1=pod
2
3=head1 NAME
4
5provider-asym_cipher - The asym_cipher library E<lt>-E<gt> provider functions
6
7=head1 SYNOPSIS
8
9=for openssl multiple includes
10
11 #include <openssl/core_dispatch.h>
12 #include <openssl/core_names.h>
13
14 /*
15  * None of these are actual functions, but are displayed like this for
16  * the function signatures for functions that are offered as function
17  * pointers in OSSL_DISPATCH arrays.
18  */
19
20 /* Context management */
21 void *OSSL_FUNC_asym_cipher_newctx(void *provctx);
22 void OSSL_FUNC_asym_cipher_freectx(void *ctx);
23 void *OSSL_FUNC_asym_cipher_dupctx(void *ctx);
24
25 /* Encryption */
26 int OSSL_FUNC_asym_cipher_encrypt_init(void *ctx, void *provkey,
27                                        const OSSL_PARAM params[]);
28 int OSSL_FUNC_asym_cipher_encrypt(void *ctx, unsigned char *out, size_t *outlen,
29                                   size_t outsize, const unsigned char *in,
30                                   size_t inlen);
31
32 /* Decryption */
33 int OSSL_FUNC_asym_cipher_decrypt_init(void *ctx, void *provkey,
34                                        const OSSL_PARAM params[]);
35 int OSSL_FUNC_asym_cipher_decrypt(void *ctx, unsigned char *out, size_t *outlen,
36                                   size_t outsize, const unsigned char *in,
37                                   size_t inlen);
38
39 /* Asymmetric Cipher parameters */
40 int OSSL_FUNC_asym_cipher_get_ctx_params(void *ctx, OSSL_PARAM params[]);
41 const OSSL_PARAM *OSSL_FUNC_asym_cipher_gettable_ctx_params(void *provctx);
42 int OSSL_FUNC_asym_cipher_set_ctx_params(void *ctx, const OSSL_PARAM params[]);
43 const OSSL_PARAM *OSSL_FUNC_asym_cipher_settable_ctx_params(void *provctx);
44
45=head1 DESCRIPTION
46
47This documentation is primarily aimed at provider authors. See L<provider(7)>
48for further information.
49
50The asymmetric cipher (OSSL_OP_ASYM_CIPHER) operation enables providers to
51implement asymmetric cipher algorithms and make them available to applications
52via the API functions L<EVP_PKEY_encrypt(3)>,
53L<EVP_PKEY_decrypt(3)> and
54other related functions).
55
56All "functions" mentioned here are passed as function pointers between
57F<libcrypto> and the provider in B<OSSL_DISPATCH> arrays via
58B<OSSL_ALGORITHM> arrays that are returned by the provider's
59provider_query_operation() function
60(see L<provider-base(7)/Provider Functions>).
61
62All these "functions" have a corresponding function type definition
63named B<OSSL_FUNC_{name}_fn>, and a helper function to retrieve the
64function pointer from an B<OSSL_DISPATCH> element named
65B<OSSL_FUNC_{name}>.
66For example, the "function" OSSL_FUNC_asym_cipher_newctx() has these:
67
68 typedef void *(OSSL_FUNC_asym_cipher_newctx_fn)(void *provctx);
69 static ossl_inline OSSL_FUNC_asym_cipher_newctx_fn
70     OSSL_FUNC_asym_cipher_newctx(const OSSL_DISPATCH *opf);
71
72B<OSSL_DISPATCH> arrays are indexed by numbers that are provided as
73macros in L<openssl-core_dispatch.h(7)>, as follows:
74
75 OSSL_FUNC_asym_cipher_newctx               OSSL_FUNC_ASYM_CIPHER_NEWCTX
76 OSSL_FUNC_asym_cipher_freectx              OSSL_FUNC_ASYM_CIPHER_FREECTX
77 OSSL_FUNC_asym_cipher_dupctx               OSSL_FUNC_ASYM_CIPHER_DUPCTX
78
79 OSSL_FUNC_asym_cipher_encrypt_init         OSSL_FUNC_ASYM_CIPHER_ENCRYPT_INIT
80 OSSL_FUNC_asym_cipher_encrypt              OSSL_FUNC_ASYM_CIPHER_ENCRYPT
81
82 OSSL_FUNC_asym_cipher_decrypt_init         OSSL_FUNC_ASYM_CIPHER_DECRYPT_INIT
83 OSSL_FUNC_asym_cipher_decrypt              OSSL_FUNC_ASYM_CIPHER_DECRYPT
84
85 OSSL_FUNC_asym_cipher_get_ctx_params       OSSL_FUNC_ASYM_CIPHER_GET_CTX_PARAMS
86 OSSL_FUNC_asym_cipher_gettable_ctx_params  OSSL_FUNC_ASYM_CIPHER_GETTABLE_CTX_PARAMS
87 OSSL_FUNC_asym_cipher_set_ctx_params       OSSL_FUNC_ASYM_CIPHER_SET_CTX_PARAMS
88 OSSL_FUNC_asym_cipher_settable_ctx_params  OSSL_FUNC_ASYM_CIPHER_SETTABLE_CTX_PARAMS
89
90An asymmetric cipher algorithm implementation may not implement all of these
91functions.
92In order to be a consistent set of functions a provider must implement
93OSSL_FUNC_asym_cipher_newctx and OSSL_FUNC_asym_cipher_freectx.
94It must also implement both of OSSL_FUNC_asym_cipher_encrypt_init and
95OSSL_FUNC_asym_cipher_encrypt, or both of OSSL_FUNC_asym_cipher_decrypt_init and
96OSSL_FUNC_asym_cipher_decrypt.
97OSSL_FUNC_asym_cipher_get_ctx_params is optional but if it is present then so must
98OSSL_FUNC_asym_cipher_gettable_ctx_params.
99Similarly, OSSL_FUNC_asym_cipher_set_ctx_params is optional but if it is present then
100so must OSSL_FUNC_asym_cipher_settable_ctx_params.
101
102An asymmetric cipher algorithm must also implement some mechanism for generating,
103loading or importing keys via the key management (OSSL_OP_KEYMGMT) operation.
104See L<provider-keymgmt(7)> for further details.
105
106=head2 Context Management Functions
107
108OSSL_FUNC_asym_cipher_newctx() should create and return a pointer to a provider side
109structure for holding context information during an asymmetric cipher operation.
110A pointer to this context will be passed back in a number of the other
111asymmetric cipher operation function calls.
112The parameter I<provctx> is the provider context generated during provider
113initialisation (see L<provider(7)>).
114
115OSSL_FUNC_asym_cipher_freectx() is passed a pointer to the provider side asymmetric
116cipher context in the I<ctx> parameter.
117This function should free any resources associated with that context.
118
119OSSL_FUNC_asym_cipher_dupctx() should duplicate the provider side asymmetric cipher
120context in the I<ctx> parameter and return the duplicate copy.
121
122=head2 Encryption Functions
123
124OSSL_FUNC_asym_cipher_encrypt_init() initialises a context for an asymmetric encryption
125given a provider side asymmetric cipher context in the I<ctx> parameter, and a
126pointer to a provider key object in the I<provkey> parameter.
127The I<params>, if not NULL, should be set on the context in a manner similar to
128using OSSL_FUNC_asym_cipher_set_ctx_params().
129The key object should have been previously generated, loaded or imported into
130the provider using the key management (OSSL_OP_KEYMGMT) operation (see
131provider-keymgmt(7)>.
132OSSL_FUNC_asym_cipher_encrypt() performs the actual encryption itself.
133A previously initialised asymmetric cipher context is passed in the I<ctx>
134parameter.
135The data to be encrypted is pointed to by the I<in> parameter which is I<inlen>
136bytes long.
137Unless I<out> is NULL, the encrypted data should be written to the location
138pointed to by the I<out> parameter and it should not exceed I<outsize> bytes in
139length.
140The length of the encrypted data should be written to I<*outlen>.
141If I<out> is NULL then the maximum length of the encrypted data should be
142written to I<*outlen>.
143
144=head2 Decryption Functions
145
146OSSL_FUNC_asym_cipher_decrypt_init() initialises a context for an asymmetric decryption
147given a provider side asymmetric cipher context in the I<ctx> parameter, and a
148pointer to a provider key object in the I<provkey> parameter.
149The I<params>, if not NULL, should be set on the context in a manner similar to
150using OSSL_FUNC_asym_cipher_set_ctx_params().
151The key object should have been previously generated, loaded or imported into
152the provider using the key management (OSSL_OP_KEYMGMT) operation (see
153provider-keymgmt(7)>.
154
155OSSL_FUNC_asym_cipher_decrypt() performs the actual decryption itself.
156A previously initialised asymmetric cipher context is passed in the I<ctx>
157parameter.
158The data to be decrypted is pointed to by the I<in> parameter which is I<inlen>
159bytes long.
160Unless I<out> is NULL, the decrypted data should be written to the location
161pointed to by the I<out> parameter and it should not exceed I<outsize> bytes in
162length.
163The length of the decrypted data should be written to I<*outlen>.
164If I<out> is NULL then the maximum length of the decrypted data should be
165written to I<*outlen>.
166
167=head2 Asymmetric Cipher Parameters
168
169See L<OSSL_PARAM(3)> for further details on the parameters structure used by
170the OSSL_FUNC_asym_cipher_get_ctx_params() and OSSL_FUNC_asym_cipher_set_ctx_params()
171functions.
172
173OSSL_FUNC_asym_cipher_get_ctx_params() gets asymmetric cipher parameters associated
174with the given provider side asymmetric cipher context I<ctx> and stores them in
175I<params>.
176Passing NULL for I<params> should return true.
177
178OSSL_FUNC_asym_cipher_set_ctx_params() sets the asymmetric cipher parameters associated
179with the given provider side asymmetric cipher context I<ctx> to I<params>.
180Any parameter settings are additional to any that were previously set.
181Passing NULL for I<params> should return true.
182
183Parameters currently recognised by built-in asymmetric cipher algorithms are as
184follows.
185Not all parameters are relevant to, or are understood by all asymmetric cipher
186algorithms:
187
188=over 4
189
190=item "pad-mode" (B<OSSL_ASYM_CIPHER_PARAM_PAD_MODE>) <integer>
191
192The type of padding to be used. The interpretation of this value will depend
193on the algorithm in use. The default provider understands these RSA padding
194modes: 1 (RSA_PKCS1_PADDING), 3 (RSA_NO_PADDING),
1954 (RSA_PKCS1_OAEP_PADDING), 5 (RSA_X931_PADDING), 6 (RSA_PKCS1_PSS_PADDING) and
1967 (RSA_PKCS1_WITH_TLS_PADDING). See L<EVP_PKEY_CTX_set_rsa_padding(3)> for
197further details.
198
199=item "digest" (B<OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST>) <UTF8 string>
200
201Gets or sets the name of the OAEP digest algorithm used when OAEP padding is in
202use.
203
204=item "digest" (B<OSSL_ASYM_CIPHER_PARAM_DIGEST>) <UTF8 string>
205
206Gets or sets the name of the digest algorithm used by the algorithm (where
207applicable).
208
209=item "digest-props" (B<OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS>) <UTF8 string>
210
211Gets or sets the properties to use when fetching the OAEP digest algorithm.
212
213=item "digest-props" (B<OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS>) <UTF8 string>
214
215Gets or sets the properties to use when fetching the cipher digest algorithm.
216
217=item "mgf1-digest" (B<OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST>) <UTF8 string>
218
219Gets or sets the name of the MGF1 digest algorithm used when OAEP or PSS padding
220is in use.
221
222=item "mgf1-digest-props" (B<OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS>) <UTF8 string>
223
224Gets or sets the properties to use when fetching the MGF1 digest algorithm.
225
226=item "oaep-label" (B<OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL>) <octet string>
227
228Gets or sets the OAEP label used when OAEP padding is in use.
229
230=item "tls-client-version" (B<OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION>) <unsigned integer>
231
232The TLS protocol version first requested by the client. See
233B<RSA_PKCS1_WITH_TLS_PADDING> on the page L<EVP_PKEY_CTX_set_rsa_padding(3)>.
234
235=item "tls-negotiated-version" (B<OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION>) <unsigned integer>
236
237The negotiated TLS protocol version. See
238B<RSA_PKCS1_WITH_TLS_PADDING> on the page L<EVP_PKEY_CTX_set_rsa_padding(3)>.
239
240=back
241
242OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params()
243get a constant B<OSSL_PARAM> array that describes the gettable and settable
244parameters, i.e. parameters that can be used with OSSL_FUNC_asym_cipherget_ctx_params()
245and OSSL_FUNC_asym_cipher_set_ctx_params() respectively.
246See L<OSSL_PARAM(3)> for the use of B<OSSL_PARAM> as parameter descriptor.
247
248=head1 RETURN VALUES
249
250OSSL_FUNC_asym_cipher_newctx() and OSSL_FUNC_asym_cipher_dupctx() should return the newly
251created provider side asymmetric cipher context, or NULL on failure.
252
253All other functions should return 1 for success or 0 on error.
254
255=head1 SEE ALSO
256
257L<provider(7)>
258
259=head1 HISTORY
260
261The provider ASYM_CIPHER interface was introduced in OpenSSL 3.0.
262
263=head1 COPYRIGHT
264
265Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
266
267Licensed under the Apache License 2.0 (the "License").  You may not use
268this file except in compliance with the License.  You can obtain a copy
269in the file LICENSE in the source distribution or at
270L<https://www.openssl.org/source/license.html>.
271
272=cut
273