1676
1886
@c **********************************************************
1677
@c ******************* Hash Functions *********************
1678
@c **********************************************************
1682
Libgcrypt provides an easy and consistent to use interface
1683
for hashing. Hashing is buffered and several hash algorithms can be
1684
updated at once. It is possible to calculate a MAC using the same
1685
routines. The programming model follows an open/process/close
1686
paradigm and is in that similar to other building blocks provided by
1689
For convenience reasons, a few cyclic redundancy check value operations
1693
* Available hash algorithms:: List of hash algorithms supported by the library.
1694
* Hash algorithm modules:: How to work with hash algorithm modules.
1695
* Working with hash algorithms:: List of functions related to hashing.
1698
@node Available hash algorithms
1699
@section Available hash algorithms
1701
@c begin table of hash algorithms
1704
This is not a real algorithm but used by some functions as an error
1705
return value. This constant is guaranteed to have the value @code{0}.
1708
This is the SHA-1 algorithm which yields a message digest of 20 bytes.
1710
@item GCRY_MD_RMD160
1711
This is the 160 bit version of the RIPE message digest (RIPE-MD-160).
1712
Like SHA-1 it also yields a digest of 20 bytes.
1715
This is the well known MD5 algorithm, which yields a message digest of
1719
This is the MD4 algorithm, which yields a message digest of 16 bytes.
1722
This is an reserved identifier for MD-2; there is no implementation yet.
1725
This is the TIGER/192 algorithm which yields a message digest of 24 bytes.
1728
This is an reserved for the HAVAL algorithm with 5 passes and 160
1729
bit. It yields a message digest of 20 bytes. Note that there is no
1730
implementation yet available.
1732
@item GCRY_MD_SHA224
1733
This is the SHA-224 algorithm which yields a message digest of 28 bytes.
1734
See Change Notice 1 for FIPS 180-2 for the specification.
1736
@item GCRY_MD_SHA256
1737
This is the SHA-256 algorithm which yields a message digest of 32 bytes.
1738
See FIPS 180-2 for the specification.
1740
@item GCRY_MD_SHA384
1741
This is the SHA-384 algorithm which yields a message digest of 48 bytes.
1742
See FIPS 180-2 for the specification.
1744
@item GCRY_MD_SHA512
1745
This is the SHA-384 algorithm which yields a message digest of 64 bytes.
1746
See FIPS 180-2 for the specification.
1749
This is the ISO 3309 and ITU-T V.42 cyclic redundancy check. It
1750
yields an output of 4 bytes.
1752
@item GCRY_MD_CRC32_RFC1510
1753
This is the above cyclic redundancy check function, as modified by RFC
1754
1510. It yields an output of 4 bytes.
1756
@item GCRY_MD_CRC24_RFC2440
1757
This is the OpenPGP cyclic redundancy check function. It yields an
1760
@item GCRY_MD_WHIRLPOOL
1761
This is the Whirlpool algorithm which yields a message digest of 64
1765
@c end table of hash algorithms
1767
@node Hash algorithm modules
1768
@section Hash algorithm modules
1770
Libgcrypt makes it possible to load additional `message
1771
digest modules'; these digests can be used just like the message digest
1772
algorithms that are built into the library directly. For an
1773
introduction into extension modules, see @xref{Modules}.
1775
@deftp {Data type} gcry_md_spec_t
1776
This is the `module specification structure' needed for registering
1777
message digest modules, which has to be filled in by the user before
1778
it can be used to register a module. It contains the following
1782
@item const char *name
1783
The primary name of this algorithm.
1784
@item unsigned char *asnoid
1785
Array of bytes that form the ASN OID.
1787
Length of bytes in `asnoid'.
1788
@item gcry_md_oid_spec_t *oids
1789
A list of OIDs that are to be associated with the algorithm. The
1790
list's last element must have it's `oid' member set to NULL. See
1791
below for an explanation of this type. See below for an explanation
1794
Length of the message digest algorithm. See below for an explanation
1796
@item gcry_md_init_t init
1797
The function responsible for initializing a handle. See below for an
1798
explanation of this type.
1799
@item gcry_md_write_t write
1800
The function responsible for writing data into a message digest
1801
context. See below for an explanation of this type.
1802
@item gcry_md_final_t final
1803
The function responsible for `finalizing' a message digest context.
1804
See below for an explanation of this type.
1805
@item gcry_md_read_t read
1806
The function responsible for reading out a message digest result. See
1807
below for an explanation of this type.
1808
@item size_t contextsize
1809
The size of the algorithm-specific `context', that should be
1810
allocated for each handle.
1814
@deftp {Data type} gcry_md_oid_spec_t
1815
This type is used for associating a user-provided algorithm
1816
implementation with certain OIDs. It contains the following members:
1819
@item const char *oidstring
1820
Textual representation of the OID.
1824
@deftp {Data type} gcry_md_init_t
1825
Type for the `init' function, defined as: void (*gcry_md_init_t) (void
1829
@deftp {Data type} gcry_md_write_t
1830
Type for the `write' function, defined as: void (*gcry_md_write_t)
1831
(void *c, unsigned char *buf, size_t nbytes)
1834
@deftp {Data type} gcry_md_final_t
1835
Type for the `final' function, defined as: void (*gcry_md_final_t)
1839
@deftp {Data type} gcry_md_read_t
1840
Type for the `read' function, defined as: unsigned char
1841
*(*gcry_md_read_t) (void *c)
1844
@deftypefun gcry_error_t gcry_md_register (gcry_md_spec_t *@var{digest}, unsigned int *algorithm_id, gcry_module_t *@var{module})
1846
Register a new digest module whose specification can be found in
1847
@var{digest}. On success, a new algorithm ID is stored in
1848
@var{algorithm_id} and a pointer representing this module is stored
1852
@deftypefun void gcry_md_unregister (gcry_module_t @var{module})
1853
Unregister the digest identified by @var{module}, which must have been
1854
registered with gcry_md_register.
1857
@deftypefun gcry_error_t gcry_md_list (int *@var{list}, int *@var{list_length})
1858
Get a list consisting of the IDs of the loaded message digest modules.
1859
If @var{list} is zero, write the number of loaded message digest
1860
modules to @var{list_length} and return. If @var{list} is non-zero,
1861
the first *@var{list_length} algorithm IDs are stored in @var{list},
1862
which must be of according size. In case there are less message
1863
digests modules than *@var{list_length}, *@var{list_length} is updated
1864
to the correct number.
1867
@node Working with hash algorithms
1868
@section Working with hash algorithms
1870
To use most of these function it is necessary to create a context;
1873
@deftypefun gcry_error_t gcry_md_open (gcry_md_hd_t *@var{hd}, int @var{algo}, unsigned int @var{flags})
1875
Create a message digest object for algorithm @var{algo}. @var{flags}
1876
may be given as an bitwise OR of constants described below. @var{algo}
1877
may be given as @code{0} if the algorithms to use are later set using
1878
@code{gcry_md_enable}. @var{hd} is guaranteed to either receive a valid
1881
For a list of supported algorithms, see @xref{Available hash
1884
The flags allowed for @var{mode} are:
1886
@c begin table of hash flags
1888
@item GCRY_MD_FLAG_SECURE
1889
Allocate all buffers and the resulting digest in "secure memory". Use
1890
this is the hashed data is highly confidential.
1892
@item GCRY_MD_FLAG_HMAC
1893
Turn the algorithm into a HMAC message authentication algorithm. This
1894
only works if just one algorithm is enabled for the handle. Note that the function
1895
@code{gcry_md_setkey} must be used to set the MAC key. If you want CBC
1896
message authentication codes based on a cipher, see @xref{Working with
1900
@c begin table of hash flags
1902
You may use the function @code{gcry_md_is_enabled} to later check
1903
whether an algorithm has been enabled.
1906
@c end function gcry_md_open
1908
If you want to calculate several hash algorithms at the same time, you
1909
have to use the following function right after the @code{gcry_md_open}:
1911
@deftypefun gcry_error_t gcry_md_enable (gcry_md_hd_t @var{h}, int @var{algo})
1913
Add the message digest algorithm @var{algo} to the digest object
1914
described by handle @var{h}. Duplicated enabling of algorithms is
1915
detected and ignored.
1918
If the flag @code{GCRY_MD_FLAG_HMAC} was used, the key for the MAC must
1919
be set using the function:
1921
@deftypefun gcry_error_t gcry_md_setkey (gcry_md_hd_t @var{h}, const void *@var{key}, size_t @var{keylen})
1923
For use with the HMAC feature, set the MAC key to the value of @var{key}
1924
of length @var{keylen}.
1928
After you are done with the hash calculation, you should release the
1931
@deftypefun void gcry_md_close (gcry_md_hd_t @var{h})
1933
Release all resources of hash context @var{h}. @var{h} should not be
1934
used after a call to this function. A @code{NULL} passed as @var{h} is
1939
Often you have to do several hash operations using the same algorithm.
1940
To avoid the overhead of creating and releasing context, a reset function
1943
@deftypefun void gcry_md_reset (gcry_md_hd_t @var{h})
1945
Reset the current context to its initial state. This is effectively
1946
identical to a close followed by an open and enabling all currently
1951
Often it is necessary to start hashing some data and then continue to
1952
hash different data. To avoid hashing the same data several times (which
1953
might not even be possible if the data is received from a pipe), a
1954
snapshot of the current hash context can be taken and turned into a new
1957
@deftypefun gcry_error_t gcry_md_copy (gcry_md_hd_t *@var{handle_dst}, gcry_md_hd_t @var{handle_src})
1959
Create a new digest object as an exact copy of the object described by
1960
handle @var{handle_src} and store it in @var{handle_dst}. The context
1961
is not reset and you can continue to hash data using this context and
1962
independently using the original context.
1966
Now that we have prepared everything to calculate hashes, it is time to
1967
see how it is actually done. There are two ways for this, one to
1968
update the hash with a block of memory and one macro to update the hash
1969
by just one character. Both methods can be used on the same hash context.
1971
@deftypefun void gcry_md_write (gcry_md_hd_t @var{h}, const void *@var{buffer}, size_t @var{length})
1973
Pass @var{length} bytes of the data in @var{buffer} to the digest object
1974
with handle @var{h} to update the digest values. This
1975
function should be used for large blocks of data.
1978
@deftypefun void gcry_md_putc (gcry_md_hd_t @var{h}, int @var{c})
1980
Pass the byte in @var{c} to the digest object with handle @var{h} to
1981
update the digest value. This is an efficient function, implemented as
1982
a macro to buffer the data before an actual update.
1985
The semantics of the hash functions do not provide for reading out intermediate
1986
message digests because the calculation must be finalized first. This
1987
finalization may for example include the number of bytes hashed in the
1988
message digest or some padding.
1990
@deftypefun void gcry_md_final (gcry_md_hd_t @var{h})
1992
Finalize the message digest calculation. This is not really needed
1993
because @code{gcry_md_read} does this implicitly. After this has been
1994
done no further updates (by means of @code{gcry_md_write} or
1995
@code{gcry_md_putc} are allowed. Only the first call to this function
1996
has an effect. It is implemented as a macro.
1999
The way to read out the calculated message digest is by using the
2002
@deftypefun unsigned char *gcry_md_read (gcry_md_hd_t @var{h}, int @var{algo})
2004
@code{gcry_md_read} returns the message digest after finalizing the
2005
calculation. This function may be used as often as required but it will
2006
always return the same value for one handle. The returned message digest
2007
is allocated within the message context and therefore valid until the
2008
handle is released or reseted (using @code{gcry_md_close} or
2009
@code{gcry_md_reset}. @var{algo} may be given as 0 to return the only
2010
enabled message digest or it may specify one of the enabled algorithms.
2011
The function does return @code{NULL} if the requested algorithm has not
2015
Because it is often necessary to get the message digest of one block of
2016
memory, a fast convenience function is available for this task:
2018
@deftypefun void gcry_md_hash_buffer (int @var{algo}, void *@var{digest}, const void *@var{buffer}, size_t @var{length});
2020
@code{gcry_md_hash_buffer} is a shortcut function to calculate a message
2021
digest of a buffer. This function does not require a context and
2022
immediately returns the message digest of the @var{length} bytes at
2023
@var{buffer}. @var{digest} must be allocated by the caller, large
2024
enough to hold the message digest yielded by the the specified algorithm
2025
@var{algo}. This required size may be obtained by using the function
2026
@code{gcry_md_get_algo_dlen}.
2028
Note that this function will abort the process if an unavailable
2032
@c ***********************************
2033
@c ***** MD info functions ***********
2034
@c ***********************************
2036
Hash algorithms are identified by internal algorithm numbers (see
2037
@code{gcry_md_open} for a list). However, in most applications they are
2038
used by names, so two functions are available to map between string
2039
representations and hash algorithm identifiers.
2041
@deftypefun const char *gcry_md_algo_name (int @var{algo})
2043
Map the digest algorithm id @var{algo} to a string representation of the
2044
algorithm name. For unknown algorithms this function returns the
2045
string @code{"?"}. This function should not be used to test for the
2046
availability of an algorithm.
2049
@deftypefun int gcry_md_map_name (const char *@var{name})
2051
Map the algorithm with @var{name} to a digest algorithm identifier.
2052
Returns 0 if the algorithm name is not known. Names representing
2053
@acronym{ASN.1} object identifiers are recognized if the @acronym{IETF}
2054
dotted format is used and the OID is prefixed with either "@code{oid.}"
2055
or "@code{OID.}". For a list of supported OIDs, see the source code at
2056
@file{cipher/md.c}. This function should not be used to test for the
2057
availability of an algorithm.
2060
@deftypefun gcry_error_t gcry_md_get_asnoid (int @var{algo}, void *@var{buffer}, size_t *@var{length})
2062
Return an DER encoded ASN.1 OID for the algorithm @var{algo} in the
2063
user allocated @var{buffer}. @var{length} must point to variable with
2064
the available size of @var{buffer} and receives after return the
2065
actual size of the returned OID. The returned error code may be
2066
@code{GPG_ERR_TOO_SHORT} if the provided buffer is to short to receive
2067
the OID; it is possible to call the function with @code{NULL} for
2068
@var{buffer} to have it only return the required size. The function
2069
returns 0 on success.
2074
To test whether an algorithm is actually available for use, the
2075
following macro should be used:
2077
@deftypefun gcry_error_t gcry_md_test_algo (int @var{algo})
2079
The macro returns 0 if the algorithm @var{algo} is available for use.
2082
If the length of a message digest is not known, it can be retrieved
2083
using the following function:
2085
@deftypefun unsigned int gcry_md_get_algo_dlen (int @var{algo})
2087
Retrieve the length in bytes of the digest yielded by algorithm
2088
@var{algo}. This is often used prior to @code{gcry_md_read} to allocate
2089
sufficient memory for the digest.
2093
In some situations it might be hard to remember the algorithm used for
2094
the ongoing hashing. The following function might be used to get that
2097
@deftypefun int gcry_md_get_algo (gcry_md_hd_t @var{h})
2099
Retrieve the algorithm used with the handle @var{h}. Note that this
2100
does not work reliable if more than one algorithm is enabled in @var{h}.
2103
The following macro might also be useful:
2105
@deftypefun int gcry_md_is_secure (gcry_md_hd_t @var{h})
2107
This function returns true when the digest object @var{h} is allocated
2108
in "secure memory"; i.e. @var{h} was created with the
2109
@code{GCRY_MD_FLAG_SECURE}.
2112
@deftypefun int gcry_md_is_enabled (gcry_md_hd_t @var{h}, int @var{algo})
2114
This function returns true when the algorithm @var{algo} has been
2115
enabled for the digest object @var{h}.
2120
Tracking bugs related to hashing is often a cumbersome task which
2121
requires to add a lot of printf statements into the code.
2122
Libgcrypt provides an easy way to avoid this. The actual data
2123
hashed can be written to files on request.
2125
@deftypefun void gcry_md_debug (gcry_md_hd_t @var{h}, const char *@var{suffix})
2127
Enable debugging for the digest object with handle @var{h}. This
2128
creates create files named @file{dbgmd-<n>.<string>} while doing the
2129
actual hashing. @var{suffix} is the string part in the filename. The
2130
number is a counter incremented for each new hashing. The data in the
2131
file is the raw data as passed to @code{gcry_md_write} or
2132
@code{gcry_md_putc}. If @code{NULL} is used for @var{suffix}, the
2133
debugging is stopped and the file closed. This is only rarely required
2134
because @code{gcry_md_close} implicitly stops debugging.
2138
The following two deprecated macros are used for debugging by old code.
2139
They shopuld be replaced by @code{gcry_md_debug}.
2141
@deftypefun void gcry_md_start_debug (gcry_md_hd_t @var{h}, const char *@var{suffix})
2143
Enable debugging for the digest object with handle @var{h}. This
2144
creates create files named @file{dbgmd-<n>.<string>} while doing the
2145
actual hashing. @var{suffix} is the string part in the filename. The
2146
number is a counter incremented for each new hashing. The data in the
2147
file is the raw data as passed to @code{gcry_md_write} or
2148
@code{gcry_md_putc}.
2152
@deftypefun void gcry_md_stop_debug (gcry_md_hd_t @var{h}, int @var{reserved})
2154
Stop debugging on handle @var{h}. @var{reserved} should be specified as
2155
0. This function is usually not required because @code{gcry_md_close}
2156
does implicitly stop debugging.
2160
@c **********************************************************
2161
1887
@c ******************* Public Key *************************
2162
1888
@c **********************************************************
2163
@node Public Key cryptography (I)
2164
@chapter Public Key cryptography (I)
1889
@node Public Key cryptography
1890
@chapter Public Key cryptography
2166
1892
Public key cryptography, also known as asymmetric cryptography, is an
2167
1893
easy way for key management and to provide digital signatures.
3548
3371
@end deftypefun
3550
3373
@c **********************************************************
3374
@c ******************* Hash Functions *********************
3375
@c **********************************************************
3379
Libgcrypt provides an easy and consistent to use interface for hashing.
3380
Hashing is buffered and several hash algorithms can be updated at once.
3381
It is possible to compute a MAC using the same routines. The
3382
programming model follows an open/process/close paradigm and is in that
3383
similar to other building blocks provided by Libgcrypt.
3385
For convenience reasons, a few cyclic redundancy check value operations
3389
* Available hash algorithms:: List of hash algorithms supported by the library.
3390
* Hash algorithm modules:: How to work with hash algorithm modules.
3391
* Working with hash algorithms:: List of functions related to hashing.
3394
@node Available hash algorithms
3395
@section Available hash algorithms
3397
@c begin table of hash algorithms
3399
@cindex SHA-224, SHA-256, SHA-384, SHA-512
3401
@cindex MD2, MD4, MD5
3408
This is not a real algorithm but used by some functions as an error
3409
return value. This constant is guaranteed to have the value @code{0}.
3412
This is the SHA-1 algorithm which yields a message digest of 20 bytes.
3414
@item GCRY_MD_RMD160
3415
This is the 160 bit version of the RIPE message digest (RIPE-MD-160).
3416
Like SHA-1 it also yields a digest of 20 bytes.
3419
This is the well known MD5 algorithm, which yields a message digest of
3423
This is the MD4 algorithm, which yields a message digest of 16 bytes.
3426
This is an reserved identifier for MD-2; there is no implementation yet.
3429
This is the TIGER/192 algorithm which yields a message digest of 24 bytes.
3432
This is an reserved for the HAVAL algorithm with 5 passes and 160
3433
bit. It yields a message digest of 20 bytes. Note that there is no
3434
implementation yet available.
3436
@item GCRY_MD_SHA224
3437
This is the SHA-224 algorithm which yields a message digest of 28 bytes.
3438
See Change Notice 1 for FIPS 180-2 for the specification.
3440
@item GCRY_MD_SHA256
3441
This is the SHA-256 algorithm which yields a message digest of 32 bytes.
3442
See FIPS 180-2 for the specification.
3444
@item GCRY_MD_SHA384
3445
This is the SHA-384 algorithm which yields a message digest of 48 bytes.
3446
See FIPS 180-2 for the specification.
3448
@item GCRY_MD_SHA512
3449
This is the SHA-384 algorithm which yields a message digest of 64 bytes.
3450
See FIPS 180-2 for the specification.
3453
This is the ISO 3309 and ITU-T V.42 cyclic redundancy check. It
3454
yields an output of 4 bytes.
3456
@item GCRY_MD_CRC32_RFC1510
3457
This is the above cyclic redundancy check function, as modified by RFC
3458
1510. It yields an output of 4 bytes.
3460
@item GCRY_MD_CRC24_RFC2440
3461
This is the OpenPGP cyclic redundancy check function. It yields an
3464
@item GCRY_MD_WHIRLPOOL
3465
This is the Whirlpool algorithm which yields a message digest of 64
3469
@c end table of hash algorithms
3471
@node Hash algorithm modules
3472
@section Hash algorithm modules
3474
Libgcrypt makes it possible to load additional `message
3475
digest modules'; these digests can be used just like the message digest
3476
algorithms that are built into the library directly. For an
3477
introduction into extension modules, see @xref{Modules}.
3479
@deftp {Data type} gcry_md_spec_t
3480
This is the `module specification structure' needed for registering
3481
message digest modules, which has to be filled in by the user before
3482
it can be used to register a module. It contains the following
3486
@item const char *name
3487
The primary name of this algorithm.
3488
@item unsigned char *asnoid
3489
Array of bytes that form the ASN OID.
3491
Length of bytes in `asnoid'.
3492
@item gcry_md_oid_spec_t *oids
3493
A list of OIDs that are to be associated with the algorithm. The
3494
list's last element must have it's `oid' member set to NULL. See
3495
below for an explanation of this type. See below for an explanation
3498
Length of the message digest algorithm. See below for an explanation
3500
@item gcry_md_init_t init
3501
The function responsible for initializing a handle. See below for an
3502
explanation of this type.
3503
@item gcry_md_write_t write
3504
The function responsible for writing data into a message digest
3505
context. See below for an explanation of this type.
3506
@item gcry_md_final_t final
3507
The function responsible for `finalizing' a message digest context.
3508
See below for an explanation of this type.
3509
@item gcry_md_read_t read
3510
The function responsible for reading out a message digest result. See
3511
below for an explanation of this type.
3512
@item size_t contextsize
3513
The size of the algorithm-specific `context', that should be
3514
allocated for each handle.
3518
@deftp {Data type} gcry_md_oid_spec_t
3519
This type is used for associating a user-provided algorithm
3520
implementation with certain OIDs. It contains the following members:
3523
@item const char *oidstring
3524
Textual representation of the OID.
3528
@deftp {Data type} gcry_md_init_t
3529
Type for the `init' function, defined as: void (*gcry_md_init_t) (void
3533
@deftp {Data type} gcry_md_write_t
3534
Type for the `write' function, defined as: void (*gcry_md_write_t)
3535
(void *c, unsigned char *buf, size_t nbytes)
3538
@deftp {Data type} gcry_md_final_t
3539
Type for the `final' function, defined as: void (*gcry_md_final_t)
3543
@deftp {Data type} gcry_md_read_t
3544
Type for the `read' function, defined as: unsigned char
3545
*(*gcry_md_read_t) (void *c)
3548
@deftypefun gcry_error_t gcry_md_register (gcry_md_spec_t *@var{digest}, unsigned int *algorithm_id, gcry_module_t *@var{module})
3550
Register a new digest module whose specification can be found in
3551
@var{digest}. On success, a new algorithm ID is stored in
3552
@var{algorithm_id} and a pointer representing this module is stored
3556
@deftypefun void gcry_md_unregister (gcry_module_t @var{module})
3557
Unregister the digest identified by @var{module}, which must have been
3558
registered with gcry_md_register.
3561
@deftypefun gcry_error_t gcry_md_list (int *@var{list}, int *@var{list_length})
3562
Get a list consisting of the IDs of the loaded message digest modules.
3563
If @var{list} is zero, write the number of loaded message digest
3564
modules to @var{list_length} and return. If @var{list} is non-zero,
3565
the first *@var{list_length} algorithm IDs are stored in @var{list},
3566
which must be of according size. In case there are less message
3567
digests modules than *@var{list_length}, *@var{list_length} is updated
3568
to the correct number.
3571
@node Working with hash algorithms
3572
@section Working with hash algorithms
3574
To use most of these function it is necessary to create a context;
3577
@deftypefun gcry_error_t gcry_md_open (gcry_md_hd_t *@var{hd}, int @var{algo}, unsigned int @var{flags})
3579
Create a message digest object for algorithm @var{algo}. @var{flags}
3580
may be given as an bitwise OR of constants described below. @var{algo}
3581
may be given as @code{0} if the algorithms to use are later set using
3582
@code{gcry_md_enable}. @var{hd} is guaranteed to either receive a valid
3585
For a list of supported algorithms, see @xref{Available hash
3588
The flags allowed for @var{mode} are:
3590
@c begin table of hash flags
3592
@item GCRY_MD_FLAG_SECURE
3593
Allocate all buffers and the resulting digest in "secure memory". Use
3594
this is the hashed data is highly confidential.
3596
@item GCRY_MD_FLAG_HMAC
3598
Turn the algorithm into a HMAC message authentication algorithm. This
3599
only works if just one algorithm is enabled for the handle. Note that
3600
the function @code{gcry_md_setkey} must be used to set the MAC key.
3601
The size of the MAC is equal to the message digest of the underlying
3602
hash algorithm. If you want CBC message authentication codes based on
3603
a cipher, see @xref{Working with cipher handles}.
3606
@c begin table of hash flags
3608
You may use the function @code{gcry_md_is_enabled} to later check
3609
whether an algorithm has been enabled.
3612
@c end function gcry_md_open
3614
If you want to calculate several hash algorithms at the same time, you
3615
have to use the following function right after the @code{gcry_md_open}:
3617
@deftypefun gcry_error_t gcry_md_enable (gcry_md_hd_t @var{h}, int @var{algo})
3619
Add the message digest algorithm @var{algo} to the digest object
3620
described by handle @var{h}. Duplicated enabling of algorithms is
3621
detected and ignored.
3624
If the flag @code{GCRY_MD_FLAG_HMAC} was used, the key for the MAC must
3625
be set using the function:
3627
@deftypefun gcry_error_t gcry_md_setkey (gcry_md_hd_t @var{h}, const void *@var{key}, size_t @var{keylen})
3629
For use with the HMAC feature, set the MAC key to the value of @var{key}
3630
of length @var{keylen}. There is no restriction on the length of the key.
3634
After you are done with the hash calculation, you should release the
3637
@deftypefun void gcry_md_close (gcry_md_hd_t @var{h})
3639
Release all resources of hash context @var{h}. @var{h} should not be
3640
used after a call to this function. A @code{NULL} passed as @var{h} is
3645
Often you have to do several hash operations using the same algorithm.
3646
To avoid the overhead of creating and releasing context, a reset function
3649
@deftypefun void gcry_md_reset (gcry_md_hd_t @var{h})
3651
Reset the current context to its initial state. This is effectively
3652
identical to a close followed by an open and enabling all currently
3657
Often it is necessary to start hashing some data and then continue to
3658
hash different data. To avoid hashing the same data several times (which
3659
might not even be possible if the data is received from a pipe), a
3660
snapshot of the current hash context can be taken and turned into a new
3663
@deftypefun gcry_error_t gcry_md_copy (gcry_md_hd_t *@var{handle_dst}, gcry_md_hd_t @var{handle_src})
3665
Create a new digest object as an exact copy of the object described by
3666
handle @var{handle_src} and store it in @var{handle_dst}. The context
3667
is not reset and you can continue to hash data using this context and
3668
independently using the original context.
3672
Now that we have prepared everything to calculate hashes, it is time to
3673
see how it is actually done. There are two ways for this, one to
3674
update the hash with a block of memory and one macro to update the hash
3675
by just one character. Both methods can be used on the same hash context.
3677
@deftypefun void gcry_md_write (gcry_md_hd_t @var{h}, const void *@var{buffer}, size_t @var{length})
3679
Pass @var{length} bytes of the data in @var{buffer} to the digest object
3680
with handle @var{h} to update the digest values. This
3681
function should be used for large blocks of data.
3684
@deftypefun void gcry_md_putc (gcry_md_hd_t @var{h}, int @var{c})
3686
Pass the byte in @var{c} to the digest object with handle @var{h} to
3687
update the digest value. This is an efficient function, implemented as
3688
a macro to buffer the data before an actual update.
3691
The semantics of the hash functions do not provide for reading out intermediate
3692
message digests because the calculation must be finalized first. This
3693
finalization may for example include the number of bytes hashed in the
3694
message digest or some padding.
3696
@deftypefun void gcry_md_final (gcry_md_hd_t @var{h})
3698
Finalize the message digest calculation. This is not really needed
3699
because @code{gcry_md_read} does this implicitly. After this has been
3700
done no further updates (by means of @code{gcry_md_write} or
3701
@code{gcry_md_putc} are allowed. Only the first call to this function
3702
has an effect. It is implemented as a macro.
3705
The way to read out the calculated message digest is by using the
3708
@deftypefun {unsigned char *} gcry_md_read (gcry_md_hd_t @var{h}, int @var{algo})
3710
@code{gcry_md_read} returns the message digest after finalizing the
3711
calculation. This function may be used as often as required but it will
3712
always return the same value for one handle. The returned message digest
3713
is allocated within the message context and therefore valid until the
3714
handle is released or reseted (using @code{gcry_md_close} or
3715
@code{gcry_md_reset}. @var{algo} may be given as 0 to return the only
3716
enabled message digest or it may specify one of the enabled algorithms.
3717
The function does return @code{NULL} if the requested algorithm has not
3721
Because it is often necessary to get the message digest of one block of
3722
memory, a fast convenience function is available for this task:
3724
@deftypefun void gcry_md_hash_buffer (int @var{algo}, void *@var{digest}, const void *@var{buffer}, size_t @var{length});
3726
@code{gcry_md_hash_buffer} is a shortcut function to calculate a message
3727
digest of a buffer. This function does not require a context and
3728
immediately returns the message digest of the @var{length} bytes at
3729
@var{buffer}. @var{digest} must be allocated by the caller, large
3730
enough to hold the message digest yielded by the the specified algorithm
3731
@var{algo}. This required size may be obtained by using the function
3732
@code{gcry_md_get_algo_dlen}.
3734
Note that this function will abort the process if an unavailable
3738
@c ***********************************
3739
@c ***** MD info functions ***********
3740
@c ***********************************
3742
Hash algorithms are identified by internal algorithm numbers (see
3743
@code{gcry_md_open} for a list). However, in most applications they are
3744
used by names, so two functions are available to map between string
3745
representations and hash algorithm identifiers.
3747
@deftypefun {const char *} gcry_md_algo_name (int @var{algo})
3749
Map the digest algorithm id @var{algo} to a string representation of the
3750
algorithm name. For unknown algorithms this function returns the
3751
string @code{"?"}. This function should not be used to test for the
3752
availability of an algorithm.
3755
@deftypefun int gcry_md_map_name (const char *@var{name})
3757
Map the algorithm with @var{name} to a digest algorithm identifier.
3758
Returns 0 if the algorithm name is not known. Names representing
3759
@acronym{ASN.1} object identifiers are recognized if the @acronym{IETF}
3760
dotted format is used and the OID is prefixed with either "@code{oid.}"
3761
or "@code{OID.}". For a list of supported OIDs, see the source code at
3762
@file{cipher/md.c}. This function should not be used to test for the
3763
availability of an algorithm.
3766
@deftypefun gcry_error_t gcry_md_get_asnoid (int @var{algo}, void *@var{buffer}, size_t *@var{length})
3768
Return an DER encoded ASN.1 OID for the algorithm @var{algo} in the
3769
user allocated @var{buffer}. @var{length} must point to variable with
3770
the available size of @var{buffer} and receives after return the
3771
actual size of the returned OID. The returned error code may be
3772
@code{GPG_ERR_TOO_SHORT} if the provided buffer is to short to receive
3773
the OID; it is possible to call the function with @code{NULL} for
3774
@var{buffer} to have it only return the required size. The function
3775
returns 0 on success.
3780
To test whether an algorithm is actually available for use, the
3781
following macro should be used:
3783
@deftypefun gcry_error_t gcry_md_test_algo (int @var{algo})
3785
The macro returns 0 if the algorithm @var{algo} is available for use.
3788
If the length of a message digest is not known, it can be retrieved
3789
using the following function:
3791
@deftypefun {unsigned int} gcry_md_get_algo_dlen (int @var{algo})
3793
Retrieve the length in bytes of the digest yielded by algorithm
3794
@var{algo}. This is often used prior to @code{gcry_md_read} to allocate
3795
sufficient memory for the digest.
3799
In some situations it might be hard to remember the algorithm used for
3800
the ongoing hashing. The following function might be used to get that
3803
@deftypefun int gcry_md_get_algo (gcry_md_hd_t @var{h})
3805
Retrieve the algorithm used with the handle @var{h}. Note that this
3806
does not work reliable if more than one algorithm is enabled in @var{h}.
3809
The following macro might also be useful:
3811
@deftypefun int gcry_md_is_secure (gcry_md_hd_t @var{h})
3813
This function returns true when the digest object @var{h} is allocated
3814
in "secure memory"; i.e. @var{h} was created with the
3815
@code{GCRY_MD_FLAG_SECURE}.
3818
@deftypefun int gcry_md_is_enabled (gcry_md_hd_t @var{h}, int @var{algo})
3820
This function returns true when the algorithm @var{algo} has been
3821
enabled for the digest object @var{h}.
3826
Tracking bugs related to hashing is often a cumbersome task which
3827
requires to add a lot of printf statements into the code.
3828
Libgcrypt provides an easy way to avoid this. The actual data
3829
hashed can be written to files on request.
3831
@deftypefun void gcry_md_debug (gcry_md_hd_t @var{h}, const char *@var{suffix})
3833
Enable debugging for the digest object with handle @var{h}. This
3834
creates create files named @file{dbgmd-<n>.<string>} while doing the
3835
actual hashing. @var{suffix} is the string part in the filename. The
3836
number is a counter incremented for each new hashing. The data in the
3837
file is the raw data as passed to @code{gcry_md_write} or
3838
@code{gcry_md_putc}. If @code{NULL} is used for @var{suffix}, the
3839
debugging is stopped and the file closed. This is only rarely required
3840
because @code{gcry_md_close} implicitly stops debugging.
3844
The following two deprecated macros are used for debugging by old code.
3845
They shopuld be replaced by @code{gcry_md_debug}.
3847
@deftypefun void gcry_md_start_debug (gcry_md_hd_t @var{h}, const char *@var{suffix})
3849
Enable debugging for the digest object with handle @var{h}. This
3850
creates create files named @file{dbgmd-<n>.<string>} while doing the
3851
actual hashing. @var{suffix} is the string part in the filename. The
3852
number is a counter incremented for each new hashing. The data in the
3853
file is the raw data as passed to @code{gcry_md_write} or
3854
@code{gcry_md_putc}.
3858
@deftypefun void gcry_md_stop_debug (gcry_md_hd_t @var{h}, int @var{reserved})
3860
Stop debugging on handle @var{h}. @var{reserved} should be specified as
3861
0. This function is usually not required because @code{gcry_md_close}
3862
does implicitly stop debugging.
3866
@c **********************************************************
3551
3867
@c ******************* Random *****************************
3552
3868
@c **********************************************************
3553
3869
@node Random Numbers
4337
4656
@end deftypefun
4339
4658
@c **********************************************************
4659
@c ***************** Architecure Overview *****************
4660
@c **********************************************************
4662
@chapter Architecture
4664
This chapter describes the internal architecture of Libgcrypt.
4666
Libgcrypt is a function library written in ISO C-90. Any compliant
4667
compiler should be able to build Libgcrypt as long as the target is
4668
either a POSIX platform or compatible to the API used by Windows NT.
4669
Provisions have been take so that the library can be directly used from
4670
C++ applications; however building with a C++ compiler is not supported.
4672
Building Libgcrypt is done by using the common @code{./configure && make}
4673
approach. The configure command is included in the source distribution
4674
and as a portable shell script it works on any Unix-alike system. The
4675
result of running the configure script are a C header file
4676
(@file{config.h}), customized Makefiles, the setup of symbolic links and
4677
a few other things. After that the make tool builds and optionally
4678
installs the library and the documentation. See the files
4679
@file{INSTALL} and @file{README} in the source distribution on how to do
4682
Libgcrypt is developed using a Subversion@footnote{A version control
4683
system available for many platforms} repository. Although all released
4684
versions are tagged in this repository, they should not be used to build
4685
production versions of Libgcrypt. Instead released tarballs should be
4686
used. These tarballs are available from several places with the master
4687
copy at @indicateurl{ftp://ftp.gnupg.org/gcrypt/libgcrypt/}.
4688
Announcements of new releases are posted to the
4689
@indicateurl{gnupg-announce@@gnupg.org} mailing list@footnote{See
4690
@url{http://www.gnupg.org/documentation/mailing-lists.en.html} for
4694
@float Figure,fig:subsystems
4695
@caption{Libgcrypt subsystems}
4696
@center @image{libgcrypt-modules, 150mm,,Libgcrypt subsystems}
4699
Libgcrypt consists of several subsystems (@pxref{fig:subsystems}) and
4700
all these subsystems provide a public API; this includes the helper
4701
subsystems like the one for S-expressions. The API style depends on the
4702
subsystem; in general an open-use-close approach is implemented. The
4703
open returns a handle to a context used for all further operations on
4704
this handle, several functions may then be used on this handle and a
4705
final close function releases all resources associated with the handle.
4708
* Public-Key Subsystem Architecture:: About public keys.
4709
* Symmetric Encryption Subsystem Architecture:: About standard ciphers.
4710
* Hashing and MACing Subsystem Architecture:: About hashing.
4711
* Multi-Precision-Integer Subsystem Architecture:: About big integers.
4712
* Prime-Number-Generator Subsystem Architecture:: About prime numbers.
4713
* Random-Number Subsystem Architecture:: About random stuff.
4714
@c * Helper Subsystems Architecture:: About other stuff.
4719
@node Public-Key Subsystem Architecture
4720
@section Public-Key Architecture
4722
Libgcrypt implements two interfaces for public key cryptography: The
4723
standard interface is PK interface using functions in the
4724
@code{gcry_pk_} name space. The AC interface in an alternative one
4725
which is now deprecated and will not be further described. The AC
4726
interface is also disabled in FIPS mode.
4728
Because public key cryptography is almost always used to process small
4729
amounts of data (hash values or session keys), the interface is not
4730
implemented using the open-use-close paradigm, but with single
4731
self-contained functions. Due to the wide variety of parameters
4732
required by different algorithms S-expressions, as flexible way to
4733
convey these parameters, are used. There is a set of helper functions
4734
to work with these S-expressions.
4735
@c see @xref{S-expression Subsystem Architecture}.
4737
Aside of functions to register new algorithms, map algorithms names to
4738
algorithms identifiers and to lookup properties of a key, the
4739
following main functions are available:
4743
@item gcry_pk_encrypt
4744
Encrypt data using a public key.
4746
@item gcry_pk_decrypt
4747
Decrypt data using a private key.
4750
Sign data using a private key.
4752
@item gcry_pk_verify
4753
Verify that a signature matches the data.
4755
@item gcry_pk_testkey
4756
Perform a consistency over a public or private key.
4758
@item gcry_pk_genkey
4759
Create a new public/private key pair.
4763
With the help of the module registration system all these functions
4764
lookup the module implementing the algorithm and pass the actual work
4765
to that module. The parsing of the S-expression input and the
4766
construction of S-expression for the return values is done by the high
4767
level code (@file{cipher/pubkey.c}). Thus the internal interface
4768
between the algorithm modules and the high level functions passes data
4769
in a custom format. The interface to the modules is published
4770
(@file{gcrypt-modules.h}) so that it can used to register external
4771
implementations of algorithms with Libgcrypt. However, for some
4772
algorithms this module interface is to limited and thus for the
4773
internal modules an extra interface is sometimes used to convey more
4776
By default Libgcrypt uses a blinding technique for RSA decryption to
4777
mitigate real world timing attacks over a network: Instead of using
4778
the RSA decryption directly, a blinded value @math{y = x r^{e} \bmod n}
4779
is decrypted and the unblinded value @math{x' = y' r^{-1} \bmod n}
4780
returned. The blinding value @math{r} is a random value with the size
4781
of the modulus @math{n} and generated with @code{GCRY_WEAK_RANDOM}
4786
The algorithm used for RSA and DSA key generation depends on whether
4787
Libgcrypt is operated in standard or in FIPS mode. In standard mode
4788
an algorithm based on the Lim-Lee prime number generator is used. In
4789
FIPS mode RSA keys are generated as specified in ANSI X9.31 (1998) and
4790
DSA keys as specified in FIPS 186-2.
4794
@node Symmetric Encryption Subsystem Architecture
4795
@section Symmetric Encryption Subsystem Architecture
4797
The interface to work with symmetric encryption algorithms is made up
4798
of functions from the @code{gcry_cipher_} name space. The
4799
implementation follows the open-use-close paradigm and uses registered
4800
algorithm modules for the actual work. Unless a module implements
4801
optimized cipher mode implementations, the high level code
4802
(@file{cipher/cipher.c}) implements the modes and calls the core
4803
algorithm functions to process each block.
4805
The most important functions are:
4809
@item gcry_cipher_open
4810
Create a new instance to encrypt or decrypt using a specified
4813
@item gcry_cipher_close
4814
Release an instance.
4816
@item gcry_cipher_setkey
4817
Set a key to be used for encryption or decryption.
4819
@item gcry_cipher_setiv
4820
Set an initialization vector to be used for encryption or decryption.
4822
@item gcry_cipher_encrypt
4823
@itemx gcry_cipher_decrypt
4824
Encrypt or decrypt data. These functions may be called with arbitrary
4825
amounts of data and as often as needed to encrypt or decrypt all data.
4829
There are also functions to query properties of algorithms or context,
4830
like block length, key length, map names or to enable features like
4835
@node Hashing and MACing Subsystem Architecture
4836
@section Hashing and MACing Subsystem Architecture
4838
The interface to work with message digests and CRC algorithms is made
4839
up of functions from the @code{gcry_md_} name space. The
4840
implementation follows the open-use-close paradigm and uses registered
4841
algorithm modules for the actual work. Although CRC algorithms are
4842
not considered cryptographic hash algorithms, they share enough
4843
properties so that it makes sense to handle them in the same way.
4844
It is possible to use several algorithms at once with one context and
4845
thus compute them all on the same data.
4847
The most important functions are:
4851
Create a new message digest instance and optionally enable one
4852
algorithm. A flag may be used to turn the message digest algorithm
4853
into a HMAC algorithm.
4855
@item gcry_md_enable
4856
Enable an additional algorithm for the instance.
4858
@item gcry_md_setkey
4859
Set the key for the MAC.
4862
Pass more data for computing the message digest to an instance.
4865
Buffered version of @code{gcry_md_write} implemented as a macro.
4868
Finalize the computation of the message digest or HMAC and return the
4874
@item gcry_md_hash_buffer
4875
Convenience function to directly compute a message digest over a
4876
memory buffer without the need to create an instance first.
4880
There are also functions to query properties of algorithms or the
4881
instance, like enabled algorithms, digest length, map algorithm names.
4882
it is also possible to reset an instance or to copy the current state
4883
of an instance at any time. Debug functions to write the hashed data
4884
to files are available as well.
4888
@node Multi-Precision-Integer Subsystem Architecture
4889
@section Multi-Precision-Integer Subsystem Architecture
4891
The implementation of Libgcrypt's big integer computation code is
4892
based on an old release of GNU Multi-Precision Library (GMP). The
4893
decision not to use the GMP library directly was due to stalled
4894
development at that time and due to security requirements which could
4895
not be provided by the code in GMP. As GMP does, Libgcrypt provides
4896
high performance assembler implementations of low level code for
4897
several CPUS to gain much better performance than with a generic C
4901
Major features of Libgcrypt's multi-precision-integer code compared to
4906
Avoidance of stack based allocations to allow protection against
4907
swapping out of sensitive data and for easy zeroing of sensitive
4908
intermediate results.
4911
Optional use of secure memory and tracking of its use so that results
4912
are also put into secure memory.
4915
MPIs are identified by a handle (implemented as a pointer) to give
4916
better control over allocations and to augment them with extra
4917
properties like opaque data.
4920
Removal of unnecessary code to reduce complexity.
4923
Functions specialized for public key cryptography.
4929
@node Prime-Number-Generator Subsystem Architecture
4930
@section Prime-Number-Generator Subsystem Architecture
4932
Libgcrypt provides an interface to its prime number generator. These
4933
functions make use of the internal prime number generator which is
4934
required for the generation for public key key pairs. The plain prime
4935
checking function is exported as well.
4937
The generation of random prime numbers is based on the Lim and Lee
4938
algorithm to create practically save primes.@footnote{Chae Hoon Lim
4939
and Pil Joong Lee. A key recovery attack on discrete log-based shemes
4940
using a prime order subgroup. In Burton S. Kaliski Jr., editor,
4941
Advances in Cryptology: Crypto '97, pages 249Ā-263, Berlin /
4942
Heidelberg / New York, 1997. Springer-Verlag. Described on page 260.}
4943
This algorithm creates a pool of smaller primes, select a few of them
4944
to create candidate primes of the form @math{2 * p_0 * p_1 * ... * p_n
4945
+ 1}, tests the candidate for primality and permutates the pool until
4946
a prime has been found. It is possible to clamp one of the small
4947
primes to a certain size to help DSA style algorithms. Because most
4948
of the small primes in the pool are not used for the resulting prime
4949
number, they are saved for later use (see @code{save_pool_prime} and
4950
@code{get_pool_prime} in @file{cipher/primegen.c}). The prime
4951
generator optionally supports the finding of an appropriate generator.
4954
The primality test works in three steps:
4958
The standard sieve algorithm using the primes up to 4999 is used as a
4962
A Fermat test filters out almost all non-primes.
4965
A 5 round Rabin-Miller test is finally used. The first round uses a
4966
witness of 2, whereas the next rounds use a random witness.
4970
To support the generation of RSA and DSA keys in FIPS mode according
4971
to X9.31 and FIPS 186-2, Libgcrypt implements two additional prime
4972
generation functions: @code{_gcry_derive_x931_prime} and
4973
@code{_gcry_generate_fips186_2_prime}. These functions are internal
4974
and not available through the public API.
4978
@node Random-Number Subsystem Architecture
4979
@section Random-Number Subsystem Architecture
4981
Libgcrypt provides 3 levels or random quality: The level
4982
@code{GCRY_VERY_STRONG_RANDOM} usually used for key generation, the
4983
level @code{GCRY_STRONG_RANDOM} for all other strong random
4984
requirements and the function @code{gcry_create_nonce} which is used
4985
for weaker usages like nonces. There is also a level
4986
@code{GCRY_WEAK_RANDOM} which in general maps to
4987
@code{GCRY_STRONG_RANDOM} except when used with the function
4988
@code{gcry_mpi_randomize}, where it randomizes an
4989
multi-precision-integer using the @code{gcry_create_nonce} function.
4992
There are two distinct random generators available:
4996
The Continuously Seeded Pseudo Random Number Generator (CSPRNG), which
4997
is based on the classic GnuPG derived big pool implementation.
4998
Implemented in @code{random/random-csprng.c} and used by default.
5000
A FIPS approved ANSI X9.31 PRNG using AES with a 128 bit key. Implemented in
5001
@code{random/random-fips.c} and used if Libgcrypt is in FIPS mode.
5005
Both generators make use of so-called entropy gathering modules:
5009
Uses the operating system provided
5010
@file{/dev/random} and @file{/dev/urandom} devices.
5013
Runs several operating system commands to collect entropy from sources
5014
like virtual machine and process statistics. It is a kind of
5015
poor-man's @code{/dev/random} implementation. It is not available in
5019
Uses the operating system provided Entropy Gathering Daemon (EGD).
5020
The EGD basically uses the same algorithms as rndunix does. However
5021
as a system daemon it keeps on running and thus can serve several
5022
processes requiring entropy input and does not waste collected entropy
5023
if the application does not need all the collected entropy. It is not
5024
available in FIPS mode.
5027
Targeted for the Microsoft Windows OS. It uses certain properties of
5028
that system and is the only gathering module available for that OS.
5031
Extra module to collect additional entropy by utilizing a hardware
5032
random number generator. As of now the only supported hardware RNG is
5033
the Padlock engine of VIA (Centaur) CPUs. It is not available in FIPS
5040
* CSPRNG Description:: Description of the CSPRNG.
5041
* FIPS PRNG Description:: Description of the FIPS X9.31 PRNG.
5045
@node CSPRNG Description
5046
@subsection Description of the CSPRNG
5048
This random number generator is loosely modelled after the one
5049
described in Peter Gutmann's paper: "Software Generation of
5050
Practically Strong Random Numbers".@footnote{Also described in chapter
5051
6 of his book "Cryptographic Security Architecture", New York, 2004,
5052
ISBN 0-387-95387-6.}
5054
A pool of 600 bytes is used and mixed using the core RIPE-MD160 hash
5055
transform function. Several extra features are used to make the
5056
robust against a wide variety of attacks and to protect against
5057
failures of subsystems. The state of the generator may be saved to a
5058
file and initially seed form a file.
5060
Depending on how Libgcrypt was build the generator is able to select
5061
the best working entropy gathering module. It makes use of the slow
5062
and fast collection methods and requires the pool to initially seeded
5063
form the slow gatherer or a seed file. An entropy estimation is used
5064
to mix in enough data from the gather modules before returning the
5065
actual random output. Process fork detection and protection is
5068
@c FIXME: The design and implementaion needs a more verbose description.
5070
The implementation of the nonce generator (for
5071
@code{gcry_create_nonce}) is a straightforward repeated hash design: A
5072
28 byte buffer is initially seeded with the PID and the time in
5073
seconds in the first 20 bytes and with 8 bytes of random taken from
5074
the @code{GCRY_STRONG_RANDOM} generator. Random numbers are then
5075
created by hashing all the 28 bytes with SHA-1 and saving that again
5076
in the first 20 bytes. The hash is also returned as result.
5079
@node FIPS PRNG Description
5080
@subsection Description of the FIPS X9.31 PRNG
5082
The core of this deterministic random number generator is implemented
5083
according to the document ``NIST-Recommended Random Number Generator
5084
Based on ANSI X9.31 Appendix A.2.4 Using the 3-Key Triple DES and AES
5085
Algorithms'', dated 2005-01-31. This implementation uses the AES
5088
The generator is based on contexts to utilize the same core functions
5089
for all random levels as required by the high-level interface. All
5090
random generators return their data in 128 bit blocks. If the caller
5091
requests less bits, the extra bits are not used. The key for each
5092
generator is only set once at the first time a generator context is
5093
used. The seed value is set along with the key and again after 1000
5096
On Unix like systems the @code{GCRY_VERY_STRONG_RANDOM} and
5097
@code{GCRY_STRONG_RANDOM} generators are keyed and seeded using the
5098
rndlinux module with the @file{/dev/radnom} device. Thus these
5099
generators may block until the OS kernel has collected enough entropy.
5100
When used with Microsoft Windows the rndw32 module is used instead.
5102
The generator used for @code{gcry_create_nonce} is keyed and seeded
5103
from the @code{GCRY_STRONG_RANDOM} generator. Thus is may also block
5104
if the @code{GCRY_STRONG_RANDOM} generator has not yet been used
5105
before and thus gets initialized on the first use by
5106
@code{gcry_create_nonce}. This special treatment is justified by the
5107
weaker requirements for a nonce generator and to save precious kernel
5108
entropy for use by the ``real'' random generators.
5110
A self-test facility uses a separate context to check the
5111
functionality of the core X9.31 functions using a known answers test.
5112
During runtime each output block is compared to the previous one to
5113
detect a stucked generator.
5115
The DT value for the generator is made up of the current time down to
5116
microseconds (if available) and a free running 64 bit counter. When
5117
used with the test context the DT value is taken from the context and
5118
incremented on each use.
5122
@c @node Helper Subsystems Architecture
5123
@c @section Helper Subsystems Architecture
5125
@c There are a few smaller subsystems which are mainly used internally by
5126
@c Libgcrypt but also available to applications.
5129
@c * S-expression Subsystem Architecture:: Details about the S-expression architecture.
5130
@c * Memory Subsystem Architecture:: Details about the memory allocation architecture.
5131
@c * Miscellaneous Subsystems Architecture:: Details about other subsystems.
5134
@c @node S-expression Subsystem Architecture
5135
@c @subsection S-expression Subsystem Architecture
5137
@c Libgcrypt provides an interface to S-expression to create and parse
5138
@c them. To use an S-expression with Libgcrypt it needs first be
5139
@c converted into the internal representation used by Libgcrypt (the type
5140
@c @code{gcry_sexp_t}). The conversion functions support a large subset
5141
@c of the S-expression specification and further fature a printf like
5142
@c function to convert a list of big integers or other binary data into
5145
@c Libgcrypt currently implements S-expressions using a tagged linked
5146
@c list. However this is not exposed to an application and may be
5147
@c changed in future releases to reduce overhead when already working
5148
@c with canonically encoded S-expressions. Secure memory is supported by
5149
@c this S-expressions implementation.
5151
@c @node Memory Subsystem Architecture
5152
@c @subsection Memory Subsystem Architecture
5157
@c @node Miscellaneous Subsystems Architecture
5158
@c @subsection Miscellaneous Subsystems Architecture
5166
@c **********************************************************
4340
5167
@c ******************* Appendices *************************
4341
5168
@c **********************************************************
5170
@c ********************************************
5172
@appendix Description of the Self-Tests
5174
In addition to the build time regression test suite, Libgcrypt
5175
implements self-tests to be performed at runtime. Which self-tests
5176
are actually used depends on the mode Libgcrypt is used in. In
5177
standard mode a limited set of self-tests is run at the time an
5178
algorithm is first used. Note that not all algorithms feature a
5179
self-test in standard mode. The @code{GCRYCTL_SELFTEST} control
5180
command may be used to run all implemented self-tests at any time;
5181
this will even run more tests than those run in FIPS mode.
5183
If any of the self-tests fails, the library immediately returns an
5184
error code to the caller. If Libgcrypt is in FIPS mode the self-tests
5185
will be performed within the ``Self-Test'' state and any failure puts
5186
the library into the ``Error'' state.
5188
@c --------------------------------
5189
@section Power-Up Tests
5191
Power-up tests are only performed if Libgcrypt is in FIPS mode.
5193
@subsection Symmetric Cipher Algorithm Power-Up Tests
5195
The following symmetric encryption algorithm tests are run during
5200
To test the 3DES 3-key EDE encryption in ECB mode these tests are
5204
A known answer test is run on a 64 bit test vector processed by 64
5205
rounds of Single-DES block encryption and decryption using a key
5206
changed with each round.
5208
A known answer test is run on a 64 bit test vector processed by 16
5209
rounds of 2-key and 3-key Triple-DES block encryption and decryptions
5210
using a key changed with each round.
5212
10 known answer tests using 3-key Triple-DES EDE encryption, comparing
5213
the ciphertext to the known value, then running a decryption and
5214
comparing it to the initial plaintext.
5216
(@code{cipher/des.c:selftest})
5219
A known answer tests is run using one test vector and one test
5220
key with AES in ECB mode. (@code{cipher/rijndael.c:selftest_basic_128})
5223
A known answer tests is run using one test vector and one test
5224
key with AES in ECB mode. (@code{cipher/rijndael.c:selftest_basic_192})
5227
A known answer tests is run using one test vector and one test key
5228
with AES in ECB mode. (@code{cipher/rijndael.c:selftest_basic_256})
5231
@subsection Hash Algorithm Power-Up Tests
5233
The following hash algorithm tests are run during power-up:
5237
A known answer test using the string @code{"abc"} is run.
5238
(@code{cipher/@/sha1.c:@/selftests_sha1})
5240
A known answer test using the string @code{"abc"} is run.
5241
(@code{cipher/@/sha256.c:@/selftests_sha224})
5243
A known answer test using the string @code{"abc"} is run.
5244
(@code{cipher/@/sha256.c:@/selftests_sha256})
5246
A known answer test using the string @code{"abc"} is run.
5247
(@code{cipher/@/sha512.c:@/selftests_sha384})
5249
A known answer test using the string @code{"abc"} is run.
5250
(@code{cipher/@/sha512.c:@/selftests_sha512})
5253
@subsection MAC Algorithm Power-Up Tests
5255
The following MAC algorithm tests are run during power-up:
5259
A known answer test using 9 byte of data and a 64 byte key is run.
5260
(@code{cipher/hmac-tests.c:selftests_sha1})
5262
A known answer test using 28 byte of data and a 4 byte key is run.
5263
(@code{cipher/hmac-tests.c:selftests_sha224})
5265
A known answer test using 28 byte of data and a 4 byte key is run.
5266
(@code{cipher/hmac-tests.c:selftests_sha256})
5268
A known answer test using 28 byte of data and a 4 byte key is run.
5269
(@code{cipher/hmac-tests.c:selftests_sha384})
5271
A known answer test using 28 byte of data and a 4 byte key is run.
5272
(@code{cipher/hmac-tests.c:selftests_sha512})
5275
@subsection Random Number Power-Up Test
5277
The DRNG is tested during power-up this way:
5281
Requesting one block of random using the public interface to check
5282
general working and the duplicated block detection.
5284
3 know answer tests using pre-defined keys, seed and initial DT
5285
values. For each test 3 blocks of 16 bytes are requested and compared
5286
to the expected result. The DT value is incremented for each block.
5289
@subsection Public Key Algorithm Power-Up Tests
5291
The public key algorithms are tested during power-up:
5295
A pre-defined 1024 bit RSA key is used and these tests are run
5299
Conversion of S-expression to internal format.
5300
(@code{cipher/@/rsa.c:@/selftests_rsa})
5302
Private key consistency check.
5303
(@code{cipher/@/rsa.c:@/selftests_rsa})
5305
A pre-defined 20 byte value is signed with PKCS#1 padding for SHA-1.
5306
The result is verified using the public key against the original data
5307
and against modified data. (@code{cipher/@/rsa.c:@/selftest_sign_1024})
5309
A 1000 bit random value is encrypted and checked that it does not
5310
match the orginal random value. The encrtypted result is then
5311
decrypted and checked that it macthes the original random value.
5312
(@code{cipher/@/rsa.c:@/selftest_encr_1024})
5316
A pre-defined 1024 bit DSA key is used and these tests are run in turn:
5319
Conversion of S-expression to internal format.
5320
(@code{cipher/@/dsa.c:@/selftests_dsa})
5322
Private key consistency check.
5323
(@code{cipher/@/dsa.c:@/selftests_dsa})
5325
A pre-defined 20 byte value is signed with PKCS#1 padding for
5326
SHA-1. The result is verified using the public key against the
5327
original data and against modified data.
5328
(@code{cipher/@/dsa.c:@/selftest_sign_1024})
5332
@subsection Integrity Power-Up Tests
5334
The integrity of the Libgcrypt is tested during power-up but only if
5335
checking has been enabled at build time. The check works by computing
5336
a HMAC SHA-256 checksum over the file used to load Libgcrypt into
5337
memory. That checksum is compared against a checksum stored in a file
5338
of the same name but with a single dot as a prefix and a suffix of
5342
@subsection Critical Functions Power-Up Tests
5344
The 3DES weak key detection is tested during power-up by calling the
5345
detection function with keys taken from a table listening all weak
5346
keys. The table itself is protected using a SHA-1 hash.
5347
(@code{cipher/@/des.c:@/selftest})
5351
@c --------------------------------
5352
@section Conditional Tests
5354
The conditional tests are performed if a certain contidion is met.
5355
This may occur at any time; the library does not necessary enter the
5356
``Self-Test'' state to run these tests but will transit to the
5357
``Error'' state if a test failed.
5359
@subsection Key-Pair Generation Tests
5361
After an asymmetric key-pair has been generated, Libgcrypt runs a
5362
pair-wise consistency tests on the generated key. On failure the
5363
generated key is not used, an error code is returned and, if in FIPS
5364
mode, the library is put into the ``Error'' state.
5368
The test uses a random number 64 bits less the size of the modulus as
5369
plaintext and runs an encryption and decryption operation in turn. The
5370
encrypted value is checked to not match the plaintext and the result
5371
of the decryption is checked to match the plaintext.
5373
A new random number of the same size is generated, signed and verified
5374
to test the correctness of the signing operation. As a second signing
5375
test, the signature is modified by incrementing its value and then
5376
verified with the expected result that the verification fails.
5377
(@code{cipher/@/rsa.c:@/test_keys})
5379
The test uses a random number of the size of the Q parameter to create
5380
a signature and then checks that the signature verifies. As a second
5381
signing test, the data is modified by incrementing its value and then
5382
verified against the signature with the expected result that the
5383
verification fails. (@code{cipher/@/dsa.c:@/test_keys})
5387
@subsection Software Load Tests
5389
Loading of extra modules into libgcrypt is disabled in FIPS mode and
5391
implemented. (@code{cipher/@/cipher.c:@/gcry_cipher_register},
5392
@code{cipher/@/md.c:@/gcry_md_register},
5393
@code{cipher/@/md.c:@/gcry_pk_register})
5396
@subsection Manual Key Entry Tests
5398
A manual key entry feature is not implemented in Libgcrypt.
5401
@subsection Continuous RNG Tests
5403
The continuous random number test is only used in FIPS mode. The RNG
5404
generates blocks of 128 bit size; the first block generated per
5405
context is saved in the context and another block is generated to be
5406
returned to the caller. Each block is compared against the saved
5407
block and then stored in the context. If a duplicated block is
5408
detected an error is signaled and the libray is put into the
5409
``Fatal-Error'' state.
5410
(@code{random/@/random-fips.c:@/x931_aes_driver})
5414
@c --------------------------------
5415
@section Application Requested Tests
5417
The application may requests tests at any time by means of the
5418
@code{GCRYCTL_SELFTEST} control command. Note that using these tests
5419
is not FIPS conform: Although Libgcrypt rejects all application
5420
requests for services while running self-tests, it does not ensure
5421
that no other operations of Libgcrypt are still being executed. Thus,
5422
in FIPS mode an application requesting self-tests needs to power-cycle
5425
When self-tests are requested, Libgcrypt runs all the tests it does
5426
during power-up as well as a few extra checks as described below.
5428
@subsection Symmetric Cipher Algorithm Tests
5430
The following symmetric encryption algorithm tests are run in addition
5431
to the power-up tests:
5435
A known answer tests with test vectors taken from NIST SP800-38a and
5436
using the high level functions is run for block modes CFB and OFB.
5440
@subsection Hash Algorithm Tests
5442
The following hash algorithm tests are run in addition to the
5451
A known answer test using a 56 byte string is run.
5453
A known answer test using a string of one million letters "a" is run.
5455
(@code{cipher/@/sha1.c:@/selftests_sha1},
5456
@code{cipher/@/sha256.c:@/selftests_sha224},
5457
@code{cipher/@/sha256.c:@/selftests_sha256})
5462
A known answer test using a 112 byte string is run.
5464
A known answer test using a string of one million letters "a" is run.
5466
(@code{cipher/@/sha512.c:@/selftests_sha384},
5467
@code{cipher/@/sha512.c:@/selftests_sha512})
5470
@subsection MAC Algorithm Tests
5472
The following MAC algorithm tests are run in addition to the power-up
5479
A known answer test using 9 byte of data and a 20 byte key is run.
5481
A known answer test using 9 byte of data and a 100 byte key is run.
5483
A known answer test using 9 byte of data and a 49 byte key is run.
5485
(@code{cipher/hmac-tests.c:selftests_sha1})
5492
A known answer test using 9 byte of data and a 20 byte key is run.
5494
A known answer test using 50 byte of data and a 20 byte key is run.
5496
A known answer test using 50 byte of data and a 26 byte key is run.
5498
A known answer test using 54 byte of data and a 131 byte key is run.
5500
A known answer test using 152 byte of data and a 131 byte key is run.
5502
(@code{cipher/@/hmac-tests.c:@/selftests_sha224},
5503
@code{cipher/@/hmac-tests.c:@/selftests_sha256},
5504
@code{cipher/@/hmac-tests.c:@/selftests_sha384},
5505
@code{cipher/@/hmac-tests.c:@/selftests_sha512})
5509
@c ********************************************
5511
@appendix Description of the FIPS Mode
5513
This appendix gives detailed information pertaining to the FIPS mode.
5514
In particular, the changes to the standard mode and the finite state
5515
machine are described. The self-tests required in this mode are
5516
described in the appendix on self-tests.
5518
@c -------------------------------
5519
@section Restrictions in FIPS Mode
5522
If Libgcrypt is used in FIPS mode these restrictions are effective:
5526
The cryptographic algorithms are restricted to this list:
5529
@item GCRY_CIPHER_3DES
5530
3 key EDE Triple-DES symmetric encryption.
5531
@item GCRY_CIPHER_AES128
5532
AES 128 bit symmetric encryption.
5533
@item GCRY_CIPHER_AES192
5534
AES 192 bit symmetric encryption.
5535
@item GCRY_CIPHER_AES256
5536
AES 256 bit symmetric encryption.
5538
SHA-1 message digest.
5539
@item GCRY_MD_SHA224
5540
SHA-224 message digest.
5541
@item GCRY_MD_SHA256
5542
SHA-256 message digest.
5543
@item GCRY_MD_SHA384
5544
SHA-384 message digest.
5545
@item GCRY_MD_SHA512
5546
SHA-512 message digest.
5547
@item GCRY_MD_SHA1,GCRY_MD_FLAG_HMAC
5548
HMAC using a SHA-1 message digest.
5549
@item GCRY_MD_SHA224,GCRY_MD_FLAG_HMAC
5550
HMAC using a SHA-224 message digest.
5551
@item GCRY_MD_SHA256,GCRY_MD_FLAG_HMAC
5552
HMAC using a SHA-256 message digest.
5553
@item GCRY_MD_SHA384,GCRY_MD_FLAG_HMAC
5554
HMAC using a SHA-384 message digest.
5555
@item GCRY_MD_SHA512,GCRY_MD_FLAG_HMAC
5556
HMAC using a SHA-512 message digest.
5558
RSA encryption and signing.
5563
Note that the CRC algorithms are not considered cryptographic algorithms
5564
and thus are in addition available.
5567
RSA key generation refuses to create a key with a keysize of
5568
less than 1024 bits.
5571
DSA key generation refuses to create a key with a keysize other
5575
The @code{transient-key} flag for RSA and DSA key generation is ignored.
5578
Support for the VIA Padlock engine is disabled.
5581
FIPS mode may only be used on systems with a /dev/random device.
5582
Switching into FIPS mode on other systems will fail at runtime.
5585
Saving and loading a random seed file is ignored.
5588
An X9.31 style random number generator is used in place of the
5589
large-pool-CSPRNG generator.
5592
The command @code{GCRYCTL_ENABLE_QUICK_RANDOM} is ignored.
5595
The Alternative Public Key Interface (@code{gcry_ac_xxx}) is not
5596
supported and all API calls return an error.
5599
Registration of external modules is not supported.
5602
Message digest debugging is disabled.
5605
All debug output related to cryptographic data is suppressed.
5608
On-the-fly self-tests are not performed, instead self-tests are run
5609
before entering operational state.
5612
The function @code{gcry_set_allocation_handler} may not be used. If
5613
it is used Libgcrypt disables FIPS mode unless Enforced FIPS mode is
5614
enabled, in which case Libgcrypt will enter the error state.
5617
The digest algorithm MD5 may not be used. If it is used Libgcrypt
5618
disables FIPS mode unless Enforced FIPS mode is enabled, in which case
5619
Libgcrypt will enter the error state.
5622
In Enforced FIPS mode the command @code{GCRYCTL_DISABLE_SECMEM} is
5623
ignored. In standard FIPS mode it disables FIPS mode.
5626
A handler set by @code{gcry_set_outofcore_handler} is ignored.
5628
A handler set by @code{gcry_set_fatalerror_handler} is ignored.
5632
Note that when we speak about disabling FIPS mode, it merely means
5633
that the function @code{gcry_fips_mode_active} returns false; it does
5634
not mean that any non FIPS algorithms are allowed.
5636
@c ********************************************
5637
@section FIPS Finite State Machine
5639
The FIPS mode of libgcrypt implements a finite state machine (FSM) using
5640
8 states (@pxref{tbl:fips-states}) and checks at runtime that only valid
5641
transitions (@pxref{tbl:fips-state-transitions}) may happen.
5643
@float Figure,fig:fips-fsm
5644
@caption{FIPS mode state diagram}
5645
@center @image{fips-fsm,150mm,,FIPS FSM Diagram}
5648
@float Table,tbl:fips-states
5649
@caption{FIPS mode states}
5651
States used by the FIPS FSM:
5655
Libgcrypt is not runtime linked to another application. This usually
5656
means that the library is not loaded into main memory. This state is
5660
Libgcrypt is loaded into memory and API calls may be made. Compiler
5661
introducted constructor functions may be run. Note that Libgcrypt does
5662
not implement any arbitrary constructor functions to be called by the
5666
The Libgcrypt initialization functions are performed and the library has
5667
not yet run any self-test.
5670
Libgcrypt is performing self-tests.
5673
Libgcrypt is in the operational state and all interfaces may be used.
5676
Libgrypt is in the error state. When calling any FIPS relevant
5677
interfaces they either return an error (@code{GPG_ERR_NOT_OPERATIONAL})
5678
or put Libgcrypt into the Fatal-Error state and won't return.
5681
Libgcrypt is in a non-recoverable error state and
5682
will automatically transit into the Shutdown state.
5685
Libgcrypt is about to be terminated and removed from the memory. The
5686
application may at this point still runing cleanup handlers.
5692
@float Table,tbl:fips-state-transitions
5693
@caption{FIPS mode state transitions}
5695
The valid state transitions (@pxref{fig:fips-fsm}) are:
5698
Power-Off to Power-On is implicitly done by the OS loading Libgcrypt as
5699
a shared library and having it linked to an application.
5702
Power-On to Init is triggered by the application calling the
5703
Libgcrypt intialization function @code{gcry_check_version}.
5706
Init to Self-Test is either triggred by a dedicated API call or implicit
5707
by invoking a libgrypt service conrolled by the FSM.
5710
Self-Test to Operational is triggered after all self-tests passed
5714
Operational to Shutdown is an artifical state without any direct action
5715
in Libgcrypt. When reaching the Shutdown state the library is
5716
deinitialized and can't return to any other state again.
5719
Shutdown to Power-off is the process of removing Libgcrypt from the
5720
computer's memory. For obvious reasons the Power-Off state can't be
5721
represented within Libgcrypt and thus this transition is for
5725
Operational to Error is triggered if Libgcrypt detected an application
5726
error which can't be returned to the caller but still allows Libgcrypt
5727
to properly run. In the Error state all FIPS relevant interfaces return
5731
Error to Shutdown is similar to the Operational to Shutdown transition
5735
Error to Fatal-Error is triggred if Libgrypt detects an fatal error
5736
while already being in Error state.
5739
Fatal-Error to Shutdown is automatically entered by Libgcrypt
5740
after having reported the error.
5743
Power-On to Shutdown is an artifical state to document that Libgcrypt
5744
has not ye been initializaed but the process is about to terminate.
5747
Power-On to Fatal-Error will be triggerd if certain Libgcrypt functions
5748
are used without having reached the Init state.
5751
Self-Test to Fatal-Error is triggred by severe errors in Libgcrypt while
5755
Self-Test to Error is triggred by a failed self-test.
5758
Operational to Fatal-Error is triggered if Libcrypt encountered a
5759
non-recoverable error.
5762
Operational to Self-Test is triggred if the application requested to run
5763
the self-tests again.
5766
Error to Self-Test is triggered if the application has requested to run
5767
self-tests to get to get back into operational state after an error.
5770
Init to Error is triggered by errors in the initialization code.
5773
Init to Fatal-Error is triggered by non-recoverable errors in the
5774
initialization code.
5777
Error to Error is triggered by errors while already in the Error
5784
@c ********************************************
5785
@section FIPS Miscellaneous Information
5787
Libgcrypt does not do any key management on itself; the application
5788
needs to care about it. Keys which are passed to Libgcrypt should be
5789
allocated in secure memory as available with the functions
5790
@code{gcry_malloc_secure} and @code{gcry_calloc_secure}. By calling
5791
@code{gcry_free} on this memory, the memory and thus the keys are
5792
overwritten with zero bytes before releasing the memory.
5794
For use with the random number generator, Libgcrypt generates 3
5795
internal keys which are stored in the encryption contexts used by the
5796
RNG. These keys are stored in secure memory for the lifetime of the
5797
process. Application are required to use @code{GCRYCTL_TERM_SECMEM}
5798
before process termination. This will zero out the entire secure
5799
memory and thus also the encryption contexts with these keys.
5803
@c **********************************************************
5804
@c ************* Appendices (license etc.) ****************
5805
@c **********************************************************
4343
5806
@include lgpl.texi
4345
5808
@include gpl.texi
5810
@node Figures and Tables
5811
@unnumbered List of Figures and Tables
5813
@listoffloats Figure
4347
5817
@node Concept Index
4348
5818
@unnumbered Concept Index