kris
/
boringssl
1
0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
1016 提交
12 分支
38 MiB
 
 
 
 
 
 
目录树: ee562b987e
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'ee562b987e'
${ noResults }
boringssl/include/openssl/aead.h

291 行
13 KiB
原始文件 Blame 文件历史 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #ifndef OPENSSL_HEADER_AEAD_H

  16. #define OPENSSL_HEADER_AEAD_H

  17. 

  18. #include <openssl/base.h>

  19. 

  20. #if defined(__cplusplus)

  21. extern "C" {

  22. #endif

  23. 

  24. 

  25. /* Authenticated Encryption with Additional Data.

  26.  *

  27.  * AEAD couples confidentiality and integrity in a single primtive. AEAD

  28.  * algorithms take a key and then can seal and open individual messages. Each

  29.  * message has a unique, per-message nonce and, optionally, additional data

  30.  * which is authenticated but not included in the ciphertext.

  31.  *

  32.  * The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and

  33.  * performs any precomputation needed to use |aead| with |key|. The length of

  34.  * the key, |key_len|, is given in bytes.

  35.  *

  36.  * The |tag_len| argument contains the length of the tags, in bytes, and allows

  37.  * for the processing of truncated authenticators. A zero value indicates that

  38.  * the default tag length should be used and this is defined as

  39.  * |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using

  40.  * truncated tags increases an attacker's chance of creating a valid forgery.

  41.  * Be aware that the attacker's chance may increase more than exponentially as

  42.  * would naively be expected.

  43.  *

  44.  * When no longer needed, the initialised |EVP_AEAD_CTX| structure must be

  45.  * passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used.

  46.  *

  47.  * With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These

  48.  * operations are intended to meet the standard notions of privacy and

  49.  * authenticity for authenticated encryption. For formal definitions see

  50.  * Bellare and Namprempre, "Authenticated encryption: relations among notions

  51.  * and analysis of the generic composition paradigm," Lecture Notes in Computer

  52.  * Science B<1976> (2000), 531–545,

  53.  * http://www-cse.ucsd.edu/~mihir/papers/oem.html.

  54.  *

  55.  * When sealing messages, a nonce must be given. The length of the nonce is

  56.  * fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The

  57.  * nonce must be unique for all messages with the same key*. This is critically

  58.  * important - nonce reuse may completely undermine the security of the AEAD.

  59.  * Nonces may be predictable and public, so long as they are unique. Uniqueness

  60.  * may be achieved with a simple counter or, if large enough, may be generated

  61.  * randomly. The nonce must be passed into the "open" operation by the receiver

  62.  * so must either be implicit (e.g. a counter), or must be transmitted along

  63.  * with the sealed message.

  64.  *

  65.  * The "seal" and "open" operations are atomic - an entire message must be

  66.  * encrypted or decrypted in a single call. Large messages may have to be split

  67.  * up in order to accomodate this. When doing so, be mindful of the need not to

  68.  * repeat nonces and the possibility that an attacker could duplicate, reorder

  69.  * or drop message chunks. For example, using a single key for a given (large)

  70.  * message and sealing chunks with nonces counting from zero would be secure as

  71.  * long as the number of chunks was securely transmitted. (Otherwise an

  72.  * attacker could truncate the message by dropping chunks from the end.)

  73.  *

  74.  * The number of chunks could be transmitted by prefixing it to the plaintext,

  75.  * for example. This also assumes that no other message would ever use the same

  76.  * key otherwise the rule that nonces must be unique for a given key would be

  77.  * violated.

  78.  *

  79.  * The "seal" and "open" operations also permit additional data to be

  80.  * authenticated via the |ad| parameter. This data is not included in the

  81.  * ciphertext and must be identical for both the "seal" and "open" call. This

  82.  * permits implicit context to be authenticated but may be empty if not needed.

  83.  *

  84.  * The "seal" and "open" operations may work in-place if the |out| and |in|

  85.  * arguments are equal. They may also be used to shift the data left inside the

  86.  * same buffer if |out| is less than |in|. However, |out| may not point inside

  87.  * the input data otherwise the input may be overwritten before it has been

  88.  * read. This situation will cause an error.

  89.  *

  90.  * The "seal" and "open" operations return one on success and zero on error. */

  91. 

  92. 

  93. /* AEAD algorithms. */

  94. 

  95. /* EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode. */

  96. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void);

  97. 

  98. /* EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode. */

  99. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);

  100. 

  101. /* EVP_aead_chacha20_poly1305 is an AEAD built from ChaCha20 and Poly1305. */

  102. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);

  103. 

  104. /* EVP_aead_aes_128_key_wrap is AES-128 Key Wrap mode. This should never be

  105.  * used except to interoperate with existing systems that use this mode.

  106.  *

  107.  * If the nonce is empty then the default nonce will be used, otherwise it must

  108.  * be eight bytes long. The input must be a multiple of eight bytes long. No

  109.  * additional data can be given to this mode. */

  110. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_key_wrap(void);

  111. 

  112. /* EVP_aead_aes_256_key_wrap is AES-256 in Key Wrap mode. This should never be

  113.  * used except to interoperate with existing systems that use this mode.

  114.  *

  115.  * See |EVP_aead_aes_128_key_wrap| for details. */

  116. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_key_wrap(void);

  117. 

  118. /* EVP_has_aes_hardware returns one if we enable hardware support for fast and

  119.  * constant-time AES-GCM. */

  120. OPENSSL_EXPORT int EVP_has_aes_hardware(void);

  121. 

  122. 

  123. /* TLS specific AEAD algorithms.

  124.  *

  125.  * These AEAD primitives do not meet the definition of generic AEADs. They are

  126.  * all specific to TLS in some fashion and should not be used outside of that

  127.  * context. They require an additional data of length 11 (the standard TLS one

  128.  * with the length omitted). They are also stateful, so a given |EVP_AEAD_CTX|

  129.  * may only be used for one of seal or open, but not both. */

  130. 

  131. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_tls(void);

  132. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_tls(void);

  133. 

  134. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);

  135. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);

  136. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);

  137. 

  138. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);

  139. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);

  140. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void);

  141. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void);

  142. 

  143. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);

  144. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);

  145. 

  146. 

  147. /* SSLv3 specific AEAD algorithms.

  148.  *

  149.  * These AEAD primitives do not meet the definition of generic AEADs. They are

  150.  * all specific to SSLv3 in some fashion and should not be used outside of that

  151.  * context. */

  152. 

  153. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void);

  154. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void);

  155. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);

  156. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);

  157. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void);

  158. 

  159. 

  160. /* Utility functions. */

  161. 

  162. /* EVP_AEAD_key_length returns the length, in bytes, of the keys used by

  163.  * |aead|. */

  164. OPENSSL_EXPORT size_t EVP_AEAD_key_length(const EVP_AEAD *aead);

  165. 

  166. /* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce

  167.  * for |aead|. */

  168. OPENSSL_EXPORT size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead);

  169. 

  170. /* EVP_AEAD_max_overhead returns the maximum number of additional bytes added

  171.  * by the act of sealing data with |aead|. */

  172. OPENSSL_EXPORT size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead);

  173. 

  174. /* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This

  175.  * is the largest value that can be passed as |tag_len| to

  176.  * |EVP_AEAD_CTX_init|. */

  177. OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);

  178. 

  179. 

  180. /* AEAD operations. */

  181. 

  182. /* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key

  183.  * and message-independent IV. */

  184. typedef struct evp_aead_ctx_st {

  185.   const EVP_AEAD *aead;

  186.   /* aead_state is an opaque pointer to whatever state the AEAD needs to

  187.    * maintain. */

  188.   void *aead_state;

  189. } EVP_AEAD_CTX;

  190. 

  191. /* EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by

  192.  * any AEAD defined in this header. */

  193. #define EVP_AEAD_MAX_KEY_LENGTH 80

  194. 

  195. /* EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by

  196.  * any AEAD defined in this header. */

  197. #define EVP_AEAD_MAX_NONCE_LENGTH 16

  198. 

  199. /* EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD

  200.  * defined in this header. */

  201. #define EVP_AEAD_MAX_OVERHEAD 64

  202. 

  203. /* EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to

  204.  * EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should

  205.  * be used. */

  206. #define EVP_AEAD_DEFAULT_TAG_LENGTH 0

  207. 

  208. /* evp_aead_direction_t denotes the direction of an AEAD operation. */

  209. enum evp_aead_direction_t {

  210.   evp_aead_open,

  211.   evp_aead_seal,

  212. };

  213. 

  214. /* EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm from |impl|.

  215.  * The |impl| argument may be NULL to choose the default implementation.

  216.  * Authentication tags may be truncated by passing a size as |tag_len|. A

  217.  * |tag_len| of zero indicates the default tag length and this is defined as

  218.  * EVP_AEAD_DEFAULT_TAG_LENGTH for readability.

  219.  * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. */

  220. OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,

  221.                                      const uint8_t *key, size_t key_len,

  222.                                      size_t tag_len, ENGINE *impl);

  223. 

  224. /* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal

  225.  * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a

  226.  * given direction. */

  227. OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(

  228.     EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,

  229.     size_t tag_len, enum evp_aead_direction_t dir);

  230. 

  231. /* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. */

  232. OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);

  233. 

  234. /* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and

  235.  * authenticates |ad_len| bytes from |ad| and writes the result to |out|. It

  236.  * returns one on success and zero otherwise.

  237.  *

  238.  * This function may be called (with the same |EVP_AEAD_CTX|) concurrently with

  239.  * itself or |EVP_AEAD_CTX_open|.

  240.  *

  241.  * At most |max_out_len| bytes are written to |out| and, in order to ensure

  242.  * success, |max_out_len| should be |in_len| plus the result of

  243.  * |EVP_AEAD_overhead|. On successful return, |*out_len| is set to the actual

  244.  * number of bytes written.

  245.  *

  246.  * The length of |nonce|, |nonce_len|, must be equal to the result of

  247.  * |EVP_AEAD_nonce_length| for this AEAD.

  248.  *

  249.  * |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is

  250.  * insufficient, zero will be returned. (In this case, |*out_len| is set to

  251.  * zero.)

  252.  *

  253.  * If |in| and |out| alias then |out| must be <= |in|. */

  254. OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  255.                                      size_t *out_len, size_t max_out_len,

  256.                                      const uint8_t *nonce, size_t nonce_len,

  257.                                      const uint8_t *in, size_t in_len,

  258.                                      const uint8_t *ad, size_t ad_len);

  259. 

  260. /* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes

  261.  * from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on

  262.  * success and zero otherwise.

  263.  *

  264.  * This function may be called (with the same |EVP_AEAD_CTX|) concurrently with

  265.  * itself or |EVP_AEAD_CTX_seal|.

  266.  *

  267.  * At most |in_len| bytes are written to |out|. In order to ensure success,

  268.  * |max_out_len| should be at least |in_len|. On successful return, |*out_len|

  269.  * is set to the the actual number of bytes written.

  270.  *

  271.  * The length of |nonce|, |nonce_len|, must be equal to the result of

  272.  * |EVP_AEAD_nonce_length| for this AEAD.

  273.  *

  274.  * |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is

  275.  * insufficient, zero will be returned. (In this case, |*out_len| is set to

  276.  * zero.)

  277.  *

  278.  * If |in| and |out| alias then |out| must be <= |in|. */

  279. OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  280.                                      size_t *out_len, size_t max_out_len,

  281.                                      const uint8_t *nonce, size_t nonce_len,

  282.                                      const uint8_t *in, size_t in_len,

  283.                                      const uint8_t *ad, size_t ad_len);

  284. 

  285. 

  286. #if defined(__cplusplus)

  287. }  /* extern C */

  288. #endif

  289. 

  290. #endif  /* OPENSSL_HEADER_AEAD_H */