2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/evp.h>
13 #include <openssl/err.h>
14 #include <openssl/rand.h>
15 #include <openssl/engine.h>
16 #include "internal/evp_int.h"
19 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
23 if (c->cipher != NULL) {
24 if (c->cipher->cleanup && !c->cipher->cleanup(c))
26 /* Cleanse cipher context data */
27 if (c->cipher_data && c->cipher->ctx_size)
28 OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
30 OPENSSL_free(c->cipher_data);
31 #ifndef OPENSSL_NO_ENGINE
32 ENGINE_finish(c->engine);
34 memset(c, 0, sizeof(*c));
38 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
40 return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
43 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
45 EVP_CIPHER_CTX_reset(ctx);
49 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
50 const unsigned char *key, const unsigned char *iv, int enc)
52 EVP_CIPHER_CTX_reset(ctx);
53 return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc);
56 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
57 ENGINE *impl, const unsigned char *key,
58 const unsigned char *iv, int enc)
67 #ifndef OPENSSL_NO_ENGINE
69 * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
70 * this context may already have an ENGINE! Try to avoid releasing the
71 * previous handle, re-querying for an ENGINE, and having a
72 * reinitialisation, when it may all be unnecessary.
74 if (ctx->engine && ctx->cipher
75 && (cipher == NULL || cipher->nid == ctx->cipher->nid))
80 * Ensure a context left lying around from last time is cleared (the
81 * previous check attempted to avoid this if the same ENGINE and
82 * EVP_CIPHER could be used).
85 unsigned long flags = ctx->flags;
86 EVP_CIPHER_CTX_reset(ctx);
87 /* Restore encrypt and flags */
91 #ifndef OPENSSL_NO_ENGINE
93 if (!ENGINE_init(impl)) {
94 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
98 /* Ask if an ENGINE is reserved for this job */
99 impl = ENGINE_get_cipher_engine(cipher->nid);
101 /* There's an ENGINE for this job ... (apparently) */
102 const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
105 * One positive side-effect of US's export control history,
106 * is that we should at least be able to avoid using US
107 * misspellings of "initialisation"?
109 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
112 /* We'll use the ENGINE's private cipher definition */
115 * Store the ENGINE functional reference so we know 'cipher' came
116 * from an ENGINE and we need to release it when done.
123 ctx->cipher = cipher;
124 if (ctx->cipher->ctx_size) {
125 ctx->cipher_data = OPENSSL_zalloc(ctx->cipher->ctx_size);
126 if (ctx->cipher_data == NULL) {
127 EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
131 ctx->cipher_data = NULL;
133 ctx->key_len = cipher->key_len;
134 /* Preserve wrap enable flag, zero everything else */
135 ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
136 if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
137 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
138 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
142 } else if (!ctx->cipher) {
143 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_NO_CIPHER_SET);
146 #ifndef OPENSSL_NO_ENGINE
149 /* we assume block size is a power of 2 in *cryptUpdate */
150 OPENSSL_assert(ctx->cipher->block_size == 1
151 || ctx->cipher->block_size == 8
152 || ctx->cipher->block_size == 16);
154 if (!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
155 && EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE) {
156 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_WRAP_MODE_NOT_ALLOWED);
160 if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_CUSTOM_IV)) {
161 switch (EVP_CIPHER_CTX_mode(ctx)) {
163 case EVP_CIPH_STREAM_CIPHER:
164 case EVP_CIPH_ECB_MODE:
167 case EVP_CIPH_CFB_MODE:
168 case EVP_CIPH_OFB_MODE:
173 case EVP_CIPH_CBC_MODE:
175 OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <=
176 (int)sizeof(ctx->iv));
178 memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));
179 memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
182 case EVP_CIPH_CTR_MODE:
184 /* Don't reuse IV for CTR mode */
186 memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
194 if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
195 if (!ctx->cipher->init(ctx, key, iv, enc))
200 ctx->block_mask = ctx->cipher->block_size - 1;
204 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
205 const unsigned char *in, int inl)
208 return EVP_EncryptUpdate(ctx, out, outl, in, inl);
210 return EVP_DecryptUpdate(ctx, out, outl, in, inl);
213 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
216 return EVP_EncryptFinal_ex(ctx, out, outl);
218 return EVP_DecryptFinal_ex(ctx, out, outl);
221 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
224 return EVP_EncryptFinal(ctx, out, outl);
226 return EVP_DecryptFinal(ctx, out, outl);
229 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
230 const unsigned char *key, const unsigned char *iv)
232 return EVP_CipherInit(ctx, cipher, key, iv, 1);
235 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
236 ENGINE *impl, const unsigned char *key,
237 const unsigned char *iv)
239 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1);
242 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
243 const unsigned char *key, const unsigned char *iv)
245 return EVP_CipherInit(ctx, cipher, key, iv, 0);
248 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
249 ENGINE *impl, const unsigned char *key,
250 const unsigned char *iv)
252 return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
255 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
256 const unsigned char *in, int inl)
260 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
261 i = ctx->cipher->do_cipher(ctx, out, in, inl);
274 if (ctx->buf_len == 0 && (inl & (ctx->block_mask)) == 0) {
275 if (ctx->cipher->do_cipher(ctx, out, in, inl)) {
284 bl = ctx->cipher->block_size;
285 OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
288 memcpy(&(ctx->buf[i]), in, inl);
294 memcpy(&(ctx->buf[i]), in, j);
295 if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl))
307 if (!ctx->cipher->do_cipher(ctx, out, in, inl))
313 memcpy(ctx->buf, &(in[inl]), i);
318 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
321 ret = EVP_EncryptFinal_ex(ctx, out, outl);
325 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
328 unsigned int i, b, bl;
330 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
331 ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
339 b = ctx->cipher->block_size;
340 OPENSSL_assert(b <= sizeof ctx->buf);
346 if (ctx->flags & EVP_CIPH_NO_PADDING) {
348 EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX,
349 EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
357 for (i = bl; i < b; i++)
359 ret = ctx->cipher->do_cipher(ctx, out, ctx->buf, b);
367 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
368 const unsigned char *in, int inl)
373 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
374 fix_len = ctx->cipher->do_cipher(ctx, out, in, inl);
388 if (ctx->flags & EVP_CIPH_NO_PADDING)
389 return EVP_EncryptUpdate(ctx, out, outl, in, inl);
391 b = ctx->cipher->block_size;
392 OPENSSL_assert(b <= sizeof ctx->final);
394 if (ctx->final_used) {
395 memcpy(out, ctx->final, b);
401 if (!EVP_EncryptUpdate(ctx, out, outl, in, inl))
405 * if we have 'decrypted' a multiple of block size, make sure we have a
406 * copy of this last block
408 if (b > 1 && !ctx->buf_len) {
411 memcpy(ctx->final, &out[*outl], b);
421 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
424 ret = EVP_DecryptFinal_ex(ctx, out, outl);
428 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
434 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
435 i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
443 b = ctx->cipher->block_size;
444 if (ctx->flags & EVP_CIPH_NO_PADDING) {
446 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,
447 EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
454 if (ctx->buf_len || !ctx->final_used) {
455 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_WRONG_FINAL_BLOCK_LENGTH);
458 OPENSSL_assert(b <= sizeof ctx->final);
461 * The following assumes that the ciphertext has been authenticated.
462 * Otherwise it provides a padding oracle.
464 n = ctx->final[b - 1];
465 if (n == 0 || n > (int)b) {
466 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
469 for (i = 0; i < n; i++) {
470 if (ctx->final[--b] != n) {
471 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
475 n = ctx->cipher->block_size - n;
476 for (i = 0; i < n; i++)
477 out[i] = ctx->final[i];
484 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
486 if (c->cipher->flags & EVP_CIPH_CUSTOM_KEY_LENGTH)
487 return EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_KEY_LENGTH, keylen, NULL);
488 if (c->key_len == keylen)
490 if ((keylen > 0) && (c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) {
494 EVPerr(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH, EVP_R_INVALID_KEY_LENGTH);
498 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
501 ctx->flags &= ~EVP_CIPH_NO_PADDING;
503 ctx->flags |= EVP_CIPH_NO_PADDING;
507 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
511 EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET);
515 if (!ctx->cipher->ctrl) {
516 EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_CTRL_NOT_IMPLEMENTED);
520 ret = ctx->cipher->ctrl(ctx, type, arg, ptr);
522 EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL,
523 EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED);
529 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
531 if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
532 return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
533 if (RAND_bytes(key, ctx->key_len) <= 0)
538 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
540 if ((in == NULL) || (in->cipher == NULL)) {
541 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, EVP_R_INPUT_NOT_INITIALIZED);
544 #ifndef OPENSSL_NO_ENGINE
545 /* Make sure it's safe to copy a cipher context using an ENGINE */
546 if (in->engine && !ENGINE_init(in->engine)) {
547 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_ENGINE_LIB);
552 EVP_CIPHER_CTX_reset(out);
553 memcpy(out, in, sizeof(*out));
555 if (in->cipher_data && in->cipher->ctx_size) {
556 out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
557 if (out->cipher_data == NULL) {
558 EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_MALLOC_FAILURE);
561 memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
564 if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
565 return in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out);