1 /* Copyright (c) 2014, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #ifndef OPENSSL_HEADER_AEAD_H 16 #define OPENSSL_HEADER_AEAD_H 17 18 #include <openssl/base.h> 19 20 #if defined(__cplusplus) 21 extern "C" { 22 #endif 23 24 25 /* Authenticated Encryption with Additional Data. 26 * 27 * AEAD couples confidentiality and integrity in a single primitive. AEAD 28 * algorithms take a key and then can seal and open individual messages. Each 29 * message has a unique, per-message nonce and, optionally, additional data 30 * which is authenticated but not included in the ciphertext. 31 * 32 * The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and 33 * performs any precomputation needed to use |aead| with |key|. The length of 34 * the key, |key_len|, is given in bytes. 35 * 36 * The |tag_len| argument contains the length of the tags, in bytes, and allows 37 * for the processing of truncated authenticators. A zero value indicates that 38 * the default tag length should be used and this is defined as 39 * |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using 40 * truncated tags increases an attacker's chance of creating a valid forgery. 41 * Be aware that the attacker's chance may increase more than exponentially as 42 * would naively be expected. 43 * 44 * When no longer needed, the initialised |EVP_AEAD_CTX| structure must be 45 * passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used. 46 * 47 * With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These 48 * operations are intended to meet the standard notions of privacy and 49 * authenticity for authenticated encryption. For formal definitions see 50 * Bellare and Namprempre, "Authenticated encryption: relations among notions 51 * and analysis of the generic composition paradigm," Lecture Notes in Computer 52 * Science B<1976> (2000), 531–545, 53 * http://www-cse.ucsd.edu/~mihir/papers/oem.html. 54 * 55 * When sealing messages, a nonce must be given. The length of the nonce is 56 * fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The 57 * nonce must be unique for all messages with the same key*. This is critically 58 * important - nonce reuse may completely undermine the security of the AEAD. 59 * Nonces may be predictable and public, so long as they are unique. Uniqueness 60 * may be achieved with a simple counter or, if large enough, may be generated 61 * randomly. The nonce must be passed into the "open" operation by the receiver 62 * so must either be implicit (e.g. a counter), or must be transmitted along 63 * with the sealed message. 64 * 65 * The "seal" and "open" operations are atomic - an entire message must be 66 * encrypted or decrypted in a single call. Large messages may have to be split 67 * up in order to accommodate this. When doing so, be mindful of the need not to 68 * repeat nonces and the possibility that an attacker could duplicate, reorder 69 * or drop message chunks. For example, using a single key for a given (large) 70 * message and sealing chunks with nonces counting from zero would be secure as 71 * long as the number of chunks was securely transmitted. (Otherwise an 72 * attacker could truncate the message by dropping chunks from the end.) 73 * 74 * The number of chunks could be transmitted by prefixing it to the plaintext, 75 * for example. This also assumes that no other message would ever use the same 76 * key otherwise the rule that nonces must be unique for a given key would be 77 * violated. 78 * 79 * The "seal" and "open" operations also permit additional data to be 80 * authenticated via the |ad| parameter. This data is not included in the 81 * ciphertext and must be identical for both the "seal" and "open" call. This 82 * permits implicit context to be authenticated but may be empty if not needed. 83 * 84 * The "seal" and "open" operations may work in-place if the |out| and |in| 85 * arguments are equal. Otherwise, if |out| and |in| alias, input data may be 86 * overwritten before it is read. This situation will cause an error. 87 * 88 * The "seal" and "open" operations return one on success and zero on error. */ 89 90 91 /* AEAD algorithms. */ 92 93 /* EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode. */ 94 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void); 95 96 /* EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode. */ 97 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void); 98 99 /* EVP_aead_chacha20_poly1305 is the AEAD built from ChaCha20 and 100 * Poly1305 as described in RFC 7539. */ 101 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void); 102 103 /* EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for 104 * authentication. The nonce is 12 bytes; the bottom 32-bits are used as the 105 * block counter, thus the maximum plaintext size is 64GB. */ 106 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void); 107 108 /* EVP_aead_aes_256_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for 109 * authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. */ 110 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void); 111 112 /* EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See 113 * https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 */ 114 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void); 115 116 /* EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See 117 * https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 */ 118 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void); 119 120 /* EVP_has_aes_hardware returns one if we enable hardware support for fast and 121 * constant-time AES-GCM. */ 122 OPENSSL_EXPORT int EVP_has_aes_hardware(void); 123 124 125 /* Utility functions. */ 126 127 /* EVP_AEAD_key_length returns the length, in bytes, of the keys used by 128 * |aead|. */ 129 OPENSSL_EXPORT size_t EVP_AEAD_key_length(const EVP_AEAD *aead); 130 131 /* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce 132 * for |aead|. */ 133 OPENSSL_EXPORT size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead); 134 135 /* EVP_AEAD_max_overhead returns the maximum number of additional bytes added 136 * by the act of sealing data with |aead|. */ 137 OPENSSL_EXPORT size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead); 138 139 /* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This 140 * is the largest value that can be passed as |tag_len| to 141 * |EVP_AEAD_CTX_init|. */ 142 OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead); 143 144 145 /* AEAD operations. */ 146 147 /* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key 148 * and message-independent IV. */ 149 typedef struct evp_aead_ctx_st { 150 const EVP_AEAD *aead; 151 /* aead_state is an opaque pointer to whatever state the AEAD needs to 152 * maintain. */ 153 void *aead_state; 154 /* tag_len may contain the actual length of the authentication tag if it is 155 * known at initialization time. */ 156 uint8_t tag_len; 157 } EVP_AEAD_CTX; 158 159 /* EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by 160 * any AEAD defined in this header. */ 161 #define EVP_AEAD_MAX_KEY_LENGTH 80 162 163 /* EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by 164 * any AEAD defined in this header. */ 165 #define EVP_AEAD_MAX_NONCE_LENGTH 16 166 167 /* EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD 168 * defined in this header. */ 169 #define EVP_AEAD_MAX_OVERHEAD 64 170 171 /* EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to 172 * EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should 173 * be used. */ 174 #define EVP_AEAD_DEFAULT_TAG_LENGTH 0 175 176 /* EVP_AEAD_CTX_zero sets an uninitialized |ctx| to the zero state. It must be 177 * initialized with |EVP_AEAD_CTX_init| before use. It is safe, but not 178 * necessary, to call |EVP_AEAD_CTX_cleanup| in this state. This may be used for 179 * more uniform cleanup of |EVP_AEAD_CTX|. */ 180 OPENSSL_EXPORT void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx); 181 182 /* EVP_AEAD_CTX_new allocates an |EVP_AEAD_CTX|, calls |EVP_AEAD_CTX_init| and 183 * returns the |EVP_AEAD_CTX|, or NULL on error. */ 184 OPENSSL_EXPORT EVP_AEAD_CTX *EVP_AEAD_CTX_new(const EVP_AEAD *aead, 185 const uint8_t *key, 186 size_t key_len, size_t tag_len); 187 188 /* EVP_AEAD_CTX_free calls |EVP_AEAD_CTX_cleanup| and |OPENSSL_free| on 189 * |ctx|. */ 190 OPENSSL_EXPORT void EVP_AEAD_CTX_free(EVP_AEAD_CTX *ctx); 191 192 /* EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm. The |impl| 193 * argument is ignored and should be NULL. Authentication tags may be truncated 194 * by passing a size as |tag_len|. A |tag_len| of zero indicates the default 195 * tag length and this is defined as EVP_AEAD_DEFAULT_TAG_LENGTH for 196 * readability. 197 * 198 * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. In 199 * the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's 200 * harmless to do so. */ 201 OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, 202 const uint8_t *key, size_t key_len, 203 size_t tag_len, ENGINE *impl); 204 205 /* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to 206 * call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to 207 * all zeros. */ 208 OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx); 209 210 /* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and 211 * authenticates |ad_len| bytes from |ad| and writes the result to |out|. It 212 * returns one on success and zero otherwise. 213 * 214 * This function may be called concurrently with itself or any other seal/open 215 * function on the same |EVP_AEAD_CTX|. 216 * 217 * At most |max_out_len| bytes are written to |out| and, in order to ensure 218 * success, |max_out_len| should be |in_len| plus the result of 219 * |EVP_AEAD_max_overhead|. On successful return, |*out_len| is set to the 220 * actual number of bytes written. 221 * 222 * The length of |nonce|, |nonce_len|, must be equal to the result of 223 * |EVP_AEAD_nonce_length| for this AEAD. 224 * 225 * |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is 226 * insufficient, zero will be returned. If any error occurs, |out| will be 227 * filled with zero bytes and |*out_len| set to zero. 228 * 229 * If |in| and |out| alias then |out| must be == |in|. */ 230 OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, 231 size_t *out_len, size_t max_out_len, 232 const uint8_t *nonce, size_t nonce_len, 233 const uint8_t *in, size_t in_len, 234 const uint8_t *ad, size_t ad_len); 235 236 /* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes 237 * from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on 238 * success and zero otherwise. 239 * 240 * This function may be called concurrently with itself or any other seal/open 241 * function on the same |EVP_AEAD_CTX|. 242 * 243 * At most |in_len| bytes are written to |out|. In order to ensure success, 244 * |max_out_len| should be at least |in_len|. On successful return, |*out_len| 245 * is set to the the actual number of bytes written. 246 * 247 * The length of |nonce|, |nonce_len|, must be equal to the result of 248 * |EVP_AEAD_nonce_length| for this AEAD. 249 * 250 * |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is 251 * insufficient, zero will be returned. If any error occurs, |out| will be 252 * filled with zero bytes and |*out_len| set to zero. 253 * 254 * If |in| and |out| alias then |out| must be == |in|. */ 255 OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out, 256 size_t *out_len, size_t max_out_len, 257 const uint8_t *nonce, size_t nonce_len, 258 const uint8_t *in, size_t in_len, 259 const uint8_t *ad, size_t ad_len); 260 261 /* EVP_AEAD_CTX_seal_scatter encrypts and authenticates |in_len| bytes from |in| 262 * and authenticates |ad_len| bytes from |ad|. It writes |in_len| bytes of 263 * ciphertext to |out| and the authentication tag to |out_tag|. It returns one 264 * on success and zero otherwise. 265 * 266 * This function may be called concurrently with itself or any other seal/open 267 * function on the same |EVP_AEAD_CTX|. 268 * 269 * Exactly |in_len| bytes are written to |out|, and up to 270 * |EVP_AEAD_max_overhead+extra_in_len| bytes to |out_tag|. On successful 271 * return, |*out_tag_len| is set to the actual number of bytes written to 272 * |out_tag|. 273 * 274 * |extra_in| may point to an additional plaintext input buffer if the cipher 275 * supports it. If present, |extra_in_len| additional bytes of plaintext are 276 * encrypted and authenticated, and the ciphertext is written (before the tag) 277 * to |out_tag|. |max_out_tag_len| must be sized to allow for the additional 278 * |extra_in_len| bytes. 279 * 280 * The length of |nonce|, |nonce_len|, must be equal to the result of 281 * |EVP_AEAD_nonce_length| for this AEAD. 282 * 283 * |EVP_AEAD_CTX_seal_scatter| never results in a partial output. If 284 * |max_out_tag_len| is insufficient, zero will be returned. If any error 285 * occurs, |out| and |out_tag| will be filled with zero bytes and |*out_tag_len| 286 * set to zero. 287 * 288 * If |in| and |out| alias then |out| must be == |in|. |out_tag| may not alias 289 * any other argument. */ 290 OPENSSL_EXPORT int EVP_AEAD_CTX_seal_scatter( 291 const EVP_AEAD_CTX *ctx, uint8_t *out, 292 uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len, 293 const uint8_t *nonce, size_t nonce_len, 294 const uint8_t *in, size_t in_len, 295 const uint8_t *extra_in, size_t extra_in_len, 296 const uint8_t *ad, size_t ad_len); 297 298 /* EVP_AEAD_CTX_open_gather decrypts and authenticates |in_len| bytes from |in| 299 * and authenticates |ad_len| bytes from |ad| using |in_tag_len| bytes of 300 * authentication tag from |in_tag|. If successful, it writes |in_len| bytes of 301 * plaintext to |out|. It returns one on success and zero otherwise. 302 * 303 * This function may be called concurrently with itself or any other seal/open 304 * function on the same |EVP_AEAD_CTX|. 305 * 306 * The length of |nonce|, |nonce_len|, must be equal to the result of 307 * |EVP_AEAD_nonce_length| for this AEAD. 308 * 309 * |EVP_AEAD_CTX_open_gather| never results in a partial output. If any error 310 * occurs, |out| will be filled with zero bytes. 311 * 312 * If |in| and |out| alias then |out| must be == |in|. */ 313 OPENSSL_EXPORT int EVP_AEAD_CTX_open_gather( 314 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce, 315 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag, 316 size_t in_tag_len, const uint8_t *ad, size_t ad_len); 317 318 /* EVP_AEAD_CTX_aead returns the underlying AEAD for |ctx|, or NULL if one has 319 * not been set. */ 320 OPENSSL_EXPORT const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx); 321 322 323 /* TLS-specific AEAD algorithms. 324 * 325 * These AEAD primitives do not meet the definition of generic AEADs. They are 326 * all specific to TLS and should not be used outside of that context. They must 327 * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may 328 * not be used concurrently. Any nonces are used as IVs, so they must be 329 * unpredictable. They only accept an |ad| parameter of length 11 (the standard 330 * TLS one with length omitted). */ 331 332 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void); 333 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void); 334 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void); 335 336 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void); 337 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void); 338 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void); 339 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void); 340 341 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void); 342 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void); 343 344 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void); 345 346 /* EVP_aead_aes_128_gcm_tls12 is AES-128 in Galois Counter Mode using the TLS 347 * 1.2 nonce construction. */ 348 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void); 349 350 /* EVP_aead_aes_256_gcm_tls12 is AES-256 in Galois Counter Mode using the TLS 351 * 1.2 nonce construction. */ 352 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls12(void); 353 354 355 /* SSLv3-specific AEAD algorithms. 356 * 357 * These AEAD primitives do not meet the definition of generic AEADs. They are 358 * all specific to SSLv3 and should not be used outside of that context. They 359 * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, 360 * and may not be used concurrently. They only accept an |ad| parameter of 361 * length 9 (the standard TLS one with length and version omitted). */ 362 363 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void); 364 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void); 365 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void); 366 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_ssl3(void); 367 368 369 /* Obscure functions. */ 370 371 /* evp_aead_direction_t denotes the direction of an AEAD operation. */ 372 enum evp_aead_direction_t { 373 evp_aead_open, 374 evp_aead_seal, 375 }; 376 377 /* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal 378 * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a 379 * given direction. */ 380 OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction( 381 EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len, 382 size_t tag_len, enum evp_aead_direction_t dir); 383 384 /* EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and 385 * sets |*out_iv| to point to that many bytes of the current IV. This is only 386 * meaningful for AEADs with implicit IVs (i.e. CBC mode in SSLv3 and TLS 1.0). 387 * 388 * It returns one on success or zero on error. */ 389 OPENSSL_EXPORT int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx, 390 const uint8_t **out_iv, size_t *out_len); 391 392 393 #if defined(__cplusplus) 394 } /* extern C */ 395 396 #if !defined(BORINGSSL_NO_CXX) 397 extern "C++" { 398 399 namespace bssl { 400 401 using ScopedEVP_AEAD_CTX = 402 internal::StackAllocated<EVP_AEAD_CTX, void, EVP_AEAD_CTX_zero, 403 EVP_AEAD_CTX_cleanup>; 404 405 BORINGSSL_MAKE_DELETER(EVP_AEAD_CTX, EVP_AEAD_CTX_free) 406 407 } // namespace bssl 408 409 } // extern C++ 410 #endif 411 412 #endif 413 414 #endif /* OPENSSL_HEADER_AEAD_H */ 415