X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fevp%2Fevp_enc.c;h=c06c83c0e33086294ee8b11235601d8d8970c2b1;hp=a816eb76b1808edea94a16a8e1504c35d4d08ff7;hb=738911cde68b2b3706e502cf8daf5b14738f2f42;hpb=5792219d1d7c13551d715a7381a134a91519d9c7

diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index a816eb76b1..c06c83c0e3 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -67,6 +67,7 @@
 #ifdef OPENSSL_FIPS
 #include <openssl/fips.h>
 #endif
+#include "../constant_time_locl.h"
 #include "evp_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -125,10 +126,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 		/* Ensure a context left lying around from last time is cleared
 		 * (the previous check attempted to avoid this if the same
 		 * ENGINE and EVP_CIPHER could be used). */
-		EVP_CIPHER_CTX_cleanup(ctx);
-
-		/* Restore encrypt field: it is zeroed by cleanup */
-		ctx->encrypt = enc;
+		if (ctx->cipher)
+			{
+			unsigned long flags = ctx->flags;
+			EVP_CIPHER_CTX_cleanup(ctx);
+			/* Restore encrypt and flags */
+			ctx->encrypt = enc;
+			ctx->flags = flags;
+			}
 #ifndef OPENSSL_NO_ENGINE
 		if(impl)
 			{
@@ -166,8 +171,16 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 #endif
 
 #ifdef OPENSSL_FIPS
-		return FIPS_cipherinit(ctx, cipher, key, iv, enc);
-#else
+		if (FIPS_mode())
+			{
+			const EVP_CIPHER *fcipher;
+			if (cipher)
+				fcipher = evp_get_fips_cipher(cipher);
+			if (fcipher)
+				cipher = fcipher;
+			return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+			}
+#endif
 		ctx->cipher=cipher;
 		if (ctx->cipher->ctx_size)
 			{
@@ -183,7 +196,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 			ctx->cipher_data = NULL;
 			}
 		ctx->key_len = cipher->key_len;
-		ctx->flags = 0;
+		/* Preserve wrap enable flag, zero everything else */
+		ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
 		if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT)
 			{
 			if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL))
@@ -192,7 +206,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 				return 0;
 				}
 			}
-#endif
 		}
 	else if(!ctx->cipher)
 		{
@@ -203,13 +216,21 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 skip_to_init:
 #endif
 #ifdef OPENSSL_FIPS
-	return FIPS_cipherinit(ctx, cipher, key, iv, enc);
-#else
+	if (FIPS_mode())
+		return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+#endif
 	/* we assume block size is a power of 2 in *cryptUpdate */
 	OPENSSL_assert(ctx->cipher->block_size == 1
 	    || ctx->cipher->block_size == 8
 	    || ctx->cipher->block_size == 16);
 
+	if(!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)
+		&& EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE)
+		{
+		EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_WRAP_MODE_NOT_ALLOWED);
+		return 0;
+		}
+
 	if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
 		switch(EVP_CIPHER_CTX_mode(ctx)) {
 
@@ -232,6 +253,7 @@ skip_to_init:
 			break;
 
 			case EVP_CIPH_CTR_MODE:
+			ctx->num = 0;
 			/* Don't reuse IV for CTR mode */
 			if(iv)
 				memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
@@ -242,6 +264,7 @@ skip_to_init:
 			break;
 		}
 	}
+		
 
 	if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
 		if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
@@ -250,7 +273,6 @@ skip_to_init:
 	ctx->final_used=0;
 	ctx->block_mask=ctx->cipher->block_size-1;
 	return 1;
-#endif
 	}
 
 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
@@ -495,21 +517,21 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	{
-	int i,n;
-	unsigned int b;
+	unsigned int i, b;
+        unsigned char pad, padding_good;
 	*outl=0;
 
 	if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)
 		{
-		i = M_do_cipher(ctx, out, NULL, 0);
-		if (i < 0)
+		int ret = M_do_cipher(ctx, out, NULL, 0);
+		if (ret < 0)
 			return 0;
 		else
-			*outl = i;
+			*outl = ret;
 		return 1;
 		}
 
-	b=ctx->cipher->block_size;
+	b=(unsigned int)(ctx->cipher->block_size);
 	if (ctx->flags & EVP_CIPH_NO_PADDING)
 		{
 		if(ctx->buf_len)
@@ -528,28 +550,34 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
-		n=ctx->final[b-1];
-		if (n == 0 || n > (int)b)
-			{
-			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
-			return(0);
-			}
-		for (i=0; i<n; i++)
+		pad=ctx->final[b-1];
+
+		padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
+		padding_good &= constant_time_ge_8(b, pad);
+
+                for (i = 1; i < b; ++i)
 			{
-			if (ctx->final[--b] != n)
-				{
-				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
-				return(0);
-				}
+			unsigned char is_pad_index = constant_time_lt_8(i, pad);
+			unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
+			padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
 			}
-		n=ctx->cipher->block_size-n;
-		for (i=0; i<n; i++)
-			out[i]=ctx->final[i];
-		*outl=n;
+
+		/*
+		 * At least 1 byte is always padding, so we always write b - 1
+		 * bytes to avoid a timing leak. The caller is required to have |b|
+		 * bytes space in |out| by the API contract.
+		 */
+		for (i = 0; i < b - 1; ++i)
+			out[i] = ctx->final[i] & padding_good;
+		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
+		*outl = padding_good & ((unsigned char)(b - pad));
+		return padding_good & 1;
 		}
 	else
-		*outl=0;
-	return(1);
+		{
+		*outl = 0;
+		return 1;
+		}
 	}
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
@@ -673,4 +701,3 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
 		return in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out);
 	return 1;
 	}
-