Google Git
Sign in
flutter / third_party / openssl / 4098e89cbf1212e2fb796d64725f259ac680cb56 / . / doc / cipher.doc
blob: d49ba78c5cd305bc64b29680d915fc5a5eb5f733 [file] [log] [blame]
The Cipher subroutines.
These routines require "evp.h" to be included.
These functions are a higher level interface to the various cipher
routines found in this library. As such, they allow the same code to be
used to encrypt and decrypt via different ciphers with only a change
in an initial parameter. These routines also provide buffering for block
ciphers.
These routines all take a pointer to the following structure to specify
which cipher to use. If you wish to use a new cipher with these routines,
you would probably be best off looking an how an existing cipher is
implemented and copying it. At this point in time, I'm not going to go
into many details. This structure should be considered opaque
typedef struct pem_cipher_st
{
int type;
int block_size;
int key_len;
int iv_len;
void (*enc_init)(); /* init for encryption */
void (*dec_init)(); /* init for decryption */
void (*do_cipher)(); /* encrypt data */
} EVP_CIPHER;
The type field is the object NID of the cipher type
(read the section on Objects for an explanation of what a NID is).
The cipher block_size is how many bytes need to be passed
to the cipher at a time. Key_len is the
length of the key the cipher requires and iv_len is the length of the
initialisation vector required. enc_init is the function
called to initialise the ciphers context for encryption and dec_init is the
function to initialise for decryption (they need to be different, especially
for the IDEA cipher).
One reason for specifying the Cipher via a pointer to a structure
is that if you only use des-cbc, only the des-cbc routines will
be included when you link the program. If you passed an integer
that specified which cipher to use, the routine that mapped that
integer to a set of cipher functions would cause all the ciphers
to be link into the code. This setup also allows new ciphers
to be added by the application (with some restrictions).
The thirteen ciphers currently defined in this library are
EVP_CIPHER *EVP_des_ecb(); /* DES in ecb mode, iv=0, block=8, key= 8 */
EVP_CIPHER *EVP_des_ede(); /* DES in ecb ede mode, iv=0, block=8, key=16 */
EVP_CIPHER *EVP_des_ede3(); /* DES in ecb ede mode, iv=0, block=8, key=24 */
EVP_CIPHER *EVP_des_cfb(); /* DES in cfb mode, iv=8, block=1, key= 8 */
EVP_CIPHER *EVP_des_ede_cfb(); /* DES in ede cfb mode, iv=8, block=1, key=16 */
EVP_CIPHER *EVP_des_ede3_cfb();/* DES in ede cfb mode, iv=8, block=1, key=24 */
EVP_CIPHER *EVP_des_ofb(); /* DES in ofb mode, iv=8, block=1, key= 8 */
EVP_CIPHER *EVP_des_ede_ofb(); /* DES in ede ofb mode, iv=8, block=1, key=16 */
EVP_CIPHER *EVP_des_ede3_ofb();/* DES in ede ofb mode, iv=8, block=1, key=24 */
EVP_CIPHER *EVP_des_cbc(); /* DES in cbc mode, iv=8, block=8, key= 8 */
EVP_CIPHER *EVP_des_ede_cbc(); /* DES in cbc ede mode, iv=8, block=8, key=16 */
EVP_CIPHER *EVP_des_ede3_cbc();/* DES in cbc ede mode, iv=8, block=8, key=24 */
EVP_CIPHER *EVP_desx_cbc(); /* DES in desx cbc mode,iv=8, block=8, key=24 */
EVP_CIPHER *EVP_rc4(); /* RC4, iv=0, block=1, key=16 */
EVP_CIPHER *EVP_idea_ecb(); /* IDEA in ecb mode, iv=0, block=8, key=16 */
EVP_CIPHER *EVP_idea_cfb(); /* IDEA in cfb mode, iv=8, block=1, key=16 */
EVP_CIPHER *EVP_idea_ofb(); /* IDEA in ofb mode, iv=8, block=1, key=16 */
EVP_CIPHER *EVP_idea_cbc(); /* IDEA in cbc mode, iv=8, block=8, key=16 */
EVP_CIPHER *EVP_rc2_ecb(); /* RC2 in ecb mode, iv=0, block=8, key=16 */
EVP_CIPHER *EVP_rc2_cfb(); /* RC2 in cfb mode, iv=8, block=1, key=16 */
EVP_CIPHER *EVP_rc2_ofb(); /* RC2 in ofb mode, iv=8, block=1, key=16 */
EVP_CIPHER *EVP_rc2_cbc(); /* RC2 in cbc mode, iv=8, block=8, key=16 */
EVP_CIPHER *EVP_bf_ecb(); /* Blowfish in ecb mode,iv=0, block=8, key=16 */
EVP_CIPHER *EVP_bf_cfb(); /* Blowfish in cfb mode,iv=8, block=1, key=16 */
EVP_CIPHER *EVP_bf_ofb(); /* Blowfish in ofb mode,iv=8, block=1, key=16 */
EVP_CIPHER *EVP_bf_cbc(); /* Blowfish in cbc mode,iv=8, block=8, key=16 */
The meaning of the compound names is as follows.
des The base cipher is DES.
idea The base cipher is IDEA
rc4 The base cipher is RC4-128
rc2 The base cipher is RC2-128
ecb Electronic Code Book form of the cipher.
cbc Cipher Block Chaining form of the cipher.
cfb 64 bit Cipher Feedback form of the cipher.
ofb 64 bit Output Feedback form of the cipher.
ede The cipher is used in Encrypt, Decrypt, Encrypt mode. The first
and last keys are the same.
ede3 The cipher is used in Encrypt, Decrypt, Encrypt mode.
All the Cipher routines take a EVP_CIPHER_CTX pointer as an argument.
The state of the cipher is kept in this structure.
typedef struct EVP_CIPHER_Ctx_st
{
EVP_CIPHER *cipher;
int encrypt; /* encrypt or decrypt */
int buf_len; /* number we have left */
unsigned char buf[8];
union {
.... /* cipher specific stuff */
} c;
} EVP_CIPHER_CTX;
Cipher is a pointer the the EVP_CIPHER for the current context. The encrypt
flag indicates encryption or decryption. buf_len is the number of bytes
currently being held in buf.
The 'c' union holds the cipher specify context.
The following functions are to be used.
int EVP_read_pw_string(
char *buf,
int len,
char *prompt,
int verify,
This function is the same as des_read_pw_string() (des.doc).
void EVP_set_pw_prompt(char *prompt);
This function sets the 'default' prompt to use to use in
EVP_read_pw_string when the prompt parameter is NULL. If the
prompt parameter is NULL, this 'default prompt' feature is turned
off. Be warned, this is a global variable so weird things
will happen if it is used under Win16 and care must be taken
with a multi-threaded version of the library.
char *EVP_get_pw_prompt();
This returns a pointer to the default prompt string. NULL
if it is not set.
int EVP_BytesToKey(
EVP_CIPHER *type,
EVP_MD *md,
unsigned char *salt,
unsigned char *data,
int datal,
int count,
unsigned char *key,
unsigned char *iv);
This function is used to generate a key and an initialisation vector
for a specified cipher from a key string and a salt. Type
specifies the cipher the 'key' is being generated for. Md is the
message digest algorithm to use to generate the key and iv. The salt
is an optional 8 byte object that is used to help seed the key
generator.
If the salt value is NULL, it is just not used. Datal is the
number of bytes to use from 'data' in the key generation.
This function returns the key size for the specified cipher, if
data is NULL, this value is returns and no other
computation is performed. Count is
the number of times to loop around the key generator. I would
suggest leaving it's value as 1. Key and iv are the structures to
place the returning iv and key in. If they are NULL, no value is
generated for that particular value.
The algorithm used is as follows
/* M[] is an array of message digests
* MD() is the message digest function */
M[0]=MD(data . salt);
for (i=1; i<count; i++) M[0]=MD(M[0]);
i=1
while (data still needed for key and iv)
{
M[i]=MD(M[i-1] . data . salt);
for (i=1; i<count; i++) M[i]=MD(M[i]);
i++;
}
If the salt is NULL, it is not used.
The digests are concatenated together.
M = M[0] . M[1] . M[2] .......
For key= 8, iv=8 => key=M[0.. 8], iv=M[ 9 .. 16].
For key=16, iv=0 => key=M[0..16].
For key=16, iv=8 => key=M[0..16], iv=M[17 .. 24].
For key=24, iv=8 => key=M[0..24], iv=M[25 .. 32].
This routine will produce DES-CBC keys and iv that are compatible
with the PKCS-5 standard when md2 or md5 are used. If md5 is
used, the salt is NULL and count is 1, this routine will produce
the password to key mapping normally used with RC4.
I have attempted to logically extend the PKCS-5 standard to
generate keys and iv for ciphers that require more than 16 bytes,
if anyone knows what the correct standard is, please inform me.
When using sha or sha1, things are a bit different under this scheme,
since sha produces a 20 byte digest. So for ciphers requiring
24 bits of data, 20 will come from the first MD and 4 will
come from the second.
I have considered having a separate function so this 'routine'
can be used without the requirement of passing a EVP_CIPHER *,
but I have decided to not bother. If you wish to use the
function without official EVP_CIPHER structures, just declare
a local one and set the key_len and iv_len fields to the
length you desire.
The following routines perform encryption and decryption 'by parts'. By
this I mean that there are groups of 3 routines. An Init function that is
used to specify a cipher and initialise data structures. An Update routine
that does encryption/decryption, one 'chunk' at a time. And finally a
'Final' function that finishes the encryption/decryption process.
All these functions take a EVP_CIPHER pointer to specify which cipher to
encrypt/decrypt with. They also take a EVP_CIPHER_CTX object as an
argument. This structure is used to hold the state information associated
with the operation in progress.
void EVP_EncryptInit(
EVP_CIPHER_CTX *ctx,
EVP_CIPHER *type,
unsigned char *key,
unsigned char *iv);
This function initialise a EVP_CIPHER_CTX for encryption using the
cipher passed in the 'type' field. The cipher is initialised to use
'key' as the key and 'iv' for the initialisation vector (if one is
required). If the type, key or iv is NULL, the value currently in the
EVP_CIPHER_CTX is reused. So to perform several decrypt
using the same cipher, key and iv, initialise with the cipher,
key and iv the first time and then for subsequent calls,
reuse 'ctx' but pass NULL for type, key and iv. You must make sure
to pass a key that is large enough for a particular cipher. I
would suggest using the EVP_BytesToKey() function.
void EVP_EncryptUpdate(
EVP_CIPHER_CTX *ctx,
unsigned char *out,
int *outl,
unsigned char *in,
int inl);
This function takes 'inl' bytes from 'in' and outputs bytes
encrypted by the cipher 'ctx' was initialised with into 'out'. The
number of bytes written to 'out' is put into outl. If a particular
cipher encrypts in blocks, less or more bytes than input may be
output. Currently the largest block size used by supported ciphers
is 8 bytes, so 'out' should have room for 'inl+7' bytes. Normally
EVP_EncryptInit() is called once, followed by lots and lots of
calls to EVP_EncryptUpdate, followed by a single EVP_EncryptFinal
call.
void EVP_EncryptFinal(
EVP_CIPHER_CTX *ctx,
unsigned char *out,
int *outl);
Because quite a large number of ciphers are block ciphers, there is
often an incomplete block to write out at the end of the
encryption. EVP_EncryptFinal() performs processing on this last
block. The last block in encoded in such a way that it is possible
to determine how many bytes in the last block are valid. For 8 byte
block size ciphers, if only 5 bytes in the last block are valid, the
last three bytes will be filled with the value 3. If only 2 were
valid, the other 6 would be filled with sixes. If all 8 bytes are
valid, a extra 8 bytes are appended to the cipher stream containing
nothing but 8 eights. These last bytes are output into 'out' and
the number of bytes written is put into 'outl' These last bytes
are output into 'out' and the number of bytes written is put into
'outl'. This form of block cipher finalisation is compatible with
PKCS-5. Please remember that even if you are using ciphers like
RC4 that has no blocking and so the function will not write
anything into 'out', it would still be a good idea to pass a
variable for 'out' that can hold 8 bytes just in case the cipher is
changed some time in the future. It should also be remembered
that the EVP_CIPHER_CTX contains the password and so when one has
finished encryption with a particular EVP_CIPHER_CTX, it is good
practice to zero the structure
(ie. memset(ctx,0,sizeof(EVP_CIPHER_CTX)).
void EVP_DecryptInit(
EVP_CIPHER_CTX *ctx,
EVP_CIPHER *type,
unsigned char *key,
unsigned char *iv);
This function is basically the same as EVP_EncryptInit() accept that
is prepares the EVP_CIPHER_CTX for decryption.
void EVP_DecryptUpdate(
EVP_CIPHER_CTX *ctx,
unsigned char *out,
int *outl,
unsigned char *in,
int inl);
This function is basically the same as EVP_EncryptUpdate()
except that it performs decryption. There is one
fundamental difference though. 'out' can not be the same as
'in' for any ciphers with a block size greater than 1 if more
than one call to EVP_DecryptUpdate() will be made. This
is because this routine can hold a 'partial' block between
calls. When a partial block is decrypted (due to more bytes
being passed via this function, they will be written to 'out'
overwriting the input bytes in 'in' that have not been read
yet. From this it should also be noted that 'out' should
be at least one 'block size' larger than 'inl'. This problem
only occurs on the second and subsequent call to
EVP_DecryptUpdate() when using a block cipher.
int EVP_DecryptFinal(
EVP_CIPHER_CTX *ctx,
unsigned char *out,
int *outl);
This function is different to EVP_EncryptFinal in that it 'removes'
any padding bytes appended when the data was encrypted. Due to the
way in which 1 to 8 bytes may have been appended when encryption
using a block cipher, 'out' can end up with 0 to 7 bytes being put
into it. When decoding the padding bytes, it is possible to detect
an incorrect decryption. If the decryption appears to be wrong, 0
is returned. If everything seems ok, 1 is returned. For ciphers
with a block size of 1 (RC4), this function would normally not
return any bytes and would always return 1. Just because this
function returns 1 does not mean the decryption was correct. It
would normally be wrong due to either the wrong key/iv or
corruption of the cipher data fed to EVP_DecryptUpdate().
As for EVP_EncryptFinal, it is a good idea to zero the
EVP_CIPHER_CTX after use since the structure contains the key used
to decrypt the data.
The following Cipher routines are convenience routines that call either
EVP_EncryptXxx or EVP_DecryptXxx depending on weather the EVP_CIPHER_CTX
was setup to encrypt or decrypt.
void EVP_CipherInit(
EVP_CIPHER_CTX *ctx,
EVP_CIPHER *type,
unsigned char *key,
unsigned char *iv,
int enc);
This function take arguments that are the same as EVP_EncryptInit()
and EVP_DecryptInit() except for the extra 'enc' flag. If 1, the
EVP_CIPHER_CTX is setup for encryption, if 0, decryption.
void EVP_CipherUpdate(
EVP_CIPHER_CTX *ctx,
unsigned char *out,
int *outl,
unsigned char *in,
int inl);
Again this function calls either EVP_EncryptUpdate() or
EVP_DecryptUpdate() depending on state in the 'ctx' structure.
As noted for EVP_DecryptUpdate(), when this routine is used
for decryption with block ciphers, 'out' should not be the
same as 'in'.
int EVP_CipherFinal(
EVP_CIPHER_CTX *ctx,
unsigned char *outm,
int *outl);
This routine call EVP_EncryptFinal() or EVP_DecryptFinal()
depending on the state information in 'ctx'. 1 is always returned
if the mode is encryption, otherwise the return value is the return
value of EVP_DecryptFinal().