1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay@cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay@cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57#include <openssl/cipher.h> 58 59#include <assert.h> 60#include <string.h> 61 62#include <openssl/err.h> 63#include <openssl/mem.h> 64#include <openssl/nid.h> 65 66#include "internal.h" 67#include "../../internal.h" 68 69 70void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) { 71 OPENSSL_memset(ctx, 0, sizeof(EVP_CIPHER_CTX)); 72} 73 74EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) { 75 EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)); 76 if (ctx) { 77 EVP_CIPHER_CTX_init(ctx); 78 } 79 return ctx; 80} 81 82int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) { 83 if (c->cipher != NULL && c->cipher->cleanup) { 84 c->cipher->cleanup(c); 85 } 86 OPENSSL_free(c->cipher_data); 87 88 OPENSSL_memset(c, 0, sizeof(EVP_CIPHER_CTX)); 89 return 1; 90} 91 92void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { 93 if (ctx) { 94 EVP_CIPHER_CTX_cleanup(ctx); 95 OPENSSL_free(ctx); 96 } 97} 98 99int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { 100 if (in == NULL || in->cipher == NULL) { 101 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INPUT_NOT_INITIALIZED); 102 return 0; 103 } 104 105 EVP_CIPHER_CTX_cleanup(out); 106 OPENSSL_memcpy(out, in, sizeof(EVP_CIPHER_CTX)); 107 108 if (in->cipher_data && in->cipher->ctx_size) { 109 out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); 110 if (!out->cipher_data) { 111 out->cipher = NULL; 112 OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); 113 return 0; 114 } 115 OPENSSL_memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); 116 } 117 118 if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) { 119 if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) { 120 out->cipher = NULL; 121 return 0; 122 } 123 } 124 125 return 1; 126} 127 128void EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx) { 129 EVP_CIPHER_CTX_cleanup(ctx); 130 EVP_CIPHER_CTX_init(ctx); 131} 132 133int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 134 ENGINE *engine, const uint8_t *key, const uint8_t *iv, 135 int enc) { 136 if (enc == -1) { 137 enc = ctx->encrypt; 138 } else { 139 if (enc) { 140 enc = 1; 141 } 142 ctx->encrypt = enc; 143 } 144 145 if (cipher) { 146 // Ensure a context left from last time is cleared (the previous check 147 // attempted to avoid this if the same ENGINE and EVP_CIPHER could be 148 // used). 149 if (ctx->cipher) { 150 EVP_CIPHER_CTX_cleanup(ctx); 151 // Restore encrypt and flags 152 ctx->encrypt = enc; 153 } 154 155 ctx->cipher = cipher; 156 if (ctx->cipher->ctx_size) { 157 ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size); 158 if (!ctx->cipher_data) { 159 ctx->cipher = NULL; 160 OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); 161 return 0; 162 } 163 } else { 164 ctx->cipher_data = NULL; 165 } 166 167 ctx->key_len = cipher->key_len; 168 ctx->flags = 0; 169 170 if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { 171 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { 172 ctx->cipher = NULL; 173 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INITIALIZATION_ERROR); 174 return 0; 175 } 176 } 177 } else if (!ctx->cipher) { 178 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); 179 return 0; 180 } 181 182 // we assume block size is a power of 2 in *cryptUpdate 183 assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || 184 ctx->cipher->block_size == 16); 185 186 if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) { 187 switch (EVP_CIPHER_CTX_mode(ctx)) { 188 case EVP_CIPH_STREAM_CIPHER: 189 case EVP_CIPH_ECB_MODE: 190 break; 191 192 case EVP_CIPH_CFB_MODE: 193 ctx->num = 0; 194 // fall-through 195 196 case EVP_CIPH_CBC_MODE: 197 assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof(ctx->iv)); 198 if (iv) { 199 OPENSSL_memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx)); 200 } 201 OPENSSL_memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx)); 202 break; 203 204 case EVP_CIPH_CTR_MODE: 205 case EVP_CIPH_OFB_MODE: 206 ctx->num = 0; 207 // Don't reuse IV for CTR mode 208 if (iv) { 209 OPENSSL_memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx)); 210 } 211 break; 212 213 default: 214 return 0; 215 } 216 } 217 218 if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { 219 if (!ctx->cipher->init(ctx, key, iv, enc)) { 220 return 0; 221 } 222 } 223 224 ctx->buf_len = 0; 225 ctx->final_used = 0; 226 ctx->block_mask = ctx->cipher->block_size - 1; 227 return 1; 228} 229 230int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 231 ENGINE *impl, const uint8_t *key, const uint8_t *iv) { 232 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1); 233} 234 235int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 236 ENGINE *impl, const uint8_t *key, const uint8_t *iv) { 237 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0); 238} 239 240int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, 241 const uint8_t *in, int in_len) { 242 int i, j, bl; 243 244 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 245 i = ctx->cipher->cipher(ctx, out, in, in_len); 246 if (i < 0) { 247 return 0; 248 } else { 249 *out_len = i; 250 } 251 return 1; 252 } 253 254 if (in_len <= 0) { 255 *out_len = 0; 256 return in_len == 0; 257 } 258 259 if (ctx->buf_len == 0 && (in_len & ctx->block_mask) == 0) { 260 if (ctx->cipher->cipher(ctx, out, in, in_len)) { 261 *out_len = in_len; 262 return 1; 263 } else { 264 *out_len = 0; 265 return 0; 266 } 267 } 268 269 i = ctx->buf_len; 270 bl = ctx->cipher->block_size; 271 assert(bl <= (int)sizeof(ctx->buf)); 272 if (i != 0) { 273 if (bl - i > in_len) { 274 OPENSSL_memcpy(&ctx->buf[i], in, in_len); 275 ctx->buf_len += in_len; 276 *out_len = 0; 277 return 1; 278 } else { 279 j = bl - i; 280 OPENSSL_memcpy(&ctx->buf[i], in, j); 281 if (!ctx->cipher->cipher(ctx, out, ctx->buf, bl)) { 282 return 0; 283 } 284 in_len -= j; 285 in += j; 286 out += bl; 287 *out_len = bl; 288 } 289 } else { 290 *out_len = 0; 291 } 292 293 i = in_len & ctx->block_mask; 294 in_len -= i; 295 if (in_len > 0) { 296 if (!ctx->cipher->cipher(ctx, out, in, in_len)) { 297 return 0; 298 } 299 *out_len += in_len; 300 } 301 302 if (i != 0) { 303 OPENSSL_memcpy(ctx->buf, &in[in_len], i); 304 } 305 ctx->buf_len = i; 306 return 1; 307} 308 309int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { 310 int n, ret; 311 unsigned int i, b, bl; 312 313 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 314 ret = ctx->cipher->cipher(ctx, out, NULL, 0); 315 if (ret < 0) { 316 return 0; 317 } else { 318 *out_len = ret; 319 } 320 return 1; 321 } 322 323 b = ctx->cipher->block_size; 324 assert(b <= sizeof(ctx->buf)); 325 if (b == 1) { 326 *out_len = 0; 327 return 1; 328 } 329 330 bl = ctx->buf_len; 331 if (ctx->flags & EVP_CIPH_NO_PADDING) { 332 if (bl) { 333 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); 334 return 0; 335 } 336 *out_len = 0; 337 return 1; 338 } 339 340 n = b - bl; 341 for (i = bl; i < b; i++) { 342 ctx->buf[i] = n; 343 } 344 ret = ctx->cipher->cipher(ctx, out, ctx->buf, b); 345 346 if (ret) { 347 *out_len = b; 348 } 349 350 return ret; 351} 352 353int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, 354 const uint8_t *in, int in_len) { 355 int fix_len; 356 unsigned int b; 357 358 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 359 int r = ctx->cipher->cipher(ctx, out, in, in_len); 360 if (r < 0) { 361 *out_len = 0; 362 return 0; 363 } else { 364 *out_len = r; 365 } 366 return 1; 367 } 368 369 if (in_len <= 0) { 370 *out_len = 0; 371 return in_len == 0; 372 } 373 374 if (ctx->flags & EVP_CIPH_NO_PADDING) { 375 return EVP_EncryptUpdate(ctx, out, out_len, in, in_len); 376 } 377 378 b = ctx->cipher->block_size; 379 assert(b <= sizeof(ctx->final)); 380 381 if (ctx->final_used) { 382 OPENSSL_memcpy(out, ctx->final, b); 383 out += b; 384 fix_len = 1; 385 } else { 386 fix_len = 0; 387 } 388 389 if (!EVP_EncryptUpdate(ctx, out, out_len, in, in_len)) { 390 return 0; 391 } 392 393 // if we have 'decrypted' a multiple of block size, make sure 394 // we have a copy of this last block 395 if (b > 1 && !ctx->buf_len) { 396 *out_len -= b; 397 ctx->final_used = 1; 398 OPENSSL_memcpy(ctx->final, &out[*out_len], b); 399 } else { 400 ctx->final_used = 0; 401 } 402 403 if (fix_len) { 404 *out_len += b; 405 } 406 407 return 1; 408} 409 410int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { 411 int i, n; 412 unsigned int b; 413 *out_len = 0; 414 415 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 416 i = ctx->cipher->cipher(ctx, out, NULL, 0); 417 if (i < 0) { 418 return 0; 419 } else { 420 *out_len = i; 421 } 422 return 1; 423 } 424 425 b = ctx->cipher->block_size; 426 if (ctx->flags & EVP_CIPH_NO_PADDING) { 427 if (ctx->buf_len) { 428 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); 429 return 0; 430 } 431 *out_len = 0; 432 return 1; 433 } 434 435 if (b > 1) { 436 if (ctx->buf_len || !ctx->final_used) { 437 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_WRONG_FINAL_BLOCK_LENGTH); 438 return 0; 439 } 440 assert(b <= sizeof(ctx->final)); 441 442 // The following assumes that the ciphertext has been authenticated. 443 // Otherwise it provides a padding oracle. 444 n = ctx->final[b - 1]; 445 if (n == 0 || n > (int)b) { 446 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 447 return 0; 448 } 449 450 for (i = 0; i < n; i++) { 451 if (ctx->final[--b] != n) { 452 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 453 return 0; 454 } 455 } 456 457 n = ctx->cipher->block_size - n; 458 for (i = 0; i < n; i++) { 459 out[i] = ctx->final[i]; 460 } 461 *out_len = n; 462 } else { 463 *out_len = 0; 464 } 465 466 return 1; 467} 468 469int EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, 470 size_t in_len) { 471 return ctx->cipher->cipher(ctx, out, in, in_len); 472} 473 474int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, 475 const uint8_t *in, int in_len) { 476 if (ctx->encrypt) { 477 return EVP_EncryptUpdate(ctx, out, out_len, in, in_len); 478 } else { 479 return EVP_DecryptUpdate(ctx, out, out_len, in, in_len); 480 } 481} 482 483int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { 484 if (ctx->encrypt) { 485 return EVP_EncryptFinal_ex(ctx, out, out_len); 486 } else { 487 return EVP_DecryptFinal_ex(ctx, out, out_len); 488 } 489} 490 491const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) { 492 return ctx->cipher; 493} 494 495int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) { 496 return ctx->cipher->nid; 497} 498 499unsigned EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx) { 500 return ctx->cipher->block_size; 501} 502 503unsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) { 504 return ctx->key_len; 505} 506 507unsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) { 508 return ctx->cipher->iv_len; 509} 510 511void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) { 512 return ctx->app_data; 513} 514 515void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data) { 516 ctx->app_data = data; 517} 518 519uint32_t EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx) { 520 return ctx->cipher->flags & ~EVP_CIPH_MODE_MASK; 521} 522 523uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx) { 524 return ctx->cipher->flags & EVP_CIPH_MODE_MASK; 525} 526 527int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command, int arg, void *ptr) { 528 int ret; 529 if (!ctx->cipher) { 530 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); 531 return 0; 532 } 533 534 if (!ctx->cipher->ctrl) { 535 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_NOT_IMPLEMENTED); 536 return 0; 537 } 538 539 ret = ctx->cipher->ctrl(ctx, command, arg, ptr); 540 if (ret == -1) { 541 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED); 542 return 0; 543 } 544 545 return ret; 546} 547 548int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad) { 549 if (pad) { 550 ctx->flags &= ~EVP_CIPH_NO_PADDING; 551 } else { 552 ctx->flags |= EVP_CIPH_NO_PADDING; 553 } 554 return 1; 555} 556 557int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) { 558 if (c->key_len == key_len) { 559 return 1; 560 } 561 562 if (key_len == 0 || !(c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) { 563 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_KEY_LENGTH); 564 return 0; 565 } 566 567 c->key_len = key_len; 568 return 1; 569} 570 571int EVP_CIPHER_nid(const EVP_CIPHER *cipher) { return cipher->nid; } 572 573unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher) { 574 return cipher->block_size; 575} 576 577unsigned EVP_CIPHER_key_length(const EVP_CIPHER *cipher) { 578 return cipher->key_len; 579} 580 581unsigned EVP_CIPHER_iv_length(const EVP_CIPHER *cipher) { 582 return cipher->iv_len; 583} 584 585uint32_t EVP_CIPHER_flags(const EVP_CIPHER *cipher) { 586 return cipher->flags & ~EVP_CIPH_MODE_MASK; 587} 588 589uint32_t EVP_CIPHER_mode(const EVP_CIPHER *cipher) { 590 return cipher->flags & EVP_CIPH_MODE_MASK; 591} 592 593int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 594 const uint8_t *key, const uint8_t *iv, int enc) { 595 if (cipher) { 596 EVP_CIPHER_CTX_init(ctx); 597 } 598 return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc); 599} 600 601int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 602 const uint8_t *key, const uint8_t *iv) { 603 return EVP_CipherInit(ctx, cipher, key, iv, 1); 604} 605 606int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 607 const uint8_t *key, const uint8_t *iv) { 608 return EVP_CipherInit(ctx, cipher, key, iv, 0); 609} 610 611int EVP_add_cipher_alias(const char *a, const char *b) { 612 return 1; 613} 614 615void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx, uint32_t flags) {} 616