1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/cipher.h> 58 59 #include <assert.h> 60 #include <string.h> 61 62 #include <openssl/err.h> 63 #include <openssl/mem.h> 64 #include <openssl/nid.h> 65 66 #include "internal.h" 67 #include "../../internal.h" 68 69 70 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) { 71 OPENSSL_memset(ctx, 0, sizeof(EVP_CIPHER_CTX)); 72 } 73 74 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) { 75 EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)); 76 if (ctx) { 77 EVP_CIPHER_CTX_init(ctx); 78 } 79 return ctx; 80 } 81 82 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) { 83 if (c->cipher != NULL && c->cipher->cleanup) { 84 c->cipher->cleanup(c); 85 } 86 OPENSSL_free(c->cipher_data); 87 88 OPENSSL_memset(c, 0, sizeof(EVP_CIPHER_CTX)); 89 return 1; 90 } 91 92 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { 93 if (ctx) { 94 EVP_CIPHER_CTX_cleanup(ctx); 95 OPENSSL_free(ctx); 96 } 97 } 98 99 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { 100 if (in == NULL || in->cipher == NULL) { 101 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INPUT_NOT_INITIALIZED); 102 return 0; 103 } 104 105 EVP_CIPHER_CTX_cleanup(out); 106 OPENSSL_memcpy(out, in, sizeof(EVP_CIPHER_CTX)); 107 108 if (in->cipher_data && in->cipher->ctx_size) { 109 out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); 110 if (!out->cipher_data) { 111 out->cipher = NULL; 112 OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); 113 return 0; 114 } 115 OPENSSL_memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); 116 } 117 118 if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) { 119 if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) { 120 out->cipher = NULL; 121 return 0; 122 } 123 } 124 125 return 1; 126 } 127 128 void EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx) { 129 EVP_CIPHER_CTX_cleanup(ctx); 130 EVP_CIPHER_CTX_init(ctx); 131 } 132 133 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 134 ENGINE *engine, const uint8_t *key, const uint8_t *iv, 135 int enc) { 136 if (enc == -1) { 137 enc = ctx->encrypt; 138 } else { 139 if (enc) { 140 enc = 1; 141 } 142 ctx->encrypt = enc; 143 } 144 145 if (cipher) { 146 // Ensure a context left from last time is cleared (the previous check 147 // attempted to avoid this if the same ENGINE and EVP_CIPHER could be 148 // used). 149 if (ctx->cipher) { 150 EVP_CIPHER_CTX_cleanup(ctx); 151 // Restore encrypt and flags 152 ctx->encrypt = enc; 153 } 154 155 ctx->cipher = cipher; 156 if (ctx->cipher->ctx_size) { 157 ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size); 158 if (!ctx->cipher_data) { 159 ctx->cipher = NULL; 160 OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE); 161 return 0; 162 } 163 } else { 164 ctx->cipher_data = NULL; 165 } 166 167 ctx->key_len = cipher->key_len; 168 ctx->flags = 0; 169 170 if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { 171 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { 172 ctx->cipher = NULL; 173 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INITIALIZATION_ERROR); 174 return 0; 175 } 176 } 177 } else if (!ctx->cipher) { 178 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); 179 return 0; 180 } 181 182 // we assume block size is a power of 2 in *cryptUpdate 183 assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || 184 ctx->cipher->block_size == 16); 185 186 if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) { 187 switch (EVP_CIPHER_CTX_mode(ctx)) { 188 case EVP_CIPH_STREAM_CIPHER: 189 case EVP_CIPH_ECB_MODE: 190 break; 191 192 case EVP_CIPH_CFB_MODE: 193 ctx->num = 0; 194 // fall-through 195 196 case EVP_CIPH_CBC_MODE: 197 assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof(ctx->iv)); 198 if (iv) { 199 OPENSSL_memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx)); 200 } 201 OPENSSL_memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx)); 202 break; 203 204 case EVP_CIPH_CTR_MODE: 205 case EVP_CIPH_OFB_MODE: 206 ctx->num = 0; 207 // Don't reuse IV for CTR mode 208 if (iv) { 209 OPENSSL_memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx)); 210 } 211 break; 212 213 default: 214 return 0; 215 } 216 } 217 218 if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { 219 if (!ctx->cipher->init(ctx, key, iv, enc)) { 220 return 0; 221 } 222 } 223 224 ctx->buf_len = 0; 225 ctx->final_used = 0; 226 ctx->block_mask = ctx->cipher->block_size - 1; 227 return 1; 228 } 229 230 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 231 ENGINE *impl, const uint8_t *key, const uint8_t *iv) { 232 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1); 233 } 234 235 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 236 ENGINE *impl, const uint8_t *key, const uint8_t *iv) { 237 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0); 238 } 239 240 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, 241 const uint8_t *in, int in_len) { 242 int i, j, bl; 243 244 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 245 i = ctx->cipher->cipher(ctx, out, in, in_len); 246 if (i < 0) { 247 return 0; 248 } else { 249 *out_len = i; 250 } 251 return 1; 252 } 253 254 if (in_len <= 0) { 255 *out_len = 0; 256 return in_len == 0; 257 } 258 259 if (ctx->buf_len == 0 && (in_len & ctx->block_mask) == 0) { 260 if (ctx->cipher->cipher(ctx, out, in, in_len)) { 261 *out_len = in_len; 262 return 1; 263 } else { 264 *out_len = 0; 265 return 0; 266 } 267 } 268 269 i = ctx->buf_len; 270 bl = ctx->cipher->block_size; 271 assert(bl <= (int)sizeof(ctx->buf)); 272 if (i != 0) { 273 if (bl - i > in_len) { 274 OPENSSL_memcpy(&ctx->buf[i], in, in_len); 275 ctx->buf_len += in_len; 276 *out_len = 0; 277 return 1; 278 } else { 279 j = bl - i; 280 OPENSSL_memcpy(&ctx->buf[i], in, j); 281 if (!ctx->cipher->cipher(ctx, out, ctx->buf, bl)) { 282 return 0; 283 } 284 in_len -= j; 285 in += j; 286 out += bl; 287 *out_len = bl; 288 } 289 } else { 290 *out_len = 0; 291 } 292 293 i = in_len & ctx->block_mask; 294 in_len -= i; 295 if (in_len > 0) { 296 if (!ctx->cipher->cipher(ctx, out, in, in_len)) { 297 return 0; 298 } 299 *out_len += in_len; 300 } 301 302 if (i != 0) { 303 OPENSSL_memcpy(ctx->buf, &in[in_len], i); 304 } 305 ctx->buf_len = i; 306 return 1; 307 } 308 309 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { 310 int n, ret; 311 unsigned int i, b, bl; 312 313 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 314 ret = ctx->cipher->cipher(ctx, out, NULL, 0); 315 if (ret < 0) { 316 return 0; 317 } else { 318 *out_len = ret; 319 } 320 return 1; 321 } 322 323 b = ctx->cipher->block_size; 324 assert(b <= sizeof(ctx->buf)); 325 if (b == 1) { 326 *out_len = 0; 327 return 1; 328 } 329 330 bl = ctx->buf_len; 331 if (ctx->flags & EVP_CIPH_NO_PADDING) { 332 if (bl) { 333 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); 334 return 0; 335 } 336 *out_len = 0; 337 return 1; 338 } 339 340 n = b - bl; 341 for (i = bl; i < b; i++) { 342 ctx->buf[i] = n; 343 } 344 ret = ctx->cipher->cipher(ctx, out, ctx->buf, b); 345 346 if (ret) { 347 *out_len = b; 348 } 349 350 return ret; 351 } 352 353 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, 354 const uint8_t *in, int in_len) { 355 int fix_len; 356 unsigned int b; 357 358 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 359 int r = ctx->cipher->cipher(ctx, out, in, in_len); 360 if (r < 0) { 361 *out_len = 0; 362 return 0; 363 } else { 364 *out_len = r; 365 } 366 return 1; 367 } 368 369 if (in_len <= 0) { 370 *out_len = 0; 371 return in_len == 0; 372 } 373 374 if (ctx->flags & EVP_CIPH_NO_PADDING) { 375 return EVP_EncryptUpdate(ctx, out, out_len, in, in_len); 376 } 377 378 b = ctx->cipher->block_size; 379 assert(b <= sizeof(ctx->final)); 380 381 if (ctx->final_used) { 382 OPENSSL_memcpy(out, ctx->final, b); 383 out += b; 384 fix_len = 1; 385 } else { 386 fix_len = 0; 387 } 388 389 if (!EVP_EncryptUpdate(ctx, out, out_len, in, in_len)) { 390 return 0; 391 } 392 393 // if we have 'decrypted' a multiple of block size, make sure 394 // we have a copy of this last block 395 if (b > 1 && !ctx->buf_len) { 396 *out_len -= b; 397 ctx->final_used = 1; 398 OPENSSL_memcpy(ctx->final, &out[*out_len], b); 399 } else { 400 ctx->final_used = 0; 401 } 402 403 if (fix_len) { 404 *out_len += b; 405 } 406 407 return 1; 408 } 409 410 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { 411 int i, n; 412 unsigned int b; 413 *out_len = 0; 414 415 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 416 i = ctx->cipher->cipher(ctx, out, NULL, 0); 417 if (i < 0) { 418 return 0; 419 } else { 420 *out_len = i; 421 } 422 return 1; 423 } 424 425 b = ctx->cipher->block_size; 426 if (ctx->flags & EVP_CIPH_NO_PADDING) { 427 if (ctx->buf_len) { 428 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); 429 return 0; 430 } 431 *out_len = 0; 432 return 1; 433 } 434 435 if (b > 1) { 436 if (ctx->buf_len || !ctx->final_used) { 437 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_WRONG_FINAL_BLOCK_LENGTH); 438 return 0; 439 } 440 assert(b <= sizeof(ctx->final)); 441 442 // The following assumes that the ciphertext has been authenticated. 443 // Otherwise it provides a padding oracle. 444 n = ctx->final[b - 1]; 445 if (n == 0 || n > (int)b) { 446 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 447 return 0; 448 } 449 450 for (i = 0; i < n; i++) { 451 if (ctx->final[--b] != n) { 452 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); 453 return 0; 454 } 455 } 456 457 n = ctx->cipher->block_size - n; 458 for (i = 0; i < n; i++) { 459 out[i] = ctx->final[i]; 460 } 461 *out_len = n; 462 } else { 463 *out_len = 0; 464 } 465 466 return 1; 467 } 468 469 int EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, 470 size_t in_len) { 471 return ctx->cipher->cipher(ctx, out, in, in_len); 472 } 473 474 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, 475 const uint8_t *in, int in_len) { 476 if (ctx->encrypt) { 477 return EVP_EncryptUpdate(ctx, out, out_len, in, in_len); 478 } else { 479 return EVP_DecryptUpdate(ctx, out, out_len, in, in_len); 480 } 481 } 482 483 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { 484 if (ctx->encrypt) { 485 return EVP_EncryptFinal_ex(ctx, out, out_len); 486 } else { 487 return EVP_DecryptFinal_ex(ctx, out, out_len); 488 } 489 } 490 491 const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) { 492 return ctx->cipher; 493 } 494 495 int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) { 496 return ctx->cipher->nid; 497 } 498 499 int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) { 500 return ctx->encrypt; 501 } 502 503 unsigned EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx) { 504 return ctx->cipher->block_size; 505 } 506 507 unsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) { 508 return ctx->key_len; 509 } 510 511 unsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) { 512 return ctx->cipher->iv_len; 513 } 514 515 void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) { 516 return ctx->app_data; 517 } 518 519 void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data) { 520 ctx->app_data = data; 521 } 522 523 uint32_t EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx) { 524 return ctx->cipher->flags & ~EVP_CIPH_MODE_MASK; 525 } 526 527 uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx) { 528 return ctx->cipher->flags & EVP_CIPH_MODE_MASK; 529 } 530 531 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command, int arg, void *ptr) { 532 int ret; 533 if (!ctx->cipher) { 534 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); 535 return 0; 536 } 537 538 if (!ctx->cipher->ctrl) { 539 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_NOT_IMPLEMENTED); 540 return 0; 541 } 542 543 ret = ctx->cipher->ctrl(ctx, command, arg, ptr); 544 if (ret == -1) { 545 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED); 546 return 0; 547 } 548 549 return ret; 550 } 551 552 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad) { 553 if (pad) { 554 ctx->flags &= ~EVP_CIPH_NO_PADDING; 555 } else { 556 ctx->flags |= EVP_CIPH_NO_PADDING; 557 } 558 return 1; 559 } 560 561 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) { 562 if (c->key_len == key_len) { 563 return 1; 564 } 565 566 if (key_len == 0 || !(c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) { 567 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_KEY_LENGTH); 568 return 0; 569 } 570 571 c->key_len = key_len; 572 return 1; 573 } 574 575 int EVP_CIPHER_nid(const EVP_CIPHER *cipher) { return cipher->nid; } 576 577 unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher) { 578 return cipher->block_size; 579 } 580 581 unsigned EVP_CIPHER_key_length(const EVP_CIPHER *cipher) { 582 return cipher->key_len; 583 } 584 585 unsigned EVP_CIPHER_iv_length(const EVP_CIPHER *cipher) { 586 return cipher->iv_len; 587 } 588 589 uint32_t EVP_CIPHER_flags(const EVP_CIPHER *cipher) { 590 return cipher->flags & ~EVP_CIPH_MODE_MASK; 591 } 592 593 uint32_t EVP_CIPHER_mode(const EVP_CIPHER *cipher) { 594 return cipher->flags & EVP_CIPH_MODE_MASK; 595 } 596 597 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 598 const uint8_t *key, const uint8_t *iv, int enc) { 599 if (cipher) { 600 EVP_CIPHER_CTX_init(ctx); 601 } 602 return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc); 603 } 604 605 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 606 const uint8_t *key, const uint8_t *iv) { 607 return EVP_CipherInit(ctx, cipher, key, iv, 1); 608 } 609 610 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 611 const uint8_t *key, const uint8_t *iv) { 612 return EVP_CipherInit(ctx, cipher, key, iv, 0); 613 } 614 615 int EVP_add_cipher_alias(const char *a, const char *b) { 616 return 1; 617 } 618 619 void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx, uint32_t flags) {} 620