diff options
| author | Taru Karttunen <taruti@taruti.net> | 2011-03-30 15:46:40 +0300 |
|---|---|---|
| committer | Taru Karttunen <taruti@taruti.net> | 2011-03-30 15:46:40 +0300 |
| commit | e5888a1ffdae813d7575f5fb02275c6bb07e5199 (patch) | |
| tree | d8d51eac403f07814b9e936eed0c9a79195e2450 /sys/src/libsec | |
Import sources from 2011-03-30 iso image
Diffstat (limited to 'sys/src/libsec')
73 files changed, 14722 insertions, 0 deletions
diff --git a/sys/src/libsec/386/md5block.s b/sys/src/libsec/386/md5block.s new file mode 100755 index 000000000..56966d766 --- /dev/null +++ b/sys/src/libsec/386/md5block.s @@ -0,0 +1,220 @@ +/* + * rfc1321 requires that I include this. The code is new. The constants + * all come from the rfc (hence the copyright). We trade a table for the + * macros in rfc. The total size is a lot less. -- presotto + * + * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + * rights reserved. + * + * License to copy and use this software is granted provided that it + * is identified as the "RSA Data Security, Inc. MD5 Message-Digest + * Algorithm" in all material mentioning or referencing this software + * or this function. + * + * License is also granted to make and use derivative works provided + * that such works are identified as "derived from the RSA Data + * Security, Inc. MD5 Message-Digest Algorithm" in all material + * mentioning or referencing the derived work. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software forany particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * These notices must be retained in any copies of any part of this + * documentation and/or software. + */ +#define S11 7 +#define S12 12 +#define S13 17 +#define S14 22 + +#define S21 5 +#define S22 9 +#define S23 14 +#define S24 20 + +#define S31 4 +#define S32 11 +#define S33 16 +#define S34 23 + +#define S41 6 +#define S42 10 +#define S43 15 +#define S44 21 + +/* + * SI is data + * a += FN(B,C,D); + * a += x[sh] + t[sh]; + * a = (a << S11) | (a >> (32 - S11)); + * a += b; + */ + +#define BODY1(off,V,FN,SH,A,B,C,D)\ + FN(B,C,D)\ + LEAL V(A)(DI*1),A;\ + ADDL (off)(BP),A;\ + ROLL $SH,A;\ + ADDL B,A;\ + +#define BODY(off,V,FN,SH,A,B,C,D)\ + FN(B,C,D)\ + LEAL V(A)(DI*1),A;\ + ADDL (off)(BP),A;\ + ROLL $SH,A;\ + ADDL B,A;\ + +/* + * fn1 = ((c ^ d) & b) ^ d + */ +#define FN1(B,C,D)\ + MOVL C,DI;\ + XORL D,DI;\ + ANDL B,DI;\ + XORL D,DI;\ + +/* + * fn2 = ((b ^ c) & d) ^ c; + */ +#define FN2(B,C,D)\ + MOVL B,DI;\ + XORL C,DI;\ + ANDL D,DI;\ + XORL C,DI;\ + +/* + * fn3 = b ^ c ^ d; + */ +#define FN3(B,C,D)\ + MOVL B,DI;\ + XORL C,DI;\ + XORL D,DI;\ + +/* + * fn4 = c ^ (b | ~d); + */ +#define FN4(B,C,D)\ + MOVL D,DI;\ + XORL $-1,DI;\ + ORL B,DI;\ + XORL C,DI;\ + +#define DATA 0 +#define LEN 4 +#define STATE 8 + +#define EDATA (-4) + + TEXT _md5block+0(SB),$4 + + MOVL data+DATA(FP),AX + ADDL len+LEN(FP),AX + MOVL AX,edata+EDATA(SP) + + MOVL data+DATA(FP),BP + +mainloop: + MOVL state+STATE(FP),SI + MOVL (SI),AX + MOVL 4(SI),BX + MOVL 8(SI),CX + MOVL 12(SI),DX + + BODY1( 0*4,0xd76aa478,FN1,S11,AX,BX,CX,DX) + BODY1( 1*4,0xe8c7b756,FN1,S12,DX,AX,BX,CX) + BODY1( 2*4,0x242070db,FN1,S13,CX,DX,AX,BX) + BODY1( 3*4,0xc1bdceee,FN1,S14,BX,CX,DX,AX) + + BODY1( 4*4,0xf57c0faf,FN1,S11,AX,BX,CX,DX) + BODY1( 5*4,0x4787c62a,FN1,S12,DX,AX,BX,CX) + BODY1( 6*4,0xa8304613,FN1,S13,CX,DX,AX,BX) + BODY1( 7*4,0xfd469501,FN1,S14,BX,CX,DX,AX) + + BODY1( 8*4,0x698098d8,FN1,S11,AX,BX,CX,DX) + BODY1( 9*4,0x8b44f7af,FN1,S12,DX,AX,BX,CX) + BODY1(10*4,0xffff5bb1,FN1,S13,CX,DX,AX,BX) + BODY1(11*4,0x895cd7be,FN1,S14,BX,CX,DX,AX) + + BODY1(12*4,0x6b901122,FN1,S11,AX,BX,CX,DX) + BODY1(13*4,0xfd987193,FN1,S12,DX,AX,BX,CX) + BODY1(14*4,0xa679438e,FN1,S13,CX,DX,AX,BX) + BODY1(15*4,0x49b40821,FN1,S14,BX,CX,DX,AX) + + + BODY( 1*4,0xf61e2562,FN2,S21,AX,BX,CX,DX) + BODY( 6*4,0xc040b340,FN2,S22,DX,AX,BX,CX) + BODY(11*4,0x265e5a51,FN2,S23,CX,DX,AX,BX) + BODY( 0*4,0xe9b6c7aa,FN2,S24,BX,CX,DX,AX) + + BODY( 5*4,0xd62f105d,FN2,S21,AX,BX,CX,DX) + BODY(10*4,0x02441453,FN2,S22,DX,AX,BX,CX) + BODY(15*4,0xd8a1e681,FN2,S23,CX,DX,AX,BX) + BODY( 4*4,0xe7d3fbc8,FN2,S24,BX,CX,DX,AX) + + BODY( 9*4,0x21e1cde6,FN2,S21,AX,BX,CX,DX) + BODY(14*4,0xc33707d6,FN2,S22,DX,AX,BX,CX) + BODY( 3*4,0xf4d50d87,FN2,S23,CX,DX,AX,BX) + BODY( 8*4,0x455a14ed,FN2,S24,BX,CX,DX,AX) + + BODY(13*4,0xa9e3e905,FN2,S21,AX,BX,CX,DX) + BODY( 2*4,0xfcefa3f8,FN2,S22,DX,AX,BX,CX) + BODY( 7*4,0x676f02d9,FN2,S23,CX,DX,AX,BX) + BODY(12*4,0x8d2a4c8a,FN2,S24,BX,CX,DX,AX) + + + BODY( 5*4,0xfffa3942,FN3,S31,AX,BX,CX,DX) + BODY( 8*4,0x8771f681,FN3,S32,DX,AX,BX,CX) + BODY(11*4,0x6d9d6122,FN3,S33,CX,DX,AX,BX) + BODY(14*4,0xfde5380c,FN3,S34,BX,CX,DX,AX) + + BODY( 1*4,0xa4beea44,FN3,S31,AX,BX,CX,DX) + BODY( 4*4,0x4bdecfa9,FN3,S32,DX,AX,BX,CX) + BODY( 7*4,0xf6bb4b60,FN3,S33,CX,DX,AX,BX) + BODY(10*4,0xbebfbc70,FN3,S34,BX,CX,DX,AX) + + BODY(13*4,0x289b7ec6,FN3,S31,AX,BX,CX,DX) + BODY( 0*4,0xeaa127fa,FN3,S32,DX,AX,BX,CX) + BODY( 3*4,0xd4ef3085,FN3,S33,CX,DX,AX,BX) + BODY( 6*4,0x04881d05,FN3,S34,BX,CX,DX,AX) + + BODY( 9*4,0xd9d4d039,FN3,S31,AX,BX,CX,DX) + BODY(12*4,0xe6db99e5,FN3,S32,DX,AX,BX,CX) + BODY(15*4,0x1fa27cf8,FN3,S33,CX,DX,AX,BX) + BODY( 2*4,0xc4ac5665,FN3,S34,BX,CX,DX,AX) + + + BODY( 0*4,0xf4292244,FN4,S41,AX,BX,CX,DX) + BODY( 7*4,0x432aff97,FN4,S42,DX,AX,BX,CX) + BODY(14*4,0xab9423a7,FN4,S43,CX,DX,AX,BX) + BODY( 5*4,0xfc93a039,FN4,S44,BX,CX,DX,AX) + + BODY(12*4,0x655b59c3,FN4,S41,AX,BX,CX,DX) + BODY( 3*4,0x8f0ccc92,FN4,S42,DX,AX,BX,CX) + BODY(10*4,0xffeff47d,FN4,S43,CX,DX,AX,BX) + BODY( 1*4,0x85845dd1,FN4,S44,BX,CX,DX,AX) + + BODY( 8*4,0x6fa87e4f,FN4,S41,AX,BX,CX,DX) + BODY(15*4,0xfe2ce6e0,FN4,S42,DX,AX,BX,CX) + BODY( 6*4,0xa3014314,FN4,S43,CX,DX,AX,BX) + BODY(13*4,0x4e0811a1,FN4,S44,BX,CX,DX,AX) + + BODY( 4*4,0xf7537e82,FN4,S41,AX,BX,CX,DX) + BODY(11*4,0xbd3af235,FN4,S42,DX,AX,BX,CX) + BODY( 2*4,0x2ad7d2bb,FN4,S43,CX,DX,AX,BX) + BODY( 9*4,0xeb86d391,FN4,S44,BX,CX,DX,AX) + + ADDL $(16*4),BP + MOVL state+STATE(FP),DI + ADDL AX,0(DI) + ADDL BX,4(DI) + ADDL CX,8(DI) + ADDL DX,12(DI) + + MOVL edata+EDATA(SP),DI + CMPL BP,DI + JCS mainloop + + RET + + END diff --git a/sys/src/libsec/386/mkfile b/sys/src/libsec/386/mkfile new file mode 100755 index 000000000..fd124bbc1 --- /dev/null +++ b/sys/src/libsec/386/mkfile @@ -0,0 +1,19 @@ +objtype=386 +</$objtype/mkfile + +LIB=/$objtype/lib/libsec.a +FILES=\ + md5block\ + sha1block\ + +HFILES=/sys/include/libsec.h + +SFILES=${FILES:%=%.s} + +OFILES=${FILES:%=%.$O} + +UPDATE=mkfile\ + $HFILES\ + $SFILES\ + +</sys/src/cmd/mksyslib diff --git a/sys/src/libsec/386/sha1block.s b/sys/src/libsec/386/sha1block.s new file mode 100755 index 000000000..8f69f3d46 --- /dev/null +++ b/sys/src/libsec/386/sha1block.s @@ -0,0 +1,195 @@ + TEXT _sha1block+0(SB),$352 + +/* x = (wp[off-f] ^ wp[off-8] ^ wp[off-14] ^ wp[off-16]) <<< 1; + * wp[off] = x; + * x += A <<< 5; + * E += 0xca62c1d6 + x; + * x = FN(B,C,D); + * E += x; + * B >>> 2 + */ +#define BSWAPDI BYTE $0x0f; BYTE $0xcf; + +#define BODY(off,FN,V,A,B,C,D,E)\ + MOVL (off-64)(BP),DI;\ + XORL (off-56)(BP),DI;\ + XORL (off-32)(BP),DI;\ + XORL (off-12)(BP),DI;\ + ROLL $1,DI;\ + MOVL DI,off(BP);\ + LEAL V(DI)(E*1),E;\ + MOVL A,DI;\ + ROLL $5,DI;\ + ADDL DI,E;\ + FN(B,C,D)\ + ADDL DI,E;\ + RORL $2,B;\ + +#define BODY0(off,FN,V,A,B,C,D,E)\ + MOVL off(BX),DI;\ + BSWAPDI;\ + MOVL DI,off(BP);\ + LEAL V(DI)(E*1),E;\ + MOVL A,DI;\ + ROLL $5,DI;\ + ADDL DI,E;\ + FN(B,C,D)\ + ADDL DI,E;\ + RORL $2,B;\ + +/* + * fn1 = (((C^D)&B)^D); + */ +#define FN1(B,C,D)\ + MOVL C,DI;\ + XORL D,DI;\ + ANDL B,DI;\ + XORL D,DI;\ + +/* + * fn24 = B ^ C ^ D + */ +#define FN24(B,C,D)\ + MOVL B,DI;\ + XORL C,DI;\ + XORL D,DI;\ + +/* + * fn3 = ((B ^ C) & (D ^= B)) ^ B + * D ^= B to restore D + */ +#define FN3(B,C,D)\ + MOVL B,DI;\ + XORL C,DI;\ + XORL B,D;\ + ANDL D,DI;\ + XORL B,DI;\ + XORL B,D;\ + +/* + * stack offsets + * void sha1block(uchar *DATA, int LEN, ulong *STATE) + */ +#define DATA 0 +#define LEN 4 +#define STATE 8 + +/* + * stack offsets for locals + * ulong w[80]; + * uchar *edata; + * ulong *w15, *w40, *w60, *w80; + * register local + * ulong *wp = BP + * ulong a = eax, b = ebx, c = ecx, d = edx, e = esi + * ulong tmp = edi + */ +#define WARRAY (-4-(80*4)) +#define TMP1 (-8-(80*4)) +#define TMP2 (-12-(80*4)) +#define W15 (-16-(80*4)) +#define W40 (-20-(80*4)) +#define W60 (-24-(80*4)) +#define W80 (-28-(80*4)) +#define EDATA (-32-(80*4)) + + MOVL data+DATA(FP),AX + ADDL len+LEN(FP),AX + MOVL AX,edata+EDATA(SP) + + LEAL aw15+(WARRAY+15*4)(SP),DI + MOVL DI,w15+W15(SP) + LEAL aw40+(WARRAY+40*4)(SP),DX + MOVL DX,w40+W40(SP) + LEAL aw60+(WARRAY+60*4)(SP),CX + MOVL CX,w60+W60(SP) + LEAL aw80+(WARRAY+80*4)(SP),DI + MOVL DI,w80+W80(SP) + +mainloop: + LEAL warray+WARRAY(SP),BP + + MOVL state+STATE(FP),DI + MOVL (DI),AX + MOVL 4(DI),BX + MOVL BX,tmp1+TMP1(SP) + MOVL 8(DI),CX + MOVL 12(DI),DX + MOVL 16(DI),SI + + MOVL data+DATA(FP),BX + +loop1: + BODY0(0,FN1,0x5a827999,AX,tmp1+TMP1(SP),CX,DX,SI) + MOVL SI,tmp2+TMP2(SP) + BODY0(4,FN1,0x5a827999,SI,AX,tmp1+TMP1(SP),CX,DX) + MOVL tmp1+TMP1(SP),SI + BODY0(8,FN1,0x5a827999,DX,tmp2+TMP2(SP),AX,SI,CX) + BODY0(12,FN1,0x5a827999,CX,DX,tmp2+TMP2(SP),AX,SI) + MOVL SI,tmp1+TMP1(SP) + BODY0(16,FN1,0x5a827999,SI,CX,DX,tmp2+TMP2(SP),AX) + MOVL tmp2+TMP2(SP),SI + + ADDL $20,BX + ADDL $20,BP + CMPL BP,w15+W15(SP) + JCS loop1 + + BODY0(0,FN1,0x5a827999,AX,tmp1+TMP1(SP),CX,DX,SI) + ADDL $4,BX + MOVL BX,data+DATA(FP) + MOVL tmp1+TMP1(SP),BX + + BODY(4,FN1,0x5a827999,SI,AX,BX,CX,DX) + BODY(8,FN1,0x5a827999,DX,SI,AX,BX,CX) + BODY(12,FN1,0x5a827999,CX,DX,SI,AX,BX) + BODY(16,FN1,0x5a827999,BX,CX,DX,SI,AX) + + ADDL $20,BP + +loop2: + BODY(0,FN24,0x6ed9eba1,AX,BX,CX,DX,SI) + BODY(4,FN24,0x6ed9eba1,SI,AX,BX,CX,DX) + BODY(8,FN24,0x6ed9eba1,DX,SI,AX,BX,CX) + BODY(12,FN24,0x6ed9eba1,CX,DX,SI,AX,BX) + BODY(16,FN24,0x6ed9eba1,BX,CX,DX,SI,AX) + + ADDL $20,BP + CMPL BP,w40+W40(SP) + JCS loop2 + +loop3: + BODY(0,FN3,0x8f1bbcdc,AX,BX,CX,DX,SI) + BODY(4,FN3,0x8f1bbcdc,SI,AX,BX,CX,DX) + BODY(8,FN3,0x8f1bbcdc,DX,SI,AX,BX,CX) + BODY(12,FN3,0x8f1bbcdc,CX,DX,SI,AX,BX) + BODY(16,FN3,0x8f1bbcdc,BX,CX,DX,SI,AX) + + ADDL $20,BP + CMPL BP,w60+W60(SP) + JCS loop3 + +loop4: + BODY(0,FN24,0xca62c1d6,AX,BX,CX,DX,SI) + BODY(4,FN24,0xca62c1d6,SI,AX,BX,CX,DX) + BODY(8,FN24,0xca62c1d6,DX,SI,AX,BX,CX) + BODY(12,FN24,0xca62c1d6,CX,DX,SI,AX,BX) + BODY(16,FN24,0xca62c1d6,BX,CX,DX,SI,AX) + + ADDL $20,BP + CMPL BP,w80+W80(SP) + JCS loop4 + + MOVL state+STATE(FP),DI + ADDL AX,0(DI) + ADDL BX,4(DI) + ADDL CX,8(DI) + ADDL DX,12(DI) + ADDL SI,16(DI) + + MOVL edata+EDATA(SP),DI + CMPL data+DATA(FP),DI + JCS mainloop + + RET + END diff --git a/sys/src/libsec/alpha/mkfile b/sys/src/libsec/alpha/mkfile new file mode 100755 index 000000000..5978e98f0 --- /dev/null +++ b/sys/src/libsec/alpha/mkfile @@ -0,0 +1,11 @@ +objtype=alpha +</$objtype/mkfile + +LIB=/$objtype/lib/libsec.a +OFILES= \ + +HFILES=/sys/include/libsec.h + +UPDATE=mkfile + +</sys/src/cmd/mksyslib diff --git a/sys/src/libsec/arm/mkfile b/sys/src/libsec/arm/mkfile new file mode 100755 index 000000000..04029d92d --- /dev/null +++ b/sys/src/libsec/arm/mkfile @@ -0,0 +1,11 @@ +objtype=arm +</$objtype/mkfile + +LIB=/$objtype/lib/libsec.a +OFILES= \ + +HFILES=/sys/include/libsec.h + +UPDATE=mkfile + +</sys/src/cmd/mksyslib diff --git a/sys/src/libsec/mips/md5block.s b/sys/src/libsec/mips/md5block.s new file mode 100755 index 000000000..eb7b49ff7 --- /dev/null +++ b/sys/src/libsec/mips/md5block.s @@ -0,0 +1,305 @@ +/* + * rfc1321 requires that I include this. The code is new. The constants + * all come from the rfc (hence the copyright). We trade a table for the + * macros in rfc. The total size is a lot less. -- presotto + * + * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + * rights reserved. + * + * License to copy and use this software is granted provided that it + * is identified as the "RSA Data Security, Inc. MD5 Message-Digest + * Algorithm" in all material mentioning or referencing this software + * or this function. + * + * License is also granted to make and use derivative works provided + * that such works are identified as "derived from the RSA Data + * Security, Inc. MD5 Message-Digest Algorithm" in all material + * mentioning or referencing the derived work. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software forany particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * These notices must be retained in any copies of any part of this + * documentation and/or software. + */ + + /* round 1 */ + DATA md5tab<>+( 0*4)(SB)/4,$0xd76aa478 + DATA md5tab<>+( 1*4)(SB)/4,$0xe8c7b756 + DATA md5tab<>+( 2*4)(SB)/4,$0x242070db + DATA md5tab<>+( 3*4)(SB)/4,$0xc1bdceee + DATA md5tab<>+( 4*4)(SB)/4,$0xf57c0faf + DATA md5tab<>+( 5*4)(SB)/4,$0x4787c62a + DATA md5tab<>+( 6*4)(SB)/4,$0xa8304613 + DATA md5tab<>+( 7*4)(SB)/4,$0xfd469501 + DATA md5tab<>+( 8*4)(SB)/4,$0x698098d8 + DATA md5tab<>+( 9*4)(SB)/4,$0x8b44f7af + DATA md5tab<>+(10*4)(SB)/4,$0xffff5bb1 + DATA md5tab<>+(11*4)(SB)/4,$0x895cd7be + DATA md5tab<>+(12*4)(SB)/4,$0x6b901122 + DATA md5tab<>+(13*4)(SB)/4,$0xfd987193 + DATA md5tab<>+(14*4)(SB)/4,$0xa679438e + DATA md5tab<>+(15*4)(SB)/4,$0x49b40821 + + /* round 2 */ + DATA md5tab<>+(16*4)(SB)/4,$0xf61e2562 + DATA md5tab<>+(17*4)(SB)/4,$0xc040b340 + DATA md5tab<>+(18*4)(SB)/4,$0x265e5a51 + DATA md5tab<>+(19*4)(SB)/4,$0xe9b6c7aa + DATA md5tab<>+(20*4)(SB)/4,$0xd62f105d + DATA md5tab<>+(21*4)(SB)/4,$0x02441453 + DATA md5tab<>+(22*4)(SB)/4,$0xd8a1e681 + DATA md5tab<>+(23*4)(SB)/4,$0xe7d3fbc8 + DATA md5tab<>+(24*4)(SB)/4,$0x21e1cde6 + DATA md5tab<>+(25*4)(SB)/4,$0xc33707d6 + DATA md5tab<>+(26*4)(SB)/4,$0xf4d50d87 + DATA md5tab<>+(27*4)(SB)/4,$0x455a14ed + DATA md5tab<>+(28*4)(SB)/4,$0xa9e3e905 + DATA md5tab<>+(29*4)(SB)/4,$0xfcefa3f8 + DATA md5tab<>+(30*4)(SB)/4,$0x676f02d9 + DATA md5tab<>+(31*4)(SB)/4,$0x8d2a4c8a + + /* round 3 */ + DATA md5tab<>+(32*4)(SB)/4,$0xfffa3942 + DATA md5tab<>+(33*4)(SB)/4,$0x8771f681 + DATA md5tab<>+(34*4)(SB)/4,$0x6d9d6122 + DATA md5tab<>+(35*4)(SB)/4,$0xfde5380c + DATA md5tab<>+(36*4)(SB)/4,$0xa4beea44 + DATA md5tab<>+(37*4)(SB)/4,$0x4bdecfa9 + DATA md5tab<>+(38*4)(SB)/4,$0xf6bb4b60 + DATA md5tab<>+(39*4)(SB)/4,$0xbebfbc70 + DATA md5tab<>+(40*4)(SB)/4,$0x289b7ec6 + DATA md5tab<>+(41*4)(SB)/4,$0xeaa127fa + DATA md5tab<>+(42*4)(SB)/4,$0xd4ef3085 + DATA md5tab<>+(43*4)(SB)/4,$0x04881d05 + DATA md5tab<>+(44*4)(SB)/4,$0xd9d4d039 + DATA md5tab<>+(45*4)(SB)/4,$0xe6db99e5 + DATA md5tab<>+(46*4)(SB)/4,$0x1fa27cf8 + DATA md5tab<>+(47*4)(SB)/4,$0xc4ac5665 + + /* round 4 */ + DATA md5tab<>+(48*4)(SB)/4,$0xf4292244 + DATA md5tab<>+(49*4)(SB)/4,$0x432aff97 + DATA md5tab<>+(50*4)(SB)/4,$0xab9423a7 + DATA md5tab<>+(51*4)(SB)/4,$0xfc93a039 + DATA md5tab<>+(52*4)(SB)/4,$0x655b59c3 + DATA md5tab<>+(53*4)(SB)/4,$0x8f0ccc92 + DATA md5tab<>+(54*4)(SB)/4,$0xffeff47d + DATA md5tab<>+(55*4)(SB)/4,$0x85845dd1 + DATA md5tab<>+(56*4)(SB)/4,$0x6fa87e4f + DATA md5tab<>+(57*4)(SB)/4,$0xfe2ce6e0 + DATA md5tab<>+(58*4)(SB)/4,$0xa3014314 + DATA md5tab<>+(59*4)(SB)/4,$0x4e0811a1 + DATA md5tab<>+(60*4)(SB)/4,$0xf7537e82 + DATA md5tab<>+(61*4)(SB)/4,$0xbd3af235 + DATA md5tab<>+(62*4)(SB)/4,$0x2ad7d2bb + DATA md5tab<>+(63*4)(SB)/4,$0xeb86d391 + +#define S11 7 +#define S12 12 +#define S13 17 +#define S14 22 + +#define S21 5 +#define S22 9 +#define S23 14 +#define S24 20 + +#define S31 4 +#define S32 11 +#define S33 16 +#define S34 23 + +#define S41 6 +#define S42 10 +#define S43 15 +#define S44 21 + +#define AREG R5 +#define BREG R6 +#define CREG R7 +#define DREG R8 +#define DATAREG R1 +#define TABREG R10 +#define STREG R11 +#define XREG R12 +#define ELOOPREG R13 +#define EDREG R14 +#define IREG R15 + +#define TMP1 R9 +#define TMP2 R2 +#define TMP3 R3 +#define TMP4 R4 + +/* + * decode little endian data into x[off], then the body + * bodies have this form: + * a += FN(B,C,D); + * a += x[off] + t[off]; + * a = (a << S11) | (a >> (32 - S11)); + * a += b; + */ +#define BODY1(off,FN,SH,A,B,C,D)\ + MOVBU off(DATAREG),TMP2;\ + MOVBU (off+1)(DATAREG),TMP3;\ + MOVBU (off+2)(DATAREG),TMP1;\ + MOVBU (off+3)(DATAREG),TMP4;\ + SLL $8,TMP3;\ + OR TMP3,TMP2;\ + SLL $16,TMP1;\ + OR TMP1,TMP2;\ + SLL $24,TMP4;\ + OR TMP4,TMP2;\ + MOVW off(TABREG),TMP3;\ + FN(B,C,D)\ + ADDU TMP1,A;\ + MOVW TMP2,off(XREG);\ + ADDU TMP2,A;\ + ADDU TMP3,A;\ + SLL $SH,A,TMP1;\ + SRL $(32-SH),A;\ + OR TMP1,A;\ + ADDU B,A;\ + +#define BODY(off,inc,FN,SH,A,B,C,D)\ + MOVW off(TABREG),TMP3;\ + ADDU XREG,IREG,TMP4;\ + MOVW (TMP4),TMP2;\ + ADDU $(inc*4),IREG;\ + AND $63,IREG;\ + FN(B,C,D)\ + ADDU TMP1,A;\ + ADDU TMP2,A;\ + ADDU TMP3,A;\ + SLL $SH,A,TMP1;\ + SRL $(32-SH),A;\ + OR TMP1,A;\ + ADDU B,A;\ + +/* + * fn1 = ((c ^ d) & b) ^ d + */ +#define FN1(B,C,D)\ + XOR C,D,TMP1;\ + AND B,TMP1;\ + XOR D,TMP1;\ + +/* + * fn2 = ((b ^ c) & d) ^ c; + */ +#define FN2(B,C,D)\ + XOR B,C,TMP1;\ + AND D,TMP1;\ + XOR C,TMP1;\ + +/* + * fn3 = b ^ c ^ d; + */ +#define FN3(B,C,D)\ + XOR B,C,TMP1;\ + XOR D,TMP1;\ + +/* + * fn4 = c ^ (b | ~d); + */ +#define FN4(B,C,D)\ + XOR $-1,D,TMP1;\ + OR B,TMP1;\ + XOR C,TMP1;\ + +#define DATA 0 +#define LEN 4 +#define STATE 8 + +#define XOFF (-4-16*4) + + TEXT _md5block+0(SB),$68 + + MOVW len+LEN(FP),TMP1 + ADDU DATAREG,TMP1,EDREG + MOVW state+STATE(FP),STREG + + MOVW 0(STREG),AREG + MOVW 4(STREG),BREG + MOVW 8(STREG),CREG + MOVW 12(STREG),DREG + +mainloop: + + MOVW $md5tab<>+0(SB),TABREG + ADDU $(16*4),DATAREG,ELOOPREG + MOVW $x+XOFF(SP),XREG + +loop1: + BODY1(0,FN1,S11,AREG,BREG,CREG,DREG) + BODY1(4,FN1,S12,DREG,AREG,BREG,CREG) + BODY1(8,FN1,S13,CREG,DREG,AREG,BREG) + BODY1(12,FN1,S14,BREG,CREG,DREG,AREG) + + ADDU $16,DATAREG + ADDU $16,TABREG + ADDU $16,XREG + + BNE DATAREG,ELOOPREG,loop1 + + + MOVW $x+XOFF(SP),XREG + MOVW $(1*4),IREG + MOVW $(1*4),ELOOPREG +loop2: + BODY(0,5,FN2,S21,AREG,BREG,CREG,DREG) + BODY(4,5,FN2,S22,DREG,AREG,BREG,CREG) + BODY(8,5,FN2,S23,CREG,DREG,AREG,BREG) + BODY(12,5,FN2,S24,BREG,CREG,DREG,AREG) + + ADDU $16,TABREG + + BNE IREG,ELOOPREG,loop2 + + + MOVW $(5*4),IREG + MOVW $(5*4),ELOOPREG +loop3: + BODY(0,3,FN3,S31,AREG,BREG,CREG,DREG) + BODY(4,3,FN3,S32,DREG,AREG,BREG,CREG) + BODY(8,3,FN3,S33,CREG,DREG,AREG,BREG) + BODY(12,3,FN3,S34,BREG,CREG,DREG,AREG) + + ADDU $16,TABREG + + BNE IREG,ELOOPREG,loop3 + + + MOVW $0,IREG +loop4: + BODY(0,7,FN4,S41,AREG,BREG,CREG,DREG) + BODY(4,7,FN4,S42,DREG,AREG,BREG,CREG) + BODY(8,7,FN4,S43,CREG,DREG,AREG,BREG) + BODY(12,7,FN4,S44,BREG,CREG,DREG,AREG) + + ADDU $16,TABREG + + BNE IREG,R0,loop4 + + MOVW 0(STREG),TMP1 + MOVW 4(STREG),TMP2 + MOVW 8(STREG),TMP3 + MOVW 12(STREG),TMP4 + ADDU TMP1,AREG + ADDU TMP2,BREG + ADDU TMP3,CREG + ADDU TMP4,DREG + MOVW AREG,0(STREG) + MOVW BREG,4(STREG) + MOVW CREG,8(STREG) + MOVW DREG,12(STREG) + + BNE DATAREG,EDREG,mainloop + + RET + + GLOBL md5tab<>+0(SB),$256 + + END diff --git a/sys/src/libsec/mips/mkfile b/sys/src/libsec/mips/mkfile new file mode 100755 index 000000000..20c6d700b --- /dev/null +++ b/sys/src/libsec/mips/mkfile @@ -0,0 +1,19 @@ +objtype=mips +</$objtype/mkfile + +LIB=/$objtype/lib/libsec.a +FILES=\ + md5block\ + sha1block\ + +HFILES=/sys/include/libsec.h + +SFILES=${FILES:%=%.s} + +OFILES=${FILES:%=%.$O} + +UPDATE=mkfile\ + $HFILES\ + $SFILES\ + +</sys/src/cmd/mksyslib diff --git a/sys/src/libsec/mips/sha1block.s b/sys/src/libsec/mips/sha1block.s new file mode 100755 index 000000000..a4262faf7 --- /dev/null +++ b/sys/src/libsec/mips/sha1block.s @@ -0,0 +1,220 @@ + TEXT _sha1block+0(SB),$328 + +/* + * wp[off] = x; + * x += A <<< 5; + * E += 0xca62c1d6 + x; + * x = FN(B,C,D); + * E += x; + * B >>> 2 + */ +#define BODYX(off,FN,V,A,B,C,D,E)\ + FN(B,C,D)\ + ADDU TMP1,E;\ + ADDU V,E;\ + MOVW TMP2,off(WREG);\ + ADDU TMP2,E;\ + SLL $5,A,TMP3;\ + SRL $27,A,TMP4;\ + OR TMP3,TMP4;\ + ADDU TMP4,E;\ + SLL $30,B,TMP4;\ + SRL $2,B;\ + OR TMP4,B + +/* + * x = data[i] + * BODYX + */ +#define BODY1(off,FN,V,A,B,C,D,E)\ + MOVBU off(DATAREG),TMP2;\ + MOVBU (off+1)(DATAREG),TMP3;\ + MOVBU (off+2)(DATAREG),TMP1;\ + MOVBU (off+3)(DATAREG),TMP4;\ + SLL $24,TMP2;\ + SLL $16,TMP3;\ + OR TMP3,TMP2;\ + SLL $8,TMP1;\ + OR TMP1,TMP2;\ + OR TMP4,TMP2;\ + BODYX(off,FN,V,A,B,C,D,E) + +/* + * x = (wp[off-3] ^ wp[off-8] ^ wp[off-14] ^ wp[off-16]) <<< 1; + * BODYX + */ +#define BODY(off,FN,V,A,B,C,D,E)\ + MOVW (off-64)(WREG),TMP1;\ + MOVW (off-56)(WREG),TMP2;\ + MOVW (off-32)(WREG),TMP3;\ + MOVW (off-12)(WREG),TMP4;\ + XOR TMP1,TMP2;\ + XOR TMP3,TMP2;\ + XOR TMP4,TMP2;\ + SLL $1,TMP2,TMP1;\ + SRL $31,TMP2;\ + OR TMP1,TMP2;\ + BODYX(off,FN,V,A,B,C,D,E) + +/* + * fn1 = (((C^D)&B)^D); + */ +#define FN1(B,C,D)\ + XOR C,D,TMP1;\ + AND B,TMP1;\ + XOR D,TMP1; + +/* + * fn24 = B ^ C ^ D + */ +#define FN24(B,C,D)\ + XOR B,C,TMP1;\ + XOR D,TMP1; + +/* + * fn3 = ((B ^ C) & (D ^ B)) ^ B + */ +#define FN3(B,C,D)\ + XOR B,C,TMP1;\ + XOR B,D,TMP4;\ + AND TMP4,TMP1;\ + XOR B,TMP1; + +/* + * stack offsets + * void vtSha1Block(ulong *STATE, uchar *DATA, int LEN) + */ +#define DATA 0 +#define LEN 4 +#define STATE 8 + +/* + * stack offsets for locals + * ulong w[80]; + * uchar *edata; + * ulong *w15, *w40, *w60, *w80; + * register local + * ulong *wp = BP + * ulong a = eax, b = ebx, c = ecx, d = edx, e = esi + * ulong tmp = edi + */ +#define WARRAY (-4-(80*4)) + +#define AREG R5 +#define BREG R6 +#define CREG R7 +#define DREG R8 +#define EREG R9 +#define DATAREG R1 +#define STREG R11 +#define WREG R12 +#define W15REG R13 +#define W60REG R14 +#define W40REG R15 +#define W80REG R16 +#define EDREG R17 +#define VREG R18 + +#define TMP1 R10 +#define TMP2 R2 +#define TMP3 R3 +#define TMP4 R4 +#define TMP5 R19 + + MOVW len+LEN(FP),TMP1 + MOVW state+STATE(FP),STREG + ADDU DATAREG,TMP1,EDREG + + MOVW 0(STREG),AREG + MOVW 4(STREG),BREG + MOVW 8(STREG),CREG + MOVW 12(STREG),DREG + MOVW 16(STREG),EREG + + MOVW $warray+WARRAY(SP),WREG + ADDU $(15*4),WREG,W15REG + ADDU $(40*4),WREG,W40REG + ADDU $(60*4),WREG,W60REG + ADDU $(80*4),WREG,W80REG + +mainloop: + MOVW $warray+WARRAY(SP),WREG + + MOVW $0x5a827999,VREG +loop1: + BODY1(0,FN1,VREG,AREG,BREG,CREG,DREG,EREG) + BODY1(4,FN1,VREG,EREG,AREG,BREG,CREG,DREG) + BODY1(8,FN1,VREG,DREG,EREG,AREG,BREG,CREG) + BODY1(12,FN1,VREG,CREG,DREG,EREG,AREG,BREG) + BODY1(16,FN1,VREG,BREG,CREG,DREG,EREG,AREG) + + ADDU $20,DATAREG + ADDU $20,WREG + BNE WREG,W15REG,loop1 + + BODY1(0,FN1,VREG,AREG,BREG,CREG,DREG,EREG) + ADDU $4,DATAREG + + BODY(4,FN1,VREG,EREG,AREG,BREG,CREG,DREG) + BODY(8,FN1,VREG,DREG,EREG,AREG,BREG,CREG) + BODY(12,FN1,VREG,CREG,DREG,EREG,AREG,BREG) + BODY(16,FN1,VREG,BREG,CREG,DREG,EREG,AREG) + + ADDU $20,WREG + + MOVW $0x6ed9eba1,VREG +loop2: + BODY(0,FN24,VREG,AREG,BREG,CREG,DREG,EREG) + BODY(4,FN24,VREG,EREG,AREG,BREG,CREG,DREG) + BODY(8,FN24,VREG,DREG,EREG,AREG,BREG,CREG) + BODY(12,FN24,VREG,CREG,DREG,EREG,AREG,BREG) + BODY(16,FN24,VREG,BREG,CREG,DREG,EREG,AREG) + + ADDU $20,WREG + BNE WREG,W40REG,loop2 + + MOVW $0x8f1bbcdc,VREG +loop3: + BODY(0,FN3,VREG,AREG,BREG,CREG,DREG,EREG) + BODY(4,FN3,VREG,EREG,AREG,BREG,CREG,DREG) + BODY(8,FN3,VREG,DREG,EREG,AREG,BREG,CREG) + BODY(12,FN3,VREG,CREG,DREG,EREG,AREG,BREG) + BODY(16,FN3,VREG,BREG,CREG,DREG,EREG,AREG) + + ADDU $20,WREG + BNE WREG,W60REG,loop3 + + MOVW $0xca62c1d6,VREG +loop4: + BODY(0,FN24,VREG,AREG,BREG,CREG,DREG,EREG) + BODY(4,FN24,VREG,EREG,AREG,BREG,CREG,DREG) + BODY(8,FN24,VREG,DREG,EREG,AREG,BREG,CREG) + BODY(12,FN24,VREG,CREG,DREG,EREG,AREG,BREG) + BODY(16,FN24,VREG,BREG,CREG,DREG,EREG,AREG) + + ADDU $20,WREG + BNE WREG,W80REG,loop4 + + MOVW 0(STREG),TMP1 + MOVW 4(STREG),TMP2 + MOVW 8(STREG),TMP3 + MOVW 12(STREG),TMP4 + MOVW 16(STREG),TMP5 + + ADDU TMP1,AREG + ADDU TMP2,BREG + ADDU TMP3,CREG + ADDU TMP4,DREG + ADDU TMP5,EREG + + MOVW AREG,0(STREG) + MOVW BREG,4(STREG) + MOVW CREG,8(STREG) + MOVW DREG,12(STREG) + MOVW EREG,16(STREG) + + BNE DATAREG,EDREG,mainloop + + RET + + END diff --git a/sys/src/libsec/mkfile b/sys/src/libsec/mkfile new file mode 100755 index 000000000..e9d5e3353 --- /dev/null +++ b/sys/src/libsec/mkfile @@ -0,0 +1,41 @@ +</$objtype/mkfile + +DIRS=port $CPUS + +default:V: all + +install all:V: + for(i in port $objtype)@{ + echo $i + cd $i + mk $MKFLAGS $target + } + +clean:V: + for(i in $DIRS)@{ + echo $i + cd $i + mk $MKFLAGS $target + } + +nuke:V: clean + rm -f /$objtype/lib/libsec.a + +update:V: + for(i in $DIRS)@{ + echo $i + cd $i + mk $MKFLAGS update + } + update $UPDATEFLAGS /386/lib/libsec.a + +installall:V: + for(objtype in $CPUS) mk $MKFLAGS install + +everything:V: + rm -f */*.[012456789kqv] + for(objtype in 386)@{ + echo $objtype + mk $MKFLAGS install + } + rm -f */*.[012456789kqv] diff --git a/sys/src/libsec/port/aes.c b/sys/src/libsec/port/aes.c new file mode 100755 index 000000000..c90eb10ab --- /dev/null +++ b/sys/src/libsec/port/aes.c @@ -0,0 +1,1846 @@ +/* + * this code is derived from the following source, + * and modified to fit into the plan 9 libsec interface. + * most of the changes are confined to the top section, + * with the exception of converting Te4 and Td4 into u8 rather than u32 arrays. + * + * rijndael-alg-fst.c + * + * @version 3.0 (December 2000) + * + * Optimised ANSI C code for the Rijndael cipher (now AES) + * + * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be> + * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be> + * @author Paulo Barreto <paulo.barreto@terra.com.br> + * + * This code is hereby placed in the public domain. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS + * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +#include <u.h> +#include <libc.h> +#include <mp.h> +#include <libsec.h> + +typedef uchar u8; +typedef ulong u32; + +#define FULL_UNROLL +#define const + +static const u32 Td0[256]; +static const u32 Td1[256]; +static const u32 Td2[256]; +static const u32 Td3[256]; +static const u8 Te4[256]; +static uchar basekey[3][16] = { + { + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + }, + { + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + }, + { + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + }, +}; + +int aes_setupEnc(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[], + int keyBits); +static int aes_setupDec(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[], + int keyBits); +static int aes_setup(ulong erk[/*4*(Nr + 1)*/], ulong drk[/*4*(Nr + 1)*/], + const uchar cipherKey[], int keyBits); + +void aes_encrypt(const ulong rk[], int Nr, const uchar pt[16], uchar ct[16]); +void aes_decrypt(const ulong rk[], int Nr, const uchar ct[16], uchar pt[16]); + +void +setupAESstate(AESstate *s, uchar key[], int keybytes, uchar *ivec) +{ + memset(s, 0, sizeof(*s)); + if(keybytes > AESmaxkey) + keybytes = AESmaxkey; + memmove(s->key, key, keybytes); + s->keybytes = keybytes; + s->rounds = aes_setup(s->ekey, s->dkey, s->key, keybytes * 8); + if(ivec != nil) + memmove(s->ivec, ivec, AESbsize); + if(keybytes==16 || keybytes==24 || keybytes==32) + s->setup = 0xcafebabe; + /* else aes_setup was invalid */ +} + +/* + * AES-XCBC-MAC-96 message authentication, per rfc3566. + */ + +void +setupAESXCBCstate(AESstate *s) /* was setupmac96 */ +{ + int i, j; + uint q[16 / sizeof(uint)]; + uchar *p; + + assert(s->keybytes == 16); + for(i = 0; i < 3; i++) + aes_encrypt(s->ekey, s->rounds, basekey[i], + s->mackey + AESbsize*i); + + p = s->mackey; + memset(q, 0, AESbsize); + + /* + * put the in the right endian. once figured, probably better + * to use some fcall macros. + * keys for encryption in local endianness for the algorithm... + * only key1 is used for encryption; + * BUG!!: I think this is what I got wrong. + */ + for(i = 0; i < 16 / sizeof(uint); i ++){ + for(j = 0; j < sizeof(uint); j++) + q[i] |= p[sizeof(uint)-j-1] << 8*j; + p += sizeof(uint); + } + memmove(s->mackey, q, 16); +} + +/* + * Not dealing with > 128-bit keys, not dealing with strange corner cases like + * empty message. Should be fine for AES-XCBC-MAC-96. + */ +uchar* +aesXCBCmac(uchar *p, int len, AESstate *s) +{ + uchar *p2, *ip, *eip, *mackey; + uchar q[AESbsize]; + + assert(s->keybytes == 16); /* more complicated for bigger */ + memset(s->ivec, 0, AESbsize); /* E[0] is 0+ */ + + for(; len > AESbsize; len -= AESbsize){ + memmove(q, p, AESbsize); + p2 = q; + ip = s->ivec; + for(eip = ip + AESbsize; ip < eip; ) + *p2++ ^= *ip++; + aes_encrypt((ulong *)s->mackey, s->rounds, q, s->ivec); + p += AESbsize; + } + /* the last one */ + + memmove(q, p, len); + p2 = q+len; + if(len == AESbsize) + mackey = s->mackey + AESbsize; /* k2 */ + else{ + mackey = s->mackey+2*AESbsize; /* k3 */ + *p2++ = 1 << 7; /* padding */ + len = AESbsize - len - 1; + memset(p2, 0, len); + } + + ip = s->ivec; + p2 = q; + for(eip = ip + AESbsize; ip < eip; ) + *p2++ ^= *ip++ ^ *mackey++; + aes_encrypt((ulong *)s->mackey, s->rounds, q, s->ivec); + return s->ivec; /* only the 12 bytes leftmost */ +} + +/* + * Define by analogy with desCBCencrypt; AES modes are not standardized yet. + * Because of the way that non-multiple-of-16 buffers are handled, + * the decryptor must be fed buffers of the same size as the encryptor. + */ +void +aesCBCencrypt(uchar *p, int len, AESstate *s) +{ + uchar *p2, *ip, *eip; + uchar q[AESbsize]; + + for(; len >= AESbsize; len -= AESbsize){ + p2 = p; + ip = s->ivec; + for(eip = ip+AESbsize; ip < eip; ) + *p2++ ^= *ip++; + aes_encrypt(s->ekey, s->rounds, p, q); + memmove(s->ivec, q, AESbsize); + memmove(p, q, AESbsize); + p += AESbsize; + } + + if(len > 0){ + ip = s->ivec; + aes_encrypt(s->ekey, s->rounds, ip, q); + memmove(s->ivec, q, AESbsize); + for(eip = ip+len; ip < eip; ) + *p++ ^= *ip++; + } +} + +void +aesCBCdecrypt(uchar *p, int len, AESstate *s) +{ + uchar *ip, *eip, *tp; + uchar tmp[AESbsize], q[AESbsize]; + + for(; len >= AESbsize; len -= AESbsize){ + memmove(tmp, p, AESbsize); + aes_decrypt(s->dkey, s->rounds, p, q); + memmove(p, q, AESbsize); + tp = tmp; + ip = s->ivec; + for(eip = ip+AESbsize; ip < eip; ){ + *p++ ^= *ip; + *ip++ = *tp++; + } + } + + if(len > 0){ + ip = s->ivec; + aes_encrypt(s->ekey, s->rounds, ip, q); + memmove(s->ivec, q, AESbsize); + for(eip = ip+len; ip < eip; ) + *p++ ^= *ip++; + } +} + +/* + * AES-CTR mode, per rfc3686. + * CTRs could be precalculated for efficiency + * and there would also be less back and forth mp + */ + +static void +incrementCTR(uchar *p, uint ctrsz) +{ + int len; + uchar *ctr; + mpint *mpctr, *mpctrsz; + + ctr = p + AESbsize - ctrsz; + mpctr = betomp(ctr, ctrsz, nil); + mpctrsz = itomp(1 << (ctrsz*8), nil); + mpadd(mpctr, mpone, mpctr); + mpmod(mpctr, mpctrsz, mpctr); + len = mptobe(mpctr, ctr, ctrsz, nil); + assert(len == ctrsz); + mpfree(mpctrsz); + mpfree(mpctr); +} + +void +aesCTRencrypt(uchar *p, int len, AESstate *s) +{ + uchar q[AESbsize]; + uchar *ip, *eip, *ctr; + + ctr = s->ivec; + for(; len >= AESbsize; len -= AESbsize){ + ip = q; + aes_encrypt(s->ekey, s->rounds, ctr, q); + for(eip = p + AESbsize; p < eip; ) + *p++ ^= *ip++; + incrementCTR(ctr, s->ctrsz); + } + + if(len > 0){ + ip = q; + aes_encrypt(s->ekey, s->rounds, ctr, q); + for(eip = p + len; p < eip; ) + *p++ ^= *ip++; + incrementCTR(ctr, s->ctrsz); + } +} + +void +aesCTRdecrypt(uchar *p, int len, AESstate *s) +{ + aesCTRencrypt(p, len, s); +} + + +/* taken from sha1; TODO: verify suitability (esp. byte order) for aes */ +/* + * encodes input (ulong) into output (uchar). Assumes len is + * a multiple of 4. + */ +static void +encode(uchar *output, ulong *input, ulong len) +{ + ulong x; + uchar *e; + + for(e = output + len; output < e;) { + x = *input++; + *output++ = x >> 24; + *output++ = x >> 16; + *output++ = x >> 8; + *output++ = x; + } +} + +/* TODO: verify use of aes_encrypt here */ +AEShstate* +aes(uchar *p, ulong len, uchar *digest, AEShstate *s) +{ + uchar buf[128]; + ulong x[16]; + int i; + uchar *e; + + if(s == nil){ + s = malloc(sizeof(*s)); + if(s == nil) + return nil; + memset(s, 0, sizeof(*s)); + s->malloced = 1; + } + + if(s->seeded == 0){ + /* seed the state, these constants would look nicer big-endian */ + s->state[0] = 0x67452301; + s->state[1] = 0xefcdab89; + s->state[2] = 0x98badcfe; + s->state[3] = 0x10325476; + /* in sha1 (20-byte digest), but not md5 (16 bytes)*/ + s->state[4] = 0xc3d2e1f0; + s->seeded = 1; + } + + /* fill out the partial 64 byte block from previous calls */ + if(s->blen){ + i = 64 - s->blen; + if(len < i) + i = len; + memmove(s->buf + s->blen, p, i); + len -= i; + s->blen += i; + p += i; + if(s->blen == 64){ + /* encrypt s->buf into s->state */ + // _sha1block(s->buf, s->blen, s->state); + aes_encrypt((ulong *)s->buf, 1, s->buf, (uchar *)s->state); + s->len += s->blen; + s->blen = 0; + } + } + + /* do 64 byte blocks */ + i = len & ~0x3f; + if(i){ + /* encrypt p into s->state */ + // _sha1block(p, i, s->state); + aes_encrypt((ulong *)s->buf, 1, p, (uchar *)s->state); + s->len += i; + len -= i; + p += i; + } + + /* save the left overs if not last call */ + if(digest == 0){ + if(len){ + memmove(s->buf, p, len); + s->blen += len; + } + return s; + } + + /* + * this is the last time through, pad what's left with 0x80, + * 0's, and the input count to create a multiple of 64 bytes + */ + if(s->blen){ + p = s->buf; + len = s->blen; + } else { + memmove(buf, p, len); + p = buf; + } + s->len += len; + e = p + len; + if(len < 56) + i = 56 - len; + else + i = 120 - len; + memset(e, 0, i); + *e = 0x80; + len += i; + + /* append the count */ + x[0] = s->len>>29; /* byte-order dependent */ + x[1] = s->len<<3; + encode(p+len, x, 8); + + /* digest the last part */ + /* encrypt p into s->state */ + // _sha1block(p, len+8, s->state); + aes_encrypt((ulong *)s->buf, 1, p, (uchar *)s->state); + s->len += len+8; /* sha1: +8 */ + + /* return result and free state */ + encode((uchar *)digest, (ulong *)s->state, AESdlen); + if(s->malloced == 1) + free(s); + return nil; +} + +DigestState* +hmac_aes(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, + DigestState *s) +{ + return hmac_x(p, len, key, klen, digest, s, aes, AESdlen); +} + + + +/* + * this function has been changed for plan 9. + * Expand the cipher key into the encryption and decryption key schedules. + * + * @return the number of rounds for the given cipher key size. + */ +static int +aes_setup(ulong erk[/* 4*(Nr + 1) */], ulong drk[/* 4*(Nr + 1) */], + const uchar cipherKey[], int keyBits) +{ + int Nr, i; + + /* expand the cipher key: */ + Nr = aes_setupEnc(erk, cipherKey, keyBits); + + /* + * invert the order of the round keys and apply the inverse MixColumn + * transform to all round keys but the first and the last + */ + drk[0 ] = erk[4*Nr ]; + drk[1 ] = erk[4*Nr + 1]; + drk[2 ] = erk[4*Nr + 2]; + drk[3 ] = erk[4*Nr + 3]; + drk[4*Nr ] = erk[0 ]; + drk[4*Nr + 1] = erk[1 ]; + drk[4*Nr + 2] = erk[2 ]; + drk[4*Nr + 3] = erk[3 ]; + erk += 4 * Nr; + for (i = 1; i < Nr; i++) { + drk += 4; + erk -= 4; + drk[0] = + Td0[Te4[(erk[0] >> 24) ]] ^ + Td1[Te4[(erk[0] >> 16) & 0xff]] ^ + Td2[Te4[(erk[0] >> 8) & 0xff]] ^ + Td3[Te4[(erk[0] ) & 0xff]]; + drk[1] = + Td0[Te4[(erk[1] >> 24) ]] ^ + Td1[Te4[(erk[1] >> 16) & 0xff]] ^ + Td2[Te4[(erk[1] >> 8) & 0xff]] ^ + Td3[Te4[(erk[1] ) & 0xff]]; + drk[2] = + Td0[Te4[(erk[2] >> 24) ]] ^ + Td1[Te4[(erk[2] >> 16) & 0xff]] ^ + Td2[Te4[(erk[2] >> 8) & 0xff]] ^ + Td3[Te4[(erk[2] ) & 0xff]]; + drk[3] = + Td0[Te4[(erk[3] >> 24) ]] ^ + Td1[Te4[(erk[3] >> 16) & 0xff]] ^ + Td2[Te4[(erk[3] >> 8) & 0xff]] ^ + Td3[Te4[(erk[3] ) & 0xff]]; + } + return Nr; +} + + +/* +Te0[x] = S [x].[02, 01, 01, 03]; +Te1[x] = S [x].[03, 02, 01, 01]; +Te2[x] = S [x].[01, 03, 02, 01]; +Te3[x] = S [x].[01, 01, 03, 02]; +Te4[x] = S [x] + +Td0[x] = Si[x].[0e, 09, 0d, 0b]; +Td1[x] = Si[x].[0b, 0e, 09, 0d]; +Td2[x] = Si[x].[0d, 0b, 0e, 09]; +Td3[x] = Si[x].[09, 0d, 0b, 0e]; +Td4[x] = Si[x] +*/ + +static const u32 Te0[256] = { + 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU, + 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U, + 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU, + 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU, + 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U, + 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU, + 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU, + 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU, + 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU, + 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU, + 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U, + 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU, + 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU, + 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U, + 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU, + 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU, + 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU, + 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU, + 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU, + 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U, + 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU, + 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU, + 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU, + 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU, + 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U, + 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U, + 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U, + 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U, + 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU, + 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U, + 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U, + 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU, + 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU, + 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U, + 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U, + 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U, + 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU, + 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U, + 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU, + 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U, + 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU, + 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U, + 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U, + 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU, + 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U, + 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U, + 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U, + 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U, + 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U, + 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U, + 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U, + 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U, + 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU, + 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U, + 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U, + 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U, + 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U, + 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U, + 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U, + 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU, + 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U, + 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U, + 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U, + 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU, +}; +static const u32 Te1[256] = { + 0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU, + 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U, + 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU, + 0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U, + 0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU, + 0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U, + 0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU, + 0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U, + 0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U, + 0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU, + 0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U, + 0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U, + 0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U, + 0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU, + 0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U, + 0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U, + 0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU, + 0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U, + 0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U, + 0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U, + 0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU, + 0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU, + 0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U, + 0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU, + 0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU, + 0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U, + 0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU, + 0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U, + 0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU, + 0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U, + 0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U, + 0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U, + 0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU, + 0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U, + 0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU, + 0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U, + 0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU, + 0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U, + 0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U, + 0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU, + 0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU, + 0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU, + 0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U, + 0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U, + 0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU, + 0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U, + 0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU, + 0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U, + 0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU, + 0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U, + 0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU, + 0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU, + 0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U, + 0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU, + 0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U, + 0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU, + 0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U, + 0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U, + 0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U, + 0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU, + 0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU, + 0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U, + 0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU, + 0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U, +}; +static const u32 Te2[256] = { + 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU, + 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U, + 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU, + 0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U, + 0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU, + 0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U, + 0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU, + 0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U, + 0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U, + 0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU, + 0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U, + 0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U, + 0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U, + 0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU, + 0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U, + 0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U, + 0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU, + 0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U, + 0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U, + 0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U, + 0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU, + 0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU, + 0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U, + 0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU, + 0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU, + 0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U, + 0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU, + 0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U, + 0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU, + 0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U, + 0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U, + 0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U, + 0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU, + 0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U, + 0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU, + 0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U, + 0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU, + 0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U, + 0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U, + 0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU, + 0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU, + 0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU, + 0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U, + 0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U, + 0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU, + 0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U, + 0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU, + 0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U, + 0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU, + 0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U, + 0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU, + 0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU, + 0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U, + 0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU, + 0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U, + 0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU, + 0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U, + 0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U, + 0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U, + 0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU, + 0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU, + 0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U, + 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU, + 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U, +}; +static const u32 Te3[256] = { + + 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U, + 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U, + 0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U, + 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU, + 0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU, + 0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU, + 0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U, + 0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU, + 0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU, + 0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U, + 0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U, + 0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU, + 0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU, + 0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU, + 0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU, + 0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU, + 0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U, + 0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU, + 0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU, + 0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U, + 0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U, + 0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U, + 0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U, + 0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U, + 0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU, + 0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U, + 0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU, + 0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU, + 0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U, + 0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U, + 0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U, + 0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU, + 0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U, + 0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU, + 0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU, + 0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U, + 0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U, + 0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU, + 0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U, + 0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU, + 0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U, + 0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U, + 0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U, + 0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U, + 0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU, + 0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U, + 0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU, + 0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U, + 0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU, + 0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U, + 0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU, + 0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU, + 0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU, + 0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU, + 0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U, + 0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U, + 0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U, + 0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U, + 0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U, + 0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U, + 0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU, + 0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U, + 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU, + 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU, +}; +static const u8 Te4[256] = { + 0x63U, 0x7cU, 0x77U, 0x7bU, + 0xf2U, 0x6bU, 0x6fU, 0xc5U, + 0x30U, 0x01U, 0x67U, 0x2bU, + 0xfeU, 0xd7U, 0xabU, 0x76U, + 0xcaU, 0x82U, 0xc9U, 0x7dU, + 0xfaU, 0x59U, 0x47U, 0xf0U, + 0xadU, 0xd4U, 0xa2U, 0xafU, + 0x9cU, 0xa4U, 0x72U, 0xc0U, + 0xb7U, 0xfdU, 0x93U, 0x26U, + 0x36U, 0x3fU, 0xf7U, 0xccU, + 0x34U, 0xa5U, 0xe5U, 0xf1U, + 0x71U, 0xd8U, 0x31U, 0x15U, + 0x04U, 0xc7U, 0x23U, 0xc3U, + 0x18U, 0x96U, 0x05U, 0x9aU, + 0x07U, 0x12U, 0x80U, 0xe2U, + 0xebU, 0x27U, 0xb2U, 0x75U, + 0x09U, 0x83U, 0x2cU, 0x1aU, + 0x1bU, 0x6eU, 0x5aU, 0xa0U, + 0x52U, 0x3bU, 0xd6U, 0xb3U, + 0x29U, 0xe3U, 0x2fU, 0x84U, + 0x53U, 0xd1U, 0x00U, 0xedU, + 0x20U, 0xfcU, 0xb1U, 0x5bU, + 0x6aU, 0xcbU, 0xbeU, 0x39U, + 0x4aU, 0x4cU, 0x58U, 0xcfU, + 0xd0U, 0xefU, 0xaaU, 0xfbU, + 0x43U, 0x4dU, 0x33U, 0x85U, + 0x45U, 0xf9U, 0x02U, 0x7fU, + 0x50U, 0x3cU, 0x9fU, 0xa8U, + 0x51U, 0xa3U, 0x40U, 0x8fU, + 0x92U, 0x9dU, 0x38U, 0xf5U, + 0xbcU, 0xb6U, 0xdaU, 0x21U, + 0x10U, 0xffU, 0xf3U, 0xd2U, + 0xcdU, 0x0cU, 0x13U, 0xecU, + 0x5fU, 0x97U, 0x44U, 0x17U, + 0xc4U, 0xa7U, 0x7eU, 0x3dU, + 0x64U, 0x5dU, 0x19U, 0x73U, + 0x60U, 0x81U, 0x4fU, 0xdcU, + 0x22U, 0x2aU, 0x90U, 0x88U, + 0x46U, 0xeeU, 0xb8U, 0x14U, + 0xdeU, 0x5eU, 0x0bU, 0xdbU, + 0xe0U, 0x32U, 0x3aU, 0x0aU, + 0x49U, 0x06U, 0x24U, 0x5cU, + 0xc2U, 0xd3U, 0xacU, 0x62U, + 0x91U, 0x95U, 0xe4U, 0x79U, + 0xe7U, 0xc8U, 0x37U, 0x6dU, + 0x8dU, 0xd5U, 0x4eU, 0xa9U, + 0x6cU, 0x56U, 0xf4U, 0xeaU, + 0x65U, 0x7aU, 0xaeU, 0x08U, + 0xbaU, 0x78U, 0x25U, 0x2eU, + 0x1cU, 0xa6U, 0xb4U, 0xc6U, + 0xe8U, 0xddU, 0x74U, 0x1fU, + 0x4bU, 0xbdU, 0x8bU, 0x8aU, + 0x70U, 0x3eU, 0xb5U, 0x66U, + 0x48U, 0x03U, 0xf6U, 0x0eU, + 0x61U, 0x35U, 0x57U, 0xb9U, + 0x86U, 0xc1U, 0x1dU, 0x9eU, + 0xe1U, 0xf8U, 0x98U, 0x11U, + 0x69U, 0xd9U, 0x8eU, 0x94U, + 0x9bU, 0x1eU, 0x87U, 0xe9U, + 0xceU, 0x55U, 0x28U, 0xdfU, + 0x8cU, 0xa1U, 0x89U, 0x0dU, + 0xbfU, 0xe6U, 0x42U, 0x68U, + 0x41U, 0x99U, 0x2dU, 0x0fU, + 0xb0U, 0x54U, 0xbbU, 0x16U, +}; +static const u32 Td0[256] = { + 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U, + 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U, + 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U, + 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU, + 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U, + 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U, + 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU, + 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U, + 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU, + 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U, + 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U, + 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U, + 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U, + 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU, + 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U, + 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU, + 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U, + 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU, + 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U, + 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U, + 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U, + 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU, + 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U, + 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU, + 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U, + 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU, + 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U, + 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU, + 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU, + 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U, + 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU, + 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U, + 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU, + 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U, + 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U, + 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U, + 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU, + 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U, + 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U, + 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU, + 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U, + 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U, + 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U, + 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U, + 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U, + 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU, + 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U, + 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U, + 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U, + 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U, + 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U, + 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU, + 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU, + 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU, + 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU, + 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U, + 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U, + 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU, + 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU, + 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U, + 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU, + 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U, + 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U, + 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U, +}; +static const u32 Td1[256] = { + 0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU, + 0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U, + 0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU, + 0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U, + 0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U, + 0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U, + 0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U, + 0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U, + 0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U, + 0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU, + 0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU, + 0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU, + 0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U, + 0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU, + 0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U, + 0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U, + 0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U, + 0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU, + 0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU, + 0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U, + 0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU, + 0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U, + 0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU, + 0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU, + 0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U, + 0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U, + 0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U, + 0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU, + 0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U, + 0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU, + 0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U, + 0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U, + 0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U, + 0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU, + 0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U, + 0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U, + 0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U, + 0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U, + 0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U, + 0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U, + 0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU, + 0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU, + 0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U, + 0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU, + 0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U, + 0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU, + 0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU, + 0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U, + 0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU, + 0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U, + 0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U, + 0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U, + 0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U, + 0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U, + 0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U, + 0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U, + 0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU, + 0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U, + 0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U, + 0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU, + 0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U, + 0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U, + 0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U, + 0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U, +}; +static const u32 Td2[256] = { + 0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U, + 0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U, + 0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U, + 0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U, + 0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU, + 0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U, + 0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U, + 0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U, + 0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U, + 0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU, + 0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U, + 0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U, + 0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU, + 0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U, + 0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U, + 0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U, + 0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U, + 0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U, + 0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U, + 0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU, + + 0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U, + 0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U, + 0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U, + 0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U, + 0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U, + 0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU, + 0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU, + 0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U, + 0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU, + 0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U, + 0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU, + 0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU, + 0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU, + 0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU, + 0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U, + 0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U, + 0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U, + 0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U, + 0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U, + 0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U, + 0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U, + 0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU, + 0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU, + 0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U, + 0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U, + 0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU, + 0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU, + 0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U, + 0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U, + 0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U, + 0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U, + 0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U, + 0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U, + 0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U, + 0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU, + 0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U, + 0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U, + 0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U, + 0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U, + 0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U, + 0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U, + 0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU, + 0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U, + 0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U, +}; +static const u32 Td3[256] = { + 0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU, + 0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU, + 0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U, + 0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U, + 0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU, + 0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU, + 0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U, + 0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU, + 0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U, + 0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU, + 0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U, + 0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U, + 0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U, + 0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U, + 0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U, + 0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU, + 0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU, + 0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U, + 0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U, + 0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU, + 0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU, + 0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U, + 0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U, + 0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U, + 0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U, + 0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU, + 0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U, + 0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U, + 0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU, + 0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU, + 0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U, + 0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U, + 0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U, + 0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU, + 0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U, + 0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U, + 0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U, + 0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U, + 0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U, + 0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U, + 0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U, + 0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU, + 0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U, + 0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U, + 0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU, + 0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU, + 0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U, + 0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU, + 0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U, + 0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U, + 0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U, + 0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U, + 0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U, + 0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U, + 0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU, + 0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU, + 0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU, + 0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU, + 0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U, + 0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U, + 0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U, + 0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU, + 0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U, + 0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U, +}; +static const u8 Td4[256] = { + 0x52U, 0x09U, 0x6aU, 0xd5U, + 0x30U, 0x36U, 0xa5U, 0x38U, + 0xbfU, 0x40U, 0xa3U, 0x9eU, + 0x81U, 0xf3U, 0xd7U, 0xfbU, + 0x7cU, 0xe3U, 0x39U, 0x82U, + 0x9bU, 0x2fU, 0xffU, 0x87U, + 0x34U, 0x8eU, 0x43U, 0x44U, + 0xc4U, 0xdeU, 0xe9U, 0xcbU, + 0x54U, 0x7bU, 0x94U, 0x32U, + 0xa6U, 0xc2U, 0x23U, 0x3dU, + 0xeeU, 0x4cU, 0x95U, 0x0bU, + 0x42U, 0xfaU, 0xc3U, 0x4eU, + 0x08U, 0x2eU, 0xa1U, 0x66U, + 0x28U, 0xd9U, 0x24U, 0xb2U, + 0x76U, 0x5bU, 0xa2U, 0x49U, + 0x6dU, 0x8bU, 0xd1U, 0x25U, + 0x72U, 0xf8U, 0xf6U, 0x64U, + 0x86U, 0x68U, 0x98U, 0x16U, + 0xd4U, 0xa4U, 0x5cU, 0xccU, + 0x5dU, 0x65U, 0xb6U, 0x92U, + 0x6cU, 0x70U, 0x48U, 0x50U, + 0xfdU, 0xedU, 0xb9U, 0xdaU, + 0x5eU, 0x15U, 0x46U, 0x57U, + 0xa7U, 0x8dU, 0x9dU, 0x84U, + 0x90U, 0xd8U, 0xabU, 0x00U, + 0x8cU, 0xbcU, 0xd3U, 0x0aU, + 0xf7U, 0xe4U, 0x58U, 0x05U, + 0xb8U, 0xb3U, 0x45U, 0x06U, + 0xd0U, 0x2cU, 0x1eU, 0x8fU, + 0xcaU, 0x3fU, 0x0fU, 0x02U, + 0xc1U, 0xafU, 0xbdU, 0x03U, + 0x01U, 0x13U, 0x8aU, 0x6bU, + 0x3aU, 0x91U, 0x11U, 0x41U, + 0x4fU, 0x67U, 0xdcU, 0xeaU, + 0x97U, 0xf2U, 0xcfU, 0xceU, + 0xf0U, 0xb4U, 0xe6U, 0x73U, + 0x96U, 0xacU, 0x74U, 0x22U, + 0xe7U, 0xadU, 0x35U, 0x85U, + 0xe2U, 0xf9U, 0x37U, 0xe8U, + 0x1cU, 0x75U, 0xdfU, 0x6eU, + 0x47U, 0xf1U, 0x1aU, 0x71U, + 0x1dU, 0x29U, 0xc5U, 0x89U, + 0x6fU, 0xb7U, 0x62U, 0x0eU, + 0xaaU, 0x18U, 0xbeU, 0x1bU, + 0xfcU, 0x56U, 0x3eU, 0x4bU, + 0xc6U, 0xd2U, 0x79U, 0x20U, + 0x9aU, 0xdbU, 0xc0U, 0xfeU, + 0x78U, 0xcdU, 0x5aU, 0xf4U, + 0x1fU, 0xddU, 0xa8U, 0x33U, + 0x88U, 0x07U, 0xc7U, 0x31U, + 0xb1U, 0x12U, 0x10U, 0x59U, + 0x27U, 0x80U, 0xecU, 0x5fU, + 0x60U, 0x51U, 0x7fU, 0xa9U, + 0x19U, 0xb5U, 0x4aU, 0x0dU, + 0x2dU, 0xe5U, 0x7aU, 0x9fU, + 0x93U, 0xc9U, 0x9cU, 0xefU, + 0xa0U, 0xe0U, 0x3bU, 0x4dU, + 0xaeU, 0x2aU, 0xf5U, 0xb0U, + 0xc8U, 0xebU, 0xbbU, 0x3cU, + 0x83U, 0x53U, 0x99U, 0x61U, + 0x17U, 0x2bU, 0x04U, 0x7eU, + 0xbaU, 0x77U, 0xd6U, 0x26U, + 0xe1U, 0x69U, 0x14U, 0x63U, + 0x55U, 0x21U, 0x0cU, 0x7dU, +}; +static const u32 rcon[] = { + 0x01000000, 0x02000000, 0x04000000, 0x08000000, + 0x10000000, 0x20000000, 0x40000000, 0x80000000, + 0x1B000000, 0x36000000, + /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */ +}; + +#define GETU32(pt) (((u32)(pt)[0]<<24) ^ ((u32)(pt)[1]<<16) ^ \ + ((u32)(pt)[2]<< 8) ^ ((u32)(pt)[3])) +#define PUTU32(ct, st) { (ct)[0] = (u8)((st)>>24); (ct)[1] = (u8)((st)>>16); \ + (ct)[2] = (u8)((st)>> 8); (ct)[3] = (u8)(st); } + +/* + * Expand the cipher key into the encryption key schedule. + * + * @return the number of rounds for the given cipher key size. + */ +int +aes_setupEnc(ulong rk[/*4*(Nr + 1)*/], const uchar cipherKey[], int keyBits) +{ + int i = 0; + u32 temp; + + rk[0] = GETU32(cipherKey ); + rk[1] = GETU32(cipherKey + 4); + rk[2] = GETU32(cipherKey + 8); + rk[3] = GETU32(cipherKey + 12); + if (keyBits == 128) { + for (;;) { + temp = rk[3]; + rk[4] = rk[0] ^ + (Te4[(temp >> 16) & 0xff] << 24) ^ + (Te4[(temp >> 8) & 0xff] << 16) ^ + (Te4[(temp ) & 0xff] << 8) ^ + (Te4[(temp >> 24) ] ) ^ + rcon[i]; + rk[5] = rk[1] ^ rk[4]; + rk[6] = rk[2] ^ rk[5]; + rk[7] = rk[3] ^ rk[6]; + if (++i == 10) { + return 10; + } + rk += 4; + } + } + rk[4] = GETU32(cipherKey + 16); + rk[5] = GETU32(cipherKey + 20); + if (keyBits == 192) { + for (;;) { + temp = rk[ 5]; + rk[ 6] = rk[ 0] ^ + (Te4[(temp >> 16) & 0xff] << 24) ^ + (Te4[(temp >> 8) & 0xff] << 16) ^ + (Te4[(temp ) & 0xff] << 8) ^ + (Te4[(temp >> 24) ] ) ^ + rcon[i]; + rk[ 7] = rk[ 1] ^ rk[ 6]; + rk[ 8] = rk[ 2] ^ rk[ 7]; + rk[ 9] = rk[ 3] ^ rk[ 8]; + if (++i == 8) { + return 12; + } + rk[10] = rk[ 4] ^ rk[ 9]; + rk[11] = rk[ 5] ^ rk[10]; + rk += 6; + } + } + rk[6] = GETU32(cipherKey + 24); + rk[7] = GETU32(cipherKey + 28); + if (keyBits == 256) { + for (;;) { + temp = rk[ 7]; + rk[ 8] = rk[ 0] ^ + (Te4[(temp >> 16) & 0xff] << 24) ^ + (Te4[(temp >> 8) & 0xff] << 16) ^ + (Te4[(temp ) & 0xff] << 8) ^ + (Te4[(temp >> 24) ] ) ^ + rcon[i]; + rk[ 9] = rk[ 1] ^ rk[ 8]; + rk[10] = rk[ 2] ^ rk[ 9]; + rk[11] = rk[ 3] ^ rk[10]; + if (++i == 7) { + return 14; + } + temp = rk[11]; + rk[12] = rk[ 4] ^ + (Te4[(temp >> 24) ] << 24) ^ + (Te4[(temp >> 16) & 0xff] << 16) ^ + (Te4[(temp >> 8) & 0xff] << 8) ^ + (Te4[(temp ) & 0xff] ); + rk[13] = rk[ 5] ^ rk[12]; + rk[14] = rk[ 6] ^ rk[13]; + rk[15] = rk[ 7] ^ rk[14]; + rk += 8; + } + } + return 0; +} + +/** + * Expand the cipher key into the decryption key schedule. + * + * @return the number of rounds for the given cipher key size. + */ +static int +aes_setupDec(ulong rk[/* 4*(Nr + 1) */], const uchar cipherKey[], int keyBits) +{ + int Nr, i, j; + ulong temp; + + /* expand the cipher key: */ + Nr = aes_setupEnc(rk, cipherKey, keyBits); + /* invert the order of the round keys: */ + for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) { + temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp; + temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp; + temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp; + temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp; + } + /* + * apply the inverse MixColumn transform to all round keys + * but the first and the last: + */ + for (i = 1; i < Nr; i++) { + rk += 4; + rk[0] = + Td0[Te4[(rk[0] >> 24) ]] ^ + Td1[Te4[(rk[0] >> 16) & 0xff]] ^ + Td2[Te4[(rk[0] >> 8) & 0xff]] ^ + Td3[Te4[(rk[0] ) & 0xff]]; + rk[1] = + Td0[Te4[(rk[1] >> 24) ]] ^ + Td1[Te4[(rk[1] >> 16) & 0xff]] ^ + Td2[Te4[(rk[1] >> 8) & 0xff]] ^ + Td3[Te4[(rk[1] ) & 0xff]]; + rk[2] = + Td0[Te4[(rk[2] >> 24) ]] ^ + Td1[Te4[(rk[2] >> 16) & 0xff]] ^ + Td2[Te4[(rk[2] >> 8) & 0xff]] ^ + Td3[Te4[(rk[2] ) & 0xff]]; + rk[3] = + Td0[Te4[(rk[3] >> 24) ]] ^ + Td1[Te4[(rk[3] >> 16) & 0xff]] ^ + Td2[Te4[(rk[3] >> 8) & 0xff]] ^ + Td3[Te4[(rk[3] ) & 0xff]]; + } + return Nr; +} + +/* using round keys in rk, perform Nr rounds of encrypting pt into ct */ +void +aes_encrypt(const ulong rk[/* 4*(Nr + 1) */], int Nr, const uchar pt[16], + uchar ct[16]) +{ + ulong s0, s1, s2, s3, t0, t1, t2, t3; +#ifndef FULL_UNROLL + int r; +#endif /* ?FULL_UNROLL */ + + /* + * map byte array block to cipher state + * and add initial round key: + */ + s0 = GETU32(pt ) ^ rk[0]; + s1 = GETU32(pt + 4) ^ rk[1]; + s2 = GETU32(pt + 8) ^ rk[2]; + s3 = GETU32(pt + 12) ^ rk[3]; +#ifdef FULL_UNROLL + /* round 1: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7]; + /* round 2: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11]; + /* round 3: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15]; + /* round 4: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19]; + /* round 5: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23]; + /* round 6: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27]; + /* round 7: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31]; + /* round 8: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35]; + /* round 9: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39]; + if (Nr > 10) { + /* round 10: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43]; + /* round 11: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47]; + if (Nr > 12) { + /* round 12: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51]; + /* round 13: */ + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55]; + } + } + rk += Nr << 2; +#else /* !FULL_UNROLL */ + /* + * Nr - 1 full rounds: + */ + r = Nr >> 1; + for (;;) { + t0 = + Te0[(s0 >> 24) ] ^ + Te1[(s1 >> 16) & 0xff] ^ + Te2[(s2 >> 8) & 0xff] ^ + Te3[(s3 ) & 0xff] ^ + rk[4]; + t1 = + Te0[(s1 >> 24) ] ^ + Te1[(s2 >> 16) & 0xff] ^ + Te2[(s3 >> 8) & 0xff] ^ + Te3[(s0 ) & 0xff] ^ + rk[5]; + t2 = + Te0[(s2 >> 24) ] ^ + Te1[(s3 >> 16) & 0xff] ^ + Te2[(s0 >> 8) & 0xff] ^ + Te3[(s1 ) & 0xff] ^ + rk[6]; + t3 = + Te0[(s3 >> 24) ] ^ + Te1[(s0 >> 16) & 0xff] ^ + Te2[(s1 >> 8) & 0xff] ^ + Te3[(s2 ) & 0xff] ^ + rk[7]; + + rk += 8; + if (--r == 0) + break; + + s0 = + Te0[(t0 >> 24) ] ^ + Te1[(t1 >> 16) & 0xff] ^ + Te2[(t2 >> 8) & 0xff] ^ + Te3[(t3 ) & 0xff] ^ + rk[0]; + s1 = + Te0[(t1 >> 24) ] ^ + Te1[(t2 >> 16) & 0xff] ^ + Te2[(t3 >> 8) & 0xff] ^ + Te3[(t0 ) & 0xff] ^ + rk[1]; + s2 = + Te0[(t2 >> 24) ] ^ + Te1[(t3 >> 16) & 0xff] ^ + Te2[(t0 >> 8) & 0xff] ^ + Te3[(t1 ) & 0xff] ^ + rk[2]; + s3 = + Te0[(t3 >> 24) ] ^ + Te1[(t0 >> 16) & 0xff] ^ + Te2[(t1 >> 8) & 0xff] ^ + Te3[(t2 ) & 0xff] ^ + rk[3]; + } +#endif /* ?FULL_UNROLL */ + /* + * apply last round and + * map cipher state to byte array block: + */ + s0 = + (Te4[(t0 >> 24) ] << 24) ^ + (Te4[(t1 >> 16) & 0xff] << 16) ^ + (Te4[(t2 >> 8) & 0xff] << 8) ^ + (Te4[(t3 ) & 0xff] ) ^ + rk[0]; + PUTU32(ct , s0); + s1 = + (Te4[(t1 >> 24) ] << 24) ^ + (Te4[(t2 >> 16) & 0xff] << 16) ^ + (Te4[(t3 >> 8) & 0xff] << 8) ^ + (Te4[(t0 ) & 0xff] ) ^ + rk[1]; + PUTU32(ct + 4, s1); + s2 = + (Te4[(t2 >> 24) ] << 24) ^ + (Te4[(t3 >> 16) & 0xff] << 16) ^ + (Te4[(t0 >> 8) & 0xff] << 8) ^ + (Te4[(t1 ) & 0xff] ) ^ + rk[2]; + PUTU32(ct + 8, s2); + s3 = + (Te4[(t3 >> 24) ] << 24) ^ + (Te4[(t0 >> 16) & 0xff] << 16) ^ + (Te4[(t1 >> 8) & 0xff] << 8) ^ + (Te4[(t2 ) & 0xff] ) ^ + rk[3]; + PUTU32(ct + 12, s3); +} + +void +aes_decrypt(const ulong rk[/* 4*(Nr + 1) */], int Nr, const uchar ct[16], + uchar pt[16]) +{ + ulong s0, s1, s2, s3, t0, t1, t2, t3; +#ifndef FULL_UNROLL + int r; +#endif /* ?FULL_UNROLL */ + + /* + * map byte array block to cipher state + * and add initial round key: + */ + s0 = GETU32(ct ) ^ rk[0]; + s1 = GETU32(ct + 4) ^ rk[1]; + s2 = GETU32(ct + 8) ^ rk[2]; + s3 = GETU32(ct + 12) ^ rk[3]; +#ifdef FULL_UNROLL + /* round 1: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7]; + /* round 2: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11]; + /* round 3: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15]; + /* round 4: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19]; + /* round 5: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23]; + /* round 6: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27]; + /* round 7: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31]; + /* round 8: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35]; + /* round 9: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39]; + if (Nr > 10) { + /* round 10: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43]; + /* round 11: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47]; + if (Nr > 12) { + /* round 12: */ + s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48]; + s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49]; + s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50]; + s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51]; + /* round 13: */ + t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52]; + t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53]; + t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54]; + t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55]; + } + } + rk += Nr << 2; +#else /* !FULL_UNROLL */ + /* + * Nr - 1 full rounds: + */ + r = Nr >> 1; + for (;;) { + t0 = + Td0[(s0 >> 24) ] ^ + Td1[(s3 >> 16) & 0xff] ^ + Td2[(s2 >> 8) & 0xff] ^ + Td3[(s1 ) & 0xff] ^ + rk[4]; + t1 = + Td0[(s1 >> 24) ] ^ + Td1[(s0 >> 16) & 0xff] ^ + Td2[(s3 >> 8) & 0xff] ^ + Td3[(s2 ) & 0xff] ^ + rk[5]; + t2 = + Td0[(s2 >> 24) ] ^ + Td1[(s1 >> 16) & 0xff] ^ + Td2[(s0 >> 8) & 0xff] ^ + Td3[(s3 ) & 0xff] ^ + rk[6]; + t3 = + Td0[(s3 >> 24) ] ^ + Td1[(s2 >> 16) & 0xff] ^ + Td2[(s1 >> 8) & 0xff] ^ + Td3[(s0 ) & 0xff] ^ + rk[7]; + + rk += 8; + if (--r == 0) + break; + + s0 = + Td0[(t0 >> 24) ] ^ + Td1[(t3 >> 16) & 0xff] ^ + Td2[(t2 >> 8) & 0xff] ^ + Td3[(t1 ) & 0xff] ^ + rk[0]; + s1 = + Td0[(t1 >> 24) ] ^ + Td1[(t0 >> 16) & 0xff] ^ + Td2[(t3 >> 8) & 0xff] ^ + Td3[(t2 ) & 0xff] ^ + rk[1]; + s2 = + Td0[(t2 >> 24) ] ^ + Td1[(t1 >> 16) & 0xff] ^ + Td2[(t0 >> 8) & 0xff] ^ + Td3[(t3 ) & 0xff] ^ + rk[2]; + s3 = + Td0[(t3 >> 24) ] ^ + Td1[(t2 >> 16) & 0xff] ^ + Td2[(t1 >> 8) & 0xff] ^ + Td3[(t0 ) & 0xff] ^ + rk[3]; + } +#endif /* ?FULL_UNROLL */ + /* + * apply last round and + * map cipher state to byte array block: + */ + s0 = + (Td4[(t0 >> 24) ] << 24) ^ + (Td4[(t3 >> 16) & 0xff] << 16) ^ + (Td4[(t2 >> 8) & 0xff] << 8) ^ + (Td4[(t1 ) & 0xff] ) ^ + rk[0]; + PUTU32(pt , s0); + s1 = + (Td4[(t1 >> 24) ] << 24) ^ + (Td4[(t0 >> 16) & 0xff] << 16) ^ + (Td4[(t3 >> 8) & 0xff] << 8) ^ + (Td4[(t2 ) & 0xff] ) ^ + rk[1]; + PUTU32(pt + 4, s1); + s2 = + (Td4[(t2 >> 24) ] << 24) ^ + (Td4[(t1 >> 16) & 0xff] << 16) ^ + (Td4[(t0 >> 8) & 0xff] << 8) ^ + (Td4[(t3 ) & 0xff] ) ^ + rk[2]; + PUTU32(pt + 8, s2); + s3 = + (Td4[(t3 >> 24) ] << 24) ^ + (Td4[(t2 >> 16) & 0xff] << 16) ^ + (Td4[(t1 >> 8) & 0xff] << 8) ^ + (Td4[(t0 ) & 0xff] ) ^ + rk[3]; + PUTU32(pt + 12, s3); +} + +#ifdef INTERMEDIATE_VALUE_KAT + +static void +aes_encryptRound(const u32 rk[/* 4*(Nr + 1) */], int Nr, u8 block[16], + int rounds) +{ + int r; + u32 s0, s1, s2, s3, t0, t1, t2, t3; + + /* + * map byte array block to cipher state + * and add initial round key: + */ + s0 = GETU32(block ) ^ rk[0]; + s1 = GETU32(block + 4) ^ rk[1]; + s2 = GETU32(block + 8) ^ rk[2]; + s3 = GETU32(block + 12) ^ rk[3]; + rk += 4; + + /* + * Nr - 1 full rounds: + */ + for (r = (rounds < Nr ? rounds : Nr - 1); r > 0; r--) { + t0 = + Te0[(s0 >> 24) ] ^ + Te1[(s1 >> 16) & 0xff] ^ + Te2[(s2 >> 8) & 0xff] ^ + Te3[(s3 ) & 0xff] ^ + rk[0]; + t1 = + Te0[(s1 >> 24) ] ^ + Te1[(s2 >> 16) & 0xff] ^ + Te2[(s3 >> 8) & 0xff] ^ + Te3[(s0 ) & 0xff] ^ + rk[1]; + t2 = + Te0[(s2 >> 24) ] ^ + Te1[(s3 >> 16) & 0xff] ^ + Te2[(s0 >> 8) & 0xff] ^ + Te3[(s1 ) & 0xff] ^ + rk[2]; + t3 = + Te0[(s3 >> 24) ] ^ + Te1[(s0 >> 16) & 0xff] ^ + Te2[(s1 >> 8) & 0xff] ^ + Te3[(s2 ) & 0xff] ^ + rk[3]; + s0 = t0; + s1 = t1; + s2 = t2; + s3 = t3; + rk += 4; + } + + /* + * apply last round and + * map cipher state to byte array block: + */ + if (rounds == Nr) { + t0 = + (Te4[(s0 >> 24) ] << 24) ^ + (Te4[(s1 >> 16) & 0xff] << 16) ^ + (Te4[(s2 >> 8) & 0xff] << 8) ^ + (Te4[(s3 ) & 0xff] ) ^ + rk[0]; + t1 = + (Te4[(s1 >> 24) ] << 24) ^ + (Te4[(s2 >> 16) & 0xff] << 16) ^ + (Te4[(s3 >> 8) & 0xff] << 8) ^ + (Te4[(s0 ) & 0xff] ) ^ + rk[1]; + t2 = + (Te4[(s2 >> 24) ] << 24) ^ + (Te4[(s3 >> 16) & 0xff] << 16) ^ + (Te4[(s0 >> 8) & 0xff] << 8) ^ + (Te4[(s1 ) & 0xff] ) ^ + rk[2]; + t3 = + (Te4[(s3 >> 24) ] << 24) ^ + (Te4[(s0 >> 16) & 0xff] << 16) ^ + (Te4[(s1 >> 8) & 0xff] << 8) ^ + (Te4[(s2 ) & 0xff] ) ^ + rk[3]; + s0 = t0; + s1 = t1; + s2 = t2; + s3 = t3; + } + + PUTU32(block , s0); + PUTU32(block + 4, s1); + PUTU32(block + 8, s2); + PUTU32(block + 12, s3); +} + +static void +aes_decryptRound(const u32 rk[/* 4*(Nr + 1) */], int Nr, u8 block[16], + int rounds) +{ + int r; + u32 s0, s1, s2, s3, t0, t1, t2, t3; + + /* + * map byte array block to cipher state + * and add initial round key: + */ + s0 = GETU32(block ) ^ rk[0]; + s1 = GETU32(block + 4) ^ rk[1]; + s2 = GETU32(block + 8) ^ rk[2]; + s3 = GETU32(block + 12) ^ rk[3]; + rk += 4; + + /* + * Nr - 1 full rounds: + */ + for (r = (rounds < Nr ? rounds : Nr) - 1; r > 0; r--) { + t0 = + Td0[(s0 >> 24) ] ^ + Td1[(s3 >> 16) & 0xff] ^ + Td2[(s2 >> 8) & 0xff] ^ + Td3[(s1 ) & 0xff] ^ + rk[0]; + t1 = + Td0[(s1 >> 24) ] ^ + Td1[(s0 >> 16) & 0xff] ^ + Td2[(s3 >> 8) & 0xff] ^ + Td3[(s2 ) & 0xff] ^ + rk[1]; + t2 = + Td0[(s2 >> 24) ] ^ + Td1[(s1 >> 16) & 0xff] ^ + Td2[(s0 >> 8) & 0xff] ^ + Td3[(s3 ) & 0xff] ^ + rk[2]; + t3 = + Td0[(s3 >> 24) ] ^ + Td1[(s2 >> 16) & 0xff] ^ + Td2[(s1 >> 8) & 0xff] ^ + Td3[(s0 ) & 0xff] ^ + rk[3]; + + s0 = t0; + s1 = t1; + s2 = t2; + s3 = t3; + rk += 4; + } + + /* + * complete the last round and + * map cipher state to byte array block: + */ + t0 = + (Td4[(s0 >> 24) ] << 24) ^ + (Td4[(s3 >> 16) & 0xff] << 16) ^ + (Td4[(s2 >> 8) & 0xff] << 8) ^ + (Td4[(s1 ) & 0xff] ); + t1 = + (Td4[(s1 >> 24) ] << 24) ^ + (Td4[(s0 >> 16) & 0xff] << 16) ^ + (Td4[(s3 >> 8) & 0xff] << 8) ^ + (Td4[(s2 ) & 0xff] ); + t2 = + (Td4[(s2 >> 24) ] << 24) ^ + (Td4[(s1 >> 16) & 0xff] << 16) ^ + (Td4[(s0 >> 8) & 0xff] << 8) ^ + (Td4[(s3 ) & 0xff] ); + t3 = + (Td4[(s3 >> 24) ] << 24) ^ + (Td4[(s2 >> 16) & 0xff] << 16) ^ + (Td4[(s1 >> 8) & 0xff] << 8) ^ + (Td4[(s0 ) & 0xff] ); + + if (rounds == Nr) { + t0 ^= rk[0]; + t1 ^= rk[1]; + t2 ^= rk[2]; + t3 ^= rk[3]; + } + + PUTU32(block , t0); + PUTU32(block + 4, t1); + PUTU32(block + 8, t2); + PUTU32(block + 12, t3); +} + +#endif /* INTERMEDIATE_VALUE_KAT */ diff --git a/sys/src/libsec/port/blowfish.c b/sys/src/libsec/port/blowfish.c new file mode 100755 index 000000000..5dcc677c7 --- /dev/null +++ b/sys/src/libsec/port/blowfish.c @@ -0,0 +1,579 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// Blowfish block cipher. See: +// Lecture Notes in Computer Science 809 +// Fast Software Encryption +// Cambridge Security Workshop, Cambridge, England (1993) + +static u32int sbox[1024]; +static u32int pbox[BFrounds+2]; + +static void bfencrypt(u32int *, BFstate *); +static void bfdecrypt(u32int *, BFstate *); + +void +setupBFstate(BFstate *s, uchar key[], int keybytes, uchar *ivec) +{ + int i, j; + u32int n, buf[2]; + + memset(s, 0, sizeof(*s)); + memset(buf, 0, sizeof buf); + + if (keybytes > sizeof(s->key)) + keybytes = sizeof(s->key); + + memmove(s->key, key, keybytes); + + if (ivec != nil) + memmove(s->ivec, ivec, sizeof(s->ivec)); + else + memset(s->ivec, 0, sizeof(s->ivec)); + + memmove(s->pbox, pbox, sizeof(pbox)); + memmove(s->sbox, sbox, sizeof(sbox)); + + if (keybytes > 4*(BFrounds + 2)) + keybytes = 4*(BFrounds + 2); + + for(i=j=0; i < BFrounds+2; i++) { + n = key[j]; + j = (j+1) % keybytes; + + n <<= 8; + n |= key[j]; + j = (j+1) % keybytes; + + n <<= 8; + n |= key[j]; + j = (j+1) % keybytes; + + n <<= 8; + n |= key[j]; + j = (j+1) % keybytes; + + s->pbox[i] ^= n; + } + + for(i=0; i < BFrounds+2; i += 2) { + bfencrypt(buf, s); + s->pbox[i] = buf[0]; + s->pbox[i+1] = buf[1]; + } + + for(i=0; i < 1024; i += 2) { + bfencrypt(buf, s); + s->sbox[i] = buf[0]; + s->sbox[i+1] = buf[1]; + } + + s->setup = 0xcafebabe; +} + +void +bfCBCencrypt(uchar *buf, int n, BFstate *s) +{ + int i; + uchar *p; + u32int bo[2], bi[2], b; + + assert((n & 7) == 0); + + bo[0] = s->ivec[0] | ((u32int) s->ivec[1]<<8) | ((u32int)s->ivec[2]<<16) | ((u32int)s->ivec[3]<<24); + bo[1] = s->ivec[4] | ((u32int) s->ivec[5]<<8) | ((u32int)s->ivec[6]<<16) | ((u32int)s->ivec[7]<<24); + + for(i=0; i < n; i += 8, buf += 8) { + bi[0] = buf[0] | ((u32int) buf[1]<<8) | ((u32int)buf[2]<<16) | ((u32int)buf[3]<<24); + bi[1] = buf[4] | ((u32int) buf[5]<<8) | ((u32int)buf[6]<<16) | ((u32int)buf[7]<<24); + + bi[0] ^= bo[0]; + bi[1] ^= bo[1]; + + bfencrypt(bi, s); + + bo[0] = bi[0]; + bo[1] = bi[1]; + + p = buf; + b = bo[0]; + *p++ = b; + b >>= 8; + *p++ = b; + b >>= 8; + *p++ = b; + b >>= 8; + *p++ = b; + + b = bo[1]; + *p++ = b; + b >>= 8; + *p++ = b; + b >>= 8; + *p++ = b; + b >>= 8; + *p = b; + } + + s->ivec[7] = bo[1] >> 24; + s->ivec[6] = bo[1] >> 16; + s->ivec[5] = bo[1] >> 8; + s->ivec[4] = bo[1]; + + s->ivec[3] = bo[0] >> 24; + s->ivec[2] = bo[0] >> 16; + s->ivec[1] = bo[0] >> 8; + s->ivec[0] = bo[0]; + + return; +} + +void +bfCBCdecrypt(uchar *buf, int n, BFstate *s) +{ + int i; + uchar *p; + u32int b, bo[2], bi[2], xr[2]; + + assert((n & 7) == 0); + + bo[0] = s->ivec[0] | ((u32int) s->ivec[1]<<8) | ((u32int)s->ivec[2]<<16) | ((u32int)s->ivec[3]<<24); + bo[1] = s->ivec[4] | ((u32int) s->ivec[5]<<8) | ((u32int)s->ivec[6]<<16) | ((u32int)s->ivec[7]<<24); + + for(i=0; i < n; i += 8, buf += 8) { + bi[0] = buf[0] | ((u32int) buf[1]<<8) | ((u32int)buf[2]<<16) | ((u32int)buf[3]<<24); + bi[1] = buf[4] | ((u32int) buf[5]<<8) | ((u32int)buf[6]<<16) | ((u32int)buf[7]<<24); + + xr[0] = bi[0]; + xr[1] = bi[1]; + + bfdecrypt(bi, s); + + bo[0] ^= bi[0]; + bo[1] ^= bi[1]; + + p = buf; + b = bo[0]; + *p++ = b; + b >>= 8; + *p++ = b; + b >>= 8; + *p++ = b; + b >>= 8; + *p++ = b; + + b = bo[1]; + *p++ = b; + b >>= 8; + *p++ = b; + b >>= 8; + *p++ = b; + b >>= 8; + *p = b; + + bo[0] = xr[0]; + bo[1] = xr[1]; + } + + s->ivec[7] = bo[1] >> 24; + s->ivec[6] = bo[1] >> 16; + s->ivec[5] = bo[1] >> 8; + s->ivec[4] = bo[1]; + + s->ivec[3] = bo[0] >> 24; + s->ivec[2] = bo[0] >> 16; + s->ivec[1] = bo[0] >> 8; + s->ivec[0] = bo[0]; + + return; +} + +void +bfECBencrypt(uchar *buf, int n, BFstate *s) +{ + int i; + u32int b[2]; + + for(i=0; i < n; i += 8, buf += 8) { + b[0] = buf[0] | ((u32int) buf[1]<<8) | ((u32int)buf[2]<<16) | ((u32int)buf[3]<<24); + b[1] = buf[4] | ((u32int) buf[5]<<8) | ((u32int)buf[6]<<16) | ((u32int)buf[7]<<24); + + bfencrypt(b, s); + + buf[7] = b[1] >> 24; + buf[6] = b[1] >> 16; + buf[5] = b[1] >> 8; + buf[4] = b[1]; + + buf[3] = b[0] >> 24; + buf[2] = b[0] >> 16; + buf[1] = b[0] >> 8; + buf[0] = b[0]; + } + + return; +} + +void +bfECBdecrypt(uchar *buf, int n, BFstate *s) +{ + int i; + u32int b[2]; + + for(i=0; i < n; i += 8, buf += 8) { + b[0] = buf[0] | ((u32int) buf[1]<<8) | ((u32int)buf[2]<<16) | ((u32int)buf[3]<<24); + b[1] = buf[4] | ((u32int) buf[5]<<8) | ((u32int)buf[6]<<16) | ((u32int)buf[7]<<24); + + bfdecrypt(b, s); + + buf[7] = b[1] >> 24; + buf[6] = b[1] >> 16; + buf[5] = b[1] >> 8; + buf[4] = b[1]; + + buf[3] = b[0] >> 24; + buf[2] = b[0] >> 16; + buf[1] = b[0] >> 8; + buf[0] = b[0]; + } + + return; +} + +static void +bfencrypt(u32int *b, BFstate *s) +{ + int i; + u32int l, r; + u32int *pb, *sb; + + l = b[0]; + r = b[1]; + + pb = s->pbox; + sb = s->sbox; + + l ^= pb[0]; + + for(i=1; i<16; i += 2) { + r ^= pb[i]; + r ^= ( (sb[ (uchar) (l>>24)] + sb[256 + ((uchar) (l>>16))]) ^ + sb[512 + ((uchar) (l>>8))]) + sb[768 +((uchar) l)]; + + l ^= pb[i+1]; + l ^= ( (sb[ (uchar) (r>>24)] + sb[256 + ((uchar) (r>>16))]) ^ + sb[512 + ((uchar) (r>>8))]) + sb[768 +((uchar) r)]; + } + + r ^= pb[BFrounds+1]; + + /* sic */ + b[0] = r; + b[1] = l; + + return; +} + +static void +bfdecrypt(u32int *b, BFstate *s) +{ + int i; + u32int l, r; + u32int *pb, *sb; + + l = b[0]; + r = b[1]; + + pb = s->pbox; + sb = s->sbox; + + l ^= pb[BFrounds+1]; + + for(i=16; i > 0; i -= 2) { + r ^= pb[i]; + r ^= ( (sb[ (uchar) (l>>24)] + sb[256 + ((uchar) (l>>16))]) ^ + sb[512 + ((uchar) (l>>8))]) + sb[768 +((uchar) l)]; + + l ^= pb[i-1]; + l ^= ( (sb[ (uchar) (r>>24)] + sb[256 + ((uchar) (r>>16))]) ^ + sb[512 + ((uchar) (r>>8))]) + sb[768 +((uchar) r)]; + } + + r ^= pb[0]; + + /* sic */ + b[0] = r; + b[1] = l; + + return; +} + +static u32int pbox[BFrounds+2] = { + 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, + 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, + 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, + 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, + 0x9216d5d9, 0x8979fb1b +}; + +static u32int sbox[1024] = { + 0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, + 0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, + 0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L, + 0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL, + 0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL, + 0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, + 0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL, + 0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL, + 0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L, + 0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L, + 0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, + 0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, + 0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL, + 0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L, + 0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L, + 0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, + 0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L, + 0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L, + 0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL, + 0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L, + 0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, + 0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, + 0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L, + 0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL, + 0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L, + 0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, + 0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, + 0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L, + 0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL, + 0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L, + 0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, + 0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, + 0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L, + 0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL, + 0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L, + 0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, + 0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, + 0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L, + 0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL, + 0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L, + 0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, + 0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, + 0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L, + 0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L, + 0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L, + 0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, + 0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, + 0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL, + 0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL, + 0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L, + 0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, + 0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, + 0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L, + 0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL, + 0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L, + 0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, + 0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, + 0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L, + 0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L, + 0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L, + 0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, + 0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, + 0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L, + 0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL, + 0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L, + 0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, + 0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, + 0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL, + 0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L, + 0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L, + 0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, + 0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, + 0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L, + 0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L, + 0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL, + 0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, + 0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L, + 0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L, + 0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L, + 0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L, + 0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, + 0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL, + 0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL, + 0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L, + 0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL, + 0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, + 0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, + 0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL, + 0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL, + 0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L, + 0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, + 0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, + 0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL, + 0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL, + 0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L, + 0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, + 0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, + 0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L, + 0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L, + 0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L, + 0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, + 0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, + 0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L, + 0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL, + 0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L, + 0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, + 0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L, + 0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L, + 0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L, + 0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L, + 0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, + 0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, + 0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L, + 0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L, + 0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L, + 0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, + 0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, + 0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L, + 0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L, + 0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L, + 0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, + 0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, + 0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L, + 0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL, + 0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L, + 0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, + 0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, + 0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L, + 0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L, + 0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L, + 0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, + 0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L, + 0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L, + 0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L, + 0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL, + 0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, + 0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, + 0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L, + 0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L, + 0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL, + 0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, + 0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, + 0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L, + 0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL, + 0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L, + 0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, + 0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L, + 0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL, + 0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L, + 0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L, + 0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, + 0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, + 0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L, + 0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L, + 0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L, + 0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, + 0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, + 0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL, + 0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L, + 0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL, + 0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, + 0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, + 0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL, + 0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL, + 0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L, + 0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, + 0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, + 0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL, + 0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL, + 0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL, + 0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, + 0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L, + 0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L, + 0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L, + 0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L, + 0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, + 0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, + 0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L, + 0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L, + 0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L, + 0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, + 0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, + 0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L, + 0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L, + 0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L, + 0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, + 0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, + 0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL, + 0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L, + 0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL, + 0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, + 0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L, + 0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL, + 0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL, + 0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL, + 0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, + 0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, + 0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L, + 0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L, + 0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L, + 0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, + 0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, + 0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L, + 0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L, + 0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L, + 0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, + 0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, + 0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL, + 0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL, + 0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L, + 0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, + 0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, + 0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL, + 0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L, + 0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL, + 0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, + 0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L, + 0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L, + 0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L, + 0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L, + 0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, + 0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, + 0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L, + 0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L, + 0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L, + 0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, + 0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, + 0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L, + 0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L, + 0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL, + 0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, + 0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, + 0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L, + 0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL, + 0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL, + 0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, + 0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, + 0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L, + 0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L, + 0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL, + 0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, + 0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, + 0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL, + 0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L, + 0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L, + 0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, + 0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L, + 0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL, + 0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L, + 0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL, + 0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, + 0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L, + 0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL, + 0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L, + 0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL, + 0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L, +}; + + diff --git a/sys/src/libsec/port/decodepem.c b/sys/src/libsec/port/decodepem.c new file mode 100755 index 000000000..d732b0a34 --- /dev/null +++ b/sys/src/libsec/port/decodepem.c @@ -0,0 +1,89 @@ +#include <u.h> +#include <libc.h> +#include <mp.h> +#include <libsec.h> + +#define STRLEN(s) (sizeof(s)-1) + +uchar* +decodePEM(char *s, char *type, int *len, char **new_s) +{ + uchar *d; + char *t, *e, *tt; + int n; + + *len = 0; + + /* + * find the correct section of the file, stripping garbage at the beginning and end. + * the data is delimited by -----BEGIN <type>-----\n and -----END <type>-----\n + */ + n = strlen(type); + e = strchr(s, '\0'); + for(t = s; t != nil && t < e; ){ + tt = t; + t = strchr(tt, '\n'); + if(t != nil) + t++; + if(strncmp(tt, "-----BEGIN ", STRLEN("-----BEGIN ")) == 0 + && strncmp(&tt[STRLEN("-----BEGIN ")], type, n) == 0 + && strncmp(&tt[STRLEN("-----BEGIN ")+n], "-----\n", STRLEN("-----\n")) == 0) + break; + } + for(tt = t; tt != nil && tt < e; tt++){ + if(strncmp(tt, "-----END ", STRLEN("-----END ")) == 0 + && strncmp(&tt[STRLEN("-----END ")], type, n) == 0 + && strncmp(&tt[STRLEN("-----END ")+n], "-----\n", STRLEN("-----\n")) == 0) + break; + tt = strchr(tt, '\n'); + if(tt == nil) + break; + } + if(tt == nil || tt == e){ + werrstr("incorrect .pem file format: bad header or trailer"); + return nil; + } + + if(new_s) + *new_s = tt+1; + n = ((tt - t) * 6 + 7) / 8; + d = malloc(n); + if(d == nil){ + werrstr("out of memory"); + return nil; + } + n = dec64(d, n, t, tt - t); + if(n < 0){ + free(d); + werrstr("incorrect .pem file format: bad base64 encoded data"); + return nil; + } + *len = n; + return d; +} + +PEMChain* +decodepemchain(char *s, char *type) +{ + PEMChain *first = nil, *last = nil, *chp; + uchar *d; + char *e; + int n; + + e = strchr(s, '\0'); + while (s < e) { + d = decodePEM(s, type, &n, &s); + if(d == nil) + break; + chp = malloc(sizeof(PEMChain)); + chp->next = nil; + chp->pem = d; + chp->pemlen = n; + if (first == nil) + first = chp; + else + last->next = chp; + last = chp; + } + return first; +} diff --git a/sys/src/libsec/port/des.c b/sys/src/libsec/port/des.c new file mode 100755 index 000000000..c54541c58 --- /dev/null +++ b/sys/src/libsec/port/des.c @@ -0,0 +1,480 @@ +#include "os.h" +#include <libsec.h> + +/* + * integrated sbox & p perm + */ +static u32int spbox[] = { + +0x00808200,0x00000000,0x00008000,0x00808202,0x00808002,0x00008202,0x00000002,0x00008000, +0x00000200,0x00808200,0x00808202,0x00000200,0x00800202,0x00808002,0x00800000,0x00000002, +0x00000202,0x00800200,0x00800200,0x00008200,0x00008200,0x00808000,0x00808000,0x00800202, +0x00008002,0x00800002,0x00800002,0x00008002,0x00000000,0x00000202,0x00008202,0x00800000, +0x00008000,0x00808202,0x00000002,0x00808000,0x00808200,0x00800000,0x00800000,0x00000200, +0x00808002,0x00008000,0x00008200,0x00800002,0x00000200,0x00000002,0x00800202,0x00008202, +0x00808202,0x00008002,0x00808000,0x00800202,0x00800002,0x00000202,0x00008202,0x00808200, +0x00000202,0x00800200,0x00800200,0x00000000,0x00008002,0x00008200,0x00000000,0x00808002, + +0x40084010,0x40004000,0x00004000,0x00084010,0x00080000,0x00000010,0x40080010,0x40004010, +0x40000010,0x40084010,0x40084000,0x40000000,0x40004000,0x00080000,0x00000010,0x40080010, +0x00084000,0x00080010,0x40004010,0x00000000,0x40000000,0x00004000,0x00084010,0x40080000, +0x00080010,0x40000010,0x00000000,0x00084000,0x00004010,0x40084000,0x40080000,0x00004010, +0x00000000,0x00084010,0x40080010,0x00080000,0x40004010,0x40080000,0x40084000,0x00004000, +0x40080000,0x40004000,0x00000010,0x40084010,0x00084010,0x00000010,0x00004000,0x40000000, +0x00004010,0x40084000,0x00080000,0x40000010,0x00080010,0x40004010,0x40000010,0x00080010, +0x00084000,0x00000000,0x40004000,0x00004010,0x40000000,0x40080010,0x40084010,0x00084000, + +0x00000104,0x04010100,0x00000000,0x04010004,0x04000100,0x00000000,0x00010104,0x04000100, +0x00010004,0x04000004,0x04000004,0x00010000,0x04010104,0x00010004,0x04010000,0x00000104, +0x04000000,0x00000004,0x04010100,0x00000100,0x00010100,0x04010000,0x04010004,0x00010104, +0x04000104,0x00010100,0x00010000,0x04000104,0x00000004,0x04010104,0x00000100,0x04000000, +0x04010100,0x04000000,0x00010004,0x00000104,0x00010000,0x04010100,0x04000100,0x00000000, +0x00000100,0x00010004,0x04010104,0x04000100,0x04000004,0x00000100,0x00000000,0x04010004, +0x04000104,0x00010000,0x04000000,0x04010104,0x00000004,0x00010104,0x00010100,0x04000004, +0x04010000,0x04000104,0x00000104,0x04010000,0x00010104,0x00000004,0x04010004,0x00010100, + +0x80401000,0x80001040,0x80001040,0x00000040,0x00401040,0x80400040,0x80400000,0x80001000, +0x00000000,0x00401000,0x00401000,0x80401040,0x80000040,0x00000000,0x00400040,0x80400000, +0x80000000,0x00001000,0x00400000,0x80401000,0x00000040,0x00400000,0x80001000,0x00001040, +0x80400040,0x80000000,0x00001040,0x00400040,0x00001000,0x00401040,0x80401040,0x80000040, +0x00400040,0x80400000,0x00401000,0x80401040,0x80000040,0x00000000,0x00000000,0x00401000, +0x00001040,0x00400040,0x80400040,0x80000000,0x80401000,0x80001040,0x80001040,0x00000040, +0x80401040,0x80000040,0x80000000,0x00001000,0x80400000,0x80001000,0x00401040,0x80400040, +0x80001000,0x00001040,0x00400000,0x80401000,0x00000040,0x00400000,0x00001000,0x00401040, + +0x00000080,0x01040080,0x01040000,0x21000080,0x00040000,0x00000080,0x20000000,0x01040000, +0x20040080,0x00040000,0x01000080,0x20040080,0x21000080,0x21040000,0x00040080,0x20000000, +0x01000000,0x20040000,0x20040000,0x00000000,0x20000080,0x21040080,0x21040080,0x01000080, +0x21040000,0x20000080,0x00000000,0x21000000,0x01040080,0x01000000,0x21000000,0x00040080, +0x00040000,0x21000080,0x00000080,0x01000000,0x20000000,0x01040000,0x21000080,0x20040080, +0x01000080,0x20000000,0x21040000,0x01040080,0x20040080,0x00000080,0x01000000,0x21040000, +0x21040080,0x00040080,0x21000000,0x21040080,0x01040000,0x00000000,0x20040000,0x21000000, +0x00040080,0x01000080,0x20000080,0x00040000,0x00000000,0x20040000,0x01040080,0x20000080, + +0x10000008,0x10200000,0x00002000,0x10202008,0x10200000,0x00000008,0x10202008,0x00200000, +0x10002000,0x00202008,0x00200000,0x10000008,0x00200008,0x10002000,0x10000000,0x00002008, +0x00000000,0x00200008,0x10002008,0x00002000,0x00202000,0x10002008,0x00000008,0x10200008, +0x10200008,0x00000000,0x00202008,0x10202000,0x00002008,0x00202000,0x10202000,0x10000000, +0x10002000,0x00000008,0x10200008,0x00202000,0x10202008,0x00200000,0x00002008,0x10000008, +0x00200000,0x10002000,0x10000000,0x00002008,0x10000008,0x10202008,0x00202000,0x10200000, +0x00202008,0x10202000,0x00000000,0x10200008,0x00000008,0x00002000,0x10200000,0x00202008, +0x00002000,0x00200008,0x10002008,0x00000000,0x10202000,0x10000000,0x00200008,0x10002008, + +0x00100000,0x02100001,0x02000401,0x00000000,0x00000400,0x02000401,0x00100401,0x02100400, +0x02100401,0x00100000,0x00000000,0x02000001,0x00000001,0x02000000,0x02100001,0x00000401, +0x02000400,0x00100401,0x00100001,0x02000400,0x02000001,0x02100000,0x02100400,0x00100001, +0x02100000,0x00000400,0x00000401,0x02100401,0x00100400,0x00000001,0x02000000,0x00100400, +0x02000000,0x00100400,0x00100000,0x02000401,0x02000401,0x02100001,0x02100001,0x00000001, +0x00100001,0x02000000,0x02000400,0x00100000,0x02100400,0x00000401,0x00100401,0x02100400, +0x00000401,0x02000001,0x02100401,0x02100000,0x00100400,0x00000000,0x00000001,0x02100401, +0x00000000,0x00100401,0x02100000,0x00000400,0x02000001,0x02000400,0x00000400,0x00100001, + +0x08000820,0x00000800,0x00020000,0x08020820,0x08000000,0x08000820,0x00000020,0x08000000, +0x00020020,0x08020000,0x08020820,0x00020800,0x08020800,0x00020820,0x00000800,0x00000020, +0x08020000,0x08000020,0x08000800,0x00000820,0x00020800,0x00020020,0x08020020,0x08020800, +0x00000820,0x00000000,0x00000000,0x08020020,0x08000020,0x08000800,0x00020820,0x00020000, +0x00020820,0x00020000,0x08020800,0x00000800,0x00000020,0x08020020,0x00000800,0x00020820, +0x08000800,0x00000020,0x08000020,0x08020000,0x08020020,0x08000000,0x00020000,0x08000820, +0x00000000,0x08020820,0x00020020,0x08000020,0x08020000,0x08000800,0x08000820,0x00000000, +0x08020820,0x00020800,0x00020800,0x00000820,0x00000820,0x00020020,0x08000000,0x08020800, +}; + +/* + * for manual index calculation + * #define fetch(box, i, sh) (*((u32int*)((uchar*)spbox + (box << 8) + ((i >> (sh)) & 0xfc)))) + */ +#define fetch(box, i, sh) ((spbox+(box << 6))[((i >> (sh + 2)) & 0x3f)]) + +/* + * DES electronic codebook encryption of one block + */ +void +block_cipher(ulong key[32], uchar text[8], int decrypting) +{ + u32int right, left, v0, v1; + int i, keystep; + + /* + * initial permutation + */ + v0 = text[0] | ((u32int)text[2]<<8) | ((u32int)text[4]<<16) | ((u32int)text[6]<<24); + left = text[1] | ((u32int)text[3]<<8) | ((u32int)text[5]<<16) | ((u32int)text[7]<<24); + right = (left & 0xaaaaaaaa) | ((v0 >> 1) & 0x55555555); + left = ((left << 1) & 0xaaaaaaaa) | (v0 & 0x55555555); + left = ((left << 6) & 0x33003300) + | (left & 0xcc33cc33) + | ((left >> 6) & 0x00cc00cc); + left = ((left << 12) & 0x0f0f0000) + | (left & 0xf0f00f0f) + | ((left >> 12) & 0x0000f0f0); + right = ((right << 6) & 0x33003300) + | (right & 0xcc33cc33) + | ((right >> 6) & 0x00cc00cc); + right = ((right << 12) & 0x0f0f0000) + | (right & 0xf0f00f0f) + | ((right >> 12) & 0x0000f0f0); + + if (decrypting) { + keystep = -2; + key = key + 32 - 2; + } else + keystep = 2; + for (i = 0; i < 8; i++) { + v0 = key[0]; + v0 ^= (right >> 1) | (right << 31); + left ^= fetch(0, v0, 24) + ^ fetch(2, v0, 16) + ^ fetch(4, v0, 8) + ^ fetch(6, v0, 0); + v1 = key[1]; + v1 ^= (right << 3) | (right >> 29); + left ^= fetch(1, v1, 24) + ^ fetch(3, v1, 16) + ^ fetch(5, v1, 8) + ^ fetch(7, v1, 0); + key += keystep; + + v0 = key[0]; + v0 ^= (left >> 1) | (left << 31); + right ^= fetch(0, v0, 24) + ^ fetch(2, v0, 16) + ^ fetch(4, v0, 8) + ^ fetch(6, v0, 0); + v1 = key[1]; + v1 ^= (left << 3) | (left >> 29); + right ^= fetch(1, v1, 24) + ^ fetch(3, v1, 16) + ^ fetch(5, v1, 8) + ^ fetch(7, v1, 0); + key += keystep; + } + + /* + * final permutation, inverse initial permutation + */ + v0 = ((left << 1) & 0xaaaaaaaa) | (right & 0x55555555); + v1 = (left & 0xaaaaaaaa) | ((right >> 1) & 0x55555555); + v1 = ((v1 << 6) & 0x33003300) + | (v1 & 0xcc33cc33) + | ((v1 >> 6) & 0x00cc00cc); + v1 = ((v1 << 12) & 0x0f0f0000) + | (v1 & 0xf0f00f0f) + | ((v1 >> 12) & 0x0000f0f0); + v0 = ((v0 << 6) & 0x33003300) + | (v0 & 0xcc33cc33) + | ((v0 >> 6) & 0x00cc00cc); + v0 = ((v0 << 12) & 0x0f0f0000) + | (v0 & 0xf0f00f0f) + | ((v0 >> 12) & 0x0000f0f0); + text[0] = v0; + text[2] = v0 >> 8; + text[4] = v0 >> 16; + text[6] = v0 >> 24; + text[1] = v1; + text[3] = v1 >> 8; + text[5] = v1 >> 16; + text[7] = v1 >> 24; +} + +/* + * triple DES electronic codebook encryption of one block + */ +void +triple_block_cipher(ulong expanded_key[3][32], uchar text[8], int ende) +{ + ulong *key; + u32int right, left, v0, v1; + int i, j, keystep; + + /* + * initial permutation + */ + v0 = text[0] | ((u32int)text[2]<<8) | ((u32int)text[4]<<16) | ((u32int)text[6]<<24); + left = text[1] | ((u32int)text[3]<<8) | ((u32int)text[5]<<16) | ((u32int)text[7]<<24); + right = (left & 0xaaaaaaaa) | ((v0 >> 1) & 0x55555555); + left = ((left << 1) & 0xaaaaaaaa) | (v0 & 0x55555555); + left = ((left << 6) & 0x33003300) + | (left & 0xcc33cc33) + | ((left >> 6) & 0x00cc00cc); + left = ((left << 12) & 0x0f0f0000) + | (left & 0xf0f00f0f) + | ((left >> 12) & 0x0000f0f0); + right = ((right << 6) & 0x33003300) + | (right & 0xcc33cc33) + | ((right >> 6) & 0x00cc00cc); + right = ((right << 12) & 0x0f0f0000) + | (right & 0xf0f00f0f) + | ((right >> 12) & 0x0000f0f0); + + for(j = 0; j < 3; j++){ + if((ende & 1) == DES3D) { + key = &expanded_key[2-j][32-2]; + keystep = -2; + } else { + key = &expanded_key[j][0]; + keystep = 2; + } + ende >>= 1; + for (i = 0; i < 8; i++) { + v0 = key[0]; + v0 ^= (right >> 1) | (right << 31); + left ^= fetch(0, v0, 24) + ^ fetch(2, v0, 16) + ^ fetch(4, v0, 8) + ^ fetch(6, v0, 0); + v1 = key[1]; + v1 ^= (right << 3) | (right >> 29); + left ^= fetch(1, v1, 24) + ^ fetch(3, v1, 16) + ^ fetch(5, v1, 8) + ^ fetch(7, v1, 0); + key += keystep; + + v0 = key[0]; + v0 ^= (left >> 1) | (left << 31); + right ^= fetch(0, v0, 24) + ^ fetch(2, v0, 16) + ^ fetch(4, v0, 8) + ^ fetch(6, v0, 0); + v1 = key[1]; + v1 ^= (left << 3) | (left >> 29); + right ^= fetch(1, v1, 24) + ^ fetch(3, v1, 16) + ^ fetch(5, v1, 8) + ^ fetch(7, v1, 0); + key += keystep; + } + + v0 = left; + left = right; + right = v0; + } + + /* + * final permutation, inverse initial permutation + * left and right are swapped here + */ + v0 = ((right << 1) & 0xaaaaaaaa) | (left & 0x55555555); + v1 = (right & 0xaaaaaaaa) | ((left >> 1) & 0x55555555); + v1 = ((v1 << 6) & 0x33003300) + | (v1 & 0xcc33cc33) + | ((v1 >> 6) & 0x00cc00cc); + v1 = ((v1 << 12) & 0x0f0f0000) + | (v1 & 0xf0f00f0f) + | ((v1 >> 12) & 0x0000f0f0); + v0 = ((v0 << 6) & 0x33003300) + | (v0 & 0xcc33cc33) + | ((v0 >> 6) & 0x00cc00cc); + v0 = ((v0 << 12) & 0x0f0f0000) + | (v0 & 0xf0f00f0f) + | ((v0 >> 12) & 0x0000f0f0); + text[0] = v0; + text[2] = v0 >> 8; + text[4] = v0 >> 16; + text[6] = v0 >> 24; + text[1] = v1; + text[3] = v1 >> 8; + text[5] = v1 >> 16; + text[7] = v1 >> 24; +} + +/* + * key compression permutation, 4 bits at a time + */ +static u32int comptab[] = { + +0x000000,0x010000,0x000008,0x010008,0x000080,0x010080,0x000088,0x010088, +0x000000,0x010000,0x000008,0x010008,0x000080,0x010080,0x000088,0x010088, + +0x000000,0x100000,0x000800,0x100800,0x000000,0x100000,0x000800,0x100800, +0x002000,0x102000,0x002800,0x102800,0x002000,0x102000,0x002800,0x102800, + +0x000000,0x000004,0x000400,0x000404,0x000000,0x000004,0x000400,0x000404, +0x400000,0x400004,0x400400,0x400404,0x400000,0x400004,0x400400,0x400404, + +0x000000,0x000020,0x008000,0x008020,0x800000,0x800020,0x808000,0x808020, +0x000002,0x000022,0x008002,0x008022,0x800002,0x800022,0x808002,0x808022, + +0x000000,0x000200,0x200000,0x200200,0x001000,0x001200,0x201000,0x201200, +0x000000,0x000200,0x200000,0x200200,0x001000,0x001200,0x201000,0x201200, + +0x000000,0x000040,0x000010,0x000050,0x004000,0x004040,0x004010,0x004050, +0x040000,0x040040,0x040010,0x040050,0x044000,0x044040,0x044010,0x044050, + +0x000000,0x000100,0x020000,0x020100,0x000001,0x000101,0x020001,0x020101, +0x080000,0x080100,0x0a0000,0x0a0100,0x080001,0x080101,0x0a0001,0x0a0101, + +0x000000,0x000100,0x040000,0x040100,0x000000,0x000100,0x040000,0x040100, +0x000040,0x000140,0x040040,0x040140,0x000040,0x000140,0x040040,0x040140, + +0x000000,0x400000,0x008000,0x408000,0x000008,0x400008,0x008008,0x408008, +0x000400,0x400400,0x008400,0x408400,0x000408,0x400408,0x008408,0x408408, + +0x000000,0x001000,0x080000,0x081000,0x000020,0x001020,0x080020,0x081020, +0x004000,0x005000,0x084000,0x085000,0x004020,0x005020,0x084020,0x085020, + +0x000000,0x000800,0x000000,0x000800,0x000010,0x000810,0x000010,0x000810, +0x800000,0x800800,0x800000,0x800800,0x800010,0x800810,0x800010,0x800810, + +0x000000,0x010000,0x000200,0x010200,0x000000,0x010000,0x000200,0x010200, +0x100000,0x110000,0x100200,0x110200,0x100000,0x110000,0x100200,0x110200, + +0x000000,0x000004,0x000000,0x000004,0x000080,0x000084,0x000080,0x000084, +0x002000,0x002004,0x002000,0x002004,0x002080,0x002084,0x002080,0x002084, + +0x000000,0x000001,0x200000,0x200001,0x020000,0x020001,0x220000,0x220001, +0x000002,0x000003,0x200002,0x200003,0x020002,0x020003,0x220002,0x220003, +}; + +static int keysh[] = +{ + 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1, +}; + +static void +keycompperm(u32int left, u32int right, ulong *ek) +{ + u32int v0, v1; + int i; + + for(i = 0; i < 16; i++){ + left = (left << keysh[i]) | (left >> (28 - keysh[i])); + left &= 0xfffffff0; + right = (right << keysh[i]) | (right >> (28 - keysh[i])); + right &= 0xfffffff0; + v0 = comptab[6 * (1 << 4) + ((left >> (32-4)) & 0xf)] + | comptab[5 * (1 << 4) + ((left >> (32-8)) & 0xf)] + | comptab[4 * (1 << 4) + ((left >> (32-12)) & 0xf)] + | comptab[3 * (1 << 4) + ((left >> (32-16)) & 0xf)] + | comptab[2 * (1 << 4) + ((left >> (32-20)) & 0xf)] + | comptab[1 * (1 << 4) + ((left >> (32-24)) & 0xf)] + | comptab[0 * (1 << 4) + ((left >> (32-28)) & 0xf)]; + v1 = comptab[13 * (1 << 4) + ((right >> (32-4)) & 0xf)] + | comptab[12 * (1 << 4) + ((right >> (32-8)) & 0xf)] + | comptab[11 * (1 << 4) + ((right >> (32-12)) & 0xf)] + | comptab[10 * (1 << 4) + ((right >> (32-16)) & 0xf)] + | comptab[9 * (1 << 4) + ((right >> (32-20)) & 0xf)] + | comptab[8 * (1 << 4) + ((right >> (32-24)) & 0xf)] + | comptab[7 * (1 << 4) + ((right >> (32-28)) & 0xf)]; + ek[0] = (((v0 >> (24-6)) & 0x3f) << 26) + | (((v0 >> (24-18)) & 0x3f) << 18) + | (((v1 >> (24-6)) & 0x3f) << 10) + | (((v1 >> (24-18)) & 0x3f) << 2); + ek[1] = (((v0 >> (24-12)) & 0x3f) << 26) + | (((v0 >> (24-24)) & 0x3f) << 18) + | (((v1 >> (24-12)) & 0x3f) << 10) + | (((v1 >> (24-24)) & 0x3f) << 2); + ek += 2; + } +} + +void +des_key_setup(uchar key[8], ulong *ek) +{ + u32int left, right, v0, v1; + + v0 = key[0] | ((u32int)key[2] << 8) | ((u32int)key[4] << 16) | ((u32int)key[6] << 24); + v1 = key[1] | ((u32int)key[3] << 8) | ((u32int)key[5] << 16) | ((u32int)key[7] << 24); + left = ((v0 >> 1) & 0x40404040) + | ((v0 >> 2) & 0x10101010) + | ((v0 >> 3) & 0x04040404) + | ((v0 >> 4) & 0x01010101) + | ((v1 >> 0) & 0x80808080) + | ((v1 >> 1) & 0x20202020) + | ((v1 >> 2) & 0x08080808) + | ((v1 >> 3) & 0x02020202); + right = ((v0 >> 1) & 0x04040404) + | ((v0 << 2) & 0x10101010) + | ((v0 << 5) & 0x40404040) + | ((v1 << 0) & 0x08080808) + | ((v1 << 3) & 0x20202020) + | ((v1 << 6) & 0x80808080); + left = ((left << 6) & 0x33003300) + | (left & 0xcc33cc33) + | ((left >> 6) & 0x00cc00cc); + v0 = ((left << 12) & 0x0f0f0000) + | (left & 0xf0f00f0f) + | ((left >> 12) & 0x0000f0f0); + right = ((right << 6) & 0x33003300) + | (right & 0xcc33cc33) + | ((right >> 6) & 0x00cc00cc); + v1 = ((right << 12) & 0x0f0f0000) + | (right & 0xf0f00f0f) + | ((right >> 12) & 0x0000f0f0); + left = v0 & 0xfffffff0; + right = (v1 & 0xffffff00) | ((v0 << 4) & 0xf0); + + keycompperm(left, right, ek); +} + +static uchar parity[128] = +{ + 0x01, 0x02, 0x04, 0x07, 0x08, 0x0b, 0x0d, 0x0e, + 0x10, 0x13, 0x15, 0x16, 0x19, 0x1a, 0x1c, 0x1f, + 0x20, 0x23, 0x25, 0x26, 0x29, 0x2a, 0x2c, 0x2f, + 0x31, 0x32, 0x34, 0x37, 0x38, 0x3b, 0x3d, 0x3e, + 0x40, 0x43, 0x45, 0x46, 0x49, 0x4a, 0x4c, 0x4f, + 0x51, 0x52, 0x54, 0x57, 0x58, 0x5b, 0x5d, 0x5e, + 0x61, 0x62, 0x64, 0x67, 0x68, 0x6b, 0x6d, 0x6e, + 0x70, 0x73, 0x75, 0x76, 0x79, 0x7a, 0x7c, 0x7f, + 0x80, 0x83, 0x85, 0x86, 0x89, 0x8a, 0x8c, 0x8f, + 0x91, 0x92, 0x94, 0x97, 0x98, 0x9b, 0x9d, 0x9e, + 0xa1, 0xa2, 0xa4, 0xa7, 0xa8, 0xab, 0xad, 0xae, + 0xb0, 0xb3, 0xb5, 0xb6, 0xb9, 0xba, 0xbc, 0xbf, + 0xc1, 0xc2, 0xc4, 0xc7, 0xc8, 0xcb, 0xcd, 0xce, + 0xd0, 0xd3, 0xd5, 0xd6, 0xd9, 0xda, 0xdc, 0xdf, + 0xe0, 0xe3, 0xe5, 0xe6, 0xe9, 0xea, 0xec, 0xef, + 0xf1, 0xf2, 0xf4, 0xf7, 0xf8, 0xfb, 0xfd, 0xfe, +}; + +/* + * convert a 7 byte key to an 8 byte one + */ +void +des56to64(uchar *k56, uchar *k64) +{ + u32int hi, lo; + + hi = ((u32int)k56[0]<<24)|((u32int)k56[1]<<16)|((u32int)k56[2]<<8)|k56[3]; + lo = ((u32int)k56[4]<<24)|((u32int)k56[5]<<16)|((u32int)k56[6]<<8); + + k64[0] = parity[(hi>>25)&0x7f]; + k64[1] = parity[(hi>>18)&0x7f]; + k64[2] = parity[(hi>>11)&0x7f]; + k64[3] = parity[(hi>>4)&0x7f]; + k64[4] = parity[((hi<<3)|(lo>>29))&0x7f]; + k64[5] = parity[(lo>>22)&0x7f]; + k64[6] = parity[(lo>>15)&0x7f]; + k64[7] = parity[(lo>>8)&0x7f]; +} + +/* + * convert an 8 byte key to a 7 byte one + */ +void +des64to56(uchar *k64, uchar *k56) +{ + u32int hi, lo; + + hi = (((u32int)k64[0]&0xfe)<<24)|(((u32int)k64[1]&0xfe)<<17)|(((u32int)k64[2]&0xfe)<<10) + |((k64[3]&0xfe)<<3)|(k64[4]>>4); + lo = (((u32int)k64[4]&0xfe)<<28)|(((u32int)k64[5]&0xfe)<<21)|(((u32int)k64[6]&0xfe)<<14) + |(((u32int)k64[7]&0xfe)<<7); + + k56[0] = hi>>24; + k56[1] = hi>>16; + k56[2] = hi>>8; + k56[3] = hi>>0; + k56[4] = lo>>24; + k56[5] = lo>>16; + k56[6] = lo>>8; +} + +void +key_setup(uchar key[7], ulong *ek) +{ + uchar k64[8]; + + des56to64(key, k64); + des_key_setup(k64, ek); +} diff --git a/sys/src/libsec/port/des3CBC.c b/sys/src/libsec/port/des3CBC.c new file mode 100755 index 000000000..263293004 --- /dev/null +++ b/sys/src/libsec/port/des3CBC.c @@ -0,0 +1,59 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// Because of the way that non multiple of 8 +// buffers are handled, the decryptor must +// be fed buffers of the same size as the +// encryptor + + +// If the length is not a multiple of 8, I encrypt +// the overflow to be compatible with lacy's cryptlib +void +des3CBCencrypt(uchar *p, int len, DES3state *s) +{ + uchar *p2, *ip, *eip; + + for(; len >= 8; len -= 8){ + p2 = p; + ip = s->ivec; + for(eip = ip+8; ip < eip; ) + *p2++ ^= *ip++; + triple_block_cipher(s->expanded, p, DES3EDE); + memmove(s->ivec, p, 8); + p += 8; + } + + if(len > 0){ + ip = s->ivec; + triple_block_cipher(s->expanded, ip, DES3EDE); + for(eip = ip+len; ip < eip; ) + *p++ ^= *ip++; + } +} + +void +des3CBCdecrypt(uchar *p, int len, DES3state *s) +{ + uchar *ip, *eip, *tp; + uchar tmp[8]; + + for(; len >= 8; len -= 8){ + memmove(tmp, p, 8); + triple_block_cipher(s->expanded, p, DES3DED); + tp = tmp; + ip = s->ivec; + for(eip = ip+8; ip < eip; ){ + *p++ ^= *ip; + *ip++ = *tp++; + } + } + + if(len > 0){ + ip = s->ivec; + triple_block_cipher(s->expanded, ip, DES3EDE); + for(eip = ip+len; ip < eip; ) + *p++ ^= *ip++; + } +} diff --git a/sys/src/libsec/port/des3ECB.c b/sys/src/libsec/port/des3ECB.c new file mode 100755 index 000000000..324254b19 --- /dev/null +++ b/sys/src/libsec/port/des3ECB.c @@ -0,0 +1,48 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// I wasn't sure what to do when the buffer was not +// a multiple of 8. I did what lacy's cryptolib did +// to be compatible, but it looks dangerous to me +// since its encrypting plain text with the key. -- presotto + +void +des3ECBencrypt(uchar *p, int len, DES3state *s) +{ + int i; + uchar tmp[8]; + + for(; len >= 8; len -= 8){ + triple_block_cipher(s->expanded, p, DES3EDE); + p += 8; + } + + if(len > 0){ + for (i=0; i<8; i++) + tmp[i] = i; + triple_block_cipher(s->expanded, tmp, DES3EDE); + for (i = 0; i < len; i++) + p[i] ^= tmp[i]; + } +} + +void +des3ECBdecrypt(uchar *p, int len, DES3state *s) +{ + int i; + uchar tmp[8]; + + for(; len >= 8; len -= 8){ + triple_block_cipher(s->expanded, p, DES3DED); + p += 8; + } + + if(len > 0){ + for (i=0; i<8; i++) + tmp[i] = i; + triple_block_cipher(s->expanded, tmp, DES3EDE); + for (i = 0; i < len; i++) + p[i] ^= tmp[i]; + } +} diff --git a/sys/src/libsec/port/desCBC.c b/sys/src/libsec/port/desCBC.c new file mode 100755 index 000000000..ecee29e80 --- /dev/null +++ b/sys/src/libsec/port/desCBC.c @@ -0,0 +1,59 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// Because of the way that non multiple of 8 +// buffers are handled, the decryptor must +// be fed buffers of the same size as the +// encryptor + + +// If the length is not a multiple of 8, I encrypt +// the overflow to be compatible with lacy's cryptlib +void +desCBCencrypt(uchar *p, int len, DESstate *s) +{ + uchar *p2, *ip, *eip; + + for(; len >= 8; len -= 8){ + p2 = p; + ip = s->ivec; + for(eip = ip+8; ip < eip; ) + *p2++ ^= *ip++; + block_cipher(s->expanded, p, 0); + memmove(s->ivec, p, 8); + p += 8; + } + + if(len > 0){ + ip = s->ivec; + block_cipher(s->expanded, ip, 0); + for(eip = ip+len; ip < eip; ) + *p++ ^= *ip++; + } +} + +void +desCBCdecrypt(uchar *p, int len, DESstate *s) +{ + uchar *ip, *eip, *tp; + uchar tmp[8]; + + for(; len >= 8; len -= 8){ + memmove(tmp, p, 8); + block_cipher(s->expanded, p, 1); + tp = tmp; + ip = s->ivec; + for(eip = ip+8; ip < eip; ){ + *p++ ^= *ip; + *ip++ = *tp++; + } + } + + if(len > 0){ + ip = s->ivec; + block_cipher(s->expanded, ip, 0); + for(eip = ip+len; ip < eip; ) + *p++ ^= *ip++; + } +} diff --git a/sys/src/libsec/port/desECB.c b/sys/src/libsec/port/desECB.c new file mode 100755 index 000000000..a9ad00185 --- /dev/null +++ b/sys/src/libsec/port/desECB.c @@ -0,0 +1,48 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// I wasn't sure what to do when the buffer was not +// a multiple of 8. I did what lacy's cryptolib did +// to be compatible, but it looks dangerous to me +// since its encrypting plain text with the key. -- presotto + +void +desECBencrypt(uchar *p, int len, DESstate *s) +{ + int i; + uchar tmp[8]; + + for(; len >= 8; len -= 8){ + block_cipher(s->expanded, p, 0); + p += 8; + } + + if(len > 0){ + for (i=0; i<8; i++) + tmp[i] = i; + block_cipher(s->expanded, tmp, 0); + for (i = 0; i < len; i++) + p[i] ^= tmp[i]; + } +} + +void +desECBdecrypt(uchar *p, int len, DESstate *s) +{ + int i; + uchar tmp[8]; + + for(; len >= 8; len -= 8){ + block_cipher(s->expanded, p, 1); + p += 8; + } + + if(len > 0){ + for (i=0; i<8; i++) + tmp[i] = i; + block_cipher(s->expanded, tmp, 0); + for (i = 0; i < len; i++) + p[i] ^= tmp[i]; + } +} diff --git a/sys/src/libsec/port/desmodes.c b/sys/src/libsec/port/desmodes.c new file mode 100755 index 000000000..da6d98410 --- /dev/null +++ b/sys/src/libsec/port/desmodes.c @@ -0,0 +1,31 @@ +#include "os.h" +#include <libsec.h> + +/* + * these routines use the 64bit format for + * DES keys. + */ + +void +setupDESstate(DESstate *s, uchar key[8], uchar *ivec) +{ + memset(s, 0, sizeof(*s)); + memmove(s->key, key, sizeof(s->key)); + des_key_setup(key, s->expanded); + if(ivec) + memmove(s->ivec, ivec, 8); + s->setup = 0xdeadbeef; +} + +void +setupDES3state(DES3state *s, uchar key[3][8], uchar *ivec) +{ + memset(s, 0, sizeof(*s)); + memmove(s->key, key, sizeof(s->key)); + des_key_setup(key[0], s->expanded[0]); + des_key_setup(key[1], s->expanded[1]); + des_key_setup(key[2], s->expanded[2]); + if(ivec) + memmove(s->ivec, ivec, 8); + s->setup = 0xdeadbeef; +} diff --git a/sys/src/libsec/port/dsaalloc.c b/sys/src/libsec/port/dsaalloc.c new file mode 100755 index 000000000..d82ab3deb --- /dev/null +++ b/sys/src/libsec/port/dsaalloc.c @@ -0,0 +1,72 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +DSApub* +dsapuballoc(void) +{ + DSApub *dsa; + + dsa = mallocz(sizeof(*dsa), 1); + if(dsa == nil) + sysfatal("dsapuballoc"); + return dsa; +} + +void +dsapubfree(DSApub *dsa) +{ + if(dsa == nil) + return; + mpfree(dsa->p); + mpfree(dsa->q); + mpfree(dsa->alpha); + mpfree(dsa->key); + free(dsa); +} + + +DSApriv* +dsaprivalloc(void) +{ + DSApriv *dsa; + + dsa = mallocz(sizeof(*dsa), 1); + if(dsa == nil) + sysfatal("dsaprivalloc"); + return dsa; +} + +void +dsaprivfree(DSApriv *dsa) +{ + if(dsa == nil) + return; + mpfree(dsa->pub.p); + mpfree(dsa->pub.q); + mpfree(dsa->pub.alpha); + mpfree(dsa->pub.key); + mpfree(dsa->secret); + free(dsa); +} + +DSAsig* +dsasigalloc(void) +{ + DSAsig *dsa; + + dsa = mallocz(sizeof(*dsa), 1); + if(dsa == nil) + sysfatal("dsasigalloc"); + return dsa; +} + +void +dsasigfree(DSAsig *dsa) +{ + if(dsa == nil) + return; + mpfree(dsa->r); + mpfree(dsa->s); + free(dsa); +} diff --git a/sys/src/libsec/port/dsagen.c b/sys/src/libsec/port/dsagen.c new file mode 100755 index 000000000..46c369e14 --- /dev/null +++ b/sys/src/libsec/port/dsagen.c @@ -0,0 +1,58 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +DSApriv* +dsagen(DSApub *opub) +{ + DSApub *pub; + DSApriv *priv; + mpint *exp; + mpint *g; + mpint *r; + int bits; + + priv = dsaprivalloc(); + pub = &priv->pub; + + if(opub != nil){ + pub->p = mpcopy(opub->p); + pub->q = mpcopy(opub->q); + } else { + pub->p = mpnew(0); + pub->q = mpnew(0); + DSAprimes(pub->q, pub->p, nil); + } + bits = Dbits*pub->p->top; + + pub->alpha = mpnew(0); + pub->key = mpnew(0); + priv->secret = mpnew(0); + + // find a generator alpha of the multiplicative + // group Z*p, i.e., of order n = p-1. We use the + // fact that q divides p-1 to reduce the exponent. + exp = mpnew(0); + g = mpnew(0); + r = mpnew(0); + mpsub(pub->p, mpone, exp); + mpdiv(exp, pub->q, exp, r); + if(mpcmp(r, mpzero) != 0) + sysfatal("dsagen foul up"); + while(1){ + mprand(bits, genrandom, g); + mpmod(g, pub->p, g); + mpexp(g, exp, pub->p, pub->alpha); + if(mpcmp(pub->alpha, mpone) != 0) + break; + } + mpfree(g); + mpfree(exp); + + // create the secret key + mprand(bits, genrandom, priv->secret); + mpmod(priv->secret, pub->p, priv->secret); + mpexp(pub->alpha, priv->secret, pub->p, pub->key); + + return priv; +} diff --git a/sys/src/libsec/port/dsaprimes.c b/sys/src/libsec/port/dsaprimes.c new file mode 100755 index 000000000..ff1dd5d87 --- /dev/null +++ b/sys/src/libsec/port/dsaprimes.c @@ -0,0 +1,97 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// NIST algorithm for generating DSA primes +// Menezes et al (1997) Handbook of Applied Cryptography, p.151 +// q is a 160-bit prime; p is a 1024-bit prime; q divides p-1 + +// arithmetic on unsigned ints mod 2**160, represented +// as 20-byte, little-endian uchar array + +static void +Hrand(uchar *s) +{ + ulong *u = (ulong*)s; + *u++ = fastrand(); + *u++ = fastrand(); + *u++ = fastrand(); + *u++ = fastrand(); + *u = fastrand(); +} + +static void +Hincr(uchar *s) +{ + int i; + for(i=0; i<20; i++) + if(++s[i]!=0) + break; +} + +// this can run for quite a while; be patient +void +DSAprimes(mpint *q, mpint *p, uchar seed[SHA1dlen]) +{ + int i, j, k, n = 6, b = 63; + uchar s[SHA1dlen], Hs[SHA1dlen], Hs1[SHA1dlen], sj[SHA1dlen], sjk[SHA1dlen]; + mpint *two1023, *mb, *Vk, *W, *X, *q2; + + two1023 = mpnew(1024); + mpleft(mpone, 1023, two1023); + mb = mpnew(0); + mpleft(mpone, b, mb); + W = mpnew(1024); + Vk = mpnew(1024); + X = mpnew(0); + q2 = mpnew(0); +forever: + do{ + Hrand(s); + memcpy(sj, s, 20); + sha1(s, 20, Hs, 0); + Hincr(sj); + sha1(sj, 20, Hs1, 0); + for(i=0; i<20; i++) + Hs[i] ^= Hs1[i]; + Hs[0] |= 1; + Hs[19] |= 0x80; + letomp(Hs, 20, q); + }while(!probably_prime(q, 18)); + if(seed != nil) // allow skeptics to confirm computation + memmove(seed, s, SHA1dlen); + i = 0; + j = 2; + Hincr(sj); + mpleft(q, 1, q2); + while(i<4096){ + memcpy(sjk, sj, 20); + for(k=0; k <= n; k++){ + sha1(sjk, 20, Hs, 0); + letomp(Hs, 20, Vk); + if(k == n) + mpmod(Vk, mb, Vk); + mpleft(Vk, 160*k, Vk); + mpadd(W, Vk, W); + Hincr(sjk); + } + mpadd(W, two1023, X); + mpmod(X, q2, W); + mpsub(W, mpone, W); + mpsub(X, W, p); + if(mpcmp(p, two1023)>=0 && probably_prime(p, 5)) + goto done; + i += 1; + j += n+1; + for(k=0; k<n+1; k++) + Hincr(sj); + } + goto forever; +done: + mpfree(q2); + mpfree(X); + mpfree(Vk); + mpfree(W); + mpfree(mb); + mpfree(two1023); +} diff --git a/sys/src/libsec/port/dsaprivtopub.c b/sys/src/libsec/port/dsaprivtopub.c new file mode 100755 index 000000000..e1790cae1 --- /dev/null +++ b/sys/src/libsec/port/dsaprivtopub.c @@ -0,0 +1,16 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +DSApub* +dsaprivtopub(DSApriv *priv) +{ + DSApub *pub; + + pub = dsapuballoc(); + pub->p = mpcopy(priv->pub.p); + pub->q = mpcopy(priv->pub.q); + pub->alpha = mpcopy(priv->pub.alpha); + pub->key = mpcopy(priv->pub.key); + return pub; +} diff --git a/sys/src/libsec/port/dsasign.c b/sys/src/libsec/port/dsasign.c new file mode 100755 index 000000000..137134be0 --- /dev/null +++ b/sys/src/libsec/port/dsasign.c @@ -0,0 +1,52 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +DSAsig* +dsasign(DSApriv *priv, mpint *m) +{ + DSApub *pub = &priv->pub; + DSAsig *sig; + mpint *qm1, *k, *kinv, *r, *s; + mpint *q = pub->q, *p = pub->p, *alpha = pub->alpha; + int qlen = mpsignif(q); + + qm1 = mpnew(0); + kinv = mpnew(0); + r = mpnew(0); + s = mpnew(0); + k = mpnew(0); + mpsub(pub->q, mpone, qm1); + + // find a k that has an inverse mod q + while(1){ + mprand(qlen, genrandom, k); + if((mpcmp(mpone, k) > 0) || (mpcmp(k, pub->q) >= 0)) + continue; + mpextendedgcd(k, q, r, kinv, s); + if(mpcmp(r, mpone) != 0) + sysfatal("dsasign: pub->q not prime"); + break; + } + + // make kinv positive + mpmod(kinv, pub->q, kinv); + + // r = ((alpha**k) mod p) mod q + mpexp(alpha, k, p, r); + mpmod(r, q, r); + + // s = (kinv*(m + ar)) mod q + mpmul(r, priv->secret, s); + mpadd(s, m, s); + mpmul(s, kinv, s); + mpmod(s, q, s); + + sig = dsasigalloc(); + sig->r = r; + sig->s = s; + mpfree(qm1); + mpfree(k); + mpfree(kinv); + return sig; +} diff --git a/sys/src/libsec/port/dsaverify.c b/sys/src/libsec/port/dsaverify.c new file mode 100755 index 000000000..70e7f3cb8 --- /dev/null +++ b/sys/src/libsec/port/dsaverify.c @@ -0,0 +1,46 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +int +dsaverify(DSApub *pub, DSAsig *sig, mpint *m) +{ + int rv = -1; + mpint *u1, *u2, *v, *sinv; + + if(mpcmp(sig->r, mpone) < 0 || mpcmp(sig->r, pub->q) >= 0) + return rv; + if(mpcmp(sig->s, mpone) < 0 || mpcmp(sig->s, pub->q) >= 0) + return rv; + u1 = mpnew(0); + u2 = mpnew(0); + v = mpnew(0); + sinv = mpnew(0); + + // find (s**-1) mod q, make sure it exists + mpextendedgcd(sig->s, pub->q, u1, sinv, v); + if(mpcmp(u1, mpone) != 0) + goto out; + + // u1 = (sinv * m) mod q, u2 = (r * sinv) mod q + mpmul(sinv, m, u1); + mpmod(u1, pub->q, u1); + mpmul(sig->r, sinv, u2); + mpmod(u2, pub->q, u2); + + // v = (((alpha**u1)*(key**u2)) mod p) mod q + mpexp(pub->alpha, u1, pub->p, sinv); + mpexp(pub->key, u2, pub->p, v); + mpmul(sinv, v, v); + mpmod(v, pub->p, v); + mpmod(v, pub->q, v); + + if(mpcmp(v, sig->r) == 0) + rv = 0; +out: + mpfree(v); + mpfree(u1); + mpfree(u2); + mpfree(sinv); + return rv; +} diff --git a/sys/src/libsec/port/egalloc.c b/sys/src/libsec/port/egalloc.c new file mode 100755 index 000000000..3f0753da8 --- /dev/null +++ b/sys/src/libsec/port/egalloc.c @@ -0,0 +1,70 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +EGpub* +egpuballoc(void) +{ + EGpub *eg; + + eg = mallocz(sizeof(*eg), 1); + if(eg == nil) + sysfatal("egpuballoc"); + return eg; +} + +void +egpubfree(EGpub *eg) +{ + if(eg == nil) + return; + mpfree(eg->p); + mpfree(eg->alpha); + mpfree(eg->key); + free(eg); +} + + +EGpriv* +egprivalloc(void) +{ + EGpriv *eg; + + eg = mallocz(sizeof(*eg), 1); + if(eg == nil) + sysfatal("egprivalloc"); + return eg; +} + +void +egprivfree(EGpriv *eg) +{ + if(eg == nil) + return; + mpfree(eg->pub.p); + mpfree(eg->pub.alpha); + mpfree(eg->pub.key); + mpfree(eg->secret); + free(eg); +} + +EGsig* +egsigalloc(void) +{ + EGsig *eg; + + eg = mallocz(sizeof(*eg), 1); + if(eg == nil) + sysfatal("egsigalloc"); + return eg; +} + +void +egsigfree(EGsig *eg) +{ + if(eg == nil) + return; + mpfree(eg->r); + mpfree(eg->s); + free(eg); +} diff --git a/sys/src/libsec/port/egdecrypt.c b/sys/src/libsec/port/egdecrypt.c new file mode 100755 index 000000000..245788006 --- /dev/null +++ b/sys/src/libsec/port/egdecrypt.c @@ -0,0 +1,28 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +mpint* +egdecrypt(EGpriv *priv, mpint *in, mpint *out) +{ + EGpub *pub = &priv->pub; + mpint *gamma, *delta; + mpint *p = pub->p; + int plen = mpsignif(p)+1; + int shift = ((plen+Dbits-1)/Dbits)*Dbits; + + if(out == nil) + out = mpnew(0); + gamma = mpnew(0); + delta = mpnew(0); + mpright(in, shift, gamma); + mpleft(gamma, shift, delta); + mpsub(in, delta, delta); + mpexp(gamma, priv->secret, p, out); + mpinvert(out, p, gamma); + mpmul(gamma, delta, out); + mpmod(out, p, out); + mpfree(gamma); + mpfree(delta); + return out; +} diff --git a/sys/src/libsec/port/egencrypt.c b/sys/src/libsec/port/egencrypt.c new file mode 100755 index 000000000..9b6b12c6c --- /dev/null +++ b/sys/src/libsec/port/egencrypt.c @@ -0,0 +1,38 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +mpint* +egencrypt(EGpub *pub, mpint *in, mpint *out) +{ + mpint *m, *k, *gamma, *delta, *pm1; + mpint *p = pub->p, *alpha = pub->alpha; + int plen = mpsignif(p); + int shift = ((plen+Dbits)/Dbits)*Dbits; + // in libcrypt version, (int)(LENGTH(pub->p)*sizeof(NumType)*CHARBITS); + + if(out == nil) + out = mpnew(0); + pm1 = mpnew(0); + m = mpnew(0); + gamma = mpnew(0); + delta = mpnew(0); + mpmod(in, p, m); + while(1){ + k = mprand(plen, genrandom, nil); + if((mpcmp(mpone, k) <= 0) && (mpcmp(k, pm1) < 0)) + break; + } + mpexp(alpha, k, p, gamma); + mpexp(pub->key, k, p, delta); + mpmul(m, delta, delta); + mpmod(delta, p, delta); + mpleft(gamma, shift, out); + mpadd(delta, out, out); + mpfree(pm1); + mpfree(m); + mpfree(k); + mpfree(gamma); + mpfree(delta); + return out; +} diff --git a/sys/src/libsec/port/eggen.c b/sys/src/libsec/port/eggen.c new file mode 100755 index 000000000..9ea7d9988 --- /dev/null +++ b/sys/src/libsec/port/eggen.c @@ -0,0 +1,21 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +EGpriv* +eggen(int nlen, int rounds) +{ + EGpub *pub; + EGpriv *priv; + + priv = egprivalloc(); + pub = &priv->pub; + pub->p = mpnew(0); + pub->alpha = mpnew(0); + pub->key = mpnew(0); + priv->secret = mpnew(0); + gensafeprime(pub->p, pub->alpha, nlen, rounds); + mprand(nlen-1, genrandom, priv->secret); + mpexp(pub->alpha, priv->secret, pub->p, pub->key); + return priv; +} diff --git a/sys/src/libsec/port/egprivtopub.c b/sys/src/libsec/port/egprivtopub.c new file mode 100755 index 000000000..e22c5c311 --- /dev/null +++ b/sys/src/libsec/port/egprivtopub.c @@ -0,0 +1,17 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +EGpub* +egprivtopub(EGpriv *priv) +{ + EGpub *pub; + + pub = egpuballoc(); + if(pub == nil) + return nil; + pub->p = mpcopy(priv->pub.p); + pub->alpha = mpcopy(priv->pub.alpha); + pub->key = mpcopy(priv->pub.key); + return pub; +} diff --git a/sys/src/libsec/port/egsign.c b/sys/src/libsec/port/egsign.c new file mode 100755 index 000000000..10540041c --- /dev/null +++ b/sys/src/libsec/port/egsign.c @@ -0,0 +1,43 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +EGsig* +egsign(EGpriv *priv, mpint *m) +{ + EGpub *pub = &priv->pub; + EGsig *sig; + mpint *pm1, *k, *kinv, *r, *s; + mpint *p = pub->p, *alpha = pub->alpha; + int plen = mpsignif(p); + + pm1 = mpnew(0); + kinv = mpnew(0); + r = mpnew(0); + s = mpnew(0); + k = mpnew(0); + mpsub(p, mpone, pm1); + while(1){ + mprand(plen, genrandom, k); + if((mpcmp(mpone, k) > 0) || (mpcmp(k, pm1) >= 0)) + continue; + mpextendedgcd(k, pm1, r, kinv, s); + if(mpcmp(r, mpone) != 0) + continue; + break; + } + mpmod(kinv, pm1, kinv); // make kinv positive + mpexp(alpha, k, p, r); + mpmul(priv->secret, r, s); + mpmod(s, pm1, s); + mpsub(m, s, s); + mpmul(kinv, s, s); + mpmod(s, pm1, s); + sig = egsigalloc(); + sig->r = r; + sig->s = s; + mpfree(pm1); + mpfree(k); + mpfree(kinv); + return sig; +} diff --git a/sys/src/libsec/port/egtest.c b/sys/src/libsec/port/egtest.c new file mode 100755 index 000000000..41b438dcf --- /dev/null +++ b/sys/src/libsec/port/egtest.c @@ -0,0 +1,34 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +void +main(void) +{ + EGpriv *sk; + mpint *m, *gamma, *delta, *in, *out; + int plen, shift; + + fmtinstall('B', mpconv); + + sk = egprivalloc(); + sk->pub.p = uitomp(2357, nil); + sk->pub.alpha = uitomp(2, nil); + sk->pub.key = uitomp(1185, nil); + sk->secret = uitomp(1751, nil); + + m = uitomp(2035, nil); + + plen = mpsignif(sk->pub.p)+1; + shift = ((plen+Dbits-1)/Dbits)*Dbits; + gamma = uitomp(1430, nil); + delta = uitomp(697, nil); + out = mpnew(0); + in = mpnew(0); + mpleft(gamma, shift, in); + mpadd(delta, in, in); + egdecrypt(sk, in, out); + + if(mpcmp(m, out) != 0) + print("decrypt failed to recover message\n"); +} diff --git a/sys/src/libsec/port/egverify.c b/sys/src/libsec/port/egverify.c new file mode 100755 index 000000000..29a95156c --- /dev/null +++ b/sys/src/libsec/port/egverify.c @@ -0,0 +1,29 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +int +egverify(EGpub *pub, EGsig *sig, mpint *m) +{ + mpint *p = pub->p, *alpha = pub->alpha; + mpint *r = sig->r, *s = sig->s; + mpint *v1, *v2, *rs; + int rv = -1; + + if(mpcmp(r, mpone) < 0 || mpcmp(r, p) >= 0) + return rv; + v1 = mpnew(0); + rs = mpnew(0); + v2 = mpnew(0); + mpexp(pub->key, r, p, v1); + mpexp(r, s, p, rs); + mpmul(v1, rs, v1); + mpmod(v1, p, v1); + mpexp(alpha, m, p, v2); + if(mpcmp(v1, v2) == 0) + rv = 0; + mpfree(v1); + mpfree(rs); + mpfree(v2); + return rv; +} diff --git a/sys/src/libsec/port/fastrand.c b/sys/src/libsec/port/fastrand.c new file mode 100755 index 000000000..145712774 --- /dev/null +++ b/sys/src/libsec/port/fastrand.c @@ -0,0 +1,16 @@ +#include <u.h> +#include <libc.h> +#include <libsec.h> + +/* + * use the X917 random number generator to create random + * numbers (faster than truerand() but not as random). + */ +ulong +fastrand(void) +{ + ulong x; + + genrandom((uchar*)&x, sizeof x); + return x; +} diff --git a/sys/src/libsec/port/genprime.c b/sys/src/libsec/port/genprime.c new file mode 100755 index 000000000..c0e16d92b --- /dev/null +++ b/sys/src/libsec/port/genprime.c @@ -0,0 +1,27 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// generate a probable prime. accuracy is the miller-rabin interations +void +genprime(mpint *p, int n, int accuracy) +{ + mpdigit x; + + // generate n random bits with high and low bits set + mpbits(p, n); + genrandom((uchar*)p->p, (n+7)/8); + p->top = (n+Dbits-1)/Dbits; + x = 1; + x <<= ((n-1)%Dbits); + p->p[p->top-1] &= (x-1); + p->p[p->top-1] |= x; + p->p[0] |= 1; + + // keep icrementing till it looks prime + for(;;){ + if(probably_prime(p, accuracy)) + break; + mpadd(p, mptwo, p); + } +} diff --git a/sys/src/libsec/port/genrandom.c b/sys/src/libsec/port/genrandom.c new file mode 100755 index 000000000..2cbaeb8c4 --- /dev/null +++ b/sys/src/libsec/port/genrandom.c @@ -0,0 +1,62 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +typedef struct State{ + QLock lock; + int seeded; + uvlong seed; + DES3state des3; +} State; +static State x917state; + +static void +X917(uchar *rand, int nrand) +{ + int i, m, n8; + uvlong I, x; + + /* 1. Compute intermediate value I = Ek(time). */ + I = nsec(); + triple_block_cipher(x917state.des3.expanded, (uchar*)&I, 0); /* two-key EDE */ + + /* 2. x[i] = Ek(I^seed); seed = Ek(x[i]^I); */ + m = (nrand+7)/8; + for(i=0; i<m; i++){ + x = I ^ x917state.seed; + triple_block_cipher(x917state.des3.expanded, (uchar*)&x, 0); + n8 = (nrand>8) ? 8 : nrand; + memcpy(rand, (uchar*)&x, n8); + rand += 8; + nrand -= 8; + x ^= I; + triple_block_cipher(x917state.des3.expanded, (uchar*)&x, 0); + x917state.seed = x; + } +} + +static void +X917init(void) +{ + int n; + uchar mix[128]; + uchar key3[3][8]; + ulong *ulp; + + ulp = (ulong*)key3; + for(n = 0; n < sizeof(key3)/sizeof(ulong); n++) + ulp[n] = truerand(); + setupDES3state(&x917state.des3, key3, nil); + X917(mix, sizeof mix); + x917state.seeded = 1; +} + +void +genrandom(uchar *p, int n) +{ + qlock(&x917state.lock); + if(x917state.seeded == 0) + X917init(); + X917(p, n); + qunlock(&x917state.lock); +} diff --git a/sys/src/libsec/port/gensafeprime.c b/sys/src/libsec/port/gensafeprime.c new file mode 100755 index 000000000..e95c94c99 --- /dev/null +++ b/sys/src/libsec/port/gensafeprime.c @@ -0,0 +1,36 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// find a prime p of length n and a generator alpha of Z^*_p +// Alg 4.86 Menezes et al () Handbook, p.164 +void +gensafeprime(mpint *p, mpint *alpha, int n, int accuracy) +{ + mpint *q, *b; + + q = mpnew(n-1); + while(1){ + genprime(q, n-1, accuracy); + mpleft(q, 1, p); + mpadd(p, mpone, p); // p = 2*q+1 + if(probably_prime(p, accuracy)) + break; + } + // now find a generator alpha of the multiplicative + // group Z*_p of order p-1=2q + b = mpnew(0); + while(1){ + mprand(n, genrandom, alpha); + mpmod(alpha, p, alpha); + mpmul(alpha, alpha, b); + mpmod(b, p, b); + if(mpcmp(b, mpone) == 0) + continue; + mpexp(alpha, q, p, b); + if(mpcmp(b, mpone) != 0) + break; + } + mpfree(b); + mpfree(q); +} diff --git a/sys/src/libsec/port/genstrongprime.c b/sys/src/libsec/port/genstrongprime.c new file mode 100755 index 000000000..27c43a966 --- /dev/null +++ b/sys/src/libsec/port/genstrongprime.c @@ -0,0 +1,57 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// Gordon's algorithm for generating a strong prime +// Menezes et al () Handbook, p.150 +void +genstrongprime(mpint *p, int n, int accuracy) +{ + mpint *s, *t, *r, *i; + + if(n < 64) + n = 64; + + s = mpnew(n/2); + genprime(s, (n/2)-16, accuracy); + t = mpnew(n/2); + genprime(t, n-mpsignif(s)-32, accuracy); + + // first r = 2it + 1 that's prime + i = mpnew(16); + r = mpnew(0); + itomp(0x8000, i); + mpleft(t, 1, t); // 2t + mpmul(i, t, r); // 2it + mpadd(r, mpone, r); // 2it + 1 + for(;;){ + if(probably_prime(r, 18)) + break; + mpadd(r, t, r); // r += 2t + } + + // p0 = 2(s**(r-2) mod r)s - 1 + itomp(2, p); + mpsub(r, p, p); + mpexp(s, p, r, p); + mpmul(s, p, p); + mpleft(p, 1, p); + mpsub(p, mpone, p); + + // first p = p0 + 2irs that's prime + itomp(0x8000, i); + mpleft(r, 1, r); // 2r + mpmul(r, s, r); // 2rs + mpmul(r, i, i); // 2irs + mpadd(p, i, p); // p0 + 2irs + for(;;){ + if(probably_prime(p, accuracy)) + break; + mpadd(p, r, p); // p += 2rs + } + + mpfree(i); + mpfree(s); + mpfree(r); + mpfree(t); +} diff --git a/sys/src/libsec/port/hmac.c b/sys/src/libsec/port/hmac.c new file mode 100755 index 000000000..aa2fa03f6 --- /dev/null +++ b/sys/src/libsec/port/hmac.c @@ -0,0 +1,41 @@ +#include "os.h" +#include <libsec.h> + +/* rfc2104 */ +DigestState* +hmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DigestState *s, + DigestState*(*x)(uchar*, ulong, uchar*, DigestState*), int xlen) +{ + int i; + uchar pad[Hmacblksz+1], innerdigest[256]; + + if(xlen > sizeof(innerdigest)) + return nil; + if(klen > Hmacblksz) + return nil; + + /* first time through */ + if(s == nil || s->seeded == 0){ + memset(pad, 0x36, Hmacblksz); + pad[Hmacblksz] = 0; + for(i = 0; i < klen; i++) + pad[i] ^= key[i]; + s = (*x)(pad, Hmacblksz, nil, s); + if(s == nil) + return nil; + } + + s = (*x)(p, len, nil, s); + if(digest == nil) + return s; + + /* last time through */ + memset(pad, 0x5c, Hmacblksz); + pad[Hmacblksz] = 0; + for(i = 0; i < klen; i++) + pad[i] ^= key[i]; + (*x)(nil, 0, innerdigest, s); + s = (*x)(pad, Hmacblksz, nil, nil); + (*x)(innerdigest, xlen, digest, s); + return nil; +} diff --git a/sys/src/libsec/port/hmactest.c b/sys/src/libsec/port/hmactest.c new file mode 100755 index 000000000..8c7d896dd --- /dev/null +++ b/sys/src/libsec/port/hmactest.c @@ -0,0 +1,19 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +uchar key[] = "Jefe"; +uchar data[] = "what do ya want for nothing?"; + +void +main(void) +{ + int i; + uchar hash[MD5dlen]; + + hmac_md5(data, strlen((char*)data), key, 4, hash, nil); + for(i=0; i<MD5dlen; i++) + print("%2.2x", hash[i]); + print("\n"); + print("750c783e6ab0b503eaa86e310a5db738\n"); +} diff --git a/sys/src/libsec/port/md4.c b/sys/src/libsec/port/md4.c new file mode 100755 index 000000000..c4a2f32d2 --- /dev/null +++ b/sys/src/libsec/port/md4.c @@ -0,0 +1,271 @@ +#include "os.h" +#include <libsec.h> + +/* + * This MD4 is implemented from the description in Stinson's Cryptography, + * theory and practice. -- presotto + */ + +/* + * Rotate ammounts used in the algorithm + */ +enum +{ + S11= 3, + S12= 7, + S13= 11, + S14= 19, + + S21= 3, + S22= 5, + S23= 9, + S24= 13, + + S31= 3, + S32= 9, + S33= 11, + S34= 15, +}; + +typedef struct MD4Table MD4Table; +struct MD4Table +{ + uchar x; /* index into data block */ + uchar rot; /* amount to rotate left by */ +}; + +static MD4Table tab[] = +{ + /* round 1 */ +/*[0]*/ { 0, S11}, + { 1, S12}, + { 2, S13}, + { 3, S14}, + { 4, S11}, + { 5, S12}, + { 6, S13}, + { 7, S14}, + { 8, S11}, + { 9, S12}, + { 10, S13}, + { 11, S14}, + { 12, S11}, + { 13, S12}, + { 14, S13}, + { 15, S14}, + + /* round 2 */ +/*[16]*/{ 0, S21}, + { 4, S22}, + { 8, S23}, + { 12, S24}, + { 1, S21}, + { 5, S22}, + { 9, S23}, + { 13, S24}, + { 2, S21}, + { 6, S22}, + { 10, S23}, + { 14, S24}, + { 3, S21}, + { 7, S22}, + { 11, S23}, + { 15, S24}, + + /* round 3 */ +/*[32]*/{ 0, S31}, + { 8, S32}, + { 4, S33}, + { 12, S34}, + { 2, S31}, + { 10, S32}, + { 6, S33}, + { 14, S34}, + { 1, S31}, + { 9, S32}, + { 5, S33}, + { 13, S34}, + { 3, S31}, + { 11, S32}, + { 7, S33}, + { 15, S34}, +}; + +static void encode(uchar*, u32int*, ulong); +static void decode(u32int*, uchar*, ulong); + +static void +md4block(uchar *p, ulong len, MD4state *s) +{ + int i; + u32int a, b, c, d, tmp; + MD4Table *t; + uchar *end; + u32int x[16]; + + for(end = p+len; p < end; p += 64){ + a = s->state[0]; + b = s->state[1]; + c = s->state[2]; + d = s->state[3]; + + decode(x, p, 64); + + for(i = 0; i < 48; i++){ + t = tab + i; + switch(i>>4){ + case 0: + a += (b & c) | (~b & d); + break; + case 1: + a += ((b & c) | (b & d) | (c & d)) + 0x5A827999; + break; + case 2: + a += (b ^ c ^ d) + 0x6ED9EBA1; + break; + } + a += x[t->x]; + a = (a << t->rot) | (a >> (32 - t->rot)); + + /* rotate variables */ + tmp = d; + d = c; + c = b; + b = a; + a = tmp; + } + + s->state[0] += a; + s->state[1] += b; + s->state[2] += c; + s->state[3] += d; + + s->len += 64; + } +} + +MD4state* +md4(uchar *p, ulong len, uchar *digest, MD4state *s) +{ + u32int x[16]; + uchar buf[128]; + int i; + uchar *e; + + if(s == nil){ + s = malloc(sizeof(*s)); + if(s == nil) + return nil; + memset(s, 0, sizeof(*s)); + s->malloced = 1; + } + + if(s->seeded == 0){ + /* seed the state, these constants would look nicer big-endian */ + s->state[0] = 0x67452301; + s->state[1] = 0xefcdab89; + s->state[2] = 0x98badcfe; + s->state[3] = 0x10325476; + s->seeded = 1; + } + + /* fill out the partial 64 byte block from previous calls */ + if(s->blen){ + i = 64 - s->blen; + if(len < i) + i = len; + memmove(s->buf + s->blen, p, i); + len -= i; + s->blen += i; + p += i; + if(s->blen == 64){ + md4block(s->buf, s->blen, s); + s->blen = 0; + } + } + + /* do 64 byte blocks */ + i = len & ~0x3f; + if(i){ + md4block(p, i, s); + len -= i; + p += i; + } + + /* save the left overs if not last call */ + if(digest == 0){ + if(len){ + memmove(s->buf, p, len); + s->blen += len; + } + return s; + } + + /* + * this is the last time through, pad what's left with 0x80, + * 0's, and the input count to create a multiple of 64 bytes + */ + if(s->blen){ + p = s->buf; + len = s->blen; + } else { + memmove(buf, p, len); + p = buf; + } + s->len += len; + e = p + len; + if(len < 56) + i = 56 - len; + else + i = 120 - len; + memset(e, 0, i); + *e = 0x80; + len += i; + + /* append the count */ + x[0] = s->len<<3; + x[1] = s->len>>29; + encode(p+len, x, 8); + + /* digest the last part */ + md4block(p, len+8, s); + + /* return result and free state */ + encode(digest, s->state, MD4dlen); + if(s->malloced == 1) + free(s); + return nil; +} + +/* + * encodes input (u32int) into output (uchar). Assumes len is + * a multiple of 4. + */ +static void +encode(uchar *output, u32int *input, ulong len) +{ + u32int x; + uchar *e; + + for(e = output + len; output < e;) { + x = *input++; + *output++ = x; + *output++ = x >> 8; + *output++ = x >> 16; + *output++ = x >> 24; + } +} + +/* + * decodes input (uchar) into output (u32int). Assumes len is + * a multiple of 4. + */ +static void +decode(u32int *output, uchar *input, ulong len) +{ + uchar *e; + + for(e = input+len; input < e; input += 4) + *output++ = input[0] | (input[1] << 8) | + (input[2] << 16) | (input[3] << 24); +} diff --git a/sys/src/libsec/port/md4test.c b/sys/src/libsec/port/md4test.c new file mode 100755 index 000000000..417cb3330 --- /dev/null +++ b/sys/src/libsec/port/md4test.c @@ -0,0 +1,31 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +char *tests[] = { + "", + "a", + "abc", + "message digest", + "abcdefghijklmnopqrstuvwxyz", + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", + "12345678901234567890123456789012345678901234567890123456789012345678901234567890", + 0 +}; + +void +main(void) +{ + char **pp; + uchar *p; + int i; + uchar digest[MD5dlen]; + + for(pp = tests; *pp; pp++){ + p = (uchar*)*pp; + md4(p, strlen(*pp), digest, 0); + for(i = 0; i < MD5dlen; i++) + print("%2.2ux", digest[i]); + print("\n"); + } +} diff --git a/sys/src/libsec/port/md5.c b/sys/src/libsec/port/md5.c new file mode 100755 index 000000000..e4cafb924 --- /dev/null +++ b/sys/src/libsec/port/md5.c @@ -0,0 +1,154 @@ +#include "os.h" +#include <libsec.h> + +/* + * rfc1321 requires that I include this. The code is new. The constants + * all come from the rfc (hence the copyright). We trade a table for the + * macros in rfc. The total size is a lot less. -- presotto + * + * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + * rights reserved. + * + * License to copy and use this software is granted provided that it + * is identified as the "RSA Data Security, Inc. MD5 Message-Digest + * Algorithm" in all material mentioning or referencing this software + * or this function. + * + * License is also granted to make and use derivative works provided + * that such works are identified as "derived from the RSA Data + * Security, Inc. MD5 Message-Digest Algorithm" in all material + * mentioning or referencing the derived work. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software forany particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * These notices must be retained in any copies of any part of this + * documentation and/or software. + */ + +static void encode(uchar*, u32int*, ulong); + +extern void _md5block(uchar*, ulong, u32int*); + +MD5state* +md5(uchar *p, ulong len, uchar *digest, MD5state *s) +{ + u32int x[16]; + uchar buf[128]; + int i; + uchar *e; + + if(s == nil){ + s = malloc(sizeof(*s)); + if(s == nil) + return nil; + memset(s, 0, sizeof(*s)); + s->malloced = 1; + } + + if(s->seeded == 0){ + /* seed the state, these constants would look nicer big-endian */ + s->state[0] = 0x67452301; + s->state[1] = 0xefcdab89; + s->state[2] = 0x98badcfe; + s->state[3] = 0x10325476; + s->seeded = 1; + } + + /* fill out the partial 64 byte block from previous calls */ + if(s->blen){ + i = 64 - s->blen; + if(len < i) + i = len; + memmove(s->buf + s->blen, p, i); + len -= i; + s->blen += i; + p += i; + if(s->blen == 64){ + _md5block(s->buf, s->blen, s->state); + s->len += s->blen; + s->blen = 0; + } + } + + /* do 64 byte blocks */ + i = len & ~0x3f; + if(i){ + _md5block(p, i, s->state); + s->len += i; + len -= i; + p += i; + } + + /* save the left overs if not last call */ + if(digest == 0){ + if(len){ + memmove(s->buf, p, len); + s->blen += len; + } + return s; + } + + /* + * this is the last time through, pad what's left with 0x80, + * 0's, and the input count to create a multiple of 64 bytes + */ + if(s->blen){ + p = s->buf; + len = s->blen; + } else { + memmove(buf, p, len); + p = buf; + } + s->len += len; + e = p + len; + if(len < 56) + i = 56 - len; + else + i = 120 - len; + memset(e, 0, i); + *e = 0x80; + len += i; + + /* append the count */ + x[0] = s->len<<3; + x[1] = s->len>>29; + encode(p+len, x, 8); + + /* digest the last part */ + _md5block(p, len+8, s->state); + s->len += len; + + /* return result and free state */ + encode(digest, s->state, MD5dlen); + if(s->malloced == 1) + free(s); + return nil; +} + +/* + * encodes input (u32int) into output (uchar). Assumes len is + * a multiple of 4. + */ +static void +encode(uchar *output, u32int *input, ulong len) +{ + u32int x; + uchar *e; + + for(e = output + len; output < e;) { + x = *input++; + *output++ = x; + *output++ = x >> 8; + *output++ = x >> 16; + *output++ = x >> 24; + } +} + +DigestState* +hmac_md5(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, + DigestState *s) +{ + return hmac_x(p, len, key, klen, digest, s, md5, MD5dlen); +} diff --git a/sys/src/libsec/port/md5block.c b/sys/src/libsec/port/md5block.c new file mode 100755 index 000000000..07fe22379 --- /dev/null +++ b/sys/src/libsec/port/md5block.c @@ -0,0 +1,267 @@ +#include "os.h" +#include <libsec.h> + +/* + * rfc1321 requires that I include this. The code is new. The constants + * all come from the rfc (hence the copyright). We trade a table for the + * macros in rfc. The total size is a lot less. -- presotto + * + * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + * rights reserved. + * + * License to copy and use this software is granted provided that it + * is identified as the "RSA Data Security, Inc. MD5 Message-Digest + * Algorithm" in all material mentioning or referencing this software + * or this function. + * + * License is also granted to make and use derivative works provided + * that such works are identified as "derived from the RSA Data + * Security, Inc. MD5 Message-Digest Algorithm" in all material + * mentioning or referencing the derived work. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software forany particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * These notices must be retained in any copies of any part of this + * documentation and/or software. + */ + +/* + * Rotate ammounts used in the algorithm + */ +enum +{ + S11= 7, + S12= 12, + S13= 17, + S14= 22, + + S21= 5, + S22= 9, + S23= 14, + S24= 20, + + S31= 4, + S32= 11, + S33= 16, + S34= 23, + + S41= 6, + S42= 10, + S43= 15, + S44= 21, +}; + +static u32int md5tab[] = +{ + /* round 1 */ +/*[0]*/ 0xd76aa478, + 0xe8c7b756, + 0x242070db, + 0xc1bdceee, + 0xf57c0faf, + 0x4787c62a, + 0xa8304613, + 0xfd469501, + 0x698098d8, + 0x8b44f7af, + 0xffff5bb1, + 0x895cd7be, + 0x6b901122, + 0xfd987193, + 0xa679438e, + 0x49b40821, + + /* round 2 */ +/*[16]*/0xf61e2562, + 0xc040b340, + 0x265e5a51, + 0xe9b6c7aa, + 0xd62f105d, + 0x2441453, + 0xd8a1e681, + 0xe7d3fbc8, + 0x21e1cde6, + 0xc33707d6, + 0xf4d50d87, + 0x455a14ed, + 0xa9e3e905, + 0xfcefa3f8, + 0x676f02d9, + 0x8d2a4c8a, + + /* round 3 */ +/*[32]*/0xfffa3942, + 0x8771f681, + 0x6d9d6122, + 0xfde5380c, + 0xa4beea44, + 0x4bdecfa9, + 0xf6bb4b60, + 0xbebfbc70, + 0x289b7ec6, + 0xeaa127fa, + 0xd4ef3085, + 0x4881d05, + 0xd9d4d039, + 0xe6db99e5, + 0x1fa27cf8, + 0xc4ac5665, + + /* round 4 */ +/*[48]*/0xf4292244, + 0x432aff97, + 0xab9423a7, + 0xfc93a039, + 0x655b59c3, + 0x8f0ccc92, + 0xffeff47d, + 0x85845dd1, + 0x6fa87e4f, + 0xfe2ce6e0, + 0xa3014314, + 0x4e0811a1, + 0xf7537e82, + 0xbd3af235, + 0x2ad7d2bb, + 0xeb86d391, +}; + +static void decode(u32int*, uchar*, ulong); +extern void _md5block(uchar *p, ulong len, u32int *s); + +void +_md5block(uchar *p, ulong len, u32int *s) +{ + u32int a, b, c, d, sh; + u32int *t; + uchar *end; + u32int x[16]; + + for(end = p+len; p < end; p += 64){ + a = s[0]; + b = s[1]; + c = s[2]; + d = s[3]; + + decode(x, p, 64); + + t = md5tab; + sh = 0; + for(; sh != 16; t += 4){ + a += ((c ^ d) & b) ^ d; + a += x[sh] + t[0]; + a = (a << S11) | (a >> (32 - S11)); + a += b; + + d += ((b ^ c) & a) ^ c; + d += x[sh + 1] + t[1]; + d = (d << S12) | (d >> (32 - S12)); + d += a; + + c += ((a ^ b) & d) ^ b; + c += x[sh + 2] + t[2]; + c = (c << S13) | (c >> (32 - S13)); + c += d; + + b += ((d ^ a) & c) ^ a; + b += x[sh + 3] + t[3]; + b = (b << S14) | (b >> (32 - S14)); + b += c; + + sh += 4; + } + sh = 1; + for(; sh != 1+20*4; t += 4){ + a += ((b ^ c) & d) ^ c; + a += x[sh & 0xf] + t[0]; + a = (a << S21) | (a >> (32 - S21)); + a += b; + + d += ((a ^ b) & c) ^ b; + d += x[(sh + 5) & 0xf] + t[1]; + d = (d << S22) | (d >> (32 - S22)); + d += a; + + c += ((d ^ a) & b) ^ a; + c += x[(sh + 10) & 0xf] + t[2]; + c = (c << S23) | (c >> (32 - S23)); + c += d; + + b += ((c ^ d) & a) ^ d; + b += x[(sh + 15) & 0xf] + t[3]; + b = (b << S24) | (b >> (32 - S24)); + b += c; + + sh += 20; + } + sh = 5; + for(; sh != 5+12*4; t += 4){ + a += b ^ c ^ d; + a += x[sh & 0xf] + t[0]; + a = (a << S31) | (a >> (32 - S31)); + a += b; + + d += a ^ b ^ c; + d += x[(sh + 3) & 0xf] + t[1]; + d = (d << S32) | (d >> (32 - S32)); + d += a; + + c += d ^ a ^ b; + c += x[(sh + 6) & 0xf] + t[2]; + c = (c << S33) | (c >> (32 - S33)); + c += d; + + b += c ^ d ^ a; + b += x[(sh + 9) & 0xf] + t[3]; + b = (b << S34) | (b >> (32 - S34)); + b += c; + + sh += 12; + } + sh = 0; + for(; sh != 28*4; t += 4){ + a += c ^ (b | ~d); + a += x[sh & 0xf] + t[0]; + a = (a << S41) | (a >> (32 - S41)); + a += b; + + d += b ^ (a | ~c); + d += x[(sh + 7) & 0xf] + t[1]; + d = (d << S42) | (d >> (32 - S42)); + d += a; + + c += a ^ (d | ~b); + c += x[(sh + 14) & 0xf] + t[2]; + c = (c << S43) | (c >> (32 - S43)); + c += d; + + b += d ^ (c | ~a); + b += x[(sh + 21) & 0xf] + t[3]; + b = (b << S44) | (b >> (32 - S44)); + b += c; + + sh += 28; + } + + s[0] += a; + s[1] += b; + s[2] += c; + s[3] += d; + } +} + +/* + * decodes input (uchar) into output (u32int). Assumes len is + * a multiple of 4. + */ +static void +decode(u32int *output, uchar *input, ulong len) +{ + uchar *e; + + for(e = input+len; input < e; input += 4) + *output++ = input[0] | (input[1] << 8) | + (input[2] << 16) | (input[3] << 24); +} diff --git a/sys/src/libsec/port/md5pickle.c b/sys/src/libsec/port/md5pickle.c new file mode 100755 index 000000000..a3adb51f3 --- /dev/null +++ b/sys/src/libsec/port/md5pickle.c @@ -0,0 +1,39 @@ +#include "os.h" +#include <libsec.h> + +char* +md5pickle(MD5state *s) +{ + char *p; + int m, n; + + m = 17+4*9+4*((s->blen+3)/3 + 1); + p = malloc(m); + if(p == nil) + return p; + n = sprint(p, "%16.16llux %8.8ux %8.8ux %8.8ux %8.8ux ", + s->len, + s->state[0], s->state[1], s->state[2], + s->state[3]); + enc64(p+n, m-n, s->buf, s->blen); + return p; +} + +MD5state* +md5unpickle(char *p) +{ + MD5state *s; + + s = malloc(sizeof(*s)); + if(s == nil) + return nil; + s->len = strtoull(p, &p, 16); + s->state[0] = strtoul(p, &p, 16); + s->state[1] = strtoul(p, &p, 16); + s->state[2] = strtoul(p, &p, 16); + s->state[3] = strtoul(p, &p, 16); + s->blen = dec64(s->buf, sizeof(s->buf), p, strlen(p)); + s->malloced = 1; + s->seeded = 1; + return s; +} diff --git a/sys/src/libsec/port/mkfile b/sys/src/libsec/port/mkfile new file mode 100755 index 000000000..41d1f0c78 --- /dev/null +++ b/sys/src/libsec/port/mkfile @@ -0,0 +1,37 @@ +</$objtype/mkfile + +LIB=/$objtype/lib/libsec.a + +CFILES = des.c desmodes.c desECB.c desCBC.c des3ECB.c des3CBC.c\ + aes.c blowfish.c \ + hmac.c md5.c md5block.c md4.c sha1.c sha1block.c\ + sha2_64.c sha2_128.c sha2block64.c sha2block128.c\ + sha1pickle.c md5pickle.c\ + rc4.c\ + genrandom.c prng.c fastrand.c nfastrand.c\ + probably_prime.c smallprimetest.c genprime.c dsaprimes.c\ + gensafeprime.c genstrongprime.c\ + rsagen.c rsafill.c rsaencrypt.c rsadecrypt.c rsaalloc.c \ + rsaprivtopub.c x509.c decodepem.c \ + eggen.c egencrypt.c egdecrypt.c egalloc.c egprivtopub.c \ + egsign.c egverify.c \ + dsagen.c dsaalloc.c dsaprivtopub.c dsasign.c dsaverify.c \ + tlshand.c thumb.c readcert.c \ + +ALLOFILES=${CFILES:%.c=%.$O} + +# cull things in the per-machine directories from this list +OFILES= `{rc ./reduce $O $objtype $ALLOFILES} + +HFILES=/sys/include/libsec.h + +CFLAGS=$CFLAGS -I../../libmp/port + +UPDATE=mkfile\ + $HFILES\ + $CFILES\ + +</sys/src/cmd/mksyslib + +$O.rsatest: rsatest.$O + $LD -o $target $prereq diff --git a/sys/src/libsec/port/nfastrand.c b/sys/src/libsec/port/nfastrand.c new file mode 100755 index 000000000..3ba77003d --- /dev/null +++ b/sys/src/libsec/port/nfastrand.c @@ -0,0 +1,23 @@ +#include <u.h> +#include <libc.h> +#include <libsec.h> + +#define Maxrand ((1UL<<31)-1) + +ulong +nfastrand(ulong n) +{ + ulong m, r; + + /* + * set m to the maximum multiple of n <= 2^31-1 + * so we want a random number < m. + */ + if(n > Maxrand) + sysfatal("nfastrand: n too large"); + + m = Maxrand - Maxrand % n; + while((r = fastrand()) >= m) + ; + return r%n; +} diff --git a/sys/src/libsec/port/primetest.c b/sys/src/libsec/port/primetest.c new file mode 100755 index 000000000..2d082e64f --- /dev/null +++ b/sys/src/libsec/port/primetest.c @@ -0,0 +1,41 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +void +main(void) +{ + mpint *z = mpnew(0); + mpint *p = mpnew(0); + mpint *q = mpnew(0); + mpint *nine = mpnew(0); + + fmtinstall('B', mpconv); + strtomp("2492491", nil, 16, z); // 38347921 = x*y = (2**28-9)/7, + // an example of 3**(n-1)=1 mod n + strtomp("15662C00E811", nil, 16, p);// 23528569104401, a prime + uitomp(9, nine); + + if(probably_prime(z, 5) == 1) + fprint(2, "tricked primality test\n"); + if(probably_prime(nine, 5) == 1) + fprint(2, "9 passed primality test!\n"); + if(probably_prime(p, 25) == 1) + fprint(2, "ok\n"); + + DSAprimes(q, p, nil); + print("q=%B\np=%B\n", q, p); + + exits(0); +} + +// example output, checked with Maple: +// seed EB7B6E35F7CD37B511D96C67D6688CC4DD440E1E +// q=E0F0EF284E10796C5A2A511E94748BA03C795C13 +// = 1284186945063585093695748280224501481698995297299 +// p=C41CFBE4D4846F67A3DF7DE9921A49D3B42DC33728427AB159CEC8CBBDB12B5F0C244F1A734AEB9840804EA3C25036AD1B61AFF3ABBC247CD4B384224567A863A6F020E7EE9795554BCD08ABAD7321AF27E1E92E3DB1C6E7E94FAAE590AE9C48F96D93D178E809401ABE8A534A1EC44359733475A36A70C7B425125062B1142D +// = 137715385439333164327584575331308277462546592976152006175830654712456008630139443747529133857837818585400418619916530061955288983751958831927807888408309879880101870216437711393638413509484569804814373511469405934988856674935304074081350525593807908358867354528898618574659752879015380013845760006721861915693 +// r=DF310F4E54A5FEC5D86D3E14863921E834113E060F90052AD332B3241CEF2497EFA0303D6344F7C819691A0F9C4A773815AF8EAECFB7EC1D98F039F17A32A7E887D97251A927D093F44A55577F4D70444AEBD06B9B45695EC23962B175F266895C67D21C4656848614D888A4 +// = 107239359478548771267308764204625458348785444483302647285245969203446101233421655396874997253111222983406676955642093641709149748793954493558324738441197139556917622937892491175016280660608595599724194374948056515856812347094848443460715881455884639869144172708 +// g=2F1C308DC46B9A44B52DF7DACCE1208CCEF72F69C743ADD4D2327173444ED6E65E074694246E07F9FD4AE26E0FDDD9F54F813C40CB9BCD4338EA6F242AB94CD410E676C290368A16B1A3594877437E516C53A6EEE5493A038A017E955E218E7819734E3E2A6E0BAE08B14258F8C03CC1B30E0DDADFCF7CEDF0727684D3D255F1 +// = 33081848392740465806285326014906437543653045153885419334085917570615301913274531387168723847139029827598735376746057461417880810924280288611116213062512408829164220104555543445909528701551198146080221790002337033997295756585193926863581671466708482411159477816144226847280417522524922667065714073338662508017 diff --git a/sys/src/libsec/port/prng.c b/sys/src/libsec/port/prng.c new file mode 100755 index 000000000..fc2e508aa --- /dev/null +++ b/sys/src/libsec/port/prng.c @@ -0,0 +1,15 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// +// just use the libc prng to fill a buffer +// +void +prng(uchar *p, int n) +{ + uchar *e; + + for(e = p+n; p < e; p++) + *p = rand(); +} diff --git a/sys/src/libsec/port/probably_prime.c b/sys/src/libsec/port/probably_prime.c new file mode 100755 index 000000000..d9c57d375 --- /dev/null +++ b/sys/src/libsec/port/probably_prime.c @@ -0,0 +1,91 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +/* + * Miller-Rabin probabilistic primality testing + * Knuth (1981) Seminumerical Algorithms, p.379 + * Menezes et al () Handbook, p.39 + * 0 if composite; 1 if almost surely prime, Pr(err)<1/4**nrep + */ +int +probably_prime(mpint *n, int nrep) +{ + int j, k, rep, nbits, isprime; + mpint *nm1, *q, *x, *y, *r; + + if(n->sign < 0) + sysfatal("negative prime candidate"); + + if(nrep <= 0) + nrep = 18; + + k = mptoi(n); + if(k == 2) /* 2 is prime */ + return 1; + if(k < 2) /* 1 is not prime */ + return 0; + if((n->p[0] & 1) == 0) /* even is not prime */ + return 0; + + /* test against small prime numbers */ + if(smallprimetest(n) < 0) + return 0; + + /* fermat test, 2^n mod n == 2 if p is prime */ + x = uitomp(2, nil); + y = mpnew(0); + mpexp(x, n, n, y); + k = mptoi(y); + if(k != 2){ + mpfree(x); + mpfree(y); + return 0; + } + + nbits = mpsignif(n); + nm1 = mpnew(nbits); + mpsub(n, mpone, nm1); /* nm1 = n - 1 */ + k = mplowbits0(nm1); + q = mpnew(0); + mpright(nm1, k, q); /* q = (n-1)/2**k */ + + for(rep = 0; rep < nrep; rep++){ + for(;;){ + /* find x = random in [2, n-2] */ + r = mprand(nbits, prng, nil); + mpmod(r, nm1, x); + mpfree(r); + if(mpcmp(x, mpone) > 0) + break; + } + + /* y = x**q mod n */ + mpexp(x, q, n, y); + + if(mpcmp(y, mpone) == 0 || mpcmp(y, nm1) == 0) + continue; + + for(j = 1;; j++){ + if(j >= k) { + isprime = 0; + goto done; + } + mpmul(y, y, x); + mpmod(x, n, y); /* y = y*y mod n */ + if(mpcmp(y, nm1) == 0) + break; + if(mpcmp(y, mpone) == 0){ + isprime = 0; + goto done; + } + } + } + isprime = 1; +done: + mpfree(y); + mpfree(x); + mpfree(q); + mpfree(nm1); + return isprime; +} diff --git a/sys/src/libsec/port/rc4.c b/sys/src/libsec/port/rc4.c new file mode 100755 index 000000000..beafa4868 --- /dev/null +++ b/sys/src/libsec/port/rc4.c @@ -0,0 +1,104 @@ +#include "os.h" +#include <libsec.h> + +void +setupRC4state(RC4state *key, uchar *start, int n) +{ + int t; + int index2; + uchar *state; + uchar *p, *e, *sp, *se; + + state = key->state; + se = &state[256]; + for(sp = state; sp < se; sp++) + *sp = sp - state; + + key->x = 0; + key->y = 0; + index2 = 0; + e = start + n; + p = start; + for(sp = state; sp < se; sp++) + { + t = *sp; + index2 = (*p + t + index2) & 255; + *sp = state[index2]; + state[index2] = t; + if(++p >= e) + p = start; + } +} + +void +rc4(RC4state *key, uchar *p, int len) +{ + int tx, ty; + int x, y; + uchar *state; + uchar *e; + + x = key->x; + y = key->y; + state = &key->state[0]; + for(e = p + len; p < e; p++) + { + x = (x+1)&255; + tx = state[x]; + y = (y+tx)&255; + ty = state[y]; + state[x] = ty; + state[y] = tx; + *p ^= state[(tx+ty)&255]; + } + key->x = x; + key->y = y; +} + +void +rc4skip(RC4state *key, int len) +{ + int tx, ty; + int x, y; + uchar *state; + int i; + + x = key->x; + y = key->y; + state = &key->state[0]; + for(i=0; i<len; i++) + { + x = (x+1)&255; + tx = state[x]; + y = (y+tx)&255; + ty = state[y]; + state[x] = ty; + state[y] = tx; + } + key->x = x; + key->y = y; +} + +void +rc4back(RC4state *key, int len) +{ + int tx, ty; + int x, y; + uchar *state; + int i; + + x = key->x; + y = key->y; + state = &key->state[0]; + for(i=0; i<len; i++) + { + ty = state[x]; + tx = state[y]; + state[y] = ty; + state[x] = tx; + y = (y-tx)&255; + x = (x-1)&255; + } + key->x = x; + key->y = y; +} diff --git a/sys/src/libsec/port/readcert.c b/sys/src/libsec/port/readcert.c new file mode 100755 index 000000000..6fdb456ea --- /dev/null +++ b/sys/src/libsec/port/readcert.c @@ -0,0 +1,66 @@ +#include <u.h> +#include <libc.h> +#include <auth.h> +#include <mp.h> +#include <libsec.h> + +static char* +readfile(char *name) +{ + int fd; + char *s; + Dir *d; + + fd = open(name, OREAD); + if(fd < 0) + return nil; + if((d = dirfstat(fd)) == nil) { + close(fd); + return nil; + } + s = malloc(d->length + 1); + if(s == nil || readn(fd, s, d->length) != d->length){ + free(s); + free(d); + close(fd); + return nil; + } + close(fd); + s[d->length] = '\0'; + free(d); + return s; +} + +uchar* +readcert(char *filename, int *pcertlen) +{ + char *pem; + uchar *binary; + + pem = readfile(filename); + if(pem == nil){ + werrstr("can't read %s: %r", filename); + return nil; + } + binary = decodePEM(pem, "CERTIFICATE", pcertlen, nil); + free(pem); + if(binary == nil){ + werrstr("can't parse %s", filename); + return nil; + } + return binary; +} + +PEMChain * +readcertchain(char *filename) +{ + char *chfile; + + chfile = readfile(filename); + if (chfile == nil) { + werrstr("can't read %s: %r", filename); + return nil; + } + return decodepemchain(chfile, "CERTIFICATE"); +} + diff --git a/sys/src/libsec/port/reduce b/sys/src/libsec/port/reduce new file mode 100755 index 000000000..a857a28cc --- /dev/null +++ b/sys/src/libsec/port/reduce @@ -0,0 +1,16 @@ +O=$1 +shift +objtype=$1 +shift + +ls -p ../$objtype/*.[cs] >[2]/dev/null | sed 's/..$//' > /tmp/reduce.$pid +# +# if empty directory, just return the input files +# +if (! ~ $status '|') { + echo $* + rm /tmp/reduce.$pid + exit 0 +} +echo $* | tr ' ' \012 | grep -v -f /tmp/reduce.$pid | tr \012 ' ' +rm /tmp/reduce.$pid diff --git a/sys/src/libsec/port/rsaalloc.c b/sys/src/libsec/port/rsaalloc.c new file mode 100755 index 000000000..0caa96d5c --- /dev/null +++ b/sys/src/libsec/port/rsaalloc.c @@ -0,0 +1,52 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +RSApub* +rsapuballoc(void) +{ + RSApub *rsa; + + rsa = mallocz(sizeof(*rsa), 1); + if(rsa == nil) + sysfatal("rsapuballoc"); + return rsa; +} + +void +rsapubfree(RSApub *rsa) +{ + if(rsa == nil) + return; + mpfree(rsa->ek); + mpfree(rsa->n); + free(rsa); +} + + +RSApriv* +rsaprivalloc(void) +{ + RSApriv *rsa; + + rsa = mallocz(sizeof(*rsa), 1); + if(rsa == nil) + sysfatal("rsaprivalloc"); + return rsa; +} + +void +rsaprivfree(RSApriv *rsa) +{ + if(rsa == nil) + return; + mpfree(rsa->pub.ek); + mpfree(rsa->pub.n); + mpfree(rsa->dk); + mpfree(rsa->p); + mpfree(rsa->q); + mpfree(rsa->kp); + mpfree(rsa->kq); + mpfree(rsa->c2); + free(rsa); +} diff --git a/sys/src/libsec/port/rsadecrypt.c b/sys/src/libsec/port/rsadecrypt.c new file mode 100755 index 000000000..1e937bec8 --- /dev/null +++ b/sys/src/libsec/port/rsadecrypt.c @@ -0,0 +1,37 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +// decrypt rsa using garner's algorithm for the chinese remainder theorem +// seminumerical algorithms, knuth, pp 253-254 +// applied cryptography, menezes et al, pg 612 +mpint* +rsadecrypt(RSApriv *rsa, mpint *in, mpint *out) +{ + mpint *v1, *v2; + + if(out == nil) + out = mpnew(0); + + // convert in to modular representation + v1 = mpnew(0); + mpmod(in, rsa->p, v1); + v2 = mpnew(0); + mpmod(in, rsa->q, v2); + + // exponentiate the modular rep + mpexp(v1, rsa->kp, rsa->p, v1); + mpexp(v2, rsa->kq, rsa->q, v2); + + // out = v1 + p*((v2-v1)*c2 mod q) + mpsub(v2, v1, v2); + mpmul(v2, rsa->c2, v2); + mpmod(v2, rsa->q, v2); + mpmul(v2, rsa->p, out); + mpadd(v1, out, out); + + mpfree(v1); + mpfree(v2); + + return out; +} diff --git a/sys/src/libsec/port/rsaencrypt.c b/sys/src/libsec/port/rsaencrypt.c new file mode 100755 index 000000000..ade686dce --- /dev/null +++ b/sys/src/libsec/port/rsaencrypt.c @@ -0,0 +1,12 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +mpint* +rsaencrypt(RSApub *rsa, mpint *in, mpint *out) +{ + if(out == nil) + out = mpnew(0); + mpexp(in, rsa->ek, rsa->n, out); + return out; +} diff --git a/sys/src/libsec/port/rsafill.c b/sys/src/libsec/port/rsafill.c new file mode 100755 index 000000000..f514b073b --- /dev/null +++ b/sys/src/libsec/port/rsafill.c @@ -0,0 +1,61 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +RSApriv* +rsafill(mpint *n, mpint *e, mpint *d, mpint *p, mpint *q) +{ + mpint *c2, *kq, *kp, *x; + RSApriv *rsa; + + // make sure we're not being hoodwinked + if(!probably_prime(p, 10) || !probably_prime(q, 10)){ + werrstr("rsafill: p or q not prime"); + return nil; + } + x = mpnew(0); + mpmul(p, q, x); + if(mpcmp(n, x) != 0){ + werrstr("rsafill: n != p*q"); + mpfree(x); + return nil; + } + c2 = mpnew(0); + mpsub(p, mpone, c2); + mpsub(q, mpone, x); + mpmul(c2, x, x); + mpmul(e, d, c2); + mpmod(c2, x, x); + if(mpcmp(x, mpone) != 0){ + werrstr("rsafill: e*d != 1 mod (p-1)*(q-1)"); + mpfree(x); + mpfree(c2); + return nil; + } + + // compute chinese remainder coefficient + mpinvert(p, q, c2); + + // for crt a**k mod p == (a**(k mod p-1)) mod p + kq = mpnew(0); + kp = mpnew(0); + mpsub(p, mpone, x); + mpmod(d, x, kp); + mpsub(q, mpone, x); + mpmod(d, x, kq); + + rsa = rsaprivalloc(); + rsa->pub.ek = mpcopy(e); + rsa->pub.n = mpcopy(n); + rsa->dk = mpcopy(d); + rsa->kp = kp; + rsa->kq = kq; + rsa->p = mpcopy(p); + rsa->q = mpcopy(q); + rsa->c2 = c2; + + mpfree(x); + + return rsa; +} + diff --git a/sys/src/libsec/port/rsagen.c b/sys/src/libsec/port/rsagen.c new file mode 100755 index 000000000..ebe1079d9 --- /dev/null +++ b/sys/src/libsec/port/rsagen.c @@ -0,0 +1,70 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +RSApriv* +rsagen(int nlen, int elen, int rounds) +{ + mpint *p, *q, *e, *d, *phi, *n, *t1, *t2, *kp, *kq, *c2; + RSApriv *rsa; + + p = mpnew(nlen/2); + q = mpnew(nlen/2); + n = mpnew(nlen); + e = mpnew(elen); + d = mpnew(0); + phi = mpnew(nlen); + + // create the prime factors and euclid's function + genprime(p, nlen/2, rounds); + genprime(q, nlen - mpsignif(p) + 1, rounds); + mpmul(p, q, n); + mpsub(p, mpone, e); + mpsub(q, mpone, d); + mpmul(e, d, phi); + + // find an e relatively prime to phi + t1 = mpnew(0); + t2 = mpnew(0); + mprand(elen, genrandom, e); + if(mpcmp(e,mptwo) <= 0) + itomp(3, e); + // See Menezes et al. p.291 "8.8 Note (selecting primes)" for discussion + // of the merits of various choices of primes and exponents. e=3 is a + // common and recommended exponent, but doesn't necessarily work here + // because we chose strong rather than safe primes. + for(;;){ + mpextendedgcd(e, phi, t1, d, t2); + if(mpcmp(t1, mpone) == 0) + break; + mpadd(mpone, e, e); + } + mpfree(t1); + mpfree(t2); + + // compute chinese remainder coefficient + c2 = mpnew(0); + mpinvert(p, q, c2); + + // for crt a**k mod p == (a**(k mod p-1)) mod p + kq = mpnew(0); + kp = mpnew(0); + mpsub(p, mpone, phi); + mpmod(d, phi, kp); + mpsub(q, mpone, phi); + mpmod(d, phi, kq); + + rsa = rsaprivalloc(); + rsa->pub.ek = e; + rsa->pub.n = n; + rsa->dk = d; + rsa->kp = kp; + rsa->kq = kq; + rsa->p = p; + rsa->q = q; + rsa->c2 = c2; + + mpfree(phi); + + return rsa; +} diff --git a/sys/src/libsec/port/rsaprivtopub.c b/sys/src/libsec/port/rsaprivtopub.c new file mode 100755 index 000000000..d464c87f8 --- /dev/null +++ b/sys/src/libsec/port/rsaprivtopub.c @@ -0,0 +1,16 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +RSApub* +rsaprivtopub(RSApriv *priv) +{ + RSApub *pub; + + pub = rsapuballoc(); + if(pub == nil) + return nil; + pub->n = mpcopy(priv->pub.n); + pub->ek = mpcopy(priv->pub.ek); + return pub; +} diff --git a/sys/src/libsec/port/rsatest.c b/sys/src/libsec/port/rsatest.c new file mode 100755 index 000000000..c7b2e33a1 --- /dev/null +++ b/sys/src/libsec/port/rsatest.c @@ -0,0 +1,56 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> +#include <bio.h> + +void +main(void) +{ + int n; + vlong start; + char *p; + uchar buf[4096]; + Biobuf b; + RSApriv *rsa; + mpint *clr, *enc, *clr2; + + fmtinstall('B', mpfmt); + + rsa = rsagen(1024, 16, 0); + if(rsa == nil) + sysfatal("rsagen"); + Binit(&b, 0, OREAD); + clr = mpnew(0); + clr2 = mpnew(0); + enc = mpnew(0); + + strtomp("123456789abcdef123456789abcdef123456789abcdef123456789abcdef", nil, 16, clr); + rsaencrypt(&rsa->pub, clr, enc); + + start = nsec(); + for(n = 0; n < 10; n++) + rsadecrypt(rsa, enc, clr); + print("%lld\n", nsec()-start); + + start = nsec(); + for(n = 0; n < 10; n++) + mpexp(enc, rsa->dk, rsa->pub.n, clr2); + print("%lld\n", nsec()-start); + + if(mpcmp(clr, clr2) != 0) + print("%B != %B\n", clr, clr2); + + print("> "); + while(p = Brdline(&b, '\n')){ + n = Blinelen(&b); + letomp((uchar*)p, n, clr); + print("clr %B\n", clr); + rsaencrypt(&rsa->pub, clr, enc); + print("enc %B\n", enc); + rsadecrypt(rsa, enc, clr); + print("clr %B\n", clr); + n = mptole(clr, buf, sizeof(buf), nil); + write(1, buf, n); + print("> "); + } +} diff --git a/sys/src/libsec/port/sha1.c b/sys/src/libsec/port/sha1.c new file mode 100755 index 000000000..cd16b2e1d --- /dev/null +++ b/sys/src/libsec/port/sha1.c @@ -0,0 +1,134 @@ +#include "os.h" +#include <libsec.h> + +static void encode(uchar*, u32int*, ulong); + +extern void _sha1block(uchar*, ulong, u32int*); + +/* + * we require len to be a multiple of 64 for all but + * the last call. There must be room in the input buffer + * to pad. + */ +SHA1state* +sha1(uchar *p, ulong len, uchar *digest, SHA1state *s) +{ + uchar buf[128]; + u32int x[16]; + int i; + uchar *e; + + if(s == nil){ + s = malloc(sizeof(*s)); + if(s == nil) + return nil; + memset(s, 0, sizeof(*s)); + s->malloced = 1; + } + + if(s->seeded == 0){ + /* seed the state, these constants would look nicer big-endian */ + s->state[0] = 0x67452301; + s->state[1] = 0xefcdab89; + s->state[2] = 0x98badcfe; + s->state[3] = 0x10325476; + s->state[4] = 0xc3d2e1f0; + s->seeded = 1; + } + + /* fill out the partial 64 byte block from previous calls */ + if(s->blen){ + i = 64 - s->blen; + if(len < i) + i = len; + memmove(s->buf + s->blen, p, i); + len -= i; + s->blen += i; + p += i; + if(s->blen == 64){ + _sha1block(s->buf, s->blen, s->state); + s->len += s->blen; + s->blen = 0; + } + } + + /* do 64 byte blocks */ + i = len & ~0x3f; + if(i){ + _sha1block(p, i, s->state); + s->len += i; + len -= i; + p += i; + } + + /* save the left overs if not last call */ + if(digest == 0){ + if(len){ + memmove(s->buf, p, len); + s->blen += len; + } + return s; + } + + /* + * this is the last time through, pad what's left with 0x80, + * 0's, and the input count to create a multiple of 64 bytes + */ + if(s->blen){ + p = s->buf; + len = s->blen; + } else { + memmove(buf, p, len); + p = buf; + } + s->len += len; + e = p + len; + if(len < 56) + i = 56 - len; + else + i = 120 - len; + memset(e, 0, i); + *e = 0x80; + len += i; + + /* append the count */ + x[0] = s->len>>29; + x[1] = s->len<<3; + encode(p+len, x, 8); + + /* digest the last part */ + _sha1block(p, len+8, s->state); + s->len += len+8; + + /* return result and free state */ + encode(digest, s->state, SHA1dlen); + if(s->malloced == 1) + free(s); + return nil; +} + +/* + * encodes input (ulong) into output (uchar). Assumes len is + * a multiple of 4. + */ +static void +encode(uchar *output, u32int *input, ulong len) +{ + u32int x; + uchar *e; + + for(e = output + len; output < e;) { + x = *input++; + *output++ = x >> 24; + *output++ = x >> 16; + *output++ = x >> 8; + *output++ = x; + } +} + +DigestState* +hmac_sha1(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, + DigestState *s) +{ + return hmac_x(p, len, key, klen, digest, s, sha1, SHA1dlen); +} diff --git a/sys/src/libsec/port/sha1block.c b/sys/src/libsec/port/sha1block.c new file mode 100755 index 000000000..82566f210 --- /dev/null +++ b/sys/src/libsec/port/sha1block.c @@ -0,0 +1,187 @@ +#include "os.h" + +void +_sha1block(uchar *p, ulong len, u32int *s) +{ + u32int a, b, c, d, e, x; + uchar *end; + u32int *wp, *wend; + u32int w[80]; + + /* at this point, we have a multiple of 64 bytes */ + for(end = p+len; p < end;){ + a = s[0]; + b = s[1]; + c = s[2]; + d = s[3]; + e = s[4]; + + wend = w + 15; + for(wp = w; wp < wend; wp += 5){ + wp[0] = (p[0]<<24) | (p[1]<<16) | (p[2]<<8) | p[3]; + e += ((a<<5) | (a>>27)) + wp[0]; + e += 0x5a827999 + (((c^d)&b)^d); + b = (b<<30)|(b>>2); + + wp[1] = (p[4]<<24) | (p[5]<<16) | (p[6]<<8) | p[7]; + d += ((e<<5) | (e>>27)) + wp[1]; + d += 0x5a827999 + (((b^c)&a)^c); + a = (a<<30)|(a>>2); + + wp[2] = (p[8]<<24) | (p[9]<<16) | (p[10]<<8) | p[11]; + c += ((d<<5) | (d>>27)) + wp[2]; + c += 0x5a827999 + (((a^b)&e)^b); + e = (e<<30)|(e>>2); + + wp[3] = (p[12]<<24) | (p[13]<<16) | (p[14]<<8) | p[15]; + b += ((c<<5) | (c>>27)) + wp[3]; + b += 0x5a827999 + (((e^a)&d)^a); + d = (d<<30)|(d>>2); + + wp[4] = (p[16]<<24) | (p[17]<<16) | (p[18]<<8) | p[19]; + a += ((b<<5) | (b>>27)) + wp[4]; + a += 0x5a827999 + (((d^e)&c)^e); + c = (c<<30)|(c>>2); + + p += 20; + } + + wp[0] = (p[0]<<24) | (p[1]<<16) | (p[2]<<8) | p[3]; + e += ((a<<5) | (a>>27)) + wp[0]; + e += 0x5a827999 + (((c^d)&b)^d); + b = (b<<30)|(b>>2); + + x = wp[-2] ^ wp[-7] ^ wp[-13] ^ wp[-15]; + wp[1] = (x<<1) | (x>>31); + d += ((e<<5) | (e>>27)) + wp[1]; + d += 0x5a827999 + (((b^c)&a)^c); + a = (a<<30)|(a>>2); + + x = wp[-1] ^ wp[-6] ^ wp[-12] ^ wp[-14]; + wp[2] = (x<<1) | (x>>31); + c += ((d<<5) | (d>>27)) + wp[2]; + c += 0x5a827999 + (((a^b)&e)^b); + e = (e<<30)|(e>>2); + + x = wp[0] ^ wp[-5] ^ wp[-11] ^ wp[-13]; + wp[3] = (x<<1) | (x>>31); + b += ((c<<5) | (c>>27)) + wp[3]; + b += 0x5a827999 + (((e^a)&d)^a); + d = (d<<30)|(d>>2); + + x = wp[1] ^ wp[-4] ^ wp[-10] ^ wp[-12]; + wp[4] = (x<<1) | (x>>31); + a += ((b<<5) | (b>>27)) + wp[4]; + a += 0x5a827999 + (((d^e)&c)^e); + c = (c<<30)|(c>>2); + + wp += 5; + p += 4; + + wend = w + 40; + for(; wp < wend; wp += 5){ + x = wp[-3] ^ wp[-8] ^ wp[-14] ^ wp[-16]; + wp[0] = (x<<1) | (x>>31); + e += ((a<<5) | (a>>27)) + wp[0]; + e += 0x6ed9eba1 + (b^c^d); + b = (b<<30)|(b>>2); + + x = wp[-2] ^ wp[-7] ^ wp[-13] ^ wp[-15]; + wp[1] = (x<<1) | (x>>31); + d += ((e<<5) | (e>>27)) + wp[1]; + d += 0x6ed9eba1 + (a^b^c); + a = (a<<30)|(a>>2); + + x = wp[-1] ^ wp[-6] ^ wp[-12] ^ wp[-14]; + wp[2] = (x<<1) | (x>>31); + c += ((d<<5) | (d>>27)) + wp[2]; + c += 0x6ed9eba1 + (e^a^b); + e = (e<<30)|(e>>2); + + x = wp[0] ^ wp[-5] ^ wp[-11] ^ wp[-13]; + wp[3] = (x<<1) | (x>>31); + b += ((c<<5) | (c>>27)) + wp[3]; + b += 0x6ed9eba1 + (d^e^a); + d = (d<<30)|(d>>2); + + x = wp[1] ^ wp[-4] ^ wp[-10] ^ wp[-12]; + wp[4] = (x<<1) | (x>>31); + a += ((b<<5) | (b>>27)) + wp[4]; + a += 0x6ed9eba1 + (c^d^e); + c = (c<<30)|(c>>2); + } + + wend = w + 60; + for(; wp < wend; wp += 5){ + x = wp[-3] ^ wp[-8] ^ wp[-14] ^ wp[-16]; + wp[0] = (x<<1) | (x>>31); + e += ((a<<5) | (a>>27)) + wp[0]; + e += 0x8f1bbcdc + ((b&c)|((b|c)&d)); + b = (b<<30)|(b>>2); + + x = wp[-2] ^ wp[-7] ^ wp[-13] ^ wp[-15]; + wp[1] = (x<<1) | (x>>31); + d += ((e<<5) | (e>>27)) + wp[1]; + d += 0x8f1bbcdc + ((a&b)|((a|b)&c)); + a = (a<<30)|(a>>2); + + x = wp[-1] ^ wp[-6] ^ wp[-12] ^ wp[-14]; + wp[2] = (x<<1) | (x>>31); + c += ((d<<5) | (d>>27)) + wp[2]; + c += 0x8f1bbcdc + ((e&a)|((e|a)&b)); + e = (e<<30)|(e>>2); + + x = wp[0] ^ wp[-5] ^ wp[-11] ^ wp[-13]; + wp[3] = (x<<1) | (x>>31); + b += ((c<<5) | (c>>27)) + wp[3]; + b += 0x8f1bbcdc + ((d&e)|((d|e)&a)); + d = (d<<30)|(d>>2); + + x = wp[1] ^ wp[-4] ^ wp[-10] ^ wp[-12]; + wp[4] = (x<<1) | (x>>31); + a += ((b<<5) | (b>>27)) + wp[4]; + a += 0x8f1bbcdc + ((c&d)|((c|d)&e)); + c = (c<<30)|(c>>2); + } + + wend = w + 80; + for(; wp < wend; wp += 5){ + x = wp[-3] ^ wp[-8] ^ wp[-14] ^ wp[-16]; + wp[0] = (x<<1) | (x>>31); + e += ((a<<5) | (a>>27)) + wp[0]; + e += 0xca62c1d6 + (b^c^d); + b = (b<<30)|(b>>2); + + x = wp[-2] ^ wp[-7] ^ wp[-13] ^ wp[-15]; + wp[1] = (x<<1) | (x>>31); + d += ((e<<5) | (e>>27)) + wp[1]; + d += 0xca62c1d6 + (a^b^c); + a = (a<<30)|(a>>2); + + x = wp[-1] ^ wp[-6] ^ wp[-12] ^ wp[-14]; + wp[2] = (x<<1) | (x>>31); + c += ((d<<5) | (d>>27)) + wp[2]; + c += 0xca62c1d6 + (e^a^b); + e = (e<<30)|(e>>2); + + x = wp[0] ^ wp[-5] ^ wp[-11] ^ wp[-13]; + wp[3] = (x<<1) | (x>>31); + b += ((c<<5) | (c>>27)) + wp[3]; + b += 0xca62c1d6 + (d^e^a); + d = (d<<30)|(d>>2); + + x = wp[1] ^ wp[-4] ^ wp[-10] ^ wp[-12]; + wp[4] = (x<<1) | (x>>31); + a += ((b<<5) | (b>>27)) + wp[4]; + a += 0xca62c1d6 + (c^d^e); + c = (c<<30)|(c>>2); + } + + /* save state */ + s[0] += a; + s[1] += b; + s[2] += c; + s[3] += d; + s[4] += e; + } +} diff --git a/sys/src/libsec/port/sha1pickle.c b/sys/src/libsec/port/sha1pickle.c new file mode 100755 index 000000000..6139567b5 --- /dev/null +++ b/sys/src/libsec/port/sha1pickle.c @@ -0,0 +1,38 @@ +#include "os.h" +#include <libsec.h> + +char* +sha1pickle(SHA1state *s) +{ + char *p; + int m, n; + + m = 5*9+4*((s->blen+3)/3); + p = malloc(m); + if(p == nil) + return p; + n = sprint(p, "%8.8ux %8.8ux %8.8ux %8.8ux %8.8ux ", + s->state[0], s->state[1], s->state[2], + s->state[3], s->state[4]); + enc64(p+n, m-n, s->buf, s->blen); + return p; +} + +SHA1state* +sha1unpickle(char *p) +{ + SHA1state *s; + + s = malloc(sizeof(*s)); + if(s == nil) + return nil; + s->state[0] = strtoul(p, &p, 16); + s->state[1] = strtoul(p, &p, 16); + s->state[2] = strtoul(p, &p, 16); + s->state[3] = strtoul(p, &p, 16); + s->state[4] = strtoul(p, &p, 16); + s->blen = dec64(s->buf, sizeof(s->buf), p, strlen(p)); + s->malloced = 1; + s->seeded = 1; + return s; +} diff --git a/sys/src/libsec/port/sha2_128.c b/sys/src/libsec/port/sha2_128.c new file mode 100755 index 000000000..65b93be5e --- /dev/null +++ b/sys/src/libsec/port/sha2_128.c @@ -0,0 +1,191 @@ +/* + * sha2 128-bit + */ +#include <u.h> +#include <libc.h> +#include <libsec.h> + +static void encode64(uchar*, u64int*, ulong); +static DigestState* sha2_128(uchar *, ulong, uchar *, SHA2_256state *, int); + +extern void _sha2block128(uchar*, ulong, u64int*); + +/* + * for sha2_384 and sha2_512, len must be multiple of 128 for all but + * the last call. There must be room in the input buffer to pad. + * + * Note: sha2_384 calls sha2_512block as sha2_384; it just uses a different + * initial seed to produce a truncated 384b hash result. otherwise + * it's the same as sha2_512. + */ +SHA2_384state* +sha2_384(uchar *p, ulong len, uchar *digest, SHA2_384state *s) +{ + if(s == nil) { + s = mallocz(sizeof(*s), 1); + if(s == nil) + return nil; + s->malloced = 1; + } + if(s->seeded == 0){ + /* + * seed the state with the first 64 bits of the fractional + * parts of the square roots of the 9th thru 16th primes. + */ + s->bstate[0] = 0xcbbb9d5dc1059ed8LL; + s->bstate[1] = 0x629a292a367cd507LL; + s->bstate[2] = 0x9159015a3070dd17LL; + s->bstate[3] = 0x152fecd8f70e5939LL; + s->bstate[4] = 0x67332667ffc00b31LL; + s->bstate[5] = 0x8eb44a8768581511LL; + s->bstate[6] = 0xdb0c2e0d64f98fa7LL; + s->bstate[7] = 0x47b5481dbefa4fa4LL; + s->seeded = 1; + } + return sha2_128(p, len, digest, s, SHA2_384dlen); +} + +SHA2_512state* +sha2_512(uchar *p, ulong len, uchar *digest, SHA2_512state *s) +{ + + if(s == nil) { + s = mallocz(sizeof(*s), 1); + if(s == nil) + return nil; + s->malloced = 1; + } + if(s->seeded == 0){ + /* + * seed the state with the first 64 bits of the fractional + * parts of the square roots of the first 8 primes 2..19). + */ + s->bstate[0] = 0x6a09e667f3bcc908LL; + s->bstate[1] = 0xbb67ae8584caa73bLL; + s->bstate[2] = 0x3c6ef372fe94f82bLL; + s->bstate[3] = 0xa54ff53a5f1d36f1LL; + s->bstate[4] = 0x510e527fade682d1LL; + s->bstate[5] = 0x9b05688c2b3e6c1fLL; + s->bstate[6] = 0x1f83d9abfb41bd6bLL; + s->bstate[7] = 0x5be0cd19137e2179LL; + s->seeded = 1; + } + return sha2_128(p, len, digest, s, SHA2_512dlen); +} + +/* common 128 byte block padding and count code for SHA2_384 and SHA2_512 */ +static DigestState* +sha2_128(uchar *p, ulong len, uchar *digest, SHA2_512state *s, int dlen) +{ + int i; + u64int x[16]; + uchar buf[256]; + uchar *e; + + /* fill out the partial 128 byte block from previous calls */ + if(s->blen){ + i = 128 - s->blen; + if(len < i) + i = len; + memmove(s->buf + s->blen, p, i); + len -= i; + s->blen += i; + p += i; + if(s->blen == 128){ + _sha2block128(s->buf, s->blen, s->bstate); + s->len += s->blen; + s->blen = 0; + } + } + + /* do 128 byte blocks */ + i = len & ~(128-1); + if(i){ + _sha2block128(p, i, s->bstate); + s->len += i; + len -= i; + p += i; + } + + /* save the left overs if not last call */ + if(digest == 0){ + if(len){ + memmove(s->buf, p, len); + s->blen += len; + } + return s; + } + + /* + * this is the last time through, pad what's left with 0x80, + * 0's, and the input count to create a multiple of 128 bytes. + */ + if(s->blen){ + p = s->buf; + len = s->blen; + } else { + memmove(buf, p, len); + p = buf; + } + s->len += len; + e = p + len; + if(len < 112) + i = 112 - len; + else + i = 240 - len; + memset(e, 0, i); + *e = 0x80; + len += i; + + /* append the count */ + x[0] = 0; /* assume 32b length, i.e. < 4GB */ + x[1] = s->len<<3; + encode64(p+len, x, 16); + + /* digest the last part */ + _sha2block128(p, len+16, s->bstate); + s->len += len+16; + + /* return result and free state */ + encode64(digest, s->bstate, dlen); + if(s->malloced == 1) + free(s); + return nil; +} + +/* + * Encodes input (ulong long) into output (uchar). + * Assumes len is a multiple of 8. + */ +static void +encode64(uchar *output, u64int *input, ulong len) +{ + u64int x; + uchar *e; + + for(e = output + len; output < e;) { + x = *input++; + *output++ = x >> 56; + *output++ = x >> 48; + *output++ = x >> 40; + *output++ = x >> 32; + *output++ = x >> 24; + *output++ = x >> 16; + *output++ = x >> 8; + *output++ = x; + } +} + +DigestState* +hmac_sha2_384(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, + DigestState *s) +{ + return hmac_x(p, len, key, klen, digest, s, sha2_384, SHA2_384dlen); +} + +DigestState* +hmac_sha2_512(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, + DigestState *s) +{ + return hmac_x(p, len, key, klen, digest, s, sha2_512, SHA2_512dlen); +} diff --git a/sys/src/libsec/port/sha2_64.c b/sys/src/libsec/port/sha2_64.c new file mode 100755 index 000000000..15559cd07 --- /dev/null +++ b/sys/src/libsec/port/sha2_64.c @@ -0,0 +1,187 @@ +/* + * sha2 64-bit + */ +#include <u.h> +#include <libc.h> +#include <libsec.h> + +static void encode32(uchar*, u32int*, ulong); +static DigestState* sha2_64(uchar *, ulong, uchar *, SHA2_256state *, int); + +extern void _sha2block64(uchar*, ulong, u32int*); + +/* + * for sha2_224 and sha2_256, len must be multiple of 64 for all but + * the last call. There must be room in the input buffer to pad. + * + * Note: sha2_224 calls sha2_256block as sha2_224, just uses different + * initial seed and produces a 224b hash result. otherwise it's + * the same as sha2_256. + */ + +SHA2_224state* +sha2_224(uchar *p, ulong len, uchar *digest, SHA2_224state *s) +{ + if(s == nil) { + s = mallocz(sizeof(*s), 1); + if(s == nil) + return nil; + s->malloced = 1; + } + if(s->seeded == 0){ + /* + * seed the state with the first 32 bits of the fractional + * parts of the square roots of the first 8 primes 2..19). + */ + s->state[0] = 0xc1059ed8; + s->state[1] = 0x367cd507; + s->state[2] = 0x3070dd17; + s->state[3] = 0xf70e5939; + s->state[4] = 0xffc00b31; + s->state[5] = 0x68581511; + s->state[6] = 0x64f98fa7; + s->state[7] = 0xbefa4fa4; + s->seeded = 1; + } + return sha2_64(p, len, digest, s, SHA2_224dlen); +} + +SHA2_256state* +sha2_256(uchar *p, ulong len, uchar *digest, SHA2_256state *s) +{ + if(s == nil) { + s = mallocz(sizeof(*s), 1); + if(s == nil) + return nil; + s->malloced = 1; + } + if(s->seeded == 0){ + /* + * seed the state with the first 32 bits of the fractional + * parts of the square roots of the first 8 primes 2..19). + */ + s->state[0] = 0x6a09e667; + s->state[1] = 0xbb67ae85; + s->state[2] = 0x3c6ef372; + s->state[3] = 0xa54ff53a; + s->state[4] = 0x510e527f; + s->state[5] = 0x9b05688c; + s->state[6] = 0x1f83d9ab; + s->state[7] = 0x5be0cd19; + s->seeded = 1; + } + return sha2_64(p, len, digest, s, SHA2_256dlen); +} + +/* common 64 byte block padding and count code for SHA2_224 and SHA2_256 */ +static DigestState* +sha2_64(uchar *p, ulong len, uchar *digest, SHA2_256state *s, int dlen) +{ + int i; + u32int x[16]; + uchar buf[128]; + uchar *e; + + /* fill out the partial 64 byte block from previous calls */ + if(s->blen){ + i = 64 - s->blen; + if(len < i) + i = len; + memmove(s->buf + s->blen, p, i); + len -= i; + s->blen += i; + p += i; + if(s->blen == 64){ + _sha2block64(s->buf, s->blen, s->state); + s->len += s->blen; + s->blen = 0; + } + } + + /* do 64 byte blocks */ + i = len & ~(64-1); + if(i){ + _sha2block64(p, i, s->state); + s->len += i; + len -= i; + p += i; + } + + /* save the left overs if not last call */ + if(digest == 0){ + if(len){ + memmove(s->buf, p, len); + s->blen += len; + } + return s; + } + + /* + * this is the last time through, pad what's left with 0x80, + * 0's, and the input count to create a multiple of 64 bytes. + */ + if(s->blen){ + p = s->buf; + len = s->blen; + } else { + memmove(buf, p, len); + p = buf; + } + s->len += len; + e = p + len; + if(len < 56) + i = 56 - len; + else + i = 120 - len; + memset(e, 0, i); + *e = 0x80; + len += i; + + /* append the count */ + x[0] = s->len>>29; + x[1] = s->len<<3; + encode32(p+len, x, 8); + + /* digest the last part */ + _sha2block64(p, len+8, s->state); + s->len += len+8; + + /* return result and free state */ + encode32(digest, s->state, dlen); + if(s->malloced == 1) + free(s); + return nil; +} + +/* + * Encodes input (ulong) into output (uchar). + * Assumes len is a multiple of 4. + */ +static void +encode32(uchar *output, u32int *input, ulong len) +{ + u32int x; + uchar *e; + + for(e = output + len; output < e;) { + x = *input++; + *output++ = x >> 24; + *output++ = x >> 16; + *output++ = x >> 8; + *output++ = x; + } +} + +DigestState* +hmac_sha2_224(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, + DigestState *s) +{ + return hmac_x(p, len, key, klen, digest, s, sha2_224, SHA2_224dlen); +} + +DigestState* +hmac_sha2_256(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, + DigestState *s) +{ + return hmac_x(p, len, key, klen, digest, s, sha2_256, SHA2_256dlen); +} diff --git a/sys/src/libsec/port/sha2block128.c b/sys/src/libsec/port/sha2block128.c new file mode 100755 index 000000000..0ed0368b8 --- /dev/null +++ b/sys/src/libsec/port/sha2block128.c @@ -0,0 +1,101 @@ +/* + * sha2_512 block cipher + * + * Implementation straight from Federal Information Processing Standards + * publication 180-2 (+Change Notice to include SHA-224) August 1, 2002 + * note: the following upper and lower case macro names are distinct + * and reflect the functions defined in FIPS pub. 180-2. + */ +#include <u.h> +#include <libc.h> + +#define ROTR(x,n) (((x) >> (n)) | ((x) << (64-(n)))) +#define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x) >> 7)) +#define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x) >> 6)) +#define SIGMA0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) +#define SIGMA1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) +#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) + +/* + * first 64 bits of the fractional parts of cube roots of + * first 80 primes (2..311). + */ +static u64int K512[80] = { + 0x428a2f98d728ae22LL, 0x7137449123ef65cdLL, 0xb5c0fbcfec4d3b2fLL, 0xe9b5dba58189dbbcLL, + 0x3956c25bf348b538LL, 0x59f111f1b605d019LL, 0x923f82a4af194f9bLL, 0xab1c5ed5da6d8118LL, + 0xd807aa98a3030242LL, 0x12835b0145706fbeLL, 0x243185be4ee4b28cLL, 0x550c7dc3d5ffb4e2LL, + 0x72be5d74f27b896fLL, 0x80deb1fe3b1696b1LL, 0x9bdc06a725c71235LL, 0xc19bf174cf692694LL, + 0xe49b69c19ef14ad2LL, 0xefbe4786384f25e3LL, 0x0fc19dc68b8cd5b5LL, 0x240ca1cc77ac9c65LL, + 0x2de92c6f592b0275LL, 0x4a7484aa6ea6e483LL, 0x5cb0a9dcbd41fbd4LL, 0x76f988da831153b5LL, + 0x983e5152ee66dfabLL, 0xa831c66d2db43210LL, 0xb00327c898fb213fLL, 0xbf597fc7beef0ee4LL, + 0xc6e00bf33da88fc2LL, 0xd5a79147930aa725LL, 0x06ca6351e003826fLL, 0x142929670a0e6e70LL, + 0x27b70a8546d22ffcLL, 0x2e1b21385c26c926LL, 0x4d2c6dfc5ac42aedLL, 0x53380d139d95b3dfLL, + 0x650a73548baf63deLL, 0x766a0abb3c77b2a8LL, 0x81c2c92e47edaee6LL, 0x92722c851482353bLL, + 0xa2bfe8a14cf10364LL, 0xa81a664bbc423001LL, 0xc24b8b70d0f89791LL, 0xc76c51a30654be30LL, + 0xd192e819d6ef5218LL, 0xd69906245565a910LL, 0xf40e35855771202aLL, 0x106aa07032bbd1b8LL, + 0x19a4c116b8d2d0c8LL, 0x1e376c085141ab53LL, 0x2748774cdf8eeb99LL, 0x34b0bcb5e19b48a8LL, + 0x391c0cb3c5c95a63LL, 0x4ed8aa4ae3418acbLL, 0x5b9cca4f7763e373LL, 0x682e6ff3d6b2b8a3LL, + 0x748f82ee5defb2fcLL, 0x78a5636f43172f60LL, 0x84c87814a1f0ab72LL, 0x8cc702081a6439ecLL, + 0x90befffa23631e28LL, 0xa4506cebde82bde9LL, 0xbef9a3f7b2c67915LL, 0xc67178f2e372532bLL, + 0xca273eceea26619cLL, 0xd186b8c721c0c207LL, 0xeada7dd6cde0eb1eLL, 0xf57d4f7fee6ed178LL, + 0x06f067aa72176fbaLL, 0x0a637dc5a2c898a6LL, 0x113f9804bef90daeLL, 0x1b710b35131c471bLL, + 0x28db77f523047d84LL, 0x32caab7b40c72493LL, 0x3c9ebe0a15c9bebcLL, 0x431d67c49c100d4cLL, + 0x4cc5d4becb3e42b6LL, 0x597f299cfc657e2aLL, 0x5fcb6fab3ad6faecLL, 0x6c44198c4a475817LL }; + +void +_sha2block128(uchar *p, ulong len, u64int *s) +{ + u64int a, b, c, d, e, f, g, h, t1, t2; + u64int *kp, *wp; + u64int w[80]; + uchar *end; + + /* at this point, we have a multiple of 64 bytes */ + for(end = p+len; p < end;){ + a = s[0]; + b = s[1]; + c = s[2]; + d = s[3]; + e = s[4]; + f = s[5]; + g = s[6]; + h = s[7]; + + for(wp = w; wp < &w[16]; wp++, p += 8) + wp[0] = ((vlong)p[0])<<56 | ((vlong)p[1])<<48 | + ((vlong)p[2])<<40 | ((vlong)p[3])<<32 | + p[4] << 24 | p[5] << 16 | p[6] << 8 | p[7]; + for(; wp < &w[80]; wp++) { + u64int s0, s1; + + s0 = sigma0(wp[-15]); + s1 = sigma1(wp[-2]); +// wp[0] = sigma1(wp[-2]) + wp[-7] + sigma0(wp[-15]) + wp[-16]; + wp[0] = s1 + wp[-7] + s0 + wp[-16]; + } + + for(kp = K512, wp = w; wp < &w[80]; ) { + t1 = h + SIGMA1(e) + Ch(e,f,g) + *kp++ + *wp++; + t2 = SIGMA0(a) + Maj(a,b,c); + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + } + + /* save state */ + s[0] += a; + s[1] += b; + s[2] += c; + s[3] += d; + s[4] += e; + s[5] += f; + s[6] += g; + s[7] += h; + } +} diff --git a/sys/src/libsec/port/sha2block64.c b/sys/src/libsec/port/sha2block64.c new file mode 100755 index 000000000..0b3a1b9c9 --- /dev/null +++ b/sys/src/libsec/port/sha2block64.c @@ -0,0 +1,92 @@ +/* + * sha2_256 block cipher + * + * Implementation straight from Federal Information Processing Standards + * publication 180-2 (+Change Notice to include SHA-224) August 1, 2002 + * note: the following upper and lower case macro names are distinct + * and reflect the functions defined in FIPS pub. 180-2. + */ + +#include <u.h> +#include <libc.h> + +#define ROTR(x,n) (((x) >> (n)) | ((x) << (32-(n)))) +#define sigma0(x) (ROTR((x),7) ^ ROTR((x),18) ^ ((x) >> 3)) +#define sigma1(x) (ROTR((x),17) ^ ROTR((x),19) ^ ((x) >> 10)) +#define SIGMA0(x) (ROTR((x),2) ^ ROTR((x),13) ^ ROTR((x),22)) +#define SIGMA1(x) (ROTR((x),6) ^ ROTR((x),11) ^ ROTR((x),25)) +#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) + +/* + * first 32 bits of the fractional parts of cube roots of + * first 64 primes (2..311). + */ +static u32int K256[64] = { + 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5, + 0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5, + 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3, + 0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174, + 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc, + 0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da, + 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7, + 0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967, + 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13, + 0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85, + 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3, + 0xd192e819,0xd6990624,0xf40e3585,0x106aa070, + 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5, + 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3, + 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208, + 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2, +}; + +void +_sha2block64(uchar *p, ulong len, u32int *s) +{ + u32int a, b, c, d, e, f, g, h, t1, t2; + u32int *kp, *wp; + u32int w[64]; + uchar *end; + + /* at this point, we have a multiple of 64 bytes */ + for(end = p+len; p < end;){ + a = s[0]; + b = s[1]; + c = s[2]; + d = s[3]; + e = s[4]; + f = s[5]; + g = s[6]; + h = s[7]; + + for(wp = w; wp < &w[16]; wp++, p += 4) + wp[0] = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; + for(; wp < &w[64]; wp++) + wp[0] = sigma1(wp[-2]) + wp[-7] + + sigma0(wp[-15]) + wp[-16]; + + for(kp = K256, wp = w; wp < &w[64]; ) { + t1 = h + SIGMA1(e) + Ch(e,f,g) + *kp++ + *wp++; + t2 = SIGMA0(a) + Maj(a,b,c); + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + } + + /* save state */ + s[0] += a; + s[1] += b; + s[2] += c; + s[3] += d; + s[4] += e; + s[5] += f; + s[6] += g; + s[7] += h; + } +} diff --git a/sys/src/libsec/port/sha2test.c b/sys/src/libsec/port/sha2test.c new file mode 100755 index 000000000..94b564667 --- /dev/null +++ b/sys/src/libsec/port/sha2test.c @@ -0,0 +1,63 @@ +#include <u.h> +#include <libc.h> +#include "libsec.h" + +char *tests[] = { + "", + "a", + "abc", + "message digest", + "abcdefghijklmnopqrstuvwxyz", + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", + "123456789012345678901234567890123456789012345678901234567890" + "12345678901234567890", + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", + "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi" + "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", + 0 +}; + +void +main(void) +{ + int i; + char **pp; + uchar *p; + uchar digest[SHA2_512dlen]; + + print("SHA2_224 tests:\n"); + for(pp = tests; *pp; pp++){ + p = (uchar*)*pp; + sha2_224(p, strlen(*pp), digest, 0); + for(i = 0; i < SHA2_224dlen; i++) + print("%2.2ux", digest[i]); + print("\n"); + } + + print("\nSHA256 tests:\n"); + for(pp = tests; *pp; pp++){ + p = (uchar*)*pp; + sha2_256(p, strlen(*pp), digest, 0); + for(i = 0; i < SHA2_256dlen; i++) + print("%2.2ux", digest[i]); + print("\n"); + } + + print("\nSHA384 tests:\n"); + for(pp = tests; *pp; pp++){ + p = (uchar*)*pp; + sha2_384(p, strlen(*pp), digest, 0); + for(i = 0; i < SHA2_384dlen; i++) + print("%2.2ux", digest[i]); + print("\n"); + } + + print("\nSHA512 tests:\n"); + for(pp = tests; *pp; pp++){ + p = (uchar*)*pp; + sha2_512(p, strlen(*pp), digest, 0); + for(i = 0; i < SHA2_512dlen; i++) + print("%2.2ux", digest[i]); + print("\n"); + } +} diff --git a/sys/src/libsec/port/smallprimes.c b/sys/src/libsec/port/smallprimes.c new file mode 100755 index 000000000..ac23a2f09 --- /dev/null +++ b/sys/src/libsec/port/smallprimes.c @@ -0,0 +1,1004 @@ +#include "os.h" + +ulong smallprimes[1000] = { + 2, + 3, + 5, + 7, + 11, + 13, + 17, + 19, + 23, + 29, + 31, + 37, + 41, + 43, + 47, + 53, + 59, + 61, + 67, + 71, + 73, + 79, + 83, + 89, + 97, + 101, + 103, + 107, + 109, + 113, + 127, + 131, + 137, + 139, + 149, + 151, + 157, + 163, + 167, + 173, + 179, + 181, + 191, + 193, + 197, + 199, + 211, + 223, + 227, + 229, + 233, + 239, + 241, + 251, + 257, + 263, + 269, + 271, + 277, + 281, + 283, + 293, + 307, + 311, + 313, + 317, + 331, + 337, + 347, + 349, + 353, + 359, + 367, + 373, + 379, + 383, + 389, + 397, + 401, + 409, + 419, + 421, + 431, + 433, + 439, + 443, + 449, + 457, + 461, + 463, + 467, + 479, + 487, + 491, + 499, + 503, + 509, + 521, + 523, + 541, + 547, + 557, + 563, + 569, + 571, + 577, + 587, + 593, + 599, + 601, + 607, + 613, + 617, + 619, + 631, + 641, + 643, + 647, + 653, + 659, + 661, + 673, + 677, + 683, + 691, + 701, + 709, + 719, + 727, + 733, + 739, + 743, + 751, + 757, + 761, + 769, + 773, + 787, + 797, + 809, + 811, + 821, + 823, + 827, + 829, + 839, + 853, + 857, + 859, + 863, + 877, + 881, + 883, + 887, + 907, + 911, + 919, + 929, + 937, + 941, + 947, + 953, + 967, + 971, + 977, + 983, + 991, + 997, + 1009, + 1013, + 1019, + 1021, + 1031, + 1033, + 1039, + 1049, + 1051, + 1061, + 1063, + 1069, + 1087, + 1091, + 1093, + 1097, + 1103, + 1109, + 1117, + 1123, + 1129, + 1151, + 1153, + 1163, + 1171, + 1181, + 1187, + 1193, + 1201, + 1213, + 1217, + 1223, + 1229, + 1231, + 1237, + 1249, + 1259, + 1277, + 1279, + 1283, + 1289, + 1291, + 1297, + 1301, + 1303, + 1307, + 1319, + 1321, + 1327, + 1361, + 1367, + 1373, + 1381, + 1399, + 1409, + 1423, + 1427, + 1429, + 1433, + 1439, + 1447, + 1451, + 1453, + 1459, + 1471, + 1481, + 1483, + 1487, + 1489, + 1493, + 1499, + 1511, + 1523, + 1531, + 1543, + 1549, + 1553, + 1559, + 1567, + 1571, + 1579, + 1583, + 1597, + 1601, + 1607, + 1609, + 1613, + 1619, + 1621, + 1627, + 1637, + 1657, + 1663, + 1667, + 1669, + 1693, + 1697, + 1699, + 1709, + 1721, + 1723, + 1733, + 1741, + 1747, + 1753, + 1759, + 1777, + 1783, + 1787, + 1789, + 1801, + 1811, + 1823, + 1831, + 1847, + 1861, + 1867, + 1871, + 1873, + 1877, + 1879, + 1889, + 1901, + 1907, + 1913, + 1931, + 1933, + 1949, + 1951, + 1973, + 1979, + 1987, + 1993, + 1997, + 1999, + 2003, + 2011, + 2017, + 2027, + 2029, + 2039, + 2053, + 2063, + 2069, + 2081, + 2083, + 2087, + 2089, + 2099, + 2111, + 2113, + 2129, + 2131, + 2137, + 2141, + 2143, + 2153, + 2161, + 2179, + 2203, + 2207, + 2213, + 2221, + 2237, + 2239, + 2243, + 2251, + 2267, + 2269, + 2273, + 2281, + 2287, + 2293, + 2297, + 2309, + 2311, + 2333, + 2339, + 2341, + 2347, + 2351, + 2357, + 2371, + 2377, + 2381, + 2383, + 2389, + 2393, + 2399, + 2411, + 2417, + 2423, + 2437, + 2441, + 2447, + 2459, + 2467, + 2473, + 2477, + 2503, + 2521, + 2531, + 2539, + 2543, + 2549, + 2551, + 2557, + 2579, + 2591, + 2593, + 2609, + 2617, + 2621, + 2633, + 2647, + 2657, + 2659, + 2663, + 2671, + 2677, + 2683, + 2687, + 2689, + 2693, + 2699, + 2707, + 2711, + 2713, + 2719, + 2729, + 2731, + 2741, + 2749, + 2753, + 2767, + 2777, + 2789, + 2791, + 2797, + 2801, + 2803, + 2819, + 2833, + 2837, + 2843, + 2851, + 2857, + 2861, + 2879, + 2887, + 2897, + 2903, + 2909, + 2917, + 2927, + 2939, + 2953, + 2957, + 2963, + 2969, + 2971, + 2999, + 3001, + 3011, + 3019, + 3023, + 3037, + 3041, + 3049, + 3061, + 3067, + 3079, + 3083, + 3089, + 3109, + 3119, + 3121, + 3137, + 3163, + 3167, + 3169, + 3181, + 3187, + 3191, + 3203, + 3209, + 3217, + 3221, + 3229, + 3251, + 3253, + 3257, + 3259, + 3271, + 3299, + 3301, + 3307, + 3313, + 3319, + 3323, + 3329, + 3331, + 3343, + 3347, + 3359, + 3361, + 3371, + 3373, + 3389, + 3391, + 3407, + 3413, + 3433, + 3449, + 3457, + 3461, + 3463, + 3467, + 3469, + 3491, + 3499, + 3511, + 3517, + 3527, + 3529, + 3533, + 3539, + 3541, + 3547, + 3557, + 3559, + 3571, + 3581, + 3583, + 3593, + 3607, + 3613, + 3617, + 3623, + 3631, + 3637, + 3643, + 3659, + 3671, + 3673, + 3677, + 3691, + 3697, + 3701, + 3709, + 3719, + 3727, + 3733, + 3739, + 3761, + 3767, + 3769, + 3779, + 3793, + 3797, + 3803, + 3821, + 3823, + 3833, + 3847, + 3851, + 3853, + 3863, + 3877, + 3881, + 3889, + 3907, + 3911, + 3917, + 3919, + 3923, + 3929, + 3931, + 3943, + 3947, + 3967, + 3989, + 4001, + 4003, + 4007, + 4013, + 4019, + 4021, + 4027, + 4049, + 4051, + 4057, + 4073, + 4079, + 4091, + 4093, + 4099, + 4111, + 4127, + 4129, + 4133, + 4139, + 4153, + 4157, + 4159, + 4177, + 4201, + 4211, + 4217, + 4219, + 4229, + 4231, + 4241, + 4243, + 4253, + 4259, + 4261, + 4271, + 4273, + 4283, + 4289, + 4297, + 4327, + 4337, + 4339, + 4349, + 4357, + 4363, + 4373, + 4391, + 4397, + 4409, + 4421, + 4423, + 4441, + 4447, + 4451, + 4457, + 4463, + 4481, + 4483, + 4493, + 4507, + 4513, + 4517, + 4519, + 4523, + 4547, + 4549, + 4561, + 4567, + 4583, + 4591, + 4597, + 4603, + 4621, + 4637, + 4639, + 4643, + 4649, + 4651, + 4657, + 4663, + 4673, + 4679, + 4691, + 4703, + 4721, + 4723, + 4729, + 4733, + 4751, + 4759, + 4783, + 4787, + 4789, + 4793, + 4799, + 4801, + 4813, + 4817, + 4831, + 4861, + 4871, + 4877, + 4889, + 4903, + 4909, + 4919, + 4931, + 4933, + 4937, + 4943, + 4951, + 4957, + 4967, + 4969, + 4973, + 4987, + 4993, + 4999, + 5003, + 5009, + 5011, + 5021, + 5023, + 5039, + 5051, + 5059, + 5077, + 5081, + 5087, + 5099, + 5101, + 5107, + 5113, + 5119, + 5147, + 5153, + 5167, + 5171, + 5179, + 5189, + 5197, + 5209, + 5227, + 5231, + 5233, + 5237, + 5261, + 5273, + 5279, + 5281, + 5297, + 5303, + 5309, + 5323, + 5333, + 5347, + 5351, + 5381, + 5387, + 5393, + 5399, + 5407, + 5413, + 5417, + 5419, + 5431, + 5437, + 5441, + 5443, + 5449, + 5471, + 5477, + 5479, + 5483, + 5501, + 5503, + 5507, + 5519, + 5521, + 5527, + 5531, + 5557, + 5563, + 5569, + 5573, + 5581, + 5591, + 5623, + 5639, + 5641, + 5647, + 5651, + 5653, + 5657, + 5659, + 5669, + 5683, + 5689, + 5693, + 5701, + 5711, + 5717, + 5737, + 5741, + 5743, + 5749, + 5779, + 5783, + 5791, + 5801, + 5807, + 5813, + 5821, + 5827, + 5839, + 5843, + 5849, + 5851, + 5857, + 5861, + 5867, + 5869, + 5879, + 5881, + 5897, + 5903, + 5923, + 5927, + 5939, + 5953, + 5981, + 5987, + 6007, + 6011, + 6029, + 6037, + 6043, + 6047, + 6053, + 6067, + 6073, + 6079, + 6089, + 6091, + 6101, + 6113, + 6121, + 6131, + 6133, + 6143, + 6151, + 6163, + 6173, + 6197, + 6199, + 6203, + 6211, + 6217, + 6221, + 6229, + 6247, + 6257, + 6263, + 6269, + 6271, + 6277, + 6287, + 6299, + 6301, + 6311, + 6317, + 6323, + 6329, + 6337, + 6343, + 6353, + 6359, + 6361, + 6367, + 6373, + 6379, + 6389, + 6397, + 6421, + 6427, + 6449, + 6451, + 6469, + 6473, + 6481, + 6491, + 6521, + 6529, + 6547, + 6551, + 6553, + 6563, + 6569, + 6571, + 6577, + 6581, + 6599, + 6607, + 6619, + 6637, + 6653, + 6659, + 6661, + 6673, + 6679, + 6689, + 6691, + 6701, + 6703, + 6709, + 6719, + 6733, + 6737, + 6761, + 6763, + 6779, + 6781, + 6791, + 6793, + 6803, + 6823, + 6827, + 6829, + 6833, + 6841, + 6857, + 6863, + 6869, + 6871, + 6883, + 6899, + 6907, + 6911, + 6917, + 6947, + 6949, + 6959, + 6961, + 6967, + 6971, + 6977, + 6983, + 6991, + 6997, + 7001, + 7013, + 7019, + 7027, + 7039, + 7043, + 7057, + 7069, + 7079, + 7103, + 7109, + 7121, + 7127, + 7129, + 7151, + 7159, + 7177, + 7187, + 7193, + 7207, + 7211, + 7213, + 7219, + 7229, + 7237, + 7243, + 7247, + 7253, + 7283, + 7297, + 7307, + 7309, + 7321, + 7331, + 7333, + 7349, + 7351, + 7369, + 7393, + 7411, + 7417, + 7433, + 7451, + 7457, + 7459, + 7477, + 7481, + 7487, + 7489, + 7499, + 7507, + 7517, + 7523, + 7529, + 7537, + 7541, + 7547, + 7549, + 7559, + 7561, + 7573, + 7577, + 7583, + 7589, + 7591, + 7603, + 7607, + 7621, + 7639, + 7643, + 7649, + 7669, + 7673, + 7681, + 7687, + 7691, + 7699, + 7703, + 7717, + 7723, + 7727, + 7741, + 7753, + 7757, + 7759, + 7789, + 7793, + 7817, + 7823, + 7829, + 7841, + 7853, + 7867, + 7873, + 7877, + 7879, + 7883, + 7901, + 7907, + 7919, +}; diff --git a/sys/src/libsec/port/smallprimetest.c b/sys/src/libsec/port/smallprimetest.c new file mode 100755 index 000000000..cf94dac2a --- /dev/null +++ b/sys/src/libsec/port/smallprimetest.c @@ -0,0 +1,1039 @@ +#include "os.h" +#include <mp.h> +#include <libsec.h> + +static ulong smallprimes[] = { + 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, + 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, + 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, + 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, + 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, + 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, + 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, + 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, + 419, 421, 431, 433, 439, 443, 449, 457, 461, 463, + 467, 479, 487, 491, 499, 503, 509, 521, 523, 541, + 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, + 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, + 661, 673, 677, 683, 691, 701, 709, 719, 727, 733, + 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, + 811, 821, 823, 827, 829, 839, 853, 857, 859, 863, + 877, 881, 883, 887, 907, 911, 919, 929, 937, 941, + 947, 953, 967, 971, 977, 983, 991, 997, 1009, 1013, + 1019, 1021, 1031, 1033, 1039, 1049, 1051, 1061, 1063, 1069, + 1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151, + 1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, + 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289, 1291, + 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373, + 1381, 1399, 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451, + 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, + 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, + 1597, 1601, 1607, 1609, 1613, 1619, 1621, 1627, 1637, 1657, + 1663, 1667, 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733, + 1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811, + 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, 1879, 1889, + 1901, 1907, 1913, 1931, 1933, 1949, 1951, 1973, 1979, 1987, + 1993, 1997, 1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053, + 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, + 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213, + 2221, 2237, 2239, 2243, 2251, 2267, 2269, 2273, 2281, 2287, + 2293, 2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, + 2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, + 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, 2521, 2531, + 2539, 2543, 2549, 2551, 2557, 2579, 2591, 2593, 2609, 2617, + 2621, 2633, 2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687, + 2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, + 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801, 2803, 2819, + 2833, 2837, 2843, 2851, 2857, 2861, 2879, 2887, 2897, 2903, + 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999, + 3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079, + 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169, 3181, + 3187, 3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257, + 3259, 3271, 3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331, + 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, + 3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491, 3499, 3511, + 3517, 3527, 3529, 3533, 3539, 3541, 3547, 3557, 3559, 3571, + 3581, 3583, 3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643, + 3659, 3671, 3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727, + 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, 3803, 3821, + 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889, 3907, + 3911, 3917, 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989, + 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, + 4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139, + 4153, 4157, 4159, 4177, 4201, 4211, 4217, 4219, 4229, 4231, + 4241, 4243, 4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297, + 4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409, + 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, 4483, 4493, + 4507, 4513, 4517, 4519, 4523, 4547, 4549, 4561, 4567, 4583, + 4591, 4597, 4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657, + 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, + 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817, 4831, + 4861, 4871, 4877, 4889, 4903, 4909, 4919, 4931, 4933, 4937, + 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, + 5009, 5011, 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, + 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, 5171, 5179, + 5189, 5197, 5209, 5227, 5231, 5233, 5237, 5261, 5273, 5279, + 5281, 5297, 5303, 5309, 5323, 5333, 5347, 5351, 5381, 5387, + 5393, 5399, 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, + 5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507, 5519, 5521, + 5527, 5531, 5557, 5563, 5569, 5573, 5581, 5591, 5623, 5639, + 5641, 5647, 5651, 5653, 5657, 5659, 5669, 5683, 5689, 5693, + 5701, 5711, 5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791, + 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851, 5857, + 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939, + 5953, 5981, 5987, 6007, 6011, 6029, 6037, 6043, 6047, 6053, + 6067, 6073, 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, + 6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211, 6217, 6221, + 6229, 6247, 6257, 6263, 6269, 6271, 6277, 6287, 6299, 6301, + 6311, 6317, 6323, 6329, 6337, 6343, 6353, 6359, 6361, 6367, + 6373, 6379, 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473, + 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, 6569, 6571, + 6577, 6581, 6599, 6607, 6619, 6637, 6653, 6659, 6661, 6673, + 6679, 6689, 6691, 6701, 6703, 6709, 6719, 6733, 6737, 6761, + 6763, 6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, + 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917, + 6947, 6949, 6959, 6961, 6967, 6971, 6977, 6983, 6991, 6997, + 7001, 7013, 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, + 7109, 7121, 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207, + 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, 7283, 7297, + 7307, 7309, 7321, 7331, 7333, 7349, 7351, 7369, 7393, 7411, + 7417, 7433, 7451, 7457, 7459, 7477, 7481, 7487, 7489, 7499, + 7507, 7517, 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, + 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621, 7639, 7643, + 7649, 7669, 7673, 7681, 7687, 7691, 7699, 7703, 7717, 7723, + 7727, 7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829, + 7841, 7853, 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, + 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011, 8017, + 8039, 8053, 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111, + 8117, 8123, 8147, 8161, 8167, 8171, 8179, 8191, 8209, 8219, + 8221, 8231, 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, + 8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369, 8377, 8387, + 8389, 8419, 8423, 8429, 8431, 8443, 8447, 8461, 8467, 8501, + 8513, 8521, 8527, 8537, 8539, 8543, 8563, 8573, 8581, 8597, + 8599, 8609, 8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677, + 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737, 8741, + 8747, 8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831, + 8837, 8839, 8849, 8861, 8863, 8867, 8887, 8893, 8923, 8929, + 8933, 8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, + 9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109, + 9127, 9133, 9137, 9151, 9157, 9161, 9173, 9181, 9187, 9199, + 9203, 9209, 9221, 9227, 9239, 9241, 9257, 9277, 9281, 9283, + 9293, 9311, 9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377, + 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, 9437, 9439, + 9461, 9463, 9467, 9473, 9479, 9491, 9497, 9511, 9521, 9533, + 9539, 9547, 9551, 9587, 9601, 9613, 9619, 9623, 9629, 9631, + 9643, 9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, + 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811, + 9817, 9829, 9833, 9839, 9851, 9857, 9859, 9871, 9883, 9887, + 9901, 9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007, + 10009, 10037, 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, + 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, 10169, 10177, + 10181, 10193, 10211, 10223, 10243, 10247, 10253, 10259, 10267, 10271, + 10273, 10289, 10301, 10303, 10313, 10321, 10331, 10333, 10337, 10343, + 10357, 10369, 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, + 10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531, 10559, 10567, + 10589, 10597, 10601, 10607, 10613, 10627, 10631, 10639, 10651, 10657, + 10663, 10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733, 10739, + 10753, 10771, 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859, + 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 10939, 10949, + 10957, 10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059, + 11069, 11071, 11083, 11087, 11093, 11113, 11117, 11119, 11131, 11149, + 11159, 11161, 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, + 11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317, 11321, 11329, + 11351, 11353, 11369, 11383, 11393, 11399, 11411, 11423, 11437, 11443, + 11447, 11467, 11471, 11483, 11489, 11491, 11497, 11503, 11519, 11527, + 11549, 11551, 11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657, + 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, 11743, 11777, + 11779, 11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831, 11833, + 11839, 11863, 11867, 11887, 11897, 11903, 11909, 11923, 11927, 11933, + 11939, 11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, + 12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109, + 12113, 12119, 12143, 12149, 12157, 12161, 12163, 12197, 12203, 12211, + 12227, 12239, 12241, 12251, 12253, 12263, 12269, 12277, 12281, 12289, + 12301, 12323, 12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401, + 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, 12479, 12487, + 12491, 12497, 12503, 12511, 12517, 12527, 12539, 12541, 12547, 12553, + 12569, 12577, 12583, 12589, 12601, 12611, 12613, 12619, 12637, 12641, + 12647, 12653, 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, + 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823, 12829, + 12841, 12853, 12889, 12893, 12899, 12907, 12911, 12917, 12919, 12923, + 12941, 12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007, + 13009, 13033, 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, + 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, 13183, 13187, + 13217, 13219, 13229, 13241, 13249, 13259, 13267, 13291, 13297, 13309, + 13313, 13327, 13331, 13337, 13339, 13367, 13381, 13397, 13399, 13411, + 13417, 13421, 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, + 13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597, 13613, 13619, + 13627, 13633, 13649, 13669, 13679, 13681, 13687, 13691, 13693, 13697, + 13709, 13711, 13721, 13723, 13729, 13751, 13757, 13759, 13763, 13781, + 13789, 13799, 13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879, + 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963, 13967, + 13997, 13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081, + 14083, 14087, 14107, 14143, 14149, 14153, 14159, 14173, 14177, 14197, + 14207, 14221, 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, + 14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407, 14411, 14419, + 14423, 14431, 14437, 14447, 14449, 14461, 14479, 14489, 14503, 14519, + 14533, 14537, 14543, 14549, 14551, 14557, 14561, 14563, 14591, 14593, + 14621, 14627, 14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699, + 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, 14759, 14767, + 14771, 14779, 14783, 14797, 14813, 14821, 14827, 14831, 14843, 14851, + 14867, 14869, 14879, 14887, 14891, 14897, 14923, 14929, 14939, 14947, + 14951, 14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, + 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149, + 15161, 15173, 15187, 15193, 15199, 15217, 15227, 15233, 15241, 15259, + 15263, 15269, 15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319, + 15329, 15331, 15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401, + 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, 15493, 15497, + 15511, 15527, 15541, 15551, 15559, 15569, 15581, 15583, 15601, 15607, + 15619, 15629, 15641, 15643, 15647, 15649, 15661, 15667, 15671, 15679, + 15683, 15727, 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, + 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859, 15877, 15881, + 15887, 15889, 15901, 15907, 15913, 15919, 15923, 15937, 15959, 15971, + 15973, 15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069, + 16073, 16087, 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, + 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, 16253, 16267, + 16273, 16301, 16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381, + 16411, 16417, 16421, 16427, 16433, 16447, 16451, 16453, 16477, 16481, + 16487, 16493, 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, + 16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661, 16673, 16691, + 16693, 16699, 16703, 16729, 16741, 16747, 16759, 16763, 16787, 16811, + 16823, 16829, 16831, 16843, 16871, 16879, 16883, 16889, 16901, 16903, + 16921, 16927, 16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993, + 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077, 17093, + 17099, 17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191, + 17203, 17207, 17209, 17231, 17239, 17257, 17291, 17293, 17299, 17317, + 17321, 17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, + 17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477, + 17483, 17489, 17491, 17497, 17509, 17519, 17539, 17551, 17569, 17573, + 17579, 17581, 17597, 17599, 17609, 17623, 17627, 17657, 17659, 17669, + 17681, 17683, 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783, + 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, 17881, 17891, + 17903, 17909, 17911, 17921, 17923, 17929, 17939, 17957, 17959, 17971, + 17977, 17981, 17987, 17989, 18013, 18041, 18043, 18047, 18049, 18059, + 18061, 18077, 18089, 18097, 18119, 18121, 18127, 18131, 18133, 18143, + 18149, 18169, 18181, 18191, 18199, 18211, 18217, 18223, 18229, 18233, + 18251, 18253, 18257, 18269, 18287, 18289, 18301, 18307, 18311, 18313, + 18329, 18341, 18353, 18367, 18371, 18379, 18397, 18401, 18413, 18427, + 18433, 18439, 18443, 18451, 18457, 18461, 18481, 18493, 18503, 18517, + 18521, 18523, 18539, 18541, 18553, 18583, 18587, 18593, 18617, 18637, + 18661, 18671, 18679, 18691, 18701, 18713, 18719, 18731, 18743, 18749, + 18757, 18773, 18787, 18793, 18797, 18803, 18839, 18859, 18869, 18899, + 18911, 18913, 18917, 18919, 18947, 18959, 18973, 18979, 19001, 19009, + 19013, 19031, 19037, 19051, 19069, 19073, 19079, 19081, 19087, 19121, + 19139, 19141, 19157, 19163, 19181, 19183, 19207, 19211, 19213, 19219, + 19231, 19237, 19249, 19259, 19267, 19273, 19289, 19301, 19309, 19319, + 19333, 19373, 19379, 19381, 19387, 19391, 19403, 19417, 19421, 19423, + 19427, 19429, 19433, 19441, 19447, 19457, 19463, 19469, 19471, 19477, + 19483, 19489, 19501, 19507, 19531, 19541, 19543, 19553, 19559, 19571, + 19577, 19583, 19597, 19603, 19609, 19661, 19681, 19687, 19697, 19699, + 19709, 19717, 19727, 19739, 19751, 19753, 19759, 19763, 19777, 19793, + 19801, 19813, 19819, 19841, 19843, 19853, 19861, 19867, 19889, 19891, + 19913, 19919, 19927, 19937, 19949, 19961, 19963, 19973, 19979, 19991, + 19993, 19997, 20011, 20021, 20023, 20029, 20047, 20051, 20063, 20071, + 20089, 20101, 20107, 20113, 20117, 20123, 20129, 20143, 20147, 20149, + 20161, 20173, 20177, 20183, 20201, 20219, 20231, 20233, 20249, 20261, + 20269, 20287, 20297, 20323, 20327, 20333, 20341, 20347, 20353, 20357, + 20359, 20369, 20389, 20393, 20399, 20407, 20411, 20431, 20441, 20443, + 20477, 20479, 20483, 20507, 20509, 20521, 20533, 20543, 20549, 20551, + 20563, 20593, 20599, 20611, 20627, 20639, 20641, 20663, 20681, 20693, + 20707, 20717, 20719, 20731, 20743, 20747, 20749, 20753, 20759, 20771, + 20773, 20789, 20807, 20809, 20849, 20857, 20873, 20879, 20887, 20897, + 20899, 20903, 20921, 20929, 20939, 20947, 20959, 20963, 20981, 20983, + 21001, 21011, 21013, 21017, 21019, 21023, 21031, 21059, 21061, 21067, + 21089, 21101, 21107, 21121, 21139, 21143, 21149, 21157, 21163, 21169, + 21179, 21187, 21191, 21193, 21211, 21221, 21227, 21247, 21269, 21277, + 21283, 21313, 21317, 21319, 21323, 21341, 21347, 21377, 21379, 21383, + 21391, 21397, 21401, 21407, 21419, 21433, 21467, 21481, 21487, 21491, + 21493, 21499, 21503, 21517, 21521, 21523, 21529, 21557, 21559, 21563, + 21569, 21577, 21587, 21589, 21599, 21601, 21611, 21613, 21617, 21647, + 21649, 21661, 21673, 21683, 21701, 21713, 21727, 21737, 21739, 21751, + 21757, 21767, 21773, 21787, 21799, 21803, 21817, 21821, 21839, 21841, + 21851, 21859, 21863, 21871, 21881, 21893, 21911, 21929, 21937, 21943, + 21961, 21977, 21991, 21997, 22003, 22013, 22027, 22031, 22037, 22039, + 22051, 22063, 22067, 22073, 22079, 22091, 22093, 22109, 22111, 22123, + 22129, 22133, 22147, 22153, 22157, 22159, 22171, 22189, 22193, 22229, + 22247, 22259, 22271, 22273, 22277, 22279, 22283, 22291, 22303, 22307, + 22343, 22349, 22367, 22369, 22381, 22391, 22397, 22409, 22433, 22441, + 22447, 22453, 22469, 22481, 22483, 22501, 22511, 22531, 22541, 22543, + 22549, 22567, 22571, 22573, 22613, 22619, 22621, 22637, 22639, 22643, + 22651, 22669, 22679, 22691, 22697, 22699, 22709, 22717, 22721, 22727, + 22739, 22741, 22751, 22769, 22777, 22783, 22787, 22807, 22811, 22817, + 22853, 22859, 22861, 22871, 22877, 22901, 22907, 22921, 22937, 22943, + 22961, 22963, 22973, 22993, 23003, 23011, 23017, 23021, 23027, 23029, + 23039, 23041, 23053, 23057, 23059, 23063, 23071, 23081, 23087, 23099, + 23117, 23131, 23143, 23159, 23167, 23173, 23189, 23197, 23201, 23203, + 23209, 23227, 23251, 23269, 23279, 23291, 23293, 23297, 23311, 23321, + 23327, 23333, 23339, 23357, 23369, 23371, 23399, 23417, 23431, 23447, + 23459, 23473, 23497, 23509, 23531, 23537, 23539, 23549, 23557, 23561, + 23563, 23567, 23581, 23593, 23599, 23603, 23609, 23623, 23627, 23629, + 23633, 23663, 23669, 23671, 23677, 23687, 23689, 23719, 23741, 23743, + 23747, 23753, 23761, 23767, 23773, 23789, 23801, 23813, 23819, 23827, + 23831, 23833, 23857, 23869, 23873, 23879, 23887, 23893, 23899, 23909, + 23911, 23917, 23929, 23957, 23971, 23977, 23981, 23993, 24001, 24007, + 24019, 24023, 24029, 24043, 24049, 24061, 24071, 24077, 24083, 24091, + 24097, 24103, 24107, 24109, 24113, 24121, 24133, 24137, 24151, 24169, + 24179, 24181, 24197, 24203, 24223, 24229, 24239, 24247, 24251, 24281, + 24317, 24329, 24337, 24359, 24371, 24373, 24379, 24391, 24407, 24413, + 24419, 24421, 24439, 24443, 24469, 24473, 24481, 24499, 24509, 24517, + 24527, 24533, 24547, 24551, 24571, 24593, 24611, 24623, 24631, 24659, + 24671, 24677, 24683, 24691, 24697, 24709, 24733, 24749, 24763, 24767, + 24781, 24793, 24799, 24809, 24821, 24841, 24847, 24851, 24859, 24877, + 24889, 24907, 24917, 24919, 24923, 24943, 24953, 24967, 24971, 24977, + 24979, 24989, 25013, 25031, 25033, 25037, 25057, 25073, 25087, 25097, + 25111, 25117, 25121, 25127, 25147, 25153, 25163, 25169, 25171, 25183, + 25189, 25219, 25229, 25237, 25243, 25247, 25253, 25261, 25301, 25303, + 25307, 25309, 25321, 25339, 25343, 25349, 25357, 25367, 25373, 25391, + 25409, 25411, 25423, 25439, 25447, 25453, 25457, 25463, 25469, 25471, + 25523, 25537, 25541, 25561, 25577, 25579, 25583, 25589, 25601, 25603, + 25609, 25621, 25633, 25639, 25643, 25657, 25667, 25673, 25679, 25693, + 25703, 25717, 25733, 25741, 25747, 25759, 25763, 25771, 25793, 25799, + 25801, 25819, 25841, 25847, 25849, 25867, 25873, 25889, 25903, 25913, + 25919, 25931, 25933, 25939, 25943, 25951, 25969, 25981, 25997, 25999, + 26003, 26017, 26021, 26029, 26041, 26053, 26083, 26099, 26107, 26111, + 26113, 26119, 26141, 26153, 26161, 26171, 26177, 26183, 26189, 26203, + 26209, 26227, 26237, 26249, 26251, 26261, 26263, 26267, 26293, 26297, + 26309, 26317, 26321, 26339, 26347, 26357, 26371, 26387, 26393, 26399, + 26407, 26417, 26423, 26431, 26437, 26449, 26459, 26479, 26489, 26497, + 26501, 26513, 26539, 26557, 26561, 26573, 26591, 26597, 26627, 26633, + 26641, 26647, 26669, 26681, 26683, 26687, 26693, 26699, 26701, 26711, + 26713, 26717, 26723, 26729, 26731, 26737, 26759, 26777, 26783, 26801, + 26813, 26821, 26833, 26839, 26849, 26861, 26863, 26879, 26881, 26891, + 26893, 26903, 26921, 26927, 26947, 26951, 26953, 26959, 26981, 26987, + 26993, 27011, 27017, 27031, 27043, 27059, 27061, 27067, 27073, 27077, + 27091, 27103, 27107, 27109, 27127, 27143, 27179, 27191, 27197, 27211, + 27239, 27241, 27253, 27259, 27271, 27277, 27281, 27283, 27299, 27329, + 27337, 27361, 27367, 27397, 27407, 27409, 27427, 27431, 27437, 27449, + 27457, 27479, 27481, 27487, 27509, 27527, 27529, 27539, 27541, 27551, + 27581, 27583, 27611, 27617, 27631, 27647, 27653, 27673, 27689, 27691, + 27697, 27701, 27733, 27737, 27739, 27743, 27749, 27751, 27763, 27767, + 27773, 27779, 27791, 27793, 27799, 27803, 27809, 27817, 27823, 27827, + 27847, 27851, 27883, 27893, 27901, 27917, 27919, 27941, 27943, 27947, + 27953, 27961, 27967, 27983, 27997, 28001, 28019, 28027, 28031, 28051, + 28057, 28069, 28081, 28087, 28097, 28099, 28109, 28111, 28123, 28151, + 28163, 28181, 28183, 28201, 28211, 28219, 28229, 28277, 28279, 28283, + 28289, 28297, 28307, 28309, 28319, 28349, 28351, 28387, 28393, 28403, + 28409, 28411, 28429, 28433, 28439, 28447, 28463, 28477, 28493, 28499, + 28513, 28517, 28537, 28541, 28547, 28549, 28559, 28571, 28573, 28579, + 28591, 28597, 28603, 28607, 28619, 28621, 28627, 28631, 28643, 28649, + 28657, 28661, 28663, 28669, 28687, 28697, 28703, 28711, 28723, 28729, + 28751, 28753, 28759, 28771, 28789, 28793, 28807, 28813, 28817, 28837, + 28843, 28859, 28867, 28871, 28879, 28901, 28909, 28921, 28927, 28933, + 28949, 28961, 28979, 29009, 29017, 29021, 29023, 29027, 29033, 29059, + 29063, 29077, 29101, 29123, 29129, 29131, 29137, 29147, 29153, 29167, + 29173, 29179, 29191, 29201, 29207, 29209, 29221, 29231, 29243, 29251, + 29269, 29287, 29297, 29303, 29311, 29327, 29333, 29339, 29347, 29363, + 29383, 29387, 29389, 29399, 29401, 29411, 29423, 29429, 29437, 29443, + 29453, 29473, 29483, 29501, 29527, 29531, 29537, 29567, 29569, 29573, + 29581, 29587, 29599, 29611, 29629, 29633, 29641, 29663, 29669, 29671, + 29683, 29717, 29723, 29741, 29753, 29759, 29761, 29789, 29803, 29819, + 29833, 29837, 29851, 29863, 29867, 29873, 29879, 29881, 29917, 29921, + 29927, 29947, 29959, 29983, 29989, 30011, 30013, 30029, 30047, 30059, + 30071, 30089, 30091, 30097, 30103, 30109, 30113, 30119, 30133, 30137, + 30139, 30161, 30169, 30181, 30187, 30197, 30203, 30211, 30223, 30241, + 30253, 30259, 30269, 30271, 30293, 30307, 30313, 30319, 30323, 30341, + 30347, 30367, 30389, 30391, 30403, 30427, 30431, 30449, 30467, 30469, + 30491, 30493, 30497, 30509, 30517, 30529, 30539, 30553, 30557, 30559, + 30577, 30593, 30631, 30637, 30643, 30649, 30661, 30671, 30677, 30689, + 30697, 30703, 30707, 30713, 30727, 30757, 30763, 30773, 30781, 30803, + 30809, 30817, 30829, 30839, 30841, 30851, 30853, 30859, 30869, 30871, + 30881, 30893, 30911, 30931, 30937, 30941, 30949, 30971, 30977, 30983, + 31013, 31019, 31033, 31039, 31051, 31063, 31069, 31079, 31081, 31091, + 31121, 31123, 31139, 31147, 31151, 31153, 31159, 31177, 31181, 31183, + 31189, 31193, 31219, 31223, 31231, 31237, 31247, 31249, 31253, 31259, + 31267, 31271, 31277, 31307, 31319, 31321, 31327, 31333, 31337, 31357, + 31379, 31387, 31391, 31393, 31397, 31469, 31477, 31481, 31489, 31511, + 31513, 31517, 31531, 31541, 31543, 31547, 31567, 31573, 31583, 31601, + 31607, 31627, 31643, 31649, 31657, 31663, 31667, 31687, 31699, 31721, + 31723, 31727, 31729, 31741, 31751, 31769, 31771, 31793, 31799, 31817, + 31847, 31849, 31859, 31873, 31883, 31891, 31907, 31957, 31963, 31973, + 31981, 31991, 32003, 32009, 32027, 32029, 32051, 32057, 32059, 32063, + 32069, 32077, 32083, 32089, 32099, 32117, 32119, 32141, 32143, 32159, + 32173, 32183, 32189, 32191, 32203, 32213, 32233, 32237, 32251, 32257, + 32261, 32297, 32299, 32303, 32309, 32321, 32323, 32327, 32341, 32353, + 32359, 32363, 32369, 32371, 32377, 32381, 32401, 32411, 32413, 32423, + 32429, 32441, 32443, 32467, 32479, 32491, 32497, 32503, 32507, 32531, + 32533, 32537, 32561, 32563, 32569, 32573, 32579, 32587, 32603, 32609, + 32611, 32621, 32633, 32647, 32653, 32687, 32693, 32707, 32713, 32717, + 32719, 32749, 32771, 32779, 32783, 32789, 32797, 32801, 32803, 32831, + 32833, 32839, 32843, 32869, 32887, 32909, 32911, 32917, 32933, 32939, + 32941, 32957, 32969, 32971, 32983, 32987, 32993, 32999, 33013, 33023, + 33029, 33037, 33049, 33053, 33071, 33073, 33083, 33091, 33107, 33113, + 33119, 33149, 33151, 33161, 33179, 33181, 33191, 33199, 33203, 33211, + 33223, 33247, 33287, 33289, 33301, 33311, 33317, 33329, 33331, 33343, + 33347, 33349, 33353, 33359, 33377, 33391, 33403, 33409, 33413, 33427, + 33457, 33461, 33469, 33479, 33487, 33493, 33503, 33521, 33529, 33533, + 33547, 33563, 33569, 33577, 33581, 33587, 33589, 33599, 33601, 33613, + 33617, 33619, 33623, 33629, 33637, 33641, 33647, 33679, 33703, 33713, + 33721, 33739, 33749, 33751, 33757, 33767, 33769, 33773, 33791, 33797, + 33809, 33811, 33827, 33829, 33851, 33857, 33863, 33871, 33889, 33893, + 33911, 33923, 33931, 33937, 33941, 33961, 33967, 33997, 34019, 34031, + 34033, 34039, 34057, 34061, 34123, 34127, 34129, 34141, 34147, 34157, + 34159, 34171, 34183, 34211, 34213, 34217, 34231, 34253, 34259, 34261, + 34267, 34273, 34283, 34297, 34301, 34303, 34313, 34319, 34327, 34337, + 34351, 34361, 34367, 34369, 34381, 34403, 34421, 34429, 34439, 34457, + 34469, 34471, 34483, 34487, 34499, 34501, 34511, 34513, 34519, 34537, + 34543, 34549, 34583, 34589, 34591, 34603, 34607, 34613, 34631, 34649, + 34651, 34667, 34673, 34679, 34687, 34693, 34703, 34721, 34729, 34739, + 34747, 34757, 34759, 34763, 34781, 34807, 34819, 34841, 34843, 34847, + 34849, 34871, 34877, 34883, 34897, 34913, 34919, 34939, 34949, 34961, + 34963, 34981, 35023, 35027, 35051, 35053, 35059, 35069, 35081, 35083, + 35089, 35099, 35107, 35111, 35117, 35129, 35141, 35149, 35153, 35159, + 35171, 35201, 35221, 35227, 35251, 35257, 35267, 35279, 35281, 35291, + 35311, 35317, 35323, 35327, 35339, 35353, 35363, 35381, 35393, 35401, + 35407, 35419, 35423, 35437, 35447, 35449, 35461, 35491, 35507, 35509, + 35521, 35527, 35531, 35533, 35537, 35543, 35569, 35573, 35591, 35593, + 35597, 35603, 35617, 35671, 35677, 35729, 35731, 35747, 35753, 35759, + 35771, 35797, 35801, 35803, 35809, 35831, 35837, 35839, 35851, 35863, + 35869, 35879, 35897, 35899, 35911, 35923, 35933, 35951, 35963, 35969, + 35977, 35983, 35993, 35999, 36007, 36011, 36013, 36017, 36037, 36061, + 36067, 36073, 36083, 36097, 36107, 36109, 36131, 36137, 36151, 36161, + 36187, 36191, 36209, 36217, 36229, 36241, 36251, 36263, 36269, 36277, + 36293, 36299, 36307, 36313, 36319, 36341, 36343, 36353, 36373, 36383, + 36389, 36433, 36451, 36457, 36467, 36469, 36473, 36479, 36493, 36497, + 36523, 36527, 36529, 36541, 36551, 36559, 36563, 36571, 36583, 36587, + 36599, 36607, 36629, 36637, 36643, 36653, 36671, 36677, 36683, 36691, + 36697, 36709, 36713, 36721, 36739, 36749, 36761, 36767, 36779, 36781, + 36787, 36791, 36793, 36809, 36821, 36833, 36847, 36857, 36871, 36877, + 36887, 36899, 36901, 36913, 36919, 36923, 36929, 36931, 36943, 36947, + 36973, 36979, 36997, 37003, 37013, 37019, 37021, 37039, 37049, 37057, + 37061, 37087, 37097, 37117, 37123, 37139, 37159, 37171, 37181, 37189, + 37199, 37201, 37217, 37223, 37243, 37253, 37273, 37277, 37307, 37309, + 37313, 37321, 37337, 37339, 37357, 37361, 37363, 37369, 37379, 37397, + 37409, 37423, 37441, 37447, 37463, 37483, 37489, 37493, 37501, 37507, + 37511, 37517, 37529, 37537, 37547, 37549, 37561, 37567, 37571, 37573, + 37579, 37589, 37591, 37607, 37619, 37633, 37643, 37649, 37657, 37663, + 37691, 37693, 37699, 37717, 37747, 37781, 37783, 37799, 37811, 37813, + 37831, 37847, 37853, 37861, 37871, 37879, 37889, 37897, 37907, 37951, + 37957, 37963, 37967, 37987, 37991, 37993, 37997, 38011, 38039, 38047, + 38053, 38069, 38083, 38113, 38119, 38149, 38153, 38167, 38177, 38183, + 38189, 38197, 38201, 38219, 38231, 38237, 38239, 38261, 38273, 38281, + 38287, 38299, 38303, 38317, 38321, 38327, 38329, 38333, 38351, 38371, + 38377, 38393, 38431, 38447, 38449, 38453, 38459, 38461, 38501, 38543, + 38557, 38561, 38567, 38569, 38593, 38603, 38609, 38611, 38629, 38639, + 38651, 38653, 38669, 38671, 38677, 38693, 38699, 38707, 38711, 38713, + 38723, 38729, 38737, 38747, 38749, 38767, 38783, 38791, 38803, 38821, + 38833, 38839, 38851, 38861, 38867, 38873, 38891, 38903, 38917, 38921, + 38923, 38933, 38953, 38959, 38971, 38977, 38993, 39019, 39023, 39041, + 39043, 39047, 39079, 39089, 39097, 39103, 39107, 39113, 39119, 39133, + 39139, 39157, 39161, 39163, 39181, 39191, 39199, 39209, 39217, 39227, + 39229, 39233, 39239, 39241, 39251, 39293, 39301, 39313, 39317, 39323, + 39341, 39343, 39359, 39367, 39371, 39373, 39383, 39397, 39409, 39419, + 39439, 39443, 39451, 39461, 39499, 39503, 39509, 39511, 39521, 39541, + 39551, 39563, 39569, 39581, 39607, 39619, 39623, 39631, 39659, 39667, + 39671, 39679, 39703, 39709, 39719, 39727, 39733, 39749, 39761, 39769, + 39779, 39791, 39799, 39821, 39827, 39829, 39839, 39841, 39847, 39857, + 39863, 39869, 39877, 39883, 39887, 39901, 39929, 39937, 39953, 39971, + 39979, 39983, 39989, 40009, 40013, 40031, 40037, 40039, 40063, 40087, + 40093, 40099, 40111, 40123, 40127, 40129, 40151, 40153, 40163, 40169, + 40177, 40189, 40193, 40213, 40231, 40237, 40241, 40253, 40277, 40283, + 40289, 40343, 40351, 40357, 40361, 40387, 40423, 40427, 40429, 40433, + 40459, 40471, 40483, 40487, 40493, 40499, 40507, 40519, 40529, 40531, + 40543, 40559, 40577, 40583, 40591, 40597, 40609, 40627, 40637, 40639, + 40693, 40697, 40699, 40709, 40739, 40751, 40759, 40763, 40771, 40787, + 40801, 40813, 40819, 40823, 40829, 40841, 40847, 40849, 40853, 40867, + 40879, 40883, 40897, 40903, 40927, 40933, 40939, 40949, 40961, 40973, + 40993, 41011, 41017, 41023, 41039, 41047, 41051, 41057, 41077, 41081, + 41113, 41117, 41131, 41141, 41143, 41149, 41161, 41177, 41179, 41183, + 41189, 41201, 41203, 41213, 41221, 41227, 41231, 41233, 41243, 41257, + 41263, 41269, 41281, 41299, 41333, 41341, 41351, 41357, 41381, 41387, + 41389, 41399, 41411, 41413, 41443, 41453, 41467, 41479, 41491, 41507, + 41513, 41519, 41521, 41539, 41543, 41549, 41579, 41593, 41597, 41603, + 41609, 41611, 41617, 41621, 41627, 41641, 41647, 41651, 41659, 41669, + 41681, 41687, 41719, 41729, 41737, 41759, 41761, 41771, 41777, 41801, + 41809, 41813, 41843, 41849, 41851, 41863, 41879, 41887, 41893, 41897, + 41903, 41911, 41927, 41941, 41947, 41953, 41957, 41959, 41969, 41981, + 41983, 41999, 42013, 42017, 42019, 42023, 42043, 42061, 42071, 42073, + 42083, 42089, 42101, 42131, 42139, 42157, 42169, 42179, 42181, 42187, + 42193, 42197, 42209, 42221, 42223, 42227, 42239, 42257, 42281, 42283, + 42293, 42299, 42307, 42323, 42331, 42337, 42349, 42359, 42373, 42379, + 42391, 42397, 42403, 42407, 42409, 42433, 42437, 42443, 42451, 42457, + 42461, 42463, 42467, 42473, 42487, 42491, 42499, 42509, 42533, 42557, + 42569, 42571, 42577, 42589, 42611, 42641, 42643, 42649, 42667, 42677, + 42683, 42689, 42697, 42701, 42703, 42709, 42719, 42727, 42737, 42743, + 42751, 42767, 42773, 42787, 42793, 42797, 42821, 42829, 42839, 42841, + 42853, 42859, 42863, 42899, 42901, 42923, 42929, 42937, 42943, 42953, + 42961, 42967, 42979, 42989, 43003, 43013, 43019, 43037, 43049, 43051, + 43063, 43067, 43093, 43103, 43117, 43133, 43151, 43159, 43177, 43189, + 43201, 43207, 43223, 43237, 43261, 43271, 43283, 43291, 43313, 43319, + 43321, 43331, 43391, 43397, 43399, 43403, 43411, 43427, 43441, 43451, + 43457, 43481, 43487, 43499, 43517, 43541, 43543, 43573, 43577, 43579, + 43591, 43597, 43607, 43609, 43613, 43627, 43633, 43649, 43651, 43661, + 43669, 43691, 43711, 43717, 43721, 43753, 43759, 43777, 43781, 43783, + 43787, 43789, 43793, 43801, 43853, 43867, 43889, 43891, 43913, 43933, + 43943, 43951, 43961, 43963, 43969, 43973, 43987, 43991, 43997, 44017, + 44021, 44027, 44029, 44041, 44053, 44059, 44071, 44087, 44089, 44101, + 44111, 44119, 44123, 44129, 44131, 44159, 44171, 44179, 44189, 44201, + 44203, 44207, 44221, 44249, 44257, 44263, 44267, 44269, 44273, 44279, + 44281, 44293, 44351, 44357, 44371, 44381, 44383, 44389, 44417, 44449, + 44453, 44483, 44491, 44497, 44501, 44507, 44519, 44531, 44533, 44537, + 44543, 44549, 44563, 44579, 44587, 44617, 44621, 44623, 44633, 44641, + 44647, 44651, 44657, 44683, 44687, 44699, 44701, 44711, 44729, 44741, + 44753, 44771, 44773, 44777, 44789, 44797, 44809, 44819, 44839, 44843, + 44851, 44867, 44879, 44887, 44893, 44909, 44917, 44927, 44939, 44953, + 44959, 44963, 44971, 44983, 44987, 45007, 45013, 45053, 45061, 45077, + 45083, 45119, 45121, 45127, 45131, 45137, 45139, 45161, 45179, 45181, + 45191, 45197, 45233, 45247, 45259, 45263, 45281, 45289, 45293, 45307, + 45317, 45319, 45329, 45337, 45341, 45343, 45361, 45377, 45389, 45403, + 45413, 45427, 45433, 45439, 45481, 45491, 45497, 45503, 45523, 45533, + 45541, 45553, 45557, 45569, 45587, 45589, 45599, 45613, 45631, 45641, + 45659, 45667, 45673, 45677, 45691, 45697, 45707, 45737, 45751, 45757, + 45763, 45767, 45779, 45817, 45821, 45823, 45827, 45833, 45841, 45853, + 45863, 45869, 45887, 45893, 45943, 45949, 45953, 45959, 45971, 45979, + 45989, 46021, 46027, 46049, 46051, 46061, 46073, 46091, 46093, 46099, + 46103, 46133, 46141, 46147, 46153, 46171, 46181, 46183, 46187, 46199, + 46219, 46229, 46237, 46261, 46271, 46273, 46279, 46301, 46307, 46309, + 46327, 46337, 46349, 46351, 46381, 46399, 46411, 46439, 46441, 46447, + 46451, 46457, 46471, 46477, 46489, 46499, 46507, 46511, 46523, 46549, + 46559, 46567, 46573, 46589, 46591, 46601, 46619, 46633, 46639, 46643, + 46649, 46663, 46679, 46681, 46687, 46691, 46703, 46723, 46727, 46747, + 46751, 46757, 46769, 46771, 46807, 46811, 46817, 46819, 46829, 46831, + 46853, 46861, 46867, 46877, 46889, 46901, 46919, 46933, 46957, 46993, + 46997, 47017, 47041, 47051, 47057, 47059, 47087, 47093, 47111, 47119, + 47123, 47129, 47137, 47143, 47147, 47149, 47161, 47189, 47207, 47221, + 47237, 47251, 47269, 47279, 47287, 47293, 47297, 47303, 47309, 47317, + 47339, 47351, 47353, 47363, 47381, 47387, 47389, 47407, 47417, 47419, + 47431, 47441, 47459, 47491, 47497, 47501, 47507, 47513, 47521, 47527, + 47533, 47543, 47563, 47569, 47581, 47591, 47599, 47609, 47623, 47629, + 47639, 47653, 47657, 47659, 47681, 47699, 47701, 47711, 47713, 47717, + 47737, 47741, 47743, 47777, 47779, 47791, 47797, 47807, 47809, 47819, + 47837, 47843, 47857, 47869, 47881, 47903, 47911, 47917, 47933, 47939, + 47947, 47951, 47963, 47969, 47977, 47981, 48017, 48023, 48029, 48049, + 48073, 48079, 48091, 48109, 48119, 48121, 48131, 48157, 48163, 48179, + 48187, 48193, 48197, 48221, 48239, 48247, 48259, 48271, 48281, 48299, + 48311, 48313, 48337, 48341, 48353, 48371, 48383, 48397, 48407, 48409, + 48413, 48437, 48449, 48463, 48473, 48479, 48481, 48487, 48491, 48497, + 48523, 48527, 48533, 48539, 48541, 48563, 48571, 48589, 48593, 48611, + 48619, 48623, 48647, 48649, 48661, 48673, 48677, 48679, 48731, 48733, + 48751, 48757, 48761, 48767, 48779, 48781, 48787, 48799, 48809, 48817, + 48821, 48823, 48847, 48857, 48859, 48869, 48871, 48883, 48889, 48907, + 48947, 48953, 48973, 48989, 48991, 49003, 49009, 49019, 49031, 49033, + 49037, 49043, 49057, 49069, 49081, 49103, 49109, 49117, 49121, 49123, + 49139, 49157, 49169, 49171, 49177, 49193, 49199, 49201, 49207, 49211, + 49223, 49253, 49261, 49277, 49279, 49297, 49307, 49331, 49333, 49339, + 49363, 49367, 49369, 49391, 49393, 49409, 49411, 49417, 49429, 49433, + 49451, 49459, 49463, 49477, 49481, 49499, 49523, 49529, 49531, 49537, + 49547, 49549, 49559, 49597, 49603, 49613, 49627, 49633, 49639, 49663, + 49667, 49669, 49681, 49697, 49711, 49727, 49739, 49741, 49747, 49757, + 49783, 49787, 49789, 49801, 49807, 49811, 49823, 49831, 49843, 49853, + 49871, 49877, 49891, 49919, 49921, 49927, 49937, 49939, 49943, 49957, + 49991, 49993, 49999, 50021, 50023, 50033, 50047, 50051, 50053, 50069, + 50077, 50087, 50093, 50101, 50111, 50119, 50123, 50129, 50131, 50147, + 50153, 50159, 50177, 50207, 50221, 50227, 50231, 50261, 50263, 50273, + 50287, 50291, 50311, 50321, 50329, 50333, 50341, 50359, 50363, 50377, + 50383, 50387, 50411, 50417, 50423, 50441, 50459, 50461, 50497, 50503, + 50513, 50527, 50539, 50543, 50549, 50551, 50581, 50587, 50591, 50593, + 50599, 50627, 50647, 50651, 50671, 50683, 50707, 50723, 50741, 50753, + 50767, 50773, 50777, 50789, 50821, 50833, 50839, 50849, 50857, 50867, + 50873, 50891, 50893, 50909, 50923, 50929, 50951, 50957, 50969, 50971, + 50989, 50993, 51001, 51031, 51043, 51047, 51059, 51061, 51071, 51109, + 51131, 51133, 51137, 51151, 51157, 51169, 51193, 51197, 51199, 51203, + 51217, 51229, 51239, 51241, 51257, 51263, 51283, 51287, 51307, 51329, + 51341, 51343, 51347, 51349, 51361, 51383, 51407, 51413, 51419, 51421, + 51427, 51431, 51437, 51439, 51449, 51461, 51473, 51479, 51481, 51487, + 51503, 51511, 51517, 51521, 51539, 51551, 51563, 51577, 51581, 51593, + 51599, 51607, 51613, 51631, 51637, 51647, 51659, 51673, 51679, 51683, + 51691, 51713, 51719, 51721, 51749, 51767, 51769, 51787, 51797, 51803, + 51817, 51827, 51829, 51839, 51853, 51859, 51869, 51871, 51893, 51899, + 51907, 51913, 51929, 51941, 51949, 51971, 51973, 51977, 51991, 52009, + 52021, 52027, 52051, 52057, 52067, 52069, 52081, 52103, 52121, 52127, + 52147, 52153, 52163, 52177, 52181, 52183, 52189, 52201, 52223, 52237, + 52249, 52253, 52259, 52267, 52289, 52291, 52301, 52313, 52321, 52361, + 52363, 52369, 52379, 52387, 52391, 52433, 52453, 52457, 52489, 52501, + 52511, 52517, 52529, 52541, 52543, 52553, 52561, 52567, 52571, 52579, + 52583, 52609, 52627, 52631, 52639, 52667, 52673, 52691, 52697, 52709, + 52711, 52721, 52727, 52733, 52747, 52757, 52769, 52783, 52807, 52813, + 52817, 52837, 52859, 52861, 52879, 52883, 52889, 52901, 52903, 52919, + 52937, 52951, 52957, 52963, 52967, 52973, 52981, 52999, 53003, 53017, + 53047, 53051, 53069, 53077, 53087, 53089, 53093, 53101, 53113, 53117, + 53129, 53147, 53149, 53161, 53171, 53173, 53189, 53197, 53201, 53231, + 53233, 53239, 53267, 53269, 53279, 53281, 53299, 53309, 53323, 53327, + 53353, 53359, 53377, 53381, 53401, 53407, 53411, 53419, 53437, 53441, + 53453, 53479, 53503, 53507, 53527, 53549, 53551, 53569, 53591, 53593, + 53597, 53609, 53611, 53617, 53623, 53629, 53633, 53639, 53653, 53657, + 53681, 53693, 53699, 53717, 53719, 53731, 53759, 53773, 53777, 53783, + 53791, 53813, 53819, 53831, 53849, 53857, 53861, 53881, 53887, 53891, + 53897, 53899, 53917, 53923, 53927, 53939, 53951, 53959, 53987, 53993, + 54001, 54011, 54013, 54037, 54049, 54059, 54083, 54091, 54101, 54121, + 54133, 54139, 54151, 54163, 54167, 54181, 54193, 54217, 54251, 54269, + 54277, 54287, 54293, 54311, 54319, 54323, 54331, 54347, 54361, 54367, + 54371, 54377, 54401, 54403, 54409, 54413, 54419, 54421, 54437, 54443, + 54449, 54469, 54493, 54497, 54499, 54503, 54517, 54521, 54539, 54541, + 54547, 54559, 54563, 54577, 54581, 54583, 54601, 54617, 54623, 54629, + 54631, 54647, 54667, 54673, 54679, 54709, 54713, 54721, 54727, 54751, + 54767, 54773, 54779, 54787, 54799, 54829, 54833, 54851, 54869, 54877, + 54881, 54907, 54917, 54919, 54941, 54949, 54959, 54973, 54979, 54983, + 55001, 55009, 55021, 55049, 55051, 55057, 55061, 55073, 55079, 55103, + 55109, 55117, 55127, 55147, 55163, 55171, 55201, 55207, 55213, 55217, + 55219, 55229, 55243, 55249, 55259, 55291, 55313, 55331, 55333, 55337, + 55339, 55343, 55351, 55373, 55381, 55399, 55411, 55439, 55441, 55457, + 55469, 55487, 55501, 55511, 55529, 55541, 55547, 55579, 55589, 55603, + 55609, 55619, 55621, 55631, 55633, 55639, 55661, 55663, 55667, 55673, + 55681, 55691, 55697, 55711, 55717, 55721, 55733, 55763, 55787, 55793, + 55799, 55807, 55813, 55817, 55819, 55823, 55829, 55837, 55843, 55849, + 55871, 55889, 55897, 55901, 55903, 55921, 55927, 55931, 55933, 55949, + 55967, 55987, 55997, 56003, 56009, 56039, 56041, 56053, 56081, 56087, + 56093, 56099, 56101, 56113, 56123, 56131, 56149, 56167, 56171, 56179, + 56197, 56207, 56209, 56237, 56239, 56249, 56263, 56267, 56269, 56299, + 56311, 56333, 56359, 56369, 56377, 56383, 56393, 56401, 56417, 56431, + 56437, 56443, 56453, 56467, 56473, 56477, 56479, 56489, 56501, 56503, + 56509, 56519, 56527, 56531, 56533, 56543, 56569, 56591, 56597, 56599, + 56611, 56629, 56633, 56659, 56663, 56671, 56681, 56687, 56701, 56711, + 56713, 56731, 56737, 56747, 56767, 56773, 56779, 56783, 56807, 56809, + 56813, 56821, 56827, 56843, 56857, 56873, 56891, 56893, 56897, 56909, + 56911, 56921, 56923, 56929, 56941, 56951, 56957, 56963, 56983, 56989, + 56993, 56999, 57037, 57041, 57047, 57059, 57073, 57077, 57089, 57097, + 57107, 57119, 57131, 57139, 57143, 57149, 57163, 57173, 57179, 57191, + 57193, 57203, 57221, 57223, 57241, 57251, 57259, 57269, 57271, 57283, + 57287, 57301, 57329, 57331, 57347, 57349, 57367, 57373, 57383, 57389, + 57397, 57413, 57427, 57457, 57467, 57487, 57493, 57503, 57527, 57529, + 57557, 57559, 57571, 57587, 57593, 57601, 57637, 57641, 57649, 57653, + 57667, 57679, 57689, 57697, 57709, 57713, 57719, 57727, 57731, 57737, + 57751, 57773, 57781, 57787, 57791, 57793, 57803, 57809, 57829, 57839, + 57847, 57853, 57859, 57881, 57899, 57901, 57917, 57923, 57943, 57947, + 57973, 57977, 57991, 58013, 58027, 58031, 58043, 58049, 58057, 58061, + 58067, 58073, 58099, 58109, 58111, 58129, 58147, 58151, 58153, 58169, + 58171, 58189, 58193, 58199, 58207, 58211, 58217, 58229, 58231, 58237, + 58243, 58271, 58309, 58313, 58321, 58337, 58363, 58367, 58369, 58379, + 58391, 58393, 58403, 58411, 58417, 58427, 58439, 58441, 58451, 58453, + 58477, 58481, 58511, 58537, 58543, 58549, 58567, 58573, 58579, 58601, + 58603, 58613, 58631, 58657, 58661, 58679, 58687, 58693, 58699, 58711, + 58727, 58733, 58741, 58757, 58763, 58771, 58787, 58789, 58831, 58889, + 58897, 58901, 58907, 58909, 58913, 58921, 58937, 58943, 58963, 58967, + 58979, 58991, 58997, 59009, 59011, 59021, 59023, 59029, 59051, 59053, + 59063, 59069, 59077, 59083, 59093, 59107, 59113, 59119, 59123, 59141, + 59149, 59159, 59167, 59183, 59197, 59207, 59209, 59219, 59221, 59233, + 59239, 59243, 59263, 59273, 59281, 59333, 59341, 59351, 59357, 59359, + 59369, 59377, 59387, 59393, 59399, 59407, 59417, 59419, 59441, 59443, + 59447, 59453, 59467, 59471, 59473, 59497, 59509, 59513, 59539, 59557, + 59561, 59567, 59581, 59611, 59617, 59621, 59627, 59629, 59651, 59659, + 59663, 59669, 59671, 59693, 59699, 59707, 59723, 59729, 59743, 59747, + 59753, 59771, 59779, 59791, 59797, 59809, 59833, 59863, 59879, 59887, + 59921, 59929, 59951, 59957, 59971, 59981, 59999, 60013, 60017, 60029, + 60037, 60041, 60077, 60083, 60089, 60091, 60101, 60103, 60107, 60127, + 60133, 60139, 60149, 60161, 60167, 60169, 60209, 60217, 60223, 60251, + 60257, 60259, 60271, 60289, 60293, 60317, 60331, 60337, 60343, 60353, + 60373, 60383, 60397, 60413, 60427, 60443, 60449, 60457, 60493, 60497, + 60509, 60521, 60527, 60539, 60589, 60601, 60607, 60611, 60617, 60623, + 60631, 60637, 60647, 60649, 60659, 60661, 60679, 60689, 60703, 60719, + 60727, 60733, 60737, 60757, 60761, 60763, 60773, 60779, 60793, 60811, + 60821, 60859, 60869, 60887, 60889, 60899, 60901, 60913, 60917, 60919, + 60923, 60937, 60943, 60953, 60961, 61001, 61007, 61027, 61031, 61043, + 61051, 61057, 61091, 61099, 61121, 61129, 61141, 61151, 61153, 61169, + 61211, 61223, 61231, 61253, 61261, 61283, 61291, 61297, 61331, 61333, + 61339, 61343, 61357, 61363, 61379, 61381, 61403, 61409, 61417, 61441, + 61463, 61469, 61471, 61483, 61487, 61493, 61507, 61511, 61519, 61543, + 61547, 61553, 61559, 61561, 61583, 61603, 61609, 61613, 61627, 61631, + 61637, 61643, 61651, 61657, 61667, 61673, 61681, 61687, 61703, 61717, + 61723, 61729, 61751, 61757, 61781, 61813, 61819, 61837, 61843, 61861, + 61871, 61879, 61909, 61927, 61933, 61949, 61961, 61967, 61979, 61981, + 61987, 61991, 62003, 62011, 62017, 62039, 62047, 62053, 62057, 62071, + 62081, 62099, 62119, 62129, 62131, 62137, 62141, 62143, 62171, 62189, + 62191, 62201, 62207, 62213, 62219, 62233, 62273, 62297, 62299, 62303, + 62311, 62323, 62327, 62347, 62351, 62383, 62401, 62417, 62423, 62459, + 62467, 62473, 62477, 62483, 62497, 62501, 62507, 62533, 62539, 62549, + 62563, 62581, 62591, 62597, 62603, 62617, 62627, 62633, 62639, 62653, + 62659, 62683, 62687, 62701, 62723, 62731, 62743, 62753, 62761, 62773, + 62791, 62801, 62819, 62827, 62851, 62861, 62869, 62873, 62897, 62903, + 62921, 62927, 62929, 62939, 62969, 62971, 62981, 62983, 62987, 62989, + 63029, 63031, 63059, 63067, 63073, 63079, 63097, 63103, 63113, 63127, + 63131, 63149, 63179, 63197, 63199, 63211, 63241, 63247, 63277, 63281, + 63299, 63311, 63313, 63317, 63331, 63337, 63347, 63353, 63361, 63367, + 63377, 63389, 63391, 63397, 63409, 63419, 63421, 63439, 63443, 63463, + 63467, 63473, 63487, 63493, 63499, 63521, 63527, 63533, 63541, 63559, + 63577, 63587, 63589, 63599, 63601, 63607, 63611, 63617, 63629, 63647, + 63649, 63659, 63667, 63671, 63689, 63691, 63697, 63703, 63709, 63719, + 63727, 63737, 63743, 63761, 63773, 63781, 63793, 63799, 63803, 63809, + 63823, 63839, 63841, 63853, 63857, 63863, 63901, 63907, 63913, 63929, + 63949, 63977, 63997, 64007, 64013, 64019, 64033, 64037, 64063, 64067, + 64081, 64091, 64109, 64123, 64151, 64153, 64157, 64171, 64187, 64189, + 64217, 64223, 64231, 64237, 64271, 64279, 64283, 64301, 64303, 64319, + 64327, 64333, 64373, 64381, 64399, 64403, 64433, 64439, 64451, 64453, + 64483, 64489, 64499, 64513, 64553, 64567, 64577, 64579, 64591, 64601, + 64609, 64613, 64621, 64627, 64633, 64661, 64663, 64667, 64679, 64693, + 64709, 64717, 64747, 64763, 64781, 64783, 64793, 64811, 64817, 64849, + 64853, 64871, 64877, 64879, 64891, 64901, 64919, 64921, 64927, 64937, + 64951, 64969, 64997, 65003, 65011, 65027, 65029, 65033, 65053, 65063, + 65071, 65089, 65099, 65101, 65111, 65119, 65123, 65129, 65141, 65147, + 65167, 65171, 65173, 65179, 65183, 65203, 65213, 65239, 65257, 65267, + 65269, 65287, 65293, 65309, 65323, 65327, 65353, 65357, 65371, 65381, + 65393, 65407, 65413, 65419, 65423, 65437, 65447, 65449, 65479, 65497, + 65519, 65521, 65537, 65539, 65543, 65551, 65557, 65563, 65579, 65581, + 65587, 65599, 65609, 65617, 65629, 65633, 65647, 65651, 65657, 65677, + 65687, 65699, 65701, 65707, 65713, 65717, 65719, 65729, 65731, 65761, + 65777, 65789, 65809, 65827, 65831, 65837, 65839, 65843, 65851, 65867, + 65881, 65899, 65921, 65927, 65929, 65951, 65957, 65963, 65981, 65983, + 65993, 66029, 66037, 66041, 66047, 66067, 66071, 66083, 66089, 66103, + 66107, 66109, 66137, 66161, 66169, 66173, 66179, 66191, 66221, 66239, + 66271, 66293, 66301, 66337, 66343, 66347, 66359, 66361, 66373, 66377, + 66383, 66403, 66413, 66431, 66449, 66457, 66463, 66467, 66491, 66499, + 66509, 66523, 66529, 66533, 66541, 66553, 66569, 66571, 66587, 66593, + 66601, 66617, 66629, 66643, 66653, 66683, 66697, 66701, 66713, 66721, + 66733, 66739, 66749, 66751, 66763, 66791, 66797, 66809, 66821, 66841, + 66851, 66853, 66863, 66877, 66883, 66889, 66919, 66923, 66931, 66943, + 66947, 66949, 66959, 66973, 66977, 67003, 67021, 67033, 67043, 67049, + 67057, 67061, 67073, 67079, 67103, 67121, 67129, 67139, 67141, 67153, + 67157, 67169, 67181, 67187, 67189, 67211, 67213, 67217, 67219, 67231, + 67247, 67261, 67271, 67273, 67289, 67307, 67339, 67343, 67349, 67369, + 67391, 67399, 67409, 67411, 67421, 67427, 67429, 67433, 67447, 67453, + 67477, 67481, 67489, 67493, 67499, 67511, 67523, 67531, 67537, 67547, + 67559, 67567, 67577, 67579, 67589, 67601, 67607, 67619, 67631, 67651, + 67679, 67699, 67709, 67723, 67733, 67741, 67751, 67757, 67759, 67763, + 67777, 67783, 67789, 67801, 67807, 67819, 67829, 67843, 67853, 67867, + 67883, 67891, 67901, 67927, 67931, 67933, 67939, 67943, 67957, 67961, + 67967, 67979, 67987, 67993, 68023, 68041, 68053, 68059, 68071, 68087, + 68099, 68111, 68113, 68141, 68147, 68161, 68171, 68207, 68209, 68213, + 68219, 68227, 68239, 68261, 68279, 68281, 68311, 68329, 68351, 68371, + 68389, 68399, 68437, 68443, 68447, 68449, 68473, 68477, 68483, 68489, + 68491, 68501, 68507, 68521, 68531, 68539, 68543, 68567, 68581, 68597, + 68611, 68633, 68639, 68659, 68669, 68683, 68687, 68699, 68711, 68713, + 68729, 68737, 68743, 68749, 68767, 68771, 68777, 68791, 68813, 68819, + 68821, 68863, 68879, 68881, 68891, 68897, 68899, 68903, 68909, 68917, + 68927, 68947, 68963, 68993, 69001, 69011, 69019, 69029, 69031, 69061, + 69067, 69073, 69109, 69119, 69127, 69143, 69149, 69151, 69163, 69191, + 69193, 69197, 69203, 69221, 69233, 69239, 69247, 69257, 69259, 69263, + 69313, 69317, 69337, 69341, 69371, 69379, 69383, 69389, 69401, 69403, + 69427, 69431, 69439, 69457, 69463, 69467, 69473, 69481, 69491, 69493, + 69497, 69499, 69539, 69557, 69593, 69623, 69653, 69661, 69677, 69691, + 69697, 69709, 69737, 69739, 69761, 69763, 69767, 69779, 69809, 69821, + 69827, 69829, 69833, 69847, 69857, 69859, 69877, 69899, 69911, 69929, + 69931, 69941, 69959, 69991, 69997, 70001, 70003, 70009, 70019, 70039, + 70051, 70061, 70067, 70079, 70099, 70111, 70117, 70121, 70123, 70139, + 70141, 70157, 70163, 70177, 70181, 70183, 70199, 70201, 70207, 70223, + 70229, 70237, 70241, 70249, 70271, 70289, 70297, 70309, 70313, 70321, + 70327, 70351, 70373, 70379, 70381, 70393, 70423, 70429, 70439, 70451, + 70457, 70459, 70481, 70487, 70489, 70501, 70507, 70529, 70537, 70549, + 70571, 70573, 70583, 70589, 70607, 70619, 70621, 70627, 70639, 70657, + 70663, 70667, 70687, 70709, 70717, 70729, 70753, 70769, 70783, 70793, + 70823, 70841, 70843, 70849, 70853, 70867, 70877, 70879, 70891, 70901, + 70913, 70919, 70921, 70937, 70949, 70951, 70957, 70969, 70979, 70981, + 70991, 70997, 70999, 71011, 71023, 71039, 71059, 71069, 71081, 71089, + 71119, 71129, 71143, 71147, 71153, 71161, 71167, 71171, 71191, 71209, + 71233, 71237, 71249, 71257, 71261, 71263, 71287, 71293, 71317, 71327, + 71329, 71333, 71339, 71341, 71347, 71353, 71359, 71363, 71387, 71389, + 71399, 71411, 71413, 71419, 71429, 71437, 71443, 71453, 71471, 71473, + 71479, 71483, 71503, 71527, 71537, 71549, 71551, 71563, 71569, 71593, + 71597, 71633, 71647, 71663, 71671, 71693, 71699, 71707, 71711, 71713, + 71719, 71741, 71761, 71777, 71789, 71807, 71809, 71821, 71837, 71843, + 71849, 71861, 71867, 71879, 71881, 71887, 71899, 71909, 71917, 71933, + 71941, 71947, 71963, 71971, 71983, 71987, 71993, 71999, 72019, 72031, + 72043, 72047, 72053, 72073, 72077, 72089, 72091, 72101, 72103, 72109, + 72139, 72161, 72167, 72169, 72173, 72211, 72221, 72223, 72227, 72229, + 72251, 72253, 72269, 72271, 72277, 72287, 72307, 72313, 72337, 72341, + 72353, 72367, 72379, 72383, 72421, 72431, 72461, 72467, 72469, 72481, + 72493, 72497, 72503, 72533, 72547, 72551, 72559, 72577, 72613, 72617, + 72623, 72643, 72647, 72649, 72661, 72671, 72673, 72679, 72689, 72701, + 72707, 72719, 72727, 72733, 72739, 72763, 72767, 72797, 72817, 72823, + 72859, 72869, 72871, 72883, 72889, 72893, 72901, 72907, 72911, 72923, + 72931, 72937, 72949, 72953, 72959, 72973, 72977, 72997, 73009, 73013, + 73019, 73037, 73039, 73043, 73061, 73063, 73079, 73091, 73121, 73127, + 73133, 73141, 73181, 73189, 73237, 73243, 73259, 73277, 73291, 73303, + 73309, 73327, 73331, 73351, 73361, 73363, 73369, 73379, 73387, 73417, + 73421, 73433, 73453, 73459, 73471, 73477, 73483, 73517, 73523, 73529, + 73547, 73553, 73561, 73571, 73583, 73589, 73597, 73607, 73609, 73613, + 73637, 73643, 73651, 73673, 73679, 73681, 73693, 73699, 73709, 73721, + 73727, 73751, 73757, 73771, 73783, 73819, 73823, 73847, 73849, 73859, + 73867, 73877, 73883, 73897, 73907, 73939, 73943, 73951, 73961, 73973, + 73999, 74017, 74021, 74027, 74047, 74051, 74071, 74077, 74093, 74099, + 74101, 74131, 74143, 74149, 74159, 74161, 74167, 74177, 74189, 74197, + 74201, 74203, 74209, 74219, 74231, 74257, 74279, 74287, 74293, 74297, + 74311, 74317, 74323, 74353, 74357, 74363, 74377, 74381, 74383, 74411, + 74413, 74419, 74441, 74449, 74453, 74471, 74489, 74507, 74509, 74521, + 74527, 74531, 74551, 74561, 74567, 74573, 74587, 74597, 74609, 74611, + 74623, 74653, 74687, 74699, 74707, 74713, 74717, 74719, 74729, 74731, + 74747, 74759, 74761, 74771, 74779, 74797, 74821, 74827, 74831, 74843, + 74857, 74861, 74869, 74873, 74887, 74891, 74897, 74903, 74923, 74929, + 74933, 74941, 74959, 75011, 75013, 75017, 75029, 75037, 75041, 75079, + 75083, 75109, 75133, 75149, 75161, 75167, 75169, 75181, 75193, 75209, + 75211, 75217, 75223, 75227, 75239, 75253, 75269, 75277, 75289, 75307, + 75323, 75329, 75337, 75347, 75353, 75367, 75377, 75389, 75391, 75401, + 75403, 75407, 75431, 75437, 75479, 75503, 75511, 75521, 75527, 75533, + 75539, 75541, 75553, 75557, 75571, 75577, 75583, 75611, 75617, 75619, + 75629, 75641, 75653, 75659, 75679, 75683, 75689, 75703, 75707, 75709, + 75721, 75731, 75743, 75767, 75773, 75781, 75787, 75793, 75797, 75821, + 75833, 75853, 75869, 75883, 75913, 75931, 75937, 75941, 75967, 75979, + 75983, 75989, 75991, 75997, 76001, 76003, 76031, 76039, 76079, 76081, + 76091, 76099, 76103, 76123, 76129, 76147, 76157, 76159, 76163, 76207, + 76213, 76231, 76243, 76249, 76253, 76259, 76261, 76283, 76289, 76303, + 76333, 76343, 76367, 76369, 76379, 76387, 76403, 76421, 76423, 76441, + 76463, 76471, 76481, 76487, 76493, 76507, 76511, 76519, 76537, 76541, + 76543, 76561, 76579, 76597, 76603, 76607, 76631, 76649, 76651, 76667, + 76673, 76679, 76697, 76717, 76733, 76753, 76757, 76771, 76777, 76781, + 76801, 76819, 76829, 76831, 76837, 76847, 76871, 76873, 76883, 76907, + 76913, 76919, 76943, 76949, 76961, 76963, 76991, 77003, 77017, 77023, + 77029, 77041, 77047, 77069, 77081, 77093, 77101, 77137, 77141, 77153, + 77167, 77171, 77191, 77201, 77213, 77237, 77239, 77243, 77249, 77261, + 77263, 77267, 77269, 77279, 77291, 77317, 77323, 77339, 77347, 77351, + 77359, 77369, 77377, 77383, 77417, 77419, 77431, 77447, 77471, 77477, + 77479, 77489, 77491, 77509, 77513, 77521, 77527, 77543, 77549, 77551, + 77557, 77563, 77569, 77573, 77587, 77591, 77611, 77617, 77621, 77641, + 77647, 77659, 77681, 77687, 77689, 77699, 77711, 77713, 77719, 77723, + 77731, 77743, 77747, 77761, 77773, 77783, 77797, 77801, 77813, 77839, + 77849, 77863, 77867, 77893, 77899, 77929, 77933, 77951, 77969, 77977, + 77983, 77999, 78007, 78017, 78031, 78041, 78049, 78059, 78079, 78101, + 78121, 78137, 78139, 78157, 78163, 78167, 78173, 78179, 78191, 78193, + 78203, 78229, 78233, 78241, 78259, 78277, 78283, 78301, 78307, 78311, + 78317, 78341, 78347, 78367, 78401, 78427, 78437, 78439, 78467, 78479, + 78487, 78497, 78509, 78511, 78517, 78539, 78541, 78553, 78569, 78571, + 78577, 78583, 78593, 78607, 78623, 78643, 78649, 78653, 78691, 78697, + 78707, 78713, 78721, 78737, 78779, 78781, 78787, 78791, 78797, 78803, + 78809, 78823, 78839, 78853, 78857, 78877, 78887, 78889, 78893, 78901, + 78919, 78929, 78941, 78977, 78979, 78989, 79031, 79039, 79043, 79063, + 79087, 79103, 79111, 79133, 79139, 79147, 79151, 79153, 79159, 79181, + 79187, 79193, 79201, 79229, 79231, 79241, 79259, 79273, 79279, 79283, + 79301, 79309, 79319, 79333, 79337, 79349, 79357, 79367, 79379, 79393, + 79397, 79399, 79411, 79423, 79427, 79433, 79451, 79481, 79493, 79531, + 79537, 79549, 79559, 79561, 79579, 79589, 79601, 79609, 79613, 79621, + 79627, 79631, 79633, 79657, 79669, 79687, 79691, 79693, 79697, 79699, + 79757, 79769, 79777, 79801, 79811, 79813, 79817, 79823, 79829, 79841, + 79843, 79847, 79861, 79867, 79873, 79889, 79901, 79903, 79907, 79939, + 79943, 79967, 79973, 79979, 79987, 79997, 79999, 80021, 80039, 80051, + 80071, 80077, 80107, 80111, 80141, 80147, 80149, 80153, 80167, 80173, + 80177, 80191, 80207, 80209, 80221, 80231, 80233, 80239, 80251, 80263, + 80273, 80279, 80287, 80309, 80317, 80329, 80341, 80347, 80363, 80369, + 80387, 80407, 80429, 80447, 80449, 80471, 80473, 80489, 80491, 80513, + 80527, 80537, 80557, 80567, 80599, 80603, 80611, 80621, 80627, 80629, + 80651, 80657, 80669, 80671, 80677, 80681, 80683, 80687, 80701, 80713, + 80737, 80747, 80749, 80761, 80777, 80779, 80783, 80789, 80803, 80809, + 80819, 80831, 80833, 80849, 80863, 80897, 80909, 80911, 80917, 80923, + 80929, 80933, 80953, 80963, 80989, 81001, 81013, 81017, 81019, 81023, + 81031, 81041, 81043, 81047, 81049, 81071, 81077, 81083, 81097, 81101, + 81119, 81131, 81157, 81163, 81173, 81181, 81197, 81199, 81203, 81223, + 81233, 81239, 81281, 81283, 81293, 81299, 81307, 81331, 81343, 81349, + 81353, 81359, 81371, 81373, 81401, 81409, 81421, 81439, 81457, 81463, + 81509, 81517, 81527, 81533, 81547, 81551, 81553, 81559, 81563, 81569, + 81611, 81619, 81629, 81637, 81647, 81649, 81667, 81671, 81677, 81689, + 81701, 81703, 81707, 81727, 81737, 81749, 81761, 81769, 81773, 81799, + 81817, 81839, 81847, 81853, 81869, 81883, 81899, 81901, 81919, 81929, + 81931, 81937, 81943, 81953, 81967, 81971, 81973, 82003, 82007, 82009, + 82013, 82021, 82031, 82037, 82039, 82051, 82067, 82073, 82129, 82139, + 82141, 82153, 82163, 82171, 82183, 82189, 82193, 82207, 82217, 82219, + 82223, 82231, 82237, 82241, 82261, 82267, 82279, 82301, 82307, 82339, + 82349, 82351, 82361, 82373, 82387, 82393, 82421, 82457, 82463, 82469, + 82471, 82483, 82487, 82493, 82499, 82507, 82529, 82531, 82549, 82559, + 82561, 82567, 82571, 82591, 82601, 82609, 82613, 82619, 82633, 82651, + 82657, 82699, 82721, 82723, 82727, 82729, 82757, 82759, 82763, 82781, + 82787, 82793, 82799, 82811, 82813, 82837, 82847, 82883, 82889, 82891, + 82903, 82913, 82939, 82963, 82981, 82997, 83003, 83009, 83023, 83047, + 83059, 83063, 83071, 83077, 83089, 83093, 83101, 83117, 83137, 83177, + 83203, 83207, 83219, 83221, 83227, 83231, 83233, 83243, 83257, 83267, + 83269, 83273, 83299, 83311, 83339, 83341, 83357, 83383, 83389, 83399, + 83401, 83407, 83417, 83423, 83431, 83437, 83443, 83449, 83459, 83471, + 83477, 83497, 83537, 83557, 83561, 83563, 83579, 83591, 83597, 83609, + 83617, 83621, 83639, 83641, 83653, 83663, 83689, 83701, 83717, 83719, + 83737, 83761, 83773, 83777, 83791, 83813, 83833, 83843, 83857, 83869, + 83873, 83891, 83903, 83911, 83921, 83933, 83939, 83969, 83983, 83987, + 84011, 84017, 84047, 84053, 84059, 84061, 84067, 84089, 84121, 84127, + 84131, 84137, 84143, 84163, 84179, 84181, 84191, 84199, 84211, 84221, + 84223, 84229, 84239, 84247, 84263, 84299, 84307, 84313, 84317, 84319, + 84347, 84349, 84377, 84389, 84391, 84401, 84407, 84421, 84431, 84437, + 84443, 84449, 84457, 84463, 84467, 84481, 84499, 84503, 84509, 84521, + 84523, 84533, 84551, 84559, 84589, 84629, 84631, 84649, 84653, 84659, + 84673, 84691, 84697, 84701, 84713, 84719, 84731, 84737, 84751, 84761, + 84787, 84793, 84809, 84811, 84827, 84857, 84859, 84869, 84871, 84913, + 84919, 84947, 84961, 84967, 84977, 84979, 84991, 85009, 85021, 85027, + 85037, 85049, 85061, 85081, 85087, 85091, 85093, 85103, 85109, 85121, + 85133, 85147, 85159, 85193, 85199, 85201, 85213, 85223, 85229, 85237, + 85243, 85247, 85259, 85297, 85303, 85313, 85331, 85333, 85361, 85363, + 85369, 85381, 85411, 85427, 85429, 85439, 85447, 85451, 85453, 85469, + 85487, 85513, 85517, 85523, 85531, 85549, 85571, 85577, 85597, 85601, + 85607, 85619, 85621, 85627, 85639, 85643, 85661, 85667, 85669, 85691, + 85703, 85711, 85717, 85733, 85751, 85781, 85793, 85817, 85819, 85829, + 85831, 85837, 85843, 85847, 85853, 85889, 85903, 85909, 85931, 85933, + 85991, 85999, 86011, 86017, 86027, 86029, 86069, 86077, 86083, 86111, + 86113, 86117, 86131, 86137, 86143, 86161, 86171, 86179, 86183, 86197, + 86201, 86209, 86239, 86243, 86249, 86257, 86263, 86269, 86287, 86291, + 86293, 86297, 86311, 86323, 86341, 86351, 86353, 86357, 86369, 86371, + 86381, 86389, 86399, 86413, 86423, 86441, 86453, 86461, 86467, 86477, + 86491, 86501, 86509, 86531, 86533, 86539, 86561, 86573, 86579, 86587, + 86599, 86627, 86629, 86677, 86689, 86693, 86711, 86719, 86729, 86743, + 86753, 86767, 86771, 86783, 86813, 86837, 86843, 86851, 86857, 86861, + 86869, 86923, 86927, 86929, 86939, 86951, 86959, 86969, 86981, 86993, + 87011, 87013, 87037, 87041, 87049, 87071, 87083, 87103, 87107, 87119, + 87121, 87133, 87149, 87151, 87179, 87181, 87187, 87211, 87221, 87223, + 87251, 87253, 87257, 87277, 87281, 87293, 87299, 87313, 87317, 87323, + 87337, 87359, 87383, 87403, 87407, 87421, 87427, 87433, 87443, 87473, + 87481, 87491, 87509, 87511, 87517, 87523, 87539, 87541, 87547, 87553, + 87557, 87559, 87583, 87587, 87589, 87613, 87623, 87629, 87631, 87641, + 87643, 87649, 87671, 87679, 87683, 87691, 87697, 87701, 87719, 87721, + 87739, 87743, 87751, 87767, 87793, 87797, 87803, 87811, 87833, 87853, + 87869, 87877, 87881, 87887, 87911, 87917, 87931, 87943, 87959, 87961, + 87973, 87977, 87991, 88001, 88003, 88007, 88019, 88037, 88069, 88079, + 88093, 88117, 88129, 88169, 88177, 88211, 88223, 88237, 88241, 88259, + 88261, 88289, 88301, 88321, 88327, 88337, 88339, 88379, 88397, 88411, + 88423, 88427, 88463, 88469, 88471, 88493, 88499, 88513, 88523, 88547, + 88589, 88591, 88607, 88609, 88643, 88651, 88657, 88661, 88663, 88667, + 88681, 88721, 88729, 88741, 88747, 88771, 88789, 88793, 88799, 88801, + 88807, 88811, 88813, 88817, 88819, 88843, 88853, 88861, 88867, 88873, + 88883, 88897, 88903, 88919, 88937, 88951, 88969, 88993, 88997, 89003, + 89009, 89017, 89021, 89041, 89051, 89057, 89069, 89071, 89083, 89087, + 89101, 89107, 89113, 89119, 89123, 89137, 89153, 89189, 89203, 89209, + 89213, 89227, 89231, 89237, 89261, 89269, 89273, 89293, 89303, 89317, + 89329, 89363, 89371, 89381, 89387, 89393, 89399, 89413, 89417, 89431, + 89443, 89449, 89459, 89477, 89491, 89501, 89513, 89519, 89521, 89527, + 89533, 89561, 89563, 89567, 89591, 89597, 89599, 89603, 89611, 89627, + 89633, 89653, 89657, 89659, 89669, 89671, 89681, 89689, 89753, 89759, + 89767, 89779, 89783, 89797, 89809, 89819, 89821, 89833, 89839, 89849, + 89867, 89891, 89897, 89899, 89909, 89917, 89923, 89939, 89959, 89963, + 89977, 89983, 89989, 90001, 90007, 90011, 90017, 90019, 90023, 90031, + 90053, 90059, 90067, 90071, 90073, 90089, 90107, 90121, 90127, 90149, + 90163, 90173, 90187, 90191, 90197, 90199, 90203, 90217, 90227, 90239, + 90247, 90263, 90271, 90281, 90289, 90313, 90353, 90359, 90371, 90373, + 90379, 90397, 90401, 90403, 90407, 90437, 90439, 90469, 90473, 90481, + 90499, 90511, 90523, 90527, 90529, 90533, 90547, 90583, 90599, 90617, + 90619, 90631, 90641, 90647, 90659, 90677, 90679, 90697, 90703, 90709, + 90731, 90749, 90787, 90793, 90803, 90821, 90823, 90833, 90841, 90847, + 90863, 90887, 90901, 90907, 90911, 90917, 90931, 90947, 90971, 90977, + 90989, 90997, 91009, 91019, 91033, 91079, 91081, 91097, 91099, 91121, + 91127, 91129, 91139, 91141, 91151, 91153, 91159, 91163, 91183, 91193, + 91199, 91229, 91237, 91243, 91249, 91253, 91283, 91291, 91297, 91303, + 91309, 91331, 91367, 91369, 91373, 91381, 91387, 91393, 91397, 91411, + 91423, 91433, 91453, 91457, 91459, 91463, 91493, 91499, 91513, 91529, + 91541, 91571, 91573, 91577, 91583, 91591, 91621, 91631, 91639, 91673, + 91691, 91703, 91711, 91733, 91753, 91757, 91771, 91781, 91801, 91807, + 91811, 91813, 91823, 91837, 91841, 91867, 91873, 91909, 91921, 91939, + 91943, 91951, 91957, 91961, 91967, 91969, 91997, 92003, 92009, 92033, + 92041, 92051, 92077, 92083, 92107, 92111, 92119, 92143, 92153, 92173, + 92177, 92179, 92189, 92203, 92219, 92221, 92227, 92233, 92237, 92243, + 92251, 92269, 92297, 92311, 92317, 92333, 92347, 92353, 92357, 92363, + 92369, 92377, 92381, 92383, 92387, 92399, 92401, 92413, 92419, 92431, + 92459, 92461, 92467, 92479, 92489, 92503, 92507, 92551, 92557, 92567, + 92569, 92581, 92593, 92623, 92627, 92639, 92641, 92647, 92657, 92669, + 92671, 92681, 92683, 92693, 92699, 92707, 92717, 92723, 92737, 92753, + 92761, 92767, 92779, 92789, 92791, 92801, 92809, 92821, 92831, 92849, + 92857, 92861, 92863, 92867, 92893, 92899, 92921, 92927, 92941, 92951, + 92957, 92959, 92987, 92993, 93001, 93047, 93053, 93059, 93077, 93083, + 93089, 93097, 93103, 93113, 93131, 93133, 93139, 93151, 93169, 93179, + 93187, 93199, 93229, 93239, 93241, 93251, 93253, 93257, 93263, 93281, + 93283, 93287, 93307, 93319, 93323, 93329, 93337, 93371, 93377, 93383, + 93407, 93419, 93427, 93463, 93479, 93481, 93487, 93491, 93493, 93497, + 93503, 93523, 93529, 93553, 93557, 93559, 93563, 93581, 93601, 93607, + 93629, 93637, 93683, 93701, 93703, 93719, 93739, 93761, 93763, 93787, + 93809, 93811, 93827, 93851, 93871, 93887, 93889, 93893, 93901, 93911, + 93913, 93923, 93937, 93941, 93949, 93967, 93971, 93979, 93983, 93997, + 94007, 94009, 94033, 94049, 94057, 94063, 94079, 94099, 94109, 94111, + 94117, 94121, 94151, 94153, 94169, 94201, 94207, 94219, 94229, 94253, + 94261, 94273, 94291, 94307, 94309, 94321, 94327, 94331, 94343, 94349, + 94351, 94379, 94397, 94399, 94421, 94427, 94433, 94439, 94441, 94447, + 94463, 94477, 94483, 94513, 94529, 94531, 94541, 94543, 94547, 94559, + 94561, 94573, 94583, 94597, 94603, 94613, 94621, 94649, 94651, 94687, + 94693, 94709, 94723, 94727, 94747, 94771, 94777, 94781, 94789, 94793, + 94811, 94819, 94823, 94837, 94841, 94847, 94849, 94873, 94889, 94903, + 94907, 94933, 94949, 94951, 94961, 94993, 94999, 95003, 95009, 95021, + 95027, 95063, 95071, 95083, 95087, 95089, 95093, 95101, 95107, 95111, + 95131, 95143, 95153, 95177, 95189, 95191, 95203, 95213, 95219, 95231, + 95233, 95239, 95257, 95261, 95267, 95273, 95279, 95287, 95311, 95317, + 95327, 95339, 95369, 95383, 95393, 95401, 95413, 95419, 95429, 95441, + 95443, 95461, 95467, 95471, 95479, 95483, 95507, 95527, 95531, 95539, + 95549, 95561, 95569, 95581, 95597, 95603, 95617, 95621, 95629, 95633, + 95651, 95701, 95707, 95713, 95717, 95723, 95731, 95737, 95747, 95773, + 95783, 95789, 95791, 95801, 95803, 95813, 95819, 95857, 95869, 95873, + 95881, 95891, 95911, 95917, 95923, 95929, 95947, 95957, 95959, 95971, + 95987, 95989, 96001, 96013, 96017, 96043, 96053, 96059, 96079, 96097, + 96137, 96149, 96157, 96167, 96179, 96181, 96199, 96211, 96221, 96223, + 96233, 96259, 96263, 96269, 96281, 96289, 96293, 96323, 96329, 96331, + 96337, 96353, 96377, 96401, 96419, 96431, 96443, 96451, 96457, 96461, + 96469, 96479, 96487, 96493, 96497, 96517, 96527, 96553, 96557, 96581, + 96587, 96589, 96601, 96643, 96661, 96667, 96671, 96697, 96703, 96731, + 96737, 96739, 96749, 96757, 96763, 96769, 96779, 96787, 96797, 96799, + 96821, 96823, 96827, 96847, 96851, 96857, 96893, 96907, 96911, 96931, + 96953, 96959, 96973, 96979, 96989, 96997, 97001, 97003, 97007, 97021, + 97039, 97073, 97081, 97103, 97117, 97127, 97151, 97157, 97159, 97169, + 97171, 97177, 97187, 97213, 97231, 97241, 97259, 97283, 97301, 97303, + 97327, 97367, 97369, 97373, 97379, 97381, 97387, 97397, 97423, 97429, + 97441, 97453, 97459, 97463, 97499, 97501, 97511, 97523, 97547, 97549, + 97553, 97561, 97571, 97577, 97579, 97583, 97607, 97609, 97613, 97649, + 97651, 97673, 97687, 97711, 97729, 97771, 97777, 97787, 97789, 97813, + 97829, 97841, 97843, 97847, 97849, 97859, 97861, 97871, 97879, 97883, + 97919, 97927, 97931, 97943, 97961, 97967, 97973, 97987, 98009, 98011, + 98017, 98041, 98047, 98057, 98081, 98101, 98123, 98129, 98143, 98179, + 98207, 98213, 98221, 98227, 98251, 98257, 98269, 98297, 98299, 98317, + 98321, 98323, 98327, 98347, 98369, 98377, 98387, 98389, 98407, 98411, + 98419, 98429, 98443, 98453, 98459, 98467, 98473, 98479, 98491, 98507, + 98519, 98533, 98543, 98561, 98563, 98573, 98597, 98621, 98627, 98639, + 98641, 98663, 98669, 98689, 98711, 98713, 98717, 98729, 98731, 98737, + 98773, 98779, 98801, 98807, 98809, 98837, 98849, 98867, 98869, 98873, + 98887, 98893, 98897, 98899, 98909, 98911, 98927, 98929, 98939, 98947, + 98953, 98963, 98981, 98993, 98999, 99013, 99017, 99023, 99041, 99053, + 99079, 99083, 99089, 99103, 99109, 99119, 99131, 99133, 99137, 99139, + 99149, 99173, 99181, 99191, 99223, 99233, 99241, 99251, 99257, 99259, + 99277, 99289, 99317, 99347, 99349, 99367, 99371, 99377, 99391, 99397, + 99401, 99409, 99431, 99439, 99469, 99487, 99497, 99523, 99527, 99529, + 99551, 99559, 99563, 99571, 99577, 99581, 99607, 99611, 99623, 99643, + 99661, 99667, 99679, 99689, 99707, 99709, 99713, 99719, 99721, 99733, + 99761, 99767, 99787, 99793, 99809, 99817, 99823, 99829, 99833, 99839, + 99859, 99871, 99877, 99881, 99901, 99907, 99923, 99929, 99961, 99971, + 99989, 99991, 100003, 100019, 100043, 100049, 100057, 100069, 100103, 100109, + 100129, 100151, 100153, 100169, 100183, 100189, 100193, 100207, 100213, 100237, + 100267, 100271, 100279, 100291, 100297, 100313, 100333, 100343, 100357, 100361, + 100363, 100379, 100391, 100393, 100403, 100411, 100417, 100447, 100459, 100469, + 100483, 100493, 100501, 100511, 100517, 100519, 100523, 100537, 100547, 100549, + 100559, 100591, 100609, 100613, 100621, 100649, 100669, 100673, 100693, 100699, + 100703, 100733, 100741, 100747, 100769, 100787, 100799, 100801, 100811, 100823, + 100829, 100847, 100853, 100907, 100913, 100927, 100931, 100937, 100943, 100957, + 100981, 100987, 100999, 101009, 101021, 101027, 101051, 101063, 101081, 101089, + 101107, 101111, 101113, 101117, 101119, 101141, 101149, 101159, 101161, 101173, + 101183, 101197, 101203, 101207, 101209, 101221, 101267, 101273, 101279, 101281, + 101287, 101293, 101323, 101333, 101341, 101347, 101359, 101363, 101377, 101383, + 101399, 101411, 101419, 101429, 101449, 101467, 101477, 101483, 101489, 101501, + 101503, 101513, 101527, 101531, 101533, 101537, 101561, 101573, 101581, 101599, + 101603, 101611, 101627, 101641, 101653, 101663, 101681, 101693, 101701, 101719, + 101723, 101737, 101741, 101747, 101749, 101771, 101789, 101797, 101807, 101833, + 101837, 101839, 101863, 101869, 101873, 101879, 101891, 101917, 101921, 101929, + 101939, 101957, 101963, 101977, 101987, 101999, 102001, 102013, 102019, 102023, + 102031, 102043, 102059, 102061, 102071, 102077, 102079, 102101, 102103, 102107, + 102121, 102139, 102149, 102161, 102181, 102191, 102197, 102199, 102203, 102217, + 102229, 102233, 102241, 102251, 102253, 102259, 102293, 102299, 102301, 102317, + 102329, 102337, 102359, 102367, 102397, 102407, 102409, 102433, 102437, 102451, + 102461, 102481, 102497, 102499, 102503, 102523, 102533, 102539, 102547, 102551, + 102559, 102563, 102587, 102593, 102607, 102611, 102643, 102647, 102653, 102667, + 102673, 102677, 102679, 102701, 102761, 102763, 102769, 102793, 102797, 102811, + 102829, 102841, 102859, 102871, 102877, 102881, 102911, 102913, 102929, 102931, + 102953, 102967, 102983, 103001, 103007, 103043, 103049, 103067, 103069, 103079, + 103087, 103091, 103093, 103099, 103123, 103141, 103171, 103177, 103183, 103217, + 103231, 103237, 103289, 103291, 103307, 103319, 103333, 103349, 103357, 103387, + 103391, 103393, 103399, 103409, 103421, 103423, 103451, 103457, 103471, 103483, + 103511, 103529, 103549, 103553, 103561, 103567, 103573, 103577, 103583, 103591, + 103613, 103619, 103643, 103651, 103657, 103669, 103681, 103687, 103699, 103703, + 103723, 103769, 103787, 103801, 103811, 103813, 103837, 103841, 103843, 103867, + 103889, 103903, 103913, 103919, 103951, 103963, 103967, 103969, 103979, 103981, + 103991, 103993, 103997, 104003, 104009, 104021, 104033, 104047, 104053, 104059, + 104087, 104089, 104107, 104113, 104119, 104123, 104147, 104149, 104161, 104173, + 104179, 104183, 104207, 104231, 104233, 104239, 104243, 104281, 104287, 104297, + 104309, 104311, 104323, 104327, 104347, 104369, 104381, 104383, 104393, 104399, + 104417, 104459, 104471, 104473, 104479, 104491, 104513, 104527, 104537, 104543, + 104549, 104551, 104561, 104579, 104593, 104597, 104623, 104639, 104651, 104659, + 104677, 104681, 104683, 104693, 104701, 104707, 104711, 104717, 104723, 104729, +}; + +// return 1 if p is divisable by sp, 0 otherwise +static int +divides(mpint *dividend, ulong divisor) +{ + mpdigit d[2], q; + int i; + + d[1] = 0; + for(i = dividend->top-1; i >= 0; i--){ + d[0] = dividend->p[i]; + mpdigdiv(d, divisor, &q); + d[1] = d[0] - divisor*q; + } + return d[1] == 0; +} + +// return -1 if p is divisable by one of the small primes, 0 otherwise +int +smallprimetest(mpint *p) +{ + int i; + ulong sp; + + for(i = 0; i < nelem(smallprimes); i++){ + sp = smallprimes[i]; + if(p->top == 1 && p->p[0] <= sp) + break; + if(divides(p, sp)) + return -1; + } + return 0; +} diff --git a/sys/src/libsec/port/thumb.c b/sys/src/libsec/port/thumb.c new file mode 100755 index 000000000..cac95a436 --- /dev/null +++ b/sys/src/libsec/port/thumb.c @@ -0,0 +1,97 @@ +#include <u.h> +#include <libc.h> +#include <bio.h> +#include <auth.h> +#include <mp.h> +#include <libsec.h> + +enum{ ThumbTab = 1<<10 }; + +static void * +emalloc(int n) +{ + void *p; + if(n==0) + n=1; + p = malloc(n); + if(p == nil){ + exits("out of memory"); + } + memset(p, 0, n); + return p; +} + +void +freeThumbprints(Thumbprint *table) +{ + Thumbprint *hd, *p, *q; + for(hd = table; hd < table+ThumbTab; hd++){ + for(p = hd->next; p; p = q){ + q = p->next; + free(p); + } + } + free(table); +} + +int +okThumbprint(uchar *sum, Thumbprint *table) +{ + Thumbprint *p; + int i = ((sum[0]<<8) + sum[1]) & (ThumbTab-1); + + for(p = table[i].next; p; p = p->next) + if(memcmp(sum, p->sha1, SHA1dlen) == 0) + return 1; + return 0; +} + +static void +loadThumbprints(char *file, Thumbprint *table, Thumbprint *crltab) +{ + Thumbprint *entry; + Biobuf *bin; + char *line, *field[50]; + uchar sum[SHA1dlen]; + int i; + + bin = Bopen(file, OREAD); + if(bin == nil) + return; + for(; (line = Brdstr(bin, '\n', 1)) != 0; free(line)){ + if(tokenize(line, field, nelem(field)) < 2) + continue; + if(strcmp(field[0], "#include") == 0){ + loadThumbprints(field[1], table, crltab); + continue; + } + if(strcmp(field[0], "x509") != 0 || strncmp(field[1], "sha1=", strlen("sha1=")) != 0) + continue; + field[1] += strlen("sha1="); + dec16(sum, sizeof(sum), field[1], strlen(field[1])); + if(crltab && okThumbprint(sum, crltab)) + continue; + entry = (Thumbprint*)emalloc(sizeof(*entry)); + memcpy(entry->sha1, sum, SHA1dlen); + i = ((sum[0]<<8) + sum[1]) & (ThumbTab-1); + entry->next = table[i].next; + table[i].next = entry; + } + Bterm(bin); +} + +Thumbprint * +initThumbprints(char *ok, char *crl) +{ + Thumbprint *table, *crltab = nil; + + if(crl){ + crltab = emalloc(ThumbTab * sizeof(*table)); + loadThumbprints(crl, crltab, nil); + } + table = emalloc(ThumbTab * sizeof(*table)); + loadThumbprints(ok, table, crltab); + free(crltab); + return table; +} + diff --git a/sys/src/libsec/port/tlshand.c b/sys/src/libsec/port/tlshand.c new file mode 100755 index 000000000..b7457015d --- /dev/null +++ b/sys/src/libsec/port/tlshand.c @@ -0,0 +1,2320 @@ +#include <u.h> +#include <libc.h> +#include <bio.h> +#include <auth.h> +#include <mp.h> +#include <libsec.h> + +// The main groups of functions are: +// client/server - main handshake protocol definition +// message functions - formating handshake messages +// cipher choices - catalog of digest and encrypt algorithms +// security functions - PKCS#1, sslHMAC, session keygen +// general utility functions - malloc, serialization +// The handshake protocol builds on the TLS/SSL3 record layer protocol, +// which is implemented in kernel device #a. See also /lib/rfc/rfc2246. + +enum { + TLSFinishedLen = 12, + SSL3FinishedLen = MD5dlen+SHA1dlen, + MaxKeyData = 104, // amount of secret we may need + MaxChunk = 1<<14, + RandomSize = 32, + SidSize = 32, + MasterSecretSize = 48, + AQueue = 0, + AFlush = 1, +}; + +typedef struct TlsSec TlsSec; + +typedef struct Bytes{ + int len; + uchar data[1]; // [len] +} Bytes; + +typedef struct Ints{ + int len; + int data[1]; // [len] +} Ints; + +typedef struct Algs{ + char *enc; + char *digest; + int nsecret; + int tlsid; + int ok; +} Algs; + +typedef struct Finished{ + uchar verify[SSL3FinishedLen]; + int n; +} Finished; + +typedef struct TlsConnection{ + TlsSec *sec; // security management goo + int hand, ctl; // record layer file descriptors + int erred; // set when tlsError called + int (*trace)(char*fmt, ...); // for debugging + int version; // protocol we are speaking + int verset; // version has been set + int ver2hi; // server got a version 2 hello + int isClient; // is this the client or server? + Bytes *sid; // SessionID + Bytes *cert; // only last - no chain + + Lock statelk; + int state; // must be set using setstate + + // input buffer for handshake messages + uchar buf[MaxChunk+2048]; + uchar *rp, *ep; + + uchar crandom[RandomSize]; // client random + uchar srandom[RandomSize]; // server random + int clientVersion; // version in ClientHello + char *digest; // name of digest algorithm to use + char *enc; // name of encryption algorithm to use + int nsecret; // amount of secret data to init keys + + // for finished messages + MD5state hsmd5; // handshake hash + SHAstate hssha1; // handshake hash + Finished finished; +} TlsConnection; + +typedef struct Msg{ + int tag; + union { + struct { + int version; + uchar random[RandomSize]; + Bytes* sid; + Ints* ciphers; + Bytes* compressors; + } clientHello; + struct { + int version; + uchar random[RandomSize]; + Bytes* sid; + int cipher; + int compressor; + } serverHello; + struct { + int ncert; + Bytes **certs; + } certificate; + struct { + Bytes *types; + int nca; + Bytes **cas; + } certificateRequest; + struct { + Bytes *key; + } clientKeyExchange; + Finished finished; + } u; +} Msg; + +typedef struct TlsSec{ + char *server; // name of remote; nil for server + int ok; // <0 killed; == 0 in progress; >0 reusable + RSApub *rsapub; + AuthRpc *rpc; // factotum for rsa private key + uchar sec[MasterSecretSize]; // master secret + uchar crandom[RandomSize]; // client random + uchar srandom[RandomSize]; // server random + int clientVers; // version in ClientHello + int vers; // final version + // byte generation and handshake checksum + void (*prf)(uchar*, int, uchar*, int, char*, uchar*, int, uchar*, int); + void (*setFinished)(TlsSec*, MD5state, SHAstate, uchar*, int); + int nfin; +} TlsSec; + + +enum { + TLSVersion = 0x0301, + SSL3Version = 0x0300, + ProtocolVersion = 0x0301, // maximum version we speak + MinProtoVersion = 0x0300, // limits on version we accept + MaxProtoVersion = 0x03ff, +}; + +// handshake type +enum { + HHelloRequest, + HClientHello, + HServerHello, + HSSL2ClientHello = 9, /* local convention; see devtls.c */ + HCertificate = 11, + HServerKeyExchange, + HCertificateRequest, + HServerHelloDone, + HCertificateVerify, + HClientKeyExchange, + HFinished = 20, + HMax +}; + +// alerts +enum { + ECloseNotify = 0, + EUnexpectedMessage = 10, + EBadRecordMac = 20, + EDecryptionFailed = 21, + ERecordOverflow = 22, + EDecompressionFailure = 30, + EHandshakeFailure = 40, + ENoCertificate = 41, + EBadCertificate = 42, + EUnsupportedCertificate = 43, + ECertificateRevoked = 44, + ECertificateExpired = 45, + ECertificateUnknown = 46, + EIllegalParameter = 47, + EUnknownCa = 48, + EAccessDenied = 49, + EDecodeError = 50, + EDecryptError = 51, + EExportRestriction = 60, + EProtocolVersion = 70, + EInsufficientSecurity = 71, + EInternalError = 80, + EUserCanceled = 90, + ENoRenegotiation = 100, + EMax = 256 +}; + +// cipher suites +enum { + TLS_NULL_WITH_NULL_NULL = 0x0000, + TLS_RSA_WITH_NULL_MD5 = 0x0001, + TLS_RSA_WITH_NULL_SHA = 0x0002, + TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003, + TLS_RSA_WITH_RC4_128_MD5 = 0x0004, + TLS_RSA_WITH_RC4_128_SHA = 0x0005, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0X0006, + TLS_RSA_WITH_IDEA_CBC_SHA = 0X0007, + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0008, + TLS_RSA_WITH_DES_CBC_SHA = 0X0009, + TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0X000A, + TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X000B, + TLS_DH_DSS_WITH_DES_CBC_SHA = 0X000C, + TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0X000D, + TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X000E, + TLS_DH_RSA_WITH_DES_CBC_SHA = 0X000F, + TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0X0010, + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0X0011, + TLS_DHE_DSS_WITH_DES_CBC_SHA = 0X0012, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0X0013, // ZZZ must be implemented for tls1.0 compliance + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0X0014, + TLS_DHE_RSA_WITH_DES_CBC_SHA = 0X0015, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0X0016, + TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017, + TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018, + TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0X0019, + TLS_DH_anon_WITH_DES_CBC_SHA = 0X001A, + TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0X001B, + + TLS_RSA_WITH_AES_128_CBC_SHA = 0X002f, // aes, aka rijndael with 128 bit blocks + TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0X0030, + TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0X0031, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0X0032, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0X0033, + TLS_DH_anon_WITH_AES_128_CBC_SHA = 0X0034, + TLS_RSA_WITH_AES_256_CBC_SHA = 0X0035, + TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0X0036, + TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0X0037, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0X0038, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0X0039, + TLS_DH_anon_WITH_AES_256_CBC_SHA = 0X003A, + CipherMax +}; + +// compression methods +enum { + CompressionNull = 0, + CompressionMax +}; + +static Algs cipherAlgs[] = { + {"rc4_128", "md5", 2 * (16 + MD5dlen), TLS_RSA_WITH_RC4_128_MD5}, + {"rc4_128", "sha1", 2 * (16 + SHA1dlen), TLS_RSA_WITH_RC4_128_SHA}, + {"3des_ede_cbc","sha1",2*(4*8+SHA1dlen), TLS_RSA_WITH_3DES_EDE_CBC_SHA}, +}; + +static uchar compressors[] = { + CompressionNull, +}; + +static TlsConnection *tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chain); +static TlsConnection *tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...)); + +static void msgClear(Msg *m); +static char* msgPrint(char *buf, int n, Msg *m); +static int msgRecv(TlsConnection *c, Msg *m); +static int msgSend(TlsConnection *c, Msg *m, int act); +static void tlsError(TlsConnection *c, int err, char *msg, ...); +#pragma varargck argpos tlsError 3 +static int setVersion(TlsConnection *c, int version); +static int finishedMatch(TlsConnection *c, Finished *f); +static void tlsConnectionFree(TlsConnection *c); + +static int setAlgs(TlsConnection *c, int a); +static int okCipher(Ints *cv); +static int okCompression(Bytes *cv); +static int initCiphers(void); +static Ints* makeciphers(void); + +static TlsSec* tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom); +static int tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd); +static TlsSec* tlsSecInitc(int cvers, uchar *crandom); +static int tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd); +static int tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient); +static void tlsSecOk(TlsSec *sec); +static void tlsSecKill(TlsSec *sec); +static void tlsSecClose(TlsSec *sec); +static void setMasterSecret(TlsSec *sec, Bytes *pm); +static void serverMasterSecret(TlsSec *sec, uchar *epm, int nepm); +static void setSecrets(TlsSec *sec, uchar *kd, int nkd); +static int clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm); +static Bytes *pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype); +static Bytes *pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm); +static void tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient); +static void sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient); +static void sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, + uchar *seed0, int nseed0, uchar *seed1, int nseed1); +static int setVers(TlsSec *sec, int version); + +static AuthRpc* factotum_rsa_open(uchar *cert, int certlen); +static mpint* factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher); +static void factotum_rsa_close(AuthRpc*rpc); + +static void* emalloc(int); +static void* erealloc(void*, int); +static void put32(uchar *p, u32int); +static void put24(uchar *p, int); +static void put16(uchar *p, int); +static u32int get32(uchar *p); +static int get24(uchar *p); +static int get16(uchar *p); +static Bytes* newbytes(int len); +static Bytes* makebytes(uchar* buf, int len); +static void freebytes(Bytes* b); +static Ints* newints(int len); +static Ints* makeints(int* buf, int len); +static void freeints(Ints* b); + +//================= client/server ======================== + +// push TLS onto fd, returning new (application) file descriptor +// or -1 if error. +int +tlsServer(int fd, TLSconn *conn) +{ + char buf[8]; + char dname[64]; + int n, data, ctl, hand; + TlsConnection *tls; + + if(conn == nil) + return -1; + ctl = open("#a/tls/clone", ORDWR); + if(ctl < 0) + return -1; + n = read(ctl, buf, sizeof(buf)-1); + if(n < 0){ + close(ctl); + return -1; + } + buf[n] = 0; + sprint(conn->dir, "#a/tls/%s", buf); + sprint(dname, "#a/tls/%s/hand", buf); + hand = open(dname, ORDWR); + if(hand < 0){ + close(ctl); + return -1; + } + fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion); + tls = tlsServer2(ctl, hand, conn->cert, conn->certlen, conn->trace, conn->chain); + sprint(dname, "#a/tls/%s/data", buf); + data = open(dname, ORDWR); + close(fd); + close(hand); + close(ctl); + if(data < 0){ + return -1; + } + if(tls == nil){ + close(data); + return -1; + } + if(conn->cert) + free(conn->cert); + conn->cert = 0; // client certificates are not yet implemented + conn->certlen = 0; + conn->sessionIDlen = tls->sid->len; + conn->sessionID = emalloc(conn->sessionIDlen); + memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen); + if(conn->sessionKey != nil && conn->sessionType != nil && strcmp(conn->sessionType, "ttls") == 0) + tls->sec->prf(conn->sessionKey, conn->sessionKeylen, tls->sec->sec, MasterSecretSize, conn->sessionConst, tls->sec->crandom, RandomSize, tls->sec->srandom, RandomSize); + tlsConnectionFree(tls); + return data; +} + +// push TLS onto fd, returning new (application) file descriptor +// or -1 if error. +int +tlsClient(int fd, TLSconn *conn) +{ + char buf[8]; + char dname[64]; + int n, data, ctl, hand; + TlsConnection *tls; + + if(!conn) + return -1; + ctl = open("#a/tls/clone", ORDWR); + if(ctl < 0) + return -1; + n = read(ctl, buf, sizeof(buf)-1); + if(n < 0){ + close(ctl); + return -1; + } + buf[n] = 0; + sprint(conn->dir, "#a/tls/%s", buf); + sprint(dname, "#a/tls/%s/hand", buf); + hand = open(dname, ORDWR); + if(hand < 0){ + close(ctl); + return -1; + } + sprint(dname, "#a/tls/%s/data", buf); + data = open(dname, ORDWR); + if(data < 0) + return -1; + fprint(ctl, "fd %d 0x%x", fd, ProtocolVersion); + tls = tlsClient2(ctl, hand, conn->sessionID, conn->sessionIDlen, conn->trace); + close(fd); + close(hand); + close(ctl); + if(tls == nil){ + close(data); + return -1; + } + conn->certlen = tls->cert->len; + conn->cert = emalloc(conn->certlen); + memcpy(conn->cert, tls->cert->data, conn->certlen); + conn->sessionIDlen = tls->sid->len; + conn->sessionID = emalloc(conn->sessionIDlen); + memcpy(conn->sessionID, tls->sid->data, conn->sessionIDlen); + if(conn->sessionKey != nil && conn->sessionType != nil && strcmp(conn->sessionType, "ttls") == 0) + tls->sec->prf(conn->sessionKey, conn->sessionKeylen, tls->sec->sec, MasterSecretSize, conn->sessionConst, tls->sec->crandom, RandomSize, tls->sec->srandom, RandomSize); + tlsConnectionFree(tls); + return data; +} + +static int +countchain(PEMChain *p) +{ + int i = 0; + + while (p) { + i++; + p = p->next; + } + return i; +} + +static TlsConnection * +tlsServer2(int ctl, int hand, uchar *cert, int ncert, int (*trace)(char*fmt, ...), PEMChain *chp) +{ + TlsConnection *c; + Msg m; + Bytes *csid; + uchar sid[SidSize], kd[MaxKeyData]; + char *secrets; + int cipher, compressor, nsid, rv, numcerts, i; + + if(trace) + trace("tlsServer2\n"); + if(!initCiphers()) + return nil; + c = emalloc(sizeof(TlsConnection)); + c->ctl = ctl; + c->hand = hand; + c->trace = trace; + c->version = ProtocolVersion; + + memset(&m, 0, sizeof(m)); + if(!msgRecv(c, &m)){ + if(trace) + trace("initial msgRecv failed\n"); + goto Err; + } + if(m.tag != HClientHello) { + tlsError(c, EUnexpectedMessage, "expected a client hello"); + goto Err; + } + c->clientVersion = m.u.clientHello.version; + if(trace) + trace("ClientHello version %x\n", c->clientVersion); + if(setVersion(c, m.u.clientHello.version) < 0) { + tlsError(c, EIllegalParameter, "incompatible version"); + goto Err; + } + + memmove(c->crandom, m.u.clientHello.random, RandomSize); + cipher = okCipher(m.u.clientHello.ciphers); + if(cipher < 0) { + // reply with EInsufficientSecurity if we know that's the case + if(cipher == -2) + tlsError(c, EInsufficientSecurity, "cipher suites too weak"); + else + tlsError(c, EHandshakeFailure, "no matching cipher suite"); + goto Err; + } + if(!setAlgs(c, cipher)){ + tlsError(c, EHandshakeFailure, "no matching cipher suite"); + goto Err; + } + compressor = okCompression(m.u.clientHello.compressors); + if(compressor < 0) { + tlsError(c, EHandshakeFailure, "no matching compressor"); + goto Err; + } + + csid = m.u.clientHello.sid; + if(trace) + trace(" cipher %d, compressor %d, csidlen %d\n", cipher, compressor, csid->len); + c->sec = tlsSecInits(c->clientVersion, csid->data, csid->len, c->crandom, sid, &nsid, c->srandom); + if(c->sec == nil){ + tlsError(c, EHandshakeFailure, "can't initialize security: %r"); + goto Err; + } + c->sec->rpc = factotum_rsa_open(cert, ncert); + if(c->sec->rpc == nil){ + tlsError(c, EHandshakeFailure, "factotum_rsa_open: %r"); + goto Err; + } + c->sec->rsapub = X509toRSApub(cert, ncert, nil, 0); + msgClear(&m); + + m.tag = HServerHello; + m.u.serverHello.version = c->version; + memmove(m.u.serverHello.random, c->srandom, RandomSize); + m.u.serverHello.cipher = cipher; + m.u.serverHello.compressor = compressor; + c->sid = makebytes(sid, nsid); + m.u.serverHello.sid = makebytes(c->sid->data, c->sid->len); + if(!msgSend(c, &m, AQueue)) + goto Err; + msgClear(&m); + + m.tag = HCertificate; + numcerts = countchain(chp); + m.u.certificate.ncert = 1 + numcerts; + m.u.certificate.certs = emalloc(m.u.certificate.ncert * sizeof(Bytes)); + m.u.certificate.certs[0] = makebytes(cert, ncert); + for (i = 0; i < numcerts && chp; i++, chp = chp->next) + m.u.certificate.certs[i+1] = makebytes(chp->pem, chp->pemlen); + if(!msgSend(c, &m, AQueue)) + goto Err; + msgClear(&m); + + m.tag = HServerHelloDone; + if(!msgSend(c, &m, AFlush)) + goto Err; + msgClear(&m); + + if(!msgRecv(c, &m)) + goto Err; + if(m.tag != HClientKeyExchange) { + tlsError(c, EUnexpectedMessage, "expected a client key exchange"); + goto Err; + } + if(tlsSecSecrets(c->sec, c->version, m.u.clientKeyExchange.key->data, m.u.clientKeyExchange.key->len, kd, c->nsecret) < 0){ + tlsError(c, EHandshakeFailure, "couldn't set secrets: %r"); + goto Err; + } + if(trace) + trace("tls secrets\n"); + secrets = (char*)emalloc(2*c->nsecret); + enc64(secrets, 2*c->nsecret, kd, c->nsecret); + rv = fprint(c->ctl, "secret %s %s 0 %s", c->digest, c->enc, secrets); + memset(secrets, 0, 2*c->nsecret); + free(secrets); + memset(kd, 0, c->nsecret); + if(rv < 0){ + tlsError(c, EHandshakeFailure, "can't set keys: %r"); + goto Err; + } + msgClear(&m); + + /* no CertificateVerify; skip to Finished */ + if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){ + tlsError(c, EInternalError, "can't set finished: %r"); + goto Err; + } + if(!msgRecv(c, &m)) + goto Err; + if(m.tag != HFinished) { + tlsError(c, EUnexpectedMessage, "expected a finished"); + goto Err; + } + if(!finishedMatch(c, &m.u.finished)) { + tlsError(c, EHandshakeFailure, "finished verification failed"); + goto Err; + } + msgClear(&m); + + /* change cipher spec */ + if(fprint(c->ctl, "changecipher") < 0){ + tlsError(c, EInternalError, "can't enable cipher: %r"); + goto Err; + } + + if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){ + tlsError(c, EInternalError, "can't set finished: %r"); + goto Err; + } + m.tag = HFinished; + m.u.finished = c->finished; + if(!msgSend(c, &m, AFlush)) + goto Err; + msgClear(&m); + if(trace) + trace("tls finished\n"); + + if(fprint(c->ctl, "opened") < 0) + goto Err; + tlsSecOk(c->sec); + return c; + +Err: + msgClear(&m); + tlsConnectionFree(c); + return 0; +} + +static TlsConnection * +tlsClient2(int ctl, int hand, uchar *csid, int ncsid, int (*trace)(char*fmt, ...)) +{ + TlsConnection *c; + Msg m; + uchar kd[MaxKeyData], *epm; + char *secrets; + int creq, nepm, rv; + + if(!initCiphers()) + return nil; + epm = nil; + c = emalloc(sizeof(TlsConnection)); + c->version = ProtocolVersion; + c->ctl = ctl; + c->hand = hand; + c->trace = trace; + c->isClient = 1; + c->clientVersion = c->version; + + c->sec = tlsSecInitc(c->clientVersion, c->crandom); + if(c->sec == nil) + goto Err; + + /* client hello */ + memset(&m, 0, sizeof(m)); + m.tag = HClientHello; + m.u.clientHello.version = c->clientVersion; + memmove(m.u.clientHello.random, c->crandom, RandomSize); + m.u.clientHello.sid = makebytes(csid, ncsid); + m.u.clientHello.ciphers = makeciphers(); + m.u.clientHello.compressors = makebytes(compressors,sizeof(compressors)); + if(!msgSend(c, &m, AFlush)) + goto Err; + msgClear(&m); + + /* server hello */ + if(!msgRecv(c, &m)) + goto Err; + if(m.tag != HServerHello) { + tlsError(c, EUnexpectedMessage, "expected a server hello"); + goto Err; + } + if(setVersion(c, m.u.serverHello.version) < 0) { + tlsError(c, EIllegalParameter, "incompatible version %r"); + goto Err; + } + memmove(c->srandom, m.u.serverHello.random, RandomSize); + c->sid = makebytes(m.u.serverHello.sid->data, m.u.serverHello.sid->len); + if(c->sid->len != 0 && c->sid->len != SidSize) { + tlsError(c, EIllegalParameter, "invalid server session identifier"); + goto Err; + } + if(!setAlgs(c, m.u.serverHello.cipher)) { + tlsError(c, EIllegalParameter, "invalid cipher suite"); + goto Err; + } + if(m.u.serverHello.compressor != CompressionNull) { + tlsError(c, EIllegalParameter, "invalid compression"); + goto Err; + } + msgClear(&m); + + /* certificate */ + if(!msgRecv(c, &m) || m.tag != HCertificate) { + tlsError(c, EUnexpectedMessage, "expected a certificate"); + goto Err; + } + if(m.u.certificate.ncert < 1) { + tlsError(c, EIllegalParameter, "runt certificate"); + goto Err; + } + c->cert = makebytes(m.u.certificate.certs[0]->data, m.u.certificate.certs[0]->len); + msgClear(&m); + + /* server key exchange (optional) */ + if(!msgRecv(c, &m)) + goto Err; + if(m.tag == HServerKeyExchange) { + tlsError(c, EUnexpectedMessage, "got an server key exchange"); + goto Err; + // If implementing this later, watch out for rollback attack + // described in Wagner Schneier 1996, section 4.4. + } + + /* certificate request (optional) */ + creq = 0; + if(m.tag == HCertificateRequest) { + creq = 1; + msgClear(&m); + if(!msgRecv(c, &m)) + goto Err; + } + + if(m.tag != HServerHelloDone) { + tlsError(c, EUnexpectedMessage, "expected a server hello done"); + goto Err; + } + msgClear(&m); + + if(tlsSecSecretc(c->sec, c->sid->data, c->sid->len, c->srandom, + c->cert->data, c->cert->len, c->version, &epm, &nepm, + kd, c->nsecret) < 0){ + tlsError(c, EBadCertificate, "invalid x509/rsa certificate"); + goto Err; + } + secrets = (char*)emalloc(2*c->nsecret); + enc64(secrets, 2*c->nsecret, kd, c->nsecret); + rv = fprint(c->ctl, "secret %s %s 1 %s", c->digest, c->enc, secrets); + memset(secrets, 0, 2*c->nsecret); + free(secrets); + memset(kd, 0, c->nsecret); + if(rv < 0){ + tlsError(c, EHandshakeFailure, "can't set keys: %r"); + goto Err; + } + + if(creq) { + /* send a zero length certificate */ + m.tag = HCertificate; + if(!msgSend(c, &m, AFlush)) + goto Err; + msgClear(&m); + } + + /* client key exchange */ + m.tag = HClientKeyExchange; + m.u.clientKeyExchange.key = makebytes(epm, nepm); + free(epm); + epm = nil; + if(m.u.clientKeyExchange.key == nil) { + tlsError(c, EHandshakeFailure, "can't set secret: %r"); + goto Err; + } + if(!msgSend(c, &m, AFlush)) + goto Err; + msgClear(&m); + + /* change cipher spec */ + if(fprint(c->ctl, "changecipher") < 0){ + tlsError(c, EInternalError, "can't enable cipher: %r"); + goto Err; + } + + // Cipherchange must occur immediately before Finished to avoid + // potential hole; see section 4.3 of Wagner Schneier 1996. + if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 1) < 0){ + tlsError(c, EInternalError, "can't set finished 1: %r"); + goto Err; + } + m.tag = HFinished; + m.u.finished = c->finished; + + if(!msgSend(c, &m, AFlush)) { + fprint(2, "tlsClient nepm=%d\n", nepm); + tlsError(c, EInternalError, "can't flush after client Finished: %r"); + goto Err; + } + msgClear(&m); + + if(tlsSecFinished(c->sec, c->hsmd5, c->hssha1, c->finished.verify, c->finished.n, 0) < 0){ + fprint(2, "tlsClient nepm=%d\n", nepm); + tlsError(c, EInternalError, "can't set finished 0: %r"); + goto Err; + } + if(!msgRecv(c, &m)) { + fprint(2, "tlsClient nepm=%d\n", nepm); + tlsError(c, EInternalError, "can't read server Finished: %r"); + goto Err; + } + if(m.tag != HFinished) { + fprint(2, "tlsClient nepm=%d\n", nepm); + tlsError(c, EUnexpectedMessage, "expected a Finished msg from server"); + goto Err; + } + + if(!finishedMatch(c, &m.u.finished)) { + tlsError(c, EHandshakeFailure, "finished verification failed"); + goto Err; + } + msgClear(&m); + + if(fprint(c->ctl, "opened") < 0){ + if(trace) + trace("unable to do final open: %r\n"); + goto Err; + } + tlsSecOk(c->sec); + return c; + +Err: + free(epm); + msgClear(&m); + tlsConnectionFree(c); + return 0; +} + + +//================= message functions ======================== + +static uchar sendbuf[9000], *sendp; + +static int +msgSend(TlsConnection *c, Msg *m, int act) +{ + uchar *p; // sendp = start of new message; p = write pointer + int nn, n, i; + + if(sendp == nil) + sendp = sendbuf; + p = sendp; + if(c->trace) + c->trace("send %s", msgPrint((char*)p, (sizeof sendbuf) - (p-sendbuf), m)); + + p[0] = m->tag; // header - fill in size later + p += 4; + + switch(m->tag) { + default: + tlsError(c, EInternalError, "can't encode a %d", m->tag); + goto Err; + case HClientHello: + // version + put16(p, m->u.clientHello.version); + p += 2; + + // random + memmove(p, m->u.clientHello.random, RandomSize); + p += RandomSize; + + // sid + n = m->u.clientHello.sid->len; + assert(n < 256); + p[0] = n; + memmove(p+1, m->u.clientHello.sid->data, n); + p += n+1; + + n = m->u.clientHello.ciphers->len; + assert(n > 0 && n < 200); + put16(p, n*2); + p += 2; + for(i=0; i<n; i++) { + put16(p, m->u.clientHello.ciphers->data[i]); + p += 2; + } + + n = m->u.clientHello.compressors->len; + assert(n > 0); + p[0] = n; + memmove(p+1, m->u.clientHello.compressors->data, n); + p += n+1; + break; + case HServerHello: + put16(p, m->u.serverHello.version); + p += 2; + + // random + memmove(p, m->u.serverHello.random, RandomSize); + p += RandomSize; + + // sid + n = m->u.serverHello.sid->len; + assert(n < 256); + p[0] = n; + memmove(p+1, m->u.serverHello.sid->data, n); + p += n+1; + + put16(p, m->u.serverHello.cipher); + p += 2; + p[0] = m->u.serverHello.compressor; + p += 1; + break; + case HServerHelloDone: + break; + case HCertificate: + nn = 0; + for(i = 0; i < m->u.certificate.ncert; i++) + nn += 3 + m->u.certificate.certs[i]->len; + if(p + 3 + nn - sendbuf > sizeof(sendbuf)) { + tlsError(c, EInternalError, "output buffer too small for certificate"); + goto Err; + } + put24(p, nn); + p += 3; + for(i = 0; i < m->u.certificate.ncert; i++){ + put24(p, m->u.certificate.certs[i]->len); + p += 3; + memmove(p, m->u.certificate.certs[i]->data, m->u.certificate.certs[i]->len); + p += m->u.certificate.certs[i]->len; + } + break; + case HClientKeyExchange: + n = m->u.clientKeyExchange.key->len; + if(c->version != SSL3Version){ + put16(p, n); + p += 2; + } + memmove(p, m->u.clientKeyExchange.key->data, n); + p += n; + break; + case HFinished: + memmove(p, m->u.finished.verify, m->u.finished.n); + p += m->u.finished.n; + break; + } + + // go back and fill in size + n = p-sendp; + assert(p <= sendbuf+sizeof(sendbuf)); + put24(sendp+1, n-4); + + // remember hash of Handshake messages + if(m->tag != HHelloRequest) { + md5(sendp, n, 0, &c->hsmd5); + sha1(sendp, n, 0, &c->hssha1); + } + + sendp = p; + if(act == AFlush){ + sendp = sendbuf; + if(write(c->hand, sendbuf, p-sendbuf) < 0){ + fprint(2, "write error: %r\n"); + goto Err; + } + } + msgClear(m); + return 1; +Err: + msgClear(m); + return 0; +} + +static uchar* +tlsReadN(TlsConnection *c, int n) +{ + uchar *p; + int nn, nr; + + nn = c->ep - c->rp; + if(nn < n){ + if(c->rp != c->buf){ + memmove(c->buf, c->rp, nn); + c->rp = c->buf; + c->ep = &c->buf[nn]; + } + for(; nn < n; nn += nr) { + nr = read(c->hand, &c->rp[nn], n - nn); + if(nr <= 0) + return nil; + c->ep += nr; + } + } + p = c->rp; + c->rp += n; + return p; +} + +static int +msgRecv(TlsConnection *c, Msg *m) +{ + uchar *p; + int type, n, nn, i, nsid, nrandom, nciph; + + for(;;) { + p = tlsReadN(c, 4); + if(p == nil) + return 0; + type = p[0]; + n = get24(p+1); + + if(type != HHelloRequest) + break; + if(n != 0) { + tlsError(c, EDecodeError, "invalid hello request during handshake"); + return 0; + } + } + + if(n > sizeof(c->buf)) { + tlsError(c, EDecodeError, "handshake message too long %d %d", n, sizeof(c->buf)); + return 0; + } + + if(type == HSSL2ClientHello){ + /* Cope with an SSL3 ClientHello expressed in SSL2 record format. + This is sent by some clients that we must interoperate + with, such as Java's JSSE and Microsoft's Internet Explorer. */ + p = tlsReadN(c, n); + if(p == nil) + return 0; + md5(p, n, 0, &c->hsmd5); + sha1(p, n, 0, &c->hssha1); + m->tag = HClientHello; + if(n < 22) + goto Short; + m->u.clientHello.version = get16(p+1); + p += 3; + n -= 3; + nn = get16(p); /* cipher_spec_len */ + nsid = get16(p + 2); + nrandom = get16(p + 4); + p += 6; + n -= 6; + if(nsid != 0 /* no sid's, since shouldn't restart using ssl2 header */ + || nrandom < 16 || nn % 3) + goto Err; + if(c->trace && (n - nrandom != nn)) + c->trace("n-nrandom!=nn: n=%d nrandom=%d nn=%d\n", n, nrandom, nn); + /* ignore ssl2 ciphers and look for {0x00, ssl3 cipher} */ + nciph = 0; + for(i = 0; i < nn; i += 3) + if(p[i] == 0) + nciph++; + m->u.clientHello.ciphers = newints(nciph); + nciph = 0; + for(i = 0; i < nn; i += 3) + if(p[i] == 0) + m->u.clientHello.ciphers->data[nciph++] = get16(&p[i + 1]); + p += nn; + m->u.clientHello.sid = makebytes(nil, 0); + if(nrandom > RandomSize) + nrandom = RandomSize; + memset(m->u.clientHello.random, 0, RandomSize - nrandom); + memmove(&m->u.clientHello.random[RandomSize - nrandom], p, nrandom); + m->u.clientHello.compressors = newbytes(1); + m->u.clientHello.compressors->data[0] = CompressionNull; + goto Ok; + } + + md5(p, 4, 0, &c->hsmd5); + sha1(p, 4, 0, &c->hssha1); + + p = tlsReadN(c, n); + if(p == nil) + return 0; + + md5(p, n, 0, &c->hsmd5); + sha1(p, n, 0, &c->hssha1); + + m->tag = type; + + switch(type) { + default: + tlsError(c, EUnexpectedMessage, "can't decode a %d", type); + goto Err; + case HClientHello: + if(n < 2) + goto Short; + m->u.clientHello.version = get16(p); + p += 2; + n -= 2; + + if(n < RandomSize) + goto Short; + memmove(m->u.clientHello.random, p, RandomSize); + p += RandomSize; + n -= RandomSize; + if(n < 1 || n < p[0]+1) + goto Short; + m->u.clientHello.sid = makebytes(p+1, p[0]); + p += m->u.clientHello.sid->len+1; + n -= m->u.clientHello.sid->len+1; + + if(n < 2) + goto Short; + nn = get16(p); + p += 2; + n -= 2; + + if((nn & 1) || n < nn || nn < 2) + goto Short; + m->u.clientHello.ciphers = newints(nn >> 1); + for(i = 0; i < nn; i += 2) + m->u.clientHello.ciphers->data[i >> 1] = get16(&p[i]); + p += nn; + n -= nn; + + if(n < 1 || n < p[0]+1 || p[0] == 0) + goto Short; + nn = p[0]; + m->u.clientHello.compressors = newbytes(nn); + memmove(m->u.clientHello.compressors->data, p+1, nn); + n -= nn + 1; + break; + case HServerHello: + if(n < 2) + goto Short; + m->u.serverHello.version = get16(p); + p += 2; + n -= 2; + + if(n < RandomSize) + goto Short; + memmove(m->u.serverHello.random, p, RandomSize); + p += RandomSize; + n -= RandomSize; + + if(n < 1 || n < p[0]+1) + goto Short; + m->u.serverHello.sid = makebytes(p+1, p[0]); + p += m->u.serverHello.sid->len+1; + n -= m->u.serverHello.sid->len+1; + + if(n < 3) + goto Short; + m->u.serverHello.cipher = get16(p); + m->u.serverHello.compressor = p[2]; + n -= 3; + break; + case HCertificate: + if(n < 3) + goto Short; + nn = get24(p); + p += 3; + n -= 3; + if(n != nn) + goto Short; + /* certs */ + i = 0; + while(n > 0) { + if(n < 3) + goto Short; + nn = get24(p); + p += 3; + n -= 3; + if(nn > n) + goto Short; + m->u.certificate.ncert = i+1; + m->u.certificate.certs = erealloc(m->u.certificate.certs, (i+1)*sizeof(Bytes)); + m->u.certificate.certs[i] = makebytes(p, nn); + p += nn; + n -= nn; + i++; + } + break; + case HCertificateRequest: + if(n < 1) + goto Short; + nn = p[0]; + p += 1; + n -= 1; + if(nn < 1 || nn > n) + goto Short; + m->u.certificateRequest.types = makebytes(p, nn); + p += nn; + n -= nn; + if(n < 2) + goto Short; + nn = get16(p); + p += 2; + n -= 2; + /* nn == 0 can happen; yahoo's servers do it */ + if(nn != n) + goto Short; + /* cas */ + i = 0; + while(n > 0) { + if(n < 2) + goto Short; + nn = get16(p); + p += 2; + n -= 2; + if(nn < 1 || nn > n) + goto Short; + m->u.certificateRequest.nca = i+1; + m->u.certificateRequest.cas = erealloc( + m->u.certificateRequest.cas, (i+1)*sizeof(Bytes)); + m->u.certificateRequest.cas[i] = makebytes(p, nn); + p += nn; + n -= nn; + i++; + } + break; + case HServerHelloDone: + break; + case HClientKeyExchange: + /* + * this message depends upon the encryption selected + * assume rsa. + */ + if(c->version == SSL3Version) + nn = n; + else{ + if(n < 2) + goto Short; + nn = get16(p); + p += 2; + n -= 2; + } + if(n < nn) + goto Short; + m->u.clientKeyExchange.key = makebytes(p, nn); + n -= nn; + break; + case HFinished: + m->u.finished.n = c->finished.n; + if(n < m->u.finished.n) + goto Short; + memmove(m->u.finished.verify, p, m->u.finished.n); + n -= m->u.finished.n; + break; + } + + if(type != HClientHello && n != 0) + goto Short; +Ok: + if(c->trace){ + char *buf; + buf = emalloc(8000); + c->trace("recv %s", msgPrint(buf, 8000, m)); + free(buf); + } + return 1; +Short: + tlsError(c, EDecodeError, "handshake message has invalid length"); +Err: + msgClear(m); + return 0; +} + +static void +msgClear(Msg *m) +{ + int i; + + switch(m->tag) { + default: + sysfatal("msgClear: unknown message type: %d", m->tag); + case HHelloRequest: + break; + case HClientHello: + freebytes(m->u.clientHello.sid); + freeints(m->u.clientHello.ciphers); + freebytes(m->u.clientHello.compressors); + break; + case HServerHello: + freebytes(m->u.clientHello.sid); + break; + case HCertificate: + for(i=0; i<m->u.certificate.ncert; i++) + freebytes(m->u.certificate.certs[i]); + free(m->u.certificate.certs); + break; + case HCertificateRequest: + freebytes(m->u.certificateRequest.types); + for(i=0; i<m->u.certificateRequest.nca; i++) + freebytes(m->u.certificateRequest.cas[i]); + free(m->u.certificateRequest.cas); + break; + case HServerHelloDone: + break; + case HClientKeyExchange: + freebytes(m->u.clientKeyExchange.key); + break; + case HFinished: + break; + } + memset(m, 0, sizeof(Msg)); +} + +static char * +bytesPrint(char *bs, char *be, char *s0, Bytes *b, char *s1) +{ + int i; + + if(s0) + bs = seprint(bs, be, "%s", s0); + bs = seprint(bs, be, "["); + if(b == nil) + bs = seprint(bs, be, "nil"); + else + for(i=0; i<b->len; i++) + bs = seprint(bs, be, "%.2x ", b->data[i]); + bs = seprint(bs, be, "]"); + if(s1) + bs = seprint(bs, be, "%s", s1); + return bs; +} + +static char * +intsPrint(char *bs, char *be, char *s0, Ints *b, char *s1) +{ + int i; + + if(s0) + bs = seprint(bs, be, "%s", s0); + bs = seprint(bs, be, "["); + if(b == nil) + bs = seprint(bs, be, "nil"); + else + for(i=0; i<b->len; i++) + bs = seprint(bs, be, "%x ", b->data[i]); + bs = seprint(bs, be, "]"); + if(s1) + bs = seprint(bs, be, "%s", s1); + return bs; +} + +static char* +msgPrint(char *buf, int n, Msg *m) +{ + int i; + char *bs = buf, *be = buf+n; + + switch(m->tag) { + default: + bs = seprint(bs, be, "unknown %d\n", m->tag); + break; + case HClientHello: + bs = seprint(bs, be, "ClientHello\n"); + bs = seprint(bs, be, "\tversion: %.4x\n", m->u.clientHello.version); + bs = seprint(bs, be, "\trandom: "); + for(i=0; i<RandomSize; i++) + bs = seprint(bs, be, "%.2x", m->u.clientHello.random[i]); + bs = seprint(bs, be, "\n"); + bs = bytesPrint(bs, be, "\tsid: ", m->u.clientHello.sid, "\n"); + bs = intsPrint(bs, be, "\tciphers: ", m->u.clientHello.ciphers, "\n"); + bs = bytesPrint(bs, be, "\tcompressors: ", m->u.clientHello.compressors, "\n"); + break; + case HServerHello: + bs = seprint(bs, be, "ServerHello\n"); + bs = seprint(bs, be, "\tversion: %.4x\n", m->u.serverHello.version); + bs = seprint(bs, be, "\trandom: "); + for(i=0; i<RandomSize; i++) + bs = seprint(bs, be, "%.2x", m->u.serverHello.random[i]); + bs = seprint(bs, be, "\n"); + bs = bytesPrint(bs, be, "\tsid: ", m->u.serverHello.sid, "\n"); + bs = seprint(bs, be, "\tcipher: %.4x\n", m->u.serverHello.cipher); + bs = seprint(bs, be, "\tcompressor: %.2x\n", m->u.serverHello.compressor); + break; + case HCertificate: + bs = seprint(bs, be, "Certificate\n"); + for(i=0; i<m->u.certificate.ncert; i++) + bs = bytesPrint(bs, be, "\t", m->u.certificate.certs[i], "\n"); + break; + case HCertificateRequest: + bs = seprint(bs, be, "CertificateRequest\n"); + bs = bytesPrint(bs, be, "\ttypes: ", m->u.certificateRequest.types, "\n"); + bs = seprint(bs, be, "\tcertificateauthorities\n"); + for(i=0; i<m->u.certificateRequest.nca; i++) + bs = bytesPrint(bs, be, "\t\t", m->u.certificateRequest.cas[i], "\n"); + break; + case HServerHelloDone: + bs = seprint(bs, be, "ServerHelloDone\n"); + break; + case HClientKeyExchange: + bs = seprint(bs, be, "HClientKeyExchange\n"); + bs = bytesPrint(bs, be, "\tkey: ", m->u.clientKeyExchange.key, "\n"); + break; + case HFinished: + bs = seprint(bs, be, "HFinished\n"); + for(i=0; i<m->u.finished.n; i++) + bs = seprint(bs, be, "%.2x", m->u.finished.verify[i]); + bs = seprint(bs, be, "\n"); + break; + } + USED(bs); + return buf; +} + +static void +tlsError(TlsConnection *c, int err, char *fmt, ...) +{ + char msg[512]; + va_list arg; + + va_start(arg, fmt); + vseprint(msg, msg+sizeof(msg), fmt, arg); + va_end(arg); + if(c->trace) + c->trace("tlsError: %s\n", msg); + else if(c->erred) + fprint(2, "double error: %r, %s", msg); + else + werrstr("tls: local %s", msg); + c->erred = 1; + fprint(c->ctl, "alert %d", err); +} + +// commit to specific version number +static int +setVersion(TlsConnection *c, int version) +{ + if(c->verset || version > MaxProtoVersion || version < MinProtoVersion) + return -1; + if(version > c->version) + version = c->version; + if(version == SSL3Version) { + c->version = version; + c->finished.n = SSL3FinishedLen; + }else if(version == TLSVersion){ + c->version = version; + c->finished.n = TLSFinishedLen; + }else + return -1; + c->verset = 1; + return fprint(c->ctl, "version 0x%x", version); +} + +// confirm that received Finished message matches the expected value +static int +finishedMatch(TlsConnection *c, Finished *f) +{ + return memcmp(f->verify, c->finished.verify, f->n) == 0; +} + +// free memory associated with TlsConnection struct +// (but don't close the TLS channel itself) +static void +tlsConnectionFree(TlsConnection *c) +{ + tlsSecClose(c->sec); + freebytes(c->sid); + freebytes(c->cert); + memset(c, 0, sizeof(c)); + free(c); +} + + +//================= cipher choices ======================== + +static int weakCipher[CipherMax] = +{ + 1, /* TLS_NULL_WITH_NULL_NULL */ + 1, /* TLS_RSA_WITH_NULL_MD5 */ + 1, /* TLS_RSA_WITH_NULL_SHA */ + 1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */ + 0, /* TLS_RSA_WITH_RC4_128_MD5 */ + 0, /* TLS_RSA_WITH_RC4_128_SHA */ + 1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */ + 0, /* TLS_RSA_WITH_IDEA_CBC_SHA */ + 1, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */ + 0, /* TLS_RSA_WITH_DES_CBC_SHA */ + 0, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */ + 1, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */ + 0, /* TLS_DH_DSS_WITH_DES_CBC_SHA */ + 0, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */ + 1, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */ + 0, /* TLS_DH_RSA_WITH_DES_CBC_SHA */ + 0, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */ + 1, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */ + 0, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */ + 0, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */ + 1, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */ + 0, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */ + 0, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ + 1, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */ + 1, /* TLS_DH_anon_WITH_RC4_128_MD5 */ + 1, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */ + 1, /* TLS_DH_anon_WITH_DES_CBC_SHA */ + 1, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */ +}; + +static int +setAlgs(TlsConnection *c, int a) +{ + int i; + + for(i = 0; i < nelem(cipherAlgs); i++){ + if(cipherAlgs[i].tlsid == a){ + c->enc = cipherAlgs[i].enc; + c->digest = cipherAlgs[i].digest; + c->nsecret = cipherAlgs[i].nsecret; + if(c->nsecret > MaxKeyData) + return 0; + return 1; + } + } + return 0; +} + +static int +okCipher(Ints *cv) +{ + int weak, i, j, c; + + weak = 1; + for(i = 0; i < cv->len; i++) { + c = cv->data[i]; + if(c >= CipherMax) + weak = 0; + else + weak &= weakCipher[c]; + for(j = 0; j < nelem(cipherAlgs); j++) + if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c) + return c; + } + if(weak) + return -2; + return -1; +} + +static int +okCompression(Bytes *cv) +{ + int i, j, c; + + for(i = 0; i < cv->len; i++) { + c = cv->data[i]; + for(j = 0; j < nelem(compressors); j++) { + if(compressors[j] == c) + return c; + } + } + return -1; +} + +static Lock ciphLock; +static int nciphers; + +static int +initCiphers(void) +{ + enum {MaxAlgF = 1024, MaxAlgs = 10}; + char s[MaxAlgF], *flds[MaxAlgs]; + int i, j, n, ok; + + lock(&ciphLock); + if(nciphers){ + unlock(&ciphLock); + return nciphers; + } + j = open("#a/tls/encalgs", OREAD); + if(j < 0){ + werrstr("can't open #a/tls/encalgs: %r"); + return 0; + } + n = read(j, s, MaxAlgF-1); + close(j); + if(n <= 0){ + werrstr("nothing in #a/tls/encalgs: %r"); + return 0; + } + s[n] = 0; + n = getfields(s, flds, MaxAlgs, 1, " \t\r\n"); + for(i = 0; i < nelem(cipherAlgs); i++){ + ok = 0; + for(j = 0; j < n; j++){ + if(strcmp(cipherAlgs[i].enc, flds[j]) == 0){ + ok = 1; + break; + } + } + cipherAlgs[i].ok = ok; + } + + j = open("#a/tls/hashalgs", OREAD); + if(j < 0){ + werrstr("can't open #a/tls/hashalgs: %r"); + return 0; + } + n = read(j, s, MaxAlgF-1); + close(j); + if(n <= 0){ + werrstr("nothing in #a/tls/hashalgs: %r"); + return 0; + } + s[n] = 0; + n = getfields(s, flds, MaxAlgs, 1, " \t\r\n"); + for(i = 0; i < nelem(cipherAlgs); i++){ + ok = 0; + for(j = 0; j < n; j++){ + if(strcmp(cipherAlgs[i].digest, flds[j]) == 0){ + ok = 1; + break; + } + } + cipherAlgs[i].ok &= ok; + if(cipherAlgs[i].ok) + nciphers++; + } + unlock(&ciphLock); + return nciphers; +} + +static Ints* +makeciphers(void) +{ + Ints *is; + int i, j; + + is = newints(nciphers); + j = 0; + for(i = 0; i < nelem(cipherAlgs); i++){ + if(cipherAlgs[i].ok) + is->data[j++] = cipherAlgs[i].tlsid; + } + return is; +} + + + +//================= security functions ======================== + +// given X.509 certificate, set up connection to factotum +// for using corresponding private key +static AuthRpc* +factotum_rsa_open(uchar *cert, int certlen) +{ + int afd; + char *s; + mpint *pub = nil; + RSApub *rsapub; + AuthRpc *rpc; + + // start talking to factotum + if((afd = open("/mnt/factotum/rpc", ORDWR)) < 0) + return nil; + if((rpc = auth_allocrpc(afd)) == nil){ + close(afd); + return nil; + } + s = "proto=rsa service=tls role=client"; + if(auth_rpc(rpc, "start", s, strlen(s)) != ARok){ + factotum_rsa_close(rpc); + return nil; + } + + // roll factotum keyring around to match certificate + rsapub = X509toRSApub(cert, certlen, nil, 0); + while(1){ + if(auth_rpc(rpc, "read", nil, 0) != ARok){ + factotum_rsa_close(rpc); + rpc = nil; + goto done; + } + pub = strtomp(rpc->arg, nil, 16, nil); + assert(pub != nil); + if(mpcmp(pub,rsapub->n) == 0) + break; + } +done: + mpfree(pub); + rsapubfree(rsapub); + return rpc; +} + +static mpint* +factotum_rsa_decrypt(AuthRpc *rpc, mpint *cipher) +{ + char *p; + int rv; + + if((p = mptoa(cipher, 16, nil, 0)) == nil) + return nil; + rv = auth_rpc(rpc, "write", p, strlen(p)); + free(p); + if(rv != ARok || auth_rpc(rpc, "read", nil, 0) != ARok) + return nil; + mpfree(cipher); + return strtomp(rpc->arg, nil, 16, nil); +} + +static void +factotum_rsa_close(AuthRpc*rpc) +{ + if(!rpc) + return; + close(rpc->afd); + auth_freerpc(rpc); +} + +static void +tlsPmd5(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1) +{ + uchar ai[MD5dlen], tmp[MD5dlen]; + int i, n; + MD5state *s; + + // generate a1 + s = hmac_md5(label, nlabel, key, nkey, nil, nil); + s = hmac_md5(seed0, nseed0, key, nkey, nil, s); + hmac_md5(seed1, nseed1, key, nkey, ai, s); + + while(nbuf > 0) { + s = hmac_md5(ai, MD5dlen, key, nkey, nil, nil); + s = hmac_md5(label, nlabel, key, nkey, nil, s); + s = hmac_md5(seed0, nseed0, key, nkey, nil, s); + hmac_md5(seed1, nseed1, key, nkey, tmp, s); + n = MD5dlen; + if(n > nbuf) + n = nbuf; + for(i = 0; i < n; i++) + buf[i] ^= tmp[i]; + buf += n; + nbuf -= n; + hmac_md5(ai, MD5dlen, key, nkey, tmp, nil); + memmove(ai, tmp, MD5dlen); + } +} + +static void +tlsPsha1(uchar *buf, int nbuf, uchar *key, int nkey, uchar *label, int nlabel, uchar *seed0, int nseed0, uchar *seed1, int nseed1) +{ + uchar ai[SHA1dlen], tmp[SHA1dlen]; + int i, n; + SHAstate *s; + + // generate a1 + s = hmac_sha1(label, nlabel, key, nkey, nil, nil); + s = hmac_sha1(seed0, nseed0, key, nkey, nil, s); + hmac_sha1(seed1, nseed1, key, nkey, ai, s); + + while(nbuf > 0) { + s = hmac_sha1(ai, SHA1dlen, key, nkey, nil, nil); + s = hmac_sha1(label, nlabel, key, nkey, nil, s); + s = hmac_sha1(seed0, nseed0, key, nkey, nil, s); + hmac_sha1(seed1, nseed1, key, nkey, tmp, s); + n = SHA1dlen; + if(n > nbuf) + n = nbuf; + for(i = 0; i < n; i++) + buf[i] ^= tmp[i]; + buf += n; + nbuf -= n; + hmac_sha1(ai, SHA1dlen, key, nkey, tmp, nil); + memmove(ai, tmp, SHA1dlen); + } +} + +// fill buf with md5(args)^sha1(args) +static void +tlsPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1) +{ + int i; + int nlabel = strlen(label); + int n = (nkey + 1) >> 1; + + for(i = 0; i < nbuf; i++) + buf[i] = 0; + tlsPmd5(buf, nbuf, key, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1); + tlsPsha1(buf, nbuf, key+nkey-n, n, (uchar*)label, nlabel, seed0, nseed0, seed1, nseed1); +} + +/* + * for setting server session id's + */ +static Lock sidLock; +static long maxSid = 1; + +/* the keys are verified to have the same public components + * and to function correctly with pkcs 1 encryption and decryption. */ +static TlsSec* +tlsSecInits(int cvers, uchar *csid, int ncsid, uchar *crandom, uchar *ssid, int *nssid, uchar *srandom) +{ + TlsSec *sec = emalloc(sizeof(*sec)); + + USED(csid); USED(ncsid); // ignore csid for now + + memmove(sec->crandom, crandom, RandomSize); + sec->clientVers = cvers; + + put32(sec->srandom, time(0)); + genrandom(sec->srandom+4, RandomSize-4); + memmove(srandom, sec->srandom, RandomSize); + + /* + * make up a unique sid: use our pid, and and incrementing id + * can signal no sid by setting nssid to 0. + */ + memset(ssid, 0, SidSize); + put32(ssid, getpid()); + lock(&sidLock); + put32(ssid+4, maxSid++); + unlock(&sidLock); + *nssid = SidSize; + return sec; +} + +static int +tlsSecSecrets(TlsSec *sec, int vers, uchar *epm, int nepm, uchar *kd, int nkd) +{ + if(epm != nil){ + if(setVers(sec, vers) < 0) + goto Err; + serverMasterSecret(sec, epm, nepm); + }else if(sec->vers != vers){ + werrstr("mismatched session versions"); + goto Err; + } + setSecrets(sec, kd, nkd); + return 0; +Err: + sec->ok = -1; + return -1; +} + +static TlsSec* +tlsSecInitc(int cvers, uchar *crandom) +{ + TlsSec *sec = emalloc(sizeof(*sec)); + sec->clientVers = cvers; + put32(sec->crandom, time(0)); + genrandom(sec->crandom+4, RandomSize-4); + memmove(crandom, sec->crandom, RandomSize); + return sec; +} + +static int +tlsSecSecretc(TlsSec *sec, uchar *sid, int nsid, uchar *srandom, uchar *cert, int ncert, int vers, uchar **epm, int *nepm, uchar *kd, int nkd) +{ + RSApub *pub; + + pub = nil; + + USED(sid); + USED(nsid); + + memmove(sec->srandom, srandom, RandomSize); + + if(setVers(sec, vers) < 0) + goto Err; + + pub = X509toRSApub(cert, ncert, nil, 0); + if(pub == nil){ + werrstr("invalid x509/rsa certificate"); + goto Err; + } + if(clientMasterSecret(sec, pub, epm, nepm) < 0) + goto Err; + rsapubfree(pub); + setSecrets(sec, kd, nkd); + return 0; + +Err: + if(pub != nil) + rsapubfree(pub); + sec->ok = -1; + return -1; +} + +static int +tlsSecFinished(TlsSec *sec, MD5state md5, SHAstate sha1, uchar *fin, int nfin, int isclient) +{ + if(sec->nfin != nfin){ + sec->ok = -1; + werrstr("invalid finished exchange"); + return -1; + } + md5.malloced = 0; + sha1.malloced = 0; + (*sec->setFinished)(sec, md5, sha1, fin, isclient); + return 1; +} + +static void +tlsSecOk(TlsSec *sec) +{ + if(sec->ok == 0) + sec->ok = 1; +} + +static void +tlsSecKill(TlsSec *sec) +{ + if(!sec) + return; + factotum_rsa_close(sec->rpc); + sec->ok = -1; +} + +static void +tlsSecClose(TlsSec *sec) +{ + if(!sec) + return; + factotum_rsa_close(sec->rpc); + free(sec->server); + free(sec); +} + +static int +setVers(TlsSec *sec, int v) +{ + if(v == SSL3Version){ + sec->setFinished = sslSetFinished; + sec->nfin = SSL3FinishedLen; + sec->prf = sslPRF; + }else if(v == TLSVersion){ + sec->setFinished = tlsSetFinished; + sec->nfin = TLSFinishedLen; + sec->prf = tlsPRF; + }else{ + werrstr("invalid version"); + return -1; + } + sec->vers = v; + return 0; +} + +/* + * generate secret keys from the master secret. + * + * different crypto selections will require different amounts + * of key expansion and use of key expansion data, + * but it's all generated using the same function. + */ +static void +setSecrets(TlsSec *sec, uchar *kd, int nkd) +{ + (*sec->prf)(kd, nkd, sec->sec, MasterSecretSize, "key expansion", + sec->srandom, RandomSize, sec->crandom, RandomSize); +} + +/* + * set the master secret from the pre-master secret. + */ +static void +setMasterSecret(TlsSec *sec, Bytes *pm) +{ + (*sec->prf)(sec->sec, MasterSecretSize, pm->data, MasterSecretSize, "master secret", + sec->crandom, RandomSize, sec->srandom, RandomSize); +} + +static void +serverMasterSecret(TlsSec *sec, uchar *epm, int nepm) +{ + Bytes *pm; + + pm = pkcs1_decrypt(sec, epm, nepm); + + // if the client messed up, just continue as if everything is ok, + // to prevent attacks to check for correctly formatted messages. + // Hence the fprint(2,) can't be replaced by tlsError(), which sends an Alert msg to the client. + if(sec->ok < 0 || pm == nil || get16(pm->data) != sec->clientVers){ + fprint(2, "serverMasterSecret failed ok=%d pm=%p pmvers=%x cvers=%x nepm=%d\n", + sec->ok, pm, pm ? get16(pm->data) : -1, sec->clientVers, nepm); + sec->ok = -1; + if(pm != nil) + freebytes(pm); + pm = newbytes(MasterSecretSize); + genrandom(pm->data, MasterSecretSize); + } + setMasterSecret(sec, pm); + memset(pm->data, 0, pm->len); + freebytes(pm); +} + +static int +clientMasterSecret(TlsSec *sec, RSApub *pub, uchar **epm, int *nepm) +{ + Bytes *pm, *key; + + pm = newbytes(MasterSecretSize); + put16(pm->data, sec->clientVers); + genrandom(pm->data+2, MasterSecretSize - 2); + + setMasterSecret(sec, pm); + + key = pkcs1_encrypt(pm, pub, 2); + memset(pm->data, 0, pm->len); + freebytes(pm); + if(key == nil){ + werrstr("tls pkcs1_encrypt failed"); + return -1; + } + + *nepm = key->len; + *epm = malloc(*nepm); + if(*epm == nil){ + freebytes(key); + werrstr("out of memory"); + return -1; + } + memmove(*epm, key->data, *nepm); + + freebytes(key); + + return 1; +} + +static void +sslSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient) +{ + DigestState *s; + uchar h0[MD5dlen], h1[SHA1dlen], pad[48]; + char *label; + + if(isClient) + label = "CLNT"; + else + label = "SRVR"; + + md5((uchar*)label, 4, nil, &hsmd5); + md5(sec->sec, MasterSecretSize, nil, &hsmd5); + memset(pad, 0x36, 48); + md5(pad, 48, nil, &hsmd5); + md5(nil, 0, h0, &hsmd5); + memset(pad, 0x5C, 48); + s = md5(sec->sec, MasterSecretSize, nil, nil); + s = md5(pad, 48, nil, s); + md5(h0, MD5dlen, finished, s); + + sha1((uchar*)label, 4, nil, &hssha1); + sha1(sec->sec, MasterSecretSize, nil, &hssha1); + memset(pad, 0x36, 40); + sha1(pad, 40, nil, &hssha1); + sha1(nil, 0, h1, &hssha1); + memset(pad, 0x5C, 40); + s = sha1(sec->sec, MasterSecretSize, nil, nil); + s = sha1(pad, 40, nil, s); + sha1(h1, SHA1dlen, finished + MD5dlen, s); +} + +// fill "finished" arg with md5(args)^sha1(args) +static void +tlsSetFinished(TlsSec *sec, MD5state hsmd5, SHAstate hssha1, uchar *finished, int isClient) +{ + uchar h0[MD5dlen], h1[SHA1dlen]; + char *label; + + // get current hash value, but allow further messages to be hashed in + md5(nil, 0, h0, &hsmd5); + sha1(nil, 0, h1, &hssha1); + + if(isClient) + label = "client finished"; + else + label = "server finished"; + tlsPRF(finished, TLSFinishedLen, sec->sec, MasterSecretSize, label, h0, MD5dlen, h1, SHA1dlen); +} + +static void +sslPRF(uchar *buf, int nbuf, uchar *key, int nkey, char *label, uchar *seed0, int nseed0, uchar *seed1, int nseed1) +{ + DigestState *s; + uchar sha1dig[SHA1dlen], md5dig[MD5dlen], tmp[26]; + int i, n, len; + + USED(label); + len = 1; + while(nbuf > 0){ + if(len > 26) + return; + for(i = 0; i < len; i++) + tmp[i] = 'A' - 1 + len; + s = sha1(tmp, len, nil, nil); + s = sha1(key, nkey, nil, s); + s = sha1(seed0, nseed0, nil, s); + sha1(seed1, nseed1, sha1dig, s); + s = md5(key, nkey, nil, nil); + md5(sha1dig, SHA1dlen, md5dig, s); + n = MD5dlen; + if(n > nbuf) + n = nbuf; + memmove(buf, md5dig, n); + buf += n; + nbuf -= n; + len++; + } +} + +static mpint* +bytestomp(Bytes* bytes) +{ + mpint* ans; + + ans = betomp(bytes->data, bytes->len, nil); + return ans; +} + +/* + * Convert mpint* to Bytes, putting high order byte first. + */ +static Bytes* +mptobytes(mpint* big) +{ + int n, m; + uchar *a; + Bytes* ans; + + a = nil; + n = (mpsignif(big)+7)/8; + m = mptobe(big, nil, n, &a); + ans = makebytes(a, m); + if(a != nil) + free(a); + return ans; +} + +// Do RSA computation on block according to key, and pad +// result on left with zeros to make it modlen long. +static Bytes* +rsacomp(Bytes* block, RSApub* key, int modlen) +{ + mpint *x, *y; + Bytes *a, *ybytes; + int ylen; + + x = bytestomp(block); + y = rsaencrypt(key, x, nil); + mpfree(x); + ybytes = mptobytes(y); + ylen = ybytes->len; + + if(ylen < modlen) { + a = newbytes(modlen); + memset(a->data, 0, modlen-ylen); + memmove(a->data+modlen-ylen, ybytes->data, ylen); + freebytes(ybytes); + ybytes = a; + } + else if(ylen > modlen) { + // assume it has leading zeros (mod should make it so) + a = newbytes(modlen); + memmove(a->data, ybytes->data, modlen); + freebytes(ybytes); + ybytes = a; + } + mpfree(y); + return ybytes; +} + +// encrypt data according to PKCS#1, /lib/rfc/rfc2437 9.1.2.1 +static Bytes* +pkcs1_encrypt(Bytes* data, RSApub* key, int blocktype) +{ + Bytes *pad, *eb, *ans; + int i, dlen, padlen, modlen; + + modlen = (mpsignif(key->n)+7)/8; + dlen = data->len; + if(modlen < 12 || dlen > modlen - 11) + return nil; + padlen = modlen - 3 - dlen; + pad = newbytes(padlen); + genrandom(pad->data, padlen); + for(i = 0; i < padlen; i++) { + if(blocktype == 0) + pad->data[i] = 0; + else if(blocktype == 1) + pad->data[i] = 255; + else if(pad->data[i] == 0) + pad->data[i] = 1; + } + eb = newbytes(modlen); + eb->data[0] = 0; + eb->data[1] = blocktype; + memmove(eb->data+2, pad->data, padlen); + eb->data[padlen+2] = 0; + memmove(eb->data+padlen+3, data->data, dlen); + ans = rsacomp(eb, key, modlen); + freebytes(eb); + freebytes(pad); + return ans; +} + +// decrypt data according to PKCS#1, with given key. +// expect a block type of 2. +static Bytes* +pkcs1_decrypt(TlsSec *sec, uchar *epm, int nepm) +{ + Bytes *eb, *ans = nil; + int i, modlen; + mpint *x, *y; + + modlen = (mpsignif(sec->rsapub->n)+7)/8; + if(nepm != modlen) + return nil; + x = betomp(epm, nepm, nil); + y = factotum_rsa_decrypt(sec->rpc, x); + if(y == nil) + return nil; + eb = mptobytes(y); + if(eb->len < modlen){ // pad on left with zeros + ans = newbytes(modlen); + memset(ans->data, 0, modlen-eb->len); + memmove(ans->data+modlen-eb->len, eb->data, eb->len); + freebytes(eb); + eb = ans; + } + if(eb->data[0] == 0 && eb->data[1] == 2) { + for(i = 2; i < modlen; i++) + if(eb->data[i] == 0) + break; + if(i < modlen - 1) + ans = makebytes(eb->data+i+1, modlen-(i+1)); + } + freebytes(eb); + return ans; +} + + +//================= general utility functions ======================== + +static void * +emalloc(int n) +{ + void *p; + if(n==0) + n=1; + p = malloc(n); + if(p == nil){ + exits("out of memory"); + } + memset(p, 0, n); + return p; +} + +static void * +erealloc(void *ReallocP, int ReallocN) +{ + if(ReallocN == 0) + ReallocN = 1; + if(!ReallocP) + ReallocP = emalloc(ReallocN); + else if(!(ReallocP = realloc(ReallocP, ReallocN))){ + exits("out of memory"); + } + return(ReallocP); +} + +static void +put32(uchar *p, u32int x) +{ + p[0] = x>>24; + p[1] = x>>16; + p[2] = x>>8; + p[3] = x; +} + +static void +put24(uchar *p, int x) +{ + p[0] = x>>16; + p[1] = x>>8; + p[2] = x; +} + +static void +put16(uchar *p, int x) +{ + p[0] = x>>8; + p[1] = x; +} + +static u32int +get32(uchar *p) +{ + return (p[0]<<24)|(p[1]<<16)|(p[2]<<8)|p[3]; +} + +static int +get24(uchar *p) +{ + return (p[0]<<16)|(p[1]<<8)|p[2]; +} + +static int +get16(uchar *p) +{ + return (p[0]<<8)|p[1]; +} + +#define OFFSET(x, s) offsetof(s, x) + +/* + * malloc and return a new Bytes structure capable of + * holding len bytes. (len >= 0) + * Used to use crypt_malloc, which aborts if malloc fails. + */ +static Bytes* +newbytes(int len) +{ + Bytes* ans; + + ans = (Bytes*)malloc(OFFSET(data[0], Bytes) + len); + ans->len = len; + return ans; +} + +/* + * newbytes(len), with data initialized from buf + */ +static Bytes* +makebytes(uchar* buf, int len) +{ + Bytes* ans; + + ans = newbytes(len); + memmove(ans->data, buf, len); + return ans; +} + +static void +freebytes(Bytes* b) +{ + if(b != nil) + free(b); +} + +/* len is number of ints */ +static Ints* +newints(int len) +{ + Ints* ans; + + ans = (Ints*)malloc(OFFSET(data[0], Ints) + len*sizeof(int)); + ans->len = len; + return ans; +} + +static Ints* +makeints(int* buf, int len) +{ + Ints* ans; + + ans = newints(len); + if(len > 0) + memmove(ans->data, buf, len*sizeof(int)); + return ans; +} + +static void +freeints(Ints* b) +{ + if(b != nil) + free(b); +} diff --git a/sys/src/libsec/port/x509.c b/sys/src/libsec/port/x509.c new file mode 100755 index 000000000..9888015ff --- /dev/null +++ b/sys/src/libsec/port/x509.c @@ -0,0 +1,2640 @@ +#include <u.h> +#include <libc.h> +#include <mp.h> +#include <libsec.h> + +typedef DigestState*(*DigestFun)(uchar*,ulong,uchar*,DigestState*); + +/* ANSI offsetof, backwards. */ +#define OFFSETOF(a, b) offsetof(b, a) + +/*=============================================================*/ +/* general ASN1 declarations and parsing + * + * For now, this is used only for extracting the key from an + * X509 certificate, so the entire collection is hidden. But + * someday we should probably make the functions visible and + * give them their own man page. + */ +typedef struct Elem Elem; +typedef struct Tag Tag; +typedef struct Value Value; +typedef struct Bytes Bytes; +typedef struct Ints Ints; +typedef struct Bits Bits; +typedef struct Elist Elist; + +/* tag classes */ +#define Universal 0 +#define Context 0x80 + +/* universal tags */ +#define BOOLEAN 1 +#define INTEGER 2 +#define BIT_STRING 3 +#define OCTET_STRING 4 +#define NULLTAG 5 +#define OBJECT_ID 6 +#define ObjectDescriptor 7 +#define EXTERNAL 8 +#define REAL 9 +#define ENUMERATED 10 +#define EMBEDDED_PDV 11 +#define UTF8String 12 +#define SEQUENCE 16 /* also SEQUENCE OF */ +#define SETOF 17 /* also SETOF OF */ +#define NumericString 18 +#define PrintableString 19 +#define TeletexString 20 +#define VideotexString 21 +#define IA5String 22 +#define UTCTime 23 +#define GeneralizedTime 24 +#define GraphicString 25 +#define VisibleString 26 +#define GeneralString 27 +#define UniversalString 28 +#define BMPString 30 + +struct Bytes { + int len; + uchar data[1]; +}; + +struct Ints { + int len; + int data[1]; +}; + +struct Bits { + int len; /* number of bytes */ + int unusedbits; /* unused bits in last byte */ + uchar data[1]; /* most-significant bit first */ +}; + +struct Tag { + int class; + int num; +}; + +enum { VBool, VInt, VOctets, VBigInt, VReal, VOther, + VBitString, VNull, VEOC, VObjId, VString, VSeq, VSet }; +struct Value { + int tag; /* VBool, etc. */ + union { + int boolval; + int intval; + Bytes* octetsval; + Bytes* bigintval; + Bytes* realval; /* undecoded; hardly ever used */ + Bytes* otherval; + Bits* bitstringval; + Ints* objidval; + char* stringval; + Elist* seqval; + Elist* setval; + } u; /* (Don't use anonymous unions, for ease of porting) */ +}; + +struct Elem { + Tag tag; + Value val; +}; + +struct Elist { + Elist* tl; + Elem hd; +}; + +/* decoding errors */ +enum { ASN_OK, ASN_ESHORT, ASN_ETOOBIG, ASN_EVALLEN, + ASN_ECONSTR, ASN_EPRIM, ASN_EINVAL, ASN_EUNIMPL }; + + +/* here are the functions to consider making extern someday */ +static Bytes* newbytes(int len); +static Bytes* makebytes(uchar* buf, int len); +static void freebytes(Bytes* b); +static Bytes* catbytes(Bytes* b1, Bytes* b2); +static Ints* newints(int len); +static Ints* makeints(int* buf, int len); +static void freeints(Ints* b); +static Bits* newbits(int len); +static Bits* makebits(uchar* buf, int len, int unusedbits); +static void freebits(Bits* b); +static Elist* mkel(Elem e, Elist* tail); +static void freeelist(Elist* el); +static int elistlen(Elist* el); +static int is_seq(Elem* pe, Elist** pseq); +static int is_set(Elem* pe, Elist** pset); +static int is_int(Elem* pe, int* pint); +static int is_bigint(Elem* pe, Bytes** pbigint); +static int is_bitstring(Elem* pe, Bits** pbits); +static int is_octetstring(Elem* pe, Bytes** poctets); +static int is_oid(Elem* pe, Ints** poid); +static int is_string(Elem* pe, char** pstring); +static int is_time(Elem* pe, char** ptime); +static int decode(uchar* a, int alen, Elem* pelem); +static int decode_seq(uchar* a, int alen, Elist** pelist); +static int decode_value(uchar* a, int alen, int kind, int isconstr, Value* pval); +static int encode(Elem e, Bytes** pbytes); +static int oid_lookup(Ints* o, Ints** tab); +static void freevalfields(Value* v); +static mpint *asn1mpint(Elem *e); + + + +#define TAG_MASK 0x1F +#define CONSTR_MASK 0x20 +#define CLASS_MASK 0xC0 +#define MAXOBJIDLEN 20 + +static int ber_decode(uchar** pp, uchar* pend, Elem* pelem); +static int tag_decode(uchar** pp, uchar* pend, Tag* ptag, int* pisconstr); +static int length_decode(uchar** pp, uchar* pend, int* plength); +static int value_decode(uchar** pp, uchar* pend, int length, int kind, int isconstr, Value* pval); +static int int_decode(uchar** pp, uchar* pend, int count, int unsgned, int* pint); +static int uint7_decode(uchar** pp, uchar* pend, int* pint); +static int octet_decode(uchar** pp, uchar* pend, int length, int isconstr, Bytes** pbytes); +static int seq_decode(uchar** pp, uchar* pend, int length, int isconstr, Elist** pelist); +static int enc(uchar** pp, Elem e, int lenonly); +static int val_enc(uchar** pp, Elem e, int *pconstr, int lenonly); +static void uint7_enc(uchar** pp, int num, int lenonly); +static void int_enc(uchar** pp, int num, int unsgned, int lenonly); + +static void * +emalloc(int n) +{ + void *p; + if(n==0) + n=1; + p = malloc(n); + if(p == nil){ + exits("out of memory"); + } + memset(p, 0, n); + setmalloctag(p, getcallerpc(&n)); + return p; +} + +static char* +estrdup(char *s) +{ + char *d, *d0; + + if(!s) + return 0; + d = d0 = emalloc(strlen(s)+1); + while(*d++ = *s++) + ; + return d0; +} + + +/* + * Decode a[0..len] as a BER encoding of an ASN1 type. + * The return value is one of ASN_OK, etc. + * Depending on the error, the returned elem may or may not + * be nil. + */ +static int +decode(uchar* a, int alen, Elem* pelem) +{ + uchar* p = a; + + return ber_decode(&p, &a[alen], pelem); +} + +/* + * Like decode, but continue decoding after first element + * of array ends. + */ +static int +decode_seq(uchar* a, int alen, Elist** pelist) +{ + uchar* p = a; + + return seq_decode(&p, &a[alen], -1, 1, pelist); +} + +/* + * Decode the whole array as a BER encoding of an ASN1 value, + * (i.e., the part after the tag and length). + * Assume the value is encoded as universal tag "kind". + * The constr arg is 1 if the value is constructed, 0 if primitive. + * If there's an error, the return string will contain the error. + * Depending on the error, the returned value may or may not + * be nil. + */ +static int +decode_value(uchar* a, int alen, int kind, int isconstr, Value* pval) +{ + uchar* p = a; + + return value_decode(&p, &a[alen], alen, kind, isconstr, pval); +} + +/* + * All of the following decoding routines take arguments: + * uchar **pp; + * uchar *pend; + * Where parsing is supposed to start at **pp, and when parsing + * is done, *pp is updated to point at next char to be parsed. + * The pend pointer is just past end of string; an error should + * be returned parsing hasn't finished by then. + * + * The returned int is ASN_OK if all went fine, else ASN_ESHORT, etc. + * The remaining argument(s) are pointers to where parsed entity goes. + */ + +/* Decode an ASN1 'Elem' (tag, length, value) */ +static int +ber_decode(uchar** pp, uchar* pend, Elem* pelem) +{ + int err; + int isconstr; + int length; + Tag tag; + Value val; + + err = tag_decode(pp, pend, &tag, &isconstr); + if(err == ASN_OK) { + err = length_decode(pp, pend, &length); + if(err == ASN_OK) { + if(tag.class == Universal) { + err = value_decode(pp, pend, length, tag.num, isconstr, &val); + if(val.tag == VSeq || val.tag == VSet) + setmalloctag(val.u.seqval, getcallerpc(&pp)); + }else + err = value_decode(pp, pend, length, OCTET_STRING, 0, &val); + if(err == ASN_OK) { + pelem->tag = tag; + pelem->val = val; + } + } + } + return err; +} + +/* Decode a tag field */ +static int +tag_decode(uchar** pp, uchar* pend, Tag* ptag, int* pisconstr) +{ + int err; + int v; + uchar* p; + + err = ASN_OK; + p = *pp; + if(pend-p >= 2) { + v = *p++; + ptag->class = v&CLASS_MASK; + if(v&CONSTR_MASK) + *pisconstr = 1; + else + *pisconstr = 0; + v &= TAG_MASK; + if(v == TAG_MASK) + err = uint7_decode(&p, pend, &v); + ptag->num = v; + } + else + err = ASN_ESHORT; + *pp = p; + return err; +} + +/* Decode a length field */ +static int +length_decode(uchar** pp, uchar* pend, int* plength) +{ + int err; + int num; + int v; + uchar* p; + + err = ASN_OK; + num = 0; + p = *pp; + if(p < pend) { + v = *p++; + if(v&0x80) + err = int_decode(&p, pend, v&0x7F, 1, &num); + else + num = v; + } + else + err = ASN_ESHORT; + *pp = p; + *plength = num; + return err; +} + +/* Decode a value field */ +static int +value_decode(uchar** pp, uchar* pend, int length, int kind, int isconstr, Value* pval) +{ + int err; + Bytes* va; + int num; + int bitsunused; + int subids[MAXOBJIDLEN]; + int isubid; + Elist* vl; + uchar* p; + uchar* pe; + + err = ASN_OK; + p = *pp; + if(length == -1) { /* "indefinite" length spec */ + if(!isconstr) + err = ASN_EINVAL; + } + else if(p + length > pend) + err = ASN_EVALLEN; + if(err != ASN_OK) + return err; + + switch(kind) { + case 0: + /* marker for end of indefinite constructions */ + if(length == 0) + pval->tag = VNull; + else + err = ASN_EINVAL; + break; + + case BOOLEAN: + if(isconstr) + err = ASN_ECONSTR; + else if(length != 1) + err = ASN_EVALLEN; + else { + pval->tag = VBool; + pval->u.boolval = (*p++ != 0); + } + break; + + case INTEGER: + case ENUMERATED: + if(isconstr) + err = ASN_ECONSTR; + else if(length <= 4) { + err = int_decode(&p, pend, length, 0, &num); + if(err == ASN_OK) { + pval->tag = VInt; + pval->u.intval = num; + } + } + else { + pval->tag = VBigInt; + pval->u.bigintval = makebytes(p, length); + p += length; + } + break; + + case BIT_STRING: + pval->tag = VBitString; + if(isconstr) { + if(length == -1 && p + 2 <= pend && *p == 0 && *(p+1) ==0) { + pval->u.bitstringval = makebits(0, 0, 0); + p += 2; + } + else + /* TODO: recurse and concat results */ + err = ASN_EUNIMPL; + } + else { + if(length < 2) { + if(length == 1 && *p == 0) { + pval->u.bitstringval = makebits(0, 0, 0); + p++; + } + else + err = ASN_EINVAL; + } + else { + bitsunused = *p; + if(bitsunused > 7) + err = ASN_EINVAL; + else if(length > 0x0FFFFFFF) + err = ASN_ETOOBIG; + else { + pval->u.bitstringval = makebits(p+1, length-1, bitsunused); + p += length; + } + } + } + break; + + case OCTET_STRING: + case ObjectDescriptor: + err = octet_decode(&p, pend, length, isconstr, &va); + if(err == ASN_OK) { + pval->tag = VOctets; + pval->u.octetsval = va; + } + break; + + case NULLTAG: + if(isconstr) + err = ASN_ECONSTR; + else if(length != 0) + err = ASN_EVALLEN; + else + pval->tag = VNull; + break; + + case OBJECT_ID: + if(isconstr) + err = ASN_ECONSTR; + else if(length == 0) + err = ASN_EVALLEN; + else { + isubid = 0; + pe = p+length; + while(p < pe && isubid < MAXOBJIDLEN) { + err = uint7_decode(&p, pend, &num); + if(err != ASN_OK) + break; + if(isubid == 0) { + subids[isubid++] = num / 40; + subids[isubid++] = num % 40; + } + else + subids[isubid++] = num; + } + if(err == ASN_OK) { + if(p != pe) + err = ASN_EVALLEN; + else { + pval->tag = VObjId; + pval->u.objidval = makeints(subids, isubid); + } + } + } + break; + + case EXTERNAL: + case EMBEDDED_PDV: + /* TODO: parse this internally */ + if(p+length > pend) + err = ASN_EVALLEN; + else { + pval->tag = VOther; + pval->u.otherval = makebytes(p, length); + p += length; + } + break; + + case REAL: + /* Let the application decode */ + if(isconstr) + err = ASN_ECONSTR; + else if(p+length > pend) + err = ASN_EVALLEN; + else { + pval->tag = VReal; + pval->u.realval = makebytes(p, length); + p += length; + } + break; + + case SEQUENCE: + err = seq_decode(&p, pend, length, isconstr, &vl); + setmalloctag(vl, getcallerpc(&pp)); + if(err == ASN_OK) { + pval->tag = VSeq ; + pval->u.seqval = vl; + } + break; + + case SETOF: + err = seq_decode(&p, pend, length, isconstr, &vl); + setmalloctag(vl, getcallerpc(&pp)); + if(err == ASN_OK) { + pval->tag = VSet; + pval->u.setval = vl; + } + break; + case UTF8String: + case NumericString: + case PrintableString: + case TeletexString: + case VideotexString: + case IA5String: + case UTCTime: + case GeneralizedTime: + case GraphicString: + case VisibleString: + case GeneralString: + case UniversalString: + case BMPString: + /* TODO: figure out when character set conversion is necessary */ + err = octet_decode(&p, pend, length, isconstr, &va); + if(err == ASN_OK) { + pval->tag = VString; + pval->u.stringval = (char*)emalloc(va->len+1); + memmove(pval->u.stringval, va->data, va->len); + pval->u.stringval[va->len] = 0; + free(va); + } + break; + + default: + if(p+length > pend) + err = ASN_EVALLEN; + else { + pval->tag = VOther; + pval->u.otherval = makebytes(p, length); + p += length; + } + break; + } + *pp = p; + return err; +} + +/* + * Decode an int in format where count bytes are + * concatenated to form value. + * Although ASN1 allows any size integer, we return + * an error if the result doesn't fit in a 32-bit int. + * If unsgned is not set, make sure to propagate sign bit. + */ +static int +int_decode(uchar** pp, uchar* pend, int count, int unsgned, int* pint) +{ + int err; + int num; + uchar* p; + + p = *pp; + err = ASN_OK; + num = 0; + if(p+count <= pend) { + if((count > 4) || (unsgned && count == 4 && (*p&0x80))) + err = ASN_ETOOBIG; + else { + if(!unsgned && count > 0 && count < 4 && (*p&0x80)) + num = -1; /* set all bits, initially */ + while(count--) + num = (num << 8)|(*p++); + } + } + else + err = ASN_ESHORT; + *pint = num; + *pp = p; + return err; +} + +/* + * Decode an unsigned int in format where each + * byte except last has high bit set, and remaining + * seven bits of each byte are concatenated to form value. + * Although ASN1 allows any size integer, we return + * an error if the result doesn't fit in a 32 bit int. + */ +static int +uint7_decode(uchar** pp, uchar* pend, int* pint) +{ + int err; + int num; + int more; + int v; + uchar* p; + + p = *pp; + err = ASN_OK; + num = 0; + more = 1; + while(more && p < pend) { + v = *p++; + if(num&0x7F000000) { + err = ASN_ETOOBIG; + break; + } + num <<= 7; + more = v&0x80; + num |= (v&0x7F); + } + if(p == pend) + err = ASN_ESHORT; + *pint = num; + *pp = p; + return err; +} + +/* + * Decode an octet string, recursively if isconstr. + * We've already checked that length==-1 implies isconstr==1, + * and otherwise that specified length fits within (*pp..pend) + */ +static int +octet_decode(uchar** pp, uchar* pend, int length, int isconstr, Bytes** pbytes) +{ + int err; + uchar* p; + Bytes* ans; + Bytes* newans; + uchar* pstart; + uchar* pold; + Elem elem; + + err = ASN_OK; + p = *pp; + ans = nil; + if(length >= 0 && !isconstr) { + ans = makebytes(p, length); + p += length; + } + else { + /* constructed, either definite or indefinite length */ + pstart = p; + for(;;) { + if(length >= 0 && p >= pstart + length) { + if(p != pstart + length) + err = ASN_EVALLEN; + break; + } + pold = p; + err = ber_decode(&p, pend, &elem); + if(err != ASN_OK) + break; + switch(elem.val.tag) { + case VOctets: + newans = catbytes(ans, elem.val.u.octetsval); + freebytes(ans); + ans = newans; + break; + + case VEOC: + if(length != -1) { + p = pold; + err = ASN_EINVAL; + } + goto cloop_done; + + default: + p = pold; + err = ASN_EINVAL; + goto cloop_done; + } + } +cloop_done: + ; + } + *pp = p; + *pbytes = ans; + return err; +} + +/* + * Decode a sequence or set. + * We've already checked that length==-1 implies isconstr==1, + * and otherwise that specified length fits within (*p..pend) + */ +static int +seq_decode(uchar** pp, uchar* pend, int length, int isconstr, Elist** pelist) +{ + int err; + uchar* p; + uchar* pstart; + uchar* pold; + Elist* ans; + Elem elem; + Elist* lve; + Elist* lveold; + + err = ASN_OK; + ans = nil; + p = *pp; + if(!isconstr) + err = ASN_EPRIM; + else { + /* constructed, either definite or indefinite length */ + lve = nil; + pstart = p; + for(;;) { + if(length >= 0 && p >= pstart + length) { + if(p != pstart + length) + err = ASN_EVALLEN; + break; + } + pold = p; + err = ber_decode(&p, pend, &elem); + if(err != ASN_OK) + break; + if(elem.val.tag == VEOC) { + if(length != -1) { + p = pold; + err = ASN_EINVAL; + } + break; + } + else + lve = mkel(elem, lve); + } + if(err == ASN_OK) { + /* reverse back to original order */ + while(lve != nil) { + lveold = lve; + lve = lve->tl; + lveold->tl = ans; + ans = lveold; + } + } + } + *pp = p; + *pelist = ans; + setmalloctag(ans, getcallerpc(&pp)); + return err; +} + +/* + * Encode e by BER rules, putting answer in *pbytes. + * This is done by first calling enc with lenonly==1 + * to get the length of the needed buffer, + * then allocating the buffer and using enc again to fill it up. + */ +static int +encode(Elem e, Bytes** pbytes) +{ + uchar* p; + Bytes* ans; + int err; + uchar uc; + + p = &uc; + err = enc(&p, e, 1); + if(err == ASN_OK) { + ans = newbytes(p-&uc); + p = ans->data; + err = enc(&p, e, 0); + *pbytes = ans; + } + return err; +} + +/* + * The various enc functions take a pointer to a pointer + * into a buffer, and encode their entity starting there, + * updating the pointer afterwards. + * If lenonly is 1, only the pointer update is done, + * allowing enc to be called first to calculate the needed + * buffer length. + * If lenonly is 0, it is assumed that the answer will fit. + */ + +static int +enc(uchar** pp, Elem e, int lenonly) +{ + int err; + int vlen; + int constr; + Tag tag; + int v; + int ilen; + uchar* p; + uchar* psave; + + p = *pp; + err = val_enc(&p, e, &constr, 1); + if(err != ASN_OK) + return err; + vlen = p - *pp; + p = *pp; + tag = e.tag; + v = tag.class|constr; + if(tag.num < 31) { + if(!lenonly) + *p = (v|tag.num); + p++; + } + else { + if(!lenonly) + *p = (v|31); + p++; + if(tag.num < 0) + return ASN_EINVAL; + uint7_enc(&p, tag.num, lenonly); + } + if(vlen < 0x80) { + if(!lenonly) + *p = vlen; + p++; + } + else { + psave = p; + int_enc(&p, vlen, 1, 1); + ilen = p-psave; + p = psave; + if(!lenonly) { + *p++ = (0x80 | ilen); + int_enc(&p, vlen, 1, 0); + } + else + p += 1 + ilen; + } + if(!lenonly) + val_enc(&p, e, &constr, 0); + else + p += vlen; + *pp = p; + return err; +} + +static int +val_enc(uchar** pp, Elem e, int *pconstr, int lenonly) +{ + int err; + uchar* p; + int kind; + int cl; + int v; + Bytes* bb = nil; + Bits* bits; + Ints* oid; + int k; + Elist* el; + char* s; + + p = *pp; + err = ASN_OK; + kind = e.tag.num; + cl = e.tag.class; + *pconstr = 0; + if(cl != Universal) { + switch(e.val.tag) { + case VBool: + kind = BOOLEAN; + break; + case VInt: + kind = INTEGER; + break; + case VBigInt: + kind = INTEGER; + break; + case VOctets: + kind = OCTET_STRING; + break; + case VReal: + kind = REAL; + break; + case VOther: + kind = OCTET_STRING; + break; + case VBitString: + kind = BIT_STRING; + break; + case VNull: + kind = NULLTAG; + break; + case VObjId: + kind = OBJECT_ID; + break; + case VString: + kind = UniversalString; + break; + case VSeq: + kind = SEQUENCE; + break; + case VSet: + kind = SETOF; + break; + } + } + switch(kind) { + case BOOLEAN: + if(is_int(&e, &v)) { + if(v != 0) + v = 255; + int_enc(&p, v, 1, lenonly); + } + else + err = ASN_EINVAL; + break; + + case INTEGER: + case ENUMERATED: + if(is_int(&e, &v)) + int_enc(&p, v, 0, lenonly); + else { + if(is_bigint(&e, &bb)) { + if(!lenonly) + memmove(p, bb->data, bb->len); + p += bb->len; + } + else + err = ASN_EINVAL; + } + break; + + case BIT_STRING: + if(is_bitstring(&e, &bits)) { + if(bits->len == 0) { + if(!lenonly) + *p = 0; + p++; + } + else { + v = bits->unusedbits; + if(v < 0 || v > 7) + err = ASN_EINVAL; + else { + if(!lenonly) { + *p = v; + memmove(p+1, bits->data, bits->len); + } + p += 1 + bits->len; + } + } + } + else + err = ASN_EINVAL; + break; + + case OCTET_STRING: + case ObjectDescriptor: + case EXTERNAL: + case REAL: + case EMBEDDED_PDV: + bb = nil; + switch(e.val.tag) { + case VOctets: + bb = e.val.u.octetsval; + break; + case VReal: + bb = e.val.u.realval; + break; + case VOther: + bb = e.val.u.otherval; + break; + } + if(bb != nil) { + if(!lenonly) + memmove(p, bb->data, bb->len); + p += bb->len; + } + else + err = ASN_EINVAL; + break; + + case NULLTAG: + break; + + case OBJECT_ID: + if(is_oid(&e, &oid)) { + for(k = 0; k < oid->len; k++) { + v = oid->data[k]; + if(k == 0) { + v *= 40; + if(oid->len > 1) + v += oid->data[++k]; + } + uint7_enc(&p, v, lenonly); + } + } + else + err = ASN_EINVAL; + break; + + case SEQUENCE: + case SETOF: + el = nil; + if(e.val.tag == VSeq) + el = e.val.u.seqval; + else if(e.val.tag == VSet) + el = e.val.u.setval; + else + err = ASN_EINVAL; + if(el != nil) { + *pconstr = CONSTR_MASK; + for(; el != nil; el = el->tl) { + err = enc(&p, el->hd, lenonly); + if(err != ASN_OK) + break; + } + } + break; + + case UTF8String: + case NumericString: + case PrintableString: + case TeletexString: + case VideotexString: + case IA5String: + case UTCTime: + case GeneralizedTime: + case GraphicString: + case VisibleString: + case GeneralString: + case UniversalString: + case BMPString: + if(e.val.tag == VString) { + s = e.val.u.stringval; + if(s != nil) { + v = strlen(s); + if(!lenonly) + memmove(p, s, v); + p += v; + } + } + else + err = ASN_EINVAL; + break; + + default: + err = ASN_EINVAL; + } + *pp = p; + return err; +} + +/* + * Encode num as unsigned 7 bit values with top bit 1 on all bytes + * except last, only putting in bytes if !lenonly. + */ +static void +uint7_enc(uchar** pp, int num, int lenonly) +{ + int n; + int v; + int k; + uchar* p; + + p = *pp; + n = 1; + v = num >> 7; + while(v > 0) { + v >>= 7; + n++; + } + if(lenonly) + p += n; + else { + for(k = (n - 1)*7; k > 0; k -= 7) + *p++= ((num >> k)|0x80); + *p++ = (num&0x7F); + } + *pp = p; +} + +/* + * Encode num as unsigned or signed integer, + * only putting in bytes if !lenonly. + * Encoding is length followed by bytes to concatenate. + */ +static void +int_enc(uchar** pp, int num, int unsgned, int lenonly) +{ + int v; + int n; + int prevv; + int k; + uchar* p; + + p = *pp; + v = num; + if(v < 0) + v = -(v + 1); + n = 1; + prevv = v; + v >>= 8; + while(v > 0) { + prevv = v; + v >>= 8; + n++; + } + if(!unsgned && (prevv&0x80)) + n++; + if(lenonly) + p += n; + else { + for(k = (n - 1)*8; k >= 0; k -= 8) + *p++ = (num >> k); + } + *pp = p; +} + +static int +ints_eq(Ints* a, Ints* b) +{ + int alen; + int i; + + alen = a->len; + if(alen != b->len) + return 0; + for(i = 0; i < alen; i++) + if(a->data[i] != b->data[i]) + return 0; + return 1; +} + +/* + * Look up o in tab (which must have nil entry to terminate). + * Return index of matching entry, or -1 if none. + */ +static int +oid_lookup(Ints* o, Ints** tab) +{ + int i; + + for(i = 0; tab[i] != nil; i++) + if(ints_eq(o, tab[i])) + return i; + return -1; +} + +/* + * Return true if *pe is a SEQUENCE, and set *pseq to + * the value of the sequence if so. + */ +static int +is_seq(Elem* pe, Elist** pseq) +{ + if(pe->tag.class == Universal && pe->tag.num == SEQUENCE && pe->val.tag == VSeq) { + *pseq = pe->val.u.seqval; + return 1; + } + return 0; +} + +static int +is_set(Elem* pe, Elist** pset) +{ + if(pe->tag.class == Universal && pe->tag.num == SETOF && pe->val.tag == VSet) { + *pset = pe->val.u.setval; + return 1; + } + return 0; +} + +static int +is_int(Elem* pe, int* pint) +{ + if(pe->tag.class == Universal) { + if(pe->tag.num == INTEGER && pe->val.tag == VInt) { + *pint = pe->val.u.intval; + return 1; + } + else if(pe->tag.num == BOOLEAN && pe->val.tag == VBool) { + *pint = pe->val.u.boolval; + return 1; + } + } + return 0; +} + +/* + * for convience, all VInt's are readable via this routine, + * as well as all VBigInt's + */ +static int +is_bigint(Elem* pe, Bytes** pbigint) +{ + int v, n, i; + + if(pe->tag.class == Universal && pe->tag.num == INTEGER) { + if(pe->val.tag == VBigInt) + *pbigint = pe->val.u.bigintval; + else if(pe->val.tag == VInt){ + v = pe->val.u.intval; + for(n = 1; n < 4; n++) + if((1 << (8 * n)) > v) + break; + *pbigint = newbytes(n); + for(i = 0; i < n; i++) + (*pbigint)->data[i] = (v >> ((n - 1 - i) * 8)); + }else + return 0; + return 1; + } + return 0; +} + +static int +is_bitstring(Elem* pe, Bits** pbits) +{ + if(pe->tag.class == Universal && pe->tag.num == BIT_STRING && pe->val.tag == VBitString) { + *pbits = pe->val.u.bitstringval; + return 1; + } + return 0; +} + +static int +is_octetstring(Elem* pe, Bytes** poctets) +{ + if(pe->tag.class == Universal && pe->tag.num == OCTET_STRING && pe->val.tag == VOctets) { + *poctets = pe->val.u.octetsval; + return 1; + } + return 0; +} + +static int +is_oid(Elem* pe, Ints** poid) +{ + if(pe->tag.class == Universal && pe->tag.num == OBJECT_ID && pe->val.tag == VObjId) { + *poid = pe->val.u.objidval; + return 1; + } + return 0; +} + +static int +is_string(Elem* pe, char** pstring) +{ + if(pe->tag.class == Universal) { + switch(pe->tag.num) { + case UTF8String: + case NumericString: + case PrintableString: + case TeletexString: + case VideotexString: + case IA5String: + case GraphicString: + case VisibleString: + case GeneralString: + case UniversalString: + case BMPString: + if(pe->val.tag == VString) { + *pstring = pe->val.u.stringval; + return 1; + } + } + } + return 0; +} + +static int +is_time(Elem* pe, char** ptime) +{ + if(pe->tag.class == Universal + && (pe->tag.num == UTCTime || pe->tag.num == GeneralizedTime) + && pe->val.tag == VString) { + *ptime = pe->val.u.stringval; + return 1; + } + return 0; +} + + +/* + * malloc and return a new Bytes structure capable of + * holding len bytes. (len >= 0) + */ +static Bytes* +newbytes(int len) +{ + Bytes* ans; + + ans = (Bytes*)emalloc(OFFSETOF(data[0], Bytes) + len); + ans->len = len; + return ans; +} + +/* + * newbytes(len), with data initialized from buf + */ +static Bytes* +makebytes(uchar* buf, int len) +{ + Bytes* ans; + + ans = newbytes(len); + memmove(ans->data, buf, len); + return ans; +} + +static void +freebytes(Bytes* b) +{ + if(b != nil) + free(b); +} + +/* + * Make a new Bytes, containing bytes of b1 followed by those of b2. + * Either b1 or b2 or both can be nil. + */ +static Bytes* +catbytes(Bytes* b1, Bytes* b2) +{ + Bytes* ans; + int n; + + if(b1 == nil) { + if(b2 == nil) + ans = newbytes(0); + else + ans = makebytes(b2->data, b2->len); + } + else if(b2 == nil) { + ans = makebytes(b1->data, b1->len); + } + else { + n = b1->len + b2->len; + ans = newbytes(n); + ans->len = n; + memmove(ans->data, b1->data, b1->len); + memmove(ans->data+b1->len, b2->data, b2->len); + } + return ans; +} + +/* len is number of ints */ +static Ints* +newints(int len) +{ + Ints* ans; + + ans = (Ints*)emalloc(OFFSETOF(data[0], Ints) + len*sizeof(int)); + ans->len = len; + return ans; +} + +static Ints* +makeints(int* buf, int len) +{ + Ints* ans; + + ans = newints(len); + if(len > 0) + memmove(ans->data, buf, len*sizeof(int)); + return ans; +} + +static void +freeints(Ints* b) +{ + if(b != nil) + free(b); +} + +/* len is number of bytes */ +static Bits* +newbits(int len) +{ + Bits* ans; + + ans = (Bits*)emalloc(OFFSETOF(data[0], Bits) + len); + ans->len = len; + ans->unusedbits = 0; + return ans; +} + +static Bits* +makebits(uchar* buf, int len, int unusedbits) +{ + Bits* ans; + + ans = newbits(len); + memmove(ans->data, buf, len); + ans->unusedbits = unusedbits; + return ans; +} + +static void +freebits(Bits* b) +{ + if(b != nil) + free(b); +} + +static Elist* +mkel(Elem e, Elist* tail) +{ + Elist* el; + + el = (Elist*)emalloc(sizeof(Elist)); + setmalloctag(el, getcallerpc(&e)); + el->hd = e; + el->tl = tail; + return el; +} + +static int +elistlen(Elist* el) +{ + int ans = 0; + while(el != nil) { + ans++; + el = el->tl; + } + return ans; +} + +/* Frees elist, but not fields inside values of constituent elems */ +static void +freeelist(Elist* el) +{ + Elist* next; + + while(el != nil) { + next = el->tl; + free(el); + el = next; + } +} + +/* free any allocated structures inside v (recursively freeing Elists) */ +static void +freevalfields(Value* v) +{ + Elist* el; + Elist* l; + if(v == nil) + return; + switch(v->tag) { + case VOctets: + freebytes(v->u.octetsval); + break; + case VBigInt: + freebytes(v->u.bigintval); + break; + case VReal: + freebytes(v->u.realval); + break; + case VOther: + freebytes(v->u.otherval); + break; + case VBitString: + freebits(v->u.bitstringval); + break; + case VObjId: + freeints(v->u.objidval); + break; + case VString: + if(v->u.stringval) + free(v->u.stringval); + break; + case VSeq: + el = v->u.seqval; + for(l = el; l != nil; l = l->tl) + freevalfields(&l->hd.val); + if(el) + freeelist(el); + break; + case VSet: + el = v->u.setval; + for(l = el; l != nil; l = l->tl) + freevalfields(&l->hd.val); + if(el) + freeelist(el); + break; + } +} + +/* end of general ASN1 functions */ + + + + + +/*=============================================================*/ +/* + * Decode and parse an X.509 Certificate, defined by this ASN1: + * Certificate ::= SEQUENCE { + * certificateInfo CertificateInfo, + * signatureAlgorithm AlgorithmIdentifier, + * signature BIT STRING } + * + * CertificateInfo ::= SEQUENCE { + * version [0] INTEGER DEFAULT v1 (0), + * serialNumber INTEGER, + * signature AlgorithmIdentifier, + * issuer Name, + * validity Validity, + * subject Name, + * subjectPublicKeyInfo SubjectPublicKeyInfo } + * (version v2 has two more fields, optional unique identifiers for + * issuer and subject; since we ignore these anyway, we won't parse them) + * + * Validity ::= SEQUENCE { + * notBefore UTCTime, + * notAfter UTCTime } + * + * SubjectPublicKeyInfo ::= SEQUENCE { + * algorithm AlgorithmIdentifier, + * subjectPublicKey BIT STRING } + * + * AlgorithmIdentifier ::= SEQUENCE { + * algorithm OBJECT IDENTIFER, + * parameters ANY DEFINED BY ALGORITHM OPTIONAL } + * + * Name ::= SEQUENCE OF RelativeDistinguishedName + * + * RelativeDistinguishedName ::= SETOF SIZE(1..MAX) OF AttributeTypeAndValue + * + * AttributeTypeAndValue ::= SEQUENCE { + * type OBJECT IDENTIFER, + * value DirectoryString } + * (selected attributes have these Object Ids: + * commonName {2 5 4 3} + * countryName {2 5 4 6} + * localityName {2 5 4 7} + * stateOrProvinceName {2 5 4 8} + * organizationName {2 5 4 10} + * organizationalUnitName {2 5 4 11} + * ) + * + * DirectoryString ::= CHOICE { + * teletexString TeletexString, + * printableString PrintableString, + * universalString UniversalString } + * + * See rfc1423, rfc2437 for AlgorithmIdentifier, subjectPublicKeyInfo, signature. + * + * Not yet implemented: + * CertificateRevocationList ::= SIGNED SEQUENCE{ + * signature AlgorithmIdentifier, + * issuer Name, + * lastUpdate UTCTime, + * nextUpdate UTCTime, + * revokedCertificates + * SEQUENCE OF CRLEntry OPTIONAL} + * CRLEntry ::= SEQUENCE{ + * userCertificate SerialNumber, + * revocationDate UTCTime} + */ + +typedef struct CertX509 { + int serial; + char* issuer; + char* validity_start; + char* validity_end; + char* subject; + int publickey_alg; + Bytes* publickey; + int signature_alg; + Bytes* signature; +} CertX509; + +/* Algorithm object-ids */ +enum { + ALG_rsaEncryption, + ALG_md2WithRSAEncryption, + ALG_md4WithRSAEncryption, + ALG_md5WithRSAEncryption, + ALG_sha1WithRSAEncryption, + ALG_sha1WithRSAEncryptionOiw, + ALG_md5, + NUMALGS +}; +typedef struct Ints7 { + int len; + int data[7]; +} Ints7; +static Ints7 oid_rsaEncryption = {7, 1, 2, 840, 113549, 1, 1, 1 }; +static Ints7 oid_md2WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 2 }; +static Ints7 oid_md4WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 3 }; +static Ints7 oid_md5WithRSAEncryption = {7, 1, 2, 840, 113549, 1, 1, 4 }; +static Ints7 oid_sha1WithRSAEncryption ={7, 1, 2, 840, 113549, 1, 1, 5 }; +static Ints7 oid_sha1WithRSAEncryptionOiw ={6, 1, 3, 14, 3, 2, 29 }; +static Ints7 oid_md5 ={6, 1, 2, 840, 113549, 2, 5, 0 }; +static Ints *alg_oid_tab[NUMALGS+1] = { + (Ints*)&oid_rsaEncryption, + (Ints*)&oid_md2WithRSAEncryption, + (Ints*)&oid_md4WithRSAEncryption, + (Ints*)&oid_md5WithRSAEncryption, + (Ints*)&oid_sha1WithRSAEncryption, + (Ints*)&oid_sha1WithRSAEncryptionOiw, + (Ints*)&oid_md5, + nil +}; +static DigestFun digestalg[NUMALGS+1] = { md5, md5, md5, md5, sha1, sha1, md5, nil }; + +static void +freecert(CertX509* c) +{ + if(!c) return; + if(c->issuer != nil) + free(c->issuer); + if(c->validity_start != nil) + free(c->validity_start); + if(c->validity_end != nil) + free(c->validity_end); + if(c->subject != nil) + free(c->subject); + freebytes(c->publickey); + freebytes(c->signature); + free(c); +} + +/* + * Parse the Name ASN1 type. + * The sequence of RelativeDistinguishedName's gives a sort of pathname, + * from most general to most specific. Each element of the path can be + * one or more (but usually just one) attribute-value pair, such as + * countryName="US". + * We'll just form a "postal-style" address string by concatenating the elements + * from most specific to least specific, separated by commas. + * Return name-as-string (which must be freed by caller). + */ +static char* +parse_name(Elem* e) +{ + Elist* el; + Elem* es; + Elist* esetl; + Elem* eat; + Elist* eatl; + char* s; + enum { MAXPARTS = 100 }; + char* parts[MAXPARTS]; + int i; + int plen; + char* ans = nil; + + if(!is_seq(e, &el)) + goto errret; + i = 0; + plen = 0; + while(el != nil) { + es = &el->hd; + if(!is_set(es, &esetl)) + goto errret; + while(esetl != nil) { + eat = &esetl->hd; + if(!is_seq(eat, &eatl) || elistlen(eatl) != 2) + goto errret; + if(!is_string(&eatl->tl->hd, &s) || i>=MAXPARTS) + goto errret; + parts[i++] = s; + plen += strlen(s) + 2; /* room for ", " after */ + esetl = esetl->tl; + } + el = el->tl; + } + if(i > 0) { + ans = (char*)emalloc(plen); + *ans = '\0'; + while(--i >= 0) { + s = parts[i]; + strcat(ans, s); + if(i > 0) + strcat(ans, ", "); + } + } + +errret: + return ans; +} + +/* + * Parse an AlgorithmIdentifer ASN1 type. + * Look up the oid in oid_tab and return one of OID_rsaEncryption, etc.., + * or -1 if not found. + * For now, ignore parameters, since none of our algorithms need them. + */ +static int +parse_alg(Elem* e) +{ + Elist* el; + Ints* oid; + + if(!is_seq(e, &el) || el == nil || !is_oid(&el->hd, &oid)) + return -1; + return oid_lookup(oid, alg_oid_tab); +} + +static CertX509* +decode_cert(Bytes* a) +{ + int ok = 0; + int n; + CertX509* c = nil; + Elem ecert; + Elem* ecertinfo; + Elem* esigalg; + Elem* esig; + Elem* eserial; + Elem* eissuer; + Elem* evalidity; + Elem* esubj; + Elem* epubkey; + Elist* el; + Elist* elcert = nil; + Elist* elcertinfo = nil; + Elist* elvalidity = nil; + Elist* elpubkey = nil; + Bits* bits = nil; + Bytes* b; + Elem* e; + + if(decode(a->data, a->len, &ecert) != ASN_OK) + goto errret; + + c = (CertX509*)emalloc(sizeof(CertX509)); + c->serial = -1; + c->issuer = nil; + c->validity_start = nil; + c->validity_end = nil; + c->subject = nil; + c->publickey_alg = -1; + c->publickey = nil; + c->signature_alg = -1; + c->signature = nil; + + /* Certificate */ + if(!is_seq(&ecert, &elcert) || elistlen(elcert) !=3) + goto errret; + ecertinfo = &elcert->hd; + el = elcert->tl; + esigalg = &el->hd; + c->signature_alg = parse_alg(esigalg); + el = el->tl; + esig = &el->hd; + + /* Certificate Info */ + if(!is_seq(ecertinfo, &elcertinfo)) + goto errret; + n = elistlen(elcertinfo); + if(n < 6) + goto errret; + eserial =&elcertinfo->hd; + el = elcertinfo->tl; + /* check for optional version, marked by explicit context tag 0 */ + if(eserial->tag.class == Context && eserial->tag.num == 0) { + eserial = &el->hd; + if(n < 7) + goto errret; + el = el->tl; + } + + if(parse_alg(&el->hd) != c->signature_alg) + goto errret; + el = el->tl; + eissuer = &el->hd; + el = el->tl; + evalidity = &el->hd; + el = el->tl; + esubj = &el->hd; + el = el->tl; + epubkey = &el->hd; + if(!is_int(eserial, &c->serial)) { + if(!is_bigint(eserial, &b)) + goto errret; + c->serial = -1; /* else we have to change cert struct */ + } + c->issuer = parse_name(eissuer); + if(c->issuer == nil) + goto errret; + /* Validity */ + if(!is_seq(evalidity, &elvalidity)) + goto errret; + if(elistlen(elvalidity) != 2) + goto errret; + e = &elvalidity->hd; + if(!is_time(e, &c->validity_start)) + goto errret; + e->val.u.stringval = nil; /* string ownership transfer */ + e = &elvalidity->tl->hd; + if(!is_time(e, &c->validity_end)) + goto errret; + e->val.u.stringval = nil; /* string ownership transfer */ + + /* resume CertificateInfo */ + c->subject = parse_name(esubj); + if(c->subject == nil) + goto errret; + + /* SubjectPublicKeyInfo */ + if(!is_seq(epubkey, &elpubkey)) + goto errret; + if(elistlen(elpubkey) != 2) + goto errret; + + c->publickey_alg = parse_alg(&elpubkey->hd); + if(c->publickey_alg < 0) + goto errret; + if(!is_bitstring(&elpubkey->tl->hd, &bits)) + goto errret; + if(bits->unusedbits != 0) + goto errret; + c->publickey = makebytes(bits->data, bits->len); + + /*resume Certificate */ + if(c->signature_alg < 0) + goto errret; + if(!is_bitstring(esig, &bits)) + goto errret; + c->signature = makebytes(bits->data, bits->len); + ok = 1; + +errret: + freevalfields(&ecert.val); /* recurses through lists, too */ + if(!ok){ + freecert(c); + c = nil; + } + return c; +} + +/* + * RSAPublickKey :: SEQUENCE { + * modulus INTEGER, + * publicExponent INTEGER + * } + */ +static RSApub* +decode_rsapubkey(Bytes* a) +{ + Elem e; + Elist *el, *l; + mpint *mp; + RSApub* key; + + l = nil; + key = rsapuballoc(); + if(decode(a->data, a->len, &e) != ASN_OK) + goto errret; + if(!is_seq(&e, &el) || elistlen(el) != 2) + goto errret; + + l = el; + + key->n = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->ek = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + if(l != nil) + freeelist(l); + return key; +errret: + if(l != nil) + freeelist(l); + rsapubfree(key); + return nil; +} + +/* + * RSAPrivateKey ::= SEQUENCE { + * version Version, + * modulus INTEGER, -- n + * publicExponent INTEGER, -- e + * privateExponent INTEGER, -- d + * prime1 INTEGER, -- p + * prime2 INTEGER, -- q + * exponent1 INTEGER, -- d mod (p-1) + * exponent2 INTEGER, -- d mod (q-1) + * coefficient INTEGER -- (inverse of q) mod p } + */ +static RSApriv* +decode_rsaprivkey(Bytes* a) +{ + int version; + Elem e; + Elist *el; + mpint *mp; + RSApriv* key; + + key = rsaprivalloc(); + if(decode(a->data, a->len, &e) != ASN_OK) + goto errret; + if(!is_seq(&e, &el) || elistlen(el) != 9) + goto errret; + if(!is_int(&el->hd, &version) || version != 0) + goto errret; + + el = el->tl; + key->pub.n = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->pub.ek = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->dk = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->q = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->p = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->kq = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->kp = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->c2 = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + return key; +errret: + rsaprivfree(key); + return nil; +} + +/* + * DSAPrivateKey ::= SEQUENCE{ + * version Version, + * p INTEGER, + * q INTEGER, + * g INTEGER, -- alpha + * pub_key INTEGER, -- key + * priv_key INTEGER, -- secret + * } + */ +static DSApriv* +decode_dsaprivkey(Bytes* a) +{ + int version; + Elem e; + Elist *el; + mpint *mp; + DSApriv* key; + + key = dsaprivalloc(); + if(decode(a->data, a->len, &e) != ASN_OK) + goto errret; + if(!is_seq(&e, &el) || elistlen(el) != 6) + goto errret; +version = -1; + if(!is_int(&el->hd, &version) || version != 0) +{ +fprint(2, "version %d\n", version); + goto errret; +} + + el = el->tl; + key->pub.p = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->pub.q = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->pub.alpha = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->pub.key = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + el = el->tl; + key->secret = mp = asn1mpint(&el->hd); + if(mp == nil) + goto errret; + + return key; +errret: + dsaprivfree(key); + return nil; +} + +static mpint* +asn1mpint(Elem *e) +{ + Bytes *b; + mpint *mp; + int v; + + if(is_int(e, &v)) + return itomp(v, nil); + if(is_bigint(e, &b)) { + mp = betomp(b->data, b->len, nil); + freebytes(b); + return mp; + } + return nil; +} + +static mpint* +pkcs1pad(Bytes *b, mpint *modulus) +{ + int n = (mpsignif(modulus)+7)/8; + int pm1, i; + uchar *p; + mpint *mp; + + pm1 = n - 1 - b->len; + p = (uchar*)emalloc(n); + p[0] = 0; + p[1] = 1; + for(i = 2; i < pm1; i++) + p[i] = 0xFF; + p[pm1] = 0; + memcpy(&p[pm1+1], b->data, b->len); + mp = betomp(p, n, nil); + free(p); + return mp; +} + +RSApriv* +asn1toRSApriv(uchar *kd, int kn) +{ + Bytes *b; + RSApriv *key; + + b = makebytes(kd, kn); + key = decode_rsaprivkey(b); + freebytes(b); + return key; +} + +DSApriv* +asn1toDSApriv(uchar *kd, int kn) +{ + Bytes *b; + DSApriv *key; + + b = makebytes(kd, kn); + key = decode_dsaprivkey(b); + freebytes(b); + return key; +} + +/* + * digest(CertificateInfo) + * Our ASN.1 library doesn't return pointers into the original + * data array, so we need to do a little hand decoding. + */ +static void +digest_certinfo(Bytes *cert, DigestFun digestfun, uchar *digest) +{ + uchar *info, *p, *pend; + ulong infolen; + int isconstr, length; + Tag tag; + Elem elem; + + p = cert->data; + pend = cert->data + cert->len; + if(tag_decode(&p, pend, &tag, &isconstr) != ASN_OK || + tag.class != Universal || tag.num != SEQUENCE || + length_decode(&p, pend, &length) != ASN_OK || + p+length > pend || + p+length < p) + return; + info = p; + if(ber_decode(&p, pend, &elem) != ASN_OK) + return; + freevalfields(&elem.val); + if(elem.tag.num != SEQUENCE) + return; + infolen = p - info; + (*digestfun)(info, infolen, digest, nil); +} + +static char* +verify_signature(Bytes* signature, RSApub *pk, uchar *edigest, Elem **psigalg) +{ + Elem e; + Elist *el; + Bytes *digest; + uchar *pkcs1buf, *buf; + int buflen; + mpint *pkcs1; + int nlen; + char *err; + + err = nil; + pkcs1buf = nil; + + /* one less than the byte length of the modulus */ + nlen = (mpsignif(pk->n)-1)/8; + + /* see 9.2.1 of rfc2437 */ + pkcs1 = betomp(signature->data, signature->len, nil); + mpexp(pkcs1, pk->ek, pk->n, pkcs1); + buflen = mptobe(pkcs1, nil, 0, &pkcs1buf); + buf = pkcs1buf; + if(buflen != nlen || buf[0] != 1) { + err = "expected 1"; + goto end; + } + buf++; + while(buf[0] == 0xff) + buf++; + if(buf[0] != 0) { + err = "expected 0"; + goto end; + } + buf++; + buflen -= buf-pkcs1buf; + if(decode(buf, buflen, &e) != ASN_OK || !is_seq(&e, &el) || elistlen(el) != 2 || + !is_octetstring(&el->tl->hd, &digest)) { + err = "signature parse error"; + goto end; + } + *psigalg = &el->hd; + if(memcmp(digest->data, edigest, digest->len) == 0) + goto end; + err = "digests did not match"; + +end: + if(pkcs1 != nil) + mpfree(pkcs1); + if(pkcs1buf != nil) + free(pkcs1buf); + return err; +} + +RSApub* +X509toRSApub(uchar *cert, int ncert, char *name, int nname) +{ + char *e; + Bytes *b; + CertX509 *c; + RSApub *pk; + + b = makebytes(cert, ncert); + c = decode_cert(b); + freebytes(b); + if(c == nil) + return nil; + if(name != nil && c->subject != nil){ + e = strchr(c->subject, ','); + if(e != nil) + *e = 0; /* take just CN part of Distinguished Name */ + strncpy(name, c->subject, nname); + } + pk = decode_rsapubkey(c->publickey); + freecert(c); + return pk; +} + +char* +X509verify(uchar *cert, int ncert, RSApub *pk) +{ + char *e; + Bytes *b; + CertX509 *c; + uchar digest[SHA1dlen]; + Elem *sigalg; + + b = makebytes(cert, ncert); + c = decode_cert(b); + if(c != nil) + digest_certinfo(b, digestalg[c->signature_alg], digest); + freebytes(b); + if(c == nil) + return "cannot decode cert"; + e = verify_signature(c->signature, pk, digest, &sigalg); + freecert(c); + return e; +} + +/* ------- Elem constructors ---------- */ +static Elem +Null(void) +{ + Elem e; + + e.tag.class = Universal; + e.tag.num = NULLTAG; + e.val.tag = VNull; + return e; +} + +static Elem +mkint(int j) +{ + Elem e; + + e.tag.class = Universal; + e.tag.num = INTEGER; + e.val.tag = VInt; + e.val.u.intval = j; + return e; +} + +static Elem +mkbigint(mpint *p) +{ + Elem e; + uchar *buf; + int buflen; + + e.tag.class = Universal; + e.tag.num = INTEGER; + e.val.tag = VBigInt; + buflen = mptobe(p, nil, 0, &buf); + e.val.u.bigintval = makebytes(buf, buflen); + free(buf); + return e; +} + +static Elem +mkstring(char *s) +{ + Elem e; + + e.tag.class = Universal; + e.tag.num = IA5String; + e.val.tag = VString; + e.val.u.stringval = estrdup(s); + return e; +} + +static Elem +mkoctet(uchar *buf, int buflen) +{ + Elem e; + + e.tag.class = Universal; + e.tag.num = OCTET_STRING; + e.val.tag = VOctets; + e.val.u.octetsval = makebytes(buf, buflen); + return e; +} + +static Elem +mkbits(uchar *buf, int buflen) +{ + Elem e; + + e.tag.class = Universal; + e.tag.num = BIT_STRING; + e.val.tag = VBitString; + e.val.u.bitstringval = makebits(buf, buflen, 0); + return e; +} + +static Elem +mkutc(long t) +{ + Elem e; + char utc[50]; + Tm *tm = gmtime(t); + + e.tag.class = Universal; + e.tag.num = UTCTime; + e.val.tag = VString; + snprint(utc, 50, "%.2d%.2d%.2d%.2d%.2d%.2dZ", + tm->year % 100, tm->mon+1, tm->mday, tm->hour, tm->min, tm->sec); + e.val.u.stringval = estrdup(utc); + return e; +} + +static Elem +mkoid(Ints *oid) +{ + Elem e; + + e.tag.class = Universal; + e.tag.num = OBJECT_ID; + e.val.tag = VObjId; + e.val.u.objidval = makeints(oid->data, oid->len); + return e; +} + +static Elem +mkseq(Elist *el) +{ + Elem e; + + e.tag.class = Universal; + e.tag.num = SEQUENCE; + e.val.tag = VSeq; + e.val.u.seqval = el; + return e; +} + +static Elem +mkset(Elist *el) +{ + Elem e; + + e.tag.class = Universal; + e.tag.num = SETOF; + e.val.tag = VSet; + e.val.u.setval = el; + return e; +} + +static Elem +mkalg(int alg) +{ + return mkseq(mkel(mkoid(alg_oid_tab[alg]), mkel(Null(), nil))); +} + +typedef struct Ints7pref { + int len; + int data[7]; + char prefix[4]; +} Ints7pref; +Ints7pref DN_oid[] = { + {4, 2, 5, 4, 6, 0, 0, 0, "C="}, + {4, 2, 5, 4, 8, 0, 0, 0, "ST="}, + {4, 2, 5, 4, 7, 0, 0, 0, "L="}, + {4, 2, 5, 4, 10, 0, 0, 0, "O="}, + {4, 2, 5, 4, 11, 0, 0, 0, "OU="}, + {4, 2, 5, 4, 3, 0, 0, 0, "CN="}, + {7, 1,2,840,113549,1,9,1, "E="}, +}; + +static Elem +mkname(Ints7pref *oid, char *subj) +{ + return mkset(mkel(mkseq(mkel(mkoid((Ints*)oid), mkel(mkstring(subj), nil))), nil)); +} + +static Elem +mkDN(char *dn) +{ + int i, j, nf; + char *f[20], *prefix, *d2 = estrdup(dn); + Elist* el = nil; + + nf = tokenize(d2, f, nelem(f)); + for(i=nf-1; i>=0; i--){ + for(j=0; j<nelem(DN_oid); j++){ + prefix = DN_oid[j].prefix; + if(strncmp(f[i],prefix,strlen(prefix))==0){ + el = mkel(mkname(&DN_oid[j],f[i]+strlen(prefix)), el); + break; + } + } + } + free(d2); + return mkseq(el); +} + + +uchar* +X509gen(RSApriv *priv, char *subj, ulong valid[2], int *certlen) +{ + int serial = 0; + uchar *cert = nil; + RSApub *pk = rsaprivtopub(priv); + Bytes *certbytes, *pkbytes, *certinfobytes, *sigbytes; + Elem e, certinfo, issuer, subject, pubkey, validity, sig; + uchar digest[MD5dlen], *buf; + int buflen; + mpint *pkcs1; + + e.val.tag = VInt; /* so freevalfields at errret is no-op */ + issuer = mkDN(subj); + subject = mkDN(subj); + pubkey = mkseq(mkel(mkbigint(pk->n),mkel(mkint(mptoi(pk->ek)),nil))); + if(encode(pubkey, &pkbytes) != ASN_OK) + goto errret; + freevalfields(&pubkey.val); + pubkey = mkseq( + mkel(mkalg(ALG_rsaEncryption), + mkel(mkbits(pkbytes->data, pkbytes->len), + nil))); + freebytes(pkbytes); + validity = mkseq( + mkel(mkutc(valid[0]), + mkel(mkutc(valid[1]), + nil))); + certinfo = mkseq( + mkel(mkint(serial), + mkel(mkalg(ALG_md5WithRSAEncryption), + mkel(issuer, + mkel(validity, + mkel(subject, + mkel(pubkey, + nil))))))); + if(encode(certinfo, &certinfobytes) != ASN_OK) + goto errret; + md5(certinfobytes->data, certinfobytes->len, digest, 0); + freebytes(certinfobytes); + sig = mkseq( + mkel(mkalg(ALG_md5), + mkel(mkoctet(digest, MD5dlen), + nil))); + if(encode(sig, &sigbytes) != ASN_OK) + goto errret; + pkcs1 = pkcs1pad(sigbytes, pk->n); + freebytes(sigbytes); + rsadecrypt(priv, pkcs1, pkcs1); + buflen = mptobe(pkcs1, nil, 0, &buf); + mpfree(pkcs1); + e = mkseq( + mkel(certinfo, + mkel(mkalg(ALG_md5WithRSAEncryption), + mkel(mkbits(buf, buflen), + nil)))); + free(buf); + if(encode(e, &certbytes) != ASN_OK) + goto errret; + if(certlen) + *certlen = certbytes->len; + cert = certbytes->data; +errret: + freevalfields(&e.val); + return cert; +} + +uchar* +X509req(RSApriv *priv, char *subj, int *certlen) +{ + /* RFC 2314, PKCS #10 Certification Request Syntax */ + int version = 0; + uchar *cert = nil; + RSApub *pk = rsaprivtopub(priv); + Bytes *certbytes, *pkbytes, *certinfobytes, *sigbytes; + Elem e, certinfo, subject, pubkey, sig; + uchar digest[MD5dlen], *buf; + int buflen; + mpint *pkcs1; + + e.val.tag = VInt; /* so freevalfields at errret is no-op */ + subject = mkDN(subj); + pubkey = mkseq(mkel(mkbigint(pk->n),mkel(mkint(mptoi(pk->ek)),nil))); + if(encode(pubkey, &pkbytes) != ASN_OK) + goto errret; + freevalfields(&pubkey.val); + pubkey = mkseq( + mkel(mkalg(ALG_rsaEncryption), + mkel(mkbits(pkbytes->data, pkbytes->len), + nil))); + freebytes(pkbytes); + certinfo = mkseq( + mkel(mkint(version), + mkel(subject, + mkel(pubkey, + nil)))); + if(encode(certinfo, &certinfobytes) != ASN_OK) + goto errret; + md5(certinfobytes->data, certinfobytes->len, digest, 0); + freebytes(certinfobytes); + sig = mkseq( + mkel(mkalg(ALG_md5), + mkel(mkoctet(digest, MD5dlen), + nil))); + if(encode(sig, &sigbytes) != ASN_OK) + goto errret; + pkcs1 = pkcs1pad(sigbytes, pk->n); + freebytes(sigbytes); + rsadecrypt(priv, pkcs1, pkcs1); + buflen = mptobe(pkcs1, nil, 0, &buf); + mpfree(pkcs1); + e = mkseq( + mkel(certinfo, + mkel(mkalg(ALG_md5), + mkel(mkbits(buf, buflen), + nil)))); + free(buf); + if(encode(e, &certbytes) != ASN_OK) + goto errret; + if(certlen) + *certlen = certbytes->len; + cert = certbytes->data; +errret: + freevalfields(&e.val); + return cert; +} + +static char* +tagdump(Tag tag) +{ + if(tag.class != Universal) + return smprint("class%d,num%d", tag.class, tag.num); + switch(tag.num){ + case BOOLEAN: return "BOOLEAN"; + case INTEGER: return "INTEGER"; + case BIT_STRING: return "BIT STRING"; + case OCTET_STRING: return "OCTET STRING"; + case NULLTAG: return "NULLTAG"; + case OBJECT_ID: return "OID"; + case ObjectDescriptor: return "OBJECT_DES"; + case EXTERNAL: return "EXTERNAL"; + case REAL: return "REAL"; + case ENUMERATED: return "ENUMERATED"; + case EMBEDDED_PDV: return "EMBEDDED PDV"; + case SEQUENCE: return "SEQUENCE"; + case SETOF: return "SETOF"; + case UTF8String: return "UTF8String"; + case NumericString: return "NumericString"; + case PrintableString: return "PrintableString"; + case TeletexString: return "TeletexString"; + case VideotexString: return "VideotexString"; + case IA5String: return "IA5String"; + case UTCTime: return "UTCTime"; + case GeneralizedTime: return "GeneralizedTime"; + case GraphicString: return "GraphicString"; + case VisibleString: return "VisibleString"; + case GeneralString: return "GeneralString"; + case UniversalString: return "UniversalString"; + case BMPString: return "BMPString"; + default: + return smprint("Universal,num%d", tag.num); + } +} + +static void +edump(Elem e) +{ + Value v; + Elist *el; + int i; + + print("%s{", tagdump(e.tag)); + v = e.val; + switch(v.tag){ + case VBool: print("Bool %d",v.u.boolval); break; + case VInt: print("Int %d",v.u.intval); break; + case VOctets: print("Octets[%d] %.2x%.2x...",v.u.octetsval->len,v.u.octetsval->data[0],v.u.octetsval->data[1]); break; + case VBigInt: print("BigInt[%d] %.2x%.2x...",v.u.bigintval->len,v.u.bigintval->data[0],v.u.bigintval->data[1]); break; + case VReal: print("Real..."); break; + case VOther: print("Other..."); break; + case VBitString: print("BitString..."); break; + case VNull: print("Null"); break; + case VEOC: print("EOC..."); break; + case VObjId: print("ObjId"); + for(i = 0; i<v.u.objidval->len; i++) + print(" %d", v.u.objidval->data[i]); + break; + case VString: print("String \"%s\"",v.u.stringval); break; + case VSeq: print("Seq\n"); + for(el = v.u.seqval; el!=nil; el = el->tl) + edump(el->hd); + break; + case VSet: print("Set\n"); + for(el = v.u.setval; el!=nil; el = el->tl) + edump(el->hd); + break; + } + print("}\n"); +} + +void +asn1dump(uchar *der, int len) +{ + Elem e; + + if(decode(der, len, &e) != ASN_OK){ + print("didn't parse\n"); + exits("didn't parse"); + } + edump(e); +} + +void +X509dump(uchar *cert, int ncert) +{ + char *e; + Bytes *b; + CertX509 *c; + RSApub *pk; + uchar digest[SHA1dlen]; + Elem *sigalg; + + print("begin X509dump\n"); + b = makebytes(cert, ncert); + c = decode_cert(b); + if(c != nil) + digest_certinfo(b, digestalg[c->signature_alg], digest); + freebytes(b); + if(c == nil){ + print("cannot decode cert"); + return; + } + + print("serial %d\n", c->serial); + print("issuer %s\n", c->issuer); + print("validity %s %s\n", c->validity_start, c->validity_end); + print("subject %s\n", c->subject); + pk = decode_rsapubkey(c->publickey); + print("pubkey e=%B n(%d)=%B\n", pk->ek, mpsignif(pk->n), pk->n); + + print("sigalg=%d digest=%.*H\n", c->signature_alg, MD5dlen, digest); + e = verify_signature(c->signature, pk, digest, &sigalg); + if(e==nil){ + e = "nil (meaning ok)"; + print("sigalg=\n"); + if(sigalg) + edump(*sigalg); + } + print("self-signed verify_signature returns: %s\n", e); + + rsapubfree(pk); + freecert(c); + print("end X509dump\n"); +} diff --git a/sys/src/libsec/power/mkfile b/sys/src/libsec/power/mkfile new file mode 100755 index 000000000..566053539 --- /dev/null +++ b/sys/src/libsec/power/mkfile @@ -0,0 +1,11 @@ +objtype=power +</$objtype/mkfile + +LIB=/$objtype/lib/libsec.a +OFILES= \ + +HFILES=/sys/include/libsec.h + +UPDATE=mkfile + +</sys/src/cmd/mksyslib |