1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/cipher.h> 58 59 #include <string.h> 60 #include <assert.h> 61 62 #include <openssl/err.h> 63 #include <openssl/mem.h> 64 #include <openssl/obj.h> 65 66 #include "internal.h" 67 68 69 const EVP_CIPHER *EVP_get_cipherbynid(int nid) { 70 switch (nid) { 71 case NID_des_ede3_cbc: 72 return EVP_des_ede3_cbc(); 73 case NID_des_ede_cbc: 74 return EVP_des_cbc(); 75 case NID_aes_128_cbc: 76 return EVP_aes_128_cbc(); 77 case NID_aes_256_cbc: 78 return EVP_aes_256_cbc(); 79 default: 80 return NULL; 81 } 82 } 83 84 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) { 85 memset(ctx, 0, sizeof(EVP_CIPHER_CTX)); 86 } 87 88 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) { 89 EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)); 90 if (ctx) { 91 EVP_CIPHER_CTX_init(ctx); 92 } 93 return ctx; 94 } 95 96 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 97 const unsigned char *key, const unsigned char *iv, int enc) { 98 if (cipher) { 99 EVP_CIPHER_CTX_init(ctx); 100 } 101 return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc); 102 } 103 104 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) { 105 if (c->cipher != NULL && c->cipher->cleanup && !c->cipher->cleanup(c)) { 106 return 0; 107 } 108 109 if (c->cipher_data) { 110 OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size); 111 OPENSSL_free(c->cipher_data); 112 } 113 114 memset(c, 0, sizeof(EVP_CIPHER_CTX)); 115 return 1; 116 } 117 118 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { 119 if (ctx) { 120 EVP_CIPHER_CTX_cleanup(ctx); 121 OPENSSL_free(ctx); 122 } 123 } 124 125 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { 126 if (in == NULL || in->cipher == NULL) { 127 OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_copy, CIPHER_R_INPUT_NOT_INITIALIZED); 128 return 0; 129 } 130 131 EVP_CIPHER_CTX_cleanup(out); 132 memcpy(out, in, sizeof(EVP_CIPHER_CTX)); 133 134 if (in->cipher_data && in->cipher->ctx_size) { 135 out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); 136 if (!out->cipher_data) { 137 OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_copy, ERR_R_MALLOC_FAILURE); 138 return 0; 139 } 140 memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); 141 } 142 143 if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) { 144 return in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out); 145 } 146 147 return 1; 148 } 149 150 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 151 ENGINE *engine, const uint8_t *key, const uint8_t *iv, 152 int enc) { 153 if (enc == -1) { 154 enc = ctx->encrypt; 155 } else { 156 if (enc) { 157 enc = 1; 158 } 159 ctx->encrypt = enc; 160 } 161 162 if (cipher) { 163 /* Ensure a context left from last time is cleared (the previous check 164 * attempted to avoid this if the same ENGINE and EVP_CIPHER could be 165 * used). */ 166 if (ctx->cipher) { 167 EVP_CIPHER_CTX_cleanup(ctx); 168 /* Restore encrypt and flags */ 169 ctx->encrypt = enc; 170 } 171 172 ctx->cipher = cipher; 173 if (ctx->cipher->ctx_size) { 174 ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size); 175 if (!ctx->cipher_data) { 176 OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, ERR_R_MALLOC_FAILURE); 177 return 0; 178 } 179 } else { 180 ctx->cipher_data = NULL; 181 } 182 183 ctx->key_len = cipher->key_len; 184 ctx->flags = 0; 185 186 if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { 187 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { 188 OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_INITIALIZATION_ERROR); 189 return 0; 190 } 191 } 192 } else if (!ctx->cipher) { 193 OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_NO_CIPHER_SET); 194 return 0; 195 } 196 197 /* we assume block size is a power of 2 in *cryptUpdate */ 198 assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || 199 ctx->cipher->block_size == 16); 200 201 if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) { 202 switch (EVP_CIPHER_CTX_mode(ctx)) { 203 case EVP_CIPH_STREAM_CIPHER: 204 case EVP_CIPH_ECB_MODE: 205 break; 206 207 case EVP_CIPH_CFB_MODE: 208 case EVP_CIPH_OFB_MODE: 209 ctx->num = 0; 210 /* fall-through */ 211 212 case EVP_CIPH_CBC_MODE: 213 assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof(ctx->iv)); 214 if (iv) { 215 memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx)); 216 } 217 memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx)); 218 break; 219 220 case EVP_CIPH_CTR_MODE: 221 ctx->num = 0; 222 /* Don't reuse IV for CTR mode */ 223 if (iv) { 224 memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx)); 225 } 226 break; 227 228 default: 229 return 0; 230 } 231 } 232 233 if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { 234 if (!ctx->cipher->init(ctx, key, iv, enc)) { 235 return 0; 236 } 237 } 238 239 ctx->buf_len = 0; 240 ctx->final_used = 0; 241 ctx->block_mask = ctx->cipher->block_size - 1; 242 return 1; 243 } 244 245 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 246 ENGINE *impl, const uint8_t *key, const uint8_t *iv) { 247 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1); 248 } 249 250 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 251 ENGINE *impl, const uint8_t *key, const uint8_t *iv) { 252 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0); 253 } 254 255 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, 256 const uint8_t *in, int in_len) { 257 int i, j, bl; 258 259 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 260 i = ctx->cipher->cipher(ctx, out, in, in_len); 261 if (i < 0) { 262 return 0; 263 } else { 264 *out_len = i; 265 } 266 return 1; 267 } 268 269 if (in_len <= 0) { 270 *out_len = 0; 271 return in_len == 0; 272 } 273 274 if (ctx->buf_len == 0 && (in_len & ctx->block_mask) == 0) { 275 if (ctx->cipher->cipher(ctx, out, in, in_len)) { 276 *out_len = in_len; 277 return 1; 278 } else { 279 *out_len = 0; 280 return 0; 281 } 282 } 283 284 i = ctx->buf_len; 285 bl = ctx->cipher->block_size; 286 assert(bl <= (int)sizeof(ctx->buf)); 287 if (i != 0) { 288 if (i + in_len < bl) { 289 memcpy(&ctx->buf[i], in, in_len); 290 ctx->buf_len += in_len; 291 *out_len = 0; 292 return 1; 293 } else { 294 j = bl - i; 295 memcpy(&ctx->buf[i], in, j); 296 if (!ctx->cipher->cipher(ctx, out, ctx->buf, bl)) { 297 return 0; 298 } 299 in_len -= j; 300 in += j; 301 out += bl; 302 *out_len = bl; 303 } 304 } else { 305 *out_len = 0; 306 } 307 308 i = in_len & ctx->block_mask; 309 in_len -= i; 310 if (in_len > 0) { 311 if (!ctx->cipher->cipher(ctx, out, in, in_len)) { 312 return 0; 313 } 314 *out_len += in_len; 315 } 316 317 if (i != 0) { 318 memcpy(ctx->buf, &in[in_len], i); 319 } 320 ctx->buf_len = i; 321 return 1; 322 } 323 324 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { 325 int n, ret; 326 unsigned int i, b, bl; 327 328 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 329 ret = ctx->cipher->cipher(ctx, out, NULL, 0); 330 if (ret < 0) { 331 return 0; 332 } else { 333 *out_len = ret; 334 } 335 return 1; 336 } 337 338 b = ctx->cipher->block_size; 339 assert(b <= sizeof(ctx->buf)); 340 if (b == 1) { 341 *out_len = 0; 342 return 1; 343 } 344 345 bl = ctx->buf_len; 346 if (ctx->flags & EVP_CIPH_NO_PADDING) { 347 if (bl) { 348 OPENSSL_PUT_ERROR(CIPHER, EVP_EncryptFinal_ex, 349 CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); 350 return 0; 351 } 352 *out_len = 0; 353 return 1; 354 } 355 356 n = b - bl; 357 for (i = bl; i < b; i++) { 358 ctx->buf[i] = n; 359 } 360 ret = ctx->cipher->cipher(ctx, out, ctx->buf, b); 361 362 if (ret) { 363 *out_len = b; 364 } 365 366 return ret; 367 } 368 369 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, 370 const uint8_t *in, int in_len) { 371 int fix_len; 372 unsigned int b; 373 374 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 375 int r = ctx->cipher->cipher(ctx, out, in, in_len); 376 if (r < 0) { 377 *out_len = 0; 378 return 0; 379 } else { 380 *out_len = r; 381 } 382 return 1; 383 } 384 385 if (in_len <= 0) { 386 *out_len = 0; 387 return in_len == 0; 388 } 389 390 if (ctx->flags & EVP_CIPH_NO_PADDING) { 391 return EVP_EncryptUpdate(ctx, out, out_len, in, in_len); 392 } 393 394 b = ctx->cipher->block_size; 395 assert(b <= sizeof(ctx->final)); 396 397 if (ctx->final_used) { 398 memcpy(out, ctx->final, b); 399 out += b; 400 fix_len = 1; 401 } else { 402 fix_len = 0; 403 } 404 405 if (!EVP_EncryptUpdate(ctx, out, out_len, in, in_len)) { 406 return 0; 407 } 408 409 /* if we have 'decrypted' a multiple of block size, make sure 410 * we have a copy of this last block */ 411 if (b > 1 && !ctx->buf_len) { 412 *out_len -= b; 413 ctx->final_used = 1; 414 memcpy(ctx->final, &out[*out_len], b); 415 } else { 416 ctx->final_used = 0; 417 } 418 419 if (fix_len) { 420 *out_len += b; 421 } 422 423 return 1; 424 } 425 426 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { 427 int i, n; 428 unsigned int b; 429 *out_len = 0; 430 431 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { 432 i = ctx->cipher->cipher(ctx, out, NULL, 0); 433 if (i < 0) { 434 return 0; 435 } else { 436 *out_len = i; 437 } 438 return 1; 439 } 440 441 b = ctx->cipher->block_size; 442 if (ctx->flags & EVP_CIPH_NO_PADDING) { 443 if (ctx->buf_len) { 444 OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, 445 CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); 446 return 0; 447 } 448 *out_len = 0; 449 return 1; 450 } 451 452 if (b > 1) { 453 if (ctx->buf_len || !ctx->final_used) { 454 OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, 455 CIPHER_R_WRONG_FINAL_BLOCK_LENGTH); 456 return 0; 457 } 458 assert(b <= sizeof(ctx->final)); 459 460 /* The following assumes that the ciphertext has been authenticated. 461 * Otherwise it provides a padding oracle. */ 462 n = ctx->final[b - 1]; 463 if (n == 0 || n > (int)b) { 464 OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, CIPHER_R_BAD_DECRYPT); 465 return 0; 466 } 467 468 for (i = 0; i < n; i++) { 469 if (ctx->final[--b] != n) { 470 OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, CIPHER_R_BAD_DECRYPT); 471 return 0; 472 } 473 } 474 475 n = ctx->cipher->block_size - n; 476 for (i = 0; i < n; i++) { 477 out[i] = ctx->final[i]; 478 } 479 *out_len = n; 480 } else { 481 *out_len = 0; 482 } 483 484 return 1; 485 } 486 487 int EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, 488 size_t in_len) { 489 return ctx->cipher->cipher(ctx, out, in, in_len); 490 } 491 492 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, 493 const uint8_t *in, int in_len) { 494 if (ctx->encrypt) { 495 return EVP_EncryptUpdate(ctx, out, out_len, in, in_len); 496 } else { 497 return EVP_DecryptUpdate(ctx, out, out_len, in, in_len); 498 } 499 } 500 501 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { 502 if (ctx->encrypt) { 503 return EVP_EncryptFinal_ex(ctx, out, out_len); 504 } else { 505 return EVP_DecryptFinal_ex(ctx, out, out_len); 506 } 507 } 508 509 const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) { 510 return ctx->cipher; 511 } 512 513 int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) { 514 return ctx->cipher->nid; 515 } 516 517 unsigned EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx) { 518 return ctx->cipher->block_size; 519 } 520 521 unsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) { 522 return ctx->key_len; 523 } 524 525 unsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) { 526 return ctx->cipher->iv_len; 527 } 528 529 void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) { 530 return ctx->app_data; 531 } 532 533 void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data) { 534 ctx->app_data = data; 535 } 536 537 uint32_t EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx) { 538 return ctx->cipher->flags & ~EVP_CIPH_MODE_MASK; 539 } 540 541 uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx) { 542 return ctx->cipher->flags & EVP_CIPH_MODE_MASK; 543 } 544 545 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command, int arg, void *ptr) { 546 int ret; 547 if (!ctx->cipher) { 548 OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, CIPHER_R_NO_CIPHER_SET); 549 return 0; 550 } 551 552 if (!ctx->cipher->ctrl) { 553 OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, CIPHER_R_CTRL_NOT_IMPLEMENTED); 554 return 0; 555 } 556 557 ret = ctx->cipher->ctrl(ctx, command, arg, ptr); 558 if (ret == -1) { 559 OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, 560 CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED); 561 return 0; 562 } 563 564 return ret; 565 } 566 567 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad) { 568 if (pad) { 569 ctx->flags &= ~EVP_CIPH_NO_PADDING; 570 } else { 571 ctx->flags |= EVP_CIPH_NO_PADDING; 572 } 573 return 1; 574 } 575 576 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) { 577 if (c->key_len == key_len) { 578 return 1; 579 } 580 581 if (key_len == 0 || !(c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) { 582 OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_set_key_length, 583 CIPHER_R_INVALID_KEY_LENGTH); 584 return 0; 585 } 586 587 c->key_len = key_len; 588 return 1; 589 } 590 591 int EVP_CIPHER_nid(const EVP_CIPHER *cipher) { return cipher->nid; } 592 593 const char *EVP_CIPHER_name(const EVP_CIPHER *cipher) { 594 return OBJ_nid2sn(cipher->nid); 595 } 596 597 unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher) { 598 return cipher->block_size; 599 } 600 601 unsigned EVP_CIPHER_key_length(const EVP_CIPHER *cipher) { 602 return cipher->key_len; 603 } 604 605 unsigned EVP_CIPHER_iv_length(const EVP_CIPHER *cipher) { 606 return cipher->iv_len; 607 } 608 609 uint32_t EVP_CIPHER_flags(const EVP_CIPHER *cipher) { 610 return cipher->flags & ~EVP_CIPH_MODE_MASK; 611 } 612 613 uint32_t EVP_CIPHER_mode(const EVP_CIPHER *cipher) { 614 return cipher->flags & EVP_CIPH_MODE_MASK; 615 } 616
