1 /*
2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <limits.h>
12 #include <assert.h>
13 #include "internal/cryptlib.h"
14 #include <openssl/evp.h>
15 #include <openssl/err.h>
16 #include <openssl/rand.h>
17 #include <openssl/rand_drbg.h>
18 #include <openssl/engine.h>
19 #include "crypto/evp.h"
20 #include "evp_local.h"
21
EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX * c)22 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
23 {
24 if (c == NULL)
25 return 1;
26 if (c->cipher != NULL) {
27 if (c->cipher->cleanup && !c->cipher->cleanup(c))
28 return 0;
29 /* Cleanse cipher context data */
30 if (c->cipher_data && c->cipher->ctx_size)
31 OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
32 }
33 OPENSSL_free(c->cipher_data);
34 #ifndef OPENSSL_NO_ENGINE
35 ENGINE_finish(c->engine);
36 #endif
37 memset(c, 0, sizeof(*c));
38 return 1;
39 }
40
EVP_CIPHER_CTX_new(void)41 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
42 {
43 return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
44 }
45
EVP_CIPHER_CTX_free(EVP_CIPHER_CTX * ctx)46 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
47 {
48 EVP_CIPHER_CTX_reset(ctx);
49 OPENSSL_free(ctx);
50 }
51
EVP_CipherInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,int enc)52 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
53 const unsigned char *key, const unsigned char *iv, int enc)
54 {
55 if (cipher != NULL)
56 EVP_CIPHER_CTX_reset(ctx);
57 return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc);
58 }
59
EVP_CipherInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv,int enc)60 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
61 ENGINE *impl, const unsigned char *key,
62 const unsigned char *iv, int enc)
63 {
64 if (enc == -1)
65 enc = ctx->encrypt;
66 else {
67 if (enc)
68 enc = 1;
69 ctx->encrypt = enc;
70 }
71 #ifndef OPENSSL_NO_ENGINE
72 /*
73 * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
74 * this context may already have an ENGINE! Try to avoid releasing the
75 * previous handle, re-querying for an ENGINE, and having a
76 * reinitialisation, when it may all be unnecessary.
77 */
78 if (ctx->engine && ctx->cipher
79 && (cipher == NULL || cipher->nid == ctx->cipher->nid))
80 goto skip_to_init;
81 #endif
82 if (cipher) {
83 /*
84 * Ensure a context left lying around from last time is cleared (the
85 * previous check attempted to avoid this if the same ENGINE and
86 * EVP_CIPHER could be used).
87 */
88 if (ctx->cipher
89 #ifndef OPENSSL_NO_ENGINE
90 || ctx->engine
91 #endif
92 || ctx->cipher_data) {
93 unsigned long flags = ctx->flags;
94 EVP_CIPHER_CTX_reset(ctx);
95 /* Restore encrypt and flags */
96 ctx->encrypt = enc;
97 ctx->flags = flags;
98 }
99 #ifndef OPENSSL_NO_ENGINE
100 if (impl) {
101 if (!ENGINE_init(impl)) {
102 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
103 return 0;
104 }
105 } else
106 /* Ask if an ENGINE is reserved for this job */
107 impl = ENGINE_get_cipher_engine(cipher->nid);
108 if (impl) {
109 /* There's an ENGINE for this job ... (apparently) */
110 const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
111 if (!c) {
112 ENGINE_finish(impl);
113 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
114 return 0;
115 }
116 /* We'll use the ENGINE's private cipher definition */
117 cipher = c;
118 /*
119 * Store the ENGINE functional reference so we know 'cipher' came
120 * from an ENGINE and we need to release it when done.
121 */
122 ctx->engine = impl;
123 } else
124 ctx->engine = NULL;
125 #endif
126
127 ctx->cipher = cipher;
128 if (ctx->cipher->ctx_size) {
129 ctx->cipher_data = OPENSSL_zalloc(ctx->cipher->ctx_size);
130 if (ctx->cipher_data == NULL) {
131 ctx->cipher = NULL;
132 EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
133 return 0;
134 }
135 } else {
136 ctx->cipher_data = NULL;
137 }
138 ctx->key_len = cipher->key_len;
139 /* Preserve wrap enable flag, zero everything else */
140 ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
141 if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
142 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
143 ctx->cipher = NULL;
144 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
145 return 0;
146 }
147 }
148 } else if (!ctx->cipher) {
149 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_NO_CIPHER_SET);
150 return 0;
151 }
152 #ifndef OPENSSL_NO_ENGINE
153 skip_to_init:
154 #endif
155 /* we assume block size is a power of 2 in *cryptUpdate */
156 OPENSSL_assert(ctx->cipher->block_size == 1
157 || ctx->cipher->block_size == 8
158 || ctx->cipher->block_size == 16);
159
160 if (!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
161 && EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE) {
162 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_WRAP_MODE_NOT_ALLOWED);
163 return 0;
164 }
165
166 if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_CUSTOM_IV)) {
167 switch (EVP_CIPHER_CTX_mode(ctx)) {
168
169 case EVP_CIPH_STREAM_CIPHER:
170 case EVP_CIPH_ECB_MODE:
171 break;
172
173 case EVP_CIPH_CFB_MODE:
174 case EVP_CIPH_OFB_MODE:
175
176 ctx->num = 0;
177 /* fall-through */
178
179 case EVP_CIPH_CBC_MODE:
180
181 OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <=
182 (int)sizeof(ctx->iv));
183 if (iv)
184 memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));
185 memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
186 break;
187
188 case EVP_CIPH_CTR_MODE:
189 ctx->num = 0;
190 /* Don't reuse IV for CTR mode */
191 if (iv)
192 memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
193 break;
194
195 default:
196 return 0;
197 }
198 }
199
200 if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
201 if (!ctx->cipher->init(ctx, key, iv, enc))
202 return 0;
203 }
204 ctx->buf_len = 0;
205 ctx->final_used = 0;
206 ctx->block_mask = ctx->cipher->block_size - 1;
207 return 1;
208 }
209
EVP_CipherUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)210 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
211 const unsigned char *in, int inl)
212 {
213 if (ctx->encrypt)
214 return EVP_EncryptUpdate(ctx, out, outl, in, inl);
215 else
216 return EVP_DecryptUpdate(ctx, out, outl, in, inl);
217 }
218
EVP_CipherFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)219 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
220 {
221 if (ctx->encrypt)
222 return EVP_EncryptFinal_ex(ctx, out, outl);
223 else
224 return EVP_DecryptFinal_ex(ctx, out, outl);
225 }
226
EVP_CipherFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)227 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
228 {
229 if (ctx->encrypt)
230 return EVP_EncryptFinal(ctx, out, outl);
231 else
232 return EVP_DecryptFinal(ctx, out, outl);
233 }
234
EVP_EncryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)235 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
236 const unsigned char *key, const unsigned char *iv)
237 {
238 return EVP_CipherInit(ctx, cipher, key, iv, 1);
239 }
240
EVP_EncryptInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv)241 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
242 ENGINE *impl, const unsigned char *key,
243 const unsigned char *iv)
244 {
245 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1);
246 }
247
EVP_DecryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)248 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
249 const unsigned char *key, const unsigned char *iv)
250 {
251 return EVP_CipherInit(ctx, cipher, key, iv, 0);
252 }
253
EVP_DecryptInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv)254 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
255 ENGINE *impl, const unsigned char *key,
256 const unsigned char *iv)
257 {
258 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
259 }
260
261 /*
262 * According to the letter of standard difference between pointers
263 * is specified to be valid only within same object. This makes
264 * it formally challenging to determine if input and output buffers
265 * are not partially overlapping with standard pointer arithmetic.
266 */
267 #ifdef PTRDIFF_T
268 # undef PTRDIFF_T
269 #endif
270 #if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64
271 /*
272 * Then we have VMS that distinguishes itself by adhering to
273 * sizeof(size_t)==4 even in 64-bit builds, which means that
274 * difference between two pointers might be truncated to 32 bits.
275 * In the context one can even wonder how comparison for
276 * equality is implemented. To be on the safe side we adhere to
277 * PTRDIFF_T even for comparison for equality.
278 */
279 # define PTRDIFF_T uint64_t
280 #else
281 # define PTRDIFF_T size_t
282 #endif
283
is_partially_overlapping(const void * ptr1,const void * ptr2,int len)284 int is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
285 {
286 PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;
287 /*
288 * Check for partially overlapping buffers. [Binary logical
289 * operations are used instead of boolean to minimize number
290 * of conditional branches.]
291 */
292 int overlapped = (len > 0) & (diff != 0) & ((diff < (PTRDIFF_T)len) |
293 (diff > (0 - (PTRDIFF_T)len)));
294
295 return overlapped;
296 }
297
evp_EncryptDecryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)298 static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
299 unsigned char *out, int *outl,
300 const unsigned char *in, int inl)
301 {
302 int i, j, bl, cmpl = inl;
303
304 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
305 cmpl = (cmpl + 7) / 8;
306
307 bl = ctx->cipher->block_size;
308
309 /*
310 * CCM mode needs to know about the case where inl == 0 && in == NULL - it
311 * means the plaintext/ciphertext length is 0
312 */
313 if (inl < 0
314 || (inl == 0
315 && EVP_CIPHER_mode(ctx->cipher) != EVP_CIPH_CCM_MODE)) {
316 *outl = 0;
317 return inl == 0;
318 }
319
320 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
321 /* If block size > 1 then the cipher will have to do this check */
322 if (bl == 1 && is_partially_overlapping(out, in, cmpl)) {
323 EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
324 return 0;
325 }
326
327 i = ctx->cipher->do_cipher(ctx, out, in, inl);
328 if (i < 0)
329 return 0;
330 else
331 *outl = i;
332 return 1;
333 }
334
335 if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
336 EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
337 return 0;
338 }
339
340 if (ctx->buf_len == 0 && (inl & (ctx->block_mask)) == 0) {
341 if (ctx->cipher->do_cipher(ctx, out, in, inl)) {
342 *outl = inl;
343 return 1;
344 } else {
345 *outl = 0;
346 return 0;
347 }
348 }
349 i = ctx->buf_len;
350 OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
351 if (i != 0) {
352 if (bl - i > inl) {
353 memcpy(&(ctx->buf[i]), in, inl);
354 ctx->buf_len += inl;
355 *outl = 0;
356 return 1;
357 } else {
358 j = bl - i;
359
360 /*
361 * Once we've processed the first j bytes from in, the amount of
362 * data left that is a multiple of the block length is:
363 * (inl - j) & ~(bl - 1)
364 * We must ensure that this amount of data, plus the one block that
365 * we process from ctx->buf does not exceed INT_MAX
366 */
367 if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
368 EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE,
369 EVP_R_OUTPUT_WOULD_OVERFLOW);
370 return 0;
371 }
372 memcpy(&(ctx->buf[i]), in, j);
373 inl -= j;
374 in += j;
375 if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl))
376 return 0;
377 out += bl;
378 *outl = bl;
379 }
380 } else
381 *outl = 0;
382 i = inl & (bl - 1);
383 inl -= i;
384 if (inl > 0) {
385 if (!ctx->cipher->do_cipher(ctx, out, in, inl))
386 return 0;
387 *outl += inl;
388 }
389
390 if (i != 0)
391 memcpy(ctx->buf, &(in[inl]), i);
392 ctx->buf_len = i;
393 return 1;
394 }
395
396
EVP_EncryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)397 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
398 const unsigned char *in, int inl)
399 {
400 /* Prevent accidental use of decryption context when encrypting */
401 if (!ctx->encrypt) {
402 EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION);
403 return 0;
404 }
405
406 return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
407 }
408
EVP_EncryptFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)409 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
410 {
411 int ret;
412 ret = EVP_EncryptFinal_ex(ctx, out, outl);
413 return ret;
414 }
415
EVP_EncryptFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)416 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
417 {
418 int n, ret;
419 unsigned int i, b, bl;
420
421 /* Prevent accidental use of decryption context when encrypting */
422 if (!ctx->encrypt) {
423 EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
424 return 0;
425 }
426
427 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
428 ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
429 if (ret < 0)
430 return 0;
431 else
432 *outl = ret;
433 return 1;
434 }
435
436 b = ctx->cipher->block_size;
437 OPENSSL_assert(b <= sizeof(ctx->buf));
438 if (b == 1) {
439 *outl = 0;
440 return 1;
441 }
442 bl = ctx->buf_len;
443 if (ctx->flags & EVP_CIPH_NO_PADDING) {
444 if (bl) {
445 EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX,
446 EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
447 return 0;
448 }
449 *outl = 0;
450 return 1;
451 }
452
453 n = b - bl;
454 for (i = bl; i < b; i++)
455 ctx->buf[i] = n;
456 ret = ctx->cipher->do_cipher(ctx, out, ctx->buf, b);
457
458 if (ret)
459 *outl = b;
460
461 return ret;
462 }
463
EVP_DecryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)464 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
465 const unsigned char *in, int inl)
466 {
467 int fix_len, cmpl = inl;
468 unsigned int b;
469
470 /* Prevent accidental use of encryption context when decrypting */
471 if (ctx->encrypt) {
472 EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION);
473 return 0;
474 }
475
476 b = ctx->cipher->block_size;
477
478 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
479 cmpl = (cmpl + 7) / 8;
480
481 /*
482 * CCM mode needs to know about the case where inl == 0 - it means the
483 * plaintext/ciphertext length is 0
484 */
485 if (inl < 0
486 || (inl == 0
487 && EVP_CIPHER_mode(ctx->cipher) != EVP_CIPH_CCM_MODE)) {
488 *outl = 0;
489 return inl == 0;
490 }
491
492 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
493 if (b == 1 && is_partially_overlapping(out, in, cmpl)) {
494 EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
495 return 0;
496 }
497
498 fix_len = ctx->cipher->do_cipher(ctx, out, in, inl);
499 if (fix_len < 0) {
500 *outl = 0;
501 return 0;
502 } else
503 *outl = fix_len;
504 return 1;
505 }
506
507 if (ctx->flags & EVP_CIPH_NO_PADDING)
508 return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
509
510 OPENSSL_assert(b <= sizeof(ctx->final));
511
512 if (ctx->final_used) {
513 /* see comment about PTRDIFF_T comparison above */
514 if (((PTRDIFF_T)out == (PTRDIFF_T)in)
515 || is_partially_overlapping(out, in, b)) {
516 EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
517 return 0;
518 }
519 /*
520 * final_used is only ever set if buf_len is 0. Therefore the maximum
521 * length output we will ever see from evp_EncryptDecryptUpdate is
522 * the maximum multiple of the block length that is <= inl, or just:
523 * inl & ~(b - 1)
524 * Since final_used has been set then the final output length is:
525 * (inl & ~(b - 1)) + b
526 * This must never exceed INT_MAX
527 */
528 if ((inl & ~(b - 1)) > INT_MAX - b) {
529 EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);
530 return 0;
531 }
532 memcpy(out, ctx->final, b);
533 out += b;
534 fix_len = 1;
535 } else
536 fix_len = 0;
537
538 if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl))
539 return 0;
540
541 /*
542 * if we have 'decrypted' a multiple of block size, make sure we have a
543 * copy of this last block
544 */
545 if (b > 1 && !ctx->buf_len) {
546 *outl -= b;
547 ctx->final_used = 1;
548 memcpy(ctx->final, &out[*outl], b);
549 } else
550 ctx->final_used = 0;
551
552 if (fix_len)
553 *outl += b;
554
555 return 1;
556 }
557
EVP_DecryptFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)558 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
559 {
560 int ret;
561 ret = EVP_DecryptFinal_ex(ctx, out, outl);
562 return ret;
563 }
564
EVP_DecryptFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)565 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
566 {
567 int i, n;
568 unsigned int b;
569
570 /* Prevent accidental use of encryption context when decrypting */
571 if (ctx->encrypt) {
572 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
573 return 0;
574 }
575
576 *outl = 0;
577
578 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
579 i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
580 if (i < 0)
581 return 0;
582 else
583 *outl = i;
584 return 1;
585 }
586
587 b = ctx->cipher->block_size;
588 if (ctx->flags & EVP_CIPH_NO_PADDING) {
589 if (ctx->buf_len) {
590 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,
591 EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
592 return 0;
593 }
594 *outl = 0;
595 return 1;
596 }
597 if (b > 1) {
598 if (ctx->buf_len || !ctx->final_used) {
599 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_WRONG_FINAL_BLOCK_LENGTH);
600 return 0;
601 }
602 OPENSSL_assert(b <= sizeof(ctx->final));
603
604 /*
605 * The following assumes that the ciphertext has been authenticated.
606 * Otherwise it provides a padding oracle.
607 */
608 n = ctx->final[b - 1];
609 if (n == 0 || n > (int)b) {
610 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
611 return 0;
612 }
613 for (i = 0; i < n; i++) {
614 if (ctx->final[--b] != n) {
615 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
616 return 0;
617 }
618 }
619 n = ctx->cipher->block_size - n;
620 for (i = 0; i < n; i++)
621 out[i] = ctx->final[i];
622 *outl = n;
623 } else
624 *outl = 0;
625 return 1;
626 }
627
EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX * c,int keylen)628 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
629 {
630 if (c->cipher->flags & EVP_CIPH_CUSTOM_KEY_LENGTH)
631 return EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_KEY_LENGTH, keylen, NULL);
632 if (c->key_len == keylen)
633 return 1;
634 if ((keylen > 0) && (c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) {
635 c->key_len = keylen;
636 return 1;
637 }
638 EVPerr(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH, EVP_R_INVALID_KEY_LENGTH);
639 return 0;
640 }
641
EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX * ctx,int pad)642 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
643 {
644 if (pad)
645 ctx->flags &= ~EVP_CIPH_NO_PADDING;
646 else
647 ctx->flags |= EVP_CIPH_NO_PADDING;
648 return 1;
649 }
650
EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX * ctx,int type,int arg,void * ptr)651 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
652 {
653 int ret;
654
655 if (!ctx->cipher) {
656 EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET);
657 return 0;
658 }
659
660 if (!ctx->cipher->ctrl) {
661 EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_CTRL_NOT_IMPLEMENTED);
662 return 0;
663 }
664
665 ret = ctx->cipher->ctrl(ctx, type, arg, ptr);
666 if (ret == -1) {
667 EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL,
668 EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED);
669 return 0;
670 }
671 return ret;
672 }
673
EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX * ctx,unsigned char * key)674 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
675 {
676 if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
677 return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
678 if (RAND_priv_bytes(key, ctx->key_len) <= 0)
679 return 0;
680 return 1;
681 }
682
EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX * out,const EVP_CIPHER_CTX * in)683 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
684 {
685 if ((in == NULL) || (in->cipher == NULL)) {
686 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, EVP_R_INPUT_NOT_INITIALIZED);
687 return 0;
688 }
689 #ifndef OPENSSL_NO_ENGINE
690 /* Make sure it's safe to copy a cipher context using an ENGINE */
691 if (in->engine && !ENGINE_init(in->engine)) {
692 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_ENGINE_LIB);
693 return 0;
694 }
695 #endif
696
697 EVP_CIPHER_CTX_reset(out);
698 memcpy(out, in, sizeof(*out));
699
700 if (in->cipher_data && in->cipher->ctx_size) {
701 out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
702 if (out->cipher_data == NULL) {
703 out->cipher = NULL;
704 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_MALLOC_FAILURE);
705 return 0;
706 }
707 memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
708 }
709
710 if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
711 if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) {
712 out->cipher = NULL;
713 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, EVP_R_INITIALIZATION_ERROR);
714 return 0;
715 }
716 return 1;
717 }
718