2 * crypto.h : cryptographic routines
4 * ====================================================================
5 * Licensed to the Apache Software Foundation (ASF) under one
6 * or more contributor license agreements. See the NOTICE file
7 * distributed with this work for additional information
8 * regarding copyright ownership. The ASF licenses this file
9 * to you under the Apache License, Version 2.0 (the
10 * "License"); you may not use this file except in compliance
11 * with the License. You may obtain a copy of the License at
13 * http://www.apache.org/licenses/LICENSE-2.0
15 * Unless required by applicable law or agreed to in writing,
16 * software distributed under the License is distributed on an
17 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
18 * KIND, either express or implied. See the License for the
19 * specific language governing permissions and limitations
21 * ====================================================================
24 #ifndef SVN_LIBSVN_SUBR_CRYPTO_H
25 #define SVN_LIBSVN_SUBR_CRYPTO_H
27 /* Test for APR crypto and RNG support */
28 #undef SVN_HAVE_CRYPTO
32 #if defined(APU_HAVE_CRYPTO) && APU_HAVE_CRYPTO
33 #define SVN_HAVE_CRYPTO
37 #include "svn_types.h"
38 #include "svn_string.h"
42 #endif /* __cplusplus */
45 /* Opaque context for cryptographic operations. */
46 typedef struct svn_crypto__ctx_t svn_crypto__ctx_t;
49 /* Return TRUE iff Subversion's cryptographic support is available. */
50 svn_boolean_t svn_crypto__is_available(void);
53 /* Set *CTX to new Subversion cryptographic context, based on an
54 APR-managed OpenSSL cryptography context object allocated
55 within RESULT_POOL. */
56 /* ### TODO: Should this be something done once with the resulting
57 ### svn_crypto__ctx_t object stored in svn_client_ctx_t? */
59 svn_crypto__context_create(svn_crypto__ctx_t **ctx,
60 apr_pool_t *result_pool);
63 /* Using a PBKDF2 derivative key based on MASTER, encrypt PLAINTEXT.
64 The salt used for PBKDF2 is returned in SALT, and the IV used for
65 the (AES-256/CBC) encryption is returned in IV. The resulting
66 encrypted data is returned in CIPHERTEXT.
68 Note that MASTER may be the plaintext obtained from the user or
69 some other OS-provided cryptographic store, or it can be a derivation
70 such as SHA1(plaintext). As long as the same octets are passed to
71 the decryption function, everything works just fine. (the SHA1
72 approach is suggested, to avoid keeping the plaintext master in
73 the process' memory space) */
75 svn_crypto__encrypt_password(const svn_string_t **ciphertext,
76 const svn_string_t **iv,
77 const svn_string_t **salt,
78 svn_crypto__ctx_t *ctx,
79 const char *plaintext,
80 const svn_string_t *master,
81 apr_pool_t *result_pool,
82 apr_pool_t *scratch_pool);
85 /* Given the CIPHERTEXT which was encrypted using (AES-256/CBC) with
86 initialization vector given by IV, and a key derived using PBKDF2
87 with SALT and MASTER... return the decrypted password in PLAINTEXT. */
89 svn_crypto__decrypt_password(const char **plaintext,
90 svn_crypto__ctx_t *ctx,
91 const svn_string_t *ciphertext,
92 const svn_string_t *iv,
93 const svn_string_t *salt,
94 const svn_string_t *master,
95 apr_pool_t *result_pool,
96 apr_pool_t *scratch_pool);
98 /* Generate the stuff Subversion needs to store in order to validate a
99 user-provided MASTER password:
101 Set *CIPHERTEXT to a block of encrypted data.
103 Set *IV and *SALT to the initialization vector and salt used for
106 Set *CHECKTEXT to the check text used for validation.
108 CTX is a Subversion cryptographic context. MASTER is the
112 svn_crypto__generate_secret_checktext(const svn_string_t **ciphertext,
113 const svn_string_t **iv,
114 const svn_string_t **salt,
115 const char **checktext,
116 svn_crypto__ctx_t *ctx,
117 const svn_string_t *master,
118 apr_pool_t *result_pool,
119 apr_pool_t *scratch_pool);
121 /* Set *IS_VALID to TRUE iff the encryption secret MASTER successfully
122 validates using Subversion cryptographic context CTX against
123 CIPHERTEXT, IV, SALT, and CHECKTEXT (which where probably generated
124 via previous call to svn_crypto__generate_secret_checktext()).
126 Use SCRATCH_POOL for necessary allocations. */
128 svn_crypto__verify_secret(svn_boolean_t *is_valid,
129 svn_crypto__ctx_t *ctx,
130 const svn_string_t *master,
131 const svn_string_t *ciphertext,
132 const svn_string_t *iv,
133 const svn_string_t *salt,
134 const char *checktext,
135 apr_pool_t *scratch_pool);
139 #endif /* __cplusplus */
141 #endif /* SVN_LIBSVN_SUBR_CRYPTO_H */