Updated `NEWS'.
[gnutls.git] / lgl / gc.h
blob9f4bf21515def76af15b20aeae1faed7c61b9ab0
1 /* gc.h --- Header file for implementation agnostic crypto wrapper API.
2 * Copyright (C) 2002, 2003, 2004, 2005, 2007 Simon Josefsson
4 * This file is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU Lesser General Public License as published
6 * by the Free Software Foundation; either version 2.1, or (at your
7 * option) any later version.
9 * This file is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
14 * You should have received a copy of the GNU Lesser General Public License
15 * along with this file; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
21 #ifndef GC_H
22 # define GC_H
24 /* Get size_t. */
25 # include <stddef.h>
27 enum Gc_rc
29 GC_OK = 0,
30 GC_MALLOC_ERROR,
31 GC_INIT_ERROR,
32 GC_RANDOM_ERROR,
33 GC_INVALID_CIPHER,
34 GC_INVALID_HASH,
35 GC_PKCS5_INVALID_ITERATION_COUNT,
36 GC_PKCS5_INVALID_DERIVED_KEY_LENGTH,
37 GC_PKCS5_DERIVED_KEY_TOO_LONG
39 typedef enum Gc_rc Gc_rc;
41 /* Hash types. */
42 enum Gc_hash
44 GC_MD4,
45 GC_MD5,
46 GC_SHA1,
47 GC_MD2,
48 GC_RMD160,
49 GC_SHA256,
50 GC_SHA384,
51 GC_SHA512
53 typedef enum Gc_hash Gc_hash;
55 enum Gc_hash_mode
57 GC_HMAC = 1
59 typedef enum Gc_hash_mode Gc_hash_mode;
61 typedef void *gc_hash_handle;
63 #define GC_MD2_DIGEST_SIZE 16
64 #define GC_MD4_DIGEST_SIZE 16
65 #define GC_MD5_DIGEST_SIZE 16
66 #define GC_RMD160_DIGEST_SIZE 20
67 #define GC_SHA1_DIGEST_SIZE 20
68 #define GC_SHA256_DIGEST_SIZE 32
69 #define GC_SHA384_DIGEST_SIZE 48
70 #define GC_SHA512_DIGEST_SIZE 64
72 /* Cipher types. */
73 enum Gc_cipher
75 GC_AES128,
76 GC_AES192,
77 GC_AES256,
78 GC_3DES,
79 GC_DES,
80 GC_ARCFOUR128,
81 GC_ARCFOUR40,
82 GC_ARCTWO40
84 typedef enum Gc_cipher Gc_cipher;
86 enum Gc_cipher_mode
88 GC_ECB,
89 GC_CBC,
90 GC_STREAM
92 typedef enum Gc_cipher_mode Gc_cipher_mode;
94 typedef void *gc_cipher_handle;
96 /* Call before respectively after any other functions. */
97 extern Gc_rc gc_init (void);
98 extern void gc_done (void);
100 /* Memory allocation (avoid). */
101 typedef void *(*gc_malloc_t) (size_t n);
102 typedef int (*gc_secure_check_t) (const void *);
103 typedef void *(*gc_realloc_t) (void *p, size_t n);
104 typedef void (*gc_free_t) (void *);
105 extern void gc_set_allocators (gc_malloc_t func_malloc,
106 gc_malloc_t secure_malloc,
107 gc_secure_check_t secure_check,
108 gc_realloc_t func_realloc,
109 gc_free_t func_free);
111 /* Randomness. */
112 extern Gc_rc gc_nonce (char *data, size_t datalen);
113 extern Gc_rc gc_pseudo_random (char *data, size_t datalen);
114 extern Gc_rc gc_random (char *data, size_t datalen);
116 /* Ciphers. */
117 extern Gc_rc gc_cipher_open (Gc_cipher cipher, Gc_cipher_mode mode,
118 gc_cipher_handle *outhandle);
119 extern Gc_rc gc_cipher_setkey (gc_cipher_handle handle,
120 size_t keylen, const char *key);
121 extern Gc_rc gc_cipher_setiv (gc_cipher_handle handle,
122 size_t ivlen, const char *iv);
123 extern Gc_rc gc_cipher_encrypt_inline (gc_cipher_handle handle,
124 size_t len, char *data);
125 extern Gc_rc gc_cipher_decrypt_inline (gc_cipher_handle handle,
126 size_t len, char *data);
127 extern Gc_rc gc_cipher_close (gc_cipher_handle handle);
129 /* Hashes. */
131 extern Gc_rc gc_hash_open (Gc_hash hash, Gc_hash_mode mode,
132 gc_hash_handle *outhandle);
133 extern Gc_rc gc_hash_clone (gc_hash_handle handle, gc_hash_handle *outhandle);
134 extern size_t gc_hash_digest_length (Gc_hash hash);
135 extern void gc_hash_hmac_setkey (gc_hash_handle handle,
136 size_t len, const char *key);
137 extern void gc_hash_write (gc_hash_handle handle,
138 size_t len, const char *data);
139 extern const char *gc_hash_read (gc_hash_handle handle);
140 extern void gc_hash_close (gc_hash_handle handle);
142 /* Compute a hash value over buffer IN of INLEN bytes size using the
143 algorithm HASH, placing the result in the pre-allocated buffer OUT.
144 The required size of OUT depends on HASH, and is generally
145 GC_<HASH>_DIGEST_SIZE. For example, for GC_MD5 the output buffer
146 must be 16 bytes. The return value is 0 (GC_OK) on success, or
147 another Gc_rc error code. */
148 extern Gc_rc
149 gc_hash_buffer (Gc_hash hash, const void *in, size_t inlen, char *out);
151 /* One-call interface. */
152 extern Gc_rc gc_md2 (const void *in, size_t inlen, void *resbuf);
153 extern Gc_rc gc_md4 (const void *in, size_t inlen, void *resbuf);
154 extern Gc_rc gc_md5 (const void *in, size_t inlen, void *resbuf);
155 extern Gc_rc gc_sha1 (const void *in, size_t inlen, void *resbuf);
156 extern Gc_rc gc_hmac_md5 (const void *key, size_t keylen,
157 const void *in, size_t inlen, char *resbuf);
158 extern Gc_rc gc_hmac_sha1 (const void *key, size_t keylen,
159 const void *in, size_t inlen, char *resbuf);
161 /* Derive cryptographic keys from a password P of length PLEN, with
162 salt S of length SLEN, placing the result in pre-allocated buffer
163 DK of length DKLEN. An iteration count is specified in C, where a
164 larger value means this function take more time (typical iteration
165 counts are 1000-20000). This function "stretches" the key to be
166 exactly dkLen bytes long. GC_OK is returned on success, otherwise
167 an Gc_rc error code is returned. */
168 extern Gc_rc
169 gc_pbkdf2_sha1 (const char *P, size_t Plen,
170 const char *S, size_t Slen,
171 unsigned int c, char *DK, size_t dkLen);
174 TODO:
176 From: Simon Josefsson <jas@extundo.com>
177 Subject: Re: generic crypto
178 Newsgroups: gmane.comp.lib.gnulib.bugs
179 Cc: bug-gnulib@gnu.org
180 Date: Fri, 07 Oct 2005 12:50:57 +0200
181 Mail-Copies-To: nobody
183 Paul Eggert <eggert@CS.UCLA.EDU> writes:
185 > Simon Josefsson <jas@extundo.com> writes:
187 >> * Perhaps the /dev/?random reading should be separated into a separate
188 >> module? It might be useful outside of the gc layer too.
190 > Absolutely. I've been meaning to do that for months (for a "shuffle"
191 > program I want to add to coreutils), but hadn't gotten around to it.
192 > It would have to be generalized a bit. I'd like to have the file
193 > descriptor cached, for example.
195 I'll write a separate module for that part.
197 I think we should even add a good PRNG that is re-seeded from
198 /dev/?random frequently. GnuTLS can need a lot of random data on a
199 big server, more than /dev/random can supply. And /dev/urandom might
200 not be strong enough. Further, the security of /dev/?random can also
201 be questionable.
203 >> I'm also not sure about the names of those functions, they suggest
204 >> a more higher-level API than what is really offered (i.e., the
205 >> names "nonce" and "pseudo_random" and "random" imply certain
206 >> cryptographic properties).
208 > Could you expand a bit more on that? What is the relationship between
209 > nonce/pseudorandom/random and the /dev/ values you are using?
211 There is none, that is the problem.
213 Applications generally need different kind of "random" numbers.
214 Sometimes they just need some random data and doesn't care whether it
215 is possible for an attacker to compute the string (aka a "nonce").
216 Sometimes they need data that is very difficult to compute (i.e.,
217 computing it require inverting SHA1 or similar). Sometimes they need
218 data that is not possible to compute, i.e., it wants real entropy
219 collected over time on the system. Collecting the last kind of random
220 data is very expensive, so it must not be used too often. The second
221 kind of random data ("pseudo random") is typically generated by
222 seeding a good PRNG with a couple of hundred bytes of real entropy
223 from the "real random" data pool. The "nonce" is usually computed
224 using the PRNG as well, because PRNGs are usually fast.
226 Pseudo-random data is typically used for session keys. Strong random
227 data is often used to generate long-term keys (e.g., private RSA
228 keys).
230 Of course, there are many subtleties. There are several different
231 kind of nonce:s. Sometimes a nonce is just an ever-increasing
232 integer, starting from 0. Sometimes it is assumed to be unlikely to
233 be the same as previous nonces, but without a requirement that the
234 nonce is possible to guess. MD5(system clock) would thus suffice, if
235 it isn't called too often. You can guess what the next value will be,
236 but it will always be different.
238 The problem is that /dev/?random doesn't offer any kind of semantic
239 guarantees. But applications need an API that make that promise.
241 I think we should do this in several steps:
243 1) Write a module that can read from /dev/?random.
245 2) Add a module for a known-good PRNG suitable for random number
246 generation, that can be continuously re-seeded.
248 3) Add a high-level module that provide various different randomness
249 functions. One for nonces, perhaps even different kind of nonces,
250 one for pseudo random data, and one for strong random data. It is
251 not clear whether we can hope to achieve the last one in a portable
252 way.
254 Further, it would be useful to allow users to provide their own
255 entropy source as a file, used to seed the PRNG or initialize the
256 strong randomness pool. This is used on embedded platforms that
257 doesn't have enough interrupts to hope to generate good random data.
259 > For example, why not use OpenBSD's /dev/arandom?
261 I don't trust ARC4. For example, recent cryptographic efforts
262 indicate that you must throw away the first 512 bytes generated from
263 the PRNG for it to be secure. I don't know whether OpenBSD do this.
264 Further, I recall some eprint paper on RC4 security that didn't
265 inspire confidence.
267 While I trust the random devices in OpenBSD more than
268 Solaris/AIX/HPUX/etc, I think that since we need something better on
269 Solaris/AIX/HPUX we'd might as well use it on OpenBSD or even Linux
270 too.
272 > Here is one thought. The user could specify a desired quality level
273 > range, and the implementation then would supply random data that is at
274 > least as good as the lower bound of the range. I.e., ihe
275 > implementation refuses to produce any random data if it can't generate
276 > data that is at least as good as the lower end of the range. The
277 > upper bound of the range is advice from the user not to be any more
278 > expensive than that, but the implementation can ignore the advice if
279 > it doesn't have anything cheaper.
281 I'm not sure this is a good idea. Users can't really be expected to
282 understand this. Further, applications need many different kind of
283 random data. Selecting the randomness level for each by the user will
284 be too complicated.
286 I think it is better if the application decide, from its cryptographic
287 requirement, what entropy quality it require, and call the proper API.
288 Meeting the implied semantic properties should be the job for gnulib.
290 >> Perhaps gc_dev_random and gc_dev_urandom?
292 > To some extent. I'd rather insulate the user from the details of
293 > where the random numbers come from. On the other hand we need to
294 > provide a way for applications to specify a file that contains
295 > random bits, so that people can override the defaults.
297 Agreed.
299 This may require some thinking before it is finalized. Is it ok to
300 install the GC module as-is meanwhile? Then I can continue to add the
301 stuff that GnuTLS need, and then come back to re-working the
302 randomness module. That way, we have two different projects that use
303 the code. GnuTLS includes the same randomness code that was in GNU
304 SASL and that is in the current gc module. I feel much more
305 comfortable working in small steps at a time, rather then working on
306 this for a long time in gnulib and only later integrate the stuff in
307 GnuTLS.
309 Thanks,
310 Simon
313 #endif /* GC_H */