Annotation of win32/apache22/srclib/apr-util/include/apr_crypto.h, revision 1.1

1.1     ! moko        1: /* Licensed to the Apache Software Foundation (ASF) under one or more
        !             2:  * contributor license agreements.  See the NOTICE file distributed with
        !             3:  * this work for additional information regarding copyright ownership.
        !             4:  * The ASF licenses this file to You under the Apache License, Version 2.0
        !             5:  * (the "License"); you may not use this file except in compliance with
        !             6:  * the License.  You may obtain a copy of the License at
        !             7:  *
        !             8:  *     http://www.apache.org/licenses/LICENSE-2.0
        !             9:  *
        !            10:  * Unless required by applicable law or agreed to in writing, software
        !            11:  * distributed under the License is distributed on an "AS IS" BASIS,
        !            12:  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
        !            13:  * See the License for the specific language governing permissions and
        !            14:  * limitations under the License.
        !            15:  */
        !            16: 
        !            17: #ifndef APR_CRYPTO_H
        !            18: #define APR_CRYPTO_H
        !            19: 
        !            20: #include "apu.h"
        !            21: #include "apr_pools.h"
        !            22: #include "apr_tables.h"
        !            23: #include "apr_hash.h"
        !            24: #include "apu_errno.h"
        !            25: 
        !            26: #ifdef __cplusplus
        !            27: extern "C" {
        !            28: #endif
        !            29: 
        !            30: /**
        !            31:  * @file apr_crypto.h
        !            32:  * @brief APR-UTIL Crypto library
        !            33:  */
        !            34: /**
        !            35:  * @defgroup APR_Util_Crypto Crypto routines
        !            36:  * @ingroup APR_Util
        !            37:  * @{
        !            38:  */
        !            39: 
        !            40: #if APU_HAVE_CRYPTO
        !            41: 
        !            42: #ifndef APU_CRYPTO_RECOMMENDED_DRIVER
        !            43: #if APU_HAVE_OPENSSL
        !            44: #define APU_CRYPTO_RECOMMENDED_DRIVER "openssl"
        !            45: #else
        !            46: #if APU_HAVE_NSS
        !            47: #define APU_CRYPTO_RECOMMENDED_DRIVER "nss"
        !            48: #else
        !            49: #if APU_HAVE_MSCNG
        !            50: #define APU_CRYPTO_RECOMMENDED_DRIVER "mscng"
        !            51: #else
        !            52: #if APU_HAVE_MSCAPI
        !            53: #define APU_CRYPTO_RECOMMENDED_DRIVER "mscapi"
        !            54: #else
        !            55: #endif
        !            56: #endif
        !            57: #endif
        !            58: #endif
        !            59: #endif
        !            60: 
        !            61: /**
        !            62:  * Symmetric Key types understood by the library.
        !            63:  *
        !            64:  * NOTE: It is expected that this list will grow over time.
        !            65:  *
        !            66:  * Interoperability Matrix:
        !            67:  *
        !            68:  * The matrix is based on the testcrypto.c unit test, which attempts to
        !            69:  * test whether a simple encrypt/decrypt will succeed, as well as testing
        !            70:  * whether an encrypted string by one library can be decrypted by the
        !            71:  * others.
        !            72:  *
        !            73:  * Some libraries will successfully encrypt and decrypt their own data,
        !            74:  * but won't decrypt data from another library. It is hoped that over
        !            75:  * time these anomalies will be found and fixed, but until then it is
        !            76:  * recommended that ciphers are chosen that interoperate across platform.
        !            77:  *
        !            78:  * An X below means the test passes, it does not necessarily mean that
        !            79:  * encryption performed is correct or secure. Applications should stick
        !            80:  * to ciphers that pass the interoperablity tests on the right hand side
        !            81:  * of the table.
        !            82:  *
        !            83:  * Aligned data is data whose length is a multiple of the block size for
        !            84:  * the chosen cipher. Padded data is data that is not aligned by block
        !            85:  * size and must be padded by the crypto library.
        !            86:  *
        !            87:  *                  OpenSSL      NSS      Interop
        !            88:  *                 Align Pad  Align Pad  Align Pad
        !            89:  * 3DES_192/CBC    X     X    X     X    X     X
        !            90:  * 3DES_192/ECB    X     X
        !            91:  * AES_256/CBC     X     X    X     X    X     X
        !            92:  * AES_256/ECB     X     X    X          X
        !            93:  * AES_192/CBC     X     X    X     X
        !            94:  * AES_192/ECB     X     X    X
        !            95:  * AES_128/CBC     X     X    X     X
        !            96:  * AES_128/ECB     X     X    X
        !            97:  *
        !            98:  * Conclusion: for padded data, use 3DES_192/CBC or AES_256/CBC. For
        !            99:  * aligned data, use 3DES_192/CBC, AES_256/CBC or AES_256/ECB.
        !           100:  */
        !           101: 
        !           102: typedef enum
        !           103: {
        !           104:     APR_KEY_NONE, APR_KEY_3DES_192, /** 192 bit (3-Key) 3DES */
        !           105:     APR_KEY_AES_128, /** 128 bit AES */
        !           106:     APR_KEY_AES_192, /** 192 bit AES */
        !           107:     APR_KEY_AES_256
        !           108: /** 256 bit AES */
        !           109: } apr_crypto_block_key_type_e;
        !           110: 
        !           111: typedef enum
        !           112: {
        !           113:     APR_MODE_NONE, /** An error condition */
        !           114:     APR_MODE_ECB, /** Electronic Code Book */
        !           115:     APR_MODE_CBC
        !           116: /** Cipher Block Chaining */
        !           117: } apr_crypto_block_key_mode_e;
        !           118: 
        !           119: /* These are opaque structs.  Instantiation is up to each backend */
        !           120: typedef struct apr_crypto_driver_t apr_crypto_driver_t;
        !           121: typedef struct apr_crypto_t apr_crypto_t;
        !           122: typedef struct apr_crypto_config_t apr_crypto_config_t;
        !           123: typedef struct apr_crypto_key_t apr_crypto_key_t;
        !           124: typedef struct apr_crypto_block_t apr_crypto_block_t;
        !           125: 
        !           126: /**
        !           127:  * @brief Perform once-only initialisation. Call once only.
        !           128:  *
        !           129:  * @param pool - pool to register any shutdown cleanups, etc
        !           130:  * @return APR_NOTIMPL in case of no crypto support.
        !           131:  */
        !           132: APU_DECLARE(apr_status_t) apr_crypto_init(apr_pool_t *pool);
        !           133: 
        !           134: /**
        !           135:  * @brief Register a cleanup to zero out the buffer provided
        !           136:  * when the pool is cleaned up.
        !           137:  *
        !           138:  * @param pool - pool to register the cleanup
        !           139:  * @param buffer - buffer to zero out
        !           140:  * @param size - size of the buffer to zero out
        !           141:  */
        !           142: APU_DECLARE(apr_status_t) apr_crypto_clear(apr_pool_t *pool, void *buffer,
        !           143:         apr_size_t size);
        !           144: 
        !           145: /**
        !           146:  * @brief Get the driver struct for a name
        !           147:  *
        !           148:  * @param driver - pointer to driver struct.
        !           149:  * @param name - driver name
        !           150:  * @param params - array of initialisation parameters
        !           151:  * @param result - result and error message on failure
        !           152:  * @param pool - (process) pool to register cleanup
        !           153:  * @return APR_SUCCESS for success
        !           154:  * @return APR_ENOTIMPL for no driver (when DSO not enabled)
        !           155:  * @return APR_EDSOOPEN if DSO driver file can't be opened
        !           156:  * @return APR_ESYMNOTFOUND if the driver file doesn't contain a driver
        !           157:  * @remarks NSS: the params can have "dir", "key3", "cert7" and "secmod"
        !           158:  *  keys, each followed by an equal sign and a value. Such key/value pairs can
        !           159:  *  be delimited by space or tab. If the value contains a space, surround the
        !           160:  *  whole key value pair in quotes: "dir=My Directory".
        !           161:  * @remarks OpenSSL: currently no params are supported.
        !           162:  */
        !           163: APU_DECLARE(apr_status_t) apr_crypto_get_driver(
        !           164:         const apr_crypto_driver_t **driver,
        !           165:         const char *name, const char *params, const apu_err_t **result,
        !           166:         apr_pool_t *pool);
        !           167: 
        !           168: /**
        !           169:  * @brief Return the name of the driver.
        !           170:  *
        !           171:  * @param driver - The driver in use.
        !           172:  * @return The name of the driver.
        !           173:  */
        !           174: APU_DECLARE(const char *) apr_crypto_driver_name(
        !           175:         const apr_crypto_driver_t *driver);
        !           176: 
        !           177: /**
        !           178:  * @brief Get the result of the last operation on a context. If the result
        !           179:  *        is NULL, the operation was successful.
        !           180:  * @param result - the result structure
        !           181:  * @param f - context pointer
        !           182:  * @return APR_SUCCESS for success
        !           183:  */
        !           184: APU_DECLARE(apr_status_t) apr_crypto_error(const apu_err_t **result,
        !           185:         const apr_crypto_t *f);
        !           186: 
        !           187: /**
        !           188:  * @brief Create a context for supporting encryption. Keys, certificates,
        !           189:  *        algorithms and other parameters will be set per context. More than
        !           190:  *        one context can be created at one time. A cleanup will be automatically
        !           191:  *        registered with the given pool to guarantee a graceful shutdown.
        !           192:  * @param f - context pointer will be written here
        !           193:  * @param driver - driver to use
        !           194:  * @param params - array of key parameters
        !           195:  * @param pool - process pool
        !           196:  * @return APR_ENOENGINE when the engine specified does not exist. APR_EINITENGINE
        !           197:  * if the engine cannot be initialised.
        !           198:  * @remarks NSS: currently no params are supported.
        !           199:  * @remarks OpenSSL: the params can have "engine" as a key, followed by an equal
        !           200:  *  sign and a value.
        !           201:  */
        !           202: APU_DECLARE(apr_status_t) apr_crypto_make(apr_crypto_t **f,
        !           203:         const apr_crypto_driver_t *driver, const char *params,
        !           204:         apr_pool_t *pool);
        !           205: 
        !           206: /**
        !           207:  * @brief Get a hash table of key types, keyed by the name of the type against
        !           208:  * an integer pointer constant.
        !           209:  *
        !           210:  * @param types - hashtable of key types keyed to constants.
        !           211:  * @param f - encryption context
        !           212:  * @return APR_SUCCESS for success
        !           213:  */
        !           214: APU_DECLARE(apr_status_t) apr_crypto_get_block_key_types(apr_hash_t **types,
        !           215:         const apr_crypto_t *f);
        !           216: 
        !           217: /**
        !           218:  * @brief Get a hash table of key modes, keyed by the name of the mode against
        !           219:  * an integer pointer constant.
        !           220:  *
        !           221:  * @param modes - hashtable of key modes keyed to constants.
        !           222:  * @param f - encryption context
        !           223:  * @return APR_SUCCESS for success
        !           224:  */
        !           225: APU_DECLARE(apr_status_t) apr_crypto_get_block_key_modes(apr_hash_t **modes,
        !           226:         const apr_crypto_t *f);
        !           227: 
        !           228: /**
        !           229:  * @brief Create a key from the given passphrase. By default, the PBKDF2
        !           230:  *        algorithm is used to generate the key from the passphrase. It is expected
        !           231:  *        that the same pass phrase will generate the same key, regardless of the
        !           232:  *        backend crypto platform used. The key is cleaned up when the context
        !           233:  *        is cleaned, and may be reused with multiple encryption or decryption
        !           234:  *        operations.
        !           235:  * @note If *key is NULL, a apr_crypto_key_t will be created from a pool. If
        !           236:  *       *key is not NULL, *key must point at a previously created structure.
        !           237:  * @param key The key returned, see note.
        !           238:  * @param ivSize The size of the initialisation vector will be returned, based
        !           239:  *               on whether an IV is relevant for this type of crypto.
        !           240:  * @param pass The passphrase to use.
        !           241:  * @param passLen The passphrase length in bytes
        !           242:  * @param salt The salt to use.
        !           243:  * @param saltLen The salt length in bytes
        !           244:  * @param type 3DES_192, AES_128, AES_192, AES_256.
        !           245:  * @param mode Electronic Code Book / Cipher Block Chaining.
        !           246:  * @param doPad Pad if necessary.
        !           247:  * @param iterations Number of iterations to use in algorithm
        !           248:  * @param f The context to use.
        !           249:  * @param p The pool to use.
        !           250:  * @return Returns APR_ENOKEY if the pass phrase is missing or empty, or if a backend
        !           251:  *         error occurred while generating the key. APR_ENOCIPHER if the type or mode
        !           252:  *         is not supported by the particular backend. APR_EKEYTYPE if the key type is
        !           253:  *         not known. APR_EPADDING if padding was requested but is not supported.
        !           254:  *         APR_ENOTIMPL if not implemented.
        !           255:  */
        !           256: APU_DECLARE(apr_status_t) apr_crypto_passphrase(apr_crypto_key_t **key,
        !           257:         apr_size_t *ivSize, const char *pass, apr_size_t passLen,
        !           258:         const unsigned char * salt, apr_size_t saltLen,
        !           259:         const apr_crypto_block_key_type_e type,
        !           260:         const apr_crypto_block_key_mode_e mode, const int doPad,
        !           261:         const int iterations, const apr_crypto_t *f, apr_pool_t *p);
        !           262: 
        !           263: /**
        !           264:  * @brief Initialise a context for encrypting arbitrary data using the given key.
        !           265:  * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If
        !           266:  *       *ctx is not NULL, *ctx must point at a previously created structure.
        !           267:  * @param ctx The block context returned, see note.
        !           268:  * @param iv Optional initialisation vector. If the buffer pointed to is NULL,
        !           269:  *           an IV will be created at random, in space allocated from the pool.
        !           270:  *           If the buffer pointed to is not NULL, the IV in the buffer will be
        !           271:  *           used.
        !           272:  * @param key The key structure to use.
        !           273:  * @param blockSize The block size of the cipher.
        !           274:  * @param p The pool to use.
        !           275:  * @return Returns APR_ENOIV if an initialisation vector is required but not specified.
        !           276:  *         Returns APR_EINIT if the backend failed to initialise the context. Returns
        !           277:  *         APR_ENOTIMPL if not implemented.
        !           278:  */
        !           279: APU_DECLARE(apr_status_t) apr_crypto_block_encrypt_init(
        !           280:         apr_crypto_block_t **ctx, const unsigned char **iv,
        !           281:         const apr_crypto_key_t *key, apr_size_t *blockSize, apr_pool_t *p);
        !           282: 
        !           283: /**
        !           284:  * @brief Encrypt data provided by in, write it to out.
        !           285:  * @note The number of bytes written will be written to outlen. If
        !           286:  *       out is NULL, outlen will contain the maximum size of the
        !           287:  *       buffer needed to hold the data, including any data
        !           288:  *       generated by apr_crypto_block_encrypt_finish below. If *out points
        !           289:  *       to NULL, a buffer sufficiently large will be created from
        !           290:  *       the pool provided. If *out points to a not-NULL value, this
        !           291:  *       value will be used as a buffer instead.
        !           292:  * @param out Address of a buffer to which data will be written,
        !           293:  *        see note.
        !           294:  * @param outlen Length of the output will be written here.
        !           295:  * @param in Address of the buffer to read.
        !           296:  * @param inlen Length of the buffer to read.
        !           297:  * @param ctx The block context to use.
        !           298:  * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if
        !           299:  *         not implemented.
        !           300:  */
        !           301: APU_DECLARE(apr_status_t) apr_crypto_block_encrypt(unsigned char **out,
        !           302:         apr_size_t *outlen, const unsigned char *in, apr_size_t inlen,
        !           303:         apr_crypto_block_t *ctx);
        !           304: 
        !           305: /**
        !           306:  * @brief Encrypt final data block, write it to out.
        !           307:  * @note If necessary the final block will be written out after being
        !           308:  *       padded. Typically the final block will be written to the
        !           309:  *       same buffer used by apr_crypto_block_encrypt, offset by the
        !           310:  *       number of bytes returned as actually written by the
        !           311:  *       apr_crypto_block_encrypt() call. After this call, the context
        !           312:  *       is cleaned and can be reused by apr_crypto_block_encrypt_init().
        !           313:  * @param out Address of a buffer to which data will be written. This
        !           314:  *            buffer must already exist, and is usually the same
        !           315:  *            buffer used by apr_evp_crypt(). See note.
        !           316:  * @param outlen Length of the output will be written here.
        !           317:  * @param ctx The block context to use.
        !           318:  * @return APR_ECRYPT if an error occurred.
        !           319:  * @return APR_EPADDING if padding was enabled and the block was incorrectly
        !           320:  *         formatted.
        !           321:  * @return APR_ENOTIMPL if not implemented.
        !           322:  */
        !           323: APU_DECLARE(apr_status_t) apr_crypto_block_encrypt_finish(unsigned char *out,
        !           324:         apr_size_t *outlen, apr_crypto_block_t *ctx);
        !           325: 
        !           326: /**
        !           327:  * @brief Initialise a context for decrypting arbitrary data using the given key.
        !           328:  * @note If *ctx is NULL, a apr_crypto_block_t will be created from a pool. If
        !           329:  *       *ctx is not NULL, *ctx must point at a previously created structure.
        !           330:  * @param ctx The block context returned, see note.
        !           331:  * @param blockSize The block size of the cipher.
        !           332:  * @param iv Optional initialisation vector.
        !           333:  * @param key The key structure to use.
        !           334:  * @param p The pool to use.
        !           335:  * @return Returns APR_ENOIV if an initialisation vector is required but not specified.
        !           336:  *         Returns APR_EINIT if the backend failed to initialise the context. Returns
        !           337:  *         APR_ENOTIMPL if not implemented.
        !           338:  */
        !           339: APU_DECLARE(apr_status_t) apr_crypto_block_decrypt_init(
        !           340:         apr_crypto_block_t **ctx, apr_size_t *blockSize,
        !           341:         const unsigned char *iv, const apr_crypto_key_t *key, apr_pool_t *p);
        !           342: 
        !           343: /**
        !           344:  * @brief Decrypt data provided by in, write it to out.
        !           345:  * @note The number of bytes written will be written to outlen. If
        !           346:  *       out is NULL, outlen will contain the maximum size of the
        !           347:  *       buffer needed to hold the data, including any data
        !           348:  *       generated by apr_crypto_block_decrypt_finish below. If *out points
        !           349:  *       to NULL, a buffer sufficiently large will be created from
        !           350:  *       the pool provided. If *out points to a not-NULL value, this
        !           351:  *       value will be used as a buffer instead.
        !           352:  * @param out Address of a buffer to which data will be written,
        !           353:  *        see note.
        !           354:  * @param outlen Length of the output will be written here.
        !           355:  * @param in Address of the buffer to read.
        !           356:  * @param inlen Length of the buffer to read.
        !           357:  * @param ctx The block context to use.
        !           358:  * @return APR_ECRYPT if an error occurred. Returns APR_ENOTIMPL if
        !           359:  *         not implemented.
        !           360:  */
        !           361: APU_DECLARE(apr_status_t) apr_crypto_block_decrypt(unsigned char **out,
        !           362:         apr_size_t *outlen, const unsigned char *in, apr_size_t inlen,
        !           363:         apr_crypto_block_t *ctx);
        !           364: 
        !           365: /**
        !           366:  * @brief Decrypt final data block, write it to out.
        !           367:  * @note If necessary the final block will be written out after being
        !           368:  *       padded. Typically the final block will be written to the
        !           369:  *       same buffer used by apr_crypto_block_decrypt, offset by the
        !           370:  *       number of bytes returned as actually written by the
        !           371:  *       apr_crypto_block_decrypt() call. After this call, the context
        !           372:  *       is cleaned and can be reused by apr_crypto_block_decrypt_init().
        !           373:  * @param out Address of a buffer to which data will be written. This
        !           374:  *            buffer must already exist, and is usually the same
        !           375:  *            buffer used by apr_evp_crypt(). See note.
        !           376:  * @param outlen Length of the output will be written here.
        !           377:  * @param ctx The block context to use.
        !           378:  * @return APR_ECRYPT if an error occurred.
        !           379:  * @return APR_EPADDING if padding was enabled and the block was incorrectly
        !           380:  *         formatted.
        !           381:  * @return APR_ENOTIMPL if not implemented.
        !           382:  */
        !           383: APU_DECLARE(apr_status_t) apr_crypto_block_decrypt_finish(unsigned char *out,
        !           384:         apr_size_t *outlen, apr_crypto_block_t *ctx);
        !           385: 
        !           386: /**
        !           387:  * @brief Clean encryption / decryption context.
        !           388:  * @note After cleanup, a context is free to be reused if necessary.
        !           389:  * @param ctx The block context to use.
        !           390:  * @return Returns APR_ENOTIMPL if not supported.
        !           391:  */
        !           392: APU_DECLARE(apr_status_t) apr_crypto_block_cleanup(apr_crypto_block_t *ctx);
        !           393: 
        !           394: /**
        !           395:  * @brief Clean encryption / decryption context.
        !           396:  * @note After cleanup, a context is free to be reused if necessary.
        !           397:  * @param f The context to use.
        !           398:  * @return Returns APR_ENOTIMPL if not supported.
        !           399:  */
        !           400: APU_DECLARE(apr_status_t) apr_crypto_cleanup(apr_crypto_t *f);
        !           401: 
        !           402: /**
        !           403:  * @brief Shutdown the crypto library.
        !           404:  * @note After shutdown, it is expected that the init function can be called again.
        !           405:  * @param driver - driver to use
        !           406:  * @return Returns APR_ENOTIMPL if not supported.
        !           407:  */
        !           408: APU_DECLARE(apr_status_t) apr_crypto_shutdown(
        !           409:         const apr_crypto_driver_t *driver);
        !           410: 
        !           411: #endif /* APU_HAVE_CRYPTO */
        !           412: 
        !           413: /** @} */
        !           414: 
        !           415: #ifdef __cplusplus
        !           416: }
        !           417: #endif
        !           418: 
        !           419: #endif

E-mail: