[331] | 1 | /*
|
---|
| 2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include <stdio.h>
|
---|
| 11 | #include <assert.h>
|
---|
| 12 | #include "internal/cryptlib.h"
|
---|
| 13 | #include <openssl/evp.h>
|
---|
| 14 | #include <openssl/err.h>
|
---|
| 15 | #include <openssl/rand.h>
|
---|
| 16 | #include <openssl/engine.h>
|
---|
| 17 | #include "internal/evp_int.h"
|
---|
| 18 | #include "evp_locl.h"
|
---|
| 19 |
|
---|
| 20 | int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
|
---|
| 21 | {
|
---|
| 22 | if (c == NULL)
|
---|
| 23 | return 1;
|
---|
| 24 | if (c->cipher != NULL) {
|
---|
| 25 | if (c->cipher->cleanup && !c->cipher->cleanup(c))
|
---|
| 26 | return 0;
|
---|
| 27 | /* Cleanse cipher context data */
|
---|
| 28 | if (c->cipher_data && c->cipher->ctx_size)
|
---|
| 29 | OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
|
---|
| 30 | }
|
---|
| 31 | OPENSSL_free(c->cipher_data);
|
---|
| 32 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 33 | ENGINE_finish(c->engine);
|
---|
| 34 | #endif
|
---|
| 35 | memset(c, 0, sizeof(*c));
|
---|
| 36 | return 1;
|
---|
| 37 | }
|
---|
| 38 |
|
---|
| 39 | EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
|
---|
| 40 | {
|
---|
| 41 | return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
|
---|
| 42 | }
|
---|
| 43 |
|
---|
| 44 | void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
|
---|
| 45 | {
|
---|
| 46 | EVP_CIPHER_CTX_reset(ctx);
|
---|
| 47 | OPENSSL_free(ctx);
|
---|
| 48 | }
|
---|
| 49 |
|
---|
| 50 | int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
---|
| 51 | const unsigned char *key, const unsigned char *iv, int enc)
|
---|
| 52 | {
|
---|
| 53 | EVP_CIPHER_CTX_reset(ctx);
|
---|
| 54 | return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc);
|
---|
| 55 | }
|
---|
| 56 |
|
---|
| 57 | int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
---|
| 58 | ENGINE *impl, const unsigned char *key,
|
---|
| 59 | const unsigned char *iv, int enc)
|
---|
| 60 | {
|
---|
| 61 | if (enc == -1)
|
---|
| 62 | enc = ctx->encrypt;
|
---|
| 63 | else {
|
---|
| 64 | if (enc)
|
---|
| 65 | enc = 1;
|
---|
| 66 | ctx->encrypt = enc;
|
---|
| 67 | }
|
---|
| 68 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 69 | /*
|
---|
| 70 | * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
|
---|
| 71 | * this context may already have an ENGINE! Try to avoid releasing the
|
---|
| 72 | * previous handle, re-querying for an ENGINE, and having a
|
---|
| 73 | * reinitialisation, when it may all be unnecessary.
|
---|
| 74 | */
|
---|
| 75 | if (ctx->engine && ctx->cipher
|
---|
| 76 | && (cipher == NULL || cipher->nid == ctx->cipher->nid))
|
---|
| 77 | goto skip_to_init;
|
---|
| 78 | #endif
|
---|
| 79 | if (cipher) {
|
---|
| 80 | /*
|
---|
| 81 | * Ensure a context left lying around from last time is cleared (the
|
---|
| 82 | * previous check attempted to avoid this if the same ENGINE and
|
---|
| 83 | * EVP_CIPHER could be used).
|
---|
| 84 | */
|
---|
| 85 | if (ctx->cipher) {
|
---|
| 86 | unsigned long flags = ctx->flags;
|
---|
| 87 | EVP_CIPHER_CTX_reset(ctx);
|
---|
| 88 | /* Restore encrypt and flags */
|
---|
| 89 | ctx->encrypt = enc;
|
---|
| 90 | ctx->flags = flags;
|
---|
| 91 | }
|
---|
| 92 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 93 | if (impl) {
|
---|
| 94 | if (!ENGINE_init(impl)) {
|
---|
| 95 | EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
|
---|
| 96 | return 0;
|
---|
| 97 | }
|
---|
| 98 | } else
|
---|
| 99 | /* Ask if an ENGINE is reserved for this job */
|
---|
| 100 | impl = ENGINE_get_cipher_engine(cipher->nid);
|
---|
| 101 | if (impl) {
|
---|
| 102 | /* There's an ENGINE for this job ... (apparently) */
|
---|
| 103 | const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
|
---|
| 104 | if (!c) {
|
---|
| 105 | /*
|
---|
| 106 | * One positive side-effect of US's export control history,
|
---|
| 107 | * is that we should at least be able to avoid using US
|
---|
| 108 | * misspellings of "initialisation"?
|
---|
| 109 | */
|
---|
| 110 | EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
|
---|
| 111 | return 0;
|
---|
| 112 | }
|
---|
| 113 | /* We'll use the ENGINE's private cipher definition */
|
---|
| 114 | cipher = c;
|
---|
| 115 | /*
|
---|
| 116 | * Store the ENGINE functional reference so we know 'cipher' came
|
---|
| 117 | * from an ENGINE and we need to release it when done.
|
---|
| 118 | */
|
---|
| 119 | ctx->engine = impl;
|
---|
| 120 | } else
|
---|
| 121 | ctx->engine = NULL;
|
---|
| 122 | #endif
|
---|
| 123 |
|
---|
| 124 | ctx->cipher = cipher;
|
---|
| 125 | if (ctx->cipher->ctx_size) {
|
---|
| 126 | ctx->cipher_data = OPENSSL_zalloc(ctx->cipher->ctx_size);
|
---|
| 127 | if (ctx->cipher_data == NULL) {
|
---|
| 128 | ctx->cipher = NULL;
|
---|
| 129 | EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
|
---|
| 130 | return 0;
|
---|
| 131 | }
|
---|
| 132 | } else {
|
---|
| 133 | ctx->cipher_data = NULL;
|
---|
| 134 | }
|
---|
| 135 | ctx->key_len = cipher->key_len;
|
---|
| 136 | /* Preserve wrap enable flag, zero everything else */
|
---|
| 137 | ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
|
---|
| 138 | if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
|
---|
| 139 | if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
|
---|
| 140 | ctx->cipher = NULL;
|
---|
| 141 | EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
|
---|
| 142 | return 0;
|
---|
| 143 | }
|
---|
| 144 | }
|
---|
| 145 | } else if (!ctx->cipher) {
|
---|
| 146 | EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_NO_CIPHER_SET);
|
---|
| 147 | return 0;
|
---|
| 148 | }
|
---|
| 149 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 150 | skip_to_init:
|
---|
| 151 | #endif
|
---|
| 152 | /* we assume block size is a power of 2 in *cryptUpdate */
|
---|
| 153 | OPENSSL_assert(ctx->cipher->block_size == 1
|
---|
| 154 | || ctx->cipher->block_size == 8
|
---|
| 155 | || ctx->cipher->block_size == 16);
|
---|
| 156 |
|
---|
| 157 | if (!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
|
---|
| 158 | && EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE) {
|
---|
| 159 | EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_WRAP_MODE_NOT_ALLOWED);
|
---|
| 160 | return 0;
|
---|
| 161 | }
|
---|
| 162 |
|
---|
| 163 | if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_CUSTOM_IV)) {
|
---|
| 164 | switch (EVP_CIPHER_CTX_mode(ctx)) {
|
---|
| 165 |
|
---|
| 166 | case EVP_CIPH_STREAM_CIPHER:
|
---|
| 167 | case EVP_CIPH_ECB_MODE:
|
---|
| 168 | break;
|
---|
| 169 |
|
---|
| 170 | case EVP_CIPH_CFB_MODE:
|
---|
| 171 | case EVP_CIPH_OFB_MODE:
|
---|
| 172 |
|
---|
| 173 | ctx->num = 0;
|
---|
| 174 | /* fall-through */
|
---|
| 175 |
|
---|
| 176 | case EVP_CIPH_CBC_MODE:
|
---|
| 177 |
|
---|
| 178 | OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <=
|
---|
| 179 | (int)sizeof(ctx->iv));
|
---|
| 180 | if (iv)
|
---|
| 181 | memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));
|
---|
| 182 | memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
|
---|
| 183 | break;
|
---|
| 184 |
|
---|
| 185 | case EVP_CIPH_CTR_MODE:
|
---|
| 186 | ctx->num = 0;
|
---|
| 187 | /* Don't reuse IV for CTR mode */
|
---|
| 188 | if (iv)
|
---|
| 189 | memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
|
---|
| 190 | break;
|
---|
| 191 |
|
---|
| 192 | default:
|
---|
| 193 | return 0;
|
---|
| 194 | }
|
---|
| 195 | }
|
---|
| 196 |
|
---|
| 197 | if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
|
---|
| 198 | if (!ctx->cipher->init(ctx, key, iv, enc))
|
---|
| 199 | return 0;
|
---|
| 200 | }
|
---|
| 201 | ctx->buf_len = 0;
|
---|
| 202 | ctx->final_used = 0;
|
---|
| 203 | ctx->block_mask = ctx->cipher->block_size - 1;
|
---|
| 204 | return 1;
|
---|
| 205 | }
|
---|
| 206 |
|
---|
| 207 | int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
---|
| 208 | const unsigned char *in, int inl)
|
---|
| 209 | {
|
---|
| 210 | if (ctx->encrypt)
|
---|
| 211 | return EVP_EncryptUpdate(ctx, out, outl, in, inl);
|
---|
| 212 | else
|
---|
| 213 | return EVP_DecryptUpdate(ctx, out, outl, in, inl);
|
---|
| 214 | }
|
---|
| 215 |
|
---|
| 216 | int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
---|
| 217 | {
|
---|
| 218 | if (ctx->encrypt)
|
---|
| 219 | return EVP_EncryptFinal_ex(ctx, out, outl);
|
---|
| 220 | else
|
---|
| 221 | return EVP_DecryptFinal_ex(ctx, out, outl);
|
---|
| 222 | }
|
---|
| 223 |
|
---|
| 224 | int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
---|
| 225 | {
|
---|
| 226 | if (ctx->encrypt)
|
---|
| 227 | return EVP_EncryptFinal(ctx, out, outl);
|
---|
| 228 | else
|
---|
| 229 | return EVP_DecryptFinal(ctx, out, outl);
|
---|
| 230 | }
|
---|
| 231 |
|
---|
| 232 | int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
---|
| 233 | const unsigned char *key, const unsigned char *iv)
|
---|
| 234 | {
|
---|
| 235 | return EVP_CipherInit(ctx, cipher, key, iv, 1);
|
---|
| 236 | }
|
---|
| 237 |
|
---|
| 238 | int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
---|
| 239 | ENGINE *impl, const unsigned char *key,
|
---|
| 240 | const unsigned char *iv)
|
---|
| 241 | {
|
---|
| 242 | return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1);
|
---|
| 243 | }
|
---|
| 244 |
|
---|
| 245 | int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
---|
| 246 | const unsigned char *key, const unsigned char *iv)
|
---|
| 247 | {
|
---|
| 248 | return EVP_CipherInit(ctx, cipher, key, iv, 0);
|
---|
| 249 | }
|
---|
| 250 |
|
---|
| 251 | int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
---|
| 252 | ENGINE *impl, const unsigned char *key,
|
---|
| 253 | const unsigned char *iv)
|
---|
| 254 | {
|
---|
| 255 | return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
|
---|
| 256 | }
|
---|
| 257 |
|
---|
| 258 | /*
|
---|
| 259 | * According to the letter of standard difference between pointers
|
---|
| 260 | * is specified to be valid only within same object. This makes
|
---|
| 261 | * it formally challenging to determine if input and output buffers
|
---|
| 262 | * are not partially overlapping with standard pointer arithmetic.
|
---|
| 263 | */
|
---|
| 264 | #ifdef PTRDIFF_T
|
---|
| 265 | # undef PTRDIFF_T
|
---|
| 266 | #endif
|
---|
| 267 | #if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64
|
---|
| 268 | /*
|
---|
| 269 | * Then we have VMS that distinguishes itself by adhering to
|
---|
| 270 | * sizeof(size_t)==4 even in 64-bit builds, which means that
|
---|
| 271 | * difference between two pointers might be truncated to 32 bits.
|
---|
| 272 | * In the context one can even wonder how comparison for
|
---|
| 273 | * equality is implemented. To be on the safe side we adhere to
|
---|
| 274 | * PTRDIFF_T even for comparison for equality.
|
---|
| 275 | */
|
---|
| 276 | # define PTRDIFF_T uint64_t
|
---|
| 277 | #else
|
---|
| 278 | # define PTRDIFF_T size_t
|
---|
| 279 | #endif
|
---|
| 280 |
|
---|
| 281 | int is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
|
---|
| 282 | {
|
---|
| 283 | PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;
|
---|
| 284 | /*
|
---|
| 285 | * Check for partially overlapping buffers. [Binary logical
|
---|
| 286 | * operations are used instead of boolean to minimize number
|
---|
| 287 | * of conditional branches.]
|
---|
| 288 | */
|
---|
| 289 | int overlapped = (len > 0) & (diff != 0) & ((diff < (PTRDIFF_T)len) |
|
---|
| 290 | (diff > (0 - (PTRDIFF_T)len)));
|
---|
| 291 |
|
---|
| 292 | return overlapped;
|
---|
| 293 | }
|
---|
| 294 |
|
---|
| 295 | int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
---|
| 296 | const unsigned char *in, int inl)
|
---|
| 297 | {
|
---|
| 298 | int i, j, bl, cmpl = inl;
|
---|
| 299 |
|
---|
| 300 | if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
|
---|
| 301 | cmpl = (cmpl + 7) / 8;
|
---|
| 302 |
|
---|
| 303 | bl = ctx->cipher->block_size;
|
---|
| 304 |
|
---|
| 305 | if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
|
---|
| 306 | /* If block size > 1 then the cipher will have to do this check */
|
---|
| 307 | if (bl == 1 && is_partially_overlapping(out, in, cmpl)) {
|
---|
| 308 | EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
|
---|
| 309 | return 0;
|
---|
| 310 | }
|
---|
| 311 |
|
---|
| 312 | i = ctx->cipher->do_cipher(ctx, out, in, inl);
|
---|
| 313 | if (i < 0)
|
---|
| 314 | return 0;
|
---|
| 315 | else
|
---|
| 316 | *outl = i;
|
---|
| 317 | return 1;
|
---|
| 318 | }
|
---|
| 319 |
|
---|
| 320 | if (inl <= 0) {
|
---|
| 321 | *outl = 0;
|
---|
| 322 | return inl == 0;
|
---|
| 323 | }
|
---|
| 324 | if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
|
---|
| 325 | EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
|
---|
| 326 | return 0;
|
---|
| 327 | }
|
---|
| 328 |
|
---|
| 329 | if (ctx->buf_len == 0 && (inl & (ctx->block_mask)) == 0) {
|
---|
| 330 | if (ctx->cipher->do_cipher(ctx, out, in, inl)) {
|
---|
| 331 | *outl = inl;
|
---|
| 332 | return 1;
|
---|
| 333 | } else {
|
---|
| 334 | *outl = 0;
|
---|
| 335 | return 0;
|
---|
| 336 | }
|
---|
| 337 | }
|
---|
| 338 | i = ctx->buf_len;
|
---|
| 339 | OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
|
---|
| 340 | if (i != 0) {
|
---|
| 341 | if (bl - i > inl) {
|
---|
| 342 | memcpy(&(ctx->buf[i]), in, inl);
|
---|
| 343 | ctx->buf_len += inl;
|
---|
| 344 | *outl = 0;
|
---|
| 345 | return 1;
|
---|
| 346 | } else {
|
---|
| 347 | j = bl - i;
|
---|
| 348 | memcpy(&(ctx->buf[i]), in, j);
|
---|
| 349 | inl -= j;
|
---|
| 350 | in += j;
|
---|
| 351 | if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl))
|
---|
| 352 | return 0;
|
---|
| 353 | out += bl;
|
---|
| 354 | *outl = bl;
|
---|
| 355 | }
|
---|
| 356 | } else
|
---|
| 357 | *outl = 0;
|
---|
| 358 | i = inl & (bl - 1);
|
---|
| 359 | inl -= i;
|
---|
| 360 | if (inl > 0) {
|
---|
| 361 | if (!ctx->cipher->do_cipher(ctx, out, in, inl))
|
---|
| 362 | return 0;
|
---|
| 363 | *outl += inl;
|
---|
| 364 | }
|
---|
| 365 |
|
---|
| 366 | if (i != 0)
|
---|
| 367 | memcpy(ctx->buf, &(in[inl]), i);
|
---|
| 368 | ctx->buf_len = i;
|
---|
| 369 | return 1;
|
---|
| 370 | }
|
---|
| 371 |
|
---|
| 372 | int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
---|
| 373 | {
|
---|
| 374 | int ret;
|
---|
| 375 | ret = EVP_EncryptFinal_ex(ctx, out, outl);
|
---|
| 376 | return ret;
|
---|
| 377 | }
|
---|
| 378 |
|
---|
| 379 | int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
---|
| 380 | {
|
---|
| 381 | int n, ret;
|
---|
| 382 | unsigned int i, b, bl;
|
---|
| 383 |
|
---|
| 384 | if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
|
---|
| 385 | ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
|
---|
| 386 | if (ret < 0)
|
---|
| 387 | return 0;
|
---|
| 388 | else
|
---|
| 389 | *outl = ret;
|
---|
| 390 | return 1;
|
---|
| 391 | }
|
---|
| 392 |
|
---|
| 393 | b = ctx->cipher->block_size;
|
---|
| 394 | OPENSSL_assert(b <= sizeof ctx->buf);
|
---|
| 395 | if (b == 1) {
|
---|
| 396 | *outl = 0;
|
---|
| 397 | return 1;
|
---|
| 398 | }
|
---|
| 399 | bl = ctx->buf_len;
|
---|
| 400 | if (ctx->flags & EVP_CIPH_NO_PADDING) {
|
---|
| 401 | if (bl) {
|
---|
| 402 | EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX,
|
---|
| 403 | EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
|
---|
| 404 | return 0;
|
---|
| 405 | }
|
---|
| 406 | *outl = 0;
|
---|
| 407 | return 1;
|
---|
| 408 | }
|
---|
| 409 |
|
---|
| 410 | n = b - bl;
|
---|
| 411 | for (i = bl; i < b; i++)
|
---|
| 412 | ctx->buf[i] = n;
|
---|
| 413 | ret = ctx->cipher->do_cipher(ctx, out, ctx->buf, b);
|
---|
| 414 |
|
---|
| 415 | if (ret)
|
---|
| 416 | *outl = b;
|
---|
| 417 |
|
---|
| 418 | return ret;
|
---|
| 419 | }
|
---|
| 420 |
|
---|
| 421 | int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
---|
| 422 | const unsigned char *in, int inl)
|
---|
| 423 | {
|
---|
| 424 | int fix_len, cmpl = inl;
|
---|
| 425 | unsigned int b;
|
---|
| 426 |
|
---|
| 427 | b = ctx->cipher->block_size;
|
---|
| 428 |
|
---|
| 429 | if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
|
---|
| 430 | cmpl = (cmpl + 7) / 8;
|
---|
| 431 |
|
---|
| 432 | if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
|
---|
| 433 | if (b == 1 && is_partially_overlapping(out, in, cmpl)) {
|
---|
| 434 | EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
|
---|
| 435 | return 0;
|
---|
| 436 | }
|
---|
| 437 |
|
---|
| 438 | fix_len = ctx->cipher->do_cipher(ctx, out, in, inl);
|
---|
| 439 | if (fix_len < 0) {
|
---|
| 440 | *outl = 0;
|
---|
| 441 | return 0;
|
---|
| 442 | } else
|
---|
| 443 | *outl = fix_len;
|
---|
| 444 | return 1;
|
---|
| 445 | }
|
---|
| 446 |
|
---|
| 447 | if (inl <= 0) {
|
---|
| 448 | *outl = 0;
|
---|
| 449 | return inl == 0;
|
---|
| 450 | }
|
---|
| 451 |
|
---|
| 452 | if (ctx->flags & EVP_CIPH_NO_PADDING)
|
---|
| 453 | return EVP_EncryptUpdate(ctx, out, outl, in, inl);
|
---|
| 454 |
|
---|
| 455 | OPENSSL_assert(b <= sizeof ctx->final);
|
---|
| 456 |
|
---|
| 457 | if (ctx->final_used) {
|
---|
| 458 | /* see comment about PTRDIFF_T comparison above */
|
---|
| 459 | if (((PTRDIFF_T)out == (PTRDIFF_T)in)
|
---|
| 460 | || is_partially_overlapping(out, in, b)) {
|
---|
| 461 | EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
|
---|
| 462 | return 0;
|
---|
| 463 | }
|
---|
| 464 | memcpy(out, ctx->final, b);
|
---|
| 465 | out += b;
|
---|
| 466 | fix_len = 1;
|
---|
| 467 | } else
|
---|
| 468 | fix_len = 0;
|
---|
| 469 |
|
---|
| 470 | if (!EVP_EncryptUpdate(ctx, out, outl, in, inl))
|
---|
| 471 | return 0;
|
---|
| 472 |
|
---|
| 473 | /*
|
---|
| 474 | * if we have 'decrypted' a multiple of block size, make sure we have a
|
---|
| 475 | * copy of this last block
|
---|
| 476 | */
|
---|
| 477 | if (b > 1 && !ctx->buf_len) {
|
---|
| 478 | *outl -= b;
|
---|
| 479 | ctx->final_used = 1;
|
---|
| 480 | memcpy(ctx->final, &out[*outl], b);
|
---|
| 481 | } else
|
---|
| 482 | ctx->final_used = 0;
|
---|
| 483 |
|
---|
| 484 | if (fix_len)
|
---|
| 485 | *outl += b;
|
---|
| 486 |
|
---|
| 487 | return 1;
|
---|
| 488 | }
|
---|
| 489 |
|
---|
| 490 | int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
---|
| 491 | {
|
---|
| 492 | int ret;
|
---|
| 493 | ret = EVP_DecryptFinal_ex(ctx, out, outl);
|
---|
| 494 | return ret;
|
---|
| 495 | }
|
---|
| 496 |
|
---|
| 497 | int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
---|
| 498 | {
|
---|
| 499 | int i, n;
|
---|
| 500 | unsigned int b;
|
---|
| 501 | *outl = 0;
|
---|
| 502 |
|
---|
| 503 | if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
|
---|
| 504 | i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
|
---|
| 505 | if (i < 0)
|
---|
| 506 | return 0;
|
---|
| 507 | else
|
---|
| 508 | *outl = i;
|
---|
| 509 | return 1;
|
---|
| 510 | }
|
---|
| 511 |
|
---|
| 512 | b = ctx->cipher->block_size;
|
---|
| 513 | if (ctx->flags & EVP_CIPH_NO_PADDING) {
|
---|
| 514 | if (ctx->buf_len) {
|
---|
| 515 | EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,
|
---|
| 516 | EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
|
---|
| 517 | return 0;
|
---|
| 518 | }
|
---|
| 519 | *outl = 0;
|
---|
| 520 | return 1;
|
---|
| 521 | }
|
---|
| 522 | if (b > 1) {
|
---|
| 523 | if (ctx->buf_len || !ctx->final_used) {
|
---|
| 524 | EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_WRONG_FINAL_BLOCK_LENGTH);
|
---|
| 525 | return (0);
|
---|
| 526 | }
|
---|
| 527 | OPENSSL_assert(b <= sizeof ctx->final);
|
---|
| 528 |
|
---|
| 529 | /*
|
---|
| 530 | * The following assumes that the ciphertext has been authenticated.
|
---|
| 531 | * Otherwise it provides a padding oracle.
|
---|
| 532 | */
|
---|
| 533 | n = ctx->final[b - 1];
|
---|
| 534 | if (n == 0 || n > (int)b) {
|
---|
| 535 | EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
|
---|
| 536 | return (0);
|
---|
| 537 | }
|
---|
| 538 | for (i = 0; i < n; i++) {
|
---|
| 539 | if (ctx->final[--b] != n) {
|
---|
| 540 | EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
|
---|
| 541 | return (0);
|
---|
| 542 | }
|
---|
| 543 | }
|
---|
| 544 | n = ctx->cipher->block_size - n;
|
---|
| 545 | for (i = 0; i < n; i++)
|
---|
| 546 | out[i] = ctx->final[i];
|
---|
| 547 | *outl = n;
|
---|
| 548 | } else
|
---|
| 549 | *outl = 0;
|
---|
| 550 | return (1);
|
---|
| 551 | }
|
---|
| 552 |
|
---|
| 553 | int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
|
---|
| 554 | {
|
---|
| 555 | if (c->cipher->flags & EVP_CIPH_CUSTOM_KEY_LENGTH)
|
---|
| 556 | return EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_KEY_LENGTH, keylen, NULL);
|
---|
| 557 | if (c->key_len == keylen)
|
---|
| 558 | return 1;
|
---|
| 559 | if ((keylen > 0) && (c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) {
|
---|
| 560 | c->key_len = keylen;
|
---|
| 561 | return 1;
|
---|
| 562 | }
|
---|
| 563 | EVPerr(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH, EVP_R_INVALID_KEY_LENGTH);
|
---|
| 564 | return 0;
|
---|
| 565 | }
|
---|
| 566 |
|
---|
| 567 | int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
|
---|
| 568 | {
|
---|
| 569 | if (pad)
|
---|
| 570 | ctx->flags &= ~EVP_CIPH_NO_PADDING;
|
---|
| 571 | else
|
---|
| 572 | ctx->flags |= EVP_CIPH_NO_PADDING;
|
---|
| 573 | return 1;
|
---|
| 574 | }
|
---|
| 575 |
|
---|
| 576 | int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
|
---|
| 577 | {
|
---|
| 578 | int ret;
|
---|
| 579 | if (!ctx->cipher) {
|
---|
| 580 | EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET);
|
---|
| 581 | return 0;
|
---|
| 582 | }
|
---|
| 583 |
|
---|
| 584 | if (!ctx->cipher->ctrl) {
|
---|
| 585 | EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_CTRL_NOT_IMPLEMENTED);
|
---|
| 586 | return 0;
|
---|
| 587 | }
|
---|
| 588 |
|
---|
| 589 | ret = ctx->cipher->ctrl(ctx, type, arg, ptr);
|
---|
| 590 | if (ret == -1) {
|
---|
| 591 | EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL,
|
---|
| 592 | EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED);
|
---|
| 593 | return 0;
|
---|
| 594 | }
|
---|
| 595 | return ret;
|
---|
| 596 | }
|
---|
| 597 |
|
---|
| 598 | int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
|
---|
| 599 | {
|
---|
| 600 | if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
|
---|
| 601 | return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
|
---|
| 602 | if (RAND_bytes(key, ctx->key_len) <= 0)
|
---|
| 603 | return 0;
|
---|
| 604 | return 1;
|
---|
| 605 | }
|
---|
| 606 |
|
---|
| 607 | int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
|
---|
| 608 | {
|
---|
| 609 | if ((in == NULL) || (in->cipher == NULL)) {
|
---|
| 610 | EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, EVP_R_INPUT_NOT_INITIALIZED);
|
---|
| 611 | return 0;
|
---|
| 612 | }
|
---|
| 613 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 614 | /* Make sure it's safe to copy a cipher context using an ENGINE */
|
---|
| 615 | if (in->engine && !ENGINE_init(in->engine)) {
|
---|
| 616 | EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_ENGINE_LIB);
|
---|
| 617 | return 0;
|
---|
| 618 | }
|
---|
| 619 | #endif
|
---|
| 620 |
|
---|
| 621 | EVP_CIPHER_CTX_reset(out);
|
---|
| 622 | memcpy(out, in, sizeof(*out));
|
---|
| 623 |
|
---|
| 624 | if (in->cipher_data && in->cipher->ctx_size) {
|
---|
| 625 | out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
|
---|
| 626 | if (out->cipher_data == NULL) {
|
---|
| 627 | out->cipher = NULL;
|
---|
| 628 | EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_MALLOC_FAILURE);
|
---|
| 629 | return 0;
|
---|
| 630 | }
|
---|
| 631 | memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
|
---|
| 632 | }
|
---|
| 633 |
|
---|
| 634 | if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
|
---|
| 635 | if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) {
|
---|
| 636 | out->cipher = NULL;
|
---|
| 637 | EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, EVP_R_INITIALIZATION_ERROR);
|
---|
| 638 | return 0;
|
---|
| 639 | }
|
---|
| 640 | return 1;
|
---|
| 641 | }
|
---|