1 /*
2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /* We need to use some engine deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12
13 #include <stdio.h>
14 #include <limits.h>
15 #include <assert.h>
16 #include <openssl/evp.h>
17 #include <openssl/err.h>
18 #include <openssl/rand.h>
19 #ifndef FIPS_MODULE
20 #include <openssl/engine.h>
21 #endif
22 #include <openssl/params.h>
23 #include <openssl/core_names.h>
24 #include "internal/cryptlib.h"
25 #include "internal/provider.h"
26 #include "internal/core.h"
27 #include "internal/safe_math.h"
28 #include "crypto/evp.h"
29 #include "evp_local.h"
30
OSSL_SAFE_MATH_SIGNED(int,int)31 OSSL_SAFE_MATH_SIGNED(int, int)
32
33 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
34 {
35 if (ctx == NULL)
36 return 1;
37
38 if (ctx->cipher == NULL || ctx->cipher->prov == NULL)
39 goto legacy;
40
41 if (ctx->algctx != NULL) {
42 if (ctx->cipher->freectx != NULL)
43 ctx->cipher->freectx(ctx->algctx);
44 ctx->algctx = NULL;
45 }
46 if (ctx->fetched_cipher != NULL)
47 EVP_CIPHER_free(ctx->fetched_cipher);
48 memset(ctx, 0, sizeof(*ctx));
49 ctx->iv_len = -1;
50
51 return 1;
52
53 /* Remove legacy code below when legacy support is removed. */
54 legacy:
55
56 if (ctx->cipher != NULL) {
57 if (ctx->cipher->cleanup && !ctx->cipher->cleanup(ctx))
58 return 0;
59 /* Cleanse cipher context data */
60 if (ctx->cipher_data && ctx->cipher->ctx_size)
61 OPENSSL_cleanse(ctx->cipher_data, ctx->cipher->ctx_size);
62 }
63 OPENSSL_free(ctx->cipher_data);
64 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
65 ENGINE_finish(ctx->engine);
66 #endif
67 memset(ctx, 0, sizeof(*ctx));
68 ctx->iv_len = -1;
69 return 1;
70 }
71
EVP_CIPHER_CTX_new(void)72 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
73 {
74 EVP_CIPHER_CTX *ctx;
75
76 ctx = OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
77 if (ctx == NULL)
78 return NULL;
79
80 ctx->iv_len = -1;
81 return ctx;
82 }
83
EVP_CIPHER_CTX_free(EVP_CIPHER_CTX * ctx)84 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
85 {
86 if (ctx == NULL)
87 return;
88 EVP_CIPHER_CTX_reset(ctx);
89 OPENSSL_free(ctx);
90 }
91
evp_cipher_init_internal(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv,int enc,uint8_t is_pipeline,const OSSL_PARAM params[])92 static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
93 const EVP_CIPHER *cipher,
94 ENGINE *impl, const unsigned char *key,
95 const unsigned char *iv, int enc,
96 uint8_t is_pipeline,
97 const OSSL_PARAM params[])
98 {
99 int n;
100 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
101 ENGINE *tmpimpl = NULL;
102 #endif
103
104 /*
105 * enc == 1 means we are encrypting.
106 * enc == 0 means we are decrypting.
107 * enc == -1 means, use the previously initialised value for encrypt/decrypt
108 */
109 if (enc == -1) {
110 enc = ctx->encrypt;
111 } else {
112 if (enc)
113 enc = 1;
114 ctx->encrypt = enc;
115 }
116
117 if (cipher == NULL && ctx->cipher == NULL) {
118 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
119 return 0;
120 }
121
122 /* Code below to be removed when legacy support is dropped. */
123 if (is_pipeline)
124 goto nonlegacy;
125
126 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
127 /*
128 * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
129 * this context may already have an ENGINE! Try to avoid releasing the
130 * previous handle, re-querying for an ENGINE, and having a
131 * reinitialisation, when it may all be unnecessary.
132 */
133 if (ctx->engine && ctx->cipher
134 && (cipher == NULL || cipher->nid == ctx->cipher->nid))
135 goto skip_to_init;
136
137 if (cipher != NULL && impl == NULL) {
138 /* Ask if an ENGINE is reserved for this job */
139 tmpimpl = ENGINE_get_cipher_engine(cipher->nid);
140 }
141 #endif
142
143 /*
144 * If there are engines involved then we should use legacy handling for now.
145 */
146 if (ctx->engine != NULL
147 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
148 || tmpimpl != NULL
149 #endif
150 || impl != NULL
151 || (cipher != NULL && cipher->origin == EVP_ORIG_METH)
152 || (cipher == NULL && ctx->cipher != NULL
153 && ctx->cipher->origin == EVP_ORIG_METH)) {
154 if (ctx->cipher == ctx->fetched_cipher)
155 ctx->cipher = NULL;
156 EVP_CIPHER_free(ctx->fetched_cipher);
157 ctx->fetched_cipher = NULL;
158 goto legacy;
159 }
160 /*
161 * Ensure a context left lying around from last time is cleared
162 * (legacy code)
163 */
164 if (cipher != NULL && ctx->cipher != NULL) {
165 if (ctx->cipher->cleanup != NULL && !ctx->cipher->cleanup(ctx))
166 return 0;
167 OPENSSL_clear_free(ctx->cipher_data, ctx->cipher->ctx_size);
168 ctx->cipher_data = NULL;
169 }
170
171 /* Start of non-legacy code below */
172 nonlegacy:
173 /* Ensure a context left lying around from last time is cleared */
174 if (cipher != NULL && ctx->cipher != NULL) {
175 unsigned long flags = ctx->flags;
176
177 EVP_CIPHER_CTX_reset(ctx);
178 /* Restore encrypt and flags */
179 ctx->encrypt = enc;
180 ctx->flags = flags;
181 }
182
183 if (cipher == NULL)
184 cipher = ctx->cipher;
185
186 if (cipher->prov == NULL) {
187 #ifdef FIPS_MODULE
188 /* We only do explicit fetches inside the FIPS module */
189 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
190 return 0;
191 #else
192 EVP_CIPHER *provciph = EVP_CIPHER_fetch(NULL,
193 cipher->nid == NID_undef ? "NULL"
194 : OBJ_nid2sn(cipher->nid),
195 "");
196
197 if (provciph == NULL)
198 return 0;
199 cipher = provciph;
200 EVP_CIPHER_free(ctx->fetched_cipher);
201 ctx->fetched_cipher = provciph;
202 #endif
203 }
204
205 if (!ossl_assert(cipher->prov != NULL)) {
206 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
207 return 0;
208 }
209
210 if (cipher != ctx->fetched_cipher) {
211 if (!EVP_CIPHER_up_ref((EVP_CIPHER *)cipher)) {
212 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
213 return 0;
214 }
215 EVP_CIPHER_free(ctx->fetched_cipher);
216 /* Coverity false positive, the reference counting is confusing it */
217 /* coverity[use_after_free] */
218 ctx->fetched_cipher = (EVP_CIPHER *)cipher;
219 }
220 ctx->cipher = cipher;
221
222 if (is_pipeline && !EVP_CIPHER_can_pipeline(cipher, enc)) {
223 ERR_raise(ERR_LIB_EVP, EVP_R_PIPELINE_NOT_SUPPORTED);
224 return 0;
225 }
226
227 if (ctx->algctx == NULL) {
228 ctx->algctx = ctx->cipher->newctx(ossl_provider_ctx(cipher->prov));
229 if (ctx->algctx == NULL) {
230 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
231 return 0;
232 }
233 }
234
235 if ((ctx->flags & EVP_CIPH_NO_PADDING) != 0) {
236 /*
237 * If this ctx was already set up for no padding then we need to tell
238 * the new cipher about it.
239 */
240 if (!EVP_CIPHER_CTX_set_padding(ctx, 0))
241 return 0;
242 }
243
244 #ifndef FIPS_MODULE
245 /*
246 * Fix for CVE-2023-5363
247 * Passing in a size as part of the init call takes effect late
248 * so, force such to occur before the initialisation.
249 *
250 * The FIPS provider's internal library context is used in a manner
251 * such that this is not an issue.
252 */
253 if (params != NULL) {
254 OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
255 OSSL_PARAM_END };
256 OSSL_PARAM *q = param_lens;
257 const OSSL_PARAM *p;
258
259 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
260 if (p != NULL)
261 memcpy(q++, p, sizeof(*q));
262
263 /*
264 * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synonym for
265 * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
266 */
267 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
268 if (p != NULL)
269 memcpy(q++, p, sizeof(*q));
270
271 if (q != param_lens) {
272 if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
273 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
274 return 0;
275 }
276 }
277 }
278 #endif
279
280 if (is_pipeline)
281 return 1;
282
283 if (enc) {
284 if (ctx->cipher->einit == NULL) {
285 /*
286 * We still should be able to set the IV using the new API
287 * if the key is not specified and old API is not available
288 */
289 if (key == NULL && ctx->cipher->einit_skey != NULL) {
290 return ctx->cipher->einit_skey(ctx->algctx, NULL,
291 iv,
292 iv == NULL ? 0
293 : EVP_CIPHER_CTX_get_iv_length(ctx),
294 params);
295 }
296 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
297 return 0;
298 }
299
300 return ctx->cipher->einit(ctx->algctx,
301 key,
302 key == NULL ? 0
303 : EVP_CIPHER_CTX_get_key_length(ctx),
304 iv,
305 iv == NULL ? 0
306 : EVP_CIPHER_CTX_get_iv_length(ctx),
307 params);
308 }
309
310 if (ctx->cipher->dinit == NULL) {
311 /*
312 * We still should be able to set the IV using the new API
313 * if the key is not specified and old API is not available
314 */
315 if (key == NULL && ctx->cipher->dinit_skey != NULL) {
316 return ctx->cipher->dinit_skey(ctx->algctx, NULL,
317 iv,
318 iv == NULL ? 0
319 : EVP_CIPHER_CTX_get_iv_length(ctx),
320 params);
321 }
322 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
323 return 0;
324 }
325
326 return ctx->cipher->dinit(ctx->algctx,
327 key,
328 key == NULL ? 0
329 : EVP_CIPHER_CTX_get_key_length(ctx),
330 iv,
331 iv == NULL ? 0
332 : EVP_CIPHER_CTX_get_iv_length(ctx),
333 params);
334
335 /* Code below to be removed when legacy support is dropped. */
336 legacy:
337
338 if (cipher != NULL) {
339 /*
340 * Ensure a context left lying around from last time is cleared (we
341 * previously attempted to avoid this if the same ENGINE and
342 * EVP_CIPHER could be used).
343 */
344 if (ctx->cipher) {
345 unsigned long flags = ctx->flags;
346 EVP_CIPHER_CTX_reset(ctx);
347 /* Restore encrypt and flags */
348 ctx->encrypt = enc;
349 ctx->flags = flags;
350 }
351 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
352 if (impl != NULL) {
353 if (!ENGINE_init(impl)) {
354 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
355 return 0;
356 }
357 } else {
358 impl = tmpimpl;
359 }
360 if (impl != NULL) {
361 /* There's an ENGINE for this job ... (apparently) */
362 const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
363
364 if (c == NULL) {
365 /*
366 * One positive side-effect of US's export control history,
367 * is that we should at least be able to avoid using US
368 * misspellings of "initialisation"?
369 */
370 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
371 return 0;
372 }
373 /* We'll use the ENGINE's private cipher definition */
374 cipher = c;
375 /*
376 * Store the ENGINE functional reference so we know 'cipher' came
377 * from an ENGINE and we need to release it when done.
378 */
379 ctx->engine = impl;
380 } else {
381 ctx->engine = NULL;
382 }
383 #endif
384
385 ctx->cipher = cipher;
386 if (ctx->cipher->ctx_size) {
387 ctx->cipher_data = OPENSSL_zalloc(ctx->cipher->ctx_size);
388 if (ctx->cipher_data == NULL) {
389 ctx->cipher = NULL;
390 return 0;
391 }
392 } else {
393 ctx->cipher_data = NULL;
394 }
395 ctx->key_len = cipher->key_len;
396 /* Preserve wrap enable flag, zero everything else */
397 ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
398 if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
399 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL) <= 0) {
400 ctx->cipher = NULL;
401 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
402 return 0;
403 }
404 }
405 }
406 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
407 skip_to_init:
408 #endif
409 if (ctx->cipher == NULL)
410 return 0;
411
412 /* we assume block size is a power of 2 in *cryptUpdate */
413 OPENSSL_assert(ctx->cipher->block_size == 1
414 || ctx->cipher->block_size == 8
415 || ctx->cipher->block_size == 16);
416
417 if (!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
418 && EVP_CIPHER_CTX_get_mode(ctx) == EVP_CIPH_WRAP_MODE) {
419 ERR_raise(ERR_LIB_EVP, EVP_R_WRAP_MODE_NOT_ALLOWED);
420 return 0;
421 }
422
423 if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx))
424 & EVP_CIPH_CUSTOM_IV)
425 == 0) {
426 switch (EVP_CIPHER_CTX_get_mode(ctx)) {
427
428 case EVP_CIPH_STREAM_CIPHER:
429 case EVP_CIPH_ECB_MODE:
430 break;
431
432 case EVP_CIPH_CFB_MODE:
433 case EVP_CIPH_OFB_MODE:
434
435 ctx->num = 0;
436 /* fall-through */
437
438 case EVP_CIPH_CBC_MODE:
439 n = EVP_CIPHER_CTX_get_iv_length(ctx);
440 if (n < 0 || n > (int)sizeof(ctx->iv)) {
441 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
442 return 0;
443 }
444 if (iv != NULL)
445 memcpy(ctx->oiv, iv, n);
446 memcpy(ctx->iv, ctx->oiv, n);
447 break;
448
449 case EVP_CIPH_CTR_MODE:
450 ctx->num = 0;
451 /* Don't reuse IV for CTR mode */
452 if (iv != NULL) {
453 n = EVP_CIPHER_CTX_get_iv_length(ctx);
454 if (n <= 0 || n > (int)sizeof(ctx->iv)) {
455 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
456 return 0;
457 }
458 memcpy(ctx->iv, iv, n);
459 }
460 break;
461
462 default:
463 return 0;
464 }
465 }
466
467 if (key != NULL || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
468 if (!ctx->cipher->init(ctx, key, iv, enc))
469 return 0;
470 }
471 ctx->buf_len = 0;
472 ctx->final_used = 0;
473 ctx->block_mask = ctx->cipher->block_size - 1;
474 return 1;
475 }
476
477 /*
478 * This function is basically evp_cipher_init_internal without ENGINE support.
479 * They should be combined when engines are not supported any longer.
480 */
evp_cipher_init_skey_internal(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const EVP_SKEY * skey,const unsigned char * iv,size_t iv_len,int enc,const OSSL_PARAM params[])481 static int evp_cipher_init_skey_internal(EVP_CIPHER_CTX *ctx,
482 const EVP_CIPHER *cipher,
483 const EVP_SKEY *skey,
484 const unsigned char *iv, size_t iv_len,
485 int enc, const OSSL_PARAM params[])
486 {
487 int ret;
488
489 /*
490 * enc == 1 means we are encrypting.
491 * enc == 0 means we are decrypting.
492 * enc == -1 means, use the previously initialised value for encrypt/decrypt
493 */
494 if (enc == -1)
495 enc = ctx->encrypt;
496 else
497 ctx->encrypt = enc != 0;
498
499 if (cipher == NULL && ctx->cipher == NULL) {
500 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
501 return 0;
502 }
503
504 /*
505 * If there are engines involved then we throw an error
506 */
507 if (ctx->engine != NULL
508 || (cipher != NULL && cipher->origin == EVP_ORIG_METH)
509 || (cipher == NULL && ctx->cipher != NULL
510 && ctx->cipher->origin == EVP_ORIG_METH)) {
511 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
512 return 0;
513 }
514 /*
515 * Ensure a context left lying around from last time is cleared
516 * (legacy code)
517 */
518 if (cipher != NULL && ctx->cipher != NULL) {
519 if (ctx->cipher->cleanup != NULL && !ctx->cipher->cleanup(ctx))
520 return 0;
521 OPENSSL_clear_free(ctx->cipher_data, ctx->cipher->ctx_size);
522 ctx->cipher_data = NULL;
523 }
524
525 /* Ensure a context left lying around from last time is cleared */
526 if (cipher != NULL && ctx->cipher != NULL) {
527 unsigned long flags = ctx->flags;
528
529 EVP_CIPHER_CTX_reset(ctx);
530 /* Restore encrypt and flags */
531 ctx->encrypt = enc;
532 ctx->flags = flags;
533 }
534
535 if (cipher == NULL)
536 cipher = ctx->cipher;
537
538 if (cipher->prov == NULL) {
539 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
540 return 0;
541 }
542
543 if (cipher != ctx->fetched_cipher) {
544 if (!EVP_CIPHER_up_ref((EVP_CIPHER *)cipher)) {
545 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
546 return 0;
547 }
548 EVP_CIPHER_free(ctx->fetched_cipher);
549 /* Coverity false positive, the reference counting is confusing it */
550 /* coverity[use_after_free] */
551 ctx->fetched_cipher = (EVP_CIPHER *)cipher;
552 }
553 ctx->cipher = cipher;
554 if (ctx->algctx == NULL) {
555 ctx->algctx = ctx->cipher->newctx(ossl_provider_ctx(cipher->prov));
556 if (ctx->algctx == NULL) {
557 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
558 return 0;
559 }
560 }
561
562 if (skey != NULL && ctx->cipher->prov != skey->skeymgmt->prov) {
563 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
564 return 0;
565 }
566
567 if ((ctx->flags & EVP_CIPH_NO_PADDING) != 0) {
568 /*
569 * If this ctx was already set up for no padding then we need to tell
570 * the new cipher about it.
571 */
572 if (!EVP_CIPHER_CTX_set_padding(ctx, 0))
573 return 0;
574 }
575
576 if (iv == NULL)
577 iv_len = 0;
578
579 /* We have a data managed via key management, using the new callbacks */
580 if (enc) {
581 if (ctx->cipher->einit_skey == NULL) {
582 /*
583 * When skey is NULL, it's a multiple-step init as the current API does.
584 * Otherwise we try to fallback for providers that do not support SKEYs.
585 */
586 const unsigned char *keydata = NULL;
587 size_t keylen = 0;
588
589 if (skey != NULL && !EVP_SKEY_get0_raw_key(skey, &keydata, &keylen)) {
590 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
591 return 0;
592 }
593
594 ret = ctx->cipher->einit(ctx->algctx, keydata, keylen,
595 iv, iv_len, params);
596 } else {
597 ret = ctx->cipher->einit_skey(ctx->algctx,
598 skey == NULL ? NULL : skey->keydata,
599 iv, iv_len, params);
600 }
601 } else {
602 if (ctx->cipher->dinit_skey == NULL) {
603 /*
604 * When skey is NULL, it's a multiple-step init as the current API does.
605 * Otherwise we try to fallback for providers that do not support SKEYs.
606 */
607 const unsigned char *keydata = NULL;
608 size_t keylen = 0;
609
610 if (skey != NULL && !EVP_SKEY_get0_raw_key(skey, &keydata, &keylen)) {
611 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
612 return 0;
613 }
614
615 ret = ctx->cipher->dinit(ctx->algctx, keydata, keylen,
616 iv, iv_len, params);
617 } else {
618 ret = ctx->cipher->dinit_skey(ctx->algctx,
619 skey == NULL ? NULL : skey->keydata,
620 iv, iv_len, params);
621 }
622 }
623
624 return ret;
625 }
626
EVP_CipherInit_SKEY(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,EVP_SKEY * skey,const unsigned char * iv,size_t iv_len,int enc,const OSSL_PARAM params[])627 int EVP_CipherInit_SKEY(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
628 EVP_SKEY *skey, const unsigned char *iv, size_t iv_len,
629 int enc, const OSSL_PARAM params[])
630 {
631 return evp_cipher_init_skey_internal(ctx, cipher, skey, iv, iv_len, enc, params);
632 }
633
EVP_CipherInit_ex2(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,int enc,const OSSL_PARAM params[])634 int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
635 const unsigned char *key, const unsigned char *iv,
636 int enc, const OSSL_PARAM params[])
637 {
638 return evp_cipher_init_internal(ctx, cipher, NULL, key, iv, enc, 0, params);
639 }
640
EVP_CipherInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,int enc)641 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
642 const unsigned char *key, const unsigned char *iv, int enc)
643 {
644 if (cipher != NULL)
645 EVP_CIPHER_CTX_reset(ctx);
646 return evp_cipher_init_internal(ctx, cipher, NULL, key, iv, enc, 0, NULL);
647 }
648
EVP_CipherInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv,int enc)649 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
650 ENGINE *impl, const unsigned char *key,
651 const unsigned char *iv, int enc)
652 {
653 return evp_cipher_init_internal(ctx, cipher, impl, key, iv, enc, 0, NULL);
654 }
655
EVP_CipherPipelineEncryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,size_t keylen,size_t numpipes,const unsigned char ** iv,size_t ivlen)656 int EVP_CipherPipelineEncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
657 const unsigned char *key, size_t keylen,
658 size_t numpipes,
659 const unsigned char **iv, size_t ivlen)
660 {
661 if (numpipes > EVP_MAX_PIPES) {
662 ERR_raise(ERR_LIB_EVP, EVP_R_TOO_MANY_PIPES);
663 return 0;
664 }
665
666 ctx->numpipes = numpipes;
667
668 if (!evp_cipher_init_internal(ctx, cipher, NULL, NULL, NULL, 1, 1,
669 NULL))
670 return 0;
671
672 if (ctx->cipher->p_einit == NULL) {
673 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
674 return 0;
675 }
676
677 return ctx->cipher->p_einit(ctx->algctx,
678 key,
679 keylen,
680 numpipes,
681 iv,
682 ivlen,
683 NULL);
684 }
685
EVP_CipherPipelineDecryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,size_t keylen,size_t numpipes,const unsigned char ** iv,size_t ivlen)686 int EVP_CipherPipelineDecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
687 const unsigned char *key, size_t keylen,
688 size_t numpipes,
689 const unsigned char **iv, size_t ivlen)
690 {
691 if (numpipes > EVP_MAX_PIPES) {
692 ERR_raise(ERR_LIB_EVP, EVP_R_TOO_MANY_PIPES);
693 return 0;
694 }
695
696 ctx->numpipes = numpipes;
697
698 if (!evp_cipher_init_internal(ctx, cipher, NULL, NULL, NULL, 0, 1,
699 NULL))
700 return 0;
701
702 if (ctx->cipher->p_dinit == NULL) {
703 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
704 return 0;
705 }
706
707 return ctx->cipher->p_dinit(ctx->algctx,
708 key,
709 keylen,
710 numpipes,
711 iv,
712 ivlen,
713 NULL);
714 }
715
EVP_CipherUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)716 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
717 const unsigned char *in, int inl)
718 {
719 if (ctx->encrypt)
720 return EVP_EncryptUpdate(ctx, out, outl, in, inl);
721 else
722 return EVP_DecryptUpdate(ctx, out, outl, in, inl);
723 }
724
EVP_CipherPipelineUpdate(EVP_CIPHER_CTX * ctx,unsigned char ** out,size_t * outl,const size_t * outsize,const unsigned char ** in,const size_t * inl)725 int EVP_CipherPipelineUpdate(EVP_CIPHER_CTX *ctx,
726 unsigned char **out, size_t *outl,
727 const size_t *outsize,
728 const unsigned char **in, const size_t *inl)
729 {
730 size_t i;
731
732 if (ossl_unlikely(outl == NULL || inl == NULL)) {
733 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
734 return 0;
735 }
736
737 if (ossl_unlikely(ctx->cipher == NULL)) {
738 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
739 return 0;
740 }
741
742 if (ossl_unlikely(ctx->cipher->prov == NULL)) {
743 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
744 return 0;
745 }
746
747 if (ossl_unlikely(ctx->cipher->p_cupdate == NULL)) {
748 ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
749 return 0;
750 }
751
752 for (i = 0; i < ctx->numpipes; i++)
753 outl[i] = 0;
754
755 return ctx->cipher->p_cupdate(ctx->algctx, ctx->numpipes,
756 out, outl, outsize,
757 in, inl);
758 }
759
EVP_CipherFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)760 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
761 {
762 if (ctx->encrypt)
763 return EVP_EncryptFinal_ex(ctx, out, outl);
764 else
765 return EVP_DecryptFinal_ex(ctx, out, outl);
766 }
767
EVP_CipherFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)768 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
769 {
770 if (ctx->encrypt)
771 return EVP_EncryptFinal(ctx, out, outl);
772 else
773 return EVP_DecryptFinal(ctx, out, outl);
774 }
775
EVP_CipherPipelineFinal(EVP_CIPHER_CTX * ctx,unsigned char ** out,size_t * outl,const size_t * outsize)776 int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
777 unsigned char **out, size_t *outl,
778 const size_t *outsize)
779 {
780 size_t i;
781
782 if (ossl_unlikely(outl == NULL)) {
783 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
784 return 0;
785 }
786
787 if (ossl_unlikely(ctx->cipher == NULL)) {
788 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
789 return 0;
790 }
791
792 if (ossl_unlikely(ctx->cipher->prov == NULL)) {
793 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
794 return 0;
795 }
796
797 if (ossl_unlikely(ctx->cipher->p_cfinal == NULL)) {
798 ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
799 return 0;
800 }
801
802 for (i = 0; i < ctx->numpipes; i++)
803 outl[i] = 0;
804
805 return ctx->cipher->p_cfinal(ctx->algctx, ctx->numpipes,
806 out, outl, outsize);
807 }
808
EVP_EncryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)809 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
810 const unsigned char *key, const unsigned char *iv)
811 {
812 return EVP_CipherInit(ctx, cipher, key, iv, 1);
813 }
814
EVP_EncryptInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv)815 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
816 ENGINE *impl, const unsigned char *key,
817 const unsigned char *iv)
818 {
819 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1);
820 }
821
EVP_EncryptInit_ex2(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,const OSSL_PARAM params[])822 int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
823 const unsigned char *key, const unsigned char *iv,
824 const OSSL_PARAM params[])
825 {
826 return EVP_CipherInit_ex2(ctx, cipher, key, iv, 1, params);
827 }
828
EVP_DecryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)829 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
830 const unsigned char *key, const unsigned char *iv)
831 {
832 return EVP_CipherInit(ctx, cipher, key, iv, 0);
833 }
834
EVP_DecryptInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv)835 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
836 ENGINE *impl, const unsigned char *key,
837 const unsigned char *iv)
838 {
839 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
840 }
841
EVP_DecryptInit_ex2(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,const OSSL_PARAM params[])842 int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
843 const unsigned char *key, const unsigned char *iv,
844 const OSSL_PARAM params[])
845 {
846 return EVP_CipherInit_ex2(ctx, cipher, key, iv, 0, params);
847 }
848
849 /*
850 * According to the letter of standard difference between pointers
851 * is specified to be valid only within same object. This makes
852 * it formally challenging to determine if input and output buffers
853 * are not partially overlapping with standard pointer arithmetic.
854 */
855 #ifdef PTRDIFF_T
856 #undef PTRDIFF_T
857 #endif
858 #if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE == 64
859 /*
860 * Then we have VMS that distinguishes itself by adhering to
861 * sizeof(size_t)==4 even in 64-bit builds, which means that
862 * difference between two pointers might be truncated to 32 bits.
863 * In the context one can even wonder how comparison for
864 * equality is implemented. To be on the safe side we adhere to
865 * PTRDIFF_T even for comparison for equality.
866 */
867 #define PTRDIFF_T uint64_t
868 #else
869 #define PTRDIFF_T size_t
870 #endif
871
ossl_is_partially_overlapping(const void * ptr1,const void * ptr2,int len)872 int ossl_is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
873 {
874 PTRDIFF_T diff = (PTRDIFF_T)ptr1 - (PTRDIFF_T)ptr2;
875 /*
876 * Check for partially overlapping buffers. [Binary logical
877 * operations are used instead of boolean to minimize number
878 * of conditional branches.]
879 */
880 int overlapped = (len > 0) & (diff != 0) & ((diff < (PTRDIFF_T)len) | (diff > (0 - (PTRDIFF_T)len)));
881
882 return overlapped;
883 }
884
evp_EncryptDecryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)885 static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
886 unsigned char *out, int *outl,
887 const unsigned char *in, int inl)
888 {
889 int i, j, bl, cmpl = inl;
890
891 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
892 cmpl = safe_div_round_up_int(cmpl, 8, NULL);
893
894 bl = ctx->cipher->block_size;
895
896 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
897 /* If block size > 1 then the cipher will have to do this check */
898 if (bl == 1 && ossl_is_partially_overlapping(out, in, cmpl)) {
899 ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
900 return 0;
901 }
902
903 i = ctx->cipher->do_cipher(ctx, out, in, inl);
904 if (i < 0)
905 return 0;
906 else
907 *outl = i;
908 return 1;
909 }
910
911 if (inl <= 0) {
912 *outl = 0;
913 return inl == 0;
914 }
915 if (ossl_is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
916 ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
917 return 0;
918 }
919
920 if (ctx->buf_len == 0 && (inl & (ctx->block_mask)) == 0) {
921 if (ctx->cipher->do_cipher(ctx, out, in, inl)) {
922 *outl = inl;
923 return 1;
924 } else {
925 *outl = 0;
926 return 0;
927 }
928 }
929 i = ctx->buf_len;
930 OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
931 if (i != 0) {
932 if (bl - i > inl) {
933 memcpy(&(ctx->buf[i]), in, inl);
934 ctx->buf_len += inl;
935 *outl = 0;
936 return 1;
937 } else {
938 j = bl - i;
939
940 /*
941 * Once we've processed the first j bytes from in, the amount of
942 * data left that is a multiple of the block length is:
943 * (inl - j) & ~(bl - 1)
944 * We must ensure that this amount of data, plus the one block that
945 * we process from ctx->buf does not exceed INT_MAX
946 */
947 if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
948 ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW);
949 return 0;
950 }
951 memcpy(&(ctx->buf[i]), in, j);
952 inl -= j;
953 in += j;
954 if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl))
955 return 0;
956 out += bl;
957 *outl = bl;
958 }
959 } else
960 *outl = 0;
961 i = inl & (bl - 1);
962 inl -= i;
963 if (inl > 0) {
964 if (!ctx->cipher->do_cipher(ctx, out, in, inl))
965 return 0;
966 *outl += inl;
967 }
968
969 if (i != 0)
970 memcpy(ctx->buf, &(in[inl]), i);
971 ctx->buf_len = i;
972 return 1;
973 }
974
EVP_EncryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)975 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
976 const unsigned char *in, int inl)
977 {
978 int ret;
979 size_t soutl, inl_ = (size_t)inl;
980 int blocksize;
981
982 if (ossl_likely(outl != NULL)) {
983 *outl = 0;
984 } else {
985 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
986 return 0;
987 }
988
989 /* Prevent accidental use of decryption context when encrypting */
990 if (ossl_unlikely(!ctx->encrypt)) {
991 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
992 return 0;
993 }
994
995 if (ossl_unlikely(ctx->cipher == NULL)) {
996 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
997 return 0;
998 }
999
1000 if (ossl_unlikely(ctx->cipher->prov == NULL))
1001 goto legacy;
1002
1003 blocksize = ctx->cipher->block_size;
1004
1005 if (ossl_unlikely(ctx->cipher->cupdate == NULL || blocksize < 1)) {
1006 ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
1007 return 0;
1008 }
1009
1010 ret = ctx->cipher->cupdate(ctx->algctx, out, &soutl,
1011 inl_ + (size_t)(blocksize == 1 ? 0 : blocksize),
1012 in, inl_);
1013
1014 if (ossl_likely(ret)) {
1015 if (soutl > INT_MAX) {
1016 ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
1017 return 0;
1018 }
1019 *outl = soutl;
1020 }
1021
1022 return ret;
1023
1024 /* Code below to be removed when legacy support is dropped. */
1025 legacy:
1026
1027 return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
1028 }
1029
EVP_EncryptFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)1030 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
1031 {
1032 int ret;
1033 ret = EVP_EncryptFinal_ex(ctx, out, outl);
1034 return ret;
1035 }
1036
EVP_EncryptFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)1037 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
1038 {
1039 int n, ret;
1040 unsigned int i, b, bl;
1041 size_t soutl;
1042 int blocksize;
1043
1044 if (outl != NULL) {
1045 *outl = 0;
1046 } else {
1047 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
1048 return 0;
1049 }
1050
1051 /* Prevent accidental use of decryption context when encrypting */
1052 if (!ctx->encrypt) {
1053 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
1054 return 0;
1055 }
1056
1057 if (ctx->cipher == NULL) {
1058 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
1059 return 0;
1060 }
1061 if (ctx->cipher->prov == NULL)
1062 goto legacy;
1063
1064 blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
1065
1066 if (blocksize < 1 || ctx->cipher->cfinal == NULL) {
1067 ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
1068 return 0;
1069 }
1070
1071 ret = ctx->cipher->cfinal(ctx->algctx, out, &soutl,
1072 blocksize == 1 ? 0 : blocksize);
1073
1074 if (ret) {
1075 if (soutl > INT_MAX) {
1076 ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
1077 return 0;
1078 }
1079 *outl = soutl;
1080 }
1081
1082 return ret;
1083
1084 /* Code below to be removed when legacy support is dropped. */
1085 legacy:
1086
1087 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
1088 ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
1089 if (ret < 0)
1090 return 0;
1091 else
1092 *outl = ret;
1093 return 1;
1094 }
1095
1096 b = ctx->cipher->block_size;
1097 OPENSSL_assert(b <= sizeof(ctx->buf));
1098 if (b == 1) {
1099 *outl = 0;
1100 return 1;
1101 }
1102 bl = ctx->buf_len;
1103 if (ctx->flags & EVP_CIPH_NO_PADDING) {
1104 if (bl) {
1105 ERR_raise(ERR_LIB_EVP, EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
1106 return 0;
1107 }
1108 *outl = 0;
1109 return 1;
1110 }
1111
1112 n = b - bl;
1113 for (i = bl; i < b; i++)
1114 ctx->buf[i] = n;
1115 ret = ctx->cipher->do_cipher(ctx, out, ctx->buf, b);
1116
1117 if (ret)
1118 *outl = b;
1119
1120 return ret;
1121 }
1122
EVP_DecryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)1123 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
1124 const unsigned char *in, int inl)
1125 {
1126 int fix_len, cmpl = inl, ret;
1127 unsigned int b;
1128 size_t soutl, inl_ = (size_t)inl;
1129 int blocksize;
1130
1131 if (ossl_likely(outl != NULL)) {
1132 *outl = 0;
1133 } else {
1134 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
1135 return 0;
1136 }
1137
1138 /* Prevent accidental use of encryption context when decrypting */
1139 if (ossl_unlikely(ctx->encrypt)) {
1140 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
1141 return 0;
1142 }
1143
1144 if (ossl_unlikely(ctx->cipher == NULL)) {
1145 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
1146 return 0;
1147 }
1148 if (ossl_unlikely(ctx->cipher->prov == NULL))
1149 goto legacy;
1150
1151 blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
1152
1153 if (ossl_unlikely(ctx->cipher->cupdate == NULL || blocksize < 1)) {
1154 ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
1155 return 0;
1156 }
1157 ret = ctx->cipher->cupdate(ctx->algctx, out, &soutl,
1158 inl_ + (size_t)(blocksize == 1 ? 0 : blocksize),
1159 in, inl_);
1160
1161 if (ossl_likely(ret)) {
1162 if (soutl > INT_MAX) {
1163 ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
1164 return 0;
1165 }
1166 *outl = soutl;
1167 }
1168
1169 return ret;
1170
1171 /* Code below to be removed when legacy support is dropped. */
1172 legacy:
1173
1174 b = ctx->cipher->block_size;
1175
1176 if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
1177 cmpl = safe_div_round_up_int(cmpl, 8, NULL);
1178
1179 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
1180 if (b == 1 && ossl_is_partially_overlapping(out, in, cmpl)) {
1181 ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
1182 return 0;
1183 }
1184
1185 fix_len = ctx->cipher->do_cipher(ctx, out, in, inl);
1186 if (fix_len < 0) {
1187 *outl = 0;
1188 return 0;
1189 } else
1190 *outl = fix_len;
1191 return 1;
1192 }
1193
1194 if (inl <= 0) {
1195 *outl = 0;
1196 return inl == 0;
1197 }
1198
1199 if (ctx->flags & EVP_CIPH_NO_PADDING)
1200 return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
1201
1202 OPENSSL_assert(b <= sizeof(ctx->final));
1203
1204 if (ctx->final_used) {
1205 /* see comment about PTRDIFF_T comparison above */
1206 if (((PTRDIFF_T)out == (PTRDIFF_T)in)
1207 || ossl_is_partially_overlapping(out, in, b)) {
1208 ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
1209 return 0;
1210 }
1211 /*
1212 * final_used is only ever set if buf_len is 0. Therefore the maximum
1213 * length output we will ever see from evp_EncryptDecryptUpdate is
1214 * the maximum multiple of the block length that is <= inl, or just:
1215 * inl & ~(b - 1)
1216 * Since final_used has been set then the final output length is:
1217 * (inl & ~(b - 1)) + b
1218 * This must never exceed INT_MAX
1219 */
1220 if ((inl & ~(b - 1)) > INT_MAX - b) {
1221 ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW);
1222 return 0;
1223 }
1224 memcpy(out, ctx->final, b);
1225 out += b;
1226 fix_len = 1;
1227 } else
1228 fix_len = 0;
1229
1230 if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl))
1231 return 0;
1232
1233 /*
1234 * if we have 'decrypted' a multiple of block size, make sure we have a
1235 * copy of this last block
1236 */
1237 if (b > 1 && !ctx->buf_len) {
1238 *outl -= b;
1239 ctx->final_used = 1;
1240 memcpy(ctx->final, &out[*outl], b);
1241 } else
1242 ctx->final_used = 0;
1243
1244 if (fix_len)
1245 *outl += b;
1246
1247 return 1;
1248 }
1249
EVP_DecryptFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)1250 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
1251 {
1252 int ret;
1253 ret = EVP_DecryptFinal_ex(ctx, out, outl);
1254 return ret;
1255 }
1256
EVP_DecryptFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)1257 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
1258 {
1259 int i, n;
1260 unsigned int b;
1261 size_t soutl;
1262 int ret;
1263 int blocksize;
1264
1265 if (outl != NULL) {
1266 *outl = 0;
1267 } else {
1268 ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
1269 return 0;
1270 }
1271
1272 /* Prevent accidental use of encryption context when decrypting */
1273 if (ctx->encrypt) {
1274 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
1275 return 0;
1276 }
1277
1278 if (ctx->cipher == NULL) {
1279 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
1280 return 0;
1281 }
1282
1283 if (ctx->cipher->prov == NULL)
1284 goto legacy;
1285
1286 blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
1287
1288 if (blocksize < 1 || ctx->cipher->cfinal == NULL) {
1289 ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
1290 return 0;
1291 }
1292
1293 ret = ctx->cipher->cfinal(ctx->algctx, out, &soutl,
1294 blocksize == 1 ? 0 : blocksize);
1295
1296 if (ret) {
1297 if (soutl > INT_MAX) {
1298 ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
1299 return 0;
1300 }
1301 *outl = soutl;
1302 }
1303
1304 return ret;
1305
1306 /* Code below to be removed when legacy support is dropped. */
1307 legacy:
1308
1309 *outl = 0;
1310 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
1311 i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
1312 if (i < 0)
1313 return 0;
1314 else
1315 *outl = i;
1316 return 1;
1317 }
1318
1319 b = ctx->cipher->block_size;
1320 if (ctx->flags & EVP_CIPH_NO_PADDING) {
1321 if (ctx->buf_len) {
1322 ERR_raise(ERR_LIB_EVP, EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
1323 return 0;
1324 }
1325 *outl = 0;
1326 return 1;
1327 }
1328 if (b > 1) {
1329 if (ctx->buf_len || !ctx->final_used) {
1330 ERR_raise(ERR_LIB_EVP, EVP_R_WRONG_FINAL_BLOCK_LENGTH);
1331 return 0;
1332 }
1333 OPENSSL_assert(b <= sizeof(ctx->final));
1334
1335 /*
1336 * The following assumes that the ciphertext has been authenticated.
1337 * Otherwise it provides a padding oracle.
1338 */
1339 n = ctx->final[b - 1];
1340 if (n == 0 || n > (int)b) {
1341 ERR_raise(ERR_LIB_EVP, EVP_R_BAD_DECRYPT);
1342 return 0;
1343 }
1344 for (i = 0; i < n; i++) {
1345 if (ctx->final[--b] != n) {
1346 ERR_raise(ERR_LIB_EVP, EVP_R_BAD_DECRYPT);
1347 return 0;
1348 }
1349 }
1350 n = ctx->cipher->block_size - n;
1351 for (i = 0; i < n; i++)
1352 out[i] = ctx->final[i];
1353 *outl = n;
1354 }
1355 return 1;
1356 }
1357
EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX * c,int keylen)1358 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
1359 {
1360 if (c->cipher->prov != NULL) {
1361 int ok;
1362 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
1363 size_t len;
1364
1365 if (EVP_CIPHER_CTX_get_key_length(c) == keylen)
1366 return 1;
1367
1368 /* Check the cipher actually understands this parameter */
1369 if (OSSL_PARAM_locate_const(EVP_CIPHER_settable_ctx_params(c->cipher),
1370 OSSL_CIPHER_PARAM_KEYLEN)
1371 == NULL) {
1372 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1373 return 0;
1374 }
1375
1376 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &len);
1377 if (!OSSL_PARAM_set_int(params, keylen))
1378 return 0;
1379 ok = evp_do_ciph_ctx_setparams(c->cipher, c->algctx, params);
1380 if (ok <= 0)
1381 return 0;
1382 c->key_len = keylen;
1383 return 1;
1384 }
1385
1386 /* Code below to be removed when legacy support is dropped. */
1387
1388 /*
1389 * Note there have never been any built-in ciphers that define this flag
1390 * since it was first introduced.
1391 */
1392 if (c->cipher->flags & EVP_CIPH_CUSTOM_KEY_LENGTH)
1393 return EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_KEY_LENGTH, keylen, NULL);
1394 if (EVP_CIPHER_CTX_get_key_length(c) == keylen)
1395 return 1;
1396 if ((keylen > 0) && (c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) {
1397 c->key_len = keylen;
1398 return 1;
1399 }
1400 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1401 return 0;
1402 }
1403
EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX * ctx,int pad)1404 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
1405 {
1406 int ok;
1407 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
1408 unsigned int pd = pad;
1409
1410 if (pad)
1411 ctx->flags &= ~EVP_CIPH_NO_PADDING;
1412 else
1413 ctx->flags |= EVP_CIPH_NO_PADDING;
1414
1415 if (ctx->cipher != NULL && ctx->cipher->prov == NULL)
1416 return 1;
1417 params[0] = OSSL_PARAM_construct_uint(OSSL_CIPHER_PARAM_PADDING, &pd);
1418 ok = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1419
1420 return ok != 0;
1421 }
1422
EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX * ctx,int type,int arg,void * ptr)1423 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
1424 {
1425 int ret = EVP_CTRL_RET_UNSUPPORTED;
1426 int set_params = 1;
1427 size_t sz = arg;
1428 unsigned int i;
1429 OSSL_PARAM params[4] = {
1430 OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
1431 };
1432
1433 if (ctx == NULL || ctx->cipher == NULL) {
1434 ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
1435 return 0;
1436 }
1437
1438 if (ctx->cipher->prov == NULL)
1439 goto legacy;
1440
1441 switch (type) {
1442 case EVP_CTRL_SET_KEY_LENGTH:
1443 if (arg < 0)
1444 return 0;
1445 if (ctx->key_len == arg)
1446 /* Skip calling into provider if unchanged. */
1447 return 1;
1448 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &sz);
1449 ctx->key_len = -1;
1450 break;
1451 case EVP_CTRL_RAND_KEY: /* Used by DES */
1452 set_params = 0;
1453 params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_RANDOM_KEY,
1454 ptr, sz);
1455 break;
1456
1457 case EVP_CTRL_INIT:
1458 /*
1459 * EVP_CTRL_INIT is purely legacy, no provider counterpart.
1460 * As a matter of fact, this should be dead code, but some caller
1461 * might still do a direct control call with this command, so...
1462 * Legacy methods return 1 except for exceptional circumstances, so
1463 * we do the same here to not be disruptive.
1464 */
1465 return 1;
1466 case EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS: /* Used by DASYNC */
1467 default:
1468 goto end;
1469 case EVP_CTRL_AEAD_SET_IVLEN:
1470 if (arg < 0)
1471 return 0;
1472 if (ctx->iv_len == arg)
1473 /* Skip calling into provider if unchanged. */
1474 return 1;
1475 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, &sz);
1476 ctx->iv_len = -1;
1477 break;
1478 case EVP_CTRL_CCM_SET_L:
1479 if (arg < 2 || arg > 8)
1480 return 0;
1481 sz = 15 - arg;
1482 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, &sz);
1483 ctx->iv_len = -1;
1484 break;
1485 case EVP_CTRL_AEAD_SET_IV_FIXED:
1486 params[0] = OSSL_PARAM_construct_octet_string(
1487 OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, ptr, sz);
1488 break;
1489 case EVP_CTRL_GCM_IV_GEN:
1490 set_params = 0;
1491 if (arg < 0)
1492 sz = 0; /* special case that uses the iv length */
1493 params[0] = OSSL_PARAM_construct_octet_string(
1494 OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, ptr, sz);
1495 break;
1496 case EVP_CTRL_GCM_SET_IV_INV:
1497 if (arg < 0)
1498 return 0;
1499 params[0] = OSSL_PARAM_construct_octet_string(
1500 OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV, ptr, sz);
1501 break;
1502 case EVP_CTRL_GET_RC5_ROUNDS:
1503 set_params = 0; /* Fall thru */
1504 case EVP_CTRL_SET_RC5_ROUNDS:
1505 if (arg < 0)
1506 return 0;
1507 i = (unsigned int)arg;
1508 params[0] = OSSL_PARAM_construct_uint(OSSL_CIPHER_PARAM_ROUNDS, &i);
1509 break;
1510 case EVP_CTRL_SET_SPEED:
1511 if (arg < 0)
1512 return 0;
1513 i = (unsigned int)arg;
1514 params[0] = OSSL_PARAM_construct_uint(OSSL_CIPHER_PARAM_SPEED, &i);
1515 break;
1516 case EVP_CTRL_AEAD_GET_TAG:
1517 set_params = 0; /* Fall thru */
1518 case EVP_CTRL_AEAD_SET_TAG:
1519 params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
1520 ptr, sz);
1521 break;
1522 case EVP_CTRL_AEAD_TLS1_AAD:
1523 /* This one does a set and a get - since it returns a size */
1524 params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD,
1525 ptr, sz);
1526 ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1527 if (ret <= 0)
1528 goto end;
1529 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, &sz);
1530 ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1531 if (ret <= 0)
1532 goto end;
1533 return sz;
1534 #ifndef OPENSSL_NO_RC2
1535 case EVP_CTRL_GET_RC2_KEY_BITS:
1536 set_params = 0; /* Fall thru */
1537 case EVP_CTRL_SET_RC2_KEY_BITS:
1538 params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_RC2_KEYBITS, &sz);
1539 break;
1540 #endif /* OPENSSL_NO_RC2 */
1541 #if !defined(OPENSSL_NO_MULTIBLOCK)
1542 case EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE:
1543 params[0] = OSSL_PARAM_construct_size_t(
1544 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT, &sz);
1545 ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1546 if (ret <= 0)
1547 return 0;
1548
1549 params[0] = OSSL_PARAM_construct_size_t(
1550 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE, &sz);
1551 params[1] = OSSL_PARAM_construct_end();
1552 ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1553 if (ret <= 0)
1554 return 0;
1555 return sz;
1556 case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD: {
1557 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *p = (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr;
1558
1559 if (arg < (int)sizeof(EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM))
1560 return 0;
1561
1562 params[0] = OSSL_PARAM_construct_octet_string(
1563 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD, (void *)p->inp, p->len);
1564 params[1] = OSSL_PARAM_construct_uint(
1565 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave);
1566 ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1567 if (ret <= 0)
1568 return ret;
1569 /* Retrieve the return values changed by the set */
1570 params[0] = OSSL_PARAM_construct_size_t(
1571 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN, &sz);
1572 params[1] = OSSL_PARAM_construct_uint(
1573 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave);
1574 params[2] = OSSL_PARAM_construct_end();
1575 ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1576 if (ret <= 0)
1577 return 0;
1578 return sz;
1579 }
1580 case EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT: {
1581 EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *p = (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr;
1582
1583 params[0] = OSSL_PARAM_construct_octet_string(
1584 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC, p->out, p->len);
1585
1586 params[1] = OSSL_PARAM_construct_octet_string(
1587 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN, (void *)p->inp,
1588 p->len);
1589 params[2] = OSSL_PARAM_construct_uint(
1590 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave);
1591 ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1592 if (ret <= 0)
1593 return ret;
1594 params[0] = OSSL_PARAM_construct_size_t(
1595 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN, &sz);
1596 params[1] = OSSL_PARAM_construct_end();
1597 ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1598 if (ret <= 0)
1599 return 0;
1600 return sz;
1601 }
1602 #endif /* OPENSSL_NO_MULTIBLOCK */
1603 case EVP_CTRL_AEAD_SET_MAC_KEY:
1604 if (arg < 0)
1605 return -1;
1606 params[0] = OSSL_PARAM_construct_octet_string(
1607 OSSL_CIPHER_PARAM_AEAD_MAC_KEY, ptr, sz);
1608 break;
1609 }
1610
1611 if (set_params)
1612 ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1613 else
1614 ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1615 goto end;
1616
1617 /* Code below to be removed when legacy support is dropped. */
1618 legacy:
1619 if (ctx->cipher->ctrl == NULL) {
1620 ERR_raise(ERR_LIB_EVP, EVP_R_CTRL_NOT_IMPLEMENTED);
1621 return 0;
1622 }
1623
1624 ret = ctx->cipher->ctrl(ctx, type, arg, ptr);
1625
1626 end:
1627 if (ret == EVP_CTRL_RET_UNSUPPORTED) {
1628 ERR_raise(ERR_LIB_EVP, EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED);
1629 return 0;
1630 }
1631 return ret;
1632 }
1633
EVP_CIPHER_get_params(EVP_CIPHER * cipher,OSSL_PARAM params[])1634 int EVP_CIPHER_get_params(EVP_CIPHER *cipher, OSSL_PARAM params[])
1635 {
1636 if (cipher != NULL && cipher->get_params != NULL)
1637 return cipher->get_params(params);
1638 return 0;
1639 }
1640
EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX * ctx,const OSSL_PARAM params[])1641 int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[])
1642 {
1643 int r = 0;
1644 const OSSL_PARAM *p;
1645
1646 if (ctx->cipher != NULL && ctx->cipher->set_ctx_params != NULL) {
1647 r = ctx->cipher->set_ctx_params(ctx->algctx, params);
1648 if (r > 0) {
1649 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
1650 if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->key_len)) {
1651 r = 0;
1652 ctx->key_len = -1;
1653 }
1654 }
1655 if (r > 0) {
1656 p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
1657 if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->iv_len)) {
1658 r = 0;
1659 ctx->iv_len = -1;
1660 }
1661 }
1662 }
1663 return r;
1664 }
1665
EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX * ctx,OSSL_PARAM params[])1666 int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[])
1667 {
1668 if (ctx->cipher != NULL && ctx->cipher->get_ctx_params != NULL)
1669 return ctx->cipher->get_ctx_params(ctx->algctx, params);
1670 return 0;
1671 }
1672
EVP_CIPHER_gettable_params(const EVP_CIPHER * cipher)1673 const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher)
1674 {
1675 if (cipher != NULL && cipher->gettable_params != NULL)
1676 return cipher->gettable_params(
1677 ossl_provider_ctx(EVP_CIPHER_get0_provider(cipher)));
1678 return NULL;
1679 }
1680
EVP_CIPHER_settable_ctx_params(const EVP_CIPHER * cipher)1681 const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher)
1682 {
1683 void *provctx;
1684
1685 if (cipher != NULL && cipher->settable_ctx_params != NULL) {
1686 provctx = ossl_provider_ctx(EVP_CIPHER_get0_provider(cipher));
1687 return cipher->settable_ctx_params(NULL, provctx);
1688 }
1689 return NULL;
1690 }
1691
EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER * cipher)1692 const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher)
1693 {
1694 void *provctx;
1695
1696 if (cipher != NULL && cipher->gettable_ctx_params != NULL) {
1697 provctx = ossl_provider_ctx(EVP_CIPHER_get0_provider(cipher));
1698 return cipher->gettable_ctx_params(NULL, provctx);
1699 }
1700 return NULL;
1701 }
1702
EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX * cctx)1703 const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *cctx)
1704 {
1705 void *alg;
1706
1707 if (cctx != NULL && cctx->cipher->settable_ctx_params != NULL) {
1708 alg = ossl_provider_ctx(EVP_CIPHER_get0_provider(cctx->cipher));
1709 return cctx->cipher->settable_ctx_params(cctx->algctx, alg);
1710 }
1711 return NULL;
1712 }
1713
EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX * cctx)1714 const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *cctx)
1715 {
1716 void *provctx;
1717
1718 if (cctx != NULL && cctx->cipher->gettable_ctx_params != NULL) {
1719 provctx = ossl_provider_ctx(EVP_CIPHER_get0_provider(cctx->cipher));
1720 return cctx->cipher->gettable_ctx_params(cctx->algctx, provctx);
1721 }
1722 return NULL;
1723 }
1724
1725 #ifndef FIPS_MODULE
EVP_CIPHER_CTX_get_libctx(EVP_CIPHER_CTX * ctx)1726 static OSSL_LIB_CTX *EVP_CIPHER_CTX_get_libctx(EVP_CIPHER_CTX *ctx)
1727 {
1728 const EVP_CIPHER *cipher = ctx->cipher;
1729 const OSSL_PROVIDER *prov;
1730
1731 if (cipher == NULL)
1732 return NULL;
1733
1734 prov = EVP_CIPHER_get0_provider(cipher);
1735 return ossl_provider_libctx(prov);
1736 }
1737 #endif
1738
EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX * ctx,unsigned char * key)1739 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
1740 {
1741 if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
1742 return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
1743
1744 #ifdef FIPS_MODULE
1745 return 0;
1746 #else
1747 {
1748 int kl;
1749 OSSL_LIB_CTX *libctx = EVP_CIPHER_CTX_get_libctx(ctx);
1750
1751 kl = EVP_CIPHER_CTX_get_key_length(ctx);
1752 if (kl <= 0 || RAND_priv_bytes_ex(libctx, key, kl, 0) <= 0)
1753 return 0;
1754 return 1;
1755 }
1756 #endif /* FIPS_MODULE */
1757 }
1758
EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX * in)1759 EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
1760 {
1761 EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
1762
1763 if (out != NULL && !EVP_CIPHER_CTX_copy(out, in)) {
1764 EVP_CIPHER_CTX_free(out);
1765 out = NULL;
1766 }
1767 return out;
1768 }
1769
EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX * out,const EVP_CIPHER_CTX * in)1770 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
1771 {
1772 if ((in == NULL) || (in->cipher == NULL)) {
1773 ERR_raise(ERR_LIB_EVP, EVP_R_INPUT_NOT_INITIALIZED);
1774 return 0;
1775 }
1776
1777 if (in->cipher->prov == NULL)
1778 goto legacy;
1779
1780 if (in->cipher->dupctx == NULL) {
1781 ERR_raise(ERR_LIB_EVP, EVP_R_NOT_ABLE_TO_COPY_CTX);
1782 return 0;
1783 }
1784
1785 EVP_CIPHER_CTX_reset(out);
1786
1787 *out = *in;
1788 out->algctx = NULL;
1789
1790 if (in->fetched_cipher != NULL && !EVP_CIPHER_up_ref(in->fetched_cipher)) {
1791 out->fetched_cipher = NULL;
1792 return 0;
1793 }
1794
1795 out->algctx = in->cipher->dupctx(in->algctx);
1796 if (out->algctx == NULL) {
1797 ERR_raise(ERR_LIB_EVP, EVP_R_NOT_ABLE_TO_COPY_CTX);
1798 return 0;
1799 }
1800
1801 return 1;
1802
1803 /* Code below to be removed when legacy support is dropped. */
1804 legacy:
1805
1806 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
1807 /* Make sure it's safe to copy a cipher context using an ENGINE */
1808 if (in->engine && !ENGINE_init(in->engine)) {
1809 ERR_raise(ERR_LIB_EVP, ERR_R_ENGINE_LIB);
1810 return 0;
1811 }
1812 #endif
1813
1814 EVP_CIPHER_CTX_reset(out);
1815 memcpy(out, in, sizeof(*out));
1816
1817 if (in->cipher_data && in->cipher->ctx_size) {
1818 out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
1819 if (out->cipher_data == NULL) {
1820 out->cipher = NULL;
1821 return 0;
1822 }
1823 memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
1824 }
1825
1826 if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
1827 if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) {
1828 out->cipher = NULL;
1829 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
1830 return 0;
1831 }
1832 return 1;
1833 }
1834
evp_cipher_new(void)1835 EVP_CIPHER *evp_cipher_new(void)
1836 {
1837 EVP_CIPHER *cipher = OPENSSL_zalloc(sizeof(EVP_CIPHER));
1838
1839 if (cipher != NULL && !CRYPTO_NEW_REF(&cipher->refcnt, 1)) {
1840 OPENSSL_free(cipher);
1841 return NULL;
1842 }
1843 return cipher;
1844 }
1845
1846 /*
1847 * FIPS module note: since internal fetches will be entirely
1848 * provider based, we know that none of its code depends on legacy
1849 * NIDs or any functionality that use them.
1850 */
1851 #ifndef FIPS_MODULE
1852 /* After removal of legacy support get rid of the need for legacy NIDs */
set_legacy_nid(const char * name,void * vlegacy_nid)1853 static void set_legacy_nid(const char *name, void *vlegacy_nid)
1854 {
1855 int nid;
1856 int *legacy_nid = vlegacy_nid;
1857 /*
1858 * We use lowest level function to get the associated method, because
1859 * higher level functions such as EVP_get_cipherbyname() have changed
1860 * to look at providers too.
1861 */
1862 const void *legacy_method = OBJ_NAME_get(name, OBJ_NAME_TYPE_CIPHER_METH);
1863
1864 if (*legacy_nid == -1) /* We found a clash already */
1865 return;
1866 if (legacy_method == NULL)
1867 return;
1868 nid = EVP_CIPHER_get_nid(legacy_method);
1869 if (*legacy_nid != NID_undef && *legacy_nid != nid) {
1870 *legacy_nid = -1;
1871 return;
1872 }
1873 *legacy_nid = nid;
1874 }
1875 #endif
1876
evp_cipher_from_algorithm(const int name_id,const OSSL_ALGORITHM * algodef,OSSL_PROVIDER * prov)1877 static void *evp_cipher_from_algorithm(const int name_id,
1878 const OSSL_ALGORITHM *algodef,
1879 OSSL_PROVIDER *prov)
1880 {
1881 const OSSL_DISPATCH *fns = algodef->implementation;
1882 EVP_CIPHER *cipher = NULL;
1883 int fnciphcnt = 0, encinit = 0, decinit = 0, fnpipecnt = 0, fnctxcnt = 0;
1884
1885 if ((cipher = evp_cipher_new()) == NULL) {
1886 ERR_raise(ERR_LIB_EVP, ERR_R_EVP_LIB);
1887 return NULL;
1888 }
1889
1890 #ifndef FIPS_MODULE
1891 cipher->nid = NID_undef;
1892 if (!evp_names_do_all(prov, name_id, set_legacy_nid, &cipher->nid)
1893 || cipher->nid == -1) {
1894 ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
1895 goto err;
1896 }
1897 #endif
1898
1899 cipher->name_id = name_id;
1900 if ((cipher->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL)
1901 goto err;
1902
1903 cipher->description = algodef->algorithm_description;
1904
1905 for (; fns->function_id != 0; fns++) {
1906 switch (fns->function_id) {
1907 case OSSL_FUNC_CIPHER_NEWCTX:
1908 if (cipher->newctx != NULL)
1909 break;
1910 cipher->newctx = OSSL_FUNC_cipher_newctx(fns);
1911 fnctxcnt++;
1912 break;
1913 case OSSL_FUNC_CIPHER_ENCRYPT_INIT:
1914 if (cipher->einit != NULL)
1915 break;
1916 cipher->einit = OSSL_FUNC_cipher_encrypt_init(fns);
1917 encinit = 1;
1918 break;
1919 case OSSL_FUNC_CIPHER_DECRYPT_INIT:
1920 if (cipher->dinit != NULL)
1921 break;
1922 cipher->dinit = OSSL_FUNC_cipher_decrypt_init(fns);
1923 decinit = 1;
1924 break;
1925 case OSSL_FUNC_CIPHER_ENCRYPT_SKEY_INIT:
1926 if (cipher->einit_skey != NULL)
1927 break;
1928 cipher->einit_skey = OSSL_FUNC_cipher_encrypt_skey_init(fns);
1929 encinit = 1;
1930 break;
1931 case OSSL_FUNC_CIPHER_DECRYPT_SKEY_INIT:
1932 if (cipher->dinit_skey != NULL)
1933 break;
1934 cipher->dinit_skey = OSSL_FUNC_cipher_decrypt_skey_init(fns);
1935 decinit = 1;
1936 break;
1937 case OSSL_FUNC_CIPHER_UPDATE:
1938 if (cipher->cupdate != NULL)
1939 break;
1940 cipher->cupdate = OSSL_FUNC_cipher_update(fns);
1941 fnciphcnt++;
1942 break;
1943 case OSSL_FUNC_CIPHER_FINAL:
1944 if (cipher->cfinal != NULL)
1945 break;
1946 cipher->cfinal = OSSL_FUNC_cipher_final(fns);
1947 fnciphcnt++;
1948 break;
1949 case OSSL_FUNC_CIPHER_CIPHER:
1950 if (cipher->ccipher != NULL)
1951 break;
1952 cipher->ccipher = OSSL_FUNC_cipher_cipher(fns);
1953 break;
1954 case OSSL_FUNC_CIPHER_PIPELINE_ENCRYPT_INIT:
1955 if (cipher->p_einit != NULL)
1956 break;
1957 cipher->p_einit = OSSL_FUNC_cipher_pipeline_encrypt_init(fns);
1958 fnpipecnt++;
1959 break;
1960 case OSSL_FUNC_CIPHER_PIPELINE_DECRYPT_INIT:
1961 if (cipher->p_dinit != NULL)
1962 break;
1963 cipher->p_dinit = OSSL_FUNC_cipher_pipeline_decrypt_init(fns);
1964 fnpipecnt++;
1965 break;
1966 case OSSL_FUNC_CIPHER_PIPELINE_UPDATE:
1967 if (cipher->p_cupdate != NULL)
1968 break;
1969 cipher->p_cupdate = OSSL_FUNC_cipher_pipeline_update(fns);
1970 fnpipecnt++;
1971 break;
1972 case OSSL_FUNC_CIPHER_PIPELINE_FINAL:
1973 if (cipher->p_cfinal != NULL)
1974 break;
1975 cipher->p_cfinal = OSSL_FUNC_cipher_pipeline_final(fns);
1976 fnpipecnt++;
1977 break;
1978 case OSSL_FUNC_CIPHER_FREECTX:
1979 if (cipher->freectx != NULL)
1980 break;
1981 cipher->freectx = OSSL_FUNC_cipher_freectx(fns);
1982 fnctxcnt++;
1983 break;
1984 case OSSL_FUNC_CIPHER_DUPCTX:
1985 if (cipher->dupctx != NULL)
1986 break;
1987 cipher->dupctx = OSSL_FUNC_cipher_dupctx(fns);
1988 break;
1989 case OSSL_FUNC_CIPHER_GET_PARAMS:
1990 if (cipher->get_params != NULL)
1991 break;
1992 cipher->get_params = OSSL_FUNC_cipher_get_params(fns);
1993 break;
1994 case OSSL_FUNC_CIPHER_GET_CTX_PARAMS:
1995 if (cipher->get_ctx_params != NULL)
1996 break;
1997 cipher->get_ctx_params = OSSL_FUNC_cipher_get_ctx_params(fns);
1998 break;
1999 case OSSL_FUNC_CIPHER_SET_CTX_PARAMS:
2000 if (cipher->set_ctx_params != NULL)
2001 break;
2002 cipher->set_ctx_params = OSSL_FUNC_cipher_set_ctx_params(fns);
2003 break;
2004 case OSSL_FUNC_CIPHER_GETTABLE_PARAMS:
2005 if (cipher->gettable_params != NULL)
2006 break;
2007 cipher->gettable_params = OSSL_FUNC_cipher_gettable_params(fns);
2008 break;
2009 case OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS:
2010 if (cipher->gettable_ctx_params != NULL)
2011 break;
2012 cipher->gettable_ctx_params = OSSL_FUNC_cipher_gettable_ctx_params(fns);
2013 break;
2014 case OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS:
2015 if (cipher->settable_ctx_params != NULL)
2016 break;
2017 cipher->settable_ctx_params = OSSL_FUNC_cipher_settable_ctx_params(fns);
2018 break;
2019 }
2020 }
2021 fnciphcnt += encinit + decinit;
2022 if ((fnciphcnt != 0 && fnciphcnt != 3 && fnciphcnt != 4)
2023 || (fnciphcnt == 0 && cipher->ccipher == NULL && fnpipecnt == 0)
2024 || (fnpipecnt != 0 && (fnpipecnt < 3 || cipher->p_cupdate == NULL || cipher->p_cfinal == NULL))
2025 || fnctxcnt != 2) {
2026 /*
2027 * In order to be a consistent set of functions we must have at least
2028 * a complete set of "encrypt" functions, or a complete set of "decrypt"
2029 * functions, or a single "cipher" function. In all cases we need both
2030 * the "newctx" and "freectx" functions.
2031 */
2032 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
2033 goto err;
2034 }
2035 if (prov != NULL && !ossl_provider_up_ref(prov))
2036 goto err;
2037
2038 cipher->prov = prov;
2039
2040 if (!evp_cipher_cache_constants(cipher)) {
2041 ERR_raise(ERR_LIB_EVP, EVP_R_CACHE_CONSTANTS_FAILED);
2042 goto err;
2043 }
2044
2045 return cipher;
2046
2047 err:
2048 EVP_CIPHER_free(cipher);
2049 return NULL;
2050 }
2051
evp_cipher_up_ref(void * cipher)2052 static int evp_cipher_up_ref(void *cipher)
2053 {
2054 return EVP_CIPHER_up_ref(cipher);
2055 }
2056
evp_cipher_free(void * cipher)2057 static void evp_cipher_free(void *cipher)
2058 {
2059 EVP_CIPHER_free(cipher);
2060 }
2061
EVP_CIPHER_fetch(OSSL_LIB_CTX * ctx,const char * algorithm,const char * properties)2062 EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
2063 const char *properties)
2064 {
2065 EVP_CIPHER *cipher = evp_generic_fetch(ctx, OSSL_OP_CIPHER, algorithm, properties,
2066 evp_cipher_from_algorithm, evp_cipher_up_ref,
2067 evp_cipher_free);
2068
2069 return cipher;
2070 }
2071
evp_cipher_fetch_from_prov(OSSL_PROVIDER * prov,const char * algorithm,const char * properties)2072 EVP_CIPHER *evp_cipher_fetch_from_prov(OSSL_PROVIDER *prov,
2073 const char *algorithm,
2074 const char *properties)
2075 {
2076 return evp_generic_fetch_from_prov(prov, OSSL_OP_CIPHER,
2077 algorithm, properties,
2078 evp_cipher_from_algorithm,
2079 evp_cipher_up_ref,
2080 evp_cipher_free);
2081 }
2082
EVP_CIPHER_can_pipeline(const EVP_CIPHER * cipher,int enc)2083 int EVP_CIPHER_can_pipeline(const EVP_CIPHER *cipher, int enc)
2084 {
2085 if (((enc && cipher->p_einit != NULL) || (!enc && cipher->p_dinit != NULL))
2086 && cipher->p_cupdate != NULL && cipher->p_cfinal != NULL)
2087 return 1;
2088
2089 return 0;
2090 }
2091
EVP_CIPHER_up_ref(EVP_CIPHER * cipher)2092 int EVP_CIPHER_up_ref(EVP_CIPHER *cipher)
2093 {
2094 int ref = 0;
2095
2096 if (cipher->origin == EVP_ORIG_DYNAMIC)
2097 CRYPTO_UP_REF(&cipher->refcnt, &ref);
2098 return 1;
2099 }
2100
evp_cipher_free_int(EVP_CIPHER * cipher)2101 void evp_cipher_free_int(EVP_CIPHER *cipher)
2102 {
2103 OPENSSL_free(cipher->type_name);
2104 ossl_provider_free(cipher->prov);
2105 CRYPTO_FREE_REF(&cipher->refcnt);
2106 OPENSSL_free(cipher);
2107 }
2108
EVP_CIPHER_free(EVP_CIPHER * cipher)2109 void EVP_CIPHER_free(EVP_CIPHER *cipher)
2110 {
2111 int i;
2112
2113 if (cipher == NULL || cipher->origin != EVP_ORIG_DYNAMIC)
2114 return;
2115
2116 CRYPTO_DOWN_REF(&cipher->refcnt, &i);
2117 if (i > 0)
2118 return;
2119 evp_cipher_free_int(cipher);
2120 }
2121
EVP_CIPHER_do_all_provided(OSSL_LIB_CTX * libctx,void (* fn)(EVP_CIPHER * mac,void * arg),void * arg)2122 void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx,
2123 void (*fn)(EVP_CIPHER *mac, void *arg),
2124 void *arg)
2125 {
2126 evp_generic_do_all(libctx, OSSL_OP_CIPHER,
2127 (void (*)(void *, void *))fn, arg,
2128 evp_cipher_from_algorithm, evp_cipher_up_ref,
2129 evp_cipher_free);
2130 }
2131