Source code

Revision control

Copy as Markdown

Other Tools

/*
* Copyright (c) 2017, 2021 [Ribose Inc](https://www.ribose.com).
* Copyright (c) 2009 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is originally derived from software contributed to
* The NetBSD Foundation by Alistair Crooks (agc@netbsd.org), and
* carried further by Ribose Inc (https://www.ribose.com).
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
* Copyright (c) 2005-2008 Nominet UK (www.nic.uk)
* All rights reserved.
* Contributors: Ben Laurie, Rachel Willmer. The Contributors have asserted
* their moral rights under the UK Copyright Design and Patents Act 1988 to
* be recorded as the authors of this copyright work.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License.
*
* You may obtain a copy of the License at
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef SYMMETRIC_CRYPTO_H_
#define SYMMETRIC_CRYPTO_H_
#include <repgp/repgp_def.h>
#include "crypto/rng.h"
#include "config.h"
#ifdef CRYPTO_BACKEND_OPENSSL
#include <openssl/evp.h>
#include "mem.h"
#endif
/* Nonce len for AEAD/EAX */
#define PGP_AEAD_EAX_NONCE_LEN 16
/* Nonce len for AEAD/OCB */
#define PGP_AEAD_OCB_NONCE_LEN 15
/* Maximum AEAD nonce length */
#define PGP_AEAD_MAX_NONCE_LEN 16
/* Authentication tag len for AEAD/EAX and AEAD/OCB */
#define PGP_AEAD_EAX_OCB_TAG_LEN 16
/* Maximal size of symmetric key */
#define MAX_SYMM_KEY_SIZE 32
/* Maximum AEAD tag length */
#define PGP_AEAD_MAX_TAG_LEN 16
/* Maximum authenticated data length for AEAD */
#define PGP_AEAD_MAX_AD_LEN 32
struct pgp_crypt_cfb_param_t {
#ifdef CRYPTO_BACKEND_BOTAN
struct botan_block_cipher_struct *obj;
#endif
#ifdef CRYPTO_BACKEND_OPENSSL
EVP_CIPHER_CTX *obj;
#endif
size_t remaining;
uint8_t iv[PGP_MAX_BLOCK_SIZE];
};
struct pgp_crypt_aead_param_t {
#ifdef CRYPTO_BACKEND_BOTAN
struct botan_cipher_struct *obj;
#endif
#ifdef CRYPTO_BACKEND_OPENSSL
EVP_CIPHER_CTX * obj;
const EVP_CIPHER * cipher;
rnp::secure_vector<uint8_t> *key;
uint8_t ad[PGP_AEAD_MAX_AD_LEN];
size_t ad_len;
size_t n_len;
#endif
pgp_aead_alg_t alg;
bool decrypt;
size_t granularity;
size_t taglen;
};
/** pgp_crypt_t */
typedef struct pgp_crypt_t {
union {
struct pgp_crypt_cfb_param_t cfb;
#if defined(ENABLE_AEAD)
struct pgp_crypt_aead_param_t aead;
#endif
};
pgp_symm_alg_t alg;
size_t blocksize;
rnp::RNG * rng;
} pgp_crypt_t;
unsigned pgp_block_size(pgp_symm_alg_t);
unsigned pgp_key_size(pgp_symm_alg_t);
bool pgp_is_sa_supported(int alg, bool silent = false);
size_t pgp_cipher_block_size(pgp_crypt_t *crypt);
/**
* Initialize a cipher object.
* @param iv if null an all-zero IV is assumed
*/
bool pgp_cipher_cfb_start(pgp_crypt_t * crypt,
pgp_symm_alg_t alg,
const uint8_t *key,
const uint8_t *iv);
// Deallocate all storage
int pgp_cipher_cfb_finish(pgp_crypt_t *crypt);
// CFB encryption/decryption
int pgp_cipher_cfb_encrypt(pgp_crypt_t *crypt, uint8_t *out, const uint8_t *in, size_t len);
int pgp_cipher_cfb_decrypt(pgp_crypt_t *crypt, uint8_t *out, const uint8_t *in, size_t len);
void pgp_cipher_cfb_resync(pgp_crypt_t *crypt, const uint8_t *buf);
#if defined(ENABLE_AEAD)
/** @brief Initialize AEAD cipher instance
* @param crypt pgp crypto object
* @param ealg symmetric encryption algorithm to use together with AEAD cipher mode
* @param aalg AEAD cipher mode. Only EAX is supported now
* @param key key buffer. Number of key bytes is determined by ealg.
* @param decrypt true for decryption, or false for encryption
* @return true on success or false otherwise.
*/
bool pgp_cipher_aead_init(pgp_crypt_t * crypt,
pgp_symm_alg_t ealg,
pgp_aead_alg_t aalg,
const uint8_t *key,
bool decrypt);
/** @brief Return the AEAD cipher update granularity. Botan FFI will consume chunks which are
* multiple of this value. See the description of pgp_cipher_aead_update()
* @param crypt initialized AEAD crypto
* @return Update granularity value in bytes
*/
size_t pgp_cipher_aead_granularity(pgp_crypt_t *crypt);
#endif
/** @brief Return the AEAD cipher tag length
* @param aalg OpenPGP AEAD algorithm
* @return length of authentication tag in bytes, or 0 for unknown algorithm
*/
size_t pgp_cipher_aead_tag_len(pgp_aead_alg_t aalg);
/** @brief Return the AEAD cipher nonce and IV length
* @param aalg OpenPGP AEAD algorithm
* @return length of nonce in bytes, or 0 for unknown algorithm
*/
size_t pgp_cipher_aead_nonce_len(pgp_aead_alg_t aalg);
#if defined(ENABLE_AEAD)
/** @brief Set associated data
* @param crypt initialized AEAD crypto
* @param ad buffer with data. Cannot be NULL.
* @param len number of bytes in ad
* @return true on success or false otherwise.
*/
bool pgp_cipher_aead_set_ad(pgp_crypt_t *crypt, const uint8_t *ad, size_t len);
/** @brief Start the cipher operation, using the given nonce
* @param crypt initialized AEAD crypto
* @param nonce buffer with nonce, cannot be NULL.
* @param len number of bytes in nonce. Must conform to the cipher properties.
* @return true on success or false otherwise.
*/
bool pgp_cipher_aead_start(pgp_crypt_t *crypt, const uint8_t *nonce, size_t len);
/** @brief Update the cipher. This should be called for non-final data, respecting the
* update granularity of underlying botan cipher. Now it is 256 bytes.
* @param crypt initialized AEAD crypto
* @param out buffer to put processed data. Cannot be NULL, and should be large enough to put
* len bytes
* @param in buffer with input, cannot be NULL
* @param len number of bytes to process. Should be multiple of update granularity.
* @return true on success or false otherwise. On success exactly len processed bytes will be
* stored in out buffer
*/
bool pgp_cipher_aead_update(pgp_crypt_t *crypt, uint8_t *out, const uint8_t *in, size_t len);
/** @brief Do final update on the cipher. For decryption final chunk should contain at least
* authentication tag, for encryption input could be zero-size.
* @param crypt initialized AEAD crypto
* @param out buffer to put processed data. For decryption it should be large enough to put
* len bytes minus authentication tag, for encryption it should be large enough to
* put len byts plus a tag.
* @param in buffer with input, if any. May be NULL for encryption, then len should be zero.
* For decryption it should contain at least authentication tag.
* @param len number of input bytes bytes
* @return true on success or false otherwise. On success for decryption len minus tag size
* bytes will be stored in out, for encryption out will contain len bytes plus
* tag size.
*/
bool pgp_cipher_aead_finish(pgp_crypt_t *crypt, uint8_t *out, const uint8_t *in, size_t len);
/** @brief Reset the AEAD cipher's state, calling the finish() and ignoring the result
* @param crypt initialized AEAD crypto
*/
void pgp_cipher_aead_reset(pgp_crypt_t *crypt);
/** @brief Destroy the cipher object, deallocating all the memory.
* @param crypt initialized AEAD crypto
*/
void pgp_cipher_aead_destroy(pgp_crypt_t *crypt);
/** @brief Helper function to set AEAD nonce for the chunk by its index.
* iv and nonce should be large enough to hold max nonce bytes
* @param aalg AEAD algorithm used
* @param iv Initial vector for the message, must have 16 bytes of data
* @param nonce Nonce to fill up, should have space for 16 bytes of data
* @param index Chunk's index
* @return Length of the nonce, or 0 if algorithm is unknown
*/
size_t pgp_cipher_aead_nonce(pgp_aead_alg_t aalg,
const uint8_t *iv,
uint8_t * nonce,
size_t index);
#endif // ENABLE_AEAD
#endif