projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
RT3425: constant-time evp_enc
[openssl.git] / crypto / evp / evp_enc.c
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index a816eb76b1808edea94a16a8e1504c35d4d08ff7..c06c83c0e33086294ee8b11235601d8d8970c2b1 100644 (file)
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -67,6 +67,7 @@
 #ifdef OPENSSL_FIPS
 #include <openssl/fips.h>
 #endif
 #ifdef OPENSSL_FIPS
 #include <openssl/fips.h>
 #endif
+#include "../constant_time_locl.h"
 #include "evp_locl.h"
 
 #ifdef OPENSSL_FIPS
 #include "evp_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -125,10 +126,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                /* Ensure a context left lying around from last time is cleared
                 * (the previous check attempted to avoid this if the same
                 * ENGINE and EVP_CIPHER could be used). */
                /* Ensure a context left lying around from last time is cleared
                 * (the previous check attempted to avoid this if the same
                 * ENGINE and EVP_CIPHER could be used). */
-               EVP_CIPHER_CTX_cleanup(ctx);
-
-               /* Restore encrypt field: it is zeroed by cleanup */
-               ctx->encrypt = enc;
+               if (ctx->cipher)
+                       {
+                       unsigned long flags = ctx->flags;
+                       EVP_CIPHER_CTX_cleanup(ctx);
+                       /* Restore encrypt and flags */
+                       ctx->encrypt = enc;
+                       ctx->flags = flags;
+                       }
 #ifndef OPENSSL_NO_ENGINE
                if(impl)
                        {
 #ifndef OPENSSL_NO_ENGINE
                if(impl)
                        {
@@ -166,8 +171,16 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 #endif
 
 #ifdef OPENSSL_FIPS
 #endif
 
 #ifdef OPENSSL_FIPS
-               return FIPS_cipherinit(ctx, cipher, key, iv, enc);
-#else
+               if (FIPS_mode())
+                       {
+                       const EVP_CIPHER *fcipher;
+                       if (cipher)
+                               fcipher = evp_get_fips_cipher(cipher);
+                       if (fcipher)
+                               cipher = fcipher;
+                       return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+                       }
+#endif
                ctx->cipher=cipher;
                if (ctx->cipher->ctx_size)
                        {
                ctx->cipher=cipher;
                if (ctx->cipher->ctx_size)
                        {
@@ -183,7 +196,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                        ctx->cipher_data = NULL;
                        }
                ctx->key_len = cipher->key_len;
                        ctx->cipher_data = NULL;
                        }
                ctx->key_len = cipher->key_len;
-               ctx->flags = 0;
+               /* Preserve wrap enable flag, zero everything else */
+               ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
                if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT)
                        {
                        if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL))
                if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT)
                        {
                        if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL))
@@ -192,7 +206,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
                                return 0;
                                }
                        }
                                return 0;
                                }
                        }
-#endif
                }
        else if(!ctx->cipher)
                {
                }
        else if(!ctx->cipher)
                {
@@ -203,13 +216,21 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 skip_to_init:
 #endif
 #ifdef OPENSSL_FIPS
 skip_to_init:
 #endif
 #ifdef OPENSSL_FIPS
-       return FIPS_cipherinit(ctx, cipher, key, iv, enc);
-#else
+       if (FIPS_mode())
+               return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+#endif
        /* we assume block size is a power of 2 in *cryptUpdate */
        OPENSSL_assert(ctx->cipher->block_size == 1
            || ctx->cipher->block_size == 8
            || ctx->cipher->block_size == 16);
 
        /* we assume block size is a power of 2 in *cryptUpdate */
        OPENSSL_assert(ctx->cipher->block_size == 1
            || ctx->cipher->block_size == 8
            || ctx->cipher->block_size == 16);
 
+       if(!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
+               && EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE)
+               {
+               EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_WRAP_MODE_NOT_ALLOWED);
+               return 0;
+               }
+
        if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
                switch(EVP_CIPHER_CTX_mode(ctx)) {
 
        if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
                switch(EVP_CIPHER_CTX_mode(ctx)) {
 
@@ -232,6 +253,7 @@ skip_to_init:
                        break;
 
                        case EVP_CIPH_CTR_MODE:
                        break;
 
                        case EVP_CIPH_CTR_MODE:
+                       ctx->num = 0;
                        /* Don't reuse IV for CTR mode */
                        if(iv)
                                memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
                        /* Don't reuse IV for CTR mode */
                        if(iv)
                                memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
@@ -242,6 +264,7 @@ skip_to_init:
                        break;
                }
        }
                        break;
                }
        }
+               
 
        if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
                if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
 
        if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
                if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
@@ -250,7 +273,6 @@ skip_to_init:
        ctx->final_used=0;
        ctx->block_mask=ctx->cipher->block_size-1;
        return 1;
        ctx->final_used=0;
        ctx->block_mask=ctx->cipher->block_size-1;
        return 1;
-#endif
        }
 
 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
        }
 
 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
@@ -495,21 +517,21 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
        {
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
        {
-       int i,n;
-       unsigned int b;
+       unsigned int i, b;
+        unsigned char pad, padding_good;
        *outl=0;
 
        if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)
                {
        *outl=0;
 
        if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)
                {
-               i = M_do_cipher(ctx, out, NULL, 0);
-               if (i < 0)
+               int ret = M_do_cipher(ctx, out, NULL, 0);
+               if (ret < 0)
                        return 0;
                else
                        return 0;
                else
-                       *outl = i;
+                       *outl = ret;
                return 1;
                }
 
                return 1;
                }
 
-       b=ctx->cipher->block_size;
+       b=(unsigned int)(ctx->cipher->block_size);
        if (ctx->flags & EVP_CIPH_NO_PADDING)
                {
                if(ctx->buf_len)
        if (ctx->flags & EVP_CIPH_NO_PADDING)
                {
                if(ctx->buf_len)
@@ -528,28 +550,34 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
                        return(0);
                        }
                OPENSSL_assert(b <= sizeof ctx->final);
                        return(0);
                        }
                OPENSSL_assert(b <= sizeof ctx->final);
-               n=ctx->final[b-1];
-               if (n == 0 || n > (int)b)
-                       {
-                       EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
-                       return(0);
-                       }
-               for (i=0; i<n; i++)
+               pad=ctx->final[b-1];
+
+               padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
+               padding_good &= constant_time_ge_8(b, pad);
+
+                for (i = 1; i < b; ++i)
                        {
                        {
-                       if (ctx->final[--b] != n)
-                               {
-                               EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
-                               return(0);
-                               }
+                       unsigned char is_pad_index = constant_time_lt_8(i, pad);
+                       unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
+                       padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
                        }
                        }
-               n=ctx->cipher->block_size-n;
-               for (i=0; i<n; i++)
-                       out[i]=ctx->final[i];
-               *outl=n;
+
+               /*
+                * At least 1 byte is always padding, so we always write b - 1
+                * bytes to avoid a timing leak. The caller is required to have |b|
+                * bytes space in |out| by the API contract.
+                */
+               for (i = 0; i < b - 1; ++i)
+                       out[i] = ctx->final[i] & padding_good;
+               /* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
+               *outl = padding_good & ((unsigned char)(b - pad));
+               return padding_good & 1;
                }
        else
                }
        else
-               *outl=0;
-       return(1);
+               {
+               *outl = 0;
+               return 1;
+               }
        }
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
        }
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
@@ -673,4 +701,3 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
                return in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out);
        return 1;
        }
                return in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out);
        return 1;
        }
-
Unnamed repository; edit this file 'description' to name the repository.