Apache Portable Runtime
apr_crypto.h
Go to the documentation of this file.
00001 /* Licensed to the Apache Software Foundation (ASF) under one or more
00002  * contributor license agreements.  See the NOTICE file distributed with
00003  * this work for additional information regarding copyright ownership.
00004  * The ASF licenses this file to You under the Apache License, Version 2.0
00005  * (the "License"); you may not use this file except in compliance with
00006  * the License.  You may obtain a copy of the License at
00007  *
00008  *     http://www.apache.org/licenses/LICENSE-2.0
00009  *
00010  * Unless required by applicable law or agreed to in writing, software
00011  * distributed under the License is distributed on an "AS IS" BASIS,
00012  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00013  * See the License for the specific language governing permissions and
00014  * limitations under the License.
00015  */
00016 
00017 #ifndef APR_CRYPTO_H
00018 #define APR_CRYPTO_H
00019 
00020 #include "apu.h"
00021 #include "apr_pools.h"
00022 #include "apr_tables.h"
00023 #include "apr_hash.h"
00024 #include "apu_errno.h"
00025 
00026 #ifdef __cplusplus
00027 extern "C" {
00028 #endif
00029 
00030 /**
00031  * @file apr_crypto.h
00032  * @brief APR-UTIL Crypto library
00033  */
00034 /**
00035  * @defgroup APR_Util_Crypto Crypto routines
00036  * @ingroup APR
00037  * @{
00038  */
00039 
00040 #if APU_HAVE_CRYPTO
00041 
00042 #ifndef APU_CRYPTO_RECOMMENDED_DRIVER
00043 #if APU_HAVE_OPENSSL
00044 #define APU_CRYPTO_RECOMMENDED_DRIVER "openssl"
00045 #else
00046 #if APU_HAVE_NSS
00047 #define APU_CRYPTO_RECOMMENDED_DRIVER "nss"
00048 #else
00049 #if APU_HAVE_MSCNG
00050 #define APU_CRYPTO_RECOMMENDED_DRIVER "mscng"
00051 #else
00052 #if APU_HAVE_MSCAPI
00053 #define APU_CRYPTO_RECOMMENDED_DRIVER "mscapi"
00054 #else
00055 #endif
00056 #endif
00057 #endif
00058 #endif
00059 #endif
00060 
00061 /**
00062  * Symmetric Key types understood by the library.
00063  *
00064  * NOTE: It is expected that this list will grow over time.
00065  *
00066  * Interoperability Matrix:
00067  *
00068  * The matrix is based on the testcrypto.c unit test, which attempts to
00069  * test whether a simple encrypt/decrypt will succeed, as well as testing
00070  * whether an encrypted string by one library can be decrypted by the
00071  * others.
00072  *
00073  * Some libraries will successfully encrypt and decrypt their own data,
00074  * but won't decrypt data from another library. It is hoped that over
00075  * time these anomalies will be found and fixed, but until then it is
00076  * recommended that ciphers are chosen that interoperate across platform.
00077  *
00078  * An X below means the test passes, it does not necessarily mean that
00079  * encryption performed is correct or secure. Applications should stick
00080  * to ciphers that pass the interoperablity tests on the right hand side
00081  * of the table.
00082  *
00083  * Aligned data is data whose length is a multiple of the block size for
00084  * the chosen cipher. Padded data is data that is not aligned by block
00085  * size and must be padded by the crypto library.
00086  *
00087  *                  OpenSSL      NSS      Interop
00088  *                 Align Pad  Align Pad  Align Pad
00089  * 3DES_192/CBC    X     X    X     X    X     X
00090  * 3DES_192/ECB    X     X
00091  * AES_256/CBC     X     X    X     X    X     X
00092  * AES_256/ECB     X     X    X          X
00093  * AES_192/CBC     X     X    X     X
00094  * AES_192/ECB     X     X    X
00095  * AES_128/CBC     X     X    X     X
00096  * AES_128/ECB     X     X    X
00097  *
00098  * Conclusion: for padded data, use 3DES_192/CBC or AES_256/CBC. For
00099  * aligned data, use 3DES_192/CBC, AES_256/CBC or AES_256/ECB.
00100  */
00101 
00102 typedef enum
00103 {
00104     APR_KEY_NONE, APR_KEY_3DES_192, /** 192 bit (3-Key) 3DES */
00105     APR_KEY_AES_128, /** 128 bit AES */
00106     APR_KEY_AES_192, /** 192 bit AES */
00107     APR_KEY_AES_256
00108 /** 256 bit AES */
00109 } apr_crypto_block_key_type_e;
00110 
00111 typedef enum
00112 {
00113     APR_MODE_NONE, /** An error condition */
00114     APR_MODE_ECB, /** Electronic Code Book */
00115     APR_MODE_CBC
00116 /** Cipher Block Chaining */
00117 } apr_crypto_block_key_mode_e;
00118 
00119 /* These are opaque structs.  Instantiation is up to each backend */
00120 typedef struct apr_crypto_driver_t apr_crypto_driver_t;
00121 typedef struct apr_crypto_t apr_crypto_t;
00122 typedef struct apr_crypto_config_t apr_crypto_config_t;
00123 typedef struct apr_crypto_key_t apr_crypto_key_t;
00124 typedef struct apr_crypto_block_t apr_crypto_block_t;
00125 
00126 /**
00127  * @brief Perform once-only initialisation. Call once only.
00128  *
00129  * @param pool - pool to register any shutdown cleanups, etc
00130  * @return APR_NOTIMPL in case of no crypto support.
00131  */
00132 APR_DECLARE(apr_status_t) apr_crypto_init(apr_pool_t *pool);
00133 
00134 /**
00135  * @brief Register a cleanup to zero out the buffer provided
00136  * when the pool is cleaned up.
00137  *
00138  * @param pool - pool to register the cleanup
00139  * @param buffer - buffer to zero out
00140  * @param size - size of the buffer to zero out
00141  */
00142 APR_DECLARE(apr_status_t) apr_crypto_clear(apr_pool_t *pool, void *buffer,
00143         apr_size_t size);
00144 
00145 /**
00146  * @brief Get the driver struct for a name
00147  *
00148  * @param driver - pointer to driver struct.
00149  * @param name - driver name
00150  * @param params - array of initialisation parameters
00151  * @param result - result and error message on failure
00152  * @param pool - (process) pool to register cleanup
00153  * @return APR_SUCCESS for success
00154  * @return APR_ENOTIMPL for no driver (when DSO not enabled)
00155  * @return APR_EDSOOPEN if DSO driver file can't be opened
00156  * @return APR_ESYMNOTFOUND if the driver file doesn't contain a driver
00157  * @remarks NSS: the params can have "dir", "key3", "cert7" and "secmod"
00158  *  keys, each followed by an equal sign and a value. Such key/value pairs can
00159  *  be delimited by space or tab. If the value contains a space, surround the
00160  *  whole key value pair in quotes: "dir=My Directory".
00161  * @remarks OpenSSL: currently no params are supported.
00162  */
00163 APR_DECLARE(apr_status_t) apr_crypto_get_driver(
00164         const apr_crypto_driver_t **driver, const char *name,
00165         const char *params, const apu_err_t **result, apr_pool_t *pool);
00166 
00167 /**
00168  * @brief Return the name of the driver.
00169  *
00170  * @param driver - The driver in use.
00171  * @return The name of the driver.
00172  */
00173 APR_DECLARE(const char *) apr_crypto_driver_name(
00174         const apr_crypto_driver_t *driver);
00175 
00176 /**
00177  * @brief Get the result of the last operation on a context. If the result
00178  *        is NULL, the operation was successful.
00179  * @param result - the result structure
00180  * @param f - context pointer
00181  * @return APR_SUCCESS for success
00182  */
00183 APR_DECLARE(apr_status_t) apr_crypto_error(const apu_err_t **result,
00184         const apr_crypto_t *f);
00185 
00186 /**
00187  * @brief Create a context for supporting encryption. Keys, certificates,
00188  *        algorithms and other parameters will be set per context. More than
00189  *        one context can be created at one time. A cleanup will be automatically
00190  *        registered with the given pool to guarantee a graceful shutdown.
00191  * @param f - context pointer will be written here
00192  * @param driver - driver to use
00193  * @param params - array of key parameters
00194  * @param pool - process pool
00195  * @return APR_ENOENGINE when the engine specified does not exist. APR_EINITENGINE
00196  * if the engine cannot be initialised.
00197  * @remarks NSS: currently no params are supported.
00198  * @remarks OpenSSL: the params can have "engine" as a key, followed by an equal
00199  *  sign and a value.
00200  */
00201 APR_DECLARE(apr_status_t)
00202         apr_crypto_make(apr_crypto_t **f, const apr_crypto_driver_t *driver,
00203                 const char *params, apr_pool_t *pool);
00204 
00205 /**
00206  * @brief Get a hash table of key types, keyed by the name of the type against
00207  * an integer pointer constant.
00208  *
00209  * @param types - hashtable of key types keyed to constants.
00210  * @param f - encryption context
00211  * @return APR_SUCCESS for success
00212  */
00213 APR_DECLARE(apr_status_t) apr_crypto_get_block_key_types(apr_hash_t **types,
00214         const apr_crypto_t *f);
00215 
00216 /**
00217  * @brief Get a hash table of key modes, keyed by the name of the mode against
00218  * an integer pointer constant.
00219  *
00220  * @param modes - hashtable of key modes keyed to constants.
00221  * @param f - encryption context
00222  * @return APR_SUCCESS for success
00223  */
00224 APR_DECLARE(apr_status_t) apr_crypto_get_block_key_modes(apr_hash_t **modes,
00225         const apr_crypto_t *f);
00226 
00227 /**
00228  * @brief Create a key from the given passphrase. By default, the PBKDF2
00229  *        algorithm is used to generate the key from the passphrase. It is expected
00230  *        that the same pass phrase will generate the same key, regardless of the
00231  *        backend crypto platform used. The key is cleaned up when the context
00232  *        is cleaned, and may be reused with multiple encryption or decryption
00233  *        operations.
00234  * @note If *key is NULL, a apr_crypto_key_t will be created from a pool. If
00235  *       *key is not NULL, *key must point at a previously created structure.
00236  * @param key The key returned, see note.
00237  * @param ivSize The size of the initialisation vector will be returned, based
00238  *               on whether an IV is relevant for this type of crypto.
00239  * @param pass The passphrase to use.
00240  * @param passLen The passphrase length in bytes
00241  * @param salt The salt to use.
00242  * @param saltLen The salt length in bytes
00243  * @param type 3DES_192, AES_128, AES_192, AES_256.
00244  * @param mode Electronic Code Book / Cipher Block Chaining.
00245  * @param doPad Pad if necessary.
00246  * @param iterations Number of iterations to use in algorithm
00247  * @param f The context to use.
00248  * @param p The pool to use.
00249  * @return Returns APR_ENOKEY if the pass phrase is missing or empty, or if a backend
00250  *         error occurred while generating the key. APR_ENOCIPHER if the type or mode
00251  *         is not supported by the particular backend. APR_EKEYTYPE if the key type is
00252  *         not known. APR_EPADDING if padding was requested but is not supported.
00253  *         APR_ENOTIMPL if not implemented.
00254  */
00255 APR_DECLARE(apr_status_t) apr_crypto_passphrase(apr_crypto_key_t **key,
00256         apr_size_t *ivSize, const char *pass, apr_size_t passLen,
00257         const unsigned char * salt, apr_size_t saltLen,
00258         const apr_crypto_block_key_type_e type,
00259         const apr_crypto_block_key_mode_e mode, const int doPad,
00260         const int iterations, const apr_crypto_t *f, apr_pool_t *p);
00261 
00262 /**
00263  * @brief Initialise a context for encrypting arbitrary data using the given key.
00264  * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If
00265  *       *ctx is not NULL, *ctx must point at a previously created structure.
00266  * @param ctx The block context returned, see note.
00267  * @param iv Optional initialisation vector. If the buffer pointed to is NULL,
00268  *           an IV will be created at random, in space allocated from the pool.
00269  *           If the buffer pointed to is not NULL, the IV in the buffer will be
00270  *           used.
00271  * @param key The key structure to use.
00272  * @param blockSize The block size of the cipher.
00273  * @param p The pool to use.
00274  * @return Returns APR_ENOIV if an initialisation vector is required but not specified.
00275  *         Returns APR_EINIT if the backend failed to initialise the context. Returns
00276  *         APR_ENOTIMPL if not implemented.
00277  */
00278 APR_DECLARE(apr_status_t) apr_crypto_block_encrypt_init(
00279         apr_crypto_block_t **ctx, const unsigned char **iv,
00280         const apr_crypto_key_t *key, apr_size_t *blockSize, apr_pool_t *p);
00281 
00282 /**
00283  * @brief Encrypt data provided by in, write it to out.
00284  * @note The number of bytes written will be written to outlen. If
00285  *       out is NULL, outlen will contain the maximum size of the
00286  *       buffer needed to hold the data, including any data
00287  *       generated by apr_crypto_block_encrypt_finish below. If *out points
00288  *       to NULL, a buffer sufficiently large will be created from
00289  *       the pool provided. If *out points to a not-NULL value, this
00290  *       value will be used as a buffer instead.
00291  * @param out Address of a buffer to which data will be written,
00292  *        see note.
00293  * @param outlen Length of the output will be written here.
00294  * @param in Address of the buffer to read.
00295  * @param inlen Length of the buffer to read.
00296  * @param ctx The block context to use.
00297  * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if
00298  *         not implemented.
00299  */
00300 APR_DECLARE(apr_status_t) apr_crypto_block_encrypt(unsigned char **out,
00301         apr_size_t *outlen, const unsigned char *in, apr_size_t inlen,
00302         apr_crypto_block_t *ctx);
00303 
00304 /**
00305  * @brief Encrypt final data block, write it to out.
00306  * @note If necessary the final block will be written out after being
00307  *       padded. Typically the final block will be written to the
00308  *       same buffer used by apr_crypto_block_encrypt, offset by the
00309  *       number of bytes returned as actually written by the
00310  *       apr_crypto_block_encrypt() call. After this call, the context
00311  *       is cleaned and can be reused by apr_crypto_block_encrypt_init().
00312  * @param out Address of a buffer to which data will be written. This
00313  *            buffer must already exist, and is usually the same
00314  *            buffer used by apr_evp_crypt(). See note.
00315  * @param outlen Length of the output will be written here.
00316  * @param ctx The block context to use.
00317  * @return APR_ECRYPT if an error occurred.
00318  * @return APR_EPADDING if padding was enabled and the block was incorrectly
00319  *         formatted.
00320  * @return APR_ENOTIMPL if not implemented.
00321  */
00322 APR_DECLARE(apr_status_t) apr_crypto_block_encrypt_finish(unsigned char *out,
00323         apr_size_t *outlen, apr_crypto_block_t *ctx);
00324 
00325 /**
00326  * @brief Initialise a context for decrypting arbitrary data using the given key.
00327  * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If
00328  *       *ctx is not NULL, *ctx must point at a previously created structure.
00329  * @param ctx The block context returned, see note.
00330  * @param blockSize The block size of the cipher.
00331  * @param iv Optional initialisation vector.
00332  * @param key The key structure to use.
00333  * @param p The pool to use.
00334  * @return Returns APR_ENOIV if an initialisation vector is required but not specified.
00335  *         Returns APR_EINIT if the backend failed to initialise the context. Returns
00336  *         APR_ENOTIMPL if not implemented.
00337  */
00338 APR_DECLARE(apr_status_t) apr_crypto_block_decrypt_init(
00339         apr_crypto_block_t **ctx, apr_size_t *blockSize,
00340         const unsigned char *iv, const apr_crypto_key_t *key, apr_pool_t *p);
00341 
00342 /**
00343  * @brief Decrypt data provided by in, write it to out.
00344  * @note The number of bytes written will be written to outlen. If
00345  *       out is NULL, outlen will contain the maximum size of the
00346  *       buffer needed to hold the data, including any data
00347  *       generated by apr_crypto_block_decrypt_finish below. If *out points
00348  *       to NULL, a buffer sufficiently large will be created from
00349  *       the pool provided. If *out points to a not-NULL value, this
00350  *       value will be used as a buffer instead.
00351  * @param out Address of a buffer to which data will be written,
00352  *        see note.
00353  * @param outlen Length of the output will be written here.
00354  * @param in Address of the buffer to read.
00355  * @param inlen Length of the buffer to read.
00356  * @param ctx The block context to use.
00357  * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if
00358  *         not implemented.
00359  */
00360 APR_DECLARE(apr_status_t) apr_crypto_block_decrypt(unsigned char **out,
00361         apr_size_t *outlen, const unsigned char *in, apr_size_t inlen,
00362         apr_crypto_block_t *ctx);
00363 
00364 /**
00365  * @brief Decrypt final data block, write it to out.
00366  * @note If necessary the final block will be written out after being
00367  *       padded. Typically the final block will be written to the
00368  *       same buffer used by apr_crypto_block_decrypt, offset by the
00369  *       number of bytes returned as actually written by the
00370  *       apr_crypto_block_decrypt() call. After this call, the context
00371  *       is cleaned and can be reused by apr_crypto_block_decrypt_init().
00372  * @param out Address of a buffer to which data will be written. This
00373  *            buffer must already exist, and is usually the same
00374  *            buffer used by apr_evp_crypt(). See note.
00375  * @param outlen Length of the output will be written here.
00376  * @param ctx The block context to use.
00377  * @return APR_ECRYPT if an error occurred.
00378  * @return APR_EPADDING if padding was enabled and the block was incorrectly
00379  *         formatted.
00380  * @return APR_ENOTIMPL if not implemented.
00381  */
00382 APR_DECLARE(apr_status_t) apr_crypto_block_decrypt_finish(unsigned char *out,
00383         apr_size_t *outlen, apr_crypto_block_t *ctx);
00384 
00385 /**
00386  * @brief Clean encryption / decryption context.
00387  * @note After cleanup, a context is free to be reused if necessary.
00388  * @param ctx The block context to use.
00389  * @return Returns APR_ENOTIMPL if not supported.
00390  */
00391 APR_DECLARE(apr_status_t) apr_crypto_block_cleanup(apr_crypto_block_t *ctx);
00392 
00393 /**
00394  * @brief Clean encryption / decryption context.
00395  * @note After cleanup, a context is free to be reused if necessary.
00396  * @param f The context to use.
00397  * @return Returns APR_ENOTIMPL if not supported.
00398  */
00399 APR_DECLARE(apr_status_t) apr_crypto_cleanup(apr_crypto_t *f);
00400 
00401 /**
00402  * @brief Shutdown the crypto library.
00403  * @note After shutdown, it is expected that the init function can be called again.
00404  * @param driver - driver to use
00405  * @return Returns APR_ENOTIMPL if not supported.
00406  */
00407 APR_DECLARE(apr_status_t)
00408         apr_crypto_shutdown(const apr_crypto_driver_t *driver);
00409 
00410 #endif /* APU_HAVE_CRYPTO */
00411 
00412 /** @} */
00413 
00414 #ifdef __cplusplus
00415 }
00416 #endif
00417 
00418 #endif
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Defines