Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 61821bf149f774e7110ab3a76cc5e1e32fa5c2c7 / . / include / openssl / aead.h
blob: f61c495eac627290b7c22e9c679362dd354cbb33 [file] [log] [blame]
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#ifndef OPENSSL_HEADER_AEAD_H
16#define OPENSSL_HEADER_AEAD_H
17
18#include <openssl/base.h>
19
20#if defined(__cplusplus)
21extern "C" {
22#endif
23
24
25/* Authenticated Encryption with Additional Data.
26 *
27 * AEAD couples confidentiality and integrity in a single primtive. AEAD
28 * algorithms take a key and then can seal and open individual messages. Each
29 * message has a unique, per-message nonce and, optionally, additional data
30 * which is authenticated but not included in the ciphertext.
31 *
32 * The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and
33 * performs any precomputation needed to use |aead| with |key|. The length of
34 * the key, |key_len|, is given in bytes.
35 *
36 * The |tag_len| argument contains the length of the tags, in bytes, and allows
37 * for the processing of truncated authenticators. A zero value indicates that
38 * the default tag length should be used and this is defined as
39 * |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using
40 * truncated tags increases an attacker's chance of creating a valid forgery.
41 * Be aware that the attacker's chance may increase more than exponentially as
42 * would naively be expected.
43 *
44 * When no longer needed, the initialised |EVP_AEAD_CTX| structure must be
45 * passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used.
46 *
47 * With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These
48 * operations are intended to meet the standard notions of privacy and
49 * authenticity for authenticated encryption. For formal definitions see
50 * Bellare and Namprempre, "Authenticated encryption: relations among notions
51 * and analysis of the generic composition paradigm," Lecture Notes in Computer
52 * Science B<1976> (2000), 531–545,
53 * http://www-cse.ucsd.edu/~mihir/papers/oem.html.
54 *
55 * When sealing messages, a nonce must be given. The length of the nonce is
56 * fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The
57 * nonce must be unique for all messages with the same key*. This is critically
58 * important - nonce reuse may completely undermine the security of the AEAD.
59 * Nonces may be predictable and public, so long as they are unique. Uniqueness
60 * may be achieved with a simple counter or, if large enough, may be generated
61 * randomly. The nonce must be passed into the "open" operation by the receiver
62 * so must either be implicit (e.g. a counter), or must be transmitted along
63 * with the sealed message.
64 *
65 * The "seal" and "open" operations are atomic - an entire message must be
66 * encrypted or decrypted in a single call. Large messages may have to be split
67 * up in order to accomodate this. When doing so, be mindful of the need not to
68 * repeat nonces and the possibility that an attacker could duplicate, reorder
69 * or drop message chunks. For example, using a single key for a given (large)
70 * message and sealing chunks with nonces counting from zero would be secure as
71 * long as the number of chunks was securely transmitted. (Otherwise an
72 * attacker could truncate the message by dropping chunks from the end.)
73 *
74 * The number of chunks could be transmitted by prefixing it to the plaintext,
75 * for example. This also assumes that no other message would ever use the same
76 * key otherwise the rule that nonces must be unique for a given key would be
77 * violated.
78 *
79 * The "seal" and "open" operations also permit additional data to be
80 * authenticated via the |ad| parameter. This data is not included in the
81 * ciphertext and must be identical for both the "seal" and "open" call. This
82 * permits implicit context to be authenticated but may be empty if not needed.
83 *
84 * The "seal" and "open" operations may work in-place if the |out| and |in|
85 * arguments are equal. They may also be used to shift the data left inside the
86 * same buffer if |out| is less than |in|. However, |out| may not point inside
87 * the input data otherwise the input may be overwritten before it has been
88 * read. This situation will cause an error.
89 *
90 * The "seal" and "open" operations return one on success and zero on error. */
91
92
93/* AEAD algorithms. */
94
David Benjamind4178fd2014-08-14 17:07:45 -0400[diff] [blame]95/* EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700[diff] [blame]96OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void);
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]97
David Benjamind4178fd2014-08-14 17:07:45 -0400[diff] [blame]98/* EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700[diff] [blame]99OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]100
Adam Langleyde0b2022014-06-20 12:00:00 -0700[diff] [blame]101/* EVP_aead_chacha20_poly1305 is an AEAD built from ChaCha20 and Poly1305. */
David Benjaminc44d2f42014-08-20 16:24:00 -0400[diff] [blame]102OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
Adam Langleyde0b2022014-06-20 12:00:00 -0700[diff] [blame]103
Adam Langley93a3dcd2014-07-25 15:40:44 -0700[diff] [blame]104/* EVP_aead_aes_128_key_wrap is AES-128 Key Wrap mode. This should never be
105 * used except to interoperate with existing systems that use this mode.
106 *
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]107 * If the nonce is empty then the default nonce will be used, otherwise it must
Adam Langley93a3dcd2014-07-25 15:40:44 -0700[diff] [blame]108 * be eight bytes long. The input must be a multiple of eight bytes long. No
109 * additional data can be given to this mode. */
David Benjaminc44d2f42014-08-20 16:24:00 -0400[diff] [blame]110OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_key_wrap(void);
Adam Langley93a3dcd2014-07-25 15:40:44 -0700[diff] [blame]111
112/* EVP_aead_aes_256_key_wrap is AES-256 in Key Wrap mode. This should never be
113 * used except to interoperate with existing systems that use this mode.
114 *
115 * See |EVP_aead_aes_128_key_wrap| for details. */
David Benjaminc44d2f42014-08-20 16:24:00 -0400[diff] [blame]116OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_key_wrap(void);
Adam Langley93a3dcd2014-07-25 15:40:44 -0700[diff] [blame]117
Adam Langley0e782a92015-03-13 12:11:00 -0700[diff] [blame]118/* EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for
119 * authentication. The nonce is 12 bytes; the bottom 32-bits are used as the
120 * block counter, thus the maximum plaintext size is 64GB. */
121OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);
122
123/* EVP_aead_aes_128_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for
124 * authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. */
125OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);
126
David Benjamin5213df42014-08-20 14:19:54 -0400[diff] [blame]127/* EVP_has_aes_hardware returns one if we enable hardware support for fast and
128 * constant-time AES-GCM. */
129OPENSSL_EXPORT int EVP_has_aes_hardware(void);
130
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]131
David Benjamin1b3a9512015-03-17 18:09:23 -0400[diff] [blame]132/* TLS-specific AEAD algorithms.
Adam Langley45ec21b2014-06-24 17:26:59 -0700[diff] [blame]133 *
134 * These AEAD primitives do not meet the definition of generic AEADs. They are
David Benjamin1b3a9512015-03-17 18:09:23 -0400[diff] [blame]135 * all specific to TLS and should not be used outside of that context. They must
136 * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may
137 * not be used concurrently. Any nonces are used as IVs, so they must be
138 * unpredictable. They only accept an |ad| parameter of length 11 (the standard
139 * TLS one with length omitted). */
Adam Langley45ec21b2014-06-24 17:26:59 -0700[diff] [blame]140
David Benjaminc44d2f42014-08-20 16:24:00 -0400[diff] [blame]141OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_tls(void);
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]142OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_tls(void);
Adam Langley45ec21b2014-06-24 17:26:59 -0700[diff] [blame]143
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]144OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);
145OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);
146OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);
147
148OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);
149OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);
150OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void);
151OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void);
152
153OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);
154OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);
Adam Langley45ec21b2014-06-24 17:26:59 -0700[diff] [blame]155
David Benjamincb878e22015-01-15 13:59:11 -0500[diff] [blame]156
David Benjamin1b3a9512015-03-17 18:09:23 -0400[diff] [blame]157/* SSLv3-specific AEAD algorithms.
David Benjamin044abb02014-12-23 10:57:17 -0500[diff] [blame]158 *
159 * These AEAD primitives do not meet the definition of generic AEADs. They are
David Benjamin1b3a9512015-03-17 18:09:23 -0400[diff] [blame]160 * all specific to SSLv3 and should not be used outside of that context. They
161 * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,
162 * and may not be used concurrently. They only accept an |ad| parameter of
163 * length 9 (the standard TLS one with length and version omitted). */
David Benjamin044abb02014-12-23 10:57:17 -0500[diff] [blame]164
165OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void);
166OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void);
167OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);
168OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);
169OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void);
170
David Benjamincb878e22015-01-15 13:59:11 -0500[diff] [blame]171
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]172/* Utility functions. */
173
174/* EVP_AEAD_key_length returns the length, in bytes, of the keys used by
175 * |aead|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700[diff] [blame]176OPENSSL_EXPORT size_t EVP_AEAD_key_length(const EVP_AEAD *aead);
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]177
178/* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce
179 * for |aead|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700[diff] [blame]180OPENSSL_EXPORT size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead);
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]181
182/* EVP_AEAD_max_overhead returns the maximum number of additional bytes added
183 * by the act of sealing data with |aead|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700[diff] [blame]184OPENSSL_EXPORT size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead);
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]185
186/* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This
187 * is the largest value that can be passed as |tag_len| to
188 * |EVP_AEAD_CTX_init|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700[diff] [blame]189OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]190
191
192/* AEAD operations. */
193
194/* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key
195 * and message-independent IV. */
196typedef struct evp_aead_ctx_st {
197 const EVP_AEAD *aead;
198 /* aead_state is an opaque pointer to whatever state the AEAD needs to
199 * maintain. */
200 void *aead_state;
201} EVP_AEAD_CTX;
202
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]203/* EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by
204 * any AEAD defined in this header. */
205#define EVP_AEAD_MAX_KEY_LENGTH 80
206
207/* EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by
208 * any AEAD defined in this header. */
209#define EVP_AEAD_MAX_NONCE_LENGTH 16
210
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]211/* EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD
212 * defined in this header. */
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]213#define EVP_AEAD_MAX_OVERHEAD 64
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]214
215/* EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to
216 * EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should
217 * be used. */
218#define EVP_AEAD_DEFAULT_TAG_LENGTH 0
219
David Benjaminb34f5102015-02-28 03:59:33 -0500[diff] [blame]220/* evp_aead_direction_t denotes the direction of an AEAD operation. */
221enum evp_aead_direction_t {
222 evp_aead_open,
223 evp_aead_seal,
224};
225
David Benjamin61821bf2015-08-21 18:05:11 -0400[diff] [blame^]226/* EVP_AEAD_CTX_zero sets an uninitialized |ctx| to the zero state. It must be
227 * initialized with |EVP_AEAD_CTX_init| before use. It is safe, but not
228 * necessary, to call |EVP_AEAD_CTX_cleanup| in this state. This may be used for
229 * more uniform cleanup of |EVP_AEAD_CTX|. */
230OPENSSL_EXPORT void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx);
231
David Benjamin50f54e22015-06-22 19:56:15 -0400[diff] [blame]232/* EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm. The |impl|
233 * argument is ignored and should be NULL. Authentication tags may be truncated
234 * by passing a size as |tag_len|. A |tag_len| of zero indicates the default
235 * tag length and this is defined as EVP_AEAD_DEFAULT_TAG_LENGTH for
236 * readability.
Adam Langley5aa8a862015-05-11 14:28:12 -0700[diff] [blame]237 *
238 * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. In
239 * the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's
240 * harmless to do so. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700[diff] [blame]241OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
242 const uint8_t *key, size_t key_len,
243 size_t tag_len, ENGINE *impl);
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]244
David Benjaminb34f5102015-02-28 03:59:33 -0500[diff] [blame]245/* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal
246 * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a
247 * given direction. */
248OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(
249 EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,
250 size_t tag_len, enum evp_aead_direction_t dir);
251
Adam Langley5aa8a862015-05-11 14:28:12 -0700[diff] [blame]252/* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to
253 * call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to
254 * all zeros. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700[diff] [blame]255OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]256
257/* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and
258 * authenticates |ad_len| bytes from |ad| and writes the result to |out|. It
259 * returns one on success and zero otherwise.
260 *
261 * This function may be called (with the same |EVP_AEAD_CTX|) concurrently with
262 * itself or |EVP_AEAD_CTX_open|.
263 *
264 * At most |max_out_len| bytes are written to |out| and, in order to ensure
265 * success, |max_out_len| should be |in_len| plus the result of
Adam Langleyd100c242015-05-08 13:41:58 -0700[diff] [blame]266 * |EVP_AEAD_max_overhead|. On successful return, |*out_len| is set to the
267 * actual number of bytes written.
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]268 *
269 * The length of |nonce|, |nonce_len|, must be equal to the result of
270 * |EVP_AEAD_nonce_length| for this AEAD.
271 *
272 * |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is
273 * insufficient, zero will be returned. (In this case, |*out_len| is set to
274 * zero.)
275 *
276 * If |in| and |out| alias then |out| must be <= |in|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700[diff] [blame]277OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
278 size_t *out_len, size_t max_out_len,
279 const uint8_t *nonce, size_t nonce_len,
280 const uint8_t *in, size_t in_len,
281 const uint8_t *ad, size_t ad_len);
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]282
283/* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes
284 * from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on
285 * success and zero otherwise.
286 *
287 * This function may be called (with the same |EVP_AEAD_CTX|) concurrently with
288 * itself or |EVP_AEAD_CTX_seal|.
289 *
290 * At most |in_len| bytes are written to |out|. In order to ensure success,
291 * |max_out_len| should be at least |in_len|. On successful return, |*out_len|
292 * is set to the the actual number of bytes written.
293 *
294 * The length of |nonce|, |nonce_len|, must be equal to the result of
295 * |EVP_AEAD_nonce_length| for this AEAD.
296 *
297 * |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is
298 * insufficient, zero will be returned. (In this case, |*out_len| is set to
299 * zero.)
300 *
301 * If |in| and |out| alias then |out| must be <= |in|. */
Adam Langleyeb7d2ed2014-07-30 16:02:14 -0700[diff] [blame]302OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
303 size_t *out_len, size_t max_out_len,
304 const uint8_t *nonce, size_t nonce_len,
305 const uint8_t *in, size_t in_len,
306 const uint8_t *ad, size_t ad_len);
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]307
308
Adam Langley3f92d212015-02-20 15:32:52 -0800[diff] [blame]309/* Obscure functions. */
310
311/* EVP_AEAD_CTX_get_rc4_state sets |*out_key| to point to an RC4 key structure.
312 * It returns one on success or zero if |ctx| doesn't have an RC4 key. */
313OPENSSL_EXPORT int EVP_AEAD_CTX_get_rc4_state(const EVP_AEAD_CTX *ctx,
314 const RC4_KEY **out_key);
315
316
Adam Langleyfd772a52014-06-20 12:00:00 -0700[diff] [blame]317#if defined(__cplusplus)
318} /* extern C */
319#endif
320
321#endif /* OPENSSL_HEADER_AEAD_H */