author | cinap_lenrek <cinap_lenrek@felloff.net> | 2016-04-11 20:23:34 +0200 |
---|---|---|
committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2016-04-11 20:23:34 +0200 |
commit | 464763202be7bdafa703c8c2ecfe1f4a5142f26f (patch) | |
tree | 76487fcd0124776ac366efb1bbcb4b408aea46a9 /sys/src/ape | |
parent | 21aee5d8cbd1ebae796cdc58404b8d8902738370 (diff) |
ape: add libauth, libbio, libmp and libsec as replacements for openssl
Diffstat (limited to 'sys/src/ape')
26 files changed, 945 insertions, 10 deletions
diff --git a/sys/src/ape/lib/9/ctime.c b/sys/src/ape/lib/9/ctime.c new file mode 100644 index 000000000..d8cdcef4c --- /dev/null +++ b/sys/src/ape/lib/9/ctime.c @@ -0,0 +1,22 @@ +#include "libc.h" + +#undef gmtime + +Tm* +_gmtime(time_t t) +{ + static Tm r; + struct tm *p; + + p = gmtime(&t); + r.sec = p->tm_sec; + r.min = p->tm_min; + r.hour = p->tm_hour; + r.mday = p->tm_mday; + r.mon = p->tm_mon; + r.year = p->tm_year; + r.wday = p->tm_wday; + r.yday = p->tm_yday; + strcpy(r.zone, "GMT"); + return &r; +} diff --git a/sys/src/ape/lib/9/libc.h b/sys/src/ape/lib/9/libc.h index 6ec1580c2..de885a964 100644 --- a/sys/src/ape/lib/9/libc.h +++ b/sys/src/ape/lib/9/libc.h @@ -1,6 +1,11 @@ #define _LOCK_EXTENSION #define _QLOCK_EXTENSION #define _BSD_EXTENSION + +#ifdef _NET_EXTENSION +#include <libnet.h> +#endif + #include <stdint.h> #include <sys/types.h> #include <lock.h> @@ -15,6 +20,7 @@ #include <utf.h> #include <fmt.h> #include <signal.h> +#include <time.h> #define nelem(x) (sizeof(x)/sizeof((x)[0])) @@ -54,6 +60,17 @@ long _dirreadall(int, Dir**); void _nulldir(Dir*); uint _sizeD2M(Dir*); +#define convM2D _convM2D +#define convD2M _convD2M +#define dirstat _dirstat +#define dirwstat _dirwstat +#define dirfstat _dirfstat +#define dirfwstat _dirfwstat +#define dirread _dirread +#define dirreadall _dirreadall +#define nulldir _nulldir +#define sizeD2M _sizeD2M + typedef struct Waitmsg { @@ -62,7 +79,6 @@ struct Waitmsg char *msg; } Waitmsg; - extern int _AWAIT(char*, int); extern int _ALARM(unsigned long); extern int _BIND(const char*, const char*, int); 
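Review bot: In the new `sys/src/ape/lib/9/ctime.c`, `p = gmtime(&t);` is dereferenced on the following line without a null check, and ISO C allows `gmtime` to return a null pointer when the time cannot be converted. Adding `if(p == 0) return 0;` before the field copies would avoid the crash, provided callers check the result. The result is stored in the function-static `r`, so each call overwrites the previous value; a one-line comment such as `/* returns pointer to static storage, overwritten by the next call */` would make that visible. `r.tzoff` is never assigned and keeps its static zero value.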
@@ -106,13 +122,14 @@ extern long _READN(int, void*, long); extern int _IOUNIT(int); extern vlong _NSEC(void); -#define dirstat _dirstat -#define dirfstat _dirfstat - #define OREAD 0 #define OWRITE 1 #define ORDWR 2 -#define OCEXEC 32 +#define OEXEC 3 /* execute, == read but check execute permission */ +#define OTRUNC 16 /* or'ed in (except for exec), truncate file first */ +#define OCEXEC 32 /* or'ed in, close on exec */ +#define ORCLOSE 64 /* or'ed in, remove on close */ +#define OEXCL 0x1000 /* or'ed in, exclusive use (create only) */ #define AREAD 4 #define AWRITE 2 @@ -125,6 +142,8 @@ extern vlong _NSEC(void); #define create(file, omode, perm) open(file, (omode) |O_CREAT | O_TRUNC, perm) #define seek(fd, off, dir) lseek(fd, off, dir) +#define fauth _FAUTH +#define wait _WAIT #define readn _READN #define pread _PREAD #define pwrite _PWRITE @@ -132,11 +151,15 @@ extern vlong _NSEC(void); #define nsec _NSEC #define iounit _IOUNIT +#define getwd(buf,len) getcwd(buf,len) #define postnote(who,pid,note) kill(pid,SIGTERM) #define atnotify(func,in) #define ERRMAX 128 +int errstr(char*, unsigned int); +extern void sysfatal(char*, ...); + extern void setmalloctag(void*, uintptr_t); extern void setrealloctag(void*, uintptr_t); extern uintptr_t getcallerpc(void*); 
@@ -148,6 +171,29 @@ extern int enc32(char *, int, uchar *, int); extern int dec64(uchar *, int, char *, int); extern int enc64(char *, int, uchar *, int); -extern int tokenize(char*, char**, int); -extern void sysfatal(char*, ...); -extern ulong truerand(void); /* uses /dev/random */ +extern int tokenize(char*, char**, int); +extern int getfields(char*, char**, int, int, char*); +extern int gettokens(char*, char**, int, char*); + +extern ulong truerand(void); /* uses /dev/random */ + +extern int encrypt(void*, void*, int len); +extern int decrypt(void*, void*, int len); + +typedef +struct Tm +{ + int sec; + int min; + int hour; + int mday; + int mon; + int year; + int wday; + int yday; + char zone[4]; + int tzoff; +} Tm; + +Tm* _gmtime(time_t); +#define gmtime _gmtime diff --git a/sys/src/ape/lib/9/mkfile b/sys/src/ape/lib/9/mkfile index cc3e5b9b8..f3e9d7f4f 100644 --- a/sys/src/ape/lib/9/mkfile +++ b/sys/src/ape/lib/9/mkfile @@ -2,11 +2,15 @@ APE=/sys/src/ape <$APE/config LIB=/$objtype/lib/ape/lib9.a -OFILES=argv0.$O\ - errstr.$O\ +OFILES=\ + argv0.$O\ bind.$O\ + crypt.$O\ + ctime.$O\ + errstr.$O\ getcallerpc.$O\ getfcr.$O\ + getfields.$O\ mount.$O\ rendezvous.$O\ rfork.$O\ @@ -40,9 +44,15 @@ CFLAGS=-c $CFLAGS -D_POSIX_SOURCE -D_PLAN9_SOURCE sysfatal.$O: ../../../libc/9sys/sysfatal.c $CC $CFLAGS -I. ../../../libc/9sys/sysfatal.c +getfields.$O: ../../../libc/port/getfields.c + $CC $CFLAGS -I. ../../../libc/port/getfields.c + tokenize.$O: ../../../libc/port/tokenize.c $CC $CFLAGS -I. ../../../libc/port/tokenize.c +crypt.$O: ../../../libc/port/crypt.c + $CC $CFLAGS -I. ../../../libc/port/crypt.c + truerand.$O: ../../../libc/9sys/truerand.c $CC $CFLAGS -I. ../../../libc/9sys/truerand.c diff --git a/sys/src/ape/lib/auth/authsrv.h b/sys/src/ape/lib/auth/authsrv.h new file mode 100644 index 000000000..498dc9870 --- /dev/null +++ b/sys/src/ape/lib/auth/authsrv.h 
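Review bot: In the last libc.h hunk, `#define gmtime _gmtime` rebinds the ISO C name to a function that takes `time_t` by value and returns `Tm*`, and nothing in the header says so; ctime.c has to `#undef gmtime` to reach the real function. A short comment above the `Tm` typedef would help, for example `/* Plan 9 style Tm and gmtime(); shadows the <time.h> gmtime for code built against this header */`. `zone[4]` holds exactly "GMT" plus its terminator, which is worth stating next to the field because `_gmtime` fills it with `strcpy`. The new `encrypt`/`decrypt` prototypes also carry no comment naming the source file they come from (the mkfile hunk builds them from `libc/port/crypt.c`).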
@@ -0,0 +1,45 @@
+enum
+{
+ ANAMELEN= 28, /* name max size in previous proto */
+ AERRLEN= 64, /* errstr max size in previous proto */
+ DOMLEN= 48, /* authentication domain name length */
+ DESKEYLEN= 7, /* encrypt/decrypt des key length */
+ AESKEYLEN= 16, /* encrypt/decrypt aes key length */
+
+ CHALLEN= 8, /* plan9 sk1 challenge length */
+ NETCHLEN= 16, /* max network challenge length (used in AS protocol) */
+ CONFIGLEN= 14,
+ SECRETLEN= 32, /* secret max size */
+
+ NONCELEN= 32,
+
+ KEYDBOFF= 8, /* bytes of random data at key file's start */
+ OKEYDBLEN= ANAMELEN+DESKEYLEN+4+2, /* old key file entry length */
+ KEYDBLEN= OKEYDBLEN+SECRETLEN, /* key file entry length */
+ OMD5LEN= 16,
+
+ /* AuthPAK constants */
+ PAKKEYLEN= 32,
+ PAKSLEN= (448+7)/8, /* ed448 scalar */
+ PAKPLEN= 4*PAKSLEN, /* point in extended format X,Y,Z,T */
+ PAKHASHLEN= 2*PAKPLEN, /* hashed points PM,PN */
+ PAKXLEN= PAKSLEN, /* random scalar secret key */
+ PAKYLEN= PAKSLEN, /* decaf encoded public key */
+};
+
+typedef struct Authkey Authkey;
+struct Authkey
+{
+ char des[DESKEYLEN]; /* DES key from password */
+ uchar aes[AESKEYLEN]; /* AES key from password */
+ uchar pakkey[PAKKEYLEN]; /* shared key from AuthPAK exchange (see authpak_finish()) */
+ uchar pakhash[PAKHASHLEN]; /* secret hash from AES key and user name (see authpak_hash()) */
+};
+
+/*
+ * convert ascii password to auth key
+ */
+extern void passtokey(Authkey*, char*);
+
+extern void passtodeskey(char key[DESKEYLEN], char *p);
+extern void passtoaeskey(uchar key[AESKEYLEN], char *p);
diff --git a/sys/src/ape/lib/auth/fcall.h b/sys/src/ape/lib/auth/fcall.h
new file mode 100644
index 000000000..6da9bbe1d
--- /dev/null
+++ b/sys/src/ape/lib/auth/fcall.h
@@ -0,0 +1,20 @@
+#define VERSION9P "9P2000"
+#define MAXWELEM 16
+
+#define GBIT8(p) ((p)[0])
+#define GBIT16(p) ((p)[0]|((p)[1]<<8))
+#define GBIT32(p) ((p)[0]|((p)[1]<<8)|((p)[2]<<16)|((p)[3]<<24))
+#define GBIT64(p) ((u32int)((p)[0]|((p)[1]<<8)|((p)[2]<<16)|((p)[3]<<24)) |\
+ ((vlong)((p)[4]|((p)[5]<<8)|((p)[6]<<16)|((p)[7]<<24)) << 32))
+
+#define PBIT8(p,v) (p)[0]=(v)
+#define PBIT16(p,v) (p)[0]=(v);(p)[1]=(v)>>8
+#define PBIT32(p,v) (p)[0]=(v);(p)[1]=(v)>>8;(p)[2]=(v)>>16;(p)[3]=(v)>>24
+#define PBIT64(p,v) (p)[0]=(v);(p)[1]=(v)>>8;(p)[2]=(v)>>16;(p)[3]=(v)>>24;\
+ (p)[4]=(v)>>32;(p)[5]=(v)>>40;(p)[6]=(v)>>48;(p)[7]=(v)>>56
+
+#define BIT8SZ 1
+#define BIT16SZ 2
+#define BIT32SZ 4
+#define BIT64SZ 8
+#define QIDSZ (BIT8SZ+BIT32SZ+BIT64SZ)
diff --git a/sys/src/ape/lib/auth/mkfile b/sys/src/ape/lib/auth/mkfile
new file mode 100644
index 000000000..fa30d3a83
--- /dev/null
+++ b/sys/src/ape/lib/auth/mkfile
@@ -0,0 +1,43 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libauth.a
+OFILES=\
+ amount.$O\
+ amount_getkey.$O\
+ attr.$O\
+ auth_attr.$O\
+ auth_challenge.$O\
+ auth_chuid.$O\
+ auth_getkey.$O\
+ auth_getuserpasswd.$O\
+ auth_proxy.$O\
+ auth_respond.$O\
+ auth_rpc.$O\
+ auth_userpasswd.$O\
+ auth_wep.$O\
+ login.$O\
+ newns.$O\
+ noworld.$O\
+ passtokey.$O\
+
+HFILES=\
+ /sys/include/ape/auth.h\
+ /sys/src/libauth/authlocal.h\
+ ../9/libc.h
+
+UPDATE=\
+ mkfile\
+ $HFILES\
+ ${OFILES:%.$O=%.c}\
+ ${LIB:/$objtype/%=/386/%}\
+
+</sys/src/cmd/mksyslib
+
+CFLAGS=-TVwc -D_POSIX_SOURCE -D_PLAN9_SOURCE -D_NET_EXTENSION -I. -I../9 -I/sys/src/libauth
+
+%.$O: /sys/src/libauth/%.c
+ $CC $CFLAGS /sys/src/libauth/$stem.c
+
+passtokey.$O: /sys/src/libauthsrv/passtokey.c
+ $CC $CFLAGS /sys/src/libauthsrv/passtokey.c
diff --git a/sys/src/ape/lib/bio/mkfile b/sys/src/ape/lib/bio/mkfile
new file mode 100644
index 000000000..c87bcc7e2
--- /dev/null
+++ b/sys/src/ape/lib/bio/mkfile
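Review bot: In the new `sys/src/ape/lib/auth/fcall.h`, `PBIT16`, `PBIT32` and `PBIT64` expand to several bare statements, so a use such as `if(x) PBIT32(p, v);` would make only the first byte store conditional. Wrapping each body in `do{ ... }while(0)` keeps the macro a single statement. `GBIT32` shifts an `int`-promoted byte left by 24, which reaches the sign bit for bytes of 0x80 and above and is not defined by ISO C; `GBIT64` already casts its low half to `u32int`, and casting in `GBIT32` the same way (`((u32int)(p)[3]<<24)`) would make the two consistent. These macros decode lengths from protocol messages in the auth code, so it is worth not depending on how a given compiler treats the overflow.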
@@ -0,0 +1,38 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libbio.a
+OFILES=\
+ bbuffered.$O\
+ bfildes.$O\
+ bflush.$O\
+ bgetrune.$O\
+ bgetc.$O\
+# bgetd.$O\
+ binit.$O\
+ blethal.$O\
+ boffset.$O\
+ bprint.$O\
+ bputrune.$O\
+ bputc.$O\
+ brdline.$O\
+ brdstr.$O\
+ bread.$O\
+ bseek.$O\
+ bwrite.$O\
+ bvprint.$O\
+
+HFILES=/sys/include/ape/bio.h
+
+UPDATE=\
+ mkfile\
+ $HFILES\
+ ${OFILES:%.$O=%.c}\
+ ${LIB:/$objtype/%=/386/%}\
+
+</sys/src/cmd/mksyslib
+
+CFLAGS=-TVwc -D_PLAN9_SOURCE -D_POSIX_SOURCE -I. -I../9
+
+%.$O: /sys/src/libbio/%.c
+ $CC $CFLAGS /sys/src/libbio/$stem.c
diff --git a/sys/src/ape/lib/mp/386/mkfile b/sys/src/ape/lib/mp/386/mkfile
new file mode 100644
index 000000000..1dc9bfcd3
--- /dev/null
+++ b/sys/src/ape/lib/mp/386/mkfile
@@ -0,0 +1,26 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libmp.a
+
+SFILES=\
+ mpvecadd.s\
+ mpvecdigmuladd.s\
+ mpvecdigmulsub.s\
+ mpvecsub.s\
+ mpdigdiv.s\
+
+HFILES=\
+ /sys/include/ape/mp.h\
+ ../../../../libmp/port/dat.h
+
+OFILES=${SFILES:%.s=%.$O}
+
+UPDATE=mkfile\
+ $HFILES\
+ $SFILES\
+
+</sys/src/cmd/mksyslib
+
+%.$O: ../../../../libmp/386/%.s
+ $AS ../../../../libmp/386/$stem.s
diff --git a/sys/src/ape/lib/mp/alpha/mkfile b/sys/src/ape/lib/mp/alpha/mkfile
new file mode 100644
index 000000000..73b43cf84
--- /dev/null
+++ b/sys/src/ape/lib/mp/alpha/mkfile
@@ -0,0 +1,15 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libmp.a
+
+HFILES=\
+ /sys/include/ape/mp.h\
+ ../../../../libmp/port/dat.h
+
+OFILES=\
+
+UPDATE=mkfile\
+ $HFILES\
+
+</sys/src/cmd/mksyslib
diff --git a/sys/src/ape/lib/mp/amd64/mkfile b/sys/src/ape/lib/mp/amd64/mkfile
new file mode 100644
index 000000000..6698f501e
--- /dev/null
+++ b/sys/src/ape/lib/mp/amd64/mkfile
@@ -0,0 +1,26 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libmp.a
+
+SFILES=\
+ mpvecadd.s\
+ mpvecdigmuladd.s\
+ mpvecdigmulsub.s\
+ mpvecsub.s\
+ mpdigdiv.s\
+
+HFILES=\
+ /sys/include/ape/mp.h\
+ ../../../../libmp/port/dat.h
+
+OFILES=${SFILES:%.s=%.$O}
+
+UPDATE=mkfile\
+ $HFILES\
+ $SFILES\
+
+</sys/src/cmd/mksyslib
+
+%.$O: ../../../../libmp/amd64/%.s
+ $AS ../../../../libmp/amd64/$stem.s
diff --git a/sys/src/ape/lib/mp/arm/mkfile b/sys/src/ape/lib/mp/arm/mkfile
new file mode 100644
index 000000000..4801b8648
--- /dev/null
+++ b/sys/src/ape/lib/mp/arm/mkfile
@@ -0,0 +1,21 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libmp.a
+
+SFILES=mpvecdigmuladd.s mpvecdigmulsub.s mpvecadd.s mpvecsub.s
+
+HFILES=\
+ /sys/include/ape/mp.h\
+ ../../../../libmp/port/dat.h
+
+OFILES=${SFILES:%.s=%.$O}
+
+UPDATE=mkfile\
+ $HFILES\
+ $SFILES\
+
+</sys/src/cmd/mksyslib
+
+%.$O: ../../../../libmp/arm/%.s
+ $AS ../../../../libmp/arm/$stem.s
diff --git a/sys/src/ape/lib/mp/mips/mkfile b/sys/src/ape/lib/mp/mips/mkfile
new file mode 100644
index 000000000..e6df85c48
--- /dev/null
+++ b/sys/src/ape/lib/mp/mips/mkfile
@@ -0,0 +1,26 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libmp.a
+
+SFILES=\
+ mpvecadd.s\
+ mpvecsub.s\
+ mpvecdigmuladd.s\
+ mpvecdigmulsub.s\
+# mpdigdiv.s\
+
+HFILES=\
+ /sys/include/ape/mp.h\
+ ../../../../libmp/port/dat.h
+
+OFILES=${SFILES:%.s=%.$O}
+
+UPDATE=mkfile\
+ $HFILES\
+ $SFILES\
+
+</sys/src/cmd/mksyslib
+
+%.$O: ../../../../libmp/mips/%.s
+ $AS ../../../../libmp/mips/$stem.s
diff --git a/sys/src/ape/lib/mp/mkfile b/sys/src/ape/lib/mp/mkfile
new file mode 100644
index 000000000..2feb712b4
--- /dev/null
+++ b/sys/src/ape/lib/mp/mkfile
@@ -0,0 +1,54 @@
+APE=/sys/src/ape
+<$APE/config
+
+DIRS=port $CPUS
+
+default:V: all
+
+install all:V:
+ for(i in port $objtype)@{
+ echo $i
+ cd $i
+ mk $MKFLAGS $target
+ }
+
+nuke:V: clean
+ rm -f /$objtype/lib/ape/libmp.a
+
+clean:V:
+ for(i in $DIRS)@{
+ echo $i
+ cd $i
+ mk $MKFLAGS $target
+ }
+
+installall:V:
+ for(objtype in $CPUS) mk $MKFLAGS install
+
+everything:V:
+ rm -f */*.[$OS]
+ for(objtype in 386)@{
+ echo $objtype
+ mk $MKFLAGS install
+ }
+ rm -f */*.[$OS]
+
+test.$O: ../../../libmp/test.c /sys/include/ape/mp.h ../../../libmp/port/dat.h
+ $CC -c -D_POSIX_SOURCE -D_PLAN9_SOURCE -I../9 -I../../../libmp/port ../../../libmp/test.c
+
+$O.test: test.$O /$objtype/lib/ape/libmp.a
+ $LD -o $O.test test.$O
+
+bigtest.$O: ../../../libmp/bigtest.c /sys/include/ape/mp.h ../../../libmp/port/dat.h
+ $CC -c -D_POSIX_SOURCE -D_PLAN9_SOURCE -I../9 -I../../../libmp/port ../../../libmp/bigtest.c
+
+$O.bigtest: bigtest.$O /$objtype/lib/ape/libmp.a
+ $LD -o $O.bigtest bigtest.$O
+
+allout:
+ objtype=386; mk; mk 8.test 8.bigtest
+ objtype=amd64; mk; mk 6.test 6.bigtest
+ objtype=arm; mk; mk 5.test 5.bigtest
+
+cleanout:
+ rm -f [568].* *.[568]
diff --git a/sys/src/ape/lib/mp/port/mkfile b/sys/src/ape/lib/mp/port/mkfile
new file mode 100644
index 000000000..3e7a518e7
--- /dev/null
+++ b/sys/src/ape/lib/mp/port/mkfile
@@ -0,0 +1,72 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libmp.a
+
+FILES=\
+ mpaux\
+ mpfmt\
+ strtomp\
+ mptobe\
+ mptober\
+ mptole\
+ mptolel\
+ betomp\
+ letomp\
+ mpadd\
+ mpsub\
+ mpcmp\
+ mpsel\
+ mpfactorial\
+ mpmul\
+ mpleft\
+ mpright\
+ mpvecadd\
+ mpvecsub\
+ mpvecdigmuladd\
+ mpveccmp\
+ mpvectscmp\
+ mpdigdiv\
+ mpdiv\
+ mpexp\
+ mpmod\
+ mpmodop\
+ mpextendedgcd\
+ mpinvert\
+ mprand\
+ mpnrand\
+ crt\
+ mptoi\
+ mptoui\
+ mptov\
+ mptouv\
+ mpfield\
+ cnfield\
+ gmfield\
+ mplogic\
+
+ALLOFILES=${FILES:%=%.$O}
+
+# cull things in the per-machine directories from this list
+OFILES= `{rfork en; \
+ if(~ $objtype spim) objtype=mips; \
+ bind -a ../../../../libmp/$objtype ../$objtype; \
+ rc ../../../../libmp/port/reduce $O $objtype $ALLOFILES}
+
+HFILES=\
+ /sys/include/ape/mp.h\
+ ../../../../libmp/port/dat.h\
+
+CFILES=${FILES:%=%.c}
+
+UPDATE=\
+ mkfile\
+ $HFILES\
+ $CFILES\
+
+</sys/src/cmd/mksyslib
+
+CFLAGS=-TVwc -+ -D_POSIX_SOURCE -D_PLAN9_SOURCE -I. -I../../9
+
+%.$O: ../../../../libmp/port/%.c
+ $CC $CFLAGS ../../../../libmp/port/$stem.c
diff --git a/sys/src/ape/lib/mp/power/mkfile b/sys/src/ape/lib/mp/power/mkfile
new file mode 100644
index 000000000..471bf21da
--- /dev/null
+++ b/sys/src/ape/lib/mp/power/mkfile
@@ -0,0 +1,25 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libmp.a
+
+SFILES=\
+ mpvecadd.s\
+ mpvecsub.s\
+ mpvecdigmuladd.s\
+ mpvecdigmulsub.s\
+
+HFILES=\
+ /sys/include/ape/mp.h\
+ ../../../../libmp/port/dat.h
+
+OFILES=${SFILES:%.s=%.$O}
+
+UPDATE=mkfile\
+ $HFILES\
+ $SFILES\
+
+</sys/src/cmd/mksyslib
+
+%.$O: ../../../../libmp/power/%.s
+ $AS ../../../../libmp/power/$stem.s
diff --git a/sys/src/ape/lib/mp/spim/mkfile b/sys/src/ape/lib/mp/spim/mkfile
new file mode 100644
index 000000000..e6df85c48
--- /dev/null
+++ b/sys/src/ape/lib/mp/spim/mkfile
@@ -0,0 +1,26 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libmp.a
+
+SFILES=\
+ mpvecadd.s\
+ mpvecsub.s\
+ mpvecdigmuladd.s\
+ mpvecdigmulsub.s\
+# mpdigdiv.s\
+
+HFILES=\
+ /sys/include/ape/mp.h\
+ ../../../../libmp/port/dat.h
+
+OFILES=${SFILES:%.s=%.$O}
+
+UPDATE=mkfile\
+ $HFILES\
+ $SFILES\
+
+</sys/src/cmd/mksyslib
+
+%.$O: ../../../../libmp/mips/%.s
+ $AS ../../../../libmp/mips/$stem.s
diff --git a/sys/src/ape/lib/sec/386/mkfile b/sys/src/ape/lib/sec/386/mkfile
new file mode 100644
index 000000000..3e1e3233a
--- /dev/null
+++ b/sys/src/ape/lib/sec/386/mkfile
@@ -0,0 +1,23 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libsec.a
+
+FILES=\
+ md5block\
+ sha1block\
+
+HFILES=/sys/include/ape/libsec.h
+
+SFILES=${FILES:%=%.s}
+
+OFILES=${SFILES:%.s=%.$O}
+
+UPDATE=mkfile\
+ $HFILES\
+ $SFILES\
+
+</sys/src/cmd/mksyslib
+
+%.$O: /sys/src/libsec/$objtype/%.s
+ $AS $AFLAGS /sys/src/libsec/$objtype/$stem.s
diff --git a/sys/src/ape/lib/sec/alpha/mkfile b/sys/src/ape/lib/sec/alpha/mkfile
new file mode 100644
index 000000000..473538cac
--- /dev/null
+++ b/sys/src/ape/lib/sec/alpha/mkfile
@@ -0,0 +1,15 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libsec.a
+
+OFILES= \
+
+HFILES=/sys/include/ape/libsec.h
+
+UPDATE=mkfile
+
+</sys/src/cmd/mksyslib
+
+%.$O: /sys/src/libsec/$objtype/%.s
+ $AS $AFLAGS /sys/src/libsec/$objtype/$stem.s
diff --git a/sys/src/ape/lib/sec/amd64/mkfile b/sys/src/ape/lib/sec/amd64/mkfile
new file mode 100644
index 000000000..41f49d2ae
--- /dev/null
+++ b/sys/src/ape/lib/sec/amd64/mkfile
@@ -0,0 +1,22 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libsec.a
+FILES=\
+ md5block\
+ sha1block\
+
+HFILES=/sys/include/ape/libsec.h
+
+SFILES=${FILES:%=%.s}
+
+OFILES=${FILES:%=%.$O}
+
+UPDATE=mkfile\
+ $HFILES\
+ $SFILES\
+
+</sys/src/cmd/mksyslib
+
+%.$O: /sys/src/libsec/$objtype/%.s
+ $AS $AFLAGS /sys/src/libsec/$objtype/$stem.s
diff --git a/sys/src/ape/lib/sec/arm/mkfile b/sys/src/ape/lib/sec/arm/mkfile
new file mode 100644
index 000000000..473538cac
--- /dev/null
+++ b/sys/src/ape/lib/sec/arm/mkfile
@@ -0,0 +1,15 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libsec.a
+
+OFILES= \
+
+HFILES=/sys/include/ape/libsec.h
+
+UPDATE=mkfile
+
+</sys/src/cmd/mksyslib
+
+%.$O: /sys/src/libsec/$objtype/%.s
+ $AS $AFLAGS /sys/src/libsec/$objtype/$stem.s
diff --git a/sys/src/ape/lib/sec/mips/mkfile b/sys/src/ape/lib/sec/mips/mkfile
new file mode 100644
index 000000000..3e1e3233a
--- /dev/null
+++ b/sys/src/ape/lib/sec/mips/mkfile
@@ -0,0 +1,23 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libsec.a
+
+FILES=\
+ md5block\
+ sha1block\
+
+HFILES=/sys/include/ape/libsec.h
+
+SFILES=${FILES:%=%.s}
+
+OFILES=${SFILES:%.s=%.$O}
+
+UPDATE=mkfile\
+ $HFILES\
+ $SFILES\
+
+</sys/src/cmd/mksyslib
+
+%.$O: /sys/src/libsec/$objtype/%.s
+ $AS $AFLAGS /sys/src/libsec/$objtype/$stem.s
diff --git a/sys/src/ape/lib/sec/mkfile b/sys/src/ape/lib/sec/mkfile
new file mode 100644
index 000000000..4eabca330
--- /dev/null
+++ b/sys/src/ape/lib/sec/mkfile
@@ -0,0 +1,46 @@
+</$objtype/mkfile
+
+DIRS=port $CPUS
+
+default:V: all
+
+install all:V:
+ for(i in port $objtype)@{
+ echo $i
+ cd $i
+ mk $MKFLAGS $target
+ }
+
+clean:V:
+ for(i in $DIRS)@{
+ echo $i
+ cd $i
+ mk $MKFLAGS $target
+ }
+
+nuke:V: clean
+ rm -f /$objtype/lib/libsec.a
+
+update:V:
+ for(i in $DIRS)@{
+ echo $i
+ cd $i
+ mk $MKFLAGS update
+ }
+ update $UPDATEFLAGS /386/lib/libsec.a
+
+installall:V:
+ for(objtype in $CPUS) mk $MKFLAGS install
+
+everything:V:
+ rm -f */*.[$OS]
+ for(objtype in $CPUS)@{
+ echo $objtype
+ mk $MKFLAGS install
+ }
+ rm -f */*.[$OS]
+
+APE=/sys/src/ape
+<$APE/config
+$O.tlsclient: tlsclient.c
+ $CC -o $target $CFLAGS -D_POSIX_SOURCE -D_PLAN9_SOURCE -D_NET_EXTENSION tlsclient.c
diff --git a/sys/src/ape/lib/sec/port/mkfile b/sys/src/ape/lib/sec/port/mkfile
new file mode 100644
index 000000000..ef8cc3942
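Review bot: In the new `sys/src/ape/lib/sec/mkfile`, the `nuke` target runs `rm -f /$objtype/lib/libsec.a` and `update` names `/386/lib/libsec.a`, which are the native library paths, while every sub-mkfile added in this commit builds `/$objtype/lib/ape/libsec.a`. As written, `mk nuke` in the APE tree would remove the system's native libsec archive rather than the APE one. The sibling `sys/src/ape/lib/mp/mkfile` uses `rm -f /$objtype/lib/ape/libmp.a`, so these two lines look like leftovers from the native mkfile; `rm -f /$objtype/lib/ape/libsec.a` and `update $UPDATEFLAGS /386/lib/ape/libsec.a` would match the rest of the change.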
--- /dev/null
+++ b/sys/src/ape/lib/sec/port/mkfile
@@ -0,0 +1,72 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libsec.a
+
+CFILES = des.c desmodes.c desECB.c desCBC.c des3ECB.c des3CBC.c\
+ aes.c aes_gcm.c blowfish.c \
+ hmac.c md5.c md5block.c md4.c sha1.c sha1block.c\
+ sha2_64.c sha2_128.c sha2block64.c sha2block128.c\
+ sha1pickle.c md5pickle.c\
+ poly1305.c\
+ rc4.c\
+ chacha.c\
+ salsa.c\
+ genrandom.c prng.c fastrand.c nfastrand.c\
+ probably_prime.c smallprimetest.c genprime.c dsaprimes.c\
+ gensafeprime.c genstrongprime.c\
+ rsagen.c rsafill.c rsaencrypt.c rsadecrypt.c rsaalloc.c \
+ rsaprivtopub.c \
+ x509.c \
+ decodepem.c \
+ eggen.c egencrypt.c egdecrypt.c egalloc.c egprivtopub.c \
+ egsign.c egverify.c \
+ dsagen.c dsaalloc.c dsaprivtopub.c dsasign.c dsaverify.c \
+ tlshand.c \
+ thumb.c readcert.c \
+ aes_xts.c \
+ ecc.c\
+ ripemd.c\
+ dh.c\
+ curve25519.c\
+ curve25519_dh.c\
+ pbkdf2.c\
+ hkdf.c\
+ ccpoly.c\
+ tsmemcmp.c\
+ secp256r1.c\
+ secp256k1.c\
+
+CLEANFILES=secp256r1.c secp256k1.c
+
+ALLOFILES=${CFILES:%.c=%.$O}
+
+# cull things in the per-machine directories from this list
+OFILES= `{rfork n; \
+ bind -a ../../../../libsec/$objtype ../$objtype; \
+ rc ../../../../libsec/port/reduce $O $objtype $ALLOFILES}
+
+HFILES=/sys/include/ape/libsec.h
+
+UPDATE=mkfile\
+ $HFILES\
+ $CFILES\
+
+</sys/src/cmd/mksyslib
+
+CFLAGS=-TVwc -+ -D_POSIX_SOURCE -D_PLAN9_SOURCE -I. -I../../9 -I../../../../libmp/port
+
+../../../../libsec/port/%.c:D: ../../../../libsec/port/%.mp
+ @{cd ../../../../libsec/port && mk $stem.c}
+
+%.$O: ../../../../libsec/port/%.c
+ $CC $CFLAGS ../../../../libsec/port/$stem.c
+
+$O.rsatest: rsatest.$O
+ $LD -o $target $prereq
+
+$O.chachatest: chachatest.$O
+ $LD -o $target $prereq
+
+$O.aesgcmtest: aesgcmtest.$O
+ $LD -o $target $prereq
diff --git a/sys/src/ape/lib/sec/power/mkfile b/sys/src/ape/lib/sec/power/mkfile
new file mode 100644
index 000000000..473538cac
--- /dev/null
+++ b/sys/src/ape/lib/sec/power/mkfile
@@ -0,0 +1,15 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libsec.a
+
+OFILES= \
+
+HFILES=/sys/include/ape/libsec.h
+
+UPDATE=mkfile
+
+</sys/src/cmd/mksyslib
+
+%.$O: /sys/src/libsec/$objtype/%.s
+ $AS $AFLAGS /sys/src/libsec/$objtype/$stem.s
diff --git a/sys/src/ape/lib/sec/spim/mkfile b/sys/src/ape/lib/sec/spim/mkfile
new file mode 100644
index 000000000..f8e4ae94f
--- /dev/null
+++ b/sys/src/ape/lib/sec/spim/mkfile
@@ -0,0 +1,12 @@
+APE=/sys/src/ape
+<$APE/config
+
+LIB=/$objtype/lib/ape/libsec.a
+
+HFILES=/sys/include/ape/libsec.h
+
+OFILES=\
+
+UPDATE=mkfile $HFILES
+
+</sys/src/cmd/mksyslib
diff --git a/sys/src/ape/lib/sec/tlsclient.c b/sys/src/ape/lib/sec/tlsclient.c
new file mode 100644
index 000000000..37095a6ab
--- /dev/null
+++ b/sys/src/ape/lib/sec/tlsclient.c
@@ -0,0 +1,177 @@
+#include <sys/types.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <lib9.h>
+
+#include <libsec.h>
+#include <libnet.h>
+
+#include <auth.h>
+
+int debug, auth, dialfile;
+char *keyspec = "";
+char *servername, *file, *filex, *ccert;
+
+void
+sysfatal(char *fmt, ...)
+{
+ va_list a;
+
+ va_start(a, fmt);
+ vfprintf(stderr, fmt, a);
+ va_end(a);
+ fprintf(stderr, "\n");
+ exit(1);
+}
+
+void
+usage(void)
+{
+ fprint(2, "usage: tlsclient [-D] [-a [-k keyspec] ] [-c lib/tls/clientcert] [-t /sys/lib/tls/xxx] [-x /sys/lib/tls/xxx.exclude] [-n servername] [-o] dialstring [cmd [args...]]\n");
+ exit(1);
+}
+
+void
+xfer(int from, int to)
+{
+ char buf[12*1024];
+ int n;
+
+ while((n = read(from, buf, sizeof buf)) > 0)
+ if(write(to, buf, n) < 0)
+ break;
+}
+
+static int
+reporter(char *fmt, ...)
+{
+ va_list ap;
+
+ va_start(ap, fmt);
+ fprint(2, "%s: tls reports ", argv0);
+ vfprint(2, fmt, ap);
+ fprint(2, "\n");
+
+ va_end(ap);
+ return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+ int fd, pid;
+ char *addr;
+ TLSconn *conn;
+ Thumbprint *thumb;
+ AuthInfo *ai = nil;
+
+// fmtinstall('H', encodefmt);
+
+ ARGBEGIN{
+ case 'D':
+ debug++;
+ break;
+ case 'a':
+ auth++;
+ break;
+ case 'k':
+ keyspec = EARGF(usage());
+ break;
+ case 't':
+ file = EARGF(usage());
+ break;
+ case 'x':
+ filex = EARGF(usage());
+ break;
+ case 'c':
+ ccert = EARGF(usage());
+ break;
+ case 'n':
+ servername = EARGF(usage());
+ break;
+ case 'o':
+ dialfile = 1;
+ break;
+ default:
+ usage();
+ }ARGEND
+
+ if(argc < 1)
+ usage();
+
+ if(filex && !file)
+ sysfatal("specifying -x without -t is useless");
+
+ if(file){
+ thumb = initThumbprints(file, filex);
+ if(thumb == nil)
+ sysfatal("initThumbprints: %r");
+ } else
+ thumb = nil;
+
+ addr = *argv++;
+ if((fd = dial(addr, 0, 0, 0)) < 0)
+ sysfatal("dial %s: %r", addr);
+
+ conn = (TLSconn*)malloc(sizeof *conn);
+ memset(conn, 0, sizeof(*conn));
+ conn->serverName = servername;
+ if(ccert){
+ conn->cert = readcert(ccert, &conn->certlen);
+ if(conn->cert == nil)
+ sysfatal("readcert: %r");
+ }
+
+ if(auth){
+ ai = auth_proxy(fd, auth_getkey, "proto=p9any role=client %s", keyspec);
+ if(ai == nil)
+ sysfatal("auth_proxy: %r");
+
+ conn->pskID = "p9secret";
+ conn->psk = ai->secret;
+ conn->psklen = ai->nsecret;
+ }
+
+ if(debug)
+ conn->trace = reporter;
+
+ fd = tlsClient(fd, conn);
+ if(fd < 0)
+ sysfatal("tlsclient: %r");
+
+ if(thumb){
+ uchar digest[20];
+
+ if(conn->cert==nil || conn->certlen<=0)
+ sysfatal("server did not provide TLS certificate");
+ sha1(conn->cert, conn->certlen, digest, nil);
+ if(!okThumbprint(digest, thumb))
+ sysfatal("server certificate %.*H not recognized", SHA1dlen, digest);
+ freeThumbprints(thumb);
+ }
+
+ free(conn->cert);
+ free(conn->sessionID);
+ free(conn);
+ if(ai != nil)
+ auth_freeAI(ai);
+
+ pid = fork();
+ switch(pid){
+ case -1:
+ sysfatal("fork: %r");
+ case 0:
+ pid = getppid();
+ xfer(0, fd);
+ break;
+ default:
+ xfer(fd, 1);
+ break;
+ }
+ if(pid) kill(pid, SIGTERM);
+ return 0;
+} |
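Review bot: In the new `sys/src/ape/lib/sec/tlsclient.c`, the local `sysfatal` formats with stdio `vfprintf`, yet `main` calls it with Plan 9 verbs (`%r` in `sysfatal("dial %s: %r", addr)`, `%.*H` in the thumbprint-mismatch message) that stdio does not define, so the failure paths, including a rejected server certificate, produce undefined output. Formatting with `vfprint(2, fmt, a);` as `reporter` does would presumably handle `%r`, and `%H` additionally needs the commented-out `fmtinstall('H', encodefmt);` restored or the digest printed another way. `conn = (TLSconn*)malloc(sizeof *conn);` is handed to `memset` unchecked; `if(conn == nil) sysfatal("malloc failed");` before it would cover that. When neither `-t` nor `-a` is given, `thumb` stays nil and nothing after `tlsClient` authenticates the server, which deserves a comment in `main` and a line in the usage text.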