| blob | 8cba3ec395aed6449d35e937c9a0f7afad68b587 |
1 /*
2 * blapit.h - public data structures for the freebl library
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 #ifndef _BLAPIT_H_
9 #define _BLAPIT_H_
16 /* RC2 operation modes */
17 #define NSS_RC2 0
18 #define NSS_RC2_CBC 1
20 /* RC5 operation modes */
21 #define NSS_RC5 0
22 #define NSS_RC5_CBC 1
24 /* DES operation modes */
25 #define NSS_DES 0
26 #define NSS_DES_CBC 1
27 #define NSS_DES_EDE3 2
28 #define NSS_DES_EDE3_CBC 3
32 /* AES operation modes */
33 #define NSS_AES 0
34 #define NSS_AES_CBC 1
35 #define NSS_AES_CTS 2
36 #define NSS_AES_CTR 3
37 #define NSS_AES_GCM 4
39 /* Camellia operation modes */
40 #define NSS_CAMELLIA 0
41 #define NSS_CAMELLIA_CBC 1
43 /* SEED operation modes */
44 #define NSS_SEED 0
45 #define NSS_SEED_CBC 1
52 /*
53 * Mark the old defines as deprecated. This will warn code that expected
54 * DSA1 only that they need to change if the are to support DSA2.
55 */
56 #if defined(__GNUC__) && (__GNUC__ > 3)
57 /* make GCC warn when we use these #defines */
59 #define DSA_SUBPRIME_LEN ((__BLAPI_DEPRECATED)DSA1_SUBPRIME_LEN)
60 #define DSA_SIGNATURE_LEN ((__BLAPI_DEPRECATED)DSA1_SIGNATURE_LEN)
61 #define DSA_Q_BITS ((__BLAPI_DEPRECATED)(DSA1_SUBPRIME_LEN * 8))
62 #else
63 #ifdef _WIN32
64 /* This magic gets the windows compiler to give us a deprecation
65 * warning */
66 #pragma deprecated(DSA_SUBPRIME_LEN, DSA_SIGNATURE_LEN, DSA_QBITS)
67 #endif
68 #define DSA_SUBPRIME_LEN DSA1_SUBPRIME_LEN
69 #define DSA_SIGNATURE_LEN DSA1_SIGNATURE_LEN
70 #define DSA_Q_BITS (DSA1_SUBPRIME_LEN * 8)
71 #endif
73 /* XXX We shouldn't have to hard code this limit. For
74 * now, this is the quickest way to support ECDSA signature
75 * processing (ECDSA signature lengths depend on curve
76 * size). This limit is sufficient for curves upto
77 * 576 bits.
78 */
84 /* EC point compression format */
85 #define EC_POINT_FORM_COMPRESSED_Y0 0x02
86 #define EC_POINT_FORM_COMPRESSED_Y1 0x03
87 #define EC_POINT_FORM_UNCOMPRESSED 0x04
88 #define EC_POINT_FORM_HYBRID_Y0 0x06
89 #define EC_POINT_FORM_HYBRID_Y1 0x07
91 /*
92 * Number of bytes each hash algorithm produces
93 */
105 #define HASH_LENGTH_MAX SHA512_LENGTH
107 /*
108 * Input block size for each hash algorithm.
109 */
123 #define HASH_BLOCK_LENGTH_MAX SHA3_224_BLOCK_LENGTH
126 #define AES_KEY_WRAP_BLOCK_SIZE (AES_BLOCK_SIZE / 2)
127 #define AES_KEY_WRAP_IV_BYTES AES_KEY_WRAP_BLOCK_SIZE
138 #define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
140 #define BLAKE2B_KEY_SIZE 64
142 /*
143 * These values come from the initial key size limits from the PKCS #11
144 * module. They may be arbitrarily adjusted to any value freebl supports.
145 */
146 #define RSA_MIN_MODULUS_BITS 128
147 #define RSA_MAX_MODULUS_BITS 16384
148 #define RSA_MAX_EXPONENT_BITS 64
149 #define DH_MIN_P_BITS 128
150 #define DH_MAX_P_BITS 16384
152 /*
153 * The FIPS 186-1 algorithm for generating primes P and Q allows only 9
154 * distinct values for the length of P, and only one value for the
155 * length of Q.
156 * The algorithm uses a variable j to indicate which of the 9 lengths
157 * of P is to be used.
158 * The following table relates j to the lengths of P and Q in bits.
159 *
160 * j bits in P bits in Q
161 * _ _________ _________
162 * 0 512 160
163 * 1 576 160
164 * 2 640 160
165 * 3 704 160
166 * 4 768 160
167 * 5 832 160
168 * 6 896 160
169 * 7 960 160
170 * 8 1024 160
171 *
172 * The FIPS-186-1 compliant PQG generator takes j as an input parameter.
173 *
174 * FIPS 186-3 algorithm specifies 4 distinct P and Q sizes:
175 *
176 * bits in P bits in Q
177 * _________ _________
178 * 1024 160
179 * 2048 224
180 * 2048 256
181 * 3072 256
182 *
183 * The FIPS-186-3 complaiant PQG generator (PQG V2) takes arbitrary p and q
184 * lengths as input and returns an error if they aren't in this list.
185 */
187 #define DSA1_Q_BITS 160
188 #define DSA_MAX_P_BITS 3072
189 #define DSA_MIN_P_BITS 512
190 #define DSA_MAX_Q_BITS 256
191 #define DSA_MIN_Q_BITS 160
193 #if DSA_MAX_Q_BITS != DSA_MAX_SUBPRIME_LEN * 8
195 #endif
197 /*
198 * function takes desired number of bits in P,
199 * returns index (0..8) or -1 if number of bits is invalid.
200 */
201 #define PQG_PBITS_TO_INDEX(bits) \
202 (((bits) < 512 || (bits) > 1024 || (bits) % 64) ? -1 : (int)((bits)-512) / 64)
204 /*
205 * function takes index (0-8)
206 * returns number of bits in P for that index, or -1 if index is invalid.
207 */
208 #define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (512 + 64 * (j)))
210 /* When we are generating a gcm iv from a random number, we need to calculate
211 * an acceptable iteration count to avoid birthday attacks. (randomly
212 * generating the same IV twice).
213 *
214 * We use the approximation n = sqrt(2*m*p) to find an acceptable n given m
215 * and p.
216 * where n is the number of iterations.
217 * m is the number of possible random values.
218 * p is the probability of collision (0-1).
219 *
220 * We want to calculate the constant number GCM_IV_RANDOM_BIRTHDAY_BITS, which
221 * is the number of bits we subtract off of the length of the iv (in bits) to
222 * get a safe count value (log2).
223 *
224 * Since we do the calculation in bits, so we need to take the whole
225 * equation log2:
226 * log2 n = (1+(log2 m)+(log2 p))/2
227 * Since p < 1, log2 p is negative. Also note that the length of the iv in
228 * bits is log2 m, so if we set GCMIV_RANDOM_BIRTHDAY_BITS =- log2 p - 1.
229 * then we can calculate a safe counter value with:
230 * n = 2^((ivLenBits - GCMIV_RANDOM_BIRTHDAY_BITS)/2)
231 *
232 * If we arbitrarily set p = 10^-18 (1 chance in trillion trillion operation)
233 * we get GCMIV_RANDOM_BIRTHDAY_BITS = -(-18)/.301 -1 = 59 (.301 = log10 2)
234 * GCMIV_RANDOM_BIRTHDAY_BITS should be at least 59, call it a round 64. NOTE:
235 * the variable IV size for TLS is 64 bits, which explains why it's not safe
236 * to use a random value for the nonce in TLS. */
237 #define GCMIV_RANDOM_BIRTHDAY_BITS 64
239 /* flag to tell BLAPI_Verify* to rerun the post and integrity tests */
243 /***************************************************************************
244 ** Opaque objects
245 */
276 /* SHA224Context is really a SHA256ContextStr. This is not a mistake. */
279 /* SHA384Context is really a SHA512ContextStr. This is not a mistake. */
281 /* All SHA3_*Contexts are the same. This is not a mistake. */
294 /***************************************************************************
295 ** RSA Public and Private Key structures
296 */
298 /* member names from PKCS#1, section 7.1 */
301 SECItem modulus;
302 SECItem publicExponent;
303 };
306 /* member names from PKCS#1, section 7.2 */
309 SECItem version;
310 SECItem modulus;
311 SECItem publicExponent;
312 SECItem privateExponent;
313 SECItem prime1;
314 SECItem prime2;
315 SECItem exponent1;
316 SECItem exponent2;
317 SECItem coefficient;
318 };
321 /***************************************************************************
322 ** DSA Public and Private Key and related structures
323 */
330 /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
331 };
337 SECItem seed;
338 SECItem h;
339 };
343 PQGParams params;
344 SECItem publicValue;
345 };
349 PQGParams params;
350 SECItem publicValue;
351 SECItem privateValue;
352 };
355 /***************************************************************************
356 ** Diffie-Hellman Public and Private Key and related structures
357 ** Structure member names suggested by PKCS#3.
358 */
364 };
369 SECItem prime;
370 SECItem base;
371 SECItem publicValue;
372 };
377 SECItem prime;
378 SECItem base;
379 SECItem publicValue;
380 SECItem privateValue;
381 };
384 /***************************************************************************
385 ** Data structures used for elliptic curve parameters and
386 ** public and private keys.
387 */
389 /*
390 ** The ECParams data structures can encode elliptic curve
391 ** parameters for both GFp and GF2m curves.
392 */
395 ec_params_named
399 ec_field_GF2m,
400 ec_field_plain
405 ECFieldType type;
411 * the only coefficient of trinomial
412 */
415 };
420 * field element (X9.62 section 4.3.3)
421 */
422 SECItem b;
423 SECItem seed;
424 };
429 ECParamsType type;
430 ECFieldID fieldID;
431 ECCurve curve;
432 SECItem base;
433 SECItem order;
435 SECItem DEREncoding;
436 ECCurveName name;
437 SECItem curveOID;
438 };
442 ECParams ecParams;
444 * octet stream.
445 */
446 };
450 ECParams ecParams;
454 };