kris
/
boringssl
1
0
Fork 0
Código Issues 0 Pull requests 0 Versões 0 Wiki Atividade
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
4206 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tag: 768e6822cc
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 768e6822cc
${ noResults }
boringssl/include/openssl/aead.h

357 linhas
16 KiB
Original Anotar Histórico 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #ifndef OPENSSL_HEADER_AEAD_H

  16. #define OPENSSL_HEADER_AEAD_H

  17. 

  18. #include <openssl/base.h>

  19. 

  20. #if defined(__cplusplus)

  21. extern "C" {

  22. #endif

  23. 

  24. 

  25. /* Authenticated Encryption with Additional Data.

  26.  *

  27.  * AEAD couples confidentiality and integrity in a single primitive. AEAD

  28.  * algorithms take a key and then can seal and open individual messages. Each

  29.  * message has a unique, per-message nonce and, optionally, additional data

  30.  * which is authenticated but not included in the ciphertext.

  31.  *

  32.  * The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and

  33.  * performs any precomputation needed to use |aead| with |key|. The length of

  34.  * the key, |key_len|, is given in bytes.

  35.  *

  36.  * The |tag_len| argument contains the length of the tags, in bytes, and allows

  37.  * for the processing of truncated authenticators. A zero value indicates that

  38.  * the default tag length should be used and this is defined as

  39.  * |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using

  40.  * truncated tags increases an attacker's chance of creating a valid forgery.

  41.  * Be aware that the attacker's chance may increase more than exponentially as

  42.  * would naively be expected.

  43.  *

  44.  * When no longer needed, the initialised |EVP_AEAD_CTX| structure must be

  45.  * passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used.

  46.  *

  47.  * With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These

  48.  * operations are intended to meet the standard notions of privacy and

  49.  * authenticity for authenticated encryption. For formal definitions see

  50.  * Bellare and Namprempre, "Authenticated encryption: relations among notions

  51.  * and analysis of the generic composition paradigm," Lecture Notes in Computer

  52.  * Science B<1976> (2000), 531–545,

  53.  * http://www-cse.ucsd.edu/~mihir/papers/oem.html.

  54.  *

  55.  * When sealing messages, a nonce must be given. The length of the nonce is

  56.  * fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The

  57.  * nonce must be unique for all messages with the same key*. This is critically

  58.  * important - nonce reuse may completely undermine the security of the AEAD.

  59.  * Nonces may be predictable and public, so long as they are unique. Uniqueness

  60.  * may be achieved with a simple counter or, if large enough, may be generated

  61.  * randomly. The nonce must be passed into the "open" operation by the receiver

  62.  * so must either be implicit (e.g. a counter), or must be transmitted along

  63.  * with the sealed message.

  64.  *

  65.  * The "seal" and "open" operations are atomic - an entire message must be

  66.  * encrypted or decrypted in a single call. Large messages may have to be split

  67.  * up in order to accommodate this. When doing so, be mindful of the need not to

  68.  * repeat nonces and the possibility that an attacker could duplicate, reorder

  69.  * or drop message chunks. For example, using a single key for a given (large)

  70.  * message and sealing chunks with nonces counting from zero would be secure as

  71.  * long as the number of chunks was securely transmitted. (Otherwise an

  72.  * attacker could truncate the message by dropping chunks from the end.)

  73.  *

  74.  * The number of chunks could be transmitted by prefixing it to the plaintext,

  75.  * for example. This also assumes that no other message would ever use the same

  76.  * key otherwise the rule that nonces must be unique for a given key would be

  77.  * violated.

  78.  *

  79.  * The "seal" and "open" operations also permit additional data to be

  80.  * authenticated via the |ad| parameter. This data is not included in the

  81.  * ciphertext and must be identical for both the "seal" and "open" call. This

  82.  * permits implicit context to be authenticated but may be empty if not needed.

  83.  *

  84.  * The "seal" and "open" operations may work in-place if the |out| and |in|

  85.  * arguments are equal. Otherwise, if |out| and |in| alias, input data may be

  86.  * overwritten before it is read. This situation will cause an error.

  87.  *

  88.  * The "seal" and "open" operations return one on success and zero on error. */

  89. 

  90. 

  91. /* AEAD algorithms. */

  92. 

  93. /* EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode. */

  94. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void);

  95. 

  96. /* EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode. */

  97. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);

  98. 

  99. /* EVP_aead_chacha20_poly1305 is the AEAD built from ChaCha20 and

  100.  * Poly1305 as described in RFC 7539. */

  101. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);

  102. 

  103. /* EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for

  104.  * authentication. The nonce is 12 bytes; the bottom 32-bits are used as the

  105.  * block counter, thus the maximum plaintext size is 64GB. */

  106. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);

  107. 

  108. /* EVP_aead_aes_256_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for

  109.  * authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. */

  110. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);

  111. 

  112. /* EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See

  113.  * https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 */

  114. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void);

  115. 

  116. /* EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See

  117.  * https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 */

  118. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void);

  119. 

  120. /* EVP_aead_aes_128_gcm_fips_testonly is AES-128 in Galois Counter Mode with

  121.  * an internally-generated random nonce. This is unsafe and should not be

  122.  * used. */

  123. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_fips_testonly(void);

  124. 

  125. /* EVP_aead_aes_256_gcm_fips_testonly is AES-256 in Galois Counter Mode with

  126.  * an internally-generated random nonce. This is unsafe and should not be

  127.  * used. */

  128. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_fips_testonly(void);

  129. 

  130. /* EVP_has_aes_hardware returns one if we enable hardware support for fast and

  131.  * constant-time AES-GCM. */

  132. OPENSSL_EXPORT int EVP_has_aes_hardware(void);

  133. 

  134. 

  135. /* Utility functions. */

  136. 

  137. /* EVP_AEAD_key_length returns the length, in bytes, of the keys used by

  138.  * |aead|. */

  139. OPENSSL_EXPORT size_t EVP_AEAD_key_length(const EVP_AEAD *aead);

  140. 

  141. /* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce

  142.  * for |aead|. */

  143. OPENSSL_EXPORT size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead);

  144. 

  145. /* EVP_AEAD_max_overhead returns the maximum number of additional bytes added

  146.  * by the act of sealing data with |aead|. */

  147. OPENSSL_EXPORT size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead);

  148. 

  149. /* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This

  150.  * is the largest value that can be passed as |tag_len| to

  151.  * |EVP_AEAD_CTX_init|. */

  152. OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);

  153. 

  154. 

  155. /* AEAD operations. */

  156. 

  157. /* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key

  158.  * and message-independent IV. */

  159. typedef struct evp_aead_ctx_st {

  160.   const EVP_AEAD *aead;

  161.   /* aead_state is an opaque pointer to whatever state the AEAD needs to

  162.    * maintain. */

  163.   void *aead_state;

  164. } EVP_AEAD_CTX;

  165. 

  166. /* EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by

  167.  * any AEAD defined in this header. */

  168. #define EVP_AEAD_MAX_KEY_LENGTH 80

  169. 

  170. /* EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by

  171.  * any AEAD defined in this header. */

  172. #define EVP_AEAD_MAX_NONCE_LENGTH 16

  173. 

  174. /* EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD

  175.  * defined in this header. */

  176. #define EVP_AEAD_MAX_OVERHEAD 64

  177. 

  178. /* EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to

  179.  * EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should

  180.  * be used. */

  181. #define EVP_AEAD_DEFAULT_TAG_LENGTH 0

  182. 

  183. /* EVP_AEAD_CTX_zero sets an uninitialized |ctx| to the zero state. It must be

  184.  * initialized with |EVP_AEAD_CTX_init| before use. It is safe, but not

  185.  * necessary, to call |EVP_AEAD_CTX_cleanup| in this state. This may be used for

  186.  * more uniform cleanup of |EVP_AEAD_CTX|. */

  187. OPENSSL_EXPORT void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx);

  188. 

  189. /* EVP_AEAD_CTX_new allocates an |EVP_AEAD_CTX|, calls |EVP_AEAD_CTX_init| and

  190.  * returns the |EVP_AEAD_CTX|, or NULL on error. */

  191. OPENSSL_EXPORT EVP_AEAD_CTX *EVP_AEAD_CTX_new(const EVP_AEAD *aead,

  192.                                               const uint8_t *key,

  193.                                               size_t key_len, size_t tag_len);

  194. 

  195. /* EVP_AEAD_CTX_free calls |EVP_AEAD_CTX_cleanup| and |OPENSSL_free| on

  196.  * |ctx|. */

  197. OPENSSL_EXPORT void EVP_AEAD_CTX_free(EVP_AEAD_CTX *ctx);

  198. 

  199. /* EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm. The |impl|

  200.  * argument is ignored and should be NULL. Authentication tags may be truncated

  201.  * by passing a size as |tag_len|. A |tag_len| of zero indicates the default

  202.  * tag length and this is defined as EVP_AEAD_DEFAULT_TAG_LENGTH for

  203.  * readability.

  204.  *

  205.  * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. In

  206.  * the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's

  207.  * harmless to do so. */

  208. OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,

  209.                                      const uint8_t *key, size_t key_len,

  210.                                      size_t tag_len, ENGINE *impl);

  211. 

  212. /* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to

  213.  * call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to

  214.  * all zeros. */

  215. OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);

  216. 

  217. /* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and

  218.  * authenticates |ad_len| bytes from |ad| and writes the result to |out|. It

  219.  * returns one on success and zero otherwise.

  220.  *

  221.  * This function may be called (with the same |EVP_AEAD_CTX|) concurrently with

  222.  * itself or |EVP_AEAD_CTX_open|.

  223.  *

  224.  * At most |max_out_len| bytes are written to |out| and, in order to ensure

  225.  * success, |max_out_len| should be |in_len| plus the result of

  226.  * |EVP_AEAD_max_overhead|. On successful return, |*out_len| is set to the

  227.  * actual number of bytes written.

  228.  *

  229.  * The length of |nonce|, |nonce_len|, must be equal to the result of

  230.  * |EVP_AEAD_nonce_length| for this AEAD.

  231.  *

  232.  * |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is

  233.  * insufficient, zero will be returned. (In this case, |*out_len| is set to

  234.  * zero.)

  235.  *

  236.  * If |in| and |out| alias then |out| must be == |in|. */

  237. OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  238.                                      size_t *out_len, size_t max_out_len,

  239.                                      const uint8_t *nonce, size_t nonce_len,

  240.                                      const uint8_t *in, size_t in_len,

  241.                                      const uint8_t *ad, size_t ad_len);

  242. 

  243. /* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes

  244.  * from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on

  245.  * success and zero otherwise.

  246.  *

  247.  * This function may be called (with the same |EVP_AEAD_CTX|) concurrently with

  248.  * itself or |EVP_AEAD_CTX_seal|.

  249.  *

  250.  * At most |in_len| bytes are written to |out|. In order to ensure success,

  251.  * |max_out_len| should be at least |in_len|. On successful return, |*out_len|

  252.  * is set to the the actual number of bytes written.

  253.  *

  254.  * The length of |nonce|, |nonce_len|, must be equal to the result of

  255.  * |EVP_AEAD_nonce_length| for this AEAD.

  256.  *

  257.  * |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is

  258.  * insufficient, zero will be returned. (In this case, |*out_len| is set to

  259.  * zero.)

  260.  *

  261.  * If |in| and |out| alias then |out| must be == |in|. */

  262. OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  263.                                      size_t *out_len, size_t max_out_len,

  264.                                      const uint8_t *nonce, size_t nonce_len,

  265.                                      const uint8_t *in, size_t in_len,

  266.                                      const uint8_t *ad, size_t ad_len);

  267. 

  268. /* EVP_AEAD_CTX_aead returns the underlying AEAD for |ctx|, or NULL if one has

  269.  * not been set. */

  270. OPENSSL_EXPORT const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx);

  271. 

  272. 

  273. /* TLS-specific AEAD algorithms.

  274.  *

  275.  * These AEAD primitives do not meet the definition of generic AEADs. They are

  276.  * all specific to TLS and should not be used outside of that context. They must

  277.  * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may

  278.  * not be used concurrently. Any nonces are used as IVs, so they must be

  279.  * unpredictable. They only accept an |ad| parameter of length 11 (the standard

  280.  * TLS one with length omitted). */

  281. 

  282. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);

  283. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);

  284. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);

  285. 

  286. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);

  287. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);

  288. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void);

  289. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void);

  290. 

  291. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);

  292. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);

  293. 

  294. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void);

  295. 

  296. 

  297. /* SSLv3-specific AEAD algorithms.

  298.  *

  299.  * These AEAD primitives do not meet the definition of generic AEADs. They are

  300.  * all specific to SSLv3 and should not be used outside of that context. They

  301.  * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,

  302.  * and may not be used concurrently. They only accept an |ad| parameter of

  303.  * length 9 (the standard TLS one with length and version omitted). */

  304. 

  305. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);

  306. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);

  307. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void);

  308. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_ssl3(void);

  309. 

  310. 

  311. /* Obscure functions. */

  312. 

  313. /* evp_aead_direction_t denotes the direction of an AEAD operation. */

  314. enum evp_aead_direction_t {

  315.   evp_aead_open,

  316.   evp_aead_seal,

  317. };

  318. 

  319. /* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal

  320.  * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a

  321.  * given direction. */

  322. OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(

  323.     EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,

  324.     size_t tag_len, enum evp_aead_direction_t dir);

  325. 

  326. /* EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and

  327.  * sets |*out_iv| to point to that many bytes of the current IV. This is only

  328.  * meaningful for AEADs with implicit IVs (i.e. CBC mode in SSLv3 and TLS 1.0).

  329.  *

  330.  * It returns one on success or zero on error. */

  331. OPENSSL_EXPORT int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx,

  332.                                        const uint8_t **out_iv, size_t *out_len);

  333. 

  334. 

  335. #if defined(__cplusplus)

  336. }  /* extern C */

  337. 

  338. #if !defined(BORINGSSL_NO_CXX)

  339. extern "C++" {

  340. 

  341. namespace bssl {

  342. 

  343. using ScopedEVP_AEAD_CTX =

  344.     internal::StackAllocated<EVP_AEAD_CTX, void, EVP_AEAD_CTX_zero,

  345.                              EVP_AEAD_CTX_cleanup>;

  346. 

  347. BORINGSSL_MAKE_DELETER(EVP_AEAD_CTX, EVP_AEAD_CTX_free)

  348. 

  349. }  // namespace bssl

  350. 

  351. }  // extern C++

  352. #endif

  353. 

  354. #endif

  355. 

  356. #endif  /* OPENSSL_HEADER_AEAD_H */