2 * Copyright (c) 2016, Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * - Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
23 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
24 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
27 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
29 * OF THE POSSIBILITY OF SUCH DAMAGE.
32 /* OpenSSL provider */
41 #ifdef HAVE_HCRYPTO_W_OPENSSL
44 * This is the OpenSSL 1.x backend for hcrypto. It has been tested with
45 * OpenSSL 1.0.1f and OpenSSL 1.1.0-pre3-dev.
47 * NOTE: In order for this to work with OpenSSL 1.1.x and up, it is
48 * critical to use opaque OpenSSL type accessors everywhere /
49 * never use knowledge of opaque OpenSSL type internals.
52 #include <evp-openssl.h>
55 * This being an OpenSSL backend for hcrypto... we need to be able to
56 * refer to types and objects (functions) from both, OpenSSL and
59 * The hcrypto API is *very* similar to the OpenSSL 1.0.x API, with the
60 * same type and symbol names in many cases, except that the hcrypto
61 * names are prefixed with hc_*. hcrypto has convenience macros that
62 * provide OpenSSL aliases for the hcrypto interfaces, and hcrypto
63 * applications are expected to use the OpenSSL names.
65 * Since here we must be able to refer to types and objects from both
66 * OpenSSL and from hcrypto, we disable the hcrypto renaming for the
67 * rest of this file. These #undefs could be collected into an
68 * <hcrypto/undef.h> for the purpose of permitting other applications to
69 * use both, hcrypto and OpenSSL in the same source files (provided that
70 * such applications refer to hcrypto types and objects by their proper
71 * hc_-prefixed names).
75 /* Now it's safe to include OpenSSL headers */
76 #include <openssl/evp.h>
78 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
79 #define EVP_MD_CTX_new EVP_MD_CTX_create
80 #define EVP_MD_CTX_free EVP_MD_CTX_destroy
83 /* A HEIM_BASE_ONCE argument struct for per-EVP one-time initialization */
84 struct once_init_cipher_ctx {
85 const hc_EVP_CIPHER **hc_memoizep;
86 hc_EVP_CIPHER *hc_memoize;
87 const hc_EVP_CIPHER *fallback;
92 /* Our wrapper for OpenSSL EVP_CIPHER_CTXs */
93 struct ossl_cipher_ctx {
94 EVP_CIPHER_CTX *ossl_cipher_ctx; /* OpenSSL cipher ctx */
95 const EVP_CIPHER *ossl_cipher; /* OpenSSL cipher */
100 * Our hc_EVP_CIPHER init() method; wraps around OpenSSL
101 * EVP_CipherInit_ex().
103 * This is very similar to the init() function pointer in an OpenSSL
104 * EVP_CIPHER, but a) we can't access them in 1.1, and b) the method
105 * invocation protocols in hcrypto and OpenSSL are similar but not the
106 * same, thus we must have this wrapper.
109 cipher_ctx_init(hc_EVP_CIPHER_CTX *ctx, const unsigned char *key,
110 const unsigned char *iv, int enc)
112 struct ossl_cipher_ctx *ossl_ctx = ctx->cipher_data; /* EVP_CIPHER_CTX wrapper */
115 assert(ossl_ctx != NULL);
116 assert(ctx->cipher != NULL);
117 assert(ctx->cipher->app_data != NULL);
122 * We need to make sure that the OpenSSL EVP_CipherInit_ex() is
123 * called with cipher!=NULL just once per EVP_CIPHER_CTX, otherwise
124 * state in the OpenSSL EVP_CIPHER_CTX will get cleaned up and then
127 * hcrypto applications can re-initialize an (hc_)EVP_CIPHER_CTX as
128 * usual by calling (hc)EVP_CipherInit_ex() with a non-NULL cipher
129 * argument, and that will cause cipher_cleanup() (below) to be
132 c = ossl_ctx->ossl_cipher = ctx->cipher->app_data; /* OpenSSL's EVP_CIPHER * */
133 if (!ossl_ctx->initialized) {
134 ossl_ctx->ossl_cipher_ctx = EVP_CIPHER_CTX_new();
135 if (ossl_ctx->ossl_cipher_ctx == NULL)
138 * So we always call EVP_CipherInit_ex() with c!=NULL, but other
141 if (!EVP_CipherInit_ex(ossl_ctx->ossl_cipher_ctx, c, NULL, NULL, NULL, enc))
143 ossl_ctx->initialized = 1;
146 /* ...and from here on always call EVP_CipherInit_ex() with c=NULL */
147 if ((ctx->cipher->flags & hc_EVP_CIPH_VARIABLE_LENGTH) &&
149 EVP_CIPHER_CTX_set_key_length(ossl_ctx->ossl_cipher_ctx, ctx->key_len);
151 return EVP_CipherInit_ex(ossl_ctx->ossl_cipher_ctx, NULL, NULL, key, iv, enc);
155 cipher_do_cipher(hc_EVP_CIPHER_CTX *ctx, unsigned char *out,
156 const unsigned char *in, unsigned int len)
158 struct ossl_cipher_ctx *ossl_ctx = ctx->cipher_data;
160 assert(ossl_ctx != NULL);
161 return EVP_Cipher(ossl_ctx->ossl_cipher_ctx, out, in, len);
165 cipher_cleanup(hc_EVP_CIPHER_CTX *ctx)
167 struct ossl_cipher_ctx *ossl_ctx = ctx->cipher_data;
169 if (ossl_ctx == NULL || !ossl_ctx->initialized)
172 if (ossl_ctx->ossl_cipher_ctx != NULL)
173 EVP_CIPHER_CTX_free(ossl_ctx->ossl_cipher_ctx);
175 ossl_ctx->ossl_cipher_ctx = NULL;
176 ossl_ctx->ossl_cipher = NULL;
177 ossl_ctx->initialized = 0;
182 cipher_ctrl(hc_EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
184 struct ossl_cipher_ctx *ossl_ctx = ctx->cipher_data;
186 assert(ossl_ctx != NULL);
187 return EVP_CIPHER_CTX_ctrl(ossl_ctx->ossl_cipher_ctx, type, arg, ptr);
192 get_EVP_CIPHER_once_cb(void *d)
194 struct once_init_cipher_ctx *arg = d;
195 const EVP_CIPHER *ossl_evp;
196 hc_EVP_CIPHER *hc_evp;
198 hc_evp = arg->hc_memoize;
201 * We lookup EVP_CIPHER *s by NID so that we don't fail to find a
202 * symbol such as EVP_aes...() when libcrypto changes after build
203 * time (e.g., updates, LD_LIBRARY_PATH/LD_PRELOAD).
205 ossl_evp = EVP_get_cipherbynid(arg->nid);
206 if (ossl_evp == NULL) {
207 (void) memset(hc_evp, 0, sizeof(*hc_evp));
209 *arg->hc_memoizep = arg->fallback;
214 /* Build the hc_EVP_CIPHER */
215 hc_evp->nid = EVP_CIPHER_nid(ossl_evp); /* We would an hcrypto NIDs if we had them */
216 hc_evp->block_size = EVP_CIPHER_block_size(ossl_evp);
217 hc_evp->key_len = EVP_CIPHER_key_length(ossl_evp);
218 hc_evp->iv_len = EVP_CIPHER_iv_length(ossl_evp);
221 * We force hc_EVP_CipherInit_ex to always call our init() function,
222 * otherwise we don't get a chance to call EVP_CipherInit_ex()
225 hc_evp->flags = hc_EVP_CIPH_ALWAYS_CALL_INIT | arg->flags;
227 /* Our cipher context */
228 hc_evp->ctx_size = sizeof(struct ossl_cipher_ctx);
231 hc_evp->init = cipher_ctx_init;
232 hc_evp->do_cipher = cipher_do_cipher;
233 hc_evp->cleanup = cipher_cleanup;
234 hc_evp->set_asn1_parameters = NULL;
235 hc_evp->get_asn1_parameters = NULL;
236 hc_evp->ctrl = cipher_ctrl;
238 /* Our link to the OpenSSL EVP_CIPHER */
239 hc_evp->app_data = (void *)ossl_evp;
241 /* Finally, set the static hc_EVP_CIPHER * to the one we just built */
242 *arg->hc_memoizep = hc_evp;
245 static const hc_EVP_CIPHER *
246 get_EVP_CIPHER(heim_base_once_t *once, hc_EVP_CIPHER *hc_memoize,
247 const hc_EVP_CIPHER **hc_memoizep,
248 const hc_EVP_CIPHER *fallback,
249 unsigned long flags, int nid)
251 struct once_init_cipher_ctx arg;
254 arg.hc_memoizep = hc_memoizep;
255 arg.hc_memoize = hc_memoize;
256 arg.fallback = fallback;
258 heim_base_once_f(once, &arg, get_EVP_CIPHER_once_cb);
259 return *hc_memoizep; /* May be NULL */
262 #define OSSL_CIPHER_ALGORITHM(name, flags) \
263 extern const hc_EVP_CIPHER *hc_EVP_hcrypto_##name(void); \
264 const hc_EVP_CIPHER *hc_EVP_ossl_##name(void) \
266 static hc_EVP_CIPHER ossl_##name##_st; \
267 static const hc_EVP_CIPHER *ossl_##name; \
268 static heim_base_once_t once = HEIM_BASE_ONCE_INIT; \
269 return get_EVP_CIPHER(&once, &ossl_##name##_st, &ossl_##name, \
270 hc_EVP_hcrypto_##name(), \
271 flags, NID_##name); \
274 /* As above, but for EVP_MDs */
277 EVP_MD_CTX *ossl_md_ctx; /* OpenSSL md ctx */
278 const EVP_MD *ossl_md; /* OpenSSL md */
283 ossl_md_init(struct ossl_md_ctx *ctx, const EVP_MD *md)
285 if (ctx->initialized)
286 EVP_MD_CTX_free(ctx->ossl_md_ctx);
287 ctx->initialized = 0;
290 ctx->ossl_md_ctx = EVP_MD_CTX_new();
291 if (!EVP_DigestInit(ctx->ossl_md_ctx, md)) {
292 EVP_MD_CTX_free(ctx->ossl_md_ctx);
293 ctx->ossl_md_ctx = NULL;
297 ctx->initialized = 1;
302 ossl_md_update(hc_EVP_MD_CTX *d, const void *data, size_t count)
304 struct ossl_md_ctx *ctx = (void *)d;
306 return EVP_DigestUpdate(ctx->ossl_md_ctx, data, count);
310 ossl_md_final(void *md_data, hc_EVP_MD_CTX *d)
312 struct ossl_md_ctx *ctx = (void *)d;
314 return EVP_DigestFinal(ctx->ossl_md_ctx, md_data, NULL);
318 ossl_md_cleanup(hc_EVP_MD_CTX *d)
320 struct ossl_md_ctx *ctx = (void *)d;
322 if (!ctx->initialized)
324 EVP_MD_CTX_free(ctx->ossl_md_ctx);
326 ctx->initialized = 0;
331 struct once_init_md_ctx {
332 const EVP_MD **ossl_memoizep;
333 const hc_EVP_MD **hc_memoizep;
334 hc_EVP_MD *hc_memoize;
335 const hc_EVP_MD *fallback;
336 hc_evp_md_init md_init;
341 get_EVP_MD_once_cb(void *d)
343 struct once_init_md_ctx *arg = d;
344 const EVP_MD *ossl_evp;
347 hc_evp = arg->hc_memoize;
348 *arg->ossl_memoizep = ossl_evp = EVP_get_digestbynid(arg->nid);
350 if (ossl_evp == NULL) {
351 (void) memset(hc_evp, 0, sizeof(*hc_evp));
353 *arg->hc_memoizep = arg->fallback;
358 /* Build the hc_EVP_MD */
359 hc_evp->block_size = EVP_MD_block_size(ossl_evp);
360 hc_evp->hash_size = EVP_MD_size(ossl_evp);
361 hc_evp->ctx_size = sizeof(struct ossl_md_ctx);
362 hc_evp->init = arg->md_init;
363 hc_evp->update = ossl_md_update;
364 hc_evp->final = ossl_md_final;
365 hc_evp->cleanup = ossl_md_cleanup;
367 *arg->hc_memoizep = hc_evp;
370 static const hc_EVP_MD *
371 get_EVP_MD(heim_base_once_t *once, hc_EVP_MD *hc_memoize,
372 const hc_EVP_MD **hc_memoizep, const EVP_MD **ossl_memoizep,
373 const hc_EVP_MD *fallback,
374 hc_evp_md_init md_init, int nid)
376 struct once_init_md_ctx ctx;
378 ctx.ossl_memoizep = ossl_memoizep;
379 ctx.hc_memoizep = hc_memoizep;
380 ctx.hc_memoize = hc_memoize;
381 ctx.fallback = fallback;
382 ctx.md_init = md_init;
384 heim_base_once_f(once, &ctx, get_EVP_MD_once_cb);
385 return *hc_memoizep; /* May be NULL */
388 #define OSSL_MD_ALGORITHM(name) \
389 extern const hc_EVP_MD *hc_EVP_hcrypto_##name(void); \
390 static const EVP_MD *ossl_EVP_##name; \
391 static const hc_EVP_MD *ossl_##name; \
392 static int ossl_init_##name(hc_EVP_MD_CTX *d) \
394 return ossl_md_init((void *)d, ossl_EVP_##name); \
396 const hc_EVP_MD *hc_EVP_ossl_##name(void) \
398 static hc_EVP_MD ossl_##name##_st; \
399 static heim_base_once_t once = HEIM_BASE_ONCE_INIT; \
400 return get_EVP_MD(&once, &ossl_##name##_st, &ossl_##name, \
401 &ossl_EVP_##name, hc_EVP_hcrypto_##name(), \
402 ossl_init_##name, NID_##name); \
405 #else /* HAVE_HCRYPTO_W_OPENSSL */
407 #include "evp-hcrypto.h"
409 #define OSSL_CIPHER_ALGORITHM(name, flags) \
410 extern const hc_EVP_CIPHER *hc_EVP_ossl_##name(void); \
411 const hc_EVP_CIPHER *hc_EVP_ossl_##name(void) \
413 return hc_EVP_hcrypto_##name(); \
416 #define OSSL_MD_ALGORITHM(name) \
417 extern const hc_EVP_MD *hc_EVP_ossl_##name(void); \
418 const hc_EVP_MD *hc_EVP_ossl_##name(void) \
420 return hc_EVP_hcrypto_##name(); \
423 #endif /* HAVE_HCRYPTO_W_OPENSSL */
426 * The triple DES cipher type (OpenSSL provider)
428 * @return the DES-EDE3-CBC EVP_CIPHER pointer.
430 * @ingroup hcrypto_evp
432 OSSL_CIPHER_ALGORITHM(des_ede3_cbc, hc_EVP_CIPH_CBC_MODE)
435 * The DES cipher type (OpenSSL provider)
437 * @return the DES-CBC EVP_CIPHER pointer.
439 * @ingroup hcrypto_evp
441 OSSL_CIPHER_ALGORITHM(des_cbc, hc_EVP_CIPH_CBC_MODE)
444 * The AES-128 cipher type (OpenSSL provider)
446 * @return the AES-128-CBC EVP_CIPHER pointer.
448 * @ingroup hcrypto_evp
450 OSSL_CIPHER_ALGORITHM(aes_128_cbc, hc_EVP_CIPH_CBC_MODE)
453 * The AES-192 cipher type (OpenSSL provider)
455 * @return the AES-192-CBC EVP_CIPHER pointer.
457 * @ingroup hcrypto_evp
459 OSSL_CIPHER_ALGORITHM(aes_192_cbc, hc_EVP_CIPH_CBC_MODE)
462 * The AES-256 cipher type (OpenSSL provider)
464 * @return the AES-256-CBC EVP_CIPHER pointer.
466 * @ingroup hcrypto_evp
468 OSSL_CIPHER_ALGORITHM(aes_256_cbc, hc_EVP_CIPH_CBC_MODE)
471 * The AES-128 CFB8 cipher type (OpenSSL provider)
473 * @return the AES-128-CFB8 EVP_CIPHER pointer.
475 * @ingroup hcrypto_evp
477 OSSL_CIPHER_ALGORITHM(aes_128_cfb8, hc_EVP_CIPH_CFB8_MODE)
480 * The AES-192 CFB8 cipher type (OpenSSL provider)
482 * @return the AES-192-CFB8 EVP_CIPHER pointer.
484 * @ingroup hcrypto_evp
486 OSSL_CIPHER_ALGORITHM(aes_192_cfb8, hc_EVP_CIPH_CFB8_MODE)
489 * The AES-256 CFB8 cipher type (OpenSSL provider)
491 * @return the AES-256-CFB8 EVP_CIPHER pointer.
493 * @ingroup hcrypto_evp
495 OSSL_CIPHER_ALGORITHM(aes_256_cfb8, hc_EVP_CIPH_CFB8_MODE)
498 * RC2 is only needed for tests of PKCS#12 support, which currently uses
499 * the RC2 PBE. So no RC2 -> tests fail.
503 * The RC2 cipher type - OpenSSL
505 * @return the RC2 EVP_CIPHER pointer.
507 * @ingroup hcrypto_evp
509 OSSL_CIPHER_ALGORITHM(rc2_cbc,
510 hc_EVP_CIPH_CBC_MODE |
511 hc_EVP_CIPH_VARIABLE_LENGTH)
514 * The RC2-40 cipher type - OpenSSL
516 * @return the RC2-40 EVP_CIPHER pointer.
518 * @ingroup hcrypto_evp
520 OSSL_CIPHER_ALGORITHM(rc2_40_cbc,
521 hc_EVP_CIPH_CBC_MODE)
524 * The RC2-64 cipher type - OpenSSL
526 * @return the RC2-64 EVP_CIPHER pointer.
528 * @ingroup hcrypto_evp
530 OSSL_CIPHER_ALGORITHM(rc2_64_cbc,
531 hc_EVP_CIPH_CBC_MODE |
532 hc_EVP_CIPH_VARIABLE_LENGTH)
535 * The Camellia-128 cipher type - OpenSSL
537 * @return the Camellia-128 EVP_CIPHER pointer.
539 * @ingroup hcrypto_evp
541 OSSL_CIPHER_ALGORITHM(camellia_128_cbc, hc_EVP_CIPH_CBC_MODE)
544 * The Camellia-198 cipher type - OpenSSL
546 * @return the Camellia-198 EVP_CIPHER pointer.
548 * @ingroup hcrypto_evp
550 OSSL_CIPHER_ALGORITHM(camellia_192_cbc, hc_EVP_CIPH_CBC_MODE)
553 * The Camellia-256 cipher type - OpenSSL
555 * @return the Camellia-256 EVP_CIPHER pointer.
557 * @ingroup hcrypto_evp
559 OSSL_CIPHER_ALGORITHM(camellia_256_cbc, hc_EVP_CIPH_CBC_MODE)
562 * The RC4 cipher type (OpenSSL provider)
564 * @return the RC4 EVP_CIPHER pointer.
566 * @ingroup hcrypto_evp
568 OSSL_CIPHER_ALGORITHM(rc4,
569 hc_EVP_CIPH_STREAM_CIPHER |
570 hc_EVP_CIPH_VARIABLE_LENGTH)
573 * The RC4-40 cipher type (OpenSSL provider)
575 * @return the RC4 EVP_CIPHER pointer.
577 * @ingroup hcrypto_evp
579 OSSL_CIPHER_ALGORITHM(rc4_40,
580 hc_EVP_CIPH_STREAM_CIPHER |
581 hc_EVP_CIPH_VARIABLE_LENGTH)
584 * The MD2 hash algorithm (OpenSSL provider)
586 * @return the MD2 EVP_MD pointer.
588 * @ingroup hcrypto_evp
590 OSSL_MD_ALGORITHM(md2)
593 * The MD4 hash algorithm (OpenSSL provider)
595 * @return the MD4 EVP_MD pointer.
597 * @ingroup hcrypto_evp
599 OSSL_MD_ALGORITHM(md4)
602 * The MD5 hash algorithm (OpenSSL provider)
604 * @return the MD5 EVP_MD pointer.
606 * @ingroup hcrypto_evp
608 OSSL_MD_ALGORITHM(md5)
611 * The SHA-1 hash algorithm (OpenSSL provider)
613 * @return the SHA-1 EVP_MD pointer.
615 * @ingroup hcrypto_evp
617 OSSL_MD_ALGORITHM(sha1)
620 * The SHA-256 hash algorithm (OpenSSL provider)
622 * @return the SHA-256 EVP_MD pointer.
624 * @ingroup hcrypto_evp
626 OSSL_MD_ALGORITHM(sha256)
629 * The SHA-384 hash algorithm (OpenSSL provider)
631 * @return the SHA-384 EVP_MD pointer.
633 * @ingroup hcrypto_evp
635 OSSL_MD_ALGORITHM(sha384)
638 * The SHA-512 hash algorithm (OpenSSL provider)
640 * @return the SHA-512 EVP_MD pointer.
642 * @ingroup hcrypto_evp
644 OSSL_MD_ALGORITHM(sha512)