OSSL_HPKE_CTX_new.pod 24 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575
  1. =pod
  2. =head1 NAME
  3. OSSL_HPKE_CTX_new, OSSL_HPKE_CTX_free,
  4. OSSL_HPKE_encap, OSSL_HPKE_decap,
  5. OSSL_HPKE_seal, OSSL_HPKE_open, OSSL_HPKE_export,
  6. OSSL_HPKE_suite_check, OSSL_HPKE_str2suite,
  7. OSSL_HPKE_keygen, OSSL_HPKE_get_grease_value,
  8. OSSL_HPKE_get_ciphertext_size, OSSL_HPKE_get_public_encap_size,
  9. OSSL_HPKE_get_recommended_ikmelen,
  10. OSSL_HPKE_CTX_set1_psk, OSSL_HPKE_CTX_set1_ikme,
  11. OSSL_HPKE_CTX_set1_authpriv, OSSL_HPKE_CTX_set1_authpub,
  12. OSSL_HPKE_CTX_get_seq, OSSL_HPKE_CTX_set_seq
  13. - Hybrid Public Key Encryption (HPKE) functions
  14. =head1 SYNOPSIS
  15. #include <openssl/hpke.h>
  16. typedef struct {
  17. uint16_t kem_id;
  18. uint16_t kdf_id;
  19. uint16_t aead_id;
  20. } OSSL_HPKE_SUITE;
  21. OSSL_HPKE_CTX *OSSL_HPKE_CTX_new(int mode, OSSL_HPKE_SUITE suite, int role,
  22. OSSL_LIB_CTX *libctx, const char *propq);
  23. void OSSL_HPKE_CTX_free(OSSL_HPKE_CTX *ctx);
  24. int OSSL_HPKE_encap(OSSL_HPKE_CTX *ctx,
  25. unsigned char *enc, size_t *enclen,
  26. const unsigned char *pub, size_t publen,
  27. const unsigned char *info, size_t infolen);
  28. int OSSL_HPKE_seal(OSSL_HPKE_CTX *ctx,
  29. unsigned char *ct, size_t *ctlen,
  30. const unsigned char *aad, size_t aadlen,
  31. const unsigned char *pt, size_t ptlen);
  32. int OSSL_HPKE_keygen(OSSL_HPKE_SUITE suite,
  33. unsigned char *pub, size_t *publen, EVP_PKEY **priv,
  34. const unsigned char *ikm, size_t ikmlen,
  35. OSSL_LIB_CTX *libctx, const char *propq);
  36. int OSSL_HPKE_decap(OSSL_HPKE_CTX *ctx,
  37. const unsigned char *enc, size_t enclen,
  38. EVP_PKEY *recippriv,
  39. const unsigned char *info, size_t infolen);
  40. int OSSL_HPKE_open(OSSL_HPKE_CTX *ctx,
  41. unsigned char *pt, size_t *ptlen,
  42. const unsigned char *aad, size_t aadlen,
  43. const unsigned char *ct, size_t ctlen);
  44. int OSSL_HPKE_export(OSSL_HPKE_CTX *ctx,
  45. unsigned char *secret, size_t secretlen,
  46. const unsigned char *label, size_t labellen);
  47. int OSSL_HPKE_CTX_set1_authpriv(OSSL_HPKE_CTX *ctx, EVP_PKEY *priv);
  48. int OSSL_HPKE_CTX_set1_authpub(OSSL_HPKE_CTX *ctx,
  49. unsigned char *pub, size_t publen);
  50. int OSSL_HPKE_CTX_set1_psk(OSSL_HPKE_CTX *ctx,
  51. const char *pskid,
  52. const unsigned char *psk, size_t psklen);
  53. int OSSL_HPKE_CTX_get_seq(OSSL_HPKE_CTX *ctx, uint64_t *seq);
  54. int OSSL_HPKE_CTX_set_seq(OSSL_HPKE_CTX *ctx, uint64_t seq);
  55. int OSSL_HPKE_CTX_set1_ikme(OSSL_HPKE_CTX *ctx,
  56. const unsigned char *ikme, size_t ikmelen);
  57. int OSSL_HPKE_suite_check(OSSL_HPKE_SUITE suite);
  58. int OSSL_HPKE_get_grease_value(const OSSL_HPKE_SUITE *suite_in,
  59. OSSL_HPKE_SUITE *suite,
  60. unsigned char *enc, size_t *enclen,
  61. unsigned char *ct, size_t ctlen,
  62. OSSL_LIB_CTX *libctx, const char *propq);
  63. int OSSL_HPKE_str2suite(const char *str, OSSL_HPKE_SUITE *suite);
  64. size_t OSSL_HPKE_get_ciphertext_size(OSSL_HPKE_SUITE suite, size_t clearlen);
  65. size_t OSSL_HPKE_get_public_encap_size(OSSL_HPKE_SUITE suite);
  66. size_t OSSL_HPKE_get_recommended_ikmelen(OSSL_HPKE_SUITE suite);
  67. =head1 DESCRIPTION
  68. These functions provide an API for using the form of Hybrid Public Key
  69. Encryption (HPKE) defined in RFC9180. Understanding the HPKE specification
  70. is likely required before using these APIs. HPKE is used by various
  71. other IETF specifications, including the TLS Encrypted Client
  72. Hello (ECH) specification and others.
  73. HPKE is a standardised, highly flexible construct for encrypting "to" a public
  74. key that supports combinations of a key encapsulation method (KEM), a key
  75. derivation function (KDF) and an authenticated encryption with additional data
  76. (AEAD) algorithm, with optional sender authentication.
  77. The sender and a receiver here will generally be using some application or
  78. protocol making use of HPKE. For example, with ECH,
  79. the sender will be a browser and the receiver will be a web server.
  80. =head2 Data Structures
  81. B<OSSL_HPKE_SUITE> is a structure that holds identifiers for the algorithms
  82. used for KEM, KDF and AEAD operations.
  83. B<OSSL_HPKE_CTX> is a context that maintains internal state as HPKE
  84. operations are carried out. Separate B<OSSL_HPKE_CTX> objects must be used for
  85. the sender and receiver. Attempting to use a single context for both will
  86. result in errors.
  87. =head2 OSSL_HPKE_SUITE Identifiers
  88. The identifiers used by B<OSSL_HPKE_SUITE> are:
  89. The KEM identifier I<kem_id> is one of the following:
  90. =over 4
  91. =item 0x10 B<OSSL_HPKE_KEM_ID_P256>
  92. =item 0x11 B<OSSL_HPKE_KEM_ID_P384>
  93. =item 0x12 B<OSSL_HPKE_KEM_ID_P521>
  94. =item 0x20 B<OSSL_HPKE_KEM_ID_X25519>
  95. =item 0x21 B<OSSL_HPKE_KEM_ID_X448>
  96. =back
  97. The KDF identifier I<kdf_id> is one of the following:
  98. =over 4
  99. =item 0x01 B<OSSL_HPKE_KDF_ID_HKDF_SHA256>
  100. =item 0x02 B<OSSL_HPKE_KDF_ID_HKDF_SHA384>
  101. =item 0x03 B<OSSL_HPKE_KDF_ID_HKDF_SHA512>
  102. =back
  103. The AEAD identifier I<aead_id> is one of the following:
  104. =over 4
  105. =item 0x01 B<OSSL_HPKE_AEAD_ID_AES_GCM_128>
  106. =item 0x02 B<OSSL_HPKE_AEAD_ID_AES_GCM_256>
  107. =item 0x03 B<OSSL_HPKE_AEAD_ID_CHACHA_POLY1305>
  108. =item 0xFFFF B<OSSL_HPKE_AEAD_ID_EXPORTONLY>
  109. The last identifier above indicates that AEAD operations are not needed.
  110. OSSL_HPKE_export() can be used, but OSSL_HPKE_open() and OSSL_HPKE_seal() will
  111. return an error if called with a context using that AEAD identifier.
  112. =back
  113. =head2 HPKE Modes
  114. HPKE supports the following variants of Authentication using a mode Identifier:
  115. =over 4
  116. =item B<OSSL_HPKE_MODE_BASE>, 0x00
  117. Authentication is not used.
  118. =item B<OSSL_HPKE_MODE_PSK>, 0x01
  119. Authenticates possession of a pre-shared key (PSK).
  120. =item B<OSSL_HPKE_MODE_AUTH>, 0x02
  121. Authenticates possession of a KEM-based sender private key.
  122. =item B<OSSL_HPKE_MODE_PSKAUTH>, 0x03
  123. A combination of B<OSSL_HPKE_MODE_PSK> and B<OSSL_HPKE_MODE_AUTH>.
  124. Both the PSK and the senders authentication public/private must be
  125. supplied before the encapsulation/decapsulation operation will work.
  126. =back
  127. For further information related to authentication see L</Pre-Shared Key HPKE
  128. modes> and L</Sender-authenticated HPKE Modes>.
  129. =head2 HPKE Roles
  130. HPKE contexts have a role - either sender or receiver. This is used
  131. to control which functions can be called and so that senders do not
  132. reuse a key and nonce with different plaintexts.
  133. OSSL_HPKE_CTX_free(), OSSL_HPKE_export(), OSSL_HPKE_CTX_set1_psk(),
  134. and OSSL_HPKE_CTX_get_seq() can be called regardless of role.
  135. =over 4
  136. =item B<OSSL_HPKE_ROLE_SENDER>, 0
  137. An I<OSSL_HPKE_CTX> with this role can be used with
  138. OSSL_HPKE_encap(), OSSL_HPKE_seal(), OSSL_HPKE_CTX_set1_ikme() and
  139. OSSL_HPKE_CTX_set1_authpriv().
  140. =item B<OSSL_HPKE_ROLE_RECEIVER>, 1
  141. An I<OSSL_HPKE_CTX> with this role can be used with OSSL_HPKE_decap(),
  142. OSSL_HPKE_open(), OSSL_HPKE_CTX_set1_authpub() and OSSL_HPKE_CTX_set_seq().
  143. =back
  144. Calling a function with an incorrect role set on I<OSSL_HPKE_CTX> will result
  145. in an error.
  146. =head2 Parameter Size Limits
  147. In order to improve interoperability, RFC9180, section 7.2.1 suggests a
  148. RECOMMENDED maximum size of 64 octets for various input parameters. In this
  149. implementation we apply a limit of 66 octets for the I<ikmlen>, I<psklen>, and
  150. I<labellen> parameters, and for the length of the string I<pskid> for HPKE
  151. functions below. The constant I<OSSL_HPKE_MAX_PARMLEN> is defined as the limit
  152. of this value. (We chose 66 octets so that we can validate all the test
  153. vectors present in RFC9180, Appendix A.)
  154. In accordance with RFC9180, section 9.5, we define a constant
  155. I<OSSL_HPKE_MIN_PSKLEN> with a value of 32 for the minimum length of a
  156. pre-shared key, passed in I<psklen>.
  157. While RFC9180 also RECOMMENDS a 64 octet limit for the I<infolen> parameter,
  158. that is not sufficient for TLS Encrypted ClientHello (ECH) processing, so we
  159. enforce a limit of I<OSSL_HPKE_MAX_INFOLEN> with a value of 1024 as the limit
  160. for the I<infolen> parameter.
  161. =head2 Context Construct/Free
  162. OSSL_HPKE_CTX_new() creates a B<OSSL_HPKE_CTX> context object used for
  163. subsequent HPKE operations, given a I<mode> (See L</HPKE Modes>), I<suite> (see
  164. L</OSSL_HPKE_SUITE Identifiers>) and a I<role> (see L</HPKE Roles>). The
  165. I<libctx> and I<propq> are used when fetching algorithms from providers and may
  166. be set to NULL.
  167. OSSL_HPKE_CTX_free() frees the I<ctx> B<OSSL_HPKE_CTX> that was created
  168. previously by a call to OSSL_HPKE_CTX_new().
  169. =head2 Sender APIs
  170. A sender's goal is to use HPKE to encrypt using a public key, via use of a
  171. KEM, then a KDF and finally an AEAD. The first step is to encapsulate (using
  172. OSSL_HPKE_encap()) the sender's public value using the recipient's public key,
  173. (I<pub>) and to internally derive secrets. This produces the encapsulated public value
  174. (I<enc>) to be sent to the recipient in whatever protocol is using HPKE. Having done the
  175. encapsulation step, the sender can then make one or more calls to
  176. OSSL_HPKE_seal() to encrypt plaintexts using the secret stored within I<ctx>.
  177. OSSL_HPKE_encap() uses the HPKE context I<ctx>, the recipient public value
  178. I<pub> of size I<publen>, and an optional I<info> parameter of size I<infolen>,
  179. to produce the encapsulated public value I<enc>.
  180. On input I<enclen> should contain the maximum size of the I<enc> buffer, and returns
  181. the output size. An error will occur if the input I<enclen> is
  182. smaller than the value returned from OSSL_HPKE_get_public_encap_size().
  183. I<info> may be used to bind other protocol or application artefacts such as identifiers.
  184. Generally, the encapsulated public value I<enc> corresponds to a
  185. single-use ephemeral private value created as part of the encapsulation
  186. process. Only a single call to OSSL_HPKE_encap() is allowed for a given
  187. B<OSSL_HPKE_CTX>.
  188. OSSL_HPKE_seal() takes the B<OSSL_HPKE_CTX> context I<ctx>, the plaintext
  189. buffer I<pt> of size I<ptlen> and optional additional authenticated data buffer
  190. I<aad> of size I<aadlen>, and returns the ciphertext I<ct> of size I<ctlen>.
  191. On input I<ctlen> should contain the maximum size of the I<ct> buffer, and returns
  192. the output size. An error will occur if the input I<ctlen> is
  193. smaller than the value returned from OSSL_HPKE_get_public_encap_size().
  194. OSSL_HPKE_encap() must be called before the OSSL_HPKE_seal(). OSSL_HPKE_seal()
  195. may be called multiple times, with an internal "nonce" being incremented by one
  196. after each call.
  197. =head2 Recipient APIs
  198. Recipients using HPKE require a typically less ephemeral private value so that
  199. the public value can be distributed to potential senders via whatever protocol
  200. is using HPKE. For this reason, recipients will generally first generate a key
  201. pair and will need to manage their private key value using standard mechanisms
  202. outside the scope of this API. Private keys use normal L<EVP_PKEY(3)> pointers
  203. so normal private key management mechanisms can be used for the relevant
  204. values.
  205. In order to enable encapsulation, the recipient needs to make it's public value
  206. available to the sender. There is no generic HPKE format defined for that - the
  207. relevant formatting is intended to be defined by the application/protocols that
  208. makes use of HPKE. ECH for example defines an ECHConfig data structure that
  209. combines the public value with other ECH data items. Normal library functions
  210. must therefore be used to extract the public value in the required format based
  211. on the L<EVP_PKEY(3)> for the private value.
  212. OSSL_HPKE_keygen() provides a way for recipients to generate a key pair based
  213. on the HPKE I<suite> to be used. It returns a L<EVP_PKEY(3)> pointer
  214. for the private value I<priv> and a encoded public key I<pub> of size I<publen>.
  215. On input I<publen> should contain the maximum size of the I<pub> buffer, and
  216. returns the output size. An error will occur if the input I<publen> is too small.
  217. The I<libctx> and I<propq> are used when fetching algorithms from providers
  218. and may be set to NULL.
  219. The HPKE specification also defines a deterministic key generation scheme where
  220. the private value is derived from initial keying material (IKM), so
  221. OSSL_HPKE_keygen() also has an option to use that scheme, using the I<ikm>
  222. parameter of size I<ikmlen>. If either I<ikm> is NULL or I<ikmlen> is zero,
  223. then a randomly generated key for the relevant I<suite> will be produced.
  224. If required I<ikmlen> should be greater than or equal to
  225. OSSL_HPKE_get_recommended_ikmelen().
  226. OSSL_HPKE_decap() takes as input the sender's encapsulated public value
  227. produced by OSSL_HPKE_encap() (I<enc>) and the recipient's L<EVP_PKEY(3)>
  228. pointer (I<prov>), and then re-generates the internal secret derived by the
  229. sender. As before, an optional I<info> parameter allows binding that derived
  230. secret to other application/protocol artefacts. Only a single call to
  231. OSSL_HPKE_decap() is allowed for a given B<OSSL_HPKE_CTX>.
  232. OSSL_HPKE_open() is used by the recipient to decrypt the ciphertext I<ct> of
  233. size I<ctlen> using the I<ctx> and additional authenticated data I<aad> of
  234. size I<aadlen>, to produce the plaintext I<pt> of size I<ptlen>.
  235. On input I<ptlen> should contain the maximum size of the I<pt> buffer, and
  236. returns the output size. A I<pt> buffer that is the same size as the
  237. I<ct> buffer will suffice - generally the plaintext output will be
  238. a little smaller than the ciphertext input.
  239. An error will occur if the input I<ptlen> is too small.
  240. OSSL_HPKE_open() may be called multiple times, but as with OSSL_HPKE_seal()
  241. there is an internally incrementing nonce value so ciphertexts need to be
  242. presented in the same order as used by the OSSL_HPKE_seal().
  243. See L</Re-sequencing> if you need to process multiple ciphertexts in a
  244. different order.
  245. =head2 Exporting Secrets
  246. HPKE defines a way to produce exported secrets for use by the
  247. application.
  248. OSSL_HPKE_export() takes as input the B<OSSL_HPKE_CTX>, and an application
  249. supplied label I<label> of size I<labellen>, to produce a secret I<secret>
  250. of size I<secretlen>. The sender must first call OSSL_HPKE_encap(), and the
  251. receiver must call OSSL_HPKE_decap() in order to derive the same shared secret.
  252. Multiple calls to OSSL_HPKE_export() with the same inputs will produce the
  253. same secret.
  254. I<OSSL_HPKE_AEAD_ID_EXPORTONLY> may be used as the B<OSSL_HPKE_SUITE> I<aead_id>
  255. that is passed to OSSL_HPKE_CTX_new() if the user needs to produce a shared
  256. secret, but does not wish to perform HPKE encryption.
  257. =head2 Sender-authenticated HPKE Modes
  258. HPKE defines modes that support KEM-based sender-authentication
  259. B<OSSL_HPKE_MODE_AUTH> and B<OSSL_HPKE_MODE_PSKAUTH>. This works by binding
  260. the sender's authentication private/public values into the encapsulation and
  261. decapsulation operations. The key used for such modes must also use the same
  262. KEM as used for the overall exchange. OSSL_HPKE_keygen() can be used to
  263. generate the private value required.
  264. OSSL_HPKE_CTX_set1_authpriv() can be used by the sender to set the senders
  265. private I<priv> B<EVP_PKEY> key into the B<OSSL_HPKE_CTX> I<ctx> before calling
  266. OSSL_HPKE_encap().
  267. OSSL_HPKE_CTX_set1_authpub() can be used by the receiver to set the senders
  268. encoded pub key I<pub> of size I<publen> into the B<OSSL_HPKE_CTX> I<ctx> before
  269. calling OSSL_HPKE_decap().
  270. =head2 Pre-Shared Key HPKE modes
  271. HPKE also defines a symmetric equivalent to the authentication described above
  272. using a pre-shared key (PSK) and a PSK identifier. PSKs can be used with the
  273. B<OSSL_HPKE_MODE_PSK> and B<OSSL_HPKE_MODE_PSKAUTH> modes.
  274. OSSL_HPKE_CTX_set1_psk() sets the PSK identifier I<pskid> string, and PSK buffer
  275. I<psk> of size I<psklen> into the I<ctx>. If required this must be called
  276. before OSSL_HPKE_encap() or OSSL_HPKE_decap().
  277. As per RFC9180, if required, both I<psk> and I<pskid> must be set to non-NULL values.
  278. As PSKs are symmetric the same calls must happen on both sender and receiver
  279. sides.
  280. =head2 Deterministic key generation for senders
  281. Normally the senders ephemeral private key is generated randomly inside
  282. OSSL_HPKE_encap() and remains secret.
  283. OSSL_HPKE_CTX_set1_ikme() allows the user to override this behaviour by
  284. setting a deterministic input key material I<ikm> of size I<ikmlen> into
  285. the B<OSSL_HPKE_CTX> I<ctx>.
  286. If required OSSL_HPKE_CTX_set1_ikme() can optionally be called before
  287. OSSL_HPKE_encap().
  288. I<ikmlen> should be greater than or equal to OSSL_HPKE_get_recommended_ikmelen().
  289. It is generally undesirable to use OSSL_HPKE_CTX_set1_ikme(), since it
  290. exposes the relevant secret to the application rather then preserving it
  291. within the library, and is more likely to result in use of predictable values
  292. or values that leak.
  293. =head2 Re-sequencing
  294. Some protocols may have to deal with packet loss while still being able to
  295. decrypt arriving packets later. We provide a way to set the increment used for
  296. the nonce to the next subsequent call to OSSL_HPKE_open() (but not to
  297. OSSL_HPKE_seal() as explained below). The OSSL_HPKE_CTX_set_seq() API can be
  298. used for such purposes with the I<seq> parameter value resetting the internal
  299. nonce increment to be used for the next call.
  300. A baseline nonce value is established based on the encapsulation or
  301. decapsulation operation and is then incremented by 1 for each call to seal or
  302. open. (In other words, the first I<seq> increment defaults to zero.)
  303. If a caller needs to determine how many calls to seal or open have been made
  304. the OSSL_HPKE_CTX_get_seq() API can be used to retrieve the increment (in the
  305. I<seq> output) that will be used in the next call to seal or open. That would
  306. return 0 before the first call a sender made to OSSL_HPKE_seal() and 1 after
  307. that first call.
  308. Note that reuse of the same nonce and key with different plaintexts would
  309. be very dangerous and could lead to loss of confidentiality and integrity.
  310. We therefore only support application control over I<seq> for decryption
  311. (i.e. OSSL_HPKE_open()) operations.
  312. For compatibility with other implementations these I<seq> increments are
  313. represented as I<uint64_t>.
  314. =head2 Protocol Convenience Functions
  315. Additional convenience APIs allow the caller to access internal details of
  316. local HPKE support and/or algorithms, such as parameter lengths.
  317. OSSL_HPKE_suite_check() checks if a specific B<OSSL_HPKE_SUITE> I<suite>
  318. is supported locally.
  319. To assist with memory allocation, OSSL_HPKE_get_ciphertext_size() provides a
  320. way for the caller to know by how much ciphertext will be longer than a
  321. plaintext of length I<clearlen>. (AEAD algorithms add a data integrity tag,
  322. so there is a small amount of ciphertext expansion.)
  323. OSSL_HPKE_get_public_encap_size() provides a way for senders to know how big
  324. the encapsulated public value will be for a given HPKE I<suite>.
  325. OSSL_HPKE_get_recommended_ikmelen() returns the recommended Input Key Material
  326. size (in bytes) for a given I<suite>. This is needed in cases where the same
  327. public value needs to be regenerated by a sender before calling OSSL_HPKE_seal().
  328. I<ikmlen> should be at least this size.
  329. OSSL_HPKE_get_grease_value() produces values of the appropriate length for a
  330. given I<suite_in> value (or a random value if I<suite_in> is NULL) so that a
  331. protocol using HPKE can send so-called GREASE (see RFC8701) values that are
  332. harder to distinguish from a real use of HPKE. The buffer sizes should
  333. be supplied on input. The output I<enc> value will have an appropriate
  334. length for I<suite_out> and a random value, and the I<ct> output will be
  335. a random value. The relevant sizes for buffers can be found using
  336. OSSL_HPKE_get_ciphertext_size() and OSSL_HPKE_get_public_encap_size().
  337. OSSL_HPKE_str2suite() maps input I<str> strings to an B<OSSL_HPKE_SUITE> object.
  338. The input I<str> should be a comma-separated string with a KEM,
  339. KDF and AEAD name in that order, for example "x25519,hkdf-sha256,aes128gcm".
  340. This can be used by command line tools that accept string form names for HPKE
  341. codepoints. Valid (case-insensitive) names are:
  342. "p256", "p384", "p521", "x25519" and "x448" for KEM,
  343. "hkdf-SHA256", "hkdf-SHA384" and "hkdf-SHA512" for KDF, and
  344. "aes-gcm-128", "aes-gcm-256" and "chacha20-poly1305" for AEAD.
  345. String variants of the numbers listed in L</OSSL_HPKE_SUITE Identifiers>
  346. can also be used.
  347. =head1 RETURN VALUES
  348. OSSL_HPKE_CTX_new() returns an OSSL_HPKE_CTX pointer or NULL on error.
  349. OSSL_HPKE_get_ciphertext_size(), OSSL_HPKE_get_public_encap_size(),
  350. OSSL_HPKE_get_recommended_ikmelen() all return a size_t with the
  351. relevant value or zero on error.
  352. All other functions return 1 for success or zero for error.
  353. =head1 EXAMPLES
  354. This example demonstrates a minimal round-trip using HPKE.
  355. #include <stddef.h>
  356. #include <string.h>
  357. #include <openssl/hpke.h>
  358. #include <openssl/evp.h>
  359. /*
  360. * this is big enough for this example, real code would need different
  361. * handling
  362. */
  363. #define LBUFSIZE 48
  364. /* Do a round-trip, generating a key, encrypting and decrypting */
  365. int main(int argc, char **argv)
  366. {
  367. int ok = 0;
  368. int hpke_mode = OSSL_HPKE_MODE_BASE;
  369. OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
  370. OSSL_HPKE_CTX *sctx = NULL, *rctx = NULL;
  371. EVP_PKEY *priv = NULL;
  372. unsigned char pub[LBUFSIZE];
  373. size_t publen = sizeof(pub);
  374. unsigned char enc[LBUFSIZE];
  375. size_t enclen = sizeof(enc);
  376. unsigned char ct[LBUFSIZE];
  377. size_t ctlen = sizeof(ct);
  378. unsigned char clear[LBUFSIZE];
  379. size_t clearlen = sizeof(clear);
  380. const unsigned char *pt = "a message not in a bottle";
  381. size_t ptlen = strlen((char *)pt);
  382. const unsigned char *info = "Some info";
  383. size_t infolen = strlen((char *)info);
  384. unsigned char aad[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
  385. size_t aadlen = sizeof(aad);
  386. /*
  387. * Generate receiver's key pair.
  388. * The receiver gives this public key to the sender.
  389. */
  390. if (OSSL_HPKE_keygen(hpke_suite, pub, &publen, &priv,
  391. NULL, 0, NULL, NULL) != 1)
  392. goto err;
  393. /* sender's actions - encrypt data using the receivers public key */
  394. if ((sctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  395. OSSL_HPKE_ROLE_SENDER,
  396. NULL, NULL)) == NULL)
  397. goto err;
  398. if (OSSL_HPKE_encap(sctx, enc, &enclen, pub, publen, info, infolen) != 1)
  399. goto err;
  400. if (OSSL_HPKE_seal(sctx, ct, &ctlen, aad, aadlen, pt, ptlen) != 1)
  401. goto err;
  402. /* receiver's actions - decrypt data using the receivers private key */
  403. if ((rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
  404. OSSL_HPKE_ROLE_RECEIVER,
  405. NULL, NULL)) == NULL)
  406. goto err;
  407. if (OSSL_HPKE_decap(rctx, enc, enclen, priv, info, infolen) != 1)
  408. goto err;
  409. if (OSSL_HPKE_open(rctx, clear, &clearlen, aad, aadlen, ct, ctlen) != 1)
  410. goto err;
  411. ok = 1;
  412. err:
  413. /* clean up */
  414. printf(ok ? "All Good!\n" : "Error!\n");
  415. OSSL_HPKE_CTX_free(rctx);
  416. OSSL_HPKE_CTX_free(sctx);
  417. EVP_PKEY_free(priv);
  418. return 0;
  419. }
  420. =head1 WARNINGS
  421. Note that the OSSL_HPKE_CTX_set_seq() API could be dangerous - if used with GCM
  422. that could lead to nonce-reuse, which is a known danger. So avoid that
  423. entirely, or be very very careful when using that API.
  424. Use of an IKM value for deterministic key generation (via
  425. OSSL_HPKE_CTX_set1_ikme() or OSSL_HPKE_keygen()) creates the potential for
  426. leaking keys (or IKM values). Only use that if really needed and if you
  427. understand how keys or IKM values could be abused.
  428. =head1 SEE ALSO
  429. The RFC9180 specification: https://datatracker.ietf.org/doc/rfc9180/
  430. =head1 HISTORY
  431. This functionality described here was added in OpenSSL 3.2.
  432. =head1 COPYRIGHT
  433. Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
  434. Licensed under the Apache License 2.0 (the "License"). You may not use
  435. this file except in compliance with the License. You can obtain a copy
  436. in the file LICENSE in the source distribution or at
  437. L<https://www.openssl.org/source/license.html>.
  438. =cut