+ rk[6];
+ t3 =
+ Te0[(s3 >> 24) ] ^
+ Te1[(s0 >> 16) & 0xff] ^
+ Te2[(s1 >> 8) & 0xff] ^
+ Te3[(s2 ) & 0xff] ^
+ rk[7];
- rk += 8;
- if (--r == 0) {
- break;
- }
+ rk += 8;
+ if (--r == 0)
+ break;
- s0 =
- Te0[(t0 >> 24) ] ^
- Te1[(t1 >> 16) & 0xff] ^
- Te2[(t2 >> 8) & 0xff] ^
- Te3[(t3 ) & 0xff] ^
- rk[0];
- s1 =
- Te0[(t1 >> 24) ] ^
- Te1[(t2 >> 16) & 0xff] ^
- Te2[(t3 >> 8) & 0xff] ^
- Te3[(t0 ) & 0xff] ^
- rk[1];
- s2 =
- Te0[(t2 >> 24) ] ^
- Te1[(t3 >> 16) & 0xff] ^
- Te2[(t0 >> 8) & 0xff] ^
- Te3[(t1 ) & 0xff] ^
- rk[2];
- s3 =
- Te0[(t3 >> 24) ] ^
- Te1[(t0 >> 16) & 0xff] ^
- Te2[(t1 >> 8) & 0xff] ^
- Te3[(t2 ) & 0xff] ^
- rk[3];
- }
-#endif /* ?FULL_UNROLL */
- /*
+ s0 =
+ Te0[(t0 >> 24) ] ^
+ Te1[(t1 >> 16) & 0xff] ^
+ Te2[(t2 >> 8) & 0xff] ^
+ Te3[(t3 ) & 0xff] ^
+ rk[0];
+ s1 =
+ Te0[(t1 >> 24) ] ^
+ Te1[(t2 >> 16) & 0xff] ^
+ Te2[(t3 >> 8) & 0xff] ^
+ Te3[(t0 ) & 0xff] ^
+ rk[1];
+ s2 =
+ Te0[(t2 >> 24) ] ^
+ Te1[(t3 >> 16) & 0xff] ^
+ Te2[(t0 >> 8) & 0xff] ^
+ Te3[(t1 ) & 0xff] ^
+ rk[2];
+ s3 =
+ Te0[(t3 >> 24) ] ^
+ Te1[(t0 >> 16) & 0xff] ^
+ Te2[(t1 >> 8) & 0xff] ^
+ Te3[(t2 ) & 0xff] ^
+ rk[3];
+ }
+#endif /* ?FULL_UNROLL */
+ /*
* apply last round and
* map cipher state to byte array block:
*/
@@ -1181,13 +1285,16 @@
PUTU32(ct + 12, s3);
}
-static void rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16], u8 pt[16]) {
- u32 s0, s1, s2, s3, t0, t1, t2, t3;
+void
+aes_decrypt(const ulong rk[/* 4*(Nr + 1) */], int Nr, const uchar ct[16],
+ uchar pt[16])
+{
+ ulong s0, s1, s2, s3, t0, t1, t2, t3;
#ifndef FULL_UNROLL
- int r;
-#endif /* ?FULL_UNROLL */
+ int r;
+#endif /* ?FULL_UNROLL */
- /*
+ /*
* map byte array block to cipher state
* and add initial round key:
*/
@@ -1265,8 +1372,8 @@
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55];
}
}
- rk += Nr << 2;
-#else /* !FULL_UNROLL */
+ rk += Nr << 2;
+#else /* !FULL_UNROLL */
/*
* Nr - 1 full rounds:
*/
@@ -1298,9 +1405,8 @@
rk[7];
rk += 8;
- if (--r == 0) {
+ if (--r == 0)
break;
- }
s0 =
Td0[(t0 >> 24) ] ^
@@ -1327,8 +1433,8 @@
Td3[(t0 ) & 0xff] ^
rk[3];
}
-#endif /* ?FULL_UNROLL */
- /*
+#endif /* ?FULL_UNROLL */
+ /*
* apply last round and
* map cipher state to byte array block:
*/
@@ -1364,11 +1470,14 @@
#ifdef INTERMEDIATE_VALUE_KAT
-static void rijndaelEncryptRound(const u32 rk[/*4*(Nr + 1)*/], int Nr, u8 block[16], int rounds) {
+static void
+aes_encryptRound(const u32 rk[/* 4*(Nr + 1) */], int Nr, u8 block[16],
+ int rounds)
+{
int r;
u32 s0, s1, s2, s3, t0, t1, t2, t3;
- /*
+ /*
* map byte array block to cipher state
* and add initial round key:
*/
@@ -1376,9 +1485,9 @@
s1 = GETU32(block + 4) ^ rk[1];
s2 = GETU32(block + 8) ^ rk[2];
s3 = GETU32(block + 12) ^ rk[3];
- rk += 4;
+ rk += 4;
- /*
+ /*
* Nr - 1 full rounds:
*/
for (r = (rounds < Nr ? rounds : Nr - 1); r > 0; r--) {
@@ -1406,45 +1515,42 @@
Te2[(s1 >> 8) & 0xff] ^
Te3[(s2 ) & 0xff] ^
rk[3];
-
s0 = t0;
s1 = t1;
s2 = t2;
s3 = t3;
rk += 4;
+ }
- }
-
- /*
+ /*
* apply last round and
* map cipher state to byte array block:
*/
if (rounds == Nr) {
- t0 =
- (Te4[(s0 >> 24) ] << 24) ^
- (Te4[(s1 >> 16) & 0xff] << 16) ^
- (Te4[(s2 >> 8) & 0xff] << 8) ^
- (Te4[(s3 ) & 0xff] ) ^
- rk[0];
- t1 =
- (Te4[(s1 >> 24) ] << 24) ^
- (Te4[(s2 >> 16) & 0xff] << 16) ^
- (Te4[(s3 >> 8) & 0xff] << 8) ^
- (Te4[(s0 ) & 0xff] ) ^
- rk[1];
- t2 =
- (Te4[(s2 >> 24) ] << 24) ^
- (Te4[(s3 >> 16) & 0xff] << 16) ^
- (Te4[(s0 >> 8) & 0xff] << 8) ^
- (Te4[(s1 ) & 0xff] ) ^
- rk[2];
- t3 =
- (Te4[(s3 >> 24) ] << 24) ^
- (Te4[(s0 >> 16) & 0xff] << 16) ^
- (Te4[(s1 >> 8) & 0xff] << 8) ^
- (Te4[(s2 ) & 0xff] ) ^
- rk[3];
-
+ t0 =
+ (Te4[(s0 >> 24) ] << 24) ^
+ (Te4[(s1 >> 16) & 0xff] << 16) ^
+ (Te4[(s2 >> 8) & 0xff] << 8) ^
+ (Te4[(s3 ) & 0xff] ) ^
+ rk[0];
+ t1 =
+ (Te4[(s1 >> 24) ] << 24) ^
+ (Te4[(s2 >> 16) & 0xff] << 16) ^
+ (Te4[(s3 >> 8) & 0xff] << 8) ^
+ (Te4[(s0 ) & 0xff] ) ^
+ rk[1];
+ t2 =
+ (Te4[(s2 >> 24) ] << 24) ^
+ (Te4[(s3 >> 16) & 0xff] << 16) ^
+ (Te4[(s0 >> 8) & 0xff] << 8) ^
+ (Te4[(s1 ) & 0xff] ) ^
+ rk[2];
+ t3 =
+ (Te4[(s3 >> 24) ] << 24) ^
+ (Te4[(s0 >> 16) & 0xff] << 16) ^
+ (Te4[(s1 >> 8) & 0xff] << 8) ^
+ (Te4[(s2 ) & 0xff] ) ^
+ rk[3];
s0 = t0;
s1 = t1;
s2 = t2;
@@ -1457,11 +1563,14 @@
PUTU32(block + 12, s3);
}
-static void rijndaelDecryptRound(const u32 rk[/*4*(Nr + 1)*/], int Nr, u8 block[16], int rounds) {
+static void
+aes_decryptRound(const u32 rk[/* 4*(Nr + 1) */], int Nr, u8 block[16],
+ int rounds)
+{
int r;
u32 s0, s1, s2, s3, t0, t1, t2, t3;
- /*
+ /*
* map byte array block to cipher state
* and add initial round key:
*/
@@ -1469,9 +1578,9 @@
s1 = GETU32(block + 4) ^ rk[1];
s2 = GETU32(block + 8) ^ rk[2];
s3 = GETU32(block + 12) ^ rk[3];
- rk += 4;
+ rk += 4;
- /*
+ /*
* Nr - 1 full rounds:
*/
for (r = (rounds < Nr ? rounds : Nr) - 1; r > 0; r--) {
@@ -1505,10 +1614,9 @@
s2 = t2;
s3 = t3;
rk += 4;
+ }
- }
-
- /*
+ /*
* complete the last round and
* map cipher state to byte array block:
*/
@@ -1534,10 +1642,10 @@
(Td4[(s0 ) & 0xff] );
if (rounds == Nr) {
- t0 ^= rk[0];
- t1 ^= rk[1];
- t2 ^= rk[2];
- t3 ^= rk[3];
+ t0 ^= rk[0];
+ t1 ^= rk[1];
+ t2 ^= rk[2];
+ t3 ^= rk[3];
}
PUTU32(block , t0);
@@ -1546,4 +1654,4 @@
PUTU32(block + 12, t3);
}
-#endif /* INTERMEDIATE_VALUE_KAT */
+#endif /* INTERMEDIATE_VALUE_KAT */
--- /dev/null
+++ b/libsec/aes_xts.c
@@ -1,0 +1,70 @@
+// Author Taru Karttunen <[email protected]>
+// This file can be used as both Public Domain or Creative Commons CC0.
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+#define AesBlockSize 16
+
+static void xor128(uchar* o,uchar* i1,uchar* i2) {
+ ((ulong*)o)[0] = ((ulong*)i1)[0] ^ ((ulong*)i2)[0];
+ ((ulong*)o)[1] = ((ulong*)i1)[1] ^ ((ulong*)i2)[1];
+ ((ulong*)o)[2] = ((ulong*)i1)[2] ^ ((ulong*)i2)[2];
+ ((ulong*)o)[3] = ((ulong*)i1)[3] ^ ((ulong*)i2)[3];
+}
+
+static void gf_mulx(uchar* x) {
+ ulong t = ((((ulong*)(x))[3] & 0x80000000u) ? 0x00000087u : 0);;
+ ((ulong*)(x))[3] = (((ulong*)(x))[3] << 1) | (((ulong*)(x))[2] & 0x80000000u ? 1 : 0);
+ ((ulong*)(x))[2] = (((ulong*)(x))[2] << 1) | (((ulong*)(x))[1] & 0x80000000u ? 1 : 0);
+ ((ulong*)(x))[1] = (((ulong*)(x))[1] << 1) | (((ulong*)(x))[0] & 0x80000000u ? 1 : 0);
+ ((ulong*)(x))[0] = (((ulong*)(x))[0] << 1) ^ t;
+
+}
+
+int aes_xts_encrypt(ulong tweak[], ulong ecb[], vlong sectorNumber, uchar *input, uchar *output, ulong len) {
+ uchar T[16], x[16];
+ int i;
+
+ if(len % 16 != 0)
+ return -1;
+
+ for(i=0; i<AesBlockSize; i++) {
+ T[i] = (uchar)(sectorNumber & 0xFF);
+ sectorNumber = sectorNumber >> 8;
+ }
+
+ aes_encrypt(tweak, 10, T, T);
+
+ for (i=0; i<len; i+=AesBlockSize) {
+ xor128(&x[0], &input[i], &T[0]);
+ aes_encrypt(ecb, 10, x, x);
+ xor128(&output[i], &x[0], &T[0]);
+ gf_mulx(&T[0]);
+ }
+ return 0;
+}
+
+int aes_xts_decrypt(ulong tweak[], ulong ecb[], vlong sectorNumber, uchar *input, uchar *output, ulong len) {
+ uchar T[16], x[16];
+ int i;
+
+ if(len % 16 != 0)
+ return -1;
+
+ for(i=0; i<AesBlockSize; i++) {
+ T[i] = (uchar)(sectorNumber & 0xFF);
+ sectorNumber = sectorNumber >> 8;
+ }
+
+ aes_encrypt(tweak, 10, T, T);
+
+ for (i=0; i<len; i+=AesBlockSize) {
+ xor128(&x[0], &input[i], &T[0]);
+ aes_decrypt(ecb, 10, x, x);
+ xor128(&output[i], &x[0], &T[0]);
+ gf_mulx(&T[0]);
+ }
+ return 0;
+}
+
--- a/libsec/blowfish.c
+++ b/libsec/blowfish.c
@@ -13,6 +13,37 @@
static void bfencrypt(u32int *, BFstate *);
static void bfdecrypt(u32int *, BFstate *);
+/*
+ * Endianess agnostic functions to convert a
+ * block (8-byte buffer) to a u32int array and
+ * viceversa.
+ */
+
+static void
+buf2ints(uchar *p, u32int *b)
+{
+ b[0] = p[0]<<24 | p[1]<<16 | p[2]<<8 | p[3];
+ b[1] = p[4]<<24 | p[5]<<16 | p[6]<<8 | p[7];
+}
+
+static void
+ints2buf(u32int *b, uchar *p)
+{
+ u32int u;
+
+ u = b[0];
+ p[0] = u>>24;
+ p[1] = u>>16;
+ p[2] = u>>8;
+ p[3] = u;
+
+ u = b[1];
+ p[4] = u>>24;
+ p[5] = u>>16;
+ p[6] = u>>8;
+ p[7] = u;
+}
+
void
setupBFstate(BFstate *s, uchar key[], int keybytes, uchar *ivec)
{
@@ -31,7 +62,7 @@
memmove(s->ivec, ivec, sizeof(s->ivec));
else
memset(s->ivec, 0, sizeof(s->ivec));
-
+
memmove(s->pbox, pbox, sizeof(pbox));
memmove(s->sbox, sbox, sizeof(sbox));
@@ -76,17 +107,13 @@
bfCBCencrypt(uchar *buf, int n, BFstate *s)
{
int i;
- uchar *p;
- u32int bo[2], bi[2], b;
+ u32int bo[2], bi[2];
assert((n & 7) == 0);
- bo[0] = s->ivec[0] | ((u32int) s->ivec[1]<<8) | ((u32int)s->ivec[2]<<16) | ((u32int)s->ivec[3]<<24);
- bo[1] = s->ivec[4] | ((u32int) s->ivec[5]<<8) | ((u32int)s->ivec[6]<<16) | ((u32int)s->ivec[7]<<24);
-
+ buf2ints(s->ivec, bo);
for(i=0; i < n; i += 8, buf += 8) {
- bi[0] = buf[0] | ((u32int) buf[1]<<8) | ((u32int)buf[2]<<16) | ((u32int)buf[3]<<24);
- bi[1] = buf[4] | ((u32int) buf[5]<<8) | ((u32int)buf[6]<<16) | ((u32int)buf[7]<<24);
+ buf2ints(buf, bi);
bi[0] ^= bo[0];
bi[1] ^= bo[1];
@@ -96,36 +123,9 @@
bo[0] = bi[0];
bo[1] = bi[1];
- p = buf;
- b = bo[0];
- *p++ = b;
- b >>= 8;
- *p++ = b;
- b >>= 8;
- *p++ = b;
- b >>= 8;
- *p++ = b;
-
- b = bo[1];
- *p++ = b;
- b >>= 8;
- *p++ = b;
- b >>= 8;
- *p++ = b;
- b >>= 8;
- *p = b;
+ ints2buf(bi, buf);
}
-
- s->ivec[7] = bo[1] >> 24;
- s->ivec[6] = bo[1] >> 16;
- s->ivec[5] = bo[1] >> 8;
- s->ivec[4] = bo[1];
-
- s->ivec[3] = bo[0] >> 24;
- s->ivec[2] = bo[0] >> 16;
- s->ivec[1] = bo[0] >> 8;
- s->ivec[0] = bo[0];
-
+ ints2buf(bo, s->ivec);
return;
}
@@ -133,17 +133,13 @@
bfCBCdecrypt(uchar *buf, int n, BFstate *s)
{
int i;
- uchar *p;
- u32int b, bo[2], bi[2], xr[2];
+ u32int bo[2], bi[2], xr[2];
assert((n & 7) == 0);
- bo[0] = s->ivec[0] | ((u32int) s->ivec[1]<<8) | ((u32int)s->ivec[2]<<16) | ((u32int)s->ivec[3]<<24);
- bo[1] = s->ivec[4] | ((u32int) s->ivec[5]<<8) | ((u32int)s->ivec[6]<<16) | ((u32int)s->ivec[7]<<24);
-
+ buf2ints(s->ivec, bo);
for(i=0; i < n; i += 8, buf += 8) {
- bi[0] = buf[0] | ((u32int) buf[1]<<8) | ((u32int)buf[2]<<16) | ((u32int)buf[3]<<24);
- bi[1] = buf[4] | ((u32int) buf[5]<<8) | ((u32int)buf[6]<<16) | ((u32int)buf[7]<<24);
+ buf2ints(buf, bi);
xr[0] = bi[0];
xr[1] = bi[1];
@@ -153,39 +149,12 @@
bo[0] ^= bi[0];
bo[1] ^= bi[1];
- p = buf;
- b = bo[0];
- *p++ = b;
- b >>= 8;
- *p++ = b;
- b >>= 8;
- *p++ = b;
- b >>= 8;
- *p++ = b;
+ ints2buf(bo, buf);
- b = bo[1];
- *p++ = b;
- b >>= 8;
- *p++ = b;
- b >>= 8;
- *p++ = b;
- b >>= 8;
- *p = b;
-
bo[0] = xr[0];
bo[1] = xr[1];
}
-
- s->ivec[7] = bo[1] >> 24;
- s->ivec[6] = bo[1] >> 16;
- s->ivec[5] = bo[1] >> 8;
- s->ivec[4] = bo[1];
-
- s->ivec[3] = bo[0] >> 24;
- s->ivec[2] = bo[0] >> 16;
- s->ivec[1] = bo[0] >> 8;
- s->ivec[0] = bo[0];
-
+ ints2buf(bo, s->ivec);
return;
}
@@ -196,20 +165,9 @@
u32int b[2];
for(i=0; i < n; i += 8, buf += 8) {
- b[0] = buf[0] | ((u32int) buf[1]<<8) | ((u32int)buf[2]<<16) | ((u32int)buf[3]<<24);
- b[1] = buf[4] | ((u32int) buf[5]<<8) | ((u32int)buf[6]<<16) | ((u32int)buf[7]<<24);
-
+ buf2ints(buf, b);
bfencrypt(b, s);
-
- buf[7] = b[1] >> 24;
- buf[6] = b[1] >> 16;
- buf[5] = b[1] >> 8;
- buf[4] = b[1];
-
- buf[3] = b[0] >> 24;
- buf[2] = b[0] >> 16;
- buf[1] = b[0] >> 8;
- buf[0] = b[0];
+ ints2buf(b, buf);
}
return;
@@ -222,20 +180,9 @@
u32int b[2];
for(i=0; i < n; i += 8, buf += 8) {
- b[0] = buf[0] | ((u32int) buf[1]<<8) | ((u32int)buf[2]<<16) | ((u32int)buf[3]<<24);
- b[1] = buf[4] | ((u32int) buf[5]<<8) | ((u32int)buf[6]<<16) | ((u32int)buf[7]<<24);
-
+ buf2ints(buf, b);
bfdecrypt(b, s);
-
- buf[7] = b[1] >> 24;
- buf[6] = b[1] >> 16;
- buf[5] = b[1] >> 8;
- buf[4] = b[1];
-
- buf[3] = b[0] >> 24;
- buf[2] = b[0] >> 16;
- buf[1] = b[0] >> 8;
- buf[0] = b[0];
+ ints2buf(b, buf);
}
return;
@@ -575,5 +522,4 @@
0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL,
0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L,
};
-
--- /dev/null
+++ b/libsec/ccpoly.c
@@ -1,0 +1,91 @@
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+static void
+ccpolyotk(Chachastate *cs, DigestState *ds)
+{
+ uchar otk[ChachaBsize];
+
+ memset(ds, 0, sizeof(*ds));
+ memset(otk, 0, 32);
+ chacha_setblock(cs, 0);
+ chacha_encrypt(otk, ChachaBsize, cs);
+ poly1305(nil, 0, otk, 32, nil, ds);
+}
+
+static void
+ccpolypad(uchar *buf, ulong nbuf, DigestState *ds)
+{
+ static uchar zeros[16] = {0};
+ ulong npad;
+
+ if(nbuf == 0)
+ return;
+ poly1305(buf, nbuf, nil, 0, nil, ds);
+ npad = nbuf % 16;
+ if(npad == 0)
+ return;
+ poly1305(zeros, 16 - npad, nil, 0, nil, ds);
+}
+
+static void
+ccpolylen(ulong n, uchar tag[16], DigestState *ds)
+{
+ uchar info[8];
+
+ info[0] = n;
+ info[1] = n>>8;
+ info[2] = n>>16;
+ info[3] = n>>24;
+ info[4] = 0;
+ info[5] = 0;
+ info[6] = 0;
+ info[7] = 0;
+ poly1305(info, 8, nil, 0, tag, ds);
+}
+
+void
+ccpoly_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs)
+{
+ DigestState ds;
+
+ ccpolyotk(cs, &ds);
+ if(cs->ivwords == 2){
+ poly1305(aad, naad, nil, 0, nil, &ds);
+ ccpolylen(naad, nil, &ds);
+ chacha_encrypt(dat, ndat, cs);
+ poly1305(dat, ndat, nil, 0, nil, &ds);
+ ccpolylen(ndat, tag, &ds);
+ } else {
+ ccpolypad(aad, naad, &ds);
+ chacha_encrypt(dat, ndat, cs);
+ ccpolypad(dat, ndat, &ds);
+ ccpolylen(naad, nil, &ds);
+ ccpolylen(ndat, tag, &ds);
+ }
+}
+
+int
+ccpoly_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs)
+{
+ DigestState ds;
+ uchar tmp[16];
+
+ ccpolyotk(cs, &ds);
+ if(cs->ivwords == 2){
+ poly1305(aad, naad, nil, 0, nil, &ds);
+ ccpolylen(naad, nil, &ds);
+ poly1305(dat, ndat, nil, 0, nil, &ds);
+ ccpolylen(ndat, tmp, &ds);
+ } else {
+ ccpolypad(aad, naad, &ds);
+ ccpolypad(dat, ndat, &ds);
+ ccpolylen(naad, nil, &ds);
+ ccpolylen(ndat, tmp, &ds);
+ }
+ if(tsmemcmp(tag, tmp, 16) != 0)
+ return -1;
+ chacha_encrypt(dat, ndat, cs);
+ return 0;
+}
--- /dev/null
+++ b/libsec/chacha.c
@@ -1,0 +1,187 @@
+/*
+Adapted from chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+
+modified for use in Plan 9 and Inferno (no algorithmic changes),
+and including the changes to block number and nonce defined in RFC7539
+*/
+
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+enum{
+ Blockwords= ChachaBsize/sizeof(u32int)
+};
+
+/* little-endian data order */
+#define GET4(p) ((((((p)[3]<<8) | (p)[2])<<8) | (p)[1])<<8 | (p)[0])
+#define PUT4(p, v) (((p)[0]=v), (v>>=8), ((p)[1]=v), (v>>=8), ((p)[2]=v), (v>>=8), ((p)[3]=v))
+
+#define ROTATE(v,c) ((u32int)((v) << (c)) | ((v) >> (32 - (c))))
+
+#define QUARTERROUND(ia,ib,ic,id) { \
+ u32int a, b, c, d, t;\
+ a = x[ia]; b = x[ib]; c = x[ic]; d = x[id]; \
+ a += b; t = d^a; d = ROTATE(t,16); \
+ c += d; t = b^c; b = ROTATE(t,12); \
+ a += b; t = d^a; d = ROTATE(t, 8); \
+ c += d; t = b^c; b = ROTATE(t, 7); \
+ x[ia] = a; x[ib] = b; x[ic] = c; x[id] = d; \
+}
+
+#define ENCRYPT(s, x, y, d) {\
+ u32int v; \
+ uchar *sp, *dp; \
+ sp = (s); \
+ v = GET4(sp); \
+ v ^= (x)+(y); \
+ dp = (d); \
+ PUT4(dp, v); \
+}
+
+static uchar sigma[16] = "expand 32-byte k";
+static uchar tau[16] = "expand 16-byte k";
+
+static void
+load(u32int *d, uchar *s, int nw)
+{
+ int i;
+
+ for(i = 0; i < nw; i++, s+=4)
+ d[i] = GET4(s);
+}
+
+void
+setupChachastate(Chachastate *s, uchar *key, ulong keylen, uchar *iv, ulong ivlen, int rounds)
+{
+ if(keylen != 256/8 && keylen != 128/8)
+ sysfatal("invalid chacha key length");
+ if(ivlen != 96/8 && ivlen != 64/8)
+ sysfatal("invalid chacha iv length");
+ if(rounds == 0)
+ rounds = 20;
+ s->rounds = rounds;
+ if(keylen == 256/8) { /* recommended */
+ load(&s->input[0], sigma, 4);
+ load(&s->input[4], key, 8);
+ }else{
+ load(&s->input[0], tau, 4);
+ load(&s->input[4], key, 4);
+ load(&s->input[8], key, 4);
+ }
+ s->ivwords = ivlen/sizeof(u32int);
+ s->input[12] = 0;
+ s->input[13] = 0;
+ if(iv == nil){
+ s->input[14] = 0;
+ s->input[15] = 0;
+ }else
+ chacha_setiv(s, iv);
+}
+
+void
+chacha_setiv(Chachastate *s, uchar *iv)
+{
+ load(&s->input[16 - s->ivwords], iv, s->ivwords);
+}
+
+void
+chacha_setblock(Chachastate *s, u64int blockno)
+{
+ s->input[12] = blockno;
+ if(s->ivwords == 2)
+ s->input[13] = blockno>>32;
+}
+
+static void
+encryptblock(Chachastate *s, uchar *src, uchar *dst)
+{
+ u32int x[Blockwords];
+ int i, rounds;
+
+ rounds = s->rounds;
+ x[0] = s->input[0];
+ x[1] = s->input[1];
+ x[2] = s->input[2];
+ x[3] = s->input[3];
+ x[4] = s->input[4];
+ x[5] = s->input[5];
+ x[6] = s->input[6];
+ x[7] = s->input[7];
+ x[8] = s->input[8];
+ x[9] = s->input[9];
+ x[10] = s->input[10];
+ x[11] = s->input[11];
+ x[12] = s->input[12];
+ x[13] = s->input[13];
+ x[14] = s->input[14];
+ x[15] = s->input[15];
+
+ for(i = rounds; i > 0; i -= 2) {
+ QUARTERROUND(0, 4, 8,12)
+ QUARTERROUND(1, 5, 9,13)
+ QUARTERROUND(2, 6,10,14)
+ QUARTERROUND(3, 7,11,15)
+
+ QUARTERROUND(0, 5,10,15)
+ QUARTERROUND(1, 6,11,12)
+ QUARTERROUND(2, 7, 8,13)
+ QUARTERROUND(3, 4, 9,14)
+ }
+
+#ifdef FULL_UNROLL
+ ENCRYPT(src+0*4, x[0], s->input[0], dst+0*4);
+ ENCRYPT(src+1*4, x[1], s->input[1], dst+1*4);
+ ENCRYPT(src+2*4, x[2], s->input[2], dst+2*4);
+ ENCRYPT(src+3*4, x[3], s->input[3], dst+3*4);
+ ENCRYPT(src+4*4, x[4], s->input[4], dst+4*4);
+ ENCRYPT(src+5*4, x[5], s->input[5], dst+5*4);
+ ENCRYPT(src+6*4, x[6], s->input[6], dst+6*4);
+ ENCRYPT(src+7*4, x[7], s->input[7], dst+7*4);
+ ENCRYPT(src+8*4, x[8], s->input[8], dst+8*4);
+ ENCRYPT(src+9*4, x[9], s->input[9], dst+9*4);
+ ENCRYPT(src+10*4, x[10], s->input[10], dst+10*4);
+ ENCRYPT(src+11*4, x[11], s->input[11], dst+11*4);
+ ENCRYPT(src+12*4, x[12], s->input[12], dst+12*4);
+ ENCRYPT(src+13*4, x[13], s->input[13], dst+13*4);
+ ENCRYPT(src+14*4, x[14], s->input[14], dst+14*4);
+ ENCRYPT(src+15*4, x[15], s->input[15], dst+15*4);
+#else
+ for(i=0; i<nelem(x); i+=4){
+ ENCRYPT(src, x[i], s->input[i], dst);
+ ENCRYPT(src+4, x[i+1], s->input[i+1], dst+4);
+ ENCRYPT(src+8, x[i+2], s->input[i+2], dst+8);
+ ENCRYPT(src+12, x[i+3], s->input[i+3], dst+12);
+ src += 16;
+ dst += 16;
+ }
+#endif
+
+ if(++s->input[12] == 0 && s->ivwords == 2)
+ s->input[13]++;
+}
+
+void
+chacha_encrypt2(uchar *src, uchar *dst, ulong bytes, Chachastate *s)
+{
+ uchar tmp[ChachaBsize];
+
+ for(; bytes >= ChachaBsize; bytes -= ChachaBsize){
+ encryptblock(s, src, dst);
+ src += ChachaBsize;
+ dst += ChachaBsize;
+ }
+ if(bytes > 0){
+ memmove(tmp, src, bytes);
+ encryptblock(s, tmp, tmp);
+ memmove(dst, tmp, bytes);
+ }
+}
+
+void
+chacha_encrypt(uchar *buf, ulong bytes, Chachastate *s)
+{
+ chacha_encrypt2(buf, buf, bytes, s);
+}
--- /dev/null
+++ b/libsec/curve25519.c
@@ -1,0 +1,571 @@
+/* Copyright 2008, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * curve25519: Curve25519 elliptic curve, public key function
+ *
+ * http://code.google.com/p/curve25519-donna/
+ *
+ * Adam Langley <[email protected]>
+ *
+ * Derived from public domain C code by Daniel J. Bernstein <[email protected]>
+ *
+ * More information about curve25519 can be found here
+ * http://cr.yp.to/ecdh.html
+ *
+ * djb's sample implementation of curve25519 is written in a special assembly
+ * language called qhasm and uses the floating point registers.
+ *
+ * This is, almost, a clean room reimplementation from the curve25519 paper. It
+ * uses many of the tricks described therein. Only the crecip function is taken
+ * from the sample implementation.
+ */
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+typedef vlong felem;
+
+/* Sum two numbers: output += in */
+static void fsum(felem *output, felem *in) {
+ unsigned i;
+ for (i = 0; i < 10; i += 2) {
+ output[0+i] = (output[0+i] + in[0+i]);
+ output[1+i] = (output[1+i] + in[1+i]);
+ }
+}
+
+/* Find the difference of two numbers: output = in - output
+ * (note the order of the arguments!)
+ */
+static void fdifference(felem *output, felem *in) {
+ unsigned i;
+ for (i = 0; i < 10; ++i) {
+ output[i] = (in[i] - output[i]);
+ }
+}
+
+/* Multiply a number my a scalar: output = in * scalar */
+static void fscalar_product(felem *output, felem *in, felem scalar) {
+ unsigned i;
+ for (i = 0; i < 10; ++i) {
+ output[i] = in[i] * scalar;
+ }
+}
+
+/* Multiply two numbers: output = in2 * in
+ *
+ * output must be distinct to both inputs. The inputs are reduced coefficient
+ * form, the output is not.
+ */
+static void fproduct(felem *output, felem *in2, felem *in) {
+ output[0] = in2[0] * in[0];
+ output[1] = in2[0] * in[1] +
+ in2[1] * in[0];
+ output[2] = 2 * in2[1] * in[1] +
+ in2[0] * in[2] +
+ in2[2] * in[0];
+ output[3] = in2[1] * in[2] +
+ in2[2] * in[1] +
+ in2[0] * in[3] +
+ in2[3] * in[0];
+ output[4] = in2[2] * in[2] +
+ 2 * (in2[1] * in[3] +
+ in2[3] * in[1]) +
+ in2[0] * in[4] +
+ in2[4] * in[0];
+ output[5] = in2[2] * in[3] +
+ in2[3] * in[2] +
+ in2[1] * in[4] +
+ in2[4] * in[1] +
+ in2[0] * in[5] +
+ in2[5] * in[0];
+ output[6] = 2 * (in2[3] * in[3] +
+ in2[1] * in[5] +
+ in2[5] * in[1]) +
+ in2[2] * in[4] +
+ in2[4] * in[2] +
+ in2[0] * in[6] +
+ in2[6] * in[0];
+ output[7] = in2[3] * in[4] +
+ in2[4] * in[3] +
+ in2[2] * in[5] +
+ in2[5] * in[2] +
+ in2[1] * in[6] +
+ in2[6] * in[1] +
+ in2[0] * in[7] +
+ in2[7] * in[0];
+ output[8] = in2[4] * in[4] +
+ 2 * (in2[3] * in[5] +
+ in2[5] * in[3] +
+ in2[1] * in[7] +
+ in2[7] * in[1]) +
+ in2[2] * in[6] +
+ in2[6] * in[2] +
+ in2[0] * in[8] +
+ in2[8] * in[0];
+ output[9] = in2[4] * in[5] +
+ in2[5] * in[4] +
+ in2[3] * in[6] +
+ in2[6] * in[3] +
+ in2[2] * in[7] +
+ in2[7] * in[2] +
+ in2[1] * in[8] +
+ in2[8] * in[1] +
+ in2[0] * in[9] +
+ in2[9] * in[0];
+ output[10] = 2 * (in2[5] * in[5] +
+ in2[3] * in[7] +
+ in2[7] * in[3] +
+ in2[1] * in[9] +
+ in2[9] * in[1]) +
+ in2[4] * in[6] +
+ in2[6] * in[4] +
+ in2[2] * in[8] +
+ in2[8] * in[2];
+ output[11] = in2[5] * in[6] +
+ in2[6] * in[5] +
+ in2[4] * in[7] +
+ in2[7] * in[4] +
+ in2[3] * in[8] +
+ in2[8] * in[3] +
+ in2[2] * in[9] +
+ in2[9] * in[2];
+ output[12] = in2[6] * in[6] +
+ 2 * (in2[5] * in[7] +
+ in2[7] * in[5] +
+ in2[3] * in[9] +
+ in2[9] * in[3]) +
+ in2[4] * in[8] +
+ in2[8] * in[4];
+ output[13] = in2[6] * in[7] +
+ in2[7] * in[6] +
+ in2[5] * in[8] +
+ in2[8] * in[5] +
+ in2[4] * in[9] +
+ in2[9] * in[4];
+ output[14] = 2 * (in2[7] * in[7] +
+ in2[5] * in[9] +
+ in2[9] * in[5]) +
+ in2[6] * in[8] +
+ in2[8] * in[6];
+ output[15] = in2[7] * in[8] +
+ in2[8] * in[7] +
+ in2[6] * in[9] +
+ in2[9] * in[6];
+ output[16] = in2[8] * in[8] +
+ 2 * (in2[7] * in[9] +
+ in2[9] * in[7]);
+ output[17] = in2[8] * in[9] +
+ in2[9] * in[8];
+ output[18] = 2 * in2[9] * in[9];
+}
+
+/* Reduce a long form to a short form by taking the input mod 2^255 - 19. */
+static void freduce_degree(felem *output) {
+ output[8] += 19 * output[18];
+ output[7] += 19 * output[17];
+ output[6] += 19 * output[16];
+ output[5] += 19 * output[15];
+ output[4] += 19 * output[14];
+ output[3] += 19 * output[13];
+ output[2] += 19 * output[12];
+ output[1] += 19 * output[11];
+ output[0] += 19 * output[10];
+}
+
+/* Reduce all coefficients of the short form input to be -2**25 <= x <= 2**25
+ */
+static void freduce_coefficients(felem *output) {
+ unsigned i;
+ do {
+ output[10] = 0;
+
+ for (i = 0; i < 10; i += 2) {
+ felem over = output[i] / 0x2000000l;
+ felem over2 = (over + ((over >> 63) * 2) + 1) / 2;
+ output[i+1] += over2;
+ output[i] -= over2 * 0x4000000l;
+
+ over = output[i+1] / 0x2000000;
+ output[i+2] += over;
+ output[i+1] -= over * 0x2000000;
+ }
+ output[0] += 19 * output[10];
+ } while (output[10]);
+}
+
+/* A helpful wrapper around fproduct: output = in * in2.
+ *
+ * output must be distinct to both inputs. The output is reduced degree and
+ * reduced coefficient.
+ */
+static void
+fmul(felem *output, felem *in, felem *in2) {
+ felem t[19];
+ fproduct(t, in, in2);
+ freduce_degree(t);
+ freduce_coefficients(t);
+ memcpy(output, t, sizeof(felem) * 10);
+}
+
+static void fsquare_inner(felem *output, felem *in) {
+ felem tmp;
+ output[0] = in[0] * in[0];
+ output[1] = 2 * in[0] * in[1];
+ output[2] = 2 * (in[1] * in[1] +
+ in[0] * in[2]);
+ output[3] = 2 * (in[1] * in[2] +
+ in[0] * in[3]);
+ output[4] = in[2] * in[2] +
+ 4 * in[1] * in[3] +
+ 2 * in[0] * in[4];
+ output[5] = 2 * (in[2] * in[3] +
+ in[1] * in[4] +
+ in[0] * in[5]);
+ output[6] = 2 * (in[3] * in[3] +
+ in[2] * in[4] +
+ in[0] * in[6] +
+ 2 * in[1] * in[5]);
+ output[7] = 2 * (in[3] * in[4] +
+ in[2] * in[5] +
+ in[1] * in[6] +
+ in[0] * in[7]);
+ tmp = in[1] * in[7] + in[3] * in[5];
+ output[8] = in[4] * in[4] +
+ 2 * (in[2] * in[6] +
+ in[0] * in[8] +
+ 2 * tmp);
+ output[9] = 2 * (in[4] * in[5] +
+ in[3] * in[6] +
+ in[2] * in[7] +
+ in[1] * in[8] +
+ in[0] * in[9]);
+ tmp = in[3] * in[7] + in[1] * in[9];
+ output[10] = 2 * (in[5] * in[5] +
+ in[4] * in[6] +
+ in[2] * in[8] +
+ 2 * tmp);
+ output[11] = 2 * (in[5] * in[6] +
+ in[4] * in[7] +
+ in[3] * in[8] +
+ in[2] * in[9]);
+ output[12] = in[6] * in[6] +
+ 2 * (in[4] * in[8] +
+ 2 * (in[5] * in[7] +
+ in[3] * in[9]));
+ output[13] = 2 * (in[6] * in[7] +
+ in[5] * in[8] +
+ in[4] * in[9]);
+ output[14] = 2 * (in[7] * in[7] +
+ in[6] * in[8] +
+ 2 * in[5] * in[9]);
+ output[15] = 2 * (in[7] * in[8] +
+ in[6] * in[9]);
+ output[16] = in[8] * in[8] +
+ 4 * in[7] * in[9];
+ output[17] = 2 * in[8] * in[9];
+ output[18] = 2 * in[9] * in[9];
+}
+
+static void
+fsquare(felem *output, felem *in) {
+ felem t[19];
+ fsquare_inner(t, in);
+ freduce_degree(t);
+ freduce_coefficients(t);
+ memcpy(output, t, sizeof(felem) * 10);
+}
+
+/* Take a little-endian, 32-byte number and expand it into polynomial form */
+static void
+fexpand(felem *output, uchar *input) {
+#define F(n,start,shift,mask) \
+ output[n] = ((((felem) input[start + 0]) | \
+ ((felem) input[start + 1]) << 8 | \
+ ((felem) input[start + 2]) << 16 | \
+ ((felem) input[start + 3]) << 24) >> shift) & mask;
+ F(0, 0, 0, 0x3ffffff);
+ F(1, 3, 2, 0x1ffffff);
+ F(2, 6, 3, 0x3ffffff);
+ F(3, 9, 5, 0x1ffffff);
+ F(4, 12, 6, 0x3ffffff);
+ F(5, 16, 0, 0x1ffffff);
+ F(6, 19, 1, 0x3ffffff);
+ F(7, 22, 3, 0x1ffffff);
+ F(8, 25, 4, 0x3ffffff);
+ F(9, 28, 6, 0x1ffffff);
+#undef F
+}
+
+/* Take a fully reduced polynomial form number and contract it into a
+ * little-endian, 32-byte array
+ */
+static void
+fcontract(uchar *output, felem *input) {
+ int i;
+
+ do {
+ for (i = 0; i < 9; ++i) {
+ if ((i & 1) == 1) {
+ while (input[i] < 0) {
+ input[i] += 0x2000000;
+ input[i + 1]--;
+ }
+ } else {
+ while (input[i] < 0) {
+ input[i] += 0x4000000;
+ input[i + 1]--;
+ }
+ }
+ }
+ while (input[9] < 0) {
+ input[9] += 0x2000000;
+ input[0] -= 19;
+ }
+ } while (input[0] < 0);
+
+ input[1] <<= 2;
+ input[2] <<= 3;
+ input[3] <<= 5;
+ input[4] <<= 6;
+ input[6] <<= 1;
+ input[7] <<= 3;
+ input[8] <<= 4;
+ input[9] <<= 6;
+#define F(i, s) \
+ output[s+0] |= input[i] & 0xff; \
+ output[s+1] = (input[i] >> 8) & 0xff; \
+ output[s+2] = (input[i] >> 16) & 0xff; \
+ output[s+3] = (input[i] >> 24) & 0xff;
+ output[0] = 0;
+ output[16] = 0;
+ F(0,0);
+ F(1,3);
+ F(2,6);
+ F(3,9);
+ F(4,12);
+ F(5,16);
+ F(6,19);
+ F(7,22);
+ F(8,25);
+ F(9,28);
+#undef F
+}
+
+/* Input: Q, Q', Q-Q'
+ * Output: 2Q, Q+Q'
+ *
+ * x2 z3: long form
+ * x3 z3: long form
+ * x z: short form, destroyed
+ * xprime zprime: short form, destroyed
+ * qmqp: short form, preserved
+ */
+static void fmonty(felem *x2, felem *z2, /* output 2Q */
+ felem *x3, felem *z3, /* output Q + Q' */
+ felem *x, felem *z, /* input Q */
+ felem *xprime, felem *zprime, /* input Q' */
+ felem *qmqp /* input Q - Q' */) {
+ felem origx[10], origxprime[10], zzz[19], xx[19], zz[19], xxprime[19],
+ zzprime[19], zzzprime[19], xxxprime[19];
+
+ memcpy(origx, x, 10 * sizeof(felem));
+ fsum(x, z);
+ fdifference(z, origx); // does x - z
+
+ memcpy(origxprime, xprime, sizeof(felem) * 10);
+ fsum(xprime, zprime);
+ fdifference(zprime, origxprime);
+ fproduct(xxprime, xprime, z);
+ fproduct(zzprime, x, zprime);
+ freduce_degree(xxprime);
+ freduce_coefficients(xxprime);
+ freduce_degree(zzprime);
+ freduce_coefficients(zzprime);
+ memcpy(origxprime, xxprime, sizeof(felem) * 10);
+ fsum(xxprime, zzprime);
+ fdifference(zzprime, origxprime);
+ fsquare(xxxprime, xxprime);
+ fsquare(zzzprime, zzprime);
+ fproduct(zzprime, zzzprime, qmqp);
+ freduce_degree(zzprime);
+ freduce_coefficients(zzprime);
+ memcpy(x3, xxxprime, sizeof(felem) * 10);
+ memcpy(z3, zzprime, sizeof(felem) * 10);
+
+ fsquare(xx, x);
+ fsquare(zz, z);
+ fproduct(x2, xx, zz);
+ freduce_degree(x2);
+ freduce_coefficients(x2);
+ fdifference(zz, xx); // does zz = xx - zz
+ memset(zzz + 10, 0, sizeof(felem) * 9);
+ fscalar_product(zzz, zz, 121665);
+ freduce_degree(zzz);
+ freduce_coefficients(zzz);
+ fsum(zzz, xx);
+ fproduct(z2, zz, zzz);
+ freduce_degree(z2);
+ freduce_coefficients(z2);
+}
+
+/* Calculates nQ where Q is the x-coordinate of a point on the curve
+ *
+ * resultx/resultz: the x coordinate of the resulting curve point (short form)
+ * n: a little endian, 32-byte number
+ * q: a point of the curve (short form)
+ */
+static void
+cmult(felem *resultx, felem *resultz, uchar *n, felem *q) {
+ felem a[19] = {0}, b[19] = {1}, c[19] = {1}, d[19] = {0};
+ felem *nqpqx = a, *nqpqz = b, *nqx = c, *nqz = d, *t;
+ felem e[19] = {0}, f[19] = {1}, g[19] = {0}, h[19] = {1};
+ felem *nqpqx2 = e, *nqpqz2 = f, *nqx2 = g, *nqz2 = h;
+
+ unsigned i, j;
+
+ memcpy(nqpqx, q, sizeof(felem) * 10);
+
+ for (i = 0; i < 32; ++i) {
+ uchar byte = n[31 - i];
+ for (j = 0; j < 8; ++j) {
+ if (byte & 0x80) {
+ fmonty(nqpqx2, nqpqz2,
+ nqx2, nqz2,
+ nqpqx, nqpqz,
+ nqx, nqz,
+ q);
+ } else {
+ fmonty(nqx2, nqz2,
+ nqpqx2, nqpqz2,
+ nqx, nqz,
+ nqpqx, nqpqz,
+ q);
+ }
+
+ t = nqx;
+ nqx = nqx2;
+ nqx2 = t;
+ t = nqz;
+ nqz = nqz2;
+ nqz2 = t;
+ t = nqpqx;
+ nqpqx = nqpqx2;
+ nqpqx2 = t;
+ t = nqpqz;
+ nqpqz = nqpqz2;
+ nqpqz2 = t;
+
+ byte <<= 1;
+ }
+ }
+
+ memcpy(resultx, nqx, sizeof(felem) * 10);
+ memcpy(resultz, nqz, sizeof(felem) * 10);
+}
+
+// -----------------------------------------------------------------------------
+// Shamelessly copied from djb's code
+// -----------------------------------------------------------------------------
+static void
+crecip(felem *out, felem *z) {
+ felem z2[10];
+ felem z9[10];
+ felem z11[10];
+ felem z2_5_0[10];
+ felem z2_10_0[10];
+ felem z2_20_0[10];
+ felem z2_50_0[10];
+ felem z2_100_0[10];
+ felem t0[10];
+ felem t1[10];
+ int i;
+
+ /* 2 */ fsquare(z2,z);
+ /* 4 */ fsquare(t1,z2);
+ /* 8 */ fsquare(t0,t1);
+ /* 9 */ fmul(z9,t0,z);
+ /* 11 */ fmul(z11,z9,z2);
+ /* 22 */ fsquare(t0,z11);
+ /* 2^5 - 2^0 = 31 */ fmul(z2_5_0,t0,z9);
+
+ /* 2^6 - 2^1 */ fsquare(t0,z2_5_0);
+ /* 2^7 - 2^2 */ fsquare(t1,t0);
+ /* 2^8 - 2^3 */ fsquare(t0,t1);
+ /* 2^9 - 2^4 */ fsquare(t1,t0);
+ /* 2^10 - 2^5 */ fsquare(t0,t1);
+ /* 2^10 - 2^0 */ fmul(z2_10_0,t0,z2_5_0);
+
+ /* 2^11 - 2^1 */ fsquare(t0,z2_10_0);
+ /* 2^12 - 2^2 */ fsquare(t1,t0);
+ /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fsquare(t0,t1); fsquare(t1,t0); }
+ /* 2^20 - 2^0 */ fmul(z2_20_0,t1,z2_10_0);
+
+ /* 2^21 - 2^1 */ fsquare(t0,z2_20_0);
+ /* 2^22 - 2^2 */ fsquare(t1,t0);
+ /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fsquare(t0,t1); fsquare(t1,t0); }
+ /* 2^40 - 2^0 */ fmul(t0,t1,z2_20_0);
+
+ /* 2^41 - 2^1 */ fsquare(t1,t0);
+ /* 2^42 - 2^2 */ fsquare(t0,t1);
+ /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fsquare(t1,t0); fsquare(t0,t1); }
+ /* 2^50 - 2^0 */ fmul(z2_50_0,t0,z2_10_0);
+
+ /* 2^51 - 2^1 */ fsquare(t0,z2_50_0);
+ /* 2^52 - 2^2 */ fsquare(t1,t0);
+ /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fsquare(t0,t1); fsquare(t1,t0); }
+ /* 2^100 - 2^0 */ fmul(z2_100_0,t1,z2_50_0);
+
+ /* 2^101 - 2^1 */ fsquare(t1,z2_100_0);
+ /* 2^102 - 2^2 */ fsquare(t0,t1);
+ /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fsquare(t1,t0); fsquare(t0,t1); }
+ /* 2^200 - 2^0 */ fmul(t1,t0,z2_100_0);
+
+ /* 2^201 - 2^1 */ fsquare(t0,t1);
+ /* 2^202 - 2^2 */ fsquare(t1,t0);
+ /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fsquare(t0,t1); fsquare(t1,t0); }
+ /* 2^250 - 2^0 */ fmul(t0,t1,z2_50_0);
+
+ /* 2^251 - 2^1 */ fsquare(t1,t0);
+ /* 2^252 - 2^2 */ fsquare(t0,t1);
+ /* 2^253 - 2^3 */ fsquare(t1,t0);
+ /* 2^254 - 2^4 */ fsquare(t0,t1);
+ /* 2^255 - 2^5 */ fsquare(t1,t0);
+ /* 2^255 - 21 */ fmul(out,t1,z11);
+}
+
+void
+curve25519(uchar mypublic[32], uchar secret[32], uchar basepoint[32]) {
+ felem bp[10], x[10], z[10], zmone[10];
+ fexpand(bp, basepoint);
+ cmult(x, z, secret, bp);
+ crecip(zmone, z);
+ fmul(z, x, zmone);
+ fcontract(mypublic, z);
+}
--- /dev/null
+++ b/libsec/curve25519_dh.c
@@ -1,0 +1,34 @@
+#include "os.h"
+#include <mp.h>
+#include <libsec.h>
+
+static uchar nine[32] = {9};
+
+void
+curve25519_dh_new(uchar x[32], uchar y[32])
+{
+ uchar b;
+
+ /* new public/private key pair */
+ genrandom(x, 32);
+ b = x[31];
+ x[0] &= ~7; /* clear bit 0,1,2 */
+ x[31] = 0x40 | (b & 0x7f); /* set bit 254, clear bit 255 */
+ curve25519(y, x, nine);
+
+ /* bit 255 is always 0, so make it random */
+ y[31] |= b & 0x80;
+}
+
+void
+curve25519_dh_finish(uchar x[32], uchar y[32], uchar z[32])
+{
+ /* remove the random bit */
+ y[31] &= 0x7f;
+
+ /* calculate dhx key */
+ curve25519(z, x, y);
+
+ memset(x, 0, 32);
+ memset(y, 0, 32);
+}
--- a/libsec/decodepem.c
+++ b/libsec/decodepem.c
@@ -6,12 +6,14 @@
#define STRLEN(s) (sizeof(s)-1)
uchar*
-decodepem(char *s, char *type, int *len)
+decodePEM(char *s, char *type, int *len, char **new_s)
{
uchar *d;
char *t, *e, *tt;
int n;
+ *len = 0;
+
/*
* find the correct section of the file, stripping garbage at the beginning and end.
* the data is delimited by -----BEGIN <type>-----\n and -----END <type>-----\n
@@ -42,6 +44,8 @@
return nil;
}
+ if(new_s)
+ *new_s = tt+1;
n = ((tt - t) * 6 + 7) / 8;
d = malloc(n);
if(d == nil){
@@ -56,4 +60,30 @@
}
*len = n;
return d;
+}
+
+PEMChain*
+decodepemchain(char *s, char *type)
+{
+ PEMChain *first = nil, *last = nil, *chp;
+ uchar *d;
+ char *e;
+ int n;
+
+ e = strchr(s, '\0');
+ while (s < e) {
+ d = decodePEM(s, type, &n, &s);
+ if(d == nil)
+ break;
+ chp = malloc(sizeof(PEMChain));
+ chp->next = nil;
+ chp->pem = d;
+ chp->pemlen = n;
+ if (first == nil)
+ first = chp;
+ else
+ last->next = chp;
+ last = chp;
+ }
+ return first;
}
--- /dev/null
+++ b/libsec/dh.c
@@ -1,0 +1,74 @@
+#include "os.h"
+#include <mp.h>
+#include <libsec.h>
+
+mpint*
+dh_new(DHstate *dh, mpint *p, mpint *q, mpint *g)
+{
+ mpint *pm1;
+ int n;
+
+ memset(dh, 0, sizeof(*dh));
+ if(mpcmp(g, mpone) <= 0)
+ return nil;
+
+ n = mpsignif(p);
+ pm1 = mpnew(n);
+ mpsub(p, mpone, pm1);
+ dh->p = mpcopy(p);
+ dh->g = mpcopy(g);
+ dh->q = mpcopy(q != nil ? q : pm1);
+ dh->x = mpnew(mpsignif(dh->q));
+ dh->y = mpnew(n);
+ for(;;){
+ mpnrand(dh->q, genrandom, dh->x);
+ mpexp(dh->g, dh->x, dh->p, dh->y);
+ if(mpcmp(dh->y, mpone) > 0 && mpcmp(dh->y, pm1) < 0)
+ break;
+ }
+ mpfree(pm1);
+
+ return dh->y;
+}
+
+mpint*
+dh_finish(DHstate *dh, mpint *y)
+{
+ mpint *k = nil;
+
+ if(y == nil || dh->x == nil || dh->p == nil || dh->q == nil)
+ goto Out;
+
+ /* y > 1 */
+ if(mpcmp(y, mpone) <= 0)
+ goto Out;
+
+ k = mpnew(mpsignif(dh->p));
+
+ /* y < p-1 */
+ mpsub(dh->p, mpone, k);
+ if(mpcmp(y, k) >= 0){
+Bad:
+ mpfree(k);
+ k = nil;
+ goto Out;
+ }
+
+ /* y**q % p == 1 if q < p-1 */
+ if(mpcmp(dh->q, k) < 0){
+ mpexp(y, dh->q, dh->p, k);
+ if(mpcmp(k, mpone) != 0)
+ goto Bad;
+ }
+
+ mpexp(y, dh->x, dh->p, k);
+
+Out:
+ mpfree(dh->p);
+ mpfree(dh->q);
+ mpfree(dh->g);
+ mpfree(dh->x);
+ mpfree(dh->y);
+ memset(dh, 0, sizeof(*dh));
+ return k;
+}
--- a/libsec/dsaalloc.c
+++ b/libsec/dsaalloc.c
@@ -22,6 +22,7 @@
mpfree(dsa->q);
mpfree(dsa->alpha);
mpfree(dsa->key);
+ free(dsa);
}
@@ -46,6 +47,7 @@
mpfree(dsa->pub.alpha);
mpfree(dsa->pub.key);
mpfree(dsa->secret);
+ free(dsa);
}
DSAsig*
@@ -66,4 +68,5 @@
return;
mpfree(dsa->r);
mpfree(dsa->s);
+ free(dsa);
}
--- a/libsec/dsagen.c
+++ b/libsec/dsagen.c
@@ -32,9 +32,6 @@
// find a generator alpha of the multiplicative
// group Z*p, i.e., of order n = p-1. We use the
// fact that q divides p-1 to reduce the exponent.
- //
- // This isn't very efficient. If anyone has a better
- // idea, mail [email protected]
exp = mpnew(0);
g = mpnew(0);
r = mpnew(0);
--- a/libsec/dsaprimes.c
+++ b/libsec/dsaprimes.c
@@ -12,7 +12,7 @@
static void
Hrand(uchar *s)
{
- ulong *u = (ulong*)s;
+ u32int *u = (u32int*)s;
*u++ = fastrand();
*u++ = fastrand();
*u++ = fastrand();
--- a/libsec/dsasign.c
+++ b/libsec/dsasign.c
@@ -21,16 +21,16 @@
// find a k that has an inverse mod q
while(1){
mprand(qlen, genrandom, k);
- if((mpcmp(mpone, k) > 0) || (mpcmp(k, qm1) >= 0))
+ if((mpcmp(mpone, k) > 0) || (mpcmp(k, pub->q) >= 0))
continue;
mpextendedgcd(k, q, r, kinv, s);
if(mpcmp(r, mpone) != 0)
- continue;
+ sysfatal("dsasign: pub->q not prime");
break;
}
// make kinv positive
- mpmod(kinv, qm1, kinv);
+ mpmod(kinv, pub->q, kinv);
// r = ((alpha**k) mod p) mod q
mpexp(alpha, k, p, r);
--- a/libsec/dsaverify.c
+++ b/libsec/dsaverify.c
@@ -8,9 +8,9 @@
int rv = -1;
mpint *u1, *u2, *v, *sinv;
- if(sig->r->sign < 0 || mpcmp(sig->r, pub->q) >= 0)
+ if(mpcmp(sig->r, mpone) < 0 || mpcmp(sig->r, pub->q) >= 0)
return rv;
- if(sig->s->sign < 0 || mpcmp(sig->s, pub->q) >= 0)
+ if(mpcmp(sig->s, mpone) < 0 || mpcmp(sig->s, pub->q) >= 0)
return rv;
u1 = mpnew(0);
u2 = mpnew(0);
--- /dev/null
+++ b/libsec/ecc.c
@@ -1,0 +1,620 @@
+#include "os.h"
+#include <mp.h>
+#include <libsec.h>
+#include <ctype.h>
+
+void
+ecassign(ECdomain *dom, ECpoint *a, ECpoint *b)
+{
+ USED(dom);
+ b->inf = a->inf;
+ mpassign(a->x, b->x);
+ mpassign(a->y, b->y);
+}
+
+void
+ecadd(ECdomain *dom, ECpoint *a, ECpoint *b, ECpoint *s)
+{
+ mpint *l, *k, *sx, *sy;
+
+ if(a->inf && b->inf){
+ s->inf = 1;
+ return;
+ }
+ if(a->inf){
+ ecassign(dom, b, s);
+ return;
+ }
+ if(b->inf){
+ ecassign(dom, a, s);
+ return;
+ }
+ if(mpcmp(a->x, b->x) == 0 && (mpcmp(a->y, mpzero) == 0 || mpcmp(a->y, b->y) != 0)){
+ s->inf = 1;
+ return;
+ }
+ l = mpnew(0);
+ k = mpnew(0);
+ sx = mpnew(0);
+ sy = mpnew(0);
+ if(mpcmp(a->x, b->x) == 0 && mpcmp(a->y, b->y) == 0){
+ mpadd(mpone, mptwo, k);
+ mpmul(a->x, a->x, l);
+ mpmul(l, k, l);
+ mpadd(l, dom->a, l);
+ mpleft(a->y, 1, k);
+ mpmod(k, dom->p, k);
+ mpinvert(k, dom->p, k);
+ mpmul(k, l, l);
+ mpmod(l, dom->p, l);
+
+ mpleft(a->x, 1, k);
+ mpmul(l, l, sx);
+ mpsub(sx, k, sx);
+ mpmod(sx, dom->p, sx);
+
+ mpsub(a->x, sx, sy);
+ mpmul(l, sy, sy);
+ mpsub(sy, a->y, sy);
+ mpmod(sy, dom->p, sy);
+ mpassign(sx, s->x);
+ mpassign(sy, s->y);
+ mpfree(sx);
+ mpfree(sy);
+ mpfree(l);
+ mpfree(k);
+ return;
+ }
+ mpsub(b->y, a->y, l);
+ mpmod(l, dom->p, l);
+ mpsub(b->x, a->x, k);
+ mpmod(k, dom->p, k);
+ mpinvert(k, dom->p, k);
+ mpmul(k, l, l);
+ mpmod(l, dom->p, l);
+
+ mpmul(l, l, sx);
+ mpsub(sx, a->x, sx);
+ mpsub(sx, b->x, sx);
+ mpmod(sx, dom->p, sx);
+
+ mpsub(a->x, sx, sy);
+ mpmul(sy, l, sy);
+ mpsub(sy, a->y, sy);
+ mpmod(sy, dom->p, sy);
+
+ mpassign(sx, s->x);
+ mpassign(sy, s->y);
+ mpfree(sx);
+ mpfree(sy);
+ mpfree(l);
+ mpfree(k);
+}
+
+void
+ecmul(ECdomain *dom, ECpoint *a, mpint *k, ECpoint *s)
+{
+ ECpoint ns, na;
+ mpint *l;
+
+ if(a->inf || mpcmp(k, mpzero) == 0){
+ s->inf = 1;
+ return;
+ }
+ ns.inf = 1;
+ ns.x = mpnew(0);
+ ns.y = mpnew(0);
+ na.x = mpnew(0);
+ na.y = mpnew(0);
+ ecassign(dom, a, &na);
+ l = mpcopy(k);
+ l->sign = 1;
+ while(mpcmp(l, mpzero) != 0){
+ if(l->p[0] & 1)
+ ecadd(dom, &na, &ns, &ns);
+ ecadd(dom, &na, &na, &na);
+ mpright(l, 1, l);
+ }
+ if(k->sign < 0){
+ ns.y->sign = -1;
+ mpmod(ns.y, dom->p, ns.y);
+ }
+ ecassign(dom, &ns, s);
+ mpfree(ns.x);
+ mpfree(ns.y);
+ mpfree(na.x);
+ mpfree(na.y);
+ mpfree(l);
+}
+
+int
+ecverify(ECdomain *dom, ECpoint *a)
+{
+ mpint *p, *q;
+ int r;
+
+ if(a->inf)
+ return 1;
+
+ p = mpnew(0);
+ q = mpnew(0);
+ mpmul(a->y, a->y, p);
+ mpmod(p, dom->p, p);
+ mpmul(a->x, a->x, q);
+ mpadd(q, dom->a, q);
+ mpmul(a->x, q, q);
+ mpadd(q, dom->b, q);
+ mpmod(q, dom->p, q);
+ r = mpcmp(p, q);
+ mpfree(p);
+ mpfree(q);
+ return r == 0;
+}
+
+int
+ecpubverify(ECdomain *dom, ECpub *a)
+{
+ ECpoint p;
+ int r;
+
+ if(a->inf)
+ return 0;
+ if(!ecverify(dom, a))
+ return 0;
+ p.x = mpnew(0);
+ p.y = mpnew(0);
+ ecmul(dom, a, dom->n, &p);
+ r = p.inf;
+ mpfree(p.x);
+ mpfree(p.y);
+ return r;
+}
+
+static void
+fixnibble(uchar *a)
+{
+ if(*a >= 'a')
+ *a -= 'a'-10;
+ else if(*a >= 'A')
+ *a -= 'A'-10;
+ else
+ *a -= '0';
+}
+
+static int
+octet(char **s)
+{
+ uchar c, d;
+
+ c = *(*s)++;
+ if(!isxdigit(c))
+ return -1;
+ d = *(*s)++;
+ if(!isxdigit(d))
+ return -1;
+ fixnibble(&c);
+ fixnibble(&d);
+ return (c << 4) | d;
+}
+
+static mpint*
+halfpt(ECdomain *dom, char *s, char **rptr, mpint *out)
+{
+ char *buf, *r;
+ int n;
+ mpint *ret;
+
+ n = ((mpsignif(dom->p)+7)/8)*2;
+ if(strlen(s) < n)
+ return 0;
+ buf = malloc(n+1);
+ buf[n] = 0;
+ memcpy(buf, s, n);
+ ret = strtomp(buf, &r, 16, out);
+ *rptr = s + (r - buf);
+ free(buf);
+ return ret;
+}
+
+static int
+mpleg(mpint *a, mpint *b)
+{
+ int r, k;
+ mpint *m, *n, *t;
+
+ r = 1;
+ m = mpcopy(a);
+ n = mpcopy(b);
+ for(;;){
+ if(mpcmp(m, n) > 0)
+ mpmod(m, n, m);
+ if(mpcmp(m, mpzero) == 0){
+ r = 0;
+ break;
+ }
+ if(mpcmp(m, mpone) == 0)
+ break;
+ k = mplowbits0(m);
+ if(k > 0){
+ if(k & 1)
+ switch(n->p[0] & 15){
+ case 3: case 5: case 11: case 13:
+ r = -r;
+ }
+ mpright(m, k, m);
+ }
+ if((n->p[0] & 3) == 3 && (m->p[0] & 3) == 3)
+ r = -r;
+ t = m;
+ m = n;
+ n = t;
+ }
+ mpfree(m);
+ mpfree(n);
+ return r;
+}
+
+static int
+mpsqrt(mpint *n, mpint *p, mpint *r)
+{
+ mpint *a, *t, *s, *xp, *xq, *yp, *yq, *zp, *zq, *N;
+
+ if(mpleg(n, p) == -1)
+ return 0;
+ a = mpnew(0);
+ t = mpnew(0);
+ s = mpnew(0);
+ N = mpnew(0);
+ xp = mpnew(0);
+ xq = mpnew(0);
+ yp = mpnew(0);
+ yq = mpnew(0);
+ zp = mpnew(0);
+ zq = mpnew(0);
+ for(;;){
+ for(;;){
+ mprand(mpsignif(p), genrandom, a);
+ if(mpcmp(a, mpzero) > 0 && mpcmp(a, p) < 0)
+ break;
+ }
+ mpmul(a, a, t);
+ mpsub(t, n, t);
+ mpmod(t, p, t);
+ if(mpleg(t, p) == -1)
+ break;
+ }
+ mpadd(p, mpone, N);
+ mpright(N, 1, N);
+ mpmul(a, a, t);
+ mpsub(t, n, t);
+ mpassign(a, xp);
+ uitomp(1, xq);
+ uitomp(1, yp);
+ uitomp(0, yq);
+ while(mpcmp(N, mpzero) != 0){
+ if(N->p[0] & 1){
+ mpmul(xp, yp, zp);
+ mpmul(xq, yq, zq);
+ mpmul(zq, t, zq);
+ mpadd(zp, zq, zp);
+ mpmod(zp, p, zp);
+ mpmul(xp, yq, zq);
+ mpmul(xq, yp, s);
+ mpadd(zq, s, zq);
+ mpmod(zq, p, yq);
+ mpassign(zp, yp);
+ }
+ mpmul(xp, xp, zp);
+ mpmul(xq, xq, zq);
+ mpmul(zq, t, zq);
+ mpadd(zp, zq, zp);
+ mpmod(zp, p, zp);
+ mpmul(xp, xq, zq);
+ mpadd(zq, zq, zq);
+ mpmod(zq, p, xq);
+ mpassign(zp, xp);
+ mpright(N, 1, N);
+ }
+ if(mpcmp(yq, mpzero) != 0)
+ abort();
+ mpassign(yp, r);
+ mpfree(a);
+ mpfree(t);
+ mpfree(s);
+ mpfree(N);
+ mpfree(xp);
+ mpfree(xq);
+ mpfree(yp);
+ mpfree(yq);
+ mpfree(zp);
+ mpfree(zq);
+ return 1;
+}
+
+ECpoint*
+strtoec(ECdomain *dom, char *s, char **rptr, ECpoint *ret)
+{
+ int allocd, o;
+ mpint *r;
+
+ allocd = 0;
+ if(ret == nil){
+ allocd = 1;
+ ret = mallocz(sizeof(*ret), 1);
+ if(ret == nil)
+ return nil;
+ ret->x = mpnew(0);
+ ret->y = mpnew(0);
+ }
+ o = 0;
+ switch(octet(&s)){
+ case 0:
+ ret->inf = 1;
+ return ret;
+ case 3:
+ o = 1;
+ case 2:
+ if(halfpt(dom, s, &s, ret->x) == nil)
+ goto err;
+ r = mpnew(0);
+ mpmul(ret->x, ret->x, r);
+ mpadd(r, dom->a, r);
+ mpmul(r, ret->x, r);
+ mpadd(r, dom->b, r);
+ if(!mpsqrt(r, dom->p, r)){
+ mpfree(r);
+ goto err;
+ }
+ if((r->p[0] & 1) != o)
+ mpsub(dom->p, r, r);
+ mpassign(r, ret->y);
+ mpfree(r);
+ if(!ecverify(dom, ret))
+ goto err;
+ return ret;
+ case 4:
+ if(halfpt(dom, s, &s, ret->x) == nil)
+ goto err;
+ if(halfpt(dom, s, &s, ret->y) == nil)
+ goto err;
+ if(!ecverify(dom, ret))
+ goto err;
+ return ret;
+ }
+err:
+ if(rptr)
+ *rptr = s;
+ if(allocd){
+ mpfree(ret->x);
+ mpfree(ret->y);
+ free(ret);
+ }
+ return nil;
+}
+
+ECpriv*
+ecgen(ECdomain *dom, ECpriv *p)
+{
+ if(p == nil){
+ p = mallocz(sizeof(*p), 1);
+ if(p == nil)
+ return nil;
+ p->x = mpnew(0);
+ p->y = mpnew(0);
+ p->d = mpnew(0);
+ }
+ for(;;){
+ mprand(mpsignif(dom->n), genrandom, p->d);
+ if(mpcmp(p->d, mpzero) > 0 && mpcmp(p->d, dom->n) < 0)
+ break;
+ }
+ ecmul(dom, &dom->G, p->d, (ECpoint*)p);
+ return p;
+}
+
+void
+ecdsasign(ECdomain *dom, ECpriv *priv, uchar *dig, int len, mpint *r, mpint *s)
+{
+ ECpriv tmp;
+ mpint *E, *t;
+
+ tmp.x = mpnew(0);
+ tmp.y = mpnew(0);
+ tmp.d = mpnew(0);
+ E = betomp(dig, len, nil);
+ t = mpnew(0);
+ if(mpsignif(dom->n) < 8*len)
+ mpright(E, 8*len - mpsignif(dom->n), E);
+ for(;;){
+ ecgen(dom, &tmp);
+ mpmod(tmp.x, dom->n, r);
+ if(mpcmp(r, mpzero) == 0)
+ continue;
+ mpmul(r, priv->d, s);
+ mpadd(E, s, s);
+ mpinvert(tmp.d, dom->n, t);
+ mpmul(s, t, s);
+ mpmod(s, dom->n, s);
+ if(mpcmp(s, mpzero) != 0)
+ break;
+ }
+ mpfree(t);
+ mpfree(E);
+ mpfree(tmp.x);
+ mpfree(tmp.y);
+ mpfree(tmp.d);
+}
+
+int
+ecdsaverify(ECdomain *dom, ECpub *pub, uchar *dig, int len, mpint *r, mpint *s)
+{
+ mpint *E, *t, *u1, *u2;
+ ECpoint R, S;
+ int ret;
+
+ if(mpcmp(r, mpone) < 0 || mpcmp(s, mpone) < 0 || mpcmp(r, dom->n) >= 0 || mpcmp(r, dom->n) >= 0)
+ return 0;
+ E = betomp(dig, len, nil);
+ if(mpsignif(dom->n) < 8*len)
+ mpright(E, 8*len - mpsignif(dom->n), E);
+ t = mpnew(0);
+ u1 = mpnew(0);
+ u2 = mpnew(0);
+ R.x = mpnew(0);
+ R.y = mpnew(0);
+ S.x = mpnew(0);
+ S.y = mpnew(0);
+ mpinvert(s, dom->n, t);
+ mpmul(E, t, u1);
+ mpmod(u1, dom->n, u1);
+ mpmul(r, t, u2);
+ mpmod(u2, dom->n, u2);
+ ecmul(dom, &dom->G, u1, &R);
+ ecmul(dom, pub, u2, &S);
+ ecadd(dom, &R, &S, &R);
+ ret = 0;
+ if(!R.inf){
+ mpmod(R.x, dom->n, t);
+ ret = mpcmp(r, t) == 0;
+ }
+ mpfree(E);
+ mpfree(t);
+ mpfree(u1);
+ mpfree(u2);
+ mpfree(R.x);
+ mpfree(R.y);
+ mpfree(S.x);
+ mpfree(S.y);
+ return ret;
+}
+
+static char *code = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+
+void
+base58enc(uchar *src, char *dst, int len)
+{
+ mpint *n, *r, *b;
+ char *sdst, t;
+
+ sdst = dst;
+ n = betomp(src, len, nil);
+ b = uitomp(58, nil);
+ r = mpnew(0);
+ while(mpcmp(n, mpzero) != 0){
+ mpdiv(n, b, n, r);
+ *dst++ = code[mptoui(r)];
+ }
+ for(; *src == 0; src++)
+ *dst++ = code[0];
+ dst--;
+ while(dst > sdst){
+ t = *sdst;
+ *sdst++ = *dst;
+ *dst-- = t;
+ }
+}
+
+int
+base58dec(char *src, uchar *dst, int len)
+{
+ mpint *n, *b, *r;
+ char *t;
+
+ n = mpnew(0);
+ r = mpnew(0);
+ b = uitomp(58, nil);
+ for(; *src; src++){
+ t = strchr(code, *src);
+ if(t == nil){
+ mpfree(n);
+ mpfree(r);
+ mpfree(b);
+ werrstr("invalid base58 char");
+ return -1;
+ }
+ uitomp(t - code, r);
+ mpmul(n, b, n);
+ mpadd(n, r, n);
+ }
+ mptober(n, dst, len);
+ mpfree(n);
+ mpfree(r);
+ mpfree(b);
+ return 0;
+}
+
+void
+ecdominit(ECdomain *dom, void (*init)(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h))
+{
+ memset(dom, 0, sizeof(*dom));
+ dom->p = mpnew(0);
+ dom->a = mpnew(0);
+ dom->b = mpnew(0);
+ dom->G.x = mpnew(0);
+ dom->G.y = mpnew(0);
+ dom->n = mpnew(0);
+ dom->h = mpnew(0);
+ if(init){
+ (*init)(dom->p, dom->a, dom->b, dom->G.x, dom->G.y, dom->n, dom->h);
+ dom->p = mpfield(dom->p);
+ }
+}
+
+void
+ecdomfree(ECdomain *dom)
+{
+ mpfree(dom->p);
+ mpfree(dom->a);
+ mpfree(dom->b);
+ mpfree(dom->G.x);
+ mpfree(dom->G.y);
+ mpfree(dom->n);
+ mpfree(dom->h);
+ memset(dom, 0, sizeof(*dom));
+}
+
+int
+ecencodepub(ECdomain *dom, ECpub *pub, uchar *data, int len)
+{
+ int n;
+
+ n = (mpsignif(dom->p)+7)/8;
+ if(len < 1 + 2*n)
+ return 0;
+ len = 1 + 2*n;
+ data[0] = 0x04;
+ mptober(pub->x, data+1, n);
+ mptober(pub->y, data+1+n, n);
+ return len;
+}
+
+ECpub*
+ecdecodepub(ECdomain *dom, uchar *data, int len)
+{
+ ECpub *pub;
+ int n;
+
+ n = (mpsignif(dom->p)+7)/8;
+ if(len != 1 + 2*n || data[0] != 0x04)
+ return nil;
+ pub = mallocz(sizeof(*pub), 1);
+ if(pub == nil)
+ return nil;
+ pub->x = betomp(data+1, n, nil);
+ pub->y = betomp(data+1+n, n, nil);
+ if(!ecpubverify(dom, pub)){
+ ecpubfree(pub);
+ pub = nil;
+ }
+ return pub;
+}
+
+void
+ecpubfree(ECpub *p)
+{
+ if(p == nil)
+ return;
+ mpfree(p->x);
+ mpfree(p->y);
+ free(p);
+}
--- a/libsec/egalloc.c
+++ b/libsec/egalloc.c
@@ -21,6 +21,7 @@
mpfree(eg->p);
mpfree(eg->alpha);
mpfree(eg->key);
+ free(eg);
}
@@ -44,6 +45,7 @@
mpfree(eg->pub.alpha);
mpfree(eg->pub.key);
mpfree(eg->secret);
+ free(eg);
}
EGsig*
@@ -64,4 +66,5 @@
return;
mpfree(eg->r);
mpfree(eg->s);
+ free(eg);
}
--- a/libsec/genprime.c
+++ b/libsec/genprime.c
@@ -17,6 +17,7 @@
p->p[p->top-1] &= (x-1);
p->p[p->top-1] |= x;
p->p[0] |= 1;
+ mpnorm(p);
// keep icrementing till it looks prime
for(;;){
--- /dev/null
+++ b/libsec/hkdf.c
@@ -1,0 +1,39 @@
+#include "os.h"
+#include <mp.h>
+#include <libsec.h>
+
+/* rfc5869 */
+void
+hkdf_x(salt, nsalt, info, ninfo, key, nkey, d, dlen, x, xlen)
+ uchar *salt, *info, *key, *d;
+ ulong nsalt, ninfo, nkey, dlen;
+ DigestState* (*x)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+ int xlen;
+{
+ uchar prk[256], tmp[256], cnt;
+ DigestState *ds;
+
+ assert(xlen <= sizeof(tmp));
+
+ memset(tmp, 0, xlen);
+ if(nsalt == 0){
+ salt = tmp;
+ nsalt = xlen;
+ }
+ /* note that salt and key are swapped in this case */
+ (*x)(key, nkey, salt, nsalt, prk, nil);
+ ds = nil;
+ for(cnt=1;; cnt++) {
+ if(ninfo > 0)
+ ds = (*x)(info, ninfo, prk, xlen, nil, ds);
+ (*x)(&cnt, 1, prk, xlen, tmp, ds);
+ if(dlen <= xlen){
+ memmove(d, tmp, dlen);
+ break;
+ }
+ memmove(d, tmp, xlen);
+ dlen -= xlen;
+ d += xlen;
+ ds = (*x)(tmp, xlen, prk, xlen, nil, nil);
+ }
+}
--- a/libsec/hmac.c
+++ b/libsec/hmac.c
@@ -2,27 +2,30 @@
#include <libsec.h>
/* rfc2104 */
-static DigestState*
+DigestState*
hmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s,
DigestState*(*x)(uchar*, ulong, uchar*, DigestState*), int xlen)
{
int i;
- uchar pad[65], innerdigest[256];
+ uchar pad[Hmacblksz+1], innerdigest[256];
if(xlen > sizeof(innerdigest))
return nil;
+ if(klen > Hmacblksz){
+ if(xlen > Hmacblksz)
+ return nil;
+ (*x)(key, klen, innerdigest, nil);
+ key = innerdigest;
+ klen = xlen;
+ }
- if(klen>64)
- return nil;
-
/* first time through */
- if(s == nil){
- for(i=0; i<64; i++)
- pad[i] = 0x36;
- pad[64] = 0;
- for(i=0; i<klen; i++)
+ if(s == nil || s->seeded == 0){
+ memset(pad, 0x36, Hmacblksz);
+ pad[Hmacblksz] = 0;
+ for(i = 0; i < klen; i++)
pad[i] ^= key[i];
- s = (*x)(pad, 64, nil, nil);
+ s = (*x)(pad, Hmacblksz, nil, s);
if(s == nil)
return nil;
}
@@ -32,25 +35,12 @@
return s;
/* last time through */
- for(i=0; i<64; i++)
- pad[i] = 0x5c;
- pad[64] = 0;
- for(i=0; i<klen; i++)
+ memset(pad, 0x5c, Hmacblksz);
+ pad[Hmacblksz] = 0;
+ for(i = 0; i < klen; i++)
pad[i] ^= key[i];
(*x)(nil, 0, innerdigest, s);
- s = (*x)(pad, 64, nil, nil);
+ s = (*x)(pad, Hmacblksz, nil, nil);
(*x)(innerdigest, xlen, digest, s);
return nil;
-}
-
-DigestState*
-hmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
-{
- return hmac_x(p, len, key, klen, digest, s, sha1, SHA1dlen);
-}
-
-DigestState*
-hmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
-{
- return hmac_x(p, len, key, klen, digest, s, md5, MD5dlen);
}
--- a/libsec/hmactest.c
+++ /dev/null
@@ -1,19 +1,0 @@
-#include "os.h"
-#include <mp.h>
-#include <libsec.h>
-
-uchar key[] = "Jefe";
-uchar data[] = "what do ya want for nothing?";
-
-void
-main(void)
-{
- int i;
- uchar hash[MD5dlen];
-
- hmac_md5(data, strlen((char*)data), key, 4, hash, nil);
- for(i=0; i<MD5dlen; i++)
- print("%2.2x", hash[i]);
- print("\n");
- print("750c783e6ab0b503eaa86e310a5db738\n");
-}
--- a/libsec/md4test.c
+++ /dev/null
@@ -1,31 +1,0 @@
-#include "os.h"
-#include <mp.h>
-#include <libsec.h>
-
-char *tests[] = {
- "",
- "a",
- "abc",
- "message digest",
- "abcdefghijklmnopqrstuvwxyz",
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
- "12345678901234567890123456789012345678901234567890123456789012345678901234567890",
- 0
-};
-
-void
-main(void)
-{
- char **pp;
- uchar *p;
- int i;
- uchar digest[MD5dlen];
-
- for(pp = tests; *pp; pp++){
- p = (uchar*)*pp;
- md4(p, strlen(*pp), digest, 0);
- for(i = 0; i < MD5dlen; i++)
- print("%2.2ux", digest[i]);
- print("\n");
- }
-}
--- a/libsec/md5.c
+++ b/libsec/md5.c
@@ -145,3 +145,10 @@
*output++ = x >> 24;
}
}
+
+DigestState*
+hmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest,
+ DigestState *s)
+{
+ return hmac_x(p, len, key, klen, digest, s, md5, MD5dlen);
+}
--- a/libsec/md5pickle.c
+++ b/libsec/md5pickle.c
@@ -7,11 +7,12 @@
char *p;
int m, n;
- m = 4*9+4*((s->blen+3)/3);
+ m = 17+4*9+4*((s->blen+3)/3 + 1);
p = malloc(m);
if(p == nil)
return p;
- n = sprint(p, "%8.8ux %8.8ux %8.8ux %8.8ux ",
+ n = sprint(p, "%16.16llux %8.8ux %8.8ux %8.8ux %8.8ux ",
+ s->len,
s->state[0], s->state[1], s->state[2],
s->state[3]);
enc64(p+n, m-n, s->buf, s->blen);
@@ -26,6 +27,7 @@
s = malloc(sizeof(*s));
if(s == nil)
return nil;
+ s->len = strtoull(p, &p, 16);
s->state[0] = strtoul(p, &p, 16);
s->state[1] = strtoul(p, &p, 16);
s->state[2] = strtoul(p, &p, 16);
--- a/libsec/nfastrand.c
+++ b/libsec/nfastrand.c
@@ -14,7 +14,7 @@
* so we want a random number < m.
*/
if(n > Maxrand)
- abort();
+ sysfatal("nfastrand: n too large");
m = Maxrand - Maxrand % n;
while((r = fastrand()) >= m)
--- /dev/null
+++ b/libsec/pbkdf2.c
@@ -1,0 +1,35 @@
+#include "os.h"
+#include <mp.h>
+#include <libsec.h>
+
+/* rfc2898 */
+void
+pbkdf2_x(p, plen, s, slen, rounds, d, dlen, x, xlen)
+ uchar *p, *s, *d;
+ ulong plen, slen, dlen, rounds;
+ DigestState* (*x)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*);
+ int xlen;
+{
+ uchar block[256], tmp[256];
+ ulong i, j, k, n;
+ DigestState *ds;
+
+ assert(xlen <= sizeof(tmp));
+
+ for(i = 1; dlen > 0; i++, d += n, dlen -= n){
+ tmp[3] = i;
+ tmp[2] = i >> 8;
+ tmp[1] = i >> 16;
+ tmp[0] = i >> 24;
+ ds = (*x)(s, slen, p, plen, nil, nil);
+ (*x)(tmp, 4, p, plen, block, ds);
+ memmove(tmp, block, xlen);
+ for(j = 1; j < rounds; j++){
+ (*x)(tmp, xlen, p, plen, tmp, nil);
+ for(k=0; k<xlen; k++)
+ block[k] ^= tmp[k];
+ }
+ n = dlen > xlen ? xlen : dlen;
+ memmove(d, block, n);
+ }
+}
--- /dev/null
+++ b/libsec/poly1305.c
@@ -1,0 +1,196 @@
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+/*
+ poly1305 implementation using 32 bit * 32 bit = 64 bit multiplication and 64 bit addition
+
+ derived from http://github.com/floodberry/poly1305-donna
+*/
+
+#define U8TO32(p) ((u32int)(p)[0] | (u32int)(p)[1]<<8 | (u32int)(p)[2]<<16 | (u32int)(p)[3]<<24)
+#define U32TO8(p, v) (p)[0]=(v), (p)[1]=(v)>>8, (p)[2]=(v)>>16, (p)[3]=(v)>>24
+
+/* (r,s) = (key[0:15],key[16:31]), the one time key */
+DigestState*
+poly1305(uchar *m, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s)
+{
+ u32int r0,r1,r2,r3,r4, s1,s2,s3,s4, h0,h1,h2,h3,h4, g0,g1,g2,g3,g4;
+ u64int d0,d1,d2,d3,d4, f;
+ u32int hibit, mask, c;
+
+ if(s == nil){
+ s = malloc(sizeof(*s));
+ if(s == nil)
+ return nil;
+ memset(s, 0, sizeof(*s));
+ s->malloced = 1;
+ }
+
+ if(s->seeded == 0){
+ assert(klen == 32);
+
+ /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
+ s->state[0] = (U8TO32(&key[ 0]) ) & 0x3ffffff;
+ s->state[1] = (U8TO32(&key[ 3]) >> 2) & 0x3ffff03;
+ s->state[2] = (U8TO32(&key[ 6]) >> 4) & 0x3ffc0ff;
+ s->state[3] = (U8TO32(&key[ 9]) >> 6) & 0x3f03fff;
+ s->state[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff;
+
+ /* h = 0 */
+ s->state[5] = 0;
+ s->state[6] = 0;
+ s->state[7] = 0;
+ s->state[8] = 0;
+ s->state[9] = 0;
+
+ /* save pad for later */
+ s->state[10] = U8TO32(&key[16]);
+ s->state[11] = U8TO32(&key[20]);
+ s->state[12] = U8TO32(&key[24]);
+ s->state[13] = U8TO32(&key[28]);
+
+ s->seeded = 1;
+ }
+
+ if(s->blen){
+ c = 16 - s->blen;
+ if(c > len)
+ c = len;
+ memmove(s->buf + s->blen, m, c);
+ len -= c, m += c;
+ s->blen += c;
+ if(s->blen == 16){
+ s->blen = 0;
+ poly1305(s->buf, 16, key, klen, nil, s);
+ } else if(len == 0){
+ m = s->buf;
+ len = s->blen;
+ s->blen = 0;
+ }
+ }
+
+ r0 = s->state[0];
+ r1 = s->state[1];
+ r2 = s->state[2];
+ r3 = s->state[3];
+ r4 = s->state[4];
+
+ h0 = s->state[5];
+ h1 = s->state[6];
+ h2 = s->state[7];
+ h3 = s->state[8];
+ h4 = s->state[9];
+
+ s1 = r1 * 5;
+ s2 = r2 * 5;
+ s3 = r3 * 5;
+ s4 = r4 * 5;
+
+ hibit = 1<<24; /* 1<<128 */
+
+ while(len >= 16){
+Block:
+ /* h += m[i] */
+ h0 += (U8TO32(&m[0]) ) & 0x3ffffff;
+ h1 += (U8TO32(&m[3]) >> 2) & 0x3ffffff;
+ h2 += (U8TO32(&m[6]) >> 4) & 0x3ffffff;
+ h3 += (U8TO32(&m[9]) >> 6) & 0x3ffffff;
+ h4 += (U8TO32(&m[12])>> 8) | hibit;
+
+ /* h *= r */
+ d0 = ((u64int)h0 * r0) + ((u64int)h1 * s4) + ((u64int)h2 * s3) + ((u64int)h3 * s2) + ((u64int)h4 * s1);
+ d1 = ((u64int)h0 * r1) + ((u64int)h1 * r0) + ((u64int)h2 * s4) + ((u64int)h3 * s3) + ((u64int)h4 * s2);
+ d2 = ((u64int)h0 * r2) + ((u64int)h1 * r1) + ((u64int)h2 * r0) + ((u64int)h3 * s4) + ((u64int)h4 * s3);
+ d3 = ((u64int)h0 * r3) + ((u64int)h1 * r2) + ((u64int)h2 * r1) + ((u64int)h3 * r0) + ((u64int)h4 * s4);
+ d4 = ((u64int)h0 * r4) + ((u64int)h1 * r3) + ((u64int)h2 * r2) + ((u64int)h3 * r1) + ((u64int)h4 * r0);
+
+ /* (partial) h %= p */
+ c = (u32int)(d0 >> 26); h0 = (u32int)d0 & 0x3ffffff;
+ d1 += c; c = (u32int)(d1 >> 26); h1 = (u32int)d1 & 0x3ffffff;
+ d2 += c; c = (u32int)(d2 >> 26); h2 = (u32int)d2 & 0x3ffffff;
+ d3 += c; c = (u32int)(d3 >> 26); h3 = (u32int)d3 & 0x3ffffff;
+ d4 += c; c = (u32int)(d4 >> 26); h4 = (u32int)d4 & 0x3ffffff;
+ h0 += c * 5; c = (h0 >> 26); h0 = h0 & 0x3ffffff;
+ h1 += c;
+
+ len -= 16, m += 16;
+ }
+
+ if(len){
+ s->blen = len;
+ memmove(s->buf, m, len);
+ }
+
+ if(digest == nil){
+ s->state[5] = h0;
+ s->state[6] = h1;
+ s->state[7] = h2;
+ s->state[8] = h3;
+ s->state[9] = h4;
+ return s;
+ }
+
+ if(len){
+ m = s->buf;
+ m[len++] = 1;
+ while(len < 16)
+ m[len++] = 0;
+ hibit = 0;
+ goto Block;
+ }
+
+ c = h1 >> 26; h1 = h1 & 0x3ffffff;
+ h2 += c; c = h2 >> 26; h2 = h2 & 0x3ffffff;
+ h3 += c; c = h3 >> 26; h3 = h3 & 0x3ffffff;
+ h4 += c; c = h4 >> 26; h4 = h4 & 0x3ffffff;
+ h0 += c * 5; c = h0 >> 26; h0 = h0 & 0x3ffffff;
+ h1 += c;
+
+ /* compute h + -p */
+ g0 = h0 + 5; c = g0 >> 26; g0 &= 0x3ffffff;
+ g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff;
+ g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff;
+ g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff;
+ g4 = h4 + c - (1 << 26);
+
+ /* select h if h < p, or h + -p if h >= p */
+ mask = (g4 >> 31) - 1;
+ g0 &= mask;
+ g1 &= mask;
+ g2 &= mask;
+ g3 &= mask;
+ g4 &= mask;
+ mask = ~mask;
+ h0 = (h0 & mask) | g0;
+ h1 = (h1 & mask) | g1;
+ h2 = (h2 & mask) | g2;
+ h3 = (h3 & mask) | g3;
+ h4 = (h4 & mask) | g4;
+
+ /* h = h % (2^128) */
+ h0 = (h0 ) | (h1 << 26);
+ h1 = (h1 >> 6) | (h2 << 20);
+ h2 = (h2 >> 12) | (h3 << 14);
+ h3 = (h3 >> 18) | (h4 << 8);
+
+ /* digest = (h + pad) % (2^128) */
+ f = (u64int)h0 + s->state[10] ; h0 = (u32int)f;
+ f = (u64int)h1 + s->state[11] + (f >> 32); h1 = (u32int)f;
+ f = (u64int)h2 + s->state[12] + (f >> 32); h2 = (u32int)f;
+ f = (u64int)h3 + s->state[13] + (f >> 32); h3 = (u32int)f;
+
+ U32TO8(&digest[0], h0);
+ U32TO8(&digest[4], h1);
+ U32TO8(&digest[8], h2);
+ U32TO8(&digest[12], h3);
+
+ if(s->malloced){
+ memset(s, 0, sizeof(*s));
+ free(s);
+ return nil;
+ }
+
+ memset(s, 0, sizeof(*s));
+ return nil;
+}
--- a/libsec/probably_prime.c
+++ b/libsec/probably_prime.c
@@ -2,14 +2,16 @@
#include <mp.h>
#include <libsec.h>
-// Miller-Rabin probabilistic primality testing
-// Knuth (1981) Seminumerical Algorithms, p.379
-// Menezes et al () Handbook, p.39
-// 0 if composite; 1 if almost surely prime, Pr(err)<1/4**nrep
+/*
+ * Miller-Rabin probabilistic primality testing
+ * Knuth (1981) Seminumerical Algorithms, p.379
+ * Menezes et al () Handbook, p.39
+ * 0 if composite; 1 if almost surely prime, Pr(err)<1/4**nrep
+ */
int
probably_prime(mpint *n, int nrep)
{
- int j, k, rep, nbits, isprime = 1;
+ int j, k, rep, nbits, isprime;
mpint *nm1, *q, *x, *y, *r;
if(n->sign < 0)
@@ -19,18 +21,18 @@
nrep = 18;
k = mptoi(n);
- if(k == 2) // 2 is prime
+ if(k < 2) /* 1 is not prime */
+ return 0;
+ if(k == 2 || k == 3) /* 2, 3 is prime */
return 1;
- if(k < 2) // 1 is not prime
+ if((n->p[0] & 1) == 0) /* even is not prime */
return 0;
- if((n->p[0] & 1) == 0) // even is not prime
- return 0;
- // test against small prime numbers
+ /* test against small prime numbers */
if(smallprimetest(n) < 0)
return 0;
- // fermat test, 2^n mod n == 2 if p is prime
+ /* fermat test, 2^n mod n == 2 if p is prime */
x = uitomp(2, nil);
y = mpnew(0);
mpexp(x, n, n, y);
@@ -43,38 +45,43 @@
nbits = mpsignif(n);
nm1 = mpnew(nbits);
- mpsub(n, mpone, nm1); // nm1 = n - 1 */
+ mpsub(n, mpone, nm1); /* nm1 = n - 1 */
k = mplowbits0(nm1);
q = mpnew(0);
- mpright(nm1, k, q); // q = (n-1)/2**k
+ mpright(nm1, k, q); /* q = (n-1)/2**k */
for(rep = 0; rep < nrep; rep++){
-
- // x = random in [2, n-2]
- r = mprand(nbits, prng, nil);
- mpmod(r, nm1, x);
- mpfree(r);
- if(mpcmp(x, mpone) <= 0)
- continue;
+ for(;;){
+ /* find x = random in [2, n-2] */
+ r = mprand(nbits, prng, nil);
+ mpmod(r, nm1, x);
+ mpfree(r);
+ if(mpcmp(x, mpone) > 0)
+ break;
+ }
- // y = x**q mod n
+ /* y = x**q mod n */
mpexp(x, q, n, y);
if(mpcmp(y, mpone) == 0 || mpcmp(y, nm1) == 0)
- goto done;
+ continue;
- for(j = 1; j < k; j++){
- mpmul(y, y, x);
- mpmod(x, n, y); // y = y*y mod n
- if(mpcmp(y, nm1) == 0)
- goto done;
- if(mpcmp(y, mpone) == 0){
- isprime = 0;
- goto done;
- }
+ for(j = 1;; j++){
+ if(j >= k) {
+ isprime = 0;
+ goto done;
+ }
+ mpmul(y, y, x);
+ mpmod(x, n, y); /* y = y*y mod n */
+ if(mpcmp(y, nm1) == 0)
+ break;
+ if(mpcmp(y, mpone) == 0){
+ isprime = 0;
+ goto done;
+ }
}
- isprime = 0;
}
+ isprime = 1;
done:
mpfree(y);
mpfree(x);
--- a/libsec/readcert.c
+++ b/libsec/readcert.c
@@ -1,5 +1,6 @@
#include <u.h>
#include <libc.h>
+#include <auth.h>
#include <mp.h>
#include <libsec.h>
@@ -13,8 +14,10 @@
fd = open(name, OREAD);
if(fd < 0)
return nil;
- if((d = dirfstat(fd)) == nil)
+ if((d = dirfstat(fd)) == nil) {
+ close(fd);
return nil;
+ }
s = malloc(d->length + 1);
if(s == nil || readn(fd, s, d->length) != d->length){
free(s);
@@ -36,10 +39,10 @@
pem = readfile(filename);
if(pem == nil){
- werrstr("can't read %s", filename);
+ werrstr("can't read %s: %r", filename);
return nil;
}
- binary = decodepem(pem, "CERTIFICATE", pcertlen);
+ binary = decodePEM(pem, "CERTIFICATE", pcertlen, nil);
free(pem);
if(binary == nil){
werrstr("can't parse %s", filename);
@@ -46,5 +49,18 @@
return nil;
}
return binary;
+}
+
+PEMChain *
+readcertchain(char *filename)
+{
+ char *chfile;
+
+ chfile = readfile(filename);
+ if (chfile == nil) {
+ werrstr("can't read %s: %r", filename);
+ return nil;
+ }
+ return decodepemchain(chfile, "CERTIFICATE");
}
--- /dev/null
+++ b/libsec/ripemd.c
@@ -1,0 +1,383 @@
+#include "os.h"
+
+#include <libsec.h>
+
+#define BYTES_TO_DWORD(strptr) \
+ (((u32int) *((strptr)+3) << 24) | \
+ ((u32int) *((strptr)+2) << 16) | \
+ ((u32int) *((strptr)+1) << 8) | \
+ ((u32int) *(strptr)))
+
+#define ROL(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+
+/* the five basic functions F(), G() and H() */
+#define F(x, y, z) ((x) ^ (y) ^ (z))
+#define G(x, y, z) (((x) & (y)) | (~(x) & (z)))
+#define H(x, y, z) (((x) | ~(y)) ^ (z))
+#define I(x, y, z) (((x) & (z)) | ((y) & ~(z)))
+#define J(x, y, z) ((x) ^ ((y) | ~(z)))
+
+/* the ten basic operations FF() through III() */
+#define FF(a, b, c, d, e, x, s) {\
+ (a) += F((b), (c), (d)) + (x);\
+ (a) = ROL((a), (s)) + (e);\
+ (c) = ROL((c), 10);\
+ }
+#define GG(a, b, c, d, e, x, s) {\
+ (a) += G((b), (c), (d)) + (x) + 0x5a827999UL;\
+ (a) = ROL((a), (s)) + (e);\
+ (c) = ROL((c), 10);\
+ }
+#define HH(a, b, c, d, e, x, s) {\
+ (a) += H((b), (c), (d)) + (x) + 0x6ed9eba1UL;\
+ (a) = ROL((a), (s)) + (e);\
+ (c) = ROL((c), 10);\
+ }
+#define II(a, b, c, d, e, x, s) {\
+ (a) += I((b), (c), (d)) + (x) + 0x8f1bbcdcUL;\
+ (a) = ROL((a), (s)) + (e);\
+ (c) = ROL((c), 10);\
+ }
+#define JJ(a, b, c, d, e, x, s) {\
+ (a) += J((b), (c), (d)) + (x) + 0xa953fd4eUL;\
+ (a) = ROL((a), (s)) + (e);\
+ (c) = ROL((c), 10);\
+ }
+#define FFF(a, b, c, d, e, x, s) {\
+ (a) += F((b), (c), (d)) + (x);\
+ (a) = ROL((a), (s)) + (e);\
+ (c) = ROL((c), 10);\
+ }
+#define GGG(a, b, c, d, e, x, s) {\
+ (a) += G((b), (c), (d)) + (x) + 0x7a6d76e9UL;\
+ (a) = ROL((a), (s)) + (e);\
+ (c) = ROL((c), 10);\
+ }
+#define HHH(a, b, c, d, e, x, s) {\
+ (a) += H((b), (c), (d)) + (x) + 0x6d703ef3UL;\
+ (a) = ROL((a), (s)) + (e);\
+ (c) = ROL((c), 10);\
+ }
+#define III(a, b, c, d, e, x, s) {\
+ (a) += I((b), (c), (d)) + (x) + 0x5c4dd124UL;\
+ (a) = ROL((a), (s)) + (e);\
+ (c) = ROL((c), 10);\
+ }
+#define JJJ(a, b, c, d, e, x, s) {\
+ (a) += J((b), (c), (d)) + (x) + 0x50a28be6UL;\
+ (a) = ROL((a), (s)) + (e);\
+ (c) = ROL((c), 10);\
+ }
+
+
+static void MDinit(u32int *MDbuf)
+{
+ MDbuf[0] = 0x67452301UL;
+ MDbuf[1] = 0xefcdab89UL;
+ MDbuf[2] = 0x98badcfeUL;
+ MDbuf[3] = 0x10325476UL;
+ MDbuf[4] = 0xc3d2e1f0UL;
+
+ return;
+}
+
+static void compress(u32int *MDbuf, u32int *X)
+{
+ u32int aa = MDbuf[0], bb = MDbuf[1], cc = MDbuf[2],
+ dd = MDbuf[3], ee = MDbuf[4];
+ u32int aaa = MDbuf[0], bbb = MDbuf[1], ccc = MDbuf[2],
+ ddd = MDbuf[3], eee = MDbuf[4];
+
+ /* round 1 */
+ FF(aa, bb, cc, dd, ee, X[ 0], 11);
+ FF(ee, aa, bb, cc, dd, X[ 1], 14);
+ FF(dd, ee, aa, bb, cc, X[ 2], 15);
+ FF(cc, dd, ee, aa, bb, X[ 3], 12);
+ FF(bb, cc, dd, ee, aa, X[ 4], 5);
+ FF(aa, bb, cc, dd, ee, X[ 5], 8);
+ FF(ee, aa, bb, cc, dd, X[ 6], 7);
+ FF(dd, ee, aa, bb, cc, X[ 7], 9);
+ FF(cc, dd, ee, aa, bb, X[ 8], 11);
+ FF(bb, cc, dd, ee, aa, X[ 9], 13);
+ FF(aa, bb, cc, dd, ee, X[10], 14);
+ FF(ee, aa, bb, cc, dd, X[11], 15);
+ FF(dd, ee, aa, bb, cc, X[12], 6);
+ FF(cc, dd, ee, aa, bb, X[13], 7);
+ FF(bb, cc, dd, ee, aa, X[14], 9);
+ FF(aa, bb, cc, dd, ee, X[15], 8);
+
+ /* round 2 */
+ GG(ee, aa, bb, cc, dd, X[ 7], 7);
+ GG(dd, ee, aa, bb, cc, X[ 4], 6);
+ GG(cc, dd, ee, aa, bb, X[13], 8);
+ GG(bb, cc, dd, ee, aa, X[ 1], 13);
+ GG(aa, bb, cc, dd, ee, X[10], 11);
+ GG(ee, aa, bb, cc, dd, X[ 6], 9);
+ GG(dd, ee, aa, bb, cc, X[15], 7);
+ GG(cc, dd, ee, aa, bb, X[ 3], 15);
+ GG(bb, cc, dd, ee, aa, X[12], 7);
+ GG(aa, bb, cc, dd, ee, X[ 0], 12);
+ GG(ee, aa, bb, cc, dd, X[ 9], 15);
+ GG(dd, ee, aa, bb, cc, X[ 5], 9);
+ GG(cc, dd, ee, aa, bb, X[ 2], 11);
+ GG(bb, cc, dd, ee, aa, X[14], 7);
+ GG(aa, bb, cc, dd, ee, X[11], 13);
+ GG(ee, aa, bb, cc, dd, X[ 8], 12);
+
+ /* round 3 */
+ HH(dd, ee, aa, bb, cc, X[ 3], 11);
+ HH(cc, dd, ee, aa, bb, X[10], 13);
+ HH(bb, cc, dd, ee, aa, X[14], 6);
+ HH(aa, bb, cc, dd, ee, X[ 4], 7);
+ HH(ee, aa, bb, cc, dd, X[ 9], 14);
+ HH(dd, ee, aa, bb, cc, X[15], 9);
+ HH(cc, dd, ee, aa, bb, X[ 8], 13);
+ HH(bb, cc, dd, ee, aa, X[ 1], 15);
+ HH(aa, bb, cc, dd, ee, X[ 2], 14);
+ HH(ee, aa, bb, cc, dd, X[ 7], 8);
+ HH(dd, ee, aa, bb, cc, X[ 0], 13);
+ HH(cc, dd, ee, aa, bb, X[ 6], 6);
+ HH(bb, cc, dd, ee, aa, X[13], 5);
+ HH(aa, bb, cc, dd, ee, X[11], 12);
+ HH(ee, aa, bb, cc, dd, X[ 5], 7);
+ HH(dd, ee, aa, bb, cc, X[12], 5);
+
+ /* round 4 */
+ II(cc, dd, ee, aa, bb, X[ 1], 11);
+ II(bb, cc, dd, ee, aa, X[ 9], 12);
+ II(aa, bb, cc, dd, ee, X[11], 14);
+ II(ee, aa, bb, cc, dd, X[10], 15);
+ II(dd, ee, aa, bb, cc, X[ 0], 14);
+ II(cc, dd, ee, aa, bb, X[ 8], 15);
+ II(bb, cc, dd, ee, aa, X[12], 9);
+ II(aa, bb, cc, dd, ee, X[ 4], 8);
+ II(ee, aa, bb, cc, dd, X[13], 9);
+ II(dd, ee, aa, bb, cc, X[ 3], 14);
+ II(cc, dd, ee, aa, bb, X[ 7], 5);
+ II(bb, cc, dd, ee, aa, X[15], 6);
+ II(aa, bb, cc, dd, ee, X[14], 8);
+ II(ee, aa, bb, cc, dd, X[ 5], 6);
+ II(dd, ee, aa, bb, cc, X[ 6], 5);
+ II(cc, dd, ee, aa, bb, X[ 2], 12);
+
+ /* round 5 */
+ JJ(bb, cc, dd, ee, aa, X[ 4], 9);
+ JJ(aa, bb, cc, dd, ee, X[ 0], 15);
+ JJ(ee, aa, bb, cc, dd, X[ 5], 5);
+ JJ(dd, ee, aa, bb, cc, X[ 9], 11);
+ JJ(cc, dd, ee, aa, bb, X[ 7], 6);
+ JJ(bb, cc, dd, ee, aa, X[12], 8);
+ JJ(aa, bb, cc, dd, ee, X[ 2], 13);
+ JJ(ee, aa, bb, cc, dd, X[10], 12);
+ JJ(dd, ee, aa, bb, cc, X[14], 5);
+ JJ(cc, dd, ee, aa, bb, X[ 1], 12);
+ JJ(bb, cc, dd, ee, aa, X[ 3], 13);
+ JJ(aa, bb, cc, dd, ee, X[ 8], 14);
+ JJ(ee, aa, bb, cc, dd, X[11], 11);
+ JJ(dd, ee, aa, bb, cc, X[ 6], 8);
+ JJ(cc, dd, ee, aa, bb, X[15], 5);
+ JJ(bb, cc, dd, ee, aa, X[13], 6);
+
+ /* parallel round 1 */
+ JJJ(aaa, bbb, ccc, ddd, eee, X[ 5], 8);
+ JJJ(eee, aaa, bbb, ccc, ddd, X[14], 9);
+ JJJ(ddd, eee, aaa, bbb, ccc, X[ 7], 9);
+ JJJ(ccc, ddd, eee, aaa, bbb, X[ 0], 11);
+ JJJ(bbb, ccc, ddd, eee, aaa, X[ 9], 13);
+ JJJ(aaa, bbb, ccc, ddd, eee, X[ 2], 15);
+ JJJ(eee, aaa, bbb, ccc, ddd, X[11], 15);
+ JJJ(ddd, eee, aaa, bbb, ccc, X[ 4], 5);
+ JJJ(ccc, ddd, eee, aaa, bbb, X[13], 7);
+ JJJ(bbb, ccc, ddd, eee, aaa, X[ 6], 7);
+ JJJ(aaa, bbb, ccc, ddd, eee, X[15], 8);
+ JJJ(eee, aaa, bbb, ccc, ddd, X[ 8], 11);
+ JJJ(ddd, eee, aaa, bbb, ccc, X[ 1], 14);
+ JJJ(ccc, ddd, eee, aaa, bbb, X[10], 14);
+ JJJ(bbb, ccc, ddd, eee, aaa, X[ 3], 12);
+ JJJ(aaa, bbb, ccc, ddd, eee, X[12], 6);
+
+ /* parallel round 2 */
+ III(eee, aaa, bbb, ccc, ddd, X[ 6], 9);
+ III(ddd, eee, aaa, bbb, ccc, X[11], 13);
+ III(ccc, ddd, eee, aaa, bbb, X[ 3], 15);
+ III(bbb, ccc, ddd, eee, aaa, X[ 7], 7);
+ III(aaa, bbb, ccc, ddd, eee, X[ 0], 12);
+ III(eee, aaa, bbb, ccc, ddd, X[13], 8);
+ III(ddd, eee, aaa, bbb, ccc, X[ 5], 9);
+ III(ccc, ddd, eee, aaa, bbb, X[10], 11);
+ III(bbb, ccc, ddd, eee, aaa, X[14], 7);
+ III(aaa, bbb, ccc, ddd, eee, X[15], 7);
+ III(eee, aaa, bbb, ccc, ddd, X[ 8], 12);
+ III(ddd, eee, aaa, bbb, ccc, X[12], 7);
+ III(ccc, ddd, eee, aaa, bbb, X[ 4], 6);
+ III(bbb, ccc, ddd, eee, aaa, X[ 9], 15);
+ III(aaa, bbb, ccc, ddd, eee, X[ 1], 13);
+ III(eee, aaa, bbb, ccc, ddd, X[ 2], 11);
+
+ /* parallel round 3 */
+ HHH(ddd, eee, aaa, bbb, ccc, X[15], 9);
+ HHH(ccc, ddd, eee, aaa, bbb, X[ 5], 7);
+ HHH(bbb, ccc, ddd, eee, aaa, X[ 1], 15);
+ HHH(aaa, bbb, ccc, ddd, eee, X[ 3], 11);
+ HHH(eee, aaa, bbb, ccc, ddd, X[ 7], 8);
+ HHH(ddd, eee, aaa, bbb, ccc, X[14], 6);
+ HHH(ccc, ddd, eee, aaa, bbb, X[ 6], 6);
+ HHH(bbb, ccc, ddd, eee, aaa, X[ 9], 14);
+ HHH(aaa, bbb, ccc, ddd, eee, X[11], 12);
+ HHH(eee, aaa, bbb, ccc, ddd, X[ 8], 13);
+ HHH(ddd, eee, aaa, bbb, ccc, X[12], 5);
+ HHH(ccc, ddd, eee, aaa, bbb, X[ 2], 14);
+ HHH(bbb, ccc, ddd, eee, aaa, X[10], 13);
+ HHH(aaa, bbb, ccc, ddd, eee, X[ 0], 13);
+ HHH(eee, aaa, bbb, ccc, ddd, X[ 4], 7);
+ HHH(ddd, eee, aaa, bbb, ccc, X[13], 5);
+
+ /* parallel round 4 */
+ GGG(ccc, ddd, eee, aaa, bbb, X[ 8], 15);
+ GGG(bbb, ccc, ddd, eee, aaa, X[ 6], 5);
+ GGG(aaa, bbb, ccc, ddd, eee, X[ 4], 8);
+ GGG(eee, aaa, bbb, ccc, ddd, X[ 1], 11);
+ GGG(ddd, eee, aaa, bbb, ccc, X[ 3], 14);
+ GGG(ccc, ddd, eee, aaa, bbb, X[11], 14);
+ GGG(bbb, ccc, ddd, eee, aaa, X[15], 6);
+ GGG(aaa, bbb, ccc, ddd, eee, X[ 0], 14);
+ GGG(eee, aaa, bbb, ccc, ddd, X[ 5], 6);
+ GGG(ddd, eee, aaa, bbb, ccc, X[12], 9);
+ GGG(ccc, ddd, eee, aaa, bbb, X[ 2], 12);
+ GGG(bbb, ccc, ddd, eee, aaa, X[13], 9);
+ GGG(aaa, bbb, ccc, ddd, eee, X[ 9], 12);
+ GGG(eee, aaa, bbb, ccc, ddd, X[ 7], 5);
+ GGG(ddd, eee, aaa, bbb, ccc, X[10], 15);
+ GGG(ccc, ddd, eee, aaa, bbb, X[14], 8);
+
+ /* parallel round 5 */
+ FFF(bbb, ccc, ddd, eee, aaa, X[12] , 8);
+ FFF(aaa, bbb, ccc, ddd, eee, X[15] , 5);
+ FFF(eee, aaa, bbb, ccc, ddd, X[10] , 12);
+ FFF(ddd, eee, aaa, bbb, ccc, X[ 4] , 9);
+ FFF(ccc, ddd, eee, aaa, bbb, X[ 1] , 12);
+ FFF(bbb, ccc, ddd, eee, aaa, X[ 5] , 5);
+ FFF(aaa, bbb, ccc, ddd, eee, X[ 8] , 14);
+ FFF(eee, aaa, bbb, ccc, ddd, X[ 7] , 6);
+ FFF(ddd, eee, aaa, bbb, ccc, X[ 6] , 8);
+ FFF(ccc, ddd, eee, aaa, bbb, X[ 2] , 13);
+ FFF(bbb, ccc, ddd, eee, aaa, X[13] , 6);
+ FFF(aaa, bbb, ccc, ddd, eee, X[14] , 5);
+ FFF(eee, aaa, bbb, ccc, ddd, X[ 0] , 15);
+ FFF(ddd, eee, aaa, bbb, ccc, X[ 3] , 13);
+ FFF(ccc, ddd, eee, aaa, bbb, X[ 9] , 11);
+ FFF(bbb, ccc, ddd, eee, aaa, X[11] , 11);
+
+ /* combine results */
+ ddd += cc + MDbuf[1]; /* final result for MDbuf[0] */
+ MDbuf[1] = MDbuf[2] + dd + eee;
+ MDbuf[2] = MDbuf[3] + ee + aaa;
+ MDbuf[3] = MDbuf[4] + aa + bbb;
+ MDbuf[4] = MDbuf[0] + bb + ccc;
+ MDbuf[0] = ddd;
+
+ return;
+}
+
+static void MDfinish(u32int *MDbuf, uchar *strptr, u32int lswlen, u32int mswlen)
+{
+ unsigned int i; /* counter */
+ u32int X[16]; /* message words */
+
+ memset(X, 0, 16*sizeof(u32int));
+
+ /* put bytes from strptr into X */
+ for (i=0; i<(lswlen&63); i++) {
+ /* byte i goes into word X[i div 4] at pos. 8*(i mod 4) */
+ X[i>>2] ^= (u32int) *strptr++ << (8 * (i&3));
+ }
+
+ /* append the bit m_n == 1 */
+ X[(lswlen>>2)&15] ^= (u32int)1 << (8*(lswlen&3) + 7);
+
+ if ((lswlen & 63) > 55) {
+ /* length goes to next block */
+ compress(MDbuf, X);
+ memset(X, 0, 16*sizeof(u32int));
+ }
+
+ /* append length in bits*/
+ X[14] = lswlen << 3;
+ X[15] = (lswlen >> 29) | (mswlen << 3);
+ compress(MDbuf, X);
+
+ return;
+}
+
+DigestState*
+ripemd160(uchar *p, ulong len, uchar *digest, DigestState *s)
+{
+ u32int x[16];
+ int i, j, k;
+
+ if(s == nil){
+ s = malloc(sizeof(*s));
+ if(s == nil)
+ return nil;
+ memset(s, 0, sizeof(*s));
+ s->malloced = 1;
+ }
+
+ if(s->seeded == 0){
+ MDinit(s->state);
+ s->seeded = 1;
+ }
+
+ /* fill out the partial 64 byte block from previous calls */
+ if(s->blen){
+ i = 64 - s->blen;
+ if(len < i)
+ i = len;
+ memmove(s->buf + s->blen, p, i);
+ len -= i;
+ s->blen += i;
+ p += i;
+ if(s->blen == 64){
+ for(i = 0; i < 16; i++)
+ x[i] = BYTES_TO_DWORD(s->buf + i * 4);
+ compress(s->state, x);
+ s->len += s->blen;
+ s->blen = 0;
+ }
+ }
+
+ /* do 64 byte blocks */
+ i = len & ~0x3f;
+ if(i){
+ for(j = 0; j < i; j += 64){
+ for(k = 0; k < 16; k++)
+ x[k] = BYTES_TO_DWORD(p + j + k * 4);
+ compress(s->state, x);
+ }
+ s->len += i;
+ len -= i;
+ p += i;
+ }
+
+ /* save the left overs if not last call */
+ if(digest == 0){
+ if(len){
+ memmove(s->buf, p, len);
+ s->blen += len;
+ }
+ return s;
+ }
+
+ MDfinish(s->state, p, s->len + len, 0);
+ for(i = 0; i < 5; i++){
+ digest[4 * i] = s->state[i];
+ digest[4 * i + 1] = s->state[i] >> 8;
+ digest[4 * i + 2] = s->state[i] >> 16;
+ digest[4 * i + 3] = s->state[i] >> 24;
+
+ }
+ if(s->malloced == 1)
+ free(s);
+ return nil;
+
+}
--- a/libsec/rsagen.c
+++ b/libsec/rsagen.c
@@ -2,21 +2,6 @@
#include <mp.h>
#include <libsec.h>
-static void
-genrand(mpint *p, int n)
-{
- mpdigit x;
-
- // generate n random bits with high set
- mpbits(p, n);
- genrandom((uchar*)p->p, (n+7)/8);
- p->top = (n+Dbits-1)/Dbits;
- x = 1;
- x <<= ((n-1)%Dbits);
- p->p[p->top-1] &= (x-1);
- p->p[p->top-1] |= x;
-}
-
RSApriv*
rsagen(int nlen, int elen, int rounds)
{
@@ -31,8 +16,8 @@
phi = mpnew(nlen);
// create the prime factors and euclid's function
- genstrongprime(p, nlen/2, rounds);
- genstrongprime(q, nlen - mpsignif(p) + 1, rounds);
+ genprime(p, nlen/2, rounds);
+ genprime(q, nlen - mpsignif(p) + 1, rounds);
mpmul(p, q, n);
mpsub(p, mpone, e);
mpsub(q, mpone, d);
@@ -41,18 +26,21 @@
// find an e relatively prime to phi
t1 = mpnew(0);
t2 = mpnew(0);
- genrand(e, elen);
+ mprand(elen, genrandom, e);
+ if(mpcmp(e,mptwo) <= 0)
+ itomp(3, e);
+ // See Menezes et al. p.291 "8.8 Note (selecting primes)" for discussion
+ // of the merits of various choices of primes and exponents. e=3 is a
+ // common and recommended exponent, but doesn't necessarily work here
+ // because we chose strong rather than safe primes.
for(;;){
- mpextendedgcd(e, phi, d, t1, t2);
- if(mpcmp(d, mpone) == 0)
+ mpextendedgcd(e, phi, t1, d, t2);
+ if(mpcmp(t1, mpone) == 0)
break;
mpadd(mpone, e, e);
}
mpfree(t1);
mpfree(t2);
-
- // d = e**-1 mod phi
- mpinvert(e, phi, d);
// compute chinese remainder coefficient
c2 = mpnew(0);
--- /dev/null
+++ b/libsec/salsa.c
@@ -1,0 +1,320 @@
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+enum{
+ Blockwords= SalsaBsize/sizeof(u32int)
+};
+
+/* little-endian data order */
+#define GET4(p) ((((((p)[3]<<8) | (p)[2])<<8) | (p)[1])<<8 | (p)[0])
+#define PUT4(p, v) (((p)[0]=v), (v>>=8), ((p)[1]=v), (v>>=8), ((p)[2]=v), (v>>=8), ((p)[3]=v))
+
+#define ROTATE(v,c) (t = v, (u32int)(t << (c)) | (t >> (32 - (c))))
+
+#define ENCRYPT(s, x, y, d) {\
+ u32int v; \
+ uchar *sp, *dp; \
+ sp = (s); \
+ v = GET4(sp); \
+ v ^= (x)+(y); \
+ dp = (d); \
+ PUT4(dp, v); \
+}
+
+static uchar sigma[16] = "expand 32-byte k";
+static uchar tau[16] = "expand 16-byte k";
+
+static void
+load(u32int *d, uchar *s, int nw)
+{
+ int i;
+
+ for(i = 0; i < nw; i++, s+=4)
+ d[i] = GET4(s);
+}
+
+void
+setupSalsastate(Salsastate *s, uchar *key, ulong keylen, uchar *iv, ulong ivlen, int rounds)
+{
+ if(keylen != 256/8 && keylen != 128/8)
+ sysfatal("invalid salsa key length");
+ if(ivlen != 64/8 && ivlen != 128/8 && ivlen != 192/8)
+ sysfatal("invalid salsa iv length");
+ if(rounds == 0)
+ rounds = 20;
+ s->rounds = rounds;
+ if(keylen == 256/8) { /* recommended */
+ load(&s->input[0], sigma+4*0, 1);
+ load(&s->input[1], key +16*0, 4);
+ load(&s->input[5], sigma+4*1, 1);
+ load(&s->input[10], sigma+4*2, 1);
+ load(&s->input[11], key +16*1, 4);
+ load(&s->input[15], sigma+4*3, 1);
+ }else{
+ load(&s->input[0], tau +4*0, 1);
+ load(&s->input[1], key, 4);
+ load(&s->input[5], tau +4*1, 1);
+ load(&s->input[10], tau +4*2, 1);
+ load(&s->input[11], key, 4);
+ load(&s->input[15], tau +4*3, 1);
+ }
+ s->key[0] = s->input[1];
+ s->key[1] = s->input[2];
+ s->key[2] = s->input[3];
+ s->key[3] = s->input[4];
+ s->key[4] = s->input[11];
+ s->key[5] = s->input[12];
+ s->key[6] = s->input[13];
+ s->key[7] = s->input[14];
+
+ s->ivwords = ivlen/4;
+ s->input[8] = 0;
+ s->input[9] = 0;
+ if(iv == nil){
+ s->input[6] = 0;
+ s->input[7] = 0;
+ }else
+ salsa_setiv(s, iv);
+}
+
+static void
+hsalsablock(uchar h[32], Salsastate *s)
+{
+ u32int x[Blockwords], t;
+ int i, rounds;
+
+ rounds = s->rounds;
+ x[0] = s->input[0];
+ x[1] = s->input[1];
+ x[2] = s->input[2];
+ x[3] = s->input[3];
+ x[4] = s->input[4];
+ x[5] = s->input[5];
+ x[6] = s->input[6];
+ x[7] = s->input[7];
+ x[8] = s->input[8];
+ x[9] = s->input[9];
+ x[10] = s->input[10];
+ x[11] = s->input[11];
+ x[12] = s->input[12];
+ x[13] = s->input[13];
+ x[14] = s->input[14];
+ x[15] = s->input[15];
+
+ for(i = rounds; i > 0; i -= 2) {
+ x[4] ^= ROTATE( x[0]+x[12], 7);
+ x[8] ^= ROTATE( x[4]+ x[0], 9);
+ x[12] ^= ROTATE( x[8]+ x[4],13);
+ x[0] ^= ROTATE(x[12]+ x[8],18);
+ x[9] ^= ROTATE( x[5]+ x[1], 7);
+ x[13] ^= ROTATE( x[9]+ x[5], 9);
+ x[1] ^= ROTATE(x[13]+ x[9],13);
+ x[5] ^= ROTATE( x[1]+x[13],18);
+ x[14] ^= ROTATE(x[10]+ x[6], 7);
+ x[2] ^= ROTATE(x[14]+x[10], 9);
+ x[6] ^= ROTATE( x[2]+x[14],13);
+ x[10] ^= ROTATE( x[6]+ x[2],18);
+ x[3] ^= ROTATE(x[15]+x[11], 7);
+ x[7] ^= ROTATE( x[3]+x[15], 9);
+ x[11] ^= ROTATE( x[7]+ x[3],13);
+ x[15] ^= ROTATE(x[11]+ x[7],18);
+ x[1] ^= ROTATE( x[0]+ x[3], 7);
+ x[2] ^= ROTATE( x[1]+ x[0], 9);
+ x[3] ^= ROTATE( x[2]+ x[1],13);
+ x[0] ^= ROTATE( x[3]+ x[2],18);
+ x[6] ^= ROTATE( x[5]+ x[4], 7);
+ x[7] ^= ROTATE( x[6]+ x[5], 9);
+ x[4] ^= ROTATE( x[7]+ x[6],13);
+ x[5] ^= ROTATE( x[4]+ x[7],18);
+ x[11] ^= ROTATE(x[10]+ x[9], 7);
+ x[8] ^= ROTATE(x[11]+x[10], 9);
+ x[9] ^= ROTATE( x[8]+x[11],13);
+ x[10] ^= ROTATE( x[9]+ x[8],18);
+ x[12] ^= ROTATE(x[15]+x[14], 7);
+ x[13] ^= ROTATE(x[12]+x[15], 9);
+ x[14] ^= ROTATE(x[13]+x[12],13);
+ x[15] ^= ROTATE(x[14]+x[13],18);
+ }
+
+ PUT4(h+0*4, x[0]);
+ PUT4(h+1*4, x[5]);
+ PUT4(h+2*4, x[10]);
+ PUT4(h+3*4, x[15]);
+ PUT4(h+4*4, x[6]);
+ PUT4(h+5*4, x[7]);
+ PUT4(h+6*4, x[8]);
+ PUT4(h+7*4, x[9]);
+}
+
+void
+salsa_setiv(Salsastate *s, uchar *iv)
+{
+ if(s->ivwords == 128/32){
+ /* hsalsa 128-bit iv */
+ load(&s->input[6], iv, 4);
+ return;
+ }
+ if(s->ivwords == 192/32){
+ /* xsalsa with 192-bit iv */
+ u32int counter[2];
+ uchar h[32];
+
+ counter[0] = s->input[8];
+ counter[1] = s->input[9];
+
+ s->input[1] = s->key[0];
+ s->input[2] = s->key[1];
+ s->input[3] = s->key[2];
+ s->input[4] = s->key[3];
+ s->input[11] = s->key[4];
+ s->input[12] = s->key[5];
+ s->input[13] = s->key[6];
+ s->input[14] = s->key[7];
+
+ load(&s->input[6], iv, 4);
+
+ hsalsablock(h, s);
+ load(&s->input[1], h+16*0, 4);
+ load(&s->input[11], h+16*1, 4);
+ memset(h, 0, 32);
+
+ s->input[8] = counter[0];
+ s->input[9] = counter[1];
+
+ iv += 16;
+ }
+ /* 64-bit iv */
+ load(&s->input[6], iv, 2);
+}
+
+void
+salsa_setblock(Salsastate *s, u64int blockno)
+{
+ s->input[8] = blockno;
+ s->input[9] = blockno>>32;
+}
+
+static void
+encryptblock(Salsastate *s, uchar *src, uchar *dst)
+{
+ u32int x[Blockwords], t;
+ int i, rounds;
+
+ rounds = s->rounds;
+ x[0] = s->input[0];
+ x[1] = s->input[1];
+ x[2] = s->input[2];
+ x[3] = s->input[3];
+ x[4] = s->input[4];
+ x[5] = s->input[5];
+ x[6] = s->input[6];
+ x[7] = s->input[7];
+ x[8] = s->input[8];
+ x[9] = s->input[9];
+ x[10] = s->input[10];
+ x[11] = s->input[11];
+ x[12] = s->input[12];
+ x[13] = s->input[13];
+ x[14] = s->input[14];
+ x[15] = s->input[15];
+
+ for(i = rounds; i > 0; i -= 2) {
+ x[4] ^= ROTATE( x[0]+x[12], 7);
+ x[8] ^= ROTATE( x[4]+ x[0], 9);
+ x[12] ^= ROTATE( x[8]+ x[4],13);
+ x[0] ^= ROTATE(x[12]+ x[8],18);
+ x[9] ^= ROTATE( x[5]+ x[1], 7);
+ x[13] ^= ROTATE( x[9]+ x[5], 9);
+ x[1] ^= ROTATE(x[13]+ x[9],13);
+ x[5] ^= ROTATE( x[1]+x[13],18);
+ x[14] ^= ROTATE(x[10]+ x[6], 7);
+ x[2] ^= ROTATE(x[14]+x[10], 9);
+ x[6] ^= ROTATE( x[2]+x[14],13);
+ x[10] ^= ROTATE( x[6]+ x[2],18);
+ x[3] ^= ROTATE(x[15]+x[11], 7);
+ x[7] ^= ROTATE( x[3]+x[15], 9);
+ x[11] ^= ROTATE( x[7]+ x[3],13);
+ x[15] ^= ROTATE(x[11]+ x[7],18);
+ x[1] ^= ROTATE( x[0]+ x[3], 7);
+ x[2] ^= ROTATE( x[1]+ x[0], 9);
+ x[3] ^= ROTATE( x[2]+ x[1],13);
+ x[0] ^= ROTATE( x[3]+ x[2],18);
+ x[6] ^= ROTATE( x[5]+ x[4], 7);
+ x[7] ^= ROTATE( x[6]+ x[5], 9);
+ x[4] ^= ROTATE( x[7]+ x[6],13);
+ x[5] ^= ROTATE( x[4]+ x[7],18);
+ x[11] ^= ROTATE(x[10]+ x[9], 7);
+ x[8] ^= ROTATE(x[11]+x[10], 9);
+ x[9] ^= ROTATE( x[8]+x[11],13);
+ x[10] ^= ROTATE( x[9]+ x[8],18);
+ x[12] ^= ROTATE(x[15]+x[14], 7);
+ x[13] ^= ROTATE(x[12]+x[15], 9);
+ x[14] ^= ROTATE(x[13]+x[12],13);
+ x[15] ^= ROTATE(x[14]+x[13],18);
+ }
+
+#ifdef FULL_UNROLL
+ ENCRYPT(src+0*4, x[0], s->input[0], dst+0*4);
+ ENCRYPT(src+1*4, x[1], s->input[1], dst+1*4);
+ ENCRYPT(src+2*4, x[2], s->input[2], dst+2*4);
+ ENCRYPT(src+3*4, x[3], s->input[3], dst+3*4);
+ ENCRYPT(src+4*4, x[4], s->input[4], dst+4*4);
+ ENCRYPT(src+5*4, x[5], s->input[5], dst+5*4);
+ ENCRYPT(src+6*4, x[6], s->input[6], dst+6*4);
+ ENCRYPT(src+7*4, x[7], s->input[7], dst+7*4);
+ ENCRYPT(src+8*4, x[8], s->input[8], dst+8*4);
+ ENCRYPT(src+9*4, x[9], s->input[9], dst+9*4);
+ ENCRYPT(src+10*4, x[10], s->input[10], dst+10*4);
+ ENCRYPT(src+11*4, x[11], s->input[11], dst+11*4);
+ ENCRYPT(src+12*4, x[12], s->input[12], dst+12*4);
+ ENCRYPT(src+13*4, x[13], s->input[13], dst+13*4);
+ ENCRYPT(src+14*4, x[14], s->input[14], dst+14*4);
+ ENCRYPT(src+15*4, x[15], s->input[15], dst+15*4);
+#else
+ for(i=0; i<nelem(x); i+=4){
+ ENCRYPT(src, x[i], s->input[i], dst);
+ ENCRYPT(src+4, x[i+1], s->input[i+1], dst+4);
+ ENCRYPT(src+8, x[i+2], s->input[i+2], dst+8);
+ ENCRYPT(src+12, x[i+3], s->input[i+3], dst+12);
+ src += 16;
+ dst += 16;
+ }
+#endif
+
+ if(++s->input[8] == 0)
+ s->input[9]++;
+}
+
+void
+salsa_encrypt2(uchar *src, uchar *dst, ulong bytes, Salsastate *s)
+{
+ uchar tmp[SalsaBsize];
+
+ for(; bytes >= SalsaBsize; bytes -= SalsaBsize){
+ encryptblock(s, src, dst);
+ src += SalsaBsize;
+ dst += SalsaBsize;
+ }
+ if(bytes > 0){
+ memmove(tmp, src, bytes);
+ encryptblock(s, tmp, tmp);
+ memmove(dst, tmp, bytes);
+ }
+}
+
+void
+salsa_encrypt(uchar *buf, ulong bytes, Salsastate *s)
+{
+ salsa_encrypt2(buf, buf, bytes, s);
+}
+
+void
+hsalsa(uchar h[32], uchar *key, ulong keylen, uchar nonce[16], int rounds)
+{
+ Salsastate s[1];
+
+ setupSalsastate(s, key, keylen, nonce, 16, rounds);
+ hsalsablock(h, s);
+ memset(s, 0, sizeof(s));
+}
--- /dev/null
+++ b/libsec/secp256k1.c
@@ -1,0 +1,12 @@
+#include <u.h>
+#include <libc.h>
+#include <mp.h>
+void secp256k1(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h){
+ strtomp("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", nil, 16, p);
+ mpassign(mpzero, a);
+ uitomp(7UL, b);
+ strtomp("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", nil, 16, x);
+ strtomp("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", nil, 16, y);
+ strtomp("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", nil, 16, n);
+ mpassign(mpone, h);
+ }
--- /dev/null
+++ b/libsec/secp256r1.c
@@ -1,0 +1,13 @@
+#include <u.h>
+#include <libc.h>
+#include <mp.h>
+void secp256r1(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h){
+ strtomp("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", nil, 16, p);
+ uitomp(3UL, a);
+ mpsub(p, a, a);
+ strtomp("5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B", nil, 16, b);
+ strtomp("6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", nil, 16, x);
+ strtomp("4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", nil, 16, y);
+ strtomp("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", nil, 16, n);
+ mpassign(mpone, h);
+ }
--- a/libsec/sha1.c
+++ b/libsec/sha1.c
@@ -125,3 +125,10 @@
*output++ = x;
}
}
+
+DigestState*
+hmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest,
+ DigestState *s)
+{
+ return hmac_x(p, len, key, klen, digest, s, sha1, SHA1dlen);
+}
--- /dev/null
+++ b/libsec/sha2_128.c
@@ -1,0 +1,191 @@
+/*
+ * sha2 128-bit
+ */
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+static void encode64(uchar*, u64int*, ulong);
+static DigestState* sha2_128(uchar *, ulong, uchar *, SHA2_256state *, int);
+
+extern void _sha2block128(uchar*, ulong, u64int*);
+
+/*
+ * for sha2_384 and sha2_512, len must be multiple of 128 for all but
+ * the last call. There must be room in the input buffer to pad.
+ *
+ * Note: sha2_384 calls sha2_512block as sha2_384; it just uses a different
+ * initial seed to produce a truncated 384b hash result. otherwise
+ * it's the same as sha2_512.
+ */
+SHA2_384state*
+sha2_384(uchar *p, ulong len, uchar *digest, SHA2_384state *s)
+{
+ if(s == nil) {
+ s = mallocz(sizeof(*s), 1);
+ if(s == nil)
+ return nil;
+ s->malloced = 1;
+ }
+ if(s->seeded == 0){
+ /*
+ * seed the state with the first 64 bits of the fractional
+ * parts of the square roots of the 9th thru 16th primes.
+ */
+ s->bstate[0] = 0xcbbb9d5dc1059ed8LL;
+ s->bstate[1] = 0x629a292a367cd507LL;
+ s->bstate[2] = 0x9159015a3070dd17LL;
+ s->bstate[3] = 0x152fecd8f70e5939LL;
+ s->bstate[4] = 0x67332667ffc00b31LL;
+ s->bstate[5] = 0x8eb44a8768581511LL;
+ s->bstate[6] = 0xdb0c2e0d64f98fa7LL;
+ s->bstate[7] = 0x47b5481dbefa4fa4LL;
+ s->seeded = 1;
+ }
+ return sha2_128(p, len, digest, s, SHA2_384dlen);
+}
+
+SHA2_512state*
+sha2_512(uchar *p, ulong len, uchar *digest, SHA2_512state *s)
+{
+
+ if(s == nil) {
+ s = mallocz(sizeof(*s), 1);
+ if(s == nil)
+ return nil;
+ s->malloced = 1;
+ }
+ if(s->seeded == 0){
+ /*
+ * seed the state with the first 64 bits of the fractional
+ * parts of the square roots of the first 8 primes 2..19).
+ */
+ s->bstate[0] = 0x6a09e667f3bcc908LL;
+ s->bstate[1] = 0xbb67ae8584caa73bLL;
+ s->bstate[2] = 0x3c6ef372fe94f82bLL;
+ s->bstate[3] = 0xa54ff53a5f1d36f1LL;
+ s->bstate[4] = 0x510e527fade682d1LL;
+ s->bstate[5] = 0x9b05688c2b3e6c1fLL;
+ s->bstate[6] = 0x1f83d9abfb41bd6bLL;
+ s->bstate[7] = 0x5be0cd19137e2179LL;
+ s->seeded = 1;
+ }
+ return sha2_128(p, len, digest, s, SHA2_512dlen);
+}
+
+/* common 128 byte block padding and count code for SHA2_384 and SHA2_512 */
+static DigestState*
+sha2_128(uchar *p, ulong len, uchar *digest, SHA2_512state *s, int dlen)
+{
+ int i;
+ u64int x[16];
+ uchar buf[256];
+ uchar *e;
+
+ /* fill out the partial 128 byte block from previous calls */
+ if(s->blen){
+ i = 128 - s->blen;
+ if(len < i)
+ i = len;
+ memmove(s->buf + s->blen, p, i);
+ len -= i;
+ s->blen += i;
+ p += i;
+ if(s->blen == 128){
+ _sha2block128(s->buf, s->blen, s->bstate);
+ s->len += s->blen;
+ s->blen = 0;
+ }
+ }
+
+ /* do 128 byte blocks */
+ i = len & ~(128-1);
+ if(i){
+ _sha2block128(p, i, s->bstate);
+ s->len += i;
+ len -= i;
+ p += i;
+ }
+
+ /* save the left overs if not last call */
+ if(digest == 0){
+ if(len){
+ memmove(s->buf, p, len);
+ s->blen += len;
+ }
+ return s;
+ }
+
+ /*
+ * this is the last time through, pad what's left with 0x80,
+ * 0's, and the input count to create a multiple of 128 bytes.
+ */
+ if(s->blen){
+ p = s->buf;
+ len = s->blen;
+ } else {
+ memmove(buf, p, len);
+ p = buf;
+ }
+ s->len += len;
+ e = p + len;
+ if(len < 112)
+ i = 112 - len;
+ else
+ i = 240 - len;
+ memset(e, 0, i);
+ *e = 0x80;
+ len += i;
+
+ /* append the count */
+ x[0] = 0; /* assume 32b length, i.e. < 4GB */
+ x[1] = s->len<<3;
+ encode64(p+len, x, 16);
+
+ /* digest the last part */
+ _sha2block128(p, len+16, s->bstate);
+ s->len += len+16;
+
+ /* return result and free state */
+ encode64(digest, s->bstate, dlen);
+ if(s->malloced == 1)
+ free(s);
+ return nil;
+}
+
+/*
+ * Encodes input (ulong long) into output (uchar).
+ * Assumes len is a multiple of 8.
+ */
+static void
+encode64(uchar *output, u64int *input, ulong len)
+{
+ u64int x;
+ uchar *e;
+
+ for(e = output + len; output < e;) {
+ x = *input++;
+ *output++ = x >> 56;
+ *output++ = x >> 48;
+ *output++ = x >> 40;
+ *output++ = x >> 32;
+ *output++ = x >> 24;
+ *output++ = x >> 16;
+ *output++ = x >> 8;
+ *output++ = x;
+ }
+}
+
+DigestState*
+hmac_sha2_384(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest,
+ DigestState *s)
+{
+ return hmac_x(p, len, key, klen, digest, s, sha2_384, SHA2_384dlen);
+}
+
+DigestState*
+hmac_sha2_512(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest,
+ DigestState *s)
+{
+ return hmac_x(p, len, key, klen, digest, s, sha2_512, SHA2_512dlen);
+}
--- /dev/null
+++ b/libsec/sha2_64.c
@@ -1,0 +1,187 @@
+/*
+ * sha2 64-bit
+ */
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+static void encode32(uchar*, u32int*, ulong);
+static DigestState* sha2_64(uchar *, ulong, uchar *, SHA2_256state *, int);
+
+extern void _sha2block64(uchar*, ulong, u32int*);
+
+/*
+ * for sha2_224 and sha2_256, len must be multiple of 64 for all but
+ * the last call. There must be room in the input buffer to pad.
+ *
+ * Note: sha2_224 calls sha2_256block as sha2_224, just uses different
+ * initial seed and produces a 224b hash result. otherwise it's
+ * the same as sha2_256.
+ */
+
+SHA2_224state*
+sha2_224(uchar *p, ulong len, uchar *digest, SHA2_224state *s)
+{
+ if(s == nil) {
+ s = mallocz(sizeof(*s), 1);
+ if(s == nil)
+ return nil;
+ s->malloced = 1;
+ }
+ if(s->seeded == 0){
+ /*
+ * seed the state with the first 32 bits of the fractional
+ * parts of the square roots of the first 8 primes 2..19).
+ */
+ s->state[0] = 0xc1059ed8;
+ s->state[1] = 0x367cd507;
+ s->state[2] = 0x3070dd17;
+ s->state[3] = 0xf70e5939;
+ s->state[4] = 0xffc00b31;
+ s->state[5] = 0x68581511;
+ s->state[6] = 0x64f98fa7;
+ s->state[7] = 0xbefa4fa4;
+ s->seeded = 1;
+ }
+ return sha2_64(p, len, digest, s, SHA2_224dlen);
+}
+
+SHA2_256state*
+sha2_256(uchar *p, ulong len, uchar *digest, SHA2_256state *s)
+{
+ if(s == nil) {
+ s = mallocz(sizeof(*s), 1);
+ if(s == nil)
+ return nil;
+ s->malloced = 1;
+ }
+ if(s->seeded == 0){
+ /*
+ * seed the state with the first 32 bits of the fractional
+ * parts of the square roots of the first 8 primes 2..19).
+ */
+ s->state[0] = 0x6a09e667;
+ s->state[1] = 0xbb67ae85;
+ s->state[2] = 0x3c6ef372;
+ s->state[3] = 0xa54ff53a;
+ s->state[4] = 0x510e527f;
+ s->state[5] = 0x9b05688c;
+ s->state[6] = 0x1f83d9ab;
+ s->state[7] = 0x5be0cd19;
+ s->seeded = 1;
+ }
+ return sha2_64(p, len, digest, s, SHA2_256dlen);
+}
+
+/* common 64 byte block padding and count code for SHA2_224 and SHA2_256 */
+static DigestState*
+sha2_64(uchar *p, ulong len, uchar *digest, SHA2_256state *s, int dlen)
+{
+ int i;
+ u32int x[16];
+ uchar buf[128];
+ uchar *e;
+
+ /* fill out the partial 64 byte block from previous calls */
+ if(s->blen){
+ i = 64 - s->blen;
+ if(len < i)
+ i = len;
+ memmove(s->buf + s->blen, p, i);
+ len -= i;
+ s->blen += i;
+ p += i;
+ if(s->blen == 64){
+ _sha2block64(s->buf, s->blen, s->state);
+ s->len += s->blen;
+ s->blen = 0;
+ }
+ }
+
+ /* do 64 byte blocks */
+ i = len & ~(64-1);
+ if(i){
+ _sha2block64(p, i, s->state);
+ s->len += i;
+ len -= i;
+ p += i;
+ }
+
+ /* save the left overs if not last call */
+ if(digest == 0){
+ if(len){
+ memmove(s->buf, p, len);
+ s->blen += len;
+ }
+ return s;
+ }
+
+ /*
+ * this is the last time through, pad what's left with 0x80,
+ * 0's, and the input count to create a multiple of 64 bytes.
+ */
+ if(s->blen){
+ p = s->buf;
+ len = s->blen;
+ } else {
+ memmove(buf, p, len);
+ p = buf;
+ }
+ s->len += len;
+ e = p + len;
+ if(len < 56)
+ i = 56 - len;
+ else
+ i = 120 - len;
+ memset(e, 0, i);
+ *e = 0x80;
+ len += i;
+
+ /* append the count */
+ x[0] = s->len>>29;
+ x[1] = s->len<<3;
+ encode32(p+len, x, 8);
+
+ /* digest the last part */
+ _sha2block64(p, len+8, s->state);
+ s->len += len+8;
+
+ /* return result and free state */
+ encode32(digest, s->state, dlen);
+ if(s->malloced == 1)
+ free(s);
+ return nil;
+}
+
+/*
+ * Encodes input (ulong) into output (uchar).
+ * Assumes len is a multiple of 4.
+ */
+static void
+encode32(uchar *output, u32int *input, ulong len)
+{
+ u32int x;
+ uchar *e;
+
+ for(e = output + len; output < e;) {
+ x = *input++;
+ *output++ = x >> 24;
+ *output++ = x >> 16;
+ *output++ = x >> 8;
+ *output++ = x;
+ }
+}
+
+DigestState*
+hmac_sha2_224(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest,
+ DigestState *s)
+{
+ return hmac_x(p, len, key, klen, digest, s, sha2_224, SHA2_224dlen);
+}
+
+DigestState*
+hmac_sha2_256(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest,
+ DigestState *s)
+{
+ return hmac_x(p, len, key, klen, digest, s, sha2_256, SHA2_256dlen);
+}
--- /dev/null
+++ b/libsec/sha2block128.c
@@ -1,0 +1,101 @@
+/*
+ * sha2_512 block cipher
+ *
+ * Implementation straight from Federal Information Processing Standards
+ * publication 180-2 (+Change Notice to include SHA-224) August 1, 2002
+ * note: the following upper and lower case macro names are distinct
+ * and reflect the functions defined in FIPS pub. 180-2.
+ */
+#include <u.h>
+#include <libc.h>
+
+#define ROTR(x,n) (((x) >> (n)) | ((x) << (64-(n))))
+#define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x) >> 7))
+#define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x) >> 6))
+#define SIGMA0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
+#define SIGMA1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
+#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+/*
+ * first 64 bits of the fractional parts of cube roots of
+ * first 80 primes (2..311).
+ */
+static u64int K512[80] = {
+ 0x428a2f98d728ae22LL, 0x7137449123ef65cdLL, 0xb5c0fbcfec4d3b2fLL, 0xe9b5dba58189dbbcLL,
+ 0x3956c25bf348b538LL, 0x59f111f1b605d019LL, 0x923f82a4af194f9bLL, 0xab1c5ed5da6d8118LL,
+ 0xd807aa98a3030242LL, 0x12835b0145706fbeLL, 0x243185be4ee4b28cLL, 0x550c7dc3d5ffb4e2LL,
+ 0x72be5d74f27b896fLL, 0x80deb1fe3b1696b1LL, 0x9bdc06a725c71235LL, 0xc19bf174cf692694LL,
+ 0xe49b69c19ef14ad2LL, 0xefbe4786384f25e3LL, 0x0fc19dc68b8cd5b5LL, 0x240ca1cc77ac9c65LL,
+ 0x2de92c6f592b0275LL, 0x4a7484aa6ea6e483LL, 0x5cb0a9dcbd41fbd4LL, 0x76f988da831153b5LL,
+ 0x983e5152ee66dfabLL, 0xa831c66d2db43210LL, 0xb00327c898fb213fLL, 0xbf597fc7beef0ee4LL,
+ 0xc6e00bf33da88fc2LL, 0xd5a79147930aa725LL, 0x06ca6351e003826fLL, 0x142929670a0e6e70LL,
+ 0x27b70a8546d22ffcLL, 0x2e1b21385c26c926LL, 0x4d2c6dfc5ac42aedLL, 0x53380d139d95b3dfLL,
+ 0x650a73548baf63deLL, 0x766a0abb3c77b2a8LL, 0x81c2c92e47edaee6LL, 0x92722c851482353bLL,
+ 0xa2bfe8a14cf10364LL, 0xa81a664bbc423001LL, 0xc24b8b70d0f89791LL, 0xc76c51a30654be30LL,
+ 0xd192e819d6ef5218LL, 0xd69906245565a910LL, 0xf40e35855771202aLL, 0x106aa07032bbd1b8LL,
+ 0x19a4c116b8d2d0c8LL, 0x1e376c085141ab53LL, 0x2748774cdf8eeb99LL, 0x34b0bcb5e19b48a8LL,
+ 0x391c0cb3c5c95a63LL, 0x4ed8aa4ae3418acbLL, 0x5b9cca4f7763e373LL, 0x682e6ff3d6b2b8a3LL,
+ 0x748f82ee5defb2fcLL, 0x78a5636f43172f60LL, 0x84c87814a1f0ab72LL, 0x8cc702081a6439ecLL,
+ 0x90befffa23631e28LL, 0xa4506cebde82bde9LL, 0xbef9a3f7b2c67915LL, 0xc67178f2e372532bLL,
+ 0xca273eceea26619cLL, 0xd186b8c721c0c207LL, 0xeada7dd6cde0eb1eLL, 0xf57d4f7fee6ed178LL,
+ 0x06f067aa72176fbaLL, 0x0a637dc5a2c898a6LL, 0x113f9804bef90daeLL, 0x1b710b35131c471bLL,
+ 0x28db77f523047d84LL, 0x32caab7b40c72493LL, 0x3c9ebe0a15c9bebcLL, 0x431d67c49c100d4cLL,
+ 0x4cc5d4becb3e42b6LL, 0x597f299cfc657e2aLL, 0x5fcb6fab3ad6faecLL, 0x6c44198c4a475817LL };
+
+void
+_sha2block128(uchar *p, ulong len, u64int *s)
+{
+ u64int a, b, c, d, e, f, g, h, t1, t2;
+ u64int *kp, *wp;
+ u64int w[80];
+ uchar *end;
+
+ /* at this point, we have a multiple of 64 bytes */
+ for(end = p+len; p < end;){
+ a = s[0];
+ b = s[1];
+ c = s[2];
+ d = s[3];
+ e = s[4];
+ f = s[5];
+ g = s[6];
+ h = s[7];
+
+ for(wp = w; wp < &w[16]; wp++, p += 8)
+ wp[0] = ((vlong)p[0])<<56 | ((vlong)p[1])<<48 |
+ ((vlong)p[2])<<40 | ((vlong)p[3])<<32 |
+ p[4] << 24 | p[5] << 16 | p[6] << 8 | p[7];
+ for(; wp < &w[80]; wp++) {
+ u64int s0, s1;
+
+ s0 = sigma0(wp[-15]);
+ s1 = sigma1(wp[-2]);
+// wp[0] = sigma1(wp[-2]) + wp[-7] + sigma0(wp[-15]) + wp[-16];
+ wp[0] = s1 + wp[-7] + s0 + wp[-16];
+ }
+
+ for(kp = K512, wp = w; wp < &w[80]; ) {
+ t1 = h + SIGMA1(e) + Ch(e,f,g) + *kp++ + *wp++;
+ t2 = SIGMA0(a) + Maj(a,b,c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + t1;
+ d = c;
+ c = b;
+ b = a;
+ a = t1 + t2;
+ }
+
+ /* save state */
+ s[0] += a;
+ s[1] += b;
+ s[2] += c;
+ s[3] += d;
+ s[4] += e;
+ s[5] += f;
+ s[6] += g;
+ s[7] += h;
+ }
+}
--- /dev/null
+++ b/libsec/sha2block64.c
@@ -1,0 +1,92 @@
+/*
+ * sha2_256 block cipher
+ *
+ * Implementation straight from Federal Information Processing Standards
+ * publication 180-2 (+Change Notice to include SHA-224) August 1, 2002
+ * note: the following upper and lower case macro names are distinct
+ * and reflect the functions defined in FIPS pub. 180-2.
+ */
+
+#include <u.h>
+#include <libc.h>
+
+#define ROTR(x,n) (((x) >> (n)) | ((x) << (32-(n))))
+#define sigma0(x) (ROTR((x),7) ^ ROTR((x),18) ^ ((x) >> 3))
+#define sigma1(x) (ROTR((x),17) ^ ROTR((x),19) ^ ((x) >> 10))
+#define SIGMA0(x) (ROTR((x),2) ^ ROTR((x),13) ^ ROTR((x),22))
+#define SIGMA1(x) (ROTR((x),6) ^ ROTR((x),11) ^ ROTR((x),25))
+#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+/*
+ * first 32 bits of the fractional parts of cube roots of
+ * first 64 primes (2..311).
+ */
+static u32int K256[64] = {
+ 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,
+ 0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
+ 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,
+ 0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
+ 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,
+ 0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
+ 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,
+ 0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
+ 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,
+ 0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
+ 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,
+ 0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
+ 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,
+ 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
+ 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,
+ 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
+};
+
+void
+_sha2block64(uchar *p, ulong len, u32int *s)
+{
+ u32int a, b, c, d, e, f, g, h, t1, t2;
+ u32int *kp, *wp;
+ u32int w[64];
+ uchar *end;
+
+ /* at this point, we have a multiple of 64 bytes */
+ for(end = p+len; p < end;){
+ a = s[0];
+ b = s[1];
+ c = s[2];
+ d = s[3];
+ e = s[4];
+ f = s[5];
+ g = s[6];
+ h = s[7];
+
+ for(wp = w; wp < &w[16]; wp++, p += 4)
+ wp[0] = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
+ for(; wp < &w[64]; wp++)
+ wp[0] = sigma1(wp[-2]) + wp[-7] +
+ sigma0(wp[-15]) + wp[-16];
+
+ for(kp = K256, wp = w; wp < &w[64]; ) {
+ t1 = h + SIGMA1(e) + Ch(e,f,g) + *kp++ + *wp++;
+ t2 = SIGMA0(a) + Maj(a,b,c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + t1;
+ d = c;
+ c = b;
+ b = a;
+ a = t1 + t2;
+ }
+
+ /* save state */
+ s[0] += a;
+ s[1] += b;
+ s[2] += c;
+ s[3] += d;
+ s[4] += e;
+ s[5] += f;
+ s[6] += g;
+ s[7] += h;
+ }
+}
--- a/libsec/smallprimetest.c
+++ /dev/null
@@ -1,1039 +1,0 @@
-#include "os.h"
-#include <mp.h>
-#include <libsec.h>
-
-static ulong smallprimes[] = {
- 2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
- 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
- 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
- 127, 131, 137, 139, 149, 151, 157, 163, 167, 173,
- 179, 181, 191, 193, 197, 199, 211, 223, 227, 229,
- 233, 239, 241, 251, 257, 263, 269, 271, 277, 281,
- 283, 293, 307, 311, 313, 317, 331, 337, 347, 349,
- 353, 359, 367, 373, 379, 383, 389, 397, 401, 409,
- 419, 421, 431, 433, 439, 443, 449, 457, 461, 463,
- 467, 479, 487, 491, 499, 503, 509, 521, 523, 541,
- 547, 557, 563, 569, 571, 577, 587, 593, 599, 601,
- 607, 613, 617, 619, 631, 641, 643, 647, 653, 659,
- 661, 673, 677, 683, 691, 701, 709, 719, 727, 733,
- 739, 743, 751, 757, 761, 769, 773, 787, 797, 809,
- 811, 821, 823, 827, 829, 839, 853, 857, 859, 863,
- 877, 881, 883, 887, 907, 911, 919, 929, 937, 941,
- 947, 953, 967, 971, 977, 983, 991, 997, 1009, 1013,
- 1019, 1021, 1031, 1033, 1039, 1049, 1051, 1061, 1063, 1069,
- 1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151,
- 1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223,
- 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289, 1291,
- 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373,
- 1381, 1399, 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451,
- 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511,
- 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583,
- 1597, 1601, 1607, 1609, 1613, 1619, 1621, 1627, 1637, 1657,
- 1663, 1667, 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733,
- 1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811,
- 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, 1879, 1889,
- 1901, 1907, 1913, 1931, 1933, 1949, 1951, 1973, 1979, 1987,
- 1993, 1997, 1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053,
- 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129,
- 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213,
- 2221, 2237, 2239, 2243, 2251, 2267, 2269, 2273, 2281, 2287,
- 2293, 2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357,
- 2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423,
- 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, 2521, 2531,
- 2539, 2543, 2549, 2551, 2557, 2579, 2591, 2593, 2609, 2617,
- 2621, 2633, 2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687,
- 2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741,
- 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801, 2803, 2819,
- 2833, 2837, 2843, 2851, 2857, 2861, 2879, 2887, 2897, 2903,
- 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999,
- 3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079,
- 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169, 3181,
- 3187, 3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257,
- 3259, 3271, 3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331,
- 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413,
- 3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491, 3499, 3511,
- 3517, 3527, 3529, 3533, 3539, 3541, 3547, 3557, 3559, 3571,
- 3581, 3583, 3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643,
- 3659, 3671, 3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727,
- 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, 3803, 3821,
- 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889, 3907,
- 3911, 3917, 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
- 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057,
- 4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139,
- 4153, 4157, 4159, 4177, 4201, 4211, 4217, 4219, 4229, 4231,
- 4241, 4243, 4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297,
- 4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409,
- 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, 4483, 4493,
- 4507, 4513, 4517, 4519, 4523, 4547, 4549, 4561, 4567, 4583,
- 4591, 4597, 4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657,
- 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751,
- 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817, 4831,
- 4861, 4871, 4877, 4889, 4903, 4909, 4919, 4931, 4933, 4937,
- 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003,
- 5009, 5011, 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087,
- 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, 5171, 5179,
- 5189, 5197, 5209, 5227, 5231, 5233, 5237, 5261, 5273, 5279,
- 5281, 5297, 5303, 5309, 5323, 5333, 5347, 5351, 5381, 5387,
- 5393, 5399, 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443,
- 5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507, 5519, 5521,
- 5527, 5531, 5557, 5563, 5569, 5573, 5581, 5591, 5623, 5639,
- 5641, 5647, 5651, 5653, 5657, 5659, 5669, 5683, 5689, 5693,
- 5701, 5711, 5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791,
- 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851, 5857,
- 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939,
- 5953, 5981, 5987, 6007, 6011, 6029, 6037, 6043, 6047, 6053,
- 6067, 6073, 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133,
- 6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211, 6217, 6221,
- 6229, 6247, 6257, 6263, 6269, 6271, 6277, 6287, 6299, 6301,
- 6311, 6317, 6323, 6329, 6337, 6343, 6353, 6359, 6361, 6367,
- 6373, 6379, 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473,
- 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, 6569, 6571,
- 6577, 6581, 6599, 6607, 6619, 6637, 6653, 6659, 6661, 6673,
- 6679, 6689, 6691, 6701, 6703, 6709, 6719, 6733, 6737, 6761,
- 6763, 6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833,
- 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917,
- 6947, 6949, 6959, 6961, 6967, 6971, 6977, 6983, 6991, 6997,
- 7001, 7013, 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103,
- 7109, 7121, 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207,
- 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, 7283, 7297,
- 7307, 7309, 7321, 7331, 7333, 7349, 7351, 7369, 7393, 7411,
- 7417, 7433, 7451, 7457, 7459, 7477, 7481, 7487, 7489, 7499,
- 7507, 7517, 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561,
- 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621, 7639, 7643,
- 7649, 7669, 7673, 7681, 7687, 7691, 7699, 7703, 7717, 7723,
- 7727, 7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829,
- 7841, 7853, 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919,
- 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011, 8017,
- 8039, 8053, 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111,
- 8117, 8123, 8147, 8161, 8167, 8171, 8179, 8191, 8209, 8219,
- 8221, 8231, 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291,
- 8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369, 8377, 8387,
- 8389, 8419, 8423, 8429, 8431, 8443, 8447, 8461, 8467, 8501,
- 8513, 8521, 8527, 8537, 8539, 8543, 8563, 8573, 8581, 8597,
- 8599, 8609, 8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677,
- 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737, 8741,
- 8747, 8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831,
- 8837, 8839, 8849, 8861, 8863, 8867, 8887, 8893, 8923, 8929,
- 8933, 8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011,
- 9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109,
- 9127, 9133, 9137, 9151, 9157, 9161, 9173, 9181, 9187, 9199,
- 9203, 9209, 9221, 9227, 9239, 9241, 9257, 9277, 9281, 9283,
- 9293, 9311, 9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377,
- 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, 9437, 9439,
- 9461, 9463, 9467, 9473, 9479, 9491, 9497, 9511, 9521, 9533,
- 9539, 9547, 9551, 9587, 9601, 9613, 9619, 9623, 9629, 9631,
- 9643, 9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733,
- 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811,
- 9817, 9829, 9833, 9839, 9851, 9857, 9859, 9871, 9883, 9887,
- 9901, 9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007,
- 10009, 10037, 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099,
- 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, 10169, 10177,
- 10181, 10193, 10211, 10223, 10243, 10247, 10253, 10259, 10267, 10271,
- 10273, 10289, 10301, 10303, 10313, 10321, 10331, 10333, 10337, 10343,
- 10357, 10369, 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459,
- 10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531, 10559, 10567,
- 10589, 10597, 10601, 10607, 10613, 10627, 10631, 10639, 10651, 10657,
- 10663, 10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733, 10739,
- 10753, 10771, 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859,
- 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 10939, 10949,
- 10957, 10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059,
- 11069, 11071, 11083, 11087, 11093, 11113, 11117, 11119, 11131, 11149,
- 11159, 11161, 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251,
- 11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317, 11321, 11329,
- 11351, 11353, 11369, 11383, 11393, 11399, 11411, 11423, 11437, 11443,
- 11447, 11467, 11471, 11483, 11489, 11491, 11497, 11503, 11519, 11527,
- 11549, 11551, 11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657,
- 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, 11743, 11777,
- 11779, 11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831, 11833,
- 11839, 11863, 11867, 11887, 11897, 11903, 11909, 11923, 11927, 11933,
- 11939, 11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011,
- 12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109,
- 12113, 12119, 12143, 12149, 12157, 12161, 12163, 12197, 12203, 12211,
- 12227, 12239, 12241, 12251, 12253, 12263, 12269, 12277, 12281, 12289,
- 12301, 12323, 12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401,
- 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, 12479, 12487,
- 12491, 12497, 12503, 12511, 12517, 12527, 12539, 12541, 12547, 12553,
- 12569, 12577, 12583, 12589, 12601, 12611, 12613, 12619, 12637, 12641,
- 12647, 12653, 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739,
- 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823, 12829,
- 12841, 12853, 12889, 12893, 12899, 12907, 12911, 12917, 12919, 12923,
- 12941, 12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007,
- 13009, 13033, 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109,
- 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, 13183, 13187,
- 13217, 13219, 13229, 13241, 13249, 13259, 13267, 13291, 13297, 13309,
- 13313, 13327, 13331, 13337, 13339, 13367, 13381, 13397, 13399, 13411,
- 13417, 13421, 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499,
- 13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597, 13613, 13619,
- 13627, 13633, 13649, 13669, 13679, 13681, 13687, 13691, 13693, 13697,
- 13709, 13711, 13721, 13723, 13729, 13751, 13757, 13759, 13763, 13781,
- 13789, 13799, 13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879,
- 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963, 13967,
- 13997, 13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081,
- 14083, 14087, 14107, 14143, 14149, 14153, 14159, 14173, 14177, 14197,
- 14207, 14221, 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323,
- 14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407, 14411, 14419,
- 14423, 14431, 14437, 14447, 14449, 14461, 14479, 14489, 14503, 14519,
- 14533, 14537, 14543, 14549, 14551, 14557, 14561, 14563, 14591, 14593,
- 14621, 14627, 14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699,
- 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, 14759, 14767,
- 14771, 14779, 14783, 14797, 14813, 14821, 14827, 14831, 14843, 14851,
- 14867, 14869, 14879, 14887, 14891, 14897, 14923, 14929, 14939, 14947,
- 14951, 14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073,
- 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149,
- 15161, 15173, 15187, 15193, 15199, 15217, 15227, 15233, 15241, 15259,
- 15263, 15269, 15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319,
- 15329, 15331, 15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401,
- 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, 15493, 15497,
- 15511, 15527, 15541, 15551, 15559, 15569, 15581, 15583, 15601, 15607,
- 15619, 15629, 15641, 15643, 15647, 15649, 15661, 15667, 15671, 15679,
- 15683, 15727, 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773,
- 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859, 15877, 15881,
- 15887, 15889, 15901, 15907, 15913, 15919, 15923, 15937, 15959, 15971,
- 15973, 15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069,
- 16073, 16087, 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183,
- 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, 16253, 16267,
- 16273, 16301, 16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381,
- 16411, 16417, 16421, 16427, 16433, 16447, 16451, 16453, 16477, 16481,
- 16487, 16493, 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603,
- 16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661, 16673, 16691,
- 16693, 16699, 16703, 16729, 16741, 16747, 16759, 16763, 16787, 16811,
- 16823, 16829, 16831, 16843, 16871, 16879, 16883, 16889, 16901, 16903,
- 16921, 16927, 16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993,
- 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077, 17093,
- 17099, 17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191,
- 17203, 17207, 17209, 17231, 17239, 17257, 17291, 17293, 17299, 17317,
- 17321, 17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389,
- 17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477,
- 17483, 17489, 17491, 17497, 17509, 17519, 17539, 17551, 17569, 17573,
- 17579, 17581, 17597, 17599, 17609, 17623, 17627, 17657, 17659, 17669,
- 17681, 17683, 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783,
- 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, 17881, 17891,
- 17903, 17909, 17911, 17921, 17923, 17929, 17939, 17957, 17959, 17971,
- 17977, 17981, 17987, 17989, 18013, 18041, 18043, 18047, 18049, 18059,
- 18061, 18077, 18089, 18097, 18119, 18121, 18127, 18131, 18133, 18143,
- 18149, 18169, 18181, 18191, 18199, 18211, 18217, 18223, 18229, 18233,
- 18251, 18253, 18257, 18269, 18287, 18289, 18301, 18307, 18311, 18313,
- 18329, 18341, 18353, 18367, 18371, 18379, 18397, 18401, 18413, 18427,
- 18433, 18439, 18443, 18451, 18457, 18461, 18481, 18493, 18503, 18517,
- 18521, 18523, 18539, 18541, 18553, 18583, 18587, 18593, 18617, 18637,
- 18661, 18671, 18679, 18691, 18701, 18713, 18719, 18731, 18743, 18749,
- 18757, 18773, 18787, 18793, 18797, 18803, 18839, 18859, 18869, 18899,
- 18911, 18913, 18917, 18919, 18947, 18959, 18973, 18979, 19001, 19009,
- 19013, 19031, 19037, 19051, 19069, 19073, 19079, 19081, 19087, 19121,
- 19139, 19141, 19157, 19163, 19181, 19183, 19207, 19211, 19213, 19219,
- 19231, 19237, 19249, 19259, 19267, 19273, 19289, 19301, 19309, 19319,
- 19333, 19373, 19379, 19381, 19387, 19391, 19403, 19417, 19421, 19423,
- 19427, 19429, 19433, 19441, 19447, 19457, 19463, 19469, 19471, 19477,
- 19483, 19489, 19501, 19507, 19531, 19541, 19543, 19553, 19559, 19571,
- 19577, 19583, 19597, 19603, 19609, 19661, 19681, 19687, 19697, 19699,
- 19709, 19717, 19727, 19739, 19751, 19753, 19759, 19763, 19777, 19793,
- 19801, 19813, 19819, 19841, 19843, 19853, 19861, 19867, 19889, 19891,
- 19913, 19919, 19927, 19937, 19949, 19961, 19963, 19973, 19979, 19991,
- 19993, 19997, 20011, 20021, 20023, 20029, 20047, 20051, 20063, 20071,
- 20089, 20101, 20107, 20113, 20117, 20123, 20129, 20143, 20147, 20149,
- 20161, 20173, 20177, 20183, 20201, 20219, 20231, 20233, 20249, 20261,
- 20269, 20287, 20297, 20323, 20327, 20333, 20341, 20347, 20353, 20357,
- 20359, 20369, 20389, 20393, 20399, 20407, 20411, 20431, 20441, 20443,
- 20477, 20479, 20483, 20507, 20509, 20521, 20533, 20543, 20549, 20551,
- 20563, 20593, 20599, 20611, 20627, 20639, 20641, 20663, 20681, 20693,
- 20707, 20717, 20719, 20731, 20743, 20747, 20749, 20753, 20759, 20771,
- 20773, 20789, 20807, 20809, 20849, 20857, 20873, 20879, 20887, 20897,
- 20899, 20903, 20921, 20929, 20939, 20947, 20959, 20963, 20981, 20983,
- 21001, 21011, 21013, 21017, 21019, 21023, 21031, 21059, 21061, 21067,
- 21089, 21101, 21107, 21121, 21139, 21143, 21149, 21157, 21163, 21169,
- 21179, 21187, 21191, 21193, 21211, 21221, 21227, 21247, 21269, 21277,
- 21283, 21313, 21317, 21319, 21323, 21341, 21347, 21377, 21379, 21383,
- 21391, 21397, 21401, 21407, 21419, 21433, 21467, 21481, 21487, 21491,
- 21493, 21499, 21503, 21517, 21521, 21523, 21529, 21557, 21559, 21563,
- 21569, 21577, 21587, 21589, 21599, 21601, 21611, 21613, 21617, 21647,
- 21649, 21661, 21673, 21683, 21701, 21713, 21727, 21737, 21739, 21751,
- 21757, 21767, 21773, 21787, 21799, 21803, 21817, 21821, 21839, 21841,
- 21851, 21859, 21863, 21871, 21881, 21893, 21911, 21929, 21937, 21943,
- 21961, 21977, 21991, 21997, 22003, 22013, 22027, 22031, 22037, 22039,
- 22051, 22063, 22067, 22073, 22079, 22091, 22093, 22109, 22111, 22123,
- 22129, 22133, 22147, 22153, 22157, 22159, 22171, 22189, 22193, 22229,
- 22247, 22259, 22271, 22273, 22277, 22279, 22283, 22291, 22303, 22307,
- 22343, 22349, 22367, 22369, 22381, 22391, 22397, 22409, 22433, 22441,
- 22447, 22453, 22469, 22481, 22483, 22501, 22511, 22531, 22541, 22543,
- 22549, 22567, 22571, 22573, 22613, 22619, 22621, 22637, 22639, 22643,
- 22651, 22669, 22679, 22691, 22697, 22699, 22709, 22717, 22721, 22727,
- 22739, 22741, 22751, 22769, 22777, 22783, 22787, 22807, 22811, 22817,
- 22853, 22859, 22861, 22871, 22877, 22901, 22907, 22921, 22937, 22943,
- 22961, 22963, 22973, 22993, 23003, 23011, 23017, 23021, 23027, 23029,
- 23039, 23041, 23053, 23057, 23059, 23063, 23071, 23081, 23087, 23099,
- 23117, 23131, 23143, 23159, 23167, 23173, 23189, 23197, 23201, 23203,
- 23209, 23227, 23251, 23269, 23279, 23291, 23293, 23297, 23311, 23321,
- 23327, 23333, 23339, 23357, 23369, 23371, 23399, 23417, 23431, 23447,
- 23459, 23473, 23497, 23509, 23531, 23537, 23539, 23549, 23557, 23561,
- 23563, 23567, 23581, 23593, 23599, 23603, 23609, 23623, 23627, 23629,
- 23633, 23663, 23669, 23671, 23677, 23687, 23689, 23719, 23741, 23743,
- 23747, 23753, 23761, 23767, 23773, 23789, 23801, 23813, 23819, 23827,
- 23831, 23833, 23857, 23869, 23873, 23879, 23887, 23893, 23899, 23909,
- 23911, 23917, 23929, 23957, 23971, 23977, 23981, 23993, 24001, 24007,
- 24019, 24023, 24029, 24043, 24049, 24061, 24071, 24077, 24083, 24091,
- 24097, 24103, 24107, 24109, 24113, 24121, 24133, 24137, 24151, 24169,
- 24179, 24181, 24197, 24203, 24223, 24229, 24239, 24247, 24251, 24281,
- 24317, 24329, 24337, 24359, 24371, 24373, 24379, 24391, 24407, 24413,
- 24419, 24421, 24439, 24443, 24469, 24473, 24481, 24499, 24509, 24517,
- 24527, 24533, 24547, 24551, 24571, 24593, 24611, 24623, 24631, 24659,
- 24671, 24677, 24683, 24691, 24697, 24709, 24733, 24749, 24763, 24767,
- 24781, 24793, 24799, 24809, 24821, 24841, 24847, 24851, 24859, 24877,
- 24889, 24907, 24917, 24919, 24923, 24943, 24953, 24967, 24971, 24977,
- 24979, 24989, 25013, 25031, 25033, 25037, 25057, 25073, 25087, 25097,
- 25111, 25117, 25121, 25127, 25147, 25153, 25163, 25169, 25171, 25183,
- 25189, 25219, 25229, 25237, 25243, 25247, 25253, 25261, 25301, 25303,
- 25307, 25309, 25321, 25339, 25343, 25349, 25357, 25367, 25373, 25391,
- 25409, 25411, 25423, 25439, 25447, 25453, 25457, 25463, 25469, 25471,
- 25523, 25537, 25541, 25561, 25577, 25579, 25583, 25589, 25601, 25603,
- 25609, 25621, 25633, 25639, 25643, 25657, 25667, 25673, 25679, 25693,
- 25703, 25717, 25733, 25741, 25747, 25759, 25763, 25771, 25793, 25799,
- 25801, 25819, 25841, 25847, 25849, 25867, 25873, 25889, 25903, 25913,
- 25919, 25931, 25933, 25939, 25943, 25951, 25969, 25981, 25997, 25999,
- 26003, 26017, 26021, 26029, 26041, 26053, 26083, 26099, 26107, 26111,
- 26113, 26119, 26141, 26153, 26161, 26171, 26177, 26183, 26189, 26203,
- 26209, 26227, 26237, 26249, 26251, 26261, 26263, 26267, 26293, 26297,
- 26309, 26317, 26321, 26339, 26347, 26357, 26371, 26387, 26393, 26399,
- 26407, 26417, 26423, 26431, 26437, 26449, 26459, 26479, 26489, 26497,
- 26501, 26513, 26539, 26557, 26561, 26573, 26591, 26597, 26627, 26633,
- 26641, 26647, 26669, 26681, 26683, 26687, 26693, 26699, 26701, 26711,
- 26713, 26717, 26723, 26729, 26731, 26737, 26759, 26777, 26783, 26801,
- 26813, 26821, 26833, 26839, 26849, 26861, 26863, 26879, 26881, 26891,
- 26893, 26903, 26921, 26927, 26947, 26951, 26953, 26959, 26981, 26987,
- 26993, 27011, 27017, 27031, 27043, 27059, 27061, 27067, 27073, 27077,
- 27091, 27103, 27107, 27109, 27127, 27143, 27179, 27191, 27197, 27211,
- 27239, 27241, 27253, 27259, 27271, 27277, 27281, 27283, 27299, 27329,
- 27337, 27361, 27367, 27397, 27407, 27409, 27427, 27431, 27437, 27449,
- 27457, 27479, 27481, 27487, 27509, 27527, 27529, 27539, 27541, 27551,
- 27581, 27583, 27611, 27617, 27631, 27647, 27653, 27673, 27689, 27691,
- 27697, 27701, 27733, 27737, 27739, 27743, 27749, 27751, 27763, 27767,
- 27773, 27779, 27791, 27793, 27799, 27803, 27809, 27817, 27823, 27827,
- 27847, 27851, 27883, 27893, 27901, 27917, 27919, 27941, 27943, 27947,
- 27953, 27961, 27967, 27983, 27997, 28001, 28019, 28027, 28031, 28051,
- 28057, 28069, 28081, 28087, 28097, 28099, 28109, 28111, 28123, 28151,
- 28163, 28181, 28183, 28201, 28211, 28219, 28229, 28277, 28279, 28283,
- 28289, 28297, 28307, 28309, 28319, 28349, 28351, 28387, 28393, 28403,
- 28409, 28411, 28429, 28433, 28439, 28447, 28463, 28477, 28493, 28499,
- 28513, 28517, 28537, 28541, 28547, 28549, 28559, 28571, 28573, 28579,
- 28591, 28597, 28603, 28607, 28619, 28621, 28627, 28631, 28643, 28649,
- 28657, 28661, 28663, 28669, 28687, 28697, 28703, 28711, 28723, 28729,
- 28751, 28753, 28759, 28771, 28789, 28793, 28807, 28813, 28817, 28837,
- 28843, 28859, 28867, 28871, 28879, 28901, 28909, 28921, 28927, 28933,
- 28949, 28961, 28979, 29009, 29017, 29021, 29023, 29027, 29033, 29059,
- 29063, 29077, 29101, 29123, 29129, 29131, 29137, 29147, 29153, 29167,
- 29173, 29179, 29191, 29201, 29207, 29209, 29221, 29231, 29243, 29251,
- 29269, 29287, 29297, 29303, 29311, 29327, 29333, 29339, 29347, 29363,
- 29383, 29387, 29389, 29399, 29401, 29411, 29423, 29429, 29437, 29443,
- 29453, 29473, 29483, 29501, 29527, 29531, 29537, 29567, 29569, 29573,
- 29581, 29587, 29599, 29611, 29629, 29633, 29641, 29663, 29669, 29671,
- 29683, 29717, 29723, 29741, 29753, 29759, 29761, 29789, 29803, 29819,
- 29833, 29837, 29851, 29863, 29867, 29873, 29879, 29881, 29917, 29921,
- 29927, 29947, 29959, 29983, 29989, 30011, 30013, 30029, 30047, 30059,
- 30071, 30089, 30091, 30097, 30103, 30109, 30113, 30119, 30133, 30137,
- 30139, 30161, 30169, 30181, 30187, 30197, 30203, 30211, 30223, 30241,
- 30253, 30259, 30269, 30271, 30293, 30307, 30313, 30319, 30323, 30341,
- 30347, 30367, 30389, 30391, 30403, 30427, 30431, 30449, 30467, 30469,
- 30491, 30493, 30497, 30509, 30517, 30529, 30539, 30553, 30557, 30559,
- 30577, 30593, 30631, 30637, 30643, 30649, 30661, 30671, 30677, 30689,
- 30697, 30703, 30707, 30713, 30727, 30757, 30763, 30773, 30781, 30803,
- 30809, 30817, 30829, 30839, 30841, 30851, 30853, 30859, 30869, 30871,
- 30881, 30893, 30911, 30931, 30937, 30941, 30949, 30971, 30977, 30983,
- 31013, 31019, 31033, 31039, 31051, 31063, 31069, 31079, 31081, 31091,
- 31121, 31123, 31139, 31147, 31151, 31153, 31159, 31177, 31181, 31183,
- 31189, 31193, 31219, 31223, 31231, 31237, 31247, 31249, 31253, 31259,
- 31267, 31271, 31277, 31307, 31319, 31321, 31327, 31333, 31337, 31357,
- 31379, 31387, 31391, 31393, 31397, 31469, 31477, 31481, 31489, 31511,
- 31513, 31517, 31531, 31541, 31543, 31547, 31567, 31573, 31583, 31601,
- 31607, 31627, 31643, 31649, 31657, 31663, 31667, 31687, 31699, 31721,
- 31723, 31727, 31729, 31741, 31751, 31769, 31771, 31793, 31799, 31817,
- 31847, 31849, 31859, 31873, 31883, 31891, 31907, 31957, 31963, 31973,
- 31981, 31991, 32003, 32009, 32027, 32029, 32051, 32057, 32059, 32063,
- 32069, 32077, 32083, 32089, 32099, 32117, 32119, 32141, 32143, 32159,
- 32173, 32183, 32189, 32191, 32203, 32213, 32233, 32237, 32251, 32257,
- 32261, 32297, 32299, 32303, 32309, 32321, 32323, 32327, 32341, 32353,
- 32359, 32363, 32369, 32371, 32377, 32381, 32401, 32411, 32413, 32423,
- 32429, 32441, 32443, 32467, 32479, 32491, 32497, 32503, 32507, 32531,
- 32533, 32537, 32561, 32563, 32569, 32573, 32579, 32587, 32603, 32609,
- 32611, 32621, 32633, 32647, 32653, 32687, 32693, 32707, 32713, 32717,
- 32719, 32749, 32771, 32779, 32783, 32789, 32797, 32801, 32803, 32831,
- 32833, 32839, 32843, 32869, 32887, 32909, 32911, 32917, 32933, 32939,
- 32941, 32957, 32969, 32971, 32983, 32987, 32993, 32999, 33013, 33023,
- 33029, 33037, 33049, 33053, 33071, 33073, 33083, 33091, 33107, 33113,
- 33119, 33149, 33151, 33161, 33179, 33181, 33191, 33199, 33203, 33211,
- 33223, 33247, 33287, 33289, 33301, 33311, 33317, 33329, 33331, 33343,
- 33347, 33349, 33353, 33359, 33377, 33391, 33403, 33409, 33413, 33427,
- 33457, 33461, 33469, 33479, 33487, 33493, 33503, 33521, 33529, 33533,
- 33547, 33563, 33569, 33577, 33581, 33587, 33589, 33599, 33601, 33613,
- 33617, 33619, 33623, 33629, 33637, 33641, 33647, 33679, 33703, 33713,
- 33721, 33739, 33749, 33751, 33757, 33767, 33769, 33773, 33791, 33797,
- 33809, 33811, 33827, 33829, 33851, 33857, 33863, 33871, 33889, 33893,
- 33911, 33923, 33931, 33937, 33941, 33961, 33967, 33997, 34019, 34031,
- 34033, 34039, 34057, 34061, 34123, 34127, 34129, 34141, 34147, 34157,
- 34159, 34171, 34183, 34211, 34213, 34217, 34231, 34253, 34259, 34261,
- 34267, 34273, 34283, 34297, 34301, 34303, 34313, 34319, 34327, 34337,
- 34351, 34361, 34367, 34369, 34381, 34403, 34421, 34429, 34439, 34457,
- 34469, 34471, 34483, 34487, 34499, 34501, 34511, 34513, 34519, 34537,
- 34543, 34549, 34583, 34589, 34591, 34603, 34607, 34613, 34631, 34649,
- 34651, 34667, 34673, 34679, 34687, 34693, 34703, 34721, 34729, 34739,
- 34747, 34757, 34759, 34763, 34781, 34807, 34819, 34841, 34843, 34847,
- 34849, 34871, 34877, 34883, 34897, 34913, 34919, 34939, 34949, 34961,
- 34963, 34981, 35023, 35027, 35051, 35053, 35059, 35069, 35081, 35083,
- 35089, 35099, 35107, 35111, 35117, 35129, 35141, 35149, 35153, 35159,
- 35171, 35201, 35221, 35227, 35251, 35257, 35267, 35279, 35281, 35291,
- 35311, 35317, 35323, 35327, 35339, 35353, 35363, 35381, 35393, 35401,
- 35407, 35419, 35423, 35437, 35447, 35449, 35461, 35491, 35507, 35509,
- 35521, 35527, 35531, 35533, 35537, 35543, 35569, 35573, 35591, 35593,
- 35597, 35603, 35617, 35671, 35677, 35729, 35731, 35747, 35753, 35759,
- 35771, 35797, 35801, 35803, 35809, 35831, 35837, 35839, 35851, 35863,
- 35869, 35879, 35897, 35899, 35911, 35923, 35933, 35951, 35963, 35969,
- 35977, 35983, 35993, 35999, 36007, 36011, 36013, 36017, 36037, 36061,
- 36067, 36073, 36083, 36097, 36107, 36109, 36131, 36137, 36151, 36161,
- 36187, 36191, 36209, 36217, 36229, 36241, 36251, 36263, 36269, 36277,
- 36293, 36299, 36307, 36313, 36319, 36341, 36343, 36353, 36373, 36383,
- 36389, 36433, 36451, 36457, 36467, 36469, 36473, 36479, 36493, 36497,
- 36523, 36527, 36529, 36541, 36551, 36559, 36563, 36571, 36583, 36587,
- 36599, 36607, 36629, 36637, 36643, 36653, 36671, 36677, 36683, 36691,
- 36697, 36709, 36713, 36721, 36739, 36749, 36761, 36767, 36779, 36781,
- 36787, 36791, 36793, 36809, 36821, 36833, 36847, 36857, 36871, 36877,
- 36887, 36899, 36901, 36913, 36919, 36923, 36929, 36931, 36943, 36947,
- 36973, 36979, 36997, 37003, 37013, 37019, 37021, 37039, 37049, 37057,
- 37061, 37087, 37097, 37117, 37123, 37139, 37159, 37171, 37181, 37189,
- 37199, 37201, 37217, 37223, 37243, 37253, 37273, 37277, 37307, 37309,
- 37313, 37321, 37337, 37339, 37357, 37361, 37363, 37369, 37379, 37397,
- 37409, 37423, 37441, 37447, 37463, 37483, 37489, 37493, 37501, 37507,
- 37511, 37517, 37529, 37537, 37547, 37549, 37561, 37567, 37571, 37573,
- 37579, 37589, 37591, 37607, 37619, 37633, 37643, 37649, 37657, 37663,
- 37691, 37693, 37699, 37717, 37747, 37781, 37783, 37799, 37811, 37813,
- 37831, 37847, 37853, 37861, 37871, 37879, 37889, 37897, 37907, 37951,
- 37957, 37963, 37967, 37987, 37991, 37993, 37997, 38011, 38039, 38047,
- 38053, 38069, 38083, 38113, 38119, 38149, 38153, 38167, 38177, 38183,
- 38189, 38197, 38201, 38219, 38231, 38237, 38239, 38261, 38273, 38281,
- 38287, 38299, 38303, 38317, 38321, 38327, 38329, 38333, 38351, 38371,
- 38377, 38393, 38431, 38447, 38449, 38453, 38459, 38461, 38501, 38543,
- 38557, 38561, 38567, 38569, 38593, 38603, 38609, 38611, 38629, 38639,
- 38651, 38653, 38669, 38671, 38677, 38693, 38699, 38707, 38711, 38713,
- 38723, 38729, 38737, 38747, 38749, 38767, 38783, 38791, 38803, 38821,
- 38833, 38839, 38851, 38861, 38867, 38873, 38891, 38903, 38917, 38921,
- 38923, 38933, 38953, 38959, 38971, 38977, 38993, 39019, 39023, 39041,
- 39043, 39047, 39079, 39089, 39097, 39103, 39107, 39113, 39119, 39133,
- 39139, 39157, 39161, 39163, 39181, 39191, 39199, 39209, 39217, 39227,
- 39229, 39233, 39239, 39241, 39251, 39293, 39301, 39313, 39317, 39323,
- 39341, 39343, 39359, 39367, 39371, 39373, 39383, 39397, 39409, 39419,
- 39439, 39443, 39451, 39461, 39499, 39503, 39509, 39511, 39521, 39541,
- 39551, 39563, 39569, 39581, 39607, 39619, 39623, 39631, 39659, 39667,
- 39671, 39679, 39703, 39709, 39719, 39727, 39733, 39749, 39761, 39769,
- 39779, 39791, 39799, 39821, 39827, 39829, 39839, 39841, 39847, 39857,
- 39863, 39869, 39877, 39883, 39887, 39901, 39929, 39937, 39953, 39971,
- 39979, 39983, 39989, 40009, 40013, 40031, 40037, 40039, 40063, 40087,
- 40093, 40099, 40111, 40123, 40127, 40129, 40151, 40153, 40163, 40169,
- 40177, 40189, 40193, 40213, 40231, 40237, 40241, 40253, 40277, 40283,
- 40289, 40343, 40351, 40357, 40361, 40387, 40423, 40427, 40429, 40433,
- 40459, 40471, 40483, 40487, 40493, 40499, 40507, 40519, 40529, 40531,
- 40543, 40559, 40577, 40583, 40591, 40597, 40609, 40627, 40637, 40639,
- 40693, 40697, 40699, 40709, 40739, 40751, 40759, 40763, 40771, 40787,
- 40801, 40813, 40819, 40823, 40829, 40841, 40847, 40849, 40853, 40867,
- 40879, 40883, 40897, 40903, 40927, 40933, 40939, 40949, 40961, 40973,
- 40993, 41011, 41017, 41023, 41039, 41047, 41051, 41057, 41077, 41081,
- 41113, 41117, 41131, 41141, 41143, 41149, 41161, 41177, 41179, 41183,
- 41189, 41201, 41203, 41213, 41221, 41227, 41231, 41233, 41243, 41257,
- 41263, 41269, 41281, 41299, 41333, 41341, 41351, 41357, 41381, 41387,
- 41389, 41399, 41411, 41413, 41443, 41453, 41467, 41479, 41491, 41507,
- 41513, 41519, 41521, 41539, 41543, 41549, 41579, 41593, 41597, 41603,
- 41609, 41611, 41617, 41621, 41627, 41641, 41647, 41651, 41659, 41669,
- 41681, 41687, 41719, 41729, 41737, 41759, 41761, 41771, 41777, 41801,
- 41809, 41813, 41843, 41849, 41851, 41863, 41879, 41887, 41893, 41897,
- 41903, 41911, 41927, 41941, 41947, 41953, 41957, 41959, 41969, 41981,
- 41983, 41999, 42013, 42017, 42019, 42023, 42043, 42061, 42071, 42073,
- 42083, 42089, 42101, 42131, 42139, 42157, 42169, 42179, 42181, 42187,
- 42193, 42197, 42209, 42221, 42223, 42227, 42239, 42257, 42281, 42283,
- 42293, 42299, 42307, 42323, 42331, 42337, 42349, 42359, 42373, 42379,
- 42391, 42397, 42403, 42407, 42409, 42433, 42437, 42443, 42451, 42457,
- 42461, 42463, 42467, 42473, 42487, 42491, 42499, 42509, 42533, 42557,
- 42569, 42571, 42577, 42589, 42611, 42641, 42643, 42649, 42667, 42677,
- 42683, 42689, 42697, 42701, 42703, 42709, 42719, 42727, 42737, 42743,
- 42751, 42767, 42773, 42787, 42793, 42797, 42821, 42829, 42839, 42841,
- 42853, 42859, 42863, 42899, 42901, 42923, 42929, 42937, 42943, 42953,
- 42961, 42967, 42979, 42989, 43003, 43013, 43019, 43037, 43049, 43051,
- 43063, 43067, 43093, 43103, 43117, 43133, 43151, 43159, 43177, 43189,
- 43201, 43207, 43223, 43237, 43261, 43271, 43283, 43291, 43313, 43319,
- 43321, 43331, 43391, 43397, 43399, 43403, 43411, 43427, 43441, 43451,
- 43457, 43481, 43487, 43499, 43517, 43541, 43543, 43573, 43577, 43579,
- 43591, 43597, 43607, 43609, 43613, 43627, 43633, 43649, 43651, 43661,
- 43669, 43691, 43711, 43717, 43721, 43753, 43759, 43777, 43781, 43783,
- 43787, 43789, 43793, 43801, 43853, 43867, 43889, 43891, 43913, 43933,
- 43943, 43951, 43961, 43963, 43969, 43973, 43987, 43991, 43997, 44017,
- 44021, 44027, 44029, 44041, 44053, 44059, 44071, 44087, 44089, 44101,
- 44111, 44119, 44123, 44129, 44131, 44159, 44171, 44179, 44189, 44201,
- 44203, 44207, 44221, 44249, 44257, 44263, 44267, 44269, 44273, 44279,
- 44281, 44293, 44351, 44357, 44371, 44381, 44383, 44389, 44417, 44449,
- 44453, 44483, 44491, 44497, 44501, 44507, 44519, 44531, 44533, 44537,
- 44543, 44549, 44563, 44579, 44587, 44617, 44621, 44623, 44633, 44641,
- 44647, 44651, 44657, 44683, 44687, 44699, 44701, 44711, 44729, 44741,
- 44753, 44771, 44773, 44777, 44789, 44797, 44809, 44819, 44839, 44843,
- 44851, 44867, 44879, 44887, 44893, 44909, 44917, 44927, 44939, 44953,
- 44959, 44963, 44971, 44983, 44987, 45007, 45013, 45053, 45061, 45077,
- 45083, 45119, 45121, 45127, 45131, 45137, 45139, 45161, 45179, 45181,
- 45191, 45197, 45233, 45247, 45259, 45263, 45281, 45289, 45293, 45307,
- 45317, 45319, 45329, 45337, 45341, 45343, 45361, 45377, 45389, 45403,
- 45413, 45427, 45433, 45439, 45481, 45491, 45497, 45503, 45523, 45533,
- 45541, 45553, 45557, 45569, 45587, 45589, 45599, 45613, 45631, 45641,
- 45659, 45667, 45673, 45677, 45691, 45697, 45707, 45737, 45751, 45757,
- 45763, 45767, 45779, 45817, 45821, 45823, 45827, 45833, 45841, 45853,
- 45863, 45869, 45887, 45893, 45943, 45949, 45953, 45959, 45971, 45979,
- 45989, 46021, 46027, 46049, 46051, 46061, 46073, 46091, 46093, 46099,
- 46103, 46133, 46141, 46147, 46153, 46171, 46181, 46183, 46187, 46199,
- 46219, 46229, 46237, 46261, 46271, 46273, 46279, 46301, 46307, 46309,
- 46327, 46337, 46349, 46351, 46381, 46399, 46411, 46439, 46441, 46447,
- 46451, 46457, 46471, 46477, 46489, 46499, 46507, 46511, 46523, 46549,
- 46559, 46567, 46573, 46589, 46591, 46601, 46619, 46633, 46639, 46643,
- 46649, 46663, 46679, 46681, 46687, 46691, 46703, 46723, 46727, 46747,
- 46751, 46757, 46769, 46771, 46807, 46811, 46817, 46819, 46829, 46831,
- 46853, 46861, 46867, 46877, 46889, 46901, 46919, 46933, 46957, 46993,
- 46997, 47017, 47041, 47051, 47057, 47059, 47087, 47093, 47111, 47119,
- 47123, 47129, 47137, 47143, 47147, 47149, 47161, 47189, 47207, 47221,
- 47237, 47251, 47269, 47279, 47287, 47293, 47297, 47303, 47309, 47317,
- 47339, 47351, 47353, 47363, 47381, 47387, 47389, 47407, 47417, 47419,
- 47431, 47441, 47459, 47491, 47497, 47501, 47507, 47513, 47521, 47527,
- 47533, 47543, 47563, 47569, 47581, 47591, 47599, 47609, 47623, 47629,
- 47639, 47653, 47657, 47659, 47681, 47699, 47701, 47711, 47713, 47717,
- 47737, 47741, 47743, 47777, 47779, 47791, 47797, 47807, 47809, 47819,
- 47837, 47843, 47857, 47869, 47881, 47903, 47911, 47917, 47933, 47939,
- 47947, 47951, 47963, 47969, 47977, 47981, 48017, 48023, 48029, 48049,
- 48073, 48079, 48091, 48109, 48119, 48121, 48131, 48157, 48163, 48179,
- 48187, 48193, 48197, 48221, 48239, 48247, 48259, 48271, 48281, 48299,
- 48311, 48313, 48337, 48341, 48353, 48371, 48383, 48397, 48407, 48409,
- 48413, 48437, 48449, 48463, 48473, 48479, 48481, 48487, 48491, 48497,
- 48523, 48527, 48533, 48539, 48541, 48563, 48571, 48589, 48593, 48611,
- 48619, 48623, 48647, 48649, 48661, 48673, 48677, 48679, 48731, 48733,
- 48751, 48757, 48761, 48767, 48779, 48781, 48787, 48799, 48809, 48817,
- 48821, 48823, 48847, 48857, 48859, 48869, 48871, 48883, 48889, 48907,
- 48947, 48953, 48973, 48989, 48991, 49003, 49009, 49019, 49031, 49033,
- 49037, 49043, 49057, 49069, 49081, 49103, 49109, 49117, 49121, 49123,
- 49139, 49157, 49169, 49171, 49177, 49193, 49199, 49201, 49207, 49211,
- 49223, 49253, 49261, 49277, 49279, 49297, 49307, 49331, 49333, 49339,
- 49363, 49367, 49369, 49391, 49393, 49409, 49411, 49417, 49429, 49433,
- 49451, 49459, 49463, 49477, 49481, 49499, 49523, 49529, 49531, 49537,
- 49547, 49549, 49559, 49597, 49603, 49613, 49627, 49633, 49639, 49663,
- 49667, 49669, 49681, 49697, 49711, 49727, 49739, 49741, 49747, 49757,
- 49783, 49787, 49789, 49801, 49807, 49811, 49823, 49831, 49843, 49853,
- 49871, 49877, 49891, 49919, 49921, 49927, 49937, 49939, 49943, 49957,
- 49991, 49993, 49999, 50021, 50023, 50033, 50047, 50051, 50053, 50069,
- 50077, 50087, 50093, 50101, 50111, 50119, 50123, 50129, 50131, 50147,
- 50153, 50159, 50177, 50207, 50221, 50227, 50231, 50261, 50263, 50273,
- 50287, 50291, 50311, 50321, 50329, 50333, 50341, 50359, 50363, 50377,
- 50383, 50387, 50411, 50417, 50423, 50441, 50459, 50461, 50497, 50503,
- 50513, 50527, 50539, 50543, 50549, 50551, 50581, 50587, 50591, 50593,
- 50599, 50627, 50647, 50651, 50671, 50683, 50707, 50723, 50741, 50753,
- 50767, 50773, 50777, 50789, 50821, 50833, 50839, 50849, 50857, 50867,
- 50873, 50891, 50893, 50909, 50923, 50929, 50951, 50957, 50969, 50971,
- 50989, 50993, 51001, 51031, 51043, 51047, 51059, 51061, 51071, 51109,
- 51131, 51133, 51137, 51151, 51157, 51169, 51193, 51197, 51199, 51203,
- 51217, 51229, 51239, 51241, 51257, 51263, 51283, 51287, 51307, 51329,
- 51341, 51343, 51347, 51349, 51361, 51383, 51407, 51413, 51419, 51421,
- 51427, 51431, 51437, 51439, 51449, 51461, 51473, 51479, 51481, 51487,
- 51503, 51511, 51517, 51521, 51539, 51551, 51563, 51577, 51581, 51593,
- 51599, 51607, 51613, 51631, 51637, 51647, 51659, 51673, 51679, 51683,
- 51691, 51713, 51719, 51721, 51749, 51767, 51769, 51787, 51797, 51803,
- 51817, 51827, 51829, 51839, 51853, 51859, 51869, 51871, 51893, 51899,
- 51907, 51913, 51929, 51941, 51949, 51971, 51973, 51977, 51991, 52009,
- 52021, 52027, 52051, 52057, 52067, 52069, 52081, 52103, 52121, 52127,
- 52147, 52153, 52163, 52177, 52181, 52183, 52189, 52201, 52223, 52237,
- 52249, 52253, 52259, 52267, 52289, 52291, 52301, 52313, 52321, 52361,
- 52363, 52369, 52379, 52387, 52391, 52433, 52453, 52457, 52489, 52501,
- 52511, 52517, 52529, 52541, 52543, 52553, 52561, 52567, 52571, 52579,
- 52583, 52609, 52627, 52631, 52639, 52667, 52673, 52691, 52697, 52709,
- 52711, 52721, 52727, 52733, 52747, 52757, 52769, 52783, 52807, 52813,
- 52817, 52837, 52859, 52861, 52879, 52883, 52889, 52901, 52903, 52919,
- 52937, 52951, 52957, 52963, 52967, 52973, 52981, 52999, 53003, 53017,
- 53047, 53051, 53069, 53077, 53087, 53089, 53093, 53101, 53113, 53117,
- 53129, 53147, 53149, 53161, 53171, 53173, 53189, 53197, 53201, 53231,
- 53233, 53239, 53267, 53269, 53279, 53281, 53299, 53309, 53323, 53327,
- 53353, 53359, 53377, 53381, 53401, 53407, 53411, 53419, 53437, 53441,
- 53453, 53479, 53503, 53507, 53527, 53549, 53551, 53569, 53591, 53593,
- 53597, 53609, 53611, 53617, 53623, 53629, 53633, 53639, 53653, 53657,
- 53681, 53693, 53699, 53717, 53719, 53731, 53759, 53773, 53777, 53783,
- 53791, 53813, 53819, 53831, 53849, 53857, 53861, 53881, 53887, 53891,
- 53897, 53899, 53917, 53923, 53927, 53939, 53951, 53959, 53987, 53993,
- 54001, 54011, 54013, 54037, 54049, 54059, 54083, 54091, 54101, 54121,
- 54133, 54139, 54151, 54163, 54167, 54181, 54193, 54217, 54251, 54269,
- 54277, 54287, 54293, 54311, 54319, 54323, 54331, 54347, 54361, 54367,
- 54371, 54377, 54401, 54403, 54409, 54413, 54419, 54421, 54437, 54443,
- 54449, 54469, 54493, 54497, 54499, 54503, 54517, 54521, 54539, 54541,
- 54547, 54559, 54563, 54577, 54581, 54583, 54601, 54617, 54623, 54629,
- 54631, 54647, 54667, 54673, 54679, 54709, 54713, 54721, 54727, 54751,
- 54767, 54773, 54779, 54787, 54799, 54829, 54833, 54851, 54869, 54877,
- 54881, 54907, 54917, 54919, 54941, 54949, 54959, 54973, 54979, 54983,
- 55001, 55009, 55021, 55049, 55051, 55057, 55061, 55073, 55079, 55103,
- 55109, 55117, 55127, 55147, 55163, 55171, 55201, 55207, 55213, 55217,
- 55219, 55229, 55243, 55249, 55259, 55291, 55313, 55331, 55333, 55337,
- 55339, 55343, 55351, 55373, 55381, 55399, 55411, 55439, 55441, 55457,
- 55469, 55487, 55501, 55511, 55529, 55541, 55547, 55579, 55589, 55603,
- 55609, 55619, 55621, 55631, 55633, 55639, 55661, 55663, 55667, 55673,
- 55681, 55691, 55697, 55711, 55717, 55721, 55733, 55763, 55787, 55793,
- 55799, 55807, 55813, 55817, 55819, 55823, 55829, 55837, 55843, 55849,
- 55871, 55889, 55897, 55901, 55903, 55921, 55927, 55931, 55933, 55949,
- 55967, 55987, 55997, 56003, 56009, 56039, 56041, 56053, 56081, 56087,
- 56093, 56099, 56101, 56113, 56123, 56131, 56149, 56167, 56171, 56179,
- 56197, 56207, 56209, 56237, 56239, 56249, 56263, 56267, 56269, 56299,
- 56311, 56333, 56359, 56369, 56377, 56383, 56393, 56401, 56417, 56431,
- 56437, 56443, 56453, 56467, 56473, 56477, 56479, 56489, 56501, 56503,
- 56509, 56519, 56527, 56531, 56533, 56543, 56569, 56591, 56597, 56599,
- 56611, 56629, 56633, 56659, 56663, 56671, 56681, 56687, 56701, 56711,
- 56713, 56731, 56737, 56747, 56767, 56773, 56779, 56783, 56807, 56809,
- 56813, 56821, 56827, 56843, 56857, 56873, 56891, 56893, 56897, 56909,
- 56911, 56921, 56923, 56929, 56941, 56951, 56957, 56963, 56983, 56989,
- 56993, 56999, 57037, 57041, 57047, 57059, 57073, 57077, 57089, 57097,
- 57107, 57119, 57131, 57139, 57143, 57149, 57163, 57173, 57179, 57191,
- 57193, 57203, 57221, 57223, 57241, 57251, 57259, 57269, 57271, 57283,
- 57287, 57301, 57329, 57331, 57347, 57349, 57367, 57373, 57383, 57389,
- 57397, 57413, 57427, 57457, 57467, 57487, 57493, 57503, 57527, 57529,
- 57557, 57559, 57571, 57587, 57593, 57601, 57637, 57641, 57649, 57653,
- 57667, 57679, 57689, 57697, 57709, 57713, 57719, 57727, 57731, 57737,
- 57751, 57773, 57781, 57787, 57791, 57793, 57803, 57809, 57829, 57839,
- 57847, 57853, 57859, 57881, 57899, 57901, 57917, 57923, 57943, 57947,
- 57973, 57977, 57991, 58013, 58027, 58031, 58043, 58049, 58057, 58061,
- 58067, 58073, 58099, 58109, 58111, 58129, 58147, 58151, 58153, 58169,
- 58171, 58189, 58193, 58199, 58207, 58211, 58217, 58229, 58231, 58237,
- 58243, 58271, 58309, 58313, 58321, 58337, 58363, 58367, 58369, 58379,
- 58391, 58393, 58403, 58411, 58417, 58427, 58439, 58441, 58451, 58453,
- 58477, 58481, 58511, 58537, 58543, 58549, 58567, 58573, 58579, 58601,
- 58603, 58613, 58631, 58657, 58661, 58679, 58687, 58693, 58699, 58711,
- 58727, 58733, 58741, 58757, 58763, 58771, 58787, 58789, 58831, 58889,
- 58897, 58901, 58907, 58909, 58913, 58921, 58937, 58943, 58963, 58967,
- 58979, 58991, 58997, 59009, 59011, 59021, 59023, 59029, 59051, 59053,
- 59063, 59069, 59077, 59083, 59093, 59107, 59113, 59119, 59123, 59141,
- 59149, 59159, 59167, 59183, 59197, 59207, 59209, 59219, 59221, 59233,
- 59239, 59243, 59263, 59273, 59281, 59333, 59341, 59351, 59357, 59359,
- 59369, 59377, 59387, 59393, 59399, 59407, 59417, 59419, 59441, 59443,
- 59447, 59453, 59467, 59471, 59473, 59497, 59509, 59513, 59539, 59557,
- 59561, 59567, 59581, 59611, 59617, 59621, 59627, 59629, 59651, 59659,
- 59663, 59669, 59671, 59693, 59699, 59707, 59723, 59729, 59743, 59747,
- 59753, 59771, 59779, 59791, 59797, 59809, 59833, 59863, 59879, 59887,
- 59921, 59929, 59951, 59957, 59971, 59981, 59999, 60013, 60017, 60029,
- 60037, 60041, 60077, 60083, 60089, 60091, 60101, 60103, 60107, 60127,
- 60133, 60139, 60149, 60161, 60167, 60169, 60209, 60217, 60223, 60251,
- 60257, 60259, 60271, 60289, 60293, 60317, 60331, 60337, 60343, 60353,
- 60373, 60383, 60397, 60413, 60427, 60443, 60449, 60457, 60493, 60497,
- 60509, 60521, 60527, 60539, 60589, 60601, 60607, 60611, 60617, 60623,
- 60631, 60637, 60647, 60649, 60659, 60661, 60679, 60689, 60703, 60719,
- 60727, 60733, 60737, 60757, 60761, 60763, 60773, 60779, 60793, 60811,
- 60821, 60859, 60869, 60887, 60889, 60899, 60901, 60913, 60917, 60919,
- 60923, 60937, 60943, 60953, 60961, 61001, 61007, 61027, 61031, 61043,
- 61051, 61057, 61091, 61099, 61121, 61129, 61141, 61151, 61153, 61169,
- 61211, 61223, 61231, 61253, 61261, 61283, 61291, 61297, 61331, 61333,
- 61339, 61343, 61357, 61363, 61379, 61381, 61403, 61409, 61417, 61441,
- 61463, 61469, 61471, 61483, 61487, 61493, 61507, 61511, 61519, 61543,
- 61547, 61553, 61559, 61561, 61583, 61603, 61609, 61613, 61627, 61631,
- 61637, 61643, 61651, 61657, 61667, 61673, 61681, 61687, 61703, 61717,
- 61723, 61729, 61751, 61757, 61781, 61813, 61819, 61837, 61843, 61861,
- 61871, 61879, 61909, 61927, 61933, 61949, 61961, 61967, 61979, 61981,
- 61987, 61991, 62003, 62011, 62017, 62039, 62047, 62053, 62057, 62071,
- 62081, 62099, 62119, 62129, 62131, 62137, 62141, 62143, 62171, 62189,
- 62191, 62201, 62207, 62213, 62219, 62233, 62273, 62297, 62299, 62303,
- 62311, 62323, 62327, 62347, 62351, 62383, 62401, 62417, 62423, 62459,
- 62467, 62473, 62477, 62483, 62497, 62501, 62507, 62533, 62539, 62549,
- 62563, 62581, 62591, 62597, 62603, 62617, 62627, 62633, 62639, 62653,
- 62659, 62683, 62687, 62701, 62723, 62731, 62743, 62753, 62761, 62773,
- 62791, 62801, 62819, 62827, 62851, 62861, 62869, 62873, 62897, 62903,
- 62921, 62927, 62929, 62939, 62969, 62971, 62981, 62983, 62987, 62989,
- 63029, 63031, 63059, 63067, 63073, 63079, 63097, 63103, 63113, 63127,
- 63131, 63149, 63179, 63197, 63199, 63211, 63241, 63247, 63277, 63281,
- 63299, 63311, 63313, 63317, 63331, 63337, 63347, 63353, 63361, 63367,
- 63377, 63389, 63391, 63397, 63409, 63419, 63421, 63439, 63443, 63463,
- 63467, 63473, 63487, 63493, 63499, 63521, 63527, 63533, 63541, 63559,
- 63577, 63587, 63589, 63599, 63601, 63607, 63611, 63617, 63629, 63647,
- 63649, 63659, 63667, 63671, 63689, 63691, 63697, 63703, 63709, 63719,
- 63727, 63737, 63743, 63761, 63773, 63781, 63793, 63799, 63803, 63809,
- 63823, 63839, 63841, 63853, 63857, 63863, 63901, 63907, 63913, 63929,
- 63949, 63977, 63997, 64007, 64013, 64019, 64033, 64037, 64063, 64067,
- 64081, 64091, 64109, 64123, 64151, 64153, 64157, 64171, 64187, 64189,
- 64217, 64223, 64231, 64237, 64271, 64279, 64283, 64301, 64303, 64319,
- 64327, 64333, 64373, 64381, 64399, 64403, 64433, 64439, 64451, 64453,
- 64483, 64489, 64499, 64513, 64553, 64567, 64577, 64579, 64591, 64601,
- 64609, 64613, 64621, 64627, 64633, 64661, 64663, 64667, 64679, 64693,
- 64709, 64717, 64747, 64763, 64781, 64783, 64793, 64811, 64817, 64849,
- 64853, 64871, 64877, 64879, 64891, 64901, 64919, 64921, 64927, 64937,
- 64951, 64969, 64997, 65003, 65011, 65027, 65029, 65033, 65053, 65063,
- 65071, 65089, 65099, 65101, 65111, 65119, 65123, 65129, 65141, 65147,
- 65167, 65171, 65173, 65179, 65183, 65203, 65213, 65239, 65257, 65267,
- 65269, 65287, 65293, 65309, 65323, 65327, 65353, 65357, 65371, 65381,
- 65393, 65407, 65413, 65419, 65423, 65437, 65447, 65449, 65479, 65497,
- 65519, 65521, 65537, 65539, 65543, 65551, 65557, 65563, 65579, 65581,
- 65587, 65599, 65609, 65617, 65629, 65633, 65647, 65651, 65657, 65677,
- 65687, 65699, 65701, 65707, 65713, 65717, 65719, 65729, 65731, 65761,
- 65777, 65789, 65809, 65827, 65831, 65837, 65839, 65843, 65851, 65867,
- 65881, 65899, 65921, 65927, 65929, 65951, 65957, 65963, 65981, 65983,
- 65993, 66029, 66037, 66041, 66047, 66067, 66071, 66083, 66089, 66103,
- 66107, 66109, 66137, 66161, 66169, 66173, 66179, 66191, 66221, 66239,
- 66271, 66293, 66301, 66337, 66343, 66347, 66359, 66361, 66373, 66377,
- 66383, 66403, 66413, 66431, 66449, 66457, 66463, 66467, 66491, 66499,
- 66509, 66523, 66529, 66533, 66541, 66553, 66569, 66571, 66587, 66593,
- 66601, 66617, 66629, 66643, 66653, 66683, 66697, 66701, 66713, 66721,
- 66733, 66739, 66749, 66751, 66763, 66791, 66797, 66809, 66821, 66841,
- 66851, 66853, 66863, 66877, 66883, 66889, 66919, 66923, 66931, 66943,
- 66947, 66949, 66959, 66973, 66977, 67003, 67021, 67033, 67043, 67049,
- 67057, 67061, 67073, 67079, 67103, 67121, 67129, 67139, 67141, 67153,
- 67157, 67169, 67181, 67187, 67189, 67211, 67213, 67217, 67219, 67231,
- 67247, 67261, 67271, 67273, 67289, 67307, 67339, 67343, 67349, 67369,
- 67391, 67399, 67409, 67411, 67421, 67427, 67429, 67433, 67447, 67453,
- 67477, 67481, 67489, 67493, 67499, 67511, 67523, 67531, 67537, 67547,
- 67559, 67567, 67577, 67579, 67589, 67601, 67607, 67619, 67631, 67651,
- 67679, 67699, 67709, 67723, 67733, 67741, 67751, 67757, 67759, 67763,
- 67777, 67783, 67789, 67801, 67807, 67819, 67829, 67843, 67853, 67867,
- 67883, 67891, 67901, 67927, 67931, 67933, 67939, 67943, 67957, 67961,
- 67967, 67979, 67987, 67993, 68023, 68041, 68053, 68059, 68071, 68087,
- 68099, 68111, 68113, 68141, 68147, 68161, 68171, 68207, 68209, 68213,
- 68219, 68227, 68239, 68261, 68279, 68281, 68311, 68329, 68351, 68371,
- 68389, 68399, 68437, 68443, 68447, 68449, 68473, 68477, 68483, 68489,
- 68491, 68501, 68507, 68521, 68531, 68539, 68543, 68567, 68581, 68597,
- 68611, 68633, 68639, 68659, 68669, 68683, 68687, 68699, 68711, 68713,
- 68729, 68737, 68743, 68749, 68767, 68771, 68777, 68791, 68813, 68819,
- 68821, 68863, 68879, 68881, 68891, 68897, 68899, 68903, 68909, 68917,
- 68927, 68947, 68963, 68993, 69001, 69011, 69019, 69029, 69031, 69061,
- 69067, 69073, 69109, 69119, 69127, 69143, 69149, 69151, 69163, 69191,
- 69193, 69197, 69203, 69221, 69233, 69239, 69247, 69257, 69259, 69263,
- 69313, 69317, 69337, 69341, 69371, 69379, 69383, 69389, 69401, 69403,
- 69427, 69431, 69439, 69457, 69463, 69467, 69473, 69481, 69491, 69493,
- 69497, 69499, 69539, 69557, 69593, 69623, 69653, 69661, 69677, 69691,
- 69697, 69709, 69737, 69739, 69761, 69763, 69767, 69779, 69809, 69821,
- 69827, 69829, 69833, 69847, 69857, 69859, 69877, 69899, 69911, 69929,
- 69931, 69941, 69959, 69991, 69997, 70001, 70003, 70009, 70019, 70039,
- 70051, 70061, 70067, 70079, 70099, 70111, 70117, 70121, 70123, 70139,
- 70141, 70157, 70163, 70177, 70181, 70183, 70199, 70201, 70207, 70223,
- 70229, 70237, 70241, 70249, 70271, 70289, 70297, 70309, 70313, 70321,
- 70327, 70351, 70373, 70379, 70381, 70393, 70423, 70429, 70439, 70451,
- 70457, 70459, 70481, 70487, 70489, 70501, 70507, 70529, 70537, 70549,
- 70571, 70573, 70583, 70589, 70607, 70619, 70621, 70627, 70639, 70657,
- 70663, 70667, 70687, 70709, 70717, 70729, 70753, 70769, 70783, 70793,
- 70823, 70841, 70843, 70849, 70853, 70867, 70877, 70879, 70891, 70901,
- 70913, 70919, 70921, 70937, 70949, 70951, 70957, 70969, 70979, 70981,
- 70991, 70997, 70999, 71011, 71023, 71039, 71059, 71069, 71081, 71089,
- 71119, 71129, 71143, 71147, 71153, 71161, 71167, 71171, 71191, 71209,
- 71233, 71237, 71249, 71257, 71261, 71263, 71287, 71293, 71317, 71327,
- 71329, 71333, 71339, 71341, 71347, 71353, 71359, 71363, 71387, 71389,
- 71399, 71411, 71413, 71419, 71429, 71437, 71443, 71453, 71471, 71473,
- 71479, 71483, 71503, 71527, 71537, 71549, 71551, 71563, 71569, 71593,
- 71597, 71633, 71647, 71663, 71671, 71693, 71699, 71707, 71711, 71713,
- 71719, 71741, 71761, 71777, 71789, 71807, 71809, 71821, 71837, 71843,
- 71849, 71861, 71867, 71879, 71881, 71887, 71899, 71909, 71917, 71933,
- 71941, 71947, 71963, 71971, 71983, 71987, 71993, 71999, 72019, 72031,
- 72043, 72047, 72053, 72073, 72077, 72089, 72091, 72101, 72103, 72109,
- 72139, 72161, 72167, 72169, 72173, 72211, 72221, 72223, 72227, 72229,
- 72251, 72253, 72269, 72271, 72277, 72287, 72307, 72313, 72337, 72341,
- 72353, 72367, 72379, 72383, 72421, 72431, 72461, 72467, 72469, 72481,
- 72493, 72497, 72503, 72533, 72547, 72551, 72559, 72577, 72613, 72617,
- 72623, 72643, 72647, 72649, 72661, 72671, 72673, 72679, 72689, 72701,
- 72707, 72719, 72727, 72733, 72739, 72763, 72767, 72797, 72817, 72823,
- 72859, 72869, 72871, 72883, 72889, 72893, 72901, 72907, 72911, 72923,
- 72931, 72937, 72949, 72953, 72959, 72973, 72977, 72997, 73009, 73013,
- 73019, 73037, 73039, 73043, 73061, 73063, 73079, 73091, 73121, 73127,
- 73133, 73141, 73181, 73189, 73237, 73243, 73259, 73277, 73291, 73303,
- 73309, 73327, 73331, 73351, 73361, 73363, 73369, 73379, 73387, 73417,
- 73421, 73433, 73453, 73459, 73471, 73477, 73483, 73517, 73523, 73529,
- 73547, 73553, 73561, 73571, 73583, 73589, 73597, 73607, 73609, 73613,
- 73637, 73643, 73651, 73673, 73679, 73681, 73693, 73699, 73709, 73721,
- 73727, 73751, 73757, 73771, 73783, 73819, 73823, 73847, 73849, 73859,
- 73867, 73877, 73883, 73897, 73907, 73939, 73943, 73951, 73961, 73973,
- 73999, 74017, 74021, 74027, 74047, 74051, 74071, 74077, 74093, 74099,
- 74101, 74131, 74143, 74149, 74159, 74161, 74167, 74177, 74189, 74197,
- 74201, 74203, 74209, 74219, 74231, 74257, 74279, 74287, 74293, 74297,
- 74311, 74317, 74323, 74353, 74357, 74363, 74377, 74381, 74383, 74411,
- 74413, 74419, 74441, 74449, 74453, 74471, 74489, 74507, 74509, 74521,
- 74527, 74531, 74551, 74561, 74567, 74573, 74587, 74597, 74609, 74611,
- 74623, 74653, 74687, 74699, 74707, 74713, 74717, 74719, 74729, 74731,
- 74747, 74759, 74761, 74771, 74779, 74797, 74821, 74827, 74831, 74843,
- 74857, 74861, 74869, 74873, 74887, 74891, 74897, 74903, 74923, 74929,
- 74933, 74941, 74959, 75011, 75013, 75017, 75029, 75037, 75041, 75079,
- 75083, 75109, 75133, 75149, 75161, 75167, 75169, 75181, 75193, 75209,
- 75211, 75217, 75223, 75227, 75239, 75253, 75269, 75277, 75289, 75307,
- 75323, 75329, 75337, 75347, 75353, 75367, 75377, 75389, 75391, 75401,
- 75403, 75407, 75431, 75437, 75479, 75503, 75511, 75521, 75527, 75533,
- 75539, 75541, 75553, 75557, 75571, 75577, 75583, 75611, 75617, 75619,
- 75629, 75641, 75653, 75659, 75679, 75683, 75689, 75703, 75707, 75709,
- 75721, 75731, 75743, 75767, 75773, 75781, 75787, 75793, 75797, 75821,
- 75833, 75853, 75869, 75883, 75913, 75931, 75937, 75941, 75967, 75979,
- 75983, 75989, 75991, 75997, 76001, 76003, 76031, 76039, 76079, 76081,
- 76091, 76099, 76103, 76123, 76129, 76147, 76157, 76159, 76163, 76207,
- 76213, 76231, 76243, 76249, 76253, 76259, 76261, 76283, 76289, 76303,
- 76333, 76343, 76367, 76369, 76379, 76387, 76403, 76421, 76423, 76441,
- 76463, 76471, 76481, 76487, 76493, 76507, 76511, 76519, 76537, 76541,
- 76543, 76561, 76579, 76597, 76603, 76607, 76631, 76649, 76651, 76667,
- 76673, 76679, 76697, 76717, 76733, 76753, 76757, 76771, 76777, 76781,
- 76801, 76819, 76829, 76831, 76837, 76847, 76871, 76873, 76883, 76907,
- 76913, 76919, 76943, 76949, 76961, 76963, 76991, 77003, 77017, 77023,
- 77029, 77041, 77047, 77069, 77081, 77093, 77101, 77137, 77141, 77153,
- 77167, 77171, 77191, 77201, 77213, 77237, 77239, 77243, 77249, 77261,
- 77263, 77267, 77269, 77279, 77291, 77317, 77323, 77339, 77347, 77351,
- 77359, 77369, 77377, 77383, 77417, 77419, 77431, 77447, 77471, 77477,
- 77479, 77489, 77491, 77509, 77513, 77521, 77527, 77543, 77549, 77551,
- 77557, 77563, 77569, 77573, 77587, 77591, 77611, 77617, 77621, 77641,
- 77647, 77659, 77681, 77687, 77689, 77699, 77711, 77713, 77719, 77723,
- 77731, 77743, 77747, 77761, 77773, 77783, 77797, 77801, 77813, 77839,
- 77849, 77863, 77867, 77893, 77899, 77929, 77933, 77951, 77969, 77977,
- 77983, 77999, 78007, 78017, 78031, 78041, 78049, 78059, 78079, 78101,
- 78121, 78137, 78139, 78157, 78163, 78167, 78173, 78179, 78191, 78193,
- 78203, 78229, 78233, 78241, 78259, 78277, 78283, 78301, 78307, 78311,
- 78317, 78341, 78347, 78367, 78401, 78427, 78437, 78439, 78467, 78479,
- 78487, 78497, 78509, 78511, 78517, 78539, 78541, 78553, 78569, 78571,
- 78577, 78583, 78593, 78607, 78623, 78643, 78649, 78653, 78691, 78697,
- 78707, 78713, 78721, 78737, 78779, 78781, 78787, 78791, 78797, 78803,
- 78809, 78823, 78839, 78853, 78857, 78877, 78887, 78889, 78893, 78901,
- 78919, 78929, 78941, 78977, 78979, 78989, 79031, 79039, 79043, 79063,
- 79087, 79103, 79111, 79133, 79139, 79147, 79151, 79153, 79159, 79181,
- 79187, 79193, 79201, 79229, 79231, 79241, 79259, 79273, 79279, 79283,
- 79301, 79309, 79319, 79333, 79337, 79349, 79357, 79367, 79379, 79393,
- 79397, 79399, 79411, 79423, 79427, 79433, 79451, 79481, 79493, 79531,
- 79537, 79549, 79559, 79561, 79579, 79589, 79601, 79609, 79613, 79621,
- 79627, 79631, 79633, 79657, 79669, 79687, 79691, 79693, 79697, 79699,
- 79757, 79769, 79777, 79801, 79811, 79813, 79817, 79823, 79829, 79841,
- 79843, 79847, 79861, 79867, 79873, 79889, 79901, 79903, 79907, 79939,
- 79943, 79967, 79973, 79979, 79987, 79997, 79999, 80021, 80039, 80051,
- 80071, 80077, 80107, 80111, 80141, 80147, 80149, 80153, 80167, 80173,
- 80177, 80191, 80207, 80209, 80221, 80231, 80233, 80239, 80251, 80263,
- 80273, 80279, 80287, 80309, 80317, 80329, 80341, 80347, 80363, 80369,
- 80387, 80407, 80429, 80447, 80449, 80471, 80473, 80489, 80491, 80513,
- 80527, 80537, 80557, 80567, 80599, 80603, 80611, 80621, 80627, 80629,
- 80651, 80657, 80669, 80671, 80677, 80681, 80683, 80687, 80701, 80713,
- 80737, 80747, 80749, 80761, 80777, 80779, 80783, 80789, 80803, 80809,
- 80819, 80831, 80833, 80849, 80863, 80897, 80909, 80911, 80917, 80923,
- 80929, 80933, 80953, 80963, 80989, 81001, 81013, 81017, 81019, 81023,
- 81031, 81041, 81043, 81047, 81049, 81071, 81077, 81083, 81097, 81101,
- 81119, 81131, 81157, 81163, 81173, 81181, 81197, 81199, 81203, 81223,
- 81233, 81239, 81281, 81283, 81293, 81299, 81307, 81331, 81343, 81349,
- 81353, 81359, 81371, 81373, 81401, 81409, 81421, 81439, 81457, 81463,
- 81509, 81517, 81527, 81533, 81547, 81551, 81553, 81559, 81563, 81569,
- 81611, 81619, 81629, 81637, 81647, 81649, 81667, 81671, 81677, 81689,
- 81701, 81703, 81707, 81727, 81737, 81749, 81761, 81769, 81773, 81799,
- 81817, 81839, 81847, 81853, 81869, 81883, 81899, 81901, 81919, 81929,
- 81931, 81937, 81943, 81953, 81967, 81971, 81973, 82003, 82007, 82009,
- 82013, 82021, 82031, 82037, 82039, 82051, 82067, 82073, 82129, 82139,
- 82141, 82153, 82163, 82171, 82183, 82189, 82193, 82207, 82217, 82219,
- 82223, 82231, 82237, 82241, 82261, 82267, 82279, 82301, 82307, 82339,
- 82349, 82351, 82361, 82373, 82387, 82393, 82421, 82457, 82463, 82469,
- 82471, 82483, 82487, 82493, 82499, 82507, 82529, 82531, 82549, 82559,
- 82561, 82567, 82571, 82591, 82601, 82609, 82613, 82619, 82633, 82651,
- 82657, 82699, 82721, 82723, 82727, 82729, 82757, 82759, 82763, 82781,
- 82787, 82793, 82799, 82811, 82813, 82837, 82847, 82883, 82889, 82891,
- 82903, 82913, 82939, 82963, 82981, 82997, 83003, 83009, 83023, 83047,
- 83059, 83063, 83071, 83077, 83089, 83093, 83101, 83117, 83137, 83177,
- 83203, 83207, 83219, 83221, 83227, 83231, 83233, 83243, 83257, 83267,
- 83269, 83273, 83299, 83311, 83339, 83341, 83357, 83383, 83389, 83399,
- 83401, 83407, 83417, 83423, 83431, 83437, 83443, 83449, 83459, 83471,
- 83477, 83497, 83537, 83557, 83561, 83563, 83579, 83591, 83597, 83609,
- 83617, 83621, 83639, 83641, 83653, 83663, 83689, 83701, 83717, 83719,
- 83737, 83761, 83773, 83777, 83791, 83813, 83833, 83843, 83857, 83869,
- 83873, 83891, 83903, 83911, 83921, 83933, 83939, 83969, 83983, 83987,
- 84011, 84017, 84047, 84053, 84059, 84061, 84067, 84089, 84121, 84127,
- 84131, 84137, 84143, 84163, 84179, 84181, 84191, 84199, 84211, 84221,
- 84223, 84229, 84239, 84247, 84263, 84299, 84307, 84313, 84317, 84319,
- 84347, 84349, 84377, 84389, 84391, 84401, 84407, 84421, 84431, 84437,
- 84443, 84449, 84457, 84463, 84467, 84481, 84499, 84503, 84509, 84521,
- 84523, 84533, 84551, 84559, 84589, 84629, 84631, 84649, 84653, 84659,
- 84673, 84691, 84697, 84701, 84713, 84719, 84731, 84737, 84751, 84761,
- 84787, 84793, 84809, 84811, 84827, 84857, 84859, 84869, 84871, 84913,
- 84919, 84947, 84961, 84967, 84977, 84979, 84991, 85009, 85021, 85027,
- 85037, 85049, 85061, 85081, 85087, 85091, 85093, 85103, 85109, 85121,
- 85133, 85147, 85159, 85193, 85199, 85201, 85213, 85223, 85229, 85237,
- 85243, 85247, 85259, 85297, 85303, 85313, 85331, 85333, 85361, 85363,
- 85369, 85381, 85411, 85427, 85429, 85439, 85447, 85451, 85453, 85469,
- 85487, 85513, 85517, 85523, 85531, 85549, 85571, 85577, 85597, 85601,
- 85607, 85619, 85621, 85627, 85639, 85643, 85661, 85667, 85669, 85691,
- 85703, 85711, 85717, 85733, 85751, 85781, 85793, 85817, 85819, 85829,
- 85831, 85837, 85843, 85847, 85853, 85889, 85903, 85909, 85931, 85933,
- 85991, 85999, 86011, 86017, 86027, 86029, 86069, 86077, 86083, 86111,
- 86113, 86117, 86131, 86137, 86143, 86161, 86171, 86179, 86183, 86197,
- 86201, 86209, 86239, 86243, 86249, 86257, 86263, 86269, 86287, 86291,
- 86293, 86297, 86311, 86323, 86341, 86351, 86353, 86357, 86369, 86371,
- 86381, 86389, 86399, 86413, 86423, 86441, 86453, 86461, 86467, 86477,
- 86491, 86501, 86509, 86531, 86533, 86539, 86561, 86573, 86579, 86587,
- 86599, 86627, 86629, 86677, 86689, 86693, 86711, 86719, 86729, 86743,
- 86753, 86767, 86771, 86783, 86813, 86837, 86843, 86851, 86857, 86861,
- 86869, 86923, 86927, 86929, 86939, 86951, 86959, 86969, 86981, 86993,
- 87011, 87013, 87037, 87041, 87049, 87071, 87083, 87103, 87107, 87119,
- 87121, 87133, 87149, 87151, 87179, 87181, 87187, 87211, 87221, 87223,
- 87251, 87253, 87257, 87277, 87281, 87293, 87299, 87313, 87317, 87323,
- 87337, 87359, 87383, 87403, 87407, 87421, 87427, 87433, 87443, 87473,
- 87481, 87491, 87509, 87511, 87517, 87523, 87539, 87541, 87547, 87553,
- 87557, 87559, 87583, 87587, 87589, 87613, 87623, 87629, 87631, 87641,
- 87643, 87649, 87671, 87679, 87683, 87691, 87697, 87701, 87719, 87721,
- 87739, 87743, 87751, 87767, 87793, 87797, 87803, 87811, 87833, 87853,
- 87869, 87877, 87881, 87887, 87911, 87917, 87931, 87943, 87959, 87961,
- 87973, 87977, 87991, 88001, 88003, 88007, 88019, 88037, 88069, 88079,
- 88093, 88117, 88129, 88169, 88177, 88211, 88223, 88237, 88241, 88259,
- 88261, 88289, 88301, 88321, 88327, 88337, 88339, 88379, 88397, 88411,
- 88423, 88427, 88463, 88469, 88471, 88493, 88499, 88513, 88523, 88547,
- 88589, 88591, 88607, 88609, 88643, 88651, 88657, 88661, 88663, 88667,
- 88681, 88721, 88729, 88741, 88747, 88771, 88789, 88793, 88799, 88801,
- 88807, 88811, 88813, 88817, 88819, 88843, 88853, 88861, 88867, 88873,
- 88883, 88897, 88903, 88919, 88937, 88951, 88969, 88993, 88997, 89003,
- 89009, 89017, 89021, 89041, 89051, 89057, 89069, 89071, 89083, 89087,
- 89101, 89107, 89113, 89119, 89123, 89137, 89153, 89189, 89203, 89209,
- 89213, 89227, 89231, 89237, 89261, 89269, 89273, 89293, 89303, 89317,
- 89329, 89363, 89371, 89381, 89387, 89393, 89399, 89413, 89417, 89431,
- 89443, 89449, 89459, 89477, 89491, 89501, 89513, 89519, 89521, 89527,
- 89533, 89561, 89563, 89567, 89591, 89597, 89599, 89603, 89611, 89627,
- 89633, 89653, 89657, 89659, 89669, 89671, 89681, 89689, 89753, 89759,
- 89767, 89779, 89783, 89797, 89809, 89819, 89821, 89833, 89839, 89849,
- 89867, 89891, 89897, 89899, 89909, 89917, 89923, 89939, 89959, 89963,
- 89977, 89983, 89989, 90001, 90007, 90011, 90017, 90019, 90023, 90031,
- 90053, 90059, 90067, 90071, 90073, 90089, 90107, 90121, 90127, 90149,
- 90163, 90173, 90187, 90191, 90197, 90199, 90203, 90217, 90227, 90239,
- 90247, 90263, 90271, 90281, 90289, 90313, 90353, 90359, 90371, 90373,
- 90379, 90397, 90401, 90403, 90407, 90437, 90439, 90469, 90473, 90481,
- 90499, 90511, 90523, 90527, 90529, 90533, 90547, 90583, 90599, 90617,
- 90619, 90631, 90641, 90647, 90659, 90677, 90679, 90697, 90703, 90709,
- 90731, 90749, 90787, 90793, 90803, 90821, 90823, 90833, 90841, 90847,
- 90863, 90887, 90901, 90907, 90911, 90917, 90931, 90947, 90971, 90977,
- 90989, 90997, 91009, 91019, 91033, 91079, 91081, 91097, 91099, 91121,
- 91127, 91129, 91139, 91141, 91151, 91153, 91159, 91163, 91183, 91193,
- 91199, 91229, 91237, 91243, 91249, 91253, 91283, 91291, 91297, 91303,
- 91309, 91331, 91367, 91369, 91373, 91381, 91387, 91393, 91397, 91411,
- 91423, 91433, 91453, 91457, 91459, 91463, 91493, 91499, 91513, 91529,
- 91541, 91571, 91573, 91577, 91583, 91591, 91621, 91631, 91639, 91673,
- 91691, 91703, 91711, 91733, 91753, 91757, 91771, 91781, 91801, 91807,
- 91811, 91813, 91823, 91837, 91841, 91867, 91873, 91909, 91921, 91939,
- 91943, 91951, 91957, 91961, 91967, 91969, 91997, 92003, 92009, 92033,
- 92041, 92051, 92077, 92083, 92107, 92111, 92119, 92143, 92153, 92173,
- 92177, 92179, 92189, 92203, 92219, 92221, 92227, 92233, 92237, 92243,
- 92251, 92269, 92297, 92311, 92317, 92333, 92347, 92353, 92357, 92363,
- 92369, 92377, 92381, 92383, 92387, 92399, 92401, 92413, 92419, 92431,
- 92459, 92461, 92467, 92479, 92489, 92503, 92507, 92551, 92557, 92567,
- 92569, 92581, 92593, 92623, 92627, 92639, 92641, 92647, 92657, 92669,
- 92671, 92681, 92683, 92693, 92699, 92707, 92717, 92723, 92737, 92753,
- 92761, 92767, 92779, 92789, 92791, 92801, 92809, 92821, 92831, 92849,
- 92857, 92861, 92863, 92867, 92893, 92899, 92921, 92927, 92941, 92951,
- 92957, 92959, 92987, 92993, 93001, 93047, 93053, 93059, 93077, 93083,
- 93089, 93097, 93103, 93113, 93131, 93133, 93139, 93151, 93169, 93179,
- 93187, 93199, 93229, 93239, 93241, 93251, 93253, 93257, 93263, 93281,
- 93283, 93287, 93307, 93319, 93323, 93329, 93337, 93371, 93377, 93383,
- 93407, 93419, 93427, 93463, 93479, 93481, 93487, 93491, 93493, 93497,
- 93503, 93523, 93529, 93553, 93557, 93559, 93563, 93581, 93601, 93607,
- 93629, 93637, 93683, 93701, 93703, 93719, 93739, 93761, 93763, 93787,
- 93809, 93811, 93827, 93851, 93871, 93887, 93889, 93893, 93901, 93911,
- 93913, 93923, 93937, 93941, 93949, 93967, 93971, 93979, 93983, 93997,
- 94007, 94009, 94033, 94049, 94057, 94063, 94079, 94099, 94109, 94111,
- 94117, 94121, 94151, 94153, 94169, 94201, 94207, 94219, 94229, 94253,
- 94261, 94273, 94291, 94307, 94309, 94321, 94327, 94331, 94343, 94349,
- 94351, 94379, 94397, 94399, 94421, 94427, 94433, 94439, 94441, 94447,
- 94463, 94477, 94483, 94513, 94529, 94531, 94541, 94543, 94547, 94559,
- 94561, 94573, 94583, 94597, 94603, 94613, 94621, 94649, 94651, 94687,
- 94693, 94709, 94723, 94727, 94747, 94771, 94777, 94781, 94789, 94793,
- 94811, 94819, 94823, 94837, 94841, 94847, 94849, 94873, 94889, 94903,
- 94907, 94933, 94949, 94951, 94961, 94993, 94999, 95003, 95009, 95021,
- 95027, 95063, 95071, 95083, 95087, 95089, 95093, 95101, 95107, 95111,
- 95131, 95143, 95153, 95177, 95189, 95191, 95203, 95213, 95219, 95231,
- 95233, 95239, 95257, 95261, 95267, 95273, 95279, 95287, 95311, 95317,
- 95327, 95339, 95369, 95383, 95393, 95401, 95413, 95419, 95429, 95441,
- 95443, 95461, 95467, 95471, 95479, 95483, 95507, 95527, 95531, 95539,
- 95549, 95561, 95569, 95581, 95597, 95603, 95617, 95621, 95629, 95633,
- 95651, 95701, 95707, 95713, 95717, 95723, 95731, 95737, 95747, 95773,
- 95783, 95789, 95791, 95801, 95803, 95813, 95819, 95857, 95869, 95873,
- 95881, 95891, 95911, 95917, 95923, 95929, 95947, 95957, 95959, 95971,
- 95987, 95989, 96001, 96013, 96017, 96043, 96053, 96059, 96079, 96097,
- 96137, 96149, 96157, 96167, 96179, 96181, 96199, 96211, 96221, 96223,
- 96233, 96259, 96263, 96269, 96281, 96289, 96293, 96323, 96329, 96331,
- 96337, 96353, 96377, 96401, 96419, 96431, 96443, 96451, 96457, 96461,
- 96469, 96479, 96487, 96493, 96497, 96517, 96527, 96553, 96557, 96581,
- 96587, 96589, 96601, 96643, 96661, 96667, 96671, 96697, 96703, 96731,
- 96737, 96739, 96749, 96757, 96763, 96769, 96779, 96787, 96797, 96799,
- 96821, 96823, 96827, 96847, 96851, 96857, 96893, 96907, 96911, 96931,
- 96953, 96959, 96973, 96979, 96989, 96997, 97001, 97003, 97007, 97021,
- 97039, 97073, 97081, 97103, 97117, 97127, 97151, 97157, 97159, 97169,
- 97171, 97177, 97187, 97213, 97231, 97241, 97259, 97283, 97301, 97303,
- 97327, 97367, 97369, 97373, 97379, 97381, 97387, 97397, 97423, 97429,
- 97441, 97453, 97459, 97463, 97499, 97501, 97511, 97523, 97547, 97549,
- 97553, 97561, 97571, 97577, 97579, 97583, 97607, 97609, 97613, 97649,
- 97651, 97673, 97687, 97711, 97729, 97771, 97777, 97787, 97789, 97813,
- 97829, 97841, 97843, 97847, 97849, 97859, 97861, 97871, 97879, 97883,
- 97919, 97927, 97931, 97943, 97961, 97967, 97973, 97987, 98009, 98011,
- 98017, 98041, 98047, 98057, 98081, 98101, 98123, 98129, 98143, 98179,
- 98207, 98213, 98221, 98227, 98251, 98257, 98269, 98297, 98299, 98317,
- 98321, 98323, 98327, 98347, 98369, 98377, 98387, 98389, 98407, 98411,
- 98419, 98429, 98443, 98453, 98459, 98467, 98473, 98479, 98491, 98507,
- 98519, 98533, 98543, 98561, 98563, 98573, 98597, 98621, 98627, 98639,
- 98641, 98663, 98669, 98689, 98711, 98713, 98717, 98729, 98731, 98737,
- 98773, 98779, 98801, 98807, 98809, 98837, 98849, 98867, 98869, 98873,
- 98887, 98893, 98897, 98899, 98909, 98911, 98927, 98929, 98939, 98947,
- 98953, 98963, 98981, 98993, 98999, 99013, 99017, 99023, 99041, 99053,
- 99079, 99083, 99089, 99103, 99109, 99119, 99131, 99133, 99137, 99139,
- 99149, 99173, 99181, 99191, 99223, 99233, 99241, 99251, 99257, 99259,
- 99277, 99289, 99317, 99347, 99349, 99367, 99371, 99377, 99391, 99397,
- 99401, 99409, 99431, 99439, 99469, 99487, 99497, 99523, 99527, 99529,
- 99551, 99559, 99563, 99571, 99577, 99581, 99607, 99611, 99623, 99643,
- 99661, 99667, 99679, 99689, 99707, 99709, 99713, 99719, 99721, 99733,
- 99761, 99767, 99787, 99793, 99809, 99817, 99823, 99829, 99833, 99839,
- 99859, 99871, 99877, 99881, 99901, 99907, 99923, 99929, 99961, 99971,
- 99989, 99991, 100003, 100019, 100043, 100049, 100057, 100069, 100103, 100109,
- 100129, 100151, 100153, 100169, 100183, 100189, 100193, 100207, 100213, 100237,
- 100267, 100271, 100279, 100291, 100297, 100313, 100333, 100343, 100357, 100361,
- 100363, 100379, 100391, 100393, 100403, 100411, 100417, 100447, 100459, 100469,
- 100483, 100493, 100501, 100511, 100517, 100519, 100523, 100537, 100547, 100549,
- 100559, 100591, 100609, 100613, 100621, 100649, 100669, 100673, 100693, 100699,
- 100703, 100733, 100741, 100747, 100769, 100787, 100799, 100801, 100811, 100823,
- 100829, 100847, 100853, 100907, 100913, 100927, 100931, 100937, 100943, 100957,
- 100981, 100987, 100999, 101009, 101021, 101027, 101051, 101063, 101081, 101089,
- 101107, 101111, 101113, 101117, 101119, 101141, 101149, 101159, 101161, 101173,
- 101183, 101197, 101203, 101207, 101209, 101221, 101267, 101273, 101279, 101281,
- 101287, 101293, 101323, 101333, 101341, 101347, 101359, 101363, 101377, 101383,
- 101399, 101411, 101419, 101429, 101449, 101467, 101477, 101483, 101489, 101501,
- 101503, 101513, 101527, 101531, 101533, 101537, 101561, 101573, 101581, 101599,
- 101603, 101611, 101627, 101641, 101653, 101663, 101681, 101693, 101701, 101719,
- 101723, 101737, 101741, 101747, 101749, 101771, 101789, 101797, 101807, 101833,
- 101837, 101839, 101863, 101869, 101873, 101879, 101891, 101917, 101921, 101929,
- 101939, 101957, 101963, 101977, 101987, 101999, 102001, 102013, 102019, 102023,
- 102031, 102043, 102059, 102061, 102071, 102077, 102079, 102101, 102103, 102107,
- 102121, 102139, 102149, 102161, 102181, 102191, 102197, 102199, 102203, 102217,
- 102229, 102233, 102241, 102251, 102253, 102259, 102293, 102299, 102301, 102317,
- 102329, 102337, 102359, 102367, 102397, 102407, 102409, 102433, 102437, 102451,
- 102461, 102481, 102497, 102499, 102503, 102523, 102533, 102539, 102547, 102551,
- 102559, 102563, 102587, 102593, 102607, 102611, 102643, 102647, 102653, 102667,
- 102673, 102677, 102679, 102701, 102761, 102763, 102769, 102793, 102797, 102811,
- 102829, 102841, 102859, 102871, 102877, 102881, 102911, 102913, 102929, 102931,
- 102953, 102967, 102983, 103001, 103007, 103043, 103049, 103067, 103069, 103079,
- 103087, 103091, 103093, 103099, 103123, 103141, 103171, 103177, 103183, 103217,
- 103231, 103237, 103289, 103291, 103307, 103319, 103333, 103349, 103357, 103387,
- 103391, 103393, 103399, 103409, 103421, 103423, 103451, 103457, 103471, 103483,
- 103511, 103529, 103549, 103553, 103561, 103567, 103573, 103577, 103583, 103591,
- 103613, 103619, 103643, 103651, 103657, 103669, 103681, 103687, 103699, 103703,
- 103723, 103769, 103787, 103801, 103811, 103813, 103837, 103841, 103843, 103867,
- 103889, 103903, 103913, 103919, 103951, 103963, 103967, 103969, 103979, 103981,
- 103991, 103993, 103997, 104003, 104009, 104021, 104033, 104047, 104053, 104059,
- 104087, 104089, 104107, 104113, 104119, 104123, 104147, 104149, 104161, 104173,
- 104179, 104183, 104207, 104231, 104233, 104239, 104243, 104281, 104287, 104297,
- 104309, 104311, 104323, 104327, 104347, 104369, 104381, 104383, 104393, 104399,
- 104417, 104459, 104471, 104473, 104479, 104491, 104513, 104527, 104537, 104543,
- 104549, 104551, 104561, 104579, 104593, 104597, 104623, 104639, 104651, 104659,
- 104677, 104681, 104683, 104693, 104701, 104707, 104711, 104717, 104723, 104729,
-};
-
-// return 1 if p is divisable by sp, 0 otherwise
-static int
-divides(mpint *dividend, ulong divisor)
-{
- mpdigit d[2], q;
- int i;
-
- d[1] = 0;
- for(i = dividend->top-1; i >= 0; i--){
- d[0] = dividend->p[i];
- mpdigdiv(d, divisor, &q);
- d[1] = d[0] - divisor*q;
- }
- return d[1] == 0;
-}
-
-// return -1 if p is divisable by one of the small primes, 0 otherwise
-int
-smallprimetest(mpint *p)
-{
- int i;
- ulong sp;
-
- for(i = 0; i < nelem(smallprimes); i++){
- sp = smallprimes[i];
- if(p->top == 1 && p->p[0] <= sp)
- break;
- if(divides(p, sp))
- return -1;
- }
- return 0;
-}
--- a/libsec/thumb.c
+++ b/libsec/thumb.c
@@ -7,18 +7,10 @@
enum{ ThumbTab = 1<<10 };
-static void *
-emalloc(int n)
+static Thumbprint*
+tablehead(uchar *sum, Thumbprint *table)
{
- void *p;
- if(n==0)
- n=1;
- p = malloc(n);
- if(p == nil){
- exits("out of memory");
- }
- memset(p, 0, n);
- return p;
+ return &table[((sum[0]<<8) + sum[1]) & (ThumbTab-1)];
}
void
@@ -25,8 +17,11 @@
freeThumbprints(Thumbprint *table)
{
Thumbprint *hd, *p, *q;
+
+ if(table == nil)
+ return;
for(hd = table; hd < table+ThumbTab; hd++){
- for(p = hd->next; p; p = q){
+ for(p = hd->next; p && p != hd; p = q){
q = p->next;
free(p);
}
@@ -37,61 +32,89 @@
int
okThumbprint(uchar *sum, Thumbprint *table)
{
- Thumbprint *p;
- int i = ((sum[0]<<8) + sum[1]) & (ThumbTab-1);
+ Thumbprint *hd, *p;
- for(p = table[i].next; p; p = p->next)
+ if(table == nil)
+ return 0;
+ hd = tablehead(sum, table);
+ for(p = hd->next; p; p = p->next){
if(memcmp(sum, p->sha1, SHA1dlen) == 0)
return 1;
+ if(p == hd)
+ break;
+ }
return 0;
}
-static void
+static int
loadThumbprints(char *file, Thumbprint *table, Thumbprint *crltab)
{
- Thumbprint *entry;
- Biobuf *bin;
+ Thumbprint *hd, *entry;
char *line, *field[50];
uchar sum[SHA1dlen];
- int i;
+ Biobuf *bin;
- bin = Bopen(file, OREAD);
- if(bin == nil)
- return;
- for(; (line = Brdstr(bin, '\n', 1)) != 0; free(line)){
+ if(access(file, AEXIST) < 0)
+ return 0; /* not an error */
+ if((bin = Bopen(file, OREAD)) == nil)
+ return -1;
+ for(; (line = Brdstr(bin, '\n', 1)) != nil; free(line)){
if(tokenize(line, field, nelem(field)) < 2)
continue;
if(strcmp(field[0], "#include") == 0){
- loadThumbprints(field[1], table, crltab);
+ if(loadThumbprints(field[1], table, crltab) < 0)
+ goto err;
continue;
}
- if(strcmp(field[0], "x509") != 0 || strncmp(field[1], "sha1=", strlen("sha1=")) != 0)
+ if(strcmp(field[0], "x509") != 0 || strncmp(field[1], "sha1=", 5) != 0)
continue;
- field[1] += strlen("sha1=");
- dec16(sum, sizeof(sum), field[1], strlen(field[1]));
+ field[1] += 5;
+ if(dec16(sum, SHA1dlen, field[1], strlen(field[1])) != SHA1dlen){
+ werrstr("malformed x509 entry in %s: %s", file, field[1]);
+ goto err;
+ }
if(crltab && okThumbprint(sum, crltab))
continue;
- entry = (Thumbprint*)emalloc(sizeof(*entry));
+ hd = tablehead(sum, table);
+ if(hd->next == nil)
+ entry = hd;
+ else {
+ if((entry = malloc(sizeof(*entry))) == nil)
+ goto err;
+ entry->next = hd->next;
+ }
+ hd->next = entry;
memcpy(entry->sha1, sum, SHA1dlen);
- i = ((sum[0]<<8) + sum[1]) & (ThumbTab-1);
- entry->next = table[i].next;
- table[i].next = entry;
}
Bterm(bin);
+ return 0;
+err:
+ free(line);
+ Bterm(bin);
+ return -1;
}
Thumbprint *
initThumbprints(char *ok, char *crl)
{
- Thumbprint *table, *crltab = nil;
+ Thumbprint *table, *crltab;
+ table = crltab = nil;
if(crl){
- crltab = emalloc(ThumbTab * sizeof(*table));
- loadThumbprints(crl, crltab, nil);
+ if((crltab = malloc(ThumbTab * sizeof(*crltab))) == nil)
+ goto err;
+ memset(crltab, 0, ThumbTab * sizeof(*crltab));
+ if(loadThumbprints(crl, crltab, nil) < 0)
+ goto err;
}
- table = emalloc(ThumbTab * sizeof(*table));
- loadThumbprints(ok, table, crltab);
- free(crltab);
+ if((table = malloc(ThumbTab * sizeof(*table))) == nil)
+ goto err;
+ memset(table, 0, ThumbTab * sizeof(*table));
+ if(loadThumbprints(ok, table, crltab) < 0){
+ freeThumbprints(table);
+ table = nil;
+ }
+err:
+ freeThumbprints(crltab);
return table;
}
-
--- a/libsec/tlshand.c
+++ b/libsec/tlshand.c
@@ -1,6 +1,5 @@
#include <u.h>
#include <libc.h>
-#include <bio.h>
#include <auth.h>
#include <mp.h>
#include <libsec.h>
@@ -17,8 +16,9 @@
enum {
TLSFinishedLen = 12,
SSL3FinishedLen = MD5dlen+SHA1dlen,
- MaxKeyData = 104, // amount of secret we may need
- MaxChunk = 1<<14,
+ MaxKeyData = 160, // amount of secret we may need
+ MaxChunk = 1<<15,
+ MAXdlen = SHA2_512dlen,
RandomSize = 32,
SidSize = 32,
MasterSecretSize = 48,
@@ -46,11 +46,22 @@
int ok;
} Algs;
+typedef struct Namedcurve{
+ int tlsid;
+ void (*init)(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h);
+} Namedcurve;
+
typedef struct Finished{
uchar verify[SSL3FinishedLen];
int n;
} Finished;
+typedef struct HandshakeHash {
+ MD5state md5;
+ SHAstate sha1;
+ SHA2_256state sha2_256;
+} HandshakeHash;
+
typedef struct TlsConnection{
TlsSec *sec; // security management goo
int hand, ctl; // record layer file descriptors
@@ -67,19 +78,23 @@
int state; // must be set using setstate
// input buffer for handshake messages
- uchar buf[MaxChunk+2048];
+ uchar recvbuf[MaxChunk];
uchar *rp, *ep;
+ // output buffer
+ uchar sendbuf[MaxChunk];
+ uchar *sendp;
+
uchar crandom[RandomSize]; // client random
uchar srandom[RandomSize]; // server random
int clientVersion; // version in ClientHello
+ int cipher;
char *digest; // name of digest algorithm to use
char *enc; // name of encryption algorithm to use
int nsecret; // amount of secret data to init keys
// for finished messages
- MD5state hsmd5; // handshake hash
- SHAstate hssha1; // handshake hash
+ HandshakeHash handhash;
Finished finished;
} TlsConnection;
@@ -92,13 +107,15 @@
Bytes* sid;
Ints* ciphers;
Bytes* compressors;
+ Bytes* extensions;
} clientHello;
struct {
int version;
- uchar random[RandomSize];
+ uchar random[RandomSize];
Bytes* sid;
- int cipher;
- int compressor;
+ int cipher;
+ int compressor;
+ Bytes* extensions;
} serverHello;
struct {
int ncert;
@@ -106,12 +123,28 @@
} certificate;
struct {
Bytes *types;
+ Ints *sigalgs;
int nca;
Bytes **cas;
} certificateRequest;
struct {
+ Bytes *pskid;
Bytes *key;
} clientKeyExchange;
+ struct {
+ Bytes *pskid;
+ Bytes *dh_p;
+ Bytes *dh_g;
+ Bytes *dh_Ys;
+ Bytes *dh_parameters;
+ Bytes *dh_signature;
+ int sigalg;
+ int curve;
+ } serverKeyExchange;
+ struct {
+ int sigalg;
+ Bytes *signature;
+ } certificateVerify;
Finished finished;
} u;
} Msg;
@@ -118,9 +151,11 @@
typedef struct TlsSec{
char *server; // name of remote; nil for server
- int ok; // <0 killed; ==0 in progress; >0 reusable
+ int ok; // <0 killed; == 0 in progress; >0 reusable
RSApub *rsapub;
AuthRpc *rpc; // factotum for rsa private key
+ uchar *psk; // pre-shared key
+ int psklen;
uchar sec[MasterSecretSize]; // master secret
uchar crandom[RandomSize]; // client random
uchar srandom[RandomSize]; // server random
@@ -128,16 +163,18 @@
int vers; // final version
// byte generation and handshake checksum
void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int);
- void (*setFinished)(TlsSec*, MD5state, SHAstate, uchar*, int);
+ void (*setFinished)(TlsSec*, HandshakeHash, uchar*, int);
int nfin;
} TlsSec;
enum {
- TLSVersion = 0x0301,
- SSL3Version = 0x0300,
- ProtocolVersion = 0x0301, // maximum version we speak
- MinProtoVersion = 0x0300, // limits on version we accept
+ SSL3Version = 0x0300,
+ TLS10Version = 0x0301,
+ TLS11Version = 0x0302,
+ TLS12Version = 0x0303,
+ ProtocolVersion = TLS12Version, // maximum version we speak
+ MinProtoVersion = 0x0300, // limits on version we accept
MaxProtoVersion = 0x03ff,
};
@@ -183,19 +220,20 @@
EInternalError = 80,
EUserCanceled = 90,
ENoRenegotiation = 100,
+ EUnknownPSKidentity = 115,
EMax = 256
};
// cipher suites
enum {
- TLS_NULL_WITH_NULL_NULL = 0x0000,
- TLS_RSA_WITH_NULL_MD5 = 0x0001,
- TLS_RSA_WITH_NULL_SHA = 0x0002,
- TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
- TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
- TLS_RSA_WITH_RC4_128_SHA = 0x0005,
+ TLS_NULL_WITH_NULL_NULL = 0x0000,
+ TLS_RSA_WITH_NULL_MD5 = 0x0001,
+ TLS_RSA_WITH_NULL_SHA = 0x0002,
+ TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
+ TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
+ TLS_RSA_WITH_RC4_128_SHA = 0x0005,
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0X0006,
- TLS_RSA_WITH_IDEA_CBC_SHA = 0X0007,
+ TLS_RSA_WITH_IDEA_CBC_SHA = 0X0007,
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0008,
TLS_RSA_WITH_DES_CBC_SHA = 0X0009,
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0X000A,
@@ -212,12 +250,11 @@
TLS_DHE_RSA_WITH_DES_CBC_SHA = 0X0015,
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0X0016,
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
- TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
+ TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019,
TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A,
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B,
-
- TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, // aes, aka rijndael with 128 bit blocks
+ TLS_RSA_WITH_AES_128_CBC_SHA = 0X002F, // aes, aka rijndael with 128 bit blocks
TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030,
TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032,
@@ -229,7 +266,25 @@
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039,
TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A,
- CipherMax
+ TLS_RSA_WITH_AES_128_CBC_SHA256 = 0X003C,
+ TLS_RSA_WITH_AES_256_CBC_SHA256 = 0X003D,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0X0067,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0XC013,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0XC014,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
+
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = 0xCCA8,
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = 0xCCA9,
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = 0xCCAA,
+
+ GOOGLE_ECDHE_RSA_WITH_CHACHA20_POLY1305 = 0xCC13,
+ GOOGLE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = 0xCC14,
+ GOOGLE_DHE_RSA_WITH_CHACHA20_POLY1305 = 0xCC15,
+
+ TLS_PSK_WITH_CHACHA20_POLY1305 = 0xCCAB,
+ TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE,
+ TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
};
// compression methods
@@ -239,9 +294,32 @@
};
static Algs cipherAlgs[] = {
- {"rc4_128", "md5", 2 * (16 + MD5dlen), TLS_RSA_WITH_RC4_128_MD5},
- {"rc4_128", "sha1", 2 * (16 + SHA1dlen), TLS_RSA_WITH_RC4_128_SHA},
- {"3des_ede_cbc","sha1",2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
+ {"ccpoly96_aead", "clear", 2*(32+12), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
+ {"ccpoly96_aead", "clear", 2*(32+12), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305},
+ {"ccpoly96_aead", "clear", 2*(32+12), TLS_DHE_RSA_WITH_CHACHA20_POLY1305},
+
+ {"ccpoly64_aead", "clear", 2*32, GOOGLE_ECDHE_RSA_WITH_CHACHA20_POLY1305},
+ {"ccpoly64_aead", "clear", 2*32, GOOGLE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305},
+ {"ccpoly64_aead", "clear", 2*32, GOOGLE_DHE_RSA_WITH_CHACHA20_POLY1305},
+
+ {"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
+ {"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
+ {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
+ {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
+ {"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
+ {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
+ {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
+ {"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_RSA_WITH_AES_128_CBC_SHA256},
+ {"aes_256_cbc", "sha256", 2*(32+16+SHA2_256dlen), TLS_RSA_WITH_AES_256_CBC_SHA256},
+ {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_RSA_WITH_AES_128_CBC_SHA},
+ {"aes_256_cbc", "sha1", 2*(32+16+SHA1dlen), TLS_RSA_WITH_AES_256_CBC_SHA},
+ {"3des_ede_cbc","sha1", 2*(4*8+SHA1dlen), TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA},
+ {"3des_ede_cbc","sha1", 2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA},
+
+ // PSK cipher suits
+ {"ccpoly96_aead", "clear", 2*(32+12), TLS_PSK_WITH_CHACHA20_POLY1305},
+ {"aes_128_cbc", "sha256", 2*(16+16+SHA2_256dlen), TLS_PSK_WITH_AES_128_CBC_SHA256},
+ {"aes_128_cbc", "sha1", 2*(16+16+SHA1dlen), TLS_PSK_WITH_AES_128_CBC_SHA},
};
static uchar compressors[] = {
@@ -248,41 +326,82 @@
CompressionNull,
};
-static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...));
-static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...));
+static Namedcurve namedcurves[] = {
+ 0x0017, secp256r1,
+};
+static uchar pointformats[] = {
+ CompressionNull /* support of uncompressed point format is mandatory */
+};
+
+static struct {
+ DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*);
+ int len;
+} hashfun[] = {
+ [0x01] {md5, MD5dlen},
+ [0x02] {sha1, SHA1dlen},
+ [0x03] {sha2_224, SHA2_224dlen},
+ [0x04] {sha2_256, SHA2_256dlen},
+ [0x05] {sha2_384, SHA2_384dlen},
+ [0x06] {sha2_512, SHA2_512dlen},
+};
+
+// signature algorithms (only RSA and ECDSA at the moment)
+static int sigalgs[] = {
+ 0x0603, /* SHA512 ECDSA */
+ 0x0503, /* SHA384 ECDSA */
+ 0x0403, /* SHA256 ECDSA */
+ 0x0203, /* SHA1 ECDSA */
+
+ 0x0601, /* SHA512 RSA */
+ 0x0501, /* SHA384 RSA */
+ 0x0401, /* SHA256 RSA */
+ 0x0201, /* SHA1 RSA */
+};
+
+static TlsConnection *tlsServer2(int ctl, int hand,
+ uchar *cert, int certlen,
+ char *pskid, uchar *psk, int psklen,
+ int (*trace)(char*fmt, ...), PEMChain *chain);
+static TlsConnection *tlsClient2(int ctl, int hand,
+ uchar *csid, int ncsid,
+ uchar *cert, int certlen,
+ char *pskid, uchar *psk, int psklen,
+ uchar *ext, int extlen, int (*trace)(char*fmt, ...));
static void msgClear(Msg *m);
static char* msgPrint(char *buf, int n, Msg *m);
static int msgRecv(TlsConnection *c, Msg *m);
static int msgSend(TlsConnection *c, Msg *m, int act);
static void tlsError(TlsConnection *c, int err, char *msg, ...);
-#pragma varargck argpos tlsError 3
static int setVersion(TlsConnection *c, int version);
static int finishedMatch(TlsConnection *c, Finished *f);
static void tlsConnectionFree(TlsConnection *c);
static int setAlgs(TlsConnection *c, int a);
-static int okCipher(Ints *cv);
+static int okCipher(Ints *cv, int ispsk);
static int okCompression(Bytes *cv);
static int initCiphers(void);
-static Ints* makeciphers(void);
+static Ints* makeciphers(int ispsk);
-static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
-static int tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd);
+static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom);
+static int tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm);
+static int tlsSecPSKs(TlsSec *sec, int vers);
static TlsSec* tlsSecInitc(int cvers, uchar *crandom);
-static int tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd);
-static int tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient);
+static Bytes* tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers);
+static int tlsSecPSKc(TlsSec *sec, uchar *srandom, int vers);
+static Bytes* tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers, Bytes *p, Bytes *g, Bytes *Ys);
+static Bytes* tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys);
+static int tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient);
static void tlsSecOk(TlsSec *sec);
static void tlsSecKill(TlsSec *sec);
static void tlsSecClose(TlsSec *sec);
static void setMasterSecret(TlsSec *sec, Bytes *pm);
-static void serverMasterSecret(TlsSec *sec, uchar *epm, int nepm);
static void setSecrets(TlsSec *sec, uchar *kd, int nkd);
-static int clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm);
-static Bytes *pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
-static Bytes *pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm);
-static void tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
-static void sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient);
+static Bytes* pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype);
+static Bytes* pkcs1_decrypt(TlsSec *sec, Bytes *cipher);
+static void tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
+static void tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
+static void sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient);
static void sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label,
uchar *seed0, int nseed0, uchar *seed1, int nseed1);
static int setVers(TlsSec *sec, int version);
@@ -301,11 +420,16 @@
static int get16(uchar *p);
static Bytes* newbytes(int len);
static Bytes* makebytes(uchar* buf, int len);
+static Bytes* mptobytes(mpint* big);
+static mpint* bytestomp(Bytes* bytes);
static void freebytes(Bytes* b);
static Ints* newints(int len);
-static Ints* makeints(int* buf, int len);
static void freeints(Ints* b);
+/* x509.c */
+extern mpint* pkcs1padbuf(uchar *buf, int len, mpint *modulus);
+extern int asn1encodedigest(DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*), uchar *digest, uchar *buf, int len);
+
//================= client/server ========================
// push TLS onto fd, returning new (application) file descriptor
@@ -329,8 +453,8 @@
return -1;
}
buf[n] = 0;
- sprint(conn->dir, "#a/tls/%s", buf);
- sprint(dname, "#a/tls/%s/hand", buf);
+ snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
+ snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
hand = open(dname, ORDWR);
if(hand < 0){
close(ctl);
@@ -337,30 +461,108 @@
return -1;
}
fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
- tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace);
- sprint(dname, "#a/tls/%s/data", buf);
+ tls = tlsServer2(ctl, hand,
+ conn->cert, conn->certlen,
+ conn->pskID, conn->psk, conn->psklen,
+ conn->trace, conn->chain);
+ snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
data = open(dname, ORDWR);
- close(fd);
close(hand);
close(ctl);
- if(data < 0){
+ if(data < 0 || tls == nil){
+ if(tls != nil)
+ tlsConnectionFree(tls);
return -1;
}
- if(tls == nil){
- close(data);
- return -1;
- }
- if(conn->cert)
- free(conn->cert);
- conn->cert = 0; // client certificates are not yet implemented
+ free(conn->cert);
+ conn->cert = nil; // client certificates are not yet implemented
conn->certlen = 0;
conn->sessionIDlen = tls->sid->len;
conn->sessionID = emalloc(conn->sessionIDlen);
memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
+ if(conn->sessionKey != nil
+ && conn->sessionType != nil
+ && strcmp(conn->sessionType, "ttls") == 0)
+ tls->sec->prf(
+ conn->sessionKey, conn->sessionKeylen,
+ tls->sec->sec, MasterSecretSize,
+ conn->sessionConst,
+ tls->sec->crandom, RandomSize,
+ tls->sec->srandom, RandomSize);
tlsConnectionFree(tls);
+ close(fd);
return data;
}
+static uchar*
+tlsClientExtensions(TLSconn *conn, int *plen)
+{
+ uchar *b, *p;
+ int i, n, m;
+
+ p = b = nil;
+
+ // RFC6066 - Server Name Identification
+ if(conn->serverName != nil){
+ n = strlen(conn->serverName);
+
+ m = p - b;
+ b = erealloc(b, m + 2+2+2+1+2+n);
+ p = b + m;
+
+ put16(p, 0), p += 2; /* Type: server_name */
+ put16(p, 2+1+2+n), p += 2; /* Length */
+ put16(p, 1+2+n), p += 2; /* Server Name list length */
+ *p++ = 0; /* Server Name Type: host_name */
+ put16(p, n), p += 2; /* Server Name length */
+ memmove(p, conn->serverName, n);
+ p += n;
+ }
+
+ // ECDHE
+ if(1){
+ m = p - b;
+ b = erealloc(b, m + 2+2+2+nelem(namedcurves)*2 + 2+2+1+nelem(pointformats));
+ p = b + m;
+
+ n = nelem(namedcurves);
+ put16(p, 0x000a), p += 2; /* Type: elliptic_curves */
+ put16(p, (n+1)*2), p += 2; /* Length */
+ put16(p, n*2), p += 2; /* Elliptic Curves Length */
+ for(i=0; i < n; i++){ /* Elliptic curves */
+ put16(p, namedcurves[i].tlsid);
+ p += 2;
+ }
+
+ n = nelem(pointformats);
+ put16(p, 0x000b), p += 2; /* Type: ec_point_formats */
+ put16(p, n+1), p += 2; /* Length */
+ *p++ = n; /* EC point formats Length */
+ for(i=0; i < n; i++) /* Elliptic curves point formats */
+ *p++ = pointformats[i];
+ }
+
+ // signature algorithms
+ if(ProtocolVersion >= TLS12Version){
+ n = nelem(sigalgs);
+
+ m = p - b;
+ b = erealloc(b, m + 2+2+2+n*2);
+ p = b + m;
+
+ put16(p, 0x000d), p += 2;
+ put16(p, n*2 + 2), p += 2;
+ put16(p, n*2), p += 2;
+ for(i=0; i < n; i++){
+ put16(p, sigalgs[i]);
+ p += 2;
+ }
+ }
+
+ *plen = p - b;
+ return b;
+}
+
// push TLS onto fd, returning new (application) file descriptor
// or -1 if error.
int
@@ -370,8 +572,9 @@
char dname[64];
int n, data, ctl, hand;
TlsConnection *tls;
+ uchar *ext;
- if(!conn)
+ if(conn == nil)
return -1;
ctl = open("#a/tls/clone", ORDWR);
if(ctl < 0)
@@ -382,20 +585,28 @@
return -1;
}
buf[n] = 0;
- sprint(conn->dir, "#a/tls/%s", buf);
- sprint(dname, "#a/tls/%s/hand", buf);
+ snprint(conn->dir, sizeof(conn->dir), "#a/tls/%s", buf);
+ snprint(dname, sizeof(dname), "#a/tls/%s/hand", buf);
hand = open(dname, ORDWR);
if(hand < 0){
close(ctl);
return -1;
}
- sprint(dname, "#a/tls/%s/data", buf);
+ snprint(dname, sizeof(dname), "#a/tls/%s/data", buf);
data = open(dname, ORDWR);
- if(data < 0)
+ if(data < 0){
+ close(hand);
+ close(ctl);
return -1;
+ }
fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion);
- tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->trace);
- close(fd);
+ ext = tlsClientExtensions(conn, &n);
+ tls = tlsClient2(ctl, hand,
+ conn->sessionID, conn->sessionIDlen,
+ conn->cert, conn->certlen,
+ conn->pskID, conn->psk, conn->psklen,
+ ext, n, conn->trace);
+ free(ext);
close(hand);
close(ctl);
if(tls == nil){
@@ -402,18 +613,48 @@
close(data);
return -1;
}
- conn->certlen = tls->cert->len;
- conn->cert = emalloc(conn->certlen);
- memcpy(conn->cert, tls->cert->data, conn->certlen);
+ if(tls->cert != nil){
+ conn->certlen = tls->cert->len;
+ conn->cert = emalloc(conn->certlen);
+ memcpy(conn->cert, tls->cert->data, conn->certlen);
+ } else {
+ conn->certlen = 0;
+ conn->cert = nil;
+ }
conn->sessionIDlen = tls->sid->len;
conn->sessionID = emalloc(conn->sessionIDlen);
memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen);
+ if(conn->sessionKey != nil
+ && conn->sessionType != nil
+ && strcmp(conn->sessionType, "ttls") == 0)
+ tls->sec->prf(
+ conn->sessionKey, conn->sessionKeylen,
+ tls->sec->sec, MasterSecretSize,
+ conn->sessionConst,
+ tls->sec->crandom, RandomSize,
+ tls->sec->srandom, RandomSize);
tlsConnectionFree(tls);
+ close(fd);
return data;
}
+static int
+countchain(PEMChain *p)
+{
+ int i = 0;
+
+ while (p) {
+ i++;
+ p = p->next;
+ }
+ return i;
+}
+
static TlsConnection *
-tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...))
+tlsServer2(int ctl, int hand,
+ uchar *cert, int certlen,
+ char *pskid, uchar *psk, int psklen,
+ int (*trace)(char*fmt, ...), PEMChain *chp)
{
TlsConnection *c;
Msg m;
@@ -420,7 +661,7 @@
Bytes *csid;
uchar sid[SidSize], kd[MaxKeyData];
char *secrets;
- int cipher, compressor, nsid, rv;
+ int cipher, compressor, nsid, rv, numcerts, i;
if(trace)
trace("tlsServer2\n");
@@ -445,13 +686,13 @@
c->clientVersion = m.u.clientHello.version;
if(trace)
trace("ClientHello version %x\n", c->clientVersion);
- if(setVersion(c, m.u.clientHello.version) < 0) {
+ if(setVersion(c, c->clientVersion) < 0) {
tlsError(c, EIllegalParameter, "incompatible version");
goto Err;
}
memmove(c->crandom, m.u.clientHello.random, RandomSize);
- cipher = okCipher(m.u.clientHello.ciphers);
+ cipher = okCipher(m.u.clientHello.ciphers, psklen > 0);
if(cipher < 0) {
// reply with EInsufficientSecurity if we know that's the case
if(cipher == -2)
@@ -472,18 +713,28 @@
csid = m.u.clientHello.sid;
if(trace)
- trace(" cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len);
+ trace(" cipher %x, compressor %x, csidlen %d\n", cipher, compressor, csid->len);
c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom);
if(c->sec == nil){
tlsError(c, EHandshakeFailure, "can't initialize security: %r");
goto Err;
}
- c->sec->rpc = factotum_rsa_open(cert, ncert);
- if(c->sec->rpc == nil){
- tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
- goto Err;
+ if(psklen > 0){
+ c->sec->psk = psk;
+ c->sec->psklen = psklen;
}
- c->sec->rsapub = X509toRSApub(cert, ncert, nil, 0);
+ if(certlen > 0){
+ c->sec->rpc = factotum_rsa_open(cert, certlen);
+ if(c->sec->rpc == nil){
+ tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
+ goto Err;
+ }
+ c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
+ if(c->sec->rsapub == nil){
+ tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
+ goto Err;
+ }
+ }
msgClear(&m);
m.tag = HServerHello;
@@ -497,13 +748,18 @@
goto Err;
msgClear(&m);
- m.tag = HCertificate;
- m.u.certificate.ncert = 1;
- m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes));
- m.u.certificate.certs[0] = makebytes(cert, ncert);
- if(!msgSend(c, &m, AQueue))
- goto Err;
- msgClear(&m);
+ if(certlen > 0){
+ m.tag = HCertificate;
+ numcerts = countchain(chp);
+ m.u.certificate.ncert = 1 + numcerts;
+ m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
+ m.u.certificate.certs[0] = makebytes(cert, certlen);
+ for (i = 0; i < numcerts && chp; i++, chp = chp->next)
+ m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen);
+ if(!msgSend(c, &m, AQueue))
+ goto Err;
+ msgClear(&m);
+ }
m.tag = HServerHelloDone;
if(!msgSend(c, &m, AFlush))
@@ -516,10 +772,30 @@
tlsError(c, EUnexpectedMessage, "expected a client key exchange");
goto Err;
}
- if(tlsSecSecrets(c->sec, c->version, m.u.clientKeyExchange.key->data, m.u.clientKeyExchange.key->len, kd, c->nsecret) < 0){
- tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
+ if(pskid != nil){
+ if(m.u.clientKeyExchange.pskid == nil
+ || m.u.clientKeyExchange.pskid->len != strlen(pskid)
+ || memcmp(pskid, m.u.clientKeyExchange.pskid->data, m.u.clientKeyExchange.pskid->len) != 0){
+ tlsError(c, EUnknownPSKidentity, "unknown or missing pskid");
+ goto Err;
+ }
+ }
+ if(certlen > 0){
+ if(tlsSecRSAs(c->sec, c->version, m.u.clientKeyExchange.key) < 0){
+ tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
+ goto Err;
+ }
+ } else if(psklen > 0){
+ if(tlsSecPSKs(c->sec, c->version) < 0){
+ tlsError(c, EHandshakeFailure, "couldn't set secrets: %r");
+ goto Err;
+ }
+ } else {
+ tlsError(c, EInternalError, "no psk or certificate");
goto Err;
}
+
+ setSecrets(c->sec, kd, c->nsecret);
if(trace)
trace("tls secrets\n");
secrets = (char*)emalloc(2*c->nsecret);
@@ -535,7 +811,7 @@
msgClear(&m);
/* no CertificateVerify; skip to Finished */
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
+ if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
tlsError(c, EInternalError, "can't set finished: %r");
goto Err;
}
@@ -557,7 +833,7 @@
goto Err;
}
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
+ if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
tlsError(c, EInternalError, "can't set finished: %r");
goto Err;
}
@@ -580,14 +856,235 @@
return 0;
}
+static int
+isDHE(int tlsid)
+{
+ switch(tlsid){
+ case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
+ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
+ case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
+ case TLS_DHE_RSA_WITH_CHACHA20_POLY1305:
+ case GOOGLE_DHE_RSA_WITH_CHACHA20_POLY1305:
+ return 1;
+ }
+ return 0;
+}
+
+static int
+isECDHE(int tlsid)
+{
+ switch(tlsid){
+ case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
+ case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
+
+ case GOOGLE_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
+ case GOOGLE_ECDHE_RSA_WITH_CHACHA20_POLY1305:
+
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
+ return 1;
+ }
+ return 0;
+}
+
+static int
+isPSK(int tlsid)
+{
+ switch(tlsid){
+ case TLS_PSK_WITH_CHACHA20_POLY1305:
+ case TLS_PSK_WITH_AES_128_CBC_SHA256:
+ case TLS_PSK_WITH_AES_128_CBC_SHA:
+ return 1;
+ }
+ return 0;
+}
+
+static Bytes*
+tlsSecDHEc(TlsSec *sec, uchar *srandom, int vers,
+ Bytes *p, Bytes *g, Bytes *Ys)
+{
+ mpint *G, *P, *Y, *K;
+ Bytes *epm;
+ DHstate dh;
+
+ if(p == nil || g == nil || Ys == nil)
+ return nil;
+
+ memmove(sec->srandom, srandom, RandomSize);
+ if(setVers(sec, vers) < 0)
+ return nil;
+
+ epm = nil;
+ P = bytestomp(p);
+ G = bytestomp(g);
+ Y = bytestomp(Ys);
+ K = nil;
+
+ if(P == nil || G == nil || Y == nil || dh_new(&dh, P, nil, G) == nil)
+ goto Out;
+ epm = mptobytes(dh.y);
+ K = dh_finish(&dh, Y);
+ if(K == nil){
+ freebytes(epm);
+ epm = nil;
+ goto Out;
+ }
+ setMasterSecret(sec, mptobytes(K));
+
+Out:
+ mpfree(K);
+ mpfree(Y);
+ mpfree(G);
+ mpfree(P);
+
+ return epm;
+}
+
+static Bytes*
+tlsSecECDHEc(TlsSec *sec, uchar *srandom, int vers, int curve, Bytes *Ys)
+{
+ Namedcurve *nc, *enc;
+ Bytes *epm;
+ ECdomain dom;
+ ECpub *pub;
+ ECpoint K;
+ ECpriv Q;
+
+ if(Ys == nil)
+ return nil;
+
+ enc = &namedcurves[nelem(namedcurves)];
+ for(nc = namedcurves; nc != enc; nc++)
+ if(nc->tlsid == curve)
+ break;
+
+ if(nc == enc)
+ return nil;
+
+ memmove(sec->srandom, srandom, RandomSize);
+ if(setVers(sec, vers) < 0)
+ return nil;
+
+ ecdominit(&dom, nc->init);
+ pub = ecdecodepub(&dom, Ys->data, Ys->len);
+ if(pub == nil){
+ ecdomfree(&dom);
+ return nil;
+ }
+
+ memset(&Q, 0, sizeof(Q));
+ Q.x = mpnew(0);
+ Q.y = mpnew(0);
+ Q.d = mpnew(0);
+
+ memset(&K, 0, sizeof(K));
+ K.x = mpnew(0);
+ K.y = mpnew(0);
+
+ epm = nil;
+ if(ecgen(&dom, &Q) != nil){
+ ecmul(&dom, pub, Q.d, &K);
+ setMasterSecret(sec, mptobytes(K.x));
+ epm = newbytes(1 + 2*((mpsignif(dom.p)+7)/8));
+ epm->len = ecencodepub(&dom, (ECpub*)&Q, epm->data, epm->len);
+ }
+
+ mpfree(K.x);
+ mpfree(K.y);
+ mpfree(Q.x);
+ mpfree(Q.y);
+ mpfree(Q.d);
+
+ ecpubfree(pub);
+ ecdomfree(&dom);
+
+ return epm;
+}
+
+static char*
+verifyDHparams(TlsConnection *c, Bytes *par, Bytes *sig, int sigalg)
+{
+ uchar digest[MAXdlen];
+ int digestlen;
+ ECdomain dom;
+ ECpub *ecpk;
+ RSApub *rsapk;
+ Bytes *blob;
+ char *err;
+
+ if(par == nil || par->len <= 0)
+ return "no dh parameters";
+
+ if(sig == nil || sig->len <= 0){
+ if(c->sec->psklen > 0)
+ return nil;
+ return "no signature";
+ }
+
+ if(c->cert == nil)
+ return "no certificate";
+
+ blob = newbytes(2*RandomSize + par->len);
+ memmove(blob->data+0*RandomSize, c->crandom, RandomSize);
+ memmove(blob->data+1*RandomSize, c->srandom, RandomSize);
+ memmove(blob->data+2*RandomSize, par->data, par->len);
+ if(c->version < TLS12Version){
+ digestlen = MD5dlen + SHA1dlen;
+ md5(blob->data, blob->len, digest, nil);
+ sha1(blob->data, blob->len, digest+MD5dlen, nil);
+ } else {
+ int hashalg = (sigalg>>8) & 0xFF;
+ digestlen = -1;
+ if(hashalg < nelem(hashfun) && hashfun[hashalg].fun != nil){
+ digestlen = hashfun[hashalg].len;
+ (*hashfun[hashalg].fun)(blob->data, blob->len, digest, nil);
+ }
+ }
+ freebytes(blob);
+
+ if(digestlen <= 0)
+ return "unknown signature digest algorithm";
+
+ switch(sigalg & 0xFF){
+ case 0x01:
+ rsapk = X509toRSApub(c->cert->data, c->cert->len, nil, 0);
+ if(rsapk == nil)
+ return "bad certificate";
+ err = X509rsaverifydigest(sig->data, sig->len, digest, digestlen, rsapk);
+ rsapubfree(rsapk);
+ break;
+ case 0x03:
+ ecpk = X509toECpub(c->cert->data, c->cert->len, &dom);
+ if(ecpk == nil)
+ return "bad certificate";
+ err = X509ecdsaverifydigest(sig->data, sig->len, digest, digestlen, &dom, ecpk);
+ ecdomfree(&dom);
+ ecpubfree(ecpk);
+ break;
+ default:
+ err = "signaure algorithm not RSA or ECDSA";
+ }
+
+ return err;
+}
+
static TlsConnection *
-tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...))
+tlsClient2(int ctl, int hand,
+ uchar *csid, int ncsid,
+ uchar *cert, int certlen,
+ char *pskid, uchar *psk, int psklen,
+ uchar *ext, int extlen,
+ int (*trace)(char*fmt, ...))
{
TlsConnection *c;
Msg m;
- uchar kd[MaxKeyData], *epm;
+ uchar kd[MaxKeyData];
char *secrets;
- int creq, nepm, rv;
+ int creq, dhx, rv, cipher;
+ Bytes *epm;
if(!initCiphers())
return nil;
@@ -594,16 +1091,23 @@
epm = nil;
c = emalloc(sizeof(TlsConnection));
c->version = ProtocolVersion;
+
c->ctl = ctl;
c->hand = hand;
c->trace = trace;
c->isClient = 1;
c->clientVersion = c->version;
+ c->cert = nil;
c->sec = tlsSecInitc(c->clientVersion, c->crandom);
if(c->sec == nil)
goto Err;
+ if(psklen > 0){
+ c->sec->psk = psk;
+ c->sec->psklen = psklen;
+ }
+
/* client hello */
memset(&m, 0, sizeof(m));
m.tag = HClientHello;
@@ -610,8 +1114,9 @@
m.u.clientHello.version = c->clientVersion;
memmove(m.u.clientHello.random, c->crandom, RandomSize);
m.u.clientHello.sid = makebytes(csid, ncsid);
- m.u.clientHello.ciphers = makeciphers();
+ m.u.clientHello.ciphers = makeciphers(psklen > 0);
m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors));
+ m.u.clientHello.extensions = makebytes(ext, extlen);
if(!msgSend(c, &m, AFlush))
goto Err;
msgClear(&m);
@@ -624,7 +1129,7 @@
goto Err;
}
if(setVersion(c, m.u.serverHello.version) < 0) {
- tlsError(c, EIllegalParameter, "incompatible version %r");
+ tlsError(c, EIllegalParameter, "incompatible version: %r");
goto Err;
}
memmove(c->srandom, m.u.serverHello.random, RandomSize);
@@ -633,7 +1138,8 @@
tlsError(c, EIllegalParameter, "invalid server session identifier");
goto Err;
}
- if(!setAlgs(c, m.u.serverHello.cipher)) {
+ cipher = m.u.serverHello.cipher;
+ if((psklen > 0) != isPSK(cipher) || !setAlgs(c, cipher)) {
tlsError(c, EIllegalParameter, "invalid cipher suite");
goto Err;
}
@@ -643,26 +1149,53 @@
}
msgClear(&m);
- /* certificate */
- if(!msgRecv(c, &m) || m.tag != HCertificate) {
+ dhx = isDHE(cipher) || isECDHE(cipher);
+ if(!msgRecv(c, &m))
+ goto Err;
+ if(m.tag == HCertificate){
+ if(m.u.certificate.ncert < 1) {
+ tlsError(c, EIllegalParameter, "runt certificate");
+ goto Err;
+ }
+ c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
+ msgClear(&m);
+ if(!msgRecv(c, &m))
+ goto Err;
+ } else if(psklen == 0) {
tlsError(c, EUnexpectedMessage, "expected a certificate");
goto Err;
}
- if(m.u.certificate.ncert < 1) {
- tlsError(c, EIllegalParameter, "runt certificate");
- goto Err;
- }
- c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len);
- msgClear(&m);
-
- /* server key exchange (optional) */
- if(!msgRecv(c, &m))
- goto Err;
if(m.tag == HServerKeyExchange) {
- tlsError(c, EUnexpectedMessage, "got an server key exchange");
+ if(dhx){
+ char *err = verifyDHparams(c,
+ m.u.serverKeyExchange.dh_parameters,
+ m.u.serverKeyExchange.dh_signature,
+ m.u.serverKeyExchange.sigalg);
+ if(err != nil){
+ tlsError(c, EBadCertificate, "can't verify dh parameters: %s", err);
+ goto Err;
+ }
+ if(isECDHE(cipher))
+ epm = tlsSecECDHEc(c->sec, c->srandom, c->version,
+ m.u.serverKeyExchange.curve,
+ m.u.serverKeyExchange.dh_Ys);
+ else
+ epm = tlsSecDHEc(c->sec, c->srandom, c->version,
+ m.u.serverKeyExchange.dh_p,
+ m.u.serverKeyExchange.dh_g,
+ m.u.serverKeyExchange.dh_Ys);
+ if(epm == nil)
+ goto Badcert;
+ } else if(psklen == 0){
+ tlsError(c, EUnexpectedMessage, "got an server key exchange");
+ goto Err;
+ }
+ msgClear(&m);
+ if(!msgRecv(c, &m))
+ goto Err;
+ } else if(dhx){
+ tlsError(c, EUnexpectedMessage, "expected server key exchange");
goto Err;
- // If implementing this later, watch out for rollback attack
- // described in Wagner Schneier 1996, section 4.4.
}
/* certificate request (optional) */
@@ -680,12 +1213,25 @@
}
msgClear(&m);
- if(tlsSecSecretc(c->sec, c->sid->data, c->sid->len, c->srandom,
- c->cert->data, c->cert->len, c->version, &epm, &nepm,
- kd, c->nsecret) < 0){
- tlsError(c, EBadCertificate, "invalid x509/rsa certificate");
- goto Err;
+ if(!dhx){
+ if(c->cert != nil){
+ epm = tlsSecRSAc(c->sec, c->sid->data, c->sid->len, c->srandom,
+ c->cert->data, c->cert->len, c->version);
+ if(epm == nil){
+ Badcert:
+ tlsError(c, EBadCertificate, "bad certificate: %r");
+ goto Err;
+ }
+ } else if(psklen > 0) {
+ if(tlsSecPSKc(c->sec, c->srandom, c->version) < 0)
+ goto Badcert;
+ } else {
+ tlsError(c, EInternalError, "no psk or certificate");
+ goto Err;
+ }
}
+
+ setSecrets(c->sec, kd, c->nsecret);
secrets = (char*)emalloc(2*c->nsecret);
enc64(secrets, 2*c->nsecret, kd, c->nsecret);
rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets);
@@ -698,7 +1244,11 @@
}
if(creq) {
- /* send a zero length certificate */
+ if(cert != nil && certlen > 0){
+ m.u.certificate.ncert = 1;
+ m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes*));
+ m.u.certificate.certs[0] = makebytes(cert, certlen);
+ }
m.tag = HCertificate;
if(!msgSend(c, &m, AFlush))
goto Err;
@@ -707,17 +1257,71 @@
/* client key exchange */
m.tag = HClientKeyExchange;
- m.u.clientKeyExchange.key = makebytes(epm, nepm);
- free(epm);
- epm = nil;
- if(m.u.clientKeyExchange.key == nil) {
- tlsError(c, EHandshakeFailure, "can't set secret: %r");
- goto Err;
+ if(psklen > 0){
+ if(pskid == nil)
+ pskid = "";
+ m.u.clientKeyExchange.pskid = makebytes((uchar*)pskid, strlen(pskid));
}
+ m.u.clientKeyExchange.key = epm;
+ epm = nil;
+
if(!msgSend(c, &m, AFlush))
goto Err;
msgClear(&m);
+ /* certificate verify */
+ if(creq && cert != nil && certlen > 0) {
+ mpint *signedMP, *paddedHashes;
+ HandshakeHash hsave;
+ uchar buf[512];
+ int buflen;
+
+ c->sec->rpc = factotum_rsa_open(cert, certlen);
+ if(c->sec->rpc == nil){
+ tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r");
+ goto Err;
+ }
+ c->sec->rsapub = X509toRSApub(cert, certlen, nil, 0);
+ if(c->sec->rsapub == nil){
+ tlsError(c, EHandshakeFailure, "invalid X509/rsa certificate");
+ goto Err;
+ }
+
+ /* save the state for the Finish message */
+ hsave = c->handhash;
+ if(c->version >= TLS12Version){
+ uchar digest[SHA2_256dlen];
+
+ m.u.certificateVerify.sigalg = 0x0401; /* RSA SHA256 */
+ sha2_256(nil, 0, digest, &c->handhash.sha2_256);
+ buflen = asn1encodedigest(sha2_256, digest, buf, sizeof(buf));
+ } else {
+ md5(nil, 0, buf, &c->handhash.md5);
+ sha1(nil, 0, buf+MD5dlen, &c->handhash.sha1);
+ buflen = MD5dlen+SHA1dlen;
+ }
+ c->handhash = hsave;
+
+ if(buflen <= 0){
+ tlsError(c, EInternalError, "can't encode handshake hashes");
+ goto Err;
+ }
+
+ paddedHashes = pkcs1padbuf(buf, buflen, c->sec->rsapub->n);
+ signedMP = factotum_rsa_decrypt(c->sec->rpc, paddedHashes);
+ if(signedMP == nil){
+ tlsError(c, EHandshakeFailure, "factotum_rsa_decrypt: %r");
+ goto Err;
+ }
+ m.u.certificateVerify.signature = mptobytes(signedMP);
+ mpfree(signedMP);
+
+ m.tag = HCertificateVerify;
+ if(!msgSend(c, &m, AFlush))
+ goto Err;
+ msgClear(&m);
+ }
+
/* change cipher spec */
if(fprint(c->ctl, "changecipher") < 0){
tlsError(c, EInternalError, "can't enable cipher: %r");
@@ -726,32 +1330,27 @@
// Cipherchange must occur immediately before Finished to avoid
// potential hole; see section 4.3 of Wagner Schneier 1996.
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){
+ if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 1) < 0){
tlsError(c, EInternalError, "can't set finished 1: %r");
goto Err;
}
m.tag = HFinished;
m.u.finished = c->finished;
-
if(!msgSend(c, &m, AFlush)) {
- fprint(2, "tlsClient nepm=%d\n", nepm);
tlsError(c, EInternalError, "can't flush after client Finished: %r");
goto Err;
}
msgClear(&m);
- if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){
- fprint(2, "tlsClient nepm=%d\n", nepm);
+ if(tlsSecFinished(c->sec, c->handhash, c->finished.verify, c->finished.n, 0) < 0){
tlsError(c, EInternalError, "can't set finished 0: %r");
goto Err;
}
if(!msgRecv(c, &m)) {
- fprint(2, "tlsClient nepm=%d\n", nepm);
tlsError(c, EInternalError, "can't read server Finished: %r");
goto Err;
}
if(m.tag != HFinished) {
- fprint(2, "tlsClient nepm=%d\n", nepm);
tlsError(c, EUnexpectedMessage, "expected a Finished msg from server");
goto Err;
}
@@ -780,7 +1379,14 @@
//================= message functions ========================
-static uchar sendbuf[9000], *sendp;
+static void
+msgHash(TlsConnection *c, uchar *p, int n)
+{
+ md5(p, n, 0, &c->handhash.md5);
+ sha1(p, n, 0, &c->handhash.sha1);
+ if(c->version >= TLS12Version)
+ sha2_256(p, n, 0, &c->handhash.sha2_256);
+}
static int
msgSend(TlsConnection *c, Msg *m, int act)
@@ -788,11 +1394,11 @@
uchar *p; // sendp = start of new message; p = write pointer
int nn, n, i;
- if(sendp == nil)
- sendp = sendbuf;
- p = sendp;
+ if(c->sendp == nil)
+ c->sendp = c->sendbuf;
+ p = c->sendp;
if(c->trace)
- c->trace("send %s", msgPrint((char*)p, (sizeof sendbuf) - (p-sendbuf), m));
+ c->trace("send %s", msgPrint((char*)p, (sizeof(c->sendbuf)) - (p - c->sendbuf), m));
p[0] = m->tag; // header - fill in size later
p += 4;
@@ -831,6 +1437,15 @@
p[0] = n;
memmove(p+1, m->u.clientHello.compressors->data, n);
p += n+1;
+
+ if(m->u.clientHello.extensions == nil)
+ break;
+ n = m->u.clientHello.extensions->len;
+ if(n == 0)
+ break;
+ put16(p, n);
+ memmove(p+2, m->u.clientHello.extensions->data, n);
+ p += n+2;
break;
case HServerHello:
put16(p, m->u.serverHello.version);
@@ -851,6 +1466,15 @@
p += 2;
p[0] = m->u.serverHello.compressor;
p += 1;
+
+ if(m->u.serverHello.extensions == nil)
+ break;
+ n = m->u.serverHello.extensions->len;
+ if(n == 0)
+ break;
+ put16(p, n);
+ memmove(p+2, m->u.serverHello.extensions->data, n);
+ p += n+2;
break;
case HServerHelloDone:
break;
@@ -858,7 +1482,7 @@
nn = 0;
for(i = 0; i < m->u.certificate.ncert; i++)
nn += 3 + m->u.certificate.certs[i]->len;
- if(p + 3 + nn - sendbuf > sizeof(sendbuf)) {
+ if(p + 3 + nn - c->sendbuf > sizeof(c->sendbuf)) {
tlsError(c, EInternalError, "output buffer too small for certificate");
goto Err;
}
@@ -871,12 +1495,33 @@
p += m->u.certificate.certs[i]->len;
}
break;
+ case HCertificateVerify:
+ if(m->u.certificateVerify.sigalg != 0){
+ put16(p, m->u.certificateVerify.sigalg);
+ p += 2;
+ }
+ put16(p, m->u.certificateVerify.signature->len);
+ p += 2;
+ memmove(p, m->u.certificateVerify.signature->data, m->u.certificateVerify.signature->len);
+ p += m->u.certificateVerify.signature->len;
+ break;
case HClientKeyExchange:
- n = m->u.clientKeyExchange.key->len;
- if(c->version != SSL3Version){
+ if(m->u.clientKeyExchange.pskid != nil){
+ n = m->u.clientKeyExchange.pskid->len;
put16(p, n);
p += 2;
+ memmove(p, m->u.clientKeyExchange.pskid->data, n);
+ p += n;
}
+ if(m->u.clientKeyExchange.key == nil)
+ break;
+ n = m->u.clientKeyExchange.key->len;
+ if(c->version != SSL3Version){
+ if(isECDHE(c->cipher))
+ *p++ = n;
+ else
+ put16(p, n), p += 2;
+ }
memmove(p, m->u.clientKeyExchange.key->data, n);
p += n;
break;
@@ -887,20 +1532,18 @@
}
// go back and fill in size
- n = p-sendp;
- assert(p <= sendbuf+sizeof(sendbuf));
- put24(sendp+1, n-4);
+ n = p - c->sendp;
+ assert(p <= c->sendbuf + sizeof(c->sendbuf));
+ put24(c->sendp+1, n-4);
// remember hash of Handshake messages
- if(m->tag != HHelloRequest) {
- md5(sendp, n, 0, &c->hsmd5);
- sha1(sendp, n, 0, &c->hssha1);
- }
+ if(m->tag != HHelloRequest)
+ msgHash(c, c->sendp, n);
- sendp = p;
+ c->sendp = p;
if(act == AFlush){
- sendp = sendbuf;
- if(write(c->hand, sendbuf, p-sendbuf) < 0){
+ c->sendp = c->sendbuf;
+ if(write(c->hand, c->sendbuf, p - c->sendbuf) < 0){
fprint(2, "write error: %r\n");
goto Err;
}
@@ -920,10 +1563,10 @@
nn = c->ep - c->rp;
if(nn < n){
- if(c->rp != c->buf){
- memmove(c->buf, c->rp, nn);
- c->rp = c->buf;
- c->ep = &c->buf[nn];
+ if(c->rp != c->recvbuf){
+ memmove(c->recvbuf, c->rp, nn);
+ c->rp = c->recvbuf;
+ c->ep = &c->recvbuf[nn];
}
for(; nn < n; nn += nr) {
nr = read(c->hand, &c->rp[nn], n - nn);
@@ -940,7 +1583,7 @@
static int
msgRecv(TlsConnection *c, Msg *m)
{
- uchar *p;
+ uchar *p, *s;
int type, n, nn, i, nsid, nrandom, nciph;
for(;;) {
@@ -958,8 +1601,8 @@
}
}
- if(n > sizeof(c->buf)) {
- tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->buf));
+ if(n > sizeof(c->recvbuf)) {
+ tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->recvbuf));
return 0;
}
@@ -970,8 +1613,7 @@
p = tlsReadN(c, n);
if(p == nil)
return 0;
- md5(p, n, 0, &c->hsmd5);
- sha1(p, n, 0, &c->hssha1);
+ msgHash(c, p, n);
m->tag = HClientHello;
if(n < 22)
goto Short;
@@ -1008,16 +1650,13 @@
m->u.clientHello.compressors->data[0] = CompressionNull;
goto Ok;
}
+ msgHash(c, p, 4);
- md5(p, 4, 0, &c->hsmd5);
- sha1(p, 4, 0, &c->hssha1);
-
p = tlsReadN(c, n);
if(p == nil)
return 0;
- md5(p, n, 0, &c->hsmd5);
- sha1(p, n, 0, &c->hssha1);
+ msgHash(c, p, n);
m->tag = type;
@@ -1060,9 +1699,17 @@
if(n < 1 || n < p[0]+1 || p[0] == 0)
goto Short;
nn = p[0];
- m->u.clientHello.compressors = newbytes(nn);
- memmove(m->u.clientHello.compressors->data, p+1, nn);
+ m->u.clientHello.compressors = makebytes(p+1, nn);
+ p += nn + 1;
n -= nn + 1;
+
+ if(n < 2)
+ break;
+ nn = get16(p);
+ if(nn > n-2)
+ goto Short;
+ m->u.clientHello.extensions = makebytes(p+2, nn);
+ n -= nn + 2;
break;
case HServerHello:
if(n < 2)
@@ -1087,7 +1734,16 @@
goto Short;
m->u.serverHello.cipher = get16(p);
m->u.serverHello.compressor = p[2];
+ p += 3;
n -= 3;
+
+ if(n < 2)
+ break;
+ nn = get16(p);
+ if(nn > n-2)
+ goto Short;
+ m->u.serverHello.extensions = makebytes(p+2, nn);
+ n -= nn + 2;
break;
case HCertificate:
if(n < 3)
@@ -1095,7 +1751,7 @@
nn = get24(p);
p += 3;
n -= 3;
- if(n != nn)
+ if(nn == 0 && n > 0)
goto Short;
/* certs */
i = 0;
@@ -1108,7 +1764,7 @@
if(nn > n)
goto Short;
m->u.certificate.ncert = i+1;
- m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes));
+ m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes*));
m->u.certificate.certs[i] = makebytes(p, nn);
p += nn;
n -= nn;
@@ -1116,19 +1772,39 @@
}
break;
case HCertificateRequest:
+ if(n < 1)
+ goto Short;
+ nn = p[0];
+ p += 1;
+ n -= 1;
+ if(nn > n)
+ goto Short;
+ m->u.certificateRequest.types = makebytes(p, nn);
+ p += nn;
+ n -= nn;
+ if(c->version >= TLS12Version){
+ if(n < 2)
+ goto Short;
+ nn = get16(p);
+ p += 2;
+ n -= 2;
+ if(nn & 1)
+ goto Short;
+ m->u.certificateRequest.sigalgs = newints(nn>>1);
+ for(i = 0; i < nn; i += 2)
+ m->u.certificateRequest.sigalgs->data[i >> 1] = get16(&p[i]);
+ p += nn;
+ n -= nn;
+
+ }
if(n < 2)
goto Short;
nn = get16(p);
p += 2;
n -= 2;
- if(nn < 1 || nn > n)
+ /* nn == 0 can happen; yahoo's servers do it */
+ if(nn != n)
goto Short;
- m->u.certificateRequest.types = makebytes(p, nn);
- nn = get24(p);
- p += 3;
- n -= 3;
- if(nn == 0 || n != nn)
- goto Short;
/* cas */
i = 0;
while(n > 0) {
@@ -1140,7 +1816,8 @@
if(nn < 1 || nn > n)
goto Short;
m->u.certificateRequest.nca = i+1;
- m->u.certificateRequest.cas = erealloc(m->u.certificateRequest.cas, (i+1)*sizeof(Bytes));
+ m->u.certificateRequest.cas = erealloc(
+ m->u.certificateRequest.cas, (i+1)*sizeof(Bytes*));
m->u.certificateRequest.cas[i] = makebytes(p, nn);
p += nn;
n -= nn;
@@ -1149,11 +1826,99 @@
break;
case HServerHelloDone:
break;
+ case HServerKeyExchange:
+ if(isPSK(c->cipher)){
+ if(n < 2)
+ goto Short;
+ nn = get16(p);
+ p += 2, n -= 2;
+ if(nn > n)
+ goto Short;
+ m->u.serverKeyExchange.pskid = makebytes(p, nn);
+ p += nn, n -= nn;
+ if(n == 0)
+ break;
+ }
+ if(n < 2)
+ goto Short;
+ s = p;
+ if(isECDHE(c->cipher)){
+ nn = *p;
+ p++, n--;
+ if(nn != 3 || nn > n) /* not a named curve */
+ goto Short;
+ nn = get16(p);
+ p += 2, n -= 2;
+ m->u.serverKeyExchange.curve = nn;
+
+ nn = *p++, n--;
+ if(nn < 1 || nn > n)
+ goto Short;
+ m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
+ p += nn, n -= nn;
+ }else if(isDHE(c->cipher)){
+ nn = get16(p);
+ p += 2, n -= 2;
+ if(nn < 1 || nn > n)
+ goto Short;
+ m->u.serverKeyExchange.dh_p = makebytes(p, nn);
+ p += nn, n -= nn;
+
+ if(n < 2)
+ goto Short;
+ nn = get16(p);
+ p += 2, n -= 2;
+ if(nn < 1 || nn > n)
+ goto Short;
+ m->u.serverKeyExchange.dh_g = makebytes(p, nn);
+ p += nn, n -= nn;
+
+ if(n < 2)
+ goto Short;
+ nn = get16(p);
+ p += 2, n -= 2;
+ if(nn < 1 || nn > n)
+ goto Short;
+ m->u.serverKeyExchange.dh_Ys = makebytes(p, nn);
+ p += nn, n -= nn;
+ } else {
+ /* should not happen */
+ goto Short;
+ }
+ m->u.serverKeyExchange.dh_parameters = makebytes(s, p - s);
+ if(n >= 2){
+ m->u.serverKeyExchange.sigalg = 0;
+ if(c->version >= TLS12Version){
+ m->u.serverKeyExchange.sigalg = get16(p);
+ p += 2, n -= 2;
+ if(n < 2)
+ goto Short;
+ }
+ nn = get16(p);
+ p += 2, n -= 2;
+ if(nn > 0 && nn <= n){
+ m->u.serverKeyExchange.dh_signature = makebytes(p, nn);
+ n -= nn;
+ }
+ }
+ break;
case HClientKeyExchange:
/*
* this message depends upon the encryption selected
* assume rsa.
*/
+ if(isPSK(c->cipher)){
+ if(n < 2)
+ goto Short;
+ nn = get16(p);
+ p += 2, n -= 2;
+ if(nn > n)
+ goto Short;
+ m->u.clientKeyExchange.pskid = makebytes(p, nn);
+ p += nn, n -= nn;
+ if(n == 0)
+ break;
+ }
if(c->version == SSL3Version)
nn = n;
else{
@@ -1177,16 +1942,18 @@
break;
}
- if(type != HClientHello && n != 0)
+ if(type != HClientHello && type != HServerHello && n != 0)
goto Short;
Ok:
if(c->trace){
- char buf[8000];
- c->trace("recv %s", msgPrint(buf, sizeof buf, m));
+ char *buf;
+ buf = emalloc(8000);
+ c->trace("recv %s", msgPrint(buf, 8000, m));
+ free(buf);
}
return 1;
Short:
- tlsError(c, EDecodeError, "handshake message has invalid length");
+ tlsError(c, EDecodeError, "handshake message (%d) has invalid length", type);
Err:
msgClear(m);
return 0;
@@ -1206,9 +1973,11 @@
freebytes(m->u.clientHello.sid);
freeints(m->u.clientHello.ciphers);
freebytes(m->u.clientHello.compressors);
+ freebytes(m->u.clientHello.extensions);
break;
case HServerHello:
- freebytes(m->u.clientHello.sid);
+ freebytes(m->u.serverHello.sid);
+ freebytes(m->u.serverHello.extensions);
break;
case HCertificate:
for(i=0; i<m->u.certificate.ncert; i++)
@@ -1217,13 +1986,26 @@
break;
case HCertificateRequest:
freebytes(m->u.certificateRequest.types);
+ freeints(m->u.certificateRequest.sigalgs);
for(i=0; i<m->u.certificateRequest.nca; i++)
freebytes(m->u.certificateRequest.cas[i]);
free(m->u.certificateRequest.cas);
break;
+ case HCertificateVerify:
+ freebytes(m->u.certificateVerify.signature);
+ break;
case HServerHelloDone:
break;
+ case HServerKeyExchange:
+ freebytes(m->u.serverKeyExchange.pskid);
+ freebytes(m->u.serverKeyExchange.dh_p);
+ freebytes(m->u.serverKeyExchange.dh_g);
+ freebytes(m->u.serverKeyExchange.dh_Ys);
+ freebytes(m->u.serverKeyExchange.dh_parameters);
+ freebytes(m->u.serverKeyExchange.dh_signature);
+ break;
case HClientKeyExchange:
+ freebytes(m->u.clientKeyExchange.pskid);
freebytes(m->u.clientKeyExchange.key);
break;
case HFinished:
@@ -1239,12 +2021,13 @@
if(s0)
bs = seprint(bs, be, "%s", s0);
- bs = seprint(bs, be, "[");
if(b == nil)
bs = seprint(bs, be, "nil");
- else
+ else {
+ bs = seprint(bs, be, "<%d> [", b->len);
for(i=0; i<b->len; i++)
bs = seprint(bs, be, "%.2x ", b->data[i]);
+ }
bs = seprint(bs, be, "]");
if(s1)
bs = seprint(bs, be, "%s", s1);
@@ -1290,6 +2073,8 @@
bs = bytesPrint(bs, be, "\tsid: ", m->u.clientHello.sid, "\n");
bs = intsPrint(bs, be, "\tciphers: ", m->u.clientHello.ciphers, "\n");
bs = bytesPrint(bs, be, "\tcompressors: ", m->u.clientHello.compressors, "\n");
+ if(m->u.clientHello.extensions != nil)
+ bs = bytesPrint(bs, be, "\textensions: ", m->u.clientHello.extensions, "\n");
break;
case HServerHello:
bs = seprint(bs, be, "ServerHello\n");
@@ -1301,6 +2086,8 @@
bs = bytesPrint(bs, be, "\tsid: ", m->u.serverHello.sid, "\n");
bs = seprint(bs, be, "\tcipher: %.4x\n", m->u.serverHello.cipher);
bs = seprint(bs, be, "\tcompressor: %.2x\n", m->u.serverHello.compressor);
+ if(m->u.serverHello.extensions != nil)
+ bs = bytesPrint(bs, be, "\textensions: ", m->u.serverHello.extensions, "\n");
break;
case HCertificate:
bs = seprint(bs, be, "Certificate\n");
@@ -1310,16 +2097,45 @@
case HCertificateRequest:
bs = seprint(bs, be, "CertificateRequest\n");
bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n");
+ if(m->u.certificateRequest.sigalgs != nil)
+ bs = intsPrint(bs, be, "\tsigalgs: ", m->u.certificateRequest.sigalgs, "\n");
bs = seprint(bs, be, "\tcertificateauthorities\n");
for(i=0; i<m->u.certificateRequest.nca; i++)
bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n");
break;
+ case HCertificateVerify:
+ bs = seprint(bs, be, "HCertificateVerify\n");
+ if(m->u.certificateVerify.sigalg != 0)
+ bs = seprint(bs, be, "\tsigalg: %.4x\n", m->u.certificateVerify.sigalg);
+ bs = bytesPrint(bs, be, "\tsignature: ", m->u.certificateVerify.signature,"\n");
+ break;
case HServerHelloDone:
bs = seprint(bs, be, "ServerHelloDone\n");
break;
+ case HServerKeyExchange:
+ bs = seprint(bs, be, "HServerKeyExchange\n");
+ if(m->u.serverKeyExchange.pskid != nil)
+ bs = bytesPrint(bs, be, "\tpskid: ", m->u.serverKeyExchange.pskid, "\n");
+ if(m->u.serverKeyExchange.dh_parameters == nil)
+ break;
+ if(m->u.serverKeyExchange.curve != 0){
+ bs = seprint(bs, be, "\tcurve: %.4x\n", m->u.serverKeyExchange.curve);
+ } else {
+ bs = bytesPrint(bs, be, "\tdh_p: ", m->u.serverKeyExchange.dh_p, "\n");
+ bs = bytesPrint(bs, be, "\tdh_g: ", m->u.serverKeyExchange.dh_g, "\n");
+ }
+ bs = bytesPrint(bs, be, "\tdh_Ys: ", m->u.serverKeyExchange.dh_Ys, "\n");
+ if(m->u.serverKeyExchange.sigalg != 0)
+ bs = seprint(bs, be, "\tsigalg: %.4x\n", m->u.serverKeyExchange.sigalg);
+ bs = bytesPrint(bs, be, "\tdh_parameters: ", m->u.serverKeyExchange.dh_parameters, "\n");
+ bs = bytesPrint(bs, be, "\tdh_signature: ", m->u.serverKeyExchange.dh_signature, "\n");
+ break;
case HClientKeyExchange:
bs = seprint(bs, be, "HClientKeyExchange\n");
- bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
+ if(m->u.clientKeyExchange.pskid != nil)
+ bs = bytesPrint(bs, be, "\tpskid: ", m->u.clientKeyExchange.pskid, "\n");
+ if(m->u.clientKeyExchange.key != nil)
+ bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n");
break;
case HFinished:
bs = seprint(bs, be, "HFinished\n");
@@ -1362,11 +2178,10 @@
if(version == SSL3Version) {
c->version = version;
c->finished.n = SSL3FinishedLen;
- }else if(version == TLSVersion){
+ }else {
c->version = version;
c->finished.n = TLSFinishedLen;
- }else
- return -1;
+ }
c->verset = 1;
return fprint(c->ctl, "version 0x%x", version);
}
@@ -1375,7 +2190,7 @@
static int
finishedMatch(TlsConnection *c, Finished *f)
{
- return memcmp(f->verify, c->finished.verify, f->n) == 0;
+ return tsmemcmp(f->verify, c->finished.verify, f->n) == 0;
}
// free memory associated with TlsConnection struct
@@ -1386,7 +2201,7 @@
tlsSecClose(c->sec);
freebytes(c->sid);
freebytes(c->cert);
- memset(c, 0, sizeof(c));
+ memset(c, 0, sizeof(*c));
free(c);
}
@@ -1393,36 +2208,36 @@
//================= cipher choices ========================
-static int weakCipher[CipherMax] =
+static char weakCipher[] =
{
- 1, /* TLS_NULL_WITH_NULL_NULL */
- 1, /* TLS_RSA_WITH_NULL_MD5 */
- 1, /* TLS_RSA_WITH_NULL_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
- 0, /* TLS_RSA_WITH_RC4_128_MD5 */
- 0, /* TLS_RSA_WITH_RC4_128_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
- 0, /* TLS_RSA_WITH_IDEA_CBC_SHA */
- 1, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
- 0, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
- 0, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
- 0, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
- 0, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
- 1, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
- 1, /* TLS_DH_anon_WITH_RC4_128_MD5 */
- 1, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
- 1, /* TLS_DH_anon_WITH_DES_CBC_SHA */
- 1, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
+[TLS_NULL_WITH_NULL_NULL] 1,
+[TLS_RSA_WITH_NULL_MD5] 1,
+[TLS_RSA_WITH_NULL_SHA] 1,
+[TLS_RSA_EXPORT_WITH_RC4_40_MD5] 1,
+[TLS_RSA_WITH_RC4_128_MD5] 1,
+[TLS_RSA_WITH_RC4_128_SHA] 1,
+[TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5] 1,
+[TLS_RSA_WITH_IDEA_CBC_SHA] 0,
+[TLS_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_RSA_WITH_DES_CBC_SHA] 0,
+[TLS_RSA_WITH_3DES_EDE_CBC_SHA] 0,
+[TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_DH_DSS_WITH_DES_CBC_SHA] 0,
+[TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA] 0,
+[TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_DH_RSA_WITH_DES_CBC_SHA] 0,
+[TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA] 0,
+[TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_DHE_DSS_WITH_DES_CBC_SHA] 0,
+[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA] 0,
+[TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_DHE_RSA_WITH_DES_CBC_SHA] 0,
+[TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA] 0,
+[TLS_DH_anon_EXPORT_WITH_RC4_40_MD5] 1,
+[TLS_DH_anon_WITH_RC4_128_MD5] 1,
+[TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA] 1,
+[TLS_DH_anon_WITH_DES_CBC_SHA] 1,
+[TLS_DH_anon_WITH_3DES_EDE_CBC_SHA] 1,
};
static int
@@ -1432,6 +2247,7 @@
for(i = 0; i < nelem(cipherAlgs); i++){
if(cipherAlgs[i].tlsid == a){
+ c->cipher = a;
c->enc = cipherAlgs[i].enc;
c->digest = cipherAlgs[i].digest;
c->nsecret = cipherAlgs[i].nsecret;
@@ -1444,7 +2260,7 @@
}
static int
-okCipher(Ints *cv)
+okCipher(Ints *cv, int ispsk)
{
int weak, i, j, c;
@@ -1451,10 +2267,14 @@
weak = 1;
for(i = 0; i < cv->len; i++) {
c = cv->data[i];
- if(c >= CipherMax)
+ if(c >= nelem(weakCipher))
weak = 0;
else
weak &= weakCipher[c];
+ if(isPSK(c) != ispsk)
+ continue;
+ if(isDHE(c) || isECDHE(c))
+ continue; /* TODO: not implemented for server */
for(j = 0; j < nelem(cipherAlgs); j++)
if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
return c;
@@ -1497,13 +2317,13 @@
j = open("#a/tls/encalgs", OREAD);
if(j < 0){
werrstr("can't open #a/tls/encalgs: %r");
- return 0;
+ goto out;
}
n = read(j, s, MaxAlgF-1);
close(j);
if(n <= 0){
werrstr("nothing in #a/tls/encalgs: %r");
- return 0;
+ goto out;
}
s[n] = 0;
n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
@@ -1521,13 +2341,13 @@
j = open("#a/tls/hashalgs", OREAD);
if(j < 0){
werrstr("can't open #a/tls/hashalgs: %r");
- return 0;
+ goto out;
}
n = read(j, s, MaxAlgF-1);
close(j);
if(n <= 0){
werrstr("nothing in #a/tls/hashalgs: %r");
- return 0;
+ goto out;
}
s[n] = 0;
n = getfields(s, flds, MaxAlgs, 1, " \t\r\n");
@@ -1543,12 +2363,13 @@
if(cipherAlgs[i].ok)
nciphers++;
}
+out:
unlock(&ciphLock);
return nciphers;
}
static Ints*
-makeciphers(void)
+makeciphers(int ispsk)
{
Ints *is;
int i, j;
@@ -1555,10 +2376,10 @@
is = newints(nciphers);
j = 0;
- for(i = 0; i < nelem(cipherAlgs); i++){
- if(cipherAlgs[i].ok)
+ for(i = 0; i < nelem(cipherAlgs); i++)
+ if(cipherAlgs[i].ok && isPSK(cipherAlgs[i].tlsid) == ispsk)
is->data[j++] = cipherAlgs[i].tlsid;
- }
+ is->len = j;
return is;
}
@@ -1615,20 +2436,21 @@
char *p;
int rv;
- if((p = mptoa(cipher, 16, nil, 0)) == nil)
+ p = mptoa(cipher, 16, nil, 0);
+ mpfree(cipher);
+ if(p == nil)
return nil;
rv = auth_rpc(rpc, "write", p, strlen(p));
free(p);
if(rv != ARok || auth_rpc(rpc, "read", nil, 0) != ARok)
return nil;
- mpfree(cipher);
return strtomp(rpc->arg, nil, 16, nil);
}
static void
-factotum_rsa_close(AuthRpc*rpc)
+factotum_rsa_close(AuthRpc *rpc)
{
- if(!rpc)
+ if(rpc == nil)
return;
close(rpc->afd);
auth_freerpc(rpc);
@@ -1692,20 +2514,55 @@
}
}
+static void
+p_sha256(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed, int nseed)
+{
+ uchar ai[SHA2_256dlen], tmp[SHA2_256dlen];
+ SHAstate *s;
+ int n;
+
+ // generate a1
+ s = hmac_sha2_256(label, nlabel, key, nkey, nil, nil);
+ hmac_sha2_256(seed, nseed, key, nkey, ai, s);
+
+ while(nbuf > 0) {
+ s = hmac_sha2_256(ai, SHA2_256dlen, key, nkey, nil, nil);
+ s = hmac_sha2_256(label, nlabel, key, nkey, nil, s);
+ hmac_sha2_256(seed, nseed, key, nkey, tmp, s);
+ n = SHA2_256dlen;
+ if(n > nbuf)
+ n = nbuf;
+ memmove(buf, tmp, n);
+ buf += n;
+ nbuf -= n;
+ hmac_sha2_256(ai, SHA2_256dlen, key, nkey, tmp, nil);
+ memmove(ai, tmp, SHA2_256dlen);
+ }
+}
+
// fill buf with md5(args)^sha1(args)
static void
-tlsPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
+tls10PRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
{
- int i;
int nlabel = strlen(label);
int n = (nkey + 1) >> 1;
- for(i = 0; i < nbuf; i++)
- buf[i] = 0;
+ memset(buf, 0, nbuf);
tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1);
}
+static void
+tls12PRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
+{
+ uchar seed[2*RandomSize];
+
+ assert(nseed0+nseed1 <= sizeof(seed));
+ memmove(seed, seed0, nseed0);
+ memmove(seed+nseed0, seed1, nseed1);
+ p_sha256(buf, nbuf, key, nkey, (uchar*)label, strlen(label), seed, nseed0+nseed1);
+}
+
/*
* for setting server session id's
*/
@@ -1742,17 +2599,29 @@
}
static int
-tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd)
+tlsSecRSAs(TlsSec *sec, int vers, Bytes *epm)
{
- if(epm != nil){
- if(setVers(sec, vers) < 0)
- goto Err;
- serverMasterSecret(sec, epm, nepm);
- }else if(sec->vers != vers){
- werrstr("mismatched session versions");
+ Bytes *pm;
+
+ if(setVers(sec, vers) < 0)
goto Err;
+ if(epm == nil){
+ werrstr("no encrypted premaster secret");
+ goto Err;
}
- setSecrets(sec, kd, nkd);
+ // if the client messed up, just continue as if everything is ok,
+ // to prevent attacks to check for correctly formatted messages.
+ // Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client.
+ pm = pkcs1_decrypt(sec, epm);
+ if(sec->ok < 0 || pm == nil || pm->len != MasterSecretSize || get16(pm->data) != sec->clientVers){
+ fprint(2, "tlsSecRSAs failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
+ sec->ok, pm, pm != nil ? get16(pm->data) : -1, sec->clientVers, epm->len);
+ sec->ok = -1;
+ freebytes(pm);
+ pm = newbytes(MasterSecretSize);
+ genrandom(pm->data, MasterSecretSize);
+ }
+ setMasterSecret(sec, pm);
return 0;
Err:
sec->ok = -1;
@@ -1759,6 +2628,17 @@
return -1;
}
+static int
+tlsSecPSKs(TlsSec *sec, int vers)
+{
+ if(setVers(sec, vers) < 0){
+ sec->ok = -1;
+ return -1;
+ }
+ setMasterSecret(sec, newbytes(sec->psklen));
+ return 0;
+}
+
static TlsSec*
tlsSecInitc(int cvers, uchar *crandom)
{
@@ -1771,40 +2651,49 @@
}
static int
-tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd)
+tlsSecPSKc(TlsSec *sec, uchar *srandom, int vers)
{
+ memmove(sec->srandom, srandom, RandomSize);
+ if(setVers(sec, vers) < 0){
+ sec->ok = -1;
+ return -1;
+ }
+ setMasterSecret(sec, newbytes(sec->psklen));
+ return 0;
+}
+
+static Bytes*
+tlsSecRSAc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers)
+{
RSApub *pub;
+ Bytes *pm, *epm;
- pub = nil;
-
USED(sid);
USED(nsid);
memmove(sec->srandom, srandom, RandomSize);
-
if(setVers(sec, vers) < 0)
goto Err;
-
pub = X509toRSApub(cert, ncert, nil, 0);
if(pub == nil){
werrstr("invalid x509/rsa certificate");
goto Err;
}
- if(clientMasterSecret(sec, pub, epm, nepm) < 0)
- goto Err;
+ pm = newbytes(MasterSecretSize);
+ put16(pm->data, sec->clientVers);
+ genrandom(pm->data+2, MasterSecretSize - 2);
+ epm = pkcs1_encrypt(pm, pub, 2);
+ setMasterSecret(sec, pm);
rsapubfree(pub);
- setSecrets(sec, kd, nkd);
- return 0;
-
+ if(epm != nil)
+ return epm;
Err:
- if(pub != nil)
- rsapubfree(pub);
sec->ok = -1;
- return -1;
+ return nil;
}
static int
-tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient)
+tlsSecFinished(TlsSec *sec, HandshakeHash hsh, uchar *fin, int nfin, int isclient)
{
if(sec->nfin != nfin){
sec->ok = -1;
@@ -1811,9 +2700,10 @@
werrstr("invalid finished exchange");
return -1;
}
- md5.malloced = 0;
- sha1.malloced = 0;
- (*sec->setFinished)(sec, md5, sha1, fin, isclient);
+ hsh.md5.malloced = 0;
+ hsh.sha1.malloced = 0;
+ hsh.sha2_256.malloced = 0;
+ (*sec->setFinished)(sec, hsh, fin, isclient);
return 1;
}
@@ -1836,7 +2726,7 @@
static void
tlsSecClose(TlsSec *sec)
{
- if(!sec)
+ if(sec == nil)
return;
factotum_rsa_close(sec->rpc);
free(sec->server);
@@ -1850,13 +2740,14 @@
sec->setFinished = sslSetFinished;
sec->nfin = SSL3FinishedLen;
sec->prf = sslPRF;
- }else if(v == TLSVersion){
- sec->setFinished = tlsSetFinished;
+ }else if(v < TLS12Version) {
+ sec->setFinished = tls10SetFinished;
sec->nfin = TLSFinishedLen;
- sec->prf = tlsPRF;
- }else{
- werrstr("invalid version");
- return -1;
+ sec->prf = tls10PRF;
+ }else {
+ sec->setFinished = tls12SetFinished;
+ sec->nfin = TLSFinishedLen;
+ sec->prf = tls12PRF;
}
sec->vers = v;
return 0;
@@ -1877,74 +2768,37 @@
}
/*
- * set the master secret from the pre-master secret.
+ * set the master secret from the pre-master secret,
+ * destroys premaster.
*/
static void
setMasterSecret(TlsSec *sec, Bytes *pm)
{
- (*sec->prf)(sec->sec, MasterSecretSize, pm->data, MasterSecretSize, "master secret",
- sec->crandom, RandomSize, sec->srandom, RandomSize);
-}
+ if(sec->psklen > 0){
+ Bytes *opm = pm;
+ uchar *p;
-static void
-serverMasterSecret(TlsSec *sec, uchar *epm, int nepm)
-{
- Bytes *pm;
+ /* concatenate psk to pre-master secret */
+ pm = newbytes(4 + opm->len + sec->psklen);
+ p = pm->data;
+ put16(p, opm->len), p += 2;
+ memmove(p, opm->data, opm->len), p += opm->len;
+ put16(p, sec->psklen), p += 2;
+ memmove(p, sec->psk, sec->psklen);
- pm = pkcs1_decrypt(sec, epm, nepm);
-
- // if the client messed up, just continue as if everything is ok,
- // to prevent attacks to check for correctly formatted messages.
- // Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client.
- if(sec->ok < 0 || pm == nil || get16(pm->data) != sec->clientVers){
- fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n",
- sec->ok, pm, pm ? get16(pm->data) : -1, sec->clientVers, nepm);
- sec->ok = -1;
- if(pm != nil)
- freebytes(pm);
- pm = newbytes(MasterSecretSize);
- genrandom(pm->data, MasterSecretSize);
+ memset(opm->data, 0, opm->len);
+ freebytes(opm);
}
- setMasterSecret(sec, pm);
- memset(pm->data, 0, pm->len);
- freebytes(pm);
-}
-static int
-clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm)
-{
- Bytes *pm, *key;
+ (*sec->prf)(sec->sec, MasterSecretSize, pm->data, pm->len, "master secret",
+ sec->crandom, RandomSize, sec->srandom, RandomSize);
- pm = newbytes(MasterSecretSize);
- put16(pm->data, sec->clientVers);
- genrandom(pm->data+2, MasterSecretSize - 2);
-
- setMasterSecret(sec, pm);
-
- key = pkcs1_encrypt(pm, pub, 2);
- memset(pm->data, 0, pm->len);
+ memset(pm->data, 0, pm->len);
freebytes(pm);
- if(key == nil){
- werrstr("tls pkcs1_encrypt failed");
- return -1;
- }
-
- *nepm = key->len;
- *epm = malloc(*nepm);
- if(*epm == nil){
- freebytes(key);
- werrstr("out of memory");
- return -1;
- }
- memmove(*epm, key->data, *nepm);
-
- freebytes(key);
-
- return 1;
}
static void
-sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
+sslSetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
{
DigestState *s;
uchar h0[MD5dlen], h1[SHA1dlen], pad[48];
@@ -1955,21 +2809,21 @@
else
label = "SRVR";
- md5((uchar*)label, 4, nil, &hsmd5);
- md5(sec->sec, MasterSecretSize, nil, &hsmd5);
+ md5((uchar*)label, 4, nil, &hsh.md5);
+ md5(sec->sec, MasterSecretSize, nil, &hsh.md5);
memset(pad, 0x36, 48);
- md5(pad, 48, nil, &hsmd5);
- md5(nil, 0, h0, &hsmd5);
+ md5(pad, 48, nil, &hsh.md5);
+ md5(nil, 0, h0, &hsh.md5);
memset(pad, 0x5C, 48);
s = md5(sec->sec, MasterSecretSize, nil, nil);
s = md5(pad, 48, nil, s);
md5(h0, MD5dlen, finished, s);
- sha1((uchar*)label, 4, nil, &hssha1);
- sha1(sec->sec, MasterSecretSize, nil, &hssha1);
+ sha1((uchar*)label, 4, nil, &hsh.sha1);
+ sha1(sec->sec, MasterSecretSize, nil, &hsh.sha1);
memset(pad, 0x36, 40);
- sha1(pad, 40, nil, &hssha1);
- sha1(nil, 0, h1, &hssha1);
+ sha1(pad, 40, nil, &hsh.sha1);
+ sha1(nil, 0, h1, &hsh.sha1);
memset(pad, 0x5C, 40);
s = sha1(sec->sec, MasterSecretSize, nil, nil);
s = sha1(pad, 40, nil, s);
@@ -1978,27 +2832,43 @@
// fill "finished" arg with md5(args)^sha1(args)
static void
-tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient)
+tls10SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
{
uchar h0[MD5dlen], h1[SHA1dlen];
char *label;
// get current hash value, but allow further messages to be hashed in
- md5(nil, 0, h0, &hsmd5);
- sha1(nil, 0, h1, &hssha1);
+ md5(nil, 0, h0, &hsh.md5);
+ sha1(nil, 0, h1, &hsh.sha1);
if(isClient)
label = "client finished";
else
label = "server finished";
- tlsPRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
+ tls10PRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen);
}
static void
+tls12SetFinished(TlsSec *sec, HandshakeHash hsh, uchar *finished, int isClient)
+{
+ uchar seed[SHA2_256dlen];
+ char *label;
+
+ // get current hash value, but allow further messages to be hashed in
+ sha2_256(nil, 0, seed, &hsh.sha2_256);
+
+ if(isClient)
+ label = "client finished";
+ else
+ label = "server finished";
+ p_sha256(finished, TLSFinishedLen, sec->sec, MasterSecretSize, (uchar*)label, strlen(label), seed, SHA2_256dlen);
+}
+
+static void
sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1)
{
- DigestState *s;
uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26];
+ DigestState *s;
int i, n, len;
USED(label);
@@ -2027,10 +2897,7 @@
static mpint*
bytestomp(Bytes* bytes)
{
- mpint* ans;
-
- ans = betomp(bytes->data, bytes->len, nil);
- return ans;
+ return betomp(bytes->data, bytes->len, nil);
}
/*
@@ -2039,13 +2906,13 @@
static Bytes*
mptobytes(mpint* big)
{
- int n, m;
- uchar *a;
Bytes* ans;
+ int n;
n = (mpsignif(big)+7)/8;
- m = mptobe(big, nil, n, &a);
- ans = makebytes(a, m);
+ if(n == 0) n = 1;
+ ans = newbytes(n);
+ mptober(big, ans->data, ans->len);
return ans;
}
@@ -2063,6 +2930,7 @@
mpfree(x);
ybytes = mptobytes(y);
ylen = ybytes->len;
+ mpfree(y);
if(ylen < modlen) {
a = newbytes(modlen);
@@ -2078,7 +2946,6 @@
freebytes(ybytes);
ybytes = a;
}
- mpfree(y);
return ybytes;
}
@@ -2119,36 +2986,34 @@
// decrypt data according to PKCS#1, with given key.
// expect a block type of 2.
static Bytes*
-pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm)
+pkcs1_decrypt(TlsSec *sec, Bytes *cipher)
{
- Bytes *eb, *ans = nil;
+ Bytes *eb;
int i, modlen;
mpint *x, *y;
modlen = (mpsignif(sec->rsapub->n)+7)/8;
- if(nepm != modlen)
+ if(cipher->len != modlen)
return nil;
- x = betomp(epm, nepm, nil);
+ x = bytestomp(cipher);
y = factotum_rsa_decrypt(sec->rpc, x);
if(y == nil)
return nil;
- eb = mptobytes(y);
- if(eb->len < modlen){ // pad on left with zeros
- ans = newbytes(modlen);
- memset(ans->data, 0, modlen-eb->len);
- memmove(ans->data+modlen-eb->len, eb->data, eb->len);
- freebytes(eb);
- eb = ans;
- }
+ eb = newbytes(modlen);
+ mptober(y, eb->data, eb->len);
+ mpfree(y);
if(eb->data[0] == 0 && eb->data[1] == 2) {
- for(i = 2; i < modlen; i++)
+ for(i = 2; i < eb->len; i++)
if(eb->data[i] == 0)
break;
- if(i < modlen - 1)
- ans = makebytes(eb->data+i+1, modlen-(i+1));
+ if(++i < eb->len){
+ eb->len -= i;
+ memmove(eb->data, eb->data+i, eb->len);
+ return eb;
+ }
}
freebytes(eb);
- return ans;
+ return nil;
}
@@ -2161,10 +3026,10 @@
if(n==0)
n=1;
p = malloc(n);
- if(p == nil){
- exits("out of memory");
- }
+ if(p == nil)
+ sysfatal("out of memory");
memset(p, 0, n);
+ setmalloctag(p, getcallerpc(&n));
return p;
}
@@ -2173,11 +3038,11 @@
{
if(ReallocN == 0)
ReallocN = 1;
- if(!ReallocP)
+ if(ReallocP == nil)
ReallocP = emalloc(ReallocN);
- else if(!(ReallocP = realloc(ReallocP, ReallocN))){
- exits("out of memory");
- }
+ else if((ReallocP = realloc(ReallocP, ReallocN)) == nil)
+ sysfatal("out of memory");
+ setrealloctag(ReallocP, getcallerpc(&ReallocP));
return(ReallocP);
}
@@ -2223,20 +3088,14 @@
return (p[0]<<8)|p[1];
}
-/* ANSI offsetof() */
-#define OFFSET(x, s) ((int)(&(((s*)0)->x)))
-
-/*
- * malloc and return a new Bytes structure capable of
- * holding len bytes. (len >= 0)
- * Used to use crypt_malloc, which aborts if malloc fails.
- */
static Bytes*
newbytes(int len)
{
Bytes* ans;
- ans = (Bytes*)malloc(OFFSET(data[0], Bytes) + len);
+ if(len < 0)
+ abort();
+ ans = emalloc(sizeof(Bytes) + len);
ans->len = len;
return ans;
}
@@ -2257,8 +3116,7 @@
static void
freebytes(Bytes* b)
{
- if(b != nil)
- free(b);
+ free(b);
}
/* len is number of ints */
@@ -2267,25 +3125,15 @@
{
Ints* ans;
- ans = (Ints*)malloc(OFFSET(data[0], Ints) + len*sizeof(int));
+ if(len < 0 || len > ((uint)-1>>1)/sizeof(int))
+ abort();
+ ans = emalloc(sizeof(Ints) + len*sizeof(int));
ans->len = len;
return ans;
}
-static Ints*
-makeints(int* buf, int len)
-{
- Ints* ans;
-
- ans = newints(len);
- if(len > 0)
- memmove(ans->data, buf, len*sizeof(int));
- return ans;
-}
-
static void
freeints(Ints* b)
{
- if(b != nil)
- free(b);
+ free(b);
}
--- /dev/null
+++ b/libsec/tsmemcmp.c
@@ -1,0 +1,26 @@
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+/*
+ * timing safe memcmp()
+ */
+int
+tsmemcmp(void *a1, void *a2, ulong n)
+{
+ int lt, gt, c1, c2, r, m;
+ uchar *s1, *s2;
+
+ r = m = 0;
+ s1 = a1;
+ s2 = a2;
+ while(n--){
+ c1 = *s1++;
+ c2 = *s2++;
+ lt = (c1 - c2) >> 8;
+ gt = (c2 - c1) >> 8;
+ r |= (lt - gt) & ~m;
+ m |= lt | gt;
+ }
+ return r;
+}
--- a/libsec/x509.c
+++ b/libsec/x509.c
@@ -3,11 +3,6 @@
#include <mp.h>
#include <libsec.h>
-typedef DigestState*(*DigestFun)(uchar*,ulong,uchar*,DigestState*);
-
-/* ANSI offsetof, backwards. */
-#define OFFSETOF(a, b) offsetof(b, a)
-
/*=============================================================*/
/* general ASN1 declarations and parsing
*
@@ -40,6 +35,7 @@
#define REAL 9
#define ENUMERATED 10
#define EMBEDDED_PDV 11
+#define UTF8String 12
#define SEQUENCE 16 /* also SEQUENCE OF */
#define SETOF 17 /* also SETOF OF */
#define NumericString 18
@@ -62,13 +58,13 @@
struct Ints {
int len;
- int data[1];
+ int data[];
};
struct Bits {
int len; /* number of bytes */
int unusedbits; /* unused bits in last byte */
- uchar data[1]; /* most-significant bit first */
+ uchar data[]; /* most-significant bit first */
};
struct Tag {
@@ -134,15 +130,12 @@
static int is_string(Elem* pe, char** pstring);
static int is_time(Elem* pe, char** ptime);
static int decode(uchar* a, int alen, Elem* pelem);
-static int decode_seq(uchar* a, int alen, Elist** pelist);
-static int decode_value(uchar* a, int alen, int kind, int isconstr, Value* pval);
static int encode(Elem e, Bytes** pbytes);
static int oid_lookup(Ints* o, Ints** tab);
static void freevalfields(Value* v);
static mpint *asn1mpint(Elem *e);
+static void edump(Elem);
-
-
#define TAG_MASK 0x1F
#define CONSTR_MASK 0x20
#define CLASS_MASK 0xC0
@@ -168,10 +161,10 @@
if(n==0)
n=1;
p = malloc(n);
- if(p == nil){
- exits("out of memory");
- }
+ if(p == nil)
+ sysfatal("out of memory");
memset(p, 0, n);
+ setmalloctag(p, getcallerpc(&n));
return p;
}
@@ -178,14 +171,13 @@
static char*
estrdup(char *s)
{
- char *d, *d0;
+ char *d;
+ int n;
- if(!s)
- return 0;
- d = d0 = emalloc(strlen(s)+1);
- while(*d++ = *s++)
- ;
- return d0;
+ n = strlen(s)+1;
+ d = emalloc(n);
+ memmove(d, s, n);
+ return d;
}
@@ -199,40 +191,15 @@
decode(uchar* a, int alen, Elem* pelem)
{
uchar* p = a;
+ int err;
- return ber_decode(&p, &a[alen], pelem);
+ err = ber_decode(&p, &a[alen], pelem);
+ if(err == ASN_OK && p != &a[alen])
+ err = ASN_EVALLEN;
+ return err;
}
/*
- * Like decode, but continue decoding after first element
- * of array ends.
- */
-static int
-decode_seq(uchar* a, int alen, Elist** pelist)
-{
- uchar* p = a;
-
- return seq_decode(&p, &a[alen], -1, 1, pelist);
-}
-
-/*
- * Decode the whole array as a BER encoding of an ASN1 value,
- * (i.e., the part after the tag and length).
- * Assume the value is encoded as universal tag "kind".
- * The constr arg is 1 if the value is constructed, 0 if primitive.
- * If there's an error, the return string will contain the error.
- * Depending on the error, the returned value may or may not
- * be nil.
- */
-static int
-decode_value(uchar* a, int alen, int kind, int isconstr, Value* pval)
-{
- uchar* p = a;
-
- return value_decode(&p, &a[alen], alen, kind, isconstr, pval);
-}
-
-/*
* All of the following decoding routines take arguments:
* uchar **pp;
* uchar *pend;
@@ -255,6 +222,7 @@
Tag tag;
Value val;
+ memset(pelem, 0, sizeof(*pelem));
err = tag_decode(pp, pend, &tag, &isconstr);
if(err == ASN_OK) {
err = length_decode(pp, pend, &length);
@@ -316,8 +284,6 @@
v = *p++;
if(v&0x80)
err = int_decode(&p, pend, v&0x7F, 1, &num);
- else if(v == 0x80)
- num = -1;
else
num = v;
}
@@ -398,8 +364,7 @@
pval->u.bitstringval = makebits(0, 0, 0);
p += 2;
}
- else
- /* TODO: recurse and concat results */
+ else /* TODO: recurse and concat results */
err = ASN_EUNIMPL;
}
else {
@@ -513,7 +478,7 @@
pval->u.setval = vl;
}
break;
-
+ case UTF8String:
case NumericString:
case PrintableString:
case TeletexString:
@@ -573,7 +538,7 @@
err = ASN_ETOOBIG;
else {
if(!unsgned && count > 0 && count < 4 && (*p&0x80))
- num = -1; // set all bits, initially
+ num = -1; /* set all bits, initially */
while(count--)
num = (num << 8)|(*p++);
}
@@ -661,18 +626,17 @@
switch(elem.val.tag) {
case VOctets:
newans = catbytes(ans, elem.val.u.octetsval);
+ freevalfields(&elem.val);
freebytes(ans);
ans = newans;
break;
case VEOC:
- if(length != -1) {
- p = pold;
- err = ASN_EINVAL;
- }
- goto cloop_done;
-
+ if(length == -1)
+ goto cloop_done;
+ /* no break */
default:
+ freevalfields(&elem.val);
p = pold;
err = ASN_EINVAL;
goto cloop_done;
@@ -679,7 +643,10 @@
}
}
cloop_done:
- ;
+ if(err != ASN_OK){
+ freebytes(ans);
+ ans = nil;
+ }
}
*pp = p;
*pbytes = ans;
@@ -732,7 +699,9 @@
else
lve = mkel(elem, lve);
}
- if(err == ASN_OK) {
+ if(err != ASN_OK)
+ freeelist(lve);
+ else {
/* reverse back to original order */
while(lve != nil) {
lveold = lve;
@@ -972,8 +941,8 @@
memmove(p, bb->data, bb->len);
p += bb->len;
}
- else
- err = ASN_EINVAL;
+ else
+ err = ASN_EINVAL;
break;
case NULLTAG:
@@ -1014,6 +983,7 @@
}
break;
+ case UTF8String:
case NumericString:
case PrintableString:
case TeletexString:
@@ -1189,21 +1159,8 @@
static int
is_bigint(Elem* pe, Bytes** pbigint)
{
- int v, n, i;
-
- if(pe->tag.class == Universal && pe->tag.num == INTEGER) {
- if(pe->val.tag == VBigInt)
- *pbigint = pe->val.u.bigintval;
- else if(pe->val.tag == VInt){
- v = pe->val.u.intval;
- for(n = 1; n < 4; n++)
- if((1 << (8 * n)) > v)
- break;
- *pbigint = newbytes(n);
- for(i = 0; i < n; i++)
- (*pbigint)->data[i] = (v >> ((n - 1 - i) * 8));
- }else
- return 0;
+ if(pe->tag.class == Universal && pe->tag.num == INTEGER && pe->val.tag == VBigInt) {
+ *pbigint = pe->val.u.bigintval;
return 1;
}
return 0;
@@ -1244,6 +1201,7 @@
{
if(pe->tag.class == Universal) {
switch(pe->tag.num) {
+ case UTF8String:
case NumericString:
case PrintableString:
case TeletexString:
@@ -1285,7 +1243,9 @@
{
Bytes* ans;
- ans = (Bytes*)emalloc(OFFSETOF(data[0], Bytes) + len);
+ if(len < 0)
+ abort();
+ ans = emalloc(sizeof(Bytes) + len);
ans->len = len;
return ans;
}
@@ -1306,8 +1266,7 @@
static void
freebytes(Bytes* b)
{
- if(b != nil)
- free(b);
+ free(b);
}
/*
@@ -1345,7 +1304,9 @@
{
Ints* ans;
- ans = (Ints*)emalloc(OFFSETOF(data[0], Ints) + len*sizeof(int));
+ if(len < 0 || len > ((uint)-1>>1)/sizeof(int))
+ abort();
+ ans = emalloc(sizeof(Ints) + len*sizeof(int));
ans->len = len;
return ans;
}
@@ -1356,8 +1317,7 @@
Ints* ans;
ans = newints(len);
- if(len > 0)
- memmove(ans->data, buf, len*sizeof(int));
+ memmove(ans->data, buf, len*sizeof(int));
return ans;
}
@@ -1364,8 +1324,7 @@
static void
freeints(Ints* b)
{
- if(b != nil)
- free(b);
+ free(b);
}
/* len is number of bytes */
@@ -1374,7 +1333,9 @@
{
Bits* ans;
- ans = (Bits*)emalloc(OFFSETOF(data[0], Bits) + len);
+ if(len < 0)
+ abort();
+ ans = emalloc(sizeof(Bits) + len);
ans->len = len;
ans->unusedbits = 0;
return ans;
@@ -1394,8 +1355,7 @@
static void
freebits(Bits* b)
{
- if(b != nil)
- free(b);
+ free(b);
}
static Elist*
@@ -1404,6 +1364,7 @@
Elist* el;
el = (Elist*)emalloc(sizeof(Elist));
+ setmalloctag(el, getcallerpc(&e));
el->hd = e;
el->tl = tail;
return el;
@@ -1461,7 +1422,7 @@
freeints(v->u.objidval);
break;
case VString:
- if (v->u.stringval)
+ if(v->u.stringval)
free(v->u.stringval);
break;
case VSeq:
@@ -1468,15 +1429,13 @@
el = v->u.seqval;
for(l = el; l != nil; l = l->tl)
freevalfields(&l->hd.val);
- if (el)
- freeelist(el);
+ freeelist(el);
break;
case VSet:
el = v->u.setval;
for(l = el; l != nil; l = l->tl)
freevalfields(&l->hd.val);
- if (el)
- freeelist(el);
+ freeelist(el);
break;
}
}
@@ -1564,6 +1523,7 @@
Bytes* publickey;
int signature_alg;
Bytes* signature;
+ int curve;
} CertX509;
/* Algorithm object-ids */
@@ -1572,45 +1532,140 @@
ALG_md2WithRSAEncryption,
ALG_md4WithRSAEncryption,
ALG_md5WithRSAEncryption,
+
ALG_sha1WithRSAEncryption,
+ ALG_sha1WithRSAEncryptionOiw,
+
+ ALG_sha256WithRSAEncryption,
+ ALG_sha384WithRSAEncryption,
+ ALG_sha512WithRSAEncryption,
+ ALG_sha224WithRSAEncryption,
+
+ ALG_ecPublicKey,
+ ALG_sha1WithECDSA,
+ ALG_sha256WithECDSA,
+ ALG_sha384WithECDSA,
+ ALG_sha512WithECDSA,
+
ALG_md5,
+ ALG_sha1,
+ ALG_sha256,
+ ALG_sha384,
+ ALG_sha512,
+ ALG_sha224,
+
NUMALGS
};
-typedef struct Ints7 {
+
+typedef struct Ints15 {
int len;
- int data[7];
-} Ints7;
-static Ints7 oid_rsaEncryption = {7, 1, 2, 840, 113549, 1, 1, 1 };
-static Ints7 oid_md2WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 2 };
-static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
-static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
-static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
-static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 };
+ int data[15];
+} Ints15;
+
+typedef struct DigestAlg {
+ int alg;
+ DigestState* (*fun)(uchar*,ulong,uchar*,DigestState*);
+ int len;
+} DigestAlg;
+
+static DigestAlg alg_md5 = { ALG_md5, md5, MD5dlen};
+static DigestAlg alg_sha1 = { ALG_sha1, sha1, SHA1dlen };
+static DigestAlg alg_sha256 = { ALG_sha256, sha2_256, SHA2_256dlen };
+static DigestAlg alg_sha384 = { ALG_sha384, sha2_384, SHA2_384dlen };
+static DigestAlg alg_sha512 = { ALG_sha512, sha2_512, SHA2_512dlen };
+static DigestAlg alg_sha224 = { ALG_sha224, sha2_224, SHA2_224dlen };
+
+/* maximum length of digest output of the digest algs above */
+enum {
+ MAXdlen = SHA2_512dlen,
+};
+
+static Ints15 oid_rsaEncryption = {7, 1, 2, 840, 113549, 1, 1, 1 };
+
+static Ints15 oid_md2WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 2 };
+static Ints15 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 };
+static Ints15 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 };
+static Ints15 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 };
+static Ints15 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 };
+static Ints15 oid_sha256WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 11 };
+static Ints15 oid_sha384WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 12 };
+static Ints15 oid_sha512WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 13 };
+static Ints15 oid_sha224WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 14 };
+
+static Ints15 oid_ecPublicKey = {6, 1, 2, 840, 10045, 2, 1 };
+static Ints15 oid_sha1WithECDSA = {6, 1, 2, 840, 10045, 4, 1 };
+static Ints15 oid_sha256WithECDSA = {7, 1, 2, 840, 10045, 4, 3, 2 };
+static Ints15 oid_sha384WithECDSA = {7, 1, 2, 840, 10045, 4, 3, 3 };
+static Ints15 oid_sha512WithECDSA = {7, 1, 2, 840, 10045, 4, 3, 4 };
+
+static Ints15 oid_md5 = {6, 1, 2, 840, 113549, 2, 5 };
+static Ints15 oid_sha1 = {6, 1, 3, 14, 3, 2, 26 };
+static Ints15 oid_sha256= {9, 2, 16, 840, 1, 101, 3, 4, 2, 1 };
+static Ints15 oid_sha384= {9, 2, 16, 840, 1, 101, 3, 4, 2, 2 };
+static Ints15 oid_sha512= {9, 2, 16, 840, 1, 101, 3, 4, 2, 3 };
+static Ints15 oid_sha224= {9, 2, 16, 840, 1, 101, 3, 4, 2, 4 };
+
static Ints *alg_oid_tab[NUMALGS+1] = {
(Ints*)&oid_rsaEncryption,
(Ints*)&oid_md2WithRSAEncryption,
(Ints*)&oid_md4WithRSAEncryption,
(Ints*)&oid_md5WithRSAEncryption,
+
(Ints*)&oid_sha1WithRSAEncryption,
+ (Ints*)&oid_sha1WithRSAEncryptionOiw,
+
+ (Ints*)&oid_sha256WithRSAEncryption,
+ (Ints*)&oid_sha384WithRSAEncryption,
+ (Ints*)&oid_sha512WithRSAEncryption,
+ (Ints*)&oid_sha224WithRSAEncryption,
+
+ (Ints*)&oid_ecPublicKey,
+ (Ints*)&oid_sha1WithECDSA,
+ (Ints*)&oid_sha256WithECDSA,
+ (Ints*)&oid_sha384WithECDSA,
+ (Ints*)&oid_sha512WithECDSA,
+
(Ints*)&oid_md5,
+ (Ints*)&oid_sha1,
+ (Ints*)&oid_sha256,
+ (Ints*)&oid_sha384,
+ (Ints*)&oid_sha512,
+ (Ints*)&oid_sha224,
nil
};
-static DigestFun digestalg[NUMALGS+1] = { md5, md5, md5, md5, sha1, md5, nil };
+static DigestAlg *digestalg[NUMALGS+1] = {
+ &alg_md5, &alg_md5, &alg_md5, &alg_md5,
+ &alg_sha1, &alg_sha1,
+ &alg_sha256, &alg_sha384, &alg_sha512, &alg_sha224,
+ &alg_sha256, &alg_sha1, &alg_sha256, &alg_sha384, &alg_sha512,
+ &alg_md5, &alg_sha1, &alg_sha256, &alg_sha384, &alg_sha512, &alg_sha224,
+ nil
+};
+
+static Ints15 oid_secp256r1 = {7, 1, 2, 840, 10045, 3, 1, 7};
+
+static Ints *namedcurves_oid_tab[] = {
+ (Ints*)&oid_secp256r1,
+ nil,
+};
+static void (*namedcurves[])(mpint *p, mpint *a, mpint *b, mpint *x, mpint *y, mpint *n, mpint *h) = {
+ secp256r1,
+ nil,
+};
+
static void
freecert(CertX509* c)
{
- if (!c) return;
- if(c->issuer != nil)
- free(c->issuer);
- if(c->validity_start != nil)
- free(c->validity_start);
- if(c->validity_end != nil)
- free(c->validity_end);
- if(c->subject != nil)
- free(c->subject);
+ if(c == nil)
+ return;
+ free(c->issuer);
+ free(c->validity_start);
+ free(c->validity_end);
+ free(c->subject);
freebytes(c->publickey);
freebytes(c->signature);
+ free(c);
}
/*
@@ -1690,6 +1745,17 @@
return oid_lookup(oid, alg_oid_tab);
}
+static int
+parse_curve(Elem* e)
+{
+ Elist* el;
+ Ints* oid;
+
+ if(!is_seq(e, &el) || elistlen(el)<2 || !is_oid(&el->tl->hd, &oid))
+ return -1;
+ return oid_lookup(oid, namedcurves_oid_tab);
+}
+
static CertX509*
decode_cert(Bytes* a)
{
@@ -1792,7 +1858,7 @@
goto errret;
/* SubjectPublicKeyInfo */
- if(!is_seq(epubkey, &elpubkey))
+ if(!is_seq(epubkey, &elpubkey))
goto errret;
if(elistlen(elpubkey) != 2)
goto errret;
@@ -1800,6 +1866,12 @@
c->publickey_alg = parse_alg(&elpubkey->hd);
if(c->publickey_alg < 0)
goto errret;
+ c->curve = -1;
+ if(c->publickey_alg == ALG_ecPublicKey){
+ c->curve = parse_curve(&elpubkey->hd);
+ if(c->curve < 0)
+ goto errret;
+ }
if(!is_bitstring(&elpubkey->tl->hd, &bits))
goto errret;
if(bits->unusedbits != 0)
@@ -1824,7 +1896,7 @@
}
/*
- * RSAPublickKey :: SEQUENCE {
+ * RSAPublickKey ::= SEQUENCE {
* modulus INTEGER,
* publicExponent INTEGER
* }
@@ -1834,7 +1906,6 @@
{
Elem e;
Elist *el;
- mpint *mp;
RSApub* key;
key = rsapuballoc();
@@ -1842,17 +1913,15 @@
goto errret;
if(!is_seq(&e, &el) || elistlen(el) != 2)
goto errret;
-
- key->n = mp = asn1mpint(&el->hd);
- if(mp == nil)
+ if((key->n = asn1mpint(&el->hd)) == nil)
goto errret;
-
el = el->tl;
- key->ek = mp = asn1mpint(&el->hd);
- if(mp == nil)
+ if((key->ek = asn1mpint(&el->hd)) == nil)
goto errret;
+ freevalfields(&e.val);
return key;
errret:
+ freevalfields(&e.val);
rsapubfree(key);
return nil;
}
@@ -1875,7 +1944,6 @@
int version;
Elem e;
Elist *el;
- mpint *mp;
RSApriv* key;
key = rsaprivalloc();
@@ -1887,70 +1955,115 @@
goto errret;
el = el->tl;
- key->pub.n = mp = asn1mpint(&el->hd);
- if(mp == nil)
+ if((key->pub.n = asn1mpint(&el->hd)) == nil)
goto errret;
el = el->tl;
- key->pub.ek = mp = asn1mpint(&el->hd);
- if(mp == nil)
+ if((key->pub.ek = asn1mpint(&el->hd)) == nil)
goto errret;
el = el->tl;
- key->dk = mp = asn1mpint(&el->hd);
- if(mp == nil)
+ if((key->dk = asn1mpint(&el->hd)) == nil)
goto errret;
el = el->tl;
- key->q = mp = asn1mpint(&el->hd);
- if(mp == nil)
+ if((key->q = asn1mpint(&el->hd)) == nil)
goto errret;
el = el->tl;
- key->p = mp = asn1mpint(&el->hd);
- if(mp == nil)
+ if((key->p = asn1mpint(&el->hd)) == nil)
goto errret;
el = el->tl;
- key->kq = mp = asn1mpint(&el->hd);
- if(mp == nil)
+ if((key->kq = asn1mpint(&el->hd)) == nil)
goto errret;
el = el->tl;
- key->kp = mp = asn1mpint(&el->hd);
- if(mp == nil)
+ if((key->kp = asn1mpint(&el->hd)) == nil)
goto errret;
el = el->tl;
- key->c2 = mp = asn1mpint(&el->hd);
- if(mp == nil)
+ if((key->c2 = asn1mpint(&el->hd)) == nil)
goto errret;
+ freevalfields(&e.val);
return key;
errret:
+ freevalfields(&e.val);
rsaprivfree(key);
return nil;
}
+/*
+ * DSAPrivateKey ::= SEQUENCE{
+ * version Version,
+ * p INTEGER,
+ * q INTEGER,
+ * g INTEGER, -- alpha
+ * pub_key INTEGER, -- key
+ * priv_key INTEGER, -- secret
+ * }
+ */
+static DSApriv*
+decode_dsaprivkey(Bytes* a)
+{
+ int version;
+ Elem e;
+ Elist *el;
+ DSApriv* key;
+
+ key = dsaprivalloc();
+ if(decode(a->data, a->len, &e) != ASN_OK)
+ goto errret;
+ if(!is_seq(&e, &el) || elistlen(el) != 6)
+ goto errret;
+ version = -1;
+ if(!is_int(&el->hd, &version) || version != 0)
+ goto errret;
+
+ el = el->tl;
+ if((key->pub.p = asn1mpint(&el->hd)) == nil)
+ goto errret;
+
+ el = el->tl;
+ if((key->pub.q = asn1mpint(&el->hd)) == nil)
+ goto errret;
+
+ el = el->tl;
+ if((key->pub.alpha = asn1mpint(&el->hd)) == nil)
+ goto errret;
+
+ el = el->tl;
+ if((key->pub.key = asn1mpint(&el->hd)) == nil)
+ goto errret;
+
+ el = el->tl;
+ if((key->secret = asn1mpint(&el->hd)) == nil)
+ goto errret;
+
+ freevalfields(&e.val);
+ return key;
+errret:
+ freevalfields(&e.val);
+ dsaprivfree(key);
+ return nil;
+}
+
static mpint*
asn1mpint(Elem *e)
{
Bytes *b;
- mpint *mp;
int v;
if(is_int(e, &v))
return itomp(v, nil);
- if(is_bigint(e, &b)) {
- mp = betomp(b->data, b->len, nil);
- freebytes(b);
- return mp;
- }
+ if(is_bigint(e, &b))
+ return betomp(b->data, b->len, nil);
return nil;
}
-static mpint*
-pkcs1pad(Bytes *b, mpint *modulus)
+mpint*
+pkcs1padbuf(uchar *buf, int len, mpint *modulus)
{
int n = (mpsignif(modulus)+7)/8;
int pm1, i;
@@ -1957,7 +2070,7 @@
uchar *p;
mpint *mp;
- pm1 = n - 1 - b->len;
+ pm1 = n - 1 - len;
p = (uchar*)emalloc(n);
p[0] = 0;
p[1] = 1;
@@ -1964,12 +2077,18 @@
for(i = 2; i < pm1; i++)
p[i] = 0xFF;
p[pm1] = 0;
- memcpy(&p[pm1+1], b->data, b->len);
+ memcpy(&p[pm1+1], buf, len);
mp = betomp(p, n, nil);
free(p);
return mp;
}
+static mpint*
+pkcs1pad(Bytes *b, mpint *modulus)
+{
+ return pkcs1padbuf(b->data, b->len, modulus);
+}
+
RSApriv*
asn1toRSApriv(uchar *kd, int kn)
{
@@ -1982,13 +2101,25 @@
return key;
}
+DSApriv*
+asn1toDSApriv(uchar *kd, int kn)
+{
+ Bytes *b;
+ DSApriv *key;
+
+ b = makebytes(kd, kn);
+ key = decode_dsaprivkey(b);
+ freebytes(b);
+ return key;
+}
+
/*
* digest(CertificateInfo)
* Our ASN.1 library doesn't return pointers into the original
* data array, so we need to do a little hand decoding.
*/
-static void
-digest_certinfo(Bytes *cert, DigestFun digestfun, uchar *digest)
+static int
+digest_certinfo(Bytes *cert, DigestAlg *da, uchar *digest)
{
uchar *info, *p, *pend;
ulong infolen;
@@ -1999,50 +2130,178 @@
p = cert->data;
pend = cert->data + cert->len;
if(tag_decode(&p, pend, &tag, &isconstr) != ASN_OK ||
- tag.class != Universal || tag.num != SEQUENCE ||
- length_decode(&p, pend, &length) != ASN_OK ||
- p+length > pend)
- return;
+ tag.class != Universal || tag.num != SEQUENCE ||
+ length_decode(&p, pend, &length) != ASN_OK ||
+ p+length > pend ||
+ p+length < p)
+ return -1;
info = p;
- if(ber_decode(&p, pend, &elem) != ASN_OK || elem.tag.num != SEQUENCE)
- return;
+ if(ber_decode(&p, pend, &elem) != ASN_OK)
+ return -1;
+ freevalfields(&elem.val);
+ if(elem.tag.num != SEQUENCE)
+ return -1;
infolen = p - info;
- (*digestfun)(info, infolen, digest, nil);
+ (*da->fun)(info, infolen, digest, nil);
+ return da->len;
}
-static char*
-verify_signature(Bytes* signature, RSApub *pk, uchar *edigest, Elem **psigalg)
+static int
+pkcs1decryptsignature(uchar *sig, int siglen, RSApub *pk, uchar **pbuf)
{
- Elem e;
- Elist *el;
- Bytes *digest;
- uchar *pkcs1buf, *buf;
- int buflen;
+ int nlen, buflen;
mpint *pkcs1;
+ uchar *buf;
+ *pbuf = nil;
+
+ /* one less than the byte length of the modulus */
+ nlen = (mpsignif(pk->n)-1)/8;
+
/* see 9.2.1 of rfc2437 */
- pkcs1 = betomp(signature->data, signature->len, nil);
+ pkcs1 = betomp(sig, siglen, nil);
mpexp(pkcs1, pk->ek, pk->n, pkcs1);
- buflen = mptobe(pkcs1, nil, 0, &pkcs1buf);
- buf = pkcs1buf;
- if(buflen < 4 || buf[0] != 1)
- return "expected 1";
- buf++;
- while(buf[0] == 0xff)
- buf++;
- if(buf[0] != 0)
- return "expected 0";
- buf++;
- buflen -= buf-pkcs1buf;
- if(decode(buf, buflen, &e) != ASN_OK || !is_seq(&e, &el) || elistlen(el) != 2 ||
- !is_octetstring(&el->tl->hd, &digest))
- return "signature parse error";
- *psigalg = &el->hd;
- if(memcmp(digest->data, edigest, digest->len) == 0)
+ buflen = mptobe(pkcs1, nil, 0, pbuf);
+ mpfree(pkcs1);
+
+ buf = *pbuf;
+ if(buflen != nlen || buf[0] != 1)
+ goto bad;
+ buf++, buflen--;
+ while(buflen > 0 && buf[0] == 0xff)
+ buf++, buflen--;
+ if(buflen < 1 || buf[0] != 0)
+ goto bad;
+ buf++, buflen--;
+ memmove(*pbuf, buf, buflen);
+ return buflen;
+bad:
+ free(*pbuf);
+ *pbuf = nil;
+ return -1;
+}
+
+char*
+X509rsaverifydigest(uchar *sig, int siglen, uchar *edigest, int edigestlen, RSApub *pk)
+{
+ Elem e;
+ Elist *el;
+ Bytes *digest;
+ uchar *buf;
+ int alg, buflen;
+ char *err;
+
+ buflen = pkcs1decryptsignature(sig, siglen, pk, &buf);
+ if(buflen == edigestlen && tsmemcmp(buf, edigest, edigestlen) == 0){
+ free(buf);
return nil;
- return "digests did not match";
+ }
+ el = nil;
+ memset(&e, 0, sizeof(e));
+ if(buflen < 0 || decode(buf, buflen, &e) != ASN_OK
+ || !is_seq(&e, &el) || elistlen(el) != 2 || !is_octetstring(&el->tl->hd, &digest)) {
+ err = "signature parse error";
+ goto end;
+ }
+ alg = parse_alg(&el->hd);
+ if(alg < 0){
+ err = "unknown signature algorithm";
+ goto end;
+ }
+ if(digest->len != edigestlen || digest->len != digestalg[alg]->len){
+ err = "bad digest length";
+ goto end;
+ }
+ if(tsmemcmp(digest->data, edigest, edigestlen) != 0){
+ err = "digest did not match";
+ goto end;
+ }
+ err = nil;
+end:
+ freevalfields(&e.val);
+ free(buf);
+ return err;
}
-
+
+char*
+X509ecdsaverifydigest(uchar *sig, int siglen, uchar *edigest, int edigestlen, ECdomain *dom, ECpub *pub)
+{
+ Elem e;
+ Elist *el;
+ mpint *r, *s;
+ char *err;
+
+ r = s = nil;
+ err = "bad signature";
+ if(decode(sig, siglen, &e) != ASN_OK)
+ goto end;
+ if(!is_seq(&e, &el) || elistlen(el) != 2)
+ goto end;
+ r = asn1mpint(&el->hd);
+ if(r == nil)
+ goto end;
+ el = el->tl;
+ s = asn1mpint(&el->hd);
+ if(s == nil)
+ goto end;
+ if(ecdsaverify(dom, pub, edigest, edigestlen, r, s))
+ err = nil;
+end:
+ freevalfields(&e.val);
+ mpfree(s);
+ mpfree(r);
+ return err;
+}
+
+ECpub*
+X509toECpub(uchar *cert, int ncert, ECdomain *dom)
+{
+ CertX509 *c;
+ ECpub *pub;
+ Bytes *b;
+
+ b = makebytes(cert, ncert);
+ c = decode_cert(b);
+ freebytes(b);
+ if(c == nil)
+ return nil;
+ pub = nil;
+ if(c->publickey_alg == ALG_ecPublicKey){
+ ecdominit(dom, namedcurves[c->curve]);
+ pub = ecdecodepub(dom, c->publickey->data, c->publickey->len);
+ if(pub == nil)
+ ecdomfree(dom);
+ }
+ freecert(c);
+ return pub;
+}
+
+char*
+X509ecdsaverify(uchar *cert, int ncert, ECdomain *dom, ECpub *pk)
+{
+ char *e;
+ Bytes *b;
+ CertX509 *c;
+ int digestlen;
+ uchar digest[MAXdlen];
+
+ b = makebytes(cert, ncert);
+ c = decode_cert(b);
+ if(c == nil){
+ freebytes(b);
+ return "cannot decode cert";
+ }
+ digestlen = digest_certinfo(b, digestalg[c->signature_alg], digest);
+ freebytes(b);
+ if(digestlen <= 0){
+ freecert(c);
+ return "cannot decode certinfo";
+ }
+ e = X509ecdsaverifydigest(c->signature->data, c->signature->len, digest, digestlen, dom, pk);
+ freecert(c);
+ return e;
+}
+
RSApub*
X509toRSApub(uchar *cert, int ncert, char *name, int nname)
{
@@ -2049,7 +2308,7 @@
char *e;
Bytes *b;
CertX509 *c;
- RSApub *pk;
+ RSApub *pub;
b = makebytes(cert, ncert);
c = decode_cert(b);
@@ -2059,31 +2318,38 @@
if(name != nil && c->subject != nil){
e = strchr(c->subject, ',');
if(e != nil)
- *e = 0; // take just CN part of Distinguished Name
+ *e = 0; /* take just CN part of Distinguished Name */
strncpy(name, c->subject, nname);
}
- pk = decode_rsapubkey(c->publickey);
+ pub = nil;
+ if(c->publickey_alg == ALG_rsaEncryption)
+ pub = decode_rsapubkey(c->publickey);
freecert(c);
- return pk;
+ return pub;
}
char*
-X509verify(uchar *cert, int ncert, RSApub *pk)
+X509rsaverify(uchar *cert, int ncert, RSApub *pk)
{
char *e;
Bytes *b;
CertX509 *c;
- uchar digest[SHA1dlen];
- Elem *sigalg;
+ int digestlen;
+ uchar digest[MAXdlen];
b = makebytes(cert, ncert);
c = decode_cert(b);
- if(c != nil)
- digest_certinfo(b, digestalg[c->signature_alg], digest);
- freebytes(b);
- if(c == nil)
+ if(c == nil){
+ freebytes(b);
return "cannot decode cert";
- e = verify_signature(c->signature, pk, digest, &sigalg);
+ }
+ digestlen = digest_certinfo(b, digestalg[c->signature_alg], digest);
+ freebytes(b);
+ if(digestlen <= 0){
+ freecert(c);
+ return "cannot decode certinfo";
+ }
+ e = X509rsaverifydigest(c->signature->data, c->signature->len, digest, digestlen, pk);
freecert(c);
return e;
}
@@ -2128,13 +2394,33 @@
return e;
}
+static int
+printable(char *s)
+{
+ int c;
+
+ while((c = (uchar)*s++) != 0){
+ if((c >= 'a' && c <= 'z')
+ || (c >= 'A' && c <= 'Z')
+ || (c >= '0' && c <= '9')
+ || strchr("'=()+,-./:? ", c) != nil)
+ continue;
+ return 0;
+ }
+ return 1;
+}
+
+#define DirectoryString 0
+
static Elem
-mkstring(char *s)
+mkstring(char *s, int t)
{
Elem e;
+ if(t == DirectoryString)
+ t = printable(s) ? PrintableString : UTF8String;
e.tag.class = Universal;
- e.tag.num = IA5String;
+ e.tag.num = t;
e.val.tag = VString;
e.val.u.stringval = estrdup(s);
return e;
@@ -2174,7 +2460,7 @@
e.tag.class = Universal;
e.tag.num = UTCTime;
e.val.tag = VString;
- snprint(utc, 50, "%.2d%.2d%.2d%.2d%.2d%.2dZ",
+ snprint(utc, sizeof(utc), "%.2d%.2d%.2d%.2d%.2d%.2dZ",
tm->year % 100, tm->mon+1, tm->mday, tm->hour, tm->min, tm->sec);
e.val.u.stringval = estrdup(utc);
return e;
@@ -2223,24 +2509,26 @@
}
typedef struct Ints7pref {
- int len;
- int data[7];
+ int len;
+ int data[7];
char prefix[4];
+ int stype;
} Ints7pref;
Ints7pref DN_oid[] = {
- {4, 2, 5, 4, 6, 0, 0, 0, "C="},
- {4, 2, 5, 4, 8, 0, 0, 0, "ST="},
- {4, 2, 5, 4, 7, 0, 0, 0, "L="},
- {4, 2, 5, 4, 10, 0, 0, 0, "O="},
- {4, 2, 5, 4, 11, 0, 0, 0, "OU="},
- {4, 2, 5, 4, 3, 0, 0, 0, "CN="},
- {7, 1,2,840,113549,1,9,1, "E="},
+ {4, 2, 5, 4, 6, 0, 0, 0, "C=", PrintableString},
+ {4, 2, 5, 4, 8, 0, 0, 0, "ST=",DirectoryString},
+ {4, 2, 5, 4, 7, 0, 0, 0, "L=", DirectoryString},
+ {4, 2, 5, 4, 10, 0, 0, 0, "O=", DirectoryString},
+ {4, 2, 5, 4, 11, 0, 0, 0, "OU=",DirectoryString},
+ {4, 2, 5, 4, 3, 0, 0, 0, "CN=",DirectoryString},
+ {7, 1,2,840,113549,1,9,1, "E=", IA5String},
+ {7, 0,9,2342,19200300,100,1,25, "DC=",IA5String},
};
static Elem
mkname(Ints7pref *oid, char *subj)
{
- return mkset(mkel(mkseq(mkel(mkoid((Ints*)oid), mkel(mkstring(subj), nil))), nil));
+ return mkset(mkel(mkseq(mkel(mkoid((Ints*)oid), mkel(mkstring(subj, oid->stype), nil))), nil));
}
static Elem
@@ -2264,61 +2552,106 @@
return mkseq(el);
}
+/*
+ * DigestInfo ::= SEQUENCE {
+ * digestAlgorithm AlgorithmIdentifier,
+ * digest OCTET STRING }
+ */
+static Bytes*
+encode_digest(DigestAlg *da, uchar *digest)
+{
+ Bytes *ans;
+ int err;
+ Elem e;
+ e = mkseq(
+ mkel(mkalg(da->alg),
+ mkel(mkoctet(digest, da->len),
+ nil)));
+ err = encode(e, &ans);
+ freevalfields(&e.val);
+ if(err != ASN_OK)
+ return nil;
+
+ return ans;
+}
+
+int
+asn1encodedigest(DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*), uchar *digest, uchar *buf, int len)
+{
+ Bytes *bytes;
+ DigestAlg **dp;
+
+ for(dp = digestalg; *dp != nil; dp++){
+ if((*dp)->fun != fun)
+ continue;
+ bytes = encode_digest(*dp, digest);
+ if(bytes == nil)
+ break;
+ if(bytes->len > len){
+ freebytes(bytes);
+ break;
+ }
+ len = bytes->len;
+ memmove(buf, bytes->data, len);
+ freebytes(bytes);
+ return len;
+ }
+ return -1;
+}
+
uchar*
-X509gen(RSApriv *priv, char *subj, ulong valid[2], int *certlen)
+X509rsagen(RSApriv *priv, char *subj, ulong valid[2], int *certlen)
{
- int serial = 0;
+ int serial = 0, sigalg = ALG_sha256WithRSAEncryption;
uchar *cert = nil;
RSApub *pk = rsaprivtopub(priv);
Bytes *certbytes, *pkbytes, *certinfobytes, *sigbytes;
- Elem e, certinfo, issuer, subject, pubkey, validity, sig;
- uchar digest[MD5dlen], *buf;
+ Elem e, certinfo;
+ DigestAlg *da;
+ uchar digest[MAXdlen], *buf;
int buflen;
mpint *pkcs1;
- e.val.tag = VInt; /* so freevalfields at errret is no-op */
- issuer = mkDN(subj);
- subject = mkDN(subj);
- pubkey = mkseq(mkel(mkbigint(pk->n),mkel(mkint(mptoi(pk->ek)),nil)));
- if(encode(pubkey, &pkbytes) != ASN_OK)
+ e = mkseq(mkel(mkbigint(pk->n),mkel(mkint(mptoi(pk->ek)),nil)));
+ if(encode(e, &pkbytes) != ASN_OK)
goto errret;
- freevalfields(&pubkey.val);
- pubkey = mkseq(
- mkel(mkalg(ALG_rsaEncryption),
- mkel(mkbits(pkbytes->data, pkbytes->len),
- nil)));
- freebytes(pkbytes);
- validity = mkseq(
- mkel(mkutc(valid[0]),
- mkel(mkutc(valid[1]),
- nil)));
- certinfo = mkseq(
+ freevalfields(&e.val);
+ e = mkseq(
mkel(mkint(serial),
- mkel(mkalg(ALG_md5WithRSAEncryption),
- mkel(issuer,
- mkel(validity,
- mkel(subject,
- mkel(pubkey,
+ mkel(mkalg(sigalg),
+ mkel(mkDN(subj),
+ mkel(mkseq(
+ mkel(mkutc(valid[0]),
+ mkel(mkutc(valid[1]),
+ nil))),
+ mkel(mkDN(subj),
+ mkel(mkseq(
+ mkel(mkalg(ALG_rsaEncryption),
+ mkel(mkbits(pkbytes->data, pkbytes->len),
+ nil))),
nil)))))));
- if(encode(certinfo, &certinfobytes) != ASN_OK)
+ freebytes(pkbytes);
+ if(encode(e, &certinfobytes) != ASN_OK)
goto errret;
- md5(certinfobytes->data, certinfobytes->len, digest, 0);
+
+ da = digestalg[sigalg];
+ (*da->fun)(certinfobytes->data, certinfobytes->len, digest, 0);
freebytes(certinfobytes);
- sig = mkseq(
- mkel(mkalg(ALG_md5),
- mkel(mkoctet(digest, MD5dlen),
- nil)));
- if(encode(sig, &sigbytes) != ASN_OK)
+ certinfo = e;
+
+ sigbytes = encode_digest(da, digest);
+ if(sigbytes == nil)
goto errret;
pkcs1 = pkcs1pad(sigbytes, pk->n);
freebytes(sigbytes);
+
rsadecrypt(priv, pkcs1, pkcs1);
buflen = mptobe(pkcs1, nil, 0, &buf);
mpfree(pkcs1);
e = mkseq(
mkel(certinfo,
- mkel(mkalg(ALG_md5WithRSAEncryption),
+ mkel(mkalg(sigalg),
mkel(mkbits(buf, buflen),
nil))));
free(buf);
@@ -2326,7 +2659,10 @@
goto errret;
if(certlen)
*certlen = certbytes->len;
- cert = certbytes->data;
+ cert = malloc(certbytes->len);
+ if(cert != nil)
+ memmove(cert, certbytes->data, certbytes->len);
+ freebytes(certbytes);
errret:
freevalfields(&e.val);
return cert;
@@ -2333,52 +2669,51 @@
}
uchar*
-X509req(RSApriv *priv, char *subj, int *certlen)
+X509rsareq(RSApriv *priv, char *subj, int *certlen)
{
/* RFC 2314, PKCS #10 Certification Request Syntax */
- int version = 0;
+ int version = 0, sigalg = ALG_sha256WithRSAEncryption;
uchar *cert = nil;
RSApub *pk = rsaprivtopub(priv);
Bytes *certbytes, *pkbytes, *certinfobytes, *sigbytes;
- Elem e, certinfo, subject, pubkey, sig;
- uchar digest[MD5dlen], *buf;
+ Elem e, certinfo;
+ DigestAlg *da;
+ uchar digest[MAXdlen], *buf;
int buflen;
mpint *pkcs1;
- e.val.tag = VInt; /* so freevalfields at errret is no-op */
- subject = mkDN(subj);
- pubkey = mkseq(mkel(mkbigint(pk->n),mkel(mkint(mptoi(pk->ek)),nil)));
- if(encode(pubkey, &pkbytes) != ASN_OK)
+ e = mkseq(mkel(mkbigint(pk->n),mkel(mkint(mptoi(pk->ek)),nil)));
+ if(encode(e, &pkbytes) != ASN_OK)
goto errret;
- freevalfields(&pubkey.val);
- pubkey = mkseq(
- mkel(mkalg(ALG_rsaEncryption),
- mkel(mkbits(pkbytes->data, pkbytes->len),
- nil)));
- freebytes(pkbytes);
- certinfo = mkseq(
+ freevalfields(&e.val);
+ e = mkseq(
mkel(mkint(version),
- mkel(subject,
- mkel(pubkey,
+ mkel(mkDN(subj),
+ mkel(mkseq(
+ mkel(mkalg(ALG_rsaEncryption),
+ mkel(mkbits(pkbytes->data, pkbytes->len),
+ nil))),
nil))));
- if(encode(certinfo, &certinfobytes) != ASN_OK)
+ freebytes(pkbytes);
+ if(encode(e, &certinfobytes) != ASN_OK)
goto errret;
- md5(certinfobytes->data, certinfobytes->len, digest, 0);
+ da = digestalg[sigalg];
+ (*da->fun)(certinfobytes->data, certinfobytes->len, digest, 0);
freebytes(certinfobytes);
- sig = mkseq(
- mkel(mkalg(ALG_md5),
- mkel(mkoctet(digest, MD5dlen),
- nil)));
- if(encode(sig, &sigbytes) != ASN_OK)
+ certinfo = e;
+
+ sigbytes = encode_digest(da, digest);
+ if(sigbytes == nil)
goto errret;
pkcs1 = pkcs1pad(sigbytes, pk->n);
freebytes(sigbytes);
+
rsadecrypt(priv, pkcs1, pkcs1);
buflen = mptobe(pkcs1, nil, 0, &buf);
mpfree(pkcs1);
e = mkseq(
mkel(certinfo,
- mkel(mkalg(ALG_md5),
+ mkel(mkalg(sigalg),
mkel(mkbits(buf, buflen),
nil))));
free(buf);
@@ -2386,7 +2721,10 @@
goto errret;
if(certlen)
*certlen = certbytes->len;
- cert = certbytes->data;
+ cert = malloc(certbytes->len);
+ if(cert != nil)
+ memmove(cert, certbytes->data, certbytes->len);
+ freebytes(certbytes);
errret:
freevalfields(&e.val);
return cert;
@@ -2398,33 +2736,34 @@
if(tag.class != Universal)
return smprint("class%d,num%d", tag.class, tag.num);
switch(tag.num){
- case BOOLEAN: return "BOOLEAN"; break;
- case INTEGER: return "INTEGER"; break;
- case BIT_STRING: return "BIT STRING"; break;
- case OCTET_STRING: return "OCTET STRING"; break;
- case NULLTAG: return "NULLTAG"; break;
- case OBJECT_ID: return "OID"; break;
- case ObjectDescriptor: return "OBJECT_DES"; break;
- case EXTERNAL: return "EXTERNAL"; break;
- case REAL: return "REAL"; break;
- case ENUMERATED: return "ENUMERATED"; break;
- case EMBEDDED_PDV: return "EMBEDDED PDV"; break;
- case SEQUENCE: return "SEQUENCE"; break;
- case SETOF: return "SETOF"; break;
- case NumericString: return "NumericString"; break;
- case PrintableString: return "PrintableString"; break;
- case TeletexString: return "TeletexString"; break;
- case VideotexString: return "VideotexString"; break;
- case IA5String: return "IA5String"; break;
- case UTCTime: return "UTCTime"; break;
- case GeneralizedTime: return "GeneralizedTime"; break;
- case GraphicString: return "GraphicString"; break;
- case VisibleString: return "VisibleString"; break;
- case GeneralString: return "GeneralString"; break;
- case UniversalString: return "UniversalString"; break;
- case BMPString: return "BMPString"; break;
- default:
- return smprint("Universal,num%d", tag.num);
+ case BOOLEAN: return "BOOLEAN";
+ case INTEGER: return "INTEGER";
+ case BIT_STRING: return "BIT STRING";
+ case OCTET_STRING: return "OCTET STRING";
+ case NULLTAG: return "NULLTAG";
+ case OBJECT_ID: return "OID";
+ case ObjectDescriptor: return "OBJECT_DES";
+ case EXTERNAL: return "EXTERNAL";
+ case REAL: return "REAL";
+ case ENUMERATED: return "ENUMERATED";
+ case EMBEDDED_PDV: return "EMBEDDED PDV";
+ case SEQUENCE: return "SEQUENCE";
+ case SETOF: return "SETOF";
+ case UTF8String: return "UTF8String";
+ case NumericString: return "NumericString";
+ case PrintableString: return "PrintableString";
+ case TeletexString: return "TeletexString";
+ case VideotexString: return "VideotexString";
+ case IA5String: return "IA5String";
+ case UTCTime: return "UTCTime";
+ case GeneralizedTime: return "GeneralizedTime";
+ case GraphicString: return "GraphicString";
+ case VisibleString: return "VisibleString";
+ case GeneralString: return "GeneralString";
+ case UniversalString: return "UniversalString";
+ case BMPString: return "BMPString";
+ default:
+ return smprint("Universal,num%d", tag.num);
}
}
@@ -2482,39 +2821,62 @@
char *e;
Bytes *b;
CertX509 *c;
- RSApub *pk;
- uchar digest[SHA1dlen];
- Elem *sigalg;
+ RSApub *rsapub;
+ ECpub *ecpub;
+ ECdomain ecdom;
+ int digestlen;
+ uchar digest[MAXdlen];
print("begin X509dump\n");
b = makebytes(cert, ncert);
c = decode_cert(b);
- if(c != nil)
- digest_certinfo(b, digestalg[c->signature_alg], digest);
- freebytes(b);
if(c == nil){
- print("cannot decode cert");
+ freebytes(b);
+ print("cannot decode cert\n");
return;
}
+ digestlen = digest_certinfo(b, digestalg[c->signature_alg], digest);
+ freebytes(b);
+ if(digestlen <= 0){
+ freecert(c);
+ print("cannot decode certinfo\n");
+ return;
+ }
print("serial %d\n", c->serial);
print("issuer %s\n", c->issuer);
print("validity %s %s\n", c->validity_start, c->validity_end);
print("subject %s\n", c->subject);
- pk = decode_rsapubkey(c->publickey);
- print("pubkey e=%B n(%d)=%B\n", pk->ek, mpsignif(pk->n), pk->n);
- print("sigalg=%d digest=%.*H\n", c->signature_alg, MD5dlen, digest);
- e = verify_signature(c->signature, pk, digest, &sigalg);
- if(e==nil){
- e = "nil (meaning ok)";
- print("sigalg=\n");
- if(sigalg)
- edump(*sigalg);
- }
- print("self-signed verify_signature returns: %s\n", e);
+ print("sigalg=%d digest=%.*H\n", c->signature_alg, digestlen, digest);
+ print("publickey_alg=%d pubkey[%d] %.*H\n", c->publickey_alg, c->publickey->len,
+ c->publickey->len, c->publickey->data);
- rsapubfree(pk);
+ switch(c->publickey_alg){
+ case ALG_rsaEncryption:
+ rsapub = decode_rsapubkey(c->publickey);
+ if(rsapub != nil){
+ print("rsa pubkey e=%B n(%d)=%B\n", rsapub->ek, mpsignif(rsapub->n), rsapub->n);
+ e = X509rsaverifydigest(c->signature->data, c->signature->len, digest, digestlen, rsapub);
+ if(e==nil)
+ e = "nil (meaning ok)";
+ print("self-signed X509rsaverifydigest returns: %s\n", e);
+ rsapubfree(rsapub);
+ }
+ break;
+ case ALG_ecPublicKey:
+ ecdominit(&ecdom, namedcurves[c->curve]);
+ ecpub = ecdecodepub(&ecdom, c->publickey->data, c->publickey->len);
+ if(ecpub != nil){
+ e = X509ecdsaverifydigest(c->signature->data, c->signature->len, digest, digestlen, &ecdom, ecpub);
+ if(e==nil)
+ e = "nil (meaning ok)";
+ print("self-signed X509ecdsaverifydigest returns: %s\n", e);
+ ecpubfree(ecpub);
+ }
+ ecdomfree(&ecdom);
+ break;
+ }
freecert(c);
print("end X509dump\n");
}