2
* Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License version 2 as
8
* published by the Free Software Foundation.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
20
* In addition, as a special exception, the copyright holders give
21
* permission to link the code of portions of this program with the
22
* OpenSSL library under certain conditions as described in each
23
* individual source file, and distribute linked combinations
26
* You must obey the GNU General Public License in all respects
27
* for all of the code used other than OpenSSL. If you modify
28
* file(s) with this exception, you may extend this exception to your
29
* version of the file(s), but you are not obligated to do so. If you
30
* do not wish to do so, delete this exception statement from your
31
* version. If you delete this exception statement from all source
32
* files in the program, then also delete it here.
35
#if !defined(_CLAMAV_CRYPTO_H)
36
#define _CLAMAV_CRYPTO_H
39
* \defgroup CryptoAPI ClamAV Crypto API
43
#define SHA1_HASH_SIZE 20
44
#define SHA256_HASH_SIZE 32
47
* Initialize the crypto system.
48
* @return Always returns 0
50
int cl_initialize_crypto(void);
52
/** Clean up the crypto system prior to program exit.
54
void cl_cleanup_crypto(void);
56
/** Generate a hash of data.
57
@param[in] alg The hashing algorithm to use
58
@param[in] buf The data to be hashed
59
@param[in] len The length of the to-be-hashed data
60
@param[out] obuf An optional buffer to store the generated hash. Use NULL to dynamically allocate buffer.
61
@param[out] olen An optional pointer that stores how long the generated hash is.
62
@return A pointer to the generated hash or obuf if obuf is not NULL.
64
unsigned char *cl_hash_data(char *alg, const void *buf, size_t len, unsigned char *obuf, unsigned int *olen);
66
/** Generate a hash of a file.
67
@param[in] ctx A pointer to the OpenSSL EVP_MD_CTX object
68
@param[in] fd The file descriptor
69
@param[out] olen An optional pointer that stores how long the generated hash is
70
@return A pointer to a dynamically-created buffer that holds the generated hash
72
unsigned char *cl_hash_file_fd_ctx(EVP_MD_CTX *ctx, int fd, unsigned int *olen);
74
/** Generate a hash of a file.
75
@param[in] fd The file descriptor
76
@param[in] alg The hashing algorithm to use
77
@param[out] olen An optional pointer that stores how long the generated hash is
78
@return A pointer to a dynamically-created buffer that holds the generated hash
80
unsigned char *cl_hash_file_fd(int fd, char *alg, unsigned int *olen);
82
/** Generate a hash of a file.
83
@param[in] fp A pointer to a FILE object
84
@param[in] alg The hashing algorithm to use
85
@param[out] olen An optional pointer that stores how long the generated hash is
86
@return A pointer to a dynamically-created buffer that holds the generated hash
88
unsigned char *cl_hash_file_fp(FILE *fp, char *alg, unsigned int *olen);
90
/** Generate a sha256 hash of data
91
@param[in] buf The data to hash
92
@param[in] len The length of the to-be-hashed data
93
@param[out] obuf An optional pointer to store the generated hash. Use NULL to dynamically allocate buffer.
94
@param[out] olen An optional pointer that stores how long the generated hash is.
95
@return A pointer to the buffer that holds the generated hash
97
unsigned char *cl_sha256(const void *buf, size_t len, unsigned char *obuf, unsigned int *olen);
99
/** Generate a sha1 hash of data
100
@param[in] buf The data to hash
101
@param[in] len The length of the to-be-hashed data
102
@param[out] obuf An optional pointer to store the generated hash. Use NULL to dynamically allocate buffer.
103
@param[out] olen An optional pointer that stores how long the generated hash is.
104
@return A pointer to the buffer that holds the generated hash or obuf if obuf is not NULL
106
unsigned char *cl_sha1(const void *buf, size_t len, unsigned char *obuf, unsigned int *olen);
108
/** Verify validity of signed data
109
@param[in] pkey The public key of the keypair that signed the data
110
@param[in] alg The algorithm used to hash the data
111
@param[in] sig The signature block
112
@param[in] siglen The length of the signature
113
@param[in] data The data that was signed
114
@param[in] datalen The length of the data
115
@param[in] decode Whether or not to base64-decode the signature prior to verification. 1 for yes, 0 for no.
116
@return 0 for success, -1 for error or invalid signature
118
int cl_verify_signature(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode);
120
/** Verify validity of signed data
121
@param[in] pkey The public key of the keypair that signed the data
122
@param[in] alg The algorithm used to hash the data
123
@param[in] sig The signature block
124
@param[in] siglen The length of the signature
125
@param[in] digest The hash of the signed data
126
@return 0 for success, -1 for error or invalid signature
128
int cl_verify_signature_hash(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest);
130
/** Verify validity of signed data
131
@param[in] pkey The public key of the keypair that signed the data
132
@param[in] alg The algorithm used to hash the data
133
@param[in] sig The signature block
134
@param[in] siglen The length of the signature
135
@param[in] fd The file descriptor
136
@return 0 for success, -1 for error or invalid signature
138
int cl_verify_signature_fd(EVP_PKEY *pkey, char *alg, unsigned char *sig, unsigned int siglen, int fd);
140
/** Verify validity of signed data
141
@param[in] x509path The path to the public key of the keypair that signed the data
142
@param[in] alg The algorithm used to hash the data
143
@param[in] sig The signature block
144
@param[in] siglen The length of the signature
145
@param[in] digest The hash of the signed data
146
@return 0 for success, -1 for error or invalid signature
148
int cl_verify_signature_hash_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest);
150
/** Verify validity of signed data
151
@param[in] x509path The path to the public key of the keypair that signed the data
152
@param[in] alg The algorithm used to hash the data
153
@param[in] sig The signature block
154
@param[in] siglen The length of the signature
155
@param[in] fd The file descriptor
156
@return 0 for success, -1 for error or invalid signature
158
int cl_verify_signature_fd_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, int fd);
160
/** Verify validity of signed data
161
@param[in] x509path The path to the public key of the keypair that signed the data
162
@param[in] alg The algorithm used to hash the data
163
@param[in] sig The signature block
164
@param[in] siglen The length of the signature
165
@param[in] data The data that was signed
166
@param[in] datalen The length of the data
167
@param[in] decode Whether or not to base64-decode the signature prior to verification. 1 for yes, 0 for no.
168
@return 0 for success, -1 for error or invalid signature
170
int cl_verify_signature_x509_keyfile(char *x509path, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode);
172
/** Verify validity of signed data
173
@param[in] x509 The X509 object of the public key of the keypair that signed the data
174
@param[in] alg The algorithm used to hash the data
175
@param[in] sig The signature block
176
@param[in] siglen The length of the signature
177
@param[in] digest The hash of the signed data
178
@return 0 for success, -1 for error or invalid signature
180
int cl_verify_signature_hash_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *digest);
182
/** Verify validity of signed data
183
@param[in] x509 The X509 object of the public key of the keypair that signed the data
184
@param[in] alg The algorithm used to hash the data
185
@param[in] sig The signature block
186
@param[in] siglen The length of the signature
187
@param[in] fd The file descriptor
188
@return 0 for success, -1 for error or invalid signature
190
int cl_verify_signature_fd_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, int fd);
192
/** Verify validity of signed data
193
@param[in] x509 The X509 object of the public key of the keypair that signed the data
194
@param[in] alg The algorithm used to hash the data
195
@param[in] sig The signature block
196
@param[in] siglen The length of the signature
197
@param[in] data The data that was signed
198
@param[in] datalen The length of the data
199
@param[in] decode Whether or not to base64-decode the signature prior to verification. 1 for yes, 0 for no.
200
@return 0 for success, -1 for error or invalid signature
202
int cl_verify_signature_x509(X509 *x509, char *alg, unsigned char *sig, unsigned int siglen, unsigned char *data, size_t datalen, int decode);
204
/** Get an X509 object from memory
205
* @param[in] data A pointer to a spot in memory that contains the PEM X509 cert
206
* @param[in] len The length of the data
207
* @return a pointer to the X509 object on success, NULL on error
209
X509 *cl_get_x509_from_mem(void *data, unsigned int len);
211
/** Validate an X509 certificate chain, with the chain being located in a directory
212
@param[in] tsdir The path to the trust store directory
213
@param[in] certpath The path to the X509 certificate to be validated.
214
@return 0 for success, -1 for error or invalid certificate.
216
int cl_validate_certificate_chain_ts_dir(char *tsdir, char *certpath);
218
/** Validate an X509 certificate chain with support for a CRL
219
@param[in] authorities A NULL-terminated array of strings that hold the path of the CA's X509 certificate
220
@param[in] crlpath An optional path to the CRL file. NULL if no CRL.
221
@param[in] certpath The path to the X509 certificate to be validated.
222
@return 0 for success, -1 for error or invalid certificate.
224
int cl_validate_certificate_chain(char **authorities, char *crlpath, char *certpath);
226
/** Load an X509 certificate from a file
227
@param[in] certpath The path to the X509 certificate
229
X509 *cl_load_cert(const char *certpath);
231
/** Parse an ASN1_TIME object
232
@param[in] timeobj The ASN1_TIME object
233
@return A pointer to a (struct tm). Adjusted for time zone and daylight savings time.
235
struct tm *cl_ASN1_GetTimeT(ASN1_TIME *timeobj);
237
/** Load a CRL file into an X509_CRL object
238
@param[in] file The path to the CRL
239
@return A pointer to an X509_CRL object or NULL on error.
241
X509_CRL *cl_load_crl(const char *timeobj);
243
/** Sign data with a key stored on disk
244
@param[in] keypath The path to the RSA private key
245
@param[in] alg The hash/signature algorithm to use
246
@param[in] hash The hash to sign
247
@param[out] olen A pointer that stores the size of the signature
248
@param[in] Whether or not to base64-encode the signature. 1 for yes, 0 for no.
249
@return The generated signature
251
unsigned char *cl_sign_data_keyfile(char *keypath, char *alg, unsigned char *hash, unsigned int *olen, int encode);
253
/** Sign data with an RSA private key object
254
@param[in] pkey The RSA private key object
255
@param[in] alg The hash/signature algorithm to use
256
@param[in] hash The hash to sign
257
@param[out] olen A pointer that stores the size of the signature
258
@param[in] Whether or not to base64-encode the signature. 1 for yes, 0 for no.
259
@return The generated signature
261
unsigned char *cl_sign_data(EVP_PKEY *pkey, char *alg, unsigned char *hash, unsigned int *olen, int encode);
263
/** Sign a file with an RSA private key object
264
@param[in] fd The file descriptor
265
@param[in] pkey The RSA private key object
266
@param[in] alg The hash/signature algorithm to use
267
@param[out] olen A pointer that stores the size of the signature
268
@param[in] encode Whether or not to base64-encode the signature. 1 for yes, 0 for no.
270
unsigned char *cl_sign_file_fd(int fd, EVP_PKEY *pkey, char *alg, unsigned int *olen, int encode);
272
/** Sign a file with an RSA private key object
273
@param[in] fp A pointer to a FILE object
274
@param[in] pkey The RSA private key object
275
@param[in] alg The hash/signature algorithm to use
276
@param[out] olen A pointer that stores the size of the signature
277
@param[in] encode Whether or not to base64-encode the signature. 1 for yes, 0 for no.
279
unsigned char *cl_sign_file_fp(FILE *fp, EVP_PKEY *pkey, char *alg, unsigned int *olen, int encode);
281
/** Get the Private Key stored on disk
282
* @param[in] keypath The path on disk where the private key is stored
283
* @return A pointer to the EVP_PKEY object that contains the private key in memory
285
EVP_PKEY *cl_get_pkey_file(char *keypath);
287
void *cl_hash_init(const char *alg);
288
int cl_update_hash(void *ctx, void *data, size_t sz);
289
int cl_finish_hash(void *ctx, void *buf);
290
void cl_hash_destroy(void *ctx);