[94672] | 1 | /** @file
|
---|
| 2 | * VirtualBox - Cryptographic support functions Interface.
|
---|
| 3 | */
|
---|
| 4 |
|
---|
| 5 | /*
|
---|
[106061] | 6 | * Copyright (C) 2022-2024 Oracle and/or its affiliates.
|
---|
[94672] | 7 | *
|
---|
[96407] | 8 | * This file is part of VirtualBox base platform packages, as
|
---|
| 9 | * available from https://www.virtualbox.org.
|
---|
[94672] | 10 | *
|
---|
[96407] | 11 | * This program is free software; you can redistribute it and/or
|
---|
| 12 | * modify it under the terms of the GNU General Public License
|
---|
| 13 | * as published by the Free Software Foundation, in version 3 of the
|
---|
| 14 | * License.
|
---|
| 15 | *
|
---|
| 16 | * This program is distributed in the hope that it will be useful, but
|
---|
| 17 | * WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
| 18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
---|
| 19 | * General Public License for more details.
|
---|
| 20 | *
|
---|
| 21 | * You should have received a copy of the GNU General Public License
|
---|
| 22 | * along with this program; if not, see <https://www.gnu.org/licenses>.
|
---|
| 23 | *
|
---|
[94672] | 24 | * The contents of this file may alternatively be used under the terms
|
---|
| 25 | * of the Common Development and Distribution License Version 1.0
|
---|
[96407] | 26 | * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
|
---|
| 27 | * in the VirtualBox distribution, in which case the provisions of the
|
---|
[94672] | 28 | * CDDL are applicable instead of those of the GPL.
|
---|
| 29 | *
|
---|
| 30 | * You may elect to license modified versions of this file under the
|
---|
| 31 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
[96407] | 32 | *
|
---|
| 33 | * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
|
---|
[94672] | 34 | */
|
---|
| 35 |
|
---|
| 36 | #ifndef VBOX_INCLUDED_VBoxCryptoIf_h
|
---|
| 37 | #define VBOX_INCLUDED_VBoxCryptoIf_h
|
---|
| 38 | #ifndef RT_WITHOUT_PRAGMA_ONCE
|
---|
| 39 | # pragma once
|
---|
| 40 | #endif
|
---|
| 41 |
|
---|
| 42 | #include <iprt/vfs.h>
|
---|
| 43 | #include <VBox/types.h>
|
---|
| 44 |
|
---|
| 45 | /** An opaque VBox cryptographic context handle. */
|
---|
[94673] | 46 | typedef struct VBOXCRYPTOCTXINT *VBOXCRYPTOCTX;
|
---|
[94672] | 47 | /**Pointer to an opaque VBox cryptographic context handle. */
|
---|
| 48 | typedef VBOXCRYPTOCTX *PVBOXCRYPTOCTX;
|
---|
| 49 |
|
---|
| 50 | /** Magic identifying the cryptographic interface (Charles Babbage). */
|
---|
| 51 | #define VBOXCRYPTOIF_MAGIC UINT32_C(0x17911226)
|
---|
| 52 |
|
---|
[94689] | 53 | /** Pointer to const cryptographic interface. */
|
---|
[94672] | 54 | typedef const struct VBOXCRYPTOIF *PCVBOXCRYPTOIF;
|
---|
| 55 | /**
|
---|
| 56 | * The main cryptographic callbacks interface table.
|
---|
| 57 | */
|
---|
| 58 | typedef struct VBOXCRYPTOIF
|
---|
| 59 | {
|
---|
| 60 | /** Interface magic, set to VBOXCRYPTOIF_MAGIC. */
|
---|
| 61 | uint32_t u32Magic;
|
---|
| 62 | /** Interface version.
|
---|
| 63 | * This is set to VBOXCRYPTOIF_VERSION. */
|
---|
| 64 | uint32_t u32Version;
|
---|
[94689] | 65 | /** Description string. */
|
---|
| 66 | const char *pszDesc;
|
---|
[94672] | 67 |
|
---|
[94775] | 68 | /** @name Generic crytographic context operations.
|
---|
[94672] | 69 | * @{ */
|
---|
| 70 |
|
---|
| 71 | /**
|
---|
| 72 | * Creates a new cryptographic context for encryption.
|
---|
| 73 | *
|
---|
| 74 | * @returns VBox status code.
|
---|
| 75 | * @param pszCipher The identifier of the cipher to use.
|
---|
| 76 | * @param pszPassword Password for encrypting the context.
|
---|
| 77 | * @param phCryptoCtx Where to store the handle to the crypto context on success.
|
---|
| 78 | */
|
---|
| 79 | DECLR3CALLBACKMEMBER(int, pfnCryptoCtxCreate, (const char *pszCipher, const char *pszPassword,
|
---|
| 80 | PVBOXCRYPTOCTX phCryptoCtx));
|
---|
| 81 |
|
---|
| 82 | /**
|
---|
| 83 | * Creates a new cryptographic context for decryption from the given base-64 encoded context.
|
---|
| 84 | *
|
---|
| 85 | * @returns VBox status code.
|
---|
| 86 | * @param pszStoredCtx The base-64 encoded context to decrypt with the given password.
|
---|
| 87 | * @param pszPassword Password for encrypting the context.
|
---|
| 88 | * @param phCryptoCtx Where to store the handle to the crypto context on success.
|
---|
| 89 | */
|
---|
[94689] | 90 | DECLR3CALLBACKMEMBER(int, pfnCryptoCtxLoad, (const char *pszStoredCtx, const char *pszPassword,
|
---|
[94672] | 91 | PVBOXCRYPTOCTX phCryptoCtx));
|
---|
| 92 |
|
---|
| 93 | /**
|
---|
| 94 | * Destroys a previously created cryptographic context.
|
---|
| 95 | *
|
---|
| 96 | * @returns VBox status code.
|
---|
| 97 | * @param hCryptoCtx Handle of crpytographic context to destroy.
|
---|
| 98 | */
|
---|
[94674] | 99 | DECLR3CALLBACKMEMBER(int, pfnCryptoCtxDestroy, (VBOXCRYPTOCTX hCryptoCtx));
|
---|
[94672] | 100 |
|
---|
| 101 | /**
|
---|
| 102 | * Returns the given cryptographic context as a base-64 encoded string.
|
---|
| 103 | *
|
---|
| 104 | * @returns VBox status code.
|
---|
| 105 | * @param hCryptoCtx Handle of crpytographic context.
|
---|
| 106 | * @param ppszStoredCtx Where to store the base-64 encoded cryptographic context on success.
|
---|
| 107 | * Must be freed with RTMemFree() when not required anymore.
|
---|
| 108 | */
|
---|
[94673] | 109 | DECLR3CALLBACKMEMBER(int, pfnCryptoCtxSave, (VBOXCRYPTOCTX hCryptoCtx, char **ppszStoredCtx));
|
---|
[94672] | 110 |
|
---|
| 111 | /**
|
---|
| 112 | * Changes the encryption password for the given context.
|
---|
| 113 | *
|
---|
| 114 | * @returns VBox status code.
|
---|
| 115 | * @param hCryptoCtx Handle of crpytographic context.
|
---|
| 116 | * @param pszPassword New password used for encrypting the DEK.
|
---|
| 117 | */
|
---|
| 118 | DECLR3CALLBACKMEMBER(int, pfnCryptoCtxPasswordChange, (VBOXCRYPTOCTX hCryptoCtx, const char *pszPassword));
|
---|
| 119 |
|
---|
| 120 | /**
|
---|
| 121 | * Queries the required size of the output buffer for encrypted data. Depends on the cipher.
|
---|
| 122 | *
|
---|
| 123 | * @returns VBox status code.
|
---|
| 124 | * @param hCryptoCtx Handle of crpytographic context.
|
---|
| 125 | * @param cbPlainText The size of the data to be encrypted.
|
---|
| 126 | * @param pcbEncrypted Where to store the size in bytes of the encrypted data on success.
|
---|
| 127 | */
|
---|
[94699] | 128 | DECLR3CALLBACKMEMBER(int, pfnCryptoCtxQueryEncryptedSize, (VBOXCRYPTOCTX hCryptoCtx, size_t cbPlaintext,
|
---|
| 129 | size_t *pcbEncrypted));
|
---|
[94672] | 130 |
|
---|
| 131 | /**
|
---|
| 132 | * Queries the required size of the output buffer for decrypted data. Depends on the cipher.
|
---|
| 133 | *
|
---|
| 134 | * @returns VBox status code.
|
---|
| 135 | * @param hCryptoCtx Handle of crpytographic context.
|
---|
| 136 | * @param cbEncrypted The size of the encrypted chunk before decryption.
|
---|
| 137 | * @param pcbPlaintext Where to store the size in bytes of the decrypted data on success.
|
---|
| 138 | */
|
---|
[94699] | 139 | DECLR3CALLBACKMEMBER(int, pfnCryptoCtxQueryDecryptedSize, (VBOXCRYPTOCTX hCryptoCtx, size_t cbEncrypted,
|
---|
| 140 | size_t *pcbPlaintext));
|
---|
[94672] | 141 |
|
---|
| 142 | /**
|
---|
| 143 | * Encrypts data.
|
---|
| 144 | *
|
---|
| 145 | * @returns VBox status code.
|
---|
| 146 | * @param hCryptoCtx Handle of crpytographic context.
|
---|
| 147 | * @param fPartial Only part of data to be encrypted is specified. The encryption
|
---|
| 148 | * cipher context will not be closed. Set to false for last piece
|
---|
| 149 | * of data, or if data is specified completely.
|
---|
| 150 | * Only CTR mode supports partial encryption.
|
---|
| 151 | * @param pvIV Pointer to IV. If null it will be generated.
|
---|
| 152 | * @param cbIV Size of the IV.
|
---|
| 153 | * @param pvPlainText Data to encrypt.
|
---|
| 154 | * @param cbPlainText Size of the data in the pvPlainText.
|
---|
| 155 | * @param pvAuthData Data used for authenticate the pvPlainText
|
---|
| 156 | * @param cbAuthData Size of the pvAuthData
|
---|
| 157 | * @param pvEncrypted Buffer to store encrypted data
|
---|
| 158 | * @param cbEncrypted Size of the buffer in pvEncrypted
|
---|
| 159 | * @param pcbEncrypted Placeholder where the size of the encrypted data returned.
|
---|
| 160 | */
|
---|
| 161 | DECLR3CALLBACKMEMBER(int, pfnCryptoCtxEncrypt, (VBOXCRYPTOCTX hCryptoCtx, bool fPartial, void const *pvIV, size_t cbIV,
|
---|
| 162 | void const *pvPlainText, size_t cbPlainText,
|
---|
| 163 | void const *pvAuthData, size_t cbAuthData,
|
---|
| 164 | void *pvEncrypted, size_t cbEncrypted,
|
---|
| 165 | size_t *pcbEncrypted));
|
---|
| 166 |
|
---|
| 167 | /**
|
---|
| 168 | * Decrypts data.
|
---|
| 169 | *
|
---|
| 170 | * @returns VBox status code.
|
---|
| 171 | * @param hCryptoCtx Handle of crpytographic context.
|
---|
| 172 | * @param fPartial Only part of data to be encrypted is specified. The encryption
|
---|
| 173 | * cipher context will not be closed. Set to false for last piece
|
---|
| 174 | * of data, or if data is specified completely.
|
---|
| 175 | * Only CTR mode supports partial encryption.
|
---|
| 176 | * @param pvEncrypted Data to decrypt.
|
---|
| 177 | * @param cbEncrypted Size of the data in the pvEncrypted.
|
---|
| 178 | * @param pvAuthData Data used for authenticate the pvEncrypted
|
---|
| 179 | * @param cbAuthData Size of the pvAuthData
|
---|
| 180 | * @param pvPlainText Buffer to store decrypted data
|
---|
| 181 | * @param cbPlainText Size of the buffer in pvPlainText
|
---|
| 182 | * @param pcbPlainText Placeholder where the size of the decrypted data returned.
|
---|
| 183 | */
|
---|
| 184 | DECLR3CALLBACKMEMBER(int, pfnCryptoCtxDecrypt, (VBOXCRYPTOCTX hCryptoCtx, bool fPartial,
|
---|
| 185 | void const *pvEncrypted, size_t cbEncrypted,
|
---|
| 186 | void const *pvAuthData, size_t cbAuthData,
|
---|
| 187 | void *pvPlainText, size_t cbPlainText, size_t *pcbPlainText));
|
---|
| 188 | /** @} */
|
---|
| 189 |
|
---|
| 190 | /** @name File based cryptographic operations.
|
---|
| 191 | * @{ */
|
---|
| 192 | /**
|
---|
| 193 | * Creates a new VFS file handle for an encrypted or to be encrypted file handle.
|
---|
| 194 | *
|
---|
| 195 | * @returns VBox status code.
|
---|
| 196 | * @param hVfsFile The input file handle, a new reference is retained upon success.
|
---|
| 197 | * @param pszKeyStore The key store containing the DEK used for encryption.
|
---|
| 198 | * @param pszPassword Password encrypting the DEK.
|
---|
| 199 | * @param phVfsFile Where to store the handle to the VFS file on success.
|
---|
| 200 | */
|
---|
| 201 | DECLR3CALLBACKMEMBER(int, pfnCryptoFileFromVfsFile, (RTVFSFILE hVfsFile, const char *pszKeyStore, const char *pszPassword,
|
---|
| 202 | PRTVFSFILE phVfsFile));
|
---|
| 203 |
|
---|
| 204 | /**
|
---|
| 205 | * Opens a new encryption I/O stream.
|
---|
| 206 | *
|
---|
| 207 | * @returns VBox status code.
|
---|
| 208 | * @param hVfsIosDst The encrypted output stream (must be writeable).
|
---|
| 209 | * The reference is not consumed, instead another
|
---|
| 210 | * one is retained.
|
---|
| 211 | * @param pszKeyStore The key store containing the DEK used for encryption.
|
---|
| 212 | * @param pszPassword Password encrypting the DEK.
|
---|
| 213 | * @param phVfsIosCrypt Where to return the crypting input I/O stream handle
|
---|
| 214 | * (you write to this).
|
---|
| 215 | */
|
---|
| 216 | DECLR3CALLBACKMEMBER(int, pfnCryptoIoStrmFromVfsIoStrmEncrypt, (RTVFSIOSTREAM hVfsIosDst, const char *pszKeyStore,
|
---|
[94689] | 217 | const char *pszPassword, PRTVFSIOSTREAM phVfsIosCrypt));
|
---|
[94672] | 218 |
|
---|
| 219 | /**
|
---|
| 220 | * Opens a new decryption I/O stream.
|
---|
| 221 | *
|
---|
| 222 | * @returns VBox status code.
|
---|
| 223 | * @param hVfsIosIn The encrypted input stream (must be readable).
|
---|
| 224 | * The reference is not consumed, instead another
|
---|
| 225 | * one is retained.
|
---|
| 226 | * @param pszKeyStore The key store containing the DEK used for encryption.
|
---|
| 227 | * @param pszPassword Password encrypting the DEK.
|
---|
| 228 | * @param phVfsIosOut Where to return the handle to the decrypted I/O stream (read).
|
---|
| 229 | */
|
---|
| 230 | DECLR3CALLBACKMEMBER(int, pfnCryptoIoStrmFromVfsIoStrmDecrypt, (RTVFSIOSTREAM hVfsIosIn, const char *pszKeyStore,
|
---|
[94689] | 231 | const char *pszPassword, PRTVFSIOSTREAM phVfsIosOut));
|
---|
[94672] | 232 | /** @} */
|
---|
| 233 |
|
---|
| 234 | /** @name Keystore related functions.
|
---|
| 235 | * @{ */
|
---|
| 236 | /**
|
---|
| 237 | * Return the encryption parameters and DEK from the base64 encoded key store data.
|
---|
| 238 | *
|
---|
| 239 | * @returns VBox status code.
|
---|
| 240 | * @param pszEnc The base64 encoded key store data.
|
---|
| 241 | * @param pszPassword The password to use for key decryption.
|
---|
| 242 | * If the password is NULL only the cipher is returned.
|
---|
| 243 | * @param ppbKey Where to store the DEK on success.
|
---|
| 244 | * Must be freed with RTMemSaferFree().
|
---|
| 245 | * @param pcbKey Where to store the DEK size in bytes on success.
|
---|
| 246 | * @param ppszCipher Where to store the used cipher for the decrypted DEK.
|
---|
| 247 | * Must be freed with RTStrFree().
|
---|
| 248 | */
|
---|
| 249 | DECLR3CALLBACKMEMBER(int, pfnCryptoKeyStoreGetDekFromEncoded, (const char *pszEnc, const char *pszPassword,
|
---|
| 250 | uint8_t **ppbKey, size_t *pcbKey, char **ppszCipher));
|
---|
| 251 |
|
---|
| 252 | /**
|
---|
| 253 | * Stores the given DEK in a key store protected by the given password.
|
---|
| 254 | *
|
---|
| 255 | * @returns VBox status code.
|
---|
| 256 | * @param pszPassword The password to protect the DEK.
|
---|
| 257 | * @param pbKey The DEK to protect.
|
---|
| 258 | * @param cbKey Size of the DEK to protect.
|
---|
| 259 | * @param pszCipher The cipher string associated with the DEK.
|
---|
| 260 | * @param ppszEnc Where to store the base64 encoded key store data on success.
|
---|
| 261 | * Must be freed with RTMemFree().
|
---|
| 262 | */
|
---|
| 263 | DECLR3CALLBACKMEMBER(int, pfnCryptoKeyStoreCreate, (const char *pszPassword, const uint8_t *pbKey, size_t cbKey,
|
---|
| 264 | const char *pszCipher, char **ppszEnc));
|
---|
| 265 | /** @} */
|
---|
| 266 |
|
---|
| 267 | DECLR3CALLBACKMEMBER(int, pfnReserved1,(void)); /**< Reserved for minor structure revisions. */
|
---|
| 268 | DECLR3CALLBACKMEMBER(int, pfnReserved2,(void)); /**< Reserved for minor structure revisions. */
|
---|
| 269 | DECLR3CALLBACKMEMBER(int, pfnReserved3,(void)); /**< Reserved for minor structure revisions. */
|
---|
| 270 | DECLR3CALLBACKMEMBER(int, pfnReserved4,(void)); /**< Reserved for minor structure revisions. */
|
---|
| 271 | DECLR3CALLBACKMEMBER(int, pfnReserved5,(void)); /**< Reserved for minor structure revisions. */
|
---|
| 272 | DECLR3CALLBACKMEMBER(int, pfnReserved6,(void)); /**< Reserved for minor structure revisions. */
|
---|
| 273 |
|
---|
| 274 | /** Reserved for minor structure revisions. */
|
---|
| 275 | uint32_t uReserved7;
|
---|
| 276 |
|
---|
[94689] | 277 | /** End of structure marker (VBOXCRYPTOIF_VERSION). */
|
---|
[94672] | 278 | uint32_t u32EndMarker;
|
---|
| 279 | } VBOXCRYPTOIF;
|
---|
[94689] | 280 | /** Current version of the VBOXCRYPTOIF structure. */
|
---|
[94672] | 281 | #define VBOXCRYPTOIF_VERSION RT_MAKE_U32(0, 1)
|
---|
| 282 |
|
---|
| 283 |
|
---|
| 284 | /**
|
---|
| 285 | * The VBoxCrypto entry callback function.
|
---|
| 286 | *
|
---|
| 287 | * @returns VBox status code.
|
---|
| 288 | * @param ppCryptoIf Where to store the pointer to the crypto module interface callback table
|
---|
| 289 | * on success.
|
---|
| 290 | */
|
---|
| 291 | typedef DECLCALLBACKTYPE(int, FNVBOXCRYPTOENTRY,(PCVBOXCRYPTOIF *ppCryptoIf));
|
---|
| 292 | /** Pointer to a FNVBOXCRYPTOENTRY. */
|
---|
| 293 | typedef FNVBOXCRYPTOENTRY *PFNVBOXCRYPTOENTRY;
|
---|
| 294 |
|
---|
| 295 | /** The name of the crypto module entry point. */
|
---|
| 296 | #define VBOX_CRYPTO_MOD_ENTRY_POINT "VBoxCryptoEntry"
|
---|
| 297 |
|
---|
| 298 |
|
---|
| 299 | /**
|
---|
| 300 | * Checks if cryptographic interface version is compatible.
|
---|
| 301 | *
|
---|
| 302 | * @returns true if the do, false if they don't.
|
---|
| 303 | * @param u32Provider The provider version.
|
---|
| 304 | * @param u32User The user version.
|
---|
| 305 | */
|
---|
| 306 | #define VBOXCRYPTO_IS_VER_COMPAT(u32Provider, u32User) \
|
---|
| 307 | ( VBOXCRYPTO_IS_MAJOR_VER_EQUAL(u32Provider, u32User) \
|
---|
| 308 | && (int32_t)RT_LOWORD(u32Provider) >= (int32_t)RT_LOWORD(u32User) ) /* stupid casts to shut up gcc */
|
---|
| 309 |
|
---|
| 310 | /**
|
---|
| 311 | * Check if two cryptographic interface versions have the same major version.
|
---|
| 312 | *
|
---|
| 313 | * @returns true if the do, false if they don't.
|
---|
| 314 | * @param u32Ver1 The first version number.
|
---|
| 315 | * @param u32Ver2 The second version number.
|
---|
| 316 | */
|
---|
| 317 | #define VBOXCRYPTO_IS_MAJOR_VER_EQUAL(u32Ver1, u32Ver2) (RT_HIWORD(u32Ver1) == RT_HIWORD(u32Ver2))
|
---|
| 318 |
|
---|
| 319 | #endif /* !VBOX_INCLUDED_VBoxCryptoIf_h */
|
---|
| 320 |
|
---|