tor-browser

blapit.h (15866B)

---

/*
* blapit.h - public data structures for the freebl library
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef _BLAPIT_H_
#define _BLAPIT_H_

#include "seccomon.h"
#include "prlink.h"
#include "plarena.h"
#include "ecl-exp.h"
#include "pkcs11t.h"
#include "ml_dsat.h"

/* RC2 operation modes */
#define NSS_RC2 0
#define NSS_RC2_CBC 1

/* RC5 operation modes */
#define NSS_RC5 0
#define NSS_RC5_CBC 1

/* DES operation modes */
#define NSS_DES 0
#define NSS_DES_CBC 1
#define NSS_DES_EDE3 2
#define NSS_DES_EDE3_CBC 3

#define DES_KEY_LENGTH 8 /* Bytes */

#define ED25519_SIGN_LEN 64U /* Bytes */

/* AES operation modes */
#define NSS_AES 0
#define NSS_AES_CBC 1
#define NSS_AES_CTS 2
#define NSS_AES_CTR 3
#define NSS_AES_GCM 4

/* Camellia operation modes */
#define NSS_CAMELLIA 0
#define NSS_CAMELLIA_CBC 1

/* SEED operation modes */
#define NSS_SEED 0
#define NSS_SEED_CBC 1

#define DSA1_SUBPRIME_LEN 20                             /* Bytes */
#define DSA1_SIGNATURE_LEN (DSA1_SUBPRIME_LEN * 2)       /* Bytes */
#define DSA_MAX_SUBPRIME_LEN 32                          /* Bytes */
#define DSA_MAX_SIGNATURE_LEN (DSA_MAX_SUBPRIME_LEN * 2) /* Bytes */

/*
* Mark the old defines as deprecated. This will warn code that expected
* DSA1 only that they need to change if the are to support DSA2.
*/
#if defined(__GNUC__) && (__GNUC__ > 3)
/* make GCC warn when we use these #defines */
typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
#define DSA_SUBPRIME_LEN ((__BLAPI_DEPRECATED)DSA1_SUBPRIME_LEN)
#define DSA_SIGNATURE_LEN ((__BLAPI_DEPRECATED)DSA1_SIGNATURE_LEN)
#define DSA_Q_BITS ((__BLAPI_DEPRECATED)(DSA1_SUBPRIME_LEN * 8))
#else
#ifdef _WIN32
/* This magic gets the windows compiler to give us a deprecation
* warning */
#pragma deprecated(DSA_SUBPRIME_LEN, DSA_SIGNATURE_LEN, DSA_QBITS)
#endif
#define DSA_SUBPRIME_LEN DSA1_SUBPRIME_LEN
#define DSA_SIGNATURE_LEN DSA1_SIGNATURE_LEN
#define DSA_Q_BITS (DSA1_SUBPRIME_LEN * 8)
#endif

/* XXX We shouldn't have to hard code this limit. For
* now, this is the quickest way to support ECDSA signature
* processing (ECDSA signature lengths depend on curve
* size). This limit is sufficient for curves upto
* 576 bits.
*/
#define MAX_ECKEY_LEN 72 /* Bytes */

#define EC_MAX_KEY_BITS 521 /* in bits */
#define EC_MIN_KEY_BITS 256 /* in bits */

#define ECD_MAX_KEY_BITS 255 /* in bits */
#define ECD_MIN_KEY_BITS 255 /* in bits */

/* EC point compression format */
#define EC_POINT_FORM_COMPRESSED_Y0 0x02
#define EC_POINT_FORM_COMPRESSED_Y1 0x03
#define EC_POINT_FORM_UNCOMPRESSED 0x04
#define EC_POINT_FORM_HYBRID_Y0 0x06
#define EC_POINT_FORM_HYBRID_Y1 0x07

/*
* Number of bytes each hash algorithm produces
*/
#define MD2_LENGTH 16        /* Bytes */
#define MD5_LENGTH 16        /* Bytes */
#define SHA1_LENGTH 20       /* Bytes */
#define SHA256_LENGTH 32     /* bytes */
#define SHA384_LENGTH 48     /* bytes */
#define SHA512_LENGTH 64     /* bytes */
#define SHA3_224_LENGTH 28   /* bytes */
#define SHA3_256_LENGTH 32   /* bytes */
#define SHA3_384_LENGTH 48   /* bytes */
#define SHA3_512_LENGTH 64   /* bytes */
#define BLAKE2B512_LENGTH 64 /* Bytes */
#define HASH_LENGTH_MAX SHA512_LENGTH

/*
* Input block size for each hash algorithm.
*/

#define MD2_BLOCK_LENGTH 64       /* bytes */
#define MD5_BLOCK_LENGTH 64       /* bytes */
#define SHA1_BLOCK_LENGTH 64      /* bytes */
#define SHA224_BLOCK_LENGTH 64    /* bytes */
#define SHA256_BLOCK_LENGTH 64    /* bytes */
#define SHA384_BLOCK_LENGTH 128   /* bytes */
#define SHA512_BLOCK_LENGTH 128   /* bytes */
#define SHA3_224_BLOCK_LENGTH 144 /* bytes */
#define SHA3_256_BLOCK_LENGTH 136 /* bytes */
#define SHA3_384_BLOCK_LENGTH 104 /* bytes */
#define SHA3_512_BLOCK_LENGTH 72  /* bytes */
#define BLAKE2B_BLOCK_LENGTH 128  /* Bytes */
#define HASH_BLOCK_LENGTH_MAX SHA3_224_BLOCK_LENGTH

#define AES_BLOCK_SIZE 16 /* bytes */
#define AES_KEY_WRAP_BLOCK_SIZE (AES_BLOCK_SIZE / 2)
#define AES_KEY_WRAP_IV_BYTES AES_KEY_WRAP_BLOCK_SIZE

#define AES_128_KEY_LENGTH 16 /* bytes */
#define AES_192_KEY_LENGTH 24 /* bytes */
#define AES_256_KEY_LENGTH 32 /* bytes */

#define CAMELLIA_BLOCK_SIZE 16 /* bytes */

#define SEED_BLOCK_SIZE 16 /* bytes */
#define SEED_KEY_LENGTH 16 /* bytes */

#define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048

#define BLAKE2B_KEY_SIZE 64

/*
* These values come from the initial key size limits from the PKCS #11
* module. They may be arbitrarily adjusted to any value freebl supports.
*/
#define RSA_MIN_MODULUS_BITS 128
#define RSA_MAX_MODULUS_BITS 16384
#define RSA_MAX_EXPONENT_BITS 64
#define DH_MIN_P_BITS 128
#define DH_MAX_P_BITS 16384

/* max signature for all our supported signatures */
/* currently ML-DSA is the biggest */
#define MAX_SIGNATURE_LEN MAX_ML_DSA_SIGNATURE_LEN

/*
* The FIPS 186-1 algorithm for generating primes P and Q allows only 9
* distinct values for the length of P, and only one value for the
* length of Q.
* The algorithm uses a variable j to indicate which of the 9 lengths
* of P is to be used.
* The following table relates j to the lengths of P and Q in bits.
*
*  j   bits in P   bits in Q
*  _   _________   _________
*  0    512        160
*  1    576        160
*  2    640        160
*  3    704        160
*  4    768        160
*  5    832        160
*  6    896        160
*  7    960        160
*  8   1024        160
*
* The FIPS-186-1 compliant PQG generator takes j as an input parameter.
*
* FIPS 186-3 algorithm specifies 4 distinct P and Q sizes:
*
*     bits in P       bits in Q
*     _________       _________
*      1024           160
*      2048           224
*      2048           256
*      3072           256
*
* The FIPS-186-3 complaiant PQG generator (PQG V2) takes arbitrary p and q
* lengths as input and returns an error if they aren't in this list.
*/

#define DSA1_Q_BITS 160
#define DSA_MAX_P_BITS 3072
#define DSA_MIN_P_BITS 512
#define DSA_MAX_Q_BITS 256
#define DSA_MIN_Q_BITS 160

#if DSA_MAX_Q_BITS != DSA_MAX_SUBPRIME_LEN * 8
#error "Inconsistent declaration of DSA SUBPRIME/Q parameters in blapit.h"
#endif

/*
* function takes desired number of bits in P,
* returns index (0..8) or -1 if number of bits is invalid.
*/
#define PQG_PBITS_TO_INDEX(bits) \
   (((bits) < 512 || (bits) > 1024 || (bits) % 64) ? -1 : (int)((bits)-512) / 64)

/*
* function takes index (0-8)
* returns number of bits in P for that index, or -1 if index is invalid.
*/
#define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (512 + 64 * (j)))

/* When we are generating a gcm iv from a random number, we need to calculate
* an acceptable iteration count to avoid birthday attacks. (randomly
* generating the same IV twice).
*
* We use the approximation n = sqrt(2*m*p) to find an acceptable n given m
* and p.
* where n is the number of iterations.
*       m is the number of possible random values.
*       p is the probability of collision (0-1).
*
* We want to calculate the constant number GCM_IV_RANDOM_BIRTHDAY_BITS, which
* is the number of bits we subtract off of the length of the iv (in bits) to
* get a safe count value (log2).
*
* Since we do the calculation in bits, so we need to take the whole
* equation log2:
*       log2 n = (1+(log2 m)+(log2 p))/2
* Since p < 1, log2 p is negative. Also note that the length of the iv in
* bits is log2 m, so if we set GCMIV_RANDOM_BIRTHDAY_BITS =- log2 p - 1.
* then we can calculate a safe counter value with:
*        n = 2^((ivLenBits - GCMIV_RANDOM_BIRTHDAY_BITS)/2)
*
* If we arbitrarily set p = 10^-18 (1 chance in trillion trillion operation)
* we get GCMIV_RANDOM_BIRTHDAY_BITS = -(-18)/.301 -1 = 59 (.301 = log10 2)
* GCMIV_RANDOM_BIRTHDAY_BITS should be at least 59, call it a round 64. NOTE:
* the variable IV size for TLS is 64 bits, which explains why it's not safe
* to use a random value for the nonce in TLS. */
#define GCMIV_RANDOM_BIRTHDAY_BITS 64

/* flag to tell BLAPI_Verify* to rerun the post and integrity tests */
#define BLAPI_FIPS_RERUN_FLAG '\377'        /* 0xff, 255 invalide code for UFT8/ASCII */
#define BLAPI_FIPS_RERUN_FLAG_STRING "\377" /* The above as a C string */

/***************************************************************************
** Opaque objects
*/

struct DESContextStr;
struct RC2ContextStr;
struct RC4ContextStr;
struct RC5ContextStr;
struct AESContextStr;
struct CamelliaContextStr;
struct MD2ContextStr;
struct MD5ContextStr;
struct SHA1ContextStr;
struct SHA256ContextStr;
struct SHA512ContextStr;
struct SHA3ContextStr;
struct SHAKEContextStr;
struct AESKeyWrapContextStr;
struct SEEDContextStr;
struct ChaCha20ContextStr;
struct ChaCha20Poly1305ContextStr;
struct Blake2bContextStr;

typedef struct DESContextStr DESContext;
typedef struct RC2ContextStr RC2Context;
typedef struct RC4ContextStr RC4Context;
typedef struct RC5ContextStr RC5Context;
typedef struct AESContextStr AESContext;
typedef struct CamelliaContextStr CamelliaContext;
typedef struct MD2ContextStr MD2Context;
typedef struct MD5ContextStr MD5Context;
typedef struct SHA1ContextStr SHA1Context;
typedef struct SHA256ContextStr SHA256Context;
/* SHA224Context is really a SHA256ContextStr.  This is not a mistake. */
typedef struct SHA256ContextStr SHA224Context;
typedef struct SHA512ContextStr SHA512Context;
/* SHA384Context is really a SHA512ContextStr.  This is not a mistake. */
typedef struct SHA512ContextStr SHA384Context;
/* All SHA3_*Contexts are the same.  This is not a mistake. */
typedef struct SHA3ContextStr SHA3_224Context;
typedef struct SHA3ContextStr SHA3_256Context;
typedef struct SHA3ContextStr SHA3_384Context;
typedef struct SHA3ContextStr SHA3_512Context;
typedef struct SHAKEContextStr SHAKE_128Context;
typedef struct SHAKEContextStr SHAKE_256Context;
typedef struct AESKeyWrapContextStr AESKeyWrapContext;
typedef struct SEEDContextStr SEEDContext;
typedef struct ChaCha20ContextStr ChaCha20Context;
typedef struct ChaCha20Poly1305ContextStr ChaCha20Poly1305Context;
typedef struct Blake2bContextStr BLAKE2BContext;

/***************************************************************************
** RSA Public and Private Key structures
*/

/* member names from PKCS#1, section 7.1 */
struct RSAPublicKeyStr {
   PLArenaPool *arena;
   SECItem modulus;
   SECItem publicExponent;
};
typedef struct RSAPublicKeyStr RSAPublicKey;

/* member names from PKCS#1, section 7.2 */
struct RSAPrivateKeyStr {
   PLArenaPool *arena;
   SECItem version;
   SECItem modulus;
   SECItem publicExponent;
   SECItem privateExponent;
   SECItem prime1;
   SECItem prime2;
   SECItem exponent1;
   SECItem exponent2;
   SECItem coefficient;
};
typedef struct RSAPrivateKeyStr RSAPrivateKey;

/***************************************************************************
** DSA Public and Private Key and related structures
*/

struct PQGParamsStr {
   PLArenaPool *arena;
   SECItem prime;    /* p */
   SECItem subPrime; /* q */
   SECItem base;     /* g */
   /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
};
typedef struct PQGParamsStr PQGParams;

struct PQGVerifyStr {
   PLArenaPool *arena; /* includes this struct, seed, & h. */
   unsigned int counter;
   SECItem seed;
   SECItem h;
};
typedef struct PQGVerifyStr PQGVerify;

struct DSAPublicKeyStr {
   PQGParams params;
   SECItem publicValue;
};
typedef struct DSAPublicKeyStr DSAPublicKey;

struct DSAPrivateKeyStr {
   PQGParams params;
   SECItem publicValue;
   SECItem privateValue;
};
typedef struct DSAPrivateKeyStr DSAPrivateKey;

/* ML DSA structures */
typedef struct MLDSAPrivateKeyStr MLDSAPrivateKey;
typedef struct MLDSAPublicKeyStr MLDSAPublicKey;
typedef struct MLDSAContextStr MLDSAContext;

/* MLDSA keys are 'public' to softoken, while MLDSAContexts are opaque */
struct MLDSAPrivateKeyStr {
   CK_ML_DSA_PARAMETER_SET_TYPE paramSet;
   unsigned char keyVal[MAX_ML_DSA_PRIVATE_KEY_LEN];
   unsigned int keyValLen;
   unsigned char seed[ML_DSA_SEED_LEN];
   unsigned int seedLen;
};

struct MLDSAPublicKeyStr {
   CK_ML_DSA_PARAMETER_SET_TYPE paramSet;
   unsigned char keyVal[MAX_ML_DSA_PUBLIC_KEY_LEN];
   unsigned int keyValLen;
};

/***************************************************************************
** Diffie-Hellman Public and Private Key and related structures
** Structure member names suggested by PKCS#3.
*/

struct DHParamsStr {
   PLArenaPool *arena;
   SECItem prime; /* p */
   SECItem base;  /* g */
};
typedef struct DHParamsStr DHParams;

struct DHPublicKeyStr {
   PLArenaPool *arena;
   SECItem prime;
   SECItem base;
   SECItem publicValue;
};
typedef struct DHPublicKeyStr DHPublicKey;

struct DHPrivateKeyStr {
   PLArenaPool *arena;
   SECItem prime;
   SECItem base;
   SECItem publicValue;
   SECItem privateValue;
};
typedef struct DHPrivateKeyStr DHPrivateKey;

/***************************************************************************
** Data structures used for elliptic curve parameters and
** public and private keys.
*/

/*
** The ECParams data structures can encode elliptic curve
** parameters for both GFp and GF2m curves.
*/

typedef enum { ec_params_explicit,
              ec_params_named,
              ec_params_edwards_named,
              ec_params_montgomery_named,
} ECParamsType;

typedef enum { ec_field_GFp = 1,
              ec_field_GF2m,
              ec_field_plain
} ECFieldType;

struct ECFieldIDStr {
   int size; /* field size in bits */
   ECFieldType type;
   union {
       SECItem prime; /* prime p for (GFp) */
       SECItem poly;  /* irreducible binary polynomial for (GF2m) */
   } u;
   int k1; /* first coefficient of pentanomial or
            * the only coefficient of trinomial
            */
   int k2; /* two remaining coefficients of pentanomial */
   int k3;
};
typedef struct ECFieldIDStr ECFieldID;

struct ECCurveStr {
   SECItem a; /* contains octet stream encoding of
               * field element (X9.62 section 4.3.3)
               */
   SECItem b;
   SECItem seed;
};
typedef struct ECCurveStr ECCurve;

struct ECParamsStr {
   PLArenaPool *arena;
   ECParamsType type;
   ECFieldID fieldID;
   ECCurve curve;
   SECItem base;
   SECItem order;
   int cofactor;
   SECItem DEREncoding;
   ECCurveName name;
   SECItem curveOID;
};
typedef struct ECParamsStr ECParams;

struct ECPublicKeyStr {
   ECParams ecParams;
   SECItem publicValue; /* elliptic curve point encoded as
                         * octet stream.
                         */
};
typedef struct ECPublicKeyStr ECPublicKey;

struct ECPrivateKeyStr {
   ECParams ecParams;
   SECItem publicValue;  /* encoded ec point */
   SECItem privateValue; /* private big integer */
   SECItem version;      /* As per SEC 1, Appendix C, Section C.4 */
};
typedef struct ECPrivateKeyStr ECPrivateKey;

typedef void *(*BLapiAllocateFunc)(void);
typedef void (*BLapiDestroyContextFunc)(void *cx, PRBool freeit);
typedef SECStatus (*BLapiInitContextFunc)(void *cx,
                                         const unsigned char *key,
                                         unsigned int keylen,
                                         const unsigned char *,
                                         int,
                                         unsigned int,
                                         unsigned int);
typedef SECStatus (*BLapiEncrypt)(void *cx, unsigned char *output,
                                 unsigned int *outputLen,
                                 unsigned int maxOutputLen,
                                 const unsigned char *input,
                                 unsigned int inputLen);

#endif /* _BLAPIT_H_ */