Home | History | Annotate | Download | only in openssl 
      1 /* Copyright (c) 2014, Google Inc.
      2  *
      3  * Permission to use, copy, modify, and/or distribute this software for any
      4  * purpose with or without fee is hereby granted, provided that the above
      5  * copyright notice and this permission notice appear in all copies.
      6  *
      7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
      8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
      9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
     10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
     11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
     12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
     13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
     14 
     15 #ifndef OPENSSL_HEADER_AEAD_H
     16 #define OPENSSL_HEADER_AEAD_H
     17 
     18 #include <openssl/base.h>
     19 
     20 #if defined(__cplusplus)
     21 extern "C" {
     22 #endif
     23 
     24 
     25 /* Authenticated Encryption with Additional Data.
     26  *
     27  * AEAD couples confidentiality and integrity in a single primitive. AEAD
     28  * algorithms take a key and then can seal and open individual messages. Each
     29  * message has a unique, per-message nonce and, optionally, additional data
     30  * which is authenticated but not included in the ciphertext.
     31  *
     32  * The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and
     33  * performs any precomputation needed to use |aead| with |key|. The length of
     34  * the key, |key_len|, is given in bytes.
     35  *
     36  * The |tag_len| argument contains the length of the tags, in bytes, and allows
     37  * for the processing of truncated authenticators. A zero value indicates that
     38  * the default tag length should be used and this is defined as
     39  * |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using
     40  * truncated tags increases an attacker's chance of creating a valid forgery.
     41  * Be aware that the attacker's chance may increase more than exponentially as
     42  * would naively be expected.
     43  *
     44  * When no longer needed, the initialised |EVP_AEAD_CTX| structure must be
     45  * passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used.
     46  *
     47  * With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These
     48  * operations are intended to meet the standard notions of privacy and
     49  * authenticity for authenticated encryption. For formal definitions see
     50  * Bellare and Namprempre, "Authenticated encryption: relations among notions
     51  * and analysis of the generic composition paradigm," Lecture Notes in Computer
     52  * Science B<1976> (2000), 531545,
     53  * http://www-cse.ucsd.edu/~mihir/papers/oem.html.
     54  *
     55  * When sealing messages, a nonce must be given. The length of the nonce is
     56  * fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The
     57  * nonce must be unique for all messages with the same key*. This is critically
     58  * important - nonce reuse may completely undermine the security of the AEAD.
     59  * Nonces may be predictable and public, so long as they are unique. Uniqueness
     60  * may be achieved with a simple counter or, if large enough, may be generated
     61  * randomly. The nonce must be passed into the "open" operation by the receiver
     62  * so must either be implicit (e.g. a counter), or must be transmitted along
     63  * with the sealed message.
     64  *
     65  * The "seal" and "open" operations are atomic - an entire message must be
     66  * encrypted or decrypted in a single call. Large messages may have to be split
     67  * up in order to accomodate this. When doing so, be mindful of the need not to
     68  * repeat nonces and the possibility that an attacker could duplicate, reorder
     69  * or drop message chunks. For example, using a single key for a given (large)
     70  * message and sealing chunks with nonces counting from zero would be secure as
     71  * long as the number of chunks was securely transmitted. (Otherwise an
     72  * attacker could truncate the message by dropping chunks from the end.)
     73  *
     74  * The number of chunks could be transmitted by prefixing it to the plaintext,
     75  * for example. This also assumes that no other message would ever use the same
     76  * key otherwise the rule that nonces must be unique for a given key would be
     77  * violated.
     78  *
     79  * The "seal" and "open" operations also permit additional data to be
     80  * authenticated via the |ad| parameter. This data is not included in the
     81  * ciphertext and must be identical for both the "seal" and "open" call. This
     82  * permits implicit context to be authenticated but may be empty if not needed.
     83  *
     84  * The "seal" and "open" operations may work in-place if the |out| and |in|
     85  * arguments are equal. They may also be used to shift the data left inside the
     86  * same buffer if |out| is less than |in|. However, |out| may not point inside
     87  * the input data otherwise the input may be overwritten before it has been
     88  * read. This situation will cause an error.
     89  *
     90  * The "seal" and "open" operations return one on success and zero on error. */
     91 
     92 
     93 /* AEAD algorithms. */
     94 
     95 /* EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode. */
     96 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void);
     97 
     98 /* EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode. */
     99 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);
    100 
    101 /* EVP_aead_chacha20_poly1305 is the AEAD built from ChaCha20 and
    102  * Poly1305 as described in RFC 7539. */
    103 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
    104 
    105 /* EVP_aead_chacha20_poly1305_old is an AEAD built from ChaCha20 and
    106  * Poly1305 that is used in the experimental ChaCha20-Poly1305 TLS cipher
    107  * suites. */
    108 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305_old(void);
    109 
    110 /* EVP_aead_aes_128_key_wrap is AES-128 Key Wrap mode. This should never be
    111  * used except to interoperate with existing systems that use this mode.
    112  *
    113  * If the nonce is empty then the default nonce will be used, otherwise it must
    114  * be eight bytes long. The input must be a multiple of eight bytes long. No
    115  * additional data can be given to this mode. */
    116 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_key_wrap(void);
    117 
    118 /* EVP_aead_aes_256_key_wrap is AES-256 in Key Wrap mode. This should never be
    119  * used except to interoperate with existing systems that use this mode.
    120  *
    121  * See |EVP_aead_aes_128_key_wrap| for details. */
    122 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_key_wrap(void);
    123 
    124 /* EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for
    125  * authentication. The nonce is 12 bytes; the bottom 32-bits are used as the
    126  * block counter, thus the maximum plaintext size is 64GB. */
    127 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);
    128 
    129 /* EVP_aead_aes_256_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for
    130  * authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. */
    131 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);
    132 
    133 /* EVP_has_aes_hardware returns one if we enable hardware support for fast and
    134  * constant-time AES-GCM. */
    135 OPENSSL_EXPORT int EVP_has_aes_hardware(void);
    136 
    137 
    138 /* TLS-specific AEAD algorithms.
    139  *
    140  * These AEAD primitives do not meet the definition of generic AEADs. They are
    141  * all specific to TLS and should not be used outside of that context. They must
    142  * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may
    143  * not be used concurrently. Any nonces are used as IVs, so they must be
    144  * unpredictable. They only accept an |ad| parameter of length 11 (the standard
    145  * TLS one with length omitted). */
    146 
    147 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_tls(void);
    148 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_tls(void);
    149 
    150 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);
    151 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);
    152 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);
    153 
    154 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);
    155 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);
    156 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void);
    157 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void);
    158 
    159 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);
    160 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);
    161 
    162 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void);
    163 
    164 
    165 /* SSLv3-specific AEAD algorithms.
    166  *
    167  * These AEAD primitives do not meet the definition of generic AEADs. They are
    168  * all specific to SSLv3 and should not be used outside of that context. They
    169  * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,
    170  * and may not be used concurrently. They only accept an |ad| parameter of
    171  * length 9 (the standard TLS one with length and version omitted). */
    172 
    173 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void);
    174 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void);
    175 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);
    176 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);
    177 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void);
    178 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_ssl3(void);
    179 
    180 
    181 /* Utility functions. */
    182 
    183 /* EVP_AEAD_key_length returns the length, in bytes, of the keys used by
    184  * |aead|. */
    185 OPENSSL_EXPORT size_t EVP_AEAD_key_length(const EVP_AEAD *aead);
    186 
    187 /* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce
    188  * for |aead|. */
    189 OPENSSL_EXPORT size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead);
    190 
    191 /* EVP_AEAD_max_overhead returns the maximum number of additional bytes added
    192  * by the act of sealing data with |aead|. */
    193 OPENSSL_EXPORT size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead);
    194 
    195 /* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This
    196  * is the largest value that can be passed as |tag_len| to
    197  * |EVP_AEAD_CTX_init|. */
    198 OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);
    199 
    200 
    201 /* AEAD operations. */
    202 
    203 /* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key
    204  * and message-independent IV. */
    205 typedef struct evp_aead_ctx_st {
    206   const EVP_AEAD *aead;
    207   /* aead_state is an opaque pointer to whatever state the AEAD needs to
    208    * maintain. */
    209   void *aead_state;
    210 } EVP_AEAD_CTX;
    211 
    212 /* EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by
    213  * any AEAD defined in this header. */
    214 #define EVP_AEAD_MAX_KEY_LENGTH 80
    215 
    216 /* EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by
    217  * any AEAD defined in this header. */
    218 #define EVP_AEAD_MAX_NONCE_LENGTH 16
    219 
    220 /* EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD
    221  * defined in this header. */
    222 #define EVP_AEAD_MAX_OVERHEAD 64
    223 
    224 /* EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to
    225  * EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should
    226  * be used. */
    227 #define EVP_AEAD_DEFAULT_TAG_LENGTH 0
    228 
    229 /* evp_aead_direction_t denotes the direction of an AEAD operation. */
    230 enum evp_aead_direction_t {
    231   evp_aead_open,
    232   evp_aead_seal,
    233 };
    234 
    235 /* EVP_AEAD_CTX_zero sets an uninitialized |ctx| to the zero state. It must be
    236  * initialized with |EVP_AEAD_CTX_init| before use. It is safe, but not
    237  * necessary, to call |EVP_AEAD_CTX_cleanup| in this state. This may be used for
    238  * more uniform cleanup of |EVP_AEAD_CTX|. */
    239 OPENSSL_EXPORT void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx);
    240 
    241 /* EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm. The |impl|
    242  * argument is ignored and should be NULL. Authentication tags may be truncated
    243  * by passing a size as |tag_len|. A |tag_len| of zero indicates the default
    244  * tag length and this is defined as EVP_AEAD_DEFAULT_TAG_LENGTH for
    245  * readability.
    246  *
    247  * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. In
    248  * the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's
    249  * harmless to do so. */
    250 OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
    251                                      const uint8_t *key, size_t key_len,
    252                                      size_t tag_len, ENGINE *impl);
    253 
    254 /* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal
    255  * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a
    256  * given direction. */
    257 OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(
    258     EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,
    259     size_t tag_len, enum evp_aead_direction_t dir);
    260 
    261 /* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to
    262  * call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to
    263  * all zeros. */
    264 OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);
    265 
    266 /* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and
    267  * authenticates |ad_len| bytes from |ad| and writes the result to |out|. It
    268  * returns one on success and zero otherwise.
    269  *
    270  * This function may be called (with the same |EVP_AEAD_CTX|) concurrently with
    271  * itself or |EVP_AEAD_CTX_open|.
    272  *
    273  * At most |max_out_len| bytes are written to |out| and, in order to ensure
    274  * success, |max_out_len| should be |in_len| plus the result of
    275  * |EVP_AEAD_max_overhead|. On successful return, |*out_len| is set to the
    276  * actual number of bytes written.
    277  *
    278  * The length of |nonce|, |nonce_len|, must be equal to the result of
    279  * |EVP_AEAD_nonce_length| for this AEAD.
    280  *
    281  * |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is
    282  * insufficient, zero will be returned. (In this case, |*out_len| is set to
    283  * zero.)
    284  *
    285  * If |in| and |out| alias then |out| must be <= |in|. */
    286 OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
    287                                      size_t *out_len, size_t max_out_len,
    288                                      const uint8_t *nonce, size_t nonce_len,
    289                                      const uint8_t *in, size_t in_len,
    290                                      const uint8_t *ad, size_t ad_len);
    291 
    292 /* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes
    293  * from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on
    294  * success and zero otherwise.
    295  *
    296  * This function may be called (with the same |EVP_AEAD_CTX|) concurrently with
    297  * itself or |EVP_AEAD_CTX_seal|.
    298  *
    299  * At most |in_len| bytes are written to |out|. In order to ensure success,
    300  * |max_out_len| should be at least |in_len|. On successful return, |*out_len|
    301  * is set to the the actual number of bytes written.
    302  *
    303  * The length of |nonce|, |nonce_len|, must be equal to the result of
    304  * |EVP_AEAD_nonce_length| for this AEAD.
    305  *
    306  * |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is
    307  * insufficient, zero will be returned. (In this case, |*out_len| is set to
    308  * zero.)
    309  *
    310  * If |in| and |out| alias then |out| must be <= |in|. */
    311 OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
    312                                      size_t *out_len, size_t max_out_len,
    313                                      const uint8_t *nonce, size_t nonce_len,
    314                                      const uint8_t *in, size_t in_len,
    315                                      const uint8_t *ad, size_t ad_len);
    316 
    317 
    318 /* Obscure functions. */
    319 
    320 /* EVP_AEAD_CTX_get_rc4_state sets |*out_key| to point to an RC4 key structure.
    321  * It returns one on success or zero if |ctx| doesn't have an RC4 key. */
    322 OPENSSL_EXPORT int EVP_AEAD_CTX_get_rc4_state(const EVP_AEAD_CTX *ctx,
    323                                               const RC4_KEY **out_key);
    324 
    325 /* EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and
    326  * sets |*out_iv| to point to that many bytes of the current IV. This is only
    327  * meaningful for AEADs with implicit IVs (i.e. CBC mode in SSLv3 and TLS 1.0).
    328  *
    329  * It returns one on success or zero on error. */
    330 OPENSSL_EXPORT int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx,
    331                                        const uint8_t **out_iv, size_t *out_len);
    332 
    333 
    334 /* Deprecated functions. */
    335 
    336 /* EVP_aead_chacha20_poly1305_rfc7539 calls |EVP_aead_chacha20_poly1305|.
    337  *
    338  * TODO(davidben): Remove this. */
    339 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305_rfc7539(void);
    340 
    341 
    342 #if defined(__cplusplus)
    343 }  /* extern C */
    344 #endif
    345 
    346 #endif  /* OPENSSL_HEADER_AEAD_H */
    347