1 /*
2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <limits.h>
12 #include <assert.h>
13 #include "internal/cryptlib.h"
14 #include <openssl/evp.h>
15 #include <openssl/err.h>
16 #include <openssl/rand.h>
17 #include <openssl/rand_drbg.h>
18 #include <openssl/engine.h>
19 #include "crypto/evp.h"
20 #include "evp_local.h"
21
EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX * c)22 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
23 {
24 if (c == NULL)
25 return 1;
26 if (c->cipher != NULL) {
27 if (c->cipher->cleanup && !c->cipher->cleanup(c))
28 return 0;
29 /* Cleanse cipher context data */
30 if (c->cipher_data && c->cipher->ctx_size)
31 OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
32 }
33 OPENSSL_free(c->cipher_data);
34 #ifndef OPENSSL_NO_ENGINE
35 ENGINE_finish(c->engine);
36 #endif
37 memset(c, 0, sizeof(*c));
38 return 1;
39 }
40
EVP_CIPHER_CTX_new(void)41 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
42 {
43 return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
44 }
45
EVP_CIPHER_CTX_free(EVP_CIPHER_CTX * ctx)46 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
47 {
48 EVP_CIPHER_CTX_reset(ctx);
49 OPENSSL_free(ctx);
50 }
51
EVP_CipherInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,int enc)52 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
53 const unsigned char *key, const unsigned char *iv, int enc)
54 {
55 if (cipher != NULL)
56 EVP_CIPHER_CTX_reset(ctx);
57 return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc);
58 }
59
EVP_CipherInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv,int enc)60 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
61 ENGINE *impl, const unsigned char *key,
62 const unsigned char *iv, int enc)
63 {
64 if (enc == -1)
65 enc = ctx->encrypt;
66 else {
67 if (enc)
68 enc = 1;
69 ctx->encrypt = enc;
70 }
71 #ifndef OPENSSL_NO_ENGINE
72 /*
73 * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
74 * this context may already have an ENGINE! Try to avoid releasing the
75 * previous handle, re-querying for an ENGINE, and having a
76 * reinitialisation, when it may all be unnecessary.
77 */
78 if (ctx->engine && ctx->cipher
79 && (cipher == NULL || cipher->nid == ctx->cipher->nid))
80 goto skip_to_init;
81 #endif
82 if (cipher) {
83 /*
84 * Ensure a context left lying around from last time is cleared (the
85 * previous check attempted to avoid this if the same ENGINE and
86 * EVP_CIPHER could be used).
87 */
88 if (ctx->cipher
89 #ifndef OPENSSL_NO_ENGINE
90 || ctx->engine
91 #endif
92 || ctx->cipher_data) {
93 unsigned long flags = ctx->flags;
94 EVP_CIPHER_CTX_reset(ctx);
95 /* Restore encrypt and flags */
96 ctx->encrypt = enc;
97 ctx->flags = flags;
98 }
99 #ifndef OPENSSL_NO_ENGINE
100 if (impl) {
101 if (!ENGINE_init(impl)) {
102 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
103 return 0;
104 }
105 } else
106 /* Ask if an ENGINE is reserved for this job */
107 impl = ENGINE_get_cipher_engine(cipher->nid);
108 if (impl) {
109 /* There's an ENGINE for this job ... (apparently) */
110 const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
111 if (!c) {
112 ENGINE_finish(impl);
113 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
114 return 0;
115 }
116 /* We'll use the ENGINE's private cipher definition */
117 cipher = c;
118 /*
119 * Store the ENGINE functional reference so we know 'cipher' came
120 * from an ENGINE and we need to release it when done.
121 */
122 ctx->engine = impl;
123 } else
124 ctx->engine = NULL;
125 #endif
126
127 ctx->cipher = cipher;
128 if (ctx->cipher->ctx_size) {
129 ctx->cipher_data = OPENSSL_zalloc(ctx->cipher->ctx_size);
130 if (ctx->cipher_data == NULL) {
131 ctx->cipher = NULL;
132 EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
133 return 0;
134 }
135 } else {
136 ctx->cipher_data = NULL;
137 }
138 ctx->key_len = cipher->key_len;
139 /* Preserve wrap enable flag, zero everything else */
140 ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
141 if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
142 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
143 ctx->cipher = NULL;
144 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
145 return 0;
146 }
147 }
148 } else if (!ctx->cipher) {
149 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_NO_CIPHER_SET);
150 return 0;
151 }
152 #ifndef OPENSSL_NO_ENGINE
153 skip_to_init:
154 #endif
155 /* we assume block size is a power of 2 in *cryptUpdate */
156 OPENSSL_assert(ctx->cipher->block_size == 1
157 || ctx->cipher->block_size == 8
158 || ctx->cipher->block_size == 16);
159
160 if (!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
161 && EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE) {
162 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_WRAP_MODE_NOT_ALLOWED);
163 return 0;
164 }
165
166 if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_CUSTOM_IV)) {
167 switch (EVP_CIPHER_CTX_mode(ctx)) {
168
169 case EVP_CIPH_STREAM_CIPHER:
170 case EVP_CIPH_ECB_MODE:
171 break;
172
173 case EVP_CIPH_CFB_MODE:
174 case EVP_CIPH_OFB_MODE:
175
176 ctx->num = 0;
177 /* fall-through */
178
179 case EVP_CIPH_CBC_MODE:
180
181 OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <=
182 (int)sizeof(ctx->iv));
183 if (iv)
184 memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));
185 memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
186 break;
187
188 case EVP_CIPH_CTR_MODE:
189 ctx->num = 0;
190 /* Don't reuse IV for CTR mode */
191 if (iv)
192 memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
193 break;
194
195 default:
196 return 0;
197 }
198 }
199
200 if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
201 if (!ctx->cipher->init(ctx, key, iv, enc))
202 return 0;
203 }
204 ctx->buf_len = 0;
205 ctx->final_used = 0;
206 ctx->block_mask = ctx->cipher->block_size - 1;
207 return 1;
208 }
209
EVP_CipherUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)210 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
211 const unsigned char *in, int inl)
212 {
213 if (ctx->encrypt)
214 return EVP_EncryptUpdate(ctx, out, outl, in, inl);
215 else
216 return EVP_DecryptUpdate(ctx, out, outl, in, inl);
217 }
218
EVP_CipherFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)219 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
220 {
221 if (ctx->encrypt)
222 return EVP_EncryptFinal_ex(ctx, out, outl);
223 else
224 return EVP_DecryptFinal_ex(ctx, out, outl);
225 }
226
EVP_CipherFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)227 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
228 {
229 if (ctx->encrypt)
230 return EVP_EncryptFinal(ctx, out, outl);
231 else
232 return EVP_DecryptFinal(ctx, out, outl);
233 }
234
EVP_EncryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)235 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
236 const unsigned char *key, const unsigned char *iv)
237 {
238 return EVP_CipherInit(ctx, cipher, key, iv, 1);
239 }
240
EVP_EncryptInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv)241 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
242 ENGINE *impl, const unsigned char *key,
243 const unsigned char *iv)
244 {
245 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1);
246 }
247
EVP_DecryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)248 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
249 const unsigned char *key, const unsigned char *iv)
250 {
251 return EVP_CipherInit(ctx, cipher, key, iv, 0);
252 }
253
EVP_DecryptInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv)254 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
255 ENGINE *impl, const unsigned char *key,
256 const unsigned char *iv)
257 {
258 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
259 }
260
261 /*
262 * According to the letter of standard difference between pointers
263 * is specified to be valid only within same object. This makes
264 * it formally challenging to determine if input and output buffers
265 * are not partially overlapping with standard pointer arithmetic.
266 */
267 #ifdef PTRDIFF_T
268 # undef PTRDIFF_T
269 #endif
270 #if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64
271 /*
272 * Then we have VMS that distinguishes itself by adhering to
273 * sizeof(size_t)==4 even in 64-bit builds, which means that
274 * difference between two pointers might be truncated to 32 bits.
275 * In the context one can even wonder how comparison for
276 * equality is implemented. To be on the safe side we adhere to
277 * PTRDIFF_T even for comparison for equality.
278 */
279 # define PTRDIFF_T uint64_t
280 #else
281 # define PTRDIFF_T size_t
282 #endif
283
is_partially_overlapping(const void * ptr1,const void * ptr2,size_t len)284 int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len)
285 {
286 PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;
287 /*
288 * Check for partially overlapping buffers. [Binary logical
289 * operations are used instead of boolean to minimize number
290 * of conditional branches.]
291 */
292 int overlapped = (len > 0) & (diff != 0) & ((diff < (PTRDIFF_T)len) |
293 (diff > (0 - (PTRDIFF_T)len)));
294
295 return overlapped;
296 }
297
evp_EncryptDecryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)298 static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
299 unsigned char *out, int *outl,
300 const unsigned char *in, int inl)
301 {
302 int i, j, bl;
303 size_t cmpl = (size_t)inl;
304
305 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
306 cmpl = (cmpl + 7) / 8;
307
308 bl = ctx->cipher->block_size;
309
310 /*
311 * CCM mode needs to know about the case where inl == 0 && in == NULL - it
312 * means the plaintext/ciphertext length is 0
313 */
314 if (inl < 0
315 || (inl == 0
316 && EVP_CIPHER_mode(ctx->cipher) != EVP_CIPH_CCM_MODE)) {
317 *outl = 0;
318 return inl == 0;
319 }
320
321 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
322 /* If block size > 1 then the cipher will have to do this check */
323 if (bl == 1 && is_partially_overlapping(out, in, cmpl)) {
324 EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
325 return 0;
326 }
327
328 i = ctx->cipher->do_cipher(ctx, out, in, inl);
329 if (i < 0)
330 return 0;
331 else
332 *outl = i;
333 return 1;
334 }
335
336 if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
337 EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
338 return 0;
339 }
340
341 if (ctx->buf_len == 0 && (inl & (ctx->block_mask)) == 0) {
342 if (ctx->cipher->do_cipher(ctx, out, in, inl)) {
343 *outl = inl;
344 return 1;
345 } else {
346 *outl = 0;
347 return 0;
348 }
349 }
350 i = ctx->buf_len;
351 OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
352 if (i != 0) {
353 if (bl - i > inl) {
354 memcpy(&(ctx->buf[i]), in, inl);
355 ctx->buf_len += inl;
356 *outl = 0;
357 return 1;
358 } else {
359 j = bl - i;
360
361 /*
362 * Once we've processed the first j bytes from in, the amount of
363 * data left that is a multiple of the block length is:
364 * (inl - j) & ~(bl - 1)
365 * We must ensure that this amount of data, plus the one block that
366 * we process from ctx->buf does not exceed INT_MAX
367 */
368 if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
369 EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE,
370 EVP_R_OUTPUT_WOULD_OVERFLOW);
371 return 0;
372 }
373 memcpy(&(ctx->buf[i]), in, j);
374 inl -= j;
375 in += j;
376 if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl))
377 return 0;
378 out += bl;
379 *outl = bl;
380 }
381 } else
382 *outl = 0;
383 i = inl & (bl - 1);
384 inl -= i;
385 if (inl > 0) {
386 if (!ctx->cipher->do_cipher(ctx, out, in, inl))
387 return 0;
388 *outl += inl;
389 }
390
391 if (i != 0)
392 memcpy(ctx->buf, &(in[inl]), i);
393 ctx->buf_len = i;
394 return 1;
395 }
396
397
EVP_EncryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)398 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
399 const unsigned char *in, int inl)
400 {
401 /* Prevent accidental use of decryption context when encrypting */
402 if (!ctx->encrypt) {
403 EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION);
404 return 0;
405 }
406
407 return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
408 }
409
EVP_EncryptFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)410 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
411 {
412 int ret;
413 ret = EVP_EncryptFinal_ex(ctx, out, outl);
414 return ret;
415 }
416
EVP_EncryptFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)417 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
418 {
419 int n, ret;
420 unsigned int i, b, bl;
421
422 /* Prevent accidental use of decryption context when encrypting */
423 if (!ctx->encrypt) {
424 EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
425 return 0;
426 }
427
428 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
429 ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
430 if (ret < 0)
431 return 0;
432 else
433 *outl = ret;
434 return 1;
435 }
436
437 b = ctx->cipher->block_size;
438 OPENSSL_assert(b <= sizeof(ctx->buf));
439 if (b == 1) {
440 *outl = 0;
441 return 1;
442 }
443 bl = ctx->buf_len;
444 if (ctx->flags & EVP_CIPH_NO_PADDING) {
445 if (bl) {
446 EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX,
447 EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
448 return 0;
449 }
450 *outl = 0;
451 return 1;
452 }
453
454 n = b - bl;
455 for (i = bl; i < b; i++)
456 ctx->buf[i] = n;
457 ret = ctx->cipher->do_cipher(ctx, out, ctx->buf, b);
458
459 if (ret)
460 *outl = b;
461
462 return ret;
463 }
464
EVP_DecryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)465 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
466 const unsigned char *in, int inl)
467 {
468 int fix_len;
469 unsigned int b;
470 size_t cmpl = (size_t)inl;
471
472 /* Prevent accidental use of encryption context when decrypting */
473 if (ctx->encrypt) {
474 EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION);
475 return 0;
476 }
477
478 b = ctx->cipher->block_size;
479
480 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
481 cmpl = (cmpl + 7) / 8;
482
483 /*
484 * CCM mode needs to know about the case where inl == 0 - it means the
485 * plaintext/ciphertext length is 0
486 */
487 if (inl < 0
488 || (inl == 0
489 && EVP_CIPHER_mode(ctx->cipher) != EVP_CIPH_CCM_MODE)) {
490 *outl = 0;
491 return inl == 0;
492 }
493
494 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
495 if (b == 1 && is_partially_overlapping(out, in, cmpl)) {
496 EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
497 return 0;
498 }
499
500 fix_len = ctx->cipher->do_cipher(ctx, out, in, inl);
501 if (fix_len < 0) {
502 *outl = 0;
503 return 0;
504 } else
505 *outl = fix_len;
506 return 1;
507 }
508
509 if (ctx->flags & EVP_CIPH_NO_PADDING)
510 return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
511
512 OPENSSL_assert(b <= sizeof(ctx->final));
513
514 if (ctx->final_used) {
515 /* see comment about PTRDIFF_T comparison above */
516 if (((PTRDIFF_T)out == (PTRDIFF_T)in)
517 || is_partially_overlapping(out, in, b)) {
518 EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
519 return 0;
520 }
521 /*
522 * final_used is only ever set if buf_len is 0. Therefore the maximum
523 * length output we will ever see from evp_EncryptDecryptUpdate is
524 * the maximum multiple of the block length that is <= inl, or just:
525 * inl & ~(b - 1)
526 * Since final_used has been set then the final output length is:
527 * (inl & ~(b - 1)) + b
528 * This must never exceed INT_MAX
529 */
530 if ((inl & ~(b - 1)) > INT_MAX - b) {
531 EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);
532 return 0;
533 }
534 memcpy(out, ctx->final, b);
535 out += b;
536 fix_len = 1;
537 } else
538 fix_len = 0;
539
540 if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl))
541 return 0;
542
543 /*
544 * if we have 'decrypted' a multiple of block size, make sure we have a
545 * copy of this last block
546 */
547 if (b > 1 && !ctx->buf_len) {
548 *outl -= b;
549 ctx->final_used = 1;
550 memcpy(ctx->final, &out[*outl], b);
551 } else
552 ctx->final_used = 0;
553
554 if (fix_len)
555 *outl += b;
556
557 return 1;
558 }
559
EVP_DecryptFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)560 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
561 {
562 int ret;
563 ret = EVP_DecryptFinal_ex(ctx, out, outl);
564 return ret;
565 }
566
EVP_DecryptFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)567 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
568 {
569 int i, n;
570 unsigned int b;
571
572 /* Prevent accidental use of encryption context when decrypting */
573 if (ctx->encrypt) {
574 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
575 return 0;
576 }
577
578 *outl = 0;
579
580 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
581 i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
582 if (i < 0)
583 return 0;
584 else
585 *outl = i;
586 return 1;
587 }
588
589 b = ctx->cipher->block_size;
590 if (ctx->flags & EVP_CIPH_NO_PADDING) {
591 if (ctx->buf_len) {
592 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,
593 EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
594 return 0;
595 }
596 *outl = 0;
597 return 1;
598 }
599 if (b > 1) {
600 if (ctx->buf_len || !ctx->final_used) {
601 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_WRONG_FINAL_BLOCK_LENGTH);
602 return 0;
603 }
604 OPENSSL_assert(b <= sizeof(ctx->final));
605
606 /*
607 * The following assumes that the ciphertext has been authenticated.
608 * Otherwise it provides a padding oracle.
609 */
610 n = ctx->final[b - 1];
611 if (n == 0 || n > (int)b) {
612 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
613 return 0;
614 }
615 for (i = 0; i < n; i++) {
616 if (ctx->final[--b] != n) {
617 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
618 return 0;
619 }
620 }
621 n = ctx->cipher->block_size - n;
622 for (i = 0; i < n; i++)
623 out[i] = ctx->final[i];
624 *outl = n;
625 } else
626 *outl = 0;
627 return 1;
628 }
629
EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX * c,int keylen)630 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
631 {
632 if (c->cipher->flags & EVP_CIPH_CUSTOM_KEY_LENGTH)
633 return EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_KEY_LENGTH, keylen, NULL);
634 if (c->key_len == keylen)
635 return 1;
636 if ((keylen > 0) && (c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) {
637 c->key_len = keylen;
638 return 1;
639 }
640 EVPerr(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH, EVP_R_INVALID_KEY_LENGTH);
641 return 0;
642 }
643
EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX * ctx,int pad)644 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
645 {
646 if (pad)
647 ctx->flags &= ~EVP_CIPH_NO_PADDING;
648 else
649 ctx->flags |= EVP_CIPH_NO_PADDING;
650 return 1;
651 }
652
EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX * ctx,int type,int arg,void * ptr)653 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
654 {
655 int ret;
656
657 if (!ctx->cipher) {
658 EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET);
659 return 0;
660 }
661
662 if (!ctx->cipher->ctrl) {
663 EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_CTRL_NOT_IMPLEMENTED);
664 return 0;
665 }
666
667 ret = ctx->cipher->ctrl(ctx, type, arg, ptr);
668 if (ret == -1) {
669 EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL,
670 EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED);
671 return 0;
672 }
673 return ret;
674 }
675
EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX * ctx,unsigned char * key)676 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
677 {
678 if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
679 return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
680 if (RAND_priv_bytes(key, ctx->key_len) <= 0)
681 return 0;
682 return 1;
683 }
684
EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX * out,const EVP_CIPHER_CTX * in)685 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
686 {
687 if ((in == NULL) || (in->cipher == NULL)) {
688 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, EVP_R_INPUT_NOT_INITIALIZED);
689 return 0;
690 }
691 #ifndef OPENSSL_NO_ENGINE
692 /* Make sure it's safe to copy a cipher context using an ENGINE */
693 if (in->engine && !ENGINE_init(in->engine)) {
694 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_ENGINE_LIB);
695 return 0;
696 }
697 #endif
698
699 EVP_CIPHER_CTX_reset(out);
700 memcpy(out, in, sizeof(*out));
701
702 if (in->cipher_data && in->cipher->ctx_size) {
703 out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
704 if (out->cipher_data == NULL) {
705 out->cipher = NULL;
706 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_MALLOC_FAILURE);
707 return 0;
708 }
709 memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
710 }
711
712 if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
713 if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) {
714 out->cipher = NULL;
715 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, EVP_R_INITIALIZATION_ERROR);
716 return 0;
717 }
718 return 1;
719 }
720