FFI (C Binding)

New in version 2.0.0.

Botan’s ffi module provides a C89 binding intended to be easily usable with other language’s foreign function interface (FFI) libraries. For instance the included Python wrapper uses Python’s ctypes module and the C89 API. This API is of course also useful for programs written directly in C.

Code examples can be found in the tests as well as the implementations of the various language bindings. At the time of this writing, the Python and Rust bindings are probably the most comprehensive.

Rules of Engagement

Writing language bindings for C or C++ libraries is typically a tedious and bug-prone experience. This FFI layer was designed to make the experience, if not pleasant, at least straighforward.

  • All objects manipulated by the API are opaque structs. Each struct is tagged with a 32-bit magic number which is unique to its type; accidentally passing the wrong object type to a function will result in a BOTAN_FFI_ERROR_INVALID_OBJECT error, instead of a crash or memory corruption.

  • (Almost) all functions return an integer error code indicating success or failure. The exception is a small handful of version query functions, which are guaranteed to never fail. All functions returning errors use the same set of error codes.

  • The set of types used is small and commonly supported: uint8_t arrays for binary data, size_t for lengths, and NULL-terminated UTF-8 encoded strings.

  • No ownership of pointers crosses the boundary. If the library is producing output, it does so by either writing to a buffer that was provided by the application, or calling a view callback.

    In the first case, the application typically passes both an output buffer and a pointer to a length field. On entry, the length field should be set to the number of bytes available in the output buffer. If there is sufficient room, the output is written to the buffer, the actual number of bytes written is returned in the length field, and the function returns 0 (success). Otherwise, the number of bytes required is placed in the length parameter, and then BOTAN_FFI_ERROR_INSUFFICIENT_BUFFER_SPACE is returned.

    In most cases, for this style of function, there is also a function which allows querying the actual (or possibly upper bound) number of bytes in the function’s output. For example calling botan_hash_output_length allows the application to determine in advance the number of bytes that botan_hash_final will want to write.

    In some situations, it is not possible to determine exactly what the output size of the function will be in advance. Here the FFI layer uses what it terms View Functions; callbacks that are allowed to view the entire output of the function, but once the callback returns, no further access is allowed. View functions are called with an opaque pointer provided by the application, which allows passing arbitrary context information.

Return Codes

Almost all functions in the Botan C interface return an int error code. The only exceptions are a handful of functions (like botan_ffi_api_version) which cannot fail in any circumstances.

The FFI functions return a non-negative integer (usually 0) to indicate success, or a negative integer to represent an error. A few functions (like botan_block_cipher_block_size) return positive integers instead of zero on success.

The error codes returned in certain error situations may change over time. This especially applies to very generic errors like BOTAN_FFI_ERROR_EXCEPTION_THROWN and BOTAN_FFI_ERROR_UNKNOWN_ERROR. For instance, before 2.8, setting an invalid key length resulted in BOTAN_FFI_ERROR_EXCEPTION_THROWN but now this is specially handled and returns BOTAN_FFI_ERROR_INVALID_KEY_LENGTH instead.

The following enum values are defined in the FFI header:

enumerator BOTAN_FFI_SUCCESS = 0

Generally returned to indicate success

enumerator BOTAN_FFI_INVALID_VERIFIER = 1

Note this value is positive, but still represents an error condition. In indicates that the function completed successfully, but the value provided was not correct. For example botan_bcrypt_is_valid returns this value if the password did not match the hash.

enumerator BOTAN_FFI_ERROR_INVALID_INPUT = -1

The input was invalid. (Currently this error return is not used.)

enumerator BOTAN_FFI_ERROR_BAD_MAC = -2

While decrypting in an AEAD mode, the tag failed to verify.

enumerator BOTAN_FFI_ERROR_INSUFFICIENT_BUFFER_SPACE = -10

Functions which write a variable amount of space return this if the indicated buffer length was insufficient to write the data. In that case, the output length parameter is set to the size that is required.

enumerator BOTAN_FFI_ERROR_STRING_CONVERSION_ERROR = -11

A string view function which attempts to convert a string to a specified charset, and fails, can use this function to indicate the error.

enumerator BOTAN_FFI_ERROR_EXCEPTION_THROWN = -20

An exception was thrown while processing this request, but no further details are available.

Note

If the environment variable BOTAN_FFI_PRINT_EXCEPTIONS is set to any non-empty value, then any exception which is caught by the FFI layer will first print the exception message to stderr before returning an error. This is sometimes useful for debugging.

enumerator BOTAN_FFI_ERROR_OUT_OF_MEMORY = -21

Memory allocation failed

enumerator BOTAN_FFI_ERROR_SYSTEM_ERROR = -22

A system call failed

enumerator BOTAN_FFI_ERROR_INTERNAL_ERROR = -23

An internal bug was encountered (please open a ticket on github)

enumerator BOTAN_FFI_ERROR_BAD_FLAG = -30

A value provided in a flag variable was unknown.

enumerator BOTAN_FFI_ERROR_NULL_POINTER = -31

A null pointer was provided as an argument where that is not allowed.

enumerator BOTAN_FFI_ERROR_BAD_PARAMETER = -32

An argument did not match the function.

enumerator BOTAN_FFI_ERROR_KEY_NOT_SET = -33

An object that requires a key normally must be keyed before use (eg before encrypting or MACing data). If this is not done, the operation will fail and return this error code.

enumerator BOTAN_FFI_ERROR_INVALID_KEY_LENGTH = -34

An invalid key length was provided with a call to foo_set_key.

enumerator BOTAN_FFI_ERROR_INVALID_OBJECT_STATE = -35

An operation was invoked that makes sense for the object, but it is in the wrong state to perform it.

enumerator BOTAN_FFI_ERROR_NOT_IMPLEMENTED = -40

This is returned if the functionality is not available for some reason. For example if you call botan_hash_init with a named hash function which is not enabled, this error is returned.

enumerator BOTAN_FFI_ERROR_INVALID_OBJECT = -50

This is used if an object provided did not match the function. For example calling botan_hash_destroy on a botan_rng_t object will cause this error.

enumerator BOTAN_FFI_ERROR_UNKNOWN_ERROR = -100

Something bad happened, but we are not sure why or how.

Error values below -10000 are reserved for the application (these can be returned from view functions).

Further information about the error that occured is available via

const char *botan_error_last_exception_message()

New in version 3.0.0.

Returns a static string stored in a thread local variable which contains the last exception message thrown.

Warning

This string buffer is overwritten on the next call to the FFI layer

Versioning

uint32_t botan_ffi_api_version()

Returns the version of the currently supported FFI API. This is expressed in the form YYYYMMDD of the release date of this version of the API.

int botan_ffi_supports_api(uint32_t version)

Returns 0 iff the FFI version specified is supported by this library. Otherwise returns -1. The expression botan_ffi_supports_api(botan_ffi_api_version()) will always evaluate to 0. A particular version of the library may also support other (older) versions of the FFI API.

const char *botan_version_string()

Returns a free-form string describing the version. The return value is a statically allocated string.

uint32_t botan_version_major()

Returns the major version of the library

uint32_t botan_version_minor()

Returns the minor version of the library

uint32_t botan_version_patch()

Returns the patch version of the library

uint32_t botan_version_datestamp()

Returns the date this version was released as an integer YYYYMMDD, or 0 if an unreleased version

FFI Versions

This maps the FFI API version to the first version of the library that supported it.

FFI Version

Supported Starting

20230403

3.0.0

20210220

2.18.0

20191214

2.13.0

20180713

2.8.0

20170815

2.3.0

20170327

2.1.0

20150515

2.0.0

View Functions

New in version 3.0.0.

Starting in Botan 3.0, certain functions were added which produce a “view”. That is instead of copying data to a user provided buffer, they instead invoke a callback, passing the data that was requested. This avoids an issue where in some cases it is not possible for the caller to know what the output length of the FFI function will be. In these cases, the best they can do is set a large length, invoke the function, and then accept that they may need to retry the (potentially expensive) operation.

View functions avoid this by always providing the full data, and allowing the caller to allocate memory as necessary to copy out the result, without having to guess the length in advance.

In all cases the pointer passed to the view function is deallocated after the view function returns, and should not be retained.

The view functions return an integer value; if they return non-zero, then the overall FFI function will also return this integer. To avoid confusion when mapping the errors, any error returns should either match Botan’s FFI error codes, or else use an integer value in the application reserved range.

typedef void *botan_view_ctx

The application context, which is passed back to the view function.

typedef int (*botan_view_bin_fn)(botan_view_ctx view_ctx, const uint8_t *data, size_t len)

A viewer of arbitrary binary data.

typedef int (*botan_view_str_fn)(botan_view_ctx view_ctx, const char *str, size_t len)

A viewer of a null terminated C-style string. The length includes the null terminator byte. The string should be UTF-8 encoded, but in certain circumstances may not be. (Typically this would be due to a bug or oversight; please report the issue.) BOTAN_FFI_ERROR_STRING_CONVERSION_ERROR is reserved to allow the FFI call to indicate the problem, should it be unable to convert the data.

Utility Functions

int botan_constant_time_compare(const uint8_t *x, const uint8_t *y, size_t len)

Returns 0 if x[0..len] == y[0..len], -1 otherwise.

int botan_hex_encode(const uint8_t *x, size_t len, char *out, uint32_t flags)

Performs hex encoding of binary data in x of size len bytes. The output buffer out must be of at least x*2 bytes in size. If flags contains BOTAN_FFI_HEX_LOWER_CASE, hex encoding will only contain lower-case letters, upper-case letters otherwise. Returns 0 on success, 1 otherwise.

int botan_hex_decode(const char *hex_str, size_t in_len, uint8_t *out, size_t *out_len)

Hex decode some data

Random Number Generators

typedef opaque *botan_rng_t

An opaque data type for a random number generator. Don’t mess with it.

int botan_rng_init(botan_rng_t *rng, const char *rng_type)

Initialize a random number generator object from the given rng_type: “system” (or nullptr): System_RNG, “user”: AutoSeeded_RNG, “user-threadsafe”: serialized AutoSeeded_RNG, “null”: Null_RNG (always fails), “hwrnd” or “rdrand”: Processor_RNG (if available)

int botan_rng_init_custom(botan_rng_t *rng, const char *rng_name, void *context, int (*get_cb)(void *context, uint8_t *out, size_t out_len), int (*add_entropy_cb)(void *context, const uint8_t input[], size_t length), void (*destroy_cb)(void *context));

New in version 2.18.0.

Create a new custom RNG object, which will invoke the provided callbacks.

int botan_rng_get(botan_rng_t rng, uint8_t *out, size_t out_len)

Get random bytes from a random number generator.

int botan_rng_reseed(botan_rng_t rng, size_t bits)

Reseeds the random number generator with bits number of bits from the System_RNG.

int botan_rng_reseed_from_rng(botan_rng_t rng, botan_rng_t src, size_t bits)

Reseeds the random number generator with bits number of bits taken from the given source RNG.

int botan_rng_add_entropy(botan_rng_t rng, const uint8_t seed[], size_t len)

Adds the provided seed material to the internal RNG state.

This call may be ignored by certain RNG instances (such as RDRAND or, on some systems, the system RNG).

int botan_rng_destroy(botan_rng_t rng)

Destroy the object created by botan_rng_init.

Block Ciphers

New in version 2.1.0.

This is a ‘raw’ interface to ECB mode block ciphers. Most applications want the higher level cipher API which provides authenticated encryption. This API exists as an escape hatch for applications which need to implement custom primitives using a PRP.

typedef opaque *botan_block_cipher_t

An opaque data type for a block cipher. Don’t mess with it.

int botan_block_cipher_init(botan_block_cipher_t *bc, const char *cipher_name)

Create a new cipher mode object, cipher_name should be for example “AES-128” or “Threefish-512”

int botan_block_cipher_block_size(botan_block_cipher_t bc)

Return the block size of this cipher.

int botan_block_cipher_name(botan_block_cipher_t cipher, char *name, size_t *name_len)

Return the name of this block cipher algorithm, which may nor may not exactly match what was passed to botan_block_cipher_init.

int botan_block_cipher_get_keyspec(botan_block_cipher_t cipher, size_t *out_minimum_keylength, size_t *out_maximum_keylength, size_t *out_keylength_modulo)

Return the limits on the key which can be provided to this cipher. If any of the parameters are null, no output is written to that field. This allows retrieving only (say) the maximum supported keylength, if that is the only information needed.

int botan_block_cipher_clear(botan_block_cipher_t bc)

Clear the internal state (such as keys) of this cipher object, but do not deallocate it.

int botan_block_cipher_set_key(botan_block_cipher_t bc, const uint8_t key[], size_t key_len)

Set the cipher key, which is required before encrypting or decrypting.

int botan_block_cipher_encrypt_blocks(botan_block_cipher_t bc, const uint8_t in[], uint8_t out[], size_t blocks)

The key must have been set first with botan_block_cipher_set_key. Encrypt blocks blocks of data stored in in and place the ciphertext into out. The two parameters may be the same buffer, but must not overlap.

int botan_block_cipher_decrypt_blocks(botan_block_cipher_t bc, const uint8_t in[], uint8_t out[], size_t blocks)

The key must have been set first with botan_block_cipher_set_key. Decrypt blocks blocks of data stored in in and place the ciphertext into out. The two parameters may be the same buffer, but must not overlap.

int botan_block_cipher_destroy(botan_block_cipher_t rng)

Destroy the object created by botan_block_cipher_init.

Hash Functions

typedef opaque *botan_hash_t

An opaque data type for a hash. Don’t mess with it.

int botan_hash_init(botan_hash_t hash, const char *hash_name, uint32_t flags)

Creates a hash of the given name, e.g., “SHA-384”.

Flags should always be zero in this version of the API.

int botan_hash_destroy(botan_hash_t hash)

Destroy the object created by botan_hash_init.

int botan_hash_name(botan_hash_t hash, char *name, size_t *name_len)

Write the name of the hash function to the provided buffer.

int botan_hash_copy_state(botan_hash_t *dest, const botan_hash_t source)

Copies the state of the hash object to a new hash object.

int botan_hash_clear(botan_hash_t hash)

Reset the state of this object back to clean, as if no input has been supplied.

int botan_hash_output_length(botan_hash_t hash, size_t *output_length)

Return the output length of the hash function.

int botan_hash_update(botan_hash_t hash, const uint8_t *input, size_t len)

Add input to the hash computation.

int botan_hash_final(botan_hash_t hash, uint8_t out[])

Finalize the hash and place the output in out. Exactly botan_hash_output_length bytes will be written.

Message Authentication Codes

typedef opaque *botan_mac_t

An opaque data type for a MAC. Don’t mess with it, but do remember to set a random key first.

int botan_mac_init(botan_mac_t *mac, const char *mac_name, uint32_t flags)

Creates a MAC of the given name, e.g., “HMAC(SHA-384)”. Flags should always be zero in this version of the API.

int botan_mac_destroy(botan_mac_t mac)

Destroy the object created by botan_mac_init.

int botan_mac_clear(botan_mac_t mac)

Reset the state of this object back to clean, as if no key and input have been supplied.

int botan_mac_output_length(botan_mac_t mac, size_t *output_length)

Return the output length of the MAC.

int botan_mac_set_key(botan_mac_t mac, const uint8_t *key, size_t key_len)

Set the random key.

int botan_mac_set_nonce(botan_mac_t mac, const uint8_t *key, size_t key_len)

Set a nonce for the MAC. This is used for certain (relatively uncommon) MACs such as GMAC

int botan_mac_update(botan_mac_t mac, uint8_t buf[], size_t len)

Add input to the MAC computation.

int botan_mac_final(botan_mac_t mac, uint8_t out[], size_t *out_len)

Finalize the MAC and place the output in out. Exactly botan_mac_output_length bytes will be written.

Symmetric Ciphers

typedef opaque *botan_cipher_t

An opaque data type for a symmetric cipher object. Don’t mess with it, but do remember to set a random key first. And please use an AEAD.

int botan_cipher_init(botan_cipher_t *cipher, const char *cipher_name, uint32_t flags)

Create a cipher object from a name such as “AES-256/GCM” or “Serpent/OCB”.

Flags is a bitfield; the low bitof flags specifies if encrypt or decrypt, ie use 0 for encryption and 1 for decryption.

int botan_cipher_destroy(botan_cipher_t cipher)
int botan_cipher_clear(botan_cipher_t hash)
int botan_cipher_set_key(botan_cipher_t cipher, const uint8_t *key, size_t key_len)
int botan_cipher_is_authenticated(botan_cipher_t cipher)
int botan_cipher_requires_entire_message(botan_cipher_t cipher)
int botan_cipher_get_tag_length(botan_cipher_t cipher, size_t *tag_len)

Write the tag length of the cipher to tag_len. This will be zero for non-authenticated ciphers.

int botan_cipher_valid_nonce_length(botan_cipher_t cipher, size_t nl)

Returns 1 if the nonce length is valid, or 0 otherwise. Returns -1 on error (such as the cipher object being invalid).

int botan_cipher_get_default_nonce_length(botan_cipher_t cipher, size_t *nl)

Return the default nonce length

int botan_cipher_get_update_granularity(botan_cipher_t cipher, size_t *ug)

Return the minimum update granularity, ie the size of a buffer that must be passed to botan_cipher_update

int botan_cipher_get_ideal_update_granularity(botan_cipher_t cipher, size_t *ug)

Return the ideal update granularity, ie the size of a buffer that must be passed to botan_cipher_update that maximizes performance.

Note

Using larger buffers than the value returned here is unlikely to hurt (within reason). Typically the returned value is a small multiple of the minimum granularity, with the multiplier depending on the algorithm and hardware support.

int botan_cipher_set_associated_data(botan_cipher_t cipher, const uint8_t *ad, size_t ad_len)

Set associated data. Will fail unless the cipher is an AEAD.

int botan_cipher_start(botan_cipher_t cipher, const uint8_t *nonce, size_t nonce_len)

Start processing a message using the provided nonce.

int botan_cipher_update(botan_cipher_t cipher, uint32_t flags, uint8_t output[], size_t output_size, size_t *output_written, const uint8_t input_bytes[], size_t input_size, size_t *input_consumed)

Encrypt or decrypt data.

PBKDF

int botan_pbkdf(const char *pbkdf_algo, uint8_t out[], size_t out_len, const char *passphrase, const uint8_t salt[], size_t salt_len, size_t iterations)

Derive a key from a passphrase for a number of iterations using the given PBKDF algorithm, e.g., “PBKDF2(SHA-512)”.

int botan_pbkdf_timed(const char *pbkdf_algo, uint8_t out[], size_t out_len, const char *passphrase, const uint8_t salt[], size_t salt_len, size_t milliseconds_to_run, size_t *out_iterations_used)

Derive a key from a passphrase using the given PBKDF algorithm, e.g., “PBKDF2(SHA-512)”. If out_iterations_used is zero, instead the PBKDF is run until milliseconds_to_run milliseconds have passed. In this case, the number of iterations run will be written to out_iterations_used.

KDF

int botan_kdf(const char *kdf_algo, uint8_t out[], size_t out_len, const uint8_t secret[], size_t secret_len, const uint8_t salt[], size_t salt_len, const uint8_t label[], size_t label_len)

Derive a key using the given KDF algorithm, e.g., “SP800-56C”. The derived key of length out_len bytes will be placed in out.

Multiple Precision Integers

typedef opaque *botan_mp_t

An opaque data type for a multiple precision integer. Don’t mess with it.

int botan_mp_init(botan_mp_t *mp)

Initialize a botan_mp_t. Initial value is zero, use botan_mp_set_X to load a value.

int botan_mp_destroy(botan_mp_t mp)

Free a botan_mp_t

int botan_mp_to_hex(botan_mp_t mp, char *out)

Writes exactly botan_mp_num_bytes(mp)*2 + 1 bytes to out

int botan_mp_to_str(botan_mp_t mp, uint8_t base, char *out, size_t *out_len)

Base can be either 10 or 16.

int botan_mp_set_from_int(botan_mp_t mp, int initial_value)

Set botan_mp_t from an integer value.

int botan_mp_set_from_mp(botan_mp_t dest, botan_mp_t source)

Set botan_mp_t from another MP.

int botan_mp_set_from_str(botan_mp_t dest, const char *str)

Set botan_mp_t from a string. Leading prefix of “0x” is accepted.

int botan_mp_num_bits(botan_mp_t n, size_t *bits)

Return the size of n in bits.

int botan_mp_num_bytes(botan_mp_t n, size_t *uint8_ts)

Return the size of n in bytes.

int botan_mp_to_bin(botan_mp_t mp, uint8_t vec[])

Writes exactly botan_mp_num_bytes(mp) to vec.

int botan_mp_from_bin(botan_mp_t mp, const uint8_t vec[], size_t vec_len)

Loads botan_mp_t from a binary vector (as produced by botan_mp_to_bin).

int botan_mp_is_negative(botan_mp_t mp)

Return 1 if mp is negative, otherwise 0.

int botan_mp_flip_sign(botan_mp_t mp)

Flip the sign of mp.

int botan_mp_add(botan_mp_t result, botan_mp_t x, botan_mp_t y)

Add two botan_mp_t and store the output in result.

int botan_mp_sub(botan_mp_t result, botan_mp_t x, botan_mp_t y)

Subtract two botan_mp_t and store the output in result.

int botan_mp_mul(botan_mp_t result, botan_mp_t x, botan_mp_t y)

Multiply two botan_mp_t and store the output in result.

int botan_mp_div(botan_mp_t quotient, botan_mp_t remainder, botan_mp_t x, botan_mp_t y)

Divide x by y and store the output in quotient and remainder.

int botan_mp_mod_mul(botan_mp_t result, botan_mp_t x, botan_mp_t y, botan_mp_t mod)

Set result to x times y modulo mod.

int botan_mp_equal(botan_mp_t x, botan_mp_t y)

Return 1 if x is equal to y, 0 if x is not equal to y

int botan_mp_is_zero(const botan_mp_t x)

Return 1 if x is equal to zero, otherwise 0.

int botan_mp_is_odd(const botan_mp_t x)

Return 1 if x is odd, otherwise 0.

int botan_mp_is_even(const botan_mp_t x)

Return 1 if x is even, otherwise 0.

int botan_mp_is_positive(const botan_mp_t x)

Return 1 if x is greater than or equal to zero.

int botan_mp_is_negative(const botan_mp_t x)

Return 1 if x is less than zero.

int botan_mp_to_uint32(const botan_mp_t x, uint32_t *val)

If x fits in a 32-bit integer, set val to it and return 0. If x is out of range an error is returned.

int botan_mp_cmp(int *result, botan_mp_t x, botan_mp_t y)

Three way comparison: set result to -1 if x is less than y, 0 if x is equal to y, and 1 if x is greater than y.

int botan_mp_swap(botan_mp_t x, botan_mp_t y)

Swap two botan_mp_t values.

int botan_mp_powmod(botan_mp_t out, botan_mp_t base, botan_mp_t exponent, botan_mp_t modulus)

Modular exponentiation.

int botan_mp_lshift(botan_mp_t out, botan_mp_t in, size_t shift)

Left shift by specified bit count, place result in out.

int botan_mp_rshift(botan_mp_t out, botan_mp_t in, size_t shift)

Right shift by specified bit count, place result in out.

int botan_mp_mod_inverse(botan_mp_t out, botan_mp_t in, botan_mp_t modulus)

Compute modular inverse. If no modular inverse exists (for instance because in and modulus are not relatively prime), then sets out to -1.

int botan_mp_rand_bits(botan_mp_t rand_out, botan_rng_t rng, size_t bits)

Create a random botan_mp_t of the specified bit size.

int botan_mp_rand_range(botan_mp_t rand_out, botan_rng_t rng, botan_mp_t lower_bound, botan_mp_t upper_bound)

Create a random botan_mp_t within the provided range.

int botan_mp_gcd(botan_mp_t out, botan_mp_t x, botan_mp_t y)

Compute the greatest common divisor of x and y.

int botan_mp_is_prime(botan_mp_t n, botan_rng_t rng, size_t test_prob)

Test if n is prime. The algorithm used (Miller-Rabin) is probabilistic, set test_prob to the desired assurance level. For example if test_prob is 64, then sufficient Miller-Rabin iterations will run to assure there is at most a 1/2**64 chance that n is composite.

int botan_mp_get_bit(botan_mp_t n, size_t bit)

Returns 0 if the specified bit of n is not set, 1 if it is set.

int botan_mp_set_bit(botan_mp_t n, size_t bit)

Set the specified bit of n

int botan_mp_clear_bit(botan_mp_t n, size_t bit)

Clears the specified bit of n

Password Hashing

int botan_bcrypt_generate(uint8_t *out, size_t *out_len, const char *password, botan_rng_t rng, size_t work_factor, uint32_t flags)

Create a password hash using Bcrypt. The output buffer out should be of length 64 bytes. The output is formatted bcrypt $2a$…

int botan_bcrypt_is_valid(const char *pass, const char *hash)

Check a previously created password hash. Returns BOTAN_SUCCESS if if this password/hash combination is valid, BOTAN_FFI_INVALID_VERIFIER if the combination is not valid (but otherwise well formed), negative on error.

Public Key Creation, Import and Export

typedef opaque *botan_privkey_t

An opaque data type for a private key. Don’t mess with it.

int botan_privkey_destroy(botan_privkey_t key)

Destroy an object.

int botan_privkey_create(botan_privkey_t *key, const char *algo_name, const char *algo_params, botan_rng_t rng)
int botan_privkey_create_rsa(botan_privkey_t *key, botan_rng_t rng, size_t n_bits)

Create an RSA key of the given size

int botan_privkey_create_ecdsa(botan_privkey_t *key, botan_rng_t rng, const char *curve)

Create a ECDSA key of using a named curve

int botan_privkey_create_ecdh(botan_privkey_t *key, botan_rng_t rng, const char *curve)

Create a ECDH key of using a named curve

int botan_privkey_create_mceliece(botan_privkey_t *key, botan_rng_t rng, size_t n, size_t t)

Create a McEliece key using the specified parameters. See McEliece cryptosystem for details on choosing parameters.

int botan_privkey_create_dh(botan_privkey_t *key, botan_rng_t rng, const char *params)

Create a finite field Diffie-Hellman key using the specified named group, for example “modp/ietf/3072”.

int botan_privkey_load(botan_privkey_t *key, botan_rng_t rng, const uint8_t bits[], size_t len, const char *password)

Load a private key. If the key is encrypted, password will be used to attempt decryption.

int botan_privkey_export(botan_privkey_t key, uint8_t out[], size_t *out_len, uint32_t flags)

Export a private key. If flags is 1 then PEM format is used.

int botan_privkey_view_encrypted_der(botan_privkey_t key, botan_rng_t rng, const char *passphrase, const char *cipher_algo, const char *pbkdf_hash, size_t pbkdf_iterations, botan_view_ctx ctx, botan_view_bin_fn view)

View the encrypted DER private key. In this version the number of PKBDF2 iterations is specified.

Set cipher_algo and pbkdf_hash to NULL to select defaults.

int botan_privkey_view_encrypted_der_timed(botan_privkey_t key, botan_rng_t rng, const char *passphrase, const char *cipher_algo, const char *pbkdf_hash, size_t pbkdf_runtime_msec, botan_view_ctx ctx, botan_view_bin_fn view)

View the encrypted DER private key. In this version the desired PBKDF runtime is specified in milliseconds.

Set cipher_algo and pbkdf_hash to NULL to select defaults.

int botan_privkey_view_encrypted_pem(botan_privkey_t key, botan_rng_t rng, const char *passphrase, const char *cipher_algo, const char *pbkdf_hash, size_t pbkdf_iterations, botan_view_ctx ctx, botan_view_str_fn view)

View the encrypted PEM private key. In this version the number of PKBDF2 iterations is specified.

Set cipher_algo and pbkdf_hash to NULL to select defaults.

int botan_privkey_view_encrypted_pem_timed(botan_privkey_t key, botan_rng_t rng, const char *passphrase, const char *cipher_algo, const char *pbkdf_hash, size_t pbkdf_runtime_msec, botan_view_ctx ctx, botan_view_str_fn view)

View the encrypted PEM private key. In this version the desired PBKDF runtime is specified in milliseconds.

Set cipher_algo and pbkdf_hash to NULL to select defaults.

int botan_privkey_view_der(botan_privkey_t key, botan_view_ctx ctx, botan_view_bin_fn view)

View the unencrypted DER encoding of the private key

int botan_privkey_view_pem(botan_privkey_t key, botan_view_ctx ctx, botan_view_str_fn view)

View the unencrypted PEM encoding of the private key

int botan_privkey_export_encrypted(botan_privkey_t key, uint8_t out[], size_t *out_len, botan_rng_t rng, const char *passphrase, const char *encryption_algo, uint32_t flags)

Deprecated, use botan_privkey_export_encrypted_msec or botan_privkey_export_encrypted_iter

int botan_privkey_export_pubkey(botan_pubkey_t *out, botan_privkey_t in)
int botan_privkey_get_field(botan_mp_t output, botan_privkey_t key, const char *field_name)

Read an algorithm specific field from the private key object, placing it into output. For example “p” or “q” for RSA keys, or “x” for DSA keys or ECC keys.

typedef opaque *botan_pubkey_t

An opaque data type for a public key. Don’t mess with it.

int botan_pubkey_load(botan_pubkey_t *key, const uint8_t bits[], size_t len)
int botan_pubkey_export(botan_pubkey_t key, uint8_t out[], size_t *out_len, uint32_t flags)
int botan_pubkey_view_der(botan_pubkey_t key, botan_view_ctx ctx, botan_view_bin_fn view)

View the DER encoding of the public key

int botan_pubkey_view_pem(botan_pubkey_t key, botan_view_ctx ctx, botan_view_str_fn view)

View the PEM encoding of the public key

int botan_pubkey_algo_name(botan_pubkey_t key, char out[], size_t *out_len)
int botan_pubkey_estimated_strength(botan_pubkey_t key, size_t *estimate)
int botan_pubkey_fingerprint(botan_pubkey_t key, const char *hash, uint8_t out[], size_t *out_len)
int botan_pubkey_destroy(botan_pubkey_t key)
int botan_pubkey_get_field(botan_mp_t output, botan_pubkey_t key, const char *field_name)

Read an algorithm specific field from the public key object, placing it into output. For example “n” or “e” for RSA keys or “p”, “q”, “g”, and “y” for DSA keys.

RSA specific functions

Note

These functions are deprecated. Instead use botan_privkey_get_field and botan_pubkey_get_field.

int botan_privkey_rsa_get_p(botan_mp_t p, botan_privkey_t rsa_key)

Set p to the first RSA prime.

int botan_privkey_rsa_get_q(botan_mp_t q, botan_privkey_t rsa_key)

Set q to the second RSA prime.

int botan_privkey_rsa_get_d(botan_mp_t d, botan_privkey_t rsa_key)

Set d to the RSA private exponent.

int botan_privkey_rsa_get_n(botan_mp_t n, botan_privkey_t rsa_key)

Set n to the RSA modulus.

int botan_privkey_rsa_get_e(botan_mp_t e, botan_privkey_t rsa_key)

Set e to the RSA public exponent.

int botan_pubkey_rsa_get_e(botan_mp_t e, botan_pubkey_t rsa_key)

Set e to the RSA public exponent.

int botan_pubkey_rsa_get_n(botan_mp_t n, botan_pubkey_t rsa_key)

Set n to the RSA modulus.

int botan_privkey_load_rsa(botan_privkey_t *key, botan_mp_t p, botan_mp_t q, botan_mp_t e)

Initialize a private RSA key using parameters p, q, and e.

int botan_pubkey_load_rsa(botan_pubkey_t *key, botan_mp_t n, botan_mp_t e)

Initialize a public RSA key using parameters n and e.

DSA specific functions

int botan_privkey_load_dsa(botan_privkey_t *key, botan_mp_t p, botan_mp_t q, botan_mp_t g, botan_mp_t x)

Initialize a private DSA key using group parameters p, q, and g and private key x.

int botan_pubkey_load_dsa(botan_pubkey_t *key, botan_mp_t p, botan_mp_t q, botan_mp_t g, botan_mp_t y)

Initialize a private DSA key using group parameters p, q, and g and public key y.

ElGamal specific functions

int botan_privkey_load_elgamal(botan_privkey_t *key, botan_mp_t p, botan_mp_t g, botan_mp_t x)

Initialize a private ElGamal key using group parameters p and g and private key x.

int botan_pubkey_load_elgamal(botan_pubkey_t *key, botan_mp_t p, botan_mp_t g, botan_mp_t y)

Initialize a public ElGamal key using group parameters p and g and public key y.

Diffie-Hellman specific functions

int botan_privkey_load_dh(botan_privkey_t *key, botan_mp_t p, botan_mp_t g, botan_mp_t x)

Initialize a private Diffie-Hellman key using group parameters p and g and private key x.

int botan_pubkey_load_dh(botan_pubkey_t *key, botan_mp_t p, botan_mp_t g, botan_mp_t y)

Initialize a public Diffie-Hellman key using group parameters p and g and public key y.

Public Key Encryption/Decryption

typedef opaque *botan_pk_op_encrypt_t

An opaque data type for an encryption operation. Don’t mess with it.

int botan_pk_op_encrypt_create(botan_pk_op_encrypt_t *op, botan_pubkey_t key, const char *padding, uint32_t flags)

Create a new operation object which can be used to encrypt using the provided key and the specified padding scheme (such as “OAEP(SHA-256)” for use with RSA). Flags should be 0 in this version.

int botan_pk_op_encrypt_destroy(botan_pk_op_encrypt_t op)

Destroy the object.

int botan_pk_op_encrypt_output_length(botan_pk_op_encrypt_t op, size_t ptext_len, size_t *ctext_len)

Returns an upper bound on the output length if a plaintext of length ptext_len is encrypted with this key/parameter setting. This allows correctly sizing the buffer that is passed to botan_pk_op_encrypt.

int botan_pk_op_encrypt(botan_pk_op_encrypt_t op, botan_rng_t rng, uint8_t out[], size_t *out_len, const uint8_t plaintext[], size_t plaintext_len)

Encrypt the provided data using the key, placing the output in out. If out is NULL, writes the length of what the ciphertext would have been to *out_len. However this is computationally expensive (the encryption actually occurs, then the result is discarded), so it is better to use botan_pk_op_encrypt_output_length to correctly size the buffer.

typedef opaque *botan_pk_op_decrypt_t

An opaque data type for a decryption operation. Don’t mess with it.

int botan_pk_op_decrypt_create(botan_pk_op_decrypt_t *op, botan_privkey_t key, const char *padding, uint32_t flags)
int botan_pk_op_decrypt_destroy(botan_pk_op_decrypt_t op)
int botan_pk_op_decrypt_output_length(botan_pk_op_decrypt_t op, size_t ctext_len, size_t *ptext_len)

For a given ciphertext length, returns the upper bound on the size of the plaintext that might be enclosed. This allows properly sizing the output buffer passed to botan_pk_op_decrypt.

int botan_pk_op_decrypt(botan_pk_op_decrypt_t op, uint8_t out[], size_t *out_len, uint8_t ciphertext[], size_t ciphertext_len)

Signature Generation

typedef opaque *botan_pk_op_sign_t

An opaque data type for a signature generation operation. Don’t mess with it.

int botan_pk_op_sign_create(botan_pk_op_sign_t *op, botan_privkey_t key, const char *hash_and_padding, uint32_t flags)

Create a signature operator for the provided key. The padding string specifies what hash function and padding should be used, for example “PKCS1v15(SHA-256)” for PKCS #1 v1.5 padding (used with RSA) or “SHA-384”. Generally speaking only RSA has special padding modes; for other algorithms like ECDSA one just names the hash.

int botan_pk_op_sign_destroy(botan_pk_op_sign_t op)

Destroy an object created by botan_pk_op_sign_create.

int botan_pk_op_sign_output_length(botan_pk_op_sign_t op, size_t *sig_len)

Writes the length of the signatures that this signer will produce. This allows properly sizing the buffer passed to botan_pk_op_sign_finish.

int botan_pk_op_sign_update(botan_pk_op_sign_t op, const uint8_t in[], size_t in_len)

Add bytes of the message to be signed.

int botan_pk_op_sign_finish(botan_pk_op_sign_t op, botan_rng_t rng, uint8_t sig[], size_t *sig_len)

Produce a signature over all of the bytes passed to botan_pk_op_sign_update. Afterwards, the sign operator is reset and may be used to sign a new message.

Signature Verification

typedef opaque *botan_pk_op_verify_t

An opaque data type for a signature verification operation. Don’t mess with it.

int botan_pk_op_verify_create(botan_pk_op_verify_t *op, botan_pubkey_t key, const char *hash_and_padding, uint32_t flags)
int botan_pk_op_verify_destroy(botan_pk_op_verify_t op)
int botan_pk_op_verify_update(botan_pk_op_verify_t op, const uint8_t in[], size_t in_len)

Add bytes of the message to be verified

int botan_pk_op_verify_finish(botan_pk_op_verify_t op, const uint8_t sig[], size_t sig_len)

Verify if the signature provided matches with the message provided as calls to botan_pk_op_verify_update.

Key Agreement

typedef opaque *botan_pk_op_ka_t

An opaque data type for a key agreement operation. Don’t mess with it.

int botan_pk_op_key_agreement_create(botan_pk_op_ka_t *op, botan_privkey_t key, const char *kdf, uint32_t flags)
int botan_pk_op_key_agreement_destroy(botan_pk_op_ka_t op)
int botan_pk_op_key_agreement_export_public(botan_privkey_t key, uint8_t out[], size_t *out_len)
int botan_pk_op_key_agreement_view_public(botan_privkey_t key, botan_view_ctx ctx, botan_view_bin_fn view)
int botan_pk_op_key_agreement(botan_pk_op_ka_t op, uint8_t out[], size_t *out_len, const uint8_t other_key[], size_t other_key_len, const uint8_t salt[], size_t salt_len)

Public Key Encapsulation

New in version 3.0.0.

typedef opaque *botan_pk_op_kem_encrypt_t

An opaque data type for a KEM operation. Don’t mess with it.

int botan_pk_op_kem_encrypt_create(botan_pk_op_kem_encrypt_t *op, botan_pubkey_t key, const char *kdf)

Create a KEM operation, encrypt version

int botan_pk_op_kem_encrypt_destroy(botan_pk_op_kem_encrypt_t op)

Destroy the operation, freeing memory

int botan_pk_op_kem_encrypt_shared_key_length(botan_pk_op_kem_encrypt_t op, size_t desired_shared_key_length, size_t *output_shared_key_length)

Return the output shared key length, assuming desired_shared_key_length is provided.

Note

Normally this will just return desired_shared_key_length but may return a different value if a “raw” KDF is used (returning the unhashed output), or potentially depending on KDF limitations.

int botan_pk_op_kem_encrypt_encapsulated_key_length(botan_pk_op_kem_encrypt_t op, size_t *output_encapsulated_key_length)

Return the length of the encapsulated key

int botan_pk_op_kem_encrypt_create_shared_key(botan_pk_op_kem_encrypt_t op, botan_rng_t rng, const uint8_t salt[], size_t salt_len, size_t desired_shared_key_len, uint8_t shared_key[], size_t *shared_key_len, uint8_t encapsulated_key[], size_t *encapsulated_key_len)

Create a new encapsulated key. Use the length query functions beforehand to correctly size the output buffers, otherwise an error will be returned.

typedef opaque *botan_pk_op_kem_decrypt_t

An opaque data type for a KEM operation. Don’t mess with it.

int botan_pk_op_kem_decrypt_create(botan_pk_op_kem_decrypt_t *op, botan_pubkey_t key, const char *kdf)

Create a KEM operation, decrypt version

int botan_pk_op_kem_decrypt_shared_key_length(botan_pk_op_kem_decrypt_t op, size_t desired_shared_key_length, size_t *output_shared_key_length)

See botan_pk_op_kem_encrypt_shared_key_length

int botan_pk_op_kem_decrypt_shared_key(botan_pk_op_kem_decrypt_t op, const uint8_t salt[], size_t salt_len, const uint8_t encapsulated_key[], size_t encapsulated_key_len, size_t desired_shared_key_len, uint8_t shared_key[], size_t *shared_key_len)

Decrypt an encapsulated key and return the shared secret

int botan_pk_op_kem_decrypt_destroy(botan_pk_op_kem_decrypt_t op)

Destroy the operation, freeing memory

X.509 Certificates

typedef opaque *botan_x509_cert_t

An opaque data type for an X.509 certificate. Don’t mess with it.

int botan_x509_cert_load(botan_x509_cert_t *cert_obj, const uint8_t cert[], size_t cert_len)

Load a certificate from the DER or PEM representation

int botan_x509_cert_load_file(botan_x509_cert_t *cert_obj, const char *filename)

Load a certificate from a file.

int botan_x509_cert_dup(botan_x509_cert_t *cert_obj, botan_x509_cert_t cert)

Create a new object that refers to the same certificate.

int botan_x509_cert_destroy(botan_x509_cert_t cert)

Destroy the certificate object

int botan_x509_cert_gen_selfsigned(botan_x509_cert_t *cert, botan_privkey_t key, botan_rng_t rng, const char *common_name, const char *org_name)
int botan_x509_cert_get_time_starts(botan_x509_cert_t cert, char out[], size_t *out_len)

Return the time the certificate becomes valid, as a string in form “YYYYMMDDHHMMSSZ” where Z is a literal character reflecting that this time is relative to UTC. Prefer botan_x509_cert_not_before.

int botan_x509_cert_get_time_expires(botan_x509_cert_t cert, char out[], size_t *out_len)

Return the time the certificate expires, as a string in form “YYYYMMDDHHMMSSZ” where Z is a literal character reflecting that this time is relative to UTC. Prefer botan_x509_cert_not_after.

int botan_x509_cert_not_before(botan_x509_cert_t cert, uint64_t *time_since_epoch)

Return the time the certificate becomes valid, as seconds since epoch.

int botan_x509_cert_not_after(botan_x509_cert_t cert, uint64_t *time_since_epoch)

Return the time the certificate expires, as seconds since epoch.

int botan_x509_cert_get_fingerprint(botan_x509_cert_t cert, const char *hash, uint8_t out[], size_t *out_len)
int botan_x509_cert_get_serial_number(botan_x509_cert_t cert, uint8_t out[], size_t *out_len)

Return the serial number of the certificate.

int botan_x509_cert_get_authority_key_id(botan_x509_cert_t cert, uint8_t out[], size_t *out_len)

Return the authority key ID set in the certificate, which may be empty.

int botan_x509_cert_get_subject_key_id(botan_x509_cert_t cert, uint8_t out[], size_t *out_len)

Return the subject key ID set in the certificate, which may be empty.

int botan_x509_cert_get_public_key_bits(botan_x509_cert_t cert, uint8_t out[], size_t *out_len)

Get the serialized (DER) representation of the public key included in this certificate

int botan_x509_cert_view_public_key_bits(botan_x509_cert_t cert, botan_view_ctx ctx, botan_view_bin_fn view)

View the serialized (DER) representation of the public key included in this certificate

int botan_x509_cert_get_public_key(botan_x509_cert_t cert, botan_pubkey_t *key)

Get the public key included in this certificate as a newly allocated object

int botan_x509_cert_get_issuer_dn(botan_x509_cert_t cert, const char *key, size_t index, uint8_t out[], size_t *out_len)

Get a value from the issuer DN field.

int botan_x509_cert_get_subject_dn(botan_x509_cert_t cert, const char *key, size_t index, uint8_t out[], size_t *out_len)

Get a value from the subject DN field.

int botan_x509_cert_to_string(botan_x509_cert_t cert, char out[], size_t *out_len)

Format the certificate as a free-form string.

int botan_x509_cert_view_as_string(botan_x509_cert_t cert, botan_view_ctx ctx, botan_view_str_fn view)

View the certificate as a free-form string.

enum botan_x509_cert_key_constraints

Certificate key usage constraints. Allowed values: NO_CONSTRAINTS, DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, DATA_ENCIPHERMENT, KEY_AGREEMENT, KEY_CERT_SIGN, CRL_SIGN, ENCIPHER_ONLY, DECIPHER_ONLY.

int botan_x509_cert_allowed_usage(botan_x509_cert_t cert, unsigned int key_usage)
int botan_x509_cert_verify(int *validation_result, botan_x509_cert_t cert, const botan_x509_cert_t *intermediates, size_t intermediates_len, const botan_x509_cert_t *trusted, size_t trusted_len, const char *trusted_path, size_t required_strength, const char *hostname, uint64_t reference_time)

Verify a certificate. Returns 0 if validation was successful, 1 if unsuccessful, or negative on error.

Sets validation_result to a code that provides more information.

If not needed, set intermediates to NULL and intermediates_len to zero.

If not needed, set trusted to NULL and trusted_len to zero.

The trusted_path refers to a directory where one or more trusted CA certificates are stored. It may be NULL if not needed.

Set required_strength to indicate the minimum key and hash strength that is allowed. For instance setting to 80 allows 1024-bit RSA and SHA-1. Setting to 110 requires 2048-bit RSA and SHA-256 or higher. Set to zero to accept a default.

Set reference_time to be the time which the certificate chain is validated against. Use zero to use the current system clock.

int botan_x509_cert_verify_with_crl(int *validation_result, botan_x509_cert_t cert, const botan_x509_cert_t *intermediates, size_t intermediates_len, const botan_x509_cert_t *trusted, size_t trusted_len, const botan_x509_crl_t *crls, size_t crls_len, const char *trusted_path, size_t required_strength, const char *hostname, uint64_t reference_time)

Certificate path validation supporting Certificate Revocation Lists.

Works the same as botan_x509_cert_cerify.

crls is an array of botan_x509_crl_t objects, crls_len is its length.

const char *botan_x509_cert_validation_status(int code)

Return a (statically allocated) string associated with the verification result, or NULL if the code is not known.

X.509 Certificate Revocation Lists

typedef opaque *botan_x509_crl_t

An opaque data type for an X.509 CRL.

int botan_x509_crl_load(botan_x509_crl_t *crl_obj, const uint8_t crl[], size_t crl_len)

Load a CRL from the DER or PEM representation.

int botan_x509_crl_load_file(botan_x509_crl_t *crl_obj, const char *filename)

Load a CRL from a file.

int botan_x509_crl_destroy(botan_x509_crl_t crl)

Destroy the CRL object.

int botan_x509_is_revoked(botan_x509_crl_t crl, botan_x509_cert_t cert)

Check whether a given crl contains a given cert. Return 0 when the certificate is revoked, -1 otherwise.

ZFEC (Forward Error Correction)

New in version 3.0.0.

int botan_zfec_encode(size_t K, size_t N, const uint8_t *input, size_t size, uint8_t **outputs)

Perform forward error correction encoding. The input length must be a multiple of K bytes. The outputs parameter must point to N output buffers, each of length size / K.

Any K of the N output shares is sufficient to recover the original input.

int botan_zfec_decode(size_t K, size_t N, const size_t *indexes, uint8_t *const *const inputs, size_t shareSize, uint8_t **outputs)

Decode some FEC shares. The indexes and inputs must be exactly K in length. The indexes array specifies which shares are presented in inputs. Each input must be of length shareSize. The output is written to the K buffers in outputs, each buffer must be shareSize long.