2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/objects.h>
13 #include <openssl/evp.h>
14 #include "internal/cryptlib.h"
15 #include "crypto/evp.h"
16 #include "internal/provider.h"
17 #include "evp_local.h"
19 static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX
*ctx
, int operation
)
23 EVP_ASYM_CIPHER
*cipher
= NULL
;
26 EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
);
30 evp_pkey_ctx_free_old_ops(ctx
);
31 ctx
->operation
= operation
;
33 if (ctx
->keytype
== NULL
|| ctx
->engine
!= NULL
)
36 if (ctx
->keymgmt
== NULL
)
38 EVP_KEYMGMT_fetch(ctx
->libctx
, ctx
->keytype
, ctx
->propquery
);
39 if (ctx
->keymgmt
!= NULL
) {
40 const char *supported_ciph
= NULL
;
42 if (ctx
->keymgmt
->query_operation_name
!= NULL
)
44 ctx
->keymgmt
->query_operation_name(OSSL_OP_ASYM_CIPHER
);
47 * If we didn't get a supported ciph, assume there is one with the
48 * same name as the key type.
50 if (supported_ciph
== NULL
)
51 supported_ciph
= ctx
->keytype
;
54 * Because we cleared out old ops, we shouldn't need to worry about
55 * checking if cipher is already there.
58 EVP_ASYM_CIPHER_fetch(ctx
->libctx
, supported_ciph
, ctx
->propquery
);
61 if (ctx
->keymgmt
== NULL
63 || (EVP_KEYMGMT_provider(ctx
->keymgmt
)
64 != EVP_ASYM_CIPHER_provider(cipher
))) {
66 * We don't have the full support we need with provided methods,
67 * let's go see if legacy does. Also, we don't need to free
68 * ctx->keymgmt here, as it's not necessarily tied to this
69 * operation. It will be freed by EVP_PKEY_CTX_free().
71 EVP_ASYM_CIPHER_free(cipher
);
75 ctx
->op
.ciph
.cipher
= cipher
;
77 if (ctx
->pkey
!= NULL
) {
78 provkey
= evp_keymgmt_export_to_provider(ctx
->pkey
, ctx
->keymgmt
, 0);
79 /* If export failed, legacy may be able to pick it up */
83 ctx
->op
.ciph
.ciphprovctx
= cipher
->newctx(ossl_provider_ctx(cipher
->prov
));
84 if (ctx
->op
.ciph
.ciphprovctx
== NULL
) {
85 /* The provider key can stay in the cache */
86 EVPerr(0, EVP_R_INITIALIZATION_ERROR
);
91 case EVP_PKEY_OP_ENCRYPT
:
92 if (cipher
->encrypt_init
== NULL
) {
93 EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
);
97 ret
= cipher
->encrypt_init(ctx
->op
.ciph
.ciphprovctx
, provkey
);
99 case EVP_PKEY_OP_DECRYPT
:
100 if (cipher
->decrypt_init
== NULL
) {
101 EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
);
105 ret
= cipher
->decrypt_init(ctx
->op
.ciph
.ciphprovctx
, provkey
);
108 EVPerr(0, EVP_R_INITIALIZATION_ERROR
);
113 cipher
->freectx(ctx
->op
.ciph
.ciphprovctx
);
114 ctx
->op
.ciph
.ciphprovctx
= NULL
;
120 if (ctx
->pmeth
== NULL
|| ctx
->pmeth
->encrypt
== NULL
) {
121 EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
);
124 switch(ctx
->operation
) {
125 case EVP_PKEY_OP_ENCRYPT
:
126 if (ctx
->pmeth
->encrypt_init
== NULL
)
128 ret
= ctx
->pmeth
->encrypt_init(ctx
);
130 case EVP_PKEY_OP_DECRYPT
:
131 if (ctx
->pmeth
->decrypt_init
== NULL
)
133 ret
= ctx
->pmeth
->decrypt_init(ctx
);
136 EVPerr(0, EVP_R_INITIALIZATION_ERROR
);
142 ctx
->operation
= EVP_PKEY_OP_UNDEFINED
;
146 int EVP_PKEY_encrypt_init(EVP_PKEY_CTX
*ctx
)
148 return evp_pkey_asym_cipher_init(ctx
, EVP_PKEY_OP_ENCRYPT
);
151 int EVP_PKEY_encrypt(EVP_PKEY_CTX
*ctx
,
152 unsigned char *out
, size_t *outlen
,
153 const unsigned char *in
, size_t inlen
)
158 EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
);
162 if (ctx
->operation
!= EVP_PKEY_OP_ENCRYPT
) {
163 EVPerr(0, EVP_R_OPERATON_NOT_INITIALIZED
);
167 if (ctx
->op
.ciph
.ciphprovctx
== NULL
)
170 ret
= ctx
->op
.ciph
.cipher
->encrypt(ctx
->op
.ciph
.ciphprovctx
, out
, outlen
,
171 (out
== NULL
? 0 : *outlen
), in
, inlen
);
175 if (ctx
->pmeth
== NULL
|| ctx
->pmeth
->encrypt
== NULL
) {
176 EVPerr(EVP_F_EVP_PKEY_ENCRYPT
,
177 EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
);
180 M_check_autoarg(ctx
, out
, outlen
, EVP_F_EVP_PKEY_ENCRYPT
)
181 return ctx
->pmeth
->encrypt(ctx
, out
, outlen
, in
, inlen
);
184 int EVP_PKEY_decrypt_init(EVP_PKEY_CTX
*ctx
)
186 return evp_pkey_asym_cipher_init(ctx
, EVP_PKEY_OP_DECRYPT
);
189 int EVP_PKEY_decrypt(EVP_PKEY_CTX
*ctx
,
190 unsigned char *out
, size_t *outlen
,
191 const unsigned char *in
, size_t inlen
)
196 EVPerr(0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
);
200 if (ctx
->operation
!= EVP_PKEY_OP_DECRYPT
) {
201 EVPerr(0, EVP_R_OPERATON_NOT_INITIALIZED
);
205 if (ctx
->op
.ciph
.ciphprovctx
== NULL
)
208 ret
= ctx
->op
.ciph
.cipher
->decrypt(ctx
->op
.ciph
.ciphprovctx
, out
, outlen
,
209 (out
== NULL
? 0 : *outlen
), in
, inlen
);
213 if (ctx
->pmeth
== NULL
|| ctx
->pmeth
->decrypt
== NULL
) {
214 EVPerr(EVP_F_EVP_PKEY_DECRYPT
,
215 EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
);
218 M_check_autoarg(ctx
, out
, outlen
, EVP_F_EVP_PKEY_DECRYPT
)
219 return ctx
->pmeth
->decrypt(ctx
, out
, outlen
, in
, inlen
);
223 static EVP_ASYM_CIPHER
*evp_asym_cipher_new(OSSL_PROVIDER
*prov
)
225 EVP_ASYM_CIPHER
*cipher
= OPENSSL_zalloc(sizeof(EVP_ASYM_CIPHER
));
227 if (cipher
== NULL
) {
228 ERR_raise(ERR_LIB_EVP
, ERR_R_MALLOC_FAILURE
);
232 cipher
->lock
= CRYPTO_THREAD_lock_new();
233 if (cipher
->lock
== NULL
) {
234 ERR_raise(ERR_LIB_EVP
, ERR_R_MALLOC_FAILURE
);
235 OPENSSL_free(cipher
);
239 ossl_provider_up_ref(prov
);
245 static void *evp_asym_cipher_from_dispatch(int name_id
,
246 const OSSL_DISPATCH
*fns
,
249 EVP_ASYM_CIPHER
*cipher
= NULL
;
250 int ctxfncnt
= 0, encfncnt
= 0, decfncnt
= 0;
251 int gparamfncnt
= 0, sparamfncnt
= 0;
253 if ((cipher
= evp_asym_cipher_new(prov
)) == NULL
) {
254 ERR_raise(ERR_LIB_EVP
, ERR_R_MALLOC_FAILURE
);
258 cipher
->name_id
= name_id
;
260 for (; fns
->function_id
!= 0; fns
++) {
261 switch (fns
->function_id
) {
262 case OSSL_FUNC_ASYM_CIPHER_NEWCTX
:
263 if (cipher
->newctx
!= NULL
)
265 cipher
->newctx
= OSSL_get_OP_asym_cipher_newctx(fns
);
268 case OSSL_FUNC_ASYM_CIPHER_ENCRYPT_INIT
:
269 if (cipher
->encrypt_init
!= NULL
)
271 cipher
->encrypt_init
= OSSL_get_OP_asym_cipher_encrypt_init(fns
);
274 case OSSL_FUNC_ASYM_CIPHER_ENCRYPT
:
275 if (cipher
->encrypt
!= NULL
)
277 cipher
->encrypt
= OSSL_get_OP_asym_cipher_encrypt(fns
);
280 case OSSL_FUNC_ASYM_CIPHER_DECRYPT_INIT
:
281 if (cipher
->decrypt_init
!= NULL
)
283 cipher
->decrypt_init
= OSSL_get_OP_asym_cipher_decrypt_init(fns
);
286 case OSSL_FUNC_ASYM_CIPHER_DECRYPT
:
287 if (cipher
->decrypt
!= NULL
)
289 cipher
->decrypt
= OSSL_get_OP_asym_cipher_decrypt(fns
);
292 case OSSL_FUNC_ASYM_CIPHER_FREECTX
:
293 if (cipher
->freectx
!= NULL
)
295 cipher
->freectx
= OSSL_get_OP_asym_cipher_freectx(fns
);
298 case OSSL_FUNC_ASYM_CIPHER_DUPCTX
:
299 if (cipher
->dupctx
!= NULL
)
301 cipher
->dupctx
= OSSL_get_OP_asym_cipher_dupctx(fns
);
303 case OSSL_FUNC_ASYM_CIPHER_GET_CTX_PARAMS
:
304 if (cipher
->get_ctx_params
!= NULL
)
306 cipher
->get_ctx_params
307 = OSSL_get_OP_asym_cipher_get_ctx_params(fns
);
310 case OSSL_FUNC_ASYM_CIPHER_GETTABLE_CTX_PARAMS
:
311 if (cipher
->gettable_ctx_params
!= NULL
)
313 cipher
->gettable_ctx_params
314 = OSSL_get_OP_asym_cipher_gettable_ctx_params(fns
);
317 case OSSL_FUNC_ASYM_CIPHER_SET_CTX_PARAMS
:
318 if (cipher
->set_ctx_params
!= NULL
)
320 cipher
->set_ctx_params
321 = OSSL_get_OP_asym_cipher_set_ctx_params(fns
);
324 case OSSL_FUNC_ASYM_CIPHER_SETTABLE_CTX_PARAMS
:
325 if (cipher
->settable_ctx_params
!= NULL
)
327 cipher
->settable_ctx_params
328 = OSSL_get_OP_asym_cipher_settable_ctx_params(fns
);
334 || (encfncnt
!= 0 && encfncnt
!= 2)
335 || (decfncnt
!= 0 && decfncnt
!= 2)
336 || (encfncnt
!= 2 && decfncnt
!= 2)
337 || (gparamfncnt
!= 0 && gparamfncnt
!= 2)
338 || (sparamfncnt
!= 0 && sparamfncnt
!= 2)) {
340 * In order to be a consistent set of functions we must have at least
341 * a set of context functions (newctx and freectx) as well as a pair of
342 * "cipher" functions: (encrypt_init, encrypt) or
343 * (decrypt_init decrypt). set_ctx_params and settable_ctx_params are
344 * optional, but if one of them is present then the other one must also
345 * be present. The same applies to get_ctx_params and
346 * gettable_ctx_params. The dupctx function is optional.
348 ERR_raise(ERR_LIB_EVP
, EVP_R_INVALID_PROVIDER_FUNCTIONS
);
354 EVP_ASYM_CIPHER_free(cipher
);
358 void EVP_ASYM_CIPHER_free(EVP_ASYM_CIPHER
*cipher
)
360 if (cipher
!= NULL
) {
363 CRYPTO_DOWN_REF(&cipher
->refcnt
, &i
, cipher
->lock
);
366 ossl_provider_free(cipher
->prov
);
367 CRYPTO_THREAD_lock_free(cipher
->lock
);
368 OPENSSL_free(cipher
);
372 int EVP_ASYM_CIPHER_up_ref(EVP_ASYM_CIPHER
*cipher
)
376 CRYPTO_UP_REF(&cipher
->refcnt
, &ref
, cipher
->lock
);
380 OSSL_PROVIDER
*EVP_ASYM_CIPHER_provider(const EVP_ASYM_CIPHER
*cipher
)
385 EVP_ASYM_CIPHER
*EVP_ASYM_CIPHER_fetch(OPENSSL_CTX
*ctx
, const char *algorithm
,
386 const char *properties
)
388 return evp_generic_fetch(ctx
, OSSL_OP_ASYM_CIPHER
, algorithm
, properties
,
389 evp_asym_cipher_from_dispatch
,
390 (int (*)(void *))EVP_ASYM_CIPHER_up_ref
,
391 (void (*)(void *))EVP_ASYM_CIPHER_free
);
394 int EVP_ASYM_CIPHER_is_a(const EVP_ASYM_CIPHER
*cipher
, const char *name
)
396 return evp_is_a(cipher
->prov
, cipher
->name_id
, name
);
399 int EVP_ASYM_CIPHER_number(const EVP_ASYM_CIPHER
*cipher
)
401 return cipher
->name_id
;
404 void EVP_ASYM_CIPHER_do_all_provided(OPENSSL_CTX
*libctx
,
405 void (*fn
)(EVP_ASYM_CIPHER
*cipher
,
409 evp_generic_do_all(libctx
, OSSL_OP_ASYM_CIPHER
,
410 (void (*)(void *, void *))fn
, arg
,
411 evp_asym_cipher_from_dispatch
,
412 (void (*)(void *))EVP_ASYM_CIPHER_free
);
416 void EVP_ASYM_CIPHER_names_do_all(const EVP_ASYM_CIPHER
*cipher
,
417 void (*fn
)(const char *name
, void *data
),
420 if (cipher
->prov
!= NULL
)
421 evp_names_do_all(cipher
->prov
, cipher
->name_id
, fn
, data
);