1 /*
2  * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /* We need to use some engine deprecated APIs */
11 #define OPENSSL_SUPPRESS_DEPRECATED
12 
13 #include <stdio.h>
14 #include <limits.h>
15 #include <assert.h>
16 #include <openssl/evp.h>
17 #include <openssl/err.h>
18 #include <openssl/rand.h>
19 #ifndef FIPS_MODULE
20 # include <openssl/engine.h>
21 #endif
22 #include <openssl/params.h>
23 #include <openssl/core_names.h>
24 #include "internal/cryptlib.h"
25 #include "internal/provider.h"
26 #include "internal/core.h"
27 #include "crypto/evp.h"
28 #include "evp_local.h"
29 
EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX * ctx)30 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
31 {
32     if (ctx == NULL)
33         return 1;
34 
35     if (ctx->cipher == NULL || ctx->cipher->prov == NULL)
36         goto legacy;
37 
38     if (ctx->algctx != NULL) {
39         if (ctx->cipher->freectx != NULL)
40             ctx->cipher->freectx(ctx->algctx);
41         ctx->algctx = NULL;
42     }
43     if (ctx->fetched_cipher != NULL)
44         EVP_CIPHER_free(ctx->fetched_cipher);
45     memset(ctx, 0, sizeof(*ctx));
46     ctx->iv_len = -1;
47 
48     return 1;
49 
50     /* Remove legacy code below when legacy support is removed. */
51  legacy:
52 
53     if (ctx->cipher != NULL) {
54         if (ctx->cipher->cleanup && !ctx->cipher->cleanup(ctx))
55             return 0;
56         /* Cleanse cipher context data */
57         if (ctx->cipher_data && ctx->cipher->ctx_size)
58             OPENSSL_cleanse(ctx->cipher_data, ctx->cipher->ctx_size);
59     }
60     OPENSSL_free(ctx->cipher_data);
61 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
62     ENGINE_finish(ctx->engine);
63 #endif
64     memset(ctx, 0, sizeof(*ctx));
65     ctx->iv_len = -1;
66     return 1;
67 }
68 
EVP_CIPHER_CTX_new(void)69 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
70 {
71     return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
72 }
73 
EVP_CIPHER_CTX_free(EVP_CIPHER_CTX * ctx)74 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
75 {
76     if (ctx == NULL)
77         return;
78     EVP_CIPHER_CTX_reset(ctx);
79     OPENSSL_free(ctx);
80 }
81 
evp_cipher_init_internal(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv,int enc,const OSSL_PARAM params[])82 static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
83                                     const EVP_CIPHER *cipher,
84                                     ENGINE *impl, const unsigned char *key,
85                                     const unsigned char *iv, int enc,
86                                     const OSSL_PARAM params[])
87 {
88     int n;
89 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
90     ENGINE *tmpimpl = NULL;
91 #endif
92 
93     ctx->iv_len = -1;
94 
95     /*
96      * enc == 1 means we are encrypting.
97      * enc == 0 means we are decrypting.
98      * enc == -1 means, use the previously initialised value for encrypt/decrypt
99      */
100     if (enc == -1) {
101         enc = ctx->encrypt;
102     } else {
103         if (enc)
104             enc = 1;
105         ctx->encrypt = enc;
106     }
107 
108     if (cipher == NULL && ctx->cipher == NULL) {
109         ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
110         return 0;
111     }
112 
113     /* Code below to be removed when legacy support is dropped. */
114 
115 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
116     /*
117      * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
118      * this context may already have an ENGINE! Try to avoid releasing the
119      * previous handle, re-querying for an ENGINE, and having a
120      * reinitialisation, when it may all be unnecessary.
121      */
122     if (ctx->engine && ctx->cipher
123         && (cipher == NULL || cipher->nid == ctx->cipher->nid))
124         goto skip_to_init;
125 
126     if (cipher != NULL && impl == NULL) {
127          /* Ask if an ENGINE is reserved for this job */
128         tmpimpl = ENGINE_get_cipher_engine(cipher->nid);
129     }
130 #endif
131 
132     /*
133      * If there are engines involved then we should use legacy handling for now.
134      */
135     if (ctx->engine != NULL
136 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
137             || tmpimpl != NULL
138 #endif
139             || impl != NULL
140             || (cipher != NULL && cipher->origin == EVP_ORIG_METH)
141             || (cipher == NULL && ctx->cipher != NULL
142                                && ctx->cipher->origin == EVP_ORIG_METH)) {
143         if (ctx->cipher == ctx->fetched_cipher)
144             ctx->cipher = NULL;
145         EVP_CIPHER_free(ctx->fetched_cipher);
146         ctx->fetched_cipher = NULL;
147         goto legacy;
148     }
149     /*
150      * Ensure a context left lying around from last time is cleared
151      * (legacy code)
152      */
153     if (cipher != NULL && ctx->cipher != NULL) {
154         if (ctx->cipher->cleanup != NULL && !ctx->cipher->cleanup(ctx))
155             return 0;
156         OPENSSL_clear_free(ctx->cipher_data, ctx->cipher->ctx_size);
157         ctx->cipher_data = NULL;
158     }
159 
160     /* Start of non-legacy code below */
161 
162     /* Ensure a context left lying around from last time is cleared */
163     if (cipher != NULL && ctx->cipher != NULL) {
164         unsigned long flags = ctx->flags;
165 
166         EVP_CIPHER_CTX_reset(ctx);
167         /* Restore encrypt and flags */
168         ctx->encrypt = enc;
169         ctx->flags = flags;
170     }
171 
172     if (cipher == NULL)
173         cipher = ctx->cipher;
174 
175     if (cipher->prov == NULL) {
176 #ifdef FIPS_MODULE
177         /* We only do explicit fetches inside the FIPS module */
178         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
179         return 0;
180 #else
181         EVP_CIPHER *provciph =
182             EVP_CIPHER_fetch(NULL,
183                              cipher->nid == NID_undef ? "NULL"
184                                                       : OBJ_nid2sn(cipher->nid),
185                              "");
186 
187         if (provciph == NULL)
188             return 0;
189         cipher = provciph;
190         EVP_CIPHER_free(ctx->fetched_cipher);
191         ctx->fetched_cipher = provciph;
192 #endif
193     }
194 
195     if (cipher->prov != NULL) {
196         if (!EVP_CIPHER_up_ref((EVP_CIPHER *)cipher)) {
197             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
198             return 0;
199         }
200         EVP_CIPHER_free(ctx->fetched_cipher);
201         ctx->fetched_cipher = (EVP_CIPHER *)cipher;
202     }
203     ctx->cipher = cipher;
204     if (ctx->algctx == NULL) {
205         ctx->algctx = ctx->cipher->newctx(ossl_provider_ctx(cipher->prov));
206         if (ctx->algctx == NULL) {
207             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
208             return 0;
209         }
210     }
211 
212     if ((ctx->flags & EVP_CIPH_NO_PADDING) != 0) {
213         /*
214          * If this ctx was already set up for no padding then we need to tell
215          * the new cipher about it.
216          */
217         if (!EVP_CIPHER_CTX_set_padding(ctx, 0))
218             return 0;
219     }
220 
221     if (enc) {
222         if (ctx->cipher->einit == NULL) {
223             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
224             return 0;
225         }
226 
227         return ctx->cipher->einit(ctx->algctx,
228                                   key,
229                                   key == NULL ? 0
230                                               : EVP_CIPHER_CTX_get_key_length(ctx),
231                                   iv,
232                                   iv == NULL ? 0
233                                              : EVP_CIPHER_CTX_get_iv_length(ctx),
234                                   params);
235     }
236 
237     if (ctx->cipher->dinit == NULL) {
238         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
239         return 0;
240     }
241 
242     return ctx->cipher->dinit(ctx->algctx,
243                               key,
244                               key == NULL ? 0
245                                           : EVP_CIPHER_CTX_get_key_length(ctx),
246                               iv,
247                               iv == NULL ? 0
248                                          : EVP_CIPHER_CTX_get_iv_length(ctx),
249                                   params);
250 
251     /* Code below to be removed when legacy support is dropped. */
252  legacy:
253 
254     if (cipher != NULL) {
255         /*
256          * Ensure a context left lying around from last time is cleared (we
257          * previously attempted to avoid this if the same ENGINE and
258          * EVP_CIPHER could be used).
259          */
260         if (ctx->cipher) {
261             unsigned long flags = ctx->flags;
262             EVP_CIPHER_CTX_reset(ctx);
263             /* Restore encrypt and flags */
264             ctx->encrypt = enc;
265             ctx->flags = flags;
266         }
267 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
268         if (impl != NULL) {
269             if (!ENGINE_init(impl)) {
270                 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
271                 return 0;
272             }
273         } else {
274             impl = tmpimpl;
275         }
276         if (impl != NULL) {
277             /* There's an ENGINE for this job ... (apparently) */
278             const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
279 
280             if (c == NULL) {
281                 /*
282                  * One positive side-effect of US's export control history,
283                  * is that we should at least be able to avoid using US
284                  * misspellings of "initialisation"?
285                  */
286                 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
287                 return 0;
288             }
289             /* We'll use the ENGINE's private cipher definition */
290             cipher = c;
291             /*
292              * Store the ENGINE functional reference so we know 'cipher' came
293              * from an ENGINE and we need to release it when done.
294              */
295             ctx->engine = impl;
296         } else {
297             ctx->engine = NULL;
298         }
299 #endif
300 
301         ctx->cipher = cipher;
302         if (ctx->cipher->ctx_size) {
303             ctx->cipher_data = OPENSSL_zalloc(ctx->cipher->ctx_size);
304             if (ctx->cipher_data == NULL) {
305                 ctx->cipher = NULL;
306                 ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
307                 return 0;
308             }
309         } else {
310             ctx->cipher_data = NULL;
311         }
312         ctx->key_len = cipher->key_len;
313         /* Preserve wrap enable flag, zero everything else */
314         ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
315         if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
316             if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL) <= 0) {
317                 ctx->cipher = NULL;
318                 ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
319                 return 0;
320             }
321         }
322     }
323 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
324  skip_to_init:
325 #endif
326     if (ctx->cipher == NULL)
327         return 0;
328 
329     /* we assume block size is a power of 2 in *cryptUpdate */
330     OPENSSL_assert(ctx->cipher->block_size == 1
331                    || ctx->cipher->block_size == 8
332                    || ctx->cipher->block_size == 16);
333 
334     if (!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
335         && EVP_CIPHER_CTX_get_mode(ctx) == EVP_CIPH_WRAP_MODE) {
336         ERR_raise(ERR_LIB_EVP, EVP_R_WRAP_MODE_NOT_ALLOWED);
337         return 0;
338     }
339 
340     if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx))
341                 & EVP_CIPH_CUSTOM_IV) == 0) {
342         switch (EVP_CIPHER_CTX_get_mode(ctx)) {
343 
344         case EVP_CIPH_STREAM_CIPHER:
345         case EVP_CIPH_ECB_MODE:
346             break;
347 
348         case EVP_CIPH_CFB_MODE:
349         case EVP_CIPH_OFB_MODE:
350 
351             ctx->num = 0;
352             /* fall-through */
353 
354         case EVP_CIPH_CBC_MODE:
355             n = EVP_CIPHER_CTX_get_iv_length(ctx);
356             if (n < 0 || n > (int)sizeof(ctx->iv)) {
357                 ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
358                 return 0;
359             }
360             if (iv != NULL)
361                 memcpy(ctx->oiv, iv, n);
362             memcpy(ctx->iv, ctx->oiv, n);
363             break;
364 
365         case EVP_CIPH_CTR_MODE:
366             ctx->num = 0;
367             /* Don't reuse IV for CTR mode */
368             if (iv != NULL) {
369                 n = EVP_CIPHER_CTX_get_iv_length(ctx);
370                 if (n <= 0 || n > (int)sizeof(ctx->iv)) {
371                     ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
372                     return 0;
373                 }
374                 memcpy(ctx->iv, iv, n);
375             }
376             break;
377 
378         default:
379             return 0;
380         }
381     }
382 
383     if (key != NULL || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
384         if (!ctx->cipher->init(ctx, key, iv, enc))
385             return 0;
386     }
387     ctx->buf_len = 0;
388     ctx->final_used = 0;
389     ctx->block_mask = ctx->cipher->block_size - 1;
390     return 1;
391 }
392 
EVP_CipherInit_ex2(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,int enc,const OSSL_PARAM params[])393 int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
394                        const unsigned char *key, const unsigned char *iv,
395                        int enc, const OSSL_PARAM params[])
396 {
397     return evp_cipher_init_internal(ctx, cipher, NULL, key, iv, enc, params);
398 }
399 
EVP_CipherInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,int enc)400 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
401                    const unsigned char *key, const unsigned char *iv, int enc)
402 {
403     if (cipher != NULL)
404         EVP_CIPHER_CTX_reset(ctx);
405     return evp_cipher_init_internal(ctx, cipher, NULL, key, iv, enc, NULL);
406 }
407 
EVP_CipherInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv,int enc)408 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
409                       ENGINE *impl, const unsigned char *key,
410                       const unsigned char *iv, int enc)
411 {
412     return evp_cipher_init_internal(ctx, cipher, impl, key, iv, enc, NULL);
413 }
414 
EVP_CipherUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)415 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
416                      const unsigned char *in, int inl)
417 {
418     if (ctx->encrypt)
419         return EVP_EncryptUpdate(ctx, out, outl, in, inl);
420     else
421         return EVP_DecryptUpdate(ctx, out, outl, in, inl);
422 }
423 
EVP_CipherFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)424 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
425 {
426     if (ctx->encrypt)
427         return EVP_EncryptFinal_ex(ctx, out, outl);
428     else
429         return EVP_DecryptFinal_ex(ctx, out, outl);
430 }
431 
EVP_CipherFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)432 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
433 {
434     if (ctx->encrypt)
435         return EVP_EncryptFinal(ctx, out, outl);
436     else
437         return EVP_DecryptFinal(ctx, out, outl);
438 }
439 
EVP_EncryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)440 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
441                     const unsigned char *key, const unsigned char *iv)
442 {
443     return EVP_CipherInit(ctx, cipher, key, iv, 1);
444 }
445 
EVP_EncryptInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv)446 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
447                        ENGINE *impl, const unsigned char *key,
448                        const unsigned char *iv)
449 {
450     return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1);
451 }
452 
EVP_EncryptInit_ex2(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,const OSSL_PARAM params[])453 int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
454                         const unsigned char *key, const unsigned char *iv,
455                         const OSSL_PARAM params[])
456 {
457     return EVP_CipherInit_ex2(ctx, cipher, key, iv, 1, params);
458 }
459 
EVP_DecryptInit(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv)460 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
461                     const unsigned char *key, const unsigned char *iv)
462 {
463     return EVP_CipherInit(ctx, cipher, key, iv, 0);
464 }
465 
EVP_DecryptInit_ex(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,ENGINE * impl,const unsigned char * key,const unsigned char * iv)466 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
467                        ENGINE *impl, const unsigned char *key,
468                        const unsigned char *iv)
469 {
470     return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
471 }
472 
EVP_DecryptInit_ex2(EVP_CIPHER_CTX * ctx,const EVP_CIPHER * cipher,const unsigned char * key,const unsigned char * iv,const OSSL_PARAM params[])473 int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
474                         const unsigned char *key, const unsigned char *iv,
475                         const OSSL_PARAM params[])
476 {
477     return EVP_CipherInit_ex2(ctx, cipher, key, iv, 0, params);
478 }
479 
480 /*
481  * According to the letter of standard difference between pointers
482  * is specified to be valid only within same object. This makes
483  * it formally challenging to determine if input and output buffers
484  * are not partially overlapping with standard pointer arithmetic.
485  */
486 #ifdef PTRDIFF_T
487 # undef PTRDIFF_T
488 #endif
489 #if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64
490 /*
491  * Then we have VMS that distinguishes itself by adhering to
492  * sizeof(size_t)==4 even in 64-bit builds, which means that
493  * difference between two pointers might be truncated to 32 bits.
494  * In the context one can even wonder how comparison for
495  * equality is implemented. To be on the safe side we adhere to
496  * PTRDIFF_T even for comparison for equality.
497  */
498 # define PTRDIFF_T uint64_t
499 #else
500 # define PTRDIFF_T size_t
501 #endif
502 
ossl_is_partially_overlapping(const void * ptr1,const void * ptr2,int len)503 int ossl_is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
504 {
505     PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;
506     /*
507      * Check for partially overlapping buffers. [Binary logical
508      * operations are used instead of boolean to minimize number
509      * of conditional branches.]
510      */
511     int overlapped = (len > 0) & (diff != 0) & ((diff < (PTRDIFF_T)len) |
512                                                 (diff > (0 - (PTRDIFF_T)len)));
513 
514     return overlapped;
515 }
516 
evp_EncryptDecryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)517 static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
518                                     unsigned char *out, int *outl,
519                                     const unsigned char *in, int inl)
520 {
521     int i, j, bl, cmpl = inl;
522 
523     if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
524         cmpl = (cmpl + 7) / 8;
525 
526     bl = ctx->cipher->block_size;
527 
528     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
529         /* If block size > 1 then the cipher will have to do this check */
530         if (bl == 1 && ossl_is_partially_overlapping(out, in, cmpl)) {
531             ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
532             return 0;
533         }
534 
535         i = ctx->cipher->do_cipher(ctx, out, in, inl);
536         if (i < 0)
537             return 0;
538         else
539             *outl = i;
540         return 1;
541     }
542 
543     if (inl <= 0) {
544         *outl = 0;
545         return inl == 0;
546     }
547     if (ossl_is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
548         ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
549         return 0;
550     }
551 
552     if (ctx->buf_len == 0 && (inl & (ctx->block_mask)) == 0) {
553         if (ctx->cipher->do_cipher(ctx, out, in, inl)) {
554             *outl = inl;
555             return 1;
556         } else {
557             *outl = 0;
558             return 0;
559         }
560     }
561     i = ctx->buf_len;
562     OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
563     if (i != 0) {
564         if (bl - i > inl) {
565             memcpy(&(ctx->buf[i]), in, inl);
566             ctx->buf_len += inl;
567             *outl = 0;
568             return 1;
569         } else {
570             j = bl - i;
571 
572             /*
573              * Once we've processed the first j bytes from in, the amount of
574              * data left that is a multiple of the block length is:
575              * (inl - j) & ~(bl - 1)
576              * We must ensure that this amount of data, plus the one block that
577              * we process from ctx->buf does not exceed INT_MAX
578              */
579             if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
580                 ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW);
581                 return 0;
582             }
583             memcpy(&(ctx->buf[i]), in, j);
584             inl -= j;
585             in += j;
586             if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl))
587                 return 0;
588             out += bl;
589             *outl = bl;
590         }
591     } else
592         *outl = 0;
593     i = inl & (bl - 1);
594     inl -= i;
595     if (inl > 0) {
596         if (!ctx->cipher->do_cipher(ctx, out, in, inl))
597             return 0;
598         *outl += inl;
599     }
600 
601     if (i != 0)
602         memcpy(ctx->buf, &(in[inl]), i);
603     ctx->buf_len = i;
604     return 1;
605 }
606 
607 
EVP_EncryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)608 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
609                       const unsigned char *in, int inl)
610 {
611     int ret;
612     size_t soutl, inl_ = (size_t)inl;
613     int blocksize;
614 
615     if (outl != NULL) {
616         *outl = 0;
617     } else {
618         ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
619         return 0;
620     }
621 
622     /* Prevent accidental use of decryption context when encrypting */
623     if (!ctx->encrypt) {
624         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
625         return 0;
626     }
627 
628     if (ctx->cipher == NULL) {
629         ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
630         return 0;
631     }
632 
633     if (ctx->cipher->prov == NULL)
634         goto legacy;
635 
636     blocksize = ctx->cipher->block_size;
637 
638     if (ctx->cipher->cupdate == NULL  || blocksize < 1) {
639         ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
640         return 0;
641     }
642 
643     ret = ctx->cipher->cupdate(ctx->algctx, out, &soutl,
644                                inl_ + (size_t)(blocksize == 1 ? 0 : blocksize),
645                                in, inl_);
646 
647     if (ret) {
648         if (soutl > INT_MAX) {
649             ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
650             return 0;
651         }
652         *outl = soutl;
653     }
654 
655     return ret;
656 
657     /* Code below to be removed when legacy support is dropped. */
658  legacy:
659 
660     return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
661 }
662 
EVP_EncryptFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)663 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
664 {
665     int ret;
666     ret = EVP_EncryptFinal_ex(ctx, out, outl);
667     return ret;
668 }
669 
EVP_EncryptFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)670 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
671 {
672     int n, ret;
673     unsigned int i, b, bl;
674     size_t soutl;
675     int blocksize;
676 
677     if (outl != NULL) {
678         *outl = 0;
679     } else {
680         ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
681         return 0;
682     }
683 
684     /* Prevent accidental use of decryption context when encrypting */
685     if (!ctx->encrypt) {
686         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
687         return 0;
688     }
689 
690     if (ctx->cipher == NULL) {
691         ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
692         return 0;
693     }
694     if (ctx->cipher->prov == NULL)
695         goto legacy;
696 
697     blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
698 
699     if (blocksize < 1 || ctx->cipher->cfinal == NULL) {
700         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
701         return 0;
702     }
703 
704     ret = ctx->cipher->cfinal(ctx->algctx, out, &soutl,
705                               blocksize == 1 ? 0 : blocksize);
706 
707     if (ret) {
708         if (soutl > INT_MAX) {
709             ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
710             return 0;
711         }
712         *outl = soutl;
713     }
714 
715     return ret;
716 
717     /* Code below to be removed when legacy support is dropped. */
718  legacy:
719 
720     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
721         ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
722         if (ret < 0)
723             return 0;
724         else
725             *outl = ret;
726         return 1;
727     }
728 
729     b = ctx->cipher->block_size;
730     OPENSSL_assert(b <= sizeof(ctx->buf));
731     if (b == 1) {
732         *outl = 0;
733         return 1;
734     }
735     bl = ctx->buf_len;
736     if (ctx->flags & EVP_CIPH_NO_PADDING) {
737         if (bl) {
738             ERR_raise(ERR_LIB_EVP, EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
739             return 0;
740         }
741         *outl = 0;
742         return 1;
743     }
744 
745     n = b - bl;
746     for (i = bl; i < b; i++)
747         ctx->buf[i] = n;
748     ret = ctx->cipher->do_cipher(ctx, out, ctx->buf, b);
749 
750     if (ret)
751         *outl = b;
752 
753     return ret;
754 }
755 
EVP_DecryptUpdate(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl,const unsigned char * in,int inl)756 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
757                       const unsigned char *in, int inl)
758 {
759     int fix_len, cmpl = inl, ret;
760     unsigned int b;
761     size_t soutl, inl_ = (size_t)inl;
762     int blocksize;
763 
764     if (outl != NULL) {
765         *outl = 0;
766     } else {
767         ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
768         return 0;
769     }
770 
771     /* Prevent accidental use of encryption context when decrypting */
772     if (ctx->encrypt) {
773         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
774         return 0;
775     }
776 
777     if (ctx->cipher == NULL) {
778         ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
779         return 0;
780     }
781     if (ctx->cipher->prov == NULL)
782         goto legacy;
783 
784     blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
785 
786     if (ctx->cipher->cupdate == NULL || blocksize < 1) {
787         ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
788         return 0;
789     }
790     ret = ctx->cipher->cupdate(ctx->algctx, out, &soutl,
791                                inl_ + (size_t)(blocksize == 1 ? 0 : blocksize),
792                                in, inl_);
793 
794     if (ret) {
795         if (soutl > INT_MAX) {
796             ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR);
797             return 0;
798         }
799         *outl = soutl;
800     }
801 
802     return ret;
803 
804     /* Code below to be removed when legacy support is dropped. */
805  legacy:
806 
807     b = ctx->cipher->block_size;
808 
809     if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
810         cmpl = (cmpl + 7) / 8;
811 
812     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
813         if (b == 1 && ossl_is_partially_overlapping(out, in, cmpl)) {
814             ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
815             return 0;
816         }
817 
818         fix_len = ctx->cipher->do_cipher(ctx, out, in, inl);
819         if (fix_len < 0) {
820             *outl = 0;
821             return 0;
822         } else
823             *outl = fix_len;
824         return 1;
825     }
826 
827     if (inl <= 0) {
828         *outl = 0;
829         return inl == 0;
830     }
831 
832     if (ctx->flags & EVP_CIPH_NO_PADDING)
833         return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
834 
835     OPENSSL_assert(b <= sizeof(ctx->final));
836 
837     if (ctx->final_used) {
838         /* see comment about PTRDIFF_T comparison above */
839         if (((PTRDIFF_T)out == (PTRDIFF_T)in)
840             || ossl_is_partially_overlapping(out, in, b)) {
841             ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
842             return 0;
843         }
844         /*
845          * final_used is only ever set if buf_len is 0. Therefore the maximum
846          * length output we will ever see from evp_EncryptDecryptUpdate is
847          * the maximum multiple of the block length that is <= inl, or just:
848          * inl & ~(b - 1)
849          * Since final_used has been set then the final output length is:
850          * (inl & ~(b - 1)) + b
851          * This must never exceed INT_MAX
852          */
853         if ((inl & ~(b - 1)) > INT_MAX - b) {
854             ERR_raise(ERR_LIB_EVP, EVP_R_OUTPUT_WOULD_OVERFLOW);
855             return 0;
856         }
857         memcpy(out, ctx->final, b);
858         out += b;
859         fix_len = 1;
860     } else
861         fix_len = 0;
862 
863     if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl))
864         return 0;
865 
866     /*
867      * if we have 'decrypted' a multiple of block size, make sure we have a
868      * copy of this last block
869      */
870     if (b > 1 && !ctx->buf_len) {
871         *outl -= b;
872         ctx->final_used = 1;
873         memcpy(ctx->final, &out[*outl], b);
874     } else
875         ctx->final_used = 0;
876 
877     if (fix_len)
878         *outl += b;
879 
880     return 1;
881 }
882 
EVP_DecryptFinal(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)883 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
884 {
885     int ret;
886     ret = EVP_DecryptFinal_ex(ctx, out, outl);
887     return ret;
888 }
889 
EVP_DecryptFinal_ex(EVP_CIPHER_CTX * ctx,unsigned char * out,int * outl)890 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
891 {
892     int i, n;
893     unsigned int b;
894     size_t soutl;
895     int ret;
896     int blocksize;
897 
898     if (outl != NULL) {
899         *outl = 0;
900     } else {
901         ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
902         return 0;
903     }
904 
905     /* Prevent accidental use of encryption context when decrypting */
906     if (ctx->encrypt) {
907         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION);
908         return 0;
909     }
910 
911     if (ctx->cipher == NULL) {
912         ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
913         return 0;
914     }
915 
916     if (ctx->cipher->prov == NULL)
917         goto legacy;
918 
919     blocksize = EVP_CIPHER_CTX_get_block_size(ctx);
920 
921     if (blocksize < 1 || ctx->cipher->cfinal == NULL) {
922         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
923         return 0;
924     }
925 
926     ret = ctx->cipher->cfinal(ctx->algctx, out, &soutl,
927                               blocksize == 1 ? 0 : blocksize);
928 
929     if (ret) {
930         if (soutl > INT_MAX) {
931             ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
932             return 0;
933         }
934         *outl = soutl;
935     }
936 
937     return ret;
938 
939     /* Code below to be removed when legacy support is dropped. */
940  legacy:
941 
942     *outl = 0;
943     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
944         i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
945         if (i < 0)
946             return 0;
947         else
948             *outl = i;
949         return 1;
950     }
951 
952     b = ctx->cipher->block_size;
953     if (ctx->flags & EVP_CIPH_NO_PADDING) {
954         if (ctx->buf_len) {
955             ERR_raise(ERR_LIB_EVP, EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
956             return 0;
957         }
958         *outl = 0;
959         return 1;
960     }
961     if (b > 1) {
962         if (ctx->buf_len || !ctx->final_used) {
963             ERR_raise(ERR_LIB_EVP, EVP_R_WRONG_FINAL_BLOCK_LENGTH);
964             return 0;
965         }
966         OPENSSL_assert(b <= sizeof(ctx->final));
967 
968         /*
969          * The following assumes that the ciphertext has been authenticated.
970          * Otherwise it provides a padding oracle.
971          */
972         n = ctx->final[b - 1];
973         if (n == 0 || n > (int)b) {
974             ERR_raise(ERR_LIB_EVP, EVP_R_BAD_DECRYPT);
975             return 0;
976         }
977         for (i = 0; i < n; i++) {
978             if (ctx->final[--b] != n) {
979                 ERR_raise(ERR_LIB_EVP, EVP_R_BAD_DECRYPT);
980                 return 0;
981             }
982         }
983         n = ctx->cipher->block_size - n;
984         for (i = 0; i < n; i++)
985             out[i] = ctx->final[i];
986         *outl = n;
987     } else
988         *outl = 0;
989     return 1;
990 }
991 
EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX * c,int keylen)992 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
993 {
994     if (c->cipher->prov != NULL) {
995         int ok;
996         OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
997         size_t len = keylen;
998 
999         if (EVP_CIPHER_CTX_get_key_length(c) == keylen)
1000             return 1;
1001 
1002         /* Check the cipher actually understands this parameter */
1003         if (OSSL_PARAM_locate_const(EVP_CIPHER_settable_ctx_params(c->cipher),
1004                                     OSSL_CIPHER_PARAM_KEYLEN) == NULL) {
1005             ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1006             return 0;
1007         }
1008 
1009         params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &len);
1010         ok = evp_do_ciph_ctx_setparams(c->cipher, c->algctx, params);
1011 
1012         return ok > 0 ? 1 : 0;
1013     }
1014 
1015     /* Code below to be removed when legacy support is dropped. */
1016 
1017     /*
1018      * Note there have never been any built-in ciphers that define this flag
1019      * since it was first introduced.
1020      */
1021     if (c->cipher->flags & EVP_CIPH_CUSTOM_KEY_LENGTH)
1022         return EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_KEY_LENGTH, keylen, NULL);
1023     if (EVP_CIPHER_CTX_get_key_length(c) == keylen)
1024         return 1;
1025     if ((keylen > 0) && (c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) {
1026         c->key_len = keylen;
1027         return 1;
1028     }
1029     ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
1030     return 0;
1031 }
1032 
EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX * ctx,int pad)1033 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
1034 {
1035     int ok;
1036     OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
1037     unsigned int pd = pad;
1038 
1039     if (pad)
1040         ctx->flags &= ~EVP_CIPH_NO_PADDING;
1041     else
1042         ctx->flags |= EVP_CIPH_NO_PADDING;
1043 
1044     if (ctx->cipher != NULL && ctx->cipher->prov == NULL)
1045         return 1;
1046     params[0] = OSSL_PARAM_construct_uint(OSSL_CIPHER_PARAM_PADDING, &pd);
1047     ok = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1048 
1049     return ok != 0;
1050 }
1051 
EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX * ctx,int type,int arg,void * ptr)1052 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
1053 {
1054     int ret = EVP_CTRL_RET_UNSUPPORTED;
1055     int set_params = 1;
1056     size_t sz = arg;
1057     unsigned int i;
1058     OSSL_PARAM params[4] = {
1059         OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END
1060     };
1061 
1062     if (ctx == NULL || ctx->cipher == NULL) {
1063         ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET);
1064         return 0;
1065     }
1066 
1067     if (ctx->cipher->prov == NULL)
1068         goto legacy;
1069 
1070     switch (type) {
1071     case EVP_CTRL_SET_KEY_LENGTH:
1072         params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &sz);
1073         break;
1074     case EVP_CTRL_RAND_KEY:      /* Used by DES */
1075         set_params = 0;
1076         params[0] =
1077             OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_RANDOM_KEY,
1078                                               ptr, sz);
1079         break;
1080 
1081     case EVP_CTRL_INIT:
1082         /*
1083          * EVP_CTRL_INIT is purely legacy, no provider counterpart.
1084          * As a matter of fact, this should be dead code, but some caller
1085          * might still do a direct control call with this command, so...
1086          * Legacy methods return 1 except for exceptional circumstances, so
1087          * we do the same here to not be disruptive.
1088          */
1089         return 1;
1090     case EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS: /* Used by DASYNC */
1091     default:
1092         goto end;
1093     case EVP_CTRL_AEAD_SET_IVLEN:
1094         if (arg < 0)
1095             return 0;
1096         params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, &sz);
1097         ctx->iv_len = -1;
1098         break;
1099     case EVP_CTRL_CCM_SET_L:
1100         if (arg < 2 || arg > 8)
1101             return 0;
1102         sz = 15 - arg;
1103         params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, &sz);
1104         ctx->iv_len = -1;
1105         break;
1106     case EVP_CTRL_AEAD_SET_IV_FIXED:
1107         params[0] = OSSL_PARAM_construct_octet_string(
1108                         OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED, ptr, sz);
1109         break;
1110     case EVP_CTRL_GCM_IV_GEN:
1111         set_params = 0;
1112         if (arg < 0)
1113             sz = 0; /* special case that uses the iv length */
1114         params[0] = OSSL_PARAM_construct_octet_string(
1115                         OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, ptr, sz);
1116         break;
1117     case EVP_CTRL_GCM_SET_IV_INV:
1118         if (arg < 0)
1119             return 0;
1120         params[0] = OSSL_PARAM_construct_octet_string(
1121                         OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV, ptr, sz);
1122         break;
1123     case EVP_CTRL_GET_RC5_ROUNDS:
1124         set_params = 0; /* Fall thru */
1125     case EVP_CTRL_SET_RC5_ROUNDS:
1126         if (arg < 0)
1127             return 0;
1128         i = (unsigned int)arg;
1129         params[0] = OSSL_PARAM_construct_uint(OSSL_CIPHER_PARAM_ROUNDS, &i);
1130         break;
1131     case EVP_CTRL_SET_SPEED:
1132         if (arg < 0)
1133             return 0;
1134         i = (unsigned int)arg;
1135         params[0] = OSSL_PARAM_construct_uint(OSSL_CIPHER_PARAM_SPEED, &i);
1136         break;
1137     case EVP_CTRL_AEAD_GET_TAG:
1138         set_params = 0; /* Fall thru */
1139     case EVP_CTRL_AEAD_SET_TAG:
1140         params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
1141                                                       ptr, sz);
1142         break;
1143     case EVP_CTRL_AEAD_TLS1_AAD:
1144         /* This one does a set and a get - since it returns a size */
1145         params[0] =
1146             OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD,
1147                                               ptr, sz);
1148         ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1149         if (ret <= 0)
1150             goto end;
1151         params[0] =
1152             OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, &sz);
1153         ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1154         if (ret <= 0)
1155             goto end;
1156         return sz;
1157 #ifndef OPENSSL_NO_RC2
1158     case EVP_CTRL_GET_RC2_KEY_BITS:
1159         set_params = 0; /* Fall thru */
1160     case EVP_CTRL_SET_RC2_KEY_BITS:
1161         params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_RC2_KEYBITS, &sz);
1162         break;
1163 #endif /* OPENSSL_NO_RC2 */
1164 #if !defined(OPENSSL_NO_MULTIBLOCK)
1165     case EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE:
1166         params[0] = OSSL_PARAM_construct_size_t(
1167                 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT, &sz);
1168         ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1169         if (ret <= 0)
1170             return 0;
1171 
1172         params[0] = OSSL_PARAM_construct_size_t(
1173                 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE, &sz);
1174         params[1] = OSSL_PARAM_construct_end();
1175         ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1176         if (ret <= 0)
1177             return 0;
1178         return sz;
1179     case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD: {
1180         EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *p =
1181             (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr;
1182 
1183         if (arg < (int)sizeof(EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM))
1184             return 0;
1185 
1186         params[0] = OSSL_PARAM_construct_octet_string(
1187                 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD, (void*)p->inp, p->len);
1188         params[1] = OSSL_PARAM_construct_uint(
1189                 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave);
1190         ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1191         if (ret <= 0)
1192             return ret;
1193         /* Retrieve the return values changed by the set */
1194         params[0] = OSSL_PARAM_construct_size_t(
1195                 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN, &sz);
1196         params[1] = OSSL_PARAM_construct_uint(
1197                 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave);
1198         params[2] = OSSL_PARAM_construct_end();
1199         ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1200         if (ret <= 0)
1201             return 0;
1202         return sz;
1203     }
1204     case EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT: {
1205         EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *p =
1206             (EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM *)ptr;
1207 
1208         params[0] = OSSL_PARAM_construct_octet_string(
1209                         OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC, p->out, p->len);
1210 
1211         params[1] = OSSL_PARAM_construct_octet_string(
1212                 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN, (void*)p->inp,
1213                 p->len);
1214         params[2] = OSSL_PARAM_construct_uint(
1215                 OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE, &p->interleave);
1216         ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1217         if (ret <= 0)
1218             return ret;
1219         params[0] = OSSL_PARAM_construct_size_t(
1220                         OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN, &sz);
1221         params[1] = OSSL_PARAM_construct_end();
1222         ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1223         if (ret <= 0)
1224             return 0;
1225         return sz;
1226     }
1227 #endif /* OPENSSL_NO_MULTIBLOCK */
1228     case EVP_CTRL_AEAD_SET_MAC_KEY:
1229         if (arg < 0)
1230             return -1;
1231         params[0] = OSSL_PARAM_construct_octet_string(
1232                 OSSL_CIPHER_PARAM_AEAD_MAC_KEY, ptr, sz);
1233         break;
1234     }
1235 
1236     if (set_params)
1237         ret = evp_do_ciph_ctx_setparams(ctx->cipher, ctx->algctx, params);
1238     else
1239         ret = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
1240     goto end;
1241 
1242     /* Code below to be removed when legacy support is dropped. */
1243 legacy:
1244     if (ctx->cipher->ctrl == NULL) {
1245         ERR_raise(ERR_LIB_EVP, EVP_R_CTRL_NOT_IMPLEMENTED);
1246         return 0;
1247     }
1248 
1249     ret = ctx->cipher->ctrl(ctx, type, arg, ptr);
1250 
1251  end:
1252     if (ret == EVP_CTRL_RET_UNSUPPORTED) {
1253         ERR_raise(ERR_LIB_EVP, EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED);
1254         return 0;
1255     }
1256     return ret;
1257 }
1258 
EVP_CIPHER_get_params(EVP_CIPHER * cipher,OSSL_PARAM params[])1259 int EVP_CIPHER_get_params(EVP_CIPHER *cipher, OSSL_PARAM params[])
1260 {
1261     if (cipher != NULL && cipher->get_params != NULL)
1262         return cipher->get_params(params);
1263     return 0;
1264 }
1265 
EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX * ctx,const OSSL_PARAM params[])1266 int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[])
1267 {
1268     if (ctx->cipher != NULL && ctx->cipher->set_ctx_params != NULL) {
1269         ctx->iv_len = -1;
1270         return ctx->cipher->set_ctx_params(ctx->algctx, params);
1271     }
1272     return 0;
1273 }
1274 
EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX * ctx,OSSL_PARAM params[])1275 int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[])
1276 {
1277     if (ctx->cipher != NULL && ctx->cipher->get_ctx_params != NULL)
1278         return ctx->cipher->get_ctx_params(ctx->algctx, params);
1279     return 0;
1280 }
1281 
EVP_CIPHER_gettable_params(const EVP_CIPHER * cipher)1282 const OSSL_PARAM *EVP_CIPHER_gettable_params(const EVP_CIPHER *cipher)
1283 {
1284     if (cipher != NULL && cipher->gettable_params != NULL)
1285         return cipher->gettable_params(
1286                    ossl_provider_ctx(EVP_CIPHER_get0_provider(cipher)));
1287     return NULL;
1288 }
1289 
EVP_CIPHER_settable_ctx_params(const EVP_CIPHER * cipher)1290 const OSSL_PARAM *EVP_CIPHER_settable_ctx_params(const EVP_CIPHER *cipher)
1291 {
1292     void *provctx;
1293 
1294     if (cipher != NULL && cipher->settable_ctx_params != NULL) {
1295         provctx = ossl_provider_ctx(EVP_CIPHER_get0_provider(cipher));
1296         return cipher->settable_ctx_params(NULL, provctx);
1297     }
1298     return NULL;
1299 }
1300 
EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER * cipher)1301 const OSSL_PARAM *EVP_CIPHER_gettable_ctx_params(const EVP_CIPHER *cipher)
1302 {
1303     void *provctx;
1304 
1305     if (cipher != NULL && cipher->gettable_ctx_params != NULL) {
1306         provctx = ossl_provider_ctx(EVP_CIPHER_get0_provider(cipher));
1307         return cipher->gettable_ctx_params(NULL, provctx);
1308     }
1309     return NULL;
1310 }
1311 
EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX * cctx)1312 const OSSL_PARAM *EVP_CIPHER_CTX_settable_params(EVP_CIPHER_CTX *cctx)
1313 {
1314     void *alg;
1315 
1316     if (cctx != NULL && cctx->cipher->settable_ctx_params != NULL) {
1317         alg = ossl_provider_ctx(EVP_CIPHER_get0_provider(cctx->cipher));
1318         return cctx->cipher->settable_ctx_params(cctx->algctx, alg);
1319     }
1320     return NULL;
1321 }
1322 
EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX * cctx)1323 const OSSL_PARAM *EVP_CIPHER_CTX_gettable_params(EVP_CIPHER_CTX *cctx)
1324 {
1325     void *provctx;
1326 
1327     if (cctx != NULL && cctx->cipher->gettable_ctx_params != NULL) {
1328         provctx = ossl_provider_ctx(EVP_CIPHER_get0_provider(cctx->cipher));
1329         return cctx->cipher->gettable_ctx_params(cctx->algctx, provctx);
1330     }
1331     return NULL;
1332 }
1333 
1334 #ifndef FIPS_MODULE
EVP_CIPHER_CTX_get_libctx(EVP_CIPHER_CTX * ctx)1335 static OSSL_LIB_CTX *EVP_CIPHER_CTX_get_libctx(EVP_CIPHER_CTX *ctx)
1336 {
1337     const EVP_CIPHER *cipher = ctx->cipher;
1338     const OSSL_PROVIDER *prov;
1339 
1340     if (cipher == NULL)
1341         return NULL;
1342 
1343     prov = EVP_CIPHER_get0_provider(cipher);
1344     return ossl_provider_libctx(prov);
1345 }
1346 #endif
1347 
EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX * ctx,unsigned char * key)1348 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
1349 {
1350     if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
1351         return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
1352 
1353 #ifdef FIPS_MODULE
1354     return 0;
1355 #else
1356     {
1357         int kl;
1358         OSSL_LIB_CTX *libctx = EVP_CIPHER_CTX_get_libctx(ctx);
1359 
1360         kl = EVP_CIPHER_CTX_get_key_length(ctx);
1361         if (kl <= 0 || RAND_priv_bytes_ex(libctx, key, kl, 0) <= 0)
1362             return 0;
1363         return 1;
1364     }
1365 #endif /* FIPS_MODULE */
1366 }
1367 
EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX * out,const EVP_CIPHER_CTX * in)1368 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
1369 {
1370     if ((in == NULL) || (in->cipher == NULL)) {
1371         ERR_raise(ERR_LIB_EVP, EVP_R_INPUT_NOT_INITIALIZED);
1372         return 0;
1373     }
1374 
1375     if (in->cipher->prov == NULL)
1376         goto legacy;
1377 
1378     if (in->cipher->dupctx == NULL) {
1379         ERR_raise(ERR_LIB_EVP, EVP_R_NOT_ABLE_TO_COPY_CTX);
1380         return 0;
1381     }
1382 
1383     EVP_CIPHER_CTX_reset(out);
1384 
1385     *out = *in;
1386     out->algctx = NULL;
1387 
1388     if (in->fetched_cipher != NULL && !EVP_CIPHER_up_ref(in->fetched_cipher)) {
1389         out->fetched_cipher = NULL;
1390         return 0;
1391     }
1392 
1393     out->algctx = in->cipher->dupctx(in->algctx);
1394     if (out->algctx == NULL) {
1395         ERR_raise(ERR_LIB_EVP, EVP_R_NOT_ABLE_TO_COPY_CTX);
1396         return 0;
1397     }
1398 
1399     return 1;
1400 
1401     /* Code below to be removed when legacy support is dropped. */
1402  legacy:
1403 
1404 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
1405     /* Make sure it's safe to copy a cipher context using an ENGINE */
1406     if (in->engine && !ENGINE_init(in->engine)) {
1407         ERR_raise(ERR_LIB_EVP, ERR_R_ENGINE_LIB);
1408         return 0;
1409     }
1410 #endif
1411 
1412     EVP_CIPHER_CTX_reset(out);
1413     memcpy(out, in, sizeof(*out));
1414 
1415     if (in->cipher_data && in->cipher->ctx_size) {
1416         out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
1417         if (out->cipher_data == NULL) {
1418             out->cipher = NULL;
1419             ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
1420             return 0;
1421         }
1422         memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
1423     }
1424 
1425     if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
1426         if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) {
1427             out->cipher = NULL;
1428             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
1429             return 0;
1430         }
1431     return 1;
1432 }
1433 
evp_cipher_new(void)1434 EVP_CIPHER *evp_cipher_new(void)
1435 {
1436     EVP_CIPHER *cipher = OPENSSL_zalloc(sizeof(EVP_CIPHER));
1437 
1438     if (cipher != NULL) {
1439         cipher->lock = CRYPTO_THREAD_lock_new();
1440         if (cipher->lock == NULL) {
1441             OPENSSL_free(cipher);
1442             return NULL;
1443         }
1444         cipher->refcnt = 1;
1445     }
1446     return cipher;
1447 }
1448 
1449 /*
1450  * FIPS module note: since internal fetches will be entirely
1451  * provider based, we know that none of its code depends on legacy
1452  * NIDs or any functionality that use them.
1453  */
1454 #ifndef FIPS_MODULE
1455 /* After removal of legacy support get rid of the need for legacy NIDs */
set_legacy_nid(const char * name,void * vlegacy_nid)1456 static void set_legacy_nid(const char *name, void *vlegacy_nid)
1457 {
1458     int nid;
1459     int *legacy_nid = vlegacy_nid;
1460     /*
1461      * We use lowest level function to get the associated method, because
1462      * higher level functions such as EVP_get_cipherbyname() have changed
1463      * to look at providers too.
1464      */
1465     const void *legacy_method = OBJ_NAME_get(name, OBJ_NAME_TYPE_CIPHER_METH);
1466 
1467     if (*legacy_nid == -1)       /* We found a clash already */
1468         return;
1469     if (legacy_method == NULL)
1470         return;
1471     nid = EVP_CIPHER_get_nid(legacy_method);
1472     if (*legacy_nid != NID_undef && *legacy_nid != nid) {
1473         *legacy_nid = -1;
1474         return;
1475     }
1476     *legacy_nid = nid;
1477 }
1478 #endif
1479 
evp_cipher_from_algorithm(const int name_id,const OSSL_ALGORITHM * algodef,OSSL_PROVIDER * prov)1480 static void *evp_cipher_from_algorithm(const int name_id,
1481                                        const OSSL_ALGORITHM *algodef,
1482                                        OSSL_PROVIDER *prov)
1483 {
1484     const OSSL_DISPATCH *fns = algodef->implementation;
1485     EVP_CIPHER *cipher = NULL;
1486     int fnciphcnt = 0, fnctxcnt = 0;
1487 
1488     if ((cipher = evp_cipher_new()) == NULL) {
1489         ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
1490         return NULL;
1491     }
1492 
1493 #ifndef FIPS_MODULE
1494     cipher->nid = NID_undef;
1495     if (!evp_names_do_all(prov, name_id, set_legacy_nid, &cipher->nid)
1496             || cipher->nid == -1) {
1497         ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
1498         EVP_CIPHER_free(cipher);
1499         return NULL;
1500     }
1501 #endif
1502 
1503     cipher->name_id = name_id;
1504     if ((cipher->type_name = ossl_algorithm_get1_first_name(algodef)) == NULL) {
1505         EVP_CIPHER_free(cipher);
1506         return NULL;
1507     }
1508     cipher->description = algodef->algorithm_description;
1509 
1510     for (; fns->function_id != 0; fns++) {
1511         switch (fns->function_id) {
1512         case OSSL_FUNC_CIPHER_NEWCTX:
1513             if (cipher->newctx != NULL)
1514                 break;
1515             cipher->newctx = OSSL_FUNC_cipher_newctx(fns);
1516             fnctxcnt++;
1517             break;
1518         case OSSL_FUNC_CIPHER_ENCRYPT_INIT:
1519             if (cipher->einit != NULL)
1520                 break;
1521             cipher->einit = OSSL_FUNC_cipher_encrypt_init(fns);
1522             fnciphcnt++;
1523             break;
1524         case OSSL_FUNC_CIPHER_DECRYPT_INIT:
1525             if (cipher->dinit != NULL)
1526                 break;
1527             cipher->dinit = OSSL_FUNC_cipher_decrypt_init(fns);
1528             fnciphcnt++;
1529             break;
1530         case OSSL_FUNC_CIPHER_UPDATE:
1531             if (cipher->cupdate != NULL)
1532                 break;
1533             cipher->cupdate = OSSL_FUNC_cipher_update(fns);
1534             fnciphcnt++;
1535             break;
1536         case OSSL_FUNC_CIPHER_FINAL:
1537             if (cipher->cfinal != NULL)
1538                 break;
1539             cipher->cfinal = OSSL_FUNC_cipher_final(fns);
1540             fnciphcnt++;
1541             break;
1542         case OSSL_FUNC_CIPHER_CIPHER:
1543             if (cipher->ccipher != NULL)
1544                 break;
1545             cipher->ccipher = OSSL_FUNC_cipher_cipher(fns);
1546             break;
1547         case OSSL_FUNC_CIPHER_FREECTX:
1548             if (cipher->freectx != NULL)
1549                 break;
1550             cipher->freectx = OSSL_FUNC_cipher_freectx(fns);
1551             fnctxcnt++;
1552             break;
1553         case OSSL_FUNC_CIPHER_DUPCTX:
1554             if (cipher->dupctx != NULL)
1555                 break;
1556             cipher->dupctx = OSSL_FUNC_cipher_dupctx(fns);
1557             break;
1558         case OSSL_FUNC_CIPHER_GET_PARAMS:
1559             if (cipher->get_params != NULL)
1560                 break;
1561             cipher->get_params = OSSL_FUNC_cipher_get_params(fns);
1562             break;
1563         case OSSL_FUNC_CIPHER_GET_CTX_PARAMS:
1564             if (cipher->get_ctx_params != NULL)
1565                 break;
1566             cipher->get_ctx_params = OSSL_FUNC_cipher_get_ctx_params(fns);
1567             break;
1568         case OSSL_FUNC_CIPHER_SET_CTX_PARAMS:
1569             if (cipher->set_ctx_params != NULL)
1570                 break;
1571             cipher->set_ctx_params = OSSL_FUNC_cipher_set_ctx_params(fns);
1572             break;
1573         case OSSL_FUNC_CIPHER_GETTABLE_PARAMS:
1574             if (cipher->gettable_params != NULL)
1575                 break;
1576             cipher->gettable_params = OSSL_FUNC_cipher_gettable_params(fns);
1577             break;
1578         case OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS:
1579             if (cipher->gettable_ctx_params != NULL)
1580                 break;
1581             cipher->gettable_ctx_params =
1582                 OSSL_FUNC_cipher_gettable_ctx_params(fns);
1583             break;
1584         case OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS:
1585             if (cipher->settable_ctx_params != NULL)
1586                 break;
1587             cipher->settable_ctx_params =
1588                 OSSL_FUNC_cipher_settable_ctx_params(fns);
1589             break;
1590         }
1591     }
1592     if ((fnciphcnt != 0 && fnciphcnt != 3 && fnciphcnt != 4)
1593             || (fnciphcnt == 0 && cipher->ccipher == NULL)
1594             || fnctxcnt != 2) {
1595         /*
1596          * In order to be a consistent set of functions we must have at least
1597          * a complete set of "encrypt" functions, or a complete set of "decrypt"
1598          * functions, or a single "cipher" function. In all cases we need both
1599          * the "newctx" and "freectx" functions.
1600          */
1601         EVP_CIPHER_free(cipher);
1602         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_PROVIDER_FUNCTIONS);
1603         return NULL;
1604     }
1605     cipher->prov = prov;
1606     if (prov != NULL)
1607         ossl_provider_up_ref(prov);
1608 
1609     if (!evp_cipher_cache_constants(cipher)) {
1610         EVP_CIPHER_free(cipher);
1611         ERR_raise(ERR_LIB_EVP, EVP_R_CACHE_CONSTANTS_FAILED);
1612         cipher = NULL;
1613     }
1614 
1615     return cipher;
1616 }
1617 
evp_cipher_up_ref(void * cipher)1618 static int evp_cipher_up_ref(void *cipher)
1619 {
1620     return EVP_CIPHER_up_ref(cipher);
1621 }
1622 
evp_cipher_free(void * cipher)1623 static void evp_cipher_free(void *cipher)
1624 {
1625     EVP_CIPHER_free(cipher);
1626 }
1627 
EVP_CIPHER_fetch(OSSL_LIB_CTX * ctx,const char * algorithm,const char * properties)1628 EVP_CIPHER *EVP_CIPHER_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
1629                              const char *properties)
1630 {
1631     EVP_CIPHER *cipher =
1632         evp_generic_fetch(ctx, OSSL_OP_CIPHER, algorithm, properties,
1633                           evp_cipher_from_algorithm, evp_cipher_up_ref,
1634                           evp_cipher_free);
1635 
1636     return cipher;
1637 }
1638 
EVP_CIPHER_up_ref(EVP_CIPHER * cipher)1639 int EVP_CIPHER_up_ref(EVP_CIPHER *cipher)
1640 {
1641     int ref = 0;
1642 
1643     if (cipher->origin == EVP_ORIG_DYNAMIC)
1644         CRYPTO_UP_REF(&cipher->refcnt, &ref, cipher->lock);
1645     return 1;
1646 }
1647 
evp_cipher_free_int(EVP_CIPHER * cipher)1648 void evp_cipher_free_int(EVP_CIPHER *cipher)
1649 {
1650     OPENSSL_free(cipher->type_name);
1651     ossl_provider_free(cipher->prov);
1652     CRYPTO_THREAD_lock_free(cipher->lock);
1653     OPENSSL_free(cipher);
1654 }
1655 
EVP_CIPHER_free(EVP_CIPHER * cipher)1656 void EVP_CIPHER_free(EVP_CIPHER *cipher)
1657 {
1658     int i;
1659 
1660     if (cipher == NULL || cipher->origin != EVP_ORIG_DYNAMIC)
1661         return;
1662 
1663     CRYPTO_DOWN_REF(&cipher->refcnt, &i, cipher->lock);
1664     if (i > 0)
1665         return;
1666     evp_cipher_free_int(cipher);
1667 }
1668 
EVP_CIPHER_do_all_provided(OSSL_LIB_CTX * libctx,void (* fn)(EVP_CIPHER * mac,void * arg),void * arg)1669 void EVP_CIPHER_do_all_provided(OSSL_LIB_CTX *libctx,
1670                                 void (*fn)(EVP_CIPHER *mac, void *arg),
1671                                 void *arg)
1672 {
1673     evp_generic_do_all(libctx, OSSL_OP_CIPHER,
1674                        (void (*)(void *, void *))fn, arg,
1675                        evp_cipher_from_algorithm, evp_cipher_up_ref,
1676                        evp_cipher_free);
1677 }
1678