1 /*
2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /* We need to use some engine deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12
13 #include <stdio.h>
14 #include <limits.h>
15 #include <assert.h>
16 #include <openssl/evp.h>
17 #include <openssl/err.h>
18 #include <openssl/rand.h>
19 #ifndef FIPS_MODULE
20 # include <openssl/engine.h>
21 #endif
22 #include <openssl/params.h>
23 #include <openssl/core_names.h>
24 #include "internal/cryptlib.h"
25 #include "internal/provider.h"
26 #include "internal/core.h"
27 #include "crypto/evp.h"
28 #include "evp_local.h"
29
EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX * ctx)30 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
31 {
32 if (ctx == NULL)
33 return 1;
34
35 if (ctx->cipher == NULL || ctx->cipher->prov == NULL)
36 goto legacy;
37
38 if (ctx->algctx != NULL) {
39 if (ctx->cipher->freectx != NULL)
40 ctx->cipher->freectx(ctx->algctx);
41 ctx->algctx = NULL;
42 }
43 if (ctx->fetched_cipher != NULL)
44 EVP_CIPHER_free(ctx->fetched_cipher);
45 memset(ctx, 0, sizeof(*ctx));
46 ctx->iv_len = -1;
47
48 return 1;
49
50 /* Remove legacy code below when legacy support is removed. */
51 legacy:
52
53 if (ctx->cipher != NULL) {
54 if (ctx->cipher->cleanup && !ctx->cipher->cleanup(ctx))
55 return 0;
56 /* Cleanse cipher context data */
57 if (ctx->cipher_data && ctx->cipher->ctx_size)
58 OPENSSL_cleanse(ctx->cipher_data, ctx->cipher->ctx_size);
59 }
60 OPENSSL_free(ctx->cipher_data);
61 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
62 ENGINE_finish(ctx->engine);
63 #endif
64 memset(ctx, 0, sizeof(*ctx));
65 ctx->iv_len = -1;
66 return 1;
67 }
68
EVP_CIPHER_CTX_new(void)69 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
70 {
71 return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
72 }
73
EVP_CIPHER_CTX_free(EVP_CIPHER_CTX * ctx)74 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
75 {
76 if (ctx == NULL)
77 return;
78 EVP_CIPHER_CTX_reset(ctx);
79 OPENSSL_free(ctx);
80 }
81
evp_cipher_init_internal(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv,int enc,const OSSL_PARAM params[])82 static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
83 const EVP_CIPHER *cipher,
84 ENGINE *impl, const unsigned char *key,
85 const unsigned char *iv, int enc,
86 const OSSL_PARAM params[])
87 {
88 int n;
89 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
90 ENGINE *tmpimpl = NULL;
91 #endif
92
93 ctx->iv_len = -1;
94
95 /*
96 * enc == 1 means we are encrypting.
97 * enc == 0 means we are decrypting.
98 * enc == -1 means, use the previously initialised value for encrypt/decrypt
99 */
100 if (enc == -1) {
101 enc = ctx->encrypt;
102 } else {
103 if (enc)
104 enc = 1;
105 ctx->encrypt = enc;
106 }
107
108 if (cipher == NULL && ctx->cipher == NULL) {
109 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
110 return 0;
111 }
112
113 /* Code below to be removed when legacy support is dropped. */
114
115 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
116 /*
117 * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
118 * this context may already have an ENGINE! Try to avoid releasing the
119 * previous handle, re-querying for an ENGINE, and having a
120 * reinitialisation, when it may all be unnecessary.
121 */
122 if (ctx->engine && ctx->cipher
123 && (cipher == NULL || cipher->nid == ctx->cipher->nid))
124 goto skip_to_init;
125
126 if (cipher != NULL && impl == NULL) {
127 /* Ask if an ENGINE is reserved for this job */
128 tmpimpl = ENGINE_get_cipher_engine(cipher->nid);
129 }
130 #endif
131
132 /*
133 * If there are engines involved then we should use legacy handling for now.
134 */
135 if (ctx->engine != NULL
136 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
137 || tmpimpl != NULL
138 #endif
139 || impl != NULL
140 || (cipher != NULL && cipher->origin == EVP_ORIG_METH)
141 || (cipher == NULL && ctx->cipher != NULL
142 && ctx->cipher->origin == EVP_ORIG_METH)) {
143 if (ctx->cipher == ctx->fetched_cipher)
144 ctx->cipher = NULL;
145 EVP_CIPHER_free(ctx->fetched_cipher);
146 ctx->fetched_cipher = NULL;
147 goto legacy;
148 }
149 /*
150 * Ensure a context left lying around from last time is cleared
151 * (legacy code)
152 */
153 if (cipher != NULL && ctx->cipher != NULL) {
154 if (ctx->cipher->cleanup != NULL && !ctx->cipher->cleanup(ctx))
155 return 0;
156 OPENSSL_clear_free(ctx->cipher_data, ctx->cipher->ctx_size);
157 ctx->cipher_data = NULL;
158 }
159
160 /* Start of non-legacy code below */
161
162 /* Ensure a context left lying around from last time is cleared */
163 if (cipher != NULL && ctx->cipher != NULL) {
164 unsigned long flags = ctx->flags;
165
166 EVP_CIPHER_CTX_reset(ctx);
167 /* Restore encrypt and flags */
168 ctx->encrypt = enc;
169 ctx->flags = flags;
170 }
171
172 if (cipher == NULL)
173 cipher = ctx->cipher;
174
175 if (cipher->prov == NULL) {
176 #ifdef FIPS_MODULE
177 /* We only do explicit fetches inside the FIPS module */
178 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
179 return 0;
180 #else
181 EVP_CIPHER *provciph =
182 EVP_CIPHER_fetch(NULL,
183 cipher->nid == NID_undef ? "NULL"
184 : OBJ_nid2sn(cipher->nid),
185 "");
186
187 if (provciph == NULL)
188 return 0;
189 cipher = provciph;
190 EVP_CIPHER_free(ctx->fetched_cipher);
191 ctx->fetched_cipher = provciph;
192 #endif
193 }
194
195 if (cipher->prov != NULL) {
196 if (!EVP_CIPHER_up_ref((EVP_CIPHER *)cipher)) {
197 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
198 return 0;
199 }
200 EVP_CIPHER_free(ctx->fetched_cipher);
201 ctx->fetched_cipher = (EVP_CIPHER *)cipher;
202 }
203 ctx->cipher = cipher;
204 if (ctx->algctx == NULL) {
205 ctx->algctx = ctx->cipher->newctx(ossl_provider_ctx(cipher->prov));
206 if (ctx->algctx == NULL) {
207 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
208 return 0;
209 }
210 }
211
212 if ((ctx->flags & EVP_CIPH_NO_PADDING) != 0) {
213 /*
214 * If this ctx was already set up for no padding then we need to tell
215 * the new cipher about it.
216 */
217 if (!EVP_CIPHER_CTX_set_padding(ctx, 0))
218 return 0;
219 }
220
221 #ifndef FIPS_MODULE
222 /*
223 * Fix for CVE-2023-5363
224 * Passing in a size as part of the init call takes effect late
225 * so, force such to occur before the initialisation.
226 *
227 * The FIPS provider's internal library context is used in a manner
228 * such that this is not an issue.
229 */
230 if (params != NULL) {
231 OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
232 OSSL_PARAM_END };
233 OSSL_PARAM *q = param_lens;
234 const OSSL_PARAM *p;
235
236 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
237 if (p != NULL)
238 memcpy(q++, p, sizeof(*q));
239
240 /*
241 * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
242 * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
243 */
244 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
245 if (p != NULL)
246 memcpy(q++, p, sizeof(*q));
247
248 if (q != param_lens) {
249 if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
250 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
251 return 0;
252 }
253 }
254 }
255 #endif
256
257 if (enc) {
258 if (ctx->cipher->einit == NULL) {
259 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
260 return 0;
261 }
262
263 return ctx->cipher->einit(ctx->algctx,
264 key,
265 key == NULL ? 0
266 : EVP_CIPHER_CTX_get_key_length(ctx),
267 iv,
268 iv == NULL ? 0
269 : EVP_CIPHER_CTX_get_iv_length(ctx),
270 params);
271 }
272
273 if (ctx->cipher->dinit == NULL) {
274 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
275 return 0;
276 }
277
278 return ctx->cipher->dinit(ctx->algctx,
279 key,
280 key == NULL ? 0
281 : EVP_CIPHER_CTX_get_key_length(ctx),
282 iv,
283 iv == NULL ? 0
284 : EVP_CIPHER_CTX_get_iv_length(ctx),
285 params);
286
287 /* Code below to be removed when legacy support is dropped. */
288 legacy:
289
290 if (cipher != NULL) {
291 /*
292 * Ensure a context left lying around from last time is cleared (we
293 * previously attempted to avoid this if the same ENGINE and
294 * EVP_CIPHER could be used).
295 */
296 if (ctx->cipher) {
297 unsigned long flags = ctx->flags;
298 EVP_CIPHER_CTX_reset(ctx);
299 /* Restore encrypt and flags */
300 ctx->encrypt = enc;
301 ctx->flags = flags;
302 }
303 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
304 if (impl != NULL) {
305 if (!ENGINE_init(impl)) {
306 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
307 return 0;
308 }
309 } else {
310 impl = tmpimpl;
311 }
312 if (impl != NULL) {
313 /* There's an ENGINE for this job ... (apparently) */
314 const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
315
316 if (c == NULL) {
317 /*
318 * One positive side-effect of US's export control history,
319 * is that we should at least be able to avoid using US
320 * misspellings of "initialisation"?
321 */
322 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
323 return 0;
324 }
325 /* We'll use the ENGINE's private cipher definition */
326 cipher = c;
327 /*
328 * Store the ENGINE functional reference so we know 'cipher' came
329 * from an ENGINE and we need to release it when done.
330 */
331 ctx->engine = impl;
332 } else {
333 ctx->engine = NULL;
334 }
335 #endif
336
337 ctx->cipher = cipher;
338 if (ctx->cipher->ctx_size) {
339 ctx->cipher_data = OPENSSL_zalloc(ctx->cipher->ctx_size);
340 if (ctx->cipher_data == NULL) {
341 ctx->cipher = NULL;
342 ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
343 return 0;
344 }
345 } else {
346 ctx->cipher_data = NULL;
347 }
348 ctx->key_len = cipher->key_len;
349 /* Preserve wrap enable flag, zero everything else */
350 ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
351 if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
352 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL) <= 0) {
353 ctx->cipher = NULL;
354 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
355 return 0;
356 }
357 }
358 }
359 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
360 skip_to_init:
361 #endif
362 if (ctx->cipher == NULL)
363 return 0;
364
365 /* we assume block size is a power of 2 in *cryptUpdate */
366 OPENSSL_assert(ctx->cipher->block_size == 1
367 || ctx->cipher->block_size == 8
368 || ctx->cipher->block_size == 16);
369
370 if (!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
371 && EVP_CIPHER_CTX_get_mode(ctx) == EVP_CIPH_WRAP_MODE) {
372 ERR_raise(ERR_LIB_EVP, EVP_R_WRAP_MODE_NOT_ALLOWED);
373 return 0;
374 }
375
376 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx))
377 & EVP_CIPH_CUSTOM_IV) == 0) {
378 switch (EVP_CIPHER_CTX_get_mode(ctx)) {
379
380 case EVP_CIPH_STREAM_CIPHER:
381 case EVP_CIPH_ECB_MODE:
382 break;
383
384 case EVP_CIPH_CFB_MODE:
385 case EVP_CIPH_OFB_MODE:
386
387 ctx->num = 0;
388 /* fall-through */
389
390 case EVP_CIPH_CBC_MODE:
391 n = EVP_CIPHER_CTX_get_iv_length(ctx);
392 if (n < 0 || n > (int)sizeof(ctx->iv)) {
393 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
394 return 0;
395 }
396 if (iv != NULL)
397 memcpy(ctx->oiv, iv, n);
398 memcpy(ctx->iv, ctx->oiv, n);
399 break;
400
401 case EVP_CIPH_CTR_MODE:
402 ctx->num = 0;
403 /* Don't reuse IV for CTR mode */
404 if (iv != NULL) {
405 n = EVP_CIPHER_CTX_get_iv_length(ctx);
406 if (n <= 0 || n > (int)sizeof(ctx->iv)) {
407 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
408 return 0;
409 }
410 memcpy(ctx->iv, iv, n);
411 }
412 break;
413
414 default:
415 return 0;
416 }
417 }
418
419 if (key != NULL || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
420 if (!ctx->cipher->init(ctx, key, iv, enc))
421 return 0;
422 }
423 ctx->buf_len = 0;
424 ctx->final_used = 0;
425 ctx->block_mask = ctx->cipher->block_size - 1;
426 return 1;
427 }
428
EVP_CipherInit_ex2(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,int enc,const OSSL_PARAM params[])429 int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
430 const unsigned char *key, const unsigned char *iv,
431 int enc, const OSSL_PARAM params[])
432 {
433 return evp_cipher_init_internal(ctx, cipher, NULL, key, iv, enc, params);
434 }
435
EVP_CipherInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,int enc)436 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
437 const unsigned char *key, const unsigned char *iv, int enc)
438 {
439 if (cipher != NULL)
440 EVP_CIPHER_CTX_reset(ctx);
441 return evp_cipher_init_internal(ctx, cipher, NULL, key, iv, enc, NULL);
442 }
443
EVP_CipherInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv,int enc)444 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
445 ENGINE *impl, const unsigned char *key,
446 const unsigned char *iv, int enc)
447 {
448 return evp_cipher_init_internal(ctx, cipher, impl, key, iv, enc, NULL);
449 }
450
EVP_CipherUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)451 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
452 const unsigned char *in, int inl)
453 {
454 if (ctx->encrypt)
455 return EVP_EncryptUpdate(ctx, out, outl, in, inl);
456 else
457 return EVP_DecryptUpdate(ctx, out, outl, in, inl);
458 }
459
EVP_CipherFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)460 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
461 {
462 if (ctx->encrypt)
463 return EVP_EncryptFinal_ex(ctx, out, outl);
464 else
465 return EVP_DecryptFinal_ex(ctx, out, outl);
466 }
467
EVP_CipherFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)468 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
469 {
470 if (ctx->encrypt)
471 return EVP_EncryptFinal(ctx, out, outl);
472 else
473 return EVP_DecryptFinal(ctx, out, outl);
474 }
475
EVP_EncryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)476 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
477 const unsigned char *key, const unsigned char *iv)
478 {
479 return EVP_CipherInit(ctx, cipher, key, iv, 1);
480 }
481
EVP_EncryptInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv)482 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
483 ENGINE *impl, const unsigned char *key,
484 const unsigned char *iv)
485 {
486 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1);
487 }
488
EVP_EncryptInit_ex2(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,const OSSL_PARAM params[])489 int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
490 const unsigned char *key, const unsigned char *iv,
491 const OSSL_PARAM params[])
492 {
493 return EVP_CipherInit_ex2(ctx, cipher, key, iv, 1, params);
494 }
495
EVP_DecryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)496 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
497 const unsigned char *key, const unsigned char *iv)
498 {
499 return EVP_CipherInit(ctx, cipher, key, iv, 0);
500 }
501
EVP_DecryptInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv)502 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
503 ENGINE *impl, const unsigned char *key,
504 const unsigned char *iv)
505 {
506 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
507 }
508
EVP_DecryptInit_ex2(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,const OSSL_PARAM params[])509 int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
510 const unsigned char *key, const unsigned char *iv,
511 const OSSL_PARAM params[])
512 {
513 return EVP_CipherInit_ex2(ctx, cipher, key, iv, 0, params);
514 }
515
516 /*
517 * According to the letter of standard difference between pointers
518 * is specified to be valid only within same object. This makes
519 * it formally challenging to determine if input and output buffers
520 * are not partially overlapping with standard pointer arithmetic.
521 */
522 #ifdef PTRDIFF_T
523 # undef PTRDIFF_T
524 #endif
525 #if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64
526 /*
527 * Then we have VMS that distinguishes itself by adhering to
528 * sizeof(size_t)==4 even in 64-bit builds, which means that
529 * difference between two pointers might be truncated to 32 bits.
530 * In the context one can even wonder how comparison for
531 * equality is implemented. To be on the safe side we adhere to
532 * PTRDIFF_T even for comparison for equality.
533 */
534 # define PTRDIFF_T uint64_t
535 #else
536 # define PTRDIFF_T size_t
537 #endif
538
ossl_is_partially_overlapping(const void * ptr1,const void * ptr2,int len)539 int ossl_is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
540 {
541 PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;
542 /*
543 * Check for partially overlapping buffers. [Binary logical
544 * operations are used instead of boolean to minimize number
545 * of conditional branches.]
546 */
547 int overlapped = (len > 0) & (diff != 0) & ((diff < (PTRDIFF_T)len) |
548 (diff > (0 - (PTRDIFF_T)len)));
549
550 return overlapped;
551 }
552
evp_EncryptDecryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)553 static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
554 unsigned char *out, int *outl,
555 const unsigned char *in, int inl)
556 {
557 int i, j, bl, cmpl = inl;
558
559 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
560 cmpl = (cmpl + 7) / 8;
561
562 bl = ctx->cipher->block_size;
563
564 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
565 /* If block size > 1 then the cipher will have to do this check */
566 if (bl == 1 && ossl_is_partially_overlapping(out, in, cmpl)) {
567 ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
568 return 0;
569 }
570
571 i = ctx->cipher->do_cipher(ctx, out, in, inl);
572 if (i < 0)
573 return 0;
574 else
575 *outl = i;
576 return 1;
577 }
578
579 if (inl <= 0) {
580 *outl = 0;
581 return inl == 0;
582 }
583 if (ossl_is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
584 ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
585 return 0;
586 }
587
588 if (ctx->buf_len == 0 && (inl & (ctx->block_mask)) == 0) {
589 if (ctx->cipher->do_cipher(ctx, out, in, inl)) {
590 *outl = inl;
591 return 1;
592 } else {
593 *outl = 0;
594 return 0;
595 }
596 }
597 i = ctx->buf_len;
598 OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
599 if (i != 0) {
600 if (bl - i > inl) {
601 memcpy(&(ctx->buf[i]), in, inl);
602 ctx->buf_len += inl;
603 *outl = 0;
604 return 1;
605 } else {
606 j = bl - i;
607
608 /*
609 * Once we've processed the first j bytes from in, the amount of
610 * data left that is a multiple of the block length is:
611 * (inl - j) & ~(bl - 1)
612 * We must ensure that this amount of data, plus the one block that
613 * we process from ctx->buf does not exceed INT_MAX
614 */
615 if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
616 ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW);
617 return 0;
618 }
619 memcpy(&(ctx->buf[i]), in, j);
620 inl -= j;
621 in += j;
622 if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl))
623 return 0;
624 out += bl;
625 *outl = bl;
626 }
627 } else
628 *outl = 0;
629 i = inl & (bl - 1);
630 inl -= i;
631 if (inl > 0) {
632 if (!ctx->cipher->do_cipher(ctx, out, in, inl))
633 return 0;
634 *outl += inl;
635 }
636
637 if (i != 0)
638 memcpy(ctx->buf, &(in[inl]), i);
639 ctx->buf_len = i;
640 return 1;
641 }
642
643
EVP_EncryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)644 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
645 const unsigned char *in, int inl)
646 {
647 int ret;
648 size_t soutl, inl_ = (size_t)inl;
649 int blocksize;
650
651 if (outl != NULL) {
652 *outl = 0;
653 } else {
654 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
655 return 0;
656 }
657
658 /* Prevent accidental use of decryption context when encrypting */
659 if (!ctx->encrypt) {
660 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
661 return 0;
662 }
663
664 if (ctx->cipher == NULL) {
665 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
666 return 0;
667 }
668
669 if (ctx->cipher->prov == NULL)
670 goto legacy;
671
672 blocksize = ctx->cipher->block_size;
673
674 if (ctx->cipher->cupdate == NULL || blocksize < 1) {
675 ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
676 return 0;
677 }
678
679 ret = ctx->cipher->cupdate(ctx->algctx, out, &soutl,
680 inl_ + (size_t)(blocksize == 1 ? 0 : blocksize),
681 in, inl_);
682
683 if (ret) {
684 if (soutl > INT_MAX) {
685 ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
686 return 0;
687 }
688 *outl = soutl;
689 }
690
691 return ret;
692
693 /* Code below to be removed when legacy support is dropped. */
694 legacy:
695
696 return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
697 }
698
EVP_EncryptFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)699 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
700 {
701 int ret;
702 ret = EVP_EncryptFinal_ex(ctx, out, outl);
703 return ret;
704 }
705
EVP_EncryptFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)706 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
707 {
708 int n, ret;
709 unsigned int i, b, bl;
710 size_t soutl;
711 int blocksize;
712
713 if (outl != NULL) {
714 *outl = 0;
715 } else {
716 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
717 return 0;
718 }
719
720 /* Prevent accidental use of decryption context when encrypting */
721 if (!ctx->encrypt) {
722 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
723 return 0;
724 }
725
726 if (ctx->cipher == NULL) {
727 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
728 return 0;
729 }
730 if (ctx->cipher->prov == NULL)
731 goto legacy;
732
733 blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
734
735 if (blocksize < 1 || ctx->cipher->cfinal == NULL) {
736 ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
737 return 0;
738 }
739
740 ret = ctx->cipher->cfinal(ctx->algctx, out, &soutl,
741 blocksize == 1 ? 0 : blocksize);
742
743 if (ret) {
744 if (soutl > INT_MAX) {
745 ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
746 return 0;
747 }
748 *outl = soutl;
749 }
750
751 return ret;
752
753 /* Code below to be removed when legacy support is dropped. */
754 legacy:
755
756 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
757 ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
758 if (ret < 0)
759 return 0;
760 else
761 *outl = ret;
762 return 1;
763 }
764
765 b = ctx->cipher->block_size;
766 OPENSSL_assert(b <= sizeof(ctx->buf));
767 if (b == 1) {
768 *outl = 0;
769 return 1;
770 }
771 bl = ctx->buf_len;
772 if (ctx->flags & EVP_CIPH_NO_PADDING) {
773 if (bl) {
774 ERR_raise(ERR_LIB_EVP, EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
775 return 0;
776 }
777 *outl = 0;
778 return 1;
779 }
780
781 n = b - bl;
782 for (i = bl; i < b; i++)
783 ctx->buf[i] = n;
784 ret = ctx->cipher->do_cipher(ctx, out, ctx->buf, b);
785
786 if (ret)
787 *outl = b;
788
789 return ret;
790 }
791
EVP_DecryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)792 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
793 const unsigned char *in, int inl)
794 {
795 int fix_len, cmpl = inl, ret;
796 unsigned int b;
797 size_t soutl, inl_ = (size_t)inl;
798 int blocksize;
799
800 if (outl != NULL) {
801 *outl = 0;
802 } else {
803 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
804 return 0;
805 }
806
807 /* Prevent accidental use of encryption context when decrypting */
808 if (ctx->encrypt) {
809 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
810 return 0;
811 }
812
813 if (ctx->cipher == NULL) {
814 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
815 return 0;
816 }
817 if (ctx->cipher->prov == NULL)
818 goto legacy;
819
820 blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
821
822 if (ctx->cipher->cupdate == NULL || blocksize < 1) {
823 ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
824 return 0;
825 }
826 ret = ctx->cipher->cupdate(ctx->algctx, out, &soutl,
827 inl_ + (size_t)(blocksize == 1 ? 0 : blocksize),
828 in, inl_);
829
830 if (ret) {
831 if (soutl > INT_MAX) {
832 ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
833 return 0;
834 }
835 *outl = soutl;
836 }
837
838 return ret;
839
840 /* Code below to be removed when legacy support is dropped. */
841 legacy:
842
843 b = ctx->cipher->block_size;
844
845 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
846 cmpl = (cmpl + 7) / 8;
847
848 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
849 if (b == 1 && ossl_is_partially_overlapping(out, in, cmpl)) {
850 ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
851 return 0;
852 }
853
854 fix_len = ctx->cipher->do_cipher(ctx, out, in, inl);
855 if (fix_len < 0) {
856 *outl = 0;
857 return 0;
858 } else
859 *outl = fix_len;
860 return 1;
861 }
862
863 if (inl <= 0) {
864 *outl = 0;
865 return inl == 0;
866 }
867
868 if (ctx->flags & EVP_CIPH_NO_PADDING)
869 return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
870
871 OPENSSL_assert(b <= sizeof(ctx->final));
872
873 if (ctx->final_used) {
874 /* see comment about PTRDIFF_T comparison above */
875 if (((PTRDIFF_T)out == (PTRDIFF_T)in)
876 || ossl_is_partially_overlapping(out, in, b)) {
877 ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
878 return 0;
879 }
880 /*
881 * final_used is only ever set if buf_len is 0. Therefore the maximum
882 * length output we will ever see from evp_EncryptDecryptUpdate is
883 * the maximum multiple of the block length that is <= inl, or just:
884 * inl & ~(b - 1)
885 * Since final_used has been set then the final output length is:
886 * (inl & ~(b - 1)) + b
887 * This must never exceed INT_MAX
888 */
889 if ((inl & ~(b - 1)) > INT_MAX - b) {
890 ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW);
891 return 0;
892 }
893 memcpy(out, ctx->final, b);
894 out += b;
895 fix_len = 1;
896 } else
897 fix_len = 0;
898
899 if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl))
900 return 0;
901
902 /*
903 * if we have 'decrypted' a multiple of block size, make sure we have a
904 * copy of this last block
905 */
906 if (b > 1 && !ctx->buf_len) {
907 *outl -= b;
908 ctx->final_used = 1;
909 memcpy(ctx->final, &out[*outl], b);
910 } else
911 ctx->final_used = 0;
912
913 if (fix_len)
914 *outl += b;
915
916 return 1;
917 }
918
EVP_DecryptFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)919 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
920 {
921 int ret;
922 ret = EVP_DecryptFinal_ex(ctx, out, outl);
923 return ret;
924 }
925
EVP_DecryptFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)926 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
927 {
928 int i, n;
929 unsigned int b;
930 size_t soutl;
931 int ret;
932 int blocksize;
933
934 if (outl != NULL) {
935 *outl = 0;
936 } else {
937 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
938 return 0;
939 }
940
941 /* Prevent accidental use of encryption context when decrypting */
942 if (ctx->encrypt) {
943 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
944 return 0;
945 }
946
947 if (ctx->cipher == NULL) {
948 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
949 return 0;
950 }
951
952 if (ctx->cipher->prov == NULL)
953 goto legacy;
954
955 blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
956
957 if (blocksize < 1 || ctx->cipher->cfinal == NULL) {
958 ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
959 return 0;
960 }
961
962 ret = ctx->cipher->cfinal(ctx->algctx, out, &soutl,
963 blocksize == 1 ? 0 : blocksize);
964
965 if (ret) {
966 if (soutl > INT_MAX) {
967 ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
968 return 0;
969 }
970 *outl = soutl;
971 }
972
973 return ret;
974
975 /* Code below to be removed when legacy support is dropped. */
976 legacy:
977
978 *outl = 0;
979 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
980 i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
981 if (i < 0)
982 return 0;
983 else
984 *outl = i;
985 return 1;
986 }
987
988 b = ctx->cipher->block_size;
989 if (ctx->flags & EVP_CIPH_NO_PADDING) {
990 if (ctx->buf_len) {
991 ERR_raise(ERR_LIB_EVP, EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
992 return 0;
993 }
994 *outl = 0;
995 return 1;
996 }
997 if (b > 1) {
998 if (ctx->buf_len || !ctx->final_used) {
999 ERR_raise(ERR_LIB_EVP, EVP_R_WRONG_FINAL_BLOCK_LENGTH);
1000 return 0;
1001 }
1002 OPENSSL_assert(b <= sizeof(ctx->final));
1003
1004 /*
1005 * The following assumes that the ciphertext has been authenticated.
1006 * Otherwise it provides a padding oracle.
1007 */
1008 n = ctx->final[b - 1];
1009 if (n == 0 || n > (int)b) {
1010 ERR_raise(ERR_LIB_EVP, EVP_R_BAD_DECRYPT);
1011 return 0;
1012 }
1013 for (i = 0; i < n; i++) {
1014 if (ctx->final[--b] != n) {
1015 ERR_raise(ERR_LIB_EVP, EVP_R_BAD_DECRYPT);
1016 return 0;
1017 }
1018 }
1019 n = ctx->cipher->block_size - n;
1020 for (i = 0; i < n; i++)
1021 out[i] = ctx->final[i];
1022 *outl = n;
1023 } else
1024 *outl = 0;
1025 return 1;
1026 }
1027
EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX * c,int keylen)1028 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
1029 {
1030 if (c->cipher->prov != NULL) {
1031 int ok;
1032 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
1033 size_t len = keylen;
1034
1035 if (EVP_CIPHER_CTX_get_key_length(c) == keylen)
1036 return 1;
1037
1038 /* Check the cipher actually understands this parameter */
1039 if (OSSL_PARAM_locate_const(EVP_CIPHER_settable_ctx_params(c->cipher),
1040 OSSL_CIPHER_PARAM_KEYLEN) == NULL) {
1041 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1042 return 0;
1043 }
1044
1045 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &len);
1046 ok = evp_do_ciph_ctx_setparams(c->cipher, c->algctx, params);
1047
1048 return ok > 0 ? 1 : 0;
1049 }
1050
1051 /* Code below to be removed when legacy support is dropped. */
1052
1053 /*
1054 * Note there have never been any built-in ciphers that define this flag
1055 * since it was first introduced.
1056 */
1057 if (c->cipher->flags & EVP_CIPH_CUSTOM_KEY_LENGTH)
1058 return EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_KEY_LENGTH, keylen, NULL);
1059 if (EVP_CIPHER_CTX_get_key_length(c) == keylen)
1060 return 1;
1061 if ((keylen > 0) && (c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) {
1062 c->key_len = keylen;
1063 return 1;
1064 }
1065 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1066 return 0;
1067 }
1068
EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX * ctx,int pad)1069 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
1070 {
1071 int ok;
1072 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
1073 unsigned int pd = pad;
1074
1075 if (pad)
1076 ctx->flags &= ~EVP_CIPH_NO_PADDING;
1077 else
1078 ctx->flags |= EVP_CIPH_NO_PADDING;
1079
1080 if (ctx->cipher != NULL && ctx->cipher->prov == NULL)
1081 return 1;
1082 params[0] = OSSL_PARAM_construct_uint(OSSL_CIPHER_PARAM_PADDING, &pd);
1083 ok = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1084
1085 return ok != 0;
1086 }
1087
EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX * ctx,int type,int arg,void * ptr)1088 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
1089 {
1090 int ret = EVP_CTRL_RET_UNSUPPORTED;
1091 int set_params = 1;
1092 size_t sz = arg;
1093 unsigned int i;
1094 OSSL_PARAM params[4] = {
1095 OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
1096 };
1097
1098 if (ctx == NULL || ctx->cipher == NULL) {
1099 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
1100 return 0;
1101 }
1102
1103 if (ctx->cipher->prov == NULL)
1104 goto legacy;
1105
1106 switch (type) {
1107 case EVP_CTRL_SET_KEY_LENGTH:
1108 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &sz);
1109 break;
1110 case EVP_CTRL_RAND_KEY: /* Used by DES */
1111 set_params = 0;
1112 params[0] =
1113 OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_RANDOM_KEY,
1114 ptr, sz);
1115 break;
1116
1117 case EVP_CTRL_INIT:
1118 /*
1119 * EVP_CTRL_INIT is purely legacy, no provider counterpart.
1120 * As a matter of fact, this should be dead code, but some caller
1121 * might still do a direct control call with this command, so...
1122 * Legacy methods return 1 except for exceptional circumstances, so
1123 * we do the same here to not be disruptive.
1124 */
1125 return 1;
1126 case EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS: /* Used by DASYNC */
1127 default:
1128 goto end;
1129 case EVP_CTRL_AEAD_SET_IVLEN:
1130 if (arg < 0)
1131 return 0;
1132 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, &sz);
1133 ctx->iv_len = -1;
1134 break;
1135 case EVP_CTRL_CCM_SET_L:
1136 if (arg < 2 || arg > 8)
1137 return 0;
1138 sz = 15 - arg;
1139 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, &sz);
1140 ctx->iv_len = -1;
1141 break;
1142 case EVP_CTRL_AEAD_SET_IV_FIXED:
1143 params[0] = OSSL_PARAM_construct_octet_string(
1144 OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, ptr, sz);
1145 break;
1146 case EVP_CTRL_GCM_IV_GEN:
1147 set_params = 0;
1148 if (arg < 0)
1149 sz = 0; /* special case that uses the iv length */
1150 params[0] = OSSL_PARAM_construct_octet_string(
1151 OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, ptr, sz);
1152 break;
1153 case EVP_CTRL_GCM_SET_IV_INV:
1154 if (arg < 0)
1155 return 0;
1156 params[0] = OSSL_PARAM_construct_octet_string(
1157 OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV, ptr, sz);
1158 break;
1159 case EVP_CTRL_GET_RC5_ROUNDS:
1160 set_params = 0; /* Fall thru */
1161 case EVP_CTRL_SET_RC5_ROUNDS:
1162 if (arg < 0)
1163 return 0;
1164 i = (unsigned int)arg;
1165 params[0] = OSSL_PARAM_construct_uint(OSSL_CIPHER_PARAM_ROUNDS, &i);
1166 break;
1167 case EVP_CTRL_SET_SPEED:
1168 if (arg < 0)
1169 return 0;
1170 i = (unsigned int)arg;
1171 params[0] = OSSL_PARAM_construct_uint(OSSL_CIPHER_PARAM_SPEED, &i);
1172 break;
1173 case EVP_CTRL_AEAD_GET_TAG:
1174 set_params = 0; /* Fall thru */
1175 case EVP_CTRL_AEAD_SET_TAG:
1176 params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
1177 ptr, sz);
1178 break;
1179 case EVP_CTRL_AEAD_TLS1_AAD:
1180 /* This one does a set and a get - since it returns a size */
1181 params[0] =
1182 OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD,
1183 ptr, sz);
1184 ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1185 if (ret <= 0)
1186 goto end;
1187 params[0] =
1188 OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, &sz);
1189 ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1190 if (ret <= 0)
1191 goto end;
1192 return sz;
1193 #ifndef OPENSSL_NO_RC2
1194 case EVP_CTRL_GET_RC2_KEY_BITS:
1195 set_params = 0; /* Fall thru */
1196 case EVP_CTRL_SET_RC2_KEY_BITS:
1197 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_RC2_KEYBITS, &sz);
1198 break;
1199 #endif /* OPENSSL_NO_RC2 */
1200 #if !defined(OPENSSL_NO_MULTIBLOCK)
1201 case EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE:
1202 params[0] = OSSL_PARAM_construct_size_t(
1203 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT, &sz);
1204 ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1205 if (ret <= 0)
1206 return 0;
1207
1208 params[0] = OSSL_PARAM_construct_size_t(
1209 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE, &sz);
1210 params[1] = OSSL_PARAM_construct_end();
1211 ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1212 if (ret <= 0)
1213 return 0;
1214 return sz;
1215 case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD: {
1216 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *p =
1217 (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr;
1218
1219 if (arg < (int)sizeof(EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM))
1220 return 0;
1221
1222 params[0] = OSSL_PARAM_construct_octet_string(
1223 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD, (void*)p->inp, p->len);
1224 params[1] = OSSL_PARAM_construct_uint(
1225 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave);
1226 ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1227 if (ret <= 0)
1228 return ret;
1229 /* Retrieve the return values changed by the set */
1230 params[0] = OSSL_PARAM_construct_size_t(
1231 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN, &sz);
1232 params[1] = OSSL_PARAM_construct_uint(
1233 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave);
1234 params[2] = OSSL_PARAM_construct_end();
1235 ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1236 if (ret <= 0)
1237 return 0;
1238 return sz;
1239 }
1240 case EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT: {
1241 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *p =
1242 (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr;
1243
1244 params[0] = OSSL_PARAM_construct_octet_string(
1245 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC, p->out, p->len);
1246
1247 params[1] = OSSL_PARAM_construct_octet_string(
1248 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN, (void*)p->inp,
1249 p->len);
1250 params[2] = OSSL_PARAM_construct_uint(
1251 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave);
1252 ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1253 if (ret <= 0)
1254 return ret;
1255 params[0] = OSSL_PARAM_construct_size_t(
1256 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN, &sz);
1257 params[1] = OSSL_PARAM_construct_end();
1258 ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1259 if (ret <= 0)
1260 return 0;
1261 return sz;
1262 }
1263 #endif /* OPENSSL_NO_MULTIBLOCK */
1264 case EVP_CTRL_AEAD_SET_MAC_KEY:
1265 if (arg < 0)
1266 return -1;
1267 params[0] = OSSL_PARAM_construct_octet_string(
1268 OSSL_CIPHER_PARAM_AEAD_MAC_KEY, ptr, sz);
1269 break;
1270 }
1271
1272 if (set_params)
1273 ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1274 else
1275 ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1276 goto end;
1277
1278 /* Code below to be removed when legacy support is dropped. */
1279 legacy:
1280 if (ctx->cipher->ctrl == NULL) {
1281 ERR_raise(ERR_LIB_EVP, EVP_R_CTRL_NOT_IMPLEMENTED);
1282 return 0;
1283 }
1284
1285 ret = ctx->cipher->ctrl(ctx, type, arg, ptr);
1286
1287 end:
1288 if (ret == EVP_CTRL_RET_UNSUPPORTED) {
1289 ERR_raise(ERR_LIB_EVP, EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED);
1290 return 0;
1291 }
1292 return ret;
1293 }
1294
EVP_CIPHER_get_params(EVP_CIPHER * cipher,OSSL_PARAM params[])1295 int EVP_CIPHER_get_params(EVP_CIPHER *cipher, OSSL_PARAM params[])
1296 {
1297 if (cipher != NULL && cipher->get_params != NULL)
1298 return cipher->get_params(params);
1299 return 0;
1300 }
1301
EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX * ctx,const OSSL_PARAM params[])1302 int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[])
1303 {
1304 if (ctx->cipher != NULL && ctx->cipher->set_ctx_params != NULL) {
1305 ctx->iv_len = -1;
1306 return ctx->cipher->set_ctx_params(ctx->algctx, params);
1307 }
1308 return 0;
1309 }
1310
EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX * ctx,OSSL_PARAM params[])1311 int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[])
1312 {
1313 if (ctx->cipher != NULL && ctx->cipher->get_ctx_params != NULL)
1314 return ctx->cipher->get_ctx_params(ctx->algctx, params);
1315 return 0;
1316 }
1317
EVP_CIPHER_gettable_params(const EVP_CIPHER * cipher)1318 const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher)
1319 {
1320 if (cipher != NULL && cipher->gettable_params != NULL)
1321 return cipher->gettable_params(
1322 ossl_provider_ctx(EVP_CIPHER_get0_provider(cipher)));
1323 return NULL;
1324 }
1325
EVP_CIPHER_settable_ctx_params(const EVP_CIPHER * cipher)1326 const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher)
1327 {
1328 void *provctx;
1329
1330 if (cipher != NULL && cipher->settable_ctx_params != NULL) {
1331 provctx = ossl_provider_ctx(EVP_CIPHER_get0_provider(cipher));
1332 return cipher->settable_ctx_params(NULL, provctx);
1333 }
1334 return NULL;
1335 }
1336
EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER * cipher)1337 const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher)
1338 {
1339 void *provctx;
1340
1341 if (cipher != NULL && cipher->gettable_ctx_params != NULL) {
1342 provctx = ossl_provider_ctx(EVP_CIPHER_get0_provider(cipher));
1343 return cipher->gettable_ctx_params(NULL, provctx);
1344 }
1345 return NULL;
1346 }
1347
EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX * cctx)1348 const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *cctx)
1349 {
1350 void *alg;
1351
1352 if (cctx != NULL && cctx->cipher->settable_ctx_params != NULL) {
1353 alg = ossl_provider_ctx(EVP_CIPHER_get0_provider(cctx->cipher));
1354 return cctx->cipher->settable_ctx_params(cctx->algctx, alg);
1355 }
1356 return NULL;
1357 }
1358
EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX * cctx)1359 const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *cctx)
1360 {
1361 void *provctx;
1362
1363 if (cctx != NULL && cctx->cipher->gettable_ctx_params != NULL) {
1364 provctx = ossl_provider_ctx(EVP_CIPHER_get0_provider(cctx->cipher));
1365 return cctx->cipher->gettable_ctx_params(cctx->algctx, provctx);
1366 }
1367 return NULL;
1368 }
1369
1370 #ifndef FIPS_MODULE
EVP_CIPHER_CTX_get_libctx(EVP_CIPHER_CTX * ctx)1371 static OSSL_LIB_CTX *EVP_CIPHER_CTX_get_libctx(EVP_CIPHER_CTX *ctx)
1372 {
1373 const EVP_CIPHER *cipher = ctx->cipher;
1374 const OSSL_PROVIDER *prov;
1375
1376 if (cipher == NULL)
1377 return NULL;
1378
1379 prov = EVP_CIPHER_get0_provider(cipher);
1380 return ossl_provider_libctx(prov);
1381 }
1382 #endif
1383
EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX * ctx,unsigned char * key)1384 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
1385 {
1386 if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
1387 return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
1388
1389 #ifdef FIPS_MODULE
1390 return 0;
1391 #else
1392 {
1393 int kl;
1394 OSSL_LIB_CTX *libctx = EVP_CIPHER_CTX_get_libctx(ctx);
1395
1396 kl = EVP_CIPHER_CTX_get_key_length(ctx);
1397 if (kl <= 0 || RAND_priv_bytes_ex(libctx, key, kl, 0) <= 0)
1398 return 0;
1399 return 1;
1400 }
1401 #endif /* FIPS_MODULE */
1402 }
1403
EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX * out,const EVP_CIPHER_CTX * in)1404 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
1405 {
1406 if ((in == NULL) || (in->cipher == NULL)) {
1407 ERR_raise(ERR_LIB_EVP, EVP_R_INPUT_NOT_INITIALIZED);
1408 return 0;
1409 }
1410
1411 if (in->cipher->prov == NULL)
1412 goto legacy;
1413
1414 if (in->cipher->dupctx == NULL) {
1415 ERR_raise(ERR_LIB_EVP, EVP_R_NOT_ABLE_TO_COPY_CTX);
1416 return 0;
1417 }
1418
1419 EVP_CIPHER_CTX_reset(out);
1420
1421 *out = *in;
1422 out->algctx = NULL;
1423
1424 if (in->fetched_cipher != NULL && !EVP_CIPHER_up_ref(in->fetched_cipher)) {
1425 out->fetched_cipher = NULL;
1426 return 0;
1427 }
1428
1429 out->algctx = in->cipher->dupctx(in->algctx);
1430 if (out->algctx == NULL) {
1431 ERR_raise(ERR_LIB_EVP, EVP_R_NOT_ABLE_TO_COPY_CTX);
1432 return 0;
1433 }
1434
1435 return 1;
1436
1437 /* Code below to be removed when legacy support is dropped. */
1438 legacy:
1439
1440 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
1441 /* Make sure it's safe to copy a cipher context using an ENGINE */
1442 if (in->engine && !ENGINE_init(in->engine)) {
1443 ERR_raise(ERR_LIB_EVP, ERR_R_ENGINE_LIB);
1444 return 0;
1445 }
1446 #endif
1447
1448 EVP_CIPHER_CTX_reset(out);
1449 memcpy(out, in, sizeof(*out));
1450
1451 if (in->cipher_data && in->cipher->ctx_size) {
1452 out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
1453 if (out->cipher_data == NULL) {
1454 out->cipher = NULL;
1455 ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
1456 return 0;
1457 }
1458 memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
1459 }
1460
1461 if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
1462 if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) {
1463 out->cipher = NULL;
1464 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
1465 return 0;
1466 }
1467 return 1;
1468 }
1469
evp_cipher_new(void)1470 EVP_CIPHER *evp_cipher_new(void)
1471 {
1472 EVP_CIPHER *cipher = OPENSSL_zalloc(sizeof(EVP_CIPHER));
1473
1474 if (cipher != NULL) {
1475 cipher->lock = CRYPTO_THREAD_lock_new();
1476 if (cipher->lock == NULL) {
1477 OPENSSL_free(cipher);
1478 return NULL;
1479 }
1480 cipher->refcnt = 1;
1481 }
1482 return cipher;
1483 }
1484
1485 /*
1486 * FIPS module note: since internal fetches will be entirely
1487 * provider based, we know that none of its code depends on legacy
1488 * NIDs or any functionality that use them.
1489 */
1490 #ifndef FIPS_MODULE
1491 /* After removal of legacy support get rid of the need for legacy NIDs */
set_legacy_nid(const char * name,void * vlegacy_nid)1492 static void set_legacy_nid(const char *name, void *vlegacy_nid)
1493 {
1494 int nid;
1495 int *legacy_nid = vlegacy_nid;
1496 /*
1497 * We use lowest level function to get the associated method, because
1498 * higher level functions such as EVP_get_cipherbyname() have changed
1499 * to look at providers too.
1500 */
1501 const void *legacy_method = OBJ_NAME_get(name, OBJ_NAME_TYPE_CIPHER_METH);
1502
1503 if (*legacy_nid == -1) /* We found a clash already */
1504 return;
1505 if (legacy_method == NULL)
1506 return;
1507 nid = EVP_CIPHER_get_nid(legacy_method);
1508 if (*legacy_nid != NID_undef && *legacy_nid != nid) {
1509 *legacy_nid = -1;
1510 return;
1511 }
1512 *legacy_nid = nid;
1513 }
1514 #endif
1515
evp_cipher_from_algorithm(const int name_id,const OSSL_ALGORITHM * algodef,OSSL_PROVIDER * prov)1516 static void *evp_cipher_from_algorithm(const int name_id,
1517 const OSSL_ALGORITHM *algodef,
1518 OSSL_PROVIDER *prov)
1519 {
1520 const OSSL_DISPATCH *fns = algodef->implementation;
1521 EVP_CIPHER *cipher = NULL;
1522 int fnciphcnt = 0, fnctxcnt = 0;
1523
1524 if ((cipher = evp_cipher_new()) == NULL) {
1525 ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
1526 return NULL;
1527 }
1528
1529 #ifndef FIPS_MODULE
1530 cipher->nid = NID_undef;
1531 if (!evp_names_do_all(prov, name_id, set_legacy_nid, &cipher->nid)
1532 || cipher->nid == -1) {
1533 ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
1534 EVP_CIPHER_free(cipher);
1535 return NULL;
1536 }
1537 #endif
1538
1539 cipher->name_id = name_id;
1540 if ((cipher->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL) {
1541 EVP_CIPHER_free(cipher);
1542 return NULL;
1543 }
1544 cipher->description = algodef->algorithm_description;
1545
1546 for (; fns->function_id != 0; fns++) {
1547 switch (fns->function_id) {
1548 case OSSL_FUNC_CIPHER_NEWCTX:
1549 if (cipher->newctx != NULL)
1550 break;
1551 cipher->newctx = OSSL_FUNC_cipher_newctx(fns);
1552 fnctxcnt++;
1553 break;
1554 case OSSL_FUNC_CIPHER_ENCRYPT_INIT:
1555 if (cipher->einit != NULL)
1556 break;
1557 cipher->einit = OSSL_FUNC_cipher_encrypt_init(fns);
1558 fnciphcnt++;
1559 break;
1560 case OSSL_FUNC_CIPHER_DECRYPT_INIT:
1561 if (cipher->dinit != NULL)
1562 break;
1563 cipher->dinit = OSSL_FUNC_cipher_decrypt_init(fns);
1564 fnciphcnt++;
1565 break;
1566 case OSSL_FUNC_CIPHER_UPDATE:
1567 if (cipher->cupdate != NULL)
1568 break;
1569 cipher->cupdate = OSSL_FUNC_cipher_update(fns);
1570 fnciphcnt++;
1571 break;
1572 case OSSL_FUNC_CIPHER_FINAL:
1573 if (cipher->cfinal != NULL)
1574 break;
1575 cipher->cfinal = OSSL_FUNC_cipher_final(fns);
1576 fnciphcnt++;
1577 break;
1578 case OSSL_FUNC_CIPHER_CIPHER:
1579 if (cipher->ccipher != NULL)
1580 break;
1581 cipher->ccipher = OSSL_FUNC_cipher_cipher(fns);
1582 break;
1583 case OSSL_FUNC_CIPHER_FREECTX:
1584 if (cipher->freectx != NULL)
1585 break;
1586 cipher->freectx = OSSL_FUNC_cipher_freectx(fns);
1587 fnctxcnt++;
1588 break;
1589 case OSSL_FUNC_CIPHER_DUPCTX:
1590 if (cipher->dupctx != NULL)
1591 break;
1592 cipher->dupctx = OSSL_FUNC_cipher_dupctx(fns);
1593 break;
1594 case OSSL_FUNC_CIPHER_GET_PARAMS:
1595 if (cipher->get_params != NULL)
1596 break;
1597 cipher->get_params = OSSL_FUNC_cipher_get_params(fns);
1598 break;
1599 case OSSL_FUNC_CIPHER_GET_CTX_PARAMS:
1600 if (cipher->get_ctx_params != NULL)
1601 break;
1602 cipher->get_ctx_params = OSSL_FUNC_cipher_get_ctx_params(fns);
1603 break;
1604 case OSSL_FUNC_CIPHER_SET_CTX_PARAMS:
1605 if (cipher->set_ctx_params != NULL)
1606 break;
1607 cipher->set_ctx_params = OSSL_FUNC_cipher_set_ctx_params(fns);
1608 break;
1609 case OSSL_FUNC_CIPHER_GETTABLE_PARAMS:
1610 if (cipher->gettable_params != NULL)
1611 break;
1612 cipher->gettable_params = OSSL_FUNC_cipher_gettable_params(fns);
1613 break;
1614 case OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS:
1615 if (cipher->gettable_ctx_params != NULL)
1616 break;
1617 cipher->gettable_ctx_params =
1618 OSSL_FUNC_cipher_gettable_ctx_params(fns);
1619 break;
1620 case OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS:
1621 if (cipher->settable_ctx_params != NULL)
1622 break;
1623 cipher->settable_ctx_params =
1624 OSSL_FUNC_cipher_settable_ctx_params(fns);
1625 break;
1626 }
1627 }
1628 if ((fnciphcnt != 0 && fnciphcnt != 3 && fnciphcnt != 4)
1629 || (fnciphcnt == 0 && cipher->ccipher == NULL)
1630 || fnctxcnt != 2) {
1631 /*
1632 * In order to be a consistent set of functions we must have at least
1633 * a complete set of "encrypt" functions, or a complete set of "decrypt"
1634 * functions, or a single "cipher" function. In all cases we need both
1635 * the "newctx" and "freectx" functions.
1636 */
1637 EVP_CIPHER_free(cipher);
1638 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
1639 return NULL;
1640 }
1641 cipher->prov = prov;
1642 if (prov != NULL)
1643 ossl_provider_up_ref(prov);
1644
1645 if (!evp_cipher_cache_constants(cipher)) {
1646 EVP_CIPHER_free(cipher);
1647 ERR_raise(ERR_LIB_EVP, EVP_R_CACHE_CONSTANTS_FAILED);
1648 cipher = NULL;
1649 }
1650
1651 return cipher;
1652 }
1653
evp_cipher_up_ref(void * cipher)1654 static int evp_cipher_up_ref(void *cipher)
1655 {
1656 return EVP_CIPHER_up_ref(cipher);
1657 }
1658
evp_cipher_free(void * cipher)1659 static void evp_cipher_free(void *cipher)
1660 {
1661 EVP_CIPHER_free(cipher);
1662 }
1663
EVP_CIPHER_fetch(OSSL_LIB_CTX * ctx,const char * algorithm,const char * properties)1664 EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
1665 const char *properties)
1666 {
1667 EVP_CIPHER *cipher =
1668 evp_generic_fetch(ctx, OSSL_OP_CIPHER, algorithm, properties,
1669 evp_cipher_from_algorithm, evp_cipher_up_ref,
1670 evp_cipher_free);
1671
1672 return cipher;
1673 }
1674
EVP_CIPHER_up_ref(EVP_CIPHER * cipher)1675 int EVP_CIPHER_up_ref(EVP_CIPHER *cipher)
1676 {
1677 int ref = 0;
1678
1679 if (cipher->origin == EVP_ORIG_DYNAMIC)
1680 CRYPTO_UP_REF(&cipher->refcnt, &ref, cipher->lock);
1681 return 1;
1682 }
1683
evp_cipher_free_int(EVP_CIPHER * cipher)1684 void evp_cipher_free_int(EVP_CIPHER *cipher)
1685 {
1686 OPENSSL_free(cipher->type_name);
1687 ossl_provider_free(cipher->prov);
1688 CRYPTO_THREAD_lock_free(cipher->lock);
1689 OPENSSL_free(cipher);
1690 }
1691
EVP_CIPHER_free(EVP_CIPHER * cipher)1692 void EVP_CIPHER_free(EVP_CIPHER *cipher)
1693 {
1694 int i;
1695
1696 if (cipher == NULL || cipher->origin != EVP_ORIG_DYNAMIC)
1697 return;
1698
1699 CRYPTO_DOWN_REF(&cipher->refcnt, &i, cipher->lock);
1700 if (i > 0)
1701 return;
1702 evp_cipher_free_int(cipher);
1703 }
1704
EVP_CIPHER_do_all_provided(OSSL_LIB_CTX * libctx,void (* fn)(EVP_CIPHER * mac,void * arg),void * arg)1705 void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx,
1706 void (*fn)(EVP_CIPHER *mac, void *arg),
1707 void *arg)
1708 {
1709 evp_generic_do_all(libctx, OSSL_OP_CIPHER,
1710 (void (*)(void *, void *))fn, arg,
1711 evp_cipher_from_algorithm, evp_cipher_up_ref,
1712 evp_cipher_free);
1713 }
1714