xref: /openssl/doc/man7/provider-cipher.pod (revision c44066bb)
1=pod
2
3=head1 NAME
4
5provider-cipher - The cipher library E<lt>-E<gt> provider functions
6
7=head1 SYNOPSIS
8
9=for openssl multiple includes
10
11 #include <openssl/core_dispatch.h>
12 #include <openssl/core_names.h>
13
14 /*
15  * None of these are actual functions, but are displayed like this for
16  * the function signatures for functions that are offered as function
17  * pointers in OSSL_DISPATCH arrays.
18  */
19
20 /* Context management */
21 void *OSSL_FUNC_cipher_newctx(void *provctx);
22 void OSSL_FUNC_cipher_freectx(void *cctx);
23 void *OSSL_FUNC_cipher_dupctx(void *cctx);
24
25 /* Encryption/decryption */
26 int OSSL_FUNC_cipher_encrypt_init(void *cctx, const unsigned char *key,
27                                   size_t keylen, const unsigned char *iv,
28                                   size_t ivlen, const OSSL_PARAM params[]);
29 int OSSL_FUNC_cipher_decrypt_init(void *cctx, const unsigned char *key,
30                                   size_t keylen, const unsigned char *iv,
31                                   size_t ivlen, const OSSL_PARAM params[]);
32 int OSSL_FUNC_cipher_update(void *cctx, unsigned char *out, size_t *outl,
33                             size_t outsize, const unsigned char *in, size_t inl);
34 int OSSL_FUNC_cipher_final(void *cctx, unsigned char *out, size_t *outl,
35                            size_t outsize);
36 int OSSL_FUNC_cipher_cipher(void *cctx, unsigned char *out, size_t *outl,
37                             size_t outsize, const unsigned char *in, size_t inl);
38
39 /* Encryption/decryption using cipher pipeline */
40 int OSSL_FUNC_cipher_pipeline_encrypt_init(void *cctx, const unsigned char *key,
41                                            size_t keylen, size_t numpipes,
42                                            const unsigned char **iv, size_t ivlen,
43                                            const OSSL_PARAM params[]))
44 int OSSL_FUNC_cipher_pipeline_decrypt_init(void *cctx, const unsigned char *key,
45                                            size_t keylen, size_t numpipes,
46                                            const unsigned char **iv, size_t ivlen,
47                                            const OSSL_PARAM params[]))
48 int OSSL_FUNC_cipher_pipeline_update(void *cctx, size_t numpipes,
49                                      unsigned char **out, size_t *outl,
50                                      const size_t *outsize,
51                                      const unsigned char **in, const size_t *inl))
52 int OSSL_FUNC_cipher_pipeline_final(void *cctx, size_t numpipes,
53                                     unsigned char **out, size_t *outl,
54                                     const size_t *outsize))
55
56 /* Cipher parameter descriptors */
57 const OSSL_PARAM *OSSL_FUNC_cipher_gettable_params(void *provctx);
58
59 /* Cipher operation parameter descriptors */
60 const OSSL_PARAM *OSSL_FUNC_cipher_gettable_ctx_params(void *cctx,
61                                                        void *provctx);
62 const OSSL_PARAM *OSSL_FUNC_cipher_settable_ctx_params(void *cctx,
63                                                        void *provctx);
64
65 /* Cipher parameters */
66 int OSSL_FUNC_cipher_get_params(OSSL_PARAM params[]);
67
68 /* Cipher operation parameters */
69 int OSSL_FUNC_cipher_get_ctx_params(void *cctx, OSSL_PARAM params[]);
70 int OSSL_FUNC_cipher_set_ctx_params(void *cctx, const OSSL_PARAM params[]);
71
72=head1 DESCRIPTION
73
74This documentation is primarily aimed at provider authors. See L<provider(7)>
75for further information.
76
77The CIPHER operation enables providers to implement cipher algorithms and make
78them available to applications via the API functions L<EVP_EncryptInit_ex(3)>,
79L<EVP_EncryptUpdate(3)> and L<EVP_EncryptFinal(3)> (as well as the decrypt
80equivalents and other related functions).
81
82All "functions" mentioned here are passed as function pointers between
83F<libcrypto> and the provider in L<OSSL_DISPATCH(3)> arrays via
84L<OSSL_ALGORITHM(3)> arrays that are returned by the provider's
85provider_query_operation() function
86(see L<provider-base(7)/Provider Functions>).
87
88All these "functions" have a corresponding function type definition
89named B<OSSL_FUNC_{name}_fn>, and a helper function to retrieve the
90function pointer from an L<OSSL_DISPATCH(3)> element named
91B<OSSL_FUNC_{name}>.
92For example, the "function" OSSL_FUNC_cipher_newctx() has these:
93
94 typedef void *(OSSL_FUNC_cipher_newctx_fn)(void *provctx);
95 static ossl_inline OSSL_FUNC_cipher_newctx_fn
96     OSSL_FUNC_cipher_newctx(const OSSL_DISPATCH *opf);
97
98L<OSSL_DISPATCH(3)> arrays are indexed by numbers that are provided as
99macros in L<openssl-core_dispatch.h(7)>, as follows:
100
101 OSSL_FUNC_cipher_newctx                    OSSL_FUNC_CIPHER_NEWCTX
102 OSSL_FUNC_cipher_freectx                   OSSL_FUNC_CIPHER_FREECTX
103 OSSL_FUNC_cipher_dupctx                    OSSL_FUNC_CIPHER_DUPCTX
104
105 OSSL_FUNC_cipher_encrypt_init              OSSL_FUNC_CIPHER_ENCRYPT_INIT
106 OSSL_FUNC_cipher_decrypt_init              OSSL_FUNC_CIPHER_DECRYPT_INIT
107 OSSL_FUNC_cipher_update                    OSSL_FUNC_CIPHER_UPDATE
108 OSSL_FUNC_cipher_final                     OSSL_FUNC_CIPHER_FINAL
109 OSSL_FUNC_cipher_cipher                    OSSL_FUNC_CIPHER_CIPHER
110
111 OSSL_FUNC_cipher_pipeline_encrypt_init     OSSL_FUNC_CIPHER_PIPELINE_ENCRYPT_INIT
112 OSSL_FUNC_cipher_pipeline_decrypt_init     OSSL_FUNC_CIPHER_PIPELINE_DECRYPT_INIT
113 OSSL_FUNC_cipher_pipeline_update           OSSL_FUNC_CIPHER_PIPELINE_UPDATE
114 OSSL_FUNC_cipher_pipeline_final            OSSL_FUNC_CIPHER_PIPELINE_FINAL
115
116 OSSL_FUNC_cipher_get_params                OSSL_FUNC_CIPHER_GET_PARAMS
117 OSSL_FUNC_cipher_get_ctx_params            OSSL_FUNC_CIPHER_GET_CTX_PARAMS
118 OSSL_FUNC_cipher_set_ctx_params            OSSL_FUNC_CIPHER_SET_CTX_PARAMS
119
120 OSSL_FUNC_cipher_gettable_params           OSSL_FUNC_CIPHER_GETTABLE_PARAMS
121 OSSL_FUNC_cipher_gettable_ctx_params       OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS
122 OSSL_FUNC_cipher_settable_ctx_params       OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS
123
124A cipher algorithm implementation may not implement all of these functions.
125In order to be a consistent set of functions there must at least be a complete
126set of "encrypt" functions, or a complete set of "decrypt" functions, or a
127single "cipher" function. Similarly, there can be a complete set of pipeline
128"encrypt" functions, and/or a complete set of pipeline "decrypt" functions.
129In all cases both the OSSL_FUNC_cipher_newctx and OSSL_FUNC_cipher_freectx functions must be
130present.
131All other functions are optional.
132
133=head2 Context Management Functions
134
135OSSL_FUNC_cipher_newctx() should create and return a pointer to a provider side
136structure for holding context information during a cipher operation.
137A pointer to this context will be passed back in a number of the other cipher
138operation function calls.
139The parameter I<provctx> is the provider context generated during provider
140initialisation (see L<provider(7)>).
141
142OSSL_FUNC_cipher_freectx() is passed a pointer to the provider side cipher context in
143the I<cctx> parameter.
144This function should free any resources associated with that context.
145
146OSSL_FUNC_cipher_dupctx() should duplicate the provider side cipher context in the
147I<cctx> parameter and return the duplicate copy.
148
149=head2 Encryption/Decryption Functions
150
151OSSL_FUNC_cipher_encrypt_init() initialises a cipher operation for encryption given a
152newly created provider side cipher context in the I<cctx> parameter.
153The key to be used is given in I<key> which is I<keylen> bytes long.
154The IV to be used is given in I<iv> which is I<ivlen> bytes long.
155The I<params>, if not NULL, should be set on the context in a manner similar to
156using OSSL_FUNC_cipher_set_ctx_params().
157
158OSSL_FUNC_cipher_decrypt_init() is the same as OSSL_FUNC_cipher_encrypt_init() except that it
159initialises the context for a decryption operation.
160
161OSSL_FUNC_cipher_update() is called to supply data to be encrypted/decrypted as part of
162a previously initialised cipher operation.
163The I<cctx> parameter contains a pointer to a previously initialised provider
164side context.
165OSSL_FUNC_cipher_update() should encrypt/decrypt I<inl> bytes of data at the location
166pointed to by I<in>.
167The encrypted data should be stored in I<out> and the amount of data written to
168I<*outl> which should not exceed I<outsize> bytes.
169OSSL_FUNC_cipher_update() may be called multiple times for a single cipher operation.
170It is the responsibility of the cipher implementation to handle input lengths
171that are not multiples of the block length.
172In such cases a cipher implementation will typically cache partial blocks of
173input data until a complete block is obtained.
174The pointers I<out> and I<in> may point to the same location, in which
175case the encryption must be done in-place. If I<out> and I<in> point to different
176locations, the requirements of L<EVP_EncryptUpdate(3)> and L<EVP_DecryptUpdate(3)>
177guarantee that the two buffers are disjoint.
178Similarly, the requirements of L<EVP_EncryptUpdate(3)> and L<EVP_DecryptUpdate(3)>
179ensure that the buffer pointed to by I<out> contains sufficient room for the
180operation being performed.
181
182OSSL_FUNC_cipher_final() completes an encryption or decryption started through previous
183OSSL_FUNC_cipher_encrypt_init() or OSSL_FUNC_cipher_decrypt_init(), and OSSL_FUNC_cipher_update()
184calls.
185The I<cctx> parameter contains a pointer to the provider side context.
186Any final encryption/decryption output should be written to I<out> and the
187amount of data written to I<*outl> which should not exceed I<outsize> bytes.
188The same expectations apply to I<outsize> as documented for
189L<EVP_EncryptFinal(3)> and L<EVP_DecryptFinal(3)>.
190
191OSSL_FUNC_cipher_cipher() performs encryption/decryption using the provider side cipher
192context in the I<cctx> parameter that should have been previously initialised via
193a call to OSSL_FUNC_cipher_encrypt_init() or OSSL_FUNC_cipher_decrypt_init().
194This should call the raw underlying cipher function without any padding.
195This will be invoked in the provider as a result of the application calling
196L<EVP_Cipher(3)>.
197The application is responsible for ensuring that the input is a multiple of the
198block length.
199The data to be encrypted/decrypted will be in I<in>, and it will be I<inl> bytes
200in length.
201The output from the encryption/decryption should be stored in I<out> and the
202amount of data stored should be put in I<*outl> which should be no more than
203I<outsize> bytes.
204
205OSSL_FUNC_cipher_pipeline_encrypt_init(), OSSL_FUNC_cipher_pipeline_decrypt_init()
206OSSL_FUNC_cipher_pipeline_update(), and OSSL_FUNC_cipher_pipeline_final() are similar to
207the non-pipeline variants, but are used when the application is using cipher pipelining.
208The I<numpipes> parameter is the number of pipes in the pipeline. The I<iv> parameter
209is an array of buffers with IVs, each I<ivlen> bytes long. The I<in> and I<out> are
210arrays of buffer pointers. The I<inl> and I<outl>, I<outsize> are arrays of size_t
211representing corresponding buffer length as similar to the non-pipeline variants.
212All arrays are of length I<numpipes>. See L<EVP_CipherPipelineEncryptInit(3)> for more
213information.
214
215=head2 Cipher Parameters
216
217See L<OSSL_PARAM(3)> for further details on the parameters structure used by
218these functions.
219
220OSSL_FUNC_cipher_get_params() gets details of the algorithm implementation
221and stores them in I<params>.
222
223OSSL_FUNC_cipher_set_ctx_params() sets cipher operation parameters for the
224provider side cipher context I<cctx> to I<params>.
225Any parameter settings are additional to any that were previously set.
226Passing NULL for I<params> should return true.
227
228OSSL_FUNC_cipher_get_ctx_params() gets cipher operation details details from
229the given provider side cipher context I<cctx> and stores them in I<params>.
230Passing NULL for I<params> should return true.
231
232OSSL_FUNC_cipher_gettable_params(), OSSL_FUNC_cipher_gettable_ctx_params(),
233and OSSL_FUNC_cipher_settable_ctx_params() all return constant L<OSSL_PARAM(3)>
234arrays as descriptors of the parameters that OSSL_FUNC_cipher_get_params(),
235OSSL_FUNC_cipher_get_ctx_params(), and OSSL_FUNC_cipher_set_ctx_params()
236can handle, respectively.  OSSL_FUNC_cipher_gettable_ctx_params() and
237OSSL_FUNC_cipher_settable_ctx_params() will return the parameters associated
238with the provider side context I<cctx> in its current state if it is
239not NULL.  Otherwise, they return the parameters associated with the
240provider side algorithm I<provctx>.
241
242Parameters currently recognised by built-in ciphers are listed in
243L<EVP_EncryptInit(3)/PARAMETERS>.
244Not all parameters are relevant to, or are understood by all ciphers.
245
246=head1 RETURN VALUES
247
248OSSL_FUNC_cipher_newctx() and OSSL_FUNC_cipher_dupctx() should return the newly created
249provider side cipher context, or NULL on failure.
250
251OSSL_FUNC_cipher_encrypt_init(), OSSL_FUNC_cipher_decrypt_init(), OSSL_FUNC_cipher_update(),
252OSSL_FUNC_cipher_final(), OSSL_FUNC_cipher_cipher(),
253OSSL_FUNC_cipher_pipeline_encrypt_init(), OSSL_FUNC_cipher_pipeline_decrypt_init(),
254OSSL_FUNC_cipher_pipeline_update(), OSSL_FUNC_cipher_pipeline_final(),
255OSSL_FUNC_cipher_get_params(), OSSL_FUNC_cipher_get_ctx_params() and
256OSSL_FUNC_cipher_set_ctx_params() should return 1 for
257success or 0 on error.
258
259OSSL_FUNC_cipher_gettable_params(), OSSL_FUNC_cipher_gettable_ctx_params() and
260OSSL_FUNC_cipher_settable_ctx_params() should return a constant L<OSSL_PARAM(3)>
261array, or NULL if none is offered.
262
263=head1 SEE ALSO
264
265L<provider(7)>, L<OSSL_PROVIDER-FIPS(7)>, L<OSSL_PROVIDER-default(7)>,
266L<OSSL_PROVIDER-legacy(7)>,
267L<EVP_CIPHER-AES(7)>, L<EVP_CIPHER-ARIA(7)>, L<EVP_CIPHER-BLOWFISH(7)>,
268L<EVP_CIPHER-CAMELLIA(7)>, L<EVP_CIPHER-CAST(7)>, L<EVP_CIPHER-CHACHA(7)>,
269L<EVP_CIPHER-DES(7)>, L<EVP_CIPHER-IDEA(7)>, L<EVP_CIPHER-RC2(7)>,
270L<EVP_CIPHER-RC4(7)>, L<EVP_CIPHER-RC5(7)>, L<EVP_CIPHER-SEED(7)>,
271L<EVP_CIPHER-SM4(7)>, L<EVP_CIPHER-NULL(7)>,
272L<life_cycle-cipher(7)>, L<EVP_EncryptInit(3)>
273
274=head1 HISTORY
275
276The provider CIPHER interface was introduced in OpenSSL 3.0.
277
278=head1 COPYRIGHT
279
280Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
281
282Licensed under the Apache License 2.0 (the "License").  You may not use
283this file except in compliance with the License.  You can obtain a copy
284in the file LICENSE in the source distribution or at
285L<https://www.openssl.org/source/license.html>.
286
287=cut
288