Coverage Report

Created: 2024-11-21 07:03

/src/libgcrypt/cipher/cipher.c
Line
Count
Source (jump to first uncovered line)
1
/* cipher.c  -  cipher dispatcher
2
 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003
3
 *               2005, 2007, 2008, 2009, 2011 Free Software Foundation, Inc.
4
 * Copyright (C) 2013 g10 Code GmbH
5
 *
6
 * This file is part of Libgcrypt.
7
 *
8
 * Libgcrypt is free software; you can redistribute it and/or modify
9
 * it under the terms of the GNU Lesser General Public License as
10
 * published by the Free Software Foundation; either version 2.1 of
11
 * the License, or (at your option) any later version.
12
 *
13
 * Libgcrypt is distributed in the hope that it will be useful,
14
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16
 * GNU Lesser General Public License for more details.
17
 *
18
 * You should have received a copy of the GNU Lesser General Public
19
 * License along with this program; if not, see <http://www.gnu.org/licenses/>.
20
 */
21
22
#include <config.h>
23
#include <stdio.h>
24
#include <stdlib.h>
25
#include <string.h>
26
#include <errno.h>
27
28
#include "g10lib.h"
29
#include "../src/gcrypt-testapi.h"
30
#include "cipher.h"
31
#include "./cipher-internal.h"
32
33
34
/* This is the list of the default ciphers, which are included in
35
   libgcrypt.  */
36
static gcry_cipher_spec_t * const cipher_list[] =
37
  {
38
#if USE_BLOWFISH
39
     &_gcry_cipher_spec_blowfish,
40
#endif
41
#if USE_DES
42
     &_gcry_cipher_spec_des,
43
     &_gcry_cipher_spec_tripledes,
44
#endif
45
#if USE_ARCFOUR
46
     &_gcry_cipher_spec_arcfour,
47
#endif
48
#if USE_CAST5
49
     &_gcry_cipher_spec_cast5,
50
#endif
51
#if USE_AES
52
     &_gcry_cipher_spec_aes,
53
     &_gcry_cipher_spec_aes192,
54
     &_gcry_cipher_spec_aes256,
55
#endif
56
#if USE_TWOFISH
57
     &_gcry_cipher_spec_twofish,
58
     &_gcry_cipher_spec_twofish128,
59
#endif
60
#if USE_SERPENT
61
     &_gcry_cipher_spec_serpent128,
62
     &_gcry_cipher_spec_serpent192,
63
     &_gcry_cipher_spec_serpent256,
64
#endif
65
#if USE_RFC2268
66
     &_gcry_cipher_spec_rfc2268_40,
67
     &_gcry_cipher_spec_rfc2268_128,
68
#endif
69
#if USE_SEED
70
     &_gcry_cipher_spec_seed,
71
#endif
72
#if USE_CAMELLIA
73
     &_gcry_cipher_spec_camellia128,
74
     &_gcry_cipher_spec_camellia192,
75
     &_gcry_cipher_spec_camellia256,
76
#endif
77
#if USE_IDEA
78
     &_gcry_cipher_spec_idea,
79
#endif
80
#if USE_SALSA20
81
     &_gcry_cipher_spec_salsa20,
82
     &_gcry_cipher_spec_salsa20r12,
83
#endif
84
#if USE_GOST28147
85
     &_gcry_cipher_spec_gost28147,
86
     &_gcry_cipher_spec_gost28147_mesh,
87
#endif
88
#if USE_CHACHA20
89
     &_gcry_cipher_spec_chacha20,
90
#endif
91
#if USE_SM4
92
     &_gcry_cipher_spec_sm4,
93
#endif
94
#if USE_ARIA
95
     &_gcry_cipher_spec_aria128,
96
     &_gcry_cipher_spec_aria192,
97
     &_gcry_cipher_spec_aria256,
98
#endif
99
     NULL
100
  };
101
102
/* Cipher implementations starting with index 0 (enum gcry_cipher_algos) */
103
static gcry_cipher_spec_t * const cipher_list_algo0[] =
104
  {
105
    NULL, /* GCRY_CIPHER_NONE */
106
#if USE_IDEA
107
    &_gcry_cipher_spec_idea,
108
#else
109
    NULL,
110
#endif
111
#if USE_DES
112
    &_gcry_cipher_spec_tripledes,
113
#else
114
    NULL,
115
#endif
116
#if USE_CAST5
117
    &_gcry_cipher_spec_cast5,
118
#else
119
    NULL,
120
#endif
121
#if USE_BLOWFISH
122
    &_gcry_cipher_spec_blowfish,
123
#else
124
    NULL,
125
#endif
126
    NULL, /* GCRY_CIPHER_SAFER_SK128 */
127
    NULL, /* GCRY_CIPHER_DES_SK */
128
#if USE_AES
129
    &_gcry_cipher_spec_aes,
130
    &_gcry_cipher_spec_aes192,
131
    &_gcry_cipher_spec_aes256,
132
#else
133
    NULL,
134
    NULL,
135
    NULL,
136
#endif
137
#if USE_TWOFISH
138
    &_gcry_cipher_spec_twofish
139
#else
140
    NULL
141
#endif
142
  };
143
144
/* Cipher implementations starting with index 301 (enum gcry_cipher_algos) */
145
static gcry_cipher_spec_t * const cipher_list_algo301[] =
146
  {
147
#if USE_ARCFOUR
148
    &_gcry_cipher_spec_arcfour,
149
#else
150
    NULL,
151
#endif
152
#if USE_DES
153
    &_gcry_cipher_spec_des,
154
#else
155
    NULL,
156
#endif
157
#if USE_TWOFISH
158
    &_gcry_cipher_spec_twofish128,
159
#else
160
    NULL,
161
#endif
162
#if USE_SERPENT
163
    &_gcry_cipher_spec_serpent128,
164
    &_gcry_cipher_spec_serpent192,
165
    &_gcry_cipher_spec_serpent256,
166
#else
167
    NULL,
168
    NULL,
169
    NULL,
170
#endif
171
#if USE_RFC2268
172
    &_gcry_cipher_spec_rfc2268_40,
173
    &_gcry_cipher_spec_rfc2268_128,
174
#else
175
    NULL,
176
    NULL,
177
#endif
178
#if USE_SEED
179
    &_gcry_cipher_spec_seed,
180
#else
181
    NULL,
182
#endif
183
#if USE_CAMELLIA
184
    &_gcry_cipher_spec_camellia128,
185
    &_gcry_cipher_spec_camellia192,
186
    &_gcry_cipher_spec_camellia256,
187
#else
188
    NULL,
189
    NULL,
190
    NULL,
191
#endif
192
#if USE_SALSA20
193
    &_gcry_cipher_spec_salsa20,
194
    &_gcry_cipher_spec_salsa20r12,
195
#else
196
    NULL,
197
    NULL,
198
#endif
199
#if USE_GOST28147
200
    &_gcry_cipher_spec_gost28147,
201
#else
202
    NULL,
203
#endif
204
#if USE_CHACHA20
205
    &_gcry_cipher_spec_chacha20,
206
#else
207
    NULL,
208
#endif
209
#if USE_GOST28147
210
    &_gcry_cipher_spec_gost28147_mesh,
211
#else
212
    NULL,
213
#endif
214
#if USE_SM4
215
    &_gcry_cipher_spec_sm4,
216
#else
217
    NULL,
218
#endif
219
#if USE_ARIA
220
    &_gcry_cipher_spec_aria128,
221
    &_gcry_cipher_spec_aria192,
222
    &_gcry_cipher_spec_aria256
223
#else
224
    NULL,
225
    NULL,
226
    NULL
227
#endif
228
  };
229
230
231
static void _gcry_cipher_setup_mode_ops(gcry_cipher_hd_t c, int mode);
232
233

234
static int
235
map_algo (int algo)
236
2.44k
{
237
2.44k
  return algo;
238
2.44k
}
239
240
241
/* Return the spec structure for the cipher algorithm ALGO.  For
242
   an unknown algorithm NULL is returned.  */
243
static gcry_cipher_spec_t *
244
spec_from_algo (int algo)
245
2.44k
{
246
2.44k
  gcry_cipher_spec_t *spec = NULL;
247
248
2.44k
  algo = map_algo (algo);
249
250
2.44k
  if (algo >= 0 && algo < DIM(cipher_list_algo0))
251
1.44k
    spec = cipher_list_algo0[algo];
252
998
  else if (algo >= 301 && algo < 301 + DIM(cipher_list_algo301))
253
998
    spec = cipher_list_algo301[algo - 301];
254
255
2.44k
  if (spec)
256
2.44k
    gcry_assert (spec->algo == algo);
257
258
0
  return spec;
259
2.44k
}
260
261
262
/* Lookup a cipher's spec by its name.  */
263
static gcry_cipher_spec_t *
264
spec_from_name (const char *name)
265
0
{
266
0
  gcry_cipher_spec_t *spec;
267
0
  int idx;
268
0
  const char **aliases;
269
270
0
  for (idx=0; (spec = cipher_list[idx]); idx++)
271
0
    {
272
0
      if (!stricmp (name, spec->name))
273
0
        return spec;
274
0
      if (spec->aliases)
275
0
        {
276
0
          for (aliases = spec->aliases; *aliases; aliases++)
277
0
            if (!stricmp (name, *aliases))
278
0
              return spec;
279
0
        }
280
0
    }
281
282
0
  return NULL;
283
0
}
284
285
286
/* Lookup a cipher's spec by its OID.  */
287
static gcry_cipher_spec_t *
288
spec_from_oid (const char *oid)
289
0
{
290
0
  gcry_cipher_spec_t *spec;
291
0
  const gcry_cipher_oid_spec_t *oid_specs;
292
0
  int idx, j;
293
294
0
  for (idx=0; (spec = cipher_list[idx]); idx++)
295
0
    {
296
0
      oid_specs = spec->oids;
297
0
      if (oid_specs)
298
0
        {
299
0
          for (j = 0; oid_specs[j].oid; j++)
300
0
            if (!stricmp (oid, oid_specs[j].oid))
301
0
              return spec;
302
0
        }
303
0
    }
304
305
0
  return NULL;
306
0
}
307
308
309
/* Locate the OID in the oid table and return the spec or NULL if not
310
   found.  An optional "oid." or "OID." prefix in OID is ignored, the
311
   OID is expected to be in standard IETF dotted notation.  A pointer
312
   to the OID specification of the module implementing this algorithm
313
   is return in OID_SPEC unless passed as NULL.*/
314
static gcry_cipher_spec_t *
315
search_oid (const char *oid, gcry_cipher_oid_spec_t *oid_spec)
316
0
{
317
0
  gcry_cipher_spec_t *spec;
318
0
  int i;
319
320
0
  if (!oid)
321
0
    return NULL;
322
323
0
  if (!strncmp (oid, "oid.", 4) || !strncmp (oid, "OID.", 4))
324
0
    oid += 4;
325
326
0
  spec = spec_from_oid (oid);
327
0
  if (spec && spec->oids)
328
0
    {
329
0
      for (i = 0; spec->oids[i].oid; i++)
330
0
  if (!stricmp (oid, spec->oids[i].oid))
331
0
    {
332
0
      if (oid_spec)
333
0
        *oid_spec = spec->oids[i];
334
0
            return spec;
335
0
    }
336
0
    }
337
338
0
  return NULL;
339
0
}
340
341
342
/* Map STRING to the cipher algorithm identifier.  Returns the
343
   algorithm ID of the cipher for the given name or 0 if the name is
344
   not known.  It is valid to pass NULL for STRING which results in a
345
   return value of 0. */
346
int
347
_gcry_cipher_map_name (const char *string)
348
0
{
349
0
  gcry_cipher_spec_t *spec;
350
351
0
  if (!string)
352
0
    return 0;
353
354
  /* If the string starts with a digit (optionally prefixed with
355
     either "OID." or "oid."), we first look into our table of ASN.1
356
     object identifiers to figure out the algorithm */
357
358
0
  spec = search_oid (string, NULL);
359
0
  if (spec)
360
0
    return spec->algo;
361
362
0
  spec = spec_from_name (string);
363
0
  if (spec)
364
0
    return spec->algo;
365
366
0
  return 0;
367
0
}
368
369
370
/* Given a STRING with an OID in dotted decimal notation, this
371
   function returns the cipher mode (GCRY_CIPHER_MODE_*) associated
372
   with that OID or 0 if no mode is known.  Passing NULL for string
373
   yields a return value of 0. */
374
int
375
_gcry_cipher_mode_from_oid (const char *string)
376
0
{
377
0
  gcry_cipher_spec_t *spec;
378
0
  gcry_cipher_oid_spec_t oid_spec;
379
380
0
  if (!string)
381
0
    return 0;
382
383
0
  spec = search_oid (string, &oid_spec);
384
0
  if (spec)
385
0
    return oid_spec.mode;
386
387
0
  return 0;
388
0
}
389
390
391
/* Map the cipher algorithm identifier ALGORITHM to a string
392
   representing this algorithm.  This string is the default name as
393
   used by Libgcrypt.  A "?" is returned for an unknown algorithm.
394
   NULL is never returned. */
395
const char *
396
_gcry_cipher_algo_name (int algorithm)
397
0
{
398
0
  gcry_cipher_spec_t *spec;
399
400
0
  spec = spec_from_algo (algorithm);
401
0
  return spec? spec->name : "?";
402
0
}
403
404
405
/* Flag the cipher algorithm with the identifier ALGORITHM as
406
   disabled.  There is no error return, the function does nothing for
407
   unknown algorithms.  Disabled algorithms are virtually not
408
   available in Libgcrypt.  This is not thread safe and should thus be
409
   called early. */
410
static void
411
disable_cipher_algo (int algo)
412
0
{
413
0
  gcry_cipher_spec_t *spec = spec_from_algo (algo);
414
415
0
  if (spec)
416
0
    spec->flags.disabled = 1;
417
0
}
418
419
420
/* Return 0 if the cipher algorithm with identifier ALGORITHM is
421
   available. Returns a basic error code value if it is not
422
   available.  */
423
static gcry_err_code_t
424
check_cipher_algo (int algorithm)
425
0
{
426
0
  gcry_cipher_spec_t *spec;
427
428
0
  spec = spec_from_algo (algorithm);
429
0
  if (spec && !spec->flags.disabled && (spec->flags.fips || !fips_mode ()))
430
0
    return 0;
431
432
0
  return GPG_ERR_CIPHER_ALGO;
433
0
}
434
435
436
/* Return the standard length in bits of the key for the cipher
437
   algorithm with the identifier ALGORITHM.  */
438
static unsigned int
439
cipher_get_keylen (int algorithm)
440
862
{
441
862
  gcry_cipher_spec_t *spec;
442
862
  unsigned len = 0;
443
444
862
  spec = spec_from_algo (algorithm);
445
862
  if (spec)
446
862
    {
447
862
      len = spec->keylen;
448
862
      if (!len)
449
0
  log_bug ("cipher %d w/o key length\n", algorithm);
450
862
    }
451
452
862
  return len;
453
862
}
454
455
456
/* Return the block length of the cipher algorithm with the identifier
457
   ALGORITHM.  This function return 0 for an invalid algorithm.  */
458
static unsigned int
459
cipher_get_blocksize (int algorithm)
460
922
{
461
922
  gcry_cipher_spec_t *spec;
462
922
  unsigned len = 0;
463
464
922
  spec = spec_from_algo (algorithm);
465
922
  if (spec)
466
922
    {
467
922
      len = spec->blocksize;
468
922
      if (!len)
469
0
        log_bug ("cipher %d w/o blocksize\n", algorithm);
470
922
    }
471
472
922
  return len;
473
922
}
474
475
476
/*
477
   Open a cipher handle for use with cipher algorithm ALGORITHM, using
478
   the cipher mode MODE (one of the GCRY_CIPHER_MODE_*) and return a
479
   handle in HANDLE.  Put NULL into HANDLE and return an error code if
480
   something goes wrong.  FLAGS may be used to modify the
481
   operation.  The defined flags are:
482
483
   GCRY_CIPHER_SECURE:  allocate all internal buffers in secure memory.
484
   GCRY_CIPHER_ENABLE_SYNC:  Enable the sync operation as used in OpenPGP.
485
   GCRY_CIPHER_CBC_CTS:  Enable CTS mode.
486
   GCRY_CIPHER_CBC_MAC:  Enable MAC mode.
487
488
   Values for these flags may be combined using OR.
489
 */
490
gcry_err_code_t
491
_gcry_cipher_open (gcry_cipher_hd_t *handle,
492
                   int algo, int mode, unsigned int flags)
493
304
{
494
304
  gcry_err_code_t rc;
495
304
  gcry_cipher_hd_t h = NULL;
496
497
304
  if (mode >= GCRY_CIPHER_MODE_INTERNAL)
498
0
    rc = GPG_ERR_INV_CIPHER_MODE;
499
304
  else
500
304
    rc = _gcry_cipher_open_internal (&h, algo, mode, flags);
501
502
304
  *handle = rc ? NULL : h;
503
504
304
  return rc;
505
304
}
506
507
508
gcry_err_code_t
509
_gcry_cipher_open_internal (gcry_cipher_hd_t *handle,
510
          int algo, int mode, unsigned int flags)
511
659
{
512
659
  int secure = (flags & GCRY_CIPHER_SECURE);
513
659
  gcry_cipher_spec_t *spec;
514
659
  gcry_cipher_hd_t h = NULL;
515
659
  gcry_err_code_t err;
516
517
  /* If the application missed to call the random poll function, we do
518
     it here to ensure that it is used once in a while. */
519
659
  _gcry_fast_random_poll ();
520
521
659
  spec = spec_from_algo (algo);
522
659
  if (!spec)
523
0
    err = GPG_ERR_CIPHER_ALGO;
524
659
  else if (spec->flags.disabled)
525
0
    err = GPG_ERR_CIPHER_ALGO;
526
659
  else if (!spec->flags.fips && fips_mode ())
527
0
    err = GPG_ERR_CIPHER_ALGO;
528
659
  else
529
659
    err = 0;
530
531
  /* check flags */
532
659
  if ((! err)
533
659
      && ((flags & ~(0
534
659
         | GCRY_CIPHER_SECURE
535
659
         | GCRY_CIPHER_ENABLE_SYNC
536
659
         | GCRY_CIPHER_CBC_CTS
537
659
         | GCRY_CIPHER_CBC_MAC
538
659
                     | GCRY_CIPHER_EXTENDED))
539
659
    || ((flags & GCRY_CIPHER_CBC_CTS) && (flags & GCRY_CIPHER_CBC_MAC))))
540
0
    err = GPG_ERR_CIPHER_ALGO;
541
542
  /* check that a valid mode has been requested */
543
659
  if (! err)
544
659
    switch (mode)
545
659
      {
546
0
      case GCRY_CIPHER_MODE_ECB:
547
38
      case GCRY_CIPHER_MODE_CBC:
548
210
      case GCRY_CIPHER_MODE_CFB:
549
210
      case GCRY_CIPHER_MODE_CFB8:
550
248
      case GCRY_CIPHER_MODE_OFB:
551
267
      case GCRY_CIPHER_MODE_CTR:
552
267
      case GCRY_CIPHER_MODE_AESWRAP:
553
622
      case GCRY_CIPHER_MODE_CMAC:
554
622
      case GCRY_CIPHER_MODE_EAX:
555
622
  if (!spec->encrypt || !spec->decrypt)
556
0
    err = GPG_ERR_INV_CIPHER_MODE;
557
622
  break;
558
559
0
      case GCRY_CIPHER_MODE_CCM:
560
0
  if (!spec->encrypt || !spec->decrypt)
561
0
    err = GPG_ERR_INV_CIPHER_MODE;
562
0
  else if (spec->blocksize != GCRY_CCM_BLOCK_LEN)
563
0
    err = GPG_ERR_INV_CIPHER_MODE;
564
0
  break;
565
566
3
      case GCRY_CIPHER_MODE_XTS:
567
3
  if (!spec->encrypt || !spec->decrypt)
568
0
    err = GPG_ERR_INV_CIPHER_MODE;
569
3
  else if (spec->blocksize != GCRY_XTS_BLOCK_LEN)
570
0
    err = GPG_ERR_INV_CIPHER_MODE;
571
3
  break;
572
573
34
      case GCRY_CIPHER_MODE_GCM:
574
34
  if (!spec->encrypt || !spec->decrypt)
575
0
    err = GPG_ERR_INV_CIPHER_MODE;
576
34
  else if (spec->blocksize != GCRY_GCM_BLOCK_LEN)
577
0
    err = GPG_ERR_INV_CIPHER_MODE;
578
34
  break;
579
580
0
      case GCRY_CIPHER_MODE_SIV:
581
0
      case GCRY_CIPHER_MODE_GCM_SIV:
582
0
  if (!spec->encrypt || !spec->decrypt)
583
0
    err = GPG_ERR_INV_CIPHER_MODE;
584
0
  else if (spec->blocksize != GCRY_SIV_BLOCK_LEN)
585
0
    err = GPG_ERR_INV_CIPHER_MODE;
586
0
  break;
587
588
0
      case GCRY_CIPHER_MODE_POLY1305:
589
0
  if (!spec->stencrypt || !spec->stdecrypt || !spec->setiv)
590
0
    err = GPG_ERR_INV_CIPHER_MODE;
591
0
  else if (spec->algo != GCRY_CIPHER_CHACHA20)
592
0
    err = GPG_ERR_INV_CIPHER_MODE;
593
0
  break;
594
595
0
      case GCRY_CIPHER_MODE_OCB:
596
        /* Note that our implementation allows only for 128 bit block
597
           length algorithms.  Lower block lengths would be possible
598
           but we do not implement them because they limit the
599
           security too much.  */
600
0
  if (!spec->encrypt || !spec->decrypt)
601
0
    err = GPG_ERR_INV_CIPHER_MODE;
602
0
  else if (spec->blocksize != GCRY_OCB_BLOCK_LEN)
603
0
    err = GPG_ERR_INV_CIPHER_MODE;
604
0
  break;
605
606
0
      case GCRY_CIPHER_MODE_STREAM:
607
0
  if (!spec->stencrypt || !spec->stdecrypt)
608
0
    err = GPG_ERR_INV_CIPHER_MODE;
609
0
  break;
610
611
0
      case GCRY_CIPHER_MODE_NONE:
612
        /* This mode may be used for debugging.  It copies the main
613
           text verbatim to the ciphertext.  We do not allow this in
614
           fips mode or if no debug flag has been set.  */
615
0
  if (fips_mode () || !_gcry_get_debug_flag (0))
616
0
          err = GPG_ERR_INV_CIPHER_MODE;
617
0
  break;
618
619
0
      default:
620
0
  err = GPG_ERR_INV_CIPHER_MODE;
621
659
      }
622
623
  /* Perform selftest here and mark this with a flag in cipher_table?
624
     No, we should not do this as it takes too long.  Further it does
625
     not make sense to exclude algorithms with failing selftests at
626
     runtime: If a selftest fails there is something seriously wrong
627
     with the system and thus we better die immediately. */
628
629
659
  if (! err)
630
659
    {
631
659
      size_t size = (sizeof (*h)
632
659
                     + 2 * spec->contextsize
633
659
                     - sizeof (cipher_context_alignment_t)
634
659
#ifdef NEED_16BYTE_ALIGNED_CONTEXT
635
659
                     + 15  /* Space for leading alignment gap.  */
636
659
#endif /*NEED_16BYTE_ALIGNED_CONTEXT*/
637
659
                     );
638
639
      /* Space needed per mode.  */
640
659
      switch (mode)
641
659
  {
642
3
  case GCRY_CIPHER_MODE_XTS:
643
3
  case GCRY_CIPHER_MODE_SIV:
644
    /* Additional cipher context for tweak. */
645
3
    size += 2 * spec->contextsize + 15;
646
3
    break;
647
648
656
  default:
649
656
    break;
650
659
  }
651
652
659
      if (secure)
653
213
  h = xtrycalloc_secure (1, size);
654
446
      else
655
446
  h = xtrycalloc (1, size);
656
657
659
      if (! h)
658
0
  err = gpg_err_code_from_syserror ();
659
659
      else
660
659
  {
661
659
          size_t off = 0;
662
659
    char *tc;
663
664
659
#ifdef NEED_16BYTE_ALIGNED_CONTEXT
665
659
          if ( ((uintptr_t)h & 0x0f) )
666
123
            {
667
              /* The malloced block is not aligned on a 16 byte
668
                 boundary.  Correct for this.  */
669
123
              off = 16 - ((uintptr_t)h & 0x0f);
670
123
              h = (void*)((char*)h + off);
671
123
            }
672
659
#endif /*NEED_16BYTE_ALIGNED_CONTEXT*/
673
674
659
    h->magic = secure ? CTX_MAGIC_SECURE : CTX_MAGIC_NORMAL;
675
659
          h->actual_handle_size = size - off;
676
659
          h->handle_offset = off;
677
659
    h->spec = spec;
678
659
          h->algo = algo;
679
659
    h->mode = mode;
680
659
    h->flags = flags;
681
682
          /* Setup mode routines. */
683
659
          _gcry_cipher_setup_mode_ops(h, mode);
684
685
          /* Setup defaults depending on the mode.  */
686
659
          switch (mode)
687
659
            {
688
0
            case GCRY_CIPHER_MODE_OCB:
689
0
              h->u_mode.ocb.taglen = 16; /* Bytes.  */
690
0
              break;
691
692
3
      case GCRY_CIPHER_MODE_XTS:
693
3
        tc = h->context.c + spec->contextsize * 2;
694
3
        tc += (16 - (uintptr_t)tc % 16) % 16;
695
3
        h->u_mode.xts.tweak_context = tc;
696
3
        break;
697
698
0
      case GCRY_CIPHER_MODE_SIV:
699
0
        tc = h->context.c + spec->contextsize * 2;
700
0
        tc += (16 - (uintptr_t)tc % 16) % 16;
701
0
        h->u_mode.siv.ctr_context = tc;
702
0
        break;
703
704
656
            default:
705
656
              break;
706
659
            }
707
659
        }
708
659
    }
709
710
  /* Done.  */
711
712
659
  *handle = err ? NULL : h;
713
714
659
  return err;
715
659
}
716
717
718
/* Release all resources associated with the cipher handle H. H may be
719
   NULL in which case this is a no-operation. */
720
void
721
_gcry_cipher_close (gcry_cipher_hd_t h)
722
659
{
723
659
  size_t off;
724
725
659
  if (!h)
726
0
    return;
727
728
659
  if ((h->magic != CTX_MAGIC_SECURE)
729
659
      && (h->magic != CTX_MAGIC_NORMAL))
730
0
    _gcry_fatal_error(GPG_ERR_INTERNAL,
731
0
          "gcry_cipher_close: already closed/invalid handle");
732
659
  else
733
659
    h->magic = 0;
734
735
  /* We always want to wipe out the memory even when the context has
736
     been allocated in secure memory.  The user might have disabled
737
     secure memory or is using his own implementation which does not
738
     do the wiping.  To accomplish this we need to keep track of the
739
     actual size of this structure because we have no way to known
740
     how large the allocated area was when using a standard malloc. */
741
659
  off = h->handle_offset;
742
659
  wipememory (h, h->actual_handle_size);
743
744
659
  xfree ((char*)h - off);
745
659
}
746
747
748
/* Set the key to be used for the encryption context C to KEY with
749
   length KEYLEN.  The length should match the required length. */
750
static gcry_err_code_t
751
cipher_setkey (gcry_cipher_hd_t c, byte *key, size_t keylen)
752
659
{
753
659
  gcry_err_code_t rc;
754
755
659
  if (c->mode == GCRY_CIPHER_MODE_XTS)
756
3
    {
757
      /* XTS uses two keys. */
758
3
      if (keylen % 2)
759
0
  return GPG_ERR_INV_KEYLEN;
760
3
      keylen /= 2;
761
762
3
      if (fips_mode ())
763
0
  {
764
    /* Reject key if subkeys Key_1 and Key_2 are equal.
765
       See "Implementation Guidance for FIPS 140-2, A.9 XTS-AES
766
       Key Generation Requirements" for details.  */
767
0
    if (buf_eq_const (key, key + keylen, keylen))
768
0
      return GPG_ERR_WEAK_KEY;
769
0
  }
770
3
    }
771
656
  else if (c->mode == GCRY_CIPHER_MODE_SIV)
772
0
    {
773
      /* SIV uses two keys. */
774
0
      if (keylen % 2)
775
0
  return GPG_ERR_INV_KEYLEN;
776
0
      keylen /= 2;
777
0
    }
778
779
659
  rc = c->spec->setkey (&c->context.c, key, keylen, &c->bulk);
780
659
  if (!rc || (c->marks.allow_weak_key && rc == GPG_ERR_WEAK_KEY))
781
553
    {
782
553
      int is_weak_key = (rc == GPG_ERR_WEAK_KEY);
783
784
      /* Duplicate initial context.  */
785
553
      memcpy ((void *) ((char *) &c->context.c + c->spec->contextsize),
786
553
              (void *) &c->context.c,
787
553
              c->spec->contextsize);
788
553
      c->marks.key = 1;
789
790
553
      switch (c->mode)
791
553
        {
792
252
        case GCRY_CIPHER_MODE_CMAC:
793
252
          rc = _gcry_cipher_cmac_set_subkeys (c);
794
252
          break;
795
796
0
        case GCRY_CIPHER_MODE_EAX:
797
0
          rc = _gcry_cipher_eax_setkey (c);
798
0
          break;
799
800
34
        case GCRY_CIPHER_MODE_GCM:
801
34
          _gcry_cipher_gcm_setkey (c);
802
34
          break;
803
804
0
        case GCRY_CIPHER_MODE_GCM_SIV:
805
0
          rc = _gcry_cipher_gcm_siv_setkey (c, keylen);
806
0
          if (rc && !(c->marks.allow_weak_key && rc == GPG_ERR_WEAK_KEY))
807
0
      c->marks.key = 0;
808
0
          break;
809
810
0
        case GCRY_CIPHER_MODE_OCB:
811
0
          _gcry_cipher_ocb_setkey (c);
812
0
          break;
813
814
0
        case GCRY_CIPHER_MODE_POLY1305:
815
0
          _gcry_cipher_poly1305_setkey (c);
816
0
          break;
817
818
0
  case GCRY_CIPHER_MODE_XTS:
819
    /* Setup tweak cipher with second part of XTS key. */
820
0
    rc = c->spec->setkey (c->u_mode.xts.tweak_context, key + keylen,
821
0
        keylen, &c->bulk);
822
0
    if (!rc || (c->marks.allow_weak_key && rc == GPG_ERR_WEAK_KEY))
823
0
      {
824
        /* Duplicate initial tweak context.  */
825
0
        memcpy (c->u_mode.xts.tweak_context + c->spec->contextsize,
826
0
          c->u_mode.xts.tweak_context, c->spec->contextsize);
827
0
      }
828
0
    else
829
0
      c->marks.key = 0;
830
0
    break;
831
832
0
        case GCRY_CIPHER_MODE_SIV:
833
    /* Setup CTR cipher with second part of SIV key. */
834
0
          rc = _gcry_cipher_siv_setkey (c, key + keylen, keylen);
835
0
    if (!rc || (c->marks.allow_weak_key && rc == GPG_ERR_WEAK_KEY))
836
0
      {
837
        /* Duplicate initial CTR context.  */
838
0
        memcpy (c->u_mode.siv.ctr_context + c->spec->contextsize,
839
0
          c->u_mode.siv.ctr_context, c->spec->contextsize);
840
0
      }
841
0
    else
842
0
      c->marks.key = 0;
843
0
          break;
844
845
267
        default:
846
267
          break;
847
553
        }
848
849
      /* Restore "weak key" error-code in case mode specific setkey
850
       * returned success. */
851
553
      if (!rc && is_weak_key)
852
0
  rc = GPG_ERR_WEAK_KEY;
853
553
    }
854
106
  else
855
106
    c->marks.key = 0;
856
857
659
  return rc;
858
659
}
859
860
861
/* Set the IV to be used for the encryption context C to IV with
862
   length IVLEN.  The length should match the required length. */
863
static gcry_err_code_t
864
cipher_setiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
865
248
{
866
  /* If the cipher has its own IV handler, we use only this one.  This
867
     is currently used for stream ciphers requiring a nonce.  */
868
248
  if (c->spec->setiv)
869
0
    {
870
0
      c->spec->setiv (&c->context.c, iv, ivlen);
871
0
      return 0;
872
0
    }
873
874
248
  memset (c->u_iv.iv, 0, c->spec->blocksize);
875
248
  if (iv)
876
248
    {
877
248
      if (ivlen != c->spec->blocksize)
878
0
        {
879
0
          log_info ("WARNING: cipher_setiv: ivlen=%u blklen=%u\n",
880
0
                    (unsigned int)ivlen, (unsigned int)c->spec->blocksize);
881
0
          fips_signal_error ("IV length does not match blocklength");
882
0
        }
883
248
      if (ivlen > c->spec->blocksize)
884
0
        ivlen = c->spec->blocksize;
885
248
      memcpy (c->u_iv.iv, iv, ivlen);
886
248
      c->marks.iv = 1;
887
248
    }
888
0
  else
889
0
      c->marks.iv = 0;
890
248
  c->unused = 0;
891
892
248
  return 0;
893
248
}
894
895
896
/* Reset the cipher context to the initial context.  This is basically
897
   the same as an release followed by a new. */
898
static void
899
cipher_reset (gcry_cipher_hd_t c)
900
0
{
901
0
  unsigned int marks_key, marks_allow_weak_key;
902
903
0
  marks_key = c->marks.key;
904
0
  marks_allow_weak_key = c->marks.allow_weak_key;
905
906
0
  memcpy (&c->context.c,
907
0
    (char *) &c->context.c + c->spec->contextsize,
908
0
    c->spec->contextsize);
909
0
  memset (&c->marks, 0, sizeof c->marks);
910
0
  memset (c->u_iv.iv, 0, c->spec->blocksize);
911
0
  memset (c->lastiv, 0, c->spec->blocksize);
912
0
  memset (c->u_ctr.ctr, 0, c->spec->blocksize);
913
0
  c->unused = 0;
914
915
0
  c->marks.key = marks_key;
916
0
  c->marks.allow_weak_key = marks_allow_weak_key;
917
918
0
  switch (c->mode)
919
0
    {
920
0
    case GCRY_CIPHER_MODE_CMAC:
921
0
      _gcry_cmac_reset(&c->u_mode.cmac);
922
0
      break;
923
924
0
    case GCRY_CIPHER_MODE_EAX:
925
0
      _gcry_cmac_reset(&c->u_mode.eax.cmac_header);
926
0
      _gcry_cmac_reset(&c->u_mode.eax.cmac_ciphertext);
927
0
      break;
928
929
0
    case GCRY_CIPHER_MODE_GCM:
930
0
    case GCRY_CIPHER_MODE_GCM_SIV:
931
      /* Only clear head of u_mode, keep ghash_key and gcm_table. */
932
0
      {
933
0
        byte *u_mode_pos = (void *)&c->u_mode;
934
0
        byte *ghash_key_pos = c->u_mode.gcm.u_ghash_key.key;
935
0
        size_t u_mode_head_length = ghash_key_pos - u_mode_pos;
936
937
0
        memset (&c->u_mode, 0, u_mode_head_length);
938
0
      }
939
0
      break;
940
941
0
    case GCRY_CIPHER_MODE_POLY1305:
942
0
      memset (&c->u_mode.poly1305, 0, sizeof c->u_mode.poly1305);
943
0
      break;
944
945
0
    case GCRY_CIPHER_MODE_CCM:
946
0
      memset (&c->u_mode.ccm, 0, sizeof c->u_mode.ccm);
947
0
      break;
948
949
0
    case GCRY_CIPHER_MODE_OCB:
950
0
      {
951
0
  const size_t table_maxblks = 1 << OCB_L_TABLE_SIZE;
952
0
  byte *u_mode_head_pos = (void *)&c->u_mode.ocb;
953
0
  byte *u_mode_tail_pos = (void *)&c->u_mode.ocb.tag;
954
0
  size_t u_mode_head_length = u_mode_tail_pos - u_mode_head_pos;
955
0
  size_t u_mode_tail_length = sizeof(c->u_mode.ocb) - u_mode_head_length;
956
957
0
  if (c->u_mode.ocb.aad_nblocks < table_maxblks)
958
0
    {
959
      /* Precalculated L-values are still ok after reset, no need
960
       * to clear. */
961
0
      memset (u_mode_tail_pos, 0, u_mode_tail_length);
962
0
    }
963
0
  else
964
0
    {
965
      /* Reinitialize L table. */
966
0
      memset (&c->u_mode.ocb, 0, sizeof(c->u_mode.ocb));
967
0
      _gcry_cipher_ocb_setkey (c);
968
0
    }
969
970
  /* Setup default taglen.  */
971
0
  c->u_mode.ocb.taglen = 16;
972
0
      }
973
0
      break;
974
975
0
    case GCRY_CIPHER_MODE_XTS:
976
0
      memcpy (c->u_mode.xts.tweak_context,
977
0
        c->u_mode.xts.tweak_context + c->spec->contextsize,
978
0
        c->spec->contextsize);
979
0
      break;
980
981
0
    case GCRY_CIPHER_MODE_SIV:
982
      /* Only clear head of u_mode, keep s2v_cmac and ctr_context. */
983
0
      {
984
0
        byte *u_mode_pos = (void *)&c->u_mode;
985
0
        byte *tail_pos = (void *)&c->u_mode.siv.s2v_cmac;
986
0
        size_t u_mode_head_length = tail_pos - u_mode_pos;
987
988
0
        memset (&c->u_mode, 0, u_mode_head_length);
989
990
0
  memcpy (c->u_mode.siv.ctr_context,
991
0
    c->u_mode.siv.ctr_context + c->spec->contextsize,
992
0
    c->spec->contextsize);
993
994
0
  memcpy (c->u_mode.siv.s2v_d, c->u_mode.siv.s2v_zero_block,
995
0
    GCRY_SIV_BLOCK_LEN);
996
0
      }
997
0
      break;
998
999
0
    default:
1000
0
      break; /* u_mode unused by other modes. */
1001
0
    }
1002
0
}
1003
1004
1005

1006
static gcry_err_code_t
1007
do_ecb_crypt (gcry_cipher_hd_t c, unsigned char *outbuf, size_t outbuflen,
1008
        const unsigned char *inbuf, size_t inbuflen, int encrypt)
1009
0
{
1010
0
  unsigned int blocksize = c->spec->blocksize;
1011
0
  size_t n, nblocks;
1012
1013
0
  if (outbuflen < inbuflen)
1014
0
    return GPG_ERR_BUFFER_TOO_SHORT;
1015
0
  if ((inbuflen % blocksize))
1016
0
    return GPG_ERR_INV_LENGTH;
1017
1018
0
  nblocks = inbuflen / blocksize;
1019
1020
0
  if (nblocks == 0)
1021
0
    return 0;
1022
1023
0
  if (c->bulk.ecb_crypt)
1024
0
    {
1025
0
      c->bulk.ecb_crypt (&c->context.c, outbuf, inbuf, nblocks, encrypt);
1026
0
    }
1027
0
  else
1028
0
    {
1029
0
      gcry_cipher_encrypt_t crypt_fn =
1030
0
          encrypt ? c->spec->encrypt : c->spec->decrypt;
1031
0
      unsigned int burn = 0;
1032
0
      unsigned int nburn;
1033
1034
0
      for (n = 0; n < nblocks; n++)
1035
0
  {
1036
0
    nburn = crypt_fn (&c->context.c, outbuf, inbuf);
1037
0
    burn = nburn > burn ? nburn : burn;
1038
0
    inbuf  += blocksize;
1039
0
    outbuf += blocksize;
1040
0
  }
1041
1042
0
      if (burn > 0)
1043
0
  _gcry_burn_stack (burn + 4 * sizeof(void *));
1044
0
    }
1045
1046
0
  return 0;
1047
0
}
1048
1049
static gcry_err_code_t
1050
do_ecb_encrypt (gcry_cipher_hd_t c,
1051
                unsigned char *outbuf, size_t outbuflen,
1052
                const unsigned char *inbuf, size_t inbuflen)
1053
0
{
1054
0
  return do_ecb_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 1);
1055
0
}
1056
1057
static gcry_err_code_t
1058
do_ecb_decrypt (gcry_cipher_hd_t c,
1059
                unsigned char *outbuf, size_t outbuflen,
1060
                const unsigned char *inbuf, size_t inbuflen)
1061
0
{
1062
0
  return do_ecb_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 0);
1063
0
}
1064
1065
1066
static gcry_err_code_t
1067
do_stream_encrypt (gcry_cipher_hd_t c,
1068
                unsigned char *outbuf, size_t outbuflen,
1069
                const unsigned char *inbuf, size_t inbuflen)
1070
0
{
1071
0
  (void)outbuflen;
1072
0
  c->spec->stencrypt (&c->context.c, outbuf, (void *)inbuf, inbuflen);
1073
0
  return 0;
1074
0
}
1075
1076
static gcry_err_code_t
1077
do_stream_decrypt (gcry_cipher_hd_t c,
1078
                unsigned char *outbuf, size_t outbuflen,
1079
                const unsigned char *inbuf, size_t inbuflen)
1080
0
{
1081
0
  (void)outbuflen;
1082
0
  c->spec->stdecrypt (&c->context.c, outbuf, (void *)inbuf, inbuflen);
1083
0
  return 0;
1084
0
}
1085
1086
1087
static gcry_err_code_t
1088
do_encrypt_none_unknown (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
1089
                         const byte *inbuf, size_t inbuflen)
1090
0
{
1091
0
  gcry_err_code_t rc;
1092
1093
0
  (void)outbuflen;
1094
1095
0
  switch (c->mode)
1096
0
    {
1097
0
    case GCRY_CIPHER_MODE_CMAC:
1098
0
      rc = GPG_ERR_INV_CIPHER_MODE;
1099
0
      break;
1100
1101
0
    case GCRY_CIPHER_MODE_NONE:
1102
0
      if (fips_mode () || !_gcry_get_debug_flag (0))
1103
0
        {
1104
0
          fips_signal_error ("cipher mode NONE used");
1105
0
          rc = GPG_ERR_INV_CIPHER_MODE;
1106
0
        }
1107
0
      else
1108
0
        {
1109
0
          if (inbuf != outbuf)
1110
0
            memmove (outbuf, inbuf, inbuflen);
1111
0
          rc = 0;
1112
0
        }
1113
0
      break;
1114
1115
0
    default:
1116
0
      log_fatal ("cipher_encrypt: invalid mode %d\n", c->mode );
1117
0
      rc = GPG_ERR_INV_CIPHER_MODE;
1118
0
      break;
1119
0
    }
1120
1121
0
  return rc;
1122
0
}
1123
1124
static gcry_err_code_t
1125
do_decrypt_none_unknown (gcry_cipher_hd_t c, byte *outbuf, size_t outbuflen,
1126
                         const byte *inbuf, size_t inbuflen)
1127
0
{
1128
0
  gcry_err_code_t rc;
1129
1130
0
  (void)outbuflen;
1131
1132
0
  switch (c->mode)
1133
0
    {
1134
0
    case GCRY_CIPHER_MODE_CMAC:
1135
0
      rc = GPG_ERR_INV_CIPHER_MODE;
1136
0
      break;
1137
1138
0
    case GCRY_CIPHER_MODE_NONE:
1139
0
      if (fips_mode () || !_gcry_get_debug_flag (0))
1140
0
        {
1141
0
          fips_signal_error ("cipher mode NONE used");
1142
0
          rc = GPG_ERR_INV_CIPHER_MODE;
1143
0
        }
1144
0
      else
1145
0
        {
1146
0
          if (inbuf != outbuf)
1147
0
            memmove (outbuf, inbuf, inbuflen);
1148
0
          rc = 0;
1149
0
        }
1150
0
      break;
1151
1152
0
    default:
1153
0
      log_fatal ("cipher_decrypt: invalid mode %d\n", c->mode );
1154
0
      rc = GPG_ERR_INV_CIPHER_MODE;
1155
0
      break;
1156
0
    }
1157
1158
0
  return rc;
1159
0
}
1160
1161
1162
/****************
1163
 * Encrypt IN and write it to OUT.  If IN is NULL, in-place encryption has
1164
 * been requested.
1165
 */
1166
gcry_err_code_t
1167
_gcry_cipher_encrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
1168
                      const void *in, size_t inlen)
1169
265
{
1170
265
  gcry_err_code_t rc;
1171
1172
265
  if (!in)  /* Caller requested in-place encryption.  */
1173
0
    {
1174
0
      in = out;
1175
0
      inlen = outsize;
1176
0
    }
1177
1178
265
  if (h->mode != GCRY_CIPHER_MODE_NONE && !h->marks.key)
1179
0
    {
1180
0
      log_error ("cipher_encrypt: key not set\n");
1181
0
      return GPG_ERR_MISSING_KEY;
1182
0
    }
1183
1184
265
  rc = h->mode_ops.encrypt (h, out, outsize, in, inlen);
1185
1186
  /* Failsafe: Make sure that the plaintext will never make it into
1187
     OUT if the encryption returned an error.  */
1188
265
  if (rc && out)
1189
0
    memset (out, 0x42, outsize);
1190
1191
265
  return rc;
1192
265
}
1193
1194
1195
/****************
1196
 * Decrypt IN and write it to OUT.  If IN is NULL, in-place encryption has
1197
 * been requested.
1198
 */
1199
gcry_err_code_t
1200
_gcry_cipher_decrypt (gcry_cipher_hd_t h, void *out, size_t outsize,
1201
                      const void *in, size_t inlen)
1202
554
{
1203
554
  if (!in) /* Caller requested in-place encryption. */
1204
0
    {
1205
0
      in = out;
1206
0
      inlen = outsize;
1207
0
    }
1208
1209
554
  if (h->mode != GCRY_CIPHER_MODE_NONE && !h->marks.key)
1210
0
    {
1211
0
      log_error ("cipher_decrypt: key not set\n");
1212
0
      return GPG_ERR_MISSING_KEY;
1213
0
    }
1214
1215
554
  return h->mode_ops.decrypt (h, out, outsize, in, inlen);
1216
554
}
1217
1218
1219
/****************
1220
 * Used for PGP's somewhat strange CFB mode. Only works if
1221
 * the corresponding flag is set.
1222
 */
1223
static void
1224
cipher_sync (gcry_cipher_hd_t c)
1225
0
{
1226
0
  if ((c->flags & GCRY_CIPHER_ENABLE_SYNC) && c->unused)
1227
0
    {
1228
0
      memmove (c->u_iv.iv + c->unused,
1229
0
               c->u_iv.iv, c->spec->blocksize - c->unused);
1230
0
      memcpy (c->u_iv.iv,
1231
0
              c->lastiv + c->spec->blocksize - c->unused, c->unused);
1232
0
      c->unused = 0;
1233
0
    }
1234
0
}
1235
1236
1237
gcry_err_code_t
1238
_gcry_cipher_setkey (gcry_cipher_hd_t hd, const void *key, size_t keylen)
1239
659
{
1240
659
  return cipher_setkey (hd, (void*)key, keylen);
1241
659
}
1242
1243
1244
gcry_err_code_t
1245
_gcry_cipher_setiv (gcry_cipher_hd_t c, const void *iv, size_t ivlen)
1246
282
{
1247
282
  if (c->mode == GCRY_CIPHER_MODE_GCM)
1248
34
    {
1249
34
      c->u_mode.gcm.disallow_encryption_because_of_setiv_in_fips_mode = 0;
1250
1251
34
      if (fips_mode ())
1252
0
        {
1253
          /* Direct invocation of GCM setiv in FIPS mode disables encryption. */
1254
0
          c->u_mode.gcm.disallow_encryption_because_of_setiv_in_fips_mode = 1;
1255
0
        }
1256
34
    }
1257
1258
282
  return c->mode_ops.setiv (c, iv, ivlen);
1259
282
}
1260
1261
1262
/* Set counter for CTR mode.  (CTR,CTRLEN) must denote a buffer of
1263
   block size length, or (NULL,0) to set the CTR to the all-zero
1264
   block. */
1265
gpg_err_code_t
1266
_gcry_cipher_setctr (gcry_cipher_hd_t hd, const void *ctr, size_t ctrlen)
1267
19
{
1268
19
  if (ctr && ctrlen == hd->spec->blocksize)
1269
19
    {
1270
19
      memcpy (hd->u_ctr.ctr, ctr, hd->spec->blocksize);
1271
19
      hd->unused = 0;
1272
19
    }
1273
0
  else if (!ctr || !ctrlen)
1274
0
    {
1275
0
      memset (hd->u_ctr.ctr, 0, hd->spec->blocksize);
1276
0
      hd->unused = 0;
1277
0
    }
1278
0
  else
1279
0
    return GPG_ERR_INV_ARG;
1280
1281
19
  return 0;
1282
19
}
1283
1284
gpg_err_code_t
1285
_gcry_cipher_getctr (gcry_cipher_hd_t hd, void *ctr, size_t ctrlen)
1286
0
{
1287
0
  if (ctr && ctrlen == hd->spec->blocksize)
1288
0
    memcpy (ctr, hd->u_ctr.ctr, hd->spec->blocksize);
1289
0
  else
1290
0
    return GPG_ERR_INV_ARG;
1291
1292
0
  return 0;
1293
0
}
1294
1295
1296
gcry_err_code_t
1297
_gcry_cipher_setup_geniv (gcry_cipher_hd_t hd, int method,
1298
                          const void *fixed_iv, size_t fixed_iv_len,
1299
                          const void *dyn_iv, size_t dyn_iv_len)
1300
0
{
1301
0
  gcry_err_code_t rc = 0;
1302
1303
0
  if (method != GCRY_CIPHER_GENIV_METHOD_CONCAT)
1304
0
    return GPG_ERR_INV_ARG;
1305
1306
0
  if (fixed_iv_len + dyn_iv_len > MAX_BLOCKSIZE)
1307
0
    return GPG_ERR_INV_ARG;
1308
1309
0
  hd->aead.geniv_method = GCRY_CIPHER_GENIV_METHOD_CONCAT;
1310
0
  hd->aead.fixed_iv_len = fixed_iv_len;
1311
0
  hd->aead.dynamic_iv_len = dyn_iv_len;
1312
0
  memset (hd->aead.fixed, 0, MAX_BLOCKSIZE);
1313
0
  memset (hd->aead.dynamic, 0, MAX_BLOCKSIZE);
1314
0
  memcpy (hd->aead.fixed, fixed_iv, fixed_iv_len);
1315
0
  memcpy (hd->aead.dynamic, dyn_iv, dyn_iv_len);
1316
1317
0
  return rc;
1318
0
}
1319
1320
1321
gcry_err_code_t
1322
_gcry_cipher_geniv (gcry_cipher_hd_t hd, void *iv, size_t iv_len)
1323
0
{
1324
0
  gcry_err_code_t rc = 0;
1325
0
  int i;
1326
1327
0
  if (hd->aead.geniv_method != GCRY_CIPHER_GENIV_METHOD_CONCAT)
1328
0
    return GPG_ERR_INV_ARG;
1329
1330
0
  if (iv_len != hd->aead.fixed_iv_len + hd->aead.dynamic_iv_len)
1331
0
    return GPG_ERR_INV_ARG;
1332
1333
0
  memcpy (iv, hd->aead.fixed, hd->aead.fixed_iv_len);
1334
0
  memcpy ((byte *)iv+hd->aead.fixed_iv_len,
1335
0
          hd->aead.dynamic, hd->aead.dynamic_iv_len);
1336
0
  rc = hd->mode_ops.setiv (hd, iv, iv_len);
1337
1338
0
  for (i = hd->aead.dynamic_iv_len; i > 0; i--)
1339
0
    if (++hd->aead.dynamic[i - 1] != 0)
1340
0
      break;
1341
1342
0
  return rc;
1343
0
}
1344
1345
1346
gcry_err_code_t
1347
_gcry_cipher_authenticate (gcry_cipher_hd_t hd, const void *abuf,
1348
                           size_t abuflen)
1349
0
{
1350
0
  gcry_err_code_t rc;
1351
1352
0
  if (hd->mode_ops.authenticate)
1353
0
    {
1354
0
      rc = hd->mode_ops.authenticate (hd, abuf, abuflen);
1355
0
    }
1356
0
  else
1357
0
    {
1358
0
      log_error ("gcry_cipher_authenticate: invalid mode %d\n", hd->mode);
1359
0
      rc = GPG_ERR_INV_CIPHER_MODE;
1360
0
    }
1361
1362
0
  return rc;
1363
0
}
1364
1365
1366
gcry_err_code_t
1367
_gcry_cipher_gettag (gcry_cipher_hd_t hd, void *outtag, size_t taglen)
1368
0
{
1369
0
  gcry_err_code_t rc;
1370
1371
0
  if (hd->mode_ops.get_tag)
1372
0
    {
1373
0
      rc = hd->mode_ops.get_tag (hd, outtag, taglen);
1374
0
    }
1375
0
  else
1376
0
    {
1377
0
      log_error ("gcry_cipher_gettag: invalid mode %d\n", hd->mode);
1378
0
      rc = GPG_ERR_INV_CIPHER_MODE;
1379
0
    }
1380
1381
0
  return rc;
1382
0
}
1383
1384
1385
gcry_err_code_t
1386
_gcry_cipher_checktag (gcry_cipher_hd_t hd, const void *intag, size_t taglen)
1387
0
{
1388
0
  gcry_err_code_t rc;
1389
1390
0
  if (hd->mode_ops.check_tag)
1391
0
    {
1392
0
      rc = hd->mode_ops.check_tag (hd, intag, taglen);
1393
0
    }
1394
0
  else
1395
0
    {
1396
0
      log_error ("gcry_cipher_checktag: invalid mode %d\n", hd->mode);
1397
0
      rc = GPG_ERR_INV_CIPHER_MODE;
1398
0
    }
1399
1400
0
  return rc;
1401
0
}
1402
1403
1404
1405
static void
1406
_gcry_cipher_setup_mode_ops(gcry_cipher_hd_t c, int mode)
1407
659
{
1408
  /* Setup encryption and decryption routines. */
1409
659
  switch (mode)
1410
659
    {
1411
0
    case GCRY_CIPHER_MODE_STREAM:
1412
0
      c->mode_ops.encrypt = do_stream_encrypt;
1413
0
      c->mode_ops.decrypt = do_stream_decrypt;
1414
0
      break;
1415
1416
0
    case GCRY_CIPHER_MODE_ECB:
1417
0
      c->mode_ops.encrypt = do_ecb_encrypt;
1418
0
      c->mode_ops.decrypt = do_ecb_decrypt;
1419
0
      break;
1420
1421
38
    case GCRY_CIPHER_MODE_CBC:
1422
38
      if (!(c->flags & GCRY_CIPHER_CBC_CTS))
1423
38
        {
1424
38
          c->mode_ops.encrypt = _gcry_cipher_cbc_encrypt;
1425
38
          c->mode_ops.decrypt = _gcry_cipher_cbc_decrypt;
1426
38
        }
1427
0
      else
1428
0
        {
1429
0
          c->mode_ops.encrypt = _gcry_cipher_cbc_cts_encrypt;
1430
0
          c->mode_ops.decrypt = _gcry_cipher_cbc_cts_decrypt;
1431
0
        }
1432
38
      break;
1433
1434
172
    case GCRY_CIPHER_MODE_CFB:
1435
172
      c->mode_ops.encrypt = _gcry_cipher_cfb_encrypt;
1436
172
      c->mode_ops.decrypt = _gcry_cipher_cfb_decrypt;
1437
172
      break;
1438
1439
0
    case GCRY_CIPHER_MODE_CFB8:
1440
0
      c->mode_ops.encrypt = _gcry_cipher_cfb8_encrypt;
1441
0
      c->mode_ops.decrypt = _gcry_cipher_cfb8_decrypt;
1442
0
      break;
1443
1444
38
    case GCRY_CIPHER_MODE_OFB:
1445
38
      c->mode_ops.encrypt = _gcry_cipher_ofb_encrypt;
1446
38
      c->mode_ops.decrypt = _gcry_cipher_ofb_encrypt;
1447
38
      break;
1448
1449
19
    case GCRY_CIPHER_MODE_CTR:
1450
19
      c->mode_ops.encrypt = _gcry_cipher_ctr_encrypt;
1451
19
      c->mode_ops.decrypt = _gcry_cipher_ctr_encrypt;
1452
19
      break;
1453
1454
0
    case GCRY_CIPHER_MODE_AESWRAP:
1455
0
      c->mode_ops.decrypt = _gcry_cipher_keywrap_decrypt_auto;
1456
0
      if (!(c->flags & GCRY_CIPHER_EXTENDED))
1457
0
        c->mode_ops.encrypt = _gcry_cipher_keywrap_encrypt;
1458
0
      else
1459
0
        c->mode_ops.encrypt = _gcry_cipher_keywrap_encrypt_padding;
1460
0
      break;
1461
1462
0
    case GCRY_CIPHER_MODE_CCM:
1463
0
      c->mode_ops.encrypt = _gcry_cipher_ccm_encrypt;
1464
0
      c->mode_ops.decrypt = _gcry_cipher_ccm_decrypt;
1465
0
      break;
1466
1467
0
    case GCRY_CIPHER_MODE_EAX:
1468
0
      c->mode_ops.encrypt = _gcry_cipher_eax_encrypt;
1469
0
      c->mode_ops.decrypt = _gcry_cipher_eax_decrypt;
1470
0
      break;
1471
1472
34
    case GCRY_CIPHER_MODE_GCM:
1473
34
      c->mode_ops.encrypt = _gcry_cipher_gcm_encrypt;
1474
34
      c->mode_ops.decrypt = _gcry_cipher_gcm_decrypt;
1475
34
      break;
1476
1477
0
    case GCRY_CIPHER_MODE_POLY1305:
1478
0
      c->mode_ops.encrypt = _gcry_cipher_poly1305_encrypt;
1479
0
      c->mode_ops.decrypt = _gcry_cipher_poly1305_decrypt;
1480
0
      break;
1481
1482
0
    case GCRY_CIPHER_MODE_OCB:
1483
0
      c->mode_ops.encrypt = _gcry_cipher_ocb_encrypt;
1484
0
      c->mode_ops.decrypt = _gcry_cipher_ocb_decrypt;
1485
0
      break;
1486
1487
3
    case GCRY_CIPHER_MODE_XTS:
1488
3
      c->mode_ops.encrypt = _gcry_cipher_xts_encrypt;
1489
3
      c->mode_ops.decrypt = _gcry_cipher_xts_decrypt;
1490
3
      break;
1491
1492
0
    case GCRY_CIPHER_MODE_SIV:
1493
0
      c->mode_ops.encrypt = _gcry_cipher_siv_encrypt;
1494
0
      c->mode_ops.decrypt = _gcry_cipher_siv_decrypt;
1495
0
      break;
1496
1497
0
    case GCRY_CIPHER_MODE_GCM_SIV:
1498
0
      c->mode_ops.encrypt = _gcry_cipher_gcm_siv_encrypt;
1499
0
      c->mode_ops.decrypt = _gcry_cipher_gcm_siv_decrypt;
1500
0
      break;
1501
1502
355
    default:
1503
355
      c->mode_ops.encrypt = do_encrypt_none_unknown;
1504
355
      c->mode_ops.decrypt = do_decrypt_none_unknown;
1505
355
      break;
1506
659
    }
1507
1508
  /* Setup IV setting routine. */
1509
659
  switch (mode)
1510
659
    {
1511
0
    case GCRY_CIPHER_MODE_CCM:
1512
0
      c->mode_ops.setiv = _gcry_cipher_ccm_set_nonce;
1513
0
      break;
1514
1515
0
    case GCRY_CIPHER_MODE_EAX:
1516
0
      c->mode_ops.setiv = _gcry_cipher_eax_set_nonce;
1517
0
      break;
1518
1519
34
    case GCRY_CIPHER_MODE_GCM:
1520
34
      c->mode_ops.setiv =  _gcry_cipher_gcm_setiv;
1521
34
      break;
1522
1523
0
    case GCRY_CIPHER_MODE_POLY1305:
1524
0
      c->mode_ops.setiv = _gcry_cipher_poly1305_setiv;
1525
0
      break;
1526
1527
0
    case GCRY_CIPHER_MODE_OCB:
1528
0
      c->mode_ops.setiv = _gcry_cipher_ocb_set_nonce;
1529
0
      break;
1530
1531
0
    case GCRY_CIPHER_MODE_SIV:
1532
0
      c->mode_ops.setiv = _gcry_cipher_siv_set_nonce;
1533
0
      break;
1534
1535
0
    case GCRY_CIPHER_MODE_GCM_SIV:
1536
0
      c->mode_ops.setiv = _gcry_cipher_gcm_siv_set_nonce;
1537
0
      break;
1538
1539
625
    default:
1540
625
      c->mode_ops.setiv = cipher_setiv;
1541
625
      break;
1542
659
    }
1543
1544
1545
  /* Setup authentication routines for AEAD modes. */
1546
659
  switch (mode)
1547
659
    {
1548
0
    case GCRY_CIPHER_MODE_CCM:
1549
0
      c->mode_ops.authenticate = _gcry_cipher_ccm_authenticate;
1550
0
      c->mode_ops.get_tag      = _gcry_cipher_ccm_get_tag;
1551
0
      c->mode_ops.check_tag    = _gcry_cipher_ccm_check_tag;
1552
0
      break;
1553
1554
355
    case GCRY_CIPHER_MODE_CMAC:
1555
355
      c->mode_ops.authenticate = _gcry_cipher_cmac_authenticate;
1556
355
      c->mode_ops.get_tag      = _gcry_cipher_cmac_get_tag;
1557
355
      c->mode_ops.check_tag    = _gcry_cipher_cmac_check_tag;
1558
355
      break;
1559
1560
0
    case GCRY_CIPHER_MODE_EAX:
1561
0
      c->mode_ops.authenticate = _gcry_cipher_eax_authenticate;
1562
0
      c->mode_ops.get_tag      = _gcry_cipher_eax_get_tag;
1563
0
      c->mode_ops.check_tag    = _gcry_cipher_eax_check_tag;
1564
0
      break;
1565
1566
34
    case GCRY_CIPHER_MODE_GCM:
1567
34
      c->mode_ops.authenticate = _gcry_cipher_gcm_authenticate;
1568
34
      c->mode_ops.get_tag      = _gcry_cipher_gcm_get_tag;
1569
34
      c->mode_ops.check_tag    = _gcry_cipher_gcm_check_tag;
1570
34
      break;
1571
1572
0
    case GCRY_CIPHER_MODE_POLY1305:
1573
0
      c->mode_ops.authenticate = _gcry_cipher_poly1305_authenticate;
1574
0
      c->mode_ops.get_tag      = _gcry_cipher_poly1305_get_tag;
1575
0
      c->mode_ops.check_tag    = _gcry_cipher_poly1305_check_tag;
1576
0
      break;
1577
1578
0
    case GCRY_CIPHER_MODE_OCB:
1579
0
      c->mode_ops.authenticate = _gcry_cipher_ocb_authenticate;
1580
0
      c->mode_ops.get_tag      = _gcry_cipher_ocb_get_tag;
1581
0
      c->mode_ops.check_tag    = _gcry_cipher_ocb_check_tag;
1582
0
      break;
1583
1584
0
    case GCRY_CIPHER_MODE_SIV:
1585
0
      c->mode_ops.authenticate = _gcry_cipher_siv_authenticate;
1586
0
      c->mode_ops.get_tag      = _gcry_cipher_siv_get_tag;
1587
0
      c->mode_ops.check_tag    = _gcry_cipher_siv_check_tag;
1588
0
      break;
1589
1590
0
    case GCRY_CIPHER_MODE_GCM_SIV:
1591
0
      c->mode_ops.authenticate = _gcry_cipher_gcm_siv_authenticate;
1592
0
      c->mode_ops.get_tag      = _gcry_cipher_gcm_siv_get_tag;
1593
0
      c->mode_ops.check_tag    = _gcry_cipher_gcm_siv_check_tag;
1594
0
      break;
1595
1596
270
    default:
1597
270
      c->mode_ops.authenticate = NULL;
1598
270
      c->mode_ops.get_tag      = NULL;
1599
270
      c->mode_ops.check_tag    = NULL;
1600
270
      break;
1601
659
    }
1602
659
}
1603
1604
1605
gcry_err_code_t
1606
_gcry_cipher_ctl (gcry_cipher_hd_t h, int cmd, void *buffer, size_t buflen)
1607
195
{
1608
195
  gcry_err_code_t rc = 0;
1609
1610
195
  switch (cmd)
1611
195
    {
1612
0
    case GCRYCTL_RESET:
1613
0
      cipher_reset (h);
1614
0
      break;
1615
1616
195
    case GCRYCTL_FINALIZE:
1617
195
      if (!h || buffer || buflen)
1618
0
  return GPG_ERR_INV_ARG;
1619
195
      h->marks.finalize = 1;
1620
195
      break;
1621
1622
0
    case GCRYCTL_CFB_SYNC:
1623
0
      cipher_sync( h );
1624
0
      break;
1625
1626
0
    case GCRYCTL_SET_CBC_CTS:
1627
0
      if (buflen)
1628
0
  if (h->flags & GCRY_CIPHER_CBC_MAC)
1629
0
    rc = GPG_ERR_INV_FLAG;
1630
0
  else
1631
0
    h->flags |= GCRY_CIPHER_CBC_CTS;
1632
0
      else
1633
0
  h->flags &= ~GCRY_CIPHER_CBC_CTS;
1634
0
      break;
1635
1636
0
    case GCRYCTL_SET_CBC_MAC:
1637
0
      if (buflen)
1638
0
  if (h->flags & GCRY_CIPHER_CBC_CTS)
1639
0
    rc = GPG_ERR_INV_FLAG;
1640
0
  else
1641
0
    h->flags |= GCRY_CIPHER_CBC_MAC;
1642
0
      else
1643
0
  h->flags &= ~GCRY_CIPHER_CBC_MAC;
1644
0
      break;
1645
1646
0
    case GCRYCTL_SET_CCM_LENGTHS:
1647
0
      {
1648
0
        u64 params[3];
1649
0
        size_t encryptedlen;
1650
0
        size_t aadlen;
1651
0
        size_t authtaglen;
1652
1653
0
        if (h->mode != GCRY_CIPHER_MODE_CCM)
1654
0
          return GPG_ERR_INV_CIPHER_MODE;
1655
1656
0
        if (!buffer || buflen != 3 * sizeof(u64))
1657
0
          return GPG_ERR_INV_ARG;
1658
1659
        /* This command is used to pass additional length parameters needed
1660
           by CCM mode to initialize CBC-MAC.  */
1661
0
        memcpy (params, buffer, sizeof(params));
1662
0
        encryptedlen = params[0];
1663
0
        aadlen = params[1];
1664
0
        authtaglen = params[2];
1665
1666
0
        rc = _gcry_cipher_ccm_set_lengths (h, encryptedlen, aadlen, authtaglen);
1667
0
      }
1668
0
      break;
1669
1670
0
    case GCRYCTL_SET_DECRYPTION_TAG:
1671
0
      {
1672
0
        if (!buffer)
1673
0
          return GPG_ERR_INV_ARG;
1674
1675
0
        if (h->mode == GCRY_CIPHER_MODE_SIV)
1676
0
          rc = _gcry_cipher_siv_set_decryption_tag (h, buffer, buflen);
1677
0
        else if (h->mode == GCRY_CIPHER_MODE_GCM_SIV)
1678
0
          rc = _gcry_cipher_gcm_siv_set_decryption_tag (h, buffer, buflen);
1679
0
        else
1680
0
          rc = GPG_ERR_INV_CIPHER_MODE;
1681
0
      }
1682
0
      break;
1683
1684
0
    case GCRYCTL_SET_TAGLEN:
1685
0
      if (!h || !buffer || buflen != sizeof(int) )
1686
0
  return GPG_ERR_INV_ARG;
1687
0
      switch (h->mode)
1688
0
        {
1689
0
        case GCRY_CIPHER_MODE_OCB:
1690
0
          switch (*(int*)buffer)
1691
0
            {
1692
0
            case 8: case 12: case 16:
1693
0
              h->u_mode.ocb.taglen = *(int*)buffer;
1694
0
              break;
1695
0
            default:
1696
0
              rc = GPG_ERR_INV_LENGTH; /* Invalid tag length. */
1697
0
              break;
1698
0
            }
1699
0
          break;
1700
1701
0
        default:
1702
0
          rc =GPG_ERR_INV_CIPHER_MODE;
1703
0
          break;
1704
0
        }
1705
0
      break;
1706
1707
0
    case GCRYCTL_DISABLE_ALGO:
1708
      /* This command expects NULL for H and BUFFER to point to an
1709
         integer with the algo number.  */
1710
0
      if( h || !buffer || buflen != sizeof(int) )
1711
0
  return GPG_ERR_CIPHER_ALGO;
1712
0
      disable_cipher_algo( *(int*)buffer );
1713
0
      break;
1714
1715
0
    case PRIV_CIPHERCTL_DISABLE_WEAK_KEY:  /* (private)  */
1716
0
      if (h->spec->set_extra_info)
1717
0
        rc = h->spec->set_extra_info
1718
0
          (&h->context.c, CIPHER_INFO_NO_WEAK_KEY, NULL, 0);
1719
0
      else
1720
0
        rc = GPG_ERR_NOT_SUPPORTED;
1721
0
      break;
1722
1723
0
    case PRIV_CIPHERCTL_GET_INPUT_VECTOR: /* (private)  */
1724
      /* This is the input block as used in CFB and OFB mode which has
1725
         initially been set as IV.  The returned format is:
1726
           1 byte  Actual length of the block in bytes.
1727
           n byte  The block.
1728
         If the provided buffer is too short, an error is returned. */
1729
0
      if (buflen < (1 + h->spec->blocksize))
1730
0
        rc = GPG_ERR_TOO_SHORT;
1731
0
      else
1732
0
        {
1733
0
          unsigned char *ivp;
1734
0
          unsigned char *dst = buffer;
1735
0
          int n = h->unused;
1736
1737
0
          if (!n)
1738
0
            n = h->spec->blocksize;
1739
0
          gcry_assert (n <= h->spec->blocksize);
1740
0
          *dst++ = n;
1741
0
          ivp = h->u_iv.iv + h->spec->blocksize - n;
1742
0
          while (n--)
1743
0
            *dst++ = *ivp++;
1744
0
        }
1745
0
      break;
1746
1747
0
    case PRIV_CIPHERCTL_GET_COUNTER: /* (private)  */
1748
      /* This is the input block as used in CTR mode which has
1749
         initially been set as IV.  The returned format is:
1750
           1 byte  Actual length of the block in bytes.
1751
           n byte  The block.
1752
         If the provided buffer is too short, an error is returned. */
1753
0
      if (buflen < (1 + h->spec->blocksize))
1754
0
        rc = GPG_ERR_TOO_SHORT;
1755
0
      else
1756
0
        {
1757
0
          unsigned char *ctrp;
1758
0
          unsigned char *dst = buffer;
1759
0
          int n = h->unused;
1760
1761
0
          if (!n)
1762
0
            n = h->spec->blocksize;
1763
0
          gcry_assert (n <= h->spec->blocksize);
1764
0
          *dst++ = n;
1765
0
          ctrp = h->u_ctr.ctr + h->spec->blocksize - n;
1766
0
          while (n--)
1767
0
            *dst++ = *ctrp++;
1768
0
        }
1769
0
      break;
1770
1771
0
    case GCRYCTL_SET_SBOX:
1772
0
      if (h->spec->set_extra_info)
1773
0
        rc = h->spec->set_extra_info
1774
0
          (&h->context.c, GCRYCTL_SET_SBOX, buffer, buflen);
1775
0
      else
1776
0
        rc = GPG_ERR_NOT_SUPPORTED;
1777
0
      break;
1778
1779
0
    case GCRYCTL_SET_ALLOW_WEAK_KEY:
1780
      /* Expecting BUFFER to be NULL and buflen to be on/off flag (0 or 1). */
1781
0
      if (!h || buffer || buflen > 1)
1782
0
  return GPG_ERR_CIPHER_ALGO;
1783
0
      h->marks.allow_weak_key = buflen ? 1 : 0;
1784
0
      break;
1785
1786
0
    default:
1787
0
      rc = GPG_ERR_INV_OP;
1788
195
    }
1789
1790
195
  return rc;
1791
195
}
1792
1793
1794
/* Return information about the cipher handle H.  CMD is the kind of
1795
 * information requested.
1796
 *
1797
 * CMD may be one of:
1798
 *
1799
 *  GCRYCTL_GET_TAGLEN:
1800
 *      Return the length of the tag for an AE algorithm mode.  An
1801
 *      error is returned for modes which do not support a tag.
1802
 *      BUFFER must be given as NULL.  On success the result is stored
1803
 *      at NBYTES.  The taglen is returned in bytes.
1804
 *
1805
 *  GCRYCTL_GET_KEYLEN:
1806
 *      Return the length of the key wrapped for AES-WRAP mode.  The
1807
 *      length is encoded in big-endian 4 bytes, when the key is
1808
 *      unwrapped with KWP.  Return 00 00 00 00, when the key is
1809
 *      unwrapped with KW.
1810
 *
1811
 * The function returns 0 on success or an error code.
1812
 */
1813
gcry_err_code_t
1814
_gcry_cipher_info (gcry_cipher_hd_t h, int cmd, void *buffer, size_t *nbytes)
1815
0
{
1816
0
  gcry_err_code_t rc = 0;
1817
1818
0
  switch (cmd)
1819
0
    {
1820
0
    case GCRYCTL_GET_TAGLEN:
1821
0
      if (!h || buffer || !nbytes)
1822
0
  rc = GPG_ERR_INV_ARG;
1823
0
      else
1824
0
  {
1825
0
          switch (h->mode)
1826
0
            {
1827
0
            case GCRY_CIPHER_MODE_OCB:
1828
0
              *nbytes = h->u_mode.ocb.taglen;
1829
0
              break;
1830
1831
0
            case GCRY_CIPHER_MODE_CCM:
1832
0
              *nbytes = h->u_mode.ccm.authlen;
1833
0
              break;
1834
1835
0
            case GCRY_CIPHER_MODE_EAX:
1836
0
              *nbytes = h->spec->blocksize;
1837
0
              break;
1838
1839
0
            case GCRY_CIPHER_MODE_GCM:
1840
0
              *nbytes = GCRY_GCM_BLOCK_LEN;
1841
0
              break;
1842
1843
0
            case GCRY_CIPHER_MODE_POLY1305:
1844
0
              *nbytes = POLY1305_TAGLEN;
1845
0
              break;
1846
1847
0
            case GCRY_CIPHER_MODE_SIV:
1848
0
              *nbytes = GCRY_SIV_BLOCK_LEN;
1849
0
              break;
1850
1851
0
            case GCRY_CIPHER_MODE_GCM_SIV:
1852
0
              *nbytes = GCRY_SIV_BLOCK_LEN;
1853
0
              break;
1854
1855
0
            default:
1856
0
              rc = GPG_ERR_INV_CIPHER_MODE;
1857
0
              break;
1858
0
            }
1859
0
        }
1860
0
      break;
1861
1862
0
    case GCRYCTL_GET_KEYLEN:
1863
0
      if (!h || !buffer || !nbytes)
1864
0
  rc = GPG_ERR_INV_ARG;
1865
0
      else
1866
0
        {
1867
0
          switch (h->mode)
1868
0
            {
1869
0
            case GCRY_CIPHER_MODE_AESWRAP:
1870
0
              *nbytes = 4;
1871
0
              memcpy (buffer, h->u_mode.wrap.plen, 4);
1872
0
              break;
1873
1874
0
            default:
1875
0
              rc = GPG_ERR_INV_CIPHER_MODE;
1876
0
              break;
1877
0
            }
1878
0
        }
1879
0
      break;
1880
1881
0
    default:
1882
0
      rc = GPG_ERR_INV_OP;
1883
0
    }
1884
1885
0
  return rc;
1886
0
}
1887
1888
/* Return information about the given cipher algorithm ALGO.
1889
1890
   WHAT select the kind of information returned:
1891
1892
    GCRYCTL_GET_KEYLEN:
1893
    Return the length of the key.  If the algorithm ALGO
1894
    supports multiple key lengths, the maximum supported key length
1895
    is returned.  The key length is returned as number of octets.
1896
    BUFFER and NBYTES must be zero.
1897
1898
    GCRYCTL_GET_BLKLEN:
1899
    Return the blocklength of the algorithm ALGO counted in octets.
1900
    BUFFER and NBYTES must be zero.
1901
1902
    GCRYCTL_TEST_ALGO:
1903
    Returns 0 if the specified algorithm ALGO is available for use.
1904
    BUFFER and NBYTES must be zero.
1905
1906
   Note: Because this function is in most cases used to return an
1907
   integer value, we can make it easier for the caller to just look at
1908
   the return value.  The caller will in all cases consult the value
1909
   and thereby detecting whether a error occurred or not (i.e. while
1910
   checking the block size)
1911
 */
1912
gcry_err_code_t
1913
_gcry_cipher_algo_info (int algo, int what, void *buffer, size_t *nbytes)
1914
1.78k
{
1915
1.78k
  gcry_err_code_t rc = 0;
1916
1.78k
  unsigned int ui;
1917
1918
1.78k
  switch (what)
1919
1.78k
    {
1920
862
    case GCRYCTL_GET_KEYLEN:
1921
862
      if (buffer || (! nbytes))
1922
0
  rc = GPG_ERR_CIPHER_ALGO;
1923
862
      else
1924
862
  {
1925
862
    ui = cipher_get_keylen (algo);
1926
862
    if ((ui > 0) && (ui <= 512))
1927
862
      *nbytes = (size_t) ui / 8;
1928
0
    else
1929
      /* The only reason for an error is an invalid algo.  */
1930
0
      rc = GPG_ERR_CIPHER_ALGO;
1931
862
  }
1932
862
      break;
1933
1934
922
    case GCRYCTL_GET_BLKLEN:
1935
922
      if (buffer || (! nbytes))
1936
0
  rc = GPG_ERR_CIPHER_ALGO;
1937
922
      else
1938
922
  {
1939
922
    ui = cipher_get_blocksize (algo);
1940
922
    if ((ui > 0) && (ui < 10000))
1941
922
      *nbytes = ui;
1942
0
    else
1943
0
            {
1944
              /* The only reason is an invalid algo or a strange
1945
                 blocksize.  */
1946
0
              rc = GPG_ERR_CIPHER_ALGO;
1947
0
            }
1948
922
  }
1949
922
      break;
1950
1951
0
    case GCRYCTL_TEST_ALGO:
1952
0
      if (buffer || nbytes)
1953
0
  rc = GPG_ERR_INV_ARG;
1954
0
      else
1955
0
  rc = check_cipher_algo (algo);
1956
0
      break;
1957
1958
0
      default:
1959
0
  rc = GPG_ERR_INV_OP;
1960
1.78k
    }
1961
1962
1.78k
  return rc;
1963
1.78k
}
1964
1965
1966
/* This function returns length of the key for algorithm ALGO.  If the
1967
   algorithm supports multiple key lengths, the maximum supported key
1968
   length is returned.  On error 0 is returned.  The key length is
1969
   returned as number of octets.
1970
1971
   This is a convenience functions which should be preferred over
1972
   gcry_cipher_algo_info because it allows for proper type
1973
   checking.  */
1974
size_t
1975
_gcry_cipher_get_algo_keylen (int algo)
1976
862
{
1977
862
  size_t n;
1978
1979
862
  if (_gcry_cipher_algo_info (algo, GCRYCTL_GET_KEYLEN, NULL, &n))
1980
0
    n = 0;
1981
862
  return n;
1982
862
}
1983
1984
1985
/* This functions returns the blocklength of the algorithm ALGO
1986
   counted in octets.  On error 0 is returned.
1987
1988
   This is a convenience functions which should be preferred over
1989
   gcry_cipher_algo_info because it allows for proper type
1990
   checking.  */
1991
size_t
1992
_gcry_cipher_get_algo_blklen (int algo)
1993
922
{
1994
922
  size_t n;
1995
1996
922
  if (_gcry_cipher_algo_info( algo, GCRYCTL_GET_BLKLEN, NULL, &n))
1997
0
    n = 0;
1998
922
  return n;
1999
922
}
2000
2001
2002
/* Explicitly initialize this module.  */
2003
gcry_err_code_t
2004
_gcry_cipher_init (void)
2005
10
{
2006
10
  return 0;
2007
10
}
2008
2009
2010
/* Run the selftests for cipher algorithm ALGO with optional reporting
2011
   function REPORT.  */
2012
gpg_error_t
2013
_gcry_cipher_selftest (int algo, int extended, selftest_report_func_t report)
2014
0
{
2015
0
  gcry_err_code_t ec = 0;
2016
0
  gcry_cipher_spec_t *spec;
2017
2018
0
  spec = spec_from_algo (algo);
2019
0
  if (spec && !spec->flags.disabled
2020
0
      && (spec->flags.fips || !fips_mode ())
2021
0
      && spec->selftest)
2022
0
    ec = spec->selftest (algo, extended, report);
2023
0
  else
2024
0
    {
2025
0
      ec = GPG_ERR_CIPHER_ALGO;
2026
0
      if (report)
2027
0
        report ("cipher", algo, "module",
2028
0
                spec && !spec->flags.disabled
2029
0
                && (spec->flags.fips || !fips_mode ())?
2030
0
                "no selftest available" :
2031
0
                spec? "algorithm disabled" : "algorithm not found");
2032
0
    }
2033
2034
0
  return gpg_error (ec);
2035
0
}