kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
1132 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Struktur: cfd248b7f6
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „cfd248b7f6“
${ noResults }
boringssl/include/openssl/aead.h

311 Zeilen
14 KiB
Originalformat Blame Verlauf 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #ifndef OPENSSL_HEADER_AEAD_H

  16. #define OPENSSL_HEADER_AEAD_H

  17. 

  18. #include <openssl/base.h>

  19. 

  20. #if defined(__cplusplus)

  21. extern "C" {

  22. #endif

  23. 

  24. 

  25. /* Authenticated Encryption with Additional Data.

  26.  *

  27.  * AEAD couples confidentiality and integrity in a single primtive. AEAD

  28.  * algorithms take a key and then can seal and open individual messages. Each

  29.  * message has a unique, per-message nonce and, optionally, additional data

  30.  * which is authenticated but not included in the ciphertext.

  31.  *

  32.  * The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and

  33.  * performs any precomputation needed to use |aead| with |key|. The length of

  34.  * the key, |key_len|, is given in bytes.

  35.  *

  36.  * The |tag_len| argument contains the length of the tags, in bytes, and allows

  37.  * for the processing of truncated authenticators. A zero value indicates that

  38.  * the default tag length should be used and this is defined as

  39.  * |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using

  40.  * truncated tags increases an attacker's chance of creating a valid forgery.

  41.  * Be aware that the attacker's chance may increase more than exponentially as

  42.  * would naively be expected.

  43.  *

  44.  * When no longer needed, the initialised |EVP_AEAD_CTX| structure must be

  45.  * passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used.

  46.  *

  47.  * With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These

  48.  * operations are intended to meet the standard notions of privacy and

  49.  * authenticity for authenticated encryption. For formal definitions see

  50.  * Bellare and Namprempre, "Authenticated encryption: relations among notions

  51.  * and analysis of the generic composition paradigm," Lecture Notes in Computer

  52.  * Science B<1976> (2000), 531–545,

  53.  * http://www-cse.ucsd.edu/~mihir/papers/oem.html.

  54.  *

  55.  * When sealing messages, a nonce must be given. The length of the nonce is

  56.  * fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The

  57.  * nonce must be unique for all messages with the same key*. This is critically

  58.  * important - nonce reuse may completely undermine the security of the AEAD.

  59.  * Nonces may be predictable and public, so long as they are unique. Uniqueness

  60.  * may be achieved with a simple counter or, if large enough, may be generated

  61.  * randomly. The nonce must be passed into the "open" operation by the receiver

  62.  * so must either be implicit (e.g. a counter), or must be transmitted along

  63.  * with the sealed message.

  64.  *

  65.  * The "seal" and "open" operations are atomic - an entire message must be

  66.  * encrypted or decrypted in a single call. Large messages may have to be split

  67.  * up in order to accomodate this. When doing so, be mindful of the need not to

  68.  * repeat nonces and the possibility that an attacker could duplicate, reorder

  69.  * or drop message chunks. For example, using a single key for a given (large)

  70.  * message and sealing chunks with nonces counting from zero would be secure as

  71.  * long as the number of chunks was securely transmitted. (Otherwise an

  72.  * attacker could truncate the message by dropping chunks from the end.)

  73.  *

  74.  * The number of chunks could be transmitted by prefixing it to the plaintext,

  75.  * for example. This also assumes that no other message would ever use the same

  76.  * key otherwise the rule that nonces must be unique for a given key would be

  77.  * violated.

  78.  *

  79.  * The "seal" and "open" operations also permit additional data to be

  80.  * authenticated via the |ad| parameter. This data is not included in the

  81.  * ciphertext and must be identical for both the "seal" and "open" call. This

  82.  * permits implicit context to be authenticated but may be empty if not needed.

  83.  *

  84.  * The "seal" and "open" operations may work in-place if the |out| and |in|

  85.  * arguments are equal. They may also be used to shift the data left inside the

  86.  * same buffer if |out| is less than |in|. However, |out| may not point inside

  87.  * the input data otherwise the input may be overwritten before it has been

  88.  * read. This situation will cause an error.

  89.  *

  90.  * The "seal" and "open" operations return one on success and zero on error. */

  91. 

  92. 

  93. /* AEAD algorithms. */

  94. 

  95. /* EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode. */

  96. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void);

  97. 

  98. /* EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode. */

  99. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);

  100. 

  101. /* EVP_aead_chacha20_poly1305 is an AEAD built from ChaCha20 and Poly1305. */

  102. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);

  103. 

  104. /* EVP_aead_aes_128_key_wrap is AES-128 Key Wrap mode. This should never be

  105.  * used except to interoperate with existing systems that use this mode.

  106.  *

  107.  * If the nonce is empty then the default nonce will be used, otherwise it must

  108.  * be eight bytes long. The input must be a multiple of eight bytes long. No

  109.  * additional data can be given to this mode. */

  110. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_key_wrap(void);

  111. 

  112. /* EVP_aead_aes_256_key_wrap is AES-256 in Key Wrap mode. This should never be

  113.  * used except to interoperate with existing systems that use this mode.

  114.  *

  115.  * See |EVP_aead_aes_128_key_wrap| for details. */

  116. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_key_wrap(void);

  117. 

  118. /* EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for

  119.  * authentication. The nonce is 12 bytes; the bottom 32-bits are used as the

  120.  * block counter, thus the maximum plaintext size is 64GB. */

  121. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);

  122. 

  123. /* EVP_aead_aes_128_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for

  124.  * authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. */

  125. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);

  126. 

  127. /* EVP_has_aes_hardware returns one if we enable hardware support for fast and

  128.  * constant-time AES-GCM. */

  129. OPENSSL_EXPORT int EVP_has_aes_hardware(void);

  130. 

  131. 

  132. /* TLS-specific AEAD algorithms.

  133.  *

  134.  * These AEAD primitives do not meet the definition of generic AEADs. They are

  135.  * all specific to TLS and should not be used outside of that context. They must

  136.  * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may

  137.  * not be used concurrently. Any nonces are used as IVs, so they must be

  138.  * unpredictable. They only accept an |ad| parameter of length 11 (the standard

  139.  * TLS one with length omitted). */

  140. 

  141. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_tls(void);

  142. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_tls(void);

  143. 

  144. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);

  145. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);

  146. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);

  147. 

  148. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);

  149. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);

  150. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void);

  151. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void);

  152. 

  153. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);

  154. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);

  155. 

  156. 

  157. /* SSLv3-specific AEAD algorithms.

  158.  *

  159.  * These AEAD primitives do not meet the definition of generic AEADs. They are

  160.  * all specific to SSLv3 and should not be used outside of that context. They

  161.  * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,

  162.  * and may not be used concurrently. They only accept an |ad| parameter of

  163.  * length 9 (the standard TLS one with length and version omitted). */

  164. 

  165. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void);

  166. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void);

  167. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);

  168. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);

  169. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void);

  170. 

  171. 

  172. /* Utility functions. */

  173. 

  174. /* EVP_AEAD_key_length returns the length, in bytes, of the keys used by

  175.  * |aead|. */

  176. OPENSSL_EXPORT size_t EVP_AEAD_key_length(const EVP_AEAD *aead);

  177. 

  178. /* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce

  179.  * for |aead|. */

  180. OPENSSL_EXPORT size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead);

  181. 

  182. /* EVP_AEAD_max_overhead returns the maximum number of additional bytes added

  183.  * by the act of sealing data with |aead|. */

  184. OPENSSL_EXPORT size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead);

  185. 

  186. /* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This

  187.  * is the largest value that can be passed as |tag_len| to

  188.  * |EVP_AEAD_CTX_init|. */

  189. OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);

  190. 

  191. 

  192. /* AEAD operations. */

  193. 

  194. /* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key

  195.  * and message-independent IV. */

  196. typedef struct evp_aead_ctx_st {

  197.   const EVP_AEAD *aead;

  198.   /* aead_state is an opaque pointer to whatever state the AEAD needs to

  199.    * maintain. */

  200.   void *aead_state;

  201. } EVP_AEAD_CTX;

  202. 

  203. /* EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by

  204.  * any AEAD defined in this header. */

  205. #define EVP_AEAD_MAX_KEY_LENGTH 80

  206. 

  207. /* EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by

  208.  * any AEAD defined in this header. */

  209. #define EVP_AEAD_MAX_NONCE_LENGTH 16

  210. 

  211. /* EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD

  212.  * defined in this header. */

  213. #define EVP_AEAD_MAX_OVERHEAD 64

  214. 

  215. /* EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to

  216.  * EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should

  217.  * be used. */

  218. #define EVP_AEAD_DEFAULT_TAG_LENGTH 0

  219. 

  220. /* evp_aead_direction_t denotes the direction of an AEAD operation. */

  221. enum evp_aead_direction_t {

  222.   evp_aead_open,

  223.   evp_aead_seal,

  224. };

  225. 

  226. /* EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm from |impl|.

  227.  * The |impl| argument may be NULL to choose the default implementation.

  228.  * Authentication tags may be truncated by passing a size as |tag_len|. A

  229.  * |tag_len| of zero indicates the default tag length and this is defined as

  230.  * EVP_AEAD_DEFAULT_TAG_LENGTH for readability.

  231.  * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. */

  232. OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,

  233.                                      const uint8_t *key, size_t key_len,

  234.                                      size_t tag_len, ENGINE *impl);

  235. 

  236. /* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal

  237.  * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a

  238.  * given direction. */

  239. OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(

  240.     EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,

  241.     size_t tag_len, enum evp_aead_direction_t dir);

  242. 

  243. /* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. */

  244. OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);

  245. 

  246. /* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and

  247.  * authenticates |ad_len| bytes from |ad| and writes the result to |out|. It

  248.  * returns one on success and zero otherwise.

  249.  *

  250.  * This function may be called (with the same |EVP_AEAD_CTX|) concurrently with

  251.  * itself or |EVP_AEAD_CTX_open|.

  252.  *

  253.  * At most |max_out_len| bytes are written to |out| and, in order to ensure

  254.  * success, |max_out_len| should be |in_len| plus the result of

  255.  * |EVP_AEAD_overhead|. On successful return, |*out_len| is set to the actual

  256.  * number of bytes written.

  257.  *

  258.  * The length of |nonce|, |nonce_len|, must be equal to the result of

  259.  * |EVP_AEAD_nonce_length| for this AEAD.

  260.  *

  261.  * |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is

  262.  * insufficient, zero will be returned. (In this case, |*out_len| is set to

  263.  * zero.)

  264.  *

  265.  * If |in| and |out| alias then |out| must be <= |in|. */

  266. OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  267.                                      size_t *out_len, size_t max_out_len,

  268.                                      const uint8_t *nonce, size_t nonce_len,

  269.                                      const uint8_t *in, size_t in_len,

  270.                                      const uint8_t *ad, size_t ad_len);

  271. 

  272. /* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes

  273.  * from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on

  274.  * success and zero otherwise.

  275.  *

  276.  * This function may be called (with the same |EVP_AEAD_CTX|) concurrently with

  277.  * itself or |EVP_AEAD_CTX_seal|.

  278.  *

  279.  * At most |in_len| bytes are written to |out|. In order to ensure success,

  280.  * |max_out_len| should be at least |in_len|. On successful return, |*out_len|

  281.  * is set to the the actual number of bytes written.

  282.  *

  283.  * The length of |nonce|, |nonce_len|, must be equal to the result of

  284.  * |EVP_AEAD_nonce_length| for this AEAD.

  285.  *

  286.  * |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is

  287.  * insufficient, zero will be returned. (In this case, |*out_len| is set to

  288.  * zero.)

  289.  *

  290.  * If |in| and |out| alias then |out| must be <= |in|. */

  291. OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  292.                                      size_t *out_len, size_t max_out_len,

  293.                                      const uint8_t *nonce, size_t nonce_len,

  294.                                      const uint8_t *in, size_t in_len,

  295.                                      const uint8_t *ad, size_t ad_len);

  296. 

  297. 

  298. /* Obscure functions. */

  299. 

  300. /* EVP_AEAD_CTX_get_rc4_state sets |*out_key| to point to an RC4 key structure.

  301.  * It returns one on success or zero if |ctx| doesn't have an RC4 key. */

  302. OPENSSL_EXPORT int EVP_AEAD_CTX_get_rc4_state(const EVP_AEAD_CTX *ctx,

  303.                                               const RC4_KEY **out_key);

  304. 

  305. 

  306. #if defined(__cplusplus)

  307. }  /* extern C */

  308. #endif

  309. 

  310. #endif  /* OPENSSL_HEADER_AEAD_H */