/src/boringssl/crypto/fipsmodule/cipher/cipher.c.inc
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
2 | | * All rights reserved. |
3 | | * |
4 | | * This package is an SSL implementation written |
5 | | * by Eric Young (eay@cryptsoft.com). |
6 | | * The implementation was written so as to conform with Netscapes SSL. |
7 | | * |
8 | | * This library is free for commercial and non-commercial use as long as |
9 | | * the following conditions are aheared to. The following conditions |
10 | | * apply to all code found in this distribution, be it the RC4, RSA, |
11 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
12 | | * included with this distribution is covered by the same copyright terms |
13 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
14 | | * |
15 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
16 | | * the code are not to be removed. |
17 | | * If this package is used in a product, Eric Young should be given attribution |
18 | | * as the author of the parts of the library used. |
19 | | * This can be in the form of a textual message at program startup or |
20 | | * in documentation (online or textual) provided with the package. |
21 | | * |
22 | | * Redistribution and use in source and binary forms, with or without |
23 | | * modification, are permitted provided that the following conditions |
24 | | * are met: |
25 | | * 1. Redistributions of source code must retain the copyright |
26 | | * notice, this list of conditions and the following disclaimer. |
27 | | * 2. Redistributions in binary form must reproduce the above copyright |
28 | | * notice, this list of conditions and the following disclaimer in the |
29 | | * documentation and/or other materials provided with the distribution. |
30 | | * 3. All advertising materials mentioning features or use of this software |
31 | | * must display the following acknowledgement: |
32 | | * "This product includes cryptographic software written by |
33 | | * Eric Young (eay@cryptsoft.com)" |
34 | | * The word 'cryptographic' can be left out if the rouines from the library |
35 | | * being used are not cryptographic related :-). |
36 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
37 | | * the apps directory (application code) you must include an acknowledgement: |
38 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
39 | | * |
40 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
41 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
42 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
43 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
44 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
45 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
46 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
47 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
48 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
49 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
50 | | * SUCH DAMAGE. |
51 | | * |
52 | | * The licence and distribution terms for any publically available version or |
53 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
54 | | * copied and put under another distribution licence |
55 | | * [including the GNU Public Licence.] */ |
56 | | |
57 | | #include <openssl/cipher.h> |
58 | | |
59 | | #include <assert.h> |
60 | | #include <limits.h> |
61 | | #include <string.h> |
62 | | |
63 | | #include <openssl/err.h> |
64 | | #include <openssl/mem.h> |
65 | | #include <openssl/nid.h> |
66 | | |
67 | | #include "internal.h" |
68 | | #include "../service_indicator/internal.h" |
69 | | #include "../../internal.h" |
70 | | |
71 | | |
72 | 33.6k | void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) { |
73 | 33.6k | OPENSSL_memset(ctx, 0, sizeof(EVP_CIPHER_CTX)); |
74 | 33.6k | } |
75 | | |
76 | 26.4k | EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) { |
77 | 26.4k | EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)); |
78 | 26.4k | if (ctx) { |
79 | 26.4k | EVP_CIPHER_CTX_init(ctx); |
80 | 26.4k | } |
81 | 26.4k | return ctx; |
82 | 26.4k | } |
83 | | |
84 | 63.2k | int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) { |
85 | 63.2k | if (c->cipher != NULL && c->cipher->cleanup) { |
86 | 3.19k | c->cipher->cleanup(c); |
87 | 3.19k | } |
88 | 63.2k | OPENSSL_free(c->cipher_data); |
89 | | |
90 | 63.2k | OPENSSL_memset(c, 0, sizeof(EVP_CIPHER_CTX)); |
91 | 63.2k | return 1; |
92 | 63.2k | } |
93 | | |
94 | 26.4k | void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { |
95 | 26.4k | if (ctx) { |
96 | 26.4k | EVP_CIPHER_CTX_cleanup(ctx); |
97 | 26.4k | OPENSSL_free(ctx); |
98 | 26.4k | } |
99 | 26.4k | } |
100 | | |
101 | 30.9k | int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { |
102 | 30.9k | if (in == NULL || in->cipher == NULL) { |
103 | 1.35k | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INPUT_NOT_INITIALIZED); |
104 | 1.35k | return 0; |
105 | 1.35k | } |
106 | | |
107 | 29.6k | if (in->poisoned) { |
108 | 0 | OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
109 | 0 | return 0; |
110 | 0 | } |
111 | | |
112 | 29.6k | EVP_CIPHER_CTX_cleanup(out); |
113 | 29.6k | OPENSSL_memcpy(out, in, sizeof(EVP_CIPHER_CTX)); |
114 | | |
115 | 29.6k | if (in->cipher_data && in->cipher->ctx_size) { |
116 | 29.6k | out->cipher_data = OPENSSL_memdup(in->cipher_data, in->cipher->ctx_size); |
117 | 29.6k | if (!out->cipher_data) { |
118 | 0 | out->cipher = NULL; |
119 | 0 | return 0; |
120 | 0 | } |
121 | 29.6k | } |
122 | | |
123 | 29.6k | if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) { |
124 | 2.87k | if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) { |
125 | 0 | out->cipher = NULL; |
126 | 0 | return 0; |
127 | 0 | } |
128 | 2.87k | } |
129 | | |
130 | 29.6k | return 1; |
131 | 29.6k | } |
132 | | |
133 | | int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx) { |
134 | | EVP_CIPHER_CTX_cleanup(ctx); |
135 | | EVP_CIPHER_CTX_init(ctx); |
136 | | return 1; |
137 | | } |
138 | | |
139 | | int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, |
140 | | ENGINE *engine, const uint8_t *key, const uint8_t *iv, |
141 | 2.56k | int enc) { |
142 | 2.56k | if (enc == -1) { |
143 | 0 | enc = ctx->encrypt; |
144 | 2.56k | } else { |
145 | 2.56k | if (enc) { |
146 | 1.20k | enc = 1; |
147 | 1.20k | } |
148 | 2.56k | ctx->encrypt = enc; |
149 | 2.56k | } |
150 | | |
151 | 2.56k | if (cipher) { |
152 | | // Ensure a context left from last time is cleared (the previous check |
153 | | // attempted to avoid this if the same ENGINE and EVP_CIPHER could be |
154 | | // used). |
155 | 1.39k | if (ctx->cipher) { |
156 | 0 | EVP_CIPHER_CTX_cleanup(ctx); |
157 | | // Restore encrypt and flags |
158 | 0 | ctx->encrypt = enc; |
159 | 0 | } |
160 | | |
161 | 1.39k | ctx->cipher = cipher; |
162 | 1.39k | if (ctx->cipher->ctx_size) { |
163 | 1.39k | ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size); |
164 | 1.39k | if (!ctx->cipher_data) { |
165 | 0 | ctx->cipher = NULL; |
166 | 0 | return 0; |
167 | 0 | } |
168 | 1.39k | } else { |
169 | 0 | ctx->cipher_data = NULL; |
170 | 0 | } |
171 | | |
172 | 1.39k | ctx->key_len = cipher->key_len; |
173 | 1.39k | ctx->flags = 0; |
174 | | |
175 | 1.39k | if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { |
176 | 457 | if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { |
177 | 0 | ctx->cipher = NULL; |
178 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INITIALIZATION_ERROR); |
179 | 0 | return 0; |
180 | 0 | } |
181 | 457 | } |
182 | 1.39k | } else if (!ctx->cipher) { |
183 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); |
184 | 0 | return 0; |
185 | 0 | } |
186 | | |
187 | | // we assume block size is a power of 2 in *cryptUpdate |
188 | 2.56k | assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || |
189 | 2.56k | ctx->cipher->block_size == 16); |
190 | | |
191 | 2.56k | if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) { |
192 | 2.02k | switch (EVP_CIPHER_CTX_mode(ctx)) { |
193 | 249 | case EVP_CIPH_STREAM_CIPHER: |
194 | 698 | case EVP_CIPH_ECB_MODE: |
195 | 698 | break; |
196 | | |
197 | 0 | case EVP_CIPH_CFB_MODE: |
198 | 0 | ctx->num = 0; |
199 | 0 | OPENSSL_FALLTHROUGH; |
200 | |
|
201 | 599 | case EVP_CIPH_CBC_MODE: |
202 | 599 | assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof(ctx->iv)); |
203 | 599 | if (iv) { |
204 | 327 | OPENSSL_memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx)); |
205 | 327 | } |
206 | 599 | OPENSSL_memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx)); |
207 | 599 | break; |
208 | | |
209 | 314 | case EVP_CIPH_CTR_MODE: |
210 | 730 | case EVP_CIPH_OFB_MODE: |
211 | 730 | ctx->num = 0; |
212 | | // Don't reuse IV for CTR mode |
213 | 730 | if (iv) { |
214 | 352 | OPENSSL_memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx)); |
215 | 352 | } |
216 | 730 | break; |
217 | | |
218 | 0 | default: |
219 | 0 | return 0; |
220 | 2.02k | } |
221 | 2.02k | } |
222 | | |
223 | 2.56k | if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { |
224 | 1.49k | if (!ctx->cipher->init(ctx, key, iv, enc)) { |
225 | 0 | return 0; |
226 | 0 | } |
227 | 1.49k | } |
228 | | |
229 | 2.56k | ctx->buf_len = 0; |
230 | 2.56k | ctx->final_used = 0; |
231 | | // Clear the poisoned flag to permit re-use of a CTX that previously had a |
232 | | // failed operation. |
233 | 2.56k | ctx->poisoned = 0; |
234 | 2.56k | return 1; |
235 | 2.56k | } |
236 | | |
237 | | int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, |
238 | 1.47k | ENGINE *impl, const uint8_t *key, const uint8_t *iv) { |
239 | 1.47k | return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1); |
240 | 1.47k | } |
241 | | |
242 | | int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, |
243 | 1.93k | ENGINE *impl, const uint8_t *key, const uint8_t *iv) { |
244 | 1.93k | return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0); |
245 | 1.93k | } |
246 | | |
247 | | // block_remainder returns the number of bytes to remove from |len| to get a |
248 | | // multiple of |ctx|'s block size. |
249 | 2.52k | static int block_remainder(const EVP_CIPHER_CTX *ctx, int len) { |
250 | | // |block_size| must be a power of two. |
251 | 2.52k | assert(ctx->cipher->block_size != 0); |
252 | 2.52k | assert((ctx->cipher->block_size & (ctx->cipher->block_size - 1)) == 0); |
253 | 2.52k | return len & (ctx->cipher->block_size - 1); |
254 | 2.52k | } |
255 | | |
256 | | int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, |
257 | 10.5k | const uint8_t *in, int in_len) { |
258 | 10.5k | if (ctx->poisoned) { |
259 | 0 | OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
260 | 0 | return 0; |
261 | 0 | } |
262 | | // If the first call to |cipher| succeeds and the second fails, |ctx| may be |
263 | | // left in an indeterminate state. We set a poison flag on failure to ensure |
264 | | // callers do not continue to use the object in that case. |
265 | 10.5k | ctx->poisoned = 1; |
266 | | |
267 | | // Ciphers that use blocks may write up to |bl| extra bytes. Ensure the output |
268 | | // does not overflow |*out_len|. |
269 | 10.5k | int bl = ctx->cipher->block_size; |
270 | 10.5k | if (bl > 1 && in_len > INT_MAX - bl) { |
271 | 0 | OPENSSL_PUT_ERROR(CIPHER, ERR_R_OVERFLOW); |
272 | 0 | return 0; |
273 | 0 | } |
274 | | |
275 | 10.5k | if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { |
276 | 404 | int ret = ctx->cipher->cipher(ctx, out, in, in_len); |
277 | 404 | if (ret < 0) { |
278 | 3 | return 0; |
279 | 401 | } else { |
280 | 401 | *out_len = ret; |
281 | 401 | } |
282 | 401 | ctx->poisoned = 0; |
283 | 401 | return 1; |
284 | 404 | } |
285 | | |
286 | 10.1k | if (in_len <= 0) { |
287 | 7.40k | *out_len = 0; |
288 | 7.40k | if (in_len == 0) { |
289 | 7.40k | ctx->poisoned = 0; |
290 | 7.40k | return 1; |
291 | 7.40k | } |
292 | 0 | return 0; |
293 | 7.40k | } |
294 | | |
295 | 2.78k | if (ctx->buf_len == 0 && block_remainder(ctx, in_len) == 0) { |
296 | 1.66k | if (ctx->cipher->cipher(ctx, out, in, in_len)) { |
297 | 1.66k | *out_len = in_len; |
298 | 1.66k | ctx->poisoned = 0; |
299 | 1.66k | return 1; |
300 | 1.66k | } else { |
301 | 0 | *out_len = 0; |
302 | 0 | return 0; |
303 | 0 | } |
304 | 1.66k | } |
305 | | |
306 | 1.12k | int i = ctx->buf_len; |
307 | 1.12k | assert(bl <= (int)sizeof(ctx->buf)); |
308 | 1.12k | if (i != 0) { |
309 | 859 | if (bl - i > in_len) { |
310 | 528 | OPENSSL_memcpy(&ctx->buf[i], in, in_len); |
311 | 528 | ctx->buf_len += in_len; |
312 | 528 | *out_len = 0; |
313 | 528 | ctx->poisoned = 0; |
314 | 528 | return 1; |
315 | 528 | } else { |
316 | 331 | int j = bl - i; |
317 | 331 | OPENSSL_memcpy(&ctx->buf[i], in, j); |
318 | 331 | if (!ctx->cipher->cipher(ctx, out, ctx->buf, bl)) { |
319 | 0 | return 0; |
320 | 0 | } |
321 | 331 | in_len -= j; |
322 | 331 | in += j; |
323 | 331 | out += bl; |
324 | 331 | *out_len = bl; |
325 | 331 | } |
326 | 859 | } else { |
327 | 266 | *out_len = 0; |
328 | 266 | } |
329 | | |
330 | 597 | i = block_remainder(ctx, in_len); |
331 | 597 | in_len -= i; |
332 | 597 | if (in_len > 0) { |
333 | 202 | if (!ctx->cipher->cipher(ctx, out, in, in_len)) { |
334 | 0 | return 0; |
335 | 0 | } |
336 | 202 | *out_len += in_len; |
337 | 202 | } |
338 | | |
339 | 597 | if (i != 0) { |
340 | 462 | OPENSSL_memcpy(ctx->buf, &in[in_len], i); |
341 | 462 | } |
342 | 597 | ctx->buf_len = i; |
343 | 597 | ctx->poisoned = 0; |
344 | 597 | return 1; |
345 | 597 | } |
346 | | |
347 | 377 | int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { |
348 | 377 | int n; |
349 | 377 | unsigned int i, b, bl; |
350 | | |
351 | 377 | if (ctx->poisoned) { |
352 | 0 | OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
353 | 0 | return 0; |
354 | 0 | } |
355 | | |
356 | 377 | if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { |
357 | | // When EVP_CIPH_FLAG_CUSTOM_CIPHER is set, the return value of |cipher| is |
358 | | // the number of bytes written, or -1 on error. Otherwise the return value |
359 | | // is one on success and zero on error. |
360 | 146 | const int num_bytes = ctx->cipher->cipher(ctx, out, NULL, 0); |
361 | 146 | if (num_bytes < 0) { |
362 | 1 | return 0; |
363 | 1 | } |
364 | 145 | *out_len = num_bytes; |
365 | 145 | goto out; |
366 | 146 | } |
367 | | |
368 | 231 | b = ctx->cipher->block_size; |
369 | 231 | assert(b <= sizeof(ctx->buf)); |
370 | 231 | if (b == 1) { |
371 | 170 | *out_len = 0; |
372 | 170 | goto out; |
373 | 170 | } |
374 | | |
375 | 61 | bl = ctx->buf_len; |
376 | 61 | if (ctx->flags & EVP_CIPH_NO_PADDING) { |
377 | 2 | if (bl) { |
378 | 2 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); |
379 | 2 | return 0; |
380 | 2 | } |
381 | 0 | *out_len = 0; |
382 | 0 | goto out; |
383 | 2 | } |
384 | | |
385 | 59 | n = b - bl; |
386 | 451 | for (i = bl; i < b; i++) { |
387 | 392 | ctx->buf[i] = n; |
388 | 392 | } |
389 | 59 | if (!ctx->cipher->cipher(ctx, out, ctx->buf, b)) { |
390 | 0 | return 0; |
391 | 0 | } |
392 | 59 | *out_len = b; |
393 | | |
394 | 374 | out: |
395 | 374 | EVP_Cipher_verify_service_indicator(ctx); |
396 | 374 | return 1; |
397 | 59 | } |
398 | | |
399 | | int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, |
400 | 9.38k | const uint8_t *in, int in_len) { |
401 | 9.38k | if (ctx->poisoned) { |
402 | 0 | OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
403 | 0 | return 0; |
404 | 0 | } |
405 | | |
406 | | // Ciphers that use blocks may write up to |bl| extra bytes. Ensure the output |
407 | | // does not overflow |*out_len|. |
408 | 9.38k | unsigned int b = ctx->cipher->block_size; |
409 | 9.38k | if (b > 1 && in_len > INT_MAX - (int)b) { |
410 | 0 | OPENSSL_PUT_ERROR(CIPHER, ERR_R_OVERFLOW); |
411 | 0 | return 0; |
412 | 0 | } |
413 | | |
414 | 9.38k | if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { |
415 | 1.33k | int r = ctx->cipher->cipher(ctx, out, in, in_len); |
416 | 1.33k | if (r < 0) { |
417 | 2 | *out_len = 0; |
418 | 2 | return 0; |
419 | 1.33k | } else { |
420 | 1.33k | *out_len = r; |
421 | 1.33k | } |
422 | 1.33k | return 1; |
423 | 1.33k | } |
424 | | |
425 | 8.04k | if (in_len <= 0) { |
426 | 6.45k | *out_len = 0; |
427 | 6.45k | return in_len == 0; |
428 | 6.45k | } |
429 | | |
430 | 1.58k | if (ctx->flags & EVP_CIPH_NO_PADDING) { |
431 | 417 | return EVP_EncryptUpdate(ctx, out, out_len, in, in_len); |
432 | 417 | } |
433 | | |
434 | 1.17k | assert(b <= sizeof(ctx->final)); |
435 | 1.17k | int fix_len = 0; |
436 | 1.17k | if (ctx->final_used) { |
437 | 21 | OPENSSL_memcpy(out, ctx->final, b); |
438 | 21 | out += b; |
439 | 21 | fix_len = 1; |
440 | 21 | } |
441 | | |
442 | 1.17k | if (!EVP_EncryptUpdate(ctx, out, out_len, in, in_len)) { |
443 | 0 | return 0; |
444 | 0 | } |
445 | | |
446 | | // if we have 'decrypted' a multiple of block size, make sure |
447 | | // we have a copy of this last block |
448 | 1.17k | if (b > 1 && !ctx->buf_len) { |
449 | 153 | *out_len -= b; |
450 | 153 | ctx->final_used = 1; |
451 | 153 | OPENSSL_memcpy(ctx->final, &out[*out_len], b); |
452 | 1.01k | } else { |
453 | 1.01k | ctx->final_used = 0; |
454 | 1.01k | } |
455 | | |
456 | 1.17k | if (fix_len) { |
457 | 21 | *out_len += b; |
458 | 21 | } |
459 | | |
460 | 1.17k | return 1; |
461 | 1.17k | } |
462 | | |
463 | 628 | int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) { |
464 | 628 | int i, n; |
465 | 628 | unsigned int b; |
466 | 628 | *out_len = 0; |
467 | | |
468 | 628 | if (ctx->poisoned) { |
469 | 0 | OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
470 | 0 | return 0; |
471 | 0 | } |
472 | | |
473 | 628 | if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { |
474 | 64 | i = ctx->cipher->cipher(ctx, out, NULL, 0); |
475 | 64 | if (i < 0) { |
476 | 62 | return 0; |
477 | 62 | } else { |
478 | 2 | *out_len = i; |
479 | 2 | } |
480 | 2 | goto out; |
481 | 64 | } |
482 | | |
483 | 564 | b = ctx->cipher->block_size; |
484 | 564 | if (ctx->flags & EVP_CIPH_NO_PADDING) { |
485 | 100 | if (ctx->buf_len) { |
486 | 49 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); |
487 | 49 | return 0; |
488 | 49 | } |
489 | 51 | *out_len = 0; |
490 | 51 | goto out; |
491 | 100 | } |
492 | | |
493 | 464 | if (b > 1) { |
494 | 192 | if (ctx->buf_len || !ctx->final_used) { |
495 | 60 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_WRONG_FINAL_BLOCK_LENGTH); |
496 | 60 | return 0; |
497 | 60 | } |
498 | 132 | assert(b <= sizeof(ctx->final)); |
499 | | |
500 | | // The following assumes that the ciphertext has been authenticated. |
501 | | // Otherwise it provides a padding oracle. |
502 | 132 | n = ctx->final[b - 1]; |
503 | 132 | if (n == 0 || n > (int)b) { |
504 | 41 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
505 | 41 | return 0; |
506 | 41 | } |
507 | | |
508 | 515 | for (i = 0; i < n; i++) { |
509 | 440 | if (ctx->final[--b] != n) { |
510 | 16 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
511 | 16 | return 0; |
512 | 16 | } |
513 | 440 | } |
514 | | |
515 | 75 | n = ctx->cipher->block_size - n; |
516 | 427 | for (i = 0; i < n; i++) { |
517 | 352 | out[i] = ctx->final[i]; |
518 | 352 | } |
519 | 75 | *out_len = n; |
520 | 272 | } else { |
521 | 272 | *out_len = 0; |
522 | 272 | } |
523 | | |
524 | 400 | out: |
525 | 400 | EVP_Cipher_verify_service_indicator(ctx); |
526 | 400 | return 1; |
527 | 464 | } |
528 | | |
529 | | int EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, |
530 | 3.50k | size_t in_len) { |
531 | 3.50k | const int ret = ctx->cipher->cipher(ctx, out, in, in_len); |
532 | | |
533 | | // |EVP_CIPH_FLAG_CUSTOM_CIPHER| never sets the FIPS indicator via |
534 | | // |EVP_Cipher| because it's complicated whether the operation has completed |
535 | | // or not. E.g. AES-GCM with a non-NULL |in| argument hasn't completed an |
536 | | // operation. Callers should use the |EVP_AEAD| API or, at least, |
537 | | // |EVP_CipherUpdate| etc. |
538 | | // |
539 | | // This call can't be pushed into |EVP_Cipher_verify_service_indicator| |
540 | | // because whether |ret| indicates success or not depends on whether |
541 | | // |EVP_CIPH_FLAG_CUSTOM_CIPHER| is set. (This unreasonable, but matches |
542 | | // OpenSSL.) |
543 | 3.50k | if (!(ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) && ret) { |
544 | 3.50k | EVP_Cipher_verify_service_indicator(ctx); |
545 | 3.50k | } |
546 | | |
547 | 3.50k | return ret; |
548 | 3.50k | } |
549 | | |
550 | | int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, |
551 | 252k | const uint8_t *in, int in_len) { |
552 | 252k | if (ctx->encrypt) { |
553 | 252k | return EVP_EncryptUpdate(ctx, out, out_len, in, in_len); |
554 | 252k | } else { |
555 | 4 | return EVP_DecryptUpdate(ctx, out, out_len, in, in_len); |
556 | 4 | } |
557 | 252k | } |
558 | | |
559 | 3 | int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { |
560 | 3 | if (ctx->encrypt) { |
561 | 0 | return EVP_EncryptFinal_ex(ctx, out, out_len); |
562 | 3 | } else { |
563 | 3 | return EVP_DecryptFinal_ex(ctx, out, out_len); |
564 | 3 | } |
565 | 3 | } |
566 | | |
567 | 0 | const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) { |
568 | 0 | return ctx->cipher; |
569 | 0 | } |
570 | | |
571 | 0 | int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) { |
572 | 0 | return ctx->cipher->nid; |
573 | 0 | } |
574 | | |
575 | 0 | int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) { |
576 | 0 | return ctx->encrypt; |
577 | 0 | } |
578 | | |
579 | 6.67k | unsigned EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx) { |
580 | 6.67k | return ctx->cipher->block_size; |
581 | 6.67k | } |
582 | | |
583 | 382 | unsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) { |
584 | 382 | return ctx->key_len; |
585 | 382 | } |
586 | | |
587 | 1.87k | unsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) { |
588 | 1.87k | if (EVP_CIPHER_mode(ctx->cipher) == EVP_CIPH_GCM_MODE) { |
589 | 0 | int length; |
590 | 0 | int res = EVP_CIPHER_CTX_ctrl((EVP_CIPHER_CTX *)ctx, EVP_CTRL_GET_IVLEN, 0, |
591 | 0 | &length); |
592 | | // EVP_CIPHER_CTX_ctrl returning an error should be impossible under this |
593 | | // circumstance. If it somehow did, fallback to the static cipher iv_len. |
594 | 0 | if (res == 1) { |
595 | 0 | return length; |
596 | 0 | } |
597 | 0 | } |
598 | 1.87k | return ctx->cipher->iv_len; |
599 | 1.87k | } |
600 | | |
601 | 0 | void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) { |
602 | 0 | return ctx->app_data; |
603 | 0 | } |
604 | | |
605 | 0 | void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data) { |
606 | 0 | ctx->app_data = data; |
607 | 0 | } |
608 | | |
609 | 2.56k | uint32_t EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx) { |
610 | 2.56k | return ctx->cipher->flags & ~EVP_CIPH_MODE_MASK; |
611 | 2.56k | } |
612 | | |
613 | 2.02k | uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx) { |
614 | 2.02k | return ctx->cipher->flags & EVP_CIPH_MODE_MASK; |
615 | 2.02k | } |
616 | | |
617 | 880 | int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command, int arg, void *ptr) { |
618 | 880 | int ret; |
619 | 880 | if (!ctx->cipher) { |
620 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET); |
621 | 0 | return 0; |
622 | 0 | } |
623 | | |
624 | 880 | if (!ctx->cipher->ctrl) { |
625 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_NOT_IMPLEMENTED); |
626 | 0 | return 0; |
627 | 0 | } |
628 | | |
629 | 880 | ret = ctx->cipher->ctrl(ctx, command, arg, ptr); |
630 | 880 | if (ret == -1) { |
631 | 0 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED); |
632 | 0 | return 0; |
633 | 0 | } |
634 | | |
635 | 880 | return ret; |
636 | 880 | } |
637 | | |
638 | 102 | int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad) { |
639 | 102 | if (pad) { |
640 | 0 | ctx->flags &= ~EVP_CIPH_NO_PADDING; |
641 | 102 | } else { |
642 | 102 | ctx->flags |= EVP_CIPH_NO_PADDING; |
643 | 102 | } |
644 | 102 | return 1; |
645 | 102 | } |
646 | | |
647 | 303 | int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) { |
648 | 303 | if (c->key_len == key_len) { |
649 | 0 | return 1; |
650 | 0 | } |
651 | | |
652 | 303 | if (key_len == 0 || !(c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) { |
653 | 110 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_KEY_LENGTH); |
654 | 110 | return 0; |
655 | 110 | } |
656 | | |
657 | 193 | c->key_len = key_len; |
658 | 193 | return 1; |
659 | 303 | } |
660 | | |
661 | 0 | int EVP_CIPHER_nid(const EVP_CIPHER *cipher) { return cipher->nid; } |
662 | | |
663 | 19.5k | unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher) { |
664 | 19.5k | return cipher->block_size; |
665 | 19.5k | } |
666 | | |
667 | 1.33k | unsigned EVP_CIPHER_key_length(const EVP_CIPHER *cipher) { |
668 | 1.33k | return cipher->key_len; |
669 | 1.33k | } |
670 | | |
671 | 1.24k | unsigned EVP_CIPHER_iv_length(const EVP_CIPHER *cipher) { |
672 | 1.24k | return cipher->iv_len; |
673 | 1.24k | } |
674 | | |
675 | 1.57k | uint32_t EVP_CIPHER_flags(const EVP_CIPHER *cipher) { |
676 | 1.57k | return cipher->flags & ~EVP_CIPH_MODE_MASK; |
677 | 1.57k | } |
678 | | |
679 | 1.87k | uint32_t EVP_CIPHER_mode(const EVP_CIPHER *cipher) { |
680 | 1.87k | return cipher->flags & EVP_CIPH_MODE_MASK; |
681 | 1.87k | } |
682 | | |
683 | | int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, |
684 | 0 | const uint8_t *key, const uint8_t *iv, int enc) { |
685 | 0 | if (cipher) { |
686 | 0 | EVP_CIPHER_CTX_init(ctx); |
687 | 0 | } |
688 | 0 | return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc); |
689 | 0 | } |
690 | | |
691 | | int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, |
692 | 0 | const uint8_t *key, const uint8_t *iv) { |
693 | 0 | return EVP_CipherInit(ctx, cipher, key, iv, 1); |
694 | 0 | } |
695 | | |
696 | | int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, |
697 | 0 | const uint8_t *key, const uint8_t *iv) { |
698 | 0 | return EVP_CipherInit(ctx, cipher, key, iv, 0); |
699 | 0 | } |
700 | | |
701 | 0 | int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { |
702 | 0 | return EVP_CipherFinal_ex(ctx, out, out_len); |
703 | 0 | } |
704 | | |
705 | 0 | int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { |
706 | 0 | return EVP_EncryptFinal_ex(ctx, out, out_len); |
707 | 0 | } |
708 | | |
709 | 0 | int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { |
710 | 0 | return EVP_DecryptFinal_ex(ctx, out, out_len); |
711 | 0 | } |
712 | | |
713 | 0 | int EVP_add_cipher_alias(const char *a, const char *b) { |
714 | 0 | return 1; |
715 | 0 | } |
716 | | |
717 | 0 | void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx, uint32_t flags) {} |