xref: /openssl/engines/e_ossltest.c (revision af16097f)
1 /*
2  * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * This is the OSSLTEST engine. It provides deliberately crippled digest
12  * implementations for test purposes. It is highly insecure and must NOT be
13  * used for any purpose except testing
14  */
15 
16 /* We need to use some engine deprecated APIs */
17 #define OPENSSL_SUPPRESS_DEPRECATED
18 
19 /*
20  * SHA low level APIs are deprecated for public use, but still ok for
21  * internal use.  Note, that due to symbols not being exported, only the
22  * #defines and type definitions can be accessed, function calls are not
23  * available.  The digest lengths, block sizes and sizeof(CTX) are used herein
24  * for several different digests.
25  */
26 #include "internal/deprecated.h"
27 
28 #include <stdio.h>
29 #include <string.h>
30 #include "internal/common.h" /* for CHECK_AND_SKIP_CASE_PREFIX */
31 
32 #include <openssl/engine.h>
33 #include <openssl/sha.h>
34 #include <openssl/md5.h>
35 #include <openssl/rsa.h>
36 #include <openssl/evp.h>
37 #include <openssl/modes.h>
38 #include <openssl/aes.h>
39 #include <openssl/rand.h>
40 #include <openssl/crypto.h>
41 #include <openssl/pem.h>
42 #include <crypto/evp.h>
43 
44 #include "e_ossltest_err.c"
45 
46 /* Engine Id and Name */
47 static const char *engine_ossltest_id = "ossltest";
48 static const char *engine_ossltest_name = "OpenSSL Test engine support";
49 
50 
51 /* Engine Lifetime functions */
52 static int ossltest_destroy(ENGINE *e);
53 static int ossltest_init(ENGINE *e);
54 static int ossltest_finish(ENGINE *e);
55 void ENGINE_load_ossltest(void);
56 
57 
58 /* Set up digests */
59 static int ossltest_digests(ENGINE *e, const EVP_MD **digest,
60                           const int **nids, int nid);
61 static const RAND_METHOD *ossltest_rand_method(void);
62 
63 /* MD5 */
64 static int digest_md5_init(EVP_MD_CTX *ctx);
65 static int digest_md5_update(EVP_MD_CTX *ctx, const void *data,
66                              size_t count);
67 static int digest_md5_final(EVP_MD_CTX *ctx, unsigned char *md);
68 
69 static EVP_MD *_hidden_md5_md = NULL;
digest_md5(void)70 static const EVP_MD *digest_md5(void)
71 {
72     if (_hidden_md5_md == NULL) {
73         EVP_MD *md;
74 
75         if ((md = EVP_MD_meth_new(NID_md5, NID_md5WithRSAEncryption)) == NULL
76             || !EVP_MD_meth_set_result_size(md, MD5_DIGEST_LENGTH)
77             || !EVP_MD_meth_set_input_blocksize(md, MD5_CBLOCK)
78             || !EVP_MD_meth_set_app_datasize(md,
79                                              sizeof(EVP_MD *) + sizeof(MD5_CTX))
80             || !EVP_MD_meth_set_flags(md, 0)
81             || !EVP_MD_meth_set_init(md, digest_md5_init)
82             || !EVP_MD_meth_set_update(md, digest_md5_update)
83             || !EVP_MD_meth_set_final(md, digest_md5_final)) {
84             EVP_MD_meth_free(md);
85             md = NULL;
86         }
87         _hidden_md5_md = md;
88     }
89     return _hidden_md5_md;
90 }
91 
92 /* SHA1 */
93 static int digest_sha1_init(EVP_MD_CTX *ctx);
94 static int digest_sha1_update(EVP_MD_CTX *ctx, const void *data,
95                               size_t count);
96 static int digest_sha1_final(EVP_MD_CTX *ctx, unsigned char *md);
97 
98 static EVP_MD *_hidden_sha1_md = NULL;
digest_sha1(void)99 static const EVP_MD *digest_sha1(void)
100 {
101     if (_hidden_sha1_md == NULL) {
102         EVP_MD *md;
103 
104         if ((md = EVP_MD_meth_new(NID_sha1, NID_sha1WithRSAEncryption)) == NULL
105             || !EVP_MD_meth_set_result_size(md, SHA_DIGEST_LENGTH)
106             || !EVP_MD_meth_set_input_blocksize(md, SHA_CBLOCK)
107             || !EVP_MD_meth_set_app_datasize(md,
108                                              sizeof(EVP_MD *) + sizeof(SHA_CTX))
109             || !EVP_MD_meth_set_flags(md, EVP_MD_FLAG_DIGALGID_ABSENT)
110             || !EVP_MD_meth_set_init(md, digest_sha1_init)
111             || !EVP_MD_meth_set_update(md, digest_sha1_update)
112             || !EVP_MD_meth_set_final(md, digest_sha1_final)) {
113             EVP_MD_meth_free(md);
114             md = NULL;
115         }
116         _hidden_sha1_md = md;
117     }
118     return _hidden_sha1_md;
119 }
120 
121 /* SHA256 */
122 static int digest_sha256_init(EVP_MD_CTX *ctx);
123 static int digest_sha256_update(EVP_MD_CTX *ctx, const void *data,
124                                 size_t count);
125 static int digest_sha256_final(EVP_MD_CTX *ctx, unsigned char *md);
126 
127 static EVP_MD *_hidden_sha256_md = NULL;
digest_sha256(void)128 static const EVP_MD *digest_sha256(void)
129 {
130     if (_hidden_sha256_md == NULL) {
131         EVP_MD *md;
132 
133         if ((md = EVP_MD_meth_new(NID_sha256, NID_sha256WithRSAEncryption)) == NULL
134             || !EVP_MD_meth_set_result_size(md, SHA256_DIGEST_LENGTH)
135             || !EVP_MD_meth_set_input_blocksize(md, SHA256_CBLOCK)
136             || !EVP_MD_meth_set_app_datasize(md,
137                                              sizeof(EVP_MD *) + sizeof(SHA256_CTX))
138             || !EVP_MD_meth_set_flags(md, EVP_MD_FLAG_DIGALGID_ABSENT)
139             || !EVP_MD_meth_set_init(md, digest_sha256_init)
140             || !EVP_MD_meth_set_update(md, digest_sha256_update)
141             || !EVP_MD_meth_set_final(md, digest_sha256_final)) {
142             EVP_MD_meth_free(md);
143             md = NULL;
144         }
145         _hidden_sha256_md = md;
146     }
147     return _hidden_sha256_md;
148 }
149 
150 /* SHA384/SHA512 */
151 static int digest_sha384_init(EVP_MD_CTX *ctx);
152 static int digest_sha384_update(EVP_MD_CTX *ctx, const void *data,
153                                 size_t count);
154 static int digest_sha384_final(EVP_MD_CTX *ctx, unsigned char *md);
155 
156 static int digest_sha512_init(EVP_MD_CTX *ctx);
157 static int digest_sha512_update(EVP_MD_CTX *ctx, const void *data,
158                                 size_t count);
159 static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md);
160 
161 static EVP_MD *_hidden_sha384_md = NULL;
digest_sha384(void)162 static const EVP_MD *digest_sha384(void)
163 {
164     if (_hidden_sha384_md == NULL) {
165         EVP_MD *md;
166 
167         if ((md = EVP_MD_meth_new(NID_sha384, NID_sha384WithRSAEncryption)) == NULL
168             || !EVP_MD_meth_set_result_size(md, SHA384_DIGEST_LENGTH)
169             || !EVP_MD_meth_set_input_blocksize(md, SHA512_CBLOCK)
170             || !EVP_MD_meth_set_app_datasize(md,
171                                              sizeof(EVP_MD *) + sizeof(SHA512_CTX))
172             || !EVP_MD_meth_set_flags(md, EVP_MD_FLAG_DIGALGID_ABSENT)
173             || !EVP_MD_meth_set_init(md, digest_sha384_init)
174             || !EVP_MD_meth_set_update(md, digest_sha384_update)
175             || !EVP_MD_meth_set_final(md, digest_sha384_final)) {
176             EVP_MD_meth_free(md);
177             md = NULL;
178         }
179         _hidden_sha384_md = md;
180     }
181     return _hidden_sha384_md;
182 }
183 static EVP_MD *_hidden_sha512_md = NULL;
digest_sha512(void)184 static const EVP_MD *digest_sha512(void)
185 {
186     if (_hidden_sha512_md == NULL) {
187         EVP_MD *md;
188 
189         if ((md = EVP_MD_meth_new(NID_sha512, NID_sha512WithRSAEncryption)) == NULL
190             || !EVP_MD_meth_set_result_size(md, SHA512_DIGEST_LENGTH)
191             || !EVP_MD_meth_set_input_blocksize(md, SHA512_CBLOCK)
192             || !EVP_MD_meth_set_app_datasize(md,
193                                              sizeof(EVP_MD *) + sizeof(SHA512_CTX))
194             || !EVP_MD_meth_set_flags(md, EVP_MD_FLAG_DIGALGID_ABSENT)
195             || !EVP_MD_meth_set_init(md, digest_sha512_init)
196             || !EVP_MD_meth_set_update(md, digest_sha512_update)
197             || !EVP_MD_meth_set_final(md, digest_sha512_final)) {
198             EVP_MD_meth_free(md);
199             md = NULL;
200         }
201         _hidden_sha512_md = md;
202     }
203     return _hidden_sha512_md;
204 }
destroy_digests(void)205 static void destroy_digests(void)
206 {
207     EVP_MD_meth_free(_hidden_md5_md);
208     _hidden_md5_md = NULL;
209     EVP_MD_meth_free(_hidden_sha1_md);
210     _hidden_sha1_md = NULL;
211     EVP_MD_meth_free(_hidden_sha256_md);
212     _hidden_sha256_md = NULL;
213     EVP_MD_meth_free(_hidden_sha384_md);
214     _hidden_sha384_md = NULL;
215     EVP_MD_meth_free(_hidden_sha512_md);
216     _hidden_sha512_md = NULL;
217 }
ossltest_digest_nids(const int ** nids)218 static int ossltest_digest_nids(const int **nids)
219 {
220     static int digest_nids[6] = { 0, 0, 0, 0, 0, 0 };
221     static int pos = 0;
222     static int init = 0;
223 
224     if (!init) {
225         const EVP_MD *md;
226         if ((md = digest_md5()) != NULL)
227             digest_nids[pos++] = EVP_MD_get_type(md);
228         if ((md = digest_sha1()) != NULL)
229             digest_nids[pos++] = EVP_MD_get_type(md);
230         if ((md = digest_sha256()) != NULL)
231             digest_nids[pos++] = EVP_MD_get_type(md);
232         if ((md = digest_sha384()) != NULL)
233             digest_nids[pos++] = EVP_MD_get_type(md);
234         if ((md = digest_sha512()) != NULL)
235             digest_nids[pos++] = EVP_MD_get_type(md);
236         digest_nids[pos] = 0;
237         init = 1;
238     }
239     *nids = digest_nids;
240     return pos;
241 }
242 
243 /* Setup ciphers */
244 static int ossltest_ciphers(ENGINE *, const EVP_CIPHER **,
245                             const int **, int);
246 
247 static int ossltest_cipher_nids[] = {
248     NID_aes_128_cbc, NID_aes_128_gcm,
249     NID_aes_128_cbc_hmac_sha1, 0
250 };
251 
252 /* AES128 */
253 
254 static int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx,
255                                     const unsigned char *key,
256                                     const unsigned char *iv, int enc);
257 static int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
258                                       const unsigned char *in, size_t inl);
259 static int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx,
260                                         const unsigned char *key,
261                                         const unsigned char *iv, int enc);
262 static int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
263                                       const unsigned char *in, size_t inl);
264 static int ossltest_aes128_gcm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
265                                     void *ptr);
266 static int ossltest_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
267                                                   const unsigned char *key,
268                                                   const unsigned char *iv,
269                                                   int enc);
270 static int ossltest_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx,
271                                                 unsigned char *out,
272                                                 const unsigned char *in,
273                                                 size_t inl);
274 static int ossltest_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
275                                               int arg, void *ptr);
276 
277 typedef struct {
278     size_t payload_length;      /* AAD length in decrypt case */
279     unsigned int tls_ver;
280 } EVP_AES_HMAC_SHA1;
281 
282 static EVP_CIPHER *_hidden_aes_128_cbc = NULL;
ossltest_aes_128_cbc(void)283 static const EVP_CIPHER *ossltest_aes_128_cbc(void)
284 {
285     if (_hidden_aes_128_cbc == NULL
286         && ((_hidden_aes_128_cbc = EVP_CIPHER_meth_new(NID_aes_128_cbc,
287                                                        16 /* block size */,
288                                                        16 /* key len */)) == NULL
289             || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc,16)
290             || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc,
291                                           EVP_CIPH_FLAG_DEFAULT_ASN1
292                                           | EVP_CIPH_CBC_MODE)
293             || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc,
294                                          ossltest_aes128_init_key)
295             || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc,
296                                               ossltest_aes128_cbc_cipher)
297             || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc,
298                     EVP_CIPHER_impl_ctx_size(EVP_aes_128_cbc())))) {
299         EVP_CIPHER_meth_free(_hidden_aes_128_cbc);
300         _hidden_aes_128_cbc = NULL;
301     }
302     return _hidden_aes_128_cbc;
303 }
304 
305 static EVP_CIPHER *_hidden_aes_128_gcm = NULL;
306 
307 #define AES_GCM_FLAGS   (EVP_CIPH_FLAG_DEFAULT_ASN1 \
308                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
309                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
310                 | EVP_CIPH_CUSTOM_COPY |EVP_CIPH_FLAG_AEAD_CIPHER \
311                 | EVP_CIPH_GCM_MODE)
312 
ossltest_aes_128_gcm(void)313 static const EVP_CIPHER *ossltest_aes_128_gcm(void)
314 {
315     if (_hidden_aes_128_gcm == NULL
316         && ((_hidden_aes_128_gcm = EVP_CIPHER_meth_new(NID_aes_128_gcm,
317                                                        1 /* block size */,
318                                                        16 /* key len */)) == NULL
319             || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_gcm,12)
320             || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_gcm, AES_GCM_FLAGS)
321             || !EVP_CIPHER_meth_set_init(_hidden_aes_128_gcm,
322                                          ossltest_aes128_gcm_init_key)
323             || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_gcm,
324                                               ossltest_aes128_gcm_cipher)
325             || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_gcm,
326                                               ossltest_aes128_gcm_ctrl)
327             || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_gcm,
328                     EVP_CIPHER_impl_ctx_size(EVP_aes_128_gcm())))) {
329         EVP_CIPHER_meth_free(_hidden_aes_128_gcm);
330         _hidden_aes_128_gcm = NULL;
331     }
332     return _hidden_aes_128_gcm;
333 }
334 
335 static EVP_CIPHER *_hidden_aes_128_cbc_hmac_sha1 = NULL;
336 
ossltest_aes_128_cbc_hmac_sha1(void)337 static const EVP_CIPHER *ossltest_aes_128_cbc_hmac_sha1(void)
338 {
339     if (_hidden_aes_128_cbc_hmac_sha1 == NULL
340         && ((_hidden_aes_128_cbc_hmac_sha1
341              = EVP_CIPHER_meth_new(NID_aes_128_cbc_hmac_sha1,
342                                    16 /* block size */,
343                                    16 /* key len */)) == NULL
344             || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc_hmac_sha1,16)
345             || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc_hmac_sha1,
346                    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
347                    EVP_CIPH_FLAG_AEAD_CIPHER)
348             || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc_hmac_sha1,
349                    ossltest_aes128_cbc_hmac_sha1_init_key)
350             || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc_hmac_sha1,
351                    ossltest_aes128_cbc_hmac_sha1_cipher)
352             || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_cbc_hmac_sha1,
353                                          ossltest_aes128_cbc_hmac_sha1_ctrl)
354             || !EVP_CIPHER_meth_set_set_asn1_params(_hidden_aes_128_cbc_hmac_sha1,
355                    EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv)
356             || !EVP_CIPHER_meth_set_get_asn1_params(_hidden_aes_128_cbc_hmac_sha1,
357                    EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv)
358             || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc_hmac_sha1,
359                    sizeof(EVP_AES_HMAC_SHA1)))) {
360         EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1);
361         _hidden_aes_128_cbc_hmac_sha1 = NULL;
362     }
363     return _hidden_aes_128_cbc_hmac_sha1;
364 }
365 
destroy_ciphers(void)366 static void destroy_ciphers(void)
367 {
368     EVP_CIPHER_meth_free(_hidden_aes_128_cbc);
369     EVP_CIPHER_meth_free(_hidden_aes_128_gcm);
370     EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1);
371     _hidden_aes_128_cbc = NULL;
372     _hidden_aes_128_gcm = NULL;
373     _hidden_aes_128_cbc_hmac_sha1 = NULL;
374 }
375 
376 /* Key loading */
load_key(ENGINE * eng,const char * key_id,int pub,UI_METHOD * ui_method,void * ui_data)377 static EVP_PKEY *load_key(ENGINE *eng, const char *key_id, int pub,
378                           UI_METHOD *ui_method, void *ui_data)
379 {
380     BIO *in;
381     EVP_PKEY *key;
382 
383     if (!CHECK_AND_SKIP_CASE_PREFIX(key_id, "ot:"))
384         return NULL;
385 
386     fprintf(stderr, "[ossltest]Loading %s key %s\n",
387             pub ? "Public" : "Private", key_id);
388     in = BIO_new_file(key_id, "r");
389     if (!in)
390         return NULL;
391     if (pub)
392         key = PEM_read_bio_PUBKEY(in, NULL, 0, NULL);
393     else
394         key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
395     BIO_free(in);
396     return key;
397 }
398 
ossltest_load_privkey(ENGINE * eng,const char * key_id,UI_METHOD * ui_method,void * ui_data)399 static EVP_PKEY *ossltest_load_privkey(ENGINE *eng, const char *key_id,
400                                        UI_METHOD *ui_method, void *ui_data)
401 {
402     return load_key(eng, key_id, 0, ui_method, ui_data);
403 }
404 
ossltest_load_pubkey(ENGINE * eng,const char * key_id,UI_METHOD * ui_method,void * ui_data)405 static EVP_PKEY *ossltest_load_pubkey(ENGINE *eng, const char *key_id,
406                                       UI_METHOD *ui_method, void *ui_data)
407 {
408     return load_key(eng, key_id, 1, ui_method, ui_data);
409 }
410 
411 
bind_ossltest(ENGINE * e)412 static int bind_ossltest(ENGINE *e)
413 {
414     /* Ensure the ossltest error handling is set up */
415     ERR_load_OSSLTEST_strings();
416 
417     if (!ENGINE_set_id(e, engine_ossltest_id)
418         || !ENGINE_set_name(e, engine_ossltest_name)
419         || !ENGINE_set_digests(e, ossltest_digests)
420         || !ENGINE_set_ciphers(e, ossltest_ciphers)
421         || !ENGINE_set_RAND(e, ossltest_rand_method())
422         || !ENGINE_set_destroy_function(e, ossltest_destroy)
423         || !ENGINE_set_load_privkey_function(e, ossltest_load_privkey)
424         || !ENGINE_set_load_pubkey_function(e, ossltest_load_pubkey)
425         || !ENGINE_set_init_function(e, ossltest_init)
426         || !ENGINE_set_finish_function(e, ossltest_finish)) {
427         OSSLTESTerr(OSSLTEST_F_BIND_OSSLTEST, OSSLTEST_R_INIT_FAILED);
428         return 0;
429     }
430 
431     return 1;
432 }
433 
434 #ifndef OPENSSL_NO_DYNAMIC_ENGINE
bind_helper(ENGINE * e,const char * id)435 static int bind_helper(ENGINE *e, const char *id)
436 {
437     if (id && (strcmp(id, engine_ossltest_id) != 0))
438         return 0;
439     if (!bind_ossltest(e))
440         return 0;
441     return 1;
442 }
443 
444 IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)445     IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
446 #endif
447 
448 static ENGINE *engine_ossltest(void)
449 {
450     ENGINE *ret = ENGINE_new();
451     if (ret == NULL)
452         return NULL;
453     if (!bind_ossltest(ret)) {
454         ENGINE_free(ret);
455         return NULL;
456     }
457     return ret;
458 }
459 
ENGINE_load_ossltest(void)460 void ENGINE_load_ossltest(void)
461 {
462     /* Copied from eng_[openssl|dyn].c */
463     ENGINE *toadd = engine_ossltest();
464     if (!toadd)
465         return;
466     ENGINE_add(toadd);
467     ENGINE_free(toadd);
468     ERR_clear_error();
469 }
470 
471 
ossltest_init(ENGINE * e)472 static int ossltest_init(ENGINE *e)
473 {
474     return 1;
475 }
476 
477 
ossltest_finish(ENGINE * e)478 static int ossltest_finish(ENGINE *e)
479 {
480     return 1;
481 }
482 
483 
ossltest_destroy(ENGINE * e)484 static int ossltest_destroy(ENGINE *e)
485 {
486     destroy_digests();
487     destroy_ciphers();
488     ERR_unload_OSSLTEST_strings();
489     return 1;
490 }
491 
ossltest_digests(ENGINE * e,const EVP_MD ** digest,const int ** nids,int nid)492 static int ossltest_digests(ENGINE *e, const EVP_MD **digest,
493                           const int **nids, int nid)
494 {
495     int ok = 1;
496     if (!digest) {
497         /* We are returning a list of supported nids */
498         return ossltest_digest_nids(nids);
499     }
500     /* We are being asked for a specific digest */
501     switch (nid) {
502     case NID_md5:
503         *digest = digest_md5();
504         break;
505     case NID_sha1:
506         *digest = digest_sha1();
507         break;
508     case NID_sha256:
509         *digest = digest_sha256();
510         break;
511     case NID_sha384:
512         *digest = digest_sha384();
513         break;
514     case NID_sha512:
515         *digest = digest_sha512();
516         break;
517     default:
518         ok = 0;
519         *digest = NULL;
520         break;
521     }
522     return ok;
523 }
524 
ossltest_ciphers(ENGINE * e,const EVP_CIPHER ** cipher,const int ** nids,int nid)525 static int ossltest_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
526                           const int **nids, int nid)
527 {
528     int ok = 1;
529     if (!cipher) {
530         /* We are returning a list of supported nids */
531         *nids = ossltest_cipher_nids;
532         return (sizeof(ossltest_cipher_nids) - 1)
533                / sizeof(ossltest_cipher_nids[0]);
534     }
535     /* We are being asked for a specific cipher */
536     switch (nid) {
537     case NID_aes_128_cbc:
538         *cipher = ossltest_aes_128_cbc();
539         break;
540     case NID_aes_128_gcm:
541         *cipher = ossltest_aes_128_gcm();
542         break;
543     case NID_aes_128_cbc_hmac_sha1:
544         *cipher = ossltest_aes_128_cbc_hmac_sha1();
545         break;
546     default:
547         ok = 0;
548         *cipher = NULL;
549         break;
550     }
551     return ok;
552 }
553 
fill_known_data(unsigned char * md,unsigned int len)554 static void fill_known_data(unsigned char *md, unsigned int len)
555 {
556     unsigned int i;
557 
558     for (i=0; i<len; i++) {
559         md[i] = (unsigned char)(i & 0xff);
560     }
561 }
562 
563 /*
564  * MD5 implementation. We go through the motions of doing MD5 by deferring to
565  * the standard implementation. Then we overwrite the result with a will defined
566  * value, so that all "MD5" digests using the test engine always end up with
567  * the same value.
568  */
digest_md5_init(EVP_MD_CTX * ctx)569 static int digest_md5_init(EVP_MD_CTX *ctx)
570 {
571    return EVP_MD_meth_get_init(EVP_md5())(ctx);
572 }
573 
digest_md5_update(EVP_MD_CTX * ctx,const void * data,size_t count)574 static int digest_md5_update(EVP_MD_CTX *ctx, const void *data,
575                              size_t count)
576 {
577     return EVP_MD_meth_get_update(EVP_md5())(ctx, data, count);
578 }
579 
digest_md5_final(EVP_MD_CTX * ctx,unsigned char * md)580 static int digest_md5_final(EVP_MD_CTX *ctx, unsigned char *md)
581 {
582     int ret = EVP_MD_meth_get_final(EVP_md5())(ctx, md);
583 
584     if (ret > 0) {
585         fill_known_data(md, MD5_DIGEST_LENGTH);
586     }
587     return ret;
588 }
589 
590 /*
591  * SHA1 implementation.
592  */
digest_sha1_init(EVP_MD_CTX * ctx)593 static int digest_sha1_init(EVP_MD_CTX *ctx)
594 {
595     return EVP_MD_meth_get_init(EVP_sha1())(ctx);
596 }
597 
digest_sha1_update(EVP_MD_CTX * ctx,const void * data,size_t count)598 static int digest_sha1_update(EVP_MD_CTX *ctx, const void *data,
599                               size_t count)
600 {
601     return EVP_MD_meth_get_update(EVP_sha1())(ctx, data, count);
602 }
603 
digest_sha1_final(EVP_MD_CTX * ctx,unsigned char * md)604 static int digest_sha1_final(EVP_MD_CTX *ctx, unsigned char *md)
605 {
606     int ret = EVP_MD_meth_get_final(EVP_sha1())(ctx, md);
607 
608     if (ret > 0) {
609         fill_known_data(md, SHA_DIGEST_LENGTH);
610     }
611     return ret;
612 }
613 
614 /*
615  * SHA256 implementation.
616  */
digest_sha256_init(EVP_MD_CTX * ctx)617 static int digest_sha256_init(EVP_MD_CTX *ctx)
618 {
619     return EVP_MD_meth_get_init(EVP_sha256())(ctx);
620 }
621 
digest_sha256_update(EVP_MD_CTX * ctx,const void * data,size_t count)622 static int digest_sha256_update(EVP_MD_CTX *ctx, const void *data,
623                                 size_t count)
624 {
625     return EVP_MD_meth_get_update(EVP_sha256())(ctx, data, count);
626 }
627 
digest_sha256_final(EVP_MD_CTX * ctx,unsigned char * md)628 static int digest_sha256_final(EVP_MD_CTX *ctx, unsigned char *md)
629 {
630     int ret = EVP_MD_meth_get_final(EVP_sha256())(ctx, md);
631 
632     if (ret > 0) {
633         fill_known_data(md, SHA256_DIGEST_LENGTH);
634     }
635     return ret;
636 }
637 
638 /*
639  * SHA384 implementation.
640  */
digest_sha384_init(EVP_MD_CTX * ctx)641 static int digest_sha384_init(EVP_MD_CTX *ctx)
642 {
643     return EVP_MD_meth_get_init(EVP_sha384())(ctx);
644 }
645 
digest_sha384_update(EVP_MD_CTX * ctx,const void * data,size_t count)646 static int digest_sha384_update(EVP_MD_CTX *ctx, const void *data,
647                                 size_t count)
648 {
649     return EVP_MD_meth_get_update(EVP_sha384())(ctx, data, count);
650 }
651 
digest_sha384_final(EVP_MD_CTX * ctx,unsigned char * md)652 static int digest_sha384_final(EVP_MD_CTX *ctx, unsigned char *md)
653 {
654     int ret = EVP_MD_meth_get_final(EVP_sha384())(ctx, md);
655 
656     if (ret > 0) {
657         fill_known_data(md, SHA384_DIGEST_LENGTH);
658     }
659     return ret;
660 }
661 
662 /*
663  * SHA512 implementation.
664  */
digest_sha512_init(EVP_MD_CTX * ctx)665 static int digest_sha512_init(EVP_MD_CTX *ctx)
666 {
667     return EVP_MD_meth_get_init(EVP_sha512())(ctx);
668 }
669 
digest_sha512_update(EVP_MD_CTX * ctx,const void * data,size_t count)670 static int digest_sha512_update(EVP_MD_CTX *ctx, const void *data,
671                                 size_t count)
672 {
673     return EVP_MD_meth_get_update(EVP_sha512())(ctx, data, count);
674 }
675 
digest_sha512_final(EVP_MD_CTX * ctx,unsigned char * md)676 static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md)
677 {
678     int ret = EVP_MD_meth_get_final(EVP_sha512())(ctx, md);
679 
680     if (ret > 0) {
681         fill_known_data(md, SHA512_DIGEST_LENGTH);
682     }
683     return ret;
684 }
685 
686 /*
687  * AES128 Implementation
688  */
689 
ossltest_aes128_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)690 static int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx,
691                                     const unsigned char *key,
692                                     const unsigned char *iv, int enc)
693 {
694     return EVP_CIPHER_meth_get_init(EVP_aes_128_cbc()) (ctx, key, iv, enc);
695 }
696 
ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t inl)697 static int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
698                                       const unsigned char *in, size_t inl)
699 {
700     unsigned char *tmpbuf;
701     int ret;
702 
703     tmpbuf = OPENSSL_malloc(inl);
704 
705     /* OPENSSL_malloc will return NULL if inl == 0 */
706     if (tmpbuf == NULL && inl > 0)
707         return -1;
708 
709     /* Remember what we were asked to encrypt */
710     if (tmpbuf != NULL)
711         memcpy(tmpbuf, in, inl);
712 
713     /* Go through the motions of encrypting it */
714     ret = EVP_CIPHER_meth_get_do_cipher(EVP_aes_128_cbc())(ctx, out, in, inl);
715 
716     /* Throw it all away and just use the plaintext as the output */
717     if (tmpbuf != NULL)
718         memcpy(out, tmpbuf, inl);
719     OPENSSL_free(tmpbuf);
720 
721     return ret;
722 }
723 
ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * key,const unsigned char * iv,int enc)724 static int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx,
725                                         const unsigned char *key,
726                                         const unsigned char *iv, int enc)
727 {
728     return EVP_CIPHER_meth_get_init(EVP_aes_128_gcm()) (ctx, key, iv, enc);
729 }
730 
ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t inl)731 static int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
732                                       const unsigned char *in, size_t inl)
733 {
734     unsigned char *tmpbuf = OPENSSL_malloc(inl);
735 
736     /* OPENSSL_malloc will return NULL if inl == 0 */
737     if (tmpbuf == NULL && inl > 0)
738         return -1;
739 
740     /* Remember what we were asked to encrypt */
741     if (tmpbuf != NULL)
742         memcpy(tmpbuf, in, inl);
743 
744     /* Go through the motions of encrypting it */
745     EVP_CIPHER_meth_get_do_cipher(EVP_aes_128_gcm())(ctx, out, in, inl);
746 
747     /* Throw it all away and just use the plaintext as the output */
748     if (tmpbuf != NULL && out != NULL)
749         memcpy(out, tmpbuf, inl);
750     OPENSSL_free(tmpbuf);
751 
752     return inl;
753 }
754 
ossltest_aes128_gcm_ctrl(EVP_CIPHER_CTX * ctx,int type,int arg,void * ptr)755 static int ossltest_aes128_gcm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
756                                     void *ptr)
757 {
758     /* Pass the ctrl down */
759     int ret = EVP_CIPHER_meth_get_ctrl(EVP_aes_128_gcm())(ctx, type, arg, ptr);
760 
761     if (ret <= 0)
762         return ret;
763 
764     switch (type) {
765     case EVP_CTRL_AEAD_GET_TAG:
766         /* Always give the same tag */
767         memset(ptr, 0, EVP_GCM_TLS_TAG_LEN);
768         break;
769 
770     default:
771         break;
772     }
773 
774     return 1;
775 }
776 
777 #define NO_PAYLOAD_LENGTH       ((size_t)-1)
778 # define data(ctx) ((EVP_AES_HMAC_SHA1 *)EVP_CIPHER_CTX_get_cipher_data(ctx))
779 
ossltest_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX * ctx,const unsigned char * inkey,const unsigned char * iv,int enc)780 static int ossltest_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
781                                                   const unsigned char *inkey,
782                                                   const unsigned char *iv,
783                                                   int enc)
784 {
785     EVP_AES_HMAC_SHA1 *key = data(ctx);
786     key->payload_length = NO_PAYLOAD_LENGTH;
787     return 1;
788 }
789 
ossltest_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX * ctx,unsigned char * out,const unsigned char * in,size_t len)790 static int ossltest_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx,
791                                                 unsigned char *out,
792                                                 const unsigned char *in,
793                                                 size_t len)
794 {
795     EVP_AES_HMAC_SHA1 *key = data(ctx);
796     unsigned int l;
797     size_t plen = key->payload_length;
798 
799     key->payload_length = NO_PAYLOAD_LENGTH;
800 
801     if (len % AES_BLOCK_SIZE)
802         return 0;
803 
804     if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
805         if (plen == NO_PAYLOAD_LENGTH)
806             plen = len;
807         else if (len !=
808                  ((plen + SHA_DIGEST_LENGTH +
809                    AES_BLOCK_SIZE) & -AES_BLOCK_SIZE))
810             return 0;
811 
812         memmove(out, in, plen);
813 
814         if (plen != len) {      /* "TLS" mode of operation */
815             /* calculate HMAC and append it to payload */
816             fill_known_data(out + plen, SHA_DIGEST_LENGTH);
817 
818             /* pad the payload|hmac */
819             plen += SHA_DIGEST_LENGTH;
820             for (l = len - plen - 1; plen < len; plen++)
821                 out[plen] = l;
822         }
823     } else {
824         /* decrypt HMAC|padding at once */
825         memmove(out, in, len);
826 
827         if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */
828             unsigned int maxpad, pad;
829 
830             if (key->tls_ver >= TLS1_1_VERSION) {
831                 if (len < (AES_BLOCK_SIZE + SHA_DIGEST_LENGTH + 1))
832                     return 0;
833 
834                 /* omit explicit iv */
835                 in += AES_BLOCK_SIZE;
836                 out += AES_BLOCK_SIZE;
837                 len -= AES_BLOCK_SIZE;
838             } else if (len < (SHA_DIGEST_LENGTH + 1))
839                 return 0;
840 
841             /* figure out payload length */
842             pad = out[len - 1];
843             maxpad = len - (SHA_DIGEST_LENGTH + 1);
844             if (pad > maxpad)
845                 return 0;
846             for (plen = len - pad - 1; plen < len; plen++)
847                 if (out[plen] != pad)
848                     return 0;
849         }
850     }
851 
852     return 1;
853 }
854 
ossltest_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX * ctx,int type,int arg,void * ptr)855 static int ossltest_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
856                                               int arg, void *ptr)
857 {
858     EVP_AES_HMAC_SHA1 *key = data(ctx);
859 
860     switch (type) {
861     case EVP_CTRL_AEAD_SET_MAC_KEY:
862         return 1;
863 
864     case EVP_CTRL_AEAD_TLS1_AAD:
865         {
866             unsigned char *p = ptr;
867             unsigned int len;
868 
869             if (arg != EVP_AEAD_TLS1_AAD_LEN)
870                 return -1;
871 
872             len = p[arg - 2] << 8 | p[arg - 1];
873             key->tls_ver = p[arg - 4] << 8 | p[arg - 3];
874 
875             if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
876                 key->payload_length = len;
877                 if (key->tls_ver >= TLS1_1_VERSION) {
878                     if (len < AES_BLOCK_SIZE)
879                         return 0;
880                     len -= AES_BLOCK_SIZE;
881                     p[arg - 2] = len >> 8;
882                     p[arg - 1] = len;
883                 }
884 
885                 return (int)(((len + SHA_DIGEST_LENGTH +
886                                AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)
887                              - len);
888             } else {
889                 key->payload_length = arg;
890 
891                 return SHA_DIGEST_LENGTH;
892             }
893         }
894     default:
895         return -1;
896     }
897 }
898 
ossltest_rand_bytes(unsigned char * buf,int num)899 static int ossltest_rand_bytes(unsigned char *buf, int num)
900 {
901     unsigned char val = 1;
902 
903     while (--num >= 0)
904         *buf++ = val++;
905     return 1;
906 }
907 
ossltest_rand_status(void)908 static int ossltest_rand_status(void)
909 {
910     return 1;
911 }
912 
ossltest_rand_method(void)913 static const RAND_METHOD *ossltest_rand_method(void)
914 {
915 
916     static RAND_METHOD osslt_rand_meth = {
917         NULL,
918         ossltest_rand_bytes,
919         NULL,
920         NULL,
921         ossltest_rand_bytes,
922         ossltest_rand_status
923     };
924 
925     return &osslt_rand_meth;
926 }
927