Commit graph

44 commits

Author SHA1 Message Date
cinap_lenrek
57d95c7325 libsec: move zero check to curve25519_dh_finish()
As checking for all zero has to be done in a timing-safe
way to avoid a side channel, it is best todo this here
instead of letting the caller deal with it.

This adds a return type of int to curve25519_dh_finish()
where returning 0 means we got a all zero shared key.

RFC7748 states:

The check for the all-zero value results from the fact
that the X25519 function produces that value if it
operates on an input corresponding to a point with small
order, where the order divides the cofactor of the curve.
2021-06-20 14:41:26 +00:00
cinap_lenrek
2f976d8b56 libsec: move AES XTS function prototypes to AES definition section in the header file 2020-03-01 16:02:56 +01:00
cinap_lenrek
64640083de libsec: remove hash pickle functions, document ripemd160, cleanup sechash(2) manpage 2020-03-01 15:07:44 +01:00
cinap_lenrek
85216d3d95 auth/rsa2asn1: implement private key export with -a flag (thanks kvik)
kvik writes:

I needed to convert the RSA private key that was laying around in
secstore into a format understood by UNIX® tools like SSH.

With asn12rsa(8) we can go from the ASN.1/DER to Plan 9 format, but not
back - so I wrote the libsec function asn1encodeRSApriv(2) and used it in
rsa2asn1(8) by adding the -a flag which causes the full private key to be
encoded and output.
2019-08-30 07:34:35 +02:00
cinap_lenrek
8ff72ce20d libsec: remove asn1toDSApriv() 2018-01-06 08:34:25 +01:00
cinap_lenrek
57f8b6ec75 libsec: implement SPKI fingerprinting for okCertificate()
Instead of only using a hash over the whole certificate for
white/black-listing, now we can also use a hash over the
Subject Public Key Info (SPKI) field of the certificate which
contians the public key algorithm and the public key itself.

This allows certificates to be renewed independendtly of the
public key.

X509dump() now prints the public key thumbprint in addition
to the certificate thumbprint.

tlsclient will print the certificate when run with -D flag.

okCertificate() will print the public key thumbprint in its
error string when no match has been found.
2017-12-30 03:07:47 +01:00
cinap_lenrek
3356e0e731 libsec: AES-NI support for amd64
Add assembler versions for aes_encrypt/aes_decrypt and the key
setup using AES-NI instruction set. This makes aes_encrypt and
aes_decrypt into function pointers which get initialized by
the first call to setupAESstate().

Note that the expanded round key words are *NOT* stored in big
endian order as with the portable implementation. For that reason
the AESstate.ekey and AESstate.dkey fields have been changed to
void* forcing an error when someone is accessing the roundkey
words. One offender was aesXCBmac, which doesnt appear to be
used and the code looks horrible so it has been deleted.

The AES-NI implementation is for amd64 only as it requires the
kernel to save/restore the FPU state across syscalls and
pagefaults.
2017-11-12 23:15:15 +01:00
cinap_lenrek
c021390e21 libsec: rewrite aex_xts_encrypt()/aes_xts_decrypt()
the previous implementation was not portable at all, assuming
little endian in gf_mulx() and that one can cast unaligned
pointers to ulong in xor128(). also the error code is likely
to be ignored, so better abort() when the length is not a
multiple of the AES block size.

we also pass in full AESstate structures now instead of
the expanded key longs, so that we do not need to hardcode
the number of rounds. this allows each indiviaul keys to
be bigger than 128 bit.
2017-10-29 21:49:24 +01:00
cinap_lenrek
29411f58cf libsec: make sectorNumber argument for aes_xts routines uvlong 2017-10-17 21:36:45 +02:00
cinap_lenrek
45b7d60bf3 libsec: add AES CFB and AES OFB stream ciphers 2017-10-17 21:34:01 +02:00
cinap_lenrek
8a67560183 libsec: export asn1encodedigest(), asn1encodeRSApub(), asn1toRSApub(), pkcs1padbuf() and pkcs1unpadbuf() 2017-10-06 20:52:18 +02:00
cinap_lenrek
346f5828e0 libsec: sha256 support for thumbprint files, use it in ssh as well
initThumbprints() now takes an application tag argument
so x509 and ssh can coexist.

the thumbprint entries can now hold both sha1 and sha256
hashes. okThumbprint() now takes a len argument for the
hash length used.

the new function okCertificate() hashes the certificate
with both and checks for any matches.

on failure, okCertificate() returns 0 and sets error string.

we also check for include loops now in thumbfiles, limiting
the number of includes to 8.
2017-04-23 19:00:08 +02:00
cinap_lenrek
7d4a1e3643 ec(2), rsa(2): document X509toECpub(), X509ecdsaverify(), X509ecdsaverifydigest(), X509rsaverifydigest() 2017-02-10 22:39:47 +01:00
cinap_lenrek
fb2abc2a04 libsec: make X509toECpub() return CN name like X509toRSApub() 2017-02-10 21:36:19 +01:00
cinap_lenrek
2e23780d2f libsec: implement extended 192-bit nonce xchacha variant and hchacha function 2017-01-12 20:16:38 +01:00
cinap_lenrek
c9d55cadb3 libsec: add secp384r1 curve parameters for tls 2016-10-30 02:15:40 +01:00
cinap_lenrek
1492f46f87 libsec: add scrypt password based key derivation function 2016-07-10 21:41:57 +02:00
cinap_lenrek
2fa4c8ef66 libsec: implement elliptic curve group operations in jacobian coordinate system 2016-04-20 20:09:59 +02:00
cinap_lenrek
aa6673fcfb add portable AES-GCM (Galois/Counter Mode) implementation to libsec and devtls 2016-03-23 02:45:35 +01:00
cinap_lenrek
4a92397236 libsec: have 16 32-bit words in DigestState to avoid out of bounds warnings for poly1305 2016-02-28 09:09:41 +01:00
cinap_lenrek
a291bbdedd libsec: ecdsa client support for tlshand, cleanups 2016-02-01 21:34:49 +01:00
cinap_lenrek
7cf11db685 libsec: add salsa20 stream cipher 2016-01-19 12:50:33 +01:00
cinap_lenrek
39f18c9d88 libsec: implement TLS-PSK for tlsClient()/tlsServer() 2015-12-25 17:05:05 +01:00
cinap_lenrek
254031cf70 libsec: add chacha20 poly1305 aead, allow 64 bit iv's for chacha, add tsmemcmp()
chacha20 comes in two variants: ietf rfc7539, using 96 bit iv and 32 bit counter
and draft-agl-tls-chacha20poly1305 using 64 bit iv and a 64 bit counter. so
setupChachastate() now takes a ivlen argument which sets the mode.

add ccpoly_encrypt()/ccpoly_decrypt() routines.

to implement timing safe ccpoly_decrypt(), a constant time memcmp was needed, so
adding tsmemcmp() to libsec.
2015-11-26 15:25:10 +01:00
cinap_lenrek
847f3a0cf5 libsec: add chacha cipher (from charles forsyth) 2015-10-22 07:48:26 +02:00
cinap_lenrek
7effba9d98 libsec: add poly1305 2015-10-22 07:17:25 +02:00
cinap_lenrek
c3e1c158f6 libsec: implement dh parameter signature verification, stop lying about non-rsa ciphers, fix memory leaks in X509 code
actually verify the diffie hellman parameter signature, this
comes in two flavours. TLS1.2 uses X509 signature with a
single hash specified by the signature algorithm field in
the signature itself and pre TLS1.2 where md5+sha1 hashes
of the signed blob are pkcs1 padded and encrypted with the
rsa private key.

stop advertizing non-rsa cipher suits (DSS and ECDSA), as
we have not implmenented them.

fix some memory leaks in X509 code while we'r at it.
2015-09-22 18:10:52 +02:00
cinap_lenrek
7ed22aaeec libsec: add rfc5869 hmac-based key derivation function hkdf_x() 2015-09-02 11:30:17 +02:00
cinap_lenrek
b749f36baa libsec: generalize pbkdf2_hmac_sha1() to pbkdf2_x() passing the hmac as an argument 2015-09-02 11:28:11 +02:00
cinap_lenrek
b5737e8726 libsec: add curve25519 diffie hellman 2015-09-01 21:38:20 +02:00
cinap_lenrek
e3a64494e7 libsec: remove flawed aes() digest and hmac_aes() implementations (thanks aiju) 2015-09-01 21:35:43 +02:00
cinap_lenrek
0e51046942 libsec: add curve25519() from http://code.google.com/p/curve25519-donna/
this is a portable version of curve25519() by google.
2015-08-28 12:08:54 +02:00
cinap_lenrek
3bb0b9f4ea libsec: add q parameter to dh_new() for subgroup support, sanitize dh parameters 2015-08-26 05:59:42 +02:00
glenda
c4fdc6bfdb fix fuckup 2015-08-25 09:35:10 +00:00
mischief
6b402b83cf import E script from bell labs 2015-08-25 02:07:46 -07:00
cinap_lenrek
a40c4006d2 libsec: add pbkdf2_hmac_sha1() (from wpapsk factotum module) 2015-08-20 00:45:08 +02:00
cinap_lenrek
40360a992d libsec: implement tlsClient support for RFC6066 server name identification (SNI)
tlsClient() now can optionally send the server_name in the ClientHello
message by setting the TLSconn.serverName. This is required for some
https sites.
2015-05-21 02:26:57 +02:00
cinap_lenrek
12bb7bcfff libsec: remove aesCTRencrypt()/aesCTRdecrypt() (thanks mischief and qrstuv)
as mischief and qrstuv point out, these functions are not very usefull
and are even implemented wrong (incrementCTR()), so deleting the code.
2015-04-29 02:58:10 +02:00
cinap_lenrek
6c68876db6 libsec: add diffie-hellman functions 2014-09-14 02:29:18 +02:00
aiju
d2357e6961 added ecdsa to factotum 2012-06-06 16:43:15 +02:00
aiju
005248b4c5 added elliptic curve stuff and RIPEMD-160 2012-06-04 11:50:37 +02:00
taruti
9655db2550 devfs crypto code - alpha version 2011-05-24 22:19:33 +00:00
Taru Karttunen
a9060cc06b Import sources from 2011-03-30 iso image - lib 2011-03-30 19:35:09 +03:00
Taru Karttunen
c558a99e0b Import sources from 2011-03-30 iso image - sys/include 2011-03-30 16:47:56 +03:00