1 /* $OpenBSD: evp_cipher.c,v 1.23 2024/04/10 15:00:38 beck Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 2015 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * licensing@OpenSSL.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <limits.h> 113 #include <stdio.h> 114 #include <stdlib.h> 115 #include <string.h> 116 117 #include <openssl/asn1.h> 118 #include <openssl/err.h> 119 #include <openssl/evp.h> 120 121 #include "asn1_local.h" 122 #include "evp_local.h" 123 124 int 125 EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 126 const unsigned char *key, const unsigned char *iv, int enc) 127 { 128 return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc); 129 } 130 LCRYPTO_ALIAS(EVP_CipherInit); 131 132 int 133 EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine, 134 const unsigned char *key, const unsigned char *iv, int enc) 135 { 136 if (enc == -1) 137 enc = ctx->encrypt; 138 if (enc != 0) 139 enc = 1; 140 ctx->encrypt = enc; 141 142 if (cipher == NULL && ctx->cipher == NULL) { 143 EVPerror(EVP_R_NO_CIPHER_SET); 144 return 0; 145 } 146 147 /* 148 * Set up cipher and context. Allocate cipher data and initialize ctx. 149 * On ctx reuse only retain encryption direction and key wrap flag. 150 */ 151 if (cipher != NULL) { 152 unsigned long flags = ctx->flags; 153 154 EVP_CIPHER_CTX_cleanup(ctx); 155 ctx->encrypt = enc; 156 ctx->flags = flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW; 157 158 ctx->cipher = cipher; 159 ctx->key_len = cipher->key_len; 160 161 if (ctx->cipher->ctx_size != 0) { 162 ctx->cipher_data = calloc(1, ctx->cipher->ctx_size); 163 if (ctx->cipher_data == NULL) { 164 EVPerror(ERR_R_MALLOC_FAILURE); 165 return 0; 166 } 167 } 168 169 if ((ctx->cipher->flags & EVP_CIPH_CTRL_INIT) != 0) { 170 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { 171 EVPerror(EVP_R_INITIALIZATION_ERROR); 172 return 0; 173 } 174 } 175 } 176 177 /* Block sizes must be a power of 2 due to the use of block_mask. */ 178 if (ctx->cipher->block_size != 1 && 179 ctx->cipher->block_size != 8 && 180 ctx->cipher->block_size != 16) { 181 EVPerror(EVP_R_BAD_BLOCK_LENGTH); 182 return 0; 183 } 184 185 if ((ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) == 0 && 186 EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE) { 187 EVPerror(EVP_R_WRAP_MODE_NOT_ALLOWED); 188 return 0; 189 } 190 191 if ((EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV) == 0) { 192 int iv_len; 193 194 switch (EVP_CIPHER_CTX_mode(ctx)) { 195 196 case EVP_CIPH_STREAM_CIPHER: 197 case EVP_CIPH_ECB_MODE: 198 break; 199 200 case EVP_CIPH_CFB_MODE: 201 case EVP_CIPH_OFB_MODE: 202 203 ctx->num = 0; 204 /* fall-through */ 205 206 case EVP_CIPH_CBC_MODE: 207 iv_len = EVP_CIPHER_CTX_iv_length(ctx); 208 if (iv_len < 0 || iv_len > sizeof(ctx->oiv) || 209 iv_len > sizeof(ctx->iv)) { 210 EVPerror(EVP_R_IV_TOO_LARGE); 211 return 0; 212 } 213 if (iv != NULL) 214 memcpy(ctx->oiv, iv, iv_len); 215 memcpy(ctx->iv, ctx->oiv, iv_len); 216 break; 217 218 case EVP_CIPH_CTR_MODE: 219 ctx->num = 0; 220 iv_len = EVP_CIPHER_CTX_iv_length(ctx); 221 if (iv_len < 0 || iv_len > sizeof(ctx->iv)) { 222 EVPerror(EVP_R_IV_TOO_LARGE); 223 return 0; 224 } 225 /* Don't reuse IV for CTR mode */ 226 if (iv != NULL) 227 memcpy(ctx->iv, iv, iv_len); 228 break; 229 230 default: 231 return 0; 232 break; 233 } 234 } 235 236 if (key != NULL || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT) != 0) { 237 if (!ctx->cipher->init(ctx, key, iv, enc)) 238 return 0; 239 } 240 241 ctx->partial_len = 0; 242 ctx->final_used = 0; 243 244 return 1; 245 } 246 LCRYPTO_ALIAS(EVP_CipherInit_ex); 247 248 int 249 EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len, 250 const unsigned char *in, int in_len) 251 { 252 if (ctx->encrypt) 253 return EVP_EncryptUpdate(ctx, out, out_len, in, in_len); 254 255 return EVP_DecryptUpdate(ctx, out, out_len, in, in_len); 256 } 257 LCRYPTO_ALIAS(EVP_CipherUpdate); 258 259 int 260 EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) 261 { 262 if (ctx->encrypt) 263 return EVP_EncryptFinal_ex(ctx, out, out_len); 264 265 return EVP_DecryptFinal_ex(ctx, out, out_len); 266 } 267 LCRYPTO_ALIAS(EVP_CipherFinal); 268 269 int 270 EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) 271 { 272 if (ctx->encrypt) 273 return EVP_EncryptFinal_ex(ctx, out, out_len); 274 275 return EVP_DecryptFinal_ex(ctx, out, out_len); 276 } 277 LCRYPTO_ALIAS(EVP_CipherFinal_ex); 278 279 int 280 EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 281 const unsigned char *key, const unsigned char *iv) 282 { 283 return EVP_CipherInit(ctx, cipher, key, iv, 1); 284 } 285 LCRYPTO_ALIAS(EVP_EncryptInit); 286 287 int 288 EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine, 289 const unsigned char *key, const unsigned char *iv) 290 { 291 return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1); 292 } 293 LCRYPTO_ALIAS(EVP_EncryptInit_ex); 294 295 /* 296 * EVP_Cipher() is an implementation detail of EVP_Cipher{Update,Final}(). 297 * Behavior depends on EVP_CIPH_FLAG_CUSTOM_CIPHER being set on ctx->cipher. 298 * 299 * If the flag is set, do_cipher() operates in update mode if in != NULL and 300 * in final mode if in == NULL. It returns the number of bytes written to out 301 * (which may be 0) or -1 on error. 302 * 303 * If the flag is not set, do_cipher() assumes properly aligned data and that 304 * padding is handled correctly by the caller. Most do_cipher() methods will 305 * silently produce garbage and succeed. Returns 1 on success, 0 on error. 306 */ 307 int 308 EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, 309 unsigned int in_len) 310 { 311 return ctx->cipher->do_cipher(ctx, out, in, in_len); 312 } 313 LCRYPTO_ALIAS(EVP_Cipher); 314 315 static int 316 evp_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len, 317 const unsigned char *in, int in_len) 318 { 319 int len; 320 321 *out_len = 0; 322 323 if (in_len < 0) 324 return 0; 325 326 if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0) { 327 if ((len = ctx->cipher->do_cipher(ctx, out, in, in_len)) < 0) 328 return 0; 329 330 *out_len = len; 331 return 1; 332 } 333 334 if (!ctx->cipher->do_cipher(ctx, out, in, in_len)) 335 return 0; 336 337 *out_len = in_len; 338 339 return 1; 340 } 341 342 int 343 EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len, 344 const unsigned char *in, int in_len) 345 { 346 const int block_size = ctx->cipher->block_size; 347 const int block_mask = block_size - 1; 348 int partial_len = ctx->partial_len; 349 int len = 0, total_len = 0; 350 351 *out_len = 0; 352 353 if ((block_size & block_mask) != 0) 354 return 0; 355 356 if (in_len < 0) 357 return 0; 358 359 if (in_len == 0 && EVP_CIPHER_mode(ctx->cipher) != EVP_CIPH_CCM_MODE) 360 return 1; 361 362 if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0) 363 return evp_cipher(ctx, out, out_len, in, in_len); 364 365 if (partial_len == 0 && (in_len & block_mask) == 0) 366 return evp_cipher(ctx, out, out_len, in, in_len); 367 368 if (partial_len < 0 || partial_len >= block_size || 369 block_size > sizeof(ctx->buf)) { 370 EVPerror(EVP_R_BAD_BLOCK_LENGTH); 371 return 0; 372 } 373 374 if (partial_len > 0) { 375 int partial_needed; 376 377 if ((partial_needed = block_size - partial_len) > in_len) { 378 memcpy(&ctx->buf[partial_len], in, in_len); 379 ctx->partial_len += in_len; 380 return 1; 381 } 382 383 /* 384 * Once the first partial_needed bytes from in are processed, 385 * the number of multiples of block_size of data remaining is 386 * (in_len - partial_needed) & ~block_mask. Ensure that this 387 * plus the block processed from ctx->buf doesn't overflow. 388 */ 389 if (((in_len - partial_needed) & ~block_mask) > INT_MAX - block_size) { 390 EVPerror(EVP_R_TOO_LARGE); 391 return 0; 392 } 393 memcpy(&ctx->buf[partial_len], in, partial_needed); 394 395 len = 0; 396 if (!evp_cipher(ctx, out, &len, ctx->buf, block_size)) 397 return 0; 398 total_len = len; 399 400 in_len -= partial_needed; 401 in += partial_needed; 402 out += len; 403 } 404 405 partial_len = in_len & block_mask; 406 if ((in_len -= partial_len) > 0) { 407 if (INT_MAX - in_len < total_len) 408 return 0; 409 len = 0; 410 if (!evp_cipher(ctx, out, &len, in, in_len)) 411 return 0; 412 if (INT_MAX - len < total_len) 413 return 0; 414 total_len += len; 415 } 416 417 if ((ctx->partial_len = partial_len) > 0) 418 memcpy(ctx->buf, &in[in_len], partial_len); 419 420 *out_len = total_len; 421 422 return 1; 423 } 424 LCRYPTO_ALIAS(EVP_EncryptUpdate); 425 426 int 427 EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) 428 { 429 return EVP_EncryptFinal_ex(ctx, out, out_len); 430 } 431 LCRYPTO_ALIAS(EVP_EncryptFinal); 432 433 int 434 EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) 435 { 436 const int block_size = ctx->cipher->block_size; 437 int partial_len = ctx->partial_len; 438 int pad; 439 440 *out_len = 0; 441 442 if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0) 443 return evp_cipher(ctx, out, out_len, NULL, 0); 444 445 if (partial_len < 0 || partial_len >= block_size || 446 block_size > sizeof(ctx->buf)) { 447 EVPerror(EVP_R_BAD_BLOCK_LENGTH); 448 return 0; 449 } 450 if (block_size == 1) 451 return 1; 452 453 if ((ctx->flags & EVP_CIPH_NO_PADDING) != 0) { 454 if (partial_len != 0) { 455 EVPerror(EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); 456 return 0; 457 } 458 return 1; 459 } 460 461 pad = block_size - partial_len; 462 memset(&ctx->buf[partial_len], pad, pad); 463 464 return evp_cipher(ctx, out, out_len, ctx->buf, block_size); 465 } 466 LCRYPTO_ALIAS(EVP_EncryptFinal_ex); 467 468 int 469 EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 470 const unsigned char *key, const unsigned char *iv) 471 { 472 return EVP_CipherInit(ctx, cipher, key, iv, 0); 473 } 474 LCRYPTO_ALIAS(EVP_DecryptInit); 475 476 int 477 EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine, 478 const unsigned char *key, const unsigned char *iv) 479 { 480 return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0); 481 } 482 LCRYPTO_ALIAS(EVP_DecryptInit_ex); 483 484 int 485 EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len, 486 const unsigned char *in, int in_len) 487 { 488 const int block_size = ctx->cipher->block_size; 489 const int block_mask = block_size - 1; 490 int len = 0, total_len = 0; 491 492 *out_len = 0; 493 494 if ((block_size & block_mask) != 0) 495 return 0; 496 497 if (in_len < 0) 498 return 0; 499 500 if (in_len == 0 && EVP_CIPHER_mode(ctx->cipher) != EVP_CIPH_CCM_MODE) 501 return 1; 502 503 if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0) 504 return evp_cipher(ctx, out, out_len, in, in_len); 505 506 if ((ctx->flags & EVP_CIPH_NO_PADDING) != 0) 507 return EVP_EncryptUpdate(ctx, out, out_len, in, in_len); 508 509 if (block_size > sizeof(ctx->final)) { 510 EVPerror(EVP_R_BAD_BLOCK_LENGTH); 511 return 0; 512 } 513 514 if (ctx->final_used) { 515 /* 516 * final_used is only set if partial_len is 0. Therefore the 517 * output from EVP_EncryptUpdate() is in_len & ~block_mask. 518 * Ensure (in_len & ~block_mask) + block_size doesn't overflow. 519 */ 520 if ((in_len & ~block_mask) > INT_MAX - block_size) { 521 EVPerror(EVP_R_TOO_LARGE); 522 return 0; 523 } 524 memcpy(out, ctx->final, block_size); 525 out += block_size; 526 total_len = block_size; 527 } 528 529 ctx->final_used = 0; 530 531 len = 0; 532 if (!EVP_EncryptUpdate(ctx, out, &len, in, in_len)) 533 return 0; 534 535 /* Keep copy of last block if a multiple of block_size was decrypted. */ 536 if (block_size > 1 && ctx->partial_len == 0) { 537 if (len < block_size) 538 return 0; 539 len -= block_size; 540 memcpy(ctx->final, &out[len], block_size); 541 ctx->final_used = 1; 542 } 543 544 if (len > INT_MAX - total_len) 545 return 0; 546 total_len += len; 547 548 *out_len = total_len; 549 550 return 1; 551 } 552 LCRYPTO_ALIAS(EVP_DecryptUpdate); 553 554 int 555 EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) 556 { 557 return EVP_DecryptFinal_ex(ctx, out, out_len); 558 } 559 LCRYPTO_ALIAS(EVP_DecryptFinal); 560 561 int 562 EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) 563 { 564 const int block_size = ctx->cipher->block_size; 565 int partial_len = ctx->partial_len; 566 int i, pad, plain_len; 567 568 *out_len = 0; 569 570 if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) != 0) 571 return evp_cipher(ctx, out, out_len, NULL, 0); 572 573 if ((ctx->flags & EVP_CIPH_NO_PADDING) != 0) { 574 if (partial_len != 0) { 575 EVPerror(EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); 576 return 0; 577 } 578 return 1; 579 } 580 581 if (block_size == 1) 582 return 1; 583 584 if (partial_len != 0 || !ctx->final_used) { 585 EVPerror(EVP_R_WRONG_FINAL_BLOCK_LENGTH); 586 return 0; 587 } 588 589 if (block_size > sizeof(ctx->final)) { 590 EVPerror(EVP_R_BAD_BLOCK_LENGTH); 591 return 0; 592 } 593 594 pad = ctx->final[block_size - 1]; 595 if (pad <= 0 || pad > block_size) { 596 EVPerror(EVP_R_BAD_DECRYPT); 597 return 0; 598 } 599 plain_len = block_size - pad; 600 for (i = plain_len; i < block_size; i++) { 601 if (ctx->final[i] != pad) { 602 EVPerror(EVP_R_BAD_DECRYPT); 603 return 0; 604 } 605 } 606 607 memcpy(out, ctx->final, plain_len); 608 *out_len = plain_len; 609 610 return 1; 611 } 612 LCRYPTO_ALIAS(EVP_DecryptFinal_ex); 613 614 EVP_CIPHER_CTX * 615 EVP_CIPHER_CTX_new(void) 616 { 617 return calloc(1, sizeof(EVP_CIPHER_CTX)); 618 } 619 LCRYPTO_ALIAS(EVP_CIPHER_CTX_new); 620 621 void 622 EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) 623 { 624 if (ctx == NULL) 625 return; 626 627 EVP_CIPHER_CTX_cleanup(ctx); 628 629 free(ctx); 630 } 631 LCRYPTO_ALIAS(EVP_CIPHER_CTX_free); 632 633 void 634 EVP_CIPHER_CTX_legacy_clear(EVP_CIPHER_CTX *ctx) 635 { 636 memset(ctx, 0, sizeof(*ctx)); 637 } 638 639 int 640 EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) 641 { 642 return EVP_CIPHER_CTX_cleanup(ctx); 643 } 644 LCRYPTO_ALIAS(EVP_CIPHER_CTX_init); 645 646 int 647 EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx) 648 { 649 return EVP_CIPHER_CTX_cleanup(ctx); 650 } 651 LCRYPTO_ALIAS(EVP_CIPHER_CTX_reset); 652 653 int 654 EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *ctx) 655 { 656 if (ctx == NULL) 657 return 1; 658 659 if (ctx->cipher != NULL) { 660 /* XXX - Avoid leaks, so ignore return value of cleanup()... */ 661 if (ctx->cipher->cleanup != NULL) 662 ctx->cipher->cleanup(ctx); 663 if (ctx->cipher_data != NULL) 664 explicit_bzero(ctx->cipher_data, ctx->cipher->ctx_size); 665 } 666 667 /* XXX - store size of cipher_data so we can always freezero(). */ 668 free(ctx->cipher_data); 669 670 explicit_bzero(ctx, sizeof(EVP_CIPHER_CTX)); 671 672 return 1; 673 } 674 LCRYPTO_ALIAS(EVP_CIPHER_CTX_cleanup); 675 676 int 677 EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) 678 { 679 int ret; 680 681 if (!ctx->cipher) { 682 EVPerror(EVP_R_NO_CIPHER_SET); 683 return 0; 684 } 685 686 if (!ctx->cipher->ctrl) { 687 EVPerror(EVP_R_CTRL_NOT_IMPLEMENTED); 688 return 0; 689 } 690 691 ret = ctx->cipher->ctrl(ctx, type, arg, ptr); 692 if (ret == -1) { 693 EVPerror(EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED); 694 return 0; 695 } 696 return ret; 697 } 698 LCRYPTO_ALIAS(EVP_CIPHER_CTX_ctrl); 699 700 int 701 EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) 702 { 703 if (ctx->cipher->flags & EVP_CIPH_RAND_KEY) 704 return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key); 705 arc4random_buf(key, ctx->key_len); 706 return 1; 707 } 708 LCRYPTO_ALIAS(EVP_CIPHER_CTX_rand_key); 709 710 int 711 EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) 712 { 713 if (in == NULL || in->cipher == NULL) { 714 EVPerror(EVP_R_INPUT_NOT_INITIALIZED); 715 return 0; 716 } 717 718 EVP_CIPHER_CTX_cleanup(out); 719 memcpy(out, in, sizeof *out); 720 721 if (in->cipher_data && in->cipher->ctx_size) { 722 out->cipher_data = calloc(1, in->cipher->ctx_size); 723 if (out->cipher_data == NULL) { 724 EVPerror(ERR_R_MALLOC_FAILURE); 725 return 0; 726 } 727 memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); 728 } 729 730 if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) { 731 if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 732 0, out)) { 733 /* 734 * If the custom copy control failed, assume that there 735 * may still be pointers copied in the cipher_data that 736 * we do not own. This may result in a leak from a bad 737 * custom copy control, but that's preferable to a 738 * double free... 739 */ 740 freezero(out->cipher_data, in->cipher->ctx_size); 741 out->cipher_data = NULL; 742 return 0; 743 } 744 } 745 746 return 1; 747 } 748 LCRYPTO_ALIAS(EVP_CIPHER_CTX_copy); 749 750 /* 751 * EVP_CIPHER_CTX accessors. 752 */ 753 754 const EVP_CIPHER * 755 EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) 756 { 757 return ctx->cipher; 758 } 759 LCRYPTO_ALIAS(EVP_CIPHER_CTX_cipher); 760 761 int 762 EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) 763 { 764 return ctx->encrypt; 765 } 766 LCRYPTO_ALIAS(EVP_CIPHER_CTX_encrypting); 767 768 int 769 EVP_CIPHER_CTX_get_iv(const EVP_CIPHER_CTX *ctx, unsigned char *iv, size_t len) 770 { 771 if (ctx == NULL || len != EVP_CIPHER_CTX_iv_length(ctx)) 772 return 0; 773 if (len > EVP_MAX_IV_LENGTH) 774 return 0; /* sanity check; shouldn't happen */ 775 /* 776 * Skip the memcpy entirely when the requested IV length is zero, 777 * since the iv pointer may be NULL or invalid. 778 */ 779 if (len != 0) { 780 if (iv == NULL) 781 return 0; 782 memcpy(iv, ctx->iv, len); 783 } 784 return 1; 785 } 786 LCRYPTO_ALIAS(EVP_CIPHER_CTX_get_iv); 787 788 int 789 EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len) 790 { 791 if (ctx == NULL || len != EVP_CIPHER_CTX_iv_length(ctx)) 792 return 0; 793 if (len > EVP_MAX_IV_LENGTH) 794 return 0; /* sanity check; shouldn't happen */ 795 /* 796 * Skip the memcpy entirely when the requested IV length is zero, 797 * since the iv pointer may be NULL or invalid. 798 */ 799 if (len != 0) { 800 if (iv == NULL) 801 return 0; 802 memcpy(ctx->iv, iv, len); 803 } 804 return 1; 805 } 806 LCRYPTO_ALIAS(EVP_CIPHER_CTX_set_iv); 807 808 unsigned char * 809 EVP_CIPHER_CTX_buf_noconst(EVP_CIPHER_CTX *ctx) 810 { 811 return ctx->buf; 812 } 813 LCRYPTO_ALIAS(EVP_CIPHER_CTX_buf_noconst); 814 815 void * 816 EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) 817 { 818 return ctx->app_data; 819 } 820 LCRYPTO_ALIAS(EVP_CIPHER_CTX_get_app_data); 821 822 void 823 EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data) 824 { 825 ctx->app_data = data; 826 } 827 LCRYPTO_ALIAS(EVP_CIPHER_CTX_set_app_data); 828 829 int 830 EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) 831 { 832 return ctx->key_len; 833 } 834 LCRYPTO_ALIAS(EVP_CIPHER_CTX_key_length); 835 836 int 837 EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *ctx, int key_len) 838 { 839 if (ctx->key_len == key_len) 840 return 1; 841 if (key_len > 0 && (ctx->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) { 842 ctx->key_len = key_len; 843 return 1; 844 } 845 EVPerror(EVP_R_INVALID_KEY_LENGTH); 846 return 0; 847 } 848 LCRYPTO_ALIAS(EVP_CIPHER_CTX_set_key_length); 849 850 int 851 EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad) 852 { 853 if (pad) 854 ctx->flags &= ~EVP_CIPH_NO_PADDING; 855 else 856 ctx->flags |= EVP_CIPH_NO_PADDING; 857 return 1; 858 } 859 LCRYPTO_ALIAS(EVP_CIPHER_CTX_set_padding); 860 861 void 862 EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags) 863 { 864 ctx->flags |= flags; 865 } 866 LCRYPTO_ALIAS(EVP_CIPHER_CTX_set_flags); 867 868 void 869 EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags) 870 { 871 ctx->flags &= ~flags; 872 } 873 LCRYPTO_ALIAS(EVP_CIPHER_CTX_clear_flags); 874 875 int 876 EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags) 877 { 878 return (ctx->flags & flags); 879 } 880 LCRYPTO_ALIAS(EVP_CIPHER_CTX_test_flags); 881 882 void * 883 EVP_CIPHER_CTX_get_cipher_data(const EVP_CIPHER_CTX *ctx) 884 { 885 return ctx->cipher_data; 886 } 887 LCRYPTO_ALIAS(EVP_CIPHER_CTX_get_cipher_data); 888 889 void * 890 EVP_CIPHER_CTX_set_cipher_data(EVP_CIPHER_CTX *ctx, void *cipher_data) 891 { 892 void *old_cipher_data; 893 894 old_cipher_data = ctx->cipher_data; 895 ctx->cipher_data = cipher_data; 896 897 return old_cipher_data; 898 } 899 LCRYPTO_ALIAS(EVP_CIPHER_CTX_set_cipher_data); 900 901 /* 902 * EVP_CIPHER_CTX getters that reach into the cipher attached to the context. 903 */ 904 905 int 906 EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) 907 { 908 return ctx->cipher->nid; 909 } 910 LCRYPTO_ALIAS(EVP_CIPHER_CTX_nid); 911 912 int 913 EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx) 914 { 915 return ctx->cipher->block_size; 916 } 917 LCRYPTO_ALIAS(EVP_CIPHER_CTX_block_size); 918 919 int 920 EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) 921 { 922 int iv_length = 0; 923 924 if ((ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_IV_LENGTH) == 0) 925 return ctx->cipher->iv_len; 926 927 /* 928 * XXX - sanity would suggest to pass the size of the pointer along, 929 * but unfortunately we have to match the other crowd. 930 */ 931 if (EVP_CIPHER_CTX_ctrl((EVP_CIPHER_CTX *)ctx, EVP_CTRL_GET_IVLEN, 0, 932 &iv_length) != 1) 933 return -1; 934 935 return iv_length; 936 } 937 LCRYPTO_ALIAS(EVP_CIPHER_CTX_iv_length); 938 939 unsigned long 940 EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx) 941 { 942 return ctx->cipher->flags; 943 } 944 LCRYPTO_ALIAS(EVP_CIPHER_CTX_flags); 945 946 /* 947 * Used by CMS and its predecessors. Only GOST and RC2 have a custom method. 948 */ 949 950 int 951 EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type) 952 { 953 int iv_len; 954 955 if (type == NULL) 956 return 0; 957 958 iv_len = EVP_CIPHER_CTX_iv_length(ctx); 959 if (iv_len < 0 || iv_len > sizeof(ctx->oiv) || iv_len > sizeof(ctx->iv)) { 960 EVPerror(EVP_R_IV_TOO_LARGE); 961 return 0; /* XXX */ 962 } 963 if (ASN1_TYPE_get_octetstring(type, ctx->oiv, iv_len) != iv_len) 964 return -1; 965 966 if (iv_len > 0) 967 memcpy(ctx->iv, ctx->oiv, iv_len); 968 969 return iv_len; 970 } 971 972 int 973 EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type) 974 { 975 if (ctx->cipher->get_asn1_parameters != NULL) 976 return ctx->cipher->get_asn1_parameters(ctx, type); 977 978 if ((ctx->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) != 0) 979 return EVP_CIPHER_get_asn1_iv(ctx, type); 980 981 return -1; 982 } 983 984 int 985 EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type) 986 { 987 int iv_len; 988 989 if (type == NULL) 990 return 0; 991 992 iv_len = EVP_CIPHER_CTX_iv_length(ctx); 993 if (iv_len < 0 || iv_len > sizeof(ctx->oiv)) { 994 EVPerror(EVP_R_IV_TOO_LARGE); 995 return 0; 996 } 997 998 return ASN1_TYPE_set_octetstring(type, ctx->oiv, iv_len); 999 } 1000 1001 int 1002 EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type) 1003 { 1004 if (ctx->cipher->set_asn1_parameters != NULL) 1005 return ctx->cipher->set_asn1_parameters(ctx, type); 1006 1007 if ((ctx->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) != 0) 1008 return EVP_CIPHER_set_asn1_iv(ctx, type); 1009 1010 return -1; 1011 } 1012 1013 /* Convert the various cipher NIDs and dummies to a proper OID NID */ 1014 int 1015 EVP_CIPHER_type(const EVP_CIPHER *cipher) 1016 { 1017 ASN1_OBJECT *aobj; 1018 int nid; 1019 1020 nid = EVP_CIPHER_nid(cipher); 1021 switch (nid) { 1022 case NID_rc2_cbc: 1023 case NID_rc2_64_cbc: 1024 case NID_rc2_40_cbc: 1025 return NID_rc2_cbc; 1026 1027 case NID_rc4: 1028 case NID_rc4_40: 1029 return NID_rc4; 1030 1031 case NID_aes_128_cfb128: 1032 case NID_aes_128_cfb8: 1033 case NID_aes_128_cfb1: 1034 return NID_aes_128_cfb128; 1035 1036 case NID_aes_192_cfb128: 1037 case NID_aes_192_cfb8: 1038 case NID_aes_192_cfb1: 1039 return NID_aes_192_cfb128; 1040 1041 case NID_aes_256_cfb128: 1042 case NID_aes_256_cfb8: 1043 case NID_aes_256_cfb1: 1044 return NID_aes_256_cfb128; 1045 1046 case NID_des_cfb64: 1047 case NID_des_cfb8: 1048 case NID_des_cfb1: 1049 return NID_des_cfb64; 1050 1051 case NID_des_ede3_cfb64: 1052 case NID_des_ede3_cfb8: 1053 case NID_des_ede3_cfb1: 1054 return NID_des_cfb64; 1055 1056 default: 1057 /* Check it has an OID and it is valid */ 1058 if (((aobj = OBJ_nid2obj(nid)) == NULL) || aobj->data == NULL) 1059 nid = NID_undef; 1060 1061 ASN1_OBJECT_free(aobj); 1062 1063 return nid; 1064 } 1065 } 1066 LCRYPTO_ALIAS(EVP_CIPHER_type); 1067 1068 /* 1069 * Accessors. First the trivial getters, then the setters for the method API. 1070 */ 1071 1072 int 1073 EVP_CIPHER_nid(const EVP_CIPHER *cipher) 1074 { 1075 return cipher->nid; 1076 } 1077 LCRYPTO_ALIAS(EVP_CIPHER_nid); 1078 1079 int 1080 EVP_CIPHER_block_size(const EVP_CIPHER *cipher) 1081 { 1082 return cipher->block_size; 1083 } 1084 LCRYPTO_ALIAS(EVP_CIPHER_block_size); 1085 1086 int 1087 EVP_CIPHER_key_length(const EVP_CIPHER *cipher) 1088 { 1089 return cipher->key_len; 1090 } 1091 LCRYPTO_ALIAS(EVP_CIPHER_key_length); 1092 1093 int 1094 EVP_CIPHER_iv_length(const EVP_CIPHER *cipher) 1095 { 1096 return cipher->iv_len; 1097 } 1098 LCRYPTO_ALIAS(EVP_CIPHER_iv_length); 1099 1100 unsigned long 1101 EVP_CIPHER_flags(const EVP_CIPHER *cipher) 1102 { 1103 return cipher->flags; 1104 } 1105 LCRYPTO_ALIAS(EVP_CIPHER_flags); 1106 1107 EVP_CIPHER * 1108 EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len) 1109 { 1110 EVP_CIPHER *cipher; 1111 1112 if (cipher_type < 0 || key_len < 0) 1113 return NULL; 1114 1115 /* EVP_CipherInit() will fail for any other value. */ 1116 if (block_size != 1 && block_size != 8 && block_size != 16) 1117 return NULL; 1118 1119 if ((cipher = calloc(1, sizeof(*cipher))) == NULL) 1120 return NULL; 1121 1122 cipher->nid = cipher_type; 1123 cipher->block_size = block_size; 1124 cipher->key_len = key_len; 1125 1126 return cipher; 1127 } 1128 LCRYPTO_ALIAS(EVP_CIPHER_meth_new); 1129 1130 EVP_CIPHER * 1131 EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher) 1132 { 1133 EVP_CIPHER *copy; 1134 1135 if ((copy = calloc(1, sizeof(*copy))) == NULL) 1136 return NULL; 1137 1138 *copy = *cipher; 1139 1140 return copy; 1141 } 1142 LCRYPTO_ALIAS(EVP_CIPHER_meth_dup); 1143 1144 void 1145 EVP_CIPHER_meth_free(EVP_CIPHER *cipher) 1146 { 1147 free(cipher); 1148 } 1149 LCRYPTO_ALIAS(EVP_CIPHER_meth_free); 1150 1151 int 1152 EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len) 1153 { 1154 cipher->iv_len = iv_len; 1155 1156 return 1; 1157 } 1158 LCRYPTO_ALIAS(EVP_CIPHER_meth_set_iv_length); 1159 1160 int 1161 EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags) 1162 { 1163 cipher->flags = flags; 1164 1165 return 1; 1166 } 1167 LCRYPTO_ALIAS(EVP_CIPHER_meth_set_flags); 1168 1169 int 1170 EVP_CIPHER_meth_set_impl_ctx_size(EVP_CIPHER *cipher, int ctx_size) 1171 { 1172 cipher->ctx_size = ctx_size; 1173 1174 return 1; 1175 } 1176 LCRYPTO_ALIAS(EVP_CIPHER_meth_set_impl_ctx_size); 1177 1178 int 1179 EVP_CIPHER_meth_set_init(EVP_CIPHER *cipher, 1180 int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key, 1181 const unsigned char *iv, int enc)) 1182 { 1183 cipher->init = init; 1184 1185 return 1; 1186 } 1187 LCRYPTO_ALIAS(EVP_CIPHER_meth_set_init); 1188 1189 int 1190 EVP_CIPHER_meth_set_do_cipher(EVP_CIPHER *cipher, 1191 int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out, 1192 const unsigned char *in, size_t inl)) 1193 { 1194 cipher->do_cipher = do_cipher; 1195 1196 return 1; 1197 } 1198 LCRYPTO_ALIAS(EVP_CIPHER_meth_set_do_cipher); 1199 1200 int 1201 EVP_CIPHER_meth_set_cleanup(EVP_CIPHER *cipher, 1202 int (*cleanup)(EVP_CIPHER_CTX *)) 1203 { 1204 cipher->cleanup = cleanup; 1205 1206 return 1; 1207 } 1208 LCRYPTO_ALIAS(EVP_CIPHER_meth_set_cleanup); 1209 1210 int 1211 EVP_CIPHER_meth_set_set_asn1_params(EVP_CIPHER *cipher, 1212 int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *)) 1213 { 1214 cipher->set_asn1_parameters = set_asn1_parameters; 1215 1216 return 1; 1217 } 1218 LCRYPTO_ALIAS(EVP_CIPHER_meth_set_set_asn1_params); 1219 1220 int 1221 EVP_CIPHER_meth_set_get_asn1_params(EVP_CIPHER *cipher, 1222 int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *)) 1223 { 1224 cipher->get_asn1_parameters = get_asn1_parameters; 1225 1226 return 1; 1227 } 1228 LCRYPTO_ALIAS(EVP_CIPHER_meth_set_get_asn1_params); 1229 1230 int 1231 EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher, 1232 int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr)) 1233 { 1234 cipher->ctrl = ctrl; 1235 1236 return 1; 1237 } 1238 LCRYPTO_ALIAS(EVP_CIPHER_meth_set_ctrl); 1239